The pace of digital transformation in most investment firms quickened significantly at the onset of the pandemic, as work-from-home orders led firms to facilitate and extend remote working for staff. That another pandemic – or equally operationally impactful event – may arise again within our lifetimes has not been ruled out by leading scientists, yet a recent study found that 40% of investment firms still do not complete a yearly compliance risk assessment. This leaves those firms vulnerable to compliance, legal, audit, financial and operational risks, and hampers their ability to mitigate new or evolving risks effectively. Meanwhile, some risk types, such as the growing cybersecurity threat, are becoming more challenging to mitigate. Legacy governance, risk and compliance (GRC) tools may not be up to the task, and firms may soon find that the only way to enhance their view of all risks and mitigate them is by using a new generation of artificial intelligence (AI)-enabled GRC tools.

By GreySpark’s Mark Nsianguana, Manager and Rachel Lindstrom, Senior Manager

AI-enabled tools utilise one or more advanced technologies such as machine learning, deep learning and natural language processing. The use of AI-enabled tools is a growing phenomenon across a range of GRC programmes. As these technologies evolve, those firms that embrace AI-enabled tools – and are able to use them effectively – will be better positioned to face what is, by definition, an uncertain global future.

GreySpark’s Digital Governance Transformation Maturity (DGTM) Model for governance, risk and compliance (GRC) was described in the recent article, Digital Transformation of Governance. The model, illustrated in Figure 1, can be used to identify the current stage of an investment firm’s ‘digital maturity’, and presents a high-level roadmap along which firms can build incrementally upon their previous transformational work.

Figure 1: Progressive Digital Governance Transformation Maturity (DGTM) Model

Source: GreySpark analysis

Briefly, the DGTM model is comprised of five stages:

  1. Initial – This stage is characterised by ad-hoc or informal – mainly manual – processes. There is no formal governance structure in place and the firm addresses immediate issues as they arise. This stage is ground zero for firms on a GRC journey.
  2. Developing – As the firm begins to recognise the importance of a formal GRC programme, it has reached the ‘Developing’ stage. During this stage, the firm begins to implement basic or automated processes and tools.
  3. Defining – Once the firm has in place a well-defined GRC framework that is fully integrated with the firm’s business strategy, it has entered the ‘Defining’ stage. During this stage, the firm establishes risk and compliance metrics, performance indicators and governance structures, and begins to integrate the GRC programme with other internal systems in order to automate and streamline processes across the various lines of defense.
  4. Managing – By this stage, the firm has implemented a mature GRC programme that is fully integrated with its internal systems. During the ‘Managing’ stage the firm embeds GRC-thinking into the firm’s culture. By the end of this stage, there is a strong governance structure in place and the firm is able to respond to any changes in the risk and compliance landscape.
  5. Optimising – During the final ‘Optimising’ stage the firm enhances its GRC programme by incorporating advanced analytics, smart machines and emerging technologies. The GRC programme becomes highly efficient and effective, and substantial agility of the systems and processes facilitates their own continuous improvement. Using AI-enabled tools, the systems can harness massive amounts of data and their learned intelligence allows them to make optimal decisions in a fraction of the time it would take the staff to do.

Using the DGTM model, a firm can identify its current level of GRC maturity and, at a high level, understand what the firm needs to do to reach the next stage. At each stage the firm needs to undertake a detailed assessment of the current state of its GRC processes, define in detail the target state and develop a roadmap to take them to the next stage. Often it is necessary to implement consequential initiatives and, always, there is a need to monitor progress and identify opportunities for continuous improvement.

The implementation of AI-enabled tools takes place in the final ‘Optimising’ stage of the model. This article explores whether AI-enabled tools can also be utilised to accelerate investment firms through earlier maturity stages of the DGTM model.

