Understand what could go wrong, before you deploy AI.
Comprehensive risk assessment designed for New Zealand organisations. We identify operational, privacy, ethical, and regulatory risks before they become costly problems, aligned with the Privacy Act 2020, FMA and RBNZ expectations, and Te Tiriti o Waitangi obligations.
What an assessment delivers.
Risk register
A comprehensive register with severity ratings and likelihood assessments across all five dimensions.
Risk heat map
Scenario analysis and impact assessment showing financial, reputational, regulatory, and cultural harm pathways.
Treaty-aware controls
Cultural controls including iwi consultation processes and Māori data governance protocols rooted in kaitiakitanga.
Control framework
Prioritised implementation roadmap with technical, process, governance, and cultural controls. Residual risk documented.
Why generic risk frameworks miss the point.
Traditional risk frameworks were not built to capture AI-specific risks like algorithmic bias, model drift, explainability failures, or Māori data sovereignty concerns. Aotearoa adds layers that generic international frameworks miss entirely.
- 01 AI-specific exposure
Enterprise risk registers miss AI-native categories.
AI introduces categories your existing register never anticipated: training data quality and representativeness, model drift over time, algorithmic bias against Māori and Pacific communities, explainability failures in automated decisions, and cultural impacts on tangata whenua. Without AI-specific assessment, these risks remain invisible until they cause harm.
- 02 Evolving rules
Regulatory expectations are still forming.
The Privacy Act 2020 does not mention AI explicitly. The FMA and RBNZ have not issued AI-specific rules. The Public Service AI Framework is voluntary. The OECD AI Principles provide direction but lack prescriptive detail. Compliance risk has to be assessed against ambiguity, and our consultants help you navigate that ambiguity and prepare for what comes next.
- 03 Constitutional obligation
Te Tiriti demands specialised assessment.
If your AI systems process Māori data or affect Māori communities, Te Tiriti o Waitangi obligations apply. Cultural risks, Māori data sovereignty concerns, and the principle of kaitiakitanga require assessment frameworks grounded in te ao Māori. Most risk teams lack these capabilities, and international frameworks provide no guidance on these uniquely New Zealand requirements.
- 04 In force
Self-assessment is the regulator's expectation.
Aotearoa released its first National AI Strategy in July 2025, the last OECD country to do so. The strategy adopted a light-touch, principles-based approach aligned with the OECD AI Principles. Businesses and government agencies must self-assess AI risks rather than follow a prescriptive checklist. The Privacy Commissioner enforces the Privacy Act 2020 across all data processing, including AI systems. The FMA and RBNZ expect regulated entities to manage AI-related risks under existing obligations. For organisations handling Māori data, Te Tiriti creates additional obligations around data sovereignty, cultural safety, and the protection of mana.
Our four-step assessment approach.
Not theoretical risk scoring, but practical assessment of what could actually go wrong in the New Zealand context and what controls your organisation needs.
Step 01
Understand the system and its context
We examine what the AI system does, how it works, what data it uses, and what decisions it informs or automates. We document the technical architecture, data pipelines, model characteristics, and integration points. We also examine the organisational context: who procured the system, what governance exists, and how it interacts with New Zealand's regulatory requirements, including the Privacy Act 2020 and any sector-specific obligations under the FMA or RBNZ.
DELIVERABLE · System documentation, data flow diagrams, regulatory mapping
Step 02
Identify risks across five dimensions
We assess across five categories tailored to NZ: operational (model failure, data quality, vendor concentration), privacy (Privacy Act 2020 compliance, cross-border data flows, automated decision-making), ethical (algorithmic bias against Māori and Pacific populations, fairness, transparency), regulatory (FMA / RBNZ expectations, sector obligations, OECD AI Principles), and cultural (Te Tiriti o Waitangi obligations, Māori data sovereignty, kaitiakitanga).
DELIVERABLE · Risk register with severity and likelihood
Step 03
Impact and likelihood scenario analysis
For each identified risk, our consultants assess potential impact across financial loss, reputational damage, regulatory enforcement by the Privacy Commissioner or sector regulators, customer and community harm, and cultural harm to Māori and Pacific communities. Scenario analysis shows what failure looks like and how it would cascade through your organisation.
