CAIA Academy
Beginner5 modulesAbout 2 hoursFree certificate

Introduction to
AI Risk Management

A plain-language, Caribbean-first introduction to governing artificial intelligence. No jargon, no fear, no computer science degree required. By the end you will know where AI risk hides, the frameworks the world actually uses, and exactly what to do on Monday morning.

What you will be able to do

  • Explain AI risk to a colleague or a board in plain words
  • Recognise the seven domains where AI risk shows up
  • Use the NIST framework and the EU AI Act risk tiers
  • Stand up a basic AI governance programme in 90 days
Adrian Dunkley

Taught by Adrian Dunkley

Founder and President, Caribbean AI Association

Module 1 · Why this matters · 4 min read

Start here

Let me tell you why this course exists. Across the Caribbean, artificial intelligence is already inside our banks, our hospitals, our classrooms, our call centres, and our government offices. Staff are using it whether or not anyone signed off on it. The tools are powerful and genuinely useful. They are also capable of quiet, expensive mistakes, and almost no one in the region has been taught how to spot those mistakes before they cause harm.

This course closes that gap. It is written for the ordinary professional, the manager, the public servant, the small business owner, the student. You do not need to code. You do not need mathematics. You need about two hours and a willingness to think clearly about a technology that is not going to slow down for us.

Why Caribbean-first

Most AI risk material is written for a Fortune 500 company in New York or a ministry in Brussels. Our reality is different. We run lean teams, we depend heavily on foreign vendors, our data protection laws are young, and our institutions are small enough that one bad AI decision can be felt across a whole community. This course takes the world's best thinking and translates it for that reality.

Work through the modules in order. Every lesson has something to click, drag, or try, because you learn governance by doing it, not by reading about it. At the end there is a thirty-question exam. Pass it with eighty percent and you earn a certificate signed by me, on behalf of the Association.

Module 1 · Why this matters · 6 min read

What AI risk actually means

Risk is not the same as danger, and it is not a reason to be afraid. In every serious profession, risk simply means the chance that something goes wrong, multiplied by how badly it would hurt if it did. A bank manages credit risk without refusing to lend. A pilot manages flight risk without refusing to fly. AI risk management works the same way. The goal is never to ban the technology. The goal is to capture its value while keeping the harm to a level you can live with.

So what could go wrong with AI? Broadly, three families of harm. The system can be wrong, confidently and invisibly. The system can be unfair, treating some people worse than others. And the system can be misused, leaking private information or being turned to a purpose no one intended. Good risk management is the discipline of finding those failures before your customers, your regulator, or the evening news finds them for you.

InteractiveMatch the everyday risk to the profession that manages it

Tap an item on the left, then tap its partner on the right.

The risk

Managed by

Notice the pattern. None of these professionals eliminate risk. They name it, measure it, and put controls around it so the benefit can flow safely. By the end of this course, AI will be one more risk you know how to handle, not a mystery you hope will behave.

Key takeaways

  • 1Risk means likelihood of harm times severity of harm. It is a normal part of using any powerful tool.
  • 2AI risk management captures value while keeping harm acceptable. It is not about banning AI.
  • 3The three big AI harms are being wrong, being unfair, and being misused.

Module 2 · Where risk hides · 7 min read

The seven places AI risk hides

You cannot manage a risk you cannot see, so the first real skill is knowing where to look. The most respected map of AI risk in the world comes from MIT. Their AI Risk Repository reviewed seventy-four separate frameworks and pulled more than seventeen hundred documented risks into a single structure. They found that almost every AI risk falls into one of seven domains. Learn these seven and you have a checklist you can run against any AI system, anywhere.

Use it as a checklist

Before your organisation adopts any AI tool, walk through these seven domains and ask, plainly, which of these could bite us here. Most tools will trip two or three. That short conversation is already more governance than most institutions in the region do today.

