Summary
Archer announces the general availability of Archer Insight with enterprise-wide risk quantification capabilities which improve the prioritization of risks and controls. Archer's implementation offers real enterprise risk quantification. Other quantification tools are decoupled from GRC and existing risk inventories, or have a narrow focus on cyber only.
Platforms
Available to SaaS (software as a service), and on-premises customers on Archer Platform Version 2024.06 and later.
Details
Archer Insight has reinvented the process for facilitating risk managers in moving from qualitative to quantitative risk management programs. The Risks application, formerly known as Risk Register, contains process updates for creating, managing, and aggregating financial expected loss for quantitative risks. Organizations can analyze meaningful, aggregated risk exposure across existing hierarchy structures such as assets, regions, divisions, functions, etc. Archer Insight provides an intuitive and robust user-interface offering risk managers 3 options for assessing risks:
Actual - actual state of a risk without knowing the specific control environment. Actual assessment alleviates the process to provide specific controls that differentiate uncontrolled (inherent) rates and impacts versus the actual rates and impacts. Requires minimal input of an actual rate of occurrence for a risk event. Actual rate is leverage to define a probability distribution, indicating the probability for different number of annual occurrences for the risk event. Users also provide minimal inputs for both economic and non-economic consequences of a risk event which are then utilized to calculate the annualized expected loss.
Inherent / Actual – comparison of inherent and actual state of a risk without knowing the specific control environment. With this assessment approach, a user provides both an actual and inherent rate for the risk event, where Insight then calculates the value of collective controls, still without providing specifics for the control environment. Both the inherent and actual rates are leveraged to define a probability distribution, indicating the probability for different number of annual occurrences for the risk event. And users continue to provide minimal inputs for both economic and non-economic consequences of a risk event which are then utilized to calculate the annualized expected loss.
Control Specification - comparison of inherent, actual, and full state of a risk, by indicating specifics about the control environment. The Control Specification assessment provides visibility into the effectiveness and value that each control contributes to preventing the risk occurrence or mitigating its impacts. With this assessment, we also consider the lifecycle and testing of the controls allowing for easy comparison of the risk impact in three control environments: fully functional controls, actual current state, and completely uncontrolled.
The concept of a Lifecycle Status has been added to control procedures to facilitate workflows around the lifecycle of a control. And by leveraging the combination of the Lifecycle Status and the Compliance status, we determine an actual control value. Users assess the aggregate control values and the control costs to understand each control’s full return on investment (ROI) in managing risks.
The Insight feature also provides visualization of full uncertainty around economic losses leveraging the common downside metrics of VaR and CVaR. Additionally, it provides the ability to aggregate the downside uncertainties to any level of any risk quantification hierarchy. The Insight UI uses an analytical convolution methodology for robust aggregation calculations, rendering the feature much faster than a Monte Carlo analysis.
The value these capabilities provide for Risk Managers includes:
Ability to track downside losses as well as (expected) average losses. Ensures control optimization doesn’t compromise downside outcomes
Provides full risk picture and motivates informed conversation about risk appetite – how much can you save on expected costs + losses while protecting your downside and ensuring manageable downsides
Provides investor confidence in downside outcomes
The Risk Statements application, formerly known as the Risk Register Library, not only continues to serve as a template for risk generation, but now also functions as an additional aggregation level for both qualitative and quantitative risks. Risks are now truly an instantiation of the Risk Statement.
A new Risk Generator application has been also added which allows users to quickly generate multiple Risks records, based on the combination of selected Risk Statements and target applications. A risk is generated per unique combination of statement and target upon execution.
Quick Links
Archer Insight 2024.06 Release Notes
Archer Insight Documentation
Archer Insight 5-Minute Demo
Download
Please contact your account representative for details on deploying and installing the Archer Insight use case.
One of the following use cases is a pre-req to Archer Insight:
IT Risk Management or
Enterprise Risk
End of Product Support Policy
Archer has a defined End of Primary Support policy associated with all major versions. For additional details, refer to the Product Version Life Cycle.
View full article