Recently I have heard of more and more inquiries as to how Risk Management is being handled and what is being used as far as tools go. This appears to be a current topic of renewed interest. What have others seen or heard?
In my organization ($800M revenue), we have not been able to receive funding for a GRC tool. So I have used the Gartner/CEB spreadsheet template and constructed within SharePoint a Risk Register, a Security Risk Exception repository, and request and approval workflows. Not bad for a poor-person's solution. It has passed SOC 2 Type II and ISO 27001 external certification for two years now, and HITRUST certification as well.
My org has updated to RSA Archer 6.x. As a submitter, I find it pretty easy to use and our information protection team has customized intake questionnaires to expedite the assessment/review process.
I am relatively new to my organization, and it does not appear that we have a culture that is thinking about integrated risk management at this time. I appreciate the insight about the Gartner spreadsheet; perhaps I can use this as an introduction to the need for change towards an integrated risk management approach within the organization.