We have a team of three developers and about ten active bots. Management is pushing us to establish a formal Center of Excellence (CoE), but I’m worried about the bureaucratic overhead. At what point does the scale of an RPA initiative actually justify the cost of a formal governance body and dedicated infrastructure?
3 answers
You don't need a "heavy" CoE yet, but you definitely need the foundational pillars. We started with just a "Federated" model where the devs also handled the governance. The risk of not having a CoE is that you'll end up with "Shadow IT"—bots created by different departments that don't follow security standards or naming conventions. By establishing a light CoE now, you can define your "Definition of Done" and security protocols before you hit 50 bots. If you wait until the complexity is unmanageable, it will cost you twice as much to retroactively fix the lack of documentation and standardized error handling.
Do you think a "Lite" CoE should focus more on the technical standards first or on the business case prioritization to ensure high ROI for every bot?
We hit 15 bots before the lack of a CoE became a problem. The main issue was version control and credential management across different environments.
Laura is right. Credential management is usually the breaking point. Moving to a centralized vault like CyberArk within a CoE framework changed everything for our security audits.
Jason, I’d prioritize technical standards first. If your bots are built poorly, no amount of high ROI will save you from the maintenance nightmare. Once you have a standard template for logging and exception handling, then you can build a "Pipeline Committee" to vet business cases. For a team of three, keeping the technical debt low is the best way to ensure you actually have time to work on those high-value business cases later.