AgentSure
Tier 2B · handbook · MAS · v2026.01 · 2026-01-15

AI Risk Management: Operationalisation Handbook (MindForge)

Aliases: MindForge Ops · MindForge Operationalisation · MindForge Phase 2 Ops

Purpose

Operational handbook for FIs implementing GenAI risk controls across technology, data, model, deployment, and monitoring.

Atomic clauses: 724
AI-specific: 696
Cross-document links: 231
Pages: 76 pp

Atomic clauses (724)
should · AI · §1.1

Readers should understand this to include associated AI systems and models, which for the purposes of governance are inseparable from their use case.

governance.policy

should · AI · §1.1

FIs and the industry overall should continue to consider new, emerging, or diminished AI-specific risks as they apply the Considerations in this Handbook.

governance.policy, model-risk.monitoring

may · AI · §1.1

FIs may each choose the basic unit of AI governance and risk management in their own context, so long as when doing so they effectively consider the relationship between models, systems, and use cases.

governance.policy

declarative · AI · §1.1

AI governance and risk management would apply only to those outputs or behaviours of the system which are affected or influenced by its AI components or functionalities.

governance.policy
should · AI · §1.2

Ensure that an AI governance and risk management operating model is clearly defined by leveraging and, as needed, uplifting the roles and capabilities of existing enterprise functions, including relevant roles from the Board, Senior Management, and operational governance, with sufficient operating effectiveness measures in place to support them.

governance.accountability, governance.raci, governance.board-oversight

should · AI · §1.2

FIs can ensure that their operational governance is prepared for all aspects of AI governance and risk management.

governance.policy, governance.accountability

declarative · AI · §1.2

Operational governance functions have a key role to play in implementing AI-related policies and procedures, as well as supporting their development and maintenance.

governance.policy, governance.accountability

should · AI · §1.2

FIs can ensure that post-deployment monitoring related to AI is well-defined in the responsibilities of the appropriate governance functions, including both overall 'portfolio' monitoring and roles in the monitoring of individual use cases.

model-risk.monitoring, governance.accountability

should · AI · §1.2

FIs should define responsibilities for AI oversight, integrating AI governance and risk management into their overall operating model.

governance.accountability, governance.raci

declarative · AI · §1.2

Senior Management has a key role to play in the continuous improvement and evolution of AI governance and risk management.

governance.accountability
declarative · AI · §1.2

Operational governance functions maintain the FI's AI inventory; this may include a responsibility for providing oversight of the FI's overall use of AI and the delivery of updates to Senior Management or the Board.

governance.accountability, governance.board-oversight

may · AI · §1.2

FIs can assess the effectiveness of existing roles and augment them with additional organisation or responsibilities to ensure effective oversight of AI.

governance.accountability, governance.raci

declarative · AI · §1.2

Management is typically responsible for AI-related enablers like talent, culture, and infrastructure.

governance.accountability

should · AI · §1.2 Practice 1

Embed additional responsibilities for AI governance and risk management, as required, in relevant Board and Senior Management roles.

governance.accountability, governance.board-oversight, governance.raci

should · AI · §1.2 Practice 1 Approach

Extend the roles and responsibilities of relevant Board members or bodies to include relevant AI-related actions, including the endorsement of key AI governance and risk management documents, ensuring that AI-specific skills are in place, and ensuring that AI risks are managed.

governance.board-oversight, governance.accountability, governance.training

should · AI · §1.2 Practice 1 Approach

Extend relevant existing Senior Management roles and responsibilities to include the implementation of effective AI governance and risk management and keeping the Board well-informed.

governance.accountability, governance.board-oversight
declarative · AI · §2

Individual risk type owners evaluate AI-relevant risks within their areas, recommend mitigation strategies as needed, or reject a given use case.

governance.raci, model-risk.identification

declarative · AI · §2

The RAIC conducts a holistic AI risk assessment of AI use cases prior to production deployment.

model-risk.identification, model-risk.validation
may · AI · §2.1

FIs can include helpful guidance for employees, such as a list of examples of what is and is not AI, and a set of frequently asked questions.

governance.training

should · AI · §2.1

FIs should periodically review their governance practices against evolving industry norms and tools to improve the overall effectiveness of their AI governance and risk management.

governance.policy

may · AI · §2.1

FIs can periodically assess the fitness of their relevant governance processes, forums, assets, and tools as AI technologies evolve.

governance.policy

should · AI · §2.1

FIs should ensure AI-related governance documents define processes, set out rules, and offer guidelines for AI risk management.

governance.policy

should · AI · §2.1

FIs should consider whether their definition of AI is aligned with the definition used in this Handbook, with those adopted by relevant regulators, and with generally accepted definitions across the broader ecosystem.

