Can you assess AI risk?

There is a revolution today regarding artificial intelligence with hot topics like deep learning, predictive neural nets, big data, the digital organization and other technologies and techniques on the business analysis and analytics horizon. While organizations are rushing to take advantage of the accelerating AI capabilities, there is little published about the organization’s value side of the AI use equation. AI must be thought through and planned like any other organization effort. Like building business applications, AI is a business organization project that is very technical in nature.

The orderly inclusion of AI into planning is at best very fragmented. AI is not yet mature enough to the point of careful assessment of value to the organization. This is the result of early applications of AI to very specific uses such as stock market analysis and analysis of consumer behavior. Linking issues or problems to an AI solution requires understanding of both the organization and the AI technology.

Planning for inclusion of AI into the organization capabilities can be handled in an orderly and beneficial fashion with a little planning effort. AI efforts should link to organization initiatives which in turn are linked to strategic missions or objectives. They can be integrated into the organization planning process from a strategic level down to the operational level. They can also be linked to any of the management models used today such as balanced scorecard, value chain, value-based management and any of the 65+ other management models used today.

In any case, the capability to effectively integrate AI into an organization follows the same path as inclusion of any new technology. It starts with awareness of the technology, proliferating that awareness, identifying some early use cases for AI, integrating that into the planning cycle and identifying the risk associated with the technology.

AI technology is changing at a fast rate. Organizations are now in various stages of managing their AI interests. Some organizations are just entering the awareness stage while others are charging ahead and starting projects based on applications that have appeared in publications with hope of some type of success.

An approach to assessing AI project risk

As part of both strategic and operational planning, there is a point where the risk of the organizational value of the project(s) is assessed. Governing risk is critical to the nurturing of a new technology in an organization. For each project, key factors must be identified.

For the risk assessment to be useful, a combination of attributes of an AI project should be considered. Here is a starter list. On a per project basis, the items in bold are typical of an AI project risk assessment. A core subset of the list below should include a composite ranking of complexity of at least 3 technical factors and at least 5 business factors.

AI Complexity index

  • Number of goals/objectives
  • Number of AI techniques
  • Number of layers
  • Technical risk factors (e.g. age of software, quality of data)
  • Business risk factors (a composite of several attributes of AI projects)

Business risk factors (a composite of several attributes of AI projects)

  • Degree of importance (1 – 5, where 5 is very important)
  • Degree of impact (1 – 5)
  • Benefit (1 – 5)
  • Perceived Business risk
  • Risk remediation cost
  • Risk damage cost/loss
  • Business value (monetary)
  • Business value (qualitative)
  • Project cost
  • Project time frame

The selected attributes of the AI projects are captured in a simple form of list model with attributes for each of the characteristics.

Attributes are then used to form a composite ranking, one with multiple attributes contributing to the rank. In the end you have two indices:

  1. AI technical index (x axis) – number of goals/objectives
  2. Business analysis index (y axis) – multiple attributes

Below is a small variation of the suggested starting attributes. It uses 6 attributes for the business/organization index and only the number of goals/objectives for the AI technical index. The number of goals/objectives is used because it is one of the stronger indicators of technical risk. The resulting 4-box shown below helps to identify where the best opportunities exist.

What does it all mean?

Any new technology that is set for integration into an existing organization structure requires an assessment of the risk involved with deploying that technology. Interpreting the simple 4-box above provides this assessment:

  • Lower Left – Not very important but likely success, low risk (some small projects)
  • Upper Left – Important, high success, low risk (full of small projects, good yield low risk)
  • Upper Right – Important but likely failure, high risk (larger projects and more complex but still good yield)
  • Lower Right – Unimportant and likely failure, high risk (very complex with low yield)

To successfully execute an AI strategy, an organization would start in the lower left quadrant to train an AI team. Later, the organization can use the values in the upper left quadrant to evaluate risk and harvest value. The organization should only get into the lower right projects when technology and skills are mature enough to lower the risk.

