
I think back to a handful of audits over my career as an internal auditor where the people performing the function we audited just seemed to get it right. They knew how to run their business, but they were also managing their risks well, they had good controls in place, and there were very few, and only insignificant, findings. Ahhh, what a dream. However, the vast majority of the audits were a different story. The thought I had over and over again was, “I just wish these people would think through their risks and their potential impacts, and consistently implement the right controls” (versus what they thought the auditors would want). Their issues were a lack of understanding, incentive and ownership. In my first example, ownership existed. In the second, ownership over risks and controls was lacking.


In all fairness, these poor folks were stretched about as far as they could be just running their business, let alone performing risk management. Fast forward to today’s world, where risk management is expected at all levels of the business - and not just because it’s good practice, but because everyone expects it, from regulators to customers to boards of directors, and more. The good news is that more companies are starting to recognize this and do something about it. I’m not just talking about industries where risk management has been standard practice for years; most industries are seeing significant advances in maturity. This is where the auditors can begin to breathe a little easier (just a little) for two reasons. One, the 2nd Line of Defense (LOD) groups, such as Operational Risk Management (ORM) and Compliance, are getting their act together in terms of their approaches, capabilities and people, so much so that Internal Audit (IA) can rely on their work more than ever before. However, the second reason is more significant and points to the title of this blog - everyone is starting to own risk.


Do we have a long way to go before everyone actually owns risk at their level in their organization? Of course, but it’s starting to take place and I’ll give you some reasons why. Certain industries like financial services, utilities and transportation have, out of necessity, had risk management in place for many years and have matured ahead of the curve; for example, insurance practices have incorporated risk management into their standard operating procedures and how they make money since their inception, so the concept is more fully integrated. Next, risk standards like ISO 31000 and COSO have long expounded the reasons for and benefits of managing risk, and those companies following the standards have moved forward at a faster pace in their risk management capabilities. Further, as regulatory bodies and their standards across most industries and geographies have advanced, they almost all include requirements for risk management practices. Finally, and more personally, the consequences for customers and even company executives of not having effective risk management programs in place have all but brought some well-known companies to their knees lately.


As risk experts at RSA Archer, we work with hundreds of companies to help them manage their risks and implement controls, and even though we have a long way to go, I see a collective improvement - I’ll call it the “rising tide effect”.  Ever heard the analogy that a rising tide lifts all ships? I used it in a prior blog but I love it and it’s applicable here because it’s happening in risk management, and helping more people in more companies at all levels understand, take ownership and do something more about their risks than ever before.  Because of the reasons I stated earlier and many more, this rising tide of risk management is helping us all to be better managers of risk.


Another factor I’ll mention is technological advances. Risk systems have improved over the years as Governance, Risk and Compliance (GRC) technologies have become more and more ingrained in companies, helping the tide rise even more. In fact, I’ll say the tide is turning because Archer is helping companies not only reduce bad risks but take advantage of positive risks to gain competitive advantage. We believe that the ability to harness risk and transform compliance is an untapped source of competitive advantage to fuel the enterprise. That’s why we’re so excited to announce the recent launch of RSA Archer GRC 6. With new features to bring technology and business processes together, we’re better able to help everyone own risk within their organization. Two fundamental improvements we think will help raise all ships:

  • User Friendliness - We recognize that not everyone uses Archer every day, so we’ve completely redesigned the look and feel to include a walk-up friendly, task-driven user landing page, along with drag-and-drop advanced workflow functionality so you can still configure Archer to meet your business needs.
  • Managing Risk - One of the main challenges in most organizations is not identifying the risks, but doing something about them. Our new ORM capabilities walk users through the process to self-assess, and to identify and act on known and emerging risks, with specific workflow for business users (1st LOD) and 2nd LOD groups like ORM, enabling them to work together.

There is lots more to this launch, so check out our Virtual Launch event to hear more about RSA Archer 6.

I want to mention the effects all of this rising tide of risk management has on our audit friends. IA has been extolling the virtues of risk management for years through the recommendations it makes to companies on implementing controls and better understanding their risks and exposures. The fact that we see more companies, and individuals within them, understanding and owning risks is a fundamental and welcome shift. The goal of every internal auditor I’ve ever met has been for “the business” to own its risks and controls, like my example at the beginning. The fact that this tide is definitely rising isn’t lost on this former internal auditor, and I can’t wait to see where it goes next!

If you have additional thoughts, views or examples, email me at or tweet me at @pnpotter1017.

Through the years, as federal information assurance professionals, we’ve seen a lot of adjustments and evolution. We had an arms race in buying newer and better firewalls, more secure networking devices, IDSs, IPSs, and SIEM tools. We bought generations of scanners and sensors. We watched several iterations of C&A and A&A methodologies come and go. FISMA took its first lumbering steps, and about a dozen VERY expensive years later, it was rewritten. The evolution in each case was toward a more dynamic and risk-based approach. From bastion to defense in depth. From rules-based to heuristic. From a mountain of logs to a prioritized few. FISMA is trying to do the same thing: to move from a checklist exercise to embracing continuous monitoring, and from crusty, three-year-old ATOs to using tangible risk metrics.


