Laura Austin is a seasoned financial professional with more than 10 years of experience. Most recently, she has worked for the federal government helping to resolve failed financial institutions. She holds a Master of Business Administration and has written business documents and online articles for a health insurance company.
As proposed AI regulations gain momentum, regulators are recognizing that one size does not fit all. In the EU and the US, regulators now emphasize a proportional approach, where the compliance burden scales in line with an organization's size and resources. But regulations still lack explicit guidelines for small and medium businesses, which often do not have dedicated AI personnel, on how to implement an effective AI Governance program. The question of ‘What is Good AI Governance for my Business’ is still left open to interpretation.
There are 5 broad levels of AI Governance Maturity that an organization may adopt. Each comes with key tradeoffs between speed of development, risk mitigation, and the cost of implementation. The appropriate maturity level for an organization takes into account the organization's size, existing AI expertise, and what internal resources are already available. This breakdown of maturity levels and considerations can help organizations identify their ideal ‘target’ maturity level, and build towards it.
Many organizations start without any AI Governance at all: no structured guidance on governance practices, no clear oversight from anyone, and no technical testing standards or documentation requirements. There may be elements of best practices and good governance techniques, but they are typically driven from the bottom up and are likely tied to employees seeking to implement it themselves. The weakness of grassroots governance is sustainability - when internal champions leave, the established processes leave with them.
At this level, companies experimenting with AI are focused on innovating quickly to find the most valuable applications - not on reining in experimentation with governance guidelines. But ignorance is not bliss. While this maturity level does allow for the most innovation without internal bureaucracy, the lack of any guidance, best practices, or stakeholder engagement actually decreases the likelihood that any successful AI experiment will get implemented. Without a governance structure, individual AI advocates struggle through unclear implementation roadmaps and disorganized, inefficient resource allocation, and they risk backlash in the testing and release stage that hinders any future initiatives. In addition, they stand to lose trust with customers increasingly concerned about how companies are using AI.
The next step up is self-managed AI governance, with individual teams instituting pockets of best practice processes. For example, there may be clear policies to require code reviews for AI/ML code and a technical leader may need to sign off on every new model and AI use case. Other characteristics at this level include some developer-focused tools to support AI quality control, standards for documenting details about the AI System, or a structured AI product discovery process stipulating target user interviews. Regardless of the specific policy, oversight and enforcement at this level are done by people within the same department. This is analogous to the ‘first line’ of defense in the financial model risk management world.
Many software engineering teams enforce standards for cybersecurity and technical robustness in the same way, and industry standards such as SOC-2 help organizations adopt this kind of model. This maturity level should be the absolute 'minimum' to implement AI for any organization of any size, including startups. Internal standards and policies should be defined and enforced by the R&D leadership. Systems should be well documented at a bare minimum at the technical level, testing frameworks should be in place for known technical risks, and the go/no-go gates should be commonly understood. This level still promotes innovation as most decision making is still done within the same business function and new experiments can be quickly spun up and down. However, it still provides the first level of defense by ensuring AI cannot be deployed without some oversight and standards being met.
Many organizations need someone who isn't in the 'AI Hype' bubble to also be directly involved in the AI development process. Individuals on 'privacy' teams, 'trust and safety' teams, or even within a traditional compliance or legal team will have a go/no-go decision-making role in order to launch any AI system. Bringing in the risk, legal, or public policy perspective, provides a second level of defense and additional accountability to ensure AI systems are being developed and deployed responsibly.
Because this maturity level is now 'cross-functional', the standards for documentation are much higher, as details must be defined in both technical and non-technical terms. In addition, the processes are heavier as they involve setting up cross-functional meetings and discussions. Capturing those discussions will be a key part of AI compliance under upcoming AI regulations. At this level, companies have chosen to sacrifice some agility and speed in exchange for better risk management, and better guarantees around legal compliance and accountability. This maturity level is ideal for any public company or large enterprise that is heavily using AI across multiple business units.
Even a dedicated internal team may not have all the relevant skills to assess specific AI use cases, especially novel or high-risk ones. A more comprehensive AI ethics committee – with experts across AI technical development, ethics, and legal – provides a stronger oversight function than simply having one team review things. This structure is analogous to the Institutional Review Boards (IRBs), who provide ethical oversight for scientific research projects.
