Robots are on the rise in business.
As organisations become ever more focused on replacing manpower with technology in service delivery, an increasing number are turning to Robotic Process Automation (RPA) to streamline and automate certain processes.
In fact, a recent report by Everest Group found that 28% of firms were already using automation-deployed technology, whilst 50% of global IT service centres were actively deploying automation pilots. It also predicted that the global automation market would be worth nearly $5billion by 2020.
What exactly is RPA?
In simple terms, RPA means the deployment of a virtual cohort of ‘robots’ that are used to imitate human users by performing repetitive manual work across applications and systems, but without the need for complex systems integration. These robots can interact with a user interface just like a human would and switch between tools to perform tasks such as copying and pasting data.
The benefits of this are obvious, as it frees up staff from repetitive and time-consuming work and cuts down on human error – thus driving efficiency and productivity, reducing cycle time, and improving accuracy.
RPA is often adopted by departments such as finance and operations, where departmental pain points can be easily alleviated by automating ‘RPA friendly’ tasks such as data entry, payments and invoice processing.
But RPA can also play a significant role in supporting the centralisation of the risk and controls function.
How RPA can drive controls centralisation
The traditional approach to managing risk has often been to allow each individual business unit to control its own area of responsibility, rather than having one centralised team that manages risk across the organisation.
But RPA now offers the opportunity to centralise controls without the need for a heavily-staffed ‘Centre of Excellence’ (CoE) to manage the process. That’s because RPA is able to reduce the amount of manual intervention needed throughout the controls process, so that IT administrators just receive noted exceptions, rather than actually operating an excessive number of controls. This helps to remove the unnecessary duplication and overlap of controls and drive better integration of controls across the enterprise.
The RPA solution effectively tells them what they need to think about, based on what it defines as being necessary to bring to their attention. This obviously takes a lot of work away from staff responsible for controls, allowing them to concentrate on more productive work - such as further developing the internal controls framework - as they don’t have to look at as many control activities as before. A CoE then becomes a more affordable reality, as it has been designed with automation at the core.
Levels of RPA in controls automation
How RPA is used in controls will obviously vary from business to business, but it has three main strands:
Automating existing manual controls: The simplest way of using RPA is by automating what you've already been doing manually, such as batch jobs and simple scripts. For example, you could automate the review of certain logs – e.g. user activity and admin activity logs - to keep a check on certain unauthorised transactions
Automating controls testing: You can also use RPA to bring in more efficiencies through the testing of controls, by implementing automated scripts with analytical capability. This removes the need for a human user to analyse testing data and deem a control to be either effective or ineffective. For example, RPA can be used to test the status of default user account control. This can be end-to-end as it can even fill in documentation templates for the controls tested and then store in a document repository for review.
Automating controls monitoring: The third role of RPA in controls is through implementing continuous monitoring systems with controls dashboards that constantly watch over controls. For example, automatic and continuous monitoring of change management controls can be established to ensure all changes are approved and adequately tested before being moved into production. Other examples are to identify usage conflicts of Segregation of Duties within the system or to spot suspicious exceptions within a defined process that may require investigation.
It is important to remember that RPA is not a straight substitute for human risk and controls management. People must still run the controls process and ultimately make the necessary decisions. But with the ongoing advances in machine learning, it means RPA is likely to be an increasingly important component of controls.
This will mean regulators taking considerable interest, especially as robotics may worry many employees in regards to their future responsibilities and employment. Although, increased use of RPA will also create new employment opportunities that combine automation and risk management competencies.
Executives must also be ready to assess whether too much reliance is being placed on RPA and whether the intended purpose has grown too large, particularly where decision-making is concerned.
Overall, RPA presents an exciting opportunity for risk and controls, but ultimately it can’t automate everything. Organisations must ensure that RPA is there to speed-up processes, to scale the number of controls in place and to free up staff to do the work that robots can’t – such as innovating, problem solving and making decisions.
With the increasing cost of managing compliance, risk and controls continues to be a focus for business leaders, shareholders, auditors and regulators. While most organisations are still operating at the relatively early stages of their automation journey, RPA is now regarded by many as the future of controls.