
39 Posts authored by: PatrickP Employee

I think back to a handful of audits over my career as an internal auditor where the people performing the function we audited just seemed to get it right.  They knew how to run their business, but they were also managing their risks well, they had good controls in place, and there were very few, insignificant findings.  Ahhh, what a dream.  However, the vast majority of the audits were a different story.  The thought I had over and over again was, “I just wish these people would think through their risks and their potential impacts, and consistently implement the right controls" (versus what they thought the auditors would want).  Their issues were lack of understanding, incentive and ownership.  In my first example, ownership existed.  In the second, ownership over risks and controls was lacking.


In all fairness, these poor folks were stretched about as far as they could be just running their business, let alone performing risk management.  Fast forward to today's world where risk management is expected at all levels of the business - and not just because it's good practice, but because everyone expects it, from regulators to customers to boards of directors, and more. The good news is more companies are starting to recognize this and do something about it.  I'm not just talking about industries where risk management has been standard practice for years; most industries are seeing significant advances in maturity.  This is where the auditors can begin to breathe a little easier (just a little) for two reasons.  One, the 2nd Line of Defense (LOD) groups, such as Operational Risk Management (ORM) and Compliance, are getting their act together in terms of their approaches, capabilities and people, so much so that Internal Audit (IA) can rely on their work more than ever before.  However, the second reason is more significant and points to the title of this blog - everyone is starting to own risk.


Do we have a long way to go before everyone actually owns risk at their level in their organization? Of course, but it's starting to take place and I'll give you some reasons why.  Certain industries like financial services, utilities and transportation have, out of necessity, had risk management in place for many years and have matured ahead of the curve; for example, insurance practices have incorporated risk management into their standard operating procedures and how they make money from their inception, so the concept is more fully integrated.  Next, risk standards like ISO 31000 and COSO have long expounded the reasons and benefits of managing risk, and those companies following the standards have moved forward at a faster pace in their risk management capabilities.  Further, as regulatory bodies and their standards across most industries and geographies have advanced, they almost all include requirements for risk management practices.   Finally, and more personally, the consequences for customers and even company executives of not having effective risk management programs in place have all but brought some well-known companies to their knees lately.


As risk experts at RSA Archer, we work with hundreds of companies to help them manage their risks and implement controls, and even though we have a long way to go, I see a collective improvement - I’ll call it the “rising tide effect”.  Ever heard the analogy that a rising tide lifts all ships? I used it in a prior blog but I love it and it’s applicable here because it’s happening in risk management, and helping more people in more companies at all levels understand, take ownership and do something more about their risks than ever before.  Because of the reasons I stated earlier and many more, this rising tide of risk management is helping us all to be better managers of risk.


Another factor I'll mention is technological advances.  Risk systems have improved over the years as Governance, Risk and Compliance (GRC) technologies have become more and more ingrained into companies, helping the tide rise even more.  In fact, I'll say the tide is turning because Archer is helping companies not only reduce bad risks but take advantage of positive risks to gain competitive advantage.  We believe that the ability to harness risk and transform compliance is an untapped source of competitive advantage to fuel the enterprise. That's why we're so excited to announce the recent launch of RSA Archer GRC 6. With new features to bring technology and business processes together we're better able to help everyone own risk within their organization.  Two fundamental improvements we think will help raise all ships:

  • User Friendliness - We recognize that not everyone uses Archer every day, so we’ve completely redesigned the look and feel to include a walk-up friendly, task-driven user landing page and drag-and-drop advanced workflow functionality to still configure Archer to meet your business needs.
  • Managing Risk - One of the main challenges in most organizations is not identifying the risks, but doing something about them.  Our new ORM capabilities walk users through the process to self-assess, and identify and act on known and emerging risks with specific workflow for business users (1st LOD) and 2nd LOD groups like ORM, enabling them to work together.

There is lots more to this launch, so check out our Virtual Launch event to hear more about RSA Archer 6.

I want to mention the effects all of this rising tide of risk management has on our audit friends.  IA has been extolling the virtues of risk management for years through the recommendations they make to companies in implementing controls and better understanding their risks and exposures.  The fact that we see more companies and individuals within them understanding and owning risks is a fundamental and welcome shift.  The goal of every internal auditor I’ve ever met has been for “the business” to own their risks and controls, like my example at the beginning.  The fact that this tide is definitely rising isn’t lost on this former internal auditor and I can’t wait to see where it goes next! 

If you have additional thoughts, views or examples, email me at or tweet me at @pnpotter1017.

It Started Like Any Other Day

Posted by PatrickP Employee Aug 21, 2015

You don’t know when a disaster is going to strike.  The day usually starts like any other day. Disasters come in all shapes and sizes - natural and man-made, personal tragedies, workplace related events and others, and if you’ve ever experienced one you know it changes you.  Many thoughts run through your mind such as, “Why is this happening to me, are my loved ones safe, where do we go and what do we do?“ Afterward, you reflect on what more you could have done to prepare, because once the disaster strikes, the time for preparation has passed.  The following account of the Leidenheimer Baking Company’s response during Hurricane Katrina in 2005 illustrates my point and teaches some valuable lessons.


