... tell you how much you can expect to lose per year to a specific threat. This gives you an idea of how much you can cost-effectively spend on countering that threat.
Risk management software
Of course, all of this calculation can be done manually, but it's much
easier to let software do it for you. Some popular enterprise-level
packages include:
- COBRA Risk Consultant from C&A Systems
- Risk Commander from TruSecure
- Enterprise Risk Assessor from MethodWare
- Risk Register from Noweco
Some of these and other risk management software packages provide evaluation versions or "lite" versions. However, commercial risk assessment software tends to be expensive. For example, Enterprise Risk Assessor (ERA) Lite costs over $5000 (£2,900).
Starting small
But what if your company is still small? Does that mean you don't need
a risk management program? On the contrary, because small businesses
usually operate on tighter budgets, with fewer surplus funds, it's more
difficult for a small company to absorb a large loss than it is for a
large organisation. Thus, identifying and managing your risks is, in
many ways, even more important. But your needs are different, and so is
your ability to fund a risk management program.
No matter what size your business is, you should have a written business plan. Risk management should be a part of that plan, rather than a standalone project. And it should be looked at as an ongoing process, rather than a short-term project. Risks, especially in the IT area, are constantly changing.
Scaling risk management
The basic concepts of risk management don't change as your business
grows, but your implementation of risk controls probably will. Your
security risk management team may start out as one person, but as the
organisation grows, so should the team. The risk management process
evolves along with your overall security framework.
Free tools can remain useful even if you decide to implement more sophisticated software solutions. The software simply makes the process more automated. Building a solid knowledge of risk management practices while the organisation is small will help you to retain control over the process when it becomes more automated, rather than simply relying on the software to do everything for you.
Even if your company can't afford a risk management package now, you should plan ahead as you begin to formulate your initial risk management plan, so that you'll already know which package is right for you when the time comes and what's required to implement it. That will make the transition much smoother.






