At the big user conference last week in Nashville for RSA Archer, the market leading GRC solution, the loud and clear message from center stage was that the future of risk management belongs to risk quantification, the FAIR model and Integrated Risk Management (IRM).
- RSA Archer announced last March its Archer/RiskLens integration to bring FAIR analysis into the tool that’s industry leading for tracking governance, risk and compliance (GRC).
- Integrated Risk Management is the concept that the influential tech consultancy Gartner has been pushing for two years as the next evolutionary step up from the GRC approach, and that RSA is now adopting within Archer.
- In June, Gartner named quantitative risk analysis as one of the five critical capabilities of IRM.
“Thank you, thank you, thank you” to Gartner for reinventing GRC as IRM, RSA President Rohit Ghai said in his keynote speech to the conference (and for including RSA Archer in Gartner’s first Magic Quadrant of recommended products for IRM). Ghai said that IRM answers a fundamental problem in cyber risk management: “Organizations feel grossly underprepared to manage digital risk because it requires cross-domain competencies.”
“When we say IRM, we mean a business-driven, agile strategy to not only connect multiple domains of risk but to also connect strategic risk with operational business transactions,” added David Walter, Vice President of RSA Archer, in the second keynote.
And that leads straight to FAIR. As RSA Archer Principal Product Manager Corey Carpenter said, for IRM to work, “we need a Rosetta Stone that ensures we are all speaking the same language. In this case, that is the FAIR approach to risk quantification and the RSA Archer/RiskLens integration…FAIR is the industry standard that is repeatable and defensible and consistent in (expressing risk in) a scale that everyone understands: money.”
The current RSA Archer/RiskLens integration is just a start, Carpenter said. “In the next year, you will see a more seamless integration of RSA Archer/RiskLens with the inclusion of scoping data and more analysis. Additionally, we want to extend this capability to other risk disciplines: vendor risk, compliance, operational risk.”