Impact Assessment

Purpose

This process ensures we systematically evaluate how AI systems affect the people and organizations that interact with them, enabling informed decision-making and responsible AI deployment. It defines the process for assessing potential positive and negative impacts to ensure that affected parties are considered and appropriate actions can be taken to capitalize on positive impacts while mitigating negative ones.

Scope

This process to all AI systems built or used by Rygen, including:

  • X1 Platform (IPaaS AI capabilities)
  • Corsair (TMS AI features)
  • Internal tools

Assessment Triggers

  • New AI system development
  • Significant modifications to existing AI systems
  • Change in deployment context or user base
  • New client onboarding with unique AI feature usage
  • Regulatory or jurisdictional changes

Impact Categories

To ensure a comprehensive assessment, we evaluate impacts across three main categories. For each AI system, the specific individuals and groups are identified by answering the guiding questions below.

Individual Impacts

This category focuses on the direct and indirect effects on individuals. The goal is to identify all roles that are touched by the AI system’s lifecycle.

Guiding Questions for Identification:

  • Direct Users: Who will directly interact with the AI system (e.g., inputting data, viewing outputs, making decisions based on its recommendations)?
  • Affected Parties: Whose work, tasks, or environment will be altered by the system’s operation, even if they never log into it?
  • Data Subjects: Are there individuals whose data is being processed by the system?

Once identified, assess potential impacts such as job efficiency, decision-making autonomy, skill requirements, work satisfaction, and privacy.

Group Impacts

Guiding Questions for Identification:

  • Customer Organizations: How does the system impact the client’s business operations, finances, or competitive standing?
  • Internal Teams: What is the impact on our own internal teams at Rygen (e.g., support, DevOps, security, product)?
  • Functional Roles: Are there specific classes of professional roles (like dispatchers, financial analysts, or compliance officers) that will be broadly affected?

Once identified, assess potential impacts like operational efficiency, competitive advantages, resource costs, liability exposure, and reputational risks or benefits.

Societal Impacts

While our enterprise software often has indirect societal impact, we consider the measurable, second-order effects our systems could have. This assessment is done on a case-by-case basis.

Areas for Consideration:

  • Supply Chain Efficiency: Does the system contribute to broader improvements in the supply chain community or for consumers?
  • Environmental Impact: Can we measure effects on resource consumption (e.g., reduced carbon emissions from route optimization)?
  • Safety: Could the system affect safety outcomes for workers, operators, or the public? This includes both intended use (e.g., safer routing recommendations) and foreseeable misuse (e.g., over-reliance on AI recommendations in safety-critical situations).
  • Industry Standards: Does the system help establish responsible AI practices that could influence the logistics technology industry?
  • Economic Efficiency: Does the system contribute to overall economic productivity by reducing waste or improving operations?

Safety-Specific Guiding Questions:

When assessing safety as a societal impact, consider:

  • Intended Use: What are the potential safety benefits or risks when the system operates as designed? (e.g., optimized routing that avoids hazardous conditions)
  • Foreseeable Misuse: How might the system be misused in ways that create safety risks? (e.g., ignoring AI-generated safety warnings, applying recommendations beyond their validated context)
  • Failure Modes: If the system fails or produces incorrect outputs, what are the safety implications for workers, operators, or the public?
  • Human Oversight: Are there adequate safeguards to ensure human review of safety-critical AI recommendations?

Assessment Process

Phase 1: System Context Analysis

  1. Document AI system purpose and capabilities
  2. Identify intended use cases
  3. Analyze foreseeable misuse scenarios, including:
    • Intentional misuse (e.g., manipulating inputs to generate unsafe outputs)
    • Unintentional misuse (e.g., applying AI recommendations outside designed operational boundaries)
    • Safety-critical failures (e.g., over-reliance on AI in situations requiring human judgment)
  4. Document technical context (architecture, integration points)
  5. Document societal context (business environment, user sophistication)
  6. Identify applicable jurisdictions

Phase 2: Stakeholder Identification

  1. Direct users: Client employees using the AI system
  2. Affected parties: Others impacted by AI outputs (drivers, warehouse staff)
  3. Groups: Client organizations, supply chain roles, Rygen
  4. Society: We assess applicable societal impacts on a case-by-case basis, focusing on measurable, second-order effects such as environmental efficiency and the establishment of industry standards.

