Category: Enterprise Risk Management

Talking About the Risks of AI and Cognitive Technologies

According to the recently published PwC’s 22nd Annual Global CEO Survey, 85% of the surveyed CEOs overwhelmingly agree artificial intelligence (AI) will have a significant impact on their business within the next five years. For this reason, they have plans to pursue AI investments.

This is despite the fact that the information gap between the data CEOs are requiring to make informed decisions and what they are getting from their teams has not closed. Lack of analytical talent, data siloing and poor data reliability are the primary reasons the data they receive is inadequate.

Nonetheless, the application of AI and the underlying cognitive technologies such as machine learning, computer vision, natural language processing (NLP), audio and signal processing, speech recognition, predictive systems and robotics are wide-ranging, with the potential to improve performance in nearly any activity that generates large amounts of data.

Highly-powered algorithms which are the basis of these computer systems are presented with large amounts of data and subjected to supervised, semi-supervised, unsupervised, reinforced and deep learning.

The goal is to train the algorithms to identify relationships or patterns between the inputs and the outputs and use those rules to predict future outcomes with input data alone.

For example, in healthcare, AI is being used to study patient clinical data and recommend diagnoses. In finance, machine learning algorithms are being used to analyze transactions and uncover fraud and money laundering.

In the retail industry, predictive algorithms are being trained to automatically group customers into various categories based on their needs or buying patterns. These insights are then used to prioritize sales efforts and tailor promotions.

In other cases, companies have piloted NLP technology to monitor social media sentiment. The technology automatically identifies conspicuous topics of consumer conversations and sentiment surrounding those topics.

The generated insights are being used to influence decisions on improving marketing and customer service.

It is no surprise then that CEOs are now exploring how to implement these new technologies in their business.

Hype-driven or well-informed investments?

As much as AI is a source of significant business opportunities, the same technology is also a source of significant threats that must be evaluated. This is essential for helping leaders make informed and intelligent investment and risk decisions.

It is foolhardy for leaders to jump on the AI bandwagon and expect to capture the promises of AI and cognitive technologies if they lack an understanding of whether, how, and where to invest in applying these technologies.

When almost everyone is talking about the opportunities of AI and cognitive systems, it’s easy to cave in to hype-driven or ill-informed investments and overlook the fact that AI and cognitive technologies are not the solution to every business problem or situation.

That is why it is critical to evaluate the business case for investing in these technologies and assess the potential impact on your company’s business model, culture, strategy and sector.

Take a holistic view of your business processes, products and markets to weigh where the use of AI may be practical, profitable and crucial.

Algorithms are only as good as the data they learn from

Given that AI capabilities are data-driven, closing the information and talent gaps is key to unlocking AI’s potential. AI-powered algorithms improve over time through their experience of using data.

They learn relationships between variables in historical data sets and their outcomes. The relationships are used to develop models, which in turn are used to predict future outcomes without needing to be explicitly programmed by a programmer.

The systems change and evolve depending on the data that is fed to the algorithms. This therefore requires the data that is fed to the systems to be accurate, complete, diverse, and free from errors and bias. If the data is incomplete, error-prone or contains innate bias, the algorithms are likely to display false patterns as well as magnify the bias leading to misleading outcomes that have far-reaching repercussions.

Since AI and cognitive technologies deliver outcomes based on historical or existing data presented to them, leaders need to acknowledge that these systems will not necessarily provide flawless outcomes.

That is why it is critical to have appropriate data governance structures and talent in place to monitor where and how these technologies are deployed across the organization.

Skilled personnel play the critical role of overseeing biases and risks emanating from algorithms. For example, these people help identify and mitigate risks associated with programming errors.

Understand the black box of AI

As business leaders lay the foundation to pursue AI investments and entrust key decision-making processes to intelligent machines, it is worthwhile to demystify the ‘black box’ of AI.

This is the notion that we can understand the inputs and outputs of an AI-powered system, but don’t understand what happens inside.

Accountability is an important element of decision making, and in order to make AI systems accountable for their decisions, AI-based decisions need to be explainable in order to be trusted.

