Steve Schlarman

The Twelve Days of GRC

Posted by Steve Schlarman Employee Dec 22, 2014

Greetings and Happy Holidays.   As this year draws to a close, we can all take a deep breath as this has been a big year in the world of GRC.  Collectively as an industry, we have seen the advent of new laws and industry regulations; we have embraced new technologies; we have weathered financial storms and organizational challenges; we have made great personal strides; and we have had our share of experiences – both good and bad – that give us the unique title of GRC professional.  Before we let next year’s challenges overwhelm us, take some time this holiday season to enjoy a cup of eggnog, watch George Bailey and Clarence in “It’s A Wonderful Life”, giggle at the Grinch with the kids or do whatever you do to enjoy this holiday season.


For those of you needing a little extra holiday inspiration, here is a little holiday jingle of our own for you to sing as you reminisce about 2014.


The Twelve Days of GRC

On the first day of 2014 my big boss gave to me: a project called G-R-C.


On the second day of 2014, my big boss gave to me: two APTs and a project called G-R-C.


On the third day of 2014, my big boss gave to me: Three new laws, Two APTs and a project called G-R-C.


On the fourth day of 2014, my big boss gave to me: Four calling auditors, Three new laws, Two APTs and a project called G-R-C.


On the fifth day of 2014, my big boss gave to me: FIVE LOSS EVENTS…Four calling auditors, Three new laws, Two APTs and a project called G-R-C.


On the sixth day of 2014, my big boss gave to me: Six vendors vending, FIVE LOSS EVENTS…Four calling auditors, Three new laws, Two APTs and a project called G-R-C.


On the seventh day of 2014, my big boss gave to me: Seven incidents still open, Six vendors vending, FIVE LOSS EVENTS…Four calling auditors, Three new laws, Two APTs and a project called G-R-C.


On the eighth day of 2014, my big boss gave to me: Eight policies approved, Seven incidents still open, Six vendors vending, FIVE LOSS EVENTS…Four calling auditors, Three new laws, Two APTs and a project called G-R-C.


On the ninth day of 2014, my big boss gave to me: Nine Continuity Plans, Eight policies approved, Seven incidents still open, Six vendors vending, FIVE LOSS EVENTS…Four calling auditors, Three new laws, Two APTs and a project called G-R-C.


On the tenth day of 2014, my big boss gave to me: Ten execs meeting, Nine Continuity Plans, Eight policies approved, Seven incidents still open, Six vendors vending, FIVE LOSS EVENTS…Four calling auditors, Three new laws, Two APTs and a project called G-R-C.


On the eleventh day of 2014, my big boss gave to me: Eleven audits to finish, Ten execs meeting, Nine Continuity Plans, Eight policies approved, Seven incidents still open, Six vendors vending, FIVE LOSS EVENTS…Four calling auditors, Three new laws, Two APTs and a project called G-R-C.


On the twelfth day of 2014, my big boss gave to me: Twelve Risks reducing, Eleven audits to finish, Ten execs meeting, Nine Continuity Plans, Eight policies approved, Seven incidents still open, Six vendors vending, FIVE LOSS EVENTS…Four calling auditors, Three new laws, Two APTs and a project called G-R-C.



Bing Crosby – Eat your heart out.  Happy Holidays!

RSA Archer GRC Roadshow Guest Speaker Opportunity



Without great customers you cannot truly become a great company.  The greatest asset RSA has is its people and its customers. The tremendous wealth of ideas, viewpoints, backgrounds, industries and technologies that our community brings together is unique to RSA and is an invaluable resource that drives our innovation process.  The RSA Archer Roadshows provide a unique opportunity for customers to come together to network, socialize and hear from their peers how they have addressed their GRC challenges with RSA Archer.


This event gives RSA Archer customers the opportunity to discuss their GRC challenges with peers, explain how they implemented a GRC program, share ideas and lessons learned, and promote their GRC program as a leader in the GRC community.


If you would like to present at one of the 2015 RSA Archer Roadshows, below are some details describing the benefits presenters receive and general session guidelines.

  • Presenters will have a 30-45 minute speaking session
  • Opportunity to promote the success of their GRC programs
  • Establish themselves and their organization as a GRC leader
  • Help promote the expansion of GRC across their industry and region
  • Showcase unique GRC Use Cases and how RSA Archer was able to help meet those challenges
  • Provide lessons learned, best practices and guidance on how to establish and grow a GRC program


Suggested Topic Areas for Sessions

  • Operational Risk Management
  • IT Security Risk Management
  • Regulatory & Corporate Compliance Management
  • Audit Management
  • Third Party (Vendor) Risk Management
  • Business Continuity Management


If you are interested in presenting at one of the 2015 RSA Archer Roadshows, would like additional information, or would like to talk to someone to learn more, please reach out to your local RSA Account Executive or contact

Chris Dodge:


Risk remained in the forefront in 2014 and shows no sign of abating in the future.  Natural disasters, internal and external fraud, third party risk, product liability, regulatory sanctions, and of course, unrelenting cyber-attacks continue to flood the news.  Many organizations have been hard hit by risk this year while many others worry that they have just been lucky and wonder if their operational risk management program is truly effective. 


Running an effective risk management program requires a framework to be in place that is designed to help your organization minimize surprises and maximize the likelihood that your objectives will be met.  For operational risk this means understanding and proactively managing risk around many aspects of people, process, and technology internally and externally.  The breadth and complexity of this kind of risk can be daunting, making it impossible to manage without technology orchestration.

So, it is welcome news that Gartner, one of the leading analysts of operational risk management software applications, just released their Magic Quadrant for Operational Risk Management to offer guidance on how technology can help you solve risk management challenges. Gartner has placed RSA in the Leaders Quadrant positioned highest on the “ability to execute” axis. 


We believe the placement of RSA Archer in this Leaders Quadrant extends last year’s exciting Enterprise GRC Magic Quadrant momentum, as well as our position in the Leaders Quadrant in the first-ever Gartner Magic Quadrant for IT Vendor Risk Management.

Gartner has placed a great deal of emphasis on your (our customer’s) thoughts and opinions about risk as well as the technology you have employed to address risk challenges. You’ll notice an interesting new tone in the ORM Magic Quadrant.  As I read through the report, I noticed many phrases like “Customer perception of Vendor X [insert capability] was rated highly by survey respondents…” or “Customers provided low ratings for Vendor Y’s [insert capability]…”  This Gartner Magic Quadrant has been highly influenced by customers, like you, who are hard at work building effective programs to proactively manage the tide of risks instead of just relying on luck.  Frankly, we can’t help but agree with Gartner’s approach.  Our best advocate for solving complex risk management challenges is YOU, the Archer Community. 

Thank you!!! 

Thank you to those who spent their precious time providing their thoughts and opinions to Gartner via the survey. 

Thank you to those that have provided case studies and videos to share their guidance to like-minded professionals that are struggling with the same risk challenges.

Thank you to our customers that have offered their thoughts to new Archer customers that are trying to decide which technology best suits their needs and which use case to tackle first.

Thank you to the countless Archer Community members that have participated in working groups, regional user groups and our Customer Advocacy Council to make Archer what it is today…a leader in risk management technology.

Interested in seeing more Gartner ORM Magic Quadrant details?  We have made the report available here so that you can share it with your colleagues and management team. 


This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from EMC. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

Top Audit Risks For 2015

Posted by PatrickP Employee Dec 16, 2014

As we head into 2015 and Internal Audit (IA) organizations finalize their audit plans, it's always interesting to hear what they're going to focus on and how that aligns with management's perceptions of risk. Recent surveys of audit organizations by several global auditing and consulting firms show that the top global risks audit groups are discussing with their audit committees and including in their audit plans include:


  • Regulatory changes and scrutiny
  • Cyber risk and data security
  • Reputational risk
  • Business innovation
  • Talent recruiting and succession planning
  • Economic conditions restricting growth
  • Timely risk identification and escalation
  • Disruptive innovations and IT


It's refreshing that a separate survey of CEOs also rated most of these risks as high priority, the one exception being that CEOs ranked financial performance as their highest priority.  Some of these risks are areas IA is adept at dealing with, such as risk identification or regulatory changes and compliance.  But how does IA evaluate economic conditions restricting growth, or talent recruiting and succession planning?  Even more difficult is a nebulous topic like reputation risk, because so many factors can affect it, from cyber attacks to social media campaigns to inadequate responses to business or IT disruptions.


On top of these risks being factored into the ongoing work of audit planning and execution are the recent changes to the Institute of Internal Auditors (IIA) standards and the COSO 2013 framework, which many companies are electing to implement soon or are in the process of implementing.  By the way, these two areas were also often listed as risks to IA organizations themselves.


The question becomes how does IA factor these risks into their audit plans?  How are these risks audited? What controls need to be considered to mitigate these risks?  Finally, what metrics need to be monitored to show if progress is being made?  These are all questions that become more difficult to answer as IA groups face risks that are becoming more diverse and strategic to the organization's business objectives.


I won't disclose the answers here, but in an upcoming white paper I'll discuss these risks and some real-life examples of how IA groups are addressing them, as well as how an integrated Governance, Risk and Compliance (GRC) program can significantly help. In the meantime, happy holidays, and if you want to contact me directly, I'm at

Who do you do business with, associate with, outsource to, and share information with? How can those relationships hurt you and how can relying on them in a critical moment impact your mission? Will their security posture save you from peril or kick you while you’re down? How many of your partners, vendors, and suppliers are soft targets and vectors to use to attack you from a trusted source? These are issues that are coming to the forefront more and more.


To address these issues, just this summer, NIST released the second draft of its related publication, NIST SP 800-161, Supply Chain Risk Management Practices for Federal Information Systems and Organizations.


There have been many workshops and events in Washington DC this year already on supply chain risk management (SCRM) and, even as I write this, there is another underway this week in McLean, VA, Winter 2014 Software and Supply Chain Assurance Working Group, involving NIST, DHS, MITRE and the usual cast of federal players and vendors.


The NIST Cybersecurity Framework (CSF) was written to help the critical infrastructure sectors. Although it was intended as a way to build and manage an entire, comprehensive cybersecurity program, it has drawn increasing attention as a way for organizations to share information about their security posture with their partners and vendors, and across their own organization.


I did a webcast earlier this year on Vendor and Supply Chain Management with my colleague, Marshall Toburen, that goes further into this topic, especially focusing on how it applies to the federal community. And if you’re more interested in the private sector perspective, here are several recent related posts from team mates: here, here, here, and here.


Now, for the good news:

In Gartner’s latest IT Vendor Risk Management Magic Quadrant, analysts Christopher Ambrose, Kris Doering, and Gayla Sullivan evaluated 10 enterprise-class IT Vendor Risk Management solutions.


As you can see in the report, RSA Archer is again ahead of the pack - something we’re very proud of. We take these analyses and use them to continually improve, as well as using inputs from our customers and prospects and our working group members. If you are interested in seeing a demo or being a member of the Vendor Management working group please feel free to contact .


Thanks for reading. As always, email me with questions or comments.




@chrish00ver on Twitter

Yes, the 2015 RSA Archer GRC Roadshow dates and locations are set for Minneapolis, Washington, D.C., Southern California, New York City, and Boston. We are pleased to share the schedule with you: 




1500 Park Place, Blvd.

Minneapolis, MN  55416


801 Mount Vernon Place Northwest

Washington, DC  20001



MARCH 5, 2015

Ritz-Carlton, Laguna Niguel

One Ritz-Carlton Drive

Dana Point, CA  92629

Marriott Marquis - Times Square

1535 Broadway

New York, NY 10036



202 Burlington Road

Bedford, MA 01772



The 2015 GRC Roadshow Microsite, with Agendas, Speakers, and Registration Information will be live on or before January 19. We are, however, able to share the 'Agenda at a Glance' with you today:


Registration, Networking and Product Demonstrations

Welcome and Introductions


RSA Archer Session:  Harness Risk and Fuel the Enterprise

In this presentation RSA will discuss how companies can embrace and harness risk to fuel their enterprise, derive value and gain a competitive advantage over companies that do not.  Risk Management will be the primary source of competitive advantage in tomorrow’s market.  Risk must be harnessed to fuel the enterprise towards the next level of success.


Client Discussions:

GRC leaders will discuss how they are using RSA Archer to tackle today’s biggest GRC challenges around enterprise, operational, IT and third party risk, regulatory & corporate compliance, audit and business continuity management. 


Birds of a Feather / GRC Working Group Lunch

Enjoy a great lunch and the opportunity to talk with other RSA Archer customers and share ideas, lessons learned and best practices from your peers facing similar GRC challenges.


Advisory Partners:

Insights and best practices for successfully building and deploying a GRC program across your organization.


RSA Product Information

Come see and learn about the newest RSA Archer solutions and offerings, talk to our GRC experts and see the latest RSA solutions in action.


Social and Networking Hour(s)

After a great day of learning about how RSA Archer solutions can help you solve your GRC challenges, kick back and join your fellow Roadshow attendees with a relaxing social and networking event.  Cocktails, conversation, hors d’oeuvres and fun abound. (Where venues permit)


We hope you can join us and attend one of these complimentary GRC Roadshow events.

See you at the Roadshow!

There is a lot of uncertainty these days, and back in my college days in my Quantum Physics class, the Heisenberg Uncertainty Principle took the prize for uncertainty.  The Heisenberg Uncertainty Principle states that you can never simultaneously know both the exact position and the exact momentum (and therefore the exact speed) of a particle.


A security operations team could put the Heisenberg Uncertainty Principle to shame by combining intelligence and context during security investigations.


Think of it this way: when an incident occurs, the security operations team needs to take a holistic approach to investigating the threat.  By combining intelligence and context, the team can effectively detect, investigate, respond to and remediate security threats.  Let’s see how this plays out during the investigation process:


  • Visibility - An event happens; the team has the visibility to see the attacker’s every move and can reconstruct the event. How did the attacker infiltrate our environment, what other systems did they access, did they install malware, have they opened a backdoor for future attacks?


  • Business Context - Prioritize with business context; the team should always prioritize the events that affect the critical assets of the organization. There are a lot of events, but if you can quickly identify and prioritize those that affect critical assets, you minimize the risk impact to your organization.


  • Vulnerability Information - If an incident happens because of an existing vulnerability, prevent it from happening again by addressing the vulnerability.  The security analyst needs to quickly take an incident, see the affected asset and its criticality, and see whether any open vulnerabilities exist on it.


  • Identity Context - Is the access appropriate? The security operations team needs a view into asset access entitlements, user entitlements and roles.  If an incident happened through an orphaned account, closing that attack surface prevents future attacks.


  • Threat Intelligence - Are there threats targeting companies in my region or vertical? If so, can I leverage what other companies have done to detect these threats and respond effectively?
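To make the list above concrete, here is an added example (not code from the original post or from RSA Archer) that joins each alert with the four kinds of context the post names and turns them into a priority score and follow-up actions. The asset inventory, vulnerability counts, account statuses, threat-intel network list, field names and weights are all constructed assumptions for illustration; the IP addresses are from the RFC 5737 documentation ranges.

```python
"""Context-enriched alert triage: an added example, not RSA Archer code.

Each constructed alert is joined with asset criticality, open vulnerability
findings, identity status and a threat-intel network list, then given a
priority score plus follow-up actions.  All data and weights are assumptions.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List

# Constructed stand-ins for a CMDB, a vulnerability scanner, an IAM export
# and a threat-intel feed.  Hosts, users and IPs are made up for illustration.
ASSETS: Dict[str, Dict[str, str]] = {
    "pay-db-01": {"criticality": "critical", "owner": "payments"},
    "web-07": {"criticality": "high", "owner": "ecommerce"},
    "kiosk-12": {"criticality": "low", "owner": "facilities"},
}
# Open findings per host, counted by severity (no finding identifiers).
OPEN_VULNS: Dict[str, Dict[str, int]] = {
    "pay-db-01": {"high": 2, "medium": 1},
    "web-07": {"medium": 3},
    "kiosk-12": {},
}
# "orphaned": the account is still enabled although its owner has left.
ACCOUNTS: Dict[str, Dict] = {
    "svc_backup": {"status": "orphaned", "roles": ["db_admin"]},
    "jdoe": {"status": "active", "roles": ["developer"]},
    "guest": {"status": "active", "roles": []},
}
PRIVILEGED_ROLES = {"db_admin", "domain_admin"}
# Networks a (constructed) intel feed reports as targeting this vertical.
INTEL_NETWORKS = [ip_network("203.0.113.0/24")]

CRIT_WEIGHT = {"critical": 40, "high": 25, "medium": 10, "low": 2}
VULN_WEIGHT = {"critical": 15, "high": 10, "medium": 4, "low": 1}


@dataclass
class Alert:
    alert_id: str
    host: str
    user: str
    remote_ip: str
    signal: str


@dataclass
class Triage:
    alert_id: str
    score: int = 0
    reasons: List[str] = field(default_factory=list)
    actions: List[str] = field(default_factory=list)


def triage(alert: Alert) -> Triage:
    """Score one alert from the context sources above."""
    t = Triage(alert.alert_id)

    # Business context: weight by asset criticality.  A host missing from the
    # inventory is itself a visibility gap and must not silently score low.
    asset = ASSETS.get(alert.host)
    if asset is None:
        t.score += 20
        t.reasons.append("host not in asset inventory (visibility gap)")
        t.actions.append(f"add {alert.host} to asset inventory")
    else:
        t.score += CRIT_WEIGHT[asset["criticality"]]
        t.reasons.append(f"asset criticality {asset['criticality']}")

    # Vulnerability information: open findings on the affected asset.
    for sev, n in OPEN_VULNS.get(alert.host, {}).items():
        t.score += VULN_WEIGHT[sev] * n
        t.reasons.append(f"{n} open {sev} finding(s) on {alert.host}")
        t.actions.append(f"remediate open {sev} findings on {alert.host}")

    # Identity context: is the access appropriate?
    acct = ACCOUNTS.get(alert.user)
    if acct is None:
        t.score += 15
        t.reasons.append("account not in IAM export")
        t.actions.append(f"identify owner of account {alert.user}")
    else:
        if acct["status"] == "orphaned":
            t.score += 30
            t.reasons.append("orphaned account")
            t.actions.append(f"disable orphaned account {alert.user}")
        if PRIVILEGED_ROLES.intersection(acct["roles"]):
            t.score += 10
            t.reasons.append("privileged role")

    # Threat intelligence: does the remote side fall in a reported network?
    ip = ip_address(alert.remote_ip)
    if any(ip in net for net in INTEL_NETWORKS):
        t.score += 25
        t.reasons.append(f"{alert.remote_ip} in threat-intel network")
        t.actions.append(f"scope all traffic to {alert.remote_ip}")
    return t


def rank(alerts: List[Alert]) -> List[Triage]:
    """Highest-priority alert first."""
    return sorted((triage(a) for a in alerts), key=lambda t: t.score, reverse=True)


# Constructed alerts, as they might arrive from a SIEM.
SAMPLE_ALERTS = [
    Alert("A1", "web-07", "jdoe", "198.51.100.5", "unusual outbound volume"),
    Alert("A2", "pay-db-01", "svc_backup", "203.0.113.9", "login outside business hours"),
    Alert("A3", "kiosk-12", "guest", "192.0.2.44", "AV signature hit"),
    Alert("A4", "unknown-host", "contractor9", "198.51.100.77", "new local admin created"),
]

if __name__ == "__main__":
    for t in rank(SAMPLE_ALERTS):
        print(t.alert_id, t.score, "; ".join(t.reasons))
        for action in t.actions:
            print("   ->", action)
```

Run as-is and the orphaned, privileged service account on the critical database, talking to an intel-listed network, lands at the top of the queue; the kiosk's AV hit lands at the bottom. Two design choices matter more than the arbitrary weights: a host absent from the inventory scores up rather than down, because "we don't know what that is" is a visibility gap, not a reason for calm; and each context source contributes an action, so the output is a remediation list, not just a number.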


When I talk to customers building out their incident response teams, I always mention VISIBILITY, ANALYSIS and ACTION: the ability to leverage advances in technology and big data analytics, together with a combination of intelligence and context, to better detect, investigate and respond to security incidents.


Uncertainty NO-MORE — Certainty YES during the security investigation process.    Let’s limit the Uncertainty Principle to Quantum Physics.

Confidentiality, Integrity, Availability – the holy trinity of the information security profession.  Chapter One of (almost) every information security document has these three words highlighted, underlined, bolded, mantra-sized…Deified.  And for good reason.  These three guiding lights of the security vocation are the stars upon which our paths are navigated.  They provide the X, Y and Z coordinates for us to determine our position.  They are the boundaries that we operate in.  As security professionals, they COMPLETE us…


Until now.


Recently, I attended the Information Security Forum’s World Congress in Copenhagen.  This event brought together a multitude of information security leaders representing enterprises from around the globe.  Several of the sessions included CISOs presenting their own individual challenges and accomplishments as they guide their organizations through the murky and dangerous waters of the security ocean.  And as they steer their security strategies, whether explicitly or implicitly stated, the three magical stars of InfoSec navigation are Confidentiality, Integrity and Availability.  However, the discussions consistently pointed to another star.  Once hidden on the horizon and dimly lit, this star is constantly growing in size and brightness:  Value.


Security has gone from a push to a pull: Executive management reads about security issues every day in the news.  CISOs are now reporting the interest in security has gone from a bullet point somewhere on the IT section of the board presentation to a seat at the table. In some cases it still may be a backseat but a seat nonetheless.  Thus, security must be able to talk in terms of the business and highlight the value of Infosec initiatives.


Security must be thought of, and managed, as a business investment – not an administrative cost:  The convergence of digital and business risk is unavoidable and the reputational and financial impact of a data breach is evident.  Forrester just released an interesting report on how customer-facing risks must be addressed.  Risks that affect the people who spend money on your company’s products and services must be addressed.  I wrote a blog a while back on the CISO as investment advisor.   This type of conversation – spending on security perceived as investment in the business – has to be on the CISO’s radar.


Security must report to, first, someone who cares and then someone who can make a difference:  Much debate has unfolded on the organizational position of the security function – IT? Legal?  Finance? Operations?  I think first it needs to report to someone who cares that the business is protected.  Secondly, it should report to someone who can then make a difference.  If you find someone with BOTH of those attributes, then security is in good hands.  The trick is to then translate that concern and action into discernible value to the organization.


Each of these indicates this rising star – Value – as another guiding principle for information security.  If security cannot articulate the business value, and be driven by business priority through context, then the seat at the table will be lost.  It is one thing to say “You gave me $X to invest in security and nothing bad happened.”  It is another thing to say “You gave me $X to invest in security and we secured $Y in business resulting in $Z in revenue.”   This is the difference in reporting ‘We shut down an active attack on systems that support 1/3 of our business operations in North America representing a daily revenue of $1M’ rather than ‘Our AV infrastructure identified 50 machines infected with a serious malware and we remediated it.’  I would propose that the CIA mantra in security be modified in today’s competitive and hazardous marketplace.


Forrester even calls this out directly in their report:

'Business leaders desperately need better analytics and risk context to ensure they make the right strategic decisions, but they hesitate to invest more resources into risk programs because risk management is seen as a cost that doesn’t offer a solid return on investment. This is a failure of risk management to demonstrate value to the business, and it’s a failure to align with morphing market trends that put the customer front and center of every business initiative.' *


Protecting information these days goes beyond ensuring Confidentiality, Integrity and Availability.  Protecting information today includes understanding the Value of the information and maintaining that worth for the business.   While this concept is implied in maintaining C, I and A, it does not get its proper place at the forefront of WHY we secure information.  As a profession, the more we instill this concept of value in the discussion, the closer security will get to the business.  The Impact part of Risk = Likelihood X Impact seems to have taken a back seat; we can no longer focus only on reducing likelihood by implementing control after control.  We need to articulate the value back to the business to improve the investment portfolio of the security function and ultimately take a seat as a crucial part of the business strategy of the organization.


* Forrester Report:  Dissecting Global Risk Perceptions And The Effects Of Customer Obsession by Nick Hayes, December 5, 2014

Years ago Billy Joel was "In a New York State of Mind" when he returned home to the Empire State. Over the last few weeks my fellow colleagues have been illustrating various scenarios on how third party risk management can play a vital role in a company’s operations in a series of discussions on the current state of mind as it relates to trends in third party and supply chain risk management. This comes on the heels of Gartner’s latest IT Vendor Risk Management Magic Quadrant placing RSA Archer well ahead of the pack in continued market leadership. This is something we’re very proud of as it represents not only a lot of diligent work but also the tremendous gift we enjoy by virtue of having so many amazing, creative, loyal customers who continuously collaborate with us to improve our products. Billy Joel might call that "A Matter of Trust".


Let’s discuss how some of those non-IT external relationships can also factor into the overall operational risk picture. Consider insurance for instance where carrier liquidity and disqualified losses can dramatically impact the quality of coverage; say in the wake of previously identified security weaknesses. “You May Be Right” that coverage should apply but the insurer may disagree in which case you may have just become “Easy Money”, unless of course you can produce compelling evidence to the contrary. Even then it can still be a protracted battle of wills to finalize any settlement which could likely fall short of actual realized losses for a major privacy or credit card breach. A disciplined approach to exploring these types of scenarios up front is necessary to ensure the organization has a healthy understanding of its entire portfolio of third party risks and isn’t blindly accepting more inherent risk than it realizes.


Other types of representative services like legal counsel or marketing and public relations can also benefit from a stronger dose of operational risk scrutiny. For example companies often retain specialty firms full of hired guns to help manage tough situations like breaches or other crises. In politics the term "risk management" usually relates more to spin control than security controls. It’s also common for companies to engage outside assistance when launching new products or other initiatives, or maybe just to help rejuvenate a tired brand with a fresh image makeover. The exposure risk is usually low for most of these pursuits given the level of iteration and approval required before any work sees the light of day provided no inadvertent leaks or other dumbdumbery occurs. Other times though they can bite in a hurry if the wrong firm was chosen or the project mishandled. When there’s only one chance to get it right what happens when things go wrong?


Two scenarios come to mind where this can quickly get interesting from a third party risk perspective. The first is crisis response. A company experiences an impactful event (breach, fraud, corporate scandal, whatever). Incident response best practices include initiating a predetermined chain of communication with clear guidance on interacting with the public (press inquiries, public statements, etc.) Controlling the flow of information is crucial to ensure the right things are communicated clearly as well as guarding against misinformation or leaks further hampering response and remediation efforts. From a certain viewpoint having the right PR firm on retainer in those types of situations could almost be regarded as its own form of insurance; intended to reduce the risk of further reputational damage by transferring certain communications and message crafting responsibilities to a more qualified outside expert.


What happens if that service fails to deliver? Whether in response to a crisis or something else entirely, how are the terms of service and dispute resolution mechanisms managed? When a company has servers at a hosting facility that gets knocked offline by a clumsy technician or a power outage, it’s easier to identify a fault chain. Something like five 9s of uptime can be measured empirically, so enforcement through a service level agreement is pretty straightforward. But if a company retains a professional spinster to help control a sensitive public message and it backfires, is similar recourse available? What kinds of SLAs are best defined? Can fault be established? How should the company best manage those types of inherent third party risk adjacencies?


Here’s a second hypothetical, this time from the product side. Let’s pretend you’re a software product vendor participating in one of these analyst bakeoffs like the Gartner MQ. Just for fun let’s even say you’re actually one of our competitors in the GRC space. The whole process is competitive by nature and while different analysts have different styles, across the board there’s usually a large questionnaire you have to answer and other product information you must provide, typically on a very tight timeframe. So let’s further pretend you decided to try and stack the deck by engaging an outside industry “consultant” to help you prepare your responses (surprisingly some vendors really do this.) It’s all in secret of course as you would never want anybody to know you actually needed help representing your own product! Heck, the disclosure of that alone would be embarrassing, maybe even triggering a crisis response event by itself!


Fast forward to the release of the report and let’s say, unfortunately for you, that rather than rocking the house your product actually falls well short of the mark in the rankings. Your hired gun strategy didn’t pan out, but at least nobody knows about it, right? So what would happen if instead it wasn’t kept secret? Let’s say the industry pundit you hired had her finger in all sorts of different pies trying to promote herself as a vendor consultant, buyer consultant, and maybe even as an alternative “impartial” product ranker. Let’s further suppose (unbeknownst to you when you engaged her) that she was also providing the same spit polish services to several of your competitors at the same time, essentially nullifying any supposed advantage you paid a premium for; which is why she’s in crisis mode trying to save face the only way she can - by going on the offensive! In her mind there’s no way SEVERAL vendors could hire her in all her glory only to have NONE of them do any better unless the SYSTEM is rigged. Cue Jon Lovitz…”It’s the system’s fault! That’s the ticket!” It couldn’t possibly be that her services added no value, right? Of course not!


Now let’s say before you can remind her of the NDA you have in place she takes things to the next level, fuming across the digital airwaves in her newsletter and social media, shamelessly protecting her brand. Like a scene from a movie, Billy Joel’s “Big Shot” rings out in Muzak over your office speakers as you realize it wasn’t even some internal slip of the tongue that betrayed you but rather the actual consultant you hired! Out there on display for all to see, ranting away and throwing you under the bus in the process! You quickly learn you’re no more a valued customer than she is a trusted adviser. Nope, you’re just an expendable pawn in a desperate saga to preserve her brand against those evil establishment analysts. At least she didn’t refer to you directly by name, but it’s easy enough to read between the lines and figure out who’s who. Talk about a hot mess!


So what would you do? What’s your next move? A poor showing in the rankings was bad enough, but now you stand to suffer further reputational loss from this disaster. Is this an incident you need to escalate? What kind of public relations damage control might be needed? Considering your confidentiality was sacrificed for the self-preservation purposes of the one person who should have known better, maybe she’s opened herself up to litigation? But how much will THAT cost to pursue, and how will it help? What about investor and board confidence in your product leadership and direction? What kind of third party risk management process improvements should you implement going forward?


Lots of tough questions to answer, which now have you wishing you’d just slogged through the whole ranking process yourself and let the chips fall where they may, making your own luck like we do here. Hey, we might not be the smoothest talking bunch and we've taken our fair share of dings too, but at least we’re authentic. What you see is what you get, and I can tell you from firsthand experience we wouldn't dream of entrusting to some outsider anything as important as representing our products in a professional analysis like the Gartner MQ…ever…because it’s always about more than just products. It’s about the people and the company standing behind those products and the customers rallying around them globally. Come what may, we sail under our own power, our customers alongside us at the helm, and our integrity intact. No outside caricatures with mixed agendas or venture capitalists to worry about. Just us with all the passion and commitment we can muster. Considering the spot we've earned atop the leaderboard, who are we to argue with the results? Like Billy Joel said…#JustBeYourself

I thought I'd make everyone feel guilty (why should I be alone?) before the holiday gluttony begins!  The title of this blog refers to the adage that says "you are what you eat", meaning what goes in is usually what ends up hanging over the belt.  Conversely, if you carefully measure what you eat in moderation, then you'll likely have better results.  So it is with organizations in a manner of speaking.


What are the right measures and metrics for an organization to track to drive the right behaviors? A Harvard Business Review column gives an example about CEO compensation and how stock price is such an integral measurement, for good or bad. However, that measure may drive more short term thinking and results that aren't necessarily what's best for the organization in the long run. Another example shows that states that use standardized education assessment tests produce kids who perform well on these tests but may fall short when they have to demonstrate their knowledge in a different way. So, how do companies measure performance, especially related to governance, risk and compliance (GRC) and are they driving the right behaviors?

RSA sponsored an OCEG survey where 190 respondents weighed in on their organization's use of GRC metrics, which include measures for financial, strategic, reputational, personnel, efficiency, responsiveness, education and awareness, and effectiveness categories.  The results were analyzed to determine the impact of GRC integration (i.e., Internal Audit is aligned and integrated with Compliance and Risk functions and vice versa) on metrics maturity and value, as well as the confidence level in the design of metrics for performance and GRC.  One of the key findings was that the more integrated a GRC program is, the more mature its program metrics are. This was broken down into some component parts as you can see at the right.


Another key finding was around automation.  The survey categorized organizations as Siloed GRC, Standardized GRC or Integrated GRC.  As you can see from the results below, the integrated organizations also used more GRC systems versus point solutions or disconnected systems, which helped them drive more integration because they could then better share best practices and standard approaches and align more fully.



Finally, one last interesting result I wanted to share was how confident senior executives are with GRC metrics and their ability to relate to and drive organizational performance. Once again, the integrated GRC programs drove greater confidence among senior executives.




In conclusion, it was overwhelmingly apparent that metrics and measures are a critical part of any GRC program, that it is important to have the right related measures in place for both GRC and company performance to drive the right behaviors, and that integrated GRC programs enjoy greater success in these areas.


Regardless of how I started this blog, I do want you to enjoy your holidays - and measure your personal results a little less before the holidays than you do after. For more information on this topic, contact me at

In Deloitte’s 2014 Global Outsourcing and Insourcing Survey, IT outsourcing was found to be commonplace with nearly 60% penetration across survey respondents, with outsourcing growth expected to continue at rates of 12%-26% across functions.  Deloitte reported that “Vendor management is recognized as a critical factor for successful outsourcing”, yet 74% of respondents said their organizations do not currently have adequate tools and processes to manage their vendor portfolios while 62% believe their vendor management organizations are inadequately staffed.


These statistics are shocking and are no doubt at the root of why we continue to hear so many horror stories about third-party relationships gone bad – and there have been plenty of notable examples over the years:


  • Classified national security practices leaked by a contract employee supplied by a major subcontractor
  • A structural failure in a hotel killed 114 people as a result of the gross negligence of the hotel’s engineering subcontractor
  • A shoe manufacturer was exposed to child labor violations associated with a foreign vendor’s manufacturing operation
  • $6B in claimed damages incurred to credit card issuing banks as a result of 134 million credit cards being compromised through a major payment processor
  • An energy company experienced an oil platform blowout that resulted in an 87-day oil spill, 11 deaths, and $47B in fines, litigation, and settlements.  Two subcontractors were faulted in the event
  • The host country of a major international sporting event experienced security issues arising from outsourced security services
  • A food chain was accused of animal rights abuse as a result of the practices of one of their key suppliers
  • Thousands of companies experienced business outages as a result of the outage of a major cloud-based IT hosting provider
  • A State retirement system class action claimed $351B in damages from fraud of a mortgage-backed securities originator
  • A clothing retailer lost $45M in revenue from a product recall and supply interruption due to poor quality fabric from a manufacturing partner
  • A food chain’s revenue and stock price declined due to reputation risk arising from allegations the food chain was using expired meat from a supplier who was fraudulently representing it as fresh
  • A home improvement retailer had over 50 million customer credit card and email addresses exposed due to an information breach originating from the compromise of a vendor’s sign-on credentials

What if you could better manage the risk of these kinds of nasty surprises cropping up in your third party relationships?  What if you could more effectively prioritize resources to manage third parties, recapturing time and resources to devote to more important things?  This is what RSA Archer’s Third Party Risk and Performance Management solution is all about. 

RSA Archer’s Third Party Risk and Performance Management solution was developed based on best practice, giving careful attention to addressing regulatory obligations imposed on many organizations to better manage third party relationships. This solution helps organizations understand and manage the risk and performance of their third party relationships across the entire lifecycle of the third party, taking into account multifaceted risk scenarios, including those that might arise further down the supply chain.  Attention to these details has resulted in important recognition! 

Extending last year’s exciting Enterprise GRC Magic Quadrant momentum, RSA Archer has been positioned as a Leader in the first-ever Gartner Magic Quadrant for IT Vendor Risk Management. RSA Archer’s Third Party Risk and Performance Management Solution was one of only two vendors ranked in the Leaders quadrant, and the vendor ranked highest in “Ability to Execute”.



Visit the RSA Archer Community to learn more about the RSA Archer Third Party Risk and Performance Management solution and how we can help organizations like yours to better manage third party relationships.
