Methodware Enterprise Risk Assessor Risk Analysis Software


Kristen Noakes-Fry, Trude Diamond
Product Report
26 March 2003

Methodware Enterprise Risk Assessor Risk Analysis Software

Summary

Methodware Enterprise Risk Assessor provides an internal audit and risk management framework customizable to company needs, but it has yet to reflect key standards of the world to be considered an international product.

Table of Contents

Overview
Analysis
Pricing
Competitors
Strengths
Limitations
Insight

List of Tables

Table 1: Overview: ERA
Table 2: Features and Functions: ERA
Table 3: User Support: ERA
Table 4: Definition of Risk Categories
Table 5: Data Analysis
Table 6: Evaluation Techniques
Table 7: Reporting
Table 8: Foundation of Design: Common Tools Compatibilities
Table 9: System Requirements
Table 10: Price List: ERA Products
Table 11: ERA Competition

Gartner
Reproduction of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The reader assumes sole responsibility for the selection of these materials to achieve its intended results. The opinions expressed herein are subject to change without notice.

Corporate Headquarters
Methodware, Ltd.
Level 2, Crombie Lockwood House
150 Cuba Street
P.O. Box
Wellington 6001, New Zealand
Tel:
Toll Free: ASSESS (within New Zealand), (within Australia)
Fax:
Internet:

Overview

Methodware's Enterprise Risk Assessor (ERA), previously Operational Risk Builder, provides a consistent companywide approach to business risk management that allows integration of input from all the necessary types of users, from risk management professionals to unit managers and others who provide only limited information. To enable risk managers to identify, record, assess, treat and monitor risks across the company, ERA provides an internal audit and risk management framework customizable to organizational requirements. The tool permits consolidation, tracking and monitoring of enterprise risk and audit information over time, for increasing accuracy of predictions and more value-targeted choice of mitigation tactics. ERA's core qualitative (or subjective) risk assessment features are supplemented by an interface to a Palisade Corp. product, which provides the quantitative techniques.

ERA's central repository for all risk-related information is regulated by user identification and specific authorizations. Thus, information is available to (and may be entered by) internal auditors, risk managers, business managers, the board and other stakeholders, depending on their security-controlled levels of access to reports. Three data-entry mechanisms accommodate different types of users at their appropriate levels of access as well:

- Assessor: the End-User Models facility for Risk/Audit Managers automatically processes and reports on the qualitative or subjective aspects of risk assessment, which are defined using two tools for model creation and data consolidation:
  - Builder Tool, to define the risk or internal audit framework and establish the standard risk management/internal audit approach and terminology at the enterprise level.
  - Consolidation Tool, to develop an enterprise-level risk profile, enabling reporting of top risks across the business, comparison of risk profiles from its business areas (or over time in a single business unit) and identification of risk trends.
- Java Client, for operational unit and staff organization contributors, provides access to a security-controlled range of risks, controls, findings and other features.
- Word/HTML Forms, for users who do not need direct access to the databases, enable gathering of risk management information from occasional contributors in easily understood formats.

Table 1: Overview: ERA

Versions: Version 1 of ERA (version 4 of the previous Operational Risk Builder)
Date Announced: December 2002
Platforms Supported: Windows 2000/XP/NT 4.0
Database: Both thin- and thick-client configurations comply with Open Database Connectivity (ODBC) and interface with Microsoft Excel.
Installed Base: More than 800 corporate clients in over 60 countries (80 in the U.S., 50 in the U.K.). Of these, more than 50 clients have migrated to ERA from the former Operational Risk Builder.
Target Market: Organizations of any size desiring enterprisewide consolidation of risk-related information. Users at all levels of sophistication and with diverse system access needs.
Example Applications: Embedded risk management data models: Project Management; Procurement; Corporate Governance; Application Audit Builder version 3; Development and Internet Utility.

