Inherent and residual risk score calculation

Carlos58
Tera Contributor

Hello, I am trying to understand how IRM calculates the inherent and residual scores after a risk assessment has been completed. If I look at my dashboard (residual or inherent) it will tell me for example that there are x number of risks with a High score, and when I select that number it will list the risks. All of them have a score of 4 (which I guess corresponds to High). But how did IRM calculate that 4? Is it multiplying the average impact from all the assessed categories by the likelihood %? We are assessing 5 categories and we have 5 impact levels and 5 likelihood levels. I would appreciate any understanding on how these scores are calculated.


Community Alums
Not applicable

Hi @Carlos58 ,

The inherent and residual scores for risk are calculated using the risk criteria, likelihood, and impact. Use the following calculations to score risks:
  • Qualitative Inherent ALE = Inherent ARO x Inherent SLE
  • Qualitative Inherent Score = Inherent Likelihood x Inherent impact
  • Quantitative Residual ALE = Residual ARO x Residual SLE
  • Qualitative Residual Score = Residual SLE

When scoring is set to qualitative, the quantitative values are updated in the background.

The Calculated Score for risk is a read-only field designed to quickly assess a risk affecting the organization, and identify threats and areas of non-compliance. 

If controls are implemented to mitigate risk, then 

  • Calculated ALE = Residual ALE + ((Inherent ALE - Residual ALE) * (Calculated Risk Factor / 100)). 
  • So: Calculated Score = Residual Score only if Compliance with the controls is 100%. 

If the Calculated Score > Residual Score, the organization is not 100% compliant with the controls used to mitigate risk. 

Meaning that the Calculated Score can never be less than the Residual Score or greater than the Inherent Score.

If controls are not implemented to mitigate risk, then Calculated Score = Residual Score.

If the Residual Score is not set, then Calculated Score = Inherent Score.

The calculated risk factor value is calculated as:

  • Calculated Risk Factor = (Indicator failure factor + Control failure factor) / 2 

Control failure factor -> Sum of failed controls weighting divided by total controls weighting. 

Indicator failure factor -> Uses the last result of each associated indicator. The number of last results failed divided by the total number of indicators associated.
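The formulas in the reply above, worked through as an added example (this is not ServiceNow code and not the reply author's code). It assumes qualitative inherent and residual scores are Likelihood x Impact on 1-5 scales, that each failure factor is a fraction between 0 and 1 and the Calculated Risk Factor is their average expressed as a percentage (so the `/ 100` in the Calculated ALE formula applies), and it uses constructed sample controls and indicators. The control weights and the `Control`/`Indicator` records are hypothetical, not IRM table fields.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Control:
    """Hypothetical control record: weight and whether its last test failed."""
    name: str
    weight: float
    failed: bool


@dataclass
class Indicator:
    """Hypothetical indicator record: whether its last result failed."""
    name: str
    last_result_failed: bool


def qualitative_score(likelihood: int, impact: int) -> int:
    """Qualitative score = Likelihood x Impact (both assumed on a 1-5 scale)."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be between 1 and 5")
    return likelihood * impact


def control_failure_factor(controls: List[Control]) -> float:
    """Sum of failed controls' weighting divided by total controls weighting (0..1)."""
    total = sum(c.weight for c in controls)
    if total == 0:
        return 0.0  # no weighted controls means nothing has failed
    return sum(c.weight for c in controls if c.failed) / total


def indicator_failure_factor(indicators: List[Indicator]) -> float:
    """Failed last results divided by the number of associated indicators (0..1)."""
    if not indicators:
        return 0.0
    return sum(1 for i in indicators if i.last_result_failed) / len(indicators)


def calculated_risk_factor(controls: List[Control], indicators: List[Indicator]) -> float:
    """(Indicator failure factor + Control failure factor) / 2, as a percentage (assumption)."""
    return (indicator_failure_factor(indicators) + control_failure_factor(controls)) / 2 * 100


def calculated_score(inherent: float, residual: Optional[float],
                     risk_factor_pct: float, controls_implemented: bool) -> float:
    """Calculated Score per the reply's rules.

    - residual not set            -> inherent
    - no controls implemented     -> residual
    - otherwise                   -> residual + (inherent - residual) * factor/100
    A factor of 0 % (full compliance) gives the residual score; 100 % gives the inherent.
    """
    if residual is None:
        return inherent
    if not controls_implemented:
        return residual
    if not 0 <= risk_factor_pct <= 100:
        raise ValueError("risk factor must be a percentage between 0 and 100")
    score = residual + (inherent - residual) * (risk_factor_pct / 100)
    # Sanity check on the property stated in the reply: never below residual, never above inherent.
    assert residual <= score <= inherent
    return score


# Constructed sample data: one heavily weighted control has failed, two passed;
# two of four indicators failed on their last result.
SAMPLE_CONTROLS = [
    Control("MFA enforced", weight=3, failed=True),
    Control("Quarterly access review", weight=1, failed=False),
    Control("Backup restore test", weight=1, failed=False),
]
SAMPLE_INDICATORS = [
    Indicator("Patch SLA met", last_result_failed=True),
    Indicator("Privileged accounts reviewed", last_result_failed=False),
    Indicator("Phishing test pass rate", last_result_failed=True),
    Indicator("Log retention verified", last_result_failed=False),
]


def sample_calculation() -> float:
    """Inherent 4x5=20, residual 2x2=4, factor (0.5+0.6)/2=55 % -> 4 + 16*0.55 = 12.8."""
    inherent = qualitative_score(likelihood=4, impact=5)
    residual = qualitative_score(likelihood=2, impact=2)
    factor = calculated_risk_factor(SAMPLE_CONTROLS, SAMPLE_INDICATORS)
    return calculated_score(inherent, residual, factor, controls_implemented=True)


if __name__ == "__main__":
    print(f"Calculated Risk Factor: {calculated_risk_factor(SAMPLE_CONTROLS, SAMPLE_INDICATORS):.1f} %")
    print(f"Calculated Score: {sample_calculation():.1f}")
```

The useful thing to notice is that a dashboard score of 4 on its own does not tell you which of the three cases produced it: with these inputs the residual score is 4, but the calculated score is 12.8 because the controls are only partially compliant, so the two dashboards can legitimately disagree for the same risk.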

Sebastien Fix
Giga Guru

In Classic Risk it is simply Impact x Likelihood. Since you have 5 levels, I'd assume that the values of each choice in from 1 through 5. So the lowest score would be 1x1=1 and highest risk would be 5x5=25.

In Advanced Risk you can decide how you want the Risk Score to be calculated. 


You can define yourself what score is to be considered High, Unacceptable, Very Low etc, so I'd say that a risk score of 4 out of a range 1-25 is actually low 🙂

Naveen Kumar4
ServiceNow Employee

Hi @Carlos58 ,


If you are referring to advanced risk assessment then you can check here


https://www.youtube.com/watch?v=Bn03SrHCpr4


Thanks,

Naveen
