GRC Archer Consultant at a tech services company with 10,001+ employees
Consultant
Flexible record permissions and data import features; could be simplified in several key areas
Pros and Cons
  • "Flexible record permissions and data import features."
  • "The solution as a whole could be simplified."

What is our primary use case?

My primary use cases of RSA Archer are for business resiliency, business continuity management, third party vendor management, IT risk management and some of the other governance and compliance applications. We are partners with RSA and I'm an Archer system administrator. 

How has it helped my organization?

There are many benefits to using Archer as a platform. Previously, all processes in the organization were scattered. Once Archer was implemented, everybody had a role to play. It was just a matter of logging in, doing the work, and moving the workflow to the next stage. Prior to Archer, all the work took place via emails or sharing of Excel files. Archer has streamlined everything and it's really helping the organization to manage potential risk and data security. Security is key these days.

What is most valuable?

I believe the record permissions and data import are the most flexible and user-friendly features because they enable all information to be available on the platform.

What needs improvement?

Compared to other GRC tools, RSA Archer is a little complex in the sense that even users need to have some knowledge of the tool. Without any knowledge, both users and developers will have a hard time. I'd like to see the access control part simplified. Reduced complexity in the Advanced Workflow and on the front end part of the tool would be really helpful.

System administrators have overall control over the system, but it would be good if they could get more control over Archer. Finally, Archer has the option of custom coding things not currently supported by RSA. If it were supported that would be a great innovation because clients have needs that are not adjustable or incorporated in the tool. All those changes require coding which increases complexity.

Buyer's Guide
RSA Archer
January 2025
Learn what your peers think about RSA Archer. Get advice and tips from experienced pros sharing their opinions. Updated: January 2025.
831,265 professionals have used our research since 2012.

For how long have I used the solution?

I've been using this solution for close to four years. 

What do I think about the stability of the solution?

I think the level of stability and performance is connected to the size of the organization. There can be issues when there is an Excel load in the system, or when there are too many users and too many processes running on the backend. Things can slow down and we've seen glitches and delays. If processing speed could be increased, that would likely solve the issue. 

What do I think about the scalability of the solution?

Scalability is there but it's not easy. You need to be familiar with the system, which can take a couple of months. Once there's familiarity it becomes more user-friendly. It's not as easy as ServiceNow or OneTrust. Those are much lighter tools and easier to learn. Scaling should be more user-friendly. We currently have around 9,000 active users and I expect that to increase in the future.

How are customer service and support?

Customer support is working well and I don't have any complaints about that. 

Which solution did I use previously and why did I switch?

I have used ServiceNow but nowhere near as extensively as I've used Archer. The problem with GRC ServiceNow is that it has limited features, which is why we switched to Archer. It has better features and functionalities.

How was the initial setup?

The initial deployment needs to be carried out in coordination with RSA because it's their product. It requires a web service, application service, database service, everything needs to be designed for the platform. It would be great to have some kind of video or technical demo to help with this. 

If the process of going from the ESC environment all the way to the production environment could be easier that would be really helpful because it's very likely that not all environments will be in sync in most organizations. Features are going to differ from the broad environment to the lower environment and while packaging, the features of the lower environment also come into the production environment. Maintaining synchronization takes a lot of time so if there could be some flexibility and ease, that would save a lot of time for the organization.

What was our ROI?

In terms of return on investment, I think the processes and management as far as risk and governance compliance is concerned, have been very effective. Achieving their objectives and tasks in a timely manner with all the necessary security and parameters along with streamlining is a return on investment. I'm unsure about the benefit in revenue, it's more about improving risk and the governance processes.

What's my experience with pricing, setup cost, and licensing?

Archer is expensive compared to other GRC tools. The product is generally used in multi-national companies like JP Morgan, Morgan Stanley, Amazon, Goldman, or eCommerce. They all use Archer. The cost would be prohibitive for a small or medium-scale company. If Archer is looking at promoting this product, they need to work on the pricing because only large organizations can afford it. There are many additional costs involved so that if one needs to develop some features in the tool there is an additional charge; if you ask RSA for any kind of enhancement or development, they will charge you; and if you'd like some consultation in regards to the product, they will charge you for that too.

What other advice do I have?

This is a really nice tool because the majority of what it provides is not offered by other solutions. It's a matter of learning the tool and accepting how it works with an open mind. Anyone using it will find it really helpful for the GRC processes.