GRC Projects for Investment Firms

While many investment firms have already settled on their self-assessment and controls review processes and the approach they will take to risk-based analysis in the electronic trading risk management space, few have mature GRC tools and processes in place or sufficiently staffed lines-of-defence with the required authority and skillsets. Many firms are finding that they are expending too much effort in the administration of the processes for risk control self-assessment (RCSA), and that they do not reap enough value from their controls-work to benefit front-line businesses. So, while investment firms face growing and evolving risks, staff find the risk assessment process too onerous. A potential remedy for this disquieting situation is the introduction of advanced technologies at an earlier stage in the maturity curve, to process data and deliver insights that are of value to the business as well as to GRC teams. How and when precisely the AI-enabled tools could be applied, and the benefits that could be gleaned, can be illustrated by exploring their potential application in the context of real-world historical engagements.

The following are descriptions of the outcomes of GRC project engagements that GreySpark undertook some time ago. Each includes an explanation of how an AI-enabled tool could potentially further enhance these firms’ ability to manage their risk and compliance more effectively today.

These use cases indicate that the use of AI-enabled tooling becomes more valuable for firms looking to move along the curve from an intermediate maturity stage of the DGTM model. Employed to analyse large amounts of unstructured data that flow between already integrated systems, they can enhance both the efficacy and operational efficiency of GRC platforms. If a firm at the Initial stage were to employ AI-enabled technology, it would find that there is insufficient data available to analyse. Unintended bias would then be incorporated into derived insights.

Use Case No. 1:

Governance Project Engagement

Problem Statement

The investment firm was struggling to create and maintain an effective governance framework that aligned with industry regulations, internal policies and stakeholder expectations. Consequently, there was a lack of accountability, transparency and consistency in decision-making processes. The firm needed a comprehensive and integrated governance framework that could provide clear guidelines and standards for managing risks, ensuring compliance and promoting ethical conduct.

GRC Implementation

The investment firm was identified to be at the ‘Initial’ stage in the DGTM model. GreySpark helped the firm establish clear policies and procedures to ensure that decisions could be made in a consistent, transparent and accountable way. With the implementation of an electronic GRC platform, the firm moved into the ‘Developing’ stage of the model. At this point, the firm was able to meet its regulatory and compliance obligations, as well as automatically monitor changes to regulations, assess the impact of these changes and implement controls to ensure compliance.

Figure 2: Maturity State Progression for Project Engagement and Projected Progression using AI Tools for Use Case 1
Source: GreySpark analysis

AI-enabled Tooling

If the firm were subsequently to implement an AI-enabled GRC platform, larger volumes of data could be analysed, and patterns and trends identified that are relevant to governance-related risks and compliance obligations. This is contingent on the platform being fed with appropriate data via integration with other systems, such as Policy-, Risk-, Compliance- and Incident-Management systems. The data from those systems could be used by the AI-enabled tools on the GRC platform to uncover real-time insights. Consequently, the firm would enhance its risk management within an evolving culture of risk awareness and accountability, ensuring it meets regulatory requirements and industry best practices.

Headline Benefit of AI-enabled Tools

Advanced analytical tools that employ natural language processing and machine learning tools enhance decision-making and improve efficiency, leading to more effective governance practices and better risk mitigation strategies. The implementation of the AI-enabled tools would pull the firm more quickly along the maturity curve and onto the next stage – the ‘Defining’ stage, where the firm’s focus will be on establishing risk and compliance metrics, performance indicators and governance structures, and beginning to integrate the GRC programme with other internal systems.

Use Case No. 2:

Risk Project Engagement

Problem Statement

The investment firm faced challenges typical of firms at the ‘Initial’ stage of the DGTM model, including the lack of an accurate and up-to-date inventory of controls to mitigate risks. The absence of a comprehensive and centralised control inventory can lead to compliance issues, ineffective risk management and difficulties demonstrating control effectiveness to auditors and regulators.

GRC Implementation

Implementing an electronic GRC platform helped this firm move from the Initial stage to completion of the ‘Developing’ stage of the DGTM model. The cloud-based platform stored the firm’s algorithmic and control data in a digital format, and the business was able to benefit from enhanced and comprehensive management information and reporting. This gave management good visibility of any compliance gaps and provided them with notifications of the completion of control inventories and attestations in real-time. The implementation stopped short of being fully integrated with the firm’s business strategy and it did not integrate with other internal systems to automate and streamline processes across the various lines of defense.

