Search Results

Compliance is often a logical, externally driven starting point for risk management programs. Staying ahead of changing regulations can be a daunting task. Factor in disruptions like the pandemic and the evolving business landscape and it becomes clear that no single risk management function standing alone can adequately protect an organization from risk. Rather, companies need an integrated risk management approach focused on operational resilience to adapt and prosper in times of upheaval and increased potential risk. With integrated risk management, companies go beyond compliance to layer on audit management, enterprise and operational risk management, third-party governance, and other functions. This layered, “mesh” approach creates a more holistic model providing depth to the risk management strategy. In our whitepaper, “The State of Integrated Risk Management”, we outline the lessons learned by those who thrived in their digital transformation efforts during the pandemic to help companies along their journey to improving business outcomes through operational resiliency. Get the insights and read more about the four themes of operational resiliency here. Compliance is Still Foundational but Not the Endgame Many times, individual departments may create their own compliance processes to address policies and meet regulatory obligations. This siloed approach makes it difficult to identify, prioritize and respond to issues that impact your business. With changing priorities and resources stretching due to shifting business needs, disconnected processes not only impact an organization’s productivity but also its ability to sustain and grow the business. By establishing a coordinated and consistent compliance program, the executive team can get the full picture of the state of compliance across the entire organization. Organizations should establish formal processes for stakeholders to understand and manage changes that may affect the organization’s compliance, including how new and changing activities may impact the organization’s obligation. A coordinated approach to compliance improves operational resiliency and should create a proactive approach that supports a holistic risk management strategy. More than 1/3 of respondents in our survey stated a risk-based compliance methodology is a priority for them in the next two years illustrating the cross-over between compliance approaches and risk management. Why Operational Resilience is End Game While compliance is a critical component of managing risk, operational resilience has become an increasingly important topic. Risk today is multidimensional, and the frequency and magnitude of disruptions, like the pandemic, have motivated organizations to take a deeper look at how they identify and analyze risk and how they plan to avoid or recover from them. Operational resilience considers the strategic goals of the organization, engages all parts of the organization, and embraces integrated risk management to drive the development of resilient business practices. Strong operational resilience can: Improve the company’s finances by reducing costs that would have been incurred during a disaster. Drastically reduce operational disruptions by preparing for potential disasters before they occur. Allow you to respond swiftly in crisis situations to protect your ongoing operations​. Minimize the impact on your business by breaking down the silos across functions and teams. Help organizations have the capacity to quickly put together mergers and acquisitions Help organizations swiftly adapt to changes in technology due to digital transformations. Improve visibility over all the performances of different sectors paramount to the organization’s growth and the resources necessary to achieve the goals. Provide complete oversight over all the company’s outsourced operations. How to Create a Culture of Operational Resilience The ability to absorb changes and adapt to an evolving risk environment is a regulatory, corporate, and board-level topic within many organizations. Traditionally, building a culture of resiliency is a function of an effective business continuity management program. To build ownership across the entire organization, each department from IT to sales must proactively participate in implementing operational resilience into processes, systems, and practices. This cultural change should be led at the executive level. Gartner predicts that by 2025, “70% of CEOs will mandate a culture of operational resiliency to survive coinciding threats from COVID-19, cybercrime, severe weather events, civil unrest, and political instabilities.”(1) Having change driven by the chief operating officer (COO) or chief information officer (CIO) helps to reinforce the importance of implementation. The first thing organizations should do when creating a culture of resiliency is have a definite purpose and aim. When organizations have a clear vision that every sector can relate to, it is easier to work together and achieve mutually beneficial goals. Second, organizations must establish consistent procedures and policies. For a program to thrive, all departments and functions performing separate risk management activities should be using the same methodologies, tolerances, and toolsets. Last, it is vital that internal and third-party organizations are as aligned in their resiliency efforts as they are in their delivery of products and systems. This alignment can be accomplished in the onboarding process, service-level agreements, or clauses in contracts. The State of Integrated Risk Management: Themes of Operational Resilience Strong compliance processes are one step, albeit a critical foundational step, towards achieving operational resilience. Programs focused on operational resiliency bring risk information together so you can better understand your risk posture, determine more easily how to treat risks, as well as see the interrelationship of these risks to the entire business. Explore the other themes of operational resilience by downloading our whitepaper, “The State of Integrated Risk Management”. Archer Solutions As a leader in providing integrated risk management solutions, we can help you with strategic-decision making and improving your operational resilience. Contact us today to see how Archer Regulatory and Corporate Compliance Management can aid you in providing a clear consolidated view of your organization’s state of compliance and how an integrated risk management approach better prepares you to thrive in a multidimensional and evolving risk landscape. (1) Gartner: Predicts 2021: Operational resiliency. January 2021.

Today we are excited to introduce Archer Insight, a set of quantitative risk analysis capabilities which, when paired with Archer’s industry-leading integrated risk management platform, supports improved risk-based decision making. Archer Insight features a wide range of enhanced risk analysis capabilities; this blog focuses on one feature we expect to be of high interest to risk analysts, specifically improved risk heat maps. Risk heat maps are a basic communication tool for the risk manager, providing a visual overview of the portfolio of identified risks. On one axis is the likelihood of the risk occurring, and on the other axis a measure of the impact should the risk occur. Those risks with the highest likelihood and impact are most threatening and the corresponding quadrant is colored red. Those risks with the lowest likelihood and impact plot in the quadrant colored green to reflect their relative unimportance, and the area in between is typically colored yellow or orange. Traditional heat map Despite its ubiquitous popularity, the traditional risk heat map presents several challenges: Clearly not all squares of the same color represent risks of the same severity, but the qualitative evaluation of likelihood and impact magnitude do not allow a rational method for defining finer gradations along the red-to-green spectrum. Likelihood is typically equated to probability of occurrence for events that can occur at most one time (like the destruction of a building or the loss of a dataset to the Dark Web) or frequency of occurrence for events that can occur multiple time (like fatal accidents, system shutdowns or regulatory fines). The former scales from 0 to 1, while the latter can take any non-negative value. It is therefore very challenging to show both types of likelihood on the same plot. For example, if an expected frequency of five times a year is ‘High’, then to be consistent a probability of 100% would be lower, which does not make intuitive sense. Representing low likelihood risks is also challenging. One might say that a risk with a 10% chance of occurrence should fall into a ‘Low’ category, but this is still quite significant – if you have 10 such risks, it is almost certain that one of them would occur. On the other hand, a risk with a one in a thousand chance of occurring would fall into the same ‘Low’ likelihood category. When an impact can take a wide range of values, it is extremely challenging to decide how to present the risk. For example, a factory accident might have a 10% chance of occurring in a year, but its impact could be anything from some minor bruises if lucky (Low), most probably an outpatient visit by a worker (Medium Low), but in the most extreme circumstances there could be several fatalities (High). If the risk is evaluated as [Likelihood,Impact] = [Low,Medium Low], there is no recognition of the very severe possible outcome, but if it is represented as [Low,High], the evaluation