Gregory kicked off the discussion illustrating how we are dealing with many digital technologies related to artificial intelligence (AI) and machine learning (ML) nowadays. He emphasised that, intrinsically, risks and technologies are neither good nor bad, since they provide mathematical approaches to deal with future events and changing scenarios which could affect companies’ strategic objectives.
There has been a hype regarding digital innovations, but most of the current techniques have been around for a while (e.g. Bayesian analysis). They have been certainly boosted more recently by computer power. Nonetheless, all these technologies are actually related to how we take and use historical data to predict the future. The problem though is that with more extreme events happening in front of our eyes every day (e.g. Covid-19 pandemic crisis), the power of past data to predict future performance becomes more limited.
AI and ML are nothing more than augmented intelligent approaches which help humans to make better decisions. Uncertainty will always be around, and they will create variance in business performance and outcomes. Thus, to better understand these variances, risk managers must drive back from the risk event and investigate root cases, sensitivity analyses and scenarios, which will help them navigate, prepare and respond to uncertainties.
The problem though is that when we look to the future, we may not recognise that there were multiple alternatives, which have been silenced in the past order to the present to materialise. Different risk drivers will affect these nodes and links, creating points of divergence, which (hopefully) can be measured probabilistically, in real-time in order to advise decision makers on how to adjust to them. That demonstrates that there are many domains and disciplines which must be considered when we regard the impact of digital technologies in risk management.
Gregory invited us then to focus on a few Top 10 most relevant techniques, reminding us that more can be known from his book (Risk Intelligence – How AI Can Transform Risk Management). From his perspective, the range of multiple techniques that can be applied to enhance risk management encompasses:
1. Probabilistic Modelling (e.g. Bayesian inferences and Monte Carlo simulations).
2. Knowledge Graphs by using the higher amounts of data current available allow companies to identify vulnerabilities and behaviour analysis.
3. Neural Networks (aka Deep Learning) facilitates processes of classifying risks, identifying patterns and recommending courses of action.
4. Big Data makes more accessible and accurate preventive analysis.
5. IoT (Internet of Things) or as Gregory prefers to call “Intelligent Things” creates intelligent ways to monitor activities.
6. Virtual and Augmented Reality are facilitating cheaper and more accurate and sharper video monitoring.
7. Natural Language Processing (NLP) can be used to identify regulatory compliance and changes in context.
8. Robotic Automated Processes (RPA) operationalise risk management insights and assessments.
9. Blockchain distributed trust systems secure identity (e.g., KYC) and help in the elimination of frauds and supply-chain risks in contract management; and
10. Bayesian decision networks automate scenario analysis to maintain real-time risk evaluation.
The problem nowadays is that most AI projects are run as IT projects. Thus, 85% of AI projects fail. In order to solve that, we must start with the business unit and understand their needs. People must be involved in the design, test and implementation of digital technologies. Mathematical points of view should not be imposed but understood. And, as more people understand the value of risk management and technology, more support will be received.
2. Prabha Thomas
Tata is a well-known Indian company operating in more than 55 countries with 55,000 employees worldwide in diverse sectors, including technology development. Thus, Prabha has gathered extensive experience in enterprise risk management and regulatory compliance. She proposed to us the idea of Business 4.0. This is a purpose-driven approach of leveraging digital technologies and enhancing resilience. It focuses on organisational aims to deal with specific behaviours and deliver better performance.
Technologies must be purpose-driven and adaptable to enhance resilience and agility. That generates mass personalisation, intelligent support and creates exponential value, while leveraging ecosystems and embracing risks. In the digital world, embracing risk means playing to win and being hungered to take on new opportunities powered by a machine first philosophy. But, how do you know what intelligent risk taking is?
People must ask themselves if intelligent risks are being taken, discussing risk appetite and opportunities, and embracing risk as a way of life, empowering the first line to continuously assess risks. As more technologies are developed the most important aspect is to query your data and understand what it can and cannot answer to provide hindsight, insight and foresight to enterprise wise integrated risk management and decision making to draw value out of the data available.
