April 2nd, 2024 • Loren Johnson • Reading Time: 6 minutes
In December 2023, I published the first of a series of blog posts on AI in third-party risk management, called The Double-Edged Sword of AI for TPRM. This is the second post in that series, and despite it being just a few months since the previous posting, some significant things related to AI and AI for TPRM have already changed.
How AI for TPRM is Changing Already
Conceptually, artificial intelligence (AI) has landed. In late 2022 and all through 2023, the sky was the limit in terms of imagining how AI could revolutionize our lives, both at work and at home. It was a potential hammer for so many nails, promising value yet somehow still vague in how exactly it would do so.
Now, in 2024, many people are working to clear away the hype and better identify how, specifically, AI can and will benefit their businesses and their lives. It’s rapidly becoming time to put your money where your mouth is.
As I mentioned last year, AI means many things to many people. There’s a broad range of AI-like and more advanced applications across a spectrum. Moving from one side to the other, there are simple enhanced systems, then rules-based and adaptable recommendation engines (search and maps), on to more sophisticated process automation and statistical logic systems that predict outcomes. All of this is AI to some degree.
For many businesses, the advancement and extension of existing algorithms and automation in AI is the focus; it’s where much of the promise of efficiencies and resource savings lies.
Generative AI and Artificial General Intelligence
Further along the spectrum, we have generative AI, which is where the public’s imagination has been captured. It’s where AI tools can be tasked to generate content – art, writing, music, data, and records – that often seems human-created. Generative AI has many artists, copyright owners, and businesses worried about artificially generated content with questionable sourcing, attribution, and honest disclosure.
At the (current) farthest side of the AI spectrum, we have Artificial General Intelligence (AGI), which is thinking, adaptive, cognitive software that can learn to do and calculate things beyond what it was initially designed to do. While most AI experts say AGI is more conceptual than reality at this point, many of the predictions of a future transformed by AGI are so extreme that it’s largely unimaginable.
A Sign of What’s to Come
While the pace of AI development accelerates, it’s good to embrace what works well today while building the frameworks and understanding to adapt to, prepare for, and absorb upcoming iterations.
As AI continues to source content from connected devices, there’s a likelihood that we’ll see echoes of proprietary business content in publicly available AI-generated materials as well. This does not just affect humanities and the arts but can and will affect businesses and risk programs across all industries. Not surprisingly, multiple Aravo customers have expressed concerns about generative AI being improperly used within their own organizations and across their third parties.
True-Life Applications and Benefits for AI in TPRM
As the initial excitement about AI transitions into real business applications, viable and measurable benefits must be delivered. When we talk about AI in risk management, it is often focused on automation, streamlining critical processes, ensuring organizational and regulatory alignment, and reducing resource requirements.
This is where augmented or assistive intelligence can help risk managers identify priorities, accelerate processes, skip redundant steps, approve or reject scenarios, and improve risk-based decision-making. It can enhance data capture and validation, optimize risk evaluations and scoring models, accelerate controls, trigger risk remediation, and activate resiliency provisions.
Notably, it can do so effectively within a closed AI system, using only data isolated in that single risk management system. Ultimately, decision confidence and recommendation engines can help risk professionals improve consistency, limit user bias, and reduce the effort to best identify, focus on, and address the risks that matter to their organizations. It can deliver insights that may not be apparent through traditional analysis, more precisely and more effectively.
It is for this reason that we see AI making an initial impact on third-party risk management program performance, effectiveness, and strategic impacts on the business and, in the long run, becoming so ingrained into critical risk identification, management, and mitigation that it is a natural systemic ingredient in a well-run TPRM program.
It is because of this that we see AI as being beneficial to experts by enhancing their roles and allowing them to deliver more value to their organizations, not as a replacement for human intellect and strategic vision. As an extension of existing automation and intelligence, it will deliver advancements in the program efficiencies, effectiveness, and insights that drive good risk management practices.
Trusting Expertise to Find the Right Balance
In my previous post, I postulated that AI in TPRM is likely going to be applied with limited generative capabilities – at least initially. As a tool to improve existing applications and expand process functionality and accuracy, it has lots of promise. Yet, for many in this industry, generative AI and AGI create too many unknowns and more risks than there is an appetite for. This balance of risk and reward is the double-edged sword of AI in TPRM.
