Among the types of strategic risk you should have on your radar are: Competitive risk. Hence, when risks were reported, team members didn't understand, or if they did, they wouldn't know how or whether to act. Existing policies and standards might already apply to many use cases for AI. Marina Kaganovich, Director, U.S. CIB Digital Advisory Compliance, BNP Paribas. AIRS would like to thank the following contributors for their valuable insights and contribution to the AI/ML Risk and Governance white paper (in alphabetic order): Akash Verma, Discover. A common approach to risk management enables two things: With normalization and aggregation, one can state the risk at any level in the organization, making it understandable to everyone. Interpretability (presenting the AI system's results in a human-understandable format) and discrimination (unfairly biased outcomes) are crucial concepts that factor into the risks associated with AI/ML systems used for certain use cases. Let's revisit the scenario explained at the beginning of this article, where a project had been running without any proper risk management. Identified risks are analyzed both qualitatively and quantitatively. Training Data Poisoning Estimate Risk. Potential enhancement of existing processes and the creation of new documentation should, as a result, be considered. Security Audit [4] See D. Sculley et al., Machine Learning: The High Interest Credit Card of Technical Debt, SE4ML: Software Engineering for Machine Learning (NIPS 2014 Workshop), available at https://research.google/pubs/pub43146/. Bruno Domingues, Intel. The areas of data-related risks, AI/ML attacks, testing and trust, as well as people risk constitute potential areas of risk, which could be subcategorized as illustrated in Figure 1.
In fact, to the extent that machine learning is more accurate than traditional methods, it may be more likely to identify such a relationship and remove the non-predictive race effect. In most cases, such is the case for a program or portfolio. [15] For a high-level discussion of attacks on AI systems and proposed mitigation tactics, see Sophie Stalla-Bourdillon et al., Warning Signs: Identifying Privacy and Security Risks to Machine Learning Systems, Future of Privacy Forum, September 2019, available at https://fpf.org/wp-content/uploads/2019/09/FPF_WarningSigns_Report.pdf. Risk Appetite denotes the amount, rate, or percentage of risk an individual or an organization requires to bear to move ahead with its plans or objectives. Organizations should perform an internal audit of the processes and procedures used by the risk assessment and compliance teams. The use of AI/ML deployment may involve third party applications and/or data, as discussed in Section 2, which could enable scalability, increased compute power and access to vendors that are part of the larger fintech ecosystem. The concept of risk governance includes both the institutional structure and the policy process that guide and restrain the collective activities of a group, society, or international community to regulate, reduce, or control risk problems (Renn and Klinke 2014; Klinke and Renn 2018). Contemporary handling of collectively relevant risk problems has been shifted away from traditional state . AI solutions are already being used by some firms in areas like fraud detection, capital optimization, and portfolio management. Another process might also evaluate the inputs and the outputs of the AI system, as well as the AI system itself. Some were taken, but most were ignored or overlooked because of other projects and a lack of understanding of risk management at an organizational level. Data drift, on the other hand, helps enterprises understand the change in data characteristics at runtime.
Members of the AIRS group have seen firsthand the positive impact these principles could have, and actively encourage their further development, including as appropriate in conjunction with any data governance efforts regarding ethical use of data. Project governance is a crucial component of every project since the responsibilities that come with it are interconnected with different business cases, as well as the project's overall success. Organizational governance is a structured way to provide governance at the organizational level. Even though data quality requirements are not specific to AI/ML, data quality has a significant impact on AI systems, which learn using data and provide output based on that learning. Importantly, this is not a problem that is unique to AI. After all, it means better access to reports, analytics and evidence which help shape strategic decisions. Some examples include: Billable to non-billable hours. Risk governance is all about coming up with an organizational structure to address a precise road map of defining, implementing, and authoritative risk management. Internal Audit forms the third line of defense, and provides assurance on the effectiveness of governance, risk management, and internal controls. These threats could be financial pitfalls, legal consequences, cybersecurity threats, commercial liabilities, management errors and even natural disasters and other accidents. Ultimately, the use of an AI system which may cause potentially unfair biased outcomes may lead to regulatory non-compliance issues, potential lawsuits and reputational risk. On the contrary, IT Governance is about IT decisions that have an impact on business value. General Data Privacy Regulation (GDPR), among others. [6] See, for example, SR 11-7 Guidance on Model Risk Management SR 11-7, April 2011, available at https://www.federalreserve.gov/supervisionreg/srletters/sr1107.htm.
