When ChatGPT entered the market early this year, it brought Artificial Intelligence (AI) into the mainstream and changed the way the world worked. From software engineering to education, law, and finance, there are very few sectors that have not been impacted by ChatGPT. In addition to my role at MetricStream, I also teach at a university, and I have seen firsthand how ChatGPT is changing the way we teach and evaluate. I have had to remove several of my open-book questions since the answers were now available on ChatGPT! As concerns about such new technologies continue to mount, enterprises, regulators, and governments need to focus on simultaneously managing the risks posed by these technologies and accelerating the opportunities they present.
I moderated an interesting discussion on how AI, automation, and emerging technologies are impacting risks and opportunities at the 2023 GRC Summit in Miami with eminent industry experts Brian Fricke, Managing SVP, CISO, City National Bank of Florida, and Alex Gacheche, Global Head of Information Security, Technology Infrastructure and Emerging Technology Audit, Meta.
Here are the key areas discussed during the session.
ChatGPT’s impact on the world cannot be underestimated. But it is important to remember that despite the hype, it is a tool in the toolbox, designed to make work easier. There will be other, better AI-powered platforms in the future, each of which will impact the way we work in its own way. But none of these platforms can replace human jobs – people will be replaced by other people who can use the platforms better, and subject matter expertise will remain vitally important. A foundational understanding of the technology, creative problem solving, and the agility to be able to adapt the results thrown up by an AI platform will be increasingly valuable in the years to come.
When it is considered a tool in a toolbox, it is easier for organizations as well—to shape policy, define acceptable risks, and establish technology controls. Organizations also need to develop robust efficiencies across the three lines of defense to maintain a comprehensive risk posture in the era of AI. Once the front line is empowered to leverage and use AI platforms effectively, the second and third lines will need to adapt quickly as well.
There is, of course, no denying that the rapid emergence of AI-powered platforms poses some immediate and long-term risks:
Of course, there is no denying that AI offers a number of opportunities for enhancing productivity, improving key processes and driving responsible business growth. AI-powered platforms can help improve threat analyses significantly by analyzing large volumes of threats against existing mitigation capabilities quickly and accurately. AI can also help bridge skilled manpower shortages. For example, the cybersecurity field is projected to have a 50% shortage of talent by 2025. AI platforms can help companies manage and even improve their cyber security practices even in the absence of resources.
Understandably, organizations, regulators, and even governments need to understand and work towards addressing some of the concerns around AI tools and platforms.
At the end of the day, it is important to remember that AI is a technology much like all transformative technologies that came before it. The world has contended with a number of disruptive technology trends over the last couple of decades, ranging from cloud to digital banking and crypto currencies. And it has collectively regulated, secured, and governed each of them effectively. As we gear up to contend with AI, we must remember that information and data lie at the foundation of any AI-derived platform and consider ways in which to adapt existing data privacy laws such as GDPR and CCPA to include AI risks.
AI is here to stay and will continue to evolve and shape the nature of business, work, and even life as we know it. Like any new technology, it presents a range of risks, and enterprises may be tempted to ban the use of AI altogether. But a transformative and accessible technology cannot and should not be banned in its entirety. Attempting to do so would not only hold the enterprise back from truly exploring its potential but also result in unauthorized and unregulated usage. It would be far more effective to focus on building an AI-aware risk culture by training employees on responsible use of AI. Active discussions at the board level and even the establishment of a risk committee to monitor AI risk are a good idea. By integrating AI into the risk register, organizations can prepare to build policies for it. And most importantly, they must engage with younger generations studying and preparing for careers in a world that is already transformed by AI. Their fresh perspectives, unique approaches, and understanding can help drive better policies for what is undoubtedly going to be a new era of Artificial Intelligence-driven development and growth.
AiSPIRE, an industry-first, state-of-the-art cloud-based product offering from MetricStream, can empower your organization’s GRC functions with proactive intelligence backed by powerful AI algorithms.
By leveraging large language models, GRC ontology-based knowledge graphs, and generative AI capabilities, AiSPIRE has the power to utilize the full potential of an organization’s existing GRC and transactional data. Unlike other GRC tools that rely on manually defined rules and workflows, AiSPIRE effectively utilizes your organization’s data to train advanced machine learning models and AI.
