At a Gathering of Compliance Practitioners, No Shortage of Food for Thought

My first visit to Amsterdam, and first attendance at the ECEI in person, was a productive and enjoyable one. I flew in early to see some sights (read: see a few sights and mostly indulge my already overburdened tummy with the exceptional culinary delights the city has to offer). 

AI and greenwashing were two of the most prominent themes on the agenda, indicating what compliance officers are grappling with at the moment. In this column, I take inspiration from two of the sessions I attended and highlight some considerations in regards to AI and key performance indicators.

Compliance

A Bot Isn’t Going to Take Your Place, But AI Will Make Your Job Harder

by Jennifer L. Gaskin

March 8, 2023

OpenAI’s splashy ChatGPT rollout has generated untold amounts of text, both directly and indirectly. While much of what’s been written so far has been about creative work, which some fear will be completely upended by ChatGPT, CCI’s copy chief, Jennifer L. Gaskin, looks at how generative AI tools will change the corporate integrity landscape.

Read more

AI and compliance 

I see artificial intelligence as being akin to social media in that even if you decide that you yourself personally do not wish to partake, as a compliance officer, there’s no getting away from having close proximity to it with regard to the organization that you work for. We will ultimately need to put in place a policy and other controls to plan for artificial intelligence risk in our organizations, just as we did when it was clear that social media was here to stay.

One of my friends works for a large financial services organization that is already looking at integrating ChatGPT AI. Compliance officers need to know the time to be thinking about AI is now and be ready to step into the conversations of assessing the risk and working with the business on the parameters and limitations of ChatGPT and other AI tools.

The Artificial Intelligence Act is a law that is slated to come into force in the European Union any day now, though that process has been upended by ChatGPT. It sets out standards for organizations with regard to training on and monitoring of AI tools that it deploys. While for now this would only affect companies with EU market exposure, I anticipate it’s only a matter of time before other jurisdictions follow suit. 

Compliance officers should look to the AIA as a starting point that is likely to set the scene for what we can expect globally from a general perspective and consider now what ought to be done in your organization to put you on the front foot for the inevitable regulatory standards about to come into force. Even in the absence of regulatory requirements, I think it’s clear that with the limitations of AI, it’s simply the right thing to do to consider how we can prevent harm to individuals and our organizations when the use of AI becomes commonplace.

Here are some of the considerations that Geert Vermeulen and Tatiana Caldas-Lottiger shared at their session: “The Ethical Use of Artificial Intelligence/Machine Learning and Data Analytics”:

• Privacy and security risks: Be clear on the interaction between the Artificial Intelligence Act and other EU initiatives and regulations such as data spaces, GDPR and relevant ISO and national standards.
• How will you work to overcome biased information? (The speakers shared that one experiment showed that ChatGPT is biased towards men.)
• How will your training take into account AI collaborating with different group functions?

AI is taking shape rapidly and the capabilities are only set to grow. We need to start thinking now about how to start wrapping our compliance programs around AI, but with the knowledge that it will have to be a living initiative and we’ll need to grow and adapt our controls to accommodate the evolution of AI.

What metrics should compliance use?

Maria Lancri, Cecelia Fellouse-Gunkel and Susan du Becker spoke about “The Right KPIs to Monitor the Effectiveness of a Compliance Program.” Their topic of choice was a prudent one — everyone knows about the need for key performance indicators to set some objectivity around effectiveness, but it’s rarely chosen as a conference topic to ruminate about. 

Unsurprisingly, the team of #GWIC, (that’s Great Women in Compliance for the uninitiated) drew a strong crowd, eager to have an opportunity to discuss this subject matter as a group and hear from the expert speakers.

I thought the speakers did an excellent job of taking a step back to better help us think about the subject matter. That said some pretty common sense things that totally resonate when you hear them, but I don’t think we always turn our minds to these helpful rules when designing KPIs so I share some of the tips with you here:

• Work out what you want to measure before trying to find a tool
• KPIs measure progress/performance against quantifiable goals
• Ask yourself who is the audience for your KPIs
• Tie the KPIs to an actual goal of the compliance program
• Decide on what is nice to have vs must have (keep in mind relevance and being risk-based)
• Seek to collect a set of data that you can measure year on year
• Consider using traffic light visuals to quickly signal info — this is especially good if you can show improvement year on year
• Don’t forget about third parties — whatever you do internally, think about how you can make it flow down to your third parties.

KPIs have been on compliance’s radar for a long time. It would behoove us to be true to our monitoring and review practices to turn our minds to our KPIs, and with the guidance given above, consider whether our KPIs need a refresh. Susan, Cecelia and Maria also urge us not to forget about KRIs, which are key risk indicators. KRIs measure the extent to which an activity is risky.

My first ECEI was a self-declared raging success. I loved how interactive the audience was with the speakers in all of the sessions, and as you can see from this piece, and I garnered a lot of food for thought in addition to the pleasure of meeting and catching up with fellow compliance practitioners seeking to help our colleagues with their ethical decision-making. If you’re interested in attending yourself, the next installment of this conference will be once again at Hotel Okura in Amsterdam in March 2024.