Archer State of IRM 2021


White Paper

The State of Integrated Risk Management
August 2021
Recent news headlines, the pandemic, and the daily lives of people everywhere have laid bare the fragility within our increasingly connected world. Countries, communities, families, companies, and their workers are reeling from not only the tangible upheavals of the past 18 months but also the more subtle impacts of being unprepared for risk run amok. Suddenly, most of humanity is sharing the same real-world experience of risk management—making daily decisions around what may be a risk, who and what in their microcosm might be impacted, what the results of that impact will be, and whether those impacts are tolerable.

Companies are facing their own moment of reckoning around risk and their ability to manage it. While many organizations were caught off guard by the pandemic and other disruptions, some found their footing relatively quickly. A lucky few have been able to take advantage of extraordinary opportunities. In the midst of it all, operational resilience has emerged as a resounding theme and a high priority as companies plot their course forward.

Regardless of where they are on the path to stabilization, companies are rethinking their strategies for managing risk and achieving operational resilience. When respondents to the RSA 2020 Digital Risk Survey were asked about the need to coordinate risk management, the “extremely coordinated” response jumped more than 90% in the short time between the question being asked in a 2019 survey and the 2020 survey.

These results reflect a growing recognition that all business risks are connected, and management of significant risks requires coordination across multiple risk management functions. That is, all risk functions should work together in an integrated way, leveraging the same data, platform, taxonomy, and output to better inform the business about potential risks — what Archer calls integrated risk management.

Our customer engagements and research point to a number of important themes related to operational resilience and integrated risk management. These themes, examined in detail below, reflect what Archer customers and other organizations are doing to achieve and maintain resilience now and in the future. A highlight to note is the need to communicate the business impact of risk in ways that resonate with business leaders and show the business value of risk management. Quantification—based on measurable, comparable methods of risk analysis—is a critical and potent tool for doing so, especially as risk becomes increasingly hyperconnected and multidimensional.

Although the journey to operational resilience and integrated risk management is different for every company, the underlying success factors—as documented here—are the same. Archer has dedicated more than 20 years to providing customers with practical solutions for managing risk and strengthening operational resilience, and we are committed to making every customer successful. With more than 1,500 global deployments, our SaaS and on-premises solutions serve customers ranging from small enterprises to global multinationals. Every day, our innovative technologies and proven strategies help companies not only survive but continue to thrive—regardless of what comes their way.

IRM: Integrated Risk Management

Integrated risk management is the underpinning of operational resilience. Integrated risk management—especially when bolstered by quantification—gives executives and managers concise, clear, actionable data so they can draw more accurate conclusions and make the right decisions. Fueled by technology, integrated risk management empowers leaders to more agilely and effectively navigate risk and disruption, move forward with new opportunities, and meet their business objectives. Integrated risk management is also associated with higher growth. In a 2019 study, Deloitte found that 92% of companies that achieved greater than 5% CAGR characterized their risk programs as integrated.¹

The State of Integrated Risk Management | 2


Operational Resilience Takes Center Stage

Operational resilience refers to an organization’s ability to absorb and adapt to rapid changes, sudden disruptions, or other challenges—and not only continue to achieve objectives, but also adapt and prosper in times of uncertainty. While operational resilience has been on the minds of risk managers and industry analysts for several years, recent events have brought the concept into sharper focus. The following themes have particular resonance as organizations consider operational resilience and how an integrated risk management approach can help them achieve their business goals.

• Compliance is still foundational, but operational resilience is the end game.
• Convergence of digital and traditional business means organizations must not stop at IT and security risk management or disaster recovery.
• Quantification based on well-established mathematical principles is the best way to calculate risk—and it’s easier than ever.
• Risk management maturity over time is complex yet achievable.
Theme 1: Compliance is still foundational, but operational resilience is the end game.

The discipline of modern risk management has strong roots in compliance, and compliance is often a logical, externally-driven starting point for risk management programs. Although regulatory and corporate compliance is extremely important, organizations cannot stop there if they want to thrive. Just because they meet compliance requirements doesn’t necessarily mean they are managing risks that could impact their business. Organizations must also consider audit management, enterprise and operational risk management, third-party governance, and other functions—in effect, expanding the scope of risk management to create a more holistic model. This doesn’t mean creating layer upon layer of bureaucracy, complexity or costs. Streamlining processes, sharing insights and leveraging work from other teams creates a more cohesive picture of risk, breaks down silos, and reduces or focuses efforts. This strikes at the heart of an integrated approach.

Risk today is multidimensional and requires a higher-level strategy.

