Customizing the risk rating formula

The risk rating formula is the most important attribute that you use to describe your applications. Use this example to customize the built-in risk rating. In this example, the business impact is calculated automatically, based on different application attributes.

About this task

Note: User role: Product Administrator

Ensure that you understand Built-in Formulas.

If you are a security analyst (or a similar role), you probably care about key information about your applications. For example:
  • Exposure
  • PCI requirement
  • SOX requirement
  • Revenue-generating
  • Confidential data
  • Number of users
Use these factors to determine the business impact and the risk rating of your applications.
Warning: If you modify the risk rating formula, the Security Risk Rating trend chart changes as of the month when you change the formula.


  1. On the Portfolio tab of the Monitor view, click Edit Application Profile Template.
  2. Create an attribute that is called "Exposure" and select the Dropdown type.
  3. Click Edit to open the list of values for the attribute.
  4. Add Internal and set the numeric value to 1.
  5. Add External, set the numeric value to 2, and click Save.
  6. Repeat steps 2-5 to add more attributes that are used in calculations.
  7. Save the application profile template so that the attributes are available to use in formulas.
  8. Reopen the Edit Application Profile Template.
  9. Create an attribute that is called "Calculated Business Impact" and select Formula as the type.
  10. Click Edit to enter the formula: IF(exposure=2,5, IF(exposure=1,2,0))
  11. Save the formula, and then save the application profile template.
  12. Reopen the Edit Application Profile Template.
  13. Edit the Risk Rating formula and replace the two occurrences of businessimpactwith calculatedbusinessimpact and click Save.
    Note: You can hide the 'Calculated Business Impact' attribute from the application list but still use it in your formulas by clearing the Enabled check box in the application profile template.
  14. Save the application profile template.
  15. Edit the new Exposure attribute to either Internal or External.


After the system recalculates the risk rating, the result of your new risk rating calculation displays. You can also click Refresh in the application list menu.