Your Map to a Thriving Integrated Risk Program: A Maturity Model for Connectivity, Communication, and Trust

Your Map to a Thriving Integrated Risk Program · risk and compliance in your organization, there is always room to grow. The further you progress along the spectrum of risk and compliance



Connected reporting and compliance is radically changing the way organizations gather, manage, and apply their data. When teams connect their risk and compliance work, they eliminate the barriers to information, improve communication between functions, and place key data in a single place, so it’s more accessible and useful.

But connectivity isn’t a binary “on” or “off” switch—there is a spectrum. Whether you have yet to take the first step toward a connected compliance process or there is a fully baked, connected ecosystem of risk and compliance in your organization, there is always room to grow.

The further you progress along the spectrum of risk and compliance maturity, the more trusted you are as a business advisor, and the more confident you’ll be in your data.

Use the guidance in the following pages to judge how mature your team’s function and processes are, learn where you are at on the scale, and build a plan for advancing to the next stage.

[Figure: maturity curve. Horizontal axis: Connectivity across people, data, and processes. Vertical axis: Maturity of the function. Stages: Reacting, Discovering, Performing, Advising, Transforming.]

If you don’t know where you’re going, how will you know when you’re there?


Risk, control, and compliance work is executed on their own islands, with limited involvement from other parts of the organization. Vital reports and documents are delivered just under the wire. Deadlines drive everything, and there is seldom time for critical analysis outside of day-to-day work.

Signs your team might be in this stage

1. Creating ad hoc reports results in a massive headache and a flurry of cutting and pasting data from other sources

2. Triple-checking the accuracy of shared documents immediately after hitting send

3. Spending significant time putting out fires stemming from incorrect data

4. Spending more than half of your week on SOX compliance work, resulting in less time spent on noncompliance risk advisory

Stage 1 | Reacting

[Figure: Stage 1 diagram; label: Report]


What’s going on with people

Team collaboration

Teams feel siloed across departments/locations. It’s common for duplicate requests to be sent across departments.

Business influence and visibility

Little to no time is spent advising management on risk-based business decisions. The majority of teams’ time is allocated to compliance audits.

Defined roles and responsibilities

No defined responsibilities to business owners, resulting in low engagement from business stakeholders. Significant follow-up and manual response tracking needed across internal and external teams.

What’s going on with processes

Connectivity

Data systems, documents, and teams are disconnected and lack any relationship to one another.

Automation

No automation. Teams are reliant on manual ad hoc communication to meet deadlines and create deliverables. Teams spend significant time putting out fires and keeping pace with compliance efforts.

Documentation

No formal risk assessment process established. Process narratives are in danger of being outdated. Process flowcharts are nonexistent or in early creation. Some policies exist, but informally.

What’s going on with technology

Modernization

Reliant on desktop files and on email communication. Some key documents are printed to share.

Data integrity and accessibility

Risk and control data lives in multiple locations and is difficult to access. Data is on premises, on desktops, and in files attached to emails. Data formatting is variable across teams, files, and versions.

Reporting capability

Reporting processes are re-created each time a deliverable is needed. Teams are reliant upon multiple data sources and copy and paste to create presentations.

How to advance

+ Do a quick assessment with your team—where is significant time being spent, and what activities are not adding real value?

+ Identify key documents and files that are accessible by multiple departments

+ Take inventory of existing policies that tie to key controls

+ Establish a base risk assessment related to financial reporting


There’s a realization among teams that the current processes aren’t scalable, and they are researching solutions and tools to remedy the situation. Teams want to execute work in advance—rather than right before the buzzer—but aren’t quite sure how to do that.

Signs your team might be in this stage

1. You still produce ad hoc reports (e.g., audit committee reports) with little to no automation involved

2. Up-to-the-minute status reporting is out of reach, despite work being centralized on a shared drive

3. Tasks (such as risk assessments) are being completed, but they’re done as a mandated necessity, not to uncover organizational benefits

Stage 2 | Discovering

[Figure: Stage 2 diagram; labels: Shared drive, Desktop folder, Desktop folder, Printed copy]


What’s going on with people

Team collaboration

Some cross-team collaboration on documents, but still largely siloed.

