Your Map to a Thriving Integrated Risk Program
A Maturity Model for Connectivity, Communication, and Trust
Connected reporting and compliance is radically changing the way organizations gather, manage, and apply their data. When teams connect their risk and compliance work, they eliminate the barriers to information, improve communication between functions, and place key data in a single place, so it’s more accessible and useful.
But connectivity isn’t a binary “on” or “off” switch—there is a spectrum. Whether you have yet to take the first step toward a connected compliance process or your organization already has a fully baked, connected ecosystem of risk and compliance, there is always room to grow.
The further you progress along the spectrum of risk and compliance maturity, the more you are trusted as a business advisor, and the more confident you’ll be in your data.
Use the guidance in the following pages to judge how mature your team’s function and processes are, learn where you sit on the scale, and build a plan for advancing to the next stage.
[Figure: maturity curve plotting maturity of the function against connectivity across people, data, and processes, through five stages: Reacting, Discovering, Performing, Advising, Transforming]
If you don’t know where you’re going, how will you know when you’re there?
Stage 1 | Reacting
Risk, control, and compliance work is executed on its own island, with limited involvement from other parts of the organization. Vital reports and documents are delivered just under the wire. Deadlines drive everything, and there is seldom time for critical analysis outside of day-to-day work.
Signs your team might be in this stage
1. Creating ad hoc reports results in a massive headache and a flurry of cutting and pasting data from other sources
2. Triple-checking the accuracy of shared documents immediately after hitting send
3. Spending significant time putting out fires stemming from incorrect data
4. Spending more than half of your week on SOX compliance work, resulting in less time spent on noncompliance risk advisory
What’s going on with people
Team collaboration
Teams feel siloed across departments/locations. It’s common for
duplicate requests to be sent across departments.
Business influence and visibility
Little to no time is spent advising management on risk-based business
decisions. The majority of teams’ time is allocated to compliance audits.
Defined roles and responsibilities
No defined responsibilities to business owners, resulting in low
engagement from business stakeholders. Significant follow-up and
manual response tracking needed across internal and external teams.
What’s going on with processes
Connectivity
Data systems, documents, and teams are disconnected and lack any
relationship to one another.
Automation
No automation. Teams are reliant on manual ad hoc communication to meet deadlines and create deliverables. Teams spend significant time putting out fires and keeping pace with compliance efforts.
Documentation
No formal risk assessment process established. Process narratives are in danger of being outdated. Process flowcharts are nonexistent or in early creation. Some policies exist, but informally.
What’s going on with technology
Modernization
Reliant on desktop files and on email communication. Some key documents are printed to share.
Data integrity and accessibility
Risk and control data lives in multiple locations and is difficult to access. Data is on premises, on desktops, and in files attached to emails. Data formatting is variable across teams, files, and versions.
Reporting capability
Reporting processes are re-created each time a deliverable is needed.
Teams are reliant upon multiple data sources and copy and paste to
create presentations.
How to advance
+ Do a quick assessment with your team—where is significant time being spent, and what activities are not adding real value?
+ Identify key documents and files that are accessible by multiple departments
+ Take inventory of existing policies that tie to key controls
+ Establish a base risk assessment related to financial reporting
Stage 2 | Discovering
There’s a realization among teams that the current processes aren’t scalable, and they are researching solutions and tools to remedy the situation. Teams want to execute work in advance—rather than right before the buzzer—but aren’t quite sure how to do that.
Signs your team might be in this stage
1. You still produce ad hoc reports (e.g., audit committee reports) with little to no automation involved
2. Up-to-the-minute status reporting is out of reach, despite work being centralized on a shared drive
3. Tasks (such as risk assessments) are being completed, but they’re done as a mandated necessity, not to uncover organizational benefits
[Figure: stage 2 connectivity, with documents spread across a shared drive, desktop folders, and printed copies]
What’s going on with people
Team collaboration
Some cross-team collaboration on documents, but still largely siloed.
Business influence and visibility
Most time is allocated to compliance audits, but teams are exploring special projects to prioritize later. Some time is spent consistently advising management, but not a significant amount.
