Using Your Risk Register
The KCM GRC Risk Management module includes the Risk Register, which is a central location where you can manage risks. In your Risk Register, you can add new risks that your organization identifies, view the risks that you've created, assign Likelihood and Impact to risks, and export a CSV file of your risks.
You can navigate to your Risk Register by selecting the Risk Register tab from your navigation panel. For general information about the Risk Management module, see our Risk Management Module Guide.
For more information about your Risk Register, see the sections below:
Using the Risk Register Page
To learn about the actions you can perform and the items you can view from your Risk Register, see the screenshot and list below:
- Banner: A warning banner will display whenever you've added risks to your account without assigning their Likelihood and Impact.
Note: When you add risks by using the Risk Wizard or importing risks, the risks will be added without a Likelihood or Impact. Therefore, these risks will be included in the count displayed in this banner.
- Export Risks: Click this button to export a CSV file of the risks in your Risk Register. See the Exporting Risks section below for more information.
- Import Risks: Click this button to upload risks with a CSV file. See the Importing Risks section below for more information.
- Add New Risk: Click this button to create an individual risk or to add a risk from the Master Risk Repository.
- Search by Risk Name: Use this search bar to search for a risk's name. Once you've entered a word, the number of results in each category will display next to each category. Expand a category to view the risks that contain the word you're searching for.
- Search by tag: Use this drop-down menu to search for risks by entering or selecting a tag. Once you've selected a tag from this drop-down menu, the number of risks that have the tag will display next to each category. Expand a category to view the risks that contain the tag or tags you're searching for. For more information about risk tags, see the Creating Individual Risks section below.
- Display Only Risks that Need Attention: Select this check box to only display the risks that need to be updated for Likelihood and Impact.
- Category: View the name of each category.
- # item(s): This number displays the number of risks in each category. If you enter a keyword into the search bar or select a tag from the drop-down menu, this number will change to represent the number of results in each category.
- Warning: The number next to the warning icon will display the number of risks in the category that still need to be updated for Likelihood and Impact.
Click the drop-down arrow next to a category name to expand the category. Then, you can view and update the risks that are in each category.
Risk Categories and Subcategories
Your Risk Register automatically includes six categories, including a Custom category. When you add risks to your Risk Register, you can select a category and subcategory to add the risk to.
To learn about the subcategories under each category in your Risk Register, select a category from the tabs below:
- Technological & Obsolescence
- Product Recall
- Negative Publicity
- Hurricanes & Tornadoes
- High Winds
- Plate Tectonics
- Building Strength
- Radioactive Decay
- Ground Water
- Sea Level
- Coastal Erosion
- Systems & Equipment
- Legal & Compliance
- External Events
- Business Processes
- Workplace Health & Safety
- Corrupt Practice
- Social Responsibility
Creating Custom Categories
In addition to the six default categories in your Risk Register, you can also add custom categories that fit your organization's unique risk management initiatives. You can assign a name and description to each custom category that you create.
To learn how to add custom categories to your account, see the Risk Settings section of our How to Manage Your KCM GRC Account Settings article. After you create a custom category, you can add the risks in your Risk Register to the custom category.
Adding Risks to Your Risk Register
We recommend that you start adding risks by using our Risk Wizard tool. For more information, see our How to Use the Risk Wizard article.
You can also add custom risks by importing risks in bulk, creating risks individually, or creating risks for vendors. For more information about each of these methods, see the subsections below.
Importing Risks with a CSV File
If your organization has already identified its applicable risks, you can quickly add them to your account by importing a CSV file. For more information, see our How Do I Import Risks into My Risk Register with a CSV File? article.
Creating Individual Risks
To create an individual risk, navigate to Risk Management > Risk Register, and then click the Add New Risk button. From the Quick Add page, add details about the risk. For more information, see the screenshot and list below:
- Search Master Risk List?: Enable this toggle if you would like to add a risk from our Master Risk Repository instead of creating a custom risk. The Search Master Risk List search field will appear and you can search keywords to find applicable risks. For more information about our Master Risk Repository, see our How to Use the Risk Templates Tab article.
- Risk Name: Enter a name that represents the scope of what the risk poses to your organization. For example, you could enter "Data Breach".
- Description: Describe the threat that the risk poses to your organization, such as the physical locations, systems, employees, third parties, and processes that would be affected by the risk.
- Consequences: Describe the potential outcomes of the risk occurring, such as the physical locations, systems, employees, third parties, and processes that would be impacted by the risk.
- Risk Owner: Enter the name of the person in your organization who is responsible for managing the risk.
- Affected Asset: Describe a physical asset in your environment that the risk would affect if it occurred.
- Category: Select the category that the risk fits in. For more information, see the Risk Categories and Subcategories section above.
