Skip to content

Scoring Configuration

Scoring weights and RAG thresholds are configurable under Settings → Scoring (requires Settings: manage permission).

For a complete walkthrough of the scoring methodology — including inherent risk, worked examples, findings reconciliation, and the relationship between inherent and residual risk — see the Scoring Methodology guide.

Risk weights

Each question carries a risk weight that determines its impact on the overall assessment score:

WeightDefaultWhen to use
Critical10Answer would be deal-breaking if non-compliant
High6Core security or compliance requirements
Medium3Standard due diligence questions
Low1Supplementary or nice-to-have questions

RAG thresholds

The overall score maps to a red-amber-green band:

BandDefaultMeaning
Green≥ 85%Vendor meets expectations
Amber60% – 84%Some gaps — monitor closely
Red< 60%Significant risks — action needed
UnscorednullNo scorable questions answered

Thresholds are configurable — e.g. if you want stricter scoring, raise the green threshold to 90%.

Formula

For each response:
  if N/A → excluded from score
  if answer matches expected → contributes full risk weight
  if answer does not match → contributes 0, generates a finding
  if unscorable (Free Text, File Upload, etc.) → excluded

Total Score = sum(weighted scores) / sum(max scores)
              (0.0 – 1.0 ratio)

Excluding N/A responses

By default, questions answered "Not Applicable" are excluded from the score denominator. This behaviour is configurable — you can include N/A responses as non-compliant instead, which would lower the score.

RAG colours

The visual colours for each band are configurable under Settings → Appearance. These are cosmetic only — they don't affect the threshold logic.

RAG colour tokens (--rag-green, --rag-amber, --rag-red) are only for score/compliance indicators. UI chrome like success/error badges uses separate semantic tokens (--success, --destructive).

Open-source, self-hosted third party vendor risk management.