Companies dealing with compliance, regulatory standards and business needs could consider taking on each project as they come, but Michael Sanchez suggests companies managing risk look to address needs across the entire enterprise.

"Risk management is a big undertaking, but people need to look at the overall enterprise - not just one regulation or compliance project," says Sanchez, director of NERC Service Area at Sirius Solutions, a regulatory compliance consultant in Houston. Charged with complying with the North American Electric Reliability Council (NERC) standards and regulations, Sanchez went in search of a tool to help him and his Sirius clients avoid penalties of up to $1 million per day per violation. "I needed something business and IT risk oriented, something that blended people, process and technology," he explains.

That is when he discovered CA's GRC Manager about a year ago. The software provides self-assessment features, which Sanchez says helped more than one client save between $300,000 and $400,000 in determining the risk levels of their facilities. Because the software is "very configurable" and provides workflow capabilities, Sanchez says he plans to evaluate the latest release, GRC Manager 2.0 announced this week by CA. 

GRC Manager 2.0, according to CA, now includes additional features such as a risk library and risk scorecard that enable IT and business managers to more accurately assess risk and plan to minimize it. The software is available in a standard license, hosted by CA or in a software-as-a-service (SaaS) model. If deploying the software on premises, customers would install it on a server and configure it to map to business processes and collect data from systems to best assess risk.

"We focused in this release on expanding the risk intelligence of the product. We wanted to help customers better asses, monitor and respond to risk in their environments," says Marc Camm, senior vice president and general manager of Governance, Risk and Compliance products at CA.

While CA is probably best known for dealing with IT and technology risk, Tom McHale, vice president of product management in the same group at CA, says this product ups the business know-how for customers.

"We are very familiar with security, availability and other kinds of technology-related risks, and with this version, we increased the knowledge around financial and business risks," McHale says. For instance, if a company was looking to open a facility in South America, McHale says, GRC Manager 2.0 could factor in potential geographical risks such as the local talent pool, competition in the region as well as any regulatory and compliance issues that would come into play there.

Denise Dubie is senior editor with Network World.