ETHOSAI Consultancy

A Practical Guide to AI Risk Assessment

Kateryna Saprunova, March 28, 2026, 6 min read

Risk assessment is the foundation of every AI compliance framework. Here's a step-by-step approach you can apply to any AI system.

Whether you're preparing for the EU AI Act, ISO 42001, or simply trying to deploy AI responsibly, it all starts in the same place: a clear-eyed assessment of risk. Yet many teams either skip this step or treat it as a box-ticking exercise. Here's a practical approach that produces something genuinely useful.

Step 1: Define the system and its purpose

You can't assess what you can't describe. Document what the system does, the decisions it influences, the data it uses, and the people it affects. Vague descriptions lead to vague risk assessments.

Step 2: Identify what could go wrong

  • Harm to individuals — bias, discrimination, or unsafe outcomes.
  • Harm to rights — privacy violations or lack of recourse.
  • Operational risk — errors, drift, or system failure.
  • Legal and reputational risk — non-compliance or loss of trust.

Step 3: Estimate likelihood and severity

For each risk, assess how likely it is to occur and how severe the impact would be. A simple likelihood-by-severity matrix is enough to prioritize — you don't need elaborate quantification to make good decisions.

Step 4: Mitigate and document

For each significant risk, define controls: data quality checks, human oversight, testing, monitoring, fallback procedures. Crucially, write down both the risks and the mitigations. Documentation is what turns a conversation into evidence.

An AI risk assessment isn't done when the document is written — it's done when it's living, reviewed, and updated as the system evolves.
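The four steps above, plus the review cadence, map naturally onto a small risk register. The following is an added example written for this article, not code from Ethos AI Consultancy or from any framework: it describes a system (Step 1), records risks under the four Step 2 categories, scores each one on a 3x3 likelihood-by-severity matrix (Step 3), attaches documented controls (Step 4), flags medium and high risks that still have no control, and tracks whether the assessment is due for review. The 1-3 scale, the priority bands (6-9 high, 3-4 medium, 1-2 low), the 180-day review interval and the hypothetical CV-screening system are all assumptions made for the example.

```python
"""Minimal AI risk register following the four steps in the article.

Everything below is illustrative: the system, the risks, the 3x3 scoring
bands and the review cadence are assumptions, not figures from the article
or from any regulation.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import IntEnum


class Level(IntEnum):
    """Coarse ordinal scale used for both likelihood and severity (assumed)."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


# Step 2: the four harm categories named in the article.
CATEGORIES = ("individuals", "rights", "operational", "legal_reputational")


@dataclass
class Risk:
    risk_id: str
    category: str
    description: str
    likelihood: Level
    severity: Level
    controls: list[str] = field(default_factory=list)  # Step 4 mitigations

    def __post_init__(self) -> None:
        if self.category not in CATEGORIES:
            raise ValueError(f"unknown risk category: {self.category}")

    def score(self) -> int:
        """Step 3: the likelihood x severity cell of the matrix (1..9)."""
        return int(self.likelihood) * int(self.severity)

    def priority(self) -> str:
        """Band the cell. Thresholds are an assumption: 6-9 high, 3-4 medium, 1-2 low."""
        if self.score() >= 6:
            return "high"
        if self.score() >= 3:
            return "medium"
        return "low"


@dataclass
class Assessment:
    # Step 1: describe the system before scoring anything.
    system: str
    purpose: str
    decisions_influenced: str
    data_used: str
    people_affected: str
    last_reviewed: date
    review_interval_days: int = 180  # assumed cadence
    risks: list[Risk] = field(default_factory=list)

    def prioritized(self) -> list[Risk]:
        """Highest-scoring risks first; sorted() is stable, so ties keep insertion order."""
        return sorted(self.risks, key=lambda r: r.score(), reverse=True)

    def uncontrolled(self) -> list[str]:
        """Medium/high risks with no documented control: the gaps to close before sign-off."""
        return [r.risk_id for r in self.risks if r.priority() != "low" and not r.controls]

    def review_due(self, today: date) -> bool:
        """The assessment stays 'living' only if it is re-examined on schedule."""
        return today >= self.last_reviewed + timedelta(days=self.review_interval_days)

    def to_markdown(self) -> str:
        """Render the register as written evidence a reviewer can read."""
        lines = [f"# AI risk assessment: {self.system}", "",
                 f"Purpose: {self.purpose}",
                 f"Decisions influenced: {self.decisions_influenced}",
                 f"Data used: {self.data_used}",
                 f"People affected: {self.people_affected}",
                 f"Last reviewed: {self.last_reviewed.isoformat()}", "",
                 "| ID | Category | L | S | Score | Priority | Controls |",
                 "|---|---|---|---|---|---|---|"]
        for r in self.prioritized():
            lines.append(f"| {r.risk_id} | {r.category} | {r.likelihood.name} | "
                         f"{r.severity.name} | {r.score()} | {r.priority()} | "
                         f"{'; '.join(r.controls) or 'NONE'} |")
        return "\n".join(lines)


def sample_assessment() -> Assessment:
    """Constructed example: a hypothetical CV-screening model, not a real system."""
    a = Assessment(
        system="CV-triage-model (hypothetical)",
        purpose="Rank job applications for recruiter review",
        decisions_influenced="Which applicants get a first interview",
        data_used="Applicant CVs, historical hiring outcomes",
        people_affected="Job applicants, recruiters",
        last_reviewed=date(2026, 1, 15),
    )
    a.risks = [
        Risk("R1", "individuals", "Ranking differs by protected characteristic",
             Level.MEDIUM, Level.HIGH,
             ["Quarterly disparate-impact test", "Recruiter reviews every rejection"]),
        Risk("R2", "rights", "Applicants cannot contest an automated ranking",
             Level.HIGH, Level.MEDIUM),
        Risk("R3", "operational", "Ranking quality drifts as the job market changes",
             Level.MEDIUM, Level.MEDIUM, ["Monthly drift monitoring on score distribution"]),
        Risk("R4", "legal_reputational", "Vendor terms change without notice",
             Level.LOW, Level.LOW),
    ]
    return a


if __name__ == "__main__":
    print(sample_assessment().to_markdown())
```

Running the file prints the register as a Markdown table with the highest-scoring risks first; `uncontrolled()` returns the one high-priority risk that has no mitigation written down, which is exactly the kind of gap the "document both the risks and the mitigations" step is meant to expose.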

The goal isn't to eliminate all risk — that's impossible. The goal is to understand it, reduce it to an acceptable level, and be able to show your reasoning. That combination is what keeps you both safe and compliant.

Written by Kateryna Saprunova at Ethos AI Consultancy.