Phase 3: Consequence Assessment

For each stakeholder category, identify and document:

Positive Consequences

  • Efficiency improvements
  • Better decision-making support
  • Reduced errors
  • Competitive advantages
  • Time and cost savings
  • Enhanced safety outcomes (e.g., safer routing, improved hazard awareness)

Negative Consequences

  • Over-reliance on AI recommendations
  • Changes to job roles or skills
  • Increased complexity
  • Potential for automation bias
  • Privacy concerns (if applicable)
  • Safety risks from system failures or misuse (e.g., incorrect routing in hazardous conditions, degraded human oversight)

Phase 4: Documentation

  1. Complete Impact Assessment Report using standard template
  2. Review with appropriate stakeholders
  3. File in AIMS documentation system
  4. Provide results to Risk Assessment process

Integration with Risk Assessment Process

Impact assessment results are a mandatory input to the risk management process (AI-008). This integration ensures that all identified impacts on individuals, groups, and society are systematically evaluated for risk treatment.

Mandatory Evaluation Requirement

All negative impacts identified in Phase 3 (Consequence Assessment) MUST be evaluated in a subsequent risk assessment. This ensures no potential harm to stakeholders is overlooked in our risk management process.

For each negative consequence identified:

  1. Risk Evaluation: Assess likelihood and impact using the scales defined in AI-008
  2. Risk Treatment Decision: Determine appropriate treatment strategy (Accept, Mitigate, Avoid, Transfer)
  3. Documentation: Record the evaluation outcome in the risk register or exclusion log

Exclusion Justification Requirement

If a negative impact is not included in the risk register, a written justification must be documented. Valid reasons for exclusion include:

  • Negligible Risk Level: The combination of likelihood and impact results in a risk score below the monitoring threshold (Very Low, score 1-2)
  • Existing Control Coverage: The impact is already addressed by an existing risk entry with adequate controls
  • Out of Scope: The impact falls outside the boundaries defined in the AIMS scope (requires documented rationale)

Exclusion justifications must be:

  • Documented in the Impact Assessment Report
  • Reviewed and approved by the Principal AI Engineer
  • Retained for audit purposes

Information Flow to Risk Assessment

The following information flows from impact assessment to risk assessment:

  1. Negative consequences identified become candidate risks in the risk register
  2. Severity of consequences informs risk impact scoring
  3. Stakeholder context enriches risk identification and analysis
  4. Positive consequences may inform opportunity assessment (optional)

Traceability Requirements

To ensure accountability and auditability, a clear traceability chain must be maintained between impact assessment findings and risk register entries.

Traceability Matrix

Each Impact Assessment Report must include a traceability matrix documenting the disposition of all negative impacts:

Impact IDDescriptionRisk Register EntryDispositionJustification (if excluded)
IMP-001ExampleRISK-XXXIncluded
IMP-002ExampleExcludedBelow monitoring threshold

Required Elements

The traceability documentation must include:

  1. Unique Impact ID: Reference number linking to the consequence assessment
  2. Impact Description: Brief summary of the negative consequence
  3. Risk Register Entry: If included, the corresponding risk ID from the risk register
  4. Disposition: Either “Included” (in risk register) or “Excluded” (with justification)
  5. Justification: For excluded impacts, the documented rationale per the exclusion criteria above

Verification

During management review (per AI-003), the AI Governance Committee shall verify that:

  • All negative impacts have a documented disposition
  • Exclusion justifications are appropriate and approved
  • Risk register entries appropriately reflect impact assessment findings

Revision History

VersionDateAuthorSummary of Change
1.02025-06-05Field BradleyInitial draft.
1.12025-09-02Field BradleyMigrated to markdown and gitlab
1.22025-09-10Field BradleyImproved guidance for assessing individuals, groups, and society
1.32026-01-13Field BradleyFormalized impact-to-risk linkage with mandatory evaluation, exclusion justification requirements, and traceability matrix
1.42026-01-13Field BradleyAdded explicit safety assessment as societal impact per ISO 42001 clauses 6.1.4 and A.5.5