In this case, risk managers must transform themselves and their skills to allow cross-disciplinary learning and development through collaborations that provide a more holistic view of changes and disruptions that may impact businesses. Risk managers must also use risk predictions and models that lead to specific and fine-grained risk recommendations, for instance, by creating digital twins’ scenarios and simulations, leveraging risk decision making. This can enhance the way companies deal with extreme events, as these models enable fast-forward views of how the world would respond to these events. Current technology also enables us to create portfolios, uncover hidden risks, and monitor risks in real-time and to provide risk and control dynamically evaluations that enable quick and assured decision-making.
In sum, there is still a lot to be explored in the future with financial and non-financial risk management as well as regulatory compliance and financial crimes enhanced by digital technologies and innovations. However, we must make sure biases do not creep in when we create these technologies. We must query ourselves and the technologies. That requires continuous risk assessments, monitoring and continuous audits.
3. Debra Watson
Debra has 30 years of experience in the mining sector as an ESG practitioner. Nowadays, professionals in this area face even more scrutiny given the inherent environmental, social and governance aspects of mining operations. Thus, we are increasingly seeing in this area blockchain affecting the way mining companies operate. Given the mining sector global supply chain, blockchain enables practitioners to understand where resources are coming from and how they are fairly mined and monitored. Now, however, the mining sector is still a little bit behind in the adoption of technologies, given the remote characteristics of mining, which adversely affect the feasibility of technology adoption. Nonetheless, a lot of pressure has been coming from customers who require this intelligence to evaluate their own supply chain and ESG impact and profile.
A lot of the digital innovation, such as virtual reality, has enhanced the security of human lives and distanced humans from hazards that could generate fatalities and injuries for workers and communities. They also enable enhanced training and induction to prepare people better into hazard spaces and to make them aware of real challenges and simulate cases where hazards may happen. Additionally, robots are used to investigate the reasonability of exploring some areas without the threat to human lives. Since the main cases of fatalities in mining are related to vehicles, self-driven vehicles have also reduced threats and fatalities. Mining companies are in the initial stage of digital technology adoption, but they already have IoT helping on campus and on health and safety.
As professionals, ESG and risk management practitioners cannot know everything, but they require other professionals to help sourcing data from a myriad of data sources and help risk managers to make better decisions. We are getting greater granular metrics of risk to timely decision making. Indeed, there has been a greater call for greater exposure given the technology and given the reassurance provided by technologies themselves. Smart cameras and video analysis allow real-time communication, monitoring and analysis to make proactive risk management and avoid fatalities as well as create new opportunities. The time to implement has rapidly been reduced and we can now do it in a week at a low cost. Thus, previous perceived barriers are being quickly eliminated in front of our eyes. Nonetheless, that does not mean all decisions should be automated. Humans are still the intelligent being behind all these technologies and we must take ownership of the decision.
4. Greg Lawton
Greg is the CEO and co-founder of Nodes and Links, which has been operating in most European and Western countries. Nodes and Links has certainly been democratizing knowledge and enabling companies to make truly informed decisions about projects. It has been taking data from silos and enabling specialists to look for hidden opportunities. Technologies are changing rules, economies and allowing new technologies to emerge. That is creating segmentation and specialisation. In the project space, which means machines performing processes more efficiently while people deal with ambiguity more emphatically and envisioning new opportunities.
Greg emphasised that machines are great to deal with accurate analysis, but people will certainly operate better with institution, ambiguity and purpose. He predicts that the wages of risk managers will increase significantly over the next 10 years. In order for that to happen, people leading risk management practices should fundamentally be able to deal with meaningful business decisions, which truly adds value, rather than be merely threat driven.
Regarding the digital (re)evolution, Greg sees what is happening right now as nothing new. It is merely a division of labour where risk managers (and schedulers) do not necessarily need to know coding, but they need to do what they were always meant to do well, that is the philosophy of risk. What will change is how this is executed. Less time will be taken to understand how things are happening in the background analysis, while more focus is delivered to interpret it and make decisions.
