Beyond Basic: Understanding ISO/IEC 42001’s Definition of “Risk”
April 8, 2025
ISO introduced its AI management system standard, ISO/IEC 42001, in December 2023. It is the first such standard and, according to ISO’s website, “ISO/IEC 42001 is an international standard that specifies requirements for establishing, implementing, maintaining, and continually improving an Artificial Intelligence Management System (AIMS) within organizations.” A recent LinkedIn post by Dentons’ Dalton Cline highlights the fact that ISO/IEC 42001 defines “risk” in a way that differs both from how other risk frameworks define it and from how lawyers are accustomed to assessing risk.
The post notes that under NIST and other risk management frameworks, “risk” is typically defined in terms of the probability of an event and its potential magnitude. That is a standard corporate lawyers and compliance professionals are accustomed to working with, since it mirrors the materiality standard for contingencies under the federal securities laws laid out by SCOTUS in Basic v. Levinson. However, as this excerpt from the post explains, ISO/IEC 42001 departs from that approach to defining risk:
Here’s the perspective shift organizations seeking certification under 42001 should be prepared for: since the adoption of ISO 31000, the purpose of risk management is to identify and respond to variance from the expected performance of a system. As part of the governance process, the organization sets its objectives and policy and then has procedures to meet those goals. The purpose of risk management under the ISO conception is to identify the sources of uncertainty that could keep the organization or a system from functioning as expected.
So, for example, one of the things you have to do as part of AI Governance under ISO 42001 as part of the “Planning” function is to perform an AI system impact assessment that identifies the potential benefits and harms of the AI system to individuals, groups, and society. Then, once you identify those benefits and harms, the purpose of the risk assessment is to look at potential risk events and measure how those uncertainties may impact the anticipated benefits and harms.
While we are accustomed to assessing risk in terms of its probability and impact on a particular company, ISO/IEC 42001 casts a much wider net, and requires companies to look at the damage that an AI system could do to constituencies beyond the company and its investors.