# Vendor risk ratings and scoring calculations

Within a vendor risk assessment, multiple ratings and scores are calculated.

## Risk Rating Scale

## Score Calculation Mechanism

The following components feed the score calculation:

- Questions (metrics)
- Metric Scale Definition
- Categories
- Weights
- Risk Rating Scale
- Business Service Rating Scale

For more information, see View a metric result.

## Equation 1 `questionRating`

The `questionRating` calculation defines the relative degree of significance of the individual assessment metric, especially when compared to other metrics. This variable is one of the key variables in calculating the normalized value later in the process.

The Scale definition is stated within an individual Assessment Metric.

- High means that large numerical values indicate a positive result. If the rating is high, the following formula is used:
- Low means that small numerical values indicate a positive result. If the rating is low, the following equation is used:

The value used in the formula is taken from the vendor’s response to the question. The configuration of the metric defines the correct answer (value) and the values that are associated with other (incorrect or less desirable) answers.

## Equation 2 `questionPercentContribution`

The `questionPercentContribution` defines the degree of significance of the assessment metric within the category where it is included. This variable is one of the key variables in calculating the normalized value later in the process.

The Category represents a theme for evaluating assessable records in a given metric type. The category is user-defined with examples being ROI, risk, performance, security, personal data, and so on.

The Weight is a numerical value that represents the metric importance relative to other metrics. A higher weight in proportion to the overall weight of the category has a stronger bearing on the final score.

## Equation 3 `questionNormalizedValue`

The `questionNormalizedValue` calculates a value so that questions with different weights and ratings can be compared equally on the same scale.

Each answer to every question (assessment metric) has a normalized value. This normalized value enables a more meaningful comparison, which is later rolled up to the category and the overall assessment results.

## Equation 4 `categoryRating`

Now that there are normalized values for each metric within the category, the `categoryRating` calculates a value for the entire category, which can then be normalized using Equation 5 `categoryNormalizedValue` to facilitate inter-category comparisons.

The category Rating is the sum of all normalized values for the metrics within the category.

The stated Risk Rating for each category is derived from the associated Risk Rating Scale.

## Equation 5 `categoryNormalizedValue`

With the Category Ratings established, the `categoryNormalizedValue` formula uses this rating and the Category Weight to normalize the result across all categories.

This calculated normalized value enables a more meaningful comparison, which is later rolled up to the overall assessment results. A higher category Weight has a stronger influence on the normalized value of the category.

## Equation 6 `questionnaireQuantitativeScore`

With all of the categories normalized, the overall quantitative score for the assessment is calculated.

The output from the `questionnaireQuantitativeScore` formula is the sum of the normalized category scores. It is presented as the Risk Score on the record for the questionnaire.
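The pipeline of Equations 1 through 6 is easier to reason about when run end to end on concrete numbers. The block below is an added illustration, not code from the page or from the product it documents. Because the page does not reproduce the actual formulas for Equations 1, 2, 3 and 5, the arithmetic in those steps is an assumption chosen to fit the prose (ratings mapped onto 0..1 with 1 as the best result, contributions as a share of total weight); Equations 4 and 6 are plain sums, as the page states. The metric names, the values, the category weights and the risk rating bands are all constructed for the example.

```python
"""Vendor-risk scoring walk-through: question -> category -> questionnaire.

Added example, not the product's implementation. Formulas marked
"assumed" are not given on the page and were chosen to match its prose.
"""
from dataclasses import dataclass


@dataclass
class Metric:
    name: str
    scale: str        # "high": large values are good; "low": small values are good
    weight: float     # importance relative to the other metrics in the category
    min_value: float  # lowest value defined in the metric's scale
    max_value: float  # highest value defined in the metric's scale
    response: float   # value associated with the vendor's chosen answer


@dataclass
class Category:
    name: str
    weight: float
    metrics: list


def question_rating(m: Metric) -> float:
    """Equation 1 (assumed form): place the response on 0..1 where 1 is the
    positive result, honouring the metric's High/Low scale definition."""
    span = m.max_value - m.min_value
    if span <= 0:
        raise ValueError(f"metric {m.name!r} has an empty scale")
    fraction = (m.response - m.min_value) / span
    return fraction if m.scale == "high" else 1.0 - fraction


def question_percent_contribution(m: Metric, category: Category) -> float:
    """Equation 2 (assumed form): the metric's weight as a share of the
    category's total weight, so heavier metrics count for more."""
    total = sum(x.weight for x in category.metrics)
    return m.weight / total


def question_normalized_value(m: Metric, category: Category) -> float:
    """Equation 3 (assumed form): rating scaled by contribution, putting
    metrics with different scales and weights on one comparable axis."""
    return question_rating(m) * question_percent_contribution(m, category)


def category_rating(category: Category) -> float:
    """Equation 4: sum of the normalized values of the category's metrics."""
    return sum(question_normalized_value(m, category) for m in category.metrics)


def category_normalized_value(category: Category, categories: list) -> float:
    """Equation 5 (assumed form): category rating scaled by the category's
    share of the total category weight."""
    total = sum(c.weight for c in categories)
    return category_rating(category) * category.weight / total


def questionnaire_quantitative_score(categories: list) -> float:
    """Equation 6: sum of normalized category scores, shown here on 0..100."""
    return 100.0 * sum(category_normalized_value(c, categories) for c in categories)


# Assumed risk rating scale (the page names the scale but gives no bands).
RISK_RATING_BANDS = [(75.0, "Low"), (40.0, "Moderate"), (0.0, "High")]


def risk_rating(score: float) -> str:
    """Map a quantitative score onto the assumed risk rating scale."""
    for floor, label in RISK_RATING_BANDS:
        if score >= floor:
            return label
    return "High"


# Constructed sample questionnaire: two categories, three metrics.
SECURITY = Category("security", weight=2.0, metrics=[
    Metric("encryption at rest", "high", weight=3.0, min_value=0, max_value=4, response=4),
    Metric("days since last penetration test", "low", weight=1.0, min_value=0, max_value=365, response=73),
])
PERSONAL_DATA = Category("personal data", weight=1.0, metrics=[
    Metric("data subject request handling", "high", weight=1.0, min_value=0, max_value=10, response=5),
])
CATEGORIES = [SECURITY, PERSONAL_DATA]


def run_example() -> dict:
    """Return every intermediate value so the roll-up can be inspected."""
    return {
        "category_ratings": {c.name: category_rating(c) for c in CATEGORIES},
        "category_normalized": {c.name: category_normalized_value(c, CATEGORIES) for c in CATEGORIES},
        "score": questionnaire_quantitative_score(CATEGORIES),
        "rating": risk_rating(questionnaire_quantitative_score(CATEGORIES)),
    }


if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key}: {value}")
```

Walking the sample through: the two security metrics rate 1.0 and 0.8, contribute 75% and 25% of their category, and sum to a category rating of 0.95; the single personal-data metric gives 0.5. Weighting the categories 2:1 yields normalized values of about 0.633 and 0.167, a quantitative score of 80, and a "Low" rating on the assumed scale. The point a reviewer should take from the numbers is how much of the final score is decided by the weights rather than by the answers: the same responses with the category weights swapped would land in a different band.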

## Qualitative Score for Documents

Document Requests have a risk rating that is a qualitative score. The preliminary risk rating is based on the answer to the default question “Do you have document ‘document name’?”

| Response | Risk Rating |
|---|---|
| Yes | Low |
| No or unanswered | High |
| N/A | Moderate |

Once the document is reviewed, it may be found to be deficient, so the analyst can override the default rating. The assessment retains the current Risk Rating and the Original Risk Rating. As always, the stated Risk Rating for each category is derived from the associated Risk Rating Scale.

## Equation 7 `assessmentRating`

The risk rating from all questionnaires and document requests is rolled up to the parent vendor risk assessment, providing an overall `assessmentRating`.

Finally, the assessment rating, together with the risk rating scale, determines the risk rating for the assessment.

`getBusinessServiceCriticality` finds the most critical business service and then finds the record in the business service rating scale table that best matches that critical business service. The weight from that rating scale record is used.