This expanded scope reflects the growing recognition that risk today is multi-dimensional, and no single risk management function can adequately protect an organization from all the potential risks that exist. Rather, risk management requires a focus on the business - targeting operational resilience while improving business performance. Gartner predicts that by 2025, “70% of CEOs will mandate a culture of organizational resiliency to survive coinciding threats from COVID-19, cybercrime, severe weather events, civil unrest, and political instabilities.”¹

When operational resilience is the focus, functional areas of integrated risk management—IT and security risk, regulatory and corporate compliance, business resilience, audit management, third-party/supply chain, and enterprise and operational risk—are woven together to form a tight mesh of control. Addressed in this way, risk management not only helps ensure compliance, but also increases the chances of achieving strategic business goals while managing risks in the right way for the business.

Risk assessment methodologies can be qualitative or quantitative; the appropriate methodology often depends on the maturity of an organization’s risk management program and available resources.

1. Gartner: Predicts 2021: Organizational Resiliency. January 2021.



Archer customers understand this and are well-poised to enhance operational resilience and overall performance. Ninety-one percent of Archer customers that license enterprise and operational risk management (EORM) use cases also license compliance use cases. In addition, customers who license EORM use cases are five times more likely to also own audit use cases. These deployments illustrate the “mesh” approach of layering on more capabilities to expand beyond compliance.

91% of Archer customers who utilize Archer operational risk management solutions also utilize Archer compliance solutions.

Operational resilience improves business outcomes.

Achieving operational resilience goes beyond ensuring business continuity, which is reactive and often carried out in silos. Operational resilience focuses on understanding the impacts and tolerance levels for disruption to the organization’s most important products and services in order to proactively manage risks and impacts to the organization. This approach enables a company to nimbly adapt to innovation, disruption, and other changes—and in doing so, advance its business goals and mission. A McKinsey study conducted before and after the 2007 recession found that resilient organizations not only outpaced their non-resilient participants in the study, they also outpaced the S&P 500.²

To meet resilience requirements, focus on delivery of products and services rather than internal processes and systems.

Regulators in the financial sector have been paving the way for guidelines around achieving operational resilience.³ Their requirements force financial institutions to shift focus from the recovery of internal processes and systems to the delivery of customer products and services. This shift in focus is also important for companies outside the financial world as it stresses the ability to prioritize the organization’s most critical products and services, identify dependencies (people, third parties, processes, and technologies), evaluate threat scenarios and their potential impact, and build resilience holistically across those dependencies. When these variables are quantified using statistically sound methodologies coupled with financial loss estimates (new technology makes this easier than it sounds), the focus on delivery of products and services also enables risk managers to precisely communicate the business impact of various scenarios compared to defined impact tolerances.

Resilient organizations consider risk beyond their own four walls.

The link between third-party risk and operational resilience has become more apparent than ever. The pandemic-related global shutdown, the SolarWinds malware attack, the ship Ever Given wedged into the Suez Canal, and other disruptions powerfully demonstrated the risk that third parties present as well as the complexity and underlying fragility of supply chains. These events also highlighted that today’s third-party risks aren’t always isolated to a single vendor, localized, or of short duration, and often extend to an organization’s fourth, fifth and sixth parties, making it more difficult to pinpoint and manage risks. Further complicating matters, third-party compliance is particularly difficult to manage because organizations have limited control over third parties—apart from signed contracts and stipulations regarding basic compliance, risk management and reporting. Organizations cannot overlook third-party and supply-chain risk management as they strive for operational resilience.

#1 priority regarding vendor and supply chain risk is an approach that integrates third-party risk management with enterprise and operational risk management.
- RSA 2020 Digital Risk Survey

2. Levy et al. McKinsey & Company. The emerging resilients: Achieving ‘escape velocity.’ October 2020.
3. For more information, see 1) Financial Conduct Authority Policy Statement. Building operational resilience: Feedback to CP19/32 and final rules. March 2021, and 2) The Bank of England, Prudential Regulation Authority Statement of Policy. Operational resilience. March 2021.



More than one-third of respondents in the RSA Digital Risk Survey stated that their number one priority regarding vendor and supply chain risk is an approach that integrates third-party risk management with enterprise and operational risk management. Their response highlights the reality that understanding operational risk depends on the ability to fold in a view of third-party related risk.

