We just raised a $30M Series A: Read our story

RSA Archer OverviewUNIXBusinessApplication

RSA Archer is #1 ranked solution in top GRC tools, top IT Governance tools, and top IT Vendor Risk Management tools. IT Central Station users give RSA Archer an average rating of 8 out of 10. RSA Archer is most commonly compared to OneTrust GRC:RSA Archer vs OneTrust GRC. The top industry researching this solution are professionals from a computer software company, accounting for 27% of all views.
What is RSA Archer?
Archer adapt enterprise governance, risk, and compliance (GRC) products to your requirements, build applications, and integrate with other systems, control the audit lifecycle to enable improved governance of audit-related activities, data, and processes, reduce the risk of IT and business disruption, harmful operational events, and significant business crises and build an efficient, collaborative governance, risk, and compliance (GRC) program across IT, finance, operations, and legal.

RSA Archer is also known as Archer.

RSA Archer Buyer's Guide

Download the RSA Archer Buyer's Guide including reviews and more. Updated: November 2021

RSA Archer Customers
T-Systems, Bridge Point, Equifax, First Data, Global Imaging Company, Manulife Financial
RSA Archer Video

Pricing Advice

What users are saying about RSA Archer pricing:
  • "The price of RSA Archer is good. The price isn't too high considering it is a leading tool in the market."
  • "I am not 100% familiar with that, especially with their new model. I just know that the way they've licensed per user to scale is good."

RSA Archer Reviews

Filter by:
Filter Reviews
Industry
Loading...
Filter Unavailable
Company Size
Loading...
Filter Unavailable
Job Level
Loading...
Filter Unavailable
Rating
Loading...
Filter Unavailable
Considered
Loading...
Filter Unavailable
Order by:
Loading...
  • Date
  • Highest Rating
  • Lowest Rating
  • Review Length
Search:
Showingreviews based on the current filters. Reset all filters
VS
Security Specialist at a tech consulting company with 1-10 employees
Consultant
Top 20Leaderboard
Configure security applications easily while retaining the capability to customize with and without coding

Pros and Cons

  • "The most valuable part of the product is the ease-of-use and the opportunity to create custom security applications easily."
  • "There are some issues with the interface for version 6.5 but these may already be repaired and simplified in the new versions that have been released."

What is our primary use case?

I am developing applications in Archer from RSA (Rivest, Shamir, and Adelman). It is quite easy to implement the application. You just configure the workflow, define the forms and how the data is processed in the application. Everything can be configured without coding. You can use a code also to create special functionalities, but it is easy to do almost everything without coding at all.  

How has it helped my organization?

It gives me the opportunity to create custom security applications easily.  

What is most valuable?

The most valuable part of the product is the ease-of-use.  

What needs improvement?

I am currently using an older version of the product so my installation is not current. There have already been two new versions of Archer released after the version I have. I use 6.5 and 6.6 and 6.7 have been released. These two are minor releases. They are not really affecting the inner workings of how to do tasks but improving certain features like the interface. When I am creating applications I like to have what I know is a stable and familiar version of the product, so I do not automatically upgrade to the newest versions available.  

Because I have not upgraded, the graphical user interface is not the current one. It is not very modern and as user-friendly as it could be. I heard that the new versions have improved the graphical interface very much in this respect, and it should no longer be a problem at all. So, for now, I have some issues with the interface for this version but it may already be repaired and simplified in the new versions that exist.  

One thing I might like added is the ability to record a workflow in another application. It is really a sort of very technical thing and it is possible to do it in other ways, but adding this to the product could really help with the simplification of creating new workflows. This could make it easier, to implement some technical things.  

For how long have I used the solution?

I have been using RSA Archer for one year.  

What do I think about the stability of the solution?

I have not experienced any problems with the stability of the product. It works as expected in accordance with the resources and feedback I received from my IT department. It can use a SQL server, a web server, or whatever I need. There is no problem with lag or overuse of resources on the server.  

What do I think about the scalability of the solution?

The product is flexible and scalable. The processes that are created with the product are going to be used by every manager in this company. That is a total of about forty to sixty people right now.  

As far as how extensively I will use RSA Archer in development, everything I develop is per request. When somebody requests functionality, I am the one responsible for implementing it. It is not really possible to predict how often or how many requests come in or how complicated they will be. Usually, I am using it at least a few days every month. But I may be asked to implement an application that the other employees may use daily.  

How are customer service and technical support?

I had a few problems initially understanding the sample they showed for the implementation. Once I contacted support they told me a few things to try and sent me links to additional documentation. When I read about it, I was able to easily resolve the issues I was having. When I was then also introduced to the community, I was able to continue to quickly solve any problems I had. There is a huge community of users that is quite active and can help other users to solve issues. It is great when others who have already solved similar problems in real life share their knowledge about how to solve those problems in your own environment.  

