
  • Quantitative Risk Assessment in Enterprise Risk Management

    Organizations have long recognized the need to standardize risk management practices so that risks are identified and assessed consistently across the organization in enterprise risk management (ERM) programs. Most organizations currently use qualitative or semi-quantitative assessments, which are simple and repeatable and so can be scaled across an entire enterprise. But they can be coarse, unauditable, highly subjective, and ambiguous, and – crucially – they cannot be meaningfully aggregated. This leaves a highly fragmented representation of the organization’s risk landscape. Apart from substantially improving the fidelity and richness of individual risk assessments, quantitative assessment provides a method to aggregate risks, which allows this landscape to be defragmented.

    Risk quantification has become a common objective for risk management teams. In fact, there has been a slow march in that direction for years. Most organizations have transitioned from purely qualitative methods (High, Medium, Low) to categorized measures of likelihood and impact, such as estimated probabilities, bands of loss estimates and other semi-quantitative factors. But the incorporation of true quantitative measures, using event frequencies and financial exposures to calculate risk, has not yet become the norm.

    An ERM process should identify risks across an enterprise and assign ownership to them, resulting in a register of risks that articulates the uncertainties affecting the objectives of the enterprise. A combination of bottom-up and top-down identification can help build this picture. The former captures the immediate concerns and activities of the front line engaged in generating and protecting value in the enterprise; the latter imposes a categorical structure on the uncertainties expected to influence objectives and uses that structure to try to drive completeness.

    Quantitative assessment allows you to depict risks more faithfully, to differentiate between risks better, and to synthesize risks across the organization to deliver more insightful business information to help guide decisions. The major upside of embracing quantitative assessments is to transform risk management into a much more proactive and less reactive contributor to the business.

    Join us for an informative webinar as we discuss the important role and benefits of risk quantification in assessing, representing, and analyzing risks; how you can make informed decisions at an enterprise level through quantification; and practical steps to merge quantification techniques into your existing programs and workflows.

  • Organizational Trust and Third-Party Risk Management

    As organizations increasingly rely on third-party solutions and services to perform business functions, effective third-party risk management has become critical. With increasingly complex vendor ecosystems, third parties can introduce potential risks that organizations must prioritize in their risk management strategy. These risks include financial, security, reputational, and regulatory risks that can have significant impacts on an organization’s operations, finances, and reputation. One key element of effective third-party risk management is building and maintaining organizational trust. Organizational trust is a key factor in mitigating third-party risks. Including organizational trust in selecting vendors, due diligence, continuous monitoring, and building critical vendor relationships is important to ensure that your third parties' values align with your organization’s goals and priorities.

    Selecting a vendor

    When selecting a vendor, it is crucial to consider whether the vendor shares your organization’s values and goals. To be confident that a potential vendor is the right fit for your organization, you need to understand the vendor’s reputation for transparency, collaboration, and accountability. This knowledge will help you make informed decisions that align with your organization's priorities.

    Performing due diligence

    The due diligence process is essential to assess potential risks and vulnerabilities, avoid potential pitfalls, and establish relationships with third parties. By setting clear expectations and guidelines, establishing communication, and building trust with third parties during the due diligence process, you can ensure that the relationship is productive and collaborative.

    Including continuous monitoring in your third-party risk management strategy

    Continuous monitoring is a critical component of any effective third-party risk management strategy. By tracking and evaluating vendor performance on an ongoing basis, organizations can identify and respond to potential risks and vulnerabilities, ensure that vendors are meeting their expectations over time, and maintain strong relationships with their vendors.

    Building strong vendor relationships

    Building strong relationships with critical vendors is essential to maintaining trust and ensuring effective third-party risk management. Effective communication and transparency are critical components of organizational trust in third-party risk management. You need to establish clear expectations for your vendors around reporting and ensure that everyone understands the importance of reporting potential risks.

    Including organizational trust in your third-party risk management strategy is important to mitigate risks and ensure effective third-party relationships. Prioritize trust in vendor selection, due diligence, continuous monitoring, and building vendor relationships to ensure your third parties' values align with your organization’s values and risk is managed effectively. Visit Archer Third Party Governance for more information. Contact us to speak to an Archer Expert.

