Blogs
How AI, Automation, and Emerging Technologies are Impacting Risk and Opportunities in 2024
- Artificial Intelligence
- 16 January 24
7 min read
Introduction
When ChatGPT entered the market early this year, it brought Artificial Intelligence (AI) into the mainstream and changed the way the world worked. From software engineering to education, law, and finance there are very few sectors that have not been impacted by ChatGPT. In addition to my role at MetricStream, I also teach at a university, and I have seen firsthand how ChatGPT is changing the way we teach and evaluate. I have had to remove several of my open-book questions since the answers were now available on ChatGPT! As concerns about how such new technologies continue to mount, enterprises, regulators, and governments need to focus on simultaneously managing the risks posed by these technologies and accelerating the opportunities they present.
I moderated an interesting discussion on how AI, automation, and emerging technologies are impacting risks and opportunities at the 2023 GRC Summit in Miami with eminent industry experts Brian Fricke, Managing SVP, CISO, City National Bank of Florida, and Alex Gacheche, Global Head of Information Security, Technology Infrastructure and Emerging Technology Audit, Meta.
Here are the key areas discussed during the session.
Watch Now: How AI, Automation and Emerging Technologies are Impacting Risk and Opportunities
The ChatGPT Impact
ChatGPT’s impact on the world cannot be underestimated. But it is important to remember that despite the hype, it is a tool in the toolbox, designed to make work easier. There will be other, better AI-powered platforms in the future, each of which will impact the way we work in its own way. But none of these platforms can replace human jobs – people will be replaced by other people who can use the platforms better, and subject matter expertise will remain vitally important. A foundational understanding of the technology, creative problem solving, and the agility to be able to adapt the results thrown up by an AI platform will be increasingly valuable in the years to come.
When it is considered a tool in a toolbox, it is easier for organizations as well—to shape policy, define acceptable risks, and establish technology controls. Organizations also need to develop robust efficiencies across the three lines of defense to maintain a comprehensive risk posture in the era of AI. Once the front line is empowered to leverage and use AI platforms effectively, the second and third lines will need to adapt quickly as well.
The Risks and Opportunities of an AI Economy
There is, of course, no denying that the rapid emergence of AI-powered platforms poses some immediate and long-term risks:
- Data Privacy and Confidentiality – When ChatGPT launched, initially, there was a spate of individuals putting confidential business information, and code onto the public platform. Organizations swung into action with blanket bans on usage of the platform. But such a ban is counterproductive and counterintuitive. AI platforms can go a long way in improving productivity by helping to automate mundane tasks. A better way to manage data privacy risks is to educate the workforce on the best ways to leverage the platform without exposing confidential information.
- Misinformation – This technology can be used to misinform. There is a need to go back to the drawing board to ensure the code is bias free. There is also a need for better governance.
- Cybersecurity – The other implication of AI platforms is their possible misuse by bad actors to launch sophisticated attacks on organizations. Security strategies must be revised for the AI era, and AI-related risks and taxonomies must be integrated into the risk register to better manage this threat.
Of course, there is no denying that AI offers a number of opportunities for enhancing productivity, improving key processes and driving responsible business growth. AI-powered platforms can help improve threat analyses significantly by analyzing large volumes of threats against existing mitigation capabilities quickly and accurately. AI can also help bridge skilled manpower shortages. For example, the cybersecurity field is projected to have a 50% shortage of talent by 2025. AI platforms can help companies manage and even improve their cyber security practices even in the absence of resources.
Regulations and Policies for the AI Era
Understandably, organizations, regulators, and even governments need to understand and work towards addressing some of the concerns around AI tools and platforms.
- Government Regulations – Governments across the world will play a crucial role in driving regulations for the emerging AI economy. In the US, the Biden-Harris administration’s executive order for AI safety and security aims to promote responsible AI innovation in the country as well as protect people’s rights and security. The EU parliament has proposed the landmark AI Act, with final approval expected this year. And other countries are following suit. But at the same time, it is important for governments to regulate AI without shackling it. Cross-functional teams with creatives, technologists, and regulators can help develop sound frameworks that protect individual rights, privacy, and security while enabling innovation.
- Regulators – There are trade regulatory bodies governing different sectors. Best practices from these sectors can be leveraged to create regulations for AI. Regulations governing each sector can be expanded to include AI and its impact on that sector. And as the technology continues to evolve, there may be merit in creating an entirely new agency for AI regulations.
