Skip navigation
All Places > Products > RSA Archer Suite > Blog > 2019 > February
2019

What is Operational Risk?

The Risk Management Association defines operational risk as “the risk of loss resulting from inadequate or failed internal processes, people, and systems, or from external events.” Examples of operational risk include natural and man-made disasters, cyber-attacks, error, fraud, and non-compliance.

 

Why is Loss Event Management so important?

Loss events negatively impact an organization’s income statement.  Under certain circumstances they can be large enough to wipe out current period profitability, erode an organization’s capital cushion, or even force it into bankruptcy.  Consequently, it is critically important for organizations to understand the kinds of losses it could incur, the near-miss losses it avoided, and the losses it actually incurred.  This means understanding how and why a loss arose, what policies were not followed, what controls failed, where the loss is or should be recovered under insurance, and what should be done to reduce the likelihood and impact of similar losses occurring in the future.

 

Understanding and managing loss events is essential to an effective operational risk management program. Many organizations today have impaired visibility into the frequency, amount, type and source of loss events. This is frequently due to lack of complete or comprehensive lists of loss events, lack of accountability for management of loss events, and inadequate root cause analysis. These organizations are not fully aware of their actual losses, nor are they aware of near misses or losses being incurred by others in their industry that may warn of the organization’s own future losses. Lack of accountability promotes a less effective risk management culture, and these organizations typically suffer from a higher frequency and amount of loss events due to poor loss event analysis and remediation.

 

RSA Archer Loss Event Management

RSA Archer® Loss Event Management allows organizations to capture and inventory actual loss events and near misses, as well as relevant external industry-related loss events. Loss event root cause analysis can be performed to understand why the loss occurred and to take appropriate actions to reduce the likelihood and impact of similar losses occurring in the future. Loss events can be evaluated as part of top-down risk assessments and risk self-assessments, if those are utilized, and loss events can be exported to perform Monte Carlo simulations of operational risk using external Monte Carlo engines, such as Palisade @Risk.  Recoverable losses can be monitored and managed until they are reimbursed through insurance or restitution agreements.

 

Key features include:

  • Consolidated loss event catalog including actual losses, near misses, and calibrated external loss events
  • Assignment of loss events by business unit and named individuals
  • Root cause analysis
  • Review and approval of loss events by key stakeholders within their levels of authority
  • Visibility into aggregate losses by type, source, and area of ownership
  • Ability to drill into specific loss events for greater detail
  • Consolidated list of remediation plans to reduce likelihood and impact of similar future loss events
  • Correlation of loss events to applicable risk, policy, and control procedures, as well as correlation to insurance policies.

 

RSA Archer Loss Event Management provides:

  • Consolidated view of loss events by frequency amount, type, source, and owner
  • Clear understanding of the cause of loss events and the actions being taken to remediate problems that led to the loss event, including whether remediation plans are being executed on time, as planned
  • Greater engagement of business unit managers in the management of losses
  • Evidence of the design and effectiveness of an organization’s loss event program within a broader operational risk management program.

 

Today, organizations are faced with complex and fast moving operational risk challenges.  RSA Archer Loss Event Management is one element of an effective Integrated Risk Management program.  Stressing the agility and flexibility needed by today’s modern organizations, integrated risk management brings together the various domains of risk across business activities (horizontally), connecting the activities to the strategies and objectives of the organization on an aggregated basis (vertically). This approach to risk management provides leaders with the most holistic understanding of risk facing their organization so they can make truly informed decisions about where to deploy limited capital and human resources to produce optimized returns for the organization while maximizing the likelihood of achieving the organization’s objectives.

 

As your organization drives business growth, your risk management program must evolve and manage risk more holistically, with more agility and integration than before. Effectively managing loss events is one ingredient to demonstrating real progress and improvement in decreasing business risk.  RSA Archer can help your organization better understand and manage loss events on one configurable, integrated software platform. With RSA Archer solutions, organizations can efficiently implement risk management processes using industry standards and best practices and significantly improve their business risk management maturity.

 

For more information, visit RSA.com or read the Datasheet.

 

What is Operational Risk?

The Risk Management Association defines operational risk as “the risk of loss resulting from inadequate or failed internal processes, people, and systems, or from external events.” Examples of operational risk include natural and man-made disasters, cyber-attacks, errors, fraud, and regulatory or contractual non-compliance.

 

Why is Top-Down Risk Assessment so important?

Organizations today face a wide range of risks originating in different areas of their business, related to strategy, credit, corporate and regulatory compliance, interest rates, liquidity, market prices, operations (errors, fraud, and external events), and reputation, among others. While risks are spread out across an organization and often interrelate, it is difficult to get a holistic view of risk necessary to manage it efficiently and effectively.

 

The problem is further compounded with the introduction of new products and services, mergers and acquisitions, business process changes, and new and intensifying sources of fraud. In many organizations, risks are documented haphazardly in spreadsheets and documents without consistent use of a common approach, methodology, or rating scale. In addition, accountability for risk is tenuous because risks are not assigned to named managers and business units. This undermines accountability and increases the likelihood that a significant risk event will occur.

 

In addition, non-standardized risk management terminology, inconsistent risk assessment methodology and inconsistent risk rating scales mean there is no comprehensive visibility to or accountability in addressing known risks. With everyone speaking differently about risk, incomplete risk registers and inconsistent risk assessments can lead to bad risk management decisions, illogical resource allocation, potential violations of regulatory mandates and an overall poor risk management program.

 

Consistently documenting risks and controls and performing reliable risk assessments is essential to establishing an effective risk management program.

 

RSA Archer Top-Down Risk Assessment

RSA Archer Top-Down Risk Assessment enables practitioners to document risks and controls throughout the organization. Risks can be assessed on an inherent and residual basis, both qualitatively and across multiple risk categories using monetary values. Controls can be linked to the risks they treat for consideration as a part of a residual risk assessment. Risks and controls can be assigned to named individuals and organizational structure to establish appropriate accountability and to provide relevant reporting.

 

Key features include:

  • Catalog a consolidated view of risks and internal controls within the organization
  • Map risks to business processes, controls, higher-level risk statements and scenarios
  • Establish a library of agreed-upon scenarios and perform assessments on selected scenarios
  • Perform qualitative and monetary assessments of inherent and residual risk
  • Monitor risks against established tolerances and risk appetite
  • Enforce consistent terminology, risk assessment methodology and rating scales
  • Organized, managed process to escalate issues to ensure proper signoff/ approval of issues
  • Operationalize accountability for risks, controls, business processes, scenarios, risk assessments and outstanding issues
  • Establish delegated authorities for approving risk and enforce those authorities by automatically routing risk decisions to the authorized individuals
  • Visibility into risk and control inventory and assessment progress via predefined reports and risk dashboards

 

Today, organizations are faced with complex and fast moving risk challenges.  RSA Archer Top-Down Risk Assessment is one element of an effective Integrated Risk Management program.  Stressing the agility and flexibility needed by today’s modern organizations, integrated risk management brings together the various domains of risk across business activities (horizontally), connecting the activities to the strategies and objectives of the organization on an aggregated basis (vertically). This approach to risk management provides leaders with the most holistic understanding of risk facing their organization so they can make truly informed decisions about where to deploy limited capital and human resources to produce optimized returns for the organization while maximizing the likelihood of achieving the organization’s objectives.

 

As your organization drives business growth, your risk management program must evolve and manage risk more holistically, with more agility and integration than before. Effectively performing Top-Down risk assessments is one ingredient to demonstrating real progress and improvement in decreasing business risk.  RSA Archer can help your organization better understand and manage risk assessments on one configurable, integrated software platform. With RSA Archer solutions, organizations can efficiently implement risk management processes using industry standards and best practices and significantly improve their business risk management maturity.

 

For more information, visit RSA.com or read the Datasheet.

Today, we’re pleased to announce availability of RSA Exchange Release R7, which introduces 10 new and two updated offerings, as well as new and updated content. We're thrilled that our RSA Exchange Technology Partners continue to develop and deliver innovation for RSA Archer customers via the RSA Exchange, and look forward to much more in future releases.

 

  • App-Packs – pre-built applications addressing adjacent or supporting Integrated Risk Management processes (e.g. niche, industry, geo-specific)
    • Aujas Duplicate Findings Prevention avoids duplicate open findings for periodic assessments, reducing stakeholder overhead in managing duplicate findings
    • RSA Archer Due Diligence Management provides consistent due diligence scoping process, checklist, and recommendations that address multiple due diligence business processes such as mergers and acquisitions
    • RSA Archer FFIEC-Aligned Cybersecurity Framework offers the ability to apply the best practice principles from FFIEC to prioritize and scope business objectives and priorities, create risk profiles, risk assess the environment, analyze the results to identify gaps, and implement an action plan
    • RSA Archer Speak Up, introduced in November 2018, has been updated to enable anonymous whistleblower submissions.

