Broadly speaking, AI can be a "net positive" for those of us seeking to improve enterprise risk management. Strictly speaking, however, today's mushrooming claims of "AI assisted risk assessment" are doing little to address the fundamental problem of enterprise risk management, because they do not address the essential problem with most AI, which is to ask "whose voices are missing" from the data sets being used to provide "answers".
Today's AI systems are trained on compliance databases, regulatory text, and audit trails because that is the structured, digitized data that exists, while board-level prioritization and risk appetite conversations are rarely written down anywhere a model could ingest them. Fundamentally, today's AI over-represents governance agencies, compliance officers, and legal advisors, and ignores the impact of risk on the objectives that matter to stakeholders, particularly senior leadership.
There are two key areas where AI cannot today substitute for human judgement without fundamentally changing what AI is (a pattern-matcher on past data, as opposed to an agent embedded in an organization's lived priorities and accountability structures). First, AI is poor at identifying the actual goals and objectives of an organization. Even if AI overcomes that hurdle, it is the role of senior leadership to determine the relative priorities of those goals, and there is no method to capture those prioritisations. This means that AI-driven assessments of risk are merely measuring, more quickly, the same things they have always measured, but are lagging in their ability to measure risk events globally, relative to each other, in a way that drives more effective risk reduction going beyond compliance requirements.
Second, AI has not yet proven itself capable of identifying "future facing risks." Currently, AI can help to speed up the collection of data on past risks and treatments (what I personally call incidents, to distinguish them from new or unexpected risk events). Scenario generation and red-teaming are exactly where a lot of current AI deployment is happening, but at present, and in the near future, humans are still needed to ideate and brainstorm future risks.
And, even if AI advances in its ability to truly generate novel combinations or permutations of risk factors, it is highly questionable whether AI will be able to judge which of those are material, plausible, or worth organizational attention, because that judgment depends on context AI does not have access to (politics, culture, unstated risk appetite, and what leadership actually cares about this quarter).
To sum up, the AI of today and tomorrow has been built upon the ingestion of past data, and is completely silent with respect to prioritization data from boards of directors, management, CFOs, and subject matter experts. The AI of today over-represents the points of view of governance agencies, compliance officers, and legal advisors. Yes, AI has enabled us to identify breaches more quickly, or to implement treatments for said breaches more quickly. But for the most part, all the GRC tools promoting new AI solutions are perpetuating the overreliance on compliance databases and measures of likelihood.
Using a medical analogy, most GRC tools are misdiagnosing their patients, as a doctor would if they diagnosed a cancer patient using stale knowledge from 10 years ago, and they rely on one-size-fits-all treatments instead of customizing treatment for the patient's (or organization's) distinct profile. Using risk tools that focus overly on the statistical likelihoods of past risks and currently identified treatments is malpractice. Today, doctors consider changes in environmental factors, and customise recommendations based on the importance the patient places on quality of life, the availability of experimental options, and gene-based therapies. Risk managers should do no less.
Those of us who want to help organizations reduce their risk, and go beyond merely meeting compliance and legal GRC mandates, must, like physicians, swear to "first, do no harm." Risk assessments that fail to incorporate leadership's priorities are, by definition, mismeasured and based on false confidence. Your risk assessments MUST incorporate feedback from your senior leadership as to how risk events will impact your objectives. And it means that your risk evaluations MUST use measurement tools that give you some way of synthesizing likelihood and impact against past treatments and new treatments that are brainstormed by HUMANS.
Yes, AI will be a terrific help for enterprise risk management. At Face the Risk we ARE using AI, but in a guided fashion. Like MRIs, AI helps us to gain insights on relative risks at the beginning of a risk assessment, to ensure our results are based on today's environment and priorities and are not misled by our historical data or compliance mandates.
Like the Genome Project, AI helps us more quickly customise a risk model that lets us map the interdependencies between risk elements in a manner that lets them be measured. Just as certain drug cocktails are researched to learn which are more effective, AI, alongside simulation and optimisation, helps us identify correlations between risks and control sets. BUT, the prioritisation of objectives (needed to measure impact) can never be set by AI. And any measurement system must be flexible enough to accommodate reliable and repeated sensitivity analysis, so that risk can be recalculated at any time as priorities shift.
AI will also make it more efficient to actually track risks, year over year. Science evolves. Risk measurement will too.
Eileen Ludden is the director of Face the Risk, Ltd., where the mission is to support strategic risk assessments that prove benefit in ROI terms against organizational objectives.