RSA Archer Risk Intelligence
Harnessing Risk to Exploit Opportunity
June 4, 2014
Steve Schlarman
GRC Strategist
Risk and Compliance
Global, technological and organizational factors have created a significant risk landscape for organizations.
We must focus on building sustainable risk programs that address the rate and velocity of risk, so that we can navigate that landscape.
Compliance can become a barrier to success or a competitive advantage. The path is
decided by how well compliance processes are positioned for the future.
We must focus on priority, the flow of incoming regulatory obligations and automation to
turn compliance into a competitive advantage.
Since 2009: 131 new major regulations enacted, $70 billion in costs.
In 2012: 2,605 new rules, 69 classified as major (>$100 million annual impact).
In 2013: 134 new rules enacted by the EPA alone.
Source: Heritage Foundation
Risk or Opportunity?
[Diagram: forces acting on the business: Big Data, Globalization, Cloud Computing, Regulatory Change, Mobile. Venn diagram of What your market wants / What you want to do / What you are good at; the overlap is labelled Opportunity.]
The Opportunity Landscape
[Diagram: Venn of What your market wants / What you want to do / What you are good at, overlap labelled Opportunity, overlaid with What you have to do. Segments: Got it covered; "Must Haves"; Fuels growth but no time to execute; ?. Figures: Compliance Activities $216B, 87M hours; Risks 83% / 20%; Risk Management Maturity -11% / +37%.]
The Compliance Burden
Transform compliance, harness risks, exploit opportunity: Risk Intelligence.
[Diagram: the opportunity landscape again (What you have to do; Got it covered; "Must Haves"; Fuels growth but no time to execute; ?; What your market wants / What you want to do / What you are good at; Passion), with Compliance Activities $216B, 87M hours; Risks 83% / 20%; Risk Management Maturity -11% / +37%.]
Change the Game…
Automate compliance, reallocate resources/budget to manage risk, and proactively
exploit opportunity
[Diagram: Compliance / Governance / Risk plotted against a Reactive to Proactive scale, with labels Today's GRC Focus and Risk Intelligence.]
Risk Intelligence
Harness risk to exploit opportunities for competitive advantage
• through better visibility,
• enhanced analysis, and
• improved metrics
to drive intelligent, streamlined actions, enabling the business to move quickly and
Intelligence-driven actions give you priority, results and progress.
Intelligence Driven GRC
Visibility + Analysis = Priority
Priority + Action = Results
Results + Metrics = Progress
Harnessing Risks…
[Diagram: the opportunity landscape (What you have to do; Got it covered; "Must Haves"; What your market wants / What you want to do / What you are good at; Opportunity) divided into four zones:
1. Core to Business; Vital to Success
2. Market Table Stakes; Vital for Growth
3. Everything else…
4. Safety Net
The HIGH RISK Wedge covers Reputation, Ethics, Safety, Security and Resiliency.]
Exploiting Opportunity
[Diagram labels: What you are good at; Obligated Differentiators; Elective Differentiators; Improvement Wedge; Opportunity Landscape; Innovation Frontier; High Risk Wedge; Risk Frontier.]
• Obligated Differentiators: build and support the business case
• Elective Differentiators: freed-up resources to build on core competencies
• Improvement Wedge: streamline processes, free up resources, encourage and enable continuous improvement
• Innovation Frontier: protect the Innovation Frontier (opportunities adjacent to what you are good at) through reduction of risk in new products, services and market initiatives
• Risk Frontier: drive through the Risk Frontier ("must haves" adjacent to what you are good at) with quick wins and steady progress
The Journey
[Diagram: IT and Business axes.]
Building Risk Intelligence
Risks the program must address:
• Security threats
• IT disruptions
• Poor, misaligned business and IT practices
• Regulatory violations and fines
• Business disruptions
• Poor internal controls and governance
• Risks inherited from outside providers
• Harmful operational incidents and events
• Operational compliance failures
• Unknown, unidentified risks
• Significant business crises
Stakeholders: Board, LOB Executives, Business Operations Managers, CIO, CISO.
