1 / 32

Risk Governance Deficits

Risk Governance Deficits. A summary of the conclusions of the IRGC report on Risk Governance Deficits. Chemin de Balexert 9, CH – 1219 Châtelaine, Geneva, Switzerland | tel +41 (0)22 795 17 30 fax +41 (0)22 795 17 39 | www.irgc.org. IRGC’S Risk Governance Framework. Deciding.

irisa
Download Presentation

Risk Governance Deficits

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Risk Governance Deficits A summary of the conclusions of the IRGC report on Risk Governance Deficits Chemin de Balexert 9, CH – 1219 Châtelaine, Geneva, Switzerland | tel +41 (0)22 795 17 30 fax +41 (0)22 795 17 39 | www.irgc.org

  2. IRGC’S Risk Governance Framework Deciding Understanding Pre-Assessment Management Communication Appraisal Characterisation and Evaluation Categorising the knowledge about the risk

  3. What are risk governance deficits? • Risk governance deficits are deficiencies (when key elements are absent) or failures (when actions are not taken or prove unsuccessful) in the risk governance process. • They weaken the overall process. They can (and do) recur. • One way for risk practitioners to improve the governance of risks is to identify and remedy deficits in the risk governance processes of which they are a part.

  4. IRGC has identified 23 common risk governance deficits Cluster A: Risk assessment • Detecting early warnings of risk • Factual knowledge about risks • Perceptions of risk, including their determinants and consequences • Stakeholder involvement • Evaluating the acceptability of the risk • Misrepresenting information about risk • Understanding complex systems • Recognising fundamental or rapid changes in systems • The use of mathematical models • Assessing potential surprises Cluster B: Risk management • Responding to early warnings • Designing effective risk management strategies • Considering a reasonable range of risk management options • Designing efficient and equitable risk management policies • Implementing and enforcing risk management policies • Anticipating side-effects of risk management • Reconciling time horizons • Balancing transparency and confidentiality • Organisational capacity • Dealing with dispersed responsibilities • Dealing with commons problems and externalities • Managing conflicts of interests and ideology • Acting in the face of the unexpected

  5. The Risk Governance Deficits in the Risk Governance Framework Primary allocationSecondary allocation

  6. IRGC has focused on causes, risk governance deficits have consequences • Diminution (or even suffocation) of technological innovation and diffusion • Neglect of high-probability, low-impact risks • Missing low-probability, high-impact risks • Secondary impacts due to inadequate consideration of trade-offs • High costs of inefficient regulations • Loss of public trust in public and private institutions as well as NGOs • Unfair or inequitable distribution of risks and / or benefits • A failure to move from business as usual and trigger necessary actions (under-reaction)

  7. Two clusters of risk governance deficits Deciding Understanding CLUSTER A: Assessing and understanding risks Pre-Assessment CLUSTER B: Managing risks Management Communication Appraisal …which may lead to under-reaction or over-reaction in risk management Both under- and over-estimation can be observed in risk assessment… Characterisation and Evaluation Categorising the knowledge about the risk

  8. Risk governance deficits, Cluster A – Assessing risks

  9. A1 Early warning systems • Early warning systems may be formal (as in the use of radar in WW2) or informal (observation of effects of benzene on Turkish shoemakers) • When perfect, they prevent serious harm without causing false alarms • Early warning systems may: • Be too insensitive to detect signs of an emerging risk • Show False Negatives, causing a risk to evolve unnoticed • Indicate False Positives, leading to mistrust and “Crying Wolf” Missing, ignoring or exaggerating early signals of risks The subprime crisis in the United States The risks of home foreclosures were spread to investors throughout the world without transparency about what those risks actually were, while the few experts expressing concern were ignored

  10. A2 Factual knowledge about risks • Scientific data can be absent, of poor quality or incomplete • Factual knowledge is most likely to be lacking when risks are at their emergent stage • Even with adequate data, deficits can occur in the processes of analysis and interpretation • Further difficulties arise from: • Whether or not data has been subject to peer review • How best to treat uncertainty? (Evidence of absence of risk or absence of evidence of risk?) The lack of adequate knowledge about a hazard, including the probabilities of various events and the associated economic, human health, environmental and societal consequences Radio-frequency electro-magnetic fields Despite numerous scientific studies, questions remain as to the health hazards of possible non-thermal effects of radio-frequency EMFs. Results between studies are often inconsistent and cannot be replicated.

