GRC’s Positive Impact on Internal Control Management User Experience Innovation in Workiva Wdesk


Page 1: GRC’s Positive Impact on Internal Control Management User ... · Change Is the Greatest Challenge Impacting GRC and Internal Controls contact Carole S. Switzer cswitzer@oceg.org


2 © 2015, all rights reserved, www.GRC2020.com

Today’s Presenters

Joe Howell, Co-founder and Executive Vice President, Workiva

Michael Rasmussen, GRC Pundit, GRC 20/20 Research, LLC

Jeramie Taylor, Internal Controls Manager, Energy Company


–  Current challenges

–  The need for GRC solutions for internal control management

–  How companies are benefiting

–  Your questions

Overview


Jeramie Taylor, Internal Controls Manager, Energy Company


Why did you create a category for innovation in user experience for internal control management? Why is this important to practitioners?


The Line of Business Is Frustrated With the Barrage of Internal Controls

[Figure labels: Operational Unit (×4); Changing business, risk, and regulatory environments; Board; Line of Business Management; Employees; Control (repeated many times)]


Organizations are burdened by manual ad hoc processes to document, manage, and attest to internal controls.

This involves being overwhelmed with emails and documents — leading to, in varying degrees…

•  Excessive emails, documents, and paper trails

•  Poor visibility & reporting

•  Files and documents out of sync

•  Wasted resources and spending

•  Overwhelming complexity

•  No accountability

The Hydra of Inefficiency


The Winchester Mystery House

•  160 rooms

•  47 fireplaces

•  6 kitchens

•  10,000 windows

•  65 doors to blank walls

•  13 staircases abandoned

•  25 skylights — in floors

•  147 builders/no architects

•  Built without a blueprint

•  $5.5 million over 38 years

. . . Confusing User & Employee Experience


Why Documents, Spreadsheets & Email Fail at Internal Control Management

NO AUDIT TRAIL

•  Documents, spreadsheets, and emails alone do not have inherent audit trails.

•  An organization cannot state with certainty that answers to an assessment represent the actual, unaltered, and authenticated answer to that control assessment, attestation, or audit.

SLIPPING THROUGH CRACKS

•  There is no structure of required workflow and task management.

•  People fire off emails asking for assessments in spreadsheets and documents and no one gets it done.

EASY TO MANIPULATE

•  It is a simple task for anybody to go back and manipulate responses to paint a rosier picture to get themselves, someone else, or the organization out of hot water.

NO CONSISTENCY

•  It is hard to make control assessments, surveys, attestations, and other GRC related information consistent.

•  Different documents and spreadsheets are formatted in different ways and each requires its own learning curve.

COMPILATION NIGHTMARES

•  With hundreds to thousands of documents used for internal control management, organizations are struggling with compiling reports.

•  Significant time needed to integrate and compile information from a mountain of documents, spreadsheets, and emails.

COMPILATION ERRORS

•  All the work compiling and integrating hundreds to thousands of documents, spreadsheets, and emails for GRC is inevitable failure—odds are there is something wrong.

•  Manual reconciliation is bound to have errors.


. . . And We Hope Nothing Fails

•  Inability to gain clear view of control dependencies;

•  High cost of consolidating control information;

•  Difficulty maintaining accurate control information;

•  Failure to trend across control assessment periods;

•  Redundant approaches limit correlation, comparison and integration of control & risk information; and

•  Lack of agility to respond timely to changing risks, regulations, laws, and situations.


You make the statement that GRC approaches are cumbersome—in what way?


Are You Truly Aware of Your Risks?

“Never in all history have we harnessed such formidable technology. Every scientific advancement known to man has been incorporated into its design. The operational controls are sound and foolproof!”

