Establishing a Robotic Operating COE: Critical Enablers

While there is a lot of information available to learn how to create and build an automation program, there is less attention paid to the subtle factors that can make or break it.

We refer to these focus areas as critical enablers because they make all the difference. Here, we share some thoughts about why paying special attention to the critical enablers will pay dividends throughout the life of your automation program.


When starting an automation program, it is important to establish a good security strategy as one of the first actions you take. Your RPA platform theoretically has access to your entire infrastructure that supports business processes, so it is critical to take basic precautions and ensure that the platform itself is secure. It goes without saying that you must safeguard the platform so that it cannot be accessed by bad actors, but with RPA, there are other security challenges that do not get as much attention as with traditional system development.

One of the benefits of RPA is the over-the-top nature of how it works. There is no need for integration requiring APIs or other complexities. Simply provide the bot with an account to access a system and train it to log on to complete the work. However, it only functions if you can get the profiles and IDs the bot needs to login to each system used in the business process. This had led companies to underestimate the security challenges with bot credentials. When organizations do not plan for how to handle identity and access management, they quickly learn that internal processes may not adapt very easily to supporting bots.

Some important questions all companies will face in bot identity management include:

  • What type of account should be used to provide bot access, service accounts, end user accounts, etc.?
  • Once an ID is created for the bot, what is the process for providing access to all the systems? In large organizations, there may be thousands of systems, all with unique and often manual processes to grant access.
  • Some systems require self-registration for access, but bots are unable to self-register and should not be trained to request or renew access.
  • Who should manage bot IDs and password renewals?
  • Do Segregation of Duties (SoD) policies need to be adjusted for bots, and if so, to what degree?
  • Some systems have access protocols using techniques such as two-factor authentication, CAPTCHA, and hard tokens. What are the options for enabling bots to access systems with these protocols?
  • Security organizations can be suspicious of RPA and may be concerned about how to control risks associated with bots accessing systems. Does your organization have appropriate policies to govern the access to confidential data, and do they need to adapt to cope with bots?

It is recommended that one of the first things that should be done when starting an automation program is to partner with the Chief Information Security Officer (CISO) and/ or the Identity Management/ Access Management teams. You can address their concerns from the outset, educate them on how the governance process will enhance security, and leverage their experience to design a streamlined bot credentialing process that will enable speed and mitigate risks. Working with security early on will give you the opportunity to ensure you understand any system-specific requirements and policies, work with the CISO to adapt the policies for RPA, and educate application owners on the program.




Development Governance and Approach

The second aspect of establishing frictionless governance is in the development methodology. This is the process you plan to follow to take ideas from inception to production. Much of the traditional focus of development centers on the question about whether to use Waterfall or Agile. However, when considering a development methodology, we advise clients to focus on defining key activities, artifacts, and approvals as the foundation of governing bot development. The process of developing bots works very well in an Agile/ Scrum model, but due to the rapid growth capabilities of RPA, any methodology will work fine.

Here, we illustrate a simple six-step model for developing bots. What is not depicted in this graphic is the concept of key artifacts and approvals.




Coupled with a solid development process is a clear set of key activities to be completed, approvals and other controls to be satisfied, and important documentation and artifacts to create and retain. The combination of a process and governance checklist forms the basis for a clear approach to delivering bots from idea to production.

A customized approach and governance checklist ensures that important best practices are present, as well as incorporating any organization-specific requirements. Defining these important program policies up front will provide a clear set of guidelines about what is expected from bot developers, as well as providing any instructions they will need to ensure that everything is done completely and correctly. One main benefit of laying out the process is to educate stakeholders on their responsibilities and the responsibilities of the Center of Excellence. Doing so will enable everyone to proactively plan for everything they need to do to avoid pitfalls, delay, and frustration.

Below is a sample checklist outlining all the steps and actions necessary for your organization.

chapter 11 - illustration 3 Page 47


People and Mindset

While your executive suite can say, “Yes” to the automation program, individuals at many levels throughout the organization can say, “No” to RPA. This resistance can manifest itself in explicit, as well as subtle ways. Overtly, a security team can simply refuse to provide bot credentials until their concerns are addressed. Subtly, a process owner or the person completing the day-to-day development can derail RPA progression by simply not suggesting any use cases, or sharing that the manual method is too dependent on judgement rather than defined business rules. Generally, department leaders are reluctant to overrule these assertions from staff because they typically do not have first-hand knowledge of the processes and rely on the judgement of their staff.

Recognizing the importance of mindset requires you to trust that the actions you take to promote an automation first mindset will lead to a positive outcome, even though you may not be able to measure a return on each action. Mindset is subtler than a simple metric. Creating the right digital first culture is one of the most important things you can do to improve the odds of success.

A tendency to oversimplify the approach to automation by looking for concrete examples and actions to take misses the point of mindset and the impact it has on your ability to transform an organization. An automation program can greatly benefit from investing in change management with a good dose of communication and education.

Here are the two big common themes we share with clients:

1. Continually Promote RPA Evangelism


Senior leaders play an important role in creating a vision of the future and help employees

see how their day-to-day work life will be improved through the digital transformation the

organization wants to achieve. Highlight digital program goals and successes, such as individual or team accomplishments at all-hands meetings and in other communications, or cultivate the digital innovation mindset by building accountability around nontraditional factors that measure engagement rather than just results or returns. This is important to help employees understand that they will be rewarded for thinking differently, which is at the root of all digital transformations.


Working with business teams to listen to their concerns and ensure the program is addressing them will help develop trust and speed adoption of RPA. However, leadership cannot build the digital culture alone. To amplify and reinforce the message of digital mindset, it is far more effective to leverage the help of a network of champions throughout the company who already have the trust of employees because they are part of the same local team. This grassroots network of digital warriors can magnify your voice and ensure that your message is getting out there in a consistent and sustained way.


2. Create Accountability for Promoting a Digital Mindset


One of the most common pockets of resistance to change we see in organizations are the middle managers, who can often be overly invested in the status quo, the enemy of digital transformation. RPA has the power to upend the way work has been done for decades and, more significantly, change how companies are organized. Once leaders realize that RPA removes two of the most significant barriers to transformation, the delivery of products and services can be redesigned around customer preferences and not the capabilities of the company to deliver those services.


Anticipate this resistance, and work to educate and incent employees and process owners to adopt the digital first mindset. Take this opportunity to explore how RPA can breakdown silos and reimagine the organizational structure. Bring managers on this digital journey and show them how they will be part of the new organization.


While there are several things that are important for the success of an automation program, we feel security, a development methodology designed to promote frictionless governance, and the digital culture that starts with how people think are among the most important. Undertaking a digital transformation supported by a Robotic Operating Center of Excellence will have a different set of goals and challenges for every business, but developing a strategy and vision for your organization is the first step in the journey to becoming a digital organization.


Interested in learning more about establishing a Robotic Operating Center of Excellence?

Download our guidebook for an insight on why a COE matters, the steps and key considerations necessary to establishing a world-class program, and how to maximize your business value.

New call-to-action


The Evolving Cybersecurity Threat Landscape
Risk and Control Gap Analysis and Remediation
Related Posts
Automating the Validation, Reconciliation, and Reporting of Index Data for a Global Financial Benchmark Provider
Automating the Validation, Reconciliation, and Reporting of Index Data for a Global Financial Benchmark Provider
Drive Internal Audit Success With Automation and Data Analytics
Drive Internal Audit Success With Automation and Data Analytics
Finance Process Optimization: Automating for a Faster Future
Finance Process Optimization: Automating for a Faster Future