Figure 3: Maturity State Progression for Project Engagement and Projected Progression using AI Tools for Use Case 2
Source: GreySpark analysis

AI-enabled Tooling

If the firm were to implement AI-enabled tools during the ‘Defining’ stage, the firm could streamline the integration of data sources and identify and flag errors or inconsistencies in the data, making it easier for employees to resolve issues quickly. Incorporating the firm’s testing systems into the AI-enabled GRC platform would mean that the testing of controls could be automated using intelligent algorithms that simulate control scenarios and identify control gaps more accurately and more quickly. This, in turn, would help reduce the risk of control failures and improve the overall effectiveness of controls. At this point, the firm is at the beginning of the ‘Managing’ stage.

Headline Benefit of AI-enabled Tools

The advanced analytical tools that employ natural language processing and machine learning tools allow the firm to proactively identify and assess risks, make informed decisions and increase its resilience to potential risks through its use of the predictive analytics and automation capabilities. Overall, the addition of advanced analysis at this stage in the DGTM maturity curve would accelerate the firm through the ‘Defining’ stage and into the ‘Managing’ stage. At this point the firm will have a robust framework via which it can manage risk.

Use Case No. 3:

Compliance Project Engagement

Problem Statement

The investment firm was unable to accurately assess the efficacy of its internal controls, policies and procedures and the ability of employees to ensure compliance with regulations and internal policies. The firm needed a streamlined, automated and objective self-assessment process that could effectively identify control gaps, assess risks and improve the firm’s overall governance framework.

GRC Implementation

Implementing a GRC platform helped this firm move from the ‘Initial’ to the ‘Developing’ stage as it automated the self-assessment process, improving its efficiency and accuracy. Control gaps and risks were more efficiently identified, which allowed the firm to take more timely corrective actions. The platform’s reporting and analytical capabilities enabled the firm to track its progress over time and identify areas for improvement.

Figure 4: Maturity State Progression for Project Engagement and Projected Progression using AI Tools for Use Case 3
Source: GreySpark analysis

AI-enabled Tooling

Integrating the GRC platform with self-assessment and other risk management and compliance systems would help to address risks more holistically across the firm. Natural language processing coupled with machine learning tools could help firms in the ‘Managing’ stage reach the ‘Optimising’ stage more quickly and smoothly. Analysis of unstructured data, such as policies and procedures, could more rapidly identify control gaps and uncover risks that may not be evident from the cursory and limited analysis of a subset of the vast dataset with a traditional toolset.

Headline Benefit of AI-enabled Tools

The advanced analytical tools that employ natural language processing and machine learning tools allow the firm to proactively identify and assess risks, make informed decisions and increase its resilience to potential risks through its use of the predictive analytics and automation capabilities. Overall, the addition of advanced analysis at this stage in the DGTM maturity curve would accelerate the firm through the ‘Defining’ stage and into the ‘Managing’ stage. At this point the firm will have a robust framework via which it can manage risk.

Skipping vs Accelerating through Maturity Stages of the DGTM Model

The use cases nicely support GreySpark’s hypothesis that AI-enabled platforms and tools can be used by investment firms to accelerate certain aspects of GRC. However, they do not support the hypothesis that the utilisation of such tools may allow firms to entirely skip a maturity stage of the DGTM model.

The DGTM model runs from the point where firms take a siloed and manual approach to the implementation of GRC platforms through to the implementation of smart analytical systems that can make decisions through their analysis of vast datasets. Progressing sequentially through each stage of the model ensures the firm’s risks, policies, controls, operating model and technology all fit the specific needs of the firm, allowing it to move toward the optimal conditions for the effective management of its risks. Skipping stages of the DGTM model may result in a lack of understanding or oversight of critical risks, which can lead to compliance failures and other negative consequences.

AI-enabled platforms and tools can help investment firms not only when they are at the ‘Optimising’ stage but also help accelerate them through each of the intermediate stages. So, while AI-enabled tools can help investment firms more rapidly evolve into the next maturity stage, it is important to ensure that all stages of the DGTM model are properly executed to effectively manage risks and ensure compliance.