Sandy Whann is the president of the family-owned-and-operated Leidenheimer Baking Company founded in 1896 in New Orleans, Louisiana.  As a lifetime citizen of New Orleans, Sandy has become adept at hurricane planning through the years. When the hurricane alert was issued on Saturday, August 27, this veteran immediately put his family emergency plan into effect as his wife and two children prepared to leave the city. Sandy remained near his bread production facility to keep a close eye on his company and keep production working at a minimal capacity. With his family out of the city, Sandy now focused on his employees and their families.


On Sunday, after meeting with his upper management, Sandy uncharacteristically decided to shut the bakery down, secure its exterior, gas lines and doors and encouraged his employees to prepare their own homes and loved ones for the storm and potential evacuation. After most of his employees had left, only Sandy, his plant manager, and chief engineer, all of whom play key roles in the business's preparedness plan, remained in New Orleans.


Once Sandy and the others had completed their assigned duties in the emergency shutdown, they left as well. While driving to meet his family in Baton Rouge, Sandy was struck by the unusualness of the event, particularly because the drive, which normally takes one hour, took seven hours.


"Things were very different this time around," said Sandy. "But in the gridlock I still made the most of the little time we had before the storm hit. Having an emergency preparedness plan helps you focus your priorities and helps you know what you need to be doing with the limited time you have in any situation."


En route, Sandy checked with his insurance provider, accountants and legal consultant, and spoke with customers to keep them abreast of the situation and the effect of his shutdown on their supply of baked goods. Sandy's business evacuation kit played a large part in his success. Sandy's kit included: financial and payroll records, utility contact information, updated phone lists for his customers and employees, back-up files and software, as well as computer hard drives. Well before the evacuation Sandy placed the kit in a mobile waterproof/fireproof case that could be taken with him at a moment's notice. As part of Sandy's written plan, he set up a satellite office for the company in Baton Rouge where he made contact with his bank, forwarded phone lines, and was receiving mail within two days.


Sandy breathed a sigh of relief that his family and his company had escaped a major disaster. Fortunately, Sandy was able to return to his plant within a week of the storm. When he returned, he saw widespread damage. The roof had severe damage, there was no power, no usable water, and no one was permitted back into the city except the National Guard.


Despite caring deeply for his business, the most important thing to Sandy was his employees and he felt fortunate that all of them were safe. In summing up his experience Sandy said, "Katrina was severe enough to teach even us experienced hurricane survivors a few new things about emergency planning."


I hope we can all learn a few things about organizational and personal preparedness and focus a little more during National Preparedness Month on building a more resilient society for all of us. Contact me at and @pnpotter1017

In the first blog in this series, I used the analogy of a rocket lifting into space with the countdown, 3...2...1... equating to the Three Lines of Defense (LOD) model, and how an organization truly achieves “lift off” or success really comes down to the 1st LOD.  In this blog, I’d like to focus on the 1st LOD and three ways to help them achieve lift off for your organization.


Walk In Someone Else's Shoes

I've found that when I don't understand someone else and may be at odds with them, then I need to try to understand their perspective.  When I do this I become more understanding, the other side often tries to do the same, we're both better able to soften our position and we typically start to get along better.  We might even start to change some things we do for the better.  Often, the three LODs are so entrenched in their own individual objectives, being separate groups that are only just coming together, that they don't understand what the other LODs do and why.  Let me give you an example.  Internal Audit is pretty good about understanding what a function does as they are auditing that function.  They review its processes and controls and then determine where to spend their time auditing.  However, it rarely goes the other way.  A completely worthwhile exercise is for each LOD to understand the others, because it promotes better understanding and more alignment, and will begin to effect change for the better.


No One Likes to Be Audited

There are not many things worse than hearing that your department is going to be audited.  You begin to wonder if you've made mistakes that are going to be disclosed and if you'll be in trouble, not to mention the time it's going to take away from getting your work done.  Audits are a necessary practice, but what most "auditees" don't know is how to reduce the impact of audits.   To my first point above, do business operations take the time to understand why Internal Audit decides to audit them and what they can do to reduce the impacts of an audit? I'm not talking about being sneaky to avoid an audit, but understanding Internal Audit's concerns and objectives and then making real changes to improve, not only to reduce the impacts of audits in the future but to actually strengthen controls and processes and reduce risk.


Replace Good with Better

Ever thought about how you could do your job better?  What is the definition of "better"? I'll bet if you were to ask your CEO, she or he would define "better" as owning and improving your job so the company can save money and drive growth.  Ask the 2nd and 3rd LODs and they'll say "better" means improving controls and reducing risks.  However, who knows your business processes better than you, the business operations people - the 1st LOD?  Yes, experts can recommend process changes and auditors can recommend controls, but you live the process day in and day out.  Now, it's tough to come up with new changes in a vacuum, meaning you have to look for ideas to improve, and that's where walking in someone else's shoes comes in handy; but the more you really look at making good processes and controls better, the smaller the impact of audits on your organization will be.


In closing, until the 1st LOD better understands the 2nd and 3rd LOD objectives around risk and control, and autonomously strengthens processes and controls to really get at the heart of mitigating risk, your organization will never achieve the real benefits and you'll be frustrated at the unending parade of audits coming your way.  Believe me, the auditors get tired of it too.  Conversely, the more the 2nd and 3rd LODs understand the 1st LOD perspective, the smarter their approaches will be. As a result, all three LODs will better work together toward – 3…2…1… lift off!


