Residual Risk and Calculated Score

clfox12
Tera Contributor

Inherent risk = the amount of risk that exists in the absence of controls. In other words, before an organization implements any countermeasures at all, the risk they face is inherent risk.

Residual Risk = the risk that remains after controls are accounted for. It’s the risk that remains after your organization has taken proper precautions.

IN SERVICENOW RISK MANAGEMENT - When a risk response is set to accept, and there are NO controls aligned to help mitigate or lower the risk calculated score, the calculated score = residual score if the residual is configured on the risk. I verified this is the case, via testing, via the scripts in Riskutilsbase and riskutilsbase2, and as per the documentation here: https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB0692108

This makes ABSOLUTELY no sense that the calculated score = residual score when NO CONTROLS are applied. Why is this the case? It defies logic.

1 Reply

Sebastien Fix
Giga Guru

There are two key points here:

1. "The calculated risk factor value is calculated as Calculated Risk Factor = (Indicator failure factor + Control failure factor) / 2 & Control failure factor -> Sum of failed controls weighting divided by total controls weighting."

If no controls are mapped, then the Control failure factor is NULL, which means the risk factor value is also NULL, and the Calculated Risk is therefore the same as the residual.
 
BUT!!
 
2. The other key part here is "If the Residual Score is not set, then Calculated Score = Inherent Score."
 
I agree with your logic that if no controls are in place (which is different from case #1 above, where no controls are mapped), then the residual score is either not set at all ("I don't have controls in place, so I only have inherent risk and no residual risk"), or is set to the same value as the inherent risk ("I don't have controls, so my residual risk has the same value as my inherent risk").
 
As per SN rules, if you do not put a residual risk value, calculated risk = inherent. Alternatively, if you put residual = inherent due to lack of controls, then calculated = residual, but then also = inherent.
 
So this works.
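To make the two rules in the reply concrete, here is a small added model of the scoring logic as the thread describes it. This is example code written for this page, not ServiceNow's RiskUtilsBase script or the KB article's implementation. Everything it takes from the thread is labelled; the one thing it adds is an assumed blending line for the case where a risk factor does exist (interpolating from residual toward inherent by the factor), because the thread only covers the null-factor and no-residual cases. The sample risks and control records are constructed for the example.

```javascript
"use strict";

// Constructed sample records, not data exported from any instance.
// Each control carries a weighting and whether its last test failed.
const SAMPLE_RISKS = {
  // Case from the original post: residual set, no controls mapped.
  noControlsWithResidual: {
    inherentScore: 80, residualScore: 40, indicatorFailureFactor: 0.5, controls: []
  },
  // Case 2 from the reply: residual not set at all.
  noControlsNoResidual: {
    inherentScore: 80, residualScore: null, indicatorFailureFactor: 0.5, controls: []
  },
  // Controls mapped and half of their weighting failed.
  halfControlsFailed: {
    inherentScore: 80, residualScore: 40, indicatorFailureFactor: 0.5,
    controls: [
      { name: "MFA enforced on admin accounts", weight: 2, failed: true },
      { name: "Quarterly access review",        weight: 2, failed: false }
    ]
  }
};

// Control failure factor = sum of failed control weightings / total control weighting
// (quoted in the reply). With no controls mapped there is nothing to divide by,
// so the factor is NULL rather than 0; that distinction is the whole point of the thread.
function controlFailureFactor(controls) {
  if (!Array.isArray(controls) || controls.length === 0) return null;
  let total = 0;
  let failed = 0;
  for (const c of controls) {
    total += c.weight;
    if (c.failed) failed += c.weight;
  }
  if (total === 0) return null; // all-zero weightings behave like "no controls"
  return failed / total;
}

// Calculated risk factor = (indicator failure factor + control failure factor) / 2
// (quoted in the reply). A NULL on either side makes the whole factor NULL.
function calculatedRiskFactor(indicatorFailureFactor, controls) {
  const cff = controlFailureFactor(controls);
  if (cff === null || indicatorFailureFactor === null || indicatorFailureFactor === undefined) {
    return null;
  }
  return (indicatorFailureFactor + cff) / 2;
}

// Calculated score, following the two rules from the thread:
//   - residual not set           -> base score is inherent ("Calculated Score = Inherent Score")
//   - risk factor is NULL        -> calculated score = base score (residual, or inherent if unset)
// ASSUMPTION for this example only: when a factor exists, the score interpolates from the
// base toward inherent by that factor. The thread does not state how the factor is applied.
function calculatedScore(risk) {
  const base = (risk.residualScore === null || risk.residualScore === undefined)
    ? risk.inherentScore
    : risk.residualScore;
  const factor = calculatedRiskFactor(risk.indicatorFailureFactor, risk.controls);
  if (factor === null) return base;
  return base + (risk.inherentScore - base) * factor;
}

// Human-readable trace of why a score came out the way it did.
function explain(name, risk) {
  const factor = calculatedRiskFactor(risk.indicatorFailureFactor, risk.controls);
  const why = factor === null
    ? (risk.residualScore === null ? "no residual set -> inherent" : "no controls mapped -> residual")
    : "factor " + factor + " applied";
  return name + ": calculated=" + calculatedScore(risk) + " (" + why + ")";
}

if (typeof require !== "undefined" && require.main === module) {
  for (const [name, risk] of Object.entries(SAMPLE_RISKS)) {
    console.log(explain(name, risk));
  }
}
```

Running it shows the behaviour the original post found surprising: with a residual of 40 and no controls mapped, the factor is NULL and the calculated score stays at 40, while the same risk with no residual set reports 80 (the inherent score). Only the third sample, where controls are actually mapped, produces a factor and moves the score.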