Sample calculations

You can use the sample calculations as delivered or modify them to meet your requirements. They can also be used as templates and learning tools for your own calculations.

The sample calculations are enabled in fresh installations. Depending on the assessment method selected during the installation process, either the Quantitative Risk Rating and Quantitative Audit Risk Rating calculations or the Qualitative Risk Rating and Qualitative Audit Risk Rating calculations are enabled.

The following sample calculations are included in OpenPages®:
  • Loss Event

    Calculates the Net Loss, Recovery Amount, Gross Loss, and Estimated Gross Loss based on the underlying Loss Impact and Loss Recovery. If the sum of Actual Loss is 0, it uses the Estimated Gross loss.

  • Qualitative Audit Risk Rating

    Automatically calculates the Qualitative Audit Inherent Risk Rating and Qualitative Audit Residual Risk Rating based on defined registry keys and preference objects.

  • Qualitative Risk Rating

    Automatically calculates the Qualitative Inherent Risk Rating and Qualitative Residual Risk Rating based on defined registry keys and preference objects.

  • Quantitative Audit Risk Rating

    Automatically calculates the Quantitative Audit Inherent Risk Rating and Quantitative Audit Residual Risk Rating based on defined registry keys and preference objects.

  • Quantitative Risk Rating

    Automatically calculates the Quantitative Inherent Risk Rating and Quantitative Residual Risk Rating based on defined registry keys and preference objects.

  • Resource CIA

    Calculates the resource criticality based on the high water mark for CIA.

  • TPRM Supply Wisdom Trend

    Calculates the overall risk rating of a vendor, based on the quarterly scores from Supply Wisdom. Compares the current overall risk rating with the ratings from previous quarters to determine the trend.

KRI and KPI calculations

These KRI and KPI calculations are used by multiple solutions.
  • KRIValue – Increasing, KRIValue – Decreasing

    These automatic calculations apply to KRI Values with a parent KRI in an Active status, with separate calculations applied depending on whether the parent KRI’s Direction Information field is set as Increase means greater risk or Decrease means greater risk. The calculation identifies the Yellow Threshold, Red Threshold, and Direction Information from the parent KRI and sets these fields on the KRI Value. The calculation sets the Breach Status on the KRI Value based on the Value field input on the KRI Value record compared against the Yellow and Red Thresholds.

  • KRI Increase, KRI Decrease

    These automatic calculations apply to KRIs in an Active status, with separate calculations applied depending on whether the Direction Information field is set to Increase means greater risk or Decrease means greater risk. The calculation brings in the Value fields from KRI Values in a Collected Collection Status that are related to the KRI. The calculation sorts the values in descending order by Value Date and compares the two latest values. The calculation then sets the Indicator Trend field on the KRI by comparing the two values that are latest in time. It then sets the Value field on the KRI based on the Value from the KRI Value with the latest in time Value Date and uses this same input for determining Breach Status of the KRI by comparing the Value against the Yellow and Red Thresholds on the KRI.

  • KRI Next Collection Date

    This automatic calculation applies to KRIs in an Active status. The calculation sets the Next Collection Date by adding days to the KRI Next Collection Date based on the Frequency field on the KRI and the Expected Collection Date on the related KRI Values.

  • KRI

    This automatic calculation sets the latest Value Date from a KRI Value to the parent KRI. The calculation also sets the KRI Collection Status based on the Collection Status of the KRI Value with the most recent Value Date.

  • KPI calculations
    The following calculations are related to the KPI and KPI Value objects and are similar to the KRI and KRI Value calculations:
    • KPI
    • KPI – Decrease
    • KPI – Increase
    • KPI Next Collection Date
    • KPIValue – Decreasing
    • KPIValue – Increasing

IBM OpenPages Operational Risk Management (ORM) calculations

These calculations determine the next testing due date if a control test occurs on a scheduled basis and bring in the latest Test Result information to the parent Test Plan object.

