Search Results

  • Balancing Autonomy and Integration in Audit Functions

    In today's complex environment, audit functions must strike a balance by retaining autonomy while integrating with compliance and risk functions. This balance ensures that organizations follow policies, manage risk, and comply with regulatory requirements. Audit autonomy is critical to ensure objectivity, provide unbiased assessments, preserve the credibility of audit findings, and maintain trust with internal and external stakeholders. At the same time, integration with other business functions is essential to gain a holistic view of risks across the organization, monitor emerging risks, and anticipate risks to take proactive measures.

    Importance of Audit Autonomy

    Audit autonomy is critical for effective auditing and is essential to maintaining objectivity, credibility, and trust, which are crucial for the audit function's success. Autonomy ensures auditors can perform their responsibilities objectively without undue influence from any business functions they are auditing. This autonomy is essential for providing unbiased assessments of risk management, control, and governance processes. In addition, auditors can evaluate policies without pressure, leading to accurate and reliable findings. For an effective audit function, auditors must be trusted by stakeholders, including the board, senior management, and external regulators. Stakeholders who trust auditors' integrity and independence are likelier to act on audit recommendations and findings. This trust is foundational for fostering a culture of accountability and improvement in an organization. An independent audit function can detect issues, inefficiencies, and non-compliance. When auditors lack autonomy, they might be pressured to overlook or downplay negative findings. With autonomy, auditors can conduct investigations and report candid findings to ensure that issues are addressed and risks are mitigated before they escalate.
    Ensuring auditors can operate independently while maintaining the integrity and effectiveness of the audit process ensures organizations manage risks, improve compliance, and strengthen governance.

    Importance of Integration with Other Functions

    While audit autonomy is critical, integrating with risk and compliance functions is equally important. This integration enhances the audit process. Integration with other business functions allows auditors to have a comprehensive view of risks across the organization. When understanding an organization's risks, auditors can provide more proactive measures and strategic recommendations. With integration and better information sharing, auditors perform more efficient audits and more effective risk management. Integration enables auditors to access critical data and improve the quality of audit outcomes. Getting insights from visibility into other functions allows for better risk management by addressing issues before they escalate. Auditors help develop proactive strategies to mitigate risk instead of reactive management. Auditors can ensure that policies are enforced consistently across the organization, reducing the risk of non-compliance and helping avoid penalties. Integration with audit, risk, and compliance functions allows an organization to manage risks effectively, ensure compliance, and enhance operational efficiency. Maintaining autonomy while integrating audit functions with risk and compliance functions enhances the organization's ability to effectively identify, assess, and mitigate risks. By implementing these strategies, organizations can achieve a proactive approach to risk management, compliance, and governance, ensuring resilience and sustainability in today's business environment. This integration is critical for conducting effective audits that provide insights and recommendations to support decision-making and regulatory compliance.

    The Archer Solution

    With Archer Audit Management, you have the flexibility to define your audit universe independently or by leveraging the controls defined in the rest of the system. Archer is uniquely positioned to allow for flexibility based on how your company operates. With the introduction of Audit Engagement Templates, companies now have a faster way to go from zero to engagement. The new process reduces the dependencies on other departments, all while allowing for integration where and when it is needed. Contact us to learn more about how Archer Audit Management can give your audit teams autonomy without losing visibility into other functions for proactive and risk-based audits.

  • AI Governance: From Buzzwords to Best Practices

    AI will most likely win the buzzword award for 2023. ChatGPT and Google Bard have opened the eyes of millions to the potential benefits of AI. Additionally, AI introduces opportunities for organizations to exponentially increase efficiency and cut costs; unfortunately, AI also introduces new risks to these same organizations. In March 2023, over 30,000 individuals, including well-known technology leaders, signed an open letter asking organizations to pause their work on advancing AI beyond the capabilities of ChatGPT-4 for at least six months. In their letter, they called for policy makers and AI developers to work together to accelerate the development of strong AI governance. They claimed governance should include the oversight and tracking of high-risk AI systems, research of watermarking technologies to distinguish reality from fiction, robust auditing systems, and enforcement of risk management for AI-specific risks. While generative AI has caused quite a stir today, regulations around AI have been in the works for quite some time. The European Union (EU), per usual, arrived first at the scene with their wide-sweeping AI Act. Penalties under this law could cost organizations up to 30M euros or 6% of their revenue for non-compliance. Regulators over the financial sectors in the US and the UK have also declared that AI models need the same level of attention and rigor as any other model undergoing model risk management. In addition, the White House has released an AI Bill of Rights, specifically intended to help policy makers draft effective AI regulations, hinting that more regulations are coming to the AI space.

