COMPEL Certification Body of Knowledge — Module 4.3: Cross-Organizational Governance and Policy Harmonization
Article 3 of 10
The NIST Artificial Intelligence Risk Management Framework (AI RMF 1.0), published by the National Institute of Standards and Technology in January 2023, provides a voluntary framework for managing risks associated with AI systems. Unlike ISO 42001, which is a certifiable management system standard, the AI RMF is a risk-based guidance framework designed to be flexible, adaptable, and implementable across organizations of all sizes and sectors. For the EATP Lead, the AI RMF provides a comprehensive risk governance architecture that complements COMPEL's transformation methodology and connects to the broader NIST risk management ecosystem.
Understanding the AI RMF
The AI RMF is organized around two primary components:
Part 1: Foundational Information
Part 1 establishes the conceptual foundation for AI risk management, addressing:
- AI risks and trustworthiness: How AI systems can produce harmful outcomes and what characteristics make AI systems trustworthy — validity and reliability, safety, security and resilience, accountability and transparency, explainability and interpretability, privacy, and fairness with bias management
- AI risk management stakeholders: The diverse set of actors involved in AI risk management across the AI lifecycle
- AI risk management throughout the AI lifecycle: How risk management applies from conception through deployment and beyond
Part 2: Core and Profiles
Part 2 provides the operational framework organized into four functions:
GOVERN: Establish and maintain the policies, processes, procedures, and practices to manage AI risks. This is the cross-cutting function that informs and is informed by all other functions.
MAP: Identify the context and scope of AI systems, including their intended and potential uses, to inform risk assessment.
MEASURE: Employ quantitative, qualitative, or mixed methods to analyze, assess, benchmark, and monitor AI risk.
MANAGE: Allocate risk resources, plan for risk response, and act on risk priorities.
Each function is broken into categories and subcategories, with suggested actions and outcomes that organizations can adapt to their specific context.
COMPEL-AI RMF Alignment
Function-to-Stage Mapping
The AI RMF's four functions map to COMPEL's lifecycle stages and governance domains:
| AI RMF Function | COMPEL Alignment | Integration |
|---|---|---|
| GOVERN | Governance Domains 14-18 + Portfolio Governance (M4.1) | COMPEL's governance architecture provides the organizational structures, policies, and processes that GOVERN requires |
| MAP | Calibrate Stage + Domains 1-3 | COMPEL's maturity assessment and strategic analysis provide the contextual understanding that MAP requires |
| MEASURE | Evaluate Stage + Domain 17 | COMPEL's measurement methodology provides the assessment capability that MEASURE requires |
| MANAGE | Produce Stage + Portfolio Risk (M4.1, Art 5) | COMPEL's execution governance and portfolio risk management provide the operational risk management that MANAGE requires |
Detailed Category Mapping
The EATP Lead maps each AI RMF subcategory to specific COMPEL practices:
GOVERN 1 — Policies, processes, procedures, and practices: COMPEL's governance framework development directly produces the governance infrastructure that this category requires. The EATP Lead ensures that AI governance policies developed through COMPEL explicitly address the NIST trustworthiness characteristics.
GOVERN 2 — Accountability structures: COMPEL's organizational design (from Module 3.2) and portfolio governance (from Module 4.1) establish the accountability structures — roles, responsibilities, decision rights, and reporting relationships — that this category demands.
GOVERN 3 — Workforce diversity, equity, inclusion, and accessibility: COMPEL's people domains (Domains 4-5) address talent strategy and organizational capability. The EATP Lead extends these domains to explicitly address the workforce diversity and equity considerations that the AI RMF highlights.
GOVERN 4 — Organizational culture: COMPEL's culture domain (Domain 3) addresses the organizational culture required for effective AI governance, including a culture of risk awareness, ethical sensitivity, and continuous improvement.
GOVERN 5 — Processes for engagement with AI actors: COMPEL's stakeholder engagement practices address internal and external engagement with AI stakeholders — developers, deployers, affected communities, regulators, and others.
GOVERN 6 — Policies and procedures for third-party AI: Cross-organizational governance from this module (M4.3) addresses the governance of AI systems developed, deployed, or operated by third parties.
MAP categories: COMPEL's Calibrate stage produces the contextual analysis, use case mapping, and risk identification that MAP requires. The EATP Lead ensures that calibration explicitly addresses the MAP subcategories — intended purposes, potential impacts, sociotechnical context, and known limitations.
