A risk register is not a risk management system. Article 9 requires that every risk finding has an owner, a mitigation measure, an evidence record, and a resolution status.
EAB structures the Article 9 risk management system as a set of governed risk records — not a list, but a trackable governance layer with accountability at each step.
Article 9 requires a risk management system that is continuous, documented, and demonstrable. EAB makes every risk a governed object — with accountability, evidence, and a resolution path.
Risks are identified and documented in a structured format — risk description, affected system component, severity assessment, and likelihood. Not a free-text register, but a governed risk object with required fields.
Every risk has a named owner responsible for the mitigation. Unowned risks surface as governance gaps. Risk ownership is not a label — it is an attributed accountability that appears in the audit record.
Each mitigation measure is documented as a governance action — with a description, a deadline, an owner, and an evidence requirement. Mitigation is tracked to completion, not listed and forgotten.
Evidence that a mitigation measure has been implemented is uploaded and linked to the specific risk record. Regulators can see not just that a risk was identified — but that action was taken and evidenced.
Risks evolve as systems change. New risks can emerge from system modifications, legal changes, or operational events. EAB tracks risk evolution over the system lifecycle — not just at initial assessment.
The complete risk management record — identification, ownership, mitigation, evidence, resolution status — is exportable as a structured governance artefact. It demonstrates a system, not just awareness of risks.
Article 9 requires continuous risk management — not a one-time assessment. EAB maintains the risk record as a live governance layer across the full system lifecycle.
The AI System Owner identifies risks in the structured risk workspace — each with a description, affected component, severity, likelihood, and initial status. No free-text risk register — each risk is a governed record from creation.
Each risk gets a named owner and a documented mitigation measure. The mitigation measure includes a description, a deadline, and an evidence requirement. Mitigation is tracked as an active governance task.
When a mitigation is implemented, the risk owner uploads evidence and updates the resolution status. The risk record moves from Open to In Progress to Resolved — with evidence at each transition.
The supervisor reviews the complete risk management record — all identified risks, their owners, mitigation measures, evidence, and resolution status — before granting approval. The risk management system is part of the approval record.
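The four-step workflow above, as an added example that is not EAB's own code and assumes nothing about its internal data model: a risk record whose status may only advance Open to In Progress to Resolved when an owner, a mitigation and an evidence reference are present, each transition recorded in an audit trail, plus a check that surfaces unowned, unmitigated and overdue risks as governance gaps. The field names, status strings and any sample values are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

TRANSITIONS = {"Open": "In Progress", "In Progress": "Resolved"}

@dataclass
class Mitigation:
    description: str
    deadline: date
    owner: str            # accountable person for this measure
    evidence_required: bool = True

@dataclass
class RiskRecord:
    risk_id: str
    description: str
    component: str        # affected system component
    severity: str
    likelihood: str
    owner: Optional[str] = None
    mitigation: Optional[Mitigation] = None
    status: str = "Open"
    # audit trail: one (from_status, to_status, evidence_ref) entry per transition
    history: list = field(default_factory=list)

    def advance(self, evidence_ref: str) -> str:
        """Move to the next status; refuse without owner, mitigation or evidence."""
        if self.status not in TRANSITIONS:
            raise ValueError(f"{self.risk_id}: already {self.status}")
        if not self.owner or self.mitigation is None:
            raise ValueError(f"{self.risk_id}: owner and mitigation required before progress")
        if self.mitigation.evidence_required and not evidence_ref:
            raise ValueError(f"{self.risk_id}: evidence reference required for this transition")
        new_status = TRANSITIONS[self.status]
        self.history.append((self.status, new_status, evidence_ref))
        self.status = new_status
        return new_status

def governance_gaps(records: list, today: date) -> dict:
    """Surface unowned risks, risks with no mitigation, and overdue unresolved mitigations."""
    gaps = {"unowned": [], "no_mitigation": [], "overdue": []}
    for r in records:
        if not r.owner:
            gaps["unowned"].append(r.risk_id)
        if r.mitigation is None:
            gaps["no_mitigation"].append(r.risk_id)
        elif r.status != "Resolved" and r.mitigation.deadline < today:
            gaps["overdue"].append(r.risk_id)
    return gaps
```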
Article 9 requires more than awareness. EAB structures risk identification, ownership, mitigation, and evidence into a demonstrable risk management system.
EU-hosted · Anchored to CELEX 32024R1689