Robotics: the new outsourcing. What does this mean for your current control structure? What are the new Risks posed to the organisation?
During the 90s and 2000s, those of us old enough will remember the big shift in the processing of tasks from higher cost locations to lower cost locations such as India, the Philippines, Ukraine, Poland etc.
It seemed like every consultancy threw around the term “follow the sun model” to go hand in glove with their outsourcing and cost reduction pitch. Which, simply put, meant that work would be generated in higher cost locations, often in Europe and North America, and then be passed off to lower cost locations, often on the other side of the world, for it to be processed and recorded onto the middle and back office systems. This was termed “follow the sun” because it capitalised on time-zones. Work / production would occur when revenue generators were sleeping, ready for when they returned to the office the next day.
This offshoring model was all well and good for a time; it allowed companies to lower their overhead costs considerably. They could exchange higher cost workers with lower cost ones, and their footprint costs in high rental locations could be traded for locations where rental costs were significantly lower.
Today, however, we have a new wave of cheap labour upon us, brought about by the latest round of technological innovation – namely AI and Robotics. Furthermore, there has been a global shift in the middle class. The worker bees that were once cheap labour in the middle and back offices have now become highly skilled and not so cheap.
As anyone who has been around the corporate block will testify, once those cost targets that you are scrimping, and saving, and stretching to meet have been met, they don’t just go away. The ever greedy corporate capitalist machine just wants more, and more, and more.
So what is the answer to this quandary… how do we seek to get more blood out of the proverbial stone?
Robotic Process Automation (RPA) gives the organisation the ability to go further than just moving operations to a lower cost location. With RPA, tasks that were once done by a human being, or perhaps ten human beings, now have a single computer in their place. Furthermore, that computer is able to operate 24/7. It does not carry the same level of overhead costs, such as a desk, chair, telephone, benefits, retirement, paid time off, and everything else that goes with employing a human being. What’s more, it can be located anywhere in the world with a stable internet connection.
Companies all over the world are starting to realise the benefits of Robotics. We are seeing a mass trend in the market as companies move towards automating their processes, in an effort to (amongst other things) meet cost pressures.
But what does that mean for an organisation’s Risk profile?
What we are talking about here is a fundamental shift in the organisational paradigm. A move from human processing to computer processing. Where once there would be a manager standing over employees, observing and acting as a line of defence, you now have a computer doing everything end-to-end. There are benefits of course, as we have lightly discussed above, but there are also Risks to be aware of and managed appropriately.
1. A removal of segregation of duties
For one, if you are not careful, automation could remove a key risk control – segregation of duties. The old maker vs checker mantra. By having a Bot carry out an entire process end-to-end, with the final process being to send something out the door, record it in a file / document, or post it in a ledger, you lose that sense check along the way. There is a danger that you only realise there is a problem when issues begin to arise, or worst of all, when your customers notice irregularities and give feedback.
2. A loss of specialist process knowledge in the event of disaster recovery
As computers replace humans and humans are taken out of the loop (not in the morbid Terminator sense of course), over time there is a loss of required process knowledge. Of course, when the process was originally created and automated, there were documented procedures. But what happens when the people who created those procedures are long gone? To compound the problem: the process may have gone through several iterations since creation with less than perfect change controls, and it’s now a different beast to what it once was. This has implications from a disaster recovery and continuity management point of view. What do you do if the system goes down? How do you fix things as they break?
This loss of process knowledge should be a real concern for organisations as it presents a real and present risk. Especially given the amount of ransomware out on the market, which may make you, as an organisation, have to go back to the drawing board and start from scratch in the event your systems are compromised.
3. A virtual employee having privileged access that can be manipulated
Cybercrime is not a new concept; it’s almost as old as computers themselves. Bots have an intrinsic extra level of risk: manipulation. Bots are, in essence, virtual workers that can be manipulated to do whatever they are told if someone with the right know-how gets access and tells them.
A large number of the operational roles being replaced with virtual workers are privileged roles. They handle sensitive information and they process that information on behalf of the organisation: posting it into ledgers and making copies for audit purposes. If a malicious hacker can gain access to a Bot with privileged access, then they can also gain the same privileged access rights as the Bot itself. Combined with the two risks discussed above – loss of segregation of duties and loss of specialist process knowledge – this presents a major risk to an organisation. It could be leaving itself open to a highly susceptible virtual worker with a large amount of privileged access rights and limited to no oversight.
4. Man in the middle (MitM) attack
Data is transmitted across servers, different networks or the internet. If not sufficiently encrypted, data could be viewed by other parties. This is called a man in the middle attack, and brings an added layer of complexity to the Robotics conversation.
