CONFIDENTIAL Archer Enterprise & Operational Risk Management Maturity Model - PowerPoint Presentation

Uploaded by callie (@callie) on 2023-10-04



Presentation Transcript

1. CONFIDENTIAL - Archer Enterprise & Operational Risk Management Maturity Model

Maturity stages (Siloed -> Transition -> Managed -> Transform -> Advantaged):

Stage 1 (Siloed)
  Reporting is: Incomplete
  Processes are: Isolated
  Focus is: Compliance

Stage 2 (Transition)
  Reporting is: Fragmented
  Processes are: Consistent
  Focus is: Effective Processes

Stage 3 (Managed)
  Reporting is: Coordinated
  Processes are: Defined
  Focus is: Risk

Stage 4 (Transform)
  Reporting is: Balanced
  Processes are: Measured
  Focus is: Business Awareness

Stage 5 (Advantaged)
  Reporting is: Enterprise wide
  Processes are: Optimized
  Focus is: Business Opportunity

As organizations develop Integrated Risk Management (IRM) and compliance capabilities, the natural push to build a cohesive program drives IRM functions to look at opportunities to leverage processes, share data and streamline efforts. The Archer® IRM Maturity Model outlines the key capabilities necessary to support an organization's journey from siloed, reactive, compliance-driven processes to an integrated, risk-centric IRM program.

Use cases and related use cases placed along the maturity path:

- Risk Inventory / Top-Down Risk Assessment: Risk Hierarchy & Risk Register
- Loss Event Management: Loss Event Catalog + Root Cause Analysis
- Key Indicator Management: KRIs + Reporting
- Issues Management: Findings + Remediation Plans
- Enterprise Risk Management: Risk Catalog
- Bottom-Up Risk Assessment: Manual assessments, Risk issues, Executive Risks
- Operational Risk Management: RCSAs, pRCSAs (Key Drivers: Loss Events, Metrics, Risk Assessments)
- Business Change Risk
- Third Party Governance
- Control Assurance Program Management
- IT Risk Management
- BC/DR Management
- Audit Planning

2. CONFIDENTIAL - Archer Enterprise & Operational Risk Management Maturity Model

Use Case: Risk Catalog
  Questions to Consider:
  - Do you have a consolidated list of risks to your organization?
  - Do you know the risks that support the enterprise-wide risk statements you make in public filings (10-Q/K), if applicable?
  - Are you able to assign accountability for risks throughout the organization?
  Key Features:
  - Catalog all of the organization's risks in one central location, creating a system of record
  - Create a risk roll-up from granular risk statements to enterprise risk statements
  - Establish accountability for named risks by individual and business unit

Use Case: Top-Down Risk Assessment
  Questions to Consider:
  - Do you have centralized risk and control registers?
  - Are you able to assign accountability for individual risks and controls, and are these individuals aware of their accountability?
  - Does management at all levels of the organization have a view into all of the risks and controls they are responsible for?
  Key Features:
  - Consolidated view of risks and internal controls within the organization
  - Named accountability for individual risks and controls
  - Consistent terminology, risk assessment methodology, and rating scales

Use Case: Loss Event Management
  Questions to Consider:
  - How does your organization track and learn from loss events, near misses, and relevant external loss events?
  - Do you have any centralized view of loss events by frequency and impact, by source and responsible area?
  - How do you establish ownership for loss events?
  Key Features:
  - Consolidated loss event catalogue
  - Root Cause Analysis
  - Review and approval of loss events by key stakeholders
  - Visibility into aggregate losses by type, source, and area of ownership

Use Case: Key Indicator Management
  Questions to Consider:
  - How does your organization know if risk is increasing or controls and objectives are deteriorating?
  - Do you have a program to utilize key indicators in the management of objectives, risks, and internal controls?
  Key Features:
  - Consolidated key indicator management process
  - Key indicators provide early warning of changes in risk, control procedures, corporate objectives or other framework elements such as business processes, and products and services

Use Case: Bottom-Up Risk Assessment
  Questions to Consider:
  - How does your organization perform risk assessments of special projects like new products and services, business processes, and mergers and acquisitions?
  - How does your organization perform risk assessments when fraud events arise?
  - How do you query business owners to identify possible risks?
  Key Features:
  - Consistent approach to identification and assessment of project-related risks
  - Consolidated list of prioritized risk treatments and remediation plans

Use Case: Operational Risk Management
  Questions to Consider:
  - How does your organization capture and track operational risks and controls?
  - Do you have a way to easily engage management in risk and control self-assessments?
  - Do you track, categorize, and report on operational loss events, near misses, and relevant external loss events?
  - Do you have a key indicator program in place to identify changes in risk and deterioration in control procedures?
  - Are you able to provide Executive Management and the Board a consolidated view of Operational Risk?
  Key Features:
  - Consolidated view into risks and controls and how they are related
  - Engagement of the 1st Line of Defense in risk and control assessment (CSA, RCSA, pRCSA) and the 2nd Line of Defense in the vetting and challenge process
  - Consolidated view of actual losses, near misses, and relevant external loss events
  - Robust key indicator management program

Other use cases to consider:
- Third Party Governance: Extend your operational risk management program to address inherited risks from 3rd and 4th parties.
- Controls Assurance Program: Add control testing and control assurance to documented control procedures to obtain ongoing evidence of the design and effectiveness of the organization's internal controls. (RCCM)
- IT Risk Management: Extend your operational risk management program to incorporate operational risk from IT activities, including operational risks such as asset administration, privacy and information security. (IT&SRM)
- Audit Planning: Provides your internal audit team with a planning, engagement management, and work paper solution that leverages information directly from other use cases managed in RSA Archer. (Audit Management)
- Business Continuity/Disaster Recovery Management: Prepare for business disruptions and ensure business operations (Business Resiliency)