OVERVIEW
KS OWNER – Alice Rangel Teixeira & Sundar Narayanan
KS DEPUTY –
LAST UPDATED – May, 2023
Committee Governance Assessment
Overview
The Committee Governance Assessment (CGA) is an overarching review of all interactions between risk management and compliance functions, intended to ensure that there are no gaps or silos in risk mitigation or in meeting regulatory requirements. The assessment examines the interaction between committees to ensure that each one receives all the knowledge and outputs required for its own compliance and for overall compliance with the Independent Audit of AI Systems criteria. The CGA is the primary oversight mechanism: it reviews the second line of defence and is conducted by the third line of defence in the ForHumanity Risk Management framework.
| KS Owner | Alice Rangel Teixeira & Sundar Narayanan |
| KS Deputy | n/a |
| Last Updated | 2023-05-11 |
Definitions
| Term | Definition |
|---|---|
| Risk Management Process | The process involving the systematic application of policies, procedures and practices to the activities of communicating and consulting, establishing the context and assessing, treating, monitoring, reviewing, recording and reporting risk with reference to data processing and AI, algorithmic or autonomous systems. |
| cAIRE | Comprehensive Artificial Intelligence Risk Evaluation report, comprising all risk inputs, risk mitigations and residual risks gathered from any of the following reports: Algorithm Risk Assessment, Systemic Societal Impact analysis, TEC At-Risk Report, Ethical Risk Assessment, Committee Governance Assessment (CGA). Residual Risk that cannot be mitigated shall be disclosed. The cAIRE report shall establish within itself the frequency for automatic reassessment where not defined by one of the underlying assessments. |
| CGA | Committee Governance Assessment, an analysis and designation of accountability, oversight and responsibility for committees (Ethics Committee, Algorithm Risk Committee, and specialty committees such as the Children’s Data Oversight Committee), designated individuals (per a Duty Designation Letter), the Chief Executive Officer and the Board of Directors for any/all risk associated with an AI, algorithmic or autonomous system, including duties associated with compliance with audit criteria. |
| Residual Risk | Unmitigated risk after risk treatment pertaining to a specific risk input, or the aggregation of all untreated risk in an AI, algorithmic or autonomous system. |
Context
ForHumanity’s Risk Management Framework covers Governance, Risk Management and Compliance with Ethics, Bias, Privacy, Trust and Cybersecurity as key pillars.
This Framework and process has two primary objectives:
- Maximising the mitigation of risk
- Fairly, accurately and transparently displaying Residual Risk for natural persons impacted by AI, algorithmic and autonomous systems.
AI, algorithmic, and autonomous (AAA) systems are socio-technical systems that present many risk categories beyond traditional enterprise ones. These systems impact individuals, society, and the environment in different ways, creating unique, specialised, and multidisciplinary challenges.
These challenges are addressed in the operational process of Risk Management by duly designated teams of experts who are trained in understanding specific and multidisciplinary risks. Each duly designated team forms a committee with a specific role and expertise.
The operational process is localised in the Functional Risk Management of ForHumanity’s Risk Management Framework, and presents three layers of defence to maximise Risk Mitigation. The Committee Governance is the third and the second-to-last layer of defence, coming before the Internal Audit.
The Committee Governance Assessment (CGA) is designed to examine the interrelationships between committees, experts, specialty committees and the front-line design, development and data science teams for AI, Algorithmic and Autonomous (AAA) Systems. The report is produced by Operational Risk Management, which is able to review and has oversight of the committees that are formed, and it is included in the comprehensive AI Risk Evaluation (cAIRE) report that collects all outputs and Residual Risks from the aforementioned analyses.
Importance
Each of the committees and associated risk assessments is insular, meaning they are self-contained within the governance and oversight structures. Under this arrangement, by design, there is limited risk of missed assignments or miscommunications on accountability and responsibility. However, interrelationships in multi-disciplinary, socio-technical systems like AAA systems are unavoidable. The CGA is designed to examine, analyse, track and record the interfaces between committees.
Operations
A critical objective of the CGA is to fill all gaps and eliminate miscommunications in the management of risk for AAA systems. To achieve this, the report covers the following:
- Logging all duties, responsibilities and accountabilities for a specific AAA System and keeping the log current
- Tracking all Duty Designation Letters
- Tracking all specialty committees
- Identifying gaps, inconsistencies or issues associated with alignment to the mandates of the specific committees / duty designation letters
- Identifying all audit criteria that transit from one committee or duly designated officer to another committee or duly designated officer
- Identifying cross-communications, sharing of risk inputs and consultations with specific committees, including the Ethics Committee or the Children’s Data Oversight Committee, and any gaps that exist in such communications or interactions
- Consultation by the third line of defence with the Ethics Committee to consider inadequacies in the diversity or inclusion of adequate or appropriately skilled resources in the committees
- Validating the existence of an adequate process to ensure that all risk treatments and Residual Risks, regardless of the source risk assessment, are logged, deployed and collected for the cAIRE report
- Identifying Residual Risk per organisation procedures and then, if duly designated, examining and analysing external risk treatment options and deploying mitigations documented with Traceability
- Identifying process gaps, inefficiencies or delays in remedial actions / Residual Risk management on the part of committees, if any arise from the process
- Validating the existence of an adequate procedure for adjudicating interactions and potential conflicts between two or more specialty committees (e.g., the Algorithmic Risk Committee and the Ethics Committee)
Template
Forthcoming
Linked Knowledge Stores and Content
| Question | Answer |
|---|---|
| Who has ownership of the CGA? | Operational Risk Management |
| How often should a CGA be produced? | Quarterly, or as determined by Operational Risk Management |
| Who reviews the CGA? | The CGA is reviewed in the cAIRE report |
| Content Type | Content Description and Link |
|---|---|
| BoK | |