Generative AI for Non-Financial Risk for Banking and Financial Services – How to get this right.

Generative AI has been the buzzword in IT industry currently and everybody has rushed in to join the bandwagon. However, is it a panacea for all or is it a myth? We have tried to analyze the utility of Generative AI in BFSI Risk & Compliance and deep dive into the most important use cases in Non-financial Risk (NFR) management in this article.

Generative AI in BFSI and Risk & Compliance – Where are the sweet spots?

The research and surveys conducted to find the applicability and value adds by industry sectors and functions indicate that Banking & Financial services is a good candidate for creating value through implementing Generative AI (Gen AI) solutions. The functions of Banking that may be the most benefitted are Customer Operations (includes credit) and Software Engineering. However, the next set of functions that may also generate great value from Generative AI are the functions such as Marketing and Risk & Compliance.

Within Risk & Compliance, the prominent business use cases may include Model Risk, Financial Crime and Credit Risk along with few areas under non-financial risks (NFR) such as Operational Risk Management (ORM), Cyber risk, Information security, Operational Resilience, ESG and Sustainability reporting. We shall deep dive primarily into the ORM area in the subsequent sections.

Latest challenges in ORM and Gen AI capabilities that may help to overcome those challenges

A. Failure to detect & manage new risks

As ORM requires oversight of almost all organizational processes and business activities, important to identify and manage new and diverse risks arising from:
• Adoption of new business models & technologies
• Entering a new market
• Introduction of new products and services
• Changing regulatory guidelines
• Partnering with new vendors

B. Ever transcending ORM boundary

Significant uncertainty arising from external drivers (geo-political, economic, climate, societal) lead to new risks and require new manifestation of ORM for the inter-relationship of business processing and leading to converging certain risk types.

C. Pressure on Operational Risk Management team to do ‘more’ with ‘less’

New regulations have been steadily evolving in banking and financial services keeping risk management function always on their toes. However, due to decreasing margins and stiff competition, the financial institutions have been under pressure to keep cost of compliance under check. Hence, it has been critical
for ORM function to work within limited resources and budget without compromising on the rigor of managing and mitigating the ever-evolving risks.
Generative AI has several capabilities but couple of capabilities that may be the most pertinent are – Data Mining and Democratization of Data & Analytics.

Data Mining

• Gen AI can automate monitoring and processing of internal and external data, compile and scrutinize transaction data across various departments or sources for anomalies or outliers to detect and rank threats to a company’s operations.
• The speed and capacity to integrate multiple information sources can dramatically enhance the productivity of individuals.
Democratization of Data & Analytics
• Empower operational risk managers to extract meaningful insights and identify patterns of risks and design proper controls using relevant data from company databases without any specialized technical skills.
• Operational risk or audit analytics may be more efficient and accessible as ChatGPT type of tools may be leveraged. Traditional ORM strategies, though effective to a certain degree, often fall short when tackling the dynamic nature of emerging threats and managing the increasing volume and diversity of data.

Top five Gen AI business use cases in ORM

As mentioned above, there are several areas in the larger non-financial risk management where Gen AI can play a crucial role. For example: Generative AI can transform cybersecurity and infosec teams’ security approaches by providing advanced threat detection, real-time monitoring, and adaptive defense mechanisms. Various AI-powered tools enhance their ability to combat sophisticated cyber threats, safeguard customer data, and maintain a resilient security posture in the dynamic digital landscape. Similarly, Gen AI can contextualize ESG data and support reporting operations, including creating plain-language statements that outline ESG initiatives.

However, if we look purely at ORM aspect, the following are the best candidates for Gen AI adoption.

1. Automation of audit review

• Automate audit submission fact finding and detailed audit reviews based on query formats.
• Evaluate audit engagement independence requirements to help simplify the approvals process for certifying independence.

2. Quick risk assessment and identification of control gaps

• Generative AI models, such as GPT-4, can analyze large volumes of unstructured textual data from various sources. By identifying patterns and relationships within this data,
generative AI can detect emerging risks that are potentially missed by traditional
methods.
• Identify gaps in policies and control frameworks or analyze thousands of pages of regulations across multiple jurisdictions instantly.

3. Creation of synthetic data to complement internal loss data

• Collecting pertinent loss data has been a challenge for loss modeling for many institutions. Gen AI may help to create relevant loss data to complement internal loss events.
• Gen AI can create synthetic data, that is indistinguishable from real data. Synthetic data sets may be used for data security / privacy too

4. Comprehensive Scenario Analysis

• Generative AI can contribute to risk assessment by generating potential risk scenarios based on real-world data. That enables robust and comprehensive scenario analysis and provides deeper insights into potential vulnerabilities and helps to mitigate risk more effectively, thus bolstering operational resilience.

5. Dynamic Risk Monitoring

• Generative AI models can continuously learn from new data and enable organizations to monitor their risk environment in real time. This helps them to quickly detect changes in risk exposure, allowing for pre-emptive and more effective risk-mitigation tactics.

