Risk management supports technology spread
Question: Having mapped the risks associated with emerging technologies like API, RPA, AI, ML, etc, what patterns have you observed?
The wide variety of technologies and the interconnections between them are creating a system that is beginning to resemble the ecosystem of nature that we live in. Nature has a way to keep the ecosystem in balance which enables living organisms to thrive. Risk management concepts and practices are evolving to sustain the technology ecosystem in a similar manner.
ABHILASH BALAN, CISO at Digit Insurance
Although there is a direct benefit of using APIs for faster integration with partners, it is an immediate target for hackers as well. There are multiple security risks associated with API and process automation, such as leakage of customer data, fraud, etc. With respect to AI and ML, it requires more data and is more complex to implement than others. Apart from that, there are vulnerabilities, misconfigurations, providing false information, etc. We have ensured security does not take a back seat during our adoption of newer technologies and have implemented robust framework around the same.
ANIL PINAPALA, CEO at Vivifi India Finance
AI, ML, API, etc, are the most common terms in the startup world, with or without adoption. Having been in the lending space for over 20+ years, it is important for us to ensure that a deserving customer is not turned down while at the same time, the rogue players – synthetic fraud or wilful defaulters – are not let in. In this process, we need to analyze data provided or authorized by the customer, sought from public domain databases, credit bureaus, etc, analyzed within seconds in realtime and offer a reasonable answer to a customer looking for emergency credit.
So, the reliance on RPA, AI, ML or similar technologies is heavy and has been one of our key differentiators in building a strong and profitable book of loans working with the underserved and unserved customers. While most exaggerate the use of these technologies, using these in the right way can accelerate business growth in this competitive space. We have strong audit and oversight processes to ensure that the various algorithms being utilized continue to work within the scope and guidelines laid out when implementing them.
AVNEESH TRIVEDI, CRO at Moneyboxx Finance
Emerging technologies have helped in assessing and forecasting repayment patterns during last and the current covid wave. It also gave a sense about the customer occupation segment impacted on high, medium and low parameters. Identification of new hotspots was also done with the help of technology tools.
BIKASH CHOUDHARY, Appointed Actuary & Chief Risk Officer at Future Generali India Life Insurance
Technology is constantly evolving almost daily, and with these changes, new risks are emerging. For us, it is important to keep ahead of the curve and remain innovators in the insurance space by not only adopting relevant emerging technologies but also managing the risks arising from holistic adoption of these.
Across organizations, stakeholders including the board, functional heads and internal auditors are exploring ways to improve efficiencies and provide cutting edge solutions and
products to clients and stakeholders by leveraging emerging technologies. More often than not, however, organizations tend to either ignore or side-line security and risk considerations, while implementing new technological solutions.
With technologies characterized by little or very little intervention of human beings, risk management plays a pivotal role in their implementation. Here are some key risks and controls that an organization should consider while implementing or planning to implement new technologies.
(i) Non-standardization of processes
– This often leads to solutions being customized to an organization or a business unit, resulting in errors and increased cost of automation. Before implementation, organizations should first standardize most of their processes across business units.
(ii) A lack of ownership, roles and responsibilities
– Functional heads tend to think that a particular technology solution is owned by IT, while IT think of themselves as just the enabler and the functional heads as solution owners. This leads to a situation where nobody owns the errors and problems of a technology driven solution. Organizations should clearly define the ownership, roles and responsibilities of each of the stakeholders for any technology solution they adopt.
(iii) Data privacy and cybersecurity
– Technology implementation comes with several inherent risks such as internal privileged access rights that can be exploited by cybercriminals. This can lead to the confidentiality, integrity and reliability of data that the organization processes being compromised. Organizations should review and deploy adequate cybersecurity and data privacy controls, depending on the data exposure and extent of personal data available within the organization.
(iv) An effective change management process
– As the level of automation within an organization develops, data mapping and configuration will also change. If the related configurations and data mapping are not updated within the technology solutions, it will deliver inaccurate results and incorrect output. Organizations should define and adopt a strong change management process to mitigate this risk.
(v) Process documentation
– In many cases, process documentation is not updated, making it difficult to manage changes at a later date in the application. Organizations shall ensure that all documents, supplier/ vendor information, inputs, logic processing, outputs and customer information are updated, which enables any changes to be easily implemented when required.
(vi) Selection of the technology solution and partner
– Failure to invest in the right solutions and partners can directly impact the viability and outcome of an organization’s digital journey. Inappropriate investment can lead to a waste of time and money. Organizations should perform adequate due diligence while selecting a technological partner and tools.
DAMODARAN C, Vice President & Chief Risk Officer at Federal Bank
AI/ML systems and models have high dependability on the environment and input data to learn and train itself. Any changes in the variables, outside the possible bounds, renders judgement of the system/model ineffective. These models should have an effective governance mechanism and constant oversight to ensure that the system is functioning as envisaged. The volatility induced by the pandemic has altered the variables to a great extent such that the present and future cannot be predicted only using historical observations.
