Why ISO 42001 Matters More Than Ever?

Today's discussion


Does "management system" sound familiar to you? With recent laws and regulations entering into force, companies face increasing pressure to demonstrate responsible AI practices while maintaining their competitive edge.

Understanding Management Systems and ISO 42001

When moderator Patrick Sullivan asked about the fundamentals of management systems, Kim Lucy, described by Patrick as "the mother of modern management systems," provided a comprehensive explanation of their structure and benefits.

"From an ISO perspective, management systems are all based on something called the high-level structure that is designed in the ISO directives," Kim explained. This structure provides organizations with a systematic approach to establishing context, managing risks and implementing continuous improvement.

Kim emphasized that this framework applies universally: "No matter what type of management system you are designing or implementing, they all have to have these same high-level structure requirements." This standardization spans across different domains, from cybersecurity (ISO 27001) to privacy (ISO 27701) and now AI with the new ISO 42001.

The beauty of this common framework, as Kim pointed out, lies in its adaptability: "The real benefit is that organizations who implement management systems, no matter what type, no matter what industry they're in, no matter where they're at in the world, are getting the benefits of having this common framework in place."

Management systems follow ISO's high-level structure, providing a systematic framework for organizations to:

  • Establish organizational context
  • Implement risk management
  • Enable continuous improvement

Addressing Implementation Concerns

Patrick Sullivan raised a critical point about organizational hesitation regarding ISO 42001. Shea Brown, acknowledged as "the father of algorithm audit," addressed these concerns by emphasizing the importance of risk assessment.

"AI is exposing companies to risk," Shea explained. "There's operational risk, there's liability, there's reputational, there's regulatory risk, there's all sorts of risks that are happening."

He advocated for a bottom-up approach to implementation, stating, "We know that there's this common structure and when you implement these systems, you're going to want to go from high level and go down. But when you're talking about where do I need to implement it, it's the scope that's really the confusing part."

Kim Lucy built on this point, highlighting the critical nature of scoping: "Scoping is a key concept of all management systems. It's one of the requirements in the high-level structure in all management systems that you have to define your scope." She emphasized that organizations must consider their context, including regulatory requirements like the EU AI Act, when determining scope.

Risk Assessment and Scoping

  • Organizations must identify where AI exposes them to various risks (operational, liability, reputational, regulatory)
  • Bottom-up approach helps determine scope by identifying high-risk areas
  • Systematic evaluation of processes and systems guides implementation

Context and Scope Definition

  • Organizations must consider their context, including regulatory requirements like the EU AI Act
  • Scope should reflect both internal risk assessments and external obligations
  • Regular scope reviews and updates are normal and expected

Innovation and Management Systems: A False Dichotomy

One common concern is that management systems might stifle innovation. Both experts provided compelling counterarguments to this misconception.

Shea Brown introduced the concept of "moving slow to move fast": "There's no way that you could argue that it's not a lift to build a management system," he acknowledged, "but I think the idea is to move slow so that you can move fast." He explained how proper governance actually accelerates innovation: "If you want to innovate and if you want to go to market quickly with something with a new feature, or if you want to integrate into your company a new tool which you want to socialize and get everybody to use, having that management system in place is going to allow you to do that faster."

Kim Lucy reinforced this perspective: "One of the biggest benefits of management systems is their adaptability and flexibility. And yes, there is an upfront cost in terms of both financial cost and time and people, but if you implement them correctly and actually put the effort in and make the commitment to do them properly and don't just make it a checkbox exercise, you can utilize them in a way that the controls and processes are really adaptable."

Market Pressure: A Driving Force for Adoption

The discussion revealed a notable trend in AI governance adoption. Rather than waiting for regulatory mandates such as the EU AI Act, organizations are implementing ISO 42001 in response to market pressure.

Kim Lucy drew from her extensive experience: "Management systems, particularly in the tech sector and particularly in the digital services or non-tangible products kind of sector, have traditionally been driven by the market because up until the last five years or so we haven't been heavily regulated." She pointed to GDPR as a turning point, noting that before then, "it was really only market driven in terms of supplier and customer expectations."

Shea Brown reinforced this observation from his experience running an AI audit and assurance firm: "Most of the time when people come to us, it's because of market pressure. They're trying to sell into enterprise." He predicted that "42001 is going to be table stakes for SaaS companies that have AI components to actually get those enterprise accounts."

Getting Started With ISO 42001: Practical Steps Forward

The panel concluded with practical advice for organizations beginning their ISO 42001 journey. Shea Brown outlined several approaches:

"If I already have 27001 implemented, I will need to look at the risks and figure out what kind of bolt-ons do I need to have compared to 42001," he suggested. For organizations starting from scratch, he recommended beginning with context: "It's getting people in a room together and looking at your organization and saying who are we impacting? Who cares about this? Where do we work?"

Kim Lucy added valuable insights about learning from others: "It can be helpful to kind of sit in with other organizations who have management systems implemented and see how they do it, kind of observe in real time." She also acknowledged that while "hiring consultants to help isn't always the most popular answer," finding the right consultant "who actually knows what they're doing and can help lead you through that process and do a pre-assessment, it can really be worth the money."

First Steps

  1. Assess existing management systems
  2. Evaluate organizational context
  3. Identify stakeholders and risks
  4. Prioritize based on risk assessment
  5. Define initial scope
  6. Develop risk management system

Implementation Support

  • Consider external consulting expertise
  • Learn from organizations with existing management systems
  • Leverage internal resources and cross-functional teams

Looking Ahead: The Urgency of Now

Patrick Sullivan concluded with an important message about timing: "42001 - the time to start is now. Yes, you do need budget. There is a cost associated with it. Yes, you do need time. This is absolutely an investment in operationalizing new practices for your organization. But yes, it will be worthwhile."

Remember:

  • Organizations shouldn't wait for final standards
  • ISO 42001 provides a compatible foundation
  • Similar to privacy standards evolution (ISO 27701 and GDPR)
  • Begin implementation now to build momentum

Thanks to the panelists for sharing their knowledge:

  • Kim Lucy - Director of GRC Standards at Microsoft
  • Shea Brown - Founder & CEO, BABL AI Inc.

And moderator Patrick Sullivan - VP of Strategy and Innovation at A-Lign

From the webinar "Implementing Responsible AI Management System", TrustMasters Monthly, December 2024, organized by A-LIGN.
