international risk governance council Risk Governance Deficits January 2010

Risk Governance Deficits

A summary of the conclusions of the IRGC report on Risk Governance Deficits

Chemin de Balexert 9, CH – 1219 Châtelaine, Geneva, Switzerland | tel +41 (0)22 795 17 30 fax +41 (0)22 795 17 39 | www.irgc.org

IRGC’S Risk Governance Framework

[Figure: IRGC risk governance framework. Labels: Pre-Assessment; Appraisal; Characterisation and Evaluation; Management; Communication; Categorising the knowledge about the risk; Understanding; Deciding]

What are risk governance deficits?

Risk governance deficits are deficiencies (when key elements are absent) or failures (when actions are not taken or prove unsuccessful) in the risk governance process.

They weaken the overall process. They can (and do) recur.

One way for risk practitioners to improve the governance of risks is to identify and remedy deficits in the risk governance processes of which they are a part.

IRGC has identified 23 common risk governance deficits

Cluster A: Risk assessment

– Detecting early warnings of risk

– Factual knowledge about risks

– Perceptions of risk, including their determinants and consequences

– Stakeholder involvement

– Evaluating the acceptability of the risk

– Misrepresenting information about risk

– Understanding complex systems

– Recognising fundamental or rapid changes in systems

– The use of mathematical models

– Assessing potential surprises

Cluster B: Risk management

– Responding to early warnings

– Designing effective risk management strategies

– Considering a reasonable range of risk management options

– Designing efficient and equitable risk management policies

– Implementing and enforcing risk management policies

– Anticipating side-effects of risk management

– Reconciling time horizons

– Balancing transparency and confidentiality

– Organisational capacity

– Dealing with dispersed responsibilities

– Dealing with commons problems and externalities

– Managing conflicts of interests and ideology

– Acting in the face of the unexpected

The Risk Governance Deficits in the Risk Governance Framework

[Figure: the risk governance deficits A1 to A10 and B1 to B13 placed on the risk governance framework; each placement is marked as a primary allocation or a secondary allocation]

IRGC has focused on causes; risk governance deficits have consequences

► Diminution (or even suffocation) of technological innovation and diffusion

► Neglect of high-probability, low-impact risks

► Missing low-probability, high-impact risks

► Secondary impacts due to inadequate consideration of trade-offs

► High costs of inefficient regulations

► Loss of public trust in public and private institutions as well as NGOs

► Unfair or inequitable distribution of risks and / or benefits

► A failure to move from business as usual and trigger necessary actions (under-reaction)

Two clusters of risk governance deficits

[Figure: the risk governance framework divided into two clusters]

CLUSTER A: Assessing and understanding risks

CLUSTER B: Managing risks

Both under- and over-estimation can be observed in risk assessment… which may lead to under-reaction or over-reaction in risk management

Risk governance deficits, Cluster A – Assessing risks

A1 Early warning systems

► Early warning systems may be formal (as in the use of radar in WW2) or informal (observation of effects of benzene on Turkish shoemakers)

► When perfect, they prevent serious harm without causing false alarms

► Early warning systems may:

– Be too insensitive to detect signs of an emerging risk

– Show False Negatives, causing a risk to evolve unnoticed

– Indicate False Positives, leading to mistrust and “Crying Wolf”

The subprime crisis in the United States: The risks of home foreclosures were spread to investors throughout the world without transparency about what those risks actually were, while the few experts expressing concern were ignored

Missing, ignoring or exaggerating early signals of risks

A2 Factual knowledge about risks

► Scientific data can be absent, of poor quality or incomplete

► Factual knowledge is most likely to be lacking when risks are at their emergent stage

► Even with adequate data, deficits can occur in the processes of analysis and interpretation

► Further difficulties arise from:

– Whether or not data has been subject to peer review

– How best to treat uncertainty? (Evidence of absence of risk or absence of evidence of risk?)

Radio-frequency electro-magnetic fields: Despite numerous scientific studies, questions remain as to the health hazards of possible non-thermal effects of radio-frequency EMFs. Results between studies are often inconsistent and cannot be replicated.

The lack of adequate knowledge about a hazard, including the probabilities of various events and the associated economic, human health, environmental and societal consequences

A3 Perceptions of risk, including their determinants and consequences

► Risk perceptions vary between people and societal groups, and can change

► Perceived risks can be very different from estimates derived from assessments based on scientific evidence

► Erroneous information about risk perceptions can mislead decision-makers as much as erroneous factual information

► Factors influencing risk perception include:

– Personal experience / familiarity with the risk source

– Distribution and amount of perceived benefits

– Whether or not the risk affects identifiable people

Risk perceptions of nuclear power: Public perceptions of risk are central to policies regarding nuclear power. Experts judge risk on the basis of probability and consequences; most people base their judgement on criteria that include “catastrophic potential”.