While not perfect, such an approach to AI project strategy provides an organization with some direction in choosing projects. Keep in mind, it took many years to develop reliable AI software that works in assessing stock market moves. Planning and processes used to apply AI to other areas in a business will take time to develop.

A small issue with AI software tools

One area of risk lies in the use of software tools. Many tools are software libraries with no or minimal user interface capabilities. It is misleading to think that is all you need. Current AI libraries consist of a set of code algorithms that require an interface or need to be included as part of other applications. There are exceptions, however, such as tools used for stock market movement analysis. These are standalone applications and have reasonable user interfaces developed for them. They do not need additional costly investment in a user interface.

Another risk with tools is the preparation of data that feeds the AI tool. This data must be formatted to fit the tool input formats. In many cases the data is extracted from a database or input from an external source and formatted into a table for input to the AI capability. Further, facilities must be provided to let a user select the input variables that drive the AI algorithm. Some tools provide for selection of input and objective variables if the data is formatted in a manner acceptable to the tool.

Discovering these needs at the time of implementation costs time and money and puts the AI project at risk. The less prepared the organization is, the greater the risk.

So Be Prepared

Technology, especially AI technology, requires much more attention today than it did even 5 years ago. The organizations that keep up with the trends and changes will be best prepared to provide valuable goods and services in the future. Effectively using new forms of analytics, including AI types of technology, provides better opportunities to reduce operational uncertainty.


Most of the time, engineers and other technical persons wonder why they fail to hold the attention of top management during their presentations on projects or performance reports, or when requesting additional funds in the annual maintenance or CAPEX budget. I learned from experience that the top management, board members, or the people who control the funds understand only one language, and that is dollars and cents.

When I was the head of training and development in one of the public listed groups in Malaysia, during my presentation to the board I spoke about the requirement for more funds allocation for increasing the CBT (Competency Based Training) skill development program and how that increases productivity by around 20%. The chairman joked whether I meant Criminal Breach of Trust by CBT and the whole board erupted into laughter, but I did not get the allocation I sought. Then I realised that I spoke in a language that the corporate management doesn’t understand and learned to convert all the technical data into money.

Top management has limited knowledge of project or maintenance technicalities, and technical persons have little or no understanding of the corporate management side. Their failure to communicate in a language both understand contributes to project failures.

Technical persons in general try to get everyone to pay attention to status reports, man hours and percentages of improvement, failing to realise that to most in the corporate meetings these are the least interesting things, and they switch themselves off. It is important that technical persons learn to understand the financial side in order to sell their ideas to the top management. What needs to be understood, then, is that value, when sold to an organization’s upper management from the technical perspective, needs to be defined in terms of dollars. That means every project, plan, or initiative that one wants to launch needs to be converted to dollars. Whether it is a rise in productivity, reduced down time, or improved efficiency, it needs to be captured and converted to dollars.

For example, the maintenance engineer may seek an additional allocation of $50,000 to develop kit carts which may improve wrench time by 20%. Instead of stating the benefit as a percentage, calculate it in monetary value, say annualised savings of $5 million in labour cost and a profit gain of around $15 million; then the request gets management’s serious attention.

Article By: N.Ravichandran


The basic concept

For any activity or event, nothing is attainable, or even if it is attainable it will not be of the level and standard that is expected, if there is no real commitment and passion put into that activity or event. The hard fact is that many times these elements of commitment and passion do not come naturally, or one may be available while the other is lacking. Being passionate about a thing, activity or event implies that a person is fully committed and attentive to the details, standards and qualities necessary to complete the activity or event. It is like an artist putting all his skill, focus, heart and soul into his painting to bring that painting to ‘life’, or a singer giving his all to belt out that personal number, with his body, spirit and soul in the rhythm, to bring out the best in his song and performance. Attitude, and good or right attitude, will always engender commitment and passion.