    Why AI Governance is Needed

    In short, the purpose of AI governance is to avoid and mitigate harm by building trustworthy AI. Organizations serious about AI governance should consider taking a “do no harm” oath regarding AI. When AI is used to make decisions that affect humans, harm may befall your customers, employees, community, or society.
    AI governance needs to address the potential impacts and harm to groups during the entire lifecycle of AI. Trustworthy AI has different definitions based on who you ask, but most have the same general premise. The EU AI Act defines trustworthy AI as “legally compliant, technically robust, and ethically sound.” The National Institute of Technology and Standards (NIST) outlines characteristics of trustworthy AI in the AI Risk Management Framework (AI RMF), such as valid and reliable, safe, secure and resilient, accountable and transparent, explainable and interpretable, privacy-enhanced, and fair – with harmful bias managed. While we’re speaking of NIST, Archer customers should check out the Archer NIST AI Risk Management Framework app-pack on the Archer Exchange. It enables you to utilize the NIST AI Risk Management Framework to assess your AI implementations and determine the posture of your current AI implementation through a comprehensive risk assessment. It helps you design and implement effective risk mitigation strategies to address the gaps from the current implementation to the target implementation. The idea is that building and using trustworthy AI reduces harm. That’s what we are striving for when instituting AI Governance.

    How to Govern AI at Your Organization

    If you have been in risk management for a while, you can guess what general steps are required. At a high level, a general framework of AI governance would include identification and documentation of your AI systems, risk analysis and evaluation, implementation and testing of controls, and ongoing monitoring. Let’s break these down.

    #1 Identification

    To start managing AI systems, you have to know what AI systems you are using. NIST and the EU AI Act provide good definitions of AI. Basically, any system using machine learning, logic-based, knowledge-based, or statistical approaches is considered to be AI. That covers a lot. And that is much more than just ChatGPT.
    When you document your AI systems, it’s critical you collect and document specific information. Important details include:

      • Context – the intended purpose, benefits, norms and expectations, people involved, settings in which it’s deployed, goals, instructions on use, etc.
      • Development details – methods and steps used to develop the AI system, key design choices, system architecture, data requirements, validation and testing information, etc.
      • Monitoring information – the incident management process, key performance indicators, review cycles, etc.
      • Risks and impacts – identified risks, how risks are managed, potential impacts to consumers, employees, society, communities, organizations, etc.
      • Change management – historical log of changes to the AI system

    For more information, review the “map” categories in the NIST AI RMF, as well as the EU AI Act section on technical documentation and summary data sheet.

    #2 Risk Assessment

    The purpose of assessing the risk of your AI systems is to understand the potential harm they could cause and to know the level of controls you should apply. Typical information system risk assessments prioritize systems based on the data classification housed and processed within the system, as well as the functional importance of the system to the organization. This same thought process applies for AI systems, but organizations should also take into consideration the usage of the system. The EU AI Act, for example, outright bans certain uses of AI, or AI systems that cause specific impacts. Any systems that might exploit vulnerable groups or violate rights in any way are prohibited in the market. Using AI to socially score an individual or perform real-time biometric identification in public spaces is also prohibited. High-risk AI systems might include systems that assist with education, like determining which students to admit to your school, which ones get into certain programs, etc.
    Any system used for hiring or firing would be considered high risk. Systems that determine who gets access to essential services, like determining your future credit score, would be considered high risk. AI systems that don’t make predictions or decisions are generally less risky. For more information, review the NIST AI RMF “Measure” categories, the EU AI Act on risk levels, the NIST Risk Management Framework, or regulations on Model Risk.

    #3 Implement and Assess Controls

    It is recommended to put in place strong controls at every stage of the AI lifecycle. This includes stages like design, development, evaluation and testing, deployment, operation, and eventual retirement. Generally, controls should be put in place to respond to and manage identified risks during your risk assessments. The objective is to maximize the benefits of AI, while minimizing the negative impacts. Examples of controls include, but are not limited to:

      • Drafting policies that cover AI values and governance
      • Conducting ethical assessments
      • Keeping up-to-date technical documentation
      • Enforcing data governance
      • Continuously identifying and managing risks and impacts
      • Conducting model reviews, validation, and performance monitoring
      • Creating clear deployment strategies
      • Implementing strong change management
      • Setting clear decommission strategies for AI systems

    NIST recommends implementing and testing these types of controls based on the risk level of your AI systems. Under the EU AI Act, high-risk AI systems must undergo a conformity assessment to prove that their system has conformed to the highest standard of controls. This conformity assessment covers topics as shown above and more. Without a conformity assessment, you cannot deploy your AI system in the EU market. It’s expected that the US will have similar requirements in future legislation.

    #4 Ongoing Monitoring

    Once the risk analysis, evaluation, and control selection have been completed, organizations should continuously monitor their AI systems in production. Ongoing monitoring includes activities like control reassessment, regular reviews, incident tracking and management, and risk identification. Organizations should be proactive in reporting incidents to the proper stakeholders, as there has been greater emphasis on incident disclosure requirements. Trust that it’s better to be ahead of the curve in this space than behind. Organizations should be tracking their own incidents and managing them in an effective way. When logging and reporting incidents, organizations should track things such as the incident summary, reporter, source system, dates of occurrence, impacts of the incident, and the affected stakeholders. These incidents will need to be shared both internally and externally in many cases, so organizations should plan now on their communication strategy.