Rather than blindly entrust machines to make important decisions, leaders therefore need to develop an understanding of how the technology works and how it makes decisions.

Thus, business leaders must be able to identify and explain the layers of decision making which underpin the operation of the systems and influence the final outcomes.

For example, are you able to identify and explain which connections have predictive value in the multilayered deep neural networks? Although it’s impossible to analyze all the connections in a deep neural network, it’s important to prioritize what you need to know, what you want to understand, and why.

Over time, through testing and measuring, or trial and error, you will be able to understand the thought process behind algorithms, trust the decisions they make and ensure a robust governance structure is in place to monitor these technologies as they mature.

Surge in Cyber Attacks

Big data has been a boon to the development of AI and cognitive technologies. Thanks to advances in technology, our digital lives are producing staggering amounts of data each day.

As a result, interest in AI application is surging as decision makers try to make sense of all the data at their disposal.

Nevertheless, leaders need to be aware that the more data is generated the higher the probability of cyber criminals or hackers targeting the company’s AI systems to steal personal data or business confidential information.

A major data breach can have unintended consequences that can create legal, brand and public relations issues for the business.

Therefore, as leaders seek to capture the opportunities of AI and cognitive technologies, they mustn’t turn a blind eye to the limitations of these systems.

They must also consider the various ethical, moral, and legal issues associated with the AI systems that their organizations deploy.

Thinking About The Upside of Risk

Making intelligent and informed decisions is intrinsic to effective risk management. Many times, risk management decisions are centered around loss events and the negative consequences that might eventuate. The positive aspects of risk taking are hardly noticeable.

Let’s take, as an example, a decision by a locally based company to build a sales and distribution presence in a new international market. Some of the risks associated with pursuing such a move include:

  • Regulatory or unanticipated government intervention aimed at foreign players.
  • Currency volatility. Shifts in foreign currency values have both positive and negative implications on the company’s costing and selling prices, and ultimately profitability.
  • Political Uncertainty. Increased political tensions between countries often lead to trade wars, supply chain disruptions and minimal trade opportunities.
  • Heightened Corruption. Companies entering certain markets may be confronted with unorthodox ways of doing business. In a number of countries, bribery is required in order to complete trade.

On the other hand, the opportunities of expanding into the new market include:

  • The business is able to keep pace with competitors by pursuing an international business strategy.
  • Potential to serve more customers. A larger consumer market ultimately means enhanced profit margins.
  • Exploring new markets can lead to innovation through external partnerships.
  • Market diversification. Having a presence in more than one market also spreads risk as the business is not completely reliant on one market.

In spite of the opportunities lingering on the horizon, the tendency for decision makers is to fixate on the negative side of risks.

Rather than identify and exploit the upside of risk for value creation, decision makers resort to singing the default anthem ‘No, no, no. It’s too risky.’

Risk taking is strictly eschewed or mitigated – always from the downside. Given today’s surging economic uncertainty and volatility, and the integral role of effective risk management in driving business performance, an unreserved mindset change is necessary.

It’s not about eliminating or even terminating risk as risk will always be present. It’s about mastering what might happen, considering all the potential opportunities, including the potential risks, evaluating whether this is acceptable and then acting as required to effectively pursue set business objectives.

Therefore, instead of always being risk averse, decision makers need to start thinking about the upside of risk and develop an understanding that there is a benefit to taking on more risk, provided this is done in a controlled way and not higgledy-piggledy.

As a strategic advisor to the business, finance can play a critical role in helping management make better informed decisions about uncertainties.

We can achieve this through taking initiative and integrating ourselves in operational and strategic performance discussions, understanding the business and its entire operations, and asking smart questions aimed at helping management perform their jobs better.

Doing so empowers us to provide decision makers with cogent advice that ensures they have solid information about both the upside and downside of the company’s business strategy, and ultimately help them make enlightened decisions.

In other words, the advice we allot to decision makers should not act as an impediment to the achievement of business objectives. Instead, it should help them understand the odds of achieving the objectives and business success.

