Verifying risk ratings and scoring calculations

  • Release version: Washingtondc
  • Updated January 30, 2025
  • 3 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Verifying risk ratings and scoring calculations

    This guide enables ServiceNow customers to verify risk ratings and scoring calculations within Third-party Risk Management. It emphasizes the importance of ensuring accurate and consistent risk scoring by checking the application of weights, normalized values, and scoring methods.

    Show full answer Show less

    Key Features

    • Verification Checklist: Requires the [snvdrriskasmt.vendorassessor] or [snvdrriskasmt.vendormanager] role for actions via Vendor Management Workspace or VRM Classic.
    • Configurations to Review:
      • Scoring Method: Confirm the correct scoring method aligns with assessment goals.
      • Weights: Ensure weights applied are accurate and whole integers to avoid incorrect scores.
      • Scoring Calculations: Verify that calculations, normalized values, and treatment of unanswered questions are correct.
    • Viewing Risk Ratings: Risk ratings can be viewed for third parties, engagements, assessments, and questionnaires, following completion of assessments.

    Key Outcomes

    By following this guide, customers can ensure the integrity of their risk assessments, resulting in accurate risk ratings that inform decision-making. Accessing and reviewing risk ratings allows for enhanced visibility into the risks associated with third parties and engagements.

    You can review scores and risk ratings in your questionnaires to help ensure the accuracy and consistency of risk scoring by verifying the correct application of weights, normalized values, scoring methods, and risk rating scales. Based on the different weights you assign, Third-party Risk Management averages these values and produces a composite score for the overall risk.

    Verification checklist

    The [sn_vdr_risk_asmt.vendor_assessor] or [sn_vdr_risk_asmt.vendor_manager] role is required to perform all related actions by using the Vendor Management Workspace or VRM Classic user interface. For full descriptions of assessment configuration and set up, see Assessment configuration.

    Here are some of the configurations that you can check while reviewing scores and risk ratings:

    Table 1. Checklist items
    Configurations Description
    Scoring method Verify that the correct scoring method has been selected.

    You can select or update scoring methods for risk area domains, risk area criteria, and component criteria. For example, confirm that Min Risk is used instead of Average Risk if that aligns better with your assessment goals.

    For more information, see Define a third-party risk domain, Define third-party risk area criteria, and Define component criteria.
    Weights Verify the accuracy of weights applied to risk areas, risk criteria, risk components, and questions.

    You can apply custom weights to reflect the importance and priority of different types of risk.

    Weight values for questions must be whole integers. Using decimals results in incorrect scores. For example, use 56 and not 0.56.

    For more information on how to assign or update weights, see Define a third-party risk domain, Define third-party risk area criteria, Define component criteria, and Define a question.
    Scoring calculations Verify that calculations, normalized values, and unanswered questions are behaving as expected. For example, confirm that you’re accounting for unanswered questions not being included as part of the scoring calculation.

    For information on the different formulas used to calculate scores and ratings, see Third-party risk ratings and scoring calculations.

    For information on how to use normalized values to calculate assessment scores for Choice or Multiple Selection questions with the scored check box not selected Normalize the scores for metrics.

    How to view risk ratings

    You can view risk ratings for individual third parties, engagements, assessments, and questionnaires.
    The following risk ratings are available to view.
    • Computed risk rating: The overall risk rating for the third party, calculated after the assessment.
    • Third party rating: An aggregate of all engagement ratings.
    • Engagement risk rating: Determined by the component criteria
    • Subsidiary risk rating: If company1 has company2 and company3 as subsidiaries, the aggregate of final ratings on company2 and company3 are the subsidiary ratings on company1.
    • Risk intelligence rating: Aggregate of all provider ratings.
    • Assessment rating: Determined by weights defined by category, calculations, and more.
    Note:
    Risk ratings and scores are only available to view after assessments have been completed and scores have been integrated from a provider.
    You can view all associated ratings for a third party by navigating to its Risk ratings related list. Navigate to All > Third-party Risk Management > Third Parties > All Third Parties and select the third party you want. The following example shows you can view all available risk ratings as well as the Third-party risk components, Third-party risk areas, Assessments, Tiering assessments, Repeating assessments related lists, and more.
    Figure 1. Example of a third-party record
    Risk ratings and associated background information available for a Third party record.
    You can view all associated ratings for an engagement by navigating to its Risk ratings related list. Navigate to All > Third-party Risk Management > Engagements > All Engagements and select the engagement you want. The following example shows you can view all available risk ratings as well as the Engagement risk components, Third-party risk areas, Assessments, Tiering assessments, Repeating assessments related lists, and more.
    Figure 2. Example of an engagement record
    Risk ratings and associated background information for an engagement record.
    You can view all associated ratings for an assessment by navigating to its Risk ratings related list. Navigate to All > Third-party Risk Management > External Risk Assessments > All Assessments and then select the assessment you want. The following example shows you can view all available risk ratings as well as the Third-party risk areas, Questionnaires, Document requests, Downstream supplier related lists, and more.
    Figure 3. Example of assessment record
    Risk ratings and associated background information available for an assessment record.
    You can view all associated ratings for a questionnaire by navigating to its Risk ratings list. After navigating to an assessment, select the questionnaire you want to view. The following example shows you can view all available risk ratings, risk scores, and more.
    Figure 4. Example of a questionnaire record
    Risk ratings and scores available in questionnaire record.