This maturity level builds on Level 3’s Dedicated Internal Overseers, with their second-party review and sign-off procedures, by adding extra protections to ensure that multiple people with a broader set of perspectives participate in the discussions. The same AI Ethics committee should be tasked with setting organization-wide standards and processes for responsible AI and actually enforcing these standards. This maturity level further sacrifices speed for more assurance that AI risks have been identified and mitigated, to ensure trust in the system. Large public companies in heavily regulated industries or with complex cross-functional operations should aspire to this maturity level.
The highest maturity level an organization can adopt is leveraging an external body for AI oversight. This could be a government regulatory body, a third-party auditor, or an external AI ethics committee similar to the pharmaceutical industry’s oversight body – where the Food & Drug Administration (FDA) and similar international regulators review and approve new pharmaceutical products. While there are concerns that a hired auditor may just rubber stamp systems to give the appearance of compliance – called ‘Ethics Washing’ in other industries – an independent 3rd party could still provide a strong level of assurance about AI systems.
This maturity level is the 'heaviest' in terms of mandatory documentation, internal processes and standards. The external oversight criteria involve not just information about an AI product itself, but also proof that specific policies are being tightly enforced within an organization to ensure AI safety requirements are met. Global 'big tech' companies, highly regulated products with global scale, organizations creating physical AI agents (e.g. robots or autonomous vehicles), and many public sector organizations will be subject to this maturity level for at least some of their products, to help build public trust in their systems.
Use Case Risk Level
Regulations also take into account the sector an organization operates in and the specific use cases. Even a small startup creating a 'high risk' AI system (as defined by the EU AI Act) will need to clear higher regulatory scrutiny. Examples of this include AI tools for recruiting or software applications for children. Even though the EU is working on regulatory sandboxes to help facilitate growth of these startups, startups with high risk AI uses will still be required to submit documentation to authorities. The regulatory reporting burdens, and all the underlying infrastructure, will still need to exist even if the financial penalties will not apply.
Similarly, governance standards will be higher for organizations operating in an already heavily regulated industry such as healthcare, financial services, or law enforcement. Organizations operating in highly regulated sectors should aspire to one level higher than they otherwise would target on our maturity scale. For example, a small startup that might normally just implement best practices should start out with a dedicated oversight role if they are operating in a highly regulated industry. Along similar lines, a large enterprise operating in this space should consider regularly leveraging an external oversight committee or regular third-party audits of their systems.
'Low' risk AI use cases, such as a music recommendation algorithm, can become higher risk systems if they achieve a certain level of scale and market share. For example, while the 'harms' of a bad song recommendation to the listener may be small, bad recommendations at scale can be harmful to the artists whose livelihood depends on their songs being streamed. This scale consideration may also apply to open source systems that many other systems rely on. Open source providers may not have much ethical responsibility at a small scale, but once they become a dominant player, their decisions about system updates have significant impacts on downstream users. Much like the sector and high-risk considerations, organizations that achieve a large scale (10+ million users) should also consider stepping up one level on the maturity scale.
Striking the right AI Governance Maturity balance for your organization is not a one-step process. It requires constantly reassessing your organization’s AI priorities, the relevant regulatory landscape, and technological limitations.
Different teams and business units within a single organization may also adopt different levels of maturity, or have some hybrid between the levels. For example, many organizations have already implemented their own 'risk-based escalation' framework where low-risk use cases follow best practices, slightly higher-risk ones involve the compliance team, and the highest-risk use cases are overseen by an AI ethics committee, or receive a regular outside audit.
Organizations need to not only conduct an initial assessment of their desired AI maturity level but also constantly readjust based on the tradeoff between speed and innovation and their own risk tolerance. Only then can they be truly AI ready.
Organizations are collecting and storing more data than ever before. This data can be used to boost business processes, but it can also be a liability if mishandled. To protect the privacy of their customers and comply with the latest privacy laws, organizations need to implement a data governance framework that goes beyond basic data quality and management.
