CUSTOMER Q + A

AT-A-GLANCE

Challenges

– Many manual legacy GRC processes

– Inconsistent implementation of GRC controls

– Inability to consistently measure GRC compliance

Results

– More cost-effective and efficient GRC processes

– End-to-end GRC platform provides Royal Dutch Shellwith a competitive advantage

ROYAL DUTCH SHELL Royal Dutch Shell Gains A Competitive Advantage By Deploying RSA For GRC

“We're introducing RSA Archer to project managers. The day they walk in the door and are told ‘this is your new project’, they can do their business impact assessments and leverage work flow to contact our risk and control staff to review the work that they've done. This way, they can better understand the risks. They can take controls that have been agreed at an enterprise level and, using Archer, bring them straight into their project.”

KEITH HERNDON, MANAGER OF COMPLIANCE & INCIDENTS

www.emc.com/rsa ©2014 EMC Corporation. All rights reserved. EMC, the EMC logo, RSA, the RSA logo and Archer are the property of EMC Corporation in the United States and/or other countries. All other trademarks referenced are the property of their respective owners. SHELL QA 1014 H14249

ABOUT RSA RSA’s Intelligence Driven Security solutions help organizations reduce the risks of operating in a digital world. Through visibility, analysis, and action, RSA solutions give customers the ability to detect, investigate and respond to advanced threats; confirm and manage identities; and ultimately, prevent IP theft, fraud and cybercrime. For more information on RSA, please visit www.RSA.com.

CONTACT US

To learn more about how RSA products, services, and solutions help solve your business and IT challenges contact your local representative or authorized reseller — or visit us at www.RSA.com

Royal Dutch Shell, commonly known as Shell, is a multi-national oil and gas company headquartered in the Netherlands and incorporated in the United Kingdom. Created by the merger of Royal Dutch Petroleum and UK-based Shell Transport & Trading, it is the second largest company in the world, in terms of revenue, and one of the six oil and gas "supermajors".

What is your role at Royal Dutch Shell? My name is Keith Herndon and I'm the manager of compliance and incidents for Royal Dutch Shell. I work in the global information risk management department. We're responsible for our IT assets and services.

What are your main business objectives and how does GRC impact them? Governance, risk and compliance, or GRC, is a critical element for us. We are operating in very difficult environments, and legal and regulatory requirements are important. It’s important for us to know what our risk posture and appetite are, and to be able to communicate them.

What challenges were you facing before RSA, and what was the primary business need behind the deployment? Before we deployed RSA Archer, we were living in a world of slide decks and spreadsheets. We are a global organization with global challenges, and yet were trying to use a common IT-controlled framework. So the question that we had was, were we implementing our controls consistently? Were we able to measure our compliance consistently? Were we able to make sure that we had the same processes being rolled out globally? We needed a common platform that worked across multiple businesses and multiple geographies.

What is the typical GRC process now that you have implemented RSA? The first thing that we do is to interact with business owners to really understand what the risk is of a particular application or service being lost in terms of integrity, availability, and confidentiality. Once they really understand that risk, we then identify the controls that are required to mitigate that risk. We then move into a compliance function that asks, did you implement those controls effectively?

Following the deployment of the RSA solutions, does your GRC strategy now provide a competitive differentiator for Shell? I believe the strategy that we now have around GRC really does make a difference in terms of Shell getting into new organizations, new adventures and new joint ventures, because we're able to demonstrate to the business or a potential business operator that we are in control. We can show them what we're doing not just in terms of controls and risk, but also in terms of the work that we're doing, in terms of security, threats and vulnerabilities and incident management. Having that whole suite of applications and being able to look at the whole GRC end-to-end, really is a competitive advantage.

So how does your GRC strategy align with your business plan now? We’re actually moving Archer into the hands of our project management community. Given the size and scale of our organization, we literally have thousands of IT projects and so we’re introducing RSA Archer to project managers. The day they walk in the door and are told ‘this is your new project’, they can do their business impact assessments and leverage work flow to contact our risk and control staff to review the work that they've done. This way, they can better understand the risks. They can take controls that have been agreed at an enterprise level and, using Archer, bring them straight into their project.

What's been the measurable impact to your business from standardizing your GRC strategy around RSA? If I think about some of the metrics that we've been able to capture associated with the implementation of RSA, there's a pretty long list actually. It's issues associated with efficiency and effectiveness, first of all. It's issues around standard processes. But more specifically, we've been able to save money because we've been able to conduct offshore testing. We've been able to have third parties come in and look at our evidence.

To view the full video interview, Click Here.