The place of artificial intelligence in the risk management process

. In recent years, there has been increasing talk of the rapid entry of artificial intelligence into risk management. All the benefits it would bring over the whole process are often commented on: real-time results, processing large amounts of data, more complete risk identification, more accurate risk assessment, etc. There are also negative moods that make various experts feel threatened by their need to be replaced by artificial intelligence. Another problematic issue that arises is related to the transparency of algorithms and the increase in cyber risks [6]. This material aims to identify the individual elements at the stages of risk management in which artificial intelligence (AI) can and should be applied alone, in combination with expert opinion or not. Here it is shown that because of the use of AI the efficiency of the whole process is significantly increased, first of all by conducting in-depth analyses, and the decisions are made by the risk management experts. This proves its usefulness and increases the confidence of experts in it.


Introduction
This study is being conducted within the project KP -06-P35-1 from 29.09.2020 "Integration of risk in the management of business processes in organizations", in which part of the activities are aimed at applying modern approaches to risk management. We state that "new technologies" need to be introduced into the overall risk management process facing the artificial intelligence. The use of AI in business organizations will become milestone in the close future [7]. Herein the whole process is followed, and the individual elements are traced by in stages where the use of AI is appropriate. Before going through the stages of risk management, it is necessary to clarify some important features related to the application of artificial intelligence. To be possible its application, the necessity of data and algorithms must be considered, such as the availability of initial data base for machine learning, an ongoing data collection strategy, filtration of the collected data, defining useful data characteristics, transforming data according to a given model, selecting appropriate algorithms, evaluating multiple algorithms to determine accuracy, comparing with other algorithms, and determining the learning speed of the model [1]. To prepare its analysis, AI relies on machine learning (ML) capabilities [3]. ML is a broad field of artificial intelligence, rooted in statistics and mathematical optimization. Covers techniques in controlled and unobserved training for applications in forecasting, analysing, and retrieving data [8]. It also uses the functionalities of deep learning, which provides information based on multiple layers of parameters and a system of algorithms [5]. Of great importance, especially for risk identification, is the ability of AI to conduct semantic analysis. Its main advantage is the work with structured and unstructured data used for general analysis. In this way, data from diverse sources can be linked and provided for machine learning in a more cost-effective way [9]. On this basis, semantic analysis can conduct various analyses, including on the Internet, to identify various risk factors.

Risk identification
In accordance with the approved risk management process (ISO31000 provisions) [4], the first stage of the risk analysis with which the process starts is the risk identification. To start this stage, input information is needed about the types of business processes carried out in the given organization. Experts must also define all activities that are performed within each individual business process. These activities are carried out through the human factor in the organization.
The next activity is different, it combines expert opinion and artificial intelligence. Within its scope, all the parameters that affect the activity of each business process are defined. This includes parameters from the macro environment (economic, geopolitical, social, cultural, etc.); from the microenvironment (customers, contractors, competitors, etc.); from the internal environment (organizational, managerial, human resources, technologies, financial potential, etc.). At this point, the role of the human factor is to define all the parameters that it considers relevant. This analysis is complemented by the capabilities of AI and, more precisely, the conduct of semantic analysis -scanning over the Internet and to identify other parameters missed by experts in individual business processes. The availability of this information is the basis for reaching the essence at this stage, namely the identification of the risk. For the most part, it is done through the capabilities of AI: • Analysis of a database from previous periods -this analysis is performed based on the risk register, which is maintained by the organization. Here the AI seeks a connection between historically manifested risks and the specific activities of each business process.
• Analysis of a database by main indicators -is conducted again, through AI, the difference with the previous analysis is only in the type of database. Here the necessary database is purchased from the market of information products. Such databases are available for various macro indicators and other indicators that can be widely used.
• Semantic analysis by AI -aims to supplement the identified risks outside the available databases. Its ability to analyse various structured and unstructured sources and establish a relationship between them is the basis for identifying an additional set of identified potential risks relevant to the business processes of the organization.
• Expert analysis -it has rather control functions and goals considering the views of experts on individual activities in the organization.
The result of the identification is the generation of a list of potential risks to each individual activity within each business process. These risks should be described and categorized in a way that meets the needs of the risk register. Another advantage of risk identification through artificial intelligence is the ability to automatically update the identified risks in the event of a change in some of the indicators of the environment. The outcome of this stage is the application of the identified risks to the risk register. This stage of risk management is illustrated graphically in Figure 1.
Where: BP is a business process.
-activity performed by artificial intelligence -activity performed by artificial intelligence and human factor

Risk assessment
Once the potential risks have been identified and described, an assessment is made. The possibilities of artificial intelligence are also used for it. First, an assessment is made of the frequency with which the potential risk would manifest itself. This analysis is performed through historical database analysis and predictive environmental analysis. AI's capabilities for combinatorics and deep learning are used here. The risk analysis continues with an assessment of the risk manifestation on the quality of business processes. This analysis is performed in a similar manner. Another thing to keep in mind when assessing the risk is what would be the financial consequences of its implementation. This is a reason to make an assessment in this direction too. Here, artificial intelligence provides an assessment based on market values of assets, accounting for time and human capital costs, the cost of reputational damage. The fourth part of the assessment is performed again by AI and refers to the potential time losses from the delay of the respective business processes, due to realization of the potential risks. The summarized results of these assessments are visualized in a "probability matrix" [11]. There the risks are arranged according to their magnitude. In the matrix, the risk gradation is visualized with colors and allows for a good illustration of their level. Apart from this analysis, AI also performs an assessment aimed at establishing a causal relationship between individual risks. This is necessary to withstand the chain effect of the risk and greater accuracy of its assessment. This assessment is also needed to prioritize risks, according to their relationship to certain activities and BP. All results so far are the basis for conducting a simulation using the Monte Carlo method [2], based on which the numerical values of each individual risk are derived. From this it is clear that one of the most laborintensive stages of the risk management process is much easier to implement, and its assessments are more detailed and accurate. The risk assessment is presented graphically in Figure 2. * Probability matrix -method for qualitative risk assessment **Monte Carlo method -method for quantitative risk assessment -activity performed by artificial intelligence

Risk treatment
The next stage of the risk management process is aimed at influencing the assessed risks, i.e., this is the stage in which their management is actually carried out. At this stage, artificial intelligence finds its place again. Here his task is primarily related to conducting analyzes, but the specific choices of means and way to have an impact are in the hands of experts in the business organization. The input information needed to start the stage is the result of the risk assessment. Based on it, artificial intelligence integrates all interrelated risks and seeks their relationship with the expected negative consequences of their potential realization. The result of this activity is aimed at obtaining a complete profile of each individual risk. According to these values, AI activates its deep learning algorithms and shows the appropriate strategies that would give positive results. The specific measures (risk responses) that are appropriate for each specific risk are also visualized. The experts can make their choice from among the proposed ones or choose others according to their own choice. If they prefer their measures, they are added to the AI database and used for further self-learning. Once the measures are implemented, their effect is monitored. In case such is not registered, the procedure for selection of measures is activated again. If an effect is found, the level of residual risk is assessed (according to the already known procedure from the previous stage).
If the assessment of the residual risk corresponds to the risk appetite of the organization, it is considered that the risk treatment has been successful, and the risk monitoring stage is started. If not, the procedure goes back to choosing new risk management measures.
Where: is activity performed by artificial intelligence

Fig. 3. Risk treatment through artificial intelligence
Risk monitoring is the stage in which full monitoring of the manifestation of risk is performed. It should not be forgotten that organizations operate in highly dynamic environment. Changes in the environment must be recognized in order timely changes to the system to be applied [10]. The approach proposed in this material for monitoring, through the capabilities of AI, begins with monitoring the risks of the risk register. AI monitors for changes in the parameters of each risk. If such is identified, the risk identification phase is reactivated and the whole risk management process is triggered. AI also monitors for changes in the environment (external and internal), for the presence of indicators for changes in the risk profile. The experts in the organization also take part in this activity. They can supplement the analysis with an available upcoming change in counterparties or when they have information about upcoming future events that are not reflected by artificial intelligence.
Another indicator under observation is the change in the effect of the risk response. When over time it turns out that its benefits diminish or need additional impact. The last indicator that is proposed for monitoring here is the discrepancy between the planned and actually reported activities and their financial values. Depending on the type of organization, additional monitoring indicators may be offered. Any change in them is a prerequisite for starting the whole process again. The lack of amendment requires monitoring. The risk monitoring process is graphically presented in Figure 4. Where: -activity performed by artificial intelligence -activity performed by artificial intelligence and human factor

Conclusion
The vision of risk management proposed in this paper combines the traditional steps of the process and a new approach to management, namely through artificial intelligence. Here are the activities of the stages that can be managed via AI. In this way, the process will be faster, more impartial, more accurate, more transparent, and generally more complete. It is clear that the human factor will not be replaced. Expert opinion and views complement the analysis of AI and serve for its training and development. The specific decisions for risk management remain in the hands of experts, and the main task of artificial intelligence is to conduct analyses and time-consuming activities. Artificial intelligence is already entering at a rapid pace in all areas. It is unnecessary to be afraid of it, on the contrary, the use of his opportunities leads to better results.
Here, management through artificial intelligence is presented conceptually, the exact mechanisms and algorithms for development are the object of interest and work of software developers, so they are not considered.