A dashboard shows what happened. A digital twin shows what could.

The first version of RAP wasn't a digital twin. It was supposed to be one place where an analytics manager could open VIA, IRL, Symphony, Nexus, Cyber, and Supply Chain — all the EY risk tools they were already using — without re-authenticating, re-orienting, and re-scoping every five minutes. The brief was straightforward: stop the toolchain bleed.

But containers for tools have a property nobody quite planned for. Once you put VIA's output next to IRL's output next to a process map in the same canvas, you stop looking at "tools" — you start looking at an assembled view of the enterprise. Exception data from one tool. Control library from another. Process imprint from a third. Held together by a shared scope ("SOX Audit 1245") and a shared timeframe. The canvas, almost accidentally, was a digital twin.

That's the pivot that defines this case study. RAP was scoped as a UI integration project. It became a model-building project. Solving the fragmentation problem and building the digital twin turned out to be the same problem.

Once that pivot was visible, the design vocabulary changed. We weren't designing a dashboard anymore — we were designing the surface of a probabilistic engine. The interface had to carry uncertainty, support what-if exploration, and earn the user's trust in outputs the user did not personally generate. That's a different design discipline, and it's what this case study is really about.

A risk analyst at the start of a SOX audit has the following on their desk: a SAP transaction extract in one window, EY VIA in a second, the Integrated Risk Library (IRL) in a third, a process map in a fourth, and a spreadsheet pulling it all together in a fifth. Two monitors. Sometimes three. The work isn't analysis — the work is keeping the cross-references aligned across five windows.

This was the day the project started from. The original brief named the pain precisely:

• Background. Analytics managers in risk practices were navigating a fragmented toolchain — VIA for analytics, IRL for the risk library, Symphony for orchestration, plus client-side systems like SAP and Oracle, plus document repositories, plus internal exception trackers. Each tool was good at its job. Together they were a coordination problem. The cognitive load wasn't computation — it was context-switching.
• Problem. No centralised interface that could integrate the disparate analytics tools, automate repetitive tasks, and let users move between scope-setting, analysis, and reporting without losing context. Manual compilation across disparate sources was the norm — increasing cognitive load, raising the likelihood of oversight, and slowing decisions in environments where decision-velocity was the whole point.
• Needs. A unified interface that could hold the tools simultaneously rather than chain them. AI to automate cross-referencing across them. Seamless switching between tools and functionalities. Multi-pane and multi-monitor continuity (risk analysts genuinely work across more than one screen — the product had to respect that). Advanced AI-driven features for predictive analytics and scenario modelling.
• Goal. Build an AI-powered tool that lets analytics managers perform every activity needed for risk assessment within a single, cohesive interface — leveraging AI to automate processes and provide intelligent insights.
• Impact. Less time per assessment. More accurate evaluations. Managers freed to focus on strategic decision-making rather than tool wrangling.

The reframe that changed everything: the integration target wasn't "a unified dashboard." It was a unified model. And the canvas that held multiple tools at once was the substrate that made the model possible.

The first useful piece of research was a framing exercise with the audit and risk team. The questions that surfaced were not about features — they were about epistemology:

• Where is the starting point for analytics going to be in the future? — i.e., the workflow doesn't start with a dataset, it starts with a hypothesis.
• How do auditors actually operate? — They scan for exceptions. Reports either become internal findings (which trigger inquiry) or escalate into formal audits, because auditors look for opportunities to flag exceptions that need to be managed or assured against.
• What's the data lifecycle? — Ingested → quality-checked → identified for risk → processed → consumed.

The synthesis was that risk analytics has three primary entry points — three different epistemic stances — and the product had to support all three from one interface:

1. Source-level exceptions. "I want to analyse risk exceptions at source — by location, process, IT system, document, event/news, finding/evidence."
2. Process-level mapping. "I want to visualise the sequence of events that make up a process and find absence or mis-configuration of transactions inside it — diagnose gaps, unlinked events, broken transaction chains."
3. Document-level evidence analysis. "I want to conduct evidence analysis from financial documents and flag exceptions" — custom analytics over unstructured data.

These are three different ways of asking the same model the same kind of question — what shouldn't be here? The canvas had to support all three; the digital twin had to be queryable along all three axes.