MEASURE categories: COMPEL's Evaluate stage and measurement framework provide the qualitative and quantitative risk assessment capabilities that MEASURE requires. The EATP Lead extends measurement to include the specific metrics and methods that the AI RMF recommends — fairness metrics, explainability assessments, robustness testing, and privacy impact assessments.
MANAGE categories: COMPEL's portfolio risk management from Module 4.1, Article 5: Portfolio Risk Aggregation and Enterprise Risk Exposure provides the risk response planning and resource allocation that MANAGE requires.
Enterprise-Scale Implementation
Implementing the AI RMF at enterprise scale introduces challenges beyond those addressed in the framework itself:
Tiered Implementation
Not every AI system in the enterprise requires the same level of risk management rigor. The EATP Lead designs a tiered implementation that calibrates AI RMF application based on the risk profile of each AI system:
Tier 1 — Minimal Risk: Low-impact AI applications (internal analytics, simple automations) receive streamlined risk assessment — a lightweight version of MAP and MEASURE with standard risk acceptance.
Tier 2 — Moderate Risk: Business-critical AI applications (customer-facing analytics, process optimization, predictive maintenance) receive full MAP and MEASURE assessment with documented risk treatment.
Tier 3 — High Risk: AI applications with significant impact on individuals or the organization (credit decisioning, healthcare diagnostics, safety-critical systems) receive comprehensive risk assessment with enhanced governance, independent review, and ongoing monitoring.
Tier 4 — Critical Risk: AI applications in regulated domains or with potential for significant harm receive the most rigorous implementation — comprehensive assessment, independent validation, continuous monitoring, and board-level oversight.
Organizational Structure
Enterprise-scale AI RMF implementation requires organizational support:
AI Risk Management Function: A dedicated or embedded function responsible for AI risk management across the enterprise. This function may be part of the enterprise risk management (ERM) function, the AI Center of Excellence, or a standalone unit.
AI Risk Champions: Distributed expertise in business units and program teams — professionals who understand AI risk management and can apply the AI RMF in their local context.
AI Risk Governance Board: A governance body that oversees enterprise-level AI risk management, reviews risk assessments for high and critical-risk AI systems, and makes risk acceptance decisions.
Integration with Enterprise Risk Management
The AI RMF must integrate with the organization's existing ERM framework. The EATP Lead designs this integration to ensure that:
- AI risks are represented in the enterprise risk register alongside financial, operational, regulatory, and strategic risks
- AI risk reporting feeds into enterprise risk reporting to the board risk committee
- AI risk appetite is established within the enterprise risk appetite framework
- AI risk management processes leverage existing ERM infrastructure — risk assessment methodologies, risk reporting tools, risk governance structures
AI RMF Profiles and Playbooks
NIST publishes AI RMF Profiles and Playbooks that provide sector-specific and use-case-specific guidance. The EATP Lead leverages these resources:
Generative AI Profile: Additional risk management guidance for generative AI systems, addressing hallucination, content provenance, intellectual property, and misuse risks.
Sector-specific profiles: Guidance tailored to specific sectors — financial services, healthcare, government — that addresses the unique AI risk landscape of each sector.
The EATP Lead adapts these profiles to the organization's specific context, using them as accelerators for AI RMF implementation rather than starting from first principles.
Cross-Organizational AI RMF
In multi-entity contexts, the AI RMF's emphasis on the AI lifecycle — from conception through deployment and monitoring — creates governance challenges when different organizations are responsible for different lifecycle stages. A model developed by one organization, deployed by another, and consumed by a third requires coordinated risk management across all three.
The EATP Lead designs cross-organizational AI RMF implementation that:
- Establishes shared risk assessment standards across organizations
- Defines risk management responsibilities at each lifecycle stage
- Creates risk information exchange protocols between organizations
- Ensures that downstream deployers have visibility into upstream development risks
This cross-organizational risk management connects directly to the governance architecture principles established in Module 4.3, Article 1: Cross-Organizational Governance Architecture Design.
The next article, Module 4.3, Article 4: Multi-Jurisdictional Regulatory Harmonization, addresses the challenge of governing AI across multiple regulatory regimes — a challenge that every multinational organization and many cross-organizational partnerships must confront.
© FlowRidge.io — COMPEL AI Transformation Methodology. All rights reserved.