The Riskicist’s Guide: The Theory of Exponential Growth

EMC logo


As I continue my Riskicist’s Guide to the Universe, my first theory regarding the future of risk management deals with change.

In very simple terms, risk in the past can be thought of as growing on a mainly linear scale as a function of organizational size or complexity. In other words, a straight line. But there is more to it. Your company faces market dynamics within your industry that force change. As your competitive pressures increase and your market changes, your risk changes with it. The rate of risk change is therefore a function of your market, or F(x) = Y * x, where Y is a measurement of your market volatility. If your market is changing rapidly, the coefficient is > 1: the line is steeper and the rate of risk growth is higher. If the market pressures are relatively slow, then the coefficient is between 0 and 1 and the line isn’t as steep, meaning risk is not expanding as fast. Don’t begin thinking these are actual mathematical models; this is a conceptual depiction, but the logic applies.

Prior to the digital revolution, this might have been an adequate way to graph a simple rate of change of risk. However, risk in the digital world doesn’t grow in this linear fashion. It grows at an exponential rate.

 

This leads to my first theory:

The GROWTH OF RISK will follow an exponential curve based on the rate of change of your market taken to the power of your digital transformation.

 

In this conceptual model, Y is your market change and Z is the rate of adoption of technology within your organization. Market pressures have been a constant force affecting industries. It is the Digital Transformation that can be a massive shift. As your business goes digital, it can represent an explosion of elements in your risk management framework. More systems, more data, more threats, more EVERYTHING. It is this exponential factor that fuels hyper growth and changes how we think of some of the fundamental needs in our risk program.

The main impact of this rapid risk growth I want to explore is the impact on understanding the business context around risk. Business Context is the relationship of any risk management framework element – like an incident or a control – to the business. Business Context sets the aperture by which risk can be viewed – the more context, the more clarity. When you have Hyper Risk Growth, you need Hyper Risk Management. Hyper Risk Management requires Hyper Business Context.

 

Hyper Business Context must be fueled by automation. Manual cataloging anything related to the risk management process in this new world will quickly fall behind. In short, the hyper growth of risk forces us to look to automated inputs with a frequency and reliability that exceeds today’s capabilities. We must rethink what it means to create the relationships to formulate business context. Your risk program must build business context from the insights it gathers – and not rely solely on manual efforts.

The good news is that RSA has a unique position when it comes to the future of business context. RSA Archer already helps you build context for your risk program. But we can also think outside the box when it comes to building business context. For example, why not let the systems tell us what is important? Network monitoring systems like RSA NetWitness can tell us how much a system is used, which helps identify availability risks. Identity management systems like RSA SecurID can connect applications to user profiles, building relationships between business functions and IT infrastructure. These are byproducts of those technologies that we can use to inform business context.

 

Automation and integration will be key in ensuring your context keeps up with the data flowing from your many systems especially as your business continues along its digital transformation.

 

Join me next week for my next blog, which discusses an ever-present variable that will have a tremendous impact on measuring risk in the future.



RSA Archer Audit Engagements & Workpapers



What are audit engagements and workpapers?

Audit engagements are the mechanism that internal audit teams use to scope, plan and execute their evaluations of risks and associated internal controls, and related areas of their organization. Audit workpapers are the means to document the results of their evaluations, or test work.

Why is the proper execution of audit engagements, including workpaper documentation, so important?

A significant challenge internal audit teams face in managing their audit engagements is a lack of risk-driven audit coverage, inconsistency and inefficiency. Many internal audit groups cannot focus more time on risk and compliance activities because they are too absorbed in administrative work. Further, audit procedures and engagements are often performed inconsistently, and audit teams spend countless hours inefficiently managing audit resources.

They also struggle to track the status of engagements and workpapers because their teams use multiple documents and systems. Teams cannot effectively reconcile their time and expense back to their audit plan nor report real-time updates to audit executives. They lack visibility into the status of findings generated during past audits. Audit reports are not easily updated with changes to audit findings, remediation plans and workpapers, and there are constant fire drills getting information to external auditors.

RSA Archer Audit Engagements & Workpapers

The RSA Archer Audit Engagements & Workpapers use case addresses the problems outlined above through key features that include:

  • Audit universe tracking with automatic updates on time and expense from audit engagements
  • Audit engagement and workpaper documentation, review and approval workflows with best practices and industry standards built in
  • Centralized Audit Program Library and workpaper repository
  • Audit report and planning memo templates
  • Audit findings and remediation plan management with review comments capabilities through the RSA Archer Issues Management use case (see Data Sheet)
  • Offline audit engagement capabilities

 

With RSA Archer Audit Engagement & Workpapers, you will be able to:

  • Ensure audit engagements and workpapers are performed consistently and per prevailing standards
  • Reduce external auditor time and requests by allowing them to self-serve the information they need
  • Easily generate audit reports with up-to-date detail and findings
  • Free up time to place more focus on risk-based auditing and strategic projects
  • Provide management and the Board with the information they need more readily

 

Often, internal audit teams cannot focus on helping the business evaluate new risks and opportunities because they are spending too much time performing administrative and duplicative tasks. The RSA Archer Audit Engagements & Workpapers use case helps transform the efficiency of the audit department, complete better-scoped audits more efficiently, and decrease audit expenses. The use case is also integrated with other RSA Archer risk and compliance use cases, enabling your organization to move toward Integrated Risk Management (IRM). As your company drives business growth with new initiatives, technology adoption or market expansion, your overall governance, risk and compliance (GRC) or IRM program must evolve, innovate and manage risk with more agility and integration than before. Managing the audits performed by internal audit (the third line of defense), alongside the risk management and compliance testing performed by second-line groups and the control self-assessments performed by management, is one ingredient in becoming more integrated, efficient and effective across all three lines of defense.

RSA Archer can help your organization manage multiple dimensions of compliance and risk on one configurable, integrated software platform. With RSA Archer solutions, organizations can efficiently implement risk management processes using industry standards and best practices and significantly improve their business risk management maturity.

For more information, visit RSA.com or read the Audit Engagements & Workpapers Datasheet.



A Theoretical Riskicist’s Guide to the Universe



It’s that time of the year. As we wrap up another celestial measurement of time, people begin predicting things that will happen in the future. I don’t know why it is – but my crystal ball says over the next few weeks you will see a slew of predictions about what will be coming over the horizon of 2019. In the spirit of the season, I wanted to contribute my thoughts towards this time-honored tradition.

I must admit I do a lot of thinking about the future of risk management. Earlier this year, we held our 15th RSA Archer Summit. Last month, we also held our EMEA Summit. These events are highlights for the RSA Archer community – a time to gather and share insights – and I had the honor of addressing the community at both events on the future of risk management. That opportunity got my wheels turning as I contemplated this thought provoking topic.

We all know technology has moved blindingly fast and the coming years will be mind boggling. The way we do business today will not be how we conduct business in the future. The Digital Transformation is undeniable. For us in risk management, while the Digital Transformation is unfolding, there must be a Risk Transformation that moves at the same pace, and I would argue even faster. Risk has so many variables. It is really overwhelming as we try to investigate the future and predict how risk management will transform. When I started to think about the future of risk management, I knew I had to approach risk like something else really, really complex… like the universe.

And it hit me… If theoretical physicists can pose theories to understand the universe, a theoretical riskicist can pose theories on the future of risk management. I have been using Schrödinger’s cat as an analogy for Risk and Opportunity for years, so it seemed like a good fit. Plus I have seen every Big Bang Theory episode numerous times… You know it’s bad when your wife says “Ok – Sheldon – just give me the CliffsNotes…” on a regular basis. But before one explores a universe, a Cartesian coordinate system to describe the space comes in handy.

The first dimension we can think of as our X axis is the different domains of risk. Security, compliance, operational risk, vendor management, audit, and business continuity – all of the functions in an organization we traditionally associate with risk management – must be horizontally aligned. Alignment across these domains means you are using the same language to discuss risk. It means that your data, your processes, and your discussions are focused and meaningful to each other.  RSA is blending security and risk management as part of its core strategy. We see these worlds converging. Communication and coordination across operational functions is absolutely critical in dealing with risk.

 

The second dimension of risk is our Y axis indicating the spectrum of strategic to operational risks.  Our risk management strategies must be vertically aligned to connect strategic objectives to day-to-day operations. Small events can quickly turn into major catastrophes and we have to connect those dots. We need the context to put an operational event into the big picture. We also need the ability to drill into more detail when looking at strategic business risks. RSA’s strategy of integrating threat detection and risk management is a great example of this alignment, for instance, by being able to connect a security alert to a business application that stores personal data. It is the connection between risk management at the strategic and operational levels that creates a true picture of what risks mean to your business.

The final dimension is our Z axis. It may sound cliché but the “People, Process and Technology” paradigm is even more crucial in managing risk today. Moving towards a digital world, the pressure to push the envelope will be on the technology front. There will be much more data for us to consider but we can’t forget the other two elements – we need the right talent pool and we need optimized processes.

 

 

This gives us our Cartesian space – our X, Y and Z – as a foundation. As your company matures in each of these dimensions, the view of risk gets clearer and clearer. This space gives us our guideposts to explore our universe. See, that wasn’t so bad…

Over the next several blogs, I will expound on three simple theories for you to contemplate for the future. I hope you join me for my Theoretical Riskicist’s Guide to the Universe.



RSA Archer Audit Planning & Quality



What is audit planning?

Audit planning is the practice whereby an internal audit function assesses the risk across its audit universe and determines the audit engagements it needs to perform in the months and quarters ahead. It plans audits based on risk and compliance gaps, the strategic objectives of the organization, important topics and other priorities.

 

What is audit quality measurement?

Audit quality measurement is the execution of quality surveys to monitor the effectiveness and comprehensiveness of audit processes.  These surveys provide key insight on how well the audit function is meeting the business’ needs and working with business and IT management during an audit.

 

Why is audit planning and quality important?

According to PwC’s 2018 State of the Internal Audit Profession Study, a survey of more than 2,500 audit executives, 82% of innovative audit functions collaborate with other lines of defense to align the uses and functions of technology tools, vs. 45% for non-innovative audit functions. Internal audit’s main challenge is not gaining access to broad, dynamic enterprise risk and control information and analysis; it is actually using that information for agile audit planning. Instead, many audit teams rely only on their point-in-time risk assessments to drive audit work. This prevents internal audit from adjusting audit plans to rapidly changing risks and business concerns.

 

With decentralized audit plan and risk assessment documentation captured in multiple tools and systems that are difficult to integrate, there is no easy, fluid way to manage audit plans, let alone coordinate objectives among risk and compliance groups.  Internal audit is also under pressure from audit committees and management to improve their processes; yet their quality control procedures are sporadic, inconsistent and difficult to follow up on.

 

RSA Archer Audit Planning & Quality

The RSA Archer Audit Planning & Quality use case addresses the problems outlined above through key features that include:

  • Complete workflow to create and assess audit entities, perform risk assessments, and create and manage audit plans
  • Workflow to schedule audits and tie forecast and actual time and expense between audit engagements and the audit plan
  • Centralized location for storing and managing audit plans, audit entities, and assessment results
  • Audit quality assurance and review questionnaire workflows

 

With RSA Archer Audit Planning & Quality, you will be able to:

  • Execute a more dynamic, risk-driven audit plan that is easily adjusted to match the organization’s priorities and focuses on the most important risks
  • Easily provide Board-level reporting that keeps the audit committee well-informed of the status of audit plans, risks and critical findings
  • Demonstrate the strategic value of internal audit and more efficient use of audit resources
  • Reduce external auditor fees by providing self-access to information they need

 

RSA Archer Audit Planning & Quality enables internal audit teams to define their audit universe, assess risks and plan audit engagements that better address risk, and manage their audit staff and audit schedule. RSA Archer Audit Planning & Quality is a critical element of Integrated Risk Management (IRM). Since RSA Archer Audit Planning & Quality integrates management risk and control information, internal audit can ensure their audit objectives are aligned with IRM teams and play their essential role as the third line of defense. As your company drives business growth with new initiatives, technology adoption or market expansion, your internal audit function can evolve and react to risk with more agility and integration than ever before.

 

RSA Archer can help your organization manage multiple dimensions of risk on one configurable, integrated software platform. With RSA Archer solutions, organizations can efficiently implement risk management processes using industry standards and best practices and significantly improve their business risk management maturity.

 

For more information, visit RSA.com or read the Datasheet.



RSA Exchange Release R6 Delivers Integrations for RSA Archer Mobility and More



With today’s launch of RSA Exchange Release R6, we’re very excited to deliver two new integrations in support of our mobility strategy. As we previewed at RSA Archer Summit 2018 in August:

  • A new integration with Mendix enables customers to access the RSA Archer Platform via a variety of supported mobile devices both on iOS and Android. Customers can customize their Mendix-based apps to suit their specific user experience and business requirements and interact with the RSA Archer Suite using the RSA Archer public APIs.
  • A new integration with KONEXUS provides an intuitive mobile solution that integrates with RSA Archer Business Resiliency use cases. The integration streamlines crisis response and transforms business continuity and crisis management plans into actionable, role-based, task lists that put critical information in the hands of users via their mobile devices.  

 

RSA Exchange Release R6 also includes integrations with erwin, Rapid Ratings, SoftWarfare, ThreatConnect and ThreatQuotient, as well as the following offerings:

  • App-Packs – pre-built applications addressing adjacent or supporting GRC processes (e.g. niche, industry, geo-specific)
  • Tools & Utilities – pre-built functions enabling administrators to more easily manage their RSA Archer implementations

RSA Exchange Release R6 also includes updated content for the Australian Government Information Security Manual (ISM) to include Controls. Content library packages are available on the RSA Exchange Documentation & Downloads subspace.

     

All RSA Exchange offerings are available on RSA Link, along with implementation guides, demo videos and installation guides where available. For existing RSA Archer customers, you can learn more about these new and updated offerings in upcoming Free Friday Tech Huddles.



RSA Archer Cyber Incident & Breach Response



What is a cyber incident / breach response program?

Cyber and security breaches continue to dominate front-page headlines all over the world. It’s not enough to hope it doesn’t happen to you or to assume you’ll be able to respond effectively if it does. Companies need a proactive, program-level approach to IT and security risk management, based on sound methods for prioritizing actionable security events combined with consistent operational response procedures. Poor handoffs between security functions and IT teams leave limited visibility into the remediation efforts that close declared cyber incidents, and can weaken the overall process to the point where it breaks down when needed most, namely during a breach.

Why are cyber incident & breach response capabilities so important?

The identification of potential security issues and the process of responding to a possible cyber incident are the first lines of defense against a significant business event. Many organizations have deployed security information and event management (SIEM) technology and log collection tools in their infrastructures to track events and provide alerts. These systems produce an overwhelming amount of data for the security team to review. Uncoordinated security response processes managed in spreadsheets, email and other ad hoc mechanisms further raise the overall risk that the organization will not be able to respond in time and effectively.

RSA Archer Cyber Incident & Breach Response Program Management

RSA Archer Cyber Incident and Breach Response enables customers to centrally catalog organizational and IT assets, establishing the business context needed to drive incident prioritization, and to implement processes designed to escalate, investigate and resolve declared incidents effectively. This use case is designed for teams to work effectively through their defined incident response and triage procedures and to prepare for data breaches. Built-in workflows and reporting allow security managers to streamline processes while staying on top of the most pressing concerns. Issues related to a declared incident investigation can be tracked and managed in a centralized portal, enabling full visibility, stakeholder accountability and reporting. If an incident escalates into a data breach, prebuilt workflows and assessments are designed to help the broader business team work with your security team to respond appropriately.

With RSA Archer Cyber Incident and Breach Response, declared cyber and security events are escalated quickly and consistently, a crucial aspect of robust Integrated Risk Management programs. Advanced workflows and insights allow more efficient utilization of security team resources, resulting in faster response, analysis and closure rates for critical security incidents. With improved processes and capabilities, the security team can more effectively leverage existing infrastructure, such as SIEMs, log and packet capture tools and endpoint security technologies, to focus on the most impactful incidents. These capabilities improve the security team’s preparedness for serious incidents involving potential data breaches, while increasing the return on infrastructure investments and lowering overall security risk.
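Two ideas on this page fit together in one short worked example: deriving business context from what network monitoring and identity systems already know (the suggestion in the Riskicist’s Guide post above that we "let the systems tell us what is important"), and then using that context to decide which of an overwhelming number of SIEM alerts to work first (the incident prioritization described here). The code below is an added illustration and is not RSA Archer or RSA NetWitness code. Its inputs (a few flow summaries, application-to-business-function mappings, owner-declared data classifications and SIEM alerts) are constructed inline; the field names, the scoring thresholds and the choice to treat an uncatalogued host as medium rather than low criticality are assumptions made for the example.

```python
"""Added example: build business context from machine-generated inputs and use
it to prioritise security alerts. Not vendor code; every input below is
constructed for the example and the scoring thresholds are assumptions."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed flow summaries of the kind a network monitoring tool emits:
# (client host, server host, bytes transferred in the reporting period).
FLOWS = [
    ("ws-101", "erp-db-01", 5_200_000), ("ws-102", "erp-db-01", 4_800_000),
    ("ws-103", "erp-db-01", 6_100_000), ("ws-101", "wiki-01", 120_000),
    ("ws-104", "hr-app-01", 900_000), ("ws-105", "hr-app-01", 750_000),
]

# Constructed identity records: (application host, business function served,
# number of users entitled to it).
IDENTITY = [("erp-db-01", "Finance", 340), ("hr-app-01", "HR", 85),
            ("wiki-01", "Engineering", 12)]

# The one manual input kept: data classification declared by the asset owner.
DATA_CLASS = {"erp-db-01": "financial", "hr-app-01": "personal",
              "wiki-01": "internal"}

# Constructed SIEM alerts: (alert id, affected host, detection severity 1-5).
ALERTS = [("A-1", "wiki-01", 5), ("A-2", "erp-db-01", 2),
          ("A-3", "hr-app-01", 3), ("A-4", "lab-box-09", 2)]  # A-4: uncatalogued host

UNKNOWN_HOST_CRITICALITY = 3  # assumption: uncatalogued is medium, never low


@dataclass(frozen=True)
class AssetContext:
    host: str
    function: str    # business function, from identity data
    users: int       # entitled users, from identity data
    clients: int     # distinct client hosts seen on the network
    data_class: str  # owner-declared classification


def usage_context(flows):
    """Count distinct clients per server. A server many clients depend on
    carries more availability risk if it is lost."""
    clients = defaultdict(set)
    for client, server, _nbytes in flows:
        clients[server].add(client)
    return {server: len(hosts) for server, hosts in clients.items()}


def business_context(flows, identity, data_class):
    """Merge network usage, identity and classification into one record per host."""
    usage = usage_context(flows)
    ident = {host: (function, users) for host, function, users in identity}
    context = {}
    for host in set(usage) | set(ident) | set(data_class):
        function, users = ident.get(host, ("unknown", 0))
        context[host] = AssetContext(host, function, users, usage.get(host, 0),
                                     data_class.get(host, "unclassified"))
    return context


def criticality(asset):
    """Map context to a 1-5 criticality. Thresholds are assumptions for the
    example; a real programme would tune them against its own estate."""
    score = 1
    if asset.users >= 100:
        score += 2
    elif asset.users >= 25:
        score += 1
    if asset.clients >= 3:
        score += 1
    if asset.data_class in ("personal", "financial"):
        score += 1
    return min(score, 5)


def prioritise(alerts, context):
    """Rank alerts by detection severity x asset criticality, highest first.
    Returns (priority, alert id, host, severity, criticality) tuples."""
    ranked = []
    for alert_id, host, severity in alerts:
        asset = context.get(host)
        crit = criticality(asset) if asset else UNKNOWN_HOST_CRITICALITY
        ranked.append((severity * crit, alert_id, host, severity, crit))
    ranked.sort(key=lambda r: (-r[0], r[1]))
    return ranked


if __name__ == "__main__":
    ctx = business_context(FLOWS, IDENTITY, DATA_CLASS)
    for prio, alert_id, host, sev, crit in prioritise(ALERTS, ctx):
        print(f"{alert_id}: priority {prio:2d} (severity {sev} x criticality {crit}) on {host}")
```

Run as written, the severity-5 alert on the lightly used wiki host drops to the bottom of the queue while the severity-2 alert on the finance database rises to the top, which is the point of the exercise: the detection tool’s severity alone would have sent the analyst to the wrong host first. The uncatalogued host is neither ignored nor treated as trivial, because an asset nobody has inventoried is itself a finding worth a follow-up.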

     

For more information, please visit RSA.com and review the Datasheet.



RSA Archer Business Continuity & IT Disaster Recovery Planning



What is Business Continuity & IT Disaster Recovery Planning?

Business continuity (BC) and IT disaster recovery (DR) planning is defined as the development of strategies, plans and actions which provide protection or alternative modes of operation for those activities or business processes which, if they were to be interrupted, might otherwise bring about a seriously damaging or potentially fatal loss to the enterprise.

Why is Business Continuity & IT Disaster Recovery Planning important?

In today’s world, 24/7 service delivery requirements are putting greater pressure on business and IT resource availability, making it even more important to have effective recovery plans. Interruptions ranging from isolated infrastructure failures to natural disasters have the potential to cause serious harm to the organization’s finances and reputation. Unfortunately, recovery efforts are often chaotic, ad hoc and uncoordinated due to little or non-existent planning and to business recovery and IT disaster recovery teams working in silos.

Your continuity and recovery teams live in a world of regulatory saturation, with dozens of regulations, methodologies, maturity models, guidelines and laws. These authoritative sources affect how you implement and manage your business continuity programs. The demands from regulators for strengthened programs have increased, while the number and type of catastrophic man-made and natural disasters are on the rise, resulting in regulatory fines and penalties when an organization is unable to comply during a disruption.

Another challenge affecting the ability of companies to recover after a disruption is recovery plans kept in multiple, inadequate tools that don’t give management the visibility to quickly answer questions such as which business processes or IT infrastructure are missing recovery plans, or which plans have not been tested. Further, many IT disaster recovery teams work with an understanding of what is critical or most important to recover that differs from that of the business continuity teams. This results in an inability to align on and recover critical business and supporting IT infrastructure to deliver products and services according to recovery objectives.

     

RSA Archer Business Continuity & IT Disaster Recovery Planning

The RSA Archer Business Continuity & IT Disaster Recovery Planning use case addresses the problems outlined above through key features that include:

  • Centralized location, templates, workflow, and review and approval processes for developing standardized business continuity and IT disaster recovery plans built around best practices and industry standards
  • Project management capabilities to help drive the entire lifecycle of continuity planning, from plan development, to testing, to continuous improvement
  • Dashboards and reports that provide visibility into the current status of the organization’s plans, review dates, test results and remediation status
  • Workflows and reporting that enable coordination between business continuity, IT DR and crisis teams

With RSA Archer Business Continuity & IT Disaster Recovery Planning, you will be able to:

  • Improve your response to disruptions, which can reduce the impact on revenue, brand and customer loyalty, and on the availability of products and services for customers, employees and third parties
  • Implement a consistent and coordinated planning process and methodology for business and IT, supported through one central tool
  • Increase the trust of senior management, the board, regulators and employees with higher-quality, tested recovery plans
  • Ensure plans are aligned with the organization’s priorities and include the most critical processes and company assets
  • Coordinate information, priorities and objectives among business continuity, IT disaster recovery and crisis teams, and responders, enabling better focus on the right priorities in the event of a disaster

     

RSA Archer Business Continuity & IT Disaster Recovery Planning is one element of Integrated Risk Management. This use case provides a coordinated, consistent and automated approach to business continuity and IT disaster recovery planning and execution, allowing you to respond swiftly in crisis situations to protect your ongoing operations. As your company drives business growth with new initiatives, technology adoption or market expansion, your program must evolve and manage risk with more agility and integration than before. Managing recovery planning is one ingredient in building resiliency across the organization and reducing risk.

RSA Archer can help your organization manage multiple dimensions of risk on one configurable, integrated software platform. With RSA Archer solutions, organizations can efficiently implement risk management processes using industry standards and best practices and significantly improve their business risk management maturity.

For more information, visit RSA.com or read the Datasheet.



New 200TB Fast Track Solution Proves Dell EMC is the Go-To Platform for SQL Server Success



Dell EMC now offers the LARGEST, SMALLEST and MOST array-based solutions in Microsoft’s SQL Server Fast Track catalog – what else would you expect from the leader in midrange storage? Today’s business thrives on a steady diet of data – and Microsoft SQL Server is one of the premier technologies helping companies of all sizes capitalize on the value of that data, delivering real-time operational intelligence to create competitive advantage in nearly every industry. Some assembly required? But before you can achieve the benefits of SQL Server, you’ll need more than just software – an entire … READ MORE




4 Ways PowerEdge MX Simplifies IT for VMware Environments



Every day, we hear about the need for IT modernization and transformation, but which high-tech companies today are providing meaningful solutions to drive IT simplification, efficiency, scalability and automation for the software-defined data center? Dell EMC and VMware. Sure, PowerEdge is the world’s #1 server1, and when paired with the world’s #1 vendor of enterprise virtualization2 and HCI software,3 the duo sounds promising. But what are they doing to help empower IT to lead the business? The answer includes close collaboration around Dell EMC PowerEdge MX, the modular infrastructure solution designed with kinetic infrastructure. PowerEdge MX … READ MORE




Simplified Converged Infrastructure Operations: 10 Things to Know About VxBlock Central



The demand for increased automation and clouds, where converged infrastructure (CI) plays a vital role, creates an opportunity for partners. Customers want more value from their CI investment and are looking to improve management, simplify operations and provide a path to a cloud operating model. The introduction of VxBlock Central software can help partners deliver the solution customers want. VxBlock Central brings enhanced system-level awareness, automation and analytics to VxBlock Systems, and significant sales opportunities for partners. Ready to make the most of this product introduction and the converged opportunity? Here are 10 key things to … READ MORE


