Implementation Guide
Your roadmap to successful GRC adoption.
Three guides—one for GRC rollout, one for risk scoring, one for business continuity.
GRC Rollout: Three Phases
Phase 1: Discovery
Identify key stakeholders and map your current risk landscape. Import existing spreadsheets into ActiveERM.
Phase 2: Configuration
Set up your risk matrices, customize impact scales, and define user roles.
Phase 3: Rollout
Train department heads and launch automated compliance assessments.
Risk Management Scoring Guide
A practical reference for inherent risk, residual risk, risk appetite, and how to score and prioritize risks.
Risk score buckets at a glance
| Bucket | Score range | Typical action |
|---|---|---|
| Low | 1–4 | Monitor; accept if within appetite. |
| Medium | 5–9 | Review; consider treatment if trend worsens. |
| High | 10–15 | Treat; reduce likelihood or impact. |
| Extreme | 16–25 | Immediate action; escalate and treat. |
Inherent Risk
The risk level before any controls or mitigations. Assess likelihood and impact as if no safeguards existed. Use this as the baseline before treatment.
Residual Risk
The risk that remains after controls and mitigations. Score likelihood and impact taking existing controls into account. Compare residual to inherent to show risk reduction.
Risk Appetite & Tolerance
Define how much risk the organization is willing to accept (appetite) and the maximum acceptable level before action is required (tolerance). Use these thresholds to flag risks that need treatment or escalation.
Likelihood & Impact
Use consistent scales (e.g. 1–5 or 1–4) for likelihood and impact. Multiply or use a matrix to get a risk score. Define criteria so assessors score consistently across the organization.
Likelihood scale (1–5)
| Score | Label | Bucket |
|---|---|---|
| 1 | Rare | Low |
| 2 | Unlikely | Low |
| 3 | Possible | Medium |
| 4 | Likely | High |
| 5 | Almost certain | High |
Impact scale (1–5)
| Score | Label | Bucket |
|---|---|---|
| 1 | Negligible | Low |
| 2 | Minor | Low |
| 3 | Moderate | Medium |
| 4 | Major | High |
| 5 | Severe | High |
Risk Matrix & Heat Map
Plot risks on a matrix (likelihood × impact) and use color bands (e.g. green / yellow / red) to prioritize. Review the heat map regularly and focus treatment on high and extreme risks first.
| Impact \ Likelihood | 1 Rare | 2 Unlikely | 3 Possible | 4 Likely | 5 Almost certain |
|---|---|---|---|---|---|
| 5 Severe | 5 | 10 | 15 | 20 | 25 |
| 4 Major | 4 | 8 | 12 | 16 | 20 |
| 3 Moderate | 3 | 6 | 9 | 12 | 15 |
| 2 Minor | 2 | 4 | 6 | 8 | 10 |
| 1 Negligible | 1 | 2 | 3 | 4 | 5 |
Treatment & Monitoring
For each risk, choose treat, tolerate, transfer, or terminate. Assign owners and deadlines. Track KRIs and control effectiveness so residual risk stays within appetite.
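The scoring rules above (1–5 scales, likelihood × impact, the score buckets, residual compared with inherent, and appetite/tolerance thresholds) are small enough to encode as a checker that a risk team can run over a register before loading it into a GRC tool. The block below is an added example written for this guide; it is not ActiveERM code. The bucket ranges and scale labels come from the tables on this page; the `appetite` and `tolerance` scores, the `Risk` record, and the sample register are assumptions chosen for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass

# 1-5 scales with the labels used in this guide.
LIKELIHOOD_LABELS = {1: "Rare", 2: "Unlikely", 3: "Possible", 4: "Likely", 5: "Almost certain"}
IMPACT_LABELS = {1: "Negligible", 2: "Minor", 3: "Moderate", 4: "Major", 5: "Severe"}

# Score buckets and typical actions, taken from the guide's bucket table.
BUCKETS = (
    (1, 4, "Low", "Monitor; accept if within appetite."),
    (5, 9, "Medium", "Review; consider treatment if trend worsens."),
    (10, 15, "High", "Treat; reduce likelihood or impact."),
    (16, 25, "Extreme", "Immediate action; escalate and treat."),
)


def _check_scale(value: int, name: str) -> int:
    """Reject anything outside the 1-5 scale so every assessor scores on the same basis."""
    if not isinstance(value, int) or isinstance(value, bool) or not 1 <= value <= 5:
        raise ValueError(f"{name} must be an integer from 1 to 5, got {value!r}")
    return value


def risk_score(likelihood: int, impact: int) -> int:
    """Multiplicative score: likelihood x impact, range 1-25."""
    return _check_scale(likelihood, "likelihood") * _check_scale(impact, "impact")


def bucket_for(score: int) -> tuple[str, str]:
    """Map a 1-25 score to (bucket name, typical action)."""
    for low, high, name, action in BUCKETS:
        if low <= score <= high:
            return name, action
    raise ValueError(f"score {score} is outside 1-25")


def heat_map() -> list[list[int]]:
    """The 5x5 matrix as drawn in the guide: rows are impact 5..1, columns likelihood 1..5."""
    return [[risk_score(lik, imp) for lik in range(1, 6)] for imp in range(5, 0, -1)]


@dataclass(frozen=True)
class Risk:
    name: str
    inherent_likelihood: int   # scored as if no safeguards existed
    inherent_impact: int
    residual_likelihood: int   # scored with existing controls taken into account
    residual_impact: int


def assess(risk: Risk, appetite: int = 4, tolerance: int = 9) -> dict:
    """Score inherent and residual risk and flag the residual against appetite/tolerance.

    `appetite` and `tolerance` are assumed threshold scores (not values from the
    guide): residual <= appetite is acceptable, residual <= tolerance needs review
    or treatment, anything above tolerance is escalated.
    """
    inherent = risk_score(risk.inherent_likelihood, risk.inherent_impact)
    residual = risk_score(risk.residual_likelihood, risk.residual_impact)
    if residual > inherent:
        # Controls cannot add risk; a residual above inherent is a scoring error.
        raise ValueError(f"{risk.name}: residual {residual} exceeds inherent {inherent}")
    reduction_pct = round(100 * (inherent - residual) / inherent)
    if residual <= appetite:
        status = "within appetite"
    elif residual <= tolerance:
        status = "above appetite: treatment recommended"
    else:
        status = "above tolerance: escalate"
    residual_bucket, action = bucket_for(residual)
    return {
        "name": risk.name,
        "inherent": inherent,
        "inherent_bucket": bucket_for(inherent)[0],
        "residual": residual,
        "residual_bucket": residual_bucket,
        "action": action,
        "reduction_pct": reduction_pct,
        "status": status,
    }


def prioritize(risks: list[Risk], **thresholds) -> list[dict]:
    """Treatment order: highest residual score first, ties broken by inherent score."""
    results = [assess(r, **thresholds) for r in risks]
    return sorted(results, key=lambda r: (r["residual"], r["inherent"]), reverse=True)


if __name__ == "__main__":
    # Constructed sample register; names and scores are illustrative only.
    register = [
        Risk("Ransomware on file servers", 4, 5, 2, 4),
        Risk("Lost laptop (disk encrypted)", 3, 3, 3, 1),
        Risk("Third-party SaaS outage", 3, 4, 3, 4),
    ]
    for row in prioritize(register, appetite=4, tolerance=9):
        print(f"{row['name']:<30} inherent {row['inherent']:>2} ({row['inherent_bucket']})"
              f"  residual {row['residual']:>2} ({row['residual_bucket']})"
              f"  reduction {row['reduction_pct']}%  {row['status']}")
```

Two checks in `assess` are worth keeping when you adapt this: rejecting scores outside the agreed scale (so a "6" typed into a spreadsheet cannot inflate a score), and rejecting a residual that exceeds its inherent score, which almost always means the two were assessed against different criteria rather than that a control made things worse.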
BCMS Implementation Guide (ISO 22301)
A structured approach to implementing a Business Continuity Management System aligned with ISO 22301.
Context, Leadership & Planning
Understand the organization, interested parties, and scope of the BCMS. Secure top management commitment, define roles and responsibilities, and set BCMS objectives aligned with strategy.
BCMS Policy & Objectives
Establish a business continuity policy and measurable objectives. Ensure the policy is communicated and available to relevant parties. Review and update it periodically.
Business Impact Analysis (BIA)
Identify critical activities, dependencies, and the impact of disruption. Define recovery time objectives (RTO) and recovery point objectives (RPO). Use BIA outputs to prioritize and design continuity and recovery strategies.
BCP & Response Plans
Develop business continuity plans (BCP) and incident response procedures. Document how to activate plans, communicate internally and externally, and recover critical activities. Keep plans accessible and up to date.
Testing, Exercises & Evaluation
Test and exercise BC plans through tabletop exercises, simulations, or full rehearsals. Evaluate results and update plans and procedures. Ensure key personnel know their roles during an incident.
Performance Evaluation & Continual Improvement
Monitor and measure BCMS performance against objectives. Conduct internal audits and management reviews. Act on nonconformities and lessons learned from incidents and exercises to continually improve the BCMS.