- Build Operational Resilience to Prepare for Business Disruption and Enable Business Transformation
Building a resilient organization has traditionally been done through the lens of “What do we do after a disaster strikes? How long can we be down? How do we recover?” These are all valid questions. However, if the recent pandemic, ongoing cyber attacks, and supply chain issues have taught us anything, it is that people and organizations everywhere must be prepared for what may come. Effective preparation includes not only what to do when (not if) a disruption occurs; it starts earlier, and is repeated often, to identify potential disruptive scenarios and their impacts and to implement measures that deal with them proactively. Remember, disruption to your organization is not limited to natural disasters, pandemics, and cyber attacks. It can also come from your competition, outdated business models, and other places you may not be readily aware of. Building resilience has, of necessity, become more about proactive planning, understanding what could impact the business, adapting, preparing for the inevitable, and learning from it all.

But have you considered that building resilience can be a positive thing? Have you ever thought about how disruptive forces, if managed well, can make your organization stronger? Let me give you an example. Wind plays a major role in a tree’s life. In fact, the presence of wind makes a tree stronger by constantly keeping the tree moving. This causes stress in the wood, the load-bearing structure of the tree. To compensate, the tree grows what is called stress wood. This effect helps the tree grow stronger and position itself to get the best light. The tree grows in a more solid manner, thanks to the stress wood formed in response to the wind.

Taking this example, the tree is your organization. The winds are the disruptive forces coming at you every day: natural disasters, cyber attacks, supply chain issues and more. These forces, no matter how you react to them or what their impact is, are in effect creating stress wood: what you have learned and the measures you have put in place to be prepared or to react. That is what makes your organization stronger, so that it not only survives but thrives. Building a resilient organization includes your people, processes, IT, third parties and more. Your organization becomes resilient by planning and preparing, and by going through the experience of disruptions and the mistakes made along the way. It is all part of the process of learning and growing. I am of the opinion that business resilience is more than worth the effort and the price paid. It can be a daunting undertaking, with many not knowing where or how to start building business resilience for their organization.

To learn more, I would like to invite you to register for our upcoming webinar: How Building Operational Resilience Prepares for Business Disruption and Enables Business Transformation. In this webinar, you will learn about:
- The origins of operational resilience and why it is important
- Global regulations and industry trends impacting organizations today
- The foundational elements of building operational resilience

You can also find more information on how Archer helps organizations build resilience.
- Building Resilience Against Third-Party Risks
Staying on top of the myriad risks coming at your organization can be a herculean task, but when combined with risks from third parties it can be overwhelming. You have some control over your own risks, but much less control over third-party risks, not to mention risks from their third parties (4th, 5th, Nth parties). There’s only so much you can do, but what you can do is strengthen your own resilience by implementing preventive measures, processes, and controls, so you can focus on mitigating the residual impacts your third parties can have on your organization. If you don’t know where to start, I recommend the following areas.

Identify critical third parties that support your business. This might require taking a step back to understand which externally provided products and services are the most important. “Important” should be defined as those products and services that generate the most revenue for your company, that have the greatest impact on your reputation or compliance, or that are important by other business metrics. Once you know what your most important products and services are, you can identify and associate the third parties that support them. An organization might use many third parties, but the focus needs to be placed on those that are most critical to your organization.

Map the interdependencies between third parties and your organization. Third parties are an extension of your organization in the work they do, so a critical next step is understanding the interdependencies between your business and these third parties: which systems do they support, as with a cloud service provider? Which third parties provide critical raw materials? Which third parties support your employees? This is critical because as you focus on building operational resilience across your internal “pillars” (business processes, IT infrastructure, facilities, and people), you have a better idea which third parties support each pillar. Your interdependence should also be measured against the level of reliance on each third party, which is particularly important if that third party is the only supplier for a particular input to your business, or supports a key business process.

Understand third-party risks and how they can impact your organization. You can no longer assume that because you have a contract with a third party, they are mitigating risks that may be passed to your organization. You must identify, assess, and mitigate third-party risks that could impact your organization. One way to do this is to work with your third parties to see their risk registers and understand how they’re treating the risks and what the impacts could be to your organization. If they won’t share the information yet they’re a public company, then you might have a bigger problem, but you can always obtain their 10-K and 10-Q filings and review the risk factors in those reports. Another way is to discuss with your third parties which risks have resulted in actual losses, which other risks they have identified and the probability of their occurrence, and other factors that help you understand how likely they are to affect you. Include appropriate risks in your risk register and treat the risk to your organization accordingly. As part of this step, you must compare the residual risks that could impact your organization to your defined impact tolerances. If the impacts exceed your defined tolerances, then you should address and mitigate the risks. Address the most important risks from your third parties that could impact your organization, be flexible enough to pivot to different risks when you need to, and ensure your response is commensurate with the risk and reward.

Create visibility through data and insights. Good insights give you the visibility you need to manage the risks and take advantage of the rewards of working with your third parties. Insights come from tracking and measuring quantifiable resilience, performance, and risk metrics. Balanced dashboards give executives, program owners, business owners and others the data they need to make decisions and take action. You must be able to make agile decisions in real time to mitigate risk or take advantage of it.

Third parties are a critical part of doing business, and sometimes they bring risk to your organization. By considering the topics above, you’ll be better able to convert your third parties from a risk factor into a strategic advantage. For more information, visit Archer Operational Resilience (archerirm.com).
- The ABC's of ESG
How do you spell ESG? While it is a simple question, oftentimes simple questions are the hardest to answer. It does not matter what industry you work in. Each has its unique language, sayings, and code that is difficult to understand for those not adequately versed in it. The risk and compliance domains are no different. Risk and compliance functions are awash in techno-speak, acronyms, abbreviations, and slang, so that to an outsider listening in, the conversation can sound like aliens from another planet. But if you know the “alphabet” of your domain, conversations can flow as naturally as walking down the street. So, the answer to the simple question of how you spell ESG depends on your understanding of the ESG alphabet. The good news is that the ESG alphabet is quite simple and easy to learn.

So let's start with the basics: what does ESG mean? ESG stands for environmental, social, and governance. ESG is a risk management tool that helps stakeholders (investors, employees, society) better understand the organizations they engage with regarding social and environmental factors, such as their impact on the environment and their diversity and equity policies and practices. Now that we have answered that question, how can you learn to speak ESG? We will stick with the basics for this lesson and focus on the five most common ESG standards and the primary framework that are part of nearly every ESG conversation.

ESG standards:
- GRI - The Global Reporting Initiative (known as GRI) is an international independent standards organization that helps businesses, governments, and other organizations understand and communicate their impacts on issues such as climate change, human rights, and corruption.
- SASB - The Sustainability Accounting Standards Board (SASB) standard guides companies' disclosure of financially material sustainability information to their investors. The Standards identify the subset of ESG issues most relevant to financial performance in each industry.
- CDSB - The Climate Disclosure Standards Board (CDSB) standard provides investors and financial markets with material information by integrating climate change-related information into mainstream financial reporting.
- CDP - The CDP (formerly the Carbon Disclosure Project) standard helps companies and cities disclose their environmental impact. It aims to make environmental reporting and risk management a business norm, driving disclosure, insight, and action towards a sustainable economy.
- IIRC - The International Integrated Reporting Council (IIRC) standard helps demonstrate the linkages between an organization's strategy, governance, and financial performance and the social, environmental, and economic context within which it operates. By reinforcing these connections, Integrated Reporting can help businesses make better-informed decisions regarding sustainability and enable investors and other stakeholders to understand how an organization is performing.

ESG framework:
- TCFD - While many ESG frameworks are being discussed today, the TCFD (Task Force on Climate-Related Financial Disclosures) framework has risen to the top and has achieved global recognition. This framework helps public companies and other organizations more effectively disclose climate-related risks and opportunities through their existing reporting processes, and disclose the organization's governance around climate-related risks and opportunities.

You now know the basics of the ESG alphabet. These ESG standards and frameworks make up the core of almost all ESG conversations. Understanding what these acronyms stand for and how they can help guide your organization's ESG programs will catapult your ability to lead strategic and impactful ESG conversations with your organization's leadership.

Want to learn more about ESG? We invite you (and your ESG colleagues) to join Archer’s Peadar Duffy, Global ESG Practice Lead, and French Caldwell, Chief Strategy Officer for Archer, for a discussion of the critical factors and concepts risk managers need to know before implementing an ESG solution to best leverage their organization’s risk and compliance platform. Webinar: 3 Things Risk Managers Need to Know About ESG, 11:00am-12:00pm Eastern Time, March 30, 2022. Register now! For information on Archer ESG Management, visit www.ArcherIRM.com/ESG
- The SEC Mandatory Climate Disclosures Proposal & Its Impact on Risk Management
In another of what will be a long series of proposals related to oversight of corporate environmental impact, the U.S. Securities and Exchange Commission (SEC) recently announced its own proposal on disclosure. Joining the efforts of many other governing and regulatory bodies worldwide, including the recent Corporate Sustainability Reporting Directive (CSRD) and Sustainable Finance Disclosure Regulation (SFDR) out of Europe, the SEC has now stepped fully into the fray as stakeholders ranging from conservationists to institutional investors seek greater visibility into the actions of large corporations to manage their environmental impacts. This announced proposal from the SEC has several key aspects that, beyond accelerating current ESG efforts, warrant special consideration for large organizations, including:
- Accountability not only for quantifying progress towards their environmental goals, but also for clear identification of the risks and opportunities to those outcomes
- Requirements that will emerge from the call for more, better, standardized data that can help create a normalized view of progress across organizations

As environmental impacts are only one component of the current ESG push, it is reasonable (if not responsible) for organizations to assume that similar proposals will extend into other areas. If the SEC’s proposal follows the same trajectory as those in other geographies, it is also wise for organizations smaller than those within the current scope to assume “scope creep” down into their realm. Unsurprisingly, the proposal has been met with immediate push-back from both sides of the aisle, and it would be wise to assume that this proposal will go through several iterations before being finalized. But it would be similarly unwise not to view this as another significant signal of accelerated involvement by regulators in ESG.

With that in mind, the SEC’s proposal also has some very specific impacts for Risk Management professionals:
- The near-term need for a focus on data gathering, the risk register, the cataloging of controls, and other common GRC or Enterprise/Integrated Risk Management practices
- Regulation will be a likely driver for some (but not all) integration of ESG into Enterprise/Integrated Risk Management
- This will require starting with an approach that scales bi-directionally: integration across the growing array of regulations AND expansion across various data sources covering not only environmental impacts but social ones as well

Again, this is an early but undoubtedly significant step in what is growing momentum around ESG. At Archer, we believe ESG is much more than another regulatory thorn in the side; it is in fact one of the biggest drivers for more involvement in strategic planning by the Risk Management function. To learn more about how Archer customers are looking at the likely near-term and longer-term impacts of ESG on the Risk Management function, register now for our webinar, “3 Things Risk Managers Need to Know About ESG,” at 11:00am Eastern on March 30.
- What Benjamin Franklin Said
You know the ‘Death and taxes’ phrase? This is the full quote, from a letter Benjamin Franklin wrote in 1789 to Jean-Baptiste Le Roy, a French fellow tech guru and scientist of the time: “Our new Constitution is now established, and has an appearance that promises permanency; but in this world nothing can be said to be certain, except death and taxes.”

How many infomercial articles have you read that start "In today's world, [blah blah blah] is more important than ever"? So trite. So, let me change things a bit: “In today's world, we still live with enormous uncertainty, and using numbers to effectively manage risk is just as important as it has always been.” After a hiatus of twenty years (this July) of genuflection to SOX, the risk management world is beginning to remember numbers again. Beginning to remember that taking the right risks for the right reasons is an essential part of progress, of success, of creating value. It’s what risk management is meant to do, and the secret sauce in rational risk-based decision-making is numbers.

Boxes of long-forgotten ideas are being taken down from the attics of veteran risk analysts, the dust of sorry neglect blown away, and carefully opened, with a mixture of curiosity, expectation and trepidation. Inside we find a mysterious collection of tools that have lost none of their lustrous sheen with age. In fact, in today’s world, with greater access to data and computing power, they offer more potential than ever. If only we’d learned how they work. We should be kicking ourselves that we were so collectively neglectful. Luckily there are lots of grey beards like me, raised in the pre-SOX era, who have kept the secrets alive. Luckier still, Archer has decided to add the full might of risk quantification to our GRC/IRM platform. It’s called Archer Insight and it's awesome. I think Benjamin Franklin would have approved.

About that mixture of curiosity, expectation and trepidation …

Curiosity: what nuggets lie hidden in your data? It takes time, care, effort and money to collect data. Your organization has lots of it. If you’ve been using Archer for any length of time you will have lots and lots of risk-related data, all beautifully organized and safe. Don’t you wonder what those data might be able to tell you? One of the most common areas in which an organization can dramatically improve is making use of the data it already collects. Risk management is no different. The discipline that turns data into knowledge is quantitative. Knowing how often your controls have failed helps you estimate their probability of success. Looking at how many of your historic risks actually occurred helps you see how much you over- or underestimate their likelihood. Looking at best and worst case scenarios helps you estimate the range of likely impacts. The list goes on and on.

Expectation: will it really help our business? Yes, it will. It will help you manage risks far more cost-effectively, simply because you can compare the size of a risk against the costs of different treatment options and pick the option that gives you the greatest bang for your buck. But it also means you can aggregate. Numbers can be added; risk scores cannot. Aggregation allows decision-makers to see the big picture, and that is an essential part of making the right big decisions.

Trepidation: you never understood statistics and probability theory. Don’t worry about that. For many people, when they hear the phrase “risk quantification” they think of their less-than-rewarding experience with statistics classes at university. They understand that probability theory can only be wielded safely by socially-awkward, sartorially-challenged, wild-haired geniuses working feverishly on equations nobody else can understand. To be fair, they do exist, but their natural habitats are academia and perhaps SpaceX, and some of them look like you and me too. We focus a bit too much on that Einstein photo. In the business world, the challenge is figuring out the best strategies for handling risk, not the math. The people who know the business and have a pragmatic, problem-solving head on their shoulders are best placed to figure out these strategies. Perhaps that’s what you do already. Framed properly, the method used to evaluate risk can make it really simple to provide the right numbers. Archer Insight is set up this way, and it builds the risk analysis models for you as you describe the problem. You don’t ever need to pick a probability distribution or write an equation. But it’s still a great idea to know the basics of probability. You’ll be more confident about explaining what’s been learned, checking the results and collecting the right data. It will take a couple of days of training, and Archer can provide that training. You might even find it fun.

Archer Insight Delivers Enterprise-Wide Risk Quantification. Archer® Insight is a suite of enterprise-wide risk quantification capabilities designed to deliver risk and business leaders a complete view of enterprise risks, to improve resilience and ensure achievement of the organization's strategic goals. For example, Archer Insight allows you to use built-in techniques like Monte Carlo simulation so you do not need to do all of the modeling yourself. Archer Insight can help you aggregate risk into meaningful quantitative measurements, and when you can add things, you can compare them. It allows you to compare risks and the investments needed to mitigate, reduce, transfer or avoid risk. Archer Insight is entirely quantitative, enabling you to combine all the threats to your organization and truly understand the risks that matter. It makes quantitative risk management quick and easy to use by providing a full set of tools and features for understanding and managing all types of risk in one platform: operational, project, cyber-security, health and safety, investment and cashflow risk.

Join us for an upcoming webinar, Risk Quantification: Step Up Your GRC Game, to learn more about how quantifying risk can change the conversation with your management team and business partners. Contact us to learn how Archer Insight can help you quantify your risk management.
- How to Achieve Integrated Risk Management Maturity
As new technologies are rapidly adopted, new opportunities open. At the same time, technology also carries the burden of potential negative events. In addition, evolving regulatory environments add new compliance requirements, making the task of managing and mitigating risk ever-expanding. We wanted to know how organizations are contending with digital risk management maturation, so we analyzed how our customers are dealing with evolving risks. We observed that the majority felt their organizations were able to manage at least some of their new, existing, and developing digital risks, in large part because of their path towards an integrated risk management strategy. This is a promising start and shows that even when facing unprecedented challenges, the road to maturing an integrated risk management program leads not only to reduced risk but to more agile and informed business decisions.

Reaching a high level of maturity with integrated risk management can benefit an organization greatly. Managing a greater variety of risks across domains, and smaller categories of risk within domains, is part of a maturing integrated risk management strategy. Maturity also means finding better ways for a risk management program’s findings to be communicated within a department or organization. Discover whether your organization is making the right moves to mature your risk management program to guard against expanding risk by reading our report “The State of Integrated Risk Management.”

Creating a Culture of Integrated Risk Management. A risk management department doesn’t absolve stakeholders from managing the risk in their domains. In the same way that compliance is the responsibility of every person in an organization, integrated risk management strategies place risk reporting and mitigation in everyone’s hands. Today's challenges require managing a cultural shift from reactively checking boxes in a risk assessment program to a proactive risk management model that necessitates participation across the organization. Integrated risk management is a journey, not a destination. Even organizations with well-structured programs must continually monitor and evolve their program to ensure risk management is connected to business goals through cross-functional processes. Risk management processes and procedures that become fixed and no longer connect with the conditions on the ground can create more issues than they solve.

When engaging front-line stakeholders, it is crucially important to ensure that when personnel report on evolving risks, that information is at the very least acknowledged and, ideally, acted on by the organization. In years past this would require taking time to fill out paperwork, something that might not always be practical if the front line is a warehouse or industrial site. The ubiquity of smartphones and wireless networks has created a powerful and rapid method to tighten the loop on reporting, monitoring, and communicating sources of risk. We developed Archer Engage to offer a straightforward risk analysis and treatment platform that allows any stakeholder with a smartphone to report and collect risk data in real time. The process of engagement can extend to third parties as well. An understanding of the relationships you have with third parties to mitigate risk is key to managing risk and operational resiliency. Engaging a third party to report conditions in real time helps make the priorities of an organization clear.

How Risk Management Matures. When an organization begins to develop an integrated risk management program, it is useful to focus on quick wins within the context of a broader strategy. This helps to establish that an integrated risk management program is effective and can deliver on the organization’s strategic goals. Risk is changing so dramatically across so many areas that siloed and manual processes make it difficult to get complete information to stakeholders quickly. Even the most successful point solutions will only magnify this challenge, with information stored in different locations and used in different ways by each department. As an integrated risk management approach matures, risk from multiple domains can be managed centrally, in a coordinated and consistent way. In fact, almost 80% of our customers manage multiple domains of risk on Archer.

Expanding an integrated risk management program across and within domains doesn’t just mean taking the same cookie-cutter solution and thoughtlessly applying it. The process of expansion should be sensitive to what is novel about the different domains being managed. There is no guarantee that, for example, the threat of a cyberattack will map directly onto a compliance issue, so procedures to mitigate or manage one may not make sense for the other. However, even when the details differ, the platform on which those procedures are developed and deployed should offer a common interface for managing both. It is important to keep in mind that a mature integrated risk management approach will evolve over time. Steps that are taken to increase maturity will not deliver a final product, destination, or steady state of risk management. Stakeholders in an organization need to understand that integrated risk management means constant vigilance for existing and novel risks to increase operational resilience. Mature integrated risk management is woven into everything an organization does. Think of how ubiquitous the use of digital technology is in a modern organization and you can start to get an idea of how deeply integrated mature risk management should be.

Expanding and Extending Risk Management Strategies. With a mature risk management strategy, risk is not a ‘black box’ but a key input into making decisions to exploit business opportunity. If your organization can successfully manage disruptions that sideline other players in the field, those disruptions become a chance to grow. Effective risk management is more than avoiding major failures and business disruptions. Creating a culture of risk awareness can protect your organization and enhance its value. An organization with a mature integrated risk management process that can maintain operations during a crisis is able to take advantage of the new opportunities the changing landscape offers. For example, Home Depot proactively distributes plywood, generators, and equipment to clear fallen trees to stores where hurricanes are expected to make landfall. While other hardware and lumber stores may struggle to meet demand or even stay open, Home Depot is the go-to business for people preparing for or recovering from a disaster (1). The individual components of mature integrated risk management are themselves beneficial to an organization. For example, organizations that engage front-line stakeholders in the risk management process were more likely to experience revenue growth and were faster to recover from disruptions (2).

Make your organization more competitive and resilient by downloading our report, “The State of Integrated Risk Management,” which will teach you how the journey toward mature integrated risk management actually provides tangible benefits and better business outcomes.

(1) https://fortune.com/2017/08/31/home-depot-hurricane-harvey-damage-impact/
(2) PricewaterhouseCoopers. Risk in Review: Managing Risk from the Front Line Correlates to Higher Revenue and Profit Growth, Says PwC. 2017. https://www.pwc.com/us/en/press-releases/2017/risk-in-review-managing-risk-from-the-front-line.html
- The Acceleration of the Digital Transformation and Expanded Digital Risks
The last two years have thrust many organizations into a series of concurrent and overlapping crises and escalating risk. The direct effects of workplace shutdowns are still being felt with supply chain disruptions, shortages, and permanent closures of vendors that have gone out of business. Cyberattacks of enormous scale and sophistication shut down gas pipelines and even breached departments of the U.S. federal government. For any organization that hadn’t considered the evolution of digital risk due to workplace disruption as an important part of risk profile, the pandemic was a wake-up call. The speed with which digital risks expanded as organizations went remote was unprecedented. Reports of a new respiratory illness were barely newsworthy in early January of 2020. Some organizations had already begun voluntary suspension of in-person operations before official lockdown mandates were declared. Organizations that had relevant continuity plans implemented them, others scrambled to put together ad hoc fixes for unprecedented challenges. The transition to fully remote work brought with it new types of risk. Sensitive information was being routinely accessed from home networks, and the chances of a data breach or other IT threats went up. To see how the most resilient organizations not only navigated this change, but thrived during this disruption, read our whitepaper, “The State of Integrated Risk Management”. The Pandemic Accelerated Existing Trends in Digital Initiatives and Risk Even before the pandemic, we found that a full 90% of respondents in our Digital Risk Survey felt that overall, their organization’s risk profile had expanded in the two years preceding 2019. Almost half of the respondents expected their risk profiles to expand significantly in the next two years (1). Our whitepaper, “The State of Integrated Risk Management” details how the pandemic reinforced trends of already expanding risk profiles. 
For organizations that had already made the transition to a distributed model prior to the workplace shutdowns required to stop the spread of COVID-19, there were fewer novel challenges. For nearly everyone else, the last two years expanded the risk profile immensely. Only 2% of the organizations we’ve analyzed claimed that their digital risks had not been impacted by the pandemic (2). Many organizations were faced with hard choices during the COVID-19 shutdowns. Workplaces could either become partially remote, fully remote or suspend operations entirely. Our findings revealed that in the previous two years, less than half of respondents’ organizations had begun to enable a “work anywhere” or dynamic workforce. More than three out of four respondents felt that in the next two years their organizations were going to accelerate their efforts to allow personnel to “work anywhere”. Rapid Acceleration Introduces Novel Digital Risk Organizations were forced to accelerate digital initiatives under the threat of a global pandemic. Almost one in five respondents in the RSA Digital Risk Survey felt that their organization was mostly reactive to digital threats. Digital initiatives bring with them the expansion of what is known as the “attack surface” of an organization. Moving data to the cloud requires storing sensitive information with third parties, which may introduce or increase the risk of a data breach. When moved to the cloud, data that may have previously been “air-gapped” or stored on machines rather than the internet to prevent a cyberattack, is now open to increasingly sophisticated hacking. The challenge and cost of provisioning and securing devices as well as installing and updating software has led many organizations to move more and more systems to the cloud. As organizations onboard and secure more and more remote devices and users, cloud infrastructure and bandwidth have had to increase as well. 
Software as a service often requires little more than a web browser to deliver state-of-the-art digital tools. That convenience also introduces risk: every username and password created to access another service is another credential an attacker can phish, guess, or reuse from a prior breach. The risks of moving toward a dynamic or “work anywhere” workforce were already on organizations’ minds when we conducted our 2019 survey, which ranked that transition as the second-highest source of digital risk.

How Integrated Risk Management Helps Digital Transformation

If an organization adds a new method, process, or platform for every source of risk, it becomes difficult, if not impossible, to quickly assess how its risk profile is changing. Risk management should work in service of the organization’s goals. We recommend that organizations merge essential capabilities across disaster recovery, data backup and recovery, business continuity, crisis management, and security incident response strategies and programs. Organizations accelerate their digital initiatives to become more efficient, increase operational resilience, and achieve their mission more effectively. If new risks are not planned for proactively, organizations can open themselves to threats that outweigh the expected benefits of the digital transformation. Effective risk management is more than avoiding major failures and business disruptions. Creating a culture of operational resilience through integrated risk management can protect your organization and improve business outcomes. When integrated risk management is part of an organization’s culture, digital transformation is viewed as one more component that, like all tools and processes, carries risk. The pandemic expanded and accelerated existing trends, but at a pace that caught some organizations by surprise.
Drawing on analysis of our customer implementations and on 20+ years of industry leadership, we have outlined how top organizations have successfully navigated the changing risk landscape in “The State of Integrated Risk Management”. Download the whitepaper to get a better sense of whether your organization is playing catch-up, in the middle of the pack, or ahead of the curve on operational resilience and integrated risk management.

(1) RSA Digital Risk Report (2019)
(2) RSA Digital Risk Report, Third Edition
- How to Go Beyond Information Technology Security with Integrated Risk Management
The walls between digital and information technology risk and physical operations are dissolving. It is hard, if not impossible, to think of a single domain in which information technology has no effect on operations. Even in physical operations, new IoT technology takes previously offline infrastructure and connects it firmly to both the benefits and the dangers of the internet. Without a responsive IT risk management system in place, the danger of exposing so many assets to the web can be catastrophic. Monitoring IT risk, and having insight into how the various parts of an organization’s IT systems are connected, is critical to operational resilience. For example, the Colonial Pipeline ransomware attack did not directly affect the systems that physically run the pipeline. However, the operator decided that until the extent of the intrusion was known, the prudent course was to suspend pipeline operations. Events like the Colonial Pipeline attack, together with the global shutdowns caused by the pandemic, have shifted thinking about IT and digital risk. Through our experience as industry leaders and our analysis of Archer customers in our 2020 Digital Risk Survey, we found that nearly 75% of respondents expected their digital initiatives to accelerate because of the disruptions and shifts of the past year. To get key learnings on the convergence of digital and traditional risk, read our whitepaper “The State of Integrated Risk Management”.

The Current State of IT Compliance

IT security and compliance are often tied to IT risk management. In some cases, IT compliance directly improves security. Following NIST SP 800-63B guidance for memorized secrets, for example (a minimum length, screening new passwords against lists of commonly used and previously breached values, and no forced periodic rotation without evidence of compromise), reduces the risk of unauthorized access through weak or reused credentials. In other situations, an IT compliance solution offers no risk management at all.
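To make the password example concrete, here is an added Python example (not Archer’s code, and not part of the original post) that encodes the verifier rules for user-chosen memorized secrets from NIST SP 800-63B Revision 3, section 5.1.1.2: a minimum of 8 characters, acceptance of at least 64, Unicode normalization before comparison, screening against a blocklist of common or compromised values and context-specific words, and no composition rules. The blocklist is a constructed stand-in for a real breached-password corpus; hashing, rate limiting and MFA are separate controls and are not shown.

```python
"""NIST SP 800-63B-style screening of a user-chosen memorized secret.

Added example, not Archer's code. It encodes the verifier requirements from
SP 800-63B Revision 3, section 5.1.1.2: at least 8 characters, at least 64
accepted, comparison against a blocklist of commonly used, expected or
compromised values (including context-specific words), and no composition
rules. Hashing, rate limiting and MFA are separate controls not shown here.
"""
import unicodedata

MIN_LENGTH = 8    # user-chosen secrets: SHALL be at least 8 characters (800-63B rev. 3)
MAX_LENGTH = 64   # verifiers SHALL accept at least 64 characters; this verifier caps there

# Constructed stand-in for a breached/common-password corpus. Real deployments load
# millions of entries (assumption) and compare the normalized, lowercased secret.
BLOCKLIST = frozenset({
    "password", "p@ssw0rd", "123456", "qwerty", "letmein", "welcome1", "iloveyou",
})


def normalize(secret: str) -> str:
    """Apply Unicode NFKC normalization so length counting and comparisons are stable."""
    return unicodedata.normalize("NFKC", secret)


def _repetitive_or_sequential(s: str) -> bool:
    """True for secrets built entirely from one repeated or stepwise-sequential run,
    e.g. 'aaaaaaaa', 'abcdefgh', '87654321'. Assumption: a simplification of the
    800-63B example '1234abcd', which this check would not flag."""
    if len(s) < 2:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return len(steps) == 1 and steps.pop() in (-1, 0, 1)


def check_memorized_secret(secret: str, username: str = "", service_name: str = "",
                           blocklist=BLOCKLIST) -> list:
    """Return the list of rejection reasons; an empty list means the secret is accepted."""
    s = normalize(secret)
    lowered = s.lower()
    reasons = []
    if len(s) < MIN_LENGTH:            # len() counts code points, not bytes
        reasons.append("too_short")
    if len(s) > MAX_LENGTH:
        reasons.append("too_long")
    if lowered in blocklist:
        reasons.append("blocklisted")
    if _repetitive_or_sequential(lowered):
        reasons.append("repetitive_or_sequential")
    for context_word in (username, service_name):
        if context_word and context_word.lower() in lowered:
            reasons.append("context_specific")
            break
    # Deliberately no uppercase/digit/symbol composition rule: 800-63B says verifiers
    # SHOULD NOT impose them; 'P@ssw0rd' is rejected by the blocklist instead.
    return reasons


if __name__ == "__main__":
    for candidate in ("correct horse battery staple", "P@ssw0rd", "alice2021!", "abcdefgh"):
        verdict = check_memorized_secret(candidate, username="alice", service_name="Archer")
        print(repr(candidate), "->", verdict or "accepted")
```

The point the rules make is visible in the sample run: a long passphrase with spaces and no symbols is accepted, while “P@ssw0rd” satisfies every classic composition rule and is still rejected because it appears in the blocklist.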
Many IT organizations use software that tracks issues through tickets, allowing close monitoring of how problems are resolved. An IT ticketing system provides greater accountability for IT departments, but it needs to be tied to an integrated risk management platform to provide the greatest benefit to operational resilience. There are many major information technology compliance standards, published by private companies, non-governmental organizations, and government departments. Whether complying with COBIT, the ISO/IEC 27000 series, or the European Union’s GDPR (1), IT compliance on the Archer platform works seamlessly with IT security and risk management. Of the 1100+ Archer deployments for IT and security risk management, more than 80% use compliance processes on the Archer platform. Properly securing internal, third-party, or customer data not only increases operational resilience but is becoming central to IT compliance. Many IT compliance standards set strict requirements for the collection and storage of personal data, and government regulations already enacted or about to take effect mandate higher data privacy standards. It is projected that 65% of the world’s population will have its personal information covered by a privacy regulation by 2023, up from just 10% in December 2020 (2).

Third-Party Regulations and IT Risk

Regulators increasingly require organizations to perform extensive due diligence both when selecting a third party for a service and for the duration of the engagement. Treating the activities of third parties as an extension of the organization retaining their services is not only required in many jurisdictions; for information technology services it is sound practice for mitigating risk. The nature of information technology security issues makes third-party compliance particularly important.
With physical goods or services, if a third party fails to secure its operations properly, the damage or disruption can be relatively easy to contain. A damaged or stolen shipment may reduce capacity to operate, but it pales in comparison to the disruption an information technology security lapse can cause. An IT security lapse at a third party can cascade into the compromise of many dependent IT systems. For example, no matter how conscientious the thousands of organizations using SolarWinds Orion software to manage their IT stacks were about their own security, they were exposed to the risk created by the compromise of SolarWinds’ build process, which delivered a backdoored update through the vendor’s own signed update channel.

What Organizations Should Expect from their IT and Security Risk Management Vendors

More than 70% of Archer customers’ early-stage deployments target IT and security risk management use cases, reflecting how critical digital technology and data are to achieving business objectives, and no surprise given RSA’s reputation for IT security. Risk between departments has become more tightly linked as digital transformation has allowed more and more operations to be controlled from the same systems. The digital transformation that has merged physical operations with information technology is driving the need for greater integration. Ideally, IT and security risks should be managed with the same tools used to manage other forms of risk, and an IT and security risk management tool should handle as many risk domains as your organization has to deal with. Most Archer customers do not stop at one domain of risk: almost 80% manage multiple domains of risk on the Archer platform. An IT and security risk management solution should also offer real-time monitoring and reporting. The speed with which an attack or breach can compromise IT systems means organizations need to flag and monitor issues in real time.
Real-time monitoring tightens the loop, making it easier to address IT security and compliance issues before they become larger problems. But cyberattacks are only one part of the IT risk puzzle. Third-party risk, resiliency, continuity and disaster recovery, compliance, and a whole host of other risk categories affect an organization’s overall technology risk profile. Organizations should use a risk management platform that allows multiple risk domains to be tracked and managed with real-time reporting. An IT security and integrated risk management platform should drive operational resilience and growth. See how the right IT security risk management tools are protecting organizations and helping them expand in our industry report, “The State of Integrated Risk Management.”

(1) https://www.rsa.com/en-us/solutions/advance-gdpr-and-privacy-compliance
(2) Focal Point Insights. Nine Data Privacy Trends to Watch in 2021. December 2020. https://blog.focal-point.com/the-9-data-privacy-trends-to-watch-out-for-in-2021
- Why Quantifying Risk Is Essential to Achieving Operational Resilience
Modern organizations must contend with risk from many different sources. Disruptions can come from internal sources, such as process interruptions, accidental damage to physical operations, or a myriad of other potential problems. Even an organization that manages internal risks well will likely encounter difficulties from external sources. Gartner predicts that by 2025, “70% of CEOs will mandate a culture of operational resiliency to survive coinciding threats from COVID-19, cybercrime, severe weather events, civil unrest, and political instabilities.” (1) We also saw evidence of the shift in risk profiles: over 75% of respondents to our 2020 RSA Digital Risk Survey expected their organization’s risk profile to expand over the next two years, and only 7% anticipated a shrinking risk profile. Based on these changes, we analyzed Archer’s customer base, a wide variety of organizations, for the risk challenges they faced over the last year, and we outline the insights and lessons learned in our whitepaper, “The State of Integrated Risk Management”.

How Qualitative Methods Fall Flat When Sizing up Risk

One major observation was the need for more precise measurement of risk. Qualitative risk analysis can provide a framework for thinking about individual threats or issues. A qualitative assessment can translate jargon like “supply-chain software update attack” into an appropriate category with an eye-catching label such as “critical threat”. It is important to make sure the relevant parties understand how dire the outcomes could be, even when a risk sounds unlikely or outside a stakeholder’s domain. Given the wide-ranging nature of threats and disruptions in modern organizations, qualitative visual aids can still be useful when combined with other measurement approaches.
A heat map that plots the likelihood of a given event against its consequences can give a good idea of which issues are mission-critical, but it does not offer a way to decide how much budget should be devoted to mitigating those risks. Replacing words like “mildly adverse” and “catastrophic” with green, yellow, and dark red squares does not change the fact that a heat map ultimately represents qualitative judgments. It may be a great tool for getting stakeholders’ attention, but real operational impacts are felt in dollars and cents, not shades of red. The colors of a risk heat map give a false impression of hard data without offering concrete guidance.

Why Quantitative Methods Make for Better Risk Management

With so many types of risk from so many sources, with widely varying likelihoods, organizations need better ways to manage potential risk. Qualitative descriptions of risk using words and colors require human interpretation when risk management processes are implemented, which leads to inconsistent practice. They also cloud the picture when risks are aggregated: what do two reds equal, or five yellows? This is why quantitative risk assessment is so important. Assigning hard numbers to both the likelihood of a threat and its consequence offers several advantages over qualitative assessment. Being able to say that an event has a 15% chance in a given year of taking 90% of an organization’s operational capacity offline makes it far easier to decide how much time and money to spend mitigating it. Hard numbers also allow risk to be compared across domains: what counts as a catastrophe for one department may have little operational effect on the organization as a whole. Conversely, creeping normalcy can lead stakeholders to become so accustomed to operating under what has been labelled “unacceptable” risk that the term loses all meaning.
The numbers produced by a quantitative approach can not only be compared directly but combined, so that multidimensional risks are translated into a single, easily understood figure. Quantitative analysis can capture the probability and effects of a dozen low-likelihood, low-impact events happening simultaneously. The cascade of disruptions from COVID-19 should serve as a stark reminder that risk is increasingly hyperconnected.

Managing the Data of Quantitative Risk Management

We recommend that organizations manage risk by coordinating efforts across organizational domains such as resiliency, audit, compliance, IT, and operational risk. Archer provides a way to coordinate efforts between departments, just as quantitative risk analysis provides a common language for departments to communicate risk. Organizations that have established programs in individual domains should be working to expand their risk focus and improve visibility, analysis, and metrics. Finding common processes or data to share is a great first step toward bringing risk management functions together. Quantitative risk analysis produces hard numbers that can guide decision-making in definite ways, but it also produces a large amount of information, and real-time monitoring of evolving operational risk produces a flood of it. Risk is changing so dramatically across so many areas that siloed and manual processes make it difficult to get complete information to stakeholders quickly. Even the most successful point solutions only magnify this challenge, with information stored in different locations and used in different ways by each department. This is exactly why our customers see such value in managing multiple dimensions of risk on one platform. Almost 80% of our customers manage multiple domains of risk on Archer, and of the 250+ customers that have been with Archer for over a decade, almost 60% have branched into three or more domains of risk management.
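As an added example, not code from the Archer whitepaper, the Python below shows what “combining” quantified risks into a single figure looks like in practice and how it answers the “what do two reds equal” question. It assumes each risk is described by an annual probability of occurrence (modelled as a Bernoulli trial) and a loss magnitude drawn from a lognormal distribution fitted to a subject-matter expert’s 5th and 95th percentile loss estimates; the register entries, including the 15% ransomware probability echoing the figure in the text, are constructed sample data. Summing the simulated losses of every risk in each of many simulated years yields an expected annual loss, a 95th percentile “bad year” loss, and the probability of exceeding a budget threshold, none of which a heat map can produce.

```python
"""Monte Carlo aggregation of a quantified risk register.

Added example; it is not from the Archer whitepaper and makes these assumptions:
each risk has an annual probability of occurring (Bernoulli) and a loss magnitude
drawn from a lognormal distribution fitted to an expert's 90% confidence interval
(5th and 95th percentile loss). Summing per-year losses across the register turns
several individually rated risks into one loss distribution. The register below is
constructed sample data.
"""
import math
import random
from dataclasses import dataclass

Z_90 = 1.6448536269514722  # z-score bounding a two-sided 90% interval of a normal


@dataclass(frozen=True)
class Risk:
    name: str
    annual_probability: float  # chance the event happens in a given year
    loss_low: float            # expert's 5th-percentile loss in dollars, given it happens
    loss_high: float           # expert's 95th-percentile loss in dollars

    def _lognormal_params(self):
        """Convert the 90% interval into lognormal (mu, sigma) in log space."""
        ln_low, ln_high = math.log(self.loss_low), math.log(self.loss_high)
        return (ln_low + ln_high) / 2, (ln_high - ln_low) / (2 * Z_90)

    def expected_annual_loss(self) -> float:
        """Closed form: p * E[loss], with E[lognormal] = exp(mu + sigma^2 / 2)."""
        mu, sigma = self._lognormal_params()
        return self.annual_probability * math.exp(mu + sigma * sigma / 2)

    def sample_annual_loss(self, rng: random.Random) -> float:
        """One simulated year: zero if the event does not occur, else a lognormal draw."""
        if rng.random() >= self.annual_probability:
            return 0.0
        mu, sigma = self._lognormal_params()
        return rng.lognormvariate(mu, sigma)


# Constructed register; the 15% ransomware probability echoes the example in the text.
REGISTER = (
    Risk("Ransomware on file servers", 0.15, 500_000, 5_000_000),
    Risk("Critical SaaS vendor outage > 24h", 0.30, 50_000, 400_000),
    Risk("Lost or stolen laptop holding PII", 0.60, 10_000, 150_000),
    Risk("Sole-source supplier insolvency", 0.05, 1_000_000, 8_000_000),
)


def simulate(register=REGISTER, years: int = 20_000, seed: int = 7) -> dict:
    """Simulate `years` independent years and summarize the aggregate annual loss."""
    rng = random.Random(seed)
    totals = sorted(sum(r.sample_annual_loss(rng) for r in register) for _ in range(years))
    return {
        "expected_annual_loss": sum(totals) / years,                 # mean over all years
        "p95_annual_loss": totals[min(years - 1, int(0.95 * years))],  # 1-in-20 bad year
        "p_loss_over_1m": sum(1 for t in totals if t > 1_000_000) / years,
    }


if __name__ == "__main__":
    for r in REGISTER:
        print(f"{r.name:38s} expected annual loss ${r.expected_annual_loss():>12,.0f}")
    print(simulate())
```

Two of the register entries (ransomware and supplier insolvency) would land in the same red cell of a typical 5x5 heat map, yet their expected annual losses differ by well over $100,000, and the simulation shows the aggregate exposure dominated by a small number of bad years rather than by the average. Changing a mitigation (for example lowering the ransomware probability after deploying offline backups) and re-running the simulation gives the dollar figure the text argues for.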
Measuring Risk in an Evolving Threat Landscape

The past year has shown just how quickly the risk environment can shift. Disruptions from the effects of COVID-19, the wide variety of regulatory responses even within a single country, and the rapid transition to a fully remote workforce caught many organizations off guard. 2020 was a wake-up call for many, leading to a growing recognition of the need for integrated risk management. When respondents to our 2020 Digital Risk Survey were asked about the need to coordinate risk management, the share answering “extremely coordinated” jumped more than 90% between the 2019 survey and the 2020 survey. Get our key insights on quantifying risk and on how best to prepare your organization for expanding risk profiles in our whitepaper, “The State of Integrated Risk Management.”

(1) Gartner: Predicts 2021: Operational Resiliency. January 2021.
- Why Resilient Organizations Consider Risk Beyond Their Four Walls
No matter where an organization sits in a value chain, it will have to contend with risk. Even the most reliable and stable processes experience disruption, whether from natural disasters or an altered compliance landscape. Chaotic upstream challenges, fluctuating downstream capacity, regulations created in response to extreme market conditions, and shifting public opinion mean that every organization needs to be prepared for risk beyond its four walls. Where more than one vendor exists, there is a trade-off between the efficiency of relying on a single third-party supplier and the threat to operational resilience should that single source be disrupted. Where there is only one vendor, or every supplier is disrupted at the same time, the need to include third-party risk in risk management plans becomes clear: there is no possibility of simply switching suppliers, so the third party’s operational resilience directly affects your organization. Furthermore, in a digital era when anyone can research the relationships between your organization and the third parties in its network, the behaviors and practices of those third parties can cause reputational damage to your organization. See how third-party risk should be woven into an organization’s risk management practices in “The State of Integrated Risk Management.”

Why You Need to Consider Third-party Risk

When mitigating risk and creating a culture of integrated risk management, focusing on the domains directly answerable to the organization itself is a good starting point. A risk-aware and compliant organization can respond faster during a disruption, leading to increased operational resilience. But no matter how robust its internal processes and procedures are, in today’s world no organization can be truly independent.
Third-party disruptions can take the form of input scarcity, a lack of qualified personnel to fill positions, softening demand, logistics issues, and even cyberattacks. There is simply no way to insulate an organization completely from third-party risk. As the SolarWinds attacks demonstrated, even something as routine as installing a vendor’s software update can introduce serious risk. SaaS and other cloud services can expose an organization to third-party risk even when the management and provisioning of the cloud software are performed by industry leaders. An organization that does not integrate the risk posed by third parties into its risk management process remains vulnerable. Moreover, when third-party risk is dismissed or ignored, the threat of disruption cannot be properly quantified, potentially leaving threats unmanaged and opportunities squandered. Visibility into third-party dependencies improves oversight of the products and services third parties provide, and it needs to consider the potential business impacts, both positive and negative, of the relationship.

Third-party Relationships Can Pose Reputational Risk

The ability to perform due diligence to identify the types of risk third parties pose, to monitor third-party activities, and to mitigate risks and threats are key elements of managing vendor and supply chain risk. More than one-third of respondents to the 2020 RSA Digital Risk Survey said their number one priority regarding vendor and supply chain risk is an approach that integrates third-party risk management with enterprise and operational risk management. The deeply interconnected nature of today’s world has not escaped the notice of end users either. It is no longer credible to treat third-party malfeasance or negative externalities as outside the scope of an organization’s oversight.
Consumers making choices informed by ethical concerns have come to expect organizations to devote resources to third-party monitoring and to hold third-party vendors to higher standards. Extreme labor conditions at a third-party supplier to a major device manufacturer can quickly rebound on an otherwise well-respected organization. The complexity of an enormous web of suppliers and vendors does not insulate an organization from negative public opinion. We recommend that organizations implement a programmatic, risk-driven approach to identify, assess, evaluate, treat, and monitor third-party risk, including risk related to third-party employees and their activities.

Compliance in the Financial Sector and Elsewhere

During and after the mortgage crisis, the practices of financial organizations that relied on third-party assessments for the credit ratings of investment instruments were called into question. The press and regulators now view an organization’s relationships with third parties as far less of an airtight barrier to ethical and legal concerns than before. When it comes to reputation and regulation, third parties are seen as an extension of an organization rather than as completely independent. Regulators are setting ever higher standards of accountability for the oversight of third-party relationships, so organizations need to consider multiple elements of third-party risk, including financial impact, resiliency, security, and compliance. The United States Department of Justice has updated its guidance on evaluating corporate compliance programs to include whether an organization has made a good-faith effort to ensure that its third-party vendors are compliant. (1) Resilience to outside risk is now directly mandated by regulators: financial institutions must undertake rigorous stress tests that quantify the results of extreme disruption.
A financial organization found to lack the capital reserves to survive a tested scenario is required either to grow its reserves or to alter its operational profile until it meets the stress-test requirements. We have found that this has become a key concern for many financial organizations. Almost 50% of financial services respondents to the 2020 RSA Digital Risk Survey said that a risk-based compliance methodology is their number one priority when it comes to keeping up with regulatory obligations.

Why Third-party Risks Affect Operational Resilience like Internal Risks

A consolidated view of all third-party relationships, and an understanding of which third parties matter most to ongoing operations, makes it possible to scale the number of assessments that can be completed and streamlines the response to open issues identified during assessment. It is important to start quantifying third-party risks the same way internal risks are measured, which provides a common framework for analyzing the impact of both internal and external disruptions. Benefit from our analysis of Archer customers and 20+ years of evaluating risk trends. Download our whitepaper, “The State of Integrated Risk Management”, to discover how to make your organization more resilient by protecting against multiple sources of risk, including those beyond your four walls.

(1) https://www.justice.gov/criminal-fraud/page/file/937501/download
- Moneyball and Risk Analytics
With the World Series wrapping up, I was reminded of Moneyball, a 2011 film based on an account of the Oakland Athletics’ 2002 season and general manager Billy Beane’s attempts to assemble a competitive team. In the film, Beane and assistant general manager Pete Brand, a math whiz straight out of Yale University, face one of the league’s lowest player budgets, yet build a team of undervalued talent by taking a sophisticated sabermetric approach to scouting and analyzing players. This flies in the face of traditional scouting, done by men who believed they could predict a player’s future success simply by watching how well he hit a ball, threw a pitch, or stole a base. After Beane’s wheeling and dealing for players who fit the mathematical profile, the A’s were reborn, qualifying for the playoffs and winning the AL West Division with a 2002 regular-season record of 103-59, just behind the Yankees for the best record in all of Major League Baseball. What does this have to do with risk management?

Risk Qualification

One traditional way of evaluating risks is on a qualitative scale, such as high/medium/low or 1 to 5, the equivalent of the scouts’ eyeball judgment of batting, pitching, or base stealing. However, as David Vose of Archer points out, “when (should) the probability of a risk be described as low? Below 10%? How about very low? Below 1%?” He goes on to say, “Qualitative terms describing risk are far too ambiguous, too difficult to challenge and agree upon, make poor use of available data and do not allow us to work out the most efficient risk management strategy.” This qualitative approach is like the baseball scouts who rated batters as ‘superior’ or ‘average’. Both ways of rating risks and batters are inherently biased. Though such measures are useful in some circumstances, they do not tell you about the potential impacts in dollars and cents, the terms decision-makers can act on.
Billy tells the old-school scouts that they must do something different if they are going to win under the salary constraints they have.

Risk Quantification

Billy and Pete took a different, quantitative approach to reach the outcome they wanted, which was to win. They calculated the interim goals that would get them there, such as the average runs they needed per game and on-base percentage, and then selected the least expensive or most undervalued players whose performance metrics met those criteria, maximizing their budget. Businesses need to make money, turn a profit, and meet revenue goals and market expectations. Executives make decisions every day on growth strategies, competitive moves, or organizational changes based on financial benefit or cost. For these executives to evaluate whether to spend resources addressing a risk or seizing a business opportunity, they need to compare cost and benefit in “apples to apples” terms. In the simplest terms: what is the cost, and what is the benefit, of the risk? Risk quantification is the art and science of understanding the monetary impacts risks could have on the organization’s goals and strategies. It puts risk management into the language executives need to weigh risks against the business’ strategic and operational goals, and it is particularly important when risks threaten the organization’s ability to meet those goals; just look back at the impact the pandemic had on businesses and industries of every type and size. The sabermetric approach to scouting and analyzing players and the quantitative approach to measuring risk both start with the end in mind: wins, and the achievement of strategic goals, which is why the game is played. For more information on integrated risk management (IRM) and risk quantification, visit archerirm.com.
- Get Better Business Outcomes with a New Approach to Risk Communication
Communication plays a vital role in enabling organizations to integrate risk management into day-to-day operations. Your risk program’s communication is not just a way to manage your reputation and image with third parties, the media, and regulators. Communicating risk effectively within the four walls of an organization is a crucial tool for creating a more risk-aware organization that can optimize the business while managing risk. Communicating risk effectively is a continuous process that requires all parties to articulate not just the sources of risk but the bottom-line consequences. Everyone involved must be made aware of potential risks, and the lines of communication must always stay open. It is no longer enough to treat risk communication as a tick-the-box exercise that demonstrates process compliance without connecting to the real-world consequences of the risks being communicated. Placing hard numbers on the consequences of each type of risk allows real-world effects to be communicated in a universal language, which increases operational resilience by aligning responses to threats with the goals of the organization. Increasing operational resilience through risk communication is only one part of a mature integrated risk management strategy, which we outline in our whitepaper, “The State of Integrated Risk Management.”

Communicating Risk across Departments

Effective communication of operational risk should put specific eventualities in the context of the disruption that could occur. For many organizations, translating risk between departments is a serious challenge. Traditional tools like qualitative risk analysis use subjective terms or visual heat maps to communicate the severity of various eventualities, but this falls flat when two different domains are being compared. An organization’s reduced ability to operate might mean lost uptime, lower profits, or other negative outcomes.
These outcomes need to be quantified and communicated to the personnel who are in a position to mitigate the risk. Furthermore, when the likelihood and impact of a risk are quantified, it becomes possible to communicate and aggregate the impact of risks to stakeholders without hitting interdepartmental language barriers.

How Risk Quantification Helps Risk Communication

Risk management is the core ingredient for mitigating any potential threat to the success of an organization. Threats should ideally be identified and dealt with before their effects are felt in your project. Risk assessment involves the measurement and analysis of risk to provide concrete information for risk control programs. The process of quantitative risk assessment involves four fundamental steps:

1. Identify the risk and establish an applicable mathematical model.
2. Collect the basic and necessary information or data available from historical records, extrapolation, expert surveys, and so on.
3. Select suitable analytical methods and models to evaluate the data, and adjust the models to the specific circumstances.
4. Define the scale and likelihood of the risk.

Identifying risk has traditionally been either a top-down exercise or the domain of risk management departments or consultants. New digital tools make it possible for front-line personnel to communicate emergent risk in real time. Instead of risk communication tools being an output-only means of relaying directives to the front lines, organizations using integrated risk management software can gather information from stakeholders about conditions on the ground. The ability to monitor conditions with real-time reporting from the personnel closest to the risks could not come at a better time. Today’s challenges require managing a cultural shift from reactively checking boxes for compliance to a proactive risk management model that requires participation across the organization.
Instead of front-line workers identifying risks only during an audit or an emergency, integrated risk management platforms allow constant communication through every level of an operation. A study by PwC (1) found that organizations that shift risk management responsibilities to the front line were more likely to show profit and revenue growth over the next two years and recovered from adverse events more quickly.

Communication, Compliance, and Management

Organizations that have established programs in individual domains should be working to expand their risk focus and improve visibility, analysis, and metrics. Finding common processes or data to share is a great first step toward bringing risk management functions together and achieving risk maturity. The overwhelming majority of organizations that begin using the Archer platform for operational risk management extend their engagement with our tools into compliance management: 91% of our customers who license operational risk management use cases also license compliance use cases, substantiating the close connection between risk and compliance processes. With a well-established and integrated communication program, stakeholders should understand that they are not merely passive participants in an organization’s operations. Compliance and risk management are everyone’s responsibility. We recommend that organizations establish formal processes for stakeholders to understand and manage changes that may affect the organization’s compliance, including how new and changing activities may affect its obligations. We also recommend implementing controls based on issues or gaps identified through the compliance process, to reduce risk and prevent compliance issues from recurring. New technologies can provide a tight connection between issues being identified on the ground and organizational responsiveness.
A technology-enabled approach to building operational resilience across the organization will transform the efficiency of your incident, crisis, and recovery teams. By knowing the most critical areas of the business and handling day-to-day incidents effectively, you can respond swiftly in a crisis to protect ongoing operations. The last year has shown just how rapidly operational risk and regulatory obligations can change.

Fitting Risk Communication into an Overall Integrated Risk Management Strategy

Without the ability to address increasing risk effectively and efficiently, organizations struggle to respond to business risks and miss opportunities to capitalize on growth or to meet other strategic objectives. That is why organizations need to focus on achieving operational resilience through integrated risk management. Benefit from our 20+ years of industry leadership. Get our whitepaper, “The State of Integrated Risk Management”, today to discover how your organization can break down communication silos to mitigate disruptions better and thrive through an evolving risk landscape.

(1) PwC. 2020. PwC 2020 Global Risk Study. [online] Available at: https://www.pwc.com/us/en/services/consulting/risk-regulatory/library/2020-global-risk-study.html/ [Accessed April 12 2021].