Skip navigation
All Places > Products > RSA Archer Suite > Blog > Author: Patrick Potter
1 2 3 Previous Next

RSA Archer Suite

34 Posts authored by: Patrick Potter Employee

For the fourth consecutive report, Dell (RSA) has been named a Leader in Gartner’s Magic Quadrant (MQ) for Business Continuity Management Program Solutions (BCMP)!


Of note, RSA Archer has again been named a Leader in Gartner Magic Quadrants for Operational Risk Management, IT Vendor Risk Management, and IT Risk Management.


In the BCMP MQ, Gartner states that, “the 2017 BCMP solutions market — with an estimated $300 million global market revenue — has broadened its IT disaster recovery management, crisis management and risk management capabilities since 2016.” 2.  They go on to say that, “the critical capabilities of BCMP solutions center on providing business leaders with a more effective means of evaluating operational risks and business impacts, as well as planning for, responding to, recovering from, and restoring after a business disruption.” 2.  And we couldn’t agree more.  BCM continues to evolve as a critical function that must focus on managing business risk and IT risk, covering the lifecycle from resiliency planning to execution, and providing management with information to make decisions based on real business impacts.  Also, as implied in the name change for this Magic Quadrant, from “Planning” to “Program” solutions, BCM teams now play a larger part in the organization’s risk mission and must run their BCM programs accordingly to support this increased responsibility.


We believe that an important factor in RSA’s placement as a Leader was based on our ability to leverage risk throughout the platform and solutions; especially critical in light of Gartner’s emphasis that BCM is an important contributor to risk management.


We extend our gratitude to our customers for sharing their valuable insights and experiences with Gartner. For as long as the RSA Archer product roadmap and capabilities have existed, our community of active and enthusiastic users has been at the heart of it all, and we thank you.







This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Dell RSA.


Figure 1. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.


2. Magic Quadrant for Business Continuity Management Program Solutions, Worldwide. Published: 12 July 2017. Analyst(s): Roberta J. Witty, Mark Thomas Jaggers

I’m dating myself here, but I used to love to watch the Andy Griffith Show. I liked Andy’s calm demeanor as he tried to raise his son Opie while dealing with Barney Fife, his neurotic sidekick. I especially enjoyed this exchange between the two of them as they discussed raising kids:


Barney:  Well, today's eight-year-olds are tomorrow's teenagers. I say this calls for action and now. Nip it in the bud. First sign of youngsters going wrong, you've got to nip it in the bud.

Andy:  I'm going to have a talk with them. What else do you want me to do?

Barney:  Well, don't just mollycoddle them.

Andy:  I won't.

Barney:  Nip it. You go read any book you want on the subject of child discipline and you'll find every one of them is in favor of bud-nipping.


Nip it in the bud. In other words, deal with issues promptly and don’t let them linger. (Having raised a child or two, I’ll add the need for fair rules, love, and consistent treatment relative to the child and their behavior.)   This bud-nipping does help to some extent as younger kids turn into teenagers, but you still get that kid that’s just an unpredictable tsunami regardless.  However, for the most part it helps to have a plan with the younger ones so that when they get older the tsunamis aren’t devastating.


Apply this to incident management versus crisis management: incidents are like young kids and crisis events are like teenagers.  Incidents are typically small events that routinely occur in running an organization.  They could be safety-related, employee-related, or a manufacturing incident, depending on the type of organization. They’re usually not a big deal and are resolved fairly easily. Crises, on the other hand, are incidents that have gotten out of control. They’re bigger and oftentimes very nasty. Each crisis is unique, so we may not have all the details or information at the time on how to deal with them.


My point? Organizations need to spend more time putting solid incident management procedures in place – “bud-nipping” if you will -- to reduce the likelihood that incidents turn into crises. Here are three ways to do that:


  1. Keep it simple and consistent. Have a simple and consistent process for dealing with incidents. Make the process simple because on top of normal resolution procedures, you will also have unique incident types that will require different steps to resolve them. Simple incident resolution processes are more consistent and can be applied the same way. Simplicity also helps people better understand their roles in dealing with incidents.
  2. It takes a village. Just as the adage says “it takes a village to raise a child,” it also takes a village to handle incidents – and even more so if and when they become crisis events. Make sure your process for dealing with incidents includes the appropriate people, depending on the incident type. For example, if the incident is employee-related, include human resources. If the incident could result in public exposure, involve your public relations experts. And include them as needed, but sooner than later, which leads to my last point.
  3. Act quickly and early. If you’re going to make an assumption about incidents in general, assume any one incident has the potential to turn into a crisis and treat them accordingly. Some incidents are just a normal part of doing business, while others are more complex or subjective. For both types, keep in mind that an ounce of prevention is worth a pound of cure. Act quickly and early to resolve them.


