Risk Management For and By the BOT | Secured BOT Series | 2018
Contents
Risk Management For and By the BOT
Setting context for RPA Risk Management
Deloitte's Risk Framework For RPA
Risk Management For the BOT
Risk Management By the BOT
How can we help?
Contacts
Risk Management For and By the BOT
Robots have become a reality sooner than most of us thought. In their current avatar, robots are making your business more responsive, cost-effective, compliant and efficient. Many of us already see these digital clicks happening around us. We are entering an era where BOTs do intelligent work and build efficiencies.
While technology makes our lives more efficient, it also opens new risks to the business environment. A typical Robotic Process Automation (RPA) system design provisions interconnections between multiple systems, and hence also has an impact on the underlying system control environment.
Let's examine its relevance to business environments.
• Opportunity: Can you make your digital platforms more secure and compliant through RPA?
• Threat: How secure is your RPA environment from internal and external threats?
It is essential for an organization to build a secure BOT strategy when it moves from a POC to a production environment.
Setting context for RPA Risk Management
RPA offers a broader spectrum of internal and external application integration, and may lead to increased cyber threats.
Automating a process through RPA without embedding or aligning the control design may lead to manual overrides or unauthorized changes that often go undetected.
Typical risks in an RPA environment
RPA brings its own inherent risks as well as those that result from the business environment it automates.
• A generic BOT ID often poses a risk of non-compliance with software licenses due to potential indirect usage.
• Due to the high processing capability of BOTs, a delayed response to a cyber incident may lead to inappropriate processing of high-volume or high-value transactions.
• BOTs store credentials for multiple applications and are often empowered with extensive access. Unauthorized access to and use of BOT credentials may lead to data, security, privacy and fraud risks.
• BOTs are often not built for intent identification, hence detection of a security breach may be a challenge.
Deloitte's Risk Framework for RPA
[Figure: business risk dimensions (Strategic, Technology, Financial, Operational, Regulatory) mapped against RPA-specific risk considerations in the domains listed below.]
Incident Management and Business Continuity
• Alignment with organizational business continuity strategy and priorities
• Crisis mitigation planning
• Business continuity during process outages
• Disaster Recovery Strategy implementation planning
Cyber Security
• Server security configurations
• Network vulnerabilities
• Logical security controls
• Penetration testing
• Code reviews
Data leakage and Privacy
• Ensuring protection of data across the RPA ecosystem
• Consent record and validity
• Private data identification
• Cross-border data transfers
License Compliance
• Current software license contracts lack clarity on allowing BOT access to target applications
• Penalties due to non-compliance – indirect usage
Regulatory Compliance
• Regulatory compliance reporting requirements
• Mandatory controls/validation in solution
• Document/change management controls
• Data lineage and traceability
Identity and access management
• Access security strategy for and by the BOT
• Segregation of Duties and sensitive access
• BOT IAM risks and measures
Secured Business process
• Weaker process/SOX controls
• Possible manual override on BOT automation
• Weak change management process for BOT configurations
A secure and compliant BOT environment requires effective management and monitoring of the key risk domains. Depending on their relevance, each of these domains helps strengthen security and controls in your RPA environment.
Risk Management For the BOT
A holistic risk validation of the RPA is conducted from the perspective of all key domains of RPA risk. Deloitte's Secured RPA implementation and advisory services encompass a wide range of process and compliance needs.
Our Secured RPA implementation and advisory services are designed to help you at the various stages of RPA implementation. They give you a comprehensive view of your RPA risks, the maturity of the risk management methods adopted, and the desired state.
Typical value delivered includes:
• Independent and comprehensive BOT risk assessment
• Adoption of leading practices for a secure and compliant BOT
• Assessment of the current RPA risk maturity level and the desired state
Implementation Advisory
• BOT Security Architecture – strategy, design and review
• Identity and access management
• Pre/post go-live risk assessment
• Business Continuity review
• Process standardization and mapping
• Program governance and strategy
Secured BOT Assurance
• Process and access control design and implementation
• Functional and non-functional testing
• Vulnerability management
• Secure code reviews
• Interface/API security
• Vulnerability assessment
Risk Management / Industry Solution
• Compliance enablers (SoX, JSOX, FRC, IFC, IRDA, TRAI, GST, ISO27001, PCI DSS etc.)
