Archer Strategic Risk Management

Management at all levels of an organization struggles to proactively identify when risks impact the execution of the organization's strategy. Management must relate strategic risks to their strategies and know when to implement action plans that minimize risks and monitor the performance of those action plans. Strategic Risk Management is a business discipline that involves identifying, assessing, and managing risks and uncertainties, affected by internal and external events or scenarios, that could inhibit an organization's ability to achieve its strategy, strategic objectives, and execution.

Overview of Archer Strategic Risk Management

About Archer Strategic Risk Management

Strategic Risk Management can potentially identify situations in which risk can be a competitive advantage instead of a threat to the strategic plan. Strategic Risk Management encompasses the interdisciplinary intersection of strategic planning, risk management, and strategy execution in managing risks and seizing opportunities. This protects against losses and reduces uncertainties, enabling better performance in achieving the organization’s objectives and greater resilience in an uncertain environment.

Strategic risks may include:

  • Shifts in consumer demand and preferences

  • Legal and regulatory change

  • Competitive pressure

  • Merger integration

  • Technological changes

  • Senior management turnover

  • Stakeholder pressure

By monitoring strategic risks within an organization, management can be prepared and proactively define plans to minimize the impacts to the organization, should the risks exceed the organization's tolerance.

Key features and benefits

Archer Strategic Risk Management App-Pack provides:

  • Consistent and repeatable process for identifying and mitigating strategic risk

  • Strategic risk alignment with the organization's risk tolerance

  • Understanding of the level of preparedness against risks that impact the organization

  • A minimized strategic risk for successful strategy execution

Key terminology

Application: Database that stores a specific type of data record, for example, policies, assessments, assets, threats, vulnerabilities, and controls.

Authorized User: A user who has logged into the system and has a right to perform some operation. The system knows the identity and permissions granted to this individual.

Cross-Reference: A field type that allows users to create associations between records in the same application (internal references) or records in two separate applications (external references). By adding a cross-reference to an application, the system automatically adds a Related Record field.

Dashboard: With reports defined and saved in the inventory of system reports, those identified as Global Reports can be added to dashboards. Each dashboard can include one of many reports in the format they were saved.

Notifications: Emails sent from Archer to Users or Groups, based on a schedule or a change in the record status.

Record: A collection of field values, stored within applications, sub-forms, or questionnaires. 

Report: Saved search criteria that can be run again later. In Archer, the construct for reports is a combination of a query and its related output presentation options. The data returned is filtered by a user permission, allowing users to see only the data for which they have been granted access. 

Sub-Form: For one application, administrators can develop multiple sub-forms to hold all related data. Sub-forms can be shared across applications; however, changing a sub-form affects all applications using that sub-form. 

Task: Action items that have been assigned to a user in relation to the Support Request. 

User: Any person who uses and is registered within the system. In this guide, the user is assumed to be an employee using Archer Support Requests.

User Profile: Preferences of the registered user that are saved within the system.

Workspace: Display mechanism that provides the user with a way to access their data.

Prerequisites (ODA and system requirements)

| Components | Recommended Software |
|---|---|
| Operating System | Windows Server 2012 R2 |
| Database Server | Microsoft SQL Server 2014 (64-bit) |
| Services Server | Java Runtime Environment (JRE) 8 (64-bit) |
| Archer | Archer 6.5 P2 and later |

On-Demand Licenses

The Archer Strategic Risk Management App-Pack requires one (1) On-Demand Application license and one (1) Questionnaire.

Pre-Requisite Applications

Requirements for the installation and operation of Archer Strategic Risk Management include the following use cases:

  • Findings – (Archer Issues Management)

  • Exception Requests – (Archer Issues Management)

  • Remediation Plans – (Archer Issues Management)

The following applications are optional:

