Other parts of this series:
In our initial blogs we theorized that Intelligent Automation (IA) and, specifically Cognitive Artificial Intelligence (AI), would be essential in Governance, Risk Management and Compliance (GRC) programs to seek long term success and sustainability. Before this can occur, the areas in which IA is applied and the specific technologies that are used to implement IA are important factors that need to be considered. Choosing and prioritizing the right use cases or activities to automate is typically a complex, organization-specific endeavor that is driven by several parameters with “value to the business” at the enterprise, line of business, or functional level often being the ultimate factor.
Key underlying considerations consist of level of experience and maturity, both with respect to the processes that are targeted for automation as well as the use of advanced technologies that are typically used for implementing automation. To help assess the potential value of IA to the business, an organization should first take stock of pain points and challenges within their core business processes that need to be solved and attempt to quantify the impact that each is having on the business in terms of cost or other meaningful metrics. This exercise would allow for selecting or “mapping” appropriate technologies and capabilities that are available to automate or solve specific pain points and therefore help quantify the benefits that could be realized when IA is successfully implemented.
Automation Journey Stages
When implementing intelligent automation, it is essential to develop rudimentary capabilities before moving to more complex and advanced technologies. Start with use cases that will provide quick wins and build confidence. While having a vision or strategy for application and use of advanced technologies can serve as a guardrail, it is arguably more important for organizations to determine how prepared they are for transformation. A successful journey entails a natural progression from foundational capabilities to advanced technologies. There are typically 4 phases of progression that we observe with respect to automation – foundational capability, individual automation, industrialized automation, and intelligent automation – with each phase being characterized by use of more advanced technical capabilities and level of experience.
Foundational capability is the starting point for any journey and for a GRC program. We define this as a baseline, un-optimized GRC platform or solution.
Individual automation, or point automation, is marked by use of individual tools and script-based automation to reduce manual effort and increase individual or task level productivity.
Industrialized automation typically follows the individual or point automation stage with experience and confidence often being gained, emboldening organizations to further scale and “industrialize” their automation efforts. In this stage organizations may use Robotic Process Automation (RPA) and rule-based scripts and programs to streamline and improve GRC processes using a standardized set of tools and technologies. Advanced analytics and reporting may also be implemented to enable data-driven decision making and pattern-driven predictions and recommendations. In a GRC program such capabilities could be used to recommend risk ratings or new controls that may be relevant for a process based on similarity to existing data.
The final stage is intelligent automation, which builds further upon RPA, and is characterized by use of advanced artificial intelligence that simulates human thinking and can self-learn without intervention. Natural Language Processing (NLP), Natural Language Generation (NLG) and Machine Learning (ML) and Artificial Intelligence (AI) are used in various models to assist with predictive analytics, data or pattern driven decision making, and pattern-driven predictions and recommendations. It is also in this stage of IA that Cognitive AI is used. Cognitive AI models typically have ability to absorb and process large volumes of data and information, self-teach, and acquire knowledge. Whereas typical AI and ML models may look to mimic human thinking and reach decisions on a user’s behalf, Cognitive AI models may act in more of a supportive role, presenting a series of options or a suggested decision based on simulated human logic and analysis of data and other parameters but still leaving the final decision making in the hands of a human. We will take a closer look at Cognitive AI in a future blog, but for the moment Cognitive AI can be thought of among the most advanced IA capability.
When implementing intelligent automation, it is essential to develop rudimentary capabilities before moving to more complex and advanced technologies. Start with use cases that would provide quick wins and build confidence.
While embarking on the GRC transformation journey may seem daunting at first, an assessment of the organization’s current GRC capability maturity will aid it to define its vision and either commence or continue more diligently on its journey. As an outcome, an organization can evolve from establishing a contained, programmed, and controlled GRC environment to a self-learning, autonomous and unbounded environment, thereby delivering strategic benefits over tactical advantages.
Adhering to key guiding principles may setup an organization for success in this transformation journey. While identifying the most critical business challenges and corresponding use cases could help an organization to move in the right direction, mapping these challenges to the most appropriate technology solutions would aid in realizing actual benefits of technology advancements. Sometimes one may also need to prepare a business case to generate awareness and interest, thereby, securing buy-ins from key business stakeholders. The technology advancements will need to be aligned to business strategy, organization’s risk appetite and evolving regulatory requirements.
Intelligent Automation in GRC
Intelligent automation provides value across the risk management cycle. Multiple processes exist from the risk identification and prediction stage to risk prioritization, risk mitigation and risk profile creation stage. Enhancing a few of these processes can help organizations translate guiding principles into ground action.