Further, the possibility of corruption of input data by rogue elements manipulating loopholes also needs to be watched for. As more applications are migrating to fully digital mode with straight through processing and intelligent processing mechanisms, governance and oversight framework should be routinely updated and adhered to.
Federal Bank has adopted multiple controls for managing risks associated with emerging technologies. We rely on trial runs, random verifications, ongoing monitoring and periodical validations to ensure that the bank remains the master over technology.
K R MOHANACHANDRAN, Chief Risk Officer at ESAF Small Finance Bank
Technologies like AI, ML, RPA etc are all based on algorithmic models and knowledge base. The pattern observed is that there are high chances of accidents, unanticipated consequences and privacy violations. We ensure proper security tests before moving on to production and also when any major modification happens in the code.
A huge risk with AI and ML is that these technologies are highly prone to bias and prejudice. This fact is often ignored or underestimated. It will require consistent evaluation by the AI/ML implementation team to identify whether the AI/ML engines develop bias, prejudices or throw stereotype outcomes.
PRITHVI CHANDRASEKHAR, President Risk & Analytics at InCred
We use technologies like APIs and AI/ ML models extensively. These tools are central to our business model and, in the balance, mitigate risk. The specific risk created by these technologies is complexity.
For example, 20 years ago, my risk models were all generally regression equations that were not hard to interpret intuitively. Now, more powerful AI/ ML models use synthetic features that are harder to interpret. We mitigate this risk by ensuring that some human supervision of models is always maintained.
RAKESH BANSAL, Chief Risk Officer at Hero Housing Finance
Many credit checks were done through APIs integrated through fintech companies. We were validating PAN, bank statements, etc, through APIs which made the process far more efficient.
ROOPAM ASTHANA, CEO & WTD, Liberty General Insurance
Liberty General Insurance works with mainly API & RPA technologies and has recently introduced AI/ML in its processes. Besides the risk of the vendor going out of business and resultant inability to provide continuing support, expected risks include non-standardization, poor design, selection of wrong processes, faulty allocation of roles and responsibilities, lack of strategic approach, dependence on related system / process changes, which may not be managed synergistically and lack of inhouse experience in managing these technologies.
If done the right way, it has many benefits like improved efficiency, innovative approach to customer experience, saving time, removing manual dependency which had led to errors, ease to reuse and quicker response time. These benefits can be achieved with the right knowledge of the developers, clear requirement analysis, functional and non-functional design study, lifecycle planning and a thorough look from the governance and compliance angles as well.
SUJAY DAS, CRO at MoneyTap
API integrations have helped the financial lending world to get different types of verifications of thousands of customers within seconds. Machine Learning models have given a boost to predictive power of different models, bringing out hidden patterns from data. RPA has allowed repetitive work to get automated and increase efficiency. Today, using all of these, fintech companies are able to service different segments of customers with their financial needs quicker and with better accuracy.
SUNDER NATARAJAN, Chief Compliance & Risk Officer at IndiaFirst Life Insurance
Two key risks are (i) the problem of plenty and (ii) the risk of fast paced change. Embracing emerging technologies has become a necessity to keep pace with the market and make rapid improvements in uplifting process productivity. Apart from the customer, the expectations of other key stakeholders like distributor, regulator and the shareholder have gone up. There is a deluge of service providers and identifying the right partner is critical. The risk of obsolescence is high as newer versions keep coming up quite often and as a result, doing a cost-benefit analysis over a long period is tricky.
VENKATA JAYARAMAN M., Chief Risk Officer at Fincare Small Finance Bank
Some of the patterns observed are in the following areas: (i) Quality of data (ii) Handling of business-critical data (iii) Level of integration (iv) Interoperability (v) Upgradation of technology stack and (vi) Security review of platform, middleware, and technology stack.
VIJAYALAKSHMI NATARAJAN, Chief Compliance & Risk Officer at Aviva India
Technology is constantly evolving, and new opportunities are arising every day. But as is often the case with new opportunities, come new risks. Artificial intelligence, robotic process automation and the cloud are emerging technologies that particularly excite because of their capacity to do all these things and completely transform organizations in the process.
AI is only as good as its teacher – its outcomes can be affected by poor training, bias and ‘bad data’. AI can deliver erroneous outcomes due to bias in data, algorithms, or development teams. Another prominent area of risk that has emerged is the third-party risk that arises when organizations are relying on external providers for these new technologies – a reliance that is set to increase and create an even more complex ecosystem. Risk now needs to be considered and designed at the inception of new products, services, channels or transformation. To create trust, all risks must be addressed together, at the same time – and critically, ahead of time.