What is the right way to do risk management?
We hear this question fairly frequently on calls with prospects and my answer is always the same. There is no "right way" or "wrong way" to do risk management. There's only your way. Sure, there are plenty of standards to guide us with best practices, but even within those guidelines there are an infinite number of ways to implement a program for Governance, Risk Management and Compliance. When evaluating platforms to aid you, there is one thing that you should always keep in mind. You shouldn't ever be forced to change how your organization does things in order to fit the capabilities of a tool. You should be able to mold the tool to fulfill your requirements.
I won't ever tell you that SimpleRisk has every possible feature you might find in a GRC platform, but we have had plenty of experts with significant GRC platform experience tell us that our features are comparable to those of the leading GRC platform, with a far more intuitive interface and at a fraction of the price. We frequently collect feedback from our users on the features they would like to see in our product and maintain a healthy roadmap to address these requests. With so many different directions we could go, we need to prioritize what items we will work on first. Factors that influence these decisions include:
- Severity: Coming from a background of running the Information Security Program for a large enterprise, I've always put my reputation in security above all else. As such, security vulnerabilities will always receive the highest level of attention from me and my team. We have a formal Responsible Disclosure Policy and host a Bug Bounty Program on HackerOne. Many of the bugs we come across in the product will also fall into the high-severity category for prioritization. If it's something that impacts one of our customers, then it's something that needs to be fixed, plain and simple.
- Broad Appeal: Once we've addressed all of the high-severity cards, we will typically prioritize the cards which we believe have the broadest level of customer appeal. Typically, these stem from customer suggestions where we hear over and over again something like "It would be really useful if SimpleRisk did X". To date, the majority of the newly added features over the past few years were rooted in these requests and we do our best to track each requestor and notify them once the feature has been implemented.
- Low Hanging Fruit: As we are preparing for a new release, there's a point in time where we are doing a lot of testing and don't want to add any major new functionality, so as not to create last-minute issues. This is where we will typically try to squeeze in smaller items that are less about function and more about visual appeal and utility.
We also have a Customer Advisory Board that represents a diverse subset of our overall customer base. We meet with this Board on a regular basis and solicit their feedback on the features that they feel will provide the most value-add to our users.
But what happens when your organization's requirements don't fall in line with the prioritization factors above? How do you facilitate molding a tool to fulfill your requirements when that functionality doesn't exist yet? At SimpleRisk, we've created a unique service to address this need: Custom Development.
We begin by having a call to understand the specific use cases which you are trying to address and the features which you require in order to address them. From there, our team creates a design specification that highlights the work that would need to be performed in order to meet your requirements and how long it will take to develop each item. We charge $150/hr for this Custom Development work, but that is a one-time charge. There is no ongoing maintenance fee and we will continue to support the newly created functionality going forward. The end result is that you get exactly the functionality you need to meet your requirements and it will almost always still be less expensive than purchasing that feature with another platform. Add in the fact that other SimpleRisk users now get to take advantage of the new functionality and we feel that's a win-win-win scenario!
Don't worry, you wouldn't be the first organization to do a Custom Development effort with us. Here are a few examples of SimpleRisk features that were introduced through a Custom Development effort:
- Risk Assessment: This SimpleRisk Extra originally began as a Custom Development effort in 2018 between SimpleRisk, a large university on the East Coast that wanted to perform internal application development assessments, and a large manufacturing company on the West Coast that wanted to perform third-party/vendor risk assessments.
- Contributing Risk Scoring Methodology: This Custom Development effort took place in 2018 between SimpleRisk and a data center company in the UK. They liked SimpleRisk, but wanted to use their own custom scoring methodology with it. Now, we've got customers all over the globe using it and we just received sign-off from them on a second Custom Development effort to add a deeper feature set around this scoring methodology.
- Risk Mappings, Control Validation & Dynamic Risk Assessment Questionnaires: This Custom Development effort took place in 2020 between SimpleRisk and an organization associated with the New Zealand government. The result of this effort is that they are now setting the GRC bar for many of the other New Zealand government organizations and we are already working on another Custom Development effort with them to move that needle further.
SimpleRisk already has a core feature set that rivals the competition, but there will inevitably be requirements we weren't prepared for. The thing that really sets us apart from our rivals is our ability to quickly match these requirements in an efficient and cost-effective manner. Don't give up on GRC just because you're not finding the features you need. Consider a Custom Development effort with SimpleRisk and we will gladly help to get you from Zero to GRC in minutes!