  • How Can You Understand Your Vendor's ESG Practices

    Organizations are increasingly prioritizing their Environmental, Social, and Governance (ESG) practices. As ESG gains prominence as a critical factor in evaluating the sustainability and ethical performance of organizations, it isn’t surprising that organizations want to understand and assess the ESG practices of their critical third parties. Understanding their vendors’ ESG practices is important for organizations to be confident that those practices align with their own ESG practices and values. With ESG rising as a third-party concern, the ability to determine a vendor’s ESG practices is becoming more and more important.

    How can an organization understand the ESG practices of its critical third parties? An effective way for an organization to understand its vendors’ ESG practices is through third-party assessments. These assessments are designed to evaluate a vendor’s ESG performance based on predetermined criteria and provide insight into their environmental, social, and governance practices. A third-party assessment can be conducted the same way an organization leverages questionnaires to determine a vendor’s risk. ESG assessments can be conducted through questionnaires that cover areas such as environmental impact, social responsibility, labor practices, governance, and ethical standards. These ESG assessments can provide valuable insights to an organization about its vendors’ ESG practices. The responses to questions can be used to calculate ESG ratings. Organizations can make decisions about vendors by leveraging the insights and ratings from these questionnaires – similar to how organizations manage and mitigate risk based on a vendor’s responses to risk assessments.

    Understanding a vendor’s ESG practices is crucial for organizations that are prioritizing ESG performance. Through third-party assessments, organizations can gain insights into their vendors’ ESG practices and make informed decisions about their vendors based on alignment with their own ESG practices and values. Archer is addressing the need for organizations to understand their vendors’ ESG practices by adding ESG capabilities to our Archer Third Party Governance solution. Organizations will be able to provide assessments to their vendors that include ESG questions and can use those responses to determine inherent and residual ESG ratings. Contact us to speak to an Archer expert about how you can monitor your critical third parties’ ESG practices.

  • Assignment: Chief Risk Officer

    We are all familiar with the famous tagline that accompanied the Mission Impossible assignments: “Your mission, should you choose to accept it…” This phrase was then followed by a seemingly unachievable goal that included incredible peril and a good chance of a dreadful demise. However, the team always pulled the assignment off using skill, creativity, and a good deal of luck. In today's rapidly changing and complex business environment, the job description of a Chief Risk Officer should probably start with the same line.

    Companies face a wide range of risks that could have significant impacts on their operations, financial performance, and reputation. Many companies have established the role of Chief Risk Officer (CRO) to shoulder the responsibility. In fact, Deloitte’s Global Risk Management Survey (12th edition) cited that 100% of its respondents had a CRO equivalent position. This survey targeted financial services companies, underscoring that the CRO role has been a stalwart within that industry for years, but the role of CRO has emerged across many sectors. The CRO is a senior executive responsible for helping the business manage all types of risks that the company faces, from operational and financial risks to strategic and reputational risks. The primary reason most organizations have a CRO is to improve risk management practices, ensuring the company has a comprehensive risk management framework in place. This includes the fundamentals of risk management - identifying and assessing all types of risks, developing risk mitigation plans, and monitoring risk exposure over time. The CRO should work closely with other senior leaders in the company to understand the business strategy and implement risk mitigation plans for possible obstacles. Ultimately, then, the CRO is primarily put in place to help the business make better business decisions.

    Companies that have a CRO in place can make better business decisions because the CRO provides senior management with timely and accurate information on the risks associated with various business activities. It takes a certain dedication to look at business objectives, such as entering new markets or launching new products, and analyze the possible obstacles. This is the mission of the CRO, should they choose to accept it: inspect corporate objectives and subject them to a level of scrutiny that identifies potential issues. Unfortunately, the results may sometimes be counter to the aspirations of the business, but that circumspection is incredibly valuable to success. With some skill, creativity and some luck for good measure, this mission impossible makes your business possible – or in risk terms, more probable. To learn more about the role of the CRO and integrated risk management, read our white paper “Integrated Risk Management: The Enterprise Capability Your Organization Needs”.

