Worldwide standardizations for Artificial Intelligence (AI)
ISO (International Organization for Standardization)
IEC (International Electrotechnical Commission)
Focus on ISO/IEC 23894-2023: Guidance on Risk Management
ISO/IEC 23894:2023 is a standard that provides guidance on risk management in the field of artificial intelligence (AI). The standard provides a comprehensive framework for organisations to manage risks associated with the development, deployment, or use of AI systems. ISO/IEC 23894:2023 aims to create and safeguard value by improving performance, encouraging innovation, and supporting the achievement of objectives. The standard is designed to be customised to any organisation and context, providing a structured approach to risk management that delivers consistent and comparable results. The standard is designed to be used in connection with ISO 31000:2018, which provides general guidance on risk management. ISO/IEC 23894:2023 is divided into three main parts: Principles, Framework, and Processes, each addressing specific considerations related to AI.
Principles
The Principles section of ISO/IEC 23894:2023 describes the underlying principles of risk management. These principles include the need for risk management to be integrated into an organization's overall management system, the importance of considering the context in which risks arise, and the need for risk management to be a continuous process. The use of AI requires specific considerations with regard to some of these principles, as described in ISO 31000:2018, Clause 4.
Framework
The Framework section of ISO/IEC 23894:2023 describes how the risk management framework can assist organizations in integrating risk management into significant activities and functions, specifically in relation to AI systems. This section includes guidance on understanding the organization and its context, articulating risk management commitment, assigning organizational roles, authorities, responsibilities, and accountabilities, allocating resources, establishing communication and consultation, implementing risk management, evaluating risk management, and continually improving risk management. Understanding the organization and its context involves considering the organization's objectives, stakeholders, and the internal and external factors that may affect the organization's ability to achieve its objectives.
Articulating risk management commitment involves communicating the organization's commitment to AI risk management to stakeholders. Assigning organizational roles, authorities, responsibilities, and accountabilities involves identifying individuals with the authority to address AI risks and responsibility for establishing and monitoring processes to address AI risks. Allocating resources involves ensuring that the organization has the necessary resources to manage AI risks. Establishing communication and consultation involves ensuring that stakeholders are informed about AI risks and that their input is considered in the risk management process. Implementing risk management involves identifying, assessing, and treating AI risks.
Evaluating risk management involves monitoring and reviewing the effectiveness of the risk management process. Continually improving risk management involves adapting the risk management process to changing circumstances and continually improving the effectiveness of the risk management process.
Processes
The Processes section of ISO/IEC 23894:2023 describes the risk management processes involved in identifying, assessing, treating, monitoring, reviewing, recording, and reporting AI risks. These processes involve the systematic application of policies, procedures, and practices to the activities of communicating and consulting, establishing the context, and assessing, treating, monitoring, reviewing, recording, and reporting risk. A specialization of such processes to AI is described in ISO 31000:2018, Clause 6.
Other Risk Management principles covered in the standard
ISO/IEC 23894:2023 outlines several other principles for effective risk management. These principles apply to all organisational levels and objectives, whether strategic or operational.
Integrated Risk Management
Risk management should be an integral part of all organisational activities. This is particularly important for AI systems, which can introduce new or emergent risks with potential impacts on organisational objectives.
Structured and Comprehensive Approach
A structured and comprehensive approach to risk management helps to deliver consistent and comparable results. This is vital for AI systems, which often rely on diverse data sets and complex algorithms.
Customized Risk Management
The risk management framework and process should be customised and proportionate to the organisation's external and internal context.
Risk Management Process
The risk management process involves several steps, including communication and consultation, defining the scope, context and risk criteria, risk assessment, risk treatment, monitoring and review, and recording and reporting.
Communication and Consultation
Effective communication and consultation are integral to the risk management process. This is especially important for AI systems, which can have far-reaching impacts on various stakeholders.
Scope, Context and Criteria
Defining the scope, context and risk criteria is crucial for understanding the parameters of the risk management process. For AI systems, this includes understanding the system's intended use, the external and internal context, and the criteria for defining risk.
Risk Assessment
Risk assessment is a crucial part of the risk management process. It involves identifying, analysing, and evaluating risks.
Risk Identification
Risk identification is the first step in risk assessment. For AI systems, this involves identifying potential events and outcomes that could lead to risks, as well as the sources of these risks.
Risk Analysis
Risk analysis involves understanding the nature, sources, likelihood, and potential impact of risks. For AI systems, this may involve analysing data, models, and other assets related to the system.
Risk Treatment
Risk treatment involves developing and implementing strategies for managing identified risks. This can involve avoiding the risk, changing the likelihood or impact of the risk, or accepting the risk.
Monitoring and Review
Monitoring and review processes are crucial for ensuring the effectiveness of the risk management process. These processes should be ongoing and should involve regular assessments of risk management performance.
Recording and Reporting
Recording and reporting are crucial for maintaining transparency and accountability in the risk management process. These processes involve documenting risk management activities and communicating this information to relevant stakeholders.
Annexes
ISO/IEC 23894:2023 includes several informative annexes that provide additional guidance on AI risk management. Annex A provides common AI-related objectives and risk sources that should be taken into account when identifying risks of AI systems. Annex B provides guidance on the use of AI in safety-critical applications. Annex C provides an example mapping between the risk management processes and an AI system life cycle.
Related ISO/IEC References
ISO/IEC 23894:2023 also includes a list of related ISO/IEC references that provide additional guidance on AI risk management. These references include ISO/IEC 38507:2022, which provides guidance on the governance implications of the use of AI by organizations, ISO/IEC TR 24028:2020, which provides an overview of trustworthiness in AI, and ISO/IEC TR 24027:2021, which provides guidance on bias in AI systems and AI-aided decision making.
Conclusion
ISO/IEC 23894:2023 provides valuable standards guidance on risk management in the field of artificial intelligence. The standards emphasize the need for risk management to be integrated into an organization's overall management system and provides specific guidance on how to do so in the context of AI systems. ISO/IEC 23894:2023 provides a comprehensive framework for managing the risks associated with AI. By following this standard, organisations can navigate the complexities of AI, mitigate potential risks, and leverage the transformative potential of this technology.
ความคิดเห็น