Skip to content

Scoring Methodology

Mitch‑Risk uses a three‑layer risk model: inherent risk (before any assessment), assessment scoring (the vendor's answers to your questionnaire), and residual risk (what remains after you account for compensating controls). Together they tell a complete story about each vendor in your portfolio.

Inherent Risk

Inherent risk is a pre-assessment estimate of the risk a vendor introduces purely by virtue of who they are and what data they touch. It is computed from static vendor attributes the moment the vendor record is created — before any questionnaire is sent.

Inherent Risk Factors

FactorValuesNotes
Vendor tierCRITICAL, HIGH, MEDIUM, LOWHow important or integrated this vendor is to your business
Data sensitivityRESTRICTED, CONFIDENTIAL, INTERNAL, PUBLICThe highest classification of data the vendor handles
Contract value$0–$50K, $50K–$250K, $250K–$1M, $1M–$5M, $5M+Financial exposure — larger contracts mean more reliance
Geographic riskGLOBAL, HIGH_RISK_JURISDICTION, REGIONAL, DOMESTICWhere the vendor operates or stores data

Inherent Risk Formula

Each factor maps to a 0–1 scale:

TierWeightData SensitivityWeight
CRITICAL1.0RESTRICTED1.0
HIGH0.75CONFIDENTIAL0.75
MEDIUM0.5INTERNAL0.5
LOW0.25PUBLIC0.25
inherentRisk = (tierWeight + sensitivityWeight) / 2

Contract value and geographic risk shift the score by up to ±0.15:

  • Contract value over $1M adds up to +0.10
  • Contract value between $250K–$1M adds up to +0.05
  • High-risk jurisdiction adds +0.10
  • Global or regional scope adds +0.05
  • Domestic-only reduces by −0.05

The resulting value is clamped to the 0–1 range.

Interpreting Inherent Risk

ScoreLabelWhat it means
0.75–1.0CriticalCore vendor, highly sensitive data — asses immediately and frequently
0.50–0.74HighImportant vendor, significant exposure — needs regular assessment
0.25–0.49MediumModerate reliance — standard due diligence cycle
0.00–0.24LowMinimal exposure — lighter assessment cadence

Inherent risk is displayed on the vendor detail page alongside the residual score. The gap between the two — an inherent risk of 0.85 dropping to a residual of 0.42 — is the value your assessment and controls program delivers.

Assessment Scoring (Weighted Score)

When a vendor completes a questionnaire and a reviewer finalizes it, the scoring engine computes a compliance score from every auto-scorable answer. This is the residual risk — risk that remains after the vendor's actual controls are evaluated.

Step 1: Exclude Unscorable Question Types

Seven question types are not auto-scored because they lack a machine-evaluable "right answer":

TypeReason
FREE_TEXTOpen-ended — needs human review
FILE_UPLOADEvidence files — needs human review
DATEContext-dependent — no single "correct" date
URLContext-dependent
EMAILContext-dependent

These questions return a null compliance status and do not contribute to the score numerator or denominator. They must be reviewed manually by staff, who may create a manual finding if the answer is unsatisfactory.

Step 2: Exclude N/A Responses

If the vendor marks a question Not Applicable (because it genuinely does not apply to their service), it is excluded from both the numerator and denominator of the score. This prevents irrelevant questions from unfairly dragging down a vendor's score.

The platform default is to exclude N/A responses. You can change this to treat N/A as non-compliant in Settings → Scoring.

Step 3: Compare Each Response Against Its Expected Answer

For each remaining (auto-scorable, not-N/A) response, the engine compares the vendor's answer to the expected answer defined on the question:

Question TypeComparison
YES_NO"YES" === "YES" → compliant
MULTIPLE_CHOICE"Option A" === "Option A" → compliant
NUMERIC256 === 256 → compliant (uses numeric coercion — "256" works)
RATINGSame as Numeric
COMBOBOX"ISO 27001" === "ISO 27001" → compliant
MULTI_SELECT["A","B"] === ["A","B"] → compliant (sorted, exact match, same length)
CHECKBOXtrue === true → compliant (boolean parsing: "yes", "on", "1", "checked" all parse to true)

A null answer (unanswered) is always non-compliant.

Step 4: Apply the Risk Weight

Each question carries a risk weight that determines how much it contributes to the score:

Risk WeightDefault ValueDescription
CRITICAL10Essential control — failure represents high risk (e.g., "Does the vendor encrypt data at rest?")
HIGH6Important control with significant security impact (e.g., "Does the vendor perform penetration testing?")
MEDIUM3Standard due diligence question (e.g., "Does the vendor have a change management process?")
LOW1Supplementary or nice-to-have (e.g., "Does the vendor publish a transparency report?")

