Glossary of Terms for the Risk Management Module
This glossary contains terms that will help you use the Risk Management module of your KCM GRC platform. For general information about the Risk Management module, see our KCM GRC Risk Management: Overview article.
Controls
In the Risk Management module, you can use controls to document the preventative measures that your organization uses to mitigate potential risks. You can create new controls for your risks, or if your organization has already added relevant controls to your platform, you can map those controls to the risks in the Risk Register. For the full definition of controls, see Controls in our KCM GRC: Glossary of Compliance Terms article.
For instructions on how to use controls in the Risk Management module, see our KCM GRC Risk Management: Creating and Mapping Controls article.
Risk
A risk is a potential threat to your organization. The purpose of the Risk Management module is for you to identify, assess, monitor, and mitigate risks. You can add risks to your Risk Register by using the Risk Wizard, creating custom risks, and importing custom risks. When you create custom risks, you can assign an impact, a likelihood, a status, and a tag to the risks. You can also add additional details to risks, including a description, a category, consequences, and an affected asset. For more information about the Risk Management module, see our KCM GRC Risk Management: Overview article.
The bullet points below are examples of risks.
- Exploit Known Vulnerabilities in Mobile Systems
- Craft Spear Phishing Attacks
- Conduct Physical Attacks on Organizational Facilities
Risk Categories
Risk categories group risks by the area that a risk would affect if it occurred. By default, the Risk Register has six categories, but you can also add custom categories. The default categories are Business & Strategic, Environmental & Natural, Financial, Operational & Infrastructure, Compliance, and Custom.
Risk Statuses
Risk statuses describe the current state of a risk and what efforts your organization can make to manage the risk. The risk statuses are Acceptance, Avoidance, Mitigation, Transfer, Triggered, Closed, and Other.
Risk Tags
Risk tags can help you categorize and find your risks. For example, you can categorize your risks by location if you have different risks in different facilities. Then, you can filter your Risk Register by tag to focus on one or more locations. When you create or update a risk, you can create a new risk tag or select an existing risk tag.
Risk Dashboard
The Risk Dashboard provides an overview of the risks in your Risk Register. You can view your Risk Dashboard to monitor your risks by tag, category, and score.
For more information about the Risk Dashboard, see our KCM GRC Risk Management: Risk Dashboard article.
Risk Likelihood and Impact
The Likelihood and Impact levels can help you estimate the threat that a risk poses for your organization. You can also use the Likelihood and Impact levels to compare and prioritize risks. You can assign a Likelihood and Impact when you create a new risk.
The Likelihood represents the probability that a risk will impact your organization. The Likelihood levels are Rare, Unlikely, Reasonably Possible, Likely, and Almost Certain.
The Impact represents the potential damage that a risk may cause for your organization. The Impact levels are Low, Minor, Moderate, Major, and Catastrophic.
Risk Register
The Risk Register stores all risks that your organization has added to the Risk Management module. We recommend that you add risks to the Risk Register with the Risk Wizard, but you can also import risks in bulk and create risks individually. The Risk Register organizes your risks by category.
For more information about the Risk Register, see our KCM GRC Risk Management: Risk Register article.
Risk Templates
A risk template is either a risk that KnowBe4 provides for users or a custom risk that users create. You can use risk templates to add risks to your Risk Register.
For more information about using risk templates in your platform, see our KCM GRC Risk Management: Risk Templates article.
Risk Scores
Risk scores can help you estimate the damage that a risk can cause before and after you make efforts to mitigate the risk. You can assign risk scores to compare and prioritize your risks.
Inherent Risk Score
The Inherent Risk Score measures the severity of a risk. The score is calculated by multiplying the Likelihood and the Impact. You assign the Inherent Risk Score to risks in your Risk Register.
Residual Risk Score
The Residual Risk Score measures the remaining severity of a risk after considering the controls that are associated with the risk. This score is automatically calculated by subtracting the Treatment Score from the Inherent Risk Score. You can view the Residual Risk Score from the View Risk page.
Risk Treatment Score
The Risk Treatment Score measures how well a control prevents or mitigates a risk. You can set this score for controls in your account. The Risk Treatment Score is also referred to as “Treatment Score” in the platform. You must map a risk to a control before you can add a Treatment Score to the control. After you add a Treatment Score to the control, the Treatment Score will appear on the View Control page.
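The scoring rules above (Inherent = Likelihood × Impact, Residual = Inherent − Treatment Score) are easiest to see applied to a small register. The following Python is an added illustration, not KnowBe4 code and not the platform's own calculation: it assumes the five Likelihood and Impact levels map to 1 through 5 in the order the glossary lists them, that the Treatment Scores of several controls mapped to one risk are summed, and that a Residual Risk Score never drops below zero. The three sample risks, their levels, and the control names and Treatment Scores are constructed for the example.

```python
from dataclasses import dataclass, field

# Ordinal scales from the glossary. The numeric values 1-5 are an assumption
# for this example; the article names the levels but not the numbers behind them.
LIKELIHOOD = {"Rare": 1, "Unlikely": 2, "Reasonably Possible": 3,
              "Likely": 4, "Almost Certain": 5}
IMPACT = {"Low": 1, "Minor": 2, "Moderate": 3, "Major": 4, "Catastrophic": 5}


@dataclass
class Control:
    name: str
    treatment_score: int  # set on the control once it is mapped to a risk


@dataclass
class Risk:
    name: str
    likelihood: str
    impact: str
    category: str = "Custom"
    status: str = "Mitigation"
    controls: list = field(default_factory=list)


def inherent_score(risk: Risk) -> int:
    """Inherent Risk Score = Likelihood x Impact, using the assumed 1-5 mapping."""
    if risk.likelihood not in LIKELIHOOD:
        raise ValueError(f"unknown Likelihood level: {risk.likelihood!r}")
    if risk.impact not in IMPACT:
        raise ValueError(f"unknown Impact level: {risk.impact!r}")
    return LIKELIHOOD[risk.likelihood] * IMPACT[risk.impact]


def treatment_score(risk: Risk) -> int:
    """Assumption: Treatment Scores of all controls mapped to the risk are summed."""
    return sum(c.treatment_score for c in risk.controls)


def residual_score(risk: Risk) -> int:
    """Residual Risk Score = Inherent - Treatment, floored at zero (assumption)."""
    return max(0, inherent_score(risk) - treatment_score(risk))


def prioritize(risks: list) -> list:
    """Order the register for review: highest residual first, inherent as tie-break."""
    return sorted(risks, key=lambda r: (residual_score(r), inherent_score(r)),
                  reverse=True)


def residual_by_category(risks: list) -> dict:
    """Dashboard-style roll-up: total residual score per category."""
    totals: dict = {}
    for r in risks:
        totals[r.category] = totals.get(r.category, 0) + residual_score(r)
    return totals


# Constructed sample register using the example risk names from the glossary.
SAMPLE_REGISTER = [
    Risk("Craft Spear Phishing Attacks", "Likely", "Major",
         category="Operational & Infrastructure",
         controls=[Control("Security awareness training (hypothetical)", 6)]),
    Risk("Exploit Known Vulnerabilities in Mobile Systems", "Reasonably Possible",
         "Moderate", category="Operational & Infrastructure",
         controls=[Control("Mobile patch enforcement (hypothetical)", 5)]),
    Risk("Conduct Physical Attacks on Organizational Facilities", "Rare",
         "Catastrophic", category="Environmental & Natural", status="Acceptance"),
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_REGISTER):
        print(f"{r.name}: inherent={inherent_score(r)} "
              f"treatment={treatment_score(r)} residual={residual_score(r)}")
    print(residual_by_category(SAMPLE_REGISTER))
```

Running it shows why both scores matter: the mobile-vulnerability risk starts with a higher Inherent Risk Score (9) than the physical-attack risk (5), but once its mapped control's Treatment Score is subtracted it drops to 4 and falls below the untreated physical-attack risk in the prioritized list.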
Risk Wizard
The Risk Wizard is a tool that can help you identify risks and add risks to your platform. We recommend that you use the Risk Wizard if your organization has not established a risk management program yet. KnowBe4 provides the risks in the Risk Wizard, which all come from the National Institute of Standards and Technology (NIST) Special Publication 800-30, Guide for Conducting Risk Assessments.
For more information about the Risk Wizard, see our KCM GRC Risk Management: Risk Wizard article.