ISO 42001 uniquely requires both AI risk assessments and AI system impact assessments. While these may seem similar, they serve distinct purposes and require different approaches. Understanding this distinction is crucial for both implementing and auditing AI Management Systems.
Defining the Two Assessments
AI Risk Assessment (Clause 6.1.2)
AI risk assessment focuses on identifying and evaluating risks that could prevent the organization from achieving its AI management system objectives. It answers: What could go wrong with our AI governance and operations?
AI System Impact Assessment (Clause 6.1.4)
AI system impact assessment evaluates the potential consequences of deploying an AI system on individuals, groups, and societies. It answers: What are the potential effects of this AI system on people and society?
Key Differences
| Dimension | AI Risk Assessment | AI System Impact Assessment |
|---|---|---|
| Focus | Organizational risks and objectives | Consequences to affected parties |
| Perspective | Inside-out (organization's view) | Outside-in (stakeholder's view) |
| Scope | AIMS effectiveness and compliance | Individual AI system effects |
| Output | Risk register, treatment plans | Impact report, mitigation measures |
| Timing | Ongoing across all AI activities | Before deployment of each AI system |
| Stakeholders | Internal risk and compliance | Affected parties and ethics reviewers |
AI Risk Assessment Deep Dive
What It Evaluates:
- Risks to achieving AI policy objectives
- Risks from AI system failures or errors
- Compliance risks from regulatory requirements
- Operational risks from AI dependencies
- Reputational risks from AI incidents
- Financial risks from AI investments
Assessment Process:
- Identify risks across all AI activities
- Analyze likelihood and impact
- Evaluate against risk criteria
- Determine treatment approach
- Document in risk register
- Monitor and review regularly
Audit Considerations:
- Does the assessment cover all in-scope AI systems?
- Are AI-specific risk categories addressed?
- Is the methodology documented and appropriate?
- Are treatment decisions linked to controls?
- Is there ongoing monitoring and review?
AI System Impact Assessment Deep Dive
What It Evaluates:
- Intended Use: Primary purposes and expected beneficiaries
- Foreseeable Misuse: How the system could be used improperly
- Affected Parties: Who is affected by AI decisions
- Impact Types: Societal, ethical, environmental, economic effects
- Vulnerable Groups: Special consideration for at-risk populations
- Rights Implications: Effects on fundamental rights and freedoms
Assessment Process:
- Document AI system purpose and functionality
- Identify all affected stakeholders
- Evaluate potential positive and negative impacts
- Consider foreseeable misuse scenarios
- Assess impacts on vulnerable groups
- Determine mitigation measures
- Define monitoring approach
Audit Considerations:
- Was assessment completed before deployment?
- Were appropriate stakeholders consulted?
- Does it consider societal and ethical impacts?
- Are mitigation measures implemented?
- Is there post-deployment impact monitoring?
Comparison with Similar Assessments
Data Protection Impact Assessment (DPIA):
DPIAs under GDPR assess risks to data subjects arising from personal data processing. AI system impact assessments are broader: a DPIA focuses on privacy, while an AI impact assessment also covers non-privacy impacts such as societal, ethical, environmental and economic effects. Both may be needed when an AI system processes personal data.
Algorithmic Impact Assessment (AIA):
Some jurisdictions require AIAs in specific contexts. These often align with ISO 42001 impact assessments but may impose their own specific requirements that an ISO 42001 assessment alone does not satisfy.
When Each Assessment Is Required
AI Risk Assessment:
- During initial AIMS implementation
- When adding new AI systems to scope
- After significant changes to AI systems or context
- At defined review intervals (typically annual)
- Following AI-related incidents
AI System Impact Assessment:
- Before deploying any new AI system
- Before significant changes to existing systems
- When use cases expand or change
- When affected populations change
- At defined review intervals
Integration Approach
While distinct, these assessments should be integrated:
- Shared Information: Impact assessments inform risk assessments and vice versa
- Coordinated Timing: Conduct together when assessing new AI systems
- Consistent Methodology: Use complementary frameworks and criteria
- Unified Governance: Report to the same oversight structures
Auditor Checklist: Both Assessments
For AI Risk Assessment:
- Documented methodology exists
- All AI systems are assessed
- AI-specific risks are identified
- Risk register is maintained
- Treatment plans are documented
- Review schedule is followed
For AI System Impact Assessment:
- Assessment process is documented
- Assessments exist for all deployed AI systems
- Assessments were completed before deployment
- Stakeholder impacts are evaluated
- Mitigation measures are implemented
- Post-deployment monitoring exists
Common Confusion Points
- "We did a risk assessment, so we don't need an impact assessment": Both are required; they serve different purposes
- "Impact assessment is only for high-risk AI": ISO 42001 requires it for all AI systems in scope
- "We can do one assessment covering both": Possible only if both sets of requirements are explicitly addressed and the evidence for each is traceable
- "Impact assessment is a one-time activity": Reassessment is needed whenever the system, its use cases, or its context changes
Conclusion
Understanding the distinction between AI risk assessments and AI system impact assessments is essential for ISO 42001 compliance. Risk assessments focus on organizational risks, while impact assessments focus on effects on individuals and society. Both are required, and both contribute to responsible AI governance.