But in general, from my experiences, I would rate the support at RSA as very good.  

Another benefit is that — although there are many features already — you can propose new features directly to the company. There is a place in the user community to propose those features where they can be discussed. If they are popular features with users, they are implemented. So you can ask for anything and if you have an idea which is good — something which is required by others — it is usually implemented. I have recommended about four or five features that are in the process of being considered. It is a really good way for the company to guide their efforts in improving the product.  

Which solution did I use previously and why did I switch?

A similar product that we used before RSA Archer was LDRPS (Living Disaster Recovery Planning System). We had to move from LDRPS to the RSA product because LDRPS went to the cloud. The security requirements of our management and of our customers are generally that they do not want to have very critical information on the cloud. In some cases, they can not have it there at all. We have to use a tool that is possible to install on-premises. When we were evaluating solutions, I was testing several of the products. I chose RSA Archer because it met this requirement and other needs we had for flexibility.  

I chose RSA Archer because I was tasked to find a tool that could implement business continuity planning. Archer can implement more processes in many ways, so it not difficult to implement anything from incident management to business continuity, to change management. Anything somebody asks me to do, they provide the requirements and it is really easy to implement it in this. On top of that, it is easy to customize.  

So this is the reason why we chose Archer. It is easy to implement, it is easy to change the workflow, and it is easy to customize the processes.  

How was the initial setup?

Archer can be set up for use in very small environments and you can use one tool for several installations. It can be installed on several servers concurrently, so every server might be configured to have special features and styles and the instances of the installations cooperate together to provide the functionality of the tool. So the complexity of the setup depends on how large an environment you have. At this moment, I have experience only with very small environments, running the product on one computer. But the product also has great documentation. Just using the documentation alone I was able to install the product really easily and get it up and running on the one server.  

It took me a little more than one day to install. The deployment really depends on the use case. The use case is processing or the kind of process you are creating. For example, processing may need to analyze requirements supplied by customers. The more requirements and more processes you need in Archer the more complex the setup will be. Usually, it takes a few days to create a process. I would say on average that processes are implemented in five days. The options and features that the tool has are really quite vast. There are lots of features and every company only chooses to use some of them, which they license and use separately. It can be compared to something like Jira.  

What about the implementation team?

I did not have to consider using an outside vendor for the installation and I was able to complete the install by myself with the help of the documentation.  

Which other solutions did I evaluate?

Many tools that I tested had processes wired into the application without any option to change them. When I needed to fill requirements that differed even slightly from what was already implanted in the tool I would need to make a workaround or need to implement another tool. This would not have been the best way to go about what I would need to accomplish regularly.  

What other advice do I have?

For people considering this product, they have to be sure that it is a product that could really do what they need it to do. Mostly any workflow can be implemented in the process in the application if they want to build it. The best thing would probably be that they should just try it and see. I would definitely recommend this product, but it may not be the tool everyone likes the best.  

On a scale from one to ten where one is the worst and ten is the best, I would rate RSA Archer as a nine-out-of-ten.  

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
AS
Specialist - RSA Archer at a tech services company with 10,001+ employees
Real User
Leaderboard
Complete end-to-end solution that's easy to integrate and customize

Pros and Cons

  • "Integration is another great aspect of RSA Archer. From the beginning, integration has been a central focus for RSA, and Archer has always integrated well with most tools on the market today."
  • "RSA Archer might be a bit expensive for small companies because it's a vast tool."

What is our primary use case?

I'm an administrator for RSA Archer and a consultant, so I create platforms for various businesses based on their requirements. RSA Archer is a GRC tool, so RSA Archer controls and regulates different enterprise GRC solutions and IRM modules. I create those platforms for various business users according to their specifications. They provide us with the storyline, and then we advise them on ways to use RSA Archer to manage their processes. And then, once that is done, we create an RSA Archer platform.

How has it helped my organization?

RSA Archer has updated its UI many times. And the UI is now much more rich and user-friendly. That's one of the major things that they have changed recently. Our business users are much more comfortable with the latest UI. Also, the reporting mechanism inside RSA Archer is another thing that is very user-friendly. And all the business users, in most of the cases I've seen that they are very comfortable in using the reporting tools.

What is most valuable?

