Risk and assessment scoring configuration in Risk Manager
In the Risk Manager app, you can configure risk and assessment scoring according to your requirements.
How it works?
In the Risk Manager app, you can go to Settings > Scoring and set up the configuration for risk and assessment scoring.
After the scoring is configured, you can go to the Risks and Risk Event Assessment pages and begin scoring the risk and the risk assessments respectively.
Permissions
Only System Admins can access and manage risk and assessment scoring configuration.
Prerequisites
Before you configure the risk and assessment scores, you must know the severity scale of the risk fields you want to select when configuring the risk and assessment scores.
For example: Likelihood and impact with a 3-point severity scale, namely low, medium, and high.
You can set up the severity scale of the risk fields in the Configuration page, as follows:
-
Note
If your company uses more than one instance in Launchpad, make sure the appropriate instance is active.
- Select Options > Configuration .
- Click Attribute Types from either the side panel or the tile.
The Attribute Types page opens.
- In the search box, enter the attribute name and click on the name. For example: Likelihood.
If you have multiple attributes with the same display name, check the field name to choose one.
The General information panel opens.
- Click Edit.
- Under the Response type section, enter the scores for the options. For example: Low = 1, Medium = 2, and High = 3.
- Optional. You can also make other changes such as adding / removing options, renaming, reordering, and assigning colors.
- After making all the changes, click Save.
Your changes get saved.
- Go back to the Attribute Types page and repeat the same steps to update the Impact field.
Risk score configuration
The risk score configuration contains two sections: Risk Score Formula and Risk Level Output.
Risk Score Formula
In this section, you can set up a formula to calculate the risk score.
For example, the risk score formula can be (Likelihood x 100%) x (Impact x 100%), where likelihood and impact are the risk factors, x is the multiplication sign, and 100% is the weightage.
You can also provide a number at the end with a plus (+) or minus (-) operator to get a desired value.
For example: You decide to add 500 to the value, the formula will now look like this: (Likelihood x 100%) x (Impact x 100%) + 500.
Setting up the Risk Score Formula
You can customize the risk score formula by adding more fields and/or changing the logic of the formula.
Example
Scenario
You are tasked with configuring the risk score for your organization. You begin by creating a new risk score formula. You decide to use two fields: Likelihood and Impact. These two fields are configured with a 3-point severity scale: Low = 1, Medium = 2, and High = 3.
Process
You open the Risk Manager app, click Settings in the left panel, and click Scoring. The Risk score configuration page opens.
To set up the formula, you perform the following steps:
- In the Risk Score Formula section, click Edit.
- In the Field dropdown, select Likelihood.
Note
- Only dropdown and radio button fields from the risk are displayed in the Field dropdown list.
- The info icon (i) next to the Field displays the severity scale of the selected field.
- In the Weight field, enter weightage for the selected field.
Note
In simple terms, weight is the importance of a risk factor when calculating the risk score. This can range from 0 to whatever number you find suitable. For example: If you want to give double the importance for a risk factor, you can enter the weight as 200. Likewise, it can be 50 if you want to give half the importance for a risk factor.
Weight is measured in terms of percentage and is always multiplied with the risk factor. For example: Likelihood has the following scale range: Low = 1, Medium = 2, and High = 3. If the weightage entered for low is 200, then the calculated value is (1 x 200% = 2). If the weightage is 50, then the calculated value is (1 x 50% = 0.5).
- Optional. You can enter a number in the Number field with a plus (+) or minus (-) operator. Default is 0.
Note
You can either add or subtract the number from the score to get a value of your choice. For example: If the risk factor is 1 and weight is 100, you can enter 100 in the Number field with a plus operator (+). Then, the calculation will be (1 x 100%) + 100, which makes it 101.
Now, you have successfully added a field.
- Click Add Field and repeat the same steps to add another field: Impact. You need a minimum of two fields (risk factors) to perform the calculation.
- Select the operator to perform calculation: Plus, Minus, Multiply, or Divide (+, -, x, ÷). For example: (Likelihood) x (Impact).
- Optional. You can add another number at the end with any operator (+, -, x, ÷). This also serves the same purpose as the other Number field mentioned above.
- After making all the changes, you click Save Changes.
Result
The Risk Manager app saves the Risk Score Formula.
Setting up the Risk Level Output
After you have configured the risk score formula, you can set up the risk level output by providing a set of ranges, based on the severity scale of the output field.
Example
Scenario
After creating the risk score formula, you must configure the risk level output. You decide to set the ranges based on the output field: Inherent Risk Score.