Marshall Toburen is doing a great blog series that explains the Three Lines of Defense in It Takes a Village: The Three Lines of Defense Model.  Check that out to get a thorough understanding of the 3LoD model. Also check out my first blog in the series Blog Series: 3...2...1...Liftoff!


Contact me at with feedback and follow me at @pnpotter1017.  Thanks for reading!


Prior to the launch of every spaceship that lifts high above the earth is a countdown that ends with 3...2...1...lift off! This signals the final moments before the spaceship takes off to fulfill its mission.  My blog is a play on the 3, 2, 1, liftoff analogy and how it relates to the "Three Lines of Defense" model.


Marshall Toburen is doing a great blog series that explains the Three Lines of Defense in It Takes a Village: The Three Lines of Defense Model.  Check that out to get a thorough understanding of the 3LoD model.  In short, each line of defense refers to a part of the governance, risk and compliance (GRC) structure.  The 1st LoD are business process owners - operations, IT, Sales, etc.  The 2nd LoD are Enterprise Risk Management (ERM) and Compliance groups, and the 3rd LoD is Internal Audit.  Each has their role in the GRC structure to manage risks and controls and must work together.


Internal Audit was one of the original risk and control groups with the charge to identify risks and evaluate controls.  Then ERM became en vogue and many companies implemented ERM or Operational Risk Management (ORM) groups as well as separate Compliance organizations.  This has taken some of the load off of Internal Audit, but there are still many challenges in aligning across all of these areas.  Here's the crux of the matter.  These groups have a role to play in the risk and compliance picture, but who is in the best posture to do something about risks when they pop up? Who is in the best seat to make sure controls are functioning? It's that 1st LoD - the business processes themselves.   However, while they're closest to these risks, it's not their primary focus and their perception of how to manage and address these risks can be very different from the 2nd and 3rd LoD.  Internal Audit, ORM and Compliance groups are struggling to implement programs and processes and just keep up with the velocity of new regulations and risks, so it's imperative that more be done by the 1st LoD.


Through this blog series I'll be discussing ways that realization, accountability and ownership over risks and controls can and should transition from the 3rd and 2nd LoDs to the 1st LoD, and why.  What's more important is I'll talk about ways that don't add to the already heavy loads these 1st LoD functions already have.  In fact, I'm convinced that as we launch from 3..2..1 that companies will lift off in their risk and compliance programs!


I'm presenting on this topic at the September 10th Phoenix, AZ Security and Audit Conference, so if you're in Phoenix - come and join me!  Follow me @pnpotter1017 on Twitter and give me your ideas at


Can businesses and organizations be resilient on their own?


By this I mean: is it enough for a business organization to build resilient internal processes, IT infrastructure, facilities, and even third party relationships, and rest assured they're prepared for the next big event that comes along? To answer this question, I think we have to look at what businesses rely on to operate - both inside and outside of the company.  Of course, there are external needs, like utilities (electric and water), transportation and roads, police and fire support and many others.  However, the one I'm going to focus on is its people.  Specifically, employees and what they need to do to personally prepare for disasters so they can return quickly after a disaster and help your business recover.


Around this topic of people, Business Continuity (BC) disciplines tend to focus on employee safety, ensuring people can do their jobs after a disruption and determining which employees are "critical" to recovery efforts and to operating the company as a whole.  However, I don't think we focus enough on other aspects of employee preparedness that can significantly affect whether employees can and will stick by the company and help it recover in the aftermath of a disruption.  After Hurricane Katrina hit in August 2005, an estimated 300,000 homes were destroyed or otherwise made uninhabitable.  In 2012, Superstorm Sandy plunged Lower Manhattan into darkness, flooded the subway system and left more than 8 million people along the Eastern Seaboard without power.  When the 2003 European heat wave struck, it resulted in a health crisis in several countries as well as a drought which led to crop shortages.  Thousands died, with most casualties among elderly people in nursing homes or single family homes with no air conditioning systems.


We always focus on the dollar impacts of disasters.  However, these examples highlight the real impacts devastating disasters can have on employees and their families outside of work.  My proposition today is that without the personal preparedness of individuals and families, our businesses are vulnerable.  This is a tough topic to handle because most organizations don't know where to start and can barely get their arms around their own resiliency and recovery planning.  However, the more a business organization focuses on its people and encouraging their personal preparedness, the better off its business will be.


There's not much our employees can do if the subway is down or power is off across the city, but there are ways they can make at least short term plans, and there are many resources available to your employees to help them build personal preparedness, like support groups, churches, websites, federal and state government resources, and many other groups devoted to emergency preparedness.  What companies can do is incorporate this into their messaging and communications and encourage employees to build personal preparedness.  Companies can and should be supportive and point employees to resources that will teach and help them build personal preparedness.