See, for example, Transforming Paradigms: A Global AI in Financial Services Survey, World Economic Forum, January 2020, available at http://www3.weforum.org/docs/WEF_AI_in_Financial_Services_Survey.pdf. Deloitte's risk committee charter template is based on best practice in risk management and risk governance. Ensure your company is meeting rules and regulations around compliance, so you can reduce risk and eliminate liability. It's important to note that the applicability and relevance of risks illustrated in Figure 1 are dependent on an individual organization's risk profile, appetite, and existing controls, and it is up to each firm to determine whether their existing controls are sufficient. [5] The responses to the questions do not reflect future plans of the institutions. It's likely that each established area of the organization will have its own way of performing risk assessments or compliance monitoring. Risk Event Action Plan. Most people think of risk as pure risk, as a possibility of loss. Detecting accuracy drift may be helpful to enterprise applications in that it may identify a decrease in model accuracy before the change results in a significant impact to the business. Risk governance, at the chosen layer, guides on risk response strategies and the risk response actions associated with those strategies. This fact makes interpretability of high-impact AI/ML decisions a significant imperative and a source of potential risk. Hence, modifying our previous figure with respect to layers of risk management, we can consolidate and present it as the figure below. Risk management processes typically rely on internal audits and risk assessments to identify critical gaps and areas of significant uncertainty. Is the board of sufficient size and composed of people with an appropriate Fair AI, nevertheless, may require a human-centric approach.
Corporate governance elaborates the division of responsibility within the organisation for risk management, and determines the means with which, at . These methods have been shown to have limited success in complex AI/ML systems. And if you are interviewing for a risk management role, use these question prompts as a way to get ready for your meeting with the hiring manager! Designs and implements the actions and remedies required to avoid, reduce (prevent, adapt, mitigate), transfer or retain the risks. Organizations should perform risk assessments when considering wider business aims and objectives. Perform IT SOX control assessments for Section 302 and 404 reporting. Governance around these dynamically calibrating processes typically requires additional safety protocols, including, for example, more robust and continuous monitoring, pre-defined performance thresholds, and kill-switches that could remove the system from deployment entirely, if necessary, depending on the use case. Such interpretability could help mitigate the risks from incorrect AI/ML system decisions, enable security audits of AI/ML systems, and align with regulatory compliance efforts. Project charter example. It can be both normative and positive, because it analyses and formulates risk management strategies to avoid and/or reduce the human and economic costs caused by disasters. This act exemplifies governance in the truest form. Under his guidance, over 2,000 professionals have successfully cracked PMP, ACP, RMP, and CAPM examinations; in fact, there are over 100 documented success stories written by these professionals.
Data poisoning is the contamination of data used to train the AI/ML system, negatively affecting its learning process or output. This paper discusses risk management maturity levels and starting a specialized function in your organization. While there is no one-size-fits-all approach, practices institutions might consider adopting to mitigate AI risk include oversight and monitoring, enhancing explainability and interpretability, as well as exploring the use of evolving risk-mitigating techniques like differential privacy and watermarking, among others. All these factors are counted and calculated into corporate governance. Examples of Risk Appetite Statements: USAID has a thorough risk statement that is worth reading as a primer for what an extensive appetite statement can encompass. Strengthening and rationalizing these processes can help improve business performance and enhance decision-making within corporate governance boards. GRC's set of practices and processes provides a . Project management standards such as the PMBOK Guide, Sixth Edition state that contingency reserves, which are established to offset the cost or schedule impacts of realized identified risks, are considered part of the project budget and cost baseline. This article tackles the importance and significance of an IT Project Governance Framework and its impact on the projects in the organization. This can be through efficiency savings by sharing resources across teams and departments, or through the refining of processes. TD's risk governance structure emphasizes and balances strong central oversight and control of risk with clear accountability for, and ownership of, risk within each business unit. In addition to their assigned responsibilities, the Data Science team could manage AI system inventory and version control.