  11. A3 Perception of risk, including their determinants and consequences • Risk perceptions vary between people and societal groups, and can change • Perceived risks can be very different from estimates derived from assessments based on scientific evidence • Erroneous information about risk perceptions can mislead decision-makers as much as erroneous factual information • Factors influencing risk perception include: • Personal experience / familiarity with the risk source • Distribution and amount of perceived benefits • Whether or not the risk affects identifiable people The lack of adequate knowledge about values, beliefs and interests, and therefore about how risks are perceived by stakeholders Risk perceptions of nuclear power Public perceptions of risk are central to policies regarding nuclear power. Experts judge risk on the basis of probability and consequences; most people base their judgement on criteria that include “catastrophic potential”.

  12. A4 Stakeholder involvement • Stakeholders can contribute valuable knowledge to risk assessments • Excluding relevant stakeholders can undermine trust in the entire governance process • Excessive inclusiveness can, however, slow down the process or obscure the responsibility of legitimate decision-makers • Stakeholders should be able to: • Contribute useful knowledge or experience • Add legitimacy to the risk assessment process Failure to adequately identify and involve relevant stakeholders in risk assessment in order to improve information input and confer legitimacy on the process Large infrastructure projects (dams) The Nagara River Estuary Barrage (Japan) was delayed for years by legal cases brought by local stakeholders who were excluded from a top-down planning process. Planning proceeded only after authorities began a constructive dialogue with stakeholders.

  13. A5 Evaluating the acceptability of risk • A risk’s acceptability is a judgement based on values and how people balance anticipated risks and benefits • People and organisations need to define, inter alia, their risk appetite and level of tolerance for each risk • Many factors influence the acceptability of risk, such as: • Is it incurred voluntarily, or is it imposed? • Is the risk familiar or unfamiliar? • Is it controllable by personal action or only through collective action? • Does it disproportionately impact on the poor, or on children? Failure to consider variables that influence risk acceptance and risk appetite Radioactive waste disposal Equity considerations (both intra- and inter-generational) are important when assessing risks relating to the siting of hazardous facilities. Objections by 3 US states to storing all US LLRW led to the Federal Low-Level Radioactive Waste Policy Act (1980) which had the effect of increasing the number of people at risk from LLRW disposal facilities.

  14. A6 Misrepresenting information about risk • Many risk management decisions are made under time and other pressures, and with constrained resources. Perfect knowledge is rarely available or possible to communicate • Each attribute of the risk science – complexity, uncertainty and ambiguity – can be either over- or under-stated • Risk governance can be manipulated by providing biased, selective or incomplete knowledge, or when no effort is made to establish its quality and objectivity • People tend to over-estimate the validity of evidence that conforms to their prior beliefs and values The provision of biased, selective or incomplete information Disposal of the Brent Spar Greenpeace made an erroneous public claim that the Brent Spar oil storage buoy contained some 5000 tonnes of oil and toxic chemicals. This contributed to consumer boycotts costing Shell an estimated £60-100 million

  15. A7 Understanding complex systems • Interactions between components of complex systems raise numerous difficulties for risk assessment • Typically, risk assessments address single issues; without acknowledging systemic interactions, they will not be fully informative • Efforts to reduce risk may lead to unexpected secondary consequences, in sectors or areas other than those targeted • System complexity can both attenuate and amplify a risk and its consequences A lack of appreciation or understanding of the potentially multiple dimensions of a risk and of how interconnected risk systems can entail complex and sometimes unforeseeable interactions SARS – from civet cats in China, to Toronto First reported in China in early 2003, SARS infected 8096 people in 27 countries; 774 died. Apart from grave harm to health, SARS led to severe economic impacts in Toronto (Canada), on airlines with routes in the Pacific region (eg Qantas), and up to 90% reductions in Chinatown restaurant business (in the US).

