- Archer Summit 2024, Day 3: Real-World Breakthroughs in Compliance & Risk Management
We’re nearing the end of another successful Archer Summit and it’s been an extraordinary three days of sharing ideas, making connections, and having fun! Day 3 of Archer Summit 2024 marked a pivot from product roadmap updates and customer panels to breakout sessions and learning labs where ‘the rubber meets the road.’ On the heels of industry user group meetings earlier this week, breakout sessions led by Archer clients and the Archer Executive Forum focused on how Archer can help address today’s most critical business challenges. Topics ran the gamut from assessments to AI, regulatory topics to resilience, and intelligence to next-generation risk management. Attendees gleaned practical knowledge from real-world success stories from Archer clients and partners, including: Ally Apollo Best Buy CastleHill Corebridge Financial Crowe Electric Reliability Council of Texas (ERCOT) Ent Credit Union EY Federal National Mortgage Association (Fannie Mae) Fifth Third Bank Haleon HESTA & Securus Home Depot Intuitive Surgery KPMG Maersk Mars Inc. MTN Group Nationwide Mutual Insurance Company NiSource Raiffeisen Bank Rakuten Saudi Aramco South Side Bank State Farm TD Bank The MITRE Corporation Truist Vanguard Bank of the Philippine Islands Verterim Zions Bancorporation The crescendo for the day was the announcement of Archer Summit 2024 Award winners – stay tuned for more to come on that later. This evening, attendees are invited to a Client Appreciation event at the historic Generations Hall to indulge in the vibrant local cuisine and enjoy an electrifying performance by Cowboy Mouth, a beloved band from New Orleans. Although parting with the lively spirit of the Big Easy for Archer Summit 2024 is bittersweet, anticipation is already building for Archer Summit 2025! We extend our heartfelt gratitude to all of our clients, partners, and colleagues for making Archer Summit 2024 compelling and rewarding. 
Your involvement and engagement have been invaluable, and we eagerly await the next Archer Summit!
- Connecting Leaders: Networking and Knowledge at Archer Summit 2024 – Day 2
The opening keynotes and "Southern Charm" welcome reception at Archer Summit 2024 on Monday night kicked off events in typical fashion – fun, friends, and lots of sharing of risk and compliance ideas! Today was equally amazing as we jumped into everything, from product keynotes to client panels to user groups to breakout sessions and more: Industry user groups for Public Sector, Energy, Healthcare, Supply Chain/Manufacturing and Financial services gave participants a chance to interact with like-minded folks and discuss topics relevant to their industries. The Archer Product team delivered a view into the groundbreaking capabilities available now and coming soon. Highlights included presentations on Archer’s next generation risk experience and a client panel discussion with executives from Truist, Allied Irish Bank, Rakuten, and Cardworks giving us a glimpse into the challenges their organizations face and how they’re overcoming them with Archer. Breakout sessions featured speakers from Saudi Aramco, Ally Bank, Best Buy, Fannie Mae, Rakuten, TD Bank, Truist, Kellanova, Haleon, Highmark Health. Archer partners CastleHill, NiSource, and Cential joined Archer clients and staff to present insightful perspectives on using Archer. Session topics included how to elevate your internal controls with Archer; how Archer RMIS AI can reduce costs and enhance the value of your GRC program; how to build efficient GRC frameworks; and the importance of data driven insights in risk management. The Archer Executive Forum, a group of 23 chief risk, compliance, audit and security officers, met with Archer executives to discuss the importance of AI in GRC, how to drive value using risk quantification, and how Archer can help organizations strategically deploy their risk and compliance capabilities as real business differentiators and drivers. We’re grateful for our valued partners and their partnership with Archer and our clients. 
If you haven’t stopped by the Partner Pavilion yet, check it out. The day ended with dine around dinners at some renowned New Orleans restaurants – great food and company!
- Archer Summit 2024: Unmasking your Potential
Greetings from the dynamic and vibrant city of New Orleans. Today is the opening stanza to Archer Summit 2024, our annual user conference set in a city where the rhythm of jazz echoes the heartbeat of endless possibilities. New Orleans is a picture-perfect backdrop – culturally rich, steeped in history, full of life and always willing to invent anew. In a world of seemingly non-stop change, risk and compliance teams often find themselves in uncharted territory. At Archer Summit, we explore strategies to not only manage but anticipate risks in a world where unpredictability is the new normal. There’s no better place to delve into these discussions than New Orleans, a city that has rebounded from its own complex challenges, demonstrating resilience and adaptability. This vibrant location provides an inspiring backdrop for our discussions on risk, resilience, and innovation. This year’s Archer Summit kicked off in grand style with CEO Bill Diaz announcing a truly exciting strategy to help our clients transform their risk management strategies. On the heels of record expansion and growth for the Archer business, Bill announced Archer Evolv, an innovative SaaS solution that brings together transformative enhancements to help our clients transcend today’s challenges. Archer Evolv incorporates deep learning AI capabilities to provide guidance and insights throughout the risk management program. Built on our SaaS platform, Archer Evolv is global, scalable, easy to integrate and mobile. Our clients can address emerging challenges and quickly leverage the capabilities they need throughout their business. With a next generation user experience and intelligent workflows, Archer Evolv empowers users at all levels with real-time data insights that guide them to make informed decisions and take action. 
Our compliance and risk solutions help clients turn siloed, reactive and transactional risk and compliance approaches into strategic, proactive and opportunistic business differentiators. A key element of our strategy is our unmatched ability to automate staying informed about regulatory developments and anticipate changes that may impact operations, compliance obligations, and risk profiles. Bill outlined the transformative approach delivered by Archer Assurance AI as we announced last month. Bill also elaborated on the differentiated capabilities we have developed for risk quantification with Archer Insight and the expansion of capabilities of Archer RMIS AI. The result is an integrated approach to risk, compliance and audit that transforms risk management programs from being seen as simply a cost center driving administrative overhead to a core business function that delivers strategic value. Across industries, regulatory requirements are intensifying. Compliance teams must navigate stringent regulations, ensuring that compliance is not merely reactive but embedded into the organization’s culture and processes. At the same time, risk managers face the challenge of preparing for events that can cause sudden, widespread disruptions, from natural disasters to geopolitical events. Set against the background of New Orleans’ enigmatic charm and diverse influences, Day One was just the start as Archer Summit 2024 unveils more innovations that will help our clients unmask boundless opportunities lying beneath the surface of uncertainty.
- Introducing The Next Generation Risk Experience, Powered by Archer
While the need for risk management has never been more critical, the challenge goes beyond just managing risks. It requires evolving processes to fuel innovation and business growth. The Archer Platform empowers businesses to manage risk across the organization through a transformative user experience, intelligent workflows, and real-time insights. Empowering Your Users Archer is built with the user in mind, delivering a truly transformational experience that simplifies the most complex aspects of risk management. A clean, intuitive UI allows teams to spend less time trying to remember how to do risk management and more time on critical steps, improving the quality and timeliness of information, reducing bottlenecks and improving decision-making processes. Redefining Risk and Compliance Management with Intelligent Workflows Going beyond just making risk management easier, Archer introduces intelligent AI-driven workflows that completely redefine how organizations manage GRC. These workflows are designed to automate repetitive tasks, streamline processes, and provide end-to-end visibility, ensuring that users can respond to risks with better information and with greater precision. Archer workflows transform risk and compliance from being reactive processes to proactive, value-driving activities that fuel growth for your business. 
Delivering Real-Time Business Insights for Informed Decisions One of the most significant advantages of Archer is delivery of quantifiable business insights that guide users in making informed decisions. In risk management, having financial information to evaluate risks is critical. Archer integrates quantifiable data from across your business, offering a comparable view of risks, compliance status, and potential pitfalls. With these insights at your fingertips, you can identify trends, anticipate challenges, and take measured steps to mitigate risk. Quantifiable insights also provide a clear, actionable picture of the organization’s enterprise risk posture, enabling leadership to make strategic decisions that align with their strategic and operating objectives. Conclusion Archer doesn’t just help organizations manage risk. We help our clients transform the way they approach GRC to drive business innovation and growth. Through a simplified user experience, intelligent workflows, and real-time insights, Archer empowers users to take control of risk management and make smarter, faster decisions. By integrating risk management seamlessly into your business, Archer ensures that your organization is not only protected from risk but also positioned to thrive in an ever-changing landscape. Interested in learning more about the Next Generation Risk Experience with Archer? Watch the video, check out the website, or contact us.
- Why AI Governance Matters to Your Business
Businesses are increasingly turning to artificial intelligence (AI) as a tool for innovation and growth. A recent Gartner survey found that 44% of companies are now using AI in some capacity, up from 37% last year. But with this growth comes responsibility. Without proper oversight, businesses risk mismanaging the use of AI tools, potentially leading to ethical concerns and regulatory issues. Strong AI governance is no longer optional but an essential consideration for any business looking to thrive in the AI era. The use of AI brings new challenges for risk managers Risk managers face numerous challenges in managing and governing AI technologies. One of the biggest hurdles is the absence of centralized AI oversight. With AI systems deployed across various departments, the task of tracking AI assets and ensuring cohesive management becomes a formidable obstacle. This fragmentation can lead to unmanaged deployments, escalating the risk of ethical lapses and regulatory non-compliance, fines, and penalties. New AI regulations will have a substantial impact on how organizations use AI. Navigating the intricate requirements of the European Union (EU) AI Act and other regulatory frameworks can be daunting. Risk managers must continuously update policies and controls to adhere to evolving standards, which can be resource intensive and prone to errors. Identifying, assessing, and mitigating risks, including biases in AI models, is critical to avoid legal and reputational damage. However, risk management programs tend to lack the necessary tools and expertise to conduct thorough risk assessments and audits, leaving them vulnerable to unintended consequences of AI usage. Transparency and explainability of AI processes are crucial yet challenging to achieve. Stakeholders often struggle to understand and trust AI decision making due to the opaque nature of many AI models. Without clear explanations, gaining stakeholder buy in and ensuring accountability becomes difficult. 
Furthermore, data governance is a critical area where many organizations falter. Ensuring data quality, integrity, and security throughout the AI lifecycle is essential. Maintaining high standards and complying with data protection regulations requires robust governance practices that many organizations find challenging to implement effectively. What is AI Governance? The purpose of AI governance is to avoid and mitigate potential harm and build trustworthy AI systems that serve the interests of your customers, employees, community, and society. AI governance is a framework of policies, processes, and controls designed to ensure that AI systems are developed, deployed, and used ethically, responsibly, and in compliance with legal and societal norms. When AI systems are employed to make decisions affecting individuals, there is a risk of unintended harm to customers, employees, communities, or broader society. AI governance must consider the potential risks and impacts at every stage of the AI lifecycle. Trustworthy AI has varied definitions based on perspective, yet most converge on a set of core principles: The European Union (EU) AI Act defines trustworthy AI as being "legally compliant, technically robust, and ethically sound." The National Institute of Standards and Technology (NIST) outlines characteristics of trustworthy AI in its AI Risk Management Framework (AI RMF), including valid and reliable, safe and secure, accountable, transparent, explainable, privacy-enhanced, and fair with regard to managing harmful bias. Five questions to ask your risk management team to evaluate your AI readiness How do you manage and track all AI assets across your business? What steps have you taken to ensure compliance with the EU AI Act? How do you assess and mitigate risk and biases in your AI models? How transparent are your AI decision-making processes to stakeholders, and what tools do you use to ensure explainability? 
How scalable are your AI Governance practices to ensure compliance with new and changing AI Governance regulations? The answer to these questions is not a simple yes or no. They require a thoughtful and thorough evaluation of the AI initiatives in use and the policies and processes in place to govern them. This evaluation should involve collaboration between risk managers, IT leaders, data scientists, and other key stakeholders to ensure a holistic understanding of AI usage across the organization. 83% of business leaders believe they need to adopt AI governance frameworks to ensure ethical AI usage and reduce bias (World Economic Forum, May 2024). By regularly evaluating and adapting AI governance practices, the risk management function can anticipate potential risks and stay ahead of regulatory changes. Employing a robust AI Governance program also demonstrates a commitment to stakeholders and promotes trust in the organization's use of AI technologies. Introducing Archer AI Governance Archer AI Governance empowers risk managers to tackle these challenges and ensure responsible AI use throughout the organization. Aligned with the stringent requirements of the EU AI Act, Archer AI Governance provides a robust suite of features that help to manage AI risks effectively, maintain compliance, and promote ethical AI practices. Interested in learning how Archer AI Governance can help your organization effectively manage AI usage risks? Archer clients and partners are invited to join us on October 4 for a Free Friday Tech Huddle.
- Archer Assurance AI: Transform Your Approach to Managing Obligations and Controls
Meeting regulatory and risk requirements can be challenging. The complexity and volume of regulations can overwhelm compliance teams. Additionally, managing corporate policies alongside these regulations adds even more complexity because organizations must ensure that internal policies align with regulatory obligations. Many organizations have scattered information and data with no holistic view of either their regulatory or non-regulatory obligations and policies. This flawed system leads to inefficiencies, errors, and a lack of scalability. Moreover, this approach leaves the organization vulnerable to non-compliance, reputational damage, and financial penalties. How do organizations overcome this struggle and achieve the effectiveness and efficiency needed to manage risk, compliance, and corporate policies in today’s dynamic environment? Introducing Archer Assurance AI, the only solution that uses AI to monitor and respond to regulatory changes to meet regulatory requirements, create a global catalog that includes both regulatory and non-regulatory obligations, and perform gap analysis and propose resolutions to ensure control procedures are aligned to business requirements. Archer Assurance AI offers horizon scanning to automatically monitor global regulatory environments to stay on top of new and updated regulations. It also uses AI to filter and categorize content and deliver only relevant updates. Assurance AI processes your corporate policies needed to manage risk in their original format. The solution categorizes, parses, and versions the content to develop a centralized global regulatory and non-regulatory obligations library. Keeping regulatory obligations and corporate policies in a single library provides visibility to all your organization’s commitments and ensures no obligations are overlooked. 
Archer Assurance AI allows you to manage the full lifecycle of regulatory changes by keeping up with the constantly changing regulations to ensure your compliance efforts are always aligned with business objectives and industry standards. Embrace the future of risk management with Archer Assurance AI! Contact us (https://go.archerirm.com/archer-contact-sales) to learn more about how Archer Assurance AI can enhance your compliance program.
- Balancing Autonomy and Integration in Audit Functions
In today's complex environment, audit functions must strike a balance by retaining autonomy while integrating with compliance and risk functions. This balance ensures that organizations follow policies, manage risk, and comply with regulatory requirements. Audit autonomy is critical to ensure objectivity, provide unbiased assessments, preserve the credibility of audit findings, and maintain trust with internal and external stakeholders. At the same time, integration with other business functions is essential to gain a holistic view of risks across the organization, monitor emerging risks, and anticipate risks to take proactive measures. Importance of Audit Autonomy Audit autonomy is critical for effective auditing and is essential to maintaining objectivity, credibility, and trust, which are crucial for the audit function's success. Autonomy ensures auditors can perform their responsibilities objectively without undue influence from any business functions they are auditing. This autonomy is essential for providing unbiased assessments of risk management, control, and governance processes. In addition, auditors can evaluate policies without pressure, leading to accurate and reliable findings. For an effective audit function, auditors must be trusted by stakeholders, including the board, senior management, and external regulators. Stakeholders who trust auditors' integrity and independence are likelier to act on audit recommendations and findings. This trust is foundational for fostering a culture of accountability and improvement in an organization. An independent audit function can detect issues, inefficiencies, and non-compliance. When auditors lack autonomy, they might be pressured to overlook or downplay negative findings. With autonomy, auditors can conduct investigations and report candid findings to ensure that issues are addressed and risks are mitigated before they escalate. 
Ensuring auditors can operate independently while maintaining the integrity and effectiveness of the audit process ensures organizations manage risks, improve compliance, and strengthen governance. Importance of Integration with Other Functions While audit autonomy is critical, integrating with risk and compliance functions is equally important. This integration enhances the audit process. Integration with other business functions allows auditors to have a comprehensive view of risks across the organization. When understanding an organization's risks, auditors can provide more proactive measures and strategic recommendations. With integration and better information sharing, auditors perform more efficient audits and more effective risk management. Integration enables auditors to access critical data and improve the quality of audit outcomes. Getting insights from visibility into other functions allows for better risk management by addressing issues before they escalate. Auditors help develop proactive strategies to mitigate risk instead of reactive management. Auditors can ensure that policies are enforced consistently across the organization, reducing the risk of non-compliance and helping avoid penalties. Integration with audit, risk, and compliance functions allows an organization to manage risks effectively, ensure compliance, and enhance operational efficiency. Maintaining autonomy while integrating audit functions with risk and compliance functions enhances the organization's ability to effectively identify, assess, and mitigate risks. By implementing these strategies, organizations can achieve a proactive approach to risk management, compliance, and governance, ensuring resilience and sustainability in today's business environment. This integration is critical for conducting effective audits that provide insights and recommendations to support decision-making and regulatory compliance. 
The Archer Solution With Archer Audit Management you have the flexibility to define your audit universe independently or by leveraging the controls defined in the rest of the system. Archer is uniquely positioned to allow for flexibility based on how your company operates. With the introduction of Audit Engagement Templates companies now have a faster way to go from zero to engagement. The new process reduces the dependencies on other departments all while allowing for integration where and when it is needed. Contact us to learn more about how Archer Audit Management can give your audit teams autonomy without losing visibility into other functions for proactive and risk-based audits.
- AI Governance: From Buzzwords to Best Practices
AI will most likely win the buzzword award for 2023. ChatGPT and Google Bard have opened the eyes of millions to the potential benefits of AI. Additionally, AI introduces opportunities for organizations to exponentially increase efficiency and cut costs; unfortunately, AI also introduces new risks to these same organizations. In March 2023, over 30,000 individuals, including well-known technology leaders, signed an open letter asking organizations to pause their work on advancing AI beyond the capabilities of ChatGPT-4 for at least six months. In their letter, they called for policy makers and AI developers to work together to accelerate the development of strong AI governance. They claimed governance should include the oversight and tracking of high-risk AI systems, research of watermarking technologies to distinguish reality from fiction, robust auditing systems in place, and enforcement of risk management of AI-specific risks. While generative AI has caused quite a stir today, regulations around AI have been in the works for quite some time. The European Union (EU), per usual, arrived first at the scene with their wide-sweeping AI Act. Penalties under this law could cost organizations up to 30M euros or 6% of their revenue for non-compliance. Regulators over the financial sectors in the US and the UK have also declared that AI models need the same level of attention and rigor as any other model undergoing model risk management. In addition, the White House has released an AI Bill of Rights, specifically intended to help policy makers draft effective AI regulations, hinting that more regulations are coming to the AI space. Why AI Governance is Needed In short, the purpose of AI governance is to avoid and mitigate harm by building trustworthy AI. Organizations serious about AI governance should consider taking a “do no harm” oath regarding AI. When AI is used to make decisions that affect humans, harm may befall your customers, employees, community, or society. 
AI governance needs to address the potential impacts and harm to groups during the entire lifecycle of AI. Trustworthy AI has different definitions based on who you ask, but most have the same general premise. The EU AI Act defines trustworthy AI as “legally compliant, technically robust, and ethically sound.” The National Institute of Technology and Standards (NIST) outlines characteristics of trustworthy AI in the AI Risk Management Framework (AI RMF), such as valid and reliable, safe, secure and resilient, accountable and transparent, explainable and interpretable, privacy-enhanced, and fair – with harmful bias managed. While we’re speaking of NIST, Archer customers should check out the Archer NIST AI Risk Management Framework app-pack on the Archer Exchange. It enables you to utilize the NIST AI Risk Management Framework to assess your AI implementations and determine the posture of your current AI implementation through a comprehensive risk assessment. It helps you design and implement effective risk mitigation strategies to address the gaps from the current implementation to the target implementation. The idea is that building and using trustworthy AI reduces harm. That’s what we are striving for when instituting AI Governance. How to Govern AI at Your Organization If you have been in risk management for a while, you can guess what general steps are required. At a high level, a general framework of AI governance would include identification and documentation of your AI systems, risk analysis and evaluation, implementation and testing of controls, and ongoing monitoring. Let’s break these down. #1 Identification To start managing AI systems, you have to know what AI systems you are using. NIST and the EU AI Act provide good definitions of AI. Basically, any system using machine learning, logic-based, knowledge-based, or statistical approaches is considered to be AI. That covers a lot. And that is much more than just ChatGPT. 
When you document your AI systems, it’s critical you collect and document specific information. Important details include: Context – the intended purpose, benefits, norms and expectations, people involved, settings in which it’s deployed, goals, instructions on use, etc. Development details – methods and steps used to develop the AI system, key design choices, system architecture, data requirements, validation and testing information, etc. Monitoring information – the incident management process, key performance indicators, review cycles, etc. Risks and impacts – identified risks, how risks are managed, potential impacts to consumers, employees, society, communities, organizations, etc. Change management – historical log of changes to the AI system. For more information, review the “map” categories in the NIST AI RMF, as well as the EU AI Act section on technical documentation and summary data sheet. #2 Risk Assessment The purpose of assessing the risk of your AI systems is to understand the potential harm they could cause and to know the level of controls you should apply. Typical information system risk assessments prioritize systems based on the data classification housed and processed within the system, as well as the functional importance of the system to the organization. This same thought process applies for AI systems, but organizations should also take into consideration the usage of the system as well. The EU AI Act, for example, outright bans certain uses of AI, or AI systems that cause specific impacts. Any systems that might exploit vulnerable groups or violate rights in any way are prohibited in the market. Using AI to socially score an individual or perform real-time biometric identification in public spaces is also prohibited. High risk AI systems might include systems that assist with education, like determining which students to admit to your school, which ones get into certain programs, etc. 
Any system used for hiring or firing would be considered high risk. Systems that determine who gets access to essential services, like determining your future credit score, would be considered high risk. AI systems that don’t make predictions or decisions are generally less risky. For more information, review the NIST AI RMF “Measure” categories, the EU AI Act on risk levels, the NIST Risk Management Framework, or regulations on Model Risk. #3 Implement and Assess Controls It is recommended to put in place strong controls at every stage of the AI lifecycle. This includes stages like design, development, evaluation and testing, deployment, operation, and eventual retirement. Generally, controls should be put in place to respond to and manage identified risks during your risk assessments. The objective is to maximize the benefits of AI, while minimizing the negative impacts. Examples of controls include, but are not limited to: Drafting policies that cover AI values and governance Conducting ethical assessments Keeping up-to-date technical documentation Enforcing data governance Continuously identifying and managing risks and impacts Conducting model reviews, validation, and performance monitoring Creating clear deployment strategies Implementing strong change management Setting clear decommission strategies for AI systems NIST recommends implementing and testing these types of controls based on the risk level of your AI systems. Under the EU AI Act, high-risk AI systems must undergo a conformity assessment to prove that their system has conformed to the highest standard of controls. This conformity assessment covers topics as shown above and more. Without a conformity assessment, you cannot deploy your AI system in the EU market. It’s expected that the US will have similar requirements in future legislation. 
#4 Ongoing Monitoring Once the risk analysis, evaluation, and control selection have been completed, organizations should continuously monitor their AI systems in production. Ongoing monitoring includes activities like control reassessment, regular reviews, incident tracking and management, and risk identification. Organizations should be proactive in reporting incidents to the proper stakeholders, as there has been greater emphasis on incident disclosure requirements. Trust that it’s better to be ahead of the curve in this space than behind. Organizations should be tracking their own incidents and managing them in an effective way. When logging and reporting incidents, organizations should track things such as the incident summary, reporter, source system, dates of occurrence, impacts of the incident, and the affected stakeholders. These incidents will need to be shared both internally and externally in many cases, so organizations should plan now on their communication strategy. Conclusion Risk managers can leverage current frameworks in place to help govern AI, but will need to adapt to the unique challenges presented by AI. By identifying AI systems, prioritizing them based on risk, applying controls, and monitoring their systems, organizations can build and use more trustworthy AI and avoid negative impacts and harm. Teams working to manage risks posed by AI will also need to be very agile in the rapidly developing regulatory space. For example, the current version of the NIST AI Framework, most model-related regulations, and even the EU AI Act were written to help mitigate risks from traditional AI, not generative AI (GAI). GAI presents its own unique challenges and risks. While these regulations and frameworks have lots of overlap, organizations that don’t adapt to these new AI technologies expose themselves to very large risks. Risk teams need to be looking ahead at what is to come and start their efforts now to institute proper AI governance.
- Understanding Australia’s Operational Risk Management Standard (CPS 230)
The Australian Prudential Regulation Authority (APRA) has finalized its Prudential Standard CPS 230 aimed at ensuring banks, insurers, and superannuation trustees can better manage operational risks, build operational resilience, and respond to business disruptions. The standard replaces several existing standards, including CPS/SPS 232 Business Continuity Management and CPS/SPS 231 Outsourcing. The key requirements of CPS 230 are:
  - Strengthen operational risk management through new requirements to address identified weaknesses in existing controls.
  - Improve business continuity planning to ensure organizations are positioned to respond to severe disruptions.
  - Enhance third-party risk management by ensuring risks from material service providers are appropriately managed.
An APRA-regulated entity’s approach to operational risk must be appropriate to its size, business mix, and complexity.
Latest Updates
APRA has released an updated timeline for the implementation of CPS 230. In response to feedback received during the consultation period, APRA intends to:
  - Move the effective date for the new standard to 1 July 2025
  - Provide transitional arrangements for pre-existing contractual arrangements with service providers, with the requirements in the standard applying from the earlier of the next contract renewal date or 1 July 2026.
How Archer Can Help
Archer can play an important part in helping organizations manage their compliance with CPS 230. For example:
Archer Enterprise and Operational Risk Management enables organizations to:
  - Define risk appetite supported by indicators, limits, and tolerance levels.
  - Assess the organization’s risk profile, including identifying and documenting processes and resources.
  - Ensure internal controls are designed and operating effectively.
  - Provide reporting that enables operational risk oversight at every level of the organization.
Archer Resilience Management enables organizations to:
  - Identify and document their processes and resources for critical operations.
  - Document a business continuity plan (BCP) that sets out how the entity would identify, manage, and respond to a disruption within tolerance levels and can be regularly tested against severe but plausible scenarios.
  - Monitor, analyze, and report on operational risks and escalation of incidents and events.
Archer Third Party Governance enables organizations to:
  - Manage service provider arrangements.
Archer facilitates reporting and notifications to APRA and other stakeholders, including the board, which oversees the entity’s operational risk management, BCP, and management of service providers. For more information or to speak to an Archer expert, you can contact us here.
- Understanding Canada’s Operational Resilience and Operational Risk Management Guideline
The Office of the Superintendent of Financial Institutions (OSFI) released a draft guideline on October 13, 2023, on the operational resilience and operational risk management requirements of federally regulated financial institutions (FRFIs) operating in Canada and foreign bank branches authorized to conduct business in Canada. The draft guideline is open to public consultation until February 5, 2024.
Key Requirements of the Guideline
  - Identifying the FRFI’s critical operations and mapping the internal and external dependencies (e.g., people, systems, processes, third parties, facilities, etc.) required to support critical operations.
  - Establishing tolerances for disruption in respect of an FRFI’s critical operations.
  - Conducting scenario testing to gauge the ability of the FRFI to operate within its tolerances for disruption across a range of severe but plausible scenarios.
  - Establishing a culture that promotes and reinforces behaviors that support operational resilience and proactively managing culture and behavior risks that may influence resiliency.
The design and implementation of the FRFI’s operational resilience approach and operational risk management should be proportionate to the FRFI’s size, nature, scope, complexity of operations, strategy, risk profile, and interconnectedness to the financial system.
The Relationship Between Operational Risk Management and Operational Resilience
OSFI states that operational resilience (OpsRes) is built on the foundation of operational risk management (ORM). OSFI further asserts that OpsRes emphasizes the end-to-end performance of the FRFI’s critical operations across the organization, and as ORM matures it should also focus on the performance of operations end-to-end.
How Archer Can Help
The Guideline lists four outcomes FRFIs are expected to achieve related to operational resilience and managing operational risks:
  - The FRFI can deliver critical operations through disruption.
  - Operational risk management is integrated within the FRFI’s enterprise-wide risk management program and supports operational resilience.
  - Operational risks are managed within the FRFI’s risk appetite.
  - Operational resilience is underpinned by operational risk management subject areas, including business continuity management, disaster recovery, crisis management, change management, technology and cyber risk management, third-party risk management, and data risk management.
Archer can play an important part in helping organizations build these operational risk management and operational resilience capabilities. For example:
Archer Enterprise and Operational Risk Management enables organizations to:
  - Establish an enterprise-wide operational risk management framework.
  - Set a risk appetite for operational risks.
  - Ensure comprehensive identification and assessment of operational risk using appropriate operational risk management practices.
  - Conduct ongoing monitoring of operational risk to identify control weaknesses and potential breaches of limits/thresholds, provide timely reporting, and escalate significant issues.
Archer Resilience Management enables organizations to:
  - Identify their critical operations and map internal and external dependencies.
  - Establish tolerances for the disruption of critical operations.
  - Develop and regularly conduct scenario testing on critical operations to gauge their ability to operate within established tolerances for disruption across a range of severe but plausible operational risk events.
For more information or to speak to an Archer expert, you can contact us here.
- How To Secure Access To Low-Cost Capital Through ESG Management
ESG management, like any innovative concept, has sparked its fair share of controversy. Experts and nations engage in heated debates about the approach, the scope, and even the economic value of implementing an ESG management system in business. Amidst the ongoing debates, McKinsey has shed light on a compelling aspect: evidence is emerging that a strong ESG score can lead to approximately a 10% reduction in the cost of capital.