Since the economic crash of 2008, the message has begun to sink in that wartime spending increases are gone, and even though the missions seem to grow and grow, the budget has either finally hit a ceiling or faces a very slow increase for the foreseeable future. The DoD and Intelligence Community may get a little consideration for their classified systems, but overall, the federal community knows we cannot throw resources at security problems like we have in the past.


Fortunately, this fits in with the evolution examples I just gave. Moving to embrace real risk management and real risk-based allocation doesn’t just save money, it will actually force federal organizations to think and behave in ways which make them more secure.


To this end, at RSA, we strive to make tools to enable true risk management and inspire it within organizations. This is why I’m happy to announce the upcoming launch of RSA Archer GRC 6. I don’t want to derail the risk message I’m building up to by stopping to describe the new features, so here is a short video that hits the high points and shows the new interface, etc.


Back to my point: Federal organizations need to continue to infuse more risk-based decision making into their cultures. What do I mean by that? As part of the launch of RSA Archer GRC 6, we had a virtual launch event. I would recommend you watch the launch video here. I mention the video because my colleagues centered the event on the theme “Inspire Everyone to Own Risk”. This theme strikes the perfect tone because, first, it showcases the best new features of Archer v6, but, more importantly, it ties in with the evolution thread above.


Federal organizations must empower more, if not all, employees to understand risk, and to make risk decisions and help manage risk at their own respective levels within the organization. In the launch video I mentioned, one of my colleagues points out an excellent white paper from COSO related to this subject. It is similar in many ways to federal documents like NIST SP 800-37 and 800-39, but adds a few extra elements, and it is refreshing and enlightening to hear these topics being discussed by a different community, with a slightly different perspective. This doesn’t just mean FISMA and OMB compliance. It means getting the teams within your organization to agree on a common risk taxonomy and common goals. It means ORM/ERM and using resources like AFERM and the Maroon Book in your organization.


It is for all of these reasons that when I see our new RSA Archer GRC 6, I notice and appreciate most the new features focused on role-based views and reports, task-driven landing screens, and advanced workflow capabilities. These features break down the silos between teams and empower each layer in the organizational hierarchy to own and manage their piece of the risk.


Inspire everyone to own risk.


Thanks for reading. Comments or questions? Email me.



We often speak about the rate of change in today’s fast-paced business environment and the challenges associated with trying to keep up and adapt. So why does “operating in a reactive mode” keep getting a bad name? What’s so inherently wrong with that? Wouldn’t “not” reacting be worse? And what other choice do we have…really? Heck, in some cases not only does it make sense to “wait and see,” there’s practically no other option.


The reality is there’s actually a lot of truth in that contrarian view. If you’re able to react quickly and effectively and manage the churn reasonably well then yes, on any given day things are probably fine. You monitor a few metrics here and there and things hum right along. That is until they don’t.


While the faceless straw man has always been available to enliven the debate, for the longest time it was limited to the theoretical and therefore easy to disregard, or at least to tune out. But that was then and today things look much different. Today we need terms like advanced persistent threat, global hacktivism and crushing regulatory pressure to even begin to describe the business environment we’re all operating in. Yesterday chances were the infrequent normal network anomaly actually was just a power spike. Today it could legitimately be the ground zero event that signaled the end of your business.


And therein lies the first big problem with being strictly reactive. Even with vigilant preparation, it’s simply becoming less and less effective to procrastinate until there’s something tangible to react to. Inherent operational risk has skyrocketed in today’s interconnected global marketplace. Combined with the volume and velocity of changes an average organization deals with, it’s become too much for many to keep in check, which is the second big problem with a purely reactive posture. Companies that can’t react efficiently enough to beat the buzzer have, by definition, failed to react in time.


The good news is there is an alternative approach to reposition further ahead of the threat landscape and reclaim that lost time horizon. It begins with increasing our inherent risk intelligence and a philosophy shift toward choosing to actively hunt for threats to the business just like we hunt for opportunities. Because today those two concepts are in fact one and the same and those able to embrace that new operational paradigm will not only survive, they'll thrive. We remain vocal about our belief that the ability to harness risk and transform compliance is an untapped source of competitive advantage to fuel the enterprise. That’s why we’re so excited to announce the upcoming launch of RSA Archer GRC 6!


With loads of new features to bring technology and business processes together, we’ll not only enable but INSPIRE everyone to own risk within an organization:

  • A new user experience for all RSA Archer GRC solutions, including a walk-up friendly, task-driven user interface and drag-and-drop advanced workflow functionality. All solutions will see the updated interface that includes the new color scheme, fonts, icons, navigation and more. Advanced configuration options include task-driven landing screen integration, workflow chevrons, action-driven user interface, multi-layout workflow, and more.
  • Identify, assess and act on known and emerging risks – RSA Archer Operational Risk Management provides an end-to-end risk management framework to identify, assess, decision, treat, and monitor existing and emerging operational risks. Archer’s advanced workflow capabilities enable first line of defense business unit managers and second line of defense risk managers to quickly and easily adjust risk management processes as part of their daily routine.
  • New capabilities for RSA Archer Operational Risk Management: risk and control self-assessment lifecycle functionality; enhancements for loss event origination, routing, and approval; and metrics management. Plus, improved out-of-the-box workflow, reports, user personas and dashboards that align with the “three lines of defense” principle.


