3. Inherent risk assessment

To complete the inherent risk assessment, follow these steps.

Sections 3.1 to 3.8

Definitions

Inherent risk: reflects the level of risk that exists before any additional or new controls are applied. This is the risk level under standard operating conditions, assuming only existing baseline or standard controls are in place.

Residual risk: reflects the level of risk that remains after new or additional treatments, controls or safeguards have been implemented.

Determine risk likelihood and consequence

For each risk category listed in the assessment table, determine the likelihood and consequence of the risk occurring for your AI use case. The likelihood descriptors are provided in Table 1 of the impact assessment tool, and consequence descriptors are in the appendix to this guidance. 

The inherent risk assessment should reflect the intended scope and function of the AI use case. In conducting your assessment, you should be clear on:

  • key factors contributing to the likelihood and consequence of the risk
  • any assumptions or uncertainties affecting your risk assessment.

Determine inherent risk rating

Use the risk matrix provided in Table 2 of the impact assessment tool to determine the risk rating for each category.

Provide explanations

Provide clear and concise explanations for each risk rating.

Key considerations

When completing the inherent risk assessment, keep the following in mind:

  • Try to be objective and honest in your assessment of risks. Underestimating risks at this stage could lead to inadequate risk management.
  • Determining risk ratings can be challenging. Seek guidance from others to assist you, especially subject matter experts and those experienced in safe and responsible AI risk assessments.
  • Consider the perspectives of stakeholders, including those identified at section 2.4, in assessing the likelihood and consequence of risks.
  • Consider the perspectives of marginalised groups, including First Nations people, especially in relation to risks relating to discrimination and stereotyping. You may not have the background or life experience to fully appreciate these risks.
  • Consider both intended and unintended consequences and outcomes. This includes evaluating the impact of system failure, the impact of misuse or malicious use and other deviations from expected use.
  • Where there is uncertainty or disagreement about the appropriate inherent risk rating, choose the higher rating.
  • Document key assumptions or evidence used in determining the risk severity ratings, as this will help explain the rationale for your assessment to reviewers.
  • Consider the expected benefits of the AI use case before deciding whether to proceed based on significant but mitigable risks.

3.9 Overall inherent risk rating

In this section, you are required to determine the threshold risk rating for the AI use case based on the ratings selected in the sections above. The highest risk rating identified in any earlier sections must be used as the overall risk rating.
