Download - IRGC Guidelines for Emerging Risk Governance
EPFL Center + Foundation
GOVERNANCE OF EMERGING RISKSGuidelines for the governance of unfamiliar risks
March 2017No part of this document may be quoted or
reproduced without prior written approval from IRGC
This presentation deck accompanies the main IRGC report and an appendix, available online: https://www.irgc.org/risk-governance/emerging-risk/a-protocol-for-dealing-with-emerging-risks/
EPFL Center + Foundation
Introduction
• A risk is an uncertain (mostly negative) consequence of an event or an activity with regards to something that humans value. Emerging risks are ‘new or familiar risks that become apparent in new or unfamiliar conditions’
• Emerging risks should be distinguished from familiar risks:o Familiar risks are well understood by risk managers who know how to manage themo Emerging risks on the other hand are primarily characterised by uncertainty
• Knowledge becomes the key concept for emerging risks
• The concept of emerging risk is relative, not absolute
• In emerging risk management, what matters most to an organisation is its potential exposure
2
EPFL Center + Foundation
Characteristics of emerging risks
• IRGC suggests three categories of emerging risks:
Risks with uncertain impacts Risks in complex, interconnected systems
Risks resulting from changes in context
High uncertainty and a lack of knowledge about potential impacts and
consequences (interactions with risk-absorbing systems).
e.g., applications of synthetic biology
Increasing complexity, emerging interactions and
systemic dependencieshave the potential to lead to
non-linear impacts and surprises.
e.g., systemic risks in energy or ICT systems
Changes in context (social, regulatory, natural etc.) may alter the nature, probability and magnitude of expected
impacts of previously known risks.
e.g., antimicrobial resistance
3
EPFL Center + Foundation
Defining an appropriate process for emerging risk governance• The guidelines proposed by IRGC provide an overarching framework to
support senior managers address emerging risks.
• They help to organise how information and evidence are collected,analysed and combined to design strategies for emerging risk governance.
• In particular, the IRGC guidelines:o Provide guidance to organisations in anticipating and responding to emerging
risks
o Provide transparent and enforceable criteria for the evaluation of the effectivenessof the emerging risk governance process
o Embed the emerging risk management process as a routine within theorganisation, drawing from existing processes
4
EPFL Center + Foundation
Step 1: Make sense of the present & explore the future
7
Provide early warning
Identify:• Potential threats or opportunities
to relevant assets and processes• Contributing factors that create
fertile ground for risks and opportunities to develop (emerge, amplify or attenuate)
Make sense of signals that might shape the future
Detect and explore current and possible future evolutions that may change the organisation’s environment
Analyse these changes according to their potential to represent a threat and/or an opportunity
Filter and prioritise the detected threats and opportunities that require further attention in Step 2
Regularly update the selection of risks and opportunities as new information becomes available
Required actions
List of threats and opportunities that require further analysis and exploration
Description of the context in which these develop
Identification of the necessary or sufficient conditions for the risk or opportunity to materialise
List of threats and opportunities that are irrelevant to the organisation's objectives given available information
Expected outcomesKey
objective
EPFL Center + Foundation
Step 1: Make sense of the present & explore the future
8
Emerging risk conductorDefines approaches and facilitates continuous interactions among experts and between experts and decision-makers
Experts and analystsDetect signals, perform analyses and suggest necessary characterisation
Senior decision-makersValidate Step 1 outputs and decide which issues will be further investigated and what resources will be allocated to the process
Key participants & responsibilities
• Diversity of information
• Scientific soundness of data collection, analysis and prioritisation
• Data reliability and consistency
• Compatibility with existing and past or familiar threats
Key success factors
EPFL Center + Foundation
Contributing factors to risk emergence
9
The human factor: Behavioural and cultural
advancement
The overall context: System complexity
The decision-
maker
4. Varying susceptibility to risk3. Positive feedback2. Loss of safety margins1. Scientific unknowns
7. Technological advances6. Social dynamics5. Conflicts of interests, values and science
12. Malicious attacks11. Perverse incentives10. Information asymmetries 9. Communication8. Temporal complications
Source: IRGC (2010). The Emergence of Risks: Contributing Factors. Geneva: International Risk Governance Council.
Report available online: https://www.irgc.org/risk-
governance/emerging-risk/irgc-concept-of-contributing-factors-to-
risk-emergence/
EPFL Center + Foundation
Anticipating vs. exploring uncertain futures
10
Level 1 Level 2 Level 3 Level 4Deep Uncertainty
Context
A clear enough future
Alternate futures (with probabilities
A multiplicity of plausible future
Unknown futures
Familiar risks Emerging risks
Source: Walker, W. E., Marchau, V. A. W. J. & Swanson, D. (2010). Addressing Deep Uncertainty Using Adaptive Policies: Introduction to Section 2. Technological Forecasting & Social Change, 77(6), 917–923.