AiSPIRE can empower your organization to:
As organizations look to harness the power of next-generation technologies and thrive in the era of the Fourth Industrial Revolution, the focus on data is now more critical than ever. It wouldn’t be wrong to say that it is data that runs the modern enterprise in today’s digitized world.
It’s often said that data is the new oil. However, data in itself cannot drive business value—it is only when it is transformed into actionable intelligence that it can enable effective decision-making.
That said, many organizations today lack common taxonomies and structured processes, resulting in unstructured data which is difficult to analyze. This is a major challenge for risk, audit, compliance, and IT & cyber teams as they end up spending most of their time going through this data rather than analyzing it for making strategic business decisions.
Streamlining the processes and workflow and automating them with the right set of tools and technologies is an absolute must for unlocking the true potential of data. By leveraging artificial intelligence (AI), organizations can quickly get insights, identify patterns, avoid duplicate effort, apply the right actions, and better focus on decision-making that helps the business.
Organizations today operate in a complex and unsettled business environment with amplified digital interconnectedness of people, processes, systems, and organizations, a rapidly evolving risk and regulatory landscape, geopolitical uncertainty, and more. Furthermore, recent risk events, such as the pandemic, have underscored the importance of a future-ready GRC framework, as organizations had an extremely short window of time to act.
Here, AI can be a gamechanger. It can empower organizations to break free from the clutches of siloed operations and facilitate integration and harmonization. Most importantly, it can drastically improve the speed at which risk, audit, compliance, and IT & cyber teams can locate relevant data and information, thereby expediting quick and fact-based decision-making.
AI is an integral component of the MetricStream Platform, deployed and operationalized using cloud-first practices, and can be used to build any model or automate any GRC use case. MetricStream currently offers pre-built AI-powered recommendations to transform and automate GRC processes. It automatically provides key recommendations to users based on the historical patterns, so that organizations can further improve user experience and drive intelligent business decisions.
Here are some of the areas where we are bringing AI capabilities:
Issue & Action Management: MetricStream uses the core strength of AI by leveraging semantic analytics with natural language processing that can be used to identify patterns in issues and actions that can originate from any program – be it enterprise and operational risk, compliance, audit, third-party, or IT & cybersecurity. MetricStream’s AI-powered issue and action management provides recommendations to categorize issues based on their semantic similarity and automatically recommends duplicate issues and best possible action plans based on historical trends and business context.
Smart Policy Search: MetricStream’s AI-powered smart policy search simplifies the task of searching for policies using a natural language processing (NLP) based semantic search. It improves search accuracy by understanding the searcher’s intent through contextual meaning.
Observations Triage: As organizations are increasingly enabling the frontline to capture observations, they will have to manage a large number of observations. With such a high volume of observations being reported, the triage process becomes tedious. MetricStream AI-powered recommendation automatically provides recommendations to classify observations as a case, incident, issue, or loss event. This enhances the efficiency of the triage team.
Risk Scoring of Third Parties: As part of risk assessments, third parties must periodically submit detailed SOC2 and SOC3 reports as evidence of robust compliance and controls in their infrastructure and security. MetricStream AI-powered recommendations for third-party risk can automatically extract content from SOC2 and SOC3 reports, compute, and risk rank the third parties based on the number and type of anomalies in the report.
At the beginning of November, I attended the Chartered Institute of Internal Auditors event in London, where MetricStream was exhibiting. I had the opportunity to network with the delegates and attend the keynote session. This was my takeaway.
Listening to the main presentation, set on a stage in a room full of financial professionals, was anything but jaded. The presenter had the room in tears of laughter as he compared some people in the industry to cliff divers: the adrenaline rush as you look down and see the water below looking incredibly far away can make you run a mile. In a similar setting, the telltale signs of so many companies that got their accounts wrong and had to declare bankruptcy were a revelation, but no laughing matter.
You can say that hindsight is a wonderful thing, but a closer look at these failed companies’ balance sheets and annual reports would make the hairs on the back of your neck stand up. With falling share prices, falling short of analysts’ expectations, or a sudden change of management, there are several ways you can disappoint shareholders. However, when you add creative accounting to the mix, then it is a poisoned chalice.
But who stands to be framed when companies are in serious trouble with deceiving accounts? Is it the management team or the auditors? Is it the investors or the bankers? Or should the blame be shared between them all?
