Risk Classification

Initiative risk tier assignments with required controls, sign-off requirements, and outstanding control tracking. High and Critical tiers require additional gate sign-off.

Critical

High

Medium

Outstanding Controls

Risk Tier Definitions

Critical — Board sign-off required at each gate. Legal, security, and bias assessments mandatory.

High — Legal and security sign-off required. Bias assessment required for AI-enabled initiatives.

Medium — Security review required at pre-go-live gate. Standard gate criteria apply.

Low — Standard gate criteria apply. No additional sign-off requirements.

Filter by tier:

AI Copilot Programme

Critical Risk

Enterprise-wide AI programme with potential to affect employment decisions, customer-facing outputs, and regulated processes. Classified Critical due to AI output quality risk in regulated contexts, data governance gaps, and absence of a ratified Responsible AI policy.

0% controls complete

6 outstanding5 open risk factors

Board sign-offLegal sign-offSecurity reviewBias assessment

M365 Copilot Rollout

High Risk

AI tooling affecting all 900 employees with data privacy implications, job displacement anxiety, and AI output quality risk. Classified High due to employee impact scale and AI-specific risks.

40% controls complete

2 outstanding2 open risk factors

Legal sign-offSecurity reviewBias assessment

Org Restructure

High Risk

Affects 900 employees across all departments with role changes, reporting line changes, and redundancy risk. Classified High due to employee relations risk and regulatory employment law obligations.

25% controls complete

2 outstanding2 open risk factors

Legal sign-off

ITSM Platform Migration

Medium Risk

Technology platform migration with moderate employee impact and standard security requirements. Classified Medium — no AI-specific risks, no employment law implications, contained scope.

50% controls complete

1 outstanding1 open risk factors

Security review