Business influence and visibility

Most time is allocated to compliance audits, but exploring special projects to prioritize later on. Some time spent consistently advising management, but not a significant amount.

Defined roles and responsibilities

Loosely defined responsibility, with some engagement from business stakeholders. Some follow-up is necessary to collect and track responses and share with external teams.

What’s going on with processes

Connectivity

Documents may be centralized, but data relationships and source systems are still disconnected.

Automation

Documents are centralized with some built-in workflow, but tracking responses from business owners and creating reports are still manual processes.

Documentation

Narratives and flowcharts have recently been updated. Risk assessment is formalized, but more reflexive than effective for the organization. Considering formal policy management.

What’s going on with technology

Modernization

Using a central document repository, such as a shared drive. Potential investment in a technology point solution, but few features are used.

Data integrity and accessibility

Some data lives on the cloud, accessible for some team members. There’s no visibility into data changes over time, with outdated or inaccurate figures.

Reporting capability

Reports are produced via manual and time-consuming methods. Reported data is often outdated by the time it is shared with stakeholders.

How to advance

+ Create a working group across key teams to establish required capabilities for a technology solution

+ Evaluate risk assessments, gather stakeholder feedback, and broaden your scope toward an enterprise view

+ Establish a process for regular review and to update key policies and procedures


The clouds are clearing, and there’s greater visibility into risk coverage, process automation, and how teams accomplish their work. Technology has helped people, processes, and data become more connected, but there’s room to grow.

Signs your team might be in this stage

1. You’re using information from dashboards, rather than scouring spreadsheets, for reporting updates and root-cause analysis

2. SOX compliance has become easier, and you have some time-savings to show for it

3. Control owners and process owners are more involved and engaged with your team’s work

Stage 3 | Performing

[Figure: Stage 3 diagram; labels: Team A, Team B, Team C, System, Silo]


What’s going on with people

Team collaboration

Cross-team communication is streamlined and centralized, and most teams are participating.

Business influence and visibility

More time and emphasis is spent on advising management on risk-based business decisions. Time is split 50/50 across compliance vs. operational audits.

Defined roles and responsibilities

Defined roles and responsibilities for business stakeholders, core teams, and external parties. Business stakeholders engage with risk teams, with little to no follow-up necessary to collect responses.

What’s going on with processes

Connectivity

Key processes are centralized with connected data, documents, and teams. Some work is still conducted outside of the system, and source systems are disconnected.

Automation

Technology helps automate the communication across teams and the housing of all key data and documents. Simple, canned reporting can be utilized.

Documentation

Updates to risk-control libraries automatically flow to narratives and flowcharts. Risk assessments are formalized, and routine review of policies is established.

What’s going on with technology

Modernization

The organization has purchased technology and has adopted many of its features or solutions.

Data integrity and accessibility

Most data lives on the cloud. Risk and control data formats have become standardized across usages, and teams gain visibility into changes with a detailed history. Some tailoring of data via permissions is available.

Reporting capability

Canned, automated reports from technology for reporting updates and root-cause analysis are utilized.

How to advance

+ Identify recurring reporting deliverables and key data used within them

+ Evaluate data source systems and key datasets to automate data feed

+ Identify siloed reporting still done across multiple technologies, outside of purchased technology solution


Signs your team might be in this stage

1. Real-time data, risk dashboards, or automated reports can be delivered to committees, executive management, or other teams

2. That “other projects/audits” list is finally getting shorter

3. You’re able to provide better insight—and more of it—to your business on root-cause reasons

4. You are involved in new acquisition evaluation

As teams automate work, they grow stronger—and the organization notices. With more bandwidth to proactively mitigate risks, risk and compliance teams can make vital recommendations to the organization.

Stage 4 | Advising

[Figure: Stage 4 diagram; labels: Source system, Data, Report]


What’s going on with people

Team collaboration

All team communication is centralized and visible across departments and locations.

Business influence and visibility

Significant time is spent advising management and the audit committee on risk-based business decisions. Some time is spent conducting root-cause analysis.

Defined roles and responsibilities

Responsibilities are clear and communicated across all teams. Full engagement and influence from business stakeholders. Streamlined communication with external teams.