is exaggerated. A new vision for heat maps Archer Insight introduces quantitative estimation of risks through simple, intuitive evaluation techniques that require no expertise on probability modeling or math. It resolves the probability/frequency dilemma, and it allows users to express the range of possible resultant impacts if needed. Archer Insight also introduces quantitative bowtie methods to express how one risk may have more than one consequence. For example, a car crash (risk event) could result in several consequences – from being late for work to repair bills to injuries and fatalities to the passengers and larger public: Bowtie analysis for a car crash These consequences produce impacts of different dimensions: money for repairs, time for delays, and level of injuries/fatalities for people. It is even possible to map several risks to the same consequence. For example, several different risks might all lead to the cancellation of a contract (the consequence) with an important financial impact. Archer Insight automatically calculates the aggregate likelihood of the consequence occurring, taking into account all the different ways it could happen. The option to include a richer description of risk has made it possible to rethink the heat map, and produce new visualization that is more precise, comprehensive, and useful for decision makers. The standard Archer Insight heat map has an impact scale that ranges from ‘Extremely Low’ to ‘Catastrophic’ plus a ‘Nil’ category so that one can represent when the impact of a consequence has been avoided completely. The finer gradation, together with guiding definitions, allows a far more precise evaluation of impact. Moreover, Archer Insight allows you to specify ranges of impacts, both qualitative and quantitative. Its sophisticated algorithm translates these inputs into a consistent scaling system, even across different impact types. The algorithm ensures that all consequences plotting in the same color are equivalent in importance. Archer Insight P-I table for consequences with heat map overlay The vertical axis is numeric, accommodating both probability and frequency, which is automatically adjusted to reflect the business time horizon and any changes in the window of opportunity for the risks to occur. Pre-and post-risk treatment evaluations are shown together using “tadpole tails”: Tadpole tails – the head represents the current status, the end of the tail represents the evaluation prior to any risk treatment This allows the manager to appreciate the level of reliance on the effectiveness of risk management strategies. If the line is long, the reliance is large. The heat map allows you to drill down by selecting a specific entity and a specific type of impact if required. Hovering over a consequence will show a description popup, clicking on the dot will highlight the consequence in the accompanying table, and clicking the table entry will show a wealth of information describing the strategy being used to manage the consequence: Archer Insight P-I table filtered for Reputation consequences with heat map overlay One can also view risk events instead of consequences. Archer Insight then displays each risk event, accounting for the multitude of consequences that might arise from it: Archer Insight P-I table for risk events with heat map overlay switched off To learn more about how Archer Insight is enabling an enhanced level of risk-based decision making, contact us today.

You know the ‘Death and taxes’ phase? This is the full quote, from a letter Benjamin Franklin wrote in 1789 to Jean-Baptiste Le Roy – a French fellow tech guru and scientist of the time: “Our new Constitution is now established, and has an appearance that promises permanency; but in this world nothing can be said to be certain, except death and taxes.” How many infomercial articles have you read that start "In today's world, [blah blah blah] is more important than ever"? So trite. So, let me change things a bit: “In today's world, we still live with enormous uncertainty and using numbers to effectively manage risk is just as important as it has always been.” After a hiatus of twenty years (this July) of genuflection to SOX, the risk management world is beginning to remember numbers again. Beginning to remember that taking the right risks for the right reasons is an essential part of progress, of success, of creating value. It’s what risk management is meant to do and the secret sauce in rational risk-based decision-making is numbers. Boxes of long-forgotten ideas are being taken down from the attics of veteran risk analysts, the dust of sorry neglect blown away, and carefully opened – with a mixture of curiosity, expectation and trepidation. Inside we find a mysterious collection of tools that have lost none of their lustrous sheen with age. In fact, in today’s world, with the greater access to data and computing power, they offer more potential than ever. If only we’d learned how they work. We should be kicking ourselves that we were so collectively neglectful. Luckily there are lots of grey beards like me, raised in the pre-SOX era, who have kept the secrets alive. Luckier still, Archer has decided to add the full might of risk quantification to our GRC/IRM platform. It’s called Archer Insight and its awesome. I think Benjamin Franklin would have approved. About that mixture of curiosity, expectation and trepidation … Curiosity: what nuggets lie hidden in your data It takes time, care, effort and money to collect data. Your organization has lots of it. If you’ve been using Archer for any length of time you will lots and lots of risk-related data, all beautifully organized and safe. Don’t you wonder what those data might be able to tell you? One of the most common areas in which an organization can dramatically improve is to make use of the data it already collects. Risk management is no different. The discipline that turns data into knowledge is quantitative. Knowing how often your controls have failed helps you estimate their probability of success. Looking at how many of your historic risks actually occurred helps you see how much you over- or underestimate their likelihood. Looking at best and worst case scenarios helps you estimate the range and likely impacts. The list goes on and on. Expectation: will it really help our business? Yes, it will. It will help you manage risks far more cost-effectively simply because you can compare the size of a risk against the costs of different treatment options and pick the option that gives you the greatest bang for your buck. But it also means you can aggregate. Numbers can be added, risk scores cannot. Aggregation allows decision-makers to see the big picture, and that is an essential part of making the right big decisions. Trepidation: You never understood statistics and probability theory Don’t’ worry about that. For many people, when they hear the phrase “risk quantification” they think of their less-than-rewarding experience with statistics classes at university. They understand that probability theory can only be wielded safely by socially-awkward, sartorially-challenged, wild-haired geniuses working feverishly on equations nobody else can understand. To be fair, they do exist – but their natural habitats are academia and perhaps SpaceX, and some of them look like you and me too. We focus a bit too much on that Einstein photo. In the business world, the challenge is figuring out the best strategies for handling risk, not the math. The people who know the business and have a pragmatic, problem-solving head on their shoulders are best-placed to figure out these strategies. Perhaps that’s what you do already. Framed properly, the method used to evaluate risk can make it really simple to provide the right numbers. Archer Insight is set up this way and it builds the risk analysis models for you as you describe the problem. You don’t ever need to pick a probability distribution or write an equation. But it’s still a great idea to know the basics of probability. You’ll be more confident about explaining what’s been learned, checking the results and collecting the right data. It will take a couple of days of training, and Archer can provide that training. You might even find it fun. Archer Insight Delivers Enterprise-Wide Risk Quantification Archer® Insight is a suite of enterprise-wide risk quantification capabilities designed to deliver risk and business leaders a complete view of enterprise risks to improve resilience and ensure achievement of its strategic goals. For example, Archer Insight allows you to use built-in techniques like Monte Carlo simulation so you do not need to do all of the modeling yourself. Archer Insight can help you aggregate risk into meaningful quantitative measurements - and when you can add things, you can compare them. It allows you to compare risks and investments needed to mitigate, reduce, transfer or avoid risk. Archer Insight is entirely quantitative, enabling you to combine all the threats to your organization and truly understand the risks that matter. It makes quantitative risk management quick and easy to use by providing a full set of tools and features for understanding and managing all types of risk in one platform: operational, project, cyber-security, health and safety, investment and cashflow risk. Join us for an upcoming webinar Risk Quantification: Step Up Your GRC Game to learn more about how you can quantifying risk can change the conversation with your management team and business partners. Contact us to learn how Archer Insight can help you quantify your risk management.

