RSA Archer Suite > Blog > 2017 > February

“Tsunami” is the Japanese term for a series of violent, recurrent ocean waves caused by the displacement of a large volume of water. Earthquakes, volcanic eruptions, landslides, underwater explosions or other man-made events are usually the cause. Unlike normal ocean waves, which are generated by wind, or tides, which are generated by the gravitational pull of the Moon and Sun, a tsunami is far less predictable and often more sudden and more damaging.

 

Do you ever feel like your organization is navigating an unrelenting tsunami of issues raised by multiple groups, such as audit, risk and compliance, or by external auditors and regulators? These waves are usually set off by risk management activities, threats, cyber events, non-compliance with regulations or other forces.

 

Like a tsunami we don’t see coming, today’s business environment makes issues management a challenge regardless of your industry, geographic location or business model. With constant regulatory change, shifts in business strategy and rapid technology transformation, it is easy to become overwhelmed by the magnitude, velocity and complexity of the issues that must be addressed. And, as with the aftermath of a tsunami, the remediation plans many organizations put in place to “clean up” are reactive, short term and may not solve the real problem.

 

Let’s look at how most organizations deal with their issues and remediation plans.

 

  • Issues come from a variety of sources. As a result, there is natural duplication and no real consistency in either the issues or the remediation plans. Different individuals or groups document issues in various systems, but the issues are often incomplete or drive remediation plans that don’t address the real problem.
  • Issues are treated differently. This depends on many factors, such as the group that documented them. For example, audit findings may carry more weight than an issue documented by another group, even when that other issue has more serious ramifications than the audit finding. This happens when the organization has no consistent method of prioritizing issues across the board. For the business manager assigned multiple issues and remediation plans, once the audit is final and the day job takes over, priorities change and the issues never get resolved.
  • Tracking and resolution of issues is inadequate. The audit group or compliance function that first raised an issue has no good way to follow up on the status of the issue or its remediation plans after the audit is over, often because its first priority is the next audit engagement. If the business process owner doesn’t track resolution either, the issues are dropped or forgotten.

 

To properly address issue management, organizations need a strategic and comprehensive approach, including the following:

  • A process that works for the whole organization. Every environment is different, but every issues management process needs to ensure issues and remediation plans are documented consistently, assigned to the right owners, and tracked to completion.
  • A way to prioritize issues and remediation plans. This must be consistently applied and driven by business priorities, such as the most important products and services the organization produces, and the criticality of the business processes and IT infrastructure that support them.
  • A single automated tool the entire organization can use. RSA® Archer offers an Issues Management use case that enables your organization to manage the lifecycle of all issues regardless of where they originate. The use case includes a Business Hierarchy to establish the corporate structure and accountability, workflow to drive consistency, and reporting to provide visibility into the results. To learn more visit: RSA Archer Issues Management.

 

There are other requirements, but these are a few critical areas that set the stage, enable quick implementation of the process and drive buy-in across the organization.

 

Preparing for tsunamis won’t eliminate all the risk or impact, but it can significantly reduce the effects and make the clean-up afterwards that much more manageable. Similarly, implementing a well-thought-out issues management process reduces much of the risk from the findings that are sure to come, and makes the remediation process that much more complete, streamlined and consistent.

 

For more discussion, email me at Patrick.potter@rsa.com

 

If as a child you marveled at watching the simple, fascinating micro-example of physics of a pebble dropped into a puddle, you know what the results are. The pebble drops; the water’s surface is broken; ripples fan out from the point of impact… such an unassuming yet beautiful study of cause and effect. Now imagine instead of a puddle, it’s a lake, with stones dropping at a continuous and rapid rate, all in different spots. I am sure you can visualize the effect - the water agitated in all directions, waves tossing to and fro…

Many organizations today face this churn when it comes to risk. It is not that organizations aren’t thinking about risk. Survey after survey indicates risk is a board-level topic. But the rocks keep falling. Those tasked with managing risk are riding the roiling waves. Issues are identified through a variety of sources such as audits, risk assessments and security assessments, but are not managed properly to closure. Prioritizing these issues is nearly impossible because there is no common understanding of the business criticality of the assets and processes they affect. Companies then lack any consolidated view of risk, or rely on a very manual, spreadsheet-based approach to cataloging and assigning risks. And the lake and those falling rocks aren’t always within your company’s control. Third parties (outsourcers, contractors, service providers, business partners, etc.) are becoming increasingly important, and organizations often don’t know which entities are affecting their risk profile.

