Search Results

  • Build Operational Resilience to Prepare for Business Disruption and Enable Business Transformation

    Building a resilient organization has traditionally been done through the lens of “what do we do after a disaster strikes? How long can we be down? How do we recover?” These are all valid questions. However, if the recent pandemic, ongoing cyber attacks, and supply chain issues have taught us anything, it is that people and organizations everywhere must be prepared for what may come. Effective preparation not only includes what to do when (not if) a disruption occurs, but it starts earlier and often to identify potential disruptive scenarios and impacts and implement measures to proactively deal with them. Remember, disruption to your organization is not limited to natural disasters, pandemics, and cyber attacks. It can also come from your competition, outdated business models, and other places you may not be readily aware of. Building resilience has, of necessity, become more about proactive planning, understanding what could impact the business, adapting, preparing for the inevitable, and learning from it all. But have you considered that building resilience can be a positive thing? Have you ever thought about how disruptive forces, if managed well, can make your organization stronger? Let me give you an example. Wind plays a major role in a tree’s life. In fact, the presence of wind makes a tree stronger by constantly keeping the tree moving. This causes stress in the wood as the load bearing structure of the tree. To compensate, the tree grows what is called stress wood. This effect helps the tree grow stronger and position itself to get the best light. The tree grows in a more solid manner, thanks to the stress wood formed in response to the wind. Taking this example, the tree is your organization. The winds are disruptive forces coming at you every day – natural disasters, cyber attacks, supply chain issues and more. 
These factors, no matter how you react to them or what their impact is, are in effect creating stress wood: the lessons you have learned and the measures you have put in place to prepare or react, which make your organization stronger so that it not only survives but thrives. Building a resilient organization includes your people, processes, IT, third parties and more. Your organization becomes resilient by planning and preparing and by going through the experience of disruptions and mistakes made. It is all part of the process of learning and growing. I am of the opinion that business resilience is more than worth the effort and price paid. It can be a daunting undertaking, with many not knowing where or how to start building business resilience for their organization.

    To learn more, I would like to invite you to register for our upcoming webinar: How Building Operational Resilience Prepares for Business Disruption and Enables Business Transformation. In this webinar, you will learn about:

      • The origins of operational resilience and why it is important
      • Global regulations and industry trends impacting organizations today
      • The foundational elements of building operational resilience

    You can also find more information on how Archer helps organizations build resilience.

  • Building Resilience Against Third-Party Risks

    Staying on top of the myriad of risks coming at your organization can be a herculean task, but when combined with risks from third parties it can be overwhelming. You have some control over your own risks, but much less control over third-party risks, not to mention risks from their third parties (4th, 5th, Nth parties). There’s only so much you can do, but what you can do is strengthen your own resilience by implementing preventive measures, processes, and controls so you can focus on mitigating the residual impacts your third parties can have on your organization. If you don’t know where to start, I recommend the following areas.

    Identify critical third parties that support your business. This might require taking a step back to understand which externally provided products and services are the most important. “Important” should be defined as those products and services that generate the most revenue for your company, that have the greatest impact on your reputation or compliance, or that are important by other business metrics. Once you know what your most important products and services are, you can identify and associate those third parties that support them. An organization might use many third parties, but the focus needs to be placed on those that are most critical to your organization.

    Map the interdependencies between third parties and your organization. Third parties are an extension of your organization in the work they do, so a critical next step is understanding the interdependencies between your business and these third parties. Which systems do they support, as with a cloud service provider? Which third parties provide critical raw materials? Which third parties support your employees? This is critical because as you focus on building operational resilience across your internal “pillars” (business processes, IT infrastructure, facilities, and people) you have a better idea which third parties support each pillar. Your interdependence should also be measured against the level of reliance on each third party, which is particularly important if that third party is the only supplier for a particular input to your business, or if it supports a key business process.

    Understand third-party risks and how they can impact your organization. No longer can you assume that because you have a contract with a third party that they are mitigating risks that may be passed to your organization. You must identify, assess, and mitigate third-party risks that could impact your organization. One way to do this is to work with your third parties to see their risk registers and understand how they’re treating the risks and what the impacts could be to your organization. If they won’t share the information yet they’re a public company, then you might have a bigger problem, but you can always obtain their 10K/Qs and review risk factors in those reports. Another way is to discuss with your third parties which risks have resulted in actual losses, or other risks they have identified and the probability of their occurrence, and other factors to understand how likely they are to affect you. Include appropriate risks in your risk register and treat the risk to your organization accordingly. As part of this step, you must compare the residual risks that could impact your organization to your defined impact tolerances. If the impacts exceed your defined tolerances, then you should address and mitigate the risks. Address the most important risks from your third parties that could impact your organization, be flexible to pivot to different risks when you need to, and ensure your response is commensurate to the risk and reward.

    Create visibility through data and insights. Good insights give you the visibility you need to manage the risks and take advantage of the rewards of working with your third parties. Insights come from tracking and measuring quantifiable resilience, performance, and risk metrics. Use balanced dashboards that give executives, program owners, business owners and others the data they need to make decisions and take action. You must be able to make agile decisions in real time to mitigate risk or take advantage of it.

    Third parties are a critical part of doing business and sometimes they bring risk to your organization. By considering the topics above, you’ll be better able to convert your third parties from a risk factor to a strategic advantage. For more information, visit Archer Operational Resilience (archerirm.com).

  • The ABC's of ESG

    How do you spell ESG? While it is a simple question, oftentimes simple questions are the hardest to answer. It does not matter what industry you work in. Each has its own unique language, sayings, and code that are difficult to understand for those not adequately versed. The risk and compliance domains are no different. Risk and compliance functions are awash in techno-speak, acronyms, abbreviations, and slang, so that to the outsider listening in, the conversation can sound like listening to aliens from another planet. But if you know the “alphabet” of your domain, conversations can flow as naturally as walking down the street. So, the answer to the simple question of how do you spell ESG depends on your understanding of the ESG alphabet. The good news is that the ESG alphabet is quite simple and easy to learn.

    So let's start with the basics: what does ESG mean? ESG stands for environmental, social, and governance. ESG is a risk management tool to help stakeholders (investors, employees, society) better understand the organizations they engage with regarding social and environmental factors such as the impact on the environment, diversity, and equity policies and practices.

    Now that we have answered that question, how can you learn to speak ESG? We will stick with the basics for this lesson and focus on the five most common ESG standards and the primary framework that are part of nearly every ESG conversation.