I rate the solution seven out of 10. 

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
PeerSpot user
reviewer1696191 - PeerSpot reviewer
Senior System Developer at a financial services firm with 5,001-10,000 employees
Real User
Workflows are easily automated; great risk management and policy compliance features
Pros and Cons
  • "Enables development of any application, automation of any workflow including the GRC work processes."
  • "GUI could be improved."

What is our primary use case?

My role is as a developer or administrator of this tool, but I'm also a user. I work as a senior system developer and we are customers of RSA Archer. 

How has it helped my organization?

Previously, the process we required was carried out in Excel data with follow-up emails through Outlook and it was very difficult to track. After we implemented Archer, things worked a lot more smoothly, and rather than looking for things, the system sends a notification reminder. We can do everything within the tools; updating records and publishing them, maintaining approvals, reminders, reporting, and dashboards. 

Some of our clients who use Archer bring the activities scan and present data into Archer, and can then manage their workflow. They can see the overall risk rating, how it relates and where it's coming from, the device causing it, those kinds of things. They wouldn't have been able to do that without Archer. 

What is most valuable?

The tool is really well designed overall and you can develop any application, automate any workflow including the GRC work processes. Workflow can be automated very easily so that providing access and making changes are all relatively simple. I find that integrations are very easy in this tool. For example, bringing data from an external tool is easy and manageable. It also provides a single tool to manage all the different workflows and different processes. For example, you can perform risk management, policy compliance, audit, and all other processes. It's really a one-stop-shop and a great feature compared to what other tools offer. Finally, the core solution and library provided with the tool are great compared to other tools like ServiceNow, which still process metrics. I don't think they come close to Archer. 

What needs improvement?

Other tools, specifically designed for audit management have a better GUI than Archer. The problem with Archer is the business process. If you design in Archer you get a lot of tasks and a lot of information that gets congealed, which users don't like. The issues can be solved using the advanced workflow feature of Archer but it was only recently introduced and most clients are still using the old version to run the workflow.

If your process requests many tasks, many approvals, workflows, etc., then you're definitely going to see a lot of information in one sheet which makes the job harder. It's all dependent on your process. There are some flaws in the system, which are generally rectified over time but there is still room for improvement. I've previously given some feedback and, in general, there are a lot of complaints about the GUI. 

For how long have I used the solution?

I've been using this solution for three years. 

What do I think about the stability of the solution?

The solution is very stable but as the data grows and the size of the database grows, you need to add additional servers or sources to manage latency. It creates a lot of logs and the data fills up if it's not properly maintained. It doesn't require daily maintenance but a clean-up is needed at least once a year. If you have really good hardware resources, you don't really need to do that.

What do I think about the scalability of the solution?

The solution is easy to scale. Just add a server, then store the tool in it and then load balance it. It's not difficult. We have around 2,000 regular users and we're likely to increase that.

How are customer service and support?

I think customer support is really good. There are some times when they don't have a solution to a new problem, something newly identified, but they submit it to the engineering team and ultimately it gets fixed. It can sometimes take a few months but I don't see any major issues with their support. I think they're pretty good.

How was the initial setup?

The initial setup is reasonably straightforward. Deployment is generally carried out by one person. If a company wants to maintain segregation of duties, then multiple teams are necessary; one for development and another for deploying the change in production. Deployment time depends on the change you are pushing. If there are multiple items involved, the best option is to deploy the package. If the application has millions of records, then it will take longer to recalculate. If there's a smaller number of records, deployment can be done in a couple of hours. 

What was our ROI?

We've definitely seen a saving with the automation of the process. It saves time which can be spent on other activities. And, of course, that means a cost saving. 

What's my experience with pricing, setup cost, and licensing?

I believe our licensing costs are around $100,000 for the tool and that possibly includes a basic solution that comes with the tool. If you then need another solution then there is an added cost for that. I don't know how that compares to the cost of other tools. 

What other advice do I have?

For anyone trying to automate a data GI processor, Archer is a good product.

I rate the solution nine out of 10. 

Which deployment model are you using for this solution?

Hybrid Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
reviewer1262205 - PeerSpot reviewer
Vice President and Risk Management at a financial services firm with 10,001+ employees
Real User
Robust and feature rich solution
Pros and Cons
  • "The part I liked about Archer was the risk assessment for deficiencies and being able to use it there."
  • "It's resource-hungry, that's the best way of putting it."

