AI Risk Appetite Statement
What This Requires
Document the organization's AI risk appetite across its key risk categories: data privacy, model bias, security vulnerabilities, and operational reliability. For each category, define risk thresholds (low/medium/high) and the approval authority that may accept risk at each level.
Why It Matters
A risk appetite statement translates abstract principles into criteria a team can actually decide against. Without one, teams either over-restrict legitimate work or accept risks the organization would never knowingly tolerate, simply because nobody has written down where the line is. It also gives reviewers a defensible basis for saying no, which is otherwise argued case by case.
How To Implement
Define Risk Categories
Establish 4-6 risk domains covering the categories in the statement (e.g., data exposure/privacy, bias/fairness, security, availability/reliability, compliance). For each, define what constitutes low/medium/high risk with concrete, AI-specific examples rather than generic descriptions. For the security domain, for instance, an internal model with no access to sensitive data and no ability to take actions might be low, a customer-facing assistant that reads sensitive records is medium, and an agent that can invoke tools or execute actions against production systems on the basis of untrusted input is high. Examples at each level are what make the rubric usable by teams that are not security specialists.
Set Approval Thresholds
Map risk levels to approval authority: low (team lead), medium (director plus security review), high (executive committee). Include mandatory controls for each tier (e.g., high risk requires a red team assessment before launch, medium risk requires a documented threat model). The approver should not be the owner of the system being approved, and approvals should carry an expiry or re-review date so that accepted risk does not become permanent by default.
Scoring Rubric
Create a simple scoring model (impact × likelihood) aligned to the existing enterprise risk framework, so AI risks are comparable with the rest of the risk register rather than scored on a separate scale. Define each point on the impact and likelihood scales explicitly; otherwise two teams will score the same system differently. Provide a decision tree or questionnaire so teams can self-assess, but treat self-assessment as a first pass: require independent validation of any assessment that lands at medium or high, and spot-check a sample of those rated low, since self-assessments tend to under-score.
Review & Calibration
Review annually, after major incidents, and whenever a new class of AI use appears that the current categories do not describe (for example, the first deployment of autonomous agents with tool access). Track approval decisions to identify patterns: a high rate of exceptions or escalations suggests the stated appetite does not match the organization's actual tolerance, and the statement, not the teams, should be corrected.
Evidence & Audit
- Risk appetite statement approved by board or executive team
- Risk scoring rubric with examples
- Approval authority matrix (RACI or similar)
- Decision logs showing risk assessments, approvals, and any exceptions granted, with their approver and expiry
- Annual review documentation