How AI will transform the Risk and Compliance industry

David van Gogh, Jessica Ong & Brandon Nguyen

5 Jul 2023
  • Compliance and Regulation


The emergence of Artificial Intelligence (AI) has allowed for sweeping benefits to various industries, while simultaneously sparking debate around its usage, implementation, and regulation.

AI uses advanced data analytics to link concepts, mimicking human learning. Initial AI implementations were applied across existing, structured data sets (such as databases), in place of traditional data analytics. This enabled its users to find advanced correlations and to improve the quality of data inputs used and outputs produced.

Since 2021, it has been possible to apply AI to unstructured data such as free text or conversational input. AI is now being used to respond to customers in chatbots, to authenticate users on devices, and for ultra-targeted marketing campaigns. Recent tools like ChatGPT also enable users to obtain plain-speaking answers to complex queries in an extremely efficient and cost-effective manner.

AI will transform the risk and compliance industry through its broad range of applications. This article considers five of those potential applications, which are illustrated with actual AI outputs, using version 4.0 of the chat-based AI tool ChatGPT.

Building Policies and Frameworks

Risk and compliance policies, frameworks, and related materials often maintain a relatively standardised structure that is tailored to the specifics of the organisation for which they are drafted. AI can be an efficient mechanism for producing the initial drafts of such documents. Given nuances such as an organisation’s current risk maturity level, its individual concerns, or evolving changes in its industry, organisations must adjust any skeleton materials created by AI so that the final document meets their business needs.

Input: “Draft me a Risk Appetite Statement for an airline.”

ChatGPT Output:

XYZ Airlines Risk Appetite Statement
XYZ Airlines is committed to maintaining a balanced approach to risk management, ensuring the safety, financial stability, and service excellence of our operations. This Risk Appetite Statement outlines the level of risk that XYZ Airlines is prepared to accept in pursuit of our strategic objectives and day-to-day activities.

1. Safety and Security Risk: As an airline, our foremost priority is the safety and security of our passengers, employees, and assets. We have zero tolerance for any risks that could potentially compromise safety and security. All decisions and activities are guided by strict adherence to regulatory standards and best practices in the industry.

2. Financial Risk: While we are committed to growth and profitability, we will not pursue these objectives at the expense of safety, compliance, or our long-term sustainability. We have a low to moderate tolerance for financial risk, and are committed to prudent financial management, cost control, and strategic investments. 

3. Operational Risk: We understand that operational risks are inherent in our industry, and we are willing to accept a moderate level of such risks. We manage these risks through robust operational procedures, contingency planning, and continuous improvement initiatives.

4. Reputational Risk: We have a low tolerance for risks that could harm our reputation. We strive to uphold our reputation for quality service, corporate responsibility, and integrity in all our dealings.

5. Regulatory and Compliance Risk: We have zero tolerance for non-compliance with aviation laws, regulations, and standards. We are committed to maintaining robust compliance programs and fostering a culture of regulatory compliance.

6. Strategic Risk: We are willing to accept a moderate level of strategic risk in the pursuit of innovation, competitive advantage, and market leadership. We manage these risks through thorough strategic planning, due diligence, and careful decision-making.

7. Environmental and Social Risk: We recognize our responsibility to the environment and society, and we have a low tolerance for risks that negatively impact our environmental and social commitments.

Our risk appetite is reviewed regularly by the Board of Directors to ensure that it remains aligned with our strategic objectives, and can be adjusted in response to changes in our operating environment, business strategy, or the risk landscape.

Enhanced Reporting with Intelligent Insights

While the risk and compliance reporting of mature organisations is heavily linked to data, reporting is still highly time- and resource-dependent. Highly skilled Risk and Compliance practitioners are required to consume and interpret data and to synthesize it into insights.

AI will enable Risk and Compliance functions to provide deep insights in near-real time, even where data is unreliable or unstructured. It can do this by reading and processing internal data in unstructured formats (such as text-based reports) and structured formats (risk, issue and incident information), combined with data from external sources (such as economic data, news, and current events). This will enable it to identify emerging risks, trends, and patterns that a human may otherwise not detect.

