The screenshots below illustrate how Citicus ONE automates the typical risk management cycle workflow and show what’s involved in deploying it in your organisation. Click on the images to see them in more detail.
Accessing Citicus ONE
Users gain access to Citicus ONE via a web browser (Internet Explorer, Chrome, Firefox or Safari).
Authentication of users and administration of their details (contact information, business units, roles etc) can be controlled in several ways. Integration with Windows authentication or with Active Directory (or other LDAP-compliant directory) allows the user administration and authentication process to be integrated with your IT architecture and can provide seamless access for users. We support federated authentication via SAML 2.0 (e.g. using ADFS or OKTA).
Citicus ONE employs a role-based access model allowing you easy control over the capabilities and scope of individual users or groups of users.
Modelling your enterprise structure
You can model the structure of your organization within Citicus ONE as a hierarchy of any depth and breadth. For example, this could be along geographic or business function lines. Easy-to-use drag and drop controls enable you to reorganize this structure at any time to keep in step with organizational changes. The entities that will be subject to risk assessment are defined as 'targets of evaluation' within this enterprise structure.
The organizational structure can be used to control access to information held within Citicus ONE according to individuals' location and roles within the enterprise. It can also be used for consolidating reporting, for example to produce risk reports covering a specific branch of the organization.
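The scoping rule described above (a grant on one node of the hierarchy covers every target of evaluation beneath it, further narrowed by the user's role) and the branch-level consolidation are shown below as an added, illustrative model. This is not Citicus ONE code: the node names, the two roles ("risk_manager" sees everything in its subtree, "business_owner" sees only targets it owns), the owners and the risk scores are all constructed for the example. It also shows the reorganization case, where moving a subtree changes who can see what, and refuses a move that would make a node its own ancestor.

```python
from dataclasses import dataclass, field
from statistics import mean

# Roles are constructed for this example. A risk manager sees every target in
# the subtree they are granted on; a business owner sees only targets they own,
# and only inside the subtree they are granted on.
VIEW_ANY = {"risk_manager"}
VIEW_OWN = {"business_owner"}


@dataclass(eq=False)  # identity-based hashing so nodes can be placed in sets
class Node:
    name: str
    parent: "Node | None" = None
    children: list = field(default_factory=list)

    def lineage(self):
        """Yield this node, then each ancestor up to the root."""
        node = self
        while node is not None:
            yield node
            node = node.parent

    def subtree(self):
        """Yield this node and every descendant, depth-first."""
        yield self
        for child in self.children:
            yield from child.subtree()


@dataclass(eq=False)
class Target:
    name: str
    node: Node
    owner: str
    risk: int  # constructed 0-100 rating from a completed assessment


class Enterprise:
    def __init__(self, root_name):
        self.root = Node(root_name)
        self.nodes = {root_name: self.root}
        self.targets = {}
        self.grants = []  # (user, role, node) triples

    def add_node(self, name, parent_name):
        node = Node(name, self.nodes[parent_name])
        node.parent.children.append(node)
        self.nodes[name] = node
        return node

    def move_node(self, name, new_parent_name):
        """Reparent a whole subtree (the drag-and-drop case); refuse cycles."""
        node, new_parent = self.nodes[name], self.nodes[new_parent_name]
        if node in new_parent.lineage():  # also rejects moving the root
            raise ValueError(f"cannot move {name} under its own subtree")
        node.parent.children.remove(node)
        node.parent = new_parent
        new_parent.children.append(node)

    def add_target(self, name, node_name, owner, risk):
        self.targets[name] = Target(name, self.nodes[node_name], owner, risk)

    def grant(self, user, role, node_name):
        self.grants.append((user, role, self.nodes[node_name]))

    def can_view(self, user, target_name):
        """Deny by default; allow only via a grant on the target's node or an ancestor."""
        target = self.targets[target_name]
        lineage = set(target.node.lineage())
        for grant_user, role, node in self.grants:
            if grant_user != user or node not in lineage:
                continue
            if role in VIEW_ANY or (role in VIEW_OWN and target.owner == user):
                return True
        return False

    def viewable_targets(self, user):
        return sorted(t for t in self.targets if self.can_view(user, t))

    def branch_report(self, node_name):
        """Consolidate every target under one branch of the hierarchy."""
        in_scope = set(self.nodes[node_name].subtree())
        targets = [t for t in self.targets.values() if t.node in in_scope]
        if not targets:
            return {"targets": 0, "max_risk": None, "mean_risk": None, "highest": None}
        top = max(targets, key=lambda t: t.risk)
        return {"targets": len(targets), "max_risk": top.risk,
                "mean_risk": round(mean(t.risk for t in targets), 1),
                "highest": top.name}


def build_example():
    """Constructed sample enterprise: names, owners and scores are made up."""
    e = Enterprise("Group")
    for name, parent in [("EMEA", "Group"), ("APAC", "Group"),
                         ("UK", "EMEA"), ("DE", "EMEA"), ("SG", "APAC")]:
        e.add_node(name, parent)
    e.add_target("Payroll", "UK", "alice", 70)
    e.add_target("CRM", "DE", "bob", 40)
    e.add_target("Billing", "SG", "carol", 85)
    e.grant("alice", "business_owner", "UK")  # owner: only her own target
    e.grant("dave", "risk_manager", "EMEA")   # regional: everything in EMEA
    e.grant("erin", "risk_manager", "Group")  # enterprise-wide
    return e


if __name__ == "__main__":
    e = build_example()
    for user in ("alice", "bob", "dave", "erin"):
        print(user, e.viewable_targets(user))
    print("EMEA", e.branch_report("EMEA"))
```

Two design points worth noting: `can_view` is deny-by-default and walks the target's ancestors rather than the grant's descendants, so a check costs one pass up the tree regardless of how large the subtree under the grant is; and `move_node` rejects a move that would put a node beneath itself, since a cycle would make `lineage()` loop forever and would silently grant every user on that cycle access to everything below it.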
Defining targets of evaluation
The entities in the organization that will be subject to risk management activities are known as ‘targets of evaluation’. You can define these quickly and categorize them as different types, such as information resources, suppliers, supplied services, sites, or your own locally-defined types.
Targets of evaluation can be further characterized in terms of their business owner, the part of the enterprise to which they belong and by any number of customizable ‘attributes’. Attributes of targets of evaluation can be synchronized with an external database (such as a CMDB) through our data exchange API. Targets of evaluation can be added manually or imported through a bulk upload facility.
Determining business criticality
The first stage in the risk management cycle is to assess the business criticality of your defined targets of evaluation.
This is achieved through a simple criticality assessment that can be completed by business owners on-line and which objectively probes the potential impact of incidents using business scenarios.
Citicus ONE’s workflow helps you to issue these assessments and email their links to the assigned owner. You can monitor progress in completing the assessments and chase up delayed responses where necessary.
Completing risk assessments for the critical targets of evaluation
The objective rankings of business criticality enable you to prioritise risk assessments so that effort is focussed in the most critical areas first.
Risk scorecards can be issued for completion by their owners on-line, through facilitated risk workshops or using our unique offline completion form. The evaluation of risk can be conducted at multiple levels of detail and can incorporate assessment of compliance with detailed checklists of controls and collection of the supporting evidence.
The screenshot shows a sample control checklist where structured control ratings can be combined with free-text commentary and supporting attachments. Similar checklists are used to evaluate the level of threat and other special circumstances that drive up risk.
Providing instant results to business owners
Business owners obtain access to the results of their criticality, compliance or risk assessments as soon as they are completed. A series of graphical and interactive reports are provided to help asset owners understand the risk status of their areas of responsibility. Reports include heat maps, criticality/risk/compliance status reports, trend analysis and dependency risk maps. Selected reports can be combined into a consolidated PDF report that can be circulated or stored off line.
The Citicus ONE reports help risk analysts to review completed assessments and either approve them or return them for further work if necessary. This process is supported by the software's workflow capabilities, which automate the assessment lifecycle and communicate with stakeholders via e-mail notifications.
Keeping track of remedial action
Citicus ONE’s constructive approach and graphical results are purposely designed to motivate ‘owners’ to reduce risk to an acceptable level, and the system helps them to keep track of remediation activity.
You can record the issues identified during a risk evaluation that need to be addressed and the specific actions required to resolve them. Actions can be prioritized, assigned to individuals, costed and tracked. Action plans can be monitored for each target of evaluation and can be consolidated to gain a business unit or enterprise-level view of remediation activity. Owners of individual issues and actions can be notified automatically by e-mail when remediation activities are due for completion or when their status changes.
Compiling high-level results for decision-makers
Citicus ONE’s business-oriented reporting capabilities are designed to keep top decision-makers informed about the risk and/or compliance status of their business unit or the enterprise as a whole. Consolidated reports include ranked league tables, interactive drill-down status reports, risk dashboards and trend analysis.
Risk managers have fine control over the type and scope of information presented in consolidated reports.
Risk and compliance data can also be exported from Citicus ONE for analysis and presentation in external reporting tools.