Settings & Configuration

Comprehensive guide to Flow's organizational settings including risk matrix configuration, user management, review schedules, and system preferences.


Flow's settings system allows organizations to customize the platform to match their specific risk management needs, processes, and preferences. This guide covers all configuration options available to organization administrators.

Overview

Flow provides comprehensive configuration options for:

  • Risk Matrix Settings with customizable scoring and level definitions
  • User Management with role-based access control
  • Review Schedules with automated cadence settings
  • Category Management for organizational risk taxonomy
  • Integration Settings for external system connectivity
  • Audit and Compliance configuration options

Risk Matrix Configuration

Matrix Size Settings

Available Matrix Sizes

  • 3×3: 9 possible risk scores (1-9)
  • 4×4: 16 possible risk scores (1-16)
  • 5×5: 25 possible risk scores (1-25) - Default
  • 6×6: 36 possible risk scores (1-36)
  • Up to 10×10: 100 possible risk scores (1-100)

Configuration Process

  1. Access Settings → Risk Matrix
  2. Select desired matrix size
  3. Configure risk level cutoffs
  4. Define likelihood and impact scales
  5. Save and apply changes

Impact of Changes

  • Existing risks recalculated automatically
  • Dashboard and reports update immediately
  • Historical data preserved with change audit
  • Users notified of matrix updates

Risk Level Cutoffs

Default 5×5 Configuration

Low: 1-5 (Green)
Medium: 6-12 (Yellow)
High: 15-20 (Orange)
Critical: 21-25 (Red)

Customization Guidelines

  • Ensure no gaps in score ranges
  • Avoid overlapping score ranges
  • Align with organizational risk appetite
  • Consider regulatory requirements
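
An added example (not Flow's own code) that checks a set of level cutoffs against the two range guidelines above. It assumes a risk score is likelihood × impact, which this page does not state; under that assumption it separates uncovered scores that no matrix cell can produce from uncovered scores a real risk could land on. The function names and the BAD_CUSTOM sample are constructed for illustration.

```python
from typing import Dict, List, Set, Tuple

Band = Tuple[int, int]  # inclusive (low, high) score range for one risk level


def reachable_scores(size: int) -> Set[int]:
    """Scores a size x size matrix can produce if score = likelihood * impact (assumption)."""
    return {l * i for l in range(1, size + 1) for i in range(1, size + 1)}


def check_cutoffs(size: int, bands: Dict[str, Band]) -> Dict[str, List]:
    """Report overlapping, uncovered and out-of-range cutoffs for a size x size matrix."""
    findings: Dict[str, List] = {"invalid": [], "overlaps": [], "gaps": [], "reachable_gaps": []}
    max_score = size * size
    owners: Dict[int, List[str]] = {s: [] for s in range(1, max_score + 1)}

    for name, (low, high) in bands.items():
        # A band must be ordered and stay inside 1..size*size.
        if low > high or low < 1 or high > max_score:
            findings["invalid"].append(name)
            continue
        for score in range(low, high + 1):
            owners[score].append(name)

    reachable = reachable_scores(size)
    for score, names in owners.items():
        if len(names) > 1:
            findings["overlaps"].append((score, names))  # two levels claim this score
        elif not names:
            findings["gaps"].append(score)               # no level claims this score
            if score in reachable:
                findings["reachable_gaps"].append(score)  # a real cell would be unclassified
    return findings


# Default 5x5 cutoffs exactly as listed on this page.
DEFAULT_5X5 = {"Low": (1, 5), "Medium": (6, 12), "High": (15, 20), "Critical": (21, 25)}

# Constructed sample: score 5 is claimed twice and score 12 (3 x 4) is unclaimed.
BAD_CUSTOM = {"Low": (1, 5), "Medium": (5, 11), "High": (13, 20), "Critical": (21, 25)}

if __name__ == "__main__":
    for label, bands in (("default 5x5", DEFAULT_5X5), ("bad custom", BAD_CUSTOM)):
        print(label, check_cutoffs(5, bands))
```

Run against the default 5×5 cutoffs listed above, it reports 13 and 14 as uncovered, and neither is a likelihood × impact product on a 5×5 grid. A non-empty `reachable_gaps` list is the case to block before saving a custom configuration.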

Risk Appetite Alignment

  • Conservative: Lower thresholds for high/critical
  • Moderate: Balanced distribution across levels
  • Aggressive: Higher thresholds for escalation

Likelihood Definitions

Quantitative Approach

1 - Rare: <5% probability in next 12 months
2 - Unlikely: 5-25% probability
3 - Possible: 25-50% probability
4 - Likely: 50-75% probability
5 - Almost Certain: >75% probability

Qualitative Approach

1 - Remote: Highly unlikely to occur
2 - Unlikely: Low probability of occurrence
3 - Possible: Moderate probability
4 - Likely: High probability of occurrence
5 - Certain: Very high probability or inevitable

Time-based Approach

1 - Rare: Once in 10+ years
2 - Unlikely: Once every 5-10 years
3 - Possible: Once every 2-5 years
4 - Likely: Once per year
5 - Frequent: Multiple times per year

Impact Definitions

Financial Impact Scale
Customize dollar amounts based on organization size:

Small Organization (<$10M revenue):
1 - Negligible: <$10K
2 - Minor: $10K-$50K
3 - Moderate: $50K-$250K
4 - Major: $250K-$1M
5 - Catastrophic: >$1M

Large Organization (>$1B revenue):
1 - Negligible: <$1M
2 - Minor: $1M-$10M
3 - Moderate: $10M-$50M
4 - Major: $50M-$250M
5 - Catastrophic: >$250M

Operational Impact Scale

1 - Negligible: <1 hour service disruption
2 - Minor: 1-8 hours disruption
3 - Moderate: 8-24 hours disruption
4 - Major: 1-7 days disruption
5 - Catastrophic: >7 days disruption

Reputational Impact Scale

1 - Negligible: Internal awareness only
2 - Minor: Local media attention
3 - Moderate: Regional media coverage
4 - Major: National media attention
5 - Catastrophic: International coverage, brand damage

User Management

User Roles

Organization Administrator

  • Permissions: Full system access and configuration
  • Responsibilities: System administration, user management
  • Limitations: None - complete access
  • Assignment: Typically CEO, CTO, or designated admin

Risk Manager

  • Permissions: Risk and action management, reporting
  • Responsibilities: Risk oversight, team coordination
  • Limitations: Cannot modify organization settings
  • Assignment: Risk management professionals, managers

Risk Owner

  • Permissions: Assigned risk management and updates
  • Responsibilities: Risk assessment, action completion
  • Limitations: Only assigned risks and actions
  • Assignment: Business unit leaders, process owners

Analyst

  • Permissions: Read access, report generation, data analysis
  • Responsibilities: Risk analysis, reporting support
  • Limitations: Cannot create or modify risks
  • Assignment: Risk analysts, business analysts

Viewer

  • Permissions: Read-only access to dashboards and reports
  • Responsibilities: Monitoring and awareness
  • Limitations: No modification capabilities
  • Assignment: Executives, board members, stakeholders

User Invitation Process

Invitation Workflow

  1. Navigate to Settings → Users
  2. Click "Invite User" button
  3. Enter email address and select role
  4. Add optional welcome message
  5. Send invitation via email
  6. User receives email with setup link
  7. User completes profile and password setup

Bulk User Import

  • CSV file upload with user details
  • Role assignment during import
  • Automatic invitation generation
  • Import validation and error handling

Permission Granularity

Risk Management Permissions

  • Create new risks
  • Edit risk details and assessments
  • Delete risks (with restrictions)
  • Assign risk ownership
  • Approve risk treatments

Action Management Permissions

  • Create and assign actions
  • Update action status and progress
  • Close completed actions
  • View action performance metrics

Reporting Permissions

  • Generate standard reports
  • Export data to CSV/PDF
  • Create custom report views
  • Access analytics dashboard

Administrative Permissions

  • Modify organization settings
  • Manage user accounts and roles
  • Configure integrations
  • Access audit logs

Review Schedule Configuration

Default Cadence Settings

Risk Level-Based Scheduling

Critical Risks: 30 days (Monthly)
High Risks: 60 days (Bi-monthly)
Medium Risks: 90 days (Quarterly)
Low Risks: 180 days (Semi-annually)

Custom Scheduling Options

  • Fixed intervals (30, 60, 90, 180, 365 days)
  • Calendar-based (monthly, quarterly, annually)
  • Business cycle-aligned (fiscal quarters, budget cycles)
  • Event-driven (post-incident, after major changes)

Automated Notifications

Review Reminder Schedule

  • 30 days before review due
  • 14 days before review due
  • 7 days before review due
  • Day of review due
  • Overdue notifications (daily)

Notification Recipients

  • Risk owners receive primary notifications
  • Risk managers receive summary notifications
  • Organization admins receive overdue alerts
  • Custom distribution lists for escalation

Review Process Configuration

Review Requirements

  • Mandatory risk reassessment
  • Control effectiveness evaluation
  • Action progress review
  • Treatment strategy validation
  • Next review date scheduling

Approval Workflows

  • Single-stage approval (risk owner only)
  • Two-stage approval (owner + manager)
  • Committee approval for critical risks
  • Automatic approval for low-risk items

Category Management

Standard Categories

Pre-configured Categories

  • Operational Risks
  • Financial Risks
  • Technology Risks
  • Compliance Risks
  • Strategic Risks
  • Reputational Risks

Category Configuration

  • Add new categories
  • Modify existing categories
  • Set category colors and icons
  • Define category descriptions
  • Assign category owners

Custom Categories

Industry-Specific Categories

  • Healthcare: Patient safety, HIPAA compliance
  • Financial Services: Credit risk, market risk
  • Manufacturing: Supply chain, product liability
  • Technology: Data security, intellectual property

Organizational Categories

  • Geographic regions
  • Business units
  • Product lines
  • Customer segments
  • Project phases

Category Management

Best Practices

  • Limit to 5-8 main categories
  • Ensure categories are mutually exclusive
  • Align with organizational structure
  • Use clear, descriptive names
  • Regular review and updates

Integration Settings

Single Sign-On (SSO) Configuration

SAML 2.0 Setup

  1. Obtain identity provider metadata
  2. Configure SAML attributes mapping
  3. Set up user provisioning rules
  4. Test authentication flow
  5. Enable for organization

OAuth Integration

  • Google Workspace configuration
  • Microsoft 365 integration
  • Custom OAuth provider setup
  • Multi-factor authentication support

User Provisioning

  • Automatic user creation
  • Role assignment based on groups
  • Attribute synchronization
  • Deprovisioning on account removal

API Configuration

API Key Management

  • Generate organization API keys
  • Set expiration dates
  • Configure rate limiting
  • Monitor API usage
  • Revoke compromised keys

Webhook Configuration

  • Real-time event notifications
  • Custom payload formatting
  • Retry and error handling
  • Security token validation

External System Integration

SIEM Integration

  • Security event forwarding
  • Risk status updates
  • Incident correlation
  • Automated alerting

GRC Platform Integration

  • Risk data synchronization
  • Control status updates
  • Compliance reporting
  • Audit trail sharing

Audit and Compliance Settings

Audit Logging

Logged Events

  • Risk creation and modifications
  • User login and logout
  • Settings changes
  • Report generation
  • Data exports

Log Retention

  • Standard retention: 7 years
  • Configurable retention periods
  • Automatic archival
  • Compliance-driven retention

Log Access

  • Organization admins: Full access
  • Risk managers: Limited access
  • Auditors: Read-only access
  • Automated log analysis

Compliance Configuration

Regulatory Requirements

  • Data residency settings
  • Privacy policy compliance
  • Audit trail requirements
  • Reporting standards

Certification Support

  • ISO 27001 compliance mode
  • SOC 2 audit preparation
  • GDPR compliance features
  • Industry-specific requirements

System Preferences

Display Settings

Dashboard Configuration

  • Default dashboard view
  • KPI display preferences
  • Chart and graph options
  • Color scheme selection

Notification Preferences

  • Email notification frequency
  • In-app notification settings
  • Mobile push notifications
  • Digest email configuration

Data and Privacy

Data Export Settings

  • Allowed export formats
  • Data classification handling
  • Personal data protection
  • Export approval workflows

Privacy Controls

  • User consent management
  • Data retention policies
  • Right to erasure support
  • Data portability features

Change Management

Settings Change Process

Change Approval

  • Risk assessment for major changes
  • Stakeholder notification
  • Approval workflow
  • Implementation scheduling

Change Communication

  • User notification of changes
  • Training requirements
  • Documentation updates
  • Support during transition

Version Control

Configuration Versioning

  • Settings change history
  • Rollback capabilities
  • Configuration comparison
  • Audit trail of changes

Impact Assessment

  • Risk recalculation effects
  • User workflow impacts
  • Integration considerations
  • Training requirements

Getting Started with Settings

Initial Configuration Checklist

  1. Review Default Settings: Understand current configuration
  2. Customize Risk Matrix: Align with organizational needs
  3. Configure User Roles: Set up appropriate permissions
  4. Set Review Schedules: Establish review cadences
  5. Import Framework Content: Add relevant compliance frameworks
  6. Test Configuration: Validate settings with test data
  7. Train Users: Educate team on new configuration

Ongoing Maintenance

Regular Review Schedule

  • Quarterly settings review
  • Annual comprehensive assessment
  • Post-incident configuration updates
  • Regulatory change adaptations

Continuous Improvement

  • User feedback integration
  • Performance optimization
  • Security enhancement
  • Feature utilization analysis

Flow's comprehensive settings system ensures the platform adapts to your organization's unique risk management requirements while maintaining consistency and control across all users and processes.

