
RSA Archer Suite


What is Operational Risk?

The Risk Management Association defines operational risk as “the risk of loss resulting from inadequate or failed internal processes, people, and systems, or from external events.” Examples of operational risk include natural and man-made disasters, cyber-attacks, errors, fraud, and regulatory or contractual non-compliance.

 

Why is Bottom-Up Risk Assessment so important?

The introduction of new products and services, mergers and acquisitions, business process changes, and fraud are often viewed as risk projects to be evaluated when making decisions to move forward or enhance risk treatments. All too often, these kinds of operational project reviews are performed on an ad-hoc basis, using an unstructured and inconsistent approach. Bottom-up, project-oriented risk assessments are prone to incomplete and unreliable information. In addition, IT and business teams are often asked to collect the same assessment data via spreadsheets, Word documents, and email for different risk and compliance assessments. This manual approach results in missed project deadlines, inconsistent and inaccurate risk assessments, risk treatments, and remediation plans. Manual approaches are also often inefficient and expensive, and lack an easy way to compare results of multiple assessments. Since risks cannot be identified or assessed properly, losses, incidents, or other surprises related to the project may arise at a later date. Without visibility to or accountability in addressing known risks identified through bottom-up risk assessments, resource misallocation and slow implementation in risk treatment are the typical results.

 

RSA Archer Bottom-Up Risk Assessment

RSA Archer Bottom-Up Risk Assessment allows you to engage your teams via targeted project risk assessments. Projects can include such things as new and changing business processes, fraud assessments, new products and services, and proposed mergers, acquisitions, and divestitures.  Projects can be documented and questionnaires can be created with custom questions, as well as questions derived from RSA Archer’s extensive library of thousands of out-of-the-box questions. When risks are deemed too high, risk treatments and remediation plans can be documented and tracked through to resolution and approval.

 

Key features include:

  • Consistent approach to identify and assess project-related risk
  • Oversight and management of all risk assessments in process
  • Risk treatment plans are known across all assessments and implementation plans can be monitored to completion
  • Consolidated list of prioritized risk treatments and remediation plans
  • Visibility into assessment progress, risk treatments and remediation activity via pre-defined reports and risk dashboards
  • Named accountability for assessments and remediation plans

 

RSA Archer Bottom-Up Risk Assessment provides:

  • Consistent approach to identify and assess project-related risk
  • Oversight and management of all risk assessments in process
  • Known risk treatment plans across all assessments and implementation plans that can be monitored to completion
  • Consolidated list of prioritized risk treatments and remediation plans
  • Visibility into assessment progress, risk treatments and remediation activity via pre-defined reports and risk dashboards
  • Accountability for risk assessment and remediation activities

 

Today, organizations are faced with complex and fast moving operational risk challenges.  Tracking changing business activities is a core best practice in Operational Risk Management.  RSA Archer Bottom-Up Risk Assessment is a key element of an effective Operational and Integrated Risk Management program to assess risk associated with changing business activities.  Stressing the agility and flexibility needed by today’s modern organizations, integrated risk management brings together the various domains of risk across business activities (horizontally), connecting the activities to the strategies and objectives of the organization on an aggregated basis (vertically). This approach to risk management provides leaders with the most holistic understanding of risk facing their organization so they can make truly informed decisions about where to deploy limited capital and human resources to produce optimized returns for the organization while maximizing the likelihood of achieving the organization’s objectives.

 

As your organization drives business growth, your risk management program must evolve and manage risk more holistically, with more agility and integration than before. Effectively performing Bottom-Up risk assessments is one ingredient to demonstrating real progress and improvement in decreasing business risk.  RSA Archer can help your organization better understand and manage risk assessments on one configurable, integrated software platform. With RSA Archer solutions, organizations can efficiently implement risk management processes using industry standards and best practices and significantly improve their business risk management maturity.

 

For more information, visit RSA.com or read the Datasheet.

 

 

 

Recent high profile cyber attacks demonstrate that cyber incidents can significantly affect capital and earnings. Cyber incidents can have financial, operational, legal, and reputational impact. Costs may include forensic investigations, public relations campaigns, legal fees, consumer credit monitoring, and technology changes. As such, cybersecurity needs to be integrated as part of enterprise-wide governance processes.

 

With the increasing volume and sophistication of cyber threats and incidents, the Federal Financial Institutions Examination Council (FFIEC) developed the Cybersecurity Assessment Tool to help financial institutions identify their cyber risks and determine their level of cybersecurity preparedness. This assessment tool incorporates cybersecurity-related principles from the FFIEC's Information Technology Examination Handbook and maps back to the National Institute of Standards and Technology (NIST) Cybersecurity Framework.  The FFIEC developed this framework to help identify factors that contribute to your organization's cyber risks.  By understanding the factors that play into your organization's cyber risk, you can assess your level of preparedness and determine what risk management practices and controls are needed to mitigate and minimize your cyber risks.

 

The RSA Archer FFIEC-Aligned Cybersecurity Framework app-pack aligns with the FFIEC and NIST standards to provide a consistent and repeatable process for determining your organization's inherent risk levels and evaluating your cybersecurity maturity level. Using RSA Archer FFIEC-Aligned Cybersecurity Framework, action plans can be created and tracked to minimize inherent risk levels or achieve a desired cybersecurity maturity level.

 

With the RSA Archer FFIEC-Aligned Cybersecurity Framework offering, financial institutions can assess and measure their cybersecurity posture, address gaps, and report on cybersecurity posture in a meaningful way that is understood by all stakeholders.  

