RSA Archer 6.2 Operational Risk MGT Guide

The RSA Archer Operational Risk Management Use Case Guide outlines the features and benefits of the RSA Archer software, which aids organizations in managing operational risks through various assessments and dashboards. The guide details installation procedures, enhancements in version 6.1, and the structure of applications and access roles within the system. It emphasizes the importance of engaging the first line of defense in risk management to improve accountability and transparency across the organization.


RSA Archer Operational Risk Management

Use Case Guide


6.1 and 6.2
Contact Information
Go to the RSA corporate web site for regional Customer Support telephone and fax numbers:
https://community.rsa.com/community/rsa-customer-support.
Trademarks
RSA, the RSA Logo, RSA Archer, RSA Archer Logo, and Dell are either registered trademarks or trademarks of Dell
Corporation ("Dell") in the United States and/or other countries. All other trademarks used herein are the property of their
respective owners. For a list of RSA trademarks, go to www.emc.com/legal/emc-corporation-trademarks.htm.
License agreement
This software and the associated documentation are proprietary and confidential to Dell, are furnished under license, and may
be used and copied only in accordance with the terms of such license and with the inclusion of the copyright notice below. This
software and the documentation, and any copies thereof, may not be provided or otherwise made available to any other person.
No title to or ownership of the software or documentation or any intellectual property rights thereto is hereby transferred. Any
unauthorized use or reproduction of this software and the documentation may be subject to civil and/or criminal liability.
This software is subject to change without notice and should not be construed as a commitment by Dell.
Third-party licenses
This product may include software developed by parties other than RSA. The text of the license agreements applicable to third-
party software in this product may be viewed on RSA.com. By using this product, a user of this product agrees to be fully
bound by terms of the license agreements.
Note on encryption technologies
This product may contain encryption technology. Many countries prohibit or restrict the use, import, or export of encryption
technologies, and current use, import, and export regulations should be followed when using, importing or exporting this
product.
For secure sites, Dell recommends that the software be installed onto encrypted storage for secure operations.
For customers in high security zones, Dell recommends that a full application sanitization and reinstallation from backup occur
when sensitive or classified information is spilled.
Note on Section 508 Compliance
The RSA Archer® Suite is built on web technologies which can be used with assistive technologies, such as screen readers,
magnifiers, and contrast tools. While these tools are not yet fully supported, RSA is committed to improving the experience of
users of these technologies as part of our ongoing product road map for RSA Archer.
The RSA Archer Mobile App can be used with assistive technologies built into iOS. While there remain some gaps in support,
RSA is committed to improving the experience of users of these technologies as part of our ongoing product road map for the
RSA Archer Mobile App.
Distribution
Use, copying, and distribution of any Dell software described in this publication requires an applicable software license.
Dell believes the information in this publication is accurate as of its publication date. The information is subject to change
without notice. Use of the software described herein does not ensure compliance with any laws, rules, or regulations, including
privacy laws that apply to RSA’s customer’s businesses. Use of this software should not be a substitute for consultation with
professional advisors, including legal advisors. No contractual obligations are formed by publication of these documents.
THE INFORMATION IN THIS PUBLICATION IS PROVIDED "AS IS." DELL INC. MAKES NO REPRESENTATIONS OR
WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY
DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Copyright © 2010-2017 Dell Inc. or its subsidiaries. All Rights Reserved.


March 2016
RSA Archer Operational Risk Management Use Case Guide

Contents

Operational Risk Management Release Notes
    What's New in Release 6.1

Chapter 1: Operational Risk Management
    RSA Archer Operational Risk Management
    Get started

Chapter 2: Operational Risk Management Design
    Architecture Diagram
    Applications
    Access Roles
    Dashboards
    Data Feeds
    Advanced Workflow

Chapter 3: Installing Operational Risk Management
    Step 1: Prepare for the Installation
    Step 2: Update the License Key
    Step 3: Install the Package
    Step 4: Perform Post-Installation Cleanup
    Step 5: Set Up Data Feeds
    Step 6: Resolve Dependencies Between Packages
    Step 7: Test the Installation
    Installing the Operational Risk Management Package
        Step 1: Back Up Your Database
        Step 2: Import the Package
        Step 3: Map Objects in the Package
        Step 4: Install the Package
        Step 5: Review the Package Installation Log
    Performing Post-Installation Cleanup for Operational Risk Management
        Step 1: Review and Fix Dependencies on Other Use Cases
        Step 2: Delete Obsolete Objects
        Step 3: Validate Formulas and Calculation Orders
        Step 4: Verify Key Fields
        Step 5: Update Inherited Record Permissions Fields
    Setting Up Operational Risk Management Data Feeds
        Step 1: Import a Data Feed
        Step 2: Schedule a Data Feed

Chapter 4: Creating Self Assessments
    Create a pRCSA
    Create an RCSA
    Create a CSA

Chapter 5: Using Palisade @Risk with Operational Risk Management
    Using the Expert Elicitation Method
        Step 1: Enter Risk Register Data for Expert Elicitation
        Step 2: Run Palisade Simulation
        Step 3: Import Simulation Results into the Risk Register
        Expert Elicitation Simulation Results
    Using the Historical Loss Method
        Step 1: Enter Risk Register Data for Historical Loss
        Step 2: Prepare Historical Loss Data for Simulation
        Step 3: Run Palisade Simulation
        Historical Loss Simulation Results

Appendix A: Package Installation Log Message Examples

Operational Risk Management Release Notes

What's New in Release 6.1

The following items have been changed in the 6.1 release.

Enhancement    Description

Workspace
    The following changes have been made:
    • The Risk Assessments workspace was removed.
    • The Risk Management workspace was renamed to Operational Risk Management.
    • The Operational Risk Management workspace was updated to include all new sub-solutions and dashboards.

DDE
    The following changes have been made:
    • Added and updated DDEs in many of the Metrics layouts. This allows Metrics of any type to target a Business Unit in order to support the Key Indicator Management use case.
    • Updated the Action Required Risk and Insurance Claim Status DDE in many of the Loss Event layouts.

Dashboards
    The following dashboards have been removed:
    • Enterprise Risk Management
    • Business Unit Risk Overview
    • Metric Owner
    • Metric Tracking
    • Operational Risk Management
    • Operational Risk Management Program Administration

    The following persona-based dashboards have been added:
    • Executive Management
    • Business Unit Manager
    • Risk Manager
    • Data Quality Administration

    These dashboards include both new and existing iViews.

Risk Catalog Sub-solution
    The following applications were added to the Risk Catalog sub-solution:
    • Risk Register
    • Risk Hierarchy

Data feeds
    Two new data feeds were created to support creating metrics from the Metrics Library to associate to a Business Unit. The new data feeds are:
    • Create Metrics from Metric Library for BU, which creates the records
    • Clear Metrics Library Linkage from Business Unit, which clears the cross-reference to the Metrics Library

Sub-solution
    The following sub-solutions were created:
    • Loss Event Management
    • Key Indicator Management
    • Risk Catalog

    The following sub-solutions have been renamed:
    • The Risk Management sub-solution has been renamed to Risk Inventory and Top Down Assessment.
    • The Risk Assessments sub-solution has been renamed to Bottom-Up Risk Assessment.

Report
    The report DFM_Create Metrics For BU From Metric Library was added to the Business Unit application in order to support the two new data feeds (Create Metrics From Metric Library For BU and Clear Metric Library Linkage From Business Unit).

Report iViews
    Report iViews were added for Risk Catalog and Risk Taxonomy to the Executive Management and Business Unit Manager dashboards.


Chapter 1: Operational Risk Management


Effective management of errors and fraud associated with people, processes, and technology is
inherently complex. As organizations change and grow, the complexity, frequency, and impact of
errors and fraud increase, and can be catastrophic in some cases. It is very difficult for businesses to
manage this operational risk due to its complexity and the speed at which it can develop. Managing
operational risk requires an organization to tie together all the necessary pieces that provide an
understanding of the business context of the risk. For risk managers, this undertaking can overwhelm
available resources and tax the limits of their knowledge and understanding of the inner workings of
the organization’s business activities. Risk management teams can counter this by better engaging
business managers, the first line of defense, in risk management. The first line of defense is best
able to identify and manage the risks and controls within their domain of responsibility.
Without engaging the first line of defense in identifying risk, and using consistent methodologies and
measurements to assess risk, there is no way to provide executive management and the Board with
an accurate and aggregated view of risk across the business so that it can be managed within the
organization’s risk appetite.

RSA Archer Operational Risk Management


RSA Archer Operational Risk Management is a combination of use cases that are core to a typical
operational risk management program. These elements include: Top-Down Risk Assessment,
Bottom-Up Risk Assessment, Loss Event Management, Key Indicator Management, Risk and
Control Self-Assessments, and Issues Management. Operational Risk Management enables
cataloging business processes and sub-processes, documenting risks associated with business
processes, and mitigating controls. Risk assessments can be performed on a top-down basis, through
first line of defense self-assessments, and through targeted bottom-up assessments. Loss events can
be cataloged, root-cause analysis performed and routed for review and approval. Key risk and
control indicators can be established and associated with risk and control registers, respectively, and
monitored to provide early warning of changes in the organization’s risk profile. By integrating these
use cases, risk managers have a comprehensive operational risk management program that
reinforces desired accountability and risk management culture throughout the organization, providing
necessary transparency through reporting, dashboards, and notification alerts.

Key Features
• Consolidated view into business processes, risks, controls, loss events, key indicators, and outstanding issues and how they are all related
• Support for first line of defense self-assessments and top down and bottom up risk assessments
• Efficient management of self-assessment campaigns by second line of defense stakeholders, including necessary workflow to vet and challenge first line of defense assessments
• Capture and perform root cause analysis on internal losses and near misses, and relevant external loss events
• Understand inherent and residual risk and observe changes in calculated residual risk while rolling up risks by business unit and enterprise risk statement
• Robust key risk and control indicator program management to provide early warning and remediation
• Consolidated issues management with a clear understanding at all times of the status of all open remediation plans and exceptions
• Visibility into operational risk via predefined reports, risk dashboards, workflow, and notifications

Key Benefits
Operational Risk Management provides:
• Better understanding of risks throughout the organization
• Improved risk management and risk management culture by engaging the first line of defense (business users) to take ownership of their risks and controls
• Quicker detection and management of changes in risk profile
• More efficient administration of the operational risk management program, allowing second line of defense teams to spend more time on analysis and less time on administration and reporting
• Less time required to identify and resolve operational risk related problems
• Reduction in audit findings, surprises, loss events, and incidents
• Ability to demonstrate design and effectiveness of risk management program

Get started
• Learn more about the use case design
• Install and set up the use case
• Use the use case


Chapter 2: Operational Risk Management Design


This topic contains high-level use case design information.

Architecture Diagram
The following diagram shows the relationships between the applications in the Operational Risk
Management use case.


Note:
1. Feeds that create Metrics from a metric library (either the Business Process or Risk Register) do
not also create Risk Register records from the associated Risk Library records.

2. Business Asset Catalog objects and their associated assessments are not automatically scoped
into Risk Project and must each be scoped in manually.

Applications

Application    Description

Self-Assessment
    The Self-Assessment application contains records of the various self-assessments that have been created.

Risk Assessment Data
    The Risk Assessment Data application houses the various records relating to the self-assessments that your company can undertake.

Assessment Campaign
    The Assessment Campaign application allows you to create self-assessment records at either the business process or business unit level. Additionally, you can generate a campaign that, once completed, is automatically enrolled in an Advanced Workflow.

Business Processes Assessment Data
    The Business Processes Assessment Data application houses the self-assessment data related to business processes.

Control Assessment Data
    The Control Assessment Data application houses the self-assessment data related to control procedures.

Corporate Objectives
    The Corporate Objectives application tracks strategic, operational, reporting, and compliance objectives as they relate to company policies and risks. Key performance indicators allow the corporation to track its progress with regard to meeting these objectives.

Applications
    The Applications application stores all software applications used by the organization to perform business operations. You can view how an application is used, the people that use it, and the devices on which the application is installed. You can also track the business impact, customer impact, and licensing details, and associate it with other aspects of the enterprise infrastructure.

Contacts
    The Contacts application serves as a central repository for contact information, is utilized across multiple areas of RSA Archer, and contains information that is often leveraged by other use cases. Updates to a profile record within this application automatically propagate in any records where that contact information is displayed.

Insurance
    The Insurance application is designed to serve as a repository of all of the organization’s insurance policies. Policies can be managed along with associated claims, risks can be mapped to policy inclusion and exclusion, and losses cataloged against the policies to which they apply.
    Through the Insurance application, you can:
    • Manage corporate insurance programs by tracking insurance applications, insurance policies, premiums, deductibles, brokers, underwriters, underwriter financial strength, and expiration dates.
    • Identify gaps associated with uninsured risks and analyze over- and under-insured risks by mapping insurance policies to risk register items.
    • Analyze losses incurred vs. insurance premiums paid (loss ratios).
    • Perform basic insurance claims management via Loss Events.
    • Rationalize the corporate insurance risk transfer program in terms of the organization’s overall risk profile.

Access Roles
The use case provides the following access roles.

Access Role    Description

RM: Admin
    This role serves as the administrator for the use case. (Risk Manager, Risk Manager Specialist)

RM: Executives
    This role provides the appropriate access levels within the use case to the executive team (CFO, CEO, Controller).

RM: Manager
    This role provides create, read, and update access to management stakeholders within the use case.

RM: Owner
    This role provides create, read, and update access to business process owners within the use case.

RM: Read Only
    This role provides read-only access for the use case.

Note: For detailed, page-level access rights, see the Data Dictionary.

For a complete list of application record permission fields, including which user/groups fields
populate the fields and where the fields inherit permissions from, see the Data Dictionary.

Groups
The use case provides the following groups.

Groups    Description

Risk Manager 2nd line of defense
    Individuals associated to this group are responsible for monitoring the effectiveness of the risk management process, and implementing necessary changes. They identify, assess, prioritize, and monitor risk trends within the broader business infrastructure. Chief Risk Officers and Risk Managers are personas that align with the 2nd line of defense, and are ultimately responsible for the oversight of the 1st line's risk management.

Enterprise 1st line of defense
    Individuals associated to this group are responsible for identifying and managing risks in processes under their business line. Organizational positions that might be included in the category of the 1st line of defense include the Business Line Manager and the Business Line Coordinator. The Business Line Managers are accountable for managing the business line's operational risks, while the Business Line Coordinators typically contribute efforts toward completing business line self-assessment activities as defined by the organization's risk self-assessment program.

Compliance 2nd line of defense
    Individuals associated to this group are responsible for monitoring the effectiveness of the compliance management process, and implementing necessary changes.

Dashboards
The use case provides the following dashboards.

Dashboard    Description

Business Process Hierarchy
    This persona-based dashboard returns the entire Business Process Hierarchy, including Risks tied directly to any level of the process hierarchy. The report shows any mitigating Control Procedures for those Risks as well as any Findings filed against a Control Procedure.

Business Unit Manager
    This persona-based dashboard is used by Business Unit Managers and Business Unit Coordinators to create new loss events and to view active assessments, unapproved loss events, and loss events requiring executive review or sign-off.

Executive Management
    This persona-based dashboard is used by Controllers, CFOs, and CEOs to view business unit/company risks, track risk exposure, and review loss events that require executive sign-off.

Risk Manager
    This persona-based dashboard is used by Risk Managers and Risk Specialists to view active assessments, loss events awaiting review, and open risk projects.

Data Quality Administration
    This persona-based dashboard contains several iViews which report on potential data quality or integrity issues, such as Business Processes, Risks, or Controls with multiple owners/managers, Risks not tied to Business Processes, Risks without mitigating controls, etc.

Self-Assessment Data with Business Process Hierarchy
    This persona-based dashboard returns the entire Business Process Hierarchy being assessed in a pRCSA. It will also show Risks tied directly to any level of the process hierarchy that are included in the assessment. Finally, the report will show any mitigating Control Procedures for those Risks.

Data Feeds
The use case provides the following Business Unit data feeds.

Data Feeds    Description

Create Risks and Associated Metrics from Library Individual (BU)
    Targets the Risk Register and allows users to create unique copies of Risk Register and Metrics records from specific selections of the Risk Library, and associates them back to the Business Unit.

Clear Metric Risk Library Individual Settings From Business Process
    Targets the Business Unit application, and clears Risk Library selections from the Business Unit application.

Create Risks and Associated Metrics From Library Grouping (BU)
    Targets the Risk Register and allows users to create unique copies of Risk Register and Metrics records by matching the selected Business Theme and/or Risk Event Category in the Risk library, and associating them back to the Business Process.

Clear Metric Risk Library Grouping Settings From Business Unit (BU)
    This data feed targets the Business Unit application and is intended to clear the Risk Library matching selections from the Business Unit.

Create Metrics From Metric Library For BU
    This feed is intended to copy metric records from the Metric Library and associate them to the Business Unit application.

Clear Metric Library Linkage From Business Unit
    This data feed is intended to clear Metrics Library selections that link to the Business Unit application.

This use case provides the following Business Process data feeds.

Data Feeds    Description

Create Risks and Associated Metrics from Library Individual (BP)
    Targets the Risk Register and allows users to create unique copies of Risk Register and Metrics records from specific selections of the Risk Library, and associates them back to the Business Process.

Clear Metric Risk Library Individual Settings From Business Process
    Targets the Business Unit application, and clears Risk Library selections from the Business Process application.

Create Risks and Associated Metrics From Library Grouping (BP)
    Targets Risk Register and allows users to create unique copies of Risk Register and Metrics records by matching the selected Business Theme and/or Risk Event Category in the Risk library, and associating them back to the Business Process.

Clear Metric Risk Library Grouping Settings From Business Unit (BP)
    This data feed targets the Business Process application and is intended to clear the Risk Library matching selections from the Business Unit.

Advanced Workflow
The following workflow is applied to all self-assessments in the Self-Assessments application.


Step 1: Assessment Stage

The Risk Manager begins the workflow process by evaluating what entities he wants assessed:
Business Units, Business Processes, and Products and Services. The Risk Manager creates a
campaign to scope the desired entities. He can create a pRCSA, RCSA, or CSA self-assessment.
Next, the Risk Manager auto-generates the self-assessments from the campaign. Once the Risk
Manager has chosen the Business Unit, Business Process, or Products and Services to assess, the
Assessment Campaign application generates self-assessments, places them into the Self-
Assessments application, and the Assess Stage begins.
Immediately before the Assess Stage, notifications are sent to the Business Unit Manager and the
Business Unit Coordinator in charge of the self-assessment. The self-assessment is immediately
assigned to the Business Unit Manager. The reassign path is available if the self-assessment needs
to be assigned to another Business Unit Manager.
The Business Unit Manager or Business Unit Coordinator then evaluates the risks. They can choose
to override the previous Inherent and Residual ratings for individual risk or they can simply mark the
risk as evaluated to keep the previous ratings. They can also rate the controls associated to each risk
and/or add new Findings to risks or controls. Once all of the risks are marked as Evaluated, the
Business Risk Manager submits the self-assessment to the Risk Manager, who receives a
notification, and the Review Stage begins.

Step 2: Review Stage

The Risk Manager then reviews the risk records to see if he agrees with the assessments made by
the Business Unit Manager or Business Unit Coordinator. If the Risk Manager agrees with all of the
assessments made by the Business Unit Manager or Business Unit Coordinator, the Risk Manager
can approve the entire assessment. If the Risk Manager disagrees with any of the assessments made
by the Business Unit Manager or Business Unit Coordinator, he can mark each risk he disagrees
with individually and add comments to the risk to clarify his reasoning. He then rejects the entire
assessment and it is sent back to the Business Unit Manager and/or the Business Unit Coordinator.

Step 3: Re-Assess and Review Stages

The Business Unit Manager or Business Unit Coordinator then reviews the records that the Risk
Manager rejected. Once the changes are made, the Business Unit Manager or Business Unit
Coordinator re-submits the assessment to the Risk Manager. The Risk Manager can then re-review
the assessment, and either accept the evaluation, or reject it again. If the Risk Manager accepts the
updates, the changes and ratings made during the assessment are published to the Risk Register and
Control Procedures evaluated during the assessment. If the Risk Manager rejects the updates, Step 3
(the Re-Assess and Re-Review Stages) begins again.

Step 4: Publish

In the Evaluate Stage, RSA Archer goes through the accepted assessment and attempts to publish
the Business Processes, Risk Register, and Control Procedures records with the assessment data. If
the publish is successful, the changes are made, and the assessment is complete and is marked as
Validated. If the publish was unsuccessful, the Risk Manager can attempt to fix whatever issue
prevented the publish from successfully occurring. Once the fixes are made, the Risk Manager can
then attempt to re-publish the records.

Note: If any of the assessment content fails to publish, the entire assessment is marked as Failed.
Publish nodes do not revert all of the data that was successfully pushed to the registers. The Failed
status means that not all of the self-assessment was published to the registers. Once the self-
assessment is marked as Validated, all updates have been successfully posted to the register.


Chapter 3: Installing Operational Risk Management


Complete the following tasks to install the Operational Risk Management use case.

Step 1: Prepare for the Installation

1. Ensure that your RSA Archer system meets the following requirements:
   • RSA Archer Platform version 6.1 or later.
   • Valid license for Operational Risk Management 6.1 or later.
   • You have already installed the following use case(s): Issues Management, Risk Catalog, Bottom-Up Risk Assessment, Key Risk Indicator, Loss Event Management, Risk Inventory and Top-Down Risk Assessment.
   • A user account on the Platform with access rights to the Data Feed Manager.
   • User account on RSA Link to download the use case files.

2. Download the use case file(s) from the Archer Customer/Partner Community on RSA Link on the RSA Archer Solutions and Use Cases page (https://community.rsa.com/community/products/archer-grc/archer-customer-partner-community/solutions).
   The following files are included in the RSA_Archer_Operational_Risk_Management_6.2.zip file:
   • Use case install package
   • Data feed file

3. Obtain the Data Dictionary for the use case by contacting your RSA Archer Account Representative or calling 1-888-539-EGRC. The Data Dictionary contains the configuration information for the use case.

4. Read and understand the "Packaging Data" section of the RSA Archer Online Documentation.

5. Review the Release Notes to understand any known issues before installing and configuring the use case.

Step 2: Update the License Key


You must update the license key if you are installing a new application, questionnaire, workspace, or
dashboard.


Note: All customers who are upgrading from version 6.0 or earlier are required to get a new license
key for 6.1 or later. Ensure that you are using a valid 6.1 or later license key prior to installing
packages.

The administrator (a web or database administrator) on the server on which the Archer Control
Panel resides must update the license key in the Archer Control Panel before the application
package is imported in order for the new items to be available for use.
1. Open the RSA Archer Control Panel.

2. From the Instance Management list, click to expand the Instances list.

3. Right-click the instance that you want to update, and click Update License Key.

4. Update the applicable information: Serial Number, Contact Info, and Activation Method.

5. Click Activate.

Important: If you do not update your license key to 6.1 or later prior to installing the package, you
will not be able to access workspaces, dashboards and applications.


Step 3: Install the Package


Installing a package requires that you import the package file, map the objects in the package to
objects in the target instance, and then install the package. See Installing the Operational Risk
Management Package.

Step 4: Perform Post-Installation Cleanup


The package installation does not update some attributes of objects, or delete obsolete objects that
are not included in the current solution. RSA recommends that you compare the objects in your
database with the information in the Data Dictionary to determine which objects are obsolete or
have been updated. See Performing Post-Installation Cleanup for Operational Risk Management.

Step 5: Set Up Data Feeds


You must import and schedule each use case data feed that you want to use. See Setting Up
Operational Risk Management Data Feeds.


Step 6: Resolve Dependencies Between Packages


After completing the initial installation, you must re-install the use case package and any applicable
prerequisite use case packages to resolve any dependencies.
1. Install the Risk Catalog package file. See the RSA Archer Risk Catalog Use Case Guide.

2. Install the Top-Down Risk Assessment package file. See the RSA Archer Top-Down Risk
Assessment Use Case Guide.

3. Install the Loss Event Management package file. See the RSA Archer Loss Event Management
Use Case Guide.

4. Install the Key Indicator Management package file. See the RSA Archer Key Indicator
Management Use Case Guide.

5. Install the Bottom-Up Risk Assessment package file. See the RSA Archer Bottom-Up
Risk Assessment Use Case Guide.

6. Install the Issues Management package file. See the RSA Archer Issues Management Use Case
Guide.

7. Install the Operational Risk Management package file.



Step 7: Test the Installation


Test the Operational Risk Management use case according to your company standards and
procedures, to ensure that the use case works with your existing processes.

Installing the Operational Risk Management Package



Step 1: Back Up Your Database


There is no Undo function for a package installation. Packaging is a powerful feature that can make
significant changes to an instance. RSA strongly recommends backing up the instance database
before installing a package. This process enables a full restoration if necessary.
An alternate method for undoing a package installation is to create a package of the affected objects
in the target instance before installing the new package. This package provides a snapshot of the
instance before the new package is installed, which can be used to help undo the changes made by
the package installation. New objects created by the package installation must be manually deleted.


Step 2: Import the Package

1. Go to the Install Packages page.

a. From the menu bar, click .

b. Under Application Builder, click Install Packages.

2. In the Available Packages section, click Import.

3. Click Add New, then locate and select the package file that you want to import.

4. Click OK.
The package file is displayed in the Available Packages section and is ready for installation.


Step 3: Map Objects in the Package

1. In the Available Packages section, select the package you want to map.

2. In the Actions column, click for that package.


The analyzer runs and examines the information in the package. The analyzer automatically
matches the system IDs of the objects in the package with the objects in the target instances and
identifies objects from the package that are successfully mapped to objects in the target instance,
objects that are new or exist but are not mapped, and objects that do not exist (the object is in the
target but not in the source).

Note: This process can take several minutes or more, especially if the package is large, and may
time out after 60 minutes. This time-out setting temporarily overrides any IIS time-out settings
set to less than 60 minutes.

When the analyzer is complete, the Advanced Package Mapping page lists the objects in the
package file and corresponding objects in the target instance. The objects are divided into tabs,
depending on whether they are found within Applications, Solutions, Access Roles, Groups, Sub-
forms, or Questionnaires.

3. On each tab of the Advanced Mapping Page, review the icons that are displayed next to each
object name to determine which objects require you to map them manually.

Icon Name | Description
Awaiting Mapping Review | Indicates that the system could not automatically match the object or children of the object to a corresponding object in the target instance. Objects marked with this symbol must be mapped manually through the mapping process. Important: New objects should not be mapped. This icon should remain visible. The mapping process can proceed without mapping all the objects. Note: You can execute the mapping process without mapping all the objects. The icon is for informational purposes only.
Mapping Completed | Indicates that the object and all child objects are mapped to an object in the target instance. Nothing more needs to be done with these objects in Advanced Package Mapping.
Do Not Map | Indicates that the object does not exist in the target instance or the object was not mapped through the Do Not Map option. These objects will not be mapped through Advanced Package Mapping, and must be remedied manually.
Undo | Indicates that a mapped object can be unmapped. This icon is displayed in the Actions column of a mapped object or object flagged as Do Not Map.

4. For each object that requires remediation, do one of the following:

• To map each item individually, on the Target column, select the object in the target instance
to which you want to map the source object. If an object is new or if you do not want to map
an object, select Do Not Map from the drop-down list.
Important: Ensure that you map all objects to their lowest level. When objects have child or
related objects, a drill-down link is provided on the parent object. Child objects must be
mapped before parent objects are mapped. For more details, see "Mapping Parent/Child
Objects" in the RSA Archer Online Documentation.

• To map all objects in a tab automatically that have different system IDs but the same object
name as an object in the target instance, do the following:

a. In the toolbar, click Auto Map.

b. Select an option for mapping objects by name.

Option | Description
Ignore case | Select this option to match objects with similar names regardless of the case of the characters in the object names.
Ignore spaces | Select this option to match objects with similar names regardless of whether spaces exist in the object names.

c. Click OK.
The Confirmation dialog box opens with the total number of mappings performed. These
mappings have not been committed to the database yet and can be modified in the
Advanced Package Mapping page.

d. Click OK.

• To set all objects in the tab to Do Not Map, in the toolbar, click Do Not Map.

Note: To undo the mapping settings for any individual object, click in the Actions column.

When all objects are mapped, the icon is displayed in the tab title. The icon is displayed
next to the object to indicate that the object will not be mapped.

5. Verify that all other objects are mapped correctly.

6. (Optional) To save your mapping settings so that you can resume working later, see "Exporting
and Importing Mapping Settings" in the RSA Archer Online Documentation.

7. Once you have reviewed and mapped all objects, click .

8. Select I understand the implications of performing this operation, and then click OK.
The Advanced Package Mapping process updates the system IDs of the objects in the target
instance as defined on the Advanced Package Mapping page. When the mapping is complete, the
Import and Install Packages page is displayed.

Important: Advanced Package Mapping modifies the system IDs in the target instance. Any
Data Feeds and Web Service APIs that use these objects will need to be updated with the new
system IDs.
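The Auto Map name options and the system ID warning above, modelled as a dry run that a reviewer could perform on exported object lists before committing a mapping. This is an added example, not RSA Archer code: the Obj type, the plan_mapping function, the object lists and all IDs are constructed for illustration, and the guide does not say how the product itself resolves names that collide once case or spaces are ignored, so the model flags those for manual mapping.

```python
"""Dry-run model of Auto Map by name. Constructed example, not RSA Archer code."""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Obj:
    system_id: str  # constructed placeholder, not a real Archer system ID
    name: str


def normalize(name, ignore_case=False, ignore_spaces=False):
    """Apply the two name options offered in the Auto Map dialog."""
    if ignore_case:
        name = name.casefold()
    if ignore_spaces:
        name = "".join(name.split())
    return name


def plan_mapping(package, target, ignore_case=False, ignore_spaces=False):
    """Classify package objects before any mapping is committed.

    by_id      system ID already exists in the target, nothing to map
    by_name    exactly one free target object has the same normalized name
    ambiguous  several objects collapse to one normalized name: map by hand
    new        no counterpart in the target: leave unmapped
    id_changes (old target ID, ID taken from the package) for each name match,
               i.e. the IDs that data feeds and API clients would need updated
    """
    def key(obj):
        return normalize(obj.name, ignore_case, ignore_spaces)

    target_ids = {t.system_id for t in target}
    package_ids = {p.system_id for p in package}
    unmatched = [p for p in package if p.system_id not in target_ids]

    # Target objects not already claimed by a system ID match.
    free_targets = defaultdict(list)
    for t in target:
        if t.system_id not in package_ids:
            free_targets[key(t)].append(t)
    package_key_count = Counter(key(p) for p in unmatched)

    plan = {
        "by_id": [p.name for p in package if p.system_id in target_ids],
        "by_name": [], "ambiguous": [], "new": [], "id_changes": [],
    }
    for p in unmatched:
        candidates = free_targets.get(key(p), [])
        if not candidates:
            plan["new"].append(p.name)
        elif len(candidates) == 1 and package_key_count[key(p)] == 1:
            plan["by_name"].append((p.name, candidates[0].name))
            plan["id_changes"].append((candidates[0].system_id, p.system_id))
        else:
            plan["ambiguous"].append((p.name, sorted(c.name for c in candidates)))
    return plan


# Constructed sample data: application names borrowed from this guide, made-up IDs.
PACKAGE = [
    Obj("id-a1", "Risk Register"),
    Obj("id-a2", "Loss Events"),
    Obj("id-a3", "Business Unit"),
    Obj("id-a4", "Risk Project"),
]
TARGET = [
    Obj("id-a1", "Risk Register"),   # same system ID as the package object
    Obj("id-b2", "loss events"),     # differs only by case
    Obj("id-b3", "Business Unit"),   # same name, different system ID
    Obj("id-b4", "BusinessUnit"),    # local copy that differs only by a space
]

if __name__ == "__main__":
    for options in ({}, {"ignore_case": True},
                    {"ignore_case": True, "ignore_spaces": True}):
        print(options or "exact names", plan_mapping(PACKAGE, TARGET, **options))
```

With both options enabled, "Business Unit" stops being a clean match because two target objects collapse to the same name, which is the case to resolve by hand before the mapping rewrites system IDs.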


Step 4: Install the Package


All objects from the source instance are installed in the target instance unless the object cannot be
found or is flagged to not be installed in the target instance. A list of conditions that may cause
objects not to be installed is provided in the Log Messages section. A log entry is displayed in the
Package Installation Log section.
1. Go to the Install Packages page.

a. From the menu bar, click .

b. Under Application Builder, click Install Packages.

2. In the Available Packages section, locate the package file that you want to install, and click
Install.

3. In the Configuration section, select the components of the package that you want to install.

• To select all components, select the top-level checkbox.
• To install only specific global reports in an already installed application, select the checkbox
associated with each report that you want to install.

Note: Items in the package that do not match an existing item in the target instance are selected
by default.

4. In the Configuration section, under Install Method, select an option for each selected component.
To use the same Install Method for all selected components, select a method from the top-level
drop-down list.

Note: If you have any existing components that you do not want to modify, select Create New
Only. You may have to modify those components after installing the package to use the changes
made by the package.

5. In the Configuration section, under Install Option, select an option for each selected component.
To use the same Install Option for all selected components, select an option from the top-level
drop-down list.

Note: If you have any custom fields or formatting in a component that you do not want to lose,
select Do not Override Layout. You may have to modify the layout after installing the package to
use the changes made by the package.


6. To deactivate target fields and data-driven events that are not in the package, in the Post-
Install Actions section, select the Deactivate target fields and data-driven events that are not in
the package checkbox. To rename the deactivated target fields and data-driven events with a
user-defined prefix, select the Apply a prefix to all deactivated objects checkbox, and enter a
prefix. This can help you identify any fields or data-driven events that you may want to review
for cleanup post-install.

7. Click Install.

8. Click OK.

Step 5: Review the Package Installation Log

1. Go to the Package Installation Log tab of the Install Packages page.

a. From the menu bar, click .

b. Under Application Builder, click Install Packages.

c. Click the Package Installation Log tab.

2. Click the package that you want to view.

3. In the Package Installation Log page, in the Object Details section, click View All Warnings.
For a list of packaging installation log messages and remediation information for common
messages, see Package Installation Log Messages.

Performing Post-Installation Cleanup for Operational Risk Management

Step 1: Review and Fix Dependencies on Other Use Cases


After you have installed the use case, certain items may not appear or function as designed because
they are dependent on use cases that you have not licensed. For example, a calculated field that
references an application outside of this use case will not validate unless you have also licensed
another use case that contains that application. The following sections list the most common
dependencies and provide steps to resolve the dependencies. In each section, the Related Use Case
column lists the use case(s) that you may or may not have licensed. If you have licensed any of the
listed use cases, you can skip that row. If you have not licensed any of the listed use cases, then the
dependencies apply to your installation and you may want to resolve them.

Note: Resolving these dependencies is not required. You may opt to skip this step, but leaving these
fields as they are may cause confusion or generate calculation errors.

Review the following sections and resolve any dependencies that apply to your installation. You only
need to resolve any dependencies that apply to use cases you have not licensed.

Note: In the calculation dependency scenarios, some of the formulas do not validate because of
unlicensed fields. Some validate but do not function because they depend on other fields that are
not valid.

Risk Register

Related Use Case | Dependency | Resolution
Incident Management | The Incident reference field is not available. | No action needed.
Security Incident Management | The following reference fields are not available: Incident Investigations; Security Incident | No action needed.
Audit Engagements and Workpapers | The following reference fields are not available: Audit Engagements; Audit Entity | No action needed.

Risk Register (Full)

Related Use Case | Dependency | Resolution
Control Assurance Program Management | The following calculations do not validate: Count of Non-Compliant Controls; Percentage Of Non-Compliant Controls; Calculated Risk Likelihood Factor; Previous Calculated Risk Likelihood Factor; Date Risk Factors Last Changed; Risk Factors Used To Adjust Qualitative Risk Likelihood; Residual Risk Helper; Adjusted Qualitative Risk Likelihood; Adjusted Qualitative Residual Risk; Adjusted Quantitative Risk Helper; Adjusted Quantitative Residual Risk; Calculated Residual Risk; Warning Indicator | Drag off layout or delete.

Risk Register (Full) - Intermediate Risk Level

Related Use Case | Dependency | Resolution
Control Assurance Program Management | The following calculations do not validate: Calculated Risk Value; Risk Scorecard; Average % of Failed Controls; Average Calculated Residual Risk Level; Warning Indicator; Count of Warning Indicator; Maximum Calculated Residual Risk Level; Risk Warning Level; Maximum % of Failed Controls; Average Risk Level Status; Maximum Risk Level Status; Control Tolerance Status | Drag off layout or delete.

Risk Register (Full) - Enterprise Level

Related Use Case | Dependency | Resolution
Control Assurance Program Management | The following calculations do not validate: Calculated Risk Value; Average Calculated Residual Risk Level; Maximum Calculated Residual Risk Level; Risk Scorecard (Averages); Risk Scorecard (Maximums); Average % of Failed Controls; Maximum % of Failed Controls; Count of Warning Indicators; Risk Warning Level; Average Risk Level Status; Maximum Risk Level Status; Control Tolerance Status | Drag off layout or delete.
Third Party Management | The Averaged % of Failed KRIs calculation does not validate. | Drag off layout or delete.

Business Processes

Related Use Case | Dependency | Resolution
Business Impact Analysis | The Business Impact Analysis reference field is not available. | No action needed.
Third Party Catalog | The Engagements reference field is not available. | No action needed.
Any use case that contains the Information Assets application. | The Information Assets reference field is not available. | No action needed.
Any use case that contains the Devices application. | The Storage Devices reference field is not available. | No action needed.
Controls Monitoring Program Management | The G/L Accounts reference field is not available. | No action needed.
IT Security Vulnerabilities Program | The Vulnerability Trending (Business Processes) reference field is not available. | No action needed.
Crisis Management | The Crisis Events (Business Processes) reference field is not available. | No action needed.
Corporate Obligations Management | The Regulatory Intelligence Review (Impacted Business Processes) reference field is not available. | No action needed.
BC/DR Planning | The following fields are not available: Activated Plans; BCM Risk Register; Business Continuity Plans | No action needed.
Audit Engagements and Workpapers | The following reference fields are not available: Audit Engagements; Audit Entity | No action needed.
IT Risk Management | The Threat Project (Business Process) reference field is not available. | No action needed.
Business Impact Analysis | The following field calculations do not validate: Criticality Rating; Financially Significant; Recover Time Objective (RTO); Recover Point Objective (RPO); Maximum Tolerable Period of Disruption (MTPD); Impact Analysis Performed? | Drag off layout or delete.
Controls Assurance Monitoring Program | The following calculations do not validate: Count of Non-Compliant Controls; % of Non-Compliant Controls; Compliance Rating; Sum of Calculated Residual Risk Ratings; Average Calculated Residual Risk Level; Maximum Calculated Residual Risk Level; Risk Rating; Count of Non-Compliant Controls; % of Non-Compliant Controls; Compliance Rating | Drag off layout or delete.

Business Unit

Related Use Case | Dependency | Resolution
Incident Management | The Incident reference field is not available. | No action needed.
Security Incident Management | The Security Incident (Affected Business Unit) reference field is not available. | No action needed.
Audit Planning | The Audit Entity reference field is not available. | No action needed.
Third Party Catalog | The Engagements reference field is not available. | No action needed.
Security Operations & Breach Management | The Data Breach reference field is not available. | No action needed.
Any use case that contains the Information Assets application. | The Information Assets reference field is not available. | No action needed.
Any use case that contains the Devices application. | The Storage Devices reference field is not available. | No action needed.
Audit Engagements and Workpapers | The following reference fields are not available: Audit Engagements; Audit Entity | No action needed.
Crisis Management | The Crisis Events reference field is not available. | No action needed.
Loss Event Management | The Loss Events reference field is not available. | No action needed.
Crisis Management | The Crisis Events reference field is not available. | No action needed.
Federal Continuous Monitoring | The Vulnerabilities Scan Results reference field is not available. | No action needed.
Controls Monitoring Program Management | The following reference fields are not available: Quarterly Financial Certifications - BU; Last Quarterly Certification Date; Last Quarterly Certification Quarter; Last Quarterly Certification Year; Current Financial Certification Status | No action needed.
IT Risk Management | The Threat Project (Business Unit) reference field is not available. | No action needed.
BC/DR Planning | The Activated Plans reference field is not available. | No action needed.
IT Security Vulnerabilities Program | The following reference fields are not available: Vulnerability Trending (Business Unit); Vulnerability Scan Results | No action needed.
Corporate Obligations Management | The Regulatory Intelligence Review reference field is not available. | No action needed.
Not all Enterprise Apps Licensed | The following calculations do not validate: Total Devices; Total Information Assets | Drag off layout or delete.
Controls Assurance Program Management | The following calculations do not validate: Operational Risk Value; Calculated Risk; Maximum Calculated Risk Level; Risk Scorecard; Average Risk Level Status; Maximum Risk Level Status; KRI Tolerance Status; Count of Warning Indicators; Risk Warning Level; Warning Indicator | Drag off layout or delete.

Division

Related Use Case | Dependency | Action
Corporate Obligations Management | The Regulatory Intelligence Review reference field is not available. | No action needed.
Controls Monitoring Program Management | The Quarterly Financial Certifications - BU reference field is not available. | No action needed.
Controls Monitoring Program Management | The following calculations do not validate: Last Quarterly Certification Date; Last Quarterly Certification Quarter; Last Quarterly Certification Year; Current Financial Certification Status; Count of Certified Business Units; % of Certified Business Units; Subsidiary Financial Certification Status; Overall Financial Certification Status | Drag off layout or delete.
Not all Enterprise Apps Licensed | The following calculations do not validate: Dependent on Total Devices from Business Unit; Dependent on Total Information Assets from Business Unit | Drag off layout or delete.
Controls Assurance Program Management | The following calculations do not validate: Count of Non-Compliant Controls; % of Non-Compliant Controls; Compliance Rating; Operational Risk Value; Calculated Risk; Maximum Calculated Risk Level; Average Risk Level Status; Maximum Risk Level Status; Business Unit Scorecard (Averages); Business Unit Scorecard (Maximums); Count of Warning Indicators; Risk Warning Level | Drag off layout or delete.

Company

Related Use Case | Dependency | Action
Corporate Obligations Management | The Regulatory Intelligence Review reference field is not available. | No action needed.
Controls Monitoring Program Management | The Quarterly Financial Certifications - BU reference field is not available. | No action needed.
Controls Monitoring Program Management | The following calculations do not validate: Last Quarterly Certification Date; Last Quarterly Certification Quarter; Last Quarterly Certification Year; Current Financial Certification Status; Count of Certified Divisions; % of Certified Divisions; Subsidiary Financial Certification Status; Overall Financial Certification Status | Drag off layout or delete.
Not all Enterprise Apps Licensed | The following calculations do not validate: Total Devices; Total Information Assets | Drag off layout or delete.
Controls Assurance Program Management | The following calculations do not validate: Count of Non-Compliant Controls; % of Non-Compliant Controls; Compliance Rating; Operational Risk Value; Calculated Residual Risk | Drag off layout or delete.

Control Procedures

Related Use Case | Dependency | Resolution
Audit Engagements and Workpapers | The following reference fields are not available: Audit Engagements (Control Procedures); Audit Entity; Audit Workpapers (Control Procedures); Audit Program Library (Control Procedures) | No action needed.
Audit Engagements and Workpapers | The following calculations do not validate: Audit Design Effectiveness Rating; Audit Operating Effectiveness Rating | Drag off layout or delete.
Any use case that contains the Storage Devices application. | The Storage Devices reference field is not available. | No action needed.
Policy Program Management | The following reference fields are not available: Control Standards; Authoritative Sources; Policy Change Requests | No action needed.
IT Controls Assurance | The following reference fields are not available: Control Self Assessments; Configuration Checks; Operating Test Results; Design Test Results | No action needed.
Control Monitoring Program Management | The following reference fields are not available: Control Standards; Authoritative Source; Operating Test Results; Design Test Results; Control Self Assessments | No action needed.
Information Security Management Systems | The Configuration Checks reference field is not available. | No action needed.
Controls Assurance Program Management | The Historical Compliance Data reference field is not available. | No action needed.
Controls Assurance Program Management | The following calculations do not validate: Total Sample Tested; Total Exceptions; Tested %; Sample Progress; Exception %; Compliance Operating Effectiveness Rating; Compliance Design Effectiveness Rating; Management Assessment Rating From Control Assessments; Sox Scoping; Compliance; ELC Reliance; Operational Risk Exposure Value; Operational Risk Exposure; SOX Management Assessment Rating; SOX Compliance Design Effectiveness Rating; SOX Compliance Operating Effectiveness Rating; SOX Compliance | Drag off layout or delete.
BC/DR Planning | The BCM Risk Register (Control Procedures) reference field is not available. | No action needed.
Business Impact Analysis | The following calculations do not validate: Material Business Process; Activity Level Control Evaluation | Drag off layout or delete.
Not all Enterprise Apps Licensed | The following calculations do not validate: Device Risk Value; Device Risk Rating; High Criticality Devices; ITGC Evaluation; Entity Level Control Evaluation; Sox Evaluation | Not all Enterprise Apps Licensed.

Applications

Related Use Case | Dependency | Resolution
Audit Planning | The Audit Entity (Control Procedures) reference field is not available. | No action needed.
Any use case that contains the Storage Devices application. | The Storage Devices reference field is not available. | No action needed.
Any use case that contains the Information Assets application | The Information Assets reference field is not available. | No action needed.
Audit Engagements and Workpapers | The Audit Engagements (Applications) reference field is not available. | No action needed.
IT Security Vulnerabilities Program | The Vulnerability Trending (Application) reference field is not available. | No action needed.
IT Risk Management | The following reference fields are not available: Applications Assessment; Threat Project (Applications) | No action needed.
BC/DR Planning | The following reference fields are not available: BCM Risk Register (Applications); Requirements (Applications); Activated Plans (Applications); Business Continuity Plans | No action needed.
IT Security Vulnerabilities Program | The Vulnerability Scans (Application) reference field is not available. | No action needed.
Crisis Management | The Crisis Events reference field is not available. | No action needed.
Controls Monitoring Program Management | The following calculations do not validate: Criticality Rating; Recovery Time Objective (RTO); Recovery Point Objective (RTO) | Drag off layout or delete.
Business Impact Analysis | The following calculations do not validate: Next Assessment Date; Average Inherent Risk Score; Number of Assessments; Average Residual Risk Score; Last Assessment Risk Rating; Number of Open Assessment Findings; Last Assessment Date | Drag off layout or delete.
Not all Enterprise Apps Licensed | The following calculations do not validate: High Risk Vulnerabilities; High Risk Vulnerabilities; Avg % of Non-Compliance; Compliance Rating; Roll-up Risk Rating Helper; Roll-up Risk Rating; Roll-up Risk Rating; Roll-up Risk Rating Helper RATING | Drag off layout or delete.

Contacts

Related Use Case | Dependency | Action
Third Party Catalog | The Third Party Profile reference field is not available. | No action needed.
Any use case that contains the Devices application | The Devices (Alternate Administrator) reference field is not available. | No action needed.
Any use case that contains the Storage Devices application. | The Storage Devices reference field is not available. | No action needed.
Security Operations & Breach Management | The following reference fields are not available: Emergency Notifications (Call Initiator); Emergency Notifications (Call Recipient); Training Courses | No action needed.
Business Impact Analysis | The following reference fields are not available: BIA (Audit Participant); BIA (Finance Participant); BIA (Process Owner); BIA (Real Estate Participant); BIA (IT Participant); BIA (Regulatory Participant) | No action needed.
Audit Engagements & Workpapers | The following reference fields are not available: Expense Reports; Base Availability; Degrees and Certifications | No action needed.
BC/DR Planning | The following reference fields are not available: Activated Plans (Recovery Team); Roles and Responsibilities (Primary Lead); Roles and Responsibilities (Secondary Contact); Roles and Responsibilities (Tertiary Contact); Business Continuity Plans (Plan Declaration Authority); Business Continuity Plans (BCP Team Members); Business Continuity Plans (External Contacts) | No action needed.
Security Operations & Breach Management | The Degrees and Certifications reference field is not available. | No action needed.
Security Incident Management | The Security Alerts (Related Contact) reference field is not available. | No action needed.

Corporate Objectives

| Related Use Case | Dependency | Action |
|---|---|---|
| Audit Engagements and Workpapers | The following reference fields are not available: Audit Engagements (Corporate Objectives); Audit Entity | No action needed. |
| Security Operations & Breach Management and Policy Program Management | The Related Policies reference field is not available. | No action needed. |
| Business Impact Analysis | The following reference fields are not available: Business Impact Analysis (Corporate Objectives); Business Impact Analysis Archive (Corporate Objectives) | No action needed. |

Facilities

| Related Use Case | Dependency | Resolution |
|---|---|---|
| Audit Engagements and Workpapers | The following reference fields are not available: Audit Engagements; Audit Entity | No action needed. |
| Third Party Catalog | The Engagements (Facilities) reference field is not available. | No action needed. |
| Any use case that contains the Devices application | The Devices reference field is not available. | No action needed. |
| IT Security Vulnerabilities Program | The Vulnerability Trending (Facility) reference field is not available. | No action needed. |
| IT Risk Management | The Threat Project (Facilities) reference field is not available. | No action needed. |
| BC/DR Planning | The following reference fields are not available: BCM Risk Register (Facilities); Requirements (Facility); Requirements (Affected Facilities); Activated Plans (Facilities) | No action needed. |
| IT Security Vulnerabilities Program | The Vulnerability Scans (Application) reference field is not available. | No action needed. |
| Crisis Management | The Crisis Events (Facilities) reference field is not available. | No action needed. |
| Third Party Catalog | The Vendors reference field is not available. | No action needed. |
| Third Party Catalog | The Vendor Related Helper calculation does not validate. | Drag off layout or delete. |
| Incident Management | The Incidents reference field is not available. | No action needed. |
| Incident Management | The Total # of Incidents calculation does not validate. | Drag off layout or delete. |
| Security Operations & Breach Management | The Security Controls (Affected Facility) reference field is not available. | No action needed. |
| Security Incident Management | The Security Incidents (Affected Facility) reference field is not available. | No action needed. |
| Corporate Obligations Management | The Regulatory Intelligence Review reference field is not available. | No action needed. |
| Not all Enterprise Apps Licensed | The following calculations do not validate: Criticality Rating; Next Assessment Date | Drag off layout or delete. |
| Any use case that contains the Information Assets application | The Information Assets reference field is not available. | No action needed. |

Loss Events

| Related Use Case | Dependency | Action |
|---|---|---|
| Incident Management | The Incidents reference field is not available. | No action needed. |
| Policy Program Management | The Violated Policies reference field is not available. | No action needed. |
| Third Party Catalog | The Associated Engagements reference fields are not available. | No action needed. |
| Crisis Management | The Related Crisis Events reference field is not available. | No action needed. |

Products and Services

| Related Use Case | Dependency | Action |
|---|---|---|
| Audit Engagements and Workpapers | The following reference fields are not available: Audit Engagements; Audit Entity | No action needed. |
| Crisis Management | The Crisis Events (Products and Services) reference field is not available. | No action needed. |
| Corporate Obligations Management | The Regulatory Intelligence Review reference field is not available. | No action needed. |
| BC/DR Planning | The BCM Risk Register (Products and Services) reference field is not available. | No action needed. |
| Control Assurance Program Management | The following calculations do not validate: Compliance Rating; Average Business Process Risk Level; Maximum Business Process Risk Level; Risk Rating | Drag off layout or delete. |

Risk Project

| Related Use Case | Dependency | Action |
|---|---|---|
| Any use case that contains the Information Assets application. | The Information Assets reference field is not available. | No action needed. |
| Any use case that contains the Devices application | The Devices reference field is not available. | No action needed. |
| IT Risk Management | The following reference fields are not available: Application Assessments; Device Assessments | No action needed. |

Step 2: Delete Obsolete Objects


Packaging does not delete obsolete objects. RSA recommends that you delete these objects because
they may affect how the applications function. For the following examples, follow these guidelines:

• If you select Override Layout when you install the package, the package installation process
removes old fields from the layout, if those fields do not also exist on the Source Package layout.
All fields removed from the layout are in the Available Fields list.

• Evaluate your need for certain data driven events (DDE), pre-existing rules, and actions that were
not updated through Packaging. Delete any obsolete rules and actions.

• Verify the DDE and calculation order and update it if necessary.

• Evaluate pre-existing notifications and reports that Packaging did not update. Delete obsolete
notifications and reports.

To ensure that all obsolete objects are deleted, compare the Data Dictionary to your environment.
For more information about objects, see "Packaging" in the RSA Archer Online Documentation.
Step 3: Validate Formulas and Calculation Orders


Follow these guidelines on validating formulas and calculation orders:
• The packaging process logs an error if a formula does not validate. This error may be caused by a
formula that references applications or fields that do not exist in the instance and were not part of
the package (for example, fields in applications that are part of a different use case). Review
those fields to determine if they are needed.
  ◦ If a field is needed, modify the formula to remove references to applications or fields that do
  not exist in your instance. Fields that do not exist in your instance are identified with an
  exclamation mark.
  ◦ If a field is not needed, delete the field or remove it from the layout. If the field is not deleted,
  removing the formula prevents errors from being written in the log files when records are
  saved.

• Verify the order of calculations for each application and sub-form in the use case. See the Data
Dictionary for calculation orders for each individual application or sub-form.

• Update the order of calculations as needed for each application and subform in the use case.

For more information about deleting objects, see "Deleting Fields" in the RSA Archer Online
Documentation.

Step 4: Verify Key Fields


Packaging does not change key fields. To verify the key fields in each application, see the Data
Dictionary.
Step 5: Update Inherited Record Permissions Fields


Packaging does not remove inherited record permissions fields or user/groups populated in a record
permissions field. To verify the record permissions fields in each application, see the Data
Dictionary.

Setting Up Operational Risk Management Data Feeds


Import the data feeds in the following order:
1. Create Risks and Associated Metrics from Library Individual (BU)

2. Clear Metric Risk Library Individual Settings From Business Process

3. Create Risks and Associated Metrics From Library Grouping (BU)

4. Clear Metric Risk Library Grouping Settings From Business Unit (BU)

5. Create Metrics From Metric Library For BU

6. Clear Metric Library Linkage From Business Unit


Step 1: Import a Data Feed

1. Go to the Manage Data Feeds page.

a. From the menu bar, click .

b. Under Integration, click Data Feeds.

2. In the Manage Data Feeds section, click Import.

3. Locate and select the .dfx5 file for the data feed.

4. From the General tab in the General Information section, in the Status field, select Active.

5. Click the Transport tab. Complete the fields in the Transport Configuration section as follows:

a. In the URL field, type: YourServerName/VirtualDirectoryName/ws/search.asmx

b. In the User Name and Password fields, type the username and password of a Platform user
that has API access and access to all of the records on the Platform instance (from which the
data feed is coming).

c. In the Instance field, type the name of the Platform instance from which the data feed is
coming (this is the instance name as you enter it on the Login window).

6. Verify that key field values are not missing from the data feed setup window.

7. Click Save.
Step 2: Schedule a Data Feed

Important: A data feed must be active and valid to successfully run.

As you schedule your data feed, the Data Feed Manager validates the information. If any
information is invalid, an error message is displayed. You can save the data feed and correct the
errors later; but the data feed does not process until you make corrections.
1. Go to the Schedule tab of the data feed that you want to modify.

a. From the menu bar, click .

b. Under Integration, click Data Feeds.

c. Select the data feed.

d. Click the Schedule tab.

2. Go to the Recurrences section and complete frequency, start and stop times, and time zone.

| Field | Description |
|---|---|
| Frequency | Specifies the interval in which the data feed runs, for example, Minutely, Hourly, Daily, Weekly, Monthly, or Reference. |
| Frequency: Minutely | Runs the data feed by the interval set. For example, if you specify 45 in the Every list, the data feed executes every 45 minutes. |
| Frequency: Hourly | Runs the data feed by the interval set, for example, every hour (1), every other hour (2), and so forth. |
| Frequency: Daily | Runs the data feed by the interval set, for example, every day (1), every other day (2), and so forth. |
| Frequency: Weekly | Runs the data feed based on a specified day of the week, for example, every Monday of the first week (1), every other Monday (2), and so forth. |
| Frequency: Monthly | Runs the data feed based on a specified week of the month, for example, 1st, 2nd, 3rd, 4th, or Last. |
| Frequency: Reference | Runs the current data feed after a specified data feed, which runs before the current one. This option indicates to the Data Feed Service that this data feed starts as soon as the referenced data feed completes successfully. For example, you can select to have a Threats data feed run immediately after your Assets data feed finishes. From the Reference Feed list, select the existing data feed after which the current data feed starts. A reference data feed does not run when you run a data feed immediately. The Run Data Feed Now option only runs the current data feed. |
| Every | Specifies the interval of the frequency in which the data feed runs. |
| Start Time | Specifies the time the data feed starts running. |
| Start Date | Specifies the date on which the data feed schedule begins. |
| Time Zone | Specifies the time zone of the server that runs the data feed. |

3. (Optional) To override the data feed schedule and immediately run your data feed, in the Run
Data Feed Now section, click Start.

4. Click Save.

Chapter 4: Creating Self Assessments


The same advanced workflow applies to each self-assessment.
Create a pRCSA
User: Risk Manager
The pRCSA originates in the Assessment Campaign application. A Risk Manager can create a new
Campaign that, in turn, creates self-assessments to be filled.
1. From the Assessment Campaign Record Browser, click New Record.

2. In the Assessment Campaign Name field, enter an assessment campaign name.

3. In the Scoping Self-Assessment section, for the Assessment Type field, select pRCSA.

4. In the Scoping Method field, select a scoping method for the assessment:

• By Business Unit. RSA Archer creates a self-assessment for each selected Business Unit,
with all the risks, controls, and Business Processes tied to it.

• By Business Processes. RSA Archer creates a self-assessment for each Business Unit tied to
a selected Business Process, with all of the risks and controls tied to it.

• By Products and Services. RSA Archer creates a self-assessment for each Business Unit tied
to a selected Business Process, with all of the risks and controls tied to it.

5. In the Business Unit, Business Process, or Products & Service field, select the Business Units,
Business Processes, or Products & Services that you want the scope of the campaign to
include.

Note: Based on the selected scope and scoping method, RSA Archer creates the corresponding
self-assessments for all Business Processes, Risks, and Controls in the Process.

6. Click the Generate Self-Assessments button.


Create an RCSA
User: Risk Manager
The RCSA originates in the Assessment Campaign application. A Risk Manager can create a new
Campaign that creates self-assessments to be filled.

1. From the Assessment Campaign Record Browser, click New Record.

2. In the Assessment Campaign Name field, enter an assessment campaign name.

3. In the Scoping Self-Assessment section, for the Assessment Type field, select RCSA.

4. In the Scoping Method field, select a scoping method for the assessment:

• By Business Unit. RSA Archer creates a self-assessment for each selected Business Unit,
with all the risks, controls, and Business Processes tied to it.

• By Business Processes. If the Business Processes scoping method is selected, RSA Archer
creates a self-assessment for each Business Unit tied to a selected Business Process, with all
of the risks and controls tied to it.

• By Products and Services. RSA Archer creates a self-assessment for each Business Unit tied
to a selected Business Process, with all of the risks and controls tied to it.

5. In the Business Unit, Business Process, or Products & Service field, select the Business Units,
Business Processes, or Products & Services that you want the scope of the campaign to
include.
Based on the selected scope and scoping method, RSA Archer creates the corresponding
self-assessments for all Risks and Controls in the Process.

6. Click the Generate Self-Assessments button.


Create a CSA
User: Risk Manager
The CSA originates in the Assessment Campaign application. A Risk Manager can create a new
Campaign that will, in turn, create self-assessments to be filled.
1. From the Assessment Campaign Record Browser, click New Record.

2. In the Assessment Campaign Name field, enter an assessment campaign name.

3. In the Scoping Self-Assessment section, for the Assessment Type field, select CSA.

4. In the Scoping Method field, select a scoping method for the assessment:

• By Business Unit. RSA Archer creates a self-assessment for each selected Business Unit,
with all the risks, controls, and Business Processes tied to it.

• By Business Processes. RSA Archer creates a self-assessment for each Business Unit tied to
a selected Business Process, with all of the risks and controls tied to it.

• By Products and Services. RSA Archer creates a self-assessment for each Business Unit tied
to a selected Business Process, with all of the risks and controls tied to it.

5. In the Business Unit, Business Process, or Products & Service field, select the Business Units,
Business Processes, or Products & Services that you want the scope of the campaign to
include.
Based on the selected scope and scoping method, RSA Archer creates the corresponding
self-assessments for all Controls in the Process.

6. Click the Generate Self-Assessments button.

Chapter 5: Using Palisade @Risk with Operational Risk Management

You can optionally use the Palisade @Risk integration with the RSA Archer Operational Risk
Management use case. When using Palisade @Risk, you can use either the Expert Elicitation
method or the Historical Loss method.
The Expert Elicitation method requires that you enter data based on expert predictions whereas the
Historical Loss Data method requires that you have actual Loss Events tied to your Risk Register
records. Both methods require you to export data, prepare the data for simulation, run Monte Carlo
simulation, and import the Monte Carlo results data into the Risk Register application. While RSA
Archer supports Monte Carlo simulation using the Palisade @Risk tool, you can use other Monte
Carlo tools by following similar data export and import procedures.
The Expert Elicitation method generates both inherent and residual risk ratings, whereas the
Historical Loss method only generates historical residual risk ratings. It is not possible to derive
Inherent Risk solely utilizing historical loss events. If you are performing Monte Carlo simulation
based on historical loss events and you want to express inherent risk, you must first complete the
expert elicitation for those risk register records, and run Monte Carlo based on expert elicitation.

Note: Once you install the Operational Risk Management license key, you still need to apply the
Monte Carlo package. The Monte Carlo package provides the extra fields and reports needed to
execute the following steps for either Expert Elicitation or Historical Loss methods.

Using the Expert Elicitation Method

Step 1: Enter Risk Register Data for Expert Elicitation

1. In RSA Archer GRC, in the Risk Register application, create a new record for each risk you
want to run with Monte Carlo simulation.

2. In the Assessment Approach field, select Monte-Carlo.

3. In the Monte Carlo Simulation section, in the Select calculation method for the Residual Risk
reporting field, select Expert Elicitation.

4. In the Monte Carlo Simulation section, in the Monte Carlo: Expert Elicitation Inputs fields, do
the following:

a. In the Impact Distribution Function field, select one of the following:

• 3-Point Estimate (PERT)

• 3-Point Estimate (Triangular)

• Log Normal

• Normal

• Uniform

b. In the Single or Multiple Occurrence field, select Single or Multiple.

c. Based on the values you selected for the distribution and occurrence, enter data for the other
required fields.

5. After filling out the records, in the Is this record ready for simulation? field, select Yes.

6. From the Risk Register application navigation menu, open the Expert Elicitation report.

Note: Only records with the Status field set to Active are included in the report.

7. Click Export, and select CSV.

8. Select Exclude all HTML formatting tags, and click OK.

9. When the export is complete, access the file and save it as expert_elicitation.csv.

Step 2: Run Palisade Simulation

1. Open Palisade @Risk.

2. In the @Risk toolbar, set the number of iterations.

3. Click Start Simulation.


@Risk performs the simulation and populates columns S through Z.

4. Save the simulation results as expert_elicitation_output.csv.

5. When prompted to save @Risk Simulation Results and Graphs, click No.

Step 3: Import Simulation Results into the Risk Register

1. Open the provided import template file, expert_elicitation_import_template.csv, and paste in the
contents of expert_elicitation_output.csv.

2. Ensure that the values in the Date of Last Execution column are in a Date format.

3. Save the file.

4. Import the file into the Risk Register application:

a. In RSA Archer GRC, click Administration > Integration > Manage Data Imports.

b. In the Risk Register row, click Import.

c. In the General Information section, click Browse.

d. Click Add New, select your .csv file, click Open, and then click OK.

e. Click Next.

f. In the Import Type field, select Update Existing Records.

g. In the Application Field(s) field, select Risk ID.

h. In the Import Field Mapping section, ensure that all the values in the Application Fields row
match the column headers.

i. Click Next.

j. Ensure that the summary information from the Data Import Wizard is correct. Click Import.

Expert Elicitation Simulation Results


Once you have imported the simulation data back into your RSA Archer system, you can open an
individual Risk Register record to see the results in the following places:
• The Monte Carlo Results: Expert Elicitation section displays the inherent and residual Value at
Risk (VaR) values and the inherent and residual expected losses that Palisade @Risk calculated.

• The Monte Carlo Risk Scores Normalization section displays an overall risk rating for inherent
and residual risk, based on the Palisade @Risk results. For Expert Elicitation, the Inherent Risk
score is based on the Inherent VaR (95%) value and the Residual Risk score is based on the
Residual VaR (95%) value.

Note: The Data Used for Last Execution section displays the data that the simulation results are
based on, in the case that the input values have been changed.

The Monte Carlo risk scores also factor into the following risk ratings:
• The Calculated Risk tab displays an Adjusted Monte Carlo Residual Risk rating, which estimates
the overall risk to the organization using the Residual Risk - Monte Carlo value.

• In the Overall Risk section, the Inherent Risk and Residual Risk ratings are based on the Inherent
Risk - Monte Carlo value and the Calculated Residual Risk rating is based on the Adjusted
Monte-Carlo Residual Risk value.

Using the Historical Loss Method

Step 1: Enter Risk Register Data for Historical Loss

1. For each record in the Risk Register application you want to run with Historical Loss simulation,
in the Monte Carlo Simulation section, select Historical Loss as the calculation method for the
Residual Risk reporting field.

2. After filling out the record, in the Is this record ready for simulation? field, select Yes.

3. From the Risk Register application navigation menu, open the Frequency of Loss Events Per
Month report.

4. Click Export, and select CSV.

5. Select Exclude all HTML formatting tags, and click OK.

6. When the export is complete, access and save the file as Frequency per Month by Risk.csv.

7. Repeat steps 5 to 8 for the Loss Events for Last 3 Years report, and save the file as Loss Events
by Risk.csv.

8. Combine the two .csv files into a single workbook, with Frequency per Month by Risk as the first
worksheet and Loss Events by Risk as the second worksheet. Save the workbook as Historical
Loss.xlsx.

Step 2: Prepare Historical Loss Data for Simulation

1. In Excel, in your Historical Loss workbook, from the Frequency per Month by Risk data, create
a new Frequency worksheet:

a. Select the A1 cell.

b. Click Insert > PivotTable, ensure that the selected Table/Range values are the entire table
and that New Worksheet is selected, and click OK.

c. In the PivotTable Field List section, drag the fields to the following areas:

• Risk ID to Row Labels

• Date of Occurrence to Row Labels

• Count of Loss Event Name to Values

d. Paste the pivot table data into a new worksheet in your Historical Loss workbook, and name
the worksheet Frequency.

Note: Ensure that you have three worksheets in your workbook: Frequency by Month per
Risk, Loss Events per Risk, and Frequency.

2. From the Loss Events by Risk data, create a new Loss worksheet:

a. Insert a new column A, titled Row ID, and copy the following formula to each row.
=IF(B2=B1, A1 + 1,1)
The Row ID value should increment by one for each Risk ID and should reset when the Risk
ID changes.

b. Select the A1 cell.

c. Click Insert > PivotTable, ensure that the selected Table/Range values are the entire table
and that New Worksheet is selected, and click OK.

d. In the PivotTable Field List section, drag the fields to the following areas:

• Risk ID to Column Labels

• Row ID to Row Labels

• Gross Loss Amount to Values

e. Paste the pivot table data into a new worksheet in your Historical Loss workbook, and name
the worksheet Loss.

Note: Ensure that you have four worksheets in your workbook: Frequency by Month per
Risk, Loss Events per Risk, Frequency, and Loss.

3. Run Batch Fit on the Frequency worksheet data to create a Frequency Fit Results worksheet:

a. Select the data in the Frequency worksheet.

b. Open Palisade @Risk.

c. In the @Risk tab, click Distribution Fittings > Batch Fit.

d. In the Range field, ensure that the range covers just the table data, not the header row or first
column.

e. In the Type field, select Discrete Sample Data.

f. Click the Report tab, and in the Options section, deselect Include Detailed Report Worksheet
for Each Fit and Include Correlations.

g. Click Fit.

h. Copy the results into a new Frequency Fit Results worksheet in your workbook.

Note: Ensure that you have five worksheets in your workbook: Frequency by Month per Risk,
Loss Events per Risk, Frequency, Loss, and Frequency Fit Results.

4. Run Batch Fit on the Loss worksheet data to create a Loss Fit Results worksheet:

a. Select the data in the Loss worksheet.

b. In the @Risk tab, click Distribution Fittings > Batch Fit.

c. In the Range field, ensure that the range covers just the table data, not the header row or first
column.

d. In the Type field, select Continuous Sample Data.

e. Click the Report tab, and in the Options section, deselect Include Detailed Report Worksheet
for Each Fit and Include Correlations.

f. Click Fit.

g. Copy the results into a new Loss Fit Results worksheet in your workbook.

Note: Ensure that you have six worksheets in your workbook: Frequency by Month per Risk,
Loss Events per Risk, Frequency, Loss, Frequency Fit Results, and Loss Fit Results.

5. Create a Simulation worksheet in your Historical Loss workbook:

a. Create a new blank worksheet with the following columns:

• Risk ID

• Frequency

• Severity

• Impact

• Historical Residual Expected Loss

• Historical Residual VaR (95%)

• Historical Residual VaR (99%)

b. In the Risk ID column, copy the column headers from the Frequency worksheet (Risk IDs)
and click Paste > Transpose.

c. In the Frequency column, for each row, reference the Function result cell on the Frequency
Fit worksheet for the matching Risk ID.
Important: The simulation does not work correctly if you either paste the value from the
referenced cell or paste the formula from the cell. You must reference the cell for the
simulation to work correctly. For example, if the referenced cell is B9 on the Frequency Fit
worksheet, you should enter ='FrequencyFit'!B9, not =RiskPoisson(8.6) (the actual formula)
or 9 (the actual value).

d. In the Severity column, for each row, reference the Function result cell on the Loss Fit
worksheet for the matching Risk ID.

e. In the Impact column, for each row, create a RiskCompound formula against the Frequency
and Severity cells. For example, =RiskCompound(B2,C2)

f. In Historical Residual Expected Loss column, for each row, create a RiskMean formula
against the Impact cell in that row. For example, =RiskMean(D2)

g. In the Historical Residual VaR (95%) column, for each row, create a RiskPercentile formula
against the Impact cell in that row. For example, =RiskPercentile(D2,.95)

h. In the Historical Residual VaR (99%) column, for each row, create a RiskPercentile formula
against the Impact cell in that row. For example, =RiskPercentile(D2,.99)
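
The frequency and severity model that the Simulation worksheet builds with RiskCompound, RiskMean, and RiskPercentile can be reproduced in another Monte Carlo tool, as the chapter introduction allows. The following Python is an added example, not RSA or Palisade code: it reads loss events, fits a frequency and a severity distribution per Risk ID, and returns the three Historical Residual values per month. Assumptions: the sample rows are constructed, dates are ISO formatted, the window is 36 months (the Loss Events for Last 3 Years report), Poisson and lognormal fits stand in for whatever Batch Fit would select, and all function names are hypothetical.

```python
import csv
import io
import math
import random
import statistics
from collections import Counter, defaultdict

# Constructed sample rows; column names are the fields the guide's pivot steps use.
LOSS_EVENTS_CSV = """Risk ID,Date of Occurrence,Gross Loss Amount
RISK-1,2016-01-14,12000
RISK-1,2016-01-29,8000
RISK-1,2016-05-03,15000
RISK-1,2016-11-20,9500
RISK-1,2017-02-08,20000
RISK-1,2017-07-17,11000
RISK-1,2017-07-30,7000
RISK-1,2018-03-12,30000
RISK-1,2018-09-05,13000
RISK-2,2016-04-02,50000
RISK-2,2016-12-15,42000
RISK-2,2017-06-21,75000
RISK-2,2017-10-09,61000
RISK-2,2018-02-27,38000
RISK-2,2018-08-14,90000
"""


def load_events(text):
    """Return {risk_id: [(month, gross_loss), ...]} from the exported CSV text."""
    events = defaultdict(list)
    for row in csv.DictReader(io.StringIO(text)):
        amount = float(row["Gross Loss Amount"])
        if amount > 0:  # a lognormal severity fit needs strictly positive losses
            events[row["Risk ID"]].append((row["Date of Occurrence"][:7], amount))
    return dict(events)


def monthly_counts(risk_events, months_observed):
    """Events per month (the Frequency worksheet), with zero-event months added back."""
    counts = list(Counter(month for month, _ in risk_events).values())
    # Months without a loss event never appear in an export of loss events.
    return counts + [0] * max(0, months_observed - len(counts))


def fit(risk_events, months_observed):
    """Fit Poisson frequency and lognormal severity; return (lam, mu, sigma)."""
    lam = statistics.fmean(monthly_counts(risk_events, months_observed))
    logs = [math.log(amount) for _, amount in risk_events]
    return lam, statistics.fmean(logs), statistics.pstdev(logs)


def poisson(rng, lam):
    """Draw one Poisson variate (Knuth's method; fine for small monthly rates)."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate(lam, mu, sigma, iterations=20000, seed=1):
    """Compound frequency and severity per iteration, like RiskCompound(B2,C2)."""
    rng = random.Random(seed)  # fixed seed so the run is repeatable
    totals = sorted(
        sum(rng.lognormvariate(mu, sigma) for _ in range(poisson(rng, lam)))
        for _ in range(iterations)
    )

    def percentile(q):
        return totals[min(iterations - 1, math.ceil(q * iterations) - 1)]

    return {
        "Historical Residual Expected Loss": statistics.fmean(totals),
        "Historical Residual VaR (95%)": percentile(0.95),
        "Historical Residual VaR (99%)": percentile(0.99),
    }


def run(text, months_observed=36):
    """Return {risk_id: simulated monthly loss figures} for every Risk ID."""
    events = load_events(text)
    return {
        risk: simulate(*fit(events[risk], months_observed))
        for risk in sorted(events)
    }
```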

Step 3: Run Palisade Simulation

1. In RSA Archer GRC, click Administration > Integration > Manage Data Imports.

2. In the Risk Register row, click Import.

3. In the General Information section, click Browse.

4. Click Add New, select historical_loss_output.csv, click Open, and then click OK.

5. Click Next.

6. In the Import Type field, select Update Existing Records.

7. In the Application Field(s) field, select Risk ID.

8. In the Import Field Mapping section, ensure that the Row ID, Historical Residual Expected Loss,
Historical Residual VaR (95%), and Historical Residual VaR (99%) fields are correctly mapped.

9. Click Next.

10. Ensure that the summary information from the Data Import Wizard is correct, and click Import.

Historical Loss Simulation Results


After you import the simulation data back into your RSA Archer system, you can open an individual
Risk Register record to see the results in the following places:
- The Monte Carlo Results: Historical Data section displays the historical residual Value At Risk
  (VaR) values and the residual expected loss value that Palisade @Risk calculated.

- The Monte Carlo Risk Scores Normalization section displays an overall risk rating for inherent
  and residual risk, based on the Palisade @Risk results. For Historical Loss Data, the Inherent
  Risk score is still based on the Inherent VaR (95%) value calculated from Expert Elicitation
  while the Residual Risk score is based on the Historical Residual VaR (95%) value.

Note: The Data Used for Last Execution section displays the data that the simulation results are
based on, in case the input values have been changed.

The Monte Carlo risk scores also factor into the following risk ratings:
- The Calculated Risk tab displays an Adjusted Monte Carlo Residual Risk rating, which estimates
  the overall risk to the organization using the Residual Risk - Monte Carlo value.

- In the Overall Risk section, the Inherent Risk and Residual Risk ratings are based on the Inherent
  Risk - Monte Carlo value, and the Calculated Residual Risk rating is based on the Adjusted Monte
  Carlo Residual Risk value.

Appendix A: Package Installation Log Message Examples

When you install a use case package, certain error messages are expected, depending on which
other use cases you have licensed in your system. The following sections describe some of the most
common error messages that you may see. You may use these as guidelines, but you should review
your package installation log and determine any actions you need to take.
For information on the dependencies for each solution, see the Data Dictionary.

Object Type: Alias
Message: Object Name Alias was changed from Original Alias to New Alias.
Explanation: This message is an informational warning indicating that the Alias was updated on the
object. There are two reasons for an alias in the Target Instance to have been updated:
  - Update was in the Source Package.
  - Alias has to be unique in the Target Instance. If the alias already exists in Target,
    packaging adds a unique identifier to the end.
Remediation: This message is only potentially an issue if the change occurs on a field that is
utilized in a Mail Merge Template or Data Publication Service. In that scenario, update the DPS or
the mail merge template with the new alias.

Object Type: Field
Message: Field Name in the application Application Name cannot be changed from a private field to
a public field.
Explanation: This message is an informational warning notifying you that packaging does not change
a private field in the target instance to a public field.
Remediation: Change the field to public manually (optional).

Object Type: Field
Message: Field Field Name could not be saved due to inability to identify the related module.
Explanation: This message is seen when a cross-reference or related record field could not be
created because the related application does not exist in the target instance. This message usually
occurs because the field is part of a related use case that is not licensed or has not been updated
in the target instance.
Remediation: If the use case is not licensed, no action is necessary.
  Note: If you later license a use case that contains that application, you may re-install the
  Use Case Name package in order to resolve this warning.
  If the use case has not been updated, do the following:
  1. Install the package for the use case containing the related application. You must have a
     license for the related application.
  2. Reapply the original package to resolve the warning.
  See the Data Dictionary.

Object Type: Field
Message: The calculated field Field Name in the application Application Name cannot be verified.
Explanation: The formula in the calculated field is incorrect. Most often, this message occurs when
the formula references a field in a related application and either the field or the application
does not exist in the target instance or is not licensed. This may be because the application is in
a related use case that has not been updated.
Remediation: Do either of the following:
  - Modify the formula to remove the reference to the unavailable field.
  - Install the package for the use case containing the related application (you must have a
    license for the related application), then reapply the original package to resolve the warning.
  See the Data Dictionary.

Object Type: Field
Message: Field Field Name was not found and removed from a collection.
Explanation: This warning may be seen on Inherited Record Permission fields, cross-reference/related
record fields (record lookup and grid display), or as a display field in a report. The warning means
that the field could not be found in the target instance and was not included in the package. This
is usually because the field is part of an application in a related core solution that has not been
updated in the target instance or is not licensed.
Remediation:
  1. Install the package for the use case containing the related application (to obtain the
     missing field). You must have a license for the related application.
  2. Reapply the original package to resolve the warning.
  See the Data Dictionary.
  If you do not have a license for the related application, you may ignore this message, and the
  field remains omitted from the object.

Object Type: Advanced Workflow
Message: The advanced workflow was installed, but is inactive. Please review and activate.
Explanation: All advanced workflows are installed as inactive. You must review and activate the
workflow.
Remediation: Go to the Advanced Workflow tab in the application or questionnaire, review the
workflow, then click Activate.

Object Type: Advanced Workflow
Message: Minor failure: Advanced workflow HTTP request error: 404 not found.
Explanation: This failure message may appear if certain services were not running when you installed
the package.
Remediation:
  1. Verify that the Advanced Workflow Service and the Job Service are running.
  2. Reapply the package.

Object Type: Access Role
Message: Access rights to the following page could not be configured due to missing module Module
Name.
Explanation: The Module Name application or questionnaire belongs to a use case that you have not
licensed or does not exist in the instance.
Remediation: None. If you later license a use case that contains that application, you may
re-install the Use Case Name package in order to resolve this warning.

Object Type: Access Role
Message: The following page referenced in a link cannot be resolved: Page Name.
Explanation: Page Name belongs to an application in a use case that you have not licensed.
Remediation: None. If you later license a use case that contains that application, you may
re-install the Use Case Name package in order to resolve this warning.

Object Type: Event Action
Message: Module Name DDE Name was updated but has page layout discrepancies.
Explanation: This warning usually occurs when a cross-reference or related record field is on the
layout in the package but is not licensed or does not exist in the target instance. Occurs on Apply
Conditional Layout actions.
Remediation: Review the DDE and the layout and determine if any modifications should be made to the
layout. If you later license a use case that contains that application, you may re-install the Use
Case Name package in order to resolve this warning.

Object Type: Field
Message: Contained Reference field : Field Name 1 was not found in the target instance and was
removed from multi-reference field : Field Name 2.
Explanation: Field Name 1 references an application that does not exist in the target instance or
is not licensed.
Remediation: None. If you later license a use case that contains that application, you may
re-install the Use Case Name package in order to resolve this warning.

Object Type: Field
Message: Cross Reference View/Edit Display field : Field Name 1 was not found in the target
instance and was removed from field : Field Name 2.
Explanation: Field Name 1, configured to display in the reference field grid, is missing from the
application it belongs to.
Remediation: No action is necessary. You can also add the field to the other application by
installing the package that the related application belongs to.

Object Type: Field
Message: Related Record View/Edit Display field : Field Name 1 was not found in the target instance
and was removed from field : Field Name 2.
Explanation: Field Name 1, configured to display in the reference field grid, is missing from the
application it belongs to.
Remediation: No action is necessary. You can also add the field to the other application by
installing the package that the related application belongs to.

Object Type: Field
Message: History Log Field Selection field : Field Name was not found in the target instance and
was removed from history log field : History Log.
Explanation: This message usually occurs when a history log field includes a cross-reference or
related record as a tracked field, but that cross-reference or related record could not be created
because the related application either does not exist in the target or is not licensed.
Remediation: None. If you later license a use case that contains that application, you may
re-install the Use Case Name package in order to resolve this warning.

Object Type: Field
Message: Inherited User/Group field : Field Name 1 was not found in the target instance and was
removed from field : Field Name 2.
Explanation: Field Name 1 belongs to an application in a use case that does not exist in the target
or is not licensed.
Remediation: None. If you later license a use case that contains that application, you may
re-install the Use Case Name package in order to resolve this warning.

Object Type: iView
Message: The following page referenced in a link cannot be resolved: Page Name.
Explanation: Page Name belongs to an application in a use case that does not exist in the target or
is not licensed.
Remediation: Modify the iView to remove the unresolved link or delete the iView. If you later
license a use case that contains that application, you may re-install the Use Case Name package in
order to resolve this warning.

Object Type: Navigation Menu
Message: Unable to update Navigation Menu Application Name. Field Field Name not found.
Explanation: Application Name belongs to a use case that does not exist or is not licensed.
Remediation: None. If you later license a use case that contains that application, you may
re-install the Use Case Name package in order to resolve this warning.

Object Type: Report
Message: Report Name report could not be created. There are no display fields for this report.
Explanation: Occurs when no display fields could be included in the report because the fields do
not exist in the target or are not licensed. This error is most common on statistics reports.
Remediation: None.

Object Type: Report
Message: Display field : Field Name was not found in the target instance and was removed from
report: Report Name.
Explanation: Field Name belongs to an application in a use case that does not exist or that is not
licensed.
Remediation: If the report functions without that field, then no action is needed. Otherwise,
modify the report or remove it. If you later license a use case that contains that application, you
may re-install the Use Case Name package in order to resolve this warning.

Object Type: Report
Message: Field : Field Name referenced by a statistic step was not found in the target instance and
was removed from report : Report Name.
Explanation: Field Name belongs to an application in a use case that does not exist or is not
licensed.
Remediation: If the report functions without that field, then no action is needed. Otherwise,
modify the report or remove it. If you later license a use case that contains that application, you
may re-install the Use Case Name package in order to resolve this warning.

Object Type: Report
Message: Field : Field Name used for charting was not found in the target instance and was removed
from report : Report Name.
Explanation: Field Name belongs to an application in a use case that does not exist or is not
licensed.
Remediation: If the report functions without that field, then no action is needed. Otherwise,
modify the report or remove it. If you later license a use case that contains that application, you
may re-install the Use Case Name package in order to resolve this warning.

Object Type: Report
Message: Field : Field Name was not found in the target instance and the condition was removed from
the filter.
Explanation: Occurs when a filter condition in a report is referencing an application that does not
exist or is not licensed.
Remediation: If the report functions without that field, then no action is needed. Otherwise,
modify the report or remove it. If you later license a use case that contains that application, you
may re-install the Use Case Name package in order to resolve this warning.

Object Type: Report
Message: Module Module Name was not found and removed from a search report.
Explanation: The Module Name application or questionnaire belongs to a use case that you have not
licensed.
Remediation: If the report functions without that field, then no action is needed. Otherwise,
modify the report or remove it. If you later license a use case that contains that application, you
may re-install the Use Case Name package in order to resolve this warning.

Object Type: Report
Message: Module Module Name was not found. The relationship and associated display fields were
removed from a search report.
Explanation: Occurs with n-tier reports when the report includes display fields from a related
application that does not exist or is not licensed.
Remediation: If the report functions without that field, then no action is needed. Otherwise,
modify the report or remove it. If you later license a use case that contains that application, you
may re-install the Use Case Name package in order to resolve this warning.

Object Type: Workspace
Message: The following module referenced in the Navigation menu could not be resolved: Module Name.
Explanation: The Module Name application or questionnaire belongs to a use case that does not exist
or is not licensed.
Remediation: None. If you later license a use case that contains that application, you may
re-install the Use Case Name package in order to resolve this warning.
