Risk Management Controls and third party audits are important in AI and Data management practices
This blog series has been exploring the meaning of corporate purpose and looking at the importance of AI Ethical frameworks, and evolving audit practices to improve risk management practices, and advance digital literacy foundations to support the evolution to intelligent enterprises.
See Blog One in this five part series here defines corporate purpose and its importance in creating stronger intelligent enterprises. Blog Two in this five part series as this blog identifies leading AI principles, and frameworks or standards to guide board directors and CEOs to increase their knowledge in these areas, as well as their C-Suite. Blog Three identifies key questions that a Board Director can ask of its CEOs, and in turn, the CEO should be well prepared to answer data management strategic questions to manage data risk and ensure data value realization. Blog Four identifies board director and CEO risk management questions relevant to AI.
Board Directors and CEO’s have a primary responsibility to focus on data foundations as a risk priority and be mindful of using AI without strong trusted data management foundations firmly in place. This fifth and final blog in this series focuses on what Board Directors and CEOs can ask of their external auditors and uderscores why audit and control functions play a major role in getting AI right.
Articles abound on the risks and challenges associated with AI: gender and race biases in recruiting, credit approval software; chatbots that turned racist, inaccuracies in predictive models for public health, and diminished trust in machine learning models.
Some developments are worth being aware of. First, the Algorithmic Accountability Act, proposed by Democratic lawmakers, if passed would require that larger/publicly traded companies evaluate their “high-risk automated decision systems” for accuracy and fairness. EU’s GDPR audit process also covers some aspects of AI such as a consumer’s right to an explanation when companies use AI algorithms to make automated decisions. Also, the Information Commissioner’s Office (ICO) in the U.K. a proposed AI auditing framework that is much broader in scope and is worth monitoring, as Europe is advancing more rapidly in its legal frameworks on privacy and AI.
The ICO framework has identified eight AI risk areas and identifies governance practices such as: leadership engagement, reporting structures and employee training.
Board directors and CEO’s cannot wait for all these legal and regulatory frameworks to be put in place, so having third party audits /internal model reviews, ensuring usage of AI models are well documented like: documenting the names of the AI model developers, assigning risk ratings (data, society, financial, etc), if a model fails. AI audits must dig deep into evaluating the quality of the training data and ensure the algorithmic methods are robust and fair.
A robust audit process for data management practices must be the way forward for governing AI/ML decisions and ensure there is corporate purpose alignment.
Here are some of the key questions that a board director or CEO can consider asking of an audit firm.
1.) Does your audit practice have proven expertise in data management audits and AI / Machine Learning areas?
2.) Do you have an AI Ethics Trusted Framework, and set of operating principles or guidelines that can guide our corporate AI initiatives from a risk perspective?
3.) Does your audit practice apply your AI audit frameworks in your own internal operations and have an independent auditor review your internal practices?
4.) Have you helped evolve procurement and legal functions to have risk management practices in relationship to black box AI approaches vs trusted AI (visible) approaches?
5.) Do you have a digital literacy program for all your auditors with a foundation on data management and AI?
6.) What lessons have you learned in helping companies build stronger trusted AI audit practices?
7.) Are the resources assigned to your account certified in data management and AI?, and do they have the qualified skills to do your audit review vs leveraging the firm’s overall brand. Note: Always know the skills and capabilities of the talent assigned to your account (inspect).
Conclusion
This five part blog series has been written to motivate board directors to ensure they have a clearly defined corporate purpose and that investments in technology in particular with AI and ML methods that a foundation of data excellence is in place, ethical AI practices, and third party audits. Although many of the legal frameworks are not yet firmed aligned globally, board directors and CEOs must understand that their most valuable strategic asset is in their data, and valuations of companies will shift as auditor and regulatory evaluation risk frameworks evolve. Most board director audit committees do not have an AI and Ethics business or technology risk officer in place, or a board director experienced in these areas.
I recently completed my ICD.D board director certification at the Rotman School of Business at the University of Toronto. It was an excellent program overall, however there were no core modules on AI and ML risk, although cybersecurity and data leakage risk was discussed, nor was there a distinct discussion on corporate purpose and its importance in technology investments. With approximately 8.5% of revenue in all industries investing in IT, increasing governance in technology and aligning with corporate purpose.
Newer governance models like ESG (Environment, Social, Governance) present new opportunities to bring AI and ML and corporate purpose into stronger governance practices. Unfortunately, the majority of ESG consultants have limited AI/ML /technology expertise impacting the integration of AI/ML into these newer frameworks.
