risk management

Identifying, quantifying, and prioritizing risks to people, assets, or projects by maintaining a risk register, performing qualitative and quantitative assessments (likelihood/impact, expected loss), defining controls and mitigation plans, and using frameworks like NIST or ISO 31000 to track residual risk.

riskmanagement

12-Month Skill Trend

Momentum and market value over time
Trending
Score
+20 in 12 mo
96
12 mo agoNow
Career
Value
+$12K in 12 mo
$42K/year
12 mo agoNow

Recommended Survey Paper

Quick overview of the field
View more

Must-Read Papers

Most classic and influential ideas
View more

A Methodology for Quantitative AI Risk Modeling

Dec 09, 2025
MM
Malcolm Murray
🏛️ SaferAI

While Artificial General Intelligence (AGI) presents transformative opportunities, its systemic safety risks lack mature, quantitative assessment methodologies. Method: This paper introduces the first quantitative risk modeling framework specifically designed for AGI, adapting high-consequence industry risk paradigms. It comprises six systematic steps: scenario definition, parameter decomposition, baseline quantification, metric identification, LLM capability gain mapping, and risk aggregation. Grounded in empirically validated metric–parameter relationships, the framework bridges qualitative judgment to auditable, verifiable quantitative claims (e.g., “X% probability of >$Y in annual economic loss”) and enables cross-domain unified evaluation (e.g., cyberattacks, biochemical threats). Contribution/Results: The framework is fully validated on an LLM-augmented cyberattack scenario, yielding statistically grounded risk quantifications. It provides regulators—such as those implementing the EU AI Act—with auditable, reproducible, and scalable risk assessments.

Addresses systemic AI risks like cyber offense and loss-of-control.Develops quantitative risk modeling for AI safety and misuse.Integrates scenario building with quantitative risk estimation methods.

Developing a Risk Identification Framework for Foundation Model Uses

Jun 01, 2025
DP
David Piorkowski
🏛️ IBM Research

The widespread deployment of foundation models introduces multifaceted AI risks, yet existing taxonomies lack practical guidance for practitioners to identify context-specific risks in real-world usage scenarios. Method: We propose the first risk identification framework tailored to foundation model *use governance*, grounded in four design principles that shift AI risk identification from static classification toward dynamic, scenario-aware, and actionable analysis. Integrating AI risk taxonomy, use governance theory, and requirements-driven engineering—validated through a case-driven paradigm—we develop an extensible prototype. Contribution/Results: Evaluated across representative deployment use cases, the prototype effectively identifies critical risks—including privacy leakage and algorithmic bias—demonstrating significantly enhanced practicality and operational feasibility. This work advances AI safety governance by delivering both a methodological foundation and an implementable tool for risk-aware foundation model deployment.

Address gaps in current risk guidanceDevelop framework for relevant risk assessmentIdentify risks in foundation model applications

This study addresses the limitations of traditional risk matrices in supporting fine-grained, context-sensitive risk decision-making within complex dynamic systems. The authors propose a traceable, three-stage risk analysis framework: first, employing a multidimensional polar-coordinate heatmap to enable context-aware risk prioritization; second, constructing Bowtie causal barrier models for high-priority risks; and third, automatically transforming these Bowtie models into Bayesian networks to facilitate dynamic inference and “what-if” scenario analysis. A key innovation lies in explicitly modeling barriers as activated nodes, thereby establishing an integrated pathway from macro-level risk screening to micro-level intervention. Validation in a real-time payment gateway setting demonstrates that the proposed approach significantly enhances the transparency, auditability, and operational readiness of risk analysis.

context-sensitive triagecyber riskoperational resilience

Internal Vulnerabilities, External Threats: A Grounded Framework for Enterprise Open Source Risk Governance

Oct 29, 2025
WY
Wenhao Yang
🏛️ Peking University | Bitergia | Huawei Technologies Co., Ltd.

Conventional open-source risk management overrelies on technical tools, failing to address systemic risks—including upstream “silent fixes,” community conflicts, and sudden license changes—resulting in governance blind spots. Method: This paper proposes a strategic open-source risk governance framework centered on the interaction between external threats and internal vulnerabilities, shifting from tactical response to proactive, strategic prevention. It innovatively introduces a Strategic Objective Matrix and a dual-risk taxonomy, yielding an “Object–Threat–Vulnerability–Mitigation” decision model; integrates grounded theory, strategic mapping, and capability-building principles to support organization-level governance decisions. Contribution/Results: Validated by three domain experts and applied in real-world case studies, the framework significantly enhances risk analytical capability and enables enterprises to establish a systematic, immunizing mechanism against open-source risks.

