Search Results

  • How Increased Global Connections have Exposed Organizations to Risk

    The world is increasingly connected, and organizations are more exposed to the risks and rewards of other enterprises than ever before. Physical supply networks, digital communications, and integrated business systems have reshaped the risk landscape. The pandemic has reinforced for all of us the complexity of modern organizations, and the need for close coordination across departments and disciplines in response to a crisis. Operational resilience can no longer consist only of the BC/DR (Business Continuity and Disaster Recovery) function that builds reactive recovery plans which are dusted off only during infrequent geo-specific or IT disruptions. A continuity plan that articulates a localized disaster recovery process may not map onto a global disruption. Furthermore, an IT problem isn’t just an issue with the organization’s computer network when infrastructure and physical assets are always connected.

    The need for a holistic and fully integrated view of risk management has been thrown into focus by the pandemic. The consequences of unmanaged risk for any organization are extensive, and as risk continues to grow, executives and board members are becoming more involved in risk management initiatives. More and more organizations have begun to integrate risk management into their day-to-day operations. Risk is changing so dramatically across so many areas that siloed and manual processes make it difficult to get complete information to stakeholders quickly. Even the most successful point solutions only magnify this challenge, with information stored in different locations and used in different ways by each department. This is exactly why our customers see such value in managing multiple dimensions of risk on one platform; in fact, almost 80% of our customers manage multiple domains of risk on Archer.

    An organization that has fully adopted integrated risk management practices may still have to contend with third-party risks that are beyond its direct control. To find out how managing vendors and suppliers outside your walls can increase operational resilience and actually drive growth, download our latest report, “The State of Integrated Risk Management”.

    Increased Exposure to Supply Chain Disruptions

    The connected global economy has exposed an increasing number of organizations to risks outside their traditional domains. Even if an organization were able to formulate a BC/DR plan for the countless eventualities that can disrupt operations, recognizing emerging risks and promptly shifting into disaster recovery still requires risk management to be deeply integrated into the organizational framework. Local and global disruptions have gone from being blue-moon events to being business as usual. As the risk profiles of more organizations expand, continuously managing risk becomes integral to every level of operations. We’ve found that for many organizations, anticipating, recognizing, and managing risk has become a critical component at every level of operation. Our experience with organizations that use Archer gives us an understanding of how they have responded to the challenges of the past year. Over 60% of respondents in the 2020 RSA Digital Risk survey stated their companies’ integrated risk management programs were somewhat or quite extensive. Compare that with only 7% of respondents stating that their organizations did not have any integrated risk management programs or procedures in place, and it’s clear that risk management is a priority in today’s organizations.

    Global Changes and Operational Risk

    Climate change has turned once-in-a-lifetime events into regular occurrences. Some regions are expected to experience 100-year floods nearly every year (1). In the summer of 2021 the Pacific Northwest of North America, a region so mild that most people do not have air conditioning, saw temperatures reach over 120 degrees Fahrenheit. Previously unthinkable weather disruptions are now commonplace. Catastrophic flooding that washes away industrial centers, heat waves that melt power lines and roads, and ice storms that freeze gas lines all have the power to throw supply chains into chaos. Even an organization that uses multiple vendors to ensure operational resilience will still be out of luck if all of its vendors are disrupted at the same time by a global catastrophe.

    Sophisticated state-sponsored cyber operations have brought disruption to more and more organizations. The 2020 SolarWinds compromise (2) is just one example: attackers attributed to Russian intelligence inserted a backdoor into a legitimately signed update of the SolarWinds Orion platform, roughly 18,000 customers installed that update through the normal software update channel, and a much smaller set of those were then selected for hands-on intrusion. The primary targets appear to have been United States government networks, but because the backdoor arrived through the vendor’s own update mechanism, many non-government organizations received it as well. The supply chain lesson is that a trusted vendor’s build and release pipeline is part of your attack surface, whether or not you are on the attacker’s target list.

    Early in the COVID-19 pandemic, a shortage of N95 masks highlighted the risks of an interconnected and international business environment. With scarce information about what preventative measures could limit the spread of the virus, N95 masks were shown to be effective at reducing transmission. Compounding the panic buying that nearly eliminated inventory was the shutdown of international borders, as the medical-grade wood pulp used for the masks was produced in Canada (3). Any organization that relied on face-to-face interactions to achieve its operational goals was forced to choose between stopping operations, continuing operations while putting personnel at risk, or paying exorbitant prices for increasingly scarce masks. Organizations without an established framework in which to quickly compare and decide among operational, compliance, and financial risks suffered.

    Organizations must routinely plan for and contend with risks that previous generations would have considered outside the realm of possibility. That’s why we recommend organizations manage risk by coordinating efforts across organizational domains such as resiliency, audit, compliance, IT, and operational risk. Instead of assuming any given eventuality will occur in isolation, to be addressed alone, modern organizations must recognize that multiple disruptions can occur simultaneously.

    Operational Resilience is the Primary Motivator

    We recommend organizations approach risk domains holistically by connecting the risks seen in day-to-day operations to the implications of those events for the business strategy. One in five respondents in the 2020 RSA Digital Risk survey stated they are prioritizing the alignment of business resiliency and enterprise risk management approaches in the next two years. An organizational culture that relies on processes and procedures to deliver operational resilience is not enough. Global risks cannot necessarily be managed with the same processes that work for internal or even vendor risks.

    Learn how to not only respond to global risks outside of your four walls but to actually turn risk to your advantage in our report “The State of Integrated Risk Management.”

