
A great deal has been written about what makes for Good Governance.  This is a topic of interest for organizations in every industry and geography, profit and non-profit.  I have written about this a little bit before in my blogs: the importance of having a strong risk culture and the Role Tone at the Top Plays.  Good Governance means having a strong risk culture, reinforced by the organization’s leadership team.  As the adage goes, this isn’t just about saying what you mean but meaning what you say.  To motivate an organization, leaders should not only say “do the right things”, they must lead by doing the right things, and reinforce their message that everyone should do the right things.


One of the easiest steps that leaders can take to demonstrate that they mean what they say and to reinforce their message that everyone should do the right things is to actively pay attention to the organization’s outstanding issues.  Issues arise in the normal course of business in every organization.  Sometimes issues are raised by internal and external auditors and regulators, but often they are self-identified by managers in functions such as Operations, Legal, Compliance, and Risk Management.  When leaders track issues they better understand where they need to remove barriers to success, allocating limited resources to solve problems on a prioritized basis.  When leadership shows that they are monitoring the issues faced by their management team and that they have a keen interest in their resolution, guess what? Managers throughout the organization pay a lot more attention to resolving issues in a timely manner.  Issues don’t accumulate, get stale, or sometimes get forgotten.  The volume of audit and regulatory findings declines, and dreaded repeat findings never occur.


Of all of the Archer use cases an organization can implement, Issues Management may be the easiest and most impactful.  If your organization does not actively manage its issues, I encourage you to learn more about Archer Issue Management and enjoy this fun video!

With Glenn Frey’s passing last week, I was reminded of all the great songs he wrote for the Eagles. As I started going down a list of hits, something dawned on me: a lot of Eagles songs can be used as recommendations for an efficient risk management program. Here are a few examples:


Take it to the limit: Risk management is all about knowing what level of risk is acceptable. Risk is a by-product of innovation and production. You need to have some risk in order to achieve goals. The key is to know what the limit is, what the acceptable risk is, your risk appetite and tolerance, and not go beyond.


You are not alone: If you are a risk manager, you are not the only person responsible for managing risk in your organization. In fact, you could argue that every employee has a responsibility to manage risk. This is especially true when you look at the 3 lines of defense concept that outlines responsibilities for the 1st line of defense (Business Owners), the 2nd line of defense (Risk Managers) and the 3rd line of defense (internal auditors).


I can’t tell you why: But a Risk Manager should be able to. Whenever your company suffers a loss, you should be able to determine the underlying reasons for such a loss. Performing root cause analysis is crucial to avoid reproducing the same mistakes.


Life in the fast lane / The long run: There is a fundamental paradox with Risk management. It’s a reactive discipline that deals with emergencies and crises as they arise, but it’s also a long term program that relies on processes, planning, policies and tools to make dealing with a crisis easier. Solving that tension between the fast lane and the long run is not a small challenge.


Wasted time: Running a risk management program takes time. A self-assessment campaign, where you need to get inputs from business owners throughout your organization, is a big undertaking with a lot of low-value tasks. This process can be made easier and more time efficient by tools.


Lying eyes: I know the song is about kept women and cheating, but the idea that your eyes can not only betray you but also deceive you is relevant to risk management. Your eyes might be lying to you when assessing the likelihood and impact of a risk. Expert opinion is valuable, but so are hard data and analytics. Trust your eyes and your assessments, but back them up by cross-referencing losses, findings and controls to root your assessment in reality.


Take it easy: Risk Management programs generate a lot of noise and traffic. There are events, new risks, failing controls, new findings on a weekly if not daily basis. It’s easy to get lost and feel overwhelmed without some kind of filter to sift through all the information and focus on what is relevant. Take it easy on the small stuff so that you can devote your resources to what is an actual threat.


Peaceful easy feeling: what you should ultimately feel, not that nothing wrong is going to happen, but being confident you have the processes and tools in place to deal with what will happen when it does.


Now, even if I tried really hard, I wouldn’t be able to explain how Hotel California relates to Risk Management, it has more of a Business Continuity Management feel to it I’d say.



Whoa, wait a minute… is this a psychology lesson? Well, if so, hopefully it's no less comfortable than your favorite chair!


Last week we kicked off a new blog series on Issues Management. Read Steve’s initial volley here which neatly frames up the problem of the "Issues Pit". This week I'll discuss the process of compensating for gaps, an often overlooked aspect of managing issues.


Basic risk and control doctrine calls for identifying multiple methods to address risk. We generically refer to these risk mitigation methods as controls. Typically (though not always) the more controls we can identify for a particular risk, the better. As such, it's the nature of things that some controls will be deemed more important than others. Some will be so important that they'll be required to be in place all the time and will usually receive some kind of flashy label like “key control”, “primary control”, etc.


Since it’s inevitable that controls can and will fail, those important key controls will often benefit from having other secondary controls to backstop the primaries and reduce the impact of a control failure. This is all very sensible and seemingly omnipresent, not just in business but in practically every aspect of daily life. (The generic example of speed limits + seatbelts + airbags + baby seats comes to mind.)


If control issues are unavoidable then it's certainly preferred to discover them on your terms versus some external actor. That's the worst case scenario. Nothing throws an organization into a panic faster than an unplanned crisis. And in almost every case, after action analysis will point to control failures as contributing factors or root causes. In other words, controls must be regularly tested to ensure they function properly; underpinning the essential discipline of compliance. As control issues (gaps) are discovered, a remediation process to address those issues must also be in place. This is unfortunately where organizations that think they have a good handle on things may often roll the dice unknowingly.


Suppose a control issue is found as the result of implementing new business technology and the only remediation is implementing some other new, expensive system on top of it? If the only quantitative decision criterion is the purchasing cost then the organization's leadership isn't very well equipped to make an informed decision, and increases the likelihood the purchase will be pushed off. This is where the value of a GRC program can really shine.


What if the leadership had quantitative metrics on the risks associated with the control gaps that showed the cost was less than the risk? Or, what if the risk could be partially reduced through other resources the company already has under roof? Perhaps a smaller investment could sufficiently address the remaining gap. Regardless, management would have a much better framework for balancing that decision against the other strategic decisions they have to make. And when there's good intel available to inform a decision, no executive would prefer to blindly guess instead.


This mix of risks and controls and exposure is constantly shifting as businesses and markets and security threats fluctuate. A healthy remediation strategy includes the ability to quickly identify alternative controls to supplement primary control activities, or even fully compensate for them in a pinch. Understanding the criteria for determining those compensating controls, their inherent limitations, and mapping all that together is impossible without a full inventory of risks, assets, and controls and a solid system of record for managing them. This is another area where GRC capabilities are perfectly suited to deliver value through process enablement, efficiency, and risk reduction.


We've spoken before about the potential competitive advantage that organizations can harness by maturing their GRC processes. Imagine if your organization never feared an audit because your compliance posture was already assured through healthy business processes. By replacing guesswork with the ability to make informed, risk-rationalized decisions, not just for compliance, but for risk taking growth strategies, organizational leaders can much more confidently guide the business forward. In these times of extreme global competition and front page security breaches, what would that kind of assurance be worth to the leaders in your organization?


For more information check out this short video that shows how RSA Archer can help with your Issues Management process.

[Image: Gartner Revised.PNG]


About this time last year, I had the pleasure of reporting on RSA's placement as a Leader in the Gartner Magic Quadrant for Operational Risk Management. Well, I'm very happy to report that RSA has done it again: Gartner has placed RSA Archer in the Leaders Quadrant of the Magic Quadrant for Operational Risk Management which was published in December 2015.



[Image: Gartner ORM MQ grid 2015.JPG]


This is the first of several reports that will be published by Gartner in the coming months as part of their integrated "OneGRC" research program. Gartner's OneGRC program adheres to a use case based methodology for reviewing GRC technology as opposed to their historical all-encompassing Enterprise GRC Magic Quadrant approach. The placement of RSA Archer in the Leaders Quadrant in this year's Magic Quadrant report extends last year's placement as a Leader for Operational Risk Management and we believe demonstrates continued momentum in GRC and operational risk. 


Gartner uses our customers' reviews of RSA Archer technology capabilities as part of their evaluation process along with other criteria. So, thanks to all of you that took time to participate in this year's survey. We truly appreciate you spending your valuable time to share your thoughts and experiences with the Gartner team!


We value Gartner's insight on changes in the practice of risk management because they interact with so many organizations around the world regarding risk management program activities. Of particular interest to us this year is Gartner's observation that "Chief risk officers and information security officers are seeking to integrate their GRC software solutions to gain a more holistic view of risk across the enterprise." We, too, are hearing this from our customers and see it in analyses via Enterprise Risk Management (ERM) surveys. Organizations globally seem to be moving toward ERM. In fact the practice of ERM has reached critical mass. Why is this? Perhaps as EY reported this year, companies in the top 20% for risk maturity generated three times (3x) the level of EBITA than those in the bottom 20%!


If your organization is in the process of enhancing its Operational Risk Management program maturity or testing the ERM waters, I encourage you to reach out to our team and learn more about our Operational Risk Maturity Model Assessment program.


Interested in seeing more details from the Gartner Magic Quadrant for Operational Risk Management? We've made the report available here and encourage you to share it with your colleagues and management team.


This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from EMC RSA.  Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.


Issues – we all have them.   I should clarify that statement.   I am not talking about you personally or referring to the ‘lie on the couch, tell me about your relationship with your mother’ types of issues.  I mean – all organizations have issues.   Some are big and some are little but all organizations find gaps in their processes that cause some level of concern.

Security, risk and compliance professionals must feel like therapists at times.  Every Risk and Compliance process identifies issues and most organizations end up with a virtual yellow legal pad of issues (just like a therapist uses).  The story is always the same:  an issue is found and then cataloged in some spreadsheet.  That spreadsheet is then emailed around to various parties who dispute the issue, plan the remediation or assess the risk.  Ultimately, that issue becomes a bullet point on some presentation for management to review.  The spreadsheet ends up on some file share and hopefully, the correct actions are taken to close the Issue mitigating the risk.

This process is replicated across the spectrum of risk and compliance processes.  Risk assessments identify possible risks.  Compliance assessments find ineffective controls. Security assessments find vulnerabilities.  Audits identify regulatory or compliance gaps.   That is the nature of GRC – find those areas where the business is at risk.   Each one of those issues represents a possible exposure for the organization.  That control gap could lead to a compliance violation; the security vulnerability could lead to a data breach.  The longer those issues sit, the more likely something bad will come out of it.

I call this phenomenon “The Issues Pit”.   Scattered lists of issues and findings in various documents (Excel, Word, Exchange, Sharepoint) with no consolidated view of outstanding issues related to audits, compliance or risk assessments leads to missed issues that fall through the cracks.  Limited documentation on current or planned remediation efforts to address open risks can lead to missed deadlines or poorly planned projects to remediate identified exposures.  All of this spells doom – or possible doom – for the organization.

Issues Management is one of the foundations of governance, risk and compliance.  Regardless of your level of maturity in risk management, there are issues being raised by some processes.  How those issues are treated and tracked is the deciding point of failure for many organizations.  Sometimes things are missed and there are consequences.  That happens.  But too often, known issues are the root cause of serious consequences such as breaches of personal information, a business disruption or a repeat audit finding.

What can be done?

First, identifying the processes that raise issues to the surface is the best place to start.  Where do the issues come from in the first place?  What is the method of delivering the issue (audit report, spreadsheet, automated system)?  Who owns the process that finds the issues?

Second, determine how issues can be consolidated.  Once you know which processes are identifying the issues and how those issues are delivered, defining a common taxonomy to describe the issue is necessary to start consolidating.  What makes an issue?  What are the best descriptors to “bucket” issues such as business unit, business process, application or organizational function?

Third, work out the process that communicates, tracks and manages the issues.   Issue resolution will be owned by various parties so keep in mind prioritization will be critical in how issues are presented.  Designing a process to fold in more and more business context (what the issue really means in terms of business risk) should be part of the long term plan.
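As an added illustration of the three steps above (not part of the original post, and not Archer's data model), here is a small Python sketch of a consolidated issue register: three constructed feeds in different shapes (an audit report, a spreadsheet, an automated scanner) are normalized into one taxonomy, duplicates of the same finding are merged, and the register is ranked by severity and age so that stale items surface for prioritization. The field names, the category list, the severity scale and the 90-day staleness threshold are all assumptions made for the example.

```python
from dataclasses import dataclass, replace
from datetime import date
from typing import Callable, Dict, List, Tuple

# Common taxonomy for the consolidated register (assumed for this example)
SEVERITY = {"critical": 4, "high": 3, "medium": 2, "low": 1}
CATEGORIES = {"control gap", "vulnerability", "compliance gap", "risk"}
TODAY = date(2016, 1, 18)          # constructed "as of" date for the example


@dataclass(frozen=True)
class Issue:
    key: str            # normalized dedup key: business unit + title
    source: str         # process(es) that raised the issue
    business_unit: str
    category: str
    title: str
    severity: int       # 1 (low) .. 4 (critical)
    raised: date        # when the issue was first identified
    owner: str

    def days_open(self, today: date) -> int:
        return (today - self.raised).days


def _key(unit: str, title: str) -> str:
    return unit.strip().lower() + "|" + " ".join(title.lower().split())


# One adapter per source; each maps that source's shape onto the taxonomy.
def from_audit(rec: dict) -> Issue:
    return Issue(_key(rec["unit"], rec["finding"]), "internal audit", rec["unit"],
                 "compliance gap", rec["finding"], SEVERITY[rec["rating"].lower()],
                 date.fromisoformat(rec["date"]), rec["owner"])


def from_spreadsheet(rec: dict) -> Issue:
    return Issue(_key(rec["BU"], rec["Issue"]), "risk self-assessment spreadsheet",
                 rec["BU"], "control gap", rec["Issue"], SEVERITY[rec["Severity"].lower()],
                 date.fromisoformat(rec["Opened"]), rec["Owner"])


def from_scanner(rec: dict) -> Issue:
    return Issue(_key(rec["host_owner_unit"], rec["name"]), "vulnerability scanner",
                 rec["host_owner_unit"], "vulnerability", rec["name"],
                 SEVERITY[rec["cvss_band"].lower()], date.fromisoformat(rec["first_seen"]),
                 rec["owner"])


# Constructed sample feeds. The audit finding and spreadsheet row describe the same gap.
AUDIT_FEED = [
    {"ref": "AUD-2015-17", "unit": "Finance", "finding": "Quarterly user access review not performed",
     "rating": "High", "date": "2015-09-01", "owner": "j.doe"},
]
SPREADSHEET_FEED = [
    {"id": 3, "BU": "Finance", "Issue": "quarterly user access review not performed",
     "Severity": "medium", "Opened": "2015-10-15", "Owner": "j.doe"},
    {"id": 4, "BU": "Retail", "Issue": "PCI segmentation not validated",
     "Severity": "high", "Opened": "2015-12-20", "Owner": "a.smith"},
]
SCANNER_FEED = [
    {"plugin": 4711, "host_owner_unit": "Retail", "name": "TLS 1.0 enabled on web tier",
     "cvss_band": "Critical", "first_seen": "2016-01-05", "owner": "a.smith"},
]
FEEDS: List[Tuple[Callable[[dict], Issue], List[dict]]] = [
    (from_audit, AUDIT_FEED), (from_spreadsheet, SPREADSHEET_FEED), (from_scanner, SCANNER_FEED),
]


def consolidate(feeds) -> List[Issue]:
    """Merge all feeds into one register; the same finding from two sources becomes one entry."""
    register: Dict[str, Issue] = {}
    for adapter, records in feeds:
        for rec in records:
            issue = adapter(rec)
            assert issue.category in CATEGORIES
            existing = register.get(issue.key)
            if existing is None:
                register[issue.key] = issue
            else:
                # Keep the earliest date and the worst rating; record both sources.
                register[issue.key] = replace(
                    existing, source=existing.source + "; " + issue.source,
                    severity=max(existing.severity, issue.severity),
                    raised=min(existing.raised, issue.raised))
    return list(register.values())


def prioritize(issues: List[Issue], today: date) -> List[Issue]:
    """Worst severity first, then the oldest open item; key breaks ties deterministically."""
    return sorted(issues, key=lambda i: (-i.severity, -i.days_open(today), i.key))


def stale(issues: List[Issue], today: date, max_days: int = 90) -> List[Issue]:
    """Issues open longer than the (assumed) 90-day threshold."""
    return [i for i in issues if i.days_open(today) > max_days]


if __name__ == "__main__":
    for i in prioritize(consolidate(FEEDS), TODAY):
        print(i.severity, i.days_open(TODAY), i.business_unit, i.title, "<-", i.source)
```

The point of the adapters is step two: each source keeps its own delivery format, but the register only ever holds issues in the shared taxonomy, so business unit, category and severity can be compared across audit, self-assessment and scanner output. Ranking and the staleness report are step three: prioritization by severity and age, with the "who raised it" trail kept on the merged record.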

In December, I participated in a webinar through Compliance Week discussing Issues Management.  We talked about the “Issues Pit” and strategies to address this critical part of your GRC program.  Our customer panelist shared his experience with this pressing issue and gave some great advice on how to think about improving your Issues Management process.  In addition, check out this short video that shows how RSA Archer can help with your Issues Management process.


SDLC Risk is Huge

Posted by Marshall Toburen, Jan 7, 2016

In a previous blog I suggested that the biggest operational risk to an organization these days relates to System Development Life Cycle (SDLC) failures.  I was again reminded of this when I saw the article in the Wall Street Journal this morning related to Finish Line Inc.  According to the article, “a new warehouse and order-management system caused a supply-chain disruption” as “the new system couldn’t process orders fast enough.”  This systems failure significantly impacted sales revenue, profitability, and stock price and the organization is now planning to close a quarter of its stores and change its chief executive.


In the digital world today, it seems as if almost all organizations are becoming critically dependent on software in one way or another.  Bringing new software on board, and operating, changing and retiring software, can pose material risk to organizations, potentially even putting them out of business.  The management of software system risks requires a thorough understanding of the interconnectedness of the software in supporting the organization’s business processes, product delivery, and strategic objectives.  SDLC mistakes can manifest themselves in myriad ways including but not limited to transaction processing errors, unacceptable response times, information security vulnerabilities, regulatory compliance violations, the inability to recover from a disaster, the inability to effectively manage third party relationships, and reputational damage.


As with any operational risk, the first step in managing this risk is to acknowledge that it exists and reasonably estimate how big it is in a worst-case scenario.  From that point you can plan the risk mitigation and transfer steps and move into a monitoring mode to ensure the issues get resolved as quickly as necessary to meet your objectives.  All of this is much easier said than done, but you’ve got to see through and understand the complexity if you want your organization to have sustained success.
