Today we apply everything from Days 7-10 to a comprehensive risk assessment scenario. Focus on risk-proportionate responses — ISACA wants measured, appropriate action, not maximum security.
Scenario: Healthcare organization deploying AI
Background: NorthStar Health is a regional hospital network deploying three AI systems:
1. DiagAssist — AI-assisted radiology diagnosis. Analyzes X-rays and CT scans, provides preliminary findings to radiologists. High-risk: affects patient care decisions.
3. BillBot — AI-automated medical billing. Codes procedures, identifies billing errors, submits claims. Medium-risk: financial and compliance implications.
The CISO has asked you to conduct a risk assessment for all three systems and recommend risk treatment strategies. The hospital has a conservative risk appetite, especially for patient safety. Budget for AI security controls is $300K for the fiscal year.
Scenario Question 1
You need to prioritize the risk assessment. Which system should be assessed FIRST?
**Risk-based prioritization.** DiagAssist directly affects patient safety, is subject to FDA medical device regulations, and aligns with the hospital's conservative risk appetite for patient care. Assess the highest-risk system first to ensure controls are in place or risks are known as quickly as possible.
Scenario Question 2
During the DiagAssist risk assessment, you discover the model was trained on data from a demographic that differs significantly from the hospital's patient population. The vendor says performance metrics are strong. What risk category does this PRIMARILY represent?
While all categories apply to some degree, this is **primarily an ethical/fairness risk.** Demographic mismatch in training data is the leading cause of AI bias in healthcare. A model trained predominantly on one demographic may miss diagnoses or produce false positives in underrepresented populations. This has direct patient safety implications.
Scenario Question 3
The SmartSchedule risk assessment identifies that the system has no fallback procedure if the AI becomes unavailable. Currently, 100% of scheduling goes through the AI. What is the MOST appropriate risk treatment?
**Mitigation through fallback.** A hospital can't stop scheduling patients if the AI fails. A manual fallback procedure is a proportionate control. Accepting the risk ignores operational impact. Transferring via SLA doesn't solve the availability problem. Reducing to 50% is disproportionate and operationally disruptive.
Scenario Question 4
The BillBot risk assessment reveals that the system occasionally miscodes procedures, resulting in overbilling. The error rate is 0.3% — lower than the human error rate of 1.2%. How should this risk be treated?
**Risk-proportionate treatment.** The AI is better than manual billing, but a 0.3% error rate in healthcare billing still carries compliance risk. Targeted controls (review high-value claims, audit for patterns) are proportionate. Reviewing 100% of claims negates the AI's value. Accepting without controls ignores compliance obligations.
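The two targeted controls named in this answer, a value threshold for pre-submission human review and a pattern audit over already-adjudicated claims, can be expressed as simple rules. The following is an added example, not code from the course or from any billing product; the claim records, procedure codes (CODE_0 to CODE_2), dollar threshold and the "three times baseline" pattern trigger are all constructed assumptions chosen to illustrate the point.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Claim:
    claim_id: str
    procedure_code: str
    amount: float
    # Known only for claims that an auditor has already checked; None = not yet audited.
    miscoded: Optional[bool]


# Assumed control parameters (not from the scenario text).
HIGH_VALUE_THRESHOLD = 10_000.0   # claims at or above this amount get human review before submission
BASELINE_ERROR_RATE = 0.003       # the 0.3% AI miscode rate stated in the scenario
PATTERN_MULTIPLIER = 3.0          # a code is a "pattern" if its audited rate exceeds 3x baseline
MIN_AUDITED = 100                 # do not trust a per-code rate computed from fewer audited claims


def select_for_review(claims: List[Claim], threshold: float = HIGH_VALUE_THRESHOLD) -> List[str]:
    """Targeted control 1: route high-value claims to a human coder regardless of AI output."""
    return [c.claim_id for c in claims if c.amount >= threshold]


def review_fraction(claims: List[Claim], threshold: float = HIGH_VALUE_THRESHOLD) -> float:
    """Share of claims pulled into manual review; shows the control is far from 100% review."""
    return len(select_for_review(claims, threshold)) / len(claims)


def error_patterns(claims: List[Claim],
                   baseline: float = BASELINE_ERROR_RATE,
                   multiplier: float = PATTERN_MULTIPLIER,
                   min_audited: int = MIN_AUDITED) -> Dict[str, float]:
    """Targeted control 2: find procedure codes whose audited miscode rate is far above baseline.

    Returns {procedure_code: observed_rate} for codes that breach the pattern trigger
    and have enough audited claims for the rate to be meaningful.
    """
    audited = defaultdict(int)
    bad = defaultdict(int)
    for c in claims:
        if c.miscoded is None:
            continue  # unaudited claims carry no ground truth
        audited[c.procedure_code] += 1
        if c.miscoded:
            bad[c.procedure_code] += 1
    return {
        code: bad[code] / audited[code]
        for code in audited
        if audited[code] >= min_audited and bad[code] / audited[code] > baseline * multiplier
    }


def build_sample() -> List[Claim]:
    """Constructed sample: 1,000 claims, 600 already audited, 400 still pending."""
    claims = []
    for i in range(600):
        code = f"CODE_{i % 3}"           # 200 audited claims per code
        amount = 15_000.0 if i % 50 == 0 else 450.0
        if code == "CODE_1":
            miscoded = (i % 60 == 1)     # 10 of 200 audited -> 5%, a real pattern
        elif code == "CODE_0":
            miscoded = (i % 600 == 0)    # 1 of 200 -> 0.5%, within tolerance
        else:
            miscoded = False             # CODE_2 has no audited errors
        claims.append(Claim(f"C{i:04d}", code, amount, miscoded))
    for i in range(600, 1000):
        amount = 15_000.0 if i % 50 == 0 else 450.0
        claims.append(Claim(f"C{i:04d}", f"CODE_{i % 3}", amount, None))
    return claims


if __name__ == "__main__":
    sample = build_sample()
    print("claims routed to human review:", len(select_for_review(sample)))
    print("review fraction:", review_fraction(sample))
    print("procedure codes needing coder retraining / rule review:", error_patterns(sample))
```

On the constructed sample only 2% of claims are pulled into manual review, while the pattern audit still isolates the one procedure code whose error rate is an order of magnitude above the stated 0.3% baseline; that is the proportionate middle ground between reviewing everything and accepting the risk with no controls.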
Scenario Question 5
You need to allocate $300K across all three systems. DiagAssist needs monitoring, bias testing, and human oversight controls ($200K). SmartSchedule needs a fallback system ($50K). BillBot needs audit controls ($50K). This totals $300K exactly. A new regulation requires additional DiagAssist controls costing $75K. How do you proceed?
**Governance response.** Budget decisions with risk tradeoffs should be escalated with analysis, not made unilaterally. Present the options, the risk implications of each, and your recommendation. Leadership has the authority and accountability to make the resource allocation decision.
Scenario Question 6
The radiology department pushes back on human oversight controls for DiagAssist, arguing that the AI performs better than junior radiologists and oversight slows diagnostic throughput. What is the BEST response?
**Collaborative governance.** Don't override clinical expertise and don't abandon governance requirements. Find the implementation that satisfies both. Confidence-based oversight is actually a good approach, but it should emerge from **collaborative discussion,** not be imposed as a compromise.
Scenario Question 7
Six months post-deployment, DiagAssist's false negative rate for a specific condition has increased from 2% to 5% in one patient demographic. Monitoring detected this within two weeks. What is the MOST appropriate immediate action?
**Proportionate containment.** Adding mandatory human review for the specific condition and demographic maintains diagnostic capability while ensuring patient safety. Disabling for all patients is disproportionate. Disabling for one demographic raises equity concerns. Waiting for the vendor delays response.
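The monitoring that caught the drift in this question, and the containment scoped to one condition and one demographic, can be written as a stratified false-negative-rate check with a predefined threshold. This is an added example, not course material or vendor code; the condition and demographic labels (condition_X, group_A and so on), the 4% alert threshold and the minimum sample size are constructed assumptions, while the 2% baseline and 5% drifted rate come from the scenario.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Outcome:
    """One reviewed case: what the AI predicted and what the radiologist later confirmed."""
    condition: str
    demographic: str
    predicted_positive: bool
    actual_positive: bool


# Assumed monitoring parameters (not stated in the scenario).
BASELINE_FNR = 0.02    # validated false negative rate at deployment
ALERT_FNR = 0.04       # predefined threshold: breach triggers containment, no ad hoc judgement
MIN_POSITIVES = 50     # a rate computed from fewer confirmed positives is not acted on

Stratum = Tuple[str, str]  # (condition, demographic)


def false_negative_rates(outcomes: List[Outcome]) -> Dict[Stratum, Tuple[float, int]]:
    """Per (condition, demographic) stratum: (false negative rate, number of confirmed positives).

    FNR is computed over confirmed positives only: misses / positives.
    """
    positives = defaultdict(int)
    misses = defaultdict(int)
    for o in outcomes:
        if not o.actual_positive:
            continue
        key = (o.condition, o.demographic)
        positives[key] += 1
        if not o.predicted_positive:
            misses[key] += 1
    return {k: (misses[k] / positives[k], positives[k]) for k in positives}


def containment_actions(outcomes: List[Outcome],
                        alert_fnr: float = ALERT_FNR,
                        min_positives: int = MIN_POSITIVES) -> List[dict]:
    """Return the narrowly scoped actions a breach requires.

    Each action names exactly the condition and demographic that breached, so the
    response is mandatory human review for that slice, not a system-wide shutdown.
    """
    actions = []
    for (condition, demographic), (fnr, n) in sorted(false_negative_rates(outcomes).items()):
        if n < min_positives:
            continue  # too few confirmed positives to distinguish drift from noise
        if fnr > alert_fnr:
            actions.append({
                "condition": condition,
                "demographic": demographic,
                "fnr": round(fnr, 3),
                "baseline_fnr": BASELINE_FNR,
                "action": "mandatory_human_review",
            })
    return actions


def build_sample() -> List[Outcome]:
    """Constructed two-week window of reviewed cases mirroring the scenario."""
    def stratum(condition: str, demographic: str, positives: int, missed: int, negatives: int) -> List[Outcome]:
        cases = [Outcome(condition, demographic, predicted_positive=(i >= missed), actual_positive=True)
                 for i in range(positives)]
        cases += [Outcome(condition, demographic, predicted_positive=False, actual_positive=False)
                  for _ in range(negatives)]
        return cases

    sample = []
    sample += stratum("condition_X", "group_A", positives=200, missed=4, negatives=800)   # 2%: at baseline
    sample += stratum("condition_X", "group_B", positives=200, missed=10, negatives=800)  # 5%: the drift
    sample += stratum("condition_Y", "group_B", positives=200, missed=4, negatives=800)   # 2%: same group, other condition, fine
    sample += stratum("condition_X", "group_C", positives=20, missed=3, negatives=100)    # 15% but only 20 positives: not actionable yet
    return sample


if __name__ == "__main__":
    for action in containment_actions(build_sample()):
        print(action)
```

Two design points match the answer above: negatives are stored but never enter the FNR, so a flood of easy true negatives cannot mask missed diagnoses, and the minimum-sample rule stops a handful of cases in a small group from triggering containment before there is evidence of a real shift, while leaving the 5% stratum, with 200 confirmed positives, clearly flagged.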
Scenario Question 8
The hospital is considering purchasing a second AI diagnostic tool from a different vendor. From a risk management perspective, what is the PRIMARY benefit?
**Risk management perspective.** Vendor diversification reduces concentration risk — if one vendor has a failure, the other provides continuity. While accuracy improvement and demographic coverage are valid operational benefits, the exam asks for the **risk management** answer, which is concentration risk reduction.
Scenario Question 9
During the annual risk reassessment, you find that the overall AI risk posture has improved but two new risks have emerged: a new regulatory requirement and a newly discovered vulnerability in the ML framework used by BillBot. How should you report this to the board?
**Complete and balanced reporting.** The board needs the full picture: positive trends AND emerging risks. Omitting either is misleading. Include treatment plans to show that new risks are being managed — this demonstrates mature governance, not failure.
Scenario Question 10
NorthStar Health is merging with another hospital network that has no AI governance program but operates 12 AI systems. What is the FIRST risk management action post-merger?
**Inventory first.** Before you can assess risk, govern, or make decisions, you need to know what exists. Asset inventory and preliminary classification tell you what you have and which systems need urgent attention. This is the same principle as Day 1: you can't govern what you can't see.
Key ISACA risk management patterns
1. Risk-proportionate response. Match the severity of your response to the severity of the risk. Don't apply maximum security to every situation.
2. Process over judgment. Use predefined thresholds, documented procedures, and established governance processes — not individual ad hoc decisions.
3. Escalate with analysis. When decisions exceed your authority, escalate with complete analysis and recommendations — not just the problem.
4. Continuous assessment. AI risk changes over time. Assessment isn't a one-time activity — it's continuous with defined reassessment triggers.
5. Business alignment. Security controls serve business objectives. A control that prevents the business from operating defeats its purpose.
Day 11 Complete — Domain 2 Done
"ISACA wants proportionate response, not maximum security. Match your risk treatment to the actual risk level and always follow documented processes."