Risk Assessment of Employing Digital Robots in Process Automation

Abstract

Using digital technologies is essential to gain a competitive advantage in the global market by adapting to new business models. While digital technologies make business processes efficient, they enable companies to make faster and more accurate decisions by automating daily and routine process tasks. Robotic process automation (RPA) automates routine and repetitive business processes, allowing many jobs performed by humans to be performed faster. This way, advantages such as reduced error rates, reduced costs, increased production speed, and labor productivity are provided. For the successful implementation of RPA, potential risks need to be considered. In this study, failure mode and effect analysis (FMEA) based on decomposed fuzzy sets (DFSs), a new extension of intuitionistic fuzzy sets, has been used to evaluate subjectiveness in expert judgments. Differing from the other extensions of fuzzy set theory, the advantage of DFSs is to simultaneously consider decision-makers’ optimistic and pessimistic answers. Thus, the answer given by the decision-maker to the positive and negative questions on the same subject defines the indeterminacy of the decision-maker, and the method takes this indeterminacy into account in the evaluation. This study assesses and evaluates the potential risks of six digital robots in process automation. Thirteen risks were individually assessed for each automated process. This study found “Sustainability challenge” critical in three processes, “Absence of governance management” in two, and “Security“ in one. Variability in risk importance arose from process vulnerabilities.

1. Introduction

Adapting to new market demands forces organizations of all sizes, from small businesses to large corporations, to continually renew their revenue-generating mechanisms through product/service innovations, better strategies, and innovative business models [1]. The digital age requires companies to invest in value-added projects rather than routine activities to leverage innovation as a competitive edge and business success [2]. Process management must be designed around these business and compliance requirements, which are subject to a compromise between IT systems and business practices. Business Process Management (BPM) includes methods, techniques, and technologies to continually adapt and improve business processes by identifying, prioritizing, analyzing, and iteratively monitoring [2]. In this context, characteristic improvement goals include reducing costs, shortening execution times, and reducing error rates [3]. BPM is at the intersection of IT and business, enabling companies to manage digital innovations and transformations. While changing technology, they also pose challenges in the context of BPM [1]. An identified problem with current BPM solutions is that they need to leverage the amount of data to understand the most challenging aspects of a BPM system, what task to execute, when the task must be completed, and who will solve it. Researchers and practitioners suggest that BPM should be progressively optimized and automated [4].

Speed is one of the most critical factors to staying competitive in today’s challenging business conditions. The commissioning of software robots with Robotic process automation (RPA) has become one of the most essential and fastest-growing technologies in recent years [5,6]. RPA is a technology for performing routine business processes by automating how people interact with multiple applications or analytics through a user interface and following simple decision-making rules [7]. RPA can benefit from artificial intelligence and machine learning capabilities to tackle high-volume, repeatable tasks that previously required only humans to perform [4,8]. It uses software bots that can be considered digital workers, each using its computer station, username, and password, similar to a human worker [9].

The acceleration in the business context makes it even more challenging to predict what changes will occur and how they might affect the technological solutions used in increasingly automated business processes. It has been argued that immature or poorly trained models can eventually reduce productivity and increase errors due to unsupported or wrong decisions [4,10]. RPA has been widely adopted in many industries to automate well-defined and repetitive tasks [6]. Gartner forecasted RPA software end-user spending to reach USD 2.9 billion in 2022, up 19.5% from 2021 [11]. Because of its ease of use, the RPA revolution is taking place in the business operation groups of many companies active in financial services, healthcare, telecommunications, higher education, and energy [12]. Regarding RPA adoption, a survey of the top 25 global RPA service providers benefiting from 5800 customer deployments revealed that finance and accounting are the leading areas of RPA application, accounting for 36 percent of all RPA use cases [13]. Early adopters of RPA see that automation can radically transform the back office, improving service quality, increasing compliance, and reducing lead times while delivering much lower costs [14].

To understand the importance of RPA risk assessment, one can also look at it in the context of Industry 4.0, a popular topic in recent years. In Industry 4.0, creating efficient, intelligent, and interconnected systems is essential. One of these systems is the automation of processes using RPA technology. Assessing the potential risks and vulnerabilities of the developed systems is as important as developing the systems. Companies assess risks such as process stability, data security, and integration difficulties through various methods (one of which is discussed in this study). This can ensure that RPA improves operational efficiency and seamlessly connects with other advanced I4.0 technologies such as IoT, AI, and big data analytics. This combination will better prepare firms for the complexity of autonomous systems while maximizing the benefits of automation and reducing unintended disruptions [15].

Despite the widespread adoption of RPA worldwide, RPA adoption challenges are multidimensional in their technical, strategic, operational, and human aspects [16]. According to EY research, 30% to 50% of first RPA projects fail. For example, robots used in the complaint process caused a pile of complaints due to coding errors, and robots used in the accrual process caused significant under-reporting of accruals due to incorrect rule set definitions in bots [17]. As automation is rolled out across the industry, many examples of non-performance issues are a gray area for the deployment and investigation of technology causes [18]. Because of this, potential risks need to be considered.

This study applied decomposed fuzzy failure mode and effect analysis (DFS-FMEA) to compute the risk assessment of RPA. Failure mode and effect analysis (FMEA) is one of the most widely used risk assessment methods. In this study, risk assessment was carried out for the first time by integrating the FMEA method with decomposed fuzzy sets (DFSs). According to the logic of DFSs, a question is asked to the decision-maker for evaluation. The answer received from the decision-maker may change depending on whether the question is optimistic or pessimistic. That is, a question with the same meaning can be asked in two different ways: optimistic or pessimistic, and the decision-maker’s answer may change accordingly. With DFS-FMEA integration, questions about the three primary parameters of FMEA (Severity, Occurrence, and Detectability) are asked of the decision-makers from an optimistic and pessimistic perspective, and a more accurate assessment is carried out by obtaining more information from the user.

The remaining part of this paper is as follows: Section 2 summarizes the background of RPA and its benefits, and Section 3 identifies potential risks in detail with a fishbone diagram. Section 4 explains the methodology, including the decomposed fuzzy sets and decomposed fuzzy set-based FMEA. Section 5 presents a case study of six processes executed by RPA. It evaluates the risk assessment of digital robots’ implementation with the DFS-FMEA method. Section 6 discusses the results of the DFS-FMEA method over the selected six processes. Finally, Section 7 concludes the paper.

2. Background

RPA is the technological revolution that aims to take mundane and repetitive tasks from people’s daily workloads [19]. It frees up employees from tedious tasks and enables them to focus on more diverse, challenging, and valuable work [14]. It makes human creativity and ingenuity available for higher-value tasks that require decision making [4]. Much has been predicted about the effects of automation on the nature of human work. Some experts feel that automation will leave people with few tasks besides lawn mowing and hairdressing [12].

RPA benefits companies, customers, and employees in many departments, such as purchasing, manufacturing, human resources, sales, and marketing [15]. Many large and small companies appreciate that RPA reduces human labor needs, shortens transaction times, and easily interfaces with foreign systems, which is valuable for their profitability [11]. According to the Deloitte 2017 global robotics survey of over 400 responses, 85% of respondents reported that RPA continues to exceed their expectations in non-financial benefits such as accuracy, timeliness, flexibility, and improved compliance. In addition, 61% reported meeting cost reduction expectations, emphasizing that it moves people to higher-value activities that lead to higher job satisfaction [20].

RPA works well with identifiable, repeatable, and rule-based processes in all industries. It allocates significant work hours to tasks performed by software robots. Automation tracks and documents every IT or business process step within an automated system. This way, the company can better comply with industry and audit regulations. A software robot can work twenty-four hours a day, seven days a week, 365 days a year, thus increasing productivity. It enables better decision making when the data of each task the robot executes are analyzed. As software robots take care of repetitive, tedious tasks in a business, employees can engage in more value-added activities [11]. According to Lacity et al. [14], one of automation technology’s main benefits is increasing work accuracy and efficiency. Automation technology has the ability to increase productivity and make the business process more efficient and accurate [21]. When a process is adequately optimized, and all its sub-processes are mapped correctly, software robots do not make mistakes that their employees can make, so they can completely eliminate them [11]. The fact that all actions for RPA are standardized ensures consistency [22].

The alleged benefit of RPA’s ease of implementation leads firms to adopt RPA to generate a rapid return on investment (ROI) [23]. While traditional IT projects take months or even years, a standard RPA implementation happens faster. Therefore, the return on investment is much faster [5]. According to the case study results of Lacity et al. [12], it automates approximately 20 to 25 percent of back-office work related to meter management, customer invoicing, account management, consumption management, and segmentation, resulting in a return on investment in an average of 200 percent in 12 months.

Based on the literature about RPA process selection, the challenges encountered are summarized as selecting the right processes to automate; lack of RPA professional talent; reputational damage to the organization, both outside and within itself; and security. Figueiredo and Pinto [24] conducted semi-structured interviews with RPA project managers to address robotization’s main challenges and implications in shared service centers. The findings indicate that the main challenges in implementing RPA are concentrated in two main areas: (1) lack of resources, such as software management and development, to perform robotization tasks, and (2) insufficient internal training to develop these solutions. Flechsig et al. [25] studied using RPA in purchasing and supply management. In-depth, semi-structured expert interviews were conducted with experts from different levels in purchasing and IT departments, covering 19 organizations from the public and private sectors. The findings indicate that barriers to using RPA in purchasing and supply management include technical, organizational, and environmental factors such as internal communication, financial resources, top management support, infrastructure, human resources, organizational structures, supplier issues, and government regulations. Wagar et al. [26] studied the primary economic, technological, regulatory, privacy, and resource constraints to using RPA for tall-building safety management. Data were collected from tall-building experts through semi-structured interviews and surveys. The findings of the analysis showed that all factors, except resources, significantly influence RPA adoption. According to the path analysis findings, legislation was the most influential factor, followed by concerns about privacy, technological advancements, and economic factors.