 

 

 

 

For additional documentation, downloads, and alisting of all RSA Exchange offerings, check out theRSA Exchange for RSA Archer on RSA Link. Stay tuned for more new RSA Exchange offerings next quarter!

What is Third Party Governance?

RSA Archer Third Party Governance provides organizations the capability to monitor and manage the performance of the third parties with whom they do business.

 Why is the proper management of Third Party performance so important?

Organizations are increasingly using third parties to support their operations and to deliver products and services to their clients. Every organization entering into a third party relationship has expectations regarding how the third party’s product and services should perform.  It is particularly critical that third parties provide satisfactory performance wherever they are supporting customer-facing activities or contribute to the organization achieving its key objectives. Often performance expectations are formalized via contract by way of agreed-upon service level metrics unique to the product or service being delivered by the third party.   While contractually establishing service level metrics is a best practice, it is only the first step.  Organization’s need to monitor performance metrics throughout the life of each third party relationship and manage deteriorating third party relationships at the earliest possible time.  While an organization may have created some contractual recourse should a third party fail to perform, litigation and financial compensation do not solve the problems posed by underperforming third parties.  The best outcome is represented by third parties that live up to or exceed performance expectations.

 

RSA Archer Third Party Governance

RSA Archer Third Party Governance provides the capability to track the performance of individual third party engagements and to measure the performance of third parties across all of the engagements they are delivering to your organization. Third Party Governance provides the ability to document and track service level agreement metrics, and utilize a metrics library to promote consistency in assigning service level metrics to similar engagements.  Once performance metrics are established, actual performance data can be collected from named individuals or automatically via systems of record.  Stakeholders can be automatically notified if a third party’s performance begins to fall outside acceptable boundaries so that third party performance can be coached back to acceptable levels or remediation and contingency plans created and executed should the third party’s performance become irreparable.

 

Key features include:

  • Define and document performance metrics for third parties
  • Track all contractual service level agreement (SLA) metrics
  • Uncover deteriorating third party performance
  • Capture and monitor remediation plans until performance problems are resolved
  • Create performance metrics and associate them with individual product and service engagements
  • Capture performance metric data on an ongoing basis and score performance based on data collected
  • Report on performance of individual product and service engagements
  • Roll up engagement level performance to obtain overall third party performance profile

 

RSA Archer Third Party Governance enables organizations to:

  • Create and capture performance metrics and associate them with individual product and service engagements on an ongoing basis
  • Report on performance of individual product and service engagements and roll up engagement level performance to obtain an overall third party performance profile
  • Uncover deteriorating vendor performance and quickly resolve third party performance problems
  • More frequently exercise contract remedies due to poor performance
  • Avoid third party-related surprises and losses, and spend less time and money on third party performance remediation
  • Demonstrate the effectiveness of third party performance management programs to executive management and regulators

 

Today, organizations are faced with complex and fast moving challenges exacerbated by the very nature of rapidly expanding third party relationships.  RSA Archer Third Governance is one element of an effective Integrated Risk Management program.  Stressing the agility and flexibility needed by today’s modern organizations, integrated risk management brings together the various domains of risk across business activities (horizontally), connecting the activities to the strategies and objectives of the organization on an aggregated basis (vertically). This approach to risk management provides leaders with the most holistic understanding of risk facing their organization so they can make truly informed decisions about where to deploy limited capital and human resources to produce optimized returns for the organization while maximizing the likelihood of achieving the organization’s objectives.

 

As your organization drives business growth through an extended ecosystem strategy, your third party risk and performance management program must evolve and manage risk more holistically, with more agility and integration than before. Managing third party risk and performance is one ingredient to showing real progress and improvement and decreasing business risk.  RSA Archer can help your organization better understand and manage its third party relationships on one configurable, integrated software platform. With RSA Archer solutions, organizations can efficiently implement risk management processes using industry standards and best practices and significantly improve their business risk management maturity.

 

For more information, visit RSA.com or read the Datasheet.

 

What is Third Party Engagement?

A third party is any entity with which your organization has an actual or implied contractual relationship for the receipt of goods and services.  Besides being called a third party, these relationships may also be known as vendors or suppliers.  An Engagement refers to the actual product or service being received by way of a contract with a third party. 

