The Risky Business of Bots

Author: Poonam Gupta, CISA, CISSP, CRISC
Date Published: 8 November 2022

The use of robotic process automation (RPA) technology and accompanying robots (bots) has become widely popular as enterprises strive to prioritize customer engagement and retention. There are numerous scenarios where organizations can achieve greater efficiency using bots. Whether used for logging customer complaints or screening job applications, bots can be found everywhere from sales and marketing to human resources (HR), operations, supply chain logistics, and customer-facing services. There are numerous use cases across enterprises where the deployment of bots has resulted in improved efficiency and reduced costs.

Defining RPA and Bots

In simple terms, RPA is a technology that can mimic actions typically performed by a human to make processes more efficient. For example, deploying RPA technology to assist customers contacting a call center can significantly alleviate employee workload and reduce inefficiencies by providing immediate responses to simple customer queries. Such automation is achieved using bots that form a part of the RPA technology. A bot is essentially a software program that performs a predefined set of instructions to replicate a human or a specific business task in an automated manner. Organizations develop and deploy bots to replace repetitive manual tasks in a process to make it faster and more accurate while reducing costs.

Key Risk and Control Considerations

RPA introduces several key risk factors into a system in addition to the inherent risk associated with the processes being automated. It is imperative to consider appropriate risk management of, and the application of controls to, the design and operation of bots.

There are a number of factors to consider that can help enterprises manage the risk associated with the use of RPA and bots:

  • Ownership and appropriate governance—Bots have the capability to perform many tasks. However, if appropriate ownership and governance have not been established regarding the use of RPA, it is often the case that these powerful automations are not utilized to their full potential. Automation can exist in silos, and many employees may have a weak understanding of how it can be leveraged to gain economies of scale. Controls such as appropriate governance structures, defined ownership and continuous monitoring of robust key performance indicators (KPIs) should be designed and implemented.
  • Poor security design and change management—Understanding how a process or task needs to be automated is key to the success of any RPA program. Inappropriate design of the bot and/or a lack of system security awareness could lead to gaps within the system that will not be easy to identify later in the process. Controls related to the software design and development phase need to be implemented with strong change management controls to ensure that all updates are thoroughly tested, verified and authorized.
  • Risk of data loss and leakage—RPA bots often handle sensitive customer and/or employee data that flow through the processes that are being automated. If proper security procedures are not in place, much of these critical data are left vulnerable to cyberattacks. There is also a risk that private customer data will be disclosed if personally identifiable information (PII) is not appropriately segregated and protected within the automation process. Ensuring that there are proper audit and logging capabilities, frequent bot password rotations and continuous monitoring of data processed by the bot is key to protecting data privacy.
  • Poor access management—Many organizations fail to understand that, like a human user, a bot needs to be provided unique system credentials so that its activity can be easily tracked and attributed. Using generic usernames for bots, sharing bot passwords and unnecessarily providing elevated levels of access are the most common pitfalls of bot implementation. Attackers can easily use a bot’s privileged access to a system to gain access to confidential data or disrupt operations. Assigning unique system credentials, encrypting passwords and providing access only on a need-to-know basis are some of the key access management controls to consider for bot implementation.
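As an added illustration that is not part of the original article, the following Python script audits a constructed bot inventory for the access-management and credential-hygiene gaps described in the last two points: generic usernames, passwords shared between bots, elevated roles and stale password rotation. The inventory, account names, role names and the 90-day rotation threshold are all assumptions made for the example.

```python
"""Audit an RPA bot inventory for common credential and access pitfalls (example, constructed data)."""
from collections import defaultdict
from datetime import date
import hashlib

MAX_PASSWORD_AGE_DAYS = 90                                        # assumed rotation policy
GENERIC_NAMES = {"admin", "rpa", "bot", "service", "automation"}  # assumed list of generic names
ELEVATED_ROLES = {"domain_admin", "db_owner", "sysadmin"}         # assumed list of elevated roles


def _fingerprint(secret: str) -> str:
    """Hash the secret so shared passwords can be compared without keeping plaintext around."""
    return hashlib.sha256(secret.encode()).hexdigest()[:16]


def audit_bots(inventory: list[dict], today: date) -> list[tuple[str, str]]:
    """Return sorted (account, issue) pairs, one per control gap found."""
    findings = []
    by_secret = defaultdict(list)
    for bot in inventory:
        name = bot["account"]
        by_secret[_fingerprint(bot["secret"])].append(name)
        if name.lower() in GENERIC_NAMES:
            findings.append((name, "generic username: bot activity cannot be attributed"))
        elevated = ELEVATED_ROLES & set(bot["roles"])
        if elevated:
            findings.append((name, "elevated access: " + ", ".join(sorted(elevated))))
        age = (today - bot["last_rotated"]).days
        if age > MAX_PASSWORD_AGE_DAYS:
            findings.append((name, f"password not rotated for {age} days"))
    # A password used by more than one bot is a shared credential: flag every account involved.
    for accounts in by_secret.values():
        if len(accounts) > 1:
            for name in accounts:
                others = sorted(a for a in accounts if a != name)
                findings.append((name, "password shared with " + ", ".join(others)))
    return sorted(findings)


# Constructed sample inventory (not real accounts); the audit date is the article's publication date.
SAMPLE_INVENTORY = [
    {"account": "rpa", "secret": "Winter2022!", "roles": ["db_owner", "invoice_read"], "last_rotated": date(2022, 1, 15)},
    {"account": "bot_invoice_01", "secret": "Winter2022!", "roles": ["invoice_read"], "last_rotated": date(2022, 10, 1)},
    {"account": "bot_hr_screen_02", "secret": "q9$Lm2!vT8#pR4wZ", "roles": ["hr_applicant_read"], "last_rotated": date(2022, 10, 20)},
]


def audit_sample() -> list[tuple[str, str]]:
    """Run the audit over the constructed inventory as of 8 November 2022."""
    return audit_bots(SAMPLE_INVENTORY, date(2022, 11, 8))


if __name__ == "__main__":
    for account, issue in audit_sample():
        print(f"{account}: {issue}")
```

Only the generically named, over-privileged "rpa" account and the bot that shares its password are flagged; the uniquely named, least-privilege, recently rotated HR bot passes cleanly.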

Conclusion

Implementing and adopting RPA within an organization should not come at the cost of system or data security. Organizations must carefully design their RPA programs by selecting the right processes for automation and ensuring that proper security procedures have been designed with these processes in mind. Since bots often handle sensitive data, constant supervision is needed to ensure that they are working effectively and appropriately handling security risk as expected.

Poonam Gupta, CISA, CRISC, CISSP

Is an internal controls manager at Flutter Entertainment Inc. She has more than 12 years of experience in internal audit, third-party audit and risk management. Gupta has performed US Sarbanes-Oxley Act (SOX) and International Financial Reporting Standards (IFRS) audits and internal controls implementation for organizations including the Big 4 accounting enterprises. Throughout her career, she has overseen risk management and controls assessment activities for numerous Fortune 500 enterprises, helping them build effective controls and stronger operating models. She can be reached at https://www.linkedin.com/in/poonam-gupta-audit/.