Addressing systemic open source risks beyond technical vulnerabilitiesDeveloping framework to connect external threats with internal vulnerabilitiesShifting from tactical risk management to holistic risk governance

Risk management systems often overlook the explicit representation of uncertainty, thereby limiting the quality and traceability of decision-making in high-hazard scenarios. Addressing this gap, this study conducts a systematic review of 370 publications to develop the first decision-oriented taxonomy for uncertainty representation, categorizing approaches into five classes: probabilistic methods, evidence- and fuzzy logic–based techniques, qualitative heuristics, graphical visualizations, and hybrid frameworks. The analysis reveals that while probabilistic methods dominate the literature, their practical integration remains inadequate; qualitative and visualization-based strategies substantially enhance communicative transparency; and hybrid approaches demonstrate the greatest potential for real-world application. These findings offer a structured guide for selecting appropriate uncertainty representation methods and outline promising directions for future research.

decision-makingepistemic uncertaintymethod selection

Latest Papers

What's happening recently
View more

This study addresses the challenge in regional risk assessment posed by missing asset attributes, which introduces unquantifiable uncertainty in exposure information and compromises risk estimation accuracy. For the first time, it systematically decomposes and quantifies the uncertainty arising specifically from probabilistic exposure representation, isolating it from total risk uncertainty to elucidate its generation and propagation mechanisms within the assessment workflow. Methodologically, the research integrates machine learning with engineering rule sets to impute missing data and constructs a high-resolution bridge exposure inventory. Uncertainty propagation is then analyzed through a combination of analytical methods and Monte Carlo simulations. The approach significantly enhances the transparency of exposure modeling and improves the reliability of regional-scale risk assessments.

bias quantificationexposure uncertaintyinfrastructure inventory

This study addresses the inadequacy of current IT compliance–oriented cybersecurity policies in safeguarding the physical safety of cyber-physical systems, as digital failures often precipitate real-world harm. By coding 292 critical infrastructure policies (2000–2025) and aligning them with the NIST SP 800-160 Vol. 2 resilience lifecycle, the research reveals a significant misalignment between prevailing policy approaches—overreliant on IT control catalogs during resistance and recovery phases—and actual physical risks. The work proposes a modernized “duty of reasonable care” standard centered on hazard-specific traceability, structured assurance cases, and cyber resilience engineering. It identifies three critical disconnects: misaligned delegation of standards, reduction of recovery mechanisms to mere incident reporting, and uneven sectoral adaptability. The study further outlines a viable pathway for federal policy that integrates engineering implementation with targeted incentives.

critical infrastructurecyber safetycyber-physical systems

This study addresses the challenge of managing residual risks that cannot be fully eliminated, noting that existing qualitative analyses lack actionable dynamic management mechanisms. To bridge this gap, the authors propose formalizing the Bowtie risk diagram as a directed acyclic graph (DAG) capable of supporting Bayesian inference and causal intervention. By incorporating safety-state semantics and explicit intervention nodes, and integrating expert probability assessments with do-calculus, the framework enables risks to be observable, quantifiable, and intervenable. The work introduces Realtime Risk Studio—a modeling tool—and Probability Capture—a method for eliciting probabilistic judgments—to construct, for the first time, an executable real-time risk reasoning model. Validation in an instant payment gateway scenario demonstrates the efficacy of transforming Bowtie diagrams into DAGs, fusing noisy expert probabilities, and performing “What-if” causal intervention analyses.

causal analysisoperationalizationprobabilistic modeling

This study addresses a critical gap in quantitative risk management: the absence of formal modeling for the epistemic justification and institutional commitments underlying risk claims, which hinders credible assessment of their trustworthiness. To remedy this, the paper introduces a modal epistemic logic framework that distinguishes objective risk propositions from their cognitive stances—such as warranted belief (\(Kp\)) and working commitments (\(Bp\))—and embeds them within a layered governance architecture. This architecture separates object-level risks from meta-level epistemic diagnostics, thereby avoiding logical collapse due to self-reference. By integrating classical and fuzzy modal semantics, the framework formally captures notions of assurance, commitment, possibility, hesitation, and epistemic inconsistency. It further establishes a diagnostic mechanism to detect scenarios where risks exist without corresponding cognitive stances, thereby enhancing the robustness and prudence of risk disclosure, auditing, and regulatory decision-making.

assuranceepistemic riskmodal logic

Integrative Analysis of Risk Management Methodologies in Data Science Projects

Dec 02, 2025
SD
Sabrina D. C. Feitosa
🏛️ Universidade de Brasília

High failure rates in data science projects stem primarily from the lack of integrated governance addressing technical, organizational, and ethical risks. This study employs a systematic literature review and cross-framework content analysis to compare mainstream risk management standards—including ISO 31000, PMBOK, NIST RMF, and CRISP-DM—assessing their adequacy across the data science lifecycle. It identifies critical structural gaps in handling data maturity, cross-functional collaboration, and socio-technical risk responsiveness. To address these limitations, the paper proposes an innovative “Governance–Monitoring–Ethics” triadic framework that transcends unidimensional risk models by embedding ethical review and continuous governance mechanisms directly into technical workflows and organizational practices. The resulting integrated risk management perspective supports responsible data practices and establishes a theoretical foundation for subsequent framework development and empirical validation. (149 words)

Compares risk management methods for data science projects.Identifies gaps in traditional approaches for emerging risks.Proposes hybrid frameworks integrating ethics and governance.

Hot Scholars

MW

Mark Whitmeyer

Arizona State University
Game TheoryMicroeconomic TheoryInformation Economics
SC

Stephen Casper

PhD student, MIT
AI safetyAI responsibilityred-teamingrobustness
RW

Ruodu Wang

University of Waterloo
StatisticsRisk ManagementActuarial ScienceFinancial Engineering
YB

Yoshua Bengio

Professor of computer science, University of Montreal, Mila, IVADO, CIFAR
Machine learningdeep learningartificial intelligence