Balancing Business, IT, and Human Capital: RPA Integration and Governance Dynamics

Abstract

In the era of rapid technological progress, Robotic Process Automation (RPA) has emerged as a pivotal tool across professional domains. Organizations pursue automation to boost efficiency and productivity, control costs, and reduce errors. RPA software automates repetitive, rules-based tasks previously performed by employees, and its effectiveness depends on integration across the business–IT–people interface. We adopted a mixed-methods study combining a PRISMA-guided multivocal review of peer-reviewed and gray sources with semi-structured practitioner interviews to capture firsthand insights and diverse perspectives. Triangulation of these phases examines RPA governance, auditing, and policy. The study clarifies the relationship between business processes and IT and offers guidance that supports procedural standardization, regulatory compliance, employee engagement, role clarity, and effective change management—thereby increasing the likelihood of successful RPA initiatives while prudently mitigating associated risks.

1. Introduction

The nomenclature “Robotic Process Automation” (RPA) surfaced in the early 2000s, denoting a methodology for the automation of processes or tasks employing robotic entities. RPA refers to the use of software “bots” designed to automate repetitive business tasks. These agents supplant human intervention in scenarios characterized by repetitiveness and clearly delineated parameters, or alternatively, they cooperate with human agents in a blended mode of operation [1]. As illustrated in Figure 1, global interest in RPA significantly increased from 2004 to 2025, underscoring its growing importance. Notably, the use of RPA experienced an exponential surge during the COVID-19 crisis. The graph also shows a new growth phase in 2025, suggesting that RPA adoption continues to rise after the pandemic and remains highly relevant in today’s business environment.

We retain Figure 1 as a contextual indicator of sustained demand for automation, situating our governance inquiry in an empirically growing domain.

RPA encompasses a spectrum of applications, yielding heightened operational efficiency, amplified productivity, and cost mitigation. Tasks encompassing data entry into forms [2], data aggregation within tables [3], rule-based processes or tasks [4], and iterative interactions [4] with applications stand as exemplary of actions amenable to RPA execution. American Express Global Business Travel uses RPA to handle airline ticket cancellations and plans to expand it to automate airport operations and provide customer recommendations [5]. RPA does not imply replacing employees. Instead, it relieves them from repetitive tasks, allowing for focus on value-added activities that require human judgment or supervision of automated results [6].

Presently, companies embarking on a trajectory with RPA evince a more circumspect outlook regarding anticipated returns, in stark contrast to the initial surge in popularity of this technology. Achieving optimal value depends on managers overseeing the setup and maintenance of multiple bots, which raises key governance questions [1,7]. A survey of 250 companies found that only 12% had implemented RPA, and of those, half achieved a positive return on investment (ROI) within 18 months. Several factors can hinder RPA success, including poor collaboration, regulatory constraints, and misaligned internal policies [8].

Beyond classic RPA, organizations are beginning to orchestrate work with AI agents—LLM-enabled, tool-using components that act semi-autonomously—expanding governance from process controls to include model risk, human-in-the-loop oversight, and auditable agent actions [9,10,11,12,13,14,15].

Several factors may impede the attainment of prescribed corporate objectives. It is imperative to fathom how a paucity of collaborative endeavors exerts influence [3,7,16], in addition to the nexus with compliance [3,17,18,19,20,21,22], and sundry other pertinent considerations. This study aims to analyze RPA governance frameworks in relation to Business, information technology (IT), and Human Resources, and how these frameworks connect with audit practices and organizational policies.

Guided by IT governance, the Technology Acceptance Model (TAM), and change-management perspectives, we frame RPA governance through structures/processes/relational mechanisms, user acceptance (perceived usefulness/ease of use), and organizational readiness—foundations that shape the research question posed below.

Hence, this article aims to focus on one main research question:

• RQ1: What is the impact of RPA governance on the dynamic interrelationships among Business, IT, and People, in conjunction with audit practices and organizational policies within organizations?

2. Background

2.1. Definition and Scope of Robotic Process Automation

In this study, Robotic Process Automation (RPA) denotes software “bots” that execute rule-based, repetitive tasks by interacting with existing systems at the user-interface or API level. Across authoritative sources, RPA definitions converge on three elements: (i) task automation of structured processes, (ii) non-intrusive integration with legacy systems, and (iii) governance requirements covering access, logging, and controls. Differences mainly concern the degree of intelligence (classic RPA vs. RPA with AI/ML) and the locus of ownership (IT-led, business-led, or federated).

Currently, within the existing body of literature, diverse definitions of RPA are discernible. Several scholarly contributions characterize RPA as a framework designed to automate repetitive tasks within business processes, employing software agents that are proficient in emulating human interactions with graphical interfaces.

RPA is a software-only system that connects with digital platforms to handle tasks like data entry, extraction, and manipulation. This functionality is executed through software entities commonly referred to as bots. A case study from Infosys shows a 58% drop in manual labor after RPA was implemented—not by reducing staff, but by boosting productivity with bots as assistants [16].

2.2. Case Studies and Industrial Adoption

In contrast to traditional coding paradigms, RPA development operates on pre-defined code components, enabling developers to incorporate and configure activities through an intuitive interface [23]. This streamlined development process translates into brief training intervals for staff, equipping them with the requisite proficiency in configuration and deployment. Although RPA implementation is relatively simple, excluding IT from decisions is discouraged due to their role in governance, infrastructure, and security [5,7]. Moreover, RPA is particularly efficacious in contexts characterized by process standardization, rule-based frameworks, and discernible levels of interaction and complexity [6]. For case selection, illustrative examples were chosen to reflect (i) sectoral diversity (financial services, manufacturing/supply management, public sector), (ii) variation in governance models (centralized CoE, federated, hybrid), and (iii) the availability of verifiable details regarding process scope, controls, and outcomes. This selection strategy enables meaningful cross-case comparisons of governance design and effectiveness.

Notwithstanding its capacity for facilitating expeditious and uncomplicated automation, the establishment of robust governance frameworks for RPA initiatives poses a substantive challenge. When an organization chooses to assimilate RPA comprehensively into its operational architecture, as opposed to deploying it as a discrete solution, the ensuing proliferation of bots engenders heightened complexity in governance requirements [24].

In the broader industry landscape, several leading organizations have been at the forefront of RPA implementation, showcasing a range of governance models and strategic approaches. Beyond financial services, published cases in purchasing/supply management and public administration report similar governance tensions (e.g., standardization vs. local flexibility), reinforcing our interview findings. For instance, Deloitte has guided clients in developing RPA Centre of Excellence (CoE), emphasizing cross-functional governance and structured process selection frameworks [25]. UiPath, a global RPA vendor, has demonstrated scalable deployments in finance and healthcare, focusing on citizen development and platform integration [26,27,28]. Similarly, KPMG has supported clients in embedding compliance, risk controls, and performance metrics into automation strategies [29]. These cases reinforce the study’s findings that structured governance and business–IT collaboration are critical enablers for sustainable RPA success.

