
Risk Scoring in the Risk Details Screen

Score risks using Likelihood, Impact, and Control Effectiveness. Supports Inherent, Residual, and Target risk modes.

Written by Nigel Groen
Updated over 2 weeks ago

What Is Risk Scoring?

Risk scoring in Essential ERM allows users to assess and document the severity of risks using a combination of:

  • Likelihood: How probable the risk is (rated 1–5)

  • Impact: How serious the consequences would be (rated 1–5)

  • Control Effectiveness: How well existing controls reduce the risk

By default, the score is calculated as:

Likelihood × Impact = Risk Score (1–25 scale)

However, your administrator can modify this logic.

Types of Risk Scores

Depending on system settings, users may see up to three types of risk scores:

  1. Inherent Risk

    • Represents risk before controls

    • Can be hidden by an admin

  2. Residual Risk

    • Represents risk after controls

    • Auto-filled based on Inherent Risk and Control Effectiveness

    • Can be manually overridden

  3. Target Risk (optional)

    • Represents desired residual state

    • Requires admin to enable

How Residual Risk Is Calculated

  • Default Behavior:
    Residual = Inherent × Control Effectiveness (with admin-defined adjustment logic)

  • Manual Override:
    Users can directly adjust Residual Likelihood and Impact.

    • A blue “Reset” link appears if override is used

    • Resetting reverts to system-calculated values

  • Control Effectiveness Scale:
    Admins can configure how each level of effectiveness (e.g. Partially Effective, Fully Effective) adjusts the score

Admin Configuration Options

Admins can configure the scoring system in Admin → General Settings, including:

  • Enable or disable Inherent Risk

  • Enable Target Risk

  • Configure how Control Effectiveness affects Residual scores

  • Adjust labels or scoring logic

Optional Features That May Appear

Depending on your configuration, users may also see:

  • Thresholds chart: Visualizes Residual score vs. Risk Appetite thresholds

  • Override link: Set custom thresholds for the individual risk

  • Suppress link: Hide risk from Risk Appetite Dashboard

  • Sub-risk averages: Weighted values from associated sub-risks

  • Mitigation Effectiveness average: Based on scored mitigations from the Bow Tie diagram

  • Warning color: Highlights major discrepancies between mitigation scores and Control Effectiveness

Flexibility in Scoring

  • Users can score only Residual Risk if Inherent is disabled

  • Target Risk appears when enabled, helping teams set improvement goals

  • Scores can be re-evaluated after completing Bow Tie analysis
