AI Risk Appetite

Introduction

Risk appetite serves as a cornerstone of effective risk management, defining the level of risk an organisation is willing to accept in pursuit of its objectives. Originating from decades of refinement in the financial services industry, guidance from global bodies such as the Financial Stability Board (FSB) and the Bank for International Settlements (BIS) has shaped robust frameworks for setting and governing risk appetite. With the advent of artificial intelligence (AI), these principles must now evolve to address the unique challenges and opportunities posed by this transformative technology. This document provides comprehensive guidance on establishing and implementing AI-specific risk appetite and governance frameworks, seamlessly integrating traditional principles with modern applications.

Risk Appetite: Foundational Principles

1. Ownership from the Top

The Board of Directors bears ultimate responsibility for defining and overseeing the organisation’s risk appetite. This top-down approach ensures that risk appetite aligns with the organisation’s strategic objectives, ethical commitments, and regulatory obligations.

2. Clarity and Alignment

Risk appetite must be articulated clearly, using measurable thresholds to guide decision-making. It should align with the organisation’s mission and strategic goals, ensuring consistency across all levels.

3. Integration into Organisational Processes

Risk appetite should permeate all layers of the organisation, influencing strategy, operations, and decision-making. It must be embedded within the broader risk management framework to ensure comprehensive coverage.

Governance Framework: Principles and Application

1. Governance Structure

A robust governance framework ensures that AI risks are identified, monitored, and managed effectively.

2. Core Functions: Govern, Map, Measure, Manage

Adopting a structured approach to AI risk management ensures comprehensive oversight and mitigation.

Monitoring, Reporting, and Continuous Improvement

Continuous monitoring of AI systems ensures that they remain within the defined risk appetite and perform as intended.