- Looking Through the Business Lens at Risk
Have you been to an eye care professional for an eye exam? They use various instruments, shine bright lights at your eyes and have you look through a bunch of different lenses – all to evaluate aspects of your vision. An eye exam helps detect eye problems at their earliest stage — when they're most treatable. At the end of the exam, if eye correction is needed, you’re prescribed lenses to make your vision better. Risk management isn’t much different. As risk managers, we look at risks through many different lenses, but properly treating the most important risks depends on looking at them through the lens of the business. Have you ever talked to the CFO to understand their perspective on what’s important to the strategic objectives of the company, and what success metrics indicate the business is healthy or not? Key metrics could include customer acquisition, satisfaction, or attrition, earnings, gross or net profit, growth indicators, and more. Managing risk is critical to any company, but it must be done through the right lens - with the end goal of what’s important to the strategic objectives of the company and measured by the success metrics that indicate the business is healthy or not. Let’s take the example of a commercial property insurance carrier - FM Global. One of their most important strategic objectives is whether the company’s underlying insurance book of business is generating a profit. The market for commercial property insurance can turn on an insurer quickly. Natural disasters and other events (risks) can cause claims to soar. Other risks could also impact the business, such as cost of capital, impacts from a declining workforce and others. Regardless of the risk, in this example, the lens to view them through is impact to profit. 
“Our only ability to grow our capital is through our underwriting results…and our capital is what allows us to provide the large, stable underwriting capacity that our policyholders have come to expect,” explains their CFO, Kevin Ingram. There are many objectives for managing risks and impacts to the business. Understanding the strategic objectives of the company and how they’re measured and evaluated is integral to being a better risk manager. For more information on how to better manage risk using risk intelligence, visit Business Risk Quantification - Archer Insight.
- Making Dollars & Sense with Archer Integrated Risk Management
Few topics elicit as much debate within a software company as discussion about the product roadmap, particularly features designed to help drive value for the customer in their use of the product. This discussion is active internally, but also extends to the customer base and the market. So when a leading analyst publishes a GRC/IRM market update on highest value future feature interest – such as the IDC Governance, Risk and Compliance Maturity Score Survey published in November – it warrants attention from vendors and practitioners alike. Several of the most interesting take-aways from the study regarding the most valued future features for GRC include:

1. The importance of a consumer-esque experience

We are all going through the experience of what I call “app-overload” – service providers or vendors we work with nudging us into purpose-built apps. This experience is a strong positive when those apps bear in mind that use of the app may be fleeting and infrequent. In so doing, they create apps that don’t assume a high level of familiarity and present an overall intuitive experience. The IDC study provided strong reinforcement for this as it relates to risk management. More than 90% of leaders called out the “experience for first-line users” as one of the critical elements of a successful GRC platform and program.

2. Risk Casino Royale

If you’ll pardon the play on Monte Carlo, another one of the study’s findings was a steep increase in planned use of Monte Carlo simulation as a means of assessing risk. The just over 9% currently using this method is notably expected to jump nearly 3x over the next two years. Similarly, bow tie analysis currently comes in at single digit use but is expected to nearly double over the next two years. I would add that Archer’s experience with bow tie analysis has been that once it is seen and understood, interest and adoption is dramatic.
As it turns out, first liners aren’t the only ones seeking a visually appealing way to work.

3. Dialing for dollars

Far and away, the biggest takeaway from the study as it relates to shifts in how organizations analyze risk is the move from matrix-based, red/yellow/green heatmaps towards “Dollar Impact” through full quantitative risk analysis. The heatmaps ranked #1 with 43% current use, but then switched over the next year to quantitative financial impact, jumping from 35% to 44%. This desire for better quantitative financial analysis of risks also aligns with one of the study’s primary characteristics for more mature risk functions, specifically the increased participation of the C-suite and senior management in and around GRC and risk management.

Studies like IDC’s play an important role in helping all participants in the risk management arena (practitioners and vendors) understand the direction of Archer’s peers and customers. This particular study aligns extremely well with several of Archer’s recent innovations. The launch of Archer Engage was a major shift in user experience, geared toward the less-frequent participant in risk management. The launch of Archer Insight brought a full suite of quantitative analysis tools into the portfolio, which we see customers rapidly embracing across the full range of risk domains. Risk quantification is no longer confined to the purposes of helping CISOs determine their cyber insurance premiums. It is now a tool for better business impact articulation across stakeholders.

We’ve partnered with IDC to deliver a snapshot of the three takeaways highlighted above, as well as other key findings from the study, combined with IDC’s assessment of some of Archer’s new capabilities that address growing and emerging demands. Read the IDC Spotlight paper – and continue to keep an eye on Archer!
- 10 Reasons You Don't Want to Miss Archer Summit 2022
Pack your sunscreen and get ready for some sunshine. Here are the top 10 things we are looking forward to seeing and experiencing at Archer Summit 2022.

Magic City Welcome Reception

We’re kicking off Archer Summit in style with a Magic City reception inspired by the glamour of the late 1950’s Rat Pack-era. The evening will be filled with amazing music, delicious food and Cuban-themed entertainment and surprises.

Customer case studies make up 75% of the agenda!

Listening to customer case studies is undoubtedly one of the most fulfilling parts of attending any conference. At Archer Summit 2022, the case studies are abundant. Customers are excited to share their business challenges and share how they’re tackling complex compliance requirements, supply chain issues, third-party risk and achieving operational resilience. There’s something for everyone to attend at any point during the day. And if you can’t pick between two sessions… we’ve got you! All attendees will have access to the presentations after the event. If you haven’t signed up for Archer Summit, head on over to our registration page and sign up now!