RSA Archer is a valuable tool because it can manage the end-to-end functioning of any enterprise GRC module, such as compliance and risk management or business continuity plans and the entire BCM module. RSA Archer also provides many out-of-the-box solutions, which are use cases derived from the standards for GRC or risk management, governance, and compliance. It provides an end-to-end mechanism for business users on a single platform. That includes reporting, managing workflow, creating documentation, or tracking a process where you need to get approval from the various levels within the organization's hierarchy. 

Integration is another great aspect of RSA Archer. From the beginning, integration has been a central focus for RSA, and Archer has always integrated well with most tools on the market today. RSA Archer has its own APA that can be integrated into any other tools using Dorknet, Java, or any other language you can think of. So the APAs are excellent and easy to work with. 

RSA is also increasing the scope of customization. When using a tool, consultants like us might need to customize it because the out-of-the-box solution does not perfectly match the client's requirements. So RSA is quickly incorporating those customizations and allowing us various ways to do that. In doing so, RSA is opening up more areas where Archer can be used. Vendor management is the latest example. They have already added one vendor management module. I'm not entirely familiar with it, but it can be integrated with other tools directly on a real-time basis. So that's one feature, which is very new to Archer, and I think it's going to be a breakthrough.

What needs improvement?

There are many small things that need improvement but on the whole, it is much better now than it was when I first started using it six years ago. They are putting out updates almost every day. The latest version came out just a few days ago, so they are constantly making minute fixes and tweaks based on input from different users. Users like us are developing applications on the tool, so when we have an issue, we open a ticket with RSA directly. If it is a new issue and they can't fix it, then they log it and provide a solution in the next release of their tool. They're also planning to move to a completely cloud-based solution, so they are providing all the support for RSA Archer to be easily hosted on the cloud and everything.

For how long have I used the solution?

I've been working with RSA Archer for the last six years.

What do I think about the stability of the solution?

Performance is always an issue with any coding system. And RSA Archer used to have more performance issues. It was completely on-prem, so there were some slowdowns because of that. However, they've upgraded their backend systems, the codes, supporting database structures, etc. So the speed has picked up lately. They have improved in the last few releases, and I hope they will also continue to do that. 

What do I think about the scalability of the solution?

We have various mechanisms to scale up. For example, we already have the lab configuration in RSA Archer, so we can use their lab to get that directory from the organization. And whenever it changes or updates, that's automatically reflected in RSA Archer too. So that is a very straightforward thing and easy to maintain also. And we plan to increase usage. My company is an RSA Archer partner, so they're always looking to increase the number of projects in RSA Archer. 

How are customer service and support?

RSA technical support is good. They're very approachable and provide quick solutions. Sometimes there may be a delay, but only if it is a very complex problem or one they might not have encountered earlier. 

How was the initial setup?

RSA Archer is very deployment friendly because it is quick and straightforward. Migration and deployment aren't too complicated. RSA Archer can do it more quickly than most other GRC tools in the market right now, like SAP GRC. RSA Archer is one or two steps ahead because the migration is pretty smooth and can be done very quickly. One person can handle it pretty easily, but it also depends on the level of customization you want. Whenever we are customizing a tool, we need a specialist. So during migration, the senior consultants monitor what the team is doing and the others supervise. But if we're talking about how easy it is, then one or two people can easily do it.

Then there is the regular maintenance, but it's more accurate to say "enhancement" than "maintenance." Every time the user has a new requirement, we need to add those things into our resources. So it's pretty easy to do if you have two or three environments with you, development, UAT, QA, production, etc. The migration is pretty quick, so it's easier to manage from the maintenance point of view.

What was our ROI?

We've seen a return with RSA Archer. My organization started with a single project in RSA Archer, and now we are handling multiple businesses at multiple levels and doing several different projects in RSA Archer. And the clients are returning customers. They want to get into RSA Archer as much as they can.

What's my experience with pricing, setup cost, and licensing?

RSA Archer might be a bit expensive for small companies because it's a vast tool. It provides many built-in solutions and functions that can meet all of a company's GRC needs. So, ultimately, it is cost-effective because it offers tools that serve a variety of functions. It is costly, but if you are a big company, the decision is pretty straightforward in terms of the cost versus the service Archer provides.

The licensing scheme has several levels, and you can purchase additional licenses depending on your needs. So you can opt to get only a license for the use cases that apply to your organization. You don't need to buy the entire thing, so that is a good thing.

What other advice do I have?

I rate RSA Archer eight out of 10. Nothing is perfect and every day RSA is perfecting its own tool, so I rate it eight. It is one of the best GRC tools on the market at the moment. But, every day new tools are emerging. For example, ServiceNow is one of RSA Archer's strongest competitors. They are also coming up with their own ASA application use case. But I would say that RSA Archer is a much more mature GRC tool, and it stacks up well against other GRC platforms like SAP GRC and IBM Openpages. So in that sense, I would say Archer is a more mature tool with good services that can be helpful for your organization. I would recommend it. 

