Risk Scoring

SignalBreak provides continuous, automated risk scoring for your AI portfolio.

What We Measure

Provider Concentration

How dependent are you on individual AI providers? Single-provider concentration increases operational risk.

Signal Impact

When providers announce changes, how many of your workflows are affected? Higher impact = higher risk.

Governance Maturity

How well do your controls align with ISO 42001, NIST AI RMF, and EU AI Act requirements?

Operational Criticality

Risk scores are weighted by workflow criticality — mission-critical systems count more.

Risk Levels

Score  | Level       | Meaning
-------|-------------|--------------------------------------------
0-25   | 🟢 Low      | Well-diversified, strong governance posture
26-50  | 🟡 Moderate | Some concentration or control gaps
51-75  | 🟠 Elevated | Significant exposure requiring attention
76-100 | 🔴 High     | Critical risk, immediate action recommended

Governance Foundation

Before risk scoring begins, SignalBreak requires four foundational elements:

Foundation          | Purpose                                          | Configuration
--------------------|--------------------------------------------------|--------------------------------------------------
Business Sector     | Sets industry-specific risk tolerances           | Governance → Risk Appetite → Select sector
Risk Appetite (RAG) | Defines Red/Amber/Green thresholds               | Governance → Risk Appetite → Configure thresholds
MIT Framework       | Provides structured risk taxonomy                | Auto-loaded (7 domains, 24 subdomains)
RACI Roles          | Assigns accountability for governance activities | Governance → RACI Model → Assign roles

Start Here

Configure these foundation elements before creating workflows. Risk scoring requires sector-specific thresholds and RACI assignments to produce meaningful results.


MIT AI Risk Framework

SignalBreak integrates the MIT AI Risk Repository (CC BY 4.0) — an academic taxonomy of AI risks developed at MIT for structured risk classification.

Framework Structure

The MIT framework organizes risks into 7 domains with 24 subdomains:

Domain                           | Subdomains                             | Example Risk
---------------------------------|----------------------------------------|-----------------------------------------------
1. Discrimination & Bias         | Fairness, Representation, Stereotyping | Model discriminates against protected groups
2. Privacy & Security            | Data Protection, Unauthorized Access   | Training data leaks sensitive information
3. Misinformation                | False Content, Manipulation            | Model generates misleading information
4. Malicious Use                 | Dual-Use, Weaponization                | Technology repurposed for harmful applications
5. Human-Computer Interaction    | Over-Reliance, Deskilling              | Users trust AI without verification
6. Socioeconomic & Environmental | Job Displacement, Energy Use           | Automation eliminates jobs, carbon footprint
7. AI System Safety              | Robustness, Interpretability           | Model fails unexpectedly, decisions opaque

Each workflow risk in SignalBreak is classified using an MIT subdomain code (e.g., 1.1, 3.2, 7.4).

Risk Code Format

Risks are identified with codes in the format: subdomain_code/workflow_initials

Example: 2.1/CHRA

  • 2.1 = MIT subdomain "Data Protection & Privacy"
  • CHRA = Workflow initials "Customer HR Assistant"

This format enables:

  • Quick identification of risk type
  • Grouping risks by MIT domain for reporting
  • Cross-workflow risk analysis

Mitigation Library

SignalBreak includes 831 pre-mapped mitigations extracted from 13 governance frameworks:

Framework                    | Mitigations | Focus
-----------------------------|-------------|----------------------------
NIST AI RMF                  | 120+        | Risk management process
EU AI Act                    | 95+         | Legal compliance (EU)
ISO 42001                    | 85+         | Management system standard
OECD AI Principles           | 50+         | Ethics and trust
Singapore Model AI Framework | 40+         | Practical implementation
+ 8 more frameworks          | 441+        | Sector-specific guidance

Each mitigation is:

  • Categorized into 4 categories and 23 subcategories
  • Mapped to relevant MIT subdomains with relevance scores (1.0 = primary, 0.8 = secondary, 0.5 = tertiary)
  • Documented with implementation examples
  • Attributed with source framework and citation URL

How it works:

  1. Identify a risk and classify it using its MIT subdomain (e.g., 3.2 = "Misinformation")
  2. SignalBreak suggests relevant mitigations ranked by relevance score
  3. Select mitigations to apply as controls in your workflow
  4. Document treatment status (Mitigated, Accepted, Transferred, Avoided)

To access:

  • Navigate to Workflows → Select a workflow → Risk Tab
  • Click on a risk → View suggested mitigations
  • Or navigate to Governance → Mitigations to browse the full library

Framework Attribution

The MIT AI Risk Repository is used under CC BY 4.0 license: Slattery, P., Saeri, A. K., Besiroglu, T., Burden, J., Juneja, J., et al. (2024). The AI Risk Repository. Available at: https://airisk.mit.edu


Business Sector Selection

SignalBreak customizes risk tolerances based on your industry sector. Different sectors have different regulatory requirements and risk appetites.

Why Sector Matters

Sector                | Risk Tolerance | Reason
----------------------|----------------|---------------------------------------------------
Financial Services    | Low            | Strict regulation (GDPR, Basel III, MiFID II)
Healthcare            | Low            | Patient safety, HIPAA, medical device regulations
Government/Public     | Low            | Public accountability, transparency requirements
Education             | Medium         | Moderate oversight, student data protection
Technology            | Medium         | Fast-paced innovation, lighter regulation
Retail/E-commerce     | Medium         | Consumer protection, payment security
Manufacturing         | Medium         | Safety standards, operational continuity
Professional Services | Medium         | Client confidentiality, professional standards
Media & Entertainment | High           | Creative freedom, rapid iteration
Telecommunications    | Medium         | Infrastructure criticality, regulatory oversight

Available Sectors

SignalBreak includes 10 common sectors with pre-configured risk appetite thresholds:

Sector                | Tolerance Level | Low Threshold (Green) | Medium Threshold (Amber) | Review Frequency
----------------------|-----------------|-----------------------|--------------------------|-----------------
Financial Services    | Low             | 20%                   | 50%                      | Monthly
Healthcare            | Low             | 20%                   | 50%                      | Monthly
Government/Public     | Low             | 25%                   | 55%                      | Monthly
Education             | Medium          | 30%                   | 60%                      | Quarterly
Retail/E-commerce     | Medium          | 35%                   | 65%                      | Quarterly
Technology            | Medium          | 35%                   | 65%                      | Quarterly
Manufacturing         | Medium          | 30%                   | 60%                      | Quarterly
Professional Services | Medium          | 35%                   | 65%                      | Quarterly
Media & Entertainment | High            | 40%                   | 70%                      | Quarterly
Telecommunications    | Medium          | 30%                   | 60%                      | Monthly

How to Select Your Sector

  1. Navigate to Governance → Risk Appetite
  2. Click Seed Common Sectors to load all 10 pre-configured sectors
  3. Click Select as Default next to your industry sector
  4. Your selected sector determines:

[Screenshot: Risk Appetite sector selection page showing available business sectors]

  • RAG threshold defaults for risk scoring
  • Governance report baselines
  • Recommended review frequencies
  • Industry benchmarking comparisons

Custom Sectors

You can also create custom sectors if your industry isn't listed. Click Add Sector and configure thresholds manually.


Risk Appetite Configuration (RAG Thresholds)

Risk appetite defines your organization's tolerance for AI-related risks using RAG (Red/Amber/Green) thresholds.

RAG Color System

┌──────────────────────────────────────────────────────────┐
│  RISK SCORE CALCULATION                                  │
├──────────────────────────────────────────────────────────┤
│  0% ────────────────────────────────────────────── 100%  │
│  🟢 GREEN           🟡 AMBER             🔴 RED           │
│  (Acceptable)       (Monitor)        (Action Required)   │
└──────────────────────────────────────────────────────────┘

Thresholds:
• ≤ threshold_low        → 🟢 GREEN (risk acceptable)
• threshold_low < x ≤ threshold_medium → 🟡 AMBER (requires monitoring)
• > threshold_medium     → 🔴 RED (immediate action required)

Threshold Configuration

Each sector has customizable thresholds:

Threshold               | Meaning                             | Example (Financial Services)
------------------------|-------------------------------------|-----------------------------
Low (Green boundary)    | Upper limit of acceptable risk      | 20%
Medium (Amber boundary) | Upper limit of tolerable risk       | 50%
High (Red zone)         | Unacceptable risk requiring action  | >50%

Example:

  • Risk score of 15% → 🟢 Green (well below 20% threshold)
  • Risk score of 35% → 🟡 Amber (between 20-50%, monitor closely)
  • Risk score of 65% → 🔴 Red (exceeds 50%, immediate remediation required)

Configuring Risk Appetite

To configure thresholds:

  1. Navigate to Governance → Risk Appetite
  2. Click Edit (pencil icon) next to a sector
  3. Adjust the threshold percentages:
     • Threshold Low: Maximum % for GREEN status
     • Threshold Medium: Maximum % for AMBER status
     • Anything above medium = RED
  4. Set Review Frequency: How often to reassess (Weekly/Monthly/Quarterly/Annually)
  5. Click Save

Changes apply immediately to:

  • Dashboard risk score colors
  • Governance framework compliance reports
  • Risk Register status indicators
  • Evidence pack RAG assessments

Sector-Specific Thresholds

Some industries (Financial Services, Healthcare, Government) require stricter thresholds due to regulatory obligations. Don't set thresholds too high for regulated industries.

Tolerance Levels

Each sector also has a tolerance level indicating overall risk appetite:

Level  | Description                           | Sectors
-------|---------------------------------------|----------------------------------------------
Low    | Conservative, risk-averse             | Financial Services, Healthcare, Government
Medium | Balanced risk/innovation              | Technology, Education, Retail, Manufacturing
High   | Innovation-focused, accepts more risk | Media & Entertainment, Startups

This level is informational and guides threshold recommendations, but the actual threshold percentages determine RAG colors.


RACI Model Integration

SignalBreak uses RACI (Responsible, Accountable, Consulted, Informed) to assign clear accountability for governance activities and workflow ownership.

What is RACI?

Role            | Meaning                                   | Example
----------------|-------------------------------------------|------------------------------------
R (Responsible) | Does the work                             | AI Engineer implements mitigation
A (Accountable) | Owns the outcome (only one per activity)  | VP Engineering approves deployment
C (Consulted)   | Provides input                            | Security team reviews architecture
I (Informed)    | Kept in the loop                          | Executives receive status updates

Two-Layer RACI System

SignalBreak implements RACI at two levels:

1. Workflow-Level RACI (per AI system)

Each workflow has 5 optional RACI roles:

Role           | Required? | Typical Assignment            | Responsibility
---------------|-----------|-------------------------------|---------------------------
Workflow Owner | ✅ Yes    | AI Engineer, Product Manager  | Day-to-day management (R)
Exec Sponsor   | Optional  | VP, Director                  | Decision authority (A)
Platform Lead  | Optional  | Infrastructure Lead           | Technical operations (C)
AI/ML Lead     | Optional  | ML Engineer, Data Scientist   | Model governance (C)
GRC Lead       | Optional  | Compliance Officer            | Risk & governance (C)

How to assign workflow RACI:

  1. Navigate to Workflows → Select a workflow
  2. Go to Ownership Tab
  3. Fill in role details (name, email, role title)
  4. Click Save RACI Assignments

Required Field

Workflow Owner is mandatory. You cannot save a workflow without assigning an owner. Other roles are optional.

2. Governance Matrix RACI (organization-level)

Define organizational governance responsibilities using a matrix:

  • Rows = Governance Activities (e.g., "Risk Assessment Review," "Evidence Pack Preparation")
  • Columns = Organizational Roles (e.g., "Data Scientist," "Security Officer," "Compliance Lead")
  • Cells = Responsibility assignment (R, A, C, I)

How to configure governance RACI:

  1. Navigate to Governance → RACI Model
  2. View the matrix grid (Activities × Roles)
  3. Click a cell to cycle through: R → A → C → I → Empty
  4. Changes save automatically

[Screenshot: RACI matrix showing governance activity assignments across roles]

Example matrix:

Activity                  | Data Scientist | Security Officer | Compliance Lead | Exec Sponsor
--------------------------|----------------|------------------|-----------------|-------------
Risk Assessment Review    | R              | C                | A               | I
Evidence Pack Preparation | C              | C                | R               | A
Framework Mapping         | C              | I                | R               | A
Control Implementation    | R              | C                | C               | I

RACI Coverage Metrics

SignalBreak tracks RACI completeness across your organization:

Metric                | Formula                                               | Good Target
----------------------|-------------------------------------------------------|----------------------------------
Ownership %           | (Workflows with owner ÷ Total workflows) × 100        | ≥90%
Exec Sponsor Coverage | (Workflows with exec sponsor ÷ Total workflows) × 100 | ≥60% for Critical workflows
GRC Coverage          | (Workflows with GRC lead ÷ Total workflows) × 100     | ≥80% for High/Critical workflows

View these metrics in the Governance → Overview dashboard.

RACI & Risk Decisions

RACI roles are used when making risk treatment decisions:

Treatment                    | Typical Authority    | RACI Role
-----------------------------|----------------------|------------------------------------------
Mitigate (implement control) | Workflow Owner       | R (Responsible)
Accept risk £5k-£25k         | Committee            | Exec Sponsor (A)
Accept risk £25k-£100k       | Executive Leadership | Exec Sponsor (A)
Accept risk >£100k           | Board                | Exec Sponsor (A) must escalate
Transfer (insurance/vendor)  | Procurement + GRC    | GRC Lead (R)
Avoid (stop using feature)   | Product Owner        | Workflow Owner (R) + Exec Sponsor (A)

See Risk Management documentation for full authority matrix details.


Scoring Methodology

SignalBreak's risk scoring combines all governance foundation elements:

┌─────────────────────────────────────────────────────────┐
│  RISK SCORE CALCULATION                                 │
├─────────────────────────────────────────────────────────┤
│                                                          │
│  1. MIT FRAMEWORK                                        │
│     • Classify risks using MIT subdomains (1.1-7.4)     │
│     • Suggest mitigations from 831-control library      │
│                                                          │
│  2. BUSINESS SECTOR                                      │
│     • Apply sector-specific risk tolerances             │
│     • Compare against industry benchmarks               │
│                                                          │
│  3. RAG THRESHOLDS                                       │
│     • Calculate risk score (0-100%)                     │
│     • Map to Green/Amber/Red using sector thresholds    │
│                                                          │
│  4. RACI ACCOUNTABILITY                                  │
│     • Assign ownership to workflows & activities        │
│     • Track treatment responsibility                    │
│     • Measure governance coverage                       │
│                                                          │
│  5. CONTEXTUAL FACTORS                                   │
│     • Provider intelligence (health, incidents)         │
│     • Workflow criticality (Low/Medium/High/Critical)   │
│     • Signal impact (how many workflows affected)       │
│     • Provider concentration (diversification)          │
│                                                          │
└─────────────────────────────────────────────────────────┘

FINAL SCORE = Weighted combination of all factors
              adjusted by sector-specific RAG thresholds
              displayed as Green/Amber/Red indicator

Weighting Factors

Factor                  | Weight | Rationale
------------------------|--------|------------------------------------------
Governance Maturity     | 35%    | Controls reduce risk
Provider Concentration  | 25%    | Diversification reduces operational risk
Signal Impact           | 20%    | Incident frequency matters
Operational Criticality | 20%    | Mission-critical systems weighted higher
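As an added worked example (not SignalBreak's own code; the platform's exact formulas live under Governance → Methodology), the Python below combines the four weighted factors above and maps the result to a RAG colour using the per-sector thresholds from the Available Sectors table, including the boundary rules (≤ low is Green, exactly at medium is still Amber). It assumes each factor arrives as a 0-100 risk contribution (so governance is entered as a gap, 100 minus maturity) and that the combination is a plain weighted average; both are assumptions, not the published methodology.

```python
# Added illustration; the weighted-average form and 0-100 inputs are assumptions
# (Governance → Methodology holds the real formula). Sample values are constructed.
WEIGHTS = {  # "Weighting Factors" table, in percent; must sum to 100
    "governance_maturity": 35,      # supplied as a gap: 100 - maturity score
    "provider_concentration": 25,
    "signal_impact": 20,
    "operational_criticality": 20,
}
SECTOR_THRESHOLDS = {  # (threshold_low, threshold_medium) from "Available Sectors"
    "Financial Services": (20, 50),
    "Healthcare": (20, 50),
    "Government/Public": (25, 55),
    "Education": (30, 60),
    "Retail/E-commerce": (35, 65),
    "Technology": (35, 65),
    "Manufacturing": (30, 60),
    "Professional Services": (35, 65),
    "Media & Entertainment": (40, 70),
    "Telecommunications": (30, 60),
}

def weighted_risk_score(factors):
    """Combine per-factor risk contributions (0-100 each) into one 0-100 score."""
    if set(factors) != set(WEIGHTS):
        raise ValueError(f"expected factors {sorted(WEIGHTS)}, got {sorted(factors)}")
    if any(not 0 <= v <= 100 for v in factors.values()):
        raise ValueError("each factor must be a percentage in 0..100")
    assert sum(WEIGHTS.values()) == 100, "weights must sum to 100%"
    # Integer weights keep the arithmetic exact until the final division.
    return round(sum(WEIGHTS[k] * factors[k] for k in WEIGHTS) / 100, 1)

def rag_status(score, sector):
    """Apply the page's boundary rules: <= low -> GREEN,
    low < x <= medium -> AMBER, > medium -> RED."""
    low, medium = SECTOR_THRESHOLDS[sector]
    if score <= low:
        return "GREEN"
    if score <= medium:
        return "AMBER"
    return "RED"

if __name__ == "__main__":
    # Constructed sample: strong controls, but heavy reliance on one provider.
    sample = {"governance_maturity": 20, "provider_concentration": 60,
              "signal_impact": 20, "operational_criticality": 50}
    score = weighted_risk_score(sample)
    for sector in ("Financial Services", "Media & Entertainment"):
        print(f"{score}% is {rag_status(score, sector)} for {sector}")
```

The same 36% score is Amber for Financial Services but Green for Media & Entertainment, which is the sector-dependence the thresholds table describes.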

Detailed Formulas

Complete scoring formulas, weighting factors, and calculation examples are available in the platform under Governance → Methodology.

Continuous Monitoring

Unlike point-in-time audits, SignalBreak scores update continuously as:

  • New signals are detected
  • Provider health changes
  • Workflows are added or modified
  • Governance controls are implemented