  • The Digital Operational Resilience Act (DORA)

    The Digital Operational Resilience Act (DORA) is a legislative proposal by the European Commission to strengthen the operational resilience of the financial sector in the European Union (EU). The proposed regulation aims to address the increasing reliance on information and communication technology (ICT) systems and digital operational processes in the financial sector. DORA sets out a framework for ICT risk management, incident reporting, and outsourcing arrangements for financial firms, such as banks, insurance companies, and investment firms. DORA puts the onus on the firm’s management to take “full and ultimate accountability” for the management of ICT risks, for setting and approving its digital operational resilience strategy, and for reviewing and approving the firm’s policy on the use of ICT Third Party Providers (TPPs), among other responsibilities.

    The DORA proposal was published in December 2022 and implemented in January 2023. Organizations must begin to comply with DORA starting January 2025. DORA applies to the vast majority of financial services (FS) firms operating in the EU. Even though DORA is an EU regulation, an organization located outside the EU is considered in scope if it has offices in the EU or provides services to a financial institution that provides services in the EU.

    What are firms required to do under DORA?

      - Set risk tolerances for ICT disruptions, supported by key performance indicators and risk metrics.
      - Identify their “Critical or Important Functions” (CIFs).
      - Carry out business impact analyses based on “severe business disruption” scenarios.
      - Use the new classification, notification and reporting framework to collect, analyze, escalate, and disseminate information concerning ICT incidents and threats.
      - Quantify the impact of incidents and analyze their root causes.
      - In the event of a significant cyber threat, notify regulators and provide information on appropriate protection measures taken to defend against the threat.
      - Demonstrate that they conduct an appropriate set of digital operational resilience and security tests on their “critical ICT systems and applications”.
      - “Fully address” any vulnerabilities identified by the testing.
      - If above a certain threshold, conduct “advanced” Threat-Led Penetration Testing (TLPT) every three years and include all TPPs supporting CIFs in the advanced testing exercises.
      - Include all of the above terms in third party provider agreements.
      - Conduct concentration risk assessments of all outsourcing contracts that support the delivery of CIFs.

    Firms should be conducting a gap analysis to develop a roadmap to design and implement an enhanced operational resilience framework by January 2025, in line with DORA’s new requirements. For help implementing this guidance, check out Archer Operational Resilience. Contact us to speak to an Archer expert.

  • The Risk You Can Talk To

    We have all seen the movies: robots wreaking havoc and taking the reins of civilization. As a fan of science fiction, I have read many tales of artificial intelligence manifesting in some form or fashion. It is interesting that most of those tales portray two sides to the binary characters. One side is benevolent, bringing progress and prosperity to humankind; the other is a malevolent force that threatens society’s very existence.

    With all of the talk of ChatGPT, Google’s Bard, Microsoft’s Bing AI and others, the topic of how artificial intelligence (AI) will affect the world has jumped to the forefront. Reminiscent of when Deep Blue beat Kasparov in chess, this discussion is another reminder that technology doesn’t walk through the information age – it leapfrogs. But the recent AI advancements are just the latest version of the machine learning and technology modelling that, in recent years, have been transforming industries from healthcare to finance. However, with the headline power of AI, there are certainly risks associated with its development and deployment that risk management professionals must have squarely on the radar.

    The good news is that the ball is rolling in helping define approaches. NIST launched the Trustworthy and Responsible AI Resource Center on March 30th. This new effort will facilitate implementation of, and international alignment with, the NIST AI Risk Management Framework released in January of this year. Another source is the US Department of Energy publication, the AI Risk Management Playbook (AIRMMP). These are just the tip of the iceberg of emerging guidance on AI risk. The topic of risks in AI and machine learning has been covered by a host of academic research and will continue to be a source of investigation as new models and techniques emerge.

    From a GRC/Integrated Risk Management (IRM) perspective, AI risk has several basic touchpoints. For example:

      - Policies and Standards: The bedrock of governance and compliance is policies and standards. Usage of any type of AI must be covered in corporate policies to establish control requirements.
      - Security Controls: AI systems can be vulnerable to cyber-attacks, just like any other computer system. If an AI system is hacked, it could lead to sensitive data being stolen, manipulated, or even destroyed. Malicious actors could also use AI to launch attacks, such as creating deepfakes to spread disinformation or manipulating financial markets.
      - Compliance and Risk Assessments: More than likely, your assessment processes cover many bases – from regulatory requirements to internal control compliance. The laundry list of topics to consider continues to increase. The frameworks referenced above are excellent starting points for incorporating simple questions that identify potential use of machine learning and AI, so you can get ahead of the game.
      - Data Governance: Part of IRM is understanding how data flows through the organization. Data governance may first affect privacy efforts but increasingly needs to account for all types of data as well as how that data is being used. This should now also include any use of machine learning or AI, to ensure those efforts are being monitored for risks such as bias.

