
RSA Archer GRC


If you haven't yet registered for RSA Charge 2016, you have just over a week to save $200 off the onsite fee; the discount registration fee of $695 ends on September 23. This year's event takes place Oct. 25-27 at the Ernest N. Morial Convention Center, New Orleans.


This must-attend event will be the largest gathering of Archer customers, partners, and risk and compliance experts from around the world, providing GRC professionals – from experts to novices – with the premier venue to share knowledge, gain hands-on experience, and learn best practices from other GRC professionals and subject matter experts.


Like last year, your RSA Charge 2016 registration pass will give you full access, without additional fees, to ‘all’ RSA Charge sessions, under one roof, including RSA Archer GRC Summit presentations, Security Operations, Identity, and Fraud.


The conference registration package also includes access to keynotes, the Archer super session, breakouts, birds-of-a-feather sessions, hands-on labs, and the Innovation Zone. And, if you need more reasons, registration also includes your access to evening events, as well as a continental breakfast and lunch on Wednesday and Thursday.


Don’t miss out on these savings; REGISTER TODAY and visit the RSA Charge 2016 microsite for more information.

If you haven't heard, RSA Charge is just around the corner!


This year, New Orleans will play host to our customers, partners and the RSA team. If you can spare a few hours between trips to the French Quarter, Café Du Monde for a beignet (or 12), and Fritzel's for traditional jazz, the RSA team wants to hear from you.


RSA Charge provides a unique opportunity for you to engage face to face with the RSA Archer team in focused working groups. The working groups provide an opportunity for you to influence the product roadmap; learn about the future of our solutions, use-cases and features; and to interact with your peers.


To learn more about the Archer Working Groups at RSA Charge, please view Antoine Damelincourt's recent blog, Join the Archer Product Management team @RSA Charge!


Still need to register for RSA Charge? Take advantage of the discounted rate before time runs out!


See you in a few weeks!



You know that RSA Charge 2016 will be the largest gathering of Archer customers, partners, and risk and compliance experts from around the world, providing GRC professionals – from experts to novices – with the premier venue to share knowledge, gain hands-on experience, and learn best practices from other GRC professionals and subject matter experts.


Now, RSA University (formerly known as Education Services) is making RSA Charge 2016 even better, with their announcement of pre-Charge courses being offered at 20% OFF normal pricing. Seats fill up fast and are limited to 10 students maximum per class. Don't miss this opportunity - REGISTER today using the links below. 


RSA Archer Pre-Summit Admin Boot Camp (2-day class)

This 2-day course provides an overview of the concepts, processes, and procedures necessary to successfully design and administer the RSA Archer Platform. Students will gain knowledge of the key RSA Archer 6.x platform components such as applications, security management, and communication tools through presentations and hands-on practice. This course is a compact version of the standard four-day RSA Archer Administration I course. Many of the same core components will be included.

Target audience includes new Archer administrators who are responsible for building in and managing the RSA Archer 6.x Platform.


October 24-25, 2016  ($1600 per person, 10 students maximum)



RSA Archer GRC 6 Advanced Workflow & Navigation  (1 day class, offered twice) 

This 1-day workshop for experienced 5.x admins provides an overview of the RSA Archer GRC 6 interface and hands-on practice using the Advanced Workflow feature.  Target audience is existing RSA Archer administrators who are well-versed in RSA Archer versions 5.5 and earlier. 

Prerequisite Knowledge/Skills:  Students must be comfortable with the administrative features of the RSA Archer GRC Platform, including but not limited to: Data-Driven Events, calculated fields, and On-Demand Notification Templates. Experience building out business workflow using these features is essential.


October 24, 2016 ($800 per person, 10 students max on this day)

October 25, 2016 ($800 per person, 10 different students max on this day)



RSA Archer GRC 6 Platform Fundamentals for Business Users  (1 day class, offered twice)

This one-day workshop includes a thorough overview of RSA Archer Platform features, including but not limited to: Application and questionnaire creation and management, essential access control concepts, email notification options, reporting and dashboard options, integration possibilities, and more.