The world is increasingly connected, and organizations are more exposed to the risks and rewards of other enterprises than ever before. Physical supply networks, digital communications, and integrated business systems have reshaped the risk landscape. The pandemic has reinforced for all of us the complexity of modern organizations, and the need for close coordination across departments and disciplines in response to a crisis. Operational resilience can no longer only consist of the BC/DR function (Business Continuity and Disaster Recovery) that builds reactive recovery plans that are only dusted off during infrequent geo-specific or IT disruptions. An organizational continuity plan that articulates a localized disaster recovery process may not map onto a global disruption. Furthermore, an IT problem isn’t just an issue with the organization’s computer network when infrastructure and physical assets are always connected. The need for a holistic and fully integrated view of risk management has been thrown into focus by the pandemic. The consequences of unmanaged risk for any organization are extensive, and as risk continues to grow, executives and board members are increasingly becoming more involved in risk management initiatives. More and more organizations have begun to integrate risk management into their day-to-day operations. Risk is changing so dramatically across so many areas that siloed and manual processes make it difficult to get complete information to stakeholders quickly. Even the most successful point solutions will only magnify this challenge, with information stored in different locations and used in different ways by each department. This is exactly why our customers see such value in managing multiple dimensions of risk on one platform, in fact almost 80% of our customers manage multiple domains of risk on Archer. An organization that has fully adopted and empowered integrated risk management practices and processes may be forced to contend with third-party risks that are beyond the direct control of the organization. To find out how managing vendors and suppliers outside your walls can increase operational resilience and actually drive growth, download our latest report, “The State of Integrated Risk Management”. Increased Exposure to Supply Chain Disruptions The connected global economy has exposed an increasing number of organizations to risks outside of their traditional domains. Even if an organization was able to formulate and properly categorize a BC/DR for the countless eventualities that can disrupt operations, recognizing emerging risks and promptly shifting into disaster recovery still requires risk management to be deeply integrated into an organizational framework. Local and global disruptions have gone from being blue-moon events to being business as usual. As the risk profiles of more and more organizations expand, being able to continuously manage risk becomes more integral to every level of operations. Accordingly, risk management has become central to the scale and scope of operations. We’ve found that for many organizations, anticipating, recognizing, and managing risk has become a critical component at every level of operation. Our experience with organizations that use Archer gives us an understanding of how organizations have responded to the challenges of the past year. Over 60% of respondents in the 2020 RSA Digital Risk survey stated their companies' integrated risk management programs were somewhat or quite extensive. Compare that with only 7% of respondents stating that their organizations did not have any sort of integrated risk management programs or procedures in place, and it’s clear that risk management is a priority in today’s organizations. Global Changes and Operational Risk Climate change has turned once-in-a-lifetime events into regular occurrences. Some regions are expected to experience 100-year floods nearly every year (1). In the summer of 2021 the Pacific Northwest of North America, a region so mild that most people do not have air conditioning, saw temperatures reach over 120 degrees Fahrenheit. Previously unthinkable weather disruptions are now commonplace, causing unmanaged disruptions. Catastrophic flooding that washes away industrial centers, heat waves that melt power lines and roads, and ice storms that freeze gas lines all have the power to throw supply chains into chaos. Even an organization that uses multiple vendors to help ensure operational resilience will still be out of luck if all of the vendors are disrupted at the same time during a global catastrophe. Sophisticated state-sanctioned cyber warfare has brought disruptions to more and more organizations. The 2020 SolarWinds attacks (2), in which Russian hackers compromised the networks of over 18,000 organizations, is just one example. In this case, the target seems to have been the networks of the United States government, but since the attack involved hacking the software update server for all users of the SolarWinds Orion platform, many non-government networks were also compromised. Early in the COVID-19 pandemic, a shortage of N95 masks highlighted the risks of an interconnected and international business environment. With scarce information about what kinds of preventative measures could limit the spread of the virus, N95 masks were shown to be effective at reducing transmission. Compounding the panic buying that nearly eliminated inventory for the masks was the shutdown of international borders, as the medical-grade wood pulp used for the masks was produced in Canada (3). Any organization that relied on face-to-face interactions to achieve its operational goals was forced to choose between stopping operations, continuing operations while putting personnel at risk, or having to pay exorbitant prices for increasingly scarce face masks. Organizations without an established framework in which to quickly compare and make decisions about operational, compliance, and financial risk suffered. Organizations must routinely plan for and contend with risks that previous generations would consider to be outside of the realm of possibilities. That’s why we recommend organizations manage risk by coordinating efforts across organizational domains, such as resiliency, audit, compliance, IT, and operational risk. Instead of assuming any given eventuality will occur in isolation, to be addressed alone, modern organizations will soon recognize that multiple disruptions can occur simultaneously. Operational Resilience is the Primary Motivator We recommend organizations approach risk domains holistically by connecting the risks seen in day-to-day operations to the implications of those events to the business strategy. 1 in 5 of the respondents in the 2020 RSA Digital Risk survey stated they are prioritizing the alignment of business resiliency and enterprise risk management approaches in the next two years. An organizational culture that relies on processes and procedures to deliver operational resilience is not enough. Global risks cannot necessarily be managed with the same processes that work for internal or even vendor risks. Learn how to not only respond to global risks outside of your four walls but to actually turn risk to your advantage in our report “The State of Integrated Risk Management.” (1) https://www.nature.com/articles/s41467-019-11755-z (2) https://www.businessinsider.com/solarwinds-hack-explained-government-agencies-cyber-security-2020-12 (3) https://www.theglobeandmail.com/canada/article-vancouver-island-pulp-mill-supplies-materials-for-medical-protective/

Any organization managing cybersecurity risks has a daunting challenge. Security issues are identified and published online daily, mitigations may not arrive for weeks, and threats can originate across international borders. Narrowly focused best practices can become liabilities overnight. Conscientious and inflexible security practices may mitigate the risk of theft or intrusions but may come at the cost of efficiency and responsiveness. Risks can be invisible right up until they are a problem, and even trusted and seemingly secure supply chains can be disrupted or compromised. The lines that define safe operations are constantly shifting, as even existing technologies require fresh security assessments. It isn’t enough to make a one-time risk analysis of possible threats when integrating new practices or assets. We recommend organizations routinely determine the scope and business implications of cyber-attacks. In addition, being able to quantify and categorize risk can make the development of a risk management culture a concrete exercise with metrics and clearly defined goals. Establishing how each process and practice manages risk and increases operational resilience is easier with an integrated risk management approach to security. Leaders in integrated risk management have been expanding their abilities for mitigating risk with new tools that allow for coordinated security processes. See how to protect your organization with robust risk defenses by reading our report, “The State of Integrated Risk Management.” All Risk is Connected and Your Security Approach Should Be Too In the physical world, a strong perimeter defense can mitigate losses while still allowing businesses to operate within protected perimeters of a facility. However, cybersecurity perimeter defenses have long been problematic due to the very nature of digital risks and threats. When everything relies on the impregnability of a firewall or the secrecy of a password, everything is at risk if a firewall is breached, or a password is compromised. When the global COVID-19 pandemic led to workplace shutdowns, the opportunities for cyberattacks skyrocketed. Organizations that did not have an integrated security approach to cyberthreats were more vulnerable to attacks when their workforce was distributed across a spectrum of network security settings. When a flood of remote workers began accessing sensitive assets through home networks, many organizations relied on VPNs to allow personnel to tunnel into protected organization networks. Unfortunately, this adds as many points of security weaknesses as there are personnel remotely accessing the organization’s network. For example, the Colonial Pipeline ransomware attack used virtual private network login credentials to hold the Colonial Pipeline Company’s operations hostage.