Risk scoring

The inherent and residual scores for a risk can be calculated using the risk criteria, likelihood, and significance.

Use the following calculations to score risks.
  • Inherent Score = Inherent Likelihood x Inherent Significance
  • Residual Score = Residual Likelihood x Residual Significance

Since the risk properties set the maximum values for likelihood and significance at 5, the maximum inherent or residual score for a risk is 25. This can be changed by modifying the Risk Properties. See Risk properties.

The maximum value for the inherent or residual score is 100, which is reached when the maximum value of the respective properties is changed to 10. The score fields are read-only, and can only be changed by modifying the inherent or residual likelihood or significance.

The calculated score for a risk is read-only, allowing you to quickly assess a risk, and identify threats and areas of non-compliance.

If controls from the Governance, Risk, and Compliance (GRC) application are implemented to mitigate risk, then Calculated Score = (Inherent Score – Residual Score) * [(100 – Compliance)/100] + Residual Score.

Thus Calculated Score = Residual Score only if Compliance with the controls is 100%. If the Calculated Score > Residual Score, the organization is not 100% compliant with the controls used to mitigate a risk. Because Compliance lies between 0% and 100%, the calculated score can never be less than the residual score or greater than the inherent score.

If controls from the Governance, Risk, and Compliance (GRC) application are not implemented to mitigate risk, then Calculated Score = Residual Score. If the residual score is not set, then Calculated Score = Inherent Score.
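The scoring rules above carried through in code, added here as a worked example rather than code from the GRC application itself. The `Risk` class, the property maxima and the 0..maximum bound on each property are assumptions:

```python
from dataclasses import dataclass
from typing import Optional

# Assumed property maxima: the page gives 5 as the default (max score 25)
# and notes they can be raised to 10 (max score 100).
MAX_LIKELIHOOD = 5
MAX_SIGNIFICANCE = 5


def _check(name: str, value: int, maximum: int) -> int:
    # Assumed bound: each property must lie within 0..configured maximum.
    if not 0 <= value <= maximum:
        raise ValueError(f"{name} must be between 0 and {maximum}, got {value}")
    return value


@dataclass
class Risk:
    inherent_likelihood: int
    inherent_significance: int
    residual_likelihood: Optional[int] = None
    residual_significance: Optional[int] = None
    controls_implemented: bool = False
    compliance: float = 0.0  # percent compliance with the mitigating controls

    def inherent_score(self) -> int:
        return (_check("inherent likelihood", self.inherent_likelihood, MAX_LIKELIHOOD)
                * _check("inherent significance", self.inherent_significance, MAX_SIGNIFICANCE))

    def residual_score(self) -> Optional[int]:
        # Residual score is only defined once both residual properties are set.
        if self.residual_likelihood is None or self.residual_significance is None:
            return None
        return (_check("residual likelihood", self.residual_likelihood, MAX_LIKELIHOOD)
                * _check("residual significance", self.residual_significance, MAX_SIGNIFICANCE))

    def calculated_score(self) -> float:
        inherent = self.inherent_score()
        residual = self.residual_score()
        if residual is None:
            return float(inherent)   # residual not set: calculated = inherent
        if not self.controls_implemented:
            return float(residual)   # no GRC controls: calculated = residual
        if not 0 <= self.compliance <= 100:
            raise ValueError("compliance must be a percentage between 0 and 100")
        # Controls in place: interpolate from inherent (0% compliant)
        # down to residual (100% compliant).
        return (inherent - residual) * ((100 - self.compliance) / 100) + residual
```

With inherent 4x5 and residual 2x3, 50% compliance gives (20 - 6) * 0.5 + 6 = 13.0, sitting between the residual and inherent scores as the text states.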