Risk management: Risk assessment questionnaires

About this sub-guideline

This sub-guideline is a part of the guideline Risk management. Refer to the main guideline for context and an overview.

This sub-guideline provides sample risk assessment questionnaires that can be used to support parliament’s risk management process in three phases of the AI system life cycle:

  • Initial project authorization
  • The development phase
  • The operational phase

Questionnaire 1: AI risk assessment for initial project authorization

When business managers want to submit a proposal to run an AI project, through a partnership with the IT unit, they focus on the problem to be solved using AI. At this stage, both business managers and the IT unit should complete an initial questionnaire, which could include the following questions, among others:

Purpose and stakeholders

  • What is the business case for, and the problem to be solved by, the proposed AI system?
  • Which stakeholders would this project benefit? How would they be impacted?
  • Are there any stakeholders (internal and/or external) that could be negatively impacted by this project? If so, could these negative effects be mitigated or compensated for?

Compliance

  • Will this project conflict with parliament’s policies, or with any law or other compliance rule?

Data and privacy

  • Have the owners of the data that the AI system will use been identified?
  • Will the AI system use internal data? If so, has internal authorization been obtained to use parliament’s data for this purpose?
  • Will the AI system use external data? Has parliament signed a memorandum of understanding or other agreement with the organization(s) that own(s) the data? 
  • Are any groups potentially underrepresented in the data?
  • Will the AI system use personal data? Is there an agreement or arrangement with appropriate safeguards in place?
  • Will the AI system’s output be available to external users?

Copyright

  • Should any of parliament’s data be protected by copyright?
  • Are there any copyrights or contractual conditions that need to be respected?

Capacity-building and outsourcing

  • What expertise is missing within parliament (if any) to support the procurement, development or implementation of the AI system?
  • Will this AI system be developed internally, purchased as a commercial product or developed through outsourcing?

Questionnaire 2: AI risk assessment in the development phase

This second questionnaire is to be completed by the AI development team and business staff during the development phase. Where an agile development method is employed, the responses should be reviewed for each new version of the system, informing the decision as to whether to continue or suspend – or even cancel – the project. This questionnaire could include the following questions, among others:

Data and privacy

  • Have the data owners authorized all actions regarding data access and treatment?
  • Is enough data available for the project?
  • Is the data quality adequate for this project? If not, what data quality issues have been identified?
  • How will parliament improve data quality in relation to the identified issues?
  • Will the use of personal data be restricted to the purposes for which it was planned/authorized?
  • Is it possible to keep people’s privacy sufficiently protected? Will it be possible to re-identify the data subjects?

Bias and discrimination

  • Are there any underrepresented data categories or potential biases in the data set? If so, what issues have been detected and how are they being mitigated? 
  • If generative AI is used, which hallucinations should be avoided or minimized in this project?
  • Will the AI system generate any classification of people’s behaviour?

Transparency

  • How are the planning, modelling, evaluation, testing and deployment phases scrutinized?
  • Does the documentation use appropriate language for the target audience(s)?
  • How do the documents demonstrate that the model addresses business requirements?
  • How do the documents demonstrate that the AI system is sufficiently accurate?
  • Is there any direct interaction between human end users and the AI system? Are users explicitly informed that they are interacting with an AI system? 

Safety and robustness

  • Are there any weaknesses in the defined model?
  • Are there any weaknesses in the testing phase?
  • Is the AI system robust to potential failures and security attacks?
  • Is there a deployment plan?
  • Is there a rollback or disaster recovery strategy in place?

Questionnaire 3: AI risk assessment in the operational phase

Once an AI system is deployed in a live operating environment, it should be continuously monitored by business and IT staff. At this stage, these staff should complete a third questionnaire to ensure that changes in data, business rules, social trends and the operating environment have been taken into account. This questionnaire could include the following questions, among others:

Human autonomy and oversight

  • Is the AI system subject to continuous performance monitoring?
  • Has parliament established clear criteria for classifying acceptable and/or unacceptable AI system behaviours? If so, is the AI system’s current behaviour acceptable according to these criteria?
  • Has parliament implemented a continuous process for collecting user feedback on the AI system’s behaviour? If so, is the AI system’s current behaviour acceptable according to user feedback?
  • Has parliament identified any new variables (changes) in the AI system that were not considered in the development phase?

Transparency

  • Is the performance monitoring and user feedback collection process effectively scrutinized?

The Guidelines for AI in parliaments are published by the IPU in collaboration with the Parliamentary Data Science Hub in the IPU’s Centre for Innovation in Parliament. This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International licence. It may be freely shared and reused with acknowledgement of the IPU. For more information about the IPU’s work on artificial intelligence, please visit www.ipu.org/AI or contact [email protected].