The better prepared our employees and their loved ones are for disasters, the better able they'll be to get their houses in order and jump back in and help the company recover as well.  For more information or input, email me at

You may be familiar with the story of Frodo Baggins of the Lord of the Rings trilogy.  He was an unassuming hobbit from the Shire who inherited a ring.  Once he came to understand the power and dark purposes of the ring, he set out to destroy it in the fires of Mount Doom before the Dark Lord Sauron could use it to destroy Middle Earth. There were many times on his long journey that Frodo tried to do this alone.  He did so because he felt it was his quest to accomplish, he didn't agree with how others wanted to proceed or he was scared for the safety of his friends.  It was only when he relied on help from friends like Samwise Gamgee, Lord Aragorn and the wizard Gandalf, did his quest finally succeed. There were many adventures, new characters, close calls and misdirection along the way.  But in the end, he accomplished his goal of destroying the ring and saving Middle Earth.


You may be less familiar with the story of the ARC.  The ARC finds themselves in a very similar position as Frodo and his counterparts.  The ARC consists of three groups that set off on similar but separate quests, each to destroy evil and restore peace in the land. The problem is they were very much separate even though their goals were the same.  At first, they didn't know much about each other other than that they each existed.  There were times they crossed paths in their journey and even fought against each other, not knowing they could be allies. In the end, only when truly perilous times came upon them all did they begin to work together to achieve their quest.


Ok, I guess it's time to bring this back to the purpose that I'm writing about, and it's not to become the next J.R.R. Tolkien! This ARC group I'm referring to exists in most every substantial organization today.  It's the Audit, Risk and Compliance (ARC) teams, and when you think about it, they really have been on a similar quest, or what I'd call a maturity journey to abolish evil (risks) and establish control(s).  As a Governance, Risk and Compliance (GRC) company with over 1,300 customers, we've seen our share of organizations all along this journey.  Some very separate in their quest to manage risks, implement controls and help steer the destiny of their organizations.  Others, working together with similar approaches, sharing the load and reporting results consistently and holistically.  Just as Frodo and his counterparts triumphed over their foes only when they worked together as a team, the organizations that align their ARC teams (and there are many ways to do this) are more successful.  This could be done by evaluating risks in the same way, dividing up the work of evaluating controls, coordinating with regulators or becoming more involved in strategic initiatives to give the unique perspective only ARC groups can provide.


Frodo needed directions to the fires of Mount Doom where the ring could be destroyed.  ARC and other groups also need a roadmap, so we've recently implemented Maturity Models to light the way.  These Maturity Models cover each area - Audit, Compliance, Risk, Third Party Management, IT Security and more.  Each one helps the organization understand where they are on the road to maturity and how to advance further.  Finally, just as Frodo and his colleagues had swords, shields and bucklers, organizations have access to the Archer GRC tool, which is a strong enabler if coupled with the Maturity Models to help teams accomplish this shared mission.


It's not an easy journey, so check out our White Papers on the RSA Archer Community RSA Archer Maturity Model White Papers.

Alright, I admit my five year old daughter is my literary consultant and gives me ideas for my blogs. In this one I'm going to talk about RSA Archer Maturity Models we've recently developed to help organizations in their journey to mature their Governance, Risk and Compliance (GRC) programs using RSA Archer as a key enabler. But first, to introduce the concept, let me tell you the story of the Three Little Pigs (this is my daughter's part). 

The Three Little Pigs is an old English nursery rhyme that begins with three pigs being sent out into the world by their mother to seek their fortune. The first little pig builds a house of straw, but a wolf blows it down and eats him. The second pig builds a house of sticks, which the wolf also blows down and, you guessed it, has barbecue pork for dinner. The third pig builds a house of bricks, which the wolf can't blow over. The wolf tries to trick the pig out of the house but he is outwitted by the brickhouse pig (yes, she's a Finally, the wolf tries to come down the chimney, where the pig catches the wolf in a pot of boiling water, slams the lid on, then has wolf stew (try that Andrew Zimmern) for dinner.

As I said, we have just launched a series of Maturity Models to help organizations advance their GRC programs through the use of different Archer solutions, one of them being Business Resiliency (BR). The Model and accompanying White Paper below discuss the five phases of the Model (Siloed, Transition, Managed, Transform and Advantaged) and the key capabilities organizations should implement in building maturity into their BR programs.  Each phase describes the characteristics of BR programs that fall within it.  For example, BR programs in a Siloed phase might be like the little pig who built his house out of straw.  It was built very quickly, maybe even just to be compliant or to "check a box".  It was a good idea but maybe not completely thought out. As a result, when the disaster struck, the house came down.  In the middle of the Maturity Model is the Managed phase (we'll call that one the house made of sticks).  Stronger than the house made of straw, this one was planned out better, it might have been tested to see how it withstood a breeze or two, and it maybe even had some reinforced windows; but when the wolf blew, that house came down too.  Finally, the last and most mature phase in the Model is the Advantaged phase.  In this phase, our Advantaged pig built her BR program out of bricks. She anticipated the danger, planned accordingly, consulted her risk advisors, and then built a resilient house that not only withstood the impending disaster, but became a competitive advantage as a wolf trapper, processor and cooker.

In all seriousness, the Maturity Model has been received extremely well as organizations are already starting to use it to map out their journey in maturing their BR programs using Archer as a key enabler.  For more information, read the BR White Paper – and check out White Papers on our other Maturity Models on the RSA Archer Community.  Email me at if you're interested in hearing more or give me any feedback you have.  In my next blog I'll talk about the Maturity Model for Internal Audit.  So until then...wait, why am I hungry for pork chops?