  • Control Procedures

  • Business Unit

  • Business Process

  • Strategies

  • Risk Register

  • Corporate Objectives

Compatible Use Cases and Applications

Related Applications

| Application | Use Case | Primary Purpose(s) of the Relationship |
|---|---|---|
| Strategies | Archer Strategic Planning App-Pack | To relate strategic risks to organization strategies and know when to implement action plans that can minimize the risks related to strategies. |
| Control Procedures | Archer IT Controls Assurance, Archer Information Security Management System, Archer PCI Management, Archer IT Risk Management, Archer Controls Assurance Program Management, Archer Data Governance, Archer Top-Down Assessment, Archer Federal Assessments & Authorization | To relate controls that will be applied to reduce the strategic risk. |
| Business Unit | Archer Issues Management, Archer Business Impact Analysis, Archer Third Party Catalog, Archer Policy Program Management, Archer Cyber Incident & Breach Response, Archer Key Indicator Management, Archer IT Asset Catalog **, Archer Business Asset Catalog **, Archer Federal Assessments & Authorizations, Archer Federal Continuous Monitoring | To relate Business Units that will be affected by the strategic risk. |
| Business Process | Archer Audit Engagements & Workpapers, Archer Business Impact Analysis, Archer IT Risk Management, Archer Controls Assurance Program Management, Archer Data Governance, Archer Top-Down Assessment, Archer Policy Program Management, Archer IT Controls Assurance, Archer Business Asset Catalog **, Archer Risk Assessment Management, Archer Federal Assessments & Authorizations, Archer Federal Continuous Monitoring | To relate processes that will be affected by the strategic risk. |
| Risk Register | Archer Information Security Management System, Archer IT Risk Management, Archer Risk Catalog, Archer Top-Down Assessment | To relate strategic risk to risks. |
| Corporate Objectives | Archer Policy Program Management, Archer Controls Monitoring Program Management, Archer Business Asset Catalog, Archer Operational Risk Management | To relate corporate objectives that will be affected by the strategic risk. |

Archer Strategic Risk Management components

Architecture diagram

The following diagram shows the relationship between the applications in Archer Strategic Risk Management.

Swim Lane diagram

The following diagram shows the general workflow of the App-Pack.

Applications

The following table describes the applications in Archer Strategic Risk Management.

| Application | Description |
|---|---|
| Strategic Risk | The Strategic Risk application documents all the information when a strategic risk is identified, captures an overview of the strategic risk assessment, and findings and remediation plans resulting from the assessment. |
| Strategic Risk Assessment | The Strategic Risk Assessment is a questionnaire used to determine the likelihood and impact of the risk and the level of preparedness. Controls can be referenced, if available, to minimize the risk. |

Personas and Access Roles

The following table describes the functions that make up the application’s organization roles. Depending on the organization of your company, these functions and responsibilities may vary.

| Persona | Description | How many (per Information System)? | Optional / Required |
|---|---|---|---|
| Strategic Risk Manager | Responsible for identifying the strategic risk, conducting risk assessment, evaluating the organization’s level of preparedness, approving action plans, and monitoring and communicating results. This could be someone mandated from the Board, Risk Management, or another division. | Can be more than one | Required |
| Strategies Manager | Responsible for working with the appropriate teams to develop and implement action plans. This could be someone who owns or executes a strategy. | Can be more than one | Optional |

Permissions chart

| Applications | SRM: Risk Manager | SRM: Strategies Manager | SRM: Read Only |
|---|---|---|---|
| Strategic Risk | CRU | R | R |
| Strategic Risk Assessment | CRU | R | R |
| Findings | CRU | RU | R |
| Remediation Plans | CRU | CRU | R |
| Exception Requests | CRU | CRU | R |
| Strategies | R | R | R |
| Control Procedures | R | R | R |
| Risk Register | R | R | R |
| Corporate Objectives | R | R | R |
| Business Unit | R | R | R |
| Business Process | R | R | R |

C = Create, R = Read, U = Update, D = Delete

Users should at least have read access at record level for the applications related to Strategic Risk.

Installing Archer Strategic Risk Management

Task 1: Prepare for the installation

  1. Ensure that your Archer system meets the following requirements:

    • Archer Platform version 6.5 P2 or above

  2. Download the ODA install package from the Archer Exchange at https://community.rsa.com/community/products/archer-grc/exchange/documentation-downloads.

  3. Read and understand the "Packaging Data" section of the Archer Help.

Task 2: Install the package

Installing a package requires that you import the package file, map the objects in the package to objects in the target instance, and then install the package. See “Installing the Application Package” for complete information.

Task 3: Test the installation

Test the Archer Strategic Risk Management App-Pack according to your company standards and procedures, to ensure that it works with your existing processes.