The Inherent Risk Score is configured with a 3-point severity scale: Low, Medium, and High.
Process
You open the Risk Manager app, click Settings in the left panel, and click Scoring. The Risk score configuration page opens.
- In the Risk Level Output section, click Edit.
- In the Output field dropdown, select Inherent Risk Score.
Note
Dropdown and radio button fields of the risk are displayed in the Output field.
Based on the output field selected, the Severity Points field displays a predefined scale. In our example, for the output field, Inherent Risk Score, the scale is low, medium, and high.
To make any changes to the inherent risk score, you can go to the Configuration > Attribute Types page and make the required changes. - Assuming the risk factors selected to calculate the risk score are Likelihood and Impact, and they are configured with a 3-point severity scale: Low = 1, Medium = 2, and High = 3.
Based on the risk score formula of (Likelihood x 100%) x (Impact x 100%), the scale can range as follows :Likelihood Impact Value Low (1) Low (1) (1 x 100%) x (1 x 100%) = 1 Low (1) Medium (2) (1 x 100%) x (2 x 100%) = 2 Low (1) High (3) (1 x 100%) x (3 x 100%) = 3 Medium (2) Low (1) (2 x 100%) x (1 x 100%) = 2 Medium (2) Medium (2) (2 x 100%) x (2 x 100%) = 4 Medium (2) High (3) (2 x 100%) x (3 x 100%) = 6 High (3) Low (1) (3 x 100%) x (1 x 100%) = 3 High (3) Medium (2) (3 x 100%) x (2 x 100%) = 6 High (3) High (3) (3 x 100%) x (3 x 100%) = 9 The lowest is (1 x 1 = 1) and the highest is (3 x 3 = 9). Now, you can set up the Severity points as follows:
- Low = 0 to 3
- Medium = 4 to 6
- High = 7 to 9
Note
Click the link button to set up a continuous range without any gaps. For example:
- Low equals 0 to ≤ 3
- Medium equals >3 to ≤ 6
- High equals >6 to ≤ 9
This ensures that the high-ranged number of the first field is the starting point of the second field. In the above example, the low range scale is 0 to less than 3, so the medium range begins from greater than 3. Likewise, the medium range scale is greater than 3 to less than 6, therefore the high range begins from greater than 6.
- After making all the changes, click Save Changes.
Result
The Risk Manager app saves the Risk Level Output.
How to calculate the risk score?
Once the risk score formula and the risk level output are configured, you can calculate the risk score by performing the following steps:
- Open the Risk Manager app.
The Risk Manager home page opens.with the Risks tab.
-
Select the checkbox of the risks you want to calculate the score, you can select one or multiple risks.
Tip
You can select all the risks on the page by clicking the checkbox in the Name column header.
- Click Actions and select one of the following options:
- Score empty output fields To calculate the risk score, where the risk output field (for example: Inherent Risk Score) is empty. This option will not override the existing score.
- Score all output fields To calculate the risk score for all the output fields, even when they are filled in. This option will override the existing score.
Note
You can also calculate the risk scores using default configuration. For more information, see Using default configuration.
Risk Scoring example
Let's take a look at an example of risk scoring.
Example
Scenario
You want to score a risk in the Risk Manager app. The impact and likelihood are configured with a 3-point severity scale: Low = 1, Medium = 2, and High = 3.
The risk where you want to calculate the risk score has the following risk factors:
- Likelihood = High (3)
- Impact = Medium (2)
The risk score formula and risk level output are configured as follows:
Risk Score Formula: (Likelihood x 100%) x (Impact x 100%)
Risk Level Output: Inherent Risk Score is the output field with a 3-point severity scale (low, medium, and high). The ranges are set as follows:
- Low equals 0 to ≤ 3
- Medium equals >3 to ≤ 6
- High equals >6 to ≤ 9
Process
According to the risk score formula, the calculation is as follows:
(Likelihood x 100%) x (Impact x 100%)
(3 x 100%) x (2 x 100%)
3 x 2 = 6
Therefore, 6 is the Risk Score. This fits into the medium range of the output field in the Risk Level Output scale.
Result
Now, when you score this risk, the Inherent Risk Score is Medium.
Assessment score configuration
The assessment score configuration is similar to the risk score configuration. This also contains two sections: Assessment Score Formula and Assessment Level Output.
Assessment Score Formula
In this section, you can set up a formula to calculate the assessment score.
