Search Results

"" search results: 20 items

  • The Acceleration of the Digital Transformation and Expanded Digital Risks

    The last two years have thrust many organizations into a series of concurrent and overlapping crises and escalating risk. The direct effects of workplace shutdowns are still being felt with supply chain disruptions, shortages, and permanent closures of vendors that have gone out of business. Cyberattacks of enormous scale and sophistication shut down gas pipelines and even breached departments of the U.S. federal government. For any organization that hadn’t considered the evolution of digital risk due to workplace disruption as an important part of its risk profile, the pandemic was a wake-up call. The speed with which digital risks expanded as organizations went remote was unprecedented. Reports of a new respiratory illness were barely newsworthy in early January of 2020. Some organizations had already begun voluntary suspension of in-person operations before official lockdown mandates were declared. Organizations that had relevant continuity plans implemented them; others scrambled to put together ad hoc fixes for unprecedented challenges. The transition to fully remote work brought with it new types of risk. Sensitive information was being routinely accessed from home networks, and the chances of a data breach or other IT threats went up. To see how the most resilient organizations not only navigated this change, but thrived during this disruption, read our whitepaper, “The State of Integrated Risk Management”.
    The Pandemic Accelerated Existing Trends in Digital Initiatives and Risk
    Even before the pandemic, we found that a full 90% of respondents in our Digital Risk Survey felt that overall, their organization’s risk profile had expanded in the two years preceding 2019. Almost half of the respondents expected their risk profiles to expand significantly in the next two years (1). Our whitepaper, “The State of Integrated Risk Management”, details how the pandemic reinforced trends of already expanding risk profiles.
    For organizations that had already made the transition to a distributed model prior to the workplace shutdowns required to stop the spread of COVID-19, there were fewer novel challenges. For nearly everyone else, the last two years expanded the risk profile immensely. Only 2% of the organizations we’ve analyzed claimed that their digital risks had not been impacted by the pandemic (2). Many organizations were faced with hard choices during the COVID-19 shutdowns. Workplaces could either become partially remote, fully remote, or suspend operations entirely. Our findings revealed that in the previous two years, less than half of respondents’ organizations had begun to enable a “work anywhere” or dynamic workforce. More than three out of four respondents felt that in the next two years their organizations were going to accelerate their efforts to allow personnel to “work anywhere”.
    Rapid Acceleration Introduces Novel Digital Risk
    Organizations were forced to accelerate digital initiatives under the threat of a global pandemic. Almost one in five respondents in the RSA Digital Risk Survey felt that their organization was mostly reactive to digital threats. Digital initiatives bring with them the expansion of what is known as the “attack surface” of an organization. Moving data to the cloud requires storing sensitive information with third parties, which may introduce or increase the risk of a data breach. When moved to the cloud, data that may previously have been “air-gapped”, stored on machines not connected to the internet to prevent a cyberattack, is now exposed to increasingly sophisticated hacking. The challenge and cost of provisioning and securing devices, as well as installing and updating software, has led many organizations to move more and more systems to the cloud. As organizations onboard and secure more and more remote devices and users, cloud infrastructure and bandwidth have had to increase as well.
    Software as a service often requires little more than a web browser to offer state-of-the-art digital tools. This also introduces risk: with every username and password created to access a service, there is another opportunity for a cyberattack. The risks associated with moving toward a dynamic or “work anywhere” workforce were already being considered by organizations when we conducted our 2019 survey, in which those risks were ranked as the second-highest source of digital risk.
    How Integrated Risk Management Helps Digital Transformation
    If an organization adds a new method, process, or platform for every source of risk, it can be difficult if not impossible to quickly assess how a risk profile is changing. Risk management should work with the goals of an organization. We recommend organizations merge essential capabilities across disaster recovery, data backup and recovery, business continuity, crisis management, and security incident response strategies and programs. Organizations accelerate their digital initiatives to become more efficient, increase operational resilience, and be more effective overall at achieving their mission. If new risks aren’t proactively planned for, organizations could end up opening themselves to other threats that overwhelm the expected benefits of the digital transformation. Effective risk management is more than avoiding major failures and business disruptions. Creating a culture of operational resilience through integrated risk management can protect your organization and enhance business outcomes. When integrated risk management is a part of the culture of an organization, the digital transformation is viewed as another component that, like all tools and processes, carries risk. The pandemic expanded and accelerated existing trends, but did so at a pace that caught some organizations by surprise.
    Based on an amalgamation of inputs from analyzing our customer implementations and our 20+ years of industry leadership, we’ve outlined how top organizations have successfully navigated the changing risk landscape in our whitepaper, “The State of Integrated Risk Management”. Download our whitepaper now to get a better sense of whether your organization is playing catch-up, middle of the road, or ahead of the curve with operational resilience and integrated risk management.
    (1) RSA Digital Risk Report (2019)
    (2) RSA Digital Risk Report Third Edition

