Evolving governance and controls for automation

Why is this trend important today?

This article is one of nine trends outlined in Deloitte's Future of risk in the digital era report. 

Automation is becoming the new norm for organizations to support their growth and cost optimization strategies. And it’s driving them to adopt automation technologies, such as robotic process automation (RPA), intelligent automation, and AI-based decision making tools (refer to our Managing the black box of artificial intelligence trend). Unintended consequences, including the obsolescence of existing controls, complexity in operations, and the possibility of cascading errors, become top areas of concern. Legacy infrastructure and fragmented operating environments can limit the benefits that organizations may be seeking.

To realize the complete advantages of automation, organizations need to adopt a holistic change management approach, including business-IT alignment, employee culture (refer to our Enabling digital transformation by managing culture risk trend), and new controls designed to the specific risks emerging from automation technologies.

Back to top

Where has this trend had an impact?

• An automation tool used by a media organization automatically published a breaking news story in 2017 about an earthquake that happened in 1925, causing mass panic and huge ripples over social media websites.

• A company’s automated pricing algorithm kicked in during a national emergency, without consulting with the organization’s management about how to handle the sensitive situation. As a result, customers were charged inflated prices during the incident.

• A manufacturing organization completely automated a process in their assembly line without changing the quality controls designed for manual human assessment, leading to reduced product quality and increased costs.
  

Back to top

What does this mean for organizations?

• Increased complexity because different types of automation require different types of controls while outdated controls need to be replaced. In background checks, for example, controls for humans conducting them may be replaced with software robot (bot) specific controls for exception handling and outliers.

• Increased fragility as minor changes to source systems require cascading change management across automation tools to maintain consistent operations.

• Amplified damage from cyber incidents as hackers may gain access to an automated system or acquire large quantities of confidential data through bots with excessive access and privileges.

• Implementation challenges due to operational setbacks, such as employee apprehension over working with automated systems, and incompatibility with legacy infrastructure.

• Complexity in testing automation systems driven by difficulty in replicating complex production environments.

• Difficulty in realizing the full potential of automation driven by an excessive focus on reducing costs, often overlooking other benefits such as consistency, quality, and accuracy.
  

Back to top

How can organizations respond?

• Establish a centralized governance initiative to manage the risk of automation by establishing parameters for where automation can and can’t be applied and setting policies concerning process design, development, testing, and maintenance.
• Digitize existing controls through analytics and other technologies, and design new controls specific to each technology, such as built-in error handling capabilities, alert mechanisms for process breakdowns, and manual exception handling for unexpected circumstances.
• Build digital proficiency and educate employees on the benefits of automation to alleviate their fears, accelerate adoption, and encourage identification of potential use cases for development.
• Redesign the control framework across businesses, risk management, and internal audit teams, and use technology-enhanced tools to test or audit automated processes.
• Extend existing change management models to account for bots and enhance existing IT incident and crisis management strategies to support and triage potential incidents associated with the use of bots.

Back to top