The #1 DoCRA-based GRC SaaS Platform that combines Risk Management with powerful project management and executive reporting.

From Tools To Results: Cybersecurity Governance That Guarantees Outcomes

Outcome-as-a-Service (OaaS) is a business model where providers deliver specific, measurable outcomes, not just products or dashboards.

Action Items Tiles

The Action Items Tiles serve as a dashboard for the user to both inform them of important statistics and to drive behavior. In general, all tiles should be approaching zero or zero.
Findings Module

The Findings module is a “sandbox” area to record items that are, or might be, risks (i.e., “Findings”). Items in the Findings area record important information that assists the user in determining the likelihood (made up of Threat Cluster statistics and Control Maturity) and impact of a risk (the highest score of an impact to Mission, Objectives, and Obligations). In this manner, a risk score is calculated (likelihood x impact = risk score).

Archived Findings

Unused Findings may be archived and may be referred to for historical purposes but do not impact the Action Tiles results.
Risk Analysis Scenarios

Risk Analysis Scenarios are snapshots of Findings that were considered but ultimately disregarded as the Safeguard and resulting Risk Score generally did not satisfy the user’s objectives.
Risk Register

The Risk Register serves as the “database of record” for all active Risks. While similar to the Findings screens, the Risk Register panels add several key attributes not found in other GRC packages.
First, industry controls (ISO 27001, CIS Controls, HIPAA, etc.) are mapped to a control set called the “Common Security Program”. This enables translation between industry control sets. Secondly, the Risk Register introduces Initial Risk Score, Current Risk Score, and Safeguard Risk Score. Reasonable Risk has three scores enabling the user to track risk reduction over time. Finally, Risks in Reasonable Risk can be mapped directly to a Remediation Project.
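The scoring model described in the Findings Module and Risk Register passages above (impact as the highest of Mission, Objectives and Obligations; risk score as likelihood x impact; Initial, Current and Safeguard scores; scenarios disregarded when the safeguard does not meet the objective), carried through as an added example. This is illustrative code written for this page, not Reasonable Risk's own implementation. The 1-5 scales, the acceptable-risk line of 8, the rule that the lowest-residual viable safeguard is chosen, and all sample values are assumptions; in the product, likelihood is derived from Threat Cluster statistics and Control Maturity, whereas here it is supplied directly.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Impact:
    """Impact to each of the three impact types the page names.
    The 1-5 scale is an assumption for this example."""
    mission: int
    objectives: int
    obligations: int

    def score(self) -> int:
        # Per the page: the impact of a risk is the highest of the three impact scores.
        return max(self.mission, self.objectives, self.obligations)


@dataclass(frozen=True)
class Finding:
    """A Findings-module item: a candidate risk with its likelihood and impact."""
    name: str
    likelihood: int  # 1-5 (assumed scale); supplied directly here rather than derived
    impact: Impact

    def risk_score(self) -> int:
        # Per the page: likelihood x impact = risk score.
        return self.likelihood * self.impact.score()


@dataclass
class RiskRecord:
    """Risk Register entry carrying the three scores the page describes."""
    finding: Finding
    initial_score: int    # score when the finding was promoted to the register
    current_score: int    # score after the remediation work done so far
    safeguard_score: int  # score expected once the chosen safeguard is fully in place


# Assumed "clear line of acceptable risk": at or below it a risk is accepted, above it remediated.
ACCEPTABLE_RISK = 8


def evaluate_scenarios(finding: Finding, scenarios: dict, threshold: int = ACCEPTABLE_RISK):
    """Sandbox step: score each candidate safeguard, given as name -> (likelihood, impact)
    after the safeguard is applied. Returns (chosen_name, chosen_score, disregarded), where
    the disregarded names are the Risk Analysis Scenarios whose safeguard score stays above
    the acceptable line. Cost is not modelled (assumption): lowest residual score wins."""
    scored = {name: lik * imp.score() for name, (lik, imp) in scenarios.items()}
    viable = {n: s for n, s in scored.items() if s <= threshold}
    disregarded = sorted(n for n in scored if n not in viable)
    if not viable:
        return None, None, disregarded
    chosen = min(viable, key=lambda n: (viable[n], n))  # name as deterministic tie-break
    return chosen, viable[chosen], disregarded


def register_risk(finding: Finding, safeguard_score: int) -> RiskRecord:
    """Promote a finding to the Risk Register; Initial and Current scores start out equal."""
    initial = finding.risk_score()
    return RiskRecord(finding, initial, initial, safeguard_score)


def record_progress(record: RiskRecord, likelihood: int, impact: Impact) -> RiskRecord:
    """Re-score after remediation work; the Initial score is kept so reduction over time is visible."""
    record.current_score = likelihood * impact.score()
    return record


def disposition(record: RiskRecord, threshold: int = ACCEPTABLE_RISK) -> str:
    """Accept when the Current score is at or below the line, remediate otherwise."""
    return "accept" if record.current_score <= threshold else "remediate"


def risk_reduction(record: RiskRecord) -> int:
    """Reduction achieved so far, which the page tracks via Initial vs. Current score."""
    return record.initial_score - record.current_score


# Constructed sample finding (illustrative values only).
SAMPLE = Finding("Unpatched internet-facing service", likelihood=4,
                 impact=Impact(mission=2, objectives=3, obligations=5))

# Constructed candidate safeguards with their expected post-safeguard likelihood and impact.
SAMPLE_SCENARIOS = {
    "Patch and enrol in monthly patch cycle": (1, Impact(2, 3, 5)),  # 1 x 5 = 5
    "Add WAF only": (3, Impact(2, 3, 5)),                             # 3 x 5 = 15
    "Decommission service": (1, Impact(1, 3, 2)),                     # 1 x 3 = 3
}


def demo():
    """Run the sample through sandbox, registration and one progress update."""
    chosen, score, disregarded = evaluate_scenarios(SAMPLE, SAMPLE_SCENARIOS)
    record = register_risk(SAMPLE, score)
    record_progress(record, 2, Impact(2, 3, 5))  # partway through remediation
    return record, chosen, disregarded


if __name__ == "__main__":
    rec, chosen, dropped = demo()
    print(f"initial={rec.initial_score} current={rec.current_score} safeguard={rec.safeguard_score}")
    print("chosen:", chosen, "| disregarded:", dropped, "| disposition:", disposition(rec))
```

Keeping all three scores on the record is what lets a dashboard show both the reduction achieved and the remaining gap to the safeguard target; the disregarded scenarios are retained as the audit trail for why a cheaper option was rejected.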
Remediation Projects Module

The Project Details screen provides basic project management metrics and status. Each project consists of any number of Tasks. Task details include more project management specificity as well as linkage to any number of Risks. In this manner, Projects, Tasks, and Risks are connected to better facilitate Risk Management and Risk Remediation.

The user can also view the collective Risks that a project addresses; there is a many-to-many relationship between Risks and Projects. Additionally, some Risk details can be viewed and edited directly from the Projects Module.

Audits and Assessments Module

The Audits and Assessments module allows the user to plan, track, and report status on recurring audits. The Audits and Assessments detail screen allows the user to configure and report the status and timing of recurring audits. The module also provides a Completion Log detailing which audits have been completed in the past.

Reasonable Risk PowerPoint Presentations

Reasonable Risk generates PowerPoint presentations based on the data within the application and two proprietary methodologies for presenting that data. The presentations are a “Budget Request Presentation” and an “Executive Status Presentation”. Presentations are configured by following a simple wizard, which includes date criteria to help configure the PowerPoint output for both presentation types.

Calculated Acceptable Risk Definitions (CARD)

Reasonable Risk allows administrative users to define Likelihood and Impact definitions at both a Customer and a Scope level. Up to 10 impact definitions per Impact level can be defined for each of the Mission, Objectives, and Obligations impact types.

With Reasonable Risk, you get:

  • Deliverable-focused risk management and governance models.
  • Includes: Risk Registers, Board Reports, Risk Remediation Projects, and Audit Responses. Documented Scenarios (sandboxing: identifying all your options and picking the right one). Justification of risk resolution (selection or elimination of a solution as it pertains to business impacts, mission objectives, and/or obligations). Justifiable risk acceptance diminishes liability.
  • Recurring, measurable, and defensible results for clients.
  • Role-based:
    • Technicians: Executives will get your message. General Counsel will know you have protected their interests.
    • Executives: Your technicians will learn to speak business. They will present you with the information you need to make informed decisions. You will be able to run cybersecurity as well as any other part of your business.
    • Corporate Counsel: Have the basis for an affirmative defense after a security incident.

Why It Matters:

  • Automation where possible, expert judgment where necessary

  • Risk governance aligned with frameworks (DoCRA, CIS RAM, NIST SP800-30, ISO 27005)

  • Defensible results that stand up under regulatory or legal scrutiny

Dashboard with Overview of Organization’s Risk Posture

Remediation Projects - Tasks and Updates with Built-in Dependencies

Executive Reporting & Budget Approval

Reasonable Risk solves the following business problems:

Communication with C-Suite

  • Communicating risks in business terms.
  • Providing executive-level program status so that the C-Suite can make informed decisions.
  • Providing the C-Suite a roadmap for your program that reduces risk to an acceptable level (answering “are we where we need to be, and if not, when will we get there?”).
  • Approving expenditures or securing the budget you need for your program.
  • Ensuring your security program is legally defensible and complies with the SEC Cybersecurity Rule (July 26, 2023).

Security Risk Management

  • Managing your Risk Register in a spreadsheet is difficult and often makes it unusable (you cannot collaborate, manage up or down, tie a risk to a project, track risk reduction over time, etc.).
  • Tracking risk score reduction across remediation efforts (connecting risk score management to project management).
  • Understanding the “overall risk” level to your organization (i.e., your risk GPA or FICO score).
  • Defining a “clear line of acceptable risk” below which you accept risks and above which you remediate.
  • Demonstrating that your security program is effective.