- Enterprises – It is crucial to empower the three lines of defense for the AI era. The third line will have to drive active governance of these technologies. Cross-functional groups to drive governance is a good idea, and such groups must create repositories of current and potential use cases to address variations in risks that may emerge.
At the end of the day, it is important to remember that AI is a technology much like all transformative technologies that came before it. The world has contended with a number of disruptive technology trends over the last couple of decades, ranging from cloud to digital banking and crypto currencies. And it has collectively regulated, secured, and governed each of them effectively. As we gear up to contend with AI, we must remember that information and data lie at the foundation of any AI-derived platform and consider ways in which to adapt existing data privacy laws such as GDPR and CCPA to include AI risks.
AI is here to stay and will continue to evolve and shape the nature of business, work and even life as we know it. Like any new technology it presents a range of risks and enterprises may be tempted to ban use of AI altogether. But a transformative, and accessible technology cannot and should not be banned in its entirety. Attempting to do so would not only hold the enterprise back from truly exploring its potential but also result in unauthorized and unregulated usage. It would be far more effective to focus on building an AI-aware risk culture by training employees on responsible use of AI. Active discussions at the board level and even the establishment of a risk committee to monitor AI risk is a good idea. By integrating AI into the risk register, organizations can prepare to build policies for it. And most importantly, they must engage with younger generations studying and preparing for careers in a world that is already transformed by AI. Their fresh perspectives, unique approaches, and understanding can help drive better policies for what is undoubtedly going to be a new era of Artificial Intelligence-driven development and growth.
MetricStream’s AiSPIRE: AI-Powered GRC to Augment Decision-Making, Prioritization, and Improve Efficiency
AiSPIRE, an industry-first, state-of-the-art cloud-based product offering from MetricStream, can empower your organization’s GRC functions with proactive intelligence backed by powerful AI- algorithms.
By leveraging large language models, GRC ontology-based knowledge graphs, and generative AI capabilities, AiSPIRE has the power to utilize the full potential of an organization’s existing GRC and transactional data. Unlike other GRC tools that rely on manually defined rules and workflows, AiSPIRE effectively utilizes your organization’s data to train advanced machine learning models and AI.
AiSPIRE can empower your organization to:
- Remove redundant controls and reduce control tests and costs with AI
- Gain intelligent control insights and enhance processes for scheduling and prioritizing control tests
- Improve risk management by quickly identifying areas that need to be optimized and minimizing potential risks
- Gain insights by asking simple questions using a machine learning-based prompt intelligence
Interested to know more? Request a demo today!
Download Product Overview: MetricStream AiSPIRE
Jump to Topic
Related Resources
Blogs
Transform Risk and Compliance Programs with MetricStream’s AI-Powered Insights and Recommendations
- Artificial Intelligence
- 01 December 21
3 min read
Introduction
As organizations look to harness the power of next-generation technologies and thrive in the era of the Fourth Industrial Revolution, the focus on data is now more critical than ever. It wouldn’t be wrong to say that it is data that runs the modern enterprise in today’s digitized world.
It’s often said that data is the new oil. However, data in itself cannot drive business value—it is only when it is transformed into actionable intelligence that it can enable effective decision-making.
That said, many organizations today lack common taxonomies and structured processes, resulting in unstructured data which is difficult to analyze. This is a major challenge for risk, audit, compliance, and IT & cyber teams as they end up spending most of their time going through this data rather than analyzing it for making strategic business decisions.
Streamlining the processes and workflow and automating them with the right set of tools and technologies is an absolute must for unlocking the true potential of data. By leveraging artificial intelligence (AI), organizations can quickly get insights, identify patterns, avoid duplicate effort, apply the right actions, and better focus on decision-making that helps the business.
Bringing AI to GRC
Organizations today operate in a complex and unsettled business environment with amplified digital interconnectedness of people, processes, systems, and organizations, rapidly evolving risk and regulatory landscape, geopolitical uncertainty, and more. Furthermore, recent risk events, such as the pandemic, have underscored the importance of a future-ready GRC framework as organizations had an extremely short window of time to act.
Here, AI can be a gamechanger. It can empower organizations to break free from the clutches of siloed operations and facilitate integration and harmonization. Most importantly, it can drastically improve the speed at which risk, audit, compliance, and IT & cyber teams can locate relevant data and information, thereby expediting quick and fact-based decision-making.
