<![CDATA[Obligations of board toward AI risk]]>Hi RiskBowl

A question I’m getting a lot at the moment is about obligations and accountabilities towards AI from an Executive and Board level. I’ve given a lot of generic advice about augmenting boards with skills, standardising KPIs to risk levels, having a clear sense of direction for strategy, and avoiding conflict of interest, but keen to hear thoughts or experiences please

e.g.,

  • Given C-Suite are not expected to be specialists in AI, how do they remain accountable for its oversight?
  • How could a regulator test this?
  • What is the best approach to monitoring AI risks, given there’s no real progress towards straightforward KPIs in most cases?
  • How much knowledge should executives have, both for managing AI risk and overcoming resistance to innovation?
]]>https://riskbowl.owex.oliverwyman.com/topic/58/obligations-of-board-toward-ai-riskRSS for NodeFri, 06 Mar 2026 00:03:33 GMTWed, 11 Dec 2024 10:14:32 GMT60<![CDATA[Reply to Obligations of board toward AI risk on Wed, 11 Dec 2024 10:16:44 GMT]]>Very good questions. I’ve come across this as well on operational resilience and
cyber, where the challenges are similar

Some thoughts on this (also with the ex-regulator hat on):

  • Management bodies should acknowledge the challenge and be thoughtful around
    how to address this, e.g. through training; reporting; succession planning
    etc.
  • We recently heard from a regulator that they were worried that sometimes
    these topics are ‘outsourced’ to one person on the exec/ Board who
    understands it, whereas they are looking for broader skills and knowledge in
    the group. Again I think this is important to acknowledge, including the fact
    that building those muscles take time
  • In terms of ‘evidencing’ appropriate oversight and challenge by the Board,
    when supervisors look at meeting minutes they would expect to see critical
    questions being asked and a level of discussion (rather than the Board just
    ‘noting’ things)
  • The quality of the materials and reports being presented to the Board is very
    important, both data, but also someone bringing out the ‘so what’ and in
    particular where there are areas of judgement and uncertainty, and where
    there are trade-offs
]]>https://riskbowl.owex.oliverwyman.com/post/115https://riskbowl.owex.oliverwyman.com/post/115Wed, 11 Dec 2024 10:16:44 GMT<![CDATA[Reply to Obligations of board toward AI risk on Wed, 11 Dec 2024 10:16:11 GMT]]>I’d have thought Model Risk, IRB and IFRS 9 may be good templates in terms of expectations for senior management understanding of models

Likewise, I wonder whether we feel things like BCBS239 and GDPR are also good bases for expectations around understanding of underlying data sources and uses? Of course, execs and boards will need to more specific training around the more complex AI models

]]>https://riskbowl.owex.oliverwyman.com/post/114https://riskbowl.owex.oliverwyman.com/post/114Wed, 11 Dec 2024 10:16:11 GMT