Skip navigation
All Places > Products > RSA Archer Suite > Blog
1 2 3 Previous Next

RSA Archer Suite

417 posts

Wouldn’t it be great if the size and resources of your third-party risk management team actually kept pace with your growing number of third parties? Hey, it never hurts to dream. But in case that dream never becomes a reality, RSA Archer has got your back.

 

Third-party relationships aren’t just growing in number and complexity -- they’re also growing in their potential impact to your business. As innovative companies lean into digital transformation, they’re increasingly leveraging third parties to host new infrastructure, improve customer experiences, and fuel digital-native products. So as our reliance on third parties grows, we have to ask ourselves how our risk management can work better, smarter, and faster.

 

Third-party risk management has traditionally been limited to questionnaires. These assessments remain important today, but they leave several gaps in effective risk management. First, they only tell you the risk at the "point in time" the assessment is conducted. Second, they only tell you what the third party knows and wants you to hear. They do nothing to illuminate security gaps that a vendor isn’t aware of. They tell you which controls are in place, but leave you with no assurance that those controls are operating effectively. And lastly, they’re just downright time-consuming for everyone involved, from respondents to reviewers. In a world where third parties are critical to bringing new products to market, that means hindering the pace of progress for the entire business.  

 

So how can we do risk better? The key is to maximize efficiency and minimize risk. Doing that means focusing on protecting value at risk. This requires having context for what matters to the business and where the value lies. But it’s not enough to just identify risk. Effective risk management also requires action.

 

That’s why we’re so excited to announce the new RSA Archer Third Party Security Risk Monitoring use case. While questionnaires and risk rating services alone only provide a partial view of risk, RSA Archer now enables you to build the complete picture. This new RSA Archer use case brings together business context, technical valuation powered by machine learning, objective verification of operating effectiveness, and actionable workflow to provide the most efficient, effective approach to risk management.

 

With both questionnaire-based assessments and new continuous monitoring of a third party’s internet presence, you can focus on how risk is actually implemented and operated. Prioritizing actions based on inherent business risk, asset value, and known defficiencies keeps you focused on what matters most. RSA Archer’s powerful workflow engine then ensures that the most critical issues get triaged both internally and externally for immediate response. As part of the broader RSA Archer platform for integrated risk management (IRM), you can also maximize the business value of your risk management program by providing a single place to share third party risk dashboards with stakeholders from the first line of defense, compliance, business resiliency, information security, and more.

 

Interested in taking your third-party risk program to the next level? Join us on Wednesday, May 22, 2019 at 11:00 AM Eastern for our webinar, "Third Party Risk Management: Making Sense of Your Vendor Data." To sign up, register here. Learn more about the new RSA Archer Third Party Security Risk Monitoring use case and be sure to join us for a Free Friday Tech Huddle on June 14, 2019.

With today’s launch of RSA Exchange Release R8, we’re excited to bring you new offerings that can help you in continuing to advance in your integrated risk management (IRM) journey.

 

One RSA objective for this year is delivering advanced IRM capabilities to help your organization achieve greater visibility and insights. RSA Exchange Release R8 is one of our largest releases to date and brings to market new capabilities in managing tax risk and strategic risk, as well as managing your organization’s conflict of interest policies with gift registration. In addition, 13 new and updated integrations offer enhanced insight from industry-leading software providers, and 6 new authoritative sources can help widen your view of risk.

 

The RiskRecon integration has been updated to optimize the new RSA Archer Third Party Security Risk Monitoring use case, which is now generally available.

 

Here is a full list of the new and updated offerings available in Release R8.

 

 

 

 

 

There are so many new capabilities available in Release R8, and I know it can be overwhelming.  My suggestion is to start by reviewing the product advisory to learn a bit more about each of the new and updated offerings.

 

Next, I invite you to join me for a Free Friday Tech Huddle on Friday, May 31 for an overview of the RSA Exchange Release R8 offerings. Christine Tran will also provide a demonstration of the new RSA Archer Strategic Risk Management and RSA Archer Gift Registration app-packs.

 

Lastly, there is a wealth of documentation, downloads, and more on the RSA Exchange on RSA Link.  I recommend that you bookmark the listing of all RSA Exchange offerings. And if you have new ideas for the RSA Exchange, please send them our way on RSA Ideas

Let's talk about entropy. No, I'm serious, we have to talk about it. Entropy is the natural tendency for things to become less organized over time, a natural decay of order and planning that creates chaos and uncertainty. And it is a natural tendency. As the work piles up, the new tasks, the urgent tasks will replace the mundane and old tasks at the top of your conscious mind. They have not become less important, they just are a victim of entropy.

 

I fight against entropy all the time, we all do. We try to create order and structure through a calendar, a to do list, reminders… Anything can become a tool in the fight against entropy. And that does bring us to a new feature in Archer 6.6, the automated metrics update.

 

Metrics are a great tool to monitor data, whether is it performance, risk or control data. It can give you a quick snapshot of a situation, it can give you early warning if something is not quite right, it can be used for trending, it has a lot of uses. The issue is that what you get from your metrics program is what you put in. If your metrics are not updated on a regular basis then you won't get anything of value out of them. Entropy is fighting against you, who will remember to go in an update a key indicator when there are ten new tasks to perform?

