Back to course overview
Module 4Risk & governance 13 min

AI risk, executive view

The five AI risk families in P&L language, the two questions that size any of them, and the risk-appetite statement only leadership can write.

You cannot delegate risk framing. Specialists will manage AI risks, but which risks the company will run, for what return is a leadership decision — and making it requires seeing the landscape in business terms, not vendor terms. Five families cover the territory:

  • Wrong-answer risk — the system is confidently wrong: the misrouted urgent exception, the ETA that loses the account, the contract summary that misses the liability clause. Sized by two questions: how wrong can it be? and who catches it before it acts? Every deployment answer from your teams should include both; 'usually right' without a catcher is an incident schedule.
  • Data leakage risk — your information going where it shouldn't: staff pasting customer data into unapproved tools (shadow usage, remember, is already happening), vendors training on your inputs, an assistant retrieving a document for someone who shouldn't see it. Mostly a policy and configuration problem — which is good news: policy and configuration are governable.
  • Compliance risk — regulation touching your deployments: employment decisions, customer communications, safety-adjacent operations, sector rules, and the broad AI acts (next lesson's radar). Sized by use case, not by technology — the same model is unregulated summarizing tenders and regulated screening drivers.
  • Reputation risk — the screenshot: your chatbot's worst answer, in public, with your logo. Asymmetric (one incident outweighs a thousand quiet successes) and mitigated less by model quality than by scope choices — what you let AI say and do in your name, ungated. The gate discipline your teams learn in the automation and agent courses is reputation insurance.
  • Dependency risk — strategic exposure you chose: the vendor who is your triage layer (see the shared-dependency flag from Module 3), the model whose behavior shifts under you, the two people who understand the ETA system. Managed like any concentration risk: name it, cap it, plan the exit.

These five families are the executive altitude — enough to frame appetite and ask the right questions. The operator course (AI Governance, Risk & Compliance) works from a finer eight-category taxonomy for building controls and audit evidence; these five roll up into it. Same terrain, different altitude: you set which risks the company runs, they run the machinery that keeps it inside your lines.

The risk-appetite statement (one paragraph, yours to write)

Governance without stated appetite becomes reflexive 'no'. The appetite statement is a paragraph the review board can apply: what error rates are acceptable where, what's gated always, what's forbidden outright. Alder's draft: 'We accept drafted-and-reviewed AI in all internal work and triaged AI in customer-facing routing. Anything sending externally, touching money, or affecting employment is human-approved, always. AI does not make safety-relevant decisions, period. We accept vendor dependency for undifferentiated capability with exit plans on file.' Four sentences; every later governance decision inherits from them. Write yours in the workshop — and notice it's a strategy document wearing risk clothing: it says what you're bold about and where.

Ask for the failure story

In any AI review — internal or vendor — the highest-signal executive question remains: 'Tell me about the last time it was wrong, and how you found out.' Teams with a real answer (a specific failure, a catch mechanism, a fix) are operating a system. Teams with 'it's been very accurate' are operating a hope. You now know enough to tell the difference in one sentence; that's most of executive AI risk management.