Manage a Risk
This article guides you through the process of managing risks end-to-end. The AI risk management process is dynamic and you will likely move back and forth in the process.
What is a Risk
A risk, in the context of compliance, is a potential event or circumstance that could negatively impact an organization's ability to meet its regulatory obligations, achieve its business objectives, or maintain its reputation. Risks represent uncertainties that, if realized, may lead to non-compliance, financial losses, or other adverse outcomes. Learn more about Risks.
Requirements
- You’re logged into the Modulos platform
- You have access to a project and you're assigned the editor role. You’ll need the reviewer or owner role to complete the review step.
Risk Management Process
To help you get started managing risks on the Modulos Platform, the example in this article walks you through the whole process:
- Assessing a risk by identifying and quantifying it before deciding whether to proceed
- Developing Treatment strategies and deciding when the Risk Treatment has been successful
- Monitoring (if applicable) the Risk over time and intervening if necessary
- Reporting on how the management of the Risk has developed
The goal of Risk Management is to assess the Inherent Risk and, if this risk is too high, systematically apply Treatment strategies to mitigate it to a Residual Risk that’s acceptable. Once the Residual Risk is acceptable, the Risk should continue to be Monitored and, if necessary, return to Treatment. At any time, a Report summarizing the Risk Management and lessons learned from it can be generated.
The risk management process on the Modulos platform is based on best practices from various laws and industry standards, in particular ISO/IEC 23894:2023 "Information technology — Artificial intelligence — Guidance on risk management".
Example:
Step 1: Create the Risk
You can create a new risk in the following ways:
On the Risk tab of your project, you see a list of all the Risks currently associated with the project. In order to add a new Risk, click + New Risk on the top right to start the process.
Alternatively, you can create a risk straight from the relevant Control by clicking Associate to a Risk in the sidebar.
You’ll be asked to give the new Risk a name. We recommend using a descriptive name.
NOTE: Some organizations will use specific naming conventions for risk management.
You can assign a user who will be responsible for this Risk in the sidebar.
Step 2: Risk Assessment Phase
After creating the Risk, you are in the Assessment phase of Risk Management.
In the sidebar, you can start adding metadata to the new Risk, such as to which AI System Lifecycle phase the Risk is related.
In the Identification box, you can start writing a report on what is already known about this risk. Modulos provides you with a template to cover the relevant aspects, but you may wish to use your own. You can associate existing Evidence here, or upload new files as Evidence. You could make use of your organization's Risk Taxonomy and Risk Sources Tags.
In the Estimation box, you can similarly write a report on how impactful and likely this Risk is.
The Risk Matrix allows you to quantify the impact and likelihood of the Risk based on what is known about it. You can also quantify how well you are able to detect this risk. This quantitative analysis should be based on your organization's Risk Management Policy so that Risks are comparable to each other in a quantitative sense.
NOTE: It may happen that your Risk is both highly likely and has a very high impact, but you have no ability to detect it. In this case, there is little you can do to mitigate it.
The Risk Matrix computes your Risk Priority Number (RPN), which is the product of the Risk's impact, likelihood and detection scores, and maps this number to your Risk Level. The combination of impact, likelihood and detection is the Risk's Inherent Risk.
NOTE: Inherent Risk is a concept from risk management. Once fully assessed, the Inherent Risk should no longer be changed. Instead, attempts to mitigate the Risk via Treatment strategies result in a Residual Risk.
The RPN is compared to your Risk Threshold. Generally, only risks above the Risk Threshold are recommended for Treatment.
The final box is the Risk Evaluation report, where the decision whether to treat the Risk further is recorded. The Evaluation has one of two outcomes: either the Risk is accepted, meaning its Residual Risk is already acceptable and no further action is taken, or Treatment is recommended, which moves the Risk to the Treatment phase.
Risk Assessment
Step 3: Risk Treatment Phase
After creating and assessing the Risk, you can start with the Treatment phase of Risk Management.
Risk Treatment is a process of implementing strategies and measures to mitigate the identified risks effectively. It involves taking proactive steps to reduce the likelihood or severity of potential harms or adverse impacts associated with an AI system or technological initiative.
Key Steps in Risk Treatment:
Create a New Strategy
- Click on the “New Strategy” button.
- A right drawer will open where you can enter details for the new strategy, including:
- Name: Assign a name to the new strategy.
- Plan: You can document your proposed actions or measures here, addressing identified risks. Describe specific steps such as implementing new protocols, enhancing security measures, or improving data governance practices.
- Implementation: Outline how you plan to execute the proposed strategies. Specify timelines, assign responsibilities to team members, allocate resources, and detail any necessary procedural or technical requirements.
- Residual Risk: Indicate the level of risk that remains after treatment.
Strategy Comparison and Selection
- Create or edit as many strategies as needed, compare their residual risks, and choose the most effective one using the toggle feature.
Conclusion
- Reflect on the outcomes of your risk management efforts and communicate key findings and decisions.
- Compare inherent risk (the initial level of risk before treatment) with residual risk (the level of risk remaining after treatment) using the risk matrix.
- Explain the results of the chosen risk treatment strategy, detailing why it was selected and how it addresses the identified risks.
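As an added worked example (this is not part of the Modulos documentation or platform code), the Python script below puts numbers to the two quantitative steps described above: the Risk Matrix of Step 2 (RPN as the product of impact, likelihood and detection, mapped to a Risk Level and compared to the Risk Threshold) and the strategy comparison of Step 3 (inherent RPN against each candidate strategy's residual RPN, choosing the most effective one and re-running the Evaluation on it). The 1–5 scoring scale, the Risk Level bands, the threshold value of 27 and the direction of the detection score (higher = harder to detect) are all assumptions made for illustration; your organization's Risk Management Policy defines the real ones.

```python
"""Worked RPN assessment and treatment-strategy comparison (illustrative example)."""
from dataclasses import dataclass
from typing import List, Optional

# ASSUMPTION: every factor is scored on a 1..5 scale. The page leaves the
# scale to your Risk Management Policy; only the product formula is fixed.
SCALE_MIN, SCALE_MAX = 1, 5

# ASSUMPTION: illustrative Risk Level bands covering the full RPN range 1..125.
RISK_LEVEL_BANDS = [
    (1, 8, "Low"),
    (9, 27, "Medium"),
    (28, 64, "High"),
    (65, 125, "Critical"),
]

# ASSUMPTION: illustrative Risk Threshold. Risks with an RPN strictly above it
# are recommended for Treatment, as the article describes.
RISK_THRESHOLD = 27


@dataclass(frozen=True)
class RiskScore:
    """One point on the Risk Matrix: impact x likelihood x detection."""
    impact: int
    likelihood: int
    detection: int  # ASSUMPTION: 1 = almost certainly detected, 5 = practically undetectable

    def __post_init__(self) -> None:
        # Reject scores outside the policy scale so RPNs stay comparable.
        for name in ("impact", "likelihood", "detection"):
            value = getattr(self, name)
            if not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(f"{name}={value} is outside {SCALE_MIN}..{SCALE_MAX}")

    @property
    def rpn(self) -> int:
        """Risk Priority Number: the product of the three factors."""
        return self.impact * self.likelihood * self.detection


def risk_level(rpn: int) -> str:
    """Map an RPN onto the configured Risk Level bands."""
    for low, high, label in RISK_LEVEL_BANDS:
        if low <= rpn <= high:
            return label
    raise ValueError(f"RPN {rpn} is outside the configured bands")


def evaluate(score: RiskScore, threshold: int = RISK_THRESHOLD) -> str:
    """Risk Evaluation outcome: 'accept' at or below the threshold, else 'treat'."""
    return "treat" if score.rpn > threshold else "accept"


@dataclass(frozen=True)
class Strategy:
    """A Treatment strategy and the Residual Risk its author expects after it."""
    name: str
    residual: RiskScore


def select_strategy(inherent: RiskScore, strategies: List[Strategy]) -> Optional[Strategy]:
    """Choose the most effective strategy: the lowest residual RPN among those
    that actually reduce the risk below its inherent RPN (ties: lower impact first).
    Returns None when no strategy improves on the Inherent Risk."""
    improving = [s for s in strategies if s.residual.rpn < inherent.rpn]
    if not improving:
        return None
    return min(improving, key=lambda s: (s.residual.rpn, s.residual.impact))


def compare(inherent: RiskScore, residual: RiskScore) -> dict:
    """Inherent-vs-residual summary for the Conclusion report."""
    return {
        "inherent_rpn": inherent.rpn,
        "inherent_level": risk_level(inherent.rpn),
        "residual_rpn": residual.rpn,
        "residual_level": risk_level(residual.rpn),
        "reduction_pct": round(100 * (inherent.rpn - residual.rpn) / inherent.rpn, 1),
        "evaluation": evaluate(residual),
    }


# Constructed sample data: a hypothetical AI-system risk and three candidate strategies.
INHERENT = RiskScore(impact=5, likelihood=4, detection=3)  # RPN 60 -> High -> treat
STRATEGIES = [
    Strategy("Add human review of model outputs", RiskScore(5, 4, 1)),  # RPN 20
    Strategy("Retrain on rebalanced data", RiskScore(5, 2, 3)),         # RPN 30
    Strategy("Add input validation layer", RiskScore(4, 2, 2)),         # RPN 16
]

if __name__ == "__main__":
    print(f"Inherent RPN {INHERENT.rpn} ({risk_level(INHERENT.rpn)}): {evaluate(INHERENT)}")
    chosen = select_strategy(INHERENT, STRATEGIES)
    if chosen is None:
        print("No strategy reduces the risk; return to Treatment.")
    else:
        print(f"Chosen strategy: {chosen.name}")
        print(compare(INHERENT, chosen.residual))
```

The script keeps the Inherent Risk immutable (frozen dataclass) and only ever produces new Residual Risk scores, mirroring the note in Step 2 that the Inherent Risk is not edited after assessment. If the chosen strategy's residual RPN still evaluates to "treat", the risk stays in the Treatment phase rather than being accepted.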
Request Review
- Request a review of your risk treatment efforts by a Risk Reviewer to ensure thorough evaluation and validation.
Notification Center
- Track the progress of your risk treatment efforts via the Notification Center, which provides updates and alerts on the status of your risk treatment activities.
Risk Treatment - Creating New Strategy
Risk Treatment - Choosing one strategy