
IA Risk Management Framework

Table of Contents

1 Intelligent Automation Risk and Control Framework
2 Building a governance model at the entity level – Key considerations
3 IA Ecosystem
4 IA Risk Management Life Cycle
5 Three Lines of Defence
6 IA Risk and Control Considerations
7 Control Framework for Intelligent Automation
8 Risk Management Roles
Intelligent Automation Risk & Control Framework

Key points:

• Enterprise governance comprises strategy, standards, and policy in order to drive consistency and scalability across all lines of business.
• Integration functions verify that automation programs are considered in the broader scope of enterprise change and that maintenance is coordinated across releases.
• Centralized people functions encourage teaming and collaboration and create fungibility in the IA resources.
• Other shared functions lower the overall cost to operate and will be shared across lines of business.

Building a governance model at the entity level – Key considerations

Intelligent Automation impact goes beyond just deployments. Other things to consider and address support a sustainable Intelligent Automation strategy and governance model to achieve sustainable benefits. The slide arranges these under an execution layer, a performance measurement layer and a resource layer, across six areas: Policy, Process, Organization, Data, People and Technology.

Policy
► Establish global Intelligent Automation policies and governance framework to support risk management
► Review control frameworks to verify documentation and testing appropriate for Intelligent Automation

Process
► Develop and deliver Intelligent Automation optimized end to end processes to maximize benefits
► Develop new Intelligent Automation frameworks for performance measurement and continuous improvement program
► Develop Intelligent Automation Enterprise Committee

Organization
► Structure the organization to consider new Intelligent Automation roles to support the business
► Define appropriate local, regional, global structures including shared services and outsourcing

Data
► Define a set of consistent global data standards and common chart of accounts, then deploy utilizing Intelligent Automation with existing systems until future system deployment projects
► Implement Intelligent Automation single source of data

People
► Build new competency models considering Robot/Human interactions
► Develop career ladders and job roles for Intelligent Automation enabled teams for new skill needs
► Adjust talent strategy to new competency models

Technology
► Define Intelligent Automation systems and tools strategy to support cross functional use in front, middle and back office
► Integrate Intelligent Automation systems with pertinent security and control mechanisms
► Successful programs typically benefit from a constellation of tools
► Consider impacts on existing software contracts and future system implementations

Intelligent Automation Ecosystem

Enterprise Committee

Governance
► Policies and Standards
► Roles, Responsibilities and Structure
► Risk Management

Value Measurement
► Program Progress Measurement
► Operational and Performance Metrics
► Benefits Measurement and Reporting

Process Excellence
► Methodology and Design Authority
► Development, Deployment and Operations
► Asset Management

Alignment and Change
► Stakeholder Management
► Skills Development – learning path
► Organization Change Mgmt.
► Communication

Technology
► Vendor Management
► Architecture & Infrastructure
► Network Management
► IT Processes

Integration
► Business Process Mgmt.
► Risk & Controls
► Security

Key points: the same four points as for the Intelligent Automation Risk & Control Framework (enterprise governance, integration functions, centralized people functions, shared functions).

Lines of Business (LOB)

Governance
► Program Strategy, Steer and Management
► Roles, Responsibilities and Structure
► Risk & Controls

Operations
► Prioritization and Decisioning Framework
► Development and Deployment

Integration
► Change Management
► Communication

Key points:
► LOBs dictate prioritization and decisioning for individual needs.
► LOBs control local development and deployment projects.
► A lightweight governance and integration layer is needed to integrate with the enterprise CoE.
IA Risk Management Lifecycle

The lifecycle has four stages: Identify, Assess, Control, and Monitor & Report.

Identify
• Identify business processes that are automated and based on IA.
• The identification of IA risks should include risks associated with the adoption of specific IA use cases as well as risks that are introduced across the organisation through the adoption of IA more generally.
• Involves monitoring the internal and external operating and regulatory environment.
• Beyond identifying risks arising from IA solutions, it is equally important to think about the broader organisational impact and what it means for the human capital of an organisation in the short and longer term.

