From Data to Decisions: Emergence of Generative AI as a Game-Changer in Supply Chain Risk Management

Generative AI has dominated headlines as a transformative and disruptive technology. But where it might make a really big difference is in an area that has not been much talked about until now: strengthening supply chains.

Artificial Intelligence (AI) is nothing new. It’s been used since the 1950s. The use of AI in business expanded rapidly in the 1970s as computers became faster and data storage became cheaper. What is new is Generative Artificial Intelligence (Gen AI), which represents a significant leap forward in the evolution of AI. All the current buzz and press were triggered by the broad public availability of powerful Gen AI tools in 2023. By using a natural language interface, Gen AI brought the power of AI to everyone.

The focus of this article is how companies are starting to use Gen AI in third-party risk management today and to look at future applications. A lot has already been written about the governance and ethical issues related to Gen AI. Our aim is to provide insight into Gen AI’s practical application to address specific challenges companies have in managing third-party risk across the full spectrum of compliance and Environmental, Social, and Governance (ESG) topics.

Along the way, we will provide some background on the common uses of AI in supply chain risk management and the fundamental advancement that Gen AI made in AI. The research for this article included interviews and group discussions with senior supply chain, legal, and technology executives in Ethisphere and Digital Supply Chain Institute (DSCI) member companies. This includes Dr. Dave Ferrucci, considered to be one of the pioneers of Gen AI for his work in leading the IBM Watson team, which developed groundbreaking natural language processing abilities, making him a seminal figure in the evolution of AI.

In addition to presenting practical applications, the article also identifies critical success factors for using Gen AI in third-party risk management. Many of these success factors are applicable to any use of Gen AI.

Essentially, AI is a faster, more efficient way to process and analyze large amounts of data (structured or unstructured) to make decisions. There are several components under the AI umbrella, including natural language processing, optical recognition, and machine learning. AI follows defined rules established by programmers, and it can learn as it goes, which is the machine learning component. You may see this acronym used sometimes: AI/ML. The computer can get better at recognizing patterns and making predictions based on new data and previous examples. AI needs structured data and precise instructions (aka algorithms). The major challenges with AI are getting clean, structured data and ensuring that the algorithm is written to provide answers that address the business problem being solved.

Gen AI is the hot new, rapidly growing component of AI. It is a game-changer because it brings the power of AI to everyone. Gen AI opens up AI the way web browsers opened up the use of the Internet. It uses large-language models to search through structured and unstructured data to create something new. Gen AI can create new text, computer code, music, or images.

Gen AI responds to questions written in plain language, called prompts. The exact wording of the prompt has a significant impact on the answer that is provided. In fact, there’s a new field emerging of “prompt engineers” who are trained to understand the business situation and translate it into an effective prompt. Gen AI systems are “trained” on data sets that can include public data and private data from your company. It’s crucial to understand that the size and quality of these data sets play a significant role in determining the performance and biases of the AI model. At a simple level, the breakthroughs that make Gen AI so impactful are the ability of the computer to understand the context of each word and the ability to predict the next word in a sentence based on the context.

At a slightly more technical level, Gen AI has two game-changing elements:

  • Word embedding – words have meaning in their context and get meaning from the surrounding words. It’s not just the context that gives meaning to these words but also their intrinsic semantic properties.
  • Transformers – in developing the answer to the prompt, attention is paid to the context, and Gen AI predicts the next word(s) in the sequence. Transformers can capture complex relationships and dependencies between words in a sentence, enabling more coherent and contextually relevant outputs.

The major challenges with Gen AI arise from the lack of transparency in the computer’s decision-making process because it uses deep learning and neural networks. As a result, the skill of the prompt writer is important, and there is no transparency related to the sources used to generate the answer. If the Gen AI has been trained on a data set that uses misinformation, the results will include misinformation. This lack of transparency has led to the need for an important new capability: data lineage. Data lineage is the ability to trace the source of data. More on the challenges and critical success factors for using Gen AI later in this article.

