AI Risk Management Framework (ISO 42001 + NIST AI RMF Mapping)


Zen AI Governance — Knowledge Base EU/UK alignment Updated 10 Nov 2025 www.zenaigovernance.com ↗

Key takeaways
  • The AI Risk Management Framework ensures all risks—technical, ethical, operational, and societal—are identified, assessed, and controlled.
  • It integrates ISO/IEC 42001, NIST AI RMF, and EU AI Act requirements for unified compliance.
  • All risks are logged, tracked, and reviewed during Management Review and AI Governance Board meetings.

Overview & purpose

This framework provides a structured approach to manage risks across the AI system lifecycle. It aligns Zen AI Governance’s operational practices with global standards, supporting safe, lawful, and trustworthy AI deployment. The policy applies to all AI projects, systems, and suppliers within the AIMS scope.

Framework foundation

  • ISO/IEC 42001: Defines AIMS-based operational controls and continuous improvement loops.
  • ISO 31000: Provides foundational risk principles (identify, analyse, evaluate, treat, monitor).
  • NIST AI RMF (2023): Introduces 4 functional pillars — Govern, Map, Measure, Manage.
  • EU AI Act: Integrates conformity assessment, post-market monitoring, and human oversight requirements.

Risk management process

  1. Identification: Capture potential risks from data, models, processes, suppliers, or human factors.
  2. Analysis: Assess likelihood, impact, and detectability; assign preliminary rating.
  3. Evaluation: Compare against risk acceptance criteria; escalate if above threshold.
  4. Treatment: Define mitigation actions and assign responsible owner.
  5. Monitoring: Track residual risk, controls, and incident correlation over time.

Risk criteria & scoring

All AI risks are scored using a 5x5 matrix evaluating:

  • Likelihood (L): Frequency of occurrence, rated 1–5.
  • Impact (I): Consequence severity, rated 1–5 (safety, ethical, financial, legal, reputational).
  • Detectability (D): Ability to identify before harm (1 = easy to detect, 5 = hidden).

Risk Priority Number (RPN) = L × I × D

Risks with RPN ≥ 50 are escalated to the AI Governance Board for review and mitigation approval.

Risk ownership & accountability

  • Each risk is assigned a Risk Owner (typically the Model Owner or Compliance Lead).
  • Oversight Officer monitors mitigation and effectiveness.
  • Compliance Lead ensures regulatory traceability (linking to EU AI Act Articles 9–15).
  • Authorising Officer approves risk acceptance or escalation.

NIST AI RMF mapping

NIST RMF Function | ISO/IEC 42001 Link                   | Zen AI Governance Practice
Govern            | Clause 5 & 6 — Leadership & Planning | Risk appetite, policy approval, and oversight structure.
Map               | Clause 8 — Operational Controls      | Risk identification and contextual analysis for each AI use case.
Measure           | Clause 9 — Performance Evaluation    | Quantitative risk metrics (accuracy, bias, robustness).
Manage            | Clause 10 — Improvement              | CAPA, re-evaluation, and continuous monitoring.

Risk controls & mitigations

  • Preventive controls: bias testing, dataset audits, explainability analysis.
  • Detective controls: drift monitoring, anomaly alerts, oversight dashboards.
  • Corrective controls: CAPA procedures, retraining, rollback mechanisms.
  • Administrative controls: policies, governance board reviews, training.

AI risk register & evidence

  • All identified risks are recorded in the AIMS Risk Register (R-AI-###).
  • Fields include: Description, Root Cause, RPN, Owner, Mitigation, Residual Risk, Review Date.
  • Risk trends are analysed quarterly and reported to Management Review.
  • Closed risks are archived for at least 5 years to preserve the audit trail.

Common pitfalls & lessons learned

  • Risk siloing: Integrate all AI risks into enterprise risk system, not isolated spreadsheets.
  • Outdated scoring: Reassess RPN whenever system changes or retraining occurs.
  • Subjectivity: Calibrate scoring scales with reference examples.
  • Passive follow-up: Automate reminders and escalation for high RPNs.
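The scoring rule, the register fields and the "outdated scoring" pitfall above combine into a small triage routine. This is an added example, not Zen AI Governance's own tooling: the risk entries, owners and review dates are constructed samples, while the 1–5 scales, the RPN formula and the ≥ 50 escalation threshold are the page's values.

```python
from dataclasses import dataclass
from datetime import date

# Escalation threshold from the page: RPN >= 50 goes to the AI Governance Board.
ESCALATION_THRESHOLD = 50

@dataclass
class Risk:
    """One AIMS Risk Register entry; field names follow the page, values are constructed."""
    risk_id: str
    description: str
    likelihood: int       # L: 1 (rare) .. 5 (frequent)
    impact: int           # I: 1 (minor) .. 5 (severe)
    detectability: int    # D: 1 (easy to detect) .. 5 (hidden)
    owner: str
    review_date: date
    mitigation: str = ""

    def __post_init__(self):
        # Reject scores outside the 5x5 matrix so a typo cannot silently produce a low RPN.
        for name in ("likelihood", "impact", "detectability"):
            value = getattr(self, name)
            if not 1 <= value <= 5:
                raise ValueError(f"{self.risk_id}: {name} must be 1-5, got {value}")

    @property
    def rpn(self):
        return self.likelihood * self.impact * self.detectability

    def review_overdue(self, today):
        # "Outdated scoring" pitfall: a score past its review date must be reassessed.
        return today > self.review_date

def triage(register, today):
    """Return (ids to escalate, ids with overdue reviews), highest RPN first."""
    ranked = sorted(register, key=lambda r: r.rpn, reverse=True)
    escalate = [r.risk_id for r in ranked if r.rpn >= ESCALATION_THRESHOLD]
    overdue = [r.risk_id for r in ranked if r.review_overdue(today)]
    return escalate, overdue

# Constructed sample register (hypothetical entries, not from the page).
SAMPLE_REGISTER = [
    Risk("R-AI-001", "Training data under-represents a protected group", 4, 4, 4,
         "Model Owner", date(2025, 9, 30), "Bias testing before release"),
    Risk("R-AI-002", "Input drift degrades accuracy in production", 3, 3, 2,
         "Model Owner", date(2026, 1, 31), "Drift monitoring with alert threshold"),
    Risk("R-AI-003", "Supplier model update changes behaviour without notice", 2, 5, 5,
         "Compliance Lead", date(2026, 2, 28), "Change notification plus regression suite"),
]
```

R-AI-003 sits exactly on the threshold (2 × 5 × 5 = 50) and is escalated, which is the boundary case a register implementation most often gets wrong.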

Implementation checklist

  • AI Risk Management Framework approved and published.
  • Unified Risk Register operational and reviewed monthly.
  • RPN thresholds and scoring methodology defined.
  • Linkages established between risks, CAPA, and incidents.
  • Quarterly risk report submitted to AI Governance Board.

© Zen AI Governance UK Ltd • Regulatory Knowledge • v1 10 Nov 2025 • This page is general guidance, not legal advice.


      Zen AI Governance — Knowledge Base • EU/UK alignment • Updated 10 Nov 2025 www.zenaigovernance.com ↗ AI Audit & Evidence Management Policy ISO/IEC 42001 – AIMS Governance & Compliance EU/UK aligned + On this page On this page Overview & scope ...