System and use case
AI system, business area, purpose, supplier, lifecycle stage, owner, output and the people affected.
Turn an AI use case into an owned, reviewable risk record. This free CSV includes 41 fields for people, data, risk, human oversight, workforce training, assessments, testing, approval and residual risk—plus six fictional worked examples.
Published: 15 July 2026. Format: UTF-8 CSV with Excel and Google Sheets formulas. Fictional examples only.
AI system, business area, purpose, supplier, lifecycle stage, owner, output and the people affected.
Personal and special-category data flags, significant automated decisions, legal context, risk category and a concrete risk statement.
Named reviewer, review stage, authority to override, training audience, required capability and an issue or appeal route.
DPIA and equality-assessment status, monitoring metrics, inherent and residual scores, treatment, due dates, approval and evidence.
The file contains six risk rows across four AI use cases. They are fictional and designed to show how one system can need more than one risk record.
| Use case | Example risk | Human review point | Training audience | Treatment |
|---|---|---|---|---|
| CV screening | Ranking differences and proxy discrimination | Before shortlist or rejection | Recruiters and hiring managers | Reduce |
| Customer reply copilot | Privacy, wrong entitlements or missed safety escalation | Before every message | Advisers and quality reviewers | Reduce and monitor |
| Attendance predictor | Unfair workforce scrutiny from proxy variables | Before manager contact or action | L&D analysts and line managers | Avoid pending assessment |
| Training-content copilot | Invented or obsolete compliance requirements | Before publication | Designers and subject-matter experts | Reduce |
The template uses a simple 5×5 matrix. It is intentionally easy to explain and customise. It is not an official UK regulator scoring scheme.
=IF(OR(P2="",Q2=""),"",P2*Q2)
Likelihood (1–5) multiplied by impact (1–5), assessed before controls.
=IF(OR(AE2="",AF2=""),"",AE2*AF2)
Likelihood and impact reassessed after the stated controls. Do not lower a score just because a control is planned; distinguish planned from operating controls.
Calibrate thresholds, approvers and treatments to your enterprise risk framework. A low numerical score does not override a legal prohibition, mandatory safeguard or unacceptable impact on an individual.
“A human checks it” is not a sufficient control. The ICO says a DPIA should record the degree and stage of human involvement, and that review processes should be meaningful, including the ability to overturn a decision.
Specify who reviews the output and what knowledge they need. Avoid vague labels such as “the business” or “an administrator”.
Review must happen before the output affects a candidate, employee, learner, customer or member of the public.
The reviewer needs time, source evidence and real authority to correct, reject, pause or escalate the AI output.
Teach reviewers the system's intended use, limits, bias indicators, data rules, escalation route and how overrides are recorded.
The ICO's AI risk toolkit is designed to help organisations reduce risks to people's rights and freedoms. Its AI governance guidance covers DPIAs, data flows, controller and processor roles, human involvement and meaningful review. Recruitment systems can also raise equality, accessibility and employment concerns, as the government's Responsible AI in Recruitment guidance explains.
The UK government's 2026 consultation version of AI Management Essentials asks organisations about AI system records, risk and impact assessments, thresholds, monitoring, response processes, data protection and communication. Those topics influenced the operational fields in this free register. The AIME consultation document is guidance under development, not a certification or a substitute for applicable law.
DPIA_Status to route and link the DPIA; do not attempt to compress the assessment into one cell.Equality_Impact_Assessment_Status to make equality assurance visible without treating it as a checkbox.Evidence_URL.This template is operational guidance, not legal advice, a completed DPIA, an equality assessment or evidence that an AI system is safe or compliant.
At minimum: the system and use case, owner, affected people, data, possible harm, inherent risk, controls, human oversight, required training, issue and appeal routes, other assessment status, testing, residual risk, approval and review dates.
No. It can identify and coordinate privacy risks, but the ICO's DPIA process requires much more detail where a DPIA is required. The same principle applies to equality, security, procurement and sector-specific assurance.
Yes—and usually should. Use one risk statement per row and repeat the AI system ID. That lets you assign different controls, owners, monitoring metrics and treatments to privacy, fairness, accuracy, safety or transparency risks.
TIQPlus helps organisations translate AI policies and controls into role-specific training, evidence and accountable workplace practice.