EPFL Center + Foundation
Framing discussions of risk and innovation
• Innovation creates change• This always carries risk, with the potential for harm as well as benefit• It is difficult to ‘predict’ the future• Complexity, uncertainty and ambiguity (different interpretations, or even
controversy)• Often technological innovations and related risks develop in complex
systems Interdependent cascading failures may happen in a network of interconnected system components, where a small localised initial failure (which could result from an emerging risk) may trigger large perturbations elsewhere
11
EPFL Center + Foundation
Step 2: Develop scenarios based on narratives & models
12
Develop scenariosof how an emerging risk or opportunity could impact an organisation and its objectives. This:
• Offers the possibility for collaborative framing of existing and future threats/opportunities
• Provides evidence and support for future decisions concerning the identified threats/opportunities
• Updates the scenarios as new information and knowledge become available
Develop or use various types ofscenarios to explore and evaluatethe emerging risk that could affect the organisation in the future
Begin to identify possible bifurcations and intervention points, to prepare the development of management options
Update the scenarios as necessary, taking into account the emergenceof new signals and the outcome ofstrategic interactions with stakeholders
Required actions
Set of explorative scenarios. The scenarios describe how the threatsand opportunities identified in Step 1 may have an impact on the organisation. Particular attention must be given to:• The contributing factors
(amplifying or attenuating)• Events or tipping points that may
accelerate, reduce or generally affect the factors
• The consequences of each scenario for the organisation
Familiarity with concepts
Expected outcomes
Key objective
EPFL Center + Foundation
Step 2: Develop scenarios based on models & narratives
13
Experts in futures studies scientific & scenario-building techniquesFacilitate interactions between contributors and ensure the validity of the scenario development exercise
Emerging risk conductorEnsures the coherence of the exercise with the threats and opportunities de ned in Step 1 and the organisation’s expectations
Decision-makersConfirm their commitment, in particular by allocating resources, providing reward and assigning responsibilities
Key participants & responsibilities
• Relevance to concerns and needs of decision-makers
• Credibility, to assess the scientific soundness of the models and data used as well as the transparency of the choices
• Comprehensibility and traceability, to describe the clarity of the sequence of events and the ability of final users to easily understand and follow the underlying rationality
• Legitimacy, through openness of the process to various stakeholders, promoting different values and political orientations
• Creativity, to stimulate new ways of thinking and dealing with the “unusual”
• Distinctness, to assess the ability of the scenarios to jointly convey to decision-makers the diversity of possible futures
Key success factors
EPFL Center + Foundation
Step 3: Generate risk management options & formulate strategy
14
Design strategies for the management of emerging risks that are proactive, effective, cost-efficient and adaptive in order to deal adequately with the risks and opportunities explored in Step 2
Identify and evaluate possible emerging risk management options. No option should be excluded
Define intervention points and indicators. Consider the organisation’s decision-making style, resources and risk appetite
Identify thresholds of irreversibility and thresholds of acceptability
Communicate this process and the decision that has been made in a transparent manner
Include uncertainty: Being aware of what is unknown
Required actions
Management strategies for each scenario: Provide a strategy for each of the scenarios developed in Step 2. The description of the strategy, its expected performance and the key trade-offs adopted by decision-makers must be made explicit
A final decision as to which emerging risk management option(s) will be implemented
Expected outcomes
Key objective
EPFL Center + Foundation
Step 3: Generate risk management options & formulate strategy
15
Decision-makers at the strategic levelSelect options and demonstrate leadership, especially when it comes to challenging comfortable or routine practices not suited to changing environments
Emerging risk conductorFacilitates the decision-making process and ensures that decisions are made
Key participants & responsibilities • Flexibility for adaptation and adjustment to new
evidence when it becomes available
• Consistency with organisational values and culture as well as with procedures
• Internal openness and transparency of the process
• Clear prioritisation of actions, taking expected impacts and available resources into account
• Revision of the strategy if context and conditions change
Key success factors
EPFL Center + Foundation
Step 3: What to do and how
16
Generating the strategy options for implementation
• What strategy and options could respond to the emerging risk?• When could these options be implemented? What would be the
intervention timing?
Evaluating the strategic options
• What criteria will be used to assess and evaluate the options toprovide the best response to the variety of possible futures?
• How will the performance of the management options be evaluated?
Making robust decisions
• What decision-making approach will be chosen? How? • What option or combination of options will be decided?• What is the timing for implementation?
EPFL Center + Foundation
Step 3: Generate strategy and options for implementation
17
Some of the factors that contribute to risk emergence are controllable. In those cases, an organisation can act to prevent a risk from emerging (or amplifying) or can reduce its consequences if it materialises.
1 Act on contributing factors to risk emergence
Trying to avoid the risk can represent a valuable management option in cases where the risk evaluation results in reasoned assumptions of unacceptable consequences. Precautionary approaches should be chosen on a case-by-case basis, in relation to a desired level of protection against identified potential risks.
2 Develop precautionary approaches
A reduction in exposure or vulnerability can be a strategic option if an intervention is considered too costly, inappropriate, or impossible
For emerging but well identified risks: reduce sensitivity to the risk by developing redundancies, improving personnel training or readjusting protection capabilities.
