ZenGRC

Simply Powerful GRC

Risk Management

The Debut of Advanced ZenGRC Risk Management

· ·

Written by: Scott Nash, VP of Product

ZenGRC’s mission is to connect the people, processes, and technologies critical to our customers information security risk and compliance management. As InfoSec becomes increasingly more complex, our customers want to become more agile in their risk management strategy. It is important for them to have better visibility and be able to respond to changes quickly.

We’ve built upon ZenGRC’s core risk functionality to introduce a powerful new set of risk intelligence tools. The latest additions provide visibility on how multiple risks interact, its potential impact, probability occurrence, and remediation plans.  ZenGRC Risk Management helps organizations increase their risk intelligence and evolve towards a proactive risk management strategy. 

Here’s what we’ve launched: 
 We’ve expanded ZenGRC’s Risk Management solution to provide a centralized, fully-customizable platform that will advance your InfoSec Risk program while furthering your organization’s business goals.

 These enhancements to ZenGRC enable our customers to have a comprehensive understanding of their organization’s complete risk landscape. With the ability to aggregate risks, ZenGRC provides objective insight and illustrates interconnected risks across the organization.  

Notable features: 

  •   Pre-loaded Risk Content leverages industry-standard tools and techniques.  Risk registers like SCF’s and NIST’s, the Cyber Risk Catalog, and the RISQ Management Enterprise Risk Register facilitate identification and tracking of risk exposure. Incorporating multiple risk assessment methods, like CIS-RAM Simplified and RISQ Simplified, bolsters risk modeling and analytics.

  • Risk Calculations, customized around the factors most important to your organization, give meaningful insights.  Select the attributes to be tracked and assign weights across multiple variables. With customer-defined vectors, you can evaluate the impact, likelihood, and velocity of risks.

  • Better workflows increase efficiency and turn ad-hoc processes into repeatable workflows, customizable to reflect the nuances of your organization’s operational and business decisions.

  • Real-time Visibility facilitates tracking, reporting, and required actions on all risk objects.  You can visualize overall risks, or drill down into risks accepted, mitigated, shifted, or avoided. 


Better Risk Intelligence Creates Value
The new features we’ve released today, and all that is to come in our roadmap, enable ZenGRC to provide the highest level of risk intelligence for our customers.  With real-time information, our customers are empowered to make data-backed decisions, resulting in huge cost savings and return on investments. 

With our additional enhancements for identifying, assessing, and managing InfoSec risks, ZenGRC delivers more value, provides better visibility, and enables faster decision making. 

Contact us to schedule a demo today.
Learn more about ZenGRC Risk Management.

RECIPROCITY DEBUTS ADVANCED ZENGRC RISK MANAGEMENT

· ·

Provides Powerful Risk Management and Deep Insights Across Enterprise Risk Areas, Business and Information Security Applications, and Third-Party Vendors 

SAN FRANCISCO – February 5, 2020 Reciprocity, the company behind ZenGRC, the industry-leading information security risk and compliance solution, today announced significant enhancements to ZenGRC Risk Management. Building on the ZenGRC core risk functionality, customers now gain a powerful new set of tools in their efforts to evaluate and mitigate risk. In addition to providing insight into how multiple risks interact, how they could impact the business, the probability of occurrence, and actions the company can take to remediate risks, organizations will also get enhanced visibility into risks through the library of pre-built connectors available through Reciprocity’s ZenConnect platform.

ZenGRC Risk Management capabilities include:

  • Fully Customizable Risk Calculations: establishes relationships across systems, business divisions, and controls to understand the impact to the company risk profile and see the connections holistically; considers the interaction of multiple risks rather than focusing on a single risk or event, and considers the potential impacts of multiple threats
  • Advanced Risk Workflows: after identification and assessment of a potential risk, automatic remediation options are presented to resolve compliance gaps and strengthen risk posture
  • Custom Dashboards, Reporting, and Heat Maps: help identify key issues and provides executive-level insights that support leveraging risk intelligence for reward and value creation, rather than risk avoidance
  • Pre-loaded Content: compatible with existing programs and methods, allowing an easy move from spreadsheets, reduced change management process, and fast time to value

“Reciprocity is committed to listening to our customers and delivering a solution that simplifies complex processes, helps take their risk management program from reactive to proactive, and transforms risk management into a competitive advantage,” said Scott Nash, Vice President of Product at Reciprocity, “With ZenGRC, we’ve delivered a fully customizable risk solution, with integrations to leading business, workflow, and information security apps, getting customers closer to continuous-monitoring and real-time risk statuses across the entire tech stack.”