    (1) https://www.nature.com/articles/s41467-019-11755-z
    (2) https://www.businessinsider.com/solarwinds-hack-explained-government-agencies-cyber-security-2020-12
    (3) https://www.theglobeandmail.com/canada/article-vancouver-island-pulp-mill-supplies-materials-for-medical-protective/

  • How an Integrated Risk Management Approach to Security Increases Operational Resilience

    Any organization managing cybersecurity risk has a daunting challenge. Security issues are identified and published online daily, mitigations may not arrive for weeks, and threats can originate across international borders. Narrowly focused best practices can become liabilities overnight. Conscientious but inflexible security practices may mitigate the risk of theft or intrusion but can come at the cost of efficiency and responsiveness. Risks can be invisible right up until they are a problem, and even trusted and seemingly secure supply chains can be disrupted or compromised. The lines that define safe operation are constantly shifting, as even existing technologies require fresh security assessments. It isn’t enough to perform a one-time risk analysis of possible threats when integrating new practices or assets.

    We recommend organizations routinely determine the scope and business implications of cyber attacks. Being able to quantify and categorize risk makes the development of a risk management culture a concrete exercise with metrics and clearly defined goals. Establishing how each process and practice manages risk and increases operational resilience is easier with an integrated risk management approach to security. Leaders in integrated risk management have been expanding their ability to mitigate risk with new tools that allow for coordinated security processes. See how to protect your organization with robust risk defenses by reading our report, “The State of Integrated Risk Management.”

    All Risk is Connected and Your Security Approach Should Be Too

    In the physical world, a strong perimeter defense can mitigate losses while still allowing business to operate within the protected perimeter of a facility. Cybersecurity perimeter defenses, however, have long been problematic due to the very nature of digital risks and threats. When everything relies on the impregnability of a firewall or the secrecy of a password, everything is at risk if the firewall is breached or the password is compromised.

    When the global COVID-19 pandemic led to workplace shutdowns, the opportunities for cyber attacks skyrocketed. Organizations without an integrated security approach were more vulnerable when their workforce was distributed across a spectrum of home network security settings. When a flood of remote workers began accessing sensitive assets through home networks, many organizations relied on VPNs to let personnel tunnel into protected corporate networks. Unfortunately, every VPN account is a potential entry point, so this adds as many points of weakness as there are remote users, and a single stolen credential is enough if the account is not protected by multi-factor authentication. The Colonial Pipeline ransomware attack is the example: the attackers logged in with a compromised password for a legacy VPN account that did not require multi-factor authentication, and from there were able to hold the Colonial Pipeline Company’s operations hostage. [1] A single point of failure led to disruptions in mission critical operations.

    Reinforced Defenses against Disruption

    The concept of defense in depth has been around for decades: it adds layers of protection wherever possible and practical, so that no single control is the only thing standing between an attacker and the business. An integrated risk management approach to security builds on that concept by connecting processes and data from other risk functions, since every part of an operation is a possible security concern or source of risk. The key to designing and maintaining an integrated risk management approach to security is to make sure the entire process is aligned with operational resilience. The ability to remain in operation despite disruptions should be the primary motivating force behind your security approach. One in five respondents in the RSA Digital Risk 2020 survey stated they are prioritizing the alignment of business resiliency and enterprise risk management approaches in the next two years.

    With an integrated risk management approach to security, different areas of an organization can manage their risk in a way that strengthens overall operational resilience. The efforts of IT and security weave together with regulatory and corporate compliance, third-party management, and other stakeholders to create a reinforced risk management program.

    Granular Risk and Response

    We recommend organizations compile a complete picture of technology and digital security risks and understand their financial impacts. Without knowing how a data breach will disrupt operations, it is impractical to gauge the appropriate level of effort and capital to invest in precautions and countermeasures. A well-defined process and taxonomy that quantifies the impact of risks helps align risk management practices with organizational goals. Without an integrated risk management approach to security, a single security risk can propagate through an organization’s assets. With more and more elements being digitized, automated, and controlled with connected technology, a data breach can even result in the disruption of physical operations.

    When operational resilience relies on the strength of a single measure, that one defense becomes so critical that it is difficult to quantify the consequences of its being compromised. A defense in depth, integrated risk management-based security strategy allows for atomized risk appraisals of any given practice or process. The growing necessity of defense in depth places a new responsibility on the risk management landscape: while the integrity of a single perimeter defense can be determined with existing industry practices, the sheer number of layered security measures calls for new processes to monitor and control an organization’s risk management practices. The pandemic revealed previously ignored or unaddressed weaknesses in many organizations.

    Our 2020 Digital Risk survey found that nearly 75% of respondents expect their digital initiatives to accelerate due to the disruptions and shifts of the past year. While some of this acceleration will include expansion of existing approaches and practices, new processes that match the expanding risk profile can help an organization keep up with the shifting environment. Operational risk programs should bring risk information together so you can better understand your risk posture, determine more easily how to treat risks, and see the interrelationship of these risks to the entire business.

    Integrated Risk Management Moving Forward

    Comprehensive approaches to operational resilience require detailed audits of weaknesses in every part of a risk management strategy. Most of our customers expect their risk profile to expand significantly in the next two years. We work with organizations to manage their expanding risk profile on our integrated risk management platform. To discover how the organizations that utilize a mesh security approach are outcompeting even in times of disruption, read our whitepaper, “The State of Integrated Risk Management.”

    [1] https://www.bloomberg.com/news/articles/2021-06-04/hackers-breached-colonial-pipeline-using-compromised-password

  • 5 Reasons Why Integrated Risk Management Platforms Outperform IT Service Management Products

    Extending IT products to address multiple business challenges is a prudent goal for every organization. Unfortunately, this goal often comes with a strong temptation, encouraged by marketing claims and the hope of stretching IT budgets, to push a product designed for one purpose beyond its inherent functionality, which can lead to decreased productivity, increased business challenges, and poor user adoption. Organizations that focus on selecting the risk management platform that can meet and adapt to their risk and business needs are far more likely to succeed than those trying to extend existing IT service management products to solve dynamic and evolving risk management challenges.