To address this churn, RSA Archer is pleased to announce the RSA Archer Ignition Program – a fast-track approach to launching a business risk management strategy. To address risk strategically, enterprises need a strong foundation for their program. While the risk management program vision may be a long-term initiative, there are specific areas that need to be addressed at the beginning of the effort; these not only provide quick value to the organization but also set up a much healthier and sounder foundation for the future. A strategic foundation needs:

  • A process for Issues Management to eliminate ‘churn’ around risk and compliance issues from audits, risk assessments, and internal compliance processes;
  • A Business Impact Analysis framework to catalog and prioritize assets and build the context to connect risk issues to impacts to the business;
  • The ability to catalog and monitor Risks to establish a strategic method to view and understand risks across the enterprise; and
  • The ability to identify and track Third Parties used by the business to understand the emerging ecosystem that affects business risk.

 

The RSA Archer Ignition package includes integrated use cases addressing these four key areas, delivered via RSA Archer Use Cases with Quick Launch services and education offerings to get your program off the ground quickly. The package is priced and scoped based on the size of the organization, allowing you to maximize the initial return on your investment. Once your organization has these processes in place, RSA Archer provides a maturity-driven approach to build on these foundations and develop a strategic approach to Business Risk Management. Our suite of use cases allows you to grow your risk management program to the level of maturity your business requires, and to ensure your lake, while still full of waves, is manageable and navigable.

For more information, see the RSA Archer Ignition Program.

Political risk is the risk of financial, market or personnel losses resulting from political decisions or disruptions. In the past, organizations doing business internationally were the ones most concerned about political risk. Top of mind were worst-case scenarios such as government nationalization, trade restrictions and the imposition of barriers to accessing resources. Things have changed, and organizations of all kinds are realizing they must become much more savvy political risk managers in order to thrive.

 

The most poignant example of domestic political risk so far this week was the announcement by two Western cities that they would pull their business from the financial institution financing the Dakota Access Pipeline project. This amounts to more than $3 billion in annual cash flow!

 

Less recent but more frequent examples include being specifically called out and criticized by the executive branch, vacillation in the enforceability of government mandates, and uncertainty over future government policies, regulations, trade agreements and tax codes.

 

Organizations do not thrive in an environment of uncertainty, so they must find ways to cushion themselves from political risk. The risk management principles that are effective for operational risk can be applied equally to the management of political risk.

  • Catalog your organization’s strategic objectives, products and services, business processes, infrastructure and third-party relationships. This gives you business context and a baseline of exactly what your organization is doing and whom it is doing it with.
  • For each of the items catalogued, document the politically related events that could happen and would be adverse to the organization.
  • Assess these political risks. How likely is each political risk to occur, how would it manifest, and what would be the worst-case impact to the organization should it happen?
  • Examine the complete portfolio of risks to your organization and prioritize the actions to be taken to reduce those risks that exceed your organization’s risk appetite.
  • For political risks that exceed acceptable levels, actions may include reducing the activity that introduces the political risk, creating contingency plans to minimize the impact if the political risk event arises, proactively adjusting the business plan to hedge the risk, and negotiating with the counterparties that are the source of the political risk.
  • Monitor the political risk as the political environment changes. Political risk tends to be volatile and can appear quite suddenly. This volatility warrants great diligence and constant monitoring.

 

Today, political risk can severely damage an organization’s reputation, financial performance and fulfillment of its objectives. It warrants the application of proven risk management tools, such as the RSA Archer suite, to methodically apply accepted risk management principles to this vexing risk.
