Automated Business processes-LAPTOP-APPTNJ0E

There are three main categories of business processes: 1. Operational processes that directly deliver value to customers like order fulfillment. 2. Supporting processes that assist core processes like HR and accounting. 3. Management processes that oversee business operations like strategic planning and budgeting. Automating business processes can provide benefits like increased efficiency, reduced costs, improved quality and consistency, and freed up employee time for more strategic work. Processes that are well-suited for automation include those involving repetitive tasks, multiple approvers, compliance needs, or that impact other processes. However, automation also faces challenges like defining complex processes, staff resistance to change, and high implementation costs.

Uploaded by Rahul Gupta

Automated Business Processes

Categories of business processes

1. Operational processes: they deal with the core business and value chain. These processes deliver value to the customer by helping to produce a product or service. Operational processes represent the essential business activities that accomplish business objectives.
Example: the Order to Cash cycle (O2C) and the Purchase to Pay cycle (P2P) are associated with revenue generation.
2. Supporting processes: they back the core processes and functions within an organisation. Examples of supporting processes include Accounting, Human Resource management and Workplace safety. One key differentiator between operational and supporting activities is that support processes do not provide value to customers directly. However, it should be noted that hiring the right people for the right job has a direct impact on the efficiency of the enterprise.
Example: the main HR process areas are grouped into logical functional areas that include Recruitment and staffing; Goal setting; Training and development; Compensation and benefits; Performance management; Career development and leadership development.
3. Management processes: they measure, monitor and control the activities related to business procedures and systems. Examples of management processes include internal communications, governance, strategic planning, budgeting, and infrastructure or capacity management. Like supporting processes, management processes do not provide direct value to customers. However, they have a direct impact on the efficiency of the enterprise.
The budgeting process:
In any enterprise, budgeting needs to be driven by the vision (what the enterprise plans to accomplish) and the strategic plans (the steps to get there). Having a formal and structured budgeting process is the foundation for good business management, growth and development.

Vision → Strategic plan → Business goals → Revenue projections → Cost projections → Profit projections → Board approval → Budget review
S.no. / Nature of business decision / Description of decision:

1. Vision and Mission: One of Asia's dairy product companies decided in 2005 to increase its turnover by 2x in the next ten years. The present turnover is Rs. 10,000 crores.
2. Management process: The top management sits down and lists the activities to be done to achieve the said turnover. These included:
- Enter new markets. It was decided to have an all-India presence. At present the company's products are sold in 20 out of 29 states, including the 4 metros, namely Delhi, Kolkata, Chennai and Mumbai.
- Launch new products. Presently the company mainly sells milk products. New products decided to be sold in future include biscuits, toast, flour and packaged drinking water.
- Acquire existing dairies in markets where the company has no presence.
3. Support process: For all activities to be done as envisioned by the top management, a huge effort is needed on the human resources front:
- defining and creating a new management structure;
- performing all human resource activities required by the activities listed above under the management process.
4. Operational process: After the management processes, it is up to the operational managers to implement the decisions in actual working form. It is here that the whole hard job is done.

Business process automation (BPA): BPA is the tactic a business uses to operate efficiently and effectively. BPA is the practice of analysing, documenting, optimising and then automating business processes.
Factors affecting business processes:
1 Confidentiality: to ensure that data is available only to the persons who are authorised to see it.
2 Integrity: to ensure that no unauthorised amendments can be made to the data.
3 Availability: to ensure that data is available when asked for.
4 Timeliness: to ensure that data is made available at the right time.

Benefits of automating business process


Quality and consistency: ensures that every action is performed identically, resulting in high-quality, reliable results; stakeholders consistently experience the same level of service.
Time saving: automation reduces the number of tasks employees would otherwise need to do manually. It frees up time to work on items that add genuine value to the business, allowing innovation and increasing employees' level of motivation.
Visibility: automated business processes are controlled, and they consistently operate accurately within the defined timeline. This gives the organisation visibility of the process status.
Improved operational efficiency: automation not only ensures that systems run smoothly and efficiently, but also that errors are eliminated and best practices are constantly leveraged.
Governance and reliability: the consistency of automated processes means stakeholders can rely on the business processes to operate and offer reliable services to customers, thus maintaining a competitive advantage.
Reduced turnaround time: eliminating unnecessary tasks and realigning process steps optimises the flow of information throughout production, service, billing and collection; this adjustment of processes improves operational performance and reduces the turnaround time for both staff and external customers.
Reduced costs: manual tasks, given that they are performed one at a time and at a slower rate than an automated task, cost more. Automation allows an enterprise to accomplish more while utilising fewer resources.
Which business processes should be automated?
Companies tend to automate those business processes that are time- and resource-intensive operationally, or those that are subject to human error.
PROCESSES INVOLVING A HIGH VOLUME OF TASKS OR REPETITIVE TASKS:
Many business processes, such as making purchase orders, involve a high volume of repetitive tasks. Automating these processes results in cost and work effort reductions.

PROCESSES INVOLVING MULTIPLE PEOPLE TO EXECUTE TASKS:
A business process which requires multiple people to execute tasks often results in waiting time that can lead to increased costs.

TIME-SENSITIVE PROCESSES:
Business process automation results in streamlined processes and faster turnaround times. The streamlined processes eliminate wasteful activities and focus on enhancing tasks that add value. Time-sensitive processes such as online banking systems and railway and aircraft operating and control systems are best suited to automation.

PROCESSES INVOLVING A NEED FOR COMPLIANCE AND AN AUDIT TRAIL:
With business process automation every detail of a particular process is recorded. These details can be used to demonstrate compliance during audits.

PROCESSES HAVING A SIGNIFICANT IMPACT ON OTHER PROCESSES AND SYSTEMS:
Some processes are cross-functional and have a significant impact on other processes and systems. In cross-functional processes, different departments within the same company work hand in hand to achieve a common goal. Automating these processes results in the sharing of information and resources, improving the efficiency and effectiveness of the business processes.
CHALLENGES INVOLVED IN BUSINESS PROCESS AUTOMATION

AUTOMATING REDUNDANT PROCESSES:
Sometimes organisations start an automation project by automating the processes they find suitable for automation, without considering whether such processes are necessary and create value. In other cases, some business processes and tasks require a high amount of tacit knowledge that cannot be documented and transferred from one person to another, and therefore require employees to use their personal judgement. These processes are generally not good candidates for automation, as they are hard to encode and automate.

DEFINING COMPLEX PROCESSES:
BPA requires re-engineering of some business processes, which requires a significant amount of time to be allocated and spent at this stage. This requires a detailed understanding of the underlying business processes in order to develop an automated process.
STAFF RESISTANCE:
In most cases, human factor issues are the main obstacle to acceptance of automated processes. Staff may see process automation as a way of reducing their decision-making power. This is because, with automated processes, management has greater visibility of the process and can make decisions that used to be made by the staff. Moreover, staff may perceive automated processes as a threat to their jobs.

IMPLEMENTATION COST:
The implementation of automated processes may be an expensive proposition in terms of the acquisition/development cost of automated systems and the special skills required to operate and maintain these systems.

BPA IMPLEMENTATION
A business needs a reason to go for any new system. Today the connected world has opened up huge opportunities as well as bringing new threats to any business. The increased availability of choice to customers about products or services makes it very important for businesses to keep themselves abreast of new technology and new mechanisms.
Steps to implement business process automation:
Step 1: Define why we plan to implement BPA?
 Errors in manual processes leading to higher costs.
 Payment processes not streamlined, due to duplicate or late payments, missing early-payment discounts and losing revenue.
 Paying for goods and services not received.
 Poor debtor management leading to high invoice
 Not being able to find documents quickly during an audit or lawsuit, or not being able to find all documents.
 Lengthy or incomplete new employee or new account onboarding.
 Being unable to recruit and train new employees where they are urgently required.
 Lack of management understanding of business processes.
 Poor customer service.
Step 2: Understand the rules/regulations under which the enterprise needs to comply.
One of the most important steps in automating any business process is to understand the rules of engagement, which include following rules, adhering to regulations and following document retention requirements. This governance is established by a combination of internal corporate policies, external industry regulations, and local, state and central laws. Regardless of the source, it is important to be aware of their existence and how they affect the documents that drive the processes. It is important to understand that laws may require documents to be retained for a specified number of years in a specified format. The entity needs to ensure that any BPA adheres to the requirements of the law.
Step 3: Document the process we wish to automate.
At this step, all the documents that are currently being used need to be documented. The following aspects need to be kept in mind while documenting the present process:
 What documents need to be captured?
 Where do they come from?
 What format are they in?
 Who is involved in the processing of the documents?
 What is the impact of regulation on the processing of these documents?
 Can there be a better way to do the same job?
 How are exceptions in the process handled?
The benefits of the above process for the user and the entity are:
 It provides clarity on the process.
 It helps to determine the sources of inefficiency, bottlenecks and problems.
 It allows the processes to be designed to focus on the desired result with workflow automation.

Summary of the steps (1 to 8):
Step 1: Define why we plan to implement BPA? The answer to this question will provide the justification for implementing BPA.
Step 2: Understand the rules/regulations under which it needs to comply. The underlying issue is that any BPA created needs to comply with applicable laws and regulations.
Step 3: Document the process we wish to automate. The current processes which are planned to be automated need to be correctly and completely documented at this step.
Step 4: Define the objectives/goals to be achieved by implementing BPA. This enables the developer and the user to understand the reasons for going for BPA. This goal needs to be precise and clear.
Step 5: Engage the business process consultant. Once the entity has been able to define the above, it needs to appoint an expert who can implement it for the entity.
Step 6: Calculate the ROI for the project. The answer to this question can be used for convincing top management to say yes to the BPA exercise.
Step 7: Development of BPA. Once top management grants approval, the right business solution has to be procured and implemented, or developed and implemented, covering the necessary BPA.
Step 8: Testing the BPA. Before making the process live, the BPA solution should be fully tested.

Step 4: Define the goals to be achieved by implementing BPA.

When determining goals, remember that goals need to be SMART:

Specific: clearly defined.
Measurable: easily quantifiable in monetary terms.
Attainable: achievable through best efforts.
Relevant: the entity must be in need of these.
Timely: achieved within a given time frame.
CASE 1: For vendors offering early-payment discounts, the entity needs to consider:
 How much could be saved if the discounts were taken advantage of, and whether the entity has the cash flow to do so?
 Vendor priority can be created based on the above calculations, deciding which vendor gets paid sooner rather than later.
CASE 2: Determine the average invoice aging per customer. The entity can decide to reduce the average from 75 days to 60 days. This alone can dramatically improve cash flow.
STEP 5: Engage the business process consultant.
Deciding which company/consultant to partner with depends upon the following:
 Objectivity of the consultant in understanding/evaluating the entity's situation.
 Does the consultant have experience with the entity's business processes?
 Is the consultant experienced in resolving critical business issues?
 Can the consultant recommend and implement a combination of hardware, software and services as appropriate to meet the enterprise's BPA requirements?
 Does the consultant have the required expertise to clearly articulate the business value of every aspect of the business solution?

Step 6: Calculate the ROI (Return on Investment) for the project

The right business case must be made, covering technical and financial feasibility, so as to justify and get approval for implementing the BPA. The best way to convince would be to generate a proposition that communicates to stakeholders that BPA shall lead not only to cost savings for the enterprise but also to improved efficiency and effectiveness of service offerings.
Some of the methods of justifying a BPA proposal may include:
 Cost savings being clearly computed and demonstrated.
 How BPA can lead to a reduction in required manpower, so that no new recruits need to be hired, and how existing employees can be redeployed or used for further expansion.
 Savings in employee salary by not having to replace those lost to attrition.
 The cost of space regained from paper, file cabinets, etc. is reduced.
 Eliminating fines to be paid by the entity, since delays are avoided.
 Reducing the costs of audits and lawsuits.
 Taking advantage of early-payment discounts and eliminating duplicate payments.
 Ensuring complete documentation for all new accounts.
 New revenue generation activities.
 Collecting accounts receivable faster and improving cash flow.
 Building business reputation by providing a superior level of customer service.
 Instant access to records.
The above can be presented to justify the proposal and convince management to go ahead with the BPA implementation project as required for the enterprise.
STEP 7: Developing the BPA
Once the requirements have been documented, the ROI has been computed and top management approval to go ahead has been received, the consultant develops the requisite BPA. The developed BPA needs to meet the objectives for which it is being developed.
STEP 8: Testing the BPA.
Once developed, it is important to test the new process to determine how well it works and identify where additional "exception processing" steps need to be included. Testing is an iterative process, the objective being to remove all problems during this phase.
Testing allows room for improvements prior to the official launch of the new process, increases user adoption and decreases resistance to change. Documenting the final version of the process helps to capture all the hard work, thinking and experience, which can be used to train new people.
CASE STUDIES ON BUSINESS PROCESS AUTOMATION
CASE 1: Automation of the purchase order generation process in a manufacturing entity
The various steps of automation are given as follows:
Step 1: Define why we plan to go for BPA?
The entity has been facing the problem of non-availability of critical raw material items, which is leading to production stoppages and delays in delivery. Delays in delivery have already cost the company in terms of lost customers and sales.
Step 2: Understand the rules/regulations under which it needs to comply.
The item is not covered by any regulation regarding the quantity to be ordered or stored. To keep costs at a minimum, the entity has calculated the economic order quantity in which orders are placed.
Step 3: Document the process we wish to automate.
The present process is manual: orders are received by the purchase department from the stores department. The stores department generates the order based on a manual stock register and the items' re-order levels. The levels were decided five years ago and the stores records are not updated in a timely manner.
Step 4: Define the objectives/goals to be achieved by implementing BPA
Once the above steps have been completed, the entity needs to determine the key objectives of the process improvement activities. When determining goals, remember that goals need to be SMART (Specific, Measurable, Attainable, Relevant and Timely, as defined above). Example 1.4, given above under Step 4 (Case 1: early-payment discounts; Case 2: reducing average invoice aging from 75 days to 60 days), illustrates such goals.
Step 5: Engage the business process consultant.
ABC Limited, a consultant of repute, has been engaged for the same. The consultant has prior experience and knowledge of the entity's business.
Step 6: Calculate the ROI for the project.
The opportunity loss for the project comes to around Rs. 100 lakhs per year. The cost of implementing the whole BPA shall be around Rs. 50 lakhs. It is expected that the opportunity loss after BPA shall reduce to Rs. 50 lakhs in year one and Rs. 25 lakhs in later years, for the next five years.
Step 7: Developing the BPA.
Once top management says 'Yes', the consultant develops the necessary BPA. The BPA is to generate purchase orders as soon as an item of inventory reaches its re-order level. To ensure accuracy, all data in the new system needs to be checked and validated before being put into the system:
 Each item's inventory was physically counted before uploading to the new system.
 Each item's re-order level was recalculated.
 All items issued for consumption were updated in the system in a timely manner.
 All automatically generated purchase orders are made available to the purchase manager at the end of the day for authorisation.
Step 8: Testing the BPA
Before making the process live it should be thoroughly tested.
Case 2: Automation of the employee attendance system
Step 1: Define why we plan to go for BPA?
The system of recording attendance being followed is not generating confidence in employees about its accuracy. There have been complaints that salary pay-outs are not as per actual attendance. It has also created friction and differences between employees, as some feel that others have been paid more because their salary has not been deducted for absence.
Step 2: Understand the rules/regulations under which it needs to comply.
A number of regulations are applicable to employee attendance, including the Factories Act, 1948, the Payment of Wages Act, 1936, state laws, etc. These are compliance requirements and hence any BPA needs to cater to them.
Step 3: Document the process we wish to automate.
The present system includes an attendance register and a register at the security gate. Employees are expected to put their signatures in the attendance register. The register at the gate is maintained by security staff to mark when an employee has entered. There are constant disputes regarding the time at which an employee entered versus what has been marked in the security register. Company policy specifies that an employee coming late by 30 minutes on two days in a month shall have a half-day salary deduction. There is overwriting in the attendance register, leading to heated arguments between human resource department staff and employees. As the time taken to arrive at the correct attendance is large, there is a delay in the preparation of salaries. This has already led to penal action against the company by the labour department of the state.
Step 4: Define the objectives/goals to be achieved by implementing BPA
The objectives for implementing BPA are to have:

 Correct recording of attendance.


 Timely compilation of monthly attendance so that salary can be calculated and
distributed on a timely basis.
 To ensure compliance with statutes.
Step 5: Engage the business process consultant.
XYZ Limited a consultant of repute has been engaged for the same. The consultant has prior
experience and knowledge about the entity’s business.
Step 6: Calculate the ROI for the project.
The BPA may provide tangible benefits in the form of reduced penalties and intangible
benefits which may include:

 Better employee motivation and morale.


 Reduced differences between employees
 More focus on work than on salary
 Improved productivity
Step 7: Developing the BPA
Implementing the BPA would result in the following:

 All employees would be given an electronic identity card.
 The cards would contain details about the employee.
 The attendance system should work in the following manner:
1. Software with a card-reading machine would be installed at the entry gate.
2. Whenever an employee enters or leaves the company, he/she needs to hold the card in front of the machine.
3. The card-reading machine would be linked to the software, which would record the employee's attendance.
4. At the end of the month, the software would print employee-wise attendance reports. These reports would also point out how many days an employee has reported late in the month.
5. Based on this report, the monthly attendance is put into the system to generate the monthly salary.
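Points 1 to 5 above, as an added Python illustration; this is not XYZ Limited's or the entity's actual software. It assumes a 09:00 shift start, that "late by 30 minutes" means an IN swipe 30 or more minutes after shift start, that each pair of late days in a month costs half a day's salary, and a constructed set of card swipes for March 2024. Two details address the problems recorded in Step 3: the swipe log is hash-chained, so an overwritten entry is detected rather than argued about, and days with a missing OUT swipe are reported as exceptions for HR to resolve instead of being silently counted.

```python
"""Card-swipe attendance with a tamper-evident log. Added illustration, not the entity's software."""
import hashlib
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, datetime, time, timedelta
from typing import Dict, List, Tuple

SHIFT_START = time(9, 0)                 # assumed shift start
LATE_THRESHOLD = timedelta(minutes=30)   # policy: "late by 30 minutes"
LATE_DAYS_PER_HALF_DAY = 2               # policy: two late days -> half-day deduction
GENESIS = "0" * 64


@dataclass(frozen=True)
class Swipe:
    emp_id: str
    ts: datetime
    direction: str   # "IN" or "OUT"


def _digest(prev: str, s: Swipe) -> str:
    payload = f"{prev}|{s.emp_id}|{s.ts.isoformat()}|{s.direction}"
    return hashlib.sha256(payload.encode()).hexdigest()


class SwipeLog:
    """Append-only log; each record's hash covers the previous record's hash,
    so editing, inserting or deleting an earlier swipe breaks verify()."""

    def __init__(self) -> None:
        self.records: List[Tuple[Swipe, str]] = []

    def append(self, s: Swipe) -> None:
        if s.direction not in ("IN", "OUT"):
            raise ValueError(f"bad direction {s.direction!r}")
        prev = self.records[-1][1] if self.records else GENESIS
        self.records.append((s, _digest(prev, s)))

    def verify(self) -> bool:
        prev = GENESIS
        for s, digest in self.records:
            if _digest(prev, s) != digest:
                return False
            prev = digest
        return True


def monthly_attendance(log: SwipeLog, year: int, month: int) -> Dict[str, dict]:
    """Employee-wise report for one month: present days, late days, deduction, exceptions."""
    first_in: Dict[Tuple[str, date], datetime] = {}
    has_out = set()
    for s, _ in log.records:
        if (s.ts.year, s.ts.month) != (year, month):
            continue
        key = (s.emp_id, s.ts.date())
        if s.direction == "IN":
            # Duplicate IN swipes happen; the earliest one is the arrival time.
            if key not in first_in or s.ts < first_in[key]:
                first_in[key] = s.ts
        else:
            has_out.add(key)

    report: Dict[str, dict] = defaultdict(
        lambda: {"present_days": 0, "late_days": 0, "deduction_days": 0.0, "exceptions": []})
    for (emp, day), arrived in sorted(first_in.items()):
        r = report[emp]
        r["present_days"] += 1
        if arrived >= datetime.combine(day, SHIFT_START) + LATE_THRESHOLD:
            r["late_days"] += 1
        if (emp, day) not in has_out:
            r["exceptions"].append(f"{day}: no OUT swipe")
    for r in report.values():
        r["deduction_days"] = 0.5 * (r["late_days"] // LATE_DAYS_PER_HALF_DAY)
    return dict(report)


def build_sample_log() -> SwipeLog:
    """Constructed swipes for March 2024 (plus one February swipe to show month filtering)."""
    log = SwipeLog()
    for emp, stamp, direction in [
        ("E002", "2024-02-29 09:40", "IN"),     # wrong month, ignored by the March report
        ("E001", "2024-03-01 09:35", "IN"),     # late
        ("E002", "2024-03-01 08:55", "IN"),
        ("E002", "2024-03-01 17:50", "OUT"),
        ("E001", "2024-03-01 18:00", "OUT"),
        ("E001", "2024-03-04 09:10", "IN"),     # within the 30-minute threshold
        ("E002", "2024-03-04 09:00", "IN"),     # no OUT swipe that day -> exception
        ("E001", "2024-03-04 18:05", "OUT"),
        ("E001", "2024-03-05 09:45", "IN"),     # late
        ("E001", "2024-03-05 09:46", "IN"),     # duplicate swipe, ignored
        ("E001", "2024-03-05 18:00", "OUT"),
    ]:
        log.append(Swipe(emp, datetime.strptime(stamp, "%Y-%m-%d %H:%M"), direction))
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("log intact:", log.verify())
    for emp, r in monthly_attendance(log, 2024, 3).items():
        print(emp, r)
```

The hash chain only proves that the log has not been altered after the fact; it does not stop a reader being fed a forged card, so the reader itself and the machine holding the log still need the usual physical and access controls.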
Step 8: Testing the BPA.
Before making the process live it should be thoroughly tested.
The above illustrations are of entities which have gone for business process automation. There are thousands of processes across the world for which entities have gone for BPA and reaped numerous benefits. These include tracking the movement of goods, sales order processing, customer service departments, inventory management systems and asset tracking systems.

RISK AND ITS MANAGEMENT

Various terms relating to risk and its management are as follows:
Asset: An asset can be defined as something of value to the organisation, e.g. information in electronic or physical form, software systems, employees.
Irrespective of the nature of the assets themselves, they all have one or more of the following characteristics:
 They are recognised to be of value to the organisation.
 They are not easily replaceable without cost, skill, time, resources or a combination of these.
 They form a part of the organisation's corporate identity, without which the organisation may be threatened.
 Their data classification would normally be Proprietary, Highly Confidential or even Top Secret.
It is the purpose of information security personnel to identify the threats to these assets, the associated potential damage, and the safeguards for them.
Threat: Any entity, circumstance or event with the potential to harm a software system or component through unauthorised access, destruction, modification and/or denial of service is called a threat. It is an action, event or condition that compromises the system or its quality, with the ability to inflict harm on the organisation. A threat has the capability to attack a system with intent to harm. It is often useful to start threat modelling with a list of known threats and vulnerabilities found in similar systems. Every system has data, which is considered the fuel that drives the system; data is nothing but an asset. Assets and threats are closely correlated: a threat cannot exist without a target asset. Threats are typically prevented by applying some sort of protection to assets. Good examples of potential threats are malware, ransomware and viruses. Attackers often focus on the total destruction of an asset, Distributed Denial of Service (DDoS), or social engineering to accomplish their goals.
Vulnerability: A vulnerability is a weakness in the system safeguards that exposes the system to threats. It may be a weakness in an information system's cryptographic system or other components (for example, system security procedures, hardware design, internal controls) that could be exploited by a threat. Vulnerabilities potentially "allow" a threat to harm or exploit the system. For example, a vulnerability could be a poor access control method that allows dishonest employees to exploit the system to adjust their own records.
Some examples of vulnerabilities are as follows:
 Leaving the front door unlocked makes the house vulnerable to unwanted visitors.
 Short passwords (fewer than 6 characters) make an automated information system vulnerable to password cracking or guessing routines.
Missing safeguards often determine the level of vulnerability.
Determining vulnerabilities involves a security evaluation of the system, including inspection of safeguards, testing, and penetration analysis.
Normally, a vulnerability is a state in a computing system which satisfies at least one of the following conditions:
 it allows an attacker to execute commands as another user; or
 it allows an attacker to access data contrary to the specified access restrictions for that data; or
 it allows an attacker to pose as another entity; or
 it allows an attacker to conduct a denial of service.
Exposure: Exposure is defined as the extent of loss an enterprise has to face when a risk materialises. It is not just the immediate impact, but the real harm that occurs in the long run; for example, loss of business, failure to perform the system's missions, loss of reputation, violation of privacy, loss of resources, etc.
Likelihood: The likelihood of a threat occurring is the estimate of the probability that the threat will succeed in achieving an undesirable event. The presence, tenacity and strength of threats, as well as the effectiveness of safeguards, must be considered while assessing the likelihood of a threat occurring.
Attack: An attack is an attempt to gain unauthorised access to a system's services or to compromise the system's dependability. In software terms, an attack is a malicious, intentional fault, usually an external fault, that has the intent of exploiting a vulnerability in the targeted software or system. Basically, it is a set of actions designed to compromise CIA (Confidentiality, Integrity or Availability) or any other desired property of an information system. Simply put, it is the act of trying to defeat Information System (IS) safeguards. The type of attack and its degree of success determine the consequences of the attack.
Countermeasure: An action, device, procedure, technique or other measure that reduces the vulnerability of a component or a system is referred to as a countermeasure. For example, the well-known threat 'spoofing the user identity' has two countermeasures:
 strong authentication protocols to validate users; and
 passwords should not be stored in configuration files; instead some secure mechanism should be used.
Similarly, for other vulnerabilities, different countermeasures may be used.
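The two countermeasures just listed, together with the short-password vulnerability from the list above, as an added Python illustration; this is not code from the original notes. It shows the weak pattern, a plaintext password in a configuration dictionary compared with ==, beside the countermeasure: a per-user random salt, PBKDF2-HMAC-SHA256 from the standard library, constant-time comparison, and a minimum-length check. The 12-character minimum and the 600,000-iteration work factor are assumptions made for this example, not figures from the page.

```python
"""Credential storage: weak pattern beside the countermeasure. Added illustration."""
import base64
import hashlib
import hmac
import os
from typing import Dict

# --- Weak pattern (what the countermeasure replaces) ---------------------------
# Constructed config: anyone who can read it owns every account, and == is not constant-time.
WEAK_CONFIG = {"users": {"admin": "secret"}}


def weak_login(user: str, password: str) -> bool:
    return WEAK_CONFIG["users"].get(user) == password


# --- Countermeasure ----------------------------------------------------------
MIN_PASSWORD_LENGTH = 12       # assumed policy; the text's example treats < 6 as vulnerable
PBKDF2_ITERATIONS = 600_000    # assumed work factor; raise it as hardware gets faster
SALT_BYTES = 16


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$derived_key (base64)."""
    if len(password) < MIN_PASSWORD_LENGTH:
        raise ValueError(f"password must be at least {MIN_PASSWORD_LENGTH} characters")
    salt = os.urandom(SALT_BYTES)                # fresh random salt per password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join(["pbkdf2_sha256", str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(dk).decode("ascii")])


def verify_password(record: str, password: str) -> bool:
    """Recompute the derived key from the stored salt/iterations; compare in constant time."""
    algo, iterations, salt_b64, dk_b64 = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported record {algo!r}")
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


class UserStore:
    """Holds only hash records; the plaintext password is never stored anywhere."""

    def __init__(self) -> None:
        self._records: Dict[str, str] = {}
        # Used for unknown users so that "no such user" takes as long as a wrong password.
        self._dummy = hash_password("placeholder-not-a-real-user")

    def register(self, user: str, password: str) -> None:
        if user in self._records:
            raise ValueError("user already exists")
        self._records[user] = hash_password(password)

    def authenticate(self, user: str, password: str) -> bool:
        record = self._records.get(user)
        if record is None:
            verify_password(self._dummy, password)   # equalise timing, then refuse
            return False
        return verify_password(record, password)


if __name__ == "__main__":
    store = UserStore()
    store.register("alice", "correct horse battery staple")
    print("alice ok:", store.authenticate("alice", "correct horse battery staple"))
    print("alice bad:", store.authenticate("alice", "hunter2hunter2"))
    print("weak login:", weak_login("admin", "secret"))
```

Storing the iteration count inside each record is what lets the work factor be raised later without invalidating existing accounts: old records keep verifying with their own count and can be re-hashed on the user's next successful login.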
Risk: Risk is any event that may result in a significant deviation from a planned objective, resulting in an unwanted negative consequence. The planned objective could be an enterprise's strategic, financial, regulatory or operational processes, products or services. The degree of risk associated with an event is determined by the likelihood of the event occurring, the consequences if the event were to occur, and its timing.

Example:

Sources of Risk
When an enterprise adopts automation to support its critical business processes, it exposes itself to several risks, such as downtime due to failure of technology. The most important step in the risk management process is to identify the sources of risk, the areas from where risks can occur. This gives information about the possible threats and vulnerabilities, and accordingly an appropriate risk mitigation strategy can be adopted. Some of the common sources of risk are commercial and legal relationships, economic circumstances, human behaviour, natural events, political circumstances, technology and technical issues, management activities and controls, and individual activities.
Broadly, risk has the following characteristics:
 Potential loss that exists as the result of a threat exploiting a vulnerability. Threats have the potential to cause damage or loss. A risk is an expectation that a threat may succeed and potential damage may occur.
 Uncertainty of loss, expressed in terms of the probability of such loss. The extent of loss includes not only the immediate direct financial loss but also the loss due to its impact in the long run. Loss in the long run includes losses such as loss of business, loss of reputation, etc.
 The probability/likelihood that a threat agent may mount a specific attack against a particular system. Risk assessment covers both the likelihood/probability of occurrence and the consequence of the risk.
To conclude, risk can be defined as the potential harm caused if a threat exploits a particular vulnerability to cause damage to an asset.

Types of Risks
The risks can be broadly categorized as follows:

A. Business Risks: Business risk is a broad category which applies to any event or
circumstance related to business goals. Businesses face all kinds of risks, ranging from
serious loss of profits to even bankruptcy, and these are discussed below:
 Strategic Risks: These are the risks that would prevent an organization from
accomplishing its objectives. Examples include risks related to strategy, political and
economic relationship issues with suppliers and global market conditions; they could
also include reputation risk, leadership risk, brand risk, and changing customer needs.
 Financial Risks: Financial risks are those risks that could result in a negative financial
impact to the organization. Examples include risks from volatility in foreign
currencies, interest rates and commodities, credit risks, liquidity risk, and market
risk.
 Regulatory (compliance) Risks: This includes risks that could expose the organization
to fines and penalties from a regulatory agency due to non-compliance with laws and
regulations. Examples include violation of laws or regulations governing areas such as
the environment, employee health and safety, lack of due diligence, protection of
personal data in accordance with global data protection requirements, and local tax
and statutory laws. New and emerging regulations can have a wide-ranging impact
on management’s strategic direction, business model and compliance system. It is
therefore important to consider regulatory requirements while evaluating business
risks.
 Operational risks: Operational risks include those risks that could prevent an
organisation from operating in the most effective and efficient manner or be
disruptive to other operations due to inefficiencies or breakdowns in internal
processes, people and systems. Examples include risk of loss resulting from
inadequate or failed internal processes, fraud or any criminal activity by an employee,
business continuity, channel effectiveness, customer satisfaction and
product/service failure, efficiency, capacity, and change integration.
 Hazard Risks: Hazard risks include risks that are insurable, such as natural disasters,
various insurable liabilities, impairment of physical assets and terrorism.
 Residual risks: This includes any risk remaining even after the countermeasures are
analysed and implemented. An organization’s management of risk should consider
two areas: acceptance of residual risks and selection of safeguards. Even after safeguards
are applied, there is probably going to be some residual risk. The risk can be minimised
but can seldom be eliminated. Residual risk must be kept at a minimal acceptable level.
As long as it is kept at an acceptable level, the risk can be managed.
B. Technology risks: Automated processes are technology driven. The dependence on
technology in BPA for most of the key business processes has led to various
challenges. All risks relating to technology are equally applicable to BPA. As technology is
taking new forms and transforming the business processes as well, the standards
adopted by enterprises should consider this new set of IT risks and challenges,
which are described below:
(i) Downtime due to technology failure: Information system facilities may
become unavailable due to technological problems or equipment failure. A
common example of this type of failure is non-availability of system due to
server failure.
(ii) Multiplicity and complexity of systems: The technological architecture used
for services could include multiple digital platforms and is quite complex.
Hence this requires the personnel to have knowledge about the requisite
technology, or the work could be outsourced to a company having the relevant skill set.
(iii) Frequent changes or obsolescence of technology: Technology keeps on
evolving and changing constantly and becomes obsolete very quickly. Hence,
there is always a challenge that the investment in technology solutions, unless
properly planned, may result in loss to the organization due to the risk of
obsolescence.
(iv) Different types of controls for different types of technologies/systems:
Deployment of technology often gives rise to new types of risks. These risks
need to be mitigated by relevant controls as applicable to each technology or
system deployed; where the required skills are not available in-house, this work
could be outsourced to a company having the relevant skill set.
(v) Proper alignment with the business objectives and legal requirements:
Organizations must ensure that the systems implemented cater to all the
business objectives and needs, in addition to the legal/regulatory
requirements envisaged.
(vi) Dependence on vendors due to outsourcing of IT services: In a system
environment the organization requires staff with specialized domain skills to
manage the IT deployed. Hence these services could be outsourced to vendors,
and there is then a heavy dependency on vendors, which gives rise to vendor risks
that should be managed by proper contracts, controls and monitoring.
(vii) Vendor related concentration risks: There may not be one but multiple
vendors providing different services. For example, network, hardware,
system software and application software services may be provided by
different vendors, or all these services may be provided by a single vendor. Both
these situations result in higher risks due to heavy dependence on vendors.
(viii) Segregation of duties (SOD): Organizations may have a highly defined
organization structure with clearly defined roles, authority and responsibility.
The segregation of duties as per the organization's structure should be clearly
mapped. This is a high-risk area since any SOD conflicts can be a potential
vulnerability for fraudulent activities. For example, if a single employee can
initiate, authorize and disburse a loan, the possibility of misuse cannot be
ignored.
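The loan example above, as an added illustration that is not part of the original text: a check that flags users whose combined roles give them conflicting permissions, regardless of which roles grant them. The role names, permission names, conflict pairs and user assignments are constructed for this example.

```python
"""Segregation-of-duties (SoD) conflict check.

Added example, not from the original text. It models the loan example from the
text: no single user should be able to initiate, authorize and disburse a loan.
Role names, users and the conflict matrix are constructed for illustration.
"""
from itertools import combinations

# Constructed role-to-permission mapping (illustrative only).
ROLE_PERMISSIONS = {
    "loan_officer": {"loan.initiate"},
    "credit_manager": {"loan.authorize"},
    "treasury_clerk": {"loan.disburse"},
    "branch_admin": {"loan.initiate", "loan.authorize", "loan.disburse"},
    "auditor": {"loan.view"},
}

# Pairs of permissions that must never be held by one user (constructed).
CONFLICT_PAIRS = {
    frozenset({"loan.initiate", "loan.authorize"}),
    frozenset({"loan.authorize", "loan.disburse"}),
    frozenset({"loan.initiate", "loan.disburse"}),
}


def effective_permissions(roles, role_permissions=ROLE_PERMISSIONS):
    """Union of the permissions granted by all of a user's roles."""
    perms = set()
    for role in roles:
        perms |= role_permissions.get(role, set())
    return perms


def sod_conflicts(user_roles, role_permissions=ROLE_PERMISSIONS,
                  conflict_pairs=CONFLICT_PAIRS):
    """Return {user: sorted list of conflicting permission pairs}.

    A conflict exists whenever a user's effective permissions contain both
    members of a pair in conflict_pairs, whether they come from one
    over-broad role or from the combination of several narrow roles.
    """
    findings = {}
    for user, roles in user_roles.items():
        perms = effective_permissions(roles, role_permissions)
        hits = []
        for a, b in combinations(sorted(perms), 2):
            if frozenset({a, b}) in conflict_pairs:
                hits.append((a, b))
        if hits:
            findings[user] = hits
    return findings


# Constructed user-to-role assignments.
USER_ROLES = {
    "alice": ["loan_officer"],
    "bob": ["credit_manager", "auditor"],
    "carol": ["loan_officer", "treasury_clerk"],   # two roles, one conflict
    "dave": ["branch_admin"],                      # one over-broad role
}

if __name__ == "__main__":
    for user, hits in sod_conflicts(USER_ROLES).items():
        print(f"SoD conflict for {user}: {hits}")
```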
(ix) External threats leading to cyber frauds/crimes: The system environment
provides access to customers anytime, anywhere using the internet. Hence the
information system which was earlier accessible only within the organization and to
its employees is now exposed and open to being accessed by anyone from
anywhere. Making the information available is a business imperative, but this is
also fraught with risks of increased threats from hackers and others who could
access the software to commit frauds/crimes.
(x) Higher impact due to intentional or unintentional acts of internal
employees: Employees in a technology environment are the weakest link in
an enterprise. Employees are expected to be trusted individuals and are
granted extended privileges, which can easily be abused.
(xi) New social engineering techniques employed to acquire confidential
credentials: Fraudsters use new social engineering techniques such as
socializing with employees and extracting information which is used for
committing frauds. For example, extracting information about passwords
from staff by posing as a genuine customer and using it to commit frauds.
(xii) Need for governance process to adequately manage technology and
information security: Controls in systems should be implemented from a macro
and business perspective and not just from a function and technology
perspective. With BPA, technology becomes the key enabler for the
organization and is implemented across the organization. The senior
management should be involved in directing how technology is deployed
and approve appropriate policies; this requires a governance process to
implement security as required.
(xiii) Need to ensure continuity of business process in the event of major
exigencies: The high dependency on technology makes it imperative to
ensure resilience, so that failure does not impact the organization's
services. Hence a documented business continuity plan with adequate
technology and information systems should be planned, implemented and
monitored.
C. Data related risks: The primary concern of any organization should be its data
because it is often a unique resource. All data and applications are susceptible to
disruption, damage and theft. Data related risks include unauthorized
implementation and/or modification of data and software and are discussed below:
(i) Data diddling: This involves the change of data before or after they are entered
into the system. Limited technical knowledge is required for data diddling, and
the worst part is that it occurs before computer security can protect
the data.
(ii) Bomb: A bomb is a piece of bad code deliberately planted by an insider or
supplier of a program. A bomb is triggered by a logical event or is time based.
The bomb explodes when the triggering condition is fulfilled, causing the
damage immediately. However, these programs cannot infect other
programs; the chances of a widespread epidemic are relatively low.
(iii) Christmas card: It is a well-known example of a trojan and was detected on the
internal email of IBM systems. On typing the word ‘Christmas’ it will draw the
Christmas tree as expected, but in addition it will send copies of similar output
to all the other users connected to the network. Because of this message on
the other terminals, other users cannot save their half-finished work.
(iv) Worm: A worm does not require a host program like a trojan to relocate itself;
thus the program copies itself to another machine on the network. Since
worms are stand-alone programs, they can be detected easily in
comparison to trojans and computer viruses. Examples of worms are
existential worms, alarm clock worms etc. The alarm clock worm places wake-up
calls on a list of users. It passes through the network to an
outgoing terminal, while the sole purpose of the existential worm is to remain alive.
The existential worm does not cause damage to the system, but only copies itself
to several places in a computer network.
(v) Rounding down: This refers to rounding off small fractions of a denomination
and transferring these small fractions into an authorized account. Since the amount
is small, it rarely gets noticed.
(vi) Salami techniques: This involves slicing off small amounts of money from a
computerized transaction or account. A salami technique is slightly different
from the rounding technique in the sense that a fixed amount is deducted. For
example, in the rounding off technique, Rs.2123456.39 becomes
Rs.2123456.40, while in the salami technique the transaction amount
Rs.2123456.39 is truncated to either Rs.2123456.30 or Rs.2123456.00
depending upon the logic.
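A reconciliation check for the rounding-down and salami techniques just described, added here as an example and not part of the original text: it recomputes what the documented rounding rule should have posted for each transaction, flags every posting that differs, and totals the residue so that many small slices become one visible number. The rounding policy (nearest 10 paise, half up, matching the Rs.2123456.39 to Rs.2123456.40 example) and the sample postings are constructed.

```python
"""Reconciliation check for rounding-down and salami residues.

Added example, not from the original text. For each posted transaction it
recomputes the amount the documented rounding policy should have produced,
flags any posting that differs, and totals the shortfall. The rounding policy
(nearest 10 paise, half up, as in the text's Rs.2123456.39 -> Rs.2123456.40
example) and the sample postings are constructed for illustration.
"""
from decimal import Decimal, ROUND_HALF_UP

ROUNDING_UNIT = Decimal("0.1")   # documented policy: round to the nearest 10 paise
DISPLAY = Decimal("0.01")        # amounts are posted with two decimals


def policy_amount(exact):
    """Amount the documented rounding policy produces for an exact value."""
    rounded = Decimal(exact).quantize(ROUNDING_UNIT, rounding=ROUND_HALF_UP)
    return rounded.quantize(DISPLAY)


def truncated_amount(exact, unit):
    """What a truncating (salami) routine posts: always rounds down to `unit`."""
    unit = Decimal(unit)
    return (Decimal(exact) // unit) * unit


def reconcile(postings):
    """postings: iterable of (txn_id, exact_amount, posted_amount) as strings.

    Returns (findings, total_residue). A finding is recorded for every posting
    that differs from the policy amount; the residue is the value that left the
    customer's side of the transaction but was not posted to it.
    """
    findings = []
    total = Decimal("0")
    for txn_id, exact, posted in postings:
        expected = policy_amount(exact)
        residue = expected - Decimal(posted)
        if residue != 0:
            findings.append((txn_id, str(expected), posted, str(residue)))
            total += residue
    return findings, total


# Constructed postings: the text's example amount and a few others.
POSTINGS = [
    ("T1", "2123456.39", "2123456.40"),   # correct per policy
    ("T2", "2123456.39", "2123456.30"),   # truncated to 10 paise
    ("T3", "2123456.39", "2123456.00"),   # truncated to the rupee
    ("T4", "1000.05", "1000.10"),         # correct (half rounds up)
    ("T5", "1000.05", "1000.00"),         # truncated
]

if __name__ == "__main__":
    found, total = reconcile(POSTINGS)
    for txn_id, expected, posted, residue in found:
        print(f"{txn_id}: expected {expected}, posted {posted}, residue {residue}")
    print("total residue:", total)
```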
(vii) Trap doors: Trap doors allow insertion of specific logic such as program
interrupts that permit a review of data. They also permit insertion of
unauthorized logic.
(viii) Spoofing: A spoofing attack involves forging one’s source address. One
machine is used to impersonate the other in the spoofing technique. Spoofing
occurs only after a particular machine has been identified as vulnerable. A
penetrator makes the user think that she/he is interacting with the operating
system. For example, a penetrator duplicates the login procedure, captures
the user’s password, attempts a system crash and makes the user log in
again.
(ix) Asynchronous Attacks: They occur in many environments where data can be
moved asynchronously across telecommunication lines. These kinds of attacks
make use of the timing difference between the time when the data is input
to the system and the time when it gets processed by the
system. Data waiting to be transmitted is liable to unauthorized access,
called an Asynchronous Attack. These attacks are hard to detect because they
are usually very small pin-like insertions and are of the following types:
 Data leakage: This involves leaking information out of the computer
by means of dumping files to paper or stealing computer reports or
tape.
 Subversive attacks: These can provide intruders with important
information about messages being transmitted and the intruder may
attempt to violate the integrity of some components on the
sub-system.
 Wire-Tapping: This involves spying on information being transmitted
over communication network.
 Piggybacking: This is the act of following an authorized person
through a secured door or electronically attaching to an authorized
telecommunication link that intercepts and alters transmissions. This
involves intercepting communication between the operating system
and the user and modifying them or substituting new messages.
RISK MANAGEMENT STRATEGIES
Risk analysis is defined as the process of identifying security risks and determining their
magnitude and impact on an organization. Effective risk management begins with a clear
understanding of an enterprise’s risk appetite and identifying high-level risk exposures.
Unacceptably high levels of risk can be controlled by designing and implementing
adequate proactive controls.
Risk management is the process of assessing risks, taking steps to reduce risk to an
acceptable level and maintaining that level of risk. Risk management involves identifying,
measuring and minimizing uncertain events affecting resources.
But it is not always appropriate to counter risks by implementing controls, because
controls involve cost. After defining risk appetite and identifying risk exposure, strategies
for managing risk can be set and responsibilities clarified. Based on this, senior management
may choose to take up any of the following risk management strategies in isolation or
in combination as required:

 Tolerate/Accept the risk: One of the primary functions of management is
managing risk. Some risks may be considered minor because their impact and
probability of occurrence are low. In this case, consciously accepting the risk as a
cost of doing business is appropriate. The risks should be reviewed periodically to
ensure that their impact remains low. A common example of risk acceptance is
planning for potential production delays (within a reasonable time range), since it’s
often difficult to predict a precise delivery schedule in advance.
 Terminate/eliminate the risk: Especially in the case of risks that have high
probability and impact values, it may be best to modify the project strategy to
avoid them altogether. For example, it is possible for a risk to be associated with the
use of a technology, supplier, or vendor. The risk can be eliminated by replacing the
technology with more robust products and by seeking more capable suppliers and
vendors.
 Transfer/share the risk: Risk mitigation approaches can be shared with trading
partners and suppliers. A good example is outsourcing infrastructure management.
In such a case the supplier mitigates the risks associated with managing the IT
infrastructure by being more capable and having access to more highly skilled staff
than the primary organization. Risk also may be mitigated by transferring the cost
of realized risk to an insurance provider.
 Treat/mitigate the risk: Where other options have been eliminated, suitable
controls must be devised and implemented to prevent the risk from manifesting
itself or to minimize its effects. A good example of risk mitigation is planning for
the eventuality that an enterprise won’t have sufficient capacity or supplies to
deal with a very high demand. In that case, the enterprise should have a mitigation
strategy in place that allows it to rapidly scale its capacity, or to subcontract
some of the work to other parties to meet the high demand.

Enterprise Risk Management (ERM)


In implementing controls, it is important to adopt a holistic and comprehensive approach.
Hence ideally it should consider the overall business objectives, processes, organization
structure, technology deployed and the risk appetite. Based on this, an overall risk management
strategy has to be adopted, which should be designed and promoted by top management
and implemented at all levels of enterprise operations as required in an integrated manner.
Regulations require enterprises to adopt a risk management strategy which is appropriate
for the enterprise. Hence the type of controls implemented in information systems in an
enterprise would depend on this risk management strategy.
The Sarbanes-Oxley Act (SOX) in the US, which focuses on the implementation and review of
internal controls relating to financial audit, highlights the importance of evaluating the
risks, security and controls related to financial statements. In an IT environment, it is
important to understand whether relevant IT controls are implemented. How controls are
implemented would depend on the overall risk management strategy and the risk appetite
of the management.
Enterprise Risk Management (ERM) may be defined as a process, effected by an entity’s
board of directors, management and other personnel, applied in strategy setting and across the
enterprise, designed to identify potential events that may affect the entity, and manage risk
to be within its risk appetite, to provide reasonable assurance regarding the achievement of
the entity’s objectives.
The underlying premise of enterprise risk management is that every entity, whether for
profit or not or a governmental body, exists to provide value for its stakeholders. All
entities face uncertainty, and the challenge for management is to determine how much
uncertainty the entity is prepared to accept as it strives to grow stakeholder value.
Uncertainty presents both risk and opportunity, with the potential to erode or enhance
value. ERM provides a framework for management to effectively deal with uncertainty and
the associated risk and opportunity, and thereby enhance its capacity to build value.
It is important for management to ensure that the enterprise risk management strategy
considers the implementation of information systems and their associated risks. IT
security and controls are a sub-set of the overall enterprise risk management strategy and
encompass all aspects of activities of the enterprise.
ERM in a business includes the methods and processes used by organisations to manage risks
and seize the opportunities related to the achievement of their objectives. ERM is a
common framework applied by business management and other personnel to identify
potential events that may affect the enterprise, manage the associated risks and
opportunities, and provide reasonable assurance that an enterprise’s objectives will be
achieved.
Benefits of Enterprise Risk Management

 Align risk appetite and strategy: Risk appetite is the degree of risk, on a broad-based
level, that an enterprise is willing to accept in pursuit of its goals. Management
considers the entity’s risk appetite first in evaluating strategic alternatives, then in
setting objectives aligned with the selected strategy and in developing mechanisms
to manage the related risks.
 Link growth, risk and return: Entities accept risk as a part of value creation and
preservation, and they expect return commensurate with the risk. ERM provides an
enhanced ability to identify and assess the risks and establish acceptable level of risk
relative to growth and return objectives.
 Enhance risk response decisions: ERM provides the rigor to identify and select
among the alternative risk responses- risk avoidance, reduction, sharing and
acceptance. ERM provides methodologies and techniques for making these
decisions.
 Minimize operational surprises and losses: Entities have enhanced capability to
identify potential events assess risk and establish responses thereby reducing the
occurrence of surprises and related cost or losses.
 Identify and manage cross enterprise risks: Every entity faces a myriad of risks
affecting different parts of enterprise. Management needs to not only manage
individual risks but also understand interrelated impacts.
 Provide integrated responses to multiple risks: Business processes carry many
inherent risks, and ERM enables integrated solutions for managing the risks.
 Seize opportunities: Management considers potential events rather than just risk,
and by considering a full range of events, management gains an understanding of
how certain events represent opportunities.
 Rationalize capital: More robust information on entity’s total risk allows
management to assess more effectively overall capital needs and improve capital
allocation.
Enterprise risk management framework
ERM provides a framework for risk management which typically involves identifying the
events or circumstances relevant to an organization’s objectives, assessing them in terms of
likelihood and magnitude of impact, determining a response strategy and monitoring
progress. Various potential threats to computer systems affect the Confidentiality, Integrity
and Availability of data and computer systems; for successful continuity of business it is very
essential to evaluate these potential threats and control them so as to minimize the impact
of these threats to an acceptable level. By identifying and proactively addressing risks and
opportunities, business enterprises protect and create value for their stakeholders,
including owners, employees, customers, regulators and society overall.
ERM is a risk-based approach which includes methods and processes used by organizations
to manage risks. ERM provides a framework for risk management which involves:

 Identifying potential threats or risks
 Determining how big a threat or risk is, what could be its consequence, its impact,
etc.
 Implementing controls to mitigate the risks.
ERM framework consists of eight inter-related components that are derived from the way
management runs a business and are integrated with the management process. These
components are as follows:
(i) Internal environment: The internal environment encompasses the tone of an
organization and sets the basis for how risk is viewed and addressed by an
entity’s people, including risk management philosophy and risk appetite,
integrity and ethical values, and the environment in which they operate.
Management sets a philosophy regarding risk and establishes a risk appetite.
The internal environment sets the foundation for how risk and control are
viewed and addressed by an entity’s people. The core of any business is its
people, their individual attributes, including integrity, ethical values and
competence, and the environment in which they operate. They are the engine
that drives the entity and the foundation on which everything rests.
(ii) Objective setting: Objectives should be set before management can identify
events potentially affecting their achievement. ERM ensures that management
has a process in place to set objectives and that the chosen objectives support
and align with the entity’s mission/vision and are consistent with the entity’s risk
appetite.
(iii) Event Identification: Potential events that might have an impact on the entity
should be identified. Event identification includes identifying factors, internal and
external, that influence how potential events may affect strategy
implementation and achievement of objectives. It includes distinguishing
between potential events that represent risks, those representing
opportunities and those that may be both. Opportunities are channelled back to
management’s strategy or objective setting processes. Management identifies
inter-relationships between potential events and may categorize events to create
and reinforce a common risk language across the entity and form a basis for
considering events from a portfolio perspective.
(iv) Risk Assessment: Identified risks are analysed to form a basis for determining
how they should be managed. Risks are assessed on both an inherent and a
residual basis, and the assessment considers both risk likelihood and impact. A
range of possible results may be associated with a potential event, and
management needs to consider them together.
(v) Risk Response: Management selects an approach or set of actions to align
assessed risks with the entity’s risk tolerance and risk appetite, in the context of
the strategy and objectives. Personnel identify and evaluate possible responses
to risks, including avoiding, accepting, reducing and sharing risk.
(vi) Control activities: Policies and procedures are established and executed to help
ensure that the risk responses that management selected are effectively carried
out.
(vii) Information and communication: Relevant information is identified, captured
and communicated in a form and time frame that enables people to carry out
their responsibilities. Information is needed at all levels of an entity for
identifying, assessing and responding to risk. Effective communication also
should occur in a broader sense, flowing down, across and up the entity.
Personnel need to receive clear communications regarding their roles and
responsibilities.
(viii) Monitoring: The entire ERM process should be monitored, modifications made
as necessary. In this way, the system can react dynamically, changing as
conditions warrant. Monitoring is accomplished through ongoing management
activities, separate activities of the ERM processes or a combination of both.

CONTROLS
CONTROL is defined as policies, procedures, practices and organization structures that are
designed to provide reasonable assurance that business objectives are achieved and
undesired events are prevented or detected and corrected. The main objectives of
information controls are safeguarding of assets, maintenance of data integrity,
effectiveness in achieving organizational objectives, and efficient consumption of resources.
Controls include things like practices, policies, procedures, programs, techniques,
technologies, guidelines, and organizational structures.
Example 1.6: Purchase to Pay (P2P) - Given below is a simple example of controls for the
Purchase to Pay cycle, which is broken down into four main components as shown in Fig.
1.6.1 (the P2P cycle is explained in a later part of the chapter).
 Purchases: When an employee working in a specific department wants to purchase
something required for carrying out the job, he/she will submit a purchase
requisition (PR) to a manager for approval. Based on the approved PR, a
purchase order (PO) is raised. The PO may be raised manually and then input into
the computer system or raised directly by the computer system.
 Goods receipt: The PO is then sent to the vendor, who will deliver the goods as per
the specifications mentioned in the PO. When the goods are received at the
warehouse, the receiving staff checks the delivery note, PO number etc. and
acknowledges the receipt of the material. Quantity and quality are checked and any
unfit items are rejected and sent back to the vendor. A goods receipt note (GRN) is
raised indicating the quantity received. The GRN may be raised manually and then
input into the computer system or raised directly by the computer system.
 Invoice processing: The vendor sends the invoice to the accounts payable
department, who will input the details into the computer system. The vendor invoice
is checked with the PO to ensure that only the goods ordered have been invoiced and
at the negotiated price. Further, the vendor invoice is checked with the GRN to
ensure that the invoiced quantity has actually been received.
 Payment: If there is no mismatch between the PO, GRN and the vendor invoice, the
payment is released to the vendor based on the credit period negotiated with the
vendor.
Based on the mode of implementation, these controls can be manual, automated or
semi-automated. The objective of a control is to mitigate the risk.
 Manual control: Manually verify that the goods ordered in the PO are received in good
quality and the vendor invoice reflects the quantity and price that are as per the PO.
 Automated control: The above verification is done automatically by the computer
system by comparing (D), (E) & (F) and highlighting exceptions.
 Semi-automated control: Verification of goods receipt (E) with PO (D) could be
automated, but the vendor invoice matching could be done manually in a
reconciliation process (G).
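The automated control above, comparing the PO (D), GRN (E) and vendor invoice (F) and holding payment whenever an exception is raised, as an added example that is not part of the original text. The document layouts, the zero price tolerance and the sample records are constructed assumptions.

```python
"""Automated three-way match for the Purchase to Pay cycle.

Added example, not from the original text. It implements the automated control
described in the text: compare the PO (D), the GRN (E) and the vendor invoice
(F) and highlight exceptions instead of releasing payment. Document layouts,
tolerance and sample records are constructed for illustration.
"""
from decimal import Decimal

# Constructed policy: no variance between invoiced and PO price is tolerated.
PRICE_TOLERANCE = Decimal("0.00")


def three_way_match(po, grn, invoice):
    """Return a list of exception strings; an empty list means the match is clean.

    po:      {item: {"qty": Decimal ordered, "price": Decimal agreed}}   (D)
    grn:     {item: Decimal quantity accepted at the warehouse}            (E)
    invoice: {item: {"qty": Decimal billed, "price": Decimal billed}}    (F)
    """
    exceptions = []
    for item, line in invoice.items():
        if item not in po:
            exceptions.append(f"{item}: invoiced but not on PO")
            continue
        # Price check, invoice against PO (F vs D).
        if abs(line["price"] - po[item]["price"]) > PRICE_TOLERANCE:
            exceptions.append(
                f"{item}: invoiced price {line['price']} != PO price {po[item]['price']}")
        # Quantity check, invoice against GRN (F vs E): never pay for more than received.
        received = grn.get(item, Decimal("0"))
        if line["qty"] > received:
            exceptions.append(
                f"{item}: invoiced qty {line['qty']} > received qty {received}")
        # Quantity check, invoice against PO (F vs D): never pay for more than ordered.
        if line["qty"] > po[item]["qty"]:
            exceptions.append(
                f"{item}: invoiced qty {line['qty']} > ordered qty {po[item]['qty']}")
    return exceptions


def payable_amount(po, grn, invoice):
    """Amount to release: the invoice total if the match is clean, else None (held)."""
    if three_way_match(po, grn, invoice):
        return None
    return sum(line["qty"] * line["price"] for line in invoice.values())


# Constructed sample documents for one purchase order.
PO = {"A100": {"qty": Decimal("10"), "price": Decimal("250.00")},
      "B200": {"qty": Decimal("5"), "price": Decimal("1200.00")}}
GRN = {"A100": Decimal("10"), "B200": Decimal("4")}   # one B200 unit rejected at receipt
INVOICE_OK = {"A100": {"qty": Decimal("10"), "price": Decimal("250.00")},
              "B200": {"qty": Decimal("4"), "price": Decimal("1200.00")}}
INVOICE_BAD = {"A100": {"qty": Decimal("10"), "price": Decimal("260.00")},  # price creep
               "B200": {"qty": Decimal("5"), "price": Decimal("1200.00")},  # billed for rejected unit
               "C300": {"qty": Decimal("1"), "price": Decimal("99.00")}}    # never ordered

if __name__ == "__main__":
    print("clean invoice payable:", payable_amount(PO, GRN, INVOICE_OK))
    for exc in three_way_match(PO, GRN, INVOICE_BAD):
        print("exception:", exc)
```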
Importance of IT controls
An IT control objective is defined as “A statement of the desired result or purpose to be
achieved by implementing control procedures within a particular IT activity”. Implementing
the right type of controls is the responsibility of management. Controls provide a clear policy and
good practice for directing and monitoring the performance of IT to achieve enterprise
objectives. IT controls perform a dual role, which is as follows:
(i) They enable the enterprise to achieve objectives; and
(ii) They help in mitigating risks.
Many issues drive the need for implementing IT controls. These range from the need to
control costs to remain competitive to the need for compliance with internal and external
governance. IT controls promote reliability and efficiency and allow the organization to
adapt to changing risk environments. Any control that mitigates or detects fraud or cyber
attacks enhances the organization’s resiliency because it helps the organization uncover the
risk and manage its impact. Resiliency is a result of a strong system of internal controls,
which enables a well-controlled organization to manage challenges or disruptions
seamlessly.
Applying IT controls
It is important for an organization to identify controls as per its risk management strategy. For
example, the way banking is done in a nationalized bank is the traditional way, with the right
organization structure of managers at different levels, officers and clear demarcation
between departments and functions, whereas in a private sector bank the organization structure is
organized around customers and focused on relationship banking.
A common classification of IT controls is General controls and application controls. General
controls are macro in nature and are applicable to all applications and data resources.
Application controls are controls which are specific to the application software such as
payroll, accounts payable and billing, etc.
 Information security policy: An information security policy is the statement of intent
by the senior management about how to protect a company’s information assets.
The security policy is a set of laws, rules and practices that regulates how assets
including sensitive information are managed protected and distributed within the
user organization. The security policy is approved by the senior management and
encompasses all areas of operations across the enterprise and the other
stakeholders.
 Administration, Access and Authentication: Access controls are measures taken to
ensure that only authorized persons have access to the system and to the actions they can
take. IT should be administered with appropriate policies and procedures clearly
defining the levels of access to information and authentication of users.
 Separation of IT functions: Secure development of IT requires the organization to
have a separate IT organization structure with clear demarcation of duties for different
personnel within the IT department, and to ensure that there are no segregation of duties
conflicts.
 Management of systems acquisition and implementation: Management should
establish acquisition standards that address the security, functionality and
reliability issues related to systems acquisition. Hence the process of acquisition and
implementation of systems should be properly controlled.
 Change management: Deployed IT solutions and their various components must be
changed in tune with changing needs arising from changes in the technology environment,
business processes, regulatory and compliance requirements and the changing needs of the
user. These changes impact the live environment of the organization. Hence a change
management process should be implemented to ensure a smooth transition to the
new environment, covering all key changes including hardware, software and
business processes. All changes must be properly approved by the management and
tested before implementation.
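The separation-of-duties and change-management controls above are easiest to see as concrete checks. The following is an added example, not code from these notes: it flags users holding conflicting IT roles and change records that were not approved and tested by someone other than the requester or implementer. The role names, conflict pairs and sample records are constructed assumptions for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed: pairs of IT duties that one person should not hold at the same time.
SOD_CONFLICTS = {
    frozenset({"developer", "production_deployer"}),
    frozenset({"change_requester", "change_approver"}),
    frozenset({"security_admin", "security_auditor"}),
}

def sod_violations(assignments: dict[str, set[str]]) -> dict[str, list[frozenset]]:
    """Return, per user, every conflicting role pair that the user holds in full."""
    return {user: [pair for pair in SOD_CONFLICTS if pair <= roles]
            for user, roles in assignments.items()
            if any(pair <= roles for pair in SOD_CONFLICTS)}

@dataclass
class Change:
    change_id: str
    requested_by: str
    approved_by: str | None   # None means no management approval recorded
    tested: bool              # True only if tested before implementation
    implemented_by: str

def change_control_issues(change: Change) -> list[str]:
    """List the ways a change record breaks the approve-and-test-before-implement rule."""
    issues = []
    if change.approved_by is None:
        issues.append("not approved by management")
    elif change.approved_by == change.requested_by:
        issues.append("requester approved own change")
    if change.approved_by is not None and change.approved_by == change.implemented_by:
        issues.append("approver implemented own change")
    if not change.tested:
        issues.append("not tested before implementation")
    return issues

# Constructed sample data: alice holds a conflicting pair; CHG-2 bypasses all gates.
SAMPLE_ASSIGNMENTS = {
    "alice": {"developer", "production_deployer"},
    "bob": {"developer"},
    "carol": {"change_approver"},
}
SAMPLE_CHANGES = [
    Change("CHG-1", requested_by="bob", approved_by="carol", tested=True, implemented_by="bob"),
    Change("CHG-2", requested_by="alice", approved_by="alice", tested=False, implemented_by="alice"),
]

if __name__ == "__main__":
    print("SoD violations:", sod_violations(SAMPLE_ASSIGNMENTS))
    for c in SAMPLE_CHANGES:
        print(c.change_id, change_control_issues(c) or "OK")
```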
 Backup, recovery and business continuity: Heavy dependence on IT critically
makes it imperative that the resilience of the organization's operations be ensured
by having appropriate business continuity arrangements, including backup, recovery and an off-site
data centre. Business continuity controls ensure that an organization can prevent
interruptions (violations) and that processing can be resumed within an acceptable period of
time.
 Proper development and implementation of application software: Application
software drives the business processes of the organization. Where these solutions are
developed and implemented, they must be properly controlled by using a standard software
development process. Controls over software development and implementation
ensure that the software is developed according to the established policies and
procedures of the organisation. These controls also ensure that systems are
developed within budget and within the budgeted time, that security measures are duly
incorporated, and that quality and documentation requirements are maintained.
 Confidentiality, integrity and availability of software and data files:
Security is implemented to ensure the confidentiality, integrity and availability (CIA) of
information. Confidentiality refers to the protection of critical information to ensure
that information is only available to the persons who have the right to see the same