Inherent and residual risk score calculation
10-14-2022 09:00 AM
Hello, I am trying to understand how IRM calculates the inherent and residual scores after a risk assessment has been completed. If I look at my dashboard (residual or inherent) it will tell me, for example, that there are x number of risks with a High score, and when I select that number it will list the risks. All of them have a score of 4 (which I guess corresponds to High). But how did IRM calculate that 4? Is it multiplying the average impact from all the assessed categories by the likelihood %? We are assessing 5 categories and we have 5 impact levels and 5 likelihood levels. I would appreciate any understanding on how these scores are calculated.
10-16-2022 09:10 PM
Hi @Carlos58 ,
- Qualitative Inherent ALE = Inherent ARO x Inherent SLE
- Qualitative Inherent Score = Inherent Likelihood x Inherent impact
- Quantitative Residual ALE = Residual ARO x Residual SLE
- Qualitative Residual Score = Residual SLE
When scoring is set to qualitative, the quantitative values are updated in the background.
The Calculated Score for risk is a read-only field designed to quickly assess a risk affecting the organization, and identify threats and areas of non-compliance.
If controls are implemented to mitigate risk, then
- Calculated ALE = Residual ALE + ((Inherent ALE - Residual ALE) * (Calculated Risk Factor / 100)).
- So: Calculated Score = Residual Score only if Compliance with the controls is 100%.
If the Calculated Score > Residual Score, the organization is not 100% compliant with the controls used to mitigate risk.
Meaning that the Calculated Score can never be less than the Residual Score or greater than the Inherent Score.
If controls are not implemented to mitigate risk, then Calculated Score = Residual Score.
If the Residual Score is not set, then Calculated Score = Inherent Score.
The calculated risk factor value is calculated as:
- Calculated Risk Factor = (Indicator failure factor + Control failure factor) / 2
- Control failure factor -> Sum of failed controls' weighting divided by total controls' weighting.
- Indicator failure factor -> Uses the last result of each associated indicator. The number of last results failed divided by the total number of indicators associated.
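The formulas in the reply above, worked through end to end as an added example (this is not ServiceNow's own code, and it is not taken from the original thread). The input shapes (`controls` with a `weight` and `passed` flag, `indicators` with a `lastResult`), the helper names and the High/Medium/Low thresholds are all assumptions chosen for the example; the scores follow the quoted rules: score = likelihood x impact, calculated risk factor = (indicator failure factor + control failure factor) / 2, and calculated score = residual + (inherent - residual) x (risk factor / 100), with the two special cases (no controls, residual not set) and the residual <= calculated <= inherent invariant checked.

```javascript
// Qualitative score = likelihood x impact (both on a 1..5 scale here, so 1..25).
function qualitativeScore(likelihood, impact) {
  return likelihood * impact;
}

// Quantitative annualized loss expectancy = ARO x SLE.
function annualizedLossExpectancy(aro, sle) {
  return aro * sle;
}

// Control failure factor: weight of failed controls / total control weight.
// Returns a fraction 0..1; with no controls there is nothing to fail.
function controlFailureFactor(controls) {
  const total = controls.reduce((sum, c) => sum + c.weight, 0);
  if (total === 0) return 0;
  const failed = controls.filter((c) => !c.passed).reduce((sum, c) => sum + c.weight, 0);
  return failed / total;
}

// Indicator failure factor: indicators whose last result failed / all indicators.
function indicatorFailureFactor(indicators) {
  if (indicators.length === 0) return 0;
  const failed = indicators.filter((i) => i.lastResult === 'failed').length;
  return failed / indicators.length;
}

// Calculated risk factor as a percentage (0..100), per the reply's formula.
function calculatedRiskFactor(controls, indicators) {
  return (100 * (indicatorFailureFactor(indicators) + controlFailureFactor(controls))) / 2;
}

// Calculated score/ALE: residual plus the still-unmitigated share of the gap.
function calculatedScore(inherent, residual, riskFactorPct) {
  return residual + (inherent - residual) * (riskFactorPct / 100);
}

// Banding thresholds are constructed for this example; in IRM you define them yourself.
function band(score) {
  if (score >= 15) return 'High';
  if (score >= 8) return 'Medium';
  return 'Low';
}

// Full assessment of one risk record, applying the special cases from the reply.
function assessRisk(risk) {
  const inherent = qualitativeScore(risk.inherentLikelihood, risk.inherentImpact);
  const residualSet = risk.residualLikelihood != null && risk.residualImpact != null;
  const residual = residualSet ? qualitativeScore(risk.residualLikelihood, risk.residualImpact) : null;
  const riskFactor = calculatedRiskFactor(risk.controls, risk.indicators);

  let calculated;
  if (!residualSet) {
    calculated = inherent;                 // residual not set -> calculated = inherent
  } else if (risk.controls.length === 0) {
    calculated = residual;                 // no mitigating controls -> calculated = residual
  } else {
    calculated = calculatedScore(inherent, residual, riskFactor);
  }

  // Invariant stated in the reply: residual <= calculated <= inherent.
  if (residualSet && (calculated < residual || calculated > inherent)) {
    throw new Error('calculated score outside [residual, inherent]');
  }
  return { inherent, residual, riskFactor, calculated, band: band(calculated) };
}

// Constructed sample risk: inherent 4x5 = 20, residual 2x2 = 4,
// 3 of 6 control weight points failed (0.5), 1 of 4 indicators failed (0.25).
const sampleRisk = {
  inherentLikelihood: 4, inherentImpact: 5,
  residualLikelihood: 2, residualImpact: 2,
  controls: [
    { name: 'MFA enforced', weight: 3, passed: true },
    { name: 'Patching SLA met', weight: 2, passed: false },
    { name: 'Backups tested', weight: 1, passed: false },
  ],
  indicators: [
    { name: 'Privileged accounts reviewed', lastResult: 'passed' },
    { name: 'Critical patches overdue', lastResult: 'failed' },
    { name: 'Backup job success', lastResult: 'passed' },
    { name: 'Access recertification', lastResult: 'passed' },
  ],
};

console.log(assessRisk(sampleRisk));
// Risk factor (0.25 + 0.5) / 2 = 37.5%; calculated = 4 + (20 - 4) * 0.375 = 10 -> Medium
```

With every control passing and no failed indicator the risk factor is 0 and the calculated score collapses to the residual 4, which is the "100% compliant" case the reply describes; a risk whose residual fields are left empty reports its inherent 20 as the calculated score.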
10-16-2022 11:32 PM
In Classic Risk it is simply Impact x Likelihood. Since you have 5 levels, I'd assume that the value of each choice is from 1 through 5. So the lowest score would be 1x1=1 and the highest risk would be 5x5=25.
In Advanced Risk you can decide how you want the Risk Score to be calculated.
You can define yourself what score is to be considered High, Unacceptable, Very Low etc, so I'd say that a risk score of 4 out of a range 1-25 is actually low 🙂
01-04-2024 11:07 PM
Hi @Carlos58 ,
If you are referring to advanced risk assessment then you can check here
https://www.youtube.com/watch?v=Bn03SrHCpr4
Thanks,
Naveen