Is your firm ready to manage the reputational and operational risks associated with emerging and maturing tech?
Recent research by Integral Advice suggests the answer is ‘not quite.’ When asked about the effectiveness of AI governance, just 2 in every 5 organisations respond positively. Those organisations say that the oversight of AI initiatives is well integrated into enterprise risk management practices, that there is clear responsibility for outcomes, and that the use of data, models and processes is effectively controlled. However, transparency remains problematic. Only 60% are fully transparent with colleagues, customers and constituents about the use of AI in the organisation. Using AI in a responsible way necessarily involves being clear with the people it impacts.
The remaining organisations still have the bulk of the work ahead of them. Uplifting control tooling and practices must be supplemented with greater visibility for process and product owners about where and why these systems will apply. This is borne out by the further 2 in 5 organisations that are unsure whether their AI governance is effective. Deepening understanding across departments of this rationale, and of the prioritised outcomes sought, can help uncover and mitigate emerging risks.
Digital regulations still evolving
Addressing these uncertainties is crucial in an era of regulatory change. While AI brings new risks, it also accelerates the problems that emerge as businesses, agencies and consumers become ever more connected through digital means: risks to people’s identity, privacy, security and agency. Digital regulation is catching up after years of those risks manifesting across the economy. Regulators are now likely to take a dim view of organisations that do not take reasonable care of the personal and transactional data they acquire, retain and deploy across systems, including AI. These realities require a step change in business resilience strategies: becoming more adaptive, with continuous scanning, discovery and response to the new and deepening risks from AI.
While regulators across the APAC region continue to mull specific guardrails for Responsible AI, some fundamentals remain. Many global law firms have published guidance on the risk management that AI requires. Some examples of the available guidance are linked below:
The common thread is that this guidance is often tied to instruments like APRA’s Prudential Standard CPS 230 Operational Risk Management. CPS 230 requires regulated entities to identify and control the risks to the critical operations that form the firm’s backbone. For technology strategy, that means managing the climate, security, data and supplier risks associated with key systems, their interplay with people and products, and how those integrate across and beyond the organisation. Technology leaders need to partner with the responsible risk owners to identify and prioritise change. Getting the data is essential: with more reliable, connected intelligence about how these risks flow into and across the organisation, action can be grounded in operational reality.
CPS 230 is an essential starting point but not the end game. To stay compliant and build advantage, firms need to skate to where the regulatory puck may go. Part of this involves building readiness for future reporting regimes. In place of static reports submitted at fixed intervals, regulators have signalled an intent to become more real-time, granular and adaptive. In place of regulated entities submitting those reports, the suggestion is that regulators intend to pull prescribed data from entities on demand. That has implications for the firm-wide data strategy. Readiness relies on more than tooling: evolving data operations (DataOps), governance, quality and the information architecture are all needed.
That data readiness can also serve as a measure of how prepared the organisation is to manage AI risks. A few examples of those risks include:
- climate risks of AI that impact power demand, carbon intensity, water degradation and land use
- data risks across the insights lifecycle (from capture to integrate, analyse and decide)
- security risks in AI and emerging from the energy transition (unmanaged devices, data exchange)
- supplier risks such as GPU supplier dependencies, modern slavery and provider lock-in.
Expanding on the security risks means considering the energy transition required to power AI. Those risks arise from many sources and devices, from behind the meter to grid scale, and ultimately from the data exchanged between energy providers, retailers, distributors and consumers. Whether or not the organisation has a sizeable renewable fleet, the rise of devices managed by third parties means data being transferred at a volume, speed and complexity that can quickly overwhelm already overburdened security teams.
Zero trust and the DO-NOTHING RISK
This is where strategies like Zero Trust can help. Zero Trust enforces security policy under the assumption that the technology environment has already been breached. Each request for access is evaluated individually against identity, device posture and context, with least-privilege access and multi-factor authentication, rather than being trusted because it originates inside the network or from an earlier authenticated session. Zero Trust thereby enforces an ‘always verify’ approach to maintaining business resilience against existing and emerging threats. It helps contain the risks from unmanaged devices and from AI systems: a prompt-injected or rogue model can reach only what its narrowly scoped identity has been granted, which limits the blast radius even where assuring the behaviour of non-deterministic models remains difficult.
But what are technology leaders to do when faced with all these challenges? The scale and scope of these problems can lead to analysis paralysis, that is, doing nothing. Yet accepting the ‘do-nothing risk’ means relying on the status quo in controls, decision rights and observability, and that leaves firms falling behind best practice. The antidote to that inertia is action, with better insight as the basis for change. Acting now mitigates more than each risk individually, because the risks compound one another.
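The per-request evaluation described above, as an added illustration that is not part of the original article or of any Integral Advice tooling. The grant table, the principals (a human user and a hypothetical AI forecasting agent) and the requests are constructed for the example. The point it shows is deny-by-default: an agent that has been talked into exporting customer data by an injected prompt is refused not because the injection was detected, but because its identity was never granted that resource or action.

```python
from dataclasses import dataclass

# Constructed grant table (hypothetical): each principal may perform only the
# (resource, action) pairs listed here. Anything not listed is denied.
GRANTS = {
    "alice@example.com": {("meter-telemetry", "read"), ("meter-telemetry", "write")},
    # AI agent identity: read-only, one resource. No path to customer data at all.
    "svc-forecast-agent": {("meter-telemetry", "read")},
}

# Resources that always require MFA, even for reads.
SENSITIVE = {"customer-pii"}


@dataclass(frozen=True)
class Request:
    principal: str
    resource: str
    action: str
    mfa_verified: bool
    device_managed: bool
    device_patched: bool


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def evaluate(req: Request, grants=GRANTS) -> Decision:
    """Evaluate one request on its own. Nothing is carried over from a
    previous request, a session, or the network the request came from."""
    # 1. Least privilege, deny by default: an explicit grant must exist.
    if (req.resource, req.action) not in grants.get(req.principal, set()):
        return Decision(False, "no grant for (resource, action)")
    # 2. Device posture: a valid grant from an unmanaged or unpatched device is still denied.
    if not req.device_managed:
        return Decision(False, "device not managed")
    if not req.device_patched:
        return Decision(False, "device not patched")
    # 3. MFA for anything that changes state, and for sensitive resources regardless of action.
    if (req.action != "read" or req.resource in SENSITIVE) and not req.mfa_verified:
        return Decision(False, "MFA required")
    return Decision(True, "granted")


# Constructed sample requests. The last one models an AI agent acting on an
# injected instruction to pull customer records; it has no grant, so it is denied.
DEMO_REQUESTS = [
    Request("alice@example.com", "meter-telemetry", "read", False, True, True),
    Request("alice@example.com", "meter-telemetry", "write", False, True, True),
    Request("alice@example.com", "meter-telemetry", "write", True, True, True),
    Request("alice@example.com", "meter-telemetry", "read", True, False, True),
    Request("svc-forecast-agent", "meter-telemetry", "read", True, True, True),
    Request("svc-forecast-agent", "customer-pii", "read", True, True, True),
]


def evaluate_all(requests=DEMO_REQUESTS):
    """Return (principal, resource, action, allowed, reason) for each request."""
    return [
        (r.principal, r.resource, r.action, d.allowed, d.reason)
        for r in requests
        for d in [evaluate(r)]
    ]


if __name__ == "__main__":
    for row in evaluate_all():
        print(row)
```

The ordering of the checks matters less than the fact that every check runs on every request; in a real deployment the grant table comes from the identity provider and device posture from the endpoint management service, and the same rules would apply to a model's tool calls as to a user's API calls.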
Integral Advice offers objective benchmarking and insights that can help. If you’d like to learn more then please get in touch or review our services page. We look forward to assisting you.