Theme 2: Convergence of digital and traditional business means organizations must not stop at IT and security risk management.
Digital innovation pervades nearly every aspect of the modern enterprise and is a fundamental component of operations and service delivery. The past year—and the need to conduct business virtually—was a proving ground for remote work, telehealth, intelligent automation, cloud enablement and other digital ways of doing business. To innovate, optimize, and broaden their portfolio of products and services, organizations must continue to expand their adoption of digital solutions. Nearly 75% of respondents in our 2020 Digital Risk survey said they expect their digital initiatives to accelerate due to the disruptions and shifts of the past year.⁴

Rapid expansion and adoption of technology creates a massive and dynamic risk landscape. Risks come from both the potential failure of digital operations and the potential loss or breach of critical information. As Gartner found, “The momentum of digital transformation projects is outpacing the ability of organizations to accommodate the changes and will introduce additional complexity of threats.”⁵

In the modern enterprise, IT and security risk management is a key enabler of business growth.

Seventy-nine percent of approximately 1,000 respondents in Archer’s 2020 Digital Risk Survey expect to rely more heavily on the IT and security risk management portions of their governance, risk, and compliance (GRC) programs over the next two years.⁶

Archer customers are already ahead of the curve. More than 70% of Archer customers’ early-stage deployments target IT and security risk management use cases, reflecting the criticality of digital technology and data in achieving their business objectives.

IT and security risk management helps ensure that digital processes can securely and consistently support delivery of products and services to the organization’s customers and business partners. While a complete picture of technology-related risks across the enterprise ecosystem is critical, the more important goal is to incorporate this view into a broader understanding of business risk. IT risk management processes provide a good foundation, but the effort can’t stop there. Protecting a growing and changing business is the ultimate goal.

“We took advantage of the flexibility of the Archer platform and added an in-house on-demand module where we assess the risk of new products, services, applications, and vendor onboarding. With Archer we’re now able to capture a fully holistic view of projects before they even start.”
- Senior Vice President and Director of Operational Risk and Information Security, U.S. Mutual Bank

4. RSA Archer. Digital Risk Report. October 2020.
5. Gartner: Predicts 2021: Organizational Resiliency. January 2021.
6. RSA Archer. Digital Risk Report. October 2020.



Just because it says “risk management” on the package, doesn’t mean it’s so.

In choosing an IT and security risk management vendor, it’s critical to differentiate. Not all solutions are truly designed for risk management. For example, IT ticket management (e.g., opening and closing tickets; managing ticket workflows) is not risk management. These siloed, rudimentary solutions do not meet the rigor required to analyze changes in risks, nor can they examine risks in the context of overall risk management. Many customers with such solutions come to Archer for help in aggregating, analyzing, and quantifying asset and control data from these processes.

Compliance management goes hand in hand with IT and security risk management.

Archer customers do not stop at IT and security risk management. Of the 1100+ deployments Archer has for IT and security risk management, more than 80% also utilize compliance processes on the Archer platform.

Privacy, a major aspect of IT compliance, provides a clear example of the need for compliance processes to keep pace with change and growth. It’s projected that 65% of the world’s population will have its personal information covered under a privacy regulation by 2023, up from just 10% in December 2020.⁷ Besides implementing controls for the ever-growing number of data privacy requirements, organizations must also comply with numerous laws related to data integrity and availability.

To manage IT-related risks, organizations should be able to evaluate how government, industry, and internal regulations apply to their IT implementations and the data within them, implement the necessary controls to mitigate risk, and audit those controls. They also need to ensure third parties and supply chains meet compliance regulations that relate to the labor, materials, and other processes used to produce the organization’s digital technology.

IT and security risk management must be tightly linked to operational resilience.

Given the role IT assets play in the delivery of products and services, having complete insight into technology-related risks, understanding the interconnections of IT-driven business processes, building in preventive measures, and being able to prioritize how they’re handled in a crisis is critical to preparing for and reducing the impact of IT-related business disruptions.

To address the convergence of operational resilience and IT risk, 88% of Archer’s business resilience customers also license IT and security risk management use cases.

88% of Archer customers who utilize Archer’s business resiliency solution also deploy Archer IT & security risk management solutions.

7. Focal Point Insights. Nine Data Privacy Trends to Watch in 2021. December 2020. https://blog.focal-point.com/the-9-data-privacy-trends-to-watch-out-for-in-2021



Theme 3: Quantification is the best way to calculate risk — and it’s easier than ever.

Risk quantification is essential to establish priorities and evaluate business practices. CEOs and Boards increasingly expect their managers to quantify the impact of risk on the company’s finances, its brand, and society. Placing risk analysis and quantification at the center of the risk management process drives more precise, meaningful insights into risk and cost-benefit analysis. It helps organizations understand potential exposures and impacts, as well as the value of mitigating controls. With this understanding, organizations can then design controls and implement processes to manage those risks and optimize the business.

Heat maps, ranges of probability, and other qualitative tools don’t cut it anymore.