  • How to Go Beyond Information Technology Security with Integrated Risk Management

    The walls between digital and information technology risk and physical operations are dissolving. It is hard, if not impossible, to think of a single domain in which information technology has no effect on operations. Even with physical operations, new IoT technology takes previously offline infrastructure and firmly connects it to both the benefits and dangers of the internet. Without a responsive IT risk management system in place, the danger posed by exposing so many assets to the web can be catastrophic. Monitoring IT risk and having insight into how the various parts of an organization’s IT systems are connected is critical to operational resilience. For example, the Colonial Pipeline ransomware attack did not directly affect the function of the pipeline. However, the company that operates the pipeline decided that until the extent of the cyberattack was known, the best course of action was to suspend pipeline operations. Events like the Colonial Pipeline attack, as well as the global shutdowns due to the pandemic, have shifted thinking about IT and digital risk. Through our experience as industry leaders and our analysis of Archer customers in our 2020 Digital Risk survey, we found that nearly 75% of respondents expected their digital initiatives to accelerate due to the disruptions and shifts of the past year. To get key learnings on the convergence of digital and traditional risk, read our whitepaper, “The State of Integrated Risk Management”.
    The Current State of IT Compliance
    IT security and compliance is often tied to IT risk management. In some cases, IT compliance helps with security, for example using NIST 800 standards when creating passwords. By complying with the strict NIST 800 standards for employee passwords, the risk of unauthorized access is mitigated. There are other situations where an IT compliance solution does not offer any sort of risk management. Many IT systems utilize software and systems that can track issues through tickets, allowing for close monitoring of how problems are resolved. An IT ticket management system provides greater accountability for IT departments, but an IT ticket system needs to be tied to an integrated risk management platform to provide the greatest benefits to operational resilience. There are many major information technology compliance standards published by private companies, non-governmental organizations, and governmental departments. Whether complying with COBIT, ISO 27000, or the European Union’s GDPR (1), IT compliance on the Archer platform works seamlessly with IT security and risk management. Of the 1100+ deployments Archer has for IT and security risk management, more than 80% utilize compliance processes on the Archer platform. Properly securing internal, third-party, or customer data not only increases operational resilience, but is becoming central to IT compliance. Many IT compliance standards provide strict guidelines and requirements for the collection and storage of personal data, and there are governmental regulations either already enacted or set to take effect that mandate higher data privacy standards. It’s projected that 65% of the world’s population will have its personal information covered under a privacy regulation by 2023, up from just 10% in December 2020 (2).
    Third-Party Regulations and IT Risk
    Regulators increasingly require organizations to perform extensive due diligence both when selecting a third party for a service and throughout the duration of the engagement with the third party. Treating the activities of third parties as an extension of the organization retaining their services is not only required in many jurisdictions, but for information technology services it is sound practice to mitigate risk. The nature of information technology security issues makes third-party compliance particularly important. With physical goods or services, if a third party fails to properly secure their infrastructure, the damage or disruption to operations can be relatively easy to contain. A damaged or stolen shipment of goods could result in reduced capacity to operate, but pales in comparison to the kind of disruption information technology security lapses can cause. An IT security lapse by a third party can result in a cascade of IT systems being compromised. For example, no matter how conscientious the tens of thousands of organizations that used SolarWinds Orion software to manage their information technology stack were with IT security, they were susceptible to risk related to the SolarWinds security breach.
    What Organizations Should Expect from their IT and Security Risk Management Vendors
    More than 70% of Archer customers’ early-stage deployments target IT and security risk management use cases, reflecting the criticality of digital technology and data in achieving their business objectives, which is no surprise given RSA’s reputation for IT security. Risk between departments has become more tightly linked as digital transformation has allowed more and more operations to be controlled with the same systems. The digital transformation that has merged physical operations with information technology is driving the need for greater integration. Ideally, IT and security risks should be managed with the same tools used to manage other forms of risk. An IT and security risk management tool should be able to handle as many risk domains as your organization has to deal with. Most Archer customers don’t stop with one domain of risk; almost 80% of our customers manage multiple domains of risk on the Archer platform. An IT and security risk management solution should offer real-time monitoring and reporting. The speed with which an attack or breach can compromise IT systems means that organizations need to be able to flag and monitor issues in real time. Real-time monitoring tightens the loop, making it easier to address IT security and compliance issues before they become larger problems. But cyberattacks are only one part of the IT risk puzzle. Third-party risk, resiliency, continuity and disaster recovery, compliance, and a whole host of other risk categories affect an organization's overall technology risk profile. Organizations should be using a risk management platform that allows for multiple risk domains to be tracked and managed with real-time reporting. An IT security and integrated risk management platform should drive operational resilience and growth. See how the right IT security risk management tools are protecting organizations and helping them expand in our industry report, “The State of Integrated Risk Management.”
    (1) https://www.rsa.com/en-us/solutions/advance-gdpr-and-privacy-compliance
    (2) Focal Point Insights. Nine Data Privacy Trends to Watch in 2021. December 2020. https://blog.focal-point.com/the-9-data-privacy-trends-to-watch-out-for-in-2021