 

RSA Archer FFIEC-Aligned Cybersecurity Framework allows you to:

  • Offer a common language to communicate requirements and progress among stakeholders (internal, partners, contractors, suppliers)
  • Provide a method to understand the larger cybersecurity ecosystem
  • Apply FFIEC best practices of risk management to improve cybersecurity and resiliency of critical infrastructure

 

Interested in learning more about the RSA Archer FFIEC-Aligned Cybersecurity Framework app-pack? Join us for a Free Friday Tech Huddle on Friday, March 8 for a live demo. Free Friday Tech Huddles are only available to RSA Archer customers. If you are not yet a customer but you are interested in learning more, please contact your local representative or authorized reseller—or visit us at www.rsa.com.

 

What is Operational Risk?

The Risk Management Association defines operational risk as “the risk of loss resulting from inadequate or failed internal processes, people, and systems, or from external events.” Examples of operational risk include natural and man-made disasters, cyber-attacks, errors, fraud, and regulatory or contractual non-compliance.

 

Why is Key Indicator Management so important?

The use of key indicators of performance, risk, and control is considered one of several best practices of a sound Operational Risk Management program. In many risk management programs, the use of key indicators is implemented sporadically at the discretion of individual business units and division managers. Key indicator metrics may not be properly designed to accurately measure the intended activity, and the collection of indicator data may be accomplished in an unnecessarily costly and inefficient manner using spreadsheets and email. With missing or inefficient key indicator reporting, the organization is unable to accurately gauge or compare performance in terms of meeting strategic and operational goals, or understand drivers of risk and control. It also limits the organization’s ability to respond to emerging problems as quickly as possible.

 

RSA Archer Key Indicator Management

RSA Archer Key Indicator Management provides a means for organizations to establish and monitor metrics related to each business unit and activity within the organization.  Key indicators are also typically associated with other elements of your governance program, including risks, controls, strategies and objectives, products and services, and business processes to monitor quality assurance and performance.

 

Key features include:

  • Holistic key indicator management program
  • Association of key indicators with business units and named individuals, and establishment of key indicators of performance, risk, control, corporate objectives, business processes, and products and services, depending on your program implementation
  • Utilization of key indicator libraries to ensure consistency and quick deployment throughout the organization
  • Governance to ensure timely collection of indicator data
  • Stakeholder notification when indicators exceed acceptable boundaries
  • Consistent approach to calculating indicator boundaries and limits
  • Consolidated list of indicators that are operating outside boundaries, and associated stakeholder escalation and remediation plans
  • Accountability and management processes around remediation plans and action to bring key indicators back within acceptable boundaries
  • Visibility to key risk indicator metrics and remediation plans via predefined reports, dashboards, workflow, and communication channels.

 

Today, organizations are faced with complex and fast moving operational risk challenges. To effectively manage risk, it’s not enough to know your organization’s strategies, objectives, risks and controls. You need a way to understand if your strategies and objectives are being met; if your risk drivers are increasing or decreasing; and whether your controls are operating as designed or are under stress leading to failure. Tracking your key indicators, the Performance, Risk, and Control indicators associated with each of these elements, is crucial in successful organizations today. In addition, indicators associated with changing business activities are a good early warning of a changing risk and performance profile.

 

RSA Archer Key Indicator Management is an essential element of an effective Operational and Integrated Risk Management program to understand the organization’s risk and performance profile and operation of the existing internal control framework.  Stressing the agility and flexibility needed by today’s modern organizations, integrated risk management brings together the various domains of risk across business activities (horizontally), connecting the activities to the strategies and objectives of the organization on an aggregated basis (vertically), including these key indicators. This approach to risk management provides leaders with the most holistic understanding of risk facing their organization so they can make truly informed decisions, as quickly as possible, about where to deploy limited capital and human resources to produce optimized returns for the organization while maximizing the likelihood of achieving the organization’s objectives.

 

As your organization drives business growth, your risk management program must evolve and manage risk more holistically, with more agility and integration than before. Effectively deploying and utilizing Key Indicator management is one ingredient to demonstrating real progress and improvement in decreasing business risk.  RSA Archer can help your organization better understand and manage key indicators on one configurable, integrated software platform. With RSA Archer solutions, organizations can efficiently implement risk management processes using industry standards and best practices and significantly improve their business risk management maturity.

 

For more information, visit RSA.com or read the Datasheet.

 

 

 

What is Operational Risk?

The Risk Management Association defines operational risk as “the risk of loss resulting from inadequate or failed internal processes, people, and systems, or from external events.” Examples of operational risk include natural and man-made disasters, cyber-attacks, error, fraud, and non-compliance.

 

Why is Loss Event Management so important?

Loss events negatively impact an organization’s income statement. Under certain circumstances they can be large enough to wipe out current period profitability, erode an organization’s capital cushion, or even force it into bankruptcy. Consequently, it is critically important for organizations to understand the kinds of losses they could incur, the near-miss losses they avoided, and the losses they actually incurred. This means understanding how and why a loss arose, what policies were not followed, what controls failed, where the loss is or should be recovered under insurance, and what should be done to reduce the likelihood and impact of similar losses occurring in the future.

 

Understanding and managing loss events is essential to an effective operational risk management program. Many organizations today have impaired visibility into the frequency, amount, type and source of loss events. This is frequently due to lack of complete or comprehensive lists of loss events, lack of accountability for management of loss events, and inadequate root cause analysis. These organizations are not fully aware of their actual losses, nor are they aware of near misses or losses being incurred by others in their industry that may warn of the organization’s own future losses. Lack of accountability promotes a less effective risk management culture, and these organizations typically suffer from a higher frequency and amount of loss events due to poor loss event analysis and remediation.

