Hi there,
I have implemented some risk assessment questionnaires based on my client requirements. However, once the questionnaire is filled and submitted, the score dis not affected in the scoring tab within the risk record.
Is the scoring automated based on the assessment questions response or it is meant to be manually entered?
PS: this is not vendor risk management but just risk management
Thanks for your help
Fed
Currently, the risk scores are not adjusted based on the answers to the risk assessment. I'm pretty sure that is in the backlog of enhancements. I think it is difficult because customers can change those questions - it is just a survey.
Preethi is right that the SLE and ARO are inherited from the Risk Statement, however it is intended that they should be modified on the registered risk - because as you state the values could be different for each profile.
On the registered risk, in addition to the SLE and ARO you also have the ALE and Score. These are calculated. For Inherent and Residual, the ALE is SLE x ARO. The score is a look up on the Risk Criteria table that Preethi referenced.
The Calculated ALE and thus score are adjusted based on Controls and Indicators. On the Registered Risk there is a tab called Monitoring. there you find the Calculated risk factor. This value is the average of the Control failure factor and the Indicator failure factor.
The control failure factor is driven by control compliancy and their weight.
Indicator failure factor is driven by the result of the indicator. Pass/Fail
Then this formula is used to determine the Calculated ALE
Then the value that is returned is used to look up a risk score on the Risk Rating scale and that is updated in the Calculated Score field.
