Risk Communicator organizes evidence to visually communicate risk priorities and investment road maps. The following scenario focuses on IT Security prioritization and budget justification. The workflow is similar whether you're evaluating risks associated with cloud computing, mobile devices, or a technical vulnerability.
Estimating risk is a process involving multiple data sources and stakeholders. Risks must be summarized for executives to determine if risks are within business tolerance. Tactical risks must be detailed to understand the frequency of occurrence and the associated impacts.
Speed, consistency, proven workflow, and executive-ready reporting enable Risk Communicator to reduce the time and effort to prioritize risks and justify security investments. Risk Communicator is designed to address all levels of risk assessment, enabling the security team to facilitate a process for risk owners to make proper treatment decisions. The risk model and prioritization workflow incorporated into Risk Communicator are based on NIST SP 800-30r1.
Risk Communicator Overview
Since security teams approach risk and investment prioritization differently, Risk Communicator distills the process into a standard workflow:
1. Build Assessment
Identify risks across your assessment scope and document your current control effectiveness. To streamline this step, Risk Communicator contains a repository of templates covering IT, security, compliance, and emerging technology areas.
A common workflow is to conduct a controls audit using Compliance Communicator. Where controls are absent or insufficient, they can be imported into Risk Communicator. Control deficiencies can then be redefined into risk statements.
2. Prioritize Risks
Choose the right level of detail for your audience. Risk Communicator offers simple drag-and-drop movement of risks across the standard Impact/Likelihood Heat Map. For detailed or controversial risks, Risk Communicator includes a detailed framework to facilitate debate, organize your evidence, and consistently prioritize risks. As appropriate for your organization and assessment, Risk Communicator also includes a Quantified Impact Plot to visually communicate the Expected, Best, and Worst case impacts across risks.
Underneath each risk lies the Risk Panel to construct a detailed risk estimate.
3. Define Projects
Risk Communicator provides a simple approach to associate costs with value in terms of risk reduction. The benefit is communicating the optimal pace of project investment.
4. Justify Spending
Risk Communicator provides a consistent approach to incorporate risk, business importance, and IT's capability to execute projects. This combined Business Value Score facilitates an objective discussion about the costs and benefits of investment priorities. Risk Communicator provides graphical views showing the residual risk from out-of-budget investments and demonstrates the value of projects in budget, addressing leading questions such as "When are we done?", "What is the business getting from the investment?", and "What would happen if we increased/decreased budget?"
No spreadsheet mastery required. Risk Communicator exports all risk details, investment information, and interactive visuals to a Microsoft Word document; content may be copied to standard presentation applications as needed. Risk Communicator also offers a .csv export to download all information for additional analysis.