Industry
Banking
Banking Services Transformation: Unlocking Exponential Value
Highlights
- While the development of GenAI is marked by complexity and uncertainty, it is evident that the emergent risk landscape requires targeted attention and that existing control frameworks must evolve to address its distinct and unprecedented risks.
- Non-financial risks (NFRs) need to be managed holistically and within an integrated framework by the financial institutions. Mitigating GenAI-driven non-financial risks also requires an adaptive control approach.
- Financial institutions need to prepare for future scenarios and worst-case possibilities that could develop. These will enhance preparedness, support informed decision-making, and serve as critical evidence of a truly integrated approach to risk management
In this article
In this articleinpage
Introduction
Controlling the machines – an integrated framework
In a developing regulatory landscape and with ongoing inter-governmental debate, the role of the risk function is critical. An ineffective risk function could result in uncontrolled development that exposes organizations to an unsustainable level of risk. Equally, an overzealous risk management approach may unnecessarily constrain and hinder competitive instinct and opportunities. Finding the sweet spot is key. In this article, we talk about this in the context of navigating the journey or applying the brakes. We explicitly consider the practical considerations in controlling framework development and the necessity for this to be pervasive at all levels throughout an organization.
Integration
Controlling the machines.
An integrated framework is required against that backdrop of complexity, diversity and uncertainty. We believe that NFRs should be managed holistically and within an integrated framework. That should exist top-down throughout an organization and as part of its business operating model and objectives. Without that, ownership is unlikely to embed, decisions are unlikely to be informed and a positive attitude towards risk is unlikely to exist. GenAI will significantly impact organizations and the risks arising are transversal and complex. Integrated management is therefore critical, and we see three correlated factors in its development.
Strategic objective/risk foundation
- The risk foundations for a business, within the boundaries of applicable regulations.
- Board-determined appetite statements and risk tolerance.
- Policies, standards, culture that provide the guardrails for managing the risks.
Drivers of risk
- The inherent risks within the business, depending on its strategy, e.g. product range, customer base, process complexity, market change.
- The influence of external events such as geo-political, tech development, competition, etc.
Control of risk
- Management of risks through integrated assessment, mitigation and assurance tools.
- Risk governance through accountabilities, ML, insights and informed decision making.
- Horizon scanning to ensure threat preparedness.
The overall risk position will be a result of the likelihood and impact of risk drivers occurring, and the effectiveness of control mitigants, monitoring and governance.
Alignment
CROs and risk functions are integral to ensuring organizational alignment
Strategic objectives and risk foundations
Organizations will face deep strategic questions as they develop their adoption of GenAI capability. With a regulatory backdrop that is live, boards will need their CROs to advise and be a significant influencer of the approach. We see that being achieved through three strands:
- Alignment with strategy.
- Setting risk appetite.
- Governance.
Alignment with Strategy
Considerations should include:
- Clarity on the business problems that GenAI will address.
- Impact on compliance with existing laws and regulations.
- Confidence in data sources that train AI models.
- Methods to assess and mitigate bias in AI models.
- A monitored approach against security threats.
- Development of ethical guidelines.
- Changes required to operational procedures and policies.
- The availability of necessary expertise to implement tech transformation and ongoing management.
- Contingency arrangements for system failure or bad decisioning.
- Supplier arrangements and exit strategies.
- Required evolution of risk frameworks and assessment.
- Training and education for staff.
Setting risk appetite
A single appetite measure or statement does little to help transversal themes such as GenAI. Instead, organizations should judge the impact on overall resilience and how much risk they are prepared to tolerate across operational processes, consumer impact, system security and reputation. Through appetite, the board should set its expectations across a range of threats amplified by GenAI.
- Data quality. To what extent are weaknesses and limitations in data input acceptable, recognizing the potential for downstream bias risk?
- Customer impact. The potential for harm, particularly at a time when there is heightened vulnerability amongst consumers.
- Disruption tolerance. This depends on the level of risk, service criticality, complexity of process (e.g. supply chains) and consumer/business impact if deficient. It includes security of AI systems against criminality.
- Model transparency. The extent of explainability required.
- Monitoring regularity. The assurance that tools are operating as designed. This is a constant process, itself using automation, as well as human input.
Governance
Given the inherent challenge in explaining and interpreting models and decisions, organizations should implement explicit governance and monitoring frameworks. This will enable:
- Clarity and agreement on limitations and assumptions.
- Visibility of performance metrics and ability to respond quickly where necessary.
- Approval process for use of GenAI in new situations.
- Representation of approach externally – e.g. customer transparency, regulatory notifications.
Risk driver analysis
The strategy, regulatory environment and appetite sets the guardrails for the organization. We have already discussed how some new threats manifest because of GenAI, but the extent of risk taken will then depend on a number of factors, such as product design, process complexity, transformation agenda and the external environment. These are key aspects of the business cycle where again risk considerations and influence are integral, with GenAI bringing new considerations.
- Inventory of products that have Gen AI dependency.
- Approval processes for new products.
- Ongoing KPI and strategic review process to ensure that operation is as expected.
- Ability to identify and manage customer vulnerability issues and/or impacts on particular demographics.
- Partnerships with external suppliers and the extent of an enterprise’s dependence on them. What level of criticality do they represent?
- Additional monitoring and defenses required to mitigate against malicious attacks.
- Implications for most critical business services, with regular testing to ensure they operate as designed.
- Ability to execute the extent of change required in introducing and embedding new technologies.
- Expertise to train/interpret models.
- Managing organization culture issues that may present such as staff readiness and training, implications for existing roles.
Underpinning these internally driven impacts are external factors, which will also influence the risk profile and are increasingly more prevalent:
- Events occurring elsewhere, prompting ‘could it happen here’ reviews – particularly malicious activity.
- Change in regulatory, governmental and public perceptions, either in financial services or wider industries.
- Continued development of even more advanced technologies.
These will prompt scenarios to be undertaken and response playbooks to be developed.
Controlling risk
GenAI applies a new lens to the existing risk profile. As we’ve explored, existing risks may be amplified, and new risks emerge. Existing frameworks are supportive but will need to adapt to be more dynamic. With the right top-down engagement on strategic alignment; risk appetite; and understanding the drivers of risk, it is possible to set the guardrails that allow controls to be applied. An absence of these may lead to deficient assessments, over-control and missed opportunities, or a perception of inadequate risk engagement.
Figure 1 - Management of non-financial risks
Control of risk through integrated and dynamic tools
- Enterprise-wide risk management framework and taxonomy.
- Underpinned by proportionate, expert, second line advice/oversights and third line assurance.
Figure 2 - Managing risks with integrated and adaptive tools
Enhancing Risk Assessment
In assessing risk, there is a need for different lenses to be applied. Some will be specific, for example identifying new cyber security patterns, and some will be thematic and require a holistic view , for example:
- The potential for bias can manifest itself in poor decisioning/consumer harm. Consider the operational processes and training etc. that can be built to minimize this.
- Interpretation – aligned with the challenge of explaining the workings, the ability to assess the plausibility of outcomes.
- Expertise required both in development and execution from a transformation perspective, to the ability to manage and interpret the model inputs and outputs.
- The overall regulatory landscape and broader reputational/ethical themes that are emerging.
- The reliance on third parties in all stages from development to ongoing management.
Enhancing Controls
New controls will be required, also using AI capability. This will enable more continuous monitoring, and include:
- Bias – e.g. loan approvals across demographics.
- Interpretation – e.g. credit decisions that are explainable and compliant.
- Models – customer sentiment tracking against thresholds.
- Anomalies – monitoring network patterns for potential breaches.
- Ethics – continued scanning of output against agreed standards.
- Security – system audits to identify vulnerabilities.
Scenarios
Developing playbooks for future scenarios will enhance preparedness and is key to informing decisions and demonstrating evidence of integrated risk management. These include:
- Changes in regulatory position or public perception.
- Breaches, including at critical suppliers.
- Employee proposition – ways of working/expertise.
- Ethical challenges.
Conclusion
The GenAI potential can only be maximised if it is complemented with a robust risk and control environment and effective governance.
Inevitably, the regulatory position will evolve and heighten in expectation, with the potential for explicit individual accountability . There will be scrutiny in terms of organization strategy and quality of risk management. If that is found wanting, it’s likely to add to the downstream risks requiring resolution. Regulators will be particularly focused on steps taken to ensure:
- There is no customer detriment due to bias or inadequate data.
- Systems are secure from malicious intent, particularly where personal data is involved.
- Expertise is in place to execute, interpret, explain and monitor.
- Approach is sustainable, ethical, and reputationally sound, taking into account overall market integrity.
If any of these crystallize as challenges, both the resilience and reputation of an organization will be impacted. That is why it is crucial that there are robust frameworks in place to govern and control Gen AI.
All of which is before we get to the question of the existential risk that GenAI poses!