 

That is why we leveraged the new rules based enrollment feature in Advanced Workflow to implement an automatic upgrade of key indicators. Based on the update frequency and the last update date, metrics that are past their due update date are now going to be automatically enrolled in a workflow. The metric users will receive a notification, and have a task created for them to update their outstanding metrics. It’s a simple one step process that will ensure the key indicators stay up to date.

 

The end result is that since metrics will be more reliably up to date, all the information you use them for, dashboard, reports, trends, alerts will also be more up to date and reliable. So will the metrics you decide to feature on a dashboard through the new featured metric feature. The insights you will get from them will be better and timelier. And your fight against entropy will be made easier since there will be no need to chase metrics owners down to get them to update their data.

 

Now, this is only one illustration of how the new rules based enrollment workflow feature can be used, I am impatient to see what you will actually use it for. What do you think will be the first workflow you build using this?

Available beginning today, RSA Archer Release 6.6 represents our next step forward in creating a next-generation user experience that brings the power of RSA Archer to an evolving user base, where they are, with the context they need, and in the format they want.

 

With this release, we’ve focused on continuing to elevate the user experience with RSA Archer, with user interface, usability, and accessibility updates that support the growing scope and importance of risk and compliance at all levels of our customers’ organizations. Release 6.6 includes a number of improvements to key features of the main navigation, dashboards, and records pages for a more modern look and feel and enhanced functionality.

 

Other enhancements to the RSA Archer Platform include search and reporting improvements for easier and faster analysis. A new “Refine By” pane on the search results page – similar to what you would see in the left column on Amazon.com -- makes it easy to slice and dice initial search results by clicking attributes to filter the results without leaving the results page. Users can also add, remove, and reorder display fields directly from the search results page, for more efficient modifications to search results. To enable faster navigation and search, Global Search now provides search suggestions that appear in real-time as text is entered to enable faster navigation, and prioritizes content that matches the Key Field, Tracking ID, or both.

 

Release 6.6 includes workflow management enhancements for greater efficiency, including while on the move. As one of the customer-voted “Top 10” features on RSA Ideas, the new Advanced Workflow Actions by Email capability enables users to quickly and easily complete workflow actions, such as approving or rejecting a record, via email without the need to log in to RSA Archer. The release also includes performance improvements to optimize management of data at scale, support for an Application Managed Output Writer for JavaScript Transporter to enable more data in a single data feed, and removal of inactive jobs to reduce the job engine load.

 

RSA Archer Release 6.6 also includes updates for several use cases:

  • RSA Archer Key Indicator Management use case updates enable past due active metrics or metrics that do not have recorded results to be automatically enrolled into workflow. Metric owners are notified that action is required and can then determine the appropriate remediation actions for the metric.
  • RSA Archer Corporate Obligations Management and RSA Archer IT Regulatory Management use cases have been updated to remove pre-configured data feeds from the use case package, allowing customers to customize configuration based on their regulatory requirements. Data feeds are now available from the RSA Exchange on RSA Link.
  • RSA Archer Enterprise Catalog is a new package designed to simplify the process of updating releases by aggregating shared applications across multiple use cases.

 

Last, but certainly not least, for our global customers, RSA Archer Release 6.6 includes localization for the eight languages supported by RSA Archer. We’re very pleased to be able to provide localization with general availability for the first time with RSA Archer Release 6.6. Customers can immediately download RSA Archer in their language of preference, and translated documentation is also available.

 

For more details on RSA Archer Release 6.6 features and functionality, RSA Archer customers can review the product advisory. Customers are invited to join us for a Free Friday Tech Huddle on Friday, May 3. You can also read the blog series and check out the documentation available on the RSA Archer Release 6.6 subspace on RSA Link.

 

If you haven’t yet upgraded to 6.x to take advantage of these and other great features, please reach out to your account representative. You don’t know how much you’re missing!

 

Stay tuned for even more great things coming soon for the RSA Archer Suite.

In the RSA Exchange R6 release, we introduced the RSA Archer Speak Up app-pack which empowers your first line of defense to Speak Up regarding concerns in the form of ideas, issues, or complaints.  Using the RSA Archer Speak Up app-pack, your employees don't have to worry about how to classify the information or where to submit it and you can receive insights from your organization to improve the business.

 

In our most recent release of the RSA Exchange R7, we updated the RSA Archer Speak Up app-pack to allow capability for anonymous submissions.  Information can now be submitted anonymously to protect the identification of whistleblowers and management can solely focus on the issues at hand.

 

With the RSA Archer Speak Up App-Pack, you can:

  • Empower users within your organization to speak up regarding the business
  • Provide ownership and accountability for information reported
  • Employ a consistent governance process for reporting information
  • Be informed of organizational risks related to Speak Up requests
  • Inspire everyone to own risk

 

Interested in learning more about the RSA Archer Speak Up app-pack? Join us for a Free Friday Tech Huddle on Friday, April 12 for a live demo. Free Friday Tech Huddles are only available to RSA Archer customers. If you are not yet a customer but you are interested in learning more, please contact your local representative or authorized reseller—or visit us at www.rsa.com.