Weight values are configurable in Settings → Scoring.

For each response:

  • Compliant → earns the full risk weight (weightedScore = weight, maxScore = weight)
  • Non-compliant → earns zero (weightedScore = 0, maxScore = weight)

Step 5: The Weighted Score Formula

Total Score = sum(weightedScores) / sum(maxScores)

This produces a 0–1 ratio displayed as a percentage (0%–100%). A score of null means no scorable questions exist (all N/A or all unscorable types).

Worked Example

A 6-question assessment with questions weighted as shown below. The vendor answered questions 1-5; question 6 is an unscorable free text field (included here for illustration — it is excluded from the calculation).

#QuestionRisk WeightAnswerExpectedCompliant?WeightedMax
1Encrypt data at rest?CRITICAL (10)YesYes1010
2Penetration testing?HIGH (6)NoYes06
3MFA enforced?CRITICAL (10)YesYes1010
4Background checks?MEDIUM (3)NoYes03
5Not ApplicableLOW (1)N/A00
6Describe your IR planMEDIUM (3)free text00
Total Score = (10 + 0 + 10 + 0) / (10 + 6 + 10 + 3) = 20 / 29 = 0.690 = 69%
  • Question 5 is N/A — excluded from both numerator and denominator.
  • Question 6 is FREE_TEXT — unscorable, excluded from both numerator and denominator.
  • Questions 2 and 4 are non-compliant — they contribute 0 to the numerator but their full weight to the denominator, pulling the score down.
  • Result: 69% — Amber band.

RAG Classification

The computed score maps to a Red-Amber-Green band using configurable thresholds:

BandDefault ThresholdScore RangeMeaning
Green≥ 85%85%–100%Vendor meets expectations — low residual risk
Amber60%–84%60%–84%Partial compliance — gaps exist, monitor and follow up
Red< 60%0%–59%Significant gaps — action needed, findings require remediation
UnscoredNo auto-scorable questions answered

The thresholds are configurable. If you want stricter scoring, raise the green threshold to 90%. If you tolerate more risk, lower it to 80%.

RAG Colours

The visual colours for each band (--rag-green, --rag-amber, --rag-red) are configurable under Settings → Appearance. These are cosmetic only — they do not change the threshold logic. RAG colour tokens are used exclusively for score and compliance indicators; UI chrome (success/error states) uses separate semantic tokens.

Inherent Risk vs Residual Risk

The two scores appear together on every vendor detail page, telling a complete story:

┌─────────────────────────────────────────────────────────┐
│  INHERENT RISK (pre-assessment)    │  RESIDUAL (assessed)  │
│  ───────────────────────────────── │  ─────────────────── │
│  Based on who the vendor is and    │  Based on the vendor's │
│  what they handle                  │  actual answers        │
│                                    │                       │
│  Vendor Tier: CRITICAL    (1.00)   │  Assessment Score: 69% │
│  Data Sensitivity: RESTRICTED(1.00)│  Findings: 2 open      │
│  ───────────────────────────────── │                       │
│  Inherent: 87%                     │                       │
└─────────────────────────────────────────────────────────┘

How to read the gap:

  • Inherent 87% → Residual 69%: The vendor handles critical/restricted data but their controls have gaps. The residual score (69%, Amber) confirms that risk is partially mitigated but follow-up is needed. The 18-point gap is the "verified risk position" — it tells you exactly what your assessment uncovered.
  • Inherent 87% → Residual 92%: The vendor is inherently high-risk in profile but their actual controls are strong. The residual score (92%, Green) indicates the risk is well-managed.
  • Inherent 55% → Residual 55%: A medium-risk vendor with no completed assessments yet shares the inherent score as the best available estimate.

The residual score is only available after at least one assessment is completed (reviewer-finalized). Until then, the inherent risk is the primary risk indicator.

