IRGC Guidelines for Emerging Risk Governance

EPFL Center + Foundation

GOVERNANCE OF EMERGING RISKS
Guidelines for the governance of unfamiliar risks

March 2017

No part of this document may be quoted or reproduced without prior written approval from IRGC

This presentation deck accompanies the main IRGC report and an appendix, available online: https://www.irgc.org/risk-governance/emerging-risk/a-protocol-for-dealing-with-emerging-risks/


Introduction

• A risk is an uncertain (mostly negative) consequence of an event or an activity with regards to something that humans value. Emerging risks are ‘new or familiar risks that become apparent in new or unfamiliar conditions’

• Emerging risks should be distinguished from familiar risks:
  o Familiar risks are well understood by risk managers who know how to manage them
  o Emerging risks on the other hand are primarily characterised by uncertainty

• Knowledge becomes the key concept for emerging risks

• The concept of emerging risk is relative, not absolute

• In emerging risk management, what matters most to an organisation is its potential exposure


Characteristics of emerging risks

• IRGC suggests three categories of emerging risks:

  o Risks with uncertain impacts: High uncertainty and a lack of knowledge about potential impacts and consequences (interactions with risk-absorbing systems). e.g., applications of synthetic biology

  o Risks in complex, interconnected systems: Increasing complexity, emerging interactions and systemic dependencies have the potential to lead to non-linear impacts and surprises. e.g., systemic risks in energy or ICT systems

  o Risks resulting from changes in context: Changes in context (social, regulatory, natural etc.) may alter the nature, probability and magnitude of expected impacts of previously known risks. e.g., antimicrobial resistance

Defining an appropriate process for emerging risk governance

• The guidelines proposed by IRGC provide an overarching framework to support senior managers in addressing emerging risks.

• They help to organise how information and evidence are collected, analysed and combined to design strategies for emerging risk governance.

• In particular, the IRGC guidelines:
  o Provide guidance to organisations in anticipating and responding to emerging risks
  o Provide transparent and enforceable criteria for the evaluation of the effectiveness of the emerging risk governance process
  o Embed the emerging risk management process as a routine within the organisation, drawing from existing processes

Emerging Risk Governance Guidelines


Step 1: Make sense of the present & explore the future

Key objective

Provide early warning

Identify:
  o Potential threats or opportunities to relevant assets and processes
  o Contributing factors that create fertile ground for risks and opportunities to develop (emerge, amplify or attenuate)

Make sense of signals that might shape the future

Required actions

• Detect and explore current and possible future evolutions that may change the organisation’s environment

• Analyse these changes according to their potential to represent a threat and/or an opportunity

• Filter and prioritise the detected threats and opportunities that require further attention in Step 2

• Regularly update the selection of risks and opportunities as new information becomes available

Expected outcomes

• List of threats and opportunities that require further analysis and exploration

• Description of the context in which these develop

• Identification of the necessary or sufficient conditions for the risk or opportunity to materialise

• List of threats and opportunities that are irrelevant to the organisation's objectives given available information

Step 1: Make sense of the present & explore the future

Key participants & responsibilities

• Emerging risk conductor: Defines approaches and facilitates continuous interactions among experts and between experts and decision-makers

• Experts and analysts: Detect signals, perform analyses and suggest necessary characterisation

• Senior decision-makers: Validate Step 1 outputs and decide which issues will be further investigated and what resources will be allocated to the process

Key success factors

• Diversity of information

• Scientific soundness of data collection, analysis and prioritisation

• Data reliability and consistency

• Compatibility with existing and past or familiar threats

Contributing factors to risk emergence

The human factor: Behavioural and cultural advancement

The overall context: System complexity

The decision-maker

1. Scientific unknowns
2. Loss of safety margins
3. Positive feedback
4. Varying susceptibility to risk
5. Conflicts of interests, values and science
6. Social dynamics
7. Technological advances
8. Temporal complications
9. Communication
10. Information asymmetries
11. Perverse incentives
12. Malicious attacks

Source: IRGC (2010). The Emergence of Risks: Contributing Factors. Geneva: International Risk Governance Council.

Report available online: https://www.irgc.org/risk-governance/emerging-risk/irgc-concept-of-contributing-factors-to-risk-emergence/

Anticipating vs. exploring uncertain futures

Context, by level of uncertainty:

• Level 1: A clear enough future

• Level 2: Alternate futures (with probabilities)

• Level 3: A multiplicity of plausible futures

• Level 4: Unknown futures

Other labels on the figure: Deep Uncertainty; Familiar risks; Emerging risks

Source: Walker, W. E., Marchau, V. A. W. J. & Swanson, D. (2010). Addressing Deep Uncertainty Using Adaptive Policies: Introduction to Section 2. Technological Forecasting & Social Change, 77(6), 917–923.

