Verifying scoring calculations using the classic assessment engine

  • Release version: Yokohama
  • Updated March 12, 2026
  • 3 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Verifying scoring calculations using the classic assessment engine

    This guide helps ServiceNow customers ensure the accuracy and consistency of risk scoring in third-party risk assessments using the classic assessment engine. It focuses on verifying the correct application of scoring methods, weights, normalized values, and risk rating scales to produce reliable composite scores.

    Show full answer Show less

    Verification Checklist

    Users with the snvdrriskasmt.vendorassessor or snvdrriskasmt.vendormanager roles can perform verification actions through the Vendor Management Workspace or VRM Classic interface. Key configurations to verify include:

    • Scoring method: Confirm the appropriate scoring method (e.g., Min Risk vs. Average Risk) is selected for risk domains, criteria, and components, aligning with assessment goals.
    • Weights: Check that weights applied to risk areas, criteria, components, and questions are accurate and whole integers (decimals cause scoring errors). Weights reflect the priority of different risk types.
    • Scoring calculations: Validate scoring calculations and normalized values, ensuring unanswered questions are excluded from scores as intended. This includes verifying formulas used for assessments and normalization for Choice or Multiple Selection questions.

    Viewing Risk Ratings

    After assessment completion and score integration from providers, various risk ratings can be viewed for third parties, engagements, assessments, and questionnaires. These include:

    • Computed risk rating: Overall risk rating for a third party post-assessment.
    • Third party rating: Aggregate rating of all engagements.
    • Engagement risk rating: Based on component criteria.
    • Subsidiary risk rating: Aggregate of subsidiary company ratings.
    • Risk intelligence rating: Aggregate of all provider ratings.
    • Assessment rating: Determined by category weights and calculations.

    Risk ratings are accessible through the Risk ratings related list on third party, engagement, assessment, and questionnaire records within the Third-party Risk Management application.

    You can review scores and risk ratings in your questionnaires to help ensure the accuracy and consistency of risk scoring by verifying the correct application of weights, normalized values, scoring methods, and risk rating scales. Based on the different weights you assign, Third-party Risk Management aggregates these values and produces a composite score.

    Verification checklist

    The [sn_vdr_risk_asmt.vendor_assessor] or [sn_vdr_risk_asmt.vendor_manager] role is required to perform all related actions by using the Vendor Management Workspace or VRM Classic user interface. For full descriptions of assessment configuration and set up, see Classic assessment configuration.

    Here are some of the configurations that you can check while reviewing scores and risk ratings:

    Table 1. Checklist items
    Configurations Description
    Scoring method Verify that the correct scoring method has been selected.

    You can select or update scoring methods for risk area domains, risk area criteria, and component criteria. For example, confirm that Min Risk is used instead of Average Risk if that aligns better with your assessment goals.

    For more information, see Define a third-party risk domain, Define third-party risk area criteria, and Define component criteria.
    Weights Verify the accuracy of weights applied to risk areas, risk criteria, risk components, and questions.

    You can apply custom weights to reflect the importance and priority of different types of risk.

    Weight values for questions must be whole integers. Using decimals results in incorrect scores. For example, use 56 and not 0.56.

    For more information on how to assign or update weights, see Define a third-party risk domain, Define third-party risk area criteria, Define component criteria, and Define a question.
    Scoring calculations Verify that calculations, normalized values, and unanswered questions are behaving as expected. For example, confirm that you’re accounting for unanswered questions not being included as part of the scoring calculation.

    For information on the different formulas used to calculate scores and ratings, see Scoring calculations using the classic assessment engine.

    For information on how to use normalized values to calculate assessment scores for Choice or Multiple Selection questions with the scored check box not selected Normalize the scores for metrics.

    How to view risk ratings

    You can view risk ratings for individual third parties, engagements, assessments, and questionnaires.
    The following risk ratings are available to view.
    • Computed risk rating: The overall risk rating for the third party, calculated after the assessment.
    • Third party rating: An aggregate of all engagement ratings.
    • Engagement risk rating: Determined by the component criteria
    • Subsidiary risk rating: If company1 has company2 and company3 as subsidiaries, the aggregate of final ratings on company2 and company3 are the subsidiary ratings on company1.
    • Risk intelligence rating: Aggregate of all provider ratings.
    • Assessment rating: Determined by weights defined by category, calculations, and more.
    Note:
    Risk ratings and scores are only available to view after assessments have been completed and scores have been integrated from a provider.
    You can view all associated ratings for a third party by navigating to its Risk ratings related list. Navigate to All > Third-party Risk Management > Third Parties > All Third Parties and select the third party you want. The following example shows you can view all available risk ratings as well as the Third-party risk components, Third-party risk areas, Assessments, Tiering assessments, Repeating assessments related lists, and more.
    Figure 1. Example of a third-party record
    Risk ratings and associated background information available for a Third party record.
    You can view all associated ratings for an engagement by navigating to its Risk ratings related list. Navigate to All > Third-party Risk Management > Engagements > All Engagements and select the engagement you want. The following example shows you can view all available risk ratings as well as the Engagement risk components, Third-party risk areas, Assessments, Tiering assessments, Repeating assessments related lists, and more.
    Figure 2. Example of an engagement record
    Risk ratings and associated background information for an engagement record.
    You can view all associated ratings for an assessment by navigating to its Risk ratings related list. Navigate to All > Third-party Risk Management > External Risk Assessments > All Assessments and then select the assessment you want. The following example shows you can view all available risk ratings as well as the Third-party risk areas, Questionnaires, Document requests, Downstream supplier related lists, and more.
    Figure 3. Example of assessment record
    Risk ratings and associated background information available for an assessment record.
    You can view all associated ratings for a questionnaire by navigating to its Risk ratings list. After navigating to an assessment, select the questionnaire you want to view. The following example shows you can view all available risk ratings, risk scores, and more.
    Figure 4. Example of a questionnaire record
    Risk ratings and scores available in questionnaire record.