    ESG standards:

      • GRI - The Global Reporting Initiative (known as GRI) is an international independent standards organization that helps businesses, governments, and other organizations understand and communicate their impacts on issues such as climate change, human rights, and corruption.
      • SASB - The Sustainability Accounting Standards Board (SASB) standard guides companies' disclosure of financially material sustainability information to their investors. The Standards identify the subset of ESG issues most relevant to financial performance in each industry.
      • CDSB - The Climate Disclosure Standards Board (CDSB) standard provides investors and financial markets material information by integrating climate change-related information into mainstream financial reporting.
      • CDP - The CDP (formerly the Carbon Disclosure Project) standard helps companies and cities disclose their environmental impact. It aims to make environmental reporting and risk management a business norm, driving disclosure, insight, and action towards a sustainable economy.
      • IIRC - The International Integrated Reporting Council (IIRC) standard helps demonstrate the linkages between an organization's strategy, governance, and financial performance and the social, environmental, and economic context within which it operates. By reinforcing these connections, Integrated Reporting can help businesses make better-informed decisions regarding sustainability and enable investors and other stakeholders to understand how an organization is performing.

    ESG framework:

      • TCFD - While many ESG frameworks are being discussed today, the TCFD (Task Force on Climate-Related Financial Disclosures) framework has risen to the top and has achieved global recognition. This framework helps public companies and other organizations more effectively disclose climate-related risks and opportunities through their existing reporting processes and disclose the organization's governance around climate-related risks and opportunities.

    You now know the basics of the ESG alphabet. These ESG standards and frameworks make up the core of almost all ESG conversations. Understanding what these acronyms stand for and how they can help guide your organization's ESG programs will catapult your ability to lead strategic and impactful ESG conversations with your organization's leadership. Want to learn more about ESG?
We invite you (and your ESG colleagues) to join Archer’s Peadar Duffy, Global ESG Practice Lead, and French Caldwell, Chief Strategy Officer for Archer, for a discussion of the critical factors and concepts risk managers need to know before implementing an ESG solution to best leverage their organization’s risk and compliance platform. Webinar: 3 Things Risk Managers Need to Know About ESG 11:00am-12:00pm Eastern Time March 30, 2022 Register now! For information on Archer ESG Management, visit www.ArcherIRM.com/ESG

  • What is Operational Resilience?

    The world as we know it is dynamic, and the global pandemic has emphasized the fragility of human and organizational operations in the connected world of today. Companies are not only trying to recover from the drastic changes of the pandemic, such as remote work, but from the impact of the shifting risk landscape and how it has affected their business goals and outcomes. With an eye on the importance of riding the waves of disruptions and change we see today, organizations need to achieve operational resilience to survive. Operational resilience is the ability of an organization to absorb and adapt from any threat or unplanned disruption. It is a coordinated, consistent, and automated approach to business continuity that goes beyond recovery of internal processes to focus on external services and product delivery. Operational resilience includes traditional elements of IT disaster recovery, planning, testing, and execution, that allows for a swift response during crises to protect an organization’s ongoing operations but takes steps closer to the overall business objectives and strategies. An organization that takes time to construct a solid risk management strategy will thrive in this age where business risk is increasingly connected. Therefore, integrated risk management is the foundation for operational resilience. An organization that has achieved operational resilience will continue to function properly and achieve its goals even amidst interruptions. While the burden of resiliency is one that every employee should carry, senior management should focus on assessing and understanding the risk levels of the organization and its readiness for disasters and unexpected scenarios. 
Gartner predicts that by 2025, “70% of CEOs will mandate a culture of operational resiliency to survive coinciding threats from COVID-19, cybercrime, severe weather events, civil unrest, and political instabilities.” [i] Our whitepaper, “The State of Integrated Risk Management”, discusses the importance of resiliency starting top-down from leadership.

    Communicating Operational Resilience in Your Organization

    To effectively and optimally manage risks, organizations must adopt a holistic approach to overseeing every aspect of the multiple risk management functions. Usually, organizations carry out risk management in silos; each department deals with its own risk management and possible disruptive scenarios. Occasionally effective, this method is not ideal for companies that seek to thrive in the long run, especially in their digital transformation efforts. The silo method does not take into account the risk assessment of the company as a whole. Any risk assessment done in any sector is only as effective as that sector deems fit. Uncoordinated, ad hoc processes can leave a business vulnerable and recovery plans ineffective. Operational resilience deals with assessing and understanding the risk tolerance levels in every sector, to proactively manage risks throughout the organization. Resilient organizations look at both internal and external risks as they understand that risk can also originate from third parties. They have risk management plans in place for any disruption, whether cyberattack, natural disaster, or global pandemic. Companies with operational resilience also must consider risks beyond their own four walls. They know that good communication is imperative to coordination. When a disruption or threat arises, senior managers must convey information to every party involved, including disaster recovery and crisis teams and, if necessary, consumers. Internal and external communications are incredibly important in risk management to reduce impact and maintain business continuity. An organization’s resilience can be improved by ensuring visibility and communication with the following:

      • Clients
      • Stakeholders
      • Distributors
      • Vendors
      • Suppliers
      • Partners
      • And every other set of persons that can have an impact on the organization.

    Interdepartmental communication is crucial to the success of shifting from a reactive to a proactive risk management structure. Operational resilience is a cultural mindset change that drives the implementation of resilient practices throughout the business.

    How to Embed Operational Resilience in an Organization

    There are some integral steps that organizations must adopt to transform from recovery to operational resilience.

    Adopt a Holistic Perspective to Viewing Organizational Risks

    Organizations should consider both internal and external factors that can have a direct or indirect impact on the organization. Take into consideration the people, technology, programs, and processes, etc. associated with the business. An effective enterprise risk analysis must consider risks across every sector and division of the organization. This strategy enables employees and teams to come together to envision potential disruption scenarios that may arise.

    Design a Comprehensive Risk Assessment System

    To manage risks, organizations must be able to assess and predict possible risk scenarios. This is where communication plays a major role, as everyone in the organization must be informed about evolving business priorities that inform recovery and response processes. When members of the organization are on the same page, potential threats and interruptions can be properly analyzed, understood, and documented. Consider the upstream and downstream dependencies, systems, and processes, and how your team plans for them.

    Identify Possible Failures in Existing Processes and Remedy Them

    While every failure that may arise from existing processes may not need to be documented, it is critical to identify key scenarios and focus on the capabilities that prepare for those specific scenarios AND related, derivative, or similar situations. Assess different threat levels and types to proactively plan against them. An effective program must include a cycle for learning and improving processes, so it’s important to bring the continuity and recovery professionals managing day-to-day incidents or planning and testing for crisis events together.

    Operational Resilience and The State of Integrated Risk Management

    We want companies like you to benefit from the risk management lessons learned by our customers during the height of the global pandemic. In our State of Integrated Risk Management report, we outline the key discoveries and insights garnered from those who thrived despite the worldwide upheaval. Get the whitepaper now to read more about the four themes affecting organizations today, and how your business can benefit from an integrated risk management strategy focused on resiliency.

    Archer’s Business Resiliency Solution

    At Archer, we can help you scale through uncertainties and digitally transform your business to the next level through strategic decision-making. Contact us today to discover how to improve your organization’s operational resilience to make your company better suited to handle risks, improve business outcomes, and ease your digital transformation process, especially during times of disruption.

    [i] Gartner: Predicts 2021: Operational resiliency. January 2021.

  • Archer Continues to Lead the Way

    Leadership takes many forms. We recently celebrated our 20th Anniversary at the Archer Summit 2021 in Orlando, marking a long history of leadership in the GRC and Integrated Risk Management space. That same week, Gartner published the second of its two current Risk Management focused Magic Quadrants for the year (IT Risk Management and IT Vendor Risk Management Tools), both of which once again recognized Archer as a “Leader.” Both reports mark the 6th consecutive time we’ve been a Leader, and in total their publication marks 24 consecutive times Archer has been a Leader in any of the Magic Quadrants focused on Risk Management. This is obviously an outcome we’re very proud of as a team, and I think it reflects on our continued commitment to execution and vision. But as I said, leadership takes many forms. And personally, I’m equally proud of many of the areas where we’ve executed against a vision in the past year, many of which were not part of the evaluation criteria for Gartner, but were a primary focus at Archer Summit.

    Advancing the discussion around quantitative risk analysis beyond Cyber Risk is leadership. We all understand the importance of IT risks (including but not limited to cyber security). And maintaining leadership in these areas is of course an important part of delivering true Integrated Risk Management. But it’s not the only area of risk that organizations need to manage carefully. This is why we launched Archer Insight earlier this year, making us the first of the true IRM providers to extend risk quantification, bowtie and other critical tools for analysis across the full range of risk drivers.

    Innovating the industry’s leading risk management platform to support broader stakeholder engagement is leadership. One of Archer’s core capabilities that customers praise the most is how the platform supports very deep dives for the core risk manager/risk administrator persona. But we also see how risk, as it expands into new areas of the business, really requires the participation of a wide range of users, including many who will have much less frequent interaction with the platform. Our development of Archer Engage is aimed directly at supporting risk management teams in their efforts to help first line operators, vendors and other stakeholders participate in risk efficiently and effectively.

    Extending core business continuity and IT risk programs into true Operational Resiliency is leadership. The need for organizations to extend beyond what has all too often been a siloed focus on IT business continuity/disaster recovery is not new. But last year’s pandemic and the shock to the system it caused across all aspects of operations have accelerated for many the need to better prepare for disruptive scenarios. And that disruption isn’t limited to IT delivery and in fact needs to be driven by a broad and prioritized view of how these scenarios could impact the ability to provide products and services. This is exactly where we’ve gone with the recent launch of Archer Operational Resiliency, combining current regulatory guidance and best practices as a foundation for building operational resilience.

    Supporting our customers in pursuit of new Board-level strategic imperatives is leadership. From the beginning, risk management was meant to focus on the most critical strategic areas of a business. Continuous waves of regulation drove some to turn focus towards regulatory compliance and audit capabilities, also a core tenet of Integrated Risk Management. But we see Boards and CEOs increasingly expecting their Risk Management functions to focus more fully on awareness, assessment and response to those risks that threaten overall corporate valuation. Few business trends have taken Board-level discussion by storm the way ESG (Environmental, Social & Governance) has over the past year.
This drove the very recent launch of Archer ESG, which we see as an incredibly natural extension of how customers leverage our platform today, providing improved ability to gather, assess and align ESG data with internal plans and external regulations. And most importantly, help organizations gain early visibility into the risks that threaten ESG success. A thanks to the entire Archer Community for all that they’ve done and continue to do to drive us to lead. Many of you have spurred the development that supports our Leadership recognition by Gartner. More still have acted as catalysts in these recent areas of innovation. And finally, a thank you to those from the Archer Community that were able to join us at this year’s Archer Summit, in person or virtually. We look forward to the next year of news and developments from Archer, and sharing those with all of you.

  • What Benjamin Franklin Said

    You know the ‘Death and taxes’ phrase? This is the full quote, from a letter Benjamin Franklin wrote in 1789 to Jean-Baptiste Le Roy – a French fellow tech guru and scientist of the time: “Our new Constitution is now established, and has an appearance that promises permanency; but in this world nothing can be said to be certain, except death and taxes.”

    How many infomercial articles have you read that start "In today's world, [blah blah blah] is more important than ever"? So trite. So, let me change things a bit: “In today's world, we still live with enormous uncertainty and using numbers to effectively manage risk is just as important as it has always been.”

    After a hiatus of twenty years (this July) of genuflection to SOX, the risk management world is beginning to remember numbers again. Beginning to remember that taking the right risks for the right reasons is an essential part of progress, of success, of creating value. It’s what risk management is meant to do, and the secret sauce in rational risk-based decision-making is numbers. Boxes of long-forgotten ideas are being taken down from the attics of veteran risk analysts, the dust of sorry neglect blown away, and carefully opened – with a mixture of curiosity, expectation and trepidation. Inside we find a mysterious collection of tools that have lost none of their lustrous sheen with age. In fact, in today’s world, with the greater access to data and computing power, they offer more potential than ever. If only we’d learned how they work. We should be kicking ourselves that we were so collectively neglectful. Luckily there are lots of grey beards like me, raised in the pre-SOX era, who have kept the secrets alive. Luckier still, Archer has decided to add the full might of risk quantification to our GRC/IRM platform. It’s called Archer Insight and it’s awesome. I think Benjamin Franklin would have approved.

    About that mixture of curiosity, expectation and trepidation …

    Curiosity: what nuggets lie hidden in your data

    It takes time, care, effort and money to collect data. Your organization has lots of it. If you’ve been using Archer for any length of time you will have lots and lots of risk-related data, all beautifully organized and safe. Don’t you wonder what those data might be able to tell you? One of the most common areas in which an organization can dramatically improve is to make use of the data it already collects. Risk management is no different. The discipline that turns data into knowledge is quantitative. Knowing how often your controls have failed helps you estimate their probability of success. Looking at how many of your historic risks actually occurred helps you see how much you over- or underestimate their likelihood. Looking at best and worst case scenarios helps you estimate the range and likely impacts. The list goes on and on.

    Expectation: will it really help our business?

    Yes, it will. It will help you manage risks far more cost-effectively simply because you can compare the size of a risk against the costs of different treatment options and pick the option that gives you the greatest bang for your buck. But it also means you can aggregate. Numbers can be added, risk scores cannot. Aggregation allows decision-makers to see the big picture, and that is an essential part of making the right big decisions.

    Trepidation: You never understood statistics and probability theory

    Don’t worry about that. For many people, when they hear the phrase “risk quantification” they think of their less-than-rewarding experience with statistics classes at university. They understand that probability theory can only be wielded safely by socially-awkward, sartorially-challenged, wild-haired geniuses working feverishly on equations nobody else can understand. To be fair, they do exist – but their natural habitats are academia and perhaps SpaceX, and some of them look like you and me too. We focus a bit too much on that Einstein photo. In the business world, the challenge is figuring out the best strategies for handling risk, not the math. The people who know the business and have a pragmatic, problem-solving head on their shoulders are best-placed to figure out these strategies. Perhaps that’s what you do already. Framed properly, the method used to evaluate risk can make it really simple to provide the right numbers. Archer Insight is set up this way and it builds the risk analysis models for you as you describe the problem. You don’t ever need to pick a probability distribution or write an equation. But it’s still a great idea to know the basics of probability. You’ll be more confident about explaining what’s been learned, checking the results and collecting the right data. It will take a couple of days of training, and Archer can provide that training. You might even find it fun.

    Archer Insight Delivers Enterprise-Wide Risk Quantification

    Archer® Insight is a suite of enterprise-wide risk quantification capabilities designed to deliver risk and business leaders a complete view of enterprise risks to improve resilience and ensure achievement of its strategic goals. For example, Archer Insight allows you to use built-in techniques like Monte Carlo simulation so you do not need to do all of the modeling yourself. Archer Insight can help you aggregate risk into meaningful quantitative measurements - and when you can add things, you can compare them. It allows you to compare risks and investments needed to mitigate, reduce, transfer or avoid risk. Archer Insight is entirely quantitative, enabling you to combine all the threats to your organization and truly understand the risks that matter. It makes quantitative risk management quick and easy to use by providing a full set of tools and features for understanding and managing all types of risk in one platform: operational, project, cyber-security, health and safety, investment and cashflow risk.

    Join us for an upcoming webinar, Risk Quantification: Step Up Your GRC Game, to learn more about how quantifying risk can change the conversation with your management team and business partners. Contact us to learn how Archer Insight can help you quantify your risk management.

  • Drive Better Risk-Based Decision Making with Enhanced Heat Mapping in Archer Insight

    Today we are excited to introduce Archer Insight, a set of quantitative risk analysis capabilities which, when paired with Archer’s industry-leading integrated risk management platform, supports improved risk-based decision making. Archer Insight features a wide range of enhanced risk analysis capabilities; this blog focuses on one feature we expect to be of high interest to risk analysts, specifically improved risk heat maps. Risk heat maps are a basic communication tool for the risk manager, providing a visual overview of the portfolio of identified risks. On one axis is the likelihood of the risk occurring, and on the other axis a measure of the impact should the risk occur. Those risks with the highest likelihood and impact are most threatening and the corresponding quadrant is colored red. Those risks with the lowest likelihood and impact plot in the quadrant colored green to reflect their relative unimportance, and the area in between is typically colored yellow or orange. Traditional heat map Despite its ubiquitous popularity, the traditional risk heat map presents several challenges: Clearly not all squares of the same color represent risks of the same severity, but the qualitative evaluation of likelihood and impact magnitude do not allow a rational method for defining finer gradations along the red-to-green spectrum. Likelihood is typically equated to probability of occurrence for events that can occur at most one time (like the destruction of a building or the loss of a dataset to the Dark Web) or frequency of occurrence for events that can occur multiple time (like fatal accidents, system shutdowns or regulatory fines). The former scales from 0 to 1, while the latter can take any non-negative value. It is therefore very challenging to show both types of likelihood on the same plot. For example, if an expected frequency of five times a year is ‘High’, then to be consistent a probability of 100% would be lower, which does not make intuitive sense. 
Representing low likelihood risks is also challenging. One might say that a risk with a 10% chance of occurrence should fall into a ‘Low’ category, but this is still quite significant – if you have 10 such risks, it is almost certain that one of them would occur. On the other hand, a risk with a one in a thousand chance of occurring would fall into the same ‘Low’ likelihood category. When an impact can take a wide range of values, it is extremely challenging to decide how to present the risk. For example, a factory accident might have a 10% chance of occurring in a year, but its impact could be anything from some minor bruises if lucky (Low), most probably an outpatient visit by a worker (Medium Low), but in the most extreme circumstances there could be several fatalities (High). If the risk is evaluated as [Likelihood, Impact] = [Low, Medium Low], there is no recognition of the very severe possible outcome, but if it is represented as [Low, High], the evaluation is exaggerated. A new vision for heat maps Archer Insight introduces quantitative estimation of risks through simple, intuitive evaluation techniques that require no expertise in probability modeling or math. It resolves the probability/frequency dilemma, and it allows users to express the range of possible resultant impacts if needed. Archer Insight also introduces quantitative bowtie methods to express how one risk may have more than one consequence. For example, a car crash (risk event) could result in several consequences – from being late for work to repair bills to injuries and fatalities to the passengers and larger public. [Figure: Bowtie analysis for a car crash] These consequences produce impacts of different dimensions: money for repairs, time for delays, and level of injuries/fatalities for people. It is even possible to map several risks to the same consequence. For example, several different risks might all lead to the cancellation of a contract (the consequence) with an important financial impact.
Archer Insight automatically calculates the aggregate likelihood of the consequence occurring, taking into account all the different ways it could happen. The option to include a richer description of risk has made it possible to rethink the heat map, and produce a new visualization that is more precise, comprehensive, and useful for decision makers. The standard Archer Insight heat map has an impact scale that ranges from ‘Extremely Low’ to ‘Catastrophic’ plus a ‘Nil’ category so that one can represent when the impact of a consequence has been avoided completely. The finer gradation, together with guiding definitions, allows a far more precise evaluation of impact. Moreover, Archer Insight allows you to specify ranges of impacts, both qualitative and quantitative. Its sophisticated algorithm translates these inputs into a consistent scaling system, even across different impact types. The algorithm ensures that all consequences plotting in the same color are equivalent in importance. [Figure: Archer Insight P-I table for consequences with heat map overlay] The vertical axis is numeric, accommodating both probability and frequency, which is automatically adjusted to reflect the business time horizon and any changes in the window of opportunity for the risks to occur. Pre- and post-risk treatment evaluations are shown together using “tadpole tails”. [Figure: Tadpole tails – the head represents the current status, the end of the tail represents the evaluation prior to any risk treatment] This allows the manager to appreciate the level of reliance on the effectiveness of risk management strategies. If the line is long, the reliance is large. The heat map allows you to drill down by selecting a specific entity and a specific type of impact if required.
Hovering over a consequence will show a description popup, clicking on the dot will highlight the consequence in the accompanying table, and clicking the table entry will show a wealth of information describing the strategy being used to manage the consequence. [Figure: Archer Insight P-I table filtered for Reputation consequences with heat map overlay] One can also view risk events instead of consequences. Archer Insight then displays each risk event, accounting for the multitude of consequences that might arise from it. [Figure: Archer Insight P-I table for risk events with heat map overlay switched off] To learn more about how Archer Insight is enabling an enhanced level of risk-based decision making, register today to attend our August 4 webinar, where we will explore these improved heat maps and many other features of Archer Insight.

