07-10-2020 12:15 AM
Hi All,
Can someone help me understand how the residual score and calculated score are updated based on controls tied to risks? Are the control compliance factor and risk factor used in this calculation? Does this update even before controls are added to mitigate the risk, or does it get recalculated when controls are added for the mitigation task for the specific risk? If it does not calculate the first time, then what is the purpose of inheriting controls to risks?
Thanks,
Neeraja.
Labels: Risk Management
07-11-2020 02:38 AM
Hi Neeraja
So the residual risk is what the risk score will be after controls are implemented. The inherent is the risk without any form of controls or mitigating actions.
The calculated risk score shows the current risk score. The value lies between the inherent risk and the residual risk. It takes the compliance + weight of the associated controls into account.
For instance, if your inherent risk is 3 and the residual risk is 1, and you have two controls associated with the same weight which are compliant, the calculated risk score is 1. However, if one or more of the controls become non-compliant the calculated score will move closer towards the inherent score.
I hope this helps.
Best regards
Nicklas Jepsen
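The scoring Nicklas describes above, as an added illustrative model that is not ServiceNow's own code (the platform's actual formula is on the slide referenced later in the thread, not on this page): the calculated score is assumed to move linearly between the residual and inherent scores according to the weighted share of compliant, directly linked controls, and with no linked controls it equals the residual. Control names and weights are constructed sample values.

```python
"""Illustrative model of the "original" (non-ARA) risk scoring described in the thread.

Assumed model (not ServiceNow's documented formula):
  compliance_factor = weighted share of compliant controls directly linked to the risk
  calculated        = residual + (inherent - residual) * (1 - compliance_factor)
With no linked controls the compliance factor is treated as 1, so calculated == residual.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    name: str
    weight: float       # relative weight of the control in the risk's compliance factor
    compliant: bool     # current compliance state of the control


def compliance_factor(controls):
    """Weighted fraction of linked controls that are compliant (1.0 when none are linked)."""
    total = sum(c.weight for c in controls)
    if total <= 0:
        return 1.0
    return sum(c.weight for c in controls if c.compliant) / total


def calculated_score(inherent, residual, controls):
    """Score between residual (all controls compliant) and inherent (none compliant)."""
    if residual > inherent:
        raise ValueError("residual score cannot exceed inherent score")
    return residual + (inherent - residual) * (1.0 - compliance_factor(controls))


# Constructed sample mirroring the reply: inherent 3, residual 1, two equally weighted controls.
INHERENT, RESIDUAL = 3.0, 1.0
both_ok = [Control("MFA enforced", 1.0, True), Control("Quarterly access review", 1.0, True)]
one_failed = [Control("MFA enforced", 1.0, True), Control("Quarterly access review", 1.0, False)]

if __name__ == "__main__":
    print(calculated_score(INHERENT, RESIDUAL, both_ok))      # 1.0  (equals residual)
    print(calculated_score(INHERENT, RESIDUAL, one_failed))   # 2.0  (halfway back toward inherent)
    print(calculated_score(INHERENT, RESIDUAL, []))           # 1.0  (no controls -> residual)
```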

07-11-2020 06:22 AM
Good description
Please note that you may get confused if you look at the Product Docs. ServiceNow introduced Advanced Risk Assessment (ARA), which handles risk scoring very differently. Based on your questions, you are not using ARA. You are using what I refer to as the "original risk assessment" process.
When there are no controls or indicators related to a risk, then the Residual ALE and the Calculated ALE will be the same.
I thought I could find the description in the Product docs and point you to it. It may be there, but so much of what is there now relates to ARA. Here is a slide I use to explain it - this has the formula on it.
07-14-2020 05:15 PM
Thank you for your reply, Nicklas. When you say controls, do you mean controls inherited onto the risk? Say, for example, I am mitigating a risk and that risk already has inherited controls; now how do I ensure these controls are considered in the mitigation task created in response to mitigating the risk? Does that mean the risk factor was calculated right when the control was set up and not actually while mitigating the risk?
Any inputs are highly appreciated.
07-14-2020 11:58 PM
Hey Neeraja,
"When you say controls do you mean controls inherited onto risk?" Yes exactly.
Part of the mitigation plan could be to implement controls to lower the risk, these controls would then have to be directly linked to the risk.
If controls are added to the remediation plan, these controls will then be added to the risk once the task is completed and the risk set to monitor.
The risk factor only looks at the controls that are directly linked to the risk (see above screenshot)
Let me know if you require further clarification 🙂
Best regards,
Nicklas Jepsen