Corporations are in the business of managing risks for financial gain. Depending on the industry in which it operates, a corporation must manage risks including but not limited to: information technology (IT) security risks to safeguard its IT assets and access to such assets; financial risks to ensure that its capital investments will yield positive returns; and management risks to ensure honest, effective, and constructive management of its organization, especially in the aftermath of ENRON and WORLDCOM.
A corporation typically manages its risks through internal audits of its systems and organizations. In such audits, each targeted system or organization is physically audited in isolation to determine the risk it poses. This process is manual, time consuming, and expensive. Furthermore, because each individual audit is performed in isolation and depends on the target system or organization, the resulting risk assessments are inconsistent and do not provide a clear picture of the corporation's overall risk. For example, current risk auditing tools typically present auditors and system owners with all risk indicators for a given system or organization, so the metrics of one system may be overlaid graphically with the metrics of one or more other systems. However, conventional risk auditing tools make no attempt to combine all risk indicators and rank the various systems on the basis of the same risk indicators, or to automatically report or direct attention toward high risk areas of a given system. Consequently, it is left to the viewer of the graphs and data to determine which systems are riskier, or which areas within a system are riskier.