FAQ for the Risk Management Module
In this article, you can find frequently asked questions about the KCM GRC Risk Management module. If this article doesn't include the question you're looking for, please submit a ticket to our support team.
For general information about the Risk Management module, see our Risk Management Module Guide.
Jump to:
General Information
1. How can I use KCM GRC to perform a risk management assessment?
2. How does KnowBe4 select the risks that are in the Risk Wizard?
3. What are risk templates, and how can I use them?
4. What is the benefit of mapping controls to my risks?
1. Question: How can I use KCM GRC to perform a risk management assessment?
Answer: You can use the KCM GRC Risk Management module to get started with your risk management program or to maintain your existing risk management program.
To learn how you can perform a risk management assessment in KCM GRC, see the list below:
- You can use the Risk Wizard tool to perform a baseline risk management assessment. To learn about the Risk Wizard, see our How to Use the Risk Wizard article.
- When you create or update risks, you can document the consequences and affected assets of each risk. This information can help you determine the areas of your organization that would be affected by the risk. To learn how to create or update risks, see our How to Use Your Risk Register article.
- You can assign Likelihood and Impact scores to your risks. KCM GRC uses these scores to calculate the Inherent Risk Score for each risk, which you can use to prioritize the risks in your Risk Register. To learn about the Likelihood and Impact scores, see the Risk Likelihood and Impact section of our Risk Management Module Guide.
- To document the preventative measures your organization uses to mitigate risks, you can map controls to your risks. To learn how to map controls to risks, see our How to Create and Map Risk Controls article.
- As your organization implements new processes or encounters new issues, you can use your Risk Register to perform issue-based risk management assessments. To perform an issue-based risk assessment, you can reevaluate your existing risks to update the Likelihood and Impact scores, consequences, and affected assets. As you update existing risks, you can document the new process or issue and the updates you make by using the risk Notes widget. Then, you can create new risks for any threats that the new process or issue poses for your organization. To learn how to create or update risks, see our How to Use Your Risk Register article.
- You can maintain your risk management program by performing a continuous risk management assessment. To perform a continuous risk management assessment, you can regularly reevaluate the risks in your Risk Register. Then, you can document the updates you make to risks by using the risk Notes widget. You can also use your Risk Dashboard to monitor your top risks. To learn how to update risks, see our How to Use Your Risk Register article. To learn about your Risk Dashboard, see our How to Use the Risk Dashboard article.
2. Question: How does KnowBe4 select the risks that are in the Risk Wizard?
Answer: The risks in the Risk Wizard are from the National Institute of Standards and Technology (NIST) Special Publication 800-30, Guide for Conducting Risk Assessments.
To learn more about the Risk Wizard, see our How to Use the Risk Wizard article.
3. Question: What are risk templates, and how can I use them?
Answer: Risk templates are risks that KnowBe4 provides from our master risk repository, which are the same risks that appear in the Risk Wizard. You can use risk templates to add risks to your Risk Register. You can also import risk templates into your account, which may be useful if you would like to reuse a risk name or description for multiple risks.
For more information about risk templates, see our How to Use the Risk Templates Tab article.
4. Question: What is the benefit of mapping controls to my risks?
Answer: You can use controls to document the preventative measures your organization uses to mitigate risks. After you map a control to a risk, you can create task schedules or one-time tasks for the control so that your organization can submit evidence that demonstrates how you are meeting the control. This process can help your organization prepare for risks that you may encounter.
To learn how to map controls to your risks, see our How to Create and Map Risk Controls article.
Risk Register
1. Can I add custom categories to my Risk Register?
2. Can I delete risks from my Risk Register?
3. Can I assign different Treatment Scores to a control that is mapped to multiple risks?
4. How does KCM GRC calculate the Inherent Risk Score based on risk Likelihood and Impact scores?
5. How do I send information from my Risk Register to auditors?
1. Question: Can I add custom categories to my Risk Register?
Answer: Yes. You can add custom categories to your Risk Register from your Account Settings. To learn how to add custom categories to your Risk Register, see the Creating Custom Categories section of our How to Use Your Risk Register article.
2. Question: Can I delete risks from my Risk Register?
Answer: At this time, you cannot permanently delete risks from your Risk Register. However, you can archive risks to remove them from your Risk Register. When you archive a risk, it will be moved to the Archived Items section of your account (Settings > Archived Items). You can unarchive the risk to add it back to your Risk Register.
To learn how to archive a risk in your Risk Register, see the Archiving Risks section of our Archiving Items Guide.
3. Question: Can I assign different Treatment Scores to a control that is mapped to multiple risks?
Answer: No. A Treatment Score is assigned to the control itself, so it applies to every risk that the control is mapped to. If you need different Treatment Scores for different risks, you can clone the control once for each risk you would like to map it to. Then, when you map each cloned control to its risk, you can assign a different Treatment Score to each clone.
To learn how to clone a control, see the Viewing Individual Controls from the View Control Page section of our How to Use Controls in Your KCM GRC Platform article. To learn more about the Treatment Score, see the Treatment Score section of our Risk Scoring Guide article.
4. Question: How does KCM GRC calculate the Inherent Risk Score based on risk Likelihood and Impact scores?
Answer: The KCM GRC Likelihood and Impact scales are qualitative. When you assign a Likelihood rating and an Impact rating to a risk, KCM GRC maps each rating to a numeric value taken from the Fibonacci sequence. It then multiplies the Likelihood value by the Impact value to produce the Inherent Risk Score, which you can use to prioritize your risks.
To learn more about the Likelihood and Impact scores, see the Risk Likelihood and Impact section of our Risk Management Module Guide article. To learn more about the Inherent Risk Score, see the Inherent Risk Score section of our Risk Scoring Guide article.
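The following Python script is an added illustration of the scoring described above; it is not KCM GRC code and the product's actual level names and values are documented in the Risk Scoring Guide. It assumes a five-level qualitative scale for both Likelihood and Impact, and assumes the five levels map onto the Fibonacci values 1, 2, 3, 5, 8. The sample risk register is constructed for the example. A linear 1 to 5 mapping is included only so you can compare the two scales.

```python
"""Inherent Risk Score = Likelihood value x Impact value, with qualitative
ratings mapped onto Fibonacci numbers.

Added example, not KCM GRC code. The level names and the exact numeric
values below are assumptions for illustration; the article only states
that the scales are qualitative and that the Fibonacci sequence is used.
"""
from dataclasses import dataclass

# Assumed five-point qualitative scale mapped onto Fibonacci values.
FIBONACCI_SCALE = {"Very Low": 1, "Low": 2, "Medium": 3, "High": 5, "Very High": 8}

# A plain linear scale, included only to compare the spread of scores.
LINEAR_SCALE = {"Very Low": 1, "Low": 2, "Medium": 3, "High": 4, "Very High": 5}


def valid_rating(level: str, scale: dict = FIBONACCI_SCALE) -> bool:
    """True if the rating is one of the defined qualitative levels."""
    return level in scale


def rating_value(level: str, scale: dict = FIBONACCI_SCALE) -> int:
    """Map a qualitative rating to its numeric value; reject unknown levels."""
    if not valid_rating(level, scale):
        raise ValueError(f"unknown rating {level!r}; expected one of {list(scale)}")
    return scale[level]


def inherent_risk_score(likelihood: str, impact: str, scale: dict = FIBONACCI_SCALE) -> int:
    """Likelihood value multiplied by Impact value."""
    return rating_value(likelihood, scale) * rating_value(impact, scale)


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: str
    impact: str

    @property
    def inherent(self) -> int:
        return inherent_risk_score(self.likelihood, self.impact)


def prioritize(register):
    """Order a register by Inherent Risk Score, highest first; ties by name."""
    return sorted(register, key=lambda r: (-r.inherent, r.name))


# Constructed sample register for the example (not real data).
SAMPLE_REGISTER = [
    Risk("Unpatched internet-facing web server", "High", "High"),
    Risk("Loss of a single encrypted laptop", "Medium", "Low"),
    Risk("Phishing leads to credential theft", "Very High", "High"),
    Risk("Data center fire", "Very Low", "Very High"),
]


if __name__ == "__main__":
    for r in prioritize(SAMPLE_REGISTER):
        print(f"{r.inherent:3d}  {r.likelihood:>9} x {r.impact:<9}  {r.name}")
    # Compare how far the top of the matrix sits above the middle on each scale.
    for name, scale in (("Fibonacci", FIBONACCI_SCALE), ("Linear", LINEAR_SCALE)):
        top = inherent_risk_score("Very High", "Very High", scale)
        mid = inherent_risk_score("Medium", "Medium", scale)
        print(f"{name}: Very High x Very High = {top}, Medium x Medium = {mid}")
```

The comparison at the end shows why a Fibonacci mapping is used for prioritization: with the assumed values, the top corner of the matrix scores 64 against 9 for the middle, whereas a linear 1 to 5 scale gives 25 against 9, so the Fibonacci scale pushes the highest-rated risks much further ahead of the merely moderate ones.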
5. Question: How do I send information from my Risk Register to auditors?
Answer: You can export a list of the risks that are in your Risk Register. Then, you can download the list as a data export and send it to auditors.
To learn more about exporting the risks in your Risk Register, see the Exporting Risks section of our How to Use Your Risk Register article.