Skip navigation
All Places > Products > RSA Archer Suite > Blog
1 2 3 Previous Next

RSA Archer Suite

402 posts

What is Third Party Governance?

RSA Archer Third Party Governance provides organizations the capability to monitor and manage the performance of the third parties with whom they do business.

 Why is the proper management of Third Party performance so important?

Organizations are increasingly using third parties to support their operations and to deliver products and services to their clients. Every organization entering into a third party relationship has expectations regarding how the third party’s product and services should perform.  It is particularly critical that third parties provide satisfactory performance wherever they are supporting customer-facing activities or contribute to the organization achieving its key objectives. Often performance expectations are formalized via contract by way of agreed-upon service level metrics unique to the product or service being delivered by the third party.   While contractually establishing service level metrics is a best practice, it is only the first step.  Organization’s need to monitor performance metrics throughout the life of each third party relationship and manage deteriorating third party relationships at the earliest possible time.  While an organization may have created some contractual recourse should a third party fail to perform, litigation and financial compensation do not solve the problems posed by underperforming third parties.  The best outcome is represented by third parties that live up to or exceed performance expectations.

 

RSA Archer Third Party Governance

RSA Archer Third Party Governance provides the capability to track the performance of individual third party engagements and to measure the performance of third parties across all of the engagements they are delivering to your organization. Third Party Governance provides the ability to document and track service level agreement metrics, and utilize a metrics library to promote consistency in assigning service level metrics to similar engagements.  Once performance metrics are established, actual performance data can be collected from named individuals or automatically via systems of record.  Stakeholders can be automatically notified if a third party’s performance begins to fall outside acceptable boundaries so that third party performance can be coached back to acceptable levels or remediation and contingency plans created and executed should the third party’s performance become irreparable.

 

Key features include:

  • Define and document performance metrics for third parties
  • Track all contractual service level agreement (SLA) metrics
  • Uncover deteriorating third party performance
  • Capture and monitor remediation plans until performance problems are resolved
  • Create performance metrics and associate them with individual product and service engagements
  • Capture performance metric data on an ongoing basis and score performance based on data collected
  • Report on performance of individual product and service engagements
  • Roll up engagement level performance to obtain overall third party performance profile

 

RSA Archer Third Party Governance enables organizations to:

  • Create and capture performance metrics and associate them with individual product and service engagements on an ongoing basis
  • Report on performance of individual product and service engagements and roll up engagement level performance to obtain an overall third party performance profile
  • Uncover deteriorating vendor performance and quickly resolve third party performance problems
  • More frequently exercise contract remedies due to poor performance
  • Avoid third party-related surprises and losses, and spend less time and money on third party performance remediation
  • Demonstrate the effectiveness of third party performance management programs to executive management and regulators

 

Today, organizations are faced with complex and fast moving challenges exacerbated by the very nature of rapidly expanding third party relationships.  RSA Archer Third Governance is one element of an effective Integrated Risk Management program.  Stressing the agility and flexibility needed by today’s modern organizations, integrated risk management brings together the various domains of risk across business activities (horizontally), connecting the activities to the strategies and objectives of the organization on an aggregated basis (vertically). This approach to risk management provides leaders with the most holistic understanding of risk facing their organization so they can make truly informed decisions about where to deploy limited capital and human resources to produce optimized returns for the organization while maximizing the likelihood of achieving the organization’s objectives.

 

As your organization drives business growth through an extended ecosystem strategy, your third party risk and performance management program must evolve and manage risk more holistically, with more agility and integration than before. Managing third party risk and performance is one ingredient to showing real progress and improvement and decreasing business risk.  RSA Archer can help your organization better understand and manage its third party relationships on one configurable, integrated software platform. With RSA Archer solutions, organizations can efficiently implement risk management processes using industry standards and best practices and significantly improve their business risk management maturity.

 

For more information, visit RSA.com or read the Datasheet.

 

What is Third Party Engagement?

A third party is any entity with which your organization has an actual or implied contractual relationship for the receipt of goods and services.  Besides being called a third party, these relationships may also be known as vendors or suppliers.  An Engagement refers to the actual product or service being received by way of a contract with a third party. 

 

RSA Archer Third Party Engagement provides organizations the capability to inventory all of the product and service engagements they are receiving from third parties.  Engagements can be mapped to the third parties supplying the product or service, and to the organization’s business units and business processes they support. Third party contacts can be documented and accountability for third party engagements can be established by named individual and by the business units that own the relationship. If you are utilizing the RSA Archer Third Party Engagement, Risk Management, and Governance use cases then the risk and performance of individual engagements can be established and risk and performance information can be rolled-up across all products and services delivered by a third party; and depicting it in aggregate at the appropriate third party organizational level.

 

Why is the proper management of Third Party Engagements so important?

Third parties may relate, to some degree, with every aspect of an organization.  They may impact your organization’s objectives and they support, in one way or another, the products and services your organization delivers.  They support business processes, introduce risk and affect and supplement the extended internal control environment of your organization.  They may provide assets and inputs to the organization such as hardware, software, physical space, and product inputs.  Acting as an agent of your extended organization, they are subject to your regulatory obligations and policies, and they may directly supplement your human resources through consultants and temporary labor, or extend your human resources by the nature of the services that they are providing.  You may have third parties that touch on every one of these elements of your business. 

There are numerous reasons organizations choose to engage third parties.  These include competing better; benefiting from a vendor’s expertise that you don’t have in-house; optimizing resources, acquiring resources (often more cheaply), transferring risk such as under insurance, and expanding market share by capitalizing on the third party’s presence in a market where you don’t currently have a presence, or by offering a more attractive product or service because of the third party’s expertise and capabilities.