ZenGRC Risk Management is available immediately across all geographies. ZenGRC helps companies from all vertical markets, particularly those facing strict governance and compliance standards and complex risk management, and has seen rapid growth and adoption across mid-market and enterprise organizations in technology and technology-enabled industries. 

ZenGRC provides exceptional value, including the best-in-class time to value and total cost of ownership, with a flexible platform that fits unique program requirements, pre-loaded with content and templates, and white-glove onboarding from our team of industry experts. Current customers can contact their customer success manager, and access educational materials at ZenUniversity. For more information or to schedule a demo, go to www.zengrc.com.

 

 

For more information contact:

Kari Curto
press@reciprocity.com
(650) 504-1076

What is the Gartner Magic Quadrant for Integrated Risk Management?

· ·

The Gartner Magic Quadrant for Integrated Risk Management (IRM) evaluates software vendors that provide IRM solutions for various use cases.

The 2019 Gartner Magic Quadrant for Integrated Risk Management Solutions, which was published on July 15, was written by Gartner Inc. analysts Jie Zhang and Brian Reed.

Over the last few years, Gartner has advanced its research of governance, risk and compliance (GRC) technology software to meet the changing needs of risk managers and their companies. As such, Gartner has shifted its focus from GRC to IRM.

“Integrated risk management (IRM) solutions combine technology, processes and data to enable the simplification, automation and integration of strategic, operational and IT risk management across an organization,” according to the report.

An integrated risk management approach reduces the chance that risk domains will be siloed. An IRM strategy supports dynamic business decision making through shared risk processes and risk-data correlations.

The Gartner Magic Quadrant for Integrated Risk Management Solutions can help risk managers and security leaders identify technology tools that support an IRM strategy.

To understand and manage risk, companies need a comprehensive view across business units and risk and compliance functions, as well as across suppliers, key business partners and outsourced organizations, according to Gartner. Consequently, software providers are developing new technology to improve the collaborative nature of risk management, inside and outside a company.

To make the best use of IRM tools, organizations need to think about risk appetite vs. risk tolerance. Risk appetite is the level of risk that a company is willing to accept while pursuing its goals. Risk tolerance is the degree of variance from the company’s risk appetite that it is willing to tolerate.

When a company determines that risks go beyond their stated risk tolerance levels, they must develop action plans to ensure that they take the right mitigation steps to meet the risk appetite set by their boards of directors or other governance bodies. IRM tools can help risk professionals and business leaders manage and test their associated risk mitigation efforts.

Although Gartner evaluates the software providers, the research organization makes it clear that it does not endorse any vendor, product or service represented in its Gartner research publications. In addition, Gartner also doesn’t advise technology users to only choose those vendors with the highest ratings or other designations.

“Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact,” according to the company. “Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.”

What is Risk Identification?

· ·

Risk identification is the first step in risk assessment or risk analysis, and a critical part of the risk management process.

“You can’t manage what you don’t measure,” the saying goes.

Identifying the extent and nature of the risks to your organization is key to risk management. By “risk,” we mean any threat or event that could hinder your organization from achieving its objectives.

The risk identification process, therefore, begins with understanding your organization’s objectives. It should then include all potential risks, threats, and events that could harm its ability to attain those goals, whether or not they are under your control.

Because risks change and new risks emerge over time, risk identification should not be a one-and-done process but one that is continual and ongoing throughout the lifecycle of the project, program, or organization being assessed for risk.

The risk identification process starts with interviewing project management and leadership to begin devising a list of risks. Team members should comprise a diverse cross-section of the organization. All stakeholders, not just project managers, should be consulted, for the most comprehensive list of risks.

Other sources of potential risks include:

  • External and internal audit reports
  • Committee reports
  • Financial analyses
  • Historic data analyses
  • Loss data
  • Key performance indicators (KPIs)
  • Market and sector information
  • Scenario analyses
  • Forecasting and stress testing results

Types of identified risks might include:

  • Project risk
  • Operational risk
  • Financial risk
  • Legal risk
  • Cybersecurity risk
  • Reputational risk

Every risk identified as well as its root cause should be documented in a risk register for management, project team members, and stakeholders to use when deciding how to treat each risk-whether to accept/ignore it or mitigate it, and what risk mitigation strategies to use.

Top 5 Predictions for InfoSec GRC in 2020

· ·

January 1 ushers in a new year, a new decade, and new challenges—as well as new dimensions and re-ordering of existing challenges.  ZenGRC’s Team of GRC Experts share likely developments, trends to watch out for, and how your organization can navigate Information Security Risk, & Compliance in 2020.  With foresight, an organization can proactively take steps to address the challenges of the future.

