The emergence of the professional AI risk manager

When the 1970s and 1980s were colored by banking crises, regulators from around the world banded together to set international standards on how to manage financial risk. Those standards, now known as the Basel standards, define a common framework and taxonomy on how risk should be measured and managed. This led to the rise of professional financial risk managers, which was my first job. The largest professional risk associations, GARP and PRMIA, now have over 250,000 certified members combined, and there are many more professional risk managers out there who haven’t gone through those particular certifications.

We are now beset by data breaches and data privacy scandals, and regulators around the world have responded with data regulations. GDPR is the current role model, but I expect a global group of regulators to expand the rules to cover AI more broadly and set the standard on how to manage it. The UK ICO just released a draft but detailed guide on auditing AI. The EU is developing one as well. Interestingly, their approach is very similar to that of the Basel standards: specific AI risks should be explicitly managed. This will lead to the emergence of professional AI risk managers.

Below I’ll flesh out the implications of a formal AI risk management role. But before that, there are some concepts to clarify:

  • Most of the data regulations around the world have focused on data privacy
  • Data privacy is a subset of data protection. GDPR is more than just privacy
  • Data protection is a subset of AI regulation. The latter covers algorithm/model development as well.

Rise of a global AI regulatory standard

The Basel framework is a set of international banking regulation standards developed by the Bank of International Settlements (BIS) to promote the stability of the financial markets. By itself, BIS does not have regulatory powers, but its position as the ‘central bank of central banks’ makes Basel regulations the world standard. The Basel Committee on Banking Supervision (BCBS), which wrote the standards, formed at a time of financial crises around the world. It started with a group of 10 central bank governors in 1974 and is now composed of 45 members from 28 jurisdictions.

Given the privacy violations and scandals in recent times, we can see GDPR as a Basel standard equivalent for the data world. And we can see the European Data Protection Supervisor (EDPS) as the BCBS for data privacy. (EDPS is the supervisor of GDPR.) I expect a more global group will emerge as more countries enact data protection laws.

There is no leading algorithm regulation yet. GDPR only covers a part of it. One reason is that it is difficult to regulate algorithms themselves and another is that regulation of algorithms is embedded into sectoral regulations. For example, Basel regulates how algorithms should be built and deployed in banks. There are similar regulations in healthcare. Potential conflicting or overlapping regulations make writing a broader algorithmic regulation difficult. Nevertheless, regulators in the EU, UK, and Singapore are taking the lead in providing detailed guidance on how to govern and audit AI systems.

Common framework and methodologies

Basel I was written more than three decades ago in 1988. Basel II in 2004. Basel III in 2010. These regulations set the standards on how risk models should be built, what the processes are to support those models, and how risk will affect the bank’s business. It provided a common framework to discuss, measure, and evaluate the risks that banks are exposed to. This is what is happening with the detailed guidance being published by EU/UK/SG. All are taking a risk-based approach and helping define the specific risks of AI and the necessary governance structures.

Above: The Basel II Framework

Above: The UK ICO Framework

New profession and C-level jobs

A common framework allows professionals to quickly share concepts, adhere to guidelines, and standardize practices. Basel led to the emergence of financial risk managers and professional risk associations. A new C-level position was also created, the Chief Risk Officer (CRO). Bank CROs are independent from other executives and often report directly to the CEO or board of directors.

GDPR jumpstarted this development for data privacy. It required that organizations with over 250 employees have a data protection officer (DPOs). This caused a renewed interest in the International Association of Privacy Professionals. Chief Privacy and Data Officers (CPOs and CDOs) are also on the rise. With broader AI regulations coming, there will be a wave of professional AI risk managers and a global professional community forming around it. DPOs are the first iteration.

What will a professional AI risk manager need or do?

The job will combine some duties and skill sets of financial risk managers and data protection officers. A financial risk manager needs technical skills to build, evaluate, and explain models. One of their major tasks is to audit a bank’s lending models while they are being developed and when they’re in deployment. DPOs have to monitor internal compliance, conduct data protection impact assessments (DPIAs), and act as the contact point for top executives and regulators. AI risk managers have to be technically adept yet have a good grasp of regulations.

What does this mean for innovation?

AI development will be much slower. Regulation is the primary reason banks have not been at the forefront of AI innovation. Lending models are not updated for years to avoid additional auditing work from internal and external parties.

But AI development will be much safer as well. AI risk managers will require that a model’s purpose be explicitly defined and that only the required data is copied for training. No more sensitive data in a data scientist’s laptop.

What does this mean for startups?

The emergence of the professional AI risk manager will be a boon to startups building in data privacy and AI auditing.

