Why fast-moving AI will trash traditional risk frameworks
Enterprise risk managers face being outpaced by their competitors if they don’t move quickly to adopt artificial intelligence (AI).
Yet, traditional risk management frameworks, with lengthy procedures and strict oversight, can clash with the speed at which AI is evolving.
“If you try and apply standard risk management frameworks and procedures, you’re going to stifle innovation,” says Paige Cheasley, national technology practice leader at Gallagher.
“The risk would be, if it takes you six months to vet something like an AI project that you want to do, it’s possible [it will be] obsolete by the time you launch it,” Cheasley tells Canadian Underwriter at the RIMS Canada Conference in Calgary. She spoke in a RIMS session on artificial intelligence and cyber risk, and caught up with CU to discuss the highlights.
The fast speed of AI development requires risk managers to adapt their risk management tools to reap the benefits without failing or falling behind, she says.
Four steps to embracing AI
There’s a fine balance between moving too slowly to bring AI into your business and applying so much caution that your tool lacks the chance to improve.
“If you’re not going to get on board, you’ll fall behind. So [risk managers] have to [overcome] this by [creating] minimum frameworks, requirements and safeguards to make it so that they can quickly try, fail, or try different AI initiatives…and then implement them,” says Cheasley.
There’s a four-step outline companies can use to adopt third-party AI platforms effectively while moving quickly.
Step 1 is the identification phase. Risk managers must identify what the AI will be used for and equip staff with risk identification tools that make them aware of their AI risks.
“It’s twofold,” Cheasley says. “You can give them some awareness [of what to] watch out for, but also you get a sense of what they’re wanting to do, and then you can keep track to see if they they’re advancing with it.”
Next is the test and pilot stage.
Risk managers should “fast track AI pilot vetting so that they can quickly test and possibly fail or not, because there’s a high failure rate as well,” Cheasley says.
(Specifically, an MIT study found internally built AI solutions experience a failure rate three times higher than third-party AI adoption. That’s because companies try to avoid friction in their proprietary AI processes but inadvertently create a product that hasn’t experienced live issues that require management. When issues do arise, the AI fails to adapt.)
If the third-party AI needs to be implemented fast, risk managers will need to pre-establish their rules of engagement.
“[Are] you using it to help you write nice-sounding emails, or are you using it to diagnose X-rays? It depends on what you’re doing with it. You have to think about, from an insurance perspective, is it creating a new exposure for you?” Cheasley poses.
Step 3 is the development and implementation stage. Here, risk managers should ensure any agreement with their third-party AI contractor is ironclad and includes performance monitoring metrics.
“There’s that risk transfer contractually to the vendor, which gives more comfort to the underwriters,” Cheasley says.
Step 4 is continuous monitoring.
“AI is changing so quickly and advancing so quickly that something you’re thinking of now and concerned about now may not be a problem soon or [may become] a much bigger problem soon,” Cheasley says.
But risk managers can plan to mitigate future problems through “continuous monitoring and watching the evolution of your model,” says Cheasley, alongside “human oversight, proper safeguards, making sure your agreement with the vendor is very clear on who owns what, who’s data is where and what’s happening with [it].”
Doing that enables risk managers to protect themselves and their business, “and give…some sort of recourse against them if it’s not working as it should, or they’re not managing those risks that they’re supposed to be managing on your behalf.”