Table 2: Features and Functions: ERA

Scope of Programmed Intelligence

Models: Pre-Defined or Customizable
- Pre-Defined:
  - Project Management: applies the Projects in Controlled Environments (PRINCE II) methodology, a U.K. Government standard used widely in the private sector, both in the U.K. and internationally, by organizations such as the Project Management Institute. The PRINCE methodology offers nonproprietary, best-practice guidance on project management. PRINCE is in the public domain.
  - Procurement
  - Corporate Governance
- Customizable: ERA allows users to define the risk universe based on the organization. ERA does not restrict, or require, the user to use the Methodware models (templates) outlined above.

Surveys: Questions and Responses: ERA can generate Word and HTML forms for a variety of purposes, including Control Self-Assessment and responses to audit letters.

Table 3: User Support: ERA

User Manual and Documentation: Frequently asked questions (FAQ) on Methodware's Web site. The user manual, as an electronic document, self-installs directly with the InstallShield-managed product installation. For the Client/Server/Java installations, installation support is available directly from Methodware.

Table 3: User Support: ERA (continued)

Training and Certification:
- Demonstration copies of the software contain online help and Quick Start, which guides users through the basic process of using the software.
- Instructor-led training: partnership alliance members in various countries provide Methodware training and consulting. Cost: UK £950 (US$1,550)/day plus expenses. Current number of partners: two in Canada, two in the U.S.A., four in Central America, six in South America, one in the U.K., one in Belgium, one in Spain, one in South Africa, one in India, one in Malaysia, one in Indonesia and five in Australia/New Zealand.
- Online training program via the WebEx Meeting Center allows a trainer to walk a user through the product in real time via a Web page while conversing with the user on the phone. Cost: $190/hour.

Online and Telephone Support:
- E-mail and fax: all correspondence is answered within one business day.
- Phone: the help desk operates from 7:30 a.m. to 7:00 p.m. New Zealand time. U.K. technical support hours: 8:30 a.m. to 6:00 p.m. U.K. time. A toll-free U.S. number is planned, which would transfer callers to the appropriate office to provide coverage during most of the U.S. workday.
- Maintenance agreements provide flexible priority help desk arrangements.

Table 4: Definition of Risk Categories

Identification Parameters: Risk models can be structured and labeled based on the structure of the organization.
Risk Preference Functions: The Builder tool allows users to define most risk selection items, including Risk Consequence and Risk Likelihood. Risk Severity can also be defined, including identification of parameters for risk tolerance.
Functional Areas: Models include Committee of Sponsoring Organizations of the Treadway Commission (COSO) Business Models, Project Management, Procurement, Corporate Governance and IT Security. Users can also develop other models specific to their business risk universe.
Loss Categories: Defined in the Builder tool.
Asset Categories: Defined in the Builder tool and can be added to by the user.
Threats: Pick lists of threats defined as risks are provided, and users can develop customized pick lists in the Builder.
Vulnerabilities: Pick lists of vulnerabilities defined as risks are the core of the ERA system and allow up to three levels of risk evaluation (with user-defined scales and criteria).
Safeguards: ERA defines Safeguards as Controls (against Risks). A user-customizable Controls listing is provided. Controls in ERA are separate entities and can be assessed and reported on as such.

Table 5: Data Analysis

Individual Assets in Asset Categories: User-created listing; no pick lists.
Annual Frequencies of Threats: Users can define three levels of likelihood (frequency): 1) without controls, 2) with controls in place and 3) a goal.

Table 5: Data Analysis (continued)

Determination of Vulnerabilities: The risk evaluation can be at a number of levels, any or all of which may be deactivated by the Builder. Risks can be allocated to people with primary responsibility, as well as to Risk Areas, Business Objectives or Processes.
Safeguards: Safeguards, defined as Controls against Risks, can be assessed and analyzed.
Incidents: ERA provides a separate loss event/incident database. Individual events can be linked to the respective risks for further analysis.

