Committee Governance Assessment

We welcome all feedback and recommendations for improvement.

OVERVIEW

KS OWNER – Alice Rangel Teixeira & Sundar Narayanan
KS DEPUTY – n/a
LAST UPDATED – 2023-05-11


Overview

The Committee Governance Assessment (CGA) is an overarching review of all interactions between risk management and compliance functions, intended to ensure that there are no gaps or silos in risk mitigation or in meeting regulatory requirements. The assessment examines the interaction between committees to ensure that each committee receives all the knowledge and outputs it needs for its own compliance, and for the organisation's overall compliance with the Independent Audit of AI Systems criteria. Within the ForHumanity Risk Management framework, the CGA is the primary oversight mechanism: it reviews the second line of defence and is conducted by the third line of defence.

 


Definitions

 

Risk Management Process

The process involving the systematic application of policies, procedures and practices to the activities of communicating and consulting, establishing the context and assessing, treating, monitoring, reviewing, recording and reporting risk with reference to data processing and AI, algorithmic or autonomous systems. 

cAIRE 

Comprehensive Artificial Intelligence Risk Evaluation report, comprising all risk inputs, risk mitigations and residual risks gathered from any of the following reports: Algorithm Risk Assessment, Systemic Societal Impact analysis, TEC At-Risk Report, Ethical Risk Assessment, Committee Governance Assessment (CGA). Residual Risk that cannot be mitigated shall be disclosed. The cAIRE report shall establish within itself the frequency for automatic reassessment where not defined by one of the underlying assessments.

CGA

Committee Governance Assessment, an analysis and designation of accountability, oversight and responsibility for committees (Ethics Committee, Algorithm Risk Committee, and specialty committees such as the Children’s Data Oversight Committee), designated individuals (per a Duty Designation Letter), the Chief Executive Officer and the Board of Directors for any/all risk associated with an AI, algorithmic or autonomous system including duties associated with compliance with audit criteria.

Residual Risk

Unmitigated risk after risk treatment pertaining to a specific risk input or the aggregation of all untreated risk in an AI, algorithmic or autonomous system.



Context

ForHumanity’s Risk Management Framework covers Governance, Risk Management and Compliance with Ethics, Bias, Privacy, Trust and Cybersecurity as key pillars. 

 

This Framework and its process have two primary objectives:

  1. Maximising the mitigation of risk

  2. Fairly, accurately and transparently displaying Residual Risk for natural persons impacted by AI, algorithmic and autonomous systems. 

 

AI, algorithmic, and autonomous (AAA) systems are socio-technical systems that present many risk categories beyond traditional enterprise ones. These systems impact individuals, society, and the environment in different ways, creating unique, specialised, and multidisciplinary challenges. 

These challenges are addressed in the operational Risk Management process by duly designated teams of experts who are trained to understand specific, multidisciplinary risks. Each duly designated team forms a committee with a specific role and expertise.

The operational process is located in the Functional Risk Management of ForHumanity's Risk Management Framework and presents three layers of defence to maximise risk mitigation. Committee Governance is the third of these layers and the last before Internal Audit.

The Committee Governance Assessment (CGA) is designed to examine the interrelationships between committees, experts, specialty committees and the front-line design, development and data science teams for AI, algorithmic and autonomous (AAA) systems. The report is produced by Operational Risk Management, which reviews and has oversight of the committees that are formed, and it is included in the comprehensive AI Risk Evaluation (cAIRE) report, which collects the outputs and Residual Risks from all of the aforementioned analyses.

Importance

Each committee and its associated risk assessment is insular: it is self-contained within its own governance and oversight structure. By design, this arrangement limits the risk of missed assignments or miscommunication about accountability and responsibility. However, in multidisciplinary, socio-technical systems such as AAA systems, interrelationships between committees are unavoidable. The CGA is designed to examine, analyse, track and record the interfaces between committees.

Operations

A critical objective of the CGA is to close all gaps and eliminate miscommunication in the management of risk for AAA systems. To achieve this, the report covers the following:

  1. Logging all duties, responsibilities and accountabilities for a specific AAA System and keeping it current

  2. Tracking all Duty Designation Letters

  3. Tracking all specialty committees

  4. Identifying gaps, inconsistencies or issues in the alignment of the specific committees and Duty Designation Letters with their respective mandates.

  5. Identifying all audit criteria that transit from one committee or duly designated officer to another committee or duly designated officer.

  6. Identifying cross-communications, sharing of risk inputs and consultations with specific committees (including the Ethics Committee or the Children's Data Oversight Committee), and any gaps that exist in those communications or interactions.

  7. Considering, as the third line of defence and in consultation with the Ethics Committee, any inadequacies in the diversity or inclusion of adequately and appropriately skilled resources on the committees.

  8. Validating that an adequate process exists to ensure that all risk treatments and Residual Risks, regardless of the source risk assessment, are logged, deployed and collected for the cAIRE report.

  9. Identifying Residual Risk per the organisation's procedures and then, if duly designated, examining and analysing external risk treatment options and deploying mitigations documented with Traceability.

  10. Identifying any process gaps, inefficiencies or delays in remedial actions or Residual Risk management on the part of committees.

  11. Validating that an adequate procedure exists for adjudicating interactions and potential conflicts between two or more specialty committees (e.g., the Algorithmic Risk Committee and the Ethics Committee).

 

Template

Forthcoming

 

Questions and Answers

Question: Who has ownership of the CGA?
Answer: Operational Risk Management

Question: How often should a CGA be produced?
Answer: Quarterly, or as determined by Operational Risk Management

Question: Who reviews the CGA?
Answer: The CGA is reviewed as part of the cAIRE report

 

Linked Knowledge Stores and Content

Content Type: BoK
Content Description and Link: ForHumanity AI Risk Management Framework