IRGC Guidelines for Emerging Risk Governance
1. EPFL Center + Foundation
GOVERNANCE OF EMERGING RISKS
Guidelines for the governance of unfamiliar risks
March 2017
No part of this document may be quoted or
reproduced without prior written approval from IRGC
This presentation deck accompanies the main IRGC report and an appendix, available online:
https://www.irgc.org/risk-governance/emerging-risk/a-protocol-for-dealing-with-emerging-risks/
2. EPFL Center + Foundation
Introduction
• A risk is an uncertain (mostly negative) consequence of an event or an
activity with regards to something that humans value. Emerging risks are
‘new or familiar risks that become apparent in new or unfamiliar conditions’
• Emerging risks should be distinguished from familiar risks:
o Familiar risks are well understood by risk managers who know how to manage them
o Emerging risks on the other hand are primarily characterised by uncertainty
• Knowledge becomes the key concept for emerging risks
• The concept of emerging risk is relative, not absolute
• In emerging risk management, what matters most to an organisation is its
potential exposure
3. EPFL Center + Foundation
Characteristics of emerging risks
• IRGC suggests three categories of emerging risks:
o Risks with uncertain impacts: High uncertainty and a lack of knowledge about potential impacts and consequences (interactions with risk-absorbing systems), e.g., applications of synthetic biology
o Risks in complex, interconnected systems: Increasing complexity, emerging interactions and systemic dependencies have the potential to lead to non-linear impacts and surprises, e.g., systemic risks in energy or ICT systems
o Risks resulting from changes in context: Changes in context (social, regulatory, natural etc.) may alter the nature, probability and magnitude of expected impacts of previously known risks, e.g., antimicrobial resistance
4. EPFL Center + Foundation
Defining an appropriate process for
emerging risk governance
• The guidelines proposed by IRGC provide an overarching framework to
support senior managers in addressing emerging risks.
• They help to organise how information and evidence are collected,
analysed and combined to design strategies for emerging risk governance.
• In particular, the IRGC guidelines:
o Provide guidance to organisations in anticipating and responding to emerging
risks
o Provide transparent and enforceable criteria for the evaluation of the effectiveness
of the emerging risk governance process
o Embed the emerging risk management process as a routine within the
organisation, drawing from existing processes
5. EPFL Center + Foundation
Emerging Risk Governance Guidelines
6. EPFL Center + Foundation
Step 1: Make sense of the present &
explore the future
Key objective
Provide early warning
Identify:
• Potential threats or opportunities to relevant assets and processes
• Contributing factors that create fertile ground for risks and opportunities to develop (emerge, amplify or attenuate)
Make sense of signals that might shape the future
Required actions
• Detect and explore current and possible future evolutions that may change the organisation’s environment
• Analyse these changes according to their potential to represent a threat and/or an opportunity
• Filter and prioritise the detected threats and opportunities that require further attention in Step 2
• Regularly update the selection of risks and opportunities as new information becomes available
Expected outcomes
• List of threats and opportunities that require further analysis and exploration
• Description of the context in which these develop
• Identification of the necessary or sufficient conditions for the risk or opportunity to materialise
• List of threats and opportunities that are irrelevant to the organisation's objectives given available information
7. EPFL Center + Foundation
Step 1: Make sense of the present &
explore the future
Key participants & responsibilities
• Emerging risk conductor: Defines approaches and facilitates continuous interactions among experts and between experts and decision-makers
• Experts and analysts: Detect signals, perform analyses and suggest necessary characterisation
• Senior decision-makers: Validate Step 1 outputs and decide which issues will be further investigated and what resources will be allocated to the process
Key success factors
• Diversity of information
• Scientific soundness of data collection, analysis and prioritisation
• Data reliability and consistency
• Compatibility with existing and past or familiar threats
8. EPFL Center + Foundation
Contributing factors to risk emergence
[Figure: the twelve contributing factors, arranged around three headings: "The human factor: Behavioural and cultural advancement", "The overall context: System complexity" and "The decision-maker"]
1. Scientific unknowns
2. Loss of safety margins
3. Positive feedback
4. Varying susceptibility to risk
5. Conflicts of interests, values and science
6. Social dynamics
7. Technological advances
8. Temporal complications
9. Communication
10. Information asymmetries
11. Perverse incentives
12. Malicious attacks
Source: IRGC (2010). The Emergence of Risks: Contributing Factors. Geneva: International Risk Governance Council.