For example, the assessment score formula can be (Likelihood x 100%) x (Impact x 100%), where likelihood and impact are the risk factors, x is the multiplication sign, and 100% is the weightage.
You can also provide a number at the end with a plus (+) or minus (-) operator to get a desired value.
For example: You decide to add 500 to the value, the formula will now look like this: (Likelihood x 100%) x (Impact x 100%) + 500.
Setting up the Assessment Score Formula
You can customize the assessment score formula by adding more fields and/or changing the logic of the formula.
Example
Scenario
You are tasked with configuring the risk assessment score for your organization. You begin by creating a new assessment score formula. You decide to use two fields: Likelihood and Impact. These two fields are configured with a 3-point severity scale: Low = 1, Medium = 2, and High = 3.
Process
You open the Risk Manager app, click Settings in the left panel, and click Scoring. The Assessment score configuration page opens.
To set up the formula, you perform the following steps:
- In the Assessment Score Formula section, click Edit.
- In the Field dropdown, select Likelihood.
Note
- Only dropdown and radio button fields from the risk are displayed in the Field dropdown list.
- The info icon (i) next to the Field displays the severity scale of the selected field.
- In the Weight field, enter weightage for the selected field.
Note
In simple terms, weight is the importance of a risk factor when calculating the risk score. This can range from 0 to whatever number you find suitable. For example: If you want to give double the importance for a risk factor, you can enter the weight as 200. Likewise, it can be 50 if you want to give half the importance for a risk factor.
Weight is measured in terms of percentage and is always multiplied with the risk factor. For example: Likelihood with the scale: Low = 1, Medium = 2, and High = 3. If the weightage entered for low is 200, then the calculated value is (1 x 200% = 2). If the weightage is 50, then the calculated value is (1 x 50% = 0.5).
- Optional. You can enter a number in the Number field with a plus (+) or minus (-) operator. Default is 0.
Note
You can either add or subtract the number from the score to get a value of your choice. For example: If the risk factor is 1 and weight is 100, you can enter 100 in the Number field with a plus operator (+). Then, the calculation will be (1 x 100%) + 100, which makes it 101.
Now, you have successfully added a field.
- Click Add Field and repeat the same steps to add another field: Impact. You need a minimum of two fields (risk factors) to perform the calculation.
- Select the operator to perform calculation: Plus, Minus, Multiply, or Divide (+, -, x, ÷). For example: (Likelihood) x (Impact).
- Optional. You can add another number at the end with any operator (+, -, x, ÷). This also serves the same purpose as the other Number field mentioned above.
- After making all the changes, you click Save Changes.
Result
The Risk Manager app saves the Assessment Score Formula.
Setting up the Assessment Level Output
After you have configured the assessment score formula, you can set up the assessment level output by providing a set of ranges, based on the severity scale of the output field.
Example
Scenario
After creating the assessment score formula, you must configure the assessment level output. You decide to set the ranges based on the output field: Inherent Risk Score.
The Inherent Risk Score is configured with a 3-point severity scale: Low, Medium, and High.
Process
You open the Risk Manager app, click Settings in the left panel, and click Scoring. The Assessment score configuration page opens.
- In the Assessment Level Output section, click Edit.
- In the Output field dropdown, select Inherent Risk Score.
Note
Dropdown and radio button fields of the risk are displayed in the Output field.
Based on the output field selected, the Severity Points field displays a predefined scale. In our example, for the output field, Inherent Risk Score, the scale is low, medium, and high.
To make any changes to the inherent risk score, you can go to the Configuration > Attribute Types page and make the required changes. - Assuming the risk factors selected to calculate the assessment score are Likelihood and Impact, and they are configured with a 3-point severity scale: Low = 1, Medium = 2, and High = 3.
Based on the assessment score formula of (Likelihood x 100%) x (Impact x 100%), the scale can range as follows :Likelihood Impact Value Low (1) Low (1) (1 x 100%) x (1 x 100%) = 1 Low (1) Medium (2) (1 x 100%) x (2 x 100%) = 2 Low (1) High (3) (1 x 100%) x (3 x 100%) = 3 Medium (2) Low (1) (2 x 100%) x (1 x 100%) = 2 Medium (2) Medium (2) (2 x 100%) x (2 x 100%) = 4 Medium (2) High (3) (2 x 100%) x (3 x 100%) = 6 High (3) Low (1) (3 x 100%) x (1 x 100%) = 3 High (3) Medium (2) (3 x 100%) x (2 x 100%) = 6 High (3) High (3) (3 x 100%) x (3 x 100%) = 9 The lowest is (1 x 1 = 1) and the highest is (3 x 3 = 9). Now, you can set up the Severity points as follows:
- Low = 0 to 3
- Medium = 4 to 6
- High = 7 to 9
Note
Click the link button to set up a continuous range without any gaps. For example:
- Low equals 0 to ≤ 3
- Medium equals >3 to ≤ 6
- High equals >6 to ≤ 9
This ensures that the high-ranged number of the first field is the starting point of the second field. In the above example, the low range scale is 0 to less than 3, so the medium range begins from greater than 3. Likewise, the medium range scale is greater than 3 to less than 6, therefore the high range begins from greater than 6.
