Risk Assessment Extra

 

The Risk Assessment Extra provides users with the ability to define contacts, create questions (including logic), assemble multiple questions with a questionnaire template, create questionnaires and send them to contacts, view the questionnaire results, add risks based on those results, compare the results over time, import and export externally customized assessments, and review the risk assessment audit trail.

What are SimpleRisk Extras?

SimpleRisk Core is our widely acclaimed, award-winning, free and open source product that has been downloaded over 60,000 times and contains all of the basic Governance, Risk Management and Compliance (GRC) functionality needed to establish a foundational GRC program. As an organization’s GRC program matures, extended functionality is often required to meet requirements beyond what is available in the SimpleRisk Core offering.

To address these expanded needs, SimpleRisk has developed a variety of plug-and-play modules termed "Extras" that provide functionality above and beyond our SimpleRisk Core offering. These plug-and-play modules will be essential to the success of your GRC program as your organization grows and matures its processes. While all of our Extras are available in packaged bundles with both SimpleRisk On-Premise and Hosted deployment models, they can also be purchased A La Carte for those organizations that choose to deploy our platform on-premise.

Why was the Risk Assessment Extra created?

Prior to introducing the SimpleRisk Risk Assessment Extra in 2018, SimpleRisk contained four available stock assessments (CIS Critical Security Controls, HIPAA, NIST 800-171, and PCI DSS 3.2) where users could take these assessments and answer the questions posed to them. The resulting answers then became pending risks that could either be added as a risk into SimpleRisk or deleted. While these assessments were effective, they were relatively basic and did not address many of the extended risk assessment requirements found in most organizations.

The SimpleRisk Risk Assessment Extra originated from a custom development effort funded by a large university customer on the East coast of the US and a large manufacturing customer on the West coast. The manufacturing company wanted to streamline the vendor risk assessments they were performing manually at a rate of over 400 annually. The university had several internal teams who were doing custom development, and their Security Team was responsible for ensuring that data security and privacy standards were upheld.

Both essentially wanted to be able to send a list of questions to a contact, receive a response back, use the response to document new risks, and compare results over time. SimpleRisk helped to create a specification that both organizations agreed to, and once the development effort was completed, the Risk Assessment Extra was integrated alongside the existing SimpleRisk functionality that they were already using. This Extra is widely used across our customer base, has undergone countless enhancements since it was first introduced in 2018, and is now able to effectively meet the risk assessment requirements of any size organization.

How is the Risk Assessment Extra used?

The Risk Assessment Extra provides enhanced functionality to perform both internal and external risk assessments. It allows you to create your own custom questionnaires with "Multiple Choice" or "Fill in the Blank" answers, including logic-based responses, to your questions. These assessments can be emailed to contacts, and the results can then be tied back to control audits or used to create new risks. The Risk Assessment Extra also provides a "one-click" import of a variety of risk assessment questionnaires and enables maturity assessments to gauge levels of compliance against your standards. You’re also able to compare the results over time and share the results with others, and the system maintains a full audit trail of all risk assessment activities.

In addition, you have the ability to dynamically build Risk Assessment questionnaires. This feature creates both standard (Yes/No/Not Applicable) and maturity (specifying CMMI levels for each control) questionnaires across over 200 different control frameworks and contains questions based on over 1,000 security and privacy related common controls.  Automating this process makes it easily repeatable and has proven to be a huge time saver for organizations.

In addition to these 200+ frameworks, below is a screenshot displaying a variety of other frameworks in SimpleRisk that can be installed at the click of a button, where risk assessment questionnaires can be automatically generated.  

[Screenshot: Risk Assessment]

What users would benefit from the Risk Assessment Extra?

Below are examples of how the Risk Assessment Extra provides benefits to the entire organization and key stakeholders.

Organizations are able to: 

  • Baseline security maturity, identify gaps, determine desired maturity levels and measure progress; 
  • Demonstrate security maturity to Customers;
  • Demonstrate security maturity to Executive Management and/or Board Members.

Compliance Teams and Auditors are able to:

  • Determine where security gaps exist to help ensure regulatory compliance is being met. 

Security Teams are able to: 

  • Leverage risk assessments to promote security awareness and drive mitigation efforts;
  • Automate and streamline the Risk Assessment process and continually track progress.

Vendors are able to: 

  • Mitigate risk to satisfy Customer requirements resulting from Vendor Risk Assessments.

How can I learn more about the Risk Assessment Extra or try it out for myself?

To learn more about the Risk Assessment Extra or discuss specific use cases for how your organization could use it, feel free to schedule a demo online. If you would like to try out the Risk Assessment Extra functionality for yourself, we offer a free (no credit card required!) 30-day trial. Please reach out to SimpleRisk Support if you have any additional questions about the Risk Assessment Extra or any of the additional functionality that we offer.