As for risk assessment, Gotthardt et al. [27] conducted literature-based and case study-based research on the challenges encountered in successfully implementing RPA in accounting and auditing. The risk categories determined from implementing RPA systems evaluated with artificial intelligence were evaluated under two headings: business and automation risks. Business risks were categorized as technical, functional, operational, executive, and change management, while automation risks were categorized as center of excellence, proof of concept, backward compatibility, implementation, and business case. Patri [28] investigated banks’ main challenges in adopting RPA and provided suggestions for avoiding these challenges. Gao and Kuang [7] investigated how RPA technology for Risk Data Analysis can be used in customs post-clearance auditing. They discussed the challenges and benefits of its integration into customs management and explained RPA’s application values within the scope of a framework model. Eulerich et al. [29] interviewed 26 experts to identify the risks and challenges associated with RPA, and the findings were verified with the company’s external auditors. Five main challenges were identified regarding using RPA: implementation as a band-aid, control and security issues, cost, management, and the loss of information it causes. Yendluri et al. [30] explored RPA risk management, highlighting the challenges, trends, and strategies organizations need to integrate RPA successfully into their operations. Risks in RPA are explained under three headings: technical, operational, and business risks. Additionally, explanations regarding risk assessment were presented. Schlegel et al. [31] used data from 20 subject matter experts to rate the impact and controllability of risks associated with key factors in RPA projects and investigated the risks associated with RPA projects. A two-dimensional risk severity matrix was used to assess risk factors. The factors with the highest impact on the success of RPA projects were rated as “RPA development” and “process management”.

The main contribution of this work to the literature is based on the assessment of risks in RPA by integrating discretized fuzzy sets (DFSs) with failure mode and effect analysis (FMEA). Considering the similar studies summarized, it is evident that there are many previous studies involving RPA applications. However, despite the many positive outcomes of RPA, there may be some risks involved. For a successful RPA implementation, it is necessary to assess the risks as well as the benefits of RPA. The proposed unique risk assessment methodology addresses both the optimistic and pessimistic perspectives of decision-makers, enabling a more detailed and precise assessment of risks. To test the method, 13 potential risks were identified in six automated processes in the context of smart university studies.

3. Potential Risks

Implementing RPA may require significant changes to an organization’s business processes, which can be disruptive and costly. Additionally, the lack of standardization and detailed documentation of the process may lead to difficulties in designing and implementing RPA. Regarding automation, over-automating or automating poor processes can result in suboptimal automation that fails to deliver the desired outcomes. RPA may decrease job opportunities, particularly for roles that involve repetitive, rule-based tasks. Regarding data, RPA can cause data security and privacy concerns if the bots are not developed and managed appropriately. Also, the standardization of data from various sources may pose challenges during implementation. Change management can be another potential risk. RPA may require significant investment in time, money, and human resources, which can challenge organizations needing more skills and expertise. Furthermore, stakeholder engagement, staying aligned with strategic plans, and weak change management can hinder successful RPA implementation. People-related risks include a lack of qualified IT personnel, an absence of governance management, and a lack of role definitions. These issues can lead to ineffective RPA implementation, poor maintenance, and suboptimal performance. Maintenance and integration are other potential risks, as RPA requires consistent monitoring and maintenance to ensure it continues functioning effectively. Moreover, integration into IT processes can be complex and require significant effort. Finally, RPA may expose an organization to security risks, including the risk of cyber-attacks, data breaches, and other vulnerabilities. Thus, ensuring that RPA implementation is secure and well protected is crucial.

A comprehensive literature review was conducted to identify potential failures in RPA implementation using keywords such as “RPA failures”, “RPA risks”, and “RPA implementation challenges”. The studies obtained examined general challenges and risks in RPA implementations. By evaluating the common points of the studies, the risks were categorized under eight main headings: “Process”, “Data”, “People”, “Integration”, “Automation”, “Management”, “Maintenance”, and “Security”. This categorization reflects the general trends in the literature and provides a better understanding of the complex structure of RPA applications. Figure 1 shows a fishbone diagram of RPA implementation failures. The failures in each category are similar in terms of the underlying issue that caused them.

The process category includes failures related to the process itself, such as poor selection, lack of standardization, and difficulty identifying tasks.

Poor business processes selection: One of the biggest challenges of RPA projects is to choose the most suitable automation processes [32]. So, business executives need to understand that RPA cannot automate all processes. Therefore, choosing the right processes for RPA can be challenging. RPA is best suited for routine, rule-based, and uniform processes. It is also suitable for tasks without much judgment and with low exception rates. Additionally, RPA can be used to carry out control activities that employees currently perform due to time or resource constraints. Processes that do not meet these criteria will not be appropriate for RPA and will not provide enough benefits to justify the investment [22].

Lack of process standardization: Standardized processes play a significant role in the high-performance operation of units. It is essential to have clear rules and ideal sub-processes for automation. RPA needs precise instructions and regulations. According to Lacity et al. [12], RPA works best on standard processes. Not standardizing the processes well is one of the difficulties in implementing RPA [33].

Task identification: Task definition provides complete stability to RPA’s workflow and workload. Some processes to be selected for automation require specific conditions. For example, for an RPA application to be used in the audit process, well-defined procedures are structured and not subjective. In this way, the RPA application can complete tasks based on clear, rule-based instructions [6].

Magnification of unoptimized processes: The idea may seem obvious, but it is important to emphasize that optimizing inadequate processes will result in unsatisfactory automation. RPA should not only be utilized to automate repetitive and rule-based processes but also to enhance processes through automation. To achieve this, inefficiencies, gaps, and wastage should be carefully examined and resolved during the design phase of the RPA candidates. The RPA project must produce durable, top-notch automation that will not constantly fail and diminish the anticipated business value it will provide.

The automation category includes failures related to automation, such as over-automating and failure to adopt automation properly.

Over-automating: In today’s world, organizations are increasingly pushing for automation to improve operational efficiency and reduce costs. The pandemic and the associated surges in supply and demand intensified this desire. Automation was seen as a primary solution to manage this volatility. However, the haste to automate has resulted in a common pitfall when design and development are rushed—brittle automation is prone to breaking. To prevent this, automation requires a deliberate and thoughtful design approach that prioritizes process improvement before delivery. Additionally, the process must be linked to all relevant dependencies to enable better governance and change management.

Adoption of automation: The sustainability and success of automation, which has an important place in today’s world, are directly related to the adoption of this technology. RPA enables businesses to increase productivity by automating their routine work. However, considering the human factor and its benefits, its adoption can cause difficulties. Considering the costs, the system working improperly places operating efficiency and profitability at risk. Employees’ fear of losing their jobs hinders the adoption of automation [33].

The data category includes failures related to data, such as poor data quality, limited resources, and lack of documentation or handling of exceptions.

Data quality: Data accuracy is essential in the automation process, as in all systems. Incorrect data that RPA will use will produce erroneous results. This will cause businesses to make wrong decisions. At the same time, problems in the data source can slow down the RPA process. Robots can operate unexpectedly when data contain logical or semantic errors [34].

Resource variety: Using data from different sources for RPA can cause data compatibility issues. Data diversity requires the necessary integrations for RPA to process these data. The need to standardize data from various sources is one of the challenges [19]. RPA’s ability to process data from different sources can pose a risk depending on the infrastructure and integrations required.

Lack of detailed documentation of the process: Detailed process documentation of businesses provides detailed information about business processes. The RPA lifecycle begins with the analysis phase, in which a clear understanding of the process documentation is obtained [9]. Failure to present the processes in detail may cause RPA robots to execute incomplete or faulty processes. A complete design of RPA robots can be achieved with detailed process documentation.

Exception handling: Exception handling is essential in scripting at all stages of the RPA lifecycle [35]. Unexpected errors or problems during the RPA process pose a risk to RPA. These errors can prevent the system from working correctly and cause a waste of time.

Limited application: The automation decision depends on the cost–benefit analysis of the specific process and its requirements. Some documents, including complex data such as images, audio, and video, require partial automation. Putting cost and time into partial automation may not be reasonable.

The management category includes failures related to managing human resources and change, such as weak change management, poor stakeholder engagement, and not considering strategic plans.

Weak change management: Insufficient change management can negatively impact the successful implementation of RPA within an organization. The integration of new software and technology necessitates the transformation of employee roles and business processes. Proper communication with employees about the inevitable changes in workflows and processes is essential to avoid confusion. Business leaders must recognize that RPA will have varying effects on different employees, potentially resulting in differing levels of job satisfaction. Additionally, employees may require additional training and skill development to adapt to RPA. Failure to adequately support and understand employees during the implementation process may lead to an inability to keep up with the changes [36].

Stakeholder engagement: Stakeholders play an essential role in all processes, from the analysis to the implementation of the RPA process. Without stakeholder participation, RPA cannot be adequately designed, and problems are encountered during the implementation phase. At the same time, not adopting RPA applications disrupts business processes.

Staying out of strategic plans: Although RPA has the potential to enhance innovation and improve competitiveness, organizations often set unrealistic goals and misuse them for isolated areas, resulting in RPA failing to deliver on its promise. Instead of using RPA to innovate and improve work, some organizations solely use it to cut down spending by reducing FTE headcount, lacking any strategic intent or end-point design in their RPA projects. This under-resourcing of RPA initiatives can lead to risks associated with the RPA strategy. To mitigate these risks, organizations must implement a solid, future-proof target operating model and intelligent process automation tools.

The people category includes failures related to people, such as lack of role definitions, qualified personnel, and governance management.

Lack of role definitions: Operational risks in RPA implementation can arise if proper operating models are not defined. Rushing into training without defining roles can blur responsibilities when the bots go into production, leaving human RPA supervisors confused about their actual roles. To mitigate such risks, enterprises must have a well-defined operating model and clear role definitions [37].

Lack of qualified IT personnel: IT personnel is one of the most important stakeholders involved in all processes, from the construction of RPA applications to their implementation. IT staff support is required at every stage of the process. Employees engaged in RPA processes are available as those who build and maintain it and those who use the implementation results [38]. The lack of qualified IT personnel here can cause problems such as lodging, maintaining, and managing RPA applications.

Absence of governance management: A well-defined governance model is crucial for effective automation design. To this end, many organizations have established their own RPA Centers of Excellence, which are responsible for defining the governance model. To minimize risk downstream, it is important to have defined processes for identifying, assessing, validating, and prioritizing RPA opportunities. The standardization of automation work is also essential through templates and guidelines that follow best practices [9]. This ensures continuous improvement through lessons learned and avoids costly mistakes being repeated.

The maintenance category includes failures related to maintenance, such as sustainability problems and difficulties with maintenance.

