In the Risk Management module, you can use risk scores to assess and prioritize your risks. As part of your risk management process, you can assign Likelihood and Impact ratings to your risks. To assess your risks before and after risk treatment, you can assign Likelihood and Impact ratings before and after mapping controls. Based on the scores that you assign, your Inherent Risk Scores and Residual Risk Scores will calculate automatically to help you determine the severity of your risks.
See the sections below to learn how to assign risk scores in your Risk Management module.
Likelihood and Impact Ratings
For a description of the Likelihood and Impact ratings and the score that is associated with each rating, see the table below:
For information about KnowBe4's process for developing KCM GRC's Likelihood and Impact scoring scale, see our Risk Likelihood and Impact Scoring document.
Inherent Risk Scores
You can use the Inherent Risk Score as a baseline measurement of your risks. This score represents the severity of risks before you implement controls to reduce or mitigate the risk. The Inherent Risk Score is automatically calculated when you assign Likelihood and Impact ratings by using the Inherent Risk Score matrix.
To learn how to assign Inherent Risk Scores, see the subsection below.
Assigning Inherent Risk Scores
You can use the Inherent Risk Score matrix to assign Likelihood and Impact ratings to your risks. The Likelihood is then multiplied by the Impact to calculate the Inherent Risk Score.
To assign Likelihood and Impact with this matrix, follow the steps below:
- From your navigation panel, navigate to Risk Management > Risk Register.
- From your Risk Register, select a risk to open the View Risk page.
- Using the Likelihood and Impact table above, determine the Likelihood and Impact ratings to assign to the risk before control treatment.
- In the Inherent Risk Score section of the page, click Recalculate Score.
- Click the square that corresponds to the Likelihood row and Impact column that you would like to select. The Inherent Risk Score will calculate automatically.
Residual Risk Scores
You can use the Residual Risk Score to monitor the remaining severity of a risk after considering mapped controls. The Residual Risk Score can provide insight into the amount of risk that your organization still faces after making efforts to reduce the inherent risk. The Residual Risk Score is automatically calculated when you assign Likelihood and Impact ratings by using the Residual Risk Score matrix.
To learn how to assign Residual Risk Scores, see the subsection below.
Assigning Residual Risk Scores
You can use the Residual Risk Score matrix to assign Likelihood and Impact ratings to your risks. The Likelihood is then multiplied by the Impact to calculate the Residual Risk Score.
To assign Likelihood and Impact with this matrix, follow the steps below:
- From your navigation panel, navigate to Risk Management > Risk Register.
- From your Risk Register, select a risk to open the View Risk page.
- Using the Likelihood and Impact table above, determine the Likelihood and Impact ratings to assign to the risk after control treatment.
- In the Residual Risk Score section of the page, click Recalculate Score.
- Click the square that corresponds to the Likelihood and Impact ratings that you would like to select. The Residual Risk Score will calculate automatically.
Control Treatment
Control treatment scores have been removed to help you better assess a control's effectiveness for each risk that it is mapped to. To view your previous control treatment scores, you can download the Control Treatment Scores file from the Data Exports page.
To learn how to create and map controls to your risks, see our How to Create and Map Risk Controls article. Then, assign residual risk scores to assess your risks after control treatment.