governance.policy

should · AI · §2.1

FIs should consider whether the definition of AI is effective in identifying technologies or use cases that pose AI-specific risks, including emerging deployment patterns such as embedded AI.

governance.policy

should · AI · §2.1

AI-related governance documents should consistently define key AI-related concepts, and document and assign responsibility for the enterprise's approach to AI governance and risk management.

governance.policy, governance.raci

should · AI · §2.1

FIs should update their risk management to include the impact of AI on organisation-level risk.

governance.policy, model-risk.monitoring
may · AI · §2.1

FIs may also create communications channels as they deem fit to internally discuss AI-related matters, including governance.

governance.accountability

should · AI · §2.1

FIs may find it beneficial to monitor changes in AI technologies, regulations, and risks that may implicate their governance documents, and to periodically revise those documents where necessary.

governance.policy

should · AI · §2.1

Ensure that effective documentation is captured on the process of identifying AI.

model-risk.documentation

should · AI · §2.1

Define clear responsibilities for AI identification throughout the AI lifecycle, as well as accountability and response for incorrect identification where appropriate.

governance.raci, lifecycle.problem-formulation

may · AI · §2.1

FIs can also ensure that processes are in place to periodically review their AI definitions and revise them to be more effective or to account for new developments in the industry.

governance.policy

should · AI · §2.1

Designate a final authority or forum for applying the FI's AI definition and adjudicating differences between employees or business units, particularly in relation to new or emerging technologies.

governance.accountability, governance.board-oversight

should · AI · §2.1

FIs should consider whether the definition of AI is clear and useful to both technical and non-technical Business Users within the FI.

governance.policy

should · AI · §2.1

FIs should establish a clear, enterprise-wide position on what technologies meet the definition of AI.

governance.policy
may · AI · §2.2

FIs may also choose to update their enterprise risk appetite to account for the new considerations introduced by AI adoption.

governance.board-oversight, governance.policy

should · AI · §2.2

FIs should track the number of AI incidents or risk events as an important element of managing AI-specific risks.

model-risk.monitoring, governance.policy

must · §2.2

FIs will each categorise their risks in a way that is appropriate to their business needs and reflective of their compliance requirements.

governance.policy

should · AI · §2.2

FIs should ensure that risk management is coordinated and consistent across the enterprise, ensuring that there are no gaps in coverage between risk types or parts of the FI's organisation.

governance.policy, governance.accountability

may · AI · §2.2

FIs may need to verify that the underlying data comes from verified sources and meets relevant quality standards.

data.quality

must · AI · §2.2

Ensure that identified data sources align with key data quality dimensions outlined in the FI's existing data management/quality framework.

data.quality

may · AI · §2.2

For third party data or models, FIs can perform due diligence, where feasible and proportionate to risk.

third-party.due-diligence

may · AI · §2.2

When using synthetic data, FIs can assess and manage associated risks, including data representativeness, regulatory compliance, data provenance, and model generalisation.

data.quality, data.lineage

consider · AI · §2.2

Given AI's rapid evolution, FIs could consider periodically performing horizon scanning for new or enhanced AI-specific risks and regulatory developments on AI governance and risk management.

governance.policy, model-risk.monitoring
must · AI · §2.2

Ensure that identified data sources are sufficiently representative of the AI use case's intended context and range of users.

data.bias-check, fairness.disparate-impact

should · AI · §2.2

FIs should carefully consider, and clearly assign, accountability for enterprise risk management in their chosen approach.

governance.accountability, governance.raci

consider · AI · §2.2

It may be useful for FIs to periodically consolidate an enterprise or portfolio view of the aggregated risks of their AI use for the Board or Senior Managers.

governance.board-oversight, model-risk.monitoring

should · AI · §2.2 Practice 3

Track incidents, issues, and/or risk events related to AI-specific risk, considering their severity when doing so.

model-risk.monitoring, governance.accountability

must · AI · §2.2 Practice 3

Ensure that key risk indicators (KRIs) are in place to measure AI-specific risks and that relevant incidents, issues, or risk events are appropriately tracked and managed.

model-risk.monitoring, governance.accountability

must · AI · §2.2 Practice 3

Ensure that appropriate KRIs related to the FI's AI-specific risks are in place and assigned to appropriate risk owners, leveraging or supplementing existing enterprise KRIs as needed.

governance.raci, model-risk.monitoring

should · AI · §2.2 Practice 3

Perform organisation- or portfolio-level tracking of AI-specific risk.

model-risk.monitoring

must · AI · §2.2 Practice 3

Ensure that practices for responding to incidents, issues, risk events, and/or trends in associated risks are suitable for addressing AI-specific risks.