  • Moneyball and Risk Analytics

    With the World Series wrapping up, it reminded me of Moneyball, a 2011 film based on an account of the Oakland Athletics baseball team's 2002 season and their general manager Billy Beane's attempts to assemble a competitive team. In the film, Beane and assistant general manager Pete Brand, a math whiz straight out of Yale University, were faced with one of the league’s lowest budgets for players, yet they built a team of undervalued talent by taking a sophisticated sabermetric approach to scouting and analyzing players. This approach flew in the face of traditional scouting, made up of men who believed that they could predict a player’s future success simply by observing how well they could hit a ball, throw a pitch, or steal a base. After Beane’s wheeling and dealing for players that fit the mathematical profile, the A’s were reborn, going on to qualify for the playoffs and win the AL West Division with a 2002 regular season record of 103-59, just behind the Yankees for the best record in all of Major League Baseball. What does this have to do with risk management?
    Risk Qualification
    One of the traditional ways of evaluating risks is on a qualitative scale, such as high/medium/low or 1 to 5, much like the typical approach to rating batting, pitching, or stealing bases. However, as David Vose of Archer points out, “when (should) the probability of a risk be described as low? Below 10%? How about very low? Below 1%?” He goes on to say, “Qualitative terms describing risk are far too ambiguous, too difficult to challenge and agree upon, make poor use of available data and do not allow us to work out the most efficient risk management strategy.” This qualitative approach is like the baseball scouts that rated batters as ‘superior’ or ‘average’. Both ways of rating risks and batters are inherently biased. Though these measures are useful under some circumstances, they don’t tell you about the potential impacts in dollars and cents, the terms decision-makers can act on. Billy tells the old-school scouts that they must do something differently if they’re going to win with the salary restrictions they have.
    Risk Quantification
    Billy and Pete took a different, quantitative approach to arrive at the outcome they wanted, which was to win. They calculated the interim goals that would get them there, like the average runs they needed per game, on-base percentage, etc. Then they selected the least expensive or most undervalued players with the right performance metrics that met their criteria, which maximized their budget. Businesses need to make money, turn a profit, and meet revenue goals and market expectations. Executives make decisions every day on business growth strategies, competitive moves, or organizational changes based on the financial benefit or cost. For these executives to evaluate whether they should spend resources to address a risk versus seize a business opportunity, they need to compare the cost and benefit against each other, in “apples to apples” terms. In the simplest terms, what’s the cost and the benefit of the risk? Risk quantification is the art and science of understanding the monetary impacts risks could have on the organization’s goals and strategies. Risk quantification puts risk management into the language executives need to evaluate risks against the business’ strategic and operational goals, and is particularly important when risks are present that threaten the organization’s ability to meet its goals; just look back at the impacts the pandemic had on businesses and industries of all types and sizes. The sabermetric approach to scouting and analyzing players and the quantitative approach to measuring risks both start with the end in mind, and that’s wins and achievement of strategic goals, both of which are why the game is played. For more information on integrated risk management (IRM) and risk quantification, visit archerirm.com.