Within risk identification, while data gathering and input consolidation could be automated leveraging Robotics Process Automation (RPA), risk recommendation and regulatory change scanning to gauge real-time changes and understand organizational impact could be enabled using predictive analytics (PA) or machine learning (ML). Once the risks have been identified, PA can help ascertain loss events or incidents and support a management dashboard for active risks monitoring under the stage risk prioritization.
At the next stage of risk mitigation, while RPA continues to support data gathering and input consolidation activities, when combined with PA and NLP, it can provide automated control recommendations and support control execution and testing activities. Once the risk & control environments are assessed and the issue activities are up to date, creation of a risk profile is required for holistic management assessment. This can be automated by leveraging PA/ML for automated risk rating recommendations and creating dashboard indicators for continuous risk monitoring.
Spotlight Use Case: Reg Change Management
Based on our industry experience, we would like to deep dive upon and present to you a revolutionary use case- cognitive technology in regulatory change management. It is difficult, but paramount, for organizations to understand their regulatory obligations that could come from hundreds of global, regional, and local mandates. With a constantly evolving regulatory landscape, most organizations are facing challenges in dedicating sufficient time and finding skilled resources to:
- ensure compliance with thousands of regulatory obligations,
- support frequent audits and regulatory reviews to avoid the negative impacts of non-compliance such as fines, reputational losses, and
- maintain a seamless management reporting on a continuous basis.
Even if organizations can invest resources and time, they incur significant costs just ensuring compliance, let alone, gathering actionable insights for the benefit of the organization.
Cognitive GRC can help organizations to understand the impact of regulatory changes on their existing processes, systems, policies, and controls. It can act as an accelerator to help identify gaps or redundancies in control coverage to regulatory obligations or map existing controls to obligations or even break down a new mandate into granular, digestible and adherable obligations. These functionalities can help organizations to prioritize requirements, involve the right stakeholders and address gaps or issues in a focused manner, thereby reducing costs and time considerably and increasing confidence in their existing risk and control environment.
Let us provide an example – as an investment advisory firm, you are required to comply with the Securities and Exchange Commission’s ‘first time ever’ proposed rules on cyber security, including an obligation to enact written policies and to report cyber breaches to both clients and regulators. In the absence of advanced technology solutions this could mean spending multiple days or even weeks of subject matter experts’ valuable time to interpret the rules and evaluate the existing controls and polices before the organization undertakes strengthening the policy and controls environment. With cognitive GRC technology in place, the regulatory interpretation and impact and gap assessment across policies, controls, and stakeholders could be just a matter of few hours. Based on the insights available, the organization can get a clear picture of its current state and prepare a tactical and strategic remediation plan to adhere to regulatory requirements. Quick data insights and reporting metrics would help senior management to respond to audit or regulator requests in an expedited timeframe and remove internal roadblocks related to people, processes or technology and continue its path to risk & regulatory compliance maturity.
The adoption of cognitive technologies is a powerful way of mapping and tracking data that can help organizations to gain contextual and useful intelligence that drives robust security, adaptable compliance, and a future with increased growth and sustainable success. Successful implementation of Intelligent Automation technologies may require an understanding of critical success such as availability of mature and detailed data, well defined processes, upskilled workforce, and a progressive maturity with a clear vision.
In this blog, we illustrated use cases and provided guiding principles and recommendations on embedding intelligent automation, specifically Cognitive technologies in GRC processes with a spotlight on regulatory change. In the next blog, we will explore the value proposition of introducing cognitive technology into compliance mapping to enhance scalability and sustainability.
Venky Yerrapotu – Founder and CEO, 4CRisk.ai
Venky is the founder and CEO of 4CRisk, an advanced AI and predictive analytics software company digitally connecting a firms regulatory, business, and external risk environments thus improving the efficiency, effectiveness, and agility of the organization. Venky is a hands-on leader with over 20 years of experience in building high performance GRC technology platforms and more importantly onboarding hundreds of customers onto the platforms.
Elizabeth Abraham – VP, Customer and Partner Success, 4CRisk.ai
Elizabeth’s leadership approach uses a multi-faceted perspective connecting industry, functional, and technology implementation expertise. With 25+ year experience in the governance, risk, and compliance space, Elizabeth has experienced the complex and dynamically changing environment from numerous perspectives. Working as a practitioner and advisor to numerous large established as well as high-growth start-up companies, she converges strategic thinking with an operational mindset to ensure successful customer and partner initiatives.