Strengths: Solid risk management platform, easy to use with a lot of nice features.
Weaknesses: None that jumped out at us.
Verdict: If your GRC program is missing the “R,” this tool may be for you. It handles risk as well as any tool we’ve seen – and is better than most. At £20,500, it’s going to appeal to medium to large organisations. We certainly think it will scale nicely for the big players.
RiskVision - formerly Agiliance - focuses on the "R" in GRC. It is a nearly pure-play risk analysis and management tool with what the vendor calls "continuous risk" management, which it has named "Always On Assessments." The idea behind this feature is that it is constantly collecting and analysing data. Unlike other systems that claim a similar approach, RiskVision actually does provide real-time response to ongoing data collection - as opposed to on-demand extraction of data that may have been collected several hours prior. This product is available both as an on-premises tool and as a cloud-based service.
We dropped into the Key Risks Summary page on the Enterprise Risk Manager module, which let us see key risks for individual departments in the context of the rest of the organisation. Overall, there are seven managers and each provides specialised information: Compliance Manager, Enterprise Risk Manager, Vendor Risk Manager, Threat & Vulnerability Manager, Policy Manager, Incident Manager and Administration.
From our landing page we selected the Finance/Europe department. There we saw that third-party risks and threat and vulnerability metrics were showing green while all other key risks were amber, except human resources risks, which were red. We selected IT Compliance, which was amber, and drilled down. This gave us a clear picture of exactly where the risks in this area actually resided and what they were. We saw that some of the most important risks had to do with access control, specifically in some application software. We saw the problem and the recommended related controls and sub-controls.
This tool can ingest threat and vulnerability feeds, where the vulnerability feeds come from scanners. It then compares the threat/vulnerability pairings with its risk catalog, which is available out of the box. In addition to a tabular display, drilling down on one of the elements in the table brings up a graphic of a hierarchy chart that deconstructs the element into its contributors. In our case, we selected Card Solutions, which decomposed into Global Card Services, CAD System, LMFPA7M and HCL Japan. Each of these elements could be decomposed further, giving a complete picture of the risk involved in Card Solutions, the people involved, and other elements that might contribute to risk.
The system can create workflow automation, and the vulnerability remediation process is closed loop. While the product does not do its own asset discovery, it can ingest data from a third-party source such as a scanner. It can correlate those data with other data that show the same thing, allowing efficient de-duplication.
The product supports a very wide range of standards out of the box, as well as automated controls, a key risk library, the Agiliance Risk Library and templates. The standards are pre-mapped with ISO as the baseline. Once the controls are mapped to risks on a particular project, every time that risk comes up in any project the mapping will apply.
The vulnerabilities can be identified by asset and can originate from a third-party scanner or a manual analysis, so, in addition to vulnerability scans from the likes of Nessus, Qualys or Retina, it also can accommodate penetration tests performed by an individual.
Ticketing is automatic and can be internal or through a third party. This is one of the best examples of operationalising risk data that we've seen. For example, the tool can correlate threats and actors using external threat feeds.
The website has mostly marketing information, but there is a support portal that customers can log into. Once you are in the support site, there is a knowledge base and an FAQ. Standard support is included at no additional cost, and premium plans are available as well.