By Matteo Coppola, Katharina Hefter, Marianna Leoni, and Thomas Pfuhler
Consider three events in the last three years: the COVID-19 pandemic, Russia’s invasion of Ukraine, and the sudden availability of plain-speaking generative artificial intelligence (GenAI). Then look forward to the growing impact of climate change and the possibility of more severe droughts, floods, and fires. Now think about your company’s risk management capability. Is it organized, and does it possess the capabilities it needs for today’s world—and tomorrow’s?
The answer for very few companies will be yes. Risk has always outpaced risk management, but the scale, complexity, and interconnectedness of risk today present companies with new challenges. (See “Risky Business.”)
Risks today are complex, fluid, fast moving, and interconnected. Economic risks, including market volatility, industry disruption, and geopolitical upheaval, are pervasive. Technology-related risks are growing in type and number. BCG estimates that the global cost of cybercrime, for example, has soared from $445 billion in 2015 to more than $2 trillion today and will only continue to rise.
Regulators have become more vigilant. The 190 non-financial companies included in four global market indices were fined more than $200 billion between 2009 and 2022. Over the same period, North American and European banks were fined more than $400 billion.
Human-related risks continue to evolve in new ways. The current shortage of talent, especially in analytical and new technology capabilities, is an immediate challenge. In some advanced banks today, 40% of all open job roles are AI related.
Then there’s climate change, which represents an entirely new driver of risk with unknown ramifications. A recent analysis we performed for an infrastructure company revealed that flooding and other natural disasters could reduce EBITDA by up to 8% in the next five years.
Compounding all of the above are the speed at which threats develop and their interconnectedness. Information spreads rapidly via social and business networks and the impact can materialize in a flash. It took only a few days for solvency concerns to bring down the 16th largest bank in the US. The reverberations were felt almost immediately by other banks in the US and Europe.
Companies worldwide need a new model to approach risk and integrate risk assessment into decision making at all levels. Here’s how to go about building it.
This new and comprehensive approach to risk management starts with a risk function that is anchored in the C-suite and involved directly in strategic decision making. It also requires mature business functions that blend risk management into day-to-day decision making. The risk function must be tightly connected with both the business and the finance functions and include the assessment of financial and non-financial risks (such as supply chain and other process-related risks). The technical and analytical capabilities of the risk function should be used for decision making at all levels, making operations and processes more resilient.
The goal is for risk management to operate as a control function that prevents individual risks from reaching threatening levels while actively supporting the right risk-reward decisions. This risk management approach is built on three pillars. (See the exhibit.)
Growing the Company. To support a company’s growth agenda, risk and business functions need to work together for timely and accurate decision support. The risk function can provide the necessary data and decision-relevant information for analytics to have impact, such as scenario analyses. Doing so requires new models of collaboration between risk and business that integrate the two more closely while maintaining the risk function’s required independence. Analytics at the customer or transaction level enable the best risk-return business decisions. Agile approaches, with their cross-functional team make-up, and regular people rotation are two ways to facilitate better understanding and collaboration between risk and business.
Several banks are deploying advanced-analytics models to provide forward-looking information on the loan portfolio and risk-return analyses for commercial opportunities. These banks use customer-level transaction data to update old or unavailable financials, project future customer cash flows in real time, and assess the interconnections of clients with their customers and suppliers to identify supply chain risks. This real-time analysis helps make the right revenue-risk tradeoffs at the transaction level, generating significantly higher value from the portfolio. The banks use the same customer data and related analysis (such as customer cash flow projections) for commercial needs (such as lending) and risk assessment (affordability for the client), for example.
Energy companies can benefit from strategic decision making that is informed by continuous monitoring of external metrics as they undertake large-scale transitions to renewable sources and new technologies. For one global energy player, this involved developing a detailed and well-defined risk appetite and clear governance with a common understanding of the roles and responsibilities of relevant actors, enabling timely escalation in case of changing signals or alerts on the external environment. The new risk function provides an analytic infrastructure of metrics to monitor the evolution of various scenarios and support a dynamic approach to portfolio management. Using risk-based analyses, the company can deal more effectively with uncertainties in context and allocate resources optimally. Management can also manage the risk of stranded assets and assess options based on the economic viability of the business models in the portfolio.
Steering the Company. To further interconnect risk management and enterprise planning and help build a more resilient organization, the risk function can support the finance function in understanding the tradeoffs between risk and return in balance sheet planning. Companies need to be prepared for multiple stress scenarios.
In banking, the risk function traditionally has built and maintained a set of models for regulatory purposes. Finance and risk management can join forces and use these models, which often include alternatives to the baseline financial planning exercise, to optimize the deployment of financial resources, including capital, liquidity, and funding. The planned P&L follows. To be effective, however, this collaboration requires integrated data platforms, structured processes, and strong teaming between the two functions.
