A member of your operations team has been summarising client contracts using a free AI tool for six months. They meant well and they were faster. Nobody told them not to. Then a client asks you a direct question: what AI tools are you using with our data, and how are you managing the risk? You do not have a clean answer. You do not have a list. You are not even certain which tools your team has been using or what data has gone into them.
That gap is what an AI risk register closes.
What is an AI risk register?
An AI risk register is a shared, living document that logs every AI tool your business uses, what data goes into each one, what could go wrong, who owns each risk, and what controls are in place. For a firm of 5 to 50 people, a single shared spreadsheet reviewed quarterly is all this needs to be. One row per use-case or tool.
Ten columns cover the usual range of situations:
- Use-case or process: the specific activity, for example, “drafting client emails with ChatGPT” or “summarising client files with Microsoft Copilot”
- Tool and vendor: the named product and account type, whether free, enterprise, or tenant-bound
- Data involved: personal data, special category data, client confidential information, internal financials
- Risk description: what could go wrong, in plain English
- Impact rating: High, Medium, or Low, covering privacy, financial, operational, and reputational harm
- Likelihood rating: based on how often the process runs and how many staff use it
- Owner: a named person, not a department
- Mitigations and controls: specific steps already taken or planned
- Status: open, in progress, or accepted
- Last review date and triggers: when it was last reviewed, and what would prompt an unplanned review
This structure is drawn from ICO and NCSC guidance, adapted for small-business scale.
Why does your business actually need one?
The ICO requires organisations using AI to process personal data to identify, assess, and document risks. The UK government’s hidden AI risks toolkit recommends a structured risk log as a basic safeguard for any AI rollout. A 2023 KPMG survey found 80 per cent of UK businesses using generative AI had data security concerns, but fewer than half had formal governance frameworks in place.
This obligation is not limited to large companies or technology firms. The ICO’s position is clear: if you use AI to process personal data, you need to show your working. A spreadsheet is evidence. A vague policy statement is not.
Enforcement has already happened. In October 2023, the ICO issued an enforcement notice against Snap over its My AI chatbot, finding the company had failed to properly assess the risks its AI posed to UK children’s data. In 2020 and 2021, the Ofqual grading algorithm was abandoned after widespread reports of unfair bias. The subsequent inquiry found insufficient impact assessment and governance. UK regulators now cite that case regularly when explaining what AI accountability requires in practice.
If you serve any EU customers, the EU AI Act adds further obligations. High-risk AI systems require risk management documentation and incident logging, with fines reaching up to €35 million or 7 per cent of global turnover for serious breaches. A UK firm selling services into the EU is not exempt.
Where will you actually encounter the need for one?
Three situations tend to force the issue: a client or prospect asks about your data practices before signing, a member of staff uses a free AI tool with client information in it, or a regulatory inquiry arrives and you have no documentation. Each time, firms with a register reach for it. Firms without one spend days reconstructing from memory.
The register also shows up proactively when you are deciding whether to activate Microsoft 365 Copilot across the team, or when you are vetting a new AI tool for client-facing work. Having a standard log means the decision gets made consistently, not differently depending on who is in the room that day.
Building the register takes five steps, in this order.
First, map what AI your team already uses, including browser extensions, free personal accounts, and AI features embedded in existing SaaS. A 45-minute team workshop per function covers this. Ask three questions: what tools do you use, what data goes into them, and what decisions do you rely on the outputs for?
Second, choose 3 to 10 priority use-cases to assess first. The ICO recommends focusing on processing that involves sensitive data, automated decisions, or outcomes that significantly affect individuals. For a typical services firm, this cluster includes client-facing communications, processing of personal data, and any financial or hiring decisions involving AI.
Third, for each use-case, name the risks in plain business language and assign a named owner. The UK government’s toolkit stresses that ownership must sit with a person, not a department, with clear feedback channels so staff can flag problems when they see them.
Fourth, rate impact and likelihood on a three-level scale. Anything involving special category data (health, ethnicity, religion, sexual orientation), children’s data, or significant decisions about individuals is at least Medium-High impact under UK GDPR, regardless of how unlikely a breach seems.
Fifth, set a quarterly review date and name your three triggers for an unplanned review: a new AI vendor or major feature update, a near-miss incident, or a relevant regulatory change affecting your sector.
When is a full register overkill, and when must you have it?
For a firm using only AI embedded in well-governed, mainstream software, with no personal data processing beyond what existing DPIAs already cover, a short section in your current risk register is enough. A full AI register is needed when your team uses generative AI with client data, makes client-affecting decisions with AI assistance, or operates in a regulated sector.
The proportionality point matters. ICO guidance acknowledges that a separate AI-specific register may be disproportionate for a firm whose AI use is genuinely minimal. Adding a short section on AI to your existing business risk register is a legitimate alternative if the exposure is limited.
The useful test is practical rather than regulatory: can any member of your team paste a client file into a public AI tool in ten seconds without anyone knowing? If yes, you need the register. The risk is live whether or not you have formalised it.
For firms under FCA supervision, or those running legal, healthcare, or financial advice services, the bar is different again. The FCA has been clear that existing principles around skill, care, and treating customers fairly apply to AI-driven processes just as they do to human ones. Adequate systems and controls are required, and a risk register is part of that evidence base.
What else should connect to your AI risk register?
The register works best when it sits inside a small connected system rather than in isolation. A one-page acceptable use policy points staff to the register as the authority. Vendor due diligence notes attach to register entries when you onboard a new tool. Training examples drawn from register entries make guidance specific enough for staff to recognise in their daily work.
DPIAs connect directly. If a register entry reaches High impact under UK GDPR, a Data Protection Impact Assessment is required. The DPIA documents the risk in more depth and determines whether residual risks are acceptable. The register is the early-warning mechanism; the DPIA is the formal assessment that follows when a high-risk entry demands it.
A data classification policy, which labels your information as Public, Internal, Confidential, or Restricted, determines what can go into which AI tool. Those rules belong in the register’s Mitigations column, not only in a separate document that staff may never open.
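As an added illustration (not code from the article or from any of the bodies it cites), the following Python sketch models one register row per tool with the ten columns listed earlier and applies the rules the text describes: the impact floor for special category, children's or significant-decision data, the DPIA trigger for High-impact entries, the quarterly review with named unplanned-review triggers, and the classification rule that decides which data may go into which tool. The classification-to-account-type mapping, the 91-day review period and treating the floor as High are assumptions made here for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

SPECIAL_CATEGORY = {"health", "ethnicity", "religion", "sexual orientation"}
FORCED_HIGH = SPECIAL_CATEGORY | {"children", "significant decision"}
# Assumed mapping: which account types may receive each classification label
ALLOWED_ACCOUNTS = {
    "Public": {"free", "enterprise", "tenant-bound"},
    "Internal": {"enterprise", "tenant-bound"},
    "Confidential": {"tenant-bound"},
    "Restricted": set(),
}
REVIEW_PERIOD = timedelta(days=91)  # quarterly (assumed length)
TRIGGERS = {"vendor change", "near miss", "regulatory change"}

@dataclass
class Entry:                 # one register row: the ten columns
    use_case: str
    tool: str
    account_type: str        # free | enterprise | tenant-bound
    data_involved: set       # e.g. {"personal", "health", "client confidential"}
    classification: str      # Public | Internal | Confidential | Restricted
    risk: str
    impact: str              # High | Medium | Low, as rated by the owner
    likelihood: str
    owner: str               # a named person, not a department
    mitigations: list
    status: str              # open | in progress | accepted
    last_review: date

def effective_impact(e):
    # Floor: special category, children's or significant-decision data is High (assumed reading of "at least Medium-High")
    return "High" if e.data_involved & FORCED_HIGH else e.impact

def dpia_required(e):        # High impact under UK GDPR means a DPIA is needed
    return effective_impact(e) == "High"

def tool_allowed(e):         # the classification rule lives in the register itself
    return e.account_type in ALLOWED_ACCOUNTS[e.classification]

def review_due(e, today, fired=()):
    # Quarterly review, or an unplanned one when a named trigger has fired
    return today - e.last_review > REVIEW_PERIOD or bool(TRIGGERS & set(fired))

def audit(entries, today, fired=()):
    """One finding per problem so the register can be walked row by row."""
    checks = [(lambda e: not tool_allowed(e), "classified data in a weaker account type"),
              (dpia_required, "High impact, DPIA required"),
              (lambda e: review_due(e, today, fired), "review overdue or triggered")]
    return [f"{e.use_case}: {msg}" for e in entries for ok, msg in checks if ok(e)]
```

Running `audit` over the whole register each quarter gives the list of rows that need attention before the review meeting.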
Together, these four documents form the minimum proportionate governance layer for a UK small business scaling AI use: the risk register, an acceptable use policy, DPIA records for high-risk processing, and a data classification scheme. None of them requires outside help to build. All four together take a working week to put in place and a morning per quarter to maintain.
If your team is already using AI and you have none of these in place, the register is the right place to start. The others follow naturally from what you find inside it.