Chapter 5 AI Solutions for Risk – Artificial Intelligence for Risk Management

CHAPTER 5

AI Solutions for Risk

  • Definition of AI solutions or risk
  • Project plan
    • Define the business case
    • Current state of risk
    • Proposed goal state
  • Going into AI/ML in-depth
  • Proposed AI/ML risk processes
    • Identify risk or threat model
    • Risk categorization/classification model
    • Predicting risk-impact model
    • Risk-probability occurrence model
    • Risk priority model
    • Root cause analytics/analysis
    • Risk mitigation strategy recommendation
    • Risk-contingency recommendation
    • Risk monitoring and corrective action

Chapter Outline

  • How to handle the AI/ML model for risk problems?

Key Learning Points

  • Learn and understand how AI/ML applies to risk areas
  • Data preparation for
    • Input
    • Output
    • Training data
    • Validation data
  • Evaluate different algorithms

Purpose

To create machine learning (ML)/artificial intelligence (AI) solutions to risk management.

Background

An organization will face many risk issues that need to be resolved in a timely manner. Risk is becoming a bigger problem because of the large volume of data, the variety of risks, and challenges on new types of risk. To resolve risk manually takes a long time and large teams; thus, ML/AI solutions will be helpful to risk analysts.

  • Problem statement
  • Identify the risk or threat model
  • Risk categorization/classification model
  • Predicting the risk-impact model
  • Risk-probability occurrence model
  • Risk priority model
  • Root cause analytics/analysis
  • Risk mitigation strategy recommendation
  • Risk-contingency recommendation
  • Conclusion

First let us define a project plan. Here is the project plan.

Define the Project Plan

Background

Develop an AI system that can be referenced in the AI and Risk Book. Developing the AI system will provide proof of concept and proof of value over the traditional approach of a manually applied risk process. So far, no standard AI mitigation system can handle risk issues. Many innovative devices include Internet of Things, robotics, and sensors.

Goals

  • Show that ideas mentioned in the book work.
  • Show that using AI algorithms are useful and work.
  • Select appropriate algorithms that can yield correct results.
  • Show that similar AI systems can be developed using appropriate algorithms.

Scope

Design and build an AI system that will gear toward mitigation for risk. The AI will not consider areas that do not have anything to do with risk mitigation.

Key Stakeholders


Potential readers

Corporation resources

Absolut-e

Resources

Project manager

Archie

Project team members

Muthu, Venkat, Srini, additional Absolut-e Resources


Project Milestones

  • Define AI system requirements
  • High-level AI design
  • Detail AI design
  • Research
  • Data collection
  • Proof of value and proof concept write-ups (outputs)

Project Budget

Absolut-e Data com Inc will absorb the project budget expenses.

Risk

Constraints, Assumptions, Risks, and Dependencies


Constraints

Absolut-e is developing the AI system, but would not show every detailed part of the system. However, it would ensure the system works well.

Assumptions

The system will work well, considering risk requirements. Business cases will be used for the development of the AI system.

Risks and dependencies

The system may not work as required. The system will depend on appropriate specified requirements and subsequent design. If appropriate data are not collected correctly, the outcome of the system could give false results.


Define Business Case

A corporation wants to create a new innovative product.

Purpose

To yield an AI system for risk mitigation based on the corporation’s point of view.

Current State of Risk Process

Now, it is necessary to ensure that possible risks are identified to save time and money.

Initially, the team needs to meet to develop the necessary risks to ensure the risks are annotated properly and accurately. A Risk Register will be used as one of the main artifacts.

Proposed Goal State Process

Here are the AI/ML models proposed to be in the goal state of the risk process:

  1. Identify the risk or threat model.
  2. Risk categorization/classification model.
  3. Predict the risk-impact model.
  4. Risk-probability-occurrence model.
  5. Risk priority model.
  6. Root cause analytics/analysis—not covered in this book.
  7. Risk mitigation strategy recommendation—not covered in this book.
  8. Risk-contingency recommendation—not covered in this book.
  9. Risk monitoring and corrective action—not covered in this book (see Figure 5.1).

Figure 5.1 ML/AI risk process

AI/ML Risk Processes

Let us go over each of the proposed AI/ML risk processes with high-level steps.

