Make Key Risk Indicators great again with RPA

The purpose of this post is certainly not to provide guidance or recommendation on how to develop good Key Risk Indicators (principles, methodologies, characteristics, etc.). I will leave that to risk management experts.

The objective is (hopefully) way more simple: stimulate new debates around the usage of Robotic Process Automation (RPA) to increase the efficiency of Key Risk Indicators (KRI).

Reality Check

I have been involved in many projects where my team had to deploy dedicated off-the-shelf platforms to help organisations perform a wide range of risk monitoring activities (my focus was mainly on the technology enablement side). I quickly realised that there are 2 fundamental problems when deploying KRIs.

The first one is the actual gathering of data used to measure KRIs. In many cases, the inability of the platforms to automatically extract data from multiple disparate data sources simply led to put on hold the initial ambition of building a truly efficient KRI environment (to re-assess feasibility and more importantly viability). Having already invested in an expensive off-the-shelf IT solution, organisations usually realise a bit too late that an extra budget (sometime as high as the initial planned CAPEX) is inevitable in order to reach the desired levels of automation.

With the evolution of APIs, the potential to include external data (and internal data residing outside of the "main" database) has definitely improved the effectiveness of KRIs. However, using this type of automation to access the systems/ applications that contribute or feed data into KRI triggers is in many cases not an option (API call is simply unavailable or integration is not possible, often prohibitively costly, time-consuming and usually slow to deliver and requires deep technical knowledge of software).

The second problem, which is the direct consequence of the first one, is the inability to trigger the necessary mitigating actions in a timely manner when KRI thresholds have been or are in danger of being breached.

Because of the lack of “affordable” automation for data extraction (and analysis), the only remaining option is to measure KRI in a manual way, which is time and resource consuming. This situation ultimately results in the inability to actually implement a robust continuous risk monitoring environment.

RPA can save the day

The main focus of RPA has been in automating operational tasks within existing processes but very rarely on risk monitoring activities. So why not use RPA to increase monitoring capabilities?

I am not going to spend too much time on the usual benefits of RPA as I am sure everyone is tired of listening to the same old stories. Yes, RPA costs significantly less to deploy and recalibrate than the traditional automation methods. Yes, RPA can be rolled out way faster. And yes, RPA can become smarter by adding cognitive capabilities that will definitely bring you risk monitoring capabilities to the next level.

But here are 3 quick wins that RPA can bring to KRIs:

• Accessibility. You can have great KRIs that should use, in theory, a wide range of data residing inside and outside the organisation...But what is the point of having KRIs if data cannot be easily accessed and automatically extracted, resulting in excessive human intervention that could potentially lead to omissions, delays or errors? RPA allows to extract data, in a consistent manner, from (almost) any source. RPA bots can interact with a wide range of systems/ applications as long as User IDs have been defined (no technical integration is required). RPA can even increase the data analysis capabilities of existing tools.

• Timeliness. You can have great KRIs that should provide, in theory, an early signal of increasing risk exposure in various areas of the organisation...KRIs work as indicators of events that might have harmful effects on an organisation. But what is the point of having KRIs if they cannot be measured in a timely manner due to high volume of manual activities that are needed to actually produce them? RPA allows to measure KRIs in a timely manner, through high-frequency continuous monitoring, in order to ultimately increase the reaction window. And speed of reaction is obviously crucial in this case to limit the damage!

• Last but not least, RPA can provide additional “energy” to your existing tools by acting as an extended automation engine. RPA can simply add more firepower to your risk monitoring activities by automatically executing complementary actions. As illustrative examples, when a given KRI threshold is reached, a bot could trigger a risk scenario analysis in order to evaluate the risk exposure and/or evaluate the effectiveness of existing risk mitigation activities (i.e entity-level or process controls). You and your imagination here!

I hope you enjoyed the reading and I would be very interested in hearing your thoughts. If you want to read more about automation, please check my other posts:

RPA: 6 checks that you must perform before releasing a bot in production

RPA operating model: evolve to succeed

Robotic Process Automation: Think Resilience

The forward-looking benefits of RPA

RPA bot development: power to the business

High levels of automation can also have negative consequences

Opinions expressed are solely my own and do not necessarily express the views or opinions of my employer.