Lotto New Zealand takes holistic approach to Artificial Intelligence risk management

Published
3/4/2025

As lottery and sports betting operators evolve their operations, products and services in an increasingly digitalized environment, it is important to ensure their risk management strategies take new technologies such as artificial intelligence and data management into consideration.

At Lotto New Zealand, the decision was taken to leverage and adapt the existing Enterprise Risk Management (ERM) framework to include consideration of the risks from Artificial Intelligence (AI), including Generative AI.

Raj Hit, General Manager Enterprise Risk, Lotto New Zealand, discusses the organization's approach to its AI risk management strategy and how that strategy was developed.

How did you initiate the process for managing AI risk?

AI governance provides a framework of policies and practices to ensure ethical, transparent and responsible development and use of artificial intelligence systems. This includes managing risks, ensuring compliance with regulations, and promoting fairness and accountability.

To assist the development of our AI risk management strategy, we considered the Trustworthy AI in New Zealand (Aotearoa) Principles developed by the AI Forum New Zealand in 2020, which comprise:

  • Fairness and justice
  • Reliability, security and privacy
  • Transparency
  • Human oversight and accountability
  • Wellbeing

From the outset, it was important to understand what our business risk appetite is, in terms of AI and technology risk in general. Our Board was involved in defining this, and we further developed it in our Risk Management Policy which includes AI risks as a subset of operational risks.

Given the importance and scope of AI technologies across our business, we assigned our Chief Innovation and Product Officer as owner of the AI risk type and integrated it into the existing areas of data management and governance.

What aspects must be considered when managing technologies and risk?

Technologies are always evolving, and businesses must ensure that their technology solutions are fit for purpose, and assist them in delivering their strategies.

AI technologies are deployed throughout our operations, which is why we have taken a holistic approach to their management. Given that AI risks are different from traditional risk types, we have also developed a specific Data and AI Governance Policy within the ERM framework.

It is also important to consider obsolescence and adopt new technologies as products and services advance, for instance using AI, generative AI, and shifting to cloud services.

We have started AI risk tagging in the ERM system for any part of the business where AI risks could occur, for ease of reporting and reference.

What are some of the AI risks you have flagged?

In general, we must ensure confidentiality, integrity and availability of information or systems that use AI/large language model tools, otherwise there could be a disruption to service. There is also the potential for legal, regulatory, financial, privacy or reputational impacts.

If AI tools are not properly understood in terms of security and usage, there is the risk of data assets leaking into external public AI Models, which could result in unintended data exposure.

From a governance perspective, we have a Data and AI Excellence Forum with a cross section of senior leaders from our Technology and Data & Analytics teams who continuously assess and respond to developments around AI risks and opportunities in our organisational context.

What other steps are you taking to address AI risks at Lotto New Zealand?

In the case of Generative AI, we have considered some of the risk profiles that it creates around data security and privacy.

One example of what we’ve done is to opt to use the Microsoft Copilot restricted version, rather than ChatGPT, so that employees still benefit from Generative AI capabilities, but our sensitive and proprietary information is not shared publicly.

We have also run training for all staff to explain what Copilot is, how it is different from other open-source AI tools, how it can enhance their work, and the common pitfalls and risks when using the tool.

Our work is ongoing as we adapt and refine our ERM strategy supported by our Data and AI Excellence Forum to align with our evolving organizational needs.


Raj Hit attended the WLA and EL Security and Operational Risks Seminar at the end of 2024 in Marseille, France. He participated in the Roundtable on Generative AI Applications in Security in Lotteries and gave a presentation on Enterprise Risk Management of Generative AI Applications at Lotto New Zealand.