Table 6: Evaluation Techniques

Simulation Engine Method: Monte Carlo, via interface with the Palisade Software product.
Statistical Algorithms Available: No.
Analytical Techniques Included:
- Qualitative: ERA is primarily a qualitative risk management tool. It provides guidelines for compliance with the U.S. Sarbanes-Oxley reforms, the International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 17799:2000 standard and the Australian/New Zealand Risk Management Standard AS/NZS 4360:1999, and supports identifying risks, controls and treatments (based on the AS/NZS 4360:1999 risk management framework).
- Quantitative (offered via the interface): What-if Scenarios (in the Assessor, the user has the ability, if turned on by the Builder, to look at the impact on a risk assessment of removing specific controls or treatments from a risk), Scenario Analysis, Sensitivity Analysis and Stress Analysis.
Creating and Editing Links Among Assessment Elements: End users can add to the relationships defined by the Builder, but cannot delete or modify the framework outlined by the Builder.
Calculating Annual Loss Expectancy (ALE): ERA does not specifically calculate the ALE, but users can determine the ALE by summarizing the loss events database. Loss events can be linked to specific risks, which allows comprehensive analysis of the incidents. Additionally, the loss event information can be mapped, using the interface to the Palisade tools, to calculate risk values based on consequence and likelihood (frequency).
Evaluating Safeguards for Recommendation: ERA allows the user to capture the cost of the controls, but does not by default map the risks to potential loss values. These calculations are available from the Monte Carlo simulation available through the Palisade product.

Table 7: Reporting

Reports: Key mapping and graphical information include:
- Heat maps showing comparative risk data
- Risk Matrices for graphical evaluation of risk
- Pivot tables to analyze detailed information by variable criteria in a matrix format
- Consolidated risk data for individual business units or across the entire enterprise/group
- Export into MS Word/Excel of all risk and audit information
Report levels: Executive summary; Safeguard-threat report for Risk Controls; Audit trail reports; Final management report.
Graphs: General graph types: Heat maps; Risk Matrices. Graphs can be formatted in any way the user requires by incorporating Excel macros into the report format for bar, line and tornado diagram reports. Graphs are generated internally within ERA for display purposes. Reports generated in Word allow the use of Excel graphs, which gives users the ability to customize the formatting where required.

Table 8: Foundation of Design: Common Tools Compatibilities

Independent System vs. Host-System-Dependent: Independent.
Spreadsheet Management (Internal Development; Export/Import): Import/export with Excel and MS Word.
Database Management (Internal Development; Export/Import): Import/export uses flat files and dBASE file (DBF) formats to provide compatibility with virtually any other system. Server versions are ODBC-compliant.
User Interface: Based on the familiar Windows model.

Table 9: System Requirements

Hardware: Pentium II processor; 128MB or higher of available RAM; 100MB free disk space.
Operating Systems: Windows 2000/XP/NT 4.0.
Applications: None required, but Methodware integrates with Microsoft Word 97 or higher, Microsoft Excel 95 or higher, and Netscape 4.0 or higher/Internet Explorer 4.0 or higher.

Table 9: System Requirements (continued)

System Memory Recommended Setup:
- Standard and Multiuser: 128MB or higher of available RAM; IBM PC-compatible with Pentium II processor; Windows 95/98/NT/ME/
- Client/Server: MB or higher of available RAM; 100MB free disk space; ODBC 3.0 servers; MS Structured Query Language (SQL) and Oracle databases.

Analysis

Methodware's Enterprise Risk Assessor (ERA) version 1 was introduced in 2002, but it has been evolving for over 10 years. Starting as the Operational Risk Builder software, which goes back to 1991, the product has been renamed Enterprise Risk Assessor and focuses on the internal audit integration of risk management. Each Methodware tool uses the same underlying engine, which ensures consistency and compatibility among the products. The Advisor Pathfinder Engine provides a development toolset, with screen builder, rule builder, link builder and report builder, that allows any analytical framework or model to be automated. Methodware's developers use these development tools to customize the software to meet users' unique requirements. Enterprise Risk Assessor allows user creation of custom assessment models.

