Overview
Risk management defines the hypothetical possibilities of events that may or may not occur, yet it is often conducted only after problems have already happened. With a simple shift in perspective, the resources spent putting out fires can instead be used to protect against threats before they materialize.
ZenGRC provides an end-to-end Risk Management solution that can be tailored to any risk management methodology. Setting up a program to manage risk is unique to each organization, but it may manifest as: security monitoring, training, continuous risk improvement, enterprise risk management, developing risk committees, and technical network monitoring.
Risk Management Definitions
Risk - An event or condition that, if it materializes, could have a negative effect on business objectives. Risk is neither proactive nor reactive; it simply defines the hypothetical possibilities of events that may or may not occur. In the compliance sphere, controls are written to minimize risk to the organization. By mapping relevant controls to identified risks, an organization can see which controls have been put in place to minimize each risk, and which risks have none.
- Inherent Risk - The level of risk before any controls are applied.
- Residual Risk - The amount of risk remaining after controls are implemented.
Threats - Objects that identify the potential exploitation of vulnerabilities. A threat can be environmental (earthquake, snowstorm, flood), physical (hardware failure, building issues, people), technical (virus, malware, software bug), or fall into other categories as appropriate. It is critical to recognize that a threat is what exploits a vulnerability. You can typically reduce the impact a threat has through the vulnerability, but it is very difficult to avoid the threat altogether. By creating and mapping relevant Issues to threats within ZenGRC, a remediation plan can be identified and implemented to minimize or eliminate the threat.
Vulnerability - A risk-related object within ZenGRC, defined as a weakness that a threat can exploit and that therefore causes or contributes to a risk. It is a gap that increases the likelihood that something will happen. While a risk is theoretical, a vulnerability is real.
For instance, a driver who is distracted by texting has a vulnerability; putting the phone away while driving is a control. If the driver is also not confident behind the wheel, taking a driving class is a remediation.
Incident - Objects that track risk and/or vulnerability events. They can be used to monitor failures in the patching process, which could lead to a risk materializing. Note that an incident is not a risk, nor is it a vulnerability. These are often confused, and the confusion reduces the effectiveness of a risk management program.
Mapping these objects together within ZenGRC gives your organization a clearer picture of 1) how you currently approach risk, 2) your risk protection methods and/or gaps, and 3) possible improvements to your risk management system.
Mitigation - The steps taken to reduce the adverse effects of risk incidents. There are four risk mitigation options to remember; you may do one of the following:
- Accept the risk.
- Avoid the risk.
- Transfer the risk.
- Reduce the risk.