Security Risk Advisors

Getting Started with Business Continuity Management in the RSA Archer GRC tool

February 5, 2015 | Posted in GRC by Matt Schneck

I’m helping a client transition their business continuity program into the RSA Archer GRC platform to increase process consistency and repeatability across their many business units. My client’s regulators emphasized the need to automate processes including Continuity Plan creation and periodic update, asset dependency, plan testing, and tracking recovery tasks during an incident.  Prior to Archer, these processes were fulfilled via MS Word documents and email, which made it difficult to understand dependencies between business processes, applications, systems, facilities, etc.

Now that configuration and pilots with business unit plan owners are complete, I have some tips and benefits to share.

Tips:

  • Take time to understand existing processes including plan creation, plan updates, business impact analysis, dependency mapping, and plan activation and tracking.  The transition to Archer can increase the consistency of the program but it’s no reason to scrap prior work.
  • Be open to process adjustments.  The Archer BCM out-of-the-box configuration may offer a fresh take on how to execute certain processes that may me more effective than current processes.  Aligning with the Archer configuration will require less time to get up and running.
  • Ensure that assets that will be referred to in business continuity plans are accurately documented in Archer Enterprise Management including business units, business processes, applications, devices, facilities, etc.  This is critical for dependency mapping and making plans actionable.
  • Pilot early and often to engage end users in the development process. Provide opportunities for end users to offer feedback and ask questions.

Benefits:

  • Archer’s out-of-the-box solution is based on best practice and can introduce significant process improvements over legacy practices.  However, existing processes that are best left unaltered can be preserved thanks to Archer’s flexibility.
  • Business continuity program owners can get a real-time view of the status of plan creation, updates, testing exercises, etc. and notifications can be used to send reminder emails when a plan update cycle or testing exercise is approaching.
  • Business impact analyses in Archer yield a mapping of the business unit to critical processes, applications, systems, and facilities and drive identification of recovery time objectives. With this information on hand, plan owners can allocate appropriate resources to ensure that critical processes and assets can be recovered based on criticality.
  • Users have the option to download and save or print hard copies of plans from Archer.  Archer mail merge templates can be customized to include pertinent plan info in these offline versions. 

We’re happy to share more on our experiences with Business Continuity Management in Archer.  Feel free to reach out to Matt Schneck (matt.schneck@securityriskadvisors.com) and Scott Byrum (scott.byrum@securityriskadvisors.com).