Let’s compare this to an iceberg: only 10% of it is above the water, the rest of it is submerged under the sea, and this is very much like the accounts of a firm. On the surface everything looks fine, but if you dig a bit deeper you will unearth several surprises that are not what they seem.
The audit profession is subject to strict oversight, and ultimately CEOs and directors of companies will take full responsibility. This is where the buck stops. Audit teams need to become more agile, and they need to consider several factors, especially when considering internal controls, including third-party risk, cyber security, data governance, and data compliance.
Auditors who use the latest technology within their own teams are well equipped to understand the associated risks with security issues and system failures.
When dealing with a company’s financial records, auditors need to be aware of other indicators that may cause a company to nosedive:
Having an audit program that is aligned to organizational goals and prepared for multi-dimensional risks while preserving the trust of every stakeholder will shape your audit universe.
Companies need to create agility and collaborate across teams to optimize audit productivity and allocate resources based on the highest risk impact.
There is a lot to be said about the right technology and choosing the right provider, which includes:
The secret is to leverage a centralized risk framework, as audit planning is central.
With the right data, wrapped in a dashboard, you can generate draft or even final audit reports with review and approval workflows. You can gain real-time access to audit data with status reports. With risk assessments, you can document, manage, and assess risk across the organization.
The right audit platform accelerates audit cycles, helps improve audit strategies, reduces audit costs, and enhances auditor productivity.
And of course, you can provide external auditors and regulators with access to audit data for pre-defined time periods.
At MetricStream, our audit team community has transformed their departments by embracing the latest technology. They are truly the Instagram of Risk.
That reminds me, until the next time we meet, stay away from cliff diving.
This blog is the second in the Instagram of Risk blog series. Read the first blog where Suneel summarizes the key takeaways from the in-person events of the Oct 21 GRC Summit held in London, Copenhagen, and Zurich.
Talk about roundtrips… In the same week as a very successful 2021 GRC virtual summit on the 19th and 20th of October, where MetricStream had over 2500 customers, prospects, and partners registered to learn, participate, and share their experiences around GRC, IRM, and everything in between, we decided to host three physical summits based in London, Copenhagen, and Zurich to continue the conversations with our community.
All three locations had a boardroom-style setting dedicated to a round table discussion. The aim was simple: we would listen to what our community had on their minds. It was an opportunity to find common synergies, lead round table discussions, and network with senior risk professionals who are paving the way in this industry.
With representation from risk, compliance, audit and IT Cyber, the discussions were captivating, and the commentary was electric.
The first of the events started off in London, and we had a great mix of customers, partners, and prospects around the table.
Our CEO, Bruce Dahlgren, introduced the session, and it was an engaging group that shared their thoughts and concerns around the current themes and trends.
Alongside the presentations, our partners gave a short speech on the success of collaborating with MetricStream to provide business benefits for our risk community. What followed was an insightful roundtable discussion that covered risk quantification, cyber security, and the need for organizations to lead with purpose.
It did not take long for ESG to make an appearance and quite rightly so, with COP26 on the agenda and the link to compliance, organizations that have a purpose and are aligning to social governance, diversity, and climate change are setting a precedent. MetricStream recently launched the ESGRC product, which enables organizations to define and manage ESG standards, frameworks, and disclosure requirements. There was a lot of excitement on this in the room.
Emerging risks and third-party risks were explored in detail. With recent supply chain disruptions, it became even more apparent how peripheral risks had to be managed.
Dinner followed, and the conversations (like the wine) continued flowing. It was delightful to see customers connecting with customers. It was evident that they all thrive in this environment and that it was clearly something they had sorely missed over the last 20 months.
We settled in for another topical roundtable discussion, where the thoughts and real-life examples of how technology is an enabler in the GRC space were deliberated. In some instances, the dialogue went back and forth. One example of this was that the concern organizations face with risk was not always a technology one, but more of a transformational project that the organization needed to resolve. Accompanying this was the remark that there are inconsistencies in risk terminologies across the industries, which fuels part of the problem. It was also surprising (to me) to learn that there were still so many organizations using spreadsheets to manage their risk. This was their default way to identify, monitor, and track risks, even though they knew it was not sustainable, efficient, or scalable.
