I thought it was about time I did a bit of an update from my side on SAP’s use of AI in GRC focussing on public cloud. Of course we also have amazing cases we are exploring in private cloud, too.
I wrote a GRCTuesdays blog in 2021 where I mentioned my enthusiasm for good use of AI but also noted some concerns about an unmanaged use of AI. These included:
Bias and discrimination
Lack of transparency
Erosion of privacy
Workforce displacement and transitions
I think these are still valid. But that should not stop responsible use of AI.
Well-known analyst Michael Rasmussen mentions growth of use of AI in his GRC trends for 2024: while seeing huge potential he also has the view that “Organizations across industries need to implement oversight of AI to review and approve AI algorithms used in the organization.”
Understand Potential Risk of Using AI in the Business
Following on the risk of implementing AI theme, I attended an interesting OCEG webinar last week on GRC strategies for effective use of AI based on their recent report on the subject.
It made for interesting listening. As with all human-created technology, OCEG notes AI could be a force for good or damage. It depends how we use it. They ask the salient question that gets GRC folks excited: “what structures can we put in place to have it be more of a force for good?”
Some points that I thought to mention here include:
Most organisations have a very decentralised use of AI, and it is not coordinated.
Keeping pace with advancements from vendors providing new AI capabilities is difficult. This has a monthly heartbeat, not annual.
In terms of risk from implementing AI, 70% of those surveyed are not confident their organisation has effective strategies for their existing AI-introduced risks.
58% of organisations do not have employees trained to work with AI.
60% have not trained employees on compliance risks related to AI.
Job posts are looking for AI engineers & developers, nothing to do with AI risk or governance.
They make the practical point that it’s OK not to have use of AI all worked out. It’s a journey. But document your baselines and incremental areas of use, understand your risks, coordinate use, implement governance.
SAP GRC Public Cloud use of AI
In my previous blog I referenced the EU saying that use of AI should be lawful, ethical, and robust. With this and above as a frame of reference I remain optimistic about AI as a “force for good”. Within SAP GRC we are taking considered steps and keeping it business relevant, both in our public and private cloud incarnations. In SAP’s public cloud world this is realised via SAP Financial Compliance Management - which, hot off the press, is now to be called SAP Risk and Assurance Management:
We plan to add an Asset object to FCM later this quarter which in itself is great. During last year we conducted an AI-based PoC, and using this approach we plan to be able to automatically assess the assets’ criticality.
We will implement machine learning to augment Issues: to reduce manual work and improve accuracy, and therefore performance. Based on a PoC and experience in other solutions, the feature will also support prediction of workflows for new Issues. It has a lighter technology footprint too, as it doesn’t need a training model; it uses historical data in the system.
There is an interesting collaboration planned between S/4HANA Finance and FCM: deviations in transactions and processes in S/4HANA Finance are detected using AI. After all, this is where the rich data is. Suspicious cases are automatically raised in FCM to be documented within an internal risk and control framework, investigated, and, if required, remediated. Which is where the assurance is managed.
We plan to implement an AI aid for regulatory intelligence for compliance. It will detect the regulatory requirement and changes automatically after uploading regulations or policies, and identify & suggest changes in the control framework to stay compliant.
We are also looking at more obvious AI use cases such as detecting duplicate controls, and suggesting missing controls based on documented risks.
You can read about these and more in our roadmap explorer. Note: roadmap items may change, or be dropped, or dates changed.
These are indeed exciting times, and at SAP we take implementing AI seriously. We are steering towards a force for good. We are keeping use consolidated and managed, and highly relevant to the core of GRC and to the company’s finance crown jewels in S/4HANA.