Maintenance difficulties: The maintenance of RPA solutions is an essential aspect that must be considered to ensure the long-term sustainability of the implementation. As RPA solutions are designed to perform repetitive and rule-based tasks, they require regular maintenance to ensure optimal performance. Failure to initiate maintenance protocols can result in technical issues and difficulties that may become more challenging to resolve over time. Therefore, organizations must establish maintenance protocols and schedules to keep their RPA solutions up to date and functioning effectively. This includes regular monitoring, updates, and upgrades to ensure that the RPA solutions are aligned with any changes in business processes and technology.

Sustainability: Sustainability risks can also arise due to a lack of maintenance and support for the RPA system. As organizations continue to scale up their RPA deployments, maintenance and support become critical factors for ensuring the continued success of automation initiatives. Without proper maintenance and support, the RPA system can become outdated and fail to meet changing business needs, resulting in decreased efficiency and productivity. To mitigate these risks, organizations should establish clear processes for ongoing maintenance and support of the RPA system, including regular updates and upgrades to the software, as well as the continuous monitoring of system performance and user feedback. Additionally, having a dedicated team responsible for managing and maintaining the RPA system can help ensure that the system remains up to date and effective in meeting business needs.

The integration category includes failures related to integration, such as problems with integrating into IT processes and lack of operational stability.

Integration into IT processes: The complete integration of RPA applications into IT processes prevents problems in business processes. Integration is critical in ensuring data security. Data integrity provided by integration into IT processes increases the security of sensitive data processed by RPA. Management and maintenance problems may arise if RPA applications do not integrate with IT processes. This problem risks the stability and correct operation of RPA applications.

Operational stability: Operational instability can be caused by factors such as improperly designed, misconfigured, or poorly tested RPA applications and integrating RPA applications into business processes. The incompatibility of RPA applications with other systems may cause interruptions to processes. Lost link principles in RPA processes appear to be a challenge to be considered for operational stability [39].

The security category includes failures related to security. RPA bots can create, manipulate, and access large amounts of data. However, if the data are not properly secured, they can be accessed and used by unauthorized personnel. Organizations must take steps to ensure that sensitive data are encrypted and that bots can only access data that are necessary to perform their tasks. Lack of proper data governance and management can also lead to errors and inaccuracies in data processing, negatively impacting the organization [6,14,23].

4. Methodology

4.1. Decomposed Fuzzy Sets (DFS)

While getting expert opinions to solve real-life problems, there may be inconsistencies in the answers given by experts, depending on the change in their perspectives. In the literature, DFSs were proposed by Cebi et al. [40,41] as an extension of intuitionistic fuzzy sets that consider these inconsistencies. A question with the same meaning can be asked in two different ways, from an optimistic or pessimistic point of view, and decision-makers may give different answers accordingly. In other words, the answers given to the questions as optimistic and pessimistic may not complement each other.

Definition 1. 

The general representation of decomposed fuzzy sets is as follows according to Cebi et al. [40,41]:

$$\tilde{A}=\left\{〈x,(O({\mu }_{\tilde{A}}^o\left(x\right),{\nu }_{\tilde{A}}^o\left(x\right)),P({\mu }_{\tilde{A}}^p\left(x\right),{\nu }_{\tilde{A}}^p\left(x\right)|x\in X〉\right\}$$

(1)

where the function ${\mu }_{\tilde{A}}\left(x\right):X\to [0,1]$ is the degree of membership of optimistic view $\left(O\right)$ and pessimistic view $\left(P\right)$, and ${\nu }_{\tilde{A}}\left(x\right):X\to [0,1]$ is the degree of non-membership of $\left(O\right)$ and $\left(P\right)$, respectively.

Definition 2. 

Let $\tilde{a}=\{O(a,b),P(c,d)\}$, ${\tilde{a}}_1=\{O(a_1,b_1),P(c_1,d_1)\}$, and ${\tilde{a}}_2=\{O(a_2,b_2),P(c_2,d_2)\}$ be accepted as DFNs. The operators can be described as follows [40,41]:

Addition:

$${\tilde{a}}_1+{\tilde{a}}_2=\left\{O\left({\displaystyle \frac{a_1+a_2-2a_1{a}_2}{1-a_1{a}_2}},{\displaystyle \frac{b_1+b_2-2a_1{a}_2}{b_1+b_2-b_1{b}_2}}\right),P(c_1+c_2-c_1{c}_2,d_1{d}_2)\right\}$$

(2)

Multiplication:

$${\tilde{a}}_1\times {\tilde{a}}_2=\left\{O\left(\widetilde{a_1}\widetilde{a_2},b_1+b_2-b_1{b}_2\right),P\left({\displaystyle \frac{c_1{c}_2}{c_1+c_2-c_1{c}_2}},{\displaystyle \frac{d_1+d_2-2d_1{d}_2}{1-d_1{d}_2}}\right)\right\}$$

(3)

Multiplication by a scalar:

$$\lambda \tilde{a}=\left\{O\left({\displaystyle \frac{\lambda a}{(\lambda -1)a+1}},{\displaystyle \frac{b}{\lambda -(\lambda -1)b}}\right),P\left((1-{(1-c)}^{\lambda }),d^{\lambda }\right)\right\}for\lambda >0.$$

(4)

λth power of $\tilde{a}$, $\lambda >0$:

$${\tilde{a}}^{\lambda }=\left\{O\left(a^{\lambda },1-{(1-b)}^{\lambda }\right),P\left({\displaystyle \frac{c}{\lambda -(\lambda -1)c}},{\displaystyle \frac{\lambda d}{(\lambda -1)d+1}}\right)\right\}for\lambda >0.$$

(5)

Definition 3. 

The Decomposed Weighted Arithmetic Mean (DWAM) and Decomposed Weighted Geometric Mean (DWGM) are described as follows [40,41].

Let ${\tilde{a}}_i=\{O(a_i,b_i),P(c_i,d_i)\}$ be a collection of DWAMs with respect to ${\lambda }_i=({\lambda }_1,{\lambda }_2,\cdots ,{\lambda }_n)$${\lambda }_i\in [0,1]$ and ${\sum }_{i=1}^n{\lambda }_i=1$.

$$\begin{array}{c}\hfill DWAM({\tilde{a}}_1,{\tilde{a}}_2,\cdots ,{\tilde{a}}_n)={\lambda }_1{\tilde{a}}_1+{\lambda }_2{\tilde{a}}_2+\cdots +{\lambda }_n{\tilde{a}}_n=\\ \hfill \left\{O\left({\displaystyle \frac{{\sum }_{i=1}^n{\lambda }_i{\tilde{a}}_i}{1+{\sum }_{i=1}^n\left({\lambda }_i{\tilde{a}}_i-\frac{a_i}{n}\right)}},{\displaystyle \frac{{\prod }_{i=1}^n{b}_i}{{\sum }_{i=1}^n{b}_i^{n-1}{\lambda }_i(1-b_i)+{\prod }_{i=1}^n{b}_i)}}\right),P\left(1-\prod _{i=1}^n{(1-c_i)}^{{\lambda }_i},\prod _{i=1}^n{d}_i^{{\lambda }_i}\right)\right\}\end{array}$$

(6)

Let ${\tilde{a}}_i=\{O(a_i,b_i),P(c_i,d_i)\}$ be a collection of DWGMs with respect to ${\lambda }_i=({\lambda }_1,{\lambda }_2,\cdots ,{\lambda }_n)$${\lambda }_i\in [0,1]$ and ${\sum }_{i=1}^n{\lambda }_i=1$.

$$\begin{array}{c}\hfill DWGM({\tilde{a}}_1,{\tilde{a}}_2,\cdots ,{\tilde{a}}_n)={\tilde{a}}_1^{{\lambda }_1}+{\tilde{a}}_2^{{\lambda }_2}+\cdots +{\tilde{a}}_n^{{\lambda }_n}=\\ \hfill \left\{O\left(\prod _{i=1}^n{a}_i^{{\lambda }_i},1-\prod _{i=1}^n{(1-b_i)}^{{\lambda }_i}\right),P\left({\displaystyle \frac{{\prod }_{i=1}^n{c}_i}{{\sum }_{i=1}^n{c}_i^{n-1}{\lambda }_i(1-c_i)+{\prod }_{i=1}^n{c}_i)}},{\displaystyle \frac{{\sum }_{i=1}^n{\lambda }_i{d}_i}{1+{\sum }_{i=1}^n\left({\lambda }_i{d}_i-\frac{d_i}{n}\right)}}\right)\right\}\end{array}$$

(7)

Definition 4. 

The consistency index (CI) of the decomposed fuzzy number $(\tilde{a}=O(a,b),P(c,d))$ is defined as follows [40,41]:

$$CI=1-\sqrt{{\displaystyle \frac{{(a-d)}^2+{(b-c)}^2+{(1-a-b)}^2-{(1-c-d)}^2}{2}}}$$

(8)

where $0\le CI\le 1$, and the closer the CI value is to 1, the more consistent the decision-maker is [40,41].

Definition 5. 

The score index (SI) of the decomposed fuzzy number $(\tilde{a}=O(a,b),P(c,d))$ is defined as follows [40,41]:

$$SI\left(\tilde{a}\right)=\left\{\begin{array}{cc}{\displaystyle \frac{(a+b-c+d)CI\left(\tilde{a}\right)}{2k}},& SI\left(\tilde{a}\right)\ge 0\\ 0& SI\left(\tilde{a}\right)\le 0\end{array}\right.$$

(9)

The linguistic scale multiplier k is obtained by applying the formula below:

$$k=(a_{max}+b_{min}-c_{min}+d_{max})\times CI\left(\tilde{a}\right)/2$$

(10)

$CI\times \left(\tilde{a}\right)$ is the consistency index of the linguistic scale used and can be obtained by applying the formula below:

$$CI\left(\tilde{a}\right)=1-\sqrt{{\displaystyle \frac{({(a_{max}-d_{max})}^2+{(b_{min}-c_{min})}^2+{(1-a_{max}-b_{min})}^2+{(1-c_{min}-d_{max})}^2)}{2}}}$$

(11)

Here, $0\le CI\left(\tilde{a}\right)\le 1$, $a_{max}$ is the maximum membership value on the optimistic linguistic evaluation scale, while $b_{min}$ is called the minimum non-membership value on the optimistic linguistic evaluation scale. $c_{min}$ is the minimum membership value on the pessimistic linguistic evaluation scale, while $d_{max}$ is called the maximum non-membership value on the pessimistic linguistic evaluation scale.

