Derisking Ai by Design Build Risk Management Into Ai Dev
by Juan Aristi Baquero, Roger Burkhardt, Arvind Govindarajan, and Thomas Wallace
August 2020
Artificial intelligence (AI) is poised to redefine how businesses work. Already it is unleashing the power of data across a range of crucial functions, such as customer service, marketing, training, pricing, security, and operations. To remain competitive, firms in nearly every industry will need to adopt AI and the agile development approaches that enable building it efficiently to keep pace with existing peers and digitally native market entrants. But they must do so while managing the new and varied risks posed by AI and its rapid development.

The reports of AI models gone awry due to the COVID-19 crisis have only served as a reminder that using AI can create significant risks. The reliance of these models on historical data, which the pandemic rendered near useless in some cases by driving sweeping changes in human behaviors, makes them far from perfect.

In a previous article, we described the challenges posed by new uses of data and innovative applications of AI. Since then, we’ve seen rapid change in formal regulation and societal expectations around the use of AI and the personal data that are AI’s essential raw material. This is creating compliance pressures and reputational risk for companies in industries that have not typically experienced such challenges. Even within regulated industries, the pace of change is unprecedented.

In this complex and fast-moving environment, traditional approaches to risk management may not be the answer (see sidebar “Why traditional model risk management is insufficient”). Risk management
Model risk management (MRM) in regulated industries such as banking is currently performed by dedicated and independent teams reporting to the chief risk officer. While these firms have developed a robust MRM approach to improve the governance and control of their critical models determining capital requirements and lending decisions, this approach is usually not ideal for firms with different requirements or in less heavily regulated industries, for the following reasons:

— MRM is typically based on a point-in-time model assessment (for example, once every one to five years), which assumes that the models are largely static between reviews. AI models learn from data, and their logic changes when they are retrained to learn from new data. For example, a fraud model is retrained weekly in order to adapt to new scams.

— Traditional MRM workflows are often sequential and require six to 12 weeks of review time after the model development is complete, which delays deployment. These workflows are not easily adapted to the agile and iterative development cycles frequently used in AI model development.

— MRM is often focused more on traditional risk types (primarily financial risks, such as capital adequacy and credit risk) and may not fully cover the new and more diverse risks arising from widespread use of AI such as reputational risk, consumer and conduct risk, and employee risk.

— Some applications and use cases, such as chatbots, natural-language processing, and HR analytics, can qualify as “models” under regulatory definitions used in banking. But these applications are very different from the traditional model types (for example, capital models, stress-testing models, and credit-risk models), and traditional MRM approaches are not easily applied.

— AI and machine-learning algorithms are often embedded in larger AI application systems, such as software-as-a-service (SaaS) offerings from vendors, in ways that are significantly more complex and more opaque than traditional models. This greatly complicates coordination between those who review the model and those who assess the application and platform (IT risk) or the vendor (third-party risk).
A large food manufacturer developed an analytics solution to forecast demand for each of its products across geographies in order to optimize manufacturing, logistics, and the overall supply chain. The new model showed higher accuracy compared with the company’s existing expert-based approach.

But before the model was deployed, the manufacturer initiated an independent third-party review of the model, which uncovered several problems with the model, including a critical data leakage. The model had accidentally included a feature that captured the actual demand. Once the feature was removed, the model accuracy dropped below the existing expert-based approach.

This revelation led to a complete redesign of the model architecture and the realization that the company needed to undertake a broader initiative to embed risk management into model development to prevent this and other issues from recurring. The manufacturer began the effort by creating new roles within the group to perform model review, defining roles and responsibilities for model checks throughout the modeling pipeline, and implementing standards for development and documentation of analytics.
[Figure: model life-cycle stages (Ideate, Get data, Build, Evaluate, Industrialize, Monitor and maintain) with three approval checkpoints: 1. Approval to develop/proof of concept/minimum viable product; 2. Approval to implement; 3. Approval to go live.]
covers all these different risks is a granular exercise. For example, enhancing our own internal model-validation framework to accommodate AI-related risks results in a matrix of 35 individual control elements covering eight separate dimensions of model governance.

Embedding appropriate controls directly into the development and provisioning routines of business and data-science teams is especially helpful in industries without well-established analytics development teams and risk managers who conduct independent review of analytics or manage
Companies in industries that have been running analytical models for decades under the scrutiny of regulators, such as financial services, often have a foundation for moving to a derisk-by-design model. Organizations in industries that have adopted analytics more recently and are less regulated (at least in the area of model outputs) will need to build their capabilities nearly from scratch.