What’s going on with processes

Connectivity

Data, documents, and teams are connected in one system where relationships exist and are visible. However, some data is manually transferred between systems for reporting.

Automation

Automation of some repetitive or manual control processes is in place. APIs connect data between systems. Real-time reports are available for presenting status and results to executive committees.

Documentation

A formal ERM program has been implemented, identifying duplicate effort across risk identification processes.

What’s going on with technology

Modernization

Optimizing the full offering of purchased technology. More teams and departments now have the access they need to collaborate.

Data integrity and accessibility

Reported data has lineage to its original source, including a full history of data changes. Data is up to date and consistent across all usages.

Reporting capability

Reporting is conducted across functional areas—compliance audits, operational audits, and others.

How to advance

+ Secure management support and buy-in for the vision and impact to the business

+ Assess the degree of collaboration across three lines of defense

+ Seek guidance from peers or industry advisors on how to best optimize your available data feeds


Signs your team might be in this stage

1. You receive regular management or audit committee requests for advice

2. Evaluating and executing long-term plans is the status quo, and teams can allot for future risk factors

3. Teams are completely confident in the integrity of their data and put data to use when making large, impactful decisions

This is the pinnacle of risk and compliance. Teams are trusted for their knowledge of risk throughout the organization, and they’re often tapped as an internal resource for identifying business opportunities. Whichever objectives teams set out to achieve, they are able to meet.

Stage 5 | Transforming

[Figure: Stage 5 diagram; labels: Source systems (ERP, CRM, GRC), Data, Report, Dashboard]


What’s going on with people

Team collaboration

Fully integrated cross-functional teams benefit from real-time, centralized collaboration. Work is optimized with no duplicate requests.

Business influence and visibility

Teams are often tapped for recommendations, and are recognized as a regular strategic partner. More advisory audits are being conducted.

Defined roles and responsibilities

Proactive communication across business stakeholders, core teams, and external parties. Real-time identification and communication around risk, processes, and control updates.

What’s going on with processes

Connectivity

Data source systems are now fully connected. A single system to identify, evaluate, and report on risk.

Automation

Analytics with an automatic, continuous data feed are used to drive value and business decisions. Teams have the ability to actively monitor risk.

Documentation

The ERM program is linked to a central risk and control repository. Risk assessments are consolidated across teams and connected to relevant controls and policies.

What’s going on with technology

Modernization

Real-time data is used to drive key business decisions. Teams are able to access an updated view of risk management across the enterprise.

Data integrity and accessibility

Confidence in data integrity is high, data is connected with controlled access across the organization, and actionable intelligence can be derived from data.

Reporting capability

APIs are used heavily to connect all source systems for centralized reporting of key enterprise risk data to executive management, audit committees, et al.


[Figure: maturity curve. Horizontal axis: Connectivity across people, data, and processes. Vertical axis: Maturity of the function. Stages: Reacting, Discovering, Performing, Advising, Transforming.]

Connected processes, mature organizations

The push for connectivity has never been stronger. Today’s overtaxed teams demand increased levels of digitization and automation. They need to be able to follow data from origin to destination, from source to the final report. As connections are made, your organization is mobilized to better communicate, manage, and analyze the risk you’re facing on a daily basis.

Connected reporting and compliance is a fresh approach to your risk and controls environment. By placing connected data at the core, you create a single source of record to ensure consistency across all usages. When data is connected, teams can identify, assess, evaluate, and report on risk and controls across key functions—such as SOX compliance, internal audit, enterprise risk management, and policies and procedures management—more efficiently than ever before.

While technology alone does not change processes, when correctly implemented, it is a valuable push toward the success of teams and the viability of the risk and compliance function for decades to come.


About Workiva

Workiva, provider of the world’s leading connected reporting and compliance platform, is used by thousands of enterprises across 180 countries, including more than 75 percent of Fortune 500® companies, and by government agencies. Our customers have linked over five billion data elements to trust their data, reduce risk, and save time. For more information about Workiva (NYSE:WK), please visit workiva.com.

The information contained herein is proprietary to Workiva and cannot be copied, published, or distributed without express prior written consent. Copyright 2019 Workiva Inc. Workiva is a registered trademark of Workiva Inc. All rights reserved.