4.2. DFS-Based FMEA

The FMEA method is one of the most well known and widely used risk assessment methods in the literature. This method is used in various fields, involves different disciplines, and is team-based. In this method, risks are identified, evaluated, and, if possible, tried eliminated. The FMEA method contains three parameters named “Severity (S)”, “Occurrence (O)”, and “Detectability (D)”. The risk priority number (RPN) is obtained by multiplying these parameters like in Equation (12). A high RPN value can be interpreted as a high risk. A high RPN value can be interpreted as a high risk. Specifically, in the context of process failure mode and effect analysis (PFMEA), this technique is recognized as a critical problem-prevention tool used to support continuous improvement and compliance with quality standards, especially in industries such as mechanical engineering, electrical manufacturing, and biopharmaceuticals. PFMEA focuses on uncovering process-related risks, ensuring quality management, and optimizing manufacturing processes, with applications ranging from automotive to biopharmaceutical processes, where the severity of risk is independent of the facility, but occurrence and detectability often depend on the manufacturing environment and equipment. Integrating these principles further strengthens the risk assessment framework by aligning it with industry standards for process optimization [42].   

$$RPN=S\times O\times D$$

(12)

The (S) value represents the degree of the potential outcome if the failure occurs, the (O) value indicates the frequency of the failure over time, and finally, the (D) value indicates the ability to detect the failure before it causes undesirable outcomes. Although fuzzy set-based FMEA is a frequently used method in the literature, sometimes the traditional FMEA method may be insufficient. For this reason, the FMEA method has been extended traditional fuzzy sets and various fuzzy set extensions. A detailed literature review reveals that FMEA has been extended many times with various fuzzy set extensions, but there is a lack of studies on FMEA extensions with DFSs. For this reason, in this study, the FMEA method is extended with DFS to enhance the risk assessment capability of the method. By integrating the FMEA method into DFS, evaluations of the basic parameters of FMEA, O, S, and D, are obtained by asking the decision-makers from an optimistic and pessimistic perspective. In this way, the decision-makers can express their ideas more accurately. On the other hand, by asking more questions to decision-makers, more information is collected from them. Having more information brings us closer to correct results. In addition, as required by the basic logic of DFS, asking questions to decision-makers from two different perspectives is crucial, as it helps reveal the situations where they are indecisive or give inconsistent answers. The steps of the proposed DFS-based FMEA method are shown in the pseudocode in Algorithm 1.

Algorithm 1 Pseudocode Representation of Proposed Approach [43]

Require:  n: number of evaluation dimensions (occurrence ($j=1$), severity ($j=2$), detectability ($j=3$)). m: number of risks ($i=1,2,\cdots ,m$). s: number of experts ($k=1,2,\cdots ,s$). Ensure:  Scores of the risks 1: for $k=1$ to s do 2:     Step 1: Construct the linguistic decomposed fuzzy decision matrices based on Table 1. $\tilde{R}={\left(r_{ij}\right)}_{m\times n}$ 3:     Step 2: Convert these linguistic terms into corresponding decomposed fuzzy numbers based on Table 1. $\tilde{R}={\left(r_{ij}\right)}_{m\times n}={\left\{O(a_{ij}^k,b_{ij}^k),P(c_{ij}^k,d_{ij}^k)\right\}}_{m\times n}$ 4:     Aggregate the decomposed fuzzy decision matrices using the DWGM operator given in Equation (7) for $\forall j$, separately. 5: end for 6: Step 4: Multiply the decomposed fuzzy Occurrence, Severity, and Detectability values of the risks obtained from Step 3 using Equation (3). 7: Step 5: Defuzzify the values to obtain crisp values. 8: for $i=1$ to m do calculate the consistency ratio: 9:     Apply Equation (8) 10: end for 11: for $i=1$ to m do calculate score values: 12:     Apply Equation (9) 13: end for

Table 1. Fuzzy linguistic scale [44].

Linguistic Terms	µ	v
Absolutely Low (AL)	0.05	0.9
Very Low (VL)	0.25	0.6
Low (L)	0.4	0.5
Medium (M)	0.5	0.5
High (H)	0.7	0.2
Very High (VH)	0.85	0.05
Absolutely High (AH)	0.9	0.05

Table 1. Fuzzy linguistic scale [44].

Linguistic Terms	µ	v
Absolutely Low (AL)	0.05	0.9
Very Low (VL)	0.25	0.6
Low (L)	0.4	0.5
Medium (M)	0.5	0.5
High (H)	0.7	0.2
Very High (VH)	0.85	0.05
Absolutely High (AH)	0.9	0.05

4.3. Borda Method

The Borda method is a voting or ranking method used to prioritize alternatives based on decision-makers’ preferences [45]. In risk prioritization, risks are ranked for the relevant process according to their perceived severity, occurrence, and detectability, with the resulting risk magnitude. However, the Borda method can be applied when there are multiple processes and to achieve a common ranking for the enterprise. The application steps of the method in the study are as follows:

• Each risk is ranked according to certain criteria (e.g., Severity, Occurrence, Detectability) by decision-makers for each identified process.
• Each risk is assigned a score according to its ranking under the relevant process. For example, for the 13 risks considered in this study, the highest ranked risk (the first-ranked risk) receives 13 points, the second highest risk receives 12 points, and so on, with the lowest ranked risk receiving 1 point.
• After assigning scores for each process, the scores for each risk are summed.
• The risk with the highest total score is prioritized as the most critical risk, followed by the others in descending order.

The Borda method is useful when more than one criterion is considered. Since this study involves more than one process and the risk rankings in these processes are different, it is suitable for obtaining an average ranking.

5. Case Study

5.1. Processes

Izmir Bakircay University is a young and visionary university in Turkiye. The smart campus and digital transformation office, one of the university’s coordinatorships, manages intelligent and digital projects. They utilize RPA technology to automate processes under digital transformation projects. The six selected processes for this study were performed at Izmir Bakircay University. Understanding process details enables readers to interpret their risks.

The main reason for choosing a university case study in this study is that universities offer an ideal environment for RPA implementation due to their complex processes, propensity for digital transformation processes, and data richness. Examining the processes in different university units has increased the study’s general validity by revealing the diversity of risks that can be encountered in RPA applications.

Risk assessment in RPA applications is critical for success, as it identifies potential problems in advance. An incorrect risk assessment can lead to severe consequences such as data loss, process interruptions, and security breaches. A systematic approach to risk assessment, such as the DFS method used in this study, helps minimize such risks. In addition, risk assessment results allow managers to make more informed decisions regarding RPA projects, ensuring more efficient use of resources.

Process experts were selected from among those with in-depth knowledge of the processes under study and experience in risk analysis. Criteria such as having worked in the relevant field for at least five years and having participated in more than ten risk analysis projects were considered. In this way, the reliability of the obtained data was increased.

The process of the scholarship payment process (P1): One employee prepares scholarship payment documents. Project coordinators fill out the application form and submit it with a wet signature at the end of each month. In some cases, project coordinators may require memorization to fill in a mandatory field or enter incorrect details, which can lengthen the cycle time of the process. The responsible employee creates three forms from four sources using the application form. Whereas the same fields are placed in each document, some individualized data such as identity number, name and surname, student number, project ID, and project name must also be included. It takes over two working days to prepare 54 documents for 18 scholarships.

The process of course addition and the branch opening process (P2): Courses and course programs are entered into the system at the beginning of each semester at the Graduate Education Institute. The details of the courses are collected from departments in an Excel file. Then, two employees working together define them in the university information system in six days.

The process of reporting the decisions to the board members and their implementation in the university information system (P3): The council at the Graduate Education Institute plans regular weekly meetings to discuss the applications coming from students. Before the meetings, one employee collects the applications in a standard format and prepares agenda items for the board members. After the meetings, each decision is entered into the university information system individually. Some of the council decisions involve the preparation of records for each department regarding the assignment of academic advisors to registered students at the beginning of each semester, as well as any changes made to academic advising based on student requests during the semester, the suspension of registration, the removal of registration, etc. In assuming that approximately 20 decisions are made at each council meeting, it takes two employees working together 140 min to report decisions to the board members and enter the decisions into the university information system for a weekly meeting.

The process of personalized document preparation and mailing (P4): Each department prepares a compulsory internship certificate for students to present to the companies before their internship. The compulsory internship certificate includes personalized data such as the student’s name, surname, number, department, and academic coordinator’s name, surname, and signature. After the department coordinator prepares the certificate they email it to the student. Approximately 240 students in the engineering faculty need internship certificates prepared every semester, leading to the ineffective use of time and human resources and some potential failures.

The process of reporting applications to the ethics committee preparation and archiving decisions (P5): The medical faculty plans regular weekly meetings to discuss researchers’ applications related to personal data use permission for research. One employee collects the three hard copy application forms. Then, they prepare the agenda items for the committee members. After the meetings, each decision is entered into the university information system individually, and the applicant is informed by email with the committee’s decision letter. Finally, each decision is archived with a unique code represented by a timestamp and the applicant’s surname.

The process of accident insurance payments for internship students (P6): Some departments have short- and long-term internships. The faculties must consider the occupational health and safety of students. Because of this, one faculty employee collects student application forms from the departments at least two weeks in advance. They check the information on the application forms from different official websites. If a mistake is found, the student is informed. The student data are entered into the ministry’s system if everything is correct. The responsible employee must check the ministry’s system every Friday to determine whether the students have a medical report because the accident insurance must not be paid for the days the student did not go to work. Otherwise, the faculty must pay a fine. The process is open to mistakes because the internship period is flexible between specific dates.

5.2. DFS-Based FMEA

The evaluation data for the DFS-based FMEA method were obtained through interviews with three process specialists involved in the process design and experienced in risk analysis. For the first step, the process specialists identified potential risks in RPA implementations using the nominal group technique and literature review.

A moderator with expertise in group decision-making and risk analysis managed the data gathering and evaluation process. The nominal group technique is a structured method used to facilitate group decision making and idea generation, ensuring equal participation from all members. The process begins with the facilitator introducing a problem or topic, followed by a phase where participants independently and silently generate ideas. These ideas are then shared in a round-robin format, allowing each participant to contribute without interruption or criticism. After all ideas are presented, the group discusses and clarifies each idea. Participants then individually rank or vote on the ideas, often using a ranking or point system to prioritize them. The highest-ranked ideas are selected for further consideration. The nominal group technique is effective for generating diverse input, avoiding groupthink by fostering independent idea generation, and enabling structured decision making through consensus building. It is commonly used in fields such as risk assessment and strategic planning. The determined potential risks in RPA implementations are given in

Table 2. Possible risks in RPA implementations.