Now, having said this, there will still be those incidents that turn into full-scale crisis events -- just like regardless of doing all we can to raise well-behaved kids, those unruly teenagers can still pop up from time to time. You must have plans to deal with crises, too, but that’s the subject of another blog, or a book or two. The main point I wanted to make today, similar to Barney Fife’s approach to “nip it in the bud”, is to treat incidents that occur in the normal course of business seriously.  Deal with them promptly and involve the right participants.  For more interesting conversation, email me at



I’m glad the world didn’t end during DRJ Spring World 2017 conference last week, because over 1,000 of the world’s business continuity and disaster recovery specialists were there!


It was another great conference and I had the pleasure of presenting on building resiliency across the organization’s value chain and the key relationship between business resiliency and operational risk management. Both topics were on the minds of attendees as shown by their questions:


  • Outside of surviving a high profile disaster, how do we make customers understand the value that our resiliency program adds to our product or service?
  • If the company has a critical Third-Party vendor and that vendor outsources, who owns the relationship and the potential risk exposure?


Also, over 20% of the sessions at DRJ dealt with resiliency or risk which shows experts are thinking about the importance of business resiliency on the organization and how risk should be considered more broadly than just recovery.


I mentioned in a previous blog, Driving Resiliency Through Operational Risk Management, that there is a direct correlation between driving business resiliency (versus recovery only) and operational risk management (ORM). I believe collaboration between ORM and business continuity programs is a precursor to improving business resiliency, and the top three reasons are:


  1. The bigger picture – looking outside typical business continuity type risks, like natural or man-made disasters, broadens our horizon. Considering the potential risk and impacts from supply chains, reputation impairment, social media, regulatory compliance, or even the risk culture within the organization highlight new risks that could have larger affects on the organization’s resiliency that were never dealt with before. Coupled with a view across the value chain, resiliency teams are better able to anticipate how these new risks might impact the going concern of the organization.
  2. Aligns the Forces – the ORM “umbrella” by its very nature aligns risk functions across the organization, including their methodologies, approaches, resources and outcomes. The key is ORM gets these separate functions on the same page, working together, aligned on priorities, and striving toward agreed upon and appropriate outcomes. Individuals or siloed groups trying to manage risk may feel that their efforts don’t affect the outcomes, but a larger, more coordinated approach does.
  3. Drives Risk Maturity – as risks become more complex, fluid and pervasive, risk approaches need to mature to enable the organization to become resilient to those risks. ORM is a discipline that continues to evolve and mature, unlike siloed risk functions in every organization that attempt to deal with risks reactively, as best as they can. Every organization should evaluate their holistic risk management capabilities against a maturity model (refer to my blog above), determine where they currently stand and what the end goals is in terms of risk maturity.


Organizations that are able to align siloed risk functions under the auspices of their ORM programs have a better chance to become risk-proactive, even opportunistic. As ORM and Business Resiliency are considered together and measured against the bigger picture of the organization’s value chain, functions like business operations, business continuity, supply chain management and internal audit can understand the risks that impact their organization and implement better measures to ensure the resiliency of the organization.


Send me your comments at or connect with me @pnpotter1017.

I recently had the pleasure of presenting with a panel of RSA Archer customers on the topic of “Building Resiliency Across the Value Chain” for a Disaster Recovery Journal webinar.


Two key questions were posed to the 80 attendees. The first question was: “Where is your organization on the business resilience scale?”  The responses were:


  • Recovery only (5%)
  • Mainly recovery with some focus on resiliency (53%)
  • Mainly resiliency with some focus on recovery (18%)
  • Very resiliency-oriented (18%)
  • Other (5%)


The second question was: “How closely do your business continuity/IT disaster recover/crisis management teams work with or integrate with operational risk teams?”  The responses were:


  • Not at all (2%)
  • Sporadic discussions when required (32%)
  • We are working with ORM more and more (28%)
  • BC/DR/CM is well aligned with or a part of ORM (32%)
  • Other (6%)


90% of respondents indicated they are addressing resiliency at some level, and 92% have BC/DR/CM teams integrated with operational risk management (ORM) teams. The alignment of responses to these two questions is no coincidence.  There is a direct correlation between business resiliency and effective risk management that more and more organizations are benefitting from as they continue to mature their operational risk management and business continuity or resiliency programs.


What does GRC maturity look like? The RSA Archer maturity model defines three stages for GRC maturity:


Diagram 1 – RSA Archer Maturity Model


As organizations mature their operational risk management programs, their business resiliency capabilities grow as well, often due to three factors:  


  1. Methodologies – deploying risk assessment and treatment approaches (e.g., ISO 31000) and common business impact analyses (BIA) consistently across the organization
  2. Priorities – consistently applying common methodologies drives more aligned priorities and higher consensus 
  3. Actions – clear priorities drive better understanding, prioritization, and execution


These three factors initiate proactivity, consistency, and alignment in both the risk management and resiliency practices and culture of the organization.