  • Test Plan

    This automatic calculation sets the latest Performed Date from a Test Result to the parent Test Plan. The calculation also sets the Test Plan Status based on the child Test Result Status with the most recent Performed Date. The calculation sorts the Test Result values in descending order by Performed Date and compares the two latest Results. The calculation then sets the Trend field on the Test Plan by comparing the two Results that are latest in time.

  • Testing Due Date

    Description: This automatic calculation sets the Test Plan Due Date by adding days to the last Test Result Due Date based on the Frequency field on the Test Plan (daily, weekly, monthly, or annually) and the Expected Start Date of the Test Plan.

IBM OpenPages Business Continuity Management (BCM) calculations

Business impact analysis
  • BIA Time-Based Impact
    This automatic calculation does the following operations:
    1. Establishes a weight for each impact assessment (Financial, Legal/Regulatory, Reputational, and Operational)
    2. Converts the enum value to a numeric value (Devastating = 5; Severe = 4, Significant = 3, Moderate = 2; Minor = 1) for each time period assessed (at 24 hours, at 3 days, at 7 days, after 7 days)
    3. Sets the Impact Score for each impact assessment by adding the converted enum values and multiplying by the weight provided
    4. Sets an overall Impact Score by adding all impact assessment scores
    5. Sets the Calculated MAO and Calculated Impact Tier based on the overall impact score.
  • BIA Peak Period Quarter Scoring

    This automatic calculation scores each enum selection (High = 3, Elevated = 2, Normal = 1) and sets the corresponding quarter to High, Medium, or Low based on the selection for the months within that quarter. If the combined score of the three months of the quarter is greater than or equal to 8, then High is selected; if the score is between 7 and 5, then Elevated is selected; and if 3 or 4, then Normal is selected.

  • Business Continuity BIA Scoring

    Determines Impact Score by using requirements, financial, and reputation impacts. Uses Impact Score to determine Impact Tier and Maximum Acceptable Outage.

    This calculation is disabled by default. The BIA Time-Based Impact calculation replaces the Business Continuity BIA Scoring calculation.

  • BIA – Breach Status
    This automatic calculation takes into account the Breach Status of all child KPIs that are mapped to the Business Impact Analysis record. The calculation counts each such KPI Breach Status and sets the KPI Tolerance Breach Status field on the Business Impact Analysis object.
    • If the calculation identifies at least one KPI Breach Status of Red, then the KPI Breach Status is set to Red.
    • If the calculation identifies no related KPIs with a Breach Status of Red and at least one Yellow, the BIA’s KPI Breach Status is set to Yellow.
    • If the calculation identifies no related KPIs with a Breach Status of Red or Yellow and at least one KPI with a Breach Status of Green, the BIA’s KPI Breach Status is set to Green.
    • If a related KPI’s Breach Status does not equal Red, Yellow, or Green, then the BIA KPI Breach Status field is set to Not Applicable.

    The Red and Yellow values for KPI Breach Status are displayed on the BCM Master Dashboard to identify BIAs that might require an update based on the performance that is measured by the mapped KPIs.

Pushing and comparing BIA metrics
  • Process-BCM

    This calculation is an automatic calculation that sets the Impact Tier, Impact Score, RTO, RPO, and MAO fields on the Process based on the most critical metrics established on a child BIA.

    The calculation uses the fields that are set as part of the last stage of the Initial Business Impact Assessment and Recurring BIA Review workflows to ensure that only fields that are fully approved within the BIA are used to set fields on a related Process.

    This calculation sets the Impact Tolerance Duration field from a parent Business Service that is classified as an Important Business Service onto the Process.

    This calculation also sets the RTO Alignment Warning and RPO Alignment Warning field value to Warning on the Process object, if certain conditions are met. The RTO Alignment Warning field value of Warning is set when a fully approved Impact Tolerance (from a related Business Service) is less than the Recovery Time Objective or Recovery Time or when Recovery Time exceeds the Recovery Time Objective. The RPO Alignment Warning field value of Warning is set when the Recovery Point Objective is less than Recovery Point.