Attitude is about body, spirit, mind, and soul. It is all that a person has in himself that makes him believe and perceive what he is to do and rely on to be the right and true thing, which may not necessarily be the same as the belief, mindset or inclination of another person. Attitude can be about the idiosyncrasies of individuals, and the perceived beliefs and behaviours that influence the manner in which a person acts and responds. Putting risk management as an attitude of individual employees of an organisation implies that they are aware of, and live by, the knowledge that risks influence their daily corporate life, activities, operations and the management of their organisation. Having that kind of attitude will make employees ‘think of risks’ and remain aware that risks influence the ways they conduct their various activities and operations. Possessing such an attitude gives birth to an environment conducive to an effective risk management framework, risk management infrastructure, and risk management implementation in the organisation.



Objectives of risk management

Today, risk management is a function that any organisation prides itself on having as a support function for its front-line, marketing and business activities. Risk management should never be seen or regarded as a function for itself, nor is it an end in itself; rather, it is a means to an end, i.e. a means to help management meet its various goals and bottom-line targets. The myriad and practical objectives of risk management in any organisation are never far from the following:

  • meeting budgets, targets, goals and the objectives of the various internal (management) and external stakeholders in an organisation
  • producing quality goods and services
  • eradicating errors and omissions, frauds and shortfalls
  • doing things right first time, and doing the right things always
  • avoiding surprises
  • fulfilling corporate governance
  • complying with legal and regulatory pronouncements and requirements

What is risk?

My own simple and no-pretence definition or interpretation of risk is as follows: “Risk is an event or occurrence that marred or thwarted the outcome of my aims, objectives, goals, wishes, or expectations”. This definition is in tandem with, or a down-to-earth summary of, the exotic interpretations/definitions that many authors and risk-management researchers like to allude to.

Risk management culture

When risk management is successfully incorporated or inculcated into the culture of an organisation, it would mean the beliefs, heroes, practices, rituals, ethos, and behaviours in that organisation have elements and features of risk-understanding, risk-awareness, risk-management fundamentals, and the implementation of a risk-management framework. The people in that organisation (like employees, management, directors), as well as those outside it (like suppliers, creditors, vendors, agents, regulators), think, live, act, behave and apply risk management in all that they do, talk about, and transact. This state of affairs was seen as probably ‘surreal’ in yonder years. But in the real world these days, it is not necessarily so. Why is this so? Well, for one, it is due to the wide coverage, emphasis and focus that many organisations today put into their risk management programmes in order to comply with regulatory directives to have robust risk management programmes in place. But more so, it is because directors and management today believe that good risk management programmes are no longer an option, but rather the right way of doing and managing business and non-business outfits nowadays, if one is to have a better competitive advantage over one’s competitors. The notion is that doing or managing successful business (and being one step ahead of one’s competitors) is all about managing risks effectively. This belief is what many board members and contemporary management profess. With this belief, the probabilities that risks would surface to thwart and disrupt events and operations in organisations are minimised or eradicated (although in reality risks are hard to eradicate, their likelihood of occurrence could be minimised and their negative impacts mitigated).

Organisational culture

Culture is a word that has quite complicated meanings and nuances. Culture’s domains are in people and in organisations. In people, the precepts of culture would mean the way things are done, practised or enacted by every individual in the society: their dress-codes, beliefs, habits, antics, behaviours, perceptions/attitudes, practices, rituals, and idiosyncrasies. In an organisation, the precepts are not dissimilar to ‘culture’ in people; it is just that the culture is reflected, implemented or practised by the organisation. Of course an organisation (though a legal entity) is an inanimate thing. So organisational culture is in fact those precepts that are practised, exhibited or displayed and put into motion by the people inside that organisation, who are collectively referred to as the employees and management. As with people, the culture in an organisation also exhibits elements or precepts of rituals, heroes, practices, beliefs, and ethos. So if risk management becomes an element of, or gets incorporated into, an organisation’s culture, what it means is that the features, characteristics and fundamentals of risk management, risk-awareness, etc., are infused into the organisation’s culture, or the way things are done in that organisation.