The Methodware Tools Suite: Different Mechanisms for Each Type of User

For enterprise-level risk managers, business unit managers who regularly contribute risk analysis information and base decisions on risk assessment for their units, as well as others whose input is on an ad hoc basis, Enterprise Risk Assessor provides the levels of power and complexity appropriate to the individual:

Power Users
Risk managers and system administrators use the Builder Tool to define the risk or internal audit framework and establish a standard risk management/internal audit approach and terminology at the enterprise level. The Assessor generated from the Builder Tool is structured according to the risk or internal audit framework defined in the Builder Tool. The Assessor conducts detailed assessments across the enterprise and provides Risk/Audit Managers within the company a management/audit tool for identifying, assessing, treating and monitoring the risk profile within the business/audit area. ERA provides these power users with a comprehensive range of analysis and reporting tools. With the Consolidation Tool, power users develop an enterprise-level risk profile, enabling reporting of top risks across the business, comparison of risk profiles from its business areas (or over time in a single business unit), and identification of risk trends. Such users can then plan, track and manage risk assessments across the organization. They can set up new users, provide infrequent users with easy-to-use input forms and import information from external systems.

Individual Contributors
These end users have access to the database via the Java Client (JC). The JC is intended for those users who do not require access to multiple reviews or to the comprehensive planning and analysis tools offered by the Assessor. These users cannot create or consolidate assessments, but they can access and assess those risks, controls, findings and other items to which they have read or update permission. Their entries are immediately available to all authorized users. JC users access the database through their browser, so they can update their risk information from any machine.

Infrequent Contributors
Occasional users can receive Word Forms and HTML Forms generated from the Assessor to provide input and feedback into the database without direct access to the software. Word Forms generated by power users collect data via Microsoft Word and automatically load it back into the database. These forms can also be generated as HTML documents. This allows any necessary personnel to have input into the risk database without incurring the expense of extra licenses or software training.

The Methodware Tools Suite: Technical Configurations

The suite of Methodware products supports enterprisewide risk assessment for users with primary responsibility for risk management, those with business-unit level responsibility for data input and executives who require reporting only to support decisions:

- Standard Solution applications incorporate all of the nonworkgroup features of Multi-User solutions. They operate on the single user's local hard disk and can exchange data with Multi-User solutions.
- Multi-User Solution allows all members of a risk management team to access the application and work on the same assessment, regardless of their location at offices or off-site. Security (configuration management) features permit several members of a team to work on one audit/risk management file simultaneously by checking out only the part of the file they want to update, while retaining the ability to read the entire file; security then manages synchronization of the master file update as users check their working sections back in. The security administrator can view audit trails and control user names, access levels and rights. Multi-User solutions can exchange data with Standard solutions.
- Client/Server Solution uses the ODBC 3.0 standard to interface with a server as a thick-client application; most of the application resides and runs on the user's workstation while the data is stored on a data server. The Client/Server solution supports a scalable, fully integrated enterprisewide risk management system. The Java Client also utilizes this platform as the underlying data storage facility, with a middleware component to communicate between the server and the client.

Compliance With Standards

- The United States Sarbanes-Oxley reforms
- ISO/IEC 17799:2000 standard (US$750 for this separate model)
- Australian/New Zealand Risk Management Standard AS/NZS 4360:1999
- PRINCE II methodology for project management (a standard used extensively by the U.K. Government and widely used in the private sector, both in the U.K. and internationally)

Support

Technical support from Methodware is available through:
- E-mail: responds to all correspondence within one business day; fax urgent requests or those not responded to within one day.
- Phone: the help desk operates from 9 a.m. to 5 p.m. New Zealand time.
- Maintenance Agreements provide flexible priority help desk arrangements. Methodware provides free technical support for 90 days following the purchase of the software. A maintenance contract allows for continued support at the agreed-upon annual rate. Users without a maintenance contract pay standard support charges each time they request support.

