The Evolving Perspective on Generative AI: From Technology Risk to Operational Risk
In financial services, generative AI (GenAI) has rapidly emerged as both a transformative opportunity and a formidable risk. According to a recent ORX survey, three-quarters of financial institutions now classify oversight of GenAI under operational risk. This pivotal shift highlights how GenAI is increasingly perceived as a broader business risk rather than merely a technology-specific challenge. For banks and other financial institutions, this development underscores the necessity of integrated risk management (IRM) frameworks to effectively navigate the complexities of AI adoption.
The Shift Toward Operational Risk
Historically, technological innovations like GenAI would have fallen squarely under the purview of technology or information security teams. However, the ORX findings reveal that 75% of institutions assign GenAI governance to operational risk, often in collaboration with technology (42%) and cyber risk functions (33%). This broader operational focus suggests that financial organizations recognize the pervasive nature of AI risks—ranging from information security to external fraud and data privacy.
The survey also highlighted significant concerns among operational risk managers, particularly around information security (77%), external fraud (55%), and data security (54%). This alignment with operational priorities indicates that AI-related risks extend beyond technical vulnerabilities to encompass enterprise-wide processes and reputational impacts.
Why GenAI is a Business Risk
Generative AI poses challenges that transcend technological boundaries. Its integration into business operations—from customer engagement to decision-making—creates unique vulnerabilities. For instance, smaller third-party vendors experimenting with AI tools may inadvertently expose financial institutions to heightened risks. This interconnectedness necessitates a multidisciplinary approach to risk governance.
Steve Bishop, ORX’s research and information director, aptly notes that AI governance requires combining diverse perspectives, from operational risk professionals focused on control environments to cyber risk managers concerned with the threat landscape. As organizations strive to harmonize these viewpoints, they increasingly rely on cross-functional AI governance frameworks to ensure safe and rapid adoption.
The Role of Integrated Risk Management
Integrated Risk Management (IRM) provides the ideal foundation for addressing GenAI risks as a business challenge. Unlike traditional siloed approaches, IRM enables organizations to:
Unify Governance: By consolidating oversight across operational, cyber, and compliance functions, IRM ensures a cohesive risk management strategy.
Enhance Transparency: IRM frameworks facilitate a better understanding of AI-related risks across departments, promoting informed decision-making.
Improve Agility: Financial institutions can respond more effectively to evolving risks by leveraging real-time data and predictive analytics.
Preparing for “Speed and Scale”
The pressure to scale AI initiatives will only intensify as financial institutions continue experimenting with AI pilots. ORX anticipates that by 2025, GenAI will be deployed at “speed and scale,” making robust risk management practices even more critical. Establishing a standard control environment for AI governance will be essential to keeping that adoption both safe and rapid.
A Vision for the Future
“Generative AI is not just a technological innovation; it is a strategic business enabler that comes with significant operational complexities,” says John A. Wheeler, Founder and CEO of Wheelhouse Advisors. “To navigate these complexities, financial institutions must adopt integrated risk management practices that align AI governance with broader business objectives. By doing so, they can harness the transformative potential of AI while safeguarding their organizations against emerging risks.”
In this transformative era, banks and financial institutions must view GenAI as a multifaceted risk that touches every aspect of their operations. Integrated risk management offers the tools and frameworks to address these challenges effectively, ensuring resilience in an increasingly AI-driven world.
References
Crowley, John. “GenAI risk falls under OpRisk, ORX survey finds.” Banking Risk and Regulation, April 29, 2024.
“Risk management considerations for generative AI: Key risks and concerns of GenAI in risk management.” ORX Cyber, April 2024.