Menu

KCM GRC Risk Management: Overview

Avatar
Lauren Ashley
Updated
Follow

Risk Management Module: Overview and Risk Components

Risk Management is a module within the KnowBe4 KCM Governance, Risk, and Compliance (GRC) platform that is available to Gold and Platinum subscriptions. This feature is designed to simplify the processes of identifying, assessing, monitoring, and mitigating the various risks faced by your organization. 

This article provides an overview of the concepts and areas of the console you’ll become familiar with when working in KCM GRC’s Risk Management module.

Jump To:
Additional Resources
Risk Wizard
Risk Register
Risk Dashboard
Risk Templates
Components of KCM GRC Risk Items
-Risk Likelihood and Impact
-Inherent Risk Score, Treatment Score, and Residual Risk Score

Additional Resources 

Back to Top

Risk Wizard

As a best practice, we recommend beginning using our Risk Wizard tool. It offers a streamlined approach to identifying and adding the necessary Risks to your account. See our Risk Wizard guide for more information. 

Back to Top

Risk Register

The Risk Register is the central location of your Risk Management module. It contains all of the Risks that have been identified and added to your console. From here you can add new Risks and update your existing Risks. See our Risk Register guide for details on all of the capabilities in the Risk Register.  

Back to Top

Risk Dashboard

The Risk Dashboard provides an overview of your Risk Management processes in KCM GRC. Here you'll find interactive graphs and a list of the greatest Risks currently faced by your organization. See our Risk Dashboard guide for details.

Back to Top

Risk Templates

The Risk Templates area is a master repository for all Risks. It includes the Risks you've uploaded or added to your account, as well the Risks included in our Master Risk Repository. See more information in our Risk Templates guide.

Back to Top

Components of KCM GRC Risk Items

When working in KCM GRC's Risk Management module, there are a few important Risk components that help you better understand the spectrum of risks faced by your organization.

Properly using the following components will increase the efficiency of your risk management process. See the sections below for details. 

Risk Likelihood and Impact

Each Risk added to your account should be assigned a measure of Likelihood and Impact.

  • Likelihood - A rate of probability or chance that a risk will impact your organization.
    KCM GRC offers five states of Likelihood: Rare, Unlikely, Reasonably Possible, Likely, or Almost Certain.
  • Impact - The rate of the effect a risk would impose on your organization, should it occur.
    KCM GRC offers five states of Impact: Low, Minor, Moderate, Major, Catastrophic.

See the table below for KCM GRC's description of each measure of Likelihood and Impact, and the scores of each. These scores determine Inherent Risk Scores. See the next section for more information on Inherent Risk Scores.
For details about KnowBe4's process for developing KCM GRC's risk management scoring scale, please see: KCM GRC: Risk Likelihood and Impact Scoring.

Likelihood Description Score Impact Description Score
Rare Chance of occurrence: 5% Low If the risk occurred it would cause a less than minor mission, system, or program degradation.    1
Unlikely Chance of occurrence: 5% - 9% Minor If the risk occurred it would cause only a small cost and schedule increase; requirements could still be achieved.
Reasonably Possible Chance of occurrence: 10% - 19% Moderate If the risk occurred it would cause moderate costs and schedule increases; important requirements could still be met.  
Likely Chance of occurrence: 20% - 49%  8 Major If the risk occurred it would cause major cost and schedule increases; secondary requirements may not be achieved.  
Almost Certain Chance of occurrence: more than 50%  13 Catastrophic If the risk occurred it would cause a complete program, system or mission failure; minimum acceptable requirements could not be met. 13 

 

Inherent Risk Score, Treatment Score, and Residual Risk Score

Collectively, Inherent Risk Scores, Treatment Scores, and Residual Risk Scores are used to help you understand the spectrum of natural or inherent risks faced by your organization–both before and after making efforts to reduce risks. 

  • Inherent Risk Score - The measure a Risk imposes without controls being taken into consideration. Inherent Risk Score is determined by Risk Likelihood and Impact. 

Likelihood x Impact = Inherent Risk Score

KCM GRC's Inherent Risk Scores range from 1–169, depending on Risk Likelihood and Impact values. Therefore, you must configure the Likelihood and Impact of your organization's Risks. If the Likelihood and Impact are not established for a Risk, the Inherent Risk Score will default to "1".

Inherent Risk Scores should be used as benchmark ratings compared against Residual Risk Scores. Residual Risk Scores are influenced by the "strength" or the "weight" of the Controls put in place for your Risks. Use Treatment Scores to specify a "strength" or "weight" for each of your Controls, as explained below.

  • Treatment Score - A "weight" or measure of adequacy for each Control put in place for your organization's Risks.

Your Risk Management team will need to determine an approach for measuring the "weight" or adequacy of your organization's Controls. This measurement scale will serve as the Treatment Score scale for your Controls. The Treatment Score scale ranges from 1–168, where a Treatment Score of 168 would be the highest probability of completely mitigating a Risk. Note that a Treatment Score cannot be greater than the Inherent Risk Score of the associated Risk. 

  • Residual Risk Score - The measure of Risk remaining after Controls are taken into consideration. Residual Risk Score is determined by Treatment Score.

Inherent Risk Score - Risk Treatment Score = Residual Risk Score

Residual Risk Scores provide insight into the amount of risk your organization faces after making efforts to reduce natural or inherent risks. Note that a Residual Risk Score can never be less than "1".

Back to Top

 

Have more questions? Submit a request

Comments

0 comments

Article is closed for comments.

Related articles