My Grandmother’s Guide to AI Risk Assessment
Why the core of Responsible AI isn’t a complex checklist, but a common-sense, human-centered conversation.

Whenever I facilitate a workshop on AI risk assessment, I find myself saying the same thing: “My grandmother would call this common sense.”
You haven’t discovered a new world; you’ve just remembered an old one.
This work, which we often cloak in technical jargon, is at its heart a deeply human, almost spiritual act. It’s the process of becoming a guardian for our values in the face of powerful new technology. It’s the act of double-checking that we do no harm.
This thought struck me recently in the car. My children and husband were debating a future where AI manages all agriculture. My daughter, with the simple wisdom of a child, said, “I’m not sure if I would like it. Maybe I would want to grow my own things.”
Her desire for choice, for agency, is the very reason this work matters. We are not just assessing risk for corporate compliance; we are consciously shaping the world our children will inherit.
So, how do we do it? How do we build this “common sense” into our organizations?
The Core of Responsible AI: A Simple Framework
The field is full of intimidating acronyms: FRIA (Fundamental Rights Impact Assessment), AIA (Algorithmic Impact Assessment), ARIA (Algorithmic Risk and Impact Assessment). While the names change, the skeleton of the process is always the same. I use the NIST AI Risk Management Framework as a simple guide, which I’ve translated into four straightforward, human-centered steps:
1. GOVERN: Start by Knowing Yourself.
This is the soul of the work. Before you can assess the risk an AI poses to your values, you have to know what your values are. This is the stage for co-creating your Responsible AI Principles, establishing your governance structure (like an “AI Stewardship Circle”), and deciding who will be accountable. It’s about creating a safe space to talk about your tensions and hopes as an organization and to reach agreements. At this point you begin to write down everything you have agreed, which is simply the first step of your AI Policy.
2. MAP: Listen to Others.
Identify every single person and group who could be impacted by your AI system. Who are they? What are their rights, interests, and vulnerabilities? This is a profound act of listening that requires a diverse group of voices in the room, not just developers and executives, but people from different backgrounds, disciplines, and life experiences.
3. MEASURE: Think Critically.
With your stakeholders in mind, brainstorm the potential harms. Could your AI cause a loss of opportunity? Could it amplify bias? Could it harm someone’s dignity? Then, you measure that risk with a simple, common-sense formula:
Likelihood (How likely is it to happen?) × Magnitude (How bad would it be if it did?) = Risk Level.
This isn’t about complex math; it’s about having an honest, structured conversation.
For the critical and high risks you have identified, this is also the point where you check your assumptions with technical testing.
4. MANAGE: Take Responsibility.
Once you’ve identified your highest-priority risks, you can brainstorm mitigation strategies. But here’s the honest truth: you cannot eliminate all risk. There will always be “residual risk” left over. Your job is to manage that remaining risk with clear AI governance controls, continuous monitoring, and a commitment to transparency.
Why “Common Sense” is Hard Work: The Socio-Technical Challenge
If the framework is just common sense, why do so many organizations struggle with it?
Because we mistakenly believe we are only dealing with a technical problem. The moment an AI model is deployed into a messy, human, social system, it becomes a socio-technical algorithm. Its risks are no longer just technical.
Take bias. We are not just talking about statistical bias that can be measured in a lab. We are talking about the historical, systemic, and human biases embedded in the data and our own decision-making. The problem becomes far more complex, dynamic, and incomprehensible.
This is why a one-size-fits-all checklist will always fail. Every situation is use-case-centric. It’s why my workshops with Tech to the Rescue were so inspiring; the magic happens when you bring a diverse group of people together to have that specific, contextual conversation. (You can see the insights from one of those risk assessment sessions I did here.)
The Final Mindset Shift: From Audit to Ethic
This brings us to the final, crucial mindset shift. A risk assessment is not a one-time document you create and file away. It is a living process.
The technical audits and model testing you perform are simply the tools you use to check the assumptions you made during your risk assessment. As your AI operates in the real world, new risks will appear. You will add them to your risk register. It’s a continuous, dynamic cycle of learning and adapting.
When this mindset becomes part of your culture, you move from a reactive stance of merely preventing harm to a proactive one: Ethics by Design.
This is the real work. It’s about building the muscle for these conversations, internalizing the process until it becomes second nature.
It’s about remembering what our grandmothers knew all along: the most powerful tool we have is our ability to care for the impact our actions have on others.
Your Practical Toolkit
Want to go deeper? Here is my practical toolkit to help you start your first AI Risk Assessment journey:
A Free Template to Get Started
Related Previous Articles:
Real-World Case Studies:
What do you think?
The conversation around Algorithmic Risk and Impact Assessment has only become more important. Does this perspective still hold true for you? What has changed? I’d love to hear your thoughts in the comments.