The lack of adequate knowledge about values, beliefs and interests, and therefore about how risks are perceived by stakeholders

A4 Stakeholder involvement

► Stakeholders can contribute valuable knowledge to risk assessments

► Excluding relevant stakeholders can undermine trust in the entire governance process

► Excessive inclusiveness can, however, slow down the process or obscure the responsibility of legitimate decision-makers

► Stakeholders should be able to:

– Contribute useful knowledge or experience

– Add legitimacy to the risk assessment process

Large infrastructure projects (dams): The Nagara River Estuary Barrage (Japan) was delayed for years by legal cases brought by local stakeholders who were excluded from a top-down planning process. Planning proceeded only after authorities began a constructive dialogue with stakeholders.

Failure to adequately identify and involve relevant stakeholders in risk assessment in order to improve information input and confer legitimacy on the process

A5 Evaluating the acceptability of risk

► A risk’s acceptability is a judgement based on values and how people balance anticipated risks and benefits

► People and organisations need to define, inter alia, their risk appetite and level of tolerance for each risk

► Many factors influence the acceptability of risk, such as:

– Is it incurred voluntarily, or is it imposed?

– Is the risk familiar or unfamiliar?

– Is it controllable by personal action or only through collective action?

– Does it disproportionately impact on the poor, or on children?

Radioactive waste disposal: Equity considerations (both intra- and inter-generational) are important when assessing risks relating to the siting of hazardous facilities. Objections by 3 US states to storing all US LLRW led to the Federal Low-Level Radioactive Waste Policy Act (1980) which had the effect of increasing the number of people at risk from LLRW disposal facilities.

Failure to consider variables that influence risk acceptance and risk appetite

A6 Misrepresenting information about risk

► Many risk management decisions are made under time and other pressures, and with constrained resources. Perfect knowledge is rarely available or possible to communicate

► Each attribute of the risk science – complexity, uncertainty and ambiguity – can be either over- or under-stated

► Risk governance can be manipulated by providing biased, selective or incomplete knowledge, or when no effort is made to establish its quality and objectivity

► People tend to over-estimate the validity of evidence that conforms to their prior beliefs and values

Disposal of the Brent Spar: Greenpeace made an erroneous public claim that the Brent Spar oil storage buoy contained some 5000 tonnes of oil and toxic chemicals. This contributed to consumer boycotts costing Shell an estimated £60-100 million

The provision of biased, selective or incomplete information

A7 Understanding complex systems

► Interactions between components of complex systems raise numerous difficulties for risk assessment

► Typically, risk assessments address single issues; without acknowledging systemic interactions, they will not be fully informative

► Efforts to reduce risk may lead to unexpected secondary consequences, in sectors or areas other than those targeted

► System complexity can both attenuate and amplify a risk and its consequences

SARS – from civet cats in China, to Toronto: First reported in China in early 2003, SARS infected 8096 people in 27 countries; 774 died. Apart from grave harm to health, SARS led to severe economic impacts in Toronto (Canada), on airlines with routes in the Pacific region (e.g. Qantas), and up to 90% reductions in Chinatown restaurant business (in the US).

A lack of appreciation or understanding of the potentially multiple dimensions of a risk and of how interconnected risk systems can entail complex and sometimes unforeseeable interactions

A8 Recognising fundamental or rapid changes in systems

Potato blight and the Irish Famine: The introduction of the “clipper” reduced journey times from America to Europe, allowing potatoes carrying blight to survive the voyage. Between 1845-49 Ireland suffered a famine which killed over one million people; of the additional 1 million who emigrated, 20% died on the ships

► Risk assessment is most straightforward in a relatively stable environment

► Fundamental changes to political, technological, environmental or social systems can make obsolete the assumptions of risk assessments

► These changes may be extremely rapid (e.g. AIDS) or evolve very slowly and not become apparent until a “tipping point” is reached (e.g. effects of climate change)

► These changes are rarely expected

Failure to re-assess in a timely manner fast and/or fundamental changes occurring in risk systems

A9 The use of formal models

► Deficits can occur from both under-reliance (on useful models) and over-reliance (on imperfect models)

► Too little may be known about a system to permit useful modelling

► Models may be based on incorrect data or assumptions

► The model itself may behave unpredictably

► Models and their results can be manipulated or used selectively to support strategic or ideological positions

The subprime crisis in the US: “The essential problem is that our models – both risk models and econometric models – as complex as they have become, are still too simple to capture the full array of governing variables that drive global economic reality. A model, of necessity, is an abstraction from the full detail of the real world”. Alan Greenspan, Financial Times, 16 March 2008

An over- or under-reliance on models and/or a failure to recognise that models are simplified approximations of reality and thus can be fallible

A10 Assessing potential surprises

► No-one can reliably anticipate the future; there will always be surprises and unexpected events

► Unknowable risks will be subject to deficits in their assessment until it is understood that their existence is NOT predictable, that they cannot be characterised, measured, prevented or transferred

