What is a Risk and Impact Assessment?
AI risk and impact assessment is the structured process of identifying what could go wrong with an AI system, who could be harmed, how severely, how likely it is, and what controls reduce the residual risk to an acceptable level — before the system is deployed and continually thereafter.
Generic enterprise risk frameworks (ISO 31000, COSO) do not capture the specific failure modes of AI systems: bias against protected groups, hallucination, distribution shift, prompt injection, opaque decision-making, automation complacency. A dedicated AI risk and impact assessment process surfaces these explicitly, scoring each across affected population, severity, likelihood, and reversibility.
The output is twofold. First, a fitness-to-deploy decision: does residual risk fall within the organisation's stated appetite? Second, a control register: what is being done to keep the risk low and what residual risk remains. Material AI systems should have a documented risk and impact assessment refreshed at least annually and after any significant change.
In the Veridio framework, D3 contains five principles covering risk methodology, impact assessment for affected individuals (often called an FRIA — fundamental rights impact assessment under the EU AI Act), proportionate control selection, risk acceptance authority, and re-assessment triggers. These map to the EU AI Act Article 9 (risk management system) and Article 27 (FRIA for high-risk systems).
Common questions about risk & impact assessment
What is the difference between an AI risk assessment and a fundamental rights impact assessment?
An AI risk assessment evaluates risks to the organisation: financial, operational, regulatory, reputational. A fundamental rights impact assessment (FRIA, required by the EU AI Act for high-risk systems) evaluates risks to the people affected by the system: discrimination, loss of access to services, due process, dignity. Both are needed; they answer different questions.
Which AI systems require a risk assessment?
Every AI system in the inventory should have at least a screening risk assessment. Systems classified as high-risk under the EU AI Act, or as material under internal criteria, require a full impact assessment with documented controls and residual risk acceptance by an accountable person.
How often must AI risk assessments be reviewed?
At least annually for material systems. A review is also re-triggered by: a significant change to the model or training data; a material change in the use case or affected population; a new regulatory requirement; or an incident that reveals previously unconsidered risks.
What does an AI impact assessment look like?
A structured document covering: system purpose and population affected; identified risks (bias, error, opacity, security, misuse); severity, likelihood, and reversibility scoring; controls in place; residual risk; mitigation roadmap; and named risk owner. Veridio provides a template (T-D3-01) implementing this structure.
How does AI risk feed enterprise risk reporting?
Material AI risks should appear in enterprise risk registers with consistent scoring, and aggregated AI risk should be reported to the board at least annually. Mature organisations include AI as a standing item in quarterly risk committee meetings, with the AI accountable executive presenting trends and material changes.