[1] A single point of failure led to disruptions in mission critical operations. Reinforced Defenses against Disruption The concept of defense in depth has been around for decades and adds layers of protection wherever possible and practical. An integrated risk management approach to security builds on that concept by connecting processes and data from other risk functions since e every part of an operation is a possible security concern or source of risk. The key to designing and maintaining an integrated risk management approach to security is to make sure the entire process is aligned with operational resilience. The ability to remain in operation despite disruptions should be the primary motivating force behind your security approach. 1 in 5 of respondents in the RSA Digital Risk 2020 survey stated they are prioritizing the alignment of business resiliency and enterprise risk management approaches in the next two years. With an integrated risk management approach to security, different areas of an organization can manage their risk in a way that strengthens overall operational resilience. The efforts of IT and security weave together with regulatory and corporate compliance, third-party management, and other stakeholders to create a reinforced risk management program. Granular Risk and Response We recommend organizations compile a complete picture of technology and digital security related risks and understand their financial impacts. Without knowing how a data breach will disrupt operations, it can be impractical to gauge the appropriate level of effort and capital to invest in precautions and countermeasures. A well-defined process and taxonomy that quantifies the impact of risks can help to align risk management practices with organizational goals. Without an integrated risk management approach to security in place, a single security risk can propagate through an organization’s assets. With more and more elements being digitized, automated, and controlled with connected technology, a data breach can even result in the disruption of physical operations. When operational resilience relies on the strength of a single measure, that one defense becomes so critical that it becomes difficult to quantify the results of that defense being compromised. A defense in depth, integrated risk management-based security strategy allows for atomized risk appraisals of any given practice or process. The growing necessity of defense in depth security practices places a new responsibility on the risk management landscape. While the integrity of a single perimeter defense system can be determined with existing industry practices, the sheer density of security measures calls for new processes to monitor and control an organization’s risk management practices. The pandemic revealed previously ignored or unaddressed weaknesses in many organizations. Our 2020 Digital Risk survey found that nearly 75% of respondents expect their digital initiatives to accelerate due to the disruptions and shifts over the past year. While some of this acceleration will include expansion of existing approaches and practices, new processes to meet the expanding risk profile can help an organization match the shifting environment. Operational risk programs should bring risk information together so you can better understand your risk posture, determine more easily how to treat risks, as well as see the interrelationship of these risks to the entire business. Integrated Risk Management Moving Forward Comprehensive approaches to operational resilience require detailed audits of weaknesses in every part of a risk management strategy. Most of our customers expect their risk profile to expand significantly in the next two years. We work with organizations to manage their expanding risk profile on our powerful integrated risk management platform. To discover how the organizations that utilize a mesh security approach are outcompeting even in times of disruption, read our whitepaper, “The State of Integrated Risk Management.” [1] https://www.bloomberg.com/news/articles/2021-06-04/hackers-breached-colonial-pipeline-using-compromised-password

As your organization evolves, so too does your risk landscape. Risk is inherent in all types of initiatives within business operations such as the expansion of digital processes can increase security risk and outsourcing business operations to third-party vendors creates complexities in your supply chain. For any organization to thrive in these transformative times, it must have a solid risk management strategy. The growing recognition that all risk is connected has led to companies realizing that they need coordination across all risk functions – including leveraging the same data, platform, taxonomy, and output. This coordinated strategy is called an integrated risk management approach. Integrated risk management gives organizations the ability to navigate risks and deal with them effectively (should they arise) without hindrance in business operations. An integrated risk management approach gives senior management and executives actionable and detailed data so that they decide on an action plan that is best for the organization ultimately improving overall performance. The pandemic put a spotlight on the need for companies to have an integrated risk management approach with emphasis on operational resilience, or a company’s ability to absorb and adapt to sudden disruptions and continue to meet business goals. We recently analyzed the Archer customer base to discover how our customers not only survived but thrived during this global upheaval. What we found fundamentally accentuated the need for integrated risk management strategies. When respondents to the RSA 2020 Digital Risk Survey were asked about the need to coordinate risk management, the “extremely coordinated” response jumped more than 90% in the short time between the question being asked in a 2019 survey and the 2020 survey. The key learnings and the four integral themes of integrated risk management are outlined in our new whitepaper, “The State of Integrated Risk Management”. Digital Transformation, the Pandemic and Major Forces on Risk Change is constant, but the alarming rate at which the world is digitally transforming has major impacts on existing business models and operations. Almost 55% of respondents in the 2020 RSA Digital Risk survey stated their organizations were extensively engaged in digital transformation initiatives highlighting the pervasive use of technology to advance business operations. The pace of digital efforts were accelerated in light of the pandemic, forcing organizations to find alternative, technology enabled methods to support their workforce and deliver products and services to customers. As Gartner found, “The momentum of digital transformation projects is outpacing the ability of organizations to accommodate the changes and will introduce additional complexity of threats.” (1) This rapid digital transformation also makes organizations more vulnerable to cyber-attacks and virtual disruption. A more fluid risk landscape has emerged requiring a more holistic and integrated approach to risk management. The pressure to manage risk is evident with over 60% of respondents in the 2020 RSA Digital Risk survey stating their companies' integrated risk management programs were somewhat or quite extensive. Obviously, integrated risk management approaches have become the norm – not the exception. How did COVID Affect Risk Management? The COVID 19 pandemic had a severe negative impact on organizations all around the globe. COVID brought about major changes in the technological, social, economic, and political aspects of the world. These changes have made organizations pay more attention to overseeing, anticipating, and mitigating threats caused by unfavorable interruptions to business operations. A PwC study found that respondents that shifted risk management responsibilities to the first line were more likely to show profit and revenue growth over the next two years and were able to recover from adverse events more quickly. (2) While the pandemic affected multiple areas of risk, two areas of risk highlight the coordination needed to address today’s risk environment. Cyber Attacks The pandemic forced many companies to go remote and conduct business virtually. Opportunistic cyber breaches increased in 2020 and adopted technologies put more undue pressure on business and IT resource availability making it more important than ever to have solid and effective recovery plans. Often, IT disaster recovery teams are on a different page than business continuity teams of what’s critical to protect and recover, highlighting the need for an integrated approach and improving cyber resiliency. Additionally, remote working promotes fraudulent activities like phishing. The cybercrime economy thrives in times of chaos, with unchecked growth in fraud attempts and other risks. 