
We believe organizations today face more risks and changes than they are positioned to keep up with.  Business Continuity Management (BCM) or Business Resiliency (BR) programs are no different. These programs have existed for many years, yet most have not evolved to keep up with the magnitude or velocity of business changes, risks or compliance requirements their organizations face.


In order to truly mature from business recovery to driving true resiliency into their organizations, teams must collectively address risks and compliance with their governance, risk and compliance (GRC) programs.  They must take a coordinated, risk-based approach because siloed, BCM-only approaches are not sustainable.  Most BCM teams agree with this, but the most common question is, “where and how do we start?” 


The first step is to understand where your BCM program lies on the maturity spectrum versus where you should be.  The RSA Archer Maturity Model defines five stages as follows:

[Image: Maturity Model]

The Siloed stage – where many organizations sit today – relies on the constant fire-fighting mode of BCM teams.

[Image: Siloed]

The focus is mainly on compliance activities and reacting to basic risks, such that they cannot see beyond the immediate threats. BCM programs in the Siloed category are usually addressing risks and compliance by themselves.


In order to move from Siloed to the next phase, you need to Transition by taking “Compliance stress” off the table and solving regulatory needs in the most efficient and effective manner.  This requires building a cohesive strategy to deal with the basic requirements of doing business by:


  • automating compliance processes and eliminating duplicative efforts and data silos;
  • focusing on building effective processes such as the business impact analysis (BIA), incident management and recovery planning; and
  • collaborating across IT and business functions to establish connected strategies.

Once you free up resources from compliance activities you can start directing those activities to evaluate and respond to risks, which moves you into the Managed stage.  In the Managed stage, you have expanded your visibility into issues through a common data repository and analytical capabilities, defined and improving BCM processes, and efficient methods to measure, monitor and report on BCM activities.  Compliance and risk processes are in an operational state – repeatable, consistent and resulting in solid reporting of gaps or issues. Organizations in this state become aware of the various risks they are juggling and put in individual plans to manage these risks within the context of a broader strategy. The organization understands the risks on its landscape. This progress is fueled more and more by visibility into risk through metrics and analysis capabilities.

[Image: Managed]

In order to move from Managed to Advantaged, organizations need to Transform from recovery planning to driving business resiliency by connecting risk to business value, needs and activities, and moving beyond just managing risk to anticipating the business’ needs.  This allows the organization to stay ahead of emerging threats, and to design controls and plans to deal with the full variety of today’s threats while meeting business objectives - moving the program into the Advantaged stage.


In the Advantaged phase, organizations have anticipated and conquered the ‘negative’ risk landscape through prescriptive and pre-emptive measures and are poised to help the business explore the opportunity, or positive risk, landscape.  A good example is an organization that improved its risk assessment process for new products and services from an over 40-day process to a six-day turnaround. This enabled business executives to evaluate new business opportunities (i.e., positive risks) more quickly.  This is what it means to manage risk at the pace of your business.

[Image: Advantaged]

RSA Archer’s BR solutions enable organizations to automate much of their planning and execution, focus on addressing risks effectively and become a “business-enabler”.  Our latest Archer release, 6.1 in June 2016, enables organizations to implement individual use cases that help them move up the maturity spectrum.  Look for my next blog where I describe the use cases and how they can benefit your BR program as you advance toward business resiliency.

For those of you who don’t know me, I am Anya.  And, I have been part of the Archer team for almost 10 years.  Not only that, but I have also spent all of these 10 years being part of Archer support in various capacities.  Tenure like that is almost unheard of in this day and age, and some may think that I am a relic in my thinking, but I will tell you why I have done it.


My background was not in service.  Yet, when I joined the Archer team and began my journey in support, I was amazed at the focus the company put on customers and their satisfaction.  Of course, in support we focus on solving technical problems, but I believe it goes much further than that.  We, as a business, have always focused on making our customers successful.  And, that was always at the core of what we were doing.


For me, that has struck something that I have not been able to shake off or get bored with for this long of a time.  And, while that has always been the fabric of our being here, it has taken on a renewed life as we have formed a Total Customer Experience (TCE) forum to ensure that we don’t only preserve this approach, but instill it as a culture to each and every person who walks through our doors.


