RiskTech Forum

BWise: How Artificial Intelligence can Influence Governance, Risk and Compliance

Posted: 9 January 2018  |  Author: Ladd Muzzy  |  Source: Nasdaq BWISE


Artificial Intelligence (AI) offers enormous opportunities to businesses. Given the correlation between risk and an organization’s objectives, one could easily extrapolate how AI can help bring insight to Governance, Risk, and Compliance (GRC) activities as well.

But, what is AI? As a working definition, AI is the science and engineering of making intelligent machines and computer programs to achieve a goal. It’s about creating a computer mind that can think like a human. It’s about machines taking action.

One of the most important technological advances of our time is artificial intelligence, and, in particular, machine learning, which is the ability for a machine to keep improving its performance without human involvement to accomplish tasks. Systems can now be taught to perform activities on their own.

The transformative effects of AI will be felt across nearly all industries. The impact on core processes and business models will be enormous, placing further strain on management and implementation.

Known Unknowns

GRC and AI Image 2

There are similar implications for risk management. Probably one of the best cases is fraud detection. Algorithms can be written using various stochastic modeling techniques, coding, and data testing. Of course, for machine learning to be successful, it must have quality data. As a result, there is a premium on structuring risk data in such a way to use it as AI input. Conversely, a challenge implicit in machine learning is substantiating its outcomes. As machines “learn,” their conclusions may not always yield the desired result. This conceivably makes it difficult for a risk manager to explain the machine’s conclusions to executives or a regulator difficult. For example, there may be issues with multicollinearity, lack of data, as well as how the machine deals with outliers, which is common with many risk data, especially if the organization uses external data.

GRC and AI Image 2This example applies to a typical risk management anecdote of “driving by looking through the rear-view mirror.” The shear amount of data aids in the confidence (not just the statistical significance of a model) of AI’s output. This is beneficial to many high inherent, intrinsic risks that organizations experience. Malware is an example.

AI can also be used to substantiate conformance. For example, one large financial services company uses AI to help prevent money laundering, thereby assuring AML/BSA compliance.

Unknown Unknowns

An obvious challenge for AI becomes when the data is unknown or unstructured. Executives and boards are looking for what the next potential severe event may be. AI acts a catalyst for some of these topics, such as scanning medical images to help diagnose cancer. However, AI struggles with answering questions like who the new disruptive competitor may be, the next emerging technological advancement in operations, or the implications of regulatory change. Regardless, as AI continues to mature in sophistication, it will likely need human intervention to extrapolate its ultimate affects on the company.

Individuals can use GRC software’s risk and control data to overcome possible limitations of AI. In fact, one tool, scenario analysis, uses risk and control data, such as loss events, capital investments in controls, and business activities (e.g., data feeds from social media) to stress likely risk scenarios on the balance sheet and income statement.

GRC Advances

GRC and AI Image 3

AI is scratching the surface of how it will influence risk management. Topics, such as big data, will play a significant role in evaluating risk and risk management activities. Other subjects, such as analytics, will drive GRC and AI Image 3insight into how the risk profile may be changing. In either case, a significant benefit of AI is its ability to be fluid and dynamic. This creates an environment of immediate transparency so unwanted exposures can be dealt with sooner rather than later and opportunities can be realized sooner.

Additionally, using AI to improve deteriorating controls helps to maximize the control environment. This lays the opportunity to evaluate the efficacy of control investments. AI may signal the ability to relax the control environment, which can lead to reallocating capital to areas of growth.

Furthermore, AI can create insight into the relationships of risks. The Nasdaq BWise GRC platform offers the ability to report and provide insight into risk topics that may link to one another. For example, data privacy risk has multiple facets – operational, IT, compliance, and people. Utilizing AI can marry the variables across risk types to provide a holistic picture of the risk environment.


Although the GRC space is in its infancy when it comes to AI, it is disrupting the traditional mindset of how risk management is thought of. For instance, machines learn from examples, which requires collaboration across the lines-of-defense. Until we can create a better understanding of how a risk’s exposures morphs through the value chain, we will need to continue to rely on GRC software to set the precedent for decision making.