 

RSA Archer Third Party Engagement provides organizations the capability to inventory all of the product and service engagements they are receiving from third parties.  Engagements can be mapped to the third parties supplying the product or service, and to the organization’s business units and business processes they support. Third party contacts can be documented and accountability for third party engagements can be established by named individual and by the business units that own the relationship. If you are utilizing the RSA Archer Third Party Engagement, Risk Management, and Governance use cases then the risk and performance of individual engagements can be established and risk and performance information can be rolled-up across all products and services delivered by a third party; and depicting it in aggregate at the appropriate third party organizational level.

 

Why is the proper management of Third Party Engagements so important?

Third parties may relate, to some degree, with every aspect of an organization.  They may impact your organization’s objectives and they support, in one way or another, the products and services your organization delivers.  They support business processes, introduce risk and affect and supplement the extended internal control environment of your organization.  They may provide assets and inputs to the organization such as hardware, software, physical space, and product inputs.  Acting as an agent of your extended organization, they are subject to your regulatory obligations and policies, and they may directly supplement your human resources through consultants and temporary labor, or extend your human resources by the nature of the services that they are providing.  You may have third parties that touch on every one of these elements of your business. 

There are numerous reasons organizations choose to engage third parties.  These include competing better; benefiting from a vendor’s expertise that you don’t have in-house; optimizing resources, acquiring resources (often more cheaply), transferring risk such as under insurance, and expanding market share by capitalizing on the third party’s presence in a market where you don’t currently have a presence, or by offering a more attractive product or service because of the third party’s expertise and capabilities.

Third parties are an extension of your business and, in the end, third parties introduce the same risk to your organization as if you internalized the activities.  In most cases, it is impossible to eliminate the risk altogether.  The best you can do is understand the risk and manage it within acceptable levels.

 

RSA Archer Third Party Engagement

RSA Archer offers the Third Party Engagement use case to consolidate the list of third party products and services your organization uses.

 

Key features include:

  • Catalog third parties, their business hierarchy, and the product and services engagements they deliver to your organization
  • Map third party products and services to the business processes they support
  • Roll up engagement risk assessments to obtain an overall third party risk profile
  • Catalog contracts and master services agreements associated with engagements
  • Execute contract risk assessments utilizing standardized questionnaires focused on minimum required contract language to mitigate and transfer risk
  • Capture the third party’s proof of insurance and evaluate the adequacy of the insurance relative to all of the engagements being delivered
  • Integrate the results of your business process impact analysis into your assessment of the inherent resiliency risk of each third party
  • Establish accountability for each third party engagement
  • Document and monitor remediation plans to bring risk within acceptable tolerance
  • Track exceptions related to third party engagements

 

With RSA Archer Third Party Engagement, you can:

  • Establish efficient management of your third party relationships
  • Know where, how, and why third parties are being used throughout your organization, and who is responsible
  • Identify inherently high risk third party products, services, and relationships
  • Better understand the adequacy of each third party’s proof of insurance,
  • Have fewer third party-related audit and regulatory findings
  • Establish the basis for an effective third party risk management program and allocation of scarce resources based on the most significant priorities
  • Provide transparency into third party relationships using robust notifications and reporting
  • Provide positive assurance to senior management, the Board, and regulators regarding the adequacy of the organization’s third party governance program

 

Today, organizations are faced with complex and fast moving challenges exacerbated by the very nature of rapidly expanding third party relationships.  The RSA Archer Third Party Engagement is one element of an effective Integrated Risk Management program.  Stressing the agility and flexibility needed by today’s modern organizations, integrated risk management brings together the various domains of risk across business activities (horizontally), connecting the activities to the strategies and objectives of the organization on an aggregated basis (vertically). This approach to risk management provides leadership with the most holistic understanding of risk facing the organization so they can make truly informed decisions about where to deploy limited capital and human resources to produce the most effective return to the organization.

 

As your company drives business growth through an extended business ecosystem strategy, your risk management program must evolve and manage risk with more agility and integration than before. Managing third party risk and performance is one ingredient to showing real progress and improvement and decreasing business risk.  RSA Archer can help your organization better understand and manage its third party relationships on one configurable, integrated software platform. With RSA Archer solutions, organizations can efficiently implement risk management processes using industry standards and best practices and significantly improve their business risk management maturity.

 

For more information, visit RSA.com or read the Datasheet.

It's official - time to get your creative juices flowing as the RSA Charge 2019 'Call for Speakers' (C4S) is now open and awaiting your submissions!