Defined roles and responsibilities
Loosely defined responsibility, with some engagement from business
stakeholders. Some follow-up is necessary to collect and track responses
and share with external teams.
What’s going on with processes
Connectivity
Documents may be centralized, but data relationships and source systems
are still disconnected.
Automation
Documents are centralized with some built-in workflow, but tracking responses from business owners and creating reports are still manual processes.
Documentation
Narratives and flowcharts have recently been updated. Risk assessment is formalized, but more reflexive than effective for the organization. Considering formal policy management.
What’s going on with technology
Modernization
Using a central document repository, such as a shared drive.
Potential investment in a technology point solution, but few
features are used.
Data integrity and accessibility
Some data lives in the cloud, accessible to some team members. There’s no visibility into data changes over time, leading to outdated or inaccurate figures.
Reporting capability
Reports are produced via manual and time-consuming methods. Reported
data is often outdated by the time it is shared with stakeholders.
How to advance
+ Create a working group across key teams to establish required capabilities for a technology solution
+ Evaluate risk assessments, gather stakeholder feedback, and broaden your scope toward an enterprise view
+ Establish a process for regular review and updating of key policies and procedures
Stage 3 | Performing
The clouds are clearing, and there’s greater visibility into risk coverage, process automation, and how teams accomplish their work. Technology has helped people, processes, and data become more connected, but there’s room to grow.
Signs your team might be in this stage
1. You’re using information from dashboards, rather than scouring spreadsheets, for reporting updates and root-cause analysis
2. SOX compliance has become easier, and you have some time savings to show for it
3. Control owners and process owners are more involved and engaged with your team’s work
[Figure: stage 3 connectivity, with Team A, Team B, and Team C working in a shared system while one silo remains outside it]
What’s going on with people
Team collaboration
Cross-team communication is streamlined and centralized, and most
teams are participating.
Business influence and visibility
More time and emphasis are spent advising management on risk-based business decisions. Time is split 50/50 between compliance and operational audits.
Defined roles and responsibilities
Defined roles and responsibilities for business stakeholders, core teams,
and external parties. Business stakeholders engage with risk teams, with
little to no follow-up necessary to collect responses.
What’s going on with processes
Connectivity
Key processes are centralized with connected data, documents, and
teams. Some work is still conducted outside of the system, and source
systems are disconnected.
Automation
Technology helps automate the communication across teams and housing
of all key data and documents. Simple, canned reporting can be utilized.
Documentation
Updates to risk-control libraries automatically flow to narratives and flowcharts. Risk assessments are formalized, and routine review of policies is established.
What’s going on with technology
Modernization
The organization has purchased technology and has adopted many of its
features or solutions.
Data integrity and accessibility
Most data lives in the cloud. Risk and control data formats have become standardized across usages, and teams gain visibility into changes with a detailed history. Some tailoring of data via permissions is available.
Reporting capability
Canned, automated reports from technology for reporting updates
and root-cause analysis are utilized.
How to advance
+ Identify recurring reporting deliverables and the key data used within them
+ Evaluate data source systems and key datasets to automate data feeds
+ Identify siloed reporting still done across multiple technologies, outside of the purchased technology solution
Signs your team might be in this stage
1. Real-time data, risk dashboards, or automated reports can be delivered to committees, executive management, or other teams
2. That “other projects/audits” list is finally getting shorter
3. You’re able to provide better insight—and more of it—to your business on root-cause reasons
4. You are involved in new acquisition evaluation
Stage 4 | Advising
As teams automate work, they grow stronger—and the organization notices. With more bandwidth to proactively mitigate risks, risk and compliance teams can make vital recommendations to the organization.
[Figure: stage 4 connectivity, with data flowing from a source system into reports]
What’s going on with people
Team collaboration
All team communication is centralized and visible across departments
and locations.
Business influence and visibility
Significant time is spent advising management and the audit committee
on risk-based business decisions. Some time is spent conducting
root-cause analysis.
Defined roles and responsibilities
Responsibilities are clear and communicated across all teams. Full
engagement and influence from business stakeholders. Streamlined
communication with external teams.