One of the top universal issues that business executives, boards of directors and audit committees deal with is they hate surprises.  I'm not talking about the good ones, like an unexpected jump in stock price, a product launch that's a runaway success, or a favorable tax position.  I'm talking about bad surprises.  Those that bring to the forefront risks that the company, its risk and assurance functions, and "the auditors" failed to identify and do something about.  This especially hits home to auditors when they recently spent time auditing a particular area and could have identified certain risks and alerted management before it led to a bad surprise.  Bad surprises come in all shapes and sizes but they usually spring from unidentified or misdiagnosed risks.  A risk category that is a top five for most executives, and is becoming more prevalent (but is much less understood) is IT risks.

Gartner recently released its Magic Quadrant for IT Risk Management (again naming EMC/RSA a leader for its Archer GRC platform offering).  Gartner defines this space as risks within the scope and responsibility of IT, the IT department, or IT dependencies that create uncertainty in daily tactical business activities, as well as IT risk events resulting from inadequate or failed internal IT processes, people or systems, or from external events. Gartner reiterates that IT risk management is a core competency for governance, risk, and compliance programs. This means that the line between business and IT risk management is becoming blurred as processes evolve and incorporate more and more technologies or become the technologies themselves. This raises IT risks that ORM/ERM and business process auditors, second and third lines of defense, may not be adept at recognizing and knowing how to deal with.

Among the many questions to address in proper risk management is one I'll focus on today.  Which is this - does your organization have the right risk management structure, approach, organization and skills to properly manage IT risks?  A potential weak link in the chain exists in many organizations' organizational approach to risk management.  Operational Risk Management (ORM) or Enterprise Risk Management (ERM) functions typically address business risks, while IT risks are mainly tackled by the IT organization.  Similarly, Internal Audit (IA) departments are often delineated between business auditors and IT auditors, who perform business process audits and IT audits, respectively.  The weak link manifests itself if these separate groups don't have similar, or at least related, risk management methodologies, don't communicate, and don't track or resolve findings through common approaches. IT organizations usually understand their risks fairly well, but they must do a better job of being the conduit to their business counterparts and translating IT risks into business impacts that make sense to executives.  On a positive note, most ORM/ERM groups and their IT counterparts do connect at some level, either through similar risk management approaches, risk registers or other methods. Similarly, IT auditors typically have the skills to identify and raise issues around IT risks and do a good job of communicating them through their audit findings.


Most organizations have a ways to go until they can manage their IT risks to the point that they won't be seeing many surprises - but that's more of a journey than a destination that we're all on. Let's keep the dialogue going! Check out our Community page for more information on the Gartner Magic Quadrant series. Use this link for the “Community page” and email me at with your thoughts!

Have you heard the term, "a rising tide lifts all boats"? It's an aphorism that refers to the broad, positive effect that benefits all participants of something such as a strengthening economy or a particular public program.  For example, as the economy improves, theoretically so does the prosperity of businesses and individuals.  Here's another example that's near and dear to my heart.  Business resiliency (BR) is the ability an organization has developed to quickly adapt to disruptions while maintaining continuous business operations and IT systems, and safeguarding people, assets and reputation. The more resilient an organization is, the better its strategy execution, profitability, sustainability, competitiveness and innovation.  BR also lifts the tide for other factors, like risks. What I mean is that, generally, a resilient organization does a better job at identifying, measuring and mitigating risk than one that is not.

The most recent Gartner Magic Quadrant for IT Risk Management evaluated governance, risk and compliance (GRC) software (and coincidentally names RSA as a leader) that perform IT risk management.  When we think of BR, we usually relate it to the "business" and don't necessarily correlate BR to IT risk or as a factor in reducing IT risks.  However, let's try to separate the two.  Gartner states that the definition of IT risks for the purpose of their report are those within the scope and responsibility of IT, the IT department or IT dependencies.  Now, let's identify those business processes or functions within any given organization that don't rely on IT systems or the IT department.  Wait, I'm counting....uh, zero. In this day and age, the business has become synonymous with IT systems and capabilities.

In a 2015 study by Protiviti, a global internal audit consulting organization, on top risks cited by executives and boards, they included among top strategic risks - the rapid speed of disruptive innovations and new technologies, mobile applications and other internet-based technologies; and operational threats such as information security and big data - with cyber threats being a top five risk.  These are all IT risks but each has deep business implications.

BR is not only a trait of successful organizations, but is also a risk mitigation strategy and approach to address business and IT risks.  BR speaks directly to the heart of IT risk management by implementing strategies and tactical steps to mitigate the risk of IT dependencies that can create uncertainty in daily tactical business activities; reducing IT risk events resulting from inadequate or failed internal processes, people or systems; and improving the availability of services, including incident management and disaster recovery.

I'm proud that RSA was again named a leader and we have the capabilities to help organizations build business resiliency and address business and IT risks.  Send me your thoughts at  Also, check out our Community page for more information on the MQ series.


Have you heard of the "domino effect"? It's the reaction produced when one event sets off a chain of related events.  A good example of this is literally setting up a chain of dominos to see how many you can add and how far the chain will go. I used to do this as a kid.  I'd set up dozens of dominos in different formations and then I'd add ramps, jumps and other obstacles to see how far I could take it and how cool I could make it.  However, if a ramp or jump was off a little bit or if any of the dominos were out of line, the dominos would tumble over to the side and I wouldn't get the full effect. Looking back, it took creativity and some foresight to really plan out an awesome domino chain. If I had to translate this into business terms, I'd say the key to success was alignment, coordination and having a strategy.