Keynote Presentations

Seeking inspiration and vision? Looking to learn how to tackle big challenges and risk management goals head on? Curious about the Archer product roadmap? In search of a good laugh? Our keynote speakers offer all of the above! You’ll hear from Archer executives, industry thought leaders and the Archer product team – who have a lot of exciting things to announce at Archer Summit.

Archer Clubhouse – Our Social Hub & Product Pavilion

The Archer Clubhouse is where everyone comes together to mingle. Featuring our social media hub and product pavilion, you’ll find yourself networking and learning at the Archer Clubhouse between sessions and events. Social networking extends and enhances your Archer Summit experience.
Throughout the event, you’ll have the chance to live tweet sessions, participate in our virtual, on-site social games and connect with attendees. If you’re new to social, visit the Archer clubhouse during the event and someone will show you how to get involved!

Cuban coffee

Let’s be honest, conferences can be tiring. Long days filled with great sessions, conversations and events are a big shift from the 9:00-5:00 workdays we are accustomed to. Especially if you’re used to working from home! So, for all the coffee enthusiasts attending Archer Summit, rest assured knowing there’s a delicious cup of Cuban Coffee ready and waiting to give you the extra boost of energy you need.

Partner Pavilion and Expo

There’s no better place to connect with Archer partners than Archer Summit. We have 10+ partners attending the event who are beyond excited to share their insights and vision for enhancing your risk management strategy with their technology and services. Attendees can enjoy light food and refreshments while learning more about our partners’ newest product innovations… and maybe snag a few swag pieces to bring back home!

Subject Matter Expert 1:1’s

If you’re struggling with challenges or have questions, be sure to schedule some time with Archer’s subject matter experts during Archer Summit. This is the best way to get the information you are looking for straight from the source. They will be on site all week to answer questions, provide insights, offer strategy advice and share ways to better utilize your applications. Be sure to schedule your one-on-one time once you arrive to get the best experience from Archer Summit.

Customer Awards

You can’t be in the risk management business and not understand the importance of recognizing a job well done! We are thrilled to celebrate our customers’ success over the past year during the Archer Innovation Awards – more info to come!

Archer Connect – Get Involved!
The networking opportunities and relationships you build at Archer Summit don’t end when the conference is over. Archer Connect, our online customer community, is your one-stop resource center for information about Archer products and services. If you’re already involved in the community, stop by the Archer clubhouse to meet up with other members! If you’re not involved, get connected.

Early Bird Discount

Everyone likes a good discount! We’re offering an early bird discount of $995 for the conference until May 31, 2022. After May 31, the rate goes up to $1,295. Get the discount before it’s gone by registering today.

We say this every year and we mean it – Archer Summit is going to be bigger and better than the year before. Join the conversation before the event by tweeting your excitement using the hashtag #ArcherSummit or leave a comment below. Let’s start connecting now so we can make the most out of the event this September. See you in Miami!
- Three Reasons Why Your Organization Needs Risk Quantification
Uncertainty. It feels as though a new force emerges every day that creates a little more uncertainty in the world. Riding the waves of insecurity in financial markets, competitive industries, legislative and regulatory environments, and societal shifts has become a major challenge as organizations look to the future. This is the fundamental reason organizations today need to take a deeper look at how risk management is approached and integrated within the business.

Risk management must take into consideration where your organization is headed. What decisions are you trying to make to meet your objectives? What questions are you trying to answer? What analysis into possible obstacles can help you choose the right path? These are the primary questions risk analysis seeks to answer. Risk analysis could be just simple, qualitative, rational thinking; it could be in-depth statistics; or it could be anything in between. Whatever is the quickest, the most believable, and the most defensible way to help guide decision-making in solving problems -- that is what risk analysis is all about. Risk quantification represents the next phase in driving greater precision and meaning in discussions risk management teams have with their business partners. There are a number of reasons why risk analysis and risk quantification are increasingly important for your organization:

REASON #1: Get the most out of your data.

Why would you not want to make the best use of the data you have? If your organization is like most organizations, you have implemented multiple processes to gather risk and compliance data, such as risk assessments, business impact analyses, and compliance reviews. These processes provide tactical views into the state of risk and controls in your environment -- but they can be leveraged for so much more. You can only really express the knowledge in your data if you go down a quantitative path.
At the rate data is created within organizations, a rational, intelligent method is required to aggregate and derive meaning from the data. Quantification is the best path to take in making the most of your data.

REASON #2: Risk quantification is not as difficult as you may think – and you are probably (almost) already doing it.

For many people, risk quantification can sound like a somewhat scary, even dreadful, proposition. You may think “I am going to have to get a PhD in mathematics to do this.” And traditional risk approaches already seek to answer the same questions: “What are the chances of a risk happening? And how big is the risk likely going to be?” In reality, understanding the basics of probability lays a strong foundation. Plus, you can accomplish a great deal even with very little quantitative information. Quantitative approaches are really about being able to say the thing that you mean. At a very simple level, risk quantification enables probability and impact – traditional inputs to the risk equation – to be expressed in increasingly more precise measures. Leveraging the same knowledge you already use to select between “low” and “high” levels for risk, risk quantification gives you the ability to be more expressive with numbers, rather than relying on ranges. Risk quantification enables you to use the same qualitative measures -- likelihood and impact -- as you are today, with added expression of what you think AND the full benefits of quantification.