  1. Identify the risk or threat model:
    • Define the goal of the ML/AI model for risk identification.
    • Collect risk data.
    • Design an algorithm for the threat model.
    • Train the threat model.
    • Test the threat model.
    • Evaluate the threat model.
    • Publish/produce the threat model.
  2. Risk categorization/classification model:
    • Define the goal of the model for risk categorization.
    • Collect the risk category and risk data.
    • Select and use the classification algorithm.
    • Train the classification model.
    • Test the classification model.
    • Evaluate the classification model.
    • Publish/produce the classification model.
  3. Predicting the risk-impact model:
    • Define the goal of the model for predicting risk impact.
    • Collect risk-impact data from historical occurrences or from an expert.
    • Design an algorithm to predict the risk-impact model.
    • Train the risk-impact model.
    • Test the risk-impact model.
    • Evaluate the risk-impact model.
    • Publish/produce the risk-impact model.
  4. Risk-probability occurrence model:
    • Define the goal of the model for risk-probability impact.
    • Collect risk-probability data from historical occurrences or from an expert.
    • Design an algorithm for the prediction of risk-probability occurrence.
    • Train the risk-probability-occurrence model.
    • Test the risk-probability-occurrence model.
    • Evaluate the risk-probability-occurrence model.
    • Publish/produce the risk-probability-occurrence model.
  5. Risk priority model:
    • Define the goal of the model for risk priority.
    • Calculate data for risk priority.
    • Design an algorithm for the prediction of the risk priority model.
    • Train the risk priority model.
    • Test the risk priority model.
    • Evaluate the risk priority model.
    • Publish/produce the risk priority model.
  6. Root cause analytics/analysis:
    • Determine the root cause of the identified risk and the analytics/analysis that will be used.
  7. Risk mitigation strategy recommendation:
    • Determine risk mitigation recommendations that may be used, based on the identified risk.
    • Risk-contingency recommendation.
    • Determine the risk-contingency recommendation that will be used, based on the risk type and category.

Risk Process Life Cycle

The risk process life cycle follows processes in the current environment and as part of AI solutions for risk. Let us use the same steps to get the input, output, tools, and techniques by applying ML/AI approaches.

Plan

For planning, the ML/AI approach is not considered.

Input:

  • Charter
  • Management plan
  • Risk supporting documents
  • Industry policy and standards
  • Technology policy and standards
  • Risk policy and standards
  • Organization rules, regulations, and policy
  • Datasets

Tools and techniques:

  • Human expertise
  • Data analysis
  • Meetings and collaboration

Output:

  • Risk plan

Identify

  • To identify, the ML/AI approach is considered in the risk identification/threat model.

Input:

  • Management plan
  • Risk supporting documents
  • Industry policy and standards
  • Technology policy and standards
  • Risk policy and standards
  • Organization rules, regulations, and policy
  • ISO risk standards 31000
  • Dataset

Tools and techniques:

  • Human expertise
  • Data gathering
  • Data analysis
  • Meetings and collaboration
  • Skills and scoring model
  • Classification models
  • Probabilistic model
  • ML and AI models

Output:

  • Risk Register
  • Risk Report

Qualify

To qualify, the ML/AI approach is considered in the risk categorization/classification model to predict the risk-impact score and the risk-probability-occurrence score.

Input:

  • Management plan
  • Risk supporting documents
  • Industry policy and standards
  • Technology policy and standards
  • Risk policy and standards
  • Organization rules, regulations, and policy
  • ISO Risk standards 31000
  • Dataset
  • Risk Register

Tools and techniques:

  • Human expertise
  • Data gathering
  • Data analysis
  • Meetings and collaboration
  • Skills and scoring model
  • Classification models
  • Probabilistic model
  • AI models

Output:

  • Risk policy

Quantify

To quantify, the ML/AI approach is considered in the risk categorization/classification model, to predict the risk-impact score, and the risk-probability-occurrence score.

Input:

  • Management plan
  • Risk supporting documents
  • Industry policy and standards
  • Technology policy and standards
  • Risk policy and standards
  • Organization rules, regulations, and policy
  • ISO Risk standards 31000
  • Dataset
  • Risk Register
  • Risk Report
  • Risk policy

Tools and techniques:

  • Human expertise
  • Data gathering
  • Data analysis
  • Meetings and collaboration
  • Skills and scoring model
  • Classification models
  • Probabilistic model
  • AI models

Output:

  • Risk policy

Respond

To respond, the ML/AI approach is considered in risk mitigation strategy recommendations and risk-contingency recommendations.

Input:

  • Management plan
  • Risk supporting documents
  • Industry policy and standards
  • Technology policy and standards
  • Risk policy and standards
  • Organization rules, regulations, and policy
  • ISO risk standards 31000
  • Dataset
  • Risk Register
  • Risk Report
  • Risk policy
  • Data of risk strategies for threats
  • Data of risk strategies for opportunities
  • Data of risk strategies for contingent response
  • Data of strategies for overall risk

Tools and techniques:

  • Human expertise
  • Data gathering
  • Data analysis
  • Meetings and collaboration
  • Skills and scoring model
  • Strategies for threats
  • Strategies for opportunities
  • Strategies for contingent response
  • Strategies for overall risk
  • Classification models
  • Probabilistic model
  • ML/AI models
  • Strategies-recommendation AI model
  • Decision-making process

Output:

  • Strategies recommendation
  • Decision recommendation
  • Human takeover

Implement

For implementation, the ML/AI approach is considered in all ML/AI solutions to integrate with the application the business user can use directly.