 

RSA Archer Loss Event Management

RSA Archer® Loss Event Management allows organizations to capture and inventory actual loss events and near misses, as well as relevant external industry-related loss events. Loss event root cause analysis can be performed to understand why the loss occurred and to take appropriate actions to reduce the likelihood and impact of similar losses occurring in the future. Loss events can be evaluated as part of top-down risk assessments and risk self-assessments, if those are utilized, and loss events can be exported to perform Monte Carlo simulations of operational risk using external Monte Carlo engines, such as Palisade @Risk.  Recoverable losses can be monitored and managed until they are reimbursed through insurance or restitution agreements.

 

Key features include:

  • Consolidated loss event catalog including actual losses, near misses, and calibrated external loss events
  • Assignment of loss events by business unit and named individuals
  • Root cause analysis
  • Review and approval of loss events by key stakeholders within their levels of authority
  • Visibility into aggregate losses by type, source, and area of ownership
  • Ability to drill into specific loss events for greater detail
  • Consolidated list of remediation plans to reduce likelihood and impact of similar future loss events
  • Correlation of loss events to applicable risk, policy, and control procedures, as well as correlation to insurance policies.

 

RSA Archer Loss Event Management provides:

  • Consolidated view of loss events by frequency, amount, type, source, and owner
  • Clear understanding of the cause of loss events and the actions being taken to remediate problems that led to the loss event, including whether remediation plans are being executed on time, as planned
  • Greater engagement of business unit managers in the management of losses
  • Evidence of the design and effectiveness of an organization’s loss event program within a broader operational risk management program.

 

Today, organizations are faced with complex and fast moving operational risk challenges.  RSA Archer Loss Event Management is one element of an effective Integrated Risk Management program.  Stressing the agility and flexibility needed by today’s modern organizations, integrated risk management brings together the various domains of risk across business activities (horizontally), connecting the activities to the strategies and objectives of the organization on an aggregated basis (vertically). This approach to risk management provides leaders with the most holistic understanding of risk facing their organization so they can make truly informed decisions about where to deploy limited capital and human resources to produce optimized returns for the organization while maximizing the likelihood of achieving the organization’s objectives.

 

As your organization drives business growth, your risk management program must evolve and manage risk more holistically, with more agility and integration than before. Effectively managing loss events is one ingredient to demonstrating real progress and improvement in decreasing business risk.  RSA Archer can help your organization better understand and manage loss events on one configurable, integrated software platform. With RSA Archer solutions, organizations can efficiently implement risk management processes using industry standards and best practices and significantly improve their business risk management maturity.

 

For more information, visit RSA.com or read the Datasheet.

 

What is Operational Risk?

The Risk Management Association defines operational risk as “the risk of loss resulting from inadequate or failed internal processes, people, and systems, or from external events.” Examples of operational risk include natural and man-made disasters, cyber-attacks, errors, fraud, and regulatory or contractual non-compliance.

 

Why is Top-Down Risk Assessment so important?

Organizations today face a wide range of risks originating in different areas of their business, related to strategy, credit, corporate and regulatory compliance, interest rates, liquidity, market prices, operations (errors, fraud, and external events), and reputation, among others. While risks are spread out across an organization and often interrelate, it is difficult to get a holistic view of risk necessary to manage it efficiently and effectively.

 

The problem is further compounded with the introduction of new products and services, mergers and acquisitions, business process changes, and new and intensifying sources of fraud. In many organizations, risks are documented haphazardly in spreadsheets and documents without consistent use of a common approach, methodology, or rating scale. In addition, accountability for risk is tenuous because risks are not assigned to named managers and business units. This undermines accountability and increases the likelihood that a significant risk event will occur.

 

In addition, non-standardized risk management terminology, inconsistent risk assessment methodology and inconsistent risk rating scales mean there is no comprehensive visibility to or accountability in addressing known risks. With everyone speaking differently about risk, incomplete risk registers and inconsistent risk assessments can lead to bad risk management decisions, illogical resource allocation, potential violations of regulatory mandates and an overall poor risk management program.

 

Consistently documenting risks and controls and performing reliable risk assessments is essential to establishing an effective risk management program.

 

RSA Archer Top-Down Risk Assessment

RSA Archer Top-Down Risk Assessment enables practitioners to document risks and controls throughout the organization. Risks can be assessed on an inherent and residual basis, both qualitatively and across multiple risk categories using monetary values. Controls can be linked to the risks they treat for consideration as a part of a residual risk assessment. Risks and controls can be assigned to named individuals and organizational structure to establish appropriate accountability and to provide relevant reporting.

 

Key features include:

  • Catalog a consolidated view of risks and internal controls within the organization
  • Map risks to business processes, controls, higher-level risk statements and scenarios
  • Establish a library of agreed-upon scenarios and perform assessments on selected scenarios
  • Perform qualitative and monetary assessments of inherent and residual risk
  • Monitor risks against established tolerances and risk appetite
  • Enforce consistent terminology, risk assessment methodology and rating scales
  • Organized, managed process to escalate issues to ensure proper signoff/approval of issues
  • Operationalize accountability for risks, controls, business processes, scenarios, risk assessments and outstanding issues
  • Establish delegated authorities for approving risk and enforce those authorities by automatically routing risk decisions to the authorized individuals
  • Visibility into risk and control inventory and assessment progress via predefined reports and risk dashboards

 

Today, organizations are faced with complex and fast moving risk challenges.  RSA Archer Top-Down Risk Assessment is one element of an effective Integrated Risk Management program.  Stressing the agility and flexibility needed by today’s modern organizations, integrated risk management brings together the various domains of risk across business activities (horizontally), connecting the activities to the strategies and objectives of the organization on an aggregated basis (vertically). This approach to risk management provides leaders with the most holistic understanding of risk facing their organization so they can make truly informed decisions about where to deploy limited capital and human resources to produce optimized returns for the organization while maximizing the likelihood of achieving the organization’s objectives.