Importance of conducive environment

There is an age-old oriental cliché that says ‘you can’t carve a statue from a rotten wood’. Using this analogy, we can deduce that an organisation that has a very poor (or rotten) risk management culture, or low risk-management understanding and a non-conducive risk-management environment, would find that it will fail slowly in the long run when implementing its initiatives or programmes for its risk management journey. There are seven cornerstones or building blocks for a good risk management programme. They are (i) risk-management philosophy, (ii) risk-management policy, (iii) risk management awareness/culture, (iv) defined and clear roles of everyone, (v) human resources and training, (vi) risk-management framework of risk-identification, risk-evaluation/assessment, risk-controls, risk-reporting and risk-monitoring, and (vii) risk-follow up and re-assessment and change-management. A conducive risk management environment stemming from risk management awareness/culture is one of the above seven building blocks needed for any organisation’s effective risk-management function. I was conducting a 2-day course on operational risk management in Phnom Penh, Cambodia in January 2008. One of the participants in my course made a remark as follows, “From my past observation, if the environment is not conducive, any risk management programme will not really succeed in its mission and objectives in the long term”. I retorted that I fully subscribed to that precise statement.

Article By: Dr Joseph Eby Ruin


What is failure?
Failure is an outcome of an event that does not jibe with the expectation of the person. My own definition of risk has a good semblance with this interpretation or meaning of failure. My risk definition is “Risk is any happening, or event, incident or occurrence that sabotaged, marred, thwarted or prevented the positive outcome of my dreams, aims, objectives, targets, goals, wishes, or expectations”.

Risk management objectives
The objectives of managing risks in an organization are to ensure targets and goals are achieved, bottom-lines are fulfilled, shareholders’ values are enhanced, corporate governance and corporate social responsibilities maintained and goodwill, reputation and image kept intact.

‘Must have’ versus ‘nice to have’
If you ask me, what is the option today as far as risk management is concerned in any outfit, be it business or non-business? Is it a ‘nice to have’ option, or a ‘must have’ requirement? It is a ‘must have’ function for today’s and tomorrow’s way of corporate management going forward.

Despite the notion held by many organizations that risk management today and tomorrow is a ‘must have’ programme, failed or ineffective risk management is not uncommon. Why is that so? We are going to review below the dozen or twelve reasons why an entity’s risk management programme failed.

Reasons for failures

I was conducting a course on anti-fraud awareness and risk management in Phnom Penh, Cambodia and Brunei not too long ago. One of the topics for group discussion or case study was on how risk management can fail. The one dozen reasons that were summarised at my above workshops are listed below.

Reason 1

Only rhetoric support from board and top mgt

The much needed financial/budget and tactical/resources support from the top management and the board are not substantive. They are mere rhetoric, and the needed commitment and support are ‘surface appearance’, more perhaps to please or justify the authorities and regulators that their companies have such programmes or risk management journeys and commitments.

Reason 2

Poor understanding of risk fundamentals

The nomenclatures, definitions and general fundamentals and concepts of risk management vary among departments and senior personnel in the management.

Reason 3

Ill-planned risk mgt framework

The risk management framework is not properly designed, understood and implemented. This may be due to inadequate skills and know-how of risk management and best practices among the Risk Mgt Department’s (RMD) staff. Granted, the responsibilities to manage risks on a day-to-day basis belong to the various risk owners (the various business, operational and support units). But the coordinating role and the driver of the various risk management activities and programmes reside with the RMD. Thus this department has to play the ‘lead’ and initiate the necessary risk management programmes, and definitely design and make sure the organisational risk management framework is not only relevant and best practice but also works effectively for the organization.

Reason 4

Risk-scoping for the macro and micro risk profiles poorly conducted


Reason 5

Little buy-in from employees and staff

The employees must know the value of risk management. How can risk management support them to meet their goals, targets and objectives? If they do not take care of their various risks, their targets and goals will not be achieved, and their annual performances will be affected. So it is important to make the risk management function part of their overall KPIs (key performance indicators) for their annual appraisals. Many times this may not be the case. Therefore there may be only meagre buy-in from the employees/staff, causing risk management to fail in that organisation.