—E.J. Smith, Captain of the Titanic


Change Is the Greatest Challenge Impacting GRC and Internal Controls

Contact Carole S. Switzer cswitzer@oceg.org for comments, reprints or licensing requests ©2012 OCEG visit www.oceg.org for other installments in the Anti-Corruption Illustrated Series

External Risk Change: Monitor change in the external risk environment to determine how uncertainty in economic, geo-political, environmental, industry, societal, and market forces affect current and needed policies.

[Figure labels: Market Forces; Industry; Technology; Competitive Forces; Geo-Political; Societal Forces]

Internal Risk/Business Change: Monitor changes to the internal environment to identify how changes to strategy, mergers & acquisitions, processes, technology, business relationships, and employees affect current and needed policies.

[Figure labels: Mergers & Acquisitions; Strategy; Processes; IT; Employees; Financial Position; Business Relationships]

Regulatory/Legal Change: Monitor change in the legal and regulatory environment to determine how pending legislation, court decisions, new/changing regulations, and enforcement actions affect current and needed policies.

[Figure labels: Court Rulings; Enforcement; Legislation; Regulations; Monitor]


Regulatory Activity in Financial Services Tracked 2008 to 2015

[Chart: Regulatory Activity Tracked 2014-15]

*Note: Tracked activity includes document changes, announcements, and enforcements by regulators. Average Daily Alerts = Total Alerts Year-on-Year / 261 Working Days


What do you see practitioners doing to address these GRC problems?


GRC is a capability that enables an organization to:

G) reliably achieve objectives

R) while addressing uncertainty and

C) act with integrity.

OCEG GRC Capability Model


GRC Capability Model v3.0 – Iterative Cycles of Change & Improvement

•  What – has to be done?

•  Who – is going to do it?

•  Why – does he/she do it?

•  How – will it be done?

•  When – will it be done?

•  Where – will it be done?

•  Why – is it done like this?

KAI “CHANGE”

ZEN “GOOD”


GRC Technology Provides Automation and Tracking

Contact Carole S. Switzer cswitzer@oceg.org for comments, reprints or licensing requests ©2012 OCEG visit www.oceg.org for other installments in the Policy Management Illustrated Series

MANAGING EXCEPTIONS

• Policy implementation and/or enforcement is not always possible. Exceptions can happen when the organization cannot comply with a policy, when the policy is too subjective, or requires excessive clarification.

• Organizations need processes to authorize, track, monitor and review exceptions.

• Those who authorize exceptions must have sufficient authority. Limits should be set so exceptions are regularly reviewed and not granted for extended or unreasonable time periods.

• Exceptions must be documented and available to auditors and regulators upon request. Organizations that demonstrate clear procedures for policy exception management are also better able to defend their policy management processes.

• Organizations should institute compensating controls as part of exception approval until policy revisions are made or the organization is brought into full compliance.

COLLABORATION


Archive and History

Every policy and its past revisions must be archived for referral at a later time. When an organization experiences an incident or is examined by an external auditor or regulator, it is often necessary to provide positive evidence of policy compliance. Preserving a full view of the policy history and audit trail (including key data points such as the owner, who read it, who was trained, acceptance acknowledgements and dates for specific policy versions) will help assert an accurate and complete policy control environment is operating effectively.

AUDIT TRAIL


4 IMPLEMENT & ENFORCE: Even with good communication, policies aren’t always followed. Implement controls that enable enforcement. Monitor those controls for effectiveness and adherence. Document and remediate violations, while considering what policy improvements should be made.

NUMBER OF FAILURES:3 POLICY VIOLATIONS:0 EXCEPTIONS AND DEVIATIONS

I haven’t seen any violations.

This needs to be done differently.

ENFORCEMENT


Policy Maintenance Checklist

Measure and Re-evaluate

Frequent changes to policies should not be necessary in a healthy policy environment. Active diligence through regular review cycles will ensure policies remain appropriate and aligned to organizational needs and help minimize unnecessary exposure and liability. Policies found to be out of date should be revised or retired.

