3. Threshold assessment
3.1 Threshold assessment process
To complete the threshold assessment, follow these steps.
3.1.1 Determine likelihood and consequence
For each risk category listed in the assessment, determine the likelihood and consequence of the risk occurring for your AI use case. You should consult the likelihood and consequence descriptors at the attachment to this guidance.
The risk assessment should reflect the intended scope, function and risk controls of the AI use case.
In conducting your assessment, you should be clear on:
- key factors contributing to the likelihood and consequence of the risk
- how any existing or planned risk controls contribute to the likelihood and consequence of the risk
- any assumptions or uncertainties affecting your risk assessment.
3.1.2 Determine risk severity
Use the risk matrix provided in the framework and at the attachment to this guidance to determine the risk severity for each category.
3.1.3 Provide explanations
In the ‘rationale’ column, provide a clear and concise explanation for each risk rating (aim for no more than 200 words per risk but use additional words if necessary).
You should cover the factors, controls and assumptions outlined above at step 1.
3.2 Assessment contact officer recommendation
Once completed, if the assessment contact officer is satisfied that all risks are low, they may recommend that a full assessment is not required and that the executive sponsor accept the low risks and endorse the use case. If one or more risks are medium or higher, the assessment contact officer must either:
- complete a full assessment
- amend the scope, function or risk controls to a point where the threshold assessment results in a low risk rating
- decide to not accept the risk and not proceed with the AI use case.
3.3 Executive sponsor review
Once the assessment contact officer has made their recommendation, the executive sponsor must:
- review the recommendation
- confirm whether they are satisfied by the supporting analysis
- agree that a full assessment is or is not necessary for the use case.
When completing the threshold assessment, keep in mind the following:
- Try to be objective and honest in your assessment of risks. Underestimating risks at this stage could lead to inadequate risk management.
- Determining risk ratings can be challenging. Seek guidance from others to assist you (especially subject matter experts and those experienced in safe and responsible AI risk assessments).
- Consider the perspectives of stakeholders, including those identified at section 2.4, in assessing the likelihood and consequence of risks.
- Ensure you consider the perspectives of marginalised groups, including First Nations people, especially in relation to the risks relating to discrimination and stereotyping. You may not have the background or life experience to fully appreciate these risks.
- Where there is uncertainty or disagreement about the appropriate risk severity rating, err on the side of caution and choose the higher rating.
- Document key assumptions or evidence used in determining the risk severity ratings, as this will help explain the rationale for your assessment to reviewers.
- Consider the expected benefits of the AI use case before deciding whether to proceed based on significant but mitigable risks.