Innovating AI in user experience (UXD) to empower the first line of defense
The potential applications of rapidly evolving artificial intelligence (AI) across industries continues to dominate the headlines. Opportunities for smarter solutions and more efficient applications present decision-makers with new choices in their technical strategies. One area includes the role of AI in Risk and Compliance Management. In a wide-ranging interview, Laura Polak and Christophe Delaure share insights on how innovating artificial intelligence (AI) via User Experience Design (UXD) will soon transform risk and compliance management, empowering the first line of defense, and enabling the business to realize the value of “owning” risk. Laura Polak is Head, GRC Offering Management, and Christophe Delaure is Senior Product Manager for OpenPages at IBM.
Challenges in Risk and Compliance Today
Laura: Christophe, I thought we could begin this RegTech Innovations blog interview by talking about a critical business challenge in risk and compliance today—how to engage the first line of defense—and how this relates to some of the innovative work that we’re doing today on artificial intelligence (AI), user interfaces (UI) and user experience design (UXD) in governance, risk and compliance (GRC). I recall a recent conversation in which you mentioned the shift in how the first line of defense sees risk and compliance compared to just a few years ago?
Christophe: Well Laura, as you know with your background in banking and OpRisk, if we look back just 10 years ago, the risk team was really kind of a specialist team within an organization. It was usually a fairly small team—50 people, maybe a bit more, depending on the organization. Obviously, when you start dealing with risk, and you’re part of a huge organization with a team of only 50 people, you start by engaging the F first line of defense. The problem at that time was that the first line was using tools that were really meant for specialists, pretty decent solutions, but really, solutions focused on risk management and not on engaging the first line of defense.
Over the past decade, things started to change as the responsibility of the risk team grew. You’re a small team within an organization, and you need to understand the risk for this business or for this process. And that was a challenge that became bigger over time—because they had to start working more with the first line of defense. If we look back 10 years ago, I remember speaking with some people in the first line, and their view was: “Ah, here again the risk team with their spreadsheets, with the hundred different questions that I answered last year and I need to go through that again.” They didn’t really feel that this was part of their job.
Laura: I agree with you. I worked in a bank in OpRisk, and I think there was a certain amount of “how do I get in, get out, get it done as quickly as possible.” And like you said, back then we had smaller teams. For example, at the time that I joined OpRisk, my team was only four people. Now, of course, it’s like dozens, and compliance has exploded since then. It went probably from teams of like 20 to 25 people to teams of like 200 to 300 people, as compliance has become a bigger issue within most organizations, and especially financial organizations. At the time, many people in the organization didn’t necessarily feel that they “owned” this risk. I agree that it has changed today, but it took that decade or more to get here.
Christophe: Exactly. It was seen as a task or distracter to their jobs, from a first line of defense perspective, based on what they’re supposed to do on a day-to-day basis.
Risk is Everybody’s Responsibility: The First-Line of Defense
Laura: So that leads us to today, and the question of how the second line of defense is working with the first line? How has it improved, and why?
Christophe: In the last year, we talked to a number of our customers about this and it was interesting how many shared the same experience—a shift in perspective to where risk is increasingly seen as everybody’s responsibility. Across the business, people are saying: “I own this, I should be more involved with the GRC solution.” We’ve seen this across the board actually—and especially for customers that have thousands in the first line of defense for their GRC solution. Once they reach this level, they all say that the first line now understands that this is their responsibility too.
Laura: Do you think that’s happened because now, 10 years later, there is a lot more data out there along with new analytics technologies, so that the business can actually see the value in what’s been collected? So the shift we are seeing in the first line of defense is a result of their realization that there is value in what they can get out of this to make useful business decisions, such as their risk appetite?
Christophe: Yes. When you start initially, there may not be much in the system. But as you start putting in information for everything that happened, risk events, or loss or control testing or just the definition of the control, this is kind of an incremental type of data. After a few years, what you end up with is really valuable information, and increasingly the first line see that as they use it. Now, factor in the reality of organizational fluidity: when you have a new person coming in they can actually rely on the information that was collected by previous person in their role—they can actually look and see the history around it. I think that is one of the things that make people across the business see that risk is also part of their job. That is a huge shift and we’ve seen it, as I said, for people that actually engage with the first line of defense in using a centralized GRC solution—the more they use it, the more they are engaged, the more likely they are to understanding the value of GRC to their job.
Evolving the GRC Platform: Analytics, AI and the User Experience
Laura: Let’s talk more about those tools—how using analytics against the data has been helping create a maturation in the first line. How do you see today’s GRC platform evolving or enabling the business to foster this maturation? Where is the focus of innovation moving forward?
Christophe: When we look at the most advanced, the most mature customers we also see that the GRC platform needs to enable the growth and the maturity that is essential for the business to take charge to tackle risk and manage risk correctly. The GRC platform needs to empower the first line of defense. To enable this there are three different components. First, you have something that needs to be easy to use for the first line. Consider the challenge of engaging with 5,000 people in your organization; sometimes people who are new to the concept of risk? Also, organizations are increasingly fluid today. As well, you need something that abstracts the complexities underlying risk. That is actually incredibly important, otherwise the first line is going to say: “What are you telling me? I don’t understand why I need to do this?”
In sum, you need a UI that is engaging for the end user. But now on the other side, risk and compliance is still really complex. You have different taxonomies, you have 200 controls, and there is no way that the first line will be able to understand the underlying intricacies of what is, admittedly, an increasingly complex practice.
So what we started to do last year is to include artificial intelligence (AI), with cognitive components to provide expertise at the fingertips of everybody. Now if you don’t know how to classify something, the engine can actually help you classify it based on the description of the issue, with natural language processing providing suggestions to significantly enhance the ease of use of the UI. But you still have different taxonomies different classifications, hundreds of controls or risks in your library. So we innovated the UI with Watson. With cognitive technology, the user can actually see and be given suggestions based on the information they entered, based on natural language and standard text.
These innovations via user experience design (UXD) are really important in empowering the first line: creating an engaging UI that is easy to use, and can provide training, with added expertise from integrating cognitive technology in the solution.
Laura: Christophe, I think your point about inevitable organizational change is particularly interesting. For the business, being able to use the platform to get new users up to speed more quickly is always going to be a real win for the organization in terms of time spent doing these kinds of things. Also, going back to a comment you made earlier—that risk and compliance is everybody’s business—this is increasingly important as we’re seeing institutions where anybody can raise a loss. Enabling more people in the business to better understand these complexities creates a lot of value for an organization.
Also, it is fascinating to see how the view of risk and compliance has evolved so radically in such a short span of time. For example, one of the results of a more engaged first line, I think, is the rise of what we call “risk champions” in the business. A decade ago there were very few of these but now we are seeing more business risk officers or risk champions. Still very much business people—specialists in their particular business line, whether it’s wealth or trading or retail or whatever it is in the front lines—who leverage risk to add value to their business decisions. So I think the innovations in UI and ease-of-use you’re talking about are very crucial for them, because they want to easily do the things that they need to do to create that business value on the GRC side.
Christophe: Yes, exactly, it’s not only about owning risk, but being able to make informed decisions based on the risk data. So they start to be able to make decisions based on risk for their business. This is the dream for every organization—it’s a win-win situation if your first line of defense is leveraging risk management in ways that can make better decisions for the business—that’s the ultimate goal: a win-win for everybody—for the risk team, for the first line, and for the organization.