Third parties are an extension of your business and, in the end, third parties introduce the same risk to your organization as if you internalized the activities.  In most cases, it is impossible to eliminate the risk altogether.  The best you can do is understand the risk and manage it within acceptable levels.

 

RSA Archer Third Party Engagement

RSA Archer offers the Third Party Engagement use case to consolidate the list of third party products and services your organization uses.

 

Key features include:

  • Catalog third parties, their business hierarchy, and the product and services engagements they deliver to your organization
  • Map third party products and services to the business processes they support
  • Roll up engagement risk assessments to obtain an overall third party risk profile
  • Catalog contracts and master services agreements associated with engagements
  • Execute contract risk assessments utilizing standardized questionnaires focused on minimum required contract language to mitigate and transfer risk
  • Capture the third party’s proof of insurance and evaluate the adequacy of the insurance relative to all of the engagements being delivered
  • Integrate the results of your business process impact analysis into your assessment of the inherent resiliency risk of each third party
  • Establish accountability for each third party engagement
  • Document and monitor remediation plans to bring risk within acceptable tolerance
  • Track exceptions related to third party engagements

 

With RSA Archer Third Party Engagement, you can:

  • Establish efficient management of your third party relationships
  • Know where, how, and why third parties are being used throughout your organization, and who is responsible
  • Identify inherently high risk third party products, services, and relationships
  • Better understand the adequacy of each third party’s proof of insurance,
  • Have fewer third party-related audit and regulatory findings
  • Establish the basis for an effective third party risk management program and allocation of scarce resources based on the most significant priorities
  • Provide transparency into third party relationships using robust notifications and reporting
  • Provide positive assurance to senior management, the Board, and regulators regarding the adequacy of the organization’s third party governance program

 

Today, organizations are faced with complex and fast moving challenges exacerbated by the very nature of rapidly expanding third party relationships.  The RSA Archer Third Party Engagement is one element of an effective Integrated Risk Management program.  Stressing the agility and flexibility needed by today’s modern organizations, integrated risk management brings together the various domains of risk across business activities (horizontally), connecting the activities to the strategies and objectives of the organization on an aggregated basis (vertically). This approach to risk management provides leadership with the most holistic understanding of risk facing the organization so they can make truly informed decisions about where to deploy limited capital and human resources to produce the most effective return to the organization.

 

As your company drives business growth through an extended business ecosystem strategy, your risk management program must evolve and manage risk with more agility and integration than before. Managing third party risk and performance is one ingredient to showing real progress and improvement and decreasing business risk.  RSA Archer can help your organization better understand and manage its third party relationships on one configurable, integrated software platform. With RSA Archer solutions, organizations can efficiently implement risk management processes using industry standards and best practices and significantly improve their business risk management maturity.

 

For more information, visit RSA.com or read the Datasheet.

It's official - time to get your creative juices flowing as the RSA Charge 2019 'Call for Speakers' (C4S) is now open and awaiting your submissions!

 

As you are aware, the RSA Charge events represent all RSA products and an increasing number of customers across solutions attend this one-of-a-kind event each year. The RSA 2019 Charge promises to be the biggest event in our history of RSA Charge and Summit conferences. 

 

The RSA Charge event is successful in no small part because of the stellar customer submissions we receive each year. We invite you to submit your presentation brief(s) for consideration.(That'sright, you may submit more than one submission brief!)

 

This year for the first time the '8' Tracksfor RSA Charge 2019 are identical across all products and represent all RSA solutions. We are pleased to present the them to you:

 

Transforming Your Cyber Risk Strategy- Cyber-attacks are at the top of the list of risks for many companies today.  Tell us how you are approaching reducing this risk utilizing RSA products.

 

Beyond the Checkbox: Modernizing Your Compliance Program - The regulatory landscape is always shifting.  How are you keeping up and what steps are you taking towards a sustainable, agile compliance program?

 

Aligning Third Party Risk for the Digital Transformation - Inherited risk from your business partners is a top of mind issue.  Third party risk must be attacked from multiple angles.  Share your strategy.

 

Managing Operational Risk for Impact-  Enterprise risk, operational risk, all things risk management.  Share your experience and strategy on how you identify, assess and treat risk across your business operations.

 

View from Above: Securing the Cloud - From security visibility to managing organizational mandates, what is your risk and security strategy to answer the "go to cloud" call.

 

Under the RSA Hood: Managing Risk in the Dynamic Workforce - The workforce has become a dynamic variable for many organizations - from remote users to BYOD to contractors and seasonal workers.  How are you addressing this shift?

 

Business Resiliency for the 'Always On' Enterprise - The world expects connectivity.  When the lights are off, the business suffers.  Tell us how you are ensuring your business is 'always on' - business continuity, recovery, crisis management and the resilient infrastructure.

 

Performance Optimization: RSA Product Learning Lab - Share your technical insights of how you use RSA products to meet your business objectives.  Extra points for cool 'insider' tips and tricks.

 

We know you have great stories to share with your peers, best practices, teachings, and how-to's. We hope you consider submitting a brief and thank you in advance for your consideration. More information can be found on the RSA Charge 2019 website (scroll to bottom of page) including the RSA Charge 2019 Call for Speakers Submission Form. Submission should be sent to: rsa.events@rsa.com.

 

Call for Speakers 'closes' April 19. 

What would you do if you heard an advertisement on the radio misrepresenting a product your company offered?  I'd like to share a true story and how RSA Archer helped this organization's first line of defense own risk.

