
  • Archer’s Financial Services User Group: Q1 Updates

    Archer recently hosted a virtual Financial Services User Group (FSUG) event for current and prospective Archer customers. The participants were provided an opportunity to hear from our CEO, Bill Diaz, as well as get a sneak peek into the Archer Product Roadmap with Wes Loeffler from our Product Management team. Following a brief update on the upcoming Archer Summit, the event concluded with a panel discussion on hot topics facing the Financial Services industry.

    As Archer continues to expand its brand dominance in the GRC/IRM space, we have recognized the need to make it easier for all parties to be involved in the risk management process. It is in this light that Mr. Diaz introduced Archer Engage. Archer Engage delivers a role-based user experience for business users across the organization, and the SaaS-based interface does not require access to the corporate network. From external parties, such as Archer Engage for Vendors, to first-line users involved in periodic risk assessments, and up to the Executive and Board level with risk summaries and “heat maps”, Archer Engage will be the primary point of access for “light” users across the organization. And whether you’re using a PC, tablet, or smart phone, Archer Engage will right-size to the applicable technology.

    The FSUG then turned its focus to the Archer Product Roadmap. Operational Resiliency has been a tremendous challenge across all industries in 2020 and into 2021, and the financial services industry is certainly no exception. Three of the primary drivers for operational resiliency were discussed: threats like COVID-19; the constant threat of cyber-attacks; and disruptive incidents due to third parties. As a result, regulatory agencies have increased their expectations in this area to include:

      • Determine critical business products & services
      • Identify any internal resources and third-party dependencies supporting critical products & services
      • Define impact tolerances
      • Perform scenario testing and take corrective actions
      • Complete a regular self-assessment

    In response to the heightened scrutiny by regulators on operational resiliency, the Archer Product Management team is proposing enhancements in three of Archer’s solution areas:

      • Business Resiliency
      • Enterprise and Operational Risk Management
      • Third Party Risk Management

    We feel the proposed enhancements in these areas will position our customers to address operational resiliency in a manner that will not only satisfy the regulators, but will also provide Executive Management and the Boards of Directors comfort that their company is prepared to address any potential disruptions to its operations.

    Patrick Potter, Archer Risk Strategist, provided the participants an update on Archer Summit 2021, planned for September 13-15 in Orlando. This event will be both virtual and in-person to provide everyone the opportunity to attend. We encourage all our customers to attend this event and even consider participating as a speaker. This is a fantastic opportunity to network with your peers and learn how other companies are utilizing Archer for their integrated risk management needs. To learn more about this event, please check out the link at https://www.thearchersummit.com/.

    The Q1 Archer Financial Services User Group concluded with a panel discussion of hot topics in the Financial Services industry. The panelists included Tim Carbery, Managing Partner at CastleHill Managed Risk Solutions; Shelley Migliore, Archer Presales Systems Engineer; and Blake Murphy, Archer Strategic Business Development Manager. Mr. Carbery provided insights from a professional services perspective on challenges firms are facing in addressing operational resiliency. Of particular interest was the discussion on the recent interagency paper, “Sound Practices to Strengthen Operational Resilience”, and how firms are reacting to changes in business resilience expectations from management, regulators, and customers. Mr. Murphy followed these comments with a discussion of why two recent studies from Big 4 Accounting & Consulting firms identified change management as the No. 1 regulatory challenge for financial services in 2021. From a practical standpoint, he also spoke to a few of the primary challenges financial institutions face in operationalizing regulatory change management. Ms. Migliore responded with the following questions to be considered when defining a regulatory change management program:

      • What are common structures for regulatory change management programs (centralized, decentralized, etc.), and is this influenced by the type of risk management program or culture?
      • What are some mechanisms for filtering the “right information” when monitoring regulatory and industry sources, and how do we help to avoid information overload?
      • Are Financial Institutions leveraging tools or partners for implementing regulatory change management programs or responses?

    We had a great turnout and a number of interesting questions throughout the session. If you’d like to explore further how Archer is helping customers with their unique paths to Operational Resiliency, take a look at this eBook. Also, please review our website at www.ArcherIRM.com, where you can find links to all of our solutions, including Archer’s approach to Regulatory & Corporate Compliance Management.

  • Exploring the Evolution of Business Continuity and Resiliency

    I recently had the pleasure of hosting a webinar in conjunction with the DRJournal to discuss lessons learned from the year 2020 as it relates to Business Continuity and overall Operational Resiliency. To say last year brought many lessons learned would be a huge understatement . . . surely too many to explore in a one-hour webinar. But like any lesson, the impact relies heavily on the ‘teachers’ . . . and in this case I was fortunate to have the expertise of two seasoned practitioners, Stacey Jonasen from Franklin Templeton and Patrick Potter, currently with Archer but a former Business Continuity Management professional with leading companies in both the airline and hospitality industries. Here are a few areas we explored.

    The Value of a Head Start

    As we prepared for the webinar, what struck me was how well prepared Franklin Templeton seemed overall to respond quickly to the immediate impacts of the pandemic. What came to light as we explored that is that in reality many of the actions needed in those early days were well understood, tested and often operationalized in terms of enabling a remote workforce and other aspects of critical business operations. This is because Franklin Templeton had been actively executing a plan for broad business transformation. This idea of business or digital transformation already underway giving some companies a head start in responding to the disruption was familiar to me . . . in a survey conducted in mid-2020 we found a very similar reality for many organizations. These points were discussed at length, including the sharing of market data points reinforcing specific areas of transformation that were 1) impactful in responding to the pandemic; and 2) are being impacted by organizations reassessing post-pandemic.

    Common Destination with Uncommon Starting Points

    It of course was no accident that we looked to drive the discussion of 2020 lessons learned towards the topic of Operational Resiliency. It’s difficult these days to get in and out of any customer or partner conversation without the concept coming up . . . so it would seem one uber lesson learned for many organizations is, in simple terms, “OK we survived that, but we can do better.” And the area in which our experts agreed most organizations want to do better is an advanced understanding of how modern, agile businesses and all of their interdependencies can coordinate and collaborate more effectively in the event of a disruptive occurrence.

    Agility Will Continue to be Key

    We all had to be agile in 2020, in our personal and our work lives. And our experts highlighted that for organizations looking to learn from last year and improve on their ability to respond and reduce operational impacts, a key aspect of agility will be that of the technology they use to share information and drive data-driven decision making. Specifically, Stacey spoke to the challenges facing Franklin Templeton in those early days, saying “all 40 crisis management teams active at one time. We have a corporate team, site based teams and business recovery teams. We’ve never had to support all of them at one time.” She then highlighted how they used Archer to get these disparate teams coordinated across the pandemic response process.

    We had a great turnout and a number of interesting questions at the end of the session, highlighting to me that the topic of Operational Resiliency is, itself, resilient. But it also doesn’t have to be intimidating or thought of as only relevant to those facing immediate regulatory pressures and/or well down a maturity path on Risk Management. Again, I encourage you to listen to the What 2020 Taught Us About Risk and Resiliency webinar recording, or if you’d like to explore further how Archer is helping customers with their unique paths to Operational Resiliency, take a look at this eBook.

  • Third Party Risk Management: You can get there from anywhere

    Third parties add a layer of complexity and risk that can lead to many different types of disruptions and business impacts. Organizations are becoming a complex tapestry of products and services, processes and technologies provided by third parties, and this complex and changing ecosystem makes it increasingly difficult to manage risk clearly. The recent SolarWinds breach is an unfortunate event that highlights the challenge organizations face today in the combination of cyber-attacks and third party risk. This event highlights three major areas of IT, security and risk management:

      • Organizations must be constantly vigilant for cyber-attacks from many different threat vectors and actors.
      • Organizations must understand vendor and supply chain relationships, including not only suppliers of components of their products and services but also software and IT services providers.
      • Business resiliency, including continuity and crisis management, must be ingrained in the organization to deal with a wide variety of events, from physical events to IT disruptions.

    In this example, the connection between different dimensions of risk management is evident. Unfortunately, third party risk management can be a resource challenge. As your organization spreads its connections to outside parties, inherited risks become a significant issue. Organizations struggle to efficiently manage and govern these third parties because traditional methods aren’t scalable. Many times, third-party relationships introduce unpredictable, inherited risks that can lead to surprises and potential losses. When third-party oversight is managed differently across an organization, it creates gaps due to inconsistencies when identifying, assessing, and managing risk from the third parties. Finally, with inconsistent and incomplete governance processes, organizations cannot get a complete and accurate view of the risks introduced by third parties to their organization.

    Fundamental to the strategy of dealing with third party risk is a clear view of your third-party ecosystem, such as vendors, consultants, and service providers. Formalizing third party risk management via integrated processes enhances all of risk management. Better yet, resources can be focused on the most important and impactful activities. When we look at Archer customers, enterprise and operational risk management is a prevalent entry point for third party risk management. Our customers who own enterprise and operational risk management use cases are almost twice as likely to own third party governance use cases. IT and security risk management use cases are another adjacency we see. Almost 40% of our IT and security risk management customers also own third party use cases.

    As regulators are establishing increasingly higher standards of accountability for the oversight of third-party relationships, expanding your strategy to third party risk management is especially pertinent. While many organizations have some programs or risk assessment processes in place related to third party risk, the wide spectrum of potential business impacts requires organizations to take a step further towards third party governance. Enterprise and operational risk, compliance or IT risk programs are excellent steppingstones to begin integrating third party risk management efforts. If your organization is struggling with any kind of supply chain or third-party disruption, read our short paper on suggestions to refocus your organization on the basics of vendor and third-party risk management. In addition, you can read this complimentary Gartner report: “Monitor Key Risk Criteria to Mitigate Vendor Failure.”

  • Operational Resiliency: Where do you start?

    If 2020 didn’t heighten organizations’ awareness of the importance of resiliency, I am not sure what would. The disruptions experienced in 2020 highlight the need for resiliency to be baked into business operations. Technology has clearly demonstrated its value in keeping organizations resilient in the face of change and ahead of the competition. Nearly 75% of respondents in RSA’s Digital Risk Survey expect their digital initiatives to accelerate due to the disruptions and shifts we saw this year. Unsurprisingly, 75% of respondents in that same survey stated their organization’s risk profile will expand over the next two years. Invariably, the conversation at the top of your organization to innovate, optimize or expand your business quickly shifts to discussing risk. And resiliency is right in the heart of that discussion.

    For Chief Risk Officers or Chief Information Security Officers, resiliency is no stranger. Resiliency is a big part of managing risk. 2020 spurred the full spectrum of risks that are on the radar of the CRO office, ranging from massive market shifts to supply chain interruptions to disruptions in business operations. We also know full well how IT and security events can lead to disruption. If the teams that focus on continuity, recovery and crises are not plugged into your security and risk management strategies, it is time to cross the bridge. Resiliency efforts must follow the changing landscape of your operational risks, prioritizing efforts on the right parts of your business. Continuity and recovery processes also must be aligned with your IT and security risk strategy. Leveraging information across IT and security and continuity/recovery plans to prioritize activities can cut to the chase when it comes to knowing what systems are important to the business. For the teams that focus on resiliency, plugging into what the risk and security groups are doing can make resiliency efforts better – and cheaper. Plus, sharing data can create insight into the bigger picture of IT and operational risk.

    Archer customers are no exception. They understand how these functions flow into each other. 70% of our customers who own enterprise and operational risk management use cases also own our business resiliency solution. In addition, the combination of IT and security risk management use cases with business continuity and disaster recovery use cases is evident: an IT and Security Risk Management customer is 2.4 times more likely to own resiliency use cases.

    The synergy between operational risk, IT risk and resiliency programs is self-evident. IT and security events can lead to many different types of disruptions and crises. CISOs are oftentimes also responsible for continuity or disaster recovery. In addition, the intersection of resiliency efforts and risk processes can assist the multiple teams to understand business impacts, criticality of business operations and control effectiveness. If you are looking for a place to start on improving operational resiliency, start at the crossroads of your risk, security and continuity/recovery programs.

    Building operational resiliency has become a priority for organizations across industries in recent months. Read our short briefing on five key principles for building an operational resiliency program designed to help your organization maintain critical processes and minimize any negative financial impact from crisis events.

  • What 2020 Taught Us About Risk and Resiliency

    By most accounts, we are closing in on exactly one year removed from the timeframe when COVID-19 transitioned from a regionally-focused concern to a health crisis of global scale and consequence. For those of us that are part of the risk management community, we have all been trained to think about risks on some basic level through the lens of likelihood and impact. COVID-19 was obviously not history’s first pandemic, but it was unique and taught us that likelihood, however low, has no ‘floor’ such that risks with large-scale impact can go unmanaged. Adding pressure to this equation is the pace with which the impact of the pandemic was felt, not only due to the rapid spread of the virus itself, but also the level of interdependency built into modern businesses.

    The new realities can be vividly seen in the input of top executives in their assessment of key priorities for the business in 2021. Survey after survey of business leaders exhibits some consistent views:

      • Businesses must learn to be more resilient to broad, sweeping changes that can force a shift in both strategic focus and operational execution
      • This heightened level of resiliency can come only with effective enterprise-wide operational risk management
      • A high digital IQ and the use of advanced analytical capabilities can be a force multiplier in their ability to predict, respond to, and recover from such disruptions

    Obviously, Business Continuity Management (BCM) has long been an element of organizations’ risk programs, but some approaches let us down through this pandemic. The typically siloed nature of BCM plans, each having some boundary (geography, business function, etc.), did not support businesses’ needs to recover in concert from an event as sweeping as COVID-19. And through that shortcoming they have fueled what we see as an active dialogue around the concept of Operational Resiliency—the idea of a plan for continuity and resiliency that is more conscious of the interdependencies within and across businesses.

    As we consider the past as momentum to drive change for the future, it’s important to be sure we have a handle on lessons learned, including some areas where we saw success this past year in adapting to change and applying technology to adjust critical operations. As hard as 2020 was in so many ways, one redeeming element was observing several customers leveraging Archer to provide agility within acceptable boundaries of risk.

    For example, a nonprofit health system supporting more than 1,500 doctors and 250,000 patients across 6 states needed to address a complicated physician licensing and credentialing situation in response to a spike in demand. To secure temporary licenses for each physician in each state, this customer used Archer to quickly build a solution to collect and track physician information and licensing. They documented and built workflow for a chain of review/approval all the way up to the Chief Licensing Officer, and also automatically created an audit trail for historic reference. This flexibility greatly enhanced this customer’s ability to meet the urgent and expanding needs of COVID-19 patients.

    A second example comes from one of the largest family-controlled commercial banks in the United States, with over 500 branches across 19 states and $39 billion in assets. Their extensive ecosystem of suppliers needed to be quickly assessed in terms of risk for maintaining branch operations. Additionally, bank employee services and working capabilities needed to be assessed to ensure operations in a remote working environment. Archer’s Third-Party Risk solution was leveraged to quickly tailor assessment needs and gather critical information from suppliers that, when combined with business impact analysis, allowed the customer to understand vendor criticality and adjust plans accordingly.

    Both of these examples are of course rewarding for me . . . seeing customers apply the capabilities of Archer in times of great stress gives a higher purpose to what we do. But they also tie to three existing trends in risk management that I see being fueled by the challenges of 2020.

      • Accounting for the complex interdependencies that make up modern businesses. By now it’s understood that most businesses rely on an expansive ecosystem to deliver goods and services. A new urgency is shifting focus from cataloguing third parties towards enabling a more proactive, ongoing assessment of vendors and the operational or regulatory risk they pose.
      • The opportunity presented by leveraging technology platforms that truly understand risk. If ever there was an area of risk management ripe for the benefits of a consolidated platform for assessing and managing risk, it would be BCM. The gaps that 2020 exposed in organizations are one of the reasons we see leading analysts and other experts predicting that as BCM programs transform, many will move into an Integrated Risk Management (IRM) platform to better support responsiveness.
      • The value of peer insights that reside collectively within the risk management community. Within the Archer team we’ve been doing a great deal of research around the over 1,300 deployments of our technology, and how intersections across certain risk domains tend to correlate to higher measures of risk management maturity. 2020 created many opportunities for our team to apply that collective knowledge to help customers respond to new challenges.

    These three take-aways from the events of 2020 remain very much on the minds of the team at Archer, and will be areas where in 2021 we look forward to continuing to work closely with customers and the risk management community to advance us all on the journey towards greater operational resiliency. Read our Key Principles in Building Operational Resiliency whitepaper to learn from Archer experts about how to transform from business continuity to broader operational resiliency.

  • Ahead in the Clouds: A Simplified Approach to Managing Risk

    As businesses chart a path into the next phase of the new normal, they face a myriad of risk management challenges. For some, settling into a future of full-time remote working is leading to a re-think on business process and cyber risk. For others, the complex task of transitioning employees back to physical locations means juggling safety, business continuity and regulatory requirements. For others still, monitoring the health and well-being of onsite employees and ensuring strict social distancing measures at physical sites is creating a significant burden. Bundle that with the emerging business priorities that include minimising costs, running “lean” and simplifying operations, and leaders now have a lot to deal with. By the way – you may not be able to leave your house to achieve any of this.

    With businesses rapidly shifting to digital to engage their customers and shifting to Software-as-a-Service (SaaS) to embrace cost savings and simplicity, it’s time risk teams do the same. With that in mind, I’d like to present to you the business case for Archer SaaS, an integrated risk management (IRM) solution delivered securely and efficiently in the cloud.

    Why Digital for Risk Management?

    Regardless of which “next normal” challenge you are working on right now, the one constant is that our operational business environment is going to continue changing. With the health crisis demanding a new approach for business operations, it’s obvious we also need a re-think on how to manage risk. With the move to remote working, there are no more water-cooler moments, corridor conversations or café catch-ups. Like it or not, these were important engagement channels for the risk team and often helped them pick up on emerging issues and problems “on the ground.” Archer believes that technology has a role to play in helping you engage your business on emerging matters that might otherwise go unreported – especially when those matters can’t simply “walk” into your office.

    Having a digital solution in place that can underpin, standardise and automate elements of the organisation’s risk framework, while enabling rapid change, will be critical for any organisation that is serious about managing risk. Archer is built on these principles. Having a simple, approachable portal that makes it easy to engage the business in risk and compliance matters will be critical for bridging the gap created by remote and dispersed workforces. Whether it’s simple activities like reporting incidents, issues or ideas, or more sophisticated tasks like completing Risk & Control Self Assessments, Archer SaaS makes it easy to deliver your risk methodology in any location – be it home, office or on the road. Furthermore, being able to use the platform to integrate with other internal systems to automatically derive risk insights helps risk teams further bridge this gap. Archer provides the tools and techniques to ingest, analyse and report insights to the right people so that action can be taken. In short, Archer allows risk teams to extend their reach and support a positive risk culture in this increasingly virtual business environment.

    Why SaaS for Risk Management?

    SaaS offerings eliminate many of the costly and time-consuming activities associated with implementing and running business applications on-premises, such as purchasing and deploying hardware, administering upgrades and patching systems. Risk teams can achieve faster time to value with the rapid set-up and deployment that a SaaS model brings, compared to the significant lead times associated with getting your own infrastructure up and running on-premises. Second, risk teams don’t have to wait for upgrades or for access to new, efficiency-boosting and experience-enhancing features. With SaaS offerings, upgrades are seamless and regularly scheduled, giving risk teams and business users the ability to access the latest features and capabilities more quickly.

    Equally important, SaaS solutions generally scale more readily than on-premises applications. This is essential for the many organisations needing to rapidly provision access to their dynamic workforces. There is no need to have IT deploy and configure additional servers to accommodate more users or configure remote access. The fact that the solution is cloud-based means it’s accessible from anywhere, helping you extend your reach not just to your remote workforce, but to your extended enterprise of third-party suppliers. In short, Archer SaaS allows risk teams to focus on managing risk, rather than IT infrastructure.

    But, is SaaS for Me?

    The common questions I receive from risk and compliance leaders include:

      • “Will a SaaS solution comply with requirements for local data storage?”
      • “Will it be as configurable as an on-premises system?”
      • “What happens if a SaaS provider experiences an outage?”

    While it’s true that data storage and configuration can be issues for some SaaS providers, Archer SaaS offers an Asia-Pacific-based (Australian) hosting option and maintains the robust configurability that customers have come to expect from the Archer on-premises offering. We’ve been doing this for more than 10 years and have customers from all around the world, including Asia-Pacific, running Archer in the cloud already.

    In a Time of Crisis, Archer Can Help

    Amid an unprecedented global disruption, Archer has helped customers globally adapt to their next normal. For example, when a large health insurance provider needed to activate its business continuity plan to quickly make risk-based decisions across its IT, supply chain and workforce, they relied on the Archer Integrated Risk Management Suite. This customer was able to automate workflow and quickly analyse employee, process and risk data to execute its business continuity plan, order necessary equipment and prioritise how and when to activate appropriate recovery strategies. Customers from Asia-Pacific have shared that having access to updated business impact analysis (BIA) information has helped them more confidently and effectively respond to the disruption itself, and the ability to keep their risk and compliance processes running during the crisis has been beneficial.

    Embracing SaaS for IRM can bring agility, simplicity and cost flexibility. At Archer, we are proud to support many of our customers’ journeys to IRM maturity and to the cloud with Archer SaaS. Contact us to learn more about Archer SaaS.

    Sam O’Brien is the Director of integrated risk management for Archer APJ.

  • Moneyball and Risk Analytics

    With the World Series wrapping up, it reminded me of Moneyball, a 2011 film based on an account of the Oakland Athletics baseball team's 2002 season and their general manager Billy Beane's attempts to assemble a competitive team. In the film, Beane and assistant general manager Pete Brand, a math whiz straight out of Yale University, were faced with one of the league’s lowest budgets for players, yet they built a team of undervalued talent by taking a sophisticated sabermetric approach to scouting and analyzing players. This approach flew in the face of traditional scouting, made up of men who believed that they could predict a player’s future success simply by observing how well he could hit a ball, throw a pitch, or steal a base. After Beane’s wheeling and dealing for players that fit the mathematical profile, the A’s were reborn, going on to qualify for the playoffs and win the AL West Division with a 2002 regular season record of 103-59—just behind the Yankees for the best record in all of Major League Baseball. What does this have to do with risk management?

    Risk Qualification

    One of the traditional ways of evaluating risks is on a qualitative scale, such as high/medium/low or 1 – 5, the risk-management equivalent of the scout’s eye for batting, pitching or stealing bases. However, as David Vose of Archer points out, “when (should) the probability of a risk be described as low? Below 10%? How about very low? Below 1%?” He goes on to say, “Qualitative terms describing risk are far too ambiguous, too difficult to challenge and agree upon, make poor use of available data and do not allow us to work out the most efficient risk management strategy.” This qualitative approach is like the baseball scouts that rated batters as ‘superior’ or ‘average’. Both ways of rating risks and batters are inherently biased. Though these measures are useful under some circumstances, they don’t tell you about the potential impacts in dollars and cents, the terms decision-makers can act on. Billy tells the old-school scouts that they must do something differently if they’re going to win with the salary restrictions they have.

    Risk Quantification

    Billy and Pete took a different, quantitative approach to arrive at the outcome they wanted, which was to win. They calculated the interim goals that would get them there, like the average runs they needed per game, on-base percentage, etc. Then they selected the least expensive or most undervalued players with the right performance metrics that met their criteria, which maximized their budget.

    Businesses need to make money, turn a profit, and meet revenue goals and market expectations. Executives make decisions every day on business growth strategies, competitive moves or organizational changes based on the financial benefit or cost. For these executives to evaluate whether they should spend resources to address a risk versus seize a business opportunity, they need to compare the cost and benefit against each other – in “apples to apples” terms. In its most simple terms, what’s the cost and the benefit of the risk? Risk quantification is the art and science of understanding the monetary impacts risks could have on the organization’s goals and strategies. Risk quantification puts risk management into the language executives need to evaluate risks against the business’ strategic and operational goals, and is particularly important when risks are present that threaten the organization’s ability to meet its goals – just look back at the impacts the pandemic had on businesses and industries of all types and sizes.

    The sabermetric approach to scouting and analyzing players and the quantitative approach to measuring risks both start with the end in mind, and that’s wins and achievement of strategic goals – both of which are why the game is played. For more information on integrated risk management (IRM) and risk quantification, visit archerirm.com.

  • Why Resilient Organizations Consider Risk Beyond Their Four Walls

    No matter where an organization is positioned in a value chain, it will have to contend with risk. Even the most reliable and stable processes experience disruption, whether from natural disasters or an altered compliance landscape. Chaotic upstream challenges, fluctuating downstream capacity, regulations created in response to extreme market conditions, and changing public opinion mean that every organization needs to be prepared for risk beyond its four walls. When more than one vendor exists, there is a tradeoff between the efficiency of using a single third-party supplier or vendor and the threat to operational resilience should that single source be disrupted. However, if there is only one vendor, or if every supplier is disrupted at the same time, the need to include third-party risk in risk management plans becomes clear. There is no possibility of simply switching suppliers or vendors, so the third party’s operational resilience directly impacts your organization. Furthermore, in a digital era when anyone can research the relationships between your organization and the third parties in its network, the behaviors and practices of those third parties can lead to reputational damage to your organization. See how third-party risk should be woven into an organization’s risk management practices in “The State of Integrated Risk Management.” Why You Need to Consider Third-party Risk When mitigating risk and creating a culture of integrated risk management, focusing on the domains that are directly answerable to the organization itself is a great starting point. A risk-aware and compliant organization can respond faster during a disruption, leading to increased operational resilience. But no matter how robust the internal processes and procedures are, in today’s world no organization can be truly independent.
Third-party disruptions can take the form of input scarcity, a lack of qualified personnel to fill positions, softening demand, logistics issues, and even cyberattacks. There simply is no way to completely insulate an organization from third-party risk. As the SolarWinds compromise demonstrated, even something as routine as installing a vendor’s software update can introduce serious risk: the malicious code reached customers inside legitimately signed updates of the vendor’s own product, so the usual checks on an update’s origin did not help. SaaS or other cloud services can expose an organization to third-party risk even when the management and provisioning of the cloud software are performed by industry leaders. An organization that doesn’t integrate the risk posed by third parties into its risk management process remains vulnerable. Moreover, when third-party risk is dismissed or ignored, the threat of disruption cannot be properly quantified, potentially leaving threats unmanaged and opportunities squandered. Visibility into third-party dependencies improves the oversight of products and services provided by third parties and needs to consider the potential business impacts, both positive and negative, of the relationship. Third-party Relationships Can Pose Reputational Risk The ability to perform due diligence to identify the types of risk third parties pose, monitor third-party activities, and mitigate risks and threats are key elements of managing vendor and supply chain risks. More than one-third of respondents in the 2020 RSA Digital Risk Survey stated that their number one priority regarding vendor and supply chain risk is an approach that integrates third-party risk management with enterprise and operational risk management. The deeply interconnected nature of today’s world hasn’t escaped the notice of end users either. It is no longer considered credible to treat third-party malfeasance or negative externalities as outside the scope of an organization’s oversight process.
Consumers making choices informed by ethical concerns have come to expect organizations to devote resources to third-party monitoring and to enforce higher standards on third-party vendors. Extreme labor conditions at a third-party supplier for a major device manufacturer can quickly rebound on an otherwise well-respected organization. The complexity of an enormous web of suppliers and vendors may not insulate an organization from negative public opinion. We recommend organizations implement a programmatic and risk-driven approach to identify, assess, evaluate, treat, and monitor third-party risk, including risk related to third-party employees and their activities. Compliance in the Financial Sector and Elsewhere During and after the mortgage crisis, the practices of financial organizations that relied upon third-party assessments for credit ratings of investment instruments were called into question. The press and regulators increasingly view an organization’s relationships with third parties as less of an airtight barrier to ethical and legal concerns than before. When it comes to reputation and regulation, third parties are often seen as an extension of an organization rather than as completely independent. Regulators are establishing ever higher standards of accountability for the oversight of third-party relationships, and therefore organizations need to consider multiple elements of third-party risk, including financial impacts, resiliency, security, and compliance. The United States Department of Justice has updated its guidance on evaluating corporate compliance programs to include whether an organization has made a good faith effort to ensure its third-party vendors are compliant.(1) Resilience to outside risk is now directly mandated by regulators. Financial institutions must undertake rigorous stress tests that quantify the results of extreme disruption.
A financial organization that is found to lack the capital reserves to survive a tested risk is required to either grow its reserves or alter its operational profile to be able to meet the stress-test requirements. We have found that this has become a key concern for many financial organizations. Almost 50% of financial services respondents in the 2020 RSA Digital Risk Survey stated that a risk-based compliance methodology is the number one priority when it comes to keeping up with regulatory obligations. Why Third-party Risks Affect Operational Resilience like Internal Risks A consolidated view of all third-party relationships, and an understanding of which third parties are most important to ongoing operations, makes it possible to scale the number of assessments that can be completed and streamlines the response to open issues identified during the assessment process. It is important to start quantifying third-party risks the same way internal risks are measured. This provides a common framework for analyzing the impact of both internal and external disruptions. Benefit from our analysis of Archer customers and 20+ years of evaluating risk trends. Download our whitepaper, “The State of Integrated Risk Management,” to discover how to make your organization more resilient by protecting against multiple sources of risk, including those beyond your four walls. (1) https://www.justice.gov/criminal-fraud/page/file/937501/download

  • Get Better Business Outcomes with a New Approach to Risk Communication

    Communication plays a vital role in enabling organizations to integrate the concept of risk management into day-to-day operations. Your risk program communication isn’t just a way to manage your reputation and image with third parties, media, and regulators. Being able to communicate risk effectively within the four walls of an organization is a crucial tool for creating a more risk-aware organization, in order to optimize your business while managing risk. Communicating risk effectively is a continuous process requiring all parties to articulate not just the sources of risk but the bottom-line consequences. All involved must be made aware of potential risks, and the lines of communication must always be left open. It isn’t enough anymore to treat risk communication as a simple tick-the-box exercise that only demonstrates process compliance without connecting to the real-world consequences of the risks being communicated. Being able to place hard and fast numbers on the consequences of types of risk allows real-world effects to be communicated in a universal language. This can increase operational resilience by helping to align responses to threats with the goals of the organization. Increasing operational resilience with risk communication is only one part of a mature integrated risk management strategy, which we outline in our whitepaper, “The State of Integrated Risk Management.” Communicating Risk across Departments Effective communication of operational risk should put specific eventualities in the context of the disruption that could occur. For many organizations, translating risk between departments can be a serious challenge. Traditional tools like qualitative risk analysis try to use subjective terms or visual heat maps to communicate the severity of various eventualities, but this can fall flat when two different domains are being compared: a “high” for IT and a “high” for finance need not mean the same thing.
An organization’s reduced ability to operate might mean lost uptime, lower profits, or other negative outcomes. This needs to be quantified and communicated to the personnel who are in a position to mitigate risk. Furthermore, when the likelihood and impact of a risk are quantified, it becomes possible to communicate and aggregate the impact of risks to stakeholders without hitting interdepartmental language barriers. How Risk Quantification Helps Risk Communication Risk management is the core ingredient in mitigating potential threats to the success of an organization. Threats should ideally be identified and dealt with before their effects can be felt in your project. Risk assessment involves the measurement and analysis of risk to provide concrete information for risk control programs. The process of quantitative risk assessment involves four fundamental steps:
1. Identify the risk and establish an applicable mathematical model.
2. Collect the basic and necessary information or data available via historical records, extrapolation, expert surveys, and so on.
3. Select suitable analytical methods and models to evaluate the data, and adjust the models to the specific circumstances.
4. Define the scale and likelihood of the risk.
The process of identifying risk has traditionally been either a top-down exercise or the domain of risk management departments or consultants. New digital tools have made it possible for front-line personnel to communicate emergent risk in real time. Instead of risk communication tools being an output-only means of relaying directives to the front lines, organizations using integrated risk management software can gather information from stakeholders about conditions on the ground. The ability to monitor conditions with real-time reporting from the personnel closest to the risks couldn’t come at a better time.
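Here is the four-step process above carried through end to end, as an added worked example (not code from the original page or from Archer). It also answers the question raised in the Moneyball piece earlier on this page, what “low” probability actually means: here it is a number, 0.1 events per year, that can be challenged against data. Two constructed risks are modelled FAIR-style, events per year as a Poisson draw and loss per event as a log-normal pinned by a median and a 90th-percentile loss (the figures step 2 would elicit from records or experts). Every frequency and dollar figure below is an assumption chosen for illustration, and the Poisson/log-normal choice is one common model, not one the page prescribes.

```python
"""Risk quantification vs. qualitative scoring: an added worked example.

Not code from the original page or from Archer. All figures are constructed
for illustration. Each risk is modelled FAIR-style: events per year follow a
Poisson distribution and the loss of each event is log-normal, pinned down by
a median and a 90th-percentile loss that an analyst would elicit from data
or experts (step 2 of the four-step process in the text).
"""
import math
import random
import statistics

Z90 = 1.281552  # standard-normal 90th percentile


def qualitative_score(likelihood, impact):
    """Traditional 1-5 x 1-5 heat-map score (likelihood * impact)."""
    return likelihood * impact


def poisson(rng, lam):
    """Knuth's method: number of events in one year for rate lam."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_loss(freq_per_year, loss_median, loss_p90, years=20000, seed=7):
    """Monte Carlo annual loss for one risk (step 3: the analytical model).

    Returns a list with one simulated annual loss per year.
    """
    rng = random.Random(seed)
    mu = math.log(loss_median)
    sigma = (math.log(loss_p90) - mu) / Z90  # log-normal shape from median/p90
    annual = []
    for _ in range(years):
        n_events = poisson(rng, freq_per_year)
        annual.append(sum(rng.lognormvariate(mu, sigma) for _ in range(n_events)))
    return annual


def summarize(annual_losses, threshold=1_000_000):
    """Step 4: scale and likelihood, in money rather than labels."""
    s = sorted(annual_losses)
    n = len(s)
    return {
        "expected_annual_loss": statistics.fmean(s),
        "p95_annual_loss": s[int(0.95 * n)],
        "prob_exceeds_threshold": sum(1 for x in s if x > threshold) / n,
    }


# Constructed scenario: two risks an assessor rated identically on a heat map.
RISKS = {
    # frequent, small: a recurring vendor SLA breach
    "vendor_sla_breach": dict(likelihood=4, impact=2, freq_per_year=4.0,
                              loss_median=20_000, loss_p90=60_000),
    # rare, large: a key supplier outage that halts a product line
    "key_supplier_outage": dict(likelihood=2, impact=4, freq_per_year=0.1,
                                loss_median=2_000_000, loss_p90=8_000_000),
}


def compare(risks=RISKS):
    """Side-by-side qualitative score and quantitative summary per risk."""
    out = {}
    for name, r in risks.items():
        losses = simulate_annual_loss(r["freq_per_year"], r["loss_median"], r["loss_p90"])
        out[name] = {"heat_map_score": qualitative_score(r["likelihood"], r["impact"]),
                     **summarize(losses)}
    return out


if __name__ == "__main__":
    for name, stats in compare().items():
        print(name, {k: round(v, 3) for k, v in stats.items()})
```

Both risks score 8 on a 5x5 heat map, so a qualitative register ranks them equal. The simulation shows the rare supplier outage carries roughly three times the expected annual loss of the recurring SLA breach and a far heavier tail, which is the apples-to-apples comparison an executive can act on. Replace the constructed parameters with your own elicited values; the model itself does not change.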
Today's challenges require managing a cultural shift from reactively checking the boxes for compliance to a proactive risk management model that requires participation across the organization. Instead of front-line workers only identifying risks during an audit or during an emergency, integrated risk management platforms allow for constant communication through every level of an operation. A study by PwC (1) found that organizations that shift risk management responsibilities to the front line were more likely to show profit and revenue growth over the next two years and were able to recover from adverse events more quickly. Communication, Compliance, and Management Organizations that have established programs in individual domains should be working to expand their risk focus and improve visibility, analysis, and metrics. Finding common processes or data to share is a great first step toward bringing together risk management functions and achieving risk maturity. The overwhelming majority of organizations that have begun to use the Archer platform for operational risk management extend their engagement with our tools into compliance management. In fact, 91% of our customers who license operational risk management use cases also license compliance use cases, substantiating the close connection between risk and compliance processes. With a well-established and integrated communication program, stakeholders should understand that they are not just passive participants in an organization's operations. Compliance and risk management are everyone’s responsibility. We recommend organizations establish formal processes for stakeholders to understand and manage changes that may affect the organization’s compliance, including how new and changing activities may impact the organization’s obligations. We also recommend organizations implement controls based on issues or gaps identified via the compliance process to reduce risks and prevent compliance issues from recurring.
New technologies can provide a tight connection between issues being identified on the ground and organizational responsiveness. A technology-enabled approach to building operational resilience across the organization will transform the efficiency of your incident, crisis, and recovery teams. By knowing the most critical areas of the business and effectively handling day-to-day incidents, you can respond swiftly in crisis situations to protect your ongoing operations. The last year has shown just how rapid changes in operational risk and regulatory compliance can be. Fitting Risk Communication into an Overall Integrated Risk Management Strategy Without the ability to address increasing risk effectively and efficiently, organizations struggle to respond to business risks and miss opportunities to capitalize on growth or to meet other strategic objectives. That’s why organizations need to focus on achieving operational resilience through integrated risk management. Benefit from our 20+ years of industry leadership knowledge. Get our whitepaper, “The State of Integrated Risk Management,” today to discover how your organization can break down communication siloes to better mitigate and thrive through disruptions and an evolving risk landscape. (1) PwC. 2020. PwC 2020 Global Risk Study. [online] Available at: <https://www.pwc.com/us/en/services/consulting/risk-regulatory/library/2020-global-risk-study.html/> [Accessed 12 April 2021].

  • Third-Party Risk Management – Who’s on First?

    Are you familiar with the “Who’s on First?” comedy routine made famous by Abbott and Costello? The premise: Abbott is identifying the players on a baseball team for Costello, but the players’ names create confusion. For example, Costello asks Abbott the question “Who’s on first?” The first baseman’s name is Who, so Abbott simply replies “yes,” confusing Costello, who thought Abbott wasn’t answering his question. This goes on and on with the unlikely and confusing names of all the players on the team. While this is a funny scenario for comedy, similar scenarios are problematic for organizations that rely on, or are part of, a complex and extensive supply chain or third-party ecosystem. Third-party ecosystems can often feel like “Who’s on First” due to a multitude of players with changing roles, not to mention constantly evolving supply chains. Supply chains are critical to the successful creation and flow of products, services, and related information. There are different types of supply chains depending on the industry (retail, building products, healthcare, oil and gas, the seed industry, grocery stores and timber production), each with different objectives and risks. Supply chain management has evolved significantly, from simply keeping track of things and trying to manage the flow, to extremely complex systems that are subject to rapid adjustment across participant networks. Managing supply chains today requires understanding the diverse roles of supply chain members, their interactions, and the transaction models they use. Optimizing these flows for timeliness, yield, cost, and a host of other objectives is complex. Add a variety of supply chain risks into the mix and you’ve got potential chaos if it is not managed effectively. Third-party or supply chain risks typically include inaccurate forecasting, manufacturing shortfalls or surpluses, competition, single points of failure across the supply chain and more.
The past two years have introduced even more risks into supply chains due to drastically changing supply and demand, workforce disruption, logistical logjams, and geopolitical impacts. All of this has turned traditional supply chain risk modelling on its head. In addition, the increased impact of environmental, social and governance (ESG) risks is causing organizations and their suppliers to reconsider their impacts on the world and shift from a do-no-harm to a do-net-good approach. Supply chain resilience is also a quickly emerging topic, brought to light during the pandemic, that everyone should seriously consider. So how do organizations deal with the complexity their supply chains represent, effectively manage the risks and ensure resilience? If we go back to Abbott and Costello’s skit, it’s all about knowing who is on first, second and third base. One way that is done is with more effective and agile third-party risk and resilience management. Here are a few steps to consider:
Understand your third parties. Break down the myriad suppliers you have by performing business impact analyses and determining which of your third parties are most important by virtue of the products and services of yours that they support. This allows you to prioritize your suppliers by criticality. Your third parties must also identify their third parties (your fourth parties), and their third parties do the same, and so on. The dependencies can be complex but are critical to identify and understand: two suppliers that look redundant may both depend on the same fourth party, which makes that fourth party a single point of failure your own supplier list will never show.
Set common objectives. Risk and resilience management cannot be done effectively in organizational siloes with different goals and approaches. It is very difficult to manage inter-related risks or build resilience inside your organization and across your supply chain if you do not set a foundation of common goals and approaches between your company and your third parties. This foundation gets your internal teams on the same page and also sets the direction for your suppliers to do likewise.
Identify potentially disruptive scenarios. Managing supply chain risk and building resilient third-party ecosystems requires knowing what could disrupt your business and your third parties. These could be individual risks or threats, but also those ‘perfect storms’ or disruptive scenarios; a pandemic is the perfect example. It is critical to identify these risks, understand their potential impact on your organization, and decide whether that impact is acceptable.
Take corrective action. All this analysis will point you toward gaps that need to be addressed: controls that should be implemented, recovery plans that should be drawn up and tested, and risks to be mitigated. These corrective actions represent the necessary improvement between your current state and your required state, and they should be assigned ownership, tracked, brought to conclusion, and measured.
Monitor and measure. You cannot improve what you don’t measure, so it is important to translate your goals, risk tolerances, and business objectives into key risk, resilience, and performance metrics you can track, measure, and monitor. Executive and program dashboards are powerful tools to paint a picture of your supply chain at each level of risk and resilience.
Putting effective third-party risk and resilience measures like these in place helps clarify “Who’s on First,” second, and third, and helps you hit a home run in harnessing the power of your supply chain to achieve your business objectives. For more information about how Archer can help you with third-party risk management, visit archerirm.com.
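The “understand your third parties” step, and the single-vendor tradeoff discussed in the piece on risk beyond your four walls earlier on this page, come down to one question: which party, if it failed, would take a critical service down with it? Below is an added example (not code from the original page or from Archer) that answers it over a constructed supply chain: the services and tiers come from a business impact analysis, each capability lists the vendors able to provide it, and each vendor declares its own suppliers (your fourth parties). All names and dependencies are invented for illustration.

```python
"""Who's on first in your supply chain: an added example, not Archer code.

Maps critical services to the third parties that support them and to those
parties' own suppliers (your fourth parties), then finds single points of
failure, including ones hidden behind apparently redundant vendors. All
names and dependencies below are constructed for illustration.
"""
from collections import defaultdict

# Output of a business impact analysis: critical services, their criticality
# tier (1 = most critical) and the capabilities each one needs to run.
SERVICES = {
    "online_payments": {"tier": 1, "needs": {"card_processing", "hosting"}},
    "customer_portal": {"tier": 2, "needs": {"hosting", "identity"}},
    "payroll": {"tier": 3, "needs": {"payroll_saas"}},
}

# Which third parties can provide each capability (more than one = redundancy).
PROVIDERS = {
    "card_processing": {"AcmePay"},
    "hosting": {"CloudOne", "CloudTwo"},
    "identity": {"IdPCo"},
    "payroll_saas": {"PayWell"},
}

# Each party's own suppliers, as declared in its assessment (fourth parties).
DEPENDS_ON = {
    "AcmePay": {"CloudOne"},
    "CloudOne": {"NetBackbone"},
    "CloudTwo": {"NetBackbone"},   # both "redundant" hosts share one upstream
    "IdPCo": set(),
    "PayWell": set(),
    "NetBackbone": set(),
}


def all_parties(depends_on=DEPENDS_ON):
    """Every party named anywhere in the dependency declarations."""
    names = set(depends_on)
    for subs in depends_on.values():
        names |= subs
    return names


def blast_radius(party, depends_on=DEPENDS_ON):
    """Parties that go down if `party` goes down: itself plus every party
    that depends on it, transitively (reverse dependency closure)."""
    dependents = defaultdict(set)
    for p, subs in depends_on.items():
        for s in subs:
            dependents[s].add(p)
    down, stack = set(), [party]
    while stack:
        p = stack.pop()
        if p in down:
            continue
        down.add(p)
        stack.extend(dependents[p])
    return down


def services_lost(party, services=SERVICES, providers=PROVIDERS, depends_on=DEPENDS_ON):
    """Services that cannot run without `party`: some capability they need
    has no provider left outside the party's blast radius."""
    down = blast_radius(party, depends_on)
    lost = set()
    for name, svc in services.items():
        for cap in svc["needs"]:
            if not (providers[cap] - down):
                lost.add(name)
                break
    return lost


def single_points_of_failure(services=SERVICES, providers=PROVIDERS, depends_on=DEPENDS_ON):
    """Every party whose loss takes out at least one critical service,
    ranked by the most critical service it can take down, then by count."""
    result = {}
    for party in all_parties(depends_on):
        lost = services_lost(party, services, providers, depends_on)
        if lost:
            result[party] = lost
    return sorted(result.items(),
                  key=lambda kv: (min(services[s]["tier"] for s in kv[1]), -len(kv[1])))


if __name__ == "__main__":
    for party, lost in single_points_of_failure():
        print(f"{party:12s} -> {sorted(lost)}")
```

Running it lists NetBackbone first even though it never appears on the organization's own supplier list: the two hosting vendors look redundant but share it as an upstream, so it is a single point of failure for both the tier-1 and the tier-2 service. CloudTwo, by contrast, is not flagged, because CloudOne can cover hosting on its own. This is the kind of finding that only appears once fourth-party declarations are collected and joined to the BIA.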

  • Operational Resilience is Necessary to Thrive Amid Disruption

    The world is fast becoming a more turbulent place: disruptive events are occurring more frequently and are less predictable, as the following McKinsey study shows. The recent public health crisis, coupled with a consistent increase in cyber-attacks, natural disasters, geopolitical conflicts and a myriad of other events, is causing organizations to reflect on the need to evolve from merely being recoverable to becoming resilient, which is the ability to absorb disruption and not only continue to deliver on strategic objectives but to quickly adapt and prosper. Surviving disruption is not the only reason to build a resilient organization; operational resilience is a required trait in business today. Competition is fierce, shareholders require consistently strong returns, and the public and many investment funds demand that organizations be socially conscious and actively engaged in contributing to the greater good. As a result, organizations can’t afford to operate in a reactive mode; these demands require that organizations be resilient. Resilience is good business practice, as illustrated by a McKinsey study performed after the 2007 financial crisis which showed that resilient organizations emerged from the crisis more quickly and stronger, and not only outperformed non-resilient organizations but also the S&P 500 index well after the recovery period. A Harvard Business School study broke resilience down into attributes that include being adaptable, prioritized, data-driven, aligned and continuously improving. These attributes contribute to being a well-performing organization. Building a resilient organization focuses on what the organization does to provide products and services to its end customers, and on the interdependencies involved. Organizations quickly learn that building resilience across an intricate, interconnected organization with many interdependencies is complex and expensive.
The challenge is to build resilience without simply adding cost, by developing an approach that returns on the investment over the short to medium term. In this respect, building resilience must be somewhat self-sustaining. Risk management is also an integral part of building a resilient organization, because as new risks emerge the organization must be prepared to identify, assess, treat and monitor them and their effects on the organization. Turning the strategic objective of building a resilient organization into real results can be a challenge. It takes executive focus, a programmatic approach that aligns risk, resiliency, compliance, and third-party management teams, and active participation across the organization. The underpinnings include prioritization, planning, coordination, engagement, and constant improvement to drive the actions that result in a resilient organization. Learn about how the Archer Operational Resilience solution can help you build a resilient organization.

  • Prioritizing Privacy in an Age of Surveillance and Tracking

    Amid the ongoing global health crisis, questions and concerns circulate over the future of privacy. Now, with the increasing deployment of contact tracing apps, headlines like “Can You Track COVID-19 and Protect Privacy at the Same Time?” are appearing regularly. While the increased attention on data privacy is important, let’s focus on the basics and remember that data collection and surveillance are not new. As we look towards our future, it’s important to first acknowledge the recent past. The principles of privacy are not new. Discussions about privacy have been growing steadily on the global stage over the past several years. The most prominent example is from just over two years ago, when the European Union’s General Data Protection Regulation (GDPR) took effect. This was a watershed moment, not only for those in privacy and risk management but for organizations around the globe. While privacy regulations exist at different levels in various regions around the globe, this concentrated effort redefined how businesses should store, manage, secure and use personal and sensitive information. The GDPR also helped the global community acknowledge the pivotal role data has in the digital economy. Now in 2020, “it’s raining privacy bills,” particularly in the United States. From Washington to Florida, statehouses recognize that action needs to be taken to protect people. On the heels of the GDPR’s two-year anniversary, a draft bill (Data Accountability and Transparency Act of 2020) was introduced in the United States Senate that would bring GDPR-like protections to the U.S. This is just one of many bills, but it goes further in holding data custodians accountable for safeguarding our information. The progress is positive, and a lot more needs to be done. In the middle of a global health crisis, the topic of privacy is mainstream news again.
However, with the GDPR in mind, governments are looking to limit the amount of data transferred by contact tracing apps to local agencies. Will this health crisis change our perception of privacy? It’s unlikely. Until something material happens, privacy is a background issue that many citizens don’t think about actively over the course of their daily lives. Consumers are already programmed to hand over personal data in exchange for something they want. The same trade-off applies today: do I activate a contact tracing app to stay safe, or do I avoid it to maintain my privacy? In some parts of the world, downloading these apps is mandatory. In countries like Iceland, voluntary adoption surpassed 40 percent. For those, like myself, who work in healthcare, the issue of privacy and data security is not a phenomenon or a fleeting moment; it’s what we do every day. We have regulations that govern our actions and inform our business operations. That said, businesses are reopening and may be required to start collecting sensitive health data on employees and customers. For many, this is likely the first time they’re challenged with securing this type of data. What steps should they take to prioritize privacy?
Go slow. While this is contrary to the mantra of modern business, when it comes to privacy, get it right the first time. A breach of any health data could have catastrophic impacts, such as reputational damage. Pay careful attention to how you manage and secure this data as a way to enable greater efficiency long-term.
Rely on your peers. Many in the healthcare and financial services community have navigated the challenge of securing personally identifiable information (PII) for years. We have best practices and know which vendors to trust. Don’t make assumptions based on a vendor pitch in your inbox or the guarantees of an Internet display ad. Take advantage of the resources provided by independent organizations, and of your colleagues who have already tested the waters.
Put increased attention on third-party risk. Whether an external vendor is implementing parts of your privacy program or just has access to your network, monitor them carefully. Conduct the necessary assessments beforehand and implement governance to ensure vendors can only use the systems and information they need for their specific job.
Limit the data you share. If you’re in a position where data needs to be shared across functions or outside the business, limit what is moving and ensure it’s the minimum required. It’s imperative that you know what data is being shared and with whom in the information supply chain.
In many ways, the conversation about privacy is in its infancy, particularly in the United States. In my view, it is not a black and white discussion. It’s complex and subjective. That’s why I advocate for doing what is right versus what needs to be done. Data has value. It’s not just a set of numbers or information; it’s derived from a human being. With that comes incredible responsibility. Whether you work in compliance, risk management or information security, don’t forget that the actions you take have consequences beyond the walls of the business. It’s not enough to worry about just your shareholders. Remember that your stakeholders (customers, partners, employees) are impacted by the decisions you make related to securing and managing data. Kevin Haynes is Chief Privacy Officer at Nemours Children’s Health System. Check out his recent discussion with Security & Compliance Weekly on how Nemours uses Archer to manage compliance risks.
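The “limit the data you share” step above, and the point about knowing what has been shared with whom, can be enforced in code rather than left to good intentions. The following is an added example (not code from the original page, from Archer or from Nemours) of a purpose-bound allowlist applied to a record before it leaves the organization, with a ledger of what each recipient received. The purposes, field names, recipients and the patient record are all constructed for illustration.

```python
"""Limit the data you share: an added example, not code from the original
page, from Archer or from Nemours. A purpose-bound allowlist applied before
a record leaves the organization, plus a ledger of what went to whom. The
record, purposes and recipients are constructed for illustration.
"""
import hashlib
import json
from datetime import datetime, timezone

# Minimum fields each sharing purpose needs. Anything not listed is dropped,
# so a new field added to the source record is never shared by accident.
PURPOSE_FIELDS = {
    "appointment_scheduling": {"patient_id", "preferred_name", "phone"},
    "billing": {"patient_id", "insurance_member_id", "visit_date", "cpt_codes"},
    "screening_notification": {"patient_id", "screening_result"},
}

SHARE_LEDGER = []  # who received which fields, when, and for what purpose


class SharingPolicyError(Exception):
    """Raised when a share is requested for a purpose nobody has approved."""


def minimize(record, purpose, fields=PURPOSE_FIELDS):
    """Return only the fields approved for `purpose`; unknown purposes fail closed."""
    if purpose not in fields:
        raise SharingPolicyError(f"no approved purpose {purpose!r}")
    return {k: record[k] for k in fields[purpose] if k in record}


def share(record, recipient, purpose, ledger=SHARE_LEDGER):
    """Minimize the record for `purpose`, log the transfer, return the payload."""
    payload = minimize(record, purpose)
    # The ledger keeps field names and a digest of the payload, not the values:
    # the audit trail should not become a second copy of the sensitive data.
    digest = hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).hexdigest()
    ledger.append({
        "when": datetime.now(timezone.utc).isoformat(),
        "recipient": recipient,
        "purpose": purpose,
        "fields": sorted(payload),
        "payload_sha256": digest,
    })
    return payload


def shared_with(recipient, ledger=SHARE_LEDGER):
    """Answer 'what has this vendor ever received?' from the ledger."""
    return sorted({f for e in ledger if e["recipient"] == recipient for f in e["fields"]})


# Constructed record; a real one would come from the system of record.
RECORD = {
    "patient_id": "P-0001",
    "preferred_name": "Sam",
    "phone": "+1-555-0100",
    "date_of_birth": "2012-04-09",
    "insurance_member_id": "INS-77",
    "visit_date": "2021-05-03",
    "cpt_codes": ["99213"],
    "screening_result": "negative",
    "clinical_notes": "...",
}

if __name__ == "__main__":
    print(share(RECORD, "scheduling-vendor", "appointment_scheduling"))
    print(share(RECORD, "billing-vendor", "billing"))
    print(shared_with("billing-vendor"))
```

The allowlist is keyed by purpose rather than by recipient, so a vendor that needs more asks for a new purpose (and a review) instead of being granted a wider field set by default, and a field added to the source record later is never shared until someone adds it to a purpose. The ledger records field names and a digest rather than values, so the audit trail does not become another copy of the sensitive data.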