Assess
• Assess the likelihood (or frequency) of the risk occurring.
• Estimate the potential impact if the risk were to occur. Consider both quantitative and qualitative costs.
• Determine how the risk should be managed; decide what actions are necessary.
• Process of comparing the estimated risk against the given risk criteria to determine the significance or acceptability of the risk.

Control
• Dynamic process to evaluate potential risks. Also implements proactive changes to reduce risk to match the risk appetite.
• Determination of the risk treatment steps to reduce the risk and enhance the security posture, which includes:
  - removing a source or cause of the risk
  - sharing the risk with other parties
  - retaining the risk by informed decision
  - changing the likelihood and/or consequence of the risk through modifying controls in place

Monitor & Report
• Monitoring and review can be both periodic and based upon trigger events or changing circumstances.
• Risk needs to be monitored for effectiveness, accuracy and adequacy by:
  - detecting changes in the environment
  - identifying emerging risks
  - ensuring the continued effectiveness and relevance of controls and the implementation of treatment programs
  - obtaining information to improve the understanding and management of already identified risks and maintaining the risk level
  - analysing and learning lessons from events, including near-misses, successes and failures

Three lines of defence of IA Risk and Control Framework

The Three Lines of Defense Model verifies there is segregation between risk ownership (First Line), risk oversight/challenge (Second Line) and independent assurance (Third Line). As organizations move through their IA strategy, to defining, implementing and enabling Robotic sessions across their organization, they must remain considerate of the unique implications to each line.

The model diagram labels two objectives: develop and implement the IA strategy, and ensure that the IA program is managed within the agreed risk appetite.

Impact on the 1st Line of Defence
Top issues you need to think about

1st Line – responsible for owning and managing risks in the Intelligent Automation program

1 Have clarity on where ‘hand over’ of responsibilities from Center of Excellence (CoE) to line management occurs (for Intelligent Automation implementation).
2 Understand the potential risks that exist both ‘upstream’ and ‘downstream’ of those processes directly in scope for Intelligent Automation.
3 Provide education and awareness to staff of Intelligent Automation benefits, the likely impact on Business As Usual (BAU), and the effect on risk & control culture.
4 Verify the design and intended operation of new/updated controls are sufficient to evidence appropriate management of key business risks.
5 Document the new way of working (e.g., process maps, key control statements, RACI).
6 Assess operational effectiveness of controls in a BAU environment. Provide feedback (to CoE) regarding potential further changes.

Impact on the 2nd Line of Defence
Top issues you need to think about

2nd Line – provides objective oversight of the management of risks by the business

1 Assess whether the aggregated risk profile of IA-enabled processes aligns with business risk appetite.
2 Understand the potential regulatory implications and impact on governance arrangements (including, for example, GDPR, SIMR).
3 Monitor adherence of the business to risk framework policies and procedures in the new, automated process.
4 Determine what risks have been mitigated or have emerged by the implementation of robotic instructions.
5 Investigate/escalate breaches of risk appetite and monitor remediation.
6 Evolve skills, capabilities and techniques required to provide ongoing oversight and challenge in a more automated environment.

Impact on the 3rd Line of Defence
Top issues you need to think about

3rd Line – responsible for independently assessing the effectiveness of design and operation of the risk governance framework

1 Early involvement in understanding the opportunities and risks Intelligent Automation poses for the organisation.
2 Initial health check on how the organisation is setting up for Intelligent Automation deployment success.
3 Focus on aspects both ‘above and below’ the pure Intelligent Automation life cycle (e.g., governance, people, 3rd parties).
4 Consider a mix of thematic reviews and deeper dives.
5 Internal Audit’s (IA) activity should fit within an overall organisational ‘assurance map’.
6 Verify access to appropriate technical skills and capabilities to provide necessary assurance.

