Head of Financial and Professional Services, Marsh Speciality Pacific
A recent survey revealed around 50% of Australians are aware of ChatGPT and almost a quarter of the population has used it. Of those who have used ChatGPT, roughly half have used it for work purposes. The growing interest and embracement of the latest generation of AI technology across various businesses and industries have seen Marsh’s professional services firm clients raising queries with us about ChatGPT, an artificial intelligence (AI) powered language model, as well as AI tools in general. This article considers the risk from this new technology from various perspectives, and offers some thinking about how to adapt.
Clients of professional services firms as users of free AI
Free public use of ChatGPT-type technology potentially challenges aspects of the traditional knowledge and experience advantage professionals rely upon to generate profit. The possibility of a lay person, with free AI support, undertaking certain tasks without professional support may further threaten business models. This is a strategic risk , which will develop uniquely for different client sizes and by service lines. The majority of material shared online is probably categorised as ‘know what’ – factual information and opinion on what the processes and rules are – rather than ‘know how’, which is asking how to actually execute specific tasks. However, despite media reports indicating the latest generation AI’s apparent ability to pass professional exams, there is evidence that wrong answers are also often created. Given the speed of progress, it is probable that AI solutions will be reliable soon. Consequently, firms should assess the impact on services they offer and the likely increased frequency of limited retainers that may in turn require additional controls to manage risk.
Professional services firms as users of free AI
It may prove difficult for professional services firms to control colleagues’ use of external AI services. However, users need to be mindful that questions asked of AI systems could potentially reveal privileged or confidential information. Additionally, using these services for work-related tasks may also breach intellectual property rights. Even using such services to trawl and identify if others have made similar enquiries, might reveal an interest. Enquiry timing might reveal strategies, plans and concerns, and those holding data stemming from enquiries may use it for their own purposes. Furthermore, it could possibly be obtained by bad actors, who might seek to exploit it or find ways to poison the data pool to manipulate results. Firms may need to modify existing employment procedures to explicitly clarify that such usage is not permitted, if that is the position chosen.
ChatGPT may give a lay user confidence to take steps themselves that a professional might otherwise undertake. However, current reliability of results is questionable. Many professional services firms deploy AI to support clients with more interactive FAQs and some basic services. For larger firms, pressure from clients for efficiency and practitioner’s own use of AI (as part of internal support), have existed for some time. For example, accounting firms use AI to review documents such as board minutes and leases.
The professional service provider still has significant value to offer, despite AI’s free information and expertise. Firms can provide reliable operating processes and deal with situations that are more bespoke, and potentially use AI products for more standard situations. Indeed, many firms are investing heavily in database access to enable clients to self-serve with advice. As an example (although not necessarily using AI), one law firm provides access to data on the average settlement size for different types of employment allegations. Rather than seeking individual advice, the user enters the location and allegations to receive an idea of average reported settlements.
For law firms regulated by the various state and territory bodies in Australia , we would expect professional indemnity claims arising out of reliance on such advice to fall to the wide terms of cover provided by the professional indemnity policies issued or approved by various state and territory law societies. More generally, it would be prudent for professional services firms to consult with their broker and regulator. This can prevent potential surprises about whether claims are covered and if the service was compliant. Requirements of professional regulators will also need to be heeded. Please also see Australia’s 8 Artificial Intelligence (AI) Ethics Principles to understand the Australian Government’s principles to design and ensure AI is safe, secure and reliable.
 Law Society of the Australian Capital Territory; NSW Legal Services Commissioner; Law Society Northern Territory; Legal Services Commission Queensland; South Australian Legal Professional Conduct Commissioner; Legal Profession Board of Tasmania; Victorian Legal Services Commissioner; Legal Practice Board of Western Australia.
Overall, we consider that there are significant risks both as a provider and user of AI services, which ought to be monitored and managed appropriately.
