Is Automation Really the New Outsourcing?

by Patrick Law Group, LLC

As disruptive technologies continue to explode across the corporate technology landscape, a natural inclination from both business personnel and attorneys may be to draw parallels between these innovation tools and more established technologies and practices.  Robotics and process automation (“RPA”), a hotbed of exponential growth in recent years, is no different.  Increasingly, the benefits and risks of RPA have been compared to those ones associated with traditional outsourcing or managed services (“BPO”).  And while a considerable amount of overlap undoubtedly exists, the critical differences between RPA and BPO are even more striking. 

RPA and BPO: Similarities…With Distinct Differences

RPA is an umbrella term used to characterize machine-based solutions which previously required human thinking and/or oversight.  Organizations may implement RPA for any number of reasons, from something as simple as automating workflows to navigate corporate contract approvals, to conducting deep-dive data analytics for the purposes of making diagnoses in medicine.  Many of the underlying rationales for RPA use are similar to those reasons frequently cited as the basis for BPO: 1) RPA is less expensive; 2) RPA saves time; 3) RPA allows higher value resources to devote their time to higher value tasks.  The expectation is that, over time, the machine/code in the case of RPA, and the human(s) in the case of outsourcing, will become more efficient at a discrete set of tasks, thereby creating opportunities for gainsharing and improved efficiencies.

To be sure, a subset of the risks related to RPA overlap with outsourcing. Both people and systems incumbent to an organization may be displaced or eliminated altogether by the influx of RPA or BPO.  In both cases, the following issues may arise:

  1. If there is a critical outage or uncertainty as to the origin of an issue, what is the recourse if employees who were subject matter experts have departed and systems have been de-commissioned?  In most cases, the very purpose of RPA and outsourcing is to reduce costs related to people and systems.  Often, putting the genie back into the bottle is a impractical, if not impossible task.    
  2. When the reigns of an entire process of a business area are turned over to RPA or a BPO partner, organizations risk losing their competitive advantage to a vendor eager to share its “learnings” with other customers.  After all, one of the initial tasks in both cases is to deluge the target “worker” (in the case of RPA, the rules engine; in the case of outsourcing, the BPO partner) with as much information, institutional knowledge and underlying rationale as possible. 
  3. What additional regulatory requirements emerge as a result of employing RPA and BPO?  Are there aspects involving data that will change the risk profile?  If a process is customer-facing, what are the ramifications for failure?    

In the case of BPO, organizations typically overcome the first issue by having both the internal resources and the BPO vendor staff work together on the front end to clearly define requirements and an end to end process.  While this type of business analysis may also occur in the RPA context, RPA firms are typically more agile in their staffing and resources, and securing a seasoned business analyst who will carefully and meticulously document business requirements and processes can be problematic.

In the case of competitive advantage, an argument can be made that the same contractual safeguards leveraged in BPO deals (confidentiality, trade secrets, intellectual property rights, etc.) may leveraged similarly in RPA deals.  However, the niche leaders in the RPA space are primarily startup organizations funded by venture capital firms who may have little or no tolerance for accepting contractual terms which would in effect limit the RPA organization’s ability to both learn from prior engagements and mass market those learnings to other customers. 

The issue of regulatory compliance also poses materially different risks for consumers of RPA, the most obvious one being, “How does use of RPA vary my organization’s compliance obligations?”  An additional concern is whether RPA vendors will assume the risk of compliance with such regulations.  Considering the lack of appetite from venture capital firms for assumption of risks associated with RPA, it is likely that this will be an area in which RPA vendors demand a less balanced risk allocation, even when large organizations are sitting across the negotiation table. 

RPA’s Unique Risks

Unfortunately, the risks set forth above are not the only ones presented in the RPA space.  Consider the following:

  • Run, Then Sprint: While BPO tends to be “walk, then run” in term of its escalation and adoption within an organization, the dive into RPA generally tends to be a “run, then sprint” activity.  RPA vendors have become very savvy marketers, the basis of which is to introduce a user-friendly proof of concept or pilot solution which clearly shows the power and functionality of the RPA solution and ensures a “straight to production” roadmap.  In essence, the RPA provider uses the pilot period not only to demonstrate its base product, but also to perform any customizations required to make the RPA product production-ready for a customer. Furthermore, the contracts related to such pilots frequently are very brief in nature, but harsh in consequences.  It is not unusual, for example, for a license included in the pilot to automatically “kick in” after the expiration of a pilot period (unless the customer provides a written notice of termination prior to the expiration of the pilot period).  Equally, it is commonplace for such contracts to specify that the RPA vendor owns all customizations to the base code, creating great potential for the RPA vendor to freely re-market code solutions to a current customer’s competitors.  In that these marketing campaigns are launched directly to the business side of an organization, resources in legal, information security, data privacy and procurement may be left to rehabilitate the license and related agreements once the business intends to launch the solution into production. 
  • Scaled Down Dollars, Resources and Track Records: Thus far, RPA solutions have tended to be quite economical.  BPO deals, on the other hand, tend to be large in scope and dollar value—the buyer stands to save a great deal of money, while the provider stands to make a tidy profit. These incentives motivate both buyer and provider to approach the negotiation table with “A” players (from a legal and business perspective) who have an eye towards measured compromise in areas other than those ones which their respective organizations have sacred positions.  Given the small scope of many RPA deals and the scaled-down staffing model for many RPA vendors, it is quite possible that legal support from the RPA vendor may be lacking or even non-existent.  A related issue is that startups, by their nature, tend to have less of a track record in terms of performance, finances and overall stability, presenting critical issues for a sourcing organization who may evaluate such innovation vendors through the same lens as more established BPO vendors.  [Recent strategic partnerships, however, may be a harbinger of things to come: in January, Accenture teamed with Blue Prism for the express purpose of providing RPA solutions to a wide range of industries.]        
  • Publicity as a Double-Edged Sword.  BPO and RPA also diverge quite significantly on the issue of publicity.  While many organizations are less transparent about efforts to outsource processes (whether due to customer perceptions regarding data security, possible employee layoffs or an overall sensitivity to the politics of outsourcing), those same organizations may be more eager to publicize their exploits on the RPA front.  In the case of more conservative industries, use of RPA may, indeed, be a selling point for potential customers and an important indication that their providers are embracing cutting edge technologies, thus enabling the customer to remain competitive in its own industry.  Unfortunately, such publicity efforts may be a double-edged sword, in that service failures and/or data breaches become more high-profile when there is a publicity blitz on the front end.      