Report available online:
https://www.irgc.org/risk-governance/emerging-risk/irgc-concept-of-contributing-factors-to-risk-emergence/
9. EPFL Center + Foundation
Anticipating vs. exploring uncertain
futures
Context:
• Level 1: A clear enough future
• Level 2: Alternate futures (with probabilities)
• Level 3: A multiplicity of plausible futures
• Level 4: Unknown futures
[Figure labels: Deep Uncertainty; Familiar risks; Emerging risks]
Source: Walker, W. E., Marchau, V. A. W. J. & Swanson, D. (2010). Addressing Deep Uncertainty Using
Adaptive Policies: Introduction to Section 2. Technological Forecasting & Social Change, 77(6), 917–923.
10. EPFL Center + Foundation
Framing discussions of risk and innovation
• Innovation creates change
• This always carries risk, with the potential for harm as well as benefit
• It is difficult to ‘predict’ the future
• Complexity, uncertainty and ambiguity (different interpretations, or even
controversy)
• Often technological innovations and related risks develop in complex
systems
Interdependent cascading failures may happen in a network of
interconnected system components, where a small localised initial failure
(which could result from an emerging risk) may trigger large perturbations
elsewhere
11. EPFL Center + Foundation
Step 2: Develop scenarios based on
narratives & models
Key objective
Develop scenarios of how an emerging risk or opportunity could impact an organisation and its objectives. This:
• Offers the possibility for collaborative framing of existing and future threats/opportunities
• Provides evidence and support for future decisions concerning the identified threats/opportunities
• Updates the scenarios as new information and knowledge become available
Required actions
• Develop or use various types of scenarios to explore and evaluate the emerging risk that could affect the organisation in the future
• Begin to identify possible bifurcations and intervention points, to prepare the development of management options
• Update the scenarios as necessary, taking into account the emergence of new signals and the outcome of strategic interactions with stakeholders
Expected outcomes
Set of explorative scenarios. The scenarios describe how the threats and opportunities identified in Step 1 may have an impact on the organisation. Particular attention must be given to:
• The contributing factors (amplifying or attenuating)
• Events or tipping points that may accelerate, reduce or generally affect the factors
• The consequences of each scenario for the organisation
Familiarity with concepts
12. EPFL Center + Foundation
Step 2: Develop scenarios based on
models & narratives
Key participants & responsibilities
• Experts in futures studies scientific & scenario-building techniques: Facilitate interactions between contributors and ensure the validity of the scenario development exercise
• Emerging risk conductor: Ensures the coherence of the exercise with the threats and opportunities defined in Step 1 and the organisation’s expectations
• Decision-makers: Confirm their commitment, in particular by allocating resources, providing reward and assigning responsibilities
Key success factors
• Relevance to concerns and needs of decision-makers
• Credibility, to assess the scientific soundness of the models and data used as well as the transparency of the choices
• Comprehensibility and traceability, to describe the clarity of the sequence of events and the ability of final users to easily understand and follow the underlying rationality
• Legitimacy, through openness of the process to various stakeholders, promoting different values and political orientations
• Creativity, to stimulate new ways of thinking and dealing with the “unusual”
• Distinctness, to assess the ability of the scenarios to jointly convey to decision-makers the diversity of possible futures
13. EPFL Center + Foundation