• Business risk
• Internal controls monitoring
• Periodic risk assessment
• Application license compliance
• Industry solutions
• CSA Framework
Managed Services
• Governance strategy
• Center of Excellence – managed cyber security operations center
• Incident management and response
• Change management validation
• IT process automation
• Standard Operating Procedures
• Controls automation
RPA Risk Maturity Benchmarking (Illustrative)
Maturity levels: Initial, Developing, Defined, Managed, Optimized
Domains assessed:
• Cyber Security
• Data leakage and Privacy
• License Compliance
• Incident Management and Business Continuity
• Regulatory Compliance
• Identity and Access management
• Secured Business process
• Business Case Evaluation
Legend: # Current Maturity; Target Maturity level
[Chart: current and target maturity level plotted for each domain across the five levels.]
Risk Management By the BOT
Industries today face a large number of internal and external compliance requirements. With regulators adopting technology, demand for timely and granular compliance is common. RPA provides a unique value proposition for many such requirements. A carefully designed RPA can improve the accuracy of records and response times. In addition, with 100% review of records, compliance monitoring through RPA improves the quality of reviews and enhances stakeholder confidence.
An illustrative view of RPA-amenable risk management use cases is given below.
IT Process Automation
• Periodic Risk Assessment
• Compliance reporting (SoX, ICFR, IRDA, TRAI, GST, ISO27001, PCI DSS etc.)
• System Change Management
• Master Data Management
Banking
• Regulatory Reporting
• Trade Surveillance
• Credit Monitoring
• Collateral Management
Energy & Resources
• Meter reading Management
• Billing and Invoicing
• CHP/OEM contract compliance monitoring
• Emission norms monitoring
• Maintenance schedule monitoring
Life Sciences & Health Care
• Computer System Validations, such as application analysis and change management review
Consumer & Industrial Products
• Regulatory compliance for material movement
• Declaration of stocks and manufacturing plans to regulators
How can we help?
Our RPA methodology is designed to help you throughout the RPA journey. Our team of risk and technology experts helps you automate compliance as well as secure your RPA environment.
Design
It's all in the design. We bring our experience in enabling compliance across industries to help you choose the right candidates and design to-be processes: maximum risk mitigation with optimal effort.
Deploy
Embedded controls are the best way to manage risk in any technology implementation. Our combined teams of technology and risk experts help implement a secure RPA environment.
Maintain
With ever-evolving risks and threats to technology environments, our experts help you prevent, detect and manage risks and threats to your RPA environment.
Making your RPA environment secured and compliant; leveraging RPA for a secured and compliant technology environment
01 Secured BOT Assurance for RPA implementation
02 Secured BOT Assurance for RPA products
03 RPA Risk Maturity Assessments
04 BOT Identity and Access Management
05 Managed Cyber security operations center – Center of Excellence
06 Incident management and response
[Figure: RPA lifecycle – Define (Organizational Strategy and Roadmap), Deliver (Implementation, Project management), Maintain (Operations and Maintenance), supported by Governance and Change Management.]
Contacts
Rohit Mahajan, Partner | Leader, Risk Advisory, E-mail: [email protected]
Anthony Crasto, Partner, Risk Advisory, E-mail: [email protected]
Shree Parthasarathy, Partner, Risk Advisory, E-mail: [email protected]
Senthilvel Kaliyamurthy, Partner, Risk Advisory, E-mail: [email protected]
Abhay Gupte, Partner, Risk Advisory, E-mail: [email protected]
Ashish Sharma, Partner, Risk Advisory, E-mail: [email protected]
Prasad Godbole, Senior Manager, Risk Advisory, E-mail: [email protected]
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients. Please see www.deloitte.com/about for a more detailed description of DTTL and its member firms.
This material has been prepared by Deloitte Touche Tohmatsu India LLP (“DTTILLP”), a member of Deloitte Touche Tohmatsu Limited, on a specific request from you and contains proprietary and confidential information. This material may contain information sourced from publicly available information or other third party sources. DTTILLP does not independently verify any such sources and is not responsible for any loss whatsoever caused due to reliance placed on information sourced from such sources. The information contained in this material is intended solely for you. Any disclosure, copying or further distribution of this material or its contents is strictly prohibited.
Nothing in this material creates any contractual relationship between DTTILLP and you. Any mutually binding legal obligations or rights may only be created between you and DTTILLP upon execution of a legally binding contract. By using this material and any information contained in it, the user accepts this entire notice and terms of use.
©2018 Deloitte Touche Tohmatsu India LLP. Member of Deloitte Touche Tohmatsu Limited
Deloitte Touche Tohmatsu India Private Limited (U74140MH1995PTC093339), a private company limited by shares, was converted into Deloitte Touche Tohmatsu India LLP, a limited liability partnership (LLP Identification No. AAE-8458), with effect from October 1, 2015.