Risk Management Module

Risk Scoring Guide

In the Risk Management module, you can use risk scores to assess and prioritize your risks. As part of your risk management process, you assign Likelihood and Impact ratings to each risk. To assess a risk both before and after risk treatment, you assign one pair of Likelihood and Impact ratings before mapping controls and a second pair after mapping controls. Based on the ratings that you assign, the Inherent Risk Score and Residual Risk Score are calculated automatically to help you determine the severity of each risk.

See the sections below to learn how to assign risk scores in your Risk Management module.

Jump to:

Likelihood and Impact Ratings

Inherent Risk Scores

Residual Risk Scores

Control Treatment

Likelihood and Impact Ratings

For a description of each Likelihood and Impact rating and the score associated with it, see the tables below. Both scales use the same scores (1, 3, 5, 8, 13).

Likelihood ratings

Rare (score 1): The chance of occurrence is less than 5%.
Unlikely (score 3): The chance of occurrence is between 5% and 9%.
Reasonably Possible (score 5): The chance of occurrence is between 10% and 19%.
Likely (score 8): The chance of occurrence is between 20% and 49%.
Almost Certain (score 13): The chance of occurrence is more than 50%.

Impact ratings

Low (score 1): If the risk occurred, it would cause a less than minor mission, system, or program degradation.
Minor (score 3): If the risk occurred, it would cause only a small cost and schedule increase. Requirements could still be met.
Moderate (score 5): If the risk occurred, it would cause moderate cost and schedule increases. Important requirements could still be met.
Major (score 8): If the risk occurred, it would cause major cost and schedule increases. Secondary requirements may not be met.
Catastrophic (score 13): If the risk occurred, it would cause a complete program, system, or mission failure. Minimum acceptable requirements could not be met.

For information about KnowBe4's process for developing KCM GRC's Likelihood and Impact scoring scale, see our Risk Likelihood and Impact Scoring document. 

Inherent Risk Scores

You can use the Inherent Risk Score as a baseline measurement of your risks. This score represents the severity of a risk before you implement controls to reduce or mitigate it. The Inherent Risk Score is calculated automatically when you assign Likelihood and Impact ratings in the Inherent Risk Score matrix.

To learn how to assign Inherent Risk Scores, see the subsection below.

Assigning Inherent Risk Scores

You can use the Inherent Risk Score matrix to assign Likelihood and Impact ratings to your risks. The Likelihood score is then multiplied by the Impact score to calculate the Inherent Risk Score.

To assign Likelihood and Impact with this matrix, follow the steps below:

  1. From your navigation panel, navigate to Risk Management > Risk Register.
  2. From your Risk Register, select a risk to open the View Risk page.
  3. Using the Likelihood and Impact tables above, determine the Likelihood and Impact ratings to assign to the risk before control treatment.
  4. In the Inherent Risk Score section of the page, click Recalculate Score.
  5. Click the square at the intersection of the Likelihood row and the Impact column that you would like to select. The Inherent Risk Score is calculated automatically.

Residual Risk Scores

You can use the Residual Risk Score to monitor the remaining severity of a risk after taking its mapped controls into account. The Residual Risk Score shows how much risk your organization still faces after its efforts to reduce the inherent risk. The Residual Risk Score is calculated automatically when you assign Likelihood and Impact ratings in the Residual Risk Score matrix.

To learn how to assign Residual Risk Scores, see the subsection below.

Assigning Residual Risk Scores

You can use the Residual Risk Score matrix to assign Likelihood and Impact ratings to your risks. The Likelihood score is then multiplied by the Impact score to calculate the Residual Risk Score.

To assign Likelihood and Impact with this matrix, follow the steps below:

  1. From your navigation panel, navigate to Risk Management > Risk Register.
  2. From your Risk Register, select a risk to open the View Risk page.
  3. Using the Likelihood and Impact tables above, determine the Likelihood and Impact ratings to assign to the risk after control treatment.
  4. In the Residual Risk Score section of the page, click Recalculate Score.
  5. Click the square at the intersection of the Likelihood row and the Impact column that you would like to select. The Residual Risk Score is calculated automatically.
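The following Python script is an added illustration of the scoring described in the Inherent Risk Scores and Residual Risk Scores sections above; it is not KnowBe4 or KCM GRC code and does not talk to the product. The rating names and scores come from the Likelihood and Impact tables on this page. The risk register entries are constructed sample data, the ordering rule (rank by residual score, falling back to the inherent score for risks not yet reassessed) is this example's own choice, and the check that a residual score should not exceed its inherent score is a sanity check a reviewer would want, not a rule the product enforces.

```python
"""Worked example of Likelihood x Impact risk scoring (added illustration, not product code)."""
from __future__ import annotations

from dataclasses import dataclass

# Scores taken from the Likelihood and Impact tables on this page.
LIKELIHOOD = {"Rare": 1, "Unlikely": 3, "Reasonably Possible": 5, "Likely": 8, "Almost Certain": 13}
IMPACT = {"Low": 1, "Minor": 3, "Moderate": 5, "Major": 8, "Catastrophic": 13}


def risk_score(likelihood: str, impact: str) -> int:
    """The value of one matrix cell: Likelihood score multiplied by Impact score."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def score_matrix() -> dict[tuple[str, str], int]:
    """Every cell of the 5x5 matrix, keyed by (Likelihood rating, Impact rating)."""
    return {(lk, im): risk_score(lk, im) for lk in LIKELIHOOD for im in IMPACT}


@dataclass
class Risk:
    name: str
    inherent: tuple[str, str]            # (Likelihood, Impact) before control treatment
    residual: tuple[str, str] | None     # (Likelihood, Impact) after mapping controls; None if not yet reassessed

    @property
    def inherent_score(self) -> int:
        return risk_score(*self.inherent)

    @property
    def residual_score(self) -> int | None:
        return None if self.residual is None else risk_score(*self.residual)


def validate(risk: Risk) -> list[str]:
    """Sanity checks (this example's own, not product rules) before trusting the scores."""
    problems = []
    if risk.residual is None:
        problems.append(f"{risk.name}: residual risk not yet assessed")
    elif risk.residual_score > risk.inherent_score:
        # Controls are supposed to reduce risk; a higher residual score usually means
        # the ratings were entered in the wrong matrix or the mapped controls are wrong.
        problems.append(
            f"{risk.name}: residual score {risk.residual_score} exceeds inherent score "
            f"{risk.inherent_score}; re-check the ratings and mapped controls"
        )
    return problems


def prioritize(register: list[Risk]) -> list[str]:
    """Risk names ordered highest severity first, by residual score (inherent if unassessed)."""
    def key(r: Risk) -> tuple[int, int, str]:
        current = r.residual_score if r.residual_score is not None else r.inherent_score
        return (-current, -r.inherent_score, r.name)
    return [r.name for r in sorted(register, key=key)]


# Constructed sample register; the names and ratings are illustrative only.
SAMPLE_REGISTER = [
    Risk("Unpatched internet-facing VPN", ("Likely", "Major"), ("Unlikely", "Major")),
    Risk("Lost unencrypted laptop", ("Reasonably Possible", "Moderate"), ("Rare", "Moderate")),
    Risk("Shared privileged account", ("Almost Certain", "Catastrophic"), None),
    Risk("Backup job misconfigured", ("Unlikely", "Minor"), ("Reasonably Possible", "Minor")),
]

if __name__ == "__main__":
    for r in SAMPLE_REGISTER:
        print(f"{r.name}: inherent={r.inherent_score} residual={r.residual_score}")
        for problem in validate(r):
            print("  WARNING:", problem)
    print("Priority order:", prioritize(SAMPLE_REGISTER))
```

Running the script scores each sample risk, warns about the unassessed risk and about the one whose residual rating came out higher than its inherent rating, and prints the register in priority order.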

Control Treatment

Control treatment scores have been removed so that you can better assess a control's effectiveness for each risk that it is mapped to. To view your previous control treatment scores, download the Control Treatment Scores file from the Data Exports page.

To learn how to create controls and map them to your risks, see our How to Create and Map Risk Controls article. Then, assign Residual Risk Scores to assess your risks after control treatment.