  • Why Resilient Organizations Consider Risk Beyond Their Four Walls

    No matter where an organization is positioned in a value chain, it will have to contend with risk. Even the most reliable and stable processes experience disruption, whether from natural disasters or an altered compliance landscape. Chaotic upstream challenges, fluctuating downstream capacity, regulations created in response to extreme market conditions, and changing public opinion mean that every organization needs to be prepared for risk beyond its four walls. When more than one vendor exists, there is a tradeoff between the efficiency of using a single third-party supplier or vendor and the threat to operational resilience should that single source be disrupted. However, if there is only one vendor, or if every supplier is disrupted at the same time, the need to include third-party risk in risk management plans becomes clear. There is no possibility of simply switching suppliers or vendors, so the third party’s operational resilience directly impacts your organization. Furthermore, in a digital era when anyone can research the relationships between your organization and the third parties within your organization’s network, the behaviors and practices of those third parties can lead to reputational damage to your organization. See how third-party risk should be woven into an organization’s risk management practices in “The State of Integrated Risk Management.”
    Why You Need to Consider Third-party Risk
    When mitigating risk and creating a culture of integrated risk management, focusing on the domains that are directly answerable to an organization itself is a great starting point. A risk-aware and compliant organization can respond faster during a disruption, leading to increased operational resilience. No matter how robust the internal processes and procedures are, in today’s world no organization can be truly independent. Third-party disruptions can take the form of input scarcity, a lack of qualified personnel to fill positions, softening demand, logistics issues, and even cyberattacks. There simply is no way to completely insulate an organization from third-party risk. As the SolarWinds attacks demonstrated, even something as simple as running a software update can introduce serious risk. SaaS or other cloud services can expose an organization to third-party risk, even if the management and provisioning of the cloud software are performed by industry leaders. An organization that doesn’t integrate the risk posed by third parties into its risk management process remains vulnerable. Moreover, when third-party risk is dismissed or ignored, the threat of disruption cannot be properly quantified, potentially leaving threats unmanaged and opportunities squandered. Visibility into third-party dependencies improves the oversight of products and services provided by third parties and needs to consider the potential business impacts, both positive and negative, of the relationship.
    Third-party Relationships Can Pose Reputational Risk
    The ability to perform due diligence to identify the types of risk third parties pose, monitor third-party activities, and mitigate risks and threats are key elements to managing vendor and supply chain risks. More than one-third of respondents in the 2020 RSA Digital Risk Survey stated that their number one priority regarding vendor and supply chain risk is an approach that integrates third-party risk management with enterprise and operational risk management. The deeply interconnected nature of today’s world hasn’t escaped the notice of end-users either. It is no longer considered credible to treat