As robotic process automation (RPA) moves from pilot testing to full adoption in most finance departments, controllers must optimise their governance processes so that risk is managed without stifling the productivity gains the technology provides, says Gartner.
Gartner analysts discussed the impact of RPA on risk management processes during the virtual Gartner CFO and Finance Executive Conference. Gartner’s research has found that enterprise-wide adoption of RPA will grow from 55% of organisations in 2019 to 90% by 2022. As RPA processes expand, so will the inclination to implement new controls and heavier governance. However, the productivity gains offered by RPA could be stifled in a heavily controlled environment that is too reliant on manual oversight.
“We have reached the point where formalized controls are catching up to RPA, but the risk of overcontrolling is wasted effort that reduces the effectiveness of the technology and team capacity,” says Hilary Richards, research vice-president in the Gartner Finance practice. “By choosing the correct governance model for RPA and creating clear, rule-based systems to manage the biggest risks upfront, stakeholders can design an effective governance approach without blunting the efficiency gains that made RPA attractive in the first place.”
Optimizing Risk Management for RPA
Initial risk management assessments of deploying RPA bots have focused on the risks that emerge in an environment that is too lightly controlled. These risks, such as the growth of shadow IT, compliance violations, bot failure and the related business continuity concerns, have gradually pushed organisations toward a heavier and more formalised governance system for the technology.
“Some organisations have invested significant time and capital to deploy RPA, yet their bot utilisation rate is around 30% of what is actually available due to an overly burdensome control environment,” said Ms. Richards. “Designing a better governance process can help these organisations hit breakeven much faster, without compromising on essential risk controls.”
Designing Effective RPA Governance
To get the most out of RPA investments, Gartner’s research recommends that RPA stakeholders focus on setting a single governance model for the technology, controlling for segregation of duties (SOD) risk, and creating guidelines to assess the Sarbanes-Oxley (SOX) impact of RPA use cases.
• RPA Governance Model Selection – The right governance model for enterprise-wide RPA adoption will be decided by stakeholders’ overall comfort with the technology and the need to balance centralized controls against use case flexibility among business units. Ms. Richards recommends that organizations new to RPA start with a centralized governance model, in which enterprise standards and procedures are set by a central body. Over time, as comfort and expertise with RPA grow, mature organizations can move to a federated model that gives business units more flexibility while still maintaining coordinated control of policies.
• Managing SOD Risk – In a lightly controlled SOD environment, human access rights are too broad and bot-enabled fraud becomes a risk. In a heavily controlled environment, bot capacity remains under-utilized and budget is wasted on unused bots. Instead of segregating each process and dedicating one bot per process, Ms. Richards recommended segregating the duties of the humans who interact with the bots, while allowing a single bot to run more processes. By separating the development, supervision and process owner roles held by human employees, organizations can better manage SOD risk while consolidating processes under fewer bots and increasing their utilization rates.
• Assessing RPA’s SOX Impact – Screening every RPA use case for potential SOX impact is a time-intensive, manual activity that can quickly overwhelm the project management team responsible for it. Ms. Richards said that a more efficient approach, already used by organizations with more mature processes, is to create guidelines under which business unit owners flag new RPA proposals for further review if they automate existing SOX controls or affect SOX-related processes. Proposals with no potential SOX impact can proceed to approval without review by the SOX compliance team. Such an approach can generate significant time savings and refocus the SOX compliance team on direct risk mitigation activities rather than lower-value proposal screening.