Step 3: Generate risk management
options & formulate strategy
Key objective
Design strategies for the management of emerging risks that are proactive, effective, cost-efficient and adaptive in order to deal adequately with the risks and opportunities explored in Step 2
Required actions
• Identify and evaluate possible emerging risk management options. No option should be excluded
• Define intervention points and indicators. Consider the organisation’s decision-making style, resources and risk appetite
• Identify thresholds of irreversibility and thresholds of acceptability
• Communicate this process and the decision that has been made in a transparent manner
• Include uncertainty: Being aware of what is unknown
Expected outcomes
• Management strategies for each scenario: Provide a strategy for each of the scenarios developed in Step 2. The description of the strategy, its expected performance and the key trade-offs adopted by decision-makers must be made explicit
• A final decision as to which emerging risk management option(s) will be implemented
14. EPFL Center + Foundation
Step 3: Generate risk management
options & formulate strategy
Key participants & responsibilities
• Decision-makers at the strategic level: Select options and demonstrate leadership, especially when it comes to challenging comfortable or routine practices not suited to changing environments
• Emerging risk conductor: Facilitates the decision-making process and ensures that decisions are made
Key success factors
• Flexibility for adaptation and adjustment to new evidence when it becomes available
• Consistency with organisational values and culture as well as with procedures
• Internal openness and transparency of the process
• Clear prioritisation of actions, taking expected impacts and available resources into account
• Revision of the strategy if context and conditions change
15. EPFL Center + Foundation
Step 3: What to do and how
Generating the strategy options for implementation
• What strategy and options could respond to the emerging risk?
• When could these options be implemented? What would be the
intervention timing?
Evaluating the strategic options
• What criteria will be used to assess and evaluate the options to
provide the best response to the variety of possible futures?
• How will the performance of the management options be
evaluated?
Making robust decisions
• What decision-making approach will be chosen? How?
• What option or combination of options will be decided?
• What is the timing for implementation?
16. EPFL Center + Foundation
Step 3: Generate strategy and options
for implementation
1. Act on contributing factors to risk emergence: Some of the factors that contribute to risk emergence are controllable. In those cases, an organisation can act to prevent a risk from emerging (or amplifying) or can reduce its consequences if it materialises.
2. Develop precautionary approaches: Trying to avoid the risk can represent a valuable management option in cases where the risk evaluation results in reasoned assumptions of unacceptable consequences. Precautionary approaches should be chosen on a case-by-case basis, in relation to a desired level of protection against identified potential risks.
3. Reduce vulnerability: A reduction in exposure or vulnerability can be a strategic option if an intervention is considered too costly, inappropriate, or impossible. For emerging but well identified risks: reduce sensitivity to the risk by developing redundancies, improving personnel training or readjusting protection capabilities. In the case of unexpected events: build resilience.
4. Modify risk appetite in line with risk: Dealing with emerging risks requires that organisations constantly align their risk appetite to changes in their environment, the availability of new knowledge, and their resources and capabilities to tolerate or cope with potential risk losses.
