Risk Management is a module in the KCM Governance, Risk, and Compliance (GRC) platform that is available to Gold and Platinum subscriptions. This module is designed to simplify the processes of identifying, assessing, monitoring, and mitigating the various risks faced by your organization. See our Risk Management Overview article for an introduction to risk management with KCM GRC.
The Risk Register is the central location for managing risks in your KCM GRC account. The following tasks can be carried out through the Risk Register area of your console:
- Add new risks when your organization identifies new risks
- View risks that you've created, imported, or added to your account from the Risk Wizard or the Master Risk Repository
- Edit and update risks, including determining the Likelihood and Impact of your risks
- Export a CSV file that contains the risks in your Risk Register
See the following sections to learn more.
Navigating to the Risk Register
Risks by Category
You can add risks to any category in the risk register. Risks added from the master risk repository while using the risk wizard will be automatically added to the appropriate category. For more information on the risk wizard, please see our Risk Wizard guide.
- A warning banner is displayed in your account whenever you've added risks to your account without determining their likelihood and impact. This will be the case if you've added risks using the risk wizard or if you've imported risks to your account using a CSV file. See here to learn about measuring the likelihood and impact of risks in your account.
- Click the Export Risks button to export a CSV file of all risks in your risk register. See the Exporting Risks section below to learn more about this CSV file.
- Click the Import Risks button to upload risks with a CSV file. See the Import Risks section below for more information.
- Click the Add New Risk button to create a custom risk or to add a risk from the master risk repository.
- Use the Search by Risk Name... search bar to locate a risk by searching for a keyword in the risk name. Once you've entered a keyword, the number of applicable results will display in the category count on the far right side of each category. Expand the category or categories to see the risks that contain the keyword or keywords you're searching for.
- Use the Search by tag... searchable drop-down menu to locate the risks that you've tagged. Once you've selected a tag from this drop-down, the number of applicable risks will display in the category count on the far right side of each category. Expand the category or categories to see the risks that contain the tag or tags you're searching for. Learn more about risk tags in the Create Individual Risks section below.
- Use the Display Only Risks that Need Attention checkbox to only show the risks that need to be assessed and updated with the appropriate likelihood and impact.
- The title of each risk category is displayed next to the expand/collapse arrows. Your risk register is pre-populated with six categories that correlate with the risk wizard.
- This number represents the number of risks in the category. If you type a term in the search bar or select a tag from the drop-down menu, this will change to represent the number of applicable results, as described in numbers five and six, above.
- The warning symbol signifies the number of risks in this category that need to be assessed and updated with appropriate likelihood and impact.
Click the arrow on the left side of a category name to expand the category. Then, you can see the risks in each category and view or update the details of individual risks, as explained in the following section.
Viewing and Editing Risks Within a Category
Click the expand arrow on the left-hand side of a risk name to view and edit the risk details that are outlined below.
- Use the Search by Risk Name... search bar to search for risk names by keyword.
- Risk Name: The title that is assigned to a risk that you've created, imported, or added from the risk wizard or from the risk templates area. Sorting by this column will alphabetically order the risks in this category.
- Date Created: The date for when the risk was created. Sorting by this column will order the risks by how recently they were created. The dates are based on Coordinated Universal Time (UTC).
- Controls: The number of controls that you've added for the risk. Sorting by this column will sort the risks by the number of controls that have been mapped to the risks. To learn more, see our Creating and Mapping Risk Controls article.
- Likelihood: A measure of how likely a risk is to occur. See here for more information on measuring risk likelihood. Sorting by this column will order the risks by their likelihood, in alphabetical order of the measure of likelihood.
- Impact: A measure of the impact that a risk would cause if it were to occur. See here for more information on measuring risk impact.
- Inherent Score: Calculated from risk likelihood and impact. For more information on inherent risk score, see this article.
- Residual Score: Calculated from inherent risk score and the treatment score that is assigned to the risk's mapped control(s). See here for more information about residual risk score.
- Use the Description field to add or edit a risk description.