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Flag as inappropriate
Learn what your peers think about RSA Archer. Get advice and tips from experienced pros sharing their opinions. Updated: November 2021.
552,305 professionals have used our research since 2012.
HK
Archer developer
Real User
Top 20Leaderboard
Attentive support and high return on investment

Pros and Cons

  • "With RSA Archer, an admin can set permissions for a normal user to go directly to the tool they need to input some data. Admins can then go through that and approve some requests. Also, they can log in based on these kinds of permissions, including ticketing, service patches, or upgrades."
  • "It would be nice if RSA Archer featured more customization. When customers are updating, they should be notified whether certain updates are optional. The install screen should not proceed to the next page unless we make some selections about which updates we want to install."

What is our primary use case?

There are six to seven use cases currently. Most of the time, clients request a customized application. Right now, we're using RSA Archer for risk and issue management— like building a risk registry. We'll respond to risks using findings in the risk registry. So we'll set policies for risk discrimination and acceptance based on inherent and residual risk. We have all kinds of environments, covering DEV, SIT, and UIT. Currently, we have 6.9 Service Pack 2.

What is most valuable?

With RSA Archer, an admin can set permissions for a normal user to go directly to the tool they need to input some data. Admins can then go through that and approve some requests. Also, they can log in based on these kinds of permissions, including ticketing, service patches, or upgrades. The manager gets a notification, and they can log into the mobile application using this tool.

What needs improvement?

It would be nice if RSA Archer featured more customization. When customers are updating, they should be notified whether certain updates are optional. The install screen should not proceed to the next page unless we make some selections about which updates we want to install. That feature should be implemented in Azure so that users are aware. 

There is also an issue with managing records. If we add or remove records, something has to be updated.  Something has to be developed in this subform so that if a developer unexpectedly removes the total recorder linked to the parent record, it doesn't interrupt the connection. They have to come up with a solution for that.

Previously, we used RSA Archer to review data events. For example, we have a feature called Subscription Notification that was called Generate Notification. The letterhead was changed after migration, so we needed to update the letterhead manually. In Service Pack 2 6.9, links were embedded. So if we edited STTP, we had to remove the double slashes at the beginning of the address and update them to use only one slash. However, it is not recommended practice, so currently they're still updating that. We have notified the RSA team, and they are working on that.

For how long have I used the solution?

I've been working with RSA Archer for seven years. I started my career as an administrator, and after that, I switched to development. Currently, I'm leading the team in an architectural role, like gathering requirements, deployments, and support.

What do I think about the stability of the solution?

In terms of performance, I would rate RSA Archer seven out of 10.

What do I think about the scalability of the solution?

After deployment, some customers complain that the database must be constantly updated every time they add users, and the update process takes them a long time. For example, one of my clients has 60,000 to 70,000 users in their environment. It takes them three to four days to rebuild the search index on the database side.

How are customer service and support?

We're in touch with RSA Archer's support on a daily basis. We have set up a scrum call every day to check if the clients have any issues identified post-deployment. In addition, we stay in touch with the tech team and provide support after deployment to address minor issues like, for example, if a customer needs to change their configuration. So we are implementing and releasing in two to three days if any minor changes are required. 

Which solution did I use previously and why did I switch?

I previously worked on ITGC Controls in the IT sector conducting general control audits. I have performed other roles. We used to collect all the systems-related information showing that the server is updated correctly. We used to check database server-related information, so we'd verify that the daily backup is done. All the IT environments should have maintenance on policies ISO 7001, and I performed the general control audits.

I was using a related tool, but at the time, I was interested more in development, so that's why I have switched. Initially, it was a minor project that required significantly less personnel. RSA Archer is growing mature, so I just switched.

How was the initial setup?

When you're first installing RSA Archer, the mobile feature is not available, but users can still manually input the details in the initial phase. And initially, it's like a normal input process. Then, after that, they have to come back and monitor using the PC or the laptop. 

The personnel needed for deployment depends on the solution. If there is one developer, they don't have any direct authority to deploy it. So we have some third-party monitoring at the time of deployment because if they touch any course other than this, the dedicated solution has to monitor it. Generally, one developer is enough for one solution. And after deployment, they have to recheck using that third party because most of them are in the banking sector, so everything should be monitored.


It takes about an hour to install. But, of course, if any jobs are running, it might take longer. So we have to give the system time to install all the code correctly. After installation, we also need to check for upgrades. 

What was our ROI?

I can say RSA Archer is worth the cost.

What's my experience with pricing, setup cost, and licensing?