 

Sally was listening to the radio on her drive to work when she heard an advertisement about her company but the information was incorrect and misleading.  When she got to work, she didn't know who to report the information to but knew that if she didn't report it, it could cause huge impacts to their organization.  After approaching several people, she decided to call the IT help desk.  While the IT help desk typically "helps" many, they are typically a little further downstream from the risk evaluation process. After some digging, the IT help desk sent the request to the Risk Management team, who then connected Sally with the third party risk team to address the issue with the third party. 

 

When our customer approached RSA, we decided to provide a method via RSA Archer that not only addresses the problem but enables your organization to own risk.  But we took it a bit further than just a risk reporting tool. There are often brilliant ideas that could positively impact your organization. There may also be specific issues or incidents that conflict with your organization's corporate policies and procedures and someone within your organization has the knowledge needed to help avert or mitigate those issues early on. 

 

The RSA Archer Speak Up app-pack provides a mechanism within RSA Archer for the first line of defense to communicate information to your management or risk management team while leveraging workflow to review and approve the information and get it to the right team to take action.

 

RSA Archer Speak Up allows you to:

  • Submit ideas to improve the business;
  • Report issues to responsible authorities or management team within the organization; and
  • Document concerns regarding potential ethics violations, incidents, breaches, issues with third parties, and more.

 

With the RSA Archer Speak Up app-pack, your employees are empowered to speak up and own risk.  And, your management team is empowered with accountability and a consistent governance process for addressing risks.

 

RSA Archer Speak Up Business User Dashboard

Interested in learning more about the RSA Archer Speak Up app-pack? Join us for a Free Friday Tech Huddle on Friday, February 8 for a live demo. Free Friday Tech Huddles are only available to RSA Archer customers. If you are not yet a customer but you are interested in learning more, please contact your local representative or authorized reseller—or visit us at www.rsa.com.

What is Third Party Risk Management?

A third party is any entity with which your organization has an actual or implied contractual relationship for the receipt of goods and services.  Besides being called a third party, these relationships may also be known as vendors or suppliers.  An Engagement refers to the actual product or service being received by way of a contract with a third party. 

 

RSA Archer Third Party Risk Management provides organizations the capability to assess and manage the risks associated with their third party engagements.

 

Why is the proper management of Third Party Risk so important?

Organizations are increasingly using third parties to support their operations and deliver products and services to their clients. While it is possible to outsource many business activities to third parties, organizations retain the risks associated with their third party relationships. Many of these risks can be significant including regulatory compliance violations, customer and shareholder litigation, information security breaches, financial losses from errors, fraud and business interruption, reputation damage, and impediment to strategic objectives. Organizations need to understand the risks third party relationships pose to their organization and the adequacy of controls that their third party providers have in place to manage risk within acceptable boundaries.

 

RSA Archer Third Party Risk Management

RSA Archer Third Party Risk Management employs a series of risk assessment questionnaires to be completed by a third party to assess the third party’s internal control environment and collect relevant supporting documentation for further analysis. The results of these questionnaires are factored into a determination of the residual risk of each third party engagement across several risk categories (compliance/litigation, financial, information security, reputation, resiliency, strategic, sustainability, and fourth party risk).  Risk results are depicted for each engagement and are rolled up to the third party to depict their overall risk across all of the engagements they deliver to the organization. Risk assessment findings can be automatically captured and managed as exceptions and remediation plans can be established, assigned to accountable individuals, and monitored to resolution.

 

Key features include:

  • Consistent risk assessment and evaluation of third party controls
  • Capture and store supplemental documents such as SSAE-16s, financial statements, and PCI assessments, and monitor when refreshed documents are due
  • Capture declared critical fourth party relationships and understand the quality of governance your third party applies to their own third party relationships
  • Depiction of risk of overall third party relationship, across all engagements being delivered to your organization
  • Consolidated view into known issues
  • Organized, managed process to escalate issues
  • Visibility into known risks and efforts to close/address risks
  • Efficient program management and understanding of program status

 

RSA Archer Third Party Risk Management provides:

  • Methodical and standardized approach to risk assessment
  • Management and mitigation of identified issues and reduced time to resolution
  • Stronger, quicker response to emerging risks
  • Fewer third party related incidents and losses
  • Reduced program administration costs
  • Reduction of overall third party risk
  • Reduced repeat audit and regulatory findings
  • Better understanding of how third parties are used throughout the organization and the risks they pose

 

Today, organizations are faced with complex and fast moving challenges exacerbated by the very nature of rapidly expanding third party relationships.  RSA Archer Third Party Risk Management is one element of an effective Integrated Risk Management program.  Stressing the agility and flexibility needed by today’s modern organizations, integrated risk management brings together the various domains of risk across business activities (horizontally), connecting the activities to the strategies and objectives of the organization on an aggregated basis (vertically). This approach to risk management provides leadership with the most holistic understanding of risk facing the organization so they can make truly informed decisions about where to deploy limited capital and human resources to produce optimized returns for the organization.

 

As your company drives business growth through an extended business ecosystem strategy, your risk management program must evolve and manage risk more holistically, with more agility and integration than before. Managing third party risk and performance is one ingredient to showing real progress and improvement and decreasing business risk.  RSA Archer can help your organization better understand and manage its third party relationships on one configurable, integrated software platform. With RSA Archer solutions, organizations can efficiently implement risk management processes using industry standards and best practices and significantly improve their business risk management maturity.

 

For more information, visit RSA.com or read the Datasheet.

What do we mean by controls monitoring?

In today's complex regulatory environment, organizations face a daunting task in maintaining compliance amidst constantly shifting obligations and requirements. As organizations attempt to keep pace and adapt control activities (controls) to changes in compliance requirements and operational risk scenarios, often times they are hamstrung by ad-hoc, disconnected compliance efforts that are implemented reactively across separate areas of the business. This severely limits the ability to maintain a real-time, aggregated view of risk and compliance impacts. Efficiency and scale also suffer as the volume of manual systems and processes overload the organization's limited resources.