- Consulting partners' services (two in Canada, two in the U.S.A., four in Central America, six in South America, one in England, one in Belgium, one in Spain, one in South Africa, one in India, one in Malaysia, one in Indonesia, five in Australia/New Zealand).
- Solution Partners provide Methodware products as part of an entire solution to a client. These partners typically offer consulting services in the industry.

Pricing

Table 10: Price List: ERA Products

Product / Environment / Price (US$):
- ERA Standard Solution / Windows 2000/XP/NT 4.0 / $7,500 (one Builder license and three End-User licenses). Note: this price does not include the Risk Indicator Module.
- ERA Multi-User Solution / Windows 2000/XP/NT 4.0 / $9,000 (one Builder license and three End-User licenses)
- ERA Client/Server Solution / Windows 2000/XP/NT 4.0 / Price on request, depends on scope of purchase ($30,000 full ERA Client/Server and middleware base cost)

Enterprisewide Licenses: Priced upon request.
Educational Discount: Yes. Negotiable, but typically includes an administration fee, as well as stamped (with the university's information), time-expired versions.
Customization: Development customization £1,000 (US$1,520)/day; Programming customization £1,200 (US$2,000)/day.
Maintenance: Annual maintenance is charged at 20 percent per annum of the license fee. The first year's maintenance fee is due three months from the delivery of the software.
GSA Pricing: No.

Competitors

The Enterprise Risk Assessor products compete with risk management tools that vary in the scope of analysis (quantitative alone, or with qualitative/subjective support as well); in the varieties of the risk analysis methodologies applied; and in the embedded databases (if any) for assets, threats, vulnerabilities and safeguards.

Table 11: ERA Competition

Product / Vendor:
- Palisade risk analysis add-in / Palisade
- Buddy System / Countermeasures Corp.
- Commercial Risk Analysis and Management Method (CRAMM) / U.K. Government Standard
- COBRA / C&A Systems Security
- RiskWatch / RiskWatch Corp.

Palisade's quantitative product stresses quantitative analysis and employs a "virtual statistician" to meet a full range of corporate security issues concerning unlimited risks, situational complexities and uncertain boundaries. It works as a risk analysis and simulation add-in for Microsoft Excel and Project and provides the quantitative features and functions for Methodware's ERA. Once risk analysts have an Excel spreadsheet-structured business model or situational scenario, or a Project plan, the add-in facilitates progress through a user-driven process of iterative what-if scenarios.

The Buddy System is a generic hybrid application that offers qualitative and quantitative risk assessment, analysis and reporting capabilities. The tool focuses on system, project and physical risks.

CRAMM is the U.K. tool of choice for security risk analysis and management. Like RiskWatch, CRAMM uses the ALE and Return On Investment (ROI) as its risk gauges. CRAMM's methodology balances qualitative elements with its quantitative techniques. Available for small to large systems, its primary market focus is IT, finance, insurance and government, and it is available in versions for commercial enterprises and government.

Consultative, Objective and Bifunctional Risk Analysis (COBRA) is a security risk analysis and BS 7799 compliance-driven application. It provides quantitative risk analysis as well as consultative and security review tools. Its qualitative questionnaires use expert system principles and draw from an extensive knowledge base. Additional products are COBRA ISO17799 Security Consultant, COBRA Policy Compliance Analyst and COBRA Data Protection Consultant.

RiskWatch risk analysis software uses both qualitative (or subjective) factors and quantitative factors to assess the key risks facing an organization, calculates ALE and ranks the effectiveness of prescribed safeguards by ROI. It applies Monte Carlo simulations to appraise the assets, threats, vulnerabilities, losses and safeguards of an enterprise's information and physical resources in six standard loss categories. Pre-defined risk analysis templates can also be customized by the user. Survey questionnaires for physical and information systems security garner input from all business units.

