BackStructured workflow

This page is still being polished. If you have thoughts, please share them via the feedback form.

Data on this page is preliminary and may change. Please do not share or cite these figures publicly.

Structured workflow

Parlov (2025)|LLM classified

Mitigation Taxonomy

2Organisation

2.2Risk & Assurance

2.2.1Risk Assessment

Structured analysis to identify, characterize, and prioritize potential harms and risks.

Also in Risk & Assurance

2.2.2 Testing & Evaluation2.2.3 Auditing & Compliance2.2.4 Assurance Documentation

Definitionp. 7

The integrated assessment should follow a structured workflow for identifying, scoring and documenting risks. The results should be consolidated in a way that satisfies all legal and standard-based requirements

LLM Classification Details

Reasoning

Structured workflow systematically identifies, scores, and documents risks through organized assessment process.

Code: 2.2.1Version: v0.5Classified: Jan 22, 2026

Part of

Integrated Impact Assessment Layer

combines FRIA, DPIA and ISO assessments into one process. It assesses rights, privacy and broader impacts in a structured way, with clear documentation

Other mitigations from Parlov (2025) (20)

Governance Layer

establishes leadership, roles and policies for AI oversight. Ensures commitment to rights, privacy and ethical use, with input from internal and external stakeholders

2.1.3 Policies & Procedures

Lifecycle:Other (outside lifecycle)Actor:Governance ActorAIRM:Govern

Governance Layer > Establish governance structure

Organizations should establish a governance structure that supports the trustworthy, lawful and resilient development and operation of AI systems. This structure should align with the EU AI Act, the GDPR and ISO/IEC 42001 and 23894

2.1 Oversight & Accountability

Lifecycle:Other (outside lifecycle)Actor:Governance ActorAIRM:Govern

Governance Layer > Demonstrate leadership

Senior management should demonstrate leadership by allocating resources, setting strategic goals and formalizing policies that reflect the organization’s commitment to responsible AI. An AI policy should be created to outline principles related to fundamental rights (FRIA), personal data protection (DPIA) and risk-based thinking (ISO/IEC 23894).

2.1.3 Policies & Procedures

Lifecycle:Other (outside lifecycle)Actor:Governance ActorAIRM:Govern

Governance Layer > Define and document roles and responsibilities

Organizations should define and document roles and responsibilities for managing AI risks, ensuring clear accountability for FRIA, DPIA and compliance processes. They should also establish mechanisms for engaging with external stakeholders (including users, affected communities and regulators) to promote transparency and build trust

2.1.2 Roles & Accountability

Lifecycle:Other (outside lifecycle)Actor:Governance ActorAIRM:Govern

Risk Identification Layer

identifies legal, ethical, privacy and societal risks based on how and where the AI system is used. It uses FRIA, DPIA and ISO methods, with attention to affected groups and contexts

2.2.1 Risk Assessment

Lifecycle:Plan and DesignActor:DeployerAIRM:Map

Risk Identification Layer > Identify all risks

Organizations should systematically identify all relevant legal, ethical, privacy and operational risks across the lifecycle of the AI system. This includes applying the FRIA, DPIA and ISO standards in a coordinated manner. They should begin with planning and scoping to understand the system’s purpose, the individuals it may impact and the societal or regulatory context. Personal data risks should be analyzed in line with DPIA guidelines, with a focus on profiling, automated decision-making and sensitive data.

2.2.1 Risk Assessment

Lifecycle:Plan and DesignActor:Governance ActorAIRM:Map

View all 20 mitigations from this source →

Source Document

Structuring AI Risk Management Framework: EU AI Act FRIA, GDPR DPIA and ISO 42001/23894

Parlov, Natalija; Mateša, Blanka; Mladinić, Anamarija (2025)

The growing regulatory focus on trustworthy AI systems has accelerated the need for integrated approaches to AI risk management. This paper presents a structured framework that aligns the EU AI Act's Fundamental Rights Impact Assessment (FRIA) and the GDPR's Data Protection Impact Assessment (DPIA) with the risk management principles and processes of ISO/IEC 42001 and ISO/IEC 23894. The aim is to support organizations in addressing legal, ethical, privacy and operational risks through unified, standards-aligned approach.It is hypothesized that embedding FRIA and DPIA procedures within ISO-compliant risk management structures can streamline compliance, strengthen governance and promote accountability and transparency. The proposed framework outlines six core phases: governance, risk identification, risk assessment, integrated impact assessment, risk treatment and monitoring and review. A dynamic feedback mechanism enables continuous improvement and adaptation to emerging risks and evolving societal expectations.By structuring these components into a coherent framework, the research supports organizations in aligning regulatory obligations with international best practices, reducing redundancy and advancing responsible, resilient AI innovation. ¬© 2025 IEEE.

View source DOI: 10.1109/MECO66322.2025.11049196

Classification

AI Lifecycle Stage

Other (outside lifecycle)

Outside the standard AI system lifecycle

Responsible Actor

Governance Actor

Regulator, standards body, or oversight entity shaping AI policy

NIST AI RMF Function

Other

Risk management function not captured by the standard AIRM categories

GovernMapMeasureManage

Risk Domains

Primary

6.5 Governance failure