Organization Configuration

Configure your organization's risk matrix, categories, frameworks, and user permissions in Flow.

After platform setup, configure your organization's specific risk management parameters. This includes risk matrix settings, categories, compliance frameworks, and user roles.

Risk Matrix Configuration

Matrix Size Selection

Choose the appropriate risk assessment matrix for your organization:

3×3 Matrix - Simple

  • Best for: Small organizations, simple risk landscapes
  • Risk levels: Low (1-3), Medium (4-6), High (7-9)
  • Quick assessments with broad risk categories

4×4 Matrix - Balanced

  • Best for: Medium organizations, moderate complexity
  • Risk levels: Low (1-4), Medium (5-10), High (11-16)
  • Good balance of granularity and simplicity

5×5 Matrix - Comprehensive (Default)

  • Best for: Most organizations, industry standard
  • Risk levels: Low (1-5), Medium (6-12), High (15-20), Critical (21-25)
  • Detailed assessment with clear risk differentiation

6×6+ Matrix - Advanced

  • Best for: Large enterprises, complex risk environments
  • Highly granular assessment capabilities
  • Requires mature risk management processes

Risk Level Cutoffs

Define how risk scores translate to organizational risk levels:

Customizing Cutoffs

  • Align with organizational risk appetite
  • Consider regulatory requirements
  • Match industry benchmarks
  • Reflect stakeholder expectations

Example 5×5 Configuration

Low: 1-5 (Green)
Medium: 6-12 (Yellow)
High: 15-20 (Orange)
Critical: 21-25 (Red)

Validation Rules

  • No gaps in score ranges
  • No overlapping ranges
  • All scores 1-25 covered
  • Logical progression from low to high
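The four validation rules applied to the Example 5×5 Configuration above, as an added example that is not part of Flow's documentation or product code; the Cutoff class, the function names and the widened "Medium: 6-14" variant are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cutoff:
    level: str
    low: int
    high: int

def reachable_scores(size):
    """Scores a likelihood x impact product can actually take on an NxN matrix."""
    return {l * i for l in range(1, size + 1) for i in range(1, size + 1)}

def validate_cutoffs(cutoffs, size):
    """Apply the page's four rules; return the violations found (empty = valid)."""
    problems = []
    max_score = size * size
    # Logical progression: levels must be listed from low to high
    lows = [c.low for c in cutoffs]
    if lows != sorted(lows):
        problems.append("levels are not ordered from low to high")
    # Record which level(s) claim each score from 1 to N*N
    owners = {s: [] for s in range(1, max_score + 1)}
    for c in cutoffs:
        if not 1 <= c.low <= c.high <= max_score:
            problems.append(f"{c.level}: range {c.low}-{c.high} is invalid for {size}x{size}")
            continue
        for s in range(c.low, c.high + 1):
            owners[s].append(c.level)
    gaps = [s for s, lv in owners.items() if not lv]          # no gaps / all covered
    overlaps = [s for s, lv in owners.items() if len(lv) > 1]  # no overlapping ranges
    if gaps:
        problems.append(f"gap: scores {gaps} map to no level")
    if overlaps:
        problems.append(f"overlap: scores {overlaps} map to more than one level")
    return problems

def classify(score, cutoffs):
    """Translate a likelihood x impact product into its configured risk level."""
    for c in cutoffs:
        if c.low <= score <= c.high:
            return c.level
    raise ValueError(f"score {score} is not covered by any cutoff")

# The page's example 5x5 configuration, copied as written
PAGE_EXAMPLE = [Cutoff("Low", 1, 5), Cutoff("Medium", 6, 12),
                Cutoff("High", 15, 20), Cutoff("Critical", 21, 25)]
# Constructed variant: Medium widened to 14 so every score 1-25 is covered
FIXED_EXAMPLE = [Cutoff("Low", 1, 5), Cutoff("Medium", 6, 14),
                 Cutoff("High", 15, 20), Cutoff("Critical", 21, 25)]
```

Run against the page's example, the validator reports a gap at scores 13 and 14; reachable_scores(5) shows that neither can arise as a likelihood × impact product on a 5×5 matrix, so the gap cannot misclassify a real risk but still fails the all-scores-covered rule.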

Likelihood and Impact Definitions

Create clear, measurable definitions for your organization:

Likelihood Scales

Customize probability definitions:

  • Quantitative: Use percentage ranges (e.g., <5%, 5-25%, 25-50%)
  • Qualitative: Use descriptive terms (e.g., Rare, Unlikely, Possible)
  • Time-based: Specify timeframes (e.g., "in next 12 months")
  • Frequency-based: Use occurrence rates (e.g., "once per year")

Impact Scales

Define impact in relevant terms:

  • Financial: Dollar amounts appropriate to organization size
  • Operational: Service disruption duration
  • Reputational: Media coverage and customer loss
  • Regulatory: Fine amounts and sanctions

Risk Categories

Standard Categories

Configure primary risk categories for your organization:

Operational Risks

  • Business process failures
  • Supply chain disruptions
  • Human resource issues
  • Facility and infrastructure

Financial Risks

  • Market volatility
  • Credit and liquidity
  • Foreign exchange
  • Interest rate changes

Technology Risks

  • Cybersecurity threats
  • System failures
  • Data breaches
  • Technology obsolescence

Compliance Risks

  • Regulatory violations
  • Legal issues
  • Policy non-compliance
  • Audit findings

Strategic Risks

  • Competitive threats
  • Market changes
  • Innovation failures
  • Reputation damage

Custom Categories

Add organization-specific categories:

  • Industry-specific: Healthcare, financial services, manufacturing
  • Geographic: Regional regulatory requirements
  • Product-specific: Product line risks
  • Customer-specific: Key customer dependencies

Category Management

Best Practices

  • Limit to 5-8 main categories
  • Ensure mutual exclusivity
  • Align with business structure
  • Update as organization evolves

Compliance Frameworks

Framework Selection

Choose relevant frameworks for your organization:

Information Security

  • ISO 27001: Information security management
  • NIST CSF: Cybersecurity framework
  • OWASP: Web application security

Enterprise Risk Management

  • COSO ERM: Enterprise risk management
  • ISO 31000: Risk management principles
  • FAIR: Factor Analysis of Information Risk

Regulatory Compliance

  • GDPR: Data protection (EU)
  • SOC 2: Service organization controls
  • HIPAA: Healthcare data protection (US)

Multi-framework Mapping

Configure relationships between frameworks:

  • Primary Framework: Main organizational standard
  • Secondary Frameworks: Additional compliance requirements
  • Cross-mapping: Link requirements across frameworks
  • Gap Analysis: Identify uncovered requirements

Framework Customization

Adapt frameworks to your organization:

  • Scope Definition: Applicable business areas
  • Control Customization: Modify for organizational context
  • Implementation Guidance: Add organization-specific procedures
  • Evidence Requirements: Define proof of compliance

User Roles and Permissions

Standard Roles

Configure user access levels:

Organization Admin

  • Full system access and configuration
  • User management and role assignment
  • Settings modification
  • System administration

Risk Manager

  • Risk creation and management
  • Action assignment and tracking
  • Report generation
  • Framework management

Risk Owner

  • Assigned risk management
  • Action completion and updates
  • Review participation
  • Status reporting

Analyst

  • Risk assessment support
  • Data analysis and reporting
  • Dashboard monitoring
  • Documentation support

Viewer

  • Read-only access to risks and reports
  • Dashboard viewing
  • No modification permissions
  • Limited data export

Permission Granularity

Configure specific permissions:

Risk Management

  • Create new risks
  • Edit risk details
  • Delete risks
  • Assign risk ownership

Action Management

  • Create actions
  • Assign actions to users
  • Update action status
  • Close completed actions

Settings Access

  • Modify organization settings
  • Configure risk matrix
  • Manage user roles
  • Update frameworks

Reporting

  • Generate standard reports
  • Export data
  • Create custom reports
  • Access analytics dashboard

Review Cadence Settings

Default Review Periods

Set organization-wide review schedules:

Risk-based Scheduling

  • Critical Risks: 30 days (monthly)
  • High Risks: 60 days (every two months)
  • Medium Risks: 90 days (quarterly)
  • Low Risks: 180 days (semi-annual)

Custom Scheduling

  • Project-based risks: Milestone-driven
  • Regulatory risks: Compliance calendar-based
  • Operational risks: Business cycle-aligned
  • Strategic risks: Annual planning-aligned

Automated Notifications

Configure review reminders:

Advance Notifications

  • 30 days before review due
  • 7 days before review due
  • Day of review due
  • Overdue notifications

Escalation Procedures

  • Risk owner notification
  • Manager escalation
  • Executive dashboard alerts
  • Audit committee reporting

Integration Settings

Single Sign-On (SSO)

Configure enterprise authentication:

SAML 2.0 Setup

  • Identity provider configuration
  • User attribute mapping
  • Group-based role assignment
  • Session management

OAuth Integration

  • Google Workspace integration
  • Microsoft 365 integration
  • Custom OAuth providers
  • Multi-factor authentication

API Configuration

Enable system integrations:

API Access

  • Generate organization API keys
  • Set rate limiting
  • Configure permissions
  • Monitor usage

Webhook Configuration

  • Real-time event notifications
  • Custom integration workflows
  • External system updates
  • Audit trail integration

Data Retention and Privacy

Retention Policies

Configure data lifecycle management:

Risk Data Retention

  • Active risk retention period
  • Closed risk archival timeline
  • Historical data preservation
  • Compliance requirements

Audit Log Retention

  • Change history preservation
  • User activity logging
  • System event tracking
  • Regulatory compliance

Privacy Settings

Ensure data protection compliance:

Personal Data Handling

  • User consent management
  • Data anonymization options
  • Export and deletion requests
  • Privacy policy alignment

Cross-border Data Transfer

  • Data residency requirements
  • International transfer controls
  • Regional compliance needs
  • Encryption requirements

Validation and Testing

Configuration Verification

Ensure settings work correctly:

Matrix Testing

  • Create test risks at each level
  • Verify score calculations
  • Confirm level assignments
  • Test cutoff boundaries

Permission Testing

  • Test each user role
  • Verify access restrictions
  • Confirm workflow permissions
  • Validate escalation procedures

User Acceptance

Validate with stakeholders:

Stakeholder Review

  • Risk owners approve categories
  • Managers validate matrix settings
  • Executives confirm reporting
  • Compliance validates frameworks

Training Requirements

  • User onboarding sessions
  • Role-specific training
  • Feature demonstrations
  • Best practice guidance

Ongoing Maintenance

Regular Reviews

Keep configuration current:

Quarterly Reviews

  • Assess matrix effectiveness
  • Review category relevance
  • Update framework requirements
  • Validate user permissions

Annual Updates

  • Strategic alignment review
  • Industry benchmark comparison
  • Regulatory requirement updates
  • Technology platform upgrades

Change Management

Manage configuration changes:

Change Process

  • Stakeholder approval required
  • Impact assessment
  • User communication
  • Training updates

Version Control

  • Configuration change tracking
  • Rollback capabilities
  • Historical configuration archive
  • Audit trail maintenance

Your organization configuration forms the foundation of effective risk management in Flow. Take time to align these settings with your organizational needs and risk appetite.