    Conclusion

    Risk managers can leverage current frameworks in place to help govern AI, but will need to adapt to the unique challenges presented by AI. By identifying AI systems, prioritizing them based on risk, applying controls, and monitoring their systems, organizations can build and use more trustworthy AI and avoid negative impacts and harm. Teams working to manage risks posed from AI will also need to be very agile in the rapidly developing regulatory space. For example, the current version of the NIST AI Framework, most model-related regulations, and even the EU AI Act were written to help mitigate risks from traditional AI, not generative AI (GAI). GAI presents its own unique challenges and risks. While these regulations and frameworks have lots of overlap, organizations that don’t adapt to these new AI technologies expose themselves to very large risks. Risk teams need to be looking ahead at what is to come and start their efforts now to institute proper AI governance.

  • Understanding Australia’s Operational Risk Management Standard (CPS 230)

    The Australian Prudential Regulation Authority (APRA) has finalized its Prudential Standard CPS 230 aimed at ensuring banks, insurers, and superannuation trustees can better manage operational risks, build operational resilience, and respond to business disruptions. The standard replaces several existing standards, including CPS/SPS 232 Business Continuity Management and CPS/SPS 231 Outsourcing. The key requirements of CPS 230 are:

      • Strengthen operational risk management through new requirements to address identified weaknesses in existing controls.
      • Improve business continuity planning to ensure organizations are positioned to respond to severe disruptions.
      • Enhance third-party risk management by ensuring risks from material service providers are appropriately managed.

    An APRA-regulated entity’s approach to operational risk must be appropriate to its size, business mix, and complexity.

    Latest Updates

    APRA has released an updated timeline for the implementation of CPS 230. In response to feedback received during the consultation period, APRA intends to:

      • Move the effective date for the new standard to 1 July 2025.
      • Provide transitional arrangements for pre-existing contractual arrangements with service providers, with the requirements in the standard applying from the earlier of the next contract renewal date or 1 July 2026.

    How Archer Can Help

    Archer can play an important part in helping organizations manage their compliance with CPS 230. For example:

    Archer Enterprise and Operational Risk Management enables organizations to:

      • Define risk appetite supported by indicators, limits, and tolerance levels.
      • Assess the organization’s risk profile, including identifying and documenting processes and resources.
      • Ensure internal controls are designed and operating effectively.
      • Provide reporting that enables operational risk oversight at every level of the organization.

    Archer Resilience Management enables organizations to:

      • Identify and document their processes and resources for critical operations.
      • Document a business continuity plan (BCP) that sets out how the entity would identify, manage, and respond to a disruption within tolerance levels and can be regularly tested against severe but plausible scenarios.
      • Monitor, analyze, and report on operational risks and escalation of incidents and events.

    Archer Third Party Governance enables organizations to:

      • Manage service provider arrangements.

    Archer facilitates reporting and notifications to APRA and other stakeholders, including the board, which oversees the entity’s operational risk management, BCP, and management of service providers. For more information or to speak to an Archer expert, you can contact us here.

  • Understanding Canada’s Operational Resilience and Operational Risk Management Guideline

    The Office of the Superintendent of Financial Institutions (OSFI) released a draft guideline on October 13, 2023, on the operational resilience and operational risk management requirements of federally regulated financial institutions (FRFIs) operating in Canada and foreign bank branches authorized to conduct business in Canada. The draft guideline is open to public consultation until February 5, 2024.

    Key Requirements of the Guideline

      • Identifying the FRFI’s critical operations and mapping the internal and external dependencies (e.g., people, systems, processes, third parties, facilities, etc.) required to support critical operations.
      • Establishing tolerances for disruption in respect of an FRFI’s critical operations.
      • Conducting scenario testing to gauge the ability of the FRFI to operate within its tolerances for disruption across a range of severe but plausible scenarios.
      • Establishing a culture that promotes and reinforces behaviors that support operational resilience and proactively managing culture and behavior risks that may influence resiliency.

    The design and implementation of the FRFI’s operational resilience approach and operational risk management should be proportionate to the FRFI’s size, nature, scope, complexity of operations, strategy, risk profile, and interconnectedness to the financial system.

    The Relationship Between Operational Risk Management and Operational Resilience

    OSFI states that operational resilience (OpsRes) is built on the foundation of operational risk management (ORM). OSFI further asserts that OpsRes emphasizes the end-to-end performance of the FRFI’s critical operations across the organization, and as ORM matures it should also focus on the performance of operations end-to-end.