So, what does this have to do with Internal Audit (IA) and Operations Risk Management  (ORM)?  I'll draw an analogy - IA and ORM are the dominos.  The better aligned they are, the better the end result is going to be in terms of identifying and managing risk.  The strategy is having the right pieces and steps to the process in place.  For example, this chart to the right shows those pieces in the ORM lifecycle, starting with the strategy at the top, and having the right organization, a framework and execution.

Marshal Toburen, GRC Strategist for RSA Archer, said in a recent OCEG webcast, "Too many organizations are implementing risk management in bits and pieces and in differing ways in silos across their organization.  Operational risk management suffers when these silos don’t communicate and when they put together an incomplete and inaccurate picture of risk."

Why is it that most organizations have this disjointed and incomplete picture of risk affecting their organization?  Here's just one example. In the majority of organizations we work with, IA is separate from ORM organizationally.  That's not a bad thing in and of itself.  However, in most cases, not only are they separate, but their methodologies and approaches to identify and evaluate risk are different.  Both ORM and IA groups may have valid approaches, and they may even communicate and compare results, but the comparison is cursory, and comparing results from their different approaches is like comparing apples to oranges.  Or, they may be doing many of the same things, like identifying, evaluating and measuring risk and finding ways to mitigate them, but they're not working together.  The dominos in this example aren't even in the same line!  To make the dominos fall correctly, IA and ORM should be working in tandem and with business owners (1st line of defense) to implement risk approaches, coordinate efforts, report results and follow up on issues. IA can and should have some level of independence, but they should also consider aligning their approaches with their ORM group based on regulations, best practices and industry standards.

Creating this formation of dominos isn't going to get any easier.  As a kid when I'd set up the dominos, I always had to keep an eye on my little sister who took great delight in knocking over my grand creation. Like that threat I faced, according to the American Institute of Certified Public Accountants, 83% of organizations surveyed have seen the volume and complexity of risks increase over the past five years.  In addition, 20% of these organizations have seen the volume and complexity of risks extensively increase over the past five years. As complexity of risk increases, our approaches to evaluate and mitigate risk must also rise to the challenge.

Just as creating the perfect domino chain takes a lot of practice, so does creating an effective, aligned risk approach and partnership between business owners, IA and ORM.  Think of it in terms of a maturity spectrum - on one end, the groups don't even know each other exist; to the far end of the spectrum where they work in perfect harmony.  Every organization is at a different place on that spectrum, but what's important is to know where your organization is today versus where it needs to get to. Devise a plan and begin to make progress - any amount of progress is good.  Consistency through practices, technologies, communication, dissemination, training and personnel will also build trust and better reliance between the three lines of defense.

I'm interested in your thoughts! Add your comments below or email me at  Also check out the latest Gartner Magic Quadrant for Operational Risk Management for more information here Magic Quadrant for Operational Risk Management.

Gartner published their Market Guide for Audit Management Solutions in December 2014 to provide audit teams with insight into the market and offerings available.  Here's the link to their report: Market Guide for Audit Management Solutions


Gartner defines the market as solutions that automate internal audit operations through core and value-added offerings. Core offerings are those that primarily address the needs of internal audit departments, while value-add offerings position internal audit to add value to business operations, growth and innovation. Per Gartner, the use of core offerings far outweigh value-adds, which are growing at a much slower pace. Demand for mobile devices for conducting audits is growing quickly and by Gartner's estimate, 40% of internal audit teams will use portable devices to conduct audits by 2017.

Gartner further divides the audit management solution market into two segments - pure-play solutions and governance, risk and compliance (GRC) applications. They state that internal audit teams use both pure play and GRC; some groups integrate with their GRC organization's systems while others use standalone systems. The core offerings market is mature and well-defined, whereas GRC systems are newer and evolving.


RSA Archer's Audit Management Solution was highlighted for audit planning and risk assessment capabilities, which is a crucial part of the entire audit lifecycle that is available in Archer's solution.  In selecting a solution, Gartner recommends audit departments prioritize their requirements and differentiate based on them, as well as on price and delivery option.  They recommend considering GRC applications (like Archer) when more than one department in the organization has made a purchase or is considering investment in GRC applications.  They feel that SaaS is a more cost-effective solution, but on-premises implementations may be dictated by the need to secure sensitive data in highly regulated companies.


What we've seen in our research and interactions with hundreds of audit departments around the world is that very few are not considering GRC capabilities, mainly because audit committees, regulators and market conditions are demanding that internal audit play a more significant and strategic role in defining and mitigating risk, validating compliance and shoring up the three lines of defense.