 

As your organization drives business growth, your risk management program must evolve and manage risk more holistically, with more agility and integration than before. Effectively performing Top-Down risk assessments is one ingredient to demonstrating real progress and improvement in decreasing business risk.  RSA Archer can help your organization better understand and manage risk assessments on one configurable, integrated software platform. With RSA Archer solutions, organizations can efficiently implement risk management processes using industry standards and best practices and significantly improve their business risk management maturity.

 

For more information, visit RSA.com or read the Datasheet.

Today, we’re pleased to announce availability of RSA Exchange Release R7, which introduces 10 new and two updated offerings, as well as new and updated content. We're thrilled that our RSA Exchange Technology Partners continue to develop and deliver innovation for RSA Archer customers via the RSA Exchange, and look forward to much more in future releases.

 

  • App-Packs – pre-built applications addressing adjacent or supporting Integrated Risk Management processes (e.g. niche, industry, geo-specific)
    • Aujas Duplicate Findings Prevention avoids duplicate open findings for periodic assessments, reducing stakeholder overhead in managing duplicate findings
    • RSA Archer Due Diligence Management provides consistent due diligence scoping process, checklist, and recommendations that address multiple due diligence business processes such as mergers and acquisitions
    • RSA Archer FFIEC-Aligned Cybersecurity Framework offers the ability to apply the best practice principles from FFIEC to prioritize and scope business objectives and priorities, create risk profiles, risk assess the environment, analyze the results to identify gaps, and implement an action plan
    • RSA Archer Speak Up, introduced in November 2018, has been updated to enable anonymous whistleblower submissions.

 

 

 

 

For additional documentation, downloads, and a listing of all RSA Exchange offerings, check out the RSA Exchange for RSA Archer on RSA Link. Stay tuned for more new RSA Exchange offerings next quarter!

What is Third Party Governance?

RSA Archer Third Party Governance provides organizations the capability to monitor and manage the performance of the third parties with whom they do business.

Why is the proper management of Third Party performance so important?

Organizations are increasingly using third parties to support their operations and to deliver products and services to their clients. Every organization entering into a third party relationship has expectations regarding how the third party’s products and services should perform. It is particularly critical that third parties provide satisfactory performance wherever they are supporting customer-facing activities or contribute to the organization achieving its key objectives. Often performance expectations are formalized via contract by way of agreed-upon service level metrics unique to the product or service being delivered by the third party. While contractually establishing service level metrics is a best practice, it is only the first step. Organizations need to monitor performance metrics throughout the life of each third party relationship and manage deteriorating third party relationships at the earliest possible time. While an organization may have created some contractual recourse should a third party fail to perform, litigation and financial compensation do not solve the problems posed by underperforming third parties. The best outcome is represented by third parties that live up to or exceed performance expectations.

 

RSA Archer Third Party Governance

RSA Archer Third Party Governance provides the capability to track the performance of individual third party engagements and to measure the performance of third parties across all of the engagements they are delivering to your organization. Third Party Governance provides the ability to document and track service level agreement metrics, and utilize a metrics library to promote consistency in assigning service level metrics to similar engagements.  Once performance metrics are established, actual performance data can be collected from named individuals or automatically via systems of record.  Stakeholders can be automatically notified if a third party’s performance begins to fall outside acceptable boundaries so that third party performance can be coached back to acceptable levels or remediation and contingency plans created and executed should the third party’s performance become irreparable.

 

Key features include:

  • Define and document performance metrics for third parties
  • Track all contractual service level agreement (SLA) metrics
  • Uncover deteriorating third party performance
  • Capture and monitor remediation plans until performance problems are resolved
  • Create performance metrics and associate them with individual product and service engagements
  • Capture performance metric data on an ongoing basis and score performance based on data collected
  • Report on performance of individual product and service engagements
  • Roll up engagement level performance to obtain overall third party performance profile

 

RSA Archer Third Party Governance enables organizations to:

  • Create and capture performance metrics and associate them with individual product and service engagements on an ongoing basis
  • Report on performance of individual product and service engagements and roll up engagement level performance to obtain an overall third party performance profile
  • Uncover deteriorating vendor performance and quickly resolve third party performance problems
  • More frequently exercise contract remedies due to poor performance
  • Avoid third party-related surprises and losses, and spend less time and money on third party performance remediation
  • Demonstrate the effectiveness of third party performance management programs to executive management and regulators

 

Today, organizations are faced with complex and fast moving challenges exacerbated by the very nature of rapidly expanding third party relationships. RSA Archer Third Party Governance is one element of an effective Integrated Risk Management program. Stressing the agility and flexibility needed by today’s modern organizations, integrated risk management brings together the various domains of risk across business activities (horizontally), connecting the activities to the strategies and objectives of the organization on an aggregated basis (vertically). This approach to risk management provides leaders with the most holistic understanding of risk facing their organization so they can make truly informed decisions about where to deploy limited capital and human resources to produce optimized returns for the organization while maximizing the likelihood of achieving the organization’s objectives.

 

As your organization drives business growth through an extended ecosystem strategy, your third party risk and performance management program must evolve and manage risk more holistically, with more agility and integration than before. Managing third party risk and performance is one ingredient to showing real progress and improvement and decreasing business risk.  RSA Archer can help your organization better understand and manage its third party relationships on one configurable, integrated software platform. With RSA Archer solutions, organizations can efficiently implement risk management processes using industry standards and best practices and significantly improve their business risk management maturity.

 

For more information, visit RSA.com or read the Datasheet.

 

What is Third Party Engagement?

A third party is any entity with which your organization has an actual or implied contractual relationship for the receipt of goods and services.  Besides being called a third party, these relationships may also be known as vendors or suppliers.  An Engagement refers to the actual product or service being received by way of a contract with a third party. 