 

As you are aware, the RSA Charge events represent all RSA products and an increasing number of customers across solutions attend this one-of-a-kind event each year. The RSA 2019 Charge promises to be the biggest event in our history of RSA Charge and Summit conferences. 

 

The RSA Charge event is successful in no small part because of the stellar customer submissions we receive each year. We invite you to submit your presentation brief(s) for consideration.(That'sright, you may submit more than one submission brief!)

 

This year for the first time the '8' Tracksfor RSA Charge 2019 are identical across all products and represent all RSA solutions. We are pleased to present the them to you:

 

Transforming Your Cyber Risk Strategy- Cyber-attacks are at the top of the list of risks for many companies today.  Tell us how you are approaching reducing this risk utilizing RSA products.

 

Beyond the Checkbox: Modernizing Your Compliance Program - The regulatory landscape is always shifting.  How are you keeping up and what steps are you taking towards a sustainable, agile compliance program?

 

Aligning Third Party Risk for the Digital Transformation - Inherited risk from your business partners is a top of mind issue.  Third party risk must be attacked from multiple angles.  Share your strategy.

 

Managing Operational Risk for Impact-  Enterprise risk, operational risk, all things risk management.  Share your experience and strategy on how you identify, assess and treat risk across your business operations.

 

View from Above: Securing the Cloud - From security visibility to managing organizational mandates, what is your risk and security strategy to answer the "go to cloud" call.

 

Under the RSA Hood: Managing Risk in the Dynamic Workforce - The workforce has become a dynamic variable for many organizations - from remote users to BYOD to contractors and seasonal workers.  How are you addressing this shift?

 

Business Resiliency for the 'Always On' Enterprise - The world expects connectivity.  When the lights are off, the business suffers.  Tell us how you are ensuring your business is 'always on' - business continuity, recovery, crisis management and the resilient infrastructure.

 

Performance Optimization: RSA Product Learning Lab - Share your technical insights of how you use RSA products to meet your business objectives.  Extra points for cool 'insider' tips and tricks.

 

We know you have great stories to share with your peers, best practices, teachings, and how-to's. We hope you consider submitting a brief and thank you in advance for your consideration. More information can be found on the RSA Charge 2019 website (scroll to bottom of page) including the RSA Charge 2019 Call for Speakers Submission Form. Submission should be sent to: rsa.events@rsa.com.

 

Call for Speakers 'closes' April 26. 

What would you do if you heard an advertisement on the radio misrepresenting a product your company offered?  I'd like to share a true story and how RSA Archer helped this organization's first line of defense own risk.

 

Sally was listening to the radio on her drive to work when she heard an advertisement about her company but the information was incorrect and misleading.  When she got to work, she didn't know who to report the information to but knew that if she didn't report it, it could cause huge impacts to their organization.  After approaching several people, she decided to call the IT help desk.  While the IT help desk typically "helps" many, they are typically a little further downstream from the risk evaluation process. After some digging, the IT help desk sent the request to the Risk Management team, who then connected Sally with the third party risk team to address the issue with the third party. 

 

When our customer approached RSA, we decided to provide a method via RSA Archer that not only addresses the problem but enables your organization to own risk.  But we took it a bit further than just a risk reporting tool. There are often brilliant ideas that could positively impact your organization. There may also be specific issues or incidents that conflict with your organization's corporate policies and procedures and someone within your organization has the knowledge needed to help avert or mitigate those issues early on. 

 

The RSA Archer Speak Up app-pack provides a mechanism within RSA Archer for the first line of defense to communicate information to your management or risk management team while leveraging workflow to review and approve the information and get it to the right team to take action.

 

RSA Archer Speak Up allows you to:

  • Submit ideas to improve the business;
  • Report issues to responsible authorities or management team within the organization; and
  • Document concerns regarding potential ethics violations, incidents, breaches, issues with third parties, and more.

 

With the RSA Archer Speak Up app-pack, your employees are empowered to speak up and own risk.  And, your management team is empowered with accountability and a consistent governance process for addressing risks.

 

RSA Archer Speak Up Business User Dashboard

Interested in learning more about the RSA Archer Speak Up app-pack? Join us for a Free Friday Tech Huddle on Friday, February 8 for a live demo. Free Friday Tech Huddles are only available to RSA Archer customers. If you are not yet a customer but you are interested in learning more, please contact your local representative or authorized reseller—or visit us at www.rsa.com.

Filter Blog

By date: By tag: