Risk Management Qualitative Scoring weights
03-05-2025 10:42 AM
Hey Community,
How can I locate the weighting that is being used to calculate inherent and residual scores, assuming we are using Qualitative scoring?
Just looking at the score that is being set, it seems that there is weighting happening in the background. For instance, if Impact is 2 - Low and Likelihood is 5 - Extremely Likely, then the inherent score is set to 2 - low. However, if Impact is 5 - Very High and Likelihood is 2 - Unlikely, then the score is set to 3 - Moderate.
Any help would be greatly appreciated.
03-05-2025 06:12 PM
Hi @TP8 ,
- Qualitative Inherent ALE = Inherent ARO x Inherent SLE
- Qualitative Inherent Score = Inherent Likelihood x Inherent impact
- Quantitative Residual ALE = Residual ARO x Residual SLE
- Qualitative Residual Score = Residual SLE
When scoring is set to qualitative, the quantitative values are updated in the background.
The Calculated Score for risk is a read-only field designed to quickly assess a risk affecting the organization, and identify threats and areas of non-compliance.
If controls are implemented to mitigate risk, then
- Calculated ALE = Residual ALE + ((Inherent ALE - Residual ALE) * (Calculated Risk Factor / 100)).
- So: Calculated Score = Residual Score only if Compliance with the controls is 100%.
If the Calculated Score > Residual Score, the organization is not 100% compliant with the controls used to mitigate risk.
Meaning that the Calculated Score can never be less than the Residual Score or greater than the Inherent Score.
If controls are not implemented to mitigate risk, then Calculated Score = Residual Score.
If the Residual Score is not set, then Calculated Score = Inherent Score.
The calculated risk factor value is calculated as:
- Calculated Risk Factor = (Indicator failure factor + Control failure factor) / 2
Control failure factor -> Sum of failed controls weighting divided by total controls weighting.
Indicator failure factor -> Uses the last result of each associated indicator. The number of last results failed divided by the total number of indicators associated.
From KB: KB0692108
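The formulas in the reply above, worked through as an added example (not ServiceNow's code and not part of the original post). It assumes both failure factors are expressed as percentages so that the `/ 100` in the Calculated ALE formula applies, that a risk with no indicators has an indicator failure factor of 0, and that the fallbacks the reply states for the Calculated Score also apply to the ALE; the class and function names are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass
class Control:
    weighting: float  # relative weight of the control (constructed sample values below)
    failed: bool      # True if the control is currently non-compliant


def control_failure_factor(controls: Sequence[Control]) -> float:
    """Sum of failed controls' weighting / total controls' weighting, as a percentage."""
    total = sum(c.weighting for c in controls)
    if total == 0:
        return 0.0
    return 100.0 * sum(c.weighting for c in controls if c.failed) / total


def indicator_failure_factor(last_results_passed: Sequence[bool]) -> float:
    """Failed last results / number of associated indicators, as a percentage."""
    if not last_results_passed:
        return 0.0  # assumption: no indicators means no indicator failures
    failed = sum(1 for ok in last_results_passed if not ok)
    return 100.0 * failed / len(last_results_passed)


def calculated_risk_factor(controls, last_results_passed) -> float:
    return (indicator_failure_factor(last_results_passed)
            + control_failure_factor(controls)) / 2


def calculated_ale(inherent_ale: float, residual_ale: Optional[float],
                   controls: Sequence[Control],
                   last_results_passed: Sequence[bool]) -> float:
    if residual_ale is None:   # residual not set -> fall back to inherent
        return inherent_ale
    if not controls:           # no mitigating controls -> residual
        return residual_ale
    factor = calculated_risk_factor(controls, last_results_passed)
    # Linear interpolation between residual (factor 0) and inherent (factor 100).
    return residual_ale + (inherent_ale - residual_ale) * (factor / 100)


if __name__ == "__main__":
    # Constructed sample: one passing control (weight 10), one failed (weight 30),
    # two indicators whose last results are pass and fail.
    controls = [Control(10, False), Control(30, True)]
    print(calculated_risk_factor(controls, [True, False]))          # 62.5
    print(calculated_ale(100_000, 20_000, controls, [True, False]))  # 70000.0
```

With every control and indicator passing the result equals the Residual ALE, and with all of them failing it equals the Inherent ALE, which is the bound the reply describes.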
03-06-2025 05:16 AM
Hello Sandeep,
Thank you for posting that knowledge article; however, that does not answer the issue that we are having. According to that Knowledge Article, the scoring is calculated by:
- Qualitative Inherent Score = Inherent Likelihood x Inherent impact
But if that is the case, then why is it that if Impact is 2 - Low and Likelihood is 5 - Extremely Likely, the inherent score is set to 2 - low? However, if Impact is 5 - Very High and Likelihood is 2 - Unlikely, then the score is set to 3 - Moderate.
It definitely seems like there is some weighting happening either to Impact or Likelihood.
Any help is much appreciated.