Balancing Automation with Third Party Risk

Before taking on any new process automation or software, it’s important to consider the third party risk associated with the new approach.

Current market pressures and constrained resources, especially people resources, combined with the need for decreased processing and response times demand that organizations look to automation for improved efficiency. But, organizations need to take into consideration the business needs and risks associated with increased automation. The following four areas are a good place to start the analysis and assessment of process automation at your organization.

1. Define your digital strategy and identify where you can leverage automation.

Rather than identifying automation tools or services and then determining which processes you can migrate, take the opposite approach. Take an inventory of your processes and make sure you understand the criticality of each one (leverage your most recent Business Impact Analysis for a list of processes). Is the process well documented and understood?  What applications and data flows are used in the process? Do dependent processes exist, and what are the upstream and downstream data needs? What types of data are included in the processes? Consider PII (Personal Identifiable Information), PCI (Payment Card Industry – credit card information), or company proprietary data.

As you prioritize the processes, the best place to start may be with those processes that are less critical, allowing the organization to learn and become more comfortable and efficient in implementing and supporting automation.

2. Understand the risks associated with automation across your organization.

Here are a few of questions to ask as you evaluate the risks:

• What are the security needs and risks?
• What are the restart and error handling procedures?
• Are there training and maintenance needs?
• What are the internal and external network requirements?
• Is any additional insurance necessary to protect the organization from losses due to the automation?
• What is the availability of the service? Does the service have historical reliability?
• What is the service’s business continuity plan and strategy? Does it meet your requirements?
• If using an internal solution, what are the business continuity needs and requirements?

3. Review your service provider’s agreements prior to adopting automation.

If you are using a third-party service to manage an internal solution or Software as a Service solution, make sure to thoroughly review any agreement prior to making your decision. Ensure that any service level agreement meets your business requirements. Understand the level, type and availability of support. What is included in the fee, and what involves an additional cost? What is the development and change management process? You do not want the service provider to make changes during critical processing times. Ensure that a business continuity plan is in place and is exercised.

4. Determine overlap between automation initiatives across the organization.

A potential organizational risk is incompatibility or complex integration between automated solutions. Ensure that there is appropriate coordination, and minimize the number of solutions. Often there is no need for multiple solutions, as a subset of an existing service may meet most of needs across the organization. If you use the above steps, you can make an objective decision and provide the best solution, though this will not necessarily mean every requirement is met. The more tools, the more complex the environment. Increased complexity in an environment can decrease the overall effectiveness of a solution.

Do your homework; understand the risks and business requirements in order to identify and implement the best solution to fit your needs. If you deploy automated services correctly, they can have a positive impact on an organization’s bottom line. If you effectively measure, assess and manage these third party risks, it can make a huge difference for your business. Don’t go for bright shiny automation without a look at how it affects your organization’s risk profile and appetite. Sometimes manual processes or semi-automated processes can be an appropriate solution. Lastly, don’t allow automation to be a solution looking for a problem, but ensure there is a real problem or opportunity where automation is a solution.