Data governance frameworks are structured approaches to managing and utilizing data in an organization. They include policies, procedures and standards that guide how data is collected, stored, managed and used. These frameworks help with data quality, data integration, data privacy and security, and effective data architecture.
In order to govern data effectively, organizations need to have a clear understanding of their data landscape. They need to know where their data comes from, who owns it, how it’s being used and where it’s stored. Gathering this information to build a data governance framework requires close collaboration between different departments and business units.
Below is a list of some commonly referenced data governance frameworks:
Each of these frameworks has its own pros and cons. Organizations should select the data governance framework that best aligns with their unique needs and goals.
There are two opposing philosophies to creating data governance frameworks that offer different pros and cons depending on an organization’s specific objectives.
The bottom-up approach to data governance, popularized by the growing big data movement, begins with raw data. Data is first ingested, and then structures, or schemas, are built on top of the data once it has been read. Governance rules, policies and quality controls are also added to the dataset at this time.
The advantage of this approach is its scalability; however, it can be difficult to maintain consistent quality control across a large volume of data.
For small businesses that might not have as much data as larger organizations, this approach allows for greater flexibility and scalability. It allows them to start small and scale their data governance efforts as their data grows. But as they grow and possibly face more stringent regulatory requirements, they may find value in shifting toward a top-down approach.
In the top-down approach, data modeling and governance take priority and are the first steps in developing a data governance framework. The process begins with data professionals applying well-defined methodologies and best practices to data. The advantage of this approach is its focus on quality control.
Banks, insurance companies, healthcare institutions and other large and highly regulated institutions are likely to use a top-down approach to data governance. This is because they often have a large volume of data and strict regulatory requirements to comply with, and a top-down approach allows for better quality control and compliance with regulations.
There are four primary components of a data governance framework:
Data governance frameworks are built on four key pillars that ensure the effective management and use of data across an organization. These pillars ensure data is accurate, can be effectively combined from different sources, is protected and used in compliance with laws and regulations, and is stored and managed in a way that meets the needs of the organization.
Data quality is the cornerstone of any data governance framework. It ensures that the data used in decision-making processes is accurate, consistent and reliable. Further, data quality management involves establishing policies and procedures for data validation, data cleansing and data profiling.
Data integration involves the combination of data from different sources to provide a unified view. This pillar ensures that data from various departments, business units or external partners can be effectively merged and used for analysis and decision-making.
Data privacy and security are crucial in today’s digital age. This pillar involves the implementation of policies and procedures to protect sensitive data and comply with data protection laws and regulations. It includes data encryption, access control and data anonymization techniques.
The fourth pillar is data architecture, which refers to the design and structure of data systems. It involves the planning and design of data systems to ensure they meet the needs of the organization. This includes the design of databases, data warehouses and data lakes.
A data governance framework provides a standard set of policies and procedures for managing an organization’s critical data assets. Without such a framework, those assets are at risk of becoming fragmented, inaccurate and non-compliant with relevant regulations.
Furthermore, a lack of governance can lead to confusion and duplication of effort, as different departments or individual users try to manage data with their own methods. A well-designed data governance framework ensures all users understand the rules for managing data and that there is a clear process for making changes or additions to the data. It unifies teams, improving communication between different teams and allowing different departments to share best practices.
In addition, a data governance framework ensures compliance with laws and regulations. From HIPAA to GDPR, there are a multitude of data privacy laws and regulations all over the world. Running afoul of these legal provisions is expensive in terms of fines and settlement costs and can damage an organization’s reputation.
Every organization wants to reap the benefits of becoming more data-driven, but getting there requires more than just collecting data. It requires a well-designed data governance framework to ensure data is managed effectively and remains compliant with relevant laws and regulations.
There is no one-size-fits-all solution for data governance frameworks. The best approach for an organization will depend on its specific needs and objectives. By following data governance best practices, organizations can create a data governance framework that meets their specific needs and industry requirements to help them achieve their desired business outcomes.
The first step in creating a data governance framework is to define the purpose of the framework. What goals does the organization want to achieve by implementing such a framework?
Understanding company-wide data management goals is an important first step in developing a data governance framework.