    #1: Risk management involves much more than just IT risk

    Recent global economic and social disruptions have proven the necessity of business systems that provide decision-makers with the critical information needed to make informed decisions about risk, so that the organization can survive and achieve its strategic goals in times of crisis. Attempting to address risks such as security, compliance, resiliency, risk quantification, environmental, social and governance (ESG), and third-party governance in an IT ticketing and service management product will not keep up with your evolving business environment. Business leaders need a global and comprehensive view of the risks facing the organization. These risks need to be connected from the top down and from the bottom up, and the technology solution should enable that convergence without causing disruption. This requires a purpose-built risk management solution that handles the multiple dimensions of risk, from enterprise risk analysis to IT security, quantification, operational resiliency, audit, and compliance.

    #2: Reacting to risk is not effective risk management

    Surprises are great for birthdays and celebrations, but not for a CEO waking up to a breaking news article about a security breach or compliance failure that could permanently damage the business and its reputation. Organizations that can predict and anticipate risks rather than merely react to them are less likely to fall victim to unwelcome surprises and unintended outcomes. The ability to calculate, analyze, and extrapolate risk probabilities in measurable terms the business understands enables organizations to take advantage of risk rather than falling victim to it. Board members, senior business leaders, and decision-makers are looking for more than a “red, yellow, green” indicator of risk severity; they need measurable, quantifiable information about risk. With IT service management and workflow products, simple qualitative guesses are the extent of the available risk prediction and analysis capability. While such products might generate colorful charts of risk distribution, those charts provide little value to a person making a decision on risk likelihood and impact that could significantly affect the business.

    #3: Risk is constantly evolving

    Risk is not constant; it is dynamic and continually changes and evolves. As a result, every organization has unique needs and requirements for its risk solution. These can include tracking and monitoring ad hoc data fields, modifying workflows, creating new reports, or tracking a new risk. Your risk management solution should make these changes easy to enact. IT service management and other workflow products are not designed or intended to be configured and modified by risk and compliance management teams. Their lack of configurability leads to inflexibility and a system that cannot effectively support the dynamic nature of risk. Organizations need an integrated risk management platform capable of changing and adapting to risk to protect the business. If a platform cannot easily and quickly adapt to the risk and compliance needs of the business, what value is it providing?

    #4: Operational resilience is critical

    Recent times have subjected organizations to unprecedented disruptions that highlight the imperative for integrated approaches to risk management. For example, the acceleration of digital transformation spurred by the pandemic requires security and risk functions to pick up speed; keeping pace with digital initiatives requires efforts to modernize security and risk management. Operational resilience refers to an organization’s ability to absorb and adapt to rapid changes, sudden disruptions, or other challenges, and continue to achieve its objectives. It is more than business or IT recovery after a disruption; it also includes building resilient business practices across the organization in preparation for disruption. Organizations attempting to use IT service management products for operational resilience often fall short, largely because those products cannot connect resiliency information to critical notification services in IT security management, audit, and health and safety. This lack of connectivity leaves gaps in their ability to act on and adapt to changing business conditions, environmental impacts, and social disruptions. With so many organizations facing industry shifts, market pressures, and increasingly competitive landscapes, a focus on operational resilience makes sense. Business today is all about speed, and organizations cannot afford to let risk hinder their efforts. Implementing integrated risk management allows your risk program to keep pace with the business.

    #5: Risk management must be a core discipline

    Risk management is a broad and complex discipline, encompassing audit management, compliance, risk quantification and analytics, third-party management, ESG, operational resilience, business continuity, IT security risk management, and operational risk management. New risk challenges, driven by regulations and fueled by the dynamically changing nature of risk, are constantly emerging. The only way for organizations to effectively harness and manage this broad spectrum of risk is to employ a platform dedicated to addressing risk management challenges. Across this broad risk landscape, vendors of adjacent products such as IT service management claim they have the tools and capabilities needed to address the complete risk spectrum. Unfortunately, this is where those focused on cost-cutting and operational streamlining can make the costly mistake of assuming risk management can be adequately handled by IT service management and workflow products.

    Conclusion

    Selecting a technology solution to support your risk management initiatives is a critical part of ensuring your program’s success. The stronger your technical approach to risk management, the higher degree of granularity you can achieve when identifying, assessing, and monitoring risks. Technology can serve as the backbone of your program, offering multiple benefits such as:

    • Efficient and effective processes
    • Common data taxonomies that establish a consistent internal language around risk and improve communication
    • Data consolidation and sharing to improve analytics and empirical support for your risk decisions

    Solutions that address the breadth of IT and business risk and are built on deep best practices, configurability, a growth path, and pedigree are critical factors to consider in the selection of your risk management solution provider. Archer empowers organizations to manage multiple dimensions of risk on one configurable, integrated software platform. With Archer, you can efficiently implement risk management processes, using industry standards and best practices to significantly improve the effectiveness and maturity of your evolving risk management program. Contact us to learn more about how Archer can help you build a robust risk management program in your organization.

