Configuring risk scoring settings

Configure the way risks are scored in Strategy to match your risk framework, and apply the framework to all risks.

What are risk scoring factors?

In Strategy, risk scoring factors are attributes that have an impact on the achievement of objectives.

Specifying risk scoring factors allows you to:

  • perform diverse risk scoring
  • assess risk on multiple factors
  • specify a more complex model that is used for your industry-specific risk framework

How it works

Each risk scoring factor can have a name, description, weight, and a severity scale.

Default and custom risk scoring factors

There are two default risk scoring factors (Likelihood and Impact). Each is associated with a 5-point severity scale (very low, low, medium, high, and very high).

You can make any modifications you like to the default risk scoring factors. You can also create up to eight custom risk scoring factors.

Example

Scenario

You use quantitative measures to assess an HR risk on three risk scoring factors:

Name | Description | Weight | Severity Scale
Complexity | Includes the number of unions, types of employees (casual, seasonal, or full-time), and physical locations | 70% | High (3), Medium (2), Low (1)
Variability | Includes new hires, years of experience, and years to pension eligibility | 40% | High (3), Medium (2), Low (1)
Materiality | Includes the number of employees | 50% | High (3), Medium (2), Low (1)

Result

Generally, the more complex and variable a process or activity, the higher the probability is that the risk will occur.

For example, a manager with 1,000 full-time, non-unionized employees working from a single location will have less inherent risk than another manager operating in three locations, with 500 employees that belong to four different unions, with each employee being casual, seasonal, or full-time.

Name

Give your risk scoring factors names that are descriptive, but short. These names appear throughout Strategy and are easier to read if they are not truncated. Use the description field to capture more detailed information.

Description

Give risk scoring factors meaningful descriptions so everyone understands what the factor represents.

The descriptions you write are available to others when they assess risks in Strategy and participate in risk workshops. Use descriptions to ensure everyone has a complete understanding of the risk scoring factor.

Example

You create a new risk scoring factor called "Velocity". However, different people interpret this name in different ways. Due to the lack of clarity, you find that risk workshop participants are giving some risks wildly different scores.

You add the following description for the risk scoring factor: "The time it takes for a problem to become apparent. Because low-impact, low-priority issues can still develop rapidly, this is not necessarily the speed with which we need to react."

Result

Risk workshop participants can independently learn about the purpose of this new risk scoring factor, and assess risks more objectively and consistently.

Weight

Specify a weight for each risk scoring factor to create a more meaningful risk assessment.

Since not all risk scoring factors may be equally important, you can specify a weight to reflect the perceived importance of the risk scoring factor. The higher the value of the weight, the more important the risk scoring factor is, and the more the risk scoring factor will contribute to the overall inherent risk score.

You can specify a weight from 0 to 1000% for each risk scoring factor. The range of values enables full customization of your scoring. For example, you can weight one risk scoring factor five times more than another (Likelihood = 100%, Impact = 500%).

Example

You add four risk scoring factors to assess risk:

  • Likelihood - 100%
  • Impact - 100%
  • Vulnerability - 60%
  • Velocity - 40%

Result

Likelihood and Impact will contribute the most to the overall inherent risk score, while Vulnerability and Velocity will contribute less.

Severity Scale

A severity scale is a point system that allows you to define a range of values for scoring risks.

By default, you can score risks on a 3-, 5-, or 10-point scale. You can specify one label for each point.

If you want to score risks on a custom scale, specify the appropriate number of points below the Severity Scale dropdown list. The severity scale field automatically updates to show Custom if you have chosen a scale other than one of the defaults.

Tip

Add descriptions to each point on the scale. The descriptions you write are available to others when they assess risks in Strategy and participate in risk workshops. Scales can be subjective, and people may need guidance on the difference between, for example, "low" and "very low". Good descriptions clarify the exact requirements for each point on the scale and will help people to score risks more objectively during assessments and risk workshops.

Example

You select a 5-point scale for assessing risks on Impact.