It is important to understand the current state of an organization’s data management processes and technology infrastructure before designing the framework. Apply a data maturity model to act as a benchmark and guide for improvement. This will help to identify any gaps that need to be addressed by the framework.
One of the most important things to remember when creating a governance framework is to engage stakeholders early and often throughout the process. This ensures everyone understands the framework’s goals and buys into its implementation.
It can also ensure that all current data usage and management best practices are accounted for and optimized for the new framework, regardless of what department is using the data.
Trying to cram too many rules and procedures into a governance framework can be tempting. However, it’s essential to keep things simple in order to promote organization-wide adoption and compliance.
No matter how carefully a governance framework is designed, there will always be unforeseen circumstances that arise. As such, it is important to create a flexible framework that can change with organizational needs over time.
ManageEngine ADAudit Plus is an IT security and compliance solution. With over 200 reports and real-time alerts, it provides complete visibility into all the activities across your Active Directory (AD), Azure AD, file servers (Windows, NetApp, EMC, Synology, Hitachi, and Huawei), Windows servers, and workstations. ADAudit Plus helps you track user logon and logoff activity; analyze account lockouts; audit ADFS, ADLDS; monitor privileged user activities and much more. Try free for 30 days!
RSA Archer removes silos from the risk management process so that all efforts are streamlined and the information is accurate, consolidated, and comprehensive. The platform’s configurability enables users to quickly make changes with no coding or database development required. Archer was named a Leader in Gartner’s 2020 Magic Quadrant for IT risk management and IT vendor risk management tools. Additionally, Forrester named it a Contender in its Q1 2020 GRC Wave.
StandardFusion is a cloud-based GRC platform designed for information security teams at any sized organization to easily manage the entire compliance lifecycle with an intuitive user experience and top-ranked customer service. Our mission is to make GRC simple and approachable for any sized company.
Effective corporate governance is essential if a business wants to set and meet its strategic goals. A corporate governance structure combines controls, policies and guidelines that drive the organization toward its objectives while also satisfying stakeholders' needs. A corporate governance structure is often a combination of various mechanisms.
The foremost sets of controls for a corporation come from its internal mechanisms. These controls monitor the progress and activities of the organization and take corrective actions when the business goes off track. Maintaining the corporation's larger internal control fabric, they serve the internal objectives of the corporation and its internal stakeholders, including employees, managers and owners. These objectives include smooth operations, clearly defined reporting lines and performance measurement systems. Internal mechanisms include oversight of management, independent internal audits, structure of the board of directors into levels of responsibility, segregation of control and policy development.
External control mechanisms are controlled by those outside an organization and serve the objectives of entities such as regulators, governments, trade unions and financial institutions. These objectives include adequate debt management and legal compliance. External mechanisms are often imposed on organizations by external stakeholders in the forms of union contracts or regulatory guidelines. External organizations, such as industry associations, may suggest guidelines for best practices, and businesses can choose to follow these guidelines or ignore them. Typically, companies report the status and compliance of external corporate governance mechanisms to external stakeholders.
An independent external audit of a corporation’s financial statements is part of the overall corporate governance structure. An audit of the company's financial statements serves internal and external stakeholders at the same time. An audited financial statement and the accompanying auditor’s report helps investors, employees, shareholders and regulators determine the financial performance of the corporation. This exercise gives a broad, but limited, view of the organization’s internal working mechanisms and future outlook.
Corporate governance has relevance in the small business world as well. Internal mechanisms of corporate governance may not be implemented on a noticeable scale by a small business, but the functions can be applied to many small businesses nevertheless. Business owners make strategic decisions about how workers will do their duties, and they monitor their performance; this is an internal control mechanism -- part of business governance. Likewise, if a business requests a loan from a bank, it must respond to that bank’s demands to comply with liens and agreement terms -- an external control mechanism. If the business is a partnership, a partner might demand an audit to place reliance on the profit figures provided -- another form of external control.
An effective compliance program comprises many moving parts. Critical data comes in from the variety of tools, documents, systems and technologies needed to run operations. As such, businesses can find themselves in over their heads when trying to gain a complete, accurate picture of their risk profile at any given time.
