Risk Management Scoring



The calculations used in Risk Management scoring are explained below.

Risk Scoring Calculations

The inherent and residual scores for a risk are calculated using the risk criteria, likelihood, and impact. 
Use the following calculations to score risks. 
• Qualitative Inherent ALE = Inherent ARO x Inherent SLE 
• Qualitative Inherent Score = Inherent Likelihood x Inherent Impact 
• Quantitative Residual ALE = Residual ARO x Residual SLE 
• Qualitative Residual Score = Residual SLE 
When scoring is set to qualitative, the quantitative values are updated in the background. 
The Calculated Score for a risk is a read-only field designed to quickly assess a risk affecting the organization and to identify threats and areas of non-compliance. 
If controls are implemented to mitigate risk, then 
Calculated ALE = Residual ALE + ((Inherent ALE - Residual ALE) * (Calculated Risk Factor / 100)). 
Thus Calculated Score = Residual Score only if Compliance with the controls is 100%. 
If the Calculated Score > Residual Score, the organization is not 100% compliant with the controls used to mitigate a risk. 
This means that the Calculated Score can never be less than the Residual Score or greater than the Inherent Score. 
If controls are not implemented to mitigate risk, then Calculated Score = Residual Score. 
If the Residual Score is not set, then Calculated Score = Inherent Score. 
The Calculated Risk Factor is computed as 
Calculated Risk Factor = (Indicator failure factor + Control failure factor) / 2 
• Control failure factor = the sum of the weightings of the failed controls divided by the total weighting of all controls. 
• Indicator failure factor = the number of failed last results divided by the total number of associated indicators. Only the last result of each associated indicator is used. 
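
The calculations above, worked through in Python as an added example (not the product's own code and not taken from the documentation this article cites). It assumes both failure factors are expressed as percentages (0 to 100), because the formula divides the Calculated Risk Factor by 100, and that a factor with no indicators or zero total weighting counts as 0; the function names and sample figures are constructed for illustration.

```python
from typing import Optional, Sequence, Tuple


def ale(aro: float, sle: float) -> float:
    """Quantitative ALE = ARO x SLE (used for both inherent and residual)."""
    return aro * sle


def control_failure_factor(controls: Sequence[Tuple[float, bool]]) -> float:
    """controls holds (weighting, passed) pairs. Returns failed weighting
    over total weighting, as a percentage (assumption: 0 when total is 0)."""
    total = sum(weight for weight, _ in controls)
    if total == 0:
        return 0.0
    failed = sum(weight for weight, passed in controls if not passed)
    return 100.0 * failed / total


def indicator_failure_factor(last_results: Sequence[bool]) -> float:
    """last_results holds the most recent pass/fail of each associated
    indicator. Returns failed count over indicator count, as a percentage."""
    if not last_results:
        return 0.0  # assumption: no indicators means nothing has failed
    failed = sum(1 for ok in last_results if not ok)
    return 100.0 * failed / len(last_results)


def calculated_ale(inherent: float, residual: Optional[float],
                   controls: Sequence[Tuple[float, bool]],
                   last_results: Sequence[bool]) -> float:
    if residual is None:      # Residual not set: fall back to Inherent
        return inherent
    if not controls:          # No mitigating controls: use Residual as-is
        return residual
    risk_factor = (indicator_failure_factor(last_results)
                   + control_failure_factor(controls)) / 2
    return residual + (inherent - residual) * (risk_factor / 100)


# Constructed sample risk: three weighted controls, two indicators.
INHERENT = ale(aro=2, sle=50_000)       # 100000
RESIDUAL = ale(aro=0.5, sle=40_000)     # 20000
CONTROLS = [(10, True), (5, False), (5, True)]   # 25% of weighting failed
INDICATORS = [True, False]                       # 50% of last results failed

if __name__ == "__main__":
    print(calculated_ale(INHERENT, RESIDUAL, CONTROLS, INDICATORS))
```

With a 25% control failure factor and a 50% indicator failure factor, the Calculated Risk Factor is 37.5, which places the result 37.5% of the way from the Residual ALE toward the Inherent ALE.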

Applicable Versions

J and above

Additional Information

I found the above information from this documentation,