
  • What’s Really at Stake With (More) Proposed Breach Legislation

    As we continue to analyze the fallout of the latest sequence of security breaches (SolarWinds, JBS, Colonial Pipeline), the conversation invariably swings toward attribution and, of course, who should know and when they should know it. Spurred by these events, another breach notification bill is circulating…again. This time the discussion revolves around critical infrastructure rather than personal data. We have seen this play out before. While the details may be a bit different, the challenge being laid at the feet of those in the critical infrastructure segment is considerable: a requirement to notify within 24 hours of discovery. Although still in draft, the legislation is a reminder of a battle that we continue to fight against increasingly tenacious and skilled adversaries on a battlefield that continues to expand.

    Several years ago, I wrote a blog referencing Castor and Pollux as the ‘patron’ gods of this ongoing battle. Castor and Pollux are the twins of Gemini in Greek mythology. They are a reminder that a two-headed approach involving proactive measures (such as Vulnerability Risk Management) and reactive preparations (such as an agile Security Operations strategy) is necessary when it comes to security strategy.

    Ultimately, though, the objective is not to meet the notification requirements. While this may be a considerable incentive (given the proposed sanctions for violations), the recent breaches are a reminder of the end game: operational resilience. Vulnerabilities pop up on the radar from all sources – some lying dormant for decades before being uncovered, some introduced with the latest code – and a security organization that thinks in terms of a balanced approach is best positioned to address shifting priorities. Potential threat and attack vectors must be identified and responded to as fast as possible; a Vulnerability Risk Management program is the critical mechanism for this. Actual active attacks must also be identified and responded to as fast as possible; a Security Operations Management strategy is the main device for this. Together they are a blend of proactive measures and reactive preparations.

    The two-pronged approach seen in security strategies is a model for broader risks. A resilient organization thinks in the same manner: what can we do to prevent an issue, and what will we do when there is an issue? At the heart of this approach is an understanding of business risk powered by an integrated approach to risk management. Several factors will give your organization a significant advantage as you target a balance of approaches:

      • Establishing a common taxonomy for discussing risk enables preventive and response measures to be balanced based on business impact.
      • Common catalogs of risk management program elements such as risks, controls, incidents and assets allow your second-line functions to analyze overall risk from a mutual point of reference.
      • Standardized processes to monitor risk and assess controls permit a balanced view of residual risk via the effectiveness of the preventive measures in place.
      • Unified processes to report, track and monitor gaps such as operational incidents and issues provide insight into the efficiency of response actions.

    These core capabilities set the framework for an integrated, balanced approach to preventive and responsive controls. As we saw in the last 18 months, security breaches are not the only major disruption organizations can experience. The shift towards operational resilience as an end game is resonating across all teams mandated with risk management, and organizations are on the path to putting the complementary approaches of proactive and reactive preparation in place. It is, therefore, fitting that travelers and sailors appealed to Castor and Pollux for safe voyages. Those who found favor with the Gemini were thought to be aided in moments of crisis. Given the ongoing journey organizations are on towards operational resilience, Castor and Pollux are appropriate patrons.

  • Removing Resistance in Key Risk Processes: Make Input Easy for Business Users

    Even the slightest bit of resistance can get in the way of completing a key risk process. If a form is hard to figure out or cumbersome to navigate, users will avoid it, putting it off until the last minute or forgetting about it completely. That resistance then leads to delays in information getting to the people who need it to understand where the potential risks are in the organization and to act in a timely fashion. They find out about something this week that, had they known about it last week, could have prevented an incident.

    Throughout the various processes that make up an integrated risk management (IRM) program, there is a shared need to engage users quickly and effectively. It can’t be a burden on these users, many of whom don’t consider risk or compliance their primary function. It must be seamless to them, something that easily fits into their busy schedules. If it takes time to figure out a form, users are likely to procrastinate completing it. But if it’s something that takes just a minute, that’s accessible from whatever device they are on, wherever they are, then the request becomes easier for them to fulfill. It becomes a small part of a normal day’s activities. When business users in the organization can perform their risk-related tasks quickly and easily, the whole system flows more smoothly. Risk managers don’t have to spend time and effort worrying about creating a specific user experience, producing extensive training materials that are used only infrequently, or following up to remind people they need to respond. Whether for Control Attestations or Evidence Requests, Quarterly Certifications or Risk Assessments, these are all parts of successful risk programs that rely on input from individuals who don’t have “risk” or “compliance” in their titles.

    To help address this issue, we are pleased to announce general availability of Archer Engage™ for Business Users, designed to help accelerate the flow of your risk processes and programs. It is a cloud-based companion product that integrates with your Archer instance – be it SaaS or on-prem – to present assessments and requests to business users in a fast, responsive application that’s as easy to use on a smartphone as it is on a company-issued laptop. It provides an intuitive experience whether the user is seeing it for the first time or for the first time in a few months. With Archer Engage for Business Users, you can publish any questionnaire or application from Archer to Archer Engage. Later this year, we’ll continue to add capabilities for content creation and other features to join the richness of your Archer applications with the convenience of Archer Engage. Learn more about how business users can quickly and easily complete assessments or initiate risk management activities with Archer Engage for Business Users. Contact us to get a demonstration of Archer Engage for Business Users.

  • Compliance and Audit: Where do we go from here?

    Many organizations begin their journey towards an integrated approach to risk management in the realm of compliance. The immediate threat of a compliance violation due to an emerging regulatory requirement has always been a compelling event. The resulting efforts to identify affected business operations, then design and implement controls and ultimately demonstrate compliance form the foundation upon which many GRC programs were built. While compliance activities are just one part of managing overall business risk, the discipline required to define controls and measure effectiveness is a key ingredient for successful, long-term risk management practices.

    The logical next step is to begin putting compliance into the context of operational risk. The ability for an organization to leverage compliance in this manner is much more valuable than a standalone compliance function. Integrated compliance and audit functions are more effective as a third line of defense, especially as control design and implementation to manage business risks can draw on the experience of compliance programs. For Chief Audit Executives and Corporate Compliance functions, integrating compliance into risk management strategies is an excellent opportunity to up-level your visibility and show that compliance is not just a check-the-box exercise. Compliance and audit, when executed in the context of risk management and business strategy, add real value towards an organization’s goals. Additionally, you can get executives to appreciate what the compliance and audit teams are doing by getting the most bang for your audit budget and limited resources and focusing on the right risk areas. Ask yourself:

      • How can I report on compliance issues in the context of broader operational risk management efforts?
      • How am I prioritizing compliance and audit activities and allocating limited resources towards the right risks?

    If you can answer these questions positively, you are on the right track to evolving compliance into a major contributor to risk management. From a Chief Risk Officer’s perspective, risk processes can be built right on top of the existing compliance and audit program. For example, leveraging the controls assessment processes already in place saves time and energy while establishing a core part of residual risk measurement. Managing risk depends on how good you are at implementing controls, and visibility into your compliance state helps you really understand risk exposure. Integrated compliance and audit processes feeding insights to the risk program provide a key ingredient in understanding the business’s true gaps.

    At Archer, we see the symbiotic connection of Audit, Compliance and Risk functions in action. 91% of Enterprise and Operational Risk Management customers own Compliance use cases. 84% of our customers who own our Audit solution also own risk management use cases. These are natural combinations towards Integrated Risk Management. If you have worked hard on establishing your audit and compliance program – and most companies have – and have not broadened into Enterprise or Operational Risk Management, you are behind the curve. Enterprise and operational risk management is the natural progression for compliance. Compliance is only one type of risk, and therefore focusing on just compliance is not the final state. Audit functions are traditionally considered the third line of defense in Ops Risk strategies: audit provides the independent review and assurance that controls are effective. Adding risk management processes on top of Compliance and Audit programs can ‘up-level’ the value that compliance activities provide the organization and help the organization more effectively achieve business goals by properly identifying and managing risk.

    Maintaining an effective compliance program can be one of the most difficult, time-consuming and expensive activities organizations face today and into the future. Read our white paper on eight modern principles and techniques that can allow organizations to demonstrate compliance more efficiently, more effectively and at a lower cost.

  • Archer’s Financial Services User Group: Q1 Updates

    Archer recently hosted a virtual Financial Services User Group (FSUG) event for current and prospective Archer customers. Participants had the opportunity to hear from our CEO, Bill Diaz, as well as get a sneak peek into the Archer Product Roadmap with Wes Loeffler from our Product Management team. Following a brief update on the upcoming Archer Summit, the event concluded with a panel discussion on hot topics facing the Financial Services industry.

    As Archer continues to expand its brand dominance in the GRC/IRM space, we have recognized the need to make it easier for all parties to be involved in the risk management process. It is in this light that Mr. Diaz introduced Archer Engage. Archer Engage delivers a role-based user experience for business users across the organization, and the SaaS-based interface does not require access to the corporate network. From external parties, such as with Archer Engage for Vendors, to first-line users involved in periodic risk assessments, and up to the Executive and Board level with risk summaries and “heat maps”, Archer Engage will be the primary point of access for “light” users across the organization. And whether you’re using a PC, tablet or smartphone, Archer Engage will right-size to the applicable technology.

    The FSUG then turned its focus to the Archer Product Roadmap. Operational Resiliency has been a tremendous challenge across all industries in 2020 and into 2021, and the financial services industry is certainly no exception. Three of the primary drivers for operational resiliency were discussed: threats like COVID-19; the constant threat of cyber-attacks; and disruptive incidents due to third parties. As a result, regulatory agencies have increased their expectations in this area to include:

      • Determine critical business products and services
      • Identify any internal resources and third-party dependencies supporting critical products and services
      • Define impact tolerances
      • Perform scenario testing and take corrective actions
      • Complete a regular self-assessment

    In response to the heightened scrutiny by regulators on operational resiliency, the Archer Product Management team is proposing enhancements in three of Archer’s solution areas:

      • Business Resiliency
      • Enterprise and Operational Risk Management
      • Third Party Risk Management

    We feel the proposed enhancements in these areas will position our customers to address operational resiliency in a manner that will not only satisfy the regulators, but will also give Executive Management and Boards of Directors comfort that their company is prepared to address any potential disruptions to its operations.

    Patrick Potter, Archer Risk Strategist, provided participants an update on Archer Summit 2021, planned for September 13-15 in Orlando. This event will be both virtual and in-person to give everyone the opportunity to attend. We encourage all our customers to attend this event and even consider participating as a speaker. This is a fantastic opportunity to network with your peers and learn how other companies are utilizing Archer for their integrated risk management needs. To learn more about this event, please check out the link at https://www.thearchersummit.com/.

    The Q1 Archer Financial Services User Group concluded with a panel discussion of hot topics in the Financial Services industry. The panelists included Tim Carbery, Managing Partner at CastleHill Managed Risk Solutions; Shelley Migliore, Archer Presales Systems Engineer; and Blake Murphy, Archer Strategic Business Development Manager. Mr. Carbery provided insights from a professional services perspective on challenges firms are facing in addressing operational resiliency. Of particular interest was the discussion on the recent interagency paper, “Sound Practices to Strengthen Operational Resilience”, and how firms are reacting to changes in business resilience expectations from management, regulators and customers. Mr. Murphy followed these comments with a discussion of why two recent studies from Big 4 accounting and consulting firms identified change management as the No. 1 regulatory challenge for financial services in 2021. From a practical standpoint, he also spoke to a few of the primary challenges financial institutions face in operationalizing regulatory change management. Ms. Migliore responded with the following questions to be considered when defining a regulatory change management program:

      • What are common structures for regulatory change management programs (centralized, decentralized, etc.), and is this influenced by the type of risk management program or culture?
      • What are some mechanisms for filtering the “right information” when monitoring regulatory and industry sources, and how do we help avoid information overload?
      • Are financial institutions leveraging tools or partners for implementing regulatory change management programs or responses?

    We had a great turnout and a number of interesting questions throughout the session. If you’d like to explore further how Archer is helping customers with their unique paths to Operational Resiliency, take a look at this eBook. Also, please review our website at www.ArcherIRM.com, where you can find links to all of our solutions, including Archer’s approach to Regulatory & Corporate Compliance Management.

  • Exploring the Evolution of Business Continuity and Resiliency

    I recently had the pleasure of hosting a webinar in conjunction with the DRJournal to discuss lessons learned from the year 2020 as it relates to Business Continuity and overall Operational Resiliency. To say last year brought many lessons learned would be a huge understatement . . . surely too many to explore in a one-hour webinar. But like any lesson, the impact relies heavily on the ‘teachers’ . . . and in this case I was fortunate to have the expertise of two seasoned practitioners, Stacey Jonasen from Franklin Templeton and Patrick Potter, currently with Archer but a former Business Continuity Management professional with leading companies in both the airline and hospitality industries. Here are a few areas we explored.

    The Value of a Head Start

    As we prepared for the webinar, what struck me was how well prepared Franklin Templeton seemed to be overall, responding quickly to the immediate impacts of the pandemic. What came to light as we explored that is that in reality many of the actions needed in those early days were well understood, tested and often already operationalized in terms of enabling a remote workforce and other aspects of critical business operations. This is because Franklin Templeton had been actively executing a plan for broad business transformation. This idea of business or digital transformation already underway giving some companies a head start in responding to the disruption was familiar to me . . . in a survey conducted in mid-2020 we found a very similar reality for many organizations. These points were discussed at length, including the sharing of market data points reinforcing specific areas of transformation that were 1) impactful in responding to the pandemic; and 2) are being impacted by organizations reassessing post-pandemic.

    Common Destination with Uncommon Starting Points

    It was of course no accident that we looked to drive the discussion of 2020 lessons learned towards the topic of Operational Resiliency. It’s difficult these days to get in and out of any customer or partner conversation without the concept coming up . . . so it would seem one uber lesson learned for many organizations is, in simple terms, “OK, we survived that, but we can do better.” And the area our experts agreed most organizations want to do better in is an advanced understanding of how modern, agile businesses and all of their interdependencies can coordinate and collaborate more effectively in the event of a disruptive occurrence.

    Agility Will Continue to be Key

    We all had to be agile in 2020, in our personal and our work lives. And our experts highlighted that for organizations looking to learn from last year and improve their ability to respond and reduce operational impacts, a key aspect of agility will be the technology they use to share information and drive data-driven decision making. Specifically, Stacey spoke to the challenges facing Franklin Templeton in those early days, saying “all 40 crisis management teams active at one time. We have a corporate team, site based teams and business recovery teams. We’ve never had to support all of them at one time.” She then highlighted how they used Archer to get these disparate teams coordinated across the pandemic response process.

    We had a great turnout and a number of interesting questions at the end of the session, highlighting to me that the topic of Operational Resiliency is, itself, resilient. But it also doesn’t have to be intimidating or thought of as only relevant to those facing immediate regulatory pressures and/or far down a maturity path on Risk Management. Again, I encourage you to listen to the What 2020 Taught Us About Risk and Resiliency webinar recording, or if you’d like to explore further how Archer is helping customers with their unique paths to Operational Resiliency, take a look at this eBook.

  • Third Party Risk Management: You can get there from anywhere

    Third parties add a layer of complexity and risk that can lead to many different types of disruptions and business impacts. Organizations are becoming a complex tapestry of products and services, processes and technologies provided by third parties, and this complex and changing ecosystem makes it increasingly difficult to manage risk clearly. The recent SolarWinds breach is an unfortunate event that highlights the challenge organizations face today in the combination of cyber-attacks and third party risk. This event highlights three major areas of IT, security and risk management:

      • Organizations must be constantly vigilant for cyber-attacks from many different threat vectors and actors.
      • Organizations must understand vendor and supply chain relationships, including not only suppliers of components of their products and services but also software and IT service providers.
      • Business resiliency, including continuity and crisis management, must be ingrained in the organization to deal with a wide variety of events, from physical events to IT disruptions.

    In this example, the connection between different dimensions of risk management is evident. Unfortunately, third party risk management can be a resource challenge. As your organization spreads its connections to outside parties, inherited risks become a significant issue. Organizations struggle to efficiently manage and govern these third parties because traditional methods aren’t scalable. Many times, third-party relationships introduce unpredictable, inherited risks that can lead to surprises and potential losses. When third-party oversight is managed differently across an organization, it creates gaps due to inconsistencies in identifying, assessing and managing risk from those third parties. Finally, with inconsistent and incomplete governance processes, organizations cannot get a complete and accurate view of the risks third parties introduce to their organization.

    Fundamental to the strategy of dealing with third party risk is a clear view of your third-party ecosystem: vendors, consultants, service providers and the like. Formalizing third party risk management via integrated processes enhances risk management as a whole. Better yet, resources can be focused on the most important and impactful activities. When we look at Archer customers, enterprise and operational risk management is a prevalent entry point for third party risk management. Our customers who own enterprise and operational risk management use cases are almost twice as likely to own third party governance use cases. IT and security risk management use cases are another adjacency we see: almost 40% of our IT and security risk management customers also own third party use cases. As regulators establish increasingly higher standards of accountability for the oversight of third-party relationships, expanding your strategy to third party risk management is especially pertinent. While many organizations have some programs or risk assessment processes in place related to third party risk, the wide spectrum of potential business impacts requires organizations to take a step further towards third party governance. Enterprise and operational risk, compliance or IT risk programs are excellent stepping stones to begin integrating third party risk management efforts. If your organization is struggling with any kind of supply chain or third-party disruption, read our short paper on suggestions to refocus your organization on the basics of vendor and third-party risk management. In addition, you can read this complimentary Gartner report: “Monitor Key Risk Criteria to Mitigate Vendor Failure.”

  • Operational Resiliency: Where do you start?

    If 2020 didn’t heighten organizations’ awareness of the importance of resiliency, I am not sure what would. The disruptions experienced in 2020 highlight the need for resiliency to be baked into business operations. Technology has clearly demonstrated its value in keeping organizations resilient in the face of change and ahead of the competition. Nearly 75% of respondents in RSA’s Digital Risk Survey expect their digital initiatives to accelerate due to the disruptions and shifts we saw this year. Unsurprisingly, 75% of respondents in that same survey stated their organization’s risk profile will expand over the next two years. Invariably, the conversation at the top of your organization about innovating, optimizing or expanding your business quickly shifts to discussing risk. And resiliency is right at the heart of that discussion.

    For Chief Risk Officers or Chief Information Security Officers, resiliency is no stranger. Resiliency is a big part of managing risk. 2020 triggered the full spectrum of risks on the radar of the CRO office, ranging from massive market shifts to supply chain interruptions to disruptions in business operations. We also know full well how IT and security events can lead to disruption. If the teams that focus on continuity, recovery and crises are not plugged into your security and risk management strategies, it is time to cross the bridge. Resiliency efforts must follow the changing landscape of your operational risks, prioritizing efforts on the right parts of your business. Continuity and recovery processes also must be aligned with your IT and security risk strategy. Leveraging information across IT and security and continuity/recovery plans to prioritize activities can cut to the chase when it comes to knowing which systems are important to the business. For the teams that focus on resiliency, plugging into what the risk and security groups are doing can make resiliency efforts better – and cheaper. Plus, sharing data can create insight into the bigger picture of IT and operational risk.

    Archer customers are no exception. They understand how these functions flow into each other. 70% of our customers who own enterprise and operational risk management use cases also own our business resiliency solution. In addition, the combination of IT and security risk management use cases with business continuity and disaster recovery use cases is evident: an IT and Security Risk Management customer is 2.4 times more likely to own resiliency use cases. The synergy between operational risk, IT risk and resiliency programs is self-evident. IT and security events can lead to many different types of disruptions and crises. CISOs are oftentimes also responsible for continuity or disaster recovery. In addition, the intersection of resiliency efforts and risk processes can help the multiple teams understand business impacts, criticality of business operations and control effectiveness. If you are looking for a place to start on improving operational resiliency, start at the crossroads of your risk, security and continuity/recovery programs.

    Building operational resiliency has become a priority for organizations across industries in recent months. Read our short briefing on five key principles for building an operational resiliency program designed to help your organization maintain critical processes and minimize any negative financial impact from crisis events.

  • What 2020 Taught Us About Risk and Resiliency

    By most accounts, we are closing in on exactly one year removed from the timeframe when COVID-19 transitioned from a regionally focused concern to a health crisis of global scale and consequence. For those of us who are part of the risk management community, we have all been trained to think about risks, on some basic level, through the lens of likelihood and impact. COVID-19 was obviously not history’s first pandemic, but it was unique, and it taught us that a low likelihood has no ‘floor’ below which a risk with large-scale impact can be left unmanaged. Adding pressure to this equation is the pace with which the impact of the pandemic was felt, not only due to the rapid spread of the virus itself, but also the level of interdependency built into modern businesses.

    The new realities can be vividly seen in the input of top executives in their assessment of key priorities for the business in 2021. Survey after survey of business leaders exhibit some consistent views:

      • Businesses must learn to be more resilient to broad, sweeping changes that can force a shift in both strategic focus and operational execution
      • This heightened level of resiliency can come only with effective enterprise-wide operational risk management
      • A high digital IQ and the use of advanced analytical capabilities can be a force multiplier in their ability to predict, respond to, and recover from such disruptions

    Obviously, Business Continuity Management (BCM) has long been an element of organizations’ risk programs, but some approaches let us down through this pandemic. The typically siloed nature of BCM plans, each having some boundary (geography, business function, etc.), did not support businesses’ need to recover in concert from an event as sweeping as COVID-19. That shortcoming has fueled what we see as an active dialogue around the concept of Operational Resiliency: the idea of a plan for continuity and resiliency that is more conscious of the interdependencies within and across businesses.

    As we consider the past as momentum to drive change for the future, it’s important to be sure we have a handle on lessons learned, including some areas where we saw success this past year in adapting to change and applying technology to adjust critical operations. As hard as 2020 was in so many ways, one redeeming element was observing several customers leveraging Archer to provide agility within acceptable boundaries of risk.

    For example, a nonprofit health system supporting more than 1,500 doctors and 250,000 patients across 6 states needed to address a complicated physician licensing and credentialing situation in response to a spike in demand. To secure temporary licenses for each physician in each state, this customer used Archer to quickly build the means to collect and track physician information and licensing. They documented and built workflow for a chain of review/approval all the way up to the Chief Licensing Officer, and also automatically created an audit trail for historic reference. This flexibility greatly enhanced this customer’s ability to meet the urgent and expanding needs of COVID-19 patients.

    A second example comes from one of the largest family-controlled commercial banks in the United States, with over 500 branches across 19 states and $39 billion in assets. Their extensive ecosystem of suppliers needed to be quickly assessed in terms of risk to maintaining branch operations. Additionally, bank employee services and working capabilities needed to be assessed to ensure operations in a remote working environment. Archer’s Third-Party Risk solution was leveraged to quickly tailor assessment needs and gather critical information from suppliers that, when combined with business impact analysis, allowed the customer to understand vendor criticality and adjust plans accordingly.

    Both of these examples are of course rewarding for me . . . seeing customers apply the capabilities of Archer in times of great stress gives a higher purpose to what we do. But they also tie to three existing trends in risk management that I see being fueled by the challenges of 2020.

      • Accounting for the complex interdependencies that make up modern businesses. By now it’s understood that most businesses rely on an expansive ecosystem to deliver goods and services. A new urgency is shifting focus from cataloguing third parties towards enabling a more proactive, ongoing assessment of vendors and the operational or regulatory risk they pose.
      • The opportunity presented by leveraging technology platforms that truly understand risk. If ever there was an area of risk management ripe for the benefits of a consolidated platform for assessing and managing risk, it would be BCM. The gaps that 2020 exposed in organizations are one of the reasons we see leading analysts and other experts predicting that as BCM programs transform, many will move into an Integrated Risk Management (IRM) platform to better support responsiveness.
      • The value of peer insights that reside collectively within the risk management community. Within the Archer team we’ve been doing a great deal of research around the over 1,300 deployments of our technology, and how intersections across certain risk domains tend to correlate with higher measures of risk management maturity. 2020 created many opportunities for our team to apply that collective knowledge to help customers respond to new challenges.

    These three take-aways from the events of 2020 remain very much on the minds of the team at Archer, and in 2021 we look forward to continuing to work closely with customers and the risk management community to advance us all on the journey towards greater operational resiliency. Read our Key Principles in Building Operational Resiliency whitepaper to learn from Archer experts how to transform from business continuity to broader operational resiliency.

  • Ahead in the Clouds: A Simplified Approach to Managing Risk

    As businesses chart a path into the next phase of the new normal, they face a myriad of risk management challenges. For some, settling into a future of full-time remote working is leading to a re-think on business process and cyber risk. For others, the complex task of transitioning employees back to physical locations means juggling safety, business continuity and regulatory requirements. For others still, monitoring the health and well-being of onsite employees and ensuring strict social distancing measures at physical sites is creating a significant burden. Bundle that with emerging business priorities that include minimising costs, running “lean” and simplifying operations, and leaders now have a lot to deal with. By the way – you may not be able to leave your house to achieve any of this.

With businesses rapidly shifting to digital to engage their customers and shifting to Software-as-a-Service (SaaS) to embrace cost savings and simplicity, it’s time risk teams did the same. With that in mind, I’d like to present to you the business case for Archer SaaS, an integrated risk management (IRM) solution delivered securely and efficiently in the cloud.

Why Digital for Risk Management?

Regardless of which “next normal” challenge you are working on right now, the one constant is that our operational business environment is going to keep changing. With the health crisis demanding a new approach to business operations, it’s obvious we also need a re-think on how to manage risk. With the move to remote working, there are no more water-cooler moments, corridor conversations or café catch-ups. Like it or not, these were important engagement channels for the risk team and often helped them pick up on emerging issues and problems “on the ground.” Archer believes that technology has a role to play in helping you engage your business on emerging matters that might otherwise go unreported – especially when those matters can’t simply “walk” into your office.

Having a digital solution in place that can underpin, standardise and automate elements of the organisation’s risk framework, while enabling rapid change, will be critical for any organisation that is serious about managing risk. Archer is built on these principles. Having a simple, approachable portal that makes it easy to engage the business in risk and compliance matters will be critical for bridging the gap created by remote and dispersed workforces. Whether it’s simple activities like reporting incidents, issues or ideas, or more sophisticated tasks like completing Risk & Control Self Assessments, Archer SaaS makes it easy to deliver your risk methodology in any location – be it home, office or on the road. Furthermore, being able to use the platform to integrate with other internal systems to automatically derive risk insights helps risk teams further bridge this gap. Archer provides the tools and techniques to ingest, analyse and report insights to the right people so that action can be taken. In short, Archer allows risk teams to extend their reach and support a positive risk culture in this increasingly virtual business environment.

Why SaaS for Risk Management?

SaaS offerings eliminate many of the costly and time-consuming activities associated with implementing and running business applications on-premises, such as purchasing and deploying hardware, administering upgrades and patching systems. Risk teams can achieve faster time to value with the rapid set-up and deployment that a SaaS model brings, compared to the significant lead times associated with getting your own infrastructure up and running on-premises. Second, risk teams don’t have to wait for upgrades or for access to new, efficiency-boosting and experience-enhancing features. With SaaS offerings, upgrades are seamless and regularly scheduled, giving risk teams and business users access to the latest features and capabilities more quickly.

Equally important, SaaS solutions generally scale more readily than on-premises applications. This is essential for the many organisations needing to rapidly provision access for their dynamic workforces. There is no need to have IT deploy and configure additional servers to accommodate more users or configure remote access. The fact that the solution is cloud-based means it’s accessible from anywhere, helping you extend your reach not just to your remote workforce, but to your extended enterprise of third-party suppliers. In short, Archer SaaS allows risk teams to focus on managing risk, rather than IT infrastructure.

But, is SaaS for Me?

The common questions I receive from risk and compliance leaders include: “Will a SaaS solution comply with requirements for local data storage?” “Will it be as configurable as an on-premises system?” “What happens if a SaaS provider experiences an outage?” While it’s true that data storage and configuration can be issues for some SaaS providers, Archer SaaS offers an Asia-Pacific-based (Australian) hosting option and maintains the robust configurability that customers have come to expect from the Archer on-premises offering. We’ve been doing this for more than 10 years and have customers from all around the world, including Asia-Pacific, running Archer in the cloud already. The outage question is one to put to any SaaS provider in terms of the availability commitments it publishes, and to answer on your own side with a continuity plan for the period the service is unavailable.

In a Time of Crisis, Archer Can Help

Amid an unprecedented global disruption, Archer has proven to help customers globally adapt for their next normal. For example, when a large health insurance provider needed to activate its business continuity plan to quickly make risk-based decisions across its IT, supply chain and workforce, they relied on the Archer Integrated Risk Management Suite. This customer was able to automate workflow and quickly analyse employee, process and risk data to execute its business continuity plan, order necessary equipment and prioritise how and when to activate appropriate recovery strategies. Customers from Asia-Pacific have shared that having access to updated business impact analysis (BIA) information has helped them respond more confidently and effectively to the disruption itself, and that the ability to keep their risk and compliance processes running during the crisis has been beneficial.

Embracing SaaS for IRM can bring agility, simplicity and cost flexibility. At Archer, we are proud to support many of our customers’ journeys to IRM maturity and to the cloud with Archer SaaS. Contact us to learn more about Archer SaaS.

Sam O’Brien is the Director of integrated risk management for Archer APJ.

  • Moneyball and Risk Analytics

    With the World Series wrapping up, it reminded me of Moneyball, a 2011 film based on an account of the Oakland Athletics baseball team’s 2002 season and their general manager Billy Beane’s attempts to assemble a competitive team. In the film, Beane and assistant general manager Pete Brand, a math whiz straight out of Yale University, were faced with one of the league’s lowest budgets for players, yet they built a team of undervalued talent by taking a sophisticated sabermetric approach to scouting and analyzing players. This approach flew in the face of traditional scouting, made up of men who believed that they could predict a player’s future success simply by observing how well he could hit a ball, throw a pitch or steal a base. After Beane’s wheeling and dealing for players that fit the mathematical profile, the A’s were reborn, going on to qualify for the playoffs and win the AL West Division with a 2002 regular season record of 103-59—just behind the Yankees for the best record in all of Major League Baseball. What does this have to do with risk management?

Risk Qualification

One of the traditional ways of evaluating risks is on a qualitative scale, such as high/medium/low or 1–5, the equivalent of a scout eyeballing batting, pitching or base stealing. However, as David Vose of Archer points out, “when (should) the probability of a risk be described as low? Below 10%? How about very low? Below 1%?” He goes on to say, “Qualitative terms describing risk are far too ambiguous, too difficult to challenge and agree upon, make poor use of available data and do not allow us to work out the most efficient risk management strategy.” This qualitative approach is like the baseball scouts that rated batters as ‘superior’ or ‘average’. Both ways of rating risks and batters are inherently biased. Though these measures are useful under some circumstances, they don’t tell you about the potential impacts in dollars and cents, the terms decision-makers can act on. Billy tells the old-school scouts that they must do something differently if they’re going to win with the salary restrictions they have.

Risk Quantification

Billy and Pete took a different, quantitative approach to arrive at the outcome they wanted, which was to win. They calculated the interim goals that would get them there, like the average runs they needed per game, on-base percentage, etc. Then they selected the least expensive or most undervalued players with the right performance metrics that met their criteria, which maximized their budget. Businesses need to make money, turn a profit, and meet revenue goals and market expectations. Executives make decisions every day on business growth strategies, competitive moves or organizational changes based on the financial benefit or cost. For these executives to evaluate whether they should spend resources to address a risk versus seize a business opportunity, they need to compare the cost and benefit against each other, in “apples to apples” terms. In its simplest terms: what is the cost, and what is the benefit, of addressing the risk? Risk quantification is the art and science of understanding the monetary impacts risks could have on the organization’s goals and strategies. It puts risk management into the language executives need to evaluate risks against the business’ strategic and operational goals, and is particularly important when risks are present that threaten the organization’s ability to meet its goals – just look back at the impacts the pandemic had on businesses and industries of all types and sizes. The sabermetric approach to scouting and analyzing players and the quantitative approach to measuring risks both start with the end in mind: wins and achievement of strategic goals, which are why the game is played. For more information on integrated risk management (IRM) and risk quantification, visit archerirm.com.

  • Why Resilient Organizations Consider Risk Beyond Their Four Walls

    No matter where an organization is positioned in a value chain, it will have to contend with risk. Even the most reliable and stable processes experience disruption, whether from natural disasters or an altered compliance landscape. Chaotic upstream challenges, fluctuating downstream capacity, regulations created in response to extreme market conditions, and changing public opinion mean that every organization needs to be prepared for risk beyond its four walls. When more than one vendor exists, there is a tradeoff between the efficiency of using a single third-party supplier or vendor and the threat to operational resilience should that single source be disrupted. However, if there is only one vendor, or if every supplier is disrupted at the same time, the need to include third-party risk in risk management plans becomes clear. There is no possibility of simply switching suppliers or vendors, so the third party’s operational resilience directly impacts your organization. Furthermore, in a digital era when anyone can research the relationships between your organization and the third parties within its network, the behaviors and practices of those third parties can lead to reputational damage to your organization. See how third-party risk should be woven into an organization’s risk management practices in “The State of Integrated Risk Management.”

Why You Need to Consider Third-party Risk

When mitigating risk and creating a culture of integrated risk management, focusing on the domains that are directly answerable to an organization itself is a great starting point. A risk-aware and compliant organization can respond faster during a disruption, leading to increased operational resilience. But no matter how robust the internal processes and procedures are, in today’s world no organization can be truly independent. Third-party disruptions can take the form of input scarcity, a lack of qualified personnel to fill positions, softening demand, logistics issues, and even cyberattacks. There simply is no way to completely insulate an organization from third-party risk. As the SolarWinds attacks demonstrated, even something as routine as installing a software update from a trusted vendor can introduce serious risk. SaaS or other cloud services can expose an organization to third-party risk, even if the management and provisioning of the cloud software are performed by industry leaders. An organization that doesn’t integrate the risk posed by third parties into its risk management process remains vulnerable. Moreover, when third-party risk is dismissed or ignored, the threat of disruption cannot be properly quantified, potentially leaving threats unmanaged and opportunities squandered. Visibility into third-party dependencies improves the oversight of products and services provided by third parties and needs to consider the potential business impacts, both positive and negative, of the relationship.

Third-party Relationships Can Pose Reputational Risk

The ability to perform due diligence to identify the types of risk third parties pose, to monitor third-party activities, and to mitigate risks and threats are key elements of managing vendor and supply chain risks. More than one-third of respondents in the 2020 RSA Digital Risk Survey stated that their number one priority regarding vendor and supply chain risk is an approach that integrates third-party risk management with enterprise and operational risk management. The deeply interconnected nature of today’s world hasn’t escaped the notice of end-users either. It is no longer considered credible to treat third-party malfeasance or negative externalities as outside the scope of an organization’s oversight process. Consumers making choices informed by ethical concerns have come to expect organizations to devote resources to third-party monitoring and to enforce higher standards on third-party vendors. Extreme labor conditions at a third-party supplier for a major device manufacturer can quickly redound on an otherwise well-respected organization. The complexity of an enormous web of suppliers and vendors may not insulate an organization from negative public opinion. We recommend organizations implement a programmatic and risk-driven approach to identify, assess, evaluate, treat, and monitor third-party risk, including risk related to third-party employees and their activities.

Compliance in the Financial Sector and Elsewhere

During and after the mortgage crisis, the practices of financial organizations that relied upon third-party assessments for credit ratings of investment instruments were called into question. The press and regulators now view an organization’s relationships with third parties as less of an airtight barrier to ethical and legal concerns than before. When it comes to reputation and regulation, third parties are often seen as an extension of an organization rather than completely independent. Regulators are establishing increasingly higher standards of accountability for the oversight of third-party relationships, and therefore organizations need to consider multiple elements of third-party risk, including financial impacts, resiliency, security, and compliance. The United States Department of Justice has updated its guidance on evaluating corporate compliance to include whether an organization has made a good faith effort to ensure its third-party vendors are compliant.(1) Resilience to outside risk is now directly mandated by regulators. Financial institutions must undertake rigorous stress tests that quantify the results of extreme disruption. A financial organization that is found to lack the capital reserves to survive a tested risk is required to either grow its reserves or alter its operational profile to be able to meet the stress-test requirements. We have found that this has become a key concern for many financial organizations. Almost 50% of financial services respondents in the 2020 RSA Digital Risk Survey stated a risk-based compliance methodology is the number one priority when it comes to keeping up with regulatory obligations.

Why Third-party Risks Affect Operational Resilience like Internal Risks

A consolidated view of all third-party relationships and an understanding of which third parties are most important to ongoing operations provides the ability to scale the number of assessments that can be completed and streamlines the response to open issues identified during the assessment process. It is important to start quantifying third-party risks the same way internal risks are measured. This will provide a common framework for analyzing the impact of both internal and external disruptions. Benefit from our analysis of Archer customers and 20+ years of evaluating risk trends. Download our whitepaper, “The State of Integrated Risk Management,” to discover how to make your organization more resilient by protecting against multiple sources of risk, including those beyond your four walls.

(1) https://www.justice.gov/criminal-fraud/page/file/937501/download

  • Get Better Business Outcomes with a New Approach to Risk Communication

    Communication plays a vital role in enabling organizations to integrate the concept of risk management into day-to-day operations. Your risk program communication isn’t just a way to manage your reputation and image with third parties, media, and regulators. Being able to effectively communicate risk within the four walls of an organization is a crucial tool for creating a more risk-aware organization, in order to optimize your business while managing risk. Communicating risk effectively is a continuous process requiring all parties to articulate not just the sources of risk, but the bottom-line consequences. All involved must be made aware of potential risks, and the lines of communication must always be left open. It isn’t enough anymore to treat risk communication as a simple tick-the-box exercise that only demonstrates process compliance without connecting to the real-world consequences of the risks being communicated. Being able to place hard and fast numbers on the consequences of each type of risk allows real-world effects to be communicated in a universal language. This can increase operational resilience by helping to align responses to threats with the goals of the organization. Increasing operational resilience with risk communication is only one part of a mature integrated risk management strategy, which we outline in our whitepaper, “The State of Integrated Risk Management.”

Communicating Risk across Departments

Effective communication of operational risk should put specific eventualities in the context of the disruption that could occur. For many organizations, translating risk between departments can be a serious challenge. Traditional tools like qualitative risk analysis try to use subjective terms or visual heat maps to communicate the severity of various eventualities, but this can fall flat when two different domains are being compared. An organization’s reduced ability to operate might mean lost uptime, lower profits, or other negative outcomes. This needs to be quantified and communicated to the personnel who are in a position to mitigate the risk. Furthermore, when the likelihood and impact of a risk are quantified, it becomes possible to communicate and aggregate the impact of risks to stakeholders without hitting interdepartmental language barriers.

How Risk Quantification Helps Risk Communication

Risk management is the core ingredient in mitigating any potential threats to the success of an organization. Threats should ideally be identified and dealt with before their effects can be felt in your project. Risk assessment involves the measurement and analysis of risk to provide concrete information for risk control programs. The process of quantitative risk assessment involves four fundamental steps:

1. Identify the risk and establish an applicable mathematical model.
2. Collect the basic and necessary information or data available via historical records, extrapolation, expert surveys, and so on.
3. Select suitable analytical methods and models to evaluate the data, and adjust the models to the specific circumstances.
4. Define the scale and likelihood of the risk.

The process of identifying risk has traditionally been either a top-down exercise or the domain of risk management departments or consultants. New digital tools have made it possible for front-line personnel to communicate emergent risk in real time. Instead of risk communication tools being an output-only means of relaying directives to the front lines, organizations using integrated risk management software can gather information from stakeholders about conditions on the ground. The ability to monitor conditions with real-time reporting from the personnel closest to the risks couldn’t come at a better time.
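The quantitative approach argued for in the Moneyball post above (monetary impacts executives can compare “apples to apples”) and the four-step process just described can be carried through end to end in a short simulation. The following is an added example, not code from Archer or from either article: it models one hypothetical loss scenario as a Poisson number of events per year, each with a lognormally distributed loss (step 1), takes its rate and loss parameters as constructed inputs standing in for the data of step 2, runs a seeded Monte Carlo simulation (step 3), and reports expected annual loss, a 95th-percentile bad year and the probability of any loss in a year (step 4). All scenario names, numbers and the control cost are invented for illustration.

```python
"""Monte Carlo risk quantification for a single loss scenario.

Added example; not Archer code. The scenario parameters below are
constructed illustrations, not measured data.
"""
import math
import random
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List


@dataclass(frozen=True)
class LossScenario:
    """One risk modelled as a compound Poisson process.

    events_per_year: expected number of loss events per year (Poisson rate).
    median_loss:     median loss of a single event, in currency units.
    loss_sigma:      spread of single-event loss, as the standard deviation
                     of its natural logarithm (lognormal magnitude).
    """
    name: str
    events_per_year: float
    median_loss: float
    loss_sigma: float


def poisson(rate: float, rng: random.Random) -> int:
    """Draw one Poisson-distributed count (Knuth's multiplication method)."""
    limit = math.exp(-rate)
    count, product = 0, rng.random()
    while product > limit:
        count += 1
        product *= rng.random()
    return count


def simulate_annual_losses(scenario: LossScenario, trials: int, seed: int = 1) -> List[float]:
    """Simulate `trials` years. Each year: draw how many events occur, then
    draw and sum a lognormal loss for each event. Seeded, so repeatable."""
    rng = random.Random(seed)
    log_median = math.log(scenario.median_loss)
    years = []
    for _ in range(trials):
        events = poisson(scenario.events_per_year, rng)
        years.append(sum(rng.lognormvariate(log_median, scenario.loss_sigma)
                         for _ in range(events)))
    return years


def analytic_expected_loss(scenario: LossScenario) -> float:
    """Closed-form mean of the same model, used to sanity-check the simulation:
    rate * E[lognormal] = rate * median * exp(sigma^2 / 2)."""
    return scenario.events_per_year * scenario.median_loss * math.exp(scenario.loss_sigma ** 2 / 2)


def percentile(values: List[float], p: float) -> float:
    """Nearest-rank percentile of a sample (p in [0, 1])."""
    ordered = sorted(values)
    return ordered[int(round(p * (len(ordered) - 1)))]


def summarize(scenario: LossScenario, trials: int = 20000, seed: int = 1) -> Dict[str, float]:
    """The figures an executive can act on: expected annual loss, a bad-year
    (95th percentile) loss, and the chance of suffering any loss in a year."""
    losses = simulate_annual_losses(scenario, trials, seed)
    return {
        "expected_annual_loss": mean(losses),
        "p95_annual_loss": percentile(losses, 0.95),
        "prob_any_loss": sum(1 for x in losses if x > 0) / len(losses),
    }


def net_benefit(before: LossScenario, after: LossScenario, annual_control_cost: float,
                trials: int = 20000, seed: int = 1) -> float:
    """Expected annual loss avoided by a control, minus the control's annual
    cost. Positive means the control pays for itself in expectation."""
    eal_before = mean(simulate_annual_losses(before, trials, seed))
    eal_after = mean(simulate_annual_losses(after, trials, seed))
    return eal_before - eal_after - annual_control_cost


# Constructed scenario (hypothetical numbers): a ransomware incident that
# happens about twice a year with a median cost of 50,000 and a wide spread.
BASELINE = LossScenario("ransomware, current controls", 2.0, 50_000.0, 1.0)
# Hypothetical control that halves the event frequency, magnitude unchanged.
MITIGATED = LossScenario("ransomware, with control", 1.0, 50_000.0, 1.0)
CONTROL_COST = 50_000.0  # hypothetical annual cost of that control

if __name__ == "__main__":
    for s in (BASELINE, MITIGATED):
        print(s.name, {k: round(v, 2) for k, v in summarize(s).items()},
              "analytic mean:", round(analytic_expected_loss(s)))
    print("net benefit of control:", round(net_benefit(BASELINE, MITIGATED, CONTROL_COST)))
```

Run it directly to print the figures. `net_benefit` is the apples-to-apples comparison the post asks for: expected annual loss avoided by a control minus what the control costs per year, with a positive result meaning the control pays for itself in expectation. `analytic_expected_loss` is the closed-form mean of the same model and is there to check the simulation, not to replace it, since the percentile and probability figures have no such simple formula once losses are summed over a random number of events.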
Today’s challenges require managing a cultural shift from reactively checking the boxes for compliance to a proactive risk management model that necessitates participation across the organization. Instead of front-line workers only identifying risks during an audit or during an emergency, integrated risk management platforms allow for constant communication through every level of an operation. A study by PwC (1) found that organizations that shift risk management responsibilities to the front line were more likely to show profit and revenue growth over the next two years and were able to recover from adverse events more quickly.

Communication, Compliance, and Management

Organizations that have established programs in individual domains should be working to expand their risk focus and improve visibility, analysis, and metrics. Finding common processes or data to share is a great first step to bringing together risk management functions and achieving risk maturity. The overwhelming majority of organizations that have begun to use the Archer platform for operational risk management extend their engagement with our tools into compliance management. In fact, 91% of our customers who license operational risk management use cases also license compliance use cases, substantiating the close connection between risk and compliance processes. With a well-established and integrated communication program, stakeholders should understand that they are not just passive participants in an organization’s operations. Compliance and risk management are everyone’s responsibility. We recommend organizations establish formal processes for stakeholders to understand and manage changes that may affect the organization’s compliance, including how new and changing activities may impact the organization’s obligations. We also recommend organizations implement controls based on issues or gaps identified via the compliance process, to reduce risks and prevent compliance issues from recurring. New technologies can provide a tight connection between issues being identified on the ground and organizational responsiveness. A technology-enabled approach to building operational resilience across the organization will transform the efficiency of your incident, crisis, and recovery teams. By knowing the most critical areas of the business and effectively handling day-to-day incidents, you can respond swiftly in crisis situations to protect your ongoing operations. The last year has shown just how rapid changes in operational risk and regulatory compliance can be.

Fitting Risk Communication into an Overall Integrated Risk Management Strategy

Without the ability to effectively and efficiently address increasing risk, organizations struggle to respond to business risks and miss opportunities to capitalize on growth or to meet other strategic objectives. That’s why organizations need to focus on achieving operational resilience through integrated risk management. Benefit from our 20+ years of industry leadership knowledge. Get our whitepaper, “The State of Integrated Risk Management,” today to discover how your organization can break down communication silos to better mitigate and thrive through disruptions and an evolving risk landscape.

(1) PwC. 2020. PwC 2020 Global Risk Study. [online] Available at: <https://www.pwc.com/us/en/services/consulting/risk-regulatory/library/2020-global-risk-study.html/> [Accessed April 12 2021].
