The world of Artificial Intelligence is still very niche, especially within Internal Audit and Risk. We came across this interview that was published on the InsideBIGDATA site recently.
Despite growing calls to bolster their big data strategy, most companies remain behind the curve when it comes to using data, AI and machine learning tools to drive their enterprise governance, risk management and compliance (GRC) strategy, according to Dan Zitting, Chief Product Officer at ACL, an enterprise governance SaaS provider whose solutions are powered by data automation.
insideBIGDATA: Please tell us about ACL and give our readers a high-level view of how ACL has incorporated automation, AI, and machine learning into governance, risk management and compliance?
Dan Zitting: ACL is used primarily by teams across large organisations and government agencies responsible for overseeing risk management, compliance and similar functions. What makes ACL different is that for 30-plus years we have been using data analytics to make risk management and related functions more precisely quantified, more predictive, and more “real-time” automated to provide ultimate clarity about risk, compared with dated methodologies that often still have companies doing low-value risk management in spreadsheets.
What you’ll often see in an organisation is an annual risk assessment involving surveys of key executives to get a sense of risk in different areas of the business. What a completely academic waste of time compared to leveraging the power of the organisation’s transaction data. When using analytic and machine learning oriented techniques, and fully automating with robotics, organisations can both find and actively monitor the truth that is impossible for human surveys to reveal, and there’s nothing more effective for risk management. Individuals simply can’t sift through the amount of data technology can—and it does it in real-time—noting red flags that require attention.
The real battle is getting the C-suite to truly understand risk management in general. However, C-level executives turn the corner when the risk management team incorporates analytics to quantify and reveal areas of the business otherwise overlooked. The C-suite takes notice when they see double-digit improvements in risk detection and compliance, including those that could otherwise severely damage their reputation.
insideBIGDATA: How are companies generally doing when it comes to risk management? How much of their data are they actually using?
Dan Zitting: Companies are doing a relatively poor job outside of a few select industries such as banking and insurance. Those industries do better because the core business of a bank or an insurance company is ultimately to manage risk. Outside of those, however, both private and public organisations tend to be fairly immature as it relates to using data and analytics for risk management.
For purposes of risk management, companies use maybe 5 to 10 percent of their potentially meaningful data. For example, one of the risks that companies are materially concerned about is that of a security breach. To analyse risk in these areas, they will ask questions and look at compliance standards― when they should be looking at actual data captured on all of their devices that show vulnerabilities the company has and where the threats are coming from. Organisations generally don’t know how to use their data effectively—whether it’s for cyber security risk in IT, financial reporting risk in finance, or the dozens/hundreds/thousands of other risk areas they are exposed to—and they certainly don’t have proper visibility if they are relying on humans and spreadsheets.
If the organisation has centralised risk management related functions, that department must advocate aggressively for developing a core strategy for analytics. Groups like Enterprise Risk, Internal Audit, Information Security, etc. already usually have an audience with the C-suite and the board of directors. They can shine a light on the deep value of risk management to the corporate strategy by demonstrating the insightful power of increasingly smarter evaluation of organisational data.
Department heads should also advocate for a more quantified and predictive approach to managing issues of risk, compliance, etc. For instance, financial crime teams uncovering credit card fraud or money laundering are obvious examples where financial institutions can use AI and machine learning to do a better job. But no matter the industry or department, there are use cases around risk and compliance that show how thoughtful use of data science can transform the way companies manage these issues, what those program costs, and ultimately the value it brings to the business.
insideBIGDATA: Are robots replacing important corporate functions?
Dan Zitting: They’re not necessarily replacing them. Rather, robotic automation technology is making corporate functions much more effective despite functional resource constraints.
Corporate functions, such as in this case those like internal audit, risk management, regulatory compliance, financial reporting, etc. tend to be understaffed and under-resourced. But the executives in those functions tend to become rock stars rather quickly once they’ve demonstrated value delivery with automation, AI and robotics. Suddenly, they have a competency to build data robots that offload work they were doing manually, and that opens up time and expands their value to the organisation. These robots allow them to review billions of records in real time, where previously they could only look at a small fraction of records in even long periods of time. This significantly increases chances of identifying patterns, trends, or red flags that humans alone could never pick up.
Case in point, I was working with a client team responsible for IT compliance and because this business hosts other companies’ data, it must be compliant with a broad range of industry standards. The client spent several thousand hours a year manually collecting evidence to demonstrate their compliance, and manually assessing each of the areas of risk. The team worked with us in building a variety of data robots that monitor different key compliance points in real time and, in the process, freed up several thousand hours of manual analysis and manual evidence gathering and significantly upgraded the company’s compliance capabilities.
I like to think about the future of GRC-related functions and robotics in the context of the quote “Either you are the one creating automation, or you are the one being automated.” That is never truer than now in the practice of the virtually all GRC-related functions. Some will surely lose jobs while others see rapid career acceleration based on which side of that quote they come down on.
insideBIGDATA: What is the future of “Big Data” and analytics in risk management?
Dan Zitting: It is currently quite typical for large organisations’ Boards to be provided a heat map that shows the company’s top 20 risks based on an annual assessment or audit.
In the near future, more companies will have a living, breathing, “single pane of glass” view of risk with custom risk dashboards that move in real-time. As the conditions in the business change—as captured in the organisation’s transactional data—they will always know what the risk posture of the organisation is, so the company can make better and more intelligent risk-based decisions on the spot.
Similarly, the majority of companies today manage risk by analysing what they know to be a risk. In contrast, with AI and machine learning, companies can begin to understand the risk they’ve been missing completely. They can be asked to consider possible risk issues manifesting in data patterns that the company never previously predicted. Machine learning means robots that can learn differently and more effectively than humans alone can augment traditional strategy and risk analysis.
One client of mine was considering a price change for their products. Using analytics and machine learning, we were able to identify pockets of customers via geography, title, contract age, and many other attributes (from the hundreds of available data dimensions) who could likely suffer high levels of churn because of product and price changes, many of which we had never thought to consider before the intelligent robotics surfaced interesting questions for us. That’s the kind of knowledge a company can only realise as a result of having machine learning capabilities. In this case, it provided them precise information which fed directly into their strategy. We will see much more of this in the future.
There’s no point in doing risk management just for the sake of it. The reason for having such programs is so that companies can more reliably achieve performance objectives. That means fewer cyber security incidents, fraud investigations, compliance issues, negative financial losses, and/or drill-downs by regulators. Risk management, with the power of analytics, machine learning and robotics is very effective in reducing all of those things and the impact of that will become more apparent in companies in the future.
insideBIGDATA: How do companies keep effectively improving their performance and analysing and using more of their data for corporate governance?
Dan Zitting: The first thing companies must do is to build a data science strategy around risk management and corporate governance. Today, lots of organisations are building out data-science functions within marketing or sales, but they need to deploy that same strategy within their risk management, audit and compliance functions.
If the company already has a centralised data-science function, they should expand the availability of their analytics capabilities to professionals working in governance and risk management as well.
A company’s ability to sharpen risk management and compliance will drastically improve when there’s a mandate for robotics and machine learning—that’s going to be a critical component of how organisations conduct risk management moving forward. Once that’s established, it’s a matter of maturing the program over time.