AI is a “blessing”, and a “risk” to be managed

Obviously, technological advancements imply exposure to advanced or new risks, the more tech innovations, the higher risk ratings in terms of both probability and impact on businesses and our daily lives. AI is madly booming and changing the ways businesses work and individuals live. It’s everywhere, and still booming.

That has triggered Risk Management experts’ minds, to research on AI vulnerabilities and  formulate tailored AI Risk Management Frameworks in order to overcome the hazards associated with AI buzz.

First things first, let’s define what AI Risk Management is, simply put, it’s the set of processes, policies, tools and techniques used to identify, assess and respond to the risks related to AI deployment and inclusion in our world, the “world” includes businesses and personal lives, but let’s focus on businesses part here in this article.

Why AI Risk Management is Crucial

AI plays an integral role in reshaping business operations and strategic management, automating routine tasks and processes, literally, revolutionizing so many industries and so many more.  

McKinsey reports that 72% of organizations now use some form of artificial intelligence (AI), with an increase of 17% from 2023, and the numbers are going to get higher, really higher. Companies are competing in adding more AI features, trying to use AI as a competitive advantage, advertising more technological innovations and enhancing their efficiency through the power of AI.

At the same time, companies are aware of the risks inherited by AI development. An IBM Institute for Business Value (IBM IBV) study found that 96% of leaders believe that adopting generative AI makes a security breach more likely.

Therefore, the need for risk management frameworks and practices emerged to systematically manage/control those risks especially in early inclusions of AI.

Moreover, changes in regulations and complicated societal issues have started to rise on the surface putting more pressure on the organizations to concentrate on new risks resulting from the new situations in terms of compliance, data privacy and digital human rights for instance. So companies need to do their homework to maintain compliance, instill stakeholder confidence and uphold reputation.

AI Risk vs Software Risk

AI risks are very different from traditional software risks, the latter examines bugs, system failures, security breaches and so on, per contra, AI related risks extend beyond those concerns because AI itself is being developed to function beyond the capabilities of a traditional software.

Let’s take automated decision making for instance, a developed AI risk may lead to bias, unfairness and/or misleading interpretability when it comes to taking a critical decision to the business which in return could put it in a hazardous or, worst, a disastrous position. We will talk about the predicted risk issues associated with AI and the frameworks used to identify and control these risks.

Key Dimensions of AI Risks

Dealing with AI-related risks is so challenging due to three main reasons:

1. AI poses unfamiliar risks and creates new responsibilities
2. AI is difficult to track across the enterprise
3. AI risk management involves many design choices for firms without an established risk-management function

There are various critical areas organizations need to consider within the process of AI risks identification:

• Privacy: In the realm of privacy, AI introduces concerns related to invasive data collection and usage. Organizations need to be vigilant against unauthorized access to sensitive information, recognizing that AI systems, if not carefully managed, can inadvertently compromise individuals’ privacy.
• Security: The security dimension of AI risks encompasses vulnerabilities to cyber threats and the potential for unauthorized access to critical systems. As AI becomes increasingly integrated into organizational frameworks, safeguarding against cyber threats and unauthorized access becomes paramount for maintaining the integrity of operations.

• Fairness: AI systems are not immune to biases, and fairness concerns arise when there is a skew in decision-making processes. Organizations must grapple with the challenge of identifying and mitigating bias to prevent discrimination in algorithmic outcomes, ensuring equitable results across diverse user groups.

• Transparency: The transparency of AI decision-making is a crucial aspect often clouded by the complexity of advanced algorithms. Organizations face the risk of a lack of visibility into AI decision-making, leading to concerns about unexplainable or opaque models. Achieving transparency becomes a cornerstone in building trust and understanding within and outside the organization.

• Safety and Performance: AI introduces a spectrum of risks associated with safety and performance. From unforeseen operational failures that can have cascading effects to the gradual degradation of performance over time, organizations must diligently address these challenges to ensure the reliability and longevity of AI systems.

• Ethical Risk: Ethical risk stems from model behavior that violates norms, laws, regulations, or other governance standards. This may be present in the training data or be the result of production data over time. Examples include bias predictions, toxic outputs, exclusiveness, and prejudice responses.

AI Risk Management Frameworks

Now, moving to the frameworks that guide us to identifying, assessing, responding and controlling AI-related risks, the landscape is comprised of voluntary frameworks, guidelines, and legislation such as:

1. The NIST AI Risk Management Framework
2. The EU AI ACT
3. ISO/IEC standards
4. The US executive order on AI

Let’s have a closer look at these commonly used AI risk management frameworks.

1. The NIST AI Risk Management Framework (AI RMF) 

In January 2023, the National Institute of Standards and Technology (NIST) published the AI Risk Management Framework (AI RMF) to provide a structured approach to managing AI risks. The NIST AI RMF has since become a benchmark for AI risk management.

The AI RMF’s primary goal is to help organizations design, develop, deploy and use AI systems in a way that effectively manages risks and promotes trustworthy, responsible AI practices.

Developed in collaboration with the public and private sectors, the AI RMF is entirely voluntary and applicable across any company, industry or geography.

The framework is divided into two parts. Part 1 offers an overview of the risks and characteristics of trustworthy AI systems. Part 2, the AI RMF Core, outlines four functions to help organizations address AI system risks:

Govern: Creating an organizational culture of AI risk management

Map: Framing AI risks in specific business contexts

Measure: Analyzing and assessing AI risks

Manage: Addressing mapped and measured risks

2. EU AI Act

The EU Artificial Intelligence Act (EU AI Act) is a law that governs the development and use of artificial intelligence in the European Union (EU). The act takes a risk-based approach to regulation, applying different rules to AI systems according to the threats they pose to human health, safety and rights. The act also creates rules for designing, training and deploying general-purpose artificial intelligence models, such as the foundation models that power ChatGPT and Google Gemini.

3. ISO/IEC standards

The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) have developed standards that address various aspects of AI risk management.

ISO/IEC standards emphasize the importance of transparency, accountability and ethical considerations in AI risk management. They also provide actionable guidelines for managing AI risks across the AI lifecycle, from design and development to deployment and operation.

4. The US executive order on AI

In late 2023, the Biden administration issued an executive order on ensuring AI safety and security. While not technically a risk management framework, this comprehensive directive does provide guidelines for establishing new standards to manage the risks of AI technology.

The executive order highlights several key concerns, including the promotion of trustworthy AI that is transparent, explainable and accountable. In many ways, the executive order helped set a precedent for the private sector, signaling the importance of comprehensive AI risk management practices.

The Bottom-line

AI risk management is an ongoing process. Frameworks must evolve as technologies advance, and organizations must constantly adapt their practices.

Key challenges ahead include addressing increasingly complex AI systems, managing algorithmic biases, and ensuring the security of AI applications across industries. Proactive risk management, collaboration, and a commitment to ethical AI development will be essential to unlocking the full potential of AI while mitigating its risks.

While the AI risk management process necessarily varies from organization to organization, AI risk management practices can provide some common core benefits when implemented successfully, including:

Enhanced security

Improved decision-making

Regulatory compliance

Operational resilience

Increased trust and transparency

And much more..