Risk management key in overseeing implementation of innovative technology

Risk managers or their counterparts should be included in organizations’ discussions and activities concerning the use and potential impacts of artificial intelligence, experts say.

“That’s always a good practice, because risk managers have a good line of sight to broad exposures that somebody in an individual discipline within an organization may not have the opportunity to see otherwise,” said Elisabeth Case, Chicago-based global product manager, cyber, for Liberty Mutual Insurance Co.

Risk management involvement helps make sure that “everybody is aligned on what the tools are being used for and how they’re going to be deployed, and that it’s being done in a thoughtful manner,” she said.

Organizations should be proactive in identifying and addressing potential AI exposures, said Jaymin Kim, Toronto-based senior vice president, cyber risk practice, for Marsh LLC. 

Managers responsible for AI should ask “what can I do from a risk management perspective in order to understand the specific exposure and transfer residual risks,” she said.

“With respect to AI, organizations generally are on notice that risk management and legal and compliance regimes within organizations have to ensure there’s adequate oversight,” said Bob Wice, West Hartford, Connecticut-based head of underwriting management, cyber and tech, at Beazley PLC. 

“You have to make sure that you’re updating your privacy controls and security controls to ensure that you’ve got the right walls, practices, policies and procedures in place to ensure that your organization’s employees aren’t using generative AI in the wrong way to do their work. 

That’s all got to be managed from the risk management practice at these organizations,” Mr. Wice said.

John Farley, New York-based managing director of Arthur J. Gallagher & Co.’s cyber practice, said during a mid-April webinar that organizations should incorporate AI into their cyber incident response plans given its rising prominence in data breaches.

“In your incident response plan, you have to anticipate the potential for deepfake,” Mr. Farley said, and have mechanisms in place to mitigate damages as with other cyber incidents.