79% of respondents in the RSA 2020 Digital Risk Survey expect to rely more heavily on the IT and security risk management portions of their risk programs over the next two years. Compliance This remote working environment then made it even more difficult to enforce compliant behavior among staff. In addition, regulators saw how the pandemic affected different industries and have begun addressing some of the gaps they have observed through new regulations. The result is a more complex regulatory environment with a challenging enforcement playing field. In response, risk-based approaches are necessary to identify the most impactful compliance requirements. This played out in the RSA Digital Risk Survey with more than 1/3 of respondents in the survey stating a risk-based compliance methodology is a priority for them in the next two years. In addition, the technology operations have a tremendous impact on the compliance strategy. Therefore, the overlap in compliance and IT and security risk management is obvious. A coordinated strategy, via Integrated risk management, needs to focus on compliance measures that are suitable for the present working environment. The convergence of compliance and IT and security risk management is evident within the Archer customer base. Of the 1100+ deployments Archer has for IT and security risk management, more than 80% utilize compliance processes on the Archer platform. How to Achieve Resilience Through Integrated Risk Management One thing is certain, the pandemic has highlighted the need for resilience, especially as other high-magnitude disruptions continue to mount. Achieving resiliency, however, is another matter – it requires forethought, discipline, and constant vigilance. These five steps are key to building resiliency: Develop and adopt a holistic enterprise-wide integrated risk management system and governance. Develop a risk profile, assess your risk landscape, and a strategy for operational resilience. implement change initiatives that are focused on proactive instead of reactive. Lead from the top to maintain and adopt management protocols that ensure the company's growth. Ensure compliance via enforcement of organization standards, policies, and regulations across all sectors of the organization. The State of Integrated Risk Management While many companies were caught off guard by the pandemic, a lucky few were able to quickly pivot and thrive in their ongoing business operations and digital transformation efforts. Our whitepaper, “The State of Integrated Risk Management”, outlines key themes related to operational resiliency and integrated risk management and the underlying success factors of those who were able to take advantage of extraordinary opportunities presented. Download the paper now, and contact us today and begin your journey to operational resilience. (1) Gartner: Predicts 2021: Operational resiliency. January 2021. (2) PricewaterhouseCoopers. Risk in Review: Managing Risk from the Front Line Correlates to Higher Revenue and Profit Growth, Says PwC. 2017. https://www.pwc.com/us/en/press-releases/2017/risk-in-review-managing-risk-from-the-front-line.html

The world as we know it is dynamic, and the global pandemic has emphasized the fragility of human and organizational operations in the connected world of today. Companies are not only trying to recover from the drastic changes of the pandemic, such as remote work, but from the impact of the shifting risk landscape and how it has affected their business goals and outcomes. With an eye on the importance of riding the waves of disruptions and change we see today, organizations need to achieve operational resilience to survive. Operational resilience is the ability of an organization to absorb and adapt from any threat or unplanned disruption. It is a coordinated, consistent, and automated approach to business continuity that goes beyond recovery of internal processes to focus on external services and product delivery. Operational resilience includes traditional elements of IT disaster recovery, planning, testing, and execution, that allows for a swift response during crises to protect an organization’s ongoing operations but takes steps closer to the overall business objectives and strategies. An organization that takes time to construct a solid risk management strategy will thrive in this age where business risk is increasingly connected. Therefore, integrated risk management is the foundation for operational resilience. An organization that has achieved operational resilience will continue to function properly and achieve its goals even amidst interruptions. While the burden of resiliency is one that every employee should carry, senior management should focus on assessing and understanding the risk levels of the organization and its readiness for disasters and unexpected scenarios. Gartner predicts that by 2025, “70% of CEOs will mandate a culture of operational resiliency to survive coinciding threats from COVID-19, cybercrime, severe weather events, civil unrest, and political instabilities.”i Our whitepaper, “The State of Integrated Risk Management” discusses the importance of resiliency starting top-down from leadership. Communicating Operational Resilience in Your Organization To effectively and optimally manage risks, organizations must adopt a holistic approach to overseeing every aspect of the multiple risk management functions. Usually, organizations carry out risk management in silos; each department deals with its own risk management and possible disruptive scenarios. Occasionally effective, this method is not ideal for companies that seek to thrive in the long run, especially in their digital transformation efforts. The silo method does not take into account the risk assessment of the company as a whole. Any risk assessment done in any sector is only as effective as that sector deems fit. Uncoordinated, ad hoc processes can leave a business vulnerable and recovery plans ineffective. Operational resilience deals with assessing and understanding the risk tolerance levels in every sector - to proactively manage risks throughout the organization. Resilient organizations look at both internal and external risks as they understand that risk can also originate from third parties. They have risk management plans in place for any disruption, whether cyberattack, natural disaster, or global pandemic. Companies with operational resilience also must consider risks beyond their own four walls. They know that good communication is imperative to coordination. When a disruption or threat arises, senior managers must convey information to every party involved, including disaster recovery and crisis teams and, if necessary, consumers. Internal and external communications are incredibly important in risk management to reduce impact and maintain business continuity. An organizations’ resilience can be improved by ensuring visibility and communication with the following: Clients Stakeholders Distributors Vendors Suppliers Partners And every other set of persons that can have an impact on the organization. Interdepartmental communication is crucial to the success of shifting from a reactive to a proactive risk management structure. Operational resilience is a cultural mindset change that drives the implementation of resilient practices throughout the business. How to Embed Operational Resilience in an Organization There are some integral steps that organizations must adopt to transform from recovery to operational resilience. Adopt a Holistic Perspective to Viewing Organizational Risks Organizations should consider both internal and external factors that can have a direct or indirect impact on the organization. Take into consideration the people, technology, programs, and processes, etc. associated with the business. An effective enterprise risk analysis must consider risks across every sector and division of the organization. This strategy enables employees and teams to come together to envision potential disruption scenarios that may arise. Design a Comprehensive Risk Assessment System. To manage risks, organizations must be able to access and predict possible risks scenarios. This is where communication plays a major role, as everyone in the organization must be informed about evolving business priorities that inform recovery and response processes. When members of the organization are on the same page, potential threats and interruptions can be properly analyzed, understood, and documented. Consider the upstream and downstream dependencies, systems, and processes, and how your team plans for them. Identify Possible Failures in Existing Processes and Remedy Them While every failure that may arise from existing processes may not need to be documented, it is critical to identify key scenarios and focus on the capabilities that prepare for those specific scenarios AND related, derivative, or similar situations. Assess different threats levels and types to proactively plan against them. An effective program must include a cycle for learning and improving processes, so it’s important to bring the continuity and recovery professionals managing day-to-day incidents or planning and testing for crisis events together, Operational Resilience and The State of Integrated Risk Management We want companies like you to benefit from the risk management lessons learned by our customers during the height of the global pandemic. In our State of Integrated Risk Management report, we outline the key discoveries and insights garnered from those who thrived despite the worldwide upheaval. Get the whitepaper now to read more about the four themes affecting organizations today, and how your business can benefit from an integrated risk management strategy focused on resiliency. Archer’s Business Resiliency Solution At Archer, we can help you scale through uncertainties and digitally transform your business to the next level through strategic decision-making. Contact us today to discover how to improve your organization’s operational resilience to make your company better suited to handle risks, improve business outcomes, and ease your digital transformation process, especially during times of disruption. i Gartner: Predicts 2021: Operational resiliency. January 2021.