 

RSA Archer Third Party Engagement provides organizations the capability to inventory all of the product and service engagements they are receiving from third parties. Engagements can be mapped to the third parties supplying the product or service, and to the organization’s business units and business processes they support. Third party contacts can be documented, and accountability for third party engagements can be established by named individual and by the business units that own the relationship. If you are utilizing the RSA Archer Third Party Engagement, Risk Management, and Governance use cases, then the risk and performance of individual engagements can be established, and risk and performance information can be rolled up across all products and services delivered by a third party and depicted in aggregate at the appropriate third party organizational level.

 

Why is the proper management of Third Party Engagements so important?

Third parties may relate, to some degree, with every aspect of an organization.  They may impact your organization’s objectives and they support, in one way or another, the products and services your organization delivers.  They support business processes, introduce risk and affect and supplement the extended internal control environment of your organization.  They may provide assets and inputs to the organization such as hardware, software, physical space, and product inputs.  Acting as an agent of your extended organization, they are subject to your regulatory obligations and policies, and they may directly supplement your human resources through consultants and temporary labor, or extend your human resources by the nature of the services that they are providing.  You may have third parties that touch on every one of these elements of your business. 

There are numerous reasons organizations choose to engage third parties. These include competing better; benefiting from a vendor’s expertise that you don’t have in-house; optimizing resources; acquiring resources (often more cheaply); transferring risk, such as under insurance; and expanding market share by capitalizing on the third party’s presence in a market where you don’t currently have a presence, or by offering a more attractive product or service because of the third party’s expertise and capabilities.

Third parties are an extension of your business and, in the end, third parties introduce the same risk to your organization as if you internalized the activities.  In most cases, it is impossible to eliminate the risk altogether.  The best you can do is understand the risk and manage it within acceptable levels.

 

RSA Archer Third Party Engagement

RSA Archer offers the Third Party Engagement use case to consolidate the list of third party products and services your organization uses.

 

Key features include:

  • Catalog third parties, their business hierarchy, and the product and service engagements they deliver to your organization
  • Map third party products and services to the business processes they support
  • Roll up engagement risk assessments to obtain an overall third party risk profile
  • Catalog contracts and master services agreements associated with engagements
  • Execute contract risk assessments utilizing standardized questionnaires focused on minimum required contract language to mitigate and transfer risk
  • Capture the third party’s proof of insurance and evaluate the adequacy of the insurance relative to all of the engagements being delivered
  • Integrate the results of your business process impact analysis into your assessment of the inherent resiliency risk of each third party
  • Establish accountability for each third party engagement
  • Document and monitor remediation plans to bring risk within acceptable tolerance
  • Track exceptions related to third party engagements

 

With RSA Archer Third Party Engagement, you can:

  • Establish efficient management of your third party relationships
  • Know where, how, and why third parties are being used throughout your organization, and who is responsible
  • Identify inherently high risk third party products, services, and relationships
  • Better understand the adequacy of each third party’s proof of insurance
  • Have fewer third party-related audit and regulatory findings
  • Establish the basis for an effective third party risk management program and allocation of scarce resources based on the most significant priorities
  • Provide transparency into third party relationships using robust notifications and reporting
  • Provide positive assurance to senior management, the Board, and regulators regarding the adequacy of the organization’s third party governance program

 

Today, organizations are faced with complex and fast moving challenges exacerbated by the very nature of rapidly expanding third party relationships. RSA Archer Third Party Engagement is one element of an effective Integrated Risk Management program. Stressing the agility and flexibility needed by today’s modern organizations, integrated risk management brings together the various domains of risk across business activities (horizontally), connecting the activities to the strategies and objectives of the organization on an aggregated basis (vertically). This approach to risk management provides leadership with the most holistic understanding of risk facing the organization so they can make truly informed decisions about where to deploy limited capital and human resources to produce the most effective return to the organization.

 

As your company drives business growth through an extended business ecosystem strategy, your risk management program must evolve and manage risk with more agility and integration than before. Managing third party risk and performance is one ingredient to showing real progress and improvement and decreasing business risk.  RSA Archer can help your organization better understand and manage its third party relationships on one configurable, integrated software platform. With RSA Archer solutions, organizations can efficiently implement risk management processes using industry standards and best practices and significantly improve their business risk management maturity.

 

For more information, visit RSA.com or read the Datasheet.

It's official - time to get your creative juices flowing as the RSA Charge 2019 'Call for Speakers' (C4S) is now open and awaiting your submissions!

 

As you are aware, the RSA Charge events represent all RSA products and an increasing number of customers across solutions attend this one-of-a-kind event each year. The RSA 2019 Charge promises to be the biggest event in our history of RSA Charge and Summit conferences. 

 

The RSA Charge event is successful in no small part because of the stellar customer submissions we receive each year. We invite you to submit your presentation brief(s) for consideration. (That's right, you may submit more than one submission brief!)

 

This year, for the first time, the '8' Tracks for RSA Charge 2019 are identical across all products and represent all RSA solutions. We are pleased to present them to you:

 

Transforming Your Cyber Risk Strategy - Cyber-attacks are at the top of the list of risks for many companies today. Tell us how you are approaching reducing this risk utilizing RSA products.

 

Beyond the Checkbox: Modernizing Your Compliance Program - The regulatory landscape is always shifting.  How are you keeping up and what steps are you taking towards a sustainable, agile compliance program?

 

Aligning Third Party Risk for the Digital Transformation - Inherited risk from your business partners is a top of mind issue.  Third party risk must be attacked from multiple angles.  Share your strategy.

 

Managing Operational Risk for Impact - Enterprise risk, operational risk, all things risk management. Share your experience and strategy on how you identify, assess and treat risk across your business operations.