It may be helpful to think of AI as more quantitative and structured data processing and analysis, while Gen AI is more qualitative and creative, with the ability to generate new, contextually rich content. Although Gen AI is in its infancy, it is starting to change the way we work today and will definitely have a big impact on how we work in the future across virtually every function in an organization.

AI has established itself for years as a crucial tool in supply chain management. It enhances decision-making through predictive analytics, leading to increased efficiency in logistics, inventory management, and demand planning processes. AI’s strength lies in its ability to process vast amounts of data, learn from it, and apply these learnings to improve performance over time.

Gen AI’s unique ability to create and innovate is just starting to be used to improve the accuracy, efficiency, and effectiveness of compliance and ESG management programs. Let’s look at some potential practical applications of Gen AI. No companies we interviewed are using Gen AI in the end-to-end ways we describe. We have taken the bits and pieces from early experiments and woven them together in practical applications for supply chain risk management.

Today, every company is on a tightrope trying to balance growing their business, ensuring supply chain resiliency, and addressing compliance and ESG risks and performance. The supply chain function is the bridge between internal silos and the suppliers that are critical to success. Based on research from the Digital Supply Chain Institute, forward-thinking companies are shifting their mindset from linear supply chains to multi-dimensional “constellations of value.” The challenges in managing the risk have become even more pressing due to the rapid proliferation of supply chain due diligence laws.

Companies can have tens of thousands of third parties (e.g., suppliers, distributors, sales partners) spread across dozens of countries. The complexity is compounded because the risks vary dramatically depending on what the third party does and what jurisdictions apply. For example, a sales partner selling to government agencies may pose a very high corruption risk but a low environmental and labor compliance risk. Conversely, a manufacturing supplier may pose a high environmental and labor compliance risk but a low corruption risk. That’s one area where Gen AI can help.

Gen AI can create tailored communications to third parties based on their jurisdiction and the most relevant risks. Communications that incorporate the provisions from your supplier code of conduct and the relevant laws can be created to set clear expectations for the third party. Gen AI can update the communications based on new regulations, updates to your supplier code of conduct or the changing focus of your stakeholders.

Think about the potential time-saving power of Gen AI in the full life cycle of managing third-party risk. Let’s use data privacy as an example. You could use Gen AI to summarize the data privacy law of a certain country, then create a communication to all your third parties that operate in that country explaining your requirements for how they protect data. The communication could be tailored depending on the type of data they access or process and the related risk level. Then you could ask Gen AI to provide you with draft contracts that are aligned with the data privacy laws and your requirements. Going a step further, Gen AI could create simplified, plain-language (not legal language) data privacy policies to share with your employees by summarizing the relevant laws and contracts, then create training materials for your employees that interact with third parties. The training materials could include relevant data privacy scenarios based on their job function and a quiz. A short executive summary of your new data privacy program could be created for senior management and the Board. There’s more. Gen AI could update the entire process and all the materials if the relevant law changes.

It sure sounds like a big time-saver. However, as we will discuss later in the key success factors section, expert human oversight and judgment remain essential.

Another emerging use for Gen AI as part of the overall AI system is in assessing and ranking third-party risk. Gen AI can compile and analyze structured and unstructured data from your internal sources, including company-specific and external public-sourced data. Imagine you have 100 manufacturing contractors in a country considered high-risk for environmental and labor compliance. AI and Gen AI could be used to compile internal data sources like purchase orders, delivery schedules, labor compliance audits, and supplier performance reviews to identify any relevant patterns. For example, are there more labor violations when large orders are placed? Is there a correlation between on-time delivery and excessive working hours by factory workers? This internal data can be combined with a sweep of public data like news stories, participation by the company in industry initiatives, and certifications they have achieved. Gen AI can help you synthesize the data on each of the 100 suppliers to create a company-specific risk profile and a consistent risk ranking.