Risk management is, by its very nature, a proactive practice, as is business resiliency. The two go hand in hand.


For comments, contact me at or @pnpotter1017.

Do you ever use the term, ‘you are creating a tempest in a teapot’? It means, don’t make a big deal out of something that isn’t. Doing a little research, I found other similar phrases I thought were entertaining. They are:


  • 'A storm in a teacup' – Cicero; or ‘Billows in a ladle’ – translation of Cicero’s writings
  • 'A storm in a glass of water' - Netherland
  • 'Tempest in a potty' - Hungary
  • ‘A storm in a wash-hand basin’, or ‘A storm in a cream bowl’ - England


Of course my seven year old loved the ‘tempest in a potty’. Anyway, something these phrases all have in common is “business impact analysis”. Surprised? Let me explain.


Most organizations perform some type of risk management activities. They usually include identifying risks that could impact the organization and its reputation, profitability or strategies; or its key assets, business processes, IT systems and locations. Once the most potentially impactful risks are identified and analyzed, they are treated with controls and other mitigation activities to drive down the residual risk within the organization’s tolerable risk limits. This is all well and good, but what if the elements of the organization (e.g., business processes) that the risk could impact are not that critical and how do you know?


Let me give you a simple example. A cyber attack could potentially impact both an organization’s financial and non-financial systems. The financial system is probably more important to protect, right? Oftentimes, organizations have no reliable way to identify what is critical versus non-critical causing them to spend the same level of time, attention and resources to protect the less critical areas; this is the ‘tempest in a teapot’ syndrome.


It stands to reason that the organization should have a methodology to identify what is critical so that risks can be properly treated relative to what they might impact. Some impact areas and their importance are obvious, such as inputs into the organization’s most important product or service. However, there are so many moving parts to today’s complex enterprises that there must be a methodical way to identify, analyze and prioritize what is truly critical to protect. This methodology is a business impact analysis, or BIA.


A BIA is a way to catalog and prioritize business processes and assets, building context to connect risk issues to business impacts. It is a well-known methodology inside business continuity (BC) circles as these teams have performed them for decades to determine what business assets are most important to recover after a disruption. More broadly, the BIA needs to be a prominent part of the framework of a good risk management program. However, often it is not and this is a common problem many organizations’ risk management programs experience.


To strategically address business risk, enterprises need a well-rounded program. There are specific areas to include to create a healthy and sound foundation for growth. RSA has implemented the RSA® Archer Suite Ignition program to help organizations do just that – establish a solid risk management program foundation focusing on four fundamental capabilities:


  • A process for Issues Management to eliminate ‘churn’ around risk and compliance issues from audits, risk assessments, and internal compliance processes. Check out my Issues Management blog: Facing a Tsunami of issues
  • A Business Impact Analysis framework to catalog and prioritize assets and build the context to connect risk issues to impacts to the business;
  • The ability to catalog and monitor risks to establish a strategic method to view and understand risk across the enterprise; and
  • The ability to identify and track third parties used by the business to understand the emerging ecosystem that affects business risk.


The RSA Archer Suite provides a common platform to address these processes. You can learn more about the program here: RSA Archer Ignition Program.


The Duke of Ormond's letters to the Earl of Arlington in 1678 put it best - "Our skirmish seems to be come to a period, and compared with the great things now on foot, is but a storm in a cream bowl."


The Duke must have had a good BIA such that he did not have to worry that his risk management program would cause him a 'tempest in a potty' (that was for you Elly ;). For comments, contact me at

“Tsunami” is the Japanese term for a series of violent and recurrent waves in the ocean caused by the displacement of a large volume of water. Earthquakes, volcanic eruptions, landslides or other underwater explosions or man-made events are usually the cause. Unlike normal ocean waves that are generated by wind, or tides that are generated by the gravitational pull of the Moon and Sun, a tsunami is much less predictable and often more sudden and impactful.


Do you ever feel like your organization is navigating an unrelenting tsunami of issues generated by multiple groups, such as audit, risk, and compliance, or external auditors and regulators? These fierce waves are usually caused by risk management activities, threats, cyber events, non-compliance with regulations or other forces.


Like tsunamis we don’t see coming, today’s business environment is a challenge for issues management, regardless of your industry, geographic location, or business model. With constant regulatory change, shifts in business strategies and rapid technology transformations, it is easy to become overwhelmed by the magnitude, velocity, and complexity of issues that must be addressed. Like dealing with the aftermath of a tsunami, remediation plans many organizations put in place to “clean up” are reactive, short term and may not solve the real problem.


Let’s look at how most organizations deal with their issues and remediation plans.