The nature of executive reporting is such that much time is spent fine-tuning messaging and tailoring technical language to the relevant audience. AI can apply fine nuance to language and can tailor reporting to the specific background and experience of individual readers. As it continuously learns from the data inputs it analyses and outputs it produces, AI will be able to produce this tailored reporting with the desired requirements near-autonomously with less human input over time.

It is worth noting, though, that AI engines sometimes produce incorrect or inaccurate outputs. For this reason, human review of reporting outputs will continue to be required in the near term.

Input: “What are major emerging risks for the Lithium mining industry in Australia? Illustrate your points with relevant data.”

ChatGPT Output:

Here are the key points and relevant data on the major emerging risks for the lithium mining industry in Australia:

Water Scarcity:
Lithium mining, particularly in the extraction of lithium from brine, requires significant amounts of water. Australia is known for its dry climate and frequent droughts, which may impact water availability for mining operations. The Australian Bureau of Meteorology reports that the annual mean rainfall in the country has been declining since the 1970s.
Relevant Data: Annual mean rainfall in Australia in 1970 was around 465mm, while in 2021, it was about 415mm, indicating a decline of around 10.8%.

Environmental Regulations:
Increased concerns about the environmental impacts of lithium mining have led to stricter regulations in some countries. If Australia enforces tighter regulations to protect the environment, this could increase operational costs and potentially slow down lithium production.
Relevant Data: From 2015 to 2021, Australia has introduced an average of 15 new environmental regulations per year, with a notable increase in 2020 and 2021.

Market Volatility: 
The demand for lithium is highly influenced by the adoption of electric vehicles (EVs) and renewable energy storage technologies. This demand may fluctuate depending on various factors, such as global economic conditions, government policies, and technological advancements in battery technology. Market volatility may lead to uncertainties in lithium prices and affect mining operations.
Relevant Data: Global lithium carbonate price in 2015 was around $6,000 per metric ton, reaching a peak of around $20,000 per metric ton in 2018, and dropping to approximately $7,000 per metric ton in 2021.

Competition from Alternative Sources:
The lithium mining industry in Australia faces competition from other lithium-producing countries, such as Chile, Argentina, and China. Additionally, there is ongoing research into alternative methods of lithium extraction, such as direct lithium extraction (DLE) technology, which could reduce the reliance on traditional mining methods and potentially affect Australia's lithium market share.
Relevant Data: In 2021, Australia accounted for around 40% of global lithium production, followed by Chile (30%), China (15%), and Argentina (10%).

Social and Community Concerns:
Local communities and indigenous groups may oppose lithium mining projects due to concerns about land rights, environmental impacts, and potential disruptions to their way of life. This opposition could result in delays, increased costs, or even cancellations of mining projects.
Relevant Data: Between 2015 and 2021, an average of 3 lithium mining projects per year faced delays or cancellations due to social and community concerns in Australia. 

Advanced Risk Decisioning

Automated risk decisioning already exists in many organisations, such as for retail credit and simple insurance underwriting decisions. These are usually based on a combination of data analytics and rules-based automated workflow. Such automation is not currently suited to complex or subjective risk assessments, like commercial asset finance and business lending decisions, which require SME intervention.

AI is already being used in the Financial Services industry to identify potentially fraudulent transactions and to flag potentially higher-risk customers or deals. However, in the future it may be possible for AI to undertake complex risk assessments which currently require a Credit, Underwriting or other specialist to review.

A potential drawback to the use of AI in this context is that such decisions currently require a strong audit trail of documentation. AI is a ‘black box’, in the sense that not all machine logic is clear to a user, which makes auditing and tracing decisions challenging. Because AI could be involved in many deals in a short time period, errors could also manifest on a large scale. Controls would need to be developed to accommodate these drawbacks.

Input: “Pretend that you are the head of credit at a community-owned bank. Draft me a framework for assessing the creditworthiness of mortgage borrowers and then assess Clive Palmer against this framework using publicly available data. He would like to borrow $30m for an investment property at an LVR of 80%.”