 

View from Above: Securing the Cloud - From security visibility to managing organizational mandates, what is your risk and security strategy to answer the "go to cloud" call?

 

Under the RSA Hood: Managing Risk in the Dynamic Workforce - The workforce has become a dynamic variable for many organizations - from remote users to BYOD to contractors and seasonal workers.  How are you addressing this shift?

 

Business Resiliency for the 'Always On' Enterprise - The world expects connectivity.  When the lights are off, the business suffers.  Tell us how you are ensuring your business is 'always on' - business continuity, recovery, crisis management and the resilient infrastructure.

 

Performance Optimization: RSA Product Learning Lab - Share your technical insights of how you use RSA products to meet your business objectives.  Extra points for cool 'insider' tips and tricks.

 

We know you have great stories to share with your peers, best practices, teachings, and how-to's. We hope you consider submitting a brief and thank you in advance for your consideration. More information can be found on the RSA Charge 2019 website (scroll to bottom of page) including the RSA Charge 2019 Call for Speakers Submission Form. Submissions should be sent to: rsa.events@rsa.com.

 

Call for Speakers 'closes' April 19. 

What would you do if you heard an advertisement on the radio misrepresenting a product your company offered?  I'd like to share a true story and how RSA Archer helped this organization's first line of defense own risk.

 

Sally was listening to the radio on her drive to work when she heard an advertisement about her company but the information was incorrect and misleading.  When she got to work, she didn't know who to report the information to but knew that if she didn't report it, it could cause huge impacts to their organization.  After approaching several people, she decided to call the IT help desk.  While the IT help desk typically "helps" many, they are typically a little further downstream from the risk evaluation process. After some digging, the IT help desk sent the request to the Risk Management team, who then connected Sally with the third party risk team to address the issue with the third party. 

 

When our customer approached RSA, we decided to provide a method via RSA Archer that not only addresses the problem but enables your organization to own risk.  But we took it a bit further than just a risk reporting tool. There are often brilliant ideas that could positively impact your organization. There may also be specific issues or incidents that conflict with your organization's corporate policies and procedures and someone within your organization has the knowledge needed to help avert or mitigate those issues early on. 

 

The RSA Archer Speak Up app-pack provides a mechanism within RSA Archer for the first line of defense to communicate information to your management or risk management team while leveraging workflow to review and approve the information and get it to the right team to take action.

 

RSA Archer Speak Up allows you to:

  • Submit ideas to improve the business;
  • Report issues to responsible authorities or management team within the organization; and
  • Document concerns regarding potential ethics violations, incidents, breaches, issues with third parties, and more.

 

With the RSA Archer Speak Up app-pack, your employees are empowered to speak up and own risk.  And, your management team is empowered with accountability and a consistent governance process for addressing risks.

 

RSA Archer Speak Up Business User Dashboard

Interested in learning more about the RSA Archer Speak Up app-pack? Join us for a Free Friday Tech Huddle on Friday, February 8 for a live demo. Free Friday Tech Huddles are only available to RSA Archer customers. If you are not yet a customer but you are interested in learning more, please contact your local representative or authorized reseller—or visit us at www.rsa.com.

What is Third Party Risk Management?

A third party is any entity with which your organization has an actual or implied contractual relationship for the receipt of goods and services.  Besides being called a third party, these relationships may also be known as vendors or suppliers.  An Engagement refers to the actual product or service being received by way of a contract with a third party. 

 

RSA Archer Third Party Risk Management provides organizations the capability to assess and manage the risks associated with their third party engagements.

 

Why is the proper management of Third Party Risk so important?

Organizations are increasingly using third parties to support their operations and deliver products and services to their clients. While it is possible to outsource many business activities to third parties, organizations retain the risks associated with their third party relationships. Many of these risks can be significant including regulatory compliance violations, customer and shareholder litigation, information security breaches, financial losses from errors, fraud and business interruption, reputation damage, and impediment to strategic objectives. Organizations need to understand the risks third party relationships pose to their organization and the adequacy of controls that their third party providers have in place to manage risk within acceptable boundaries.

 

RSA Archer Third Party Risk Management

RSA Archer Third Party Risk Management employs a series of risk assessment questionnaires to be completed by a third party to assess the third party’s internal control environment and collect relevant supporting documentation for further analysis. The results of these questionnaires are factored into a determination of the residual risk of each third party engagement across several risk categories (compliance/litigation, financial, information security, reputation, resiliency, strategic, sustainability, and fourth party risk).  Risk results are depicted for each engagement and are rolled up to the third party to depict their overall risk across all of the engagements they deliver to the organization. Risk assessment findings can be automatically captured and managed as exceptions and remediation plans can be established, assigned to accountable individuals, and monitored to resolution.

 

Key features include:

  • Consistent risk assessment and evaluation of third party controls
  • Capture and store supplemental documents such as SSAE-16s, financial statements, and PCI assessments, and monitor when refreshed documents are due
  • Capture declared critical fourth party relationships and understand the quality of governance your third party applies to their own third party relationships
  • Depiction of risk of overall third party relationship, across all engagements being delivered to your organization
  • Consolidated view into known issues
  • Organized, managed process to escalate issues
  • Visibility into known risks and efforts to close/address risks
  • Efficient program management and understanding of program status

 

RSA Archer Third Party Risk Management provides:

  • Methodical and standardized approach to risk assessment
  • Management and mitigation of identified issues and reduced time to resolution
  • Stronger, quicker response to emerging risks
  • Fewer third party related incidents and losses
  • Reduced program administration costs
  • Reduction of overall third party risk
  • Reduced repeat audit and regulatory findings
  • Better understanding of how third parties are used throughout the organization and the risks they pose

 

Today, organizations are faced with complex and fast moving challenges exacerbated by the very nature of rapidly expanding third party relationships.  RSA Archer Third Party Risk Management is one element of an effective Integrated Risk Management program.  Stressing the agility and flexibility needed by today’s modern organizations, integrated risk management brings together the various domains of risk across business activities (horizontally), connecting the activities to the strategies and objectives of the organization on an aggregated basis (vertically). This approach to risk management provides leadership with the most holistic understanding of risk facing the organization so they can make truly informed decisions about where to deploy limited capital and human resources to produce optimized returns for the organization.