2.3. Governance Models in RPA

2.3.1. Governance–Management Perspective

We adopt a management science perspective on governance, viewing it as the combination of structures, processes, and relational mechanisms to ensure IT—and specifically RPA—support organizational objectives while managing risks and ensuring compliance (adapted from De Haes & Van Grembergen) [30]. In the context of RPA, this includes role design and segregation of duties, allocation of decision rights (e.g., CoE or steering committee), standardized criteria for process selection, change control procedures, and mechanisms to ensure the auditability of bot actions.

Governance can be elucidated as a multifaceted process encompassing decision-making, alongside the subsequent execution or abstention from implementing choices by individuals occupying positions of authority. This concept finds application across diverse domains, including the sphere of corporate governance [31].

Distinct forms of governance emerge contingent upon the specific domain under consideration. For instance, as depicted in Figure 2, corporate governance primarily pertains to the operational milieu of businesses. Conversely, IT governance is relevant to the realm of IT. Additionally, there exist other classifications not explicitly delineated in the figure, such as environmental governance, which centers on matters pertaining to environmental management and related concerns [32].

2.3.2. Corporate Governance

It pertains to a comprehensive framework comprising practices, statutory provisions, procedural protocols, and guiding principles intended to enhance overall business administration. Its fundamental objective lies in harmonizing the interests of diverse stakeholders, including shareholders, employees, and suppliers, among others [33]. Poor corporate governance can lead to missed goals, reduced stakeholder support, and financial issues, ultimately resulting in business crises. Conversely, a commendable corporate governance framework integrates principles of accountability, signifying the company’s cognizance of the repercussions of its decisions on each stakeholder, inclusive of employees and shareholders. Consequently, the company is duty-bound to orchestrate its choices in a manner conducive to fostering sustainable progress and enduring development [34,35].

2.3.3. IT Governance

Within the ambit of corporate governance, an instrumental subset pertains to IT governance, which distinguishes itself by its exclusive focus on the IT sector within an organization [36]. In practical terms, this entails activities encompassing the establishment of performance metrics and objectives, maintenance of technical documentation, undertaking audits, scrutinizing knowledge deficiencies, and implementing mechanisms for monitoring progress [37]. Figure 3 delineates the five domains underpinning the framework of IT governance [38,39].

• Value Delivery: This domain concentrates on the efficient provision of IT advantages to other functional areas within the organization.
• Risk Management: This facet is dedicated to the systematic identification, communication, and judicious mitigation of risks associated with IT operations.
• Strategic Alignment: This domain scrutinizes the congruence between the objectives delineated by the IT function and those of the broader organizational framework.
• Resource Management: This area is centered on the appraisal of the appropriate and effective management of IT resources.
• Performance Management: This domain is concerned with the assessment of the efficacy and proficiency in which IT operations are executed.

Implementing IT governance is initially driven by the objective of fostering enhanced collaboration between business and IT sectors. It is estimated that proficient adoption of IT governance can lead to a potential increase of approximately 20% in profits due to improved alignment and delineation of responsibilities [40].

In the realm of RPA, the expansion of robotic entities necessitates meticulous implementation and maintenance, underscoring the imperative of sound governance for efficacy and objective attainment. Given the multifaceted impacts of RPA across various business domains, a well-defined framework and delineation of responsibilities are imperative. Different governance models must be considered respecting organizational conditions, resources, infrastructure, and objectives. The decentralized model, affording greater flexibility, is recommended for companies with extensive RPA experience, fostering innovation. Conversely, the centralized or federated model, conducive to risk mitigation through systematization and standardization, is better suited for enterprises still in the nascent stages of RPA adoption [41,42].

A notable case study involving Nordea Bank demonstrates a balanced approach, employing a centralized CoE for most RPA-related matters, while distributing responsibilities among various operational units [7]. The federated model presents an alternative, harmonizing the CoE with autonomous business unit initiatives, thereby promoting deliberation and priority-setting, and excelling in standardization of automation and best practices [43,44].

The CoE emerges as a pivotal governance mechanism within organizations, pivotal in guiding the design, development, and upkeep of bots [45,46]. As RPA proliferates, a CoE, comprising a diverse team, is instrumental in setting policies and standards to ensure adherence to best practices [21,41]. Its implementation entails a strategic investment, consolidating responsibilities and expertise from diverse sectors. The CoE assumes responsibility for the administration, licensing, and maintenance of RPA. Collaborative efforts under the aegis of the CoE lead to a degree of functional standardization across various sectors. Additionally, the CoE plays a vital role in change management, integration with IT, and the dissemination of RPA practices. The nature of governance may manifest through either a federated or centralized CoE, contingent on organizational structure RPA in purchasing and supply management [47].

A centralized CoE consolidates RPA functions within the organization, but may incur a concentration of efforts, potentially leading to productivity bottlenecks. Conversely, the federated model distributes responsibilities and bot management to individual business units (BUs), facilitating departmental access to CoE support [47]. In this context, the CoE assumes the role of a hub driving high-impact activities aligned with the objectives of a particular organizational unit or department, encompassing research, innovation, and technology adaptation [19].

The establishment of a CoE is also geared towards mitigating implementation-associated risks, including erroneous process selection for automation due to inadequate expectation analysis. A proof of concept is recommended to validate anticipated benefits. Risks may also arise from modifications and updates, incurring time and financial costs. Moreover, without comprehensive documentation, the organization risks losing critical process knowledge over time [19].

Exemplary RPA implementations feature a dedicated CoE, tasked with realizing proposed objectives. By operating across various organizational domains to identify, prioritize, and oversee RPA development, the CoE is instrumental in enabling scalable and risk-averse RPA adoption. OptumServe’s implementation of a CoE exemplifies this success, culminating in a substantial increase in automation capabilities, garnering industry recognition for outstanding competency development [48].

Transitional note: The background synthesis reveals converging needs around (i) role clarity and decision rights, (ii) standardized process selection and change control, and (iii) human-centric adoption and compliance. Yet comparative evidence on how governance models actually mediate the Business–IT–People interface remains limited. This motivates our study design and research question.

3. Study Design (Mixed-Methods Overview)

This study comprises two phases: Phase I—PRISMA-guided multivocal review (databases + AACODS-screened gray literature) and Phase II—qualitative interviews. Findings are integrated in a dedicated Triangulation subsection.

3.1. Phase I—PRISMA-Guided Multivocal Review

This study is conceptually anchored in several key theoretical frameworks. Firstly, IT Governance theory provides a lens to understand how decision rights, accountability, and performance are managed within organizations implementing RPA. This is especially relevant for assessing how roles and responsibilities are distributed between business and IT units.

Secondly, the Technology Acceptance Model (TAM) helps explain user attitudes and behavioral intentions towards adopting RPA tools. TAM emphasizes perceived usefulness and ease of use, which are critical in understanding employee engagement and resistance.

