IRM | I want to understand how the Risk Assessment scoring logic works OOTB in ServiceNow
8 hours ago
Hi Team,
Greetings!
- How does the control assessment scoring logic work out of the box (OOTB)? What is the formula behind it?
- When control weighting is applied, how is the Computed Control Effectiveness calculated?
- In scenarios where control attestations are not considered and a control is marked as none, how does this impact the overall scoring and calculations?
- If all controls are assessed as effective, how is the residual risk derived with respect to Inherent Risk Score and Control Effectiveness?
If anyone has an understanding of this topic and has some sort of documentation for guidance, please share.
Thanks in Advance!
7 hours ago
I've been doing a lot of work in IRM recently and have had a chance to build out many RAMs.
The OOTB scoring logic is fully configurable, not hardcoded
first thing to know: there is no single fixed formula. everything hinges on how your RAM is configured. when you set up an assessment type (inherent, control, residual), you're choosing a calculation method:
- factor responses (most common, fully configurable)
- formula
- manual override
for factor-response-based assessments, each factor gets a score from the assessor's response. those scores roll up using whatever aggregation method you set on the group factor: sum, average, weighted average, min, max, or a custom script. so the "formula" is whatever you chose there.
control weighting / computed control effectiveness
the weighting_factor field on each factor drives this. if you use weighted average as your group factor formula, it's basically:
sum(factor_score x weight) / sum(all weights)
so if you have 3 factors with weights 0.5, 0.3, 0.2 and scores 80, 60, 40:
(80x0.5 + 60x0.3 + 40x0.2) / 1.0 = 66
that numeric result then maps to a rating band via your rating criteria thresholds (the lower_interval values), which produces your qualitative label like Low/Medium/High.
assessors can override the computed score but they have to enter a justification.
control attestation set to none
when a control is marked as none or not assessed, it gets excluded from the effectiveness calculation. the platform lets assessors select "no mitigating controls to assess" on the instance, and in that case residual risk defaults to not applicable. it doesn't assume fully effective or fully ineffective -- it just leaves residual blank.
practically speaking, if some controls have responses and others are "none," only the responded ones roll into the weighted calc. worth considering in your design whether that partial coverage behavior is what your client expects.
the OOTB approach supports a formula-based residual. the typical pattern most people implement is something like:
residual = inherent score x (1 - control_effectiveness_pct)
or a simpler band-based subtraction. you can also write a custom script on the residual assessment type if your org has a specific formula, just keep in mind it can only be modified while the assessment type is still in draft state.
all three ratings (inherent, control, residual) end up on the sn_risk_advanced_risk_assessment_instance record as references to your rating criteria records. what the platform is really doing is computing a numeric score and figuring out which rating band it falls into.
hope this helps!
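The arithmetic the reply above describes (weighted-average roll-up, exclusion of "none" responses, mapping to a rating band by lower_interval, and the suggested residual formula) is easy to get wrong when some factors are unanswered, so here it is as an added, runnable illustration. This is not ServiceNow's own code or its actual RAM implementation; the rating bands (Low from 0, Medium from 40, High from 70), the sample factor responses, and the treatment of "none" as "dropped from numerator and denominator" are constructed assumptions that follow the reply's description, and the residual formula is the inherent x (1 - control_effectiveness_pct) pattern the reply suggests rather than a platform default.

```python
"""Worked illustration of the RAM scoring arithmetic described in the reply.

Not ServiceNow code. Field names (weighting_factor, lower_interval) are borrowed
from the reply; all sample data below is constructed for the example.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class FactorResponse:
    name: str
    weight: float            # plays the role of weighting_factor on the factor
    score: Optional[float]   # None represents a control marked "none"/not assessed


@dataclass(frozen=True)
class RatingBand:
    label: str
    lower_interval: float    # numeric score at which this band starts


def weighted_average(responses: List[FactorResponse]) -> Optional[float]:
    """sum(score x weight) / sum(weights) over the *responded* factors only.

    Factors with score None are excluded from both numerator and denominator,
    mirroring the reply's description. Returns None when nothing was assessed,
    which is the 'no mitigating controls to assess' case.
    """
    answered = [r for r in responses if r.score is not None]
    total_weight = sum(r.weight for r in answered)
    if total_weight == 0:
        return None
    return sum(r.score * r.weight for r in answered) / total_weight


def rate(score: Optional[float], bands: List[RatingBand]) -> str:
    """Map a numeric score to the band with the highest lower_interval <= score."""
    if score is None:
        return "Not Applicable"
    ordered = sorted(bands, key=lambda b: b.lower_interval)
    label = ordered[0].label          # anything below the lowest threshold gets the lowest band
    for band in ordered:
        if score >= band.lower_interval:
            label = band.label
    return label


def residual_score(inherent: float, control_eff_pct: Optional[float]) -> Optional[float]:
    """residual = inherent x (1 - control_effectiveness_pct); None if no controls assessed."""
    if control_eff_pct is None:
        return None
    return inherent * (1.0 - control_eff_pct)


# Constructed sample data: the reply's three-factor example, then the same RAM
# with the weakest control marked "none", then nothing assessed at all.
FULL = [
    FactorResponse("access control", 0.5, 80.0),
    FactorResponse("logging", 0.3, 60.0),
    FactorResponse("backup testing", 0.2, 40.0),
]
PARTIAL = [
    FactorResponse("access control", 0.5, 80.0),
    FactorResponse("logging", 0.3, 60.0),
    FactorResponse("backup testing", 0.2, None),   # attested as "none"
]
NONE_ASSESSED = [FactorResponse(r.name, r.weight, None) for r in FULL]

BANDS = [
    RatingBand("Low", 0.0),
    RatingBand("Medium", 40.0),
    RatingBand("High", 70.0),
]


def demo(inherent: float = 80.0) -> dict:
    """Run all three scenarios; returns the numbers so they can be inspected or tested."""
    out = {}
    for name, responses in (("full", FULL), ("partial", PARTIAL), ("none", NONE_ASSESSED)):
        eff_score = weighted_average(responses)
        eff_pct = None if eff_score is None else eff_score / 100.0
        out[name] = {
            "control_effectiveness": eff_score,
            "control_rating": rate(eff_score, BANDS),
            "residual": residual_score(inherent, eff_pct),
        }
    return out


if __name__ == "__main__":
    for scenario, values in demo().items():
        print(scenario, values)
```

Note what the partial scenario shows: dropping the "none" factor from the denominator raises the computed effectiveness from 66 (Medium) to 72.5 (High) even though nothing about the controls improved, which is exactly the partial-coverage behaviour the reply says to confirm with the client before relying on it.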