Leveraging Gen AI in ORM for Financial Institutions – Potential Benefits

Utilizing generative AI such as GPT-4 models could elevate a bank’s ability to identify potential operational risks within extensive textual data, facilitate the generation of summaries for complex documents to aid decision-making, and improve tools for monitoring and managing risks. This could lead to heightened efficacy in communication and collaboration within risk-management teams and consequently bolster ORM strategies.

• Amplified Operational Risk Detection: Automate mundane, everyday tasks, offer rapid assessments and help financial institutions better understand and manage the risks they face.
• Dynamic Risk Monitoring: The ability of generative AI models to continuously learn from new data enables organizations to monitor their risk environment in real time. This helps them to quickly detect changes in risk exposure, allowing for pre-emptive risk-mitigation tactics.
• Enhanced Operational Risk Evaluation: By leveraging AI’s capabilities, banks can address challenges related to risk identification and assessment by generating potential risk scenarios based on real-world data. Robust and comprehensive scenario analysis will provide deeper insights into potential vulnerabilities, help to mitigate risk more effectively, thus bolstering their operational resilience.
• Effective Risk Mitigation: Generative AI supports the design and execution of effective risk-mitigation strategies. It offers insights into potential process improvements, identifies gaps in controls and suggests targeted training programs.
• Efficiency and Cost-Effectiveness: Incorporating generative AI models into ORM can automate labor-intensive tasks, leading to increased efficiency and cost reduction.
• Adaptability and Responsiveness: Generative AI models can quickly adapt to changing business landscapes and regulatory stipulations, ensuring that ORM practices remain relevant and effective in tackling emerging risks.

Challenges lie ahead

Although Generative AI offers substantial value in ORM, implementation is not devoid of complexities and potential pitfalls. According to ORX, generative AI has contributed to the highest number of operational risk “incidents” since 2017. Data from the world’s largest operational risk association found that more sophisticated technology and low-risk fraud had led to a reported 76,620 loss events in 2022, a 26.4% rise of 16,020.
• Comply with Regulatory Guidelines: The deployment of generative AI models in ORM raises significant ethical and privacy considerations, particularly when handling sensitive data.
• Ensure Data Quality and Volume: The effectiveness of generative AI models depends heavily on data, and banks must ensure that they have high-quality and sufficient data to train and deploy AI models effectively. Securing accurate, pertinent and comprehensive data can pose a formidable challenge. Poor data quality or insufficient data can lead to inaccurate risk assessments.
• Establish Model Interpretability: Generative AI models, including GANs and GPT-4, can be complex and opaque, making them difficult to interpret. Banks need to ensure that risk models are explainable to regulators, and it is vital for stakeholders to understand the logic underpinning the models’ outputs and decision-making processes.
• Endorse Model Performance: Validating performance and reliability of generative AI models within ORM may be challenging. Establishment of robust validation techniques and performance metrics is critical to ensure soundness of these models.
• Establish Organizational Readiness: The seamless integration of generative AI into ORM requires proper infrastructure and technical expertise. Therefore, inculcating organizational culture that is conducive to learning, innovation and change is extremely important.
• Build Business Case on ROI: Implementing Gen AI solutions may be expensive. Hence, banks need to conduct due diligence, assess the return on investment and build a sound business case.

The road ahead

The financial institutions must devise a comprehensive strategy to successfully integrate generative AI into operational risk management. They must embark on the following initiatives to implement the strategy successfully.

• Implement solutions complying with the data protection norms
• Invest in Data Quality Initiatives to improve data quality and enhance volume of data for training generative AI models
• Develop clear strategy for Model Interpretability and Validation to democratize data, communicate logic and improve trust and credibility of model output
• Embark on Organizational Change Management initiatives to inculcate the culture of continuous learning and embracing change
• Conduct proper due diligence and build solid business case for investment in Gen AI projects

However, while exploring the options to integrate generative AI into operations, banks will do well to consider several factors:

To conclude, the industry experts predict considerable growth in the application of AI capabilities within financial institutions in the medium term. The banks can successfully integrate generative AI into their ORM practices, enabling them to recognize, evaluate and mitigate operational risks more effectively in an increasingly complex and dynamic world by carefully navigating the challenges and considering the factors as mentioned. While the application of generative AI in ORM is still in its infancy, its potential benefits warrant detailed examination. Like any nascent technology, a balanced approach that appreciates its benefits while mitigating its challenges is essential in successfully leveraging generative AI for effective ORM and hence, a thorough due diligence and Proof of Concept based approach may be the way to move forward.

Author: Saptarsi Ray
Saptarsi Ray is a leading practitioner in Risk and Regulatory Compliance and Capital Markets with around 25 years of experience. He has worked as trusted advisor for banking and financial organizations across the globe and helped them in their transformation journey in Risk and Finance. He currently works as the Global Head of Operational Risk and IT Risk (Consulting Partner in Risk & Compliance) in TCS and leads Risk Advisory for BFSI vertical across the globe for all types of Risks