How Do I Use the Risk Register?
Risk Management is a module in the KCM Governance, Risk, and Compliance (GRC) platform that is available to Gold and Platinum subscriptions. This feature is designed to simplify the processes of identifying, assessing, monitoring, and mitigating the various risks faced by your organization. See our Risk Management Overview article for an introduction to Risk Management with KCM GRC.
The Risk Register is the central location for managing Risks in your KCM GRC account. The following tasks can be carried out through the Risk Register area of your console:
- Create new Risks identified by your organization
- View Risks you've created, imported or added to your account from the Master Risk Repository
- Edit and update Risks, including determining the Likelihood and Impact of your Risks
Risks by Category
You can add risks to any of the five categories in the Risk Register. Risks added from the Master Risk Repository while using the Risk Wizard will be automatically added to the appropriate category. For more information on the Risk Wizard, please see our Risk Wizard guide, found here.
- The warning banner will display throughout the Risk Management module whenever you've added Risks to your account without determining their Likelihood and Impact. This will be the case if you've added Risks using the Risk Wizard or if you've imported Risks to your account using a CSV file. The banner is a reminder of the importance of assessing the Likelihood and Impact of your Risks. For more information on using Likelihood and Impact in your KCM GRC account, please see our Risk Management Overview article.
- Use the Export Risks button to export a CSV file of all Risks in your Risk Register.
- Use the Import Risks button to upload your own Risks with a CSV file. See the Import Risks section below for more information.
- Use the Add New Risk button to create a custom Risk or to add a Risk from the Master Risk Repository.
- Use the Search by Risk Name... search bar to locate a Risk using a keyword from the Risk name. Once you've entered a keyword, the number of applicable results will display in the category count on the far right side of each category. Expand the category or categories to see the Risks containing the keyword(s) you're searching for.
- Use the Search by tag... searchable drop-down menu to locate the Risk(s) that you've tagged with a custom tag you've created in your Risk Settings. Learn more about Risk Tags in the Create Individual Risks section below. See this section of our Managing Account Settings article to learn more about creating Risk tags.
Once you've selected a tag, the number of applicable risks will display in the category count on the far right side of each category.
- Use the Display Only Risks that Need Attention checkbox to only show the Risks needing to be assessed and updated with the appropriate Likelihood and Impact.
- The title of each Risk Category is displayed next to the expand/collapse arrows. The Risk Register is pre-populated with six categories that correlate with the Risk Wizard.
- This number represents the number of Risks in the category. If you type a term in the search bar or select a tag from the drop-down menu, this number changes to the number of matching results, as described for the Search by Risk Name and Search by tag options above.
- The warning symbol signifies the number of Risks in this category that need to be assessed and updated with appropriate Likelihood and Impact.
Expand the category accordions to see the Risks in each category and the details of individual Risks, as explained below.
Use the expand arrows next to Risk names to view and edit primary Risk details.
- Use the Search by Risk Name... search bar to search for Risk names by keyword.
- Risk ID: The ID signifies the order in which the Risk was added to your Risk Register. By default, Risks are ordered by Risk ID within categories.
- Risk Name: The title assigned to a Risk you've created or imported, or the title of a Risk from our Master Risk Repository. Sorting by this column will alphabetically order the Risks in this category.
- Controls: The number of Controls you've added for the Risk. See the Creating and Mapping Risk Controls section below for more information about creating Risk Controls. Sorting by this column will sort the Risks by the number of Controls that have been added to the Risks.
- Likelihood: A measure of how likely a Risk is to occur. See here for more information on Risk Likelihood. Sorting by this column will order the Risks by their Likelihood, in alphabetical order of the measure of Likelihood.
- Impact: A measure of the impact that a Risk would cause if it were to occur. See here for more information on Risk Impact. Sorting by this column will order the Risks by their Impact, in alphabetical order of the measure of Impact.
- Inherent Score: Calculated from Risk Likelihood and Impact. See here for a description of Inherent Score. Sorting by this column will order the Risks in numerical order of Inherent Scores.
- Residual Score: Calculated from Inherent Risk Score and the Treatment Score assigned to the Risk Control(s). See here for a description of Residual Score. Sorting by this column will order the Risks in numerical order of Residual Scores.
- Use the Description field to add or edit a Risk description.
- Use the slider bars to determine the appropriate Likelihood and Impact of the Risk.
- Inherent Risk Score is determined by Likelihood and Impact. See our Risk Management Overview article for more information.
- You can optionally select and set a Risk Status for your Risk to better track the progress of mitigation efforts.
- Risk Tags can be used to better organize, find, and sort your Risks. See the Create Individual Risks section below for more information on Tags.
- Use the Save button after you've made any changes.
We recommend using the Risk Wizard when you're getting started with the Risk Management module in your KCM GRC account. See our Risk Wizard guide for details. Your alternative options for adding Risks are to import Risks in bulk, or to create Risks individually.
If your organization has already identified its applicable Risks, you can quickly add them to your KCM GRC account by importing a CSV file.
- Prepare a CSV for import. The CSV can contain a header line consisting of name and description.
Risk CSVs are allowed a maximum of 5,000 rows of data.
- From the Risk Register page (Risk Management > Risk Register) click the Import Risks button.
- Click the Click to Upload button and select your CSV.
If you'd like, you can review or delete the Risks before importing them, as shown below.
- Click the Save Imported Risks button to import your Risks to the console.
By default, imported Risks will fall under the Custom category in your Risk Register. See the Viewing and Editing Risks section of this article if you'd like to change a Risk's category.
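As an added example (not KCM GRC's own code), the following Python builds an import CSV and checks one against the two constraints this section states: an optional header line of name and description, and at most 5,000 data rows. The sample risks are constructed, and the two-column, non-empty-name and unique-name checks are assumptions about what makes a clean import, not documented platform rules.

```python
import csv
import io

# Limits and header column names are taken from the article above.
MAX_ROWS = 5000
HEADER = ["name", "description"]

# Constructed sample risks; one description contains a comma on purpose.
SAMPLE_RISKS = [
    ("Ransomware on file servers", "Encryption of shared drives, halting order processing"),
    ("Third-party SaaS outage", "Payroll provider unavailable for more than 24 hours"),
]


def build_risk_csv(risks):
    """Render (name, description) pairs as an import-ready CSV string.

    Descriptions may contain commas, quotes or newlines; the csv module
    quotes them so each Risk still occupies exactly one record.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(HEADER)
    for name, description in risks:
        writer.writerow([name.strip(), description.strip()])
    return buf.getvalue()


def validate_risk_csv(text):
    """Return a list of problems; an empty list means the file looks importable."""
    problems = []
    rows = list(csv.reader(io.StringIO(text)))
    if rows and [c.strip().lower() for c in rows[0]] == HEADER:
        rows = rows[1:]  # header present and correct: skip it
    elif rows and rows[0] and rows[0][0].strip().lower() == "name":
        problems.append("header must be exactly: name,description")
        rows = rows[1:]  # header present but wrong: report it, then skip it
    if len(rows) > MAX_ROWS:
        problems.append(f"{len(rows)} data rows exceed the {MAX_ROWS}-row limit")
    seen = set()  # assumption: duplicate names would be confusing in the Register
    for lineno, row in enumerate(rows, start=1):
        if not any(cell.strip() for cell in row):
            continue  # blank line, harmless
        if len(row) != 2:
            problems.append(f"data row {lineno}: expected 2 columns, found {len(row)}")
            continue
        name = row[0].strip()
        if not name:
            problems.append(f"data row {lineno}: empty Risk name")
        elif name.lower() in seen:
            problems.append(f"data row {lineno}: duplicate Risk name '{name}'")
        seen.add(name.lower())
    return problems
```

Remember that Risks imported this way still arrive without Likelihood and Impact, so the warning banner described above will show until you assess them.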
Create Individual Risks
From the Risk Register page (Risk Management > Risk Register) click the Add New Risk button.
Specify the Risk details from the Quick Add page (shown below). These are the minimum details necessary for creating a new Risk; you can add additional Risk information by clicking the Details button, as explained below.
- Search Master Risk List?: Use this slider button if you'd like to add a Risk from our Master Risk Repository. Once clicked, the Search Master Risk List search field will appear and you can use keywords to find applicable Risks included in the Master Risk Repository. For more information on our Master Risk Repository, see our Risk Wizard guide.
- Risk Name: Give your Risk a descriptive title that represents the scope of what the Risk poses to your organization.
- Risk Status: Selecting a status for your risk is recommended. Risk Status offers insight into the state of the Risk and what efforts (if any) can be made toward managing the Risk–whether that be mitigation efforts, acceptance, or transference of the Risk.
The Risk Status options are outlined in the table below.
| Risk Status | Description |
|---|---|
| Avoidance | Changing plans, parameters, strategies, etc. to avoid the risk. |
| Mitigation | Taking actions to reduce the probability and impact of the risk's occurrence. |
| Transfer | Moving the risk to an alternative party that is best fit to manage it. |
| Acceptance | Acknowledging the risk as is, typically when the Risk's Likelihood and/or Impact are within your organization's range of risk tolerance. |
| Triggered | Indicating that an event has taken place, causing the risk to occur. |
| Closed | Indicating that the risk is no longer being managed. This is typically used after a risk is completely eliminated. |
| Other | Indicating a risk status that does not fit into the options above. |
- Tag(s): Your KCM GRC Risk Management platform offers custom tagging features. You can create custom tags and assign them to the applicable risks.
You may want to create tags for your sister companies, subsidiaries, different locations, or for your individual departments to keep your management processes better organized.
See this section of our Managing Account Settings article to learn more about creating Risk tags.
- Likelihood: Determine the likelihood of the Risk occurring. This variable will impact your Inherent Risk Score. See here for more information on Likelihood and risk management with KCM GRC.
- Impact: Determine the measure of impact that the Risk would cause to your organization. This variable will impact your Inherent Risk Score. See here for more information on Impact and risk management with KCM GRC.
- Inherent Risk Score: This number will automatically recalculate as you change the Risk Likelihood and Impact. See our Risk Management Overview article for more information.
- Add Another (checkbox): If you're satisfied with including only the "quick add" Risk details, you can click this checkbox before clicking the Create button to instantly "quick add" another Risk. Deselect this checkbox if you want to add more details to your Risk.
- Create: Click this button to create the Risk and add it to your Risk Register with only the "quick add" details.
- Details: Click this button to add additional details to your Risk, as explained below.
- Description: Describe the threat that the Risk poses to your organization, including the physical location(s), systems, employees, third parties, processes, etc., that would be involved if the event were to occur.
- Consequences: Describe the potential outcomes of the Risk occurring, including the physical location(s), systems, employees, third parties, processes, etc., that would be impacted.
- Category: Select the category in which you want the Risk to reside in your Risk Register. Choose between Business & Strategic, Environmental & Natural, Financial, Operational & Infrastructure, Compliance, or Custom.
- Subcategory: The set of subcategories will differ depending on which Category you've selected. Please see the tabs below for a list of each category's subcategories. Note there are no subcategories for the Custom category.
- Save: Click the Save button to save the Risk details and add it to your Risk Register.
Risk Categories and Subcategories
- Technological & Obsolescence
- Product Recall
- Negative Publicity
- Hurricanes & Tornadoes
- High Winds
- Plate Tectonics
- Building Strength
- Radioactive Decay
- Ground Water
- Sea Level
- Coastal Erosion
- Systems & Equipment
- Legal & Compliance
- External Events
- Business Processes
- Workplace Health & Safety
- Corrupt Practice
- Social Responsibility
Viewing and Editing Risks
You can view or update your Risks from your Risk Register. To find a particular Risk, search Risk name keywords from the Risk Register screen. You can either search all Risks or expand a category to search for Risks in that category.
Click on the Risk Name to open the View Risk page. Here you'll see all of the details included for the Risk, as shown below.
To edit Risk details, click the Update button at the top-right of the View Risk page. You'll need to update your Risks in order to assign the proper Likelihood and Impact measures as part of the onboarding process of managing risks with KCM GRC.
Each Risk includes a Risk Severity Icon based on its Inherent Risk Score. See the table below for icon details.
| Icon | Risk Severity | Inherent Risk Score |
|---|---|---|
Creating and Mapping Risk Controls
Use KCM GRC's Control feature to document the preventative measures your organization takes as part of an effective risk management plan. You can create Controls for your Risks, or you can map your existing compliance Controls to the Risks in your Risk Management module.
To create or map a Control to a Risk, find the desired Risk in your Risk Register and click the Risk name to open the View Risk page. The Controls panel is located at the bottom of this page.
Use the Create Control button to add a new Control for the Risk.
Add a Control Name and Description to define your Control. Control Descriptions are included in reminder emails sent to the users responsible for Control Tasks. For more information about Controls and Control Tasks, see this article: How Do I Create Control Tasks?
The Risk Treatment Score is a numerical representation of how adequate or sufficient the Control is for preventing the Risk. The Risk Treatment Score determines the Residual Risk Score. See our KCM GRC Risk Management: Overview article for more information about Risk Treatment Scores and Residual Risk Scores.
To create a Task for the new Control, click the Create & Assign Control button. If you'd rather add a Control Task at a later time, click the Create Control button, instead. For more information about assigning Controls, see: How Do I Create Control Tasks?
You may have Controls for your KCM GRC Compliance Scopes that also assist in monitoring or preventing your organization's Risks.
If you'd like to use an existing Control for your Risk, use the Map to Control button in the Controls panel of the View Risk page (shown above), and follow the steps below.
- Search for Control name keywords in the search bar at the top-left of the page.
- Once you find the Control you need, use the green button in the far-right column to map it. You'll immediately be prompted to enter a Treatment Score for the Control.
- Using the field in the T. Score column, enter an appropriate Treatment Score for the Control. The Risk Treatment Score is a numerical representation of how adequate or sufficient the Control is for preventing the Risk.
NOTE: The Control's Treatment Score determines the Risk's Residual Risk Score. See our Risk Management Overview article to learn more about Treatment Scores and managing Risks in KCM GRC.
- Use the checkmark button to save the Treatment Score.
- Click the Done button once you've finished mapping the Control(s) to your Risk.
TIP: If you need to unmap a Control from the Risk, you'll use the red button(s) in the Is Mapped column.
If you'd like to add a new Task to your Risk Control, click on the Control name from the View Risk Page. From the View Control page, use the New One Time button shown below. See this article for more information on creating Tasks and assigning Controls.