The points defined in your Severity Scale are: 

Number | Name | Description
1 | Very Low
  • Less than $100,000 financial loss.
  • No or minimal local reputation damage.
  • No injuries or loss of life.
2 | Low
  • Between $100,000 and $250,000 financial loss.
  • Some local reputation damage.
  • Minor injuries that do not require outpatient medical attention, no loss of life.
3 | Medium
  • Between $250,000 and $500,000 financial loss.
  • Reputation damage beyond the local area of the incident.
  • Minor outpatient injuries, no loss of life.
4 | High
  • Between $500,000 and $1 million financial loss.
  • Widespread, national damage to reputation.
  • Moderate to serious injuries requiring hospitalization but no loss of life.
5 | Critical
  • More than $1 million financial loss.
  • Widespread, persistent, or international damage to reputation.
  • Threat to the viability of our brand and business.
  • Serious injuries requiring hospitalization and any loss of life.

Result

You are able to rate the Impact of each entity associated with the risk on a scale from 1-5 using objectively established criteria.

How is risk calculated?

The Risk Score Calculation on the Scoring page displays how the inherent risk score is calculated and dynamically updates as you add or edit risk scoring factors.

What is inherent risk score?

The inherent risk score is the risk that an activity would pose if no controls or other mitigating factors were in place (the gross risk or risk before controls). The inherent risk score can also be the baseline for your company's risk tolerance or appetite.

Risk is inherently exponential. As likelihood, impact, and other risk scoring factors increase, risk to the company increases exponentially.

As a result, Diligent's risk assessment methodology is based on the following fundamental equation: Likelihood x Impact

This equation shows that the total amount of risk exposure is the probability of an event occurring, multiplied by the potential impact incurred by the event. If you translate impact into cost for the company, you can easily value the risk and compare one risk to another.

To quantitatively represent risk in Strategy, all risk scoring factors are multiplied together, with each risk scoring factor multiplied by its assigned weight.

Sometimes a risk that has high likelihood and low impact can be safely ignored, and sometimes a risk that has high impact and low likelihood can be safely ignored. Risks that have high likelihood and high impact are the ones worth investing in, as they affect the company the most.

For an example calculation using multiple risk scoring factors and assigned weights, see Calculating inherent risk.

Permissions

Only Strategy Admins can configure risk scoring settings.

Add a risk scoring factor

Note

If you previously assessed risks, adding new factors does not reset scores. However, Inherent Risk and Inherent Risk Heat will be zero until you assess risk on the new factor.

  1. Open the Strategy app.
  2. Click Settings.

    The Users page opens.

  3. From the left panel, click Scoring.

    The Risk Scoring Factors page opens.

  4. Click + Add factor.

    The New Risk Scoring Factor form opens. If you do not see the form immediately, scroll down the page.

  5. Enter a name for the Risk Scoring Factor. The maximum character length is 60.
  6. Enter a description for the Risk Scoring Factor. There is no character limit.
  7. Enter the weight of the Risk Scoring Factor. You can enter a weight from 1 to 1000%.
  8. Click the Severity Scale dropdown list and select the appropriate scale for scoring risks.
  9. Click + Add Point to add points to the scale, or click the trash icon to delete points in the scale.
  10. Enter names and, optionally, descriptions for each score. The maximum length for each name is 60 characters. Each name must be unique within a risk scoring factor. There is no character limit for descriptions.

  11. Click Save.

    The Risk Scoring Factor is saved and the Risk Score Calculation automatically updates on the Scoring page.

Edit a risk scoring factor

  1. Open the Strategy app.
  2. Click Settings.

    The Users page opens.

  3. From the left panel, click Scoring.

    The Risk Scoring Factors page opens.

  4. Navigate to the appropriate Risk Scoring Factor and click Edit.

    The Edit Risk Scoring Factor form opens.

  5. Edit any details, as required.
    Caution

    Modifying a Severity Scale may change the previously assigned scoring values for all risks. As a result, you may need to review and re-score risks. If you delete a point in a Severity Scale, the previously assigned value is retained.

  6. Click Save.

    The Risk Scoring Factor is saved and the Risk Score Calculation automatically updates on the Scoring page.

Delete a risk scoring factor

Caution

Deleting a Risk Scoring Factor permanently removes all assessed scores associated with the Risk Scoring Factor, and any risk heatmaps that use the Risk Scoring Factor will not display.

  1. Open the Strategy app.
  2. Click Settings.

    The Users page opens.

  3. From the left panel, click Scoring.

    The Risk Scoring Factors page opens.

  4. Navigate to the Risk Scoring Factor you want to remove and click Edit.
  5. Scroll to the bottom of the form and click Delete.
  6. Click Delete in the confirmation dialog box.