The need for AI and ML to automate risk attributes was the next topical point. The comment was made that AI techniques recognize patterns and trends to help alleviate the pain, time, and missing information that humans cannot always detect, but how do you know that AI is doing the right thing? This conversation continued into the evening, accompanied by food and drinks.
And finally, concluding the week in Zurich, we had another full house with an engaging group that deliberated on how they can start a community of risk or, as was suggested, the “Instagram of risk”. There were discussions around risk culture, accountability, accurate data, and mindset. Some customers admitted that it was quite possible to get lost in the data and what they require is speed, agility, and most of all simplicity. A comment was made that you could spend all your time managing documents and not the risk. Another referenced that as change management sits in all departments, including HR and legal, it can be a challenge to bring it all together for larger organizations. Crypto also made it into the discussion, with a notable mention that new risks have no historical data to base it on.
Visibility and accountability were front of mind in the discussions, and a common theme that was mentioned was on reporting risks up to the board of directors and the role of the board in risk governance.
MetricStream presented 5 current trends that we are observing in the industry and 5 innovation themes that we are leading the way with (API, AI, Adoption, Agility & Analytics).
By bridging the gap and driving value for the community, MetricStream has a purpose to continue to add value and innovate alongside our community. We want the community to thrive on risk and reap the rewards of being on a GRC journey that, like a good bottle of wine, gets better with age.
Until the next summit.
Organizations are adapting to the expectations of a changing workforce, creating a culture of risk-aware decision making, inclusion, and compliance to succeed in an environment where risk is permeating through all levels of the organization. Also, the volume and velocity of interconnected risks have made the involvement of frontline stakeholders critical to the proactive mitigation of risks.
Organizations have introduced new tools and technologies to help frontline users to capture and report business anomalies and unethical activities including financial improprieties, sexual harassment cases, discriminatory practices, conflicts of interest etc. Intuitive tools such as widgets, browser plugins, chatbots, and simplified web forms enable these users to take a more active role in risk-aware decision making.
With this shift in attitude, the volume of observations being reported by the frontline has increased drastically. Risk and Compliance Managers who are responsible for scrutinizing each of these observations are spending a considerable amount of time triaging and classifying large volumes of observations. In this complex and fast-moving environment, traditional approaches to managing these observations may not be the answer.
MetricStream’s AI Powered Observation Recommendation engine uses historical data available in the system to intelligently identify and classify the observations into areas such as cases, incidents, issues, and loss events. The use of artificial intelligence helps Risk Managers improve the speed and accuracy of triaging these observations. The ability of artificial intelligence and machine learning models to analyze large amounts of observations improves analytical capabilities in risk management and compliance, allowing Risk Managers to identify risks in an effective and timely manner, make more informed decisions, and make operations less risky.
Andreas Diggelmann (CTO and Managing Director for India, MetricStream) recently stated that “AI for MetricStream is deeply contextual – and a means to help us solve a business use case. While it is important to keep the benchmark of innovation high, it also has to balance out with ground realities of every industry, every type of client – and it’s up to us to reach a solution that can benefit both”.
Artificial Intelligence is a game-changer for risk management and is one of the key drivers for transforming any industry. It saves time, boosts revenue, identifies risks and fraud, and adds value to your organization.
Over the last 45 days as Senior Vice President and Managing Director of Asia Pacific Region, I have had the opportunity to talk to 100+ customers, partners, and potential MetricStreamers, and I am excited by what I hear!
This is a growth market where GRC is table stakes! But what our customers and partners are looking for is innovation that helps them thrive on risk, using risk as a competitive differentiator and risk by design as a thought process when they develop their products and services. As the velocity and complexity of risks increase, organizations will need more contextualized insights. They need to make GRC pervasive through automation, AI, and frontline engagement; simplify risk-informed decision-making; and seize opportunities versus simply mitigating risk.
As I build our presence in the region, I am excited by our customer stories: of how our solutions have solved complex challenges to quantify cyber risks and prioritize investments; increased collaboration by breaking down risk, compliance, and audit silos; and enabled the frontline to surface issues in real time and help create a compliant, risk-aware culture across enterprises that empowers our customers to thrive on risk. All of this with the strong foundation of a single integrated risk platform that is layered with advanced analytics and AI.
As a leader in GRC and Integrated Risk Management solutions we must capitalize on today’s greatest changes and identify emerging trends. Environmental, Social and Governance (ESG) is an emerging trend, and we think about it as part of GRC reporting. Innovation is more essential than ever. We need to offer our customers products that solve problems and keep them profitable and ahead of the competition.