 

This is not an April Fools’ Day joke – RSA Charge registration fees go up from $595 to $995 on April 2. Trust us, you will not want to miss this year’s Charge event. REGISTER TODAY!

 

RSA Charge 2019 will provide you a place to discover game-changing business-driven security solutions to meet today’s greatest business challenges. Attendees will explore best practices and have opportunities to problem-solve and discuss ideas for product and service innovation to increase productivity. From customer case studies to training as well as one-on-one consultations and motivating keynotes, this year’s conference has something for everyone!

 

RSA Charge 2019 will deliver a host of new content and exciting opportunities through:

Customer-led case studies and hands-on workshops to share trends and issues specific to your industry

Thought-provoking keynote presentations that provides insights on RSA’s products, solutions and customer successes

Partner Expo highlights solutions that are driving high-impact business benefits using RSA’s solutions

Unparalleled Networking invites you to exchange ideas with your peers and RSA experts and save – early bird rates are $595 and available through April 1, 2019, then the regular registration price kicks in at $995. The RSA Charge 2019 website should be your go-to destination for all ‘Charge’ information - Call for Speakers, Agendas at a Glance, Full Agendas and speakers, Keynotes, and so much more.

 

RSA Charge 2019 will be in Orlando from September 16-19, 2019 @ Walt Disney World Dolphin & Swan Hotel, Orlando. 

 

REGISTER before April 2, save $400 and check out the RSA Charge 2019 website for continual updates like the one below:

 

Just Added: Looking for pre-conference training? Due to RSA Charge starting on a Monday and being on the Disney grounds, RSA has decided not to offer any pre-conference training this year but instead offer a whole RSA University track dedicated to your favorite training topics at no extra cost. That’s right, no additional cost!

 

There will also be RSAU representatives, onsite to talk shop and answer any and all of your questions, just another reason to attend RSA Charge 2019. We look forward to seeing you all in Orlando.

What is Operational Risk?

The Risk Management Association defines operational risk as “the risk of loss resulting from inadequate or failed internal processes, people, and systems, or from external events.” Sources of operational risk include natural and man-made disasters, cyber-attacks, errors, fraud, and regulatory or contractual non-compliance.

 

Why is the proper management of Risk so important?

In addition to operational risk, organizations today face a wide range of risks originating in different areas of their business, including risk to achieving strategies and objectives, credit risk, interest rate, liquidity, and market risk, political risk, and reputation risk, to name a few.  Many of these risks arise within the four walls of the organization and many are inherited through the extended third-party ecosystem that the organization engages. 

 

As an organization grows in size and complexity, converts to digital, moves into new markets, introduces new, more sophisticated or novel products and services, is subject to more regulatory obligations, extends its third party dependencies, or is exposed to political, social, or environmental challenges, it becomes much more difficult for the organization’s management and board of directors to understand and manage its risks.  Without a clear understanding of their risks, these organizations tend to experience more surprises and losses, and have a more difficult time achieving their objectives and strategies.  Some of these risks may threaten the very existence of the organization, or the livelihood of its managers and board of directors.  Consequently, these risks must be effectively identified, assessed, and managed to protect the organization’s leadership and ensure the organization can meet its objectives.

 

RSA Archer Risk Catalog

RSA Archer Risk Catalog provides the foundation to record and track risks across your enterprise, and establish accountability by named first and second line of defense managers. It provides a three-level roll-up of risk, from a granular level up through enterprise risk statements. Inherent and residual risk can be assessed utilizing a top-down, qualitative approach, with assessed values rolling up to intermediate and enterprise risk statements.

 

Key features include:

  • Consistent approach to documenting risk, assigning accountability, and assessing risks
  • Oversight and management of all risks in one central location
  • Ability to understand granular risks that are driving enterprise risk statements
  • Consolidated list of prioritized risk statements

 

RSA Archer Risk Catalog enables organizations to:

  • Obtain a consolidated list of the organization’s risk
  • Enforce a consistent approach to risk assessments
  • Prioritize risks to make informed decisions about risk treatment plans
  • Create accountability for the ownership and management of risk

 

The RSA Archer Risk Catalog is an essential use case of the RSA Archer Ignition Program, designed to empower organizations of all sizes to respond to risk with data-driven facts using a streamlined, fast time-to-value approach

 

Today, organizations are faced with complex and fast moving challenges.  RSA Archer Risk Catalog is one element of an effective Integrated Risk Management program.  Stressing the agility and flexibility needed by today’s modern organizations, integrated risk management brings together the various domains of risk across business activities (horizontally), connecting the activities to the strategies and objectives of the organization on an aggregated basis (vertically). This approach to risk management provides leaders with the most holistic understanding of risk facing their organization so they can make truly informed decisions about where to deploy limited capital and human resources to produce optimized returns for the organization while maximizing the likelihood of achieving the organization’s objectives.

 

As your organization grows and changes, your risk management program must evolve and manage risk more holistically, with more agility and integration than before. Effective risk management is essential for improving an organization’s risk profile.  RSA Archer can help your organization better understand and manage its risk on one configurable, integrated software platform. With RSA Archer solutions, organizations can efficiently implement risk management processes using industry standards and best practices and significantly improve their business risk management maturity.

