NextGen Risk Management - protiviti.com · Effective risk identification and monitoring are...
Internal Audit, Risk, Business & Technology Consulting
NextGen Risk Management: How Do Machines Make Decisions?
Value of Agile Risk Management
Next Generation Risk Management · 1protiviti.com
Effective risk identification and monitoring are integral to an organization’s success and
improving strategic decision-making. Accurate and timely risk identification and assessment
help drive efficiencies and improve customer experiences with business processes.
Consistent with its agile risk management philosophy, Protiviti presents its perspective
on establishing and sustaining leading practices for identifying, assessing, mitigating and
monitoring risks stemming from artificial intelligence (AI).
Introduction
[Figure: Value of Agile Risk Management. Elements: Customer Satisfaction, Aligned Organization, Operational Excellence, Risk Management. Outcomes: Customer Centricity, Consistent Experiences, Agility, Optimized Performance, Focus on Growth, Risk-Enabled Decisions.]
Protiviti’s Agile Risk Management philosophy enables organizations to focus on growth, improve efficiency and become more effective at managing risks while providing greater value to business partners.
Source: Protiviti Insights — Agile Risk Management: “As costs continue to increase, it is clear that the overly manual, reactive and siloed lines of defense status quo is unsustainable and cannot continue. We believe risk capabilities must be agile, flexible and nimble in order to be effective and efficient in responding to the changing environment. A better model is technology-enabled, proactive, aligned across all three lines of defense and embedded into business processes. This is the solution we refer to as Agile Risk Management.”
2 · Protiviti
AI and Risk Management
Many organizations are quickly adopting AI based
on the benefits it can create. AI technologies have the
potential to advance established industries by improving
the efficiency and accuracy of company operations and
customer experiences. Additionally, AI is opening the
door to entirely new operating models, ushering in a new
set of competitive dynamics that rewards organizations
focused on interpreting and extracting internal and
external data quickly and accurately.[1]
Machine learning, a type of AI, utilizes the fields of
knowledge discovery and data mining. Machine learning
algorithms study and react to data automatically,
without human assistance or intervention, enabling
systems to learn from experience and improve.
However, using machine learning and AI increases
complexity and creates new, more dynamic risks that
may lead to unintended consequences.
To mitigate the new and changing risk environment,
an organization needs to have a properly established
risk management foundation. Organizations can
leverage existing risk management frameworks to
create a framework that can identify and oversee the
wide range of risks associated with AI. For instance,
risk frameworks utilized to assess new products and
services, as well as activities, can be leveraged, as AI
is developed, implemented and changed. Another
useful framework is a model risk management (MRM)
framework that is based on identifying, measuring
and monitoring all risks related to a model —
generally a component of AI in the form of a machine
learning algorithm.
MRM practices mitigate the risks of traditional
econometric model lifecycles; however, they often
fail to capture the risks presented by AI. While these
frameworks can be leveraged, organizations may not
be currently equipped and resourced to handle all risks
and ongoing monitoring needed in an AI environment.
To account fully for risks posed by AI, organizations’
existing frameworks and risk practices can be tailored
with some well-targeted enhancements within the AI
lifecycle, as discussed in detail below.
As use of AI continues to expand exponentially, risk
and compliance functions will be challenged to rethink
resourcing, traditional oversight monitoring techniques,
and how to leverage existing frameworks to ease
implementation and fully manage risks.
[1] “The New Physics of Financial Services: How Artificial Intelligence Is Transforming the Financial Ecosystem,” World Economic Forum, Aug. 15, 2018: www.weforum.org/reports/the-new-physics-of-financial-services-how-artificial-intelligence-is-transforming-the-financial-ecosystem.
AI technologies have the potential to advance established industries by improving the efficiency and accuracy
of company operations and customer experiences. Additionally, AI is opening the door to entirely new operating
models, ushering in a new set of competitive dynamics that rewards organizations focused on the scale and
sophistication of data much more than the scale or complexity of capital.
