Other parts of this series:
Risk considerations during strategic planning
Organizations need to consider and reassess risk throughout the strategic planning and Agile development lifecycle to /monitor the risks posed by adopting new digital technologies (e.g., cloud, artificial intelligence, robotic process automation) are identified and controlled. As part of strategic planning, business leaders in the first line of defense should involve Technology, Security, Risk, Legal, and Compliance experts to /assess/analyze which technologies to adopt for long term strategic advantage and cost minimization. Simultaneously, internal technology experts and business control partners should help the business assess the risks associated with these technologies considering: 1) pace of adoption required, 2) the expertise required to implement, maintain, and monitor each application, 3) ability of business functions to realize the benefits of technology adoption, 4) ethical and reputational implications of technical configurations, and 5) internal and external inherent risks and controls management.
Before making strategic commitments, business leaders should consider the organization’s readiness (e.g. op model, capacity, talent) to identify and control these risks in line with the organization’s risk appetite and drive risk-based decisions. In a recent study, “Only 49% of risk teams believe their teams are “fully capable” of assessing risks associated with their business’s adoption of cloud. Fewer risk teams believe they are fully capable of assessing risks associated with their business’s adoption of artificial intelligence (34%), blockchain (32%), and robotic process automation (28%) 1 .” A primary program that can help drive risk identification and evaluation across business and technology for financial services organizations is the OCC required ‘New, Modified, or Expanded Bank Products and Services’ program, also commonly known as ‘New Business Initiative (NBI) Management’. This program helps banks practice proactive risk management over large transformational projects 2 .
Incorporate risk identification and controls into design and testing
Once a strategic commitment is made to deploy, first line leaders need to engage their Technology, Security, Risk, Legal, and Compliance partners to broadly identify the risks associated with application configurations and to design controls to identify and manage these risks prior to moving to the development phase. It is good practice to maintain risk and security requirements in the design process to provide reasonable assurance that risk is minimized from the start. It is critical for organizations to fully identify all the risks within a configuration ecosystem, not just the usual operational and IT risks, but also other risk types such as business continuity, reputational, third-party, data privacy. For instance, organizations designing cloud-based services should consider malware and data breach risks associated with the move to a cloud-based services provider. Organizations considering adopting AI-based analytics and models, should consider unintended bias risk stemming from the data sets used to build the AI algorithm. For example, lack of quality control in development and the inherent human error bias in programmers may equate to gender/racial bias and inequality. 3 For each identified risk, the business and their control partners should design the controls in place to mitigate the risk, the metrics for measuring control performance and the acceptable residual risk levels based on the organization’s risk appetite. These metrics will then be used to monitor and manage risk throughout the product lifecycle.
During the development phase, businesses need to leverage the expertise of risk and technology experts to confirm that tests are executed to identify any unintended risks, and account for adequate controls to be implemented prior to release. For example, testing for AI-based models should incorporate out of sample data testing and statistical analysis to models are working as expected and are not producing unintended results. If biases are found in an AI-based model, then the controls in the model development process need to be examined and strengthened.
Confirm and monitor control effectiveness and upskill organization on risks
When new technology is released into the production environment, the business and Technology organization /should work together to confirm a transition of risk ownership from development to the operations environment and that threats are controlled for pre and post release, or as appetite allows, that vulnerabilities are in an active remediation plan. Should issues arise at any stage during the implementation which exceed risk and control metric thresholds, plans should be made for responding or resolving them timely (e.g. through rollbacks, QA testing, replanning). As part of production release planning, businesses should partner with Learning and Technology partners to upskill the organization on risks related to implementing and applying new technologies, particularly cybersecurity risk and reputational risk as technology is customized for use and implemented.
Despite the overwhelming advantages of ML/AI technology applications in financial services, banks are expected to remain under the scrutiny of their regulators and their own control functions. As mandated by the Federal Reserve, “organizations should be attentive to the possible adverse consequences (including financial loss) of decisions based on models that are incorrect or misused, and should address those consequences through active model risk management.”4, 5
As an organization’s technology environment is enhanced with new digital technologies, first line leaders /should /confirm/verify that residual risk for each technology change is in line with expectations and controls are working as expected. Controls and residual risks associated with new technologies should be incorporated into standardized risk dashboards and businesses should continually monitor, assess, and report on these risks across all three lines of defense. New risks and controls should also be added to existing taxonomies, and identification, testing, monitoring routines. For example, when an RPA solution is deployed, maintenance and support key activities are identified and implemented by an organization as follows: Bot Performance Monitoring and Scheduling, Incident Management, Production Change Management, Business Continuity Attestations, and Source Code and Change Controls.
In the next blog, we will discuss how the second line risk and Compliance organizations can evolve to better manage emerging risks from new digital technologies that are adopted by the first line.
- “Accenture 2021 Global Risk Management Study”, Accenture, July 14, 2021 Access at: https://www.accenture.com/_acnmedia/PDF-159/Accenture-2021-Global-Risk-Management-Study2.pdf#zoom=40
- “New, Modified, or Expanded Bank Products and Services: Risk Management Principles”, Office of the Comptroller of the Currency, October 20, 2017. Access at: https://www.occ.treas.gov/news-issuances/bulletins/2017/bulletin-2017-43.html
- “The Benefits and Risks of AI”, Accenture, September 7, 2021. Access at: https://financialservicesblog.accenture.com/the-benefits-and-risks-of-ai
- “SR 11-7: Guidance on Model Risk Management,” Board of Governors of the Federal Reserve System, April 4, 2011. Access at: https://www.federalreserve.gov/supervisionreg/srletters/sr1107.htm
- “Emerging Trends in the Validation of Machine Learning and Artificial Intelligence Models”, Accenture, November, 2017. Access at: https://www.accenture.com/_acnmedia/PDF-114/Accenture-Emerging-Trends-in-the-Validation-of-ML-and-AI-Models.pdf