SimpleRisk is a fully integrated GRC platform that can be used to meet all of your Governance, Risk Management and Compliance needs. It boasts functionality that is comprehensive enough to be utilized by some of the largest organizations on the planet while presenting a user interface that is so simple and intuitive it can be used by the least technical people in your organization.
Our SimpleRisk Core can be downloaded for free from our website, installed in minutes, and provides all of the capabilities that you need when first launching your GRC program. As your organization grows and matures its processes, our SimpleRisk Extras are licensed modules that provide enhanced functionality on par with competitors that cost orders of magnitude more and require months of professional services to install and configure. There's no need to waste all of that time and money when you can be up and running with SimpleRisk today.
What is Enterprise Risk Management?
Enterprise risk management activities are designed to ensure that management identifies, analyzes, and responds appropriately to risks that may adversely affect realization of an organization's business objectives. Management's response to risks will depend on the likelihood of the event happening and the impact if it does. Based on this risk assessment, an organization will need to choose whether to accept the risk, mitigate the risk, or transfer the risk to another party. When performed effectively, these risk management activities will ensure that the organization's limited resources will be prioritized to most efficiently address the issues that will affect them the most.
Frameworks for Risk Management
When we talk about how to perform various risk management activities, there are a multitude of frameworks that can be used. The Federal Information Security Management Act (FISMA) points to the NIST SP 800-30 Guide for Conducting Risk Assessments as the minimum requirements for Federal information systems. This document does an excellent job of outlining all of the facets of risk management and what activities it entails. As such, it has become the de facto standard for many risk management practices, and served as the foundation for SimpleRisk's risk management functionality. That said, there are many other frameworks out there including:
- COSO's Enterprise Risk Management - Integrated Framework
- ISO's 31000:2018 Risk Management Framework
- The Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) Framework
This is by no means a complete list, but it demonstrates that the process of managing risks can be very subjective and ultimately your organization will want to document its own procedures for risk management that will likely be rooted in one of these methodologies.
Creating Your Risk Registry
Regardless of which framework your risk management program is based on, the very first step will be some form of assessing and documenting your risks. The repository of all of your active risks is what we refer to as a "risk registry". Many organizations, when first starting out, will use spreadsheet software, like Microsoft Excel, as their risk registry because it is fairly straightforward and readily available. Using spreadsheet software to track your risks usually starts out well because it's only one person managing them, but issues begin to arise as your risk management program expands. Flaws begin to surface once you invite others to participate in your risk evaluation processes because it is difficult to have multiple people utilizing the spreadsheet at the same time. You'll realize that your program cannot grow without others submitting their risks, but a spreadsheet doesn't allow for separating out the permissions of those who can contribute risks from those who will manage them. Ultimately, the model of using spreadsheets to manage risk will break down when you attempt to build automation into your workflows. Basic functionality like scheduling emails to be sent about pending actions or performing risk assessments with reusable questionnaires is virtually impossible. This is a common inflection point where organizations will begin looking into tools to perform Governance, Risk Management, and Compliance (GRC) activities.
Unfortunately, the point where organizations begin looking into GRC tools is also typically the point where they become incredibly frustrated. The gap is massive between what is effectively a free spreadsheet and a GRC tool that can easily cost hundreds of thousands to over a million dollars. Oftentimes they require tens of thousands of dollars in professional services and several months to implement.
Evaluating GRC tools can quickly become dispiriting when compared to your spreadsheets, which were at least operational, albeit imperfect, and didn't cost you a dime. SimpleRisk works daily with organizations in this predicament and understands what they're going through because our Founder and CEO was in this same boat. SimpleRisk Core, our free and open source product, not only serves as a total replacement for your spreadsheet-based risk registry, but is far more advanced in comparison and can be downloaded from our website. It can be installed in minutes and will immediately enable you to scale beyond your existing capabilities. You'll be able to track all of the fields that you are currently tracking, with plenty of flexibility to expand beyond that, and with no restrictions on the number of users you can have or the number of risks you can enter.
Once your risks are in the registry, you'll have access to a variety of pre-defined reporting along with a Dynamic Risk Report that gives you the ability to report on virtually any aspect of your risk management program. If you have already gone down the spreadsheet path and are looking to move into a comprehensive GRC platform, we highly recommend our licensed Import-Export functionality. With this plug-and-play module, there's no need to manually recreate all of your risks. You simply map the columns in your spreadsheet to the fields in SimpleRisk and it will automatically ingest all of your risk data. If you find that our default fields don't reflect everything that you would like to track, we would also recommend our licensed Customization functionality. This module provides you with the ability to create your own custom fields in SimpleRisk, remove existing fields, and change the ordering of fields on the page. This level of customization is a key component in making SimpleRisk flexible enough to accommodate virtually any risk management framework or desired workflow.
Assessing Your Risks
Oftentimes organizations will become so laser focused on the goal of having a registry in which to store their risks that they will completely bypass the topic of how they will assess the risks that will go in there. Risks can be identified by a wide variety of means. Probably the most common way for a risk to be discovered is by accident, when a staff member happens to come across one while performing their day-to-day activities. At that point, they will have a choice to make. Will they continue on with what they were doing in hopes that they will still remember to note the risk later? Or will they document the risk now and then move on with what they were doing? The answer will likely depend on how cumbersome it is for them to submit their newly found risk. It is for this reason that we highly recommend to our customers that they enable everyone in their organization to submit new risks. They don't have to fill out all of the risk details or even enter a verbose description of the risk. If staff members are encouraged to simply enter a risk subject to serve as a reminder at a later point about what it was that they discovered, this can be a very effective best practice. Somebody from the risk management team can then note the submission and follow up with the submitter at a more convenient time in the future.
Another common means of assessing risks is through the use of vulnerability management tools. These tools will scan your environment and test for open ports and known vulnerabilities that affect your servers. While these tools typically have some level of built-in mechanism for remediation and re-assessment, they usually do a poor job of managing the risk itself. For this reason, one of the other benefits of our licensed Import-Export feature is a direct integration with common vulnerability assessment tools like Rapid7 Nexpose and Tenable.io. SimpleRisk will take all of the vulnerabilities discovered with these tools and compress them into a single risk for each unique vulnerability and all of the assets associated with it. This eliminates the notoriously annoying issue of duplicate vulnerabilities with scanning tools. Additionally, it can create tagging for those vulnerabilities based on things like the affected operating system or software version, making it easy to report on the categories in which you're most interested. Management of these vulnerability risks becomes far simpler and more efficient with this approach.
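As an added illustration of the consolidation described above (not SimpleRisk's own code, and not tied to any real scanner export format), the following Python folds constructed scanner findings into one risk per unique vulnerability, carrying the de-duplicated asset list and OS/software tags that reports can filter on:

```python
# Constructed scanner findings (not real scan output): one row per
# (vulnerability, asset) pair, the shape that yields duplicate rows
# when every finding is tracked as its own risk.
SCAN_FINDINGS = [
    {"vuln_id": "VULN-0001", "title": "Outdated OpenSSL", "severity": 7.5,
     "asset": "web-01", "os": "Ubuntu 22.04", "software": "openssl 1.1.1"},
    {"vuln_id": "VULN-0001", "title": "Outdated OpenSSL", "severity": 7.5,
     "asset": "web-02", "os": "Ubuntu 22.04", "software": "openssl 1.1.1"},
    {"vuln_id": "VULN-0001", "title": "Outdated OpenSSL", "severity": 7.5,
     "asset": "db-01", "os": "RHEL 9", "software": "openssl 3.0.7"},
    {"vuln_id": "VULN-0002", "title": "Telnet service enabled", "severity": 9.1,
     "asset": "db-01", "os": "RHEL 9", "software": "telnetd"},
    # Repeated row from a rescan: same vulnerability on the same asset
    {"vuln_id": "VULN-0002", "title": "Telnet service enabled", "severity": 9.1,
     "asset": "db-01", "os": "RHEL 9", "software": "telnetd"},
]


def collapse_findings(findings):
    """Fold scanner rows into one risk per unique vulnerability.

    Each risk carries the de-duplicated set of affected assets plus tags
    derived from the affected OS and software version, so reports can be
    filtered on those categories. Hypothetical field names throughout.
    """
    risks = {}
    for f in findings:
        risk = risks.setdefault(f["vuln_id"], {
            "subject": f["title"],
            "score": f["severity"],
            "assets": set(),
            "tags": set(),
        })
        risk["assets"].add(f["asset"])
        risk["tags"].add("os:" + f["os"])
        risk["tags"].add("sw:" + f["software"])
        # Keep the highest score the scanner reported for this vulnerability
        risk["score"] = max(risk["score"], f["severity"])
    # Sorted lists give stable output for reporting and testing
    return {
        vid: {
            "subject": r["subject"],
            "score": r["score"],
            "assets": sorted(r["assets"]),
            "tags": sorted(r["tags"]),
        }
        for vid, r in risks.items()
    }


def risks_by_tag(risks, tag):
    """Return the ids of risks carrying a given tag, e.g. 'os:RHEL 9'."""
    return sorted(vid for vid, r in risks.items() if tag in r["tags"])
```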
Lastly, a risk assessment use case that is becoming increasingly prevalent is a desire to use questionnaires to drive both internal and external (third-party) risk assessments. Both of these scenarios can easily be addressed with SimpleRisk's licensed Risk Assessment feature. We give you a catalog of questions that you can ask or you can create your own as either multiple-choice or fill-in-the-blank questions.
If you create a multiple-choice question, you have the ability to define the possible answers, automatically link a response as a pass or fail for a control assessment and create response-based risks that you can then submit into your risk registry. Also, if you perform a follow-up assessment, you can streamline the process by resubmitting the same questions that contain their answers from the prior assessment and then update your risk registry according to any new information provided. This integrated solution makes managing vendor risk assessment a consistent, repeatable and scalable process across your entire organization.
Planning Mitigations for your Risks
Once you've documented all of your organization's risks in the risk registry, the next step is to determine what you're going to do about those risks, otherwise known as risk mitigation. SimpleRisk makes identifying which risks have not yet had a mitigation planned very simple. Just select the "Plan Mitigation" menu and all risks that haven't had a mitigation planned will be displayed, sorted in decreasing order of Inherent Risk score, which helps you prioritize mitigation efforts.
When you click on "NO" in the Mitigation Planned column, you will be taken to the page in SimpleRisk to plan a mitigation for that risk. There, you will find the ability to specify the planned mitigation date, how much effort is involved, who will be responsible for the mitigation, and the mitigation percent, which will be used to calculate the Residual Risk score. You will also be able to add text describing the proposed mitigation and link the risk being mitigated to any of the controls that you've defined in Governance.
A risk should be evaluated through the lens of what your leadership is willing to accept "as is" versus where they feel action should be taken. Where that line is drawn will vary from one organization to another and is oftentimes referred to as their "risk appetite". In SimpleRisk, we represent this line of risk tolerance with a configurable Risk Appetite slider.
Once you define your risk appetite, this can be used as the guideline to determine which risks are outside of your appetite and require additional investment versus which risks are inside of your appetite and are able to be accepted. In SimpleRisk, our Risk Appetite Report automatically evaluates the Residual Risk score as the reference point to determine which risks fall into which category. This helps prioritize your time so you end up working on the items that present the biggest risk for your organization.
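The Python below is an added example, not SimpleRisk's code, showing how the "Plan Mitigation" ordering and the Risk Appetite Report's residual-score comparison fit together. It assumes a 0-10 score scale and that the mitigation percent reduces the inherent score proportionally (Residual = Inherent × (1 − mitigation%/100)); the page does not spell out that formula.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Risk:
    id: int
    subject: str
    inherent: float                       # Inherent Risk score, assumed 0-10 scale
    mitigation_pct: Optional[int] = None  # None means no mitigation planned yet
    planned_date: Optional[str] = None    # ISO date of the planned mitigation

    def mitigation_planned(self) -> bool:
        return self.mitigation_pct is not None

    def residual(self) -> float:
        """Residual Risk score. Assumed formula: the mitigation percent
        reduces the inherent score proportionally; an unplanned risk
        keeps its inherent score."""
        if not self.mitigation_planned():
            return self.inherent
        return round(self.inherent * (1 - self.mitigation_pct / 100), 2)


def plan_mitigation_queue(risks):
    """Mirror the 'Plan Mitigation' view: risks with no mitigation yet,
    highest inherent score first."""
    pending = [r for r in risks if not r.mitigation_planned()]
    return sorted(pending, key=lambda r: r.inherent, reverse=True)


def risk_appetite_report(risks, appetite: float):
    """Split risks by comparing Residual Risk to the appetite threshold.
    Risks at or below the threshold are candidates for acceptance; those
    above it still need mitigation or transfer. Both lists are ordered
    by residual score, highest first."""
    def by_residual(items):
        return sorted(items, key=lambda r: r.residual(), reverse=True)

    return {
        "inside": by_residual([r for r in risks if r.residual() <= appetite]),
        "outside": by_residual([r for r in risks if r.residual() > appetite]),
    }


# Constructed sample registry
REGISTRY = [
    Risk(1, "Unpatched internet-facing web server", 9.0, mitigation_pct=80,
         planned_date="2024-09-15"),
    Risk(2, "Shared admin password on build host", 7.5),
    Risk(3, "Backups never tested for restore", 6.0, mitigation_pct=25,
         planned_date="2024-12-01"),
    Risk(4, "Visitor badge process not enforced", 2.5),
]

if __name__ == "__main__":
    for r in plan_mitigation_queue(REGISTRY):
        print(f"Plan mitigation: #{r.id} {r.subject} (inherent {r.inherent})")
    report = risk_appetite_report(REGISTRY, appetite=4.0)
    for bucket, items in report.items():
        print(bucket, [(r.id, r.residual()) for r in items])
```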
Performing Management Reviews of your Risks
While it's true that having a risk registry and planning mitigations for your risks are probably the two most critical risk management activities, the reality is that your risk management program will not be successful if management is not involved in the process. As SimpleRisk's Founder and CEO, Josh Sokol, explains in his "Why Management Doesn't Understand Your Security Woes" blog post, the role of the security practitioner in the risk management process is to assess and convey risk. Their goal should be to drive visibility and accountability up the management chain. And since management controls how the organization's limited resources (people and money) are allocated, it is only natural that they should own the responsibility of risk acceptance.
The challenge that comes with involving management in the risk acceptance process is that not every manager needs to see, let alone review, every single risk. For example, the manager of the Unix Team doesn't care about a risk resulting from failing Windows patching. For this reason, we want our risk review process to only require input from the relevant managers. Additionally, we need to take the severity of a risk into account when determining which manager should be performing the review. This is because the severity of a risk is a measure of the likelihood and impact to the organization. That same Unix Team manager may care a great deal about a Very High risk resulting from a data breach on one of their systems, but when we contextualize it, we realize that the resources required to mitigate that risk in a reasonable timeframe may be outside of their direct control. More importantly, if that data breach were to actually occur before a mitigation could be put in place, the consequences of that would likely be felt across the entire organization. This means that, ideally, it would be a member of our organization's Executive Leadership Team who would review that risk and determine the course of action. The goal here is to leverage a risk management platform that is capable of handling risk acceptance by taking both the context of risk ownership and risk severity into account.
SimpleRisk makes the management review process as simple as possible. One of the benefits of our licensed Team-Based Separation feature is to build "walls" between the different teams so that a risk will only be viewable, and hence actionable, to the teams that are assigned to it. This approach allows a risk to be assigned to multiple teams to encourage collaboration, while simultaneously limiting access to those who do not have the need to know the information contained in the risk. You can provide the Executive Leadership Team with a wide view of all of the risks in their organization by adding them to each of the different teams, while limiting the scope of access for area managers. Additionally, SimpleRisk has fine-grained access controls so you can build out a hierarchy of risk review permissions based on the risk severity level. Typically, we will encourage organizations to implement something like:
- Area Managers review Insignificant and Low level risks
- Section Managers review Medium level risks
- Directors review High level risks
- Vice Presidents review Very High level risks
This approach doesn't preclude the VP from seeing the lower level risks, as they still have visibility into all of the risks in their organization. But it does spread the risk review workload across the organization's management team while simultaneously ensuring that the right people are making the decisions on the appropriate risks. Our licensed Email Notification feature can drive further automation into this workflow by sending email reminders of unreviewed and past due risks to the appropriate stakeholders on your preferred schedule.
Similar to planning the mitigation for a risk, there is also a page in SimpleRisk dedicated to clearly identifying all of the risks that haven't yet had a management review performed. You will find this under the "Perform Reviews" option in the "Risk Management" menu. There, you will see a list of all risks that do not yet have a management review, ordered by their Inherent Risk score, to help you prioritize the review process.
When you click on "NO" in the Management Review column, you will be taken to the page in SimpleRisk to perform a review for that risk. There, you will find the ability to specify whether you are approving or rejecting the risk, define the next step (accept until the next review, consider for a project, or submit as a production issue), and add any commentary for the risk. Based on the risk severity, SimpleRisk is able to automatically calculate the next review date for that risk, ensuring the risk is re-reviewed on a regular basis. The amount of time allowed between each review can be set in the Configuration menu, and management always has the ability to override this default setting at any time by manually entering a different date.
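As an added example (not SimpleRisk's own implementation) of the severity-based review hierarchy, team-based visibility and automatic next review date described in the preceding sections, the Python below uses constructed severity bands and review intervals, since the page gives no concrete thresholds:

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed severity bands on a 0-10 Inherent Risk scale: (upper bound, name).
# SimpleRisk's bands are configurable; these thresholds are constructed.
SEVERITY_BANDS = [(2.0, "Insignificant"), (4.0, "Low"), (6.0, "Medium"),
                  (8.0, "High"), (10.0, "Very High")]

# The review hierarchy recommended in the text
REVIEWER_FOR_SEVERITY = {"Insignificant": "Area Manager", "Low": "Area Manager",
                         "Medium": "Section Manager", "High": "Director",
                         "Very High": "Vice President"}

# Assumed default days between reviews per severity (configurable in the tool)
REVIEW_INTERVAL_DAYS = {"Insignificant": 365, "Low": 180, "Medium": 90,
                        "High": 30, "Very High": 7}


@dataclass
class Risk:
    id: int
    subject: str
    inherent: float
    teams: frozenset                     # teams the risk is assigned to
    reviewed_on: Optional[date] = None   # date of the last management review

    def severity(self) -> str:
        score = min(self.inherent, 10.0)
        return next(name for upper, name in SEVERITY_BANDS if score <= upper)

    def reviewer_role(self) -> str:
        return REVIEWER_FOR_SEVERITY[self.severity()]

    def next_review_date(self) -> Optional[date]:
        """Next review date derived from severity; None if never reviewed."""
        if self.reviewed_on is None:
            return None
        return self.reviewed_on + timedelta(days=REVIEW_INTERVAL_DAYS[self.severity()])


@dataclass
class User:
    name: str
    role: str
    teams: frozenset


def visible_to(risk: Risk, user: User) -> bool:
    """Team-Based Separation: only members of an assigned team can see the risk."""
    return bool(risk.teams & user.teams)


def review_queue(risks, user: User, today: date):
    """'Perform Reviews' for one user: risks they may see, that their role
    reviews, and that are unreviewed or past due, highest inherent first."""
    due = [r for r in risks
           if visible_to(r, user) and r.reviewer_role() == user.role
           and (r.next_review_date() is None or r.next_review_date() <= today)]
    return sorted(due, key=lambda r: r.inherent, reverse=True)


# Constructed sample data
TODAY = date(2024, 8, 1)
RISKS = [
    Risk(1, "Windows patching behind schedule", 5.0, frozenset({"Windows"})),
    Risk(2, "Data breach exposure on Unix file server", 9.2, frozenset({"Unix"})),
    Risk(3, "Stale Unix service accounts", 3.0, frozenset({"Unix"}),
         reviewed_on=date(2024, 1, 10)),
    Risk(4, "Backup gaps across both platforms", 7.0, frozenset({"Unix", "Windows"})),
]
UNIX_MANAGER = User("unix-mgr", "Area Manager", frozenset({"Unix"}))
DIRECTOR = User("dir", "Director", frozenset({"Windows"}))
VP = User("vp", "Vice President", frozenset({"Unix", "Windows"}))
```

The Unix area manager sees only risk 3 in their queue (Low severity, past its 180-day review), while the Very High data breach risk on the same team's system is routed to the Vice President.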
One of the biggest factors that separates using a GRC platform from a spreadsheet-based risk management program is the ability to report on your data in a meaningful way. Both should be able to present data in a tabular format where you can search and filter through your data based on the information you are interested in, but the place where spreadsheets begin to fall down is in data associations. Some examples of important items that you will likely be reporting on regularly include:
- Risk Appetite: This will show you the risks that fall outside of your defined "risk appetite" level. Risks inside of your appetite can likely be accepted while risks outside of your appetite should be mitigated or transferred.
- Risk Advice: This will show you the risks with the lowest level of effort and the highest risk score. This is helpful in identifying the low-hanging fruit in your organization where you can effectively get the "most bang for your buck".
- Assets and Risks: This will show you all of the risks that are associated with a specific asset. This is helpful in identifying which assets are harboring an excessive amount of risk and should be patched or retired.
- Risks and Assets: This will show you all of the assets that are associated with a specific risk. This is helpful in highlighting the risks with significant impacts across your organization. If you have defined values for your assets, then this can even help you advance your maturity from qualitative to quantitative risk assessment.
- Controls and Risks: This will show you all of the controls that are associated with a specific risk. This is helpful in determining all of the mitigating controls that exist for a given risk and discovering where there may be a lack of depth in your defenses.
- Risks and Controls: This will show you all of the risks that are associated with a specific control. This is helpful in identifying the effects that a control failure has for your environment.
At SimpleRisk, we firmly believe that spreadsheets should not be considered a viable option for those organizations that are serious about risk management and that's why all of these reports and many more are available as part of the free SimpleRisk Core solution.
SimpleRisk was built by a security professional with a decade of experience running the Information Security Program for a large, publicly traded, global enterprise. He realized that it was critically important for an auditor to be able to look at the data contained in SimpleRisk and trust that it has not been modified. For that reason, all activities that take place within the tool are logged and an audit trail is maintained. At any point in time, an auditor can go back and establish what has been done, who did it, and when.
SimpleRisk was designed from the ground up to be as simple and intuitive as possible in order to enable users of varying skill levels to be effective using it. Over the years, SimpleRisk has evolved into a comprehensive and fully integrated GRC platform encompassing all of the Governance, Risk Management, and Compliance needs of organizations, regardless of their size or industry, while retaining its underlying simplicity. Most of the features discussed here are available in our free and open source SimpleRisk Core product, but even the licensed functionality can be obtained for a fraction of the cost of other GRC tools. We would welcome having an opportunity to join you on your GRC journey and would encourage you to schedule a call with our team, where we can discuss your requirements and demonstrate, firsthand, how SimpleRisk can help you accomplish your goals.