Platform Setup

Get started with Flow's GRC platform. Learn how to set up your organization, configure risk settings, and begin managing risks effectively.


Welcome to Flow! This guide will help you set up your organization's GRC platform and configure the essential settings needed to begin effective risk management.

Initial Setup Process

1. Account Creation

Sign Up Process

  • Create your Flow account using email or SSO
  • Verify your email address
  • Complete initial user profile

Organization Creation

  • Set up your organization profile
  • Choose organization name and settings
  • Invite initial team members
  • Configure basic preferences

2. Authentication Setup

Flow uses Clerk for secure authentication with multiple options:

Email Authentication

  • Standard email/password login
  • Secure password requirements
  • Multi-factor authentication support
  • Password reset capabilities

Single Sign-On (SSO)

  • SAML 2.0 integration
  • OAuth providers (Google, Microsoft)
  • Active Directory integration
  • Custom SSO configurations

3. Organization Configuration

Basic Information

  • Organization name and description
  • Industry classification
  • Company size and structure
  • Contact information

User Management

  • Invite team members via email
  • Assign roles and permissions
  • Set up organizational hierarchy
  • Configure approval workflows

Risk Matrix Configuration

Matrix Size Setup

Configure your organization's risk assessment matrix:

Available Sizes

  • 3x3: Simple assessment for smaller organizations
  • 4x4: Balanced approach for medium organizations
  • 5x5: Default comprehensive matrix (recommended)
  • Up to 10x10: Advanced assessment for complex organizations

Selection Considerations

  • Organization complexity
  • Risk assessment maturity
  • Stakeholder preferences
  • Industry standards

Risk Level Cutoffs

Define how risk scores translate to risk levels:

Default 5x5 Configuration

  • Low: Scores 1-5 (Green)
  • Medium: Scores 6-12 (Yellow)
  • High: Scores 15-20 (Orange)
  • Critical: Scores 21-25 (Red)

Custom Configuration

  • Adjust cutoffs based on risk appetite
  • Align with organizational tolerance
  • Consider regulatory requirements
  • Match industry benchmarks
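
The default cutoffs above leave scores 13-14 unassigned, which only matters if a score can actually land there, and custom cutoffs can introduce the same kind of gap. The check below is an added example, not Flow's own code: it assumes a score is likelihood multiplied by impact (this page does not state the formula), and the 4x4 cutoffs are constructed sample values.

```python
from itertools import product

# Default 5x5 cutoffs as listed on this page (inclusive score ranges).
DEFAULT_5X5 = {"Low": (1, 5), "Medium": (6, 12), "High": (15, 20), "Critical": (21, 25)}

# Constructed custom cutoffs for a 4x4 matrix, used to show a real gap.
CONSTRUCTED_4X4 = {"Low": (1, 4), "Medium": (5, 8), "High": (10, 12), "Critical": (13, 16)}


def reachable_scores(size):
    """Scores an N x N matrix can produce, ASSUMING score = likelihood * impact."""
    return sorted({l * i for l, i in product(range(1, size + 1), repeat=2)})


def level_for(score, cutoffs):
    """Return the level whose inclusive range contains score, or None."""
    for level, (lo, hi) in cutoffs.items():
        if lo <= score <= hi:
            return level
    return None


def check_cutoffs(size, cutoffs):
    """List problems: inverted bands, overlapping bands, reachable scores with no level."""
    problems = []
    bands = sorted(cutoffs.items(), key=lambda kv: kv[1][0])
    for name, (lo, hi) in bands:
        if lo > hi:
            problems.append(f"{name} has lower bound above upper bound")
    for (name_a, (_, hi_a)), (name_b, (lo_b, _)) in zip(bands, bands[1:]):
        if lo_b <= hi_a:
            problems.append(f"{name_a} and {name_b} overlap")
    for score in reachable_scores(size):
        if level_for(score, cutoffs) is None:
            problems.append(f"score {score} has no level")
    return problems


if __name__ == "__main__":
    print("5x5 default:", check_cutoffs(5, DEFAULT_5X5) or "ok")
    print("4x4 custom: ", check_cutoffs(4, CONSTRUCTED_4X4) or "ok")
```

Under the multiplication assumption the default 5x5 cutoffs pass because 13 and 14 are not products of two values from 1 to 5, while the constructed 4x4 cutoffs fail because 3 x 3 = 9 falls between Medium and High.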

Likelihood and Impact Definitions

Create clear, organization-specific definitions:

Likelihood Levels (1-5)

  • 1 - Rare: <5% probability in next 12 months
  • 2 - Unlikely: 5-25% probability
  • 3 - Possible: 25-50% probability
  • 4 - Likely: 50-75% probability
  • 5 - Almost Certain: >75% probability

Impact Levels (1-5)

  • 1 - Negligible: <$10K financial impact
  • 2 - Minor: $10K-$100K impact
  • 3 - Moderate: $100K-$1M impact
  • 4 - Major: $1M-$10M impact
  • 5 - Catastrophic: >$10M impact

Note: Customize these definitions to match your organization's scale and context.

Risk Categories

Standard Categories

Flow provides common risk categories:

Operational Risks

  • Business process failures
  • Supply chain disruptions
  • Facility and infrastructure issues
  • Human resource challenges

Financial Risks

  • Market volatility
  • Credit and liquidity risks
  • Foreign exchange exposure
  • Interest rate fluctuations

Compliance Risks

  • Regulatory violations
  • Legal and contractual issues
  • Policy non-compliance
  • Audit findings

Technology Risks

  • Cybersecurity threats
  • System failures and outages
  • Data breaches and privacy
  • Technology obsolescence

Strategic Risks

  • Competitive threats
  • Market changes
  • Innovation failures
  • Reputation damage

Custom Categories

Add organization-specific categories:

  • Industry-specific risks
  • Geographic risks
  • Product-specific risks
  • Customer segment risks

Framework Library Setup

Pre-built Frameworks

Flow includes comprehensive framework libraries:

Risk Library (21 Items)

  • Common organizational risks
  • Industry-specific threats
  • Cybersecurity risks
  • Operational vulnerabilities

Control Library (17 Items)

  • Preventive controls
  • Detective controls
  • Corrective controls
  • Implementation guidance

Supported Frameworks (8)

  • ISO 27001: Information security management
  • NIST CSF: Cybersecurity framework
  • COSO ERM: Enterprise risk management
  • GDPR: Data protection requirements
  • OWASP: Web application security
  • ISO 31000: Risk management principles
  • SOC 2: Service organization controls
  • FAIR: Factor analysis of information risk

Library Import

Selective Import

  • Choose relevant framework elements
  • Customize descriptions for your organization
  • Map to existing organizational structures
  • Avoid importing irrelevant items

Bulk Import Process

  1. Review available library items
  2. Select relevant frameworks
  3. Customize imported content
  4. Map to organizational categories
  5. Assign ownership and responsibility

User Roles and Permissions

Standard Roles

Flow provides role-based access control:

Organization Admin

  • Full system access
  • User management
  • Settings configuration
  • System administration

Risk Manager

  • Risk creation and management
  • Action assignment
  • Report generation
  • Framework management

Risk Owner

  • Assigned risk management
  • Action completion
  • Status updates
  • Review participation

Analyst

  • Risk assessment support
  • Data analysis
  • Report creation
  • Dashboard monitoring

Custom Permissions

Configure granular permissions:

  • Risk creation and editing
  • Action assignment
  • Settings modification
  • Report access

Review Cadence Setup

Default Settings

Configure organization-wide review schedules:

Standard Cadence

  • 90 Days: Default review period (recommended)
  • Quarterly: Aligns with business cycles
  • Adjustable: Per-risk customization
  • Automated: System-generated reminders

Risk-based Variations

  • Critical Risks: Monthly review (30 days)
  • High Risks: Bi-monthly review (60 days)
  • Medium Risks: Quarterly review (90 days)
  • Low Risks: Semi-annual review (180 days)

Automated Scheduling

Flow automatically manages review schedules:

  • Background Jobs: Automated flagging
  • Dashboard Alerts: Visual indicators
  • Email Notifications: Reminder system (planned)
  • Escalation Procedures: Overdue management

Initial Data Setup

Seed Data Import

Start with pre-configured content:

Template Risks

  • Industry-standard risk examples
  • Customizable descriptions
  • Pre-mapped controls
  • Framework alignments

Control Templates

  • Best-practice controls
  • Implementation guidance
  • Testing procedures
  • Effectiveness criteria

Data Migration

Import existing risk data:

Supported Formats

  • CSV files with standard schema
  • Excel templates
  • API integration
  • Manual entry interface

Migration Process

  1. Export data from existing systems
  2. Map to Flow's data structure
  3. Validate and clean data
  4. Import using Flow's tools
  5. Verify accuracy and completeness

Integration Setup

Single Sign-On (SSO)

Configure enterprise authentication:

SAML 2.0 Setup

  • Identity provider configuration
  • Attribute mapping
  • User provisioning
  • Access control integration

OAuth Integration

  • Google Workspace
  • Microsoft 365
  • Active Directory
  • Custom OAuth providers

API Access

Enable programmatic integration:

API Keys

  • Generate organization API keys
  • Set appropriate permissions
  • Configure rate limiting
  • Monitor usage

Webhook Configuration

  • Real-time event notifications
  • Custom integration workflows
  • External system updates
  • Audit trail integration

Validation and Testing

Configuration Verification

Ensure setup is correct:

Settings Review

  • Verify risk matrix configuration
  • Confirm level definitions
  • Test scoring calculations
  • Validate user permissions

Workflow Testing

  • Create test risks
  • Assign test actions
  • Verify notifications
  • Confirm integrations

User Acceptance

Validate with stakeholders:

Training Sessions

  • User onboarding
  • Feature demonstrations
  • Workflow training
  • Best practice guidance

Feedback Collection

  • User experience feedback
  • Configuration adjustments
  • Process refinements
  • Performance optimization

Next Steps

After completing platform setup:

  1. Create First Risk: Follow guided risk creation process
  2. Import Library Data: Add relevant framework content
  3. Invite Team Members: Set up user accounts and roles
  4. Configure Dashboards: Customize analytics views
  5. Schedule Training: Educate users on platform features
  6. Begin Risk Assessments: Start formal risk management process

Your Flow platform is now configured and ready for comprehensive risk management. The next sections will guide you through specific features and workflows to maximize your GRC program effectiveness.