Data privacy. Developing models on personal data will automatically require a DPIA. Imagine data scientists having to ask for approval before they start a project. (Hint: not good) To work around this, data scientists would want tools to anonymize data at scale or generate synthetic data so they can avoid DPIAs. So the opportunities for startups are twofold: There will be demand for software to comply with regulations, and there will be demand for software that provides workarounds to those regulations, such as sophisticated synthetic data solutions.

AI auditing. Model accuracy is one AI-related risk for which we already have common assessment techniques. But for other AI-related risks, there are none. There is no standard to auditing fairness and transparency. Making AI models robust to adversarial attacks is still an active area of research. So this is an open space for startups, especially those in the explainable AI space, to help define the standards and be the preferred vendor.

Kenn So is an associate at Shasta Ventures investing in AI/smart software startups. He was previously an associate at Ernst & Young, building and auditing bank models and was one of the financial risk managers that emerged out of the Basel standards.


Original post:

34 comentários em “The emergence of the professional AI risk manager

  1. I am the manager of JustCBD Store label ( and I’m presently planning to develop my wholesale side of company. I really hope that someone at targetdomain is able to provide some guidance . I thought that the most suitable way to accomplish this would be to connect to vape companies and cbd stores. I was hoping if someone could suggest a trustworthy web site where I can purchase CBD Shops B2B Data I am already checking out, and Not exactly sure which one would be the very best choice and would appreciate any guidance on this. Or would it be much simpler for me to scrape my own leads? Suggestions?

  2. When I originally commented I seem to have clicked on the -Notify me when new comments are added- checkbox and now whenever a comment is added I recieve four emails with the exact same comment. Is there a means you are able to remove me from that service? Appreciate it!

  3. Having read this I believed it was very enlightening. I appreciate you spending some time and energy to put this information together. I once again find myself spending a lot of time both reading and commenting. But so what, it was still worthwhile!

  4. Do you mind if I quote a few of your articles as long as I provide credit
    and sources back to your webpage? My blog is in the exact same area of interest
    as yours and my users would truly benefit from some of the information you present here.

    Please let me know if this okay with you. Thanks a lot!

  5. Does your blog have a contact page? I’m having trouble locating it but, I’d like to
    shoot you an email. I’ve got some suggestions for your blog you
    might be interested in hearing. Either way, great blog
    and I look forward to seeing it improve over time.

  6. An outstanding share! I’ve just forwarded this onto a co-worker who has been doing a little homework on this. And he in fact ordered me dinner simply because I found it for him… lol. So allow me to reword this…. Thank YOU for the meal!! But yeah, thanks for spending some time to discuss this topic here on your web page.

  7. Good post. I learn something new and challenging on blogs I stumbleupon every day. It’s always exciting to read content from other writers and practice something from their websites.

  8. Howdy! I simply would like to give you a big thumbs up for your excellent info you have right here on this post. I’ll be coming back to your site for more soon.

  9. Achieving your fitness goals doesn’t need a certified personal trainer or an expensive gym membership, especially when you have the budget and the space to consider practically every workout machine in the market.

  10. Thanks for some other excellent post. The place else could anyone get
    that type of information in such a perfect means of writing?
    I have a presentation subsequent week, and I’m on the look for such
    info. 3aN8IMa cheap flights

  11. I’d like to thank you for the efforts you’ve put in writing this site. I am hoping to check out the same high-grade blog posts from you in the future as well. In truth, your creative writing abilities has motivated me to get my very own site now 😉

  12. Good post. I learn something new and challenging on websites I stumbleupon every day. It will always be exciting to read content from other writers and use a little something from other web sites.

  13. Good site you have got here.. It’s difficult to find high quality writing like yours these days. I truly appreciate individuals like you! Take care!!

  14. May I simply just say what a comfort to discover somebody that actually knows what they’re discussing on the net. You certainly realize how to bring a problem to light and make it important. More people have to check this out and understand this side of the story. I can’t believe you are not more popular given that you certainly have the gift.

  15. An interesting discussion is definitely worth comment. I think that you need to write more about this topic, it may not be a taboo matter but generally people don’t discuss these subjects. To the next! Many thanks!!

  16. Having read this I believed it was extremely informative. I appreciate you finding the time and effort to put this information together. I once again find myself spending a lot of time both reading and posting comments. But so what, it was still worthwhile!

  17. Aw, this was an extremely good post. Finding the time and actual effort to create a very good article… but what can I say… I put things off a lot and don’t seem to get nearly anything done.

  18. Good post. I learn something totally new and challenging on blogs I stumbleupon everyday. It will always be exciting to read through articles from other writers and use something from other sites.

Leave a Reply

Your email address will not be published. Required fields are marked *