RSA ARCHER GRC Platform, @RISK risk analysis software Implementation Guide


RSA ARCHER and Palisade @RISK 6.3 are two products that work together to help organizations manage risk. ARCHER is a GRC platform that provides a comprehensive set of tools for managing risks, while @RISK is a risk analysis software that can be used to simulate possible outcomes for a risk and calculate the likelihood of occurrence. This guide provides instructions for configuring the two products to work together.


RSA® ARCHER® GRC Platform

Implementation Guide

Palisade @RISK 6.3

Jeffrey Carlson, RSA Partner Engineering

Last Modified: 12/21/2016


Solution Summary

Palisade @RISK is risk and decision analysis software that runs in Microsoft Excel and uses Monte Carlo simulation to allow you to see possible outcomes for a risk and the likelihood of occurrence. The Monte Carlo method takes randomly sampled input data and runs a risk analysis simulation hundreds or thousands of times in order to give you a probability distribution of all possible outcomes.

Partner Integration Overview

GRC Solution Type | Uses Out Of The Box Solution | Uses Custom Application | Requires On-Demand License
Risk Management | Yes, Risk Management | No | No


Partner Product Configuration

Before You Begin

This section provides instructions for configuring Palisade @RISK with RSA Archer GRC. This document is not intended to suggest optimum installations or configurations.

It is assumed that the reader has both working knowledge of all products involved, and the ability to perform the tasks outlined in this section. Administrators should have access to the product documentation for all products in order to install the required components.

All Palisade @RISK components must be installed and working prior to the integration. Perform the necessary tests to confirm that this is true before proceeding.

Important: The integration described in this guide is being provided as a reference implementation for evaluation and testing purposes. It may or may not meet the needs and use cases for your organization. If additional customizations or enhancements are needed, it is recommended that customers contact RSA Professional Services for assistance.

RSA Archer – Palisade @RISK Integration Files

The Palisade @RISK integration files can be downloaded from the RSA Archer Community here: https://community.rsa.com/docs/DOC-16650

The RSA Archer - Palisade @Risk Integration includes the following files:

  • expert_elicitation_import_template.csv
  • RSA_Archer_Palisade_1.pdf

The Risk Management Packages that include Monte Carlo support can be found here:

  • Risk Management for Platform 5.x: https://community.rsa.com/docs/DOC-10485
  • Risk Management for Platform 6.x: https://community.rsa.com/docs/DOC-32562

Install Archer Risk Management with Monte Carlo Simulation SP1

RSA Archer Risk Management with Monte Carlo Simulation contains changes to the Risk Register application to enable the Palisade integration. You must install these updates to your RSA Archer Risk Management solution before using the integration.

In order to install the application package, follow the steps outlined in the RSA Archer - Palisade @Risk Integration for Monte Carlo Simulation document found at the corresponding link above.


RSA Archer GRC Configuration

Palisade @RISK Overview

The RSA Archer-Palisade @Risk integration allows you to perform risk analysis by running Monte Carlo simulations on your Risk Register application records (in the RSA Archer Risk Management solution) and calculating inherent and residual risk.

During a Monte Carlo simulation, distribution values from your risk data are sampled hundreds or thousands of times, and the inherent and residual impact of the risk is calculated each time. These results enable more accurate analysis of and decision making based on possible outcomes of a risk.

The integration supports two different calculation methods: Expert Elicitation and Historical Loss Data.

The Expert Elicitation method is based on expert predictions whereas the Historical Loss Data method is based on actual previous values.

Using the Palisade @RISK Integration for Expert Elicitation

To use the RSA Archer - Palisade @Risk Integration for Expert Elicitation:

1. Enter Risk Register Data for Expert Elicitation

2. Run Palisade Simulation

3. Import Simulation Results into Risk Register

Enter Risk Register Data for Expert Elicitation

To enter Risk Register data for Expert Elicitation, perform the following procedure:

1. In RSA Archer, create a new record in the Risk Register application for each risk on which you want to run Monte Carlo simulation, and in the Assessment Approach field, select Monte-Carlo.

2. In the Monte Carlo Simulation section, in the Select calculation method for the Residual Risk reporting field, select Expert Elicitation.

3. In the Monte Carlo Simulation section, in the Monte Carlo: Expert Elicitation Inputs fields, enter the following:

   a. In the Impact Distribution Function field, select one of the following:
      • Point Estimate (PERT)
      • Point Estimate (Triangular)
      • Log Normal
      • Normal
      • Uniform
   b. In the Single or Multiple Occurrence field, select Single or Multiple.
   c. Based on the values you selected for the distribution and occurrence, enter data for the other required fields.

4. When you are done filling out the records, in the Is this record ready for simulation? field, select Yes.

5. From the Risk Register application navigation menu, open the Expert Elicitation report.


Important: Only records with the Status field set to Active are included in the report.

6. Click Export, and select CSV.

7. Select Exclude all HTML formatting tags, and click OK.

8. When the export is complete, access the file and save it as expert_elicitation.csv.

Run Palisade Simulation

To run the Palisade simulation, perform the following procedure:

1. Launch Palisade @RISK.

2. In the @RISK toolbar, set the number of iterations.

3. Click Start Simulation.

@RISK performs the simulation and populates columns S through Z.

4. Save the simulation results as expert_elicitation_output.csv, and when prompted to save @RISK Simulation Results and Graphs, click No.

Import Simulation Results into Risk Register

To import the simulation results into the Risk Register, perform the following procedure:

1. Open the provided import template file, expert_elicitation_import_template.csv, and paste in the contents of expert_elicitation_output.csv.

2. Ensure that the values in the Date of Last Execution column are in a Date format, and save the file.

3. Import the file into the Risk Register application as follows:

   a. In RSA Archer, click Administration > Integration > Manage Data Imports.
   b. In the Risk Register row, click Import.
   c. In the General Information section, click Browse.
   d. From the File Upload window, click Add New, select your .csv file, click Open, and then click OK.
   e. Click Next.
   f. In the Import Type field, select Update Existing Records.
   g. In the Application Field(s) field, select Risk ID.
   h. In the Import Field Mapping section, ensure that all the values in the Application Fields row match the column headers.
   i. Click Next.
   j. Ensure that the summary information from the Data Import Wizard is correct. Click Import.


Simulation Results

Once you have imported the simulation data back into your RSA Archer system, you can open an individual Risk Register record to see the results in the following places:

  • The Monte Carlo Results: Expert Elicitation section displays the inherent and residual Value At Risk (VaR) values and the inherent and residual expected losses that Palisade @RISK calculated.
  • The Monte Carlo Risk Scores Normalization section displays an overall risk rating for inherent and residual risk, based on the Palisade @RISK results. For Expert Elicitation, the Inherent Risk score is based on the Inherent VaR (95%) value and the Residual Risk score is based on the Residual VaR (95%) value.

Note: The Data Used for Last Execution section displays the data that the simulation results are based on, in the case that the input values have been changed.

The Monte Carlo risk scores also factor into the following risk ratings:

  • The Calculated Risk tab displays an Adjusted Monte Carlo Residual Risk rating, which estimates the overall risk to the organization using the Residual Risk - Monte Carlo value.
  • In the Overall Risk section, the Inherent Risk and Residual Risk ratings are based on the Inherent Risk - Monte Carlo value and the Calculated Residual Risk rating is based on the Adjusted Monte-Carlo Residual Risk value.

Using the Palisade @RISK Integration for Historical Loss

To use the RSA Archer - Palisade @RISK Integration for Historical Loss:

1. Enter Risk Register Data for Historical Loss

2. Prepare Historical Loss Data for Simulation

3. Run Palisade Simulation

4. Import Simulation Results into Risk Register


Enter Risk Register Data for Historical Loss

To enter Risk Register data, perform the following procedure:

1. In RSA Archer, for each new record in the Risk Register application on which you want to run Historical Loss simulation, in the Monte Carlo Simulation section, in the Select calculation method for the Residual Risk reporting field, select Historical Loss.

2. When you are done filling out the record, in the Is this record ready for simulation? field, select Yes.

3. From the Risk Register application navigation menu, open the Frequency of Loss Events Per Month report.

4. Click Export, and select CSV.

5. Select Exclude all HTML formatting tags, and click OK.

6. When the export is complete, access and save the file as Frequency per Month by Risk.csv.

7. Repeat steps 5 to 8 for the Loss Events for Last 3 Years report, and save the file as Loss Events by Risk.csv.

8. Combine the two .csv files into a single workbook, with Frequency per Month by Risk as the first worksheet and Loss Events by Risk as the second worksheet. Save the workbook as Historical Loss.xlsx.

Prepare Historical Loss Data for Simulation

Palisade requires simulation data to fit certain formats, so you must make some manual adjustments to your exported RSA Archer data before you can run the Monte Carlo simulation. To do this, perform the following procedure:

1. In Excel, in your Historical Loss workbook, from the Frequency per Month by Risk data, create a new Frequency worksheet, as follows:

   a. Select the A1 cell.
   b. Click Insert > PivotTable, ensure that the selected Table/Range values are the entire table and that New Worksheet is selected, and click OK.
   c. In the PivotTable Field List section, drag the fields to the following areas:
      • Risk ID to Row Labels
      • Date of Occurrence to Row Labels
      • Count of Loss Event Name to Values
   d. Paste the pivot table data into a new worksheet in your Historical Loss workbook, and name the worksheet Frequency.

   Note: You should now have three worksheets in your workbook: Frequency by Month per Risk, Loss Events per Risk, and Frequency.

2. From the Loss Events by Risk data, create a new Loss worksheet, as follows:

   a. Insert a new column A, titled Row ID, and copy the following formula to each row.

      =IF(B2=B1, A1 + 1,1)

      The Row ID value should increment by one for each Risk ID and should reset when the Risk ID changes.
   b. Select the A1 cell.
   c. Click Insert > PivotTable, ensure that the selected Table/Range values are the entire table and that New Worksheet is selected, and click OK.
   d. In the PivotTable Field List section, drag the fields to the following areas:
      • Risk ID to Column Labels
      • Row ID to Row Labels
      • Gross Loss Amount to Values
   e. Paste the pivot table data into a new worksheet in your Historical Loss workbook, and name the worksheet Loss.

   Note: You should now have four worksheets in your workbook: Frequency by Month per Risk, Loss Events per Risk, Frequency, and Loss.

3. Run Batch Fit on the Frequency worksheet data to create a Frequency Fit Results worksheet, as follows:

   a. Select the data in the Frequency worksheet.
   b. Start Palisade @Risk.
   c. In the @Risk tab, click Distribution Fittings > Batch Fit.
   d. In the Range field, ensure that the range covers just the table data, not the header row or first column.
   e. In the Type field, select Discrete Sample Data.
   f. Click the Report tab, and in the Options section, deselect Include Detailed Report Worksheet for Each Fit and Include Correlations.
   g. Click Fit.
   h. Copy the results into a new Frequency Fit Results worksheet in your workbook.

   Note: You should now have five worksheets in your workbook: Frequency by Month per Risk, Loss Events per Risk, Frequency, Loss, and Frequency Fit Results.

4. Run Batch Fit on the Loss worksheet data to create a Loss Fit Results worksheet, as follows:

   a. Select the data in the Loss worksheet.
   b. In the @RISK tab, click Distribution Fittings > Batch Fit.
   c. In the Range field, ensure that the range covers just the table data, not the header row or first column.
   d. In the Type field, select Continuous Sample Data.
   e. Click the Report tab, and in the Options section, deselect Include Detailed Report Worksheet for Each Fit and Include Correlations.
   f. Click Fit.
   g. Copy the results into a new Loss Fit Results worksheet in your workbook.

   Note: You should now have six worksheets in your workbook: Frequency by Month per Risk, Loss Events per Risk, Frequency, Loss, Frequency Fit Results, and Loss Fit Results.

5. Create a Simulation worksheet in your Historical Loss workbook, as follows:

   a. Create a new blank worksheet with the following columns:
      • Risk ID
      • Frequency
      • Severity
      • Impact
      • Historical Residual Expected Loss
      • Historical Residual VaR (95%)
      • Historical Residual VaR (99%)
   b. In the Risk ID column, copy the column headers from the Frequency worksheet (Risk IDs) and click Paste > Transpose.
   c. In the Frequency column, for each row, reference the Function result cell on the Frequency Fit worksheet for the matching Risk ID.

      Important: The simulation does not work correctly if you either paste the value from the referenced cell or paste the formula from the cell. You must reference the cell for the simulation to work correctly.

      For example, if the referenced cell is B9 on the Frequency Fit worksheet, you should enter ='FrequencyFit'!B9, not =RiskPoisson(8.6) (the actual formula) or 9 (the actual value).
   d. In the Severity column, for each row, reference the Function result cell on the Loss Fit worksheet for the matching Risk ID.
   e. In the Impact column, for each row, create a RiskCompound formula against the Frequency and Severity cells. For example, =RiskCompound(B2,C2)
   f. In the Historical Residual Expected Loss column, for each row, create a RiskMean formula against the Impact cell in that row. For example, =RiskMean(D2)
   g. In the Historical Residual VaR (95%) column, for each row, create a RiskPercentile formula against the Impact cell in that row. For example, =RiskPercentile(D2,.95)
   h. In the Historical Residual VaR (99%) column, for each row, create a RiskPercentile formula against the Impact cell in that row. For example, =RiskPercentile(D2,.99)
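What the Impact, Expected Loss and VaR columns of the Simulation worksheet compute, as an added Python example (not part of the RSA or Palisade material): each iteration draws a loss count from the frequency distribution and sums that many severity draws, then the mean and the 95th and 99th percentiles are taken over all iterations. Poisson(8.6) is the fit quoted in the guide's example; the lognormal severity parameters and all function names are assumptions. The second run fixes the frequency at the constant 9 to show how a pasted value narrows the tail.

```python
import math
import random

def sample_poisson(rng, lam):
    """Knuth's method: count uniform draws until their product falls below e^-lam."""
    limit, count, product = math.exp(-lam), 0, rng.random()
    while product > limit:
        count += 1
        product *= rng.random()
    return count

def percentile(sorted_values, p):
    """Smallest simulated value with at least a fraction p of outcomes at or below it."""
    return sorted_values[max(0, math.ceil(p * len(sorted_values)) - 1)]

def simulate_impact(frequency, severity, iterations=20000, seed=1):
    """frequency(rng) -> number of loss events; severity(rng) -> size of one loss."""
    rng = random.Random(seed)
    impacts = sorted(
        sum(severity(rng) for _ in range(frequency(rng)))  # one Impact sample
        for _ in range(iterations)
    )
    return {
        "expected_loss": sum(impacts) / iterations,  # RiskMean(Impact)
        "var_95": percentile(impacts, 0.95),         # RiskPercentile(Impact, .95)
        "var_99": percentile(impacts, 0.99),         # RiskPercentile(Impact, .99)
    }

# Frequency fit from the guide's example; severity parameters are constructed.
LAMBDA = 8.6
MU, SIGMA = 9.0, 0.5

def severity(rng):
    return rng.lognormvariate(MU, SIGMA)

def run_example():
    sampled = simulate_impact(lambda rng: sample_poisson(rng, LAMBDA), severity)
    pasted = simulate_impact(lambda rng: 9, severity)  # frequency pasted as a value
    return sampled, pasted

if __name__ == "__main__":
    labels = ("sampled frequency", "constant frequency")
    for label, result in zip(labels, run_example()):
        print(label, {name: round(value) for name, value in result.items()})
```

With a constant frequency the only remaining variation is in severity, so the 99% VaR comes out well below the value obtained when the loss count is sampled each iteration.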

Run Palisade Simulation

To run the simulation, perform the following procedure:

1. In Excel, with your Simulation worksheet open, click Start Simulation. @Risk runs the Monte Carlo simulation and updates the Historical Residual Expected Loss, Historical Residual VaR (95%), and Historical Residual VaR (99%) columns.

2. Save the simulation results as historical_loss_output.csv.

Import Simulation Results into Risk Register

To import the simulation results, perform the following procedure:

1. In RSA Archer, click Administration > Integration > Manage Data Imports.

2. In the Risk Register row, click Import.


3. In the General Information section, click Browse.

4. From the File Upload window, click Add New, select historical_loss_output.csv, click Open, and then click OK.

5. Click Next.

6. In the Import Type field, select Update Existing Records.

7. In the Application Field(s) field, select Risk ID.

8. In the Import Field Mapping section, ensure that the Row ID, Historical Residual Expected Loss, Historical Residual VaR (95%), and Historical Residual VaR (99%) fields are correctly mapped.

9. Click Next.

10. Ensure that the summary information from the Data Import Wizard is correct, and click Import.
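Because the import updates existing Risk Register records keyed on Risk ID, a bad row overwrites live risk data. The following pre-import check is an added Python example, not part of the RSA or Palisade material; the column names are the Simulation worksheet columns listed above, while the sample rows, the RISK-n identifiers and the rule that results must be non-negative are assumptions.

```python
import csv
import io
import math

KEY = "Risk ID"
RESULTS = [
    "Historical Residual Expected Loss",
    "Historical Residual VaR (95%)",
    "Historical Residual VaR (99%)",
]

def validate_import(csv_text):
    """Return (row_number, problem) pairs; an empty list means every check passed."""
    reader = csv.DictReader(io.StringIO(csv_text))
    missing = [c for c in [KEY] + RESULTS if c not in (reader.fieldnames or [])]
    if missing:
        return [(1, "missing column(s): " + ", ".join(missing))]
    problems, seen = [], set()
    for row_number, row in enumerate(reader, start=2):  # row 1 is the header
        risk_id = (row[KEY] or "").strip()
        if not risk_id:
            problems.append((row_number, "empty Risk ID, no record to match"))
            continue
        if risk_id in seen:
            problems.append((row_number, "duplicate Risk ID " + risk_id))
        seen.add(risk_id)
        try:
            loss, var95, var99 = (float(row[c]) for c in RESULTS)
        except (TypeError, ValueError):  # Excel error text, formula text, short row
            problems.append((row_number, "result is not a number"))
            continue
        if not all(math.isfinite(v) and v >= 0 for v in (loss, var95, var99)):
            problems.append((row_number, "result is negative or not finite"))
        elif var95 > var99:  # percentiles of one distribution cannot be inverted
            problems.append((row_number, "VaR (95%) exceeds VaR (99%)"))
    return problems

# Constructed sample of historical_loss_output.csv (values are illustrative only).
SAMPLE = """Risk ID,Frequency,Severity,Impact,Historical Residual Expected Loss,Historical Residual VaR (95%),Historical Residual VaR (99%)
RISK-1,9,8100.5,72904.5,78960.2,133000.0,158500.0
RISK-2,3,500,1500,1400.0,#VALUE!,2900.0
RISK-1,9,8100.5,72904.5,78960.2,133000.0,158500.0
RISK-3,2,100,200,210.0,900.0,650.0
,1,1,1,1,1,1
"""

if __name__ == "__main__":
    for row_number, problem in validate_import(SAMPLE):
        print(f"row {row_number}: {problem}")
```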


Simulation Results

After you import the simulation data back into your RSA Archer system, you can open an individual Risk Register record to see the results in the following places:

  • The Monte Carlo Results: Historical Data section displays the historical residual Value At Risk (VaR) values and the residual expected loss value that Palisade @Risk calculated.
  • The Monte Carlo Risk Scores Normalization section displays an overall risk rating for inherent and residual risk, based on the Palisade @Risk results. For Historical Loss Data, the Inherent Risk score is still based on the Inherent VaR (95%) value calculated from Expert Elicitation while the Residual Risk score is based on the Historical Residual VaR (95%) value.

Note: The Data Used for Last Execution section displays the data that the simulation results are based on, in the case that the input values have been changed.

The Monte Carlo risk scores also factor into the following risk ratings:

  • The Calculated Risk tab displays an Adjusted Monte Carlo Residual Risk rating, which estimates the overall risk to the organization using the Residual Risk - Monte Carlo value.
  • In the Overall Risk section, the Inherent Risk and Residual Risk ratings are based on the Inherent Risk - Monte Carlo value and Calculated Residual Risk rating is based on the Adjusted Monte-Carlo Residual Risk value.


Certification Environment for RSA Archer GRC

Date Tested: December 21, 2016

Certification Environment

Product Name | Version Information | Operating System
RSA Archer GRC | 5.5.4, 6.2 | Windows 2008
Palisade @RISK | 6.3 | Windows 7 / Excel 2013


Key Features

  • Risk Management
  • Monte Carlo Simulation
  • Expert Elicitation
  • Historical Loss Data
  • Inherent and Residual Risk Calculation
  • Risk Register Integration
  • Value At Risk (VaR) Reporting
  • Risk Rating Normalization

Frequently Asked Questions

What is the purpose of this document?
This document provides instructions for configuring RSA ARCHER and Palisade @RISK 6.3 to work together.
What is the integration between RSA ARCHER and Palisade @RISK used for?
The integration allows you to perform risk analysis by running Monte Carlo simulations on your Risk Register application records and calculating inherent and residual risk.
What are the different calculation methods supported by the integration?
The integration supports two methods: Expert Elicitation and Historical Loss Data.
How do I import simulation results into RSA ARCHER?
You can import the simulation results by using the Data Import Wizard in RSA ARCHER.
Where can I find the Palisade @RISK integration files?
The integration files can be downloaded from the RSA Archer Community at the following URL: https://community.rsa.com/docs/DOC-16650