  • How to Leverage Compliance Towards Operational Resilience

    Compliance is often a logical, externally driven starting point for risk management programs. Staying ahead of changing regulations can be a daunting task. Factor in disruptions like the pandemic and the evolving business landscape, and it becomes clear that no single risk management function standing alone can adequately protect an organization from risk. Rather, companies need an integrated risk management approach focused on operational resilience to adapt and prosper in times of upheaval and increased potential risk. With integrated risk management, companies go beyond compliance to layer on audit management, enterprise and operational risk management, third-party governance, and other functions. This layered, “mesh” approach creates a more holistic model that gives depth to the risk management strategy. In our whitepaper, “The State of Integrated Risk Management”, we outline the lessons learned by those who thrived in their digital transformation efforts during the pandemic, to help companies along their journey to improving business outcomes through operational resiliency. Get the insights and read more about the four themes of operational resiliency here.

    Compliance is Still Foundational but Not the Endgame

    Often, individual departments create their own compliance processes to address policies and meet regulatory obligations. This siloed approach makes it difficult to identify, prioritize, and respond to issues that impact your business. With changing priorities and resources stretched by shifting business needs, disconnected processes impact not only an organization’s productivity but also its ability to sustain and grow the business. By establishing a coordinated and consistent compliance program, the executive team can get the full picture of the state of compliance across the entire organization. Organizations should establish formal processes for stakeholders to understand and manage changes that may affect the organization’s compliance, including how new and changing activities may affect its obligations. A coordinated approach to compliance improves operational resiliency and should create a proactive posture that supports a holistic risk management strategy. More than a third of respondents in our survey stated a risk-based compliance methodology is a priority for them in the next two years, illustrating the crossover between compliance approaches and risk management.

    Why Operational Resilience is the Endgame

    While compliance is a critical component of managing risk, operational resilience has become an increasingly important topic. Risk today is multidimensional, and the frequency and magnitude of disruptions like the pandemic have motivated organizations to take a deeper look at how they identify and analyze risks and how they plan to avoid or recover from them. Operational resilience considers the strategic goals of the organization, engages all parts of the organization, and embraces integrated risk management to drive the development of resilient business practices. Strong operational resilience can:

    • Improve the company’s finances by reducing costs that would otherwise be incurred during a disaster.
    • Drastically reduce operational disruptions by preparing for potential disasters before they occur.
    • Allow you to respond swiftly in crisis situations to protect ongoing operations.
    • Minimize the impact on your business by breaking down the silos across functions and teams.
    • Give organizations the capacity to quickly execute mergers and acquisitions.
    • Help organizations swiftly adapt to changes in technology brought by digital transformation.
    • Improve visibility over the performance of the different sectors paramount to the organization’s growth and the resources necessary to achieve its goals.
    • Provide complete oversight of all the company’s outsourced operations.

    How to Create a Culture of Operational Resilience

    The ability to absorb changes and adapt to an evolving risk environment is a regulatory, corporate, and board-level topic within many organizations. Traditionally, building a culture of resiliency has been a function of an effective business continuity management program. To build ownership across the entire organization, each department from IT to sales must proactively participate in building operational resilience into processes, systems, and practices. This cultural change should be led at the executive level. Gartner predicts that by 2025, “70% of CEOs will mandate a culture of operational resiliency to survive coinciding threats from COVID-19, cybercrime, severe weather events, civil unrest, and political instabilities.” (1) Having change driven by the chief operating officer (COO) or chief information officer (CIO) helps to reinforce the importance of implementation.

    The first thing organizations should do when creating a culture of resiliency is to have a definite purpose and aim. When an organization has a clear vision that every sector can relate to, it is easier to work together and achieve mutually beneficial goals. Second, organizations must establish consistent procedures and policies. For a program to thrive, all departments and functions performing separate risk management activities should be using the same methodologies, tolerances, and toolsets. Last, it is vital that internal and third-party organizations are as aligned in their resiliency efforts as they are in their delivery of products and systems. This alignment can be accomplished in the onboarding process, in service-level agreements, or through clauses in contracts.

    The State of Integrated Risk Management: Themes of Operational Resilience

    Strong compliance processes are one step, albeit a critical foundational step, towards achieving operational resilience. Programs focused on operational resiliency bring risk information together so you can better understand your risk posture, determine more easily how to treat risks, and see the interrelationship of these risks to the entire business. Explore the other themes of operational resilience by downloading our whitepaper, “The State of Integrated Risk Management”.

    Archer Solutions

    As a leader in providing integrated risk management solutions, we can help you with strategic decision-making and improving your operational resilience. Contact us today to see how Archer Regulatory and Corporate Compliance Management can give you a clear, consolidated view of your organization’s state of compliance, and how an integrated risk management approach better prepares you to thrive in a multidimensional and evolving risk landscape.

    (1) Gartner, Predicts 2021: Operational Resiliency, January 2021.

  • Why is Integrated Risk Management Critical to Business Growth and Continuity?

    As your organization evolves, so too does your risk landscape. Risk is inherent in all types of initiatives within business operations such as the expansion of digital processes can increase security risk and outsourcing business operations to third-party vendors creates complexities in your supply chain. For any organization to thrive in these transformative times, it must have a solid risk management strategy. The growing recognition that all risk is connected has led to companies realizing that they need coordination across all risk functions – including leveraging the same data, platform, taxonomy, and output. This coordinated strategy is called an integrated risk management approach. Integrated risk management gives organizations the ability to navigate risks and deal with them effectively (should they arise) without hindrance in business operations. An integrated risk management approach gives senior management and executives actionable and detailed data so that they decide on an action plan that is best for the organization ultimately improving overall performance. The pandemic put a spotlight on the need for companies to have an integrated risk management approach with emphasis on operational resilience , or a company’s ability to absorb and adapt to sudden disruptions and continue to meet business goals. We recently analyzed the Archer customer base to discover how our customers not only survived but thrived during this global upheaval. What we found fundamentally accentuated the need for integrated risk management strategies. When respondents to the RSA 2020 Digital Risk Survey were asked about the need to coordinate risk management, the “extremely coordinated” response jumped more than 90% in the short time between the question being asked in a 2019 survey and the 2020 survey. The key learnings and the four integral themes of integrated risk management are outlined in our new whitepaper, “ The State of Integrated Risk Management ”. 
Digital Transformation, the Pandemic and Major Forces on Risk Change is constant, but the alarming rate at which the world is digitally transforming has major impacts on existing business models and operations. Almost 55% of respondents in the 2020 RSA Digital Risk survey stated their organizations were extensively engaged in digital transformation initiatives highlighting the pervasive use of technology to advance business operations. The pace of digital efforts were accelerated in light of the pandemic, forcing organizations to find alternative, technology enabled methods to support their workforce and deliver products and services to customers. As Gartner found, “The momentum of digital transformation projects is outpacing the ability of organizations to accommodate the changes and will introduce additional complexity of threats.” (1) This rapid digital transformation also makes organizations more vulnerable to cyber-attacks and virtual disruption. A more fluid risk landscape has emerged requiring a more holistic and integrated approach to risk management. The pressure to manage risk is evident with over 60% of respondents in the 2020 RSA Digital Risk survey stating their companies' integrated risk management programs were somewhat or quite extensive. Obviously, integrated risk management approaches have become the norm – not the exception. How did COVID Affect Risk Management? The COVID 19 pandemic had a severe negative impact on organizations all around the globe. COVID brought about major changes in the technological, social, economic, and political aspects of the world. These changes have made organizations pay more attention to overseeing, anticipating, and mitigating threats caused by unfavorable interruptions to business operations. 
A PwC study found that respondents that shifted risk management responsibilities to the first line were more likely to show profit and revenue growth over the next two years and were able to recover from adverse events more quickly. (2) While the pandemic affected multiple areas of risk, two areas highlight the coordination needed to address today’s risk environment.

Cyber Attacks

The pandemic forced many companies to go remote and conduct business virtually. Opportunistic cyber breaches increased in 2020, and newly adopted technologies put undue pressure on business and IT resource availability, making it more important than ever to have solid and effective recovery plans. Often, IT disaster recovery teams are on a different page than business continuity teams about what’s critical to protect and recover, highlighting the need for an integrated approach and for improving cyber resiliency. Additionally, remote working promotes fraudulent activities like phishing. The cybercrime economy thrives in times of chaos, with unchecked growth in fraud attempts and other risks. 79% of respondents in the RSA 2020 Digital Risk Survey expect to rely more heavily on the IT and security risk management portions of their risk programs over the next two years.

Compliance

This remote working environment then made it even more difficult to enforce compliant behavior among staff. In addition, regulators saw how the pandemic affected different industries and have begun addressing some of the gaps they observed through new regulations. The result is a more complex regulatory environment with a challenging enforcement playing field. In response, risk-based approaches are necessary to identify the most impactful compliance requirements. This played out in the RSA Digital Risk Survey, with more than a third of respondents stating that a risk-based compliance methodology is a priority for them in the next two years.
In addition, technology operations have a tremendous impact on compliance strategy. Therefore, the overlap between compliance and IT and security risk management is obvious. A coordinated strategy, via integrated risk management, needs to focus on compliance measures that are suitable for the present working environment. The convergence of compliance and IT and security risk management is evident within the Archer customer base. Of the 1100+ deployments Archer has for IT and security risk management, more than 80% utilize compliance processes on the Archer platform.

How to Achieve Resilience Through Integrated Risk Management

One thing is certain: the pandemic has highlighted the need for resilience, especially as other high-magnitude disruptions continue to mount. Achieving resiliency, however, is another matter – it requires forethought, discipline, and constant vigilance. These five steps are key to building resiliency:

1. Develop and adopt a holistic, enterprise-wide integrated risk management system and governance.
2. Develop a risk profile, assess your risk landscape, and define a strategy for operational resilience.
3. Implement change initiatives that are proactive rather than reactive.
4. Lead from the top to adopt and maintain management protocols that ensure the company's growth.
5. Ensure compliance via enforcement of organization standards, policies, and regulations across all sectors of the organization.

The State of Integrated Risk Management

While many companies were caught off guard by the pandemic, a lucky few were able to quickly pivot and thrive in their ongoing business operations and digital transformation efforts. Our whitepaper, “The State of Integrated Risk Management”, outlines key themes related to operational resiliency and integrated risk management and the underlying success factors of those who were able to take advantage of the extraordinary opportunities presented.
Download the paper now, and contact us today to begin your journey to operational resilience.

(1) Gartner. Predicts 2021: Operational Resiliency. January 2021.
(2) PricewaterhouseCoopers. Risk in Review: Managing Risk from the Front Line Correlates to Higher Revenue and Profit Growth, Says PwC. 2017. https://www.pwc.com/us/en/press-releases/2017/risk-in-review-managing-risk-from-the-front-line.html

  • The Best of Archer Summit 2021

    What a week! Thank you to everyone who attended Archer Summit 2021 in Orlando and virtually. It was a jam-packed week of innovative sessions, networking, idea sharing, exciting Archer product updates and – of course – Disney. Archer Summit 2021 included:

- Over 40 breakout sessions with 20+ customer speakers discussing risk challenges and trends and how they’re using Archer’s technologies in their organizations.
- Leaders from the healthcare, finance and supply chain industries came together in a customer panel to discuss challenges and successes in navigating enterprise risk.
- An Archer Superhero product roadmap keynote that unveiled how risk leaders can easily share enterprise risk with key stakeholders across their organizations using Archer Engage, and the future of risk quantification and the deep level of risk analysis organizations can perform with Archer Insight.
- Industry analysts French Caldwell and Michael Rasmussen discussing everything from organizations’ immediate and ongoing response to the COVID-19 pandemic and environmental, health and safety risks to ESG, operational resiliency and risk agility.

Don’t just take our word for it. Check out the Archer Summit 2021 highlight video and a few of our favorite tweets from the event. We’re looking forward to building on the momentum of Archer Summit 2021 – can’t wait to see what 2022 brings with Archer Summit heading to South Beach, Miami! Save-the-dates will be sent soon. Click here for the Archer Summit Highlight Video. Contact us to learn more about Archer and how we can help with your integrated risk management journey.

  • How to Get Ready for a CMMC Certification Assessment

    Preparing for a CMMC Assessment is a new and enormous challenge for organizations seeking certification. Though CMMC is based on the NIST framework, it introduces several new concepts and tightens the security requirements to a heightened level of cybersecurity hygiene. By introducing new CMMC Processes, requiring per-subsystem evaluation of Assessment Objectives, and mandating that all POA&Ms be fully remediated and closed, CMMC Assessments truly call for a new breed of cybersecurity professional in the commercial space. As organizations work to digest and understand this new standard, Archer CMMC is here to support them and alleviate the challenges of managing and engaging in the preparatory pre-assessment work.

The CMMC Challenge #1: Keeping track of the CMMC Practices and Processes

The first step in a CMMC self-assessment is to determine which certification level (i.e., Level 1, Level 2, Level 3, etc.) you want to achieve. Based on that level, you will need to understand which Practices and Processes are required for certification. CMMC has a total of 171 Practices and 5 Processes that are associated with different domains. Each CMMC level of certification contains a different subset of these Practices and Processes, so you want to be certain you are selecting the correct Practices and Processes for your self-assessment.

The Archer Solution

Archer has created a catalog of security requirements that directly aligns to the appropriate Maturity Levels, saving you hours of time when setting up your self-assessment while also ensuring you are assessing the correct CMMC Practices and Processes.

- Archer CMMC maintains a catalog with the latest version of all Practices and Processes from the CMMC framework.
- Archer CMMC automatically maps the correct Practices and Processes to your self-assessment based on the CMMC certification level you choose.
- Archer CMMC provides reports and a snapshot view of the current assessment status of all Practices and Processes across each CMMC Domain during your self-assessment.

The CMMC Challenge #2: Ensuring all assessment objectives have been properly completed

Let’s use a CMMC Maturity Level 3 certification as an example. There are 130 Practices and 51 Processes that need to be met to achieve a Maturity Level 3 certification. There are also hundreds of Assessment Objectives that roll up to the Practices and Processes. Every system-specific Assessment Objective must be individually mapped and assessed for each subsystem in your boundary scope. That means if you have five subsystems, you must map and certify against the allocated list of Assessment Objectives five times. As you can tell, it's very possible to have thousands of Assessment Objectives that have to be allocated and evaluated, depending on how many subsystems need to be assessed. Maintaining clarity and visibility into each subsystem and all of its related Assessment Objectives, as well as the Practices and Processes, can quickly become a logistical nightmare.

The Archer Solution

Archer CMMC provides a number of capabilities to help you manage this enormous task of tracking and completing thousands of Assessment Objectives across all your subsystems.

- Archer CMMC automatically maps every relevant Assessment Objective to each of your subsystems, ensuring you have proper alignment for assessment across all the subsystems within your boundary scope.
- Archer allows bulk status updates and manual override options for each Assessment Objective to ensure flexibility and efficiency in your assessment workflow.
- Archer CMMC enables evidence documentation (i.e., artifacts, comments, screenshots, etc.) at both the Practices and Processes top level and at the individual Assessment Objective level across each subsystem, for assessment defensibility.
The CMMC Challenge #3: Managing deficiencies and remediation activities

To pass a CMMC certification assessment by a C3PAO, open POA&Ms are not permitted. This means you need to resolve all of your security requirement deficiencies during your self-assessment and maintain proof of their remediation.

The Archer Solution

Archer facilitates end-to-end lifecycle management of any gap or deficiency identified within your CMMC program. Since open POA&Ms will result in a failed CMMC assessment, Archer CMMC is designed to help you identify, manage and track deficiencies through to their closure with thorough remediation plans, workflow, and task management support.

- Archer CMMC facilitates the identification of deficiencies at every level of CMMC preparation – from defining system components, allocated Practices and Processes, and even at the individual Assessment Objective level – to give full visibility into any potential issues, large or small.
- Archer CMMC saves time and reduces errors by allowing you to create a library of deficiencies, as well as a library of remediation action plans, that can be used repeatedly.
- Using native reporting capabilities, Archer CMMC gives you real-time visibility into the status and prioritization of any deficiency and its remediation progress. Once resolved, this information natively integrates into your System Security Plan to be shared with your C3PAO.

Contact us to find out how Archer CMMC Management can help you manage CMMC requirements.