third-party malfeasance or negative externalities as outside the scope of an organization’s oversight process. Consumers making choices informed by ethical concerns have come to expect organizations to devote resources to third-party monitoring and to enforce higher standards from third-party vendors. Extreme labor conditions at a third-party supplier for a major device manufacturer can quickly redound on an otherwise well-respected organization. The complexity of an enormous web of suppliers and vendors may not insulate an organization from negative public opinion. We recommend organizations implement a programmatic and risk-driven approach to identify, assess, evaluate, treat, and monitor third-party risk, including risk related to third-party employees and their activities.
    Compliance in the Financial Sector and Elsewhere
    During and after the mortgage crisis, the practices of financial organizations that relied upon third-party assessments for credit ratings of investment instruments were called into question. The press and regulators are more often viewing an organization’s relationships with third parties as less of an airtight barrier to ethical and legal concerns than before. When it comes to reputation and regulation, third parties are often seen as an extension of an organization rather than completely independent. Regulators are establishing increasingly higher standards of accountability for the oversight of third-party relationships; therefore, organizations need to consider multiple elements of third-party risk, including financial impacts, resiliency, security, and compliance. The United States Department of Justice has updated its guidance on evaluating corporate compliance to include whether an organization has made a good faith effort to ensure their third-party vendors are compliant (1). Resilience to outside risk is now directly mandated by regulators. Financial institutions must undertake rigorous stress tests that quantify the results of extreme disruption. A financial organization that is found to lack the capital reserves to survive a tested risk is required to either grow its reserves or alter its operational profile to be able to meet the stress-test requirements. We have found that this has become a key concern for many financial organizations. Almost 50% of financial services respondents in the 2020 RSA Digital Risk survey stated a risk-based compliance methodology is the number one priority when it comes to keeping up with regulatory obligations.
    Why Third-party Risks Affect Operational Resilience like Internal Risks
    A consolidated view of all third-party relationships and an understanding of which third parties are most important to ongoing operations provides the ability to scale the number of assessments that can be completed and streamlines response to open issues identified during the assessment process. It is important to start to quantify third-party risks the same way internal risks are measured. This will provide a common framework for analyzing the impact of both internal and external disruptions. The ability to perform due diligence to identify the types of risk third parties pose, monitor third-party activities, and mitigate risks and threats are key elements to managing vendor and supply chain risks. Benefit from our analysis of Archer customers and 20+ years of evaluating risk trends. Download our whitepaper, “The State of Integrated Risk Management”, to discover how to make your organization more resilient by protecting against multiple sources of risk, including those beyond your four walls.
    (1) https://www.justice.gov/criminal-fraud/page/file/937501/download