What is our primary use case?

For Archer, today there is everything from risk management to looking at security and how to track all the security defects. We don't have Archer connected to ServiceNow. We had the better version when I was at Albertsons. Just before I joined UFG, we used it not only tracking deficiencies, but also doing all the risk work and all of the vulnerability management, but we tied it to ServiceNow so we could issue tickets and track stuff. That's the way to do it.

How has it helped my organization?

Our version is on-prem, which I also used at Wells Fargo, where we had it on-prem as well. I thought the best version we used was at Albertsons; we were in the cloud and we were using their stuff. To me, that's a better way to go. You want to keep it up to par, and you can't screw around with the data structures. It really keeps you current, which is probably the best example, so you get the best bang for your buck.

What is most valuable?

When you get it to work, then it's valuable to me. The part I liked about Archer was the risk assessment for deficiencies and being able to use it there. The part I don't like is what it takes to get it really working right. That's not trivial. You need people that really understand it, and you also have to get people to stop making changes to the data schema and the rules, because if they do that, then it defeats the whole purpose of Archer.

What needs improvement?

The problem is, and I've had years and years of experience using it, let's say decades of experience with it, and they keep changing it. It could be as much as two years or so and they change the product. My concern is when they go from module to module, what do they do? Is it consistent to what the industry wants? And they could also add some things and improve on their product for when we want to match up CVS to it and a few other things. And I think the training is hard. I think they need to emphasize that you take people and send them to training. But today with COVID, how do you do that?

For how long have I used the solution?

I use RSA Archer on a daily basis. Some people in the Archer group call me a pain, they keep saying, "Well, we can't do this and we can't do that." I say, "Let me show you how it's done."

I have been using it since they first started. So that's got to be almost 15 years now. I knew it when it wasn't even Archer, when it was part of Ernst & Young's suite of risk products. And then Silver Shire took it out of there, formed his own company called Archer. And that's how it was developed. I go that far back with Archer. I've seen it evolve, and they keep changing modules, names, pricing. It's kind of fun to watch the industry.

What do I think about the stability of the solution?

In terms of stability, if you do it yourself, it can grow big depending on how you want to use it. I've seen and been in companies that want to do all this fancy stuff and all the rules and everything else and it just eats resources you could point at, being 20, 30 servers. It's big.

It's resource-hungry, that's the best way of putting it.

What do I think about the scalability of the solution?

In terms of scalability, that's a problem. When you want it to scale, it costs you resources, just like that other product I hate, Splunk. I love the products, but not the resources they eat. It is expensive that way.

How are customer service and technical support?

When you find the right one in tech support, it's good. They're all good, but some are better than others. When you're in a crunch, you want the best person right away. Guess what? I want it now. It's like a kid. I want it now.

I'd give tech support an eight to nine.

How was the initial setup?

The initial setup is complex. It's not straightforward and never was.

It requires knowing what all the modules do, understanding what you want to do, and then finding the right people that can program it. And finding those experts is not trivial.

Which other solutions did I evaluate?

At one time, it was the only thing available. Now there are other products that I would consider.

What other advice do I have?

Make sure you know what you want to really do and pick the right modules and do a lot of planning, planning, planning. It's like building a house. If you don't do the planning, when it comes down to trying to build it, you really get screwed or the team gets screwed. And I don't think people do a lot of planning.

On a scale of one to ten, I'd give RSA Archer an eight.

It's Archer - there are days when their stuff is awesome, there are other days when the frustration level is way too high.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Senior Consultant at a financial services firm with 10,001+ employees
Real User
Excellent process automation, audit management and more
Pros and Cons
  • "First of all, its access control feature where it provides application level access, solution level access, and even recall access, as well."
  • "In terms of what can be improved, our client always says their user experience, UI/UX in RSA Archer. They found it is not as user friendly as other tools."

What is our primary use case?

We are using RSA Archer to provide GRC services to our client. GRC means governance, risk and compliance. In Archer we implement business continuity management, policy management, risk management solutions, audit management solutions, and third party governance solutions. We even utilize a privacy governance model of RSA Archer, as well.

Currently, we are analyzing and evaluating software as a service option for one client to reduce effort and time on infra related activities.

How has it helped my organization?