    How Archer Can Help

    The Guideline lists four outcomes FRFIs are expected to achieve related to operational resilience and managing operational risks:

      • The FRFI can deliver critical operations through disruption.
      • Operational risk management is integrated within the FRFI’s enterprise-wide risk management program and supports operational resilience.
      • Operational risks are managed within the FRFI’s risk appetite.
      • Operational resilience is underpinned by operational risk management subject areas, including business continuity management, disaster recovery, crisis management, change management, technology and cyber risk management, third-party risk management, and data risk management.

    Archer can play an important part in helping organizations build these operational risk management and operational resilience capabilities. For example:

    Archer Enterprise and Operational Risk Management enables organizations to:

      • Establish an enterprise-wide operational risk management framework.
      • Set a risk appetite for operational risks.
      • Ensure comprehensive identification and assessment of operational risk using appropriate operational risk management practices.
      • Conduct ongoing monitoring of operational risk to identify control weaknesses and potential breaches of limits/thresholds, provide timely reporting, and escalate significant issues.

    Archer Resilience Management enables organizations to:

      • Identify their critical operations and map internal and external dependencies.
      • Establish tolerances for the disruption of critical operations.
      • Develop and regularly conduct scenario testing on critical operations to gauge their ability to operate within established tolerances for disruption across a range of severe but plausible operational risk events.

    For more information or to speak to an Archer expert, you can contact us here.

  • How To Secure Access To Low-Cost Capital Through ESG Management

    ESG management, like any innovative concept, has sparked its fair share of controversy. Experts and nations engage in heated debates about the approach, the scope, and even the economic value of implementing an ESG management system in business. Amidst the ongoing debates, McKinsey has shed light on a compelling aspect: evidence is emerging that a strong ESG score can lead to approximately a 10% reduction in the cost of capital. Why, you may ask? Well, it all comes down to risk. When your business boasts a robust ESG proposition, it's better equipped to weather the storms threatening its ability to operate. MSCI Research noted that companies with high ESG ratings tend to be less vulnerable to systematic risks impacting the broad equity market or market-like sectors or industries than companies with low ESG ratings. Credit rating agencies are now factoring in ESG performance when assessing companies; those with lower credit ratings face higher risk premiums. Of course, ESG ratings have their fair share of critics, often lambasted for the inconsistency and opaque methodologies employed by the rating providers. However, financial institutions still rely on these ratings to evaluate the ESG performance of corporations. The alternative of hiring an army of ESG analysts to scrutinize every company in their portfolio is simply impractical. So, if your corporation aims to secure an accurate and positive ESG rating, you must understand the rating methodologies and align your ESG management programs and policies accordingly. Most methodologies assess two critical factors: exposure to ESG risks and ESG risk management. The former primarily revolves around your core business, which may be difficult to change without altering the fundamental nature of your operations. However, the latter is entirely within your control and responsibility. The question then becomes, how can you demonstrate effective ESG risk management?
    First, ESG efforts need to be seamlessly integrated into your governance structure. ESG risk management should become integral to your company's core operations, flowing through all three lines: from business users to risk managers to assurance functions like internal audit. Motivation plays a crucial role as well. It's incumbent upon management to establish ESG-related incentives for employees or even ESG challenges for individuals or teams. Healthy competition never hurts, especially when it aligns with corporate values, strategy goals, and a purposeful mission. Second, ESG risks must be appropriately managed and mitigated. Common sense dictates integrating ESG risk management into your existing enterprise risk management framework. And most importantly, companies must allocate sufficient resources to their sustainability initiatives, such as investing in technology to integrate sustainability into risk management. Many of today's ESG challenges focus on data collection processes, standardization, and maintaining a dynamic overview of ESG risk management posture. A robust ESG risk management program inherently leads to more consistent operational performance and sustainable long-term growth. Archer's ESG solution enables organizations to collect and centralize ESG data into a single platform, evaluate the impact of risks and the opportunities on business strategy, understand 3rd party ESG risks, set ESG goals, and produce auditable reporting all from one integrated platform. If you would like to learn more about how Archer ESG Management can help your organization achieve its ESG goals and objectives, we invite you to our webinar hosted by Verdantix and Archer titled "California's Climate Change Legislation: What Your Business Needs to Know".
    In this webinar, you will:

      • Gain an understanding of the key provisions of California's new regulations and how they impact your organization's compliance and sustainability reporting.
      • Discover the broader implications of these groundbreaking California laws on corporate climate reporting, accountability, and sustainability programs.
      • Learn about technology that can help you manage and advance your ESG program.

    We hope you can join us for this informative webinar.

  • Debunking the Complexity of Risk Quantification

    As a go-to-market lead at Archer for our Enterprise Risk Quantification practice and Archer Insight product, I’ve had the opportunity to speak with thousands of customers and risk practitioners across the ERM and GRC space. While there is a market desire to quantify risks, the desire to adopt risk quantification is often met with hesitancy, no thanks to perceptions that risk quantification is reserved for only mature users or users with access to rich data analytics and modeling expertise, and to challenges in demonstrating the value of risk quantification beyond specific risk functions like cyber. At Archer, we’ve taken these perceptions and challenges head-on when developing the Enterprise Risk Quantification practice behind our Archer Insight solution.

