Unit 3 - Robotic Process Automation

Uploaded by

VIJAY VARADHARAJ
Copyright © All Rights Reserved

Governance, Risk & Controls for Robotic Process Automation (RPA)

Unit III
• Roles in RPA implementation
• Testing
• Governance and risks - Compliance with regulations
• Human-based vs. bot decisions - Internal vs. external processes
• Data security and controls
Role of RPA Implementation
• Ensuring the long term success
• Bot deployment – average time for start, frequent breakdowns
• Maintenance – additional investment, added infrastructure requirement, autopiloting issues

Here’s something else from a Deloitte survey: Among 424 companies, about 53% had begun an RPA journey but a mere 3% had actually scaled the implementation to more than 50 bots!
Testing
• Black Box Testing: This is where the internal structure and design of the bot is not known to the tester. This involves setting up certain inputs and test cases – and then seeing if the results are correct.
• White Box Testing: This involves testing the internal structure and design of the bot. In other words, the tester will analyze the source code and try to detect any issues, say, security exposures, poor processes, or convoluted paths.
• Grey Box Testing: Here you have a blend of the black and white box testing approaches.

In 2002, Washington State changed sentencing to allow for credits for good prison behavior. This was implemented into a software system that determined the release date. Sounds like a good idea, right? This is true. But the software had a bug. On average, it allowed the release of prisoners 49 days earlier! In some cases, it was over 600 days. It was not until 2015 that an IT person realized the error and it was corrected. Yet more than 3,200 prisoners had been released earlier than was required by law.
Testing
• When it comes to testing bots, there is usually both manual and automated techniques.
• With the former, you will have a tester try many different options and record them (this often requires looking at the log files, database entries, etc.). This can be time-consuming but it is still useful. There is the benefit of creativity and imagination.
• As for automated testing, you will set up scripts that have different values and then run them on the software. This is certainly faster and can test for many possibilities. But automated testing is certainly constrained.
• Review the documentation like the Process Definition Document (PDD) or the Solution design document (SDD).
• There should be analysis of the data for the test scripts (the information is usually in an Excel worksheet).

“Those deploying the solution will define the roles of the bots in the process. They also should keep the affected team members in confidence, iterate the process to check the infrastructure and software, and develop a fallback plan.”
- Ashish Mehra, Co-Founder & CEO, Antworks
Monitoring
• Know whether your deployment met those criteria or fell short. It’s also important to configure the bots
to handle changes and monitor the impact of that.
• Considering broader efficiencies and compliance requirements should also be part of your monitoring
effort. Ideally, measure to see whether employee efficiency has increased, and you’ll definitely need to
analyse the compliance requirements of the bot.
• Business Continuity Plan: document that sets forth the types of monitoring, the goals to achieve, and
the actions to take when something goes wrong; the CoE can draft and enforce.
• Periodic meetings: to evaluate the performance of the bots – are things tracked? Changes required? Bot
to be terminated?
• Parsing the log files – Visualize
Cybersecurity
• RPAs are vulnerable to cyberattacks
• Protection of Credentials: Make sure you securely store and manage them.
• Application Access: Be mindful of what the bot is doing. What would happen if it were in
the control of a bad actor?
• Governance: Sketch out a framework for security, which should cover the design of the
bots and the use of data. There should also be a clear definition of roles and
responsibilities.
• Audit Trail: Use an RPA platform that creates logs, so that investigations and assessments can be conducted.
• RPA Security: The RPA system should provide high levels of security. Furthermore, it is not a good idea to use a free version of an RPA system in production. In most cases, the security will not be strong.
• Rotation: A way to help protect credentials is to change the access privileges continuously.
Thus, if a hacker gains access, the usefulness will not last long.
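
The Application Access and Audit Trail points above can be checked mechanically. The following is an added example, not part of the original slides: it reviews a bot audit trail against a per-bot allow-list and run schedule. The log format, bot names, targets and policy are constructed assumptions, not the output of any particular RPA product.

```python
import re

# Constructed policy (assumption): what each bot identity may touch and the
# UTC hours in which it is scheduled to run.
POLICY = {
    "invoice-bot-01": {"allowed": {("read", "erp.invoices"), ("write", "ledger.entries")},
                       "hours": range(1, 4)},
    "hr-onboard-02": {"allowed": {("read", "hr.forms"), ("write", "hr.accounts")},
                      "hours": range(8, 18)},
}

# Constructed audit-trail lines in a hypothetical key=value format.
SAMPLE_LOG = """\
2024-05-01T02:14:07Z bot=invoice-bot-01 action=read target=erp.invoices
2024-05-01T02:14:09Z bot=invoice-bot-01 action=write target=ledger.entries
2024-05-01T02:15:30Z bot=invoice-bot-01 action=read target=hr.payroll
2024-05-01T23:41:12Z bot=hr-onboard-02 action=read target=hr.forms
2024-05-01T09:02:00Z bot=tmp-bot-99 action=write target=erp.vendors
"""

LINE = re.compile(
    r"^(\d{4}-\d\d-\d\dT(\d\d):\d\d:\d\dZ) bot=(\S+) action=(\S+) target=(\S+)$")

def review_audit_trail(log_text, policy=POLICY):
    """Return (line_no, finding, detail) for every entry that breaks policy."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LINE.match(line.strip())
        if not m:
            # Entries that cannot be parsed are surfaced, never silently dropped.
            findings.append((n, "unparsed", line))
            continue
        ts, hour, bot, action, target = m.groups()
        rule = policy.get(bot)
        if rule is None:
            findings.append((n, "unknown-identity", bot))
            continue
        if (action, target) not in rule["allowed"]:
            findings.append((n, "outside-allow-list", f"{bot} {action} {target}"))
        if int(hour) not in rule["hours"]:
            findings.append((n, "outside-schedule", f"{bot} at {ts}"))
    return findings

if __name__ == "__main__":
    for finding in review_audit_trail(SAMPLE_LOG):
        print(finding)
```
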
Scaling
• Planning: This is absolutely required for scaling RPA. You need to have detailed objectives
and documentation (actually, it is important to emphasize this at every step in the
process). If not, there will usually be chaos and confusion when there are many bots
within an organization. A common way to deal with this is to retain consultants and even
use process mining software.
• ROI: If there is too much focus on this, then it can be difficult to scale RPA. The reason for
this? Let’s take an example: Suppose that a company only takes on automation of those
processes where the ROI is 100% over a two-year period. This may intuitively sound like
a good approach. But there is a nagging issue: What if there are only a few processes that
meet these criteria and they impact a small part of the organization? In this case, when
looking at a holistic view of things, there will really be little impact from the RPA effort.
Rather, if the average ROI is, say, 20%, but it encompasses many parts of a company, then
there could be a major impact on productivity and efficiency. This is known as the
“portfolio effect.” But for it to work, there needs to be a strong emphasis on change
management.
Scaling
• CoE: This is absolutely essential for scaling. There needs to be some
discipline, governance, and centralization of the RPA implementation and
monitoring. The CoE should also draft the SOP (standard operating
procedures) and collect any of the learnings and best practices. There also
needs to be ongoing training and education.
• IT: It’s common not to involve IT in the early phases. And this is
understandable as RPA technology is relatively easy to use. What’s more, IT
can bring friction to the process. But if you want to scale the system, then you
need to have this group involved. They can be instrumental in helping with
building the right technology foundation – such as with the cloud or
sophisticated approaches like Kubernetes – as well as assist development
techniques, dealing with updates and patches (which, by the way, is quite
common with RPA), integration, and credentials management.
Compliance with regulations
• The Chief Compliance Officer needs to perform independent testing
of compliance with key regulations to be able to certify business units
• The checks are performed by testing compliance through a manual
process using compliance checklists
• In an RPA enabled compliance check, the compliance checklists form
the base for data preparation, which is fed to the bots for compliance
testing
• The benefit of such RPA compliance testing is to ensure the
achievement of compliance with regulatory requirements and internal
policies of the organization
Human and Bot Decisions
Human and Bot decisions – Data Management
• Robots shine in tasks that require working across a wide range of different IT systems.
• e.g.: transferring information from one place to another, extracting data and writing it into different systems, consolidating information, and so on.
Human and Bot decisions – Data Validation
• A robot is not only capable of transferring data but can also verify the information. This is especially helpful when something must be checked with third parties or when it must be verified that the information is real.
Human and Bot decisions – Management of other robots and employees
• Once many robots appear within a company, their work must be managed using either another robot or a special tool. In some cases robots can control the work of a real human, suggesting tasks or signaling specific events or certain points in the process.
Human and Bot decisions – Make simple decisions
• If simple decisions must be made within the process, it is a good task for a robot. Where an exception from the algorithm is possible, the robot can signal a real person and ask for help.
Human and Bot decisions – Work with unstructured data
• Even though robots aren't capable of working with handwritten texts and totally unstructured data, they can be used for work with agreements, in terms of searching for specific information and legal review.
Human and Bot decisions – Training
• Robots could be used as teachers for new employees, avoiding the involvement of real people who are usually busy with tasks of more added value. The pre-recorded robot can show all the company's systems to the new employee and explain the regulations of the main processes.
Tesla Bot introduced by Elon Musk on AI Day 2022
• https://youtu.be/UXHoWNfjJYM
Data Security and controls
• Access abuse: A corrupt bot can access sensitive data and move laterally in the network or destroy high-value information.
• Sensitive data disclosure: A security breach can result in disclosure of sensitive information to external parties.
• Security vulnerabilities: A rogue robot can create security vulnerabilities for data at rest or in motion.
• Service denial: Denial of service scheduled in the rapid sequence in case of any security breach.
Data Security and Controls – the pillars of security
• Governance and implementation: The organization should ensure a governance framework which will build strategy and security requirements from an RPA perspective and ensure seamless business continuity.
• Product Software Security: Organizations should perform a product architecture risk assessment both internally and externally (chosen RPA solution).
• Audit and Compliance: The organization must conduct regular audits to ensure that the bots are compliant with all industry regulations in order to avoid hefty fines and a tarnished brand image.
• Access Management: Role based access control is one of the most crucial features to keep in mind while opting for an RPA solution. A credential management process must be put in place for the bots to store credentials in a Vault and access them as and when needed.
Data Security risks
Confidential information disclosure
• Any information about a company's business and operations that is not available to the public and has commercial worth is confidential. The unauthorised revelation of a company's financial information, marketing plans, planned initiatives, or other private materials could be harmful.
Common Security risks
• Data encryption isn't present
• Injection of SQL
• Authorization is missing
• Forgery and cross-site scripting
• Insecure passwords
• Infected software is being uploaded
• Misuse of access
Security controls
Prevent security problems that can lead to fraud and misuse
Security executives must limit robotic process automation access to only what each bot requires to do the required task. For example, if a task is to extract data from one place and paste it to another, only read access should be given in the first place, and only write access should be given to the other.

RPA scripts should be reviewed and validated regularly
Robotic process automation robots should be built and maintained constantly. Once bots are deployed to production, they should be monitored continuously, and the risks identified through exception reports should be addressed.

To decrease security risks:
• Ensure that RPA console access is protected using cyber-security best practices to protect RPA administrators' credentials, and immediately suspend or terminate suspicious sessions.
• Create a risk assessment system that considers both the overall RPA implementation and individual scripts.
• Monitor and validate its scripts regularly,

Ensure Accountability for bot actions
Each robotic process automation robot and technique has its own identity, ensuring dedicated authentication credentials and identity naming criteria. All credentials should be stored in a secure location. All privileges that are not required should be revoked, and all credentials must be removed from the scripts or other unsecured locations. Two-factor authentication can also be used with login authentication.
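
The least-privilege and accountability controls above lend themselves to a regular automated review. The following is an added example, not part of the original slides: it audits a bot inventory for grants beyond "read the source, write the destination", for identities shared between bots, and for credentials left in scripts. The inventory layout, bot names, identities and script snippets are constructed assumptions.

```python
import re
from collections import Counter

# Constructed inventory (assumption): each bot's task, the grants it holds,
# the identity it logs in with, and the text of its script.
BOTS = [
    {"name": "invoice-copy", "identity": "svc-rpa-invoice",
     "task": {"source": "erp.invoices", "dest": "ledger.entries"},
     "grants": {("read", "erp.invoices"), ("write", "ledger.entries")},
     "script": 'creds = vault.get("svc-rpa-invoice")\ncopy(creds)'},
    {"name": "vendor-sync", "identity": "svc-rpa-shared",
     "task": {"source": "crm.vendors", "dest": "erp.vendors"},
     "grants": {("read", "crm.vendors"), ("write", "crm.vendors"),
                ("write", "erp.vendors")},
     "script": 'password = "Summer2024!"\nlogin("svc-rpa-shared", password)'},
    {"name": "report-mailer", "identity": "svc-rpa-shared",
     "task": {"source": "bi.reports", "dest": "mail.outbox"},
     "grants": {("read", "bi.reports"), ("write", "mail.outbox")},
     "script": 'creds = vault.get("svc-rpa-shared")\nsend(creds)'},
]

# A quoted literal assigned to a credential-like name, e.g. password = "..."
HARDCODED = re.compile(
    r"""(?i)\b(pass(word|wd)?|secret|api[_-]?key|token)\b\s*[:=]\s*["'][^"']+["']""")

def audit_bots(bots):
    """Return (bot, finding, detail) tuples for each control that is not met."""
    findings = []
    counts = Counter(b["identity"] for b in bots)
    shared = {ident for ident, c in counts.items() if c > 1}
    for b in bots:
        # Least privilege: read on the source, write on the destination, nothing else.
        needed = {("read", b["task"]["source"]), ("write", b["task"]["dest"])}
        for grant in sorted(b["grants"] - needed):
            findings.append((b["name"], "excess-privilege", " ".join(grant)))
        # Accountability: one dedicated identity per bot.
        if b["identity"] in shared:
            findings.append((b["name"], "shared-identity", b["identity"]))
        # Credentials belong in the vault, not in the script text.
        if HARDCODED.search(b["script"]):
            findings.append((b["name"], "credential-in-script", "move to vault"))
    return findings

if __name__ == "__main__":
    for finding in audit_bots(BOTS):
        print(finding)
```
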
