(and not confusing the 2)
Just as in football, most organisations have three lines of defense that form their risk management system. A football team's defense protects against a touchdown by the opposing team. Similarly, employees in an organization protect the business against a risk event.
The 3 lines of defense model was developed by FERMA (Federation of European Risk Management Associations) in 2008 and introduced by the Institute for Internal Auditors in 2013.
Since then it has grown significantly and has become a standard for many auditors and risk managers. Different types of risks (credit, market, interest, operational, AML, etc.) regulated in financial services are managed according to this model.
Why not apply it to AI?
1. Apply the 3 lines of defense model to AI governance
What does it mean?
1st line of business: create, own and manage AI risks
These teams are responsible for designing, specifying, building, deploying and operating ML models and AI automation. They are also responsible for the data used in the AI model.
2nd line of business: overseeing AI risks
They assess and monitor risks, develop a risk management strategy and check whether the 1st line of defense has developed according to the expected requirements.
Model validation teams are independent teams responsible for assessing the robustness of the AI model and associated data, testing the results and recommending corrective actions.
3rd line of defense: responsible for providing independent assurance to senior management and the board over the effectiveness of the First and Second Line on AI
They oversee the other two lines of defense to ensure compliance with laws and with the organization's policies and strategies, as well as the ethical and responsible use of technology. They may be supplemented by specific boards made up of various internal/external managers reporting to the board.
To be effective, these three lines of defense work in synergy with a common goal: to control AI risks end-to-end in the organization and throughout the AI life cycle.
If not already done, enhance your 3 lines of defense model to incorporate AI risks at each stage of the lifecycle and empower risk management around the data and AI ML models.
2. Strengthen the 3 lines of defense model with AI ML technologies
AI as a new technology has the potential to facilitate and automate certain tasks performed at each stage of the line of defense model.
Here are some examples:
1st line of defense: detecting new patterns in customer datasets to offer services better tailored to your customers' needs, performing sentiment analysis for stock trends.
2nd line of defense: developing automated solutions to improve prediction of credit default risk, detecting patterns around suspicious transactions, using unsupervised solutions to monitor regulatory stress test scenarios.
As the scope of risk analysis expands into new areas (e.g. cyber risks, climate risks), the use of AI ML technologies is expected to grow.
3rd line of defense: audit activities can be transformed through machine learning, leading to increased productivity and accuracy.
It helps automate manual tasks, analyze the full volume of structured and unstructured data, identify anomalies, and make predictions about future risks and events.
With automation, some components of risk management move from the third line to the first and second lines of defense.
Overall, automation with AI improves the effectiveness of risk management.
But during implementation, other factors such as training, communication, risk culture assessment, company size, infrastructure capabilities (e.g. cloud) and data readiness need to be taken into account.
How to effectively implement the 3 lines of defence around AI (way 1) is already a challenge for most organisations.
Introducing AI tools into risk management practices (way 2) leads to greater efficiency.
But what about combining the two ways? It's another step.