Inside Internal Controls

News and discussion on implementing risk management

Contractual considerations in robotic process automation and artificial intelligence outsourcing

Robotic process automation (“RPA”), artificial intelligence and outsourcing can each be a means to the same end for organizations: cost reduction, productivity improvement and efficiency gains. Facing ever-increasing pressure to achieve these ends, organizations have traditionally partnered with business process outsourcers to outsource certain business and IT processes – for example, to an offshore, low-cost location in order to realize cost reduction. More recently, organizations have begun to engage with RPA and AI in order to realize even greater benefits across their value chain.

Contracting for RPA and AI products and services requires a fundamental shift in mindset vis-à-vis a traditional business process outsourcing arrangement. Among other things, it might require different models for pricing (e.g. moving from resource-based to outcome-based models), new ways of thinking about measuring performance, and more bespoke and considered IP arrangements. Five key contractual areas to consider in the shift to an RPA or AI solution are: the management of performance, IP rights, data and privacy issues, risk allocation, and exit strategies.

RPA and AI can be defined as follows:

  • RPA employs software “robots” to automate repetitive tasks and perform rules-based (e.g. “if-then”) processes. Processes that are good candidates for automation are those that have repetitive digital inputs, use structured data and follow logical rules – for example, invoice and payment processing; and
  • AI also employs software “robots”, but these aim to mimic human intelligence by performing hypothesis-based predictive analysis on large and unstructured sets of data, refining their own rules (i.e. self-learning) in order to improve performance. For example, a retail-sector AI system might identify and learn consumer habits by analyzing large volumes of data (e.g. social media trends, facial expression analysis, weather forecasts and historical transactions) to predict outcomes on which sales and inventory decisions can be made.

Performance management. Traditional service level frameworks typically incentivize vendors to avoid minor issues (e.g. minor system downtime). With a shift from traditional resource-based, process-driven solutions to more outcome-based solutions, customers will need to consider new ways in which a vendor’s performance can be measured (e.g. outcome-based service levels). AI-based failures pose particular risks – AI systems tend to work at a demonstrable level of accuracy, and a performance failure is more likely to be catastrophic (i.e. they are unlikely to degrade by small margins). Some of this risk in the RPA context might be addressed prior to launch through well-defined testing, acceptance and proof-of-concept provisions. However, as AI evolves through self-learning, continuous monitoring is important to minimize this risk in the AI space.

IP management. Two key IP issues to consider are:

  • IP in the data and process. For both an RPA and an AI solution, a customer will often collaborate closely with vendors in the creation of a custom “trained” solution using that vendor’s (or a third party’s) technology. This might involve providing valuable business know-how, processes and other proprietary information as inputs. Issues might arise in respect of the IP rights associated with those data inputs, data produced by the solution and, in the case of AI, the “skills” learned by the solution. For example, will the vendor be able to exploit that data or those learnings for its other customers (including your competitors), or to otherwise capitalize on your solution (e.g. by creating a new product with the risk of becoming a competitor themselves)?
  • IP restrictions in existing licences and information. Before implementing an RPA or AI solution that interfaces with existing technology, a customer should understand the rights and restrictions (both contractual and regulatory) that apply to them in relation to that existing technology and any information with which the solution interacts. For example, that existing technology or information may be purpose-limited or the scope of the customer’s licence may not contemplate that RPA or AI interaction.

Data and privacy management. Organizations often encounter unique data and privacy challenges when using an RPA or AI solution – and particularly AI. This is because the effectiveness of an AI solution will often hinge on processing high volumes of data from diverse and untraditional sources. The collection and retention of vast amounts of data poses challenges from regulatory, practical and security-related perspectives, among others. To the extent that your data includes personal information, regulatory regimes often stress the concept of data minimization, place limits on the retention of data, limit the purposes for which data can be used and disclosed, and are beginning to require transparency about the logic involved in AI decision-making. Organizations should constantly revisit their policies and procedures with respect to the collection of personal information to ensure that regulatory hurdles do not limit their ability to benefit from an RPA or AI solution.

Risk management. Innovation in the RPA and AI outsourcing industry has led to a vast number of vendors offering a diverse range of products and services – including a number of smaller vendors. Those vendors generally have less appetite to shoulder contractual risk than some of the more established, traditional players, and may not have satisfactory financial strength or insurance arrangements. If there are risk shortfalls in a proposed arrangement, customers might ask the vendor for a related party guarantee or other performance security, or could seek to procure the solution through a more established vendor who may be willing to shoulder some of that risk. It may also be prudent for customers of such vendors to enter into an escrow agreement to ensure the future availability of the solution.

Exit management. Impending expiry or termination of an RPA or AI outsourcing arrangement poses particular challenges to customers. Customers should ensure that they have sufficient rights (whether ownership or licence-based) to use any machine-learned data produced as a result of the arrangement. In terms of the solution itself, however, migration to a new provider (or in-house) might be impractical or, particularly in the case of AI, impossible. If a solution is particularly large and complex, customers seeking a long-term solution might consider either creating that solution in-house, or contracting to own the solution.

RPA and AI technologies can be a game-changer for your organization from a commercial perspective, but procuring those technologies and managing the new risk landscape requires a fundamental shift in mindset vis-à-vis a traditional outsourcing contract.

By David Crane

McCarthy Tétrault LLP

McCarthy Tétrault is a Canadian law firm that delivers integrated business law, litigation services, tax law, real property law, labour and employment law nationally and globally. McCarthy publishes a series of blogs to share information with companies to help them comply and manage their businesses. On the Inside Internal Controls blog we will share some of those blog posts sharing their expertise among others, in the areas of Competition/Anti-trust, Corporate and Commercial Law, Intellectual Property, Privacy, Environmental Law, Technology and Litigation.