  • Issues come from a variety of sources. As a result, there is natural duplication and no real consistency in either the issue or remediation plans. Different individuals or groups document issues in various systems, but the issues are often incomplete or drive remediation plans that don’t address the real problem.
  • Issues are treated differently.   This depends on many factors, such as the group that documented them. For example, audit findings may carry more weight than an issue documented by another group, even when the other issue may have more serious ramifications than the audit finding. This occurs when the organization has no consistent method of prioritizing issues across the board. For the business manager assigned multiple issues and remediation plans, once the audit is final and their day job takes over, priorities change and the issues never get resolved.
  • Tracking and resolution of issues is inadequate. In this case, the audit group or compliance function that first raised the issue has no good way to follow-up on status of the issue or its remediation plans after the audit is over. Often because their first priority is the next audit engagement, and if the business process owner doesn’t track resolution of the issues, they are dropped or forgotten.


To properly address issue management, organizations need a strategic and comprehensive approach, including the following:

  • A process that works for the whole organization. Every environment is different, but every issues management process needs to ensure issues and remediation plans are documented consistently, assigned to the right owners, and tracked to completion.
  • A way to prioritize issues and remediation plans. This must be consistently applied and driven by business priorities, such as the most important products and services the organization produces, and the criticality of the business processes and IT infrastructure that support them.
  • A single automated tool the entire organization can use. RSA® Archer offers an Issues Management use case that enables your organization to manage the lifecycle of all issues regardless of where they originate from. The use case includes a Business Hierarchy to establish the corporate structure and accountability, workflow to drive consistency, and reporting to provide visibility into the results. To learn more visit: RSA Archer Issues Management.


There are other requirements, but these are a few critical areas to set the stage, enable quick implementation of the process and drive buy-in across the organization.


Preparing for tsunamis won’t eliminate all the risk or impacts, but it can significantly reduce the effects and make clean up afterwards that much more manageable. Similarly, implementing a well-thought-out issues management process reduces much of the risk of the findings that are sure to come, as well as make the remediation process that much more complete, streamlined and consistent.


For more discussion, email me at


How many times growing up did my mother say to me after I did something particularly stupid, “I hope you learned your lesson!” Luckily it wasn’t that often, but on those occasions I usually did learn a lesson. However, what was painful was the lesson came after I had made the mistake and suffered the consequences. I’ll never forget the time my mother looked down at me sprawled on the ground in a heap after a very gnarly skateboard wipeout, and say, “that wouldn’t have happened if you had been at work with your father.” Thanks mom.


Anyway, mothers are usually pretty forgiving, but the world of business isn’t always so. We only have so many chances to learn from our mistakes, especially when crises or business disruptions occur, because the ramifications can be so high.


Business Continuity Planning (BCP) and Crisis Management (CM) are disciplines built on the foundation of preparing, planning, testing, assessing risks and other proactive measures so that when a real crisis occurs we are as prepared as we can be. However, you’ve heard the saying that there’s no substitute for real experience? Well, we always learn things when a real crisis occurs that we could not even think to plan for, and it is important to capture those lessons learned and incorporate that insight into our planning and preparation for the next inevitable event. Hence, the reason we have added a Lessons Learned Assessment (LLA) into the RSA Archer Resiliency Management use case.


The RSA Archer Resiliency Management use case (Check out the Business Resiliency Use Cases) enables organizations to manage disruptive events as they occur. The use case integrates with Emergency Mass Notification Systems (EMNS) to manage crisis communications, and helps users activate Business Continuity and IT Disaster Recovery plans to recover parts of the organization disrupted during the crisis. What the LLA adds is an easy, yet inclusive way to capture feedback from each member of the crisis teams after the crisis event is under control, such as what occurred, what could have been done differently to handle the event and so on. The LLA is in a survey format using our new advanced workflow, which makes it easy to identify team members and ask them questions based on their role. For example the Human Resources (HR) person responds to the HR questions and so forth. The results of the surveys are compiled, issues and follow up actions are captured and the information can be easily viewed via Archer reports and dashboards. In short, the LLA is a very practical and simple way to capture real-time, valuable insight from those closest to the crisis event. That insight can later be used to adjust crisis response plans or recovery strategies, as examples.


The LLA was introduced in the RSA Archer 6.2 launch in December 2016. This release also includes other valuable platform and solution enhancements you can see here (6.2 Release Update). One of those is how the updated Issues Management use case now integrates with the Business Continuity and Disaster Recovery Planning use case. This is powerful because you can now create and track issues and remediation plans raised directly from BC/DR plan tests or crisis events, and take advantage of new advanced workflow to better manage the issues. I’ll be talking more about and showing a demo of the LLA on the January 21 Free Friday Tech Huddle (Free Friday Tech Huddles), so dial in and learn more.


