To really understand control automation, we need to first define what we mean by a control. In the context of Information Technology Governance, Risk Management, and Compliance (IT GRC), a control refers to a specific measure or mechanism put in place to manage or mitigate a specific risk. A control also simultaneously ensures compliance with applicable laws, regulations, or standards. So, when we talk about controls automation, we are referring to the process of automating control activities. Automation provides several potential benefits, including improved security, monitoring and visibility, process efficiencies, and ideally, lower costs.
For a control to be considered fully automated it needs to fit three criteria:
- No human intervention to operate
- Automated monitoring, reporting and/or alerting based on some specific rule set
- Automated decision-making
Control Automation removes human judgement – removing a significant cause of failure from the equation entirely. Because of the ability to reduce human error, control automation touches on a lot of business drivers for organizational leadership, such as:
- Process Efficiencies
- Cost Savings
- Reduced Risk
- Enhanced Testing Coverage (automated controls don’t require population sampling)
- Enhanced Compliance
- Improved Developer Experience
What we learned during our webinar is that while all of these are important, people supporting automation efforts in their organizations emphasized the need for: reduced risk, process efficiencies, and cost savings as the leading drivers of their automation programs.
Reducing risk as a driver comes as no surprise. AI and automation controls reduce data breach costs by 80%. The most significant factor contributing to the costs of data breach is time, therefore, tools that reduce this time have the greatest positive impact. Data breaches, major IT outages, and ransomware attacks were ranked as the top risk issues for businesses worldwide in 2022. Automating processes that prevent these events from happening in the first place is a high priority. Essentially, executing effective Control Automation gets you ahead of the process so you are spending less time on compliance while being more compliant and saving development time and energy.
These reasons make the investment in automating controls compelling, especially when you think about the other, more value-added activities on which people can spend their time. When you are ready to move forward with your Automation program, you need to identify the strategic drivers and business objectives and align with them.
To address one of our audience questions – IT GRC is an organizational strategy for managing governance, risk management, and compliance with industry and government regulations. GRC provides a set of processes that provides a structured approach to aligning IT with business objectives. Because of this, IT GRC is a business enabler.
To get started with your program, if an IT GRC baseline does not yet exist, you’ll need to create one. To do this there are some key questions to ANSWER (not ask) before starting any sort of Controls Automation:
- What is the desired outcome?
- What is the business case?
- What are the requirements?
- What are the risks?
- How are you controlling risk today?
- What controls do you currently have?
- Who in the organization owns them?
- How are they being executed – are they manual, hybrid, automated?
- Are you seeing themes – are there controls that are failing routinely, and if so, why?
If you don’t have a clear, DETAILED picture of where you need to go, you will waste time and resources jumping into implementation.
To get started on answering these questions, you can use standard frameworks and approaches to ‘pressure test’ where processes may have weaknesses. One of the best in this space is the Failure Modes & Effects Analysis (FMEA) Controls Assessment Process. To address another of our audience questions – FMEA is part of the Lean Six-Sigma Framework. The American Quality Institute has great resources to learn more about this framework that can be found HERE.
A webinar participant asked another thoughtful question – when you are in an organization that has enterprise-level and business unit level initiatives, sometimes they don’t align – how would you suggest approaching this? In these cases, if possible, for control processes such as SOX compliance that cross multiple business units, it is more effective to centralize under one enterprise framework.
When organizations are evaluating the best tools to use for automating processes – we come back to the IT GRC framework. Because the IT GRC’s set of processes provides a structured approach to aligning IT with business objectives, using this framework can help with the appropriate tool selection – oftentimes you don’t need a Lamborghini when a bike will do. We can’t stress enough the importance of thoughtful process design before selecting automation tools/approaches.
In general, fully automating controls is always going to be a challenge and will depend on your organization’s infrastructure/current state. Automation is very beneficial in areas where processes are standardized and inputs, outputs, and responses are clearly defined. Automation isn’t as useful in novel circumstances – that is circumstances where an organization is confronted with a situation it hasn’t seen before – critical failure events, for example. In those instances, automating controls can help orchestrate responses, but organizations will really need to depend on security analysts, engineers, and others to identify the best next steps based on the data and information that is available, and there are tools for that! There are tools for everything, but it should go without saying that fully centralized automation with 24/7 monitoring of everything is hard.
While we get into much more detail in the webinar, the Top 3 Takeaways are:
- This is a program of work and should be treated as such. Agree on your objectives, get senior management buy-in on the business case, allocate the right resources, plan the work, and work the plan.
- We talk about automating controls, but we are automating processes. Ensure that the process design meets the requirements and test its effectiveness.
- Organizations’ technology landscape is evolving faster than ever – and will only get faster. You need to build a long-term, sustainable approach to implement new processes and systems with automated controls built-in on day one.
For more information, contact us today.