Risk Management is a module in the KCM Governance, Risk, and Compliance (GRC) platform that is available to Gold and Platinum subscriptions. This feature is designed to simplify the processes of identifying, assessing, monitoring, and mitigating the various risks faced by your organization. See our Risk Management Overview article for an introduction to risk management with KCM GRC.
The Risk Register is the central location for managing risks in your KCM GRC account. The following tasks can be carried out through the Risk Register area of your console:
- Create new risks identified by your organization
- View risks you've created, imported, or added to your account from the Master Risk Repository
- Edit and update risks, including determining the Likelihood and Impact of your risks
See the following sections to learn more.
Risks by Category
You can add risks to any of the five categories in the Risk Register. Risks added from the Master Risk Repository while using the Risk Wizard will be automatically added to the appropriate category. For more information on the Risk Wizard, please see our Risk Wizard guide, found here.
- The warning banner will display throughout the Risk Management module whenever you've added risks to your account without determining their Likelihood and Impact. This will be the case if you've added risks using the Risk Wizard or if you've imported risks to your account using a CSV file. The banner is a reminder of the importance of assessing the Likelihood and Impact of your risks. See here for more information about measuring Likelihood and Impact in your KCM GRC account.
- Click the Export Risks button to export a CSV file of all risks in your Risk Register.
- Click the Import Risks button to upload risks with a CSV file. See the Import Risks section below for more information.
- Click the Add New Risk button to create a custom risk or to add a risk from the Master Risk Repository.
- Use the Search by Risk Name... search bar to locate a risk using a keyword from the risk name. Once you've entered a keyword, the number of applicable results will display in the category count on the far right side of each category. Expand the category or categories to see the risks containing the keyword(s) you're searching for.
- Use the Search by tag... searchable drop-down menu to locate the risk(s) that you've tagged with a custom tag you've created in your Risk Settings. Learn more about risk tags in the Create Individual Risks section below. See this section of our Managing Account Settings article to learn how to create risk tags.
Once you've selected a tag, the number of applicable risks will display in the category count on the far right side of each category.
- Use the Display Only Risks that Need Attention checkbox to only show the risks that need to be assessed and updated with the appropriate Likelihood and Impact.
- The title of each risk category is displayed next to the expand/collapse arrows. The Risk Register is pre-populated with six categories that correlate with the Risk Wizard.
- This number represents the number of risks in the category. If you type a term in the search bar or select a tag from the drop-down menu, this will change to represent the number of applicable results, as described in numbers five and six, above.
- The warning symbol signifies the number of risks in this category that need to be assessed and updated with appropriate Likelihood and Impact.
Expand the category accordions to see the risks in each category and the details of individual risks, as explained below.
Use the expand arrows next to risk names to view and edit the risk details (including risk Likelihood and Impact ratings).
- Use the Search by Risk Name... search bar to search for risk names by keyword.
- Risk ID: The ID signifies the order in which the risk was added to your Risk Register. By default, risks are ordered by Risk ID within categories.
- Risk Name: The title assigned to a Risk you've created or imported, or the title of a risk from our Master Risk Repository. Sorting by this column will alphabetically order the risks in this category.
- Controls: The number of controls you've added for the risk. See the Creating and Mapping Risk Controls section below for more information about creating risk controls. Sorting by this column will sort the risks by the number of controls that have been added to the risks.
- Likelihood: A measure of how likely a risk is to occur. See here for more information on measuring risk likelihood. Sorting by this column orders the risks alphabetically by their Likelihood rating.
- Impact: A measure of the impact that a risk would cause if it were to occur. See here for more information on measuring risk impact.
- Inherent Score: Calculated from risk Likelihood and Impact. For more information on Inherent Risk Score, see this article.
- Residual Score: Calculated from Inherent Risk Score and the Treatment Score assigned to the risk's control(s). See here for more information about the risk's Residual Score.
- Use the Description field to add or edit a risk description.
- Use the slider bars to determine the appropriate Likelihood and Impact of the risk.
- Inherent Risk Score is determined by Likelihood and Impact. See this article for more information on Risk Scores.
- You can optionally select a Risk Status for your risk to track the progress of mitigation efforts.
- Risk Tags can be used to better organize, find, and sort your risks. See the Create Individual Risks section below for more information on tags.
- Click the Save button after you've made any changes.
We recommend using the Risk Wizard when you're getting started with the Risk Management module in your KCM GRC account. See our Risk Wizard guide for details. Your alternative options for adding Risks are to import Risks in bulk or to create risks individually.
If your organization has already identified its applicable risks, you can quickly add them to your KCM GRC account by importing a CSV file.
- Prepare a CSV for import. The CSV may begin with a header line containing the two column names, name and description.
Risk CSVs are allowed a maximum of 5,000 rows of data.
Note: If you are using Excel, your CSV must be saved in the CSV UTF-8 format.
- From the Risk Register page (Risk Management > Risk Register) click the Import Risks button.
- Click the Click to Upload button and select your CSV.
If you'd like, you can review or delete the risks before importing them, as shown below.
- Click the Save Imported Risks button to import your risks to the console.
Note: By default, imported risks will fall under the Custom category in your Risk Register. See the Viewing and Editing Risks section of this article if you'd like to change a risk's category.
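Because an import that fails on encoding or column layout only surfaces after the upload, it is worth checking the file locally first. The following validator is an added example (it is not part of KCM GRC and not the platform's own import logic); it applies the rules stated above as assumptions: an optional name,description header, two columns per row, a non-empty name, and at most 5,000 data rows. It also handles the one Excel-specific detail that trips people up: Excel's "CSV UTF-8" format writes a byte-order mark at the start of the file, which a plain UTF-8 decode would leave attached to the first column name. The sample CSV bytes are constructed for the example.

```python
import csv
import io
import itertools
from typing import Optional

# Limits taken from the import instructions above; treated here as assumptions,
# since the platform's own checks are not documented on this page.
MAX_ROWS = 5000
EXPECTED_HEADER = ["name", "description"]

# Constructed sample, laid out the way Excel's "CSV UTF-8" format writes it:
# a UTF-8 byte-order mark, CRLF line endings, and a trailing blank line.
SAMPLE_CSV = (
    b"\xef\xbb\xbfname,description\r\n"
    b"Ransomware on file servers,\"Encryption of shared drives, halting operations\"\r\n"
    b"Hurricane damage to HQ,Loss of the primary office for more than 5 days\r\n"
    b"\r\n"
)


def parse_risk_csv(raw: bytes, max_rows: int = MAX_ROWS) -> list:
    """Decode and validate a risk import CSV, returning its rows as dicts.

    Raises ValueError for any condition that would make the upload fail or
    import the wrong data (bad encoding, wrong column count, empty name,
    too many rows).
    """
    # utf-8-sig strips the BOM that Excel prepends; plain utf-8 would
    # yield "\ufeffname" as the first header and break header detection.
    try:
        text = raw.decode("utf-8-sig")
    except UnicodeDecodeError as exc:
        raise ValueError(f"file is not UTF-8 encoded: {exc}") from exc

    reader = csv.reader(io.StringIO(text))
    first = next(reader, None)
    if first is None:
        raise ValueError("CSV is empty")

    # The header line is optional: consume it only if it really is one.
    if [f.strip().lower() for f in first] == EXPECTED_HEADER:
        data_rows, first_line_no = reader, 2
    else:
        data_rows, first_line_no = itertools.chain([first], reader), 1

    rows = []
    for line_no, fields in enumerate(data_rows, start=first_line_no):
        if not any(f.strip() for f in fields):
            continue  # blank line, typically left at the end by Excel
        if len(fields) != len(EXPECTED_HEADER):
            raise ValueError(
                f"line {line_no}: expected {len(EXPECTED_HEADER)} columns, got {len(fields)}"
            )
        name, description = (f.strip() for f in fields)
        if not name:
            raise ValueError(f"line {line_no}: risk name is empty")
        rows.append({"name": name, "description": description})
        if len(rows) > max_rows:
            raise ValueError(f"CSV exceeds the {max_rows}-row limit")
    return rows


def validate_risk_csv(raw: bytes, max_rows: int = MAX_ROWS) -> Optional[str]:
    """Return None if the CSV is importable, otherwise the first problem found."""
    try:
        parse_risk_csv(raw, max_rows)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    for row in parse_risk_csv(SAMPLE_CSV):
        print(row["name"], "->", row["description"])
    print("problems:", validate_risk_csv(SAMPLE_CSV))
```

Run the script against your own file by replacing SAMPLE_CSV with the bytes read from disk; a None result from validate_risk_csv means the file satisfies every rule listed above, and the rows returned by parse_risk_csv are what the console should receive. The row-limit check counts data rows only, so a header line does not consume one of the 5,000.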
Create Individual Risks
From the Risk Register page (Risk Management > Risk Register) click the Add New Risk button.
Specify the risk details from the Quick Add page (shown below). These are the minimum details necessary for creating a new risk. You can add additional risk information by clicking the Details button, as explained below.
- Search Master Risk List?: Enable this slider button if you'd like to add a risk from our Master Risk Repository. Once clicked, the Search Master Risk List search field will appear and you can use keywords to find applicable risks included in the Master Risk Repository.
For more information on our Master Risk Repository, see our Risk Wizard guide.
- Risk Name: Give your risk a descriptive title that represents the scope of what the Risk poses to your organization.
- Risk Status: Selecting a status for your risk is recommended. Risk Status offers insight into the state of the risk and what efforts (if any) can be made toward managing it, whether that is mitigation, acceptance, or transference of the risk.
The Risk Status options are outlined in the table below.
| Risk Status | Description |
|---|---|
| Avoidance | Changing plans, parameters, strategies, etc. to avoid the risk. |
| Mitigation | Taking actions to reduce the probability and impact of the risk's occurrence. |
| Transfer | Moving the risk to an alternative party that is best fit to manage it. |
| Acceptance | Acknowledging the risk as is, typically when the risk's Likelihood and/or Impact are within your organization's range of risk tolerance. |
| Triggered | Indicating that an event has taken place, causing the risk to occur. |
| Closed | Indicating that the risk is no longer being managed. This is typically used after a risk is completely eliminated. |
| Other | Indicating a risk status that does not fit into the options above. |
- Tag(s): Your KCM GRC Risk Management platform offers custom tagging features. You can create custom tags and assign them to the applicable risks. Tags can have a maximum of 25 characters.
- Likelihood: Determine the likelihood of the risk occurring. This variable will impact your Inherent Risk Score. See here for more information on Likelihood and risk management with KCM GRC.
- Impact: Determine the measure of impact that the risk would cause to your organization. This variable will impact your Inherent Risk Score. See here for more information on measuring risk impact in KCM GRC.
- Inherent Risk Score: This number will automatically recalculate as you change the Risk Likelihood and Impact. See our Risk Scoring article for more information.
- Add Another (checkbox): If you're satisfied with including only the "quick add" risk details, you can click this checkbox before clicking the Create button to instantly "quick add" another risk. Deselect this checkbox if you want to add more details to your risk.
- Create: Click this button to create the risk and add it to your Risk Register with only the "quick add" details.
- Details: Click this button to add additional details to your risk, as outlined below:
- Description: Describe the threat that the risk poses to your organization, including the physical location(s), systems, employees, third parties, processes, etc., that would be involved if the event were to occur.
- Consequences: Describe the potential outcomes of the risk occurring, including the physical location(s), systems, employees, third parties, processes, etc., that would be impacted.
- Category: Select the category in which you want the risk to reside in your Risk Register. Choose between Business & Strategic, Environmental & Natural, Financial, Operational & Infrastructure, Compliance, or Custom.
- Subcategory: The set of subcategories will differ depending on which category you've selected. Please see the tabs below for a list of each category's subcategories. Note that there are no subcategories for the Custom category.
- Save: Click the Save button to save the risk details and add it to your Risk Register.
Risk Categories and Subcategories
- Technological & Obsolescence
- Product Recall
- Negative Publicity
- Hurricanes & Tornadoes
- High Winds
- Plate Tectonics
- Building Strength
- Radioactive Decay
- Ground Water
- Sea Level
- Coastal Erosion
- Systems & Equipment
- Legal & Compliance
- External Events
- Business Processes
- Workplace Health & Safety
- Corrupt Practice
- Social Responsibility
Viewing and Editing Risks
You can view or update your risks from your Risk Register. Follow the steps below:
- Navigate to the Risk Register by clicking Risk Management > Risk Register from the navigation panel on the left-hand side.
- To find a particular risk, use the search field to search for keywords in the risk name. You can either search all of your risks or expand a category to search for risks within that category.
- Click on the risk's name to open the View Risk page. Here you'll see all of the details included for the risk, as shown below.
- To edit risk details, click the Update button at the top-right of the View Risk page.
Tip: You will need to update your risks in order to assign the proper Likelihood and Impact measures as part of the onboarding process of managing risks with KCM GRC.
Each risk includes a risk severity icon based on its Inherent Risk Score. See the table below for icon details.
| Icon | Risk Severity | Inherent Risk Score |
|---|---|---|
Creating and Mapping Risk Controls
In your KCM GRC platform, you will use controls to document the preventative measures your organization takes as part of an effective risk management plan. You can create controls for your risks, or you can map your existing compliance controls to the risks in your Risk Management module.
To create or map a control to a risk, find the desired risk in your Risk Register and click the risk's name to open the View Risk page. The Controls panel is located at the bottom of this page.
Use the Create Control button to add a new control for the risk.
Add a control Name and Description to define your control. Control Descriptions are included in the reminder emails that are sent to the users who are responsible for completing control tasks. For more information about controls and control tasks, see this article: How Do I Create Control Tasks?
The Risk Treatment Score is a numerical representation of how adequate (or sufficient) the control is for preventing the risk. The Risk Treatment Score determines the Residual Risk Score. See our Risk Scoring article for more information about Risk Treatment Scores and Residual Risk Scores.
To create a task for the new control, click the Create & Assign Control button. If you'd rather add a control task at a later time, click the Create Control button, instead. For more information about assigning tasks for controls, see: How Do I Create Control Tasks?
In your KCM account, you may already have controls in place for your compliance efforts that will also assist in monitoring or preventing your organization's risks.
If you'd like to map an existing control to your risk, click the Map to Control button in the Controls panel of the View Risk page (shown above). Then, follow the steps below.
- Use the search bar at the top-left of the page to search for the control. You can search for keywords that are in the control's name.
- Once you find the control you need, click the green button in the far-right column to map it to the risk. You will be prompted to enter a Treatment Score (T. Score) for the control. See here for more information about Treatment Scores.
- Using the field in the T. Score column, enter an appropriate Treatment Score for the control. The Risk Treatment Score is a numerical representation of how adequate (or sufficient) the control is for preventing the risk.
Note: The control's Treatment Score determines the risk's Residual Risk Score. See our Risk Scoring article to learn more.
- Use the checkmark button to save the Treatment Score.
- Click the Done button once you've finished mapping the Control(s) to your Risk.
Tip: If you need to unmap a control from the risk, use the red button(s) in the Is Mapped column.
If you'd like to add a new task for your risk's control, click on the control's name from the View Risk page. From the View Control page, use the New One Time button shown below. See this article for more information on creating tasks and assigning controls.