MetricStream’s AI-Powered Insights and Recommendations
AI is an integral component of the MetricStream Platform, deployed and operationalized using cloud-first practices, and can be used to build any model or automate any GRC use case. MetricStream currently offers pre-built AI-powered recommendations to transform and automate GRC processes. It automatically provides key recommendations to users based on the historical patterns, so that organizations can further improve user experience and drive intelligent business decisions.
Here are some of the areas where we are bringing AI capabilities:
Issue & Action Management: MetricStream uses the core strength of AI by leveraging semantic analytics with natural language processing that can be used to identify patterns in issues and actions that can originate from any program – be it enterprise and operational risk, compliance, audit, third-party, or IT & cybersecurity. MetricStream’s AI-powered issue and action management provides recommendations to categorize issues based on their semantic similarity and automatically recommends duplicate issues and best possible action plans based on historical trends and business context.
Smart Policy Search: MetricStream’s AI-powered smart policy search simplifies the task of searching for policies using a natural language processing (NLP) based semantic search. It improves search accuracy by understanding the searcher’s intent through contextual meaning.
Observations Triage: As organizations are increasingly enabling the frontline to capture observations, they will have to manage a large number of observations. With such a high volume of observations being reported, the triage process becomes tedious. MetricStream AI-powered recommendation automatically provides recommendations to classify observations as a case, incident, issue, or loss event. This enhances the efficiency of the triage team.
Risk Scoring of Third Parties: As part of risk assessments, third parties must periodically submit detailed SOC2 and SOC3 reports as evidence of robust compliance and controls in their infrastructure and security. MetricStream AI-powered recommendations for third-party risk can automatically extract content from SOC2 and SOC3 reports, compute, and risk rank the third parties based on the number and type of anomalies in the report.
To learn more about MetricStream’s AI capabilities, click here.
Jump to Topic
Related Resources
Blogs
There is One Way Traffic – Downhill
- Artificial Intelligence
- 23 November 21
3 min read
The Instagram of Risk Blog Series: First Coffee, Then Audit
At the beginning of November, I attended the Charted Institute of Internal Auditors event in London, where MetricStream was exhibiting. I had the opportunity to network with the delegates and attend the keynote session. This was my takeaway.
Listening to the main presentation, set on a stage in a room full of financial professionals was anything but jaded. The presenter had the room in tears of laughter as he compared some people in the industry as cliff divers, the adrenaline rush as you look down and see the water below looking incredibly far away can make you run a mile. In a similar setting, the telltale signs of so many companies that got their accounts wrong and had to declare bankruptcy was a revelation, but no laughing matter.
You can say that hindsight is a wonderful thing, but a closer look at these failed companies balances sheets and annual reports would make the hairs on the back of your neck stand up. With falling share prices, falling short of analyst’s expectations, or sudden change of management, there are several ways you can disappoint shareholders. However, when you add creative accounting to the mix, then it is a poison chalice.
But who stands to be framed when companies are in serious trouble with deceiving accounts? Is it the management team or the auditors? Is it the investors or the bankers? Or should the blame be shared between them all?
Let’s compare this to an iceberg, only 10% of it is above the water, the rest of it is submerged under the sea, and this is very much like the accountings of a firm. On the surface everything looks fine, but if you dig a bit deeper you will unearth several surprises that are not what they seem.
The audit profession is subject to strict oversight and ultimately CEO’s and directors of companies will take full responsibility. This is where the buck stops. Audit teams need to become more agile, and they need to consider several factors especially when considering internal controls, including third party risk, cyber security, data governance, and data compliance.
Auditors who use the latest technology within their own teams are well equipped to understand the associated risks with security issues and system failures.
When dealing with a company’s financial records, auditors need to be aware of other indicators that may cause a company to nosedive:
- Cost becomes an asset
- Unusual stock adjustment
- Massive accrual of income
- Goodwill
- Deteriorating quality of assets over the effective lifetime
- Bad debt provisions
- Conflict of interest
Having an audit program that is aligned to organizational goals and prepared for multi-dimensional risks while preserving the trust of every stakeholder will shape your audit universal.
Companies need to create agility and collaborate across teams to optimize audit productivity and allocate resources based on the highest risk impact.
There is a lot to be said about the right technology and choosing the right provider, which includes:
- Protecting the business and meeting regulatory requirements
- Migrating from manual processes to automated workflows
- Driving consistency across the organization
- Recurring audit planning and execution integrated with resource & time management
- Centralizing GRC Library of risk, control, auditable entities with relationships
- Automating workflows that include review and approval of key activities
The secret is to leverage a centralized risk framework, as audit planning is central.
