Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

IRGC Guidelines for Emerging Risk Governance

This peer-reviewed report proposes a set of guidelines to help organisations deal proactively with emerging issues.

  • Be the first to comment

  • Be the first to like this

IRGC Guidelines for Emerging Risk Governance

  1. 1. EPFL Center + Foundation GOVERNANCE OF EMERGING RISKS Guidelines for the governance of unfamiliar risks March 2017 No part of this document may be quoted or reproduced without prior written approval from IRGC This presentation deck accompanies the main IRGC report and an appendix, available online:
  2. 2. EPFL Center + Foundation Introduction • A risk is an uncertain (mostly negative) consequence of an event or an activity with regards to something that humans value. Emerging risks are ‘new or familiar risks that become apparent in new or unfamiliar conditions’ • Emerging risks should be distinguished from familiar risks: o Familiar risks are well understood by risk managers who know how to manage them o Emerging risks on the other hand are primarily characterised by uncertainty • Knowledge becomes the key concept for emerging risks • The concept of emerging risk is relative, not absolute • In emerging risk management, what matters most to an organisation is its potential exposure 2
  3. 3. EPFL Center + Foundation Characteristics of emerging risks • IRGC suggests three categories of emerging risks: Risks with uncertain impacts Risks in complex, interconnected systems Risks resulting from changes in context High uncertainty and a lack of knowledge about potential impacts and consequences (interactions with risk-absorbing systems). e.g., applications of synthetic biology Increasing complexity, emerging interactions and systemic dependencies have the potential to lead to non-linear impacts and surprises. e.g., systemic risks in energy or ICT systems Changes in context (social, regulatory, natural etc.) may alter the nature, probability and magnitude of expected impacts of previously known risks. e.g., antimicrobial resistance 3
  4. 4. EPFL Center + Foundation Defining an appropriate process for emerging risk governance • The guidelines proposed by IRGC provide an overarching framework to support senior managers address emerging risks. • They help to organise how information and evidence are collected, analysed and combined to design strategies for emerging risk governance. • In particular, the IRGC guidelines: o Provide guidance to organisations in anticipating and responding to emerging risks o Provide transparent and enforceable criteria for the evaluation of the effectiveness of the emerging risk governance process o Embed the emerging risk management process as a routine within the organisation, drawing from existing processes 4
  5. 5. EPFL Center + Foundation Emerging Risk Governance Guidelines 5
  6. 6. EPFL Center + Foundation Step 1: Make sense of the present & explore the future 7 Provide early warning Identify: • Potential threats or opportunities to relevant assets and processes • Contributing factors that create fertile ground for risks and opportunities to develop (emerge, amplify or attenuate) Make sense of signals that might shape the future Detect and explore current and possible future evolutions that may change the organisation’s environment Analyse these changes according to their potential to represent a threat and/or an opportunity Filter and prioritise the detected threats and opportunities that require further attention in Step 2 Regularly update the selection of risks and opportunities as new information becomes available Required actions List of threats and opportunities that require further analysis and exploration Description of the context in which these develop Identification of the necessary or sufficient conditions for the risk or opportunity to materialise List of threats and opportunities that are irrelevant to the organisation's objectives given available information Expected outcomes Key objective
  7. 7. EPFL Center + Foundation Step 1: Make sense of the present & explore the future 8 Emerging risk conductor Defines approaches and facilitates continuous interactions among experts and between experts and decision-makers Experts and analysts Detect signals, perform analyses and suggest necessary characterisation Senior decision-makers Validate Step 1 outputs and decide which issues will be further investigated and what resources will be allocated to the process Key participants & responsibilities • Diversity of information • Scientific soundness of data collection, analysis and prioritisation • Data reliability and consistency • Compatibility with existing and past or familiar threats Key success factors
  8. 8. EPFL Center + Foundation Contributing factors to risk emergence 9 The human factor: Behavioural and cultural advancement The overall context: System complexity The decision- maker 4. Varying susceptibility to risk 3. Positive feedback 2. Loss of safety margins 1. Scientific unknowns 7. Technological advances 6. Social dynamics 5. Conflicts of interests, values and science 12. Malicious attacks 11. Perverse incentives 10. Information asymmetries 9. Communication 8. Temporal complications Source: IRGC (2010). The Emergence of Risks: Contributing Factors. Geneva: International Risk Governance Council. Report available online: governance/emerging-risk/irgc- concept-of-contributing-factors-to- risk-emergence/
  9. 9. EPFL Center + Foundation Anticipating vs. exploring uncertain futures 10 Level 1 Level 2 Level 3 Level 4 Deep Uncertainty Context A clear enough future Alternate futures (with probabilities A multiplicity of plausible future Unknown futures Familiar risks Emerging risks Source: Walker, W. E., Marchau, V. A. W. J. & Swanson, D. (2010). Addressing Deep Uncertainty Using Adaptive Policies: Introduction to Section 2. Technological Forecasting & Social Change, 77(6), 917–923.
