AI Risk Management: Executive Handbook (MindForge)
Aliases: MindForge Exec · MindForge Executive Handbook · MindForge Phase 2
Provides an executive-level decision framework for FIs adopting GenAI: governance, risk taxonomy, control patterns, board reporting.
Document relationships
- companion-to: mas-mindforge-ops
- companion-to: mas-mindforge-impl
- operationalises: mas-feat-2018
- references: sg-mas-airg-2024
Atomic clauses (85)
Ensure that an AI governance operating model is clearly defined by leveraging and, as needed, uplifting the roles and capabilities of existing enterprise functions including the relevant roles from the Board, Senior Management, and operational governance, with sufficient operating effectiveness measures in place to support them.
A key element of AI oversight is the role of the Board and Senior Management, who together take overall accountability for the FI’s use of AI.
Responsibility for AI oversight is typically integrated with existing governance functions, where it forms part of the FI’s overall operating model.
These governance documents operationalise this Handbook’s recommendations and establish a clear risk-based approach to managing AI throughout its lifecycle.
FIs have a range of policies, procedures, and standards (collectively referred to here as “governance documents”) in place in the organisation that may impact AI governance and risk management.
FIs can work with their vendors, adopt industry-standard approaches where possible, and remain flexible to ensure that oversight is proportionate to risk.
FIs can consider changes to their procurement, onboarding, and third-party risk management practices to address these new challenges.
FIs can establish a framework for tiering their degree of risk materiality, applying controls in a risk-based approach, and reviewing these use cases for risk before and after deployment.
FIs can consider criteria like potential impact, complexity, and reliance to define AI risk materiality.
Ensure that core AI-specific information on AI use cases is recorded in an inventory and ensure that a process is in place to maintain the AI inventory, so that information about new, updated, or decommissioned AI use cases is reflected accurately.
Establish ownership for the AI use case and ensure alignment with organisational standards and values for ethical and responsible AI use.
Perform an inherent risk materiality assessment to determine the risk tiering of the AI use case and to guide proportionate governance efforts.
Capture AI use case-related information in an AI inventory to enable transparency and support risk management.
Design the AI use case to operate with a proportionate and practical level of human oversight.
Ensure that employees in relevant roles have the skills that they require to identify, mitigate, and track AI risks throughout the AI lifecycle.
Ensure that learning and literacy activities are sufficient to equip current and future employees with knowledge on AI capabilities, risks, and responsibilities appropriate to their roles in managing AI risk.
Ensure that practices, programmes, and policies related to culture and conduct are sufficient to foster a healthy AI culture around responsible, ethical, and safe AI use for current and future employees.
Ensure that AI governance and risk management activities involve a sufficiently representative and interdisciplinary group of employees who can effectively represent a range of perspectives on AI’s risks and impacts.
Ensure that the FI’s AI-related infrastructure is suitable for managing scalability, availability, and security risks posed by the FI’s use of AI.
Ensure that an AI governance and risk management operating model is clearly defined by leveraging and, as needed, uplifting the roles and capabilities of existing enterprise functions including relevant roles from the Board, Senior Management, and operational governance, with sufficient operating effectiveness measures in place to support them.
Conduct use case-specific due diligence during third-party AI onboarding, in line with organisational standards, to manage the risks of a third-party AI product or service.
Assess and select algorithms or features for the AI use case by considering its objectives and risks, including fairness, explainability, performance objectives, implementation complexity, and computational efficiency.
Identify and implement appropriate guardrails and controls during the development of AI use cases proportionately to the level and nature of the associated risks, to effectively manage and mitigate potential risks.
Define use case-specific risk-related metrics for assessing the AI use case for risks.
Evaluate and calibrate transparency measures based on the use case’s risk materiality, degree of autonomy, and intended users, implementing proportionate design features and disclosures to support responsible and informed use.
Conduct thorough testing and review prior to deployment to assess AI-specific risks and ensure that appropriate guardrails, controls, and governance have been observed.
Develop monitoring and contingency plans for the use case prior to its deployment, and consider risk-informed deployment options.
Periodically monitor and report on use case metrics related to AI risks, guardrail effectiveness, and changes in the use case’s operating environment, as necessary and at a proportionate intensity and frequency, and address any issues identified.
Capture changes to AI use cases or their components to maintain traceability and ensure that changes with a material impact on risk are reviewed and approved through an effective change management process.
Ensure that governance documents define key AI-related concepts, processes, and responsibilities, and that they remain up-to-date and effective in supporting all aspects of the FI’s approach to AI governance and risk management.
Enhance the organisational risk framework and risk appetite to include enterprise risks, strategies, and key risk indicators (KRIs) that track, monitor, and mitigate AI-specific risks.
Uplift existing procurement and third-party risk management activities to address AI-specific risks, including disclosure templates, vendor assessment and procurement practices, change detection and notification, and contracting practices, and ensure that teams have access to relevant expertise in AI.
Implement a framework for inherent and residual AI risk assessments.
Ensure that a framework is in place to manage the risks of each AI use case.
Define a risk materiality assessment approach.
Apply controls that are commensurate with the risks identified.
Conduct pre- and post-deployment AI-specific reviews as appropriate.
Ensure that the use of data complies with ethical standards, regulatory requirements, and organisational policies or standards.
Ensure that the use of any third-party data complies with intellectual property rules, contractual obligations, and licensing rights.
Ensure that data used for the AI use case is fit for purpose.