 

Implementing a program that includes a centralized inventory of assets, requirements, risks, and controls, coupled with a standardized approach to measuring control efficacy, is the key to ensuring diligence and completeness. This also provides the solid foundation necessary for enabling automation and improving the ability to continuously monitor key risk and control performance metrics as the organization adapts to changes in the business climate.

 

Why is a program approach to monitoring control activities so important?

Consolidating organizational compliance projects into a single platform offers business owners a unique level of visibility into critical risk and compliance information, enabling them to make fully informed risk based business decisions in support of organizational priorities. A single control universe can further align with extended corporate stewardship and responsibility goals and other strategic objectives.

 

RSA Archer Controls Monitoring Program Management

RSA Archer Controls Monitoring Program extends the foundation established with RSA Archer Controls Assurance Program Management, with a modernized approach to defining and managing separate compliance projects simultaneously. This includes tools to assess and report on the performance of controls across all enterprise asset levels and the ability to automate control assessments and continuously monitor ongoing compliance efforts. Customers can also enjoy seamless integration with other RSA Archer use cases designed to tackle all aspects of Integrated Risk Management in their unique environments.

 

Businesses that operate with disconnected, ad-hoc programs typically find themselves diverting more and more time and resources to compliance, only to see their overall risk levels continue to increase. Whereas organizations with optimized compliance programs are able to reverse that trend and return more resources to the business which can then be used to invest in future growth initiatives. An optimized program also serves to reduce overall operational risk and provide decision makers with a reliable means for exploring the opportunity landscape by enabling them to identify with confidence the business risks that are worth taking.

 

For more information, please visit RSA.com and review the Datasheet.

Mason Karrer

RSA Archer PCI Management

Posted by Mason Karrer Employee Jan 16, 2019

What are the basics of PCI-DSS Compliance?

The Payment Card Industry Data Security Standard (PCI-DSS) defines a consolidated set of security best practices endorsed by major card brands, which are designed to reduce fraud risk associated with credit card processing. Organizations that fail to comply may lose their ability to accept credit card payments, which could greatly impact their ability to conduct business. However, with the continually increasing velocity and sophistication of new threats, maintaining an effective PCI- DSS compliance program has become an increasingly costly business requirement as well - and those costs can be substantial.

 

The PCI-DSS is considered one of the more prescriptive and technical compliance mandates that companies must typically deal with. This can be both good and bad. In contrast, many higher level government mandates like federal regulations are often written in broader terms that can be difficult to interpret into actionable specifics like precise internal control definitions. The more a company has to guess at what’s expected, the greater the chance of guessing wrong and either undercompensating (raising the inherent risk of running afoul of the regulation); or overcompensating, which can increase the internal costs and burden of compliance unnecessarily.

 

The benefit of PCI’s more prescriptive language is better clarity in terms of understanding what’s expected, how it will be audited, and specific reporting requirements. However, the other side of the coin with PCI is the extensive technical breadth and depth of its coverage. Encryption, network segmentation, multi-factor authentication, and external vulnerability scanning are a few areas where companies often struggle, either because of technical limitations or significant additional technology investments needed.

 

Why is a program approach to PCI Compliance so important?

Companies able to gain efficiencies by optimizing their operational compliance efforts will be more successful at reducing compliance costs and gaps. Consolidating organizational compliance initiatives into a single comprehensive view is the most effective way to identify and eliminate duplicate efforts and reduce overall compliance risk. The technical nature of PCI can often force companies to undertake process improvements, technical infrastructure overhauls, and even facility construction projects simultaneously. A streamlined program approach helps to keep things organized and drive consistent, successful outcomes.

 

RSA Archer PCI Management

RSA Archer Controls Assurance Program and RSA Archer Controls Monitoring Program provide a solid foundation for managing any organizational compliance initiative. However, PCI’s unique characteristics and pervasive global reach offer an opportunity to take things several steps further. RSA Archer PCI Management is designed to do just that, by enabling organizations to streamline the compliance process, simplify stakeholder participation, and reduce overall compliance effort and cost.

 

RSA Archer PCI Management guides merchants through identifying and defining cardholder data flows and environments, engaging the proper stakeholders, completing self-assessment questionnaires (SAQs), testing and gathering evidence for all required controls, and managing the gap remediation process.

 

Key features include:

  • Easy-to-use project workflows to manage CDE (cardholder data environment) scoping and multiple, ongoing compliance assessment projects.
  • Structured content libraries linking each discreet control requirement in the PCI-DSS to an extensive control testing repository ensuring full coverage across internal and external assessment activities.
  • Persona-driven dashboards and questionnaires that simplify the attestation and evidence gathering process and provide clear insight into compliance activity status.
  • Aggregated issues management functionality for tracking findings and gaps and managing the remediation process.
  • One-click reporting templates to assemble all required deliverables into a properly formatted Report on Compliance (ROC) for easy review and submission.

 

Customers can also enjoy seamless integration with other RSA Archer use cases designed to tackle all aspects of Integrated Risk Management in their unique environments. Organizational leaders with optimized programs in place have a distinct advantage for exploring the opportunity landscape, by enabling them to identify with confidence the business risks that are worth taking.

 

For more information, please visit RSA.com and review the Datasheet.

In their ongoing effort to clarify the concepts of integrated risk management (IRM) and digital risk management (DRM), Gartner has begun to discuss the interconnection of IRM and DRM with enterprise risk management (ERM).