Why, you may ask? Well, it all comes down to risk. When your business boasts a robust ESG proposition, it's better equipped to weather the storms threatening its ability to operate. MSCI Research noted that companies with high ESG ratings tend to be less vulnerable to systematic risks impacting the broad equity market or market-like sectors or industries than companies with low ESG ratings. Credit rating agencies are now factoring in ESG performance when assessing companies; those with lower credit ratings face higher risk premiums.
Of course, ESG ratings have their fair share of critics, often lambasted for the inconsistency and opaque methodologies employed by the rating providers. However, financial institutions still rely on these ratings to evaluate the ESG performance of corporations. The alternative of hiring an army of ESG analysts to scrutinize every company in their portfolio is simply impractical.
So, if your corporation aims to secure an accurate and positive ESG rating, you must understand the rating methodologies and align your ESG management programs and policies accordingly. Most methodologies assess two critical factors: exposure to ESG risks and ESG risk management. The former primarily revolves around your core business, which may be difficult to change without altering the fundamental nature of your operations. However, the latter is entirely within your control and responsibility. The question then becomes, how can you demonstrate effective ESG risk management?
First, ESG efforts need to be seamlessly integrated into your governance structure. ESG risk management should become integral to your company's core operations, flowing through all three lines: from business users to risk managers to assurance functions like internal audit. Motivation plays a crucial role as well. It's incumbent upon management to establish ESG-related incentives for employees or even ESG challenges for individuals or teams. Healthy competition never hurts, especially when it aligns with corporate values, strategy goals, and a purposeful mission.
Second, ESG risks must be appropriately managed and mitigated. Common sense dictates integrating ESG risk management into your existing enterprise risk management framework.
And most importantly, companies must allocate sufficient resources to their sustainability initiatives, such as investing in technology to integrate sustainability into risk management. Many of today's ESG challenges focus on data collection processes, standardization, and maintaining a dynamic overview of ESG risk management posture. A robust ESG risk management program inherently leads to more consistent operational performance and sustainable long-term growth.
Archer's ESG solution enables organizations to collect and centralize ESG data into a single platform, evaluate the impact of risks and the opportunities on business strategy, understand third-party ESG risks, set ESG goals, and produce auditable reporting all from one integrated platform. If you would like to learn more about how Archer ESG Management can help your organization achieve its ESG goals and objectives, we invite you to our webinar hosted by Verdantix and Archer titled "California's Climate Change Legislation: What Your Business Needs to Know".
In this webinar, you will:
  - Gain an understanding of the key provisions of California's new regulations and how they impact your organization's compliance and sustainability reporting.
  - Discover the broader implications of these groundbreaking California laws on corporate climate reporting, accountability, and sustainability programs.
  - Learn about technology that can help you manage and advance your ESG program.
We hope you can join us for this informative webinar.
- Debunking the Complexity of Risk Quantification
As a go-to-market lead at Archer for our Enterprise Risk Quantification practice and Archer Insight product, I’ve had the opportunity to speak with thousands of customers and risk practitioners across the ERM and GRC space. While there is a market desire to quantify risks, the desire to adopt risk quantification is often met with hesitancy, no thanks to perceptions that risk quantification is reserved for only mature users or users with access to rich data analytics and modeling expertise, and to challenges in demonstrating the value of risk quantification beyond specific risk functions like cyber. At Archer, we’ve taken these perceptions and challenges head-on when developing the Enterprise Risk Quantification practice behind our Archer Insight solution.
Why Archer Insight?
Archer Insight takes an enterprise approach to risk quantification that shifts previous perceptions and challenges associated with adopting risk quantification by prescribing a purpose-built risk quantification methodology for getting started with quantified risk assessment.
Why Enterprise Risk Management?
As you well know, the purpose of an Enterprise Risk Management program is to provide a holistic view of risk across the enterprise for visibility and governance of risks impacting the enterprise’s key initiatives. Recognizing the objective of the enterprise risk management program, quantification doesn’t need to be complex; quantification just needs to be better than what we are doing, which is likely qualitative and semi-qualitative risk heatmaps. Please join OCEG and Archer for our December 12 webinar, “Debunking the Complexity Around Risk Quantification,” where I’ll discuss how risk quantification is best suited for the enterprise risk management program, strengthening and delivering on ERM program objectives.