Amid a surge in technological capabilities, many organizations are rapidly deploying artificial intelligence (AI) to make maximum use of data and make certain processes more efficient and effective.
But along with opportunities for improvement, AI can pose risks that often are not isolated to a single department such as IT, but affect multiple functions throughout an organization.
As a result, organizations need governance, risk management, and controls to take advantage of AI's benefits while operating within their own risk appetite. Effective enterprise risk management (ERM) can guide an organization's strategy in this area, and this topic is addressed in research published Wednesday by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
COSO is a joint initiative of five private-sector organizations, including the AICPA, that develops thought leadership to enhance internal control, risk management, governance, and fraud deterrence. Over the last few years, COSO has endeavored to publish application-oriented guidance that helps organizations apply its principles-based frameworks to challenges and opportunities they encounter.
The guidance published Wednesday, Realize the Full Potential of Artificial Intelligence, describes how an organization can use the COSO ERM Framework and principles to help implement and scale AI projects. The publication is authored by Deloitte & Touche LLP, and it further explains how Deloitte's proprietary, nonauthoritative AI framework can be considered in AI implementation.
The COSO guidance explains that by understanding AI-related risks, an organization may be better positioned to deliver return on investment and meet shareholder expectations. Through ERM, organizations can refine and adapt their AI efforts to effectively support their strategies.
COSO Chairman Paul Sobel said in an interview that some companies are implementing AI projects one at a time without considering how AI as a whole fits into their governance processes and strategy.
"You have to view AI from a broader perspective," he said. "You need governance over your AI initiatives. You need to make sure they fit with your strategies and objectives. You need to understand the risks associated with it and how to manage and monitor those risks."
According to the guidance, AI platforms need to be:
- Trusted, because ERM is transparent by nature and it helps keep an organization abreast of its risks and opportunities;
- Tried, with models continually tested and vetted to make sure they are operating as intended; and
- True, with governance, risk management, testing, and monitoring processes that help AI platforms reflect the organization's values and protect its reputation.
Sobel said organizations need to carefully consider whether they have the right governance in place over AI.
"It's important to have good governance over any sort of technology-type initiative, and then the strategy and objective-setting component is, make sure you're doing this because it actually links with and enables a strategy or objective," he said. "You're not doing it just because you can."
Once governance is established and strategies and objectives are defined, organizations can more effectively consider the risks and how to manage them.
Sobel expects use of AI to continue to accelerate, partly as a result of the coronavirus pandemic. A trend toward automation coupled with worker shortages has increased the likelihood that businesses will use AI to handle certain tasks.
Indeed, research published by IBM indicates that 43% of IT professionals said their company has accelerated its rollout of AI as a result of the pandemic.
"We know it's going to be exploding so much in the future," he said, "and it would be very helpful for companies to read and understand how to look at AI a little more holistically just like any other type of risk or initiative and apply those COSO components and principles in such a way that it can help optimize your success with it."
— Ken Tysiac (Kenneth.Tysiac@aicpa-cima.com) is the JofA's editorial director.
