AI in risk management: use and governance

Nov 12, 2025

The role of artificial intelligence (AI) in risk management is evolving quickly. Many organisations in our network have begun to use AI, but while the technology offers many benefits, it also introduces governance and security challenges. This blog highlights some of the approaches to AI that our members shared during recent collaborations.

At the heart of our various member collaborations on AI are two questions:

  1. How can AI be utilised to manage risk?
  2. How do we manage the risks of AI itself?

Read on to find out how our members have been tackling these challenges:

Applications of AI in risk management

Most organisations now use AI in a risk management context, primarily using chatbots or large language models (LLMs) for simple queries. However, some of our members shared how they are moving beyond this by adopting AI tools for more specific uses.


1. Building a controls library

One organisation leveraged AI to build a controls library for its people-related risks. The goal of this activity was to extract key controls and “must” statements – i.e., the non-negotiable actions that “must” happen according to policies.

The AI model analysed 500 pages of internal manuals and policies, storing the information in a spreadsheet ready to be migrated into the organisation’s GRC tool.

“If given the same task, this would have taken a junior risk analyst hours to complete.”
Risk Leadership Network member

 

Taking it one step further, the model not only extracted key information, but also put it into a hierarchy. Based on a simple prompt, the model was able to pull out a few key controls from hundreds and identify interdependencies between controls.



2. Using predictive insights to drive action

One member organisation partnered with a data scientist to build a climate change model. The AI model helped them review open-source data, as well as internal metrics, to build predictions about climate change into their strategy. This allowed them to plan for possible futures, rather than learning only from the past and existing materials.

"We used AI to help decide where we should build factories, based on the physical climate change risks predicted to face certain locations"
Risk Leadership Network member

 

The organisation also used AI to join the dots within the business itself, linking external information and trends to internal data.

For example, if external data is showing that heavy rain is expected, AI can layer this onto internal data to identify which of the organisation’s sites should be notified. This allows mitigations to be put in place efficiently.


3. Connecting risks to objectives

One member used AI to connect their risks to the strategic goals outlined by the board. With 26 principal risks and 100 causes sitting behind them, these connections help the risk team to simplify their approach to risk reporting, and to communicate with senior leaders in a way that resonates with them.

These connections are also visualised within the reports, to communicate the relationships more effectively and make reporting more interactive.


5 ways we're supporting risk leaders with AI

  1. Show and tell sessions - risk leaders who have successfully developed an AI solution are sharing their approach with peers at virtual sessions, with the opportunity for Q&A.
  2. Bespoke 1-to-1 meetings - we're partnering up risk leaders at different stages of their AI journeys, so they can benefit from lessons learned.
  3. Developing the AI Horizon Scanner - to help the risk leaders in our network leverage AI in their horizon scanning, we've developed a new AI-driven system which automates the summary and analysis of emerging risk data from hundreds of relevant sources. Having developed it with our members, we're now working with them to integrate the intelligence into their ERM frameworks.
  4. Bespoke benchmarks - to inform and validate our members' approaches, we've conducted bespoke benchmarks on AI, based on the specific needs of members.
  5. AI working groups - we've set up a number of AI working groups so members can regularly come together and share progress with other relevant risk leaders. 

Managing the risks of AI

While risk leaders note clear benefits of AI, they also agree on the importance of data security, governance and human involvement when using these tools.


1. Data privacy and IP protection

Our members, as with all organisations, are aware of the risk of inputting sensitive information into AI models. To combat this, many have purchased enterprise licences or established closed-off versions of tools like Microsoft Copilot. This prevents external access to organisational data, and protects their intellectual property (IP).

Some have gone further, using tools to dictate which sources their internally used AI models can pull information from, and which they can't.


2. Governance groups

Many members are establishing dedicated governance groups or task forces to oversee the use of AI in their business. These are often responsible for developing an AI risk register and overseeing the strategy, budget, and risk appetite for AI projects.

“Our AI governance committee started by determining what the key pain points and inefficiencies were across the organisation. This fed into a discussion about how and where AI could provide the most value.”
Risk Leadership Network member

3. Keeping humans in the loop

A recurring theme of AI-related conversations is the need for human oversight. Most risk leaders say that a "human in the loop" is necessary to provide a sense check and add their perspective and knowledge. AI, in its current form, cannot be trained on everything that is important to each specific organisation.


What's next?

AI is already saving the time of risk leaders and their teams by streamlining day-to-day tasks, such as taking minutes at meetings, scraping news feeds and simplifying workflows. 

We're supporting our members in their use of AI in a number of ways, including through regular collaborations with their peers, bespoke benchmarks and developing our AI Horizon Scanner.

The AI Horizon Scanner, included in membership, saves time in gathering, analysing and integrating emerging risk intelligence across your organisation. Created with a human in the loop, the AI Horizon Scanner combines the speed of AI with the experience of the network; all data is reviewed and validated by our analysts to ensure it's relevant and unbiased.

Find out more about our AI Horizon Scanner
Download a free non-member sample of the first Quarterly Update from the AI Horizon Scanner.

 

To find out how your peers are using AI, hear case studies of AI success stories from practising risk leaders, and stress-test your AI plans before implementation, request an exploratory call, or explore membership here.

 