 

 

Source: https://blogs.gartner.com/john-wheeler/irm-is-essential-for-digital-transformation-success/

 

I certainly agree with Gartner’s statement in their recent blog: “To keep pace with the increasing risk associated with digital transformation, organizations require an integrated approach to risk management. Not only is it essential to invest in integrated risk management (IRM) technology to enable this approach, it is also imperative to focus on the convergence of technology and operational risk. This convergence represents a key IRM use case called ‘digital risk management.’ Digital risk management (DRM) technology integrates the management of risks of digital business components — such as cloud, mobile, social and big data — and third-party technologies, such as artificial intelligence and machine learning, operational technology (OT), and the Internet of Things (IoT). DRM helps bridge the gap between the Chief Risk Officer (CRO), the Chief Information Officer (CIO) and the Chief Information Security Officer (CISO).”

 

ENTERPRISE RISK MANAGEMENT IS THE FOCUS

While Gartner introduced IRM and DRM concepts some time ago as part of operational risk management, what appears new in Gartner’s most recent IRM discussion is the explicit connection to ERM.  The ascendency of ERM as a business focus is not new.  In 2014, I reported on RIMS declaration that the practice of ERM had reached critical mass. This is borne out by our customers in the financial services industry, of whom 81% stated in a survey conducted last year that they were already using the RSA Archer Suite to support their ERM program!  That’s right, 81% of financial services customers surveyed are already integrating cyber risks with other kinds of operational risks, with their organization’s financial risks and risks to their strategies and objectives.  As RIMS stated in 2013 of ERM, “value is maximized when management sets strategy and objectives to strike an optimal balance between growth and return, goals and related risks, and efficiently and effectively deploys resources in pursuit of the entity’s objectives.”

 

THE FUTURE OF ERM?

I think it’s safe to assume, as with most things risk management-related, organizations vary in their approach to ERM.  We know that approaches to risk identification, risk assessment, risk evaluation and treatment, and monitoring all vary, as does the scope and granularity around the use of performance, risk, and control indicators.  And that’s fine. Everyone executes to their own unique risk management roadmap given the objectives of their management team, board of directors, and available human and capital resources.

Yet, the Committee of Sponsoring Organizations (COSO) of the Treadway Commission (remember this is the group that drove the Sarbanes-Oxley Act?) has laid out their goal and roadmap for ERM, as well.  In their 2016 update to the COSO ERM framework, they represented the complex interrelationship between risk profile, performance, and risk appetite in this one graphic:

 

                                          Source: Figure 4.2, COSO ERM Public Exposure Draft, June 2016

 

I’ll leave a discussion of the relationship of each of these variables and how an organization might go about generating this kind of understanding for themselves in one graphical representation for another time. For now, I think it is enough to consider some of the questions that must be answered to achieve the goal laid out by COSO ERM 2016:

  • How do I come up with a risk appetite statement that consistently encompasses all types of risk?
  • If risk capacity is that level of risk that would put my organization out of business, which risks are those and how do I assess them in a way to compare them to my risk capacity?
  • How do I aggregate all of my risks to generate a risk profile?
  • How do I measure target performance?
  • How do I correlate risk profile to performance, let alone visually depict the relationship?

 

Please add a comment.  I would love to hear from you and how you think these questions can be answered.

Managing Third Party contracts can be a daunting task, let alone tracking changes and approval during the negotiation process.  Between your legal department and the third party's legal department, the changes and approvals are horrendous to track and inefficient for all parties involved.  What if you had standardized contract language that was pre-approved by your legal organization?  What if you could use RSA Archer to track the clause changes and the change approvals? 

 

RSA Archer Contract Clause Management is the solution for you.  We've developed a solution to address small to mid-sized companies who do not need an entire contract management suite to assemble contracts and manage their clauses while tracking changes and approvals.  This app-pack can help you establish standard clauses to utilize in contracts.  It also tracks and manages the development, changes, and approvals of the contract clauses used in your contracts. 

RSA Archer Contract Clause Management Clause Owner Dashboard

 

With the RSA Archer Contract Clause Management App-Pack, you will have a central repository for storing standard contract clauses and contract clauses that are used in agreements with third parties, have a consistent process for creating and approving the clauses while providing visibility into changes within contracts and clauses.

 

Interested in learning more about the RSA Archer Contract Clause Management app-pack? Join us for a Free Friday Tech Huddle on Friday, January 11 for a live demo. Free Friday Tech Huddles are only available to RSA Archer customers. If you are not yet a customer but you are interested in learning more, please contact your local representative or authorized reseller—or visit us at www.rsa.com.

What is a Third Party Catalog?

The RSA Archer Third Party Catalog provides organizations the capability to inventory all of the third parties with whom they do business and to document their third parties in accordance with their organizational structure (parent company, subsidiary, sub-subsidiary). Third party contacts can be documented and accountability for third party relationships can be established by named individual and by the business units that own the relationship. If you are utilizing the RSA Archer Third Party Engagement, Risk Management, and Governance solutions then risk and performance information can be rolled-up across all products and services delivered by the third party and depicted in aggregate at the appropriate third party organizational level.

 

Why is the proper management of Third Parties so important?

A third party is any entity with which your organization has an actual or implied contractual relationship for the receipt of goods and services.  Besides being called a third party, these relationships are also known as vendor or supplier relationships. 

 

Third parties may relate, to some degree, with every aspect of an organization.  They may impact your organization’s objectives and they support, in one way or another, the products and services an organization delivers.  They support business processes, introduce risk and affect and supplement the extended internal control environment of your organization.  They may provide assets and inputs to the organization such as hardware, software, physical space, and product inputs.  Acting as an agent of the extended organization, they are subject to your regulatory obligations and policies, and they may directly supplement your human resources through consultants and temporary labor, or extend your human resources by the nature of the services that they are providing.  You may have third parties that touch on every one of these elements. 

