To comply with the Gramm Leach Bliley Act (GLBA), Kansas City, Mo.-based UMB Financial Corp. ($8.9 billion in total assets) first began looking for an automated solution to manage enterprise risk in 2003. "Back then, we had manual processes for managing risk across some assets," explains Marshall Toburen, SVP and operations risk manager, UMB.
UMB developed a wish list for scoring enterprise risk management solution (ERMS) vendors. "At the time, none of the ERMS vendors satisfied all of the criteria," recalls Toburen. By late 2005, however, a total of 15 vendors had been evaluated, and "our executive management team determined we needed to begin to automate in 2006," he says.
Meanwhile, in an unrelated project, UMB had started deploying a security management solution from Archer Technologies (Overland Park, Kan.) in 2004. Subsequently, Archer began expanding its offerings and in early 2006 released a management tool to support GLBA compliance.
With Archer's SmartSuite Framework and Risk Management solution in the mix, UMB again scored vendors. "Archer's suite was the only one that fit," says Amy Rodgers, enterprise architect, UMB. Based on a centralized asset management database, the Archer Risk Management solution generates online risk assessment questionnaires, asset risk scorecards and actionable plans for managing risk, Archer says.
According to Rodgers, to accommodate the SmartSuite production environment, UMB purchased an HP (Palo Alto, Calif.) Web server; for development and quality assurance tasks, in-house servers were redeployed. "Archer is built on Microsoft's [Redmond, Wash.] .NET platform and includes a Web-based user interface," she explains. "So it requires a [Microsoft] SQL database and IIS Web server."
UMB spent six months configuring and implementing the ERM solution. Significant development efficiencies were realized by building out the previously created Archer-enabled security asset database to include additional enterprise assets, Rodgers notes.
During the testing phase, informal training was conducted by E-mail. "One of our selection criteria was ease of use," Rodgers notes. "We wanted a tool that didn't require every end user to sit down in a classroom."
After a late-2006 launch, the solution brought dramatic improvements. "During our most recent GLBA risk assessment we could drill down to view individual assets," says Toburen. "Previously, ... we were unable to supply regulators with [such] detail."
However, the advantages of Archer's integrated ERMS go beyond GLBA compliance, Toburen stresses. "For example, we use Archer to track internal and external issues," he says. "This has resulted in identifying exposures and addressing them far more quickly than ever was possible before."
In fact, the systemic benefits of centralizing disparate information can't be overstated, says Toburen. "Prior to Archer, we managed issues and risks as silos," he says. "Now we can determine how any specific issue will impact every aspect of the enterprise. As a result, we're significantly improving our business decision-making because Archer provides us with specific, actionable items."
If there's been a downside, it's the administrative details created by UMB's embrace of the tool. "We're up to 900 users," explains Rodgers. "Management of access rights has been an issue. But this is a business challenge for UMB and not an insufficiency in Archer's technology."
Going forward, "We'll be able to develop risk-based product pricing and capital allocation," Toburen says. "And we'll be better positioned to compete with larger institutions."