In the case of unexpected events: build resilience
3 Reduce vulnerability
1Act on contributing
factors to risk emergence
2Develop
precautionary approaches
3Reduce vulnerability
4Modify risk appetite
in line with risk
5Use risk governance
instruments for familiar risks
6Do nothing
Dealing with emerging risks requires that organisations constantly align their risk appetite to changes in their environment, the availability of new knowledge, and their resources and capabilities to tolerate or cope with potential risk losses.
4 Modify risk appetite in line with risk
EPFL Center + Foundation
Step 4: Implement the strategy
18
Implement strategy options decided in Step 3
Creating supportive conditions for the organisational, technical and cultural shifts that may be required for the effective deployment of risk management options
Put in place the internal and external communication capacities required for a common understanding of the objectives and the rationale behind them
Allocate resources to match operational capabilities with strategic orientations
Clearly define roles, responsibilities and incentivesaccording to the strategic options adopted
Support strategy implementation by ensuring adequate authority and leadership in all phases and enabling the creation of appropriate risk cultures
Required actions
• Translation of the strategic objectives into individual and collective objectives at the various levels of the organisation
• Implementation of the decisions made in Step 3
Expected outcomes
Key objective
EPFL Center + Foundation
Step 4: Implement the strategy
19
Strategic decision-makers (e.g. chief risk officer) Endorse the responsibility of implementing the strategy; appoint a dedicated team
Risk owner (if any)Effectively manages the risk and opportunity for which he/she is responsible, and is rewarded accordingly
Other relevant stakeholdersTranslate the strategic decisions into concrete actions
Emerging risk conductorProvides complementary knowledge or expertise regarding the risks and opportunities considered
Key participants & responsibilities • Transparency through effective and continuous
communication about the strategic objectives and decisions at all levels of the organisation
• Including relevant stakeholders for the evaluation of the strategy relevance and effectiveness, and timely reaction to resolve conflicts and trade-offs
• Continuous monitoring through the early detection of difficulties and conflicts (with bottom- up reporting)
• Continuous interactions with the emerging risk conductor to re-evaluate the relevance of the strategy in light of new signals and knowledge, if necessary
Key success factors
EPFL Center + Foundation
Step 5: Review risk development and decisions
20
Monitor how emerging risks and opportunities unfold
Review the relevance and performance of the decisions made and, if needed,
Update the strategy
Deploy monitoring capabilities for the decision options described in Step 3
Create the interaction space required for the conductor and other users of the guidelines to exchange and communicate
Establish bridges with risk management standards or professional organisations, which may help confer legitimacy to the process
Required actions
• Risks and opportunities can be decommissioned, or become accepted or sufficiently well known for familiar risk management measures to be employed
• Risks and opportunities outside of these options must remain the subject of careful and continuous monitoring, analysis and revision
Expected outcomesKey
objective
EPFL Center + Foundation
Step 5: Review risk development and decisions
21
Senior managersReview decisions about the organisation’s emerging risk management, i.e. the design and implementation of internal structures and processes
Business managersDeploy the adopted risk management strategies
Emerging risk conductorCreates interaction space for reflection and confidence
Key participants & responsibilities
• Involvement of all internal stakeholders
• Open and transparent discussions
• Regular updates of strategic decisions based on new information
Key success factors
EPFL Center + Foundation
The emerging risk conductor
• Emerging risk governance requires leadership, it requires a ‘risk conductor’ to ensure the effective implementation of the guidelines
• Specifically, the risk conductor must have the mission and resources to lead the process and to:o Facilitate interactions among participantso Validate technical frameworks and approaches adopted in the process o Monitor performances and, if required, identify and correct weaknesseso Promote necessary changes in attitude and behaviouro Communicate to increase awareness and explain decisionso Report on the potential impact of emerging riskso Review
22
EPFL Center + Foundation
Conditions for success
23
Provide a supportive environment
Tolerance for failure Acknowledge cognitive biases
Dialogue about the challenges of investing
in emerging risk governance
Communicate
Proactive attitude to change
Creating meaningful interactions between
stakeholders
Demonstrate that it is effective and worth the
investment
The emerging risk conductor must not be
a ‘prophet of doom’
EPFL Center + Foundation
Conclusion
• Frameworks for the governance of familiar risks are often not appropriate for emerging risks: Need for internal processes to anticipate and respond to risk
• Create conditions for opportunity management as well as for risk management
• Innovation management and emerging risk management are interlinked
• At a broad strategic level, implementing these guidelines should result in four distinct key capabilities:o Proactive thinkingo Willingness to bear or to avoid risko Prioritising investmentso Internal communication
24
EPFL Center + Foundation
How IRGC developed its guidelines for emerging risk governance• Look at how practitioners do it: ENISA – EU Agency for Network and Information
Security, EFSA – European Food Safety Authority, Swiss Re SONAR, CEN workshop agreement on managing emerging technology-related risks (Din_CWA 16649)
• Look at theoretical foundations in cultural theory of risk, dynamic capabilities in strategic and innovation management, use of signals and early-warnings in technology management, foresight and scenario development, robust decision-making, and strategy implementation
• Previous IRGC worko Factors contributing to risk emergence (2010)o Improving risk management in industry (2011)o Public sector governance of emerging risks (2013)o On-going discussions with practitioners
and academics at workshops
25