Preparing for a future with artificial intelligence: The critical role of enterprise risk managers

Date
November 20, 2023 | Updated on November 21, 2023
Authors
Elizabeth Byers, Anthony Vetrano, Cynthia Vitters, John Basso, Eliza Clark, Mark Stofanak

On Sept. 26, in anticipation of President Biden’s executive order on the use of artificial intelligence in government, the Partnership for Public Service and Deloitte held a virtual working session that examined how agencies can use enterprise risk management, or ERM, to safely and securely harness AI to work more effectively.   

The session featured panelists Taka Ariga, chief data scientist and director of the Innovation Lab at the Government Accountability Office, and Wayne Taylor, senior risk advisor at the IRS, with moderation by Deloitte & Touche LLP Managing Directors Cynthia Vitters and John Basso.  

The discussion highlighted several frameworks that risk managers could consult to drive the responsible use of AI at their agencies. These frameworks touched on a range of issues, from balancing AI risk and opportunity to capturing and monitoring risks to fostering collaboration between technologists, humanists and others to form a dynamic AI risk team.  

Frameworks for AI risk management 

While AI has the potential to make government work more efficiently, implementing this new technology comes with a unique set of risks—risks that will continue to grow as AI matures and evolves.  

The Government Accountability Office and the National Institute of Standards and Technology have released frameworks to serve as a foundation for responsible AI adoption and risk management.  

Published in 2021, GAO’s AI Accountability Framework outlines four key principles—governance, data, performance and monitoring—for the application and responsible implementation of AI systems.  

“This framework and ERM principles are complementary,” Ariga noted, emphasizing that many practices in the GAO framework—such as appropriate governance structures—are already familiar to ERM practitioners.

The NIST AI Risk Management Framework outlines four core functions—govern, map, measure and manage—of AI risk management that agencies may apply to their particular risk contexts.  

Taylor shared how the IRS has used NIST’s framework and guidance on trustworthy AI principles to identify the types of AI risk that relate most to the agency’s operations and mission. The IRS is now thinking about how to operationalize NIST’s four core functions, building on the agency’s existing risk management processes.  

“I realized it’s not entirely different from what we’re already doing today,” Taylor said of the NIST framework. “It just needed to be augmented for AI.” 

Takeaways on AI risk management 

How might the federal risk management community put these principles into practice? Our session offered three key recommendations: 

  • Get started. It’s understandable, given the complex and rapidly evolving nature of AI, to want a more detailed roadmap for how to approach AI risk management before starting the process. Teams should begin AI risk management efforts using current resources and knowledge (e.g., an enterprise risk register), gauging what works and what needs to be adjusted as more is learned and as technology and regulations evolve. “Trying something is how to get to what good looks like,” Taylor said. 
  • Emphasize continuous monitoring in AI risk management plans. Active risk management is needed throughout the lifecycle of AI systems, as the performance and risks of the system often shift over time. This contrasts with many other tools that can be transitioned to incident management processes once they are operational. This continuous monitoring may assist in balancing AI risk and opportunity. 
  • Incorporate a wide variety of stakeholders. According to Ariga, responsibly implementing AI is a “team sport” that should involve different perspectives from across an agency as well as end users who may be impacted. ERM practitioners are well positioned to facilitate this collaboration, building on their existing programs that collect risk information through both bottom-up and top-down processes. This approach incorporates a wide variety of viewpoints, which are crucial to AI risk management.

This blog was co-authored by teams from the Partnership for Public Service (Elizabeth Byers and Anthony Vetrano) and Deloitte (Cynthia Vitters, John Basso, Eliza Clark and Mark Stofanak). 