  • The Acceleration of the Digital Transformation and Expanded Digital Risks

    The last two years have thrust many organizations into a series of concurrent and overlapping crises and escalating risk. The direct effects of workplace shutdowns are still being felt with supply chain disruptions, shortages, and permanent closures of vendors that have gone out of business. Cyberattacks of enormous scale and sophistication shut down gas pipelines and even breached departments of the U.S. federal government. For any organization that hadn’t considered the evolution of digital risk due to workplace disruption as an important part of its risk profile, the pandemic was a wake-up call. The speed with which digital risks expanded as organizations went remote was unprecedented. Reports of a new respiratory illness were barely newsworthy in early January of 2020. Some organizations had already begun voluntary suspension of in-person operations before official lockdown mandates were declared. Organizations that had relevant continuity plans implemented them; others scrambled to put together ad hoc fixes for unprecedented challenges. The transition to fully remote work brought with it new types of risk. Sensitive information was being routinely accessed from home networks, and the chances of a data breach or other IT threats went up. To see how the most resilient organizations not only navigated this change, but thrived during this disruption, read our whitepaper, “The State of Integrated Risk Management”. The Pandemic Accelerated Existing Trends in Digital Initiatives and Risk Even before the pandemic, we found that a full 90% of respondents in our Digital Risk Survey felt that overall, their organization’s risk profile had expanded in the two years preceding 2019. Almost half of the respondents expected their risk profiles to expand significantly in the next two years (1). Our whitepaper, “The State of Integrated Risk Management”, details how the pandemic reinforced trends of already expanding risk profiles.
For organizations that had already made the transition to a distributed model prior to the workplace shutdowns required to stop the spread of COVID-19, there were fewer novel challenges. For nearly everyone else, the last two years expanded the risk profile immensely. Only 2% of the organizations we’ve analyzed claimed that their digital risks had not been impacted by the pandemic (2). Many organizations were faced with hard choices during the COVID-19 shutdowns. Workplaces could either become partially remote, fully remote or suspend operations entirely. Our findings revealed that in the previous two years, less than half of respondents’ organizations had begun to enable a “work anywhere” or dynamic workforce. More than three out of four respondents felt that in the next two years their organizations were going to accelerate their efforts to allow personnel to “work anywhere”. Rapid Acceleration Introduces Novel Digital Risk Organizations were forced to accelerate digital initiatives under the threat of a global pandemic. Almost one in five respondents in the RSA Digital Risk Survey felt that their organization was mostly reactive to digital threats. Digital initiatives bring with them the expansion of what is known as the “attack surface” of an organization. Moving data to the cloud requires storing sensitive information with third parties, which may introduce or increase the risk of a data breach. When moved to the cloud, data that may have previously been “air-gapped” or stored on machines rather than the internet to prevent a cyberattack, is now open to increasingly sophisticated hacking. The challenge and cost of provisioning and securing devices as well as installing and updating software has led many organizations to move more and more systems to the cloud. As organizations onboard and secure more and more remote devices and users, cloud infrastructure and bandwidth have had to increase as well. 
Software as a service often requires little more than a web browser to offer state-of-the-art digital tools. This also introduces risk, as with every username and password created to access a service, there is another opportunity for a cyberattack. The risks associated with moving toward a dynamic or “work anywhere” workforce were already being considered by organizations when we conducted our 2019 survey. In our 2019 survey, we found that the risks associated with transitioning to a dynamic or “work anywhere” workforce were ranked as the second-highest source of digital risk. How Integrated Risk Management Helps Digital Transformation If an organization adds a new method, process, or platform for every source of risk, it can be difficult if not impossible to quickly assess how a risk profile is changing. Risk management should work with the goals of an organization. We recommend organizations merge essential capabilities across disaster recovery, data backup and recovery, business continuity, crisis management and security incident response strategies, and programs. Organizations accelerate their digital initiatives to become more efficient, increase operational resilience, and be more effective overall at achieving their mission. If new risks aren’t proactively planned for, organizations could end up opening themselves to other threats that overwhelm the expected benefits of the digital transformation. Effective risk management is more than avoiding major failures and business disruptions. Creating a culture of operational resilience through integrated risk management can protect your organization and enhance business outcomes. When integrated risk management is a part of the culture of an organization, the digital transformation is viewed as another component that, like all tools and processes, carries risk. The pandemic expanded and accelerated existing trends, but did so at a pace that caught some organizations by surprise.
Based on an amalgamation of inputs from analyzing our customer implementations and our 20+ years of industry leadership, we’ve outlined how top organizations have successfully navigated the changing risk landscape in our whitepaper, “The State of Integrated Risk Management”. Download our whitepaper now to get a better sense of whether your organization is playing catch up, middle of the road, or ahead of the curve with operational resilience and integrated risk management. (1) RSA Digital Risk Report (2019) (2) RSA Digital Risk Report Third Edition

  • How to Go Beyond Information Technology Security with Integrated Risk Management

    The walls between digital and information technology risk and physical operations are dissolving. It is hard, if not impossible, to think of a single domain in which information technology has no effect on operations. Even with physical operations, new IoT technology takes previously offline infrastructure and firmly connects it to both the benefits and dangers of the internet. Without a responsive IT risk management system in place, the danger posed by exposing so many assets to the web can be catastrophic. Monitoring IT risk and having insight into how the various parts of an organization’s IT systems are connected is critical to operational resilience. For example, the Colonial Pipeline ransomware attack did not directly affect the function of the pipeline. However, the company that operates the pipeline decided that until the extent of the cyberattack was known, the best course of action was to suspend pipeline operations. Events like the Colonial Pipeline attack, as well as the global shutdowns due to the pandemic, have shifted thinking about IT and digital risk. Through our experience as industry leaders and our analysis of Archer customers in our 2020 Digital Risk survey, we found that nearly 75% of respondents expected their digital initiatives to accelerate due to the disruptions and shifts of the past year. To get key learnings on the convergence of digital and traditional risk, read our whitepaper “The State of Integrated Risk Management”. The Current State of IT Compliance IT security and compliance is often tied to IT risk management. In some cases, IT compliance helps with security like using NIST 800 standards when creating passwords. By complying with the strict NIST 800 standards for employee passwords, the risk of unauthorized access is mitigated. There are other situations where an IT compliance solution does not offer any sort of risk management. 
Many IT systems utilize software and systems that can track issues through tickets, allowing for close monitoring of how problems are resolved. An IT ticket management system provides greater accountability for IT departments, but an IT ticket system needs to be tied to an integrated risk management platform to provide the greatest benefits to operational resilience. There are many major information technology compliance standards published by private companies, non-governmental organizations, and governmental departments. Whether complying with COBIT, ISO 27000, or the European Union’s GDPR (1), IT compliance on the Archer platform works seamlessly with IT security and risk management. Of the 1100+ deployments Archer has for IT and security risk management, more than 80% utilize compliance processes on the Archer platform. Properly securing internal, third-party, or customer data not only increases operational resilience, but is becoming central to IT compliance. Many IT compliance standards provide strict guidelines and requirements for the collection and storage of personal data, and there are governmental regulations either already enacted or set to take effect that mandate higher data privacy standards. It’s projected that 65% of the world’s population will have its personal information covered under a privacy regulation by 2023, up from just 10% in December 2020 (2). Third-Party Regulations and IT Risk Regulators increasingly require organizations to perform extensive due diligence both when selecting a third party for a service and for the duration of the engagement with the third party. Treating the activities of third parties as an extension of the organization retaining their services is not only required in many jurisdictions, but for information technology services it is sound practice to mitigate risk. The nature of information technology security issues makes third-party compliance particularly important.
With physical goods or services, if a third party fails to properly secure their infrastructure, the damage or disruption to operations can be relatively easy to contain. A damaged or stolen shipment of goods could result in reduced capacity to operate but pales in comparison to the kind of disruption information technology security lapses can cause. An IT security lapse by a third party can result in a cascade of IT systems being compromised. For example, no matter how conscientious the tens of thousands of organizations that used SolarWinds Orion software to manage their information technology stack were with IT security, they were susceptible to risk related to the SolarWinds security breach. What Organizations Should Expect from their IT and Security Risk Management Vendors More than 70% of Archer customers’ early-stage deployments target IT and security risk management use cases, reflecting the criticality of digital technology and data in achieving their business objectives, which is no surprise given RSA’s reputation for IT security. Risk between departments has become more tightly linked as digital transformation has allowed more and more operations to be controlled with the same systems. The digital transformation that has merged physical operations with information technology is driving the need for greater integration. Ideally, IT and security risks should be managed with the same tools used to manage other forms of risk. An IT and security risk management tool should be able to handle as many risk domains as your organization has to deal with. Most Archer customers don’t stop with one domain of risk; almost 80% of our customers manage multiple domains of risk on the Archer platform. An IT and security risk management solution should offer real-time monitoring and reporting. The speed with which an attack or breach can compromise IT systems means that organizations need to be able to flag and monitor issues in real-time.
Real-time monitoring tightens the loop, making it easier to address IT security and compliance issues before they become larger problems. But cyber attacks are only one part of the IT risk puzzle. Third party risk, resiliency, continuity and disaster recovery, compliance and a whole host of other risk categories affect an organization's overall technology risk profile. Organizations should be using a risk management platform that allows for multiple risk domains to be tracked and managed with real-time reporting. An IT security and integrated risk management platform should drive operational resilience and growth. See how the right IT security risk management tools are protecting organizations and helping them expand in our industry report, “The State of Integrated Risk Management.” (1) https://www.rsa.com/en-us/solutions/advance-gdpr-and-privacy-compliance (2) Focal Point Insights. Nine Data Privacy Trends to Watch in 2021. December 2020. https://blog.focal-point.com/the-9-data-privacy-trends-to-watch-out-for-in-2021

  • How Increased Global Connections have Exposed Organizations to Risk

    The world is increasingly connected, and organizations are more exposed to the risks and rewards of other enterprises than ever before. Physical supply networks, digital communications, and integrated business systems have reshaped the risk landscape. The pandemic has reinforced for all of us the complexity of modern organizations, and the need for close coordination across departments and disciplines in response to a crisis. Operational resilience can no longer only consist of the BC/DR function (Business Continuity and Disaster Recovery) that builds reactive recovery plans that are only dusted off during infrequent geo-specific or IT disruptions. An organizational continuity plan that articulates a localized disaster recovery process may not map onto a global disruption. Furthermore, an IT problem isn’t just an issue with the organization’s computer network when infrastructure and physical assets are always connected. The need for a holistic and fully integrated view of risk management has been thrown into focus by the pandemic. The consequences of unmanaged risk for any organization are extensive, and as risk continues to grow, executives and board members are increasingly becoming more involved in risk management initiatives. More and more organizations have begun to integrate risk management into their day-to-day operations. Risk is changing so dramatically across so many areas that siloed and manual processes make it difficult to get complete information to stakeholders quickly. Even the most successful point solutions will only magnify this challenge, with information stored in different locations and used in different ways by each department. This is exactly why our customers see such value in managing multiple dimensions of risk on one platform; in fact, almost 80% of our customers manage multiple domains of risk on Archer.
An organization that has fully adopted and empowered integrated risk management practices and processes may be forced to contend with third-party risks that are beyond the direct control of the organization. To find out how managing vendors and suppliers outside your walls can increase operational resilience and actually drive growth, download our latest report, “The State of Integrated Risk Management”. Increased Exposure to Supply Chain Disruptions The connected global economy has exposed an increasing number of organizations to risks outside of their traditional domains. Even if an organization was able to formulate and properly categorize a BC/DR for the countless eventualities that can disrupt operations, recognizing emerging risks and promptly shifting into disaster recovery still requires risk management to be deeply integrated into an organizational framework. Local and global disruptions have gone from being blue-moon events to being business as usual. As the risk profiles of more and more organizations expand, being able to continuously manage risk becomes more integral to every level of operations. Accordingly, risk management has become central to the scale and scope of operations. We’ve found that for many organizations, anticipating, recognizing, and managing risk has become a critical component at every level of operation. Our experience with organizations that use Archer gives us an understanding of how organizations have responded to the challenges of the past year. Over 60% of respondents in the 2020 RSA Digital Risk survey stated their companies' integrated risk management programs were somewhat or quite extensive. Compare that with only 7% of respondents stating that their organizations did not have any sort of integrated risk management programs or procedures in place, and it’s clear that risk management is a priority in today’s organizations. 
Global Changes and Operational Risk Climate change has turned once-in-a-lifetime events into regular occurrences. Some regions are expected to experience 100-year floods nearly every year (1). In the summer of 2021, the Pacific Northwest of North America, a region so mild that most people do not have air conditioning, saw temperatures reach over 120 degrees Fahrenheit. Previously unthinkable weather disruptions are now commonplace, causing unmanaged disruptions. Catastrophic flooding that washes away industrial centers, heat waves that melt power lines and roads, and ice storms that freeze gas lines all have the power to throw supply chains into chaos. Even an organization that uses multiple vendors to help ensure operational resilience will still be out of luck if all of the vendors are disrupted at the same time during a global catastrophe. Sophisticated state-sanctioned cyber warfare has brought disruptions to more and more organizations. The 2020 SolarWinds attacks (2), in which Russian hackers compromised the networks of over 18,000 organizations, are just one example. In this case, the target seems to have been the networks of the United States government, but since the attack involved hacking the software update server for all users of the SolarWinds Orion platform, many non-government networks were also compromised. Early in the COVID-19 pandemic, a shortage of N95 masks highlighted the risks of an interconnected and international business environment. With scarce information about what kinds of preventative measures could limit the spread of the virus, N95 masks were shown to be effective at reducing transmission. Compounding the panic buying that nearly eliminated inventory for the masks was the shutdown of international borders, as the medical-grade wood pulp used for the masks was produced in Canada (3).
Any organization that relied on face-to-face interactions to achieve its operational goals was forced to choose between stopping operations, continuing operations while putting personnel at risk, or having to pay exorbitant prices for increasingly scarce face masks. Organizations without an established framework in which to quickly compare and make decisions about operational, compliance, and financial risk suffered. Organizations must routinely plan for and contend with risks that previous generations would consider to be outside of the realm of possibilities. That’s why we recommend organizations manage risk by coordinating efforts across organizational domains, such as resiliency, audit, compliance, IT, and operational risk. Instead of assuming any given eventuality will occur in isolation, to be addressed alone, modern organizations will soon recognize that multiple disruptions can occur simultaneously. Operational Resilience is the Primary Motivator We recommend organizations approach risk domains holistically by connecting the risks seen in day-to-day operations to the implications of those events to the business strategy. 1 in 5 of the respondents in the 2020 RSA Digital Risk survey stated they are prioritizing the alignment of business resiliency and enterprise risk management approaches in the next two years. An organizational culture that relies on processes and procedures to deliver operational resilience is not enough. Global risks cannot necessarily be managed with the same processes that work for internal or even vendor risks. 
Learn how to not only respond to global risks outside of your four walls but to actually turn risk to your advantage in our report “The State of Integrated Risk Management.” (1) https://www.nature.com/articles/s41467-019-11755-z (2) https://www.businessinsider.com/solarwinds-hack-explained-government-agencies-cyber-security-2020-12 (3) https://www.theglobeandmail.com/canada/article-vancouver-island-pulp-mill-supplies-materials-for-medical-protective/

  • How an Integrated Risk Management Approach to Security Increases Operational Resilience

    Any organization managing cybersecurity risks has a daunting challenge. Security issues are identified and published online daily, mitigations may not arrive for weeks, and threats can originate across international borders. Narrowly focused best practices can become liabilities overnight. Conscientious and inflexible security practices may mitigate the risk of theft or intrusions but may come at the cost of efficiency and responsiveness. Risks can be invisible right up until they are a problem, and even trusted and seemingly secure supply chains can be disrupted or compromised. The lines that define safe operations are constantly shifting, as even existing technologies require fresh security assessments. It isn’t enough to make a one-time risk analysis of possible threats when integrating new practices or assets. We recommend organizations routinely determine the scope and business implications of cyber-attacks. In addition, being able to quantify and categorize risk can make the development of a risk management culture a concrete exercise with metrics and clearly defined goals. Establishing how each process and practice manages risk and increases operational resilience is easier with an integrated risk management approach to security. Leaders in integrated risk management have been expanding their abilities for mitigating risk with new tools that allow for coordinated security processes. See how to protect your organization with robust risk defenses by reading our report, “The State of Integrated Risk Management.” All Risk is Connected and Your Security Approach Should Be Too In the physical world, a strong perimeter defense can mitigate losses while still allowing businesses to operate within protected perimeters of a facility. However, cybersecurity perimeter defenses have long been problematic due to the very nature of digital risks and threats. 
When everything relies on the impregnability of a firewall or the secrecy of a password, everything is at risk if a firewall is breached or a password is compromised. When the global COVID-19 pandemic led to workplace shutdowns, the opportunities for cyberattacks skyrocketed. Organizations that did not have an integrated security approach to cyberthreats were more vulnerable to attacks when their workforce was distributed across a spectrum of network security settings. When a flood of remote workers began accessing sensitive assets through home networks, many organizations relied on VPNs to allow personnel to tunnel into protected organization networks. Unfortunately, this adds as many points of security weakness as there are personnel remotely accessing the organization’s network. For example, the Colonial Pipeline ransomware attack used virtual private network login credentials to hold the Colonial Pipeline Company’s operations hostage.[1] A single point of failure led to disruptions in mission critical operations. Reinforced Defenses against Disruption The concept of defense in depth has been around for decades and adds layers of protection wherever possible and practical. An integrated risk management approach to security builds on that concept by connecting processes and data from other risk functions since every part of an operation is a possible security concern or source of risk. The key to designing and maintaining an integrated risk management approach to security is to make sure the entire process is aligned with operational resilience. The ability to remain in operation despite disruptions should be the primary motivating force behind your security approach. 1 in 5 of respondents in the RSA Digital Risk 2020 survey stated they are prioritizing the alignment of business resiliency and enterprise risk management approaches in the next two years.
With an integrated risk management approach to security, different areas of an organization can manage their risk in a way that strengthens overall operational resilience. The efforts of IT and security weave together with regulatory and corporate compliance, third-party management, and other stakeholders to create a reinforced risk management program. Granular Risk and Response We recommend organizations compile a complete picture of technology and digital security related risks and understand their financial impacts. Without knowing how a data breach will disrupt operations, it can be impractical to gauge the appropriate level of effort and capital to invest in precautions and countermeasures. A well-defined process and taxonomy that quantifies the impact of risks can help to align risk management practices with organizational goals. Without an integrated risk management approach to security in place, a single security risk can propagate through an organization’s assets. With more and more elements being digitized, automated, and controlled with connected technology, a data breach can even result in the disruption of physical operations. When operational resilience relies on the strength of a single measure, that one defense becomes so critical that it becomes difficult to quantify the results of that defense being compromised. A defense in depth, integrated risk management-based security strategy allows for atomized risk appraisals of any given practice or process. The growing necessity of defense in depth security practices places a new responsibility on the risk management landscape. While the integrity of a single perimeter defense system can be determined with existing industry practices, the sheer density of security measures calls for new processes to monitor and control an organization’s risk management practices. The pandemic revealed previously ignored or unaddressed weaknesses in many organizations. 
Our 2020 Digital Risk survey found that nearly 75% of respondents expect their digital initiatives to accelerate due to the disruptions and shifts over the past year. While some of this acceleration will include expansion of existing approaches and practices, new processes to meet the expanding risk profile can help an organization match the shifting environment. Operational risk programs should bring risk information together so you can better understand your risk posture, determine more easily how to treat risks, as well as see the interrelationship of these risks to the entire business. Integrated Risk Management Moving Forward Comprehensive approaches to operational resilience require detailed audits of weaknesses in every part of a risk management strategy. Most of our customers expect their risk profile to expand significantly in the next two years. We work with organizations to manage their expanding risk profile on our powerful integrated risk management platform. To discover how the organizations that utilize a mesh security approach are outcompeting even in times of disruption, read our whitepaper, “The State of Integrated Risk Management.” [1] https://www.bloomberg.com/news/articles/2021-06-04/hackers-breached-colonial-pipeline-using-compromised-password

  • How to Leverage Compliance Towards Operational Resilience

    Compliance is often a logical, externally driven starting point for risk management programs. Staying ahead of changing regulations can be a daunting task. Factor in disruptions like the pandemic and the evolving business landscape and it becomes clear that no single risk management function standing alone can adequately protect an organization from risk. Rather, companies need an integrated risk management approach focused on operational resilience to adapt and prosper in times of upheaval and increased potential risk.

    With integrated risk management, companies go beyond compliance to layer on audit management, enterprise and operational risk management, third-party governance, and other functions. This layered, “mesh” approach creates a more holistic model providing depth to the risk management strategy. In our whitepaper, “The State of Integrated Risk Management”, we outline the lessons learned by those who thrived in their digital transformation efforts during the pandemic to help companies along their journey to improving business outcomes through operational resiliency. Get the insights and read more about the four themes of operational resiliency here.

    Compliance is Still Foundational but Not the Endgame

    Many times, individual departments may create their own compliance processes to address policies and meet regulatory obligations. This siloed approach makes it difficult to identify, prioritize and respond to issues that impact your business. With changing priorities and resources stretching due to shifting business needs, disconnected processes not only impact an organization’s productivity but also its ability to sustain and grow the business. By establishing a coordinated and consistent compliance program, the executive team can get the full picture of the state of compliance across the entire organization.
Organizations should establish formal processes for stakeholders to understand and manage changes that may affect the organization’s compliance, including how new and changing activities may impact the organization’s obligation. A coordinated approach to compliance improves operational resiliency and should create a proactive approach that supports a holistic risk management strategy. More than 1/3 of respondents in our survey stated a risk-based compliance methodology is a priority for them in the next two years, illustrating the cross-over between compliance approaches and risk management.

Why Operational Resilience is End Game

While compliance is a critical component of managing risk, operational resilience has become an increasingly important topic. Risk today is multidimensional, and the frequency and magnitude of disruptions, like the pandemic, have motivated organizations to take a deeper look at how they identify and analyze risk and how they plan to avoid or recover from them. Operational resilience considers the strategic goals of the organization, engages all parts of the organization, and embraces integrated risk management to drive the development of resilient business practices.

Strong operational resilience can:

- Improve the company’s finances by reducing costs that would have been incurred during a disaster.
- Drastically reduce operational disruptions by preparing for potential disasters before they occur.
- Allow you to respond swiftly in crisis situations to protect your ongoing operations.
- Minimize the impact on your business by breaking down the silos across functions and teams.
- Help organizations have the capacity to quickly put together mergers and acquisitions.
- Help organizations swiftly adapt to changes in technology due to digital transformations.
- Improve visibility over all the performances of different sectors paramount to the organization’s growth and the resources necessary to achieve the goals.
- Provide complete oversight over all the company’s outsourced operations.

How to Create a Culture of Operational Resilience

The ability to absorb changes and adapt to an evolving risk environment is a regulatory, corporate, and board-level topic within many organizations. Traditionally, building a culture of resiliency is a function of an effective business continuity management program. To build ownership across the entire organization, each department from IT to sales must proactively participate in implementing operational resilience into processes, systems, and practices.

This cultural change should be led at the executive level. Gartner predicts that by 2025, “70% of CEOs will mandate a culture of operational resiliency to survive coinciding threats from COVID-19, cybercrime, severe weather events, civil unrest, and political instabilities.” (1) Having change driven by the chief operating officer (COO) or chief information officer (CIO) helps to reinforce the importance of implementation.

The first thing organizations should do when creating a culture of resiliency is have a definite purpose and aim. When organizations have a clear vision that every sector can relate to, it is easier to work together and achieve mutually beneficial goals. Second, organizations must establish consistent procedures and policies. For a program to thrive, all departments and functions performing separate risk management activities should be using the same methodologies, tolerances, and toolsets. Last, it is vital that internal and third-party organizations are as aligned in their resiliency efforts as they are in their delivery of products and systems. This alignment can be accomplished in the onboarding process, service-level agreements, or clauses in contracts.

The State of Integrated Risk Management: Themes of Operational Resilience

Strong compliance processes are one step, albeit a critical foundational step, towards achieving operational resilience.
Programs focused on operational resiliency bring risk information together so you can better understand your risk posture, determine more easily how to treat risks, as well as see the interrelationship of these risks to the entire business. Explore the other themes of operational resilience by downloading our whitepaper, “The State of Integrated Risk Management”.

Archer Solutions

As a leader in providing integrated risk management solutions, we can help you with strategic decision-making and improving your operational resilience. Contact us today to see how Archer Regulatory and Corporate Compliance Management can aid you in providing a clear consolidated view of your organization’s state of compliance and how an integrated risk management approach better prepares you to thrive in a multidimensional and evolving risk landscape.

(1) Gartner: Predicts 2021: Operational resiliency. January 2021.
