Committee Governance Assessment

We welcome all feedback and recommendations for improvement.

OVERVIEW

KS OWNER – Alice Rangel Teixeira & Sundar Narayanan
KS DEPUTY –
LAST UPDATED – May, 2023

Committee Governance Assessment

Overview

The Committee Governance Assessment (CGA) is an overarching review of all interactions of risk management and compliance functions to ensure that there are no gaps or silos in terms of risk mitigation and regulatory requirements. This assessment examines the interaction between committees to ensure that each one receives all necessary knowledge and outputs required for their own compliance and the overall compliance with Independent Audit of AI Systems criteria. The Committee Governance Assessment is the primary oversight, it reviews the second line of defence and it is conducted by the third line of defence in the ForHumanity Risk Management framework.

KS Owner	Alice Rangel Teixeira & Sundar Narayanan
KS Deputy	n/a
Last Updated	2023-05-11

Definitions

Risk Management Process	The process involving the systematic application of policies, procedures and practices to the activities of communicating and consulting, establishing the context and assessing, treating, monitoring, reviewing, recording and reporting risk with reference to data processing and AI, algorithmic or autonomous systems.
cAIRE	Comprehensive Artificial Intelligence Risk Evaluation report, comprising all risk inputs, risk mitigations and residual risks gathered from any of the following reports: Algorithm Risk Assessment, Systemic Societal Impact analysis, TEC At-Risk Report, Ethical Risk Assessment, Committee Governance Assessment (CGA). Residual Risk that cannot be mitigated shall be disclosed. The cAIRE report shall establish within itself the frequency for automatic reassessment where not defined by one of the underlying assessments.
CGA	Committee Governance Assessment, an analysis and designation of accountability, oversight and responsibility for committees (Ethics Committee, Algorithm Risk Committee, and specialty committees such as the Children’s Data Oversight Committee), designated individuals (per a Duty Designation Letter), the Chief Executive Officer and the Board of Directors for any/all risk associated with an AI, algorithmic or autonomous system including duties associated with compliance with audit criteria.
Residual Risk	Unmitigated risk after risk treatment pertaining to a specific risk input or the aggregation of all untreated risk in an AI, algorithmic or autonomous system.

Context

ForHumanity’s Risk Management Framework covers Governance, Risk Management and Compliance with Ethics, Bias, Privacy, Trust and Cybersecurity as key pillars.

This Framework and process has two primary objectives:

Maximising the mitigation of risk
Fairly, accurately and transparently displaying Residual Risk for natural persons impacted by AI, algorithmic and autonomous systems.

AI, algorithmic, and autonomous (AAA) systems are socio-technical systems that present many risk categories beyond traditional enterprise ones. These systems impact individuals, society, and the environment in different ways, creating unique, specialised, and multidisciplinary challenges.

These challenges are addressed in the operational process of Risk Management by duly designated teams of experts who are trained in understanding specific and multidisciplinary risks. Each duly designated team forms a committee with a specific role and expertise.

The operational process is localised in the Functional Risk Management of ForHumanity’s Risk Management Framework, and presents three layers of defence to maximise Risk Mitigation. The Committee Governance is the third and the second-to-last layer of defence, coming before the Internal Audit.

The Committee Governance Assessment (CGA) is designed to examine the interrelationship between committees, experts, specialty committees, front-line design-development-data science teams for AI, Algorithmic and Autonomous (AAA) Systems. This report is done by the Operational Risk Management, who are able to review and have oversight on the Committees that are formed, and is included in the comprehensive AI Risk Evaluation (cAIRE) report that collects all outputs from the aforementioned analyses and Residual Risks.

Importance

Each of the committees and associated risk assessments is insular, meaning they are self-contained within the governance and oversight structures. Under this arrangement, by design, there is limited risk of missed assignments or miscommunications on accountability and responsibility. However, interrelationships in multi-disciplinary, socio-technical systems like AAA systems are unavoidable. The CGA is designed to examine, analyse, track and record the interfaces between committees.

Operations

A critical objective of the CGA is to fill all gaps and eliminate miscommunications in the management of risk for AAA systems. To achieve this, the report covers the following:

Logging all duties, responsibilities and accountabilities for a specific AAA System and keeping it current
Tracking all Duty Designation Letters
Tracking all specialty committees
Identifying gaps, inconsistencies or issues associated with the alignment to the mandates for the specific committees/ duty designation letters.
Identifying all audit criteria that transit from one committee or duly designated officer to another committee or duly designated officer
Identifying cross communications, sharing of risk inputs, consultations with specific committees including Ethics Committee or Children’s Data Oversight Committee and gaps that exists in such communications or interactions
Third line of defence in consultation with the Ethics Committee to consider Inadequacies associated with the diversity or inclusion of adequate or appropriately skilled resources in the committees
Validating the existence of an adequate process to ensure that all risk treatments and Residual Risks, regardless of the source risk assessments, are logged, deployed and collected for the cAIRE report.
Identifying Residual Risk per organisation procedures, and then, if duly designated examining and analysing external risk treatment options, and deploying mitigations documented with Traceability.
Process gaps, inefficiencies, delays in remedial actions / residual risk management on part of committees if any arising from the process.
Validating the existence of an adequate procedure for adjudicating interactions and potential conflicts between two or more specialty committees (e.g., Algorithmic Risk Committee and the Ethics Committee)

Template

Forthcoming

Linked Knowledge Stores and Content

Question	Answer
Who has ownership of the CGA?	Operational Risk Management
How often should a CGA be produced?	Quarterly or as determined by the Operational Risk Management
Who reviews the CGA?	The CGA is reviewed in the cAIRE report

Linked Knowledge Stores and Content

Content Type	Content Description and Link
BoK	ForHumanity AI Risk Management Framework

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.