RSA Archer GRC 6 is the latest milestone in our GRC mission, which is to equip you with the best possible tools to navigate your own GRC journeys. By connecting the dots between key business elements, strategies, risks, and obligations, organizations can get a clear picture across the entire enterprise to make proactive decisions that minimize the effects of external change and maximize opportunities to grow the bottom line.


Don’t miss our Virtual Launch event Tuesday, November 10th at 11:00 EST to hear how RSA Archer 6 can inspire your users to own risk.

Today’s business environment is fraught with risk. Economic, technology and market conditions affect organizations on a daily basis. The constantly “changing risk landscape” is a discussion point in headlines, industry forums, media outlets and board rooms.   Risk management will become the core capability which separates winners from losers. Organizations that understand and manage risk effectively will prosper while those that can’t will fail.  Success starts with the ability to manage risk in a manner that frees up resources to focus on the company’s long term, strategic objectives. Risk Intelligence gives companies the confidence to harness risk to explore new opportunities.

The RSA Archer Risk Intelligence Index is a simple measurement of the six major dimensions of risk management that organizations must address in order to turn risk into a competitive advantage to fuel the enterprise.  In October 2015, RSA completed a global survey of almost 400 organizations to gather insight into current trends and perceptions regarding Risk Management. The survey utilized RSA’s proprietary Risk Intelligence Index to ask questions around key areas of risk and how organizations are addressing the changing risk landscape.

I am happy to announce the publication of an eBook highlighting the results from the survey.

Download the eBook here.

There is no question organizations today are in a rapidly changing risk environment, and the pressure to improve risk management practices is being driven top down from boards and executives. Managing a cultural shift from reactive box-checking for compliance to a more proactive risk management model requires change and participation across the organization. A cohesive risk environment protects against loss while supporting as much growth as possible. But this shift relies on common processes for measuring and reporting risk postures across the enterprise being integrated into daily business practices. Plus, organizations must be able to share risk information with stakeholders, provide a thorough understanding of the risk environment, and communicate the potential impact risk could have on the business, both good and bad. When you can proactively link risk management to business objectives, risk becomes a new source of competitive advantage.


In addition, given the velocity at which risks continue to emerge, risk management can no longer be the sole responsibility of the risk professional. While the risk management team is a critical part of the organization’s risk management framework, business units or operations management must be more directly involved in the identification, assessment and remediation of risk. Business unit managers are the most likely to know what is going on within their business units, what is changing, what risks are emerging and what risk treatments are being implemented. Business units have the best knowledge of which controls are operating and which are not, and they are ultimately accountable for their risk and internal control framework.


Hence the many drivers for Governance, Risk and Compliance are churning away, and technology is a key part of those strategies. When you think of GRC technology solutions, most people immediately focus on the technology itself. However, technology is not just about writing code. Technology today is about inspiring people to change the way they think and live. Think about the piece of technology everyone has in their pocket or purse today. Mobile technologies inspire people to change the way they live every day. They connect with old friends through Facebook, they manage their finances on a daily basis through mobile banking and monitoring stocks, they share a picture of their lunch on Instagram.


GRC solutions must do the same. They need to INSPIRE the users to change the way they think about compliance and risk. Just as the GRC program needs to change the way the business unit managers and front line employees conduct their business, the technology underpinning that effort needs to fuel that shift in thinking.


This is why I am so pleased to announce the upcoming launch of RSA Archer GRC 6, which brings together technology and business processes to inspire everyone to own risk within an organization. This release offers:

  • A new user experience for all RSA Archer GRC solutions, with new features including a walk-up friendly, task-driven user interface and drag-and-drop advanced workflow capabilities. All solutions will see the updated interface that includes the new color scheme, fonts, icons, navigation and more. Advanced configuration options include task-driven landing screen integration, workflow chevrons, action-driven user interface, multi-layout workflow, and more.
  • New capabilities for RSA Archer Operational Risk Management include end-to-end support for the self-assessment lifecycle; enhancements for loss event origination, routing, and approval; and metrics management. These features are designed to better engage business unit managers (the first line of defense) and risk managers (the second line of defense) in the organization’s risk management program. Operational risk use cases come with out-of-the-box workflow, reports, user personas and dashboards that align with the “three lines of defense” principle.

Trying to get a clear risk picture across the business is typically chaotic and incomplete, despite an organization’s best efforts. RSA Archer GRC 6 is the latest step in providing a solution that uniquely provides a holistic risk viewpoint, with business context tracked across all risk use cases. Business units can establish the business entities, assets, products, services, and processes that have the highest impact on the bottom line, and use RSA Archer as a lens through which to review different risk types, including continuity, compliance, cyber or security, resiliency, and supplier risk.


Join us for a Virtual Launch event next Tuesday, November 10th at 11:00 EST to hear how RSA Archer 6 can inspire your users.