As our business scales, our network of partners is critical to delivering an exceptional customer experience anywhere in the world. We are set to increase our pace. I am looking forward to working closely with customers, partners and MetricStreamers to empower our customers to make real time risk-aware decisions that accelerate business performance, strengthen resilience, and enhance their brand reputation.
For all potential MetricStreamers, I promise it will be fun making APAC the fastest-growing region in MetricStream!
The recent MetricStream IT Risk and Compliance Survey Report 2021 reveals a deep divide between IT Cyber Risk Management Strategy and Actual Practice.
Since COVID-19, the pace of digital transformation has accelerated dramatically, increasing our dependence on technology. Almost everything we do today is digital-first. Unfortunately, this has opened doors to new risks that can have wide-ranging consequences on business profitability and reputation. Today, companies need a clear understanding of their exposure, vulnerabilities, and potential losses related to every decision they make, in order to build and implement a concrete risk-based approach to cybersecurity. Decision-makers need faster and better risk visibility—which calls for an advanced, integrated, and automated IT GRC approach.
A couple of months ago, we decided to ask IT risk and cybersecurity practitioners from around the world some pressing questions on the current scenario – How effectively are IT and Cyber risks being managed? How mature are risk assessments and monitoring processes? Who is leading IT and cyber risk programs? And how robust are the tools being used?
As it turns out, the pandemic is likely to trigger a surge in IT and cyber risk investments, with key focus areas including IT security solutions and regulatory compliance, according to the latest insights gleaned from hundreds of companies that participated in our MetricStream IT Risk and Compliance Survey 2021.
The key areas of consensus among those who took part in the research led to the emergence of several broad themes. Here are some of them:
1. Risks are evolving; compliance violations remain top of mind.
To find out what keeps security and risk professionals up at night, MetricStream asked what risks and threats their organization faced in the last two years. “Denial of Service” took the top spot, followed closely by “Compliance violations and regulatory actions.” Taking third was “Spoofing of company social media,” reported AiThority.
2. IT risk programs have executive visibility; the majority are not driven by the CISO.
The survey shows that 70 percent of respondents agree that their senior management and leadership help establish the strategic direction of their IT risk management program. However, only 29 percent of respondents say that their IT risk program rolls up to the Chief Information Security Officer (CISO), reported Continuity Central in their article, ‘Survey looks at IT cyber risk management trends’.
“First, this report can help CISOs and compliance officers really understand how the pandemic transformed IT risk…CISOs have to think about how to keep corporate systems working — in a secure manner, and in compliance with all the usual regulatory requirements — in a much more loosely controlled IT environment. Even a task as simple as tracking all the IT devices accessing your data becomes much more complicated,” notes Radical Compliance, in their article Thoughts on IT Risk Management featuring key findings from the Survey.
3. Most IT risk programs have yet to reach optimal maturity.
When asked about the maturity level of their IT risk programs, 69 percent of respondents stated that they are not quantitatively managing their IT risk program. Furthermore, 31 percent of respondents report having IT risk assessment reviews on a quarterly basis. Only 15 percent stated having monthly reviews, highlighted Yahoo! Finance while featuring the report.
4. The number one tool used for IT risk management – spreadsheets.
Dark Reading, while covering the report, highlights: “When asked what tools are used for IT risk management, the number one response was spreadsheets. More than 45 percent of respondents reported using spreadsheets, even if they had an IT GRC solution in place. Moreover, 54 percent stated not using any IT GRC solution to manage IT risks.”
5. Investments in security and compliance are top risk priorities for 2021.
When asked about future plans, 38 percent of respondents stated that they are planning to increase their spend on IT risk management in 2021. Additionally, respondents ranked their top 2021 priorities to be: 1) investment in IT security solution, 2) compliance with federal and government regulations, and 3) IT security data aggregation and reporting, informed Cision Newswire while highlighting the key findings in the survey.
“Most security and risk professionals know that IT security is like a chain; you are only as strong as the weakest link,” said Gaurav Kapoor, COO, MetricStream. Overall, we can hope that the more organizations prioritize and invest in IT and cyber risk management, the better prepared they will be to deal with both the opportunities and threats of operating in an increasingly digital world.
