Digital Controls and Algorithms Assurance

Increasing complexity and a lack of transparency around the design of controls and algorithms, inappropriate use of machine learning and other tools (nowadays referred to as AI), and weak governance are specific reasons why algorithms are subject to risks such as biases, errors, and malicious acts.

We at Deloitte help our clients overcome these issues, whether in existing solutions that already use digital controls or in new developments that use some variant of a digital control.

Even if the actual control is an IT development, its effects and results can escalate quickly into an unforeseen situation that can lead not just to financial losses but also to reputational issues.

Digital controls are everywhere

 

What is a digital control?

A digital control can be any programmed function or report that automates a single business task or a set of business tasks, e.g.:

  • calculations based on a complex set of criteria
  • making decisions based on multiple variables
  • constant monitoring or behavior-based decisions and optimizations

What are the corresponding issues?

  • Design flaws in case of complex statistical models
  • Data quality problems arising from complex system landscapes, transformations, manual inputs
  • Implementation and programming deviations between the specifications and the actual operation
  • Governance and compliance issues with the operating environment and the type of data used

What are the real risks?

A solution that looked good on paper and worked during the demonstration must also be compliant and must operate in a bulletproof way over time to avoid:

  • A decline in customer / stakeholder satisfaction
  • Portfolio-wide corrections to be investigated and made by IT/controlling
  • Bad decisions, extra costs, financial losses, penalties

Who is exposed?

 

The use of simple digital controls and intelligent algorithms as a building block offers a wide range of potential benefits to organisations. However, algorithms also have the potential to produce unexpected and unintended results, and the risks of algorithms malfunctioning therefore have wide-ranging consequences for all stakeholders. The effects of inadequately designed algorithms could include financial losses, harm to firms' reputations, regulatory implications, severe disruptions to operations and (in extreme instances) the loss of human life.

Consequently, algorithmic risk management cannot be a periodic point-in-time exercise. It requires continuous monitoring, re-assessment and validation/recalibration of the underlying models, as the end result might be affected by events appearing in the data on hidden layers that do not trivially correlate with decisions.

Our framework to understand algorithmic risks is connected to digital controls

 

Algorithmic risks arise from the use of data analytics and cognitive technology-based software algorithms in various automated and semi-automated decision-making environments.
Deloitte developed a framework for understanding the different areas that are vulnerable to such risks and the underlying factors causing them:

  • Input data is vulnerable to risks, such as biases in the data used for training; incomplete, outdated, or irrelevant data; insufficiently large and diverse sample size; inappropriate data collection techniques or simply miscalibrated measurements; and a mismatch between the data used for training the algorithm and the actual input data during operations.
  • Algorithm design is vulnerable to risks, such as biased logic; flawed assumptions or judgments; inappropriate modelling techniques; coding errors; and identifying spurious patterns in the training data.
  • Output decisions are vulnerable to risks, such as incorrect interpretation of the output; inappropriate use of the output; and disregard of the underlying assumptions.
  • Governance risks focus mainly on the operations, engineering and legal background of using such digital controls and algorithms, and apply only to a fully designed solution. Full-spectrum governance of the model requires extensive oversight of technical operation, IT controls, and hardcoded and fine-tuning-ready parameters (often managed by DevOps units), as well as review of the actual data used by the solution.

The risks around input data, algorithm design, output decisions and governance can be caused by several underlying factors:

  • Human biases
  • Technical flaws
  • Usage flaws
  • Security flaws
  • Governance flaws

Digital control review, algorithm testing and assurance

 

Review, testing and assurance of digital controls and algorithms go beyond code review (reading through the algorithm's source code or pseudocode to identify potential errors or vulnerabilities), and a robust control framework is fundamental to risk management.
The framework covers key areas including governance and oversight, pre- and post-go-live testing, specific digital controls around key risks regarding the implemented functions, monitoring and surveillance, and appropriate levels of documentation.

Our approach for a specific engagement can be built up based on the required level of assurance and on the specifics and complexity of the algorithm itself and of the digital control built on it.

Elements of our service offering

Real life scenarios and use cases

A banking client asked Deloitte to validate the commission calculation algorithm and the actual revenues calculated over many years based on millions of financial transactions. The input parameters included frequently changing condition lists, and the data flow used for the calculations involved several systems. All of these resulted in governance issues related to calculation logic and parameters, data deviation problems over time, development flaws in the calculation logic, and simple change management control deficiencies, resulting in financial losses over time.

A client approached Deloitte with a request to audit the algorithm that calculates their green profile indicator, to ensure compliance with a published standard before the algorithm could be offered to banking clients. The algorithm used transactions and larger publicly available sustainability-related databases to calculate the green profile indicators based on complex modeling. Deloitte provided sustainability and IT experts to review the algorithm and identify issues to be fixed based on the complex requirements of the standard.

Deloitte, as a financial auditor, performed portfolio-level control review and testing of core banking systems to understand the basic governance of the input parameters, review the calculation logic and test the calculation results. In case of any deviations, the portfolio-related mass effect over time was estimated to ensure that potential losses or potentially overcharged clients were recognized.

Deloitte reviewed new developments of heuristic pairing logic and decision trees for several clients. These solutions aim to handle manually initiated bank transfers that either cover several facilities in one amount or only partially allow the debtor's actual account to be identified. Multi-layer decision trees, complex sets of criteria, automated data cleaning and transformation, similarity matching algorithms and further elements of the implemented solutions helped to reduce manual work, but could easily have led to a significant number of client complaints.

  • Banking BackOffice and Accounting Tasks Automated
  • Instant Payment Systems (GIRO IG3) Reconciliation and Automated Correction Logic Testing
  • IFRS Related Developments Testing – Amortized Cost, EIR, Staging, Past Due Calculations, Portfolio Level ECL Calculation Supporting System
  • System Driven Complex Modeling and Workflows – Banking Client Scoring System Review and Model Implementations Testing
  • Calculation Methodology Audit – Certification Related IT System Audit in Biomass Energy Utilization