Module 2 · Where risk hides · 8 min read

The two you will meet first: bias and hallucination

Of the seven domains, two will land on your desk before any of the others. The first is bias. An AI system learns from data, and data is a photograph of the world as it was, unfairness included. Train a hiring tool on twenty years of a company's decisions and it will learn to prefer exactly the people that company already preferred. The machine is not being cruel. It is being obedient to a past we are trying to move beyond. That is why bias is a design and data problem, not a personality flaw in the software.

The second is hallucination. Generative AI does not look up facts. It predicts convincing text. Most of the time convincing and correct line up. Sometimes they do not, and the system will state a false thing with the same calm confidence it uses for the truth. It will invent a court case, a citation, a statistic, a policy clause. It does not know it is wrong, because it does not know anything in the way you do. Your job is to never let a confident answer skip the step of being checked.

InteractiveSpot the hallucination

One of these answers is invented (“hallucinated”). Which one? Round 1 of 2.

Now connect the harm to the fix. For every AI risk there is a practical control, and controls are where risk management stops being theory. Match each risk below to the control that most directly tames it.

InteractivePair each risk with the control that tames it

Tap an item on the left, then tap its partner on the right.

Risk

Control

Key takeaways

  • 1Bias is learned from data and design. Test outcomes across groups; do not assume fairness.
  • 2Hallucination is confident, invented output. Never act on an unchecked high-stakes answer.
  • 3Every risk has a matching control. Governance is the habit of pairing them.

Module 2 · Where risk hides · 7 min read

The risks we feel hardest: vendors and privacy

Two risks deserve special attention in our region because our circumstances sharpen them. The first is vendor risk. Very few Caribbean organisations build their own AI. We rent it from a handful of foreign giants. That is sensible, but it creates concentration risk. If a single provider changes its price, changes its terms, suffers an outage, or is cut off by an export rule in its home country, your operation can stop with no fallback and no warning. This is not hypothetical. Boards elsewhere have already been surprised by a model they depended on going dark overnight.

The single-vendor trap

If your answer to what happens if this provider disappears tomorrow is silence, you have a material risk sitting off your books. The fix is not to avoid vendors. It is to keep a fallback, read the contract, and have an exit plan before you need one.

The second is privacy. AI is hungry for data, and the fastest way to leak your organisation's secrets is for a well-meaning employee to paste a confidential document into a free public chatbot to summarise it. That data has now left your control. Several Caribbean nations, Jamaica, Barbados, Trinidad and Tobago among them, have Data Protection Acts, and AI does not create an exemption from them. If personal data is involved, local privacy law still applies in full, on top of any AI-specific care you take.

InteractiveA live decision: your team wants to use a new AI tool

A manager at a Kingston insurance firm asks to start using a free public AI chatbot to draft replies to customers. Some of those replies will include customers' names, policy numbers, and medical details.

What is the strongest first response?

Module 3 · The rulebooks · 7 min read

The framework the professionals use: NIST

You do not need to invent AI governance from scratch. Serious people have already built the rulebooks, and you only need to understand a few. The most useful starting point is the NIST AI Risk Management Framework, published by the United States National Institute of Standards and Technology. It is voluntary, free, respected worldwide, and refreshingly practical. It organises all of AI governance into four simple functions.

Read them as a loop, not a ladder. You govern always, you map a system, you measure its risks, you manage them, and then you keep going round as the system and the world change. Hold these four verbs in your head and you can walk into any AI project and know what questions to ask.

Risk also enters at specific moments in an AI system's life. Tap through the lifecycle below to see where.

DiagramWhere risk enters the AI lifecycle

The AI system lifecycle

ScopeDecide the useDataGather & prepareBuildTrain & testDeploy & monitorLive use????

Risk at Scope

Choosing the wrong use case. Using AI for a decision too sensitive to automate, like who receives emergency relief, is a risk you take before a single line of code is written.

Tap the marked points to learn what happens at each stage.