  16. A8 Recognising fundamental or rapid changes in systems • Risk assessment is most straightforward in a relatively stable environment • Fundamental changes to political, technological, environmental or social systems can make obsolete the assumptions of risk assessments • These changes may be extremely rapid (e.g. AIDS) or evolve very slowly and not become apparent until a “tipping point” is reached (e.g. effects of climate change) • These changes are rarely expected Failure to re-assess in a timely manner fast and/or fundamental changes occurring in risk systems Potato blight and the Irish Famine The introduction of the “clipper” reduced journey times from America to Europe, allowing potatoes carrying blight to survive the voyage. Between 1845-49 Ireland suffered a famine which killed over one million people; of the additional 1 million who emigrated, 20% died on the ships

  17. A9 The use of formal models • Deficits can occur from both under-reliance (on useful models) and over-reliance (on imperfect models) • Too little may be known about a system to permit useful modelling • Models may be based on incorrect data or assumptions • The model itself may behave unpredictably • Models and their results can be manipulated or used selectively to support strategic or ideological positions An over- or under-reliance on models and/or a failure to recognise that models are simplified approximations of reality and thus can be fallible The subprime crisis in the US “The essential problem is that our models – both risk models and econometric models – as complex as they have become, are still too simple to capture the full array of governing variables that drive global economic reality. A model, of necessity, is an abstraction from the full detail of the real world”. Alan Greenspan, Financial Times, 16 March 2008

  18. A10 Assessing potential surprises • No-one can reliably anticipate the future; there will always be surprises and unexpected events • Unknowable risks will be subject to deficits in their assessment until it is understood that their existence is NOT predictable, that they cannot be characterised, measured, prevented or transferred • This situation will not be resolved by more sophisticated tools to model risk • Instead, what is needed is lateral thinking, creativity and the capacity to deal with surprises when they occur Failure to overcome cognitive barriers to imagining events outside of accepted paradigms (“black swans”) 9/11 “We were trapped by our own paradigm… programs to handle the endless sequence of hijackings and hostage takings…a “book” was devised and experts trained…the premise was that the hostage takers wanted something negotiable; this time, all they wanted was our lives.” David T. Jones

  19. Risk governance deficits, Cluster B – Managing risks

  20. B1 Responding to early warnings • Signals of a risk may exist, but no action is taken to prevent or mitigate the risk. This may be due to: • Poor communication • Poor prioritisation • An “unwillingness to know” • Conversely, there may be over-reaction to a warning signal: • Unnecessary regulation (e.g. US and Canadian ban on saccharin) • Apprehension / counterproductive behaviours (e.g. MMR in the UK) Failure of managers to respond and take action when risk assessors have determined from early signals that a risk is emerging Hurricane Katrina Despite being known as “the New Orleans scenario” it took FEMA five years to model the effect of a hurricane hitting New Orleans. Funds were insufficient to include an evacuation in the simulation. In August 2005 weather warnings persuaded the Governors of Mississippi and Louisiana to declare states of emergency on Friday 26th, but the mayor of New Orleans did not order evacuation until Sunday 28th. Katrina hit the following day.

  21. B2 Designing effective risk management strategies • Effective risk management requires: • A clear objective • An appropriate risk strategy • A suitable risk policy, regulation and implementation plan • When there are two or more objectives, deficits arise from a preoccupation with one at the expense of the other(s) • Effectiveness includes measuring progress towards the predetermined objective and revising policies and regulation to account for new knowledge Failure to design risk management strategies that adequately balance alternatives The US biofuels policy Biofuels are part of government strategies to increase energy security, reduce GHG emissions and boost agricultural development. US policies emphasise energy security and boosting farm incomes, but take no account of scientific evidence that producing corn-based ethanol may generate more CO2 emissions than come from the petroleum-based products it replaces.

  22. B3 Considering a reasonable range of risk management options • Risk managers can select favoured or familiar risk management options for the wrong reasons: • Not considering trade-offs • Prior use • Time constraints • Resource (including financial) constraints • Highly uncertain risks pose additional challenges: • Excessively precautionary approaches can stifle innovation • Least-cost options can prevent building redundancy and resilience into vulnerable systems Failure to consider a reasonable range of risk management options (and their negative or positive consequences) in order to meet set objectives Fisheries management Measures to reduce the impact of fishing include quotas, closed seasons and areas, and restrictions on fishing gear, but the competitive “race to fish” can still lead to excessive harvests. Rights-based management (e.g. individual transferable quotas) can protect fishing communities and fishery stocks, particularly if closely monitored.