  • Resource-BCM

    This automatic calculation sets and compares fields that derive from a parent Process. The calculation sets the Impact Tier, Impact Score, Process Recovery Time Objective, Process Recovery Point Objective, and MAO fields from the Process with the most critical metrics on the Asset (Resource) object. This calculation sets the RTO Alignment Warning and RPO Alignment Warning field values to Warning on the Asset object, if certain conditions are met. The RTO Alignment Warning field value of Warning is set when the Process Recovery Time Objective is less than the Resource Recovery Time Objective or Recovery Time or when Recovery Time exceeds Resource Recovery Time Objective. The RPO Alignment Warning field value of Warning is set when the Process Recovery Point Objective is less than the Resource Recovery Point Objective or Recovery Point or when Recovery Point exceeds Resource Recovery Point Objective.

  • Vendor-BCM

    This automatic calculation sets and compares fields that derive from a parent Process. The calculation sets the Impact Tier, Impact Score, Process Recovery Time Objective, Process Recovery Point Objective, and MAO fields from the Process with the most critical metrics on the Vendor object. This calculation sets the RTO Alignment Warning and RPO Alignment Warning field values to Warning on the Vendor object, if certain conditions are met. The RTO Alignment Warning field value ofWarning is set when the Process Recovery Time Objective is less than the Vendor Recovery Time Objective or Recovery Time or when Recovery Time exceeds Vendor Recovery Time Objective. The RPO Alignment Warning field value of Warning is set when the Process Recovery Point Objective is less than the Vendor Recovery Point Objective or Recovery Point or when Recovery Point exceeds Vendor Recovery Point Objective.

Operational resiliency
  • KRI - Impact Tolerance Metric

    This automatic calculation sets the value of Impact Tolerance Metric to Yes for any KRI that has a parent Business Service that is classified as an Important Business Service.

  • Process – Impact Tolerance Breach Status

    This automatic calculation takes into account the Breach Status of all KRIs related to the Process where Impact Tolerance Metric = Yes. The calculation counts each such KRI Breach Status and sets the Impact Tolerance Breach Status field on the Process. If the calculation identifies at least one KRI Breach Status of Red, then the Process Impact Tolerance Breach status is set to Red. If the calculation identifies no related KRIs with a Breach Status of Red and at least one Yellow, the Process Impact Tolerance Breach Status is set to Yellow. If the calculation identifies no related KRIs with a Breach Status of Red or Yellow and at least one with a Breach Status of Green, the Process Impact Tolerance Breach Status is set to Green. If a related KRI’s Breach Status does not equal Red, Yellow, or Green, or the KRI does not have a value of Impact Tolerance Metric = Yes, then the field is set to Not Applicable.

    The Red and Yellow values for Impact Tolerance Breach Status are used within public filters to identify potential dependencies of Business Services that might be in breach within association views on SysView-Task-BusService-5 and on the BCM Master Dashboard.

  • Location – Impact Tol Breach Status

    This automatic calculation takes into account the Breach Status of all KRIs related to the Location where Impact Tolerance Metric = Yes. The calculation counts each such KRI Breach Status and sets the Impact Tolerance Breach Status field on the Location. If the calculation identifies at least one KRI Breach Status of Red, then the Location Impact Tolerance Breach status is set to Red. If the calculation identifies no related KRIs with a Breach Status of Red and at least one Yellow, the Location Impact Tolerance Breach Status is set to Yellow. If the calculation identifies no related KRIs with a Breach Status of Red or Yellow and at least one KRI Breach Status of Green, the Location Impact Tolerance Breach Status is set to Green. If a related KRI’s Breach Status does not equal Red, Yellow, or Green, or the KRI does not have a value of Impact Tolerance Metric = Yes, then the field is set to Not Applicable.

    The Red and Yellow values for Impact Tolerance Breach Status are used within public filters to identify potential dependencies of Business Services that might be in breach within association views on SysView-Task-BusService-5 and on the BCM Master Dashboard.