Our clients are using RSA Archer to automate their manual processes and activities to avoid manual intervention and to give leadership clear visibility. This has increased the clients' process efficiency: they are more compliant, risk is reduced, and the overall governance structure has improved. It also adds some value-added features on the reporting side and gives clear visibility of the entire business unit or divisions of the company. Suppose the CEO of a company wants to see their high-risk BUs; he or she can easily see the count and details. Automated, timely email triggers and integration with other tools/applications help clients assess their processes and BUs to find risks and remediate them on time.

What is most valuable?

There are lots of features which motivate our clients to use RSA Archer. First of all, its access control feature, which provides access at the application level, at the record level, and at the page level. It helps clients avoid any unauthorised access.

Also, there is strong integration between the RSA Archer modules, and the option to integrate with other applications/processes helps clients increase their confidence in data integrity.

If anyone is using RSA Archer audit management or any of the out-of-the-box use cases, it also provides some inbuilt assessment capabilities, like some of the questionnaires and some of the controls that are available in RSA Archer.

The capability of sending automated email triggers to stakeholders at a fixed frequency.

The workflow feature, reports, dashboard capability, etc. attract clients to Archer.

What needs improvement?

UI/UX can be improved, and a feature allowing end users to update assessment questions and add or remove recipients from a notification would help clients minimize their dependency on Archer developers. RSA Archer somehow lags behind in the user interface.

Additionally, the reporting capability of Archer should be improved, because generally what clients do is analyze processes, their records, and their status. They integrate it with either Tableau or Power BI just to customize their reports and see more user-friendly reports. So I would suggest improving the reporting capabilities as well.

What do I think about the stability of the solution?

In terms of stability and performance, Archer is good.

What do I think about the scalability of the solution?

RSA Archer is easy to scale, it's not complex.

It is a requirement to maintain RSA Archer. Our team even provides the managed services to the client, as well.

Some of my clients are moving their GRC solution from other platforms to RSA Archer because of scalability.

How are customer service and support?

Support is good, but sometimes I feel there are some queries or issues, where I or our client need a resolution quickly, but sometimes it gets delayed from the customer support side.

Which solution did I use previously and why did I switch?

Generally, clients without a GRC framework move to Archer to automate their processes.

How was the initial setup?

Generally, we deploy RSA Archer on the client's infrastructure. It is not complex; even for a first-time user, the process to set up Archer is easy if they refer to the manuals or guides.

Generally, one person can easily install it if it is a small or medium deployment and not a complex one. But for a large-scale deployment, I think more involvement from other teams will be required.

Which other solutions did I evaluate?

Yes, we do evaluate other options/frameworks available in the market, e.g. ServiceNow GRC, OneTrust, etc.

But we suggest the best option based on the client's requirements and whichever suits best in terms of cost and effort.

What other advice do I have?

My advice to anyone considering RSA Archer would be to use it for their GRC capability and automate their manual tasks. If they are doing any manual task, they can simply automate through RSA Archer. It will increase efficiency, minimize their risk and will make them more compliant.

On a scale of one to ten, I would give RSA Archer an 8 out of 10.

Which deployment model are you using for this solution?

Private Cloud

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Head OT Risk Management & Compliance at an energy/utilities company with 10,001+ employees
Real User
A rich feature set helps save time and effort, making us more efficient and saving us money
Pros and Cons
  • "The most valuable feature is the enterprise module, which provides the capability of having all of the information stored and linked with everything else."
  • "The bullet chart is the best graph for my purposes, and it should be available for inclusion in the dashboards."

What is our primary use case?

We use this solution for task management and reporting, with a focus on Risk Management services. We have this solution deployed on-premises.

How has it helped my organization?

Before we adopted this solution, everything was done in Excel. One of the main modules that we are using is the Risk Management module. We're in IT, and IT is a big domain, so if we have a lot of findings then the Excel worksheet would be passed between different people, and the data would be scrambled. Someone would later have to come back and bring all of the information together into one sheet. It was very hectic, troublesome, and time-consuming. We had a lot of things to take care of, and we needed a dedicated team just to bring the information together. We also needed expertise in terms of who can put the information together into a graphical format to make it easier for management to understand, as well as more general reporting.

Previously, we had almost zero reporting because of this hectic chaos. Now, we have all of the information right there, like a central repository. All of the risk owners have access to it. They can see their own and they can automatically fill in their actions and give us updates. With the central location, we have minimal resources required in order to prepare the review. We can export, report, create dashboards, drag and drop, etc. It has saved us a lot of effort.