Module 3 · The rulebooks · 8 min read

The law with teeth: the EU AI Act risk tiers

If NIST is the friendly coach, the European Union's AI Act is the referee with a whistle. It is the world's first comprehensive AI law, and its big idea is beautifully simple. It does not regulate all AI the same way. It sorts every AI system into one of four tiers based on how much risk it poses to people, and the rules get stricter as the risk rises.

At the top sits unacceptable risk, which is simply banned, things like government social scoring of citizens. Below that is high risk, where the system affects people's rights or safety, such as deciding loans, jobs, or medical care. These are allowed but tightly controlled. Then limited risk, which mostly means you must be transparent, for example telling people they are talking to a bot. And at the bottom, minimal risk, the vast majority of everyday AI, which is left largely free.

InteractiveSort each system into its EU AI Act tier

Drag each card into the correct column, or tap a card then tap a column.

Unacceptable

Banned outright

High risk

Allowed but tightly controlled

Limited

Mainly transparency duties

Minimal

Largely free to use

AI that screens job applicants' CVs
An AI opponent in a video game
AI medical-diagnosis support
An AI spam filter in your email
AI that approves or denies bank loans
Government social-scoring of every citizen
Untargeted mass face-scanning in public
A chatbot that must say it is a bot

Why a Caribbean board should still care

The Caribbean is not in the EU, so why learn this? Three reasons. The law reaches any organisation whose AI outputs are used in Europe. The global vendors we all rent from are rebuilding their products to obey it, so we inherit its shape whether we like it or not. And regulators everywhere, including our own, are treating it as the template to copy. The high-risk obligations were recently delayed to December 2027, which is not a reprieve for us. It is runway. Use it.

One more thing worth knowing. The Act has real teeth. Breaching the banned-practice rules can cost up to thirty-five million euros or seven percent of a company's global annual turnover, whichever is larger. Governance is cheaper than the fine.

Minimal risk (most everyday AI)80%
Limited risk (transparency duties)12%
High risk (tightly controlled)7%
Unacceptable (banned)1%
Illustrative distribution: most everyday AI is low risk, so governance effort should concentrate where the stakes are highest.

Module 3 · The rulebooks · 6 min read

The rest of the toolkit: UNESCO, ISO, and local law

Three more instruments complete the picture, and none of them require you to be a lawyer. The UNESCO Recommendation on the Ethics of Artificial Intelligence, adopted in 2021, was the first global standard on AI ethics, agreed by nearly two hundred countries. It is not a binding law, but it is the shared moral floor, built on human rights, human dignity, transparency, fairness, and human oversight. When you need to explain why governance matters beyond avoiding fines, UNESCO gives you the language.

ISO/IEC 42001 is the newest piece. It is an international management-system standard for AI, the same family as the quality and security standards many Caribbean firms already hold. It turns good intentions into a certifiable, auditable system. You do not need it on day one, but it is the destination a maturing programme walks toward.

And closest to home, your own national Data Protection Act. This is the one with actual legal force over you today. Whatever else you do, your handling of personal data through AI must satisfy local law. Start there.

A simple way to remember the four rulebooks

NIST is how you do it. The EU AI Act is the strictness dial for how risky a system is. UNESCO is why it matters. Your national Data Protection Act is the law you must obey right now. Master those four sentences and you are ahead of most boards in the region.

Module 4 · Governing in practice · 7 min read

Someone has to own it

Here is the uncomfortable truth that separates real governance from a poster on the wall. Accountability cannot be given to a machine, and it cannot be given to a vendor. When an AI system causes harm, a regulator, a customer, or a court will ask a human being why, and the answer cannot be that the computer decided. Every meaningful AI system in your organisation needs a named human owner, and your board or senior leadership must own the oversight of the whole.

How big is this gap in our region? A 2026 PwC survey of Caribbean directors measured it, and the numbers are sobering.

