### Issue

# Description

The calculations in Risk Management scoring is explained below

# Risk Scoring Calculations

The inherent and residual scores for a risk are calculated using the risk criteria, likelihood, and impact.

Use the following calculations to score risks.

• Qualitative Inherent ALE = Inherent ARO x Inherent SLE

• Qualitative Inherent Score = Inherent Likelihood x Inherent impact

• Quantitative Residual ALE = Residual ARO x Residual SLE

• Qualitative Residual Score = Residual SLE

When scoring is set to qualitative, the quantitative values are updated in the background.

If controls are implemented to mitigate risk, then

Calculated ALE = Residual ALE + ((Inherent ALE - Residual ALE) * (Calculated Risk Factor / 100)).

Thus Calculated Score = Residual Score only if Compliance with the controls is 100%.

If the Calculated Score > Residual Score, the organization is not 100% compliant with the controls used to mitigate a risk.

Meaning that the Calculated Score can never be less than the Residual Score or greater than the Inherent Score.

If controls are not implemented to mitigate risk, then Calculated Score = Residual Score.

If the Residual Score is not set, then Calculated Score = Inherent Score.

The calculated risk factor value is calculated as

Calculated Risk Factor = (Indicator failure factor + Control failure factor) / 2

Control failure factor -> Sum of failed controls weighting divided by total controls weighting.

Indicator failure factor -> Uses the last result of each associated indicator. Number of last results failed divided by total number of indicators associated.

# Applicable Versions

J and above

# Additional Information

I found the above information from this documentation,