Lastly, the Change Management theory, including models such as Kotter’s eight-Step Process, is pertinent to exploring how organizations prepare for and manage transitions brought on by automation [49]. These theories jointly inform both the methodological design and the interpretation of findings, allowing the study to bridge practical insights with academic grounding.

A Multivocal Literature Review (MLR) bears resemblance to a Systematic Literature Review (SLR) in its objective to encompass both formal and informal information sources. Academic writing constitutes the primary mode of discourse within scholarly domains, whereas gray literature (GL) comprises a diverse array of information not originating from academic channels and is devoid of conventional quality control measures such as pre-publication peer review [50,51].

3.1.1. Data Sources and Searches

The research was undertaken with the objective of gathering a comprehensive body of information. The Preferred Reporting Items for Systematic Reviews and Meta-Analyses (PRISMA) guidelines [52] were followed in the conduct Phase I (PRISMA-guided multivocal review).

The following keywords were applied to the search: (“Robotic Process Automation” OR “RPA” OR “Robotic Automation”) AND (“Governance” OR “Audit” OR “Policies”). Bibliographies from relevant publications were checked to identify relevant articles.

We searched the following databases for eligible studies:

• ACM Digital Library (https://dl.acm.org);
• Scopus (https://www.scopus.com/home.uri);
• EBSCO Information Services (http://search.ebscohost.com/);
• Scholar (https://scholar.google.com/);
• Google Search (https://www.google.com/).

While the utilization of Google Search may be perceived as a potential limitation due to its inherent variability, it is acknowledged by certain scholars that variations in search methodology are not uncommon. Hence, it is imperative to construct a compelling rationale rather than relying solely on a singular search approach [53]. Research activities should adhere to systematic methodologies, with preference given to established search engines such as Google. Moreover, it is advisable to extend the scope of inquiry beyond the initial pages of results, considering a diverse array of sources to ensure a comprehensive review [54,55].

3.1.2. Selection of Studies

This phase describes the methodology we used to conduct the review. It outlines how sources were identified and screened, and how the relevant data were extracted. The resulting dataset was then analyzed in a structured manner.

In the initial stage, we conducted a systematic search across the selected databases. We then restricted the results to peer-reviewed journals and academic articles to ensure quality and relevance.

3.1.3. Study Selection and Exclusions

Following PRISMA 2020, 21,531 records were identified; after deduplication (16,903), 4,628 proceeded to screening and 908 to full-text review. 753 full texts were excluded for documented reasons, leaving 155 sources for synthesis. Category counts are shown in Figure 4.

Figure 4 presents the PRISMA 2020 flow diagram for this review [52]. It shows how records were identified, screened, and included. The figure improves transparency and demonstrates the rigor of our study selection.

Table 1. Inclusion/exclusion criteria used.

Inclusion Criteria	Exclusion Criteria
Related to main keywords	Not related to RPA and Governance
Documents are written in English	Documents are written in a language other than English
Filtering the search results only shows the first fourteen pages from Google Search	Notifications from vendors about tools that have been excluded
Abstract

lists the selection criteria used in this review. These criteria set the parameters for inclusion and exclusion and guided every screening decision.

This step is pivotal to a rigorous review process. Each record was evaluated against the predefined inclusion and exclusion criteria. Only items meeting these criteria proceeded to full-text review.

For gray literature, we applied a comparable screening approach. We considered the first fourteen pages of Google results and removed non-authoritative items. Blogs with subjective opinions and pages lacking verifiable sources were excluded.

To systematically assess the quality of gray literature and non-peer-reviewed sources, we applied the AACODS checklist (Authority, Accuracy, Coverage, Objectivity, Date, Significance). We retained only those items that scored positively on authority, accuracy, date, and significance concerning RPA governance. This approach complemented our database screening and helped reduce selection bias in gray literature.

To ensure a rigorous and transparent selection of literature sources, the collection process was carefully structured using multiple layers of filtering criteria. These filters aimed to balance breadth and relevance, capturing both peer-reviewed academic contributions and credible gray literature to build a comprehensive knowledge base on RPA governance. The application of inclusion and exclusion parameters ensured that only materials aligned with the study’s objectives—particularly those addressing RPA integration, governance practices, and business–IT alignment—were retained. The process also emphasized source credibility, publication date relevance, and thematic alignment.

In the initial search phase (as shown in Figure 4), inclusion and exclusion criteria were applied alongside the predefined search string. These filters—covering all fields, all document types, full text and abstract availability, peer-reviewed journal publications, and both academic and gray literature—guided the identification of relevant sources. Table 1 outlines this process as part of the full MLR protocol, listing the retrieved articles and the filters used to refine the sample. All publications meeting the inclusion criteria were selected for further analysis.

For gray literature, the Google Search engine was utilized to capture relevant institutional and governmental reports. While Google Search has limitations and is not recommended as the sole source for systematic reviews, it was deemed appropriate for supporting qualitative evidence synthesis in this context. Only the first fourteen pages of search results were considered for review and selection [55].

Subsequently, a thoughtful manual filtration was executed to discern documents resonant with the study’s thematic focus, while simultaneously eliminating any redundant entries.

To fortify the inclusivity of pertinent sources, a snowballing strategy was deployed. This method involved an accurate inspection of the reference lists of selected articles, with due diligence given to related citations [57]. In this context, snowballing refers to the process of identifying additional relevant articles by examining the reference lists of selected studies (backward snowballing) and by exploring subsequent publications that cite them (forward snowballing). This iterative process was instrumental in ensuring the incorporation of meticulously selected and academically substantive sources for the study.

3.2. Phase II—Qualitative Interviews

Quantitative research uses statistical tests to validate and support findings, whereas qualitative research focuses on direct experiences to provide a richer and more comprehensive understanding. It captures underlying values and motivations, going beyond numerical analysis [58].

Qualitative research, conducted through interviews, aims to capture facets of the human experience [59]. This method facilitates gathering information directly from the source, providing a detailed exploration of topics, and understanding the perspectives and experiences of the interviewees. It is crucial to plan and adapt interviews to align with research questions and validate uncovered information during the study [58].

The literature review served as a foundational understanding of the subject, informing the formulation of interview questions. A questionnaire was then developed to guide the interviewer in collecting responses during the interviews. The interviewees were selected and contacted before the interviews were conducted, both via Zoom and in person.

The semi-structured interviews were designed with open-ended questions based on the literature from the MLR, aiming to capture experiences, feedback, narratives, diverse perspectives, and contextual information. This method allows for flexibility, enabling a thorough exploration of topics and enriching the study with nuanced insights [59].

3.2.1. Sampling and Participants

To facilitate the interviews, participants were drawn from various sectors, including business clients, the IT team overseeing robot development, the process analysis team, individuals unfamiliar with RPA, and those who engage with the outcomes produced by RPAs.