AI Use in the Marketplace
AI in the Marketplace
The financial services industry continues to invest
heavily in artificial intelligence systems, leading other
industries such as manufacturing, healthcare and
professional services. Last year, research firm IDC said
it expected the banking industry to spend more than $5
billion on artificial intelligence systems in 2019. Overall,
IDC projects spending on AI systems will reach $97.9
billion in 2023, more than two and one half times the
$37.5 billion that will be spent in 2019.[2]
Financial institutions are incorporating AI into asset
management, fraud detection, credit risk management
and regulatory compliance, to name a few use cases.
Specifically, these organizations are turning to machine
learning models as an alternative to traditional models
to gain faster, more accurate, and insightful predictions
and classifications in their risk management and financial
management business decisions. Several types of AI
components and the effect they have on organizations are
provided below.
[2] IDC Worldwide Artificial Intelligence Spending Guide: www.idc.com/getdoc.jsp?containerId=prUS45481219
Component / Operating Efficiencies
Machine Learning Models: Organizations can use AI as a modeling technique through machine learning to improve decision-making in these select areas:
• Underwriting/credit decisioning
• Personalized marketing
• Asset management
• Compliance monitoring
• Credit risk management
• Customer segmentation
• Fraud detection
• Loss forecasting
Virtual Agents: Virtual financial assistants or chatbots can guide consumers through day-to-day financial tasks, providing personalized and proactive assistance to help them stay on top of their personal finances.
Natural Language Processing (NLP): NLP enhances organizations’ ability to analyze countless numbers of documents, including contracts, emails and forms, enabling them to better quantify and examine available data that would otherwise be difficult and inefficient to extract from unstructured source material.
Image Analysis: AI-powered image analysis can be used by organizations to classify images and trigger real-time actions based on image data capture, enhancing the customer experience process. For example, insurers are using image analysis to capture and analyze images of homes damaged after a natural disaster, increasing the efficiency of claims processing.
Incorporating and monitoring AI the correct way is
important. There have been several instances where
major organizations have rushed to deploy AI, only
to learn of the unmitigated risks and unintended
consequences of their application. In 2018, a major
consumer brand discovered that the AI used in its
hiring process discriminated against female job
applicants. The software was designed to align a
candidate’s history with that of employees who had
proven successful at the company over the previous
10 years.[3] The design of the algorithm did not
intend to discriminate but the data set on which the
model relied caused unintended consequences and
bias. The following table shows common risks that
organizations are encountering through the use of AI:
[3] Forbes Insights: www.forbes.com/sites/insights-intelai/2019/03/27/ai-regulation-its-time-for-training-wheels/#5981d0cc2f26
Key Risks Posed by AI
Common Risks of AI
Strategic Risk
• Reputational Risk
• Customer Experience
• Stakeholder Risk
• Resource Allocation
• Culture
• Obsolete Workforce
• Talent Management
• Brand Awareness
Operational Risk
• Business Disruption
• System Failures
• Process Failures
• Internal Control Environment
• Third-Party Risk/Vendor Management
• Change Management
• Operational Errors
Financial Risk
• Credit Risk
• Liquidity Risk
• Market Risk
• Underwriting Risk
• Financial Reporting Risk
Regulatory and Compliance Risk
• Legal Risk
• Consumer Protection
• Know Your Customer (KYC)
• Consumer Privacy
• Disparate Impact
• Unfair, Deceptive, or Abusive Acts or Practices
• Fair Credit & Lending
• Sales Practices/Incentive Comp
Technology Risk
• Software/Application Failure
• Information & Cyber Risk
• Identity & Access Management
• Availability & Accessibility
• Black-Box Issues
• Data Management
• Data Security
Although AI is innovative and technically complex, it has
foundational components of a core model that quantifies
theories, techniques and assumptions from processed
input data. However, the differences with AI are the
exponential increase of model complexity due to intricate
algorithms, vast unstructured data sets and the potential
for immense decision trees. AI — specifically, machine
learning — removes the element of human subject-
matter expertise from the decision process, which can
result in unwanted risk exposure.
As the use of machine learning models continues to
expand across the financial services industry, regulators
are increasing their attention on model risk. The
following three root causes can result in model risk:
• A model has fundamental errors that cause it to
produce inaccurate or biased outputs when viewed
against the design objective and intended business use.
• A model is implemented or used inappropriately,
or its limitations or assumptions are not
fully understood.
