Recently I have heard more and more inquiries as to how Risk Management is being handled and what tools are being used. This appears to be a topic of renewed interest. What have others seen or heard?
In my organization ($800M revenue), we have not been able to receive funding for a GRC tool. So I have used the Gartner/CEB spreadsheet template and constructed within SharePoint a Risk Register, a Security Risk Exception repository, and request and approval workflows. Not bad for a poor-person's solution. It has passed SOC 2 Type II and ISO 27001 external certification for two years now, and HITRUST certification as well.
I'm in the same boat as you; we have not been able to receive funding for a GRC tool. Where could I get a copy of the Gartner/CEB spreadsheet template?
My org has updated to RSA Archer 6.x. As a submitter, I find it pretty easy to use and our information protection team has customized intake questionnaires to expedite the assessment/review process.
I am relatively new to my organization, and it does not appear that we have a culture that is thinking about integrated risk management at this time. I appreciate the insight about the Gartner spreadsheet; perhaps I can use this as an introduction to the need for change towards an integrated risk management approach within the organization.