
2nd Annual Awards Program Recognizes Real-World Implementations Advancing the Value of GRC Strategy, Process, and Technology




GRC analyst firm GRC 20/20 has announced that a large Commercial Bank in the U.S. and RSA Archer have been honored with a 2014 GRC Value Award for the category of Enterprise GRC Platform. The 2nd annual GRC Value Awards recognize real-world implementations for Governance, Risk Management and Compliance programs and processes that have returned significant and measurable value to an organization.


According to Michael Rasmussen, Chief GRC Pundit for GRC 20/20 and internationally recognized expert, “This large Commercial Bank has demonstrated proven business value in Enterprise GRC Platforms with its implementation of RSA Archer as the backbone of their integrated Enterprise Governance, Risk and Compliance program.” In the report, Mr. Rasmussen indicates that the greatest strength in this financial institution's GRC Platform architecture is the interconnectedness of the Platform and the ability to quickly enhance existing solutions or add new use cases.


The GRC Value Awards evaluate and verify both quantitative and qualitative measures of GRC agility, effectiveness, and efficiency within an organization’s GRC implementation.  This large Commercial Bank has a large risk and compliance technology implementation that addresses many business users across multiple business units for a variety of GRC use cases. Through their risk and compliance technology innovation, they have been able to save approximately $1.65 million annually and report significant reductions in time and cost of managing the disparate and disconnected solutions that existed prior to RSA Archer.


According to Mr. Rasmussen, “It is imperative that we recognize today’s successes as a milestone toward advancing GRC maturity. In achieving maturity, GRC is part of the organization’s strategy and operations and supported by a range of technology, knowledge and services - enabling the organization to achieve greater efficiency, effectiveness, and agility in GRC processes and broader business operations.”  We cannot agree more!  RSA Archer heartily congratulates this financial institution on their award-winning and innovative implementation of the RSA Archer GRC Platform and we look forward to seeing continued risk and compliance growth for this Commercial Bank.


You can obtain more information about this GRC implementation by reviewing their case study.  In addition, we encourage you to visit the GRC 20/20 website for more information about the GRC Value Awards.


The value of Governance, Risk and Compliance programs today is no longer some intangible nebulous theory. Organizations can gain real advantages in their market due to effective risk management. For example, we have seen customers streamline new product launch cycles with improved risk management processes that enable them to move faster into new markets. GRC programs that drive a constant increase of effectiveness in managing risk and compliance strengthen the safety net the business can rely on as it pursues new opportunities. As the risk and compliance functions mature, the program protects more and more of the organization. These two factors – Results and Reach – are what take a GRC program from Compliance to Risk to Opportunity, ultimately bringing great Value to the organization.



To be successful in GRC, you must present a compelling picture to the business to get buy-in. It isn’t rocket science but it is a challenge.    GRC programs that get better results and drive broader reach across the organizational boundaries propel the business. To unlock this “Fuel for your Enterprise”, you must focus on some critical Keys to Success:


First, Reduce the Risk of Execution.  GRC initiatives involve multiple personas, multiple operating units, multiple processes and multiple data sources.   Whether you are just embarking on your drive to GRC, or are a veteran established program, you must always look at ways to reduce risks around implementing GRC processes. This can be accomplished by ensuring transparent communication with your stakeholders, building your strategy based on realistic, manageable chunks and gathering agreement to ease implementations first before plowing ahead.


Secondly, Foster a Culture of Adoption. GRC does take a village and the more stakeholders – or supporters – you have vested in your program the more reach you will get across organizational boundaries. Understanding the business’ and end users’ pains goes a long way towards making the solution personal and giving people the incentive to buy in to the program.


And finally, Take Command of the Journey.  You – as the sponsors and executors of your risk and compliance strategies – are in control of your destiny.  As you get better results, and expand your reach, you start walking up those “stairs” and you can have a tremendous impact on your organization.  Addressing the pain within the organization when it comes to risk and compliance processes is only half the battle.   You must keep the end game in mind – fueling the enterprise.