Monitoring could account for the data received by the model in production and estimate the accuracy of the model, which is one of the ways to provide insight into the accuracy drift of the model. In a practical sense, the two primary aspects of AI/ML interpretability are directly interpretable system mechanisms and post-hoc explanations (explainability) of system mechanisms and predictions. Yogesh Mudgal, AIRS Founder/Curator; Operational Risk Management, Citi. GRC can help you align performance activities to business goals, manage enterprise risk and meet compliance regulations. We cherry-picked 10 of our favorite inspirational examples of teamwork as it applies to a variety of circumstances. The views expressed in this paper are meant to assist individuals and organizations facing risks and governance challenges presented by AI/ML. Depending on the control library of an institution, this may require participation from multiple control owners and requires a structured approach and thorough planning. and lifecycle of the organisation - for example, a small organisation will be unlikely to have an internal audit function. Various research papers, articles, and discussions have covered the topics of risks associated with AI. Governance is hardly the most sexy of project management disciplines. [13] Whether these methods are suitable for use in a particular case depends on the legal environment in which the system is used and the system's usage itself. The simple act of identifying and discussing risks goes a long way towards reducing problems in your project. Depending on specific implementations, organizations may test explanatory techniques in human evaluation studies or, for accuracy and stability, on simulated data, to potentially reduce risks associated with explainability. Governance typically involves the organization's key decision-makers, such as its board members or high-level executives.
Breaking compliance could result in devastating financial, legal and reputational consequences. The main aim of a GRC program is to drive improvements to risk assessment and compliance monitoring. Engage with 2nd and 3rd Lines of Defense, including the external auditor and regulators. Training data could be assessed for data quality as well as for potential biases the data set may contain. Business experts, for example, are oftentimes on hand to override erroneous results. These insights are based on our collective experience, and the suggestions we outline are, as a result, not meant to be comprehensive or prescriptive. Risk governance doesn't only include risk analysis. Good governance is a cornerstone of project success, so poor governance inevitably leads to project failure. Each statute defines types of protected classes, such as gender, race, or ethnicity, that a lender cannot legally disfavor. [9] See, for example, XGBoost, h2o's GBM or Microsoft's InterpretML toolkit, available at https://xgboost.readthedocs.io/en/latest/tutorials/monotonic.html, https://github.com/h2oai/h2o-3/blob/master/h2o-py/demos/H2O_tutorial_gbm_monotonicity.ipynb and https://interpret.ml/ respectively. The following are just a few examples of what some firms may find useful as they think about managing risks related to their own adoption of AI systems. For example, from the 2018 statement: "We have a MEDIUM risk appetite with regard to: Implementing long-term strategic focus in our country programs." How often will you perform risk management activities? In this, the algorithms attempt to find alternative systems where, for any given level of discrimination, no system can be found with a higher level of quality. How the 25-year-old team captain Mike Eruzione got his team to bring home the gold and beat the odds-on favorites, the seasoned Soviet team, is a most inspirational teamwork example.
Finally, there are likely to be AI advancements in compliance and risk mitigation by banks. AIRS would like to thank our authors for their key role in the creation and development of the AI/ML Risk and Governance white paper. Furthermore, as both the potential risks and regulations related to AI are evolving, the second and third lines of defense should, likewise, ensure they have adequate subject matter expertise to effectively challenge the first line in evaluating the proposed use and implementation of the AI systems, as outlined earlier in Section 2. This chapter aims to unravel this new concept by exploring its genesis and analytical scope. Governance, risk, and compliance (GRC) is the collective set of procedures that help organizations maintain their integrity and address uncertainty with respect to their business objectives. One of the most historic examples of teamwork is the Apollo 11 1969 mission. Conversely, for any given level of quality, no system can be found that decreases discrimination. That is, the variable may act as a proxy for the neighborhood, which in turn acts as a proxy for race. Corporate governance is the system of rules, practices and processes by which a company is directed and controlled. Research clearly shows that the root causes of most software projects' cost and schedule overruns and technical shortfalls come from poor risk management. Moreover, it touches on the transparency and establishment of channels of communication within which an organization, stakeholders, and regulators engage. Plus, improved risk management processes mean those strategic decisions are well-informed in the first place. For example, risk governance depends on relevant, timely risk data so exposures can be monitored and controlled.
The risk of poor data quality is not unique to AI, but for AI/ML systems, poor data quality could not only limit the learning capability of the system, but could also potentially negatively impact how it makes inferences and decisions in the future. The success of scaling up RPA business lies in proper governance that may organize proper guidance, processes, and mechanisms to manage and control the RPA activities to realize the . As we have seen earlier, there can be bi-directional movement of risks in an organization.