Risk Management in the Era of AI: Transitioning Risk Analysis to a Business Accelerator


Lumivero
Published: May 29, 2024

Risk management, explains Mariama Zhouri, is one of the oldest jobs there is. From parents investing in cabinet locks to protect toddlers to schools deciding whether it’s safe to open during a COVID outbreak, risk assessment is everywhere. Mariama, Managing Partner at Hammersmith Consulting Group in Montréal, Canada, has years of experience guiding world-class companies toward better risk management practices for crisis mitigation, business continuity, and data protection – not just to protect their assets and operations, but to accelerate business growth, ensure continuity, and enhance resilience.

She recently hosted a webinar, Risk Management in the AI Era: Impact on Business Growth, that walked through a high-level explanation of how artificial intelligence (AI) tools can potentially enhance risk management functions, particularly in the area of information technology (IT) risks. In this article, we'll cover the highlights from the webinar including ways organizations think about risks, where IT risks reside, how to perform a risk assessment in IT while promoting Risk Culture, and developing risk management frameworks and plans.

High-Level Risk Assessment – Defining Organizational Risk Appetite and KRIs

Risk management, explained Mariama, is a constantly moving target. “There is no zero risk,” she said. “Whatever we're doing as an organization, we have a certain amount of risk.” That risk exists across a spectrum, which she broke down as:

  • Known risks – Risks inherent in the nature of the business (e.g., a food manufacturer that knows there is a risk of high flour prices at times)
  • Predictable risk – Risks which aren’t necessarily implied by what the business does, but have happened before and have a known impact (e.g., cyberattacks or severe weather events that shut down production)
  • Unpredictable risk – Risks which are unexpected, have not happened before, and have an unknown impact on operations (e.g., a global pandemic or the beginning of a war)

Slide from Mariama’s presentation on risks typology defining known risks, predictable risks, and unpredictable risks.

Mariama pointed out that unpredictable risks can move to the predictable or known-risk category over time. For example, the start of the war in Ukraine was an unpredictable risk, but after two years, businesses can now factor in the impact of the conflict on their operations.

Once overall risks are known, it’s key for businesses to define their risk appetite. Which potential risks should be totally avoided, and which are acceptable because they are balanced out by a reasonable positive result? These risks can be further broken down into key risk indicators (KRIs) – metrics that help businesses define how to manage different types of risks and set mitigation plans.

What is Risk Appetite? Graph showing the level of appetite from no appetite to favorable and the approach for each appetite.

Mariama gave the example of a Canadian bank affected by a United States tax regulation a few years ago, the Foreign Account Tax Compliance Act (FATCA), which would require banks to complete additional reporting on any U.S. nationals with assets above a certain amount anywhere on the planet. The client found that they had potential exposure to FATCA reporting across 147 separate legal entities.

A risk-benefit analysis determined that the risks associated with failing to comply were unacceptable according to her client’s risk appetite statement. The solution was to consolidate all the accounts for its U.S. citizen clients under one new entity where there could be centralized FATCA reporting, rather than risking multiple reporting violations.

IT Risks – Types of Risk Analysis and How They Impact Business Ecosystems

IT risk management applies risk analysis specifically to IT infrastructures and data. Mariama presented a slide that detailed many of the IT issues that could pose a threat to business effectiveness or continuity, including:

  • Depurative technologies
  • Informal access and security processes
  • Incomplete or inconsistent data reporting and data governance
  • Lack of IT recovery plans that support business continuity during a major crisis
  • Third-party management of IT functions – what risks are there when vendors change over?

Why IT Risk Management? Graph from presentation showing examples of IT risks.

Obviously, with IT embedded in every aspect of business, IT risk analysis overlaps with risk analysis in other business domains, such as finance and operations. Managing and analyzing IT risk, therefore, helps with conducting a risk analysis across the entire ecosystem of a business.

Mariama explained how she might organize IT risk management functions for a client. First-line risk management defenses would include IT-specific functions such as information security, physical security and third-party vendor management that protect business continuity. Second-line defenses would include an IT compliance team tasked with monitoring processes and ensuring compliance with regulatory requirements.

In large, complex businesses operating globally, monitoring processes and conducting risk analysis, often solely for compliance reasons, can be incredibly costly. That’s where AI tools can help.

Enhancing Risk Analysis Processes with AI

Machine learning (ML) and AI tools can support more effective risk analysis. A 2021 KPMG insights report notes that “AI/ML has become synonymous with improving efficiency and productivity while reducing costs . . . due to the technologies’ ability to handle and analyze large volumes of unstructured data at faster speeds with considerably lower degrees of human intervention.”

These technologies can also run large simulations, such as Monte Carlo simulations, to help IT teams determine the probability and cost of different types of risks in order to formulate better-informed risk mitigation strategies.

Mariama also noted that AI-enhanced risk analysis processes can support faster compliance reporting. In the banking sector, she explained, there are often organizations that are responsible for reporting to dozens of different regulators – in the case of one client, more than 125 regulators. AI can streamline the monitoring process, cross-checking operational data against many regulatory requirements at once. For companies doing business within Quebec, where Mariama is based, AI can help businesses affected by cyberattacks meet the mandated 72-hour reporting requirement set out by Act 25, a provincial data protection and privacy law.

AI tools, Mariama pointed out, are not meant to replace human risk management. They’re meant to enhance it. Teams will still need key people to verify AI findings, evaluate AI solutions, and communicate options based on the organization’s KRIs.

Transitioning Risk Management from a Cost Mindset to a Business Acceleration Mindset

Finally, Mariama discussed how AI-powered risk management can help change how businesses think about risk. Currently, companies take a defensive approach, focusing on preventing losses and protecting business continuity. With AI-enhanced processes, businesses can enhance proactive response systems and processes and leverage risk analysis tools for competitive advantages.

For example, streamlined reporting and more robust data analysis can help companies prepare to expand into new regulatory environments. Mariama explained how one of her banking clients utilized risk-analysis tools to demonstrate that they were able to fulfill the requirements of the European Union’s General Data Protection Regulation (GDPR), and how a regional airline was able to grow its operations into new worldwide markets after showing regulators that it was on top of its risk and compliance management.

AI is often referred to as a disruptive technology. In the arena of risk analysis, it has the potential to disrupt business leaders’ defensive mindset into a growth mindset.

Learn More About Quantitative Risk Analysis

Interested in watching the full presentation? Watch Risk Management in AI Era: Impact on Business Growth on-demand. You can also start assessing risk and conducting your business impact analysis with a free trial of Lumivero’s machine-learning powered risk analysis software, @RISK and DecisionTools Suite.
