This is the 4th blog in a series about Artificial Intelligence (AI) in the context of credit union risk and compliance. This series is designed to provide auditors and compliance professionals with a clear understanding of how AI can be applied and managed within their operations.

When you’re protecting something important, you want to defend it well. The Institute for Internal Auditors developed a model that recommends 3 lines of defense:

    • Management controls
    • Quality control and compliance
    • Audit

Ultimately, no single person bears the responsibility for AI risk mitigation at a credit union. It’s a team effort. Read on to learn more.

(Re)Introducing the 3 Lines of Defense

The “3 Lines of Defense” model has been around for some time. It was developed by the Institute for Internal Auditors in 2013, and it’s been a solid model ever since.

In fact, we even covered it in a credit union context and with respect to Boeing.

Briefly, here are the three lines as they apply to AI:

1.   Management Controls

The first line of defense is management controls. Essentially, these are the policies and/or rules at the business level that govern the use of AI. Following these controls (or rules) should, in theory, mitigate risk.

So, when a person uses AI, their adherence to management controls reduces risk.

AI particulars: users should follow controls for general use, limiting bias, and regulatory compliance.

2.   Quality Control and Compliance

The second line of defense is quality control, inspection, or, in some organizations, compliance. It sits one level behind the operating unit, and its job is to verify that the management controls from the first line are actually being executed properly.

Essentially, this is where management or compliance checks the work of the users to make sure things are done right.

AI particulars: inspectors should monitor for potential bias, compliance issues (especially data protection and financial regulations), and ethical implications. Ongoing risk assessments are also needed, because AI technology (and the regulatory guidance around it) evolves quickly.

3.   Audit

Depending on the size of your credit union, this could be internal audit, external audit, or an outsourced CPA firm. Either way, independent assurance is the third line of defense, and it’s important that the assurance function remain separate from the business area being audited (to avoid bias).

The role of independent assurance is to ensure that all rules a) make sense, and b) are being followed.

AI particulars: auditors might be forgiven for not getting into the weeds of the AI data lifecycle (from data collection to model training to deployment). However, auditors should give special focus to evaluating the effectiveness of AI risk management policies, compliance with internal policies and external regulations, and possibly assessing the transparency and explainability of AI decisions.

Bearing Responsibility for AI

Due to the nature of AI—products and uses are emerging faster than regulatory guidance—it’s important to start thinking about AI policies and frameworks now.

Credit union leaders must ensure that each line of defense understands its role in managing risk.

However, there’s no reason to wait on leadership when it comes to AI risk assessment and mitigation; it’s best to be proactive. If you have concerns about audit’s role here—or if you want to provide guidance—you may want to start a conversation about AI with the CU leadership team.

Ultimately, anyone at the CU with exposure to AI bears some responsibility for risk mitigation, from users and management, to compliance, to audit.

Next Steps and Takeaways

When working with new AI solutions, it’s important for credit unions to do the following:

    1. Define whether their AI strategy is for offense, defense, or both;
    2. Understand the goals of the AI strategy or solution;
    3. Set intention behind the stated AI strategy or solution; and
    4. Run the AI strategy or solution through this AI Assurance Agenda.