- Subcategory: After selecting a Category, select the subcategory that the risk fits in. The set of subcategories will differ depending on the category that you've selected. For more information, see the Risk Categories and Subcategories section above.
- Risk Status: Select a status for your risk. Risk statuses describe the state of the risk and what efforts your organization needs to perform to manage the risk, such as mitigation efforts, acceptance, or transference of the risk. For more information about the risk statuses, see the table below:
| Risk Status | Description |
| Avoidance | Select this status if your organization is changing plans, parameters, or strategies to avoid the risk. |
| Mitigation | Select this status if your organization is performing actions to reduce the likelihood and impact of the risk occurring. |
| Transfer | Select this status if your organization is transferring the responsibility of the risk to another person, group, or organization that can better manage the risk. |
| Acceptance | Select this status if your organization is accepting the risk instead of working to mitigate it. Typically, this status means that the risk's Likelihood and Impact are within your organization's range of tolerance. |
| Triggered | Select this status if an event has happened that caused the risk to occur. |
| Closed | Select this status if your organization is no longer managing the risk. Typically, this status means that the risk has been eliminated. |
| Other | Select this status if the risk does not fit into any of the statuses above. |
- Tags: Assign tags to risks to organize, find, and sort your risks. To create a new risk tag, enter one or more words in the field, then press Enter on your keyboard. Tags have a maximum of 25 characters, including spaces. To select an existing risk tag, click the drop-down menu to view existing tags. Then, select a tag to add it to the risk.
- Likelihood: Determine the likelihood of the risk occurring. The Likelihood affects your Inherent Risk Score. For more information about risk Likelihood and Impact, see the Risk Likelihood and Impact section of our Risk Management Module Guide.
- Impact: Determine the impact that the risk would cause for your organization. The Impact affects your Inherent Risk Score. For more information about risk Likelihood and Impact, see the Risk Likelihood and Impact section of our Risk Management Module Guide.
- Inherent Risk Score: This number will automatically calculate as you change the risk's Likelihood and Impact. For more information, see our Risk Scoring Guide.
- Add Another: If you would like to create another risk, select this check box before clicking the Create button.
- Create: Click the Create button to add the risk to your Risk Register.
- Cancel: Click this button to exit the Quick Add page.
Creating Risks for Vendors
If you have access to the Vendor Risk Management and Risk Management modules, you can create risks for the vendors or third parties your organization works with. To learn how to create risks for vendors, see the Creating Risks for Vendors section of our How to Create and Manage Vendor Profiles article.
Viewing and Editing Risks
From your Risk Register, you can view and update your risks. You can also use the Notes widget to communicate information about risks.
Follow the steps below to edit a risk.
- From your navigation panel, navigate to Risk Management > Risk Register.
- To find a risk, use the search field to search for keywords in the risk name. You can either search all of your risks or expand a category to search for risks within that category.
- Select a risk's name to open the View Risk page for that risk.
- Click the Update button in the Risk Details section of the page.
Tip: You will need to update your risks to assign Likelihood and Impact scores, which is part of our recommended KCM GRC risk management onboarding process.
Exporting Risks
You have the option to export a CSV file with details about your risks. To generate this CSV file, navigate to the Risk Register page and click the Export CSV button. Then, navigate to the Data Exports page and click the cloud icon to download the CSV file.
After downloading your CSV file, open the file to view your data. For details about the information that will display under each column header, see the table below:
| Risk Name | This column will display the name of the risk. |
|  | This column will display the description of the risk. |
|  | This column will display the name of the person who is responsible for managing the risk. |
| Date Created | This column will display the date and time that you created the risk. The date and time use Coordinated Universal Time (UTC). |
| Consequences | This column will display the description of the risk's consequences. |
| Mapped Controls | This column will display the number of controls that are mapped to this risk. |
|  | This column will display the Likelihood that is assigned to the risk. Note: If you have not selected a Likelihood for the risk, the Likelihood will default to Rare, and this column will display 1. |
|  | This column will display the Impact that is assigned to the risk. Note: If you have not selected an Impact for the risk, the Impact will default to Low, and this column will display 1. |
| Inherent Risk Score | This column will display the Inherent Risk Score for the risk. For more information, see our Risk Management Module Guide. Note: If you have not assigned a Likelihood and Impact to the risk, this column will display 1. |
| Residual Risk Score | This column will display the Residual Risk Score for the risk. For more information, see our Risk Scoring Guide. |
| Category | This column will display the category that the risk is in. |
| Subcategory | This column will display the subcategory that the risk is in. |
| Tags | This column will display tags that are added to the risk. |
| Risk Status | This column will display the status that is selected for the risk. |
| Number of Mapped Requirements | If the risk is mapped to one or more controls and there are scoped requirements mapped to these controls, this column will display the number of scoped requirements. |
| Affected Asset | This column will display any affected asset information that you've entered for the risk. |