Back to Risk Management component
Capability RA.19

Risk Scoring Calibration

"Risk scoring is calibrated using quantitative (impact, frequency) and qualitative (intent, access) indicators."

This capability evaluates whether the organization has the ownership, process, evidence, methodology, and oversight needed to manage this area of insider-risk assessment.

Scope & Context

What This Capability Means

Risk Scoring Calibration assesses whether the organization has a defined, repeatable, and evidence-supported approach to this risk-assessment capability. This includes the methodology, roles, workflows, data sources, risk artifacts, documentation practices, stakeholder inputs, and oversight needed to make the capability operational.

Strategic Importance

Why This Capability Matters

This capability matters because insider-risk programs need more than activity; they need a defensible way to identify exposure, compare priorities, and decide what to fix next. Weaknesses can create blind spots in Risk Prioritization & Scoring, Insider Risk & Trust, Governance & Oversight, inconsistent residual-risk decisions, delayed investment, and weak executive evidence. A mature capability helps the organization move from informal concern to repeatable, risk-informed assessment and action.

AI & Automation Context

AI can help identify patterns and normalize evidence, but assessment scoring should remain governed, calibrated, reviewable, and explainable. The public framework should not expose RiskTKO® scoring formulas, weighting logic, or model relationships.

Capability Assessment

Weakness vs. Maturity Indicators

Signs of Weak Capability
  • Technology or scoring is used without clear governance, evidence quality review, calibration, or explainable decision support.
  • Risk assessment is informal, undocumented, or dependent on individual judgment.
  • Scope, ownership, cadence, criteria, and evidence expectations are unclear.
  • Assets, users, threats, vulnerabilities, impacts, and controls are assessed in isolation.
  • Residual risk decisions are not clearly documented, accepted, assigned, or reviewed.
  • Assessment outputs do not consistently drive risk register updates, roadmap actions, or resource decisions.
  • AI-enabled workflows, AI-use expectations, or AI-assisted threat patterns are not reflected in assessment practices.
Signs of Mature Capability
  • Formal model weighting impact, likelihood, intent, access-level, trust violation.
  • Calibration uses incident data and red-team outcomes at least yearly.
  • Scores drive mitigation priorities, not just ranking; weighting rationale documented.
  • The capability has a named owner, documented methodology, defined evidence expectations, and clear governance support.
  • Assessments connect assets, users, threats, vulnerabilities, impacts, controls, residual risk, and business-owner decisions.
  • Assessment results are reviewed by appropriate stakeholders across Security, HR, Legal, Privacy, IT, business units, and executive risk governance.
  • Outputs are connected to risk register items, prioritized recommendations, roadmap actions, and control improvements.
Governance Guidance

Questions Leaders Should Ask

Question 1

Who owns RA.19, and do they have authority to define scope, evidence, cadence, and escalation?

Question 2

Which assets, users, insider pathways, business processes, and third parties are in scope?

Question 3

How are threat, vulnerability, impact, control effectiveness, and residual risk connected?

Question 4

What evidence shows this assessment practice is operating, reviewed, and kept current?

Question 5

How are AI-enabled workflows, AI-use expectations, and AI-assisted threat patterns reflected in the assessment?

Question 6

How do results drive risk register updates, roadmap actions, funding decisions, and executive reporting?

Defensible Program Artifacts

Evidence Examples

Evidence Type

Risk assessment methodology and scope statement

Evidence Type

Insider-risk strategy or program procedures

Evidence Type

Asset inventory and critical asset classification records

Evidence Type

Risk register entries and exposure narratives

Evidence Type

Threat, vulnerability, impact, and control-effectiveness inputs

Evidence Type

Business-owner reviews, risk decisions, and residual-risk acceptance records

Evidence Type

Assessment reports, heat maps, dashboards, or executive summaries

Evidence Type

Roadmap actions, milestones, and control-enhancement records

Evidence Type

Version history, review logs, and triggering-event update records

Evidence Type

Tool configuration summaries, scoring calibration notes, data-quality reviews, and human review records

Regulatory Context

Mapped Standards and Framework References

Standard / Framework ReferenceHow It Relates to This Capability
NIST 800-53 (RA-3, RA-5, RA-7), ISO 27002 (6.1.1, 6.1.2, 6.1.3)Reference mapping for RA.19; validate applicability based on assets, workforce, legal, privacy, data, AI-use, and operational context.
Standards mappings are provided for reference only. Organizations should validate applicability based on their regulatory environment, workforce locations, data types, internal policies, and legal obligations.
RiskTKO® Bridge

How RiskTKO® Operationalizes This Capability

Assessment evidence

Methodology, scope, asset records, risk inputs, control reviews, scoring records, stakeholder decisions, workflows, or documents used to evaluate current capability.

Risk evidence

Risk register items or exposure narratives connected to asset priority, threat conditions, vulnerability gaps, residual risk, AI-enabled workflows, or control effectiveness.

Roadmap evidence

Recommended actions, owners, milestones, dependencies, control improvements, reassessment cycles, and completion status.

Executive evidence

Summaries showing current state, priority exposure, progress, remaining gaps, risk decisions, and risk reduction over time.

Assess, Prioritize, and Report with RiskTKO®

Protecting proprietary logic (scoring, weightings, and roadmap generation formulas) remains inside the software layer. RiskTKO® provides your team with the complete operational dashboard to evaluate this capability, document evidence, track actions, and deliver clean, executive-ready maturity metrics.