BackAssess risks

This page is still being polished. If you have thoughts, please share them via the feedback form.

Data on this page is preliminary and may change. Please do not share or cite these figures publicly.

Assess risks

Parlov (2025)|LLM classified

Mitigation Taxonomy

2Organisation

2.2Risk & Assurance

2.2.1Risk Assessment

Structured analysis to identify, characterize, and prioritize potential harms and risks.

Also in Risk & Assurance

2.2.2 Testing & Evaluation2.2.3 Auditing & Compliance2.2.4 Assurance Documentation

Definitionp. 6

Organizations should assess the identified risks by evaluating their likelihood, severity and impact on individuals, groups and organizational operations. Each fundamental right should be assessed separately using a structured FRIA approach (with no aggregation across rights) while DPIA should guide the evaluation of data protection risks like unauthorized access, bias or re-identification.

LLM Classification Details

Reasoning

Structured risk assessment evaluates likelihood, severity, and impact on stakeholders using FRIA and DPIA frameworks.

Code: 2.2.1Version: v0.5Classified: Jan 22, 2026

Part of

Risk Assessment Layer

evaluates the severity and likelihood of each risk, considering impacts on individuals, society and the organization. Risks are assessed separately for rights, data and operations.

Other mitigations from Parlov (2025) (20)

Governance Layer

establishes leadership, roles and policies for AI oversight. Ensures commitment to rights, privacy and ethical use, with input from internal and external stakeholders

2.1.3 Policies & Procedures

Lifecycle:Other (outside lifecycle)Actor:Governance ActorAIRM:Govern

Governance Layer > Establish governance structure

Organizations should establish a governance structure that supports the trustworthy, lawful and resilient development and operation of AI systems. This structure should align with the EU AI Act, the GDPR and ISO/IEC 42001 and 23894

2.1 Oversight & Accountability

Lifecycle:Other (outside lifecycle)Actor:Governance ActorAIRM:Govern

Governance Layer > Demonstrate leadership

Senior management should demonstrate leadership by allocating resources, setting strategic goals and formalizing policies that reflect the organization’s commitment to responsible AI. An AI policy should be created to outline principles related to fundamental rights (FRIA), personal data protection (DPIA) and risk-based thinking (ISO/IEC 23894).

2.1.3 Policies & Procedures

Lifecycle:Other (outside lifecycle)Actor:Governance ActorAIRM:Govern

Governance Layer > Define and document roles and responsibilities

Organizations should define and document roles and responsibilities for managing AI risks, ensuring clear accountability for FRIA, DPIA and compliance processes. They should also establish mechanisms for engaging with external stakeholders (including users, affected communities and regulators) to promote transparency and build trust

2.1.2 Roles & Accountability

Lifecycle:Other (outside lifecycle)Actor:Governance ActorAIRM:Govern

Risk Identification Layer

identifies legal, ethical, privacy and societal risks based on how and where the AI system is used. It uses FRIA, DPIA and ISO methods, with attention to affected groups and contexts

2.2.1 Risk Assessment

Lifecycle:Plan and DesignActor:DeployerAIRM:Map

Risk Identification Layer > Identify all risks

Organizations should systematically identify all relevant legal, ethical, privacy and operational risks across the lifecycle of the AI system. This includes applying the FRIA, DPIA and ISO standards in a coordinated manner. They should begin with planning and scoping to understand the system’s purpose, the individuals it may impact and the societal or regulatory context. Personal data risks should be analyzed in line with DPIA guidelines, with a focus on profiling, automated decision-making and sensitive data.

2.2.1 Risk Assessment

Lifecycle:Plan and DesignActor:Governance ActorAIRM:Map

View all 20 mitigations from this source →

Source Document

Structuring AI Risk Management Framework: EU AI Act FRIA, GDPR DPIA and ISO 42001/23894

Parlov, Natalija; Mateša, Blanka; Mladinić, Anamarija (2025)

The growing regulatory focus on trustworthy AI systems has accelerated the need for integrated approaches to AI risk management. This paper presents a structured framework that aligns the EU AI Act's Fundamental Rights Impact Assessment (FRIA) and the GDPR's Data Protection Impact Assessment (DPIA) with the risk management principles and processes of ISO/IEC 42001 and ISO/IEC 23894. The aim is to support organizations in addressing legal, ethical, privacy and operational risks through unified, standards-aligned approach.It is hypothesized that embedding FRIA and DPIA procedures within ISO-compliant risk management structures can streamline compliance, strengthen governance and promote accountability and transparency. The proposed framework outlines six core phases: governance, risk identification, risk assessment, integrated impact assessment, risk treatment and monitoring and review. A dynamic feedback mechanism enables continuous improvement and adaptation to emerging risks and evolving societal expectations.By structuring these components into a coherent framework, the research supports organizations in aligning regulatory obligations with international best practices, reducing redundancy and advancing responsible, resilient AI innovation. ¬© 2025 IEEE.

View source DOI: 10.1109/MECO66322.2025.11049196

Classification

AI Lifecycle Stage

Plan and Design

Designing the AI system, defining requirements, and planning development

Responsible Actor

Governance Actor

Regulator, standards body, or oversight entity shaping AI policy

DeveloperDeployer

NIST AI RMF Function

Measure

Quantifying, testing, and monitoring identified AI risks

Map

Risk Domains

Primary

6.5 Governance failure

Other

1 Discrimination & Toxicity2.1 Compromise of privacy by leaking or correctly inferring sensitive information