Input:

  • Management plan
  • Risk supporting documents
  • Industry policy and standards
  • Technology policy and standards
  • Risk policy and standards
  • Organization rules, regulations, and policy
  • ISO Risk standards 31000
  • Dataset
  • Risk Register
  • Risk Report
  • Risk policy
  • Data of risk strategies for threats
  • Data of risk strategies for opportunities
  • Data of risk strategies for contingent response
  • Data of strategies for overall risk
  • Respond to process outputs
    • Strategies recommendations
    • Decision recommendations

Tools and techniques:

  • Human expertise
  • Data gathering
  • Data analysis
  • Meetings and collaboration
  • Skills and scoring model
  • Strategies for threats
  • Strategies for opportunities
  • Strategies for contingent response
  • Strategies for overall risk
  • Classification models
  • Probabilistic model
  • ML/AI models
  • Strategies recommendation AI model
  • Decision-making process

Output:

  • Strategies recommendations
  • Decision recommendations
  • Implementation recommendations
  • Human takeover

Monitor and Control

To monitor and control, ML/AI approaches are considered regular data analytics and monitoring through dashboards and scorecards. These scorecards will be used as input to the ML/AI model to mitigate the risk [Note: This is a visionary approach to be automated through the ML/AI approach.].

Input:

  • Management plan
  • Risk supporting documents
  • Industry policy and standards
  • Technology policy and standards
  • Risk policy and standards
  • Organization rules, regulations, and policy
  • ISO Risk standards 31000
  • Dataset
  • Risk Register
  • Risk Report
  • Risk policy
  • Work-performance data
  • Work-performance reports

Tools and techniques:

  • Human expertise
  • Data gathering
  • Data analysis
  • Meetings and collaboration
  • Skills and scoring model
  • Strategies for threats
  • Strategies for opportunities
  • Strategies for contingent response
  • Strategies for overall risk
  • Classification models
  • Probabilistic model
  • ML/AI models
  • Strategies recommendation AI model
  • Decision-making process
  • Audits
  • Anomaly detections

Output:

  • Audits report
  • Anomaly detections report
  • Notification
  • Human takeover

Data Collection

Overall data collection steps taken to achieve this using the existing PMBOK risk process and other risk standard processes.

Risk Register—Data Sample

General information for capturing risks follow:

Risk name: the risk name for each risk must be unique to properly help with analysis.

Open/closed risk status: Open risks are active risks that may occur. Closed risks are those risks that are no longer active, based on risk response or other factors or measures taken. Closed risks may contain important information and should not be deleted from the Risk Register. For this reason, risks should have been deleted.

Risks, issues, lessons learned: Risks are events that may or may not occur and have a probability between 0.0 and 1.0. Issues are events that have already occurred and require a response. Lessons learned are events that occurred in the past and have a history associated with them. It is important to note that inserting new records to the Risk Register may tend to be a risk.

Note that the risk statement, objectives, assumption, cause, and trigger contain textual information about risks, and this can be used in reporting.

Risk mitigation strategy: Such a strategy is required for every identified risk. Mitigation strategies should be entered for positive and negative risks. It is important that the impact and probability are entered.

Risk start and end dates should be entered that show the risk active period.

Risk ID should be added to the Risk Register to provide the uniqueness of the risk.

Note: All columns of the Risk Register should be considered.

Risk Matrix and Risk Trend Chart

Risk matrix and risk trend views are used to determine the severity of a risk and to analyze how risks are changing over time.

The risk matrix is a tool that determines the severity of a risk. The risk matrix view shows severity using risk probability with calculated risk impact of the project risks. The risk matrix view has two sections: a table with a list of risks and their actual calculated values for probability, impact, and score. The table puts each risk into the context of the organization’s risk threshold or tolerance.

The risk trend illustrates how project risk changes over time. Risk trend can be presented using a bar chart, stack-area chart, or in a table format.

Risk history illustrates the probability and impact of individual risk and how it has changed over time.

Data Sample

A list of data samples follows:

  • Assumption log
  • Issue log
  • Risk Register
  • Duration estimates
  • Lessons Learned Register
  • Requirements documentation
  • Stakeholder Register
  • Activity attributes
  • Activity lists
  • Basis of estimates
  • Change log
  • Cost estimates
  • Cost forecasts
  • Milestone list
  • Physical resource list
  • Project calendars
  • Project communications
  • Project schedule
  • Project schedule network diagram
  • Project scope statement
  • Project team assignments
  • Quality control measurements
  • Quality metrics
  • Quality report
  • Requirement documentation
  • Requirement traceability matrix
  • Resource breakdown structure
  • Risk Register
  • Risk Report
  • Schedule data
  • Schedule forecasts
  • Test and evaluation documents
  • Team charter
  • Work breakdown structure

In forthcoming chapters, we explain each of the previous risk ­processes in detail to show how AI can be applied.