Our expert panel explores what’s coming:

1. Risk-based, Layered Approaches Eclipse One-dimensional Efforts

“Risk Management and Risk Assurance will overshadow other approaches to GRC as organizations satisfy operational needs”  – Gerard Scheitlin, Founder of RISQ Management

“While the requirements on information security, privacy, and compliance will only continue to expand and tighten, organizations are realizing that it is not technology or compliance that prevents financial or reputational harm. Rather, it is a combination of technology, systems, and governance that manages and reduces the organization’s overall exposure. The only way to encompass all of these areas is through a robust risk management system that provides a tiered approach to risk assurance.” In much the same way that information security applies “defense in depth” methodology for technology, effective risk assurance approaches layer prioritized technical, administrative, and governance defense mechanisms across the entire organization.

Gerard Scheitlin has over 35 years of experience in GRC across multiple industries. He is the founder of RISQ Management, a GRC implementation, services and consulting organization that specializes in custom tailored, client centered solutions.  

2. The GRC Landscape Develops and Expands

“Additional privacy laws and frameworks will continue to be released” – Alan Gouveia, GRC Expert 

 “More requirements will be introduced, and guidance will continue to evolve, which will further complicate the work that organizations will need to do to remain in compliance.”  As these numerous and often disparate requirements expand, how can organizations contend with expectations? With thorough controls and focused attention, says Gouveia. “The need for a comprehensive privacy control set to satisfy diverse requirements grows as demands expand. In 2020 and beyond, that need will become more urgent.”

Alan Gouveia has been working in the regulatory and IT compliance industry for over 20 years, across numerous industries.  

3. New Sources and Dimensions of Data Requirements Push Boundaries

 “Organizations will be overwhelmed by new requirements—from customers, as well as  regulators and governments—which will be compounded by a focus on supply chain/third party risk”  – David Driggers, Product Strategist at ZenGRC.

 
“Organizations still grappling with the idea that those requirements come with very real financial consequences will be hit hard with the realization that obligations can’t be outsourced using contracts. Their responsibility for customer data doesn’t end at the border of their own infrastructure.” To be as efficient as possible in a resource-constrained environment, Driggers anticipates that scalable GRC processes, people, and technology will be key. “Looking forward, security posture will be further commoditized, eventually treated much like service level agreements today.” 

David Driggers is a GRC expert with over 20 years of experience delivering common sense cyber security solutions.  

4. Hazards of Noncompliance, Encountered the Hard Way

 “Bad data privacy policies and lack of processes will result in costly fines and loss of business for many organizations” – Dr. Maxine Henry, President of Cyvient 

As more legislators and regulators turn their attention to data privacy, more companies become potentially subject to financial penalties. And, with increased awareness of privacy issues in the marketplace, more consumers prioritize information security.  Organizations that do not recognize and mitigate their risk exposure will experience these negative outcomes. To avoid these pitfalls, Dr. Henry suggests, “Focus on the data. Do you have processes in place that protect data privacy? Can you document information security activities? If there is low-hanging fruit that will enable your organization to better demonstrate compliance, now is the time to take it.”

Dr. Maxine Henry is a global strategist and GRC consultant with over 30 years of experience in information technology. Dr. Henry specializes in cybersecurity, data privacy and protection, governance, risk and compliance.

5. Destinations and Roadmaps Begin to Overlap

“As additional data privacy laws are established, information security and GRC needs will continue to align with data privacy rules.” – Tricia Scherer, IT GRC Expert

This prediction highlights the growing convergence among topics once treated separately.  As the discipline evolves, it becomes increasingly clear that InfoSec, data privacy, and GRC are interconnected and mutually reinforcing; actions necessary to achieve one objective are also needed for another. This overlap can be positive or negative for an organization. “Investments in InfoSec often benefit GRC and data privacy as well, and vice versa. On the other hand, unaddressed gaps can be damaging on multiple fronts.”

Tricia Scherer has 20 years of IT Consulting and GRC experience across a variety of industries with a specialization in Cybersecurity, Data Privacy, IT internal audit, and a multitude of regulatory frameworks. 

As the landscape continues to evolve, risk and privacy considerations are critical to charting a course to meet objectives.  An organization’s value proposition is not simply what product or service it provides, but how it operates and interacts with its customers, stakeholders, and team. Effective risk and data management is so vital that it may determine not only how fraught the journey is, but whether or not an organization reaches its destination. 

ZenGRC’s in-house team of experts are both leading thinkers on GRC and InfoSec, as well as, practitioners with extensive experience.  With ZenGRC’s expert guidance, organizations can prioritize and focus efforts on the most pressing challenges.