Reason 6

More reactive and fewer proactive risk mgt approach

Risk management is a ‘going-forward’ kind of management function. It attempts to pro-act and forecast what can and may go wrong (anything wrong is risk). The risk management function is to alert or forewarn the business and operations units in an organization to get prepared and be ready to prevent those identified inherent risks from occurring by putting in adequate and effective control measures or infrastructures. Or, should the risk event still crop up, the role of risk management is to advise on the relevant and cost-effective risk mitigants to minimize the negative financial impact on the bottom-line, or the adverse non-financial effects of that risk on the organisation’s image and reputation.
Risk management does, however, depend on past trends, events and occurrences as the base to review whether such types of incidents or risks will recur in the future. Using past data or events as a base to judge whether a similar risk event will crop up one day in the future is not the same as ‘reactive risk management’.

Reason 7

Peer review of risk mgt not carried out

It is well and good to know that an organisation has fulfilled many or all of the necessary requisites and infrastructures for a reputable and effective risk management architecture and function. But is that enough? Will that bring complacency? Has that organisation benchmarked its risk management set-up and practices against another player in the market? Are all the relevant best practices in risk management implemented or adopted, moving forward? Failure to look into this peer review and to exchange notes with other organisations in the country and abroad can also bring about a state of false bliss or complacency, which will be detrimental to the effectiveness of risk management because it has not factored in or managed the element of ‘change’ in the organisation’s internal and external environment.

Reason 8

Risk mgt function or contribution not effective from the context of users

Have all targets and risk management programmes been completed and implemented in a timely manner? Have all the deliverables and risk management outputs been produced and delivered for the use of the internal customers? Does the Risk Management Department (RMD) know its customers? When the Risk Management Department has the comfort that it is effective and relevant to the organisation’s management and board, on whose judgement or standard did it say it is ‘effective’? When was the last time RMD did an internal customer survey to find out how other departments in the organisation feel or behave towards it? Has it ever sent out such a survey, by the way? RMD is to serve the business units and other support units or functions in an organisation. It is also to support the overall management and the board. So really its customers are (i) the business units, (ii) other support units, (iii) management, and (iv) the board. If these four clients of RMD do not give RMD a good report card or scores, then it is time to re-look at what else needs to be done or delivered, because as far as the customers are concerned RMD is seemingly not so effective. Risk management does not exist on its own or ‘per se’ but to support these four customers. Thus if they do not find effectiveness in the discharge of its functions, RMD has to re-invent ways and structures to best suit these customers, since effectiveness is judged from their point of view, not from the rationale of RMD itself.

Reason 9

Inadequate risk mgt resources

The resources needed for risk management to function adequately have to be in place and ready. The resources will be in the form of manpower, equipment, systems and other infrastructure. Are these adequate? Are the systems up to date and efficient enough to serve all and sundry, bearing in mind that the daily management of risks rests with the individual business and support units? Many a time the lack is not in people or manpower, but in the risk tracking and monitoring systems that are needed for risk management to function and support the business units and other support units alike.

Reason 10

Meagre culture and awareness training

A working or corporate environment that is not conducive to risk management is a harbinger of failure of risk management. How does an organisation promote this conducive environment? Awareness of risks among all employees, senior management and the board is cardinal to the success of an effective risk management journey. This will exude a good and conducive environment for the organization. Such a state of affairs engenders the important aspect of making sure that risk management and risk concerns get embedded in the organisation’s corporate and working culture. Such an operating culture makes everyone risk-averse, and makes them think of every operation, activity, process, transaction and documentation with ‘risk first’ in mind. With that kind of mindset, errors, omissions, defects and faults are likely to be non-existent or, at the very worst, minimised. The objective of risk management anyhow is to ensure that these errors, omissions, defects and faults are eradicated. Only then can organisations produce goods that are defect-free, and the service quality that consumers and users expect.