Justify the use of personal attributes in the AI use case.
Document metadata and data sources related to the AI use case in accordance with organisational data management policies and regulatory expectations.
Ensure that appropriate data access controls are implemented based on the nature of the selected AI use case.
Establish clear ownership of any derived or transformed data to be used in the AI use case.
Identify and mitigate bias in training and test datasets.
FIs can determine in context how to make this Handbook’s recommendations relevant to their use of AI.
Define levels of risk materiality for AI use cases based on criteria relevant to the FI’s context.
Extend the roles and responsibilities of relevant Board members or bodies to include relevant AI-related actions, including the endorsement of key AI governance documents, ensuring that AI-specific skills are in place, and ensuring that AI risks are managed.
Ensure that a form of AI inventory, designed in consideration of existing inventory systems and practices to be suitable and proportionate for the FI’s context, is in place to capture a core set of AI-specific information on AI use cases.
Define, based on relevant AI-specific risks, a proportionate level of disclosure to seek from third-party providers of AI products and services, and a process for assessing disclosures.
Extend relevant existing Senior Management roles and responsibilities to include the implementation of effective AI governance and keeping the Board well-informed.
Embed additional responsibilities for AI governance and risk management, as required, in relevant Board and Senior Management roles.
Ensure robust conceptual foundations for AI governance and risk management by establishing AI principles, defining key AI-related concepts, establishing frameworks for effective AI identification, and continuously improving these foundations over time as necessary.
Identify the new or enhanced risks of AI that are relevant to the enterprise and ensure that the enterprise risk taxonomy effectively captures them.
Ensure that Builders conduct appropriate AI risk self-checks during development to test use case performance, verify the effectiveness of risk management activities, and identify and mitigate issues early in the development process.
In conjunction with other monitoring activities, ensure that a monitoring plan and safeguards/contingency measures are in place, along with the designation of an appropriate accountable person to address AI risks detected in monitoring.
Establish an AI change management process to ensure that changes to in-house or third-party use cases are appropriately tracked, reviewed, and approved before implementation.
Ensure that operational governance functions have clear roles and responsibilities assigned to operationalise AI governance and risk management activities across the enterprise.
Consider the need for a phased rollout to manage the AI use case’s risks and progressively validate the use case’s performance prior to full deployment.
Define a process to assess the inherent risk materiality of AI use cases at the appropriate lifecycle stage, considering the fundamental characteristics of each use case.
Ensure that processes and capabilities are in place for AI-specific risks to be evaluated at appropriate points in procurement, onboarding, and throughout the post-procurement lifecycle.
Assess existing enterprise risk controls for their fitness in addressing AI-specific enterprise risks, and uplift those controls where gaps exist.
Monitor and report on the quality, drift, and third-party risks associated with the use case’s input and training data in an ongoing fashion, as necessary, after deployment.
Ensure that processes are in place and that roles and responsibilities are defined such that the AI inventory is well-maintained and kept up to date.
Ensure that all aspects of AI governance and risk management are effectively institutionalised throughout the FI’s governance documents, and that a process is in place to periodically review and reassess them.
Conduct an AI-specific review based on use case risk materiality prior to deployment to ensure that potential risks are identified and mitigated.
Engage and equip users with targeted training and use case-specific resources to support responsible use and effective oversight.
Ensure that key risk indicators (KRIs) are in place to measure AI-specific risks and that relevant incidents, issues, or risk events are appropriately tracked and managed.
Define a process to evaluate the residual risk materiality of AI use cases prior to deployment, considering the established controls and guardrails.
Ensure that existing governance processes, forums, assets, and tools are updated to effectively enable AI governance and risk management.
Conduct periodic checks for changes to key aspects of the AI use case over time, including risk materiality, scope of usage, and key risks.
Identify new or modified AI components or features in third-party products and services already introduced into the FI’s technology ecosystem.
Ensure that the AI use case is appropriately documented, that appropriate security and governance practices are applied, that relevant data retention is provided for, and that relevant approvals are obtained before deploying to production.
Ensure that sufficient operating effectiveness and horizon-scanning measures are in place to monitor and improve the AI governance and risk management operating model over time.
Identify, uplift, or create controls to be applied to each AI use case based on its risks and risk materiality.
Consider whether contracts and licenses with third parties providing AI products and services are sufficient to clearly address AI-specific risks.
Ensure that effective monitoring is in place to identify AI-specific risk events or breaches of KRI thresholds to a degree proportionate to the FI’s risk appetite.
Conduct periodic AI-specific reviews after deployment to assess emerging post-deployment risks.
Document key aspects of the AI build process, including data handling, model training and selection, and evaluation decisions, to enable auditability and reproducibility.
Define an approach for conducting an AI-specific review of AI use cases prior to deployment, confirming the risks identified, the use case’s risk materiality, and the appropriateness of risk mitigations.
Ensure that teams with AI-specific legal, technical, and risk-management skills are involved in procurement, contracting, onboarding, or other third-party risk management activities as appropriate.
Ensure that the use case is operationalised with an appropriate degree of human oversight proportionate to its risk materiality or purpose.
Ensure that AI-specific reviews of AI use cases are conducted periodically post-deployment, with their frequency based on factors including the risk materiality of the AI use case.
Provide end users with avenues to enquire, give feedback, or request a review on AI decisions, where applicable, to support continuous improvement and build user trust.
Ensure that proportionate monitoring and analysis are in place to safeguard against security risks during system usage.