• A model is misused because of a misunderstanding
of its purpose and limitations.
To avoid these challenges, organizations should consider
these fundamental questions:
• Do you know how the machine learning model
was built?
• Do you know its purpose?
• Do you know how to use the results and how
success is defined?
The Federal Reserve Board (FRB) has reinforced that SR
11-7/OCC 2011-12[4] (Guidance on Model Risk Management)
remains the applicable regulatory guidance on the use
of AI. There have been no indications by the FRB of any
new standards or requirements that will come into place.
Although SR 11-7/OCC 2011-12 provides a foundation for
establishing risk management frameworks for mitigating
risks posed by AI systems, guidance and expectations
have not been expanded and formalized to address the
dynamic changes, unintended results, and bias risks[5]
posed by AI.
[4] What Are We Learning about Artificial Intelligence in Financial Services?: www.federalreserve.gov/newsevents/speech/brainard20181113a.htm
[5] Validation of Machine Learning Models: Challenges and Alternatives: www.protiviti.com/US-en/insights/validation-machine-learning-models-challenges-and-alternatives
AI Lifecycle and Effective Challenge
[Figure: AI Lifecycle and Effective Challenge. Twelve numbered steps across the phases “Design and Mitigate Risk” and “Implement and Test,” with Effective Challenge, Risk & Compliance Monitoring, and Internal Audit Reviews as accompanying labels.]
1. Request the AI model
2. Conduct preliminary analytics and design
3. Develop the AI model
4. Validate the AI model before implementation
5. Finalize the AI model
6. Implement the AI model into production
7. AI model owners monitor performance
8. Review performance threshold exception reports
9. Perform post-implementation model validation
10. Analyze and review AI modifications
11. Review process for AI model findings
12. Perform model redesign and recalibration
Organizations can proactively mitigate these unique
AI risks by establishing cross-functional frameworks,
based on a clearly defined scope of each AI solution and
interdependencies with existing risks in its operating
environment. Consider the use of a chatbot as an
example. An organization will need to consider legal,
compliance, reputational and operational risks if any
issues (discrimination, bias, privacy, etc.) arise from
the use of a chatbot.
Recently, the New York Department of Financial
Services launched an investigation into gender
discrimination in financial institutions’ consumer
algorithms that are used to determine credit limits.[6]
Needless to say, organizations using AI for decisions
are facing scrutiny across the board as it relates to the
risk taxonomy. Given these challenges, organizations
should enhance their current risk management
framework by establishing a cross-functional risk
governance process to ensure AI risks are understood,
assessed, and mitigated throughout the AI lifecycle.
[6] NYDFS Apple Card Investigation: www.bankingdive.com/news/apple-card-investigation-alleged-gender-discrimination/567050/
Insight into the lifecycle will help organizations navigate various considerations, including risk and compliance,
governance and reporting, data management, technology, and workforce and training implications. Additionally, an
environment of effective challenge, where decision-making processes promote a range of views, fosters independent
testing and validation of current practices and AI solutions prior to implementation and production, and an integrated
environment of open and constructive engagement. Organizations can take the following actions now to enhance risk
mitigation during the AI lifecycle:
1 Design and Mitigate
AI Governance Build-Out
• Adapt and extend existing model governance to fit AI
tools, specifically the use and maintenance of models,
validation of models, and the adequate disclosure of
model assumptions and limitations.
• Review and update the model risk policy regulating
the definition of model risk, scope of MRM, roles
and responsibilities, model approval and change
process and management of model weaknesses, to
encompass the new risks that AI presents.
• Develop an AI policy consisting of requirements
around use, development, and ongoing monitoring,
which include roles and responsibilities for business
leaders, independent risk and compliance managers,
and technology and operations functions.
• Determine the interoperability requirements based on
the organization’s risk appetite as part of the AI policy.
• Develop a methodology around bias to ensure
fairness and address algorithmic bias, as well as bias
against humans.
• Configure a risk-based methodology consisting of
severity tiers, which will incorporate the necessary
requirements to implement AI successfully.
• Formalize a well-defined project oversight and change
management framework around AI systems.
• Improve data quality programs to profile input data
and strengthen data governance (i.e., embed data
requirements and a rigorous data monitoring process).
