
Experienced outdoors people, whether they are campers, hikers, bicyclists or otherwise, know that the first rule of thumb is that you always need to know where you are so you can determine where you are headed.  It is no different with business resiliency (BR) teams.  You need a good sense of where you are headed and this starts with what is most important in your organization to protect or recover if it is disrupted.


The best way to determine what is most important is by performing a business impact analysis (BIA).  The BIA is an analytical method to determine what business processes are most critical to achieving your organization’s key objectives.  This includes knowing which business processes produce key products or services, or what strategic objectives they support.  The BIA also helps identify other related information like what dependencies exist between the business process and supporting IT applications and infrastructure, information assets, facilities, suppliers or key human resources.  This information is important because that entire value chain must be planned for and preserved, especially if they are in support of core products or critical strategies.


RSA just launched an updated version of the Archer BIA use case as part of our June 2016 6.1 release.  This BIA builds on our existing model and offers:


  • An easy to follow questionnaire format
  • Three new categories for strategic, information integrity and information confidentiality impacts
  • Features from the new Archer 6.0 platform, like advanced workflow and enhanced reporting


The BIA is ready to use out-of-the-box for each of the participants in the BIA process – business process owners, the BR team and executive reviewers.  The interface is easy to follow.  The built-in workflow follows best practices and regulatory guidance.  Reporting is thorough yet concise so BR teams can see where BIAs need to be performed and easily follow up. 


Like those outdoorsy folks I talked about earlier whose first order of business is to know where they are at all times, the Archer BIA will help BR teams, business process owners and executives know at all times what the most important parts of their organizations are and to plan for and protect them.  With limited resources and expensive recovery strategies, this BIA is a must-have to really hone in on what needs to be protected now.  Click here for more information on the Archer BIA 6.1.  You can also reach me at with questions or feedback.

RSA has introduced two recent, major product updates to enable offering Archer governance, risk and compliance (GRC) solutions by use cases.  We understand that organizations and their GRC disciplines can be in very different places along the maturity spectrum. For example, a compliance function might be much more defined and mature than the risk function.  Our November 2015, 6.0 update was designed to inspire everyone within an organization to own risk, while our June 2015, 6.1 was developed to encourage the three lines of defense (3LoD) to engage in the risk management process, and inspire every organization to own risk.




These objectives may sound synonymous, but every organization’s road to GRC maturity is different, and as the graphic above depicts, each GRC function could be at a different point along the journey.  Through our new use case approach, we encourage organizations to start small, but gain quick wins within the context of a long-term strategy. As an example, our Audit Management solution has been organized into three use case offerings that customers can deploy separately, or use them to build upon one another.  They are:


Issues Management - to manage issues, gaps and findings with related remediation plans.  Benefits include:

  • A consolidated view into all known issues
  • An organized, managed process to escalate issues
  • Visibility into known risks and efforts to close/address risks
  • Workflow to ensure proper sign-off/approval for issues


Audit Engagements & Work papers - to manage all audit projects and related work papers.  Benefits include:

  • An audit universe of audit entities
  • Workflow for consistent audits and procedures
  • Self-serve for external auditors for the information they need


Audit Planning & Quality - to manage audit risk assessments, the audit plan and quality assurance activities.  Benefits include:

  • Workflow and change management for audit planning
  • Audit plans aligned with the organization’s priorities
  • Appropriate personnel are staffed on audits
  • Board-relevant reporting
  • Quality management processes for engagements and audits
  • Risk based audit approach


Although Internal Audit (IA) is an established discipline, maturity varies widely depending on many factors, such as adherence to standards, tenure of resources, industry requirements and regulatory scrutiny.  IA departments can use Archer Audit use cases regardless of their maturity because we have offerings that not only provide value (those quick wins) at each level, but also help them move further along the maturity spectrum, not just as a standalone IA function, but in working together with their GRC counterparts.


For more information on these use cases and our approach, go to: Audit Management. As always, you can reach me at with any questions or comments.

For the third year in a row, RSA Archer has been named a Leader in Gartner’s Magic Quadrant (MQ) for Business Continuity Management Planning Software (BCMP)!





Gartner states in their report that the business continuity management (BCM) market is changing because “continuity of operations is being seen by organizations as a growing risk that needs to be managed and mitigated.”  Gartner also mentioned they are now seeing organizations focus more on operational resilience versus only “respond and recover” activities. Although the latter is a critical component of a business resiliency (BR) program, teams must focus on how they fit into the organization’s larger operational risk program and approach. Gartner states BCM is in a unique position to address resiliency as part of an operational risk management (ORM) program because of its strategic focus and board-level attention. BCM is also “well-positioned to address not just availability risk, but also the broader set of operational risks” 2


In addition to being named a Leader in this MQ, during 2016, RSA Archer has also been named a Leader in Gartner Magic Quadrants for Operational Risk Management, IT Vendor Risk Management, and IT Risk Management. Integrating BCM with other risk management activities is critical to building operational resiliency. This integration must happen organizationally and practically. There is some movement in this area, as evidenced by the results of Gartner’s 2015 survey of the Association of Contingency Planners membership, entitled “What Keeps Them Up at Night.” The results from this survey show that enterprise risk management (ERM) functions are more often becoming the “home” for BCM programs. 3


Organizational alignment is a good thing. However, more mature BCM programs also have more mature risk management capabilities, which are aligned with their ORM functions and facilitated by integrated software. There is still room to improve as shown in Gartner’s 2015 BCM Hype Cycle, where Gartner mentions that 48% of surveyed organizations use BCMP software. There is also room to grow overall, as Gartner’s ITScore for Business Continuity Management maturity self-assessment tool shows the average maturity of BCM programs is 2.45 on a scale of 1 to 5. 4


BCM is a mature industry that finds itself changing and in need of reinvention.  However, all indications are that BCM will rise to the challenge and continue to contribute, now as part of an organization’s larger ORM and ERM program. RSA Archer’s inclusion as a Leader in the last three consecutive BCMP MQs, as well as our placement as Leaders in all three Gartner MQs for risk management for the second consecutive year, shows that we are uniquely positioned to help organizations rise to the challenge.




Figure 1 Magic Quadrant for Business Continuity Management Software, Worldwide. This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from EMC RSA. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

2 Magic Quadrant for Business Continuity Management Planning Software, Worldwide.  Published: 11 July 2016.  Analyst(s): Roberta J. Witty, John P. Morency

3 Members of the Association of Contingency Planners Report on 'What Keeps Them Up at Night'. Published 29 October 2015.  Analyst: Roberta J. Witty

4 ITScore for Business Continuity Management.  Published 31 August 2015.  Analyst(s): Roberta J. Witty, John P. Morency


We have all had that moment walking out of the shopping mall or the airport.  Everyone knows the feeling when that rush of doubt takes hold of our brains.  We stand frozen and frantically wait for our cerebral cortex to do its thing and pluck that single memory out of our vast network of synapses… “Where did I park my car?”   I am pretty sure this momentary lapse of memory has something to do with the radiation levels of the lights in Exit signs.  The frequency that I experience such occurrences couldn’t be the result of distractions from the avalanche of my daily thoughts and surely has nothing to do with my age.

For those of you who have been seeing the communications about RSA Charge, I hope you have not suffered this same tinge of hesitation.   Of course, I am referring to any questions as to the whereabouts of the legendary RSA Archer Summit, the premier GRC event of the year.    The Archer Summit is alive and waiting for you – parked in a well-lit, spacious place, protected and ready to go – at RSA Charge.

Last year, the Archer Summit was referred to by name and co-located with RSA Charge as the user event for all RSA products.  This year, we have completed the transition and now refer to the entire event as RSA Charge.   RSA Charge harnesses the innovative power of thought-leaders, industry experts and the RSA community, providing you with insightful educational sessions, hands-on training, and valuable expert & peer networking opportunities.

In the tradition of the Archer Summit, we will have many customer led sessions highlighting the most innovative and forward thinking GRC programs.   You will learn how to inspire your organization to own risk.  We will discuss approaches, strategies and recommendations for building organizational capabilities that bring maturity to your overall risk and compliance program.   Case studies ranging from how companies are approaching critical IT Security and IT Risk challenges to how Archer is used to transform compliance programs will give insight that can immediately be applied when you return to your desk after the conference.   Technical presentations, labs and training will dig into the details for beginners and advanced administrators.

This year will be the 13th gathering of Archer customers.  Every year the assembly has gotten bigger and better.  With RSA Charge 2016, you will feel like you walked out to the parking lot and your 2003 Toyota Camry has transformed into a 2016 Tesla Model S.