Activities:
• Manage the lifecycle of 3rd party relationships
• Identify & meet regulatory obligations
• Implement and monitor controls
• Prepare for & recover from IT outages
• Detect & respond to attacks
• Identify & resolve security deficiencies
• Independently review & assure management actions
• Identify & prepare business resumption strategies
• Manage crisis & communications
• Catalog & resolve operational incidents
• Establish IT policies & standards
• Establish business policies & standards
• Identify, assess & track emerging & operational risks
Building Risk Intelligence
Solutions: Business Resiliency Management, IT Security Risk Management, Regulatory & Corporate Compliance Management, Operational Risk Management, Third Party Management, Audit Management.
Drivers…
Additional applications: PCI Compliance, Anti-Money Laundering, ISMS Foundation, Regulatory Change Management, Environmental Health & Safety, Foreign Corrupt Practices Act (FCPA), Code of Federal Regulations, Unified Compliance Framework, Model Risk Management, Market Conduct Management, Stakeholders Evaluation, Privacy Program Management, Legal Matters Management, Conflict Minerals, Key & Certificate Management, Access Risk Management.
Integrations: WhiteHat Security Sentinel, QualysGuard, RedSeal Networks, McAfee Vulnerability Manager, Veracode Security Review.
Persona-centric
[Diagram: the risks, activities and solutions from the preceding slides mapped to a single persona: Chief Risk Officer.]
Issue-centric
[Diagram: the same risks, activities and solutions mapped to a single issue: Supply Chain Resiliency.]
Benefits of a Risk Intelligence Approach
Better, more predictable decision-making
• Comprehensive business context
• Prioritized decisions based on impact
• Predictable outcomes
Greater business opportunity
• Embrace known risks to exploit opportunity
• Transition from defense to offense
Better business performance
• Improved allocation of resources/budget
• Align risk objectives to business
Planning Your Journey
[Diagram: maturity stages plotted against Compliance, Risk and Opportunity; the compliance share is labelled Reduce.]
Siloed: compliance focus, disconnected risk, basic reporting
Managed: automated compliance, expanded risk focus, improved analysis/metrics
Advantaged: fully risk aware, exploit opportunity
Siloed
The CEO & CISO ride the elevator…
CEO: So how's security these days?
CISO: We rolled out the last Microsoft security patches in less than 30 days, we shut down 50 virus infections and we passed our quarterly vulnerability scan for PCI. Soooo….that's all good.
Managed
The CEO & CISO ride the elevator…
CEO: So how's security these days?
CISO: We did an end-to-end review of customer record processing, found a few issues but resolved them. We also rolled out some special controls to support "Project Barracuda" – which I know is one of your key objectives.
Advantaged
The CEO & CISO ride the elevator…
CEO: So how's security these days?
CISO: I have a great idea on how to give customers secure access to their information that will blow the socks off our competition. Let's talk about it.
Enterprise Risk
Market Observations & Trends - ERM
• The level of maturity of ERM programs varies greatly by industry and by company within the same industry
• Agreement on taxonomy, framework, and approach remains a challenge
• Getting all silos / stakeholders on board and working together is a never-ending process
• Regulated companies are under increasing pressure to demonstrate risk management capabilities
The Perfect World
[Diagram: ORM Dashboard covering Liquidity Risk, Operational Risk, Market Risk, Credit Risk, Strategic Risk, IT Risk and ORM Risk Areas #2 to #6; IT Risk Dashboard covering Third Party Risk, Resiliency, Service Levels, Security, IT Operations, Compliance and IT, with detail panels for Network Security, Application Security, Physical, Threat Intelligence, Security Incidents and Vulnerability.]