The European Commission recently unveiled its long-awaited proposal to regulate artificial intelligence (AI). But will the new proposal stifle innovation? Find out more through the GRC Lens – February 2020 edition.
On the 19th of February, the European Commission (EC) President, Ursula von der Leyen, Executive Vice-President, Margrethe Vestager and EU Commissioner for Internal Market, Thierry Breton, held a press conference at the European Commission headquarters in Brussels, unveiling their ideas and actions to regulate AI.
Keen on building “a digital Europe that reflects the best of Europe,” the EC released a white paper on AI that defines an extensive framework under which AI can be developed and deployed across the EU. The paper includes considerations to govern high-risk use of AI like facial recognition used in public spaces, with an overall ambition to shape Europe’s digital future.
The proposal still has a long way to go. For now, the EC plans to gather opinions and reactions from companies, countries, and other interested parties before they begin to draft the laws. And although the AI white paper is open for suggestions until May 19, lobbying has already begun.
Although many AI experts have said that the regulation of AI is necessary, especially due to ethical concerns, there is considerable worry around the consequences of regulation. Europe’s new proposal has already had far-reaching implications on the big tech brands that have invested in AI. After the EC declared a 12-week discussion period, several tech leaders from large organizations have journeyed to Brussels to meet with EU officials.
Their major concern – will tough laws hinder innovation?
AI vendors are worried that if the process of regulation, considered a slow process that can be subject to interference and distortion, is applied to a fast-moving field like AI, it can stifle innovation and divert the technology’s enormous potential benefits.
To illustrate this concern, a recent article in Analytics India Magazine used the example of neural nets to explain how the regulation of AI could possibly hamper innovation. Neural networks work by finding patterns in training data and applying those patterns to new data, enabling researchers to solve problems that they couldn’t earlier.
For instance, CheXnet, an AI algorithm from Stanford, has an incredibly powerful ability to detect pneumonia among older patients through chest X-rays. But for technologies like these to work, they need a certain amount of creative and scientific freedom (within ethical boundaries, of course). If there is a ban on “black box” AI systems that humans can’t interpret, could AI innovation be impacted?
Another area of confusion revolves around the definition of “high-risk” applications of AI. The report seems to be unclear about high-risk applications in low-risk sectors, leaving companies uncertain on how to approach this issue.
There is no doubt that AI has enormous potential to be used for good. But its accelerating adoption across industries comes with multiple ethical concerns.
According to a survey by KPMG, 80% of risk professionals are not confident about the governance in place around AI.
What happens when decisions are made by AI without human oversight? Recent instances have shown that automated decision-making can perpetuate social biases. In addition, deep fakes, surveillance technology, autonomous weapons, and discriminatory HR recruiting tools come with multiple serious risks. The focus of AI regulatory authorities is on developing frameworks to govern AI.
As Anna Felländer, Co-founder of the AI Sustainability Center, said at the GRC Summit in London, “It’s no longer just about what AI can do, but what it should do.” In a similar vein, Andreas Diggelmann, “Office of the CEO,” Interim CEO and CTO at MetricStream, said, “We need technology that serves humanity, not the other way around.”
AI expert Ivana Bartoletti, Technical Director, Deloitte – Cybersecurity and Privacy Division, speaking at the Impact 2020 conference, said: “The reason why we’re talking so much about ethics in AI is over the last few years we have seen the best of technology – but also the worst.”
With its novel approach to AI regulation, the EC wants to promote the development of AI while respecting human fundamental rights and addressing potential risks that come with the technology. The EC wants a digital transformation that works for all, reflecting the best of Europe: open, fair, diverse, democratic, and confident.
The new AI proposal has already begun to receive acceptance in some industries. Ted Kwartler, Vice President, DataRobot, said the vendor welcomes calls for regulatory approaches that don’t stifle innovation. Christopher Padilla, VP, Government and Regulatory Affairs, IBM, was also reported in Protocol as saying, “By focusing on precision regulation — applying different rules for different levels of risk — Europe can ensure its businesses and consumers have trust in technology.”
It appears now that big tech companies that want to tap into Europe’s market will have to play by the rules that come into force. Like the GDPR in 2018, will the new AI proposal inspire similar, tough regulatory action in other parts of the world?