The product had to serve four distinct personas:

• CRO (Chief Risk Officer) — strategic exposure, board-level reporting, what-if scenarios for capital and concentration risk.
• Internal Auditor — exception-hunting at the transactional level, working from a defined audit scope (e.g., "SOX Audit 1245").
• Risk Consultant — designing the analytics, configuring the model, mapping process flows.
• Controls Manager — monitoring control effectiveness, managing the inventory of controls and their statuses.

The temptation in enterprise software is to give each persona their own application. The strategic move with RAP was the opposite: one digital twin, one canvas, one conversational steering interface, persona-specific decision surfaces sitting on top.

The conversational layer absorbed the difference. A CRO asks "What's our concentration risk in the UKI portfolio if regulatory capital tightens?" An Internal Auditor asks "On SOX Audit 1245, flag transactions in the AZ entity that breach materiality." A Controls Manager asks "Which preventive controls have had failed test attempts in the last quarter?" Same engine. Same data topology. Same digital twin. Different questions into it.

The data topology was deliberately polyglot: SAP/Oracle, generic ERP, documents, images, CSV/Excel — because each persona's evidence sat in a different format and the model had to ingest all of it.

Before designing screens, we mapped what the central persona — the Risk Manager — needed the product to be:

• An interface to connect to client data sources — with a local data location where the user can place files and the system checks and updates them automatically.
• A repository of rules that will be utilised for making data consumable — the model's logic, exposed and editable.
• A way to present me information that I need to act on — surface-up, not pull-down.
• A way to enable me to execute the activities needed to assess risks — the simulation can be driven from the interface itself.
• A common interface for accessing different services aligned to business-admin and system-admin needs — i.e., the interface respects roles and entitlements.

Read together, this is a brief for a digital-twin cockpit — not a reporting tool. Connect to my sources, hold the rules, surface what matters, let me act on it, and respect who I am.

Synthesising the working architecture, RAP occupies a position no single EY product had occupied before:

• Below RAP: the client's heterogeneous data topology — SAP, Oracle, generic ERPs, custom systems, documents, CSVs, images.
• Around RAP: the EY risk tool ecosystem — VIA (analytics), IRL (Integrated Risk Library), Symphony (orchestration), Nexus, Cyber, Supply Chain, and others. Each of these is a sophisticated tool in its own right. RAP isn't replacing them — it's hosting them.
• Inside RAP: the digital twin itself — structured data ingestion, unstructured data consumption, a PRC (Process / Risk / Control) taxonomy hierarchy, a control-test and KRI analytics library, self-service workflow, continuous monitoring and dashboards, integrated data services. Wrapped in machine learning, natural language processing, neural networks, and voice-and-document understanding.
• Above RAP: the downstream risk applications that consume the model — Risk and Control Monitor, ICM, Issue Tracker, Reporting/Control Tower — and third-party GRC tools (AuditBoard, Workiva, TeamMate).

The crucial insight: RAP isn't an app. It isn't a dashboard either. It's a host environment. Other tools live inside it. The client's data flows up into it. The downstream apps consume from it. And in the middle of all that — assembled out of the tool outputs that the canvas holds together — sits the digital twin.

Three principles defined it.

The right side of RAP isn't a single tile — it's a tileable workspace that can hold multiple tool surfaces at once. The hi-fi shows two panels rendered side by side (Inherent Risk Map + Risk Relations), but the architecture is generalised: any tool surface that respects the RAP integration protocol can appear here. A VIA exception view. An IRL risk-library lookup. A process map overlay. A document evidence panel. Each one can be summoned by the conversation, pinned, resized, and arranged. The four feature tiles on the home screen (Digital Twin, Data Topology, Process Mapping, Dashboard) aren't four features. They're four entry points to the canvas.

When the user pins "SOX Audit 1245" as a scope chip, every tool surface in the canvas inherits that scope. The VIA panel queries against that audit. The IRL panel filters its risk library to risks relevant to that audit. The process map highlights the in-scope process. The user scopes once; the canvas scopes everywhere. This is the move that turns "tools side by side" into "a coherent view of the enterprise." Without shared scope, multiple panels are just multiple windows in a different shape. With shared scope, the panels stop being separate tools and start behaving like organs of a single body.