While heatmaps and qualitative analysis may play a role in moving the risk conversation forward, they can’t take organizations where they need to go in terms of rationalizing spending and making other decisions to protect against risk and maintain operational resilience. Qualitative measures usually consider risks one by one (instead of in aggregate) and miss the bigger picture. In addition, subjective measures make the challenging task of comparing risks even more difficult.

The language of numbers is universal.

By contrast, quantification provides a more flexible, mathematical language that allows risk managers to calculate, correlate, and perform analysis in aggregate on multiple layers of multiple variables within the risk register. This capability allows “apples to apples” comparisons and the evaluation of risks in multiple dimensions. It’s important to note that, for Archer, quantification is not simply a matter of replacing a red/yellow/green scale with a numeric scale. In our world, the heart of quantification is precision. It includes statistical analysis so companies can be more precise about things such as probability of risk, and it emphasizes dollar-and-cents financial impacts so companies can be more precise about potential loss exposure. With quantification integrated into risk management tools, organizations can connect risks to operational resilience and business outcomes. In addition, mathematics provides a common language—that is, numbers and hard data—for clearly communicating risks, opportunities, and costs and having constructive dialogue with business leaders, as well as first, second, and third lines of defense.

Quantification is appropriate at every level of risk management maturity.

With the right technology, risk quantification becomes accessible, understandable, and actionable for risk managers, compliance and security officers, auditors, and others whose background is not in mathematics or statistical analysis. Risk managers enter the numbers, and the technology does the math. Risk quantification is possible regardless of risk management maturity or the amount of data in place. Organizations can create meaningful models from day one.

“We will save an estimated $238,948 per year in productivity and efficiency with (Archer) data automation in place. In addition, we are able to respond to critical cybersecurity issues faster to shut down cyber-attacks, thereby further protecting our customers’ and associates’ data, which ultimately saves money and time responding to/remediating a breach.”
- Manager, U.S. Insurance and Financial Services Group



Theme 4: Maturity over time is complex yet achievable.

A mature, integrated risk management approach goes beyond keeping the business out of trouble. By enabling organizations to set the right priorities, make better investments, and operate at the speed of risk and opportunity, risk management propels the journey to operational resilience and better business outcomes overall. Organizations can exploit opportunities, reduce costs, improve productivity, and create a company-wide culture that contributes to and relies on risk management in order to elevate the business.

Maturity and expansion require a broad, disciplined strategy that allows for incremental evolution.

Of the 250+ customers that have been with Archer for more than 10 years, almost 60% have branched out into at least three domains of risk management. Domains in this context include different aspects of a risk management program such as IT and security risk management, operational risk management, audit, and compliance.

Organizations typically start out by focusing on one type of risk (e.g., compliance or IT and security). From there, maturity evolves in various directions:

• Expanding into additional risk domains.
• Expanding within domains (e.g., adding use cases and broader capabilities).
• Broadening the program (e.g., improving visibility, analysis, and metrics within domains).
• Extending reach further into the organization (e.g., finding commonalities, adopting the same taxonomies, enhancing collaboration with first lines and third parties).

Time and experience also contribute to the maturation process. For example, one Archer customer is a global retailer that started its integrated risk management journey more than 15 years ago. The company was ahead of the game when COVID-19 struck because it had already utilized Archer when dealing with the H1N1 and Zika viruses.

Engaging the front line improves speed, effectiveness, and reach.

Organizations achieve better outcomes with broad participation from first line business operations, IT and third parties. The more they engage with people closest to the risks—the front line—and include them as part of the solution, the better their insights will be. A PwC study found that respondents that shifted risk management responsibilities to the first line were more likely to show profit and revenue growth over the next two years and were able to recover from adverse events more quickly.⁸ Solutions such as Archer’s Engage and mobile capabilities can help drive frontline participation by simplifying the process of gathering, exchanging, and reporting information.

80+% of Archer customers manage multiple domains of risk on the Archer platform.

8. PricewaterhouseCoopers. Risk in Review: Managing Risk from the Front Line Correlates to Higher Revenue and Profit Growth, Says PwC. 2017. https://www.pwc.com/us/en/press-releases/2017/risk-in-review-managing-risk-from-the-front-line.html



Integrated risk management isn’t only for large enterprises.

Archer’s customer base extends from small, regional companies to massive multinationals. In today’s fast-paced environment, organizations of all sizes and types must—and can—embrace integrated risk management to agilely manage risk and make the best decisions for the health of their business. Archer’s SaaS offering makes integrated risk management more accessible for organizations with smaller teams and budgets. The Archer solutions integrate lessons learned and best practices so that organizations do not have to “learn the hard way” or “re-invent the wheel.” Archer can also alleviate the burden of managing integrated risk management solutions in-house and add predictability to budgeting.