Next is the ability for Gen AI to enhance existing AI systems to do pattern recognition and “what if” scenarios based on historical data and predictive analytics. You can simulate different scenarios and test the resilience of your supplier under various circumstances. This could help you assess the potential impact of disruptions or unexpected events. For example, what is the impact on labor compliance in the factory (e.g., excessive working hours) and on-time delivery if we make a change in the purchase order volume without changing the delivery date? What if we increase the order volume by 10%? What if we increase it by 30%? What if we change the materials specifications? What if we change the packaging material and design? A human expert would be critical to review the results and make the decisions, but Gen AI could rapidly develop several scenarios.

On a broader scale, Gen AI can generate a risk score and ranking for each supplier based on their specific activities for your company. This ranking can be used to prioritize your risk management efforts. It can offer tailored recommendations for mitigating risks with each supplier based on their activities, risk profile, and jurisdiction.

Gen AI could also provide insight on steps to take to improve your overall supply chain resiliency and highlight the potential trade-offs. This is very useful for gaining cross-functional support in your company between the legal, compliance, sustainability, and supply chain functions. For example, adding a backup component supplier close to your assembly plant may reduce geopolitical or weather-related business continuity risk, but it may increase the risk of losing your trade secrets and increase your cost per component because the order volumes are smaller. In this example, you can see the importance of wording the prompt to get a result that isn’t biased to one functional area.

Much has been written about some of the ethical and governance challenges of Gen AI. We are going to focus on the specific challenges of using Gen AI in supply chain risk management, although some of these challenges are also applicable to the use of Gen AI in other business areas.

The deep neural networks used by Gen AI are too complex for users to understand how they arrive at an answer. This is the core issue, and it has several practical implications. Compared to using an internet browser search, Gen AI does not give you the original sources it used, making it difficult to know if there are blind spots or biases in its sources.

The quality and accuracy of the Gen AI response are heavily dependent on the training data set and the prompt. Gen AI will mimic the data and documents it is trained on. This makes it important to understand to the extent possible what data was used in the training and generally what internal and external sources Gen AI accesses. Bias in the data training set or the prompt will influence the results. If there is misinformation in the data set, there can be misinformation in the answer. Going back to our examples, if a news article about a supplier incorrectly stated they had a data breach or serious labor violations, Gen AI would incorporate the false information into the risk ranking.

As mentioned earlier, this is leading to a relatively new field of data lineage—the process of tracking the flow of data over time, providing a clear understanding of where the data originated, how it has changed, and its ultimate destination within the data pipeline. Data lineage solutions seek to provide more transparency so people can trust the results because they trust the underlying data.

One of the challenges of using Gen AI is getting your people to trust the results, given a lack of knowledge about the data sources and possible lack of visibility into the prompt that was used if they weren’t the ones writing the prompt. That’s where data lineage comes in. A useful analogy is to think about data like water. We have probably all been in situations where we will readily drink from a glass of water because we trust the source of the water and its flow from the source to the glass. In other situations, we don’t trust the water and refuse it, even if we are thirsty. More visibility into data sources and data quality builds more trust in the output, and trust in the output is critical to its usefulness.


First and foremost, know what problem you are trying to solve. Is Gen AI the right tool for the business problem you are trying to solve? Does it require the creation of new content? Is the output you are seeking language oriented? Does it require the synthesis and summary of several long documents? If it is, you must ask the right question. This is where prompt engineering comes in. Particularly if you are trying to solve problems that involve internal cross-functional teams, the prompt needs to be balanced in its approach. As we mentioned, one of the challenges of Gen AI is not knowing the sources that were used. This makes it even more critical to have transparency and consensus on the prompt. To build trust, record the prompts that are used and the corresponding Gen AI results. This tracking system will create more transparency in how Gen AI is used and can help educate users in better prompt writing.

Second, there must be sufficient controls in place to maintain data quality. This requires the orchestration of people, process, and technology. It involves some knowledge of the data set that is used in training the Gen AI system because the output is derived from the data it is trained on.

Third, it is essential to keep human experts in the decision-making loop today. Gen AI results must be monitored for “correctness.” Is the answer within a reasonable range of answers? Just as with other compliance issues, you must establish your risk tolerance for “partially right” or “wrong” answers.

