All Places > Products > RSA Archer Suite > Blog > 2015 > January

Enterprise Risk Management (ERM) is a large and sometimes confusing topic. It’s difficult to put boundaries around, by which I mean we already have different tools, processes, and regulations to manage different types of risk. Questions arise, such as: if we already have tools, processes, and regulations to manage financial risk and IT risk, for example, do they still fall under the umbrella term “ERM”? If yes, is there another ERM layer of tools, processes, and regulations that we must also use and follow? The underlying question then is “what is ERM?”


So let's start with examples of federal enterprise risks. The “Maroon Book”, which I will discuss more below, gives many examples:

  • cyber attacks on our critical infrastructure
  • strategic human capital management
  • the BP oil spill a few years back
  • unfunded/underfunded pension programs
  • protecting public health through oversight of medical products and food safety
  • managing spending and acquisition programs that are constantly over budget
  • financial viability of postal service


You can see that the earlier examples of financial and IT risk do fall under ERM, as do so many others. In the past some of these types of risk were poorly managed, or not managed at all. Even knowing where to start was confusing. This was made worse in the federal space, where the Intelligence Community and DoD have invented so many unique risk management processes to protect sensitive areas, operatives, and operations. The federal government is so big and diverse that it has in the past had a fragmented understanding of what risk is, how to classify it, how to manage it, etc. Fortunately, that era seems to be coming to an end.


As a practitioner, I have personally seen a lot of meaningful development in the last 2-3 years, and I feel like 2015 is going to be the turning point for federal ERM. Some developments I would point out:

  • The Association of Federal Enterprise Risk Management (AFERM) started small in 2008 as a steering group, but has built a lot of momentum in the last few years in terms of membership, visibility, and influence.
  • The recent release of Enterprise Risk Management - A Guide for Government Professionals, aka “The Maroon Book”, provides a single authoritative position on what federal ERM is and how to use it.
  • Embrace of ISO 31000. The US federal government loves to create processes (even redundant layers of them), and to embrace this international standard without reinventing the wheel is a huge step forward; it aligns the federal space with so many potential vendors, partners, industries, etc. and lets them share a common taxonomy and processes.
  • OMB repeatedly stating that risk management is a top management priority for federal agencies, and to that effect releasing revised versions of Circulars A-11 and A-129, and working on an update for A-123, all with new language stressing risk-based decision making and
  • Many Departments and agencies have recently created and filled positions titled “Chief Risk Officer” and “Risk Management Officer”.
  • Most compelling to me personally as an employee of a GRC company, is that we are starting to get regular invites from large federal civilian Departments and agencies to discuss RSA Archer’s approach to ERM through our solutions. This was not something that was happening even two years ago.


For more information on ERM visit the links above. You can also check out my colleagues’ blogs on RSA’s take on Operational Risk Management here and here, and see Gartner's latest report, which is also relevant.


As always, thanks for reading, and email me with questions or comments.


Warren Buffett recently sent out his biennial letter to Berkshire Hathaway managers re-emphasizing the top priority: “we can afford to lose money – even a lot of money. But we can’t afford to lose reputation – even a shred of reputation”. This is a powerful statement & goes to the heart of managing a business.


Given the security landscape today, reputation is at risk not just from bad governance in the company, but also from how security is managed to keep adversaries at bay.


Picture this: a global organization, with thousands of employees, billions of dollars in revenue and a stellar reputation. The IT team is tasked with getting a good handle on managing the ever-growing pile of vulnerabilities. This is a big pile of unknown risk that needs to be addressed.


Since the IT team understands the problem well, they decide to create a homegrown solution, figuring it will be easy to customize and they can then shape it to the unique business requirements. The team then builds a case for a quick return on investment and wins the go-ahead.

As the team embarks on this journey, they start to feel some of the challenges. The first step is to nail down the requirements, then build the solution. However, the requirements seem to be a never-ending stream. As they get close to finishing the solution they get the feeling that building it was probably the easy part.


This is when they begin to realize that the solution may not be sustainable!


Some of the challenges they run into:

  • Full-time resources are required to continue to enhance & maintain the solution.
  • The brightest resources are taken away from security tasks and are dedicated to managing the solution.
  • Functionality is limited. For example, the solution cannot identify unique assets because its matching algorithm uses IP addresses as primary keys, so assets whose IP addresses overlap get conflated.
  • Can’t get away from using SharePoint in some form or another.
  • Reports are still generated manually and are not consistent quarter-over-quarter.


From a business perspective, what does this lead to?

  • More resources are required for managing vulnerabilities.
  • Lack of resources pushes some required activities, such as penetration testing, into a corner.
  • The count of unaddressed vulnerabilities keeps rising. Remediation is not validated promptly, so vulnerabilities get closed that have not actually been remediated.
  • Tracking vulnerabilities is tedious. Business line managers are unable to see where their requests are in the review & approval process.
  • The IT team is limited in the metrics & KPIs (key performance indicators) they can create for the vulnerability management process.
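The two concrete defects called out above (IP address as the asset primary key, and findings closed without validating the fix) are easy to reproduce in a few lines. The following is an added example, not code from the post or from any RSA Archer product; the scanner row fields, the site names and the plugin identifiers are all constructed for illustration. It contrasts keying assets by IP alone with a composite site/IP/hostname key, and it only moves a finding to CLOSED when a later rescan of that exact asset no longer reports the check.

```python
"""Asset identity and remediation validation for a vulnerability tracker.

Added example. Shows two failure modes from the post: keying assets by IP
address alone (collisions when sites reuse private ranges) and closing
findings on the operator's word without a confirming rescan.
All data below is constructed for the example.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ScanRow:
    """One row as a scanner export might look (fields assumed for the example)."""
    site: str        # network/site the scanner ran from
    ip: str
    hostname: str
    plugin_id: str   # scanner check identifier (constructed values below)
    scanned: date


# Composite identity: an IP is only unique within a site, and sites reuse ranges.
AssetKey = Tuple[str, str, str]


def key_by_ip(row: ScanRow) -> str:
    """The flawed approach from the post: IP address as the primary key."""
    return row.ip


def key_by_asset(row: ScanRow) -> AssetKey:
    """Composite key: site + IP + hostname."""
    return (row.site, row.ip, row.hostname)


def count_assets(rows: List[ScanRow], keyfn) -> int:
    return len({keyfn(r) for r in rows})


@dataclass
class Finding:
    """Lifecycle: OPEN -> FIX_CLAIMED -> CLOSED (only after a confirming rescan)."""
    asset: AssetKey
    plugin_id: str
    state: str = "OPEN"
    claimed_on: Optional[date] = None


def build_findings(rows: List[ScanRow]) -> Dict[Tuple[AssetKey, str], Finding]:
    findings: Dict[Tuple[AssetKey, str], Finding] = {}
    for r in rows:
        k = (key_by_asset(r), r.plugin_id)
        findings.setdefault(k, Finding(asset=k[0], plugin_id=r.plugin_id))
    return findings


def claim_fixed(f: Finding, on: date) -> None:
    """The remediation owner says it is fixed; this is a claim, not a closure."""
    f.state = "FIX_CLAIMED"
    f.claimed_on = on


def validate_with_rescan(findings, rescan_rows: List[ScanRow]):
    """Close a claimed fix only if a rescan of that exact asset, dated after the
    claim, no longer reports the plugin. If the rescan still reports it, reopen.
    Assets not rescanned since the claim stay FIX_CLAIMED (no evidence yet)."""
    latest: Dict[AssetKey, date] = {}
    for r in rescan_rows:
        a = key_by_asset(r)
        latest[a] = max(latest.get(a, r.scanned), r.scanned)
    still_present = {(key_by_asset(r), r.plugin_id) for r in rescan_rows}
    for (asset, plugin), f in findings.items():
        if f.state != "FIX_CLAIMED":
            continue
        rescan_date = latest.get(asset)
        if rescan_date is None or rescan_date <= f.claimed_on:
            continue
        f.state = "OPEN" if (asset, plugin) in still_present else "CLOSED"
    return findings


# Constructed sample: both sites use 10.0.0.5 for different machines.
INITIAL_SCAN = [
    ScanRow("dc-east", "10.0.0.5", "web01.east", "PLUGIN-1001", date(2015, 1, 5)),
    ScanRow("dc-west", "10.0.0.5", "db07.west", "PLUGIN-1001", date(2015, 1, 5)),
    ScanRow("dc-west", "10.0.0.5", "db07.west", "PLUGIN-2002", date(2015, 1, 5)),
]
# Constructed rescan: PLUGIN-1001 is gone on db07.west, everything else persists.
RESCAN = [
    ScanRow("dc-east", "10.0.0.5", "web01.east", "PLUGIN-1001", date(2015, 1, 20)),
    ScanRow("dc-west", "10.0.0.5", "db07.west", "PLUGIN-2002", date(2015, 1, 20)),
]


def demo(rescan: List[ScanRow] = RESCAN) -> Dict[Tuple[str, str], str]:
    """Claim every finding fixed on 2015-01-12, then validate against a rescan."""
    findings = build_findings(INITIAL_SCAN)
    for f in findings.values():
        claim_fixed(f, date(2015, 1, 12))
    validate_with_rescan(findings, rescan)
    return {(a[2], p): f.state for (a, p), f in findings.items()}


if __name__ == "__main__":
    print("assets by IP only:", count_assets(INITIAL_SCAN, key_by_ip))
    print("assets by composite key:", count_assets(INITIAL_SCAN, key_by_asset))
    for k, state in demo().items():
        print(k, state)
```

With IP as the only key the two hosts collapse into one asset, so a finding on db07.west looks like the same finding as one on web01.east. The validation step is deliberately conservative: a claim with no newer rescan stays pending rather than being closed, which is the metric (time from claim to validated closure) a manager actually wants to see.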


You can be proactive and avoid these negative business outcomes.

In the end you are looking to guard the reputation of the business. Managing security in the right way can yield a significant competitive advantage by protecting the reputation of business in the long run. Do it the right way.



Stay in touch @RajMeel7

Gartner published their Market Guide for Audit Management Solutions in December 2014 to provide audit teams with insight into the market and offerings available. Here's the link to their report: Market Guide for Audit Management Solutions


Gartner defines the market as solutions that automate internal audit operations through core and value-added offerings. Core offerings are those that primarily address the needs of internal audit departments, while value-added offerings position internal audit to add value to business operations, growth and innovation. Per Gartner, the use of core offerings far outweighs value-adds, which are growing at a much slower pace. Demand for mobile devices for conducting audits is growing quickly, and by Gartner's estimate, 40% of internal audit teams will use portable devices to conduct audits by 2017.

Gartner further divides the audit management solution market into two segments - pure-play solutions and governance, risk and compliance (GRC) applications. They state that internal audit teams use both pure-play and GRC; some groups integrate with their GRC organization's systems while others use standalone systems. The core offerings market is mature and well-defined, whereas GRC systems are newer and evolving.


RSA Archer's Audit Management Solution was highlighted for its audit planning and risk assessment capabilities, a crucial part of the entire audit lifecycle available in Archer's solution. In selecting a solution, Gartner recommends audit departments prioritize their requirements and differentiate based on them, as well as on price and delivery option. They recommend considering GRC applications (like Archer) when more than one department in the organization has made a purchase or is considering investment in GRC applications. They feel that SaaS is a more cost-effective solution, but on-premises implementations may be dictated by the need to secure sensitive data in highly regulated companies.


What we've seen in our research and interactions with hundreds of audit departments around the world is that very few are not considering GRC capabilities, mainly because audit committees, regulators and market conditions are demanding that internal audit play a more significant and strategic role in defining and mitigating risk, validating compliance and shoring up the three lines of defense.


For more information on Archer's perspective, contact me at

When I chose information security as my profession, it was a conscious decision.  I felt compelled towards the technology and the fascinating challenge of securing a shifting, metamorphic ecosystem.  When we think of the term “security”, in our technology context today, immediately we conjure up images of putting up walls, defenses and traps to keep the hackers, thieves and spies at bay.  But given the harsh consequences, bordering on the catastrophic in some cases, of the security incidents today, I feel we need to re-think how we define security.  I wrote in my blog about adding “Value” to the Confidentiality, Integrity and Availability principles of information security.  The more I think about it, I think we may need to redefine the term Security, in general, in our industry.


As a father and husband, my family’s security is always a consideration.  However, I don’t just think of the locks on the doors and windows of our home.  I factor in many other elements.  I consider our financial future.  Am I investing enough to ensure financial stability in the future?  I consider our health.  Are we going to the right doctors?  I consider our emotional happiness, my children’s education, our values, and our ability to live long productive lives.  My vision of my family’s security goes well beyond just their personal safety.  It projects into the future.  It is holistic.  It isn’t just “defense against bad things”.  My definition of the security of my family is protection of their immediate and long term well-being.


Working for RSA – the SECURITY division of EMC – I am constantly aware of some of the immediate (and I assert inaccurate) reactions to that label.  Security in this age does NOT mean just defensive measures.  To me, RSA, as the SECURITY division of EMC, is therefore chartered to help our customers protect their immediate and long term well-being.  Just like considering more than locks on the doors of my home, this mandate goes well beyond traditional security concepts.


Is the business protecting its financial viability for the future against all threats? Some of the threats are absolutely related to the hackers, thieves and spies.  Cyber-risk is top of mind for all companies now and the connection between the technology and the business has undeniably hardened.  However, threats such as natural disasters, compliance failures, poor governance, fraud, and a host of others can impact this financial viability with equal violence.


Is the business making the right relationships – or managing the risks around the external parties that contribute to the company’s strategy? No company is an island today.  Some business function, operational element or widget critical to the company’s success is outside its control.  Managing relationships with vendors, service providers and business partners is essential to long term welfare.


Is the company fostering a risk aware culture and enabling their employees to make the right decisions? Just like concern around my family’s education and values, a secure organization means that the people, the first line of defense against many of today’s risks, understand the long term implications of their actions and make the right choices.


These elements of ‘security’ point to a broader, grander vision beyond the traditional boundaries of technology security.  Within RSA, the addition of Governance, Risk and Compliance concepts on top of conventional protection strategies implemented through innovative technologies brings these extra, necessary elements to the mix.  If today, business IS technology – regardless of the industry – we can no longer think in the same terms and differentiate between technology security and business security.  Business security, like my family’s security, is beyond locks on doors.


There has been much prognostication on what 2015 holds.  My proposal for you to consider is to explore a broader definition of security with your business stakeholders and engage in the discussion of the health and wellness of the company.  Take security beyond its traditional boundaries.  Go beyond the bits and the bytes.  Factor in the full range of threats your organization faces.  It cannot just rest on the few InfoSec resources within the company.  We have seen what happens when the entire company - management included - has not engaged against digital threats.  When you discuss Security (capital “S”), think of it as the protection of the immediate and long term well-being of the company.


This mindset elevates your conversation about IT security into the world of operational risk management, connecting digital risks with the broader business risk.  For more information on Operational Risk Management, see Gartner's latest report.