The preeminent approach for data acquisition in qualitative research is through interviews, which find applicability across various philosophical paradigms, including positivist, interpretive, and critical orientations (Myers and Newman, 2007) [60]. Within qualitative inquiry, the interview emerges as a particularly effective mechanism for data procurement (Myers and Newman, 2007) [60]. Myers (2013) further asserts that interviews afford the opportunity to elicit valuable insights from individuals occupying diverse roles and contexts [61]. Consequently, interviews represent a fitting methodological choice for the development and evaluation of an artifact. Consequently, this article will employ semi-structured interviews as the means of data collection.

A total of thirty-one individuals were interviewed, contributing their valuable experiences and insights to the research. Those not directly involved with RPA offered a unique perspective, providing viewpoints from individuals without hands-on experience with the subject or from those who interact with the results produced by the robots.

3.2.2. Data Collection Process

The interview process started by requesting consent and an introduction to the study’s objectives. Initially, a document was prepared to provide the interviewees with context regarding the research and its findings, ensuring they comprehended the purpose of the interview. Subsequently, the interviews were conducted individually using the Zoom video conferencing platform or in face-to-face settings. Throughout the interviews, the interviewer recorded the responses, utilizing a pre-constructed form containing all the designated questions for the interviewees [62]. To align with ethical and data-protection requirements, the study adhered to the Declaration of Helsinki (2013 revision) [63]. No personally identifiable information was collected; all responses were anonymized. Data handling complied with the EU GDPR (Regulation (EU) 2016/679) [64] and Portuguese Law No. 58/2019 [65].

It is important to note that the questions gathered and stored did not include any personal information, such as names or company details, to maintain the confidentiality and anonymity of the interviewees and their respective organizations.

Table 2. Information about the interviewees.

Attribute	Value
Work Experience
0–5 years	54.8%
5–10 years	16.1%
10–15 years	3.2%
15–20 years	3.2%
>20 years	22.6%
Responsibility
Developer	64.5%
Business Analyst	19.4%
Manager	9.7%
Other	19.4%
Work Experience in RPA
0–5 years	87.1%
5–10 years	12.9%
10–15 years	0%
15–20 years	0%
>20 years	0%
Number of RPA processes
0	29.0%
1–5	12.9%
5–10	9.7%
>10	48.4%
Area
Business	12.9%
IT	67.7%
Other	19.4%
Do you have RPA projects at your organization?
Yes	83.9%
No	16.1%
If no, would you feel threatened if the company decided to implement it?
Yes	20.0%
No	80.0%

Note: Some categories permitted multiple selections; percentages may not sum to 100%.

provides detailed characteristics of the interviewees, including years of experience and the full individual responses are presented in Appendix A.

3.2.3. Analysis & Trustworthiness

Analysis: We used thematic analysis with a hybrid inductive–deductive codebook derived from the Phase I themes (alignment, role/permissions, compliance/change control). Two researchers independently coded an initial subset and reconciled differences through discussion; the final codebook was then applied to all transcripts.

Trustworthiness: To enhance credibility, we used purposive role-diverse sampling, source triangulation across business/IT/audit roles, iterative probing, a small pilot to refine the instrument, and an audit trail of coding decisions; quotes reported are anonymized and paraphrased when needed for confidentiality. (Moves the validation content that’s currently discussed around Results into Methods.)

3.2.4. Ethics

Ethics Statement: All participants at phase II provided informed consent prior to participation via an online consent form. Given the minimal risk nature of this research and its focus on professionals rather than vulnerable populations, the study was exempt from formal review by an Institutional Review Board or Ethics Committee. All data collection and handling adhered to ethical principles for research involving human subjects.

4. Multivocal Literature Review

In the context of this study, an extensive literature review was conducted, grounded in domain-specific expertise. The adoption of an MLR approach was deemed most capable due to the emerging nature of the subject matter, which precludes a comprehensive body of formally published literature. As elucidated earlier, the MLR integrates elements of both Systematic Literature Review and Gray Literature Review, the latter of which encompasses less formalized sources including online posts and blogs [50,66].

Figure 5 below delineates the interrelation among SLR, GLR, and MLR. The initial component was scrutinized within designated databases, while the latter was pursued through Google Search, respectively.

The objective is to scrutinize the findings of the MLR to attain a thorough comprehension of the interplay between RPA and Governance. Specifically, the study aims to achieve the following:

• Interrogate the correlation between RPA governance and its integration with Business, IT, and Human Resources, while also elucidating its interface with audit protocols and organizational policies as evidenced in the scrutinized documents.
• Clearly define the research objectives to guide subsequent analysis.
• Disseminate the identified challenges, opportunities, and results, highlighting their relevance and applicability for both researchers and practitioners in the fields of governance and Robotic Process Automation (RPA).

Table 3. Distribution between “White”, “Gray” and “Black” literature.

“White” Literature	“Gray” Literature	“Black” Literature
Peer-reviewed conference papers	White papers	Concepts
Peer-reviewed conference proceedings	Blogs	Ideas
Peer-reviewed journal articles	Lectures	Thoughts
Academic books/chapters	Audio–video media
	Preprints
	Datasets
	e-Prints

delineates distinctions between “White” literature, “Gray” literature, and “Black” literature, and delineates pertinent publication selection criteria for each category.

The MLR can be divided into three parts: first, the planning, then the conducting and lastly the reporting, as shown in Figure 6.

The initial phase, denoted as “Planning the MLR,” comprises two pivotal steps:

• Discerning the imperative for conducting an MLR on the specific subject matter.
• Formulating the overarching objective and delineating research questions (RQs) to guide the MLR.
• The subsequent phase, “Conducting the MLR”, encompasses five distinct sub-stages:
• Search and Selection: This involves the formulation of a set of keywords that encapsulate the primary objectives of the study.
• Quality Assessment: It entails the critical evaluation of the credibility and objectivity of selected sources.

Design of Data Extraction Forms:

At this stage, we designed standardized data extraction forms to capture study attributes (context, sector, governance model, role allocation, controls), methods, and reported outcomes (e.g., compliance effects, scalability, user acceptance). These forms supported consistent coding, traceable decisions, and cross-case comparison, while enabling later synthesis of structures, processes, and relational mechanisms.

• Data Extraction: This step involves the retrieval of pertinent data from the identified studies.
• Data Synthesis: Here, the collated data is combined and analyzed in a manner that facilitates the comprehensive addressing of the research question(s).

The concluding phase, “Reporting the MLR,” often encounters challenges analogous to those encountered in the guidelines delineated for executing a Systematic Literature Review (SLR) as outlined by Kitchenham and Charters [51].

4.1. Planning the MLR

The planning phase of the MLR is critical for setting a structured foundation for the entire review process. It began with identifying the need for conducting an MLR due to the evolving and practice-driven nature of RPA governance, where formal academic literature alone would be insufficient. Following this, the review’s objectives were defined, and the research questions (RQs) were formulated to guide the investigation. This planning stage ensured alignment between the review’s scope and its goals, integrating both academic and gray literature sources to build a comprehensive evidence base. The expected contribution was to create a balanced understanding of governance dynamics, bridging theoretical insight and practitioner experience.