    As organizations contemplate how AI can further business objectives, risk, compliance and security teams must be preparing for the inevitable. On the one hand, it isn’t anything that new – these functions have faced technology advancements before. On the other hand, this is a completely new animal. The funny thing about AI is that you can actually ask it what its risk is. I can’t think of any other risk that can answer the question “What risk do you pose?” As ChatGPT told me:

    “While AI has the potential to revolutionize industries and improve people's lives, there are also risks associated with its development and deployment. These risks include bias, security, unemployment, autonomy, and lack of accountability. As AI continues to develop, it is important that we are aware of these risks and take steps to mitigate them. This includes developing AI systems that are transparent, accountable, and ethical, and ensuring that humans remain in control of AI systems.”

    I couldn’t have said it better myself. For more information, read IDC’s report on the modern needs of risk management.

  • Supply Chain Management is Critical to Your Third-Party Risk Management Strategy

    The reality is that supply chain risk continues to become more and more complex, with organizations increasingly relying on third parties for critical products and services. Any disruption from third parties can significantly impact an organization’s supply chain. Additionally, an organization’s exposure to risk increases due to cyber-attacks, economic conditions, geopolitical uncertainty, and natural disasters. Thinking about your supply chain risk management strategy and how that strategy fits into your third-party risk management program is critical. Having the right strategy to identify, assess and manage your organization’s supply chain risk as a component of your third-party risk management program will result in an effective, holistic third-party risk management program.

    To learn more, join us for our webinar “How to Effectively Manage Supply Chain Risk” featuring IDC Research Manager Amy Cravens and Archer’s Wes Loeffler to learn:

      - What gaps exist in typical supply chain risk management programs
      - How understanding the risk profile of your suppliers delivers a competitive advantage
      - How to build an effective strategy to manage evolving supply chain risk

    Webinar: April 18, 2023, 11:00 am Eastern Time. Register Now!

    Visit Archer Third Party Governance for more information. Contact us to speak to an Archer Expert.

  • The SEC Mandatory Climate Disclosures Proposal & Its Impact on Risk Management

    In another of what will be a long series of proposals related to oversight of corporate environmental impact, the U.S. Securities and Exchange Commission (SEC) recently announced its own proposal on disclosure. Joining the efforts of many other governing and regulatory bodies worldwide, including the recent Corporate Sustainability Reporting Directive (CSRD) and Sustainable Finance Disclosure Regulation (SFDR) out of Europe, the SEC has now stepped fully into the fray as stakeholders ranging from conservationists to institutional investors seek greater visibility into the actions of large corporations to manage their environmental impacts.

    This announced proposal from the SEC has several key aspects that, beyond accelerating current ESG efforts, warrant special consideration for large organizations, including:

      - Accountability not only for quantifying progress towards their environmental goals, but also for clear identification of the risks and opportunities to those outcomes
      - Requirements that will emerge from the call for more, better, standardized data that can help create a normalized view of progress across organizations

    As environmental impacts are only one component of the current ESG push, it is reasonable (if not responsible) for organizations to assume similar proposals will extend into other areas. If the SEC’s proposal follows the direction taken in other geographies, it is also wise for organizations smaller than those within the current scope to assume “scope creep” down into their realm. Unsurprisingly, the proposal has been met with immediate push-back from both sides of the aisle, and it would be wise to assume that this proposal will go through several iterations before being finalized. But it would be similarly unwise not to view this as another significant signal of accelerated involvement by regulators in ESG.

