By Rob Ellis, SVP of Product Strategy at Reciprocity
There’s a refrain I hear more and more often when I talk to compliance people in organizations across industries: “We need to move beyond compliance. It just isn’t enough on its own.” They tell me that the rapid pace of change, unrelenting barrage of cyber crimes and data leaks, as well as the challenges wrought by the COVID-19 pandemic have all combined to put sophisticated risk management on the front burner.
Organizations that planned to mature into a risk-centric posture in two or more years now find they need to do it in six months. The problem is that few compliance-focused organizations are equipped to make the transition. They may be able to create a risk registry and even score it qualitatively, but they often find themselves stuck at essentially Step One.
Bringing in outside consultants to do the job of risk scoring can take too long and still leave the issue of ongoing risk management unresolved. Recruiting and hiring additional risk talent is similarly time-consuming and costly. Leaders within these organizations tell me they need a live view of risk that maps back to their compliance efforts so they can determine what they need to mitigate it.
Now, I have an answer that gets them excited: Risk Intellect, our new risk-analysis tool that leverages the Reciprocity® ZenGRC® platform to create a jumping-off point on the path toward risk maturity. Risk Intellect maps your current compliance control assessments to cyber risks, assigns a quantitative score to each risk, and offers advice on the types of controls needed to remediate them, giving you immediate context and visibility into which controls offer the greatest opportunity for reducing risk.
Tools like ZenGRC are indispensable for compliance. But to evolve from compliance to risk management, organizations need more: a traditional rule-based approach augmented with a fluid and agile methodology that not only evaluates compliance risk, but also takes a broader, longer-term view.
Bridging that gap is what Risk Intellect is all about. It’s the first bridge (or better yet – express elevator!) between compliance and risk to help companies take their check-the-box compliance initiatives and transform them into a living, breathing risk management program.
3 steps toward risk maturity – and beyond
There are three initial steps any organization must take to transform from compliance-centric to risk-centric: creating a risk registry, quantifying each risk, and assigning controls against them. Risk Intellect can automate all three, as well as support ongoing risk analysis and management.
In fact, Risk Intellect is the first tool on the market that can take your compliance scores and control tasks to automatically build a risk registry, quantitatively score that registry, highlight gaps, and suggest corresponding controls using artificial intelligence. And it can do it without significantly altering your organization’s familiar workflow. Here’s a closer look at those three steps and how Risk Intellect streamlines each:
Step 1: Create a risk registry. By seamlessly integrating with your existing compliance program data in ZenGRC, Risk Intellect draws from a single source of truth to build a comprehensive risk registry using the Secure Controls Framework (SCF) catalog of cybersecurity risks. This gives you an immediate view of your current risk posture in minutes rather than days or weeks.
Step 2: Score your risks. Risk Intellect immediately calculates expert-provided inherent versus residual risk scores for each of the 32 SCF cyber risks. This gives you a fast start in identifying the strength of your compliance program with insights into how well current controls are working – the same insight you’d get from a risk assessment, but without the effort.
Step 3: Assign controls. One of the capabilities that our customers are most excited about is Risk Intellect’s ability to recommend which controls to adopt, update, or remediate, so you can focus limited resources on the areas with the greatest opportunity for risk reduction. A simple, interactive dashboard that goes beyond traditional heatmaps helps you quickly assess and prioritize compliance remediation activities. You can see your overall residual risk score, view and analyze gaps against defined targets, and gain an understanding of how specific controls are affecting risk.
Gain ongoing visibility and insight. Once you’ve completed these three onboarding steps, you’re ready to run your risk program on an ongoing basis. Thanks to Risk Intellect’s integration with ZenGRC, you get a continuously updated view of risk scores, so you can take action through direct links to specific controls within ZenGRC and track progress toward defined risk reduction goals. Your team can continue to perform familiar compliance tasks without the heavy lift of learning complex new tools.
Transforming your organization from a compliance-first posture to one that prioritizes risk is a critical step in its risk management maturity, but it doesn’t have to be a difficult one. Risk Intellect seamlessly integrates with your existing compliance program control and assessment data and generates a customized view of your current risk posture in minutes, not weeks or months. With a few simple clicks, you gain insight and a detailed understanding of how to strengthen your compliance program and reduce risk. Read more about Risk Intellect now.