4.2. Conducting the MLR

This section outlines the second phase of the process—conducting the review—which involved executing targeted searches in selected databases using predefined queries and analyzing the resulting data.

4.3. Reporting the MLR

This section reports the main findings of the MLR and the interviews. We organize the results by theme and relate them to prior work [22,67]. Together, these sources show that RPA governance has become a pressing topic in both research and practice [68].

In broad terms, governance comprises the structures, processes, and relationships that align technology with organizational goals. In the context of RPA, governance also manages risk, compliance, and accountability settings [69]. As depicted in Figure 7, governance assumes a foundational role, overarching and influencing the various facets under its purview. This wider view underscores its importance across the organization.

Corporate governance focuses on the oversight of business performance and accountability [69]. It sets decision rights, control mechanisms, and reporting lines [70]. RPA governance operates within this frame and contributes to these broader objectives.

Within that framework, RPA governance defines roles, permissions, controls, and audit trails for automated work [71]. Effective RPA governance depends on collaboration between business and IT. In many cases, structural adjustments are needed to achieve that synergy.

RPA governance covers several practical elements. These include how rules are implemented, how changes are controlled, and how access is granted. It also includes logging bot actions and ensuring that automations are designed and sized appropriately [72].

Furthermore, RPA governance plays a crucial role in several key areas:

• Business Continuity: RPA adaptability was highlighted during the COVID-19 pandemic, enabling organizations to maintain operational continuity even as employees transitioned to remote work [8,9,10,11,12,13,14,15,54,73,74,75,76,77,78,79,80,81,82,83,84,85].
• Security: It encompasses defining roles and responsibilities, establishing security policies, and adopting guidelines to safeguard RPA systems and data [7,12,13,24,67,73,74,75,76,77,78,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102].
• Viability and Scalability: These areas address investment evaluation, resource allocation, and cost assessment, while also ensuring that RPA systems can expand and adapt in tandem with organizational growth [10,11,24,68,73,79,81,89,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119].

Analysis of the selected studies informed

Table 4. Findings related to the research.

MLR Findings
Integration between business and IT	[1,2,7,9,11,13,14,24,54,67,68,70,71,72,73,74,75,76,78,80,81,87,88,89,91,106,108,111,120,121,122,123,124,125,126,127,128,129,130,131]
Standardization of processes	[1,2,7,9,10,11,12,13,14,22,46,67,68,74,75,76,77,78,79,80,81,84,85,88,91,92,93,94,95,96,98,100,101,102,104,105,106,107,108,109,110,113,116,117,118,119,120,130,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150]
Compliance and risk management	[2,7,8,9,12,13,24,48,54,72,73,76,78,79,80,82,84,85,93,94,96,97,99,100,101,102,110,115,117,128,129,131,132,133,134,135,136,142,143,144,145,147,148,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167]
Employee engagement, changes in roles, responsibilities, and change management	[1,2,7,10,11,13,46,54,67,68,69,70,72,73,77,78,79,80,81,82,84,88,90,94,95,96,98,99,101,102,108,109,112,117,118,119,126,127,128,129,130,131,132,133,134,135,140,141,142,143,144,145,148,149,150,151,152,161,162,165,166,167,168,169,170,171,172]

, which summarizes the dominant themes in the literature; a detailed synthesis of these themes is presented in Section 6 (Results and Discussion) [120].

4.3.1. Integration Between Business and IT

RPA falls under lightweight IT, requiring minimal programming skills and simplifying development. This empowers business departments to be actively involved in automation. Conversely, heavyweight IT is typically centralized and led by IT professionals.

Governance models (centralized, decentralized, federated) must align with a company’s characteristics. Centralization prevents “shadow IT” but may raise concerns about process prioritization. Decentralization empowers various parties in decision-making, potentially leading to process standardization challenges. Federated governance combines elements of both models, allowing for autonomy while collaborating on collective goals.

4.3.2. Standardization of Processes

Companies must choose processes for automation carefully, considering structured data suitability. For example, Nordea Bank emphasizes processes with stable systems and structured data. Although software can handle unstructured data with OCR, structured data is preferable to avoid high costs and errors. The choice of processes can be influenced by IT departments lacking business understanding (centralized model) or insufficient technical skills (decentralized model) [7].

4.3.3. Compliance and Risk Management

Integrating RPA in auditing, as seen in companies like Deloitte and Kira Systems, enhances efficiency and effectiveness. RPA minimizes time spent on routine tasks, allowing auditors to focus on high-priority activities, thus reducing errors and improving quality. It also enables the reengineering of audit processes.

The standards established by the American Institute of Certified Public Accountants (AICPA) and the Public Company Accounting Oversight Board (PCAOB) are designed to ensure the quality and reliability of audit processes. These frameworks emphasize the need for robust compliance controls, which highlights the importance of conducting in-depth studies on how RPA affects audit quality and adherence to regulatory requirements. Small and medium-sized audit firms face challenges in data gathering due to diverse system formats, leading to resource-intensive processes. Effective planning and an organizational framework with defined privileges and vulnerability management are crucial for risk reduction [164].

4.3.4. Employee Engagement, Changes in Roles, Responsibilities, and Change Management

While RPAs perform defined tasks, employees may still face job displacement fears. Employers can benefit from reduced costs by prioritizing less mechanical, value-added work and reallocating resources. Governance should address these concerns, providing training and opportunities for effective collaboration between robots and workers. Taxation considerations may arise, given the potential cost savings of using robots.

Roles and responsibilities need reevaluation as tasks transition from human to machine execution. Figure 8 illustrates the integrated governance approach, encompassing IT and RPA governance, process integration, compliance, risk management, and people management.

5. Results and Discussion

5.1. Findings from Phase I—Systematic Review

Phase I clustered the literature into four governance levers: (i) business–IT alignment and decision rights (e.g., CoE/federated models), (ii) role and permission design with separation of duties, (iii) standardized intake, process selection and change control, and (iv) compliance, logging and auditability, with people/change-management cutting across all themes (Table 4). These themes frame the interview analysis and the subsequent triangulation.

5.2. Findings from Phase II—Qualitative Interviews

The analysis of the interview data began with an extensive review of the transcribed content, followed by systematic categorization according to shared concepts, similar roles, levels of professional experience, and specific functional areas in which interviewees were employed.

To ensure the credibility and robustness of the findings, multiple validation techniques were implemented. Purposive sampling was utilized to ensure diversity among participants’ roles, providing a comprehensive and nuanced dataset. Additionally, a pilot study involving five participants was conducted to refine the interview approach, language clarity, and interpretive methods.

The credibility was further strengthened through source triangulation, incorporating perspectives from interviewees affiliated with diverse organizations, thus enabling a thorough comparative analysis. Iterative questioning techniques were also employed, allowing interviewers to revisit topics and contextualize responses, identifying and addressing potential inconsistencies.