A good indicator that we are moving in the right direction is to analyse if people are doing what they are supposed to be doing. Thus, if a salesperson is focused more on anything rather than enhancing customer experience, there is something wrong. We need this separation and specialisation more than ever.
This is one of the three fundamentals that supports Nodes and Links. The company has one of its fundamental beliefs regarding project’s business models, which is that projects are not about building things. The business model of projects is to create cash flows and profit from delivering things more efficiently, which is reasonably guaranteed by risk managers.
The big problem identified by Nodes and Links was that project schedules can become an almost impossible task, as they accumulate ten-thousand lines of activities and fifteen-thousand links between them. The approach that has been taken by most project leaders has been trying to make things happen by trying to keep things going on and not break. Technologies allow us to make this complex task simple and democratise the knowledge as machines keep things running, instead of breaking. This allows us to find ways to accelerate the project to create millions of free cash.
Simple does not mean simplistic. A complex system has emerging behaviours; thus, you cannot always predict what the outcome will be, but you can feel what the most likely outcome will be. You cannot control a system like this, but you can set parameters to hedge it to a certain outcome, driving decision-making.
We need a different medicine for a different disease. The intelligence of RM can come in, for instance, to contain the spread of diseases, which may be ultimately caused by a simple action that transmits it to other people. In cases like that, you do need a network cure regarding face marks, alcohol gels, vaccinations, lockdowns and hotel quarantine to delay propagations and improper actions to take place. The same is applied to project costs and time. Nodes and Links operates by building machine co-pilots. Thus, you will have a machine learning AI that is an assistant, where machines will be able to provide you the level of exposure and top risks in your risk analysis, while you devote time to what really matters.
5. Gabe Barrett
Gabe has had a miscellaneous of experiences in his career trajectory in risk management, moving through cyber risks and knowing that risk management is ultimately all about people, he is becoming a psychology researcher at Oxford University, working at Risk Talk, which is led by Prof Anette Mikes.
Considering man-made disasters, Gabe asserts that there has been a long line of cases where early-warning signals have been missed, ignored or reframed as ‘normal’. Thus, although all these companies have said their top priority was safety, what we see in action is that the core value has been directed to costs and profit.
We all have a set of beliefs and controls in our mind regarding possible disasters. However, small events may be the ones escalating and leading to precipitating events and the onset of disasters where companies will truly need recovery. Most of these disasters are a failure of foresight. As warnings were missed, they generated detection, communication, and prioritisation problems. Ultimately, this is an action problem.
All these are people issues and there is a lot of psychology science behind that regarding human behaviour and cognition. Thus, these problems can only be solved by genuinely creating blame free and bottom-up communication and culture. Employees must choose to speak out, or not, and it is all about the reaction from managers and senior management teams. Top management teams are those who provide psychological safety, which does not mean freedom from accountability or responsibility.
The Risk Talk App makes top-down and bottom-up communication accessible to everyone with a focus on solving the problem rather than accusing someone as the scapegoat. We visualised the need of a tool to make this happen. That way, detecting, communicating and acting employees can speak up in regard to the core values of the organisations and enable the prioritization of actions in order to get a better understanding of local issues and challenges. For instance, the approach “see-it-say-it-sort-it” gives managers and the board a view of what is happening on the ground.
This unvarnished truth bypasses employees’ psychological intention to provide illusions of safety and let their boss feel that everything is under control. Risk Talk shows what is truly happening on a daily basis and how risks are perceived, interpreted and reported in a systematic way to see patterns without hurdles, which enables an open, honest dialogue of organisational topics. This is what openly democratises access to knowledge and information.
6. Trine Jolst Veicherts & Prof Graeme Keith
Trine started by asserting that we should do the job better than we are doing. Human intelligence is more sophisticated than machine “intelligence.” Thus, we must keep things simple because communication has such a significant impact on risk.