DELIVERABLE · Heat map, scenario documentation, impact assessment
Step 04
Practical controls and mitigation
We design controls to reduce risk to acceptable levels: technical (model monitoring, bias testing, validation), process (approval workflows, human oversight, escalation), governance (policies, training, incident response), and cultural (iwi consultation processes, Māori data governance protocols). Recommendations are prioritised by severity, feasibility, and alignment with existing governance.
DELIVERABLE · Control framework, roadmap, residual risk assessment
Industry-specific risk drivers.
Our team tailors AI risk assessment to the regulatory and operational context of your industry. Every sector in Aotearoa has distinct risk drivers.
Sector
Financial services
The FMA has been actively studying AI adoption across asset management, banking, financial advice, and insurance. The RBNZ has identified vendor concentration, market distortion, and systemic risk from interconnected AI systems as key concerns. Our risk assessment addresses operational resilience under the CoFI Act, model risk management for credit and trading algorithms, and Fair Dealing provisions under the Financial Markets Conduct Act.
Sector
Healthcare
Healthcare AI carries unique risks around patient safety, clinical accuracy, and health information privacy. We assess against the Health Information Privacy Code 2020, Medsafe Software as a Medical Device classification, and the Code of Health and Disability Services Consumers' Rights. Research from Waitematā Healthcare has shown that international AI frameworks are inappropriate for Aotearoa's healthcare context.
Sector
Government and public sector
Government agencies face overlapping obligations under the Public Service AI Framework, Privacy Act 2020, Government Procurement Rules, the Algorithm Charter for Aotearoa, and Te Tiriti o Waitangi requirements. Our risk assessment helps agencies evaluate AI systems against all relevant frameworks simultaneously.
Sector
Technology and SaaS
Auckland's growing technology sector is both developing and deploying AI at pace. Technology businesses need risk assessment that considers Privacy Act obligations for AI products, intellectual property implications, bias in AI outputs, and the governance expectations of enterprise and government customers.
Frequently asked questions.
How is AI risk assessment different from standard risk assessment?
AI introduces unique risk categories that traditional frameworks miss: algorithmic bias, explainability requirements, training data quality, model drift, vendor concentration, and cultural impacts on Māori and Pacific communities. In New Zealand, risk assessment must also account for Privacy Act 2020 compliance across automated decision-making, Te Tiriti obligations, and the expectations of sector regulators like the FMA and RBNZ. Our team assesses these alongside standard operational and regulatory risks.
Do we need a risk assessment for every artificial intelligence system?
A risk-based approach is appropriate, consistent with New Zealand's light-touch regulatory philosophy. High-risk systems that make significant decisions about individuals, process sensitive personal information, or affect vulnerable populations need comprehensive assessment. Lower-risk productivity tools need lighter-touch review. Our consultants help you categorise systems appropriately and match assessment rigour to actual risk levels.
How long does an AI risk assessment take?
It depends on system complexity and the breadth of assessment required. Simple vendor-provided tools can be assessed in one to two weeks. Custom-built systems with sensitive use cases, cross-border data flows, or Māori data sovereignty considerations may take four to six weeks. We scope every assessment based on the risk level, complexity, and regulatory context specific to your organisation.
Can you assess AI systems we are procuring, not just building?
Yes. The majority of AI risk assessment work in New Zealand is for vendor-provided tools, from large platforms to specialised solutions. We assess based on vendor documentation, contracts, security questionnaires, and data processing agreements, identifying what additional information or contractual protections your organisation needs before deployment.
How does risk assessment relate to ISO 42001 certification?
ISO 42001 requires systematic AI risk assessment as a core component of an AI Management System. Our risk assessment methodology aligns with the standard's requirements, which means the outputs can feed directly into an ISO 42001 certification programme. For organisations in Auckland, Wellington, and Christchurch pursuing certification, this creates a clear pathway from initial risk assessment through to formal certification.
Related services.
Risk assessment is rarely the end of the work. These services close out the next layer.
Ready to understand your AI risks?
Schedule a consultation with our team to discuss your AI systems and receive a risk assessment tailored to New Zealand's regulatory landscape, Te Tiriti obligations, and your organisation's specific context.