Calculating risk
The working Risk formula is probability × severity. High → avoid or change; medium → explore and mitigate. Plus the four technical assessment categories and the EU risk pyramid's four tiers.
Determine who needs to be involved (business + technical stakeholders) → understand the business purpose and planned uses → enumerate potential harms, incl. false positives, false negatives and numeric over- and under-predictions → assess the training data description, incl. sensitive data → check whether the AI has been benchmarked against established alternative approaches. Then apply the formula → probability of the harm × severity of the harm if it occurs. Result high → avoid or change the AI to prevent the harm. Result medium → explore and mitigate the risks.
- Intended task → what will it achieve
- Function & performance metrics
- Robustness → scalable, withstands varying levels of use
- Transparency → how it works and its intended consequences
All assessment criteria sum to one question → is the AI outcome ultimately fair?
| Tier | What it means |
|---|---|
| Unacceptable risk | Banned → social credit scoring, real-time remote facial recognition in public spaces |
| High risk | Harms safety or fundamental rights → mandatory requirements apply |
| Limited risk | Only transparency requirements prescribed |
| Minimal risk | No mandatory requirements → voluntary industry standards |
Risk assessment is context-specific → context comes from five places → owner and operator · industry and use case · social impacts · timing · jurisdiction. Tailoring the framework to context strengthens governance and enables informed, values-aligned decisions.
"Risk assessment of AI is both an art and a science." - Vivienne Artz
Memorise the actions → high risk = avoid or change, medium risk = explore and mitigate. And the unacceptable-tier bans → social credit scoring and real-time remote facial recognition in public spaces.