Findings Reconciliation

After scoring, the engine reconciles findings — the non-compliant answers that need attention:

Auto-Findings

For each non-compliant auto-scored response:

  • A Finding record is created (or updated if one already exists for that response)
  • Severity is derived from the question's risk weight (CRITICAL finding for a CRITICAL-weighted question, etc.)
  • Control codes are populated from the question's framework mappings (e.g., ISO 27001 A.5.3, SOC 2 CC6.1)
  • Title and description are populated from the question text and a standard message

Reconciliation Behaviour

When the scoring engine re-runs (vendor resubmits, reviewer finalizes after a send-back):

ScenarioBehaviour
Response was non-compliant, still non-compliantFinding upserted — status/resolution note preserved
Response was non-compliant, now compliantFinding deleted only if its status is OPEN
Response was non-compliant, now compliant, finding is RISK_ACCEPTED or REMEDIATEDFinding preserved — reviewer's decision stands
Response is newly non-compliantNew finding created with OPEN status
Manual finding (no responseId)Never touched by reconciliation

Key design decision: Once a reviewer accepts a risk or marks it as remediated, the engine will not re-open it. Only OPEN findings are automatically cleaned up when the underlying answer becomes compliant. This prevents the system from undoing deliberate reviewer decisions.

Manual Findings

Reviewers can create findings that are not tied to any auto-scored response:

  • Unscorable responses (free text, file uploads) that contain concerning content
  • Issues observed during review that are not question-specific
  • General observations about the vendor's posture

Manual findings have no responseId and are completely unaffected by scoring reconciliation — they persist until manually updated or deleted.

Vendor Aggregate Score

After each assessment is scored, the vendor's overallScore is recalculated as the average of all completed assessments for that vendor:

vendor.overallScore = avg(score of all COMPLETED assessments)
  • Only COMPLETED assessments contribute — drafts, in-progress, and submitted-but-unreviewed assessments are excluded
  • The lastAssessedAt timestamp is updated to the most recent submittedAt
  • If a vendor has no completed assessments, overallScore is null

This means the vendor's displayed score on the vendor list and dashboard reflects the most current residual risk picture across all questionnaires sent to that vendor.

Dashboard & Visualizations

The scoring system feeds multiple dashboard views:

ViewWhat it shows
Vendor listOverall score per vendor as RAG-colored percentage badge
Dashboard donutRAG distribution across all scored vendors (Green/Amber/Red/Unscored)
Dashboard barFindings broken down by severity (CRITICAL/HIGH/MEDIUM/LOW)
Risk by TierStacked RAG bars per vendor tier — see which tiers concentrate your risk
Vendor DetailInherent vs residual side-by-side, score history timeline, trend direction
Framework HeatmapPer-control compliance ratio with RAG-coloured indicators
Domain BreakdownCompliance percentage per domain (grouped from control→domain mappings)

Trend Direction

The vendor's score history is analysed with a linear regression to determine trend:

  • Up (slope > +0.005): Score improving over time — vendor is addressing findings
  • Stable (slope between ±0.005): No meaningful change
  • Down (slope < −0.005): Score deteriorating — may need escalation

Configurable Parameters

All scoring parameters are managed in-app under Settings → Scoring (requires Settings: manage permission):

ParameterDefaultRange
CRITICAL weight10Numeric (min 0)
HIGH weight6Numeric (min 0)
MEDIUM weight3Numeric (min 0)
LOW weight1Numeric (min 0)
Green threshold0.850–1
Amber threshold0.600–1
Exclude N/AEnabledToggle

RAG visual colours are configured separately under Settings → Appearance.

Scoring via the API

The REST API exposes scores and findings:

EndpointWhat it returns
GET /api/v1/vendorsList with overallScore per vendor
GET /api/v1/vendors/{id}Inherent risk score, residual score, assessment history
GET /api/v1/vendors/{id}/scoreCurrent score, trend, score history array
GET /api/v1/assessments/{id}Assessment score, per-response compliance, linked findings
GET /api/v1/dashboardRAG distribution (green/amber/red counts + percentages), average portfolio score, open findings by severity
GET /api/v1/findingsFilter by vendor, framework, severity, status

See the API Reference for full request/response schemas. The interactive Swagger UI at /docs provides live API documentation.

Summary

ConceptWhat it measuresHow it's computedWhen it updates
Inherent RiskPre-assessment risk from vendor profileWeighted average of tier + data sensitivity, adjusted by contract value and geographyOn vendor create/update
Assessment ScoreCompliance on a single questionnaireWeighted ratio of compliant answersOn assessment finalization
Residual RiskPost-assessment risk (the complement of the score)1 − assessmentScoreOn assessment finalization
Vendor Overall ScoreAverage compliance across all assessmentsMean of all completed assessment scoresOn each assessment finalization
FindingA specific non-compliant answer or observationAuto-generated per non-compliant response or manually createdOn assessment finalization
TrendDirection of score movement over timeLinear regression on score historyOn each assessment finalization

Open-source, self-hosted third party vendor risk management.