model-risk.monitoring, governance.policy
consider · AI · §2.3

Testing third party AI products and services before procurement is an effective, but sometimes resource-intensive, risk management practice that can be used depending on the risk materiality of the intended use case.

third-party.due-diligence, model-risk.testing

should · AI · §2.3

FIs can ensure that accountabilities for third party risk management practices are clearly defined and that processes are in place for AI procurement practices to be periodically reviewed and revised, as needed.

governance.accountability, third-party.due-diligence

may · AI · §2.3

FIs may benefit from engaging interdisciplinary teams in the design of AI-specific procurement practices and contracting standards.

third-party.due-diligence, third-party.contract, governance.raci

should · AI · §2.3

FIs need not automatically reject incomplete disclosures; in these cases, it is important instead that FIs have a process in place for making informed decisions based on the types of disclosure that are missing and the risks of the use case.

third-party.due-diligence, governance.policy

may · AI · §2.3

FIs can consider several mitigating factors in cases where disclosures are incomplete, such as indemnification from related risks and credible external attestation.

third-party.due-diligence, third-party.contract

may · AI · §2.3

FIs can manage a range of AI risks by testing third party AI products and services on AI risk-related performance metrics as part of their procurement processes.

third-party.due-diligence, model-risk.testing

may · AI · §2.3

FIs can assess and address AI-specific risks as part of the procurement and post-procurement lifecycles of outsourced service providers.

third-party.due-diligence, third-party.contract, lifecycle.deployment

consider · AI · §2.3

Designating a clear point of accountability for third party disclosure processes and templates can support this work.

governance.accountability, third-party.due-diligence
may · AI · §2.3

The effectiveness of a third party's AI governance and risk management measures may need to be periodically reviewed.

third-party.due-diligence, governance.policy

consider · AI · §2.3

FIs can consider requesting that third parties share monitoring information; where this is not possible, they can design effective solutions for monitoring the AI product or service's inputs or outputs once they reach the FI's ecosystem.

third-party.due-diligence, lifecycle.monitoring

should · AI · §2.3

FIs can ensure that such tests are well integrated into onboarding procedures by setting out clear procedures, proportionate to use case risk, for ensuring that testing for systematic disadvantage is conducted as part of onboarding.

fairness.bias-mitigation, third-party.due-diligence

consider · AI · §2.3

FIs can consider planning for the periodic re-assessment of third-party AI products or services at a frequency proportionate to risk.

third-party.due-diligence, lifecycle.monitoring

may · AI · §2.3

Where a new use case falls outside the scope approved at initial procurement, FIs can manage its risk by supplementing that initial procurement process, such as by requesting additional information or conducting additional tests, to seek procurement approval for the new, riskier use case, in addition to existing IT change management practices.

third-party.due-diligence, model-risk.validation

may · AI · §2.3

FIs may, for example, exclude certain open-source models or systems from some high-risk use cases should their license provisions indemnify the developer against all damages.

third-party.contract, third-party.due-diligence

may · AI · §2.3

FIs may design processes for engaging relevant internal experts in each domain when needed in the procurement, contracting, or onboarding process.

third-party.due-diligence, governance.raci

consider · AI · §2.3

Where desired contractual terms are not available, FIs can consider mitigations such as compensatory testing.

third-party.contract, model-risk.testing
should · AI · §2.3

FIs should note, however, that this is not currently a common practice in the industry and may be challenging to enforce.

governance.policy

may · AI · §2.3

FIs may also consider negotiating contractual obligations around AI-specific risk management, such as adherence to certain thresholds on AI-specific risk metrics.

third-party.contract, governance.policy

may · AI · §2.3

In addition to traditional procurement considerations like performance, expected total lifecycle cost, and support options, FIs can consider the suitability of license terms for managing the risks associated with open-source AI products.

third-party.due-diligence, third-party.contract

declarative · §2.3

Other non-AI-specific contracting practices that remain relevant include requesting a right to audit.

third-party.contract, third-party.due-diligence

consider · AI · §2.3

FIs can consider reviewing their existing risk response and escalation procedures to include AI-specific risks, such as reporting AI-related incidents in relevant forums.

governance.policy, cyber.incident-reporting

declarative · AI · §2.3

Other open-source models may be distributed with licenses that are incompatible with for-profit use, such as provisions that require any software using the model to also be made available on an open-source basis.

third-party.contract

should · AI · §2.3

FIs can ensure that effective processes are in place to periodically review and revise their approaches to third party information disclosures related to AI.

governance.policy, third-party.due-diligence

may · AI · §2.3

FIs can request that third parties provide them with additional evaluation results related to Fairness only if the intended use case has a potential risk of discrimination, or if the third party's data disclosure identified a risk that it was trained on personal data.

fairness.bias-mitigation, third-party.due-diligence, data.consent
declarative · AI · §2.3

