Risk Management for AI: A Board Director's Guide

AI Governance · 2 min read

AI risk management starts with the board. Board directors play a critical role in setting the firm's risk appetite, establishing context and objectives, and ensuring that AI initiatives align with overall strategy. Well-established risk management frameworks like ISO 31000, COSO ERM, and the NIST Cybersecurity Framework can be adapted for AI-specific risks.

The risk management process begins with establishing context and objectives — understanding the current regulatory environment and the specific uses of AI within the organization. This includes data flow mapping, a critical step in risk identification that helps boards understand jurisdictional data flows and regulatory requirements.

Risk assessment encompasses identification, analysis, and evaluation. AI introduces unique risk categories including bias, opacity, data provenance challenges, and rapidly evolving regulatory requirements. Boards must ensure assessment processes are comprehensive and regularly updated.

Risk treatment options include avoidance (choosing not to deploy AI in high-risk contexts), mitigation (implementing technical guardrails and human oversight), transfer (through insurance or contractual allocation), and acceptance (where risks fall within the organization's defined tolerance). Each approach has implications that boards should understand.

Risk decisions, treatments, and outcomes should be carefully recorded and reported to support transparency and accountability. By creating and preserving these records, organizations can demonstrate compliance with regulatory obligations and industry standards. Despite mitigation strategies, risks may still be realized — having a well-crafted response plan minimizes impact.

Effective risk management is continuous, not a one-time exercise. Given the speed at which AI and related legal obligations evolve, boards must regularly evaluate their AI risks and opportunities. This involves assessing whether the existing program still meets organizational needs, identifying new risks, finding areas for improvement, and implementing changes that strengthen the program's effectiveness.