With the right data, wrapped in a dashboard you can generate a draft or even final audit reports with review and approval workflows. You can gain real time access to audit data with status reports. With risk assessments, you can document, manage, and assess risk across the origination.
The right audit platform accelerates audit cycles, helps improve audit strategies, reduces audit costs, and enhances auditor productivity.
And of course, you can provide external auditors and regulators with access to audit data for pre-defined time periods.
At MetricStream, our audit team community has transformed their departments by embracing the latest technology. They are truly the Instagram of Risk.
That reminds me, until the next time we meet, stay away from cliff diving.
This blog is the second in the Instagram of Risk blog series. Read the first blog where Suneel summarizes the key takeaways from the in-person events of the Oct 21 GRC Summit held in London, Copenhagen, and Zurich.
Jump to Topic
Related Resources
Blogs
Our European GRC Summit Roadshows and the Instagram of Risk
- Artificial Intelligence
- 02 November 21
4 min read
Introduction
Talk about roundtrips…. In-the same week of a very successful 2021 GRC virtual summit on the 19 and 20 of October, where MetricStream had over 2500 customers, prospects, and partners registered to learn, participate, and share their experiences around GRC, IRM, and everything in-between, we decided to host three physical summits based in London, Copenhagen, and Zurich to continue the conversations with our community.
All three locations had a boardroom style setting dedicated to a round table discussion. The aim was simple, we would listen to what our community had on their mind. It was an opportunity to find common synergies, lead round table discussions, and network with senior risk professionals that are paving the way in this industry.
With representation from risk, compliance, audit and IT Cyber, the discussions were captivating, and the commentary was electric.
London Calling
The first of the events started off in London, and we had a great mix of customers, partners, and prospects around the table.
Our CEO, Bruce Dahlgren introduced the session, and it was an engaging group that shared their thoughts and concerns around the current themes and trends.
Alongside the presentations, our partners gave a short speech on the success of collaborating with MetricStream to provide business benefits for our risk community. What followed was an insightful roundtable discussion that covered risk quantification, cyber security, and the need for organizations to lead with purpose.
It did not take long for ESG to make an appearance and quite rightly so, with COP26 on the agenda and the link to compliance, organizations that have a purpose and are aligning to social governance, diversity, and climate change are setting a precedent. MetricStream recently launched the ESGRC product, which enables organizations to define and manage ESG standards, frameworks, and disclosure requirements. There was a lot of excitement on this in the room.
Emerging risks and third-party risks were explored in detail. With recent supply chain disruptions, it became even more apparent how peripheral risks had to be managed.
Dinner followed, and the conversations (like the wine) continued flowing. It was delightful to see customers connecting with customers. It was evident that they all thrive in this environment and that it was clearly something they had sorely missed over the last 20 months.
Cycling through Denmark
We settled in for another topical roundtable discussion, where the thoughts and real-life examples of how technology is an enabler in the GRC space were deliberated. In some instances, the dialogue went back and forth. One example of this was that the concern organizations face with risk was not always a technology one, but more of a transformational project that the organization needed to resolve. Accompanying this, was the remark that there are inconsistencies in risk terminologies across the industries, which fuels part of the problem. It was also surprising (to me) to learn that there were still so many organizations using spreadsheets to manage their risk. This was their default way to identify, monitor, and track risks, even though they knew it was not sustainable, efficient, or scalable.
The need for AI and ML to automate risk attributes was the next topical point. The comment was made that AI techniques recognize pattens and trends to help alleviate the pain, time, and missing information that humans cannot always detect, but how do you know that AI is doing the right thing. This conversation continued into the evening, accompanied by food and drinks.
High-End Shopping in Zurich
And finally, concluding the week in Zurich, we had another full house with an engaging group that deliberated on how they can start a community of risk or as was suggested, the “Instagram of risk”. There were discussions around risk culture, accountability, accurate data, and mindset. Some customers admitted that it was quite possible to get lost in the data and what they require is speed, agility, and most of all simplicity. A comment was made that you could spend all your time managing documents and not the risk. Another referenced that as change management sits in all departments including HR and legal it can be a challenge to bring it all together for larger organizations. Crypto also made it in the discussion, with a notable mention that new risks have no historical data to base it on.
