Blog

AI Risk Assessments: A One-Page Method for SMBs

July 2026 · 6 min read · AI Strategy

A single-page AI risk assessment sheet beside a shield with a tick, brand illustration
← Back to all posts

Most Australian small businesses adopt AI tools faster than they document the risks. A team starts using Claude to draft client emails, summarise contracts, or triage support tickets, and the tooling spreads before anyone writes down what could go wrong. A formal risk assessment sounds like a job for a compliance department you do not have. It is not. A useful AI risk assessment for a business under 50 staff fits on a single page, and you can build the first version in an afternoon.

Why one page beats a forty-page framework

Frameworks like ISO 42001 and the Australian Government's Voluntary AI Safety Standard are worth reading, but they are written for organisations with dedicated governance teams. For a ten-person firm, a forty-page document has a predictable fate: it gets written once, filed, and never opened again. A one-page assessment survives because people actually use it. It forces you to answer the questions that matter without burying them in process.

The goal is not to satisfy an auditor. It is to make sure that before a staff member puts client data into an AI tool, someone has thought about where that data goes, who can see the output, and what happens when the tool gets something wrong. Those three questions cover most of the real exposure a small business carries.

The one-page method

Build a table with one row per AI use case. A use case is a specific job an AI tool does in your business, not the tool itself. “Claude drafts first-pass responses to customer complaints” is a use case. “We use Claude” is not. Keep each row to a single line so the whole thing stays on one page. For each use case, fill in these columns:

  • What it does: the task in plain words, and which tool performs it.

  • Data involved: what information goes in and comes out. Flag anything that is personal information under the Privacy Act, or commercially sensitive.

  • Who checks the output: the named person or role responsible for reviewing before anything reaches a client or goes on the record.

  • Worst realistic failure: the most likely thing that goes wrong, not the most dramatic. A wrong figure in a quote is more probable than a data breach, and cheaper to prevent.

  • Control: the one safeguard that reduces the risk. Usually a human review step, a restriction on what data is allowed in, or a limit on what the tool can send.

A worked row

Say a Sydney conveyancing firm uses Claude to condense long contracts. The row reads: the task is contract summarisation in Claude; the data is client contracts, which contain personal information; the reviewing solicitor checks every summary against the source; the worst realistic failure is a missed clause leading to wrong advice; the control is that summaries are treated as a first read, never the basis for advice on their own. That single row does more for the firm than a policy binder, because it names who is accountable and what they must do.

Costing the risk in dollars

Risk assessments feel abstract until you attach a number. A mid-sized breach of personal information in Australia can cost a small business well beyond $45,000 once you count notification, remediation, lost clients, and staff time. The OAIC can pursue serious or repeated interferences with privacy, and the penalties under the reformed Privacy Act are not trivial. Set against that, the cost of a review step, a short paragraph of staff guidance, and a restriction on what data enters a tool is close to nothing. The one-page assessment is where you make that trade visible.

Keeping it current with Claude

The reason most risk documents go stale is that updating them is a chore nobody owns. This is a job worth handing to Claude. Point it at your one-page assessment and your current list of AI tools, and ask it to flag use cases that have changed, tools that have been added without a row, and controls that no longer match how the team actually works. Run that check monthly. A five-minute review keeps the page honest, which is the entire point of writing it.

Claude can also draft the first version from a short interview. Describe how your business uses AI in a few sentences and it will propose the rows, the likely data-sensitivity flags, and sensible controls for you to accept or change. You keep judgement over what matters, and the tool removes the blank-page problem that stops most firms from starting.

What a good assessment does not do

A one-page assessment is a working tool, not a shield. It will not make your AI use compliant on its own, and it does not replace legal advice on the Privacy Act or sector rules such as APRA's obligations for financial firms. Two failure modes are common:

  • Writing it once and forgetting it. An assessment that does not match this month's tools is worse than none, because it creates false confidence.

  • Listing tools instead of use cases. “We use three AI tools” tells you nothing about risk. “Claude drafts client-facing quotes without a review step” tells you exactly where to look.

If you want a hand building your first assessment, or a second opinion on the one you already have, we run short AI risk sessions for Australian businesses. You can book a time to talk it through. The aim is simple: a single page your team will actually use, current with how you work, and clear about who is accountable when a tool gets something wrong.

Ready to move from AI pilot to production?

We help mid-market Australian businesses deploy AI automations that actually reach production and deliver measurable ROI.