Innovation in Integrated Risk Management Technology

The risk management toolset has evolved significantly since its GRC beginnings. Many risk managers remember the days (or may still be in the midst of them) of organizing catalogs of disparate elements (controls, policies, assets, incidents, and so on) into separate spreadsheets, manually circulating spreadsheets to the various people who needed to fill them in, and then compiling the results. Over time, GRC tools have digitized, standardized, and simplified many of these processes, and workflow has become a key element of GRC technology.

Now, both new and seasoned integrated risk management practitioners are benefiting from the lessons learned over the years. Software as a service (SaaS) and on-premises solutions offer out-of-the-box (OOB) capabilities, pre-built taxonomies, built-in best practices, and other features.

At the same time, integrated risk management processes are beginning to incorporate emerging technologies and other innovations that enable companies to analyze and understand their data in new ways. For example:

• User-friendly risk modeling software makes quantification accessible to users outside of the “quant” community.
• Visualization methods, such as bowties and advanced reporting, help connect various aspects of risks to provide more meaningful insights to non-risk professionals.
• Mobile capabilities take risk reporting (e.g., incident, compliance, and issues reporting) to frontline employees and other groups.
• Machine learning can be applied on multiple fronts to simplify work, analyze incidents, and predict possible outcomes.
• Natural language processing can be applied to document analysis (for example, to analyze written responses to questions, or to map service level agreements to metrics or assessment results).

• 40% less time to initiate risk mitigation plans
• 25% less time to collect and report on risk data
• 20% less time to complete full risk review cycles
• 20% less time spent on manual email requests/asks
• 40% overall efficiency improvement by centralizing risk management
- Sr. Engineering Program Manager, Multinational Computer Software Corporation



Although it’s tempting to dismiss these methods and technologies as too far in the future to consider, risk management teams may find that their company is already using some of them for a strategic advantage in other areas of the business. Using them within the risk management sphere is mainly a matter of mindset and imagination. Forward-looking risk management teams and technology leaders like Archer are developing clear use cases that will spur further innovation.

Maintaining Momentum

As business leaders and risk managers take stock of where they are today and where they need to go, the lessons and experiences of this extraordinary time will likely leave a lasting imprint. While there is light at the end of the tunnel for many, the personal and collective toll of the pandemic and other high-magnitude disruptions continues to mount. Even so, what stands out already—and what will continue to resonate—is the theme of resilience. If history has shown anything, it is that resilient individuals, communities, and companies are better prepared to endure and even thrive in the midst of upheaval.

What’s less obvious is that resilience isn’t something that is simply acquired overnight. It requires forethought, discipline, and constant vigilance. In the case of operational resilience, it also requires tools and strategies that allow companies to see the big picture, analyze the details, and stay focused on how risks impact the delivery of goods and services.

Regardless of where a company is on its journey to operational resilience and risk management maturity, it’s vital to maintain momentum. The most harmful barrier to achieving maturity is putting programs on hold. In our experience, small, consistent steps are more likely to sustain momentum than larger, irregularly paced undertakings. The ‘old’ risk management adage ‘don’t ever let a good crisis go to waste’ strikes a resounding chord today. In other words, companies everywhere have seen major disruptions in the last 18 months. Some weathered the storm more successfully than others. Those that fared better did so because, whether they realized it or not, they managed risk better - either before, during or after the pandemic.

Risk management is both a proactive and reflective process taking not only experience and expertise to learn from the past, but also commitment and focus to innovate for the future. 2020 gave organizations an extreme opportunity to examine their resiliency and understand what it takes going forward. With state-of-the-art integrated risk management technology and more than 20 years’ experience in helping customers achieve their risk management and business goals, Archer is ideally positioned to help companies on the path to operational resilience.

About Archer

Archer, an RSA company, is a leader in providing integrated risk management solutions that enable customers to improve strategic decision making and operational resiliency. As true pioneers in GRC software, Archer remains solely dedicated to helping customers understand risk holistically by engaging stakeholders, leveraging a modern platform that spans key domains of risk and supports analysis driven by both business and IT impacts. The Archer customer base represents one of the largest pure risk management communities globally, with over 1,500 deployments including more than 90 of the Fortune 100.

To find out more, visit www.archerirm.com

©2021 RSA Security LLC or its affiliates. All rights reserved. RSA and the RSA logo are registered trademarks or trademarks of RSA Security
LLC or its affiliates in the United States and other countries. All other trademarks are the property of their respective owners. RSA believes
the information in this document is accurate. The information is subject to change without notice. 06/21 White Paper.