 

For more information, visit RSA.com or read the Datasheet.

 

Thorough due diligence is a necessity when entering into an agreement or contract with another party, especially in the case of mergers and acquisitions.  However, due diligence activities can apply to any business situation requiring an investigation where proof that a "diligent" effort was put forth to obtain pertinent information in a forthcoming matter.  In the case of mergers and acquisitions, due diligence is a vital activity and can take several months of intense analysis if the target firm is a large business with a global presence.  This process often unveils risk insights and can help your organization plan for impacts to the business.      

 

Organizations need a way to define what due diligence activities are required and to track the results of those activities.  The RSA Archer Due Diligence Management app-pack enables you to define and manage the due diligence activities required for a thorough investigation of the target entity. The offering defines a framework for all due diligence activities making it consistent and repeatable, while providing visibility into the status of due diligence activities.  The due diligence framework can be defined specifically for your organization to ensure everyone within the organization is conducting the required due diligence for every target entity.  Due diligence activities are assigned and reviewed to ensure all activities have been completed, resulting in lower risk mergers and acquisitions.

 

With the RSA Archer Due Diligence Management app-pack, you can determine the scope of each due diligence project, track the due diligence tasks to completion, confirm and verify information through investigation, and provide recommendations based off of factual data and reports.

 

RSA Archer Due Diligence Management allows you to:

  • Offer a consistent and repeatable process for conducting due diligence
  • Implement a structure for due diligence checklist
  • Obtain visibility into the status of the due diligence activities required

 

Interested in learning more about the RSA Archer Due Diligence Management app-pack? Join us for a Free Friday Tech Huddle on Friday, March 29 for a live demo. Free Friday Tech Huddles are only available to RSA Archer customers. If you are not yet a customer but you are interested in learning more, please contact your local representative or authorized reseller—or visit us at www.rsa.com.

 

What is Operational Risk?

The Risk Management Association defines operational risk as “the risk of loss resulting from inadequate or failed internal processes, people, and systems, or from external events.” Sources of operational risk include natural and man-made disasters, cyber-attacks, errors, fraud, and regulatory or contractual non-compliance.

 

Why is Operational Risk Management so important?

For many organizations, effective operational risk management is inherently complex. As organizations grow in size and complexity, convert to digital, move into new markets, introduce new, more sophisticated or novel products and services, becomes subject to more regulatory obligations, or extends its third party dependencies, it becomes much more difficult for the organization’s management and board of directors to understand and manage its risks.  Without a clear understanding of their risks, these organizations tend to experience more surprises and losses, and have a more difficult time achieving their objectives and strategies.  Some operational risks may threaten the very existence of the organization, or the livelihood of its managers and board members.  Consequently, these risks must be effectively identified, assessed, and managed by business unit leaders (the first line of defense) and executive management to adequately protect the organization’s leadership and ensure the organization can meet its objectives.

 

Without engaging the first line of defense in identifying risk, and using consistent methodologies and measurements to assess risk, there is no way to provide executive management and the Board with an accurate and aggregated view of risk across the business.  Good operational risk management protects the organization from operational losses and surprises.

 

RSA Archer Operational Risk Management

RSA Archer Operational Risk Management is a combination of use cases that are core to a typical operational risk management program. These elements include: Top-Down Risk Assessment, Bottom-Up Risk Assessment, Loss Event Management, Key Indicator Management, Risk and Control Self-Assessments, Issues Management, and Scenario Analysis. RSA Archer Operational Risk Management enables cataloging business processes and sub-processes, documenting risks associated with business processes, and  control procedures. Risk self-assessments can be performed on a top-down basis, through first line of defense self-assessments, and through targeted bottom-up assessments. Loss events can be cataloged, root-cause analysis performed and routed for review and approval. Key risk and control indicators can be established and associated with risk and control registers, respectively, and monitored to provide early warning of changes in the organization’s risk profile. By integrating these use cases, risk managers have a comprehensive operational risk management program that reinforces desired accountability and risk management culture throughout the organization, providing necessary transparency through reporting, dashboards, and notification alerts.

 

Key features include:

  • Consolidated view into business processes, risks, controls, loss events, key indicators, and outstanding issues; an understanding of how they are all related; and accountability for each
  • Support for first line of defense self-assessments, and top down and bottom up risk assessments
  • Efficient management of self-assessment campaigns by second line of defense stakeholders, including necessary workflow to vet and challenge first line of defense assessments
  • Capture and perform root cause analysis on internal losses and near misses, and relevant external loss events, routing loss events to stakeholders for review and approval consistent with delegated authorities and loss type.
  • Enforce consistency in creation of risk and control registers through the use of risk and control libraries
  • Catalogue risk scenarios and capture and perform scenario risk assessments
  • Understand inherent and residual risk and observe changes in calculated residual risk while rolling up risks by business unit and enterprise risk statement
  • Robust key risk and control indicator program management to provide early warning and remediation
  • Consolidated issues management with a clear understanding at all times of the status of all open remediation plans and exceptions
  • Visibility into operational risk via predefined reports, risk dashboards, workflow, and notifications
  • Perform risk assessments qualitatively, quantitatively using monetary values, and support Monte Carlo simulation based on expert elicitation and loss events.