RSA CHARGE 2016 will take place in New Orleans, LA, from October 25 – 27!  I hope you will mark the date on your calendars and join me in beautiful New Orleans, to experience in-depth sessions, insightful conversations, interactive product experiences, and much more.

For more information or to register, go to


As I mentioned in my last blog, one of the important benefits of our recent release of RSA Archer 6.1 is an alignment of organization maturity with the technology to support it. Building a mature Information Assurance (IA) program in the public sector takes time and commitment.  It requires and is marked by a balance of the right technologies, processes, and people. 
At RSA, we have developed a maturity model that we use as a communication tool with our prospects and clients to recommend changes and correlate them to stages of the maturity journey.


I very recently did a webcast that walks through this mapping of Public Sector use cases to steps in the maturity model in detail. I would encourage you to view that recording here if you’re interested in more information.

With the release of RSA Archer 6.1 we are making individual Public Sector use cases available that align to this maturity journey.  With RSA Archer 6.1, we have aligned our solution use cases with the maturity journey.  In this way, customers are acquiring just the right amount of technology to enable their IA program as they need it.  They are not biting off more than they can chew or over purchasing functionality they may never use. The Public Sector use cases are as follows:
• Plan of Actions and Milestones (POA&M)
• Assessment and Authorization (A&A)
• Continuous Monitoring (CM)

We realize that FISMA and OMB compliance and risk management are not challenges that can be solved simply with technology. They are mission imperatives that must be addressed through a shift in focus, priority and culture within your organization, making risk management part of how everyone in your organization thinks and acts. By engaging everyone, you can eliminate operational inefficiency and achieve your most strategic growth objectives. That’s why our collective mission at RSA Archer is to “Inspire Everyone to Own Risk.”
To see how these use cases can enable the stakeholders in your organization to own risk, remember to watch the webcast or you can visit the Public Sector page for general information.  

Thanks for reading.
Email me with comments or questions.
Chris Hoover




We are pleased to announce the return of 'Community Selects.' Beginning Tuesday, July 5 and running through Tuesday, July 19, you and your GRC peers will be able to 'voice your choice' from the Archer Track submissions described here. The session with the most votes in each Track will automatically be a Community Selects presentation and be included in the RSA Charge 2016 Agenda.


The sessions for the 'Community Selects' are only a small subset of the speaking proposals we received; all the other submitted proposals are still under consideration by the Program Committee; notifications will be emailed soon to those garnering a spot on this year's presentation Agenda.


So let your voice be heard - this is your chance to 'vote your choice' and have a say in this year's RSA Charge 2016 Agenda for Archer. To vote, simply click on the Proposal Abstracts listed on this link and cast your vote. Remember, one vote per abstract!

In my last blog I discussed the benefits of the new RSA Archer 6.1 release, aligning an organization’s Operational Risk Management program maturity with the RSA Archer technology to support it.  This holds true for third party governance too.


Financial Services organizations are heavily regulated to have a comprehensive third party governance program in place (See OCC Bulletin 2013-29 for example).  Outside of the financial services industry, the regulatory obligations are less pervasive but many business drivers for third party governance are still present:


• 42% of companies now describe themselves as highly vulnerable to vendor, supplier, or procurement fraud – (source: Kroll Global Fraud Survey)

• 85% of companies reported suffering at least one supply chain disruption – (source: Zurich Financial Survey)

• 90% of all Foreign Corrupt Practices Act (FCPA) cases involved third-party intermediaries – (source: Corporate Executive Board)

• 76% of data breaches analyzed by Trustwave resulted from a third-party which introduced the security deficiencies that were ultimately exploited – (source: Trustwave Global Security Report)


Some organizations may be concerned about supply chain interruption and quality while others may worry about third party corruption or information security.  These organizations are not prepared, do not have the resources, or do not even desire to have a third party governance program that addresses all potential third party problems at one time.  They have immediate, pressing concerns with their third parties that they want to address and then grow their governance program over time.  These organizations’ third party governance programs are maturing consistent with their own priorities.


This is where RSA Archer 6.1 comes in.  With the release of RSA Archer 6.1 we are making individual Third Party Governance use cases available that align to an organization’s maturity journey.  No longer do organizations have to purchase an entire product suite to address the problem.  They only need to spend resources on that technology that is relevant to their program.  This also removes much of the complexity inherent when implementing broad product suites. For organizations on the other end of the maturity spectrum they can put together all of the RSA Archer 6.1 use cases into a broad third party governance program and even interconnect it with their Enterprise and Operational Risk Management programs.


RSA Archer 6.1 enables organizations to better take command of their journey, empowering organizations to incrementally build their Third Party Governance program as it matures.  The Third Party Governance-related activities (or use cases) we typically see implemented as organizations build their third party governance program are as follows:


Issues Management is a core foundational use case to document audit issues and issues identified by management and external parties.  It captures issues that may arise or be identified in the process of third party governance or via other Archer use case implementations.  From this foundation, the following use cases are often enabled.  The exact sequence of the following use cases will depend on your business priorities and resources.


Business Impact Analysis is a foundational package for the Third Party Governance program and includes the Business Hierarchy to establish corporate structure and accountability for third party relationships; a business process catalog and a pre-built Business Impact Analysis to identify critical Business processes that are supported by third party relationships.


Third Party Catalog is used to document all of an organization’s third party relationships and associated contracts, and to document the named individuals in the organization that are responsible for the relationship.  With the Third Party Catalog you have a system of record for all of your third parties and their related business subsidiaries.


Third Party Engagement allows you to catalog all of the products and services being delivered by the third parties in your Third Party Catalog.  You have the capability to perform inherent risk assessments across multiple risk categories and by associating the engagements with the Business Impact Analysis you have visibility into the critical third party products and services which you rely on.  The interconnection between the Third Party Catalog and Third Party Engagement allows you to obtain an overall aggregate risk profile of a third party across all of the products and services they deliver to your organization.


Third Party Risk Management provides a series of risk assessment questionnaires covering several risk categories (Compliance/Litigation, Financial, Information Security, Reputation, Resiliency, Strategic, Sustainability, and 4th party risk) that can be launched manually to a third party or launched based on the level of inherent risk of each assessed risk category.  Completed questionnaires are scored to derive residual risk of each risk category and supplemental documentation is captured and cataloged for evaluation.  Risk results are depicted for each engagement and are rolled-up across all engagements to depict risk of the third party across all of the engagements they are delivering.  Findings from the vendor engagement can be automatically captured and managed as exceptions or remediation plans can be established and monitored to resolution.


Third Party Governance brings together all of the use cases, adding a performance monitoring capability so that you can track service level agreement (SLA) metrics you use to evaluate third party performance.  Scorecards can be staged to third parties to collect commitments to remediate performance.


We realize that risk management is not a challenge that can be solved simply with technology. It is a business imperative that must be addressed through a shift in focus, priority and culture within your organization, making risk management part of how everyone in your organization thinks and acts. By engaging all of the affected stakeholders in the third party governance process, you can eliminate administrative inefficiency, improve your understanding of third party risk and performance, and manage third party relationships consistent with your risk appetite and strategic growth objectives.


That’s why our collective mission at RSA Archer is to “Inspire Everyone to Own Risk.” That is our passion. That is our commitment.

We have all heard the adage that great things come in threes. Stooges. Pigs. Blind Mice. The list goes on and on. I am very pleased to announce another thrilling combination of three – Gartner Magic Quadrants. EMC (RSA) has been positioned in the leader’s quadrant in three Gartner Magic Quadrants: Operational Risk Management, IT Risk Management and IT Vendor Risk Management.


Today, every organization is facing risk from multiple angles.  The business must understand and respond to risks within operations on a daily basis.  Third parties, vendors, suppliers and a host of other participants in the business create a complex ecosystem that must be managed appropriately.  Finally, IT risks ranging from security to resiliency to technology strategy must be tackled for organizations to fully leverage the immense benefits of technology innovations to drive business growth.  The combination of these three vectors of risk produces a tremendous challenge as companies seek to exploit business opportunities while keeping risk in check.


We believe these reports highlight RSA Archer’s commitment in providing organizations with the most comprehensive solution to take command of your risk.  Through our partnerships with our customers and our continued execution towards the goal of inspiring everyone to own risk, we are honored to be recognized by Gartner as leaders in these markets.

For more information, visit our special Gartner Magic Quadrant page.