Focusing on customer experience is not limited to a particular team.  Of course our Professional Service teams try to ensure that customer satisfaction is maximized when planning and building out a project; of course our support engineers focus on solving the problems so that customers are more successful.  But customer experience begins before the first call to a vendor is made and is present throughout the lifecycle of the relationship.  It involves everything from our community and marketing materials, to our admin who is greeting people at the door of our office buildings. 


As part of our TCE forum, we are focusing on every interaction we have with our customers and examining all of our processes.  We are working to ensure that we are operating with customers’ goals and experience in mind.  As with anything, there are some quick wins and short term opportunities, but there are also big things to work on over time.  This is definitely a journey.  But, my hope is, that it is a journey that we all take together and through it become even better partners and advocates of each other.


It has been my focus to ensure that we in support do everything possible to make our customers successful for almost 10 years now.  And now, I am so excited to spread that focus to the whole team.  If you have any thoughts or ideas to share about your experience (good or bad), opportunities for our focus, or ideas to consider – please do. 


Thank you!


An important benefit from our recent release of RSA Archer 6.1 is an alignment of organization maturity with the technology to support it. Building a mature IT and Security Risk Management program takes time and commitment.  It requires and is marked by a balance of the right technologies, processes, and people. 
The progression of an organization’s IT and Security Risk Management program maturity can be characterized in stages:

Siloed
Less-mature organizations are typically very reactive and compliance-oriented. They attack individual risks and compliance initiatives within an isolated strategy. Their strategy relies on the constant fire-fighting modes of their front line and functional employees.  Their focus is so much on compliance and tactical risks that they cannot see beyond the immediate. 
Organizations at this level have the basic capabilities to detect and remediate threats and defects, and they can manage incidents, but their tools and processes are siloed. This leads to poor reporting and visibility and maximum pain and stress for the security admins. Another effect of this culture is that the organization is exposed to individual threats and defects for longer than necessary.

Managed
In order to transition from the Siloed to the Managed stage of maturity, organizations need to focus on integration between tools and on using automation where possible to streamline assessments and compliance activities.  When tools and people are better integrated and share data more freely, visibility is improved, new insights can be made, and these insights lead to better decision making.
Another hallmark of this stage of maturity is the transition from compliance-driven to risk-driven. This means that instead of prioritizing things based on which compliance activity is due (or overdue), decisions are made using meaningful security metrics (ex: what can I fix right now that is introducing the most risk?) For these reasons, the Managed stage of maturity is the point where processes become more repeatable, consistent, and less painful for the security team to perform.

Advantaged
In order to transform an organization's program from Managed to Advantaged, organizations need to manage known and unknown risk, and identify new business opportunities.  They do root cause analyses to prevent repeats of findings. They also need to strive to roll business context into all risk decisions.  Lastly, the frequency of control assessments needs to change based on this business context. This means that the Advantaged organization has a risk view that is current and complete but does not overwhelm the staff.
An organization in this position is now ready to realize the competitive advantage of harnessing risk – beating competitors to market, launching new products and services with calculated efficiencies, avoiding those major issues that affect reputations and the bottom line.  Organizations in this phase focus on speaking “business language” instead of “risk language”. 



With the release of RSA Archer 6.1 we are making individual IT and Security Risk Management use cases available that align to this maturity journey.  
Recognizing that risk management programs go through multiple stages of maturity, maturing over time, with RSA Archer 6.1 we have aligned our solution use cases with the maturity journey.  In this way, customers acquire just the right amount of technology to enable their IT and Security Risk Management program as they need it.  They are not biting off more than they can chew or over-purchasing functionality they may never use. The IT and Security Risk Management-related activities (or use cases) we typically see implemented as organizations build their risk management program are as follows:

RSA Archer IT and Security Policy Program Management
provides the framework for establishing a scalable and flexible environment to manage corporate and regulatory policies and ensure alignment with compliance obligations. This includes documenting policies and standards, assigning ownership, and mapping policies to key business areas and objectives. Out-of-the-box content includes the most current security frameworks and control catalogs, such as the ISO 27000 series, COBIT 5, NIST 800 series, and PCI-DSS.

