Guidelines for artificial intelligence-driven enterprise compliance management systems

Abstract

The use of Artificial Intelligence (AI) to design and drive a Compliance Management System (CMS) at an enterprise level is a strategic decision to be taken by large organizations. Given the complexity this decision entails, conceptual guidelines addressed to senior management and board of directors are required. The original contribution to knowledge and practice of this research lies in the understanding of how compliance management systems are set-up in organizations, by using the CMS framework derived from literature, later confirmed by empirical data. Furthermore, this research originally contributes to both knowledge and practice, through the depiction of the enablers and barriers of AI adoption in organizations, as well as the recommended conceptual guidelines for AI-driven CMSs. Using three case studies as a research method, this paper investigates the current set-up of CMSs, as well as the enablers and barriers of AI adoption and then discusses the driving themes of strategic importance to organizations when sourcing AI aimed at supporting the management of compliance. These themes are: CMS components structures responsibilities, enablers and barriers of AI, control and compliance of AI applications, compliance by design, data governance and data management, cyber security, information technology infrastructure, regulation and regulators, and collaboration with external parties. The thematic findings of this research are additionally discussed in the context of the three lines of defence of an enterprise (business units, support functions, audit functions), making this an organizational framework for the design of an AI-driven CMS. The research concludes with the recommendations that in order to adopt an AI-driven enterprise CMS, organizations should do the following: strategically decide the type of AI organization they want to be, involve stakeholders in the design phase of new policies and AI applications, invest in data governance and IT infrastructure, tap on best practices from cyber security, and collaborate with external parties and regulators.