Fourth, leading companies are establishing cross-functional AI Committees to oversee the use of AI and Gen AI. These committees are charged with creating transparency, fairness, and governance policies and determining how to protect proprietary company information in Gen AI usage. For companies that are training their Gen AI using proprietary data sources and external sources, the protection of the proprietary data becomes another challenge and an issue that is critical to success.


Gen AI is here to stay, just like the Internet. It is a significant evolution in AI that dramatically lowers the barrier to using AI for businesses and subject matter experts. Now is the time to experiment and identify the best use cases for your company. For most companies the early applications of Gen AI are focused on creating targeted marketing communications, using Chat Bots for customer service, summarizing long documents, and computer programming.

Gen AI in supply chain risk management is at an earlier stage of development, but it will accelerate at an incredible speed. Third-party risk management is an enormously complex undertaking. Thousands of third parties. A wide range of compliance and ESG risks. Increasing regulations and reporting requirements. Huge amounts of data. More scrutiny from customers and investors. The confluence of these trends makes Gen AI a great solution.

In starting with Gen AI, don’t make the mistake of starting with broad projects that are designed to completely replace existing workflows. Start with the problem and start small. Identify small specific problems in supply chain risk management where the output is language-based. Develop a plan for how you can link small projects into a more comprehensive end-to-end solution. Refer to the examples we provided in this article which are very narrow applications to an overall supply chain risk management program. Make sure to understand the data lineage and quality. Use your initial cases as a proof of value to make sure that there is a clear business benefit.

Ultimately, your job is to use human experts to carefully define the problem, ask the right questions, know where the data comes from, and make decisions based on the Gen AI outputs.


In the dynamic landscape of artificial intelligence, Mike Crowe, a retired Chief Information Officer, Co-Chair of the Digital Supply Chain Institute and an advisor to several tech companies, emerges as a thought leader. Here is a summary of our interview with him and his insights.

Mike emphasized the evolutionary nature of Generative AI. It is not a separate technology but a significant advancement within the broader spectrum of artificial intelligence technologies. Many business applications are going to involve multiple components of the AI suite, including Gen AI. He stressed that companies should start with the business problem they are trying to solve and define the desired outcome. Don’t start by looking at this exciting new technology and trying to force its use into existing workflows.

Given his broad perspective, his views are particularly valuable on current uses. The most common use today is the auto-generation of tailored content, for example, images, marketing material, and email content. Mike does not see widespread use in supply chain risk management today, but he emphasized that companies are rapidly working to develop solutions that integrate Gen AI. He suspects that much of the practical application research being done today is by the supply chain software companies, including the supply chain risk management companies, seeking to incorporate Gen AI in order to advance their current offerings.

Mike anticipates the transformative power of Gen AI in supply chain risk management as part of a broader AI solution. He emphasized the importance of a robust data foundation and strategic implementation, cautioning against the rush to adopt Gen AI without proper data governance and quality controls. He advocates for beginning with small, manageable problems and gradually expanding, ensuring that each step is data-driven and aligned with specific business outcomes. This approach, he believes, is crucial for businesses to harness the full potential of AI and Gen AI without falling prey to the common pitfalls of overpromising how a new technology will revolutionize the business.

Mike’s guidance serves as a vital resource for business leaders navigating the complex and rapidly advancing world of AI. His emphasis on foundational data infrastructure and controlled, purpose-driven application of Gen AI is particularly pertinent in today’s technology landscape.

Craig Moss is the Executive Vice President of Measurement at Ethisphere. He is also a Director of the Digital Supply Chain Institute, Director – Content at the Cyber Readiness Institute, and Chair of the Licensing Executives Society committee for developing an ANSI global standard for Intellectual Property Protection in the Supply Chain.

Vivek Ghelani is a Director of Research at Digital Supply Chain Institute, an applied research institute of the Center for Global Enterprise, a New York-based non-profit organization dedicated to studying contemporary corporations in the era of global economic integration. In addition to this role, Mr. Ghelani is a Senior Research Analyst at Mercator XXI, LLC., a professional services firm helping clients engage the global economy.