 

There are numerous reasons organizations choose to engage third parties.  These include competing better; benefiting from a vendor’s expertise that you don’t have in-house; optimizing resources, acquiring resources (often more cheaply), transferring risk such as under insurance, and expanding market share by capitalizing on the third party’s presence in a market where you don’t currently have a presence or by offering a more attractive product or service because of the third party’s contributions.

 

Third parties are an extension of your business and, in the end, third parties introduce the same risk to your organization as if you internalized the activities.  In most cases, it is impossible to eliminate the risk altogether.  The best you can do is understand it and manage it down to an acceptable level.

 

RSA Archer Third Party Catalog

RSA Archer offers the Third Party Catalog use case as the starting point to consolidate your third party dependencies.

 

Key features include:

  • Catalog suppliers, partners, service providers and other third parties
  • Capture important details related to third parties, including contracts
  • Map internal business units to third parties
  • Manage contacts with third parties
  • Efficiently manage your third party relationships
  • Establish accountability for each third party relationship
  • Track exceptions related to third party relationships

 

With RSA Archer Third Party Catalog, you can:

  • Obtain an awareness of all third party relationships throughout the organization
  • Reduce time identifying third party relationships and contracts
  • Establish Accountability for individual supplier relationships and quickly identify relationship owners
  • Track contract terms, including notification of key contract events such as contract obligations, and renewal and expiration dates 

 

Today, organizations are faced with complex and fast moving challenges exacerbated by the very nature of rapidly expanding third party relationships.  The RSA Archer Third Party Catalog is one element of an effective Integrated Risk Management program.  Stressing the agility and flexibility needed by today’s modern organizations, integrated risk management brings together the various domains of risk across business activities (horizontally), connecting the activities to the strategies and objectives of the organization on an aggregated basis (vertically). This approach to risk management provides leadership with the most holistic understanding of risk facing the organization so they can make truly informed decisions about where to deploy limited capital and human resources to produce the most effective return to the organization.

 

As your company drives business growth through an extended business ecosystem strategy, your risk management program must evolve and manage risk with more agility and integration than before. Managing third party risk and performance is one ingredient to showing real progress and improvement and decreasing business risk.  RSA Archer can help your organization better understand and manage its third party relationships on one configurable, integrated software platform. With RSA Archer solutions, organizations can efficiently implement risk management processes using industry standards and best practices and significantly improve their business risk management maturity.

 

For more information, visit RSA.com or read the Datasheet.

 

What is crisis management?

Crisis management is preparing for and handling larger and more complicated disruptive events from start to finish. Crisis management is aligned with business continuity and disaster recovery planning and execution, allowing organizations to respond holistically in crisis situations to protect and resume ongoing operations and infrastructure.

Why is effective crisis management important?

According to a 2018 Deloitte study, Nearly 60 percent of respondents (of more than 500 crisis management executives) believe that organizations face more crises today than they did 10 years ago. Further, 80 percent of their organizations had to mobilize their crisis management teams at least once in the past two years. It's a sobering statistic which leads to an obvious conclusion that crisis management shouldn’t start with a crisis because at that point it is probably already too late. 

 

Effective crisis management entails preparing for different types of crisis events that could likely occur, as well as adequately managing the event when it happens. Much goes into being ready for a crisis event, in fact 99% of the work happens before a crisis event ever occurs. For example, organizations must identify what types of events could occur (natural and man-made disaster), what could go wrong, and which areas of the organization could be impacted. Crisis plans must be coordinated with recovery plans for areas of the business or IT that could be disrupted. Testing must be performed to see how crisis and recovery plans stand up under different potential scenarios.

 

Crisis management is also important because most organizations have separate teams that manage their business continuity (BC), IT disaster recovery (DR) and crisis functions yet they all need to work seamlessly together. Resiliency means “bend but don’t break”, and it entails evolving into an organization that is naturally able to adapt to adverse conditions, make midcourse corrections and elude the negative impacts of a disruption. When you consider the increasing challenges in today’s complex, global organizations, alignment between these separate groups becomes more imperative to build resiliency across the business. Now more than ever, these teams must work closely to help their organizations become more resilient and minimize the impact of any disruption to their reputation, finances, legal status, employees and customers.

RSA Archer Crisis Management

The RSA Archer Crisis Management use case addresses the problems outlined above through key features that include:

  • Workflow, notifications and reporting that are integrated across BC, IT DR and crisis teams so they can better manage crisis events from start to finish
  • Centralized contact and notification capabilities that can be used for communicating with key constituents before and during a crisis event
  • A lessons-learned assessment that helps these integrated teams evaluate where they can improve before the next event

With RSA Archer Crisis Management, you are able to:

  • Communicate more quickly and effectively, reducing lag time in assessing damage, determining safety of employees, and ascertaining status before, during and after the event
  • Reduce impacts of crisis events by being better prepared for them
  • Reduce downtime of critical business operations or IT systems disrupted by the crisis event by quickly activating BC/DR plans and better coordinating recovery
  • Better incorporate lessons learned from tests or real crisis events back into your plans and activities, which builds resiliency into the organization

RSA Archer Crisis Management is a critical element of Integrated Risk Management. As your company drives business growth with new initiatives, technology adoption or market expansion, it becomes even more susceptible to events that could disrupt your ongoing mission. Your crisis and resiliency programs must evolve and help manage risk with more agility and integration than ever before.  Managing the negative impacts of crisis events is a key ingredient to reducing risk. RSA Archer can help your organization manage multiple dimensions of risk on one configurable, integrated software platform. With RSA Archer solutions, organizations can efficiently implement risk management processes using industry standards and best practices and significantly improve their business risk management maturity.