• Desire to better anticipate and predict risk
– Historical event analysis alone is not an adequate predictor of the future
– What-if scenario analysis and "black swan" identification
– Growing use of metrics (breadth, collection speed, & governance)
– Identification of leading causal indicators
– Data trending (metrics, metadata, unstructured data)
– Capturing changes in risk profile on an ongoing basis
• More sophisticated risk assessment
– Use of quantitative and qualitative risk assessment
– Advanced analytics
Key Archer Capabilities
• Questionnaires
– Target asset types and identify common risks across assets
• Risk Register
– Catalog risks and track inherent/residual risks
– KRIs and metrics
– Issues and control compliance
– "Calculated Residual Risk"
• Loss Events and Incidents
• Rollups and Reporting
• Risk Specific Monitoring
– Security Operations
– Vulnerability Risk
– Resiliency Risk
– Compliance Risk
RSA Archer and ISO 31000
[Diagram: Archer components shown alongside the ISO 31000 risk management process: Dashboards and Reports, Enterprise Management, Workflow and Notifications, KRIs/Metrics, Loss Events, Questionnaires, Risk Register, Controls and Issues Management.]
Introduction to RSA Archer
RSA GRC Reference Architecture
[Diagram: RSA Archer Ecosystem (50+ partners: Technology, Advisory, Service); Platform (Data Exchange, Business Fundamentals, Business Logic); RSA Archer GRC Foundation; Solutions (100+ use cases: Workflows, Content & Reports, Expert Services); Community (Online, Summit, Executive Forums, Solution Exchange, Partners).]
All key components required to lay a strong foundation for your enterprise-wide GRC program.
RSA Archer Foundation
[Diagram: GRC Foundation with four areas: Business Context, Solution Configuration, Common Data Model, Data Integration. Elements shown: Business Process, Business Objectives, Products & Services, Facilities & Locations, IT Infrastructure, Applications, Information Assets, Organizational Hierarchy, Organizational Units & Departments, Visualization, Branding, Workflow, Roles/Responsibilities, Calculations, Search & Reporting, Questionnaires, Mobile Access, Consolidated Data, Central Repository, System Auditing, Data Management, Role Based Access, Common Taxonomies, Data Import, Integration APIs, Data Mapping, Pre-built Data Connectors, Multiple Transport Modes, Scheduled Data Feeds, Data Publication.]
RSA Archer Solutions
Core Modules (on the RSA Archer GRC Foundation): Business Continuity, Audit, Compliance, Vulnerability Risk, Risk, Vendor, Policy, Security Operations, Incident.
Additional applications: Regulatory Change Mgmt, UCF, Key & Certificate Mgmt, Stakeholder Evaluations, ISMS, Anti-Money Laundering, Environmental Health & Safety, PCI, Code of Federal Regulations.
RSA Archer Solutions
Business Resiliency Management, IT Security Risk Management, Regulatory & Corporate Compliance Management, Operational Risk Management, Third Party Management, Audit Management.
Extending Solutions
Packaged extensions: PCI Compliance, Anti-Money Laundering, ISMS Foundation, Regulatory Change Management, Environmental Health & Safety, Foreign Corrupt Practices Act (FCPA), Code of Federal Regulations, Unified Compliance Framework, Model Risk Management, Market Conduct Management, Stakeholders Evaluation, Privacy Program Management, Legal Matters Management, Conflict Minerals, Key & Certificate Management, Access Risk Management.
Integrations: WhiteHat Security Sentinel, QualysGuard, RedSeal Networks, McAfee Vulnerability Manager, Veracode Security Review.
RSA Archer Partner Ecosystem
50+ partners for data transfer,
[Diagram: partner and community programs; items shown:
• 120+ sessions
• Annual event since 2003
• Peer best practice sessions
• Peer to peer networking
• Access to GRC content
• Certified new apps
• Executive Forum
• Key Finding Reports
• 10,000+ Archer members
• Interactive online community
• Birds-of-a-feather groups
• Periodic meet ups
• Customer Advisory Council
• Available at a city near you
• Annual event since 2007
• Plug-ins and integrations
• Services, ideas and more
• 800+ GRC practitioners
• F2F access to product experts
• Access to expert content
• Ideas, requests and more
• Influence product roadmap
• Facilitated by Archer and / or]