Member checking played a crucial role, involving verification of the recorded statements with interviewees to confirm their accuracy and alignment with the interviewees’ intended meanings. This approach provided participants an opportunity to clarify or add further insights.

The comprehensive analysis process involved careful organization and interpretation of data into distinct categories, identifying recurring patterns, key terms, and shared themes across responses. From these patterns, a coherent narrative emerged, grounded firmly in the interviewees’ collective experiences.

Our interview findings emphasize that successful RPA governance requires close alignment between IT and BUs—a view supported by existing literature (e.g., Kedziora & Penttinen, 2020; Hofmann et al., 2020) [7,24]. Interviewees consistently underscored the importance of clearly defined roles and responsibilities to mitigate risks of miscommunication and errors, echoing recent studies such as Abdullah and Tursoy (2023) [128]. An illustrative example from Nordea Bank revealed how a federated governance model effectively resolved common governance challenges highlighted by participants, including bottlenecks in decision-making and insufficient local knowledge of automated processes.

Table 5. Responses to close-ended questions.

Question	Yes (%)	No (%)
Do you think that there should be integration between business and IT?	100	0
Do you think there could be issues if the process is solely defined by the business side or solely by the IT side, without following a standard?	100	0
From your perspective, what is the meaning of a careful selection of processes to be automated in RPA?	-	-
Since there are no taxes on robots, but there are many people, if you were a business owner, would you prefer to retain and prioritize people over replacing them with robots for economic reasons?	35.4	64.6
Do you think RPA helps or replaces employees?	100	0
Do you believe that all individuals involved in the same project should have the same levels of permission?	3.2	96.8
In your opinion, is understanding and preparing employees important for reducing compliance risks in RPA?	100	0

presents a concise summary of the close-ended responses from the interviews, while the comprehensive individual responses are documented in Appendix A.

The set of questions presented in Table 5 was carefully designed to probe critical dimensions of RPA governance, including organizational alignment, decision-making authority, ethical considerations, and the human impact of automation [173]. The questions aim to reveal not only the technical or procedural understanding of RPA among participants but also their perceptions of its broader organizational and cultural implications. By combining close-ended and open-ended prompts, the intention was to elicit both quantitative trends and deeper qualitative insights into how professionals interpret and respond to automation in practice [59,60]. This design supports the study’s objective of exploring the interplay between business, IT, and human capital in RPA integration.

To facilitate clearer understanding and enable a more structured discussion of the interview findings,

Table 6. Results resume with major topics found.

Questions	Resume of Major Topics Found
Q1: Do you think that there should be integration between business and IT?	Alignment of goals Process quality Error reduction Communication Definition of responsibilities Documentation
Q2: Do you think there could be issues if the process is solely defined by the business side or solely by the IT side without following a standard?	Knowledge limitations Errors Ambiguity Resource wastage Overload Misalignment of objectives
Q3: From your perspective, what is the meaning of careful selection of processes to be automated in RPA?	Efficiency Error Minimization Stability Viability
Q4: Since there are no taxes on robots, but there are many on people, if you were a business owner, would you prefer to retain and prioritize people over replacing them with robots for economic reasons?	Time Reduction Mitigating Human Error Profit Efficiency Essential Collaborators Reallocation Cost Reduction
Q5: Do you think RPA helps or replaces employees?	Organizational Objectives Workload Replacement Reallocation
Q6: Do you believe that all individuals involved in the same project should have the same levels of permissions?	Hierarchy Separation of Functions and Responsibilities Security Project Management
Q7: In your opinion, is understanding and preparing employees important for reducing compliance risks in RPA?	Training and awareness Motivation Risks and impacts

presents a synthesized overview of the core themes and topics identified through the qualitative analysis. This summary captures the essence of the most frequently recurring insights, highlighting key governance concerns, organizational dynamics, and human capital considerations related to RPA adoption. It serves as a practical reference point for readers by distilling complex qualitative responses into thematic categories. For those seeking deeper contextual detail and nuanced interpretations, the full set of coded responses can be consulted in Appendix A.

The following section presents a series of interview questions along with a compilation of responses provided by the interviewees. These responses serve to elucidate the concepts introduced earlier, providing a more comprehensive understanding:

• Q1: “Do you think that there should be integration between business and IT?”

All interviewees unanimously emphasized the necessity of integration between business and IT in the context of RPA, highlighting several key reasons:

• Alignment of Goals: Participants noted that achieving organizational objectives like cost reduction and improved efficiency requires that both business and IT share a clear understanding of priorities. As one interviewee explained, “If IT doesn’t understand what the business needs, automation efforts will miss the mark. Alignment is not optional—it’s critical.”
• Process Quality: Collaboration was seen as essential for identifying process failures early and designing effective solutions. A business analyst mentioned, “We know the customer expectations and planning requirements; IT brings the technical know-how to handle exceptions. Without working together, processes break down.”
• Error Reduction: Interviewees pointed out that business teams’ deep process knowledge complements IT technical expertise to prevent errors and redundancies. For example, an RPA developer shared, “When business and IT collaborate, we catch potential errors before deployment, which saves time and avoids costly fixes.”
• Communication: Effective and ongoing communication was emphasized to ensure shared understanding and timely error resolution. As one manager stated, “Open communication channels between business and IT mean problems get identified and fixed quickly, keeping projects on track.”
• Definition of Responsibilities: Clearly delineated roles prevent misunderstandings and facilitate smooth change management. One interviewee noted, “When responsibilities aren’t clear, people step on each other’s toes. Involving both sides in process changes avoids surprises.”
• Documentation: Comprehensive documentation was described as a vital tool for transparency and process control. A participant explained, “Good documentation helps everyone—from business to IT—stay on the same page about what the process does and how changes should be made.”

In summary, IT brings technology, implementation, and maintenance expertise, while business contributes process knowledge and rule definitions. The consensus was clear: “The integration of business and IT is the foundation for successful RPA implementation.”

• Q2: “Do you think there could be issues if the process is solely defined by the business side or solely by the IT side without following a standard?”

All interviewees expressed clear concerns about processes being developed exclusively by either business or IT without adherence to a standardized framework, highlighting several challenges:

• Knowledge Limitations: Participants noted that relying solely on one side risks critical gaps in understanding. As one interviewee explained, “When business defines the process without IT’s input, technical constraints and integration challenges are often overlooked. Conversely, IT-only designs can miss important business rules.”
• Errors: Several respondents described how insufficient collaboration leads to errors, citing examples of overlooked requirements or inadequate testing. A developer commented, “Errors creep in when one side assumes the other has covered certain aspects. This causes rework and delays.”
• Ambiguity: Interviewees warned that processes crafted by a single party often introduce ambiguity that complicates implementation. As a business analyst stated, “Without shared understanding and standards, process steps can be interpreted differently by teams, leading to inconsistent results.”
• Resource Wastage: The risk of wasted time, effort, and budget was commonly mentioned. For instance, one manager shared, “We’ve seen robots deployed based on incomplete processes that failed to deliver value, wasting resources that could have been avoided with joint planning.”
• Overload: Several highlighted how the lack of collaboration places an unfair burden on either business or IT, causing inefficiencies. A participant noted, “If one side handles everything, they get overloaded and bottlenecks appear, slowing down the whole project.”
• Misalignment of Objectives: The importance of aligning goals was emphasized by all interviewees. One said, “Synchronization ensures we use all expertise effectively. Without it, critical perspectives are missed and the process falters.”

