Risk Management Module: Overview and Risk Components
Risk Management is a module within the KnowBe4 KCM Governance, Risk, and Compliance (GRC) platform that is available to Gold and Platinum subscriptions. This feature is designed to simplify the processes of identifying, assessing, monitoring, and mitigating the various risks faced by your organization.
This article provides an overview of the concepts and areas of the console you’ll become familiar with when working in KCM GRC’s Risk Management module.
Components of KCM GRC Risk Items
-Risk Likelihood and Impact
-Inherent Risk Score, Treatment Score, and Residual Risk Score
- KCM GRC Risk Management: Risk Wizard
- KCM GRC Risk Management: Risk Register
- KCM GRC Risk Management: Risk Dashboard
- KCM GRC Risk Management: Risk Templates
As a best practice, we recommend beginning using our Risk Wizard tool. It offers a streamlined approach to identifying and adding the necessary Risks to your account. See our Risk Wizard guide for more information.
The Risk Register is the central location of your Risk Management module. It contains all of the Risks that have been identified and added to your console. From here you can add new Risks and update your existing Risks. See our Risk Register guide for details on all of the capabilities in the Risk Register.
The Risk Dashboard provides an overview of your Risk Management processes in KCM GRC. Here you'll find interactive graphs and a list of the greatest Risks currently faced by your organization. See our Risk Dashboard guide for details.
The Risk Templates area is a master repository for all Risks. It includes the Risks you've uploaded or added to your account, as well the Risks included in our Master Risk Repository. See more information in our Risk Templates guide.
Components of KCM GRC Risk Items
Properly using the following components will increase the efficiency of your risk management process. See the sections below for details.
Risk Likelihood and Impact
Each Risk added to your account should be assigned a measure of Likelihood and Impact.
- Likelihood - A rate of probability or chance that a risk will impact your organization.
KCM GRC offers five states of Likelihood: Rare, Unlikely, Reasonably Possible, Likely, or Almost Certain.
- Impact - The rate of the effect a risk would impose on your organization, should it occur.
KCM GRC offers five states of Impact: Low, Minor, Moderate, Major, Catastrophic.
See the table below for KCM GRC's description of each measure of Likelihood and Impact, and the scores of each. These scores determine Inherent Risk Scores. See the next section for more information on Inherent Risk Scores.
For details about KnowBe4's process for developing KCM GRC's risk management scoring scale, please see: KCM GRC: Risk Likelihood and Impact Scoring.
Inherent Risk Score, Treatment Score, and Residual Risk Score
Collectively, Inherent Risk Scores, Treatment Scores, and Residual Risk Scores are used to help you understand the spectrum of natural or inherent risks faced by your organization–both before and after making efforts to reduce risks.
- Inherent Risk Score - The measure a Risk imposes without controls being taken into consideration. Inherent Risk Score is determined by Risk Likelihood and Impact.
Likelihood x Impact = Inherent Risk Score
KCM GRC's Inherent Risk Scores range from 1–169, depending on Risk Likelihood and Impact values. Therefore, you must configure the Likelihood and Impact of your organization's Risks. If the Likelihood and Impact are not established for a Risk, the Inherent Risk Score will default to "1".
Inherent Risk Scores should be used as benchmark ratings compared against Residual Risk Scores. Residual Risk Scores are influenced by the "strength" or the "weight" of the Controls put in place for your Risks. Use Treatment Scores to specify a "strength" or "weight" for each of your Controls, as explained below.
- Treatment Score - A "weight" or measure of adequacy for each Control put in place for your organization's Risks.
Your Risk Management team will need to determine an approach for measuring the "weight" or adequacy of your organization's Controls. This measurement scale will serve as the Treatment Score scale for your Controls. The Treatment Score scale ranges from 1–168, where a Treatment Score of 168 would be the highest probability of completely mitigating a Risk. Note that a Treatment Score cannot be greater than the Inherent Risk Score of the associated Risk.
- Residual Risk Score - The measure of Risk remaining after Controls are taken into consideration. Residual Risk Score is determined by Treatment Score.
Residual Risk Scores provide insight into the amount of risk your organization faces after making efforts to reduce natural or inherent risks. Note that a Residual Risk Score can never be less than "1".