Target audience includes RSA Archer business users with a need to understand what is possible with the platform. Ideal audience includes those who may need to create business requirements but will not actually administer the platform.


October 24, 2016 ($800 per person, 10 students max on this day)

October 25, 2016 ($800 per person, 10 different students max on this day)



Also being offered:

RSA Hunting Workshop for Analysts – Security Analytics/ECAT  (2-day class)

This 2-day workshop presents the opportunity to spend class time working in a hands-on virtual environment, with minimal lecture and materials. Students will be provided with complex use cases to work through, involving a network-based attack resulting in end-point malware infection.

Target audience includes Security Analysts interested in using RSA NetWitness Logs and Packets and RSA NetWitness Endpoint to locate anomalies on the network and endpoint devices, to diagnose and track malware infections, and to reconstruct a cyber-attack in a realistic virtual enterprise setting.

October 24-25, 2016  ($1600 per person, 10 students maximum)


The Agenda for the October 13 RSA EMEA Archer GRC Summit in Amsterdam has been announced. 


This is the fourth year for the RSA EMEA Archer GRC Summit and promises to be one of the best with the largest gathering of customers, partners plus risk and compliance experts from across Europe, the Middle East, and Africa.


Join us for this 'complimentary' must attend event to share in driving GRC innovation through education and collaboration with the industry's best minds at the RSA EMEA Archer GRC Summit.

Location: The Grand Sofitel, Oudezijds Voorburgwal 197, 1012 EX Amsterdam Netherlands.





Sir Francis Bacon is attributed with the quote, “Knowledge is Power”.  There have been many variations on this phrase but I want to add one more twist.


I presented at a conference this week where the session was dedicated to discussing the risks and remedies of ransomware, which are the practices and technologies used by bad guys to gain access to systems and hold information hostage until a ransom is paid.  Sometimes the information they get ahold of is not so important, but other times they hit the jackpot and gain access to the “crown jewels” of a company – customer information, trade secrets or pending business strategies and plans. Company and institutional knowledge/information your company has worked hard to accumulate, formulate, organize and use is the lifeblood of your business.   In some organizations, this information is the most vital asset they possess.


The venue for my presentation was the Washington D.C. Spy Museum.  As I toured the museum afterward, I learned a few things about the history of “spying”.  I learned that people who spy do it for many reasons, but the single most important goal is the attainment of – you guessed it, information.  Information gives them power.  Back to the “knowledge is power” concept – when the bad guys have access to your information, they don’t necessarily have knowledge but they have power.  However, safe and secure in your hands, this information equates to knowledge, and how this knowledge translates into power is in your ability to use it to compete and win in the marketplace.  


My speaking topic at the conference was business resiliency.  A key underlying tenet is having an understanding of what is most important to your organization - and this starts at the top.  For example, (the most critical) products/services provided to customers; the business processes that produce them; supporting IT systems; and the information assets produced or used in that product/service.   Determining what is critical starts at the highest levels and can be determined through business impact analyses (BIA).


Let me share an example and a caution. Not all information is created equal (or equally important). For example, Coca Cola’s recipe for Coke is, safe to say, very critical to them, whereas a lower tier vendor’s contract details probably aren’t as critical. Now, these examples are obvious and most companies intuitively know what their most important information assets are, and maybe have an inkling of what is on the lower end of the scale. But, what about what is in between? Herein lies the rub - of the hundreds of information assets organizations produce and use, do they know which of those are critical? Which of these information assets are undervalued and therefore under-protected? Which require special compliance considerations? This all presents exposure and risk.


There are many implications on information assets across the spectrum of governance, risk and compliance (GRC) activities.  For example, which risks or threats could impact your information; what compliance requirements such as privacy considerations require that you take certain protective steps and implement controls, and could result in penalties if not done; or which vendors have access to your (critical) information and what are they doing with it, and are they protecting it.  Given the far-reaching implications to your organization across many use cases, these GRC activities related to information assets should be coordinated at some level. This blog highlights just a few examples of the exposures our organizations face due to not properly evaluating criticality of and exposures to our information assets. 