RSA Archer IT Controls Assurance
provides the ability to assess and report on the performance of controls across all IT assets and automate control assessment and monitoring.

RSA Archer IT Security Vulnerabilities Program
offers security teams a big data approach to identify and prioritize high risk threats. Proactively manage IT security risks by combining asset business context, actionable threat intelligence, vulnerability assessment results, and comprehensive workflows in one place. IT assets can be cataloged with a full business context overlay to prioritize scanning and response. The consolidated research platform for vulnerability management enables centralized tracking and remediation of related issues.

RSA Archer IT Risk Management
enables you to comprehensively catalog organizational hierarchies and IT assets to ensure all business critical connections are documented and understood in the proper context of IT risk management. This use case forms the basis for completeness when populating the included Risk Register with all relevant IT risks. Pre-built IT risk assessments, threat assessment methodology, and IT control repository enable you to document and assess IT controls.

RSA Archer PCI Management
enables organizations to streamline the compliance process, simplify stakeholder participation, and reduce overall compliance effort and cost. It allows organizations to jumpstart a PCI compliance program by conducting continuous assessments and providing visibility to manage and mitigate risk. PCI Management guides merchants through the completion of relevant self-assessment questionnaires (SAQs). It also provides packaging and export of compliance program results and attestation articles in a properly formatted PCI Report on Compliance (ROC) for easy submission and review.

RSA Archer Security Incident Management
enables you to address security alerts through managed processes designed to effectively escalate, investigate, and resolve security incidents. Organizational and IT assets can be centrally cataloged with a full business context overlay to drive appropriate prioritization of security events. Built-in workflows streamline the process and enable teams to work effectively through their defined incident response and triage procedures. Any issues related to incident investigations can be tracked and managed in a centralized portal to enable full visibility and reporting.

RSA Archer Security Operations and Breach Management
enables you to centrally catalog organizational and IT assets, to establish a full business context overlay to drive incident prioritization.  Built-in workflows and reporting for security incidents enable security managers to stay on top of the most pressing issues. Best practices and procedures for incident handling help security analysts effectively and efficiently triage alerts. Any issues related to incident investigations can be tracked and managed in a centralized portal, enabling full visibility and reporting. Finally, the security operations manager can effectively monitor key performance indicators, measure control efficacy, and manage the overall SOC team.

RSA Archer IT Regulatory Management
provides organizations with the necessary tools and capabilities to document external regulatory obligations. Organizations can establish a systematic review and approval process for tracking changes to regulatory obligations, understand the business impact, and prioritize a response.

RSA Archer Information Security Management System (ISMS)
allows you to quickly scope your information security management system (ISMS) and document your Statement of Applicability for reporting and certification. You can also catalog individual resources related to your ISMS, including information assets, applications, business processes, devices, and facilities, and document and maintain related policies, standards, and risks. This centralized view of your ISMS makes it easier to understand asset relationships and manage changes to the infrastructure. Issues identified during assessments can be centrally tracked to ensure remediation efforts for gaps are consistently documented and monitored and effectively addressed.
 
The RSA Archer IT and Security Risk Management solution pulls together all of the use cases mentioned above to enable greater business context, greater cohesion between the elements of the program, and better visibility.

We realize that risk management is not a challenge that can be solved simply with technology. It is a business imperative that must be addressed through a shift in focus, priority and culture within your organization, making risk management part of how everyone in your organization thinks and acts. By engaging everyone in IT security and risk processes, you can eliminate operational inefficiency and achieve your most strategic growth objectives. That’s why our collective mission at RSA Archer is to “Inspire Everyone to Own Risk.”


For more information about RSA Archer IT&SRM, click here.


Thanks for reading.
Email me with comments or questions.

RSA Archer is very excited to be recognized by Gartner once again as a Leader in the 2016 Magic Quadrant for IT Risk Management! Of the nearly dozen vendors evaluated, RSA was cited as the vendor with the highest rating for "Ability to Execute".  According to Gartner, "RSA Archer's fulfillment of critical needs, customer understanding, and insight into primary buyer identification are among the best-observed in the market."


