AI Risk Assessment Framework: A Step-by-Step Guide with Templates
Executive Summary
- AI risk assessment is a systematic process for identifying, evaluating, and prioritizing risks from AI systems
- This framework covers eight risk categories specific to AI: accuracy, bias, security, privacy, operational, compliance, reputational, and strategic
- Risk assessment should occur before deployment, after significant changes, and periodically for systems already in operation
- The output is a documented risk register with mitigation plans and owners
- Assessment intensity should match risk level—not every AI tool needs the same scrutiny
- Organizations in regulated industries may have additional sector-specific requirements
AI Risk Categories
1. Accuracy Risk
AI produces incorrect or unreliable outputs.
2. Bias and Fairness Risk
AI produces discriminatory or unfair outcomes.
3. Security Risk
Unauthorized access, manipulation, or attacks on AI systems.
4. Privacy Risk
Unauthorized collection, use, or disclosure of personal data.
5. Operational Risk
AI fails to perform reliably or causes operational disruption.
6. Compliance Risk
Violation of laws, regulations, or contractual obligations.
7. Reputational Risk
AI harms organizational reputation.
8. Strategic Risk
AI undermines business strategy or competitive position.
The 5-Step Assessment Process
Step 1: Scope and Context (1-2 hours)
Define what you're assessing and why.
Step 2: Risk Identification (2-4 hours)
Systematically identify potential risks across all categories.
Step 3: Risk Evaluation (2-4 hours)
Assess likelihood and impact of each identified risk.
Step 4: Risk Treatment (2-4 hours)
Determine how to address each significant risk.
Step 5: Documentation and Monitoring (1-2 hours)
Record results and establish ongoing monitoring.
Likelihood and Impact Scales
Likelihood:
- 1 = Rare (<1% probability)
- 2 = Unlikely (1-10%)
- 3 = Possible (10-50%)
- 4 = Likely (50-90%)
- 5 = Almost Certain (>90%)
Impact:
- 1 = Minimal
- 2 = Minor
- 3 = Moderate
- 4 = Major
- 5 = Critical
Risk Score = Likelihood × Impact
AI Risk Register Template Snippet
| Risk ID | Category | Description | Likelihood | Impact | Score | Treatment | Owner | Status |
|---|---|---|---|---|---|---|---|---|
| AI-001 | Accuracy | Incorrect recommendations | 3 | 4 | 12 | Mitigate | [Name] | Open |
| AI-002 | Privacy | Personal data beyond consent | 2 | 4 | 8 | Mitigate | [Name] | Open |
| AI-003 | Bias | Discriminatory outcomes | 2 | 5 | 10 | Mitigate | [Name] | Open |
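To make the scales, the score formula and the register template concrete, here is an added Python example of a small risk register; it is not code from the original framework or from Pertama Partners. It validates entries against the 1-5 likelihood and impact scales and the eight categories, computes Score = Likelihood × Impact, ranks entries, flags categories the checklist item "All 8 risk categories evaluated" would catch as missing, and renders the same markdown table as the template above. The priority bands, the treatment options other than "Mitigate", and the fourth sample entry (AI-004) are assumptions made for this example.

```python
from dataclasses import dataclass, field

# Scales exactly as given in the framework (1-5).
LIKELIHOOD = {1: "Rare", 2: "Unlikely", 3: "Possible", 4: "Likely", 5: "Almost Certain"}
IMPACT = {1: "Minimal", 2: "Minor", 3: "Moderate", 4: "Major", 5: "Critical"}
CATEGORIES = ("Accuracy", "Bias", "Security", "Privacy", "Operational",
              "Compliance", "Reputational", "Strategic")
# The template shows only "Mitigate"; the other three are the usual treatment
# options and are an assumption of this example, not part of the framework.
TREATMENTS = ("Mitigate", "Accept", "Avoid", "Transfer")


@dataclass
class Risk:
    risk_id: str
    category: str
    description: str
    likelihood: int
    impact: int
    treatment: str
    owner: str = "[Name]"   # template placeholder until an owner is assigned
    status: str = "Open"

    def __post_init__(self) -> None:
        # Reject anything off the 1-5 scales or outside the eight categories.
        if self.likelihood not in LIKELIHOOD:
            raise ValueError(f"{self.risk_id}: likelihood must be 1-5")
        if self.impact not in IMPACT:
            raise ValueError(f"{self.risk_id}: impact must be 1-5")
        if self.category not in CATEGORIES:
            raise ValueError(f"{self.risk_id}: unknown category {self.category!r}")
        if self.treatment not in TREATMENTS:
            raise ValueError(f"{self.risk_id}: unknown treatment {self.treatment!r}")

    @property
    def score(self) -> int:
        # Risk Score = Likelihood x Impact (1..25).
        return self.likelihood * self.impact


def priority_band(score: int) -> str:
    # Thresholds are an assumption for illustration: the framework defines the
    # score but leaves the banding to the organisation.
    if score >= 15:
        return "Critical"
    if score >= 8:
        return "High"
    if score >= 4:
        return "Medium"
    return "Low"


@dataclass
class RiskRegister:
    risks: list = field(default_factory=list)

    def add(self, risk: Risk) -> None:
        if any(r.risk_id == risk.risk_id for r in self.risks):
            raise ValueError(f"duplicate risk id {risk.risk_id}")
        self.risks.append(risk)

    def ranked(self) -> list:
        # Highest score first; ties broken by impact so severe outcomes surface first.
        return sorted(self.risks, key=lambda r: (r.score, r.impact), reverse=True)

    def unevaluated_categories(self) -> list:
        # Checklist item "All 8 risk categories evaluated": categories with no
        # entry at all (an explicit low-score entry still counts as evaluated).
        seen = {r.category for r in self.risks}
        return [c for c in CATEGORIES if c not in seen]

    def unowned_open(self) -> list:
        # Checklist item "Actions and owners assigned": open risks still
        # carrying the "[Name]" placeholder.
        return [r.risk_id for r in self.risks if r.status == "Open" and r.owner == "[Name]"]

    def to_markdown(self) -> str:
        header = ("| Risk ID | Category | Description | Likelihood | Impact | Score "
                  "| Treatment | Owner | Status |\n|---|---|---|---|---|---|---|---|---|")
        rows = [f"| {r.risk_id} | {r.category} | {r.description} | {r.likelihood} "
                f"| {r.impact} | {r.score} | {r.treatment} | {r.owner} | {r.status} |"
                for r in self.ranked()]
        return "\n".join([header, *rows])


def example_register() -> RiskRegister:
    # The three rows from the template plus one constructed Security entry
    # (AI-004 is sample data for this example, not from the page).
    reg = RiskRegister()
    reg.add(Risk("AI-001", "Accuracy", "Incorrect recommendations", 3, 4, "Mitigate"))
    reg.add(Risk("AI-002", "Privacy", "Personal data beyond consent", 2, 4, "Mitigate"))
    reg.add(Risk("AI-003", "Bias", "Discriminatory outcomes", 2, 5, "Mitigate"))
    reg.add(Risk("AI-004", "Security", "Unauthorized manipulation of model outputs",
                 3, 5, "Mitigate", owner="Security lead"))
    return reg


if __name__ == "__main__":
    reg = example_register()
    print(reg.to_markdown())
    for r in reg.ranked():
        print(r.risk_id, r.score, priority_band(r.score))
    print("categories not yet evaluated:", reg.unevaluated_categories())
    print("open risks without an owner:", reg.unowned_open())
```

Running the script prints the ranked register, then lists the four categories with no entry yet and the three template rows whose owner is still the "[Name]" placeholder, which is exactly what a reviewer would check before signing off the "Assessment" section of the checklist.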
Checklist: AI Risk Assessment
Preparation
- Assessment scope defined
- AI system documentation gathered
- Assessment team identified
Assessment
- All 8 risk categories evaluated
- Likelihood and impact rated
- Treatment approaches selected
- Actions and owners assigned
Documentation
- Risk register completed
- Monitoring plan established
- Reassessment scheduled
Disclaimer
This framework provides general guidance on AI risk assessment. Organizations in regulated industries should ensure compliance with sector-specific requirements. Consult legal and risk professionals for your specific situation.
Next Steps
Book an AI Readiness Audit with Pertama Partners for expert support with AI risk assessment.
Related Reading
- AI Risk Register Template: How to Document and Track AI Risks
- 10 AI Risks Every Executive Should Understand
- AI Governance 101
Frequently Asked Questions
When should an AI risk assessment be carried out?
Before deploying any new AI system, after significant changes to existing systems, and periodically (at least annually) for systems already in operation.