    Why Archer Insight?

    Archer Insight takes an enterprise approach to risk quantification that shifts previous perceptions and challenges associated with adopting risk quantification by prescribing a purpose-built risk quantification methodology for getting started with quantified risk assessment.

    Why Enterprise Risk Management?

    As you well know, the purpose of an Enterprise Risk Management program is to provide a holistic view of risk across the enterprise for visibility and governance of risks impacting the enterprise’s key initiatives. Recognizing the objective of the enterprise risk management program, quantification doesn’t need to be complex; it just needs to be better than what we are doing, which is likely qualitative and semi-qualitative risk heatmaps. Please join OCEG and Archer for our December 12 webinar, “Debunking the Complexity Around Risk Quantification,” where I’ll discuss how risk quantification is best suited for the enterprise risk management program, strengthening and delivering on ERM program objectives.

  • How to Nail Your Corporate Objectives in 2024

    It might seem like yesterday you were getting ready for spring and today you’re thinking about the new year. Like most people, you have a variety of resolutions in different buckets: physical health, mental health, finances, relationships, etc. Your company also makes resolutions in the form of corporate objectives. Corporate objectives are not mere aspirations or vague intentions; they are tangible targets that drive an organization's growth and success. They provide a roadmap for decision-making, resource allocation, and performance evaluation, ensuring that the organization's actions are aligned with its overarching goals. Chief risk officers and risk management teams play an important role in ensuring success as your company strives to reach new heights in the coming year. As you kick off strategic planning, there are some key questions to keep in mind:

    #1 - Which objectives matter most?

    Identifying the objectives that matter most requires a thorough assessment of your organization's internal and external environment. Consider factors such as:

      • Strategic priorities: Align objectives with the organization's strategic plan and long-term goals.
      • Industry trends: Identify emerging trends, monitor upcoming and current regulation, and adapt objectives to remain competitive.
      • Stakeholder expectations: Address the needs and expectations of key stakeholders, such as customers, employees, and investors.

    #2 - How can I demonstrate how corporate objectives were determined?

    Transparency and accountability are essential for building trust with stakeholders. Demonstrate how corporate objectives were determined by:

      • Documenting the process: Clearly document the steps involved in objective setting, including stakeholder input, risk assessment, and alignment with strategic priorities.
      • Communicating rationale: Clearly communicate the rationale behind each objective, explaining its relevance to the organization's overall goals.
      • Seeking feedback: Encourage feedback from stakeholders on the objectives and the process used to develop them.

    #3 - How can I measure the progress of corporate objectives?

    Measuring progress towards achieving corporate objectives is essential for staying on track and making informed decisions. Establish clear metrics and indicators for each objective, such as:

      • Key performance indicators (KPIs): Quantifiable measures that track progress towards achieving specific objectives.
      • Milestones: Significant markers of progress along the way, indicating successful completion of intermediate steps.
      • Regular reviews: Conduct periodic reviews to assess progress, identify challenges, and make adjustments as needed.

    #4 - How can I track progress made from the starting point?

    Tracking progress from the starting point provides valuable insights into the organization's growth and development. Compare current performance against initial objectives using:

      • Benchmarking: Establish industry benchmarks to assess relative performance and identify areas for improvement.
      • Trend analysis: Track performance trends over time to identify patterns and assess progress towards objectives.
      • Gap analysis: Identify the difference between current performance and desired outcomes, providing a basis for improvement initiatives.

    #5 - What can be done if progress is off track?

    Recognizing and addressing deviations from objectives is crucial for ensuring success. When faced with setbacks:

      • Analyze the reasons: Identify the root causes of the deviation, whether they are internal challenges or external factors.
      • Develop corrective actions: Implement appropriate strategies to address the underlying causes and get back on track.
      • Communicate openly: Keep stakeholders informed about the situation and the steps being taken to rectify it.

    #6 - How can we reliably achieve corporate objectives?

    Achieving corporate objectives reliably requires a comprehensive and well-structured approach:

      • Establish clear ownership: Assign ownership of each objective to specific individuals or teams.
      • Provide adequate resources: Allocate necessary resources, such as funding, personnel, and technology, to support objective achievement.
      • Embed objectives into processes: Integrate objectives into day-to-day operations and decision-making processes.
      • Monitor and measure progress: Regularly monitor progress towards objectives and make adjustments as needed.
      • Celebrate successes: Recognize and celebrate achievements to maintain motivation and engagement.

    Risk management teams must work closely with company executives and the board to ensure that strategic planning and decision-making processes produce reliable results. By aligning individual and team goals with the company's objectives, and fostering a culture of accountability, your company can achieve and even surpass your desired outcomes. Contact us today to learn how Archer can help you reach your corporate objectives in 2024.