5. Use risk governance instruments for familiar risks
6. Do nothing
17. EPFL Center + Foundation
Step 4: Implement the strategy
Key objective
Implement strategy options decided in Step 3
Creating supportive conditions for the organisational, technical and cultural shifts that may be required for the effective deployment of risk management options
Required actions
• Put in place the internal and external communication capacities required for a common understanding of the objectives and the rationale behind them
• Allocate resources to match operational capabilities with strategic orientations
• Clearly define roles, responsibilities and incentives according to the strategic options adopted
• Support strategy implementation by ensuring adequate authority and leadership in all phases and enabling the creation of appropriate risk cultures
Expected outcomes
• Translation of the strategic objectives into individual and collective objectives at the various levels of the organisation
• Implementation of the decisions made in Step 3
18. EPFL Center + Foundation
Step 4: Implement the strategy
Key participants & responsibilities
• Strategic decision-makers (e.g. chief risk officer): Endorse the responsibility of implementing the strategy; appoint a dedicated team
• Risk owner (if any): Effectively manages the risk and opportunity for which he/she is responsible, and is rewarded accordingly
• Other relevant stakeholders: Translate the strategic decisions into concrete actions
• Emerging risk conductor: Provides complementary knowledge or expertise regarding the risks and opportunities considered
Key success factors
• Transparency through effective and continuous communication about the strategic objectives and decisions at all levels of the organisation
• Including relevant stakeholders for the evaluation of the strategy relevance and effectiveness, and timely reaction to resolve conflicts and trade-offs
• Continuous monitoring through the early detection of difficulties and conflicts (with bottom-up reporting)
• Continuous interactions with the emerging risk conductor to re-evaluate the relevance of the strategy in light of new signals and knowledge, if necessary
19. EPFL Center + Foundation
Step 5: Review risk development and
decisions
Key objective
• Monitor how emerging risks and opportunities unfold
• Review the relevance and performance of the decisions made and, if needed, update the strategy
Required actions
• Deploy monitoring capabilities for the decision options described in Step 3
• Create the interaction space required for the conductor and other users of the guidelines to exchange and communicate
• Establish bridges with risk management standards or professional organisations, which may help confer legitimacy to the process
Expected outcomes
• Risks and opportunities can be decommissioned, or become accepted or sufficiently well known for familiar risk management measures to be employed
• Risks and opportunities outside of these options must remain the subject of careful and continuous monitoring, analysis and revision
20. EPFL Center + Foundation
Step 5: Review risk development and
decisions
Key participants & responsibilities
• Senior managers: Review decisions about the organisation’s emerging risk management, i.e. the design and implementation of internal structures and processes
• Business managers: Deploy the adopted risk management strategies
• Emerging risk conductor: Creates interaction space for reflection and confidence
Key success factors
• Involvement of all internal stakeholders
• Open and transparent discussions
• Regular updates of strategic decisions based on new information
21. EPFL Center + Foundation
The emerging risk conductor
• Emerging risk governance requires leadership: it requires a ‘risk
conductor’ to ensure the effective implementation of the guidelines
• Specifically, the risk conductor must have the mission and resources to
lead the process and to:
o Facilitate interactions among participants
o Validate technical frameworks and approaches adopted in the process
o Monitor performances and, if required, identify and correct weaknesses
o Promote necessary changes in attitude and behaviour
o Communicate to increase awareness and explain decisions
o Report on the potential impact of emerging risks
o Review
22. EPFL Center + Foundation
Conditions for success
• Provide a supportive environment
• Tolerance for failure
• Acknowledge cognitive biases
• Dialogue about the challenges of investing in emerging risk governance
• Communicate
• Proactive attitude to change
• Creating meaningful interactions between stakeholders
• Demonstrate that it is effective and worth the investment
• The emerging risk conductor must not be a ‘prophet of doom’
23. EPFL Center + Foundation
Conclusion
• Frameworks for the governance of familiar risks are often not appropriate for
emerging risks: Need for internal processes to anticipate and respond to risk
• Create conditions for opportunity management as well as for risk management
• Innovation management and emerging risk management are interlinked
• At a broad strategic level, implementing these guidelines should result in four
distinct key capabilities:
o Proactive thinking
o Willingness to bear or to avoid risk
o Prioritising investments
o Internal communication
24. EPFL Center + Foundation
How IRGC developed its guidelines for
emerging risk governance
• Look at how practitioners do it: ENISA – EU Agency for Network and Information
Security, EFSA – European Food Safety Authority, Swiss Re SONAR, CEN workshop
agreement on managing emerging technology-related risks (Din_CWA 16649)
• Look at theoretical foundations in cultural theory of risk, dynamic capabilities in
strategic and innovation management, use of signals and early-warnings in technology
management, foresight and scenario development, robust decision-making, and strategy
implementation
• Previous IRGC work
o Factors contributing to risk emergence (2010)
o Improving risk management in industry (2011)
o Public sector governance of emerging risks (2013)
o On-going discussions with practitioners
and academics at workshops