Risk scoring
Covenant's score is explainable by design: every point comes from a named factor with a visible delta. Change one questionnaire answer and you can see exactly which factor moved and by how much. There are no unexplained score changes.
The composite score (0–100)
The residual composite starts at 100 (safest) and subtracts itemized penalties. Higher is safer. It is shown on the vendor card, the detail header, the ledger, and on the Explainable composite score card with a full factor table.
| Factor | What it subtracts |
|---|---|
| Inherent exposure | A baseline penalty by tier: Critical −20, High −12, Medium −6, Low 0. (Riskier vendors start lower.) |
| Security questionnaire | Up to −45, scaled linearly by the weighted share of controls the vendor failed (no failed controls −0, every weighted control failed −45). |
| External posture findings | Sum of severity costs for findings whose status is open or disputed (resolved findings cost nothing): critical −25, high −15, medium −8, low −3, info 0. |
| BAA gap | −15 when a PHI vendor has no BAA on file. |
| Risk decision | 0 (recorded as a traceable factor; documenting an accepted/mitigated risk doesn't change raw posture). |
The score is clamped to 0–100. The factor table on the score card lists each factor with its detail and signed delta, so the math is always auditable.
Letter grades
| Score | Grade |
|---|---|
| 90–100 | A |
| 80–89 | B |
| 70–79 | C |
| 60–69 | D |
| below 60 | F |
Inherent vs residual
The score card shows both:
- Inherent — the vendor's exposure ignoring its controls and findings (just the tier baseline and any BAA gap). This is "how risky this vendor is by nature."
- Residual (live) — the full composite, after the questionnaire results and findings are applied. This is "how risky they are given what we know."
The arrow between them shows the buy-down delta, the difference between the two scores. Because the questionnaire and findings factors only ever subtract, residual can equal inherent (every weighted control passed, no open or disputed findings) but never exceed it; a large negative delta means failed controls and open findings dominate the vendor's posture. The ledger has an Inh→Res column showing this at a glance.
Risk decisions (accept / mitigate / transfer / avoid)
On the score card you can record a formal risk decision with a justification and a review-by date:
- Pick a decision: accept, mitigate, transfer, or avoid.
- Add a justification / compensating control and a Review by date.
- Click Record decision.
This is recorded as a zero-delta score factor (it documents ownership of the residual risk, it does not hide it) and counts as risk_acceptance evidence in framework coverage. If the review-by date passes, the factor is flagged EXPIRED — re-review.
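The scoring rules above, from the factor table through inherent vs residual to the zero-delta risk decision with its expiry flag, as one worked example. This is an added illustration, not Covenant's own code: the penalty constants, grade bands and factor names are the ones listed on this page, while the `Vendor`/`Control`/`Finding`/`RiskDecision` data classes, the questionnaire formula (failed weight divided by total weight, rounded to whole points) and the sample vendor are assumptions made for the example.

```python
"""Explainable composite score, reimplemented from the page's factor table.

Added example, not Covenant's code. Constants come from the page; the data
shapes, the questionnaire formula and the sample data are assumptions.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

TIER_PENALTY = {"critical": 20, "high": 12, "medium": 6, "low": 0}
QUESTIONNAIRE_MAX = 45
FINDING_COST = {"critical": 25, "high": 15, "medium": 8, "low": 3, "info": 0}
COUNTED_STATUSES = {"open", "disputed"}              # resolved/closed findings cost nothing
BAA_GAP_PENALTY = 15
INHERENT_FACTORS = {"Inherent exposure", "BAA gap"}  # the only factors in the inherent score
SAMPLE_TODAY = date(2024, 3, 1)                      # fixed "today" so the example is reproducible


@dataclass
class Control:
    name: str
    weight: float
    passed: bool


@dataclass
class Finding:
    title: str
    severity: str  # critical / high / medium / low / info
    status: str    # open / disputed / resolved / ...


@dataclass
class RiskDecision:
    decision: str  # accept / mitigate / transfer / avoid
    justification: str
    review_by: date


@dataclass
class Vendor:
    name: str
    tier: str
    handles_phi: bool
    baa_on_file: bool
    controls: List[Control] = field(default_factory=list)
    findings: List[Finding] = field(default_factory=list)
    decision: Optional[RiskDecision] = None


@dataclass
class Factor:
    name: str
    detail: str
    delta: int  # signed; zero or negative for every factor on this page


def score_factors(vendor: Vendor, today: Optional[date] = None) -> List[Factor]:
    """Itemized factor table: residual = 100 + sum(delta), clamped to 0..100."""
    today = today or date.today()
    factors = [Factor("Inherent exposure", f"tier {vendor.tier}", -TIER_PENALTY[vendor.tier.lower()])]
    # Questionnaire: up to -45, scaled by the weighted share of failed controls (assumed formula).
    total_w = sum(c.weight for c in vendor.controls)
    failed_w = sum(c.weight for c in vendor.controls if not c.passed)
    share = failed_w / total_w if total_w else 0.0  # nothing answered yet: no penalty, no ZeroDivisionError
    factors.append(Factor("Security questionnaire", f"{share:.0%} of weighted controls failed",
                          -round(QUESTIONNAIRE_MAX * share)))
    # Findings: only open/disputed ones count; their costs can exceed 100 before clamping.
    counted = [f for f in vendor.findings if f.status.lower() in COUNTED_STATUSES]
    factors.append(Factor("External posture findings", f"{len(counted)} open/disputed",
                          -sum(FINDING_COST[f.severity.lower()] for f in counted)))
    if vendor.handles_phi and not vendor.baa_on_file:
        factors.append(Factor("BAA gap", "PHI vendor with no BAA on file", -BAA_GAP_PENALTY))
    # Risk decision: zero delta, but recorded and flagged once the review-by date has passed.
    if vendor.decision:
        d = vendor.decision
        status = "EXPIRED - re-review" if d.review_by < today else f"review by {d.review_by}"
        factors.append(Factor("Risk decision", f"{d.decision}: {d.justification} ({status})", 0))
    return factors


def clamp(score: int) -> int:
    return max(0, min(100, score))


def residual_score(vendor: Vendor, today: Optional[date] = None) -> int:
    return clamp(100 + sum(f.delta for f in score_factors(vendor, today)))


def inherent_score(vendor: Vendor, today: Optional[date] = None) -> int:
    """Tier baseline and BAA gap only: exposure before controls and findings are applied."""
    return clamp(100 + sum(f.delta for f in score_factors(vendor, today) if f.name in INHERENT_FACTORS))


def grade(score: int) -> str:
    for floor, letter in ((90, "A"), (80, "B"), (70, "C"), (60, "D")):
        if score >= floor:
            return letter
    return "F"


def explain(vendor: Vendor, today: Optional[date] = None) -> str:
    """Render the score card: Inh -> Res with its delta, then each factor with a signed delta."""
    inh, res = inherent_score(vendor, today), residual_score(vendor, today)
    lines = [f"{vendor.name}: inherent {inh} ({grade(inh)}) -> residual {res} ({grade(res)}), delta {res - inh:+d}"]
    lines += [f"  {f.delta:+4d}  {f.name}: {f.detail}" for f in score_factors(vendor, today)]
    return "\n".join(lines)


def sample_vendor() -> Vendor:
    """Constructed sample data, not a real vendor."""
    return Vendor(
        name="Acme Claims Processing", tier="High", handles_phi=True, baa_on_file=False,
        controls=[Control("MFA for admins", 3, True), Control("Encryption at rest", 3, True),
                  Control("Annual pentest", 2, False), Control("Vendor offboarding", 2, False)],
        findings=[Finding("Expired TLS cert on portal", "high", "open"),
                  Finding("Open RDP on bastion", "critical", "resolved"),  # resolved: not counted
                  Finding("Missing SPF record", "low", "disputed")],
        decision=RiskDecision("accept", "pentest scheduled for Q2", date(2024, 1, 31)),
    )


if __name__ == "__main__":
    print(explain(sample_vendor(), SAMPLE_TODAY))
```

Running it prints the sample vendor at inherent 73 (C) and residual 37 (F), a delta of −36 made up of −12 tier, −18 questionnaire (40% of weighted controls failed), −18 findings (the resolved critical is excluded) and −15 BAA gap, with the accepted risk listed at 0 and flagged EXPIRED because its review-by date is behind the fixed "today". The same functions show the two edge cases worth checking in any reimplementation: a vendor with no answered controls gets no questionnaire penalty rather than a division error, and a pile of critical findings clamps to 0 instead of going negative.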