To conclude and give my mom some credit, she also says, “If you want to be successful, learn from successful people”. Well, input from many successful people went into developing this new LLA (kudos to the BCM Working Group and our internal SME team). However, success is not only built on smarts and hard work, but lessons learned along the way. Hopefully this Lessons Learned Assessment will help you be more successful in your efforts to better manage the crises your organization faces. As always, send me your feedback at, and good luck!

At the end of each calendar year, I look back at how the year went, mainly in my personal life.  For example, I reflect on what happened in my family - who graduated, got engaged or married or had kids, who accepted new jobs or moved.  I also look at how things went with my career, if my health has improved and how my relationship with my wife got better.  These are some of the most important aspects of my life and that’s why I reflect on them.  Not that I don’t think about them more often, because I do, but the end of the year is a good time to look back.


I was also reflecting recently on the areas I oversee here at RSA - which are Business Resiliency and Audit for Archer.  These two areas are not that similar, but I have noted a common theme in that these two fields continue to turn their sights to risk management, moving more and more from being primarily compliance-driven disciplines.  Specifically, they are looking at what the impacts of risk are to the businesses they support - their organizational goals, revenue and growth projections, customer impacts and strategic objectives, to name a few.  I have also noticed that IT organizations, specifically trying to manage the far-reaching effects of cyber threats, are translating IT risk into business impact so executives and business decision makers can better understand the implications and make better decisions.


That’s the pattern I’ve noticed this year - moving to business risk.  It’s the right trend and a good sign.  Some things are helping this along.  For example, frameworks like the ‘three lines of defense’ are being more widely recognized and adopted and are driving better alignment across groups that deal with risk.  It also helps that industry analysts are touting the benefits of aligning the three lines within the enterprise risk or operational risk management (ERM/ORM) umbrella, and that many solution providers and partners are following suit.  This has been RSA Archer’s mantra for many years so it’s good to see it catching on.


What happens next?  We need to take action and I recommend these areas to consider.  


One Step at a Time.  My personal reflections sometimes (maybe not often enough) result in changes in my life but often fall off because they’re based on “changing the world” goals.  I recommend aiming for incremental change.  Do a little better each day.  How do we know if we’re improving our business risk management? We monitor and report and analyze key risk metrics.  We also need to focus on simplicity.  Not many of us are risk experts, but we all have a role in owning risk, so we need a concise set of indicators (think of your car’s dashboard) we can use to make course corrections.  Recognize small victories and build on them. 


First Things First. We need to focus on the most important risks.  Like my personal reflections about my family, career and life illustrate, they’re the absolutely most important aspects of my life.  Business risk management should follow suit.  Complex businesses throw so many risks at us that we can’t focus on everything and do it well.  So, prioritize and focus on the most important risks.


Today and Tomorrow.  I look back to see how the year went but I also reflect every day on how I can improve some aspect of my life.  Business risk management should also include analysis, reflection and action based on long and short term views.  Risks take different shape and affect our businesses differently over the short and long term.  This goes for negative and positive risks.  We can learn much by looking at both viewpoints and taking action based on what we learn.


Something I’ve learned doing this year after year is to stay as positive as you can and keep working at it.  Have a great end of 2016 and may your 2017 be even better!  Contact me at or @pnpotter1017.  

Sir Francis Bacon is attributed with the quote, “Knowledge is Power”.  There have been many variations on this phrase but I want to add one more twist.


I presented at a conference this week where the session was dedicated to discussing the risks and remedies of ransomware, which are the practices and technologies used by bad guys to gain access to systems and hold information hostage until a ransom is paid.  Sometimes the information they get ahold of is not so important, but other times they hit the jackpot and gain access to the “crown jewels” of a company – customer information, trade secrets or pending business strategies and plans. Company and institutional knowledge/information your company has worked hard to accumulate, formulate, organize and use is the lifeblood of your business.   In some organizations, this information is the most vital asset they possess.


The venue for my presentation was the Washington D.C. Spy Museum.  As I toured the museum afterward, I learned a few things about the history of “spying”.  I learned that people who spy do it for many reasons, but the single most important goal is the attainment of – you guessed it, information.  Information gives them power.  Back to the “knowledge is power” concept – when the bad guys have access to your information, they don’t necessarily have knowledge but they have power.  However, safe and secure in your hands, this information equates to knowledge, and how this knowledge translates into power is in your ability to use it to compete and win in the marketplace.  


My speaking topic at the conference was business resiliency.  A key underlying tenet is having an understanding of what is most important to your organization - and this starts at the top.  For example, (the most critical) products/services provided to customers; the business processes that produce them; supporting IT systems; and the information assets produced or used in that product/service.   Determining what is critical starts at the highest levels and can be determined through business impact analyses (BIA).


