IA AI ML Risk Management Framework - v2.0
Table of Contents
1 Intelligent Automation Risk and Control Framework
3 IA Ecosystem
8 Risk Management Roles
Intelligent Automation Risk & Control Framework
Key points:
Page 3
Building a governance model at the entity level – Key considerations
Intelligent Automation impact goes beyond just deployments. Other things to consider and address support a sustainable Intelligent Automation strategy and governance model to achieve sustainable benefits. The model has four pillars: Policy, Process, Organization and Performance measurement.

Policy
► Establish global Intelligent Automation policies and governance framework to support risk management
► Review control frameworks to verify documentation and testing for Intelligent Automation

Process
► Develop and deliver Intelligent Automation optimized end to end processes to maximize benefits
► Develop new Intelligent Automation frameworks for appropriate performance measurement
► Develop Intelligent Automation Enterprise Committee and continuous improvement program

Organization
► Structure the organization to consider new Intelligent Automation and common chart of accounts, then deploy utilizing Intelligent Automation with existing systems until future system deployment projects
► Implement Intelligent Automation single source of data
► Build new competency models considering Robot/Human interactions
► Develop career ladders and job roles for Intelligent Automation enabled teams for new skill needs
► Adjust talent strategy to new competency models

Performance measurement
► Successful programs typically benefit from a constellation of tools
► Consider impacts on existing software contracts and future system implementation projects
Page 4
Intelligent Automation Ecosystem
Key points:
Lines of Business (LOB)
► LOBs dictate prioritization and decisioning for individual needs.
► LOBs control local development and deployment projects.
► A lightweight governance and integration layer is needed to integrate with the enterprise CoE.

Governance
► Program Strategy, Steer and Management
► Roles, Responsibilities and Structure
► Risk & Controls

Operations
► Prioritization and Decisioning Framework
► Development and Deployment

Integration
► Change Management
► Communication
Page 5
IA Risk Management Lifecycle

Identify
• Identify business processes that are automated and based on IA.
• The identification of IA risks should include risks associated with the adoption of specific IA use cases as well as risks that are introduced across the organisation through the adoption of IA more generally.
• Involves monitoring the internal and external operating and regulatory environment.
• When identifying risks arising from IA solutions, it is equally important to think about the broader organisational impact and what it means for the human capital of an organisation in the short and longer term.

Analyse and evaluate
• Assess the likelihood (or frequency) of the risk occurring.
• Estimate the potential impact if the risk were to occur. Consider both quantitative and qualitative costs.
• Determine how the risk should be managed; decide what actions are necessary.
• Compare the estimated risk against the given risk criteria to determine the significance or acceptability of the risk.

Treat
• Dynamic process to evaluate potential risks. Also implements proactive changes to reduce risk to match the risk appetite.
• Determination of the risk treatment steps to reduce the risk and enhance the security posture, which includes:
  • Removing a source or cause of the risk
  • Changing the likelihood and/or consequence of the risk through modifying the controls in place
  • Sharing the risk with other parties
  • Retaining the risk by informed decision

Monitor and review
• Monitoring and review can be both periodic and based upon trigger events or changing circumstances.
• Risk needs to be monitored for effectiveness, accuracy and adequacy by:
  • detecting changes in the environment
  • identifying emerging risks
  • ensuring the continued effectiveness and relevance of controls and the implementation of treatment programs
  • obtaining information to improve the understanding and management of already identified risks and maintaining the risk level
  • analysing and learning lessons from events, including near-misses, successes and failures
Page 6
Three lines of defence of IA Risk and Control Framework
Page 7
Impact on the 1st Line of Defence
Top issues you need to think about
1st Line – responsible for owning and managing risks in the Intelligent Automation program
► Have clarity on where ‘hand over’ of
► Verify the design and intended operation of
Page 8
Impact on the 2nd Line of Defence
Top issues you need to think about
2nd Line – provides objective oversight of the management of risks by the business
1 Assess whether the aggregated risk profile of IA-enabled processes aligns with business risk appetite.
3 Monitor adherence of the business to risk framework policies and procedures in the new, automated process.
4 Determine what risks have been mitigated or have emerged by the implementation of robotic instructions.
6 Evolve skills, capabilities and techniques required to provide ongoing oversight and challenge in a more automated environment.
Page 9
Impact on the 3rd Line of Defence
Top issues you need to think about
3rd Line – responsible for independently assessing the effectiveness of design and operation of the risk governance framework
2 Initial health check on how the organisation is setting up for Intelligent Automation deployment success.
3 Focus on aspects both ‘above and below’ the pure Intelligent Automation life cycle (e.g., governance, people, 3rd parties).
5 Internal Audit’s (IA) activity should fit within an overall organisational ‘assurance map’.
6 Verify access to appropriate technical skills and capabilities to provide necessary assurance.
Page 10
Intelligent Automation Risk and Control Considerations
Top risks and related control activities
| IA risk management domains | Top domain risks | Illustrative controls for top risks |
| --- | --- | --- |
| | IA access management is ineffectively managed, leading to the compromise of systems, applications and their associated data. | IA access control is managed, and proper authentication methods are implemented and consistently enforced to prevent unauthorized access. |
| Value measurement | | |
| Processes | Process automation requirements are not appropriately or accurately identified and documented, leading to IA developments that do not meet business needs or support the business/IT strategy, resulting in a negative impact on business processes and financials. | IA change and development requirements are clearly and concisely documented and mapped to business needs to verify that the changes agree with the business strategy. |
| Technology | Automation problems are not timely identified and managed, which can delay their resolution and negatively impact business processes. | Automation problems and errors are evaluated, corrected, tracked and communicated in a timely manner through resolution. |
Page 11
Control Framework for Intelligent Automation
Risk Environment
► Vendor risk management
► Infrastructure (cloud), software security scans
► Vulnerability assessment
► SDLC
► Risk management
► Event management
► Business resilience (DR)
► Change management, bot maintenance
► Workforce management
► KPI, KRI, value benefit analytics
► IA asset management
► Steering Committee
► Process taxonomy, prioritization
► ROI, value measurement, reporting
► Business alignment and organizational change management
Page 12
Risk Management Roles
It is important to establish a senior management level committee to provide oversight of the implementation of the RMF; this committee will
help delineate the roles and responsibilities within the framework.