  • Archer CMMC Management Helps U.S. DoD Vendors Manage Pre-Assessment Challenges

    As a new initiative of the U.S. Department of Defense (DoD), Cybersecurity Maturity Model Certification (CMMC) is designed to enforce and maintain contractor and subcontractor cybersecurity compliance across the federal defense industrial base. CMMC requires that any commercial organization doing business with the DoD be certified by a third-party CMMC assessor to validate that they meet the appropriate CMMC specifications. To help our customers prepare for CMMC certification, we are pleased to introduce the new Archer CMMC Management use case. It enables Archer customers to identify, document, and manage the appropriate CMMC practices and processes required for improved cybersecurity hygiene for storage and management of Federal Contract Information and Controlled Unclassified Information. Archer CMMC Management alleviates many of the challenges of scoping and engaging in preparatory pre-assessment work. Archer CMMC Management focuses on pre-assessment activities such as defining scoped boundaries, system components, policies, and procedures; allocating the appropriate level of assessment processes, assessment practices, and assessment objectives across the different components of the system; identifying deficiencies and remediating POA&Ms; and creating the appropriate system security plan (SSP) documentation. Does your organization work with the U.S. DoD? Contact us to find out how Archer CMMC Management can help you manage CMMC requirements.

  • Archer State of Integrated Risk Management Report

    Whether you call it integrated risk management or Governance, Risk and Compliance or just plain old organizational common sense, managing risk within today’s competitive and constantly changing environment is an absolute necessity. In the past year, technology shifts, market disruptions and unique obstacles have made keeping tabs on the barriers to strategic business goals a constant battle. Piling on top of the usual suspects of security, operational risk, and regulatory compliance are the topics of operational resilience, third-party risk and Environmental, Social and Governance (ESG) risk. While those themes have been part of the risk landscape for years, they seem to have matured from precocious toddlers to full-blown adolescence – wreaking havoc – overnight. At this juncture, we felt it was important to take a step back and look at the risk management industry.

The Archer State of Integrated Risk Management report is based on several inputs. We analyzed our customer base to identify trends and indicators. With over 1500 deployments, Archer is used by companies of all sizes, in all industries and across the globe. Additionally, we have customers with deployments of over 15 years. This coverage gives us unique insights into what capabilities companies target as they mature their risk management programs. We also analyzed specific results from the 2020 RSA Digital Risk Survey relevant to integrated risk management priorities. This survey consisted of targeted questions regarding risk priorities today, with responses from 1,100 risk, security and business professionals. Based on our own experiences working with our customers and these inputs, we identified four industry themes that provide a perspective on integrated risk management:

- Compliance is still foundational, but operational resilience is the end game.
- Convergence of digital and traditional business means organizations must not stop at IT and security risk management or disaster recovery.
- Quantification based on well-established mathematical principles is the best way to calculate risk – and it’s easier than ever.
- Risk management maturity over time is complex yet achievable.

We also noted how risk management technology has evolved in the face of change. Over the last 20 years, Archer has evolved from organizing catalogs of key elements of the risk management program into an enterprise business support tool with workflow, reporting and decision support that enables integrated risk management and brings significant ROI.

2020 brought tremendous disruption to organizations but also offered an extreme example of what it takes to be resilient. Disruption doesn’t play favorites – but those organizations prepared for it can not only survive but thrive. Operational resilience takes forethought, discipline and constant vigilance. Integrated risk management plays a critical role in developing these capabilities. Risk management is both a proactive and reflective process, taking not only experience and expertise to learn from the past, but also commitment and focus to innovate for the future. Download the report to learn more about the state of integrated risk management and see how your organization stacks up in building the resilience it needs in today’s risk landscape.

  • What’s Really at Stake With (More) Proposed Breach Legislation

    As we continue to analyze the fallout of the latest sequence of security breaches (SolarWinds, JBS, Colonial Pipeline), the conversation invariably swings toward attribution and, of course, who should know and when they should know. Spurred by these events, another piece of breach notification legislation is circulating…again. This time the discussion revolves around critical infrastructure rather than personal data. We have seen this play out before. While the details may be a bit different, the challenge being laid at the feet of those in the critical infrastructure segment is considerable – a requirement to notify within 24 hours of discovery. Although still in draft mode, the legislation is a reminder of a battle that we continue to fight against increasingly tenacious and skilled adversaries on a battlefield that continues to expand.

Several years ago, I wrote a blog referencing Castor and Pollux as the ‘patron’ gods of this ongoing battle. Castor and Pollux are the twins of the “Gemini” in Greek mythology. They are reminders that a two-headed approach involving proactive measures (such as Vulnerability Risk Management) and reactive preparations (such as an agile Security Operations strategy) is necessary when it comes to security strategies. Ultimately, though, the objective is not to meet the notification requirements. While this may be a considerable incentive (given the proposed sanctions for violations), the recent breaches are a reminder of the end game – operational resilience. Vulnerabilities pop up on the radar from all sources – some lying dormant for decades before being uncovered, some introduced with the latest code – and a security organization that is thinking in terms of a balanced approach is best positioned to address shifting priorities. Potential threat and attack vectors must be identified and responded to as fast as possible. A Vulnerability Risk Management program is a critical mechanism for this.
Actual active attacks must also be identified and responded to as fast as possible. A Security Operations Management strategy is the main device necessary for this. This is a blend of proactive measures and reactive preparations. The two-pronged approach seen in security strategies is an example for broader risks. A resilient organization is thinking in this same manner – what can we do to prevent an issue, and what will we do when there is an issue? At the heart of this approach is an understanding of business risk powered by an integrated approach to risk management. Several factors will give your organization a significant advantage as you target a balance of approaches:

- Establishing a common taxonomy for discussing risk enables preventative and response measures to be balanced based on business impact.
- Common catalogs of risk management program elements such as risks, controls, incidents and assets allow your second line functions to analyze overall risk by setting a mutual point of reference.
- Standardized processes to monitor risk and assess controls permit a balanced view of residual risk via the effectiveness of preventive measures in place.
- Unified processes to report, track and monitor gaps such as operational incidents and issues provide insight into the efficiency of response actions.