 

For more information, visit RSA.com or read the Datasheet.

My final theory of my Riskicist’s Guide for you to contemplate borrows from an interesting phenomenon in nature. Synchronization of seemingly random events in nature is not uncommon. Flocks of birds and schools of fish synchronize to ward off predators. Inanimate objects can even synchronize. The point is there is no one master object is necessary to give direction for these things to synchronize. In some cases it is instinct, some cases it is physics. But out of chaos comes order.


What does this have to do with the future of risk management?


Culture has a lot to do with risk management. In some respects, culture is one of most direct influences on how well your risk program works. Your program relies on people. And people have personalities. Just like we have dominant personality traits, every employee in your company has a risk personality and they display that personality in everyday life. Do they instinctively speed up when the stoplight is yellow or do they immediately go for the brake? Or do they take a split second to calculate? Do they play the lottery every week or is it only for suckers and a waste of money? Do they wait until the prize is big enough for them to wager?  These personality types vary across a company – and depending on the level of influence a person has within the organization – this risk personality affects the company’s culture. We have seen companies where risk taking – fueled by these personalities - has built empires or destroyed from within.


We need to contemplate the emerging views on what is risky and how that will affect our organization’s culture. We need to contemplate the expectation of the future workforce when it comes to managing risk through technology – and using technology to manage risk.


My last theory is: 

The forces of SYNCHRONICITY will affect your organization’s approach to risk management

MORE than any other force.


Your workforce - including the entry level risk analyst or security admin you hire in the future - is being built on digital natives – those not knowing a world without technology. Their RISK PERSONALITY will continue to change - and be different than many of the established cultural norms. As these new personalities enter your workforce, they will bring much potential. However, your culture will change and eventually your organization will synchronize to these new ways of thinking.


In a future digital world that will be based entirely on data, it will be the personalities of your organization that will be the difference between success and failure. These personalities may be difference between taking a risk that pays off – or missing an opportunity due to caution. For the risk management professional, we must anticipate that synchronization. More importantly, WE need to be ready to change with it and become open to controlled, risk taking. We must become comfortable with the uncomfortable.


So what does the future of risk management look like? As much as I would like it, I can’t see into the future. Even with these theories, it is difficult to know exactly what will come. We know amazing technological advances are coming our way. We know we will change how we think about risk. Your digital transformation will force new paradigms; your workforce will demand new approaches.


When it comes to what we, as a risk management community, need to think about going forward, we have some clear indicators. One thing I know is risk management will be all about speed. Risk management cannot be a hindrance in your organization moving forward. You are faced with a complex and fast-moving landscape that requires an evolution towards Integrated Risk Management. We can use a Cartesian space – horizontal and vertical integration through people, processes and technology - to guide us. We can prepare ourselves for the rapid changes in risk. We will need to factor time into our risk equations. We must also anticipate this synchronization factor.


Our industry is on an evolutionary path and sitting on the precipice of a new digital world.  RSA has been leading the pack in building technology solutions over the past 35 years and proud to be part of your journey. My final thought to leave you with is this…


The future is not in FRONT of you…


It is BUILT on you.


I know you are up for the challenge.

 

This blog series is based on my keynote from the RSA Archer Summit 2018.

What is Incident Management?

Incident management is tracking, treating and resolving incidents that are more common and operational in nature, ranging from cyber and physical events, to minor social media outbreaks or others. Incident management includes capturing the details of the incident, assessing the criticality and executing the appropriate response procedures.

 

Why is effective incident handling important?

Many organizations have developed incident response processes but they are often manual, ad hoc and dispersed, and incidents are managed using spreadsheets or homegrown solutions. As a result, there is usually no end-to-end process to effectively handle them uniformly. An effective incident management process should include prioritizing the incidents as they occur and letting that drive a measured response. Incidents should be categorized, teams assigned to manage them, status tracked, resolved, and post-event investigation performed where necessary. Additionally, reporting should be in place for internal teams and because of requirements to track fraud, cyber incidents, whistleblower and physical security threats mandated by regulations, including the Public Disclosure Act and the Sarbanes-Oxley Act.

 

Organizations are spending more time and resources than necessary to manage their incidents due to the lack of an effective process. More importantly, if not handled correctly or quickly, simple incidents can turn into crisis events that have the potential to interrupt business and cause serious harm to the organization’s people and operations, hinder compliance, damage reputations and so on. Organizations of all size and scope must have an incident management process that allows personnel to react quickly and effectively when events occur.

 

RSA Archer Incident Management

The RSA Archer Incident Management use case addresses the problems outlined above through key features that include:

  • Central repository for reporting all incidents and managing the entire incident lifecycle
  • Workflow and procedures to be implemented as incidents occur, categorized by incident type (denial of service, phishing attack, and more), team or other criteria
  • A fluid connection to crisis management teams and procedures for incidents that escalate into crises

With RSA Archer Incident Management, you will be able to:

  • Centralize all incident management into one tool, eliminating duplicative processes, tools, resources and costs
  • Control access to incident data to protect the integrity of confidential information
  • Link incidents to related findings and monitor related remediation efforts
  • Quickly view dashboards and reports to manage incidents and identify trends, similarities, and relationships

 

RSA Archer Incident Management is one element of Integrated Risk Management. As your company drives business growth with new initiatives, technology adoption or market expansion, new incident types could impact your organization, so you must evolve and manage them and associated risk with more agility and integration than before.  Managing incidents is one ingredient to reducing risk by acting quickly to control incidents before they become larger crises that potentially result in physical damage, financial loss, reputational damage or other negative impacts to the organization.