What’s going on with processes
Connectivity
Data, documents, and teams are connected in one system where
relationships exist and are visible. However, some data is manually
transferred between systems for reporting.
Automation
Automation of some repetitive or manual control processes is in place. APIs connect data between systems. Real-time reports are available for presenting status and results to executive committees.
Documentation
A formal ERM program has been implemented, identifying duplicate effort across risk identification processes.
What’s going on with technology
Modernization
Optimizing the full offering of purchased technology. More teams and
departments now have the access they need to collaborate.
Data integrity and accessibility
Reported data has lineage to its original source, including a full history of
data changes. Data is up to date and consistent across all usages.
Reporting capability
Reporting is conducted across functional areas—compliance audits,
operational audits, and others.
How to advance
+ Secure management support and buy-in for the vision and its impact on the business
+ Assess the degree of collaboration across the three lines of defense
+ Seek guidance from peers or industry advisors on how to best optimize your available data feeds
Signs your team might be in this stage
1. You receive regular management or audit committee requests for advice
2. Evaluating and executing long-term plans is the status quo, and teams can allot for future risk factors
3. Teams are completely confident in the integrity of their data and put data to use when making large, impactful decisions
Stage 5 | Transforming
This is the pinnacle of risk and compliance. Teams are trusted for their knowledge of risk throughout the organization, and they’re often tapped as an internal resource for identifying business opportunities. Whichever objectives teams set out to achieve, they are able to meet.
[Figure: stage 5 connectivity, with ERP, CRM, and GRC source systems feeding data into centralized reports and dashboards]
What’s going on with people
Team collaboration
Fully integrated cross-functional teams benefit from real-time, centralized
collaboration. Work is optimized with no duplicate requests.
Business influence and visibility
Teams are often tapped for recommendations, and are recognized as a
regular strategic partner. More advisory audits are being conducted.
Defined roles and responsibilities
Proactive communication across business stakeholders, core teams, and
external parties. Real-time identification and communication around risk,
processes, and control updates.
What’s going on with processes
Connectivity
Data source systems are now fully connected. A single system to identify,
evaluate, and report on risk.
Automation
Analytics with an automatic, continuous data feed are used to drive value
and business decisions. Teams have the ability to actively monitor risk.
Documentation
The ERM program is linked to a central risk and control repository.
Risk assessments are consolidated across teams and connected to
relevant controls and policies.
What’s going on with technology
Modernization
Real-time data is used to drive key business decisions. Teams are able to
access an updated view of risk management across the enterprise.
Data integrity and accessibility
Confidence in data integrity is high, and data is connected with controlled
access across the organization, and actionable intelligence can be derived
from data.
Reporting capability
APIs are used heavily to connect all source systems for centralized reporting of key enterprise risk data to executive management, audit committees, et al.
Connected processes, mature organizations
The push for connectivity has never been stronger. Today’s overtaxed
teams demand increased levels of digitization and automation. They need
to be able to follow data from origin to destination, from source to the final
report. As connections are made, your organization is mobilized to better
communicate, manage, and analyze the risk you’re facing on a daily basis.
Connected reporting and compliance is a fresh approach to your risk
and controls environment. By placing connected data at the core, you
create a single source of record to ensure consistency across all usages.
When data is connected, teams can identify, assess, evaluate, and report
on risk and controls across key functions—such as SOX compliance,
internal audit, enterprise risk management, and policies and procedures
management—more efficiently than ever before.
While technology alone does not change processes, when correctly
implemented, it is a valuable push toward the success of teams and the
viability of the risk and compliance function for decades to come.
About Workiva
Workiva, provider of the world’s leading connected reporting and compliance platform, is used by thousands of enterprises across 180 countries, including more than 75 percent of Fortune 500® companies, and by government agencies. Our customers have linked over five billion data elements to trust their data, reduce risk, and save time. For more information about Workiva (NYSE:WK), please visit workiva.com.
The information contained herein is proprietary to Workiva and cannot be copied, published, or distributed without express prior written consent. Copyright 2019 Workiva Inc. Workiva is a registered trademark of Workiva Inc. All rights reserved.