Risk Management Guide - Matrix Scoring & Treatment Workflows

Complete guide to managing risks in Flow - from creation to treatment workflows with configurable matrix scoring and automated review scheduling.


Flow's risk management system provides end-to-end risk lifecycle management with configurable matrix scoring, treatment workflows, and automated review scheduling. Built for organizations that need comprehensive risk visibility and control.

Overview

The risk management module is the core of Flow's GRC platform, providing:

  • Configurable Risk Matrix with 3x3 to 10x10 scoring (default 5x5)
  • Treatment Workflows with decision rationale and residual risk tracking
  • Automated Review Scheduling with customizable cadences
  • Multi-framework Support for ISO 27001, NIST CSF, COSO ERM, and more
  • Audit Trail with complete change history

Creating Risks

Multi-step Risk Creation

Flow uses a guided multi-step process to ensure comprehensive risk documentation:

  1. Risk Details: Title, description, category, and owner assignment
  2. Risk Assessment: Likelihood and impact scoring using your organization's matrix
  3. Treatment Planning: Choose treatment strategy with rationale
  4. Review Scheduling: Set next review date based on organizational cadence

Risk Categories

Risks can be categorized using configurable categories such as:

  • Operational - Business process and operational risks
  • Financial - Financial loss and market risks
  • Compliance - Regulatory and compliance risks
  • Technology - IT systems and cybersecurity risks
  • Strategic - Business strategy and competitive risks

Risk Scoring System

Configurable Matrix

Organizations can configure their risk matrix:

  • Matrix Size: 3x3, 4x4, 5x5 (default), up to 10x10
  • Level Cutoffs: Define Low/Medium/High/Critical thresholds
  • Custom Definitions: Likelihood and impact descriptions

Live Scoring

Risk scores are calculated in real-time using your organization's settings:

  • Inherent Risk: Likelihood × Impact before controls
  • Residual Risk: Likelihood × Impact after control implementation
  • Risk Level: Automatically assigned based on score and cutoffs

Treatment Workflows

Treatment Options

Flow supports four standard treatment strategies:

  1. Accept - Accept the risk as-is with rationale
  2. Mitigate - Implement controls to reduce risk
  3. Transfer - Transfer risk through insurance or contracts
  4. Avoid - Eliminate the risk source entirely

Residual Risk Tracking

After treatment planning:

  • Residual Likelihood: Expected likelihood after controls
  • Residual Impact: Expected impact after controls
  • Residual Score: Calculated automatically
  • Validation: Residual risk cannot exceed inherent risk
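The scoring rules described in the Risk Scoring System section (configurable matrix size, Likelihood × Impact, level cutoffs) and the residual-risk validation above can be shown in a few dozen lines. The following is an added illustration, not Flow's own code: the `RiskMatrix` and `Risk` classes, the default cutoff values (4/9/16 on a 5x5 matrix) and the decision to compare residual and inherent as scores are all assumptions made for the example.

```python
"""Constructed example of configurable matrix scoring; not Flow's implementation."""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class RiskMatrix:
    # Matrix size: the page allows 3x3 up to 10x10, default 5x5.
    size: int = 5
    # Level cutoffs, checked in ascending order: score <= threshold -> level.
    # Anything above the last cutoff is Critical. These numbers are an
    # assumption for a 5x5 matrix; other sizes need their own cutoffs.
    cutoffs: Tuple[Tuple[int, str], ...] = ((4, "Low"), (9, "Medium"), (16, "High"))

    def __post_init__(self):
        if not 3 <= self.size <= 10:
            raise ValueError("matrix size must be between 3x3 and 10x10")
        thresholds = [t for t, _ in self.cutoffs]
        if thresholds != sorted(thresholds) or thresholds[-1] >= self.size * self.size:
            raise ValueError("cutoffs must ascend and stay below the maximum score")

    def score(self, likelihood: int, impact: int) -> int:
        """Likelihood x Impact, with both inputs checked against the matrix size."""
        for name, value in (("likelihood", likelihood), ("impact", impact)):
            if not isinstance(value, int) or not 1 <= value <= self.size:
                raise ValueError(f"{name} must be an integer in 1..{self.size}")
        return likelihood * impact

    def level(self, score: int) -> str:
        """Map a numeric score to Low/Medium/High/Critical using the cutoffs."""
        for threshold, name in self.cutoffs:
            if score <= threshold:
                return name
        return "Critical"


@dataclass
class Risk:
    title: str
    likelihood: int            # inherent, before controls
    impact: int                # inherent, before controls
    residual_likelihood: Optional[int] = None   # expected after controls
    residual_impact: Optional[int] = None       # expected after controls


def assess(risk: Risk, matrix: RiskMatrix) -> dict:
    """Compute inherent and (if planned) residual score and level.

    Enforces the page's rule that residual risk cannot exceed inherent risk;
    here that is checked on the multiplied score (an assumption).
    """
    inherent = matrix.score(risk.likelihood, risk.impact)
    result = {"inherent_score": inherent, "inherent_level": matrix.level(inherent)}
    if risk.residual_likelihood is not None and risk.residual_impact is not None:
        residual = matrix.score(risk.residual_likelihood, risk.residual_impact)
        if residual > inherent:
            raise ValueError("residual risk cannot exceed inherent risk")
        result["residual_score"] = residual
        result["residual_level"] = matrix.level(residual)
    return result


if __name__ == "__main__":
    m = RiskMatrix()
    print(assess(Risk("Lost laptop with customer data", 4, 5, 2, 3), m))
```

Because the cutoffs are validated against the matrix size, a 3x3 organisation has to supply cutoffs that fit a maximum score of 9 (for instance `((2, "Low"), (4, "Medium"), (6, "High"))`) rather than inheriting the 5x5 defaults; that mirrors the page's point that level thresholds are organisation-defined.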

Treatment Rationale

Document decision-making with:

  • Treatment Justification: Why this treatment was chosen
  • Implementation Plan: How controls will be implemented
  • Success Metrics: How effectiveness will be measured

Review Scheduling

Automated Reviews

Flow automatically schedules risk reviews:

  • Default Cadence: 90 days (configurable per organization)
  • Custom Periods: Set specific review dates per risk
  • Dashboard Alerts: Visual indicators for overdue reviews
  • Background Jobs: Automated flagging of risks past review date
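The scheduling logic above (a 90-day default cadence, per-risk custom dates that override it, and a background job that flags risks past their review date) is small enough to show end to end. This is an added example rather than Flow's code; the function names, the dictionary shape of a risk record and the sample risks are all constructed for illustration.

```python
"""Constructed example of review scheduling and overdue flagging; not Flow's implementation."""
from datetime import date, timedelta
from typing import List, Optional, Tuple

DEFAULT_CADENCE_DAYS = 90  # the page's default cadence, configurable per organization


def next_review_date(last_review: date,
                     cadence_days: int = DEFAULT_CADENCE_DAYS,
                     custom_date: Optional[date] = None) -> date:
    """A custom per-risk date wins over the organization cadence."""
    if custom_date is not None:
        if custom_date <= last_review:
            raise ValueError("custom review date must be after the last review")
        return custom_date
    if cadence_days <= 0:
        raise ValueError("cadence must be a positive number of days")
    return last_review + timedelta(days=cadence_days)


def review_status(next_review: date, today: date) -> Tuple[str, int]:
    """Return ('overdue', days past due) or ('scheduled', days remaining)."""
    delta = (next_review - today).days
    return ("overdue", -delta) if delta < 0 else ("scheduled", delta)


def flag_overdue(risks: List[dict], today: date,
                 cadence_days: int = DEFAULT_CADENCE_DAYS) -> List[Tuple[str, int]]:
    """Background-job style sweep: (title, days overdue) for every risk past
    its review date, most overdue first. Risk records are assumed to carry
    'title', 'last_review' and optionally 'custom_review_date'."""
    overdue = []
    for risk in risks:
        due = next_review_date(risk["last_review"], cadence_days,
                               risk.get("custom_review_date"))
        status, days = review_status(due, today)
        if status == "overdue":
            overdue.append((risk["title"], days))
    overdue.sort(key=lambda item: -item[1])
    return overdue


# Constructed sample data: three risks reviewed on different dates.
SAMPLE_RISKS = [
    {"title": "Phishing of finance staff", "last_review": date(2024, 1, 10)},
    {"title": "Vendor outage", "last_review": date(2024, 3, 1),
     "custom_review_date": date(2024, 6, 1)},
    {"title": "Unpatched web server", "last_review": date(2023, 11, 1)},
]

if __name__ == "__main__":
    for title, days in flag_overdue(SAMPLE_RISKS, date(2024, 5, 1)):
        print(f"OVERDUE {days:>3}d  {title}")
```

Run as a daily job with `today = date.today()`, the sweep is what drives the dashboard's overdue indicators; the sort puts the longest-neglected risks first so that reviewers see them at the top.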

Review Process

During risk reviews:

  1. Reassess Scoring: Update likelihood and impact
  2. Control Effectiveness: Evaluate current controls
  3. Treatment Progress: Track action completion
  4. Schedule Next Review: Set future review date

Integration with Controls

Control Linking

Risks can be linked to multiple controls:

  • Preventive Controls: Reduce likelihood of occurrence
  • Detective Controls: Improve detection capabilities
  • Corrective Controls: Minimize impact when risks occur

Control Effectiveness

Track how controls impact risk:

  • Effectiveness Rating: High/Medium/Low effectiveness
  • Coverage Analysis: Which risks are covered by controls
  • Gap Identification: Risks lacking adequate controls

Actions Management

Risk-based Actions

Create actions directly from risks:

  • Implementation Actions: Deploy new controls
  • Assessment Actions: Evaluate existing controls
  • Review Actions: Scheduled risk reviews
  • Remediation Actions: Address control gaps

Action Tracking

Monitor action progress:

  • Kanban Board: Visual workflow management
  • Due Date Tracking: Overdue action alerts
  • Assignment Management: Clear ownership
  • Progress Updates: Status and completion tracking

Compliance Mapping

Framework Alignment

Map risks to compliance frameworks:

  • ISO 27001: Information security management
  • NIST CSF: Cybersecurity framework
  • COSO ERM: Enterprise risk management
  • GDPR: Data protection requirements
  • SOC 2: Service organization controls

Multi-framework Support

Single risks can map to multiple frameworks:

  • Cross-framework Visibility: See framework coverage
  • Compliance Reporting: Framework-specific views
  • Gap Analysis: Identify missing framework elements

Risk Analytics

Dashboard Integration

Risk data feeds into Flow's analytics dashboard:

  • Interactive Risk Matrix: Visual risk distribution
  • KPI Tracking: Risk level trends over time
  • Risk Velocity: Creation vs closure rates
  • Treatment Effectiveness: Actual vs planned risk reduction

Business Intelligence

Advanced analytics provide insights:

  • Risk Concentration: Areas of highest risk
  • Control Performance: Most/least effective controls
  • Trend Analysis: Risk patterns over time
  • Benchmark Metrics: Compare against industry standards

Best Practices

Risk Identification

  • Regular Assessments: Quarterly risk identification sessions
  • Stakeholder Input: Include diverse perspectives
  • Scenario Planning: Consider emerging risks
  • Industry Benchmarks: Learn from peer organizations

Risk Documentation

  • Clear Descriptions: Specific, measurable risk statements
  • Impact Quantification: Dollar amounts where possible
  • Probability Estimation: Historical data and expert judgment
  • Regular Updates: Keep risk information current

Treatment Planning

  • Cost-Benefit Analysis: Balance control costs with risk reduction
  • Implementation Timeline: Realistic deployment schedules
  • Success Metrics: Measurable effectiveness indicators
  • Regular Review: Assess treatment effectiveness

Getting Started

  1. Configure Settings: Set up your organization's risk matrix and categories
  2. Import Library Items: Use pre-built risks from compliance frameworks
  3. Create First Risk: Follow the guided multi-step process
  4. Link Controls: Associate relevant controls with your risks
  5. Schedule Reviews: Set up automated review cadences
  6. Monitor Dashboard: Track risk trends and KPIs

Flow's risk management system scales with your organization, providing the structure and automation needed for effective enterprise risk management.