	Failures
R1	Poor business process selection
R2	Magnification of unoptimized processes
R3	Absence of governance management
R4	Over-automating
R5	Resources variety
R6	Weak change management
R7	Security
R8	Staying out of strategic plans
R9	Lack of role definitions
R10	Sustainability problem
R11	Maintenance difficulties
R12	Ownership
R13	Limited application

.

In the second step, the process specialists obtained linguistic evaluations of the Occurrence, Severity, and Detectability of the risks separately for each process. In accordance with the DFS logic, the decision-makers were asked two different questions, optimistic and pessimistic. The process specialists’ assessments of potential risks in RPA are given in

Table 3. Linguisticevaluations of risk specialists.

		Occurence of Potential Risk												Severity of Potential Risk												Detectability of Potential Risk
		P1		P2		P3		P4		P5		P6		P1		P2		P3		P4		P5		P6		P1		P2		P3		P4		P5		P6
		ow	pw	ow	pw	ow	pw	ow	pw	ow	pw	ow	pw	ow	pw	ow	pw	ow	pw	ow	pw	ow	pw	ow	pw	ow	pw	ow	pw	ow	pw	ow	pw	ow	pw	ow	pw
Risk Specialist 1	R1	H	L	H	VL	H	L	H	L	H	M	H	VL	AL	VH	AL	VH	AL	AH	AL	AH	AL	AH	AL	AH	M	L	M	H	M	H	M	H	M	M	M	H
	R2	VL	VH	VL	H	VL	H	VL	H	VL	H	VL	VH	L	VH	L	M	L	M	L	VH	L	H	L	H	VH	VL	VH	M	VH	L	VH	L	VH	L	VH	VL
	R3	H	M	H	VL	H	M	H	L	H	L	H	L	VH	VL	VH	L	VH	L	VH	VL	VH	L	VH	VL	L	H	L	VH	L	H	L	H	L	H	L	H
	R4	H	VH	H	VL	H	VL	H	VL	H	VL	H	L	M	H	M	L	M	H	M	H	M	L	M	L	L	VH	L	H	L	H	L	VH	L	H	L	H
	R5	VH	AL	VH	L	VH	VL	VH	L	VH	L	VH	VL	VH	L	VH	M	VH	L	VH	L	VH	VL	VH	L	L	H	L	H	L	VH	L	VH	L	M	L	M
	R6	VL	H	VL	H	VL	VH	VL	M	VL	H	VL	H	VL	H	VL	VH	VL	VH	VL	H	VL	H	VL	H	VH	L	VH	M	VH	VL	VH	VL	VH	VL	VH	L
	R7	H	H	H	M	H	M	H	M	H	L	H	M	AH	L	AH	AL	AH	AL	AH	AL	AH	AL	AH	AL	M	L	M	M	M	L	M	H	M	M	M	L
	R8	H	M	H	VL	H	L	H	VL	H	L	H	M	AL	H	AL	AL	AL	AH	AL	AH	AL	AH	AL	AH	L	H	L	M	L	H	L	H	L	H	L	H
	R9	VL	H	VL	H	VL	H	VL	VH	VL	VH	VL	VH	VL	H	VL	VH	VL	VH	VL	VH	VL	H	VL	VH	VL	H	VL	H	VL	VH	VL	VH	VL	H	VL	VH
	R10	H	VL	H	L	H	L	H	L	H	M	H	L	H	M	H	M	H	L	H	M	H	VL	H	L	H	L	H	L	H	M	H	L	H	VL	H	L
	R11	M	VH	M	M	M	L	M	L	M	M	M	M	H	L	H	L	H	L	H	M	H	VL	H	L	L	VH	L	H	L	M	L	M	L	H	L	H
	R12	AL	AH	AL	AH	AL	AH	AL	AH	AL	AH	AL	AH	H	VL	H	VL	H	VL	H	VL	H	L	H	M	M	M	M	L	M	H	M	L	M	M	M	L
	R13	VL	M	VL	H	VL	H	VL	VH	VL	VH	VL	H	AL	H	AL	AH	AL	AH	AL	AH	AL	AH	AL	AH	M	H	M	L	M	M	M	M	M	L	M	H
Risk Specialist 2	R1	VL	H	M	H	VH	AL	M	L	VL	H	VH	AL	VL	VH	L	L	L	H	AL	H	VL	H	H	VL	AL	VH	VL	VH	VH	AL	AL	H	AL	VH	VL	H
	R2	VL	AH	VL	H	M	H	VL	VH	AL	AH	H	VL	L	H	AL	AH	VL	H	VL	H	VL	H	VH	AL	L	H	H	VL	L	H	AL	VH	VL	H	VH	VL
	R3	L	M	VL	H	L	H	AL	AH	H	VL	VH	VL	VH	VL	VH	AL	VL	VH	AL	VH	VL	VH	M	M	H	VL	VL	H	VH	VL	VL	H	L	M	H	L
	R4	L	M	VL	VH	VL	VH	AL	VH	H	H	VH	AL	H	VL	VL	H	AL	VH	AL	VH	AL	VH	M	M	AL	VH	VL	VH	VL	VH	AL	AH	L	H	M	M
	R5	VH	AL	H	H	VL	H	L	H	H	AL	H	VL	H	L	M	M	VL	M	AL	VH	L	H	H	VL	L	H	VL	AH	VL	AH	AL	VH	VL	H	VL	VH
	R6	VL	AH	AL	AH	VL	VH	VL	VH	AL	AH	AL	VH	M	H	L	H	AL	VH	VL	VH	VL	H	M	M	VL	VH	H	VL	H	VL	AL	VH	VL	H	AL	AH
	R7	H	VL	VL	H	M	VL	AL	VH	M	M	M	L	H	VL	VH	VL	VL	M	AL	AH	VH	AL	AH	VL	L	H	VL	H	VH	VL	L	H	H	VL	AH	AL
	R8	VL	M	L	H	M	H	VH	VL	H	VL	VL	VH	AL	VH	VL	H	M	L	VL	H	VL	VH	M	H	VL	M	AL	VH	L	L	VL	M	AL	VH	AL	VH
	R9	AL	VH	VL	H	H	H	AL	VH	VL	M	VL	M	L	VH	L	H	VL	H	VL	VH	AL	VH	AL	AH	VL	VH	VL	H	VL	VH	VL	AH	AL	VH	AL	AH
	R10	H	AL	H	L	VH	AL	M	VL	VL	M	VH	AL	VL	H	VL	H	AL	VH	H	L	VL	H	VH	VL	VH	VL	H	VL	VL	H	M	VL	L	H	VH	AL
	R11	VL	H	AL	VH	VH	AL	VL	H	H	L	VH	AL	M	H	M	H	VH	VL	AL	AH	VH	AL	VH	AL	AL	AH	AL	VH	AL	VH	AL	VH	AL	VH	H	VL
	R12	AL	AH	VL	H	VH	AL	M	M	AL	AH	VH	AL	H	L	L	H	H	VL	L	H	VH	L	H	L	VH	AL	VL	H	VL	H	AL	VH	VL	H	AL	VH
	R13	VL	H	AL	AH	M	M	AL	AH	AL	AH	VH	AL	L	H	VL	VH	M	H	AL	AH	H	L	L	L	L	H	H	M	L	M	AL	VH	L	H	VL	VH
Risk Specialist 3	R1	AL	VH	M	VL	H	VL	VL	VH	AL	VH	VH	AL	M	VL	VL	VH	H	VL	AL	VH	VL	VH	M	M	VL	VH	AL	VH	AH	AL	VL	VH	VL	VH	VL	VH
	R2	AL	AH	L	M	M	H	AL	AH	AL	VH	H	H	VL	H	AL	AH	AL	VH	VL	H	AL	VH	AH	AL	M	L	M	H	L	L	AL	AH	VL	H	AH	AL
	R3	VL	VH	M	L	L	H	VL	VH	L	H	H	L	H	VL	VH	AL	AL	AH	VL	H	AL	AH	VL	M	H	VL	L	H	H	L	M	VL	VL	VH	H	VL
	R4	M	M	VL	M	M	H	AL	VH	H	L	H	VL	H	VL	VL	H	AL	VH	AL	VH	VL	H	L	H	VL	H	AL	AH	VL	VH	VL	VH	M	M	M	L
	R5	VH	VL	VH	AL	M	VL	VL	M	H	VL	H	L	M	M	M	M	L	H	AL	VH	VL	VH	VH	VL	H	VL	AL	AH	AL	AH	VL	VH	AL	VH	VL	VH
	R6	AL	AH	AL	AH	AL	AH	VL	VH	VL	VH	AL	AH	VL	H	L	M	VL	H	L	H	M	M	M	L	L	H	H	VL	VH	VL	VL	H	VL	VH	AL	VH
	R7	VH	AL	VL	H	VL	H	VL	VH	M	M	H	L	L	M	H	AL	VL	H	AL	VH	AH	AL	VH	VL	VL	H	VL	VH	AH	AL	VL	H	H	VL	AH	AL
	R8	L	M	H	H	M	VL	VH	AL	H	VL	AL	AH	AL	AH	VL	H	L	H	L	H	AL	AH	L	H	AL	AH	VL	VH	L	H	AL	AH	VL	H	AL	AH
	R9	AL	VH	VL	H	VH	VL	AL	AH	AL	AH	M	M	M	L	VL	VH	VL	VH	VL	H	AL	AH	VL	H	VL	VH	L	H	VL	H	AL	AH	VL	VH	AL	VH
	R10	H	VL	L	M	AH	AL	VL	H	M	M	H	VL	AL	VH	AL	VH	AL	VH	H	AL	L	H	VH	VL	VH	AL	VH	VL	M	M	H	M	VL	H	VH	VL
	R11	VL	VH	AL	AH	H	L	VL	VH	VH	AL	AH	AL	VL	H	VL	H	VH	VL	AL	AH	VH	VL	H	VL	VL	VH	AL	VH	VL	H	VL	H	AL	AH	H	VL
	R12	AL	VH	VL	H	AH	VL	L	H	AL	AH	AH	AL	M	VL	VL	M	H	L	VL	VH	H	L	L	L	H	L	M	VL	M	M	AL	VH	AL	H	AL	AH
	R13	AL	VH	AL	AH	M	VL	AL	H	VL	VH	H	AL	L	L	VL	VH	L	M	VL	VH	M	L	H	L	M	L	M	M	H	VL	AL	VH	L	L	M	H

. The linguistic evaluations were transformed into fuzzy triangular numbers using the scale in Table 1.

