The Double-Edged Sword of AI: Part 3

July 29th, 2024 Loren Johnson Reading Time: 4 minutes

I started this series of blog posts on the Double-Edged Sword of AI for TPRM in December of 2023. This is the third post in the series, and in that time period the buzz about the application and advantages of AI in TPRM, GRC, and other business use cases has evolved from far-off aspirational to a real-life and measurable benefit. Yet, the aspirational applications remain.

AI in the TPRM Space: Enthusiasm and Skepticism

From the start, our approach toward AI in TPRM has been enthusiastic yet rationally skeptical. There are current applications of AI that deliver real value to practitioners and program performance. There is much in development today, and there are still expectations that AI can do more in the realm of risk management.

In the Aravo solution, AI helps risk managers accelerate third-party risk evaluations and scoring, allowing smart, learning, and automated systems to make recommendations for actions based on a customer’s distinct risk profile and reference practices. It applies isolated customer data to drive recommendations and does not eliminate the human factor.

There are other systems that are precariously close to using open network data and systems to influence AI in risk management, based on the assumption that best practices are not isolated to individual programs and could improve performance.

My assumption is yes, most risk managers crave learning and best practices. However, risks of data leakage or contamination are present. Additionally, potential struggles to control AI data and algorithms that use content and information sourced from outside their organization make using open AI systems untenable. After all, risk management is based on balancing risks and rewards, and for now, broad application AI solutions represent risks more so than rewards.

Benefits to Smart AI for TPRM

For today, the limited use of AI in TPRM programs is the way to go. With assurances of closed data systems, auditable algorithms and automation, and measurable impact, AI is a benefit to TPRM practitioners.

I’ve seen AI tools help organizations complete questionnaires, help decipher regulatory updates, and improve relative risk scoring. All of these are recognizable benefits to the TPRM practitioner as they identify and evaluate risks, define and execute controls, and generate reporting for their organizations.

Some Additional Considerations

There is a lot of promise of AI in additional TPRM applications, especially as innovation builds on innovation. One of the biggest challenges in TPRM is developing risk-based practices that are aligned to the organization’s risk profile and allow for relative and accurate prioritization of risks. As TPRM programs mature, there is an expectation that they will more clearly identify the criteria for when a third party should go through additional risk assessments. What are the business rules for when a questionnaire is or is not sent, or when topic-specific information requires additional follow up, or when due diligence or continuous monitoring is applied?

Over the years, I’ve seen various proposed best practice models where 100% of third parties are assessed, 75% are sent questionnaires, and 20% are processed through due diligence and/or continuously monitored. Especially as there are costs and cycle times associated with each of these steps, these arbitrary percentages are inefficient and ineffective. Yet, for too many risk professionals, more precise applications of risk-based processes across their TPRM program remain elusive.

It doesn’t have to be.

Ideally, smart systems should adapt those arbitrary percentages to the reality of an organization’s risk profile and third-party environment. Adaptable, weighted scoring, AI-informed evaluation criteria, and the smart application of risk intelligence should help organizations deliver more effective and efficient programs.

Advanced assessment criteria informed by high-quality risk intelligence data sourced in the earlier stages of evaluation and onboarding processes allow businesses to identify where real risks lie and prioritize necessary mitigation activities. Where efficient processes identify only 30 of 1,000 third parties as representing real risk to the organization, standard percentages are inefficient and inapplicable.

The Next Wave of AI for TPRM

Ultimately, TPRM professionals want to run efficient, effective, and safe programs. Where AI can deliver that for them, it’s welcome. From the business’s perspective, as long as the TPRM program delivers positive outcomes, market advantage, and effectively protects the organization from risks, regulatory compliance misalignment and/or enforcement, and operational and reputational damage, technology – including AI – is a welcome contributor.

I expect AI to continue to make inroads in TPRM. There are new program efficiencies and performance improvements within reach already. In our case, we see AI combined with risk intelligence accelerating evaluations and delivering more precision in identifying and mitigating risks.

Smart risk intelligence implemented in the earlier stages of evaluation and onboarding promises to not only reduce costs, cycle times, and risks, but also to measurably reduce false positive reporting, data, and intelligence, allowing customers to work with more actionable data and insights. And informing and building practitioner performance and expertise with AI and risk intelligence will increase the value of TPRM programs across organizations.  

It’s a great time to be a TPRM practitioner, to build expertise, to apply smart systems to improve performance and impact on the business. I trust such practitioners and professionals to continue to embrace AI where it is safe and delivers measurable impact, but not to cede their turf to AI solutions that introduce new risks to their programs or organizations.

The double-edged sword of AI in TPRM remains sharp as that balance needs to be maintained. Even as the technology evolves and promises of bliss are marketed to TPRM professionals, healthy skepticism, consistent demands for assurances, and well-defined program governance should rule the day.

Interested in continuing this conversation? We’d love to hear from you. Contact us today.

Loren Johnson

Senior Director, Product Marketing

Loren Johnson leads Aravo’s product marketing function, covering how Aravo builds, markets, and sells its market-leading third-party risk management solution. Driven by a passion for innovation and solving business challenges, Loren brings an international business perspective and desire to deliver measurable customer success. Loren is a long-term TPRM advocate with an MBA in International Management from Thunderbird, and more than 30 years working in the technology sector. With eight years in the GRC market, Loren brings enthusiasm and an informed perspective to his work with Aravo.
