Every comic book superhero has a story behind them describing how they overcame some form of adversity in order to become the crime-fighting protector of all things good that we've come to know and love. Just like those champions of justice, SimpleRisk also has an origin story. It all started in 2012, when Josh Sokol was tasked with starting an enterprise risk management program at National Instruments. His initial research pointed him at the NIST SP 800-30 "Guide for Conducting Risk Assessments". This 95-page document was chock-full of interesting information that could be used to facilitate a risk management program. It provided examples of how to perform a risk assessment, suggestions on how to quantify risk, and a process for planning mitigations and performing reviews. What it did not provide, however, was a tool that could be used to keep track of it all.
The first phase of risk management at National Instruments began with a simple Microsoft Word document template for the risks and a Microsoft Excel spreadsheet to keep track of all of the documents. It worked well for the first few risks that we captured, but as the number of risks grew, the concept of tracking risks via documents and spreadsheets became more and more complicated. If we were struggling with managing a dozen risks in that manner, the prospect of managing hundreds of risks did not bode well for us. There had to be a better way.
That was when I discovered that a previous employee at National Instruments had created a crude risk registry in the form of a Lotus Notes database. While this made it infinitely easier to track a larger volume of risks, it also meant that I lost a lot of flexibility. Not being a Domino Administrator myself, I was stuck having to request resources from another team for each new field that I needed added or each new scoring methodology that I was looking to try out. It was a step in the right direction, but I had gained scalability while sacrificing all of my flexibility.
There I was, a few months into my fledgling risk management program. I knew what I wanted my program to look like, but I was struggling with the tooling to make it work. That was when I stumbled across a package of tools called "GRC", which stands for Governance, Risk, and Compliance. These tools looked amazing to me at first. I started sitting down with some of the popular vendors in the space and evaluating all of the different features and functionality of their platforms. To be honest, they had everything that I could ever want to be able to do risk management and then some. I was looking at managing my risks, but having the ability to manage our policies and audit testing as well couldn't hurt, right?
So, I did what anyone in my position would have done. I asked for a quote and took it to our VP of IT. She was, after all, the person who had tasked me with building this risk management program. All it took was her seeing the $500k+ price tag on the tool and she started laughing. In hindsight, I should have known better. My Security Team had a $0 budget at that time, and I was trying to sprint without ever having learned to walk.
If money was the issue, though, I had an idea. I pulled members of all of the different risk-aware teams in our organization (trade compliance, health and safety, legal, etc.) into the conversation. The vendor gave them the same dog and pony show that they had given me, and after they left I took a poll asking whether they would be interested in a tool like that. I was met with a resounding "Yes!" My excitement turned into frustration when I asked each of those same people if they would be willing to spend a portion of their budget to buy it and they told me "No". That was when I finally gave up on the idea of trying to purchase a GRC tool.
I knew that I wasn't alone in where I ended up with my risk management program. I had heard many stories from friends in the industry about how they either were using spreadsheets and documents to manage their risks or, in many cases, had given up on risk management completely. It was in that moment that I decided that instead of reverting back to those painful ways, I was going to do something to make my life, and the lives of my friends, better.
SimpleRisk started as a web form that was based on the Word document template that I had previously been using. I wrote a single page to view all of the risks in the system and another page to view and edit the risks once they were submitted. Once I had something that seemed to work, I submitted a talk called "Convincing Your Management, Your Peers, and Yourself that Risk Management Doesn't Suck" to the BSides Austin 2013 conference. It was accompanied by the 20130315-001 release of SimpleRisk, my very first. I decided to release it under the Mozilla Public License 2.0 since it was the least restrictive license I could find. At BSides Austin 2013, SimpleRisk was brought into the world with a round of applause and a standing ovation.
I could never have anticipated what happened after that. My little free and open source tool was suddenly the talk of the town. People started reaching out and asking for new features and functionality, so that was when I started creating the SimpleRisk "Extras". Then they started asking for support and, finally, for hosting. I had to start SimpleRisk, the company, in order to properly support SimpleRisk, the tool. And, today, what we call the "SimpleRisk Core", all of the risk management functionality, is still completely free and open sourced under that very same Mozilla Public License 2.0. That, my friends, is the origin story of SimpleRisk.