Installing the Archer Strategic Risk Management package

Task 1: Back up your database

There is no Undo function for a package installation. Packaging is a powerful feature that can make significant changes to an instance. Archer strongly recommends backing up the instance database before installing a package. This process enables a full restoration if necessary.

An alternate method for undoing a package installation is to create a package of the affected objects in the target instance before installing the new package. This package provides a snapshot of the instance before the new package is installed, which can be used to help undo the changes made by the package installation. New objects created by the package installation must be manually deleted.

Task 2: Import the package

  1. Go to the Install Packages page.

    1. From the menu bar, click Admin menu.

    2. Under Application Builder, click Install Packages.

  2. In the Available Packages section, click Import.

  3. Click Add New, then locate and select the package file that you want to import.

  4. Click OK.

The package file is displayed in the Available Packages section and is ready for installation.

Task 3: Map objects in the package

  1. From the menu bar, click Admin menu > Application Builder > Install Packages.

  2. In the Available Packages section, locate the package you want to map.
  3. In the Actions column, click Map package for that package.

    The analyzer examines the information in the package. The analyzer automatically matches the system IDs of the objects in the package with the objects in the target instance and identifies objects from the package that are successfully mapped to objects in the target instance, objects that are new or exist but are not mapped, and objects that do not exist (the object is in the target but not in the source).

    When the analyzer is complete, the Advanced Package Mapping page lists the objects in the package file and corresponding objects in the target instance.

  4. On the Advanced Mapping page, click to open each category and review the icons next to each object to determine which objects you must map manually.
    The following table describes the icons.

    | Icon | Name | Description |
    |---|---|---|
    | Awaiting mapping review | Awaiting Mapping Review | Indicates that the system could not automatically match the object or one of its children to a corresponding object in the target instance. Objects marked with this icon must be mapped manually. New objects should not be mapped. Select Do Not Map from the drop-down menu to clear this icon for an individual object, or click Do Not Map to clear the icon for all unmapped objects. |
    | Mapping completed | Mapping Completed | Indicates that the object and all children are mapped to objects in the target instance, or that they have been marked as Do Not Map. Nothing more needs to be done with these objects in Advanced Package Mapping. |

    Note: You can run the mapping process without mapping all objects. The Awaiting mapping review icon is for informational purposes only.

  5. For objects awaiting mapping review, do one of the following:
    • To map each object individually, use the drop-down menu in the Target column to select the object in the target instance to which you want to map the source object. To leave an object unmapped, select Do Not Map in the Target column.
    • To automatically map all objects in a category that have different system IDs but the same object name as an object in the target instance, click Auto Map. Select whether to ignore case and spaces when matching object names. Click OK.
    • To mark all unmapped objects as Do Not Map, click Do Not Map.
  6. (Optional) Click Filter to enable filter fields that you can use to find specific objects in each mapping category. To undo your mapping selections, click Undo, then select whether to undo all mappings in the category or only the mappings on a single page. If you choose to undo all mappings, you will be returned to the categories list.

  7. (Optional) To save your mapping selections and return to the categories list without committing changes to the target instance, click RSA.
  8. After you review and map all objects, click Execute.
  9. Select I understand the implications of performing this operation. Click OK.

    When the mapping is complete, the Import and Install Packages page displays.

    Important: Advanced Package Mapping modifies the system IDs in the target instance. You must update any Data Feeds and Web Service APIs that use these objects with the new system IDs.

Task 4: Install the package

All objects from the source instance are installed in the target instance unless the object cannot be found or is flagged to not be installed in the target instance. A list of conditions that may cause objects not to be installed is provided in the Log Messages section. A log entry is displayed in the Package Installation Log section.

  1. Go to the Install Packages page.

    1. From the menu bar, click Admin menu.

    2. Under Application Builder, click Install Packages.

  2. In the Available Packages section, locate the package file that you want to install, and click Install.

Note: Items in the package that do not match an existing item in the target instance are selected by default. All reports will be matched by default. Uncheck the checkbox beside a report to deselect it.

  3. In the Configuration section, under Install Method, select an option for each selected component. To use the same Install Method for all selected components, select a method from the top-level drop-down list.

Note: If you have any existing components that you do not want to modify, select Create New Only. You may have to modify those components after installing the package to use the changes made by the package.

  4. In the Configuration section, under Install Option, select an option for each selected component. To use the same Install Option for all selected components, select an option from the top-level drop-down list.