    With that in mind, the SEC’s proposal also has some very specific impacts for Risk Management professionals:

      - The near-term need for a focus on data gathering, the risk register and cataloging of controls, and other common GRC or Enterprise/Integrated Risk Management practices
      - Regulation will be a likely driver for some (but not all) integration of ESG into Enterprise/Integrated Risk Management
      - This will require starting with an approach that scales bi-directionally: integration across the growing array of regulations AND expansion across various data sources covering not only environmental impacts but social as well

    Again, this is an early but undoubtedly significant step in the growing momentum around ESG. At Archer, we believe ESG is much more than another regulatory thorn-in-the-side; it is in fact one of the biggest drivers for more involvement in strategic planning by the Risk Management function. To learn more about how Archer customers are looking at the likely near-term and longer-term impacts of ESG on the Risk Management function, watch the replay of our webinar, “3 Things Risk Managers Need to Know About ESG,” on-demand now.

  • Archer's Fiscal Year in Review

    At Archer we recently wrapped up the books on our fiscal year, and so I wanted to share our progress and outstanding results. Uncertainty in various market conditions worked to our benefit again in 2021. Between the pandemic, environmental and social concerns, supply chain disruptions, increasing regulation, and the horrific war in Ukraine, Risk Management and Operational Resiliency have never played a more crucial role. These seismic shocks are requiring companies to manage Risk across their Enterprise – just as they do with CRM, HCM and Finance. Archer is uniquely positioned to meet these demands with over 300 customers in each Risk Function (Operations, Audit, IT, 3rd Parties and Business Resilience) - with over 80% of customers using our products for several, or all, departments. Our goal is to provide the best Risk Management platform to be the system of record to identify, plan, manage, mitigate/avoid and quantify your risk. I would like to personally and sincerely thank our clients, employees and partners who helped make last year so special.

    Archer’s CY 2021/FY 2022 highlights include:

      - After our divestiture from Dell in Sept ’20, Archer is now a fully autonomous company with our own systems, processes, dedicated team and board. With this independence, we grew the team by 30% last year to 750 employees.
      - 17% organic revenue growth, which extends our position as the largest pure-play GRC / IRM provider.
      - New account bookings grew by +60%.
      - SaaS revenues more than doubled and bookings increased by 94%.
      - Substantial product improvements such as Operational Resilience, CMMC and an improved User Interface that removed a dependency on Microsoft Silverlight.
      - Released Archer Engage as a mobile-first, zero training, no code companion product to facilitate remote access.
      - Released Archer ESG (Environmental Social Governance), led by industry expert Peadar Duffy and his Soluxr team who joined Archer last summer.
      - Released Archer Insight to enable Risk Quantification and Intelligence, led by renowned expert David Vose who joined as our VP of Risk Management.
      - Added Dr. French Caldwell, former Gartner lead analyst and one of the leading experts of the GRC space, as our Chief Strategy Officer.
      - Launched a customer success program centered on time-to-value and continuous improvements.

    Our latest fiscal year is off to another great start as we look to expand adoption of the many new capabilities released last year and continue to support our customers as they look to navigate complex business challenges in uncertain times. Contact us to learn how Archer can help you establish, adapt, and mature your integrated risk management program.

  • How to Build Business Resilience Beyond Recovery

    Organizations across the world continue to deal with the significant impacts of a global financial crisis, a pandemic, supply chain disruptions, increasing cyberattacks and more. While many have relied on traditional business recovery to withstand these and other factors, this confluence of threats has shown that disruption can be prolonged and evolving. The paradigm has shifted from ‘if’ disruption will occur to ‘when’ it will occur. Traditional approaches to recovering after disruption are vital -- but they are no longer enough. Organizations need to ask: Are we proactively dealing with threats and risks? What do we need to do to build resilience? How do we know when we’re resilient enough? There are no quick or easy answers, but there are important steps your organization must take.

    Focus on your highest priorities.

    The organization should be building resilience into what enables it to achieve its strategic and operating objectives. This includes producing and offering its products and services to end customers, complying with regulations, satisfying investors, etc. The business impact analysis (BIA) is the best way to do that. However, traditional BIA approaches are often focused on the organization’s internal business processes, which are only part of the dependencies or value chain that produces the end product or service. A question to ask is: will this traditional approach help build resilience into all that is needed to produce that product and achieve our strategic and operating objectives? A better focus for the BIA might be to identify the organization’s most important products and services offered to customers, and to make that supporting value chain, including internal business processes, systems, people, facilities, and third parties, resilient.