 

RSA Archer Operational Risk Management enables:

  • Better understanding of risks and controls throughout the organization
  • Improved risk management and risk management culture by engaging the first line of defense (business users) to take ownership of their risks and controls
  • Quicker detection and management of changes in risk profile
  • More efficient administration of the operational risk management program, allowing second line of defense teams to spend more time on analysis and less time on administration and reporting
  • Less time required to identify and resolve operational risk-related problems
  • Reduction in audit findings, surprises, loss events, and incidents,
  • Ability to clearly demonstrate the design and effectiveness of your organization’s risk management program

 

Today, organizations are faced with complex and fast moving challenges.  RSA Archer Operational Risk Management addresses the core requirements of an effective Integrated Risk Management program.  Stressing the agility and flexibility needed by today’s modern organizations, integrated risk management brings together the various domains of risk across business activities (horizontally), connecting the activities to the strategies and objectives of the organization on an aggregated basis (vertically). This approach to risk management provides leaders with the most holistic understanding of risk facing their organization so they can make truly informed decisions about where to deploy limited capital and human resources to produce optimized returns for the organization while maximizing the likelihood of achieving the organization’s objectives.

As your organization drives business growth through an extended ecosystem strategy, your risk management program must evolve and manage risk more holistically, with more agility and integration than before. Effective risk management is essential for improving an organization’s risk profile.  RSA Archer can help your organization better understand and manage its risk on one configurable, integrated software platform. With RSA Archer solutions, organizations can efficiently implement risk management processes using industry standards and best practices and significantly improve their business risk management maturity.

 

For more information, visit RSA.com or read the Datasheet.

 

What is Operational Risk?

The Risk Management Association defines operational risk as “the risk of loss resulting from inadequate or failed internal processes, people, and systems, or from external events.” Examples of operational risk include natural and man-made disasters, cyber-attacks, errors, fraud, and regulatory or contractual non-compliance.

 

Why is Bottom-Up Risk Assessment so important?

The introduction of new products and services, mergers and acquisitions, business process changes, and fraud are often viewed as risk projects to be evaluated when making decisions to move forward or enhance risk treatments. All too often, these kinds of operational project reviews are performed on an ad-hoc basis, using an unstructured and inconsistent approach. Bottom-up, project-oriented risk assessments are prone to incomplete and unreliable information. In addition, IT and business teams are often asked to collect the same assessment data via spreadsheets, Word documents, and email for different risk and compliance assessments. This manual approach results in missed project deadlines,  inconsistent and inaccurate risk assessments, risk treatments, and remediation plans. Manual approaches also often inefficient and expensive, and lack an easy way to compare results of multiple assessments. Since risks cannot be identified or assessed properly, losses, incidents, or other surprises related to the project may arise at a later date. Without visibility to or accountability in addressing known risks identified through bottom-up risk assessments, resource misallocation and slow implementation in risk treatment are the typical results.

 

RSA Archer Bottom-Up Risk Assessment

RSA Archer Bottom-Up Risk Assessment allows you to engage your teams via targeted project risk assessments. Projects can include such things as new and changing business processes, fraud assessments, new products and services, and proposed mergers, acquisitions, and divestitures.  Projects can be documented and questionnaires can be created with custom questions, as well as questions derived from RSA Archer’s extensive library of thousands of out-of-the-box questions. When risks are deemed too high, risk treatments and remediation plans can be documented and tracked through to resolution and approval.

 

Key features include:

  • Consistent approach to identify and assess project-related risk
  • Oversight and management of all risk assessments in process
  • Risk treatment plans are known across all assessments and implementation plans can be monitored to completion
  • Consolidated list of prioritized risk treatments and remediation plans
  • Visibility into assessment progress, risk treatments and remediation activity via pre-defined reports and risk dashboards
  • Named accountability for assessments and remediation plans

 

RSA Archer Bottom-Up Risk Assessment provides:

  • Consistent approach to identify and assess project-related risk
  • Oversight and management of all risk assessments in process
  • Known risk treatment plans across all assessments and implementation plans that can be monitored to completion
  • Consolidated list of prioritized risk treatments and remediation plans
  • Visibility into assessment progress, risk treatments and remediation activity via pre-defined reports and risk dashboards
  • Accountability for risk assessment and remediation activities

 

Today, organizations are faced with complex and fast moving operational risk challenges.  Tracking changing business activities is a core best practice in Operational Risk Management.  RSA Archer Bottom-Up Risk Assessment is a key element of an effective Operational and Integrated Risk Management program to assess risk associated with changing business activities.  Stressing the agility and flexibility needed by today’s modern organizations, integrated risk management brings together the various domains of risk across business activities (horizontally), connecting the activities to the strategies and objectives of the organization on an aggregated basis (vertically). This approach to risk management provides leaders with the most holistic understanding of risk facing their organization so they can make truly informed decisions about where to deploy limited capital and human resources to produce optimized returns for the organization while maximizing the likelihood of achieving the organization’s objectives.

