Skip to main content

Understanding questionnaire calculations

This article explains answer scoring, total scoring, and vendor risk scoring.

Individual answer scoring

Individual answer scoring is based on how much each answer is worth as determined by the author of the questionnaire. For answers without points, the points default to 'Not set'. Note that scoring is not yet available for the following question types: single-select with explanation, multi-select with explanation, open-text, and proof upload.

  • Default - Not set

  • Scores for single-select questions must be between 0 and 1, inclusive—e.g. 0, .5, 1. Scores cannot be higher than 1.

    Sum = Score of response

    Example - 1 (the user selected an answer worth 1 point)

  • Scores for multi-select questions can be additive up to 1, e.g. .2, .2, .3, .3. An error is shown if the values add up to more than 1.

    Sum = Score of selected responses

    Example - .2 + .3 = .5 (the user selected an answer worth .2 points and an answer worth .3 points)

Total scoring

The total possible score is calculated based on the highest theoretical score, i.e. the summarized weights.

Example

A questionnaire has 10 single-select YES/NO questions. Each 'no' answer is worth .5 points and each 'yes' answer is worth 1 point. Each question weight is 5.

5 * 10 = 50 (this is the total possible score)

The total actual score is calculated as the the question weight * the answer value.

Example

Using the example above, a respondent answered 'no' to 3 questions and 'yes' to 7 questions. Each question weight is 5.

1 * 7 * 5 = 35 (questions answered 'yes')

.5 * 3 * 5 = 7.5 (questions answered 'no')

35 + 7.5 = 42.5 (this is the total actual score out of 50)

Calculating vendor risk

Vendor risk is an umbrella term that covers a wide range of risks your organization may face due to relationships with third-party vendors and the services they provide. Hyperproof focuses on two areas of vendor risk:

  • Risk level - The overall level of risk a vendor poses to your organization.

  • Assessed risk - This is directly related to how a vendor answers a questionnaire. The lower a vendor scores on a questionnaire, the higher the assessed risk level. It cannot be edited.

Tip

Think of the risk level as the residual risk and the assessed risk as the inherent risk. The risk level is only impacted when linked controls are mitigated. If there are no mitigated controls, the risk level and the assessed risk remain the same.

Risk level

The risk level is calculated from the latest questionnaire risk and the mitigation of linked controls. It can be overwritten in the event that your organization's risk mapping differs from the default Hyperproof risk map (shown below).

Assessed risk

The most recent questionnaire score determines the assessed risk. If the most recent questionnaire does not have any risk associated, it does not affect the assessed risk, i.e. the assessed risk stays at 'Not set' OR retains the preceding questionnaire risk score, whichever is applicable.

The assessed risk is calculated as the total question score divided by the total question weight. It is displayed according to the following scale:

  • Very low - 90-100%

  • Low - 70-90%

  • Moderate - 30-70%

  • High - 10-30%

  • Very high - 0-10%

Mitigation

Vendor health