Tip: If you'd like to format a risk description on multiple lines, press the Return or Enter button on your keyboard and your formatting will be saved.
- Use the slider bars to determine the appropriate likelihood and impact of the risk.
- Inherent Risk Score is determined by likelihood and impact. See this article for more information on risk scores.
- You can optionally select a Risk Status for your risk to track the progress of mitigation efforts. For details about the risk status options, see the Create Individual Risks section below.
- Risk Tags can be used to better organize, find, and sort your risks.
- Affected Asset: When applicable, you can describe a physical assest in your environment that the risk can affect.
- Click the Save button after you've made any changes.
Creating Custom Categories
In addition to the six default categories in your risk register, you can also add custom categories that fit your organization's unique risk management initiatives. You can assign any name and description to each custom category that you create.
For instructions on how to add custom categories to your account, please see the Risk Settings section of our KCM GRC: Managing Account Settings article. After you create a custom category, you can add the risks in your risk register to the custom category.
We recommend using the risk wizard when you're getting started with the risk management module in your KCM GRC account. Alternatively, your options for adding custom risks are to import risks in bulk or to create risks individually. See the following sections to learn more.
If your organization has already identified its applicable risks, you can quickly add them to your account by importing a CSV file.
- Prepare a CSV for import. The CSV can contain a header line consisting of name, description, and affected_asset. The name and description are required, and the affected_asset is optional.
Risk CSVs are allowed a maximum of 5,000 rows of data.
Note: If you are using Excel, your CSV must be saved in the CSV UTF-8 format.
- From the Risk Register page (Risk Management > Risk Register) click the Import Risks button.
- Click the Click to Upload button and select your CSV.
If you'd like, you can review or delete the risks before importing them, as shown below.
- Click the Save Imported Risks button to import your risks to the console.
Note: Imported risks will fall under the Custom category in your risk register. If you'd like to change a risk's category, see the Viewing and Editing Risks section of this article.
Create Individual Risks
To create an individual risk, navigate to the Risk Register page (Risk Management > Risk Register), and then click the Add New Risk button. On the Quick Add page, add the risk details as outlined below.
- Search Master Risk List?: Click this slider button if you'd like to add a risk from our master risk repository. The Search Master Risk List search field will appear and you can search keywords to find applicable risks. For more information on our master risk repository, see our Risk Templates article.
- Risk Name: Give your risk a descriptive title that represents the scope of what the risk poses to your organization.
- Risk Status: Selecting a status for your risk is recommended. Risk status offers insight into the state of the risk and what efforts (if any) can be made toward managing the risk–whether that be mitigation efforts, acceptance, or transference of the risk.
The Risk Status options are outlined in the table below:
Risk Status Description Avoidance Changing plans, parameters, strategies, etc. to avoid the risk. Mitigation Taking actions to reduce the probability and impact of the risk's occurrence. Transfer Moving the risk to an alternative party that is best fit to manage it. Acceptance Acknowledging the risk as is–typically when the risk's likelihood and/or impact are within your organization's range of risk tolerance. Triggered Indicating that an event has taken place, causing the risk to occur. Closed Indicating that the risk is no longer being managed. This is typically used after a risk is completely eliminated. Other Indicating a risk status that does not fit into the options above.
- Risk Tags can be used to better organize, find, and sort your risks.
- To create a new risk tag: Type one or more words in the field, then press enter on your keyboard to save the tag. Tags have a maximum of 25 characters, including spaces.
- To select an existing risk tag: Click the drop-down menu to see existing tags. Click on a tag to add it to the risk.
- Likelihood: Determine the likelihood of the risk occurring. This variable will impact your inherent risk score. See here for more information about measuring likelihood in KCM GRC.
- Impact: Determine the measure of impact that the risk would cause to your organization. This variable will impact your inherent risk score. See here for more information about measuring risk impact in KCM GRC.
- Affected Asset: When applicable, you can describe a physical asset in your environment that the risk can affect.