What is most valuable?

The most valuable feature is the enterprise module, which provides the capability of having all of the information stored and linked with everything else. For me, that is eye-catching.

What needs improvement?

The dashboarding in this solution needs to be improved, specifically the graphics. I am trying to find other solutions because I want to create management dashboards. This product has its own built-in design capabilities and how to present things, but it doesn't have a bullet chart. The bullet chart is the best graph for my purposes, and it should be available for inclusion in the dashboards. We are doing audits and risk management, and there are timelines related to when things are due. All of that can be very easily seen in a bullet chart graph, but what is available now are pie charts, bar charts, and the simple information that is not as meaningful.

The reporting features are very basic, PowerPoint-like capabilities, that should be improved. They should be more like the features available in Power BI, or Tableau. As a workaround, I tried dumping the information from Archer into these two solutions, but it would be much better to have the functionality built-in.

When it comes to searching, the filtering process is not very intuitive. If I want to filter then I have to use too many buttons to get to what I'm trying to search for. If they can simplify the researching process then that would be good.

For how long have I used the solution?

We have been using this solution for five years.

What do I think about the stability of the solution?

This solution is very, very stable.

What do I think about the scalability of the solution?

This is a very scalable solution. After we implemented this solution, two different departments saw it and were impressed with the tool and how the work could be done centrally. We spoke with the vendor and added the scope for these departments. Now, it is centralized throughout the company.

We do plan to increase our usage of this solution. Its capabilities are almost infinite, but we're probably utilizing just twenty percent of it. We know its capabilities and what it can do, but there is a shortage in the availability of resources that can actually utilize the tool. There are perhaps three or four people that can use at least forty percent of the functionality.

We've assigned a task to a few team members so that someone can get a fresh look at how we can fully utilize it. It's a heavy tool and we want to use it. The problem is that it's just not that easy because you need someone who will actually understand the logic behind it, and also has the experience with the functionality. This is not expertise in the solution, but rather, the management. For example, we need someone who can understand the entire risk management flow in order for them to be able to use the tool efficiently.

Because of the vast differences in the domains being used in Archer, each team member is using a section of it. It's not really utilized how I want it, because I'm the leader of the team and I want to use this as the main tool for the entire IT department. However, I don't have the resources who can actually spend that much time to use it.

How are customer service and technical support?

Technical support for this solution is very good.

We had one person as an expert that was providing level one and level two support for the solution. We had minimal occasions where we had to go to level three, which is to contact RSA directly. We did have some questions here and there, and we understood that the technical support team is very good at their job.

Which solution did I use previously and why did I switch?

We did not use another solution prior to choosing this one. Everything was done using Microsoft Excel.

How was the initial setup?

The initial setup of this solution was very complex because of our organization. We had to manually put in the entire organization and the functional design. We had multiple teams, departments, and divisions. It is a very mature organization that has more than seven thousand employees, and there are a lot of sections. We have gone through multiple re-organizations and still haven't had the time to actually change the structure in this solution, because of how complex it is. It was complicated and still is.

Deployment took a full year with dedicated resources. Seven people were involved in the deployment, each one working on a different thing. One was doing the logic, another was doing the structure, etc. We have very different models, including Risk Management, Audit, and Enterprise, so each person was working on something.

What about the implementation team?

We hired a consultant to help us out with the deployment. After it was complete, we gave him a job and he came to work for us. Because it was so complex, we didn't have the resource in terms of someone to actually understand the tool because of how complicated it was to build it from scratch to match our organizational structure. It takes time for someone to understand the entire company, and since the integrators did that within the year, it was easier for us to bring him on board and then train people along the way.

What was our ROI?

We have seen ROI with this solution, although not directly. Before Archer, we needed people to come in to perform services for us. For example, if we needed to do risk management then we needed someone. They had to create the document, the module, and the framework, and then they come and do the assessment themselves. They are the ones that actually do the questioning, get the results, and give us the reports. That, itself, costs a lot of money because we have many services in IT.

Our on-premise expertise is aware of most of the things that are on the ground, but we just don't have the capacity to deal with all of them. So, we do it in small batches, here and there. We want people for cloud, people for risk management, people for audit, and people for compliance. Each of those different modules has a different price tag on it.

With this tool, once it was built and designed, we were able to use our own internal resources. We don't need to go outside. All of the questions are already there. The policies and procedures are already built-in, and you just need to tweak them a bit. So, it helps us just in understanding what's there, on the ground, and then we can mark our territory from there. Overall, it saves us a lot of money to be spent if we are taking care of these services individually.

Which other solutions did I evaluate?

We did evaluate other products back when I was in the metrics team. I was also looking into other tools just recently because we need the contract for the extension of the maintenance for another five years. So far, Archer has been the best. It stands out among the other tools that are coming into the market, and there is no comparison.

What really separates RSA Archer from the other solutions is the depth and richness of the different features and functionality that it has.

I've seen other tools that are very intuitive, easy to deploy, and easy to understand, but not as rich in functionality as RSA. This is the solution that I want to make the best use of, but I'm not prepared to do that because of the dashboarding. In three years, we will re-visit the evaluation process.

What other advice do I have?

My advice for anybody considering this solution is that if you are a mature organization then this is the best tool to use. It has cross-disciplinary functionalities in which multiple teams can be using the same solution. Companies who are not yet mature, but want to develop, can use this tool as a baseline that will help them mature.

It has the entire process. It will help you streamline what you want, have visibility of what you need, and you can build up. Basically, it's a central repository for everything. We have enterprise architects who are interested in this solution because of the Enterprise module and its capabilities. Having all of the information connected, within itself, is the best value that you can have.

I, myself, wanted to become an expert and certified in using this tool. The only thing that stopped me was the lack of bullet chart capabilities in reporting. It's what is holding me back.

Without the support for bullet charts, the visibility that we need is lacking. For example, if there is a textual date like the 25th of April 2020, for us there is no visible representation of the date. A bullet chart will tell you how far it is, how far we have come already, and what the target is to get there. This is an amazing tool, but without that graphical representation, it just puts that aside. This is why I'm trying to find another tool that will compensate for that.

I would rate the closest runner-up to this solution a six out of ten, with all of the other solutions somewhere below that.

When it comes to this solution, I would rate it an eight out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
reviewer1746588 - PeerSpot reviewer
Sr. Internal Auditor at an energy/utilities company with 10,001+ employees
Real User
Highly scalable, provides flexibility for creating reports, and reduces a lot of paperwork
Pros and Cons
  • "Its user interface is pretty neat, and there is flexibility in generating the data. You can customize reports at any level. You can directly get reports in Tableau format. If you want to generate statistical data, you can create reports with graphs. There is an adequate amount of flexibility for changing the format, the type of graphs, etc."
  • "There should be a way to export and get data from the system in PDF or PowerPoint presentation format. This would be a great addition."

What is our primary use case?

I am using RSA Archer for internal audit management. It is used for the entire life cycle for audit, which includes engagement planning, reporting, action management, and so on. It is also used for internal resource management. The timesheet management, resource management, and training are being managed through the same system. 

It has been deployed on-premises. My organization has 16 groups. It is installed and managed centrally by the headquarters, and we are using the application.

How has it helped my organization?

We got rid of a lot of paperwork. As an internal auditor, we have to comply with IIA guidelines. There are standards that we need to follow while completing an engagement. A lot of requirements have been automated through the system, such as quality assurance, engagement review, audit follow-ups, and so on. It has supported the organization as a whole.

It is highly customized for our organization. It is primarily for GRC, but we are using it for audit management, resource management, timesheet management, and so on. These were add-on features that were customized and developed by the vendor.

What is most valuable?

Its user interface is pretty neat, and there is flexibility in generating the data. You can customize reports at any level. You can directly get reports in Tableau format. If you want to generate statistical data, you can create reports with graphs. There is an adequate amount of flexibility for changing the format, the type of graphs, etc. 

What needs improvement?

The dashboard that is a part of the RSA Archer could be more aesthetic. 

There should be a way to export and get data from the system in PDF or PowerPoint presentation format. This would be a great addition.

For how long have I used the solution?

It has been almost two years since we have been using the product. We have been using it almost on a daily basis.

What do I think about the stability of the solution?

We have been using the web application, and sometimes, there are issues related to the network availability, etc. Other than that, we have not seen any issues in terms of performance and input and output controls. We never had any reports that were not correct. So, more or less, it is fine.

What do I think about the scalability of the solution?

Scalability-wise, we already have a proven case. Deploying a solution in one company with a fixed, organized structure is one thing, but deploying at a mass level in multiple companies and bringing them all together in one single platform is a completely different thing. It proves the scalability of the solution. There is no doubt that it can be scaled to multiple organizations in one go.

We have more than 200 users. They are internal auditors, but if we also count the auditees who use the same system, the number would be much higher.

How are customer service and support?

Our version of RSA Archer is heavily customized. Therefore, at the initial stage of the deployment, there were a few issues for which we needed support. We had a few workflow issues or anomalies in the reporting. 

At the organization level, we have a uniform IT management system for IT tickets. We have an IT support team at the group level, and then we have a support team in headquarters. It is being managed just like any other solution in the organization. We are satisfied with the support.

Which solution did I use previously and why did I switch?

I have seen the deployment of the SAP-based audit management system in 2013 or 2014, which might have changed a lot over these years. From a user's point of view, RSA Archer has a better user interface. It is easier to use. SAP had a typical structure and user interface. It might not have been user-friendly for everyone. RSA Archer is more user-friendly. Its acceptability is much higher when you are deploying it in an organization.

How was the initial setup?

It followed the usual SDLC life cycle. They came and understood the processes. They understood the way the audit was being managed in our organization. It was a joint effort between our organization and the vendor. There were a lot of sessions to understand how we conduct our processes and what are the challenges that we face. Bringing almost 16 to 17 companies in one single platform was a challenge in itself. Even though we had the same policy procedure, there were some differences in the way things were being done, the formats of the files that we were using, and the way people were doing the audits.

It took a lot of time to have a good base of the design itself, but it was worth it. The deployment was done phase-wise. It was not a single-phase deployment; it was a multi-phase deployment. Initially, we just implemented the basic audit management in which we were able to create engagements and add the findings. Later on, more complexities were added related to quality management, timesheet management, detailed reporting, and so on.

It required a lot of interaction with the group companies and the development team in the HQ. There was one whole team in the HQ that had 15 to 20 people. From each company, there were about two to three people. It was a big team. My estimate is that we had at least 20 to 30 people.

The initial deployment probably happened in a span of six months. Every quarter or every six months, they take feedback from different companies, and they ask for whatever modification is required from our side, and they keep on releasing the updates, small modifications, and so on. It is a continuous process, and we are still fine-tuning the system.

I'm not an administrator, so I don't have information about the maintenance it requires in the backend. Because it is heavily customized, whatever development happens, it happens only internally. The production and the development environments are optimized. Apart from that, the routine activities that we require are related to any data modification with reference to the audit parameters of the attributes. We usually request to change or modify them. There is also an approval process. These are the kinds of interactions that we have as users.

What other advice do I have?

There is absolutely no doubt that it is a very good tool for audit management as a whole. If you are deploying RSA Archer, the most important thing is that you need to be very clear of your requirements and the processes for audit management. It can maintain the organization hierarchy, business hierarchy, processes, projects, and assets. It can maintain a lot of repositories and attributes related to an organization for mapping individual audits. It is a wonderful tool, but if you are not clear about how you want to deploy it, it could be a mess. This is applicable to any enterprise-level tool. 

The reason I'm certifying with RSA Archer is that when you are using it for audit, there is a particular strategy and the way to do it, which may vary from organization to organization. So, you have to be very particular about what you want from the tool before deploying it. You should not deploy it and then define your processes. 

I would rate RSA Archer a nine out of 10.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Executive Network Administrator at Tredence Inc.
Real User
Top 20
Offers essential modules and features needed for risk management and compliance activities
Pros and Cons
  • "It has various valuable features. For example, showing us if a control aligns with specific standards or frameworks helps us understand it better and verify its compliance."
  • "The user interface needs work. There are many small text boxes, like credit-card-sized boxes, where we need to input a lot of text. You can't see what you're typing beyond the tiny window, so you have to scroll or type elsewhere and copy-paste it. It's very inconvenient."

What is our primary use case?

We primarily use the system control module and specific IT control models for ongoing risk assessment activities. We use it on a day-to-day basis. 

What is most valuable?

It has various valuable features. For example, showing us if a control aligns with specific standards or frameworks helps us understand it better and verify its compliance.

What needs improvement?

The user interface needs work. There are many small text boxes, like credit-card-sized boxes, where we need to input a lot of text. You can't see what you're typing beyond the tiny window, so you have to scroll or type elsewhere and copy-paste it. It's very inconvenient.

So, improving the user interface would be beneficial.

