
# Description

The calculations used in Risk Management scoring are explained below.

# Risk Scoring Calculations

The inherent and residual scores for a risk are calculated using the risk criteria, likelihood, and impact.
Use the following calculations to score risks.

• Quantitative Inherent ALE = Inherent ARO x Inherent SLE
• Qualitative Inherent Score = Inherent Likelihood x Inherent Impact
• Quantitative Residual ALE = Residual ARO x Residual SLE
• Qualitative Residual Score = Residual SLE

When scoring is set to qualitative, the quantitative values are updated in the background.

The Calculated Score for a risk is a read-only field designed to quickly assess a risk affecting the organization, and identify threats and areas of non-compliance.

If controls are implemented to mitigate the risk, then:

Calculated ALE = Residual ALE + ((Inherent ALE - Residual ALE) * (Calculated Risk Factor / 100))

Thus Calculated Score = Residual Score only if compliance with the controls is 100%.

If the Calculated Score > Residual Score, the organization is not 100% compliant with the controls used to mitigate a risk.

This means the Calculated Score can never be less than the Residual Score or greater than the Inherent Score.

If controls are not implemented to mitigate risk, then Calculated Score = Residual Score.

If the Residual Score is not set, then Calculated Score = Inherent Score.

The Calculated Risk Factor is computed as:

Calculated Risk Factor = (Indicator failure factor + Control failure factor) / 2

Control failure factor: the sum of the failed controls' weighting divided by the total controls weighting.

Indicator failure factor: uses the last result of each associated indicator; the number of last results that failed divided by the total number of indicators associated.
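A worked instance of these rules, added here as example code rather than ServiceNow's own implementation; the control and indicator records, their weights and the ARO/SLE figures are constructed sample data:

```javascript
// Added example (not ServiceNow code): the article's scoring formulas on constructed data.

// Control failure factor: failed controls' weighting / total controls weighting (0..1).
function controlFailureFactor(controls) {
  const total = controls.reduce((sum, c) => sum + c.weight, 0);
  if (total === 0) return 0;                        // no weighting, nothing can fail
  const failed = controls.filter(c => c.failed).reduce((sum, c) => sum + c.weight, 0);
  return failed / total;
}

// Indicator failure factor: indicators whose last result failed / indicators associated.
function indicatorFailureFactor(indicators) {
  if (indicators.length === 0) return 0;
  return indicators.filter(i => i.lastResultFailed).length / indicators.length;
}

// Calculated Risk Factor as a percentage, because the ALE formula divides it by 100.
function calculatedRiskFactor(controls, indicators) {
  return 100 * (indicatorFailureFactor(indicators) + controlFailureFactor(controls)) / 2;
}

// Calculated ALE under the article's three rules: residual not set -> inherent;
// no controls implemented -> residual; otherwise interpolate between residual and
// inherent by the risk factor, so the result never leaves the [residual, inherent] range.
function calculatedALE(inherentALE, residualALE, controls, indicators) {
  if (residualALE === null || residualALE === undefined) return inherentALE;
  if (controls.length === 0) return residualALE;
  const factor = calculatedRiskFactor(controls, indicators);
  return residualALE + (inherentALE - residualALE) * (factor / 100);
}

// Constructed sample: one heavily weighted control failed (3 of 5 weighting) and
// half of the associated indicators returned a failing last result.
const sampleControls = [
  { name: 'MFA enforced',     weight: 3, failed: true  },
  { name: 'Quarterly review', weight: 1, failed: false },
  { name: 'Backup tested',    weight: 1, failed: false },
];
const sampleIndicators = [
  { name: 'Patch SLA met',       lastResultFailed: true  },
  { name: 'Privileged accounts', lastResultFailed: false },
];

// Inherent ARO 2/yr x SLE 50,000 = 100,000; Residual ARO 0.5/yr x SLE 20,000 = 10,000.
// Risk factor (0.5 + 0.6) / 2 = 55%, so Calculated ALE = 10,000 + 90,000 * 0.55 = 59,500.
function sampleCalculatedALE() {
  return calculatedALE(2 * 50000, 0.5 * 20000, sampleControls, sampleIndicators);
}
```

Setting every control and indicator to passing drives the factor to 0 and the result back to the Residual ALE, which is the 100% compliant case described above.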

J and above

# Additional Information

I found the above information in this documentation.

#### Article Information

Last Updated: 2019-08-02 21:09:56
Published: 2018-08-15