Controllers must optimise their governance processes to balance risk management against the productivity gains the technology provides, as robotic process automation (RPA) moves from the testing phase to full adoption in most finance departments, Gartner said recently.
According to the advisory firm, its research forecasts that enterprise-wide adoption of RPA will grow from 55% of organisations in 2019 to 90% by 2022.
As RPA processes expand, so will the inclination to implement new controls and heavier governance, the firm added.
However, the productivity gains offered by RPA could be stifled in a heavily controlled environment that is too reliant on manual oversight, the firm noted.
“We have reached the point where formalised controls are catching up to RPA, but the risk of over-controlling is wasted effort that reduces the effectiveness of the technology and team capacity,” said Hilary Richards, research vice president in the Gartner Finance practice.
By choosing the correct governance model for RPA and creating clear, rule-based systems to manage the biggest risks upfront, stakeholders can design an effective governance approach without blunting the efficiency gains that made RPA attractive in the first place, she advised.
Optimising risk management for RPA
Initial risk management assessments of deploying RPA bots have focused on the risks that could emerge in an environment that is too lightly controlled.
These risks, such as the growth of shadow IT, compliance violations, bot failure and the related business continuity concerns, have gradually pushed organisations toward a heavier and more formalised governance system for the technology, Gartner pointed out.
“Some organisations have invested significant time and capital to deploy RPA, yet their bot utilisation rate is around 30% of what is actually available due to an overly burdensome control environment,” Richards said.
“Designing a better governance process can help these organisations hit breakeven much faster, without compromising on essential risk controls,” she noted.
Designing effective RPA governance
To get the most out of RPA investments, Gartner recommends that RPA stakeholders focus on three things: setting a single governance model for the technology, controlling for segregation of duties (SOD) risk, and creating guidelines to assess the Sarbanes-Oxley (SOX) impact of RPA use cases.
RPA governance model selection. The right governance model for enterprise-wide RPA adoption will be decided by stakeholders’ overall comfort with the technology and the need to balance centralised controls with use case flexibility among business units.
Organisations new to RPA typically start with a centralised governance model, where enterprise standards and procedures are set by a central body, Richards observed.
“Over time, as comfort and expertise with RPA grows, mature organisations can move to a federated model that provides more business unit flexibility while still maintaining coordinated control of policies,” she advised.
Managing SOD risk. In a lightly controlled SOD environment, human access to bots is too broad, which opens the door to bot-enabled fraud.
In a heavily controlled environment, where each process is segregated onto its own bot, bot capacity remains under-utilised and budget is wasted on idle bots, Gartner said.
Instead of segregating each process and dedicating one bot per process, Richards recommended segregating the duties of the humans interacting with the bots, while allowing more processes to be run by a single bot.
“By separating the development, supervision and process owner roles managed by human employees, organisations can both better manage SOD risk while consolidating processes under fewer bots and increasing their utilisation rates,” she noted.
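The model described above, segregating the human roles around a bot rather than dedicating one bot per process, can be expressed as a check on role assignments. The following is an added example, not code from Gartner or from the article: it takes a list of process-to-bot assignments with the three human roles (developer, supervisor, process owner), and reports two kinds of conflict: one person holding two roles on the same process, and a person supervising a process on a bot whose scripts they also develop. The second rule is the one that matters once several processes share a bot, because the developer of any one process can change everything that bot runs. The process names, bot names and people are constructed sample data.

```python
"""Added example (not from the Gartner research or the article): a small
separation-of-duties (SOD) check for RPA role assignments, illustrating the
"segregate the humans, not the bots" model. Names are constructed sample data."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Assignment:
    """One automated process: which bot runs it and who holds each human role."""
    process: str        # business process automated by the bot
    bot: str            # bot (runtime identity) that executes the process
    developer: str      # writes and changes the bot script
    supervisor: str     # approves runs, reviews exceptions and change requests
    process_owner: str  # accountable for the business outcome

    def roles(self):
        return {"developer": self.developer,
                "supervisor": self.supervisor,
                "process_owner": self.process_owner}


def sod_violations(assignments):
    """Return a sorted list of SOD violations found in the assignments.

    Rule 1: within one process, developer, supervisor and process owner must be
    three different people.
    Rule 2: whoever develops any process on a bot can change every script that
    bot runs, so they must not supervise any process on that bot.
    """
    violations = set()
    developers_by_bot = defaultdict(set)
    for a in assignments:
        developers_by_bot[a.bot].add(a.developer)

    for a in assignments:
        held = defaultdict(list)
        for role, person in a.roles().items():
            held[person].append(role)
        for person, roles in held.items():
            if len(roles) > 1:  # rule 1: same person in two roles on one process
                violations.add(f"{a.process}: {person} holds {' and '.join(roles)}")
        if a.supervisor in developers_by_bot[a.bot]:  # rule 2: bot-level conflict
            violations.add(f"{a.process}: supervisor {a.supervisor} "
                           f"also develops on {a.bot}")
    return sorted(violations)


def processes_per_bot(assignments):
    """Utilisation view: how many processes are consolidated under each bot."""
    counts = defaultdict(int)
    for a in assignments:
        counts[a.bot] += 1
    return dict(counts)


# Constructed sample data: three processes share bot-01, one runs on bot-02.
SAMPLE = [
    Assignment("AP-invoice-posting", "bot-01", "alice", "bob", "carol"),
    Assignment("AR-dunning-letters", "bot-01", "alice", "dave", "erin"),
    # alice develops on bot-01, so she must not supervise anything on it
    Assignment("GL-journal-upload", "bot-01", "frank", "alice", "gina"),
    # hal both develops and supervises the same process
    Assignment("payroll-reconciliation", "bot-02", "hal", "hal", "ivy"),
]

if __name__ == "__main__":
    print("processes per bot:", processes_per_bot(SAMPLE))
    for v in sod_violations(SAMPLE):
        print("SOD violation:", v)
```

The point of the bot-level rule is that consolidating processes onto fewer bots raises utilisation only if the conflict check moves with it: a developer who is clean on a per-process view can still be in conflict once their bot also runs a process they supervise.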
Assessing RPA’s SOX Impact. Screening every RPA use case for potential SOX impact is a time-intensive, manual activity that can quickly overwhelm the project management team responsible for this duty.
A more efficient approach, already in use at organisations with more mature processes, is to give business unit owners guidelines for flagging new RPA proposals for further review when those proposals automate existing SOX controls or affect SOX-related processes, said Richards.
RPA proposals with no potential SOX impact can proceed for approval without review by a SOX compliance team, she said, adding that such an approach can generate significant time savings and refocus the SOX compliance team toward direct risk mitigation activities, rather than lower-value proposal screening.