The RSA Archer Business Risk Management Reference Architecture

Jan 30, 2018 | by Steve Schlarman

Risk today is a complex problem for any enterprise. Regardless of your industry, your business model or your mission, risk comes in all forms and no risk stands alone. A security breach can become a compliance violation, which can become a public relations mess, which can become a hit to the bottom line. The web of risk is undeniable. Twenty years ago a security vulnerability on some desktop couldn’t lead to an executive losing his or her job and a drop in stock price, but today it can – and has – happened. A localized event on the other side of the world rarely affected an entire business, but it can – and has – happened. Risk management must be approached with a holistic, integrated strategy.

In 2013, RSA Archer published a GRC Reference Architecture outlining the many layers of a GRC program. We recently updated this publication to reflect today’s need for integrated business risk management. The RSA® Archer® Business Risk Management Reference Architecture is a high-level visual representation of the framework an organization needs in order to understand and manage risk and compliance obligations across the enterprise.

When building your own approach to risk management, some key objectives must be folded into your strategy:

Depth and Breadth. Business risk management requires several disciplines working together in a flexible framework that reaches deep into the organization to fulfill the changing needs of today’s modern enterprise.

Adaptable. The Business Risk Management architecture must be adaptable in order to evolve as the business evolves.

Unified. Related and common business risk management activities must be layered into a cohesive approach that allows for flexibility to meet business needs while maintaining an integrated front against risk. 

Automated. Automation comes in many forms – from correlating business data into consolidated views to automating risk and compliance management processes. 

Correlation. Connecting the dots between correlated business elements is essential to understanding critical interdependencies and the holistic business context of risk and compliance obligations.

End-to-End. For a Business Risk Management program to be truly effective, risk and compliance management initiatives need to be viewed from start to finish.

Easy to Use. The Business Risk Management architecture must clarify key concepts to stakeholders in terms they understand to make tasks actionable and clear.

These elements underpin any integrated approach, and the RSA Archer Business Risk Management Reference Architecture illustrates the components necessary to help management and the board fulfill their governance obligations. The illustration can help you articulate risk management strategies, including the many different levels and objectives of the initiative, giving context for the high-level vision. Business risk management is a means to an end, not the end itself. Management and the Board of Directors are focused on making decisions that increase the likelihood that the organization will reach its desired outcome. The RSA Archer Business Risk Management Reference Architecture is meant to give risk, compliance and security practitioners a starting point when working through their own organization’s complex strategy toward an integrated approach to risk management.

# # #

Learn more about this important tool to depict your integrated risk management strategy and download the RSA Archer Business Risk Management Reference Architecture.

Author: Steve Schlarman

Category: RSA Fundamentals, Blog Post

Keywords: GRC, RSA Archer, Risk Management, Business Risk Management, Compliance, IT Risk Management, Operational Risk Management