Risk Management System (EU/UK aligned)


Zen AI Governance — Knowledge Base • EU/UK alignment • Updated 05 Nov 2025 • www.zenaigovernance.com


Key takeaways
  • RMS is the backbone of high-risk AI compliance; it connects design choices to operational controls.
  • Define clear thresholds, owners and evidence mechanisms to demonstrate control effectiveness.
  • Continuously update the living risk file with evaluation, deployment and incident insights.

Purpose & principles

The RMS ensures that known and reasonably foreseeable risks are identified, controlled, monitored and communicated throughout the system's lifecycle. It embeds proportionality, accountability, transparency and evidence-based decision-making.

Context & intended purpose

  • Define end-to-end system boundary, interfaces, actors, and deployment environments.
  • State intended purpose, exclusions, assumptions, and environmental constraints.

Hazards, harms & misuse

  • Map hazards to harms (safety, fundamental rights, economic); add misuse scenarios and abuse personas.
  • Prioritise via likelihood × impact; justify residual risk with explicit rationale.
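The prioritisation and residual-risk rule above can be enforced mechanically. The following is an added example, not code from this page or from Zen AI Governance: a small hazard register that scores likelihood × impact on a 1 to 5 scale, lets controls reduce the factors to a residual score, and flags any residual risk above a tolerance that has no written rationale. The hazards, controls, scores, the three harm categories as set names and the tolerance value of 6 are all assumptions made for illustration.

```python
"""Added example, not code from the page: a hazard register implementing the
likelihood x impact prioritisation described above and checking that any
residual risk left above tolerance carries an explicit rationale. Hazards,
scores, controls and the tolerance value are constructed for illustration."""
from dataclasses import dataclass, field

HARM_CATEGORIES = {"safety", "fundamental_rights", "economic"}
RESIDUAL_TOLERANCE = 6  # assumed: a residual score above this needs a written rationale
SCALE = range(1, 6)     # likelihood and impact are scored 1 (lowest) to 5 (highest)


@dataclass
class Control:
    name: str
    likelihood_reduction: int = 0  # points this control takes off likelihood
    impact_reduction: int = 0      # points this control takes off impact


@dataclass
class Hazard:
    id: str
    description: str
    harms: set              # subset of HARM_CATEGORIES
    likelihood: int
    impact: int
    misuse: bool = False    # True for abuse/misuse scenarios rather than faults
    controls: list = field(default_factory=list)
    residual_rationale: str = ""

    def inherent_score(self) -> int:
        return self.likelihood * self.impact

    def residual_score(self) -> int:
        # Controls lower the factors but never below 1: a risk is never scored away.
        l = max(1, self.likelihood - sum(c.likelihood_reduction for c in self.controls))
        i = max(1, self.impact - sum(c.impact_reduction for c in self.controls))
        return l * i


def validate(hazards) -> list:
    """Return the register defects an auditor would ask about; empty means clean."""
    issues = []
    for h in hazards:
        if not h.harms or not h.harms <= HARM_CATEGORIES:
            issues.append(f"{h.id}: harms must be a non-empty subset of {sorted(HARM_CATEGORIES)}")
        if h.likelihood not in SCALE or h.impact not in SCALE:
            issues.append(f"{h.id}: likelihood and impact must be scored 1-5")
        if h.residual_score() > RESIDUAL_TOLERANCE and not h.residual_rationale.strip():
            issues.append(f"{h.id}: residual score {h.residual_score()} exceeds tolerance "
                          f"{RESIDUAL_TOLERANCE} with no rationale recorded")
    return issues


def prioritise(hazards) -> list:
    """Highest inherent score first; ties broken by residual score, then id."""
    return sorted(hazards, key=lambda h: (-h.inherent_score(), -h.residual_score(), h.id))


# Constructed register for an illustrative credit-decision model (not real data).
REGISTER = [
    Hazard("H1", "Model denies credit disproportionately to a protected group",
           {"fundamental_rights", "economic"}, likelihood=4, impact=5,
           controls=[Control("fairness guardrail on approval rates", likelihood_reduction=2),
                     Control("human review of every denial", impact_reduction=1)],
           residual_rationale="Residual 8 accepted by risk owner pending post-market "
                              "disparity monitoring"),
    Hazard("H2", "Operator applies the model outside its intended purpose",
           {"economic"}, likelihood=3, impact=3, misuse=True,
           controls=[Control("user instructions and purpose-bound API keys",
                             likelihood_reduction=1)]),
    Hazard("H3", "Attacker extracts the model through the scoring API",
           {"economic"}, likelihood=2, impact=4, misuse=True),
]

if __name__ == "__main__":
    for h in prioritise(REGISTER):
        print(h.id, h.inherent_score(), "->", h.residual_score(), h.description)
    for issue in validate(REGISTER):
        print("ISSUE:", issue)
```

Run as a script it prints the register in priority order (H1 scores 20 → 8, H2 9 → 6, H3 8 → 8) and one issue: H3 sits above tolerance with no rationale, which is exactly the gap a notified body or internal audit would raise. The residual floor of 1 per factor is deliberate: a control can shrink a risk but the register should never claim it has vanished.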

Controls by design & operation

  • By design: data selection, model constraints, fairness guardrails, explainability, privacy/security patterns.
  • By operation: human-in-the-loop, two-person approval, hold-outs, post-decision review, audit alerts.

Metrics, thresholds & owners

  • KPIs/KRIs per cohort/context; define tolerances, dashboards, alerts, on-call and escalation.
  • Assign accountable owners with decision rights; publish a runbook.
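The KRI, tolerance and routing bullets above translate into a monitoring job. Below is an added example, not code from this page or from Zen AI Governance: it computes two per-cohort indicators from a decision log (the share of automated decisions a human reviewer overrode, and the ratio of the lowest to the highest cohort approval rate), compares them to warn and breach tolerances, and routes each alert to the accountable owner, adding on-call only on a breach. The decision records, cohort labels, threshold values, the minimum cohort size and the mailbox names are constructed assumptions.

```python
"""Added example, not code from the page: per-cohort KRI evaluation with
tolerances, severity levels and alert routing to accountable owners.
Decision records, cohorts, thresholds and mailbox names are constructed."""
from collections import defaultdict

MIN_COHORT_SIZE = 5  # assumed: below this a rate is too noisy to act on

# Assumed KRI catalogue: tolerances, which direction is bad, and who owns the KRI.
KRIS = {
    "override_rate": {       # decisions reversed by a human reviewer; higher is worse
        "warn": 0.15, "breach": 0.25, "worse": "above",
        "owner": "model-owner@example.invalid",
    },
    "approval_disparity": {  # lowest cohort approval rate / highest; lower is worse
        "warn": 0.85, "breach": 0.80, "worse": "below",
        "owner": "fairness-lead@example.invalid",
    },
}
ON_CALL = "ai-oncall@example.invalid"            # paged only on a breach
RISK_FILE_OWNER = "risk-owner@example.invalid"   # informational notes go here


def make_records(cohort, n, approved, overridden):
    """Build n constructed decision records for one cohort."""
    return [{"cohort": cohort, "approved": i < approved, "overridden": i < overridden}
            for i in range(n)]


# Constructed decision log: cohort C is deliberately too small to evaluate.
DECISIONS = (make_records("A", 10, approved=8, overridden=1)
             + make_records("B", 10, approved=5, overridden=3)
             + make_records("C", 3, approved=3, overridden=0))


def cohort_metrics(decisions):
    counts = defaultdict(lambda: {"n": 0, "approved": 0, "overridden": 0})
    for d in decisions:
        c = counts[d["cohort"]]
        c["n"] += 1
        c["approved"] += int(d["approved"])
        c["overridden"] += int(d["overridden"])
    return {k: {"n": v["n"],
                "approval_rate": v["approved"] / v["n"],
                "override_rate": v["overridden"] / v["n"]}
            for k, v in counts.items()}


def level_for(kri, value):
    """Map a KRI value to ok / warn / breach according to its tolerances."""
    spec = KRIS[kri]
    if spec["worse"] == "above":
        if value >= spec["breach"]:
            return "breach"
        if value >= spec["warn"]:
            return "warn"
    else:
        if value <= spec["breach"]:
            return "breach"
        if value <= spec["warn"]:
            return "warn"
    return "ok"


def route(kri, level):
    owner = KRIS[kri]["owner"]
    return [owner, ON_CALL] if level == "breach" else [owner]


def evaluate(decisions):
    """Return the alerts one run of the monitoring job would raise."""
    alerts = []
    metrics = cohort_metrics(decisions)
    usable = {}
    for cohort in sorted(metrics):
        m = metrics[cohort]
        if m["n"] < MIN_COHORT_SIZE:
            # Too few decisions: record the gap rather than alert on noise.
            alerts.append({"kri": "sample_size", "cohort": cohort, "value": m["n"],
                           "level": "info", "route": [RISK_FILE_OWNER]})
            continue
        usable[cohort] = m
        lvl = level_for("override_rate", m["override_rate"])
        if lvl != "ok":
            alerts.append({"kri": "override_rate", "cohort": cohort,
                           "value": m["override_rate"], "level": lvl,
                           "route": route("override_rate", lvl)})
    if len(usable) >= 2:
        rates = [m["approval_rate"] for m in usable.values()]
        disparity = min(rates) / max(rates) if max(rates) > 0 else 1.0
        lvl = level_for("approval_disparity", disparity)
        if lvl != "ok":
            alerts.append({"kri": "approval_disparity", "cohort": "all",
                           "value": disparity, "level": lvl,
                           "route": route("approval_disparity", lvl)})
    return alerts


if __name__ == "__main__":
    for a in evaluate(DECISIONS):
        print(a["level"].upper(), a["kri"], a["cohort"], round(a["value"], 3), "->", a["route"])
```

On the constructed log this raises three alerts: cohort B's override rate of 0.30 breaches and pages on-call alongside the model owner, the approval disparity of 0.625 (0.5 / 0.8) breaches and goes to the fairness lead plus on-call, and cohort C is logged as an insufficient sample for the risk file owner rather than being scored. Excluding small cohorts before computing the disparity ratio is the caveat worth keeping: a three-decision cohort can swing any ratio and would otherwise generate alerts nobody can act on.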

Reviews & living risk file

  • Quarterly risk reviews; change-driven reviews; incident post-mortems; regulatory triggers.
  • Keep all decisions, evidence and approvals in a versioned living risk file.

Explainability & user instructions

  • Explainability method selection by context: global, local, counterfactuals; human-readable rationales.
  • User instructions: intended use, limitations, known failure modes, and escalation.

Qualification & acceptance

  • Qualification matrix per requirement; sign-off by risk owners, security, legal and business sponsor.
  • Define rollback criteria; dry-run operations and playbooks.

Handover to operations

  • Transfer risk file, runbooks, thresholds, alert routing; train operators and oversight roles.
  • Activate post-market plan and incident response.

Governance & approvals

  • Standing AI governance forum; agenda: risk changes, metrics, incidents, corrective and preventive actions (CAPA), stakeholder concerns.
  • Record minutes and formal approvals with version control.

Capability & training

  • Competency framework for data science, ML engineering, safety, privacy, and oversight roles.
  • Regular drills (incident, rollback, bias breach) and tabletop exercises.

Implementation checklist

  • Purpose & context captured; hazards mapped; misuse addressed.
  • Controls designed; metrics & thresholds set; owners assigned.
  • Risk file live; governance operating; handover complete.

© Zen AI Governance UK Ltd • Regulatory Knowledge • v1 05 Nov 2025 • This page is general guidance, not legal advice.

    • Related Articles

    • Human Oversight (EU/UK aligned)
    • Technical Documentation (EU/UK aligned)
    • Obligations for High-Risk AI Systems (EU/UK aligned)
    • Conformity Assessment & CE Marking (EU / UK Aligned)
    • Accuracy, Robustness & Cybersecurity Controls (EU / UK Aligned)