Risk analysts work on more than one screen — that's empirically how they operate. The canvas had to follow them. The design allows panels to be popped out of the main RAP window, dragged to a second monitor, and continue receiving scope and conversation updates from the primary session. The analyst's two-monitor setup becomes one logical canvas. A heat map pinned to the secondary monitor stays in sync with a conversation happening on the primary. State doesn't fragment when the workspace physically does.

Why this is the foundation, not a feature: without the canvas, the digital twin has nowhere to live. The "twin" isn't a single visualisation that gets rendered into a tile — it's whatever combination of panels the user has arranged to answer their current question, assembled out of multiple tools, held together by shared scope, and following the user across screens. The canvas is the body of the twin.

The user flow is unusual because the onboarding step is the model-build step. You can't start using RAP without first telling it what to simulate — because the canvas needs to know which tools to load, against which entities, with which data sources mapped.

The flow:

1. Start — sign in.
2. Onboarding client — integrating with the GIS parent-tree structure (the organisational hierarchy of the client).
3. Three parallel admin workspaces must be set up before the canvas can populate:
   • Set up BU / Digital Twin workspace — define the business unit being modelled.
   • Set up Data Topology Mapping workspace — declare what data sources feed the twin.
   • Set up Process Mapping / Process Imprinting workspace — define the process flows and their risk/control overlays.
4. Home Page — the Risk Analytics Intelligent Service Responder (LLM-led). Conversational. Users can ask questions and upload documents to extend the model in flight.
5. Two readiness gates before the canvas can render simulation outputs:
   • Does the system know the events involved in the process risks and controls map?
   • Did the user map the sources / data topology?
6. If YES → the Digital / Heat / Inherent Map renders in the canvas, visualising risk in a structured format based on input criteria from the IRL and the digital twin.
7. If NO → the system asks for the missing inputs before computing.

This looks like an ordinary flow diagram, but it isn't. In a normal app, "missing inputs" is a form-validation problem. In RAP, missing inputs mean the model isn't ready to simulate yet. The decision diamonds aren't UI gates — they're simulation-readiness gates. The interface refuses to lie by computing on insufficient inputs.

A heat map in RAP is not a chart. It's a probability distribution. Every cell encodes severity × likelihood, and the likelihood is computed by the model with confidence bounds. The design question is unforgiving: do you expose the confidence bounds (rigorous, but visually noisy), or collapse them into a single colour (clean, but lies by omission)?

The move: a two-layer visual encoding.

• The dominant colour expresses the expected severity-likelihood product.
• A secondary visual treatment — a stroke weight or an opacity differential — encodes the model's confidence in that estimate.

High-confidence cells read as crisp. Low-confidence cells read as softer-edged. The user learns to scan crispness as a proxy for trustworthiness without having to read confidence intervals. The picture carries the uncertainty.

A what-if scenario is fundamentally a comparison: "If I change X, the heat map shifts like this." The temptation is to redraw the heat map every time the user perturbs an input. The better move is to render the delta — a diff layer over the baseline — so the user can see exactly which cells moved, and by how much.

The flow:

1. User pins a baseline scenario.
2. User perturbs an input (a control is removed; a regulation tightens; a transaction routing changes; a region scales).
3. The system re-runs the simulation against the baseline.
4. The interface overlays the new state with an animated transition.
5. The user can toggle baseline / new-state / diff at any moment.

The user sees the change, not just the result. A heat map that just refreshed silently is a lie of omission. A heat map that animates the delta is an honest answer. And because the canvas can hold multiple panels at once, the baseline and the perturbed state can sit side by side — the user can run two simulations in parallel and read the diff visually rather than computationally.

A model output is not a decision. A cell that reads "high severity, high likelihood, low confidence" doesn't tell a CRO what to do. The interface has to bridge from model output to recommended action.

The move: every elevated risk cell exposes three follow-up actions in a side panel:

• Investigate — drill into the underlying transactions and evidence (opens a VIA panel in the canvas).
• Escalate — route to the appropriate downstream app (Audit, ICM, Issue Tracker — opens that app's panel in the canvas).
• What-if — open a scenario sandbox against this specific cell (pins a new panel for the perturbation).

Each follow-up action expands the canvas with another tool surface — which is why the canvas had to come first. Without it, the bridge from prediction to action has nowhere to land.