Framing discussions of risk and innovation

• Innovation creates change

• This always carries risk, with the potential for harm as well as benefit

• It is difficult to ‘predict’ the future

• Complexity, uncertainty and ambiguity (different interpretations, or even controversy)

• Often technological innovations and related risks develop in complex systems

Interdependent cascading failures may happen in a network of interconnected system components, where a small localised initial failure (which could result from an emerging risk) may trigger large perturbations elsewhere

Step 2: Develop scenarios based on narratives & models

Key objective

Develop scenarios of how an emerging risk or opportunity could impact an organisation and its objectives. This:
  o Offers the possibility for collaborative framing of existing and future threats/opportunities
  o Provides evidence and support for future decisions concerning the identified threats/opportunities
  o Updates the scenarios as new information and knowledge become available

Required actions

• Develop or use various types of scenarios to explore and evaluate the emerging risk that could affect the organisation in the future

• Begin to identify possible bifurcations and intervention points, to prepare the development of management options

• Update the scenarios as necessary, taking into account the emergence of new signals and the outcome of strategic interactions with stakeholders

Expected outcomes

• Set of explorative scenarios. The scenarios describe how the threats and opportunities identified in Step 1 may have an impact on the organisation. Particular attention must be given to:
  o The contributing factors (amplifying or attenuating)
  o Events or tipping points that may accelerate, reduce or generally affect the factors
  o The consequences of each scenario for the organisation

• Familiarity with concepts

Step 2: Develop scenarios based on models & narratives

Key participants & responsibilities

• Experts in futures studies scientific & scenario-building techniques: Facilitate interactions between contributors and ensure the validity of the scenario development exercise

• Emerging risk conductor: Ensures the coherence of the exercise with the threats and opportunities defined in Step 1 and the organisation’s expectations

• Decision-makers: Confirm their commitment, in particular by allocating resources, providing reward and assigning responsibilities

Key success factors

• Relevance to concerns and needs of decision-makers

• Credibility, to assess the scientific soundness of the models and data used as well as the transparency of the choices

• Comprehensibility and traceability, to describe the clarity of the sequence of events and the ability of final users to easily understand and follow the underlying rationality

• Legitimacy, through openness of the process to various stakeholders, promoting different values and political orientations

• Creativity, to stimulate new ways of thinking and dealing with the “unusual”

• Distinctness, to assess the ability of the scenarios to jointly convey to decision-makers the diversity of possible futures

Step 3: Generate risk management options & formulate strategy

Key objective

Design strategies for the management of emerging risks that are proactive, effective, cost-efficient and adaptive in order to deal adequately with the risks and opportunities explored in Step 2

Required actions

• Identify and evaluate possible emerging risk management options. No option should be excluded

• Define intervention points and indicators. Consider the organisation’s decision-making style, resources and risk appetite

• Identify thresholds of irreversibility and thresholds of acceptability

• Communicate this process and the decision that has been made in a transparent manner

• Include uncertainty: Being aware of what is unknown

Expected outcomes

• Management strategies for each scenario: Provide a strategy for each of the scenarios developed in Step 2. The description of the strategy, its expected performance and the key trade-offs adopted by decision-makers must be made explicit

• A final decision as to which emerging risk management option(s) will be implemented

Step 3: Generate risk management options & formulate strategy

Key participants & responsibilities

• Decision-makers at the strategic level: Select options and demonstrate leadership, especially when it comes to challenging comfortable or routine practices not suited to changing environments

• Emerging risk conductor: Facilitates the decision-making process and ensures that decisions are made

Key success factors

• Flexibility for adaptation and adjustment to new evidence when it becomes available

• Consistency with organisational values and culture as well as with procedures

• Internal openness and transparency of the process

• Clear prioritisation of actions, taking expected impacts and available resources into account

• Revision of the strategy if context and conditions change

Step 3: What to do and how

Generating the strategy options for implementation

• What strategy and options could respond to the emerging risk?

• When could these options be implemented? What would be the intervention timing?

Evaluating the strategic options

• What criteria will be used to assess and evaluate the options to provide the best response to the variety of possible futures?

• How will the performance of the management options be evaluated?

Making robust decisions

• What decision-making approach will be chosen? How?

• What option or combination of options will be decided?

• What is the timing for implementation?

Step 3: Generate strategy and options for implementation

1. Act on contributing factors to risk emergence

Some of the factors that contribute to risk emergence are controllable. In those cases, an organisation can act to prevent a risk from emerging (or amplifying) or can reduce its consequences if it materialises.

2. Develop precautionary approaches

Trying to avoid the risk can represent a valuable management option in cases where the risk evaluation results in reasoned assumptions of unacceptable consequences. Precautionary approaches should be chosen on a case-by-case basis, in relation to a desired level of protection against identified potential risks.

3. Reduce vulnerability

A reduction in exposure or vulnerability can be a strategic option if an intervention is considered too costly, inappropriate, or impossible.

For emerging but well identified risks: reduce sensitivity to the risk by developing redundancies, improving personnel training or readjusting protection capabilities.

In the case of unexpected events: build resilience.