• Q3: “From your perspective, what is the meaning of careful selection of processes to be automated in RPA?”

The interviewees emphasized the critical importance of carefully selecting processes for automation. Several considerations were outlined:

• Efficiency: Selecting the right processes for automation is crucial to saving resources such as time and money. Processes that are repetitive and rule-based are particularly suitable.
• Error Minimization: Processes that generate frequent known errors can benefit from RPA implementation, as it can reduce execution time and mitigate errors.
• Stability: When choosing a process for automation, stability of the programs used by the robot is paramount. Ensuring that requirements and rules are well-understood, alongside technical stability, is essential for successful automation.
• Viability: An in-depth analysis should be conducted to determine if automation makes sense for each process, factoring in factors like expected return, implementation cost, maintenance, time, and effort. The focus should be on quality rather than volume, as choosing the wrong processes can lead to resource loss.

One interviewee illustrated this with a banking example: automating the resolution of flagged credit card transactions’ legal actions helped prevent long-term financial losses and protect the bank’s reputation.

“Choosing the right process is not about how many you automate, but about which ones will actually deliver value without causing new problems.”

“We focus on stable, rule-based workflows because robots can only perform well when the rules are clear and the environment is predictable.”

“Stability and auditability matter as much as ROI—if screens or rules change every month, you don’t have a good RPA candidate,” noted one RPA lead.

• Q4: “As there are no taxes on robots, but there are many on people, if you were a company owner, would you prefer to retain and prioritize people over replacing them with robots for economic reasons?”

Interviewees’ perspectives varied on whether to prioritize retaining employees or adopting automation for economic reasons, with 35.4% favoring employee retention and 64.5% leaning towards automation. Several key considerations emerged from the discussions.

Many highlighted that the RPA ability to operate continuously significantly reduces process execution time and minimizes human error, which often arises from fatigue or misunderstandings. This enhanced efficiency and error reduction contribute to improved profitability. At the same time, interviewees emphasized the essential role of employees in tasks requiring human judgment, analysis, or maintenance. They noted that workers can be reallocated to higher-value roles demanding critical thinking, provided they receive adequate training.

Cost savings were also cited as a major factor, given the reduction in personnel-related expenses such as salaries, healthcare, and taxes when leveraging automation.

Despite differing preferences, there was unanimous agreement that the optimal strategy involves prioritizing automation for repetitive, rule-based tasks while reserving skilled personnel for specialized, critical functions.

“Robots don’t get tired or distracted, so they’re perfect for repetitive work—but people are still needed for the complex decisions.”

“It’s not about replacing people, but about freeing them to focus on tasks where their expertise really matters.”

The following points were raised:

• Time Reduction: RPA can operate around the clock, significantly reducing process execution time compared to human counterparts.
• Mitigating Human Error: Robots operate based on rules, minimizing the potential for human error caused by factors such as lack of concentration or inadequate process understanding.
• Profit and Efficiency: the RPA ability to handle large volumes of information quickly can lead to increased efficiency, reduced errors, and ultimately, higher profits.
• Essential Collaboration: Certain employees play pivotal roles in processes that require human intervention, such as analysis or maintenance.
• Reallocation: Employees can be reallocated to roles demanding critical thinking and analysis, with appropriate training to equip them for these functions.
• Cost Reduction: Both the continuous operation of robots and the potential reduction in personnel can lead to cost savings, encompassing salaries, healthcare expenses, and taxes.

Ultimately, 100% of the interviewees converged on the understanding that prioritizing automation for repetitive tasks, while reserving specialized personnel for critical roles, was the optimal approach.

• Q5: “Do you think RPA helps or replaces employees?”

All interviewees agreed that Robotic Process Automation (RPA) primarily serves to assist employees rather than completely replace them. The impact of RPA on staffing depends largely on the organization’s goals and the nature of the processes automated.

Several participants noted that while some organizations may consider reducing headcount for cost savings, many emphasize reallocating employees to higher-value tasks by automating repetitive and routine work. This transition not only alleviates workload pressures but also enables employees to focus on analytical and strategic activities.

Concerns about job security surfaced, especially in cases where processes are fully automated without close collaboration between humans and technology. Such apprehensions can sometimes hinder knowledge sharing, which is crucial for successful robot development.

Nonetheless, interviewees highlighted examples where RPA facilitated the transition of employees from routine tasks to more analytical roles, preserving jobs and enhancing organizational capabilities.

“RPA frees people from the mundane so they can focus on what machines can’t do—thinking and problem-solving.”

“When done right, automation doesn’t cut jobs; it changes them.”

Ultimately, whether RPA assists or replaces employees depends on strategic choices and the specific processes targeted for automation.

• Q6: “Do you believe that all individuals involved in the same project should have the same levels of permissions?”

A significant majority (96.8%) of interviewees expressed reservations about granting all project participants the same level of access. They emphasized that establishing a clear hierarchy with designated decision-makers and supervisors is crucial for effective project management. The need for a clear separation of functions and responsibilities was highlighted as essential to prevent errors, such as unauthorized transactions caused by missteps in environment selection.

Security concerns were frequently raised, with participants noting that access to confidential data should be limited based on varying levels of understanding and caution among employees. One IT specialist observed, “If everyone has the same permissions, it becomes very difficult to track who made what changes, which can be disastrous in regulated environments.”

Defined roles and responsibilities were viewed as vital for organized and secure project execution. A business analyst added, “Differentiating access rights ensures that people only handle what they’re responsible for, which reduces errors and confusion.”

A small minority (3.2%) suggested that in certain small projects, uniform access levels might streamline work and prevent delays, but they stressed that such actions must always be under supervision with appropriate regulation and data encryption.

In summary, the consensus favors implementing role-based access control, aligning permission levels with responsibilities to maintain data integrity and project security without hindering productivity.

• Q7: “In your opinion, is understanding and preparing employees important for reducing compliance risks in RPA?”

All interviewees (100%) emphasized the pivotal role of employee understanding in reducing compliance risks associated with RPA. The following key factors were highlighted:

• Training and Awareness: Employees need comprehensive knowledge of business operations, regulations, data handling, roles, responsibilities, and associated risks.
• Motivation: Understanding the real-world impact of processes can motivate employees to maintain a broad organizational perspective and exhibit conscientiousness.
• Risks and Impacts: Unprepared employees, with limited experience, may inadvertently introduce errors, potentially leading to the compromise of confidential data.
• Creating an environment of awareness and accountability within an organization is deemed instrumental in minimizing compliance risks, enhancing the likelihood of successful RPA implementations, and safeguarding sensitive data.