  10. 10. EPFL Center + Foundation Framing discussions of risk and innovation • Innovation creates change • This always carries risk, with the potential for harm as well as benefit • It is difficult to ‘predict’ the future • Complexity, uncertainty and ambiguity (different interpretations, or even controversy) • Often technological innovations and related risks develop in complex systems  Interdependent cascading failures may happen in a network of interconnected system components, where a small localised initial failure (which could result from an emerging risk) may trigger large perturbations elsewhere 11
  11. 11. EPFL Center + Foundation Step 2: Develop scenarios based on narratives & models 12 Develop scenarios of how an emerging risk or opportunity could impact an organisation and its objectives. This: • Offers the possibility for collaborative framing of existing and future threats/opportunities • Provides evidence and support for future decisions concerning the identified threats/opportunities • Updates the scenarios as new information and knowledge become available Develop or use various types of scenarios to explore and evaluate the emerging risk that could affect the organisation in the future Begin to identify possible bifurcations and intervention points, to prepare the development of management options Update the scenarios as necessary, taking into account the emergence of new signals and the outcome of strategic interactions with stakeholders Required actions Set of explorative scenarios. The scenarios describe how the threats and opportunities identified in Step 1 may have an impact on the organisation. Particular attention must be given to: • The contributing factors (amplifying or attenuating) • Events or tipping points that may accelerate, reduce or generally affect the factors • The consequences of each scenario for the organisation Familiarity with concepts Expected outcomes Key objective
  12. 12. EPFL Center + Foundation Step 2: Develop scenarios based on models & narratives 13 Experts in futures studies scientific & scenario- building techniques Facilitate interactions between contributors and ensure the validity of the scenario development exercise Emerging risk conductor Ensures the coherence of the exercise with the threats and opportunities de ned in Step 1 and the organisation’s expectations Decision-makers Confirm their commitment, in particular by allocating resources, providing reward and assigning responsibilities Key participants & responsibilities • Relevance to concerns and needs of decision-makers • Credibility, to assess the scientific soundness of the models and data used as well as the transparency of the choices • Comprehensibility and traceability, to describe the clarity of the sequence of events and the ability of final users to easily understand and follow the underlying rationality • Legitimacy, through openness of the process to various stakeholders, promoting different values and political orientations • Creativity, to stimulate new ways of thinking and dealing with the “unusual” • Distinctness, to assess the ability of the scenarios to jointly convey to decision-makers the diversity of possible futures Key success factors
  13. 13. EPFL Center + Foundation Step 3: Generate risk management options & formulate strategy 14 Design strategies for the management of emerging risks that are proactive, effective, cost- efficient and adaptive in order to deal adequately with the risks and opportunities explored in Step 2 Identify and evaluate possible emerging risk management options. No option should be excluded Define intervention points and indicators. Consider the organisation’s decision-making style, resources and risk appetite Identify thresholds of irreversibility and thresholds of acceptability Communicate this process and the decision that has been made in a transparent manner Include uncertainty: Being aware of what is unknown Required actions Management strategies for each scenario: Provide a strategy for each of the scenarios developed in Step 2. The description of the strategy, its expected performance and the key trade-offs adopted by decision-makers must be made explicit A final decision as to which emerging risk management option(s) will be implemented Expected outcomes Key objective
