3. Threshold assessment

3.1    Risk assessment

Using the risk matrix, determine the severity of each of the risks in the table below, accounting for any risk mitigations and treatments. Provide a rationale and an explanation of relevant risk controls that are planned or in place. The guidance document contains consequence and likelihood descriptors and other information to support the risk assessment. 

The risk assessment should reflect the intended scope, function and risk controls of the AI use case. Keep the rationale for each risk rating clear and concise, aiming for no more than 200 words per risk. 

Risk matrix
Likelihood/ConsequenceInsignificantMinorModerateMajorSevere
Almost certainMediumMediumHighHighHigh
LikelyMediumMediumMediumHighHigh
PossibleLowMediumMediumHighHigh
UnlikelyLowLowMediumMediumHigh
RareLowLowLowMediumMedium

What is the risk (low, medium or high) of the use of AI:

  • Negatively affecting public accessibility or inclusivity of government services?
  • Unfairly discriminating against individuals, communities or groups?
  • Perpetuating stereotyping or demeaning representations of individuals, communities or groups?
  • Harming individuals, communities, groups, organisations or the environment?
  • Raising privacy concerns due to the sensitivity, amount or source of the data being used by an AI system?
  • Raising security concerns due to the sensitivity or classification of the data being used by an AI system?
  • Raising security concerns due to the implementation, sourcing or characteristics of the AI system?
  • Influencing decision-making that affects individuals, communities, groups, organisations or the environment?
  • Posing a reputational risk or undermining public confidence in the government?

3.2    Assessment contact officer recommendation

If the assessment contact officer is satisfied that all risks in the threshold assessment are low, then they may recommend that a full assessment is not needed and that the agency accept the low risk.

If one or more risks are medium or above, then a full assessment must be completed, unless you amend the AI use scope, function or risk controls such that the assessment contact officer is satisfied that all risks in the threshold assessment are low. 

You may decide not to accept the risk and not proceed with the AI use case. 

The assessment contact officer recommendation should include:

  • the statement ‘a full assessment is/is not necessary for this use case’
  • comments (optional)
  • name and position
  • date.

3.3    Executive sponsor endorsement

The executive sponsor endorsement should include:

  • the statement ‘I have reviewed the recommendation, am satisfied by the supporting analysis and agree that a full assessment is/is not necessary for this use case’
  • comments (optional)
  • name and position
  • date.

4. Fairness

Next page

Connect with the digital community

Share, build or learn digital experience and skills with training and events, and collaborate with peers across government.

Join the Digital Profession