A finding can be assessed based on the impact and likelihood ratings provided by workflow stage stakeholders. Each rating corresponds to a threshold range defined in the Findings Configuration, and these ranges are used to derive the inherent risk and residual risk scores for the finding.
Assume that you have set up threshold values for the following findings configuration ranges:
Inherent Impact Score
Threshold | Label |
---|---|
Score < 2 | Low |
2 <= Score < 5 | Medium |
5 <= Score | High |
Inherent Likelihood Score
Threshold | Label |
---|---|
Score < 1 | Unlikely |
1 <= Score < 3 | Possible |
3 <= Score < 5 | Likely |
5 <= Score < 8 | Almost Certain |
8 <= Score | Certain |
Inherent Risk Score
Threshold | Label |
---|---|
Score < 30 | Low |
30 <= Score < 60 | Medium |
60 <= Score | High |
An inherent risk score is calculated as follows:
Inherent Impact rating × Inherent Likelihood rating
For a finding, if you have rated the inherent impact as 'Medium' and the inherent likelihood as 'Almost Certain', then the highest value in the range of each selected rating is used to calculate the inherent risk score. That is, the equivalent values for the inherent impact and inherent likelihood ratings are 4 and 7, and the inherent risk score is 4 * 7 = 28.
Likewise, the residual risk score is calculated as follows:
Residual Impact rating × Residual Likelihood rating
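The derivation described above, from rating label to band high value to product to risk label, written out as an added example (not the product's own code). The function names are hypothetical, scores are assumed to be whole numbers (which matches the 4 and 7 in the worked case), and because the page does not say what value an open-ended top band contributes, the code rejects that case instead of guessing.

```python
# Added example: names and the whole-number assumption are illustrative, not the product's.
# Each band is (exclusive upper bound, label) in ascending order, None = open-ended,
# copied from the configuration tables above.
IMPACT = [(2, "Low"), (5, "Medium"), (None, "High")]
LIKELIHOOD = [(1, "Unlikely"), (3, "Possible"), (5, "Likely"),
              (8, "Almost Certain"), (None, "Certain")]
RISK = [(30, "Low"), (60, "Medium"), (None, "High")]


def label_for(score, bands):
    """Return the label of the band containing score (lower <= score < upper)."""
    for upper, label in bands:
        if upper is None or score < upper:
            return label
    raise ValueError("bands must end with an open-ended band")


def high_value(label, bands):
    """Highest whole-number score inside the band carrying this label."""
    for upper, band_label in bands:
        if band_label == label:
            if upper is None:
                # The page does not define the value used for an open-ended top band.
                raise ValueError(f"no upper bound configured for {label!r}")
            return upper - 1  # assumption: scores are whole numbers
    raise KeyError(label)


def risk_score(impact_label, likelihood_label):
    """Impact x likelihood, using each rating's high value, plus the risk label."""
    score = high_value(impact_label, IMPACT) * high_value(likelihood_label, LIKELIHOOD)
    return score, label_for(score, RISK)


if __name__ == "__main__":
    print(risk_score("Medium", "Almost Certain"))  # (28, 'Low')
```

With the thresholds above, the Medium and Almost Certain finding scores 28, which falls in the Low band of the Inherent Risk Score range (Score < 30). The same functions apply to residual ratings once the residual ranges are supplied in place of the inherent ones.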