AI vs. GRC: How AI can affect GRC areas of technology consultancies

AI (Artificial Intelligence) has proven to be a powerful tool in a number of areas, including Security Governance, Risk Management and Regulatory Compliance (GRC). As AI continues to develop and play an increasingly important role in our society it is critical to recognize the value and importance of the human component. While AI offers significant technological advances, there are areas where human judgment, experience and interpersonal skills are indispensable.

We, as workers in consulting firms and specifically in the GRC area, analyze the repercussion and impact that the arrival of AI may have in our professional field.

Will AI put an end to our jobs? After the media boom that the arrival of ChatGPT has brought into our lives, this is a question we cannot help asking ourselves. I have therefore set out to analyze whether AI could replace the work we do for our clients. Below I give my point of view on the different aspects and reasons why, in my opinion, it is unlikely that AI can replace, or at least take over, the work done in the GRC areas of technology consultancies:

Regulatory complexity

Regulations and laws related to risk management and compliance can be extremely complex. AI can help automate certain tasks performed by GRC areas, but interpreting regulations and making decisions in complex situations often requires human judgment and expert knowledge of the business context, and sometimes of human, budgetary and financial aspects that are no less important. Consulting firms play a crucial role in providing expert guidance on how to comply with regulations and adapt to regulatory changes based on clients' needs.

An example of this complexity is a project based on the ISO 27001 standard. The standard requires organizations to perform a risk assessment to identify and evaluate the risks to the information they handle. This assessment must take into account the information assets, the threats to those assets, existing vulnerabilities and the potential impact of a security breach. Once the risk assessment is done, the organization must select appropriate security controls to mitigate the identified risks. This is where AI falls short, because risk assessment and control selection are not standard, predefined processes. Each organization has its own characteristics, information assets, threats and vulnerabilities, so risk assessment and control selection must be tailored to the particular needs and context of each organization, including the technology budget the company can or wants to assume.

In this scenario, experienced ISO 27001 consultants play a key role in providing expert advice, guiding the risk assessment process and providing recommendations on the most appropriate security controls to ensure compliance with the standard and protect the organization’s information.

Business and cultural context

It is not just about regulatory compliance, but also about understanding the business and cultural context in which an organization operates. This involves considering industry-specific factors, a company’s internal policies, best practices and the specific risks it faces. AI can help with data analysis and provide valuable insights, but fully understanding the business context and making strategic decisions requires human expertise and knowledge.

For example, consider a company in the financial sector that is subject to specific regulations to prevent money laundering. While AI can help detect suspicious transactions or unusual patterns, understanding the company's specific risk profile, business model, industry specifics and best practices requires expert knowledge and a holistic assessment that goes beyond automated analyses. Consulting firms can offer a combination of industry expertise, regulatory knowledge and, most importantly, an understanding of the business environment to help organizations develop customized risk management and compliance strategies.

Confidentiality and ethics

Working in an information security consulting firm, and specifically in the GRC area, involves handling confidential and sensitive information such as financial data, personal information and trade secrets. Confidentiality and ethics are paramount in this work: consulting firms are committed to safeguarding confidentiality and applying ethical practices in the handling of client data, and they have protocols and security measures in place to protect their clients' information. While AI can be useful in certain automatable tasks, it is important to ensure that ethical and security standards are met when this information is used in GRC-related projects.

For example, in the field of cybersecurity, a consulting firm can help an organization assess its vulnerabilities and strengths, but also design information security policies and implement appropriate protection measures. Applying AI in this context would require it to meet rigorous ethical and security standards to prevent the leakage or misuse of confidential information, something that is not yet the case today.

Interpersonal relationships, communication and innovative thinking

Working in consulting, and specifically in a GRC area, involves interacting with various stakeholders such as regulators, customers, suppliers and employees. Effective communication, negotiation, relationship management and conflict resolution are critical skills in these interactions. While AI has advanced in natural language processing and can assist in some interactions, it still struggles to fully understand the context and subtext of human communication, and it will be many years before AI reaches a "consciousness" that can take on these skills. Consulting firms and their employees bring those interpersonal skills and relationship-management experience to provide a more complete and, above all, practical approach in these situations.

Although AI may be able to generate predictable results and follow established patterns, creativity and innovative thinking are distinctly human attributes. The ability to solve complex problems, find out-of-the-box solutions, and generate new and original ideas are skills that have yet to be fully replicated in machines. These skills are fundamental to driving innovation and progress in all areas of society.

For example, in a situation where an organization is facing a regulatory investigation, the consultant can provide advice on how to respond, interact with regulators and address the issues identified. While AI can automate certain aspects of communication, such as analyzing language in emails or legal documents, it is not yet capable of fully understanding the context, subtext and emotions involved in human interactions. This is where the interpersonal skills and experience of consultants are invaluable in helping organizations navigate complex and sensitive situations.

That said, while AI can be a valuable tool in the GRC field, its ability to completely replace the GRC areas of consultancies is limited. The complexity of regulations, the need to understand the business context, the confidentiality of information and the interpersonal skills required make consultancies, in my opinion, indispensable for providing specialized advice tailored to the specific needs of organizations.

Human judgment, context interpretation, ethics, creativity, interpersonal skills and empathy are aspects that consultants (human beings after all) contribute and that I believe cannot be replaced by AI.

In conclusion, and without wanting to demonize AI, I believe that combining human intelligence with AI can lead to more complete and balanced results in many fields, and specifically in GRC, encouraging an approach focused on the client's needs. GRC cannot ignore that AI is already here, but neither has AI arrived to replace the areas of Governance, Risk and Compliance.