Written by William Webster

Researcher, Avoncourt Partners GmbH

Culture Blog - Nov 2, 2018

The AI Knowns and Unknowns for GRC

Artificial intelligence is perhaps the most important technological advancement of our time. Machine learning in particular, the ability of a machine to keep improving its performance at tasks without human involvement, is making waves across sectors. Systems can be taught to perform activities without human intervention. The impact on core processes and business models will be enormous, enhancing the decision-making capacities of management and their implementation.

Known Unknowns of Artificial Intelligence

AI will be transformative for risk management. One of the best examples is in the task of fraud detection. Algorithms can be written using various stochastic modeling techniques, coding, and data-testing. For machine learning to be successful, it must have relevant data. As a result, there is a price for structuring risk data in such a way as to be useful as AI input. Conversely, a challenge implicit in machine learning is substantiating its outcomes. As machines “learn,” their conclusions may not always yield the desired result. This conceivably makes it difficult for a risk manager to explain the machine’s conclusions to executives or a regulator.

This exemplifies a typical risk management anecdote of “driving by looking through the rear-view mirror.” The sheer amount of data adds to the confidence in AI’s output (not just the statistical significance of a model). This is beneficial for many of the high inherent, intrinsic risks that organisations experience, for example malware.

AI can also be used to substantiate conformance. For example, one large financial services company uses AI to help prevent money laundering, thereby assuring AML/BSA compliance.

Unknown Unknowns

An obvious challenge for AI comes when the data is unknown or unstructured. Executives and boards are looking for what the next potential severe event may be. AI acts as a catalyst for some of these topics, such as scanning medical images to help diagnose cancer. However, AI struggles with answering questions like who the new disruptive competitor may be, the next emerging technological advancement in operations, or the implications of regulatory change. Regardless, as AI technology continues to mature, it will likely need human intervention to extrapolate its ultimate effects on the company.

Individuals can use GRC software’s risk and control data to overcome possible limitations of AI. In fact, scenario analysis, a GRC tool, uses risk and control data such as loss events, capital investments, and business activities (e.g. data feeds from social media) to emphasize likely risk scenarios on balance sheets.

GRC Advances

Currently, AI is only scratching the surface of its influence in risk management. Topics like big data will play a significant role in evaluating risk and risk management activities. Other subjects, such as analytics, will drive insight into how the risk profile may be changing. Nevertheless, a significant benefit of AI is its ability to be fluid and dynamic. This creates an environment of immediate transparency, such that unwanted exposures and beneficial opportunities can be addressed sooner rather than later.

Additionally, using AI to improve deteriorating controls helps to maximize control environments. This creates the opportunity to evaluate the efficacy of control investments. AI can signal the ability to relax the control environment, which can lead to reallocating capital to areas of growth.

AI can also create insight into the relationships of risks. For example, data privacy risk has multiple facets: operational, IT, compliance, and people. Utilising AI can marry the variables across risk types to provide a holistic picture of the risk environment.


Although AI is in its infancy when it comes to GRC applicability, it is disrupting the traditional mindset of how risks are managed. Until we can create a better understanding of how a risk’s exposures morph through the value chain, we will need to continue to rely on GRC software to set the precedent for decision-making.