Risk management is the identification and assessment of the elements of risk - threats and vulnerabilities - and the prioritization and remediation of those elements to prevent or mitigate impact. One of the largest challenges in managing risk is the need to take massive amounts of information from the entire organization, correlate it to industry regulatory requirements, identify areas where threats and vulnerabilities could come together to produce an impact, and provide a usable measure of the value of that risk to the business. Risk management is an enterprise initiative and is not limited to information technology. Business risk exists where adherence to corporate policies and regulatory requirements is not maintained. Operational risk exists when controls are not deployed to support business policies or regulatory requirements, or when the deployed controls are either not effective or can be circumvented. IT risk exists where systems are not configured properly, applications are not secured, systems are not patched in a timely fashion, or disaster recovery planning is not sufficiently defined.
Whether you are a small company with a single individual responsible for all areas of risk or a larger enterprise with multiple groups - such as internal audit, information technology, compliance and regulatory management, enterprise risk management, operational risk, incident management, finance, legal and formal audit committees - the reality is that governance, risk and compliance (GRC) is no easy task for an organization of any size. In most enterprises, information resides and people operate in silos, with very little sharing of information, frameworks and systems. Bringing the stakeholders together to provide a truly comprehensive view of an integrated GRC program is a time-consuming and complex challenge. Having gone through this process many times in consultative engagements, I can truly appreciate having a technology solution to manage the audit aspect, as well as to discover and maintain an inventory of IT and business systems or assets, and to collect all the vulnerability and threat data within the organization. Such a solution also maintains an up-to-date inventory of content on all compliance requirements, correlates all that information and provides an easy view into gaps, while delivering an accurate risk profile to assist in determining mitigation strategies. It also provides an easy-to-manage workflow tool that allows for ticket and responsibility creation and accountability management for all tasks assigned to the audit and risk management process.
This Group Test focused on risk, but also looked at the ability of each offering to tie risk to other aspects of compliance and governance. We had nine products to study this month. All set out to address some or all of the wish list above. All of the offerings had some great features, and all provided help in managing a very complex process. The write-ups focus on key components and new features. We would need three times the space to truly document all the key features that make each of these products unique or useful to one's efforts. Our reviews this month were done via vendor webinar demos and reviews of the product install, along with a survey of the administrator and user guides. Our tests were done at a very high level, so it is definitely a good idea to research and try these products when determining which solution is right for your organization.
Although each and every one of these products had a definable value, they all had different strengths and capabilities and focused on different areas of risk management. Each one came with quite a bit of pre-populated content relating to policy, compliance data and report templates. Some were stronger on the assessment/audit side, measuring risk as it related to compliance and policy adherence. Others were stronger in gathering threat and vulnerability data and compiling a very useful risk view based on an asset inventory. The solutions also varied in how they were offered - some as a software offering, some as a hosted SaaS model, and others that supported both. It is important to consider the pricing model of the offerings, as well as the requirement to move data offsite when using a hosted model.
Good governance, effective and real-time risk management, and adherence to regulatory requirements have a direct impact on the organization. Regardless of which solution is chosen, each will provide a great deal of help in gaining control of data gathering, audit, assessment, visualization and management of the mitigation workflow, and as such each will enhance the enterprise's risk and compliance posture.