Modulo Risk Manager
Strengths: Solid next-generation GRC tool that now covers all of the bases, not just IT risk and policy management.
Weaknesses: We would like to see 24/7 support hours for premium support.
Verdict: This is a gold standard of GRC systems. It has all of the bells and whistles that you need and just about nothing that you don’t.
Modulo Risk Manager is a perennial favourite around here. However, in the past it has had a distinctly traditional look and feel to it. Now it has been acquired by SAI Global, an Australian public company, and integrated into SAI's overall risk management suite and the integration shows. There is a lot more automation evident than we saw last year and the approach is less traditional and more up to date. One of the new capabilities this year that contributed materially to Modulo's acquisition by SAI Global was the introduction of threat intelligence, but Risk Manager also is known for third-party (vendor) risk and reputational risk analysis.
The product still is based on the same five core modules that it was last year: Risk Management, Compliance Management, Policy Management, Workflow Management and Knowledge Management. All five of these modules are so tightly integrated that the feel is that of a single product which, of course, is the intent. Within these five modules you can create multiple joins from assets to operational groups. This gives a historical view with heavy live filtering capabilities. Reports can be built from these screens (organisational risk by business component and asset) for various audiences, making reporting one of Risk Manager's strong points.
Risk Manager supports four types of assets: Environment, Person, Process and Technology. There is no coding necessary - everything is available to be configured with a mouse click. This means that you can create surveys that a third party can fill in - all automated and all out of the box. Additionally, you can create a self-registration portal that lets the third party login and answer the survey. There is a module creation capability with mouse clicks that pulls from existing DB entries, such as names.
Smart workflows are a key capability. As well, threat intelligence sources are embedded with external websites making this a next-generation product.
For control-based risk assessment, the tool addresses Analysis, Inventory, Evaluation, Treatment - all control-based risk assessments use these four pieces. You can create interviews based on controls for the various applicable standards (hundreds of controls are available out of the box) and that include details. Scoring is predefined and consists of Probability, Severity and Relevance. Surveys can be created that force the respondent to provide evidence.
There are lots of collectors for various devices that can gather evidence automatically for the compliance reports. This product is hugely flexible with significant drill-down. Remediation is tracked under Treatment. The workflow engine is very powerful and easy to use - all access and setup is from the admin console so there is no programming required.
Further, access controls are role-based and there is a solid audit trail covering the use of the tool.
While Risk Manager does not do its own auto discovery it can consume output of vulnerability scans and it has a lot of third-party integrations. It can consume xml as well as other file formats for asset mapping. The product tracks remediation and automatically decides what gets remediated. It then performs closed-loop remediation.
The product has mobile device support for approvals and conducting assessments.
Support is solid although we would like to see premium support 24/7. The website largely is a marketing site. Documentation is solid. We have seen quite a few improvements over the past year in functionality, which already was superior.
Overall, we see an improved product and this is one of those rather unusual times when an acquisition actually offers improvement to the product without the product's technology simply being subsumed by the acquisition.