One large North American energy company initiated a multiyear analytics transformation in order to improve the efficiency of current assets—for example, to produce higher-quality coal. The company set up an analytics center of excellence (CoE), which discovered that thousands of analytics use cases had been developed and deployed across the organization without any clear oversight, creating risks for human health and safety, financial performance, and company reputation.

In response, the CoE appointed a model manager to oversee the model-governance rollout across the organization. The manager’s team identified six key priorities: implementing a process to identify models as they are developed; creating a centralized inventory for all analytics use cases and related information (such as developer and owners); establishing a tiering system to identify the most material models; creating standards for model development and documentation; defining and implementing requirements for model review and monitoring for all models; and defining model-governance processes, roles, and responsibilities for all stakeholders across the modeling pipeline. These changes helped the organization take a giant step toward embedding risk management into the end-to-end process of model development.
[Figure: managing bias risk at each stage of the model life cycle]
— Ideation: Determine the level of bias risk, given model use and context.
— Data sourcing: Detect and mitigate bias risk in data.
— Model development: Find and reduce bias through modeling.
— Industrialization, monitoring, and maintenance: Continuously monitor and manage bias risk in production.
Other labels in the figure: Capability context assessment; Monitor model for bias metrics.
Exhibit 3
The responsibilities for enabling safe and ethical innovation with artificial intelligence span multiple parts of the organization.

Business
— Front line: Confirm soundness of predictive drivers, modeling approach, and results based on business experience
— Operations: Validate insights against business experience; ensure appropriate use-case calibration (eg, clarity on modeling objectives)
— Business-unit control: Ensure tests required by second-line-of-defense functions are performed, including ongoing monitoring and testing of models in use
Exhibit 4
Both analytics and risk professionals will need to complement their traditional skill sets with sufficient knowledge of the others’ function.
— a consistent and comprehensive set of explainability tools to interpret the behavior of all AI technologies, especially for technologies that are inherently opaque

Getting started
The practical challenges of altering an organization’s ingrained policies and procedures are often formidable. But whether or not an established risk function already exists, leaders can take these basic steps to begin putting into practice derisking AI by design:

— Articulate the company’s ethical principles and vision. Senior executives should create a top-down view of how the company will use data, analytics, and AI. This should include a clear statement of the value these tools bring to the organization, recognition of the associated risks, and clear guidelines and boundaries that can form the basis for more detailed risk-management requirements further down

— Create the conceptual design. Build on the overarching principles to establish the basic framework for AI risk management. Ensure this covers the full model-development life cycle outlined earlier: ideation, data sourcing, model building and evaluation, industrialization, and monitoring. Controls should be in place at each stage of the life cycle, so engage early with analytics teams to ensure that the design can be integrated into their existing development approach.

— Establish governance and key roles. Identify key people in analytics teams and related risk-management roles, clarify their roles within the risk-management framework, and define their mandate and responsibilities in relation to AI controls. Provide risk managers with training and guidance that ensure they develop knowledge beyond their previous experience with traditional analytics, so they are equipped to ask new questions about what could go wrong with today’s advanced AI models.
While AI applications can be developed in a decentralized fashion across an organization, managing AI risk should be coordinated more centrally in order to be effective. A major North American bank learned this lesson when it set out to create a new set of AI risk-management capabilities to complement its existing risk frameworks. Initially, multiple groups began their own AI risk-management efforts. This fragmentation created a host of challenges around key risk processes, including tracking and assessing the risks of AI embedded in vendor technologies, triaging and risk oversight of AI tools, building controls into AI model development involving multiple analytics groups, and operationalizing ethical principles on data and AI approved by the board. As a result, the bank struggled to demonstrate that all AI risks were managed through the development life cycle.

The bank alleviated these issues by establishing one multidisciplinary team to define a clear target state of AI risk management, build alignment across stakeholders, clarify AI governance requirements, and specify the engagement model and technical requirements to achieve the target state.
— Access transparency tools. Adopt essential tools for gaining explainability and interpretability. Train teams to use these tools to identify the drivers of model results and to understand the outputs they need in order to make use of the results. Analytics teams, risk managers, and partners outside the company should have access to these same tools in order to work together effectively.

— Develop the right capabilities. Build an understanding of AI risks throughout the

AI is changing the rules of engagement across industries. The possibilities and promise are exciting, but executive teams are only beginning to grasp the scope of the new risks involved. Existing approaches to model risk-management functions may not be ready to support deployment of these new techniques at the scale and pace expected by business leaders. Derisking AI by design will give companies the oversight they need to run AI ethically, legally, and profitably.
Juan Aristi Baquero and Roger Burkhardt are partners in McKinsey’s New York office, Arvind Govindarajan is a partner in the
Boston office, and Thomas Wallace is a partner in the London office.
The authors wish to thank Rahul Agarwal for his contributions to this article.