4. Modify risk appetite in line with risk

Dealing with emerging risks requires that organisations constantly align their risk appetite to changes in their environment, the availability of new knowledge, and their resources and capabilities to tolerate or cope with potential risk losses.

5. Use risk governance instruments for familiar risks

6. Do nothing

Step 4: Implement the strategy

Key objective

Implement strategy options decided in Step 3

Creating supportive conditions for the organisational, technical and cultural shifts that may be required for the effective deployment of risk management options

Required actions

• Put in place the internal and external communication capacities required for a common understanding of the objectives and the rationale behind them

• Allocate resources to match operational capabilities with strategic orientations

• Clearly define roles, responsibilities and incentives according to the strategic options adopted

• Support strategy implementation by ensuring adequate authority and leadership in all phases and enabling the creation of appropriate risk cultures

Expected outcomes

• Translation of the strategic objectives into individual and collective objectives at the various levels of the organisation

• Implementation of the decisions made in Step 3

Step 4: Implement the strategy

Key participants & responsibilities

• Strategic decision-makers (e.g. chief risk officer): Endorse the responsibility of implementing the strategy; appoint a dedicated team

• Risk owner (if any): Effectively manages the risk and opportunity for which he/she is responsible, and is rewarded accordingly

• Other relevant stakeholders: Translate the strategic decisions into concrete actions

• Emerging risk conductor: Provides complementary knowledge or expertise regarding the risks and opportunities considered

Key success factors

• Transparency through effective and continuous communication about the strategic objectives and decisions at all levels of the organisation

• Including relevant stakeholders for the evaluation of the strategy relevance and effectiveness, and timely reaction to resolve conflicts and trade-offs

• Continuous monitoring through the early detection of difficulties and conflicts (with bottom-up reporting)

• Continuous interactions with the emerging risk conductor to re-evaluate the relevance of the strategy in light of new signals and knowledge, if necessary

Step 5: Review risk development and decisions

Key objective

• Monitor how emerging risks and opportunities unfold

• Review the relevance and performance of the decisions made and, if needed, update the strategy

Required actions

• Deploy monitoring capabilities for the decision options described in Step 3

• Create the interaction space required for the conductor and other users of the guidelines to exchange and communicate

• Establish bridges with risk management standards or professional organisations, which may help confer legitimacy to the process

Expected outcomes

• Risks and opportunities can be decommissioned, or become accepted or sufficiently well known for familiar risk management measures to be employed

• Risks and opportunities outside of these options must remain the subject of careful and continuous monitoring, analysis and revision

Step 5: Review risk development and decisions

Key participants & responsibilities

• Senior managers: Review decisions about the organisation’s emerging risk management, i.e. the design and implementation of internal structures and processes

• Business managers: Deploy the adopted risk management strategies

• Emerging risk conductor: Creates interaction space for reflection and confidence

Key success factors

• Involvement of all internal stakeholders

• Open and transparent discussions

• Regular updates of strategic decisions based on new information

The emerging risk conductor

• Emerging risk governance requires leadership; it requires a ‘risk conductor’ to ensure the effective implementation of the guidelines

• Specifically, the risk conductor must have the mission and resources to lead the process and to:
  o Facilitate interactions among participants
  o Validate technical frameworks and approaches adopted in the process
  o Monitor performances and, if required, identify and correct weaknesses
  o Promote necessary changes in attitude and behaviour
  o Communicate to increase awareness and explain decisions
  o Report on the potential impact of emerging risks
  o Review

Conditions for success

• Provide a supportive environment

• Tolerance for failure

• Acknowledge cognitive biases

• Dialogue about the challenges of investing in emerging risk governance

• Communicate

• Proactive attitude to change

• Creating meaningful interactions between stakeholders

• Demonstrate that it is effective and worth the investment

• The emerging risk conductor must not be a ‘prophet of doom’

Conclusion

• Frameworks for the governance of familiar risks are often not appropriate for emerging risks: Need for internal processes to anticipate and respond to risk

• Create conditions for opportunity management as well as for risk management

• Innovation management and emerging risk management are interlinked

• At a broad strategic level, implementing these guidelines should result in four distinct key capabilities:
  o Proactive thinking
  o Willingness to bear or to avoid risk
  o Prioritising investments
  o Internal communication

How IRGC developed its guidelines for emerging risk governance

• Look at how practitioners do it: ENISA – EU Agency for Network and Information Security, EFSA – European Food Safety Authority, Swiss Re SONAR, CEN workshop agreement on managing emerging technology-related risks (Din_CWA 16649)

• Look at theoretical foundations in cultural theory of risk, dynamic capabilities in strategic and innovation management, use of signals and early-warnings in technology management, foresight and scenario development, robust decision-making, and strategy implementation

• Previous IRGC work
  o Factors contributing to risk emergence (2010)
  o Improving risk management in industry (2011)
  o Public sector governance of emerging risks (2013)
  o On-going discussions with practitioners and academics at workshops

www.irgc.org
http://irgc.epfl.ch


© EPFL International Risk Governance Center and Foundation, 2015 - 2017