REASON #3: The benefits of risk quantification are exponential.

It is nice to say ‘let's do it’, but on its own, risk quantification is not just about starting to use math. By quantifying things, you can essentially add them up, whereas you cannot add up your reds, oranges, and greens. You can say how many reds, how many oranges, and how many greens. And at what point do those become black? When do we have so many blacks that it causes real concern?
If all you have is a list of columns of how many of each, that is not effectively telling you just how much exposure you face. You need to lock into what your total amount of risk looks like. When you want to prepare a meal, you can optimize your grocery shopping efforts by balancing cost and quality. Your shopping list lets you know what to buy from the supermarket; you can compare prices of items in the store; and your store receipt adds up the total cost of your groceries. We all like that flexibility and predictability. We can do the same thing with risk – if you translate those red/yellow/greens into numbers.

Archer Insight Delivers Enterprise-Wide Risk Quantification

Archer® Insight is a suite of enterprise-wide risk quantification capabilities designed to deliver risk and business leaders a complete view of enterprise risks to improve resilience and ensure achievement of its strategic goals. For example, Archer Insight allows you to use built-in techniques like Monte Carlo simulation, so you do not need to do all of the modeling yourself. Archer Insight can help you aggregate risk into meaningful quantitative measurements -- and when you can add things, you can compare them. It allows you to compare risks and investments needed to mitigate, reduce, transfer or avoid risk. Archer Insight is entirely quantitative, enabling you to combine all the threats to your organization and truly understand the risks that matter. It makes quantitative risk management quick and easy to use by providing a full set of tools and features for understanding and managing all types of risk in one platform: operational, project, cyber-security, health and safety, investment and cashflow risk.
For more information, register for our upcoming "It's Not Just Math: Applying Risk Quantification to Benefit Your Business" webinar at 11:00 am EDT on Thursday, July 2 with Archer's quantitative risk management expert Graeme Keith to learn:
  - How risk quantification fits into your long-term risk management strategy
  - Methods to get moving in the right direction to incrementally bring value to the business through risk management
  - Practical approaches to improve how you communicate risk to leadership

Register today to learn more!
- Operational Resilience - What Financial Services Institutions Need to Know Now
Financial services institutions (FSIs) should be taking steps now to build operational resilience, which is the ability of firms, financial market infrastructures and the financial sector to prevent, adapt, respond to, recover, and learn from operational disruption. For the past few years, regulators have been focused on the resilience (or lack thereof) of FSIs and with good reason. The global, regional, and personal impacts created by disruptions to this sector – including financial crises, the COVID-19 pandemic, geopolitical unrest, supply chain issues, competition, technology and cyberattacks – have been consequential. Disruptions have cost organizations billions of dollars and impacted entire regions, countries, and industries. The regulatory guidance in some areas, such as the UK, has been formalized and FSIs doing business there must be taking specific and immediate action now to comply.

While regulatory bodies have published guidance providing direction for how and when FSIs must become operationally resilient, compliance requires participation and cooperation across multiple functions of your organization. Establishing a common approach that enables siloed teams to act together to build a resilient organization is a challenge. The regulatory guidance suggests some steps that provide a good foundation.

Join our May 10 webinar, Operational Resilience - What Financial Services Institutions Need to Know Now, where we will talk in more detail about how to:
  - Gain a better understanding of regulatory guidance and what it means for your organization
  - Bring your cross-functional teams together to focus on common goals and approaches to operational resilience
  - Leverage Archer to help you build operational resilience

Visit Archer Operational Resilience for more information. Contact us to implement a risk-driven, business-prioritized approach to build an operationally resilient organization.
- Archer Continues to Lead the Way
Leadership takes many forms. We recently celebrated our 20th Anniversary at the Archer Summit 2021 in Orlando, marking a long history of leadership in the GRC and Integrated Risk Management space. That same week, Gartner published the second of its two current Risk Management focused Magic Quadrants for the year (IT Risk Management and IT Vendor Risk Management Tools), both of which once again recognized Archer as a “Leader.” Both reports mark the 6th consecutive time we’ve been a Leader, and in total their publication marks 24 consecutive times Archer has been a Leader in any of the Magic Quadrants focused on Risk Management. This is obviously an outcome we’re very proud of as a team, and I think reflects on our continued commitment to execution and vision. But as I said, leadership takes many forms. And personally, I’m equally proud of many of the areas we’ve executed against a vision in the past year, many of which were not part of the evaluation criteria for Gartner, but were a primary focus at Archer Summit.

Advancing the discussion around quantitative risk analysis beyond Cyber Risk is leadership. We all understand the importance of IT risks (including but not limited to cyber security). And maintaining leadership in these areas is of course an important part of delivering true Integrated Risk Management. But it’s not the only area of risk that organizations need to manage carefully. This is why we launched Archer Insight earlier this year, making us the first of the true IRM providers to extend risk quantification, bowtie and other critical tools for analysis across the full range of risk drivers.

Innovating the industry’s leading risk management platform to support broader stakeholder engagement is leadership. One of Archer’s core capabilities that customers praise the most is how the platform supports very deep dives for the core risk manager/risk administrator persona.
But we also see how risk, as it expands into new areas of the business, really requires the participation of a wide range of users, including many who will have much less frequent interaction with the platform. Our development of Archer Engage is aimed directly at supporting risk management teams in their efforts to help first line operators, vendors and other stakeholders participate in risk efficiently and effectively.

