SimpleRisk is an enterprise-grade tool that can be used for all of your Governance, Risk Management and Compliance needs. It boasts functionality that is comprehensive enough to be utilized by some of the largest organizations on the planet while presenting a user interface that is so simple and intuitive that it can be used by the least technical people in your organization. Our SimpleRisk Core can be downloaded for free from our website, installed in minutes, and provides all of the capabilities that you need when first launching your GRC program. As your organization grows and matures its processes, our SimpleRisk Extras are licensed modules that provide enhanced functionality on par with competitors that cost orders of magnitude more and require months of professional services to install and configure. There's no need to waste all of that time and money when you can be up and running with SimpleRisk today.
What is Enterprise Risk Management?
Enterprise risk management activities are designed to ensure that management identifies, analyzes, and responds appropriately to risks that may adversely affect realization of the organization's business objectives. Management's response to risks will depend on the likelihood of the event happening and the impact if it does. Based on this risk assessment, the organization will need to choose whether to accept the risk, mitigate the risk, or transfer the risk to another party. When done effectively, these risk management activities will ensure that the organization's limited resources will be prioritized to most efficiently address the issues that will affect them the most.
Frameworks for Risk Management
When we talk about how to perform various risk management activities, there are a multitude of frameworks that can be used. The Federal Information Security Management Act (FISMA) requires federal agencies to follow NIST standards and guidelines, and NIST SP 800-30, the Guide for Conducting Risk Assessments, is the guidance that governs how risk assessments are performed for federal information systems. This document does an excellent job of outlining all of the facets of risk management and what activities it entails. As such, it has become the de facto standard for many risk management practices, and it served as the basis for SimpleRisk's risk management functionality. That said, there are many other frameworks out there, including:
- COSO's Enterprise Risk Management - Integrated Framework
- ISO 31000:2018, Risk Management Guidelines
- The Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) Framework
This is by no means a complete list, but it does show that the process of managing risks can be very subjective. Ultimately your organization will want to document its own procedures for risk management, which will likely be rooted in one of these methodologies.
Creating Your Risk Registry
Regardless of which framework your risk management program is based on, the very first step will be some form of assessing and documenting your risks. The repository of all of your active risks is what we refer to as a "risk registry". Many organizations, when first starting out, will use spreadsheet software, like Microsoft Excel, as their risk registry because it is fairly straightforward and readily available. Using spreadsheet software to track your risks usually starts out well because it's only one person managing them, but issues begin to arise as your risk management program expands. You begin to see flaws in the approach once you invite others to participate in your risk evaluation processes, because it is difficult to have multiple people using the spreadsheet at the same time. You'll realize that your program cannot grow without others submitting their risks, but a spreadsheet doesn't allow you to separate the permissions of those who can contribute risks from those who will manage them. Ultimately, the spreadsheet model falls over the moment you want to build automation into your workflows: functionality like customized assessment questionnaires and email notifications about pending actions is virtually impossible to implement. This is the point where organizations typically begin looking into tools to perform Governance, Risk Management, and Compliance (GRC) activities.
Unfortunately, the point where organizations begin looking into GRC tools is also typically the point where they become incredibly frustrated. The gap between what is effectively a free spreadsheet and a GRC tool that can easily cost hundreds of thousands to over a million dollars is massive. Often they require tens of thousands of dollars in professional services and several months to implement. This adds up to a massively discouraging outlook when your spreadsheets are operational, albeit imperfect, and didn't cost you a dime. SimpleRisk works with organizations in this predicament on a daily basis and understands what they're going through because our Founder and CEO was in this same boat. SimpleRisk was created as a total replacement for your spreadsheet-based risk registry. Our free SimpleRisk Core product can be downloaded right now, installed in minutes, and it will immediately enable you to scale beyond your existing capabilities. You'll be able to track all of the fields that you are currently tracking, with ample opportunities to expand beyond that, and with no restrictions on the number of users you can have or the number of risks you can enter.
Once your risks are in the registry, you'll have access to a variety of pre-defined reporting along with a Dynamic Risk Report that gives you the ability to report on virtually any aspect of your risk management program. If you have already gone down the spreadsheet path and are looking to move into a comprehensive GRC platform, we highly recommend our licensed Import-Export functionality. With this plug-and-play module, there's no need to manually recreate all of your risks. You simply map the columns in your spreadsheet to the fields in SimpleRisk and it will automatically ingest all of your risk data. If you find that our default fields don't reflect everything that you would like to track, we would also recommend our licensed Customization functionality. This module provides you with the ability to create your own custom fields in SimpleRisk, remove existing fields, and change the ordering of fields on the page. It is this level of customization that makes SimpleRisk flexible enough to accommodate virtually any risk management framework or desired workflow.
Assessing Your Risks
Organizations often become so laser focused on the goal of having a registry in which to store their risks that they completely bypass the topic of how they will assess the risks that will go in there. Risks can be discovered through a wide variety of means. Probably the most common way for a risk to be discovered is accidentally, by a staff member who happens to come across one while doing something else job related. At that point, they have a choice to make. Will they continue on with what they were doing in the hope that they will still remember to note the risk later? Or will they note the risk now and then move on with what they were doing? The answer will likely depend on how cumbersome it is for them to submit their newfound risk. It is for this reason that we highly recommend that our customers enable everyone in their organization to submit new risks. They don't have to fill out all of the details or even write a verbose description of the risk; something as simple as a risk subject that will remind them later what it was that they discovered is enough. Somebody from the risk management team can then note the submission and follow up with the submitter at a later time, when they're not in the middle of a task.
Another common means of assessing risks is through the use of vulnerability management tools. These tools scan your environment and test for open ports and known vulnerabilities that affect your servers. While these tools typically have some built-in mechanism for remediation and re-assessment, they usually do a poor job of managing the risk itself. For this reason, one of the other benefits of our licensed Import-Export feature is a direct integration with common vulnerability assessment tools like Rapid7 Nexpose and Tenable.io. SimpleRisk takes all of the vulnerabilities discovered by these tools and collapses them into a single risk per unique vulnerability, with every affected asset attached to it. Additionally, it can tag those vulnerabilities based on things like the affected operating system or software version, making it easy to report on the things you're interested in. Management of these vulnerability risks becomes far simpler and more efficient with this approach.
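As an added illustration of the kind of aggregation described above (this is example code written for this page, not SimpleRisk's own import logic; the input row format, the CVSS-to-severity thresholds and the tag naming are assumptions, not the product's behaviour), the following Python collapses constructed per-asset scanner rows into one risk per unique vulnerability, attaches every affected asset without double counting repeated scan rows, derives operating-system and software tags, and builds the inverse asset-to-risks view that an assets-and-risks report is based on:

```python
"""Collapse per-asset scanner findings into one risk per unique vulnerability.

Added example for this page; not SimpleRisk code. The row shape below is an
assumption, not a real Nexpose or Tenable.io export format.
"""
from dataclasses import dataclass, field


@dataclass
class Risk:
    vuln_id: str
    subject: str
    score: float                      # highest CVSS score seen on any affected asset
    assets: list = field(default_factory=list)
    tags: set = field(default_factory=set)


# Constructed sample rows: one row per (asset, vulnerability) pair, as a scanner
# would report them. web01 appears twice for the same CVE (e.g. two scan runs).
SAMPLE_FINDINGS = [
    {"asset": "web01", "os": "Ubuntu 20.04", "software": "Apache httpd 2.4.49",
     "vuln_id": "CVE-2021-41773", "title": "Apache HTTP Server path traversal", "cvss": 7.5},
    {"asset": "web02", "os": "Ubuntu 20.04", "software": "Apache httpd 2.4.49",
     "vuln_id": "CVE-2021-41773", "title": "Apache HTTP Server path traversal", "cvss": 7.5},
    {"asset": "db01", "os": "Windows Server 2019", "software": "Print Spooler",
     "vuln_id": "CVE-2021-34527", "title": "Windows Print Spooler remote code execution", "cvss": 8.8},
    {"asset": "web01", "os": "Ubuntu 20.04", "software": "OpenSSH 8.2",
     "vuln_id": "SSH-WEAK-KEX", "title": "SSH server supports weak key exchange algorithms", "cvss": 4.3},
    {"asset": "web01", "os": "Ubuntu 20.04", "software": "Apache httpd 2.4.49",
     "vuln_id": "CVE-2021-41773", "title": "Apache HTTP Server path traversal", "cvss": 7.5},
]


def severity_label(score):
    """Map a CVSS score onto the five severity bands used in the text.
    The thresholds are an assumption, not SimpleRisk's configuration."""
    if score >= 9.0:
        return "Very High"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score > 0.0:
        return "Low"
    return "Insignificant"


def aggregate_findings(findings):
    """Return {vuln_id: Risk}, one risk per unique vulnerability.

    Assets are de-duplicated, the risk score is the worst CVSS seen, and tags are
    derived from the affected operating system and software so reports can be
    filtered on them later.
    """
    risks = {}
    for row in findings:
        risk = risks.get(row["vuln_id"])
        if risk is None:
            risk = Risk(vuln_id=row["vuln_id"],
                        subject=f"{row['vuln_id']}: {row['title']}",
                        score=row["cvss"])
            risks[row["vuln_id"]] = risk
        if row["asset"] not in risk.assets:       # ignore repeated scan rows
            risk.assets.append(row["asset"])
        risk.score = max(risk.score, row["cvss"])
        risk.tags.add("os:" + row["os"])
        risk.tags.add("software:" + row["software"])
    return risks


def risks_by_asset(risks):
    """Inverse view: {asset: [vuln_id, ...]}, the basis of an assets-and-risks report."""
    by_asset = {}
    for risk in risks.values():
        for asset in risk.assets:
            by_asset.setdefault(asset, []).append(risk.vuln_id)
    return by_asset


def prioritised(risks):
    """Order risks by score, then by how many assets they touch."""
    return sorted(risks.values(), key=lambda r: (-r.score, -len(r.assets), r.vuln_id))


if __name__ == "__main__":
    for risk in prioritised(aggregate_findings(SAMPLE_FINDINGS)):
        print(f"{severity_label(risk.score):<12} {risk.subject:<55} "
              f"assets={len(risk.assets)} tags={sorted(risk.tags)}")
```

The five constructed rows become three risks: the Apache finding on web01 and web02 is one risk with two assets (the repeated web01 row is ignored), and the inverse view shows web01 carrying two of the three. Keying on the scanner's vulnerability identifier rather than the title is what keeps re-scans from creating duplicate risks; a title-keyed import would split the same CVE across scanners that word it differently.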
Lastly, a risk assessment use case that is becoming increasingly prevalent is the desire to use questionnaires to drive both internal and external (third-party) risk assessments. Both of these scenarios can be easily handled with SimpleRisk's licensed Risk Assessment feature. We give you a catalog of questions that you can ask, or you can create your own as either multiple-choice or fill-in-the-blank questions. If you elect a multiple-choice question, then you have the ability to define the possible answers, tie them to a pass or fail for a control assessment, and even submit a new risk based on a given answer. If you re-assess the same party later, SimpleRisk will even save time by providing them with their previous answers and updating your risk registry according to any new information provided. This integrated solution makes managing vendor risk a consistent and repeatable process across your entire organization.
Planning Mitigations for your Risks
Once you've documented all of your organization's risks in the risk registry, the next step would be to determine what you're going to do about those risks, otherwise known as risk mitigation. Identifying which risks haven't had a mitigation planned for them yet is very simple in SimpleRisk. The "Plan Mitigation" menu will show you all risks that haven't had a mitigation planned in decreasing order of their Inherent Risk score.
When you click on "NO" in the Mitigation Planned column, you will be taken to the page in SimpleRisk to plan a mitigation for that risk. There, you will find the ability to specify the planned mitigation date, how much effort is involved, who will be responsible for the mitigation, and the mitigation percent, which will be used to calculate the residual risk score. You will also be able to add text describing the proposed mitigation and link the risk being mitigated to any of the controls that you've defined in Governance.
When evaluating a risk, you do it through the lens of what your leadership is willing to accept as is versus what they feel they need to take action on. Where that line falls will be different for every organization and is sometimes referred to as their "risk appetite". In SimpleRisk, we represent this line with a configurable Risk Appetite slider.
Once you have your risk appetite defined, then you can use this as the guideline to determine which risks are outside of your appetite and require additional investment versus which risks are inside of your appetite and are able to be accepted. In SimpleRisk, our Risk Appetite Report evaluates the residual risk remaining in order to determine which risks fall into which category. This helps you to prioritize your time working on the items that have the biggest risk for your organization.
Performing Management Reviews of your Risks
While it's true that having a risk registry and planning mitigations for your risks are probably the two most critical risk management activities, the reality is that your risk management program will not be successful if management is not involved in the process. As SimpleRisk's Founder and CEO, Josh Sokol, explains in his "Why Management Doesn't Understand Your Security Woes" blog post, the role of the security practitioner in the risk management process is to assess and convey risk. Their goal should be to drive visibility and accountability up the chain of management. And since management controls how the organization's limited resources (people and money) are allocated, it is only natural that the risk acceptance responsibility belongs to them.
The challenge that comes with involving management in the risk acceptance process is that not every manager needs to see, let alone review, every single risk. For example, the manager of the Unix Team doesn't care about a risk resulting from failing Windows patching. For this reason, we want our risk review process to only require input from the relevant managers. Additionally, we need to take the severity of a risk into account when determining which manager should be performing the review. This is because the severity of a risk is a measure of the likelihood and impact to the organization. That same Unix Team manager likely does care about a Very High risk resulting from a data breach on one of their systems, but when we contextualize it, we realize that the resources required to mitigate that risk in a reasonable timeframe may be outside of their direct control. More importantly, if that data breach were to actually occur before a mitigation could be put in place, the consequences of that would likely be felt across the entire organization. This means that, ideally, it would be a member of our organization's Executive Leadership Team who would review that risk and determine the course of action. What we really need is a risk management platform that is capable of handling risk acceptance taking both the risk ownership and the severity contexts into account.
SimpleRisk makes the management review process as simple as possible. One of the benefits of our licensed Team-Based Separation feature is to build walls between the different teams so that a risk will only be viewable, and hence actionable, to the teams that are assigned to it. This approach allows a risk to be assigned to multiple teams to encourage collaboration, while simultaneously limiting access to those who do not have the need to know the information contained in the risk. You can provide the Executive Leadership Team with a wide view of all of the risks in their organization by adding them to each of the different teams, while limiting the scope of access for area managers. Additionally, SimpleRisk has fine-grained access controls so you can build out a hierarchy of risk review permissions based on the risk severity level. Typically, we will encourage organizations to implement something like:
- Area Managers review Insignificant and Low level risks
- Section Managers review Medium level risks
- Directors review High level risks
- Vice Presidents review Very High level risks
This approach doesn't preclude the VP from seeing the lower level risks. They still have visibility into all of the risks in their organization. But it does spread the risk review workload across the organization's management team while simultaneously ensuring that the right people are making the decisions on the appropriate risks. Our licensed Email Notification feature can drive further automation into this workflow by sending email reminders of unreviewed and past due risks to the appropriate stakeholders on your preferred schedule.
Similar to planning the mitigation for a risk, there is also a page in SimpleRisk dedicated to efficiently identifying all of the risks that haven't had a management review performed yet. You will find this under the "Perform Reviews" option in the "Risk Management" menu. There, you will see a list of all risks that do not have a management review performed for them yet, listed in order of their Inherent Risk score.
When you click on "NO" in the Management Review column, you will be taken to the page in SimpleRisk to perform a review for that risk. There, you will find the ability to specify whether you are approving or rejecting the risk, define the next step (accept until the next review, consider for a project, or submit as a production issue), and add any commentary for the risk. Based on the risk severity, SimpleRisk will automatically calculate the next review date for your risk, ensuring that the risk is being re-reviewed on a regular basis. The amount of time allowed between each review can be set in the Configuration menu and management always has the ability to override the default date and set their own.
One of the biggest factors that separates using a GRC tool from a spreadsheet-based risk management program is the ability to report on your data in a meaningful way. Both should be able to present data in a tabular format where you can search and filter through your data based on the information you are interested in, but the place where spreadsheets begin to fall down is in data associations. Some examples of important things that you will likely eventually need to report on are:
- Risk Appetite: This will show you the risks that fall outside of your defined "risk appetite" level. Risks inside of your appetite can likely be accepted while risks outside of your appetite should be mitigated or transferred.
- Risk Advice: This will show you the risks with the lowest level of effort and the highest risk score. This is helpful in identifying the low-hanging fruit in your organization where you can effectively get the "most bang for your buck".
- Assets and Risks: This will show you all of the risks that are associated with a specific asset. This is helpful in identifying which assets are harboring an excessive amount of risk and should be patched or retired.
- Risks and Assets: This will show you all of the assets that are associated with a specific risk. This is helpful in highlighting the risks with significant impacts across your organization. If you have defined values for your assets, then this can even help you step up your maturity from qualitative to quantitative risk assessment.
- Controls and Risks: This will show you all of the controls that are associated with a specific risk. This is helpful in determining all of the mitigating controls that exist for a given risk and discovering where there may be a lack of depth in your defenses.
- Risks and Controls: This will show you all of the risks that are associated with a specific control. This is helpful in identifying the effects that a control failure has for your environment.
At SimpleRisk, we firmly believe that spreadsheets should not be considered a viable option for risk management and that's why all of these reports and many more are available as part of the free SimpleRisk Core solution.
SimpleRisk was built by a security professional with a decade of experience running the Information Security Program for a large, publicly traded, global enterprise. He realized that it was critically important for an auditor to be able to look at the data contained in SimpleRisk and trust that every change to it is accounted for. For that reason, all activities that take place within the tool are logged and an audit trail is maintained. At any point in time, an auditor can go back and establish what has been done, who did it, and when.
SimpleRisk was designed from the ground up to be as simple and intuitive as possible in order to enable users of varying skill levels to be effective in using it. Over the years, SimpleRisk has evolved into a comprehensive GRC platform encompassing all of the Governance, Risk Management, and Compliance needs of organizations, regardless of their size or industry, while retaining its underlying simplicity. Most of the features discussed here are available in the free SimpleRisk Core, but even the licensed functionality can be obtained for a fraction of the cost of other GRC tools. We would welcome the opportunity to join you on your GRC journey and would encourage you to schedule a call with our team, where we can discuss your requirements and demonstrate, firsthand, how SimpleRisk can help you accomplish your goals.