
Episode 5: Risk Management & AI

This episode provides an overview of the main components of Enterprise Risk Management as a basis for examining how AI adoption could be formally addressed by an organisation such as intereach. It outlines certain assumptions regarding the current state of intereach's risk management structure before considering how AI risk management may be incorporated into this framework.
Enterprise Risk Management (ERM)
It is recognised that intereach may not strictly meet the definition of an enterprise; however, as a large not-for-profit organisation, many ERM concepts remain relevant and applicable. In brief, there are seven main components to consider as the fundamentals of an ERM framework:
  • Governance and Organisational Accountability: Establishing a defined structure for oversight and accountability for risk management within the organisation, including an audit function to verify that operational risk management and oversight responsibilities are being implemented effectively. Risk policy definition would also be considered when defining accountability.
  • Risk Culture Development: Encouraging awareness of risk across the organisation by promoting transparency and providing an environment where risks can be reported safely (see AI Prompt).
  • Risk Characterisation Mechanism: Implementing standard principles or guidelines for organisational alignment in handling risks, such as capturing, assessing magnitude, responding to, and escalating risks.
  • Regular Risk Assessment: Conducting scheduled reviews to identify both internal and external risks, with emphasis on those outside normal organisational attention, and formally recording identified risks and their characteristics.
  • Risk Control Procedures: Developing a program to address risks, noting that effective mitigation requires appropriate resources. Mature organisations often use technology to support their risk management framework instead of relying solely on manual methods.
  • Key Focus Areas: While risk management is comprehensive, certain areas may require dedicated focus such as Continuity Management, Risk & Strategy, Cybersecurity, and Compliance & Regulation.
  • Framework Review: Regular evaluation and adjustment of the entire risk management framework is recommended, following the Plan-Do-Check-Act (PDCA) methodology.
intereach Current State
  • intereach has established key elements for managing organisational risk. However, some areas may require further attention based on experiences observed in other organisations.

  • [NOTE: This blog does not recommend the adoption of complex, process-intensive risk management frameworks, as these may provide an appearance of oversight without offering practical benefits to the organisation. For intereach, it is important to clarify the purpose of risk management and ensure that efforts are directed towards building ongoing risk maturity, while keeping these core objectives in view.]
  • Potential areas for attention:
  • Staff Engagement: Developing a risk culture, particularly given emerging AI capabilities, involves ensuring that communication about organisational risk reaches all team members. A key step is establishing the expectation that risk-based policies and procedures are reviewed regularly (at least twice annually) by managers and staff. While employees are expected to educate themselves, there is too much at stake for intereach and its participants to rely solely on self-education for building a comprehensive risk culture.
  • Risk Ceremonies: Allocating time for risk assessment is often seen as an overhead that is the responsibility of leadership, with the result that assessments occur only when required by compliance schedules. A more effective approach is to embrace the benefits of risk management outcomes (productivity improvement, cost efficiency, etc.) by embedding risk assessment into key operational forums. This approach engages subject matter experts safely and directly in productive risk discussions and quickly surfaces relevant risk context.
  • Self-Analysis: Implementing the PDCA cycle effectively within any business process supports organisational improvement. Organisations can find it challenging to distinguish between using a risk management framework and evaluating the effectiveness of the framework itself. It is important for leadership to differentiate between immediate benefits of applying the framework and long-term advantages gained from ongoing framework enhancement (see AI Prompt).
AI implications for ERM
Considering AI and the current risk management structure, intereach may consider the following top three recommendations to further enhance their position:
  • Policy Updates: Adjust the technology usage/adoption policy to define acceptable AI use cases, require a risk assessment before AI adoption, and specify approval authority based on risk level. The policy should explicitly address model risks (bias, accuracy), implementation risks (integration, security) and usage risks (over-reliance, misuse).
  • Staff Advice: Develop and deliver organisation-specific AI guidelines and training for all staff covering acceptable use, risks and escalation processes, with regular refreshers and a mechanism to confirm understanding (e.g. attestation, testing).
  • AI Governor: Appoint a senior executive as AI Governance Lead with clear authority to assess, approve or reject, and monitor AI initiatives using the existing risk framework. This role reports to the intereach board/senior leaders forum and ensures that AI risks, controls and incidents are addressed at the appropriate governance and operational forums, with defined escalation thresholds (see AI Prompt).

AI Prompts for further research...

"What are the key observable differences in how organisations with mature risk cultures versus immature risk cultures handle risk identification, decision-making and incident response in day-to-day operations?"
"How should organisations structure the governance of their risk framework to clearly separate framework operations (using it day-to-day) from framework management (assessing and evolving it), and why do these often get conflated?"
"What are the core responsibilities that need to be covered for effective AI governance, and how do organisations typically assign these to existing roles versus creating dedicated AI governance positions?"