Strengths

Enterprisewide Risk Management
Risk management executives can obtain a broad perspective on risk factors across the entire enterprise as well as those of specific business and operations units. Managers of divisions or units can also perform risk assessments for their own areas of authority, and then review the results both within their area and throughout the company. The risk management database can reflect the corporate structure with precision, and exchange information with other ODBC-compliant databases.

Flexible Input Mechanisms
Three input mechanisms accommodate different categories of users' needs to contribute data, access data or perform risk analyses. Each type of user can receive as much or as little training as necessary for their risk-related tasks, making for an efficient as well as an effective data-gathering process.

Security-Controlled Access

Each user's profile determines the databases the user can update and manipulate, as well as the reports the user can view. The configuration-management features of the multiuser and client/server configurations facilitate simultaneous update of different sections of a file by different users while preventing contradictory updates of any single section.

Solution Configurations Matching Corporate Size and Complexity
Standard (individual user), Multi-User and Client/Server solution structures accommodate the needs of any size of company, and even the most complex global physical configurations of large companies. Each configuration can exchange information with the others, which permits inclusion of all corporate entities in the risk analysis. ERA provides models with the software (COSO models are included, and others can be purchased), but the framework allows users to build any methodology into the system as required to comply with various standards and regulations.

Online Training
Synchronous e-learning via the WebEx Meeting Center can provide effective, just-in-time training for general familiarization with the product or for targeting specific complex tasks.

Limitations

Time Zone Problems With International Support
Although a client's maintenance agreement may provide flexible priority help desk arrangements, Methodware's standard telephone help desk operates only Monday through Friday, from 7:30 a.m. to 7:00 p.m. New Zealand time and 8:30 a.m. to 6:00 p.m. U.K. time. Once the time zones are taken into consideration, support for the U.S. and Canada would be available from the U.K. only in the morning hours and from New Zealand only during the evening. While a toll-free number for U.S. support is planned, it is not yet in operation. The turnaround time promised for e-mail support requests is one day, which implies that support staff does not monitor that communications line either.

Insufficient International Standards and Regulatory Compliance Support
Lack of industry specificity could very well hamper users in banking, engineering and international government agencies. Although the product does provide guidance for the U.S. Sarbanes-Oxley reforms and recommended standards for data security and project management risk issues, it fails to assist with other major financial standards. In addition, it does not specifically support compliance with several U.S. information systems security standards and regulations for data security, including the Health Insurance Portability and Accountability Act (HIPAA) and the U.S. Occupational Safety and Health Administration (OSHA) regulations. Users in the U.K. would not find specific guidance for risk assessment related to the Control of Substances Hazardous to Health Regulations (COSHH), the Health and Safety Executive (HSE) directive, the Health and Safety at Work Act or the Environmental Protection Act. Users in Japan would find no specific support for risk assessment in regard to the Financial Reconstruction Law or the Financial Supervisory Agency (FSA) regulations.

Insight

Methodware's Enterprise Risk Assessor (ERA) provides a flexible toolset for enterprise risk management with its three data-entry mechanisms for users with different levels of skill in using the tool, managed with security-controlled access. Users can apply quantitative analytical methods through ERA's interface to the Palisade Corp. product, a tool with no automated qualitative assessment features of its own. ERA provides an excellent mix of data-gathering and reporting mechanisms to support all levels of contributors in their tasks for developing risk assessments and then making mitigation decisions. Input from a broad range of

contributors results in a highly reliable database of information, upon which risk managers can base both unit-level and enterprisewide risk management plans. ERA permits useful information to be input and extracted for individual business units as well as the entire enterprise. Once Methodware creates a clear support network to cover North America and reflects the standards and regulations present in various areas of the world, ERA will be able to take its place as a true international product.