Appendix A: Algorithmic Impact Assessment Template

Trigger	Assessment Required	Approvals Needed
New AI system development (High-Risk)	Full assessment before deployment	RAI Council + Executive Sponsor
New AI system development (Limited Risk)	Abbreviated assessment	Model Owner + RAI Representative
Significant changes to existing system	Updated assessment	Based on change risk level
Third-party AI procurement (High-Risk use)	Deployment assessment	RAI Council + Procurement
Annual review of High-Risk systems	Reassessment	Model Owner

Section 1: System Identification

1.1 Assessment ID

Unique identifier for this assessment (auto-generated or assigned)

1.2 AI System Name

Official name of the AI system

1.3 System Version

Version being assessed

1.4 Assessment Date

1.5 Assessment Type

1.6 Assessment Lead

Person responsible for completing this assessment

1.7 Model Owner

Person accountable for the AI system

1.8 Executive Sponsor

Senior executive accountable for business outcomes

Section 2: System Description & Purpose

2.1 System Purpose & Business Objective

Describe what the AI system does and the business problem it solves. Be specific about intended outcomes.

2.2 AI Technology Type

Select all that apply

Traditional Machine Learning (classification, regression) Deep Learning (neural networks) Computer Vision Natural Language Processing Large Language Model / Generative AI Recommendation System Robotic Process Automation with AI Reinforcement Learning Other (specify below)

2.3 System Architecture Overview

Describe the technical architecture including key components, data flows, and integration points

2.4 Intended Use Cases

List specific use cases and scenarios where the system will be deployed

2.5 Out-of-Scope Uses

List use cases for which the system is NOT intended and should not be used

2.6 Deployment Context

2.7 Geographic Scope

Where will the system be deployed? Select all that apply.

United States European Union / EEA United Kingdom Canada Asia Pacific Latin America Other (specify below) Global

2.8 Expected User Volume

Estimated number of users/subjects affected

Section 3: Risk Classification

3.1 EU AI Act Risk Tier

Classify the system according to EU AI Act risk categories

3.2 High-Risk Category (if applicable)

If High-Risk, select the applicable EU AI Act Annex III category

Biometric identification and categorization Critical infrastructure management Education and vocational training Employment, workers management, self-employment access Access to essential services (credit, healthcare, etc.) Law enforcement Migration, asylum, border control Administration of justice and democratic processes Not applicable (not high-risk)

3.3 Justification for Risk Classification

Explain the reasoning behind the risk classification

3.4 Domain-Specific Regulations

List any sector-specific regulations that apply

Financial Services (SEC, FCA, Basel, etc.) Healthcare (HIPAA, FDA, MDR, etc.) Employment (EEOC, labor laws) Consumer Protection (FTC, CFPB) Telecommunications Other (specify below) None applicable

Section 4: Data Assessment

4.1 Training Data Sources

List all data sources used for training

4.2 Training Data Volume & Time Range

Describe the size and temporal scope of training data

4.3 Data Contains Personal Information?

4.4 Lawful Basis for Data Processing

What is the legal basis under GDPR/applicable law?

Consent Contractual necessity Legal obligation Vital interests Public interest / Official authority Legitimate interests Not applicable (no personal data)

4.5 Data Rights & Licenses

Document data rights, licenses, and any restrictions

4.6 Bias Assessment - Training Data

Describe analysis of potential bias in training data

4.7 Data Quality Assessment

Describe data quality checks and known limitations

Section 5: Stakeholder & Impact Analysis

5.1 Primary Stakeholders

Who are the direct users and subjects of this AI system?

5.2 Secondary Stakeholders

Who else may be indirectly affected?

5.3 Vulnerable Groups Analysis

Identify any vulnerable populations who may be affected and how

Children / Minors Elderly People with disabilities Economically disadvantaged Racial / Ethnic minorities Non-native language speakers Individuals with limited digital literacy Other (specify below) No vulnerable groups identified

5.4 Decision Significance

What is the significance of decisions made or influenced by this system?

5.5 Potential Harms

Identify potential negative impacts

Harm Category	Applicable?	Description & Severity
Physical Safety
Financial Harm
Discrimination / Civil Rights
Privacy Violation
Psychological / Emotional
Reputational (to subjects)
Access to Services / Opportunities
Autonomy / Manipulation

5.6 Potential Benefits

Identify positive impacts for stakeholders

Section 6: Fairness Assessment

6.2 Fairness Definition Selected

What fairness criteria will be used to evaluate the system?

Demographic Parity (equal selection rates) Equalized Odds (equal TPR/FPR across groups) Predictive Parity (equal precision across groups) Calibration (equal accuracy of probability estimates) Individual Fairness (similar treatment for similar individuals) Other (specify below)

6.3 Fairness Testing Methodology

Describe how fairness will be tested

6.4 Fairness Testing Results

Document results of fairness testing

6.5 Bias Mitigation Measures

Describe measures implemented to address bias

Section 7: Transparency & Explainability

7.1 Model Interpretability Level

7.2 Explanation Approach

How will decisions be explained to affected individuals?

7.3 User Disclosure Requirements

How will users be informed they are interacting with AI?

7.4 Documentation Completeness

Confirm documentation is complete

Model Card completed Data Card / Datasheet completed System architecture documented Training methodology documented Performance metrics documented Known limitations documented User documentation completed

Section 8: Human Oversight & Control

8.1 Automation Level

8.2 Justification for Automation Level

Explain why this level of automation is appropriate given the risks

8.3 Human Override Capability

Can human operators override AI decisions?

8.4 Appeal / Contestation Mechanism

How can affected individuals challenge AI-influenced decisions?

8.5 Human Reviewer Qualifications

What training/qualifications are required for human oversight?

8.6 Emergency Stop Capability

Can the system be immediately halted if needed?

Section 9: Security & Robustness

9.1 Security Assessment Completed

Confirm security reviews completed

Threat modeling completed Penetration testing completed Adversarial testing completed Data encryption verified Access controls verified Audit logging enabled

9.2 AI-Specific Security Risks

Assess ML-specific security risks

Risk	Applicable?	Mitigation
Adversarial Input Attacks
Data Poisoning
Model Extraction
Model Inversion
Prompt Injection (LLMs)

9.3 Reliability & Availability Requirements

What are the uptime and reliability requirements?

Section 10: Monitoring & Maintenance Plan

10.1 Performance Monitoring

Describe ongoing performance monitoring

10.2 Fairness Monitoring

Describe ongoing fairness monitoring

10.3 Drift Detection

How will data/concept drift be detected?

10.4 Incident Response Plan

How will AI-related incidents be handled?

10.5 Retraining Cadence

How often will the model be retrained?

10.6 Review Schedule

When will this AIA be reviewed?

Section 11: Overall Risk Summary & Decision

11.1 Overall Risk Rating

LOW RISK

Minor potential for harm; standard controls sufficient

MEDIUM RISK

Moderate potential for harm; enhanced controls required

HIGH RISK

Significant potential for harm; extensive controls required

11.2 Risk Summary Narrative

Summarize the key risks and mitigations

11.3 Residual Risks

What risks remain after mitigations?

11.4 Conditions for Deployment

What conditions must be met before deployment?

11.5 Decision

11.6 Decision Rationale