MANAGEMENT REPORTING


Metrics

Metrics can provide a solid foundation for continuously refining the organizational policy program. The right metrics will help ensure policies are effective at establishing desired behaviors efficiently, and agile enough to accommodate the demands of a dynamic and distributed business environment.

WORKFLOW & TASKS


Integration: Policy communication and training technologies need to integrate into the larger business environment - such as with HR systems to gain access to employee lists to properly target and communicate policies.

Visibility: Policy communication and training technologies need to be user friendly and intuitive so that users of varying degrees of capabilities can use the system and understand the policy.

Global Reach: Policy communication and training technologies should have the proper capabilities to meet the language and geographic needs of the organization.

Availability: Policy communication and training technologies need to be accessible across the business and often business relationships so that anyone associated with the organization can easily access the policy and associated training.

THE BENEFIT OF TECHNOLOGY

Technology is the backbone for the implementation of the policy, training and communications plan.

THE BENEFITS OF TECHNOLOGY

Repository: Technology enables policy implementation and enforcement by creating a repository of all policies, procedures, and controls that are cross-referenced with one another and not treated as isolated documents.

Consistency: Technology creates a consistent environment to conduct assessments, track issues of non-compliance, and take corrective actions. Technology allows organizations to more easily and efficiently manage its hundreds to thousands of individual documents especially during audits and assessments.

Accountability: Technology provides for a complete picture and defensible audit trail of the ‘who, what, when, where, how and why’ including the role and actions of each individual.

Automation: Technology enables the automation of workflows and tasks to complete audits and assessments related to policy compliance. No longer is the organization encumbered by unanswered or lost emails or documents that are out of sync.


Power of Control Integration Drives GRC Intelligence

REGULATIONS & OBLIGATIONS

RISK & ANALYSIS

OBJECTIVES & GOALS

INCIDENTS & ISSUES

ASSETS & RELATIONSHIPS

POLICIES & TRAINING

CONTROLS & ASSESSMENT

ROLES & RESPONSIBILITIES

©2012 OCEG, Permission by OCEG is required for reproduction and/or use of material www.OCEG.org -- Derived from the OCEG GRC Illustrated Series

BENEFITS

process optimization: All non-value-added activities are eliminated and value-added activities are streamlined to reduce lag time and undesirable variation.

better capital allocation: Identifying areas where there are redundancies or inefficiencies allows financial and human capital to be allocated more effectively.

higher quality information: Integrating GRC information allows management to make more intelligent decisions, more rapidly.

protected reputation: Reputation is protected and enhanced because risks are managed more effectively.

improved effectiveness: Overall effectiveness is improved as gaps are closed, unnecessary redundancy is reduced, and GRC activities are allocated to the right individuals and departments.

reduced costs: Reduced costs help to improve return on investments made in GRC activities.


Current Level of GRC Integration Across Organization

1 The more integrated, the more consistent in how GRC needs are addressed in different areas of concern.

2 The more integrated, the more confident about management of risk and compliance.

3 The more integrated, the more confident about performance and ability to audit performance, risk and compliance.

4 The more integrated, the more confident about having the right metrics to get clear views about performance, risk and compliance.

5 The more integrated, the more business units feel they give the right amount of information to strategic decision-makers and the board.

6 The more integrated, the more respondents select positive terms to describe metrics they use.

The Value of Integrated GRC

SOURCE: OCEG & GRC 20/20 2014 GRC Maturity Survey, data is from 190 respondents from organizations with 500+ employees.


To Enable Organizations to Be . . .

