4 Context                               

• 4.1 The organization and its context
• 4.2 Needs and expectations of stakeholders
• 4.3 Scope of the AIMS
• 4.4 AIMS

4.1 The organization and its context

External and internal issues that can influence the AIMS

Requirements 1 to 4 (see also the quiz)

The two most important things in a company do not appear in its balance sheet: its reputation and its people. Henry Ford

To successfully implement an artificial intelligence management systemset of processes allowing objectives to be achieved (see also ISO 9000, 3.5.3), it is necessary to understand and assess everything that can influence the purpose and performancemeasurable and expected results of the management system (see also ISO 9000, 3.7.8) of the organizationa structure that satisfies a need (see also ISO 9000, 3.2.1)  . An example of determining the issues is given in sub-clause 5.4.1 of ISO 31000. It is advisable to engage in in-depth reflection after a few essential activities:

• draw up an in-depth diagnosis of the unique context in which the organization finds itself, taking into account the issues:
  • external, such as the environment:
    • social
    • regulatory (GDPR, uses of AI prohibited by the AI Act)
    • economic (market opportunities related to the uses of AI)
    • political
    • technological
    • natural
  • internal, such as:
    • specific aspects of corporate culture:
      • vision
      • reason to exist, purpose and mission
      • core values
      • ethical expectations, perception of the AI system
    • staff
    • products and services
    • processes, policies, procedures, instructions, objectives
    • infrastructure
    • contractual obligations towards partners and customers
• monitor and review regularly all information relating to external and internal issues
• determine if climate change is a relevant issue (energy footprint of the AI models used)
• analyze the factors that may influence the achievement of the organization's objectives
• clarify your roles with respect to the AI system (are you a developer, supplier, integrator, or user?)

Each issue is identified by its level of influence and control. Priority is given to issues that are very influential and not at all under control. External and internal issues, cf. D 08v23. 

PESTEL and SWOT analyses (our strengths and weaknesses, opportunities and threats) can be useful for a relevant analysis of the context of the organization (cf. annex 05). A SWOT analysis helps to understand our business environment. It also allows us to identify internal and external problems, which could have an impact on artificial intelligence. 

Examples of roles:

• AI model developer (design a recommendation engine). Document training data, measure biases, and provide performance guarantees
• AI solution provider (integrate a recommendation engine into their product). Manage contracts, inform customers of limitations, and provide support in case of model deviations
• integrator (deploy the AI solution at a customer site). Ensure compatibility with existing systems and contractual obligations
• business user (analyze credit risks in a bank using an AI application). Ensure usage remains compliant with legal requirements (e.g., prohibition of discrimination)
• end user (the customer interacting with the AI system). While their role is less formalized, it must be considered in the impact and expectations analysis
   

Minute of relaxation. Game: Context of the company

• diagnosis of the context includes the main external and internal issues
• the core values as part of the corporate culture are taken into account in the context of the company
• the results of the context analysis are widely diffused
• the SWOT analysis includes many relevant examples
• the SWOT analysis is a powerful tool for identifying the main threats and opportunities

• the issues of the context of the company, such as the competitive environment, are not taken into account
• in some cases, the corporate culture is not taken into account
• risk analysis does not take into account strategic issues
• no clear link between the SWOT analysis and the actions undertaken

Top of the page

4.2 Needs and expectations of stakeholders

Understand the requirements of stakeholders

Requirements 5 to 7

There is only one valid definition of a business purpose: to create a customer. Peter Drucker

To understand the needs and expectations of stakeholdersperson, group or organization that can affect or be affected by a company (see also ISO 26000, 2.20), we must begin by determining those who may be affected by the artificial intelligence management system, for example:

• employees
• top management
• customers
• external providers (suppliers, subcontractors, consultants)
• owners
• shareholders
• bankers
• distributors
• competitors
• citizens
• neighbors
• social and political organizations

The list of stakeholdersperson, group or organization that can affect or be affected by a company (see also ISO 26000, 2.20) is created by a multidisciplinary team. Every stakeholderperson, group or organization that can affect or be affected by a company (see also ISO 26000, 2.20) is determind by its level of influence and control. Priority is given to stakeholdersperson, group or organization that can affect or be affected by a company (see also ISO 26000, 2.20) with great influence and poor control. List of stakeholders, cf. D 08v23. 