For more information on Archer's perspective, contact me at

Top Audit Risks For 2015

Posted by PatrickP Employee Dec 16, 2014

As we head into 2015 and Internal Audit (IA) organizations finalize their audit plans, it's always interesting to hear what they're going to focus on and how that aligns with management's perceptions of risk. Recent surveys of audit organizations by several global auditing and consulting organizations show some of the top global risks audit groups are talking to their audit committees about and including in their audit planning are:


  • Regulatory changes and scrutiny
  • Cyber risk and data security
  • Reputational risk
  • Business innovation
  • Talent recruiting and succession planning
  • Economic conditions restricting growth
  • Timely risk identification and escalation
  • Disruptive innovations and IT


It's refreshing that a separate survey of CEOs noted most of these risks as high priority also, with one exception being financial performance as the highest priority.  Some of these risks are areas IA is adept at dealing with, such as risk identification or regulatory changes and compliance.  But how does IA evaluate economic conditions restricting growth, or talent recruiting and succession planning?  Even more difficult is a nebulous topic like reputation risk because so many factors can impact it, such as cyber attacks to social media campaigns to inadequate responses to business or IT disruptions.


On top of these risks being factored into the ongoing motions of audit planning and execution are the recent changes to Institute of Internal Auditor (IIA) standards and COSO 2013 guidelines that many companies are electing to implement soon or are in the process of doing so.  By the way, these two areas were also listed often as risks to IA organizations.


The question becomes how does IA factor these risks into their audit plans?  How are these risks audited? What controls need to be considered to mitigate these risks?  Finally, what metrics need to be monitored to show if progress is being made?  These are all questions that become more difficult to answer as IA groups face risks that are becoming more diverse and strategic to the organization's business objectives.


I won't disclose the answers here, but in an upcoming white paper, I'll discuss these risks and some real-life examples where IA groups are addressing them, as well as how an integrated Governance, Risk and Compliance (GRC) program can significantly help. In the meantime, have happy holidays and if you want to contact me directly, I'm at

I thought I'd make everyone feel guilty (why should I be alone?) before the holiday gluttony begins!  The title of this blog refers to the adage that says "you are what you eat", meaning what goes in is usually what ends up hanging over the belt.  Conversely, if you carefully measure what you eat in moderation, then you'll likely have better results.  So it is with organizations in a manner of speaking.


What are the right measures and metrics for an organization to track to drive the right behaviors? A Harvard Business Review column gives an example about CEO compensation and how stock price is such an integral measurement, for good or bad. However, that measure may drive more short term thinking and results that aren't necessarily what's best for the organization in the long run. Another example shows that states that use standardized education assessment tests produce kids who perform well on these tests but may fall short when they have to demonstrate their knowledge in a different way. So, how do companies measure performance, especially related to governance, risk and compliance (GRC) and are they driving the right behaviors?

RSA sponsored an OCEG ( survey where 190 respondents weighed in on their organization's use of GRC metrics, which include measures for financial, strategic, reputational, personnel, efficiency, responsiveness, education and awareness, and effectiveness categories.  The results were analyzed to determine the impact of GRC integration (i.e., Internal Audit is aligned and integrated with Compliance and Risk functions and vice versa) on metrics maturity and value, as well as the confidence level in the design of metrics for performance and GRC.  One of the key findings was that the more integrated a GRC program is, the more mature their program metrics are. This was broken down into some component parts as you can see at the right.


Another key finding was around automation.  The survey categorized organizations as Siloed GRC, Standardized GRC or Integrated GRC.  As you can see from the results below, the integrated organizations also used more GRC systems versus point solutions or disconnected systems, which helped them drive more integration because they could then better share best practices, standardize approaches and align more fully.



Finally, one last interesting result I wanted to share was how confident senior executives are with GRC metrics and their ability to relate to and drive organizational performance. Once again, the integrated GRC programs drove greater confidence among senior executives.




In conclusion, it was overwhelmingly apparent that metrics and measures are a critical part of any GRC program, it is important to have the right related measures in place for both GRC and company performance to drive the right behaviors, and integrated GRC programs enjoy greater success in these areas.


Regardless of how I started this blog, I do want you to enjoy your holidays - and measure your personal results a little less before the holidays than you do after. For more information on this topic, contact me at

You know the age old joke right?  Suppliers, vendors, or third parties as they are commonly known, have become an integral part of business operations for most organizations.  Wal-Mart utilizes over 60,000 of them, while Boeing has over 21,000. Know how many suppliers it takes to make pencils? Even the Dixon Ticonderoga Company has thousands. Alright, they do much more than change light bulbs as each has its critical role in the supply chain of large, complex organizations. The question I want to pose today though is if you are the Internal Audit (IA) group for one of these companies using thousands of vendors or suppliers, how do you audit such complex third party management and supply chain programs?

Understanding complex supply chains is challenging enough, let alone trying to audit them.  Even some of the simplest supply chains often include third parties, fourth parties, fifth parties, partners and more - and their inter-relationships are mind-numbing.  Why is auditing an organization's supply chain so important?  It's because controlling supply chain risk is absolutely critical and top of mind for boards of directors, risk groups and regulators. The myriad of studies done by advisory firms, universities and the supply chain industry itself all come to similar conclusions.  For example, a recent PricewaterhouseCoopers (PwC) analysis shows that businesses that experienced supply chain disruptions experienced steeper shareholder value drops than their peers; more intense stock price volatility; and deeper declines in return on sales and assets. To further complicate matters, supply chains are not getting simpler - they're getting more complex and this is true globally.  Furthermore, there isn't parity in supply chain disciplines around the world.  For example, US companies are applying greater regulatory scrutiny to business operations and supplier integrity, while there are more supply chain issues with companies in developing countries. 