Extending core business continuity and IT risk programs into true Operational Resiliency is leadership. The need for organizations to extend beyond what has all too often been a siloed focus on IT business continuity/disaster recovery is not new. But last year’s pandemic and the shock to the system it caused across all aspects of operations has accelerated for many the need to better prepare for disruptive scenarios. And that disruption isn’t limited to IT delivery and in fact needs to be driven by a broad and prioritized view of how these scenarios could impact the ability to provide products and services. This is exactly where we’ve gone with the recent launch of Archer Operational Resiliency, combining current regulatory guidance and best practices as a foundation for building operational resilience.

Supporting our customers in pursuit of new Board-level strategic imperatives is leadership. From the beginning, risk management was meant to focus on the most critical strategic areas of a business. Continuous waves of regulation drove some to turn focus towards regulatory compliance and audit capabilities, also a core tenet of Integrated Risk Management. But we see Boards and CEOs increasingly expecting their Risk Management functions to focus more fully on awareness, assessment and response to those risks that threaten overall corporate valuation. Few business trends have taken Board-level discussion by storm the way ESG (Environmental, Social & Governance) has over the past year.
This drove the very recent launch of Archer ESG, which we see as an incredibly natural extension of how customers leverage our platform today, providing improved ability to gather, assess and align ESG data with internal plans and external regulations. And most importantly, help organizations gain early visibility into the risks that threaten ESG success.

A thanks to the entire Archer Community for all that they’ve done and continue to do to drive us to lead. Many of you have spurred the development that supports our Leadership recognition by Gartner. More still have acted as catalysts in these recent areas of innovation. And finally, a thank you to those from the Archer Community that were able to join us at this year’s Archer Summit, in person or virtually. We look forward to the next year of news and developments from Archer, and sharing those with all of you.
- Drive Better Risk-Based Decision Making with Enhanced Heat Mapping in Archer Insight
Today we are excited to introduce Archer Insight, a set of quantitative risk analysis capabilities which, when paired with Archer’s industry-leading integrated risk management platform, supports improved risk-based decision making. Archer Insight features a wide range of enhanced risk analysis capabilities; this blog focuses on one feature we expect to be of high interest to risk analysts, specifically improved risk heat maps.

Risk heat maps are a basic communication tool for the risk manager, providing a visual overview of the portfolio of identified risks. On one axis is the likelihood of the risk occurring, and on the other axis a measure of the impact should the risk occur. Those risks with the highest likelihood and impact are most threatening and the corresponding quadrant is colored red. Those risks with the lowest likelihood and impact plot in the quadrant colored green to reflect their relative unimportance, and the area in between is typically colored yellow or orange.

[Figure: Traditional heat map]

Despite its ubiquitous popularity, the traditional risk heat map presents several challenges:

Clearly not all squares of the same color represent risks of the same severity, but the qualitative evaluation of likelihood and impact magnitude do not allow a rational method for defining finer gradations along the red-to-green spectrum.

Likelihood is typically equated to probability of occurrence for events that can occur at most one time (like the destruction of a building or the loss of a dataset to the Dark Web) or frequency of occurrence for events that can occur multiple times (like fatal accidents, system shutdowns or regulatory fines). The former scales from 0 to 1, while the latter can take any non-negative value. It is therefore very challenging to show both types of likelihood on the same plot. For example, if an expected frequency of five times a year is ‘High’, then to be consistent a probability of 100% would be lower, which does not make intuitive sense.
Representing low likelihood risks is also challenging. One might say that a risk with a 10% chance of occurrence should fall into a ‘Low’ category, but this is still quite significant – if you have 10 such risks, it is almost certain that one of them would occur. On the other hand, a risk with a one in a thousand chance of occurring would fall into the same ‘Low’ likelihood category.

When an impact can take a wide range of values, it is extremely challenging to decide how to present the risk. For example, a factory accident might have a 10% chance of occurring in a year, but its impact could be anything from some minor bruises if lucky (Low), most probably an outpatient visit by a worker (Medium Low), but in the most extreme circumstances there could be several fatalities (High). If the risk is evaluated as [Likelihood,Impact] = [Low,Medium Low], there is no recognition of the very severe possible outcome, but if it is represented as [Low,High], the evaluation is exaggerated.

A new vision for heat maps

Archer Insight introduces quantitative estimation of risks through simple, intuitive evaluation techniques that require no expertise on probability modeling or math. It resolves the probability/frequency dilemma, and it allows users to express the range of possible resultant impacts if needed. Archer Insight also introduces quantitative bowtie methods to express how one risk may have more than one consequence. For example, a car crash (risk event) could result in several consequences – from being late for work to repair bills to injuries and fatalities to the passengers and larger public:

[Figure: Bowtie analysis for a car crash]

These consequences produce impacts of different dimensions: money for repairs, time for delays, and level of injuries/fatalities for people. It is even possible to map several risks to the same consequence. For example, several different risks might all lead to the cancellation of a contract (the consequence) with an important financial impact.
Archer Insight automatically calculates the aggregate likelihood of the consequence occurring, taking into account all the different ways it could happen. The option to include a richer description of risk has made it possible to rethink the heat map, and produce a new visualization that is more precise, comprehensive, and useful for decision makers.

The standard Archer Insight heat map has an impact scale that ranges from ‘Extremely Low’ to ‘Catastrophic’ plus a ‘Nil’ category so that one can represent when the impact of a consequence has been avoided completely. The finer gradation, together with guiding definitions, allows a far more precise evaluation of impact. Moreover, Archer Insight allows you to specify ranges of impacts, both qualitative and quantitative. Its sophisticated algorithm translates these inputs into a consistent scaling system, even across different impact types. The algorithm ensures that all consequences plotting in the same color are equivalent in importance.

