Who Is Watching the Bots? Part 2 – Operational Challenges (and Solutions)

Tony Abel, Managing Director Sustainable Operations Lead
Ben Franjesevic, Associate Director Internal Audit and Financial Advisory

A lot of organizations are beginning to realize the value of deploying robotic process automation (RPA) to perform high-volume, repetitive tasks that were previously performed by human users. Properly managed, RPA allows companies to scale operations and increase productivity. RPA comes with its own set of operational challenges, however, that must be considered.

In Part 1 of our discussion we highlighted the importance of RPA governance as a foundational element of an RPA program. Here, we consider some of the tactical hurdles that can arise with the deployment of bots, including challenges related to security, change management and business continuity.


Poorly managed bots can negatively impact the confidentiality, integrity or availability of the information stored and processed by an organization. This applies not only to the infrastructure components that support the RPA environment — servers, databases, virtual machines and orchestration technology — but also to the passwords and permissions of the accounts that bots use to interact with applications and systems.

For example, a user with knowledge of a bot’s account credentials could potentially use the bot’s account to circumvent important controls, such as the segregation of incompatible duties, which could result in unauthorized or fraudulent activity. Further, if passwords to bot accounts are not well controlled, it can be difficult to figure out who actually logged into the bot’s account and was responsible for any inappropriate activity. The impact of inadvertent or fraudulent activity performed through a bot can be significantly greater, given the processing speeds that can be achieved. For instance, fraudulent payments could be processed at a rate significantly faster than the traditional, manual equivalent.

To help address these risks, bot accounts should be included in periodic access reviews to verify that assigned access is appropriate and remains so. Similarly, any human interaction with bots should be tracked via a check-in/check-out mechanism, such as a password vault, and monitored for inappropriate activity.
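One way to monitor the check-in/check-out control described above, shown as an added example that is not part of the original article: each login to a bot account is matched against the vault's check-out records so that it can be attributed to a named person or flagged. The account name, hosts, record fields and the four-hour holding limit are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample records; field layout and names are assumptions.
CHECKOUTS = [  # (bot account, human user, checked out, checked in)
    ("svc-bot-ap01", "jdoe", "2024-03-04T09:00", "2024-03-04T09:30"),
    ("svc-bot-ap01", "asmith", "2024-03-04T14:00", None),  # never checked in
]
LOGINS = [  # (bot account, source host, login time)
    ("svc-bot-ap01", "rpa-runner-01", "2024-03-04T02:00"),  # scheduled bot run
    ("svc-bot-ap01", "wks-1042", "2024-03-04T09:10"),
    ("svc-bot-ap01", "wks-2210", "2024-03-04T11:45"),
    ("svc-bot-ap01", "wks-3307", "2024-03-05T08:00"),
]
RUNNER_HOSTS = {"rpa-runner-01"}  # hosts the bot itself logs in from
MAX_CHECKOUT_HOURS = 4            # assumed limit for holding a bot credential


def _ts(value):
    return datetime.fromisoformat(value)


def reconcile(logins, checkouts, runner_hosts=RUNNER_HOSTS,
              max_hours=MAX_CHECKOUT_HOURS):
    """Attribute each human login on a bot account to a vault check-out."""
    results = []
    for account, host, when in logins:
        if host in runner_hosts:
            continue  # the bot's own automated session, not human use
        t = _ts(when)
        status, user = "unattributed", None
        for acct, holder, out, back in checkouts:
            if acct != account or t < _ts(out):
                continue
            if back is not None:
                if t <= _ts(back):  # inside a closed check-out window
                    status, user = "attributed", holder
                    break
            elif t - _ts(out) <= timedelta(hours=max_hours):
                status, user = "attributed", holder
                break
            else:  # credential held past the limit without check-in
                status, user = "stale-checkout", holder
        results.append((when, host, status, user))
    return results


if __name__ == "__main__":
    for row in reconcile(LOGINS, CHECKOUTS):
        print(row)
```

Logins reported as unattributed or stale-checkout are the ones where it cannot be established who actually used the bot's account, and are the entries to route to review.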

Managing Change

RPA has been marketed as an easy-to-use, plug-and-play, out-of-the-box solution that users can configure and operate with minimal training. However, just because RPA can be quick and easy to implement doesn’t mean it should be managed with a lesser degree of rigor than what is applied to the development and implementation of other technologies. This applies not only at the program level, but also on a bot-by-bot basis.

For instance, it’s important that organizational change is well managed, and that communication and training are used to educate end users about changes and intended consequences resulting from an RPA implementation. Without building awareness and understanding, users whose work duties are being automated may not understand that they are not being replaced, but rather that their attention is being shifted to other, more value-adding activities. Failure to manage organizational change can result in pushback from employees and suboptimal return on investment.

Additional change management control points include performing a sufficient level of testing to confirm that bots meet user requirements and obtaining appropriate approval through existing change forums, such as a Change Advisory Board, prior to implementing bots into production. These control points can help to prevent disruptions to the organization by allowing only bots that are operating as expected to be deployed. They also prompt consideration of the upstream and downstream impact both of implementing bots and of implementing changes to the systems that bots interact with.

Business Continuity

As bots become more common, it becomes more important to manage them to minimize disruption and to be able to recover in a timely manner from any disruptions that do occur. If a bot, its supporting infrastructure, or the applications that it interacts with cannot be recovered within an acceptable amount of time, there may be an excessive amount of process downtime resulting in a loss of efficiency and effectiveness. For these reasons, it is important to have controls in place to support the continued operation of bots and the business processes that they support. That means having exception management procedures, incident and problem management processes, and strong (and tested) backup and disaster recovery routines.

This also includes retaining the institutional knowledge required to manually perform the automated tasks in the event that a bot goes down and cannot be restored in an acceptable amount of time. For example, the Process Definition Document (PDD), which is typically created during an RPA development effort, can provide valuable guidance on how to perform a process manually if a bot is unavailable. Other documentation created during bot development can also help with supporting bot operations.

As you can see, there are several operational challenges related to security, change management, and business continuity that an organization may encounter when implementing RPA; however, a thoughtful approach paired with the right controls can position an organization to better address these challenges.

In this and our previous post, we’ve only scratched the surface of RPA considerations. To see how companies are advancing on their RPA journeys and benchmark yourself against peers, download a complimentary copy of our RPA survey from our website.

Learn about Protiviti’s RPA services and read additional RPA-related blog posts on The Protiviti View.
