Benefits
Risk management defines the hypothetical possibilities of events that may or may not occur. Unfortunately, Risk management is often conducted after problems have already happened.
With ZenGRC's Risk Management solution and a simple shift in perspective, resources spent putting out fires can instead protect against threats.
Overview
As the first of several enhancements for the ZenGRC Risk Management program, we're announcing the new Risk Heatmap. Now organizations can jump start a new risk program or incorporate a mature program through various customization options.
For additional information on this feature, please see Risk Heatmap.
Risk Management Terminology
Risk - An event or condition that, if it materializes, could have a negative effect on business objectives. Risk is neither proactive nor reactive, it simply defines the hypothetical possibilities of events that may or may not occur.
In the compliance sphere, controls are written to minimize risk to the organization. By mapping relevant controls to identified risks, an organization can identify controls that have been put in place to minimize risk.
- Inherent Risk - A risk without controls.
- Residual Risk - The amount of risk remaining after controls are implemented.
Threats - These objects identify potential exploitations of vulnerabilities. A threat can be environmental (earthquake, snowstorm, flood), physical (hardware failure, building issues, people), or technical (virus, malware, software bug), or other categories as appropriate. It is critical to recognize that a threat is able to exploit a vulnerability.
You can typically reduce the impact of the threat on the vulnerability, but it is very difficult to avoid the threat altogether. By creating and mapping relevant Issues to threats within ZenGRC, a remediation plan can be identified and implemented to minimize or eliminate the threat.
Vulnerability - A risk related object within ZenGRC that is defined as a weakness that causes or contributes to a risk exploited by a threat. It is a gap that increases the likelihood that something will happen. While a risk is theoretical, a vulnerability is real.
For instance, those drivers who are distracted by texting - a vulnerability - put the phone away while driving: a control. Maybe they're not confident drivers, so they take a driving class: a remediation.
Incident - Objects to track risks and/or vulnerability events. They can be used to monitor failures in patching processes, which could lead to a risk manifesting. Note that an incident is not a risk, nor is it a vulnerability. Often, these are confused and this confusion reduces the effectiveness of a risk management program.
Mapping these objects together within ZenGRC gives your organization a clearer picture of 1) how you currently approach risk, 2) your risk protection methods and/or gaps, 3) improvements to your risk management system.
Mitigation - The steps taken to reduce adverse effects of risk incidents. There are four types of risk mitigation to remember: You may do one of the following:
- Accept the risk.
- Choose to Avoid the risk.
- Decide to Transfer the risk.
- Work to Reduce the risk.
Likelihood - The probability that risk will materialize. These probabilities are reduced by controls.
Severity - The effect that would be felt if the event did occur. Severity and impact are reduced by mitigation.
Velocity - How fast a materialized risk will affect an organization. Velocity is slowed by mitigation.
Control Strength - Control strength is increased by mitigation.