Robotic process automation (RPA) is a promising new technology — except that lots of compliance officers might already use this technology and not know it. There’s an even larger chance that you are already facing compliance risks from other parts of your enterprise that are using RPA and haven’t yet thought to tell you.
RPA is defined as software that executes tasks without human intervention. For example, if your HR department records that an employee has quit and then your IT department software automatically turns off the employee’s system access privileges — that’s RPA. Or when you register for a webinar online and receive a calendar reminder via email two minutes later, that’s also RPA.
The sophistication of robotic process automation has soared in recent years. These days, survey after survey finds that companies are racing to adopt RPA, and many expect to use it widely within the next several years.
For example, Protiviti recently polled executives at 450 companies about RPA. In industries like manufacturing, consumer products, and energy, only 10 to 12% said they use RPA widely right now — but 25 to 30% of those same sectors also said they’ll use it widely by 2022. Among early “RPA leaders,” as the survey calls them, adoption rates by 2022 are closer to 65 or 70%.
That’s powerful technology, barreling down upon the corporate enterprise. So compliance officers have much to consider here.
RPA Within the Compliance Function
First, RPA offers a lot of promise to the compliance function itself. Corporate compliance programs involve a lot of tasks, where the information from one task becomes the input for another.
For example, RPA could connect due diligence and training systems, so that when automated due diligence identifies a high-risk third party, the training system automatically sends appropriate training materials to that third party.
Likewise, RPA technology could interface with your company’s accounting system, so that no payments go to a third party until the system confirms that due diligence is complete, or that the third party certified adherence to your code of ethics.
Automation is great, but so is the data intelligence that this particular type of automation offers. RPA generates a complete set of data on all transactions, so data analytics becomes much more thorough, accurate, and immediate. That has profound implications for how you might audit the compliance function and the level of confidence you have to develop improvements in your policy or procedure management.
All of that sounds appealing, and compliance officers should think now about how to take advantage of that RPA potential. Look at the various tasks your compliance function does and ask: which ones are repetitive and require little judgment, and so might be ripe for automation? What insights do you want to glean about policy and procedure management, or the effectiveness of certain procedures?
That brings us, however, to the other significant issue for compliance officers and RPA.
While you’re considering how to implement this new technology in your department — so is every other department in your enterprise.
RPA Risk in the Whole Enterprise
The challenge for compliance officers is that RPA will change the risk profile of your organization. Tasks that once took much time will now happen immediately. So if the RPA that other parts of the enterprise use isn’t configured wisely, the company might increase its existing compliance risks, or create new ones it didn’t have before.
For example, the Protiviti report found that IT, marketing and finance departments already use RPA far more than any other part of the enterprise. So the marketing team might start automating the collection of data on customer prospects to send them marketing materials — but if that RPA effort doesn’t include a mechanism to get parental consent for data about minors, that’s a compliance risk.
Understand that RPA automates human actions. That automation of human action can also include the automation of human error. So anyone launching an RPA project without consulting the compliance function might quickly pile up hundreds of errors (or more) before realizing the blunder.
Steps Now to Prepare for Robotic Process Automation
First, consider whether you need a policy about implementing RPA. In many ways RPA today is akin to social media technology circa 2008 or web technology in the mid-1990s: in its infancy. It’s also easy to adopt in experimental fashion, with many people not quite understanding implications around legal liability, regulatory compliance, data security, reputation risk, and more.
Ideally, your enterprise would establish a cross-functional team to review and approve RPA pilot projects, so those concerns get addressed. Spoiler alert: not enough companies do establish those cross-functional teams, which means the compliance and audit voices aren’t on them.
Protiviti found that among “RPA beginners,” 61% of firms let individual department heads approve an RPA project. Only 3% used cross-functional teams for approval. Even among RPA leaders, 34% still let department heads approve RPA projects themselves.
That is a governance risk for a technology that ultimately will affect corporate processes in ways we haven’t even imagined yet. Avoid that trap.
Good governance implies astute oversight. For an emerging technology like RPA, then, that means close collaboration among compliance, audit, and IT, so you can collectively keep a close watch on other business functions (marketing, sales, product development, procurement, HR) as they put RPA to good use.