A Real Customer Case Study: The Importance of Governance in RPA

June 12, 2019

Robotic Process Automation (RPA) has proven itself as an accessible and affordable way for organizations to tackle repetitive, low added-value tasks. As a consequence, organizations have begun to invest heavily in RPA, capitalizing on the speed and simplicity of deploying it. The Finance and Operations departments often spearhead this advancement without including the IT departments.

In this blog post, we interview Marcelo Albajari, our Development and RPA Services Practice Director, about the experience a client went through in their RPA implementation.


Can you share a little background on the Company?

The company is the largest fast-service restaurant chain in Latin America and the Caribbean. The company operates or franchises more than 2,200 restaurants with more than 90,000 employees, and is known as one of the best companies to work for in Latin America.


Can you share a little background on the project?

Our main stakeholder, the IT Director of the company, discovered several business owners had executed automation projects without the IT department’s involvement or approval, funding the activities with their own budgets and without even notifying IT about the initiatives.

This was done as a proactive activity from those business owners who could not afford to wait for the next yearly round of evaluation for candidate projects, which is the official process in the company to define and fund the projects that will be executed during the year.

Our client recognized the need to leverage the benefits of RPA technology as soon as possible and eagerly joined the automation initiatives, but requested that those projects be put back on track and modified as needed to stay compliant with IT policies.

But when he began to analyze what policies had to be followed, he realized he needed an updated governance plan specifically for automation projects.


What were the reasons behind their desire to implement RPA?

Business owners attend conferences and participate in industry forums where RPA is heavily analyzed and discussed.

Cost reductions and efficiency improvements were among the most important benefits to achieve; better-quality service and compliance adherence were later found to be very important goals as well.


What were the challenges that they faced?

Automated processes (usually referred to by the fancy name of “robots”) imitate the actions carried out by a human user to complete an activity, like entering an invoice into an application, or downloading files from different sources to consolidate a period closure report.

In order to be able to do that, robots hold passwords and system access credentials and have access to sensitive personal and company information.

The IT department has strict rules about how all types of security threats are handled and has some very specific processes that apply to system security, like password requirements, periodic re-generation, the prohibition on sharing passwords, tools to securely store the passwords, etc. It also has many processes that define how systems must log all types of user activities as well as login attempts, login failures, password changes, etc.

Without considering security policies or letting IT know, the business departments gave robot processes the same system credentials and passwords used by human users. They thought that if John Doe enters invoices, a robot that does the same job could use the same user and password as John Doe, as it was doing the same activity.

This is, by all means, a false statement. A human user is different than an automated process, even if the two of them accomplish the same task.

What if an automated process is modified without authorization and the transactions entered are subject to fraudulent modification?

What if fake invoices are entered by an automated process that was tweaked to do that?

What if the real human user approves payment for an amount higher than he’s allowed to, and then blames the robot who uses his same credentials?

From every security and audit perspective, both parties are different and need to be tracked differently.

How did they address these challenges?

Our project sponsor is a real team player who recognizes the role of IT as a business partner and is willing to help business owners succeed in their roles through the use of technology.

When he found out about the automation projects, he never considered censuring the initiatives under the claim that they did not adhere to IT standards. Instead, he decided to help and make those processes better.

He asked IT Convergence to help him define rules for all the processes that relate to project implementation, like methodology, build standards, audit requirements, escalation, infrastructure, software license optimization, security, version control, and many others.

We participated in many meetings to understand the current policies in place for similar projects, then evaluated the adjustments required to cover automation projects, generated different alternatives, evaluated pros and cons, submitted them for internal discussion, and finally helped promote them.

Then a subsequent project was approved to apply the necessary fixes to the already developed automations to make them compliant with the new policies.


What are your key recommendations for companies in a similar situation?

If you face the same situation, where your business departments are ahead of IT and start automating processes without IT participation, you can still get back on track by defining the governance plan for automation processes and then adjusting the already existing processes as needed.

If you haven’t already started working on automation, define your policies now and apply them from the very first moment. This will help you save money and time and eliminate risks and security threats.


Start your RPA journey on the right foot

We know you are eager to apply RPA to your operations and see all the benefits that automation can provide to your company, but rushing to implement any technology can be problematic. In order to do things right, companies need to assess their automation needs and carefully select the processes that represent the best fit for RPA.



Marcelo Albajari

Marcelo Albajari is our Development Services Strategic Consulting Director.
