How to Establish RPA Governance
The previous article, "How to establish an enterprise RPA strategy", starts by sharing two popular IT governance frameworks. The intro quoted below is a great summary, but feel free to skip it if you're already familiar.
"Two popular frameworks used in information technology are Controlling Objectives for Information and Related Technology (COBIT) as well as Information Technology Infrastructure Library (ITIL).
COBIT is focused on controlling enterprise IT and establishing a roadmap for where it'll go. In other words, COBIT focuses on reducing risks and establishing a strategy. ITIL is focused on continuous improvement and efficient operations; it focuses on best practices that improve outcomes for [a] business (Leinov, 2018).
You may think of ITIL as tactical and of COBIT as strategic. It’s possible your company is already using some of these libraries within specific departments (such as ITIL within IT support and COBIT within finance). Which framework, or combination of them, is used is likely already decided upon by our company.
The reality is that any framework is better than the ‘automate first, think about it later’ mentality. Simply 'winging it' will result in an RPA program running out of steam, automating the wrong processes, or being tactical at the expense of not seeing the bigger picture."
A popular framework not covered in the previous article is Capability Maturity Model Integration (aka CMMI). The Carnegie Mellon Software Engineering Institute, which was heavily involved in its creation, states the CMMI’s intent as ‘[helping] integrate traditionally separate organizational functions, set process improvement goals and priorities, provide guidance for quality processes, and provide a point of reference for appraising current processes.’
CMMI, COBIT, and ITIL all offer a means of scoring an organization’s capability maturity. What makes COBIT unique is that it makes room for the inclusion of other frameworks to meet established objectives. Whether it’s The Open Group Architecture Framework (TOGAF), CMMI, ITIL, or Six Sigma, COBIT can incorporate all of them depending on business requirements.
What is RPA governance?
From a COBIT 5 perspective, governance is important to make sure that IT delivery and maintenance processes are in line with an organization’s objectives, that external requirements (such as regulations) are met, that the organization continuously improves, and that risk is well managed.
COBIT encourages customization, so you can think of it as a ‘plug and play’ framework. Its 5 principles are as follows (Soujanya, 2019):
The principles themselves are built on seven ‘enablers’ as well, which consist of:
- Principles, Policies, and Frameworks
- Processes
- Organizational Structures
- Culture, Ethics, and Behavior
- Information
- Services, Infrastructure, Applications
- People, Skills, and Competencies
The components of COBIT span the framework itself, which categorizes IT governance objectives by IT domains, process descriptions (what's involved for each process from a generic standpoint), control objectives (how the processes ought to be controlled), management guidelines (for aligning on objectives, measuring performance, relating processes, etc.), and the maturity model that helps to address gaps between the current and desired state.
The activities that are recommended for implementing RPA governance are covered in the remainder of this article.
Establish RPA governance structures
The first order of affairs is creating a governance structure to legitimize the prioritization of governance objectives and processes. In RPA, this governance structure may already exist in the form of a Software Development steering committee, an innovation council, or another body.
If the group doesn't already exist, then leadership and the stakeholders who'd be involved in the oversight of automation should determine how best to establish it.
Automation steering committees typically report to the CIO in organizations with under two thousand employees. No matter how the steering committee is set up, there needs to be a separation between the governance group and the management group (according to COBIT best practices).
Another governance structure that's associated with RPA is a Center of Excellence, which focuses on the management as well as the proliferation of automation best practices. We discussed the RPA Center of Excellence and where it belongs in more detail in a previous article.
Define RPA governance objectives
There are a total of 40 governance objectives in COBIT broken out by 5 processes. Defining RPA governance objectives is undertaken by your RPA steering committee or leadership. The objectives picked should align to the company’s objectives and key results (OKRs) or goals (depending on what methodology is used).
The objectives that your company prioritizes also depend on the maturity of your RPA program. Objectives prioritized will establish expectations for what processes will be managed, controlled, and optimized, as well as the order that everything should follow.
Assess RPA risks and apply COBIT recommendations
Governance risk assessments are undertaken to identify what business risk stems from IT risk. This includes the use, ownership, operation, involvement, influence, and adoption of specific IT (Scherer, 2020).
In RPA, a risk could be building an automation that handles a growing volume of work that can no longer be supported by manual intervention. When such an automation fails, due to a change in the underlying logic or required applications, the work will get backlogged as there won’t be enough people to process items manually. If this work is constrained by an SLA, there could be monetary penalties or reputational damage at stake if the SLA is breached.
In other industries, such as healthcare or finance, companies are under strict regulation. If a vendor is used for developing bots, for example, a separation has to be established between the vendor’s development and the operation of bots to make sure that no confidentiality or privacy laws are broken.
A risk assessment should be conducted, based on your company’s maturity, to determine what risks are present. Those risks should be further assessed for their impact and severity, as well as how they ought to be managed.
ISACA, the certification body behind COBIT, recommends the following regarding managing IT risk (COBIT 5 for Risk — A Powerful Tool for Risk Management, 2017):
- ‘Encourage executive management to demonstrate support for the risk management program.
- Identify the key organizational structures/roles that are required to build and sustain effective and efficient risk governance and risk management in the organization. COBIT 5 for Risk helps organizations to identify such roles by providing a specific description/definition of each role and structure. This helps organizations to establish their lines of defense for risk management.
- Risk management must be embedded in the normal process and form part of the daily management practice.
- Establish a risk-aware culture among all employees at all levels.
- Identify and develop metrics to serve as key risk indicators (KRIs) to describe and track indicators of risk.’
Develop RPA governance policies and procedures
To formalize governance, policies should be written which clearly define the governance group's stance on how the automation program must be led. From a management perspective, procedures need to be documented to outline how implementation, operation, and maintenance are controlled for compliant automation delivery.
If you have the right people in your governance body, as well as the right resources in your automation center of excellence, and the objectives of the RPA program at your company have been prioritized, the hard work is done.
Regarding documenting policies and procedures, it’s best to shoot for the sky but aim for the stars, knowing that the first, second, or third iterations probably won’t be perfect. What counts is getting something down and revising it when it's no longer the best representation of how your company operates.
Monitor RPA governance and continuously improve
As the number of bots continues to grow, and with it the associated risk of bot failure, it’s important that your company is diligent about tracking performance and continuously improving.
- As the RPA program becomes a well-oiled machine, leadership should continue to monitor how governance is performing.
- In the manner that your company established governance, is it hindering or enabling the automation program?
- Are there gaps in how it is operating?
- Does the RPA governance body feel that management is adequately addressing gaps in the objectives that have been established?
- Are maintenance tasks being undertaken proactively or is there a high rate of bot downtime and enhancement development that is harming stakeholder satisfaction?
Hopefully this article has been informative and given you the pointers needed to knock RPA governance out of the park!
Footnote:
The term 'Robotic Process Automation' is used due to its popularity in the industry. Process automation is a clearer term that'll ideally replace 'RPA.'
References:
CMMI Institute - Home. (2019, June 21). https://cmmiinstitute.com
COBIT 5 for Risk—A Powerful Tool for Risk Management. (2017, July 5). ISACA. https://www.isaca.org/resources/news-and-trends/industry-news/2017/cobit-5-for-riska-powerful-tool-for-risk-management
Scherer, T. (2020, March 17). How is COBIT Related to Risk Management? https://reciprocity.com/how-is-cobit-related-to-risk-management/
Soujanya. (2019, March 14). What is COBIT Framework - COBIT Principles? Mindmajix. https://mindmajix.com/cobit-framework