Let me share an example and a caution.  Not all information is created equal (or equally important).  For example, Coca Cola’s recipe for Coke is, safe to say, very critical to them, whereas a lower tier vendor’s contract details probably isn’t as critical. Now, these examples are obvious and most companies intuitively know what their most importation information assets are, and maybe have an inkling of what is on the lower end of the scale.  But, what about what is in between?  Herein lies the rub - of the hundreds of information assets organizations produce and use, do they know which of those are critical?  Which of these information assets are undervalued and therefore under-protected?  Which require special compliance considerations?  This all presents exposure and risk. 


There are many implications on information assets across the spectrum of governance, risk and compliance (GRC) activities.  For example, which risks or threats could impact your information; what compliance requirements such as privacy considerations require that you take certain protective steps and implement controls, and could result in penalties if not done; or which vendors have access to your (critical) information and what are they doing with it, and are they protecting it.  Given the far-reaching implications to your organization across many use cases, these GRC activities related to information assets should be coordinated at some level. This blog highlights just a few examples of the exposures our organizations face due to not properly evaluating criticality of and exposures to our information assets. 


I took this picture at the Spy Museum of a Trojan horse exhibit, which depicts the infamous method Greek soldiers used to infiltrate the City of Troy and win the Trojan War.  In today’s world, the goal is access to information.  Now, a Trojan malicious computer program is used to gain unauthorized access to a computer and access personal or proprietary information.  Information assets are the lifeblood of our organizations and we must remember that their proper use, management and protection enables our power to compete and thrive.

Experienced outdoors people, whether they are campers, hikers, bicyclists or otherwise, know that the first rule of thumb is that you always need to know where you are so you can determine where you are headed.  It is no different with business resiliency (BR) teams.  You need a good sense of Screen Shot 2016-07-18 at 10.24.56 AM.pngwhere you are headed and this starts with what is most important in your organization to protect or recover if it is disrupted. 


The best way to determine what is most important is by performing a business impact analysis (BIA).  The BIA is an analytical method to determine what business processes are most critical to achieving your organization’s key objectives.  This includes knowing which business processes produce key products or services, or what strategic objectives they support.  The BIA also helps identify other related information like what dependencies exist between the business process and supporting IT applications and infrastructure, information assets, facilities, suppliers or key human resources.  This information is important because that entire value chain must be planned for and preserved, especially if they are in support of core products or critical strategies.


RSA just launched an updated version of the Archer BIA use case as part of our June 2016 6.1 release.  This BIA builds on our existing model and offers:


  • An easy to follow questionnaire format
  • Three new categories for strategic, information integrity and information confidentiality impacts
  • Features from the new Archer 6.0 platform, like advanced workflow and enhanced reporting


The BIA is ready to use out-of-the-box for each of the participants in the BIA process – business process owners, the BR team and executive reviewers.  The interface is easy to follow.  The built-in workflow follows best practices and regulatory guidance.  Reporting is thorough yet concise so BR teams can see where BIAs need to be performed and easily follow up. 


Like those outdoorsy folks I talked about earlier whose first order of business is to know where they are at all times, the Archer BIA will help BR teams, business process owners and executives know at all times what the most important parts of their organizations are and to plan for and protect them.  With limited resources and expensive recovery strategies, this BIA is a must-have to really hone in on what needs to be protected now.  Click here for more information on the BIA Archer BIA 6.1.  You can also reach me at with questions or feedback.

RSA has introduced two recent, major product updates to enable offering Archer governance, risk and compliance (GRC) solutions by use cases.  We understand that organizations and their GRC disciplines can be in very different places along the maturity spectrum. For example, a compliance function might be much more defined and mature than the risk function.  Our November 2015, 6.0 update was designed to inspire everyone within an organization to own risk, while our June 2015, 6.1 was developed to encourage the thee lines of defense (3LoD) to engage in the risk management process, and inspire every organization to own risk.


Screen Shot 2016-07-15 at 1.27.36 PM.png


These objectives may sound synonymous, but every organization’s road to GRC maturity is different, and as the graphic above depicts, each GRC function could be at a different point along the journey.  Through our new use case approach, we encourage organizations to start small, but gain quick wins within the context of a long-term strategy. As an example, our Audit Management solution has been organized into three use case offerings that customers can deploy separately, or use them to build upon one another.  They are:


Issues Management - to manage issues, gaps and findings with related remediation plans.  Benefits include:

  • A consolidated view into all known issues
  • An organized, managed process to escalate issues
  • Visibility into known risks and efforts to close/address risksScreen Shot 2016-07-15 at 12.41.17 PM.png
  • Workflow to ensure proper sign-off/approval for issues


Audit Engagements & Work papers - to manage all audit projects and related work papers.  Benefits include:

  • An audit universe of audit entities
  • Workflow for consistent audits and procedures
  • Self-serve for external auditors for the information they need


Audit Planning & Quality - to manage audit risk assessments, the audit plan and quality assurance activities   Benefits include:

  • Workflow and change management for audit planning
  • Audit plans aligned with the organization’s priorities
  • Appropriate personnel are staffed on audits
  • Board-relevant reporting
  • Quality management processes for engagements and audits
  • Risk based audit approach


Although Internal Audit (IA) is an established discipline, maturity varies widely depending on many factors, such as adherence to standards, tenure of resources, industry requirements and regulatory scrutiny.  IA departments can use Archer Audit use cases regardless of their maturity because we have offerings that not only provide value (those quick wins) at each level, but also help them move further along the maturity spectrum, not just as a standalone IA function, but in working together with their GRC counterparts.