  14. 14. EPFL Center + Foundation Step 3: Generate risk management options & formulate strategy 15 Decision-makers at the strategic level Select options and demonstrate leadership, especially when it comes to challenging comfortable or routine practices not suited to changing environments Emerging risk conductor Facilitates the decision-making process and ensures that decisions are made Key participants & responsibilities • Flexibility for adaptation and adjustment to new evidence when it becomes available • Consistency with organisational values and culture as well as with procedures • Internal openness and transparency of the process • Clear prioritisation of actions, taking expected impacts and available resources into account • Revision of the strategy if context and conditions change Key success factors
  15. 15. EPFL Center + Foundation Step 3: What to do and how 16 Generating the strategy options for implementation • What strategy and options could respond to the emerging risk? • When could these options be implemented? What would be the intervention timing? Evaluating the strategic options • What criteria will be used to assess and evaluate the options to provide the best response to the variety of possible futures? • How will the performance of the management options be evaluated? Making robust decisions • What decision-making approach will be chosen? How? • What option or combination of options will be decided? • What is the timing for implementation?
  16. 16. EPFL Center + Foundation Step 3: Generate strategy and options for implementation 17 Some of the factors that contribute to risk emergence are controllable. In those cases, an organisation can act to prevent a risk from emerging (or amplifying) or can reduce its consequences if it materialises. 1 Act on contributing factors to risk emergence Trying to avoid the risk can represent a valuable management option in cases where the risk evaluation results in reasoned assumptions of unacceptable consequences. Precautionary approaches should be chosen on a case-by-case basis, in relation to a desired level of protection against identified potential risks. 2 Develop precautionary approaches A reduction in exposure or vulnerability can be a strategic option if an intervention is considered too costly, inappropriate, or impossible For emerging but well identified risks: reduce sensitivity to the risk by developing redundancies, improving personnel training or readjusting protection capabilities. In the case of unexpected events: build resilience 3 Reduce vulnerability 1 Act on contributing factors to risk emergence 2 Develop precautionary approaches 3 Reduce vulnerability 4 Modify risk appetite in line with risk 5 Use risk governance instruments for familiar risks 6 Do nothing Dealing with emerging risks requires that organisations constantly align their risk appetite to changes in their environment, the availability of new knowledge, and their resources and capabilities to tolerate or cope with potential risk losses. 4 Modify risk appetite in line with risk
  17. 17. EPFL Center + Foundation Step 4: Implement the strategy 18 Implement strategy options decided in Step 3 Creating supportive conditions for the organisational, technical and cultural shifts that may be required for the effective deployment of risk management options Put in place the internal and external communication capacities required for a common understanding of the objectives and the rationale behind them Allocate resources to match operational capabilities with strategic orientations Clearly define roles, responsibilities and incentives according to the strategic options adopted Support strategy implementation by ensuring adequate authority and leadership in all phases and enabling the creation of appropriate risk cultures Required actions • Translation of the strategic objectives into individual and collective objectives at the various levels of the organisation • Implementation of the decisions made in Step 3 Expected outcomes Key objective
  18. 18. EPFL Center + Foundation Step 4: Implement the strategy 19 Strategic decision-makers (e.g. chief risk officer) Endorse the responsibility of implementing the strategy; appoint a dedicated team Risk owner (if any) Effectively manages the risk and opportunity for which he/she is responsible, and is rewarded accordingly Other relevant stakeholders Translate the strategic decisions into concrete actions Emerging risk conductor Provides complementary knowledge or expertise regarding the risks and opportunities considered Key participants & responsibilities • Transparency through effective and continuous communication about the strategic objectives and decisions at all levels of the organisation • Including relevant stakeholders for the evaluation of the strategy relevance and effectiveness, and timely reaction to resolve conflicts and trade-offs • Continuous monitoring through the early detection of difficulties and conflicts (with bottom- up reporting) • Continuous interactions with the emerging risk conductor to re-evaluate the relevance of the strategy in light of new signals and knowledge, if necessary Key success factors