 

As your organization drives business growth, your risk management program must evolve and manage risk more holistically, with more agility and integration than before. Effectively performing Bottom-Up risk assessments is one ingredient to demonstrating real progress and improvement in decreasing business risk.  RSA Archer can help your organization better understand and manage risk assessments on one configurable, integrated software platform. With RSA Archer solutions, organizations can efficiently implement risk management processes using industry standards and best practices and significantly improve their business risk management maturity.

 

For more information, visit RSA.com or read the Datasheet.

 

 

 

Recent high profile cyber attacks demonstrate that cyber incidents can significantly affect capital and earnings. Cyber incidents can have financial, operational, legal, and reputational impact. Costs may include forensic investigations, public relations campaigns, legal fees, consumer credit monitoring, and technology changes. As such, cybersecurity needs to be integrated as part of enterprise-wide governance processes.

 

With the increasing volume and sophistication of cyber threats and incidents, the Federal Financial Institutions Examination Council (FFIEC) developed the Cybersecurity Assessment Tool to help financial institutions identify their cyber risks and determine their level of cybersecurity preparedness. This assessment tool incorporates cybersecurity-related principles from the FFIEC's Information Technology Examination Handbook and maps back to the National Institute of Standards and Technology (NIST) Cybersecurity Framework.  The FFIEC developed this framework to help identify factors that contribute to your organization's cyber risks.  By understanding the factors that play into your organization's cyber risk, you can assess your level of preparedness and determine what risk management practices and controls are needed to mitigate and minimize your cyber risks.

 

The RSA Archer FFIEC-Aligned Cybersecurity Framework app-pack aligns with the FFIEC and NIST standards to provide a consistent and repeatable process for determining your organization's inherent risk levels and evaluating your cybersecurity maturity level. Using RSA Archer FFIEC-Aligned Cybersecurity Framework, action plans can be created and tracked to minimize inherent risk levels or achieve a desired cybersecurity maturity level.

 

With the RSA Archer FFIEC-Aligned Cybersecurity Framework offering, financial institutions can assess and measure their cybersecurity posture, address gaps, and report on cybersecurity posture in a meaningful way that is understood by all stakeholders.  

 

RSA Archer FFIEC-Aligned Cybersecurity Framework allows you to:

  • Offer a common language to communicate requirements and progress among stakeholders (internal, partners, contractors, suppliers)
  • Provide a method to understand larger cybersecurity ecosystem
  • Apply FFIEC best practices of risk management to improve cybersecurity and resiliency of critical infrastructure

 

Interested in learning more about the RSA Archer FFIEC-Aligned Cybersecurity Framework app-pack? Join us for a Free Friday Tech Huddle on Friday, March 8 for a live demo. Free Friday Tech Huddles are only available to RSA Archer customers. If you are not yet a customer but you are interested in learning more, please contact your local representative or authorized reseller—or visit us at www.rsa.com.

 

What is Operational Risk?

The Risk Management Association defines operational risk as “the risk of loss resulting from inadequate or failed internal processes, people, and systems, or from external events.” Examples of operational risk include natural and man-made disasters, cyber-attacks, errors, fraud, and regulatory or contractual non-compliance.

 

Why is Key Indicator Management so important?

The use of key indicators of performance, risk, and control are considered one of several best practices of a sound Operational Risk Management program.  In many risk management programs, the use of key indicators is implemented sporadically at the discretion of individual business units and division managers. Key indicator metrics may not be properly designed to accurately measure the intended activity, and the collection of indicator data may be accomplished in an unnecessarily costly and inefficient manner using spreadsheets and email. With missing or inefficient key indicator reporting, the organization is unable to accurately gauge or compare performance in terms of meeting strategic and operational goals, or understand drivers of risk and control. It also limits the organization’s ability to respond to emerging problems as quickly as possible.

 

RSA Archer Key Indicator Management

RSA Archer Key Indicator Management provides a means for organizations to establish and monitor metrics related to each business unit and activity within the organization.  Key indicators are also typically associated with other elements of your governance program, including risks, controls, strategies and objectives, products and services, and business processes to monitor quality assurance and performance.

 

Key features include:

  • Holistic key indicator management program
  • Association of key indicators with business units and named individuals, and establishment of key indicators of performance, risk, control, corporate objectives, business processes, and products and services, depending on your program implementation
  • Utilization of key indicator libraries to ensure consistency and quick deployment throughout the organization
  • Governance to ensure timely collection of indicator data
  • Stakeholder notification when indicators exceed acceptable boundaries
  • Consistent approach to calculating indicator boundaries and limits
  • Consolidated list of indicators that are operating outside boundaries, and associated stakeholder escalation and remediation plans
  • Accountability and management processes around remediation plans and action to bring key indicators back within acceptable boundaries
  • Visibility to key risk indicator metrics and remediation plans via predefined reports, dashboards, workflow, and communication channels.

 

Today, organizations are faced with complex and fast moving operational risk challenges.  To effectively manage risk, it’s not enough to know your organization’s strategies, objectives, risks and controls.  You need a way to understand if your strategies and objectives are being met; if your risk drivers are increasing or decreasing; and whether your controls are operating as designed or are under stress leading to failure. Tracking your key indicators, the Performance, Risk, and Control indicators associated with each of these elements is crucial in successful organizations today.  In addition, indicators associated with changing business activities are a good early warning of changing risk and performance profile. 