  • Get Better Business Outcomes with a New Approach to Risk Communication

    Communication plays a vital role in enabling organizations to integrate the concept of risk management into day-to-day operations. Your risk program communication isn’t just a way to manage your reputation and image with third parties, media, and regulators. Being able to effectively communicate risk within the four walls of an organization is a crucial tool for creating a more risk-aware organization in order to optimize your business while managing risk. Communicating risk effectively is a continuous process requiring all parties to articulate not just the sources of risk, but the bottom-line consequences. All involved must be made aware of potential risks, and the lines of communication must always be left open. It isn’t enough anymore to treat risk communication as a simple tick-the-box exercise that only demonstrates process compliance without connecting to the real-world consequences of the risks being communicated. Being able to place hard and fast numbers on the consequences of types of risk allows real-world effects to be communicated in a universal language. This can increase operational resilience by helping to align responses to threats with the goals of the organization. Increasing operational resilience with risk communication is only one part of a mature integrated risk management strategy, which we outline in our whitepaper, “The State of Integrated Risk Management.”
    Communicating Risk across Departments
    Effective communication of operational risk should put specific eventualities in the context of the disruption that could occur. For many organizations, translating risk between departments can be a serious challenge. Traditional tools like qualitative risk analysis try to use subjective terms or visual heat maps to communicate the severity of various eventualities, but this can fall flat when two different domains are being compared. An organization’s reduced ability to operate might mean lost uptime, lower profits, or other negative outcomes. This needs to be quantified and communicated to the personnel that are in a position to mitigate risk. Furthermore, when the likelihood and impact of risk are quantified, it becomes possible to communicate and aggregate the impact of risks to stakeholders without hitting interdepartmental language barriers.
    How Risk Quantification Helps Risk Communication
    Risk management is the core ingredient in mitigating any potential threats to the success of an organization. Threats should ideally be identified and dealt with before their effects can be felt in your project. Risk assessment involves the measurement and analysis of risk to provide concrete information for risk control programs. The process of quantitative risk assessment involves four fundamental steps:
      • Identification of risk and establishment of an applicable mathematical model.
      • Collection of the basic and necessary information or data available via historical records, extrapolation, expert surveys, and so on.
      • Selection of suitable analytical methods and models to evaluate the data, modifying the models for specific circumstances.
      • Definition of the scale and likelihood of risk.
    The process of identifying risk has traditionally been either a top-down exercise or the domain of risk management departments or consultants. New digital tools have made it possible to have front-line personnel communicate emergent risk in real time. Instead of risk communication tools being an output-only means of relaying directives to the front lines, organizations utilizing integrated risk management software can gather information from stakeholders about conditions on the ground. The ability to monitor conditions with real-time reporting from personnel closest to the risks couldn’t come at a better time. Today's challenges require managing a cultural shift from reactively checking the boxes for compliance to a proactive risk management model that necessitates participation across the organization. Instead of front-line workers only identifying risks during an audit or during an emergency, integrated risk management platforms allow for constant communication through every level of an operation. A study by PwC (1) found that organizations that shift risk management responsibilities to the front line were more likely to show profit and revenue growth over the next two years and were able to recover from adverse events more quickly.
    Communication, Compliance, and Management
    Organizations that have established programs in individual domains should be working to expand their risk focus and improve visibility, analysis, and metrics. Finding common processes or data to share is a great first step to bringing together risk management functions and achieving risk maturity. The overwhelming majority of organizations that have begun to use the Archer platform for operational risk management extend their engagement with our tools into compliance management. In fact, 91% of our customers who license operational risk management use cases also license compliance use cases, substantiating the close connection between risk and compliance processes. With a well-established and integrated communication program, stakeholders should understand that they are not just passive participants in an organization's operations. Compliance and risk management are everyone’s responsibility. We recommend organizations establish formal processes for stakeholders to understand and manage changes that may affect the organization’s compliance, including how new and changing activities may impact the organization’s obligations. We also recommend organizations implement controls based on issues or gaps identified via the compliance process to reduce risks and prevent compliance issues from happening again. New technologies can provide a tight connection between issues being identified on the ground and organizational responsiveness. A technology-enabled approach to building operational resilience across the organization will transform the efficiency of your incident, crisis, and recovery teams. By knowing the most critical areas of the business and effectively handling day-to-day incidents, you can respond swiftly in crisis situations to protect your ongoing operations. The last year has shown just how rapid changes in operational risk and regulatory compliance can be.
    Fitting Risk Communication into an Overall Integrated Risk Management Strategy
    Without the ability to effectively and efficiently address increasing risk, organizations struggle to respond to business risks and miss opportunities to capitalize on growth or to meet other strategic objectives. That’s why organizations need to focus on achieving operational resilience through integrated risk management. Benefit from our 20+ years of industry leadership knowledge. Get our whitepaper, “The State of Integrated Risk Management”, today to discover how your organization can break down communication silos to better mitigate disruptions and thrive through an evolving risk landscape.
    (1) PwC. 2020. PwC 2020 Global Risk Study. [online] Available at: <https://www.pwc.com/us/en/services/consulting/risk-regulatory/library/2020-global-risk-study.html/> [Accessed April 12 2021].

