AI Risk Assessment Template
Risk assessment template for evaluating M365 Copilot use cases and deployment scenarios in financial services environments.
Disclaimer
This playbook is provided for informational purposes only and does not constitute legal or regulatory advice. Consult legal counsel for specific compliance requirements.
Assessment Information
| Field | Value |
|---|---|
| Assessment ID | [AI-RA-YYYY-NNN] |
| Use Case Name | [Name of the Copilot use case] |
| Business Sponsor | [Name and department] |
| Assessment Date | [YYYY-MM-DD] |
| Assessor | [Name and role] |
| Review Status | [Draft / Under Review / Approved / Rejected] |
Use Case Description
Purpose
[Describe the intended use of Copilot for this scenario. What business problem does it solve?]
Users
[Who will use Copilot for this use case? Departments, roles, estimated user count.]
Data Sources
[What data will Copilot access for this use case? SharePoint sites, document libraries, email, Teams.]
Expected Outputs
[What will Copilot generate? Summaries, drafts, analysis, recommendations.]
Risk Identification
Data Privacy Risks
| Risk ID | Risk Description | Likelihood | Impact | Risk Level |
|---|---|---|---|---|
| DP-1 | Copilot surfaces PII from one client in another client's context | [L/M/H] | [L/M/H] | [L/M/H/C] |
| DP-2 | Copilot-generated content includes data from restricted sources | [L/M/H] | [L/M/H] | [L/M/H/C] |
| DP-3 | Content created by Copilot is shared more broadly than source data permissions allow | [L/M/H] | [L/M/H] | [L/M/H/C] |
Regulatory Compliance Risks
| Risk ID | Risk Description | Likelihood | Impact | Risk Level |
|---|---|---|---|---|
| RC-1 | Copilot output used in regulated communications without supervisory review | [L/M/H] | [L/M/H] | [L/M/H/C] |
| RC-2 | AI-generated content not properly retained per records requirements | [L/M/H] | [L/M/H] | [L/M/H/C] |
| RC-3 | Information Barrier bypass through Copilot content grounding | [L/M/H] | [L/M/H] | [L/M/H/C] |
Operational Risks
| Risk ID | Risk Description | Likelihood | Impact | Risk Level |
|---|---|---|---|---|
| OP-1 | Copilot generates inaccurate content used for business decisions | [L/M/H] | [L/M/H] | [L/M/H/C] |
| OP-2 | Users over-rely on Copilot outputs without verification | [L/M/H] | [L/M/H] | [L/M/H/C] |
| OP-3 | Copilot performance degradation impacts business operations | [L/M/H] | [L/M/H] | [L/M/H/C] |
Reputational Risks
| Risk ID | Risk Description | Likelihood | Impact | Risk Level |
|---|---|---|---|---|
| RP-1 | Client-facing content generated by AI causes reputational harm | [L/M/H] | [L/M/H] | [L/M/H/C] |
| RP-2 | Public disclosure of AI-related data incident | [L/M/H] | [L/M/H] | [L/M/H/C] |
Risk Scoring Matrix
| | Low Impact | Medium Impact | High Impact |
|---|---|---|---|
| High Likelihood | Medium | High | Critical |
| Medium Likelihood | Low | Medium | High |
| Low Likelihood | Low | Low | Medium |
Controls Assessment
For each identified risk, document existing and additional controls:
| Risk ID | Existing Controls | Additional Controls Needed | Residual Risk |
|---|---|---|---|
| DP-1 | RSS, DLP, sensitivity labels | [Identify if additional controls needed] | [L/M/H] |
| DP-2 | Information Barriers, RSS | [Identify if additional controls needed] | [L/M/H] |
| RC-1 | Supervisory procedures, audit logging | [Identify if additional controls needed] | [L/M/H] |
Risk Acceptance Decision
| Decision | Approved By | Date | Conditions |
|---|---|---|---|
| [Accept / Accept with conditions / Reject] | [Name and role] | [Date] | [Any conditions for acceptance] |
Residual risk summary: [Overall residual risk level after controls are applied]
Review schedule: [When this assessment should be reviewed — recommended: annually or when the use case scope changes]
Assessment Signatures
| Role | Name | Signature | Date |
|---|---|---|---|
| Business Sponsor | | | |
| Risk Assessor | | | |
| CISO / Risk Approver | | | |
| Compliance Officer | | | |
Complete this assessment for each new Copilot use case. Store completed assessments in the risk management repository with 7-year retention.
FSI Copilot Governance Framework v1.2.1 - March 2026