Is Artificial Intelligence really the future of NFR Technology?
Game-changing, transformative, disruptive are just some of the phrases that have been used to describe introducing Artificial Intelligence (AI) in financial services. Indeed, one would be forgiven for believing that financial services firms should already be using AI to manage non-financial risks to great effect, becoming more efficient, getting better use of data and actively identifying and managing the range of risks associated with the technology.
Yet, our experience suggests that this narrative does not necessarily reflect reality. Instead, even where organisations are investigating these technologies, they are generally at the proof-of-concept stage, while continuing to prioritise efforts on embedding the basics of non-financial risk management within their existing technology suite. Inherent challenges that persist with migrating legacy systems and integrating other systems with their Governance, Risk and Control (GRC) platform mean that in the short to medium term, investment needs to focus on existing technologies, and the quality of data within them, rather than reaching for the more strategic and glamorous ones. Future-proofing non-financial risk management in this way will pave the way for emerging technologies, and the benefits they bring in the longer term.
How is AI being used in risk management?
Whilst AI may not be as intrinsic in non-financial risk management as some might believe, it is being increasingly adopted in areas where the benefits clearly outweigh costs, notably supporting high volumes of data analysis and customer-facing products. Common use cases for AI in Financial Services include:
- Credit risk decisioning – AI analyses a customer’s data points to shorten the decision-making process.
- Financial crime management – machine learning is used in transaction monitoring to spot discrepancies in customer behaviour patterns, flagging instances of suspected fraudulent or criminal activity.
- Cybersecurity – machine learning analyses historical risk events and applies the trends to identify new cyber threats.
- Chatbots – AI driven chatbots automate internal support ‘helpdesks’, scanning policy and framework documents to provide answers to employee queries.
- RCSAs – machine learning analyses risk assessments to determine whether they are of sufficient quality with the expected controls, issues and actions linked.
Across each of these use cases, organisations are able to reduce demand on their people, re-prioritising efforts on less administrative tasks, and utilise more data, making decisions based on deeper and more accurate insights. However, the use cases for AI in NFR management, irrespective of the costs, are not without their own risks and challenges:
- Regulatory risk – transparency of outputs produced by machine learning reduces as technology continually evolves and becomes ‘smarter’, removing organisations’ ability to explain decision-making to regulators.
- Conduct risk – machine learning bias can be created unintentionally by the data inputted to train the technology, creating a systemic bias which can be difficult to identify and resolve.
- Data – many organisations lack the large volumes of high quality data required to train and test machine learning technology, leading to potentially inaccurate outcomes.
Given the potential risks associated with using AI in NFR management, it would therefore be prudent for organisations to carefully work through the use cases and ensure that appropriate controls are put in place before rolling them out more widely.
NFR technology in the short-medium term
As stated in the introduction, in order to prepare for AI, organisations need to continue focussing on enhancing their existing technology suite in the short to medium term. Whilst this view is especially true for those without the budgets of larger banks, the fine Citibank received last year for failings in their enterprise risk management and data governance clearly demonstrates the attention this warrants across the industry.
Instead, organisations should focus on the following three areas:
- Firstly, the user interface. When developing customer-facing products organisations prioritise the ‘usability’ of the system, ensuring it’s visually appealing and easy to use, for example by limiting the number of click-throughs. Whilst the same thought has historically not gone into internal systems, this is a key area of enhancement that will drive buy-in across the three lines of defence.
- Building good quality MI and analytics functionality enhances both the usability of the GRC solution and the value derived from it. Reporting dashboards should provide clear thematic insights across the three lines of defence, helping identify areas of concern early, enabling them to put mitigating controls in place and thus reducing the likelihood of risk events.
- Focus on a single, golden-source GRC solution that enhances an organisation’s ability to provide thematic insights. Organisations that have multiple GRC platforms should look to streamline these to simplify risk management and provide a single platform on which to integrate other technologies, such as analytics functionality and, in time, emerging technologies.
AI and machine learning may be ‘the last invention that humanity will ever need to make’, and undoubtedly have huge potential in driving improvements and efficiencies in non-financial risk management as well as across the industry as a whole.
However, the road to nirvana is long and AI should be viewed as the sports car to be bought in 5 to 10 years. It’s shiny, exciting, the sales pitch is out of this world and the customisable extras will always cost extra. However, you’re unlikely to buy it until you’ve got the basics – somewhere to live and food on the table. Non-financial risk management is no different: the basics – framework, reporting, governance – need to be fit for purpose before adding additional complexity. In parallel, organisations, together with regulators and suppliers, should focus on understanding future technology and resolving issues before rolling out too widely.
At BCS Consulting we work with our clients to provide industry-leading framework solutions that are tailored to our clients’ needs, leveraging our extensive non-financial risk expertise. We have specialists in all areas of non-financial risk who can help you with all stages of your journey, from designing and implementing frameworks, establishing appropriate risk governance, to developing monitoring standards. Please contact us for more information on our experience in non-financial risk.