ChatGPT Output:

As the head of credit at a community-owned bank, I propose the following framework for assessing the creditworthiness of mortgage borrowers:

- Income and Employment Stability: Assess the borrower's income stability and employment history. A stable job with a reliable income source is crucial for meeting mortgage repayment obligations.
- Credit Score: Review the borrower's credit score and history, including any late payments, defaults, or bankruptcies. A good credit score indicates a responsible borrower who can manage credit effectively.
- Debt-to-Income Ratio (DTI): Calculate the borrower's DTI by dividing their total monthly debt payments by their gross monthly income. A lower DTI suggests a more financially stable borrower with a lower risk of default.
- Loan-to-Value Ratio (LVR): Determine the LVR by dividing the loan amount by the appraised value of the property. A lower LVR indicates less risk to the lender and a larger equity cushion for the borrower.
- Cash Reserves and Assets: Assess the borrower's cash reserves and other assets that can be used to repay the loan in case of financial hardship.
- Property Valuation: Conduct a thorough appraisal of the property to ensure its value justifies the loan amount and is consistent with the current market conditions.
- Purpose of Loan: Evaluate the purpose of the loan, whether it is for owner-occupancy, investment, or a vacation property. The purpose of the loan will affect risk and repayment capacity.

Assessment of Clive Palmer:

- Income and Employment Stability: Clive Palmer is a wealthy Australian businessman with diverse business interests, including mining, real estate, and tourism. His income sources are varied and should be considered stable.
- Credit Score: Publicly available information on Clive Palmer's credit score is not accessible. However, given his public profile and business successes, it is likely that he has a satisfactory credit history.
- Debt-to-Income Ratio (DTI): Clive Palmer's DTI cannot be accurately calculated without detailed information on his income and debt obligations. Nevertheless, given his wealth, it is likely that his DTI is within an acceptable range.
- Loan-to-Value Ratio (LVR): Clive Palmer is requesting a loan of $30 million at an LVR of 80%, implying a property value of $37.5 million. This LVR falls within an acceptable range for a high-net-worth individual.
- Cash Reserves and Assets: Clive Palmer has significant cash reserves and assets, including ownership stakes in various businesses and properties, which could be liquidated to repay the loan in case of financial hardship.
- Property Valuation: A thorough property appraisal would be necessary to ensure the property's value justifies the loan amount and aligns with current market conditions.
- Purpose of Loan: Clive Palmer intends to use the loan for an investment property. Given his experience in real estate and business, this investment is likely to generate sufficient income to service the mortgage.

Based on this assessment, Clive Palmer appears to be a creditworthy borrower. However, before proceeding with the loan, a comprehensive review of his financials, credit history, and property valuation should be conducted.

Conducting Assurance

Assurance activities require dedicated individuals and time to test controls, identify control gaps and recommended actions, and report to management. AI has the potential to:

  • Develop annual audit plans that are targeted to business needs, and which consider external industry-wide changes, internal organisational changes, and assurance results from previous years;
  • Draft testing procedures for controls;
  • Perform controls testing, including across complete data sets where sample testing would have otherwise been used; and
  • Perform SME reviews using unstructured data, such as project health checks.

Controls assurance is a highly repetitive and resource-intensive activity. As such, AI provides a potentially large opportunity for cost saving in this area.

Input: “Generate control testing steps to test whether or not a consultant has exceeded their delegated authority to approve transactions above their limits.”

ChatGPT Output:

1. Obtain Delegated Authority Documentation: Gather the documented policy or authorization matrix that outlines the approved authority limits for each consultant within the organization.

2. Identify Relevant Consultants: Identify the consultants who have been granted delegated authority to approve transactions and determine their assigned approval limits.

3. Select a Sample: Randomly select a sample of consultants from the identified pool who are likely to have approved transactions close to or exceeding their assigned limits.

4. Obtain Transaction Records: Obtain the relevant transaction records, such as invoices, purchase orders, or expense reports, for the selected consultants within the specified testing period.

5. Review Authorization Documentation: Examine the authorization documentation associated with each selected transaction, including approval forms, digital approvals, or any other supporting evidence.

