
How to conduct an AI risk assessment

12 June 2026

Charity Digital explains how charities can evaluate the risks associated with artificial intelligence (AI) and put controls in place to mitigate them with an effective risk assessment...

All digital tools come with an element of risk, such as their environmental footprint or the risk of a cyber breach, to name just two. However, when it comes to artificial intelligence (AI), despite the developing nature of the technology, just one in five charities said they were conducting regular assessments of AI risks, according to the ‘Charity Digital Skills Report 2025’.

The report also revealed a particular appetite for leadership in managing those risks, with a third of organisations saying they would like their CEO to prioritise understanding risks and opportunities associated with emerging technology. 

To that end, the Charity Digital Code of Practice also advises that charities evaluate all digital tools, including AI, alongside their values, ensuring that they align with their commitments to integrity, inclusivity, accountability, fairness, and openness. 

“This includes using AI responsibly and considering areas such as the use of data in partnerships, understanding how adopting AI will impact marginalised communities, and deciding which social platforms to prioritise.” 

This is where an AI risk assessment comes in. Risk assessments can have many purposes, from workplace risk assessments (managing risks associated with the office or remote working) to event risk assessments aimed at keeping volunteers and participants safe as they advocate for your cause.  

An AI risk assessment can help you understand the potential impacts of AI and show teams exactly the actions they can take to tackle them.   

A risk assessment for AI does not have to be any more complex than a usual risk assessment. But there are some considerations worth taking into account. Below, we share four steps to creating a great AI risk assessment, one that’ll help your charity use the technology responsibly and with purpose.  

Make note of AI’s risks 

The place to start when conducting a risk assessment is listing the risks. This is a space to list all the hazards that you, your service users, your volunteers, or anyone working with you, may face as a result of using AI, no matter what the likelihood. At this stage, it is about knowing the risks exist – later you will prioritise them.

Risks you might encounter when using AI could include the spread of misinformation, hallucinations, data breaches, and data bias. You should also consider the environmental impact of AI use at this stage, particularly in the context of any sustainability commitments you have.

It is worth saying that listing the risks doesn’t necessarily preclude you from using AI tools, and at this stage you don’t have to make a firm decision. This stage of the risk assessment is about thinking about what could cause harm so you can employ controls to prevent it later.

Map out who might be impacted by the risks 

Once you have listed your risks, the next step is to understand who will be affected by them, including volunteers, trustees, and service users.  

Knowing who is most likely to be affected will help you determine how big the impact could be and make an informed decision as to whether the benefits of using AI outweigh the costs. It also helps you establish what measures need to be put in place to support those people affected should the risk occur.  

Charities exist for the benefit of the communities they serve. Using AI should align with that purpose and if the risks disproportionately impact charity stakeholders, charities need to think about what they can do about it, whether it’s investing in more cyber security tools or avoiding certain AI tools completely.  

Prioritise risks and establish controls on AI use 

The next stage of the AI risk assessment involves prioritising your risks according to likelihood and impact. Which are the most likely to happen and which ones will have the worst impact on your charity?  

You could give each risk a rating. For example, on a scale of one to five, how likely is this risk to become a reality? You should give a rating to both likelihood and impact. Risks that are unlikely but may have huge repercussions if they do happen are still important to prepare for.  

The impact of a data breach, for example, could be vast if it involves the data of service users and donors, and such breaches are not uncommon. However, with potential data breaches at the top of the risk agenda, charities can ensure proper cyber security measures are employed to prevent them, like only working with third-party tools with proper security accreditation.  

Indeed, once you’ve sorted through your risks, now is the time to assess how you can mitigate them. The controls you put in place are perhaps the most important part of your AI risk assessment: they will inform what responsible use of AI looks like in your organisation.

Share the risk assessment with your teams 

Now you have a better idea of what responsible use of AI looks like, it is time to share that knowledge with your teams. Knowledge of the risks and how to prevent them will help everyone in your charity understand why using AI responsibly is so important.  

Sharing the AI risk assessment should also help reduce the use of “shadow AI”, whereby employees use AI for work on an individual level, without the permission of their organisation and without the measures put in place to ensure it is used safely.  

Sharing risks of AI usage with your wider team may also unearth further risks you haven’t yet considered. Teams working directly with service users may know more about the data that will be used to inform AI outputs, for instance, and what risks might happen as a result.  

It is important to remember that a risk assessment is a living document – it exists to help organisations make informed decisions that will keep them safe. An AI risk assessment will evolve over time, as the technology develops, and so it should be reviewed regularly and kept somewhere that people can access easily.

AI risk assessments should form the basis of your AI training and your AI policies. Conducting a risk assessment is an acknowledgement that AI usage is not without its risks and only by assessing them can you put the appropriate protocols in place to reduce their impact.  
