When the vendor submits the response for a particular questionnaire/Document request, the "Risk Rating" field on the related Assessment record changes automatically.


Description

When the user submits the responses, the “Risk Rating” changes for the record in the “sn_vdr_risk_asmt_m2m_asmt_doc_request” table. Once the risk rating changes on this record, it automatically changes the risk rating on the assessment record too.
Further investigation showed that every time we change the Risk Rating on the M2M record, it is copied to the assessment record.

Steps to Reproduce:
1) Go to any Vendor assessment.
2) Open the doc request/questionnaire record.
3) Change the risk rating.
4) It changes on the assessment record as well.

Cause

This is expected behaviour.

Relevant sentence: "For any vendor risk assessment for a vendor or engagement, the final rating for the assessment is calculated as the weighted average of the questionnaires and document requests within each vendor risk area"
Assessments are assigned a default scoring rule with just a single vendor risk area (Default) if none are configured. In this case, we have not configured the existing scoring rule or created a new one with a customised vendor risk area, so all questionnaires/document requests fall under a single vendor risk area (Default).
That means the assessment risk rating is calculated as just the average risk rating of all the questionnaires/document requests (ignoring vendor risk area). Because there is only one document request linked to the assessment, the risk rating of the assessment will be the same as that of the document request.

The score for each individual vendor risk area is calculated as an average; all those vendor risk area scores then "roll up" to the assessment risk rating as a weighted average.
The only rule in this case is Default (with the single vendor risk area Default).

The OOB instance with demo data has three scoring rules: Default, IT Vendor Scoring Rule, Strategic Partner Rule.
- The assessment in OOB is using the IT Vendor Scoring Rule.
- This scoring rule is applied to all assessments that meet the vendor filter field.
- Inside the vendor form, you can see which scoring rule is being applied.
- This scoring rule uses 3 vendor risk areas: Reputational, Security, Financial
- The document request/questionnaire record that is linked to the assessment has a vendor risk area of Default
- Because Default does not match any of the vendor risk areas defined in the rule, the score is not part of the calculation and hence the rollup will not happen.

OOB Example showing the risk rating being updated because the questionnaire has a Vendor Risk Area of Security: https://<instancename>.service-now.com/nav_to.do?uri=%2Fsn_vdr_risk_asmt_assessment.do%3Fsys_id%3D4a6bc9fb1b9df09007d07733cd4bcb76
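
The rollup described above can be sketched as a small model. This is an added example, not ServiceNow's code: the numeric scores, the weights, the property names and the choice to skip rule areas that have no responses are all assumptions made for illustration.

```javascript
// Simplified model of the rollup; not ServiceNow's implementation.
// Scores, weights and property names are constructed for illustration.

// Average the scores of the questionnaires/document requests per risk area.
function areaAverages(items) {
  const sums = new Map();
  for (const { area, score } of items) {
    const s = sums.get(area) || { total: 0, count: 0 };
    sums.set(area, { total: s.total + score, count: s.count + 1 });
  }
  const averages = new Map();
  for (const [area, { total, count }] of sums) averages.set(area, total / count);
  return averages;
}

// Weighted average across the vendor risk areas the scoring rule defines.
// Items whose area is not in the rule are reported in `ignored`.
// rating === null models "the rollup will not happen".
function rollup(rule, items) {
  const averages = areaAverages(items);
  let weighted = 0;
  let weightTotal = 0;
  for (const [area, weight] of Object.entries(rule.areas)) {
    if (!averages.has(area)) continue; // assumption: empty areas are skipped
    weighted += averages.get(area) * weight;
    weightTotal += weight;
  }
  const ignored = items.filter((i) => !(i.area in rule.areas)).map((i) => i.name);
  return { rating: weightTotal === 0 ? null : weighted / weightTotal, ignored };
}

// Rule names come from the article; the weights are constructed.
const defaultRule = { areas: { Default: 1 } };
const itVendorRule = { areas: { Reputational: 1, Security: 2, Financial: 1 } };

// Constructed sample records.
const oneDefaultDoc = [{ name: "Doc request A", area: "Default", score: 4 }];
const mixedItems = [
  { name: "Questionnaire B", area: "Security", score: 4 },
  { name: "Questionnaire C", area: "Security", score: 2 },
  { name: "Doc request D", area: "Reputational", score: 1 },
  { name: "Doc request E", area: "Financial", score: 5 },
  { name: "Doc request A", area: "Default", score: 5 },
];

console.log(rollup(defaultRule, oneDefaultDoc)); // rating copies the single item
console.log(rollup(itVendorRule, oneDefaultDoc)); // no matching area, no rollup
console.log(rollup(itVendorRule, mixedItems)); // Default item left out of the rating
```

Under the Default rule the single document request's score becomes the assessment rating, while under the IT Vendor Scoring Rule the same record is listed in `ignored` and the rating stays unset.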

Resolution

There are a couple of ways to stop the assessment from updating its risk rating if you want to update it manually. Most require you to create a new Vendor Risk Area in the Risk Area Definition module first.
1) Use that new vendor risk area when creating a questionnaire template.
2) Swap out the new risk area in the configuration inside of the Default scoring rule.
3) Make that new Vendor Risk Area the default value for the vendor_risk_area field on the questionnaire / document request template.
4) Inside the OOB assessment form, there is a field that says "override risk rating". Checking that lets you select the risk rating you desire outside of the calculation. You would need to add these fields back: override_risk_rating, overridden_risk_rating, justification.

Additional Information

Documentation: https://docs.servicenow.com/bundle/quebec-governance-risk-compliance/page/product/grc-vendor-risk/concept/vendor-ratings-scoring.html