Leveraging AI for risk management is already an imperative

As the scale and complexity of the challenges facing risk and compliance executives across all three lines of defence continues to increase, many or most are quite rightly turning to AI as a critical part of the tool kit for meeting this challenge. Internationally, banks, insurers and wealth managers that are leading AI adoption for risk management are realising substantial benefits in reduced costs, faster customer service times and lower levels of issues and losses. With a gap beginning to emerge between those leading on AI adoption for risk management, and the rest of the industry, many risk professionals are struggling with the challenge of how to cut through the hype and achieve practical progress. In this article we offer practical suggestions to do just that. In short, these include:

• Business case clarity: Ensure the use case, the business or risk problem to be solved, is clear and realistic with a robust methodology for measuring success and evaluating benefits. In a world seemingly filled with endless possibilities, a disciplined prioritisation approach considering strategic alignment, financial returns and other benefits, and risks is also important.
• Run parallel trials: Trial AI solutions in parallel with existing risk processes. This will not only mitigate the risk of relying on a flawed outcome from the AI but will also provide a counter-factual to evaluate results and assess the benefits.
• Select pilots with care: Pilot or proto-typing AI solutions on discreet business units, customer portfolios or products rather than attempting to deploy these on an organisational wide basis. At the same time, it is equally important to hold a view of the target end state for the enterprise if the pilots prove successful. Ultimately, successful AI adoption will give rise to the next evolution of business architecture and workflows, and as such, having a view of how to position the enterprise to realise the benefits at scale will be key to unlocking sustainable productivity benefits. As the number of potential use cases being promoted across each organisation continues to increase, so too does the importance of having a credible and consistent set of standards and approaches for testing and evaluating pilots.
• Data is key: Careful curation, cleansing and consideration of any potential bias in the applicable data sets to ensure not only the success of the pilot, but to build the understanding of data requirements and limitations ahead of broader roll out is key. 
• Mobilising an optimal mix of capabilities: Doing the work of risk and compliance going forward will require a different mix of skills. In addition to the traditional risk and legal specialists, business and product expertise and data and analytics become increasingly important, as does the ability to deploy, oversee, govern, and explain AI systems. 
• Providing staff the space to test, learn and explore: Possibly the single biggest barrier to overcome is to create a culture where staff feel comfortable to explore, test and learn. Creating the time, ensuring access to suitable tools, and providing expert AI support where needed are key steps to creating the right conditions.
• Rigorous adherence to AI Governance frameworks and policies: Risk has a critical enterprise-wide role to play in AI governance and responsible AI adoption and must ensure strict adherence to the policy and framework requirements. Using these in practice also provides an opportunity to calibrate and refine the enterprise wide policy settings.

Business case clarity: finding the right opportunities

Being clear on the business and risk management challenge or opportunity to be solved is a critical first step in unlocking the potential of AI for risk management. This involves being clear on how adoption will increase risk management effectiveness and reduce cost, and how success and benefits realisation will be measured. When considering the business case, consider all aspects of responsible AI, including data privacy and protection, transparency and explainability, the avoidance of bias, and the requirement to monitor and oversight any third parties being relied upon as part of the AI solution. These are all costs that should be factored in when completing a business case and benefits assessment. For regulated financial institutions where CPS 230 has stipulated explicit expectations in relation to service provider management, AI introduces an additional set of risks and considerations in relation to data privacy and protection, IP protection, model training approach and bias safeguards, all of which need to be considered and addressed in contractual agreements. 

Selecting the right tool for the job is another important focus area. While generative AI and large language models are receiving all the attention right now, in many cases, machine learning and even basic automation scripts may offer more compelling solutions at a lower cost and a lower risk profile. 
By way of overview, below we explore some of the use cases where leading financial services organisations are realising the benefits of AI adoption.

Fraud and financial crime: Machine learning models analyse transactional patterns and customer behaviours in real time, flagging suspicious activity with greater speed and precision than traditional rules. 

Credit risk modelling: Lenders are enhancing credit scoring by incorporating alternative data and advanced algorithms that find complex patterns in borrower behaviour. 

Market and liquidity risk analytics: AI models distil vast market data sets to provide early warnings of stress and generate realistic stress-testing scenarios. Used in parallel with existing market risk and liquidity risk management approaches and stress tests, AI is providing incremental insights as to possible sources of risk. 

Customer sentiment and complaints handling: Natural Language Processing (NLP) can monitor different types of customer interactions and complaints data to assist with the detection of thematics and root causes. Regulators are consistently signalling the expectation that organisations move beyond considering issues and complaints in isolation and identify the root causes and thematics. AI tools are likely to become increasingly important to doing so effectively. 

Obligations scanning and organisation: AI tools are increasingly being used to scan for legal and regulatory changes and bringing a level of organisational impact assessment as to which business units or products might be affected by those changes. 

Making it easier for staff across the enterprise to navigate frameworks and policies: Risk management policies and other elements of the risk management framework can be challenging for staff across the organisation to locate, interpret and follow. Some organisations have achieved meaningful savings in the time spent by staff to find and follow internal requirements by providing staff with AI tools that not only help with finding the relevant requirements but also provide plain English explanations as to what is required. 

Run parallel trials on select pilots (while holding a view of the target end state)

One of the most common barriers to adoption of AI in risk management is concern about the integrity and accuracy of the model output. While this cautiousness is appropriate, organisations must resist the tendency for this to delay acting. One of the lowest risk ways of doing this is to evaluate AI solutions in parallel with existing risk management processes. This approach means that organisations have essentially nothing to lose, knowing they will always have the existing protections while exploring the incremental insights (and limitations) of AI solutions. Having a clear pathway to iteratively improve solutions and ultimately migrate off legacy processes is important to sustainable benefits realisation. Trialling these solutions on discreet business units, products or customer cohorts may prove much faster and more effective than endeavouring to roll out enterprise-wide approaches. While pilots are a practical and valuable way of progressing the AI strategy and maturity, it is important that from the outset of the pilot, the organisation has a clear view of what the application could look like at scale if the pilot is successful. This ensures the broader organisational readiness can keep pace with the learnings gleaned from the pilots.

Face into data challenges

Another major barrier to adoption is the quality and availability of data. Parallel pilot programs as described above provide the opportunity to explore solutions in a low-risk way, without the need to ensure perfect data, while also generating insights as to where data limitations impact the AI outcome in a material way, which in turn enables the right focus for data cleansing initiatives. 

The capabilities needed for risk management

Risk functions have for some time been facing into considerations around the right blend of skills needed in the risk team, and the need to supplement traditional risk and legal expertise with data and analytics capabilities. AI will accelerate the demand for this shift, initially with a focus on the need for greater data and analytics capabilities. As the role of AI in analytics continues to increase, our skills will need to evolve to focus on the design, governance and oversight of AI solutions. 

Creating a culture of innovation and exploration in risk

Supporting risk practitioners across the enterprise to move from hesitation and trepidation to a state of curiosity and continuous learning, may be the most important condition for successful adoption of AI for risk management. Providing the time and space, ensuring the right tools are available to staff, and making expert AI support and guidance available are all critical elements to fostering a culture of innovation. Don't underestimate the potential impact on the organisational culture when the Risk function is seen as leaders and champions of (responsible) AI innovation, in contrast to being seen as overly risk averse and slowing down adoption.

Responsible AI governance – leading by example

Risk teams across all three lines of defence have an important role to play in ensuring that the principles of responsible AI are adopted across the enterprise and that organisational frameworks and policies are followed. It is important that risk teams lead by example in how these requirements are implemented in the adoption of AI in doing the work of the risk function. These examples use cases can also be valuable testing grounds for Risk teams to evaluate how best to support the broader enterprise to embrace the promise of AI within safe guardrails that ensure the protection of customers and other stakeholders.

AI adoption for risk management offers enormous potential for enhancing risk management outcomes in a cost-effective manner, and as the challenges in risk and regulatory compliance continue to increase, so too does the imperative to realise this potential. Selecting use cases according to disciplined business case requirements, and creating the conditions to explore, test and learn within safe guardrails will enable Risk teams to achieve practical, real-world benefits while building the organisational capability and culture for the future.