  • The State of Operational Resilience for 2024

    Today, global regulatory pressures coupled with unforeseen disruptive events pose substantial challenges for companies that are working to build operational resilience. These challenges are driven by a myriad of factors including rapid technological advances, geopolitical unrest, and the escalating pace of global economic shifts. Now more than ever, your organization must be proactive in mitigating these challenges to remain operational and competitive. The Growing Focus on Operational Resilience Operational resilience has become a key topic in boardrooms and executive suites for good reason: Cybersecurity threats: As organizations digitize their operations, the risk of cyber threats increases. From ransomware attacks to data breaches, the potential impact on operational resilience and reputation is substantial. Supply chain vulnerabilities: Global supply chains are interconnected and vulnerable to disruptions caused by geopolitical events, natural disasters, or unforeseen challenges such as the recent global supply chain issues. Regulatory demands: Regulatory bodies are increasingly emphasizing the importance of operational resilience. Compliance with standards such as the Digital Operational Resilience Act (DORA) in the European Union highlights the need for a proactive and strategic approach. Technological dependencies: Reliance on intricate technological ecosystems means that a failure in infrastructure or a critical system can have cascading effects across an organization. Strategies for Enhancing Operational Resilience Operational resilience requires a coordinated, company-wide approach that goes beyond planning for recovery from disruption to fortifying all facets that drive your organization’s success. For many organizations, this approach necessitates a pivotal shift. But in doing so, you are able to better adapt to changes and disruptions while also optimizing processes, enhancing productivity, and fostering innovation.
A comprehensive strategy should consider the following elements: Prioritization: Your organization must use business impact analysis to prioritize what is most important to make resilient. These priorities should start with products and services offered to customers and cascade to the business units, processes, technologies, data, and other interdependencies. Integrated risk assessment: Conducting thorough risk assessments allows you to identify vulnerabilities and potential points of failure. This includes assessing risks related to business processes, technology, supply chains, and regulatory compliance. This risk assessment should incorporate groups across the second line of defense to coordinate their efforts. Robust cybersecurity measures: Investment in robust cybersecurity measures is essential, including regular assessments, employee training, and the implementation of advanced threat detection and response systems. Diversification of supply chains: Recognizing the vulnerabilities in global supply chains, it’s important to explore strategies for diversification and localization to mitigate risks. Scenario planning and testing: Adopting a proactive approach involves scenario planning and testing. Simulating potential disruptions enables you to identify weaknesses, refine response strategies, and enhance overall preparedness. Technological innovation: Utilizing technologies such as Archer, you can leverage artificial intelligence and data analytics to enhance predictive capabilities and improve overall resilience. Collaboration and information sharing: The importance of collaboration extends beyond organizational boundaries. Information sharing among industry peers and public-private partnerships can enhance collective resilience against shared threats. The Evolving Landscape The state of operational resilience for your organization must mirror the dynamic landscape your organization is navigating.
Operational resilience is not a static goal; it is an ongoing process of adaptation. As threats evolve, so must strategies for resilience. By embracing a proactive and strategic approach, investing in technology, and fostering collaboration, businesses can not only survive disruptions but emerge more resilient and better prepared for the uncertainties of the future. To learn more, register today to join Archer and BCI on January 11 for an informative webinar, Operational Resilience: Lessons Learned & Key Strategies for Success, to: Gain insights into lessons learned, current trends and best practices in operational resilience, and how to leverage these to enhance your organization's capacity to respond to unexpected disruptions. Understand the latest regulatory guidance concerning operational resilience and the potential implications for your organization. Learn effective strategies for adopting and executing Archer as an integral part of your organization's existing business continuity plans.

  • Archer Delivers SaaS to Customers in India with Launch of New Data Center

    Archer CEO Bill Diaz addressed these three terms in his keynote at Archer Summit 2023. Bill was speaking about the mindset that chief risk officers and risk teams need to adopt for success in today's operating environment. Coincidentally, I couldn't think of three better words to describe the mindset of the many people that we work with day in and day out, including our customers, our partners, executives and risk professionals working inside organisations that are looking for solutions to improve their programs. We listen and we understand the challenges they face, as well as the opportunities they want to harness. These terms also reflect the changing appetite for risk technology in the India market. We see organisations across all industries looking for risk technology that demonstrates: Agility -- the ability to reach multiple audiences and have the solution bend and shape to their needs. Resilience -- risk technology delivered in a resilient manner (i.e. secure and highly available) but that also delivers workloads that enable resilience in the organisation itself (e.g. enterprise risk management, cyber risk management, third party risk management). Foresight -- solutions that fuse global best practices, emerging practices (such as risk quantification and ESG) and emerging technology (such as AI) that also cater to local requirements (such as in-country cloud). In March 2023, Archer announced investments it was making in India, including doubling of our local account and solutions consulting team and plans for a new SaaS data center in India. Today, we’re pleased to launch the newest data center for Archer SaaS in India, which enables us to address the requirements of our customers in the region. SaaS adoption is climbing quickly, with the Indian SaaS ecosystem already the second largest globally. The Indian economy is set to become the third largest globally by 2030, and the demand for SaaS-based risk technology has never been higher.
Local regulators, including SEBI and the RBI, expect organisations doing business in India to have increasingly robust risk and IT governance programs, while ensuring their critical IT systems are secure and onshore. These capabilities are now must-haves. The Archer team in India is proud to enable risk management excellence for many Indian organisations. We are actively working with multiple marquee Indian customers in financial services and IT/IS to already run risk workloads in the cloud and to migrate some on-premises deployed customers to Archer SaaS. To learn more about Archer SaaS in India, please register your interest here.

