I have been struggling to find a good resource for juggling GRC and ITAM in a better way than spreadsheet tracking for a few months now.

I can easily create a risk register for a single system, and I can track my GRC compliance for an individual project in a separate spreadsheet fairly easily.  However, attempting to tie-in/track the overall program risks (both IT and operational) is something that has proven too difficult for me to track this way.

I'm curious about the solutions in use in this community (ISC² professionals) and if you have any recommendations of things to avoid or look into.

I have tried my best to look into Eramba as so many people recommend it, but the time investment required to get it to a usable state is too much for me.  I would much rather build a database from scratch than try to understand someone else's concept of what makes for a good GRC solution, but I do not have the time for that either.

I need to be able to create a database of threats, link those to a database of targets, link those to departments and assign individual departmental impacts, and then generate a risk register.  Ideally, I could already have a database that links assets to departments and assigns a criticality to that department's workflow so when I assign a threat to the asset I would not have to manually assign an impact to the various departments.

Is there anything out there like that?