The calculations used in Risk Management scoring are explained below.
Risk Scoring Calculations
The inherent and residual scores for a risk are calculated using the risk criteria, likelihood, and impact.
Use the following calculations to score risks.
• Qualitative Inherent ALE = Inherent ARO x Inherent SLE
• Qualitative Inherent Score = Inherent Likelihood x Inherent impact
• Quantitative Residual ALE = Residual ARO x Residual SLE
• Qualitative Residual Score = Residual SLE
When scoring is set to qualitative, the quantitative values are updated in the background.
If controls are implemented to mitigate risk, then
Calculated ALE = Residual ALE + ((Inherent ALE - Residual ALE) * (Calculated Risk Factor / 100)).
Thus Calculated Score = Residual Score only if Compliance with the controls is 100%.
If the Calculated Score > Residual Score, the organization is not 100% compliant with the controls used to mitigate the risk.
This means the Calculated Score can never be less than the Residual Score or greater than the Inherent Score.
If controls are not implemented to mitigate risk, then Calculated Score = Residual Score.
If the Residual Score is not set, then Calculated Score = Inherent Score.
The Calculated Risk Factor value is calculated as follows.
Calculated Risk Factor = (Indicator failure factor + Control failure factor) / 2
Control failure factor -> Sum of the weightings of the failed controls divided by the total weighting of all controls.
Indicator failure factor -> Uses the last result of each associated indicator: the number of last results that failed divided by the total number of associated indicators.
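The following Python block is an added worked example of the scoring rules above (Calculated Risk Factor, then Calculated ALE with its two special cases); it is not code from the documentation or from the platform itself. The data classes, function names and the sample controls and indicators are constructed for illustration, and the example assumes the two failure factors are expressed as percentages (0 to 100), which is what makes the `/ 100` in the Calculated ALE formula consistent.

```python
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class Control:
    """A mitigating control (hypothetical shape). `failed` is True when the
    control's most recent compliance check did not pass."""
    name: str
    weight: float
    failed: bool


@dataclass(frozen=True)
class Indicator:
    """An associated indicator (hypothetical shape); only its last result matters."""
    name: str
    last_result_failed: bool


def control_failure_factor(controls: Sequence[Control]) -> float:
    """Sum of failed-control weightings divided by total weighting, as a percentage.
    With no controls there is nothing to fail, so the factor is 0."""
    total = sum(c.weight for c in controls)
    if total == 0:
        return 0.0
    failed = sum(c.weight for c in controls if c.failed)
    return 100.0 * failed / total


def indicator_failure_factor(indicators: Sequence[Indicator]) -> float:
    """Failed last results divided by number of associated indicators, as a percentage."""
    if not indicators:
        return 0.0
    failed = sum(1 for i in indicators if i.last_result_failed)
    return 100.0 * failed / len(indicators)


def calculated_risk_factor(indicators: Sequence[Indicator],
                           controls: Sequence[Control]) -> float:
    """(Indicator failure factor + Control failure factor) / 2, in percent."""
    return (indicator_failure_factor(indicators) + control_failure_factor(controls)) / 2


def calculated_ale(inherent_ale: float, residual_ale: Optional[float],
                   controls: Sequence[Control],
                   indicators: Sequence[Indicator]) -> float:
    """Calculated ALE per the documented rules:
    - residual not set            -> Inherent ALE
    - no controls implemented     -> Residual ALE
    - otherwise                   -> Residual + (Inherent - Residual) * (CRF / 100)
    The result therefore always lies between Residual ALE and Inherent ALE."""
    if residual_ale is None:
        return inherent_ale
    if not controls:
        return residual_ale
    crf = calculated_risk_factor(indicators, controls)
    return residual_ale + (inherent_ale - residual_ale) * (crf / 100.0)


# Constructed sample data: three weighted controls, two of which failed their
# last check, and four indicators, two of which failed their last result.
SAMPLE_CONTROLS = [
    Control("Encryption at rest", weight=3, failed=True),
    Control("MFA on admin accounts", weight=2, failed=False),
    Control("Backup restore test", weight=5, failed=True),
]
SAMPLE_INDICATORS = [
    Indicator("Patch SLA met", last_result_failed=True),
    Indicator("Vulnerability scan coverage", last_result_failed=False),
    Indicator("Quarterly access review", last_result_failed=False),
    Indicator("Log retention check", last_result_failed=True),
]
INHERENT_ALE = 100_000.0
RESIDUAL_ALE = 20_000.0


def sample_score() -> float:
    """Calculated ALE for the constructed sample: control factor 80%, indicator
    factor 50%, CRF 65%, so 20000 + 80000 * 0.65."""
    return calculated_ale(INHERENT_ALE, RESIDUAL_ALE, SAMPLE_CONTROLS, SAMPLE_INDICATORS)


if __name__ == "__main__":
    print("Control failure factor:", control_failure_factor(SAMPLE_CONTROLS))
    print("Indicator failure factor:", indicator_failure_factor(SAMPLE_INDICATORS))
    print("Calculated Risk Factor:", calculated_risk_factor(SAMPLE_INDICATORS, SAMPLE_CONTROLS))
    print("Calculated ALE:", sample_score())
```

Running it shows how partial compliance pulls the calculated value away from the residual figure and toward the inherent one: the heavier a failed control's weighting, the larger the share of the inherent loss that remains. Setting every `failed` flag to False drives the risk factor to 0 and returns exactly the Residual ALE, which is the 100% compliance case described above.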
J and above
I found the above information from this documentation,