Advancements in technology, especially in artificial intelligence (AI), are transforming GRC, leading to analytics-driven business tools with an emphasis on tackling future risk scenarios. But we still don’t have enough control over AI to give it up. Here are the technological developments in October – through the GRC lens.
The mainstreaming of artificial intelligence is radically transforming how organizations approach digital transformation. AI is set to dominate enterprise agendas by augmenting decisions. Yet, practical concerns persist. According to an article in Forbes, “…while people will increasingly become used to working alongside AIs, designing and deploying our own AI-based systems will remain an expensive proposition for most businesses.”
Interestingly, recent global research by Oracle highlighted how AI is changing the relationship between people and technology at work, stating that “64% of people trust a robot more than their manager.”
The need for AI is also accelerating inside the GRC ecosystem. According to research by Capgemini, 69% of organizations believe they will not be able to respond to security threats without AI.
While we have compelling arguments to prove that AI is a boon for the digital age – is it really fool-proof? An AI-driven world introduces multiple legal implications. Flawed facial recognition, deepfake voice attacks, gender-skewed credit, and biased recruitment tools are just some of the AI-related risks that are emerging.
In the healthcare industry, a recent article published in Harvard Business Review says, “Besides current regulatory ambiguity, another key issue that poses challenges to the adoption of AI applications in the clinical setting is their black-box nature and the resulting trust issues.”
New global research by Futurum Research, sponsored by analytics firm SAS, finds that technology and trust will be the major drivers behind the reimagined customer experience in the next 10 years. This means that for AI to be a successful growth catalyst, it needs to be trusted.
So, the big question is – How do we leverage the capabilities of AI while making sure it does not lead to new discrepancies or aggravate the existing inequalities and biases?
With regard to financial services, an article published in BRINK warned against new risks and regulatory breaches that could be created by AI and machine learning (ML). According to the article, “…for the next three to five years, financial institutions must approach the digitization of risk and compliance with a healthy dose of human supervision, governance and monitoring to ensure that automation is still within the perimeters of auditability and traceability. In short, digitization must not become a new emerging risk in itself.”
Mitigating new risks is imperative in an age of technological innovations where the pace of change is faster than ever. Before deploying AI and ML, businesses need to make sure that these technologies are surrounded by good governance controls to prevent ethical violations and expensive regulatory breaches. Organizations also need to be proactive about identifying new risks, and continually evaluating whether an AI system is operating within acceptable performance levels.
Effective regulation is important. In fact, it is no longer a question of whether regulation is needed in AI, but how best to implement it.
All of these arguments boil down to a single need: GRC for AI.
While businesses explore the possibilities of AI and big data, they must ensure that the development and deployment of algorithms, data, and AI are based on an ethical approach.
The MetricStream GRC Summit 2019 in Baltimore offered some thought-provoking arguments on the governance of AI. Some of the important questions discussed were: How should GRC steer the narrative towards creating a more socially conscious, ethical form of AI? How do we ensure that humans lead AI, not the other way around? How can regulation keep pace with new AI innovations?
According to the WEF: “Some forms of AI are not interpretable even by their creators, posing concerns for financial institutions and regulators who are unsure how to trust solutions they cannot understand or explain…The Forum offers a solution: evolve past ‘one-size-fits-all’ governance ideas to specific transparency requirements that consider the AI use case in question.”
In its report, the WEF also proposes frameworks to help financial institutions and regulators explain AI decisions, understand emerging risks from the use of AI, and identify how they might be addressed.
At the GRC Summit 2019, Anna Felländer, Co-founder, AI Sustainability Center, pointed out, “We shouldn’t be asking ‘What can AI do?’ We should be asking ‘What should AI do?’”
“Organizations who want to succeed in an AI world must embed a risk-optimization mindset across the AI lifecycle. They do this by elevating risk from a mere responsive function to a powerful, dynamic and future-facing enabler for building trust,” suggests EY.
Organisations of all sizes are facing growing pressure to improve performance. They’re expected to drive efficiency, sales and profits, while cutting costs and upholding corporate integrity. The challenge is made more complex by the growing plethora of risks that are constantly reshaping the business landscape. For example, there’s the political risk caused by Trump and Brexit, the ever-changing register of regulations, the growing frequency and sophistication of cyberattacks, social media and the opportunity it gives the public to lobby, third-party risk, IT risk and natural disasters – that’s just a few.