  23. B4 Designing efficientand equitable risk management policies • Assessing the efficiency of risk management options involves tools such as benefit-cost analysis (when consequences can be quantified), “soft” benefit-cost analysis (including the use of judgement to weigh unquantifiable or intangible benefits and costs), and cost-effectiveness. • Achieving society-wide efficiency may not result in an equitable sharing of costs and benefits. Inequitable decisions can: • Impose more burdens than benefits on the most vulnerable or least advantaged members of society • Assign costs or restrictions on people or nations that did not create a risk and do not deserve to be burdened Inappropriate risk management occurs when benefits and costs are not balanced in an efficient and equitable manner The Kyoto Protocol The Kyoto Protocol takes equity as one of its guiding principles (e.g. it is industrialised Annex 1 countries that are subject to emission reduction commitments). It addresses efficiency through the Joint Implementation and Clean Development Mechanisms, allowing reductions to be made where they can be most efficiently achieved.

  24. B5 implementing and enforcing risk management decisions • Having devised efficient and equitable risk management policies to meet the assessed level of risk, the challenge becomes that of implementing and enforcing them • Even perfectly conceived policies can achieve little if they are not implemented and enforced • Voluntary policies (as in codes of conduct) can be undermined by free-riders and a lack of punitive sanctions for non-compliance • Legally-binding policies can be weakened by a lack of willingness or capacity to monitor behaviours and punish transgression Failure to muster the necessary will and resources to implement risk management policies and decisions BSE in the UK The British government used regulations (including the ruminant feed ban and Specified Bovine Offal Ban) as part of its management of the BSE crisis. A “failure to give proper thought to” the SBO ban was one reason for 48% of abbatoirs not complying with it 6 years after it came into force.

  25. B6 Anticipating side effects of risk management • Changes in one part of a system can impact on and beyond other components of the system • Risks managers need to consider both the intended and unintended consequences of decisions • The effects of decisions therefore need to be monitored for both their direct and indirect benefits and adverse impacts • Decisions should also be accompanied by contingency plans for dealing with unintended side effects Failure to anticipate, monitor and react to the outcomes of a risk management decision in the case of negative side effects Monitoring the use of clozapine The anti-psychotic drug clozapine was introduced in Europe in 1973 but reports in Finland in 1975 of patients developing agranulocytosis (8 died) led to the product’s withdrawal. Later studies indicated these adverse side effects could be anticipated by monitoring each patient’s white blood cell count. With strict requirements for blood monitoring, clozapine was reintroduced in Europe and approved for use in the US in 1990.

  26. B7 Reconciling time horizons • Business and politics are often dominated by short-term considerations • Risks have a variety of timeframes: • Some emerge only a long period of time (many chronic diseases) • Some strike suddenly, often with limited warning (natural disasters) • Some start slowly, then escalate rapidly (e.g. AIDS) • Some are so persistent they breed familiarity (e.g. alcohol abuse) • Long-term risks are even ignored in favour of “urgent” day-to-day needs, or subject to “simple” quick fixes An inability to reconcile the time frame of the risk with the time frames of decision-making and incentive schemes Asbestos Asbestos-related health hazards were first reported in 1898. Partially-enforced regulations were first introduced in Britain in 1931. Licensing regulations and exposure limits were introduced in 1984 and a full ban on asbestos was implemented in 1999. It is estimated that asbestos-related claims will cost British employers and insurers up to £20 billion in the coming decades.

  27. B8 Balancing transparency and confidentiality • Excessive confidentiality can: • Reduce trust in risk decisions and decision-makers • Raise suspicion of the protection of vested interests • Excessive transparency can: • Undermine national security • Reveal information essential to a business’s competiveness • Invade an individual’s rights to privacy • The modern trend towards greater transparency and openness makes a decision to invoke confidentiality more difficult Failure to balance two of the necessary requirements of decision-making: transparency, which can foster stakeholder trust, and confidentiality, which can protect security and maintain incentives for innovation Enron Despite increasing emphasis on “corporate governance” in the US, UK and elsewhere, Enron was able to hide massive amounts of debt in off-balance sheet overseas entities. This, combined with mark-to-market accounting, greatly inflated its reported earnings and share price. Fortune magazine named Enron as America’s most innovative company for six successive years, including 2001 – the year Enron collapsed.

