
# Vendor risk ratings and scoring calculations

Within a vendor risk assessment, multiple ratings and scores are calculated.

## Risk Rating Scale

Every time a questionnaire is created, a default risk rating is applied. The risk rating scale (categories, minimum, and maximum values) is configurable and can vary per assessment.
Note: The default scale factor of a questionnaire is 100.

## Score Calculation Mechanism

The score calculation mechanism for each vendor risk assessment uses the platform assessment score calculation engine. The calculations are performed using a series of related equations that are dynamically recalculated. Multiple user-defined parameters affect the calculated assessment rating:
• Questions (metrics)
• Metric Scale Definition
• Categories
• Weights
• Risk Rating Scale

For more information, see View a metric result.

## Equation 1 `questionRating`

The `questionRating` calculation defines the relative degree of significance of the individual assessment metric, especially when compared to other metrics. This variable is one of the key variables in calculating the normalized value later in the process.

The Scale definition is stated within an individual Assessment Metric.

• High means that large numerical values indicate a positive result. If the rating is high, the following formula is used:
• Low means that small numerical values indicate a positive result. If the rating is low, the following equation is used:

The value used in the formula is taken from the vendor’s response to the question. The configuration of the metric defines the correct answer (value) and the values that are associated with other (incorrect or less desirable) answers.

## Equation 2 `questionPercentContribution`

The `questionPercentContribution` defines the degree of significance of the assessment metric, within the category where it is included. This variable is one of the key variables in calculating the normalized value later in the process.

The Category represents a theme for evaluating assessable records in a given metric type. The category is user-defined with examples being ROI, risk, performance, security, personal data, and so on.

The Weight is a numerical value that represents the metric importance relative to other metrics. A higher weight in proportion to the overall weight of the category has a stronger bearing on the final score.

## Equation 3 `questionNormalizedValue`

The `questionNormalizedValue` calculates a value so questions with different weights and ratings can be compared equally on the same scale.

Each answer to every question (assessment metric) has a normalized value. This normalized value enables a more meaningful comparison, which is later rolled up to the category and the overall assessment results.

## Equation 4 `categoryRating`

Now that there are normalized values for each metric within the category, the `categoryRating` calculates a value for the entire category which can then be normalized using Equation 5 `categoryNormalizedValue` to facilitate inter-category comparisons.

The category Rating is the sum of all normalized values for the metrics within the category.

The stated Risk Rating for each category is derived from the associated Risk Rating Scale.

## Equation 5 `categoryNormalizedValue`

With the Category Ratings established, the `categoryNormalizedValue` formula uses this rating and the Category Weight to normalize the result across all categories.

This calculated Normalized value enables a more meaningful comparison, which is later rolled up to the overall assessment results. A higher category Weight has a stronger influence on the normalized value of the category.

## Equation 6 `questionnaireQuantitativeScore`

With all of the categories normalized, the overall quantitative score for the assessment is calculated.

The output from the `questionnaireQuantitativeScore` formula is the sum of the normalized category scores. It is presented as the Risk Score on the record for the questionnaire.
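The six equations above carried through in working form, as an added example that is not part of this page or of the platform's scoring engine. The page names each equation and its inputs but does not state the formulas, so the arithmetic inside Equations 1, 2, 3 and 5 (a rating as the 0..1 position of the response on the metric scale, a contribution as a share of total weight) is an assumption; the sums in Equations 4 and 6 and the default scale factor of 100 follow the text.

```python
from dataclasses import dataclass

@dataclass
class Question:
    category: str
    weight: float
    scale: str        # "high": large values are the positive result; "low": small values are
    min_value: float  # metric scale definition
    max_value: float
    response: float   # value mapped from the vendor's answer by the metric configuration

def question_rating(q: Question) -> float:
    """Equation 1 (assumed form): position of the response on the metric scale, 0..1."""
    span = q.max_value - q.min_value
    if span <= 0:
        raise ValueError("metric scale needs max_value > min_value")
    frac = min(1.0, max(0.0, (q.response - q.min_value) / span))  # clamp out-of-range answers
    return frac if q.scale == "high" else 1.0 - frac

def question_percent_contribution(q: Question, questions: list) -> float:
    """Equation 2 (assumed form): this metric's share of its category's total weight."""
    total = sum(x.weight for x in questions if x.category == q.category)
    return q.weight / total

def question_normalized_value(q: Question, questions: list) -> float:
    """Equation 3 (assumed form): rating scaled by the metric's share of the category."""
    return question_rating(q) * question_percent_contribution(q, questions)

def category_rating(category: str, questions: list) -> float:
    """Equation 4: sum of the normalized values of the metrics in the category."""
    return sum(question_normalized_value(q, questions) for q in questions if q.category == category)

def category_normalized_value(category: str, questions: list, cat_weights: dict) -> float:
    """Equation 5 (assumed form): category rating scaled by the category's share of total weight."""
    return category_rating(category, questions) * cat_weights[category] / sum(cat_weights.values())

def questionnaire_quantitative_score(questions: list, cat_weights: dict, scale_factor: float = 100) -> float:
    """Equation 6: sum of the normalized category values, on the questionnaire scale (default 100)."""
    return scale_factor * sum(category_normalized_value(c, questions, cat_weights) for c in cat_weights)

# Constructed sample questionnaire (illustrative values, not real vendor data).
SAMPLE_QUESTIONS = [
    Question("security", 2, "high", 0, 10, 8),     # e.g. control maturity: higher is better
    Question("security", 1, "low", 0, 5, 1),       # e.g. open critical findings: lower is better
    Question("personal data", 1, "high", 0, 1, 1),  # e.g. yes/no question mapped to 1/0
]
SAMPLE_CATEGORY_WEIGHTS = {"security": 3, "personal data": 1}
```

With the sample data, the security category rates 0.8 and contributes 0.6 after weighting, personal data contributes 0.25, so the questionnaire Risk Score is 85 on the default scale of 100.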

## Qualitative Score for Documents

Document Requests have a risk rating that is a qualitative score. The preliminary risk rating is based on the answer to the default question “Do you have document ‘document name’?”

The document risk rating uses the following scale:

| Response | Risk Rating |
| --- | --- |
| Yes | Low |

## Equation 7 `assessmentRating`

The risk rating from all questionnaires and document requests is rolled up to the parent vendor risk assessment, which provides an overall `assessmentRating`.

`getBusinessServiceCriticality` finds the most critical business service and then looks up the record in the business service rating scale table that best matches that business service. The weight from that rating scale record is used.