Risk Management Scoring

Issue

This article explains the calculations in Risk Management scoring.

Risk Scoring Calculations

The inherent and residual scores for risk are calculated using the risk criteria, likelihood, and impact. Use the following calculations to score risks:

Qualitative Inherent ALE = Inherent ARO x Inherent SLE
Qualitative Inherent Score = Inherent Likelihood x Inherent Impact
Quantitative Residual ALE = Residual ARO x Residual SLE
Qualitative Residual Score = Residual SLE

When scoring is set to qualitative, the quantitative values are updated in the background.

The Calculated Score for risk is a read-only field designed to quickly assess a risk affecting the organization, and identify threats and areas of non-compliance.

If controls are implemented to mitigate risk, then:

Calculated ALE = Residual ALE + ((Inherent ALE - Residual ALE) * (Calculated Risk Factor / 100))

So Calculated Score = Residual Score only if compliance with the controls is 100%. If the Calculated Score > Residual Score, the organization is not 100% compliant with the controls used to mitigate risk. This means that the Calculated Score can never be less than the Residual Score or greater than the Inherent Score.

If controls are not implemented to mitigate risk, then Calculated Score = Residual Score.

If the Residual Score is not set, then Calculated Score = Inherent Score.

The calculated risk factor value is calculated as:

Calculated Risk Factor = (Indicator failure factor + Control failure factor) / 2

Control failure factor: the sum of failed controls weighting divided by the total controls weighting.
Indicator failure factor: uses the last result of each associated indicator. It is the number of last results that failed divided by the total number of indicators associated.

Release

Jakarta and newer

Related Links

Manage risks, risk statements, and risk frameworks
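The Calculated ALE calculation above, worked through in Python as an added example that is not ServiceNow's own code; all function and parameter names are hypothetical. It assumes both failure factors are expressed as percentages (0 to 100), that having no associated indicators or zero total weighting contributes a factor of 0, and that the fallback rules the article states for scores apply equally to ALE values.

```python
from typing import Optional, Sequence, Tuple

# Added illustration; names are hypothetical, not a ServiceNow API.
Control = Tuple[float, bool]  # (weighting, failed?)


def control_failure_factor(controls: Sequence[Control]) -> float:
    """Sum of failed controls weighting / total controls weighting, as a percent."""
    total = sum(weight for weight, _ in controls)
    if total <= 0:
        return 0.0  # assumption: no weighting means no measurable failure
    failed = sum(weight for weight, is_failed in controls if is_failed)
    return 100.0 * failed / total


def indicator_failure_factor(last_result_failed: Sequence[bool]) -> float:
    """Failed last results / associated indicators, as a percent."""
    if not last_result_failed:
        return 0.0  # assumption: no associated indicators contributes 0
    return 100.0 * sum(last_result_failed) / len(last_result_failed)


def calculated_risk_factor(controls: Sequence[Control],
                           last_result_failed: Sequence[bool]) -> float:
    return (indicator_failure_factor(last_result_failed)
            + control_failure_factor(controls)) / 2


def calculated_ale(inherent_ale: float, residual_ale: Optional[float],
                   controls: Sequence[Control],
                   last_result_failed: Sequence[bool]) -> float:
    if residual_ale is None:   # residual not set: fall back to inherent
        return inherent_ale
    if not controls:           # no mitigating controls: residual is used as-is
        return residual_ale
    factor = calculated_risk_factor(controls, last_result_failed)
    # Interpolates between residual (factor 0) and inherent (factor 100).
    return residual_ale + (inherent_ale - residual_ale) * factor / 100.0


# Constructed sample data: three weighted controls (one failed) and the last
# result of four indicators (one failed).
SAMPLE_CONTROLS = [(10, False), (30, True), (60, False)]
SAMPLE_INDICATORS_FAILED = [True, False, False, False]

if __name__ == "__main__":
    print(calculated_ale(100_000, 20_000, SAMPLE_CONTROLS, SAMPLE_INDICATORS_FAILED))
```

With the sample data the control failure factor is 30, the indicator failure factor is 25, and the risk factor is 27.5, so the calculated ALE sits 27.5% of the way from the residual ALE up to the inherent ALE.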