Using Your Risk Register
Risk Management is a module in the KCM GRC platform that is available to Gold and Platinum subscriptions. This module is designed to simplify the processes of identifying, assessing, monitoring, and mitigating the various risks faced by your organization. See our Risk Management Module Guide for an introduction to risk management with KCM GRC.
In the Risk Management module, you can use your Risk Register as the central location for managing your risks. In your Risk Register, you can complete the tasks listed below:
- Add new risks as your organization identifies and encounters risks.
- View the risks that you've created or added to your account from the Risk Wizard or the Master Risk Repository.
- Edit and update risks.
- Assign Likelihood and Impact scores to your risks.
- Export a CSV file that contains the risks in your Risk Register.
See the following sections to learn more.
Navigating to the Risk Register
After logging in to your account, navigate to your Risk Register by clicking Risk Management, then Risk Register from your navigation panel.
Risks by Category
You can add risks to any category in your Risk Register. Risks added from the Master Risk Repository while using the Risk Wizard will be automatically added to categories. For more information about the Risk Wizard, see our How to Use the Risk Wizard article.
To learn about the items on the Risk Register page, see the screenshot and list below:
- A warning banner will display whenever you've added risks to your account without assigning their Likelihood and Impact. When you add risks by using the Risk Wizard or import risks by using a CSV file, the risks will be added without a Likelihood or Impact. See the Risk Likelihood and Impact section of our Risk Management Module Guide to learn how to measure the Likelihood and Impact of risks in your account.
- Export Risks: Click this button to export a CSV file of all risks in your risk register. See the Exporting Risks section below to learn more about this CSV file.
- Import Risks: Click this button to upload risks with a CSV file. See the Import Risks section below for more information.
- Add New Risk: Click this button to create a custom risk or to add a risk from the Master Risk Repository.
- Search by Risk Name: Use this search bar to search for a risk by entering a key word in the risk's name. Once you've entered a word, the number of results in each category will display next to each category. Expand a category to view the risks that contain the key word or key words you're searching for.
- Search by tag: Use this drop-down menu to search for risks by entering or selecting a tag. Once you've selected a tag from this drop-down, the number of risks that have the tag will display next to each category. Expand a category to view the risks that contain the tag or tags you're searching for. For more information about risk tags, see the Create Individual Risks section below.
- Display Only Risks that Need Attention: Select this check box to only display the risks that need to be assessed and updated for Likelihood and Impact.
- View the name of each risk category. Your risk register is pre-populated with six categories that correlate with the Risk Wizard.
Tip: You can create additional, custom categories in the Risk Settings section of your Account Settings. See the Risk Settings section of our How to Manage Your KCM GRC Account Settings article to learn how to create custom risk categories.
- This number represents the number of risks in the category. If you enter a key word into the search bar or select a tag from the drop-down menu, this number will change to represent the number of results.
- The number next to the warning symbol displays the number of risks in the category that need to be assessed and updated for Likelihood and Impact.
Click the arrow next to a category name to expand the category. Then, you can view the risks that are in each category and view or update the details of individual risks, as explained in the following section.
Viewing and Editing Risks Within a Category
Click the expand arrow on the left-hand side of a risk name to view and edit the risk details that are outlined below.
- Search by Risk Name: Use this search bar to search for risk names by key word.
- Risk Name: The title that is assigned to a risk that you've created, imported, or added from the Risk Wizard or from the Risk Templates area. Sorting by this column will alphabetically order the risks in this category.
- Date Created: The date for when the risk was created. Sorting by this column will order the risks by how recently they were created. The dates are based on Coordinated Universal Time (UTC).
- Controls: The number of controls that you've added for the risk. Sorting by this column will sort the risks by the number of controls that have been mapped to the risks. To learn more, see our How to Create and Map Risk Controls article.
- Likelihood: A measure of how likely a risk is to occur. See the Risk Likelihood and Impact section of our Risk Management Module Guide for more information about measuring risk likelihood. Sorting by this column will order the risks by their likelihood, in alphabetical order of the measure of likelihood.
- Impact: A measure of the impact that a risk would cause if it were to occur. See the Risk Likelihood and Impact section of our Risk Management Module Guide for more information about measuring risk impact.
- Inherent Score: Calculated from risk Likelihood and Impact. For more information on inherent risk score, see our Risk Scoring Guide.
- Residual Score: Calculated from inherent risk score and the treatment score that is assigned to the risk's mapped control(s). See the Residual Score section of our Risk Scoring Guide for more information about the residual risk score.
- Description: Add or edit a risk description.
Tip: If you would like to format a risk description on multiple lines, press the Return or Enter button on your keyboard and your formatting will be saved.
- Use the slider bars to determine the appropriate Likelihood and Impact of the risk.
- Inherent Risk Score is determined by Likelihood and Impact. See our Risk Scoring Guide for more information about risk scores.
- Risk Owner: Enter the name of the person in your organization who is responsible for managing the risk.
- Risk Status: Select a status for your risk. Risk statuses describe the state of the risk and what efforts can be made toward managing the risk, such as mitigation efforts, acceptance, or transference of the risk. For more information about risk statuses, see the Create Individual Risks section below.
- Tags: Assign tags to better organize, find, and sort your risks.
- Affected Asset: Describe a physical asset in your environment that the risk would affect if it occurred.
- Click the Save button to save your changes.
Creating Custom Categories
In addition to the six default categories in your risk register, you can also add custom categories that fit your organization's unique risk management initiatives. You can assign any name and description to each custom category that you create.
For instructions on how to add custom categories to your account, see the Risk Settings section of our How to Manage Your KCM GRC Account Settings article. After you create a custom category, you can add the risks in your risk register to the custom category.
Creating and Importing Risks
We recommend using the Risk Wizard when you're getting started with the risk management module in your KCM GRC account. Alternatively, you can add custom risks by importing risks in bulk or creating risks individually. For more information, see the subsections below.
Import Risks
If your organization has already identified its applicable risks, you can quickly add them to your account by importing a CSV file. For more information, see our How Do I Import Risks into My Risk Register with a CSV File? article.
Create Individual Risks
To create an individual risk, navigate to the Risk Register page (Risk Management > Risk Register), and then click the Add New Risk button. On the Quick Add page, add the risk details as outlined below.
- Search Master Risk List?: Click this slider button if you would like to add a risk from our Master Risk Repository. The Search Master Risk List search field will appear and you can search keywords to find applicable risks. For more information on our Master Risk Repository, see our How to Use the Risk Templates Tab article.
- Risk Name: Give your risk a descriptive title that represents the scope of what the risk poses to your organization.
- Description: Describe the threat that the risk poses to your organization, such as the physical locations, systems, employees, third parties, and processes that would be affected by the risk.
- Consequences: Describe the potential outcomes of the risk occurring, such as the physical locations, systems, employees, third parties, and processes, that would be impacted by the risk.
- Risk Owner: Enter the name of the person in your organization who is responsible for managing the risk.
- Affected Asset: Describe a physical asset in your environment that the risk would affect if it occurred.
- Category: Select the category that the risk fits in. The risk categories are Business & Strategic, Environmental & Natural, Financial, Operational & Infrastructure, Compliance, and Custom. If you would like to create custom categories in your risk register, see the Risk Settings section of our How to Manage Your KCM GRC Account Settings article.
- Subcategory: The set of subcategories will differ depending on which category you've selected. See the tabs below for a list of each category's subcategories.
- Risk Status: Select a status for your risk. Risk statuses describe the state of the risk and what efforts can be made toward managing the risk, such as mitigation efforts, acceptance, or transference of the risk.
The Risk Status options are outlined in the table below:
Risk Status | Description |
Avoidance | Changing plans, parameters, strategies, etc. to avoid the risk. |
Mitigation | Taking actions to reduce the probability and impact of the risk's occurrence. |
Transfer | Moving the risk to an alternative party that is best fit to manage it. |
Acceptance | Acknowledging the risk as is, typically when the risk's likelihood and/or impact are within your organization's range of risk tolerance. |
Triggered | Indicating that an event has taken place, causing the risk to occur. |
Closed | Indicating that the risk is no longer being managed. This is typically used after a risk is completely eliminated. |
Other | Indicating a risk status that does not fit into the options above. |
- Tags: Assign tags to risks to organize, find, and sort the risks.
- To create a new risk tag, enter one or more words in the field, then press Enter on your keyboard. Tags have a maximum of 25 characters, including spaces.
- To select an existing risk tag, click the drop-down menu to view existing tags. Then, select a tag to add it to the risk.
- Likelihood: Determine the Likelihood of the risk occurring. This variable will impact your Inherent Risk Score. For more information about risk Likelihood and Impact, see the Risk Likelihood and Impact section of our Risk Management Module Guide.
- Impact: Determine the Impact that the risk would cause to your organization. This variable will impact your Inherent Risk Score. For more information about risk Likelihood and Impact, see the Risk Likelihood and Impact section of our Risk Management Module Guide.
- Inherent Risk Score: This number will automatically calculate as you change the risk's Likelihood and Impact. See our Risk Scoring Guide for more information.
- Add Another (checkbox): If you're satisfied with the Quick Add risk details, and you would like to create another risk, click this checkbox before clicking the Create button.
- Create: If you're finished creating this risk, click Create.
- Cancel: Click this button to exit the Quick Add page.
Risk Categories and Subcategories
- Commercial
- Reputation
- Stakeholder
- Technological & Obsolescence
- Lawsuit
- Product Recall
- Negative Publicity
- Hurricanes & Tornadoes
- High Winds
- Plate Tectonics
- Earthquake
- Building Strength
- Asteroids
- Volcanoes
- Radioactive Decay
- Radiation
- Asbestos
- Ground Water
- Sea Level
- Coastal Erosion
- Credit
- Insurance
- Pension
- Market
- People
- Systems & Equipment
- Legal & Compliance
- Security
- Project
- External Events
- Business Processes
- Environmental
- Workplace Health & Safety
- Corrupt Practice
- Social Responsibility
- Quality
- Process
Creating Risks for Vendors
If you have access to the Vendor Risk Management and Risk Management modules, you can create risks for the vendors or third parties your organization works with. To learn how to create risks for vendors, see the Creating Risks for Vendors section of our How to Create and Manage Vendor Profiles article.
Viewing and Editing Risks
From your risk register, you can view and update your risks. You can also use the Notes widget to communicate information about risks.
Follow the steps below to edit a risk.
- Navigate to the risk register. Click Risk Management > Risk Register from the navigation panel on the left-hand side.
- To find a particular risk, use the search field to search for keywords in the risk name. You can either search all of your risks or expand a category to search for risks within that category.
- Click the risk's name to open the View Risk page. Here you'll see all risk details, as shown below.
- To edit risk details, click the Update button in the top-right corner of the risk details section.
Tip: You will need to update your risks in order to assign Likelihood and Impact scores, which is part of the KCM GRC risk management onboarding process.
Exporting Risks
You have the option to export a CSV file with details about your risks. To generate this CSV file, navigate to the Risk Register page and click the Export CSV button. Then, navigate to the Data Exports page and click the download icon to download the CSV file.
After downloading your CSV file, open it in a spreadsheet program such as Microsoft Excel or Google Sheets to view your data. The table below explains the information that you will find under each column header in the CSV file.
Column Header | Description |
Risk Name | The risk name. |
Description | The risk description. |
Risk Owner | The name of the person who is responsible for managing the risk. |
Date Created | The date and time that you created the risk. This date and time are based on Coordinated Universal Time (UTC). |
Consequences | If you've added a description of the risk's consequences, it will display in this column. |
Mapped Controls | The number of controls that are mapped to this risk, if applicable. |
Likelihood | The numerical value for the Likelihood that you selected for this risk. Note: If you have not selected a Likelihood for the risk, the Likelihood defaults to Rare, and this column will display "1". |
Impact | The numerical value for the Impact that you selected for this risk. Note: If you have not selected an Impact score for the risk, the impact defaults to Low, and this column will display "1". |
Inherent Risk Score | The Inherent Risk Score for the risk. Note: If you have not assigned a Likelihood and Impact score to the risk, the inherent risk score defaults to 1, and "1" will display in this column. |
Residual Risk Score | The Residual Risk Score for the risk. |
Category | The category in your Risk Register where the risk exists. |
Subcategory | The subcategory that you've selected for the risk. |
Tags | If you've added tags to the risk, they will display in this column. |
Risk Status | The status that you've selected for the risk. |
Number of Mapped Requirements | If the risk is mapped to one or more controls and there are scoped requirements mapped to these controls, this column displays this number of scoped requirements. |
Affected Asset | If you've added affected asset details for the risk, they will be displayed in this column. |
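Because an unassessed risk exports with Likelihood, Impact, and Inherent Risk Score all set to "1", the CSV alone cannot tell it apart from a risk that was deliberately rated Rare/Low. The script below is an added example, not KCM GRC code: it triages an export for rows that carry those default scores, have no Risk Owner, or are marked Mitigation with no mapped controls. It assumes a comma-delimited file whose headers match the table above exactly; the sample rows are constructed.

```python
import csv
import io

# Constructed sample export. Headers are the column names documented above;
# every value (names, dates, scores) is made up for this example.
SAMPLE_EXPORT = """\
Risk Name,Description,Risk Owner,Date Created,Consequences,Mapped Controls,Likelihood,Impact,Inherent Risk Score,Residual Risk Score,Category,Subcategory,Tags,Risk Status,Number of Mapped Requirements,Affected Asset
Unpatched VPN gateway,Edge appliance behind on patches,A. Rivera,2024-01-10,Network intrusion,2,4,5,20,8,Operational & Infrastructure,Security,vpn,Mitigation,3,VPN gateway
Vendor data breach,,,2024-01-11,,0,1,1,1,1,Operational & Infrastructure,Security,,Other,0,
Backup failure,Nightly backups not tested,J. Chen,2024-01-12,Data loss,0,3,4,12,12,Operational & Infrastructure,Systems & Equipment,backup,Mitigation,0,Backup server
Office flood,Ground-floor server room,,2024-01-13,Hardware loss,1,1,1,1,1,Environmental & Natural,Ground Water,,Acceptance,1,Server room
"""

SCORE_COLUMNS = ("Likelihood", "Impact", "Inherent Risk Score")


def cell(row, column):
    """Return a trimmed cell value; missing or blank cells become ''."""
    return (row.get(column) or "").strip()


def triage(csv_text):
    """Group risk names by the review finding they trigger."""
    findings = {
        "default_scores": [],               # 1/1/1: unassessed or genuinely Rare/Low
        "no_owner": [],                     # nobody accountable for the risk
        "mitigation_without_controls": [],  # status claims mitigation, nothing mapped
    }
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = cell(row, "Risk Name")
        if all(cell(row, c) == "1" for c in SCORE_COLUMNS):
            findings["default_scores"].append(name)
        if not cell(row, "Risk Owner"):
            findings["no_owner"].append(name)
        # "Mapped Controls" is only filled in "if applicable": treat blank as zero.
        if cell(row, "Risk Status") == "Mitigation" and cell(row, "Mapped Controls") in ("", "0"):
            findings["mitigation_without_controls"].append(name)
    return findings


if __name__ == "__main__":
    for finding, names in triage(SAMPLE_EXPORT).items():
        print(f"{finding}: {names}")
```

Rows listed under `default_scores` still need a human decision in the Risk Register, since only the in-app warning indicator distinguishes "never assessed" from "assessed as 1".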