To mitigate risk, organizations should take a proactive approach. The following four best practices can help organizations employ effective governance at both the overall RPA program and the bot level.
1. Enterprise framework
Some of the most important decisions to consider when building an RPA program involve defining roles and responsibilities that determine overall governance. One best practice for effective RPA governance is to establish an enterprise framework that outlines the requirements for the development, implementation, approval, ongoing monitoring, and performance evaluation of automated tools. Such a framework should include:
- Criteria for compliance with the established framework
- Escalation processes for instances of noncompliance with the established framework
- Evaluation and tiering process for approvals and monitoring frequency
2. Center of excellence
Another best practice for effective RPA governance is to have a centralized function to execute against the enterprise framework. Establishing a center of excellence can help govern the unified enterprise policy and strategy for automation. Because of the risk that RPA could actually weaken the control effectiveness of a process, a center of excellence can aid in a review to determine if the benefits outweigh the cost of investment. This center of excellence should provide:
- Execution of the enterprise framework, including processes for consistent documentation of business requirements such as data points, assumptions, exposure to regulatory compliance risk, and exit strategies, as well as business justification for the creation of the bot
- An escalation point for instances of noncompliance with the framework or instances in which a bot’s performance is below established thresholds
- An approval body for the development and implementation of new bots
3. Auditability
Because bots mimic human actions and execute portions of a workflow, it is critical that the bot activities can be audited to evaluate reliability as bots perform regular tasks. Best practices include:
- Assigning bots and other automation tools a unique identifier for ease in tracking the bot’s activities and for auditing the bot’s performance
- Defining a bot owner who is responsible for monitoring the bot’s day-to-day activities, performing periodic reviews of the bot’s performance, and escalating bot issues
- Having a clearly defined business continuity plan that captures backup procedures and the sources of data required to complete the work in the event the bot breaks down
4. Performance monitoring
A fourth best practice is to define how the performance of the bot or other automated tool will be measured. Financial services organizations should have procedures in place that outline review requirements that focus on identifying and limiting errors with known weaknesses and limitations and on making sure the bot is functioning as designed. Consideration should be given to developing the following:
- A monitoring plan and periodic review of the bot’s performance and business requirements based on inherent risk, including confirmation that business requirements remain accurate
- Regular reporting for bot exceptions and failures, including root cause analysis for any failures that occur
- Defined key performance indicators and key risk indicators for bot performance monitoring, including actions to be taken when errors exceed risk or performance tolerances