**Article 9**

**Risk Identification and Analysis**  
The Recruitment Decision Forest (RDF) system’s risk management process begins with a structured identification and analysis of risks associated with its use in candidate screening and scoring. The system has been developed utilizing a Gradient Boosted Decision Tree (GBDT) ensemble trained on approximately 450,000 anonymized historical recruitment records gathered over five years from diverse industry sectors. In this context, primary risks identified include the potential for perpetuating historical hiring biases embedded within the training data. Analysis revealed correlations between protected attributes indirectly reflected in candidate metadata (e.g., geographic location, educational institutions) and model outputs, consistent with documented societal disparities. These correlations were surfaced via feature importance metrics and partial dependence plots to understand the influence of specific inputs on candidate rankings. The risk identification step further encompasses potential adverse impacts on protected and vulnerable groups, including younger applicants and underrepresented minorities, consistent with Article 9(9). No biometric data are processed, and the system is designed solely for structured data inputs, thereby excluding certain biometric-related risks.

**Risk Estimation and Evaluation under Intended Use and Foreseeable Misuse**  
Risk estimation evaluates both intended use—routine candidate screening—and reasonably foreseeable misuse scenarios such as overreliance on model outputs without human oversight, or the use of RDF scores outside their validated domain (e.g., decision-making beyond initial shortlisting). Quantitative bias metrics were employed during evaluation, including disparate impact ratio and equal opportunity difference, showing a baseline disparate impact ratio of 0.78 for gender subgroups, indicative of bias consistent with underlying data distributions. Model sensitivity analyses indicated that risk levels pertaining to discrimination could fluctuate depending on candidate pool characteristics. Forecasts of misapplication risks consider contexts where recruiters may apply RDF outputs without critical evaluation or use the model to exclude candidates based on features associated with historical bias, potentially exacerbating unfair outcomes. These risks are flagged clearly in technical documentation and user-facing risk summaries to guide responsible deployment.

**Post-Market Risk Assessment and Integration**  
Consistent with Article 9(2)(c), RDF incorporates systematic gathering and evaluation of post-market monitoring data concerning model performance and fairness metrics, sourced from deployment logs and recruiter feedback portals. Monthly aggregations of scoring outcomes and candidate demographics feed into automated dashboards tracking key risk indicators, such as false positive/negative rates across subgroups and shifts in feature distributions. Post-market findings have confirmed persistence of bias patterns identified during pre-market phases, with no observed spontaneous mitigation absent explicit interventions by deployers. These insights form part of a continuous risk review cycle managed by Meridian Analytics Solutions, informing recommendations for use and audit intervals but do not trigger architecture changes within the model itself.

**Selection and Implementation of Risk Management Measures**  
RDF’s design incorporates transparency and interpretability tools, including SHAP (SHapley Additive exPlanations) value visualizations and feature contribution reports, to expose model reasoning post-hoc. These tools were integrated to address requirements for informing deployers and end-users about potential bias risks and to foster human-in-the-loop decision making. The provider has opted against re-weighting training samples, exclusion of bias-correlated features, or embedding fairness constraints during model development—design choices documented as aligned with objectives prioritizing model accuracy and interpretability. Consequently, no intrinsic bias mitigation is implemented at the model architecture or training stages. Instead, mitigation focuses on provisioning detailed transparency outputs, user training materials emphasizing ethical use, and deployment guidelines recommending periodic fairness audits and contextual decision reviews by human recruiters.

Risk reduction strategies therefore emphasize supplementing inherent system transparency with deployer and user education rather than core functional changes. This approach aligns with the understanding that certain residual risks related to bias are unavoidable given historical data limitations and system design trade-offs. Information on these risks, potential adverse effects, and recommended user practices is extensively documented in the technical dossier and accessible onboarding materials consistent with Article 9(5)(c).

**Testing for Performance Consistency and Risk Assessment**  
RDF’s validation framework includes staged testing across development phases and prior to market release, employing a suite of quantitative metrics addressing accuracy, fairness, and stability. Testing used stratified cross-validation on the 450,000-sample dataset with 20% reserved for unseen validation, yielding an average area under the ROC curve (AUC) of 0.82 ± 0.02 for candidate ranking. Fairness testing applied subgroup-specific performance metrics, securely logging results under preset probabilistic thresholds for acceptable disparate impact (minimum threshold set at 0.8). Tests were conducted in simulated operational environments replicating candidate mixes typical of European recruitment scenarios. While these demonstrated consistent system performance against functional benchmarks, fairness metrics confirmed the persistence of historical bias effects. No real-world pilot deployments involving live candidate assessments preceded market entry, in line with deployment best practice that ensures strict control over risk exposure pending further monitoring.

**Consideration of Vulnerable Groups and Minors**  
Risk evaluation explicitly addressed impact potentials on applicants under 18 and other vulnerable groups likely to interact with or be affected by RDF outcomes, consistent with Article 9(9). Although applicants below legal working age are generally screened out by deployers before data input, the system’s training data includes occasional borderline cases, which were analyzed for disproportionate negative scoring. Findings indicated no exceptional risk beyond the biases shared by adult subgroups, and no specialized safeguards in model design target minors or vulnerable candidates explicitly. Mitigation of potential harm to these groups is deferred to deployment-level procedures informed by provider guidance, including enhanced human review and additional contextual checks to be incorporated by recruiters.

**Integration within Internal Risk Management Structures**  
Meridian Analytics Solutions integrates the RDF system’s risk management process within broader corporate software lifecycle management protocols, ensuring compatibility with standard quality assurance, data governance frameworks, and customer support workflows per Article 9(10). The existing organizational procedures incorporate continuous risk review cycles, aligned with ISO/IEC 27701 for privacy and ISO/IEC 27001 for information security, and contain documented roles responsible for monitoring post-market data and updating technical materials accordingly. Risk findings and mitigation recommendations from RDF-specific assessments are appended to these structures without overriding them, enabling adaptability to varying deployer contexts and regulatory obligations.

---

This documentation evidences a comprehensive lifecycle risk management process centered around identification, documentation, and transparency-focused risk controls, recognizing residual bias risks inherent to model design choices lacking embedded bias mitigation.