In the third step, the analysis process was started after the data collection process. Since each process specialist presents their preferences separately, the DWGM operator given by Equation (7) was used to aggregate process specialists’ assessments to obtain a co-decision matrix.

Table 4. Aggregated values of DFNs.

		P1		P2		P3		P4		P5		P6
		ow	pw	ow	pw	ow	pw	ow	pw	ow	pw	ow	pw
Occurence of Potential Risk	R1	(0.206, 0.682)	(0.670, 0.250)	(0.559, 0.415)	(0.353, 0.467)	(0.746, 0.153)	(0.094, 0.667)	(0.444, 0.457)	(0.576, 0.350)	(0.206, 0.682)	(0.701, 0.250)	(0.797, 0.103)	(0.035, 0.800)
	R2	(0.146, 0.748)	(0.884, 0.050)	(0.292, 0.569)	(0.637, 0.300)	(0.397, 0.536)	(0.700, 0.200)	(0.146, 0.748)	(0.827, 0.100)	(0.086, 0.841)	(0.827, 0.100)	(0.497, 0.365)	(0.596, 0.283)
	R3	(0.412, 0.457)	(0.640, 0.350)	(0.444, 0.457)	(0.420, 0.433)	(0.482, 0.415)	(0.637, 0.300)	(0.206, 0.682)	(0.763, 0.200)	(0.581, 0.316)	(0.420, 0.433)	(0.747, 0.153)	(0.334, 0.533)
	R4	(0.519, 0.415)	(0.640, 0.350)	(0.352, 0.496)	(0.532, 0.383)	(0.444, 0.457)	(0.596, 0.283)	(0.121, 0.800)	(0.673, 0.233)	(0.700, 0.200)	(0.420, 0.433)	(0.747, 0.153)	(0.283, 0.567)
	R5	(0.850, 0.050)	(0.035, 0.800)	(0.797, 0.103)	(0.146, 0.533)	(0.474, 0.425)	(0.353, 0.467)	(0.440, 0.425)	(0.533, 0.400)	(0.747, 0.153)	(0.094, 0.667)	(0.747, 0.153)	(0.283, 0.567)
	R6	(0.146, 0.748)	(0.846, 0.100)	(0.086, 0.841)	(0.846, 0.100)	(0.146, 0.748)	(0.868, 0.050)	(0.250, 0.600)	(0.760, 0.200)	(0.146, 0.748)	(0.827, 0.100)	(0.086, 0.841)	(0.827, 0.100)
	R7	(0.747, 0.153)	(0.118, 0.567)	(0.352, 0.496)	(0.637, 0.300)	(0.444, 0.457)	(0.452, 0.433)	(0.206, 0.682)	(0.760, 0.200)	(0.559, 0.415)	(0.464, 0.500)	(0.626, 0.316)	(0.431, 0.500)
	R8	(0.412, 0.457)	(0.500, 0.500)	(0.581, 0.316)	(0.519, 0.333)	(0.559, 0.415)	(0.420, 0.433)	(0.797, 0.103)	(0.089, 0.700)	(0.700, 0.200)	(0.283, 0.567)	(0.206, 0.682)	(0.785, 0.200)
	R9	(0.086, 0.841)	(0.807, 0.100)	(0.250, 0.600)	(0.700, 0.200)	(0.530, 0.328)	(0.519, 0.333)	(0.086, 0.841)	(0.868, 0.050)	(0.146, 0.748)	(0.785, 0.200)	(0.315, 0.569)	(0.640, 0.350)
	R10	(0.700, 0.200)	(0.089, 0.700)	(0.581, 0.316)	(0.431, 0.500)	(0.812, 0.103)	(0.029, 0.767)	(0.444, 0.457)	(0.420, 0.433)	(0.444, 0.457)	(0.500, 0.500)	(0.747, 0.153)	(0.094, 0.667)
	R11	(0.315, 0.569)	(0.807, 0.100)	(0.108, 0.829)	(0.785, 0.200)	(0.668, 0.276)	(0.110, 0.633)	(0.315, 0.569)	(0.670, 0.250)	(0.668, 0.276)	(0.118, 0.633)	(0.726, 0.233)	(0.028, 0.767)
	R12	(0.500, 0.900)	(0.884, 0.050)	(0.146, 0.748)	(0.779, 0.150)	(0.337, 0.551)	(0.206, 0.517)	(0.215, 0.708)	(0.728, 0.250)	(0.050, 0.900)	(0.900, 0.050)	(0.337, 0.551)	(0.073, 0.617)
	R13	(0.146, 0.748)	(0.701, 0.400)	(0.086, 0.841)	(0.846, 0.100)	(0.397, 0.536)	(0.452, 0.433)	(0.086, 0.841)	(0.827, 0.100)	(0.146, 0.748)	(0.868, 0.050)	(0.530, 0.328)	(0.033, 0.667)
Severity of Potential Risk	R1	(0.184, 0.729)	(0.673, 0.233)	(0.171, 0.729)	(0.735, 0.200)	(0.241, 0.658)	(0.632, 0.283)	(0.050, 0.900)	(0.827, 0.100)	(0.146, 0.748)	(0.827, 0.100)	(0.260, 0.658)	(0.572, 0.383)
	R2	(0.342, 0.536)	(0.756, 0.150)	(0.100, 0.829)	(0.809, 0.200)	(0.171, 0.729)	(0.701, 0.250)	(0.292, 0.569)	(0.756, 0.150)	(0.171, 0.729)	(0.756, 0.150)	(0.674, 0.233)	(0.033, 0.667)
	R3	(0.797, 0.103)	(0.250, 0.600)	(0.850, 0.050)	(0.029, 0.767)	(0.220, 0.664)	(0.763, 0.200)	(0.220, 0.664)	(0.596, 0.283)	(0.220, 0.664)	(0.763, 0.200)	(0.474, 0.425)	(0.387, 0.533)
	R4	(0.626, 0.316)	(0.353, 0.467)	(0.315, 0.569)	(0.601, 0.300)	(0.108, 0.829)	(0.807, 0.100)	(0.108, 0.829)	(0.807, 0.100)	(0.184, 0.729)	(0.670, 0.250)	(0.464, 0.500)	(0.533, 0.400)
	R5	(0.668, 0.276)	(0.431, 0.500)	(0.597, 0.381)	(0.500, 0.500)	(0.440, 0.425)	(0.533, 0.400)	(0.129, 0.788)	(0.735, 0.200)	(0.440, 0.425)	(0.596, 0.283)	(0.797, 0.103)	(0.283, 0.567)
	R6	(0.315, 0.569)	(0.700, 0.200)	(0.342, 0.536)	(0.701, 0.250)	(0.146, 0.748)	(0.807, 0.100)	(0.292, 0.569)	(0.756, 0.150)	(0.315, 0.569)	(0.637, 0.300)	(0.397, 0.536)	(0.533, 0.400)
	R7	(0.632, 0.276)	(0.359, 0.533)	(0.812, 0.103)	(0.035, 0.800)	(0.383, 0.466)	(0.161, 0.533)	(0.131, 0.788)	(0.374, 0.333)	(0.883, 0.050)	(0.050, 0.900)	(0.883, 0.050)	(0.491, 0.417)
	R8	(0.050, 0.900)	(0.827, 0.100)	(0.146, 0.748)	(0.199, 0.433)	(0.215, 0.708)	(0.700, 0.250)	(0.171, 0.729)	(0.779, 0.150)	(0.086, 0.841)	(0.884, 0.050)	(0.215, 0.708)	(0.779, 0.150)
	R9	(0.368, 0.536)	(0.670, 0.250)	(0.292, 0.569)	(0.807, 0.100)	(0.250, 0.600)	(0.807, 0.100)	(0.250, 0.600)	(0.807, 0.100)	(0.086, 0.841)	(0.827, 0.100)	(0.146, 0.748)	(0.827, 0.100)
	R10	(0.206, 0.682)	(0.701, 0.250)	(0.206, 0.682)	(0.701, 0.250)	(0.121, 0.800)	(0.735, 0.200)	(0.700, 0.200)	(0.118, 0.633)	(0.412, 0.457)	(0.519, 0.333)	(0.797, 0.103)	(0.283, 0.567)
	R11	(0.443, 0.457)	(0.601, 0.300)	(0.444, 0.457)	(0.601, 0.300)	(0.797, 0.103)	(0.283, 0.567)	(0.121, 0.800)	(0.809, 0.200)	(0.797, 0.103)	(0.089, 0.700)	(0.747, 0.153)	(0.094, 0.667)
	R12	(0.626, 0.316)	(0.283, 0.567)	(0.412, 0.457)	(0.452, 0.433)	(0.700, 0.200)	(0.283, 0.567)	(0.412, 0.457)	(0.596, 0.283)	(0.747, 0.153)	(0.400, 0.500)	(0.581, 0.316)	(0.431, 0.500)
	R13	(0.200, 0.708)	(0.601, 0.300)	(0.146, 0.748)	(0.868, 0.050)	(0.215, 0.708)	(0.728, 0.250)	(0.086, 0.841)	(0.884, 0.050)	(0.260, 0.658)	(0.613, 0.350)	(0.241, 0.658)	(0.613, 0.350)
Detectability of Potential Risk	R1	(0.184, 0.729)	(0.735, 0.2)	(0.184, 0.729)	(0.807, 0.100)	(0.726, 0.233)	(0.033, 0.667)	(0.184, 0.729)	(0.756, 0.150)	(0.184, 0.729)	(0.760, 0.200)	(0.315, 0.569)	(0.756, 0.150)
	R2	(0.554, 0.381)	(0.420, 0.433)	(0.668, 0.276)	(0.452, 0.433)	(0.514, 0.381)	(0.498, 0.400)	(0.129, 0.788)	(0.763, 0.200)	(0.376, 0.466)	(0.601, 0.300)	(0.866, 0.050)	(0.089, 0.700)
	R3	(0.581, 0.316)	(0.353, 0.467)	(0.342, 0.536)	(0.756, 0.150)	(0.620, 0.276)	(0.420, 0.433)	(0.368, 0.536)	(0.519, 0.333)	(0.342, 0.536)	(0.701, 0.250)	(0.581, 0.316)	(0.420, 0.433)
	R4	(0.171, 0.729)	(0.807, 0.100)	(0.171, 0.729)	(0.827, 0.100)	(0.292, 0.569)	(0.807, 0.100)	(0.171, 0.729)	(0.868, 0.050)	(0.431, 0.500)	(0.637, 0.300)	(0.464, 0.500)	(0.533, 0.400)
	R5	(0.482, 0.428)	(0.519, 0.333)	(0.171, 0.729)	(0.846, 0.100)	(0.171, 0.729)	(0.884, 0.050)	(0.171, 0.729)	(0.850, 0.050)	(0.171, 0.729)	(0.701, 0.250)	(0.292, 0.569)	(0.760, 0.200)
	R6	(0.440, 0.425)	(0.670, 0.250)	(0.747, 0.153)	(0.300, 0.567)	(0.797, 0.103)	(0.250, 0.600)	(0.220, 0.664)	(0.596, 0.283)	(0.376, 0.466)	(0.596, 0.283)	(0.129, 0.788)	(0.763, 0.200)
	R7	(0.368, 0.536)	(0.601, 0.300)	(0.315, 0.569)	(0.701, 0.250)	(0.726, 0.233)	(0.094, 0.667)	(0.368, 0.536)	(0.700, 0.200)	(0.626, 0.316)	(0.300, 0.567)	(0.740, 0.233)	(0.029, 0.767)
	R8	(0.171, 0.729)	(0.728, 0.250)	(0.171, 0.729)	(0.760, 0.200)	(0.400, 0.500)	(0.601, 0.300)	(0.171, 0.729)	(0.728, 0.250)	(0.171, 0.729)	(0.756, 0.150)	(0.100, 0.829)	(0.827, 0.100)
	R9	(0.250, 0.6)	(0.807, 0.100)	(0.292, 0.569)	(0.700, 0.200)	(0.250, 0.600)	(0.807, 0.100)	(0.146, 0.748)	(0.884, 0.050)	(0.146, 0.748)	(0.807, 0.100)	(0.086, 0.841)	(0.868, 0.050)
	R10	(0.797, 0.103)	(0.094, 0.667)	(0.747, 0.153)	(0.283, 0.567)	(0.444, 0.457)	(0.569, 0.400)	(0.626, 0.316)	(0.359, 0.533)	(0.412, 0.457)	(0.519, 0.333)	(0.797, 0.103)	(0.094, 0.667)
	R11	(0.171, 0.729)	(0.868, 0.05)	(0.100, 0.829)	(0.807, 0.100)	(0.171, 0.729)	(0.701, 0.250)	(0.171, 0.729)	(0.701, 0.250)	(0.100, 0.829)	(0.827, 0.100)	(0.581, 0.316)	(0.353, 0.467)
	R12	(0.668, 0.276)	(0.118, 0.633)	(0.397, 0.536)	(0.420, 0.433)	(0.397, 0.536)	(0.637, 0.300)	(0.108, 0.829)	(0.735, 0.200)	(0.184, 0.729)	(0.637, 0.300)	(0.108, 0.829)	(0.763, 0.200)
	R13	(0.464, 0.500)	(0.601, 0.300)	(0.559, 0.415)	(0.533, 0.400)	(0.519, 0.415)	(0.387, 0.533)	(0.108, 0.829)	(0.760, 0.200)	(0.431, 0.500)	(0.498, 0.400)	(0.397, 0.536)	(0.756, 0.150)

