Hi @Gagandeep6 ,
The Vulnerable Item 'Business Impact' is controlled by a Calculator Group called (Risk Score). Within the Calculator Group there is a calculator record that controls how this is computed in the baseline:
Computed Risk Score - Calculator (London)
Basic Risk Score - Calculator (Kingston)
This particular page on the product docs site, describes how the Vulnerable Item's 'Business Impact' value is calculated:
https://docs.servicenow.com/bundle/kingston-security-management/page/product/vulnerability-response/...
The script performs the following functions:
First, it creates a list of all CIs that are linked to the vulnerable item and any business services that are marked as depending on the CI.
It queries and gets results of services that have business criticality (where criticality is not null), and orders them with the most critical ones first.
It gets the choice lists for the vulnerable item and business criticality fields.
If there are no business services in the list, the criticality is set to the lowest level.
If there are business services in the list, the business criticality for all services is calculated.
The weight of each vulnerable item is picked up from its CVSS score and is used to compute the new criticality.
Reference to the community link for more explanation
https://www.servicenow.com/community/secops-forum/business-impact-and-priority-on-vulnerable-items/m...)
Thanks,
Danish