In the GRC, risk management, and TPRM industries, reasonable, incremental, and logical applications of AI make the most sense. Aravo has had AI capabilities available in our product for more than five years. The applications are focused on delivering value for our customers where it matters most to them – helping them better realize operational efficiencies, limit liability, and achieve revenue assurance.
In each of these use cases, Aravo’s current AI approach is to augment and enhance human intelligence more than apply artificial intelligence to generate content or learn how to make decisions.
Human Decision Making Shouldn’t Go Anywhere
And this is where I’m sticking to my guns. As I noted in December, where some industries may invest in AI to deliver decision-making efficiencies, risk management is not a place where any rational person would hand over decisions to a machine. No matter how smart or sophisticated that machine is, risk management is a strategic discipline for a business, defined by human intelligence. Risk management not only defends the business against threats, but it also helps define and create opportunities, balancing risks and rewards.
For example, if I were a risk manager and my company’s ambition was to open production facilities in India in the next ten years, and doing so would give my business a long-term strategic advantage in the Asian market, that knowledge should influence whether and how I choose to partner with a particular third party based in India today. Even where that potential partner represents high risk and my assessments raise red flags, my strategic viewpoint should help drive my decisions.
In this scenario, I need to personally evaluate the risks and rewards of doing business with this third party and the long-term consequences of doing so. If I depend on an advanced AI solution to process the evaluation, scoring, risk models, and to decide whether or not it makes sense for my business to work with this third party, the AI engine would reject the engagement without considering the long-term strategic goals of my company.
And based on my business’s risk evaluation criteria, that makes sense. But, because I know more than my data, my business history, and all the inputs the AI engine uses, I need to be able to make those decisions myself – overruling the AI evaluation criteria in this case – and initiate that engagement.
Tricky TPRM Decisions for High-Risk Third Parties
Is the above decision risky for my business? Yes. But as any professional in the TPRM market knows, there are times when it makes sense to do business with red-flagged third parties, as long as extra precautions are taken to protect your business.
To help with this, in Aravo, you can also create detailed records of assessments, scores, and engagement decisions made. Therefore, should questions arise or an audit occur, records would show how and why decisions were made in reference to doing business with that high-risk third party.
While this may be an oversimplification, if my enthusiasm for artificial intelligence allowed it to make decisions for me, if I removed human intervention, I would miss a strategic opportunity to ensure the long-term success of my business. Ironically, the use of AI may allow me to create a more mature approach to TPRM while developing my expertise and making me a better risk management professional.
AI Governance Plays a Big Role
In the scenario above and in similar cases, AI governance, policies, and disclosures are important. Rules of engagement for the business are essential as AI capabilities continue to advance. Already, there is a market expectation that businesses should use AI appropriately and transparently.
Because businesses must be accountable for their use of AI, many are actively defining governance policies and rules about the use of AI within their companies and across their third parties. At the same time, multiple Aravo customers have asked how to best inquire about, evaluate, score, and define their governance and expectations about the degree to which, and how, their third parties should (or should not) use AI in the services or solutions they provide.
In terms of global regulations, we see governments considering the same kinds of questions and concerns businesses have about policies and acceptable uses, as well as potential enforcement jurisdictions and actions. In some cases, governments have been slow to address AI due to a need to balance creating opportunities for their constituent businesses and creating applicable governance. Given how quickly AI technologies are advancing, governments are challenged to balance those needs while not creating legislation that’s rapidly outpaced by innovation.
The first AI regulations may miss the mark, but the legitimacy of and public demand for applicable AI regulations will continue to grow. There is likely to be some AI governance enforcement bumpiness for many years. But ultimately, governance and accountability expectations will likely iron out some of the questions and fears about AI-generated content and data.
AI for TPRM Will Keep Us on Our Toes
The double-edged sword of AI in TPRM, the excitement of innovation, and the risks it represents will ultimately be mellowed by investments in governance, viable and accountable applications, and in the measurable value a well-designed and well-run TPRM program delivers. It’s going to be a very interesting ride for many years.
Loren Johnson leads Aravo’s product marketing function, covering how Aravo builds, markets, and sells its market-leading third-party risk management solution. Driven by a passion for innovation and solving business challenges, Loren brings an international business perspective and desire to deliver measurable customer success. Loren is a long-term TPRM advocate with an MBA in International Management from Thunderbird, and more than 30 years working in the technology sector. With eight years in the GRC market, Loren brings enthusiasm and an informed perspective to his work with Aravo.
Senior Director, Product Marketing