Every year RSA Archer hosts a series of Roadshows.  This year the theme is “Fuel the Enterprise”.  Following along with last year’s Summit topic of Risk Intelligence, we will again focus on discussing the value GRC programs can bring to the organization through customer presentations and networking.  


Have you heard of the "domino effect"? It's the reaction produced when one event sets off a chain of related events.  A good example of this is literally setting up a chain of dominos to see how many you can add and how far the chain will go. I used to do this as a kid.  I'd set up dozens of dominos in different formations and then I'd add ramps, jumps and other obstacles to see how far I could take it and how cool I could make it.  However, if a ramp or jump was off a little bit or if any of the dominos were out of line, the dominos would tumble over to the side and I wouldn't get the full effect. Looking back, it took creativity and some foresight to really plan out an awesome domino chain. If I had to translate this into business terms, I'd say the key to success was alignment, coordination and having a strategy.

So, what does this have to do with Internal Audit (IA) and Operations Risk Management  (ORM)?  I'll draw an analogy - IA and ORM are the dominos.  The better aligned they are, the better the end result is going to be in terms of identifying and managing risk.  The strategy is having the right pieces and steps to the process in place.  For example, this chart to the right shows those pieces in the ORM lifecycle, starting with the strategy at the top, and having the right organization, a framework and execution.

Marshal Toburen, GRC Strategist for RSA Archer, said in a recent OCEG webcast, "Too many organizations are implementing risk management in bits and pieces and in differing ways in silos across their organization. Operational risk management suffers when these silos don’t communicate and when they put together an incomplete and inaccurate picture of risk."

Why is it that most organizations have this disjointed and incomplete picture of risk affecting their organization? Here's just one example. In the majority of organizations we work with, IA is separate from ORM organizationally. That's not a bad thing in and of itself. However, in most cases, not only are they separate, but their methodologies and approaches to identify and evaluate risk are different. Both ORM and IA groups may have valid approaches, and they may even communicate and compare results, but it's cursory, and comparing results from their different approaches is like comparing apples to oranges. Or, they may be doing many of the same things, like identifying, evaluating and measuring risk and finding ways to mitigate them, but they're not working together. The dominos in this example aren't even in the same line! To make the dominos fall correctly, IA and ORM should be working in tandem and with business owners (1st line of defense) to implement risk approaches, coordinate efforts, report results and follow up on issues. IA can and should have some level of independence, but they should also consider aligning their approaches with their ORM group based on regulations, best practices and industry standards.

Creating this formation of dominos isn't going to get any easier.  As a kid when I'd set up the dominos, I always had to keep an eye on my little sister who took great delight in knocking over my grand creation. Like that threat I faced, according to the American Institute of Certified Public Accountants, 83% of organizations surveyed have seen the volume and complexity of risks increase over the past five years.  In addition, 20% of these organizations have seen the volume and complexity of risks extensively increase over the past five years. As complexity of risk increases, our approaches to evaluate and mitigate risk must also rise to the challenge.

Just as creating the perfect domino chain takes a lot of practice, so does creating an effective, aligned risk approach and partnership between business owners, IA and ORM.  Think of it in terms of a maturity spectrum - on one end, the groups don't even know each other exist; to the far end of the spectrum where they work in perfect harmony.  Every organization is at a different place on that spectrum, but what's important is to know where your organization is today versus where it needs to get to. Devise a plan and begin to make progress - any amount of progress is good.  Consistency through practices, technologies, communication, dissemination, training and personnel will also build trust and better reliance between the three lines of defense.

I'm interested in your thoughts! Add your comments below or email me at  Also check out the latest Gartner Magic Quadrant for Operational Risk Management for more information here Magic Quadrant for Operational Risk Management.