Effective risk management far exceeds risk protection and compliance, loss avoidance or arranging insurance cover to mitigate negative consequences.

Old habits die hard. Nevertheless, growth and progress ensue from challenging the status quo and embracing new habits. Stop focusing on avoiding loss and start taking a broad, strategic view of the upside and downside of risk.

Resolve how you can literally create value and support the successful execution of business strategy and achievement of objectives.

Third-Party Risk: What You Don’t Know Can Hurt Your Business

Thanks to globalization and advanced technologies, the world economy is increasingly interconnected and a borderless market. Businesses are no longer depending on their own resources and self-developed capabilities in order to achieve operational excellence, fuel growth and drive strategic success.

For example, a retailer headquartered in Toronto, Canada, doesn’t necessarily need to rely on local suppliers to meet its customers’ demand. A financial services company in London, England, can now employ the services of a cyber security expert domiciled in Singapore. Today, businesses are no longer going it alone.

When entering into new lines of business or expanding into new markets, it is common for organizations to leverage third-party knowledge, skills or resources, and form partnerships, alliances, and other business relationships.  These external parties have suppliers, partnerships and alliances of their own too.

Given the interconnection between third-party relationships and the inherent risks, the ability to manage these relationships is critical to success.

Ignorance is no defense

The actions of third-party intermediaries have dire consequences on the business, not just financially but also legally, operationally and reputationally. Moreover, regulators are increasingly policing third-party relationships, and when something goes wrong, the penalties can be hefty.

Think of the U.S. Foreign Corrupt Practices Act, UK Bribery Act, EU General Data Protection Regulation, or Brazil’s Clean Companies Act. Even if a security breach or risk incident occurs on the other side of the world, entities or individuals found on the wrong side of the law will not escape unpunished.

Activities can be outsourced, but responsibility can’t. It is therefore imperative that business leaders develop a deeper understanding of third-party relationships including the full spectrum of risks linking in each part of the organization.

You need to adequately examine your clients, vendors, consultants, agents and other business partners, know who they are and how they operate. A basic internet search or third-party website visit doesn’t cut it. A detailed integrity due diligence is required. You need to know your business partners’ qualifications, business history, reputation and their relationship with foreign government officials.

In addition, you also need to understand the business rationale behind including the business partner in the transaction. Failure to do so could expose your organization to reputational damage, operational risk, government inquiry, monetary penalties and even criminal liability. What you don’t know about your business partners can hurt you.

Visibility over third-party business relationships

In a number of organizations, the examination of business relationships and assessment of inherent risks is left in the hands of the procurement function. The function identifies potential savings from outsourcing, the legal team drafts the contract and it’s business as usual. There is no or little follow up on the relationships.

In some cases, external relationships are managed in silos within business units. The business unit that owns the relationship also manages the risk. These individual business units have different ways of tracking their suppliers, vendors or partners, making it difficult to compare and collate them across the entire business. In addition, sometimes there is a duplication of efforts and inconsistent application of risk assessment and management standards.

In other cases, companies adopt a centralized or hybrid approach in order to help overcome the challenges presented by the decentralization model. With the centralized approach, redundancies are reduced, and risk decisions reside with a single group in turn fostering accountability for risk assessment.

However, it is important to note that with this approach tensions can sometimes arise between business units that have a working relationship with the external parties and the centralized team accountable for risk assessments. As a result, some companies pursue a hybrid model in which risk ownership is clearly defined and decision making rights are spread across a number of business functions, such as procurement, finance, compliance and risk management.

As the business is constantly on-boarding or terminating external partnerships and expanding or reducing third-party services, it’s therefore important for business leaders to develop a strategy and road map to systematically identify third parties using an inclusive definition.

For many companies, key data about business relationships resides in multiple procurement systems and in emails, spreadsheets, and text documents. Manually building a complete inventory of current contracts from these multiple sources, and then analyzing and interpreting all the data in order to assess risks and make informed decisions can prove challenging.