The increased processing efficiency of Bots and the logs that they create dramatically increase the volume of data that is transmitted. Whether it be onsite, off-site or via the Cloud, companies need to ensure that information is sufficiently masked to prevent unauthorised viewing, and to prevent data integrity from being compromised by anyone seeking to intercept that information or commit malicious acts. This includes protecting data transmitted wirelessly, on a physical network or over the internet.
5. An increase in data processing and need for data storage
Bots generate large amounts of information (far more than a human could) by simply doing what they are designed to do.
For one, they are working 24/7. That increase in processing time in itself creates a larger volume of information, compared to a human that is working an eight hour day, five days a week. But Bots are also creating logs of all the tasks that they are carrying out, for monitoring and Audit purposes. All of this information needs to be stored somewhere, and saved for a certain amount of time. Different jurisdictions have different Regulations dictating the duration that information is required to be stored. But this increase in required storage brings an increase in information security risk, Regulatory risk and operational risk, as well as financial costs that the organisation must manage appropriately.
6. An increase in Regulatory risk when information is passed across national boundaries
Further consideration must be given to the national boundaries that information is now transitioning to and from.
Now you may be saying, “We utilise Cloud based RPA service providers, so the above points do not apply to me”, but you would be wrong.
You as an organisation are still responsible for the integrity and security of the information that you upload onto the Cloud. What your Cloud provider does with that information, including where it’s transferred and stored, is as much your responsibility as if you were transmitting it to an onshore or offshore data centre directly.
A lot of the information transmitted to Bots, or by Bots, for processing will be sensitive in nature. By that, I mean it may contain personally identifiable information, or it may be financially sensitive. Different jurisdictions and nation states have different rules and regulations regarding the type of information allowed to leave their borders.
This brings an added complexity to the processing, transfer and transmission of data that an organisation needs to be conscious of, especially if utilising Cloud based RPA service providers. The location of servers (including back-up servers), encryption of information stored and transmitted, and access provisioning is something the Regulators take very seriously. This presents an equally serious Risk to an organisation.
7. An increase in required processing power and resultant energy usage
Moore’s law notes that the processing capacity of semi-conductors doubles roughly every two years. As we strive for, and transition closer to, coveted true AI and real neural networking, processing capacity increases, while the complexity of tasks that are earmarked for automation also increases.
Moving in tandem with this is the power required to run and operate this increase in processing capability. A good example of this is the amount of power required to mine Bitcoin. 10 years ago, it was a relatively simple process and people were easily doing it from their bedrooms. Bitcoin farming in 2021 has now been suggested to consume more power than Argentina (BBC, 2021). Whilst part of that is due to the increase in scale of operations, part is also due to the increased complexity of the algorithm they are now solving.
The increase in power requirement has both a financial cost and a sustainability cost. Organisations who embark on the Robotics transition will need to be conscious of this, and related Risks surrounding branding and reputation will need to be appropriately managed.
8. An overall increase in information security risk
It boils down to this: the amount of information being transmitted outside of the direct purview of the information owners, or those ultimately responsible, has increased security risks. Efficiency wins, but at the cost of reduced controls.
The way that information is processed, stored, who has access to it, the different layers of security and encryption that are applied, and how this is monitored, needs to be at the forefront of everyone’s minds.
The above list is of course not exhaustive, and will depend on your individual circumstances and situation. It is designed as a starter to get you thinking about the Risks, if venturing down the path of Robotics is something you are considering.
The shift from traditional outsourcing to robotic process automation represents a significant evolution in how organisations manage tasks and reduce costs. While RPA offers unparalleled efficiency, scalability, and cost savings, it also introduces a new set of risks that must not be overlooked.
From the loss of segregation of duties to heightened cybersecurity vulnerabilities and regulatory complexities, these challenges can fundamentally alter an organisation’s risk profile. Risk management is a discipline that needs to be woven into the fabric of the design from the very beginning, as opposed to an afterthought. By integrating robust controls, thorough process documentation, and continuous monitoring, businesses can capitalise on the opportunities RPA offers while safeguarding their operations.
As automation continues to redefine industries, ensuring that risk management is embedded from the outset will be the key to long-term success. It’s not just about adopting the technology but about doing so responsibly, enabling your organisation to put its best foot forward and operate in the most effective way.
Ready to Embrace Robotics While Managing Risks?
At Milbourne Park Associates, we specialise in helping organisations navigate the complexities of robotic process automation while ensuring robust risk management frameworks. Whether you’re just starting your automation journey or looking to optimise your existing RPA strategy, we’re here to guide you.
References:
- BBC. (2021). https://www.bbc.co.uk/news/technology-56012952