Residual risk score calculation with non-compliant controls

Trey7
Tera Contributor

Where in the configuration does the residual risk calculation take into account any non-compliant controls? My assumption is that the residual risk score should automatically be lowered if there is an associated non-compliant control.


AlexFiedler
Tera Contributor

The Residual risk calculation will depend on what is configured in the RAM and how it treats the related control effectiveness. There are different calculation options such as simple subtraction of Inherent Risk Rating Score - Control Effectiveness Score. There are others such as division. It will also depend on how your Control Effectiveness Score is calculated, e.g. using the minimum score across your controls, an average or weighted average.


More generally though, I would not expect that your residual score would reduce if you have non-compliant controls. It would likely depend on whether there are a number of different controls and what your calculated control score is, as well as how you use that score in your residual risk rating calculations (if any).


Happy to look at a bit more detail if you can post the RAM configuration. 


Cheers,

Alex


If this response has helped, please mark as helpful.
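The reply above names several ways a RAM can be configured: the control effectiveness score can be the minimum, the average or a weighted average across the related controls, and the residual rating can be derived from the inherent rating by subtraction (or another operator such as division). The following is an added illustration of those options, not ServiceNow's own code; the control records, the inherent rating of 80 and the exact form of the "division" variant are assumptions chosen to show how a single non-compliant control (effectiveness 0) moves the result under each aggregation method.

```python
from statistics import mean

# Constructed control-effectiveness records (assumed, not from the thread):
# (control name, effectiveness as a 0-100 percentage, weight in the RAM)
CONTROLS = [
    ("MFA enforced on admin accounts", 90.0, 3.0),
    ("Quarterly access review", 60.0, 1.0),
    ("Backup restore test", 0.0, 2.0),   # non-compliant control: contributes 0 effectiveness
]


def control_effectiveness(controls, method="minimum"):
    """Aggregate per-control effectiveness the way the RAM option selects.

    method: "minimum" (lowest control wins), "average" (plain mean) or
    "weighted" (mean weighted by each control's configured weight).
    """
    scores = [score for _, score, _ in controls]
    if method == "minimum":
        return min(scores)
    if method == "average":
        return mean(scores)
    if method == "weighted":
        total_weight = sum(weight for _, _, weight in controls)
        return sum(score * weight for _, score, weight in controls) / total_weight
    raise ValueError(f"unknown aggregation method: {method}")


def residual_rating(inherent, effectiveness, method="subtract"):
    """Derive the residual rating from the inherent rating and control effectiveness.

    "subtract": inherent - effectiveness, floored at 0.
    "divide": an assumed division form, inherent / (1 + effectiveness/100),
    chosen only to illustrate that a different operator can be configured.
    """
    if method == "subtract":
        return max(inherent - effectiveness, 0.0)
    if method == "divide":
        return inherent / (1 + effectiveness / 100)
    raise ValueError(f"unknown residual method: {method}")


def residual_table(controls, inherent):
    """Residual rating for each aggregation method, using subtraction."""
    return {
        m: residual_rating(inherent, control_effectiveness(controls, m))
        for m in ("minimum", "average", "weighted")
    }


if __name__ == "__main__":
    # Assumed inherent risk rating of 80 on a 0-100 scale.
    for method, residual in residual_table(CONTROLS, 80.0).items():
        print(f"{method:>8}: effectiveness={control_effectiveness(CONTROLS, method):5.1f} "
              f"residual={residual:5.1f}")
```

With the "minimum" option the failed control drags effectiveness to 0 and the residual rating stays equal to the inherent rating; with "average" or "weighted" the failure lowers the control score only partially, so the residual rating rises relative to a fully compliant set of controls rather than falling, which is the behaviour the reply describes.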

Satishkumar B
Giga Sage

Hi @Trey7 

The inherent and residual scores for risk are calculated using the risk criteria, likelihood, and impact. Use the following calculations to score risks:
  • Qualitative Inherent ALE = Inherent ARO x Inherent SLE
  • Qualitative Inherent Score = Inherent Likelihood x Inherent impact
  • Quantitative Residual ALE = Residual ARO x Residual SLE
  • Qualitative Residual Score = Residual SLE

When scoring is set to qualitative, the quantitative values are updated in the background.

The Calculated Score for risk is a read-only field designed to quickly assess a risk affecting the organization, and identify threats and areas of non-compliance. 

If controls are implemented to mitigate risk, then 

  • Calculated ALE = Residual ALE + ((Inherent ALE - Residual ALE) * (Calculated Risk Factor / 100)). 
  • So: Calculated Score = Residual Score only if Compliance with the controls is 100%. 

If the Calculated Score > Residual Score, the organization is not 100% compliant with the controls used to mitigate risk. 

Meaning that the Calculated Score can never be less than the Residual Score or greater than the Inherent Score.

If controls are not implemented to mitigate risk, then Calculated Score = Residual Score

If the Residual Score is not set, then Calculated Score = Inherent Score

The calculated risk factor value is calculated as:

  • Calculated Risk Factor = (Indicator failure factor + Control failure factor) / 2 

Control failure factor -> Sum of the failed controls' weighting divided by the total controls' weighting.

Indicator failure factor -> Uses the last result of each associated indicator. The number of last results failed divided by the total number of indicators associated.


Happy Learning 😃
Mark it helpful 👍 and Accept Solution!! If this helps you to understand.
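The reply above gives the Calculated Score relationship and the two failure factors that feed the Calculated Risk Factor. The script below is an added walk-through of those formulas, written here for illustration and not taken from ServiceNow's implementation; the control and indicator records, the ALE values and the convention that both failure factors are expressed as percentages (so that the "/ 100" in the Calculated ALE formula applies) are assumptions.

```python
# Constructed sample data (assumed, not from the thread).
# Controls: (name, weight, last test failed?)
CONTROLS = [
    ("Encryption at rest", 2.0, False),
    ("Privileged access review", 1.0, True),   # non-compliant
    ("Patch SLA met", 1.0, True),              # non-compliant
]
# Indicators: (name, last result failed?)
INDICATORS = [
    ("Patch latency under 30 days", False),
    ("Zero open critical vulnerabilities", True),
]


def control_failure_factor(controls):
    """Failed controls' weighting / total controls' weighting, as a percentage."""
    total = sum(weight for _, weight, _ in controls)
    if total == 0:
        return 0.0
    failed = sum(weight for _, weight, is_failed in controls if is_failed)
    return failed / total * 100


def indicator_failure_factor(indicators):
    """Indicators whose last result failed / total indicators, as a percentage."""
    if not indicators:
        return 0.0
    failed = sum(1 for _, is_failed in indicators if is_failed)
    return failed / len(indicators) * 100


def calculated_risk_factor(controls, indicators):
    """(Indicator failure factor + Control failure factor) / 2, as given in the reply."""
    return (indicator_failure_factor(indicators) + control_failure_factor(controls)) / 2


def calculated_ale(inherent_ale, residual_ale, risk_factor_pct, controls_implemented=True):
    """Calculated ALE per the reply's three cases.

    - no residual set            -> inherent
    - controls not implemented   -> residual
    - controls implemented       -> residual + (inherent - residual) * factor/100
    """
    if residual_ale is None:
        return inherent_ale
    if not controls_implemented:
        return residual_ale
    return residual_ale + (inherent_ale - residual_ale) * (risk_factor_pct / 100)


def fully_compliant(inherent_ale, residual_ale, calculated):
    """True only when Calculated == Residual, i.e. 100% compliance with the controls."""
    assert residual_ale <= calculated <= inherent_ale, "calculated must stay within [residual, inherent]"
    return calculated == residual_ale


if __name__ == "__main__":
    inherent, residual = 100_000.0, 20_000.0   # assumed annualised loss figures
    factor = calculated_risk_factor(CONTROLS, INDICATORS)
    calc = calculated_ale(inherent, residual, factor)
    print(f"control failure factor   = {control_failure_factor(CONTROLS):.1f}%")
    print(f"indicator failure factor = {indicator_failure_factor(INDICATORS):.1f}%")
    print(f"calculated risk factor   = {factor:.1f}%")
    print(f"calculated ALE           = {calc:,.0f}  (residual {residual:,.0f}, inherent {inherent:,.0f})")
    print("fully compliant:", fully_compliant(inherent, residual, calc))
```

With two of the three controls failed (half the weighting) and one of two indicators failed, the Calculated Risk Factor is 50% and the Calculated ALE lands midway between residual and inherent; driving every failure to zero collapses it back to the residual value, while failing everything pushes it up to the inherent value, which is the bound the reply states.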

Community Alums
Not applicable

Hi @Satishkumar B ,

Please do not re-use the content without giving credit; otherwise you should be using new content.

The answer has been given in my post: https://www.servicenow.com/community/grc-forum/inherit-and-residual-risk-scores-calculation/m-p/2352...