Non-standard policy mgmt content?
Looking for some discussion on how others have gone about adding or managing Policy Management content not available from Archer content updates. Regulations, laws, standards, controls, etc that may be industry specific or newer versions than provided from Content Library updates.
Is it outsourced or written in-house? How are changes monitored then analyzed for updates needed?
-
Hi Louis - thanks for the inquiry. Great discussion topic! I can add some quick color commentary from an internal RSA Archer perspective. Like you I'm also always eager to learn about new things our customers are doing too. Hopefully some other folks out there will chime in here.
In my experience customers rarely limit themselves to only what RSA Archer provides out-of-the-box, especially in the policy and control realm. Even though the default libraries are quite large, customers almost always have additional internal resources (existing policies are a common one) which they want to bring into the platform to manage going forward. Often times it's not about replacing those existing policies as much as optimizing the process around managing & distributing them. As well as establishing a greater degree of diligence, completeness, and accountability for ensuring the policies are aligned with higher order business requirements and followed appropriately.
By default RSA Archer's libraries are "open", meaning customers aren't limited to only what we provide and can also freely modify or remove anything which we do provide. This includes not just the content itself, but the app & solution configurations as well. In fact it's highly encouraged to "make it your own". Don't like the way it looks or what it says? No problem! Just change it! The world is your oyster in that regard.
In some cases we've actually planned for this too. For example, many Archer Control Standards have boilerplate language intended as a placeholder for customers to overwrite with their own specifics such as contact phone numbers, email addresses, corporate mission statements, etc.
The built-in Data Import and Data Feed platform functionality are the most common way that customers bring things into their libraries. Other methods like APIs are also available in addition to entering things manually.
One final comment on Authoritative Sources specifically. Most of those are large frameworks and standards that don't change very often. When they do we typically bring that updated version into the library as a net new Authoritative Source instead of adapting the old version (PCI for example). With laws & regulations it's a little trickier. But also, the trend over the past few years on those has been to focus less on replicating the full text of legal narratives like that in favor of managing through their changes. Which was the original catalyst for creating the Regulatory Intelligence and Regulatory Change functionality within the Regulatory and Corporate Compliance solution set.
Customers have routinely told us they don't want Archer to function as a legal research tool. But rather to help efficiently manage and guide the processes associated with how the organization determines the impact of rule changes and adapts its own internal policies and controls accordingly. So we built the Regulatory Intelligence application and associated workflows to be an easily configurable foundation for driving those fundamental business processes, down to the individual stakeholder accountability level. And we kept it flexible so customers could easily aggregate relevant info from whichever providers or other resources they wanted to source those updates from. This way customers have maximum latitude and choice in how they go about it. And we're not inadvertently holding them back from pursuing whatever creative solutions will work best for them.
Hope this helps provide some background info. Happy to continue the conversation with you here or offline directly if you have any other specific questions we can help answer.
Mason
0 -
Hi Louis Hebben?, I do not have the full answer but here is what I can share from my experience: I helped one client (an airline) to roll out Policy Program Management realm in Archer.
For policies: we did not use any out of the box "content" but happily adapted the default configuration that came out of the box. The intent was to do more than just "migrating" from spreadsheets into Archer. As Mason Karrer? nailed it right - it was a perfect opportunity for them to mature and improve from their current state. We used the Data Import feature to do an one-time import into Archer and then manage the policies into Archer.
For Controls, it was hybrid. We updated some, added some more and did not use the others.
Authoritative Sources, we used it AS-IS and added one more airline specific regulation into Archer.
For Corporate Objectives, we did an import of content and changed (hide) a lot of the default fields. It was NOT easy to get this information from the Business side but hey that's a given challenge!
Look forward to others participation!
0
Please sign in to leave a comment.
Comments
2 comments