  19. 19. EPFL Center + Foundation Step 5: Review risk development and decisions 20 Monitor how emerging risks and opportunities unfold Review the relevance and performance of the decisions made and, if needed, Update the strategy Deploy monitoring capabilities for the decision options described in Step 3 Create the interaction space required for the conductor and other users of the guidelines to exchange and communicate Establish bridges with risk management standards or professional organisations, which may help confer legitimacy to the process Required actions • Risks and opportunities can be decommissioned, or become accepted or sufficiently well known for familiar risk management measures to be employed • Risks and opportunities outside of these options must remain the subject of careful and continuous monitoring, analysis and revision Expected outcomesKey objective
  20. 20. EPFL Center + Foundation Step 5: Review risk development and decisions 21 Senior managers Review decisions about the organisation’s emerging risk management, i.e. the design and implementation of internal structures and processes Business managers Deploy the adopted risk management strategies Emerging risk conductor Creates interaction space for reflection and confidence Key participants & responsibilities • Involvement of all internal stakeholders • Open and transparent discussions • Regular updates of strategic decisions based on new information Key success factors
  21. 21. EPFL Center + Foundation The emerging risk conductor • Emerging risk governance requires leadership, it requires a ‘risk conductor’ to ensure the effective implementation of the guidelines • Specifically, the risk conductor must have the mission and resources to lead the process and to: o Facilitate interactions among participants o Validate technical frameworks and approaches adopted in the process o Monitor performances and, if required, identify and correct weaknesses o Promote necessary changes in attitude and behaviour o Communicate to increase awareness and explain decisions o Report on the potential impact of emerging risks o Review 22
  22. 22. EPFL Center + Foundation Conditions for success 23 Provide a supportive environment Tolerance for failure Acknowledge cognitive biases Dialogue about the challenges of investing in emerging risk governance Communicate Proactive attitude to change Creating meaningful interactions between stakeholders Demonstrate that it is effective and worth the investment The emerging risk conductor must not be a ‘prophet of doom’
  23. 23. EPFL Center + Foundation Conclusion • Frameworks for the governance of familiar risks are often not appropriate for emerging risks: Need for internal processes to anticipate and respond to risk • Create conditions for opportunity management as well as for risk management • Innovation management and emerging risk management are interlinked • At a broad strategic level, implementing these guidelines should result in four distinct key capabilities: o Proactive thinking o Willingness to bear or to avoid risk o Prioritising investments o Internal communication 24
  24. 24. EPFL Center + Foundation How IRGC developed its guidelines for emerging risk governance • Look at how practitioners do it: ENISA – EU Agency for Network and Information Security, EFSA – European Food Safety Authority, Swiss Re SONAR, CEN workshop agreement on managing emerging technology-related risks (Din_CWA 16649) • Look at theoretical foundations in cultural theory of risk, dynamic capabilities in strategic and innovation management, use of signals and early-warnings in technology management, foresight and scenario development, robust decision-making, and strategy implementation • Previous IRGC work o Factors contributing to risk emergence (2010) o Improving risk management in industry (2011) o Public sector governance of emerging risks (2013) o On-going discussions with practitioners and academics at workshops 25
  25. 25. EPFL Center + Foundation No part of this document may be quoted or reproduced without prior written approval from IRGC © EPFL International Risk Governance Center and Foundation, 2015 - 2017