Professional services firms as providers of internal AI services
Firms are developing support systems for colleagues internally. More logical and higher quality search access and solutions to policies, procedures and ‘know-how’ may be extremely useful. However, a key issue is the ongoing effort required to maintain these systems with up to date information. Additionally, it would be unsurprising if some clients seek to limit use of highly sensitive information to a particular work group, albeit this is not a new issue. If security is breached – and internal AI compromised – the usage data or corruption of data and AI based results may also create reputational risks for the firm and clients.
Professional services firms as providers of external AI services
As this is a significant area of risk, it may be useful to treat what is being provided as a product. As a reputational risk – and a novel area – we believe it is worth considering whether use of these tools and creation of products creates fundamental new hazards.
We have opted to use the bow tie risk tool as a lens to consider prevention and mitigation.
Below is an example of the tool we developed for law firm cyber risk:
Most users find it helpful to both define and order the key areas of the diagram:
In this case:
Product risk is familiar to some professional services firms, particularly IT developers and brokers. As more pure professional services firms may now be offering what are considered products, we suggest implementation of roles, processes and procedures for the design of these products, approval, marketing and maintenance. This enables firms to control the risk, test products and check feedback.
In financial services, governance, assessment and product refreshes were developed in response to market failures and the adoption of recommendations for Misconduct in the Banking, Superannuation and Financial Services Industry Royal Commission and other regulatory inquiries. Professional indemnity insurers of professional services firms have experience of suitability issues arising when homogenised advice is given to large numbers of clients – and the product does not perform as expected.
Firms that are designing and delivering AI products to clients should be cognisant of this risk. Subsequently ensuring there is robust product design and management with ongoing testing at least annually; possibly more often depending on feedback and changes. Providing a governance structure for a product, or putting the product through such a process, is sometimes recognised late in the product development cycle, becoming an unwelcome drag on product launch. However, experience shows that it is a necessary step.
For large professional services firms, an AI product is unlikely to generate wrong results for tens of thousands of users, making relatively modest claims – as happened in financial services. However, if outputs are wrong, the product could result in identical deficient advice being provided to multiple clients in a short period of time, without much chance of detection.
Reviewing the bow tie model, we can consider what barriers are in place to prevent product failure and how they relate to threats. A common problem can occur when the threats alter and the system does not detect that a barrier has been breached. If the overall system can detect that the barrier has been breached, then according to the model this is an escalation factor. An oversight review of the model should then be triggered along with a potential redesign of the barriers. Without this review, the likelihood of widespread product failure is more significant.
Drawing on previous involvement in the development of online service models, the cost of maintaining and testing product suitability is often significant; potentially eroding the apparent profitability of such approaches. There is also a governance issue regarding who should be responsible for ongoing maintenance and testing, and if they will be independent enough and motivated to undertake the role. These issues are often unpopular with innovative thinkers, who are attracted to creating novelty by leveraging know how.
It may appear attractive and innovative to create opportunity from transforming professional services and offering what have traditionally been bespoke services as a product. However, professional services firms must develop more back office assurance and infrastructure to support delivery of high quality service through such products. Maintenance, design refresh, and testing must be factored into the cost, in order to manage product risk.
Originally published 16 June 2023 by John Kunzler, Victoria Prescott, Marsh UK
Head of Financial and Professional Services, Marsh Speciality Pacific
Managing Principal, Law
Head of Corporate Cyber - Pacific
This publication is not intended to be taken as advice regarding any individual situation and should not be relied upon as such. The information contained herein is based on sources we believe reliable, but we make no representation or warranty as to its accuracy. Marsh shall have no obligation to update this publication and shall have no liability to you or any other party arising out of this publication or any matter contained herein. Any statements concerning actuarial, tax, accounting, or legal matters are based solely on our experience as insurance brokers and risk consultants and are not to be relied upon as actuarial, accounting, tax, or legal advice, for which you should consult your own professional advisors. Any modelling, analytics, or projections are subject to inherent uncertainty, and any analysis could be materially affected if any underlying assumptions, conditions, information, or factors are inaccurate or incomplete or should change.