Never really thought about it, but is there a sort of “mandates segregation” in Eramba?
Our use case: We use Eramba strictly for security risk management, there is no connection to the enterprise risk level within Eramba (except some custom fields to manually aggregate the risks etc.). Now our enterprise risk team is looking for some solutions for an enterprise GRC tool. Is it possible to use our existing installation and to set up a 2nd “environment” with other risks, other controls, other responsibles etc.? Only central functions like users / LDAP / mail connection would be shared.
Or do you recommend to install a 2nd instance (which doesn’t cost a fortune anyway)?
Isn’t it possible to use different labels or custom dropdown fields to select if you are doing IT risk or enterprise risk?
Then do different reports related to the selected custom fields, and use good access management on functions?
Yes, of course this is a way to tag what belongs to what team, but if your plan is to use the “reports” from eramba, the section report has no clue about the custom field and will use all data on the system (mixing both, GRC and enterprise risk).
This is another way, yes - just make sure they understand how the system works; remember that risks need controls, policies, etc., and those need reviews and audits, etc. Not sure why, but many times I have the impression that enterprise risk looks more into a risk rather than into its solution (treatment), in particular treatment follow-up over time.
OK, thanks for the various inputs. I’ll look into that.