[Figure: Archer Insight P-I table for consequences with heat map overlay]

The vertical axis is numeric, accommodating both probability and frequency, which is automatically adjusted to reflect the business time horizon and any changes in the window of opportunity for the risks to occur. Pre- and post-risk treatment evaluations are shown together using “tadpole tails”:

[Figure: Tadpole tails – the head represents the current status, the end of the tail represents the evaluation prior to any risk treatment]

This allows the manager to appreciate the level of reliance on the effectiveness of risk management strategies. If the line is long, the reliance is large. The heat map allows you to drill down by selecting a specific entity and a specific type of impact if required.
Hovering over a consequence will show a description popup, clicking on the dot will highlight the consequence in the accompanying table, and clicking the table entry will show a wealth of information describing the strategy being used to manage the consequence:

[Figure: Archer Insight P-I table filtered for Reputation consequences with heat map overlay]

One can also view risk events instead of consequences. Archer Insight then displays each risk event, accounting for the multitude of consequences that might arise from it:

[Figure: Archer Insight P-I table for risk events with heat map overlay switched off]

To learn more about how Archer Insight is enabling an enhanced level of risk-based decision making, contact us today.
- What is Operational Resilience?
The world as we know it is dynamic, and the global pandemic has emphasized the fragility of human and organizational operations in the connected world of today. Companies are not only trying to recover from the drastic changes of the pandemic, such as remote work, but from the impact of the shifting risk landscape and how it has affected their business goals and outcomes. With an eye on the importance of riding the waves of disruptions and change we see today, organizations need to achieve operational resilience to survive. Operational resilience is the ability of an organization to absorb and adapt from any threat or unplanned disruption. It is a coordinated, consistent, and automated approach to business continuity that goes beyond recovery of internal processes to focus on external services and product delivery. Operational resilience includes traditional elements of IT disaster recovery, planning, testing, and execution, that allows for a swift response during crises to protect an organization’s ongoing operations but takes steps closer to the overall business objectives and strategies. An organization that takes time to construct a solid risk management strategy will thrive in this age where business risk is increasingly connected. Therefore, integrated risk management is the foundation for operational resilience. An organization that has achieved operational resilience will continue to function properly and achieve its goals even amidst interruptions. While the burden of resiliency is one that every employee should carry, senior management should focus on assessing and understanding the risk levels of the organization and its readiness for disasters and unexpected scenarios. 
Gartner predicts that by 2025, “70% of CEOs will mandate a culture of operational resiliency to survive coinciding threats from COVID-19, cybercrime, severe weather events, civil unrest, and political instabilities.” (i) Our whitepaper, “The State of Integrated Risk Management,” discusses the importance of resiliency starting top-down from leadership.
Communicating Operational Resilience in Your Organization
To effectively and optimally manage risks, organizations must adopt a holistic approach to overseeing every aspect of the multiple risk management functions. Usually, organizations carry out risk management in silos; each department deals with its own risk management and possible disruptive scenarios. Occasionally effective, this method is not ideal for companies that seek to thrive in the long run, especially in their digital transformation efforts. The silo method does not take into account the risk assessment of the company as a whole. Any risk assessment done in any sector is only as effective as that sector deems fit. Uncoordinated, ad hoc processes can leave a business vulnerable and recovery plans ineffective. Operational resilience deals with assessing and understanding the risk tolerance levels in every sector - to proactively manage risks throughout the organization. Resilient organizations look at both internal and external risks as they understand that risk can also originate from third parties. They have risk management plans in place for any disruption, whether cyberattack, natural disaster, or global pandemic. Companies with operational resilience also must consider risks beyond their own four walls. They know that good communication is imperative to coordination. When a disruption or threat arises, senior managers must convey information to every party involved, including disaster recovery and crisis teams and, if necessary, consumers.
Internal and external communications are incredibly important in risk management to reduce impact and maintain business continuity. An organization’s resilience can be improved by ensuring visibility and communication with the following: clients, stakeholders, distributors, vendors, suppliers, partners, and every other set of persons that can have an impact on the organization. Interdepartmental communication is crucial to the success of shifting from a reactive to a proactive risk management structure. Operational resilience is a cultural mindset change that drives the implementation of resilient practices throughout the business.
How to Embed Operational Resilience in an Organization
There are some integral steps that organizations must adopt to transform from recovery to operational resilience.
Adopt a Holistic Perspective to Viewing Organizational Risks
Organizations should consider both internal and external factors that can have a direct or indirect impact on the organization. Take into consideration the people, technology, programs, and processes, etc. associated with the business. An effective enterprise risk analysis must consider risks across every sector and division of the organization. This strategy enables employees and teams to come together to envision potential disruption scenarios that may arise.
Design a Comprehensive Risk Assessment System
To manage risks, organizations must be able to assess and predict possible risk scenarios. This is where communication plays a major role, as everyone in the organization must be informed about evolving business priorities that inform recovery and response processes. When members of the organization are on the same page, potential threats and interruptions can be properly analyzed, understood, and documented. Consider the upstream and downstream dependencies, systems, and processes, and how your team plans for them.
Identify Possible Failures in Existing Processes and Remedy Them
While every failure that may arise from existing processes may not need to be documented, it is critical to identify key scenarios and focus on the capabilities that prepare for those specific scenarios AND related, derivative, or similar situations. Assess different threat levels and types to proactively plan against them. An effective program must include a cycle for learning and improving processes, so it’s important to bring the continuity and recovery professionals managing day-to-day incidents or planning and testing for crisis events together.
