Custom Solution Intake & Review — Executive Process Overview

A lightweight governance process to ensure custom solutions (AI, automation, analytics, digital products) are delivered with the right level of assurance. The aim is to move fast on low-risk work while ensuring higher-risk work gets the right cross-functional scrutiny (privacy, security, legal, operational accountability, and where applicable, AI governance).
  • Outcome: clear routing + accountability
  • Principle: minimum necessary review
  • Inputs: structured intake (dropdowns)
  • Outputs: decision + constraints + worklist

Why this process exists

Custom solutions vary widely in risk based on what they do, what data they touch, who operates them, and the context they run in. Without a consistent intake, teams either over-rotate (slow) or under-review (risk exposure).

  • Speed: fast path for bounded low-risk solutions.
  • Consistency: standard questions that drive consistent decisions.
  • Accountability: clear owners, approvals, and decision records.
  • Defensibility: demonstrable rationale for why the chosen review path was appropriate.

Design principle: we do not "re-review everything." We identify which incremental obligations are triggered by the specific solution and run only the reviews that are actually required.

Process at a glance (5 steps)

1. Intake: capture minimal structured inputs (what it does, data, hosting/ops, context, system impact).
2. Triage: auto-route using decision rules; flag red-lines that require high assurance.
3. Activation check: derive which incremental reviews are triggered (privacy, security, legal, ops, AI governance).
4. Evidence pack: assemble only the artifacts required for the selected option (short pack vs full pack).
5. Decision & record: approve, approve with constraints, or stop. Record the decision and conditions for delivery.

Processing options (what leadership should expect)

Option A — Rapid Triage
  When it's used: bounded, client-operated; guidance/advisory; read-only; non-sensitive data; low public-interest context.
  Typical SLA: 1–2 business days.
  Minimum outputs: routing decision + basic constraints + minimal evidence (intake summary).

Option B — Standard Intake
  When it's used: regulated contexts, personal data, provider-hosted pilots, gated actions, or meaningful workflow/system impact.
  Typical SLA: ~5 business days to decision (typical).
  Minimum outputs: decision + triggered worklist + short Evidence Pack (data map, hosting boundary, oversight model).

Option C — Full Proposal
  When it's used: government/critical, managed service, persistent provider operation, automatic decisions, write/execute in core systems.
  Typical SLA: 2–6+ weeks (scope dependent).
  Minimum outputs: formal approvals + full Evidence Pack + risk acceptance (where required) + operating model.

The process is designed to keep Option C rare and intentional. Most work should land in A or B if scoped properly.

What drives routing (the six risk drivers)

Each driver, with its executive definition:

  • Decision role: Is it advising humans, taking actions with human gates, or acting automatically?
  • Human involvement: Do humans review every case, exceptions only, or not routinely?
  • Operations model: Who operates it day-to-day (client vs provider), and is it persistent or a pilot?
  • Data type: Test/business data vs personal data vs sensitive/regulated data.
  • Context: Commercial vs regulated vs government/critical environments.
  • System impact: Read-only vs updates to workflows/documents vs writes/executes in core systems.

Hard escalations (non-negotiable)

Any of these automatically requires Option C — Full Proposal (or an explicit executive override):

  • Government/critical + sensitive/regulated data
  • Managed service + personal/sensitive data
  • Provider hosting + write/execute access to core systems
  • Automatic actions in regulated/public-interest contexts
  • No routine human review + write/execute capability
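The triage step's routing logic, written out as an added Python example (not part of this process document; the driver value vocabularies and the rule wording are assumptions): the hard escalations above fire first, then the Option C criteria from the options table, then the Option A bounds, with everything else landing in Option B.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Intake:
    """One field per risk driver; the value vocabularies are assumptions for this example."""
    decision_role: str    # "advisory" | "gated" | "automatic"
    human_review: str     # "every_case" | "exceptions" | "none"
    operator: str         # "client" | "provider"
    persistent: bool      # persistent operation (True) vs bounded pilot (False)
    managed_service: bool
    hosting: str          # "client" | "provider"
    data_type: str        # "test" | "business" | "personal" | "sensitive"
    context: str          # "commercial" | "regulated" | "government"
    system_impact: str    # "read_only" | "workflow" | "core_write"

def hard_escalations(i: Intake) -> list:
    """Names of the non-negotiable Option C triggers that fire for this intake."""
    rules = [
        ("government/critical + sensitive/regulated data",
         i.context == "government" and i.data_type == "sensitive"),
        ("managed service + personal/sensitive data",
         i.managed_service and i.data_type in ("personal", "sensitive")),
        ("provider hosting + write/execute in core systems",
         i.hosting == "provider" and i.system_impact == "core_write"),
        ("automatic actions in regulated/public-interest context",
         i.decision_role == "automatic" and i.context in ("regulated", "government")),
        ("no routine human review + write/execute capability",
         i.human_review == "none" and i.system_impact == "core_write"),
    ]
    return [name for name, fired in rules if fired]

def route(i: Intake) -> tuple:
    """Return (option, hard_flags, option_c_reasons); hard flags need an explicit executive override to deviate."""
    hard = hard_escalations(i)
    option_c = [  # Option C criteria from the options table
        ("government/critical context", i.context == "government"),
        ("managed service", i.managed_service),
        ("persistent provider operation", i.operator == "provider" and i.persistent),
        ("automatic decisions", i.decision_role == "automatic"),
        ("write/execute in core systems", i.system_impact == "core_write"),
    ]
    reasons = [name for name, hit in option_c if hit]
    if hard or reasons:
        return "C", hard, reasons
    rapid = (i.operator == "client" and i.decision_role == "advisory"      # Option A bounds
             and i.system_impact == "read_only"
             and i.data_type in ("test", "business") and i.context == "commercial")
    return ("A" if rapid else "B"), [], []
```

Intakes that hit a hard flag are reported with the flag name so the decision record can state why Option C was mandatory rather than merely indicated.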

What leadership gets at the end (decision package)

  • Decision: Proceed / Proceed with constraints / Stop. A clear outcome with rationale.
  • Constraints: hosting, data limits, autonomy limits. What must be true for delivery to proceed.
  • Triggered reviews: auto-derived worklist covering privacy/security/legal/ops/AI governance as applicable.
  • Record: decision log + owner. A defensible trail for internal/external scrutiny.

Governance (lightweight)

Roles and accountabilities:

  • Submitter: provides accurate intake details and confirms scope boundaries.
  • Solution owner: owns the technical/design response and evidence pack.
  • Risk reviewers: provide approvals only when triggered (privacy, security, legal, etc.).
  • Decision owner: confirms lane decision and constraints; escalates where needed.

Metrics to keep it honest

  • Time to triage (Option A): target 1–2 business days
  • Time to decision (Option B): target ~5 business days (typical)
  • % routed to Option C: should remain low and explainable
  • Rework rate: intakes returned for missing information (a signal of form clarity issues)
  • Post-deployment incidents: used to validate whether the routing logic is calibrated

After ~30–60 intakes, tune the thresholds and hard flags based on observed outcomes.