Artificial Intelligence (AI) offers enormous opportunities to businesses. Given the correlation between risk and an organization’s objectives, one could easily extrapolate how AI can help bring insight to Governance, Risk, and Compliance (GRC) activities as well.
But, what is AI? As a working definition, AI is the science and engineering of making intelligent machines and computer programs to achieve a goal. It’s about creating a computer mind that can think like a human. It’s about machines taking action.
One of the most important technological advances of our time is artificial intelligence, and, in particular, machine learning, which is the ability for a machine to keep improving its performance without human involvement to accomplish tasks. Systems can now be taught to perform activities on their own.
The transformative effects of AI will be felt across nearly all industries. The impact on core processes and business models will be enormous, placing further strain on management and implementation.
Known Unknowns
There are similar implications for risk management. Probably one of the best cases is fraud detection. Algorithms can be written using various stochastic modeling techniques, coding, and data testing. Of course, for machine learning to be successful, it must have quality data. As a result, there is a premium on structuring risk data in such a way to use it as AI input. Conversely, a challenge implicit in machine learning is substantiating its outcomes. As machines “learn,” their conclusions may not always yield the desired result. This conceivably makes it difficult for a risk manager to explain the machine’s conclusions to executives or a regulator difficult. For example, there may be issues with multicollinearity, lack of data, as well as how the machine deals with outliers, which is common with many risk data, especially if the organization uses external data.
This example applies to a typical risk management anecdote of “driving by looking through the rear-view mirror.” The shear amount of data aids in the confidence (not just the statistical significance of a model) of AI’s output. This is beneficial to many high inherent, intrinsic risks that organizations experience. Malware is an example.
AI can also be used to substantiate conformance. For example, one large financial services company uses AI to help prevent money laundering, thereby assuring AML/BSA compliance.
Unknown Unknowns
An obvious challenge for AI becomes when the data is unknown or unstructured. Executives and boards are looking for what the next potential severe event may be. AI acts a catalyst for some of these topics, such as scanning medical images to help diagnose cancer. However, AI struggles with answering questions like who the new disruptive competitor may be, the next emerging technological advancement in operations, or the implications of regulatory change. Regardless, as AI continues to mature in sophistication, it will likely need human intervention to extrapolate its ultimate affects on the company.
Individuals can use GRC software’s risk and control data to overcome possible limitations of AI. In fact, one tool, scenario analysis, uses risk and control data, such as loss events, capital investments in controls, and business activities (e.g., data feeds from social media) to stress likely risk scenarios on the balance sheet and income statement.
GRC Advances
AI is scratching the surface of how it will influence risk management. Topics, such as big data, will play a significant role in evaluating risk and risk management activities. Other subjects, such as analytics, will drive
Additionally, using AI to improve deteriorating controls helps to maximize the control environment. This lays the opportunity to evaluate the efficacy of control investments. AI may signal the ability to relax the control environment, which can lead to reallocating capital to areas of growth.
Furthermore, AI can create insight into the relationships of risks. The Nasdaq BWise GRC platform offers the ability to report and provide insight into risk topics that may link to one another. For example, data privacy risk has multiple facets – operational, IT, compliance, and people. Utilizing AI can marry the variables across risk types to provide a holistic picture of the risk environment.
Although the GRC space is in its infancy when it comes to AI, it is disrupting the traditional mindset of how risk management is thought of. For instance, machines learn from examples, which requires collaboration across the lines-of-defense. Until we can create a better understanding of how a risk’s exposures morphs through the value chain, we will need to continue to rely on GRC software to set the precedent for decision making. For more information visit www.bwise.com or contact us.
The views and opinions expressed herein are the views and opinions of the author and do not necessarily reflect those of Nasdaq, Inc.