0%

of Caribbean directors feel their board spends enough time on AI

0%

feel they receive sufficient information on AI risks

0M

top EU AI Act fine, or 7% of global turnover, for banned practices

Read those first two numbers again. More than ninety percent of directors in our region know they are not giving AI the attention it needs. That is not a failure of intelligence. It is a failure of process, and process is exactly what you are learning to build. When something does go wrong, and eventually something will, the organisations that cope are the ones with an incident response plan. Put these steps in the right order.

PuzzleOrder the AI incident response

Use the arrows to put these steps in the right order.

  1. 1Remediate: fix the root cause and correct the harm where you can
  2. 2Notify: tell the affected people, leadership, and any regulator as required
  3. 3Learn: update your controls so the same failure cannot happen twice
  4. 4Contain: pause or limit the system so the harm cannot spread
  5. 5Detect: notice and confirm that the AI system has caused or nearly caused harm

Module 4 · Governing in practice · 6 min read

The single most useful tool: the risk register

If you take only one practical instrument from this whole course, take the AI risk register. It is not software and it does not need to be. It is a living list of every AI system you use, the risks each one carries, how severe they are, who owns them, and what control is in place. A spreadsheet is enough to start. The power is not in the format. The power is in making invisible risk visible, owned, and reviewed on a schedule, exactly the way your finance team already treats money.

What a first row looks like

System: customer-service chatbot. Risk: may give wrong advice (hallucination). Severity: high, it speaks to customers. Owner: Head of Customer Service. Control: human review of any policy or legal answer before it is sent. Next review: quarterly. That single row is more governance than most institutions in the Caribbean have written down today.

Work the decision below. It is the kind of judgement a risk register is built to support.

InteractiveA board-level judgement call

A Trinidadian bank wants to deploy an AI model that decides small-business loan approvals automatically, with no human in the loop, to speed up lending.

As the risk owner, what do you advise?

Module 5 · Put it to work · 6 min read

Your first 90 days

You now know more about AI risk than most people sitting on Caribbean boards. The last question is what to do with it. You do not need a budget, a consultant, or permission to begin. Here is a plan any organisation can run in three months.

Days 1 to 30: See what you have

Make a simple inventory of every place AI is already being used in your organisation, official or not. Ask people honestly; you will be surprised. Write a one-page AI use policy in plain language that says which tools are approved and the golden rule that no personal or confidential data goes into public tools. That two-document start already puts you ahead.

Days 31 to 60: Name owners and risks

For each AI system on your inventory, name a human owner and open a row in a risk register. Run the seven domains against it and write down the two or three risks that actually apply. Decide one control for each. Keep it light and real rather than perfect.

Days 61 to 90: Set the rhythm

Put AI risk on a recurring agenda, monthly for the working team, quarterly for leadership. Draft a five-line incident response plan. Pick one high-stakes system and add a human review step. Governance is not a project you finish. It is a habit you keep, and after ninety days you will have the habit.

Key takeaways

  • 1You can start AI governance with a spreadsheet and a one-page policy. No budget required.
  • 2Inventory first, because you cannot govern what you cannot see.
  • 3Name a human owner for every AI system. Accountability never belongs to the machine.
  • 4Set a review rhythm. Governance is a habit, not a one-time project.

A final word

The Caribbean does not have to wait for perfect regulation to govern AI well. We can adopt this technology proactively and govern it deliberately, adapting the world's best frameworks to our own context and values. That is not caution for its own sake. It is how a small region protects its people while still claiming its share of what AI can build. Now prove what you know.

Module 5 · Put it to work · 20 min read

Final assessment

Thirty questions drawn from everything you have covered. Score eighty percent or higher to earn your certificate. You can retake it as many times as you like, and every question has an explanation so a wrong answer is still a lesson.

Final assessment

Earn your certificate

Thirty multiple-choice questions drawn from everything you have covered. Score 80 percent or higher, which is 24 out of 30, and you earn a certificate of completion signed on behalf of the Caribbean AI Association. You can retake it as many times as you need. Enter your details so we can put your name on the certificate.

We store your name and email only to issue and verify your certificate and to send you the result. No spam.