I took this picture at the Spy Museum of a Trojan horse exhibit, which depicts the infamous method Greek soldiers used to infiltrate the City of Troy and win the Trojan War.  In today’s world, the goal is access to information.  Now, a Trojan malicious computer program is used to gain unauthorized access to a computer and access personal or proprietary information.  Information assets are the lifeblood of our organizations and we must remember that their proper use, management and protection enables our power to compete and thrive.



Planning to join us for RSA Charge, but missed the early bird discount period? Well, you’re in luck! Register online with code 8C6THRWBCKAUG, between August 25 – 31, to take advantage of a special discount promotion.


The conference registration package includes access to keynotes, Archer super sessions, breakouts, birds-of-a-feather sessions, hands-on labs, and the Innovation Zone. It also includes your access to evening events, as well as a continental breakfast and lunch on Wednesday and Thursday.


Remember, you only have until Aug. 31 to take advantage of the 'Throwback Thursday' rate of $595.  Don't delay ...


We hope we see you in New Orleans Oct. 25-27, 2016! 

I was travelling to a user meeting last week and going through Logan airport in Boston, I saw very long lines at some Delta counters. This was on Wednesday, 3 full days after the IT system outage that grounded almost 500 flights on Sunday morning and they were still feeling the damages from that outage. Earlier this year, Southwest had to cancel 2300 flights after one router in one of its data centers failed, that’s thousands of grounded passengers for one incident. That’s a lot of angry customers, a lot of bad publicity and a huge operations burden to get back to normal.


I thought this was a good reminder to never consider risk in a vacuum, especially risk for your IT assets. A recurring conversation I have with customers is the separation of IT Risk, Security and Vulnerabilities Management from Enterprise GRC. You can argue that the processes are different, the technologies are different and the people using them are different, and you’d be right. An Operational Risk Manager and an IT Security Analyst do not do the same job, but, they pursue the same goal.


IT resources in an organization are there to support a business process and deliver a business outcome. A risk to an IT asset, say a router from an airline data center, is a risk that could derail the entire operations of the whole company for a whole day. I’d say that qualifies as a major risk. And yet, the only way you can assess the router’s risk correctly is by going beyond the IT resource itself and assessing the business process it supports, the criticality of the asset to the process and the criticality of the process to the operations. The router in itself is not critical; it’s a fairly simple IT asset, easy to replace, containing decent monitoring. It’s only critical because its failure would ground thousands of planes.


When considering recovery plans and controls you need to have plans and controls for the asset AND the affected processes. Otherwise it would be like slipping on a patch of ice and breaking your leg, then only working on removing the ice. You should probably get your leg fixed at some point. Context matters and downstream dependencies matter. How can you have a board level discussion when considering only the IT side? It won’t mean anything to the board that routers have a medium-high risk of failing. On the other hand, if you tell them that a router failure could result in 2300 grounded planes, it might be easier to get their attention.

Hello everybody! The bad news is there's more summer behind us than ahead of us. I hope yours has been as enjoyable as mine has been. And here in the Midwest at least it's pretty hot still. So plenty of warm weather left before it turns cold. The good news is we're less than 80 days away from RSA Charge 2016! The other good news is we have another major content resource available for your library, PCI DSS v3.2!


Just like the previous v3.1 content, we've worked very hard to ensure this latest version is as robust and tight-knit as possible. Alone it's a fully functional content set to drive PCI compliance activities. Add our specialized PCI solution functionality to the mix and together the two provide a powerful resource to efficiently manage PCI compliance programs of any size. A separate update will follow for the PCI solution itself, so stay tuned for that.


As far as the content goes, this latest version includes additions to the following core libraries:

  • Authoritative Sources
  • Control Procedures
  • Question Library


Everything is cross-mapped and the Authoritative Source also has 700+ mappings to Archer Control Standards.


The content updates themselves can be obtained from Customer Support. As always, we're here to answer any questions you have. And please don't forget to register for RSA Charge 2016! You don't want to miss out!




Experienced outdoors people, whether they are campers, hikers, bicyclists or otherwise, know that the first rule of thumb is that you always need to know where you are so you can determine where you are headed. It is no different with business resiliency (BR) teams. You need a good sense of where you are headed and this starts with what is most important in your organization to protect or recover if it is disrupted.


The best way to determine what is most important is by performing a business impact analysis (BIA).  The BIA is an analytical method to determine what business processes are most critical to achieving your organization’s key objectives.  This includes knowing which business processes produce key products or services, or what strategic objectives they support.  The BIA also helps identify other related information like what dependencies exist between the business process and supporting IT applications and infrastructure, information assets, facilities, suppliers or key human resources.  This information is important because that entire value chain must be planned for and preserved, especially if they are in support of core products or critical strategies.


RSA just launched an updated version of the Archer BIA use case as part of our June 2016 6.1 release.  This BIA builds on our existing model and offers:


  • An easy to follow questionnaire format
  • Three new categories for strategic, information integrity and information confidentiality impacts
  • Features from the new Archer 6.0 platform, like advanced workflow and enhanced reporting


The BIA is ready to use out-of-the-box for each of the participants in the BIA process – business process owners, the BR team and executive reviewers.  The interface is easy to follow.  The built-in workflow follows best practices and regulatory guidance.  Reporting is thorough yet concise so BR teams can see where BIAs need to be performed and easily follow up. 


Like those outdoorsy folks I talked about earlier whose first order of business is to know where they are at all times, the Archer BIA will help BR teams, business process owners and executives know at all times what the most important parts of their organizations are and to plan for and protect them.  With limited resources and expensive recovery strategies, this BIA is a must-have to really hone in on what needs to be protected now.  Click here for more information on the BIA Archer BIA 6.1.  You can also reach me at with questions or feedback.

RSA has introduced two recent, major product updates to enable offering Archer governance, risk and compliance (GRC) solutions by use cases. We understand that organizations and their GRC disciplines can be in very different places along the maturity spectrum. For example, a compliance function might be much more defined and mature than the risk function. Our November 2015, 6.0 update was designed to inspire everyone within an organization to own risk, while our June 2015, 6.1 was developed to encourage the three lines of defense (3LoD) to engage in the risk management process, and inspire every organization to own risk.




These objectives may sound synonymous, but every organization’s road to GRC maturity is different, and as the graphic above depicts, each GRC function could be at a different point along the journey.  Through our new use case approach, we encourage organizations to start small, but gain quick wins within the context of a long-term strategy. As an example, our Audit Management solution has been organized into three use case offerings that customers can deploy separately, or use them to build upon one another.  They are:


Issues Management - to manage issues, gaps and findings with related remediation plans.  Benefits include:

  • A consolidated view into all known issues
  • An organized, managed process to escalate issues
  • Visibility into known risks and efforts to close/address risks
  • Workflow to ensure proper sign-off/approval for issues


Audit Engagements & Work papers - to manage all audit projects and related work papers.  Benefits include:

  • An audit universe of audit entities
  • Workflow for consistent audits and procedures
  • Self-serve for external auditors for the information they need


Audit Planning & Quality - to manage audit risk assessments, the audit plan and quality assurance activities.  Benefits include:

  • Workflow and change management for audit planning
  • Audit plans aligned with the organization’s priorities
  • Appropriate personnel are staffed on audits
  • Board-relevant reporting
  • Quality management processes for engagements and audits
  • Risk based audit approach


Although Internal Audit (IA) is an established discipline, maturity varies widely depending on many factors, such as adherence to standards, tenure of resources, industry requirements and regulatory scrutiny.  IA departments can use Archer Audit use cases regardless of their maturity because we have offerings that not only provide value (those quick wins) at each level, but also help them move further along the maturity spectrum, not just as a standalone IA function, but in working together with their GRC counterparts.


For more information on these use cases and our approach, go to: Audit Management. As always, you can reach me at with any questions or comments.

For the third year in a row, RSA Archer has been named a Leader in Gartner’s Magic Quadrant (MQ) for Business Continuity Management Planning Software (BCMP)!





Gartner states in their report that the business continuity management (BCM) market is changing because “continuity of operations is being seen by organizations as a growing risk that needs to be managed and mitigated.”  Gartner also mentioned they are now seeing organizations focus more on operational resilience versus only “respond and recover” activities. Although the latter is a critical component of a business resiliency (BR) program, teams must focus on how they fit into the organization’s larger operational risk program and approach. Gartner states BCM is in a unique position to address resiliency as part of an operational risk management (ORM) program because of its strategic focus and board-level attention. BCM is also “well-positioned to address not just availability risk, but also the broader set of operational risks” 2


In addition to being named a Leader in this MQ, during 2016, RSA Archer has also been named a Leader in Gartner Magic Quadrants for Operational Risk Management, IT Vendor Risk Management, and IT Risk Management. Integrating BCM with other risk management activities is critical to building operational resiliency. This integration must happen organizationally and practically. There is some movement in this area, as evidenced by the results of Gartner’s 2015 survey of the Association of Contingency Planners membership, entitled “What Keeps Them Up at Night.” The results from this survey show that enterprise risk management (ERM) functions are more often becoming the “home” for BCM programs. 3


Organizational alignment is a good thing. However, more mature BCM programs also have more mature risk management capabilities, which are aligned with their ORM functions and facilitated by integrated software. There is still room to improve as shown in Gartner’s 2015 BCM Hype Cycle, where Gartner mentions that 48% of surveyed organizations use BCMP software. There is also room to grow overall, as Gartner’s ITScore for Business Continuity Management maturity self-assessment tool shows the average maturity of BCM programs is 2.45 on a scale of 1 to 5. 4


BCM is a mature industry that finds itself changing and in need of reinvention.  However, all indications are that BCM will rise to the challenge and continue to contribute, now as part of an organization’s larger ORM and ERM program. RSA Archer’s inclusion as a Leader in the last three consecutive BCMP MQs, as well as our placement as Leaders in all three Gartner MQs for risk management for the second consecutive year, shows that we are uniquely positioned to help organizations rise to the challenge.




Figure 1 Magic Quadrant for Business Continuity Management Software, Worldwide. This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from EMC RSA. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

2 Magic Quadrant for Business Continuity Management Planning Software, Worldwide.  Published: 11 July 2016.  Analyst(s): Roberta J. Witty, John P. Morency

3 Members of the Association of Contingency Planners Report on 'What Keeps Them Up at Night'. Published 29 October 2015.  Analyst: Roberta J. Witty

4 ITScore for Business Continuity Management.  Published 31 August 2015.  Analyst(s): Roberta J. Witty, John P. Morency


We have all had that moment walking out of the shopping mall or the airport.  Everyone knows the feeling when that rush of doubt takes hold of our brains.  We stand frozen and frantically wait for our cerebral cortex to do its thing and pluck that single memory out of our vast network of synapses… “Where did I park my car?”   I am pretty sure this momentary lapse of memory has something to do with the radiation levels of the lights in Exit signs.  The frequency that I experience such occurrences couldn’t be the result of distractions from the avalanche of my daily thoughts and surely has nothing to do with my age.

For those of you who have been seeing the communications about RSA Charge, I hope you have not suffered this same tinge of hesitation. Of course, I am referring to any questions as to the whereabouts of the legendary RSA Archer Summit, the premier GRC event of the year. The Archer Summit is alive and waiting for you – parked in a well-lit, spacious place, protected and ready to go – at RSA Charge.

Last year, the Archer Summit was referred to by name and co-located with RSA Charge as the user event for all RSA products. This year, we have completed the transition and now refer to the entire event as RSA Charge. RSA Charge harnesses the innovative power of thought-leaders, industry experts and the RSA community, providing you with insightful educational sessions, hands-on training, and valuable expert & peer networking opportunities.

