Verifying scoring calculations using the classic assessment engine
Summary of Verifying scoring calculations using the classic assessment engine
This guide helps ServiceNow customers ensure the accuracy and consistency of risk scoring in third-party risk assessments using the classic assessment engine. It focuses on verifying the correct application of weights, normalized values, scoring methods, and risk rating scales within questionnaires.
Accurate scoring is essential, as Third-party Risk Management averages assigned weights to produce a composite risk score, reflecting the overall risk of third parties, engagements, assessments, and questionnaires.
Verification checklist and roles
- Users with vendor_assessor or vendor_manager roles can perform verification actions via the Vendor Management Workspace or VRM Classic interface.
- Key configurations to verify include scoring methods, weights, and scoring calculations.
Key configurations to verify
- Scoring method: Confirm that the selected method (e.g., Min Risk vs. Average Risk) aligns with assessment goals. This applies to risk domains, criteria, and component criteria.
- Weights: Ensure weights assigned to risk areas, criteria, components, and questions are accurate. Weights must be whole integers (e.g., 56 instead of 0.56) to avoid incorrect scoring.
- Scoring calculations: Verify that calculations handle normalized values correctly and exclude unanswered questions from scoring, maintaining expected behavior.
Viewing risk ratings
Risk ratings become visible only after assessments are completed and scores are integrated. Customers can view various risk ratings for:
- Third parties: Includes computed risk rating, third party rating (aggregate of engagements), subsidiary risk rating (aggregate of subsidiaries), and risk intelligence rating.
- Engagements: Engagement risk rating determined by component criteria.
- Assessments and questionnaires: Assessment rating based on defined weights and calculations.
To view these ratings, navigate through the Third-party Risk Management module and select the desired third party, engagement, assessment, or questionnaire. Related lists provide access to detailed risk components, areas, assessments, and more for comprehensive review.
You can review scores and risk ratings in your questionnaires to help ensure the accuracy and consistency of risk scoring by verifying the correct application of weights, normalized values, scoring methods, and risk rating scales. Based on the different weights you assign, Third-party Risk Management averages these values and produces a composite score for the overall risk.
Verification checklist
The [sn_vdr_risk_asmt.vendor_assessor] or [sn_vdr_risk_asmt.vendor_manager] role is required to perform all related actions by using the Vendor Management Workspace or VRM Classic user interface. For full descriptions of assessment configuration and setup, see Classic assessment configuration.
Here are some of the configurations that you can check while reviewing scores and risk ratings:
| Configurations | Description |
|---|---|
| Scoring method | Verify that the correct scoring method has been selected. You can select or update scoring methods for risk area domains, risk area criteria, and component criteria. For example, confirm that Min Risk is used instead of Average Risk if that aligns better with your assessment goals. For more information, see Define a third-party risk domain, Define third-party risk area criteria, and Define component criteria. |
| Weights | Verify the accuracy of weights applied to risk areas, risk criteria, risk components, and questions. You can apply custom weights to reflect the importance and priority of different types of risk. Weight values for questions must be whole integers. Using decimals results in incorrect scores. For example, use 56 and not 0.56. For more information on how to assign or update weights, see Define a third-party risk domain, Define third-party risk area criteria, Define component criteria, and Define a question. |
| Scoring calculations | Verify that calculations, normalized values, and unanswered questions are behaving as expected. For example, confirm that you’re accounting for unanswered questions not being included as part of the scoring calculation. For information on the different formulas used to calculate scores and ratings, see Scoring calculations using the classic assessment engine. For information on how to use normalized values to calculate assessment scores for Choice or Multiple Selection questions with the scored check box not selected, see Normalize the scores for metrics. |
How to view risk ratings
You can view risk ratings for individual third parties, engagements, assessments, and questionnaires.
- Computed risk rating: The overall risk rating for the third party, calculated after the assessment.
- Third party rating: An aggregate of all engagement ratings.
- Engagement risk rating: Determined by the component criteria.
- Subsidiary risk rating: If company1 has company2 and company3 as subsidiaries, the aggregate of the final ratings of company2 and company3 is the subsidiary rating of company1.
- Risk intelligence rating: Aggregate of all provider ratings.
- Assessment rating: Determined by weights defined by category, calculations, and more.