Back to course overview
Module 1AI risk taxonomy 20 min

Workshop: Risk map

Produce Meridian Group's AI risk map: inventory the systems, assess each with the impact framework, and plot them into risk tiers that drive everything downstream.

Workshops in this course produce the actual artifacts of a governance program — the documents you'd present to a risk committee. This one produces the risk map: the foundational picture of where AI risk lives in an organization, which every later module builds on.

Step 1 — Inventory the AI systems

  1. 1List Meridian's three AI systems (support agent, HR screening tool, analytics assistant). For each, capture: purpose, who operates it, what data it uses, what decisions it makes or influences, and who it affects.
  2. 2Add two you invent that a real 2,000-person company would plausibly have (e.g., a marketing content generator, a fraud-detection flag, a code assistant for engineers). A real inventory is never complete on the first pass — noticing the shadow AI (tools teams adopted without telling anyone) is part of the exercise.

Step 2 — Assess each system

  1. 1Run each through the impact-assessment questions: affected parties & opt-out, decision consequence, reversibility, contestability, scale.
  2. 2For each, note the two or three material risk categories (fairness, privacy, reliability, etc.) that most apply. The HR tool's fairness risk and the support agent's security risk should jump out.
  3. 3Score each risk's inherent likelihood × consequence — before controls — and assign the system a tier: low / moderate / elevated / critical. (Residual re-scoring waits until Module 4 gives you the controls.)

Step 3 — Plot the map

  1. 1Build a simple 2×2 (or a table): systems plotted by likelihood and consequence, colored by tier, and labeled inherent risk (pre-controls) — so nobody mistakes it for the residual picture. The HR tool sits top-right (high likelihood, high consequence); the analytics assistant bottom-left.
  2. 2For each system, write one line: its tier and the primary reason. 'HR screening — CRITICAL: automated decisions on employment affecting protected classes, hard to contest.'
  3. 3This map is the organizing artifact of the whole program: it decides where governance effort goes, which systems get which controls, and what the board should worry about first.

Step 4 — The prioritized narrative

Write the two-paragraph summary a risk committee would read: the organization runs N AI systems; here are the M that are elevated-or-high and why; here is where governance attention must concentrate. Save RISK-MAP.md — every subsequent workshop (gap analysis, charter, controls, incident plan) references it, and it becomes the opening section of your capstone program.

Problem set 1

In the workbook: eight AI use cases across a bank (from a chatbot FAQ to an automated credit-decision engine to an internal doc search). Assess and tier each, then defend your two highest-risk selections to a skeptical executive who thinks 'it's all just software'. One wrinkle to honor: the bank already runs an SR 11-7 model risk program with a model inventory and fair-lending obligations — the credit engine is already a governed model. Your task is extending that governance to the new AI systems, not building from greenfield.