Operational Resilience and The State of Integrated Risk Management
We want companies like you to benefit from the risk management lessons learned by our customers during the height of the global pandemic. In our State of Integrated Risk Management report, we outline the key discoveries and insights garnered from those who thrived despite the worldwide upheaval. Get the whitepaper now to read more about the four themes affecting organizations today, and how your business can benefit from an integrated risk management strategy focused on resiliency.
Archer’s Business Resiliency Solution
At Archer, we can help you scale through uncertainties and digitally transform your business to the next level through strategic decision-making. Contact us today to discover how to improve your organization’s operational resilience to make your company better suited to handle risks, improve business outcomes, and ease your digital transformation process, especially during times of disruption.
(i) Gartner: Predicts 2021: Operational resiliency. January 2021.
- Driving Broader Stakeholder Participation in Risk Management with Archer Engage
Archer has always believed that risk management requires broad participation to be fully effective. Modern enterprises are diverse, distributed, and dynamic. Risk management and compliance teams facilitate, educate, and monitor. Risks and controls are owned by operational leaders far and wide and are far too numerous to centralize. They are as diverse and dynamic as the business itself. Risk management programs must rely on input from these operational leaders across the organization to realize their potential. Traditional risk management software has been tailored to the needs of risk management and compliance teams. No platform offers this group more capability and out-of-the-box industry knowledge than Archer. But risk owners aren’t looking for robust workflows and flexible data models. They’re looking for ease and speed. They’re looking for risk management to meet them wherever they might be with the seamless delivery of the cloud and on whatever device they’re using. In short, they’re looking for risk management to enable them to do their job, not distract them from it. That’s why we invested so much in enhancing Archer’s user experience and in expanding our mobile applications in recent years. It’s also why we launched Vendor Portal last year. But as we continued to develop and evolve our ethnography of key stakeholders and contributors outside of the risk management program – risk owners, third parties, and executive leadership – the more we were drawn to the conclusion that this group has needs of their software separate from those of risk management professionals. And that led us to Archer Engage: a mobile-first, cloud-native complement to the Archer platform that’s meant to carry risk management from operational managers to the board of directors. Archer Engage is an expansion of what we began last year with Vendor Portal, now known as Archer Engage for Vendors.
It integrates with your Archer instance – be it SaaS or on-prem – to present your assessments and other information requests in a fast, responsive application that’s as easy to use on your smart phone as it is on your company-issued laptop. And as 2021 unfolds you’ll see us add capabilities for content creation, data driven events, and advanced workflows to bring the richness of all your Archer applications to the convenience of Archer Engage. Archer Engage has the same great security posture as Archer SaaS and is resilient enough to continue to operate even when your Archer instance is unreachable. The Archer team has been hard at work to reach this milestone; we are proud to announce that the first release of Archer Engage for Business Users will be generally available to all Archer customers on May 5th, 2021. To learn more about Archer Engage, visit ArcherIRM.com/engage, read the press release introducing Archer Engage, or contact your Archer Account Executive.
- Building Resilience Against Third-Party Risks
Staying on top of the myriad of risks coming at your organization can be a herculean task, but when combined with risks from third parties it can be overwhelming. You have some control over your own risks, but much less control over third-party risks, not to mention risks from their third parties (4th, 5th, Nth parties). There’s only so much you can do, but what you can do is strengthen your own resilience by implementing preventive measures, processes, and controls so you can focus on mitigating the residual impacts your third parties can have on your organization. If you don’t know where to start, I recommend the following areas:
Identify critical third parties that support your business. This might require taking a step back to understand which externally provided products and services are the most important. “Important” should be defined as those products and services that generate the most revenue for your company, that have the greatest impact on your reputation or compliance, or that are important by other business metrics. Once you know what your most important products and services are, you can identify and associate those third parties that support them. An organization might use many third parties, but the focus needs to be placed on those that are most critical to your organization.
Map the interdependencies between third parties and your organization. Third parties are an extension of your organization in the work they do, so a critical next step is understanding the interdependencies between your business and these third parties. Which systems do they support, as with a cloud service provider? Which third parties provide critical raw materials? Which third parties support your employees?
This is critical because as you focus on building operational resilience across your internal “pillars” (business processes, IT infrastructure, facilities, and people) you have a better idea which third parties support each pillar. Your interdependence should also be measured against the level of reliance on each third party, which is particularly important if that third party is the only supplier for a particular input to your business, or supports a key business process.
Understand third-party risks and how they can impact your organization. No longer can you assume that because you have a contract with a third party that they are mitigating risks that may be passed to your organization. You must identify, assess, and mitigate third-party risks that could impact your organization. One way to do this is to work with your third parties to see their risk registers and understand how they’re treating the risks and what the impacts could be to your organization. If they won’t share the information yet they’re a public company, then you might have a bigger problem, but you can always obtain their 10K/Qs and review risk factors in those reports. Another way is to discuss with your third parties which risks have resulted in actual losses, or other risks they have identified and the probability of their occurrence, and other factors to understand how likely they are to affect you. Include appropriate risks in your risk register and treat the risk to your organization accordingly. As part of this step, you must compare the residual risks that could impact your organization to your defined impact tolerances. If the impacts exceed your defined tolerances, then you should address and mitigate the risks. Address the most important risks from your third parties that could impact your organization, be flexible to pivot to different risks when you need to, and ensure your response is commensurate to the risk and reward.
Create visibility through data and insights.
Good insights give you the visibility you need to manage the risks and take advantage of the rewards of working with your third parties. Insights come from tracking and measuring quantifiable resilience, performance, and risk metrics. Use balanced dashboards that give executives, program owners, business owners and others the data they need to make decisions and take action. You must be able to make agile decisions in real time to mitigate risk or take advantage of it.
Third parties are a critical part of doing business and sometimes they bring risk to your organization. By considering the topics above, you’ll be better able to convert your third parties from a risk factor to a strategic advantage. For more information, visit Archer Operational Resilience. Contact us to learn how Archer can help you build resilience against third-party risks.
- What Benjamin Franklin Said
You know the ‘Death and taxes’ phrase? This is the full quote, from a letter Benjamin Franklin wrote in 1789 to Jean-Baptiste Le Roy – a French fellow tech guru and scientist of the time: “Our new Constitution is now established, and has an appearance that promises permanency; but in this world nothing can be said to be certain, except death and taxes.” How many infomercial articles have you read that start "In today's world, [blah blah blah] is more important than ever"? So trite. So, let me change things a bit: “In today's world, we still live with enormous uncertainty and using numbers to effectively manage risk is just as important as it has always been.” After a hiatus of twenty years (this July) of genuflection to SOX, the risk management world is beginning to remember numbers again. Beginning to remember that taking the right risks for the right reasons is an essential part of progress, of success, of creating value. It’s what risk management is meant to do and the secret sauce in rational risk-based decision-making is numbers. Boxes of long-forgotten ideas are being taken down from the attics of veteran risk analysts, the dust of sorry neglect blown away, and carefully opened – with a mixture of curiosity, expectation and trepidation. Inside we find a mysterious collection of tools that have lost none of their lustrous sheen with age. In fact, in today’s world, with the greater access to data and computing power, they offer more potential than ever. If only we’d learned how they work. We should be kicking ourselves that we were so collectively neglectful. Luckily there are lots of grey beards like me, raised in the pre-SOX era, who have kept the secrets alive. Luckier still, Archer has decided to add the full might of risk quantification to our GRC/IRM platform. It’s called Archer Insight and it’s awesome. I think Benjamin Franklin would have approved.
About that mixture of curiosity, expectation and trepidation …
Curiosity: what nuggets lie hidden in your data
It takes time, care, effort and money to collect data. Your organization has lots of it. If you’ve been using Archer for any length of time you will have lots and lots of risk-related data, all beautifully organized and safe. Don’t you wonder what those data might be able to tell you? One of the most common areas in which an organization can dramatically improve is to make use of the data it already collects. Risk management is no different. The discipline that turns data into knowledge is quantitative. Knowing how often your controls have failed helps you estimate their probability of success. Looking at how many of your historic risks actually occurred helps you see how much you over- or underestimate their likelihood. Looking at best and worst case scenarios helps you estimate the range and likely impacts. The list goes on and on.
Expectation: will it really help our business?
Yes, it will. It will help you manage risks far more cost-effectively simply because you can compare the size of a risk against the costs of different treatment options and pick the option that gives you the greatest bang for your buck. But it also means you can aggregate. Numbers can be added, risk scores cannot. Aggregation allows decision-makers to see the big picture, and that is an essential part of making the right big decisions.
Trepidation: You never understood statistics and probability theory
Don’t worry about that. For many people, when they hear the phrase “risk quantification” they think of their less-than-rewarding experience with statistics classes at university. They understand that probability theory can only be wielded safely by socially-awkward, sartorially-challenged, wild-haired geniuses working feverishly on equations nobody else can understand.
To be fair, they do exist – but their natural habitats are academia and perhaps SpaceX, and some of them look like you and me too. We focus a bit too much on that Einstein photo. In the business world, the challenge is figuring out the best strategies for handling risk, not the math. The people who know the business and have a pragmatic, problem-solving head on their shoulders are best-placed to figure out these strategies. Perhaps that’s what you do already. Framed properly, the method used to evaluate risk can make it really simple to provide the right numbers. Archer Insight is set up this way and it builds the risk analysis models for you as you describe the problem. You don’t ever need to pick a probability distribution or write an equation. But it’s still a great idea to know the basics of probability. You’ll be more confident about explaining what’s been learned, checking the results and collecting the right data. It will take a couple of days of training, and Archer can provide that training. You might even find it fun.
Archer Insight Delivers Enterprise-Wide Risk Quantification
Archer® Insight is a suite of enterprise-wide risk quantification capabilities designed to deliver risk and business leaders a complete view of enterprise risks to improve resilience and ensure achievement of their strategic goals. For example, Archer Insight allows you to use built-in techniques like Monte Carlo simulation so you do not need to do all of the modeling yourself. Archer Insight can help you aggregate risk into meaningful quantitative measurements - and when you can add things, you can compare them. It allows you to compare risks and investments needed to mitigate, reduce, transfer or avoid risk. Archer Insight is entirely quantitative, enabling you to combine all the threats to your organization and truly understand the risks that matter.
It makes quantitative risk management quick and easy to use by providing a full set of tools and features for understanding and managing all types of risk in one platform: operational, project, cyber-security, health and safety, investment and cashflow risk. Join us for an upcoming webinar, Risk Quantification: Step Up Your GRC Game, to learn more about how quantifying risk can change the conversation with your management team and business partners. Contact us to learn how Archer Insight can help you quantify your risk management.
- How to Achieve Integrated Risk Management Maturity
