
How to manage risks

Step 1. Identify risks

Risk management is a guided, knowledge-based feature of Saidot. Our risk management methodology is based on standards and industry best practices. Start the risk management process by opening the Risks tab.

Risks can be added to systems in three ways:

  • Adding recommended risks from Saidot’s risk library

  • Recording custom risks

  • Inheriting risks from models, datasets and products

When using the risks in the library, the risk descriptions and mitigation suggestions are populated automatically. When recording a custom risk, the information needs to be added manually. The risk recommendations are based on the contextual information added when registering the system.


To support effective and comprehensive risk identification, the Saidot platform includes an automated risk inheritance mechanism. Risk inheritance automatically surfaces risks linked to models and products, helping users identify and manage relevant risks for their AI system. In the future, this inheritance will also extend to datasets, further strengthening risk coverage across system components.

When users connect models (from the catalogue or from the library) or products to systems on the platform, relevant risks connected to those components are inherited. These risks are then shown in the system's risk management overview. This ensures that key risks are not overlooked and that users are proactively alerted to potential concerns based on the system's models and products.

On the platform, the following types of risks are inherited from models, products and datasets:

  • Model Catalogue: If a model is built on a third-party provider model, risks communicated by the provider about the model are automatically populated on the model card. Provider-identified risks are risks highlighted by a model provider in the provider's published model card pertaining to the model or in a provider's published risk framework descriptive of the specific model or model family. In addition, any model-related risks manually selected by the user, technical, legal, or otherwise, are inherited.

  • Model Library: Inherited risks include those communicated by the model provider.

  • Products: Inherited risks include provider-identified risks and risks arising out of Saidot’s legal and contractual analysis. Provider-identified risks are risks highlighted by a product provider in the provider's published product documentation or in a provider's published risk framework descriptive of the specific product.

All inherited risks appear automatically in the risk management overview. If a specific risk originates from multiple sources, it will appear separately for each source to support targeted and effective mitigation strategies. Users are responsible for reviewing these risks, assessing their relevance, and prioritising them based on the specific system's context of use. Irrelevant inherited risks can be deleted from the overview if they do not apply to the use case.

Even when risks are inherited automatically, users are encouraged to review the risk recommendations to ensure comprehensive coverage. Inherited risks provide a great starting point, but they may not capture all relevant risks. We emphasise the importance of user accountability in identifying additional, context-specific risks that the platform may not surface on its own.

It is important to note that if a model or product is later removed from a system, any risks that were inherited from it will no longer appear in the risk management tab. This removal requires user confirmation to ensure essential risks are not unintentionally deleted. Once confirmed, the inherited risks and any corresponding data are deleted from risk management.

 

  


Step 2. Document risks

Risk documentation includes the risk owner, risk source, risk type and risk description. When using a risk from the Saidot risk library, the risk description is populated automatically, but it can be edited if needed. Contextual risk consequences can be described separately.

Step 3. Evaluate risks

Analyse the inherent risk level, which indicates the risk level before treatments. Also analyse the marginal risk level, which describes the change in risk that occurs as a result of the introduction of AI technology.

Step 4. Risk treatment

Select a risk treatment strategy according to the inherent risk level and our recommendations.

If you are using a risk from the Saidot risk library, you can import mitigations suitable for risk treatments. You may also add your own custom mitigations.

Step 5. Assess residual risk

After selecting and implementing the treatments, select the treatment status and assess the residual risk. Residual risk describes the risk level after the treatments have been implemented.
