Identifying and Handling Risks in AI Businesses

Posted by Q McCallum on 2020-04-21

Do you think about the risk in your company’s ML/AI efforts? You should, if you want your business to stay afloat. Here’s a primer on how to identify and handle those potential changes before they grow into problems.

Risk and resilience make for a fascinating study. Doubly so when used as a lens for the business world. Every company, from airlines to banks to chain resturants, faces some kind of risk. Many of them have developed practices and policies to keep business running smoothly in the face of abnormal conditions.

That’s why I’m surprised that I rarely hear people in the data world talk about it. In spite of (or, perhaps, “because of?”) data’s reputation as an easy money-maker, data-related businesses often pretend they are immune.

Ignoring risks increases the chances your business will be caught by (avoidable) surprises. You’d do well to learn how to spot them, so you can keep your company from falling apart when problems arise.

Risk assessment: “What if?”

Most people assume the word “risk” is a synonym for “problem.” That’s not completely true. A risk is, simply put, a potential change. It only becomes a problem if you don’t get ahead of it. (Handling a risk well can even be a source of opportunity. But that’s another story.) “Resilience” is how well you hold up after a risk moves from a potential event to a reality.

The stock market can tell us a lot about risk. Traders buy and sell shares of stock, the prices of which can (sometimes, wildly) change. That change is where traders make or lose money. They therefore constantly ask “what if?” about about the basket of stocks they currently hold (their position):

  • “What if there is a sudden, N% dip in the market?”
  • “What if this one company’s stock price takes a nose-dive?”
  • “What if the Fed cuts interest rates tomorrow?”
  • “What if we had to close out (sell off) our entire position right now, at a steep loss? Would we have any money left?”

Asking these questions comprises a risk assessment and it is the first step in getting ahead of a possible change. The important thing is that these events haven’t happened. Yet. The traders are exploring these questions ahead of time, when they are not pressing matters, which means they don’t have to map out their contingency plans in the heat of the moment.

You don’t have to be a trader to appreciate risk. Other businesses can explore similar “what if?” questions:

  • “What if [some source of our revenue] were to disappear, overnight?”
  • “What if we were to experience an abnormal volume of cancellations in a short timespan?”
  • “What if [our superstar product] contains a flaw that can harm consumers?”

It might be tougher to put a dollar value on a given scenario – one perk of the trading business is that numbers are very clear, since people are working with prices – but you can still gauge the general scale of impact and plan accordingly.

Risk in the world of data

All of this is why I look askance at the data business. There are plenty of risks in there, but when I talk to people, it’s clear that few of them have ever considered any such “what if?” scenarios:

  • “What if our upstream data vendor shuts down on short notice?”
  • “What if our data collection systems have a bug that goes unnoticed for an hour? A week? A month?”
  • “What happens if our production models experience a sudden dip in performance?
  • “What if a sudden change in laws or consumer sentiment renders our business model untenable?”

(That last question is a big one. Consider how much of “the data business” involves large-scale collection, sale, and analysis of information about people. But I’ll cover that in-depth in a future post.)

It’s easy to wave away these questions with, “that couldn’t possibly happen!” But the examples I listed are based on real-world events. Remember that “it could never happen” is usually a precursor to “I can’t believe that happened.” It’s best to plan ahead.

Risk mitigation: “What next?”

After the “what if?” of a risk assessment, you get to work through the “what next?” of risk mitigation. This is where you work through how you would handle the potential change.

Broadly speaking, there are three kinds of “what next?” approaches:

Reduce the Impact (resilience): You limit how much the potential change could affect you. In our example of the upstream data vendor, this could mean cultivating relationships with different vendors. If your primary data vendor suddenly cuts you off, you will take a brief hit to rewrite your ETL routines to talk to the new vendor, but your business will still stay afloat.

Avoid the Impact: Here, you try to completely shed the risk. You could find a way to collect the data yourself, so you don’t need to rely on an external data vendor. If you have the cash, you could outright purchase the vendor to bring that operation in-house. Either way, the risk of losing the vendor goes away.

Do Nothing: In this case, you simply don’t make any contingency plans. Should a problem arise, you’d have to scramble to figure out what to do in the heat of the moment. (At least you’ve already acknowledged the possible problem in advance, so it won’t be a completesurprise.) But until that happens, you get to stay focused on your business mission.

Which approach is best for you? You have to weigh factors such as your ability to absorb a big change (“we have lots of money to burn”) and your desire to take a chance (“what are the odds this risk could ever materialize into a problem?”).

Trying to reduce or avoid the impact of a possible change means investing time and money to prepare for something that might not happen. Also, every move you make to mitigate risk may expose you to a different risk, because you’ve introduced changes.

This is why choosing to accept the risk – the Do Nothing approach – saves you money and effort … so long as the risk never becomes a reality. Some companies still manage to talk their way out of any serious repercussions. Do Nothing works more often than we’d care to admit, but it also hurts a lot more when it doesn’t.

No matter what your risk mitigation approach, remember to stay flexible. No amount of asking “what if?” will find every possible change. You’ll need an extra cushion of resources to handle those unknown unknowns.

Getting ahead of the risks

Despite all of the media attention on the positive outcomes of ML/AI, this field is hardly immune to risks. You’d do well to perform an assessment and develop mitigation strategies now.

If you don’t identify your risks in advance, time will certainly find them for you.