  • Impact of the ISSB Announcement at COP26 for ESG and Risk Management

    At the UN Climate Change Conference COP26 in Glasgow, the IFRS Foundation announced the creation of the International Sustainability Standards Board (ISSB). While this announcement was not necessarily a surprise, as there was considerable support for the move, it is a clear indicator of the acceleration in the production of ESG standards. For the risk management community, the effort underscores the importance of the core pillars as defined by the Task Force on Climate-related Financial Disclosures (TCFD): governance, strategy, risk management, and metrics and targets. This is also reflected in many of the conversations we are having with customers on ESG. In addition to representatives from investor relations, corporate affairs, communications and the various sustainability leads, we are seeing a growing, strong presence of risk functions in ESG strategies.

    The biggest challenge for organizations is the tsunami of demands and queries from a variety of stakeholders, investors in particular. However, with the consolidation of standards indicated by the announcement, the path towards a combined reporting structure, with both financial and non-financial information, may help alleviate some of this pressure. Organizations need to take steps now to prepare for this convergence. For organizations gathering information manually through hundreds of spreadsheets, there is time to transition to systems that allow you to substantiate ESG reporting at the top level, proving your viability going forward. Producing a report is only the first step. Operationalizing ESG data, exposing it to business operations to drive action, is the critical step to drive accountability, improve visibility, collaborate on issues, and build efficiencies in remediation efforts. In other words, it takes an integrated risk management approach to establish the common language and taxonomy needed to effectively prioritize action.

    Archer, as a leader in integrated risk management capabilities, provides an onramp to not only address ESG efforts today, but also fold that effort into the broader risk management strategy for the future. The announcement reiterates that ESG efforts are a business issue, not just a regulatory issue. Of course, there are regulations organizations must comply with, but ESG, at its core, is about the imperative to demonstrate to all stakeholders the viability of the business and that it can perform and prosper going forward. Watch Peadar Duffy and Steve Schlarman discuss the announcement. Learn more about how Archer ESG enables you to measure, quantify, assess, and report ESG readiness across your organization and global supply chain.

  • Third-Party Risk Management – Who’s on First?

    Are you familiar with the "Who's on First?" comedy routine made famous by Abbott and Costello? The premise: Abbott is identifying the players on a baseball team for Costello, but the players' names create confusion. For example, Costello asks Abbott the question "Who's on first?" The first baseman's name is Who, so Abbott simply replies "yes," confusing Costello, who thought Abbott wasn't answering his question. This goes on and on with the unlikely and confusing names of all the players on the team. While this is a funny scenario for comedy, similar scenarios are problematic for organizations that rely on or are part of a complex and extensive supply chain or third-party ecosystem. Third-party ecosystems can often feel like "Who's on First?" due to a multitude of players with changing roles, not to mention constantly evolving supply chains.

    Supply chains are critical in the successful creation and flow of products, services, and related information. There are different types of supply chains depending on the industry (retail, building products, healthcare, oil and gas, the seed industry, grocery stores and timber production), each with different objectives and risks. Supply chain management has evolved significantly, from simply keeping track of things and trying to manage the flow, to extremely complex systems that are subject to rapid adjustment across participant networks. Managing supply chains today requires understanding the diverse roles of supply chain members, their interactions, and the transaction models they use. Optimizing these flows for timeliness, yield, cost, and a host of other objectives is complex. Add a variety of supply chain risks into the mix and you've got potential chaos if it is not managed effectively. Third-party or supply chain risks typically include inaccurate forecasting, manufacturing shortfalls or surpluses, competition, single points of failure across the supply chain, and more.

    The past two years have introduced even more risks into supply chains due to drastically changing supply and demand, workforce disruption, logistical logjams, and geopolitical impacts. All of this has turned traditional supply chain risk modelling on its head. In addition, the increased impact of environmental, social and governance (ESG) risks is causing organizations and their suppliers to reconsider their impacts on the world and shift from a do-no-harm to a do-net-good approach. Supply chain resilience is also a quickly emerging topic, brought to light during the pandemic, that everyone should seriously consider.

