Risk Management Module

How to Use Your Risk Register

The KCM GRC Risk Management module includes the Risk Register, which is a central location where you can manage risks. In your Risk Register, you can add new risks that your organization identifies, view the risks that you've created, assign Likelihood and Impact to risks, and export a CSV file of your risks.

You can navigate to your Risk Register by selecting the Risk Register tab from your navigation panel. For general information about the Risk Management module, see our Risk Management Module Guide.

For more information about your Risk Register, see the sections below:

Using the Risk Register Page

To learn about the actions you can perform and the items you can view from your Risk Register, see the screenshot and list below:

  1. Add New Risk: Click this button to create an individual risk or to add a risk from the Master Risk Repository. For more information, see the Creating Individual Risks section below.
  2. Import Risks: Click this button to import risks with a CSV file. For more information, see the Importing Risks section below. 
  3. View All Risks: Click this button to view all risks in your Risk Register.
  4. Search bar: Use this search bar to search for a risk's name or description. 
  5. Filter: Use this drop-down menu to filter your Risk Register by affected asset, category, number of controls, and more.
  6. Export CSV: Click this button to export a CSV file of the risks in your Risk Register. For more information, see the Exporting Risks section below.
  7. Category: View the name of each category. You can also click a category to view the risks in that category.
    Tip: You can create additional, custom categories in the Risk Settings section of your Account Settings. For more information, see the Creating Custom Categories section below.
  8. # items need to be updated: This label displays the number of risks in each category that need to be updated for likelihood and impact. If you narrowed your risks by using the search bar or filters, this number will change to represent the number of results in each category.
    Note: When you add risks by using the Risk Wizard or importing risks, the risks will be added without a Likelihood or Impact. Therefore, those risks will be included in this count.

Risk Categories and Subcategories

Your Risk Register automatically includes six categories, including a Custom category. When you add risks to your Risk Register, you can select a category and subcategory to add the risk to.

To learn about the subcategories under each category in your Risk Register, select a category from the tabs below:

  • Commercial
  • Reputation
  • Stakeholder
  • Technological & Obsolescence
  • Lawsuit
  • Product Recall
  • Negative Publicity
  • Hurricanes & Tornadoes
  • High Winds
  • Plate Tectonics
  • Earthquake
  • Building Strength
  • Asteroids
  • Volcanoes
  • Radioactive Decay
  • Radiation
  • Asbestos
  • Ground Water
  • Sea Level
  • Coastal Erosion
  • Credit
  • Insurance
  • Pension
  • Market
  • People
  • Systems & Equipment
  • Legal & Compliance
  • Security
  • Project
  • External Events
  • Business Processes
  • Environmental
  • Workplace Health & Safety
  • Corrupt Practice
  • Social Responsibility
  • Quality
  • Process

Creating Custom Categories

In addition to the six default categories in your Risk Register, you can also add custom categories that fit your organization's unique risk management initiatives. You can assign a name and description to each custom category that you create.

To learn how to add custom categories to your account, see the Risk Settings section of our How to Manage Your KCM GRC Account Settings article. After you create a custom category, you can add the risks in your Risk Register to the custom category. 

Note: Your custom categories will not display in the Risk Wizard.

Adding Risks to Your Risk Register

We recommend that you start adding risks by using our Risk Wizard tool. For more information, see our How to Use the Risk Wizard article.

You can also add custom risks by importing risks in bulk, creating risks individually, or creating risks for vendors. For more information about each of these methods, see the subsections below.

Tip: After you add risks to your Risk Register, we recommend using controls to document the preventative measures that your organization is taking towards risks. For more information, see our How to Create and Map Risk Controls article.

Importing Risks with a CSV File

If your organization has already identified its applicable risks, you can quickly add them to your account by importing a CSV file. For more information, see our How Do I Import Risks into My Risk Register with a CSV File? article.

Creating Individual Risks 

To create an individual risk, follow the steps below:

  1. Log in to your KCM GRC platform.
  2. From your navigation panel, navigate to Risk Management > Risk Register.
  3. Click the Add New Risk button.
  4. Fill out the fields on the Quick Add Risk page. For more information, see the screenshot and list below:
    Note: We recommend that you avoid including the < and > special characters in these fields. These characters may result in text being removed from fields.
    1. Search Master Risk List?: Enable this toggle if you would like to add a risk from our Master Risk Repository instead of creating a custom risk. The Search Master Risk List search field will appear and you can search keywords to find applicable risks. For more information about our Master Risk Repository, see our How to Use the Risk Templates Tab article.
    2. Risk Name: Enter a name that represents the scope of what the risk poses to your organization. For example, you could enter "Data Breach".
    3. Description: Describe the threat that the risk poses to your organization, such as the physical locations, systems, employees, third parties, and processes that would be affected by the risk.
    4. Consequences: Describe the potential outcomes of the risk occurring, such as the physical locations, systems, employees, third parties, and processes that would be impacted by the risk.
    5. Risk Owner: Enter the name of the person in your organization who is responsible for managing the risk.
    6. Affected Asset: Describe a physical asset in your environment that the risk would affect if it occurred.
    7. Category: Select the category that the risk fits in. For more information, see the Risk Categories and Subcategories section above.
    8. Subcategory: After selecting a Category, select the subcategory that the risk fits in. The set of subcategories will differ depending on the category that you've selected. For more information, see the Risk Categories and Subcategories section above.
    9. Risk Status: Select a status for your risk. Risk statuses describe the state of the risk and what efforts your organization needs to perform to manage the risk, such as mitigation efforts, acceptance, or transference of the risk. For more information about the risk statuses, see the list below:
      • Avoidance: Select this status if your organization is changing plans, parameters, or strategies to avoid the risk.
      • Mitigation: Select this status if your organization is performing actions to reduce the likelihood and impact of the risk occurring.
      • Transfer: Select this status if your organization is transferring the responsibility of the risk to another person, group, or organization that can better manage the risk.
      • Acceptance: Select this status if your organization is accepting the risk instead of working to mitigate it. Typically, this status means that the risk's Likelihood and Impact are within your organization's range of tolerance.
      • Triggered: Select this status if an event has happened that caused the risk to occur.
      • Closed: Select this status if your organization is no longer managing the risk. Typically, this status means that the risk has been eliminated.
      • Other: Select this status if the risk does not fit into any of the statuses above.
    10. Tags: Assign tags to risks to organize, find, and sort your risks. To create a new risk tag, enter one or more words in the field, then press Enter on your keyboard. Tags have a maximum of 25 characters, including spaces. To select an existing risk tag, click the drop-down menu to view existing tags. Then, select a tag to add it to the risk.
    11. Likelihood: Determine the likelihood of the risk occurring. The Likelihood will impact your Inherent Risk Score. For more information about risk Likelihood and Impact, see the Risk Likelihood and Impact section of our Risk Management Module Guide.
    12. Impact: Determine the impact that the risk would cause for your organization. The Impact will affect your Inherent Risk Score. For more information about risk Likelihood and Impact, see the Risk Likelihood and Impact section of our Risk Management Module Guide.
    13. Inherent Risk Score: This number will automatically calculate as you change the risk's Likelihood and Impact. For more information, see our Risk Scoring Guide.
  5. (Optional) If you would like to create another risk, select the Add Another check box.
  6. Click the Create button to add the risk to your Risk Register.

Creating Risks for Vendors

If you have access to the Vendor Risk Management and Risk Management modules, you can create risks for the vendors or third parties your organization works with. To learn how to create risks for vendors, see the Creating Risks for Vendors section of our How to Create and Manage Vendor Profiles article.

Viewing and Updating Risks

From your Risk Register, you can view and update your risk information. You can also select a risk name to open the View Risk page.

Updating Risks Individually

To update a risk from the Risk Register, follow the steps below: 

  1. Log in to your KCM GRC platform.
  2. From your navigation panel, navigate to Risk Management > Risk Register.
  3. To find the risk that you would like to update, use the search bar or the Filter drop-down menu.
  4. Click any of the risk's details except for the name. For example, click the risk's Likelihood.
  5. In the fields that display, update the information that you would like to change.
  6. Click the Save button.
Tip: You can also update a risk by navigating to the View Risk page and clicking the Update button.

Updating Risks in Bulk

You can also update risks in bulk from your Risk Register. For example, you could use this feature to update the Likelihood of three risks to Reasonably Possible.

To update multiple risks at once, follow the steps below:

  1. Log in to your KCM GRC platform.
  2. From your navigation panel, navigate to Risk Management > Risk Register.
  3. To find the risks that you would like to update, use the search bar or the Filter drop-down menu.
  4. Select the check boxes next to each risk.
  5. In the top-right corner of the page, click the Actions button.
  6. Select Update from the drop-down menu. When you select this option, an Update Risks pop-up window will open.
  7. In the drop-down menus, select the options that you would like to update. To keep the options that are currently selected for a field, leave the drop-down menu blank.
  8. Click the Update button to make the changes to all of your selected risks.

Exporting Risks

If you would like, you can export a CSV file that contains information about the risks in your Risk Register. To generate this CSV file, navigate to your Risk Register and click the Export CSV button. Then, navigate to the Data Exports tab and click the cloud icon next to the export. For more information, see our Data Exports Guide.

After downloading your CSV file, open the file to view your risk information. For details about the information that will display under each column header, see the list below:

Note: If you've selected specific columns in the Select Columns widget, only the selected columns will display in your CSV file.

  • Risk Name: This column will display the name of the risk.
  • Description: This column will display the description of the risk.
  • Risk Owner: This column will display the name of the person who is responsible for managing the risk.
  • Date Created: This column will display the date and time that you created the risk. The date and time use Coordinated Universal Time (UTC).
  • Consequences: This column will display the description of the risk's consequences.
  • Likelihood: This column will display the Likelihood that is assigned to the risk. For information, see the Risk Likelihood and Impact section of our Risk Management Module Guide.
    Note: If you haven't selected a Likelihood for the risk, the Likelihood will default to Rare and this column will display 1.
  • Impact: This column will display the Impact that is assigned to the risk. For information, see the Risk Likelihood and Impact section of our Risk Management Module Guide.
    Note: If you haven't selected an Impact for the risk, the impact will default to Low and this column will display 1.
  • Inherent Risk Score: This column will display the Inherent Risk Score for the risk. For more information, see the Inherent Risk Score section of our Risk Management Module Guide.
    Note: If you haven't assigned a Likelihood and Impact to the risk, this column will display 1.
  • Residual Risk Score: This column will display the Residual Risk Score for the risk. For more information, see the Residual Risk Score section of our Risk Scoring Guide.
  • Category: This column will display the category that the risk is in.
  • Subcategory: This column will display the subcategory that the risk is in.
  • Tags: This column will display tags that are added to the risk.
  • Risk Status: This column will display the status that is selected for the risk.
  • Number of Mapped Requirements: If the risk is mapped to one or more controls and there are scoped requirements mapped to these controls, this column will display the number of scoped requirements.
  • Affected Asset: This column will display any affected asset information that you've entered for the risk.
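
Because an unrated risk exports as 1 for Likelihood, Impact, and Inherent Risk Score, a row of all 1s may be a risk that nobody has assessed yet rather than one rated Rare and Low. The Python script below is an added example, not part of the KCM GRC product or its documentation; it assumes the CSV header names match the column headers described above and that scores appear as plain numbers, and its sample rows are constructed.

```python
import csv
import io

# Column headers as named in this article (assumed to match the CSV header row).
SCORE_COLUMNS = ("Likelihood", "Impact", "Inherent Risk Score")

# Constructed sample export, not real data. Score values are illustrative only.
SAMPLE_EXPORT = """\
Risk Name,Risk Owner,Likelihood,Impact,Inherent Risk Score,Risk Status
Data Breach,A. Rivera,4,5,20,Mitigation
Vendor Outage,,1,1,1,Acceptance
Office Flood,J. Chen,1,1,1,Other
Key Staff Loss,M. Okafor,1,3,3,Transfer
"""


def find_possibly_unrated(csv_text):
    """Return rows whose three score columns all show the default value 1.

    Such rows are either unrated or genuinely rated Rare/Low; the export
    cannot tell them apart, so each one needs a manual check in the register.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    # The Select Columns widget can drop columns from the export; without
    # all three score columns the check would silently pass every row.
    missing = [c for c in SCORE_COLUMNS if c not in (reader.fieldnames or [])]
    if missing:
        raise ValueError(f"export lacks columns needed for this check: {missing}")

    findings = []
    for row in reader:
        if all((row[c] or "").strip() == "1" for c in SCORE_COLUMNS):
            status = (row.get("Risk Status") or "").strip()
            findings.append({
                "risk": row.get("Risk Name") or "",
                "status": status,
                # Acceptance implies the scores are within tolerance, which
                # presupposes that someone actually assigned them.
                "accepted_without_rating": status == "Acceptance",
            })
    return findings


if __name__ == "__main__":
    for f in find_possibly_unrated(SAMPLE_EXPORT):
        flag = " (accepted, verify rating)" if f["accepted_without_rating"] else ""
        print(f"{f['risk']}: status={f['status']}{flag}")
```

Compare the flagged rows against the "# items need to be updated" count on the Risk Register page to confirm which ones are truly unrated.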

Deleting Risks in Bulk

If you no longer need a set of risks, you can permanently delete them from your Risk Register.

Note: If you think you may need these risks in the future, we recommend that you archive them instead. To learn how to archive risks, see the Archiving Risks section of our Archiving Items Guide.

To delete risks in bulk, follow the steps below:

  1. From your navigation panel, navigate to Risk Management > Risk Register.
  2. Select the check boxes next to the risks that you would like to delete.
  3. Click the Delete button. 
  4. In the pop-up window that opens, enter DELETE into the field to confirm the deletion.
  5. Click the Delete button.
