How Risk Scores Are Calculated for IT Compliance
Agentforce IT Service calculates two scores for every risk—an inherent score that reflects raw severity before any safeguards, and a residual score that shows what remains after mapped controls are factored in. Both scores are calculated automatically by the Business Rules Engine using the active risk scoring expression set.
Required Editions
| Available in: Lightning Experience |
| Available in: Enterprise, Performance, and Unlimited Editions with Agentforce IT Service. |
Scores give your compliance team an objective, repeatable way to compare threats across business units, products, and IT assets. Instead of relying on subjective judgment, the scoring formula turns stakeholder survey ratings into numbers your team can track, trend, and act on.
The Two Scores on Every Risk
Each risk carries two scores that update automatically based on different changes to your environment.
- Inherent risk score: The severity of the risk before any controls are considered. It answers the question: how bad is this threat on its own? Use it to prioritize which risks need the most attention, regardless of the safeguards already in place.
- Residual risk score: The severity that remains after the controls mapped to the risk are factored in. It answers the question: how much exposure remains after everything your team is doing to manage the risk? Use it to decide whether current safeguards are sufficient or whether further treatment is needed.
Both scores are numeric values. A decision table in the expression set maps each number to a severity band—such as Low, Medium, High, or Critical—that appears on risk records, dashboards, and the Risk Heat Map.
How the Expression Set Reads Your Risk Data
The Business Rules Engine doesn't read record fields directly. Instead, it uses a context definition, a structured mapping that tells the expression set exactly which fields to read from which records, and which fields to write the results back to.
The default risk scoring context definition connects three types of records to the expression set.
| Record type | What the expression set reads (Input) | What the expression set writes (Output) |
|---|---|---|
| Risk Evaluation | ImpactNumber—the numeric impact rating collected from stakeholder surveys. LikelihoodNumber—the numeric likelihood rating collected from stakeholder surveys. | InherentRiskScore—the calculated inherent score, written back to the Risk Evaluation record. ResidualRiskScore—the calculated residual score, written back to the Risk Evaluation record. |
| Control Version (one row per mapped control) | EffectivenessRatingNumber—the numeric effectiveness rating assigned to the control version. ControlWeightPercentage—the weight assigned to the control, which determines how much influence it has on the residual score relative to other mapped controls. | WeightedEffectivenessValue—the per-control weighted score, calculated as effectiveness multiplied by weight. This intermediate value feeds the residual score formula. |
| Risk | Risk metadata that provides context for the evaluation, such as the risk category and owner. | No output written directly to the Risk record by the default formula. |
Attributes marked as input-only are read by the expression set but never overwritten. Attributes marked as input-output can be both read and updated, which is how the expression set writes the final scores back to the evaluation record.
How Inherent Risk Score Is Calculated
The inherent score is calculated first, before controls are considered. The default formula multiplies the two ratings that stakeholders provide on the Risk Assessment survey.
Inherent Risk Score = Likelihood × Impact
For example, if stakeholders rate a risk as Likelihood 4 out of 5 and Impact 5 out of 5, the inherent score is 20. The decision table then maps 20 to the Critical severity band.
The expression set writes this result to the Inherent Risk Score field on the Risk Evaluation record as an output.
How Residual Risk Score Is Calculated
The residual score starts from the inherent score and reduces it based on the collective effectiveness of the controls mapped to the risk. The default formula runs in four steps.
| Sequence | Step | Explanation |
|---|---|---|
| 1 | Calculate a weighted effectiveness value for each control | For every control version mapped to the risk, the expression set multiplies the control's effectiveness rating by its assigned weight percentage. This produces a weighted contribution value for that control. |
| 2 | Add the weighted values across all controls | The expression set adds up the weighted contribution values from all mapped controls to get a total weighted effectiveness score. |
| 3 | Calculate the average weighted effectiveness | The expression set divides the total weighted effectiveness by the sum of all control weight percentages. This produces a single average figure that represents how well the combined set of controls is reducing the risk. |
| 4 | Apply the residual formula | The expression set applies the average weighted effectiveness as a reduction factor to the inherent score: Residual Risk Score = Inherent Risk Score × (1 − Average Weighted Control Effectiveness ÷ 100) |
A higher average control effectiveness means a larger reduction and a lower residual score. If no controls are mapped, the average effectiveness is zero, and the residual score equals the inherent score. Two consequences of the formula are worth checking before you rely on the number. First, effectiveness ratings are treated as percentages: the ÷ 100 in step 4 means an average effectiveness of 100 drives the residual score to zero, which is one reason a custom expression set may add a minimum residual score floor. Second, the average in step 3 is normalized by the weights of the controls that are mapped at the time of calculation. A mapped control rated as ineffective pulls the average down, whereas unmapping that same control removes its weight from the denominator and can leave the residual score lower than when the ineffective control was still counted. Decide which of the two your team means when a control lapses, and record it consistently.
Customizing the Scoring Formula
Agentforce IT Service provides a default risk scoring expression set so your team can start scoring risks as soon as Risk Management is activated. An admin activates the default expression set during setup.
The default expression set is a starting point, not a constraint. If your organization needs a different scoring methodology—for example, weighting financial risks more heavily than operational ones, or using a 1-to-10 scale instead of 1-to-5—an admin can clone the default expression set in the Business Rules Engine and modify the formulas.
Custom expression sets can use different weights, add additional logic for ineffective controls, or introduce a minimum residual score floor. When the custom version is activated, all evaluations use the updated logic.
How Scores Recalculate Automatically
Scores are dynamically refreshed as conditions change.
- When a Risk Assessment survey reaches its response threshold, the Business Rules Engine recalculates likelihood and impact on the parent evaluation, and the inherent score is updated.
- When a control is mapped to or unmapped from the risk, the residual score recalculates to reflect the new set of safeguards.
- When a treatment plan completes and new controls are mapped to the risk, the residual score updates to reflect the improved posture.
- When Continuous Risk Monitoring is on, the background agent watches for changes—such as a control becoming ineffective or a new scope being added—and triggers a fresh evaluation when scores may have shifted.
How Scores Are Tracked
- Each Risk record's details page shows both the inherent and residual scores, along with the trend across past evaluations.
- Each Risk Evaluation record shows the scores produced by that specific evaluation cycle.
- The Risk Heat Map plots every risk on a likelihood-by-impact grid, using the inherent scores to position risks so leadership can see severity at a glance.
Example: Scoring a Phishing Attack Risk at Cumulus Bank
The compliance team at Cumulus Bank registers a Phishing Attack risk for the North America Sales business unit and runs a Q1 evaluation. Here is how the numbers flow through the expression set.
Step 1: Collect survey ratings. Stakeholders respond to the Risk Assessment survey. The aggregated ratings come back as Likelihood 4 and Impact 5.
Step 2: Calculate the inherent score. The expression set reads LikelihoodNumber (4) and ImpactNumber (5) from the Risk Evaluation record and multiplies them. Inherent Risk Score = 4 × 5 = 20. The expression set writes 20 to the InherentRiskScore field. The decision table maps 20 to Critical.
Step 3: Calculate weighted effectiveness for each mapped control. The compliance team has mapped three controls to the risk.
| Control | Effectiveness rating | Weight (%) | Weighted effectiveness |
|---|---|---|---|
| Hardware-key MFA | 60 | 40 | 2,400 |
| Email security gateway | 65 | 35 | 2,275 |
| Phishing awareness program | 50 | 25 | 1,250 |
| Totals | — | 100 | 5,925 |
Step 4: Calculate average weighted effectiveness. Sum of weighted effectiveness (5,925) ÷ Sum of control weights (100) = Average weighted effectiveness of 59.25.
Step 5: Calculate the residual score. Residual Risk Score = 20 × (1 − 59.25 ÷ 100) = 20 × 0.4075 = 8.15, rounded to 8. The expression set writes 8 to the ResidualRiskScore field. The decision table maps 8 to Medium.
The result tells leadership that while the phishing threat is inherently Critical, the existing controls have brought the residual exposure down to Medium. The risk is still actively monitored, and any change to a control's effectiveness—such as the phishing awareness program lapsing—triggers a recalculation that could push the residual score back up.
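The default formula as a stand-alone Python model, added here as an example; it is not Agentforce IT Service or Business Rules Engine code, and its functions are hypothetical rather than platform APIs. It mirrors the context definition attribute names from this page, assumes a decision table with bands Low 1 to 5, Medium 6 to 10, High 11 to 15 and Critical 16 to 25 (the page only shows that 20 maps to Critical and 8 to Medium), and uses the Cumulus Bank figures as constructed sample input. It also goes beyond the Q1 walkthrough: it handles an evaluation with no mapped controls, an optional residual floor of the kind a custom expression set can add, and the difference between rating a lapsed control at zero and unmapping it.

```python
"""Stand-alone model of the default risk scoring expression set.

Added example, not Agentforce IT Service / Business Rules Engine code.
Assumptions: the severity bands are invented for illustration, the functions
are hypothetical, and the sample controls are constructed from the Cumulus
Bank example on this page."""
from dataclasses import dataclass, replace
from typing import Optional, Sequence


@dataclass(frozen=True)
class ControlVersion:
    """One mapped Control Version row as read through the context definition."""
    name: str
    effectiveness_rating: float   # EffectivenessRatingNumber, a 0-100 percentage
    weight_percentage: float      # ControlWeightPercentage, relative weight


# Assumed decision table (not from the page): (inclusive upper bound, band).
SEVERITY_BANDS = ((5, "Low"), (10, "Medium"), (15, "High"), (25, "Critical"))


def severity_band(score: float) -> str:
    """Map a numeric score to its band, as the decision table would."""
    for upper, band in SEVERITY_BANDS:
        if score <= upper:
            return band
    raise ValueError(f"score {score} is outside the 1-to-5 x 1-to-5 range")


def inherent_risk_score(likelihood: int, impact: int) -> int:
    """Inherent Risk Score = Likelihood x Impact on the 1-to-5 survey scale."""
    for field, value in (("LikelihoodNumber", likelihood), ("ImpactNumber", impact)):
        if not 1 <= value <= 5:
            raise ValueError(f"{field} must be on the 1-to-5 scale, got {value}")
    return likelihood * impact


def weighted_effectiveness_value(control: ControlVersion) -> float:
    """Step 1: WeightedEffectivenessValue = effectiveness x weight."""
    if not 0 <= control.effectiveness_rating <= 100:
        raise ValueError(f"{control.name}: effectiveness must be 0-100")
    if control.weight_percentage < 0:
        raise ValueError(f"{control.name}: weight must not be negative")
    return control.effectiveness_rating * control.weight_percentage


def average_weighted_effectiveness(controls: Sequence[ControlVersion]) -> float:
    """Steps 2-3: sum the weighted values and divide by the sum of weights.

    The denominator is the weight of the controls mapped right now, so the
    result is the same whether or not the weights total 100. With no mapped
    controls (or only zero weights) there is no reduction at all."""
    total_weight = sum(c.weight_percentage for c in controls)
    if total_weight == 0:
        return 0.0
    return sum(weighted_effectiveness_value(c) for c in controls) / total_weight


def residual_risk_score(inherent: int, controls: Sequence[ControlVersion],
                        floor: Optional[int] = None) -> int:
    """Step 4: Residual = Inherent x (1 - average effectiveness / 100).

    `floor` models the optional minimum residual score a custom expression set
    can add; the default formula has none, so 100% effectiveness yields 0.
    The page rounds 8.15 to 8 but states no rule for exact halves; Python's
    round() uses banker's rounding there."""
    residual = inherent * (1 - average_weighted_effectiveness(controls) / 100)
    if floor is not None:
        residual = max(residual, floor)
    return round(residual)


def score_evaluation(likelihood: int, impact: int,
                     controls: Sequence[ControlVersion],
                     floor: Optional[int] = None) -> dict:
    """Produce the two output attributes and their bands for one evaluation."""
    inherent = inherent_risk_score(likelihood, impact)
    residual = residual_risk_score(inherent, controls, floor)
    return {"InherentRiskScore": inherent, "InherentBand": severity_band(inherent),
            "ResidualRiskScore": residual, "ResidualBand": severity_band(residual)}


def rerate(controls: Sequence[ControlVersion], name: str, rating: float) -> list:
    """Return the control set with one control's effectiveness rating changed."""
    return [replace(c, effectiveness_rating=rating) if c.name == name else c
            for c in controls]


# Constructed sample input: the Cumulus Bank phishing risk from this page.
CUMULUS_CONTROLS = [
    ControlVersion("Hardware-key MFA", 60, 40),
    ControlVersion("Email security gateway", 65, 35),
    ControlVersion("Phishing awareness program", 50, 25),
]

if __name__ == "__main__":
    print("Q1 evaluation:", score_evaluation(4, 5, CUMULUS_CONTROLS))
    print("no controls mapped:", score_evaluation(4, 5, []))
    lapsed = rerate(CUMULUS_CONTROLS, "Phishing awareness program", 0)
    print("awareness program rated 0:", score_evaluation(4, 5, lapsed))
    unmapped = [c for c in CUMULUS_CONTROLS if c.name != "Phishing awareness program"]
    print("awareness program unmapped:", score_evaluation(4, 5, unmapped))
```

Running the script reproduces the Q1 result (inherent 20, residual 8) and then shows why the lapse scenario needs a policy: with the awareness program still mapped but rated 0, the average effectiveness falls to 46.75 and the residual score rises to 11, whereas unmapping the same control renormalizes the remaining weights to 75 and leaves the residual at 8. Both are valid readings of "the program lapsed", but they land in different severity bands under the assumed decision table.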