Whether you call it Integrated risk management or Governance, Risk and Compliance or just plain old organizational common sense, the idea to manage risk within today’s competitive and constantly changing environment is an absolute necessity. In the past year, technology shifts, market disruptions and unique obstacles have made keeping tabs on the barriers to strategic business goals a constant battle. Piling on top of the usual suspects of security, operational risk, and regulatory compliance are the topics of operational resilience, third party risk and Environmental, Social and Governance (ESG) risk. While those themes have been part of the risk landscape for years, they seem to have matured from precocious toddlers to full blown adolescence – wreaking havoc - overnight. At this juncture, we felt it was important to take a step back and look at the risk management industry. The Archer State of Integrated Risk Management report is based on several inputs. We analyzed our customer base to identify trends and indicators. With over 1500 deployments, Archer is used by companies of all sizes, in all industries and across the globe. Additionally, we have customers that have deployments of over 15 years. This coverage gives us unique insights into what capabilities companies target as they mature their risk management programs. We also analyzed specific results from the 2020 RSA Digital Risk Survey relevant to integrated risk management priorities. This survey consisted of targeted questions regarding risk priorities today with responses from 1,100 risk, security and business professionals. Based on our own experiences working with our customers and these inputs, we identified four industry themes that provide a perspective on integrated risk management. Compliance is still foundational, but operational resilience is the end game. Convergence of digital and traditional business means organizations must not stop at IT and security risk management or disaster recovery. Quantification based on well-established mathematical principles is the best way to calculate risk—and it’s easier than ever. Risk management maturity over time is complex yet achievable. We also noted how risk management technology has evolved in the face of change. Over the last 20 years, Archer has evolved from organizing catalogs of key elements of the risk management program into the enterprise business support tool with workflow, reporting and decision support that enables integrated risk management and bring significant ROI. 2020 brought tremendous disruption to organizations but also offered an extreme example on what it takes to be resilient. Disruption doesn’t play favorites – but those organizations prepared for it can not only survive but thrive. Operational resilience takes forethought, discipline and constant vigilance. Integrated risk management plays a critical role in developing these capabilities. Risk management is both a proactive and reflective process taking not only experience and expertise to learn from the past, but also commitment and focus to innovate for the future. Download the report to learn more about the state of integrated risk management and see how your organization stacks up towards building the resilience it needs in today’s risk landscape.

In another of what will be a long series of proposals related to oversight of corporate environmental impact, the U.S. Securities and Exchange Commission (SEC) recently announced its own proposal on disclosure. Joining the efforts of many other governing and regulatory bodies worldwide, including the recent Corporate Sustainability Reporting Directive (CSRD) and Sustainable Finance Disclosure Regulation (SFDR) out of Europe, the SEC has now stepped fully into the fray as stakeholders ranging from conservationists to institutional investors seek greater visibility into the actions of large corporations to manage their environmental impacts. This announced proposal from the SEC has several key aspects that beyond accelerating current ESG efforts, warrant special consideration for large organizations, including: Accountability for not only quantifying the progress towards their environmental goals, but also clear identification of the risks and opportunities to those outcomes Requirements that will emerge from the call for more, better, standardized data that can help create a normalized view of progress across organizations As environmental impacts are only one component the current ESG push, it is reasonable (if not responsible) for organizations to assume similar proposals that extend into other areas. If the direction set by the SEC’s proposal moves in a similar direction to other geographies, it is also wise for organizations smaller than those within current scope to assume “scope creep” down into their realm. Unsurprisingly, the proposal has been met with immediate push-back from both sides of the isles, and it would be wise to assume that this proposal will go through several iterations before being finalized. But it would be similarly unwise to not view this as another significant signal of accelerated involvement by regulators in ESG. With that in mind, the SEC’s proposal also has some very specific impacts for Risk Management professionals: The near-term need for a focus on data gathering, risk register and cataloging of controls, other common GRC or Enterprise/Integrated Risk Management practices Regulation will be a likely driver for some (but not all) integration of ESG into Enterprise/Integrated Risk Management This will require starting with an approach that scales bi-directionally: integration across the growing array of regulations AND that expands across various data sources covering not only environmental impacts but social as well Again, this is an early but undoubtedly a significant step in what is growing momentum around ESG. At Archer, we believe ESG is much more than another regulatory thorn-in-the-side but is in fact one of the biggest drivers for more involvement in strategic planning for the Risk Management function. To learn more about how Archer customers are looking at the likely near-term and longer-term impacts of ESG on the Risk Management function, register now for our webinar, “3 Things Risk Managers Need to Know About ESG,” at 11:00am Eastern on March 30.

