Applying an Enterprise Risk Management Approach to AI & EmTech Risks

by John Jenkins

January 28, 2025

This Mayer Brown memo discusses some of the key risks associated with AI and other emerging technologies and calls for companies to adopt an enterprise risk management mindset in approaching these risks. The memo identifies a number of “best practices” that companies should adopt in order to achieve this, including the adoption of appropriate governance guardrails:

Organizations should take steps to implement and communicate policies regarding the development or use of AI to all employees within the organization. These guardrails should reflect the key risks identified relating to the development and use of AI. Additionally, specialized or focused training guardrails may be required for specific departments or functions within the organization. For instance, organizations can instruct employees not to enter personal data or sensitive business information into AI tools and/or to only use company-approved AI systems, which have appropriate contractual protections for the company’s data.

Regulations set different obligations depending on the role of the organization and the level of risk of the AI system (risk-based approach). Organizations should determine the level of risk posed by the AI system and the organization’s role in connection with AI (e.g., developer vs. deployer), and then assess each AI system to ensure they comply with the organization’s role-specific legal obligations, and that risks are adequately mitigated. Organizations should document an AI impact assessment reflecting that the development or deployment of AI is justified, based on the risk-mitigation measures in place.

Other best practices associated with an ERM mindset include increasing awareness within the organization, creating an interdisciplinary team dedicated to addressing AI risks, applying a robust review and oversight process, and establishing and maintaining open lines of communication with regulators and stakeholders.