In Risk form, when changing inherent impact value, the Inherent Score always shows 5 - Very High

HelloCAD
Tera Contributor

‎04-15-2024 05:05 AM - edited ‎04-15-2024 06:44 AM

Hi,

In the Risk Form, I am trying to change the Inherent impact / Residual Impact field values, but no matter what I select, the Inherent Score / Residual score shows 5 - Very High.

But once I save the risk form, the correct value is displayed for Inherent Score / Residual Score.

All the Business Rules, Client scripts and Script Includes are OOB and untouched.

The only thing changed are the Risk Criteria values. Also where is  'Maximum value' used? I see Currency max value is used to calculate scores.

Can anyone think of any other reason why this could be happening?

0 Helpfuls
  • 835 Views
2 REPLIES 2

jaikishan1
ServiceNow Employee
ServiceNow Employee

‎06-05-2024 03:53 AM

Hi,

Can you please provide more information or an implementation of the issue? please provide screenshots or recording which can help understand the issue better.

Please mark this as helpful if it solves your query.

Regards,
Jai
0 Helpfuls

Community Alums
Not applicable

‎06-07-2024 12:28 AM

Hi @HelloCAD ,

n Classic Risk it is simply Impact x Likelihood. Let's say  you have 5 levels, I'd assume that the values of each choice in from 1 through 5. So the lowest score would be 1x1=1 and highest risk would be 5x5=25.

In Advanced Risk you can decide how you want the Risk Score to be calculated. 

Also,

The inherent and residual scores for risk are calculated using the risk criteria, likelihood, and impact. Use the following calculations to score risks:
  • Qualitative Inherent ALE = Inherent ARO x Inherent SLE
  • Qualitative Inherent Score = Inherent Likelihood x Inherent impact
  • Quantitative Residual ALE = Residual ARO x Residual SLE
  • Qualitative Residual Score = Residual SLE

When scoring is set to qualitative, the quantitative values are updated in the background.

The Calculated Score for risk is a read-only field designed to quickly assess a risk affecting the organization, and identify threats and areas of non-compliance. 

If controls are implemented to mitigate risk, then 

  • Calculated ALE = Residual ALE + ((Inherent ALE - Residual ALE) * (Calculated Risk Factor / 100)). 
  • So: Calculated Score = Residual Score only if Compliance with the controls is 100%. 

If the Calculated Score > Residual Score, the organization is not 100% compliant with the controls used to mitigate risk. 

Meaning that the Calculated Score can never be less than the Residual Score or greater than the Inherent Score

If controls are not implemented to mitigate risk, then Calculated Score = Residual Score

If the Residual Score is not set, then Calculated Score = Inherent Score

The calculated risk factor value is calculated as:

  • Calculated Risk Factor = (Indicator failure factor + Control failure factor) / 2 

Control failure factor -> Sum of failed controls weighting divided by total controls weighting. 

Indicator failure factor -> Uses the last result of each associated indicator. The number of last results failed divided by the total number of indicators associated.

 

0 Helpfuls