We are well into the 4th Industrial Revolution, with many companies now significantly invested in some kind of automation, Machine Learning or other AI-related business improvement or optimization projects.
There is no stopping the advance of the 4IR future, but we, as human beings, can continue to ensure that we remain the architects of the journey into that future.
As AI becomes more of a mainstream business norm, we must continue to consider the consequential impacts that AI automation brings.
The positives are boundless, but the potential impact on the existing human workforce, and the ethical questions, remain.
This blog takes a brief look at some of the fundamentals, starting with a summary of the EU AI Act and moving on to an introduction to the concept of Transactional Data Based GRC.
With the EU Artificial Intelligence Act, which was passed in March this year and is expected to become official law by May or June this year, the EU once again takes a leadership role, as it did with GDPR, in providing guiding principles, this time related to ethics and transparency in the use of AI as a business norm.
Key provisions of the EU AI Act include:
- Risk-Based Approach: The Act categorizes AI systems into four risk categories based on their potential impact on safety, fundamental rights, and societal values. Higher-risk AI systems, such as those used in critical infrastructure, law enforcement, or healthcare, would be subject to stricter requirements and oversight.
- Prohibited Practices: The Act sets out to prohibit certain AI practices that pose unacceptable risks, such as AI systems that manipulate individuals through subliminal techniques or exploit vulnerable groups.
- Transparency and Traceability: The Act requires developers and providers of AI systems to ensure transparency and provide information about the AI’s capabilities, limitations, and potential risks. This includes documenting the data used to train AI models and providing explanations of AI-generated decisions where applicable.
- Data Governance: The Act emphasizes the importance of data governance and requires that AI systems be trained on high-quality data that is representative and free from bias. Additionally, data used for training AI models must comply with EU data protection rules.
- Human Oversight: Certain high-risk AI systems must undergo human oversight, including the ability for human intervention, monitoring, and verification. This is intended to ensure accountability and mitigate the risks associated with fully autonomous AI systems.
- Compliance and Enforcement: The proposed Act outlines mechanisms for ensuring compliance with the regulations, including conformity assessments, certification schemes, and market surveillance. National competent authorities would be responsible for enforcement within their respective jurisdictions.
- International Cooperation: The EU AI Act emphasizes the importance of international cooperation on AI regulation and standards. It aims to promote alignment with international norms and facilitate cross-border cooperation on AI governance.
Overall, the EU AI Act represents a significant step toward regulating AI technology in the EU, with the goal of fostering trust, innovation, and responsible AI development and deployment the world over. We have no doubt that, as with the GDPR, we will see rapid development of similar and supporting local legislation and regulations, and of ISO standards, in support of AI governance within the context of each country.
As GRC professionals, it is vital that we continue to address the concerns that grow as AI becomes part of business as usual. This requires careful consideration of the ethical, social, and economic implications of AI in the workplace, as well as proactive efforts to mitigate potential negative consequences and to ensure that the benefits of AI are equitably distributed among all workers, as we seek the added value that AI projects can bring to the organization.
Introducing the Concept of Transactional Data Based GRC
So, what is transactional data based GRC?
As with all business functional areas, Governance, Risk and Compliance Management, including Internal Audit, must evolve if it is to stay relevant to the organization in the age of AI and automation. The concept of Transactional Data Based GRC incorporates an ISO Standards Model approach: first defining the context of the organization, and then determining all the inputs that will provide evidence of an expected output for the following aspects of GRC activities:
- Risk detection and identification
- Risk evaluation
- Underlying causal assessment
- Incident detection and reporting
- Near miss and emerging risk detection
- Determination of the effectiveness, or lack thereof, of controls
- Determination of the correctness of policies and procedures in control embedment
- Gaps leading to new risks and lost opportunities
- Control Assurance evidence
- Internal Audit continuous control monitoring
- Continuous Control Monitoring in lines of defense
So how can AI be used effectively within the day-to-day activities of governance, risk and compliance control management?
Using AI algorithms to analyze source-level transactional data, whether that data is structured (e.g., databases, spreadsheets) or unstructured (e.g., text documents, emails, WhatsApp messages, images, video), can be highly effective in automated continuous GRC management, identifying evidence of the success or failure of GRC activities in practice within an organization on a real-time or near-real-time basis. Here’s how GRC AI algorithms, run at source transactional data level on structured or unstructured data, can be utilized for this purpose:
- Hidden or Missed Risk Detection and Risk Discovery
  - The old ways of asking Risk Owners to endlessly keep a system, or more likely an Excel spreadsheet risk register, up to date are a thing of the past.
  - Risks will be identified at the transactional data level, which can be sourced from data both internal to the business, in systems and unstructured data, and external, in RSS feeds, open source, social media and through tools like ChatGPT, OpenAI, dark web sources etc. The role of the human then becomes to ensure the validity of the source data and to validate the identified risks through, again, a governance AI-driven process. Data quality then becomes the primary focus.
- Emerging Risk Recognition
  - Given the speed with which AI can consume and effectively analyze data, given correctly written and applied GRC algorithms, it is ridiculous to think that the human will continue to be remotely effective in the ongoing identification and management of risks on static risk registers.
- Incident Identification and Reporting
  - Numerous tools and technologies already exist in the workplace to automatically detect incidents and threats and send notifications and alerts to human individuals. However, a failing of these tools is that they are siloed and lack the human intelligence of the expert, who will correlate data from different inputs and arrive at an overall informed picture of a critical event that is loss-producing or highly damaging to the organization's reputation. Thus AI, supported by GRC algorithms written by human experts, will allow the consumption of high volumes of data across multiple data sources, digesting structured and unstructured input, to make an informed analysis of the nature of an incident as it happens and to effect rapid, near-real-time remedial actions. This approach is set to revolutionize the entire nightmare of managing by crisis, as individuals will gain real-time warnings, with remediation in real time, to prevent a growing risk before it can evolve into a crisis.
- Predictive Risk Definition
  - Machine learning and neural networks are all about large volumes of data, efficiently analysed by algorithms, to produce decision-making output that can be confidently acted upon to effect improvements. The bigger the data volume, the better the learning capabilities. However, the quality of the data becomes the biggest risk, and it must be managed so that the garbage-in, garbage-out syndrome is mitigated. Unfortunately, most organizations are plagued with very poor-quality data that lacks data classification, naming conventions, structure and data quality maintenance processes. Furthermore, most of the GRC information needed for decision making lies in unstructured data. Transactional data based GRC can be used highly effectively as the data quality policy officer: by deploying Data Quality Governance Algorithms to improve data quality, the value of the data becomes such that it is the most powerful risk detection and evaluation tool you can deploy within your organization, and many GRC aspects can be managed with zero human intervention.
- Continuous Control Monitoring
  - Data is a constant flow in our lives, at work and at home, and grows every nanosecond of every day. We are not short of data; what we as GRC professionals lack is quality of data, so as to understand how effective and efficient we are in controlling the risks we have managed to identify. So, if we are looking to the future of risk management in AI risk detection and productive analysis, we must be able to effectively include continuous control monitoring in our transactional data based GRC framework, which is governed by the principles outlined in the EU AI Act. Trying to find the time for traditional manual control owner assurance interventions is near impossible in today's fast-paced world. Thus, automated control is no longer a nice-to-have but a critical necessity to keep the business’s head above water. Transactional data monitoring through clearly defined control validity statements (statements of the ideal expectations of data quality needed), related to control objectives and linked to key processes and functions, which are in turn linked to clearly identified and correctly worded risk statements, is the way to rapidly detect control failures through expert-built GRC algorithms. We are no longer in a position to work off only a sample of data transactions, as algorithms can be written to analyze vast volumes of transactions (which include ALL transactions), anywhere internally or externally in the organization, and in seconds determine whether the control objective has been met or has failed and thereby exposed the organization to risk. As the analysis is conducted on transactions linked to the precise tasks, conducted in real time, in clearly defined process and functional areas of the organization, the human individual responsible for the control area is also identified through the algorithm, so that rapid remedial action can be pushed to the human role, or a notification is pushed based on the AI control intervention and the immediate mitigation taken by the AI GRC actor.
- Empirical Evidence in Control Assurance and Internal Audits
  - By managing controls in the fashion described in the point above, the GRC responsible parties gain the added value of automated control assurance and continuous internal audits that are ongoing and immediate in their findings, remedial action notifications and follow-ups. This allows the human risk control owner, compliance officer or internal auditor to step up in skill sets and evolve into data review specialists and data insights analysts, adding the unique human element of oversight to the control assurance process.
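The continuous control monitoring described above, as an added example (not RUBIQ ACE code and not part of the original post): each control validity statement is linked to a risk statement, a process and an owner, every in-scope transaction is evaluated rather than a sample, and a record too incomplete to evaluate is reported as a data quality finding instead of passing silently. The control IDs, field names, threshold, owner roles and transactions are all hypothetical and constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable

@dataclass(frozen=True)
class Control:
    control_id: str                # hypothetical identifier
    objective: str                 # the control validity statement
    risk: str                      # risk statement the control addresses
    process: str                   # process whose transactions are in scope
    owner: str                     # human role notified on a finding
    required: tuple                # fields needed to evaluate the statement
    holds: Callable[[dict], bool]  # True when the transaction meets it

CONTROLS = [
    Control("C-01", "Approver differs from requester", "Unauthorised payment",
            "accounts-payable", "ap.manager", ("requester", "approver"),
            lambda t: t["approver"] != t["requester"]),
    Control("C-02", "Payments of 10000 or more have a second approver",
            "Single-person release of large payments", "accounts-payable",
            "finance.controller", ("amount", "second_approver"),
            lambda t: t["amount"] < 10000 or bool(t["second_approver"])),
]

AP = "accounts-payable"
# Constructed sample transactions (not real data).
TRANSACTIONS = [
    {"id": "T1", "process": AP, "requester": "alice", "approver": "bob", "amount": 500, "second_approver": None},
    {"id": "T2", "process": AP, "requester": "carol", "approver": "carol", "amount": 1200, "second_approver": None},
    {"id": "T3", "process": AP, "requester": "dave", "approver": "erin", "amount": 25000, "second_approver": None},
    {"id": "T4", "process": AP, "requester": "frank", "amount": 300, "second_approver": None},
    {"id": "T5", "process": "payroll", "requester": "gina", "approver": "gina", "amount": 90000},
]

def monitor(transactions, controls):
    """Check every in-scope transaction (no sampling) against each control."""
    findings = []
    for txn in transactions:
        for c in controls:
            if txn.get("process") != c.process:
                continue                      # control not linked to this process
            missing = [f for f in c.required if f not in txn]
            if missing:                       # unevaluable: data quality finding
                status = "DATA_QUALITY"
            elif c.holds(txn):
                continue                      # control objective met
            else:
                status = "CONTROL_FAILED"
            findings.append({"txn": txn["id"], "control": c.control_id, "status": status,
                             "risk": c.risk, "notify": c.owner, "missing": missing})
    return findings
```

Each finding carries the linked risk statement and the owner role to notify, which is the routing step the monitoring bullet describes.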
By leveraging AI algorithms to analyze source transactional data, evaluated against our customized RUBIQ ACE GRC defined algorithms, organizations can gain valuable insights into the effectiveness of their control processes, identify areas for improvement, and detect and mitigate risks more effectively. However, it’s crucial to ensure that AI systems are properly trained, validated, and integrated into existing control frameworks to maximize their effectiveness and minimize potential biases or errors.
AI can play a crucial role in governance, risk, and compliance (GRC) management by enhancing efficiency, accuracy, and effectiveness in various aspects of day-to-day governance, risk and compliance activities. With RUBIQ ACE (Automated Control Engine), we are assisting clients to gain deep insights into the exact root cause of critical core process problems that are directly impacting profitability, sustainability and revenue growth. With RUBIQ ACE effectively implemented, our clients are able to realize the true Return on Investment of Transactional Data based GRC and make a real difference to the bottom line, which has always been the Holy Grail vision of the outcome of effective GRC within any organization.