The price of RSA Archer is good. The price isn't too high considering it is a leading tool in the market. However, some Level Three companies cannot afford this license because they're charging too much. For example, the price might be reasonable for Level Five companies doing a four-month project, but they have to lower prices to make the product more competitive in the market for companies below Level Three.

What other advice do I have?

I rate RSA Archer nine out of 10. It's an increasingly mature and very secure tool in the market. Every environment should have this kind of tool. It's useful for tracking any security threat.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Flag as inappropriate
Vivek Shah
GRC Archer Consultant at a tech services company with 10,001+ employees
Consultant
Top 20Leaderboard
Flexible record permissions and data import features; could be simplified in several key areas

Pros and Cons

  • "Flexible record permissions and data import features."
  • "The solution as a whole could be simplified."

What is our primary use case?

My primary use cases of RSA Archer are for business resiliency, business continuity management, third party vendor management, IT risk management and some of the other governance and compliance applications. We are partners with RSA and I'm an Archer system administrator. 

How has it helped my organization?

There are many benefits to using Archer as a platform. Previously, all processes in the organization were scattered. Once Archer was implemented, everybody had a role to play. It was just a matter of logging in, doing the work, and moving the workflow to the next stage. Prior to Archer, all the work took place via emails or sharing of Excel files. Archer has streamlined everything and it's really helping the organization to manage potential risk and data security. Security is key these days.

What is most valuable?

I believe the record permissions and data import are the most flexible and user-friendly features because they enable all information to be available on the platform.

What needs improvement?

Compared to other GRC tools, RSA Archer is a little complex in the sense that even users need to have some knowledge of the tool. Without any knowledge, both users and developers will have a hard time. I'd like to see the access control part simplified. Reduced complexity in the Advance Workflow and on the front end part of the tool would be really helpful. 

System administrators have overall control over the system, but it would be good if they could get more control over Archer. Finally, Archer has the option of custom coding things not currently supported by RSA. If it were supported that would be a great innovation because clients have needs that are not adjustable or incorporated in the tool. All those changes require coding which increases complexity.

For how long have I used the solution?

I've been using this solution for close to four years. 

What do I think about the stability of the solution?

I think the level of stability and performance is connected to the size of the organization. There can be issues when there is an Excel load in the system, or when there are too many users and too many processes running on the backend. Things can slow down and we've seen glitches and delays. If processing speed could be increased, that would likely solve the issue. 

What do I think about the scalability of the solution?

Scalability is there but it's not easy. You need to be familiar with the system, which can take a couple of months. Once there's familiarity it becomes more user-friendly. It's not as easy as ServiceNow or OneTrust. Those are much lighter tools and easier to learn. Scaling should be more user-friendly. We currently have around 9,000 active users and I expect that to increase in the future.

How are customer service and support?

Customer support is working well and I don't have any complaints about that. 

Which solution did I use previously and why did I switch?

I have used ServiceNow but nowhere near as extensively as I've used Archer. The problem with GRC ServiceNow is that it has limited features, which is why we switched to Archer. It has better features and functionalities.

How was the initial setup?

The initial deployment needs to be carried out in coordination with RSA because it's their product. It requires a web service, application service, database service, everything needs to be designed for the platform. It would be great to have some kind of video or technical demo to help with this. 

If the process of going from the ESC environment all the way to the production environment could be easier that would be really helpful because it's very likely that not all environments will be in sync in most organizations. Features are going to differ from the broad environment to the lower environment and while packaging, the features of the lower environment also come into the production environment. Maintaining synchronization takes a lot of time so if there could be some flexibility and ease, that would save a lot of time for the organization.

What was our ROI?

In terms of return on investment, I think the processes and management as far as risk and governance compliance is concerned, have been very effective. Achieving their objectives and tasks in a timely manner with all the necessary security and parameters along with streamlining is a return on investment. I'm unsure about the benefit in revenue, it's more about improving risk and the governance processes.

What's my experience with pricing, setup cost, and licensing?

Archer is expensive compared to other GRC tools. The product is generally used in multi-national companies like JP Morgan, Morgan Stanley, Amazon, Goldman, or eCommerce. They all use Archer. The cost would be prohibitive for a small or medium-scale company. If Archer is looking at promoting this product, they need to work on the pricing because only large organizations can afford it. There are many additional costs involved so that if one needs to develop some features in the tool there is an additional charge; if you ask RSA for any kind of enhancement or development, they will charge you; and if you'd like some consultation in regards to the product, they will charge you for that too.

What other advice do I have?

This is a really nice tool because the majority of what it provides is not offered by other solutions. It's a matter of learning the tool and accepting how it works with an open mind. Anyone using it will find it really helpful for the GRC processes.

I rate the solution seven out of 10. 

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Flag as inappropriate
SJ
Vice President and Risk Management at a financial services firm with 10,001+ employees
Real User
Top 10Leaderboard
Robust and feature rich solution

Pros and Cons

  • "The part I liked about Archer was the risk assessment for deficiencies and being able to use it there."
  • "It's resource-hungry, that's the best way of putting it."

What is our primary use case?

For Archer, today there is everything from risk management to looking at security and how to track all the security defects. We don't have Archer connected to ServiceNow. We had the better version when I was at Albertsons. Just before I joined UFG, we used it not only tracking deficiencies, but also doing all the risk work and all of the vulnerability management, but we tied it to ServiceNow so we could issue tickets and track stuff. That's the way to do it.

How has it helped my organization?

Our version is on-prem, which I used also used at Wells Fargo where we had it on-prem as well. I thought the best version we used was at Albertsons, we were in the cloud and we were using their stuff. To me, that's a better way to go. You want to keep it up to par, and you can't screw around with the data structures. It really keeps you current which is probably the best example so you get the best bang for your buck.

What is most valuable?

When you get it to work, then it's valuable to me. The part I liked about Archer was the risk assessment for deficiencies and being able to use it there. The part I don't like is what it takes to get it really working right. That's not trivial. You need people that really understand it, and you also have to get people to stop making changes to the data schema and the rules, because if they do that, then it defeats the whole purpose of Archer.

What needs improvement?

The problem is, and I've had years and years of experience using it, let's say decades of experience with it, and they keep changing it. It could be as much as two years or so and they change the product. My concern is when they go from module to module, what do they do? Is it consistent to what the industry wants? And they could also add some things and improve on their product for when we want to match up CVS to it and a few other things. And I think the training is hard. I think they need to emphasize that you take people and send them to training. But today with COVID, how do you do that?

For how long have I used the solution?

I use RSA Archer on a daily basis. Some people in the Archer group call me a pain, they keep saying, "Well, we can't do this and we can't do that." I say, "Let me show you how it's done."

I have been using it since they first started. So that's got to be almost 15 years now. I knew it when it wasn't even Archer, when it was part of Ernst & Young's suite of risk products. And then Silver Shire took it out of there, formed his own company called Archer. And that's how it was developed. I go that far back with Archer. I've seen it evolve, and they keep changing modules, names, pricing. It's kind of fun to watch the industry.

What do I think about the stability of the solution?

In terms of stability, if you do it yourself, it can grow big depending on how you want to use it. I've seen and been in companies that want to do all this fancy stuff and all the rules and everything else and it just eats resources you could point at, being 20, 30 servers. It's big.

It's resource-hungry, that's the best way of putting it.

What do I think about the scalability of the solution?

In terms of scalability, that's a problem. When you want it to scale, it costs you resources, just like that other product I hate, Splunk. I love the products, but not the resources they eat. It is expensive that way.

How are customer service and technical support?

When you find the right one in tech support, it's good. They're all good, but some are better than others. When you're in a crunch, you want the best person right away. Guess what? I want it now. It's like a kid. I want it now.

I'd give tech support an eight to nine.

How was the initial setup?

The initial setup is complex. It's not straightforward and never was.

It requires knowing what all the modules do, understanding what you want to do, and then finding the right people that can program it. And finding those experts is not trivial.

Which other solutions did I evaluate?

At one time, it was the only thing available. Now there are other products that I would consider.

What other advice do I have?

Make sure you know what you want to really do and pick the right modules and do a lot of planning, planning, planning. It's like building a house. If you don't do the planning, when it comes down to trying to build it, you really get screwed or the team gets screwed. And I don't think people do a lot of planning.

On a scale of one to ten, I'd give RSA Archer an eight.

It's Archer - there are days when their stuff is awesome, there are other days when the frustration level is way too high.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
MP
Senior System Developer at a financial services firm with 5,001-10,000 employees
Real User
Workflows are easily automated; great risk management and policy compliance features

Pros and Cons

  • "Enables development of any application, automation of any workflow including the GRC work processes."
  • "GUI could be improved."

What is our primary use case?

My role is as a developer or administrator of this tool, but I'm also a user. I work as a senior system developer and we are customers of RSA Archer. 

How has it helped my organization?

Previously, the process we required was carried out in Excel data with follow-up emails through Outlook and it was very difficult to track. After we implemented Archer, things worked a lot more smoothly, and rather than looking for things, the system sends a notification reminder. We can do everything within the tools; updating records and publishing them, maintaining approvals, reminders, reporting, and dashboards. 