For more information on these use cases and our approach, go to: Audit Management. As always, you can reach me at with any questions or comments.

For the third year in a row, RSA Archer has been named a Leader in Gartner’s Magic Quadrant (MQ) for Business Continuity Management Planning Software (BCMP)!



Screen Shot 2016-07-11 at 10.50.18 AM.png


Gartner states in their report that the business continuity management (BCM) market is changing because “continuity of operations is being seen by organizations as a growing risk that needs to be managed and mitigated.”  Gartner also mentioned they are now seeing organizations focus more on operational resilience versus only “respond and recover” activities. Although the latter is a critical component of a business resiliency (BR) program, teams must focus on how they fit into the organization’s larger operational risk program and approach. Gartner states BCM is in a unique position to address resiliency as part of an operational risk management (ORM) program because of its strategic focus and board-level attention. BCM is also “well-positioned to address not just availability risk, but also the broader set of operational risks” 2


In addition to being named a Leader in this MQ, during 2016, RSA Archer has also been named a Leader in Gartner Magic Quadrants for Operational Risk Management, IT Vendor Risk Management, and IT Risk Management. Integrating BCM with other risk management activities is critical to building operational resiliency. This integration must happen organizationally and practically. There is some movement in this area, as evidenced by the results of Gartner’s 2015 survey of the Association of Contingency Planners membership, entitled “What Keeps Them Up at Night.” The results from this survey show that enterprise risk management (ERM) functions are more often becoming the “home” for BCM programs. 3


Organizational alignment is a good thing. However, more mature BCM programs also have more mature risk management capabilities, which are aligned with their ORM functions and facilitated by integrated software. There is still room to improve as shown in Gartner’s 2015 BCM Hype Cycle, where Gartner mentions that 48% of surveyed organizations use BCMP software. There is also room to grow overall, as Gartner’s ITScore for Business Continuity Management maturity self-assessment tool shows the average maturity of BCM programs is 2.45 on a scale of 1 to 5. 4


BCM is a mature industry that finds itself changing and in need of reinvention.  However, all indications are that BCM will rise to the challenge and continue to contribute, now as part of an organization’s larger ORM and ERM program. RSA Archer’s inclusion as a Leader in the last three consecutive BCMP MQs, as well as our placement as Leaders in all three Gartner MQs for risk management for the second consecutive year, shows that we are uniquely positioned to help organizations rise to the challenge.




Figure 1 Magic Quadrant for Business Continuity Management Software, Worldwide. This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from EMC RSA. Gartner does not endorse any vendor; product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

2 Magic Quadrant for Business Continuity Management Planning Software, Worldwide.  Published: 11 July 2016.  Analyst(s): Roberta J. Witty, John P. Morency

3 Members of the Association of Contingency Planners Report on 'What Keeps Them Up at Night'. Published 29 October 2015.  Analyst: Roberta J. Witty

4 ITScore for Business Continuity Management.  Published 31 August 2015.  Analyst(s): Roberta J. Witty, John P. Morency

We believe organizations today face more risks and changes than they are positioned to keep up with.  Business Continuity Management (BCM) or Business Resiliency (BR) programs are no different. These programs have existed for many years, yet most have not evolved to keep up with the magnitude or velocity of business changes, risks or compliance requirements their organizations face.


In order to truly mature from business recovery to driving true resiliency into their organizations, teams must collectively address risks and compliance with their governance, risk and compliance (GRC) programs.  They must take a coordinated, risk-based approach because siloed, BCM-only approaches are not sustainable.  Most BCM teams agree with this, but the most common question is, “where and how do we start?” 


The first step is to understand where your BCM program lies on the maturity spectrum versus where you should  be.  The RSA Archer Maturity Model defines five stages as follows:


Maturity Model.png


The Siloed stage - where many organizations sit today – relies on the constant fire-fighting mode of BCM teams.

Siloed.pngThe focus is mainly on compliance activities and reacting to basic risks such that they cannot see beyond the immediate threats. BCM programs in the Siloed category are usually addressing risks and compliance by themselves.