In the tradition of the Archer Summit, we will have many customer led sessions highlighting the most innovative and forward thinking GRC programs.   You will learn how to inspire your organization to own risk.  We will discuss approaches, strategies and recommendations for building organizational capabilities that bring maturity to your overall risk and compliance program.   Case studies ranging from how companies are approaching critical IT Security and IT Risk challenges to how Archer is used to transform compliance programs will give insight that can immediately be applied when you return to your desk after the conference.   Technical presentations, labs and training will dig into the details for beginners and advanced administrators.

This year will be the 13th gathering of Archer customers.  Every year the assembly has gotten bigger and better.  With RSA Charge 2016, you will feel like you walked out to the parking lot and your 2003 Toyota Camry has transformed into a 2016 Tesla Model S.

RSA CHARGE 2016 will take place in New Orleans, LA, from October 25 – 27!  I hope you will mark the date on your calendars and join me in beautiful New Orleans, to experience in-depth sessions, insightful conversations, interactive product experiences, and much more.

For more information or to register, go to


As I mentioned in my last blog, one of the important benefits of our recent release of RSA Archer 6.1 is an alignment of organization maturity with the technology to support it. Building a mature Information Assurance (IA) program in the public sector takes time and commitment.  It requires and is marked by a balance of the right technologies, processes, and people. 
At RSA, we have developed a maturity model that we use as a communication tool with our prospects and clients to recommend changes and correlate them to stages of the maturity journey.


I very recently did a webcast that walks through this mapping of Public Sector use cases to steps in the maturity model in detail. I would encourage you to view that recording here if you’re interested in more information.

With the release of RSA Archer 6.1 we are making individual Public Sector use cases available that align to this maturity journey.  With RSA Archer 6.1, we have aligned our solution use cases with the maturity journey.  In this way, customers are acquiring just the right amount of technology to enable their IA program as they need it.  They are not biting off more than they can chew or over purchasing functionality they may never use. The Public Sector use cases are as follows:
• Plan of Actions and Milestones (POA&M)
• Assessment and Authorization (A&A)
• Continuous Monitoring (CM)

We realize that FISMA and OMB compliance and risk management are not challenges that can be solved simply with technology. They are mission imperatives that must be addressed through a shift in focus, priority and culture within your organization, making risk management part of how everyone in your organization thinks and acts. By engaging everyone, you can eliminate operational inefficiency and achieve your most strategic growth objectives. That’s why our collective mission at RSA Archer is to “Inspire Everyone to Own Risk.”
To see how these use cases can enable the stakeholders in your organization to own risk, remember to watch the webcast or you can visit the Public Sector page for general information.  

Thanks for reading.
Email me with comments or questions.
Chris Hoover




We are pleased to announce the return of 'Community Selects.' Beginning Tuesday, July 5 and running through Tuesday, July 19, you and your GRC peers will be able to 'voice your choice' from the Archer Track submissions described here. The session with the most votes in each Track will automatically be a Community Selects presentation and be included in the RSA Charge 2016 Agenda.


The sessions for the 'Community Selects' are only a small subset of the speaking proposals we received; all the other submitted proposals are still under consideration by the Program Committee; notifications will be emailed soon to those garnering a spot on this year's presentation Agenda.


So let your voice be heard - this is your chance to 'vote your choice' and have a say in this year's RSA Charge 2016 Agenda for Archer. To vote, simply click on the Proposal Abstracts listed on this link and cast your vote. Remember, one vote per abstract!

In my last blog I discussed the benefits of the new RSA Archer 6.1 release, aligning an organization’s Operational Risk Management program maturity with the RSA Archer technology to support it.  This holds true for third party governance too.