Graeme shared Gregg’s escapism regarding the panacea promised by the digital revolution. It is plausible that digital technologies will revolutionise risk management, but, realistically, it is still more a support mechanism rather than a substitute for human intelligence.
The question thus revolves around, considering the importance of testing and trusting, is there a way to put risk management on the side and replace it with some kind of machine thing?
Trine and Graeme affirm that although this may not be feasible in the short-term, it is always the project manager who should focus most on risk (manager), not the risk manager. The need for accurate outcomes is much more needed, but human and machine interaction can simplify this job. Indeed, a lot of this quantification job is already done by risk managers anyway.
What is needed is better resourced and more reliable data, which is still dubious. Cleaning up the data is a prerequisite and with that, we can all do the required risk analysis and quantification. The big job, though, is to clean up the data, which is required with, or without, AI.
Most companies are trying to solve a problem as part of their business model. Thus, although Google and Facebook have started with the data, we all must understand that this may be the starting point for us to enquire what is possible or not with data. Data is not the final target.
7. Panel Discussion
Trine – It would be great if AI would enable us to use all kinds of data, but unfortunately, we still do need and do not have people available to enable us to do that. Thus, harvesting the right data and cleaning it is the problem. A lot has been done, but there is still a lot of data not fully available. Even if we are doing okay, despite the noise in the data, there are still errors, which cannot be completely eliminated.
Gregory – Bayesians do not rely on historical data. However, most businesses already have a lot of data available to them, which can create a wealth of information if it is properly classified. The main problem with cleaning data is that you may be making up data. You may get the biases wrong. Biases also exist in historical data, it is not just human perceptions, but ways data has been recorded as well. This will drive you to the wrong solution anyway. But we may be able to use AI to use real data. Biases are like risks; it is something you must understand. Too many people start from a data point of view, but they must start from a solution point of view and come back to data.
Greg – We are spending 40% of our time doing data engineering. However, we must be problem driven. We must ask about the bottleneck we are trying to sort out. It is not about we have a lot of data so let us try to find the problem to solve.
Gabe – We equate data with truth, but data is just an approximation of the truth. We must know why we are using this data for. Does it matter? How much would these errors cost? Is it just about financial cost or human lives cost? We should not be driven by the numbers that we found, or we make up to present to stakeholders, and we must question our reliance on numbers.
James – As you put a set of figures, people think this is the truth. There is a danger of not fully understanding how the algorithms actually work and how they are aligning with companies’ objectives. Thus, there is this danger that as we have relied on numbers as we may rely on machines and digital technology. Thus, a big point is to query those (numbers, machines and digital technology).
Greg – Data tells lies, and this is the core component of what a co-pilot is. The core secret of successful businesses is ‘don’t lose money and maximise the upside as much as possible’. That way, I would know for instance how I can pass my one £10M risk to a third-party, instead of focusing on nine £10k risks.
Graeme – It all resonates with this ‘data first’ thing. We have this idea that data is an objective thing. Thus, we tend to go out and find the data that confirms our theory, instead of going out and trying to find data that contradicts our theory. We must start with the problem and what you are trying to achieve. We must then go to the world and try to see what we have available to solve this problem. Your models must represent an interactive process that agilely evolves to try to solve your problem.
Gabe – Regarding being reactive and not proactive, all businesses exist to solve a problem, so we must take a step back and understand what kind of problem we are trying to solve.
Gregory – A lot of problems come from starting with risk (or data) and then try to solve a problem. However, you must start by looking at your objectives and trying to know how they can change, so you will know your variance and by prioritizing you know where your business needs to focus and be.
Graeme – It is interesting to hear your sermons be preached for you. I am a strong believer that we must start with our objectives and then go for the data and see how we can solve that. However, the traditional approach to data analysts is very data driven. What we are talking about here is to work the other way around and see how we can approach problems in a better way.
Jane – The whole problem we are discussing here is that we do not live in a steady world and we must then start with this pre-mortem part to understand how the world would look like if your business goes down. That way, we will know how to better prepare and respond to challenges ahead.
If you have any queries or comments please email email@example.com