These core capabilities set the framework for an integrated, balanced approach to preventive and responsive controls. As we saw in the last 18 months, security breaches are not the only major disruption organizations can experience. The shift towards operational resilience as an end game is resonating across all teams mandated with risk management. Organizations are on the path to put the complementary approaches of proactive and reactive preparation in place. It is, therefore, fitting that travelers and sailors appealed to Castor and Pollux for safe voyages. Those that found favor with the Gemini were thought to be aided in moments of crisis.
Given the ongoing journey organizations are on towards operational resilience, Castor and Pollux are appropriate patrons.

  • Removing Resistance in Key Risk Processes: Make Input Easy for Business Users

    Even the slightest bit of resistance can get in the way of completing a key risk process. If a form is hard to figure out or cumbersome to navigate, users will avoid it, putting it off until the last minute or forgetting about it completely. That resistance then leads to delays in information getting to the people who need it to understand where the potential risks are in the organization and to act in a timely fashion. They find out about something this week that, had they found out last week, could have prevented an incident.

Throughout the various processes that make up an integrated risk management (IRM) program, there is a shared need to engage users quickly and effectively. It can’t be a burden on these users, many of whom don’t consider risk or compliance their primary function. It must be seamless to them, something that easily fits into their busy schedules. If it takes time to figure out a form, users are likely to procrastinate completing it. But if it’s something that just takes a minute, that’s accessible from whatever device they are on, wherever they are, then the request becomes easier for them to fulfill. It’s something that’s just a small part of a normal day’s activities.

When business users in the organization can perform their risk-related tasks quickly and easily, the whole system flows more smoothly. The risk managers of the world don’t have to spend time and effort worrying about creating a specific user experience, creating extensive training materials that are only used infrequently, or following up to remind people they need to respond. Whether for Control Attestations or Evidence Requests, Quarterly Certifications or Risk Assessments, these are all parts of successful risk programs that rely on input from individuals who don’t have “risk” or “compliance” in their titles.
To help address this issue, we are pleased to announce general availability of Archer Engage™ for Business Users, designed to help accelerate the flow of your risk processes and programs. It is a cloud-based companion product that integrates with your Archer instance – be it SaaS or on-prem – to present assessments and requests to business users in a fast, responsive application that’s as easy to use on a smartphone as it is on a company-issued laptop. It provides an intuitive and easy-to-use experience whether the user is seeing it for the first time or for the first time in a few months. With Archer Engage for Business Users, you can publish any questionnaire or application from Archer to Archer Engage. Later this year, we’ll continue to add capabilities for content creation and other exciting features to combine the richness of your Archer applications with the convenience of Archer Engage. Learn more about how business users can quickly and easily complete assessments or initiate risk management activities with Archer Engage for Business Users. Contact us to get a demonstration of Archer Engage for Business Users.

  • Compliance and Audit: Where do we go from here?

    Many organizations begin their journey towards an integrated approach to risk management in the realm of compliance. The immediate threat of a compliance violation due to an emerging regulatory requirement has always been a compelling event. The resulting efforts to identify affected business operations, subsequently design and implement controls and ultimately demonstrate compliance form the foundation upon which many GRC programs were built. While compliance activities are just one part of managing overall business risk, the discipline required to define controls and measure effectiveness is a key ingredient for successful, long-term risk management practices.

The next logical step is to begin putting compliance into the context of operational risk. The ability for an organization to leverage compliance in this manner is much more valuable than a standalone compliance function. Integrated compliance and audit functions are more effective as a third line of defense – especially as control design and implementations to manage business risks can draw on the experience from compliance programs. For Chief Audit Executives and Corporate Compliance functions, integrating compliance into risk management strategies is an excellent opportunity to uplevel your visibility and show that compliance is not just a check-the-box exercise. Compliance and audit, when executed in the context of risk management and business strategy, add real value towards an organization’s goals. Additionally, you can get executives to appreciate what the compliance and audit teams are doing by getting the most bang out of your audit budget and limited resources and focusing on the right risk areas. Ask yourself:

- How can I report on compliance issues in the context of broader operational risk management efforts?
- How am I prioritizing compliance and audit activities and allocating limited resources towards the right risks?
If you can answer these questions positively, you are on the right track to evolving compliance into a major contributor to risk management. From a Chief Risk Officer perspective, risk processes can be built right on top of the existing compliance and audit program. For example, leveraging the controls assessment processes already in place saves time and energy while establishing a core part of residual risk measurement. Managing risk depends on how good you are at implementing controls, and visibility into your compliance state helps you really understand risk exposure. Integrated compliance and audit processes feeding insights to the risk program provide a key ingredient in understanding the business’ true gaps.

At Archer, we see the symbiotic connection of Audit, Compliance and Risk functions in action. 91% of Enterprise and Operational Risk Management customers own Compliance use cases. 84% of our customers who own our Audit solution also own risk management use cases. These are natural combinations towards Integrated Risk Management. If you have worked hard on establishing your audit and compliance program – and most companies have – and have not broadened into Enterprise or Operational Risk Management, you are behind the curve. Enterprise and operational risk management is the natural progression for compliance. Compliance is only one type of risk, and therefore focusing on just compliance is not the final state. Audit functions are traditionally considered the third line of defense in traditional Ops Risk strategies. Audit provides the independent review and assurance that controls are effective. Adding risk management processes on top of Compliance and Audit programs can ‘uplevel’ the value that compliance activities are providing the organization and help the organization more effectively achieve business goals by properly identifying and managing risk.
Maintaining an effective compliance program can be one of the most difficult, time-consuming and expensive activities organizations face today and into the future. Read our white paper on eight modern principles and techniques that can allow organizations to demonstrate compliance more efficiently, effectively and at a lower cost.