Reason 11

Failure to focus on change-management

Changes, as we all know, are indeed real risk issues that all organisations must be wary of. What is in vogue today will be obsolete and out of fashion tomorrow. With this down-to-earth understanding, one of the first issues to manage as far as risks in an organisation are concerned is the risk that changes to the business, operations and environment will bring. Any oversight or neglect in this area will make an organisation’s risk management not only weak, but rather meaningless and futile, or at most the role of risk management can be seen to be merely perfunctory.

Reason 12

Inadequate risk mgt tools and infrastructure

When anyone goes to battle, the important thing to ensure is that there are adequate arms and ammunition available. These are the tools that a soldier uses in battle or combat. On the same rationale, risk management is akin to going to war. We are fighting the enemy that we have named ‘risk’. Do we have enough arms and weapons? Are our weapons relevant, effective and user-friendly? Are they cost-effective (bearing in mind that too expensive a weapon is also a risk to our financial constraint/budget, and worse still this expensive tool may not help us a lot in defeating our enemy, i.e. ‘risk’)? Adequate, relevant, user-friendly, cost-effective or cost-benefit risk management tools in the form of control systems and procedures are what we need. ‘How adequate, cost-effective and relevant are they?’ would be the perennial question that we have to unravel. Not knowing what tools to use, or investing in expensive, less relevant and ineffective tools/systems, will produce a white elephant that would make the rest of the people in the organisation ridicule and bad-mouth the risk management set-up.

Article By: Dr Joseph Eby Ruin


The energy policy of Malaysia is determined by the Malaysian Government, which addresses issues of energy production, distribution, and consumption. The Energy Commission acts as the regulator while other players in the energy sector include energy supply and service companies, research and development institutions and consumers. Government-linked companies, Petronas and Tenaga Nasional Berhad are major players in Malaysia’s energy sector. Governmental agencies that contribute to the policy are the Ministry of Energy, Green Technology and Water, the Energy Commission (Suruhanjaya Tenaga), and the Malaysia Energy Centre (Pusat Tenaga Malaysia). Among the documents that the policy is based on are the 1974 Petroleum Development Act, 1975 National Petroleum Policy, 1980 National Depletion Policy, 1990 Electricity Supply Act, 1993 Gas Supply Acts, 1994 Electricity Regulations, 1997 Gas Supply Regulations and the 2001 Energy Commission Act (“National Energy Policy”; Ministry of Energy, Green Technology and Water, 2013).

The Energy Commission was created under the Energy Commission Act 2001 as a new regulator for the energy industry in Peninsular Malaysia and Sabah. The Commission was established to ensure that the energy industry is developed in an efficient manner so that Malaysia will be ready to meet the new challenges of globalization and liberalization, particularly in the energy supply industry. The commission regulates and promotes all matters relating to the electricity and gas supply industry within the scope of applicable legislation namely the Electricity Supply Act 1990, License Supply Regulation 1990, Gas Supply Act 1993, Electricity Regulation 1994, and Gas Supply Regulation 1997. In performing its role the commission takes the self-regulation approach (The Energy Commission of Malaysia, 2009).

The electrical energy consumption in Malaysia has increased sharply in the past few years, and modern energy efficient technologies are desperately needed for the national energy policy to increase public awareness. Figure 1.1 indicates the energy consumption by fuel type in Malaysia. It is very clear that electrical energy consumption is the highest and the increase during the 35 year period (1978-2013) is about ten times (increasing from about 5,000 KTOE (Kilo Tons of Oil Equivalent) to about 50,000 KTOE). It is very clear that electrical energy consumption has increased during the 40 year period (1971-2014) by more than two fold, i.e. from about 4,000 GTOE (Giga Tons of Oil Equivalent) to about 9,000 GTOE. Surveys are continuously being performed to assess the consumption pattern and the existing techniques for energy efficiency. Based on past surveys, the extent of the feasibility of improving the available systems and adopting new programs in different sectors was not investigated in depth. Studies reveal the fact that the energy conservation policy of Malaysia has been fairly improved in the last ten years. However, the country has to pay more attention to this area and take urgent measures to adopt more energy efficient technologies in various sectors.