  28. B9 Organisational capacity • IRGC has summarised organisational risk management capacity as having three dimensions: • Assets – knowledge, resources, structures and processes • Skills – to adapt assets to deal with changing and dynamic situations • Capabilities – the overall framework in which the assets and skills are best exploited, including external networks • At the most intangible level, organisations need a risk culture that recognises the value of risk management and shows awareness of risk, its consequences, and the benefits of sound risk management Failure to build or maintain an adequate organisational capacity to manage risk Hurricane Katrina After 9/11 the US Federal Emergency Management Agency (FEMA) became a part of the new Department of Homeland Security (DHS). FEMA’s powers and resources were downgraded and the agency began to suffer budget shortages. This led to personnel shortages and, prior to Katrina, FEMA had a 15-20% vacancy rate. It did not have sufficient organisational capacity to respond effectively.

  29. B10 Dealing with dispersed responsibilities • Many risks require a coordinated response from multiple actors including companies, national and local governments, and others • Even within a company or between government departments, responsibilities are fragmented and can overlap or be unclear • International organisations created to handle trans-boundary issues have the additional problem of needing to coordinate sovereign nation states • Things can, and do, fall between the cracks Failure of the multiple departments or organisations responsible for a risk’s management to act cohesively Swiss-Italian blackout On 28 September 2003 a tree flashover in Switzerland caused a trip of the highly-loaded 380kV Mettlen-Lavorgo line in Switzerland. A second line then overloaded and tripped. Rapidly, all of the Italian mainland lost electricity. Costs of the blackout are estimated at US$139 million. The underlying problems that led to the incident were largely the result of how responsibilities for cross-border power transmission were shared between separate transmission service operators.

  30. B11 Dealing with commons problems and externalities • Multiple individuals acting in their own self-interest can ultimately destroy a shared resource even though each has a long-term interest in preserving it • Such resources often fall outside systems of property rights • Protecting these resources often requires individuals to relinquish economic or other benefits • When these resources extend globally (e.g. international fisheries; the atmosphere) their management requires global action, including international agreement among governments A lack of understanding of the complex nature of commons problems and consequently also of the specific risk management tools required to address them Fisheries depletion The collapse of stocks of cod in the Canadian Grand Banks, blue-fin tuna in the Mediterranean and herring in the North Sea all illustrate the multiple challenges of dealing with the “Tragedy of the Commons”. Management of the Alaskan pollock fishery suggests a solution can be found.

  31. B12 Managing conflicts of interest, beliefs,values and ideologies • A conflict may be negotiable or irreconcilable • Conflict may derive from different: • Interests (which are typically tangible or economic) • Beliefs regarding the nature and consequences of an issue or risk • Basic values, such as social justice and ecological sustainability • Ideologies (often grounded in religion, ethics, culture, tradition or politics) • Risk managers need to understand the different motivations for conflict in order to distinguish those conflicts that may be resolvable from those that are irreconcilable A conflict may be negotiable or irreconcilable, and risk managers must have the capacity to distinguish between the two The Canadian asbestos industry Quebec’s asbestos industry employs under 1,000 workers yet has “an almost sacred status in the province” which has “made it politically untouchable”. Canada is the world’s 4th largest producer and 2nd largest exporter of asbestos, and has consistently opposed global efforts to regulate international trade in asbestos.

  32. B13 Acting in the face of the unexpected • For many reasons, risk managers may be unable to act in the face of the unexpected • Skills and resources suited to prior emergencies or well-known risks may be insufficient for dealing with new threats • Managers may delay or fail to change from routine to crisis management • There may be an absence of authority to reallocate resources • An emphasis on efficiency makes it difficult to retain slack resources or build redundancies and resilience into systems Insufficient flexibility in the face of unexpected risk situations The Millennium Bug Dire consequences were predicted from the possible failure of computers to deal with date-related data between 31 December 1999 and 1 January 2000. Millions were spent checking and upgrading computer systems, but no problems were reported. However, work done to prepare for “Y2K” may have added resilience to systems so as to allow the New York infrastructure to function after 9/11.

More Related