    Identify risks and threats that could impact your organization and the right mix of mitigation and response to reduce the impacts.

    Being prepared for what may come is half of the equation to building a resilient organization. The first part of that is identifying the threats (known and unknown) and mitigating the risks they pose to your organization. This is done by identifying likely and plausible threats and scenarios that could impact your organization, assessing their risk, then implementing the best mix of preventive and reactive measures to mitigate the risk to within your organization’s risk tolerance. Once your measures are in place, a vital step is to test them to determine how well they actually work to reduce the residual impacts to your organization.

    Measure and monitor your progress in building resilience.

    The question mentioned at the beginning of this blog - how do we know when we’re resilient enough - is an important one. I’m not sure an organization can be “too resilient”, but I do know an organization can be not resilient enough. The answer only comes once you have set goals appropriate for your organization relative to its resilience and have metrics in place that allow you to measure and monitor status and progress. Examples include quantitative and qualitative impact tolerances, recovery time objectives, recovery point objectives, and residual risk compared to your risk appetite. These goals must also be aligned to your business goals. Once these resilience goals are set, it’s vital to test your capabilities, evaluate your responses in real situations, address gaps identified along the way, and continue to measure and improve.

    Interested in learning more? Register for our March 1 at 2:00pm Eastern webinar, How to Build Business Resilience Beyond Recovery, and check out Archer Business Resiliency.

  • What is Risk Management Worth To Your Organization?

    Frank Sinatra is an icon. No one can dispute that. But exactly how much of an icon? Sure, he was a prolific music entertainer, movie star, and the epitome of cool -- but does that make him “iconic”? Noting that Sinatra sold approximately 11,415 years of music over the course of his career – enough to play from the time man invented farming until Captain Kirk took command of the Starship Enterprise – puts more weight on the scale towards “iconic” status. My point is that numbers make an impact.

    Most often, the benefits to an organization of taking a strategic and comprehensive approach to risk management are evident across different types of metrics, including fewer compliance violations, fewer disruptions, and more effective responses to operational events. This integrated risk management (IRM) approach seeks to connect different domains of risk management within a cohesive picture. It requires an extensive list of processes across different operational groups, creating a complex tapestry of activity. Since “it takes a village” to manage risk, the true financial impact of risk management is not something easy to calculate. Why would you need to calculate its impact? Well, risk management activities require investments in time and resources, and someone along the way needs to foot the bill.

    Can you put a number to the overall impact of an integrated risk management program? I explored this topic by applying a technique typically used for micro risks to this macro issue. Bow tie analysis is often used to analyze individual risk events but can also be applied at the macro level. To provide an illustrative example of this approach, I used Archer Insight to create multiple bow tie analyses of IRM elements and to determine a measurable impact. I then ran control scenarios utilizing common IRM processes through these models. The result was an interesting exploration of the financial impact of IRM programs.

    Want to learn more? You are cordially invited to register to attend our webinar, What Is Risk Management Worth To Your Organization?, at 2:00pm Eastern on January 24, 2023. I hope you can attend!

  • Supply Chain Risk – What to Expect in 2023

    Looking ahead at 2023, it will be more important than ever for organizations to manage their supplier risk. Larger and more complex supplier networks, changing regulatory requirements, and an often volatile global risk landscape will require organizations to ensure effective evaluation of their supply chain dependencies. Having the right strategy and the right tools in place is essential in helping to circumvent potential issues with your suppliers and can significantly contribute to the financial health and overall well-being of your organization. The ability to consistently assess, monitor, and manage your organization’s supply chain risk results in better business outcomes for both your organization and your supply chain management program.

    To learn more, join us for our webinar “Prioritizing Supply Chain Risk Management in 2023 – A Look Ahead” featuring GRC 20/20 market analyst Michael Rasmussen and Archer’s Wes Loeffler to learn:

      - How supply chain risk is expected to impact organizations in the year ahead
      - How to make supply chain risk management a strategic priority for your organization
      - How Archer can help you manage supply chain risk more effectively

    Webinar: January 19, 2023, 2:00 pm Eastern Time. Register Now!

    Visit Archer Third Party Governance for more information. Contact us to speak to an Archer Expert.
