The Online Safety Act (OSA) takes a largely systemic approach to how providers of certain user-to-user or search services are to deal with online safety. While the type of content covered by the OSA has become clearer over the course of the OSA's progress through Parliament, fundamental to its risk-based approach is the requirement on in-scope service providers to carry out substantial and ongoing risk assessments to assess the extent of their obligations.
Many providers already carry out various risk assessments, but the OSA will impose new and wider duties around them. As a result, risk assessments will become an even more crucial part of how many digital services are operated.
What do risk assessments entail?
The OSA and its supporting documentation give only high-level indications as to what the various risk assessment duties will entail and how they may be satisfied, though it is already clear that the duties will be both substantial and continuous. Ofcom has already set out its planned approach to risk assessments under the OSA and has indicated that it expects any risk assessment process to include steps to establish the context, assess the risks, decide on and implement measures accordingly, and to include a process of review and updating (see more on Ofcom's approach here).
A sensible and commonly accepted approach will be vital both to providers knowing how they can comply and to acceptance of the new regime by all stakeholders, including the general public.
The obligations will be part of the relevant service providers' duties which will include the following, matching the three categories which appear throughout the OSA:
- illegal content risk assessment duty for all in-scope services
- children's access assessment duties for all in-scope services
- adult user empowerment risk assessment for Category 1 services only
- children's risk assessment duties for services likely to be accessed by children.
Providers will be obliged to consider risk profiles for their type of service developed by Ofcom (discussed below), then apply those specifically to how their service operates. This includes how the technology operates, the functionality it offers (defined according to a lengthy list of features) and how the design and operation of the whole service may increase or reduce risks.
This goes beyond consideration of the technology and extends into analysis of how the service is used and by whom, how likely the users in question are to encounter the regulated content and the nature and severity of the possible harm if they do. It will also look at the provider's governance systems and even its whole business model.
Providers will also have to both keep records of risk assessments and supply copies to Ofcom.
Ofcom's role: risk profiles
The first set of risk assessments are to be carried out by the regulator, Ofcom, to "identify, assess and understand" the risks of harm regulated services may give rise to. These risk assessment profiles will follow the same categories. Ofcom then has to prepare "risk profiles" for different types of service. These will partly be based on the Ofcom risk assessment profiles, but also on a catch-all phrase, the "characteristics of the services". Ofcom will be required to produce guidance to accompany the risk profiles.
Although the intention appears to be that Ofcom's risk assessment profiles will cover types of service rather than the services offered by specific providers, the "characteristics" of services include elements which sound specific to particular services. These include their functionalities, governance, business model and user base. As with other parts of the incoming OSA, the drafting lacks detail, but the intention seems clear: Ofcom will have a broad discretion to decide what risks there might be.
Different levels of risk assessment
Risk assessments which factor in the Ofcom risk profiles are to be carried out by providers of user-to-user and search services. All services must carry out the assessments of illegal content risks and whether children are able to access the service.
All Category 1 services must conduct adult user empowerment risk assessments.
Where the service is "likely to be accessed by children" (a test for which is set out in the OSA), the service provider must carry out risk assessments in respect of content harmful to children. We discuss children's risk assessments in more detail here.
Timings of risk assessments
The systemic approach depends upon a continual process of risk assessment, both by Ofcom and service providers. Both are under an obligation to keep their risk assessments up to date and so this is to be seen as an ongoing process, requiring specific dedicated resource within an organisation, rather than something that can be carried out once and has then been satisfied.
Providers will also have to conduct risk assessments at specific times:
- within three months of Ofcom publishing its risk assessments
- when Ofcom makes a significant change to its risk profile applicable to that service
- before the launch of relevant new services
- when making any significant relevant change to the design or operation of the service, and
- when the service changes to become a "regulated service".
Ofcom's planned approach to risk assessments
Ofcom set out its planned approach to risk assessments under the Online Safety Bill in March 2023. Its proposed approach to risk across the online safety regime is framed around the following aims:
- risk assessments are an integral part of broader risk management processes and embedded within an organisation's existing risk management structures
- responsibilities for risk management are clearly specified and owned at the most senior levels
- risk management activities are regularly reported to senior decision-makers and independently scrutinised, where possible
- risk controls are assessed for effectiveness, and emerging risks are monitored.
Ofcom says its guidance will cover the kinds of evidence to be considered in risk assessments and what is likely to meet the requirement that assessments are "suitable and sufficient" for different types of organisation – larger services are likely to have a higher bar to meet in this respect. To that end, Ofcom plans to outline an additional set of evidence inputs for services which need to consider a range of sources of evidence to inform their risk assessments.
While recognising there is no 'one size fits all' approach, Ofcom says a good risk assessment should help a service anticipate and address the ways in which its users could be exposed to greater risks of harmful content. Helpful questions might include:
- How does the service's user base affect this risk; for example, do large numbers of child users in the UK increase the risk of exploitation?
- How do the functionalities of the service affect risk; for example, does offering stranger pairing increase the risk of romance fraud?
- What effect does the service's business model have; for example, how can a service's financial incentives under a given revenue model increase the risk of hosting harmful content?
Ofcom has developed a four-step process which can be applied by services of all types and sizes:
- Step one: establish the context – establish the risks of harm that need to be assessed. Consult the risk profiles produced by Ofcom which set out its assessment of key risk factors, and identify any gaps in understanding and evidence.
- Step two: assess the risks – review evidence about the relevant platform and associated risks. Assess the likelihood of harmful content appearing and the severity/impact of harm. In addition, evaluate existing mitigating measures.
- Step three: decide measures and implement – decide how to comply with safety duties, including through Ofcom's codes of practice. Identify which measures need to be implemented, implement them, and record the outcomes of the risk assessment.
- Step four: review and update – report via relevant governance structures. Monitor the effectiveness of mitigation measures. Put in place regular review periods for assessments, recognising any triggers which might require revisitation before the next review.
Going forward, Ofcom says it is working with service providers and regulatory counterparts to help improve risk assessment coherence under different regimes, notably, the EU's Digital Services Act.
Much of Ofcom's approach to risk assessments has been informed by its role under other principles-based legislation, as well as by a wide-ranging literature review. It says it has learned from a review of best practice and industry standards that good risk management is not a single process but a broader approach by companies which puts risk-awareness at the forefront of decision making – a culture of risk-awareness and prioritisation by all teams across an organisation. Ofcom also refers to the importance of internationally recognised risk governance standards (e.g. ISO 31000 and the Three Lines Model) in helping to make a risk-focused culture a fundamental part of an organisation's governance and leadership.
Next steps
The design of risk profiles and risk assessments will be among the first steps in implementing the new online safety regime. This will be a major task both for Ofcom and for service providers, but in order that risks and potential mitigations are properly understood, it will be crucial for service providers to be prepared to engage with the process from the outset.