Procurement practices can also help FIs address legal risks associated with open-source AI models or systems.

third-party.due-diligence, third-party.contract

should · AI · §2.3

FIs may sometimes change the use case for which an AI product or service is used, especially for general-purpose AI systems with a range of potential applications. It is important in these cases that FIs refer to the initial procurement process, legal reviews, and approvals to determine whether the new use case falls outside the scope of what was approved at that time.

third-party.due-diligence, lifecycle.deployment

consider · AI · §2.3

FIs can consider other testing approaches like simulation testing and red teaming, where appropriate.

model-risk.testing

consider · AI · §2.3 Approach

Consider whether contracts with third party providers and software licenses for products and services adequately define AI-specific provisions around indemnity, data protection, cybersecurity, monitoring, and AI introduction.

third-party.contract, third-party.due-diligence, cyber.access-control

consider · AI · §2.3 Approach

Determine the FI's willingness to use open-source AI models and systems, depending on the legal risks posed by their license terms.

third-party.due-diligence, third-party.contract

consider · AI · §2.3 Practice 4

Consider whether contracts and licenses with third parties providing AI products and services are sufficient to clearly address AI-specific risks.

third-party.contract, third-party.due-diligence
declarative · AI · §2.4

Periodic recertifications, at a frequency determined by the AI system's risk tier, to ensure ongoing compliance with AI ethics and fitness for purpose.

governance.policy, lifecycle.monitoring

declarative · AI · §2.4

Each AI model is assigned a materiality rating, either high or low, based on a weighted scoring methodology that incorporates quantitative thresholds and qualitative judgment.

model-risk.identification

declarative · AI · §2.4

Validating results against agreed thresholds.

model-risk.validation

declarative · §2.4

Protection of sensitive data (including personal data) via Data Loss Protection, masking, and encryption.

data.lineage, cyber.access-control

declarative · AI · §2.4

AI models are categorised by their intended use (e.g. risk management, regulatory reporting), and this classification, together with the materiality rating, determines the depth of review, the independence of the review process, and the responsible governance team.

model-risk.identification, governance.raci

declarative · AI · §2.4

Reassessing relevance and risk materiality.

model-risk.monitoring

declarative · AI · §2.4

Decision logging for auditability and explainability.

explainability, transparency

declarative · AI · §2.4

The approach to AI use case-level risk management does not differ for AI use cases applied in risk management. In these cases, the risk management function is considered to be the business owner for the purposes of governance.

governance.accountability, model-risk.identification
declarative · AI · §2.4

Effective risk materiality tiers are explicitly defined and unambiguous so that they can be consistently applied across the FI.

governance.policy

may · AI · §2.4

FIs can determine the best way to tier risk materiality within their organisation, considering which risk materiality tiers may be best suited to account for the AI risks that they face while also managing complexity.

governance.policy, model-risk.monitoring

should · AI · §2.4

Each AI use case presents a specific level of risk materiality. Determining the specific risk materiality of an AI use case is important because it allows organisations to take a risk-based approach to governing those use cases, better allocating resources and tailoring mitigation strategies proportionately to risk.

model-risk.identification, governance.policy

declarative · AI · §2.4

This framework evaluates both the likelihood and potential severity of harm that an AI model could pose to the bank and its stakeholders, including customers, employees, and broader society.

model-risk.identification

declarative · AI · §2.4

Evaluating guardrail effectiveness and the need for adjustments.

model-risk.monitoring

must · AI · §2.4

Similar evaluations are applied as per pre-deployment assessments, covering functionality, performance, data quality, and risk management.

model-risk.monitoring, data.quality

must · AI · §2.4

Post-deployment reviews are conducted regularly, with frequency and depth based on risk materiality.

model-risk.monitoring

declarative · AI · §2.4

Ensuring quality of claims through periodic model validation and retraining.

model-risk.validation, lifecycle.monitoring

declarative · AI · §2.4

Post-deployment review is scheduled based on risk materiality to ensure continued effectiveness and relevance of controls.

model-risk.monitoring, lifecycle.monitoring

declarative · AI · §2.4

Pre-deployment evaluations addressed key risks including accuracy, bias, data quality, and explainability.

model-risk.validation, data.quality, fairness.bias-mitigation, explainability

may · AI · §2.4

The results of post-deployment AI-specific reviews can be assessed to determine if an action is required (such as change, pause, or decommissioning) or if there has been a material change in the AI use case's risk.

model-risk.monitoring, lifecycle.decommissioning
Source

https://www.mas.gov.sg/-/media/mas-media-library/schemes-and-initiatives/ftig/project-mindforge/mindforge-ai-risk-management-operationalisation-handbook.pdf

Statutory basis: MAS-led industry consortium; supervisory expectation