However, such data use often raises coverage and accuracy concerns. In this attack, an adversary tries to steal the model itself. They may also be differentially predictive if the system's weights or coefficients do not properly account for class-specific idiosyncrasies. Potential enhancement of existing processes and the creation of new documentation should, as a result, be considered. Training data could be assessed for data quality as well as for potential biases the data set may contain. An AI/ML system is generally only as effective as the data used to train it and the various scenarios considered while training the system. Control Risk. Remember that the governance framework is an element of governance. Governance covers a range of matters including tax strategy, corporate risk management, executive compensation, donations and political lobbying, corruption and disclosure. While a lot of effort can go into developing a viable governance structure, it doesn't have to be that way on every project. AI systems could potentially amplify risks relating to unfairly biased outcomes or discrimination. The results of the internal audit will help shape the direction of the whole GRC project. Note that identification of potential AI/ML risks (as set forth in Section 2) is critical to formulating an operational risk and control framework. The use of AI/ML deployment may involve third-party applications and/or data, as discussed in Section 2, which could enable scalability, increased compute power and access to vendors that are part of the larger fintech ecosystem. Then, the most suitable governance layer is decided. These threats could be financial pitfalls, legal consequences, cybersecurity threats, commercial liabilities, management errors and even natural disasters and other accidents. Although this is still an evolving field of research, some theoretical mitigation techniques are being explored further in the technology industry.
Four core components of AI governance include: definitions, inventory, policy/standards, and framework, including controls. For example, a link to the relevant risk analysis reports will make the discovery and retention of required information easier. Key potential risks of AI relate to potential harms that may affect organizations, consumers, or create broader detrimental effects on society. Manan N. Rawal, MUFG. Corporate governance essentially involves balancing the interests of a company's . Risk governance is created, and the risk governance framework is also elaborated. Formal HR governance includes risk management, as well as policy and program governance. Generally speaking, three types of discrimination are recognized by federal banking regulators: overt discrimination, disparate treatment, and disparate impact when not supported by a legitimate business justification. Non-compliance could result in devastating financial, legal and reputational consequences. Such deficiencies may give rise to potentially erroneous or poor predictions, or potentially result in a failure to achieve the intended objectives.
Existing Legal and Regulatory Frameworks
Mitigation algorithms find the optimal system for a given level of quality and discrimination measure in order to minimize these disparities. Although mitigation techniques are still being researched for the AI/ML attacks discussed in Section 2, depending on implementation and environment, strong technology and cyber controls could act as effective mitigation. Some were taken, but most were ignored or overlooked because of other projects and a lack of understanding of risk management at an organizational level.
If a team possesses a high level of psychological safety, does this increase the likelihood that one of its members might feel safe taking a risk which goes beyond the risk tolerance of the team, the line of business or the organization as a whole? Please find below a transcription of the audio portion of Rich Murphy's showcase session, Triskell Software for Enterprise Governance, being provided by MPUG for the convenience of our members. GRC's set of practices and processes provides a . Figure 2 depicts the results of the survey. ERM also addresses all the risks associated with an enterprise's portfolios, which internally contain all programs and projects. Monitoring data drift, on the other hand, helps enterprises understand changes in data characteristics at runtime. Some of the more serious risks include: These risks can impact teams differently throughout the organization. AI governance frameworks should ensure that sufficient oversight, challenge, and assurance requirements are met in AI system development and utilization. Cross-cutting aspects - Communicating, engaging with stakeholders, considering the context. AIRS is committed to furthering this dialogue and has drafted the following overview addressing the use of AI within financial services, discussing AI implementation and the corresponding potential risks firms may wish to consider in formulating their AI strategy. However, for your strategy to be more scalable, sustainable and cost-effective, focusing on the latter approach is more likely to give you the results you're looking for. For example, a compliance officer at a software company might work to ensure that their systems abide by regulations like GDPR. Prevention of model extraction attacks could potentially be achieved using strong information security practices; however, an extracted model can be identified with a method known as watermarking.
https://www.federalreserve.gov/newsevents/speech/files/brainard20181113a.pdf. This is because ERM should consider all of the organization's risks as an interrelated collection. Disparate treatment discrimination could occur when similarly situated individuals are treated differently based on a prohibited basis; the treatment does not have to be motivated by prejudice or an intent to discriminate. Potential concerns related to testing and trust risk are discussed in detail below:
Incorrect Output
Generally, if the attack is successful, an attacker could determine, to a certain degree of probability, whether a particular record was part of the training data set used to train the AI system. On the other hand, risk tolerance is when the investor or . Depending on the organization, a CoE could create a collective view and create and share best practices. Opportunities usually don't. Risks can also be positive. Because AI/ML systems are probabilistic, they may make incorrect decisions. There is a perception, for example, that AI systems are a black box and therefore cannot be explained. In fact, there was no structured and uniform way to define the probability and impact scales, no standard form of risk reporting, and little to no accountability for addressing risks. For example, governance bodies are expected to manage financial, competitive and information security risks. Why was it running for such a long time with little or no risk management? GRC stands for Governance, Risk and Compliance, and is a system used by organizations to structure governance, risk management and regulatory compliance. AI governance frameworks could help organizations learn, govern, monitor, and mature AI adoption. We understand the term "risk governance" as the various ways in which many actors, individuals, and institutions - public and private - deal with risks surrounded by .
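The membership inference outcome described above (an attacker learning, with some probability, whether a given record was in the training set) is easiest to see against a model that over-fits. The following is an added example, not code from the original page or from AIRS: a hypothetical classifier that memorises its training records, a confidence-threshold attack against it, and the weaker "gap" attack an adversary is reduced to when the API returns only labels. The records, the classifier, the threshold of 0.9 and the function names are all assumptions made for the illustration; no real data is used.

```python
"""Added example, not from the original page: a confidence-threshold
membership inference attack against a hypothetical classifier that memorises
its training records, and what the attacker is left with when the API returns
only labels. All records below are constructed; no real data is used."""
import random


def make_records(rng, n):
    """Constructed loan-style records: (age_bucket, income_bucket, region) -> label."""
    records = []
    for _ in range(n):
        feats = (rng.randint(0, 19), rng.randint(0, 19), rng.randint(0, 9))
        # The label follows the income bucket with some noise, so it is learnable
        # but not perfectly predictable from the features alone.
        label = "approve" if feats[1] + rng.randint(-2, 2) >= 5 else "deny"
        records.append((feats, label))
    return records


class MemorisingClassifier:
    """Hypothetical over-fitted model: exact-match lookup on the training set,
    falling back to the class prior for records it has never seen."""

    def __init__(self, training):
        self.table = {}
        counts = {"approve": 0, "deny": 0}
        for feats, label in training:
            cell = self.table.setdefault(feats, {"approve": 0, "deny": 0})
            cell[label] += 1
            counts[label] += 1
        total = sum(counts.values())
        self.prior = {k: v / total for k, v in counts.items()}

    def predict_proba(self, feats):
        cell = self.table.get(feats)
        if cell is None:
            return dict(self.prior)
        total = sum(cell.values())
        return {k: v / total for k, v in cell.items()}

    def predict_label(self, feats):
        proba = self.predict_proba(feats)
        return max(proba, key=proba.get)


def confidence_attack(model, feats, threshold=0.9):
    """Attacker sees confidences: an unusually confident answer suggests the
    record was memorised during training."""
    return max(model.predict_proba(feats).values()) >= threshold


def label_only_attack(model, feats, true_label):
    """Attacker sees only the label: guess 'member' whenever the model gets the
    record right (the so-called gap attack). Weaker, but not zero leakage."""
    return model.predict_label(feats) == true_label


def attack_accuracy(guess_member, members, non_members):
    """Fraction of records the attacker classifies correctly as member / non-member.
    0.5 is chance when the two sets are the same size."""
    correct = sum(1 for feats, label in members if guess_member(feats, label))
    correct += sum(1 for feats, label in non_members if not guess_member(feats, label))
    return correct / (len(members) + len(non_members))


def run_demo(seed=7, n=300):
    rng = random.Random(seed)
    training = make_records(rng, n)   # members
    held_out = make_records(rng, n)   # non-members from the same population
    model = MemorisingClassifier(training)
    return {
        "confidence_attack": attack_accuracy(
            lambda f, l: confidence_attack(model, f), training, held_out),
        "label_only_attack": attack_accuracy(
            lambda f, l: label_only_attack(model, f, l), training, held_out),
    }


if __name__ == "__main__":
    for name, acc in run_demo().items():
        print(f"{name}: {acc:.2f} (0.50 would be chance)")
```

The confidence attack succeeds on well over 90% of records because the memorising model answers with probability 1.0 for anything it has seen and with the class prior for anything it has not. Withholding confidences and returning only the label drops the attacker close to, but still above, chance, which is why label-only APIs are a hardening step rather than a fix; reducing the gap itself calls for the techniques the text mentions later, such as differential privacy during training.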
The danger in this is creating too many disconnected silos that slow down communication, limit access to critical information and duplicate activities due to a lack of transparency and knowledge across the organization.
Security Audit
Moreover, it touches on transparency and the establishment of channels of communication within which an organization, stakeholders, and regulators engage. On the contrary, IT governance is about IT decisions that have an impact on business value. While it can have a huge impact, project risk is usually managed individually by each project manager. AI governance frameworks should also consider a host of other factors, some of which we outline below. Several papers and articles describe the potential uses and benefits of AI adoption and innovation in financial services. We reference these legal and regulatory considerations to illustrate existing standards that already apply to many algorithmic activities of financial institutions, especially as they relate to unfairly biased outcomes. [11] This three-part approach aligns, broadly, with the key sources of risk set forth in Subsection 2.1. I welcome your feedback below in the comments section. In such circumstances, however, additional policies and standards, or revisions to existing ones, may be necessary to ensure that AI is deployed appropriately. This bill is a prime example of governance, and we see it implemented every day as it provides disciplines, regulations, reporting and oversight for corporations, which further filter down to the project team within the organization. While there is no one-size-fits-all approach, practices institutions might consider adopting to mitigate AI risk include oversight and monitoring, enhancing explainability and interpretability, as well as exploring the use of evolving risk-mitigating techniques like differential privacy and watermarking, among others. Aroosa Khan.
The author asked what needs to be considered when planning risk responses. "[W]e will transform many existing Government transactions in this way." In this article, we will explore how to manage such a massive gap at an organizational level, considering Enterprise Risk Management and Risk Governance. Organizations employ a governance, risk, and compliance (GRC) strategy to handle interdependencies between corporate governance policies, regulatory compliance, and enterprise risk management programs. The end goal is that your selected tools, technologies and processes become baked into the fabric of your organization so that GRC standards and practices become a natural part of doing business. These could potentially damage the reputation of the company and lead to significant legal costs. As AI implementations mature in organizations, their impact on existing internal policies should be considered. Whether you're part of a large corporation, government agency, small business or nonprofit, you'll face numerous challenges, including: A disorganized approach to GRC can slow down an organization and cost more, all while achieving less, missing requisite compliance requirements and misidentifying threats to your revenue or reputation.