New technologies such as robotic process automation and natural language processing can however help obtain visibility over third-party relationships. RPA helps integrate information from disparate sources and systems without manual intervention and embed control mechanisms into an automated process, thus increasing efficiency and streamlining third-party transaction risk management.

On the other hand, natural language processing helps to analyze documents written in plain text and signal critical risks, enabling third-party controls to be automatically reviewed for potential risks emanating from inadequate or unclear contract language.

Strong governance process

Traditionally, risk has been regarded as something to be minimized or avoided, with considerable effort spent on protecting value. However, in today’s global competitive environment, in order to progress and achieve strategic success, a business should develop an appetite for risk taking. A business cannot expect to grow and expand by avoiding risk or hesitating to expand its universe of third-parties.

However, given that today organizations are being held responsible not only for their own actions but also for the actions of customers, suppliers, vendors or partners, it’s critical for company boards to provide oversight to ensure that effective third-party risk management practices are in place.

To avoid confusion, there should be clarification on who owns third-party risk in the organization, including where third-party risk management sits within the organization. It is the board’s responsibility to ensure that management establishes a clear organizational model and process for third-party risk management.

In addition, management should provide a clear line of sight to the organization’s major external-party risks by establishing an effective reporting system and keeping the board informed of how critical risks will be mitigated.

The focus should not only be on achieving cost savings or efficiencies, but also on driving value creation and meeting set objectives of the business. Thus, there should be alignment to the broader strategy of the business.

As the world increasingly becomes digitally interconnected and the extended enterprise grows and gets more complex, third-party risk management should also become a top priority for any business.

Also important to note is that assessing and mitigating third-party risk is an ongoing process. It’s about prevention rather than reaction.

The CFO’s Role in Cyber Security

Artificial Intelligence (AI), Blockchain, Robotics, 3D Printing, Cloud Computing, Internet of Things (IoT), Mobile and Advanced Analytics are some of the new technologies making waves in the technology space. Technology is evolving at such an alarming rate that if you’re a player in this field you have to constantly be on top of your game; otherwise, if you snooze, you lose.

Love them or loathe them, technological breakthroughs have created a world that is always connected, continuously innovating and constantly challenging conventional wisdom. For example, new computing power in the form of customer analytics is enabling businesses across all sectors to interact 24/7 with their customers, understand consumer behavior like never before and deliver unique customer experiences that yield results.

Current digital capabilities are disrupting traditional business models and presenting valuable opportunities to streamline processes, improve efficiency, free up resources, sharpen data analysis and improve business performance. Taking these benefits into account and others, CFOs are leading their companies on exciting digital transformation journeys.

It is true that technology is empowering us to perform our jobs better and achieve more with less. However, I get concerned when all we talk about is only one side of technology – benefits.

In the midst of all the promises and excitement brought by these “new shiny” tools, we are forgetting the heightened risks that also come along, which if not closely monitored and addressed have increased potential to bring the business down to its knees overnight. As organizations continue to increase their reliance on new technologies to drive strategic performance, new risks to data security and confidentiality are sprouting.

This automatically elevates the need to protect customer and employee data, as well as confidential information from third parties and business partners. The consequences of failing to do so are not only financial but also intangible – lost customer confidence and reputation damage.

CFOs have a critical role to play in enhancing and strengthening their companies’ cyber security programs. In the past, security responsibilities have fallen under the radar of the IT manager. However, an increase in data breaches and cyber attacks is elevating cyber security to the boardroom, resulting in the CFO taking over the mandate.

The good thing though is that Finance owns the majority of the data generated and used in the business. Secondly, Finance is responsible for performance reporting and analysis and CFOs have a bird’s eye view of the business and the market. Because of these two advantages, CFOs have better knowledge and understanding of where sensitive information is stored at all times, how it is secured, who has access to it, potential perpetrators and how they can get access to the information.

The problem in many companies is that cyber security becomes an imperative only after a breach has occurred. Just because you have not experienced a cyber breach or attack does not necessarily imply that you should give yourself a false sense of security. If you believe that your network is secure or you are a small company therefore immune to cyber breaches, think again.

These days cyber criminals are becoming more and more sophisticated and repeatedly aim to stay a couple of steps ahead of their victims. Most attacks are discovered a couple of months or years after the date of the initial breach. A case in point is the attack on the shipping company Svitzer, which is part of the Maersk Group. Sensitive personal information of around 500 employees in Australia, where the attack happened, was affected.

Perpetrators got access to the email addresses of 3 employees and for 11 months (May 2017 – March 2018) they secretly auto-forwarded between 50 000 and 60 000 emails outside the company. Accounts in Finance, Payroll and Operations were affected. The perpetrators were smart enough to introduce supporting rules that deleted the forwarded emails to prevent the compromised account owners from seeing that their emails were being forwarded.

With the speed and complexity of the threats changing on a daily basis, CFOs must take action and play a leading role in helping their organizations fight against cyber crime. As a CFO:

Acquire knowledge on cyber security. If the CFO is expected to take the lead in assessing and advising the board on cyber security issues, how best is (s)he going to do so if (s)he lacks an understanding of the risks and potential impacts of a breach? Lack of understanding leaves valuable information exposed. It is therefore critical that the CFO acquires knowledge on different types of attacks, impact on brand value, how to prevent the attacks, and also how to respond in the unfortunate event of an attack. Also, when the CFO has detailed knowledge of cyber security, (s)he is able to lead the discussion and provide training to the board so that they get working knowledge and understanding of cyber security to provide appropriate oversight.

Map and classify your organization’s data. In a world where companies are operating more than one financial and operations system, with each system containing sensitive stakeholder and financial performance information, risks abound. You need to understand how your organization’s data supply chain functions as well as how the information flows across your entire network of systems. Developing this understanding will help you take a digital inventory of your data and locate critical information in need of most protection since it is impossible to protect everything.

Carry out regular vulnerability assessments. It is common practice to install antivirus or any other form of software to protect ourselves from an attack. Unfortunately, this is not enough. Cyber security goes beyond installing software hence the need to assess any weaknesses and risks attached to your systems. One way of doing so is employing the services of ethical hackers who will actively try to intrude or penetrate into your systems and recommend effective internal controls. It’s important to be proactive and continuously evaluate current detection tools.

Build cyber security into the culture. One way cyber criminals make their way into company systems is via employees by sending them click bait emails. In the event that an employee lacks knowledge of cyber attacks, by clicking on the link he or she is exposing the entire group to a destructive attack. Educating and training employees on cyber matters helps build awareness. Additionally, employees should be encouraged to share information about a breach; this improves the organization’s ability to detect and respond to attacks of a similar nature. Although the CFO carries the overall responsibility of reporting to the board on cyber security issues and initiatives, it is still everyone’s job to detect and report possible attacks. Thus, cross-functional collaboration is necessary.

Don’t ignore third party risk. Business partners, vendors and other third parties hold important data on behalf of the company. An example would be where your company has outsourced specific Finance functions to a low-cost service provider, or you have engaged a marketing agency to handle your product marketing strategy. If this data were to fall into the wrong hands, your company will have to answer for that. Why? Because the company is accountable not just for data stored in-house but also data held by third parties. CFOs must therefore regularly conduct an assessment of third party risks and evaluate third parties’ data management processes. This will shed light on whether the third parties are protecting data with the same rigour as their own company.

Develop an incident response plan. Data breaches occur even to the highly secured organizations. What is required is having a response plan developed before the breach takes place to avoid making panicky and bad decisions. The plan should define what is considered a cyber security incident, and provide a clear guide map or process steps to follow when an incident happens. Also, the plan should have clear decision-making guidelines including a robust communication framework. You don’t want to find yourself scrambling to assign roles and responsibilities in the heat of the moment. Regular practice and testing of your response plan is a must. This will inform you in advance if your plan is usable or overly complex.

In conclusion, the mere fact that your organization has not been subjected to an attack doesn’t mean that you should shelve all efforts to secure your systems. As long as you use devices, mobile, social and back-office technologies that are connected to the Internet, you are a perfect candidate for a data breach. Don’t let ignorance act as a catalyst for your downfall.

Current State of Enterprise Risk Oversight

A recent publication, Global Risk Oversight, by North Carolina ERM Initiative, in partnership with the Chartered Global Management Accountant (CGMA), provides insights on the current state of enterprise-wide risk oversight, including identified similarities and differences in different parts of the world.

Here are some key findings, with emphasis added:

  • Organizations all around the world perceive an increasingly complex risk environment.
  • Risk management practices appear to be relatively immature across the globe. Around 30% or less of organizations indicate they have ‘complete’ enterprise risk management (ERM) processes in place. Only about 25% of the survey respondents describe their organization’s risk maturity as “mature” or “robust”.
  • Most organizations struggle to integrate their risk management processes with strategic planning. Despite the fact that most strategies may be impacted by a number of risks, only about 50% of organizations around the world “mostly” or “extensively” consider risk exposures when evaluating new strategic initiatives.
  • There is a lack of detailed risk oversight infrastructure in most organizations. Only a few organizations have formal risk management policy statements and frequently update risk reports.
  • Around 80% of organizations have not conducted any formal risk management training for their executives.
  • There is increased pressure on management to strengthen risk oversight. Depending on the geographical location of the organization, this pressure is coming from either the board of directors, the CEO or the audit committee.
  • Lack of sufficient resources to invest in ERM and the perception that there are more pressing competing priorities have been identified as the biggest barriers impeding the progress of maturing the organization’s risk management processes.

In light of these findings, the authors of the report recommend that:

  • Senior executives and boards of directors honestly and regularly assess their organization’s current approach to risk oversight in today’s changing risk environment.
  • Management genuinely consider whether the process used to understand and evaluate risks associated with the organization’s strategies actually delivers any unique capabilities to manage and execute their strategies.
  • Organizations appoint a risk champion such as a Chief Risk Officer (CRO) or create a management-level risk committee in order to help strengthen the risk management function and ensure all risk management processes are appropriately designed and implemented.
  • Organizations spend time analyzing the vast amounts of data they have to generate insights about emerging risks that may impact their organizations’ strategic success.

Overall, the report is a good read and a great starting point for improving enterprise-wide risk oversight.

It helps senior executives ask important questions when evaluating their organizations’ overall approach to risk oversight. However:

  • Although the authors mention regular updating of the risk register, I would add that risk management is not about list compilation; otherwise organizations might find themselves building risk lists that lack any insight for effective decision making. It is about identifying and evaluating those key risks with the potential of derailing the organization’s strategic success and finding effective ways of mitigating any losses. Furthermore, intelligent risk decision-making does not look only at the downside of risks but also at the opportunities found in taking calculated risks.
  • There is no mention in the report about offering risk management training to middle-level and lower-level employees, only to senior executives. The tone at the top and culture will determine if the organization succeeds at maturing risk management processes. Identifying and managing enterprise risks should be everybody’s responsibility within the organization. Thus, I believe there should be a common risk language throughout the organization.
  • Appointing a risk champion to strengthen risk oversight is critical. However, the individual appointed must have a deeper understanding of the business, its critical performance drivers and the ability to partner with the rest of the business. He or she must also be able to deliver the necessary risk training required.
  • Clear communication channels should be established to enable free flow of risk communication from top-down and bottom-up. People should not be scared to raise red flags or emerging risk issues to senior executives. Although the board of directors ultimately holds the risk oversight responsibilities to shareholders and other stakeholders of the business, if they receive inappropriate risk reporting from the bottom, the information they will feed to these interested parties will also be inadequate.
  • Risk management should be ingrained in the DNA of the business. Risk conversations should be about supporting strategic objectives achievement and enhancing business performance, as opposed to being a box-ticking exercise all the time.

Do the survey findings reflect the situation at your organization? If so, what are you doing to improve this situation?

I welcome your comments and views.

 

© 2019 ERPM Insights
