System-theoretic process analysis (STPA)

BackRisk matrices

This page is still being polished. If you have thoughts, please share them via the feedback form.

Data on this page is preliminary and may change. Please do not share or cite these figures publicly.

Risk matrices

Gipiskis (2024)|LLM classified

Mitigation Taxonomy

2Organisation

2.2Risk & Assurance

2.2.1Risk Assessment

Structured analysis to identify, characterize, and prioritize potential harms and risks.

Also in Risk & Assurance

2.2.2 Testing & Evaluation2.2.3 Auditing & Compliance2.2.4 Assurance Documentation

Definitionp. 37

A risk matrix is a method for risk evaluation. It is a heatmap that, for each cell, shows the severity score weighted by the likelihood score of a particular risk, usually from a scale of 1-5. Two rankings are required to construct a risk matrix: a ranking for the severity of risks, and a corresponding ranking of the likelihood of risks [107]. AI-related risks can be generated using appropriate taxonomies, and placed into the relevant cells according to their assessed likelihood and severity based on predefined criteria (e.g., likelihood level 1 corresponds to < 1% chance, and likelihood level 5 corresponds to > 90% chance; while severity level 1 corresponds to mild inconveniences to the user, and severity level 5 corresponds to a fatality or financial damage upwards of $10 million, etc.), such that particular focus can be given to mitigating risks with higher weighted scores (i.e., likelihood multiplied by severity).

LLM Classification Details

Reasoning

Risk matrices systematically identify, characterize, and prioritize potential harms and risks pre-deployment.

Code: 2.2.1Version: v0.6Classified: Feb 6, 2026

Part of

Risk Assessment

Other mitigations from Gipiskis (2024) (112)

Model development

2.4 Engineering & Development

Lifecycle:Build and Use ModelActor:DeveloperAIRM:Unable to classify

Model development > Data-related

1.1 Model

Lifecycle:Collect and Process DataActor:Unable to classifyAIRM:Unable to classify

Model evaluations

2.2.2 Testing & Evaluation

Lifecycle:Verify and ValidateActor:DeveloperAIRM:Measure

Model evaluations > General evaluations

2.2.2 Testing & Evaluation

Lifecycle:Verify and ValidateActor:DeveloperAIRM:Measure

Model evaluations > Benchmarking

3.2.1 Benchmarks & Evaluation

Lifecycle:Other (outside lifecycle)Actor:DeveloperAIRM:Measure

Model evaluations > Red teaming

2.2.2 Testing & Evaluation

Lifecycle:Verify and ValidateActor:DeveloperAIRM:Measure

View all 112 mitigations from this source →

Source Document

Risk Sources and Risk Management Measures in Support of Standards for General-Purpose AI Systems

Gipiškis, Rokas; San Joaquin, Ayrton; Chin, Ze Shen; Regenfuß, Adrian; Gil, Ariel; Holtman, Koen (2024)

Organizations and governments that develop, deploy, use, and govern AI must coordinate on effective risk mitigation. However, the landscape of AI risk mitigation frameworks is fragmented, uses inconsistent terminology, and has gaps in coverage. This paper introduces a preliminary AI Risk Mitigation Taxonomy to organize AI risk mitigations and provide a common frame of reference. The Taxonomy was developed through a rapid evidence scan of 13 AI risk mitigation frameworks published between 2023-2025, which were extracted into a living database of 831 distinct AI risk mitigations.

View source DOI: 10.48550/arXiv.2410.23472

Classification

AI Lifecycle Stage

Plan and Design

Designing the AI system, defining requirements, and planning development

Responsible Actor

Deployer

Entity that integrates and deploys the AI system for end users

NIST AI RMF Function

Measure

Quantifying, testing, and monitoring identified AI risks

Manage

Risk Domains

Primary

6.5 Governance failure