 

As your company drives business growth through an extended business ecosystem strategy, your risk management program must evolve and manage risk more holistically, with more agility and integration than before. Managing third party risk and performance is one ingredient to showing real progress and improvement and decreasing business risk.  RSA Archer can help your organization better understand and manage its third party relationships on one configurable, integrated software platform. With RSA Archer solutions, organizations can efficiently implement risk management processes using industry standards and best practices and significantly improve their business risk management maturity.

 

For more information, visit RSA.com or read the Datasheet.

What do we mean by controls monitoring?

In today's complex regulatory environment, organizations face a daunting task in maintaining compliance amidst constantly shifting obligations and requirements. As organizations attempt to keep pace and adapt control activities (controls) to changes in compliance requirements and operational risk scenarios, they are often hamstrung by ad-hoc, disconnected compliance efforts that are implemented reactively across separate areas of the business. This severely limits the ability to maintain a real-time, aggregated view of risk and compliance impacts. Efficiency and scale also suffer as the volume of manual systems and processes overloads the organization's limited resources.

 

Implementing a program that includes a centralized inventory of assets, requirements, risks, and controls, coupled with a standardized approach to measuring control efficacy, is the key to ensuring diligence and completeness. This also provides the solid foundation necessary for enabling automation and improving the ability to continuously monitor key risk and control performance metrics as the organization adapts to changes in the business climate.

 

Why is a program approach to monitoring control activities so important?

Consolidating organizational compliance projects into a single platform offers business owners a unique level of visibility into critical risk and compliance information, enabling them to make fully informed risk based business decisions in support of organizational priorities. A single control universe can further align with extended corporate stewardship and responsibility goals and other strategic objectives.

 

RSA Archer Controls Monitoring Program Management

RSA Archer Controls Monitoring Program extends the foundation established with RSA Archer Controls Assurance Program Management, with a modernized approach to defining and managing separate compliance projects simultaneously. This includes tools to assess and report on the performance of controls across all enterprise asset levels and the ability to automate control assessments and continuously monitor ongoing compliance efforts. Customers can also enjoy seamless integration with other RSA Archer use cases designed to tackle all aspects of Integrated Risk Management in their unique environments.

 

Businesses that operate with disconnected, ad-hoc programs typically find themselves diverting more and more time and resources to compliance, only to see their overall risk levels continue to increase. Organizations with optimized compliance programs, by contrast, are able to reverse that trend and return more resources to the business, which can then be used to invest in future growth initiatives. An optimized program also serves to reduce overall operational risk and provide decision makers with a reliable means for exploring the opportunity landscape by enabling them to identify with confidence the business risks that are worth taking.

 

For more information, please visit RSA.com and review the Datasheet.

Mason Karrer

RSA Archer PCI Management

Posted by Mason Karrer Employee Jan 16, 2019

What are the basics of PCI-DSS Compliance?

The Payment Card Industry Data Security Standard (PCI-DSS) defines a consolidated set of security best practices endorsed by major card brands, which are designed to reduce fraud risk associated with credit card processing. Organizations that fail to comply may lose their ability to accept credit card payments, which could greatly impact their ability to conduct business. However, with the continually increasing velocity and sophistication of new threats, maintaining an effective PCI-DSS compliance program has become an increasingly costly business requirement as well - and those costs can be substantial.

 

The PCI-DSS is considered one of the more prescriptive and technical compliance mandates that companies must typically deal with. This can be both good and bad. In contrast, many higher level government mandates like federal regulations are often written in broader terms that can be difficult to interpret into actionable specifics like precise internal control definitions. The more a company has to guess at what’s expected, the greater the chance of guessing wrong and either undercompensating (raising the inherent risk of running afoul of the regulation); or overcompensating, which can increase the internal costs and burden of compliance unnecessarily.

 

The benefit of PCI’s more prescriptive language is better clarity in terms of understanding what’s expected, how it will be audited, and specific reporting requirements. However, the other side of the coin with PCI is the extensive technical breadth and depth of its coverage. Encryption, network segmentation, multi-factor authentication, and external vulnerability scanning are a few areas where companies often struggle, either because of technical limitations or significant additional technology investments needed.

 

Why is a program approach to PCI Compliance so important?

Companies able to gain efficiencies by optimizing their operational compliance efforts will be more successful at reducing compliance costs and gaps. Consolidating organizational compliance initiatives into a single comprehensive view is the most effective way to identify and eliminate duplicate efforts and reduce overall compliance risk. The technical nature of PCI can often force companies to undertake process improvements, technical infrastructure overhauls, and even facility construction projects simultaneously. A streamlined program approach helps to keep things organized and drive consistent, successful outcomes.

 

RSA Archer PCI Management

RSA Archer Controls Assurance Program and RSA Archer Controls Monitoring Program provide a solid foundation for managing any organizational compliance initiative. However, PCI’s unique characteristics and pervasive global reach offer an opportunity to take things several steps further. RSA Archer PCI Management is designed to do just that, by enabling organizations to streamline the compliance process, simplify stakeholder participation, and reduce overall compliance effort and cost.

 

RSA Archer PCI Management guides merchants through identifying and defining cardholder data flows and environments, engaging the proper stakeholders, completing self-assessment questionnaires (SAQs), testing and gathering evidence for all required controls, and managing the gap remediation process.