shows the co-decision matrix. Then, the risk priority numbers of each risk under each process were obtained using the multiplication operator defined in Equation (3).

Finally, each process’s CI and SI values are calculated utilizing Equations (8) and (9), respectively. In using the multiplication operator defined in the DFS in Equation (2), the three basic parameters of FMEA, the Severity, Occurrence, and Detectability values, are multiplied, and the risks are ordered according to their magnitude.

Table 5. CI and SI values for RPN.

	RPN
	P1				P2				P3
	ow	pw	CI	SI	ow	pw	CI	SI	ow	pw	CI	SI
R1	(0.007, 0.977)	(0.427, 0.470)	0.487	0.278	(0.018, 0.957)	(0.291, 0.553)	0.386	0.265	(0.131, 0.778)	(0.025, 0.815)	0.269	0.254
R2	(0.028, 0.928)	(0.353, 0.498)	0.463	0.283	(0.020, 0.947)	(0.331, 0.591)	0.403	0.275	(0.035, 0.922)	(0.349, 0.556)	0.448	0.289
R3	(0.191, 0.667)	(0.156, 0.744)	0.454	0.364	(0.129, 0.761)	(0.028, 0.809)	0.280	0.259	(0.066, 0.858)	(0.307, 0.591)	0.454	0.305
R4	(0.056, 0.891)	(0.275, 0.604)	0.409	0.290	(0.019, 0.941)	(0.363, 0.537)	0.446	0.281	(0.014, 0.960)	(0.464, 0.382)	0.549	0.272
R5	(0.157, 0.771)	(0.231, 0.657)	0.471	0.354	(0.081, 0.849)	(0125, 0.693)	0.316	0.263	(0.036, 0.910)	(0.260, 0.615)	0.377	0.272
R6	(0.020, 0.938)	(0.476, 0.410)	0.564	0.280	(0.022, 0.938)	(0.254, 0.637)	0.345	0.257	(0.017, 0.943)	(0.228, 0.625)	0.328	0.247
R7	(0.174, 0.715)	(0.092, 0.742)	0.387	0.331	(0.090, 0.805)	(0.034, 0.826)	0.236	0.221	(0.124, 0.778)	(0.058, 0.796)	0.293	0.266
R8	(0.004, 0.985)	(0.387, 0.591)	0.407	0.270	(0.015, 0.953)	(0.159, 0.602)	0.281	0.220	(0.048, 0.914)	(0.288, 0.625)	0.402	0.286
R9	(0.008, 0.971)	(0.507, 0.357)	0.578	0.266	(0.025, 0.926)	(0.157, 0.602)	0.298	0.231	(0.033, 0.892)	(0.415, 0.419)	0.548	0.283
R10	(0.115, 0.772)	(0.047, 0.824)	0.273	0.252	(0.089, 0.816)	(0.190, 0.725)	0.362	0.290	(0.043, 0.903)	(0.028, 0.808)	0.170	0.163
R11	(0.024, 0.936)	(0.486, 0.372)	0.585	0.275	(0.005, 0.984)	(0.459, 0.441)	0.512	0.276	(0.091, 0.824)	(0.083, 0.771)	0.279	0.248
R12	(0.209, 0.950)	(0.090, 0.755)	0.262	0.266	(0.019, 0.957)	(0.301, 0.591)	0.380	0.267	(0.094, 0.833)	(0.126, 0.737)	0.315	0.269
R13	(0.014, 0.963)	(0.363, 0.604)	0.404	0.273	(0.007, 0.977)	(0.452, 0.454)	0.508	0.278	(0.038, 0.923)	(0.147, 0.718)	0.263	0.224
	P4				P5				P6
	ow	pw	CI	SI	ow	pw	CI	SI	ow	pw	CI	SI
R1	(0.004, 0.985)	(0.441, 0.452)	0.496	0.276	(0.006, 0.978)	(0.513, 0.410)	0.56	0.274	(0.065, 0.868)	(0.034, 0.828)	0.194	0.186
R2	(0.005, 0.977)	(0.543, 0.350)	0.601	0.263	(0.005, 0.977)	(0.456, 0.417)	0.522	0.274	(0.290, 0.537)	(0.024, 0.825)	0.451	0.408
R3	(0.017, 0.950)	(0.343, 0.534)	0.429	0.276	(0.044, 0.893)	(0.321, 0.574)	0.441	0.292	(0.205, 0.667)	(0.168, 0.753)	0.466	0.377
R4	(0.002, 0.991)	(0.532, 0.319)	0.592	0.256	(0.056, 0.891)	(0.291, 0.604)	0.419	0.293	(0.164, 0.756)	(0.183, 0.747)	0.417	0.344
R5	(0.010, 0.967)	(0.414, 0.492)	0.477	0.279	(0.056, 0.868)	(0.085, 0.732)	0.255	0.223	(0.174, 0.672)	(0.157, 0.741)	0.443	0.352
R6	(0.016, 0.942)	(0.432, 0.451)	0.518	0.281	(0.017, 0.942)	(0.407, 0.483)	0.492	0.283	(0.004, 0.984)	(0.417, 0.507)	0.462	0.276
R7	(0.010, 0.969)	(0.293, 0.500)	0.392	0.258	(0.309, 0.620)	(0.043, 0.919)	0.404	0.405	(0.409, 0.502)	(0.027, 0.833)	0.535	0.510
R8	(0.023, 0.934)	(0.084, 0.740)	0.204	0.182	(0.010, 0.966)	(0.251, 0.606)	0.334	0.247	(0.004, 0.984)	(0.566, 0.350)	0.612	0.263
R9	(0.003, 0.984)	(0.657, 0.178)	0.712	0.201	(0.002, 0.990)	(0.580, 0.321)	0.626	0.255	(0.004, 0.983)	(0.520, 0.413)	0.561	0.274
R10	(0.194, 0.703)	(0.086, 0.784)	0.385	0.342	(0.075, 0.840)	(0.259, 0.667)	0.409	0.300	(0.474, 0.318)	(0.044, 0.841)	0.635	0.561
R11	(0.006, 0.977)	(0.464, 0.478)	0.506	0.28	(0.053, 0.889)	(0.053, 0.807)	0.197	0.186	(0.315, 0.556)	(0.021, 0.860)	0.446	0.424
R12	(0.010, 0.973)	(0.415, 0.495)	0.473	0.279	(0.007, 0.977)	(0.314, 0.597)	0.369	0.26	(0.021, 0.948)	(0.065, 0.741)	0.183	0.167
R13	(0.001, 0.996)	(0.604, 0.293)	0.647	0.246	(0.016, 0.957)	(0.358, 0.557)	0.426	0.277	(0.051, 0.893)	(0.032, 0.731)	0.205	0.187

presents the risk priority numbers in fuzzy triangular numbers for each risk under each process.

