Home/Resource Library/AI Risk Assessment

Free AI risk assessment template for UK employers

Turn an AI use case into an owned, reviewable risk record. This free CSV includes 41 fields for people, data, risk, human oversight, workforce training, assessments, testing, approval and residual risk—plus six fictional worked examples.

41 governance fields 6 worked risk rows Human oversight and training No email gate

Published: 15 July 2026. Format: UTF-8 CSV with Excel and Google Sheets formulas. Fictional examples only.

What the register captures

System and use case

AI system, business area, purpose, supplier, lifecycle stage, owner, output and the people affected.

Data and potential harm

Personal and special-category data flags, significant automated decisions, legal context, risk category and a concrete risk statement.

Human oversight and training

Named reviewer, review stage, authority to override, training audience, required capability and an issue or appeal route.

Assurance and action

DPIA and equality-assessment status, monitoring metrics, inherent and residual scores, treatment, due dates, approval and evidence.

Worked UK employer examples

The file contains six risk rows across four AI use cases. They are fictional and designed to show how one system can need more than one risk record.

Use caseExample riskHuman review pointTraining audienceTreatment
CV screeningRanking differences and proxy discriminationBefore shortlist or rejectionRecruiters and hiring managersReduce
Customer reply copilotPrivacy, wrong entitlements or missed safety escalationBefore every messageAdvisers and quality reviewersReduce and monitor
Attendance predictorUnfair workforce scrutiny from proxy variablesBefore manager contact or actionL&D analysts and line managersAvoid pending assessment
Training-content copilotInvented or obsolete compliance requirementsBefore publicationDesigners and subject-matter expertsReduce

Use the template in seven steps

  1. Define the use case: name the system, intended purpose, output, owner, supplier, lifecycle stage and people affected.
  2. Write one risk per row: describe the cause, event and possible harm. Duplicate the system ID when one use case has multiple risks.
  3. Score inherent risk: estimate likelihood and impact before relying on controls.
  4. Route the right assessments: record DPIA and equality-assessment status and link security, procurement, legal or sector reviews where relevant.
  5. Design controls: name a capable human reviewer, the point of intervention, override authority, training, testing and a usable issue or appeal route.
  6. Score residual risk: reassess only after controls are specific, funded and testable. Choose reduce, avoid, transfer or accept under your organisation's policy.
  7. Approve and monitor: record the decision, evidence, owner, action date, metric, review cadence and conditions that would pause use.

Risk scoring formulas

The template uses a simple 5×5 matrix. It is intentionally easy to explain and customise. It is not an official UK regulator scoring scheme.

Inherent risk score (column R)

=IF(OR(P2="",Q2=""),"",P2*Q2)

Likelihood (1–5) multiplied by impact (1–5), assessed before controls.

Residual risk score (column AG)

=IF(OR(AE2="",AF2=""),"",AE2*AF2)

Likelihood and impact reassessed after the stated controls. Do not lower a score just because a control is planned; distinguish planned from operating controls.

Low
1–4
Medium
5–9
High
10–14
Critical
15–25

Calibrate thresholds, approvers and treatments to your enterprise risk framework. A low numerical score does not override a legal prohibition, mandatory safeguard or unacceptable impact on an individual.

What meaningful human oversight looks like

“A human checks it” is not a sufficient control. The ICO says a DPIA should record the degree and stage of human involvement, and that review processes should be meaningful, including the ability to overturn a decision.

A named competent role

Specify who reviews the output and what knowledge they need. Avoid vague labels such as “the business” or “an administrator”.

A decision point that matters

Review must happen before the output affects a candidate, employee, learner, customer or member of the public.

Authority and evidence

The reviewer needs time, source evidence and real authority to correct, reject, pause or escalate the AI output.

Training and monitoring

Teach reviewers the system's intended use, limits, bias indicators, data rules, escalation route and how overrides are recorded.

This register coordinates assessments; it does not replace them

Complete the process your use case actually needs

The ICO's AI risk toolkit is designed to help organisations reduce risks to people's rights and freedoms. Its AI governance guidance covers DPIAs, data flows, controller and processor roles, human involvement and meaningful review. Recruitment systems can also raise equality, accessibility and employment concerns, as the government's Responsible AI in Recruitment guidance explains.

The UK government's 2026 consultation version of AI Management Essentials asks organisations about AI system records, risk and impact assessments, thresholds, monitoring, response processes, data protection and communication. Those topics influenced the operational fields in this free register. The AIME consultation document is guidance under development, not a certification or a substitute for applicable law.

  • Use DPIA_Status to route and link the DPIA; do not attempt to compress the assessment into one cell.
  • Use Equality_Impact_Assessment_Status to make equality assurance visible without treating it as a checkbox.
  • Add links to threat modelling, security testing, supplier due diligence, accessibility review and sector assurance in Evidence_URL.
  • Seek your DPO, legal, security, HR and affected-user input in proportion to the use case and potential harm.

Official UK guidance used for this resource

This template is operational guidance, not legal advice, a completed DPIA, an equality assessment or evidence that an AI system is safe or compliant.

Frequently asked questions

What should an AI risk assessment include?

At minimum: the system and use case, owner, affected people, data, possible harm, inherent risk, controls, human oversight, required training, issue and appeal routes, other assessment status, testing, residual risk, approval and review dates.

Does this replace a DPIA?

No. It can identify and coordinate privacy risks, but the ICO's DPIA process requires much more detail where a DPIA is required. The same principle applies to equality, security, procurement and sector-specific assurance.

Can a system have more than one row?

Yes—and usually should. Use one risk statement per row and repeat the AI system ID. That lets you assign different controls, owners, monitoring metrics and treatments to privacy, fairness, accuracy, safety or transparency risks.

Turn AI governance into trained behaviour

TIQPlus helps organisations translate AI policies and controls into role-specific training, evidence and accountable workplace practice.