  • Beyond the Firewall: Unveiling the Benefits of a Unified Security Management Approach

    “By 2027, 45% of chief information security officers (CISOs) will expand their remit beyond cybersecurity, due to increasing regulatory pressure and attack surface expansion” per Gartner®. We believe this isn't just an expansion of responsibility; it's a strategic shift towards unified security management, recognizing the interconnectedness of threats and vulnerabilities. But what are the actual benefits for CISOs and their businesses? Let's explore three key advantages: 1. Holistic Risk Mitigation: Imagine security siloed in a bunker, unaware of the cracks in the foundation. Traditional, cyber-focused approaches often miss broader vulnerabilities arising from physical security gaps, business continuity vulnerabilities, and even employee error. Unifying IT, physical, and operational security under one umbrella allows CISOs to identify and address holistic risks, preventing cascading failures and minimizing their impact on the business. Impact: This proactive approach can significantly reduce overall risk exposure, preventing costly breaches, production downtime, and reputational damage. Businesses benefit from increased resilience, a more agile security posture, and the ability to proactively manage potential crisis scenarios. 2. Streamlined Operations and Reduced Costs: Duplication of effort is a resource drain. Managing separate security tools and processes for each domain is inefficient and expensive. By consolidating under a unified platform, CISOs can streamline operations, optimize resource allocation, and eliminate redundant tasks. Impact: This reduces overall security management costs, frees up valuable resources for innovative initiatives, and improves operational efficiency. Teams can collaborate more effectively, share intelligence across domains, and respond to threats faster, boosting overall productivity and security effectiveness. 3. Enhanced Decision-Making and Strategic Alignment: Siloed data leads to siloed insights.
Without a holistic view of threats and vulnerabilities across the organization, CISOs struggle to make informed decisions and secure buy-in from key stakeholders. A unified platform provides a single source of truth, enabling data-driven decision-making and strategic alignment with business objectives. Impact: CISOs gain a deeper view of security risks and can prioritize investments based on business impact. This fosters trust and collaboration with leadership, aligning security initiatives with business goals and creating a culture of proactive risk management across the organization. In our view, the Gartner prediction isn't just a trend; it's a glimpse into the future of effective security management. By embracing a unified approach, CISOs can move beyond firefighting, mitigate holistic risks, streamline operations, and elevate their strategic impact. Businesses reap the rewards of increased resilience, reduced costs, and a more robust security posture, ultimately navigating the ever-evolving threat landscape with confidence. For a very limited time, we’re offering Archer customers and future Archer customers a complimentary copy of the report “Gartner’s Top Strategic Predictions for 2024 and Beyond — Living With the Year Everything Changed.” This Gartner report offers predictions for trends, challenges, and strategies that will impact risk management in 2024 and beyond. The report covers Gartner insights on the evolving risk management landscape, advancements in technology, regulatory changes, and their consequential impact on business practices. It also provides actionable insights and proven strategies for effective decision-making and risk mitigation in the coming year. Don't miss the opportunity to leverage Gartner expertise to stay ahead of the curve in 2024 and beyond. Read the report now!
Gartner, Gartner’s Top Strategic Predictions for 2024 and Beyond — Living With the Year Everything Changed, Daryl Plummer, Frances Karamouzis, and 36 more. GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

