You will use Inherent Risk Scores, Risk Treatment Scores, and Residual Risk Scores together in KCM GRC. These scores help you understand the severity of each risk that your organization faces, both before and after you make efforts to reduce or mitigate risks.
Defined below is an overview of how you will use these scores together in KCM GRC's Risk Management module:
- Assign an Inherent Risk Score to a risk in your Risk Register.
- Establish one or more controls to reduce the likelihood or impact of this risk. Assign a Treatment Score to the control(s).
- Then, the risk's Residual Risk Score is automatically calculated. This score represents the severity of the risk with the preventative controls taken into consideration.
See the following sections to learn more.
Inherent Risk Score
The Inherent Risk Score serves as a baseline measurement of the severity of the risk facing your organization due to a particular threat. This score is determined before efforts are made to reduce or mitigate the threat.
The Inherent Risk Score is determined when you assign Likelihood and Impact ratings to the risk. See this calculation, below:
You can reduce the inherent risk by implementing one or more controls for the risk, and applying a Treatment Score to the control(s).
You will assign a Treatment Score to each control that you establish for a risk. This score acts as a "weight", or measure, of how effective a control is at reducing or mitigating a potential threat or risk. In other words, the higher the Treatment Score, the more effective the control is at preventing the risk. Your Risk Management team will need to determine an approach for measuring the Treatment Score for each of your organization's risk management controls.
Once the Treatment Score is established, the system will recalculate your Residual Risk Score. For more information, see the Viewing Residual Risk Score section, below.
Residual Risk Score
The Residual Risk Score measures the remaining risk after the associated controls are taken into consideration. Residual Risk Score is automatically calculated from the Inherent Risk Score and the Treatment Score(s) of the mapped control(s). This is represented in the equation, below:
Inherent Risk Score - Treatment Score = Residual Risk Score
The Residual Risk Score provides insight into the severity of risk that your organization still faces after making efforts to reduce the inherent risk. You can use this number as a reference point for monitoring risk.
Assigning Inherent Risk Score
You will define the Inherent Risk Score when you create or import a risk to your Risk Register. However, you will not define the Inherent Risk Score, directly. Instead, you will assign a measure of Likelihood and Impact for the risk, and the Inherent Risk Score is calculated from these specifications, as shown below.
To learn more about adding risks to your Risk Register and assigning Inherent Risk Scores, please see this article.
Assigning Treatment Score
You will assign the Treatment Score when you create a control for a risk, or when you map a control (that already exists in your account) to a risk in your risk register. For details, please see the Creating and Mapping Risk Controls section of our Risk Register article.
As a best practice, we recommend that you consider the following when assigning Treatment Scores to your controls:
- A Treatment Score should always be less than the Inherent Risk Score of the associated risk.
Note: The highest-possible Inherent Risk Score is "169".
- Therefore, the scale for your organization's Treatment Score should range from 1 to 168, where 168 would be the highest probability of completely mitigating a risk.
- You should not apply a Treatment Score value that would cause the associated risk to have a Residual Risk Score of "0", or less than zero. This is because a Residual Risk Score of "0" will imply that the risk is completely mitigated, where in most cases it is impossible to completely mitigate a risk. See the next section to learn more.
- If you establish more than one control for a risk, all control Treatment Scores are calculated into the Residual Risk Score.
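The following script is an added example, not part of this article or of KCM GRC itself. It applies the equation from the Residual Risk Score section (Inherent Risk Score - Treatment Score = Residual Risk Score) to constructed sample risks and checks them against the best practices listed above: each Treatment Score stays below the Inherent Risk Score, and the Residual Risk Score never reaches zero. The risk names, scores, and the assumption that the Treatment Scores of several mapped controls are added together before subtraction are the example's own; the 169 ceiling is the one stated in this article.

```python
from dataclasses import dataclass, field

# Highest possible Inherent Risk Score, as stated in the article.
MAX_INHERENT_RISK_SCORE = 169


@dataclass
class Control:
    name: str
    treatment_score: int


@dataclass
class Risk:
    name: str
    inherent_risk_score: int
    controls: list = field(default_factory=list)


def total_treatment_score(risk: Risk) -> int:
    # Assumption (not confirmed by the article): when more than one control is
    # mapped to a risk, the individual Treatment Scores are summed.
    return sum(control.treatment_score for control in risk.controls)


def residual_risk_score(risk: Risk) -> int:
    # The article's equation: Inherent Risk Score - Treatment Score = Residual Risk Score.
    # With no controls mapped, residual equals inherent, as the article describes.
    return risk.inherent_risk_score - total_treatment_score(risk)


def treatment_score_warnings(risk: Risk) -> list:
    """Return best-practice warnings for a risk's scores (empty list means all checks pass)."""
    warnings = []
    if not 1 <= risk.inherent_risk_score <= MAX_INHERENT_RISK_SCORE:
        warnings.append(
            f"{risk.name}: Inherent Risk Score {risk.inherent_risk_score} "
            f"is outside 1..{MAX_INHERENT_RISK_SCORE}"
        )
    for control in risk.controls:
        # Each Treatment Score should be at least 1 and below the Inherent Risk Score.
        if not 1 <= control.treatment_score < risk.inherent_risk_score:
            warnings.append(
                f"{risk.name}: control '{control.name}' has Treatment Score "
                f"{control.treatment_score}, which is not in 1..{risk.inherent_risk_score - 1}"
            )
    # A Residual Risk Score of 0 or below would imply the risk is fully mitigated.
    residual = residual_risk_score(risk)
    if residual <= 0:
        warnings.append(
            f"{risk.name}: Residual Risk Score {residual} is zero or negative; "
            "lower the Treatment Score(s) so some residual risk remains"
        )
    return warnings


def sample_risk() -> Risk:
    # Constructed example: two controls whose combined treatment leaves residual risk.
    return Risk(
        name="Credential theft via phishing",
        inherent_risk_score=144,
        controls=[
            Control("Security awareness training", 40),
            Control("Multi-factor authentication", 60),
        ],
    )


def over_treated_risk() -> Risk:
    # Constructed example: combined Treatment Scores exceed the Inherent Risk Score.
    return Risk(
        name="Unpatched internet-facing server",
        inherent_risk_score=90,
        controls=[Control("Patch management", 50), Control("Web application firewall", 45)],
    )


if __name__ == "__main__":
    for risk in (sample_risk(), over_treated_risk()):
        print(f"{risk.name}: inherent={risk.inherent_risk_score}, "
              f"residual={residual_risk_score(risk)}")
        for warning in treatment_score_warnings(risk):
            print("  warning:", warning)
```

Running the script prints a residual score of 44 for the first risk with no warnings, and a negative residual (-5) for the second, flagging that its Treatment Scores need to be lowered before the Residual Risk Score can be used as a meaningful monitoring reference.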
Updating Treatment Score
You can update a control's Treatment Score at any time. See the following steps for instructions:
- Navigate to your Risk Register. From the navigation panel on the left-hand side, click Risk Management > Risk Register.
- From the Risk Register page, find the risk that is mapped to the control for which you want to change the Treatment Score.
- Click on the Risk Name to open the risk, as shown below.
- From the View Risk page, scroll down to the Controls section. From here you can see the current Treatment Score. Click the control name to open the control.
- Click the Update Control button toward the top right-hand side of the View Control page.
- Enter a new value in the Risk Treatment Score field and click the Update Control button to save this change.
Viewing Residual Risk Score
The Residual Risk Score is automatically calculated for each risk in your Risk Register. To view the Residual Risk Score for a specific risk, open the risk from your Risk Register (see this article for navigation instructions).
You can see the Residual Risk score from the View Risk page, as shown below.
By default, the Residual Risk Score will be the same as the Inherent Risk Score. To reduce the Residual Risk Score, you must create or map one or more controls to the risk. For details about creating and mapping controls, see the Creating and Mapping Risk Controls section of our Risk Register article.
When you create or map a control to a risk, the Residual Risk Score is automatically recalculated (if you have applied a Treatment Score to the control).
The below image shows an example of mapping a control to a risk, and how the control's Treatment Score impacts the Residual Risk Score.
There are two different areas in your account where you can generate or download a report that includes Residual Risk Scores:
- Use the Custom Reporting feature to create a risk report that you can view in your console, or download in a CSV file format. See this article for more information.
- From your Risk Register, download a CSV file of all of the risks that you have added to your account. See this article for more information.