Some stakeholdersperson, group or organization that can affect or be affected by a company (see also ISO 26000, 2.20) may also formulate expectations or requirementsexplicit or implicit need or expectation (see also ISO 9000, 3.6.4) related to climate change.

The requirements of stakeholdersperson, group or organization that can affect or be affected by a company (see also ISO 26000, 2.20), which change over time, are reviewed regularly (see the Maintain regulatory watch process).  

Anticipating the reasonable and relevant needs and expectations of stakeholdersperson, group or organization that can affect or be affected by a company (see also ISO 26000, 2.20) involves:

• meeting the requirements of the AIMS
• preparing to address risks
• seizing improvement opportunities

When a requirementexplicit or implicit need or expectation (see also ISO 9000, 3.6.4) is accepted, it becomes an internal requirementexplicit or implicit need or expectation (see also ISO 9000, 3.6.4) of the AIMSartificial intelligence management system.

Examples of expectations:

• customers and end users (expectations regarding security, transparency, and performance)
• a customer may request explainable AI (transparency)
• employees (training, acceptability, working conditions with AI)
• a team may require an internal charter for responsible use
• regulatory authorities (legal and ethical compliance)
• an authority may mandate the retention of audit logs
• partners and suppliers (contractual guarantees, interoperability)

In ISO 42001, Annexes C and D illustrate how to understand AIartificial intelligence riskslikelihood of occurrence of a threat or an opportunity (see also ISO Guide 73, 1.1) and the various areas of application.

• the list of stakeholders is updated
• the needs and expectations of stakeholders are established through meetings on-site, surveys, roundtables and meetings (monthly or frequent)
• the application of statutory and regulatory requirements is a prevention approach and not a constraint

• statutory and regulatory requirements are not taken into account
• the delivery time is not validated by the customer
• the expectations of stakeholders are not determined
• the list of stakeholders does not contain their area of activity

Top of the page

4.3 Scope of the AIMS

Define the scope of the AIMS

Requirements 8 to 12

In many areas, the winner is the one who is best informed. André Muller

The scope (or in other words, the perimeter) of the artificial intelligence management system is defined and validated by top managementgroup or persons in charge of the organizational control at the highest level (see also ISO 9000, 3.1.1).

The Statement of Applicability - SoA (cf. sub-clause 6.1.3 and annex 07) allows us to: 

• determine what is or is not part of the AIMS
• identify and update the controls to be applied
• answer the questions for each control:
  • what needs to be done?
  • why?
  • how?
  • what is its status?
• plan and audit the AIMS

Each control of the statement of applicabilitydocument describing the objectives and security controls is directly linked to the treatment of a risklikelihood of occurrence of a threat or an opportunity (see also ISO Guide 73, 1.1).

To properly determine the scope of the AIMSartificial intelligence management system, the specificities of the context of the organizationa structure that satisfies a need (see also ISO 9000, 3.2.1)   are taken into account such as:

• the issues related to AI (see sub-clause 4.1)
• the activities of the organization, including support
• corporate culture
• the environment:
  • social
  • financial
  • technological
  • economical
• the requirements of the stakeholders (see sub-clause 4.2)
• outsourced processes

The Scope of the AIMS is available, cf. D 08v23. It includes the scope (limits and interfaces): 

• of the organization:
  • AI system
  • products
  • services
  • activities
• information and communication:
  • software design and development
  • maintenance
• physical:
  • head office
  • subsidiaries

• the scope is relevant and available upon request
• non applicable requirements are justified in writing
• a department not included in the scope is treated as a supplier with all the consequences (contract, confidentiality agreement, performance monitoring)

• some products are outside the scope of the AIMS without justification
• the scope is obsolete (a new subsidiary is not included)
• the scope is not validadted by top management
• the scope of the AIMS procedure is classified as confidential

Top of the page

4.4 AIMS

AIMS requirements, processes and interactions

Requirement 13

The requirementsexplicit or implicit need or expectation (see also ISO 9000, 3.6.4) of the ISO 42001 standard are integrated in the AIMSartificial intelligence management system.

