# Risk Formulas (draft outline)

> Draft scaffold; fill once 66-003/66-004 inputs (engine rollout notes + factor contract) are available. Keep math examples deterministic with fixed fixtures.

## Purpose

- Describe how normalized factors combine into a 0–100 risk score with severity bands.
- Capture gating, weighting, normalization, and override rules.

## Scope & Audience

- Audience: risk engineers, policy authors, auditors.
- In scope: weighting strategies, aggregation functions, severity thresholds, gating rules, tie-breakers.
- Out of scope: full API payloads (see `api.md`), factor definitions (see `factors.md`).

## Formula Building Blocks (to fill)

- Weighted sum / capped contribution
- Max/min guards per factor family
- Threshold gates (e.g., block if exploitability + reachability high)
- Decay/time weighting
- Tenant/asset overrides and imposed rules

## Severity Mapping (outline)

- Proposed bands (example placeholder):
  - Critical: 90–100
  - High: 70–89
  - Medium: 40–69
  - Low: 1–39
  - Info: 0
- Final bands pending governance approval; update once PLLG0104 confirms.

## Determinism

- Stable ordering of factors before aggregation.
- Use fixed precision (e.g., 4 decimals) before severity mapping.
- Hash fixtures and record SHA256 for every example payload.

Interim notes: mirror legacy rule — simulation and production must share the exact evaluation codepath; no per-environment divergences. Severity buckets must be deterministic and governed by Authority scopes.

## Examples (placeholders)

- TBD sample JSON: input factors + output score + contributions table.
- TBD CLI/Console screenshots once telemetry assets provided.

## Open Items

- Engine rollout notes for gating/weighting defaults
- Severity band approval
- Sample payloads and UI traces

## References

- `docs/risk/overview.md`
- `docs/risk/profiles.md`
- `docs/risk/factors.md`
- `docs/risk/api.md`
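Added worked example (not the engine's code) showing how the building blocks, the placeholder severity bands and the determinism rules above fit together in one evaluation path: capped weighted sum, a threshold gate on exploitability + reachability, 4-decimal quantization before banding, sorted factor order, and a SHA256 over the canonical fixture. The factor names, weights, caps and the 0.8 gate threshold are assumptions; the page's defaults are still pending.

```python
import hashlib
import json
from decimal import Decimal, ROUND_HALF_EVEN

# Hypothetical factor contract: names, weights and per-family caps (page defaults are TBD).
WEIGHTS = {"exploitability": 35, "reachability": 30, "impact": 25, "exposure_age": 10}
CAPS = {"exposure_age": 5}           # max guard: this family contributes at most 5 points
BANDS = [(90, "Critical"), (70, "High"), (40, "Medium"), (1, "Low"), (0, "Info")]
GATE = Decimal("0.8")                # assumed: block when exploitability and reachability >= 0.8
# Constructed fixture; keys deliberately not in sorted order.
FIXTURE = {"reachability": 0.85, "exploitability": 0.9, "exposure_age": 1.0, "impact": 0.5}

def quantize(x: Decimal) -> Decimal:
    # Fixed precision (4 decimals) before severity mapping, per the Determinism section.
    return x.quantize(Decimal("0.0001"), rounding=ROUND_HALF_EVEN)

def severity(score: Decimal) -> str:
    # Bands are ordered by descending floor; first match wins.
    for floor, name in BANDS:
        if score >= floor:
            return name
    return "Info"

def evaluate(factors: dict) -> dict:
    contributions = {}
    total = Decimal(0)
    # Stable ordering: iterate sorted factor names, never input order.
    for name in sorted(factors):
        if name not in WEIGHTS:
            raise ValueError(f"unknown factor {name!r}")
        value = Decimal(str(factors[name]))
        if not (0 <= value <= 1):
            raise ValueError(f"factor {name!r} is not normalized to [0, 1]")
        contrib = value * WEIGHTS[name]
        if name in CAPS:                         # capped contribution
            contrib = min(contrib, Decimal(CAPS[name]))
        contributions[name] = quantize(contrib)
        total += contributions[name]
    expl = Decimal(str(factors.get("exploitability", 0)))
    reach = Decimal(str(factors.get("reachability", 0)))
    blocked = expl >= GATE and reach >= GATE     # threshold gate
    score = quantize(min(max(total, Decimal(0)), Decimal(100)))
    canonical = json.dumps(factors, sort_keys=True, separators=(",", ":")).encode()
    return {"score": str(score), "severity": severity(score), "blocked": blocked,
            "contributions": {k: str(v) for k, v in contributions.items()},
            "fixture_sha256": hashlib.sha256(canonical).hexdigest()}

if __name__ == "__main__":
    print(json.dumps(evaluate(FIXTURE), indent=2))
```

Because both ordering and hashing are canonicalized, re-running the same fixture from any environment yields byte-identical output, which is what the shared simulation/production codepath rule requires.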