1. Aware

•  Have a finger on the pulse of business

•  Watch for change in internal & external environment

•  Turn data into information that can be, and is, analyzed

•  Share information in every relevant direction

2. Aligned

•  Support and inform business objectives

•  Continuously align objectives and operations to risk of the entity

•  Give strategic consideration to information from risk management enabling appropriate change

3. Responsive

•  You can’t react to something you don’t sense

•  Gain greater awareness and understanding of information that drives decisions and actions

•  Improve transparency, but also quickly cut through the morass of data to what you need to know to make the right decisions

4. Agile

•  More than fast, nimble

•  Being fast isn’t helpful if you are headed in the wrong direction

•  Risk mgmt enables decisions and actions that are quick, coordinated, and well thought out

•  Agility allows an entity to use risk to its advantage, grasp strategic opportunities, and be confident in its ability to stay on course.

5. Resilient

•  Be able to bounce back quickly from changes in context and threats with limited business impact

•  Have sufficient tolerances to allow for some missteps

•  Have confidence necessary to rapidly adapt and respond to opportunities

6. Lean

•  Build the muscle, trim the fat

•  Get rid of expense from unnecessary duplication, redundancy, and misallocation of resources within the risk management

•  Lean the organization overall with enhanced capability and related decisions about application of resources


Case Study in Effective Internal Control Management

In a report in November 2012, the DOJ and SEC stated they:

“have often encountered companies with compliance programs that are strong on paper but that nevertheless have significant . . . violations because management has failed to effectively implement the program even in the face of obvious signs of corruption.”

POINT: Regulators are tired of paper-based compliance programs that look good on paper but fail in operations and employee engagement.


When you saw Wdesk, what stood out to you right away as the biggest and most valuable things that set Wdesk apart from other GRC solutions/platforms?


INNOVATOR

2015

•  The Wdesk platform by Workiva is a GRC solution that GRC 20/20 has researched, evaluated, and reviewed with organizations that are using it in dynamic business environments.

•  GRC 20/20 has evaluated and verified the innovation found in Wdesk and sees this as a compelling offering for internal control management. With an intuitive and engaging user experience, Wdesk makes organizations more efficient, effective, and agile.

•  In this context, GRC 20/20 has recognized Wdesk with a 2015 GRC Innovation Award for the best user experience in Internal Control Management in 2015.

What the Wdesk Platform by Workiva Innovation Is About . . .


Capabilities of Wdesk Platform by Workiva

1 Task Management

2 Audit Trail & Evidence Management

3 Data Collection

4 Flowcharts

5 Visualizations

6 Dashboards

7 Cellular Audit Trail

8 Out-of-the-Box Templates

9 Mobility

10 Collaborative


GRC 20/20 Value Trajectory of Wdesk Platform by Workiva

•  Security of data & information

•  Increase productivity

•  Time to value and continued value

•  Maintaining data integrity across platforms & documents

•  Review process

•  Document centric experience


Characteristics of GRC Solution Maturity Enablement

[Chart: vertical axis "Strategic Effectiveness"; horizontal axis "Maturity of the Program Enabled by Information & Technology Architecture"; stage labels: Fragmented, Managed, Agile]

•  Automating and streamlining individual requirements or risks

•  Siloed, Fragmented Information. Manual Processes, Documents, Spreadsheets & Email, Cumbersome

•  Streamlining individual functions / departments with department level processes and analytics that addresses a range of risk and compliance areas in context of the department / function.

•  Cross-department collaboration, sharing of information, and 360° contextual awareness of risk and compliance in context of the organization


Questions? Michael Rasmussen, J.D. The GRC Pundit & OCEG Fellow [email protected] +1.888.365.4560

Some of the content we have evaluated is OCEG content which GRC 20/20 has an established relationship to use. Please do not copy slides or graphics without permission. GRC 20/20 highly recommends you consider OCEG membership at www.OCEG.org.

GRC 20/20 Newsletter

LinkedIn: GRC 20/20

Blog: GRC Pundit

Twitter: GRCPundit

LinkedIn: Michael Rasmussen


Dare to think differently

“Any intelligent fool can make things bigger, more complex and more violent. It takes a touch of genius – and a lot of courage to move in the opposite direction.”

Albert Einstein or E.F. Schumacher.