Generative AI in Risk and Compliance:

Friend or Foe?
2024 Primary Research

The surge in interest surrounding GenAI is undeniable, yet the true value of this technology can become distorted by hype and misconceptions. Moreover, widespread tenacity to automate has been met with mounting concerns surrounding the risks this technology poses to individuals and organisations, particularly where sensitive data or business-critical processes are involved.

The rise of RiskTech and RegTech over the past decade has reflected the need for innovation in risk and compliance. The success of these products has also shown that technology can be trusted to perform these uniquely sensitive and complex tasks.

However, today’s GenAI is not just another technology. It represents the start of truly intelligent and proactive automation, serving both as a warning and a window into the future. Our findings illuminate both aspects: the opportunities and the challenges. Numerically, we find more GenAI opportunities than risks in risk and compliance use cases. More than 70% of the hundreds of opportunities assessed will have at least a moderate impact on improving risk and compliance workflows, whereas only 30% of the risks assessed are deemed moderate or highly severe.

Among our 14 risk and compliance use cases, Model Risk faced the highest number of highly severe risks, including bias, hallucinations, and compute power issues. This was in line with expectations, given the direct role Model Risk Management plays in handling AI-related challenges. We also find that text-heavy use cases stand to gain the most from GenAI, largely thanks to recent advances in LLMs, which will enable the automation of processing, interpreting, and summarising text data. Use cases in Compliance Management, Horizon Scanning, and eComms Surveillance therefore rank highly in our analysis of GenAI opportunities.

We are aware that the quantity of opportunities and risks in each use case does not necessarily provide the complete picture. A single, highly suited GenAI capability may transform one use case more than five capabilities transform another. To address the quality and scale of each GenAI opportunity and risk, we have created scales that are visualised in heat maps. Furthermore, these scales address not only the impact of GenAI but also the imminence with which these impacts will emerge.

We have also delved deeper qualitatively in our interviews with 17 expert contributors, whose views have informed, inspired, and challenged us throughout. You can find their many insights in the Industry Deep Dives section, where we elaborate on the state of GenAI in each of our 14 risk and compliance use cases. These use cases, which will be referred to throughout, belong to the unique taxonomy defined in the next section. To structure our analysis, we have also produced original taxonomies of eight GenAI capabilities and eight GenAI risks, which have been well-received externally.

Several key trends stood out in our research, including the use of retrieval-augmented generation to both focus and restrict LLMs, and the observation that GenAI is being widely used as a tactical solution in regulated institutions. Our recommendations for adopting GenAI urge pragmatism: focusing on the business case (not the technology), prioritising data, and outsourcing some challenges to technology experts. For mitigating risks, we advocate urgency, collaboration, and the likely need for a suite of technology solutions to address these fundamentally new challenges.