Platform Configuration Guide

The Asenion platform uses a set of configurable settings to control how risk scores, alignment statuses, and compliance levels are computed. These are platform-wide defaults: one set of values for the whole deployment, not separate values per customer organisation. They act as the “dials” that tune risk appetite and compliance classification behaviour across the platform.

Where to edit them: Users with the appropriate System Admin access open the System Admin dashboard, go to the System Admin page, and use the configuration table there to view and change existing keys.

This guide explains every available configuration key, how each one affects scoring, how to update values in that table, and how to ask the Asenion team to add new keys.

Overview

When a user completes an assessment, the platform computes several metrics:

  • Risk status — is this project HIGH, MEDIUM, or LOW risk?
  • Operational risk status — same classification for operational risk dimensions.
  • Alignment status — is this assessment aligned or not aligned with the policy?
  • Compliance status — does the answer bundle score meet the minimum threshold?
  • Policy alignment risk — across all assessments, is the overall policy alignment HIGH, MEDIUM, or LOW?

Each of these computations compares a calculated score (or percentage) against configurable thresholds. The configuration keys described in this guide control those thresholds.

Control-level answer     ──▶   Answer risk/alignment   ──▶   Assessment-level   ──▶   Project-level
scores (from policy)           scores (summed)                percentages              risk status
                                                                    │
                                                                    ▼
                                                        Compared against platform
                                                        CONFIGURATION thresholds

How Configuration Works

Each configuration is a key-value pair stored in the platform:

| Property | Type | Description |
| --- | --- | --- |
| key | string | Unique identifier for the setting (e.g., RISK_SCORE_HIGH) |
| value | number or string | The current value of the setting |
| description | string | Human-readable explanation of what the setting controls |
| dataType | string | One of NUMBER, STRING, BOOLEAN, or OBJECT |
| category | string | Grouping for related settings (e.g., RISK_MANAGEMENT, COMPLIANCE) |

Configurations are platform-scoped. The same key-value set applies to all organisations and projects on that deployment. Defaults are established when the platform is set up; System Admins can adjust them from the configuration table on the System Admin page (see Updating Configuration).

Important: Configuration values are cached for up to 5 minutes. After a change, it may take a few minutes for the new values to take effect across all computations.


Configuration Keys

Risk Management

These settings control the overall risk classification of assessments and projects.

| Key | Type | Default | Description |
| --- | --- | --- | --- |
| PLATFORM_RISK_APPETITE_PERCENT | number | 25 | The percentage threshold at or below which the overall risk status is LOW. If the calculated risk percentage is ≤ this value, the project/assessment is considered low risk. |
| PLATFORM_UNACCEPTABLE_RISK_PERCENT | number | 75 | The percentage threshold above which the overall risk status is HIGH. If the calculated risk percentage exceeds this value, the project/assessment is considered high risk. |

How they work together:

Risk Percentage    ──▶   Status
────────────────────────────────
≤ 25%                    LOW
> 25% and ≤ 75%          MEDIUM
> 75%                    HIGH

Any risk percentage that falls between the two thresholds is classified as MEDIUM.


Risk Scoring

These settings define the numeric weight given to each risk level when aggregating risk scores across multiple assessments in a project.

| Key | Type | Default | Description |
| --- | --- | --- | --- |
| RISK_SCORE_HIGH | number | 1 | Score weight assigned to an assessment with HIGH risk status. |
| RISK_SCORE_MEDIUM | number | 0.75 | Score weight assigned to an assessment with MEDIUM risk status. |
| RISK_SCORE_NONE | number | 0 | Score weight assigned to an assessment with LOW, UNAVAILABLE, or NONE risk status. |

When are these used?

When the platform computes the project-level risk status, it first determines each assessment’s individual risk status (HIGH, MEDIUM, LOW, or UNAVAILABLE). It then assigns the corresponding weight from these settings to each assessment, sums them up, and divides by the number of assessments to produce an overall risk percentage. That percentage is then compared against PLATFORM_RISK_APPETITE_PERCENT and PLATFORM_UNACCEPTABLE_RISK_PERCENT to determine the project’s risk status.

Project risk score = Σ (weight per assessment) / number of assessments × 100

Example with 3 assessments (1 HIGH, 1 MEDIUM, 1 LOW):
  = (1 + 0.75 + 0) / 3 × 100
  = 58.3%
  → Compared against thresholds → MEDIUM (between 25% and 75%)

Note: LOW-risk assessments receive the same weight as UNAVAILABLE (0). This means they do not contribute to the aggregate risk score — only HIGH and MEDIUM assessments drive the project-level risk upward.

RISK_SCORE_HIGH is also used as a fallback at the individual answer level when a numeric value cannot be parsed or when threshold arrays are misconfigured on an answer option.


Operational Risk

These settings control the risk classification for assessments that are identified as operational risk assessments (those associated with control bundles labeled operational_risk).

| Key | Type | Default | Description |
| --- | --- | --- | --- |
| PLATFORM_OP_RISK_APPETITE | number | 0.25 | The score threshold below which operational risk is LOW. |
| PLATFORM_OP_RISK_UNACCEPTABLE | number | 0.75 | The score threshold above which operational risk is HIGH. |

Note: Unlike the general risk management settings which use percentages (0–100), operational risk thresholds are compared against raw summed scores (typically 0–1 range). Keep this in mind when adjusting these values.

Operational Risk Score    ──▶   Status
──────────────────────────────────────
< 0.25                          LOW
≥ 0.25 and ≤ 0.75               MEDIUM
> 0.75                          HIGH

Alignment

These settings control how the platform determines policy alignment risk — the overall alignment status across all assessments in a project.

| Key | Type | Default | Description |
| --- | --- | --- | --- |
| PLATFORM_POLICY_ALIGNMENT_RISK_HIGH_THRESHOLD | number | 0.5 | If the percentage of aligned assessments is ≤ this value, the policy alignment risk status is HIGH. |
| PLATFORM_POLICY_ALIGNMENT_RISK_MEDIUM_THRESHOLD | number | 0.75 | If the percentage of aligned assessments is ≤ this value (but above the high threshold), the policy alignment risk status is MEDIUM. Above this value, it is LOW. |

How policy alignment risk works:

The platform counts how many assessments in a project are “Aligned” vs “Not Aligned”, then computes the aligned percentage:

Aligned % = (number of aligned assessments) / (total assessments)

Aligned %                                    ──▶   Policy Alignment Risk
────────────────────────────────────────────────────────────────────────
≤ 0.5  (50% or fewer aligned)                      HIGH
> 0.5 and ≤ 0.75  (51%–75% aligned)                MEDIUM
> 0.75  (more than 75% aligned)                     LOW

Compliance

This setting defines the default minimum score for determining whether an answer bundle (a group of answers within an assessment) is compliant.

| Key | Type | Default | Description |
| --- | --- | --- | --- |
| PLATFORM_COMPLIANCE_MIN_PERCENT | number | 75 | The minimum score percentage an answer bundle must achieve to be considered aligned/compliant. If the score falls below this, the bundle is “Not Aligned”. |

Note: This is a fallback default. If a control bundle in your policy defines its own compliance_min_percent, that value takes precedence over the platform-level setting. See Policy Configuration — Control Bundle Object for details.

The maximum score boundary is fixed at 100%. If you need a different maximum for a specific control bundle, set compliance_max_percent directly on that bundle in your policy configuration.

Bundle Score %          ──▶   Alignment Status
──────────────────────────────────────────────
< 75%                         Not Aligned
75% – 100%                    Aligned
> 100%                        Not Aligned

Assessment

| Key | Type | Default | Description |
| --- | --- | --- | --- |
| NUMBER_OF_ANSWERS_BUNDLES | number | 32 | Maximum number of answer bundles (control bundle responses) retrieved per assessment. This is a performance setting — increase it only if your policies contain more than 32 control bundles per assessment. |

How the Scoring Pipeline Uses Configuration

This section explains the end-to-end flow from individual answers to project-level statuses, showing where each configuration key is consulted.

Risk Status Calculation

Scope: Individual assessment → project-level aggregation.

Step 1 — Answer-level risk score

Each answer’s risk score is determined by the thresholds and riskScore arrays defined on the answer option in the policy configuration. This step does not use platform configuration — it uses the policy’s own threshold definitions. See Policy Configuration — Threshold-Based Scoring for details.

If a numeric value cannot be parsed or the threshold arrays are misconfigured, the platform falls back to RISK_SCORE_HIGH (default: 1).

Step 2 — Assessment-level risk percentage

All answer-level risk scores within the assessment are summed and divided by the maximum possible risk score:

Assessment risk % = (Σ answer risk scores) / (max possible risk score) × 100

This percentage is compared against:

  • PLATFORM_UNACCEPTABLE_RISK_PERCENT (default: 75) → above this = HIGH
  • PLATFORM_RISK_APPETITE_PERCENT (default: 25) → at or below this = LOW
  • Between the two = MEDIUM

Step 3 — Project-level risk status

Each assessment’s risk status is converted to a numeric weight using the RISK_SCORE_* configuration keys. The weighted sum is divided by the number of assessments:

Project risk % = (Σ risk score weights) / (number of assessments) × 100

This percentage is again compared against PLATFORM_UNACCEPTABLE_RISK_PERCENT and PLATFORM_RISK_APPETITE_PERCENT.
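
The three steps above, sketched in Python as an added example (not Asenion's code). The function names are hypothetical; the keys and defaults are the ones documented in this guide, and rejecting an empty project is an assumption.

```python
# Added example. Keys and defaults are copied from this guide; the function
# names are hypothetical and this is not the platform's own implementation.
DEFAULTS = {
    "PLATFORM_RISK_APPETITE_PERCENT": 25,
    "PLATFORM_UNACCEPTABLE_RISK_PERCENT": 75,
    "RISK_SCORE_HIGH": 1,
    "RISK_SCORE_MEDIUM": 0.75,
    "RISK_SCORE_NONE": 0,
}


def classify_risk(percent, cfg=DEFAULTS):
    """Map a risk percentage (0-100) to HIGH, MEDIUM or LOW."""
    if percent > cfg["PLATFORM_UNACCEPTABLE_RISK_PERCENT"]:
        return "HIGH"
    if percent <= cfg["PLATFORM_RISK_APPETITE_PERCENT"]:
        return "LOW"
    return "MEDIUM"


def assessment_risk_percent(answer_scores, max_possible):
    """Step 2: summed answer risk scores over the maximum possible score."""
    if max_possible <= 0:
        raise ValueError("max possible risk score must be positive")
    return sum(answer_scores) / max_possible * 100


def project_risk(statuses, cfg=DEFAULTS):
    """Step 3: weight each assessment status, average, then classify."""
    if not statuses:
        # Assumption: the guide does not say how an empty project is scored.
        raise ValueError("project has no assessments")
    weights = {"HIGH": cfg["RISK_SCORE_HIGH"], "MEDIUM": cfg["RISK_SCORE_MEDIUM"]}
    # LOW, UNAVAILABLE and NONE all take RISK_SCORE_NONE.
    total = sum(weights.get(s, cfg["RISK_SCORE_NONE"]) for s in statuses)
    percent = total / len(statuses) * 100
    return percent, classify_risk(percent, cfg)


if __name__ == "__main__":
    # Constructed inputs: the guide's 1 HIGH / 1 MEDIUM / 1 LOW project,
    # then the same 60% score under Example 1's tightened thresholds.
    print(project_risk(["HIGH", "MEDIUM", "LOW"]))
    tightened = dict(DEFAULTS, PLATFORM_RISK_APPETITE_PERCENT=30,
                     PLATFORM_UNACCEPTABLE_RISK_PERCENT=50)
    print(classify_risk(60), "->", classify_risk(60, tightened))
    print(project_risk(["MEDIUM"] * 3))  # lands exactly on the 75% boundary
```

With the default weights, a project whose assessments are all MEDIUM scores exactly 75%, so lowering PLATFORM_UNACCEPTABLE_RISK_PERCENT by any amount reclassifies every such project as HIGH.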


Operational Risk Calculation

Scope: Assessments linked to control bundles labeled operational_risk.

The platform identifies operational risk assessments by checking whether any associated control bundle carries the operational_risk label. For these assessments, the raw summed risk score is compared against:

  • PLATFORM_OP_RISK_UNACCEPTABLE (default: 0.75) → above this = HIGH
  • PLATFORM_OP_RISK_APPETITE (default: 0.25) → below this = LOW
  • Between the two = MEDIUM

Policy Alignment Risk Calculation

Scope: All assessments in a project, aggregated.

Each assessment is individually classified as “Aligned” or “Not Aligned” (see next section). The platform then counts the proportion of aligned assessments:

Aligned % = aligned assessments / total assessments

This is compared against:

  • PLATFORM_POLICY_ALIGNMENT_RISK_HIGH_THRESHOLD (default: 0.5) → at or below = HIGH risk
  • PLATFORM_POLICY_ALIGNMENT_RISK_MEDIUM_THRESHOLD (default: 0.75) → at or below = MEDIUM risk
  • Above 0.75 = LOW risk

Compliance / Alignment Status Calculation

Scope: Individual answer bundles within an assessment.

For each answer bundle, the platform computes a score percentage:

Bundle score % = (Σ alignment scores for answered controls) / (max possible score) × 100

This percentage is checked against:

  • compliance_min_percent on the control bundle (falls back to PLATFORM_COMPLIANCE_MIN_PERCENT if not set)
  • compliance_max_percent on the control bundle (falls back to 100 if not set)

If the score falls within [min, max], the bundle is Aligned. Otherwise, it is Not Aligned.

An assessment is considered Aligned only if all of its answer bundles are aligned and its completion percentage exceeds PLATFORM_RISK_APPETITE_PERCENT.
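
The policy alignment risk and compliance calculations above, as an added Python example (not the platform's implementation). Function names and the shape of the bundle data are hypothetical; the thresholds, the bundle-over-platform precedence and the completion check follow this guide.

```python
# Added example. Function names and the dict/tuple shapes are hypothetical;
# thresholds, precedence and defaults follow this guide.
PLATFORM = {
    "PLATFORM_COMPLIANCE_MIN_PERCENT": 75,
    "PLATFORM_RISK_APPETITE_PERCENT": 25,
    "PLATFORM_POLICY_ALIGNMENT_RISK_HIGH_THRESHOLD": 0.5,
    "PLATFORM_POLICY_ALIGNMENT_RISK_MEDIUM_THRESHOLD": 0.75,
}


def bundle_aligned(score_percent, bundle, cfg=PLATFORM):
    """A bundle is Aligned when its score lies within [min, max]."""
    lo = bundle.get("compliance_min_percent")
    if lo is None:  # bundle sets no minimum: use the platform fallback
        lo = cfg["PLATFORM_COMPLIANCE_MIN_PERCENT"]
    hi = bundle.get("compliance_max_percent")
    if hi is None:  # maximum is fixed at 100 unless the bundle sets its own
        hi = 100
    return lo <= score_percent <= hi


def assessment_aligned(bundles, completion_percent, cfg=PLATFORM):
    """bundles: list of (bundle_config, score_percent) pairs."""
    if completion_percent <= cfg["PLATFORM_RISK_APPETITE_PERCENT"]:
        return False
    return all(bundle_aligned(score, b, cfg) for b, score in bundles)


def policy_alignment_risk(aligned_flags, cfg=PLATFORM):
    """aligned_flags: one boolean per assessment in the project."""
    if not aligned_flags:
        # Assumption: the guide does not cover a project with no assessments.
        raise ValueError("project has no assessments")
    ratio = sum(aligned_flags) / len(aligned_flags)
    if ratio <= cfg["PLATFORM_POLICY_ALIGNMENT_RISK_HIGH_THRESHOLD"]:
        return "HIGH"
    if ratio <= cfg["PLATFORM_POLICY_ALIGNMENT_RISK_MEDIUM_THRESHOLD"]:
        return "MEDIUM"
    return "LOW"


if __name__ == "__main__":
    # Constructed data: raising the platform minimum to 90 flips the 80%
    # bundle unless that bundle carries its own compliance_min_percent.
    strict = dict(PLATFORM, PLATFORM_COMPLIANCE_MIN_PERCENT=90)
    print(bundle_aligned(80, {}), bundle_aligned(80, {}, strict))
    print(bundle_aligned(80, {"compliance_min_percent": 70}, strict))
    print(policy_alignment_risk([True] * 8 + [False] * 2))
```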


Worked Examples

Example 1: Adjusting Risk Appetite

Scenario: You want the platform to treat any risk above 50% as unacceptable, and to widen the “low risk” band up to 30%.

Configuration changes:

| Key | Default | New Value |
| --- | --- | --- |
| PLATFORM_RISK_APPETITE_PERCENT | 25 | 30 |
| PLATFORM_UNACCEPTABLE_RISK_PERCENT | 75 | 50 |

Effect:

Before:                           After:
≤ 25% → LOW                      ≤ 30% → LOW
26%–75% → MEDIUM                  31%–50% → MEDIUM
> 75% → HIGH                     > 50% → HIGH

A project with a 60% risk score would change from MEDIUM to HIGH under the new settings.


Example 2: Tightening Compliance Thresholds

Scenario: You want at least 90% bundle score required for alignment (instead of the default 75%).

Configuration change:

| Key | Default | New Value |
| --- | --- | --- |
| PLATFORM_COMPLIANCE_MIN_PERCENT | 75 | 90 |

Effect:

A control bundle with an 80% score would change from Aligned to Not Aligned under the new setting. This cascades upward — if any bundle is Not Aligned, the entire assessment becomes Not Aligned.

Tip: You can also set compliance_min_percent directly on individual control bundles in your policy configuration for bundle-level control, rather than changing the platform-wide default. See Policy Configuration — Control Bundle Object.


Example 3: Adjusting Policy Alignment Risk Thresholds

Scenario: You want stricter alignment requirements — only projects where more than 90% of assessments are aligned should be considered LOW policy alignment risk.

Configuration changes:

| Key | Default | New Value |
| --- | --- | --- |
| PLATFORM_POLICY_ALIGNMENT_RISK_HIGH_THRESHOLD | 0.5 | 0.6 |
| PLATFORM_POLICY_ALIGNMENT_RISK_MEDIUM_THRESHOLD | 0.75 | 0.9 |

Effect:

Before:                                    After:
≤ 50% aligned → HIGH                      ≤ 60% aligned → HIGH
51%–75% aligned → MEDIUM                   61%–90% aligned → MEDIUM
> 75% aligned → LOW                       > 90% aligned → LOW

A project where 80% of assessments are aligned would change from LOW to MEDIUM.


Relationship to Policy Configuration

Platform configuration and policy configuration work together at different levels:

| Level | What it controls | Where it is defined | Documentation |
| --- | --- | --- | --- |
| Answer option | How a specific answer maps to risk/alignment scores | thresholds, riskScore, alignmentScore on the answer option | Policy Configuration — Threshold-Based Scoring |
| Control bundle | Compliance thresholds for a specific bundle | compliance_min_percent, compliance_max_percent on the control bundle | Policy Configuration — Control Bundle Object |
| Policy | Compliance levels with score ranges | compliance array on the policy | Policy Configuration — Compliance Level |
| Platform | Deployment-wide defaults for risk/alignment/compliance classification | Configuration keys described in this guide (managed in the System Admin configuration table) | This document |

Precedence rule: Control-bundle-level settings override platform-level defaults. If a control bundle defines its own compliance_min_percent, the platform’s PLATFORM_COMPLIANCE_MIN_PERCENT is not used for that bundle.


Quick Reference

All Configuration Keys

| Key | Category | Type | Default | Used For |
| --- | --- | --- | --- | --- |
| PLATFORM_RISK_APPETITE_PERCENT | Risk Management | number | 25 | Upper bound for LOW risk (percentage) |
| PLATFORM_UNACCEPTABLE_RISK_PERCENT | Risk Management | number | 75 | Lower bound for HIGH risk (percentage) |
| RISK_SCORE_HIGH | Risk Scoring | number | 1 | Weight for HIGH-risk assessments |
| RISK_SCORE_MEDIUM | Risk Scoring | number | 0.75 | Weight for MEDIUM-risk assessments |
| RISK_SCORE_NONE | Risk Scoring | number | 0 | Weight for LOW/UNAVAILABLE/NONE assessments |
| PLATFORM_OP_RISK_APPETITE | Operational Risk | number | 0.25 | Upper bound for LOW operational risk (raw score) |
| PLATFORM_OP_RISK_UNACCEPTABLE | Operational Risk | number | 0.75 | Lower bound for HIGH operational risk (raw score) |
| PLATFORM_POLICY_ALIGNMENT_RISK_HIGH_THRESHOLD | Alignment | number | 0.5 | Upper bound for HIGH alignment risk (ratio) |
| PLATFORM_POLICY_ALIGNMENT_RISK_MEDIUM_THRESHOLD | Alignment | number | 0.75 | Upper bound for MEDIUM alignment risk (ratio) |
| PLATFORM_COMPLIANCE_MIN_PERCENT | Compliance | number | 75 | Minimum bundle score % for alignment |
| NUMBER_OF_ANSWERS_BUNDLES | Assessment | number | 32 | Max answer bundles per assessment query |

Risk Status Decision Flowchart

                    ┌──────────────────────┐
                    │  Calculate risk %    │
                    │  for assessment      │
                    └──────────┬───────────┘
                               │
                    ┌──────────▼───────────┐
                    │  risk % > PLATFORM_  │──── Yes ───▶ HIGH
                    │  UNACCEPTABLE_RISK_  │
                    │  PERCENT (75)?       │
                    └──────────┬───────────┘
                               │ No
                    ┌──────────▼───────────┐
                    │  risk % ≤ PLATFORM_  │──── Yes ───▶ LOW
                    │  RISK_APPETITE_      │
                    │  PERCENT (25)?       │
                    └──────────┬───────────┘
                               │ No
                               ▼
                            MEDIUM

Updating Configuration

Changing existing values (self-service)

Users with System Admin access can update any existing configuration value from the System Admin dashboard:

  1. Open the System Admin dashboard and go to the System Admin page.
  2. Use the configuration table on that page to find the key (you can filter by name).
  3. Update the value and save.

Updated values take effect within 5 minutes due to caching.

Note: The configuration table may list additional keys not documented here. Those are reserved for internal platform use and should not be modified without consulting the Asenion team:

| Key | Category | Why it is reserved |
| --- | --- | --- |
| RISK_SCORE_LOW | Risk Scoring | Reserved. LOW-risk assessments are currently weighted the same as RISK_SCORE_NONE (0). |
| PLATFORM_ALIGNMENT_APPETITE | Alignment | Reserved for future use. Not currently consumed by the scoring engine. |
| PLATFORM_COMPLIANCE_MAX_PERCENT | Compliance | Reserved. The maximum compliance boundary is fixed at 100%. Set compliance_max_percent on individual control bundles if you need a different maximum. |
| ENTRA_ID_MODE | Authentication | Managed by the Asenion team during deployment. Controls Entra ID authentication mode (single-tenant or multi-tenant). |
| AZURE_AD_CLIENT_ID | Authentication | Managed by the Asenion team during deployment. Azure AD Application (client) ID for Entra ID authentication. |

Tip: Before changing a value, review the Worked Examples to understand how the change will affect scoring. For control-bundle-level overrides (e.g., setting a different compliance_min_percent for a specific bundle), submit those as part of your policy configuration update instead. See Policy Configuration.
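
Because these values apply to the whole deployment and the same table holds both percentage-scale (0–100) and ratio-scale (0–1) keys, a proposed change is worth checking before it is saved. The following is an added example of such a pre-change review, not an Asenion tool or API: the helper names are hypothetical, and the range and ordering checks are assumptions derived from this guide's threshold tables rather than rules the platform is documented to enforce.

```python
# Added example: a pre-change review helper (hypothetical, not an Asenion
# API). Key names, scales and the reserved list come from this guide; the
# range and ordering checks are assumptions drawn from its threshold tables.
PERCENT_KEYS = {
    "PLATFORM_RISK_APPETITE_PERCENT",
    "PLATFORM_UNACCEPTABLE_RISK_PERCENT",
    "PLATFORM_COMPLIANCE_MIN_PERCENT",
}
RATIO_KEYS = {
    "PLATFORM_OP_RISK_APPETITE",
    "PLATFORM_OP_RISK_UNACCEPTABLE",
    "PLATFORM_POLICY_ALIGNMENT_RISK_HIGH_THRESHOLD",
    "PLATFORM_POLICY_ALIGNMENT_RISK_MEDIUM_THRESHOLD",
}
# (lower threshold, upper threshold): the lower one must not exceed the upper.
ORDERED_PAIRS = [
    ("PLATFORM_RISK_APPETITE_PERCENT", "PLATFORM_UNACCEPTABLE_RISK_PERCENT"),
    ("PLATFORM_OP_RISK_APPETITE", "PLATFORM_OP_RISK_UNACCEPTABLE"),
    ("PLATFORM_POLICY_ALIGNMENT_RISK_HIGH_THRESHOLD",
     "PLATFORM_POLICY_ALIGNMENT_RISK_MEDIUM_THRESHOLD"),
]
RESERVED = {"RISK_SCORE_LOW", "PLATFORM_ALIGNMENT_APPETITE",
            "PLATFORM_COMPLIANCE_MAX_PERCENT", "ENTRA_ID_MODE",
            "AZURE_AD_CLIENT_ID"}


def _is_number(value):
    return isinstance(value, (int, float)) and not isinstance(value, bool)


def review_change(current, proposed):
    """Return a list of findings for a proposed {key: value} change."""
    findings = []
    for key, value in proposed.items():
        if key in RESERVED:
            findings.append(f"{key}: reserved, consult the Asenion team")
        elif key in PERCENT_KEYS | RATIO_KEYS:
            top = 100 if key in PERCENT_KEYS else 1
            if not _is_number(value):
                findings.append(f"{key}: value must be numeric")
            elif not 0 <= value <= top:
                findings.append(f"{key}: {value} outside 0-{top} scale")
    merged = {**current, **proposed}  # the table as it would look after saving
    for low, high in ORDERED_PAIRS:
        lo, hi = merged.get(low), merged.get(high)
        if _is_number(lo) and _is_number(hi) and lo > hi:
            findings.append(f"{low} ({lo}) exceeds {high} ({hi})")
    return findings


if __name__ == "__main__":
    # Constructed case: a percentage typed into a ratio-scale key.
    current = {"PLATFORM_OP_RISK_APPETITE": 0.25,
               "PLATFORM_OP_RISK_UNACCEPTABLE": 0.75}
    for finding in review_change(current, {"PLATFORM_OP_RISK_APPETITE": 25}):
        print(finding)
```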

Creating new configurations (requires review)

If you need a configuration key that does not yet exist on the platform, send a request to the Asenion team. Include who to contact and which deployment or environment the change applies to in your message (email or ticket), together with a payload like:

{
  "newConfigurations": [
    {
      "key": "CUSTOM_KEY_NAME",
      "value": 50,
      "dataType": "NUMBER",
      "description": "What this configuration controls and why it is needed."
    }
  ]
}

The Asenion team will review the request and create the platform-level configuration on your behalf.