RPA’s Impact on Governance, Risk Management and Compliance

Intelligent automation (IA) is transforming how organizations operate, from finance to operations and human resources. Basic robotic process automation (RPA), as well as more advanced process technologies such as artificial intelligence (AI), can unlock the potential to do things faster, better and at lower cost. These technologies are fairly easy to deploy and deliver a quick ROI.

However, with wider adoption and reliance on automation, new governance, risk management and compliance (GRC) considerations have also emerged. As automation is introduced across multiple functions, it becomes subject to complex compliance mandates and operational scrutiny. To fully capitalize on the opportunities of IA and avoid the pitfalls, there are certain risk considerations to keep in mind when implementing these advanced technologies:

  • Defined risk appetite and compliance requirements. It is paramount to remember that, without a clear view of risk appetite, as well as the organization’s existing compliance with business and regulatory requirements, it is impossible to establish a proper risk management and governance program that effectively identifies, monitors, evaluates and mitigates risk.
  • Identity management and privileged access. In this new world of IA, where automated processes replace human actions and even make decisions, the “how” questions about data security and access become even more complex. For example, how are bots handled in the context of identity, authentication and access provisioning? How are controls, segregation of duties, traceability and accountability introduced? How does an organization assign, monitor, change and remove a bot’s access, and what systems, more broadly, can the bot reach?
  • Controls integration, logging and traceability. Lack of controls in an IA program can prevent organizations from meeting security, privacy and compliance requirements. The ability to demonstrate what the automation-based systems (i.e. RPA) have actually done is important. Yet, there isn’t a good way of doing that, since today’s platforms have varying capabilities and levels of maturity around identity and access management, segregation of duties and capturing activities, logs and audit trails. And let’s face it – there aren’t any real, defined standards in this space.
  • Business resiliency. RPA-based systems can perform complex tasks and activities without any breaks, at speed and scale. Yet inconsistent developer skills, as well as a lack of change management processes and other controls, can create an unstable environment and increase the failure rate. What happens if there is a disruption or failure? How does an organization maintain business resiliency and the availability of mission-critical business processes?

Defining a Governance and Risk Function That Works

A well-defined function is key to making sure that IA is designed and implemented effectively to drive and inform the automation program strategy, as well as its delivery and operation. The governance function must influence what the IA strategy will be, including what platforms will be selected, the functional stakeholders who will steer the program, the operational drivers, the approved use cases and how they will be prioritized.

Then, the organization must define how to implement the IA solutions. Governance and risk management come into play here by providing tools and training to enable developers, either as a central function, which is the preferred way, or within different organizational groups.

Integration of controls must be considered at this stage of the process: for example, will the RPA systems be performing key functions? Providing approvals for financial transactions? Depending on what the system is designed to do, segregation of duties, identity and access management, checks, logging and monitoring, approval requirements and workflows must all be considered.

Not all automation systems are created equal. Some are basic systems, while others will perform complex and mission-critical functions and, most likely, will be subject to compliance requirements.

In operations, in addition to KPIs, an organization must have key risk indicators (KRIs). An organization can funnel data back from the automation systems and use that data as a feedback mechanism to monitor and manage risk. This servo-control mechanism reports back into the governance function to enable effective risk management.
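The following is an added example, written for this article and not code from the author or from any RPA platform, that shows what the KRI feedback loop above and the identity and traceability bullets earlier can look like in practice: bot audit-trail lines are parsed, checked for segregation-of-duties conflicts (one bot identity both creating and approving the same payment) and for events with no attributable identity, and then rolled up into KRIs that are compared against thresholds standing in for the organization’s stated risk appetite. The pipe-delimited log format, bot names, action names and threshold values are all constructed assumptions.

```python
"""Added example: deriving key risk indicators (KRIs) from RPA bot audit logs.

Written for this article; not code from the author or from any RPA vendor.
The log format, bot identities, action names and thresholds are constructed
assumptions used to illustrate segregation of duties, traceability and a
KRI feedback loop over an automation audit trail.
"""
from collections import defaultdict
import re

# Constructed sample audit trail (assumed pipe-delimited format):
# timestamp | bot identity | action | object id | outcome
SAMPLE_LOG = """\
2024-03-01T09:00:01Z|bot_ap_01|create_payment|PAY-1001|success
2024-03-01T09:00:05Z|bot_ap_01|approve_payment|PAY-1001|success
2024-03-01T09:01:10Z|bot_ap_02|create_payment|PAY-1002|success
2024-03-01T09:01:14Z|bot_approver_01|approve_payment|PAY-1002|success
2024-03-01T09:02:00Z|bot_ap_02|create_payment|PAY-1003|failure
2024-03-01T09:02:30Z||create_payment|PAY-1004|success
2024-03-01T09:03:00Z|bot_hr_01|grant_admin_role|USR-77|success
2024-03-01T09:03:45Z|bot_ap_02|create_payment|PAY-1005|failure
"""

# Action pairs that one identity must never perform on the same object (assumed policy).
SOD_CONFLICTS = {("create_payment", "approve_payment")}
# Actions counted as privileged for the KRI (assumed policy).
PRIVILEGED_ACTIONS = {"grant_admin_role"}

LINE_RE = re.compile(r"^([^|]*)\|([^|]*)\|([^|]*)\|([^|]*)\|([^|]*)$")


def parse_log(text):
    """Parse the audit trail into event dicts; reject malformed lines loudly."""
    events = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        m = LINE_RE.match(raw)
        if m is None:
            raise ValueError(f"malformed audit line: {raw!r}")
        ts, actor, action, obj, outcome = m.groups()
        events.append({"ts": ts, "actor": actor, "action": action,
                       "object": obj, "outcome": outcome})
    return events


def find_sod_violations(events):
    """Return (actor, object) pairs where one bot did both halves of a conflicting pair."""
    actions_by = defaultdict(set)
    for e in events:
        if e["actor"]:  # events with no identity are reported separately as untraceable
            actions_by[(e["actor"], e["object"])].add(e["action"])
    violations = []
    for (actor, obj), acts in sorted(actions_by.items()):
        for first, second in SOD_CONFLICTS:
            if first in acts and second in acts:
                violations.append((actor, obj))
    return violations


def compute_kris(events):
    """Roll the audit trail up into the KRIs the governance function monitors."""
    total = len(events)
    failures = sum(1 for e in events if e["outcome"] != "success")
    return {
        "failure_rate": failures / total if total else 0.0,
        "sod_violations": len(find_sod_violations(events)),
        "privileged_actions": sum(1 for e in events if e["action"] in PRIVILEGED_ACTIONS),
        "untraceable_events": sum(1 for e in events if not e["actor"]),
    }


# Constructed thresholds standing in for the organization's stated risk appetite.
DEFAULT_THRESHOLDS = {
    "failure_rate": 0.10,
    "sod_violations": 0,
    "privileged_actions": 0,
    "untraceable_events": 0,
}


def breached_kris(kris, thresholds=DEFAULT_THRESHOLDS):
    """Names of KRIs that exceed their threshold, i.e. what gets escalated to governance."""
    return sorted(name for name, limit in thresholds.items() if kris.get(name, 0) > limit)


if __name__ == "__main__":
    kris = compute_kris(parse_log(SAMPLE_LOG))
    for name, value in kris.items():
        print(f"{name}: {value}")
    print("breached:", breached_kris(kris))
```

On the constructed sample, every KRI breaches its threshold: the failure rate is 0.25, bot_ap_01 both created and approved PAY-1001, one event carries no bot identity at all, and one bot granted an admin role. The thresholds are the point where the risk appetite from the first bullet meets the feedback data: they are policy, not something the script should invent, and a real deployment would load them from the governance function rather than hard-code them.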

Plan, Build, Run

To integrate governance and risk into the IA program, an organization must integrate governance and risk streams into the broader enterprise GRC framework. The organization needs to be thinking about what could go wrong. There needs to be a mechanism in place to set the ground rules for how to approach automation and how to address both the positives and the negatives.

In the build phase, one key decision is paramount to fully operationalizing the governance function: how much to take on at once. Businesses often try to boil the ocean, which is good for immediately capitalizing on ROI, but the GRC considerations are far more complex and can introduce challenges.

The run phase deals with the ongoing execution of the automation program, viewed through a risk lens. This is perhaps the most important function of governance, and it can exist in a variety of forms, including a specialized risk auditing function or even a center of excellence (CoE). This means building an operational CoE, managing change, and continuously optimizing the program and the individual automation systems, using risk templates and controls as part of the operation. Finally, there must be a mechanism for reporting compliance metrics and KRIs to stakeholders and/or regulatory bodies.

Opportunities for Risk Controls in Intelligent Automation

As technology and capabilities continue to evolve, the lack of defined standards to follow and the rapidly changing landscape can be, in some ways, chaotic. However, as the technology matures, there is more focus and discipline around GRC. Lately, risk management and audit functions have been more active in developing GRC controls. While we are still in the early stages, it is a step in the right direction.

Spiros Liolis

Spiros Liolis is a Chief Technologist with 20+ years of multi-discipline, multi-national experience in over 55 countries. His experience in Digital Transformation, Intelligent Automation, GRC (Governance, Risk, Compliance) and Business Continuity & Resiliency has led to creating breakthrough solutions, innovations, early technology adoptions and patent-candidate solutions in AI. Spiros has led some of the largest DX projects in EMEA, AsiaPac and USA for some of the largest clients in Financial, Telecommunications, Manufacturing, O&G and comes with excellent knowledge of industry solutions, emerging technologies and trends. He has a Master of Science in Engineering Management and a Bachelor of Science in Mechanical Engineering. He is passionate about the sea, food, and photography. A “Big fat Greek wedding” kind of guy with a lovely wife and two kids!
