Board oversight of algorithmic risk
As published in 'NACD Directorship' magazine, November/December 2017
By Dilip Krishna and Bob Lamm
Directors have long had oversight responsibility for risk, including risks from emerging technologies. One such risk that has not received much attention to date—other than specific focus on predictive models—is algorithmic risk.
Algorithms are processes or sequences of instructions used to analyze data, solve problems, and perform tasks. For example, when you make an online purchase, algorithms commonly record your purchase and develop recommendations for other things you may want to buy from the online retailer. The ever-growing use of increasingly complex and sophisticated intelligent algorithms (especially with the use of adaptive techniques like machine or deep learning) may have positive impacts across functions and industries, but could adversely affect a company in many ways, ranging from brand and reputation damage to financial and regulatory concerns.
When algorithms go wrong
Algorithms can increase performance by automating existing processes and tackling new activities previously not feasible using manual processes. However, algorithms can, and do, go wrong, and can have serious and wide-ranging adverse effects when they do. In the example above—where an online purchase generates algorithmic recommendations for additional purchases—an offensive recommendation could result in the loss of customer loyalty or market share in the future. Multiply that across a class of customers and there is the potential for a business meltdown.
The type and nature of algorithmic risks depend upon an entity's nature, size, industry, and other factors. Algorithmic risk can impact diverse areas, including finance, sales and marketing, operations, risk management, information technology (IT), and human resources. Illustrative risks include:
- Finance—inaccurate financial reporting; flawed financial and strategic decisions
- Sales and marketing—targeted campaigns not appropriately directed
- Operations—product safety and quality; supply chain problems
- Risk management—missing detection of significant risks
- Information technology—inadequate business continuity planning; breakdown of IT systems
- Human resources—discrimination in hiring or performance management.
Challenges for the board
While the challenges involved in board oversight of algorithmic risk can be formidable, the board should consider an approach similar to those used to address other technology risks.
Directors may not be aware of or familiar with algorithms and their use within the company. Therefore, the first step for the board could be to develop a knowledge base of how algorithms are used and reviewed in the organization, the potential impacts if the algorithms go wrong, and whether any have functioned improperly. The board should also be aware of who oversees the use of algorithms and related risks at the company.
The board should work with management to establish a risk appetite for algorithms, enabling their use without exposing the company to excessive vulnerability.
The board and management should determine the appropriate levels of algorithmic risk and whether certain areas merit specific focus. Algorithmic risk needs to be considered in a wide range of scenarios, from new product launches to acquisitions.
The board should determine the cadence of algorithmic risk review needed, based on the agreed-upon risk appetite and focus.
Intelligent algorithms offer many potential benefits. However, these benefits could be diminished or completely negated by risks associated with the use of algorithms—risks that are likely to grow unless organizations develop processes to address algorithmic risk, including an appropriate level of board oversight.