One of the things I love most about the RSA Archer community is that members share their tips not just for overcoming technical challenges, but also for winning support across the organization. My current favorite example of this comes from Bank of the West, which received a GRC Innovation Award at the RSA Archer Roadshow on 6th December in San Francisco.


When Andrea Dollen joined Bank of the West as business systems administrator, RSA Archer was being used for just one application, a highly customized version of Policy Exceptions. Her goal was to use RSA Archer and on-demand applications to transform more processes, and to build confidence in RSA Archer across the organization. “More users on the Archer platform means more information in it, which means a more accurate and thorough GRC program at Bank of the West.  I needed to ‘wow’ the crowd with new Archer functionality,” she said.


She built and deployed several on-demand applications and customized core applications to provide efficiencies where end user tools were desperately needed, and where executive management wanted visibility (via Dashboards). These covered:

  • Security Case Tracking
  • Legal & Compliance Projects
  • Business Continuity Plan Review with Annual Approvals
  • Disaster Recovery Exercise Action Items
  • Security Strategy Programs & Tasks
  • Archer Support Requests
  • Finding & Task Tracking for Information Security, Information Technology, and Third Party Services (Vendor)
  • Incident Management for Information Security


This innovation in the first few months won over many users, and word started to spread in the organization about RSA Archer. Today she receives a steady stream of requests for new functionality every day. “Executive management now has visibility into data in ways they never did before,” she said. “This allows them to better plan, make more informed decisions, and balance workloads. Front-line employees are no longer spending hours massaging data and creating reports for management consumption, as they have all been put into real-time dashboards. The successful implementation of Archer resulted in hundreds of man hours being saved each month that is now better spent on tasks that were getting overlooked. The Bank of the West team is now more efficient, more confident, and more organized, which also results in happier employees!”


Congratulations to Bank of the West on winning this award! We look forward to seeing the impact RSA Archer will have as the bank continues to innovate its GRC program.


I am frequently asked if you can “aggregate” multiple risks together so that you can identify which strategic objective, product, business process, operating unit, or other framework element has the greatest risk.  The quick and dirty answer is no, you can’t aggregate multiple risks together into one overall risk score unless the risks are related.  And in most, but not all cases, risks rolling up through an organization are not going to be related.


As an example, let’s say we run a subscription on-line publishing website.  Our revenue stream is dependent on our providing quality content to our customers on a timely basis and in a format that is appealing and user friendly.  Examples of risk we face in achieving our objective include:


  • Business interruption due to a natural or man-made disaster
  • Litigation from publishing content that violates a third party’s copyright or slanders a prominent person
  • The employee handling customer subscription payments commits fraud and diverts payments for their own personal use
  • Our most popular columnists jump ship to competitors due to sweetheart offers that we can’t match and we are unable to find comparable writers in the market to replace them
  • The internet service provider on which we host our website goes out of business due to financial problems
  • Customer demand for our product shifts because of a general economic downturn and subscription volume materially declines


None of these risks are related. A business interruption from a hurricane will not result in a copyright violation nor will an employee stealing customer subscription payments affect columnists being bid away from us by competitors.  So, to “add up” all of these risks would be misleading as there is no covariance between the risks.


The next question is always: “But we have multiple objectives, products, business processes, and operating units, and each of these has multiple risks assigned to it. How can we tell which one has the greatest overall risk if we can’t aggregate the individual risks?”


This example is a Business Unit record titled “Alberta”.


The risk scale is depicted as follows:

Visual   Narrative     Ordinal Value
Red      High          5
Orange   Medium-High   4
Yellow   Medium        3
Blue     Medium-Low    2
Green    Low           1

There are 14 risks associated with Alberta. From the Risk Scorecard portion of the record you can see that 6 of the risks have a High Inherent Risk, 6 a Medium-High Inherent Risk, 1 a Medium Inherent Risk, and 1 a Medium-Low Inherent Risk. There are 3 basic ways of depicting overall risk for the business unit: (1) Scorecard sum; (2) Average; and (3) Maximum.


The calculations are as follows:


Scorecard sum of Inherent Risk = (6*5)+(6*4)+(1*3)+(1*2)+(0*1) = 59


Average Inherent Risk = Scorecard sum of Inherent Risk/14 = 4.21 or Orange


Maximum Inherent Risk = 5 or Red, which means there is at least 1 risk associated with the Alberta business unit that has an inherent risk score of 5.


The Maximum scoring method provides the most useful information for risk management.  Because it tells you the highest values of risk that are associated with the business unit, you are able to immediately determine whether the business unit’s risk exceeds your operating tolerance.  If your organization does not accept any risk over “Medium”, you know that you must respond to every risk above that level.


The Scorecard sum and Average methods produce much less meaningful information and may in fact obfuscate critical risks that should be addressed.  If there is 1 High risk and 9 low risks associated with Alberta, then the sum is only 14 and the average is 1.4!  Not very helpful from a risk practitioner’s perspective.


Finally, if the purpose behind your desire to aggregate risk is to determine which business units you should focus on the most, you should consider adding up the count of those risks that exceed your risk tolerance.  In this example, there are 6 High Inherent Risks + 6 Medium High Inherent Risks. This business unit’s risk should be addressed before business units with 11 or fewer High and Medium High risks.
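As an added worked example (not part of the original post), here are the four views of a business unit's risk register computed in Python over the qualitative scale above, using constructed registers for the 14 Alberta risks and for the post's 1 High + 9 Low counter-example; the tolerance level "Medium" is an assumption taken from the post's own illustration.

```python
from collections import Counter

# Qualitative scale from the post: narrative rating -> ordinal value, plus its colour.
SCALE = {"High": 5, "Medium-High": 4, "Medium": 3, "Medium-Low": 2, "Low": 1}
COLOUR = {5: "Red", 4: "Orange", 3: "Yellow", 2: "Blue", 1: "Green"}
NARRATIVE = {v: k for k, v in SCALE.items()}


def scorecard_sum(ratings):
    """Scorecard sum: number of risks at each level times that level's ordinal value."""
    counts = Counter(ratings)
    return sum(counts[name] * SCALE[name] for name in SCALE)


def average_rating(ratings):
    """Average ordinal value across all risks, rounded to two decimals as in the post."""
    return round(scorecard_sum(ratings) / len(ratings), 2)


def maximum_rating(ratings):
    """Highest ordinal value present; the method the post recommends."""
    return max(SCALE[r] for r in ratings)


def count_above_tolerance(ratings, tolerance="Medium"):
    """Number of risks strictly above the organization's tolerance level (assumed: Medium)."""
    return sum(1 for r in ratings if SCALE[r] > SCALE[tolerance])


def summarize(ratings):
    """All four views of one register in a single dict, with colour/narrative for the averages and maximum."""
    avg = average_rating(ratings)
    mx = maximum_rating(ratings)
    return {
        "sum": scorecard_sum(ratings),
        "average": avg,
        "average_colour": COLOUR[round(avg)],
        "maximum": mx,
        "maximum_colour": COLOUR[mx],
        "maximum_narrative": NARRATIVE[mx],
        "above_tolerance": count_above_tolerance(ratings),
    }


# Constructed sample: the 14 Alberta risks (6 High, 6 Medium-High, 1 Medium, 1 Medium-Low).
ALBERTA = ["High"] * 6 + ["Medium-High"] * 6 + ["Medium"] + ["Medium-Low"]
# Constructed sample: the post's counter-example of 1 High risk and 9 Low risks.
ONE_HIGH_NINE_LOW = ["High"] + ["Low"] * 9

if __name__ == "__main__":
    for name, register in (("Alberta", ALBERTA), ("1 High + 9 Low", ONE_HIGH_NINE_LOW)):
        print(name, summarize(register))
```

The second register shows the point the post makes: its sum (14) and average (1.4, Green) look benign while the maximum (5, Red) and the count above tolerance (1) still flag the High risk.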


Now for the caveats. The examples above utilize qualitative scales. Qualitative scales are themselves inherently flawed when it comes to conversations about aggregate risk. When using qualitative scales, it is very difficult to say what 2 High risks amount to. How high is a High risk? Or, do 2 Mediums make a High? This is a primary motivation for trying to monetize rating scales. The other caveat is that some risks ARE related to one another and do have a covariance. We will save these topics for a later day.