“When employees truly understand the why and how behind RPA, they’re more careful and aligned with compliance goals,” noted one participant.

“Training isn’t just a checkbox; it’s what keeps the process safe and effective,” emphasized another interviewee.

Practical Implications Based on Interview Findings

The findings of this study offer several actionable insights for both business managers and IT leaders engaged in RPA initiatives. The interviewees emphasized the importance of structured governance models, cross-functional collaboration, and the alignment of RPA efforts with organizational goals. Based on these inputs, one practical recommendation is the creation of CoEs or designated roles (e.g., RPA champions) to coordinate efforts between business and IT. Managers are advised to prioritize automation opportunities using well-defined selection criteria, considering feasibility, compliance, and potential business value. IT leaders should establish granular permission models, monitor risk exposure, and lead change management to ensure smooth transitions. Moreover, the human side of automation cannot be overlooked: preparing and engaging employees are essential to build trust, reduce resistance, and ensure compliance. These practical implications, derived from the voices of experienced practitioners, serve as a roadmap for organizations seeking to deploy RPA effectively and sustainably.

While our procedures ensured rigor (PRISMA/AACODS), the contribution of this paper lies primarily in the governance insights and actionable implications distilled from the literature and interviews.

5.3. Integration/Triangulation of Findings

Integration across phases: Phase I and Phase II converge strongly on the need for tight business–IT alignment, clear decision rights, and role-based access controls. Interviewees unanimously endorsed business–IT integration and flagged risks when one side designs processes alone, and 96.8% rejected “same permissions for all,” reinforcing the literature’s emphasis on standardized intake, change control, and separation of duties. Together, the phases point to a practical bundle: a CoE/steering structure (decision rights), role/permission models (RBAC/SoD), standardized selection and change procedures, and training/communication to address adoption and compliance.

Triangulating case—Nordea: Nordea’s federated model (central CoE + BU execution) operationalizes this bundle: central standards, vendor/compliance oversight, and local process ownership for speed and contextual fit. This structure directly addresses two tensions raised by interviewees—bottlenecks from over-centralization and insufficient local knowledge—while preserving auditability through common policies and logs. The case therefore substantiates the integrated pattern emerging from both phases: centralize the rules and oversight; decentralize discovery and execution under those rules.

A deeper examination of Nordea Bank’s approach illustrates the tangible benefits and structure of a mature RPA governance model. The organization implemented a federated governance model, which combines a centralized CoE with decentralized automation teams embedded in BUs. The CoE oversees strategy, vendor management, and compliance policies, while BUs are empowered to identify and implement automation opportunities locally, in alignment with the central standards [7].

Within this structure, distinct roles were defined: an executive RPA sponsor guided strategic alignment; CoE product owners developed governance policies and tooling strategies; and business analysts and developers collaborated on identifying and automating processes. This role clarity was critical to avoiding overlap, maintaining compliance, and ensuring scalability.

Nordea reports substantial scale across Know Your Customer (KYC), anti-money laundering (AML), mortgages, onboarding, and reconciliation, with meaningful efficiency gains and cost savings under its federated governance model [174].

This case underscores the value of hybrid governance in complex, regulated environments, and aligns with findings from this study, where interviewees emphasized the need for role clarity, central oversight, and strategic alignment to achieve successful RPA outcomes.

Implication: A practical roadmap is to (1) institute or refresh a business–IT governance CoE/steering layer, (2) deploy a standardized intake and change-control workflow, (3) implement granular RBAC/SoD, logging and review, and (4) run a training/communication program aligned to perceived usefulness and ease-of-use levers.

In summary, the interview findings underscored that informed employees, cognizant of the risks and benefits of their work, are essential. Errors made without an appreciation of their implications can have significant financial repercussions for the organization. The insights provided by the interviewees illuminate the multifaceted considerations surrounding RPA integration, further emphasizing the nuanced interplay between technology and human expertise in organizational contexts.

6. Conclusions

The research employs a Mixed Methods Research approach to investigate the facets of RPA and governance, emphasizing integration between business and IT, process standardization, compliance, risk management, employee engagement, role changes, and change management.

This study set out to explore how organizations are integrating RPA and what governance mechanisms are being adopted to support such integration. By drawing on qualitative insights from experienced professionals across diverse industries, the research addressed the central question: “How is RPA being integrated within organizations, and what governance structures support its effective adoption?”

The findings revealed that successful RPA integration hinges on strong business–IT collaboration, the establishment of clear governance models (such as CoE or steering committees), and careful process selection. Organizations that engaged employees early, defined permission levels rigorously, and aligned automation efforts with strategic objectives reported smoother adoption and more sustainable outcomes.

In terms of contributions, this study enriches the literature on RPA by highlighting the governance challenges and enablers from a practice-based perspective. It introduces a synthesized governance framework grounded in real-world insights and identifies actionable recommendations for both business and IT leaders. Furthermore, it adds depth to existing case studies by examining the interplay between organizational culture, compliance considerations, and the evolving role of automation champions. The results extend IT–governance scholarship by showing that CoEs/steering committees (structures), standardized process selection and change control (processes), and early business–IT engagement (relational mechanisms) jointly predict smoother RPA scale-up. They also complement TAM by linking perceived usefulness/ease of use to employees’ willingness to engage with bots, and they echo the change management theory by underscoring communication, training, and visible sponsorship as prerequisites for sustainable adoption.

By integrating theoretical models with lived experiences, this study provides practical insights for both academic and managerial audiences. It emphasizes the necessity of governance as a strategic enabler of RPA and calls for thoughtful planning to ensure long-term value realization.

6.1. Emerging Trajectory

As RPA platforms increasingly converge with generative AI, task orchestration, and autonomous “AI agents,” governance must progress to cover model risks, human-in-the-loop controls, auditability of agent actions, and expanded role design. Our interviewees’ emphasis on clear permissions and accountability aligns with these trends, reinforcing the need for guardrails as RPA matures toward agentic automation.

6.2. Limitations and Future Research

This study, while offering valuable insights into RPA integration and governance practices, is not without limitations. First, the qualitative nature of the research and the relatively small sample size may limit the generalizability of the findings. The interviewees represented diverse industries, but geographic and organizational variations could have introduced biases that were not fully captured. Additionally, the study primarily reflects the perspectives of professionals currently engaged in RPA projects, which might not encompass the full spectrum of organizational experiences.

Future investigations might explore deeper into specific domains, potentially including longitudinal studies to explore the evolution of RPA governance over time. Cross-sectoral comparisons or large-scale surveys could further validate the proposed governance framework. Moreover, exploring communication processes, the training and reskilling of employees, and the integration of artificial intelligence with RPA tools present promising avenues for future inquiry.

Finally, our sample (n = 31) spans multiple roles but remains modest; the distribution of hands-on RPA experience may limit generalizability. Future cross-sector surveys and longitudinal field studies could quantify the effects of specific governance choices on adoption and compliance outcomes.