As robotic process automation (RPA) moves from the testing phase to full adoption in most finance departments, controllers must optimize their governance processes to manage risk without stifling the productivity that the technology provides, according to Gartner, Inc.
Gartner analysts discussed the impact of RPA on risk management processes today during the virtual Gartner CFO and Finance Executive Conference. Gartner’s research has found that enterprise-wide adoption of RPA will grow from 55% of organizations in 2019 to 90% by 2022. As RPA processes expand, so will the inclination to implement new controls and heavier governance. However, the productivity gains offered by RPA could be stifled in a heavily controlled environment that is too reliant on manual oversight.
“We have reached the point where formalized controls are catching up to RPA, but the risk of overcontrolling is wasted effort that reduces the effectiveness of the technology and team capacity,” said Hilary Richards, research vice president in the Gartner Finance practice. “By choosing the correct governance model for RPA and creating clear, rule-based systems to manage the biggest risks upfront, stakeholders can design an effective governance approach without blunting the efficiency gains that made RPA attractive in the first place.”
Optimizing Risk Management for RPA
Initial risk management assessments of deploying RPA bots have focused on the risks that could emerge in an environment that is too lightly controlled. These risks, such as the development of shadow IT, compliance violations, bot failure and related business continuity concerns, have gradually pushed organizations to move to a heavier and more formalized governance system for the technology.
“Some organizations have invested significant time and capital to deploy RPA, yet their bot utilization rate is around 30% of what is actually available due to an overly burdensome control environment,” said Ms. Richards. “Designing a better governance process can help these organizations hit breakeven much faster, without compromising on essential risk controls.”
Designing Effective RPA Governance
To get the most out of RPA investments, Gartner’s research recommends that RPA stakeholders focus on setting a single governance model for the technology, controlling for segregation of duties (SOD) risk and creating guidelines to assess the Sarbanes-Oxley (SOX) impact of RPA use cases.
- RPA Governance Model Selection – The right governance model for enterprise-wide RPA adoption will be decided by stakeholders’ overall comfort with the technology and the need to balance centralized controls with use case flexibility among business units. Ms. Richards recommends that organizations new to RPA start with a centralized governance model, where enterprise standards and procedures are set by a central body. Over time, as comfort and expertise with RPA grow, mature organizations can move to a federated model that provides more business unit flexibility while still maintaining coordinated control of policies.
- Managing SOD Risk – In a lightly regulated SOD environment, there is a risk of bot-enabled fraud, and human access duties are too broad. In a more heavily regulated environment, bot capacity remains under-utilized, and budget is wasted on unused bots. Instead of segregating each process and dedicating one bot per process, Ms. Richards recommended segregating the duties of the humans interacting with the bots, while allowing more processes to be run by a single bot. By separating the development, supervision and process owner roles managed by human employees, organizations can better manage SOD risk while consolidating processes under fewer bots and increasing their utilization rates.
- Assessing RPA’s SOX Impact – Screening every RPA use case for potential SOX impact is a time-intensive, manual activity that can quickly overwhelm the project management team responsible for this duty. Ms. Richards said a more efficient approach in use by organizations with more mature processes involves creating guidelines for business unit owners to flag new RPA proposals for further review if these proposals automate existing SOX controls or will have an impact on SOX-related processes. RPA proposals with no potential SOX impact can proceed for approval without review by a SOX compliance team. Such an approach can generate significant time savings and refocus the SOX compliance team toward direct risk mitigation activities, rather than lower-value proposal screening.
Gartner clients can read more in: RPA Operating Models: Internal Control Risk Implications for Internal Auditors. Non-clients can learn more here: Digital Future of Finance.
CFOs and finance leaders can participate in Gartner research and get complimentary access by joining the Gartner Research Circle.
About the Gartner CFO and Finance Executive Conference
The virtual Gartner CFO and Finance Executive Conference 2021, May 25 – 26, outlines what the future of finance will be, helps CFOs and finance executives define the ‘new normal’ for their teams, and helps them create a digital finance footprint that will enable a more nimble structure, set of processes, and people.
About the Gartner Finance Practice
The Gartner Finance practice helps senior finance executives meet their top priorities. Gartner offers a unique breadth and depth of content to support clients’ individual success and deliver on key initiatives that cut across finance functions to drive business impact. Learn more at https://www.gartner.com/en/finance/finance-leaders. Follow Gartner for Finance on LinkedIn and Twitter using #GartnerFinance to stay ahead of the latest expert insights and key trends shaping the Finance function.