An Enterprise Risk plan should start with a Baseline understanding of the following:

  1. An understanding of the business environment: business size, scope of industry verticals, risk factors, risk tolerances, etc.
  2. An understanding of the types of Data involved to run and manage the Enterprise.
  3. Full understanding of industry-mandated requirements: HIPAA, FISMA, FedRAMP, CMMC, GDPR, etc.
  4. Understanding of People, Process and Technology of IT/IS, Finance, Legal etc.
  5. GRC should be structured as a Program with supporting Projects to deliver a Programmatic approach to reducing risk. GRC is a journey with many moving parts.
  6. Start with a baseline Risk Assessment (People and Process), Vulnerability Assessment, PenTest and Wireless Network Assessment (Technology).
  7. Consider a Compromise Assessment to see if you have been breached and do not know it.
  8. Gather these findings and prioritize a remediation plan to reduce Enterprise risk as it relates to budgeted funding.
  9. Cost out the cumulative OpEx and CapEx funds required to execute the various Projects that: A. Are mandated by your industry. B. Should be done but are not necessarily mandated. C. Are the right thing to do.
  10. Build out your prioritized Remediation Plan as it relates to available resources (Budget, People, Process and Technology.)
  11. Perform Remediation per #10.
  12. Rinse, repeat. Execute in a programmatic manner. Review on a quarterly basis.
  13. Build the above findings into the budget request plan. Allocated funds should represent the risk tolerance of the Board, Executive Team and stakeholders.
  14. Reach out for help. It takes a community!

Reach us with questions: Peter@GaileySolutions.com 214-336-1286 http://www.gaileysolutions.com