 

RSA Archer Key Indicator Management is an essential element of an effective Operational and Integrated Risk Management program to understand the organization’s risk and performance profile and operation of the existing internal control framework.  Stressing the agility and flexibility needed by today’s modern organizations, integrated risk management brings together the various domains of risk across business activities (horizontally), connecting the activities to the strategies and objectives of the organization on an aggregated basis (vertically), including these key indicators. This approach to risk management provides leaders with the most holistic understanding of risk facing their organization so they can make truly informed decisions, as quickly as possible, about where to deploy limited capital and human resources to produce optimized returns for the organization while maximizing the likelihood of achieving the organization’s objectives.

 

As your organization drives business growth, your risk management program must evolve and manage risk more holistically, with more agility and integration than before. Effectively deploying and utilizing Key Indicator management is one ingredient to demonstrating real progress and improvement in decreasing business risk.  RSA Archer can help your organization better understand and manage key indicators on one configurable, integrated software platform. With RSA Archer solutions, organizations can efficiently implement risk management processes using industry standards and best practices and significantly improve their business risk management maturity.

 

For more information, visit RSA.com or read the Datasheet.

 

 

 

What is Operational Risk?

The Risk Management Association defines operational risk as “the risk of loss resulting from inadequate or failed internal processes, people, and systems, or from external events.” Examples of operational risk include natural and man-made disasters, cyber-attacks, error, fraud, and non-compliance.

 

Why is Loss Event Management so important?

Loss events negatively impact an organization’s income statement.  Under certain circumstances they can be large enough to wipe out current period profitability, erode an organization’s capital cushion, or even force it into bankruptcy.  Consequently, it is critically important for organizations to understand the kinds of losses it could incur, the near-miss losses it avoided, and the losses it actually incurred.  This means understanding how and why a loss arose, what policies were not followed, what controls failed, where the loss is or should be recovered under insurance, and what should be done to reduce the likelihood and impact of similar losses occurring in the future.

 

Understanding and managing loss events is essential to an effective operational risk management program. Many organizations today have impaired visibility into the frequency, amount, type and source of loss events. This is frequently due to lack of complete or comprehensive lists of loss events, lack of accountability for management of loss events, and inadequate root cause analysis. These organizations are not fully aware of their actual losses, nor are they aware of near misses or losses being incurred by others in their industry that may warn of the organization’s own future losses. Lack of accountability promotes a less effective risk management culture, and these organizations typically suffer from a higher frequency and amount of loss events due to poor loss event analysis and remediation.

 

RSA Archer Loss Event Management

RSA Archer® Loss Event Management allows organizations to capture and inventory actual loss events and near misses, as well as relevant external industry-related loss events. Loss event root cause analysis can be performed to understand why the loss occurred and to take appropriate actions to reduce the likelihood and impact of similar losses occurring in the future. Loss events can be evaluated as part of top-down risk assessments and risk self-assessments, if those are utilized, and loss events can be exported to perform Monte Carlo simulations of operational risk using external Monte Carlo engines, such as Palisade @Risk.  Recoverable losses can be monitored and managed until they are reimbursed through insurance or restitution agreements.

 

Key features include:

  • Consolidated loss event catalog including actual losses, near misses, and calibrated external loss events
  • Assignment of loss events by business unit and named individuals
  • Root cause analysis
  • Review and approval of loss events by key stakeholders within their levels of authority
  • Visibility into aggregate losses by type, source, and area of ownership
  • Ability to drill into specific loss events for greater detail
  • Consolidated list of remediation plans to reduce likelihood and impact of similar future loss events
  • Correlation of loss events to applicable risk, policy, and control procedures, as well as correlation to insurance policies.

 

RSA Archer Loss Event Management provides:

  • Consolidated view of loss events by frequency amount, type, source, and owner
  • Clear understanding of the cause of loss events and the actions being taken to remediate problems that led to the loss event, including whether remediation plans are being executed on time, as planned
  • Greater engagement of business unit managers in the management of losses
  • Evidence of the design and effectiveness of an organization’s loss event program within a broader operational risk management program.

 

Today, organizations are faced with complex and fast moving operational risk challenges.  RSA Archer Loss Event Management is one element of an effective Integrated Risk Management program.  Stressing the agility and flexibility needed by today’s modern organizations, integrated risk management brings together the various domains of risk across business activities (horizontally), connecting the activities to the strategies and objectives of the organization on an aggregated basis (vertically). This approach to risk management provides leaders with the most holistic understanding of risk facing their organization so they can make truly informed decisions about where to deploy limited capital and human resources to produce optimized returns for the organization while maximizing the likelihood of achieving the organization’s objectives.

 

As your organization drives business growth, your risk management program must evolve and manage risk more holistically, with more agility and integration than before. Effectively managing loss events is one ingredient to demonstrating real progress and improvement in decreasing business risk.  RSA Archer can help your organization better understand and manage loss events on one configurable, integrated software platform. With RSA Archer solutions, organizations can efficiently implement risk management processes using industry standards and best practices and significantly improve their business risk management maturity.

 

For more information, visit RSA.com or read the Datasheet.