  • AWS and Archer SaaS in Saudi Arabia: Shaping the Future of Risk Management

    On March 4, AWS announced plans for a new infrastructure region within the Kingdom of Saudi Arabia in 2026, supporting Saudi Arabia's ambitious Vision 2030 goals, accelerating digital transformation, and promoting a secure and technologically advanced business environment. This strategic move signifies AWS’s commitment to the Middle East and also heralds a new era of integrated risk management for the region with Archer SaaS.   Archer intends to leverage AWS infrastructure in the region as soon as it becomes available, to enable delivery of unparalleled service performance and reliability for Archer SaaS. We understand the critical importance of data residency and security for businesses operating within Saudi Arabia. The planned AWS region in the Kingdom provides an opportunity to revolutionize how organizations operating in Saudi Arabia manage risk, assurance, and resiliency using Archer SaaS.   Archer's integrated risk management platform, powered by AWS, is far more than a mere tool – it's a comprehensive solution crafted to streamline compliance, enrich decision-making, and cultivate a culture of resilience and innovation. By leveraging advanced quantification and AI capabilities, Archer ensures assurance and fortifies enterprise resilience. Our holistic approach assures that organizations meet regulatory compliance and effectively mitigate risks. Archer SaaS paves the way for a more disruption-resistant digital transformation, enhancing resilience across technology, operations, and the extended enterprise.   As part of our continued support and investment in the region, the combination of AWS’s robust infrastructure and Archer's innovative risk management platform will ensure that Saudi businesses remain at the forefront of risk management best practices. Archer is ready to help redefine the landscape of risk management for businesses operating in the Kingdom. 
We aim to be a key player in enabling organizations to turn risk and compliance into a strategic advantage.   Interested in learning how Archer SaaS can elevate your organization’s risk and compliance management program? Contact us today.

  • What Executives Need to Know about the SEC’s Ruling on Climate-Related Disclosures

    On March 6, 2024, the SEC finalized its much-anticipated climate disclosure rule for public companies. The final ruling introduces new mandatory reporting requirements and presents a significant shift for public companies, impacting the entire C-Suite (CFOs, CIOs, CSOs, CCOs). Here's a breakdown of the key things executives need to know to prepare for these new mandatory disclosures. What the New Rule Requires: Material Climate-Related Risks. Companies must identify and disclose the present and predicted impact of climate change on their business. This includes physical risks (extreme weather, rising sea levels) and transition risks (regulatory changes, carbon pricing). Risk Mitigation Strategies. Outline the actions your company is taking to mitigate or adapt to climate-related risks. This could involve investments in clean energy, supply chain resilience strategies, or climate-resilient infrastructure. Board Oversight and Management Role. Demonstrate how the board oversees climate-related risks and how management integrates these considerations into strategic decision-making. Climate-Related Targets and Goals (if material). If your company has set climate targets (e.g., net-zero emissions by 2050), you'll need to disclose those, as well as any progress made towards achieving them. Financial Statement Impacts. Companies will need to disclose the financial implications of climate change, including capitalized costs associated with severe weather events and potential write-downs of assets affected by climate risks. Action Steps for Your C-Suite: Cross-functional Collaboration. Effective ESG reporting requires collaboration between finance, IT, sustainability, and legal teams. Establish a clear ESG task force with representatives from each department. Data Gathering and Management. Climate disclosures hinge on robust data. Assess your current data collection and aggregation practices.
Identify any gaps in your information and manual processes that could hinder the efficient collection of data related to climate risks and opportunities. Standardization and Consistency. Ensure consistent application of ESG metrics across the organization. For metrics and guidance, consider leveraging frameworks like the Sustainability Accounting Standards Board (SASB) or the Task Force on Climate-Related Financial Disclosures (TCFD). Technology Integration. ESG software solutions can significantly improve data collection, reporting, and scenario modeling. Evaluate and implement software that simplifies compliance and streamlines ESG integration into existing workflows and your enterprise risk management platforms. Internal Communication and Training: Educate your team on the new SEC rules and their impact on different departments. Foster a culture of transparency and accountability around ESG practices. How Archer ESG Solutions Can Help: Automated Data Collection. Archer ESG Management can quickly and efficiently gather, aggregate, and analyze ESG data internally and across your supply chain, empowering decision-makers with actionable, accurate, and timely data. Streamlined Reporting. Generate standardized ESG reports that comply with the SEC's new regulations and streamline disclosure processes.  Archer ESG Disclosure Management is a comprehensive solution that addresses the growing demand for transparency in ESG reporting and allows for systematic and efficient capture of climate-related disclosures. Materiality Assessment.  Archer Double Materiality Calculator helps you quickly and easily assess, calculate, and report on double materiality impacts. Pre-configured assessments based on the E.U. ESRS framework allow for the evaluation of impact and financial materiality assessment. Integrate to the ERM Suite.  The Archer platform allows you to connect to governance, risk, and compliance use cases for a holistic and programmatic approach.  
This connectivity provides an integrated view that ensures that ESG is not treated in isolation but rather as an integral part of a broader corporate ERM strategy. The Road to Sustainability The SEC's new climate disclosure rules mark a significant step towards greater transparency in corporate sustainability practices. By taking a proactive approach, prioritizing collaboration, and leveraging technology solutions, your organization can comply with regulations and demonstrate leadership in the evolving ESG landscape. Archer’s ESG solution enables organizations to collect and centralize ESG data into a single platform, evaluate the impact of risks and the opportunities on business strategy, understand 3rd party ESG risks, set ESG goals, and produce auditable reporting all from one integrated platform. If you would like to learn more about how Archer ESG Management Solutions can help your organization address the SEC’s latest rule on climate-related disclosures, download the whitepaper, ESG Reporting: From Data to Action.   For more information or if you would like to speak to an Archer ESG expert, you can contact us here.