• Build a data warehouse for all performance monitoring
and testing data. This will allow an AI tool to easily
input and manage the data repository once the
structure is built.
• Configure application resiliency controls, detailed
business-continuity planning and disaster recovery.
• Track and aggregate monitoring in centralized
warehouses and align to issue and change
management programs.
AI Tool Design
• Define the purpose and scope of the AI solution
clearly, including its methodology, decision criteria,
and data requirements.
• Hold meetings with key stakeholders to understand
the AI tool requirements, desired output and use cases.
• Before developing an AI tool, map its process
workflow, including data inputs, variables, and
monitoring triggers to gain a full understanding of the
foundation of the tool.
• Complete documentation of the AI tool’s underlying
model’s purpose, design, assumptions, parameterization,
testing, limitations, and user instruction.
• Identify scale and potential inherent risks that may be
triggered with the use of an AI solution.
• Examine the amount of change that a business will
be required to undergo as it relates to building and
running the AI tool in production.
• Embed, understand and analyze rules and regulatory
requirements in the algorithm design and monitoring.
• Define hyperparameters, including a standard set of
analyses to be run on input data and output results.
• Perform quality control during pre-implementation
rollout.
• Obtain appropriate approvals and signoffs for
development and use of the AI tool.
• Build mechanisms within the AI tool to ensure
accountability and adequate access to redress.
Algorithms, data and design processes should all
be auditable.
• Configure consistent and recurring testing in a live
environment.
• Conduct preliminary analytics on the outputs
generated by the tool to understand its limitations
and determine optimal parameters when building
out the tool.
• Validate the parameters chosen through human
subject-matter experts (SMEs) and industry
benchmarks.
2 Implement
• Ensure the approved project plan serves as the
baseline or source of record, and acts as a “contract”
of the work to be performed to successfully
implement the AI tool.
• Hold meetings with key stakeholders to introduce
the AI and designate model owners and SMEs to
monitor performance.
• Configure a cross-functional team consisting of
data scientists, AI experts, model risk experts,
data officers, regulatory experts, and any key
stakeholders to help mitigate risks associated with
the implementation of the AI tool.
• Establish and monitor controls and human override
in the design of the algorithm to control inputs,
processing and outcomes during implementation.
• Conduct proof-of-concept testing and/or controlled
case studies before going into live production.
• Develop an implementation plan for moving the
AI solution into production and assist with the
implementation phase.
3 Testing and Effective Challenge
• Perform rigorous and continuous testing of
underlying/input data.
• Perform scheduled backups and parallel testing of
underlying/input data.
• Conduct periodic testing of the controls in place to
guardrail underlying/input data.
• Perform post-implementation AI validation testing
and exceptions testing and conduct a risk assessment.
• Review AI model findings and hold meetings with key
stakeholders and SMEs to discuss key takeaways.
• Review performance threshold exception reports to
identify areas of improvement for the model.
• Formalize review of key risks inherent in AI and its
operational component (e.g., economic variables,
qualitative factors).
• Perform a quality assurance review of surrounding
business objectives, stated benefits and process flow.
• Review choice of architecture, hyper-parameters,
optimizers, regularization and activation functions.
• Conduct an independent assessment as it relates
to operating within parameters outlined in the
approval documentation.
• Modify parameters dynamically to reflect emerging
patterns in the input data, as this will replace the
traditional approach of periodic manual review and
model refresh.
• Provide insight regarding risk and compliance
considerations that align to the use of AI.
• Conduct an independent audit to ensure the design
and effectiveness of controls relied upon to mitigate
the model’s risks.
• Perform an independent assessment of the process for
establishing and monitoring limits on model use.
• Conduct a bias/variance analysis.
• Develop a challenger model using alternative
algorithms to benchmark output performance.
• Perform a post-implementation analysis to determine
if the change management process or methodologies
need to be modified.
• If needed, redesign and recalibrate the AI model
based on the findings, discussions, and risk and
compliance considerations.
• Incorporate appropriate human intervention
throughout each component of the AI lifecycle.
• Develop an AI feedback loop consisting of existing
complaints and customer feedback to allow an
organization to understand and quickly resolve AI
issues and/or defects.
• Develop and formalize communication protocols to
internal and external stakeholders (e.g., consumers,
investors, regulators) of the use of the newly
implemented AI tool.
• Perform a production readiness analysis to ensure the
AI solution can be implemented successfully.
• Perform validation testing of the AI tool prior to
implementation and make final updates to mitigate
any material weaknesses of the tool.
AI Risk Management Framework
Numerous organizations are intensely focused on gaining
a competitive advantage through AI implementation. To
succeed, organizations need to commit to monitoring and
understanding risks posed by AI.
As AI becomes more prevalent, it is crucial for
organizations to move into an agile risk target state to
manage AI risks. An organization can align its MRM
infrastructure with the enhanced procedures and
controls, while incorporating new AI activity governance,
agile implementation and effective challenge of AI
tools. Establishing an AI risk framework will benefit
an organization’s ability and speed to innovate. This
can be applied to all three lines of defense and updated
regularly to reflect evolving best practices and regulatory
expectations. The updated framework can leverage
existing governance and risk management activities
while catering to AI.
[Figure: AI Risk Management Framework, showing seven components and their activities.]
1 Governance: Policy & Procedures; Lifecycle Standards; Approval & Accountability; Risk Oversight; Change Management
2 Inventory & Risk Assessment: AI Identification; AI Inventory; Applicability; Risk Assessments; Risk Ratings; Model Impact Assessment (Risk Scoring)
3 Data Aggregation & Quality: Data Architecture; Data Infrastructure; Data Privacy; Feature Engineering
4 Integrated Development & Implementation: Data Quality Assessment; Testing & Analysis; Control Framework; Secure Data Model; Training; Pre-Implementation Validation; Hyperparameters; Production Readiness; Model Input Change Management
5 Ongoing Performance Monitoring: Testing Program; Effective Challenge; Stress Testing; Real-Time Monitoring and Bias Output Reporting; Dynamic Model Calibration; Results & Output Based Testing; Proactive Trend, Concentration & Correlation Identification; Benchmarking; Continuous Automated Exception Identification & Reporting
6 Independent Validation: Output Analysis; Interpretability; Bias Testing; Operational Issues; Review of Performance Indicators; Review of Recommendations
7 Post-Mortem Review: Analysis of Findings; Findings Prioritization; Roadmap for Implementation; Redesign/Recalibration for Continuous Improvement
With an agile AI risk framework, organizations should, at a minimum, implement the following activities and concepts
per the framework components:
1 Governance
• A formalized governance structure will establish
accountability around the execution of the AI lifecycle.
It will also assign appropriate resources and processes
required to assess the design and performance of the
AI tool.
• Organizations will be required to ensure resources
possess the appropriate skill sets needed to challenge,
control, and monitor the use of AI. However, due to the
complexity of AI, the skill set required to govern AI
effectively will be tailored for sustainability and
for each business use of the AI tool.
- For example, a line-of-business SME will be
needed to verify if the expected AI outputs are
achieved, while a technology SME is needed to
verify if the AI was efficiently integrated into
an organization’s technological infrastructure
without falling into algorithmic loops that
overload the system.
• With the enhancement of the governance structure,
organizations will need to incorporate the following:
- A formalized, documented, clear, and
comprehensive definition of AI.
- Defined roles and responsibilities.
- A formalized and socialized project
governance charter.
- A formalized and responsive change
management process.
2 Inventory & Risk Assessment
• Organizations will immediately need to revisit
their tools inventory to ensure AI models are
included. A robust model inventory provides
management with a comprehensive overview of all
models in use, including model owners, restrictions
on use, and the validation status. Lack of a robust
method to update the model inventory on a regular
basis can result in undocumented model changes,
inefficient processes to risk rate models, and
ineffective performance monitoring.
• The organization’s model risk assessment process,
as required under regulatory guidance, will need
to be formally adapted to incorporate AI. The risk
assessment process will need to assess model impact
risk, covering both the assumptions that are drawn
from models and the impact of decisions based
upon model output. Conducting a risk assessment
allows an institution to understand inherent risks
of the business, products and services, as well as
the effectiveness of the controls in place. A periodic
risk assessment will support appropriate scheduling
of monitoring to ensure resources are allocated and
risk is mitigated.
4 Integrated Development & Implementation
• The successful development and implementation of
AI solutions within an enterprise depends largely
on the design and effectiveness of the control and
testing process. An enhanced control framework and
continuous testing can help reduce inherent risks to a
residual risk level that aligns with the organization’s
risk appetite and framework. Currently, organizations
tend to test new initiatives within a sandbox
environment; however, given the complexity and
development of AI, they should consider configuring
consistent and recurring testing outside a sandbox.
Developing a control framework and testing process
would allow organizations to identify gaps and
potential options for improvement quickly. The
control process should be determined and aligned
by an established and enhanced risk assessment
framework. The risk assessment process is critical, as
it helps to determine the controls needed to mitigate
the inherent risks.
• Organizations should consider the key risks generated
from the use of AI. For example, data bias will require
organizations to produce impartial decisions by
examining the choice of data. As bias in AI can trigger
costly errors, organizations will need to focus on the
front-end of the AI lifecycle, the development of the AI
tool. One way to identify data bias is by benchmarking
with other models or the opinion of SMEs. Appropriate
data de-biasing techniques should be used to remove
bias from development data. In addition to traditional
methods such as downscaling and quantile mapping,
randomization and sample weighting should also
be incorporated to correct data bias. The statistical
soundness of selecting unbiased development and
holdout data should be given extra emphasis for
machine learning models.
3 Data Aggregation & Quality
• Organizations will need an effective and transparent
process to improve underlying or input data
throughout the model’s tenure. A formalized and
documented model input change management
process and communication plan is critical to the
aggregation and quality of underlying or input data
used in the AI tool. The key stakeholders (model
owner, model user, model approver, and
independent reviewer) will be required to maintain
and/or understand the following components:
- Data quality and data set integration.
- Data architecture and data infrastructure.
- Understand > review > assess > remediate >
algorithms.
- Transparency of algorithms.
- Effective controls in place to guardrail
underlying/input data.
5 Ongoing Performance Monitoring
• Performance monitoring is essential to mitigating
risks connected to AI tools. Effective monitoring
will help an organization draw clear conclusions to
support business decisions. An effective performance
monitoring function comes from a highly automated
monitoring and testing program, using a common
methodology and real-time reporting. Organizations
can enhance the rigor of the performance monitoring
function by using the techniques below:
- Real-time monitoring and bias output reporting.
- Results and output-based testing.
- Proactive trend, concentration and
correlation identification.
- Assurance of appropriate and compliant
recommendations.
- Continuous automated exception identification,
alert system and reporting.
- Proper skill set.
- Repurposing workforce.
- Reskilling workforce.
- Multidisciplinary team structure with formal
project management.
• Effective challenge requires the cooperation and
alignment of all three lines of defense, as each plays
a specific role. The first line of defense, specifically
model developers and owners, works to understand
and monitor the risks from the use of an AI tool. The
second line, the model validators, independently
establishes key protocols for risk and compliance
decisions while working with model developers and
owners. Lastly, the third line of defense, specifically
audit, conducts its own tests to ensure that the
residual model risk of the AI tool does not surpass the
risk appetite established. The scope of activities by
the third line of defense will stay similar in nature
in comparison to the traditional MRM framework.
However, the third line of defense will be required to
expand its skill set to understand how AI algorithms
work and their intended use, as well as understand
the risk they pose to technology infrastructure and
operations. To have the most impact, an effective
challenge must include the following:
- Two-way communication on strategic business and
risk decisions as it relates to the use of the AI tool.
- Transparency and direction to business and risk
leadership before issues arise from the use of
the AI tool.
- Full use of the AI tool according to the
established risk appetite.
• Additionally, it will be critical for organizations to
maintain human subject-matter oversight rather
than strictly relying on software solutions to
render analysis, as software has the potential to
fail to understand the impacts of the results. Lastly,
organizations should review and update policy,
procedures and processes periodically to encompass
the changes that AI brings, which, in turn, will help an
organization effectively evaluate an AI tool.
7 Postmortem Review
• An organization will need to plan strategically
and execute effectively around the performance
monitoring results, as postmortem reviews will
be crucial to refining and improving the models.
Organizations will need to thoroughly examine the
analysis and explanation of the AI output, bias and
interpretability analysis, and review performance
threshold exceptions and controls in place. Based on
the examination and reviews, organizations will need
to constantly redesign and recalibrate the AI tool for
continuous improvement.
6 Independent Validation
• As with any model, periodic independent
validations[7] will continue to be a focal point of
AI monitoring. To assess the innovations of AI,
model validators will need to understand the
challenges, such as a model’s fitness for use, and
develop customized methods for validating AI
tools. The validation will still be required to assess
models broadly from four perspectives: conceptual
soundness, process verification, ongoing
monitoring and outcomes analysis.
• SR 11-7 and OCC 2011-12 require that model
documentation be comprehensive and detailed
enough so that a knowledgeable third party can
recreate the model without having access to the
model development code. The complexity of AI and
the model development process are likely to make
documentation of AI tools much more challenging
than traditional model documentation. It is
recommended that organizations standardize their
model development and validation procedures for AI
and provide a model documentation template that is
consistent with regulatory expectations and its model
risk management policies and standards.
7 Validation of Machine Learning Models: Challenges and Alternatives: www.protiviti.com/sites/default/files/united_states/insights/validating-machine-learning-models-whitepaper-protiviti.pdf
Conclusion
With the continued investment in AI, the use of AI in
business processes and practices is only growing larger
in scope and deeper in granularity. To stay ahead and
provide effective and efficient monitoring of risk,
organizations will not only utilize AI as their most
comprehensive and valued tool but will also need agile
risk and compliance management. Competitive advantages
will come not only from how organizations use AI but
also from how they are able to avoid mistakes, ensure
smooth customer experiences, prevent violations of
law and explain what AI is intended to do to customers
and regulators.
An AI tool will never be fully clear of risk, but an
efficient and effective AI risk management framework
will keep risk manageable and enable organizations to
respond to fluctuations in the outputs and decisions
generated by AI. The key for all organizations using AI
currently is to build and maintain AI in a responsible
and transparent way, which, in turn, will help reduce
operational cost and, more important, maintain the
confidence of customers.
ABOUT PROTIVITI
Protiviti is a global consulting firm that delivers deep expertise, objective insights, a tailored approach and unparalleled collaboration to help leaders confidently face the future. Through its network of more than 85 offices in over 25 countries, Protiviti and its independent and locally owned Member Firms provide clients with consulting solutions in finance, technology, operations, data, analytics, governance, risk and internal audit.
Named to the 2020 Fortune 100 Best Companies to Work For® list, Protiviti has served more than 60% of Fortune 1000® and 35% of Fortune Global 500® companies. The firm also works with smaller, growing companies, including those looking to go public, as well as with government agencies. Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.
HOW PROTIVITI CAN HELP
Protiviti has a record of success helping clients develop strong risk management practices with the responsiveness required for an ever-changing business environment. We work with over 75% of the world’s largest financial institutions, which benefit from our collaborative team approach to resolving today’s risk management challenges. Our professional consultants have varied industry and regulatory backgrounds that enable our unified financial services practice, with the seamless integration of risk and compliance, technology, data and analytics solutions, to develop customized agile risk management approaches to meet tomorrow’s challenges today.
Business, risk, compliance and internal audit groups need to work within an integrated framework with clear accountabilities that will lead to an aligned organization for making sound decisions. We address risk and operational excellence as two sides of the same coin, leading to agility and optimal performance. We understand how customer satisfaction, and in turn growth, have become elusive. While risk management is intended to drive growth, it too often becomes an inhibitor. Our expertise positions you at the forefront of effective risk management with a unique approach to reap both immediate and long-term benefits.
CONTACTS
Matthew Moore, Managing Director and Global Risk and Compliance Leader, +1.704.972.9615
Suresh Baral, Managing Director, +1.212.471.9674
Michael Brauneis, Managing Director and Americas Financial Services Leader, +1.312.476.6327
Matthew Perconte, Managing Director, +1.212.479.0692
Madhumita Bhattacharyya, Managing Director, +1 469-374-2564
Shaheen Dil, Managing Director, +1.212.603.8378
Lucas Lau
© 2020 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services. PRO-0320-103142