Working with Inherent Risk Scores, Risk Treatment Scores, and Residual Risk Scores
You will use Inherent Risk Scores, Risk Treatment Scores, and Residual Risk Scores together in KCM GRC. These scores help you understand the severity of each risk that your organization faces–both before and after you make efforts to reduce or mitigate risks.
Defined below is an overview of how you will use these scores together in KCM GRC's Risk Management module:
- Assign an Inherent Risk Score to a risk in your Risk Register.
- Establish one or more controls to reduce the likelihood or impact of this risk. Assign a Treatment Score to the control(s).
- Then, the risk's Residual Risk Score is automatically calculated. This score represents the severity of the risk with the preventative controls taken into consideration.
See the following sections to learn more.
Risk Score Definitions
See the below definitions for Inherent Risk Score, Treatment Score, and Residual Risk Score.
Inherent Risk Score
The Inherent Risk Score serves as a baseline measurement of the severity of the risk facing your organization due to a particular threat. This score is determined before efforts are made to reduce or mitigate the threat.
The Inherent Risk Score is determined when you assign Likelihood and Impact ratings to the risk. See this calculation, below:
Likelihood x Impact = Inherent Risk Score
You can reduce the inherent risk by implementing one or more controls for the risk, and applying a Treatment Score to the control(s).
You will assign a treatment score to each control that you establish for a risk. This score acts as a "weight", or measure, of the effectiveness of a control to reduce or mitigate a potential threat or risk. Meaning, the higher a treatment score, the more effective the control is for preventing the risk. Your Risk Management team will need to determine an approach for measuring the Treatment Score for each of your organization's risk management controls.
Once the Treatment Score is established, the system will recalculate your Residual Risk Score. For more information, see the Viewing Residual Risk Score section below.
Residual Risk Score
The Residual Risk Score measures the remaining risk after the associated controls are taken into consideration. Residual Risk Score is automatically calculated from the Inherent Risk Score and the Treatment Score(s) of the mapped control(s). This is represented in the equation, below:
Inherent Risk Score - Treatment Score = Residual Risk Score
The Residual Risk Score provides insight into the severity of risk that your organization still faces after making efforts to reduce the inherent risk. You can use this number as a reference point for monitoring risk.
Assigning Inherent Risk Score
You will define the Inherent Risk Score when you create or import a risk to your Risk Register. However, you will not define the Inherent Risk Score, directly. Instead, you will assign a measure of Likelihood and Impact for the risk, and the Inherent Risk Score is calculated from these specifications, as shown below.
Assigning Treatment Score
You will assign the Treatment Score when you create a control for a risk, or when you map a control that already exists in your account to a risk in your risk register. For instructions, see our How to Create and Map Risk Controls article.
As a best practice, we recommend that you consider the following when assigning Treatment Scores to your controls:
- A Treatment Score should always be less than the Inherent Risk Score of the associated risk.
Note: The highest-possible Inherent Risk Score is "169".
- Therefore, the scale for your organization's Treatment Score should range between 1 - 168, where 168 would be the highest probability of completely mitigating a risk.
- You should not apply a Treatment Score value that would cause the associated risk to have a Residual Risk Score of "0", or less than zero. This is because a Residual Risk Score of "0" will imply that the risk is completely mitigated, where in most cases it is impossible to completely mitigate a risk.
- If you establish more than one control for a risk, all control Treatment Scores are calculated into the Residual Risk Score.
Updating Treatment Score
You can update a control's Treatment Score at any time. See the following steps for instructions:
- Navigate to your Risk Register. From the navigation panel on the left-hand side, click Risk Management > Risk Register.
- From the Risk Register page, find the risk that is mapped to the control for which you want to change the Treatment Score.
- Click on the Risk Name to open the risk, as shown below.
- From the View Risk page, scroll down to the Controls section. From here you can see the current Treatment Score. Click the control name to open the control.
- Click the Update button toward the top right-hand side of the View Control page.
- Enter a new value in the Risk Treatment Score field and click the Save button to save this change.
Viewing Residual Risk Score
The Residual Risk Score is automatically calculated for each risk in your Risk Register. To view the Residual Risk Score for a specific risk, open the risk from your Risk Register.
You can see the Residual Risk score from the View Risk page, as shown below.
By default, the Residual Risk Score will be the same as the Inherent Risk Score. To reduce the Residual Risk Score, you must create or map one or more controls to the risk. For details about creating and mapping controls, see our How to Create and Map Risk Controls article.
When you create or map a control to a risk, the Residual Risk Score is automatically recalculated (if you have applied a Treatment Score to the control).