Financial Services organizations are heavily regulated to have a comprehensive third party governance program in place (See OCC Bulletin 2013-29 for example).  Outside of the financial services industry, the regulatory obligations are less pervasive but many business drivers for third party governance are still present:


• 42% of companies now describe themselves as highly vulnerable to vendor, supplier, or procurement fraud – (source: Kroll Global Fraud Survey)

• 85% of companies reported suffering at least one supply chain disruption – (source: Zurich Financial Survey)

• 90% of all Foreign Corrupt Practices Act (FCPA) cases involved third-party intermediaries – (source: Corporate Executive Board)

• 76% of data breaches analyzed by Trustwave resulted from a third-party which introduced the security deficiencies that were ultimately exploited – (source: Trustwave Global Security Report)


Some organizations may be concerned about supply chain interruption and quality while others may worry about third party corruption or information security. These organizations are not prepared, do not have the resources, or do not even desire to have a third party governance program that addresses all potential third party problems at one time. They have immediate, pressing concerns with their third parties that they want to address first, and then they want to grow their governance program over time. These organizations’ third party governance programs are maturing consistent with their own priorities.


This is where RSA Archer 6.1 comes in. With the release of RSA Archer 6.1 we are making individual Third Party Governance use cases available that align to an organization’s maturity journey. No longer do organizations have to purchase an entire product suite to address the problem. They only need to spend resources on the technology that is relevant to their program. This also removes much of the complexity inherent in implementing broad product suites. Organizations on the other end of the maturity spectrum can put together all of the RSA Archer 6.1 use cases into a broad third party governance program and even interconnect it with their Enterprise and Operational Risk Management programs.


RSA Archer 6.1 enables organizations to better take command of their journey, empowering organizations to incrementally build their Third Party Governance program as it matures. The Third Party Governance-related activities (or use cases) we typically see implemented as organizations build their third party governance program are as follows:


Issues Management is a core foundational use case to document audit issues and issues identified by management and external parties. It captures issues that may arise or be identified in the process of third party governance or via other Archer use case implementations. From this foundation, the following use cases are often enabled. The exact sequence of the following use cases will depend on your business priorities and resources.


Business Impact Analysis is a foundational package for the Third Party Governance program and includes the Business Hierarchy to establish corporate structure and accountability for third party relationships; a business process catalog and a pre-built Business Impact Analysis to identify critical Business processes that are supported by third party relationships.


Third Party Catalog is used to document all of an organization’s third party relationships and associated contracts, and to document the named individuals in the organization that are responsible for the relationship.  With the Third Party Catalog you have a system of record for all of your third parties and their related business subsidiaries.


Third Party Engagement allows you to catalog all of the products and services being delivered by the third parties in your Third Party Catalog. You have the capability to perform inherent risk assessments across multiple risk categories, and by associating the engagements with the Business Impact Analysis you have visibility into the critical third party products and services on which you rely. The interconnection between the Third Party Catalog and Third Party Engagement allows you to obtain an overall aggregate risk profile of a third party across all of the products and services they deliver to your organization.


Third Party Risk Management provides a series of risk assessment questionnaires covering several risk categories (Compliance/Litigation, Financial, Information Security, Reputation, Resiliency, Strategic, Sustainability, and 4th party risk) that can be launched manually to a third party or launched based on the level of inherent risk of each assessed risk category.  Completed questionnaires are scored to derive residual risk of each risk category and supplemental documentation is captured and cataloged for evaluation.  Risk results are depicted for each engagement and are rolled-up across all engagements to depict risk of the third party across all of the engagements they are delivering.  Findings from the vendor engagement can be automatically captured and managed as exceptions or remediation plans can be established and monitored to resolution.


Third Party Governance brings together all of the use cases, adding a performance monitoring capability so that you can track the service level agreement (SLA) metrics you use to evaluate third party performance. Scorecards can be staged to third parties to collect commitments to remediate performance.


[Figure: Third Party Use Cases vs Maturity]

We realize that risk management is not a challenge that can be solved simply with technology. It is a business imperative that must be addressed through a shift in focus, priority and culture within your organization, making risk management part of how everyone in your organization thinks and acts. By engaging all of the affected stakeholders in the third party governance process, you can eliminate administrative inefficiency, improve your understanding of third party risk and performance, and manage third party relationships consistent with your risk appetite and strategic growth objectives.


That’s why our collective mission at RSA Archer is to “Inspire Everyone to Own Risk.” That is our passion. That is our commitment.