Even though RPA does present materially different risks than prior process innovations, oddly the approach to managing such risks may be a familiar one.  As a former colleague astutely noted during the early days of public cloud implementations, “things have to go wrong to go right.”   In most cases, internal resources from legal, data privacy, information security, risk management and business operations will race to assess and scrutinize exactly what was purchased, what risks it will present and what may have already gone wrong (and ways to mitigate those unforeseen risks). These actions will allow corporate teams to create a veritable “lessons learned” for future RPA deals as corporate brakes are applied to restore operational stability…until the next “disruptor du jour” arrives.  

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Patrick Law Group, LLC | Attorney Advertising

Written by:

Patrick Law Group, LLC

Patrick Law Group, LLC on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign up using*

Already signed up? Log in here

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
Privacy Policy (Updated: October 8, 2015):

JD Supra provides users with access to its legal industry publishing services (the "Service") through its website (the "Website") as well as through other sources. Our policies with regard to data collection and use of personal information of users of the Service, regardless of the manner in which users access the Service, and visitors to the Website are set forth in this statement ("Policy"). By using the Service, you signify your acceptance of this Policy.

Information Collection and Use by JD Supra

JD Supra collects users' names, companies, titles, e-mail address and industry. JD Supra also tracks the pages that users visit, logs IP addresses and aggregates non-personally identifiable user data and browser type. This data is gathered using cookies and other technologies.

The information and data collected is used to authenticate users and to send notifications relating to the Service, including email alerts to which users have subscribed; to manage the Service and Website, to improve the Service and to customize the user's experience. This information is also provided to the authors of the content to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

JD Supra does not sell, rent or otherwise provide your details to third parties, other than to the authors of the content on JD Supra.

If you prefer not to enable cookies, you may change your browser settings to disable cookies; however, please note that rejecting cookies while visiting the Website may result in certain parts of the Website not operating correctly or as efficiently as if cookies were allowed.

Email Choice/Opt-out

Users who opt in to receive emails may choose to no longer receive e-mail updates and newsletters by selecting the "opt-out of future email" option in the email they receive from JD Supra or in their JD Supra account management screen.


JD Supra takes reasonable precautions to insure that user information is kept private. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. However, please note that no method of transmitting or storing data is completely secure and we cannot guarantee the security of user information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time.

If you have reason to believe that your interaction with us is no longer secure, you must immediately notify us of the problem by contacting us at In the unlikely event that we believe that the security of your user information in our possession or control may have been compromised, we may seek to notify you of that development and, if so, will endeavor to do so as promptly as practicable under the circumstances.

Sharing and Disclosure of Information JD Supra Collects

Except as otherwise described in this privacy statement, JD Supra will not disclose personal information to any third party unless we believe that disclosure is necessary to: (1) comply with applicable laws; (2) respond to governmental inquiries or requests; (3) comply with valid legal process; (4) protect the rights, privacy, safety or property of JD Supra, users of the Service, Website visitors or the public; (5) permit us to pursue available remedies or limit the damages that we may sustain; and (6) enforce our Terms & Conditions of Use.

In the event there is a change in the corporate structure of JD Supra such as, but not limited to, merger, consolidation, sale, liquidation or transfer of substantial assets, JD Supra may, in its sole discretion, transfer, sell or assign information collected on and through the Service to one or more affiliated or unaffiliated third parties.

Links to Other Websites

This Website and the Service may contain links to other websites. The operator of such other websites may collect information about you, including through cookies or other technologies. If you are using the Service through the Website and link to another site, you will leave the Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We shall have no responsibility or liability for your visitation to, and the data collection and use practices of, such other sites. This Policy applies solely to the information collected in connection with your use of this Website and does not apply to any practices conducted offline or in connection with any other websites.

Changes in Our Privacy Policy

We reserve the right to change this Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our privacy policy will become effective upon posting of the revised policy on the Website. By continuing to use the Service or Website following such changes, you will be deemed to have agreed to such changes. If you do not agree with the terms of this Policy, as it may be amended from time to time, in whole or part, please do not continue using the Service or the Website.

Contacting JD Supra

If you have any questions about this privacy statement, the practices of this site, your dealings with this Web site, or if you would like to change any of the information you have provided to us, please contact us at:

- hide
*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.