AI Crisis Preparedness: Key Roles for Boards and Internal Audit

As artificial intelligence (AI) permeates every facet of business operations, it presents unique challenges and crises that can disrupt organizational stability. These crises can range from technological failures, such as malfunctioning AI systems that cause operational disruptions, to ethical transgressions, including severe consequences as a result of biased algorithms. Furthermore, data breaches involving AI systems can compromise vast amounts of sensitive information, leading to legal and reputational damages. Boards and internal audit play a critical role in steering companies through this evolving AI risk landscape.

Understanding AI Crises: Types and Triggers

AI crises can manifest in various forms, each with significant implications for an organization. Boards must understand these potential crises to devise effective strategies:

• Data breaches and privacy violations. AI systems often process vast amounts of personal and sensitive data. Unauthorized access or data leaks can lead to severe privacy violations and legal repercussions.
• Algorithmic biases and discrimination. Algorithms can inadvertently perpetuate biases, leading to unfair treatment or discrimination, thereby exposing the company to legal challenges and reputational damage.
• Operational failures. AI systems can malfunction, causing disruptions in services or errors in decision-making processes, affecting business operations.
• Dependency and third-party risks. Overreliance on AI technologies, especially those provided by external vendors, can pose significant risks if third parties fail to meet contractual obligations or experience security breaches.
• Regulatory compliance. Compliance failures could lead to fines, sanctions, and reputational harm as governments worldwide begin to implement more stringent regulations on AI usage.

Essential Questions for Boards

To effectively oversee AI crisis management, boards should engage in proactive questioning that spans several key areas:

Risk Identification and Assessment

1. What are the potential AI risks that our organization could face?

Boards should inquire about the spectrum of AI risks, including data breaches, algorithmic biases, and operational failures, to understand their potential impact on the organization.

2. How are these risks being identified and assessed periodically?

Boards should ensure that risk identification processes are continuous and reflective of the evolving AI landscape.

Crisis Management Planning

3. What is our strategy for AI crisis management?

Directors need to review and understand the crisis management plan, ensuring that it includes specific actions for various types of AI crises.

4. Who is responsible for managing an AI crisis, and what are their roles?

Directors should delegate responsibility to relevant parties and clarify roles and responsibilities, which is critical for effective crisis management.

5. How do we communicate during a crisis?

Boards should scrutinize the communication plan to ensure that it addresses both internal and external communications effectively.

Preparedness and Response

6. How prepared are we to handle an AI crisis?

Boards should continuously evaluate the readiness of the organization to implement crisis management plans swiftly and effectively.

7. What training and resources are available to our team to manage an AI crisis?

Directors should ensure that the C-suite is well-equipped and trained, which is essential for effective crisis response.

8. How do we assess the effectiveness of our crisis management efforts?

Boards should discuss mechanisms for evaluating crisis response both during and after an incident to refine future strategies.

Internal Audit’s Role in AI Crisis Preparedness

Internal audit is pivotal to enhancing the board’s oversight and strategic response to AI-related risks. The team’s expanded role involves the below key functions that support the organization's readiness and resilience in the face of AI crises:

Comprehensive Risk Assessment

• Holistic evaluation. Internal audit should conduct thorough and regular evaluations of all AI systems and processes within the organization. This includes assessing the adequacy of risk management frameworks and ensuring that they encompass all dimensions of AI risks, from technical failures to ethical concerns.
• Predictive risk analysis. Internal audit should employ predictive analytics to forecast potential future risks associated with AI developments in addition to generating current risk assessments. This proactive approach helps prepare the organization for emerging threats.

Assurance and Advisory

• Objective assurance. Internal audit provides the board with an objective assessment of how well the organization manages and mitigates AI risks. This includes evaluating the effectiveness of controls put in place to safeguard AI operations and data integrity.
• Strategic advisory. Internal audit helps shape the organization’s AI strategy by offering expert advice, ensuring that risk management is integrated into the decision-making process. It also advises on best practices for AI deployment, including ethical considerations and compliance with evolving regulations.

Operational Resilience

• Testing and validation. Internal audit should regularly test AI systems and their related controls to validate their effectiveness and resilience in various scenarios. This includes stress testing systems against potential crises and simulating response strategies.
• Incident response drills. Internal audit should conduct regular incident response drills and simulations to ensure that the organization is well-prepared to act swiftly and effectively in the event of an AI crisis. These drills also help identify gaps in response plans and training needs.

Compliance and Ethics

• Regulatory compliance checks. Internal audit plays a crucial role in ensuring that the organization complies with all relevant laws and guidelines as AI regulation continues to evolve. This includes ongoing monitoring of changes in the regulatory landscape and advising on necessary adjustments to AI practices.
• Ethical audits. Internal audit should also review and evaluate the ethical implications of AI deployments, given the potential for AI to raise ethical issues, such as biases in decision-making. Ensuring that AI operations align with ethical standards is crucial to maintaining public trust and corporate integrity.

Continuous Improvement and Education

• Feedback mechanisms. Internal audit should establish feedback loops with AI teams and stakeholders within the organization. This continual feedback is vital to refining risk strategies and enhancing crisis preparedness.
• Education and awareness. It is also part of internal audit's role to inform the board and senior management of AI risks and developments. This involves organizing training sessions and workshops to enhance their understanding and ability to oversee AI strategies effectively.

Collaboration and Integration

• Cross-functional collaboration. Internal audit should work closely with other risk management and information technology departments to ensure a unified approach to managing AI risks. Collaborative efforts can lead to more comprehensive risk mitigation strategies and coherent crisis response actions.
• Integration with corporate governance. Ensuring that AI risk management is integrated into the broader corporate governance framework is crucial. Internal audit helps bridge the gap between technological innovations and traditional risk management practices, fostering a culture that is both innovative and risk-aware.

The Board's Role During a Crisis

During an AI crisis, the role of the board becomes more pronounced in three key areas.

Oversight and Guidance

Boards should offer guidance on the strategic decisions made during a crisis, ensuring that they align with the organization's long-term goals and values. Additionally, directors should actively monitor the crisis response to ensure that it is effective and that corrective actions are taken promptly.

Communication

Boards play a crucial role in managing communications with key stakeholders, including investors, regulators, and the public, to maintain trust and manage reputational risk.

Review and Adaptation

Boards should lead a thorough review of the events and the effectiveness of the response after managing the crisis. Based on the insights gained, they then should advocate for necessary changes to policies and strategies to better prepare for future crises.

As AI technologies continue to evolve and integrate into business processes, the role of the board in crisis preparedness becomes increasingly complex and crucial. By actively engaging with these critical questions and overseeing the strategic responses, boards can ensure that their organizations not only survive an AI crisis but emerge stronger and more resilient. Moreover, internal audit's role is indispensable in providing the insights and assurances needed to support effective governance in the face of AI-driven challenges.

Mike Levy is CEO of Cherry Hill Advisory, a global risk advisory firm focused on corporate governance and internal audit services with a specialization in risk management concerning emerging technologies such as AI.