    So how do organizations deal with the complexity their supply chains represent, effectively manage the risks, and ensure resilience? If we go back to Abbott and Costello's skit, it's all about knowing who is on first, second and third base. One way that is done is with more effective and agile third-party risk and resilience management. Here are a few steps to consider:

    Understand your third parties. Break down the myriad of suppliers you have by performing business impact analyses and determining which of your third parties are most important by virtue of the products and services of yours they support. This allows you to prioritize your suppliers by criticality. Your third parties must also identify their third parties (your fourth parties), and their third parties do the same, and so on. The dependencies can be complex but are critical to identify and understand.

    Set common objectives. Risk and resilience management cannot be done effectively in organizational silos with different goals and approaches. It is very difficult to manage inter-related risks or build resilience inside your organization and across your supply chain if you do not set a foundation of common goals, approaches, and so on between your company and your third parties. This foundation gets your internal teams on the same page and also sets the direction for your suppliers to do likewise.

    Identify potentially disruptive scenarios. Managing supply chain risk and building resilient third-party ecosystems requires knowing what could disrupt your business and your third parties. These could be individual risks or threats, but also those "perfect storms" or disruptive scenarios, a pandemic being the perfect example. It is critical to identify these risks, understand their potential impact on your organization, and determine whether that impact is acceptable.

    Take corrective action. All this analysis will drive you toward gaps that need to be addressed: controls that should be implemented, recovery plans that should be drawn up and tested, and risks to be mitigated. These corrective actions represent the necessary improvement between your current state and required state, and they should be assigned ownership, tracked, brought to conclusion, and measured.

    Monitor and measure. You cannot improve what you don't measure, so it is important to translate your goals, risk tolerances, and business objectives into key risk, resilience, and performance metrics you can track, measure, and monitor. Executive and program dashboards are powerful tools to paint a picture of your supply chain at each level of risk and resilience.

    Putting effective third-party risk and resilience measures like these in place helps clarify "Who's on First," second, and third, and helps you hit a home run in harnessing the power of your supply chain to achieve your business objectives. For more information about how Archer can help you with third-party risk management, visit archerirm.com.

  • Operational Resilience is Necessary to Thrive Amid Disruption

    The world is fast becoming a more turbulent place, and disruptive events are occurring more frequently and are less predictable, as the following McKinsey study shows. The recent public health crisis, coupled with a consistent increase in cyber-attacks, natural disasters, geopolitical conflicts and a myriad of other events, is causing organizations to reflect on the need to evolve from just being recoverable to becoming resilient: the ability to absorb disruption and not only continue to deliver on strategic objectives, but to quickly adapt and prosper.

    Surviving disruption is not the only reason to build a resilient organization; operational resilience is a required trait in business today. Competition is fierce, shareholders require consistently strong returns, and the public and many investment funds demand that organizations be socially conscious and actively engaged in contributing to the greater good. As a result, organizations can't afford to operate in a reactive mode; these demands require that organizations be resilient. Resilience is good business practice, as illustrated by a McKinsey study performed after the 2007 financial crisis, which showed that resilient organizations emerged from the crisis more quickly and stronger and not only outperformed non-resilient organizations but also the S&P 500 index well after the recovery period. A Harvard Business School study broke resilience down into attributes that include being adaptable, prioritized, data-driven, aligned and continuously improving. These attributes contribute to being a well-performing organization.

    Building a resilient organization focuses on what the organization does to provide products and services to its end customers, and on the interdependencies involved. Organizations quickly learn that building resilience across an intricate, interconnected organization with many interdependencies is complex and expensive. The challenge is not to create more cost as you build resilience but to develop an approach that provides a return on investment on your efforts over the short to medium term. In this respect, building resilience must be somewhat self-sustaining. Risk management is also an integral part of building a resilient organization because, as new risks emerge, the organization must be prepared to identify, assess, treat and monitor them and their effects on the organization.

    Turning the strategic objective of building a resilient organization into real results can be a challenge. It takes executive focus and a programmatic approach that aligns risk, resiliency, compliance, and third-party management teams and drives active participation across the organization. The underpinnings include prioritization, planning, coordination, engagement, and constant improvement to drive the actions that will result in building a resilient organization. Learn about how the Archer Operational Resilience solution can help you build a resilient organization.