In order to move from Siloed to the next phase, you need to Transition by taking “Compliance stress” off the table and solving regulatory needs in the most efficient and effective manner.  This requires building a cohesive strategy to deal with the basic requirements of doing business by:


  • Automating compliance processes and eliminating duplicative efforts and data siloes;
  • focusing on building effective processes such as the business impact analysis (BIA), incident management and recovery planning;
  • and collaborating across IT and business functions to establish connected strategies.


Once you free up resources from compliance activities you can start directing those activities to evaluate and respond to risks, which moves you into the Managed stage.  In the Managed stage, you have expanded your visibility into issues through common data repository and analytical capabilities, defined and improving BCM processes, and efficient methods to measure, monitor and report on BCM activities.  Compliance and risk


processes are in an operational state – repeatable, consistent and resulting in solidreporting of gaps or issues. Organizations in this state become aware of the various risks they are juggling and put in individual plans to manage these risks within the context of a broader strategy. The organization understands the risks on its landscape. This progress is  fueled more and more by visibility into risk through metrics and analysis capabilities.


In order to move from Managed to Advantaged, organizations need to Transform from recovery planning to driving business resiliency by connecting risk to business value, needs and activities, and moving beyond just managing risk to anticipating the business’ needs.  This allows the organization to stay ahead of emerging threats, and to design controls and plans to deal with the full variety of today’s threats while meeting business objectives - moving the program into the Advantaged stage.


In the Advantaged phase, organizations have anticipated and conquered the ‘negative’ risk landscape through prescriptive and pre-emptive measures and are poised to help the business explore the opportunity, or positive Advantaged.pngrisk, landscape.  A good example is of an organization who improved from an over 40-day process to perform risk assessments on new products and services to a six day turnaround. This enabled business executives to evaluate new business opportunities (i.e., positive risks) more quickly.  This is what it means to manage risk at the pace of your business.


RSA Archer’s BR solutions enable organizations to automate much of their planning and execution, focus on addressing risks effectively and become a “business-enabler”.  Our latest Archer release, 6.1 in June 2016, enables organizations to implement individual use cases that help them move up the maturity spectrum.  Look for my next blog where I describe the use cases and how they can benefit your BR program as you advance toward business resiliency.

I’m excited to show you an article Marshall Toburen and I co-authored and just had published in Risk Management Magazine, which talks about the Three Lines of Defense (3LoD) model.  The link is below, so check it out.  If you’re in a hurry and just want to know why you should implement the 3LoD model in your organization, take a look at these six reasons:

  1. Organizations that have a strong 3LoD are generally more risk-intelligent - meaning they are capable of quickly identifying and reacting to risk and they more efficiently deploy scarce resources to manage risk on a prioritized basis.
  2. They can better leverage information without the need to recreate reports or play the ‘telephone tag game’ of information gathering and sharing.
  3. The 3LoD model promotes risk ownership and a stronger risk management culture while eliminating inefficiencies, gaps and overlaps that often occur in the management of risk and compliance by multiple functions.
  4. The 3LoD model helps internal organizations (i.e., the three lines) do a better job of working together to manage risk.  While each of the three lines of defense has its own responsibilities, they are all using the same playbook.
  5. The model contributes to fewer surprises and losses, lower risk transfer costs, and increased likelihood that the organization’s objectives will be achieved.
  6. The Institute of Internal Auditors (IIA) published a position paper effectively endorsing the 3LoD model as a best practice in risk management and control, which generally makes your auditors and regulators happier.

Why do these benefits come from implementing a 3LoD model?  In this day of more and varied risks coming at our organizations at the speed of light, the 3LoD model helps provide an organizational and practical model to give order to the chaos.  Check out the article below and let me know your thoughts at


Risk Management – The 3 Lines of Defense for Good Risk Management.

It’s that time of year again - to submit your nominations for Archer awards to be presented at RSA Charge (formerly Archer Summit) 2016 in New Orleans, October 25-27!  As in the past, this year we will honor companies that are implementing RSA Archer governance, risk, and compliance (GRC) solutions in unique and ground-breaking ways. Award winners will show they are building cutting-edge use cases and integrations using RSA Archer to support process automation, collaboration and reporting.  We will continue this rich tradition with the same award categories as prior years: Innovation, Return on Investment (ROI), Community Advocate and Excellence Awards.  We will also give a “Best in Class” award, which will be the best of the Excellence Award winners; and during RSA Charge, attendees will be able to vote, using the RSA Charge Event App, for the ‘Best in Show’ customer presentation that really rocked it!


To submit your nomination for any of the categories above, complete submission form, attached, and tell us more about your organization’s approach to solving GRC challenges.  If you have any questions regarding your submission, please contact your field sales and/or existing accounts manager.


Please return the completed form to @Patrick Potter at by Friday, July 29th.  This is a hard deadline; extensions cannot be granted.  We look forward to seeing your nominations!

Filter Blog

By date: By tag: