Overview & objectives

Risk management in ISO/IEC 42001 links organisational objectives to AI controls and measurable outcomes. The aim is to reduce residual risk to within appetite through proportionate controls while enabling innovation. Outputs feed audits, management reviews and post-market monitoring.

Risk criteria & taxonomies

Adopt a standard taxonomy so assessments are repeatable:

• Safety & harmful content: physical/psychological harm, misinformation, self-harm inducement.
• Fairness & non-discrimination: subgroup error rates, parity gaps, sensitive attributes handling.
• Privacy & data protection: lawful basis, leakage, re-identification, DSR fulfilment risk.
• Security & abuse: prompt injection, data exfiltration, model theft, tool misuse.
• Transparency & explainability: clarity of role of AI, rationale availability, uncertainty cues.
• Robustness & reliability: adversarial resilience, drift sensitivity, reproducibility.
• Misuse & fraud: impersonation, spam/scams, policy circumvention.
• Legal & contractual: sector obligations, IP/licensing, cross-border transfers.

Scales, thresholds & appetite

• Scales: 5×5 likelihood × impact with descriptive anchors (e.g., Impact 5 = serious harm/regulatory breach).
• Hard stops: non-negotiables (e.g., toxicity >0.5% at 95% CI, or PII leakage >0 instances in eval set).
• Soft thresholds: trend-based triggers (e.g., fairness gap >3% for two consecutive releases) requiring mitigation plan and approver sign-off.
• Appetite & escalation: residual ≥ red zone → Board/Authorising Officer approval; amber → Risk Review; green → Product owner approval.

Method: identify → analyse → treat

• Identify: hazards/harms workshops; data lineage & licensing review; dependency analysis (FM vendors, tools/agents).
• Analyse: inherent risk scoring; map controls; estimate residual risk; document rationale & uncertainty.
• Treat: prevention (guardrails, sandboxing), detection (evals, monitors), response (HITL/HOTL, rollback, incidents), and acceptance with explicit approval where justified.

Every decision should trace to artefacts: risk ID → controls → test results → approval record.

Risk & opportunity register

Maintain a single register per product family so ownership is clear and reports are comparable.

• Fields: ID, title, description, category, inherent score, controls, residual score, owner, due date, evidence links (hash/URL), status, next review.
• Opportunities: record improvements (e.g., retraining to reduce subgroup gap) to inform investment and roadmap.
• Cadence: review monthly; update on change events (model swap, dataset update, new tool access).

Waivers: rules, expiry & control

Waivers allow controlled exceptions while preserving safety. They must never be open-ended.

• Template: context, justification, affected thresholds, compensating controls, monitoring signals, expiry date, approver, review cadence.
• Expiry & reminders: notify owners at D-30/D-7/D-1; lapse → automatic rollback to safe mode unless re-approved.
• Transparency: central waiver log accessible to risk/governance; show active waivers on release notes.

Governance integration

• Release Board: ships only when residual ≤ appetite or an approved waiver exists; record decision and links.
• Risk Review: adjudicates amber/red risks, sets actions, and assigns owners/dates.
• Management Review: uses risk heatmaps, incidents and KPIs to re-tune appetite and resourcing.

Evaluation & evidence

• Design: golden sets with protected subsets for safety/fairness; reproducible seeds; CI automation.
• Trustworthiness metrics: harmful output rate, fairness parity, jailbreak success rate, leakage findings, robustness under noise, explanation sufficiency.
• Evidence model: store reports with checksums; screenshot dashboards at approval time; link artefacts to risk IDs.

Worked examples

• RAG assistant for policy advice: Risks—hallucinated citations, outdated sources, prompt injection. Controls—top-k with confidence threshold, source provenance badges, egress allowlist, jailbreak filters. Thresholds—citation accuracy ≥ 97%; outdated source share ≤ 2%. Residual—green after mitigation; ship approved.
• Agent that can email customers: Risks—mis-send, harassment, data leakage. Controls—tool allowlist, argument schema validation, dry-run preview, human approval for external sends, rate limits, DLP scan. Residual—amber; waiver for rate-limit tuning with 14-day expiry and heightened monitoring.

KPIs & dashboards

• Risk posture: # red/amber risks; median waiver age; % risks with owner & next review.
• Trustworthiness: harmful rate, fairness gap, jailbreak success trend, leakage findings per K sessions.
• Operational: MTTD/MTTR for incidents; rollback count; time in HOLD state post-release.

Common pitfalls

• Different risk methods across teams → incomparable decisions and audit friction.
• Waivers with no expiry or monitoring → silent risk drift.
• Evidence not linked to risk IDs → “trust me” approvals with audit gaps.
• Thresholds written but not enforced in CI/CD → regressions reach production.

Implementation checklist

• One documented method with scales, thresholds, and escalation.
• Single live risk register; owners and due dates populated.
• CI-enforced eval thresholds; reports linked to risk IDs.
• Waiver template used; central log with D-30/D-7/D-1 reminders.
• Release Board & Management Review minutes include risk decisions and evidence links.

© Zen AI Governance UK Ltd • Regulatory Knowledge • v1 07 Nov 2025 • This page is general guidance, not legal advice.