Therefore, strong data governance is essential in facilitating adherence to compliance requirements without slowing down business. Strong data governance aids in the efficient management of key compliance areas. A unified system for aggregating critical business data enables organizations to gain an accurate view of their compliance posture in real time and drive business efficiency.
Compliance programs must collect and analyze an enormous amount of data, which drives the importance of data governance. Important information is spread across the training, case management, risk assessment and management, policy management, gifts and entertainment and third-party due diligence systems. Compliance officers need to know they’re working with a single source of truth that gives them the most complete, accurate picture at any given moment.
Data governance becomes more important the more systems and applications a compliance function uses. Compliance officers want systems that store data in a single repository with standardized data formats because strong data governance ensures accurate reports. From there, compliance officers can make accurate decisions based on what the data tells them.
Greasing The Compliance Wheels
Here's the rub: The current landscape of compliance technology is composed of many disparate systems that don’t integrate with each other. Compliance officers are often stuck searching for critical data and don’t have a connected approach to the technology that supports their program. They want and need a system that stores data in a single repository with standardized data.
How can data governance fix this problem? Automating a compliance program’s many tasks helps to create a unified operations environment. In this paradigm, the compliance function goes beyond its tasks of third-party due diligence and training. It elevates the function by using a unified system to automate the process of due diligence, as well as sending alerts for any needed training.
Alternately, the due diligence and risk assessment tools communicate and work together to spot third parties at high risk for violations so that compliance officers can take a closer look. These are just two of many examples of how data integration and task automation vastly enhance compliance efforts.
Organizations can create a unified system either by integrating a group of solutions or by deploying one compliance tool that covers all the bases. But the key to success lies in setting up the system in a way that ensures strong data governance -- the ability to gather the needed data and analyze and apply it in ways that keep the organization compliant.
Once the data exists, compliance professionals need to groom and aggregate it so they can review this information in the context of compliance and risk. That is to say, seemingly unrelated chunks of data will need to come together and be examined within broader trends of compliance activity.
On the human side, employees and third parties must know a reportable event when they see it and then report it. They need training and ongoing support to fulfill that duty and do so in a timely fashion. This adds to the body of data that can be used both right now, to address immediate concerns, and in the future, to look back on for reference.
Compliance Done Right
Perhaps your company is pre-IPO and preparing for life as a public company. Perhaps it’s a spin-off from a larger business or a new joint venture. Maybe the company encountered trouble with regulators because it did not have a compliance program and part of the resolution is to build one.
Though reasons and regulations may vary, the underlying foundation of the elements necessary for a solid compliance program is the same regardless of company size or industry. This involves masses of data usually found in disparate systems. No matter what your reasons are for starting or upgrading your compliance program, its goal should be strong data governance enabled by a single repository of all compliance-related data, unity and automation.
Since 1698 we have been governed by the 'Syndics' (originally known as the Curators), 14 or more senior members of the University of Cambridge and others who, along with various co-optees, bring a range of subject and business expertise to the governance of Cambridge University Press & Assessment. Committees of the Syndicate meet regularly to look at our output, ensuring that the content we publish and the exams we produce meet rigorous standards, and to oversee the strategic, regulatory and financial operations of Cambridge University Press & Assessment.
The Syndicate has a Press & Assessment Board, Audit & Risk Committee, Remuneration Committee, Nominations Committee, Academic Advisory Board, Online Education Committee, Regulatory Compliance Committee, Standards Committee, Technology Committee, Academic Publishing Committee, and Teaching & Learning Committee. The Publishing Committees provide quality assurance and formal approval for the titles published, meeting regularly to review editorial and publishing strategy matters. Other Committees oversee the quality of our exams output. The Press & Assessment Board is concerned with our overall governance and meets six times a year.
Responsibility for our day-to-day management is delegated by the Syndicate to our Chief Executive and our Executive Board, which includes our Chief Financial Officer.
The UK’s increasingly digitised public services are plagued by design, governance and workplace issues that are undermining the government’s stated goal of improving efficiency, but these can be alleviated by giving public sector workers a greater say in how new technologies are being developed, deployed and controlled.