 

RSA Archer can help your organization manage multiple dimensions of risk on one configurable, integrated software platform. With RSA Archer solutions, organizations can efficiently implement risk management processes using industry standards and best practices and significantly improve their business risk management maturity.

 

For more information, visit RSA.com or read the Datasheet.

In my last blog in my Riskicist’s Guide, I posed the Theory of Exponential Growth highlighting the rapid change of risk in today’s world and the need for automation. With automation we can gain better visibility. We then have much more data to drive insights and actions – BUT as things move faster we need to better understand WHEN to deal with an issue as well as how it impacts the business. This brings me to another aspect of my riskics – TIME.  The most constant, ever present variable in hyper risk management is TIME. In fact, time could be one of the most critical variables in the Digital Risk Management transformation.


For example, most data classification schemes are one-time affairs and answer What is the value of this piece of data today? However, the value of data – the currency of the digital transformation – can change over time. I wrote about this in a blog in 2014 entitled “The Data Classification Curve”. In a nutshell, the criticality, value or sensitivity of data depends on time – financial numbers go from extreme confidentiality to public knowledge overnight; the sensitivity of personal data hits a threshold as elements are combined or collected over time.


The point is risk associated with your business, like data sensitivity, goes up or down depending on time. When we apply that concept to our traditional definition of likelihood and impact, we clearly can see both are affected by time. The likelihood of an event may go up or down depending on the time of day. The impact of a financial system outage at the end of the quarter is different than the middle of the quarter.

 

This leads to my next theory:

Measurement of risk will REQUIRE an element of TIME.


Risk when approached with this concept of time becomes less of a dashboard more like a stock ticker. A loss exposure at one time could be $3M, another time $1M, another time $5M… it all depends on time. Going back to our traditional risk formula, risk still depends on likelihood and impact – but each must be considered in relation to time.

 

This concept could be applied to any gap identified during a risk or compliance process. It could also apply to prioritization of events and alerts. RSA’s experience gives us a leg up in helping risk management processes utilize time as an input. RSA Netwitness’ user behavior analytics and RSA’s Adaptive Authentication risk engine already uses this type of approach.


Time as an input to risk management processes in the digital era affects calculating risk exposure and driving action. A security incident may be more or less critical based on the time of the day. A Business Continuity plan may need to factor in the time of the month of a potential event. Not that you would leave an event to chance or ignore something based on this time element but the timing of events will need to factor into prioritization and measurement.


As risk management processes begin to become more and more data driven, fueled by the digital transformation of the business, there will be a need to tighten up the response to that data and prioritize based on the data. As insight into risks are produced, time will be a major input into what actions are needed, when they are needed and how to prioritize those actions. Risks will need to be prioritized not only on automated business context flowing in from different systems – but prioritized based on the time.

 

Join me for my last theory in my next blog as I wrap up my Riskicist's Guide to the Universe.

As I continue my Riskicist’s Guide to the Universe, my first theory regarding the future of risk management deals with change.


In very simple terms, the change of Risk in the past can be thought of as growing on a mainly linear scale as a function of the organizational size or complexity. In other words, a straight line. But there is more to it. Your company has market dynamics within your industry that force change. As your competitive pressures increase and your market changes, it affects your risk. The rate of risk change is therefore a function of your market, or F(x) = Y * x where Y is a measurement of your market volatility. If your market is changing rapidly, the coefficient is > 1. The line is steeper, the rate of risk is higher. If the market pressures are relatively slow than the rate of change is between 0 and 1. The line isn’t as steep – or risk is not expanding as fast. Don’t begin thinking these are actual mathematical models – this is a conceptual depiction – but the logic applies.


Prior to the digital revolution, this might have been an adequate way to graph a simple rate of change of risk. However, risk in the digital world doesn’t grow in this linear fashion. It grows at an exponential rate.

 

This leads to my first theory:


The GROWTH OF RISK will follow an exponential curve based the rate of change of your market taken to the power of your digital transformation.

 

In this conceptual model, Y is your market changes, Z is the rate of adoption of technology within your organization. The market pressures have been a constant force affecting industries. It is the Digital Transformation that can be a massive shift. As your business goes digital, it can represent an explosion of elements in your risk management framework. More systems, more data, more threats, more EVERYTHING. It is this exponential factor that fuels hyper growth and changes how we think of some of our fundamental needs in our risk program.


The main impact of this rapid risk growth I want to explore is the impact on understanding the business context around risk. Business Context is the relationship of any risk management framework element – like an incident or a control – to the business. Business Context sets the aperture by which risk can be viewed - the more context, the more clarity. When you have Hyper Risk Growth, you need Hyper Risk Management. Hyper Risk Management requires Hyper Business Context.

 

Hyper Business Context must be fueled by automation. Manual cataloging anything related to the risk management process in this new world will quickly fall behind. In short, the hyper growth of risk forces us to look to automated inputs with a frequency and reliability that exceeds today’s capabilities. We must rethink what it means to create the relationships to formulate business context. Your risk program must build business context from the insights it gathers – and not rely solely on manual efforts.


The good news is RSA has a unique position when it comes to the future of business context. RSA Archer already helps you build context for your risk program. But we can also think outside the box when it comes to building business context. For example, why not let the systems tell us what is important? Network monitoring systems like RSA Netwitness can tell us how much a system is used to identify availability risks. Identity Management systems like RSA SecurID can connect applications to user profiles building relationships between business functions and IT infrastructure. These are byproducts of those technologies that we can use to inform business context.

 

Automation and integration will be key in ensuring your context keeps up with the data flowing from your many systems especially as your business continues along its digital transformation.

 

Join me next week for my next blog that discusses an ever present variable that will have a tremendous impact on measuring risk in the future. 

Filter Blog

By date: By tag: