Skip navigation
All Places > Products > RSA Archer Suite > Blog > 2016 > December

For the third consecutive year, Gartner has placed Dell Technologies (RSA) as a Leader in the 2016 Magic Quadrant for Operational Risk Management Solutions.

As you can see in the MQ graphic (above), Gartner has positioned Dell Technologies (RSA) based on “ability to execute” and “completeness of vision.” 


This year’s Magic Quadrant (MQ) evaluation was based on RSA Archer Release 6.1. This release represents a collection of individual use-case-based-solutions that can be purchased and deployed independently or collectively. RSA Archer developed this new approach to align with the way our customers typically mature their operational risk management (ORM) programs. Customers are able to affordably purchase and install exactly what they need, when they need it, and then easily build out a more comprehensive ORM solution when they are ready. When combined with other RSA Archer solutions, organizations can extend their ORM solution into a broader, enterprise risk management deployment.


Gartner evaluates customers’ reviews of solution capabilities, and we thank all of you that took time to participate in this year’s survey from Gartner. We sincerely appreciate your valuable time in sharing your thoughts and experiences with the Gartner team. Much of RSA Archer’s strength stems from the passion of our customers across numerous industries, in more than 50 countries, and what they share with us and more than 6,000 of their peers in the RSA Archer Community on RSA Link.


We value Gartner’s insight on changes in the practice of risk management because they invest significant time and effort in talking with so many organizations around the world regarding their risk management program activities. Of particular interest to us is Gartner’s observation that “security and risk management leaders are seeking to integrate their risk management solutions to gain a more holistic view of risk across the enterprise,” and that “operational risk management solutions serve as the core element of integrated risk management.” We’ve also heard this from our customers and see it in analyses of various enterprise risk management (ERM) surveys. Organizations globally seem to be moving toward ERM, and, in fact, the practice of ERM has reached critical mass. Why? Perhaps because, as Ernst & Young reported, companies in the top 20% of risk maturity generate three times the level of EBITA than those in the bottom 20%!

If your organization is in the process of extending your ORM program or “testing the waters” for ERM, we encourage you to reach out to us to learn more about our how Archer can provide your organization with a proven path for your risk and compliance roadmap.

Interested in reading more about the Gartner Magic Quadrant for ORM Solutions? We’ve made the report available to you here to share with your colleagues and management team.

This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Dell Technologies RSA. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

On November 1, the U.K. government published its National Cyber Security Strategy 2016-2021 This 81-page strategy explains the U.K. government’s approach to tackling and managing cyber threats in the U.K. and sets out how the U.K. will aim to be one of the most secure places in the world to do business in cyberspace.


Having read a number of information security policies over the years, I am struck by how much more detailed this U.K. Strategy is compared with heretofore efforts.  Here are a few examples of what I mean:

  • The document defines “cyber security as the protection of information systems (hardware, software and associated infrastructure), the data on them, and the services they provide, from unauthorised access, harm or misuse. This includes harm caused intentionally by the operator of the system, or accidentally, as a result of failing to follow security procedures.” This seems to me to be a broad but accurate definition.  It acknowledges that effective cyber security is both an electronic and physical security challenge and that there are a number of other operational risk considerations to cyber security including intentional and unintentional human error, and harm resulting from natural and man made disasters.
  • The strategy defines threats and vulnerabilities, the role of defense and deterrence and the strategy for strengthening cyber security skills and human resources.
  • The strategy is forward looking, calling for “effective horizon scanning” while promoting the use of metrics to gauge progress and effectiveness of the cyber security strategy.
  • The strategy sets a cyber security bar for all U.K. organizations, public and private, stating: “we will not accept significant risk being posed to the public and the country as a whole as a result of businesses and organisations failing to take the steps needed to manage cyber threats” To do this, the strategy states: “The Government will make use of all available levers, including the forthcoming General Data Protection Regulation (GDPR), to drive up standards of cyber security across the economy, including, if required, through regulation.
  • It endorses The National Data Guardian for Health and Care data security standards.
  • The strategy will be promoted to businesses, by working “through organisations such as insurers, regulators and investors which can exert influence over companies to ensure they manage cyber risk” and to “highlight the clear business benefits and the pricing of cyber risk by market influencers.”


If there was any question as to whether “Brexit” meant the U.K. was going to exit the EU General Data Protection Regulation, this Strategy makes it clear that complying with GDPR remains a priority.  There is much to comply with the GDPR.  Please read my blog to get more background about this significant regulation.  If your organization is doing business in the U.K., it is time to familiarize yourself with this new Strategy and prepare your organization for the compliance obligations which will follow on.

At the end of each calendar year, I look back at how the year went, mainly in my personal life.  For example, I reflect on what happened in my family - who graduated, got engaged or married or had kids, who accepted new jobs or moved.  I also look at how things went with my career, if my health has improved and how my relationship with my wife got better.  These are some of the most important aspects of my life and that’s why I reflect on them.  Not that I don’t think about them more often, because I do, but the end of the year is a good time to look back.


I was also reflecting recently on the areas I oversee here at RSA - which are Business Resiliency and Audit for Archer.  These two areas are not that similar, but I have noted a common theme in that these two fields continue to turn their sights to risk management, moving more and more from being primarily compliance-driven disciplines.  Specifically, they are looking at what the impacts of risk are to the businesses they support - their organizational goals, revenue and growth projections, customer impacts and strategic objectives, to name a few.  I have also noticed that IT organizations, specifically trying to manage the far-reaching effects of cyber threats, are translating IT risk into business impact so executives and business decision makers can better understand the implications and make better decisions.


That’s the pattern I’ve noticed this year - moving to business risk.  It’s the right trend and a good sign.  Some things are helping this along.  For example, frameworks like the ‘three lines of defense’ are being more widely recognized and adopted and are driving better alignment across groups that deal with risk.  It also helps that industry analysts are touting the benefits of aligning the three lines within the enterprise risk or operational risk management (ERM/ORM) umbrella, and that many solution providers and partners are following suit.  This has been RSA Archer’s mantra for many years so it’s good to see it catching on.


What happens next?  We need to take action and I recommend these areas to consider.  


One Step at a Time.  My personal reflections sometimes (maybe not often enough) result in changes in my life but often fall off because they’re based on “changing the world” goals.  I recommend aiming for incremental change.  Do a little better each day.  How do we know if we’re improving our business risk management? We monitor and report and analyze key risk metrics.  We also need to focus on simplicity.  Not many of us are risk experts, but we all have a role in owning risk, so we need a concise set of indicators (think of your car’s dashboard) we can use to make course corrections.  Recognize small victories and build on them. 


First Things First. We need to focus on the most important risks.  Like my personal reflections about my family, career and life illustrate, they’re the absolutely most important aspects of my life.  Business risk management should follow suit.  Complex businesses throw so many risks at us that we can’t focus on everything and do it well.  So, prioritize and focus on the most important risks.


Today and Tomorrow.  I look back to see how the year went but I also reflect every day on how I can improve some aspect of my life.  Business risk management should also include analysis, reflection and action based on long and short term views.  Risks take different shape and affect our businesses differently over the short and long term.  This goes for negative and positive risks.  We can learn much by looking at both viewpoints and taking action based on what we learn.


Something I’ve learned doing this year after year is to stay as positive as you can and keep working at it.  Have a great end of 2016 and may your 2017 be even better!  Contact me at or @pnpotter1017.  

Filter Blog

By date: By tag: