v2.4.0

Phase 2 conducts the comprehensive risk assessment that informs all subsequent design and development decisions. The Technical SME and AI System Assessor conduct the five-method risk identification (FMEA, stakeholder consultation, regulatory gap analysis, adversarial red-teaming, horizon scanning). The risk register is established, with each risk scored across four dimensions. Residual risk acceptability is assessed against Article 9(4).

For deployers of high-risk systems, the FRIA is conducted in parallel. It examines the impact on all potentially affected EU Charter rights, with attention to intersectional effects. The reputational risk framework assesses customer, market, regulatory, shareholder, and employee dimensions.

Phase 2 produces the risk register (populating Module 6), the FRIA report (populating Module 11), the reputational risk assessment, and the risk mitigation plan with assigned owners and timelines. The AI Governance Lead reviews the risk register and accepts the residual risk profile before development proceeds. This gate ensures that design decisions in Phase 3 are informed by a complete risk picture.

Key outputs

  • Risk register with four-dimension scoring
  • FRIA report and reputational risk assessment
  • Risk mitigation plan with owners and timelines
  • Gate: risk profile acceptance before Phase 3