RSA Archer Reviews

We use this solution for task management and reporting, with a focus on Risk Management services. We have this solution deployed on-premises.

Before we adopted this solution, everything was done in Excel. One of the main modules that we are using is the Risk Management module. We're in IT, and IT is a big domain, so if we have a lot of findings then the Excel worksheet would be passed between different people, and the data would be scrambled. Someone would later have to come back and bring all of the information together into one sheet. It was very hectic, troublesome, and time-consuming. We had a lot of things to take care of, and we needed a dedicated team just to bring the information together. We also needed expertise in terms of who can put the information together into a graphical format to make it easier for management to understand, as well as more general reporting.

Previously, we had almost zero reporting because of this hectic chaos. Now, we have all of the information right there, like a central repository. All of the risk owners have access to it. They can see their own and they can automatically fill in their actions and give us updates. With the central location, we have minimal resources required in order to prepare the review. We can export, report, create dashboards, drag and drop, etc. It has saved us a lot of effort.

The most valuable feature is the enterprise module, which provides the capability of having all of the information stored and linked with everything else. For me, that is eye-catching.

The dashboarding in this solution needs to be improved, specifically the graphics. I am trying to find other solutions because I want to create management dashboards. This product has its own built-in design capabilities and how to present things, but it doesn't have a bullet chart. The bullet chart is the best graph for my purposes, and it should be available for inclusion in the dashboards. We are doing audits and risk management, and there are timelines related to when things are due. All of that can be very easily seen in a bullet chart graph, but what is available now are pie charts, bar charts, and the simple information that is not as meaningful.

The reporting features are very basic, PowerPoint-like capabilities, that should be improved. They should be more like the features available in Power BI, or Tableau. As a workaround, I tried dumping the information from Archer into these two solutions, but it would be much better to have the functionality built-in.

When it comes to searching, the filtering process is not very intuitive. If I want to filter then I have to use too many buttons to get to what I'm trying to search for. If they can simplify the researching process then that would be good.

We have been using this solution for five years.

This solution is very, very stable.

This is a very scalable solution. After we implemented this solution, two different departments saw it and were impressed with the tool and how the work could be done centrally. We spoke with the vendor and added the scope for these departments. Now, it is centralized throughout the company.

We do plan to increase our usage of this solution. Its capabilities are almost infinite, but we're probably utilizing just twenty percent of it. We know its capabilities and what it can do, but there is a shortage in the availability of resources that can actually utilize the tool. There are perhaps three or four people that can use at least forty percent of the functionality.

We've assigned a task to a few team members so that someone can get a fresh look at how we can fully utilize it. It's a heavy tool and we want to use it. The problem is that it's just not that easy because you need someone who will actually understand the logic behind it, and also has the experience with the functionality. This is not expertise in the solution, but rather, the management. For example, we need someone who can understand the entire risk management flow in order for them to be able to use the tool efficiently.

Because of the vast differences in the domains being used in Archer, each team member is using a section of it. It's not really utilized how I want it, because I'm the leader of the team and I want to use this as the main tool for the entire IT department. However, I don't have the resources who can actually spend that much time to use it.

Technical support for this solution is very good.

We had one person as an expert that was providing level one and level two support for the solution. We had minimal occasions where we had to go to level three, which is to contact RSA directly. We did have some questions here and there, and we understood that the technical support team is very good at their job.

We did not use another solution prior to choosing this one. Everything was done using Microsoft Excel.

The initial setup of this solution was very complex because of our organization. We had to manually put in the entire organization and the functional design. We had multiple teams, departments, and divisions. It is a very mature organization that has more than seven thousand employees, and there are a lot of sections. We have gone through multiple re-organizations and still haven't had the time to actually change the structure in this solution, because of how complex it is. It was complicated and still is.

Deployment took a full year with dedicated resources. Seven people were involved in the deployment, each one working on a different thing. One was doing the logic, another was doing the structure, etc. We have very different models, including Risk Management, Audit, and Enterprise, so each person was working on something.

We hired a consultant to help us out with the deployment. After it was complete, we gave him a job and he came to work for us. Because it was so complex, we didn't have the resource in terms of someone to actually understand the tool because of how complicated it was to build it from scratch to match our organizational structure. It takes time for someone to understand the entire company, and since the integrators did that within the year, it was easier for us to bring him on board and then train people along the way.

We have seen ROI with this solution, although not directly. Before Archer, we needed people to come in to perform services for us. For example, if we needed to do risk management then we needed someone. They had to create the document, the module, and the framework, and then they come and do the assessment themselves. They are the ones that actually do the questioning, get the results, and give us the reports. That, itself, costs a lot of money because we have many services in IT.

Our on-premise expertise is aware of most of the things that are on the ground, but we just don't have the capacity to deal with all of them. So, we do it in small batches, here and there. We want people for cloud, people for risk management, people for audit, and people for compliance. Each of those different modules has a different price tag on it.

With this tool, once it was built and designed, we were able to use our own internal resources. We don't need to go outside. All of the questions are already there. The policies and procedures are already built-in, and you just need to tweak them a bit. So, it helps us just in understanding what's there, on the ground, and then we can mark our territory from there. Overall, it saves us a lot of money to be spent if we are taking care of these services individually.

We did evaluate other products back when I was in the metrics team. I was also looking into other tools just recently because we need the contract for the extension of the maintenance for another five years. So far, Archer has been the best. It stands out among the other tools that are coming into the market, and there is no comparison.

What really separates RSA Archer from the other solutions is the depth and richness of the different features and functionality that it has.

I've seen other tools that are very intuitive, easy to deploy, and easy to understand, but not as rich in functionality as RSA. This is the solution that I want to make the best use of, but I'm not prepared to do that because of the dashboarding. In three years, we will re-visit the evaluation process.

My advice for anybody considering this solution is that if you are a mature organization then this is the best tool to use. It has cross-disciplinary functionalities in which multiple teams can be using the same solution. Companies who are not yet mature, but want to develop, can use this tool as a baseline that will help them mature.

It has the entire process. It will help you streamline what you want, have visibility of what you need, and you can build up. Basically, it's a central repository for everything. We have enterprise architects who are interested in this solution because of the Enterprise module, and it's capabilities. Having all of the information connected, within itself, is the best value that you can have.

I, myself, wanted to become an expert and certified in using this tool. The only thing that stopped me was the lack of bullet chart capabilities in reporting. It's what is holding me back.

Without the support for bullet charts, the visibility that we need is lacking. For example, if there is a textual date like the 25th of April 2020, for us there is no visible representation of the date. A bullet chart will tell you how far it is, how far we have come already, and what the target is to get there. This is an amazing tool, but without that graphical representation, it just puts that aside. This is why I'm trying to find another tool that will compensate for that.

I would rate the closest runner-up to this solution a six out of ten, with all of the other solutions somewhere below that.

When it comes to this solution, I would rate it an eight out of ten.

We use RSA Archer to connect to the purchasing department so that vendors can sell new projects, and we can connect these sales to our project management. This solution connects both areas to develop demand and activities, allowing us to control technical resources and manage hours. RSA Archer also helps with Project Builder and Microsoft Project to check activities, start and finish times, and layered activities.

The solution has helped our organization manage our internal and external activities.

The price of the solution is very affordable.

The financial area of RSA Archer has room for improvement. I would like to be able to send invoices to our customers through the solution.

I have been using the solution for three years.

I give the stability an eight out of ten.

We have 100 people using the solution. I give the scalability an eight out of ten.

Technical support is the best.

Positive

The initial setup is straightforward. The deployment required five people.

I have seen a return on investment.

I give the price a five out of ten.

I give the solution an eight out of ten.

I recommend the solution to others.

Public Cloud

My primary use case of this solution is for government risk compliance, including risk management, cost reviews, and security management.

The risks which impact the organization or the IT section are presented in a well-displayed manner, which helps us to plan for, manage, or even mitigate risks. In short, Archer helps us plan our risk management very easily. 

The most valuable features are the advanced workflow and the dashboards. This tool can present data wonderfully to management, and it is easy for them to manage the risk plans.

An area for improvement would be the user interface. They could also offer more on-demand applications free of cost.

I've been using Archer for seven or eight years.

Archer has some performance issues when working on a single server. There is also a tendency for bugs to appear with every update.

I found this product easy to scale.

The tech support team is very good, but they need to be a little quicker to respond.

The complexity of the setup varies depending on the size of your network. With one server, installation is easy and shouldn't take a knowledgeable person more than three hours to complete.

We've seen a good return on investment in terms of time saved.

I would advise anyone thinking of implementing Archer to go for it. I would give this tool a score of eight out of ten.

On-premises

My main use cases are risk assessment and policy use. I also use this solution to create on-demand applications.

RSA Archer allows you to implement government risk compliance and acts as a mechanism to ensure that the compliance policies and standards are met. It also documents every exception with proper reasoning. This makes auditing much more convenient.

The most valuable feature is the advanced workflow, which has totally ruled out any issues with data-driven events and which makes it easier to explain things to end-users because you can show them a screenshot of the workflow.

An area for improvement is Archer's use of Internet Explorer as a core browser due to its dependence on Silverlight, despite Microsoft ending its support for IE and moving to Edge. I would like to see an end to the use of Silverlight and IE and for Archer to add the ability to use any browser to make key changes and configurations. In addition, I would like for the new questionnaire feature to be developed further and for Archer to develop a proper built-in framework for working with organizations with sub-organizations and multiple companies.

I've been working with RSA Archer for 28 years.

Archer's performance could be improved - older versions can be very slow, and the application crashes from time to time.

Archer is easy to scale.

I have to contact technical support about once a month due to some issues with logging in. Generally, the team is responsive and proficient, though sometimes they can be a little slow to respond.

Initial setup is quite complex because every organization requires three instances of Archer, which requires changing the specific components for each instance and needs three teams to be involved in deployment. Deployment can take anywhere from a couple of hours to a full day or two, depending on how many different modules are being installed and the areas being impacted.

Archer is fairly highly-priced, especially for smaller companies.

If using the on-premises version of Archer, it's necessary to train at least a couple of people who can provide ongoing support. Prior to purchasing the product, make sure that you define your exact requirements and go over them with the RSA Archer team. I would rate this product as seven out of ten.

On-premises

My primary use cases are IT risk management, policy management, IT compliance management, vendor risk management, and vulnerability management. 

RSA Archer allows you to create on-demand policies and custom solutions. It automates all our governance, risk, and compliance processes so that they can be easily managed and organized. Archer can build and automate workflows for anything that contributes to your risk.

The most valuable features of this solution are the ease of developing solutions and managing advanced workflows.

The main improvement I would like to see in the on-premises version is the amount of data the product can hold. You need to have a really good server to make it run if you have a large amount of data, which may be challenging for bigger organizations. Another improvement would be making more features available as APIs. There are also some automation issues - some areas are not truly automated but are only scheduled, requiring someone to be present to monitor the process, meanwhile using a lot of automation can slow the system. Finally, I would like to see more scope for developers to play around with the project - currently, it is so tightly coupled that you do not have many options compared to some other products.

I've been working with RSA Archer for ten years.

Assuming you stay within the limits stated in Archer's documentation, the stability is good. However, if you exceed their limits, you may need to play around with your power distribution to keep everything running smoothly. New patches or updates can also cause hiccups with stability.

The product is easy to scale.

Archer's technical support is pretty good - they are supportive, and their ticketing system provides real-time updates about any incidents that occur. The team also responds quickly to high-priority issues.

Setup was straightforward - for the on-premises version, the vendor sends an executable file, then you procure your resources and deploy yourself. The installation itself takes about twenty minutes at most, although preparation to install can take some time.

This product is at the higher end of the price scale, but it provides better, more accessible functionality and customization than cheaper products.

You don't need any experience with coding language to use this solution as it has drag-and-drop functionality. In two to three months, even non-technical people can be masters of the product. In addition, out-of-box solutions like risk management and policy management are really good. Maintenance is not a big problem, but if you heavily customize the product, you may need someone to keep an eye on those. I would also say that if you don't have your processes measured, don't jump directly into any of these products, including Archer. Make sure your processes are mature before implementing a product like this. I would rate this product as seven out of ten.

On-premises

I am developing applications in Archer from RSA (Rivest, Shamir, and Adelman). It is quite easy to implement the application. You just configure the workflow, define the forms and how the data is processed in the application. Everything can be configured without coding. You can use a code also to create special functionalities, but it is easy to do almost everything without coding at all.  

It gives me the opportunity to create custom security applications easily.  

The most valuable part of the product is the ease-of-use.  

I am currently using an older version of the product so my installation is not current. There have already been two new versions of Archer released after the version I have. I use 6.5 and 6.6 and 6.7 have been released. These two are minor releases. They are not really affecting the inner workings of how to do tasks but improving certain features like the interface. When I am creating applications I like to have what I know is a stable and familiar version of the product, so I do not automatically upgrade to the newest versions available.  

Because I have not upgraded, the graphical user interface is not the current one. It is not very modern and as user-friendly as it could be. I heard that the new versions have improved the graphical interface very much in this respect, and it should no longer be a problem at all. So, for now, I have some issues with the interface for this version but it may already be repaired and simplified in the new versions that exist.  

One thing I might like added is the ability to record a workflow in another application. It is really a sort of very technical thing and it is possible to do it in other ways, but adding this to the product could really help with the simplification of creating new workflows. This could make it easier, to implement some technical things.  

I have been using RSA Archer for one year.  

I have not experienced any problems with the stability of the product. It works as expected in accordance with the resources and feedback I received from my IT department. It can use a SQL server, a web server, or whatever I need. There is no problem with lag or overuse of resources on the server.  

The product is flexible and scalable. The processes that are created with the product are going to be used by every manager in this company. That is a total of about forty to sixty people right now.  

As far as how extensively I will use RSA Archer in development, everything I develop is per request. When somebody requests functionality, I am the one responsible for implementing it. It is not really possible to predict how often or how many requests come in or how complicated they will be. Usually, I am using it at least a few days every month. But I may be asked to implement an application that the other employees may use daily.  

I had a few problems initially understanding the sample they showed for the implementation. Once I contacted support they told me a few things to try and sent me links to additional documentation. When I read about it, I was able to easily resolve the issues I was having. When I was then also introduced to the community, I was able to continue to quickly solve any problems I had. There is a huge community of users that is quite active and can help other users to solve issues. It is great when others who have already solved similar problems in real life share their knowledge about how to solve those problems in your own environment.  

But in general, from my experiences, I would rate the support at RSA as very good.  

Another benefit is that — although there are many features already — you can propose new features directly to the company. There is a place in the user community to propose those features where they can be discussed. If they are popular features with users, they are implemented. So you can ask for anything and if you have an idea which is good — something which is required by others — it is usually implemented. I have recommended about four or five features that are in the process of being considered. It is a really good way for the company to guide their efforts in improving the product.  

A similar product that we used before RSA Archer was LDRPS (Living Disaster Recovery Planning System). We had to move from LDRPS to the RSA product because LDRPS went to the cloud. The security requirements of our management and of our customers are generally that they do not want to have very critical information on the cloud. In some cases, they can not have it there at all. We have to use a tool that is possible to install on-premises. When we were evaluating solutions, I was testing several of the products. I chose RSA Archer because it met this requirement and other needs we had for flexibility.  

I chose RSA Archer because I was tasked to find a tool that could implement business continuity planning. Archer can implement more processes in many ways, so it not difficult to implement anything from incident management to business continuity, to change management. Anything somebody asks me to do, they provide the requirements and it is really easy to implement it in this. On top of that, it is easy to customize.  

So this is the reason why we chose Archer. It is easy to implement, it is easy to change the workflow, and it is easy to customize the processes.  

Archer can be set up for use in very small environments and you can use one tool for several installations. It can be installed on several servers concurrently, so every server might be configured to have special features and styles and the instances of the installations cooperate together to provide the functionality of the tool. So the complexity of the setup depends on how large an environment you have. At this moment, I have experience only with very small environments, running the product on one computer. But the product also has great documentation. Just using the documentation alone I was able to install the product really easily and get it up and running on the one server.  

It took me a little more than one day to install. The deployment really depends on the use case. The use case is processing or the kind of process you are creating. For example, processing may need to analyze requirements supplied by customers. The more requirements and more processes you need in Archer the more complex the setup will be. Usually, it takes a few days to create a process. I would say on average that processes are implemented in five days. The options and features that the tool has are really quite vast. There are lots of features and every company only chooses to use some of them, which they license and use separately. It can be compared to something like Jira.  

I did not have to consider using an outside vendor for the installation and I was able to complete the install by myself with the help of the documentation.  

Many tools that I tested had processes wired into the application without any option to change them. When I needed to fill requirements that differed even slightly from what was already implanted in the tool I would need to make a workaround or need to implement another tool. This would not have been the best way to go about what I would need to accomplish regularly.  

For people considering this product, they have to be sure that it is a product that could really do what they need it to do. Mostly any workflow can be implemented in the process in the application if they want to build it. The best thing would probably be that they should just try it and see. I would definitely recommend this product, but it may not be the tool everyone likes the best.  

On a scale from one to ten where one is the worst and ten is the best, I would rate RSA Archer as a nine-out-of-ten.  

On-premises

We use RSA Archer as an Information Security Management Systems Compliance solution in sectors such as business resiliency, operational and enterprise risk management, audit management, public sector, security and IT risk management, third-party governance, and regulatory compliance management.

RSA Archer GRC modules allow you to build efficient, collaborative enterprise governance, risk, and compliance (GRC) programs across IT, finance, operations, and legal domains. With RSA Archer, you can manage risks, demonstrate compliance, and automate business processes.

This solution allows us to define and automate business processes for streamlining the management of content, tasks, statuses, and approvals.

We are able to consolidate governance, risk, and compliance information of any type.

Archer seamlessly integrates data systems without requiring additional software.

Automate movement of data into and out of the platform to support data analysis, process management, and reporting.

I would like to have the ability to build and maintain an inventory of personal data processing activities and assets utilizing a purpose-built taxonomy and data structure.

Tracking data retention schedules and executing a checklist based on Article 30 requirements as it relates to processing activities would be a helpful addition.

Having the ability to manage activities related to notifications and consents linked to the processing activity inventory would improve this solution.

- Community content in the Archer Exchange is very valuable - Easy to use - Highly configurable

We evaluated Archer but at the time its poor support for Basel (e.g. cap allocation) was a deal stopper for us. If you're not in the financial services industry then Archer might be a better fit. We also found Archer to be on the expensive side but we didn't get to the point of negotiating a better price.