Note: If you have any custom fields or formatting in a component that you do not want to lose, select Do not Override Layout. You may have to modify the layout after installing the package to use the changes made by the package.

  5. To deactivate target fields and data-driven events that are not in the package, in the Post-Install Actions section, select the Deactivate target fields and data-driven events that are not in the package checkbox. To rename the deactivated target fields and data-driven events with a user-defined prefix, select the Apply a prefix to all deactivated objects checkbox, and enter a prefix. This can help you identify any fields or data-driven events that you may want to review for cleanup post-install.

  6. Click Install.

  7. Click OK.

Task 5: Review the package installation log

  1. Go to the Package Installation Log tab of the Install Packages page.

    1. From the menu bar, click Admin menu.

    2. Under Application Builder, click Install Packages.

    3. Click the Package Installation Log tab.

  2. Click the package that you want to view.

  3. In the Package Installation Log page, in the Object Details section, click View All Warnings.

  4. Manually activate Advanced Workflow by clicking the Active button in the Advanced Workflow tab of the Archer Strategic Risk Management application.

  5. If users do not have the Strategies application (Archer Strategic Planning App-Pack), move the Strategy Owners field off the layout and inactivate it.

Using Archer Strategic Risk Management

Task 1: Create strategic risk record

Users: Strategic Risk Manager

  1. Enter Strategic Risk, Description, Strategic Risk Categories, Priority, Review Frequency in the General Information section.

  2. Enter Stakeholders and Strategies Manager, if available, in the Stakeholders section.

  3. Provide any other necessary details.

  4. To save the strategic risk profile, click the Save button in the top left of the screen. At this stage, the profile is created and the Strategic Risk Manager will have to perform the risk assessment.

Task 2: Generate strategic risk assessment

Users: Strategic Risk Manager

  1. To generate the Strategic Risk assessment, click on the Generate Risk Assessment button at the top left of the screen.

  2. Once the Strategic Risk assessment is generated, it can be accessed through the Strategic Risk Assessment section of the Risk Assessment tab. At this point, the Assessment Status is Not Started.

Task 3: Complete risk rating

Users: Strategic Risk Manager

  1. Edit the Strategic Risk record.

  2. Enter Inherent Impact, Inherent Likelihood, Residual Impact, and Residual Likelihood in the Strategic Risk Assessment section of the Risk Assessment tab.

  3. Click on the Save Changes button at the top of the page or the Save button at the end of the row in the Strategic Risk Assessment section.

  4. Click on Save in the Strategic Risk record.

  5. Inherent and Residual Risk values from the latest assessment will be populated in the Strategic Risk Summary section. The Assessment Status in the Assessment Summary section of the Risk Assessment tab will change to In Progress.

Task 4: Assess level of preparedness

Users: Strategic Risk Manager

  1. Edit the strategic risk record.

  2. Provide a status for SR: Analysis Completed in the Strategic Risk Assessment section under the Risk Assessment tab.

    1. Select status N/A, if risk analysis is not required.

    2. Select status In Progress, if risk analysis is in progress.

    3. Select status Complete, if risk analysis is complete.

    4. Click on the Save Changes button at the top of the page or the Save button at the end of the row in the Strategic Risk Assessment section.

  3. Provide a status for SR: Responsibilities Defined in the Strategic Risk Assessment section under the Risk Assessment tab.

    1. Select status N/A, if not required.

    2. Select status In Progress, if the board is still being briefed.

    3. Select status Complete, if responsibilities have been defined.

    4. Click on the Save Changes button at the top of the page or the Save button at the end of the row in the Strategic Risk Assessment section.

  4. Provide a status for SR: Board Briefed in the Strategic Risk Assessment section under the Risk Assessment tab.

    1. Select status N/A, if not required.

    2. Select status In Progress, if the responsibilities are being defined.

    3. Select status Complete, if the board has been briefed.

    4. Click on the Save Changes button at the top of the page or the Save button at the end of the row in the Strategic Risk Assessment section.

  5. Provide a status for Remediation Plan Created in the Strategic Risk Assessment section under the Risk Assessment tab.

    1. Select status N/A, if a remediation plan is not required.

    2. If a remediation plan is required for the strategic risk,

      1. Click on Add New or Look Up at the right corner of the Findings section in the Related Findings tab. When adding a new finding, assign the Strategies Manager in the Assigned To field of the finding. The Strategies Manager is responsible for creating a remediation plan.