  • Resource – Impact Tol Breach Status

    This automatic calculation takes into account the Breach Status of all KRIs related to the Asset where Impact Tolerance Metric = Yes. The calculation counts each such KRI Breach Status and sets the Impact Tolerance Breach Status field on the Asset. If the calculation identifies at least one KRI Breach Status of Red, then the Resource Impact Tolerance Breach status is set to Red. If the calculation identifies no related KRIs with a Breach Status of Red and at least one Yellow, the Resource Impact Tolerance Breach Status is set to Yellow. If the calculation identifies no related KRIs with a Breach Status of Red or Yellow and at least one KRI with a Breach Status of Green, the Resource Impact Tolerance Breach Status is set to Green. If a related KRI’s Breach Status does not equal Red, Yellow, or Green, or the KRI does not have a value of Impact Tolerance Metric = Yes, then the field is set to Not Applicable.

    The Red and Yellow values for Impact Tolerance Breach Status are used within public filters to identify potential dependencies of Business Services that might be in breach within association views on SysView-Task-BusService-5 and on the BCM Master Dashboard.

  • Vendor – Impact Tol Breach Status

    This automatic calculation takes into account the Breach Status of all KRIs related to the Vendor where Impact Tolerance Metric = Yes. The calculation counts each such KRI Breach Status and sets the Impact Tolerance Breach Status field on the Vendor. If the calculation identifies at least one KRI Breach Status of Red, then the Vendor Impact Tolerance Breach status is set to Red. If the calculation identifies no related KRIs with a Breach Status of Red and at least one Yellow, the Vendor Impact Tolerance Breach Status is set to Yellow. If the calculation identifies no related KRIs with a Breach Status of Red or Yellow and at least one KRI with a Breach Status of Green, the Vendor Impact Tolerance Breach Status is set to Green. If a related KRI’s Breach Status does not equal Red, Yellow, or Green, or the KRI does not have a value of Impact Tolerance Metric = Yes, then the field is set to Not Applicable.

    The Red and Yellow values for Impact Tolerance Breach Status are used within public filters to identify potential dependencies of Business Services that might be in breach within association views on SysView-Task-BusService-5 and the BCM Master Dashboard.

  • Business Service - Breach Status

    This automatic calculation takes into account the Breach Status of all KRIs related to the Business Service. The calculation counts each such KRI Breach Status and sets the Impact Tolerance Breach Status field on the Business Service. If the calculation identifies at least one KRI Breach Status of Red, then the Business Service Impact Tolerance Breach status is set to Red. If the calculation identifies no related KRIs with a Breach Status of Red and at least one Yellow, the Business Service Impact Tolerance Breach Status is set to Yellow. If the calculation identifies no related KRIs with a Breach Status of Red or Yellow and at least one KRI with a Breach Status of Green, the Business Service Impact Tolerance Breach Status is set to Green. If a related KRI’s Breach Status does not equal Red, Yellow, or Green, then the field is set to Not Applicable.

    The Red and Yellow values for Impact Tolerance Breach Status are used within an Enumeration rule for SysView-Task-BusService-5 to display a task view for a Business Service with an impact tolerance that is close to or in breach. The values are also used on the BCM Master Dashboard.