Mason Karrer

Don’t Mess With Naptime

Posted by Mason Karrer Employee Feb 3, 2015

Long story short an electrical malfunction caused my neighbor’s house to catch fire over the weekend. Fortunately nobody was hurt but things certainly could have turned out much worse for a few scary simple reasons. According to the NFPA the likelihood of a home fire is 1 in 4 in your lifetime and the likelihood of injury is 1 in 10. Here’s the kicker: Those statistics are for a single fire. My neighbor’s house caught fire not once, but twice in 24 hours! As I replayed things in light of seemingly much longer odds some interesting operational risk correlations came to mind.


It all began midday on Saturday right after lunch as our 2 year old went down for a nap. Those of you with children appreciate the intense desire to covet and protect naptimes at all cost. This meant the house was more quiet than usual which was likely the only reason I happened to overhear the yelling outside. I discovered this was my neighbor across the street barking orders to his family and his son’s Boy Scout troop (coincidentally working on their Eagle Scout project on the driveway) to seek safety as thick black smoke rolled out their front door. I scrambled for a fire extinguisher and raced across to help only to have it fail after a tiny, embarrassing “pffffffft”. Not that it would have made a big difference anyway; the fire was quickly growing beyond control. But still, neither my finest moment nor the time for a key control failure.


Other family members soon assembled having escaped out the back of the house in the nick of time. With all accounted for we retreated to the curb to await the cavalry. Acrid smoke filled the whole street so I dashed back home to close the garage and somehow had the presence of mind to also turn off the furnace before it inhaled smoke throughout the house. I returned to find my neighbor, soot faced and coughing, remarking how the fire was so hot and smoky and spread so fast he figured if it had happened while they were asleep they wouldn’t have survived. Emergency services arrived on the scene and extinguished the fire just before it spread to the roof and beyond. It seemed the worst was over.


Fast forward to the same time the next day as I arrived home to find a different neighbor kid waving for help and shouting the fire had restarted. Really? Again during naptime? Nothing was visible, but he was acting frantic so I went for a closer look and sure enough saw fire quickly spreading up the stairway inside. Yet from the outside there was no smoke or other indication. So how had he known? The answer is keen observation and lucky timing. From his vantage point at home he just happened to notice a trace of flame through the lone 6-inch pane of glass that somehow hadn’t been completely blacked over with soot the day before. He was home alone and ran outside where he found me pulling into my driveway. I dialed 911 to get things moving and 10 minutes later our street was again lined with fire trucks and other EMS personnel.


Turns out there must have been a latent ember or enough residual heat to reignite everything. It was already very dry and had been windy since the night before. Several smashed windows also remained open around the house which all conspired to create a strong draft condition inside, essentially converting the entire house into a big fireplace with the stairway acting as the chimney flue. What if things had kicked up overnight instead and spread to the roof unabated? Between the wind and several huge pine trees in our yards things could have been really wild. Yikes!


From an operational risk standpoint it’s interesting to note the random dynamics that occurred to create a system of circumstantial risk events. What lessons can we apply to broader organizational risk management practices across the enterprise?


  • Preparedness – How enabled is the organization to respond when risk alarms (metrics) sound?
  • Escalation – Everybody has the potential to save the day by simply noticing something out of place and calling attention. What’s the organizational sounding board? Who’s listening?
  • Context – Unfortunately, too often the significance of isolated observations wasn’t made clear in time to prevent (or minimize) the impact of a disaster (for example the unused school busses during Hurricane Katrina). How can we coax real time, meaningful context out of seemingly unrelated items to extend the view over the horizon and adjust to changing conditions?
  • Feedback and refinement – There’s an old saying that it’s better to learn your fire extinguisher is worthless when your neighbor’s house is on fire (my neighbor disagrees). As I go to replace my fire extinguisher should I buy the same kind or consider learning a lesson and implementing a more effective control (continuous improvement)? Does the current risk model contemplate everything it should? (Tip: Start by defining higher order risks and then fill in gaps with more specific risk definitions as needed over time.)
  • External party risk – The smoke from my neighbor’s house posed downstream risk to neighboring houses like mine. I responded by turning off the furnace and closing up our house and also packed up a few essentials in preparation to leave if necessary (escalated incident response). When a vendor or supplier experiences a security event or business interruption the resulting increased uncertainty and risk can ripple throughout the supply chain. An organization’s ability to detect and compensate for these often unpredictable fluctuations is crucial to minimizing the impact.
  • 4th line of Defense – The items above notwithstanding, a balance must always be struck between too much and not enough. This is true in all areas of the business not just security or risk management. The concept of the black swan is all about asymmetric risk either from unforeseen events or predictable events whose impact magnitudes exceed predicted thresholds or outcomes. Even the most mature risk programs can’t prevent impacts when all **** breaks loose. What’s the plan for business resilience? How do you stay viable in the short term and improve in the long term? The fire department investigators are certainly hunting for lessons to learn and I can promise you my neighbor’s already planned to get escape ladders for the upstairs bedrooms among other things.