So how does IA go about auditing their organization's supply chain to mitigate risk?  Here are a few ideas.


First of all, IA should ensure they have supply chain expertise on their team or external experts they can leverage.   IA must then understand their role versus that of management.  It's management's job to implement a supply chain framework and program that includes a strategy and approach to manage the best suppliers that will enable them to successfully achieve their business objectives. IA can work with business leaders to develop this supply chain program, but ultimately management owns it.  The program must include end-to-end risk management across the entire supply chain.


Each time the supply chain program is audited, IA should ensure it is implemented and functioning as intended.  One way to do this is for IA to evaluate a sample of vendors, selected by risk or criticality to the organization, according to the procedures set forth in the supply chain program.  This may include leveraging key risk indicators to identify any troubled vendors within the supply chain. As part of their review, it is important for IA not to just focus on controls, but to evaluate strategies as well.  Basic blocking and tackling (onboarding, managing, monitoring, correcting) is critical to any supply chain program, but evaluating supply chain performance from a strategic and holistic perspective is equally critical. IA must also ensure the program aligns with corporate objectives, addresses risks and considers compliance obligations.


I will conclude with a simple anecdote that illustrates the point.  A Harvard Business Review study showed that ever since retailers equipped their cash registers with bar code scanners, they promised a brave new world of supply chain management. Stores would automatically track the flow of goods and electronically transmit precise replenishment orders. Suppliers would synchronize their production schedules to real-time demand data. Fewer goods would sit around in warehouses; fewer customers would find products out of stock. However, in an in-depth study of 35 leading retailers, it was discovered that the data was often wildly inaccurate. The executives at one company with a reputation for expert data handling estimated that their data were “99% accurate.” Physical audits, however, showed that inventory levels were way off the mark for two-thirds of the stores, and it was estimated that those errors reduced the company’s overall profits by 10% through unnecessary inventory carrying costs and lost sales from out-of-stock items, or stock outs.


Even when a good supply chain program or structure is in place, audits may show otherwise.  It is critical for IA to understand its company's supply chain, and to focus not only on the structure and program but also to perform audits that validate results.  For more information, contact me at

I recently participated on a webinar panel sponsored by Everbridge and RSA with participants from the medical, transportation and emergency management disciplines where we discussed the Ebola outbreak and impacts to organizations. Each expert had fascinating information to report and there were excellent questions by the 550 person audience on the webinar.

So, what do we know about Ebola? Ebola is a rare and deadly disease caused by infection with a strain of Ebola virus. The 2014 Ebola epidemic is the largest in history, affecting over 10,000 people in multiple West African countries. Ebola is spread through direct contact with blood and body fluids of a person already showing symptoms, but is not spread through the air, water, food, or mosquitoes. The World Health Organization (WHO) provides a data sheet here WHO | Ebola virus disease that is very informative.

The U.S. Centers for Disease Control and Prevention (CDC) reports that the risk of an Ebola outbreak affecting multiple people in the U.S. is very low. The CDC has tried to establish a national standard, recommending that only people who had direct contact with Ebola patients without any protective gear submit to isolation at home for 21 days, the maximum period for symptoms to develop. However, a month after the first confirmed case of Ebola in the U.S., state and local health authorities across the country have imposed a hodgepodge of often conflicting rules.  Some states, such as New York and New Jersey, have gone as far as quarantining all healthy people returning from working with Ebola patients in West Africa. In Minnesota, people being monitored by the state’s health department are banned from going on trips on public transit that last longer than three hours. Others, such as Virginia and Maryland, said they will monitor returning healthcare workers and only quarantine those who had unprotected contact with patients.


The international community is also responding.  For example, North Korea announced it will quarantine foreigners for 21 days over fears of the spread of the Ebola virus, even though no cases of the disease have been reported in the country, or anywhere in Asia, and very few foreigners are allowed to enter.  The Australian government announced that it was canceling non-permanent or temporary visas held by people from the affected countries who were not yet traveling, and that new visa applications would not be processed. If the outbreak is not controlled soon it may continue to have effects on other regions such as Europe, where we are seeing some uncertainty and unrest.

The question is, how does this affect your organization currently or in the near future? Is it affecting third parties you do business with, or key customers?  Looking ahead and putting contingency plans in place relative to the risk to your organization is a smart move. A good place to start is to dust off those pandemic plans you Business Continuity folks probably compiled a few years back during the H1N1 scare. A key step is to understand the potential impact of the Ebola situation (current and future - as much as possible) on your organization and employees, then create an action plan and communications plan accordingly.  For your communications plan, take such action as monitor information from formal authoritative (CDC and WHO) and informal (social media) sources and craft factual information into regular and frequent updates to employees and their families, and external constituents (customers, public, regulators).  The communications could include what is known and unknown, what the organization is doing to stay informed of the situation, how the organization and its employees are affected and how the organization is responding proactively. Include both push (emails, notifications) and self-serve (intranet, company website, social media) communications.  Be honest, factual and frequent.  Avoid rumors.  Showing the company is proactive, actively monitoring and assessing the situation and communicating openly and frequently goes a long way towards reducing uncertainty and concern.


Contact me at if you would like the webinar presentation or have questions.