IBM OpenPages Financial Controls Management calculations

Account Scoping – Assets
When the Classification field of the Account object = Assets, this calculation:
  • Calculates and sets the Annualized Value Percentage field of the Account record based on the sum of all Account object records with the same classification value and parent Business Entity.
  • Sets the Account In Scope field based on a threshold percentage.
Account Scoping – Equity
When the Classification field of the Account object = Equity, this calculation:
  • Calculates and sets the Annualized Value Percentage field of the Account record based on the sum of all Account object records with the same classification value and parent Business Entity.
  • Sets the Account In Scope field based on a threshold percentage.
Account Scoping – Expenses
When the Classification field of the Account object = Expenses, this calculation:
  • Calculates and sets the Annualized Value Percentage field of the Account record based on the sum of all Account object records with the same classification value and parent Business Entity.
  • Sets the Account In Scope field based on a threshold percentage.
Account Scoping – Liabilities
When the Classification field of the Account object = Liabilities, this calculation:
  • Calculates and sets the Annualized Value Percentage field of the Account record based on the sum of all Account object records with the same classification value and parent Business Entity.
  • Sets the Account In Scope field based on a threshold percentage.
Account Scoping – Revenue
When the Classification field of the Account object = Liabilities, this calculation:
  • Calculates and sets the Annualized Value Percentage field of the Account record based on the sum of all Account object records with the same classification value and parent Business Entity.
  • Sets the Account In Scope field based on a threshold percentage.
Account Scoping – Unknown
When the Classification field of the Account object = Unknown, this calculation:
  • Calculates and sets the Annualized Value Percentage field of the Account record based on the sum of all Account object records with the same classification value and parent Business Entity.
  • Sets the Account In Scope field based on a threshold percentage.
BE – Account Classification Totals
Calculates fields on the Business Entity object:
  • Calculates and sets the totals of the related Account object Classification field values for each of the following: Asset, Liability, Equity, Revenue, Expenses, and Unknown.
  • Calculates a combined total of all Account object Classification field values.
Control Eval Certification
Supports the sub-certification process in IBM OpenPages Financial Controls Management.
Process Eval Certification
Supports the sub-certification process in IBM OpenPages Financial Controls Management.

IBM OpenPages Internal Audit Management calculations

Summary Audit Plan Budget and Plans
Calculates the following fields for the Summary Audit Plan object view: Under Over Hours, Assigned Audit Hours, Completed Hours, and Remaining Hours. The values from these fields are totaled from the related Auditable Entity and Audit objects.

IBM OpenPages IT Governance calculations

Asset - Vulnerability Rating
This calculation sets the Vulnerability Assessment Rating on the Asset based on the highest rated open Vulnerability related to the Asset.
System - Vulnerability Rating
This calculation sets the Vulnerability Assessment Rating on the System based on the highest rated open Vulnerability related to the System or a related Asset.
Vulnerability - Threat Assessment
This calculation sets the Overall Likelihood and Risk Rating fields based on inputs provided for threat assessment fields. The scoring is based on NIST SP 800-30 Rev. 1.

IBM OpenPages Model Risk Governance (MRG) calculations

  • Metric Next Collection Date

    Automatically sets Next Collection Date for active Metrics, based on the frequency of the Metric.

    Note: This calculation is not applicable to IBM Watson® OpenScale metrics.
  • Metric Value - Update from Parent Metric

    Sets the Threshold and Direction information from the parent Metric, and calculates the Breach Status of a Metric Value.

    Note: This calculation is not applicable to IBM Watson OpenScale metrics.
  • Metric Value - Update

    Automatically updates active Metrics with data from the most recent child Metric Value. Also updates the Metric indicator trend if there is more than one collected Metric Value.

  • Model Risk Scorecard

    Calculates a tier for a model that can be used to assess the level of model risk. Typically, an organization will tier a model through the assessment of a number of factors. IBM OpenPages Model Risk Governance uses the following four factors: Complexity, Materiality, Operational, and Regulatory. The outcome is that each Model is assigned to Tier 1, Tier 2, or Tier 3. This calculation replaces a trigger that did the same model tiering in previous versions.

    Note: This calculation is not applicable to IBM Watson OpenScale models.

IBM OpenPages Policy Management (PCM) calculations

  • Policy Review Comment

    Populates the Policy Review Comment (PRC) object description with the Policy Name. This information provides context to users when they view the PRC object in a list or grid view.

    This calculation is optional. You can disable it, if needed.

IBM OpenPages Regulatory Compliance Management (RCM) calculations

These calculations aggregate the data from the Requirement Evaluations to Compliance Theme and Compliance Theme to Compliance Plan. These calculated metrics can help users to perform assessments.

The outputs from these calculations are stored within the corresponding Requirement Eval Value, Compliance Theme Value, and Compliance Plan Eval records for trending analysis purposes.

  • Compliance Theme – Requirement Eval

    This automatic calculation captures and sets fields on the Requirement Evaluation object from child Controls. The calculation counts all Controls that are mapped to the Requirement Evaluation, Controls with an Effective selection for Design Effectiveness, and Controls with an Effective selection for Operating Effectiveness. The calculation then sets the Control Count, DE Effective Count, and OE Effective Count fields on the Requirement Evaluation. The calculation also divides the count of Controls rated as Effective for Design and Operating Effectiveness from the Count of all controls and sets the Percent DE Effective and Percent OE Effective fields on the Requirement Evaluation.

  • Compliance Theme – Business Entity

    The calculation is applicable to Compliance Themes that are within the Business Entity hierarchy. The calculation is a roll-up of Requirement Evaluations to set the number and percent of Requirement Evaluations that were rated as Over-Target and On-Target for Design Effectiveness and Operating Effectiveness. The calculation also sets the average score for Design Effectiveness, Operating Effectiveness, and an Overall Rating for all related Requirement Evaluations that were rated as something other than 6 - Not Applicable. The average score is determined by scoring and adding each enum value from all associated Requirement Evaluations (1 – Over Target = 1; 2 – On-Target = 2; 3 – Under Target = 3; 4 – Significantly Under Target = 4; and 5 – No Relevant Control = 5) and dividing this total score by the number of Requirement Evaluations with one of the five enum values listed. A lower score indicates a higher level of compliance.

  • Compliance Theme – Library

    The calculation is applicable to Compliance Themes that are within the Library hierarchy. The calculation is a roll-up of Requirement Evaluations to set the number and percent of Requirement Evaluations that were rated as Over-Target and On-Target for Design Effectiveness, and Operating Effectiveness. The calculation also sets the average score for Design Effectiveness, Operating Effectiveness, and an Overall Rating for all related Requirement Evaluations that were rated as something other than 6 - Not Applicable. The average score is determined by scoring and adding each enum value from all associated Requirement Evaluations (1 – Over Target = 1; 2 – On-Target = 2; 3 – Under Target = 3; 4 – Significantly Under Target = 4; and 5 – No Relevant Control = 5) and dividing this total score by the number of Requirement Evaluations with one of the five enum values listed. A lower score indicates a higher level of compliance.

    Additionally, this calculation counts the number of Requirements within the Compliance Theme under assessment and sets the Requirement Count field.

  • Compliance Plan

    Similar to the calculation for Compliance Themes, the Compliance Plan calculation aggregates scores provided on child Compliance Themes. The calculation is a roll-up of Compliance Themes to set the number and percent of Compliance Themes that were rated as Over-Target and On-Target for Design Effectiveness and Operating Effectiveness. The calculation also sets the average score for Design Effectiveness, Operating Effectiveness, and an Overall Rating for all related Compliance Themes that were rated as something other than 6 - Not Applicable. The average score is determined by scoring and adding each enum value from all associated Compliance Themes (1 – Over Target = 1; 2 – On-Target = 2; 3 – Under Target = 3; 4 – Significantly Under Target = 4; and 5 – No Relevant Control = 5) and dividing this total score by the number of Compliance Themes with one of the five enum values listed. A lower score indicates a higher level of compliance. The calculation also counts the number of Compliance Themes that are included in the Compliance Plan.

IBM OpenPages Risk Management for ESG calculations

Objective Priority Score
Calculates an Objective Priority Score.
Gets the values from the Importance to Firm and Importance to Stakeholders fields. The values are: Very Low = 1 , Low = 2, Medium = 3, High = 4, Very High = 5. The two values are then added together to get the Objective Priority Score, which can range from 2-10.
Objective Progress
Calculates the difference between the Objective Progress and the Objective Target. The calculation then sets the Progress Status field to Under Achieving, Over Achieving, or On Target.