Verifying scoring calculations using the classic assessment engine

Release version: Australia

Updated March 12, 2026

3 minutes to read

Summarize

Summarized using AI

Summary of Verifying scoring calculations using the classic assessment engine

This guide helps ServiceNow customers verify the accuracy and consistency of risk scoring in third-party risk questionnaires using the classic assessment engine. It focuses on confirming that weights, normalized values, scoring methods, and risk rating scales are correctly applied to produce reliable composite scores in Third-party Risk Management.

Show full answer Show less

Verification Checklist

Users with snvdrriskasmt.vendorassessor or snvdrriskasmt.vendormanager roles can perform verification actions via the Vendor Management Workspace or VRM Classic interface. Key configurations to review include:

Scoring Method: Ensure the correct method is selected for risk domains, criteria, and components (e.g., using Min Risk instead of Average Risk if appropriate).
Weights: Check the accuracy of weights assigned to risk areas, criteria, components, and questions. Weights must be whole integers to avoid incorrect scores (e.g., use 56, not 0.56).
Scoring Calculations: Validate calculations including normalized values and treatment of unanswered questions, which should be excluded from scoring. Understanding the formulas used is critical for accurate score verification.

Viewing Risk Ratings

Risk ratings can be viewed for third parties, engagements, assessments, and questionnaires after assessments are completed and scores integrated from providers. Available rating types include:

Computed Risk Rating: Overall risk for the third party post-assessment.
Third Party Rating: Aggregate of all engagement ratings.
Engagement Risk Rating: Based on component criteria.
Subsidiary Risk Rating: Aggregate ratings of subsidiaries rolled up to parent companies.
Risk Intelligence Rating: Aggregate of all provider ratings.
Assessment Rating: Determined by category weights and scoring calculations.

To view these ratings, navigate through Third-party Risk Management records in ServiceNow, such as Third Parties, Engagements, Assessments, or Questionnaires, and access their respective Risk ratings related lists.

Practical Benefits

By following this verification process, ServiceNow customers can ensure that their third-party risk assessments produce accurate and meaningful scores and risk ratings. This supports informed decision-making in vendor risk management and helps maintain a consistent, reliable risk evaluation framework.

You can review scores and risk ratings in your questionnaires to help ensure the accuracy and consistency of risk scoring by verifying the correct application of weights, normalized values, scoring methods, and risk rating scales. Based on the different weights you assign, Third-party Risk Management aggregates these values and produces a composite score.

Verification checklist

The [sn_vdr_risk_asmt.vendor_assessor] or [sn_vdr_risk_asmt.vendor_manager] role is required to perform all related actions by using the Vendor Management Workspace or VRM Classic user interface. For full descriptions of assessment configuration and set up, see Classic assessment configuration.

Here are some of the configurations that you can check while reviewing scores and risk ratings:

Table 1. Checklist items
Configurations	Description
Scoring method	Verify that the correct scoring method has been selected. You can select or update scoring methods for risk area domains, risk area criteria, and component criteria. For example, confirm that Min Risk is used instead of Average Risk if that aligns better with your assessment goals. For more information, see Define a third-party risk domain, Define third-party risk area criteria, and Define component criteria.
Weights	Verify the accuracy of weights applied to risk areas, risk criteria, risk components, and questions. You can apply custom weights to reflect the importance and priority of different types of risk. Weight values for questions must be whole integers. Using decimals results in incorrect scores. For example, use 56 and not 0.56. For more information on how to assign or update weights, see Define a third-party risk domain, Define third-party risk area criteria, Define component criteria, and Define a question.
Scoring calculations	Verify that calculations, normalized values, and unanswered questions are behaving as expected. For example, confirm that you’re accounting for unanswered questions not being included as part of the scoring calculation. For information on the different formulas used to calculate scores and ratings, see Scoring calculations using the classic assessment engine. For information on how to use normalized values to calculate assessment scores for Choice or Multiple Selection questions with the scored check box not selected Normalize the scores for metrics.

How to view risk ratings

You can view risk ratings for individual third parties, engagements, assessments, and questionnaires.

The following risk ratings are available to view.

Computed risk rating: The overall risk rating for the third party, calculated after the assessment.
Third party rating: An aggregate of all engagement ratings.
Engagement risk rating: Determined by the component criteria
Subsidiary risk rating: If company1 has company2 and company3 as subsidiaries, the aggregate of final ratings on company2 and company3 are the subsidiary ratings on company1.
Risk intelligence rating: Aggregate of all provider ratings.
Assessment rating: Determined by weights defined by category, calculations, and more.

Note:

Risk ratings and scores are only available to view after assessments have been completed and scores have been integrated from a provider.

You can view all associated ratings for a third party by navigating to its Risk ratings related list. Navigate to All > Third-party Risk Management > Third Parties > All Third Parties and select the third party you want. The following example shows you can view all available risk ratings as well as the Third-party risk components, Third-party risk areas, Assessments, Tiering assessments, Repeating assessments related lists, and more.

Risk ratings and associated background information available for a Third party record. — Figure 1. Example of a third-party record

You can view all associated ratings for an engagement by navigating to its Risk ratings related list. Navigate to All > Third-party Risk Management > Engagements > All Engagements and select the engagement you want. The following example shows you can view all available risk ratings as well as the Engagement risk components, Third-party risk areas, Assessments, Tiering assessments, Repeating assessments related lists, and more.

Risk ratings and associated background information for an engagement record. — Figure 2. Example of an engagement record

You can view all associated ratings for an assessment by navigating to its Risk ratings related list. Navigate to All > Third-party Risk Management > External Risk Assessments > All Assessments and then select the assessment you want. The following example shows you can view all available risk ratings as well as the Third-party risk areas, Questionnaires, Document requests, Downstream supplier related lists, and more.

Risk ratings and associated background information available for an assessment record. — Figure 3. Example of assessment record

You can view all associated ratings for a questionnaire by navigating to its Risk ratings list. After navigating to an assessment, select the questionnaire you want to view. The following example shows you can view all available risk ratings, risk scores, and more.

Risk ratings and scores available in questionnaire record. — Figure 4. Example of a questionnaire record