MANAGE-1.2—Treatment of documented AI risks is prioritized based on impact, likelihood, or available resources or methods.

>Control Description

Treatment of documented AI risks is prioritized based on impact, likelihood, or available resources or methods.

>About

Risk refers to the composite measure of an event’s probability of occurring and the magnitude (or degree) of the consequences of the corresponding events. The impacts, or consequences, of AI systems can be positive, negative, or both and can result in opportunities or risks.

Organizational risk tolerances are often informed by several internal and external factors, including existing industry practices, organizational values, and legal or regulatory requirements. Since risk management resources are often limited, organizations usually assign them based on risk tolerance. AI risks that are deemed more serious receive more oversight attention and risk management resources.

>Suggested Actions

Assign risk management resources relative to established risk tolerance. AI systems with lower risk tolerances receive greater oversight, mitigation and management resources.
Document AI risk tolerance determination practices and resource decisions.
Regularly review risk tolerances and re-calibrate, as needed, in accordance with information from AI system monitoring and assessment .

>Documentation Guidance

Organizations can document the following

Did your organization implement a risk management system to address risks involved in deploying the identified AI solution (e.g. personnel risk or changes to commercial objectives)?
What assessments has the entity conducted on data security and privacy impacts associated with the AI system?
Does your organization have an existing governance structure that can be leveraged to oversee the organization’s use of AI?

AI Transparency Resources

WEF Companion to the Model AI Governance Framework – Implementation and Self-Assessment Guide for Organizations
GAO-21-519SP - Artificial Intelligence: An Accountability Framework for Federal Agencies & Other Entities.

>References

Arvind Narayanan. How to recognize AI snake oil. Retrieved October 15, 2022.

Board of Governors of the Federal Reserve System. SR 11-7: Guidance on Model Risk Management. (April 4, 2011).

Emanuel Moss, Elizabeth Watkins, Ranjit Singh, Madeleine Clare Elish, Jacob Metcalf. 2021. Assembling Accountability: Algorithmic Impact Assessment for the Public Interest. (June 29, 2021).

Fraser, Henry L and Bello y Villarino, Jose-Miguel, Where Residual Risks Reside: A Comparative Approach to Art 9(4) of the European Union's Proposed AI Regulation (September 30, 2021). LINK,

Microsoft. 2022. Microsoft Responsible AI Impact Assessment Template. (June 2022).

Office of the Comptroller of the Currency. 2021. Comptroller's Handbook: Model Risk Management, Version 1.0, August 2021.

Solon Barocas, Asia J. Biega, Benjamin Fish, et al. 2020. When not to design, build, or deploy. In Proceedings of the 2020 Conference on Fairness, Accountability, and Transparency (FAT* '20). Association for Computing Machinery, New York, NY, USA, 695.