6. Validate Approval Limits: Cross-reference the approval documentation with the delegated authority limits assigned to each consultant to ensure that the approved transactions fall within their designated limits.

7. Assess Signatories: Verify the authenticity of the signatures or digital approvals on the authorization documentation by comparing them against the authorized signatories list maintained by the organization.

8. Identify Exceptions: Identify any instances where consultants have approved transactions exceeding their assigned authority limits. Flag these as exceptions for further investigation.

9. Investigate Exceptions: For each identified exception, conduct a detailed investigation to determine the reason behind the unauthorized approval. Consider factors such as emergency situations, system errors, or potential abuse of authority.

10. Evaluate Approval Process: Assess the adequacy and effectiveness of the organization's approval process, including any system controls in place to prevent unauthorized approvals.

11. Document and Report Findings: Document the results of the control test, including any exceptions, findings, and root causes identified. Prepare a report summarizing the overall compliance with the delegated authority limits and provide recommendations for remedial actions if necessary.

Easing Compliance Management

The regulatory landscape for various industries has become highly complex, and this will continue to be the case due to the ongoing evolution of obligations. Ensuring compliance with legislative and regulatory requirements is a resource-intensive and time-consuming task. AI presents a viable solution for collating requirements, reading and interpreting them, formulating strategies for incorporating obligations into existing business practices, and reporting on these to management and regulators as required. AI can produce implementation plans based on the respective structure, priorities, and circumstances of a specific organisation.

For regulators, AI also presents the ability to process large sets of data as part of supervision of regulated entities.

Input: “Identify the 5 biggest areas of compliance relevant to a Superannuation fund and provide a single paragraph summary of controls required to comply with each of these.”

ChatGPT Output:

1. Prudential Standards: The Australian Prudential Regulation Authority (APRA) has established prudential standards that superannuation funds must follow. This includes maintaining a risk management framework, regularly conducting audits, and ensuring fund solvency. Controls should include regular risk assessments, internal and external audits, adequate capital reserves, and systems for monitoring and managing financial and operational risks.

2. Superannuation Industry (Supervision) Act 1993 (SIS Act): This Act sets out the operational standards for superannuation funds. Compliance involves ensuring the sole purpose test is met (funds are maintained for the sole purpose of providing retirement benefits), investment restrictions are adhered to, and members are given a minimum level of information. Controls should include regular legal reviews, strict investment policies, and strong communication processes.

3. Trustee Duties: Trustees have a fiduciary duty to act in the best interest of fund members. This includes managing conflicts of interest, offering insurance, and maintaining an investment strategy. Controls should include a strong governance framework, conflict of interest policies, and ongoing monitoring of insurance and investment strategies.

4. Australian Securities and Investments Commission (ASIC) Regulations: ASIC regulates certain aspects of superannuation primarily concerning member experience, including disclosure obligations, advice provided to members, and complaints handling. Controls should include robust disclosure processes, advice vetting mechanisms, and a well-functioning complaint handling system.

5. Anti-Money Laundering and Counter-Terrorism Financing (AML/CTF): Superannuation funds must have systems in place to identify, mitigate, and manage the risk of their services being misused for money laundering or terrorism financing. Controls should include customer identification procedures, monitoring of transactions, and reporting of suspicious activities to the Australian Transaction Reports and Analysis Centre (AUSTRAC).


AI will transform the risk and compliance industry through its broad range of use cases. Even in current forms, it can be applied to significantly accelerate the risk and compliance maturity of an organisation at any stage of maturity. Early-maturity organisations can use it to set up initial governance, policy and framework structures. Higher-maturity organisations can use it to perform controls assurance and to provide deep risk and compliance insights on a real-time basis.

However, the use of AI in a risk and compliance context must be tempered with the appropriate oversight and controls. AI will not necessarily take into account the specifics of the target organisation, and SME practitioners are still required to verify that outputs are accurate and fit for purpose.

AI will dramatically uplift the capabilities of risk and compliance functions across a wide range of industries. Contact our team to find out more.
