8 Risk management


Watch this video of Richard Nicholas, from Browne Jacobson LLP, where he discusses the importance of governance, policy and training.

There are legal and regulatory compliance requirements in using GenAI including data privacy and cyber security (these are covered in more detail in the sixth course, Navigating risk management, and the seventh course, Understanding legal regulation and compliance). NIST is the National Institute of Standards and Technology at the U.S. Department of Commerce.

The NIST Cybersecurity Framework helps businesses of all sizes better understand, manage, and reduce their cybersecurity risk and protect their networks and data (Understanding the NIST cybersecurity framework | Federal Trade Commission). Although it originates in the U.S., it is applicable to organisations in the UK.

It is a straightforward framework that is easy to incorporate into your business in these five areas:

  • Identify

  • Protect

  • Detect

  • Respond

  • Recover.

You should speak to your insurers to check that GenAI tools are covered under existing policies and understand how your insurance deals with the risks of tools producing deteriorating outputs. You should understand what systems and processes your insurers require in order for the organisation to use GenAI.

Key insurance considerations in relation to GenAI providers' terms and conditions include ensuring that the provider offers sufficient liability coverage and indemnity provisions. This is essential for protecting the organisation in case the AI generates incorrect results or recommendations. Review any indemnities provided to assess whether they offer protection against infringement claims initiated by third parties. This is important because GenAI models can occasionally produce outputs that unintentionally infringe existing IP rights.

You should also review whether the insurance includes coverage for data breaches or privacy violations resulting from using the AI services. This is important given the sensitive data that may be processed by GenAI systems. If there is no coverage for data breaches, other insurance policies, such as cyber insurance, should be considered.

You need to consider business continuity, create a plan to address a system failure or outage of service, and develop an incident response plan (IRP). Simulations of real-world scenarios in a controlled environment will support the development of an IRP.

It is essential to have a GenAI policy that covers ethical considerations, monitoring of outputs for potential ethical and/or bias issues, and responsible AI guidelines.

A GenAI policy should cover the following components:

  • Purpose and scope: define the goals of implementing GenAI, and outline how it will be used and monitored.

  • State who in the organisation the policy applies to, and specify the areas of the organisation in which GenAI will be used, for example, administrative functions and document drafting.

  • Usage guidelines: outline permissible uses and applications of GenAI.

  • Ethical considerations: address potential biases in AI outputs, ensure AI-generated content is clearly identified and that the use of AI is transparent to clients and stakeholders, and establish accountability mechanisms for AI-generated decisions and actions.

  • Compliance and legal standards: identify the legal and compliance obligations in relation to laws at the local, national and international levels, with special consideration given to areas such as copyright, data protection and the prevention of misinformation.

  • Data privacy and security: create safeguards to protect the data inputted into any GenAI technology, addressing data collection, storage and sharing. Make clear any prohibited activity such as entering private or personal information into any GenAI platform.

  • Operational guidelines: include any training available to staff to effectively use the technology, outline how GenAI will be integrated into existing systems and establish procedures for ongoing monitoring and evaluation of AI performance and impact.

  • Risk management: outline the risk management framework and consider conducting regular risk assessments to identify and mitigate the potential risks associated with AI.

  • Review and update: include a provision for regular reviews, noting that the GenAI policy may be updated from time to time to reflect technological advances and any changes in the regulatory landscape.

The sixth course, Navigating risk management, looks at the importance of mitigating risk by having policies in place to address bias, misinformation or harm caused by outputs.