 

What is Operational Risk?

The Risk Management Association defines operational risk as “the risk of loss resulting from inadequate or failed internal processes, people, and systems, or from external events.” Examples of operational risk include natural and man-made disasters, cyber-attacks, errors, fraud, and regulatory or contractual non-compliance.

 

Why is Top-Down Risk Assessment so important?

Organizations today face a wide range of risks originating in different areas of their business, related to strategy, credit, corporate and regulatory compliance, interest rates, liquidity, market prices, operations (errors, fraud, and external events), and reputation, among others. While risks are spread out across an organization and often interrelate, it is difficult to get a holistic view of risk necessary to manage it efficiently and effectively.

 

The problem is further compounded with the introduction of new products and services, mergers and acquisitions, business process changes, and new and intensifying sources of fraud. In many organizations, risks are documented haphazardly in spreadsheets and documents without consistent use of a common approach, methodology, or rating scale. In addition, accountability for risk is tenuous because risks are not assigned to named managers and business units. This undermines accountability and increases the likelihood that a significant risk event will occur.

 

In addition, non-standardized risk management terminology, inconsistent risk assessment methodology and inconsistent risk rating scales mean there is no comprehensive visibility to or accountability in addressing known risks. With everyone speaking differently about risk, incomplete risk registers and inconsistent risk assessments can lead to bad risk management decisions, illogical resource allocation, potential violations of regulatory mandates and an overall poor risk management program.

 

Consistently documenting risks and controls and performing reliable risk assessments is essential to establishing an effective risk management program.

 

RSA Archer Top-Down Risk Assessment

RSA Archer Top-Down Risk Assessment enables practitioners to document risks and controls throughout the organization. Risks can be assessed on an inherent and residual basis, both qualitatively and across multiple risk categories using monetary values. Controls can be linked to the risks they treat for consideration as a part of a residual risk assessment. Risks and controls can be assigned to named individuals and organizational structure to establish appropriate accountability and to provide relevant reporting.

 

Key features include:

  • Catalog a consolidated view of risks and internal controls within the organization
  • Map risks to business processes, controls, higher-level risk statements and scenarios
  • Establish a library of agreed-upon scenarios and perform assessments on selected scenarios
  • Perform qualitative and monetary assessments of inherent and residual risk
  • Monitor risks against established tolerances and risk appetite
  • Enforce consistent terminology, risk assessment methodology and rating scales
  • Organized, managed process to escalate issues to ensure proper signoff/ approval of issues
  • Operationalize accountability for risks, controls, business processes, scenarios, risk assessments and outstanding issues
  • Establish delegated authorities for approving risk and enforce those authorities by automatically routing risk decisions to the authorized individuals
  • Visibility into risk and control inventory and assessment progress via predefined reports and risk dashboards

 

Today, organizations are faced with complex and fast moving risk challenges.  RSA Archer Top-Down Risk Assessment is one element of an effective Integrated Risk Management program.  Stressing the agility and flexibility needed by today’s modern organizations, integrated risk management brings together the various domains of risk across business activities (horizontally), connecting the activities to the strategies and objectives of the organization on an aggregated basis (vertically). This approach to risk management provides leaders with the most holistic understanding of risk facing their organization so they can make truly informed decisions about where to deploy limited capital and human resources to produce optimized returns for the organization while maximizing the likelihood of achieving the organization’s objectives.

 

As your organization drives business growth, your risk management program must evolve and manage risk more holistically, with more agility and integration than before. Effectively performing Top-Down risk assessments is one ingredient to demonstrating real progress and improvement in decreasing business risk.  RSA Archer can help your organization better understand and manage risk assessments on one configurable, integrated software platform. With RSA Archer solutions, organizations can efficiently implement risk management processes using industry standards and best practices and significantly improve their business risk management maturity.

 

For more information, visit RSA.com or read the Datasheet.

Today, we’re pleased to announce availability of RSA Exchange Release R7, which introduces 10 new and two updated offerings, as well as new and updated content. We're thrilled that our RSA Exchange Technology Partners continue to develop and deliver innovation for RSA Archer customers via the RSA Exchange, and look forward to much more in future releases.

 

  • App-Packs – pre-built applications addressing adjacent or supporting Integrated Risk Management processes (e.g. niche, industry, geo-specific)
    • Aujas Duplicate Findings Prevention avoids duplicate open findings for periodic assessments, reducing stakeholder overhead in managing duplicate findings
    • RSA Archer Due Diligence Management provides consistent due diligence scoping process, checklist, and recommendations that address multiple due diligence business processes such as mergers and acquisitions
    • RSA Archer FFIEC-Aligned Cybersecurity Framework offers the ability to apply the best practice principles from FFIEC to prioritize and scope business objectives and priorities, create risk profiles, risk assess the environment, analyze the results to identify gaps, and implement an action plan
    • RSA Archer Speak Up, introduced in November 2018, has been updated to enable anonymous whistleblower submissions.

 

 

 

 

For additional documentation, downloads, and alisting of all RSA Exchange offerings, check out theRSA Exchange for RSA Archer on RSA Link. Stay tuned for more new RSA Exchange offerings next quarter!

Filter Blog

By date: By tag: