RSA Archer Risk Management enables users to proactively address risks to reputation, finances, operations and IT infrastructure as part of a governance, risk management and compliance (GRC) program. The software provides a central GRC management system for identifying risks, evaluating their likelihood of impact and then ties those to mitigating controls and tracks resolution progress.

Risk Manager is part of an Enterprise GRC product portfolio sold and licensed as modules. The modules include: audit, policy, risk, compliance, enterprise, incident, vendor, threat and business continuity management.

This product is offered as either on-premise software or as a hosted, rapid-deployment model. The platform is composed of three logical tiers including interface, application and database tiers. The platform itself is deployed on two physical tiers that can be hosted on one physical or deployed across multiple servers. The platform uses a common data model across all of its solutions and applications. The user interface is common for all modules and tabs are simply activated via licensing.

The risk module can be used standalone, but, in reality, users will want to employ it in conjunction with the enterprise (asset tool), incident and threat management modules for a complete view of risk. RSA Archer Platform can integrate with hundreds of different solutions, as long as the offering can send information to an SQL server for integration into the RSA Archer eGRC Platform. The content library offers more than 10,000 questions grouped into prebuilt assessments for evaluating risks in one's environment and measuring compliance with authoritative sources, control standards and procedures. The delivery and management process for assessments is fully automated.

The model is built on the ISO 31000 standard. The outputs are delivered in a series of dashboard reports with drill-down capabilities to granular data. Risk is categorized as inherent, residual and operational. When bundled with the Enterprise Management module, assets are easily imported, categorized and managed. One has the ability to classify physical assets or groups of assets into "business assets" for looking at risk at the business level. Coupled with the Incident Management module, the report findings give a clean graphical view of risk and gaps and users could easily develop workflows for assigning tasks, tracking mitigation and logging responses.

All the modules for this offering roll up to a single, web-based user interface with tabs for the various licensed products. The reporting, dashboarding and correlation of data from all modules is well done. It is easy to see the level of maturity in the product.

Maintenance is included in the price of the RSA solution. Enhanced maintenance also is available and offers 24/7 support for a fee of 25 percent of perpetual licence cost and seven percent of term contract. Documentation appears to be built into the user interface, but we did not have a chance to view it during the review.