Verifying scoring calculations using the classic assessment engine

  • Release version: Zurich
  • Updated March 12, 2026
  • 3 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Verifying scoring calculations using the classic assessment engine

    This guide explains how to verify the accuracy and consistency of scoring and risk ratings in Third-party Risk Management questionnaires using the classic assessment engine. It helps you confirm the correct application of weights, normalized values, scoring methods, and risk rating scales to produce reliable composite risk scores.

    Show full answer Show less

    Verification checklist

    Users with the vendorassessor or vendormanager roles can perform verification actions via the Vendor Management Workspace or VRM Classic interface. Key configurations to review include:

    • Scoring method: Ensure the appropriate scoring method is selected for risk domains, criteria, and components (e.g., Min Risk vs. Average Risk) to align with assessment goals.
    • Weights: Verify weights assigned to risk areas, criteria, components, and questions are accurate and use whole integers (decimals can cause incorrect scoring).
    • Scoring calculations: Confirm that calculations correctly incorporate normalized values and handle unanswered questions appropriately, excluding them from scoring.

    How to view risk ratings

    Risk ratings become available after assessments are completed and scores integrated from providers. You can view risk ratings for:

    • Third parties: Overall computed risk rating, aggregate engagement ratings, subsidiary ratings, and risk intelligence ratings.
    • Engagements: Risk ratings determined by component criteria.
    • Assessments: Ratings based on defined category weights and calculations.
    • Questionnaires: Detailed risk scores and ratings related to specific questions.

    To access these ratings, navigate through Third-party Risk Management records in ServiceNow and select the relevant third party, engagement, assessment, or questionnaire. Related lists provide comprehensive views of risk components, areas, assessments, and more for thorough analysis.

    You can review scores and risk ratings in your questionnaires to help ensure the accuracy and consistency of risk scoring by verifying the correct application of weights, normalized values, scoring methods, and risk rating scales. Based on the different weights you assign, Third-party Risk Management aggregates these values and produces a composite score.

    Verification checklist

    The [sn_vdr_risk_asmt.vendor_assessor] or [sn_vdr_risk_asmt.vendor_manager] role is required to perform all related actions by using the Vendor Management Workspace or VRM Classic user interface. For full descriptions of assessment configuration and set up, see Classic assessment configuration.

    Here are some of the configurations that you can check while reviewing scores and risk ratings:

    Table 1. Checklist items
    Configurations Description
    Scoring method Verify that the correct scoring method has been selected.

    You can select or update scoring methods for risk area domains, risk area criteria, and component criteria. For example, confirm that Min Risk is used instead of Average Risk if that aligns better with your assessment goals.

    For more information, see Define a third-party risk domain, Define third-party risk area criteria, and Define component criteria.
    Weights Verify the accuracy of weights applied to risk areas, risk criteria, risk components, and questions.

    You can apply custom weights to reflect the importance and priority of different types of risk.

    Weight values for questions must be whole integers. Using decimals results in incorrect scores. For example, use 56 and not 0.56.

    For more information on how to assign or update weights, see Define a third-party risk domain, Define third-party risk area criteria, Define component criteria, and Define a question.
    Scoring calculations Verify that calculations, normalized values, and unanswered questions are behaving as expected. For example, confirm that you’re accounting for unanswered questions not being included as part of the scoring calculation.

    For information on the different formulas used to calculate scores and ratings, see Scoring calculations using the classic assessment engine.

    For information on how to use normalized values to calculate assessment scores for Choice or Multiple Selection questions with the scored check box not selected Normalize the scores for metrics.

    How to view risk ratings

    You can view risk ratings for individual third parties, engagements, assessments, and questionnaires.
    The following risk ratings are available to view.
    • Computed risk rating: The overall risk rating for the third party, calculated after the assessment.
    • Third party rating: An aggregate of all engagement ratings.
    • Engagement risk rating: Determined by the component criteria
    • Subsidiary risk rating: If company1 has company2 and company3 as subsidiaries, the aggregate of final ratings on company2 and company3 are the subsidiary ratings on company1.
    • Risk intelligence rating: Aggregate of all provider ratings.
    • Assessment rating: Determined by weights defined by category, calculations, and more.
    Note:
    Risk ratings and scores are only available to view after assessments have been completed and scores have been integrated from a provider.
    You can view all associated ratings for a third party by navigating to its Risk ratings related list. Navigate to All > Third-party Risk Management > Third Parties > All Third Parties and select the third party you want. The following example shows you can view all available risk ratings as well as the Third-party risk components, Third-party risk areas, Assessments, Tiering assessments, Repeating assessments related lists, and more.
    Figure 1. Example of a third-party record
    Risk ratings and associated background information available for a Third party record.
    You can view all associated ratings for an engagement by navigating to its Risk ratings related list. Navigate to All > Third-party Risk Management > Engagements > All Engagements and select the engagement you want. The following example shows you can view all available risk ratings as well as the Engagement risk components, Third-party risk areas, Assessments, Tiering assessments, Repeating assessments related lists, and more.
    Figure 2. Example of an engagement record
    Risk ratings and associated background information for an engagement record.
    You can view all associated ratings for an assessment by navigating to its Risk ratings related list. Navigate to All > Third-party Risk Management > External Risk Assessments > All Assessments and then select the assessment you want. The following example shows you can view all available risk ratings as well as the Third-party risk areas, Questionnaires, Document requests, Downstream supplier related lists, and more.
    Figure 3. Example of assessment record
    Risk ratings and associated background information available for an assessment record.
    You can view all associated ratings for a questionnaire by navigating to its Risk ratings list. After navigating to an assessment, select the questionnaire you want to view. The following example shows you can view all available risk ratings, risk scores, and more.
    Figure 4. Example of a questionnaire record
    Risk ratings and scores available in questionnaire record.