- Inherent Risk Score: This number will automatically recalculate as you change the risk's likelihood and impact. See our Risk Scoring article for more information.
- Add Another (checkbox): If you're satisfied with the Quick Add risk details, and you'd like to create another risk, click this checkbox before clicking the Create button.
- Alternatively, if you'd like to add additional details to this risk (such as a risk description), click the Details button, instead (see item 10, below).
- Create: If you're finished creating this risk, click Create. Alternatively, you click the Details button to add additional risk details, such as a risk description.
- Details: Click this button to add additional details to your risk, as outlined below:
- Description: Describe the threat that the risk poses to your organization, including the physical location(s), systems, employees, third parties, processes, etc., that would be involved if the event were to occur.
- Consequences: Describe the potential outcomes of the risk occurring, including the physical location(s), systems, employees, third parties, processes, etc., that would be impacted.
- Category: Select the category in which you want the risk to reside in your risk register. If you'd like to create custom categories in your risk register, see the Risk Settings section of our Managing Account Settings article.
- Subcategory: The set of subcategories will differ depending on which category you've selected. Please see the tabs below for a list of each category's subcategories.
- Save: Click to save the risk details and add the risk to your Risk Register.
Risk Categories and Subcategories
- Technological & Obsolescence
- Product Recall
- Negative Publicity
- Hurricanes & Tornadoes
- High Winds
- Plate Tectonics
- Building Strength
- Radioactive Decay
- Ground Water
- Sea Level
- Coastal Erosion
- Systems & Equipment
- Legal & Compliance
- External Events
- Business Processes
- Workplace Health & Safety
- Corrupt Practice
- Social Responsibility
Viewing and Editing Risks
You can view or update your risks from your risk register. Follow the steps below:
- Navigate to the risk register. Click Risk Management > Risk Register from the navigation panel on the left-hand side.
- To find a particular risk, use the search field to search for keywords in the risk name. You can either search all of your risks or expand a category to search for risks within that category.
- Click on the risk's name to open the View Risk page. Here you'll see all risk details, as shown below.
- To edit risk details, click the Update button at the top right-hand side of the View Risk page.
Tip: You will need to update your risks in order to assign the proper likelihood and impact measures as part of the onboarding process of managing risks with KCM GRC.
Each risk includes a risk severity icon based on its inherent risk score. See the table below for icon details.
|Icon||Risk Severity||Inherent Risk Score|
You have the option to export a CSV file with details about your risks. To generate this CSV file, navigate to the Risk Register page and click the Export CSV button. Then, navigate to the Data Exports page and click the download icon () to download the CSV file.
After downloading your CSV file, open it in a spreadsheet program such as Microsoft Excel or Google Sheets to view your data. The table below explains the information that you will find under each column header in the CSV file.
|Risk Name||The risk name.|
|Description||The risk description.|
|Date Created||The date and time that you created the risk. This date and time are based on Coordinated Universal Time (UTC).|
|Consequences||If you've added a description of the risk's consequences, it will display in this column.|
|Mapped Controls||The number of controls that are mapped to this risk, if applicable.|
|Likelihood||The numerical value for the Likelihood that you selected for this risk.
Note: If you have not selected a Likelihood for the risk, the likelihood defaults to Rare, and this column will display "1".
|Impact||The numerical value for the Impact that you selected for this risk.
Note: If you have not selected an Impact rating for the risk, the impact defaults to Low, and this column will display "1".
|Inherent Risk Score||The Inherent Risk Score for the risk.
Note: If you have not assigned a likelihood and impact rating to the risk, the inherent risk score defaults to 1, and "1" will display in this column.
|Residual Risk Score||The Residual Risk Score for the risk.
|Category||The category in your Risk Register where the risk exists.|
|Subcategory||The subcategory that you've selected for the risk.|
|Tags||If you've added tags to the risk, they will display in this column.|
|Risk Status||The status that you've selected for the risk.|
|Number of Mapped Requirements||If the risk is mapped to one or more controls and there are scoped requirements mapped to these controls, this column displays this number of scoped requirements.|