As new technologies are rapidly adopted, new opportunities open. At the same time technology also carries the burden of potential negative events. In addition, evolving regulatory environments add new compliance requirements, making the task of managing and mitigating risk ever-expanding. We wanted to know how the organizations are contending with digital risk management maturation, so we analyzed how our customers are dealing with evolving risks. We observed the majority felt that their organizations were able to manage at least some of their new, existing, and developing digital risks – in large part because of their path towards an integrated risk management strategy. This is a promising start and shows that even when facing unprecedented challenges, the road to maturing an integrated risk management program leads to not only reduced risk but more agile and informed business decisions Reaching a high level of maturity with integrated risk management can benefit an organization greatly. Managing a greater variety of risks across domains, and smaller categories of risk within domains are part of a maturing integrated risk management strategy. Maturity also means finding better ways for a risk management program’s findings to be communicated within a department or organization. Discover if your organization is making the right moves to mature your risk management program to guard against expanding risk by reading our report “The State of Integrated Risk Management.” Creating a Culture of Integrated Risk Management A risk management department doesn’t absolve stakeholders from managing the risk in their domains. In the same way that compliance is the responsibility of every person in an organization, integrated risk management strategies place risk reporting and mitigation in everyone’s hands. Today's challenges require managing a cultural shift from reactively checking boxes in a risk assessment program to a proactive risk management model that necessitates participation across the organization. Integrated risk management is a journey - not a destination. Even organizations with well-structured programs must continually monitor and evolve their program to ensure risk management is connected to business goals with cross-functional processes. Risk management processes and procedures that become fixed and no longer connect with the conditions on the ground can create more issues than they solve. When engaging front-line stakeholders, it is crucially important to ensure that when personnel report on evolving risks, that information is at the very least acknowledged and, ideally, acted on by the organization. In years past this would require taking time to fill out paperwork, something that might not always be practical if the front line is a warehouse or industrial site. The ubiquity of smartphones and wireless networks has created a powerful and rapid method to tighten the loop on reporting, monitoring, and communicating sources of risk. We developed Archer Engage to offer a straightforward risk analysis and treatment platform that allows any stakeholder with a smartphone to report and collect risk data in real-time. The process of engagement can extend to third parties as well. An understanding of the relationships you have with third parties to mitigate risk is key to managing risk and operational resiliency. Engaging a third party to report conditions in real-time helps make the priorities of an organization clear. How Risk Management Matures When an organization begins to develop an integrated risk management program, it is useful to focus on quick wins within the context of a broader strategy. This helps to establish that an integrated risk management program is effective and can deliver on the organization’s strategic goals. Risk is changing so dramatically across so many areas that siloed and manual processes make it difficult to get complete information to stakeholders quickly. Even the most successful point solutions will only magnify this challenge, with information stored in different locations and used in different ways by each department. As an integrated risk management approach matures, risk from multiple domains can be managed centrally, in a coordinated and consistent way. In fact, almost 80% of our customers manage multiple domains of risk on Archer. Expanding an integrated risk management program across and within domains doesn’t just mean taking the same cookie-cutter solution and thoughtlessly applying it. The process of expansion should be sensitive to what is novel about the different domains being managed. There is no guarantee that, for example, the threat of a cyberattack will map directly onto a compliance issue, so procedures to mitigate or manage one may not make sense for the other. However, even when the details differ, the platform on which those procedures are developed and deployed should offer a common interface for managing both. It is important to keep in mind that a mature integrated risk management approach will evolve over time. Steps that are taken to increase maturity will not deliver a final product, destination, or steady-state of risk management. Stakeholders in an organization need to understand that integrated risk management means constant vigilance for existing and novel risks to increase operational resilience. Mature integrated risk management is woven into everything an organization does. Think of how ubiquitous the use of digital technology is in a modern organization and you can start to get an idea of how deeply integrated mature risk management should be. Expanding and Extending Risk Management Strategies With a mature risk management strategy, risk is not a ‘black box’ but a key input into making decisions to exploit business opportunity. If your organization can successfully manage disruptions that sideline other players in the field, those disruptions become a chance to grow. Effective risk management is more than avoiding major failures and business disruptions. Creating a culture of risk awareness can protect your organization and enhance its value. An organization with a mature integrated risk management process that can maintain operations during a crisis is able to take advantage of the new opportunities the changing landscape offers. For example, Home Depot proactively distributes plywood, generators, and equipment to clear fallen trees to stores where hurricanes are expected to make landfall. While other hardware and lumber stores may struggle to meet demand or even stay open, Home Depot is the go-to business for people preparing for or recovering from a disaster (1). The individual components of mature integrated risk management are themselves beneficial to an organization. For example, organizations that engage front-line stakeholders in the risk management process were more likely to experience revenue growth and were faster to recover from disruptions (2). Make your organization more competitive and resilient by downloading our report, “The State of Integrated Risk Management,” which will teach you how the journey toward mature integrated risk management actually provides tangible benefits and better business outcomes. (1) https://fortune.com/2017/08/31/home-depot-hurricane-harvey-damage-impact/ (2) PricewaterhouseCoopers. Risk in Review: Managing Risk from the Front Line Correlates to Higher Revenue and Profit Growth, Says PwC. 2017. https://www.pwc.com/us/en/press-releases/2017/risk-in-review-managing-risk-from-the-front-line.html

Modern organizations must contend with risk from many different sources. Disruptions can come from internal sources, such as process interruptions, accidental damage to physical operations, or a myriad of other potential problems. Even an organization that manages internal risks well will likely encounter difficulties from external sources. Gartner predicts that by 2025, “70% of CEOs will mandate a culture of operational resiliency to survive coinciding threats from COVID-19, cybercrime, severe weather events, civil unrest, and political instabilities.”(1) We also saw evidence of the shift in risk profiles. Over 75% of respondents to our 2020 RSA Digital Risk Survey expected the risk profile of their organization to expand over the next two years. Only 7% of those surveyed anticipated a shrinking risk profile. Based on these changes, we analyzed Archer’s customer base consisting of a wide variety of organizations about risk challenges they faced over the last year, and outline the insights and lessons learned in our whitepaper, “The State of Integrated Risk Management”. How Qualitative Methods Fall Flat When Sizing up Risk One major observation we noted was the need for more precise measurement of risk. Qualitative risk analysis can provide a framework for thinking about individual threats or issues. A qualitative assessment can translate jargon like “supply-chain software update attack” into an appropriately category with an eye catching term like “critical threat”. It is important to make sure the relevant parties are aware of how dire the outcomes could be, even when a risk sounds unlikely or outside of a stakeholder’s domain. Due to the wide-ranging nature of threats and disruptions in modern organizations, qualitative visual aids may still be useful when utilized with other measurement approaches. A heatmap that compares the likelihood of a given event to the consequences of said event can give a good idea of which issues are mission-critical but doesn’t necessarily offer a means of figuring out how much overhead should be devoted to mitigating those risks. Replacing words like “mildly adverse” and “catastrophic” with green-yellow and dark red squares doesn’t get around the fact that ultimately a heatmap represents qualitative judgments. This might be a great tool for getting the attention of stakeholders, but real operational impacts will be felt in dollars and cents, not shades of red. The colors of a risk heat map give a false impression of hard data without offering concrete guidance. Why Quantitative Methods Make for Better Risk Management With so many different types of risk from so many sources with widely varying likelihoods, organizations need better ways to manage potential risk. Qualitative descriptions of risk