What is issues management?
Issues Management is the process an organization follows to treat issues, gaps or findings, as well as the related remediation plans or exception requests, that are generated by multiple groups such as audit, risk and compliance. Issues Management is one of the most fundamental processes for Integrated Risk Management. Control gaps, findings from risk assessments, test failures from compliance, security and other types of audits, and any issue identified within the business that could lead to an operational error or failure are all indicators of risk. Issues Management is the process by which those items are cataloged, reported and tracked from identification to resolution, or to acceptance by the business as a known risk or gap.
Why is the proper management of issues and remediation plans so important?
Organizations of all sizes and scopes have issues that are generated from internal or external audits, regulatory reviews, vendor assessments or other sources. These issues usually have related remediation plans that the owners have committed to. However, in our experience neither issues nor remediation plans are managed as well as they should be. They’re usually tracked in scattered documents or siloed systems, there’s no effective way to follow up with the owners, and there is no consolidated reporting or visibility into overall status for executives. Sometimes management needs to push back on these issues, and there is typically no exception request process for doing so. Finally, some issues are symptoms of bigger problems, and without a way to look at them through a more strategic lens, the bigger problem may never be properly addressed.
This causes three major concerns. First, there is additional cost and effort that comes from this duplicative and inefficient way of handling issues; it ties up multiple teams with tracking, following up, consolidating the issues and reporting. Second, and more importantly, most of these issues don’t get properly addressed because the remediation plans aren’t tracked or implemented on time, if ever. This is a major reason auditors identify repeat findings. What is even more concerning is that some of these repeat findings are critical, and result in financial losses, regulatory fines or sanctions, fraud, reputational damage or other risks that could have been avoided. Finally, in this era of risk management, most organizations have no way to relate issues to their measurement of risk, or to determine whether their remediation plans actually reduce risk.
RSA Archer Issues Management
RSA Archer offers the Issues Management use case which addresses the heart of the problems outlined above. The key features include:
- Pre-defined workflows, reporting, user roles and notifications, which enable immediate best practices in managing the entire lifecycle of your issues, remediation plans and exception requests
- A repository to establish your corporate hierarchy (business unit, division) and business and related IT infrastructure (contacts, business process, IT applications, locations, information assets), with connections between issues and your risk register
- A consolidated and coordinated repository of issues and remediation plans from all sources, including risk, compliance, audits and management assessments
With RSA Archer Issues Management, you can:
- Immediately implement best practices in managing the entire lifecycle of your issues, remediation plans and exception requests, including measuring real reductions in risk
- Establish your business context and relate findings, remediation plans and exception requests to the right targets and owners. This is fundamental and sets the foundation for your governance, risk and compliance (GRC) program and establishes ownership over issues and remediation plans
- Consolidate and coordinate issues and related remediation plans or exception requests from all sources and identify redundancies, reducing time, frustration and expense
- Reduce repeat findings and the time needed to resolve issues and implement remediation plans, and reduce overall risk
As long as audits, regulatory reviews, self-assessments by business areas or assessments by others are performed, management, GRC teams and internal auditors will continue to raise issues and require remediation plans. However, the days of managing them ineffectively or in silos must be put in the past, as business growth depends on better and more integrated ways of handling issues and the related risk.
RSA Archer Issues Management is one element of Integrated Risk Management. As your company drives business growth with new initiatives, technology adoption or market expansion, your risk management program must evolve and manage risk with more agility and integration than before. Managing issues and remediation plans effectively is one ingredient in showing real progress and improvement and in decreasing business risk. The use case is also integrated with other RSA Archer risk and compliance use cases, enabling your organization to move toward Integrated Risk Management (IRM).
RSA Archer can help your organization manage your issues, remediation plans, exception requests and multiple dimensions of risk on one configurable, integrated software platform. With RSA Archer solutions, organizations can efficiently implement risk management processes using industry standards and best practices and significantly improve their business risk management maturity.