AI Support for Risk Management at an Insurance Company
A medium-sized insurer is under strict supervision and must comply with numerous standards (ISO27001, ESG guidelines, GDPR, DORA, SIRA, upcoming NIS2 legislation, etc.). Preparing risk assessments for compliance was a manual and incomplete process. PrudAI implemented the AI tools IRMA and NORA to review internal information and automatically create a complete risk profile, including estimates of probability and impact. This gave the organization a holistic view of its risks for the first time – from information security to continuity – and allowed it to sharply prioritize where action was needed. The number of identified risks increased (they now saw what was previously overlooked), but thanks to AI, they could better assess and manage them. Step by step, the insurer is becoming "in control" of all major risks.

The Challenge
In the financial sector, compliance with laws and regulations is of vital importance. Mistakes can lead to fines or reputational damage. The insurer had various obligations: from data protection (GDPR) and information security (ISO27001) to the new NIS2 directive for critical infrastructure and internal ESG objectives. A large part of these standards requires a risk-based approach: you must demonstrate that you know the risks and take measures in proportion to those risks. However, identifying risks was previously manual work. Brainstorming sessions were organized with managers to map out risks, or standard lists from industry peers were used. This often resulted in a limited and subjective view. Important risks were sometimes forgotten because no one in the session thought of them, or because information was siloed. Furthermore, estimating the probability and impact of each risk was difficult and prone to human bias. This created the danger that certain compliance risks were underestimated while attention went to relatively minor ones. In short, traditional risk management was time-consuming and did not provide a complete picture.
Our Solution
PrudAI deployed two AI-driven tools: IRMA (Intelligent Risk Management Agent) and NORA (Norm Oversight & Risk Advisor). First, we collected all relevant internal information with the insurer that could indicate risks. Think of audits and checks, incident reports, policy conditions, complaint registers, operational data, but also emails or minutes where problems are mentioned. These diverse source documents – structured and unstructured – were analyzed by the AI in a secure environment. IRMA and NORA "read" the organization, so to speak. They use advanced algorithms and language models to discover risk signals in all that text and data. AI-assisted risk assessment can detect patterns and indications of potential risks that humans easily overlook. For example, the AI sees recurring concerns about IT systems in meeting minutes, a trend of customer dissatisfaction over a certain process in complaint data, or gaps in policy documents where no owner is assigned – all possible risk indicators.
Then the AI formulates a clear description in risk terms for each discovered risk item ("Risk: failure of system X can lead to <…>").
After the inventory phase, the AI also assists in the evaluation. IRMA is trained to provide an estimate of the probability and impact for each risk based on available data and general sources. For example, it combines internal incident frequency with external statistics to score the probability of data breaches as "high/medium/low," and uses financial data to quantify potential damage. If desired, the AI also suggests possible control measures. The result is an almost ready-to-use risk matrix and report. The compliance officer can take this as a starting point and fine-tune it with management. But instead of starting from scratch, they now begin with a very complete list. A demo showed that a language model (ChatGPT) can easily provide a list of twenty relevant risks for a particular situation in one prompt – our experience with IRMA/NORA is similar, albeit tailored to the organization's own context. Of course, human judgment remains necessary; the AI is an addition that enriches and accelerates the work of risk managers and compliance officers.
Added value of AI (IRMA/NORA): This AI approach offers several advantages. First: completeness. The AI does not simply overlook things; it searches through thousands of documents and finds risks in "corners" where people do not think to look. This provides a much more complete risk register. Second: speed and efficiency. Reviewing all that information would take a team of risk officers months; the AI does it in hours or days. This leaves the risk & compliance team more time to come up with solutions and measures instead of collecting data. Third: objectification. Where risk scores were previously the result of discussion and estimation (with all the bias that entails), the AI bases its proposed probability and impact scores on data and clear rules. For example: "Based on 3 incidents last year and an increasing trend, I consider the probability of this risk high." This forces transparency and substantiation. The fourth advantage is dynamics: IRMA/NORA can continuously monitor in the background. New data (e.g., an incident report or a change in an IT system) is taken into account by the AI, so risk profiles can be updated live. This shifts risk management from an annual exercise to a continuous process, providing ongoing insight into the current top risks that require attention. Finally, we notice that the conversation about risks within the organization has improved. Because the AI also brings up risks outside the normal field of view, topics that were previously underexposed are now on the table – this increases risk awareness among everyone.
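The scoring and prioritisation described above, as an added illustration that is not PrudAI's or IRMA/NORA's code: a small Python risk-register scorer that derives a probability level from last year's incident count and its trend (with the substantiating sentence that makes the score auditable), an impact level from the estimated loss, and then ranks the register into top priority / medium term / monitored tiers. The thresholds, tier sizes and the sample register are constructed assumptions, not the insurer's rules or data.

```python
from dataclasses import dataclass
# Constructed thresholds: assumptions for illustration, not PrudAI's actual rules.
LEVELS = {"low": 1, "medium": 2, "high": 3}

@dataclass
class Risk:
    name: str
    incidents_per_year: list     # yearly incident counts, oldest first
    estimated_loss_eur: float    # potential damage taken from financial data

def probability(risk):
    """Probability level plus the substantiation that makes the score auditable."""
    counts = risk.incidents_per_year
    latest = counts[-1]
    increasing = len(counts) >= 2 and counts[-1] > counts[-2]
    trend = "an increasing" if increasing else "a stable or decreasing"
    if latest >= 6 or (latest >= 3 and increasing):
        level = "high"
    elif latest >= 1:
        level = "medium"
    else:
        level = "low"
    reason = (f"Based on {latest} incident(s) last year and {trend} trend, "
              f"the probability of this risk is {level}.")
    return level, reason

def impact(risk):
    loss = risk.estimated_loss_eur  # constructed impact bands in EUR
    return "high" if loss >= 1_000_000 else "medium" if loss >= 100_000 else "low"

def score(risk):
    """Classic 3x3 risk-matrix score: probability x impact, range 1..9."""
    return LEVELS[probability(risk)[0]] * LEVELS[impact(risk)]

def prioritize(risks, top_n=10, medium_n=20):
    """Rank the register and split it into top priority / medium term / monitored."""
    ranked = sorted(risks, key=lambda r: (-score(r), r.name))
    def tier(pos):
        return "top priority" if pos < top_n else "medium term" if pos < top_n + medium_n else "monitored"
    return [(r.name, score(r), tier(pos)) for pos, r in enumerate(ranked)]

# Constructed sample register (not the insurer's data).
SAMPLE = [
    Risk("Data breach via customer portal", [1, 2, 3], 2_500_000),
    Risk("Policy admin system outage", [4, 3, 2], 800_000),
    Risk("Complaint handling backlog", [0, 0, 1], 50_000),
    Risk("Vendor contract without owner", [0, 0, 0], 300_000),
    Risk("Phishing of finance staff", [2, 5, 7], 400_000),
]
```

Calling `prioritize(SAMPLE, top_n=2, medium_n=2)` mirrors the case study's "ten top priority, twenty medium, rest monitored" split on a register of five.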
Results & Impact
The insurer now has a comprehensive risk picture. In the first AI-generated risk inventory, ~30% more risk points emerged than were on the old list – including some critical ones that were not previously recognized. Thanks to the estimates, the management team could immediately prioritize: of the perhaps one hundred risks, ten are now "top priority" (high risk) that receive immediate attention, twenty medium-sized risks for the medium term, and the rest are monitored. This provided control: a targeted action plan was drawn up for the top 10 risks, something that was previously difficult without a complete overview. A board member described it as "as if we finally have the full map instead of a sketch." The organization can now also better demonstrate to regulators that they are in control: they have demonstrably identified and assessed all relevant risks, which, for example, inspired much confidence during ISO audits and DNB supervision. The time investment to produce this report was also smaller – the AI took care of the initial groundwork. This allows the risk & compliance team to use their expertise where it adds value: interpreting the results and advising on mitigation actions. In the months following implementation, the organization already noticed improvements: fewer surprises occurred because potential issues were proactively identified. And if something does happen, it is already on the radar with a plan ready. All in all, thanks to IRMA/NORA, the insurer is step by step more in control: from reactive fire-fighting to proactive risk management.