Module 3: Governance & Risk Management · BoK III.A
Risk assessment mechanics
The greatest resources go to the highest-risk areas. The 3×3 harms matrix multiplies severity × probability for a score; tolerances vary by organisation; and NIST calls for senior independent oversight that declares risk tolerances.
Where the resources go, how scores are built, and what NIST says good oversight looks like.
- Resource allocation → the greatest resources go to the highest-risk areas → define project scope, determine impacts and business value, assign risk levels.
- The 3×3 harms matrix → rate each risk's severity and probability, then multiply severity × probability for the score → measured risks are governed with legal, policy and technical controls driving operational decisions.
- Risk tolerances & sources → tolerances vary among organisations (and within them) → policies categorise and evaluate risks against standards in documented contextual reviews; consider sources → financial, operational, safety, reputational, compliance.
- Senior independent oversight reviews risk structures and holds them accountable → declare risk tolerances
- Allocate authority and resources → right people, right tools
- Document roles and responsibilities
- AI solutions provide sufficient information for informed, documented decisions
Key terms - quick answers
What is the “3×3 harms matrix”?
Rates each risk's severity and probability, multiplying them for a score.