How GenAI can enhance risk management

  • March 07, 2024

Alex Laurie

Principal, Risk Modeling Services, PwC US

Robert N. Bernard

Director, Risk Modeling Services, PwC US

Richard de Haan

Principal and Global Risk Modeling Services Leader, PwC US

As is the case with any new technology, generative AI (GenAI) introduces risks that your business needs to address and manage responsibly. Your stakeholders will better trust how you use AI if you're able to prove to them that your systems can repeatedly produce intended outcomes and reduce undesirable ones. This requires embedding responsible AI practices at every step – including design principles, testing, monitoring, and auditing of the solution.

That said, GenAI shows at least as much potential as a force multiplier in managing risks as it does as a source of them. Most notably, it can significantly enhance:

  • The risk management process by shifting it from data gathering to information analysis.
  • How risk managers do their jobs through tech-enabled productivity enhancements and consolidated knowledge management.

Specifically, GenAI can assist you in four key risk management areas: risk identification, risk analysis, data management and application, and compliance.

With data inputs from an organization’s various departments, your GenAI platform can synthesize disparate information into a single source of integrated risk identification and – unique to GenAI – provide insights and suggestions based on what it synthesizes. In turn, this thorough analysis of indicators and trends can shift the focus from data gathering to information analysis and action.

For instance, the platform may identify a potential supply chain disruption that could impact both operations and the finance department. With this information, risk managers can develop contingency plans, diversify suppliers, or allocate resources accordingly to reduce the impact of such risks. This contrasts with a traditional siloed approach to the collation and analysis of risk-related information, where risks can go unnoticed when risk managers focus mainly or solely on information available within or related to their own departments.

Once these interdependent risks have been identified, a risk manager can use the GenAI platform as a collaborative partner during risk analysis and evaluation. By having an interactive discussion with the platform and treating it as a colleague, the risk manager can brainstorm, coalesce and refine ideas to ultimately produce risk committee charters, risk narratives and governance documents, as well as risk analysis that spans the company. This could uncover more potential interdependencies, such as the impact of cybersecurity vulnerabilities on financial operations and customer trust, thereby leading to a more holistic understanding of the company's risk landscape and the development of effective risk mitigation strategies. Additionally, the platform can be a foundational source for historical data and benchmarks that might not have resulted from a traditional analysis.

Furthermore, in the case of incident response and crisis management, a risk manager working with the platform can use the results from an incident to produce an after-action report. The risk manager can then continuously add updated learnings to the platform, enhancing the platform by training it on organization-specific data and thereby improving its performance over time (e.g., by reducing hallucinations).

By updating the platform with the most recent data, the platform also can help mitigate the “tribal knowledge” phenomenon, where useful information is hidden or lost (e.g., following the departure of a key employee) and significantly enhance institutional memory and data availability, thereby promoting a culture of continuous improvement.

Finally, a GenAI platform can help risk managers maintain compliance with internal or external requirements by verifying each step or requirement of a regulation or framework. In addition, the platform can potentially identify ways to reduce your company’s risk – for example, through changing a law, tax structure or other requirement. Of course, you should carefully consider the potential ramifications of the actions you may undertake at the platform’s recommendation to confirm they're consistent, legal and in line with company policy and strategy. And keep in mind that using the platform in this manner is complementary to your own due diligence, not a replacement for it.

Simplifying risk management: a GenAI use case

A company's generative AI application can range from something as basic as a publicly available conversational chat to something that integrates into an existing platform. For instance, PwC has developed a solution that uses GenAI to simplify for our clients the complexity inherent in regulatory data, including regulations across various agencies and updates to those regulations, transforming it into actionable insights through plain language summaries. By extracting and generating critical compliance elements such as obligations, control statements and risk statements directly from complex regulatory texts, the solution maps these extracted obligations to the client’s existing policy documents. It also produces a set of tasks the client’s compliance officer can follow.

What you can do now

  • Establish, populate and scale your company’s own, proprietary GenAI platform. You can license a publicly available or purchasable large language model (LLM) or leverage an open-source LLM. Either way, creating enterprise or domain-specific data for the model to reference in a safe, secure environment with appropriate guardrails – which is what PwC does – will be central to developing and deploying this company-specific solution.
  • GenAI will be genuinely transformational only if you and the platform evolve in tandem to enhance your symbiotic relationship. Not only should the system incorporate more and more of your company’s knowledge base, but as you manage and interact with it, you should also develop your own delegation and task assignment style (e.g., through employee training and upskilling in key areas like prompt engineering). Like integrating any new member of your team, learning through experimentation is necessary to harness the potential of GenAI’s capabilities.
  • Be prepared for your GenAI colleague and collaborator to make mistakes, realizing that it can still serve as a valuable member of your risk management team. You should continuously update the platform to make it relevant to your unique circumstances, with the end goal of having an automated subject matter specialist that’s available 24/7, with nearly complete institutional memory.
  • Don’t fall into the use case trap, where you look for nails to hit with a GenAI hammer. For example, if a use case makes a process longer and subject to more reviews, revisions and approvals than it would be without GenAI assistance, then it’s not a good use case.
  • Understand and account for global requirements regarding AI regulation. In the USA, the Biden Administration recently issued an Executive Order on Artificial Intelligence in November 2023 and the European Union recently approved a comprehensive act regulating AI. To avoid taking a strictly reactive approach, anticipate how regulations might change and prepare for them accordingly.
  • Last but not least, while GenAI is currently a very hot topic, it isn’t the only kind of AI. Because it’s based in language, it’s very accessible – but there are many other kinds of AI applications. Quantitative predictions created with machine learning are still highly relevant. Don’t forget about how useful they can be or that they also continue to need thoughtful and effective governance.