Intelligent Automation Risk and Control Considerations
Top risks and related control activities

The slide lists six IA risk management domains (Governance, Value measurement, Processes, Alignment and change, Technology, Enterprise integration), each with a top domain risk and an illustrative control for that risk.

Domain: Governance
Top domain risk: Lack of IA governance can lead to ineffective and inefficient process automation and an inability to support and meet business requirements.
Illustrative control: IA governance framework is defined and maintained, including leadership, processes, roles, responsibilities, information requirements and organizational structure, to verify support is aligned to business objectives.

Domain: Value measurement
Top domain risk: IA access management is ineffectively managed, leading to the compromise of systems, applications and their associated data.
Illustrative control: IA access control is managed, and proper authentication methods are implemented and consistently enforced to prevent unauthorized access.

Domain: Processes
Top domain risk: Process automation requirements are not appropriately or accurately identified and documented, leading to IA developments that do not meet business needs or support the business/IT strategy, resulting in a negative impact on business processes and financials.
Illustrative control: IA change and development requirements are clearly and concisely documented and mapped to business needs to verify that the changes agree with the business strategy.

Domain: Alignment and change
Top domain risk: IA implementations are not appropriately designed and tested, leading to requirements not being met or a negative impact on production systems, resulting in a negative impact on the business and financial losses.
Illustrative control: Implementation, testing, and support requirements are developed and communicated to both business and IT stakeholders.

Domain: Technology
Top domain risk: Automation problems are not timely identified and managed, which can delay their resolution and negatively impact business processes.
Illustrative control: Automation problems and errors are evaluated, corrected, tracked and communicated in a timely manner through resolution.

Domain: Enterprise integration
Top domain risk: Risks are not effectively mitigated for IA vendor relationships and outsourced services, leading to financial and reputation exposure.
Illustrative control: Due diligence is performed over IA vendors to evaluate the risk of the vendor at the onset of the relationship and on a periodic basis.

Control Framework for Intelligent Automation

The framework diagram places the IA program within its risk environment and groups controls under Regulatory, Cyber, Tech risk, TPRM (third-party risk management), Operations and Program management. The controls listed on the diagram are:

► Compliance requirements
► IAM
► Privacy, data security
► Bot controls
► RACM, ITGC, policy and procedure maintenance
► Coordination across lines of defense
► Controls baselining, testing, reporting
► Secure configuration
► Development standards
► Threat modeling and vulnerability management
► Secure data management
► Privileged access
► Infrastructure (cloud), software security scans
► Vulnerability assessment
► SDLC
► Control performance, assurance
► Technology enablement
► Enterprise architecture, integration
► Technical change management
► Application access and authorizations
► Event management
► Business resilience (DR)
► Change management, bot maintenance
► Vendor risk management
► Risk management
► Intelligent Automation strategy, enterprise standards
► Steering Committee
► Process taxonomy, prioritization
► ROI, value measurement, reporting
► Workforce management
► KPI, KRI, value benefit analytics
► Business alignment and organizational change management
► IA asset management
Risk Management Roles

It is important to establish a senior management level committee to provide oversight of the implementation of the RMF; this committee will help delineate the roles and responsibilities within the framework.

Board of directors & CEO
• Ultimate accountability for all risks.
• Risk management practices must be discussed periodically, and risk management related policies must be reviewed and approved.

Senior management
• Design, implement and maintain an effective framework.
• Develop policies and procedures, establish and monitor the risk appetite, and report regularly to the board of directors.
• Promote a risk-aware culture.

Business units
• Identify, assess, measure, monitor, control, and report risks to senior management.
• Manage relevant risks within the framework established by senior management.
• Ensure compliance with policies and procedures.

Support functions
• Provide support to business units in developing and enforcing policies and procedures.

Internal Audit and Compliance
• Monitor and provide independent assurance of the effectiveness of the framework.

Risk management
• Coordinate the establishment of the framework and provide risk management expertise.