One of the hot topics for any implementation of Robotic Process Automation seems to be risk and compliance.
One of the frameworks I see in place is to simply extend the existing compliance framework over Robotics. I can see the attraction in this – it’s less effort as you’re not changing the approach to compliance – therefore it shouldn’t ruffle (too many) feathers.
But this approach really misses an opportunity to improve compliance.
Let’s take a classic process which has been split in two for segregation of duties:
Now, imagine this approach to compliance applied to Robots:
Since it’s a robot who doesn’t have any capability for deceit or fraud, what’s the actual risk here of a robot fraudulently processing invoice payments?
(the answer is ZERO risk)
Why does this matter? Well, if you segment the duties like you did with people, you’d never be able to allow Robot B to process invoices and you’d never allow Robot A to authorise payments. This results in lost efficiency… Let’s scale it up.
I have 10 processes that require separation of duties when people do them. No one person would be authorised to do more than 1 of these processes.
Mirroring that approach to compliance, I’d need 10 robots to complete this work. But each robot does the whole day’s work in about 1 hour. So if we removed the segregation of duties, I’d only need 1 robot working 10 hours to complete all the work.
The reality is, you want to have all your robots available to do any process you’ve programmed – this is the most efficient use of resources and you can react to peaks and troughs so much better.
There is no risk to this approach – because actually, the risk is now somewhere else…
So where does the risk now lie?
The risk of fraud now lives with the people who control the Robots – the Process Controllers.
These are the people who are responsible for allocating work to the robots. They monitor the workload of each robot and decide how many robots to put on a queue of work, etc.
If I am the Process Controller, and I can direct the Robot to complete the process for paying an invoice and then direct the robot to authorise that payment – there is a risk that I could engage in fraud as I have the ability to direct a Robot worker to do the whole task.
In a complex financial services environment, you might have lots of controls like this – aimed at reducing the opportunity for fraud – prevention being far better than detection.
But don’t place these controls on the Robot – there is no reason to do this. Instead, think about the controls you need in place for the people who control the Robots.
You’ll get better results.