These factors have traditionally been managed as separate silos, owned by isolated departments that have little contact with each other, report to different individuals in upper management and simply focus on the risks that fall under their ‘remit’. Yet, as risks become more intertwined, the various processes and documents used to manage them often contradict one another, resulting in further business risk, duplication of work, and spiraling costs.
As such, businesses are increasingly seeing the value of managing everything under one umbrella. Governance, risk and compliance (GRC) provides a single centralised process and empowers organisations to more easily control and manage internal and external factors that may impact the enterprise. With a centralised repository of data, businesses can determine potential issues and new opportunities, and action the relevant changes to make sure that they are not left vulnerable or unable to take advantage. Furthermore, a single point of reference ensures that all employees are aware of the company’s overall GRC stance, enabling them to incorporate it into their everyday roles.
To some, GRC is a completely different approach. Yet, while it may be new to them, the industry and the technology within it have taken great strides forward. Here are a few trends that will become more visible as 2017 progresses:
With GRC covering so much ground, the amount of data being collected by companies is eye-watering. Huge complex sets of structured and unstructured data need to be sieved through and analysed in order to separate the actionable intelligence from the ‘white noise’. Current processes automate risk assessments, but the outcome and any required changes are still left up to the judgement of risk professionals; this isn’t sustainable. The amount of data will only keep growing as the world becomes more connected, and this increases the chances of mistakes being made. GRC is intended to simplify, so the technology and processes need to evolve to be able to cope with expanding data sets and not get bogged down with the deluge.
AI is a fascinating technology that is developing at an incredible pace. The ability for a computer to take in information, analyse it and then make calculated decisions more quickly than a human is of obvious benefit to the enterprise. Businesses are already looking at implementing AI systems to speed up investment decisions – for instance, Fukoku Mutual Life Insurance is adopting AI that can calculate pay-outs – so having systems that analyse and suggest GRC-related changes is not a monumental leap forward.
Systems will be able to automatically collect data from various data streams and channels – for example, regulatory and trade bodies’ feeds, social media, news sites, and customer and competitor websites – analyse it against the company’s existing data sets and operations, and suggest any process or strategic changes. As the technology evolves, and machine learning and predictive algorithms improve, diminishing the potential margin for error, companies will be able to manage the entire GRC function with just a handful of employees; a stark contrast to the current set-up in some multi-national firms which can see hundreds of workers with the sole task of data collection.
The GRC landscape is under a lot of stress due to the large number of unexpected events. Once again, Brexit and Trump are the obvious examples, with very few predicting the outcomes to those historic votes. The domino effect is the uncertainty they have created. For instance, there’s the wildly fluctuating exchange rates between the Dollar, Pound and Euro, and the unknown extent of regulatory change, which will come about following the triggering of Article 50 and Trump’s declaration to de-regulate the US. Businesses are finding it more difficult to plan and are having to allow for wider risk margins.
What is predictable is that there will be far more unpredictable events in the next few years. As such, GRC technology and approaches will evolve to handle pervasive uncertainty and not simply the standard events. Firms will become better equipped to manage unexpected risks, and won’t be left completely vulnerable by rapid changes in the market or to industry trends.
Despite the now frequent headlines regarding companies falling victim to cyberattacks or suffering data breaches, cyber risk is still a relatively new threat. While businesses may have an idea about the potential effects, many are yet to experience one first-hand, or at least not on a high-profile scale. That means there’s still an unfamiliarity around how exactly to manage the risk.
We also find ourselves in an age where hackers are having an influence on national security and political events. There have been more than a few claims that Russian hackers interfered with the US elections; if true, this reveals how relatively easy it is for external parties to sway events that have global repercussions.
While businesses are changing their approach, in many cases, cyber security is still departmentalised and seen as the remit of the IT team. Instead, it needs to be elevated to boardroom level and incorporated into the enterprise’s overall risk structure. This ensures that the risk is considered within all processes, and the truly damaging effects can be mitigated.
Ultimately, as businesses face greater pressure to deliver against a backdrop of evolving risks, more advanced GRC technology and thinking provide a holistic view across the entire enterprise. Companies can rely on a single process and point of reference, ensuring that they are better prepared for the expected and, more importantly, the unexpected.
The original article was published by IT Pro Portal.