Vendor risk ratings and scoring calculations

Within a vendor risk assessment, multiple ratings and scores are calculated: a rating for each question, each category, each questionnaire and each document request, and an overall rating for the assessment.

Risk Rating Scale

Every time a questionnaire is created, a default risk rating is applied. The risk rating scale (categories, minimum, and maximum values) is configurable and can vary per assessment.
Note: The default scale factor of a questionnaire is 100.
Risk Rating Scale list example

Score Calculation Mechanism

The score calculation mechanism for each vendor risk assessment uses the platform assessment score calculation engine. The calculations are performed using a series of related equations that are dynamically recalculated. Multiple user-defined parameters affect the calculated assessment rating:
  • Questions (metrics)
  • Metric Scale Definition
  • Categories
  • Weights
  • Risk Rating Scale
  • Business Service Rating Scale
Score Calculation Mechanism

For more information, see View a metric result.

Equation 1 questionRating

The questionRating calculation defines the relative degree of significance of the individual assessment metric, especially when compared to other metrics. This variable is one of the key variables in calculating the normalized value later in the process.

The Scale definition is stated within an individual Assessment Metric.

Scale definition example
  • High means that large numerical values indicate a positive result. If the rating is high, the following formula is used:
    Scale definition high rating calculation
  • Low means that small numerical values indicate a positive result. If the rating is low, the following equation is used:
    Scale definition low rating calculation

The value used in the formula is taken from the vendor’s response to the question. The configuration of the metric defines the correct answer (value) and the values that are associated with other (incorrect or less desirable) answers.

Assessment question value field example

Equation 2 questionPercentContribution

The questionPercentContribution defines the degree of significance of the assessment metric, within the category where it is included. This variable is one of the key variables in calculating the normalized value later in the process.

questionPercentContribution calculation

The Category represents a theme for evaluating assessable records in a given metric type. The category is user-defined with examples being ROI, risk, performance, security, personal data, and so on.

The Weight is a numerical value that represents the metric importance relative to other metrics. A higher weight in proportion to the overall weight of the category has a stronger bearing on the final score.

Category and Weight field examples

Equation 3 questionNormalizedValue

The questionNormalizedValue calculates a value so questions with different weights and ratings can be compared equally on the same scale.

questionNormalizedValue calculation

Each answer to every question (assessment metric) has a normalized value. The normalized value makes answers with different weights and ratings comparable with each other, and is later rolled up into the category and overall assessment results.

Assessment group normalized value list

Equation 4 categoryRating

Now that there are normalized values for each metric within the category, the categoryRating calculates a value for the entire category which can then be normalized using Equation 5 categoryNormalizedValue to facilitate inter-category comparisons.

categoryRating calculation

The categoryRating is the sum of the normalized values of all metrics within the category.

The stated Risk Rating for each category is derived from the associated Risk Rating Scale.

Categories Rating and Risk rating list

Equation 5 categoryNormalizedValue

With the Category Ratings established, the categoryNormalizedValue formula uses this rating and the Category Weight to normalize the result across all categories.

categoryNormalizedValue calculation

This normalized value allows a more meaningful comparison between categories and is later rolled up into the overall assessment results. A higher category Weight gives the category a stronger influence on its normalized value.

Categories Normalized value list example

Equation 6 questionnaireQuantitativeScore

With all of the categories normalized, the overall quantitative score for the assessment is calculated.

questionnaireQuantitativeScore calculation

The output from the questionnaireQuantitativeScore formula is the sum of the normalized category scores. It is presented as the Risk Score on the record for the questionnaire.

Questionnaire Risk Score example
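The roll-up described in Equations 1 to 6, as an added worked example in plain JavaScript. This is not ServiceNow's assessment engine code and does not use the platform API. The page reproduces Equations 1, 2, 3 and 5 only as images, so the forms used here for those steps (rating as the response's position within the metric's min/max range, inverted for a Low scale; contribution as the metric's share of its category's total weight; category normalization as the category's share of total category weight) are assumptions. Equations 4 and 6 implement the sums the page states. The page also leaves the direction of the Risk Rating Scale to configuration; in the constructed sample below a high (positive) score is mapped to a Low risk band. The names SCALE_FACTOR, clamp, evaluateQuestionnaire and the SAMPLE_* constants are this example's own, and the sample configuration and responses are constructed, not taken from the page.

```javascript
'use strict';

// Default scale factor for a questionnaire (stated on the page).
const SCALE_FACTOR = 100;

// Keep a response inside the metric's [min, max] range so an out-of-range
// answer can never produce a rating below 0 or above the scale factor.
function clamp(v, lo, hi) {
  return Math.min(hi, Math.max(lo, v));
}

// Equation 1, questionRating (assumed form): position of the response within
// the metric's range, inverted for a "Low" scale where small values are good.
function questionRating(metric) {
  const { min, max, value, scale } = metric;
  if (!(max > min)) throw new Error(`metric ${metric.name}: max must exceed min`);
  const fraction = (clamp(value, min, max) - min) / (max - min);
  return (scale === 'High' ? fraction : 1 - fraction) * SCALE_FACTOR;
}

// Equation 2, questionPercentContribution (assumed form): the metric's weight
// as a share of the total weight of its category. A category with no weight
// contributes nothing instead of dividing by zero.
function questionPercentContribution(metric, metricsInCategory) {
  const total = metricsInCategory.reduce((s, m) => s + m.weight, 0);
  return total === 0 ? 0 : metric.weight / total;
}

// Equation 3, questionNormalizedValue (assumed form): rating times weight share.
function questionNormalizedValue(metric, metricsInCategory) {
  return questionRating(metric) * questionPercentContribution(metric, metricsInCategory);
}

// Equation 4, categoryRating: the page states this is the sum of the
// normalized values of the metrics in the category.
function categoryRating(metricsInCategory) {
  return metricsInCategory.reduce(
    (s, m) => s + questionNormalizedValue(m, metricsInCategory), 0);
}

// Equation 5, categoryNormalizedValue (assumed form): category rating times
// the category's share of the total category weight.
function categoryNormalizedValue(category, categories, metrics) {
  const totalWeight = categories.reduce((s, c) => s + c.weight, 0);
  const own = metrics.filter((m) => m.category === category.name);
  return totalWeight === 0 ? 0 : categoryRating(own) * (category.weight / totalWeight);
}

// Equation 6, questionnaireQuantitativeScore: the page states this is the sum
// of the normalized category values.
function questionnaireQuantitativeScore(categories, metrics) {
  return categories.reduce(
    (s, c) => s + categoryNormalizedValue(c, categories, metrics), 0);
}

// Risk Rating Scale lookup. Each band has a label, a min (inclusive) and a
// max (exclusive); the top band's max is Infinity so a perfect score is covered.
function riskRating(score, scale) {
  const band = scale.find((b) => score >= b.min && score < b.max);
  if (!band) throw new Error(`score ${score} is not covered by the risk rating scale`);
  return band.label;
}

// Runs the whole chain and returns every intermediate value for inspection.
function evaluateQuestionnaire(categories, metrics, scale) {
  const perCategory = categories.map((c) => {
    const own = metrics.filter((m) => m.category === c.name);
    const rating = categoryRating(own);
    return { category: c.name, rating, riskRating: riskRating(rating, scale),
             normalized: categoryNormalizedValue(c, categories, metrics) };
  });
  const score = questionnaireQuantitativeScore(categories, metrics);
  return { perCategory, score, rating: riskRating(score, scale) };
}

// Constructed sample configuration and vendor responses (not from the page).
const SAMPLE_CATEGORIES = [
  { name: 'Security', weight: 3 },
  { name: 'Personal data', weight: 1 },
];
const SAMPLE_METRICS = [
  // Yes/No question configured as Yes = 1, No = 0; Yes is the good answer, so scale High.
  { name: 'encrypts_at_rest', category: 'Security', weight: 2, scale: 'High', min: 0, max: 1, value: 1 },
  // Days to patch a critical finding: fewer is better, so scale Low.
  { name: 'days_to_patch_critical', category: 'Security', weight: 2, scale: 'Low', min: 0, max: 90, value: 30 },
  // Retention period in years; the answer 12 exceeds the configured max and is clamped to 10.
  { name: 'data_retention_years', category: 'Personal data', weight: 1, scale: 'Low', min: 0, max: 10, value: 12 },
];
// Bands configured so that a high (positive) score maps to a Low risk rating.
const SAMPLE_SCALE = [
  { label: 'High', min: 0, max: 40 },
  { label: 'Moderate', min: 40, max: 70 },
  { label: 'Low', min: 70, max: Infinity },
];

console.log(JSON.stringify(evaluateQuestionnaire(SAMPLE_CATEGORIES, SAMPLE_METRICS, SAMPLE_SCALE), null, 2));
```

With the sample data the Security category rates 83.3 (encryption answered Yes contributes 50, a 30-day patch window contributes 33.3), Personal data rates 0 because the clamped 12-year retention sits at the worst end of its Low scale, and the questionnaire score is 62.5, which the sample scale places in the Moderate band. Note that the clamp and the zero-weight guard are where a misconfigured metric or category would otherwise silently distort the score; the real platform's handling of those cases is not described on the page.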

Qualitative Score for Documents

Document Requests have a risk rating that is a qualitative score. The preliminary risk rating is based on the answer to the default question “Do you have document ‘document name’?”

Document Requests Risk rating example
The document risk rating uses the following scale:

  Response           Risk Rating
  Yes                Low
  No or unanswered   High
  N/A                Moderate

If the document is found to be deficient on review, the analyst can override the default rating. The record retains both the current Risk Rating and the Original Risk Rating. As always, the stated Risk Rating for each category is derived from the associated Risk Rating Scale.

Categories related tab example

Equation 7 assessmentRating

The risk ratings from all questionnaires and document requests are rolled up to the parent vendor risk assessment, providing an overall assessmentRating.

assessmentRating calculation

Finally, the assessment rating is mapped through the Risk Rating Scale to determine the risk rating for the assessment.

Vendor risk assessment Risk rating example

getBusinessServiceCriticality finds the vendor's most critical business service, then finds the record in the Business Service Rating Scale table that best matches that criticality. The weight from that rating scale record is used.

Business Service Rating Scales list