To do this:

• the artificial intelligence management system is:
  • planned (see the Plan the AIMS process, cf. D 08v23)  
  • established
  • documented (a simple and sufficient documentary system is in place)
  • set up and
  • continually improved
• the AI policy, objectives, resources and working environment are determined
• threats are determined and actions to reduce them are established (see sub-clause 6.1)
• the essential processes necessary for the AIMS are controlled (cf. the process Establish process ownership):  
  • the corresponding resources assured
  • the determined input and output elements
  • the necessary information available
  • the appointed owners (responsibilities and authorities defined)
  • determined sequences and interactions
  • each process is measured and monitored (criteria established), objectives are established and performance indicators analyzed
  • process performance is evaluated
  • necessary changes are introduced to achieve expected results
  • actions to obtain the continual improvement of processes are established
• the strict minimum necessary ("as much as necessary") of Documents on the processes is maintained and retained (  )

The AIartificial intelligence manual is not a requirementexplicit or implicit need or expectation (see also ISO 9000, 3.6.4) of the ISO 42001 standard, but it is always a possible method to present the organizationa structure that satisfies a need (see also ISO 9000, 3.2.1)  , its AIMSartificial intelligence management system and its proceduresdocument describing the to carry out a process (see also ISO 9000, 3.4.5 and documented information), policies and processesactivities that transform inputs into outputs (see also ISO 9000, 3.4.1) (cf. annex 08). 

The ISO guide “The integrated use of management system standards” of 2018, contains relevant recommendations on the integration of management systems.

 Pitfalls to avoid:

• going overboard on quality: 
  • a useless operation is performed without adding value and without the customer asking for it - it is a waste, cf. quality tools D 12
• having all procedures written by the AI manager: 
  • artificial intelligence is everybody's business, "the staff is conscious of the relevance and importance of each to the contribution to AI objectives", which is even more true for department heads and process owners
• forgetting to take into account the specificities related to the corporate culture: 
  • innovation, luxury, secrecy, authoritarian management (Apple)
  •  strong culture related to ecology, action and struggle, while cultivating secrecy (Greenpeace)
  • fun and quirky corporate culture (Michel & Augustin)
  • liberated company, the man is good, love your customer, shared dream (Favi, cf. T 60)

The requirements of the ISO 42001 standard are shown in figures 4-1 and the dedicated page:

Figure 4-1. The requirements of the ISO 42001 standard

AI requirements concern:

• the risks of the organization:
  • threats to assets
  • the vulnerability and likelihood of occurrence
  • the consequences
• legal and contractual requirements
• the principles, objectives and responsible use of AI systems

• the process map has enough arrows to show who the customer (internal or external) is
• for a process, it is better to use a lot of arrows (several customers) rather than to forget one
• reveal the added value of the process during the process review
• the analysis of processes performance is an example of continual improvement evidence of the effectiveness of the AIMS
• top management regularly monitors the objectives and action plans
• the purpose of each process is clearly defined
• the commitments of  top management on continual improvement are widely diffused

• some process outputs are not set correctly (customers not considered)
• process efficiency criteria are not established
• the process owners are not formalized
• outsourced processes are not determined
• very real activities are not identified in any process
• control of outsourced services is not described
• sequences and interactions of certain processes are not determined
• criteria and methods for ensuring effective processes are not determined
• monitoring the effectiveness of certain processes is not established
• the AIMS resources do not allow achievement of AI objectives
• the AIMS is not updated (new processes are not determined)
• the threats and weaknesses identified in the SWOT analysis remain without actions

Top of the page

• Home
• My account
• Site map
• FAQ
• GTU