Artificial Intelligence (AI) and Machine Learning (ML) are no longer a distant future—they are already part of business processes in banking, insurance, industry, and the public sector.
They bring tremendous opportunities: better predictions, faster decisions, cost reductions, and the discovery of new patterns. But alongside these opportunities comes a whole new set of risks that traditional governance frameworks struggle to encompass.
This transformation raises a key question: What will be the new role of the risk manager—not if, but when—AI takes over part of their current responsibilities while simultaneously introducing entirely new sources of risk?
Although Bosnia and Herzegovina has traditionally lagged behind the global pace in adopting new technologies, that time lag has narrowed in recent years. It’s becoming increasingly clear that we may soon face demands for new skill sets—or perhaps we already are.
Until now, our main concern was finding a risk manager. Now, we’re already thinking about how to retrain them for a new role.
Emerging risks brought by AI and ML
The first thing we must state clearly: AI is not just another tool—it is a generator of entirely new types of risk.
If nothing else, this guarantees the continued relevance of the risk manager’s role, because someone must remain in control of these emerging threats. As explored in our blog on AI and ML risks, these technologies introduce a wide spectrum of new risks—or reframe existing ones under new conditions.
It’s essential to emphasize that in every area of risk management, professionals must now possess at least a conceptual understanding—and ideally some technical familiarity—with Model Risk Management (MRM). This is no longer optional.
At present, there is no universally defined framework for managing AI-related risks. However, the most natural fit seems to be within the domain of model risk management. Consider a few examples of ML-related risks in banking:
- Bias in credit scoring models, leading to unfair or discriminatory outcomes
- Unexplainable outputs in fraud detection, undermining trust and auditability
- Overfitting in liquidity risk models, which can distort decision-making under stress
And these are just the models directly tied to risk management. AI and ML are also increasingly embedded in areas like sales, marketing, and HR—where risks may be less visible but equally impactful.
Considering recent trends in asset quality and liquidity risk indicators, banks are increasingly expected to face reduced exposure to these traditional risks.
This is largely due to the maturity of established governance and control frameworks—at least in theory. However, with the advancement of technology, even the management of these traditional risks is now intersecting with the growing field of model risk management.
As digital tools and AI-driven models become embedded in core risk processes, the focus is shifting. It’s no longer just about managing credit or liquidity risk—it’s about understanding and controlling the risks introduced by the models themselves.
In addition to all this, supervisory expectations remain implicit, while regulatory inertia and uncertainty persist.
Frameworks such as the EU AI Act are still in the early stages of implementation. Regulations are evolving, and organizations are expected to manage risks in an environment that is changing at an almost surreal pace—without clear rules.
Past regulatory decisions suggest a growing need for documented model risk related to AI systems. We can reasonably anticipate requirements such as a “human in the loop” for high-risk models, and a connection between AI governance structures and the ESG framework—with emphasis likely on the Social and Governance dimensions more than Environmental.
For the risk manager, this means the role is no longer limited to monitoring credit, market, or operational risk. It now includes understanding how the very technologies used to monitor those risks have themselves become sources of risk.
The risk manager: same title, new mission
Having explored the emerging risks, let’s now consider how the role of the risk manager itself is evolving.
Traditionally, the risk manager has served as a guardian of balance—mediating between business ambitions, regulatory requirements, and prudent oversight. But in the age of AI and ML, this role takes on a new dimension.
It is no longer sufficient to monitor financial indicators alone. Risk managers must now understand how algorithms function. Is the algorithm producing the expected outcome? With AI and ML systems, ex-post testing is often the norm—validation happens after deployment.
The risk manager becomes a translator between data scientists and senior management—responsible for converting technical insights into the language of risk, capital, and reputation.
Model validation evolves into an interdisciplinary activity, involving statistics, IT, law, and ethics.
In other words, the risk manager must rise to a new level—from executor to strategic partner.
The profile of the future RM:
A blend of regulatory expertise, foundational technical understanding of AI/ML, and strategic communication skills. At minimum, we can expect new roles to emerge—such as AI Risk Analyst or Model Governance Officer.
Image Creation Observation:
Prompt: “Difference between (old) traditional risk manager and new risk manager.”
The prompt was revised several times due to multiple biases—gender, skin tone, and hallucinated emotional expressions.
One of the key aspects of using and managing AI is the adequacy of the prompt, which plays a critical role in risk mitigation.
AI risk governance: redefining governance landscape
If ICAAP and ILAAP are today’s pillars of capital and liquidity management, then tomorrow we can expect AI governance to emerge as a pillar of trust in technology.
And the risk manager has a central role to play:
- Define a framework for identifying, measuring, mitigating, and reporting AI-related risks
- Coordinate the AI governance committee, bringing together risk, compliance, IT, and business functions
- Clearly delineate responsibilities—what belongs to developers, what to control functions, and what to senior management
Without such a framework, AI remains in a grey zone: a powerful tool with no clear accountability.
Transitioning from manual effort to AI assistance
The transformation isn’t only about new risks—it reaches deep into the daily workflow of the risk manager.
Today’s reality:
A significant portion of time is spent collecting data, manually updating Excel spreadsheets, preparing reports for regulators, boards, and owners—an endless cycle of “manual labor.” At times, the idea of applying AI feels almost impossible.
The consequence:
Focus shifts from substance to form—and this has been the case for years.
What AI changes:
Automated reporting, faster data aggregation, and real-time anomaly detection.
In other words—fingers crossed—AI should eliminate part of the manual workload and free up space for the risk manager to focus on analysis, scenario planning, and strategic guidance.
That is, on the work that delivers real added value to the organization.
Learn or Lag: Why Continuous Learning Is Non-Negotiable
Here we arrive at the most critical point: without new knowledge, the risk manager is exposed to a new source of stress.
🔹 Technical dimension:
It’s essential to understand the basics of AI and ML algorithms, data pipelines, and the requirements for model development, testing, validation, and monitoring. The risk manager doesn’t need to code—but must know how to ask the right questions.
🔹 Substantive dimension:
The focus remains on interpretation, ethics, and regulation—because numbers and outputs mean nothing without human judgment.
🔹 Practical reality:
Reskilling is not a one-time event—it’s a process of continuous learning and competency development.
And this is precisely where the opportunity lies for organizations:
Investing in the education of risk teams means investing in the future security of the business.