using words and colors require human interpretation when implementing risk management processes, which can lead to inconsistent practices. It also clouds the picture when aggregating risks – what do two reds equal, or 5 yellows? This is why quantitative risk assessment is so important for risk management. Assigning hard numbers to both the likelihood of a given threat and the consequence of said threat provides several advantages over qualitative assessments. Being able to say an event has a 15% chance of taking 90% of an organization’s operational capacity offline in a given year makes it easier to figure out how much time and money should be spent mitigating that risk. Having hard numbers on eventualities also allows for risk assessment across domains. What may count as a catastrophe for one department may not have a very large operational effect. Conversely, creeping normalcy can lead stakeholders to become so accustomed to operating under what has been termed “unacceptable” risks that the term loses all meaning. The numbers placed on risk by a quantitative approach can not only be compared directly but combined so that multidimensional risks can be translated into an easily understood number. Quantitative analysis can capture the probability and effects of a dozen low likelihood, low impact events happening simultaneously. The cascade of disruptions from COVID-19 should serve as a stark reminder that risk is increasingly hyperconnected. Managing the Data of Quantitative Risk Management We recommend organizations manage risk by coordinating efforts across organizational domains, such as resiliency, audit, compliance, IT, and operational risk. Archer provides a way to coordinate efforts between departments, just like quantitative risk analysis provides a common language between departments to communicate risk. Organizations that have established programs in individual domains should be working to expand their risk focus and improve visibility, analysis, and metrics​. Finding common processes or data to share is a great first step to bring together risk management functions. Quantitative risk analysis produces hard numbers that can guide decision-making in definite ways but can also produce a large amount of information. Real-time monitoring of evolving operational risk produces a flood of information. Risk is changing so dramatically across so many areas that siloed and manual processes make it difficult to get complete information to stakeholders quickly. Even the most successful point solutions will only magnify this challenge, with information stored in different locations and used in different ways by each department. This is exactly why our customers see such value in managing multiple dimensions of risk on one platform. Almost 80% of our customers manage multiple domains of risk on Archer. Of the 250+ customers that have been with Archer for over a decade, almost 60% have branched into three or more domains of risk management. Measuring Risk in an Evolving Threat Landscape The past year has shown just how quickly the risk environment can shift. Disruptions due to the effects of COVID-19, the wide variety of regulatory responses even within a single country, and the rapid transition to a fully remote workforce caught many organizations off guard. 2020 was a wake-up call for many organizations, leading to a growing recognition of the need for integrated risk management. When respondents to our 2020 Digital Risk Survey were asked about the need to coordinate risk management, the “extremely coordinated” response jumped more than 90% in the short time between the question being asked in a 2019 survey and the 2020 survey. Get our key insights on quantifying risk and how best to prepare your organization for expanding risk profiles in our whitepaper, “The State of Integrated Risk Management.” (1) Gartner: Predicts 2021: Operational resiliency. January 2021.

The last two years have thrust many organizations into a series of concurrent and overlapping crises and escalating risk. The direct effects of workplace shutdowns are still being felt with supply chain disruptions, shortages, and permanent closures of vendors that have gone out of business. Cyberattacks of enormous scale and sophistication shut down gas pipelines and even breached departments of the U.S. federal government. For any organization that hadn’t considered the evolution of digital risk due to workplace disruption as an important part of risk profile, the pandemic was a wake-up call. The speed with which digital risks expanded as organizations went remote was unprecedented. Reports of a new respiratory illness were barely newsworthy in early January of 2020. Some organizations had already begun voluntary suspension of in-person operations before official lockdown mandates were declared. Organizations that had relevant continuity plans implemented them, others scrambled to put together ad hoc fixes for unprecedented challenges. The transition to fully remote work brought with it new types of risk. Sensitive information was being routinely accessed from home networks, and the chances of a data breach or other IT threats went up. To see how the most resilient organizations not only navigated this change, but thrived during this disruption, read our whitepaper, “The State of Integrated Risk Management”. The Pandemic Accelerated Existing Trends in Digital Initiatives and Risk Even before the pandemic, we found that a full 90% of respondents in our Digital Risk Survey felt that overall, their organization’s risk profile had expanded in the two years preceding 2019. Almost half of the respondents expected their risk profiles to expand significantly in the next two years (1). Our whitepaper, “The State of Integrated Risk Management” details how the pandemic reinforced trends of already expanding risk profiles. For organizations that had already made the transition to a distributed model prior to the workplace shutdowns required to stop the spread of COVID-19, there were fewer novel challenges. For nearly everyone else, the last two years expanded the risk profile immensely. Only 2% of the organizations we’ve analyzed claimed that their digital risks had not been impacted by the pandemic (2). Many organizations were faced with hard choices during the COVID-19 shutdowns. Workplaces could either become partially remote, fully remote or suspend operations entirely. Our findings revealed that in the previous two years, less than half of respondents’ organizations had begun to enable a “work anywhere” or dynamic workforce. More than three out of four respondents felt that in the next two years their organizations were going to accelerate their efforts to allow personnel to “work anywhere”. Rapid Acceleration Introduces Novel Digital Risk Organizations were forced to accelerate digital initiatives under the threat of a global pandemic. Almost one in five respondents in the RSA Digital Risk Survey felt that their organization was mostly reactive to digital threats. Digital initiatives bring with them the expansion of what is known as the “attack surface” of an organization. Moving data to the cloud requires storing sensitive information with third parties, which may introduce or increase the risk of a data breach. When moved to the cloud, data that may have previously been “air-gapped” or stored on machines rather than the internet to prevent a cyberattack, is now open to increasingly sophisticated hacking. The challenge and cost of provisioning and securing devices as well as installing and updating software has led many organizations to move more and more systems to the cloud. As organizations onboard and secure more and more remote devices and users, cloud infrastructure and bandwidth have had to increase as well. Software as a service often requires little more than a web browser to offer state-of-the-art digital tools. This also introduces risk, as with every username and password created to access a service, there is another opportunity for a cyberattack. The risks associated with moving toward a dynamic or “work anywhere” workforce were already being considered by organizations when we conducted our 2019 survey. In our 2019 survey, we found that the risks associated with transitioning to a dynamic or “work anywhere” workforce were ranked as the second-highest source of digital risk. How Integrated Risk Management Helps Digital Transformation ​​If an organization adds a new method, process, or platform for every source of risk, it can be difficult if not impossible to quickly assess how a risk profile is changing. Risk management should work with the goals of an organization. We recommend organizations merge essential capabilities across disaster recovery, data backup and recovery, business continuity, crisis management and security incident response strategies, and programs. Organizations accelerate their digital initiatives to become more efficient, increase operational resilience, and be more effective overall at achieving their mission. If new risks aren’t proactively planned for, organizations could end up opening themselves to other threats that overwhelm the expected benefits of the digital transformation. Effective risk management is more than avoiding major failures and business disruptions. Creating a culture of operational resilience through integrated risk management can protect your organization and enhance business outcomes. When integrated risk management is a part of the culture of an organization, the digital transformation is viewed as another component that, like all tools and processes, carries risk. The pandemic expanded and accelerated existing trends, but did so at a pace that caught some organizations by surprise. Based on an amalgamation of inputs from analyzing our customer implementations and our 20+ years of industry leadership we’ve outlined how top organizations have successfully navigated the changing risk landscape in our “The State of Integrated Risk Management”. Download our whitepaper now to get a better sense of whether your organization is playing catch up, middle of the road, or ahead of the curve with operational resilience and integrated risk management. (1) RSA Digital Risk Report (2019) (2) RSA Digital Risk Report Third Edition