Navigating Third-Party Risk Management: An EU & UK Perspective

The structures and realities of business today have changed. Traditional brick-and-mortar business is outdated: physical buildings and conventional employees no longer define the organization. The modern organization is an interconnected web of relationships, interactions, and transactions that span traditional business boundaries. Layers of relationships go beyond traditional employees to include suppliers, vendors, outsourcers, service providers, contractors, subcontractors, consultants, temporary workers, agents, brokers, dealers, intermediaries, partners, and more. Complexity grows as these interconnected relationships, processes, transactions, and systems nest themselves in intricacies, such as deep supply chains and subcontracting relationships. Roaming the hallways of an organization means crossing paths with contractors, consultants, temporary workers, and more. Business today relies and thrives on third-party relationships; this is the extended enterprise.

The European Union and the United Kingdom stand at the forefront of global trade and business partnerships. However, with increasing interconnectivity comes the challenge of managing third-party risks. For companies headquartered, operating within these jurisdictions, or in the supply/value-chain of companies that do, understanding and mitigating these risks is not only crucial for resilience but also for compliance.

The Essence of Third-Party Risk Management

Third-Party Risk Management (TPRM) involves . . .

[The rest of this blog can be read on the Diligent blog, where GRC 20/20’s Michael Rasmussen is a guest author]

How to Keep Up With Regulatory Change

The healthcare sector is ensnared in a relentless vortex of risk and regulation amid unanticipated disruptions and transformations. Navigating through this dynamic environment, healthcare entities grapple with a myriad of compliance obligations and frustrations that encompass patient safety, privacy, information security, operational practices, service delivery, billing protocols, and electronic medical records management.

Maintaining steadfast compliance and risk mitigation during times of smooth operation is challenging enough; doing so amid continuous change magnifies the challenge exponentially. Healthcare organizations frequently approach risk and compliance separately with a disjointed strategy that relies heavily on isolated documents, spreadsheets, emails, or outdated solutions, inadvertently escalating the cost, complexity, and risk of ensuring compliance.

Some of the compliance struggles within healthcare include . . .

[The rest of this blog can be read on the SimpleRisk blog, where GRC 20/20’s Michael Rasmussen is a guest author]

ESG, Compliance, and Resilience in the Extended Enterprises: Navigating Supplier and Vendor Relationships

In the modern business landscape, enterprises are increasingly intertwined through complex networks of suppliers, vendors, and other third-party relationships. While this extended enterprise system brings immense benefits, like specialization and economies of scale, it also introduces challenges in terms of ESG, compliance, and operational resilience. As organizations lean more heavily on their external partners, ensuring that these partners share values, meet regulatory requirements, and can withstand potential disruptions becomes paramount.

Compliance isn’t just about adhering to laws and regulations. In the realm of supplier and vendor management, compliance also encompasses. Resilience is about how your extended enterprise responds to unforeseen challenges. Recent global events have shown that disruptions can arise rapidly, from pandemics to geopolitical tensions. A resilient supplier and vendor network can mean the difference between continuity and chaos.

It’s crucial that partners have congruent ESG objectives, commitments, values, and standards. When an organization’s suppliers and vendors comply with shared values and standards, there’s less risk of reputational damage, financial loss, or operational disruptions. Increasingly, consumers and stakeholders demand that businesses act responsibly. Ensuring that your suppliers and vendors also uphold these standards can cement your reputation as a responsible enterprise. With digital resilience, protection, and other privacy regulations taking center stage, it’s vital that your partners treat data and processes with the care and respect they demand. Any breach on their part can have ripple effects, damaging trust and possibly resulting in hefty fines. One CIO was recently personally fined £80 million for a third-party risk/resilience failure.

Organizations need to consider . . .

  1. Diversify Supplier Bases: Don’t put all your eggs in one basket. By diversifying, you reduce the risk of a single point of failure.
  2. Regularly Review and Update Resilience Plans: Make sure every stakeholder knows their role in case of disruptions. This should include communication protocols, resource allocations, and backup suppliers.
  3. Invest in Technology: Modern supply chain technologies, like blockchain and AI, can provide real-time insights, helping to identify potential choke points and ensure smoother operations.

Organizations globally are gearing up to respond to a whole range of EU regulations and UK regulations/laws that impact this intersection of resilience, ESG, compliance, and the extended enterprise.  

  • EU Corporate Sustainability Reporting Directive (EU CSRD)
  • EU Corporate Sustainability Due Diligence Directive (EU CSDDD)
  • EU Corporate Sustainability Reporting Standard (EU CSRS)
  • EU Digital Operational Resilience Act (EU DORA)
  • EU Cybersecurity Resilience Act (EU CRA)
  • Germany’s LkSG (Supply Chain Due Diligence Act)
  • UK FCA/PRA/BoE Operational Resilience Act
  • UK Senior Manager Regime/Certification Regime (SMCR – a CIO was personally fined £80 million for a third-party risk/resilience failure)
  • UK Governance Code (UK SOX, recently proposed revisions . . . which require resilience statements and a focus on ESG)

Many firms in the USA and the rest of the world have to respond to these laws. If your clients/prospects are anywhere in an EU supply/value chain, then many of these apply to them. Just the first three on Corporate Sustainability (what I call the EU ESG Trifecta as they all work and support each other) impact 50,000 firms directly, but exponentially many more in vendor and supplier relationships. There is a lot of movement right now on EU DORA as organizations become aware that it has a very broad net, including anyone that services and supports the financial services industry, with a lot of downstream impact.

Organizations must understand that their reputation, operations, and success are deeply linked to their extended enterprises to truly thrive in today’s interconnected world. By ensuring compliance and resilience in supplier and vendor relationships, businesses safeguard their operations and position themselves as trusted partners in an increasingly complex ecosystem.

Ultimately, these relationships aren’t just about transactions but trust, collaboration, and shared growth. As we look toward the future, organizations prioritizing these values will undoubtedly stand out as leaders in their respective industries.

Here are some of the events GRC 20/20 is involved in on this topic over the next few months . . .

September 14th Webinars

September 18th Webinar

September 20th Webinar

September 25th Workshop in London 

September 26th Seminar/Roundtable in Amsterdam

October 10th Webinar

Challenges in GRC and the Business Case of GRC Technology

Governance, Risk, and Compliance (GRC) isn’t merely a buzzword but an essential strategy and framework (OCEG GRC Capability Model) for corporations to succeed in today’s complex and dynamic business environment. With increasing risks and regulations, it is evident that businesses require an effective GRC strategy. But while understanding the importance of GRC is one thing, effectively implementing and managing it is another challenge altogether.

The Challenges in GRC . . .

[The rest of this blog can be read on the CAMMS blog, where GRC 20/20’s Michael Rasmussen is a guest author]

Managing Risks, ESG, and PFAS in the Extended Enterprise

In John Donne’s famous line, “No man is an island, entire of itself; every man is a piece of the continent, a part of the main,” the seventeenth-century poet’s words are startlingly relevant to modern businesses. Translated into contemporary terms, it suggests, “No organization is an island unto itself; every organization is a piece of the broader ecosystem.”

The architecture of today’s business landscape has vastly changed, making the notion of self-contained entities antiquated. Traditional brick-and-mortar businesses, defined by physical locations and in-house employees, have transformed into intricate networks. The modern organization is now an elaborate, interconnected web of relationships that extends far beyond standard employment to include a multitude of third parties—such as suppliers, vendors, outsourcers, service providers, contractors, subcontractors, consultants, temporary workers, brokers, and partners. This growing complexity is evident in multilayered supply chains and subcontracting relationships, making it clear that the concept of an “extended enterprise” has evolved from a theoretical construct to a business imperative.

Navigating this web of relationships comes with its own set of challenges, particularly in governance, risk management, and compliance — GRC. Traditional siloed approaches to managing third-party risks and compliance are insufficient; they do not capture the holistic impact on an organization’s objectives or the interconnected nature of modern risk. A failure in third-party governance can lead to catastrophes that reverberate across an organization, damaging both its reputation and bottom line. Be it issues related to delivery timelines, ethical conduct, privacy measures, quality control, human rights, resiliency, corruption, or environmental sustainability, the organization bears ultimate responsibility.

This interconnectedness becomes even more complex when considering Environmental, Social, and Governance (ESG) criteria and the inclusion of per- and polyfluoroalkyl substances (PFAS) in the supply chain. ESG standards focus on a company’s broader impact on society, the environment, and governance practices. Misalignment of ESG criteria within the extended enterprise can expose organizations to reputational and financial risks that are often difficult to quantify but devastating in impact. For instance, if a supplier is found to be in violation of environmental norms, the onus falls upon the company to rectify. It may result in the severance of critical business relationships.

Similarly, the inclusion of PFAS, a group of man-made chemicals used in a wide range of products from textiles to packaging, in the supply chain complicates risk management due to evolving regulations and increasing public scrutiny and legal liability over their health and environmental implications. Organizations must ensure that their third-party partners align with regulatory and organizational standards regarding PFAS, demanding a more intricate and rigorous governance process.

In recent conversations with a global hospitality firm, a global pharmaceutical firm, and a global food and beverage firm . . . they all listed ESG risks, particularly under Germany’s LkSG and now the EU CSDDD, as their number one third-party/supply-chain risk. They each listed PFAS as their second greatest supply chain risk.

Given the amplifying nature of risks—akin to the ‘butterfly effect’ in chaos theory, where a small event can lead to substantial consequences—businesses require a strategically integrated approach to third-party governance, risk management, and compliance (third-party GRC). The disparate data and fragmented insights yielded by a traditional department-centric approach inadequately address the nuanced complexity of today’s organizational ecosystem. Instead, companies need an integrated strategy, processes, and architecture that allow for real-time risk intelligence and comprehensive situational awareness across all third-party relationships.

In conclusion, the fabric of modern business is woven with threads of myriad third-party relationships. For organizations to reliably achieve their objectives, effectively manage uncertainty, and act with unassailable integrity, it is essential to harmonize governance, risk management, and compliance across the extended enterprise. This calls for a robust, integrated strategy that manages and anticipates the complexities and interconnected risks of our modern business landscape. This is only delivered on a robust third-party risk intelligence and management platform.

Rethinking Compliance & Ethics Management in the Era of ESG

In an era characterized by ethical, social, and regulatory challenges, many organizations are finding it difficult to navigate the complex maze of compliance, particularly in an ESG context. The daily news cycle frequently highlights companies falling short of regulatory expectations, painting a picture that corporate ethics is often judged by what firms do when they believe no one is watching.

Understanding the Compliance Conundrum

Compliance is not a one-size-fits-all endeavor. The larger and more global the organization, the more intricate its operational dynamics and associated compliance responsibilities become. In the ever-evolving corporate landscape, elements such as employee turnover, expansion into new markets, product launches, and changing regulations reshape the business environment constantly.

For compliance and ethics programs, this ever-shifting landscape poses unique challenges. As businesses grow and develop diverse partnerships—be it vendors, consultants, or expanding their supply chain—their compliance risk magnifies exponentially. Thus, there’s a pressing need for systems that vigilantly monitor both internal and external compliance risks.

Dismantling Compliance Silos

The age-old practice of managing compliance within isolated silos and manual processes is a recipe for disaster; failure is inevitable. This fragmented approach:

  • Promotes Redundancy. The organization wastes time and resources on redundant tasks using unique processes and approaches for each compliance function.
  • Reduces Visibility. Different departments may use various methods for compliance checks, making it hard to have a holistic view of enterprise-wide compliance risks.
  • Compounds Complexity. Non-uniform processes introduce ambiguity and confusion, leading to increased compliance and ethical risks, as well as gaps in compliance.
  • Diminishes Agility. With every compliance area following different and non-integrated approaches, the organization finds it hard to pivot quickly in the face of change.
  • Elevates Compliance Risk Exposure. By only focusing on immediate function needs and ignoring enterprise-wide interdependencies, businesses inadvertently create more compliance exposure and it impacts the ethical culture of the organization.

Rethinking Compliance Management

While many organizations are diligent about meeting legal and compliance obligations, the realm of compliance is rapidly transforming. It’s not just about addressing legal requirements but acting as the pillar of corporate integrity. Today’s compliance is evolving beyond ticking regulatory checkboxes to championing corporate integrity. As a result, compliance departments are being granted greater autonomy and are increasingly reporting directly to CEOs or boards, especially in highly regulated sectors.

This shift means compliance teams need to be well-versed with the organization’s ethical, regulatory, and cultural risks, particularly in an ESG context. Relying on strong, integrated processes will ensure that compliance measures are both effective and efficient. For today’s businesses, it’s paramount that compliance isn’t just a written policy but embedded into daily operations. A robust compliance program should prioritize risks that pose the greatest threat to the organization’s values and ethos.

In summary, traditional compliance approaches are no longer viable. Boards are keen to understand the organization’s compliance framework, its efficacy, and its contribution to enhancing shareholder value. Modern challenges necessitate a comprehensive compliance program, one that is firmly rooted in integrated processes and transparent information.

Addressing GRC in Complex, Distributed & Autonomous Environments

Gone are the years of simplicity in business operations. Organizations today are evolving into more complex, distributed, and autonomous entities. While this evolution ushers in unprecedented growth and opportunities, it has also introduced challenges in ensuring consistent governance, risk management, and compliance (GRC). The digital age, characterized by its interconnectivity and advanced technological infrastructures, adds further challenges here while also making GRC solutions possible in complex, distributed, and autonomous environments. Today’s organizations can be a complex array of distributed and autonomous businesses that still need some level of coordination and reporting centrally.

The interconnectedness of risks and compliance requires 360° contextual awareness of integrated GRC within a business and across businesses. Some organizations have an operating model that allows subsidiaries and divisions autonomy but still needs centralized consistency and reporting. Professional service firms also engage diverse organizations in a consistent framework and methodology and look to do benchmarking across clients. Across these various businesses, organizations need to see the intricate relationships of objectives, risks, obligations, commitments, and controls. It requires holistic visibility and intelligence of GRC. The complexity of business necessitates that the organization implements an integrated GRC management strategy, process, and technology/information architecture that can allow distributed and diversified businesses to work autonomously but provide some consistency in management and reporting. 

Many organizations also require some level of autonomy within distributed businesses and operations while still providing centralized governance and reporting. This is also a need within professional service firms that manage a portfolio of clients in a GRC context. Organizations facing these challenges should look for technology that enables distributed and autonomous businesses to manage GRC in their context while still providing centralized governance, reporting, and benchmarking. The best reference to this is called Hub and Spoke™ GRC (note: this is a trademarked term by one vendor in the space, 6clicks, used with permission in this blog). This allows a master entity a framework for overall governance, risk management, and compliance control and engagement across a range of diverse, distributed, and sometimes autonomous entities with specific GRC needs and privacy and isolation requirements.

The use cases for this approach to GRC . . .

  • Conglomerates/global holding companies/diversified businesses which need to track and manage GRC activities across a range of disparate entities and businesses.
  • Private equity portfolios that own a range of companies and need insight into their portfolio companies in a GRC context.
  • Franchises (this one has come up a few times in the past few months), providing a consistent framework for GRC management and reporting across franchises.
  • Managed services/consulting/professional service firms that have established methodologies and services for GRC-related engagements across their portfolio of clients. 
  • Insurance companies that must manage their brokers’ compliance (and other GRC activities) where brokers/entities can be profiled and grouped, then managed consistently to meet regulatory obligations.
  • College/university campuses that house a range of entities that need to be governed in a consistent GRC context but also allow autonomy and independence. 
  • Hospital networks comprising a range of complex and diversified businesses that need consistent GRC frameworks applied in different contexts. 

As you can see, the various use cases can continue. Many modern organizations are characterized by complex, distributed, and autonomous structures that present unique challenges in ensuring consistent GRC. Addressing these challenges requires a strategic GRC technology architecture that few solutions deliver in the space. Organizations need to be very selective in evaluating solutions that address these scenarios; those that do will ensure their GRC survival and carve out a competitive advantage in today’s highly complex business environment.

Curious about the solutions that can deliver this? Submit an inquiry to GRC 20/20 Research through our market coverage of the range of governance, risk management, and compliance solutions available in the market.

Cognitive GRC: A.I. & Regulatory Change & Intelligence

One of the top inquiry areas for GRC 20/20’s market research is the role of Corporate Compliance and Ethics Management, managing the range of conduct, ethics, regulations/obligations, policies, and boundaries of the organization, particularly now in the era of ESG. We regularly get inquiries from organizations looking for solutions for policy management, hotline/whistleblower, case management, forms/disclosures, third-party compliance/risk, compliance assessments, and more.

A growing area for solutions for corporate compliance is in regulatory change management and regulatory intelligence. This is an area where the traditional approach of armies of subject matter experts is now automated with artificial intelligence. 

Managing and keeping up with regulatory change is one of the most significant challenges for organizations in the context of governance, risk management, and compliance (GRC). Managing the dynamic and interconnected nature of change and how it impacts the organization is driving strategies to mature and improve regulatory change management as a defined process. The goal is to make regulatory change management more efficient, effective, and agile as part of an integrated GRC strategy within the organization.

Regulatory change is overwhelming organizations. Many industries, like financial services, are past the point of treading water as they actively drown in regulatory change from the turbulent waves of laws, regulations, enforcement actions, administrative decisions, and more worldwide. Regulatory compliance and reporting is a moving target as organizations are bombarded with thousands of new regulations, changes to existing regulations, enforcement actions, and more each year.

In the past five years, the number of regulatory changes has more than doubled, while the typical organization has not increased staff or updated processes to manage regulatory change. According to Thomson Reuters, financial services had an average of 257 regulatory change events every business day in 2020, just in this one industry. In the past five years, the number of regulatory change updates impacting organizations has grown extensively across industries.

GRC 20/20 Research is seeing a steady pace of regulatory change management inquiries and research interactions, focusing on artificial intelligence in this context. In our market research, we have reviewed/evaluated many solutions in this space. Some solutions deliver real value, and some solutions claim A.I. but are stretching the term (anyone with some logic in a workflow claims it as A.I.), or it is the Wizard of Oz with the man behind the curtain doing the work as the A.I. tech is not fully baked and delivering. 

The best solutions deliver a lot of value in A.I. for regulatory change, with natural language processing, machine learning, deep learning, predictive analytics, generative A.I., and more. 

I am told that if you print off the entire UK FCA rulebook, it is a stack of paper six feet tall. Printing off the U.S. Code of Federal Regulations and laying it end to end would stretch longer than a marathon. Internal documents, like policies, are also a mess. One bank I built a business case for policy management for had one policy that took six months to get updated because of a regulatory change and went through 75 reviewers in a linear document check-in and check-out fashion . . . that certainly is not agile. Another bank states that if every branch printed the policy manual, it would be a stack of paper as tall as the Elizabeth Tower (Big Ben) in London.

A machine with natural language processing can read the US CFR or UK FCA rulebook in minutes. It would take me a year or more. But a machine can read it in minutes and direct, map, and categorize it in minutes. 

The Chief Ethics and Compliance Officer (CECO) I interacted with at a life sciences firm did some internal testing on A.I. for regulatory change management. They not only found that a machine was a ‘gazillion’ times faster at reading and mapping regulations, but they also found it was 30% more accurate/effective. Think about it: if we are going to read a lot of legal documents/regulations, and I mean a lot, looking for changes/updates . . . our minds are going to wander and think about the plans for dinner or the weekend, or how our favorite sports club is doing. We miss things where a machine stays on point.

There are a variety of use cases for A.I. in regulatory change management. Not one solution has all of this covered in detail, so it takes an architecture and often plugs into your favorite enterprise GRC platform for even broader value. These include:

  • Horizon Scanning. Using A.I. to monitor and evaluate pending legislation, proposed rules, changes in enforcement, speeches, and comments made by regulators to determine what we need to pay attention to that will be tomorrow’s concerns. 
  • Regulatory Obligation Library. Using A.I. to monitor the current situation of regulations, changes in regulations, comparisons of change (side-by-side markups), and notifications, all to keep the organization current with regulatory changes impacting the here and now.
  • Policy Management. This is mapping regulations and changes to your current policy library and leveraging A.I. to inform you what policies should be reviewed because of changes and suggest language for the update to address the change (generative A.I.).
  • Control Management. I worked on a large risk management RFP for a global organization a few years ago. Once they were done with that RFP, they looked to using A.I. to keep controls updated and current in their environment. They specifically leveraged Natural Language Processing to derive content-related information from local control descriptions. They then used Machine Learning to score quality and identify quality gaps in documentation. This enabled them to provide real-time feedback to control owners directly and indicate areas for improvement. They then did Scoring Reports & Dashboards to generate an overview of the documentation quality of ICS Principles in Business Units.

And this is just exploring the regulatory change management-related use cases of A.I. I also see a lot of interest in using A.I. for third-party risk management, from reading and comparing differences in policies/controls between an organization and a supplier/vendor to monitoring the range of third-party risk databases (e.g., ESG ratings, financial viability/corporate ratings, reputation and brand lists, watch lists, sanction lists, negative news, security ratings, politically exposed persons, geo-political risk, and more).

My job as an analyst is to research and understand the variety of GRC solutions (both very narrow and specific to broad platforms) and understand what differentiates one vendor from another and what is the best solution for an organization. 

In that context, GRC 20/20 covers the range of Cognitive GRC solutions available in the market, around the world, and in which industries . . . and knows which are real and provide value, and which are ‘the Wizard of Oz.’

Navigating Risk and Resilience: Balancing Complexity and Cost in GRC Solutions

Complexity & Costs: Key Points of Consideration in Selecting a Solution

When it comes to operational resilience and continuity, as well as broader GRC, many solution options are available in the market. Selecting the right solution is critical as many choices lead organizations down the road of complexity and cost, not just in implementation but also in ongoing maintenance, management, and user experience. Organizations need operational resilience and continuity solutions that are highly efficient (in both human capital and financial capital), effective, and agile to the needs of dynamic and distributed businesses.

It used to be that the dividing line between agile solutions with lower implementation and maintenance costs was whether the solutions were cloud-based (e.g., SaaS) or on-premise. This is not the case anymore, as some . . .

[The rest of this blog can be read on the CLDigital blog, where GRC 20/20’s Michael Rasmussen is a guest author]

When A.I. (Artificial Intelligence) Fails . . .

This blog is an excerpt from GRC 20/20’s latest research paper, READ MORE in: A.I. GRC: The Governance, Risk Management & Compliance of A.I.

A.I. technology and models are used across industries to analyze, predict, generate, and represent information, decisions, and outcomes that impact operations and business strategy. A range of departments, functions, and roles are beginning to rely on A.I. as a critical foundation of business processes that support operations, long-term strategic planning, and day-to-day tactical decisions.

A range of A.I. technology spans predictive analytics, machine learning, deep learning, natural language processing, and robotic process automation to the new era of generative A.I. Within these various approaches, there are three core components:

  • Input Component. Delivers assumptions and data to a model.
  • Processing Component. Analyzes inputs into predictions, decisions, and content. Within A.I. systems there is often a continuous learning component/engine, which sets it apart from conventional data processing systems.
  • Reporting/Output Component. Translates the processing into useful business information.

While the common understanding of models is that they have three components – input, processing, and reporting/output – the reality is that there are multiple parts to each of these component areas. Multiple components within input, processing, and reporting connect to each other and have an array of assumptions, data, and analytics. Adding to this complexity are the human and process elements intertwined throughout the business use of A.I. that weave together various manual processing and technology integration elements needed to use and interpret A.I. As the environment changes, A.I. models themselves have to change to accurately represent the world in which they exist.

Models are used to represent scenarios and produce outcomes through inputs of values, relationships, events, situations, expressions, and characteristics. This is defined as the ‘input component’ of a model. The real world is a complex web of interrelationships and variables of significant complexity and intricacy that models cannot fully represent. Inputs are a simplified abstract of the real world used to process and report on quantitative estimates in outcomes. The challenge is that bringing in wrong assumptions, bias, and bad (or incomplete) information is compounded with the complexity of variables in the real world, and models can fail in their validity and reliability and by their inability to process any variables that sit outside their input scope. Validity speaks to accuracy whereas reliability speaks to repeatability. Something can be very reliable but not at all accurate. There is a risk that complex models lose both validity and reliability as the focus shifts from analyzing the impact of key critical variables to the fragile interaction and relationship of a variety of variables. They will reliably provide an outcome, but it will increasingly not be accurate or valid.
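To make the validity/reliability distinction concrete, here is an added example in Python; it is not code from the research paper or from GRC 20/20. It measures validity as agreement with ground truth (accuracy) and reliability as agreement of a model with itself across repeated runs, for a deterministic rule calibrated to an environment that has since moved (reliable but no longer valid) and for an unstable model with the right boundary (valid on average but not repeatable). It also wraps a model so that inputs outside its calibrated scope are flagged rather than confidently labelled. The records, the toy models and the flip pattern are constructed assumptions for illustration.

```python
"""Validity vs. reliability of a model's outputs, on constructed data.

Added example, not code from the original article. Validity is measured as
agreement with ground truth (accuracy); reliability as agreement of the model
with itself across repeated runs on the same input. The records, the toy
models and the thresholds below are constructed assumptions.
"""
from typing import Callable, Dict, Optional, Sequence, Tuple

Record = Tuple[int, int]  # (input value, true label)

# Constructed ground truth: the true decision boundary is currently at 50.
RECORDS: Sequence[Record] = [(x, int(x > 50)) for x in range(0, 100, 5)]


def validity(model: Callable[[int], Optional[int]], records: Sequence[Record]) -> float:
    """Accuracy: share of records where the model's label matches the truth.
    An out-of-scope answer (None) counts as not valid for that record."""
    correct = sum(1 for x, truth in records if model(x) == truth)
    return correct / len(records)


def reliability(model: Callable[[int], Optional[int]], records: Sequence[Record],
                runs: int = 5) -> float:
    """Repeatability: share of records where all repeated runs give one label."""
    stable = sum(1 for x, _ in records if len({model(x) for _ in range(runs)}) == 1)
    return stable / len(records)


def stale_threshold_model(x: int) -> int:
    """Deterministic rule calibrated to an old environment (boundary at 80).
    It is perfectly reliable, but since the real boundary moved to 50 it is
    no longer valid for inputs between 50 and 80."""
    return int(x > 80)


def make_unstable_model(flip_every: int = 3) -> Callable[[int], int]:
    """Model with the correct boundary but non-repeatable output.
    Flipping every n-th answer is a constructed stand-in for stochastic
    behaviour (sampling temperature, retraining between calls, and so on)."""
    calls = {"n": 0}

    def model(x: int) -> int:
        calls["n"] += 1
        label = int(x > 50)
        return 1 - label if calls["n"] % flip_every == 0 else label

    return model


def make_scoped_model(model: Callable[[int], int], lower: int,
                      upper: int) -> Callable[[int], Optional[int]]:
    """Wrap a model so inputs outside its calibrated range return None instead
    of a confident label: the model declares what it cannot process."""
    def scoped(x: int) -> Optional[int]:
        if not lower <= x <= upper:
            return None
        return model(x)
    return scoped


def assess(model: Callable[[int], Optional[int]], records: Sequence[Record],
           runs: int = 5) -> Dict[str, float]:
    """Report both properties side by side; a fresh model instance should be
    passed so the measurement does not depend on earlier calls."""
    return {"validity": validity(model, records),
            "reliability": reliability(model, records, runs)}


if __name__ == "__main__":
    print("stale rule   ", assess(stale_threshold_model, RECORDS))
    print("unstable     ", assess(make_unstable_model(), RECORDS))
    scoped = make_scoped_model(stale_threshold_model, 0, 100)
    print("out of scope ", scoped(150))  # None: input the model was never calibrated for
```

Run as a script, the stale rule reports validity 0.7 with reliability 1.0 (the same wrong answer every time for inputs between 55 and 80), while the unstable model reports the same 0.7 validity with reliability 0.0, which is why the two properties have to be tracked separately when governing a model.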

When A.I. Fails

Organizations are in the early stages of becoming highly dependent upon A.I. to support critical business processes and decisions. A.I. is now critical to many businesses. The expanding use of A.I. in the organization reflects how A.I. can improve business decisions. Still, A.I. comes with risks when internal errors or misuse results in bad decisions. 

Unfortunately, as much value as A.I. provides, it also exposes the organization to significant risk. Ironically, the A.I. tools often used to model and predict risk can be a significant risk exposure if not governed appropriately. A.I. model risk is the potential for adverse consequences from decisions based on incorrect or misused A.I. It leads to financial loss, poor business and strategic decision-making, legal and regulatory issues, and damage to an organization’s brand. For example, disclosing restricted information to “public A.I.” might be a risk as well when employees register and use tools like ChatGPT for business purposes. The most dangerous thing (moral hazard) for an organization is to have developed complete trust in what is being produced / delivered by A.I.

A.I. should be informing decisions and raising points for consideration rather than being solely relied on to make decisions – especially those that are business critical. A.I., inappropriately used and controlled, brings many risks to organizations.  These include:

  • Dynamic & Changing Environment. A.I. models are not static. In reality, new A.I. models and use are being added, old ones are retired, and current A.I. technology and models are constantly changing. Compounding this is the constant change in risk, regulations, and business that puts the environment that A.I. is supposed to represent in a constant state of flux. Organizations face significant risk when the environment changes, yet A.I. and its associated data inputs fail to evolve to represent the current environment. A.I. models that were accurate last year may not be accurate this year.
  • Lack of Governance & Control. The pervasive use of A.I. has also introduced what might be called Shadow A.I., a form of Shadow IT in which the line of business bypasses IT and uses technology that has not been approved. This increases risk through inappropriate and unauthorized use that exposes the organization.
  • More Than the A.I. Model-Processing Component. The use of A.I. is more than the A.I. model-processing component. It is an aggregation of components that span a variety of input, processing, and reporting functions that integrate and work together. This includes the overall A.I. modeling and use project. Organizations risk being fixated on the A.I. model-processing component alone while the many supplementary components undergo rapid changes that are not governed, and bad input data means bad decisions from A.I. The quality of A.I. depends upon the quality of the input data and the assumptions: errors in inputs and assumptions lead to inaccurate processing and outputs.
  • Errors in Input, Processing & Reporting. A.I. may have errors that produce inaccurate outputs without proper development and validation. Errors can occur throughout the A.I. lifecycle from design through A.I. use and can be found in any or all of the input, processing, and reporting components. With specific data, if that data is not annotated correctly, the outcome will always be wrong. These errors may be from the development of the A.I. model in its inputs, processing, and reporting or can be errors introduced through changes and modifications to the model components over time. Errors may also occur from the failure of A.I. to change with shifting business use and a changing business environment.
  • Undiscovered Model Flaws. It’s possible that an A.I. model will initially appear to generate highly predictive output, despite having serious flaws in its design/training. In this case, the A.I. solution may gain increased credibility and acceptance throughout the organization until eventually, some combination of data exposes the flaw. False positives are part of any predictive system but can be extremely convincing with A.I., leading to greater long-term reliance on a flawed model.
  • Misuse of Models. A significant risk is from A.I. that is used incorrectly. An accurate A.I. model will produce accurate results but lead the business to error if used for purposes the A.I. tech/model was never designed for. Organizations need to ensure that models are accurate and appropriately used. Organizations face risk when using and applying existing A.I. to new areas without validating A.I. in that context.
  • Misrepresentation of Reality. By their very nature, A.I. models are a representation of reality and not reality itself. A.I. models are simplifications of that reality and, in the process of simplification, may introduce assumptions and errors due to bias, misunderstanding, ignorance, or lack of perception. This risk is a particularly hot topic in generative A.I., which may draw on inaccurate data, but it applies across all A.I.
  • Limitations in the Model. A.I. models approximate the real world with a finite set of inputs and variables (in contrast to an infinite set of circumstances and variables in the real world). Risk is introduced when A.I. is used with inaccurate, misunderstood, missing, or misapplied assumptions that it is built upon.
  • Pervasiveness of Models. Organizations bear significant risk as A.I. can be used at any level without accountability and oversight. Anyone can acquire and/or access A.I. that may or may not serve the organization properly. Organizations struggle to identify A.I. being used not only within traditional business but also across third-party relationships. The problem grows as existing A.I. models are modified and adapted to new purposes. The original A.I. model developer in the organization often does not know how others are adapting and using A.I.
  • Big Data and Interconnectedness. The explosion of inputs and variables from massive amounts of data within organizations has made A.I. use complex across input, processing, and reporting components. The interconnectedness of disparate information sets makes A.I. models more complex and challenging to control. This leads to a lack of standardization, inconsistent use of data, data integrity issues across systems that feed into models, and data integrity within A.I.
  • Inconsistent Development and Validation. A.I. models are being acquired/developed, revised, and modified without any defined development and validation process. The role of audit in providing independent assurance on A.I. integrity, use, and fit for purpose is inconsistent and needs to be addressed in organizations.
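The "Dynamic & Changing Environment" risk above (a model that was accurate last year may not be accurate this year) is one a governance process can monitor rather than discover after the fact. As an added example that is not code from GRC 20/20 or from any vendor, the block below computes a Population Stability Index (PSI) between the distribution of a model input at validation time and the distribution seen in production later, and maps the score onto review statuses. The input samples, the single feature, and the PSI thresholds are all constructed assumptions; the thresholds follow the common 0.10/0.25 rule of thumb but are a policy choice.

```python
"""Population Stability Index (PSI) check for input drift.

Added example for this post (not GRC 20/20's or any vendor's code). Compares
the distribution of one model input at validation time with the distribution
seen in production; a PSI above the action threshold is a signal to re-validate
rather than keep relying on the model. Samples and thresholds are constructed.
"""
import math
import random

# Rule-of-thumb thresholds used in model risk reviews; exact values are a
# policy assumption, not a standard.
PSI_WATCH = 0.10
PSI_ACTION = 0.25


def histogram(values, edges):
    """Share of values in each bin defined by consecutive edges.
    Values outside the outer edges are counted in the first/last bin."""
    counts = [0] * (len(edges) - 1)
    for v in values:
        idx = 0
        while idx < len(edges) - 2 and v >= edges[idx + 1]:
            idx += 1
        counts[idx] += 1
    total = len(values)
    return [c / total for c in counts]


def psi(reference, current, bins: int = 10, eps: float = 1e-4) -> float:
    """PSI = sum((cur - ref) * ln(cur / ref)) over bins cut at reference quantiles."""
    ref_sorted = sorted(reference)
    n = len(ref_sorted)
    edges = [ref_sorted[int(i * (n - 1) / bins)] for i in range(bins + 1)]
    ref_pct = histogram(reference, edges)
    cur_pct = histogram(current, edges)
    total = 0.0
    for r, c in zip(ref_pct, cur_pct):
        r = max(r, eps)  # avoid log(0) when a bin is empty
        c = max(c, eps)
        total += (c - r) * math.log(c / r)
    return total


def classify(score: float) -> str:
    """Map a PSI score to a governance status."""
    if score < PSI_WATCH:
        return "stable"
    if score < PSI_ACTION:
        return "watch"
    return "revalidate"


def drift_report(reference, current) -> dict:
    """Score one input and return the figure a model inventory would record."""
    score = psi(reference, current)
    return {"psi": round(score, 4), "status": classify(score)}


def constructed_samples(seed: int = 1):
    """Constructed data: validation-time input, unchanged production input,
    and production input after the business environment has shifted."""
    rng = random.Random(seed)
    reference = [rng.gauss(50, 10) for _ in range(5000)]
    same = [rng.gauss(50, 10) for _ in range(5000)]
    shifted = [rng.gauss(62, 12) for _ in range(5000)]
    return reference, same, shifted


if __name__ == "__main__":
    ref, same, shifted = constructed_samples()
    print("unchanged:", drift_report(ref, same))
    print("shifted:  ", drift_report(ref, shifted))
```

PSI is a single-feature check and says nothing about whether the model's outputs are still correct; it flags that the inputs no longer look like the data the model was validated on, which is the trigger for the validation work the list above says is so often missing.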

The Bottom Line: A.I. is rapidly growing in variety, complexity, and use within organizations. It is quickly moving from a tactical focus to a strategic pillar that provides the infrastructure and backbone for strategy and decisions at all levels of the organization. Left ungoverned over time, the evolution of A.I. brings loss and potential disaster. Unfortunately, many organizations lack governance and architecture for A.I. risk management. Organizations need to provide a structured approach for A.I. governance, risk management, and compliance that addresses A.I. governance, lifecycle, and architecture, to manage A.I. and mitigate the risk it introduces while capitalizing on the significant value of A.I. when properly used.

This blog is an excerpt from GRC 20/20’s latest research paper, READ MORE in: A.I. GRC: The Governance, Risk Management & Compliance of A.I.