# Risk factors configuration

The Risk Factors page allows administrators to configure and manage IAM risk assessment factors used to compute user entitlement risk scores. This is useful when configuring [risk event-driven certification](/access-review/risk-event-driven-certification.md).

Access it in the webconsole at **Administration → Risk Factors Configuration**.

The page displays a summary panel and a grid of configurable risk factor cards. Each factor contributes to an overall risk score that helps identify users with potentially excessive or under-reviewed access.

The top panel shows:

* **Total Factors** — count of enabled factors.
* **Pie Chart** — distribution of factors across High, Medium, and Low impact levels.
* **Overall Risk** — the average weight of all enabled factors, classified as High, Medium, or Low.

## Impact levels

Impact levels classify how critical an entitlement, role, or access decision is if it is incorrectly granted or retained. They help prioritize reviewer attention during certification campaigns. Impact levels are derived from a factor's weight:

<table><thead><tr><th width="188.6666259765625">Level</th><th>Weight Range</th><th>Color</th></tr></thead><tbody><tr><td>High</td><td>0.7 or above</td><td><mark style="color:$primary;">Red</mark></td></tr><tr><td>Medium</td><td>0.4 to below 0.7</td><td><mark style="color:$warning;">Orange</mark></td></tr><tr><td>Low</td><td>Below 0.4</td><td><mark style="color:$success;">Green</mark></td></tr></tbody></table>

## Risk factors

Risk factors are the individual attributes, signals, or conditions used to calculate the overall risk score of a user's access. They explain why an impact level is assigned and are combined to determine whether an entitlement is low, medium, or high risk during certification.

<table><thead><tr><th width="223.33331298828125">Factor</th><th>Description</th></tr></thead><tbody><tr><td><code>ENTITLEMENT_SENSITIVITY</code></td><td>Measures the sensitivity of entitlements assigned to a user. Higher sensitivity entitlements (e.g. admin access, financial systems) contribute more to the overall risk score.</td></tr><tr><td><code>ENTITLEMENT_ORIGIN</code></td><td>Evaluates how entitlements were granted. Directly assigned entitlements may carry different risk than those inherited through roles or groups.</td></tr><tr><td><code>ENTITLEMENT_LIFETIME</code></td><td>Assesses how long an entitlement has been held. Long-standing entitlements that have not been reviewed may indicate elevated risk.</td></tr><tr><td><code>APPROVAL_PATH</code></td><td>Analyzes the approval workflow used to grant access. Entitlements granted without proper approval or via expedited paths carry higher risk.</td></tr><tr><td><code>UAR_AWARENESS</code></td><td>Tracks whether entitlements have been reviewed in User Access Reviews. Entitlements that have not been recently certified carry higher risk.</td></tr></tbody></table>

## Configuring a risk factor

Each risk factor card has the following settings:

<table><thead><tr><th width="192">Setting</th><th>Description</th></tr></thead><tbody><tr><td><strong>Enabled</strong></td><td>Toggle to enable or disable the factor. Disabled factors are excluded from the overall risk score and appear dimmed.</td></tr><tr><td><strong>Risk Weight</strong></td><td>Slider from 0.0 to 1.0 (step 0.1). Controls how much this factor contributes to the risk score. The impact level chip updates in real time as the slider moves.</td></tr><tr><td><strong>Custom Parameters</strong></td><td>A JSON object for factor-specific configuration. The JSON must deserialize to a valid <code>RiskFactorCustomParams</code> structure; the backend rejects malformed or unknown fields.</td></tr><tr><td><strong>Updated At</strong></td><td>Timestamp of the last modification.</td></tr><tr><td><strong>Updated By</strong></td><td>Display name of the user who last saved the factor.</td></tr></tbody></table>

All save operations are audit-logged under the `SAVE_RISK_SCORE_FACTOR` action.
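The following added example (not OpenIAM code) recomputes the summary panel from a set of factor settings, so a planned weight change can be checked against the impact-level boundaries before saving. The `name`/`enabled`/`weight` record shape is hypothetical, and it assumes Overall Risk is classified with the same thresholds as the impact-level table.

```python
from decimal import Decimal

# Factor names are the ones listed on this page.
KNOWN_FACTORS = {"ENTITLEMENT_SENSITIVITY", "ENTITLEMENT_ORIGIN",
                 "ENTITLEMENT_LIFETIME", "APPROVAL_PATH", "UAR_AWARENESS"}
HIGH, MEDIUM = Decimal("0.7"), Decimal("0.4")
STEP = Decimal("0.1")

def impact_level(weight: Decimal) -> str:
    """Map a weight to the impact level from the table (0.7 itself is High)."""
    if weight >= HIGH:
        return "High"
    return "Medium" if weight >= MEDIUM else "Low"

def parse_weight(raw) -> Decimal:
    """Accept only slider values: 0.0 to 1.0 in steps of 0.1."""
    # Decimal(str(x)) reads 0.7 as exactly 0.7, so boundary checks stay exact.
    weight = Decimal(str(raw))
    if not (Decimal("0") <= weight <= Decimal("1")) or weight % STEP != 0:
        raise ValueError(f"weight {raw!r} is not a 0.0-1.0 slider step")
    return weight

def summarize(factors: list[dict]) -> dict:
    """Rebuild the top panel: enabled count, level distribution, overall risk."""
    distribution = {"High": 0, "Medium": 0, "Low": 0}
    weights = []
    for factor in factors:
        if factor["name"] not in KNOWN_FACTORS:
            raise ValueError(f"unknown factor {factor['name']!r}")
        weight = parse_weight(factor["weight"])  # validate disabled ones too
        if factor["enabled"]:  # disabled factors are excluded from the score
            weights.append(weight)
            distribution[impact_level(weight)] += 1
    if not weights:  # nothing enabled: there is no average to classify
        return {"total": 0, "distribution": distribution, "overall": None}
    average = sum(weights) / len(weights)
    return {"total": len(weights), "distribution": distribution,
            "overall": impact_level(average), "average": average}

# Constructed sample configuration (hypothetical values).
SAMPLE = [
    {"name": "ENTITLEMENT_SENSITIVITY", "enabled": True, "weight": 0.9},
    {"name": "ENTITLEMENT_ORIGIN", "enabled": True, "weight": 0.3},
    {"name": "ENTITLEMENT_LIFETIME", "enabled": False, "weight": 1.0},
    {"name": "APPROVAL_PATH", "enabled": True, "weight": 0.7},
    {"name": "UAR_AWARENESS", "enabled": True, "weight": 0.9},
]
print(summarize(SAMPLE))
```

In the sample, the disabled `ENTITLEMENT_LIFETIME` factor does not count toward the total or the average, and the four enabled weights average exactly 0.7, which lands on the High boundary.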

