Marshall Toburen

Third Party Governance and RSA Archer 6.1

Blog post created by Marshall Toburen on Jul 1, 2016

In my last blog I discussed the benefits of the new RSA Archer 6.1 release, aligning an organization’s Operational Risk Management program maturity with the RSA Archer technology to support it.  This holds true for third party governance too.


Financial Services organizations are heavily regulated to have a comprehensive third party governance program in place (See OCC Bulletin 2013-29 for example).  Outside of the financial services industry, the regulatory obligations are less pervasive but many business drivers for third party governance are still present:


• 42% of companies now describe themselves as highly vulnerable to vendor, supplier, or procurement fraud – (source: Kroll Global Fraud Survey)

• 85% of companies reported suffering at least one supply chain disruption – (source: Zurich Financial Survey)

• 90% of all Foreign Corrupt Practices Act (FCPA) cases involved third-party intermediaries – (source: Corporate Executive Board)

• 76% of data breaches analyzed by TrustWave resulted from a third-party which introduced the security deficiencies that were ultimately exploited – (source: Trustwave Global Security Report)


Some organizations may be concerned about supply chain interruption and quality, while others may worry about third party corruption or information security.  These organizations are not prepared, do not have the resources, or do not even desire to have a third party governance program that addresses all potential third party problems at one time.  They have immediate, pressing concerns with their third parties that they want to address first, and then grow their governance program over time.  These organizations’ third party governance programs mature consistent with their own priorities.


This is where RSA Archer 6.1 comes in.  With the release of RSA Archer 6.1 we are making individual Third Party Governance use cases available that align to an organization’s maturity journey.  No longer do organizations have to purchase an entire product suite to address the problem.  They only need to spend resources on the technology that is relevant to their program.  This also removes much of the complexity inherent in implementing broad product suites.  Organizations on the other end of the maturity spectrum can put together all of the RSA Archer 6.1 use cases into a broad third party governance program and even interconnect it with their Enterprise and Operational Risk Management programs.


RSA Archer 6.1 enables organizations to better take command of their journey, empowering them to incrementally build their Third Party Governance program as it matures.  The Third Party Governance-related activities (or use cases) we typically see implemented as organizations build their third party governance program are as follows:


Issues Management is a core foundational use case to document audit issues and issues identified by management and external parties.  It captures issues that may be identified in the process of third party governance or via other Archer use case implementations.  From this foundation, the following use cases are often enabled.  The exact sequence of the following use cases will depend on your business priorities and resources.


Business Impact Analysis is a foundational package for the Third Party Governance program and includes the Business Hierarchy to establish corporate structure and accountability for third party relationships, a business process catalog, and a pre-built Business Impact Analysis to identify critical business processes that are supported by third party relationships.


Third Party Catalog is used to document all of an organization’s third party relationships and associated contracts, and to document the named individuals in the organization that are responsible for the relationship.  With the Third Party Catalog you have a system of record for all of your third parties and their related business subsidiaries.


Third Party Engagement allows you to catalog all of the products and services being delivered by the third parties in your Third Party Catalog.  You have the capability to perform inherent risk assessments across multiple risk categories, and by associating the engagements with the Business Impact Analysis you have visibility into the critical third party products and services on which you rely.  The interconnection between the Third Party Catalog and Third Party Engagement allows you to obtain an overall aggregate risk profile of a third party across all of the products and services they deliver to your organization.


Third Party Risk Management provides a series of risk assessment questionnaires covering several risk categories (Compliance/Litigation, Financial, Information Security, Reputation, Resiliency, Strategic, Sustainability, and 4th party risk) that can be launched manually to a third party or launched automatically based on the level of inherent risk in each assessed risk category.  Completed questionnaires are scored to derive the residual risk of each risk category, and supplemental documentation is captured and cataloged for evaluation.  Risk results are depicted for each engagement and are rolled up across all engagements to depict the risk of the third party across all of the engagements they are delivering.  Findings from the vendor engagement can be automatically captured and managed as exceptions, or remediation plans can be established and monitored to resolution.
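The inherent-to-residual flow described in the two paragraphs above (inherent risk scored per category on each engagement, questionnaires launched when inherent risk is high enough, completed questionnaires scored to residual risk, ineffective controls captured as findings, and residual risk rolled up from engagements to the third party) can be modelled in a few dozen lines. The Python below is an added, illustrative model written for this page; it is not RSA Archer code and does not reproduce Archer's scoring rules. The 1-5 scale, the launch threshold of 3, the scoring formula, the worst-case (max) roll-up, and the fictional third party "Acme Cloud" with its engagements are all assumptions.

```python
import math
from collections import defaultdict
from dataclasses import dataclass, field

# Risk categories named on the page. The 1..5 scale, trigger threshold, scoring
# formula and max-based roll-up are illustrative assumptions, not Archer's rules.
RISK_CATEGORIES = (
    "Compliance/Litigation", "Financial", "Information Security", "Reputation",
    "Resiliency", "Strategic", "Sustainability", "4th Party",
)
QUESTIONNAIRE_TRIGGER = 3   # assumed: inherent >= 3 launches that category's questionnaire
LEVELS = {1: "Low", 2: "Low", 3: "Moderate", 4: "High", 5: "High"}


@dataclass
class Engagement:
    """One product or service a third party delivers (a Third Party Engagement record)."""
    name: str
    third_party: str
    supports_critical_process: bool     # linkage to the Business Impact Analysis
    inherent: dict                      # category -> inherent score 1..5 (missing = 1)
    # completed questionnaire answers: category -> [(control, weight, effective?)]
    answers: dict = field(default_factory=dict)


def questionnaires_to_launch(eng):
    """Categories whose inherent risk is high enough to trigger an assessment."""
    return [c for c in RISK_CATEGORIES if eng.inherent.get(c, 1) >= QUESTIONNAIRE_TRIGGER]


def residual_score(inherent, answers):
    """Score one completed questionnaire: residual = inherent scaled by the weighted
    share of controls found ineffective, rounded up, floored at 1. A category with
    no returned questionnaire keeps its inherent score (no credit without evidence)."""
    total = sum(w for _, w, _ in answers)
    if total == 0:
        return inherent
    failing = sum(w for _, w, ok in answers if not ok)
    return max(1, math.ceil(inherent * failing / total))


def engagement_residual(eng):
    """Residual risk per category for a single engagement."""
    return {c: residual_score(eng.inherent.get(c, 1), eng.answers.get(c, []))
            for c in RISK_CATEGORIES}


def open_findings(eng):
    """Ineffective controls become findings to manage as exceptions or remediation plans."""
    return [(cat, control) for cat in RISK_CATEGORIES
            for control, _, ok in eng.answers.get(cat, []) if not ok]


def third_party_profile(engagements):
    """Roll engagement-level residual risk up to the third party: worst score per
    category across its engagements; overall rating = worst category."""
    per_party = defaultdict(list)
    for eng in engagements:
        per_party[eng.third_party].append(engagement_residual(eng))
    profile = {}
    for party, residuals in per_party.items():
        by_cat = {c: max(r[c] for r in residuals) for c in RISK_CATEGORIES}
        overall = max(by_cat.values())
        profile[party] = {"by_category": by_cat, "overall": overall, "level": LEVELS[overall]}
    return profile


def sample_engagements():
    """Constructed sample data: one fictional third party with two engagements."""
    payroll = Engagement(
        name="Payroll hosting", third_party="Acme Cloud", supports_critical_process=True,
        inherent={"Information Security": 5, "Financial": 3, "Resiliency": 4},
        answers={
            "Information Security": [("MFA for admin access", 2, True),
                                     ("Encryption at rest", 2, True),
                                     ("Annual penetration test", 2, False)],
            "Financial": [("Audited financial statements", 1, True)],
            # Resiliency questionnaire was launched but has not been returned yet
        },
    )
    supplies = Engagement(
        name="Office supplies", third_party="Acme Cloud", supports_critical_process=False,
        inherent={"Sustainability": 3},
        answers={"Sustainability": [("Published ESG policy", 1, False)]},
    )
    return [payroll, supplies]


if __name__ == "__main__":
    engs = sample_engagements()
    for eng in engs:
        print(eng.name, "-> launch:", questionnaires_to_launch(eng),
              "findings:", open_findings(eng))
    for party, prof in third_party_profile(engs).items():
        print(party, prof["level"], prof["by_category"])
```

Two design points carry over to any real program regardless of tooling: a category whose questionnaire has not come back keeps its inherent score rather than silently dropping to "assessed", and the third-party roll-up takes the worst engagement per category, so a low-risk engagement never dilutes a critical one.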


Third Party Governance brings together all of the use cases, adding a performance monitoring capability so that you can track the service level agreement (SLA) metrics you use to evaluate third party performance.  Scorecards can be staged to third parties to collect commitments to remediate performance.


[Figure: Third Party Use Cases vs Maturity]

We realize that risk management is not a challenge that can be solved simply with technology. It is a business imperative that must be addressed through a shift in focus, priority and culture within your organization, making risk management part of how everyone in your organization thinks and acts. By engaging all of the affected stakeholders in the third party governance process, you can eliminate administrative inefficiency, improve your understanding of third party risk and performance, and manage third party relationships consistent with your risk appetite and strategic growth objectives.


That’s why our collective mission at RSA Archer is to “Inspire Everyone to Own Risk.” That is our passion. That is our commitment.