Visibility and accountability were front of mind in the discussions, and a common theme that was mentioned was on reporting risks up to the board of directors and the role of the board in risk governance.
MetricStream presented 5 current trends that we are observing in the industry and 5 innovation themes that we are leading the way with (API, AI, Adoption, Agility & Analytics).
By bridging the gap and driving value for the community, MetricStream has a purpose to continue to add value and innovate alongside our community. We want the community to thrive on risk and reap the rewards of being on a GRC journey that like a good bottle of wine gets better with age.
Until the next summit.
Jump to Topic
Related Resources
Blogs
How AI Powered Recommendation Engines are enhancing Integrated Risk Management
- Artificial Intelligence
- 10 May 21
2 min read
Introduction
Organizations are adapting to the expectations of a changing workforce, creating a culture of risk-aware decision making, inclusion and compliance to succeed in an environment where risk is permeating through all levels of the organization. Also, the volume and velocity of interconnected risks has made the involvement of frontline stakeholders critical to the proactive mitigation of risks.
Organizations have introduced new tools and technologies to help frontline users to capture and report business anomalies and unethical activities including financial improprieties, sexual harassment cases, discriminatory practices, conflicts of interest etc. Intuitive tools such as widgets, browser plugins, chatbots, and simplified web forms enable these users to take a more active role in risk-aware decision making.
With this shift in attitude, the volume of observations being reported by the frontline has increased drastically. Risk and Compliance Managers who are responsible for scrutinizing each of these observations are spending considerable amount of time in triaging and classifying large volumes of observations. In this complex and fast-moving environment, traditional approaches to managing these observations may not be the answer.
MetricStream’s AI Powered Observation Recommendation engine uses historical data available in the system to intelligently identify and classify the observations into areas such cases, incidents, issues and loss events. The use of artificial intelligence helps the Risk Managers to improve the speed and accuracy of triaging these observations. The ability of artificial intelligence and machine learning models to analyze large amounts of observations improves analytical capabilities in risk management and compliance, allowing Risk managers to identify risks in an effective and timely manner, make more informed decisions, and make operations less risky.
Andreas Diggelmann (CTO and Managing Director for India, MetricStream) recently stated that “AI for MetricStream is deeply contextual – and a means to help us solve a business use case. While it is important to keep the benchmark of innovation high, it also has to balance out with ground realities of every industry, every type of client – and it’s up to us to reach a solution that can benefit both”.
Artificial Intelligence is a game-changer for risk management and is one of the key drivers for transforming any industry. It saves time, boosts revenue, identifies risks and fraud, and adds value to your organization.
Learn more here.
Jump to Topic
Related Resources
Blogs
45 days in MetricStream…Un-learn, Re-Learn and Get Change Ready
- Artificial Intelligence
- 18 March 21
1 min read
Introduction
Over the last 45 days as Senior Vice President and Managing Director of Asia Pacific Region, I had had the opportunity to talk to over 100+ customers, partners and potential MetricStreamers and I am excited by what I hear!
This is a growth market where GRC is table stakes! But what our customers and partners are looking for is innovation that helps them thrive on risk, using risk as a competitive differentiator and risk by design as a thought process, when they develop their products and services. As the velocity and complexity of risks increases, organizations will need more contextualized insights. They need to make GRC pervasive through automation, AI and frontline engagement; simplify risk-informed decision-making and seize opportunities versus simply mitigating risk.
As I build our presence in the region, I am excited by our customer stories. Of how our solutions have solved complex challenges to quantify cyber risks and prioritize investments; increase collaboration by breaking down risk, compliance, and audit silos; enabled the frontline to surface issues in real time and help create a compliant, risk-aware culture across enterprises that empowers our customers thrive on risk. All of this with the strong foundation of a single integrated risk platform that is layered with advanced analytics and AI.
As a leader in GRC and Integrated Risk Management solutions we must capitalize on today’s greatest changes and identify emerging trends. Environmental, Social and Governance (ESG) is an emerging trend, and we think about it as part of GRC reporting. Innovation is more essential than ever. We need to offer our customers products that solve problems and keep them profitable and ahead of the competition.
As our business scales, our network of partners is critical to delivering an exceptional customer experience anywhere in the world. We are set to increase our pace. I am looking forward to working closely with customers, partners and MetricStreamers to empower our customers to make real time risk-aware decisions that accelerate business performance, strengthen resilience, and enhance their brand reputation.
For all potential MetricStreamers, I promise it will be fun in making APAC, the fastest growing region in MetricStream!
Jump to Topic
Related Resources
Blogs
The moment of truth for Cyber Risk and Compliance
- Artificial Intelligence
- 16 February 21
3 min read
Introduction
The recent MetricStream IT Risk and Compliance Survey Report 2021 reveals a deep divide between IT Cyber Risk Management Strategy and Actual Practice.
______________________________________________________________________________
Since COVID-19, the pace of digital transformation has accelerated dramatically increasing our dependence on technology. Almost everything we do today is digital-first. Unfortunately, this has opened doors to new risks that can have wide-ranging consequences on business profitability and reputation. Today, companies need a clear understanding of their exposure, vulnerabilities, and potential losses related to every decision they make, in order to build and implement a concrete risk-based approach to cybersecurity. Decision-makers need faster and better risk visibility—which calls for an advanced, integrated, and automated IT GRC approach.
A couple of months ago, we decided to ask IT risk and cybersecurity practitioners from around the world some pressing questions on the current scenario – How effectively are IT and Cyber risks being managed? How mature are risk assessments and monitoring processes? Who is leading IT and cyber risk programs? And how robust are the tools being used?
As it turns out, the pandemic is likely to trigger a surge in IT and cyber risk investments where key focus areas include IT security solutions and regulatory compliance, evidences the latest insights gleaned from hundreds of companies that participated in our MetricStream IT Risk and Compliance Survey 2021.
A look inside the report:
The key areas of consensus among those who took part in the research, lead to the emergence of several broad themes. Here are some of them:
1. Risks are evolving; compliance violations remain top of mind.
To find out what keeps security and risk professionals up at night, MetricStream asked what risks and threats their organization faced in the last two years. “Denial of Service” took the top spot, followed closely by “Compliance violations and regulatory actions.” Taking third was “Spoofing of company social media.”, reported AiThority.
2. IT risk programs have executive visibility; the majority are not driven by the CISO.
The survey shows that 70 percent of respondents agree that their senior management and leadership help establish the strategic direction of their IT risk management program. However, only 29 percent of respondents say that their IT risk program rolls up to the Chief Information Security Officer (CISO), reported Continuity Central in their article, ‘Survey looks at IT cyber risk management trends’.
“First, this report can help CISOs and compliance officers really understand how the pandemic transformed IT risk…CISOs have to think about how to keep corporate systems working — in a secure manner, and in compliance with all the usual regulatory requirements — in a much more loosely controlled IT environment. Even a task as simple as tracking all the IT devices accessing your data becomes much more complicated,” notes Radical Compliance, in their article Thoughts on IT Risk Management featuring key findings from the Survey.
3. Most IT risk programs have yet to reach optimal maturity.
When asked about the maturity level of their IT risk programs, 69 percent of respondents stated that they are not quantitatively managing their IT risk program. Furthermore, 31 percent of respondents report having IT risk assessment reviews on a quarterly basis. Only 15 percent stated having monthly reviews, highlighted yahoo!finance while featuring the report.
4. The number one tool used for IT risk management – spreadsheets.
Dark Reading while covering the report highlights, “When asked what tools are used for IT risk management, the number one response was spreadsheets. More than 45 percent of respondents reported using spreadsheets, even if they had an IT GRC solution in place. Moreover, 54 percent stated not using any IT GRC solution to manage IT risks.”
5. Investment in security and compliance are top risk priorities for 2021.
When asked about future plans, 38 percent of respondents stated that they are planning to increase their spend on IT risk management in 2021. Additionally, respondents ranked their top 2021 priorities to be: 1) investment in IT security solution, 2) compliance with federal and government regulations, and 3) IT security data aggregation and reporting, informed Cision Newswire while highlighting the key findings in the survey.
“Most security and risk professionals know that IT security is like a chain; you are only as strong as the weakest link,” said Gaurav Kapoor, COO, MetricStream. Overall, we can hope that the more organizations prioritize and invest in IT and cyber risk management, the better prepared they will be to deal with both the opportunities and threats of operating in an increasingly digital world. Access the complete report here.
Jump to Topic
Related Resources
Blogs
Through the GRC Lens – February 2020
- Artificial Intelligence
- 13 March 20
4 min read
Building a Future of Trustworthy AI
The European Commission recently unveiled its long-awaited proposal to regulate artificial intelligence (AI). But will the new proposal stifle innovation? Find out more through the GRC Lens – February 2020 edition.
_____________________________________________
On the 19th of February, the European Commission (EC) President, Ursula von der Leyen, Executive Vice-President, Margrethe Vestager and EU Commissioner for Internal Market, Thierry Breton, held a press conference at the European Commission headquarters in Brussels, unveiling their ideas and actions to regulate AI.
Keen on building “a digital Europe that reflects the best of Europe,” the EC released a white paper on AI that defines an extensive framework under which AI can be developed and deployed across the EU. The paper includes considerations to govern high-risk use of AI like facial recognition used in public spaces, with an overall ambition to shape Europe’s digital future”.
The proposal still has a long way to go. For now, the EC plans to gather opinions and reactions from companies, countries, and other interested parties before they begin to draft the laws. And although the AI white paper is open for suggestions until May 19, lobbying has already begun.
Worried AI Vendors: Will Regulation Stifle Innovation?
Although many AI experts have said that the regulation of AI is necessary, especially due to ethical concerns, there is considerable worry around the consequences of regulation. Europe’s new proposal has already had far-reaching implications on the big tech brands that have invested in AI. After the EC declared a 12-week discussion period, several tech leaders from large organizations have journeyed to Brussels to meet with EU officials.
Their major concern – will tough laws hinder innovation?
AI vendors are worried that if the process of regulation, considered a slow process that can be subject to interference and distortion, is applied to a fast-moving field like AI, it can stifle innovation and divert the technology’s enormous potential benefits.
To illustrate this concern, a recent article in Analytics India Magazine, used the example of neural nets to explain how the regulation of AI could possibly hamper innovation. Neural networks work by finding patterns in training data and applying those patterns in new data, enabling researchers to solve problems that they couldn’t earlier.
For instance, CheXnet, an AI algorithm from Stanford, has an incredibly powerful ability to detect pneumonia among older patients through chest X-rays. But for technologies like these to work, they need a certain amount of creative and scientific freedom (within ethical boundaries, of course). If there is a ban on “black box” AI systems that humans can’t interpret, could AI innovation be impacted?
Another area of confusion revolves around the definition of “high-risk” applications of AI. The report seems to be unclear about high-risk applications in low-risk sectors, leaving companies uncertain on how to approach this issue.
The Need for AI Regulation: Consumer Protection
There is no doubt that AI has enormous potential to be used for good. But its accelerating adoption across industries comes with multiple ethical concerns.
According to a survey by KPMG, 80% of risk professionals are not confident about the governance in place around AI.
What happens when decisions are made by AI without human oversight? Recent instances have shown that automated decision-making can perpetuate social biases. In addition, deep fakes, surveillance technology, autonomous weapons, and discriminatory HR recruiting tools come with multiple serious risks. The focus of AI regulatory authorities is on developing frameworks to govern AI.
Like Anna Fellander, Co-founder of the AI Sustainability Center, said at the GRC Summit in London, “It’s no longer just about what AI can do, but what it should do.” In a similar vein, Andreas Diggelmann, “Office of the CEO,” Interim CEO and CTO at MetricStream said, “We need technology that serves humanity, not the other way around.”
Looking Forward to Trusted AI
AI expert Ivana Bartoletti, Technical Director, Deloitte – Cybersecurity and Privacy Division, speaking at Impact 2020 conference, said: “The reason why we’re talking so much about ethics in AI is over the last few years we have seen the best of technology – but also the worst.”
With its novel approach to AI regulation, the EC wants to promote the development of AI while respecting human fundamental rights and addressing potential risks that come with the technology. The EC wants a digital transformation that works for all, reflecting the best of Europe: open, fair, diverse, democratic, and confident.
The new AI proposal has already begun to receive acceptance in some industries. Ted Kwartler, Vice President, DataRobot, said the vendor welcomes calls for regulatory approaches that don’t stifle innovation. Christopher Padilla, VP, Government and Regulatory Affairs, IBM, also was reported saying in Protocol, “By focusing on precision regulation — applying different rules for different levels of risk — Europe can ensure its businesses and consumers have trust in technology.”
It appears now that big tech companies that want to tap into Europe’s market will have to play by the rules that come into force. Like the GDPR in 2018, will the new AI proposal inspire similar, tough regulatory action in other parts of the world? Read the MetricStream Blog to stay updated on more news.
Jump to Topic
