

  • Simple - Intuitive workflows promote organization-wide adoption.
  • Effective - From "zero to GRC" in minutes.
  • Affordable - Comprehensive Governance, Risk Management and Compliance at a fraction of the cost.



SimpleRisk is a solution that scales with the evolving requirements of your organization.


Enterprise governance activities are designed to ensure that the information that reaches your executive team is complete, accurate and timely.


Risk Management

Ensure that management identifies, analyzes, and responds appropriately to risks that may adversely affect realization of your business objectives.



Assess your state of compliance and the risks and potential costs of non-compliance in order to prioritize, fund and initiate corrective action.


Incident Management

Identify, respond to and recover from events that negatively impact your organization.


Comprehensive GRC solutions by industry





SimpleRisk is trusted by hundreds of companies worldwide


Quote - Allan Alford, CISO

The problem with many GRC tools is that they overreach their mission and become incredibly complex. So complex that they require dedicated resources to manage them. SimpleRisk gives you exactly what you need without all that overhead. And the best part is you can download it and get started for free!

Allan Alford

Quote - Greg Tatum, VP of Infrastructure and Security, DealerSocket

I previously used SimpleRisk prior to joining DealerSocket and was well aware of its value, so one of the first initiatives I undertook was to deploy SimpleRisk here as well. My primary objectives were to streamline the cumbersome process of tracking risks using spreadsheets, make our overall risk posture visible to peers and management, obtain actionable output to prioritize mitigation efforts, and satisfy PCI compliance. SimpleRisk not only meets these requirements, but is also very easy to implement, use, and manage, plus reports can be easily customized to match the needs of key stakeholders. I've found SimpleRisk to be both highly effective, and reasonably priced.

VP of Infrastructure and Security, DealerSocket
Greg Tatum

Quote - Marcelle Bicker, Information Security Compliance Analyst, Rochester Regional Health

Rochester Regional Health chose SimpleRisk because we needed a tool that would allow us to model our risk management program within a purpose built application, versus modifying our program due to product limitations. We selected the hosted version of SimpleRisk to expand our capabilities, eliminate existing manual procedures and end perpetual spreadsheet management. This has proven to be successful for our security risk management program.

Information Security Compliance Analyst
Marcelle Bicker

Quote - Nick Waringa, Information Security and Risk Manager

I have implemented Archer, Lockpath, and RSAM at my previous employers. They all are super heavy weight and require armies of people or professional services to manage. I don't think you emphasize enough the small amount of body overhead with the payback that SimpleRisk provides. There is no way my current employer could afford the previously mentioned apps.

Information Security and Risk Manager
Nick Waringa

The Latest from the SimpleRisk Blog

What is the right way to do risk management?  We hear this question fairly frequently on calls with prospects and my answer is always the same.  There is no "right way" or "wrong way" to do risk management.  There's only your way...


How SimpleRisk Can Meet Your Custom GRC Requirements

Over the years, we've received a number of inquiries about the OWASP Risk Rating Methodology with some contention around how we have integrated it into SimpleRisk. Some have questioned how SimpleRisk reaches its final risk score while others have pointed to differences in the Skill Level values. Let's delve into this...

The OWASP Risk Rating Methodology and SimpleRisk

If the "textbook" definition of risk scoring is Risk = Likelihood x Impact, then a Severe (5) impact and an Almost Certain (5) likelihood should have a score of 25, right?  The answer isn't quite so simple...

Normalizing Risk Scoring Across Different Methodologies

Learn how to use SimpleRisk's Import-Export and Risk Assessment Extras in order to efficiently use the NIST Cybersecurity Framework's controls to assess your organization's risks and perform a control gap analysis.

Simplifying the NIST Cybersecurity Framework with SimpleRisk

At the end of June 2020, a civil rights coalition, which includes the Anti-Defamation League (ADL) and the NAACP, launched the #StopHateforProfit campaign.  This campaign calls upon major corporations to put a pause on Facebook advertisements, citing the company's...

SimpleRisk Stands Against Hate

Today I had a really interesting conversation with a guy from Japan via LinkedIn.  It started with him trying to sell me...

Risk Management for Dummies

When I first released SimpleRisk as a free tool back in March of 2013, I decided to license it under the open source ...

The Security of Open Source vs Closed Source Software

I've been avoiding sending out an e-mail about this since I know you all have already been inundated by e-mails ...

SimpleRisk's Plan for COVID-19

As the Information Security Program Owner at National Instruments, I spent years contemplating the answer to a ...

SimpleRisk On-Premise or Hosted - Which Deployment Model is Right for You?

Back in 2013, when I first started working on SimpleRisk in my spare time on nights and weekends, I started using a ...

What features do you want to see added to SimpleRisk?

As the Information Security Program Owner at National Instruments, a $1.4B global enterprise, I've spent the past ...

SimpleRisk Now Offering Complimentary Risk Management Program Consulting to Customers

Last week I was invited to participate in Kyle Burt's live podcast featuring leaders in tech and business called ...

SimpleRisk Founder Josh Sokol Featured on Dialed In With Kyle Burt

Currently, SimpleRisk supports six different risk scoring methods.  We have Classic Risk, which is the likelihood ...

There is Nothing Simple About FAIR

This is just a short (1 minute) animated video explaining some of the capabilities around performing internal and ...

How to Perform Risk Assessments (with SimpleRisk)

Unless you've been hiding under a rock for the past three weeks, you're probably familiar with CVE-2019-0708, also ...

How to Manage the Evolving Risk of Bluekeep (with SimpleRisk)