In case you’re wondering, despite all the noise and excitement our daughter slept through both events like…well…like a baby. If the Boy Scouts’ motto is “Be prepared,” then maybe the weary parents’ motto could be “Don’t mess with naptime!”


For more on Operational Risk Management, please visit my colleagues’ blogs here, here, and here and see Gartner's latest report.


Thanks for reading. Please feel free to email me with questions or comments anytime!



Steve Schlarman

Designing for Scale

Posted by Steve Schlarman Employee Feb 3, 2015

I love TED talks. I am not sure if there is a better source for 10 minute chunks of information and inspiration. As I do a fair share of presenting in my career – never on the scale of a TED talk (yet) – I appreciate the nuances of the speeches – the quick pace; the professional demeanor of the speaker; the powerful messages; the simplicity of the delivery. In the quiet times of my day (usually while munching on my lunch at my desk), TED talks provide me with food for thought. Many times I come upon a talk that truly trips something in my brain. And this is one of those moments.


This TED talk by Margaret Gould Stewart discusses the design challenges of massive websites – Facebook and YouTube namely. Based on her work in managing user experiences for those sites, she outlines a few key nuggets of advice. As I listened to her experiences, I realized these are really good points for CISOs today. While she was faced with a complex, massive user base, she makes the point that Designing for Scale is as much an art as science. CISOs too face a complex challenge and must think about designing a security program that scales. She lists three main points when designing for scale:


The little things really matter. Citing the update of the Facebook “Like” button, the speaker highlights the preparation and study it took to make such a seemingly meaningless change. Sound familiar? Oh, this little change to the firewall rule set isn’t a big deal… Oh yes it can be. A CISO must help build the culture of an organization where, when it comes to security, little things DO matter. Those pesky phishing attempts, that suspect attachment on the email, the development server that ‘is just going to be online (unpatched, unsecured) for ONLY a few weeks.’ I did a Pen Test years ago and happened to stumble onto a password file copied off for safe keeping by an admin ‘for a few days.’ 60,000 cracked accounts and passwords later… You get my point.


Designing with data includes relying on iteration, research, testing, intuition and human empathy. The speaker makes a note that being “Data driven” doesn’t mean just making decisions based on numbers alone. Rather we must use the data to augment and improve our understanding while applying our own context and intuition around those numbers to make better decisions. Context around security data is imperative. It is the context that makes the difference between a non-event and a serious malware on a system administrator’s or executive’s laptop. Intuition is critical for a CISO to know when an idea needs to be vetted harder when it comes to risk; human empathy will protect a CISO from being seen as the bully that says “No” every time.


Manage change very carefully. Change is a powerful thing. It can go well. But it can just as easily go really bad. Regardless, change is going to happen nonetheless. The speaker says ‘it’s impossible to completely avoid change aversion when you’re making changes to products that so many people use.’ CISOs face a considerable change management challenge. Security typically interrupts, or at least, modifies how people behave and use products, services or software. An awareness of this impact – understood at the human level – can go a long way in gaining supporters across the organization.


My favorite part of the presentation is the statement of ‘being a part of something that is so big, you can hardly get your head around it, and the promise that it just might change the world.’ That, my security friends, is the definition of being in your role today.
