Understanding Risk Score Calculations

In general, the risk score is calculated using the following formula:

risk score = exposure value * likelihood

Note: Exposure is also referred to as impact.

The risk score is in the range 0 to 100; asset criticality, exposure value, and likelihood each range from 0 to 10.

Below are the different kinds of risk scores in the Enterprise Risk Manager programs. For all of these scores, entity criticality is always the value defined at the entity level within entity classification.

  • Inherent risk score
  • Current risk score
  • Residual risk score
  • ALE (risk score in dollar amount, and it uses a different calculation)

  Inherent Risk Score

The exposure and likelihood values are gathered as opinions from different users; the final value is either the average of all opinions or the middle value between the highest and lowest, depending on the options set on each analysis.

Inherent Risk Score is calculated as follows:

Impact = sum of (ImpactWeight*Value) / sum of weights

Likelihood = sum of (LikelihoodWeight*Value) / sum of weights

Click the display name of the Operational, Financial and Regulatory impacts and note down the values for the ranges (in the graphic above, they are High, Medium and Low). Also note down the weights of the impacts as shown in the graphic above.

Custom-defined ranges and custom-defined values can also be used (through ConfigureUI).

When a risk is identified, the Impact and Likelihood values are calculated as follows:

Impact = sum(ImpactWeight*Value) / sum of weights

Likelihood = sum(LikelihoodWeight*Value) / sum of weights

The values obtained are:

Impact: ((2*5)+(5*5)+(10*5)) / 17 = 85 / 17 = 5

Likelihood: ((2*5)+(5*7)+(10*7)) / 17 = 115 / 17 = 6.76

Inherent Risk Value 33.82 is obtained as:

Inherent Risk = Impact * Likelihood, where Impact is 5 and Likelihood is 6.76.

Therefore, 5*6.76 is equal to 33.8 (33.82 when the unrounded likelihood 115/17 is used).

Average: take the average of all opinions, including the best and worst cases.

Overall: take the middle value between the highest and lowest opinions.

Alternatively, users can choose not to use the opinions and provide values for exposure/likelihood directly (override).

Instead of entering relative exposure and likelihood values, you may also enter percentage and dollar values for likelihood and exposure (called impact in the UI). When a dollar value is entered, it is normalized using the natural logarithm. For example, if the highest dollar value is $10000 and one risk has an impact of $100, the normalized exposure is:

normalized exposure = 10 * ln(100) / ln(10000)

The highest dollar value is derived by comparing all risks' impact dollar values and the business cost of the entity.
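The following Python example is added here and is not part of the original documentation or the product's own code. It works the inherent risk calculation above end to end: the weighted impact and likelihood from the worked figures (weights 2, 5 and 10, values 5/5/5 and 5/7/7, the same weights applied to likelihood as in the example), the two opinion-aggregation options (average and overall), and the natural-log normalization of a dollar impact against the highest dollar value. The function names, the use of the same category weights for likelihood, the `opinions` input and the clamp of the normalized exposure to the 0..10 range are assumptions of this example.

```python
import math
from statistics import mean

# Impact categories and their weights, taken from the worked example on this page
# (sum of weights = 17). The example applies the same weights to likelihood.
CATEGORY_WEIGHTS = {"Operational": 2, "Financial": 5, "Regulatory": 10}


def weighted_score(weights, values):
    """sum(weight * value) / sum(weights): the page's formula for both impact and likelihood.

    `values` holds one 0..10 value per category (the value assigned to the
    High/Medium/Low range selected for that category).
    """
    missing = set(weights) - set(values)
    if missing:
        raise ValueError(f"no value for categories: {sorted(missing)}")
    total_weight = sum(weights.values())
    return sum(weights[c] * values[c] for c in weights) / total_weight


def aggregate_opinions(opinions, mode="average"):
    """Reduce several users' opinions on one exposure or likelihood value to a single number.

    mode="average": arithmetic mean of all opinions (best and worst cases included).
    mode="overall": the middle value between the highest and lowest opinion.
    """
    if not opinions:
        raise ValueError("at least one opinion is required")
    if mode == "average":
        return mean(opinions)
    if mode == "overall":
        return (max(opinions) + min(opinions)) / 2
    raise ValueError(f"unknown aggregation mode: {mode}")


def normalize_dollar_exposure(impact_dollars, highest_dollars):
    """10 * ln(impact) / ln(highest): the page's natural-log normalization of a dollar impact.

    Clamping the result to the 0..10 exposure range is an assumption of this example:
    an impact below $1 would otherwise go negative, and one above the highest value above 10.
    """
    if impact_dollars <= 0 or highest_dollars <= 1:
        raise ValueError("impact must be positive and the highest dollar value above $1")
    raw = 10 * math.log(impact_dollars) / math.log(highest_dollars)
    return max(0.0, min(10.0, raw))


def inherent_risk(impact, likelihood):
    """Inherent Risk = Impact * Likelihood, a score in the 0..100 range."""
    return impact * likelihood


if __name__ == "__main__":
    # Constructed inputs reproducing the page's example: impact value 5 in every
    # category; likelihood values 5, 7 and 7.
    impact_values = {"Operational": 5, "Financial": 5, "Regulatory": 5}
    likelihood_values = {"Operational": 5, "Financial": 7, "Regulatory": 7}
    impact = weighted_score(CATEGORY_WEIGHTS, impact_values)          # 85 / 17 = 5.0
    likelihood = weighted_score(CATEGORY_WEIGHTS, likelihood_values)  # 115 / 17 = 6.76
    risk = inherent_risk(impact, likelihood)                          # 33.82
    print(f"impact={impact:.2f} likelihood={likelihood:.2f} inherent={risk:.2f}")
    # Three constructed opinions for one value, combined both ways: 6 and 6.5.
    print(aggregate_opinions([3, 5, 10], "average"), aggregate_opinions([3, 5, 10], "overall"))
    # A $100 impact against a $10000 highest value normalizes to 5.0.
    print(normalize_dollar_exposure(100, 10_000))
```

Note that the unrounded likelihood (115/17) is carried into the multiplication, which is why the script reports 33.82 rather than the 33.8 obtained from the rounded 6.76.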

  Current Risk Score

The default Current Risk score formula is:

Current Risk score = Inherent Risk * (1 - Risk Reduction Percentage) * (1 - Control Protection Score)

Adding the property com.agiliance.web.risk.currentRisk.formula=2 to the .properties file results in the Current Risk score being calculated as:

Current Risk score = [(Inherent Risk - Residual Risk) * (1 - Control Protection score) * (1 - Risk Reduction score)] + Residual Risk

where Average Risk Score = (sum of implemented control scores) / (total number of implemented controls)

and Control Protection Score = Average score - (0.75 * number of unimplemented controls) / (total number of relevant controls)

The 0.75 value is based on the following property:

com.agiliance.web.risk.protectionRiskScoreFactor

If the Inherent Risk score is less than the Residual Risk score, the default Current Risk score formula is applied even when the com.agiliance.web.risk.currentRisk.formula property is set to "2".
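The two Current Risk formulas, the control protection score and the fall-back rule above, as an added Python example that is not the product's own code. It assumes that the risk reduction percentage and the individual control scores are given as fractions between 0 and 1, that the `formula` argument plays the role of the com.agiliance.web.risk.currentRisk.formula property, and that the average term is 0 when no control is implemented (a case the page does not cover); the function names and the sample inputs are constructed.

```python
# Default weight applied to unimplemented controls; the page attributes this value to the
# com.agiliance.web.risk.protectionRiskScoreFactor property.
PROTECTION_RISK_SCORE_FACTOR = 0.75


def control_protection_score(implemented_scores, unimplemented_count, relevant_count,
                             factor=PROTECTION_RISK_SCORE_FACTOR):
    """Average score of the implemented controls minus factor * (unimplemented / relevant).

    Control scores are assumed to be fractions in 0..1. With no implemented controls the
    average term is taken as 0 (an assumption of this example).
    """
    if relevant_count <= 0:
        raise ValueError("relevant_count must be positive")
    if not 0 <= unimplemented_count <= relevant_count:
        raise ValueError("unimplemented_count must be between 0 and relevant_count")
    average = sum(implemented_scores) / len(implemented_scores) if implemented_scores else 0.0
    return average - factor * unimplemented_count / relevant_count


def current_risk(inherent, residual, risk_reduction, protection, formula=1):
    """Current Risk score under the default formula (1) or the formula=2 variant.

    formula=2 reduces only the gap between inherent and residual risk and adds the
    residual back; the page states that the default formula is used whenever the
    inherent risk is below the residual risk, even with the property set to 2.
    """
    if not 0.0 <= risk_reduction <= 1.0:
        raise ValueError("risk_reduction must be a fraction between 0 and 1")
    reduction_factors = (1 - risk_reduction) * (1 - protection)
    if formula == 2 and inherent >= residual:
        return (inherent - residual) * reduction_factors + residual
    return inherent * reduction_factors


if __name__ == "__main__":
    # Constructed inputs: two implemented controls scoring 0.8 and 0.6, one of three
    # relevant controls unimplemented, 20% risk reduction, inherent 33.82, residual 10.
    protection = control_protection_score([0.8, 0.6], unimplemented_count=1, relevant_count=3)
    print(f"control protection score = {protection:.2f}")            # 0.45
    print(f"default formula  = {current_risk(33.82, 10, 0.2, protection):.4f}")             # 14.8808
    print(f"formula=2        = {current_risk(33.82, 10, 0.2, protection, formula=2):.4f}")  # 20.4808
    # Inherent below residual: formula=2 falls back to the default formula.
    print(f"fallback (5 < 10) = {current_risk(5, 10, 0.2, protection, formula=2):.4f}")    # 2.2000
```

The sample run shows the practical difference between the two settings: with the same controls and reduction, formula=2 never drives the current risk below the residual risk, while the default formula can.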

  Residual Risk Score

Similar to the inherent risk score, the residual risk score is calculated from users' input values of exposure and likelihood. Hence, the average of the worst and best cases is used.