Board Risk Committee — AI Compliance Reporting

For organisations with material AI exposure, the board receives periodic reporting covering the number and classification of AI systems, the compliance status of each high-risk system, serious incidents and their resolution status, material regulatory developments, and overall risk posture. Quarterly reporting is appropriate for large portfolios; semi-annual reporting is appropriate for smaller ones. Board reporting is concise, decision-oriented, and escalates issues requiring board-level authority (risk appetite adjustments, material compliance investments, system withdrawal decisions). The AI Governance Lead prepares the report; the CRO or CTO presents it to the board.

Key outputs
- Board-level AI compliance reporting (quarterly or semi-annual)
- Portfolio status, incidents, regulatory developments, risk posture
- Decision-oriented with clear escalation points
- Module 7 AISDP evidence
Audit Committee — AI Compliance Scope & Financials

The audit committee includes AI compliance within its scope. The Internal Audit Assurance Lead’s annual oversight audit is reported to the committee, alongside any findings affecting the financial statements: provisions for potential regulatory fines, or the carrying value of AI system assets that may be subject to mandatory withdrawal. The audit committee’s oversight ensures that the AI compliance programme receives independent board-level scrutiny beyond the AI Governance Lead’s self-assessment.

Key outputs
- AI compliance within audit committee scope
- Annual oversight audit reported to committee
- Financial statement implications assessed
- Independent board-level scrutiny
Risk Committee — Risk Appetite & Insurance

The risk committee receives the portfolio-level risk register and reviews the organisation’s AI risk appetite. Key questions include whether residual risk acceptance criteria are appropriately calibrated, whether AI compliance investment is proportionate to risk exposure, and whether insurance coverage addresses AI-specific liabilities. The risk committee’s engagement ensures that AI risk appetite is set at the appropriate organisational level, not delegated to the AI Governance Lead alone.

Key outputs
- Portfolio risk register reviewed by risk committee
- AI risk appetite set at board level
- Insurance coverage adequacy assessment
- Module 7 AISDP evidence
Compliance Committee — AI Act Integration

Where the organisation has a compliance committee (common in financial services and healthcare), the AI Governance Lead integrates AI Act compliance into the committee’s agenda alongside GDPR, sector-specific regulation, and other obligations. The AI Act-GDPR interaction is particularly relevant; the DPO Liaison’s role in the oversight pyramid should be reflected in the compliance committee’s reporting structure. Integration avoids the risk of AI compliance operating as an isolated programme disconnected from the organisation’s broader compliance framework.

Key outputs
- AI Act integrated into compliance committee agenda
- Cross-regulatory coordination (GDPR, sector-specific)
- DPO Liaison reporting structure reflected
- Compliance programme integration