6. Discussions

6.1. Discussion on Numerical Results

Figure 2 depicts the ranking results of potential risks in six processes. The ranking of potential risks in each process is as follows:

P1: 

$R3>R5>R7>R4>R2>R6>R1>R11>R13>R8>R9=R12>R10$

P2: 

$R10>R4>R13>R11>R2>R12>R1>R5>R3>R6>R9>R7>R8$

P3: 

$R3>R2>R8>R9>R4=R5>R12>R7>R1>R11>R6>R13>R10$

P4: 

$R10>R6>R11>R5=R12>R1=R3>R2>R7>R4>R13>R9>R8$

P5: 

$R7>R10>R4>R3>R6>R13>R1=R2>R12>R9>R8>R5>R11$

P6: 

$R10>R7>R11>R2>R3>R5>R4>R6>R9>R8>R13>R1>R12$

The validation for the risk analysis results given above, was achieved through a rigorous expert review process, involving subject matter experts who evaluated the identification of risks, prioritization methodology, and proposed mitigation strategies, ensuring the accuracy and relevance of our findings. The effect of risks differed depending on the activity carried out in the process. However, in general, R3 was the most important risk in both P1 and P2, while R10 was the least significant risk. The standardization of automation work is one of the most significant factors in P1 and P3 because process steps interact with different web applications. Therefore, forms used to collect scholarship payment applications and course details should be standardized to ensure continuous improvement through lessons learned and avoid repeated costly mistakes. Sustainability risks result in the lack of maintenance and support for the RPA system. It is the least critical risk for P1 and P3 because the interacted web application forms are stable, which means they do not require any changes in the digital robot’s working way.

On the other hand, in P2, P4, and P6, R10 stands out as the most important risk because the processes of course addition, personalized document preparation, and accident insurance payments may require additional support and maintenance. For example, the university uses third-party software to create complicated forms that are uploaded to the ministry system. The smart campus and digital transformation coordinatorship plan to facilitate the process. So, the digital robot working for this process needs some maintenance over time.

In P5, R7 is the most important risk since the process of reporting applications to the ethics committee preparation and archiving decisions includes personal data. If the data are not adequately secured, unauthorized people can access and use them. Moreover, suitable data governance and management can avoid errors and inaccuracies in data processing.

If the risks are ranked for all processes using the Borda count method, the general ranking is in

Table 6. Ranking risk based on the Borda count method.

	P1		P2		P3		P4		P5		P6		Total Points	Ratio %
Risk	Rank	Point	Rank	Point	Rank	Point	Rank	Point	Rank	Point	Rank	Point
R1	7	6	7	6	8	5	5	8	7	6	12	1	32	44
R2	5	8	5	8	2	11	6	7	7	6	4	9	49	68
R3	1	12	9	4	1	12	5	8	4	9	5	8	53	74
R4	4	9	2	11	5	8	8	5	3	10	7	6	49	68
R5	2	11	8	5	5	8	4	9	11	2	6	7	42	58
R6	6	7	10	3	10	3	2	11	5	8	8	5	37	51
R7	3	10	12	1	7	6	7	6	1	12	2	11	46	64
R8	10	3	13	0	3	10	11	2	10	3	10	3	21	29
R9	11	2	11	2	4	9	10	3	9	4	9	4	24	33
R10	12	1	1	12	12	1	1	12	2	11	1	12	49	68
R11	8	5	4	9	9	4	3	10	12	1	3	10	39	54
R12	11	2	6	7	6	7	4	9	8	5	13	0	30	42
R13	9	4	3	10	11	2	9	4	6	7	11	2	29	40

. According to the overall ranking, including all processes, the overall rank is $R3>R2=R4=R10>R7>R5>R11>R6>R1>R12>R13>R9>R8$. R3 is the most important risk for all processes, while R8 is the least significant risk. In addition, R10, R2, and R4 come after R3. To effectively manage risks, risk reduction techniques should be used primarily for R3, R10, R4, and R2.

6.2. Discussion on Validity

Risks may occur more frequently and unexpectedly in dynamic environments, referring to constantly changing, uncertain, and unpredictable conditions. First, the DFS-based FMEA method benefits from the experience and knowledge of process experts. It goes beyond a static analysis and helps better understand the risks in dynamic environments. Second, fuzzy logic better models risk uncertainty, which provides a significant advantage for managing uncertainty in dynamic environments. Third, the method can be adapted to different sectors and processes to assess various risks in dynamic environments. However, the use of the DFS-based FMEA method in dynamic environments also faces some limitations: (i) Obtaining and evaluating the opinions of experts can be time-consuming, especially in complex processes. This can be a disadvantage in rapidly changing dynamic environments. (ii) The results may be subjective since experts’ evaluations may be based on personal experience and opinions. (iii) Risks can change constantly in dynamic environments, so FMEA may need to be repeated regularly.

Moreover, while the DFS-based FMEA method presents several advantages, its application in specific case studies, such as those conducted at Izmir Bakircay University, highlights potential challenges in expert evaluations. The six selected processes were implemented in a specific context (Izmir Bakırçay University), and the evaluation of these processes by experts was carried out with a limited set. This situation may increase the subjectivity of the assessments based on the experts’ perspectives. In future studies, including a larger pool of experts and evaluating the processes from different sectors may increase the internal validity.

The generalizability of this study results is limited to the data obtained only in the context of a specific university. Therefore, the validity of the obtained findings for other institutions or sectors may be questioned. In future studies, examining similar processes in different universities or sectors may help ensure the results’ validity in a broader context.

7. Conclusions

If organizations make appropriate provisions against potential risks, unfavorable effects can be prevented, and the advantages of RPA can be utilized at the highest level. It is an issue that needs to be considered, as RPA solutions require regular maintenance to ensure their long-term sustainability. Lack of maintenance and support poses significant risks to the sustainability of RPA solutions. Transparent processes must be established to mitigate these risks, and its performance constantly monitored, including regular updates and software upgrades. Managing the RPA system through a dedicated team will ensure that the system remains effective. Such measures will help ensure the sustainability and long-term success of RPA solutions. Governance management includes critical processes such as identifying, validating, and prioritizing RPA opportunities. Lack of governance management brings risks such as setting wrong priorities, automating inappropriate processes, and creating security vulnerabilities. A well-defined governance model is essential for the success and sustainability of automation projects.

Process failures such as poor process selection, lack of process standardization, and the magnification of unoptimized processes will cause programming errors, and thus erroneous decisions, as well as increased process inefficiencies. To adopt the RPA approach, process standardization and process maturity rules must be high. Considering the human factor, which is directly influential in the sustainability and success of automation, there may be difficulties in its adoption. Fear that robots will replace workers’ jobs hinders automation adoption. RPA, while capable of handling increased workloads, poses a risk of displacing human workers. Although some vendors argue that RPA eliminates redundant work, the truth is that some employees were previously responsible for those tasks. This can cause concern for those affected and affect the public’s perception of the organization’s business practices.

RPA implementers should consider all these potential risks for more successful implementations because RPA is not a cheap technology like other advantageous applications. This paper proposes a novel method, decomposed fuzzy set-based failure mode effect analysis (DFS-FMEA). A DFS is an extension of the intuitionistic fuzzy set that considers both the optimistic and pessimistic perspectives of the decision-makers. As a result, the decision-maker’s indeterminacy is defined by their response to both the positive and negative inquiries on the same issue, and the approach takes this inconsistency into account while assessing them. It differs from other fuzzy extensions. This study integrated the FMEA method with DFSs, and 13 potential risks were identified and evaluated under six automated business processes. The importance degrees of the considered risks differ considerably in processes based on their vulnerabilities. In P1 and P3, for example, the “absence of governance management” risk (R3) appears to be the greatest risk. On the other hand, the sustainability problem risk (R10) is the most critical risk for P2, P4, and P6. Furthermore, in P5, security risk (R7) is the most important risk. When considering the rankings for all processes, R3 is the most significant risk, while “staying out of strategic plans” (R8) is the least significant risk. The absence of governance management (R3) is followed by sustainability (R10), magnification of unoptimized processes (R2), and over-automating (R4). Risk reduction methods should be used largely for R2, R3, R4, and R10 hazards to manage risks effectively.

Finally, this study emphasizes the critical implications of effective governance management in successfully implementing RPA solutions. Our findings suggest that organizations must prioritize establishing transparent processes to mitigate risks associated with RPA, particularly regarding governance management, which encompasses identifying, validating, and prioritizing RPA opportunities. The results indicate that the absence of governance management is the most significant risk, highlighting organizations’ need to adopt a well-defined governance model to ensure sustainable automation practices.

From a managerial perspective, our research underscores the importance of the regular maintenance and monitoring of RPA systems to prevent unfavorable outcomes and maximize the benefits of automation. Organizations should invest in dedicated teams to oversee RPA performance, ensuring continuous updates and adaptations to changing business needs. By doing so, companies can address concerns regarding employee displacement and the fear of job loss, facilitating a smoother transition to automation.

Moreover, our findings contribute to the discourse on employee–robot substitutability by illustrating that while RPA can enhance operational efficiency, it also poses risks of displacing human workers. This dual nature of RPA necessitates implementers to consider the human factor in their strategies, recognizing the potential resistance to automation driven by fears of job redundancy. Addressing these concerns is crucial for fostering an organizational culture that embraces change rather than fears it.

The integration of the decomposed fuzzy set-based failure mode effect analysis (DFS-FMEA) into our risk assessment framework offers a novel methodological approach for identifying and evaluating risks associated with automation. By considering optimistic and pessimistic perspectives, our DFS extension provides a more nuanced understanding of decision making under uncertainty. Identifying 13 potential risks across six automated business processes lays the groundwork for future research to explore targeted risk reduction strategies.

The proposed study’s limitation is that the scope of our analysis was confined to specific automated business processes, which may limit the generalizability of our findings to other contexts. Additionally, relying on expert judgment in identifying and evaluating risks may introduce subjectivity, warranting further validation through empirical research. Future studies could expand the application of the DFS-FMEA framework to a broader range of industries and processes, enhancing our understanding of RPA risks across various settings.

In conclusion, this study not only highlights the importance of governance and risk management in RPA adoption but also contributes to the understanding of employee–robot substitutability. By articulating these implications clearly, we aim to guide both academic inquiry and practical applications in the automation field.