Robotic process automation (RPA) today forms part of almost any digital transformation or transformation of business process functions (including outsourced arrangements). Customers are either dipping their toes in smaller-scale RPA, which is intended to affect only a limited number of people or activities within a function or business (micro), or, at the other end of the scale, they are assessing how RPA can change the corporate across entire functions and businesses (macro).
While the technologies pose significant benefits, it is important to consider potential liability issues that attach to an RPA implementation and how such risk can be transferred or mitigated.
RPA is typically deployed to automate a process which involves a high level of repeat transactions, which involve limited to no value-based judgment, and which are replicable within a relatively small number of potential variables, all so as to allow the machine to replace the human. These processes usually involve significant amounts of data, e.g. significant data entry and retrieval from multiple legacy systems, which the process might aggregate and / or use to execute a transaction.
On this basis it should be considered that an algorithm itself could go awry, or variable aspects of the process could be incorrectly configured, or indeed an initial human input could be incorrect. Depending on the process, any one of these issues could require re-work and possibly re-keying, and could of course result in material issues with outputs such as financial calculations. An error could result in customer-facing issues and even regulatory-compliance issues.
Assessing risk - different by design
Introducing RPA will almost certainly mean that a previously largely undefined activity is turned into a process with defined parameters, and which can be audited after execution. It also almost wholly removes human error. Risk downsides to RPA have to be balanced against these very significant, inherent advantages.
Therefore, in and of itself, a properly implemented RPA solution will bring benefits by way of control, oversight, data access and sharing, and audit of transactions. These are amongst the most important issues for any corporate, and its regulator.
The potential downside is as mentioned above: the speed and scale at which deployed robots can execute the relevant process can serve to amplify the disruption that could be caused by a defect. Mistakes quickly become embedded and widely propagated. The removal of direct human involvement means it can also take time for a mistake to come to light, possibly identified by a third party rather than by internal checks.
Risk transfer through contracts?
A difference to a traditional services or outsourcing agreement is that under RPA there is more limited risk transfer to the third party supplier. In respect of ‘micro’ RPA solutions we would expect to see very limited risk transfer indeed, not dissimilar to off-the-shelf commercially available software.
For ‘macro’ RPA solutions, risk transfer may appropriately be closer to an outsourcing arrangement. This will depend on solution characteristics e.g. the extent to which (i) the process has been developed to be bespoke to client needs; or (ii) is largely controlled and configured by the RPA provider, or an RPA integrator which is responsible for the implementation and management of the customer’s RPA solutions; or (iii) the RPA forms a subset of a wider outsourcing or staff augmentation relationship.
Even in these more complex models, the volume risk, which could exponentially increase the impact of a small error, could make suppliers more reticent than under traditional outsourcings to accept risk, and customers may be required to take decisions on risk transfer in the context of issues such as data loss and regulatory breach which they would not otherwise countenance in a usual outsourcing.
Understanding and managing risk
Understanding and contracting for risk remains a key issue for the RPA customer. RPA could be the broken widget which results in very significant challenges for a corporate. It is a great enabler, but the very nature of its potential scale brings these challenges.
Customers should go into these relationships truly understanding potential risks and mitigants:
- Has implementation been appropriately phased and tested before the RPA is switched on in a live environment? These steps will not eradicate all problems, but they will significantly reduce them.
- Do the relevant internal stakeholders have a clear picture of how operations and business outcomes could be affected by errors? In assessing an RPA solution, their decision might be to remain on a manual process if that offers advantages by way of human checks and less scale for major contagion.
- Similarly, is contractual risk allocation with the third party supplier genuinely understood by legal / procurement / the business? Assumptions about which party takes responsibility for errors, based on traditional outsourcing risk positions, could prove to be wrong.
- Are there practical contingency plans and recovery processes in place to deal with an incorrect or out-of-action RPA process? These include the ability to have access to current data, and available workforce for manual intervention.
- Is the service provider appropriately incentivised by the contract to deliver on a thorough implementation, and oversee an ongoing process which identifies and removes errors? Risk allocation still has an important role to play within RPA, and many RPA providers – including the traditional outsourcing players – are still motivated by maintaining long term client relationships.
While RPA itself is the transformation of activity into a largely automated and commoditised process, currently the label RPA covers a wide variety of solutions, each of brings its own specific risks. At the ‘micro’ end of the RPA spectrum, liability issues and risk allocation will largely follow the same considerations as in COTS, cloud and ‘as-a-service’ type arrangements. At the ‘macro’ end of the spectrum, the issue is more complex, and the liabilities potentially significant – which makes understanding risk, and appropriate risk transfer, as important as ever.
Mike Pierides and Simon Lightman, technology and outsourcing partners, Morgan Lewis
Image Credit: Praphan Jampala / Shutterstock