In other industries, the use of multiple scenarios to inform the planning process is equally applicable and will become more important over time. Companies can put in place a concrete framework that enables them to screen, assess, and monitor potential internal and external adverse events that can impede the achievement of defined strategic objectives, such as entering a new market or boosting revenues. This type of risk steering initiative is particularly valuable when the organization has deployed an ambitious strategic plan, embarked on a wide transformation program, or made a game-changing investment decision. It involves a scenario-based assessment of the probability and likely financial impact of potential adverse events, based on historical observation, current market trends, and expert judgement.
A leading international fashion and luxury goods company, for example, has recently used this approach to identify more than 20 forward-looking scenarios across multiple risk categories (such as supply chain, image and reputation, service channel, and business interruption). It prioritized scenarios more likely to endanger the new plan’s chances for success, according to the potential impacts at varying revenue levels. For each of these “top scenarios,” the relevant risk management units and the business agreed on a set of KPIs and related mitigation actions in the event that identified thresholds are breached.
In a world of risk-based multi-scenario planning, GenAI can dramatically transform planning activities in multiple ways, enabling a new operating model and at the same time streamlining activities and costs. These include:
GenAI applications are already a reality, and many companies are piloting new use cases with the ultimate goal of transforming the planning operating model. But technology adds its own series of risks and concerns. Pressure to control the risks while still reaping the considerable rewards is fueling the integration of responsible AI, an approach to designing, developing, and deploying AI systems that is aligned with the company’s purpose and values while still delivering transformative business impact. Risk management in the firm needs to be front and center in this effort.
Protecting the Company. Risk’s traditional role is more important than ever. But the level of protection needed requires a significant upgrade of the entire company’s capabilities. In this updated version of protection, distributed and automated controls become the immune system that senses threats and issues responses. This requires a rethought control environment—the set of standards and processes that provide the foundation for internal controls within the organization and clear early warning indicators.
For many companies, new data that can identify fraud in very early stages may be necessary. Banking again provides a useful example since its business model and the large number of financial transactions taking place every day make banks particularly vulnerable to criminal attacks and other nefarious activity. Banks are increasingly taking a data-driven approach to address this challenge. They have automated their know-your-customer processes to source relevant customer data, perform news searches, and assess financial crime risks. They are leveraging AI to identify and block suspicious transactions out of the millions of legitimate transactions banks are processing.
Better use of data, analytics, and technology achieves more effective protection through a more efficient use of resources. For example, at one leading bank, boosting prediction and prevention by enabling cross-risk data intelligence led to a 20% decrease in alerts escalated to the second level. Such moves also help the business to embed streamlined controls in business processes to achieve compliance by design.
The range, complexity, and interconnectedness of threats today open new mandates (and opportunities) for risk management to prove its value. A wide range of actors (governments, cybercriminals, and employees, for example) with a variety of motivations (such as data disclosure and asset destruction) have access to similar attack methods (such as hacking and phishing followed by theft and extortion). Growing numbers of connections among a company’s own IT function, its operational technology, and the Internet of Things, as well as overlapping tools, data, and processes, lead to threats that start in one environment more easily spreading to others.
Fusing risk management capabilities across the various types of risks and technologies can generate both effectiveness and efficiency benefits. The risk function needs to focus its enhanced capabilities upstream on prediction and prevention capabilities across risk types, such as threat monitoring and risk profiling, and downstream on detection and response capabilities, such as scenarios and rules and investigation and remediation. Advanced technology and data capabilities, including data management platforms and advanced analytics, are key to both efforts.
Companies in multiple industries have realized 20% to 30% staff synergies by joining forces in multidisciplinary teams. Integrating case management and documenting end-to-end decision making has helped reduce IT costs by removing redundancies and realizing synergies while cutting processing time by more than 30%.
Finally, companies today need to embed resiliency at the core of their operations, technology, and business. This requires a different logic from that of traditional operational risk management. Companies must consider how to maintain service continuity in the event of a major disruption, the potential for harm to customers and the broader market ecosystem from potential events, and how to redesign end-to-end critical business services by embedding modularity, redundancy, contingency, and the ability to react quickly to changes.
CEOs can launch a practical set of actions today to de-risk their companies’ future:
Preparing for the future of risk requires a company-wide transformation in the operating model, the organizational structure, and the minds of the company’s employees. When everyone views the management of risk as a part of their job, a company is on its way to being well-prepared and resilient for future risk events.
The authors are grateful to their BCG colleagues in the Risk & Compliance practice whose insights and experience contributed to this report. In particular, they thank Abhinav Bansal, Ingmar Broemstrup, Stephanie Bussan, Davide Corradi, Lorenzo Fantini, Bernhard Gehra, Gerold Grasshoff, Paul O’Rourke, Sebastién Rexhausen, Pierre Roussel, Hanjo Seibert, and Carsten Wiegand.