This exciting accomplishment comes on the heels of similar leadership positions announced in the IT Vendor Risk and Operational Risk Management Magic Quadrants earlier this year. Together these represent a true market-leading ability that Archer's customers have to manage business and IT operational risk programs effectively to accomplish their goals.


[Image: 2016 IT Risk Management Magic Quadrant]

We're doubly excited for this announcement as it actually reflects an evaluation of a prior version of Archer (v5.5.3). And today our current v6.1 takes Archer's core capabilities several levels further!


We also offer a sincere thank you to our customers for sharing their valuable insights and experiences with Gartner directly. It isn't difficult to find vendors in any market preaching the importance of their customers whether they practice that or not. However here at RSA Archer our customers really do define our success and our large community of active users is at the heart of how we drive the product forward. Gartner specifically recognized us for actively gathering & considering customer input in our strategy and design decisions. Our redesigned user interface and new pricing model are just two examples of the transformational product outputs our customers have helped inspire.


Whether you're new to GRC or managing a successful program already, I encourage you to review Gartner's full report. Many valuable market insights and important elements to consider throughout all stages of GRC program maturity can be found there. And we are standing by to engage with you and answer any questions you have as we continue our mission to inspire everyone to own risk. And if you haven't already, be sure to register for 2016 RSA Charge, October 25-27 in New Orleans. This year promises to be the biggest event ever! Hope to see you there and best wishes!


This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from EMC RSA. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

In part I of this blog, I described the typical maturity progression of an Operational Risk Management Program.


Recognizing the fact that risk management programs go through multiple stages of maturity, maturing over time, with RSA Archer 6.1, we have aligned our solution use cases with the maturity journey.  In this way, customers are acquiring just the right amount of technology to enable their Operational Risk Management program as they need it.  They are not biting off more than they can chew or over purchasing functionality they may never use.


RSA Archer 6.1 enables organizations to better take command of their GRC Journey, empowering organizations to incrementally build their Operational Risk Management program as it matures.  The Operational Risk Management-related activities (or use cases) we typically see implemented as organizations build their risk management program are as follows:


Issues Management is a core foundational use case to document and manage audit issues and issues identified by management and external parties.  It captures issues that may arise through the implementation of other use cases.  From this foundation, the following use cases are often enabled.  The exact sequence of the following use cases depends on your business priorities and resources.


Risk Catalog is also a foundational use case for organizations that only want a central location to document their risks, typically moving from an Excel or SharePoint based approach.  With Risk Catalog you get a place to document your organization’s risks and roll granular risk statements up to intermediate and enterprise risk statements.  You also get basic qualitative risk assessment.  You do not get several elements of a more robust risk register that provide greater business context through association with business processes, internal controls, and other risk treatments.


Top-Down Risk Assessment gives you the capability to catalog and associate your business processes, risks, and controls to better understand business activities and the internal control framework.  You can assess the inherent and residual risk of each risk register record using qualitative and monetary values across multiple risk categories.  Furthermore, risk register records can be aggregated and rolled up to intermediate and enterprise risk statements, and reporting lets you drill through records to understand the business context and drivers of risk.

Loss Event Management gives you a means to capture internal losses, near misses, and relevant external loss events; perform root cause analysis; execute workflow to communicate, analyze, and approve losses; calibrate external loss events; and produce numerous relevant loss reports.


Key Indicator Management allows you to document key risk, control, performance, and business indicators.  Indicator values can be collected from source systems or via manual input from data owners.  In any case, you can oversee that all data is collected in a timely manner and that missing data and indicators outside acceptable limits are communicated and addressed in an appropriate and timely manner.


Bottom-Up Risk Assessment lets you perform consistent risk assessments on projects and activities such as new and changing business processes, products and services, M&As, and fraud incidents. Questionnaires can be created and repeatedly used to ensure all items in scope are being considered consistently.


The Operational Risk Management use case pulls all of these other use cases together to enable greater business context and introduces a purpose-built solution to initiate and manage self-assessments. Three different kinds of assessments can be automatically created (Control Self-Assessments (CSAs), Risk and Control Self-Assessments (RCSAs), and Process, Risk, and Control Assessments (pRCSAs)) and distributed to the first line of defense (business unit managers) for completion through an intuitive interface.  The overall status of the assessment campaign can be monitored by the second line of defense, and when assessments are completed they are routed to the designated second line of defense persons to review, challenge, and reroute if needed.  At the completion of the assessment campaign, when all assessments have been approved by the second line of defense, the results are automatically updated to the risk and control registers.  Lastly, the Operational Risk Management use case provides a means to document and manage your organization’s insurance program and understand which risks are being transferred and whether the coverage is adequate.


By integrating adjacent use cases available from RSA Archer, you can create an enterprise view of risk.

[Image: OpsRisk 6.1 Use Cases vs Maturity]

We realize that risk management is not a challenge that can be solved simply with technology. It is a business imperative that must be addressed through a shift in focus, priority and culture within your organization, making risk management part of how everyone in your organization thinks and acts. By engaging everyone in the risk process, you can eliminate operational inefficiency and achieve your most strategic growth objectives. That’s why our collective mission at RSA Archer is to “Inspire Everyone to Own Risk.” That is our passion. That is our commitment.

An important benefit from our release of RSA Archer 6.1 this week is an alignment of organization maturity with the technology to support it.


Building a good Operational Risk Management program takes time.  It requires a commitment from executive management to make it happen, human resources to administer the program, capital to acquire necessary technology, and a culture of engagement from the affected stakeholders.  Some heavily regulated organizations may mature their programs more quickly to satisfy regulatory demands while others are driven to respond to a big loss, incident in the news, or by best practices around strategy and enterprise risk management.


The progression of an organization’s Operational Risk Management program maturity can be characterized in stages:


Compliance

Organizations just starting a program are typically very Compliance oriented, attacking individual risks and compliance initiatives within an isolated strategy. Their strategy relies on the constant fire-fighting modes of their front line and functional employees.  Their focus is so much on compliance and tactical risks that they cannot see beyond the immediate.  They are hunkered down in the trenches too scared to move forward or relying on old fashioned approaches that may get the job done but will never keep pace with today’s market.  These organizations need to take “Compliance” off the table and solve the regulatory and industry needs in a more efficient and effective manner.  This requires automating compliance and building a cohesive strategy to deal with the ‘basic requirements’ of doing business.


Managed

In order to transition from a Compliance focus to a Managed stage of maturity, organizations need to reduce compliance costs through automation and reallocate budgets to gain resources and risk visibility.  Organizations in the Risk Managed stage have solved (or are considerably on their way to solving) the ‘advanced requirements’ of Compliance.   They have common policies, standards and controls, an effective control infrastructure and efficient methods to measure, monitor and report on their compliance state.  Organizations in this stage need to become aware of the various risks they are juggling and put in individual plans to manage these risks within the context of a broader strategy. Organizations need to understand the risks in their landscape and be navigating (or at least identifying changes) to avoid major issues.   This progress is being fueled more and more by visibility into risk through metrics and analysis capabilities.


Advantaged

In order to transform an organization's program from Risk Managed to Opportunity Advantaged, organizations need to manage known and unknown risk, and identify new business opportunities.  The Opportunity Advantaged organization has mapped out and conquered the risk landscape and is poised to explore the Opportunity Landscape.  These organizations are now ready to realize the competitive advantage of harnessing risk – beating competitors to market, launching new products and services with calculated efficiencies, avoiding those major issues that affect reputations and the bottom line.  Organizations in this phase focus on speaking “business language” instead of “risk language”.  They are able to identify and respond to emerging risks ahead of the curve – using common taxonomies, common approaches, finely-tuned decision making processes and, most importantly, DATA to support their conclusions.


[Image: Take Command of Your Journey]

With the release of RSA Archer 6.1 we are making individual Operational Risk Management use cases available that align to this maturity journey.  Please look for The Operational Risk Management Journey (part II) to learn how you can take advantage of this new approach.

RSA Archer GRC 6 (6.0) was launched in November 2015 under the theme “Inspire Everyone to Own Risk.”  GRC 6 focused on providing organizations with an industry leading GRC platform to transform risk management by engaging everyone within an organization in the risk process. Today, organizations must implement the “three lines of defense,” making risk part of corporate culture at every level, in every role. The enhanced user experience, advanced workflow and task-driven dashboards introduced with GRC 6 allow business users to quickly and easily understand and complete their assigned risk-related tasks using a centralized platform.


I am very pleased to announce the launch of RSA Archer GRC 6.1.  This release takes the theme of “Inspire Everyone to Own Risk” to the next level. Through the implementation of integrated use cases, GRC 6.1 enables organizations of all sizes, regardless of the level of maturity in their GRC program, to implement RSA’s enterprise-class GRC platform. While the journey to risk and compliance maturity varies by organization, RSA Archer’s use case approach, newly implemented in GRC 6.1, nurtures successful risk and compliance programs by enabling customers to start small, seek quick wins, and plot a long-term risk and compliance strategy based on their organization’s objectives.


Key highlights of this release:

Our solution areas – Audit Management, Business Resiliency, IT & Security Risk Management, Enterprise & Operational Risk Management, Regulatory & Corporate Compliance Management, Third Party Governance, and Public Sector Solutions – now consist of individual use cases designed to solve specific risk and compliance needs. We have implemented a maturity-driven use case approach to help organizations of all sizes and business needs realize their risk management strategies:

[Image: RSA Archer Solutions]

  • Foundation use cases provide a starting point for organizations that are just beginning their GRC journey. These use cases enable organizations to move away from spreadsheets to gain efficiency, accountability and visibility in managing issues and risks.
  • Managed use cases provide organizations that have more mature GRC programs the ability to connect processes to collaborate across several risk functions within the business, integrate multiple data sources, and focus on building repeatable, consistent processes that bring consolidated risk visibility to the organization.
  • Advantaged use cases transform risk into a competitive advantage for the organization. These use cases allow your program to connect risks to business objectives, enabling an open dialog and the visibility necessary to move beyond managing risk to anticipating the business’ needs.


All RSA Archer solutions and use cases have undergone updates with the new user interface and features of GRC 6.1. In addition, we’re introducing enhanced functionality for:

  • Business Impact Analysis – a Foundation use case that offers robust assessments allowing business process owners to understand the criticality of their processes based on seven impact categories: financial, compliance, data integrity, data confidentiality, strategic, reputation, and operational.
  • Issues Management – a Foundation use case that engages control owners to own risks and issues related to their business domains. Control owners can manage findings, remediation plans and handle exception requests in one central location, and use Advanced Workflow capabilities to route issues to the right team.
  • Operational Risk Management – an Advantaged use case in the RSA Archer Enterprise & Operational Risk Management solution that now offers additional assessment targets, allowing a risk manager to initiate Control Self-Assessment (CSA), Risk and Control Self-Assessment (RCSA) or Process, Risk and Control Self-Assessment (pRCSA) campaigns focused on a business process, business unit, or product/service.
  • Information Security Management System (ISMS) – a use case designed specifically to manage the ISO 27001/2 certification process for organizations implementing the internationally recognized information security standard.

A company’s success hinges on its ability to drive growth across the business. With growth comes risk. Every growth strategy depends on leveraging today’s constantly shifting technology landscape, which intrinsically links cyber and business risk. RSA Archer, as a recognized leader in both operational and IT risk, enables effective risk management practices that address cyber risk and business risk on equal terms and provide a consolidated view of risk to executives and practitioners. Built on a common, centralized RSA Archer GRC Platform, RSA Archer GRC 6.1 enables all organizations to own risk with a broad offering of use cases based on risk type (cyber risk, operational risk, regulatory compliance, business resiliency, third party governance, and audit) as well as on the maturity of the organization’s GRC efforts.

We have created a host of resources to learn more about this release.  To start, watch our Solution videos to get more information on the RSA Archer Suite of GRC solutions.   For customers and partners, the best place to start is the “Everything 6.1” page on RSA Link.   From videos to white papers to data sheets, this page is a launching point for you to investigate everything that RSA Archer 6.1 offers.  In addition, we have several upcoming webcasts and Tech Huddles highlighting new use cases and features.

In April, I wrote two blogs (How Hungry… and Appetite and Exercise) on the concept of risk appetite. I highlighted the fact that organizations must take on risk to drive growth within the business. That risk must be balanced with activities to manage it within a tolerance that is acceptable to the organization. Some organizations will be forward-leaning and willing to accept more risk or invest heavily in mitigating risks. Other organizations will be more risk averse. Where your organization sits on this spectrum should be an ongoing dialogue within your risk management strategies.

Today, the convergence of business and digital risk is undeniable. Business growth and technology strategies are intimately connected. For example, expectations of healthcare providers are driving IT innovation in clinical analytics, call centers and connectivity of wearable devices. Financial services companies are constantly pushing boundaries for better customer service. Every industry is seeing this renaissance in how technology fuels business growth. With that connection comes the irrefutable union of risk. While business initiatives seek to create value, risk management efforts seek to protect value. “Value” is the common language that both sides of that equation should understand.

I am pleased to announce a new white paper, “Cyber Risk Appetite: Defining and Understanding Risk in the Modern Enterprise”. This paper begins our exploration of cyber risk, expanding beyond the discussion of security threats into the broader dialogue of how technology, risks and sources of exposure affect your organization.

One highlight of the paper is its definition of categories of cyber risk. While the topic of security threats MUST be on the table for all organizations, thinking in broader terms about how technology is fueling your business is also an imperative. The categories cross the source of a risk (internal or external) with the motive behind the threat (malicious or unintentional). This simple quadrant classification gives perspective on the variety of cyber risks your organization faces today and an easy method to organize your efforts.

Ask yourself and your risk management peers: to what extent does your organization have a clear understanding of its exposure to cyber risk? Does the organization view cyber risk beyond the headline-grabbing data breaches and security threats? At what point does your organization escalate cyber events (breaches, disruption, etc.) to the most significant level? These and other indicators will give you a sense of how cyber risk is perceived and what the appetite level is within your organization. I invite you to read the paper and start the dialogue in your organization around cyber risk appetite.

Read RSA’s press release in our newsroom.

Also, listen to the new September 13 panel webinar from Risk.Net, 'Cyber Risk: Systematic Threats and Business Continuity Management'.

Check out RSA's Cyber Risk Appetite microsite for more information.


RSA Charge is the pinnacle conference for Governance, Risk and Compliance and the premier event for RSA Archer every year. The insights, networking, friendships and experiences shared not only help attendees with their day to day jobs but broaden their careers. I can personally attest to the value of presenting at conferences such as RSA Charge. Having been a presenter in countless conferences (and yes, I have been around long enough to consider it countless), I know the commitment and courage it takes to get up in front of a room full of peers and share your own thoughts and opinions. However, the benefits far outweigh any trepidation or fear. Making myself rein in my experiences, put together a thoughtful presentation and then share them with my fellow GRCers has given me the best opportunity to learn and grow.

For this year's RSA Charge, we have created six tracks for presentations.  Our approach was based on our key messages and themes:

Taking Command of Your Journey

Sessions should focus on approaches, strategies and recommendations for building organizational capabilities that bring maturity to your overall risk and compliance program. Content should include maturation criteria, organizational barriers or obstacles and how they were overcome, and case studies or war stories. Examples include how to achieve consensus, measure the value of the program, maturity processes, etc. The presentation should include an explanation of the GRC approach taken (centralized, top-down, decentralized, federated, or some combination), the rationale, the phases of organizational achievement, and the major milestones in risk and compliance maturity.

Inspiring Everyone to Own Risk

Sessions should focus on how you were able to inspire your organization to own risk - especially in terms of the Three Lines of Defense. Risks could include operational risks, third party risk, resiliency or enterprise risk. Content should include best practices, case studies or war stories. Examples include how to identify, assess and monitor risk, track loss events, model processes, audit risk, etc. The presentation should include an explanation of the business problem, desired outcomes, required functionality, solution outcomes and metrics used to measure success.

Where Cyber Risk Meets Business Risk

Sessions should focus on the approach for leveraging Archer solution(s) to solve a critical IT Security and/or IT Risk business problem. Content should include best practices, case studies or war stories. Examples include how to integrate security tools, address remediation activities, respond to incidents, manage IT Security policy & compliance, establish IT business context, etc. The presentation should include an explanation of the business problem, desired outcomes, required functionality, solution outcomes and metrics used to measure success.

