Developing formal risk tracking


Recent events in the retail industry have raised awareness of the need to operate an information security program based on risk rather than compliance. A major part of refocusing an information security program on risk is a solid governance, risk, and compliance component that can deliver meaningful key performance indicators (KPIs) and metrics to top leadership.

The organization requested outside domain expertise to evaluate and recommend a Governance, Risk Management, and Compliance (GRC) tool that would help their organization move from Excel spreadsheets and Word documents to documenting risk assessments in a relational database and better align with the Risk Management Framework.


Kalles Group consultants performed a gap analysis by reviewing our client’s ‘As Is’ risk assessment process against the NIST 800-37 Risk Management Framework. Results of the gap analysis included a prioritized list of recommendations to remediate identified gaps and bring about a more mature and efficient information security process.

Kalles Group consultants briefed key stakeholders on the recommendations, resulting in authorization to start a proof of concept (POC) of GRC tools. The immediate need was for a risk register with reporting and dashboard capabilities. Ideally, automation would be built into the selected tools to cover risk assessments, compliance, risk register, vulnerability management, and incident response.



Upon completion of data collection to provide the bulk of content for a risk management program, the team evaluated several GRC toolsets, namely Archer RSA, Allgress, and Risk Radar. Kalles Group consultants demonstrated how these tools would provide a central repository for all risk assessments tied to asset inventory, PCI assessments, business-adjusted risk assessments (BARs), remediation plans, the risk register, vulnerabilities, policy and policy exceptions, incident response, reporting, and dashboards. The Allgress GRC toolset was selected for the development of a POC.


Kalles Group consultants were able to use the risk data that was collected from throughout the organization and build a POC with the Allgress toolset that demonstrated the operational functionality of a risk-based security program as well as a mature risk management

Upon completion of the Allgress POC, all related information security teams gave overwhelmingly positive feedback and expressed excitement about incorporating the toolset into their workflows and moving to a more risk-based approach.

The overall risk-based visibility helped the organization understand the value of a strong GRC component and directly led to the implementation of the risk management program. This has brought the client’s overall information security posture to a much more mature state and has left them better positioned to take on any challenges they may elect to pursue moving forward.