- After making all the changes, click Save Changes.
Result
The Risk Manager app saves the assessment level output.
How to calculate the assessment score?
Once the assessment score formula and the assessment level output are configured, you can calculate the assessment score by performing the following steps:
- Open the Risk Manager app.
The Risk Manager home page opens.with the Risks tab.
-
Select the checkbox of the risk of your choice.
-
Select the checkbox of the risk assessments where you want to calculate the score, you can select one or multiple risk assessments.
Tip
You can select all the risk assessments on the page by clicking the checkbox in the Name column header.
- Click Actions and select one of the following options:
- Score empty output fields To calculate the assessment score, where the assessment output field (for example: Inherent Risk Score) is empty. This option will not override the existing score.
- Score all output fields To calculate the assessment score for all the output fields, even when they are filled in. This option will override the existing score.
Note
You can also calculate the assessment scores using default configuration. For more information, see Using default configuration.
Assessment Scoring example
Let's take a look at an example of assessment scoring.
Example
Scenario
You want to score a risk assessment in the Risk Manager app. The impact and likelihood are configured with a 3-point severity scale: Low = 1, Medium = 2, and High = 3.
The risk assessment where you want to calculate the score has the following risk factors:
- Likelihood = High (3)
- Impact = Medium (2)
The assessment score formula and risk level output are configured as follows:
Assessment Score Formula: (Likelihood x 100%) x (Impact x 100%)
Assessment Level Output: Inherent Risk Score is the output field with a 3-point severity scale (low, medium, and high). The ranges are set as follows:
- Low equals 0 to ≤ 3
- Medium equals >3 to ≤ 6
- High equals >6 to ≤ 9
Process
According to the assessment score formula, the calculation is as follows:
(Likelihood x 100%) x (Impact x 100%)
(3 x 100%) x (2 x 100%)
3 x 2 = 6
Therefore, 6 is the Assessment Score. This fits into the medium range of the output field in the Risk Level Output scale.
Result
Now, when you score this risk assessment, the Inherent Risk Score is Medium.
Viewing the scoring activity log
Scoring configuration is used to set up a scoring logic that applies to your organization. Scoring configuration enables you to apply the scores using a bulk operation rather than applying the scores manually to each risk or assessment.
The scoring dashboard displays a log for all the scoring activities performed. In the log, you can view the details of scores that were applied successfully and those that failed. The failed records can be rerun. The dashboard helps you to identify the records that are pending and manage the score-application process more efficiently.
Here is how you can view the scoring activity log:
- Open the Risk Manager app.
The Risk Manager home page is displayed.
-
In the left panel, select Activity and then select Scoring Activity.
In the Scoring Activity page, for every executed scoring run, you can view details such as date of execution, action, status (passed or failed), the risk or assessment records that were used for the execution, and the name of the user who executed the run.
-
Select the Action name link of the scoring run that you want to view or access.
The activity details pane is displayed. You can view the details such as date of execution, type of object, action on which scoring was performed, scoring logic, status and user details. You can also view the records that passed and failed. Select View details to access details of the records. Additionally, select Rerun action on failed objects to rerun failed records.
- Select View details to navigate to the scoring activity details page.
The Scoring Activity details page displays the detailed error message for each record included in the scoring execution run. In the Scoring Activity details page:
- View the details such as action on which scoring was performed, date of execution, status, type of object, user name, output field, scoring logic and the executed records.
Select View against each record to access details of the records. The object name, error message and status are displayed. Select the object name to view the Risk Event Assessment details page.
Select Rerun action on failed objects to rerun a failed scoring activity. When you initiate a rerun, a new scoring activity log entry is added in the Scoring Activity page list view with the new scoring execution details.
Note
When the scoring execution is in progress, you can view the number of records that have been completed and the number of records that are in progress. You can access the Rerun action on failed objects button after the execution is complete.