Transforming Compliance

Sessions should focus on how your organization transformed compliance processes by leveraging Archer solution(s) to solve a critical Corporate and/or Regulatory Compliance or Industry challenge. Content should include best practices, case studies or war stories. Examples include how to develop policies and standards, measure controls, report on compliance posture, audit program management, etc. The presentation should include an explanation of the business problem, desired outcomes, required functionality, solution outcomes and metrics used to measure success.

We also have two tracks open for Technical presentations - Basic and Advanced.

Sessions should cover beginner to advanced uses of the platform, custom objects, data feeds, on demand applications, integrations, etc. The content must include demonstrations of a business problem that is addressed using the RSA Archer platform. Screen shots, recorded or interactive demonstrations are required. These should be a “How To” presentation to instruct the audience on optimal platform configuration. Other technical presentations may cover topics such as the administration of the platform, backup/recovery, system architecture, etc.

I highly suggest you submit to present. Don't discount your story. If you are in the early phases of your GRC program or Archer implementation, your insights can help others in the same situation. For those of you with mature programs or Archer implementations, sharing use cases, lessons learned or tips and tricks – from a practitioner, technical or program management perspective – can provide inspiration to others. Don't miss this opportunity to share your experience with others. Your peers will benefit from your story and you will be sure to learn something from the experience.

Call for Speakers

I’m excited to show you an article Marshall Toburen and I co-authored and just had published in Risk Management Magazine, which talks about the Three Lines of Defense (3LoD) model.  The link is below, so check it out.  If you’re in a hurry and just want to know why you should implement the 3LoD model in your organization, take a look at these six reasons:

  1. Organizations that have a strong 3LoD are generally more risk-intelligent - meaning they are capable of quickly identifying and reacting to risk and they more efficiently deploy scarce resources to manage risk on a prioritized basis.
  2. They can better leverage information without the need to recreate reports or play the ‘telephone tag game’ of information gathering and sharing.
  3. The 3LoD model promotes risk ownership and a stronger risk management culture while eliminating inefficiencies, gaps and overlaps that often occur in the management of risk and compliance by multiple functions.
  4. The 3LoD model helps internal organizations (i.e., the three lines) do a better job of working together to manage risk.  While each of the three lines of defense has its own responsibilities, they are all using the same playbook.
  5. The model contributes to fewer surprises and losses, lower risk transfer costs, and increased likelihood that the organization’s objectives will be achieved.
  6. The Institute of Internal Auditors (IIA) published a position paper effectively endorsing the 3LoD model as a best practice in risk management and control, which generally makes your auditors and regulators happier.

Why do these benefits come from implementing a 3LoD model? In this day of more and varied risks coming at our organizations at the speed of light, the 3LoD model helps provide an organizational and practical model to give order to the chaos. Check out the article below and let me know your thoughts at patrick.potter@rsa.com

Risk Management – The 3 Lines of Defense for Good Risk Management.

It’s that time of year again - to submit your nominations for Archer awards to be presented at RSA Charge (formerly Archer Summit) 2016 in New Orleans, October 25-27! As in the past, this year we will honor companies that are implementing RSA Archer governance, risk, and compliance (GRC) solutions in unique and ground-breaking ways. Award winners will show they are building cutting-edge use cases and integrations using RSA Archer to support process automation, collaboration and reporting. We will continue this rich tradition with the same award categories as prior years: Innovation, Return on Investment (ROI), Community Advocate and Excellence Awards. We will also give a “Best in Class” award, which will be the best of the Excellence Award winners; and during RSA Charge, attendees will be able to vote, using the RSA Charge Event App, for the ‘Best in Show’ customer presentation that really rocked it!

To submit your nomination for any of the categories above, complete the attached submission form and tell us more about your organization’s approach to solving GRC challenges. If you have any questions regarding your submission, please contact your field sales and/or existing accounts manager.

Please return the completed form to @Patrick Potter at patrick.potter@rsa.com by Friday, July 29th.  This is a hard deadline; extensions cannot be granted.  We look forward to seeing your nominations!
