First Risk Assessment

Create your first risk in Flow using the guided multi-step process with matrix scoring and treatment planning.


This guide walks you through creating your first risk assessment in Flow. You'll learn the core risk management workflow and see how Flow's features work together.

Prerequisites

Before starting, ensure you have:

  • Completed Platform Setup
  • Configured your organization's risk matrix
  • Set up basic risk categories
  • Invited initial team members

Step 1: Access Risk Management

From your Flow dashboard:

  1. Navigate to Risks using the sidebar menu
  2. Click "New Risk" to start the guided creation process
  3. Choose creation method: Manual entry or import from library

Step 2: Multi-step Risk Creation

Flow guides you through a comprehensive risk creation process:

2.1 Risk Details

Basic Information

  • Title: Clear, descriptive risk name (e.g., "Data breach due to weak access controls")
  • Description: Detailed risk scenario and potential causes
  • Category: Select from your configured categories (Operational, Financial, Technology, etc.)
  • Owner: Assign a risk owner from your team

2.2 Risk Assessment

Inherent Risk Scoring

  • Likelihood: Rate 1-5 based on your organization's definitions
  • Impact: Rate 1-5 considering financial and operational effects
  • Automatic Calculation: Flow calculates the risk score (Likelihood × Impact)
  • Risk Level: Automatically assigned based on your organization's cutoffs

2.3 Treatment Planning

Choose Treatment Strategy

  • Accept: Document rationale for accepting the risk
  • Mitigate: Plan control implementation
  • Transfer: Arrange insurance or contracts
  • Avoid: Eliminate the risk source

Residual Risk Assessment

  • Post-treatment Likelihood: Expected likelihood after controls
  • Post-treatment Impact: Expected impact after controls
  • Validation: System ensures residual ≤ inherent risk

2.4 Review Scheduling

Set Review Cadence

  • Default Period: Based on organizational settings (typically 90 days)
  • Custom Schedule: Adjust based on risk level and complexity
  • Automatic Reminders: Flow tracks and alerts for upcoming reviews
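
The scoring, residual validation and review scheduling from sections 2.2 to 2.4 can be modelled offline, for example to sanity-check entries before keying them in. This is an added example, not Flow's own code. The level cutoffs, the per-level review intervals, the choice to compare residual and inherent risk by score and to key the review date to the residual level, and all names are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed cutoffs (highest score in each level); Flow applies your organization's own.
LEVEL_CUTOFFS = [(4, "Low"), (9, "Medium"), (16, "High"), (25, "Critical")]
# Assumed review interval in days per level; the guide only names a typical 90-day default.
REVIEW_DAYS = {"Low": 180, "Medium": 90, "High": 60, "Critical": 30}
TREATMENTS = {"Accept", "Mitigate", "Transfer", "Avoid"}


def score(likelihood: int, impact: int) -> int:
    """Likelihood x Impact, each rated on the 1-5 scale."""
    for name, value in (("likelihood", likelihood), ("impact", impact)):
        if not isinstance(value, int) or not 1 <= value <= 5:
            raise ValueError(f"{name} must be an integer from 1 to 5, got {value!r}")
    return likelihood * impact


def level(risk_score: int) -> str:
    return next(name for upper, name in LEVEL_CUTOFFS if risk_score <= upper)


@dataclass
class Risk:
    title: str
    likelihood: int
    impact: int
    treatment: str
    residual_likelihood: int
    residual_impact: int

    def assess(self, created: date) -> dict:
        """Score the risk, enforce residual <= inherent, and schedule the review."""
        if self.treatment not in TREATMENTS:
            raise ValueError(f"unknown treatment {self.treatment!r}")
        inherent = score(self.likelihood, self.impact)
        residual = score(self.residual_likelihood, self.residual_impact)
        if residual > inherent:
            raise ValueError(f"residual score {residual} exceeds inherent {inherent}")
        residual_level = level(residual)
        return {"inherent": inherent, "inherent_level": level(inherent),
                "residual": residual, "residual_level": residual_level,
                "next_review": created + timedelta(days=REVIEW_DAYS[residual_level])}


# Constructed sample risk, using the example title from section 2.1.
SAMPLE = Risk("Data breach due to weak access controls", 4, 5, "Mitigate", 2, 4)
if __name__ == "__main__":
    print(SAMPLE.assess(date(2024, 1, 1)))
```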

Once your organization is created, you'll land on the main dashboard. Here's what you'll see:

  • Risk Summary: Overview of your current risk posture
  • Recent Activity: Latest updates and changes
  • Compliance Status: Progress on your compliance frameworks
  • Quick Actions: Common tasks and shortcuts

Step 3: Create Your First Risk

Let's create your first risk assessment:

  1. Navigate to Risks using the sidebar menu
  2. Click "Add Risk" button
  3. Choose a risk creation method:
    • Manual Entry: Create a risk from scratch
    • AI Generator: Use AI to suggest risks based on your industry
    • Import: Upload risks from a CSV file

Manual Risk Creation

If you choose manual entry:

  1. Risk Title: Enter a descriptive title (e.g., "Data Breach from Phishing Attack")
  2. Category: Select the appropriate risk category
  3. Description: Provide a detailed description of the risk
  4. Impact Assessment: Rate the potential impact (1-5 scale)
  5. Likelihood: Assess the probability of occurrence (1-5 scale)
  6. Current Controls: List existing mitigation measures
  7. Risk Owner: Assign responsibility for this risk

Using AI Risk Generator

For a faster start, try the AI Risk Generator:

  1. Select your business area (e.g., IT, Finance, Operations)
  2. Choose risk types you want to explore
  3. Review AI suggestions and select relevant risks
  4. Customize the generated risks to fit your organization

Step 4: Set Up Controls

Controls are the measures you put in place to mitigate risks:

  1. Navigate to Controls in the sidebar
  2. Click "Add Control"
  3. Fill in control details:
    • Control Name: Descriptive title
    • Type: Preventive, Detective, or Corrective
    • Implementation Status: Not Started, In Progress, Implemented
    • Owner: Person responsible for the control
    • Testing Frequency: How often the control is tested

Step 5: Link Controls to Risks

Connect your controls to relevant risks:

  1. Open a risk from your risk register
  2. Scroll to the "Controls" section
  3. Click "Link Control"
  4. Select existing controls or create new ones
  5. Define the relationship (how the control mitigates the risk)

Step 6: Explore Compliance Frameworks

Flow comes with built-in compliance frameworks:

  1. Navigate to Compliance in the sidebar
  2. View available frameworks:
    • SOC 2 Type II
    • ISO 27001
    • NIST Cybersecurity Framework
  3. Enable frameworks relevant to your organization
  4. Review control mappings to see how your controls align

Step 7: Set Up Assets and Vendors

Track your organizational assets and third-party relationships:

Assets

  1. Navigate to Assets
  2. Add your first asset:
    • Asset Name: Server, Application, Database, etc.
    • Type: Hardware, Software, Data, etc.
    • Criticality: High, Medium, Low
    • Owner: Person responsible

Vendors

  1. Navigate to Vendors
  2. Add a vendor:
    • Vendor Name: Third-party organization
    • Service Type: What they provide
    • Risk Level: Assessment of vendor risk
    • Contract Details: Key contract information

Step 8: Generate Your First Report

See your progress with Flow's reporting features:

  1. Navigate to Reports
  2. Select a report type:
    • Risk Summary: Overview of your risk landscape
    • Compliance Dashboard: Framework compliance status
    • Executive Summary: High-level overview for leadership
  3. Customize parameters and generate the report

Key Concepts to Remember

Risk Assessment

  • Impact: What happens if the risk occurs?
  • Likelihood: How probable is the risk?
  • Risk Score: Calculated from Impact × Likelihood

Control Types

  • Preventive: Stop risks from occurring
  • Detective: Identify when risks materialize
  • Corrective: Respond to and recover from incidents

Risk Treatment

  • Accept: Acknowledge and monitor the risk
  • Avoid: Eliminate the risk by changing processes
  • Mitigate: Reduce likelihood or impact
  • Transfer: Share risk through insurance or contracts

Next Steps

Now that you're familiar with the basics:

  1. Explore Features - Learn about advanced capabilities
  2. AI Tools - Leverage AI for risk management
  3. Best Practices - Learn effective risk management strategies
  4. Integrations - Connect Flow with your existing tools

Getting Help

  • In-app Help: Look for the (?) icons throughout the interface
  • Documentation: Comprehensive guides for all features
  • Support: Contact our team for assistance
  • Community: Join our user community for tips and best practices

Congratulations! You're now ready to effectively manage risks with Flow. 🎉