      2. Select status In Progress, if the remediation plan is under development.

    3. Select status Under Review, if the remediation plan is Awaiting Review from the Strategic Risk Manager.

    4. Select status Complete, if the remediation plan has been Approved or Rejected.

    5. Click on the Save Changes button at the top of the page or the Save button at the end of the row in the Strategic Risk Assessment section.

  6. Level of Preparedness from the latest assessment will be populated in the Level of Preparedness section.

  7. If Risk Ratings, SR: Analysis, SR: Board Briefed, SR: Responsibilities Defined and Remediation Plan Created are complete, then the Assessment Status will change to Complete.

Note: Findings and Remediation Plans utilize the out-of-the-box workflow. In addition, to relate Findings to Strategies through the Archer Strategic Planning App-Pack, create a cross-reference to the Strategies application and add it to the Findings layout.

Task 5: Monitor remediation execution

Users: Strategic Risk Manager

  1. Provide a status for Remediation Plan In Execution in the Strategic Risk Assessment section under the Risk Assessment tab.

    1. Select status N/A, if a remediation plan was not required.

    2. Select status In Progress, if the remediation plan is in execution.

    3. Select status Complete, if the remediation plan has been executed.

  2. Click on the Save Changes button at the top of the page or the Save button at the end of the row in the Strategic Risk Assessment section.

Task 6: Overall recommendation

Users: Strategic Risk Manager

  1. To provide an Overall Recommendation regarding the Strategic Risk in scope:

    1. Edit the Strategic Risk record.

    2. Complete the Overall Recommendation in the Level of Preparedness section.

    3. Click Save.

  2. To export the Overall Recommendation Report:

    1. Click on Export at the top right corner of the Strategic Risk record page.

    2. Click on the Archer Strategic Risk Overall Recommendation report.

Task 7: Re-assess strategic risk

Users: Strategic Risk Manager

  1. Click on the Generate Strategic Risk Assessment button at the top right corner of the page.

  2. Once the strategic risk assessment is generated, it can be accessed through the Strategic Risk Assessment section of the Risk Assessment tab. The Assessment Status is Not Started.

Troubleshooting guidelines

  • If users do not have any of the optional applications, they would receive warnings related to those modules. Users can ignore those warnings or take action if required. The App-Pack’s operation will not be affected due to these warnings/errors.

For example, the following are a few warnings/failures that might be observed if users do not have the Strategies application (Archer Strategic Planning App-Pack):

  1. Warning for Access Roles “SRM: Risk Manager”, “SRM: Strategies Manager”, “SRM: Read Only”: Access rights to the following page could not be configured due to missing module: Strategies.

  2. Minor failure for report Strategic Risks by Strategies: Strategic Risks by Strategies report could not be created. There are no display fields for this report.

  3. Minor failure for Impacted Strategies: Field Impacted Strategies could not be saved due to inability to identify the related module.

  4. Warnings for reports: Warnings regarding missing Impacted Strategies field or fields from Strategies application (Category, Priority, Strategy, Status and Strategy owner fields) from RSA Archer Strategic Planning App-Pack.

  5. Warning for Inherited User/Group field Strategy Owners: Strategy Owner was not found in the target instance and was removed from field: Strategy Owners.

  • If users do not have any of the optional applications, the following changes can be made post-installation to keep the layout neat:

  1. If Strategies is not available:

    1. Move Strategic Owner off layout in the Default layout of the Strategic Risk application.

    2. Remove iView: Strategies affected by Strategic Risk from the Strategic Risk Manager Dashboard.

    3. Remove report My Strategic Risk by Residual Risk and Strategies from My Strategic Risk Summary iView in Strategies Manager.

    4. Remove the Impacted Strategies section from the Archer Strategic Risk Overall Recommendation Report Mail Merge template.

  2. If Business Unit is not available:

    1. Remove the Strategic Risks by Business Unit iView from the SRM: Executives Dashboard.

  3. If Control Procedures are not available:

    1. Remove the Strategic Risk and Related Controls iView from the SRM: Executives Dashboard.

    2. Remove the Related Controls section from the Mail Merge template.