As new technologies are rapidly adopted, new opportunities open. At the same time technology also carries the burden of potential negative events. In addition, evolving regulatory environments add new compliance requirements, making the task of managing and mitigating risk ever-expanding. We wanted to know how organizations are contending with digital risk management maturation, so we analyzed how our customers are dealing with evolving risks. We observed the majority felt that their organizations were able to manage at least some of their new, existing, and developing digital risks – in large part because of their path towards an integrated risk management strategy. This is a promising start and shows that even when facing unprecedented challenges, the road to maturing an integrated risk management program leads to not only reduced risk but more agile and informed business decisions. Reaching a high level of maturity with integrated risk management can benefit an organization greatly. Managing a greater variety of risks across domains, and smaller categories of risk within domains, is part of a maturing integrated risk management strategy. Maturity also means finding better ways for a risk management program’s findings to be communicated within a department or organization. Discover if your organization is making the right moves to mature your risk management program to guard against expanding risk by reading our report “The State of Integrated Risk Management.”
Creating a Culture of Integrated Risk Management
A risk management department doesn’t absolve stakeholders from managing the risk in their domains. In the same way that compliance is the responsibility of every person in an organization, integrated risk management strategies place risk reporting and mitigation in everyone’s hands.
Today's challenges require managing a cultural shift from reactively checking boxes in a risk assessment program to a proactive risk management model that necessitates participation across the organization. Integrated risk management is a journey - not a destination. Even organizations with well-structured programs must continually monitor and evolve their program to ensure risk management is connected to business goals with cross-functional processes. Risk management processes and procedures that become fixed and no longer connect with the conditions on the ground can create more issues than they solve. When engaging front-line stakeholders, it is crucially important to ensure that when personnel report on evolving risks, that information is at the very least acknowledged and, ideally, acted on by the organization. In years past this would require taking time to fill out paperwork, something that might not always be practical if the front line is a warehouse or industrial site. The ubiquity of smartphones and wireless networks has created a powerful and rapid method to tighten the loop on reporting, monitoring, and communicating sources of risk. We developed Archer Engage to offer a straightforward risk analysis and treatment platform that allows any stakeholder with a smartphone to report and collect risk data in real-time. The process of engagement can extend to third parties as well. An understanding of the relationships you have with third parties to mitigate risk is key to managing risk and operational resiliency. Engaging a third party to report conditions in real-time helps make the priorities of an organization clear.
How Risk Management Matures
When an organization begins to develop an integrated risk management program, it is useful to focus on quick wins within the context of a broader strategy. This helps to establish that an integrated risk management program is effective and can deliver on the organization’s strategic goals.
Risk is changing so dramatically across so many areas that siloed and manual processes make it difficult to get complete information to stakeholders quickly. Even the most successful point solutions will only magnify this challenge, with information stored in different locations and used in different ways by each department. As an integrated risk management approach matures, risk from multiple domains can be managed centrally, in a coordinated and consistent way. In fact, almost 80% of our customers manage multiple domains of risk on Archer. Expanding an integrated risk management program across and within domains doesn’t just mean taking the same cookie-cutter solution and thoughtlessly applying it. The process of expansion should be sensitive to what is novel about the different domains being managed. There is no guarantee that, for example, the threat of a cyberattack will map directly onto a compliance issue, so procedures to mitigate or manage one may not make sense for the other. However, even when the details differ, the platform on which those procedures are developed and deployed should offer a common interface for managing both. It is important to keep in mind that a mature integrated risk management approach will evolve over time. Steps that are taken to increase maturity will not deliver a final product, destination, or steady-state of risk management. Stakeholders in an organization need to understand that integrated risk management means constant vigilance for existing and novel risks to increase operational resilience. Mature integrated risk management is woven into everything an organization does. Think of how ubiquitous the use of digital technology is in a modern organization and you can start to get an idea of how deeply integrated mature risk management should be. 
Expanding and Extending Risk Management Strategies
With a mature risk management strategy, risk is not a ‘black box’ but a key input into making decisions to exploit business opportunity. If your organization can successfully manage disruptions that sideline other players in the field, those disruptions become a chance to grow. Effective risk management is more than avoiding major failures and business disruptions. Creating a culture of risk awareness can protect your organization and enhance its value. An organization with a mature integrated risk management process that can maintain operations during a crisis is able to take advantage of the new opportunities the changing landscape offers. For example, Home Depot proactively distributes plywood, generators, and equipment to clear fallen trees to stores where hurricanes are expected to make landfall. While other hardware and lumber stores may struggle to meet demand or even stay open, Home Depot is the go-to business for people preparing for or recovering from a disaster (1). The individual components of mature integrated risk management are themselves beneficial to an organization. For example, organizations that engage front-line stakeholders in the risk management process were more likely to experience revenue growth and were faster to recover from disruptions (2). Make your organization more competitive and resilient by downloading our report, “The State of Integrated Risk Management,” which will teach you how the journey toward mature integrated risk management actually provides tangible benefits and better business outcomes.
(1) https://fortune.com/2017/08/31/home-depot-hurricane-harvey-damage-impact/
(2) PricewaterhouseCoopers. Risk in Review: Managing Risk from the Front Line Correlates to Higher Revenue and Profit Growth, Says PwC. 2017. https://www.pwc.com/us/en/press-releases/2017/risk-in-review-managing-risk-from-the-front-line.html