Calculation Reference
Detailed formulas and logic behind Velnoro's health scores, risk tiers, governance coverage, and other metrics.
This page documents how Velnoro calculates the metrics you see across dashboards, reports, and governance views. All metrics update automatically each time a scan completes.
Health Score
Every asset receives a health score from 0 to 100. The score is the sum of four independent factors:
| Factor | Max Points | How It Works |
|---|---|---|
| Owner Attribution | 30 | 30 points if the asset has an identified owner; 0 if orphaned. |
| Freshness | 30 | Based on time since last modification: 30 pts (under 30 days), 20 pts (31 to 90 days), 10 pts (91 to 180 days), 0 pts (over 180 days). Falls back to creation date if no modification date is available. |
| State | 20 | Active states (started, published, on, enabled, active): 20 pts. Draft states (stopped, draft, off, disabled, paused): 10 pts. Suspended or unknown: 0 pts. |
| AI Presence | 20 | No AI connectors: 20 pts. AI connectors present and all covered by allowed policies: 20 pts. AI connectors present but not fully covered: 10 pts. |
Health Tiers:
- Healthy (green): score of 71 or above
- Needs Attention (amber): score between 41 and 70
- At Risk (red): score of 40 or below
Program Health (shown on the dashboard) is the average health score across all scored assets, rounded to the nearest integer.
Governance Coverage
Governance coverage measures the percentage of assets that meet all three criteria simultaneously:
- Has an active owner (owner_id is not null)
- No policy violations (the asset does not use any restricted or blocked connectors)
- In a managed environment (the environment is marked as managed in your environment settings)
Formula: (governed assets / total assets) * 100, rounded to the nearest integer.
An asset missing any one of these criteria is considered ungoverned. For example, an asset with an owner and no violations but in an unmanaged environment does not count as governed.
Risk Tier Classification
Risk tiers classify assets by governance priority. Lower tier number = higher criticality (following Microsoft convention):
| Tier | Classification | Governance Burden |
|---|---|---|
| T1 | Enterprise / Critical | Highest: requires regular review, formal approval, compliance tracking |
| T2 | Departmental | Moderate: periodic review, documented ownership |
| T3 | Personal / Team | Lightest: self-service, standard policies apply |
How tiers are assigned:
The system evaluates multiple signals and assigns the most critical (lowest number) tier:
- T1 signals: Production environment with policy violations, orphaned assets with violations, production and orphaned combination, production with health score below 40.
- T2 signals: Any production environment asset (floor for all production assets), non-production with violations, orphaned non-production, stale active assets (not modified in 90+ days but still active/published), non-production with health score below 40.
- T3 (default): All other assets that do not trigger T1 or T2 signals.
Risk tiers can be manually overridden. When an override is active, the auto-calculated tier is still shown for reference.
Review Cadence Metrics
These metrics track progress through the governance review pipeline:
- Review Completion Rate: Percentage of tracked assets that have received at least one review decision (approved, rejected, needs work, or in review). Formula:
((total tracked - unreviewed) / total tracked) * 100, rounded. - Unreviewed Assets: Count of assets still in the
unreviewedstate (no review decision has been made). - Changed Since Review: Count of previously reviewed assets whose metadata has changed since the last review. These are flagged for re-review because the underlying asset may no longer match what was originally approved or rejected.
Re-review triggers are based on metadata hash comparison (see Change Detection below).
Change Detection
Velnoro detects changes between scans by comparing a deterministic hash of each asset's metadata:
Hashed fields:
- Display name
- State (active, draft, etc.)
- Owner ID
- Asset type
- Environment ID
- AI connectors (sorted for order-independence)
- Last modification date
The hash is computed using SHA-256 over a normalized JSON representation. Null values are converted to empty strings for consistency.
Two uses:
- Scan-to-scan diff: Assets present in both the current and previous scan whose hash differs are counted as "modified."
- Review staleness: When a reviewer approves or rejects an asset, the current hash is stored. If a later scan produces a different hash, the asset is flagged as "changed since review."
KPI Snapshot Fields
Each completed scan produces a KPI snapshot that captures the state of your tenant at that point in time. These snapshots power trend sparklines and delta comparisons.
| Field | Description |
|---|---|
| Total Assets | Count of all discovered apps, flows, agents, and scenarios. |
| Environments | Number of distinct environments discovered during scanning. |
| Active Builders | Count of unique people identified as asset owners. |
| Program Health | Average health score across all scored assets (0 to 100). |
| Orphaned Assets | Assets with no identified owner. |
| Stale Assets | Assets not modified in the last 90 days. |
| AI-Enabled Assets | Assets using AI connectors (Copilot, AI Builder, OpenAI, etc.). |
| Governance Coverage | Percentage meeting all three governance criteria (owned, compliant, managed). |
| Health Distribution | Count of assets in each tier: Healthy, Needs Attention, At Risk, Unscored. |
| Added / Modified / Removed | Asset changes detected since the previous scan. |
| Review Completion Rate | Percentage of tracked assets with a review decision. |
| Unreviewed Count | Assets awaiting first review. |
| Changed Since Review | Previously reviewed assets with metadata changes. |
Hover over any metric on the dashboard for a quick explanation via the info icon tooltip.