AIG-005 AI Risk Management Process
Description
A documented process for identifying, analysing, evaluating, and treating AI risks is established and applied throughout the lifecycle of each AI system. The process identifies risks to health, safety, fundamental rights, and business operations. Risk assessments are performed prior to deployment and at defined intervals (at minimum annually and after any substantial modification). Residual risks are documented and accepted by an accountable owner.
Rationale
A lifecycle risk management process is the engine of AI governance; policy and roles are insufficient without an operational assessment mechanism.
Framework Mappings (9)
| Framework Reference | Control | Mapping |
| --- | --- | --- |
| EU-AI-Art.9.1 | AI Risk Management System — Establishment and Maintenance | full |
| EU-AI-Art.9.2 | AI Risk Management System — Risk Identification and Analysis | full |
| EU-AI-Art.9.4 | AI Risk Management System — Residual Risk Acceptability | full |
| A.6.1.3 | Processes for responsible AI system design and development | partial |
| GOVERN 1.5 | Risk Management Monitoring and Review | full |
| MANAGE 1.1 | AI System Purpose and Deployment Determination | full |
| MANAGE 1.2 | AI Risk Treatment Prioritization | full |
| MANAGE 1.3 | High-Priority Risk Response Planning | full |
| MANAGE 1.4 | Residual Risk Documentation | full |
Evidence (2)
Completed AI risk assessments for each production AI system, covering the risk identification, analysis, evaluation, and treatment steps, with residual risk sign-off by the named system owner.
Example: AI Risk Assessment — Customer Churn Model v3 (Confluence), completed 2025-08-12 prior to deployment, with treatment plan and residual risk accepted by Head of Data.
Test: Request risk assessments for a sample of production AI systems (minimum 3 or all Tier 2+ systems). Verify each assessment: (1) was completed before deployment or within the last 12 months, (2) covers health, safety, fundamental rights, and business operations dimensions, (3) includes a documented treatment plan for identified risks, (4) has residual risk formally accepted by the named system owner, (5) was triggered again after any substantial modification.
Documented AI risk management process defining how risks are identified, analysed, evaluated, treated, and accepted throughout the AI system lifecycle, including the trigger criteria for reassessment.
Example: AI Risk Management Procedure v2.0 (Confluence), defining risk assessment methodology, lifecycle trigger points, risk register format, and residual risk acceptance thresholds.
Test: Request the AI risk management process document. Verify: (1) all four ISO 31000 phases (identify, analyse, evaluate, treat) are described with method guidance, (2) lifecycle triggers for reassessment are defined (including 'substantial modification'), (3) the process specifies who conducts and who approves assessments, (4) retention period for completed assessments is stated.
Questions (2)
Does your organisation apply a documented risk management process to AI systems throughout their lifecycle?
The process should cover risk identification, analysis, evaluation, treatment, and residual risk acceptance. It should be triggered before deployment and after any substantial modification — not only at initial development.
At which points in the AI system lifecycle is a formal risk assessment conducted?
Assessments conducted only at initial deployment miss risk accumulation from model drift, changed use contexts, and regulatory evolution. A mature process triggers reassessment at all five points.