 

Key features include:

  • Easy-to-use project workflows to manage CDE (cardholder data environment) scoping and multiple, ongoing compliance assessment projects.
  • Structured content libraries linking each discrete control requirement in the PCI-DSS to an extensive control testing repository, ensuring full coverage across internal and external assessment activities.
  • Persona-driven dashboards and questionnaires that simplify the attestation and evidence gathering process and provide clear insight into compliance activity status.
  • Aggregated issues management functionality for tracking findings and gaps and managing the remediation process.
  • One-click reporting templates to assemble all required deliverables into a properly formatted Report on Compliance (ROC) for easy review and submission.

 

Customers can also enjoy seamless integration with other RSA Archer use cases designed to tackle all aspects of Integrated Risk Management in their unique environments. Organizational leaders with optimized programs in place have a distinct advantage for exploring the opportunity landscape, because those programs enable them to identify with confidence the business risks that are worth taking.

 

For more information, please visit RSA.com and review the Datasheet.

In their ongoing effort to clarify the concepts of integrated risk management (IRM) and digital risk management (DRM), Gartner has begun to discuss the interconnection of IRM and DRM with enterprise risk management (ERM).

 

 

Source: https://blogs.gartner.com/john-wheeler/irm-is-essential-for-digital-transformation-success/

 

I certainly agree with Gartner’s statement in their recent blog: “To keep pace with the increasing risk associated with digital transformation, organizations require an integrated approach to risk management. Not only is it essential to invest in integrated risk management (IRM) technology to enable this approach, it is also imperative to focus on the convergence of technology and operational risk. This convergence represents a key IRM use case called ‘digital risk management.’ Digital risk management (DRM) technology integrates the management of risks of digital business components — such as cloud, mobile, social and big data — and third-party technologies, such as artificial intelligence and machine learning, operational technology (OT), and the Internet of Things (IoT). DRM helps bridge the gap between the Chief Risk Officer (CRO), the Chief Information Officer (CIO) and the Chief Information Security Officer (CISO).”

 

ENTERPRISE RISK MANAGEMENT IS THE FOCUS

While Gartner introduced IRM and DRM concepts some time ago as part of operational risk management, what appears new in Gartner’s most recent IRM discussion is the explicit connection to ERM. The ascendency of ERM as a business focus is not new. In 2014, I reported on RIMS' declaration that the practice of ERM had reached critical mass. This is borne out by our customers in the financial services industry, of whom 81% stated in a survey conducted last year that they were already using the RSA Archer Suite to support their ERM program! That’s right, 81% of financial services customers surveyed are already integrating cyber risks with other kinds of operational risks, with their organization’s financial risks and risks to their strategies and objectives. As RIMS stated in 2013 of ERM, “value is maximized when management sets strategy and objectives to strike an optimal balance between growth and return, goals and related risks, and efficiently and effectively deploys resources in pursuit of the entity’s objectives.”

 

THE FUTURE OF ERM?

I think it’s safe to assume, as with most things risk management-related, organizations vary in their approach to ERM.  We know that approaches to risk identification, risk assessment, risk evaluation and treatment, and monitoring all vary, as does the scope and granularity around the use of performance, risk, and control indicators.  And that’s fine. Everyone executes to their own unique risk management roadmap given the objectives of their management team, board of directors, and available human and capital resources.

Yet, the Committee of Sponsoring Organizations (COSO) of the Treadway Commission (remember this is the group that drove the Sarbanes-Oxley Act?) has laid out their goal and roadmap for ERM, as well.  In their 2016 update to the COSO ERM framework, they represented the complex interrelationship between risk profile, performance, and risk appetite in this one graphic:

 

Source: Figure 4.2, COSO ERM Public Exposure Draft, June 2016

 

I’ll leave a discussion of the relationship of each of these variables and how an organization might go about generating this kind of understanding for themselves in one graphical representation for another time. For now, I think it is enough to consider some of the questions that must be answered to achieve the goal laid out by COSO ERM 2016:

  • How do I come up with a risk appetite statement that consistently encompasses all types of risk?
  • If risk capacity is that level of risk that would put my organization out of business, which risks are those and how do I assess them in a way to compare them to my risk capacity?
  • How do I aggregate all of my risks to generate a risk profile?
  • How do I measure target performance?
  • How do I correlate risk profile to performance, let alone visually depict the relationship?

 

Please add a comment.  I would love to hear from you and how you think these questions can be answered.

Managing Third Party contracts can be a daunting task, let alone tracking changes and approval during the negotiation process.  Between your legal department and the third party's legal department, the changes and approvals are horrendous to track and inefficient for all parties involved.  What if you had standardized contract language that was pre-approved by your legal organization?  What if you could use RSA Archer to track the clause changes and the change approvals? 

 

RSA Archer Contract Clause Management is the solution for you.  We've developed a solution to address small to mid-sized companies who do not need an entire contract management suite to assemble contracts and manage their clauses while tracking changes and approvals.  This app-pack can help you establish standard clauses to utilize in contracts.  It also tracks and manages the development, changes, and approvals of the contract clauses used in your contracts. 

RSA Archer Contract Clause Management Clause Owner Dashboard

 

With the RSA Archer Contract Clause Management App-Pack, you will have a central repository for storing standard contract clauses and contract clauses that are used in agreements with third parties, and a consistent process for creating and approving the clauses, along with visibility into changes within contracts and clauses.

 

Interested in learning more about the RSA Archer Contract Clause Management app-pack? Join us for a Free Friday Tech Huddle on Friday, January 11 for a live demo. Free Friday Tech Huddles are only available to RSA Archer customers. If you are not yet a customer but you are interested in learning more, please contact your local representative or authorized reseller—or visit us at www.rsa.com.