Some of our clients who use Archer bring the activities scan and present data into Archer, and can then manage their workflow. They can see the overall risk rating, how it relates and where it's coming from, the device causing it, those kinds of things. They wouldn't have been able to do that without Archer. 

What is most valuable?

The tool is really well designed overall and you can develop any application, automate any workflow including the GRC work processes. Workflow can be automated very easily so that providing access and making changes are all relatively simple. I find that integrations are very easy in this tool. For example, bringing data from an external tool is easy and manageable. It also provides a single tool to manage all the different workflows and different processes. For example, you can perform risk management, policy compliance, audit, and all other processes. It's really a one-stop-shop and a great feature compared to what other tools offer. Finally, the core solution and library provided with the tool are great compared to other tools like ServiceNow, which still process metrics. I don't think they come close to Archer. 

What needs improvement?

Other tools, specifically designed for audit management have a better GUI than Archer. The problem with Archer is the business process. If you design in Archer you get a lot of tasks and a lot of information that gets congealed, which users don't like. The issues can be solved using the advanced workflow feature of Archer but it was only recently introduced and most clients are still using the old version to run the workflow.

If your process requests many tasks, many approvals, workflows, etc., then you're definitely going to see a lot of information in one sheet which makes the job harder. It's all dependent on your process. There are some flaws in the system, which are generally rectified over time but there is still room for improvement. I've previously given some feedback and, in general, there are a lot of complaints about the GUI. 

For how long have I used the solution?

I've been using this solution for three years. 

What do I think about the stability of the solution?

The solution is very stable but as the data grows and the size of the database grows, you need to add additional servers or sources to manage latency. It creates a lot of logs and the data fills up if it's not properly maintained. It doesn't require daily maintenance but a clean-up is needed at least once a year. If you have really good hardware resources, you don't really need to do that.

What do I think about the scalability of the solution?

The solution is easy to scale. Just add a server, then store the tool in it and then load balance it. It's not difficult. We have around 2,000 regular users and we're likely to increase that.

How are customer service and support?

I think customer support is really good. There are some times when they don't have a solution to a new problem, something newly identified, but they submit it to the engineering team and ultimately it gets fixed. It can sometimes take a few months but I don't see any major issues with their support. I think they're pretty good.

How was the initial setup?

The initial setup is reasonably straightforward. Deployment is generally carried out by one person. If a company wants to maintain segregation of duties, then multiple teams are necessary; one for development and another for deploying the change in production. Deployment time depends on the change you are pushing. If there are multiple items involved, the best option is to deploy the package. If the application has millions of records, then it will take longer to recalculate. If there's a smaller number of records, deployment can be done in a couple of hours. 

What was our ROI?

We've definitely seen a saving with the automation of the process. It saves time which can be spent on other activities. And, of course, that means a cost saving. 

What's my experience with pricing, setup cost, and licensing?

I believe our licensing costs are around $100,000 for the tool and that possibly includes a basic solution that comes with the tool. If you then need another solution then there is an added cost for that. I don't know how that compares to the cost of other tools. 

What other advice do I have?

For anyone trying to automate a data GI processor, Archer is a good product.

I rate the solution nine out of 10. 

Which deployment model are you using for this solution?

Hybrid Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Flag as inappropriate
AD
Project Manager, Consultant at a tech services company with 11-50 employees
Consultant
High ROI, user-friendly, and good licensing model for scalability

Pros and Cons

  • "From my perspective, because I've always done it as a consultant, I do like the way it is configured. They've gone into changing the application builder interface, so it is even easier. When you're working with users, it is really easy to show them how to do things quickly and how to configure, change, and design stuff quickly."
  • "Some of the error reporting isn't very clear. When you're looking for information on error codes, you got to do a lot of digging."

What is our primary use case?

It is used for enterprise risk audit, corporate compliance, and vulnerability reporting like threat management reporting. It is a whole suite that has different products depending on what you want to track and report on.

I do use the SaaS version, but I have also deployed it on-prem, and I also have experience with the original cloud version. The one that we deployed originally on the cloud was on AWS, but now they do everything on SaaS.

What is most valuable?

From my perspective, because I've always done it as a consultant, I do like the way it is configured. They've gone into changing the application builder interface, so it is even easier. When you're working with users, it is really easy to show them how to do things quickly and how to configure, change, and design stuff quickly.

What needs improvement?

Some of the error reporting isn't very clear. When you're looking for information on error codes, you got to do a lot of digging.

What do I think about the stability of the solution?

I've never seen any major issues.

What do I think about the scalability of the solution?

Its scalability is very good. Because of the way they've set up their licensing, it's now very easy to scale, especially if you're using SaaS.

We have over 60,000 users across all departments. Some users just go to check the status. I would think it is being used extensively.

How are customer service and support?

It has changed over the last six months, and it is a little bit more challenging. When you have to report an error, you can't really find a lot of detail online. You have to open a case file, and then after opening a case file, it does take some time for resolution. From one to five, I'm going to rate them a 3.5.

How was the initial setup?

It is very straightforward. The documentation that they provide is clear in terms of the instructions that you have to follow through. It is very well documented. Most users and techs can follow it, even with very little experience.

For its deployment, usually, there are one or two people. You don't need more than that because it's a very easy product to upload. If you're doing it from scratch where you have absolutely nothing, it is about a half-day setup.

It requires very little maintenance. Their upgrade packages are pretty quick, and it is easy to do the upgrades. It is very user-friendly, and even if you have no tech background or you're a new Archer administrator, it is very easy to do.

What was our ROI?

Its ROI is quite high when you look at how long it takes for people to input stuff for compliance risk, vulnerability management, and threat management. The centralization of data allows you to get a pretty high return on your investment pretty quickly because it's really easy to implement. It doesn't take like a year. You can do it in less than two months, depending on the solution that you want to implement. The customization opportunities with reporting are also pretty high.

What's my experience with pricing, setup cost, and licensing?

I am not 100% familiar with that, especially with their new model. I just know that the way they've licensed per user to scale is good.

What other advice do I have?

I would advise others to know their requirements going in because there's so much flexibility with the product. You could over customize it just because it allows you to do so much, but sometimes too much of a good thing is not a good thing. If you know your requirements upfront, your road to success is short, but your return is high.

I would rate it a nine out of 10.

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Flag as inappropriate
SB
Sr. Consultant at a retailer with 11-50 employees
Consultant
Great Advance Workflow feature; ability to create multiple layers with a specified functionality

Pros and Cons

  • "The Advance Workflow feature simplifies things."
  • "The solution can be a little slow due to the Silverlight feature."

What is our primary use case?

We customize this solution for our clients. We take all their requirements and prepare the design and format by creating fields, notifications, access controls and workflows. We use all the management features that the solution provides to support our clients. We are customers of RSA Archer and I'm a senior consultant. 

What is most valuable?

The Advanced Workflow feature is one of the most valuable and user-friendly. We used to have to write multiple calculations. With Advanced Workflow, things are much easier for the developer and end user. It's a robust feature that allows users to easily identify what they're doing and where they are. We're able to create multiple layers with a specified functionality that gives an understanding of what is required as well as increased flexibility. Archer provides good security, enabling access where necessary. It's also a useful reporting tool, clearly showing functional data and, when needed, the ability for comparison. The default dashboard shows daily activities that are easily captured allowing for information to be extracted. 

What needs improvement?

In the current version, RSA is a little slow mainly because of Silverlight which I believe has been removed in the next version. We have some issues using .NET because migrating requires retraining the custom object every time; it's a manual change which is challenging. For that reason, we don't use the custom object. What's needed is a valueless field, where we can drag and drop, add some values and the process is automatic. I'd also like to see an 'approved' button incorporated in the notifications for updates. It would save time and make life easier for the end users.  

For how long have I used the solution?

I've been using this solution for 11 years. 

What do I think about the scalability of the solution?

This solution is very easy to scale and easy for new users to understand.

How are customer service and support?

Because we use most of the modules we're paying a lot to get good support. We interact with someone from RSA on a weekly basis and deal with any issues on the platform.

How was the initial setup?

The initial setup is straightforward when you understand the system. We put our new users in the sandbox environment and get them to play around with it before setting out our requirements. It can be a bit of a challenge initially but not for long. It's not a common platform and is different from other tools. Once our users are implementing, it's a very smooth process for them. We have a total of seven developers, four are in-house and three are on contract. 

Deployment time depends on the use case; if it's a large implementation, it can take between six and nine months. The solution needs maintenance because of the updates and that often results in patching needs. We're using Archer on a daily basis. 

What's my experience with pricing, setup cost, and licensing?

I'm not sure about the cost of the solution but every year we purchase additional on-demand applications. Archer offers a package that allows the purchase of 10 on-demand applications. You can purchase more than that and the price goes up accordingly. I believe these purchases come with two years of maintenance support. 

What other advice do I have?

This is a good solution compared to others in the market because it is more secure. It's suitable for any size company although smaller companies will only need to use certain modules with larger organizations using multiple modules. This is a one-stop storage device that you can access from anywhere. 

I rate this solution nine out of 10. 

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Flag as inappropriate