For how long have I used the solution?

I have been using this solution for two years. 

What do I think about the stability of the solution?

I would rate the stability a seven out of ten. It's stable, but most of the time it takes a long time to load, even with good internet. Maybe it's on our end or because it's on-premises.

So it could be faster to load. I would like to see improvement in the stability of the solution.

What do I think about the scalability of the solution?

There are around 300 end users using this solution in our company. We all access it to manage compliance through the system.

How was the initial setup?

I would rate my experience with the initial setup an eight out of ten, where one is difficult, and ten is easy. 

What other advice do I have?

From my perspective, it's a useful tool with all the essential modules and features for governance, risk management, and compliance activities. The reference information linked to controls and risks is also beneficial and provides flexibility. Overall, I would recommend RSA Archer.

Moreover, I would rate the solution an eight out of ten. 

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
reviewer1741266 - PeerSpot reviewer
Principal Consultant at a transportation company with 1,001-5,000 employees
Consultant
Helps us save a lot of time
Pros and Cons
  • "The most valuable features of RSA Archer are the asset management, risk management, and vendor management."
  • "If you need to integrate the RSA products with another SIEM solution, then it doesn't work properly."

What is our primary use case?

RSA Archer is a governance tool, used especially for bank applications. At the same time, there is the NetWitness tool, a SIEM solution that was created by the RSA division. They have integrated the incident management, along with RSA Archer. Whenever the SIEM solution creates alerts, Archer can be triggered, and you can elect notifications to your mailbox. 

If you click on the link, it'll link you to the actual incident, what happened in cybersecurity. You can do a number of things, like a workflow and approval from the manager level.

How has it helped my organization?

The features help save a lot of time in the organization.

What is most valuable?

The most valuable features of RSA Archer are the asset management, risk management, and vendor management. It's a very simple tool that you can learn within a short period of time.

If I use an AGP, for the onboarding process, for example, I'll create a workflow. An item will go to my manager, the manager approves, and I'll automatically get an alert notification sent to me saying that you are being onboarded. 

You can also put a lot of limitations, like permissions and values, in the AGP. As a security person, that is important to me. You can use any number of groups and permission levels. Now I created vendor management and many people have different kinds of applications in the AGP. Many people are users, but that doesn't mean each particular person can access all the applications in the AGP; it'll be limited. At the same time, I also can give edit permissions at the system level.

What needs improvement?

One area that could be improved is the solution needs to go further with most of the APIs. They need to create multiple APIs and integrations, in my opinion. A few things can't be done from the RSA level and it's not user-friendly when you're working with the other tools. With the RSA products, it's very easy, because it's an inbuilt application. If you need to integrate the RSA products with another SIEM solution, then it doesn't work properly. You have to create a new API for that integration of Archer.

Beyond that, additional features would make the solution too complex. If additional features were added, the solution would need better sustainability and marketing. RSA would also need better online support. The solution would be more attractive with improvement to these items.

For how long have I used the solution?

I've been working with RSA since 2013.

What do I think about the stability of the solution?

The stability and performance of the solution are good.

What do I think about the scalability of the solution?

The solution is easy and simple to scale.

How was the initial setup?

The initial setup is not complex; anyone can do it. Deployment should not take more than two people. The time it takes depends upon the cluster environment. If it's a single instance, you have only one database server, it shouldn't take more than four to five hours for the deployment. If it is a cluster with a lot of employees and a big organization, they'll have disaster recovery and more involved. In that case, it'll require at least two days or so.

What about the implementation team?

We are involved in the integration of everything.

What's my experience with pricing, setup cost, and licensing?

The license is costly for the solution, but the remaining setup and maintenance is a lot cheaper.

What other advice do I have?

The RSA Archer tool is useful for governance listing, workflow, risk management, incident management, and auditing. It's a very easy methodology for senior management. In Archer, even though it's confidential data, you can store it in the proper way, and there were a lot of APIs which can integrate with Archer. For senior management, it'll trigger an alert and you'll see a project automatically to approve. You can do wonders with this tool, but you have to be very specific in your utilization.

If you only use two to three products in RSA, you're wasting a lot of money and people resources. You have to bring awareness; what is this tool? Show users the solutions that can be implemented.  

I would rate the solution an eight out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Buyer's Guide
Download our free RSA Archer Report and get advice and tips from experienced pros sharing their opinions.
Updated: January 2025