► This situation will not be resolved by more sophisticated tools to model risk

► Instead, what is needed is lateral thinking, creativity and the capacity to deal with surprises when they occur

9/11: “We were trapped by our own paradigm… programs to handle the endless sequence of hijackings and hostage takings…a “book” was devised and experts trained…the premise was that the hostage takers wanted something negotiable; this time, all they wanted was our lives.” David T. Jones

Failure to overcome cognitive barriers to imagining events outside of accepted paradigms (“black swans”)

Risk governance deficits, Cluster B – Managing risks

B1 Responding to early warnings

► Signals of a risk may exist, but no action is taken to prevent or mitigate the risk. This may be due to:

– Poor communication

– Poor prioritisation

– An “unwillingness to know”

► Conversely, there may be over-reaction to a warning signal:

– Unnecessary regulation (e.g. US and Canadian ban on saccharin)

– Apprehension / counterproductive behaviours (e.g. MMR in the UK)

Hurricane Katrina: Despite being known as “the New Orleans scenario” it took FEMA five years to model the effect of a hurricane hitting New Orleans. Funds were insufficient to include an evacuation in the simulation. In August 2005 weather warnings persuaded the Governors of Mississippi and Louisiana to declare states of emergency on Friday 26th, but the mayor of New Orleans did not order evacuation until Sunday 28th. Katrina hit the following day.

Failure of managers to respond and take action when risk assessors have determined from early signals that a risk is emerging

B2 Designing effective risk management strategies

► Effective risk management requires:

– A clear objective

– An appropriate risk strategy

– A suitable risk policy, regulation and implementation plan

► When there are two or more objectives, deficits arise from a preoccupation with one at the expense of the other(s)

► Effectiveness includes measuring progress towards the predetermined objective and revising policies and regulation to account for new knowledge

The US biofuels policy: Biofuels are part of government strategies to increase energy security, reduce GHG emissions and boost agricultural development. US policies emphasise energy security and boosting farm incomes, but take no account of scientific evidence that producing corn-based ethanol may generate more CO2 emissions than come from the petroleum-based products it replaces.

Failure to design risk management strategies that adequately balance alternatives

B3 Considering a reasonable range of risk management options

► Risk managers can select favoured or familiar risk management options for the wrong reasons:

– Not considering trade-offs

– Prior use

– Time constraints

– Resource (including financial) constraints

► Highly uncertain risks pose additional challenges:

– Excessively precautionary approaches can stifle innovation

– Least-cost options can prevent building redundancy and resilience into vulnerable systems

Fisheries management: Measures to reduce the impact of fishing include quotas, closed seasons and areas, and restrictions on fishing gear, but the competitive “race to fish” can still lead to excessive harvests. Rights-based management (e.g. individual transferable quotas) can protect fishing communities and fishery stocks, particularly if closely monitored.

Failure to consider a reasonable range of risk management options (and their negative or positive consequences) in order to meet set objectives

B4 Designing efficient and equitable risk management policies

► Assessing the efficiency of risk management options involves tools such as benefit-cost analysis (when consequences can be quantified), “soft” benefit-cost analysis (including the use of judgement to weigh unquantifiable or intangible benefits and costs), and cost-effectiveness.

► Achieving society-wide efficiency may not result in an equitable sharing of costs and benefits. Inequitable decisions can:

– Impose more burdens than benefits on the most vulnerable or least advantaged members of society

– Assign costs or restrictions on people or nations that did not create a risk and do not deserve to be burdened

The Kyoto Protocol: The Kyoto Protocol takes equity as one of its guiding principles (e.g. it is industrialised Annex 1 countries that are subject to emission reduction commitments). It addresses efficiency through the Joint Implementation and Clean Development Mechanisms, allowing reductions to be made where they can be most efficiently achieved.

Inappropriate risk management occurs when benefits and costs are not balanced in an efficient and equitable manner

B5 Implementing and enforcing risk management decisions

► Having devised efficient and equitable risk management policies to meet the assessed level of risk, the challenge becomes that of implementing and enforcing them

► Even perfectly conceived policies can achieve little if they are not implemented and enforced

► Voluntary policies (as in codes of conduct) can be undermined by free-riders and a lack of punitive sanctions for non-compliance

► Legally-binding policies can be weakened by a lack of willingness or capacity to monitor behaviours and punish transgression

BSE in the UK: The British government used regulations (including the ruminant feed ban and Specified Bovine Offal Ban) as part of its management of the BSE crisis. A “failure to give proper thought to” the SBO ban was one reason for 48% of abattoirs not complying with it 6 years after it came into force.

Failure to muster the necessary will and resources to implement risk management policies and decisions

B6 Anticipating side effects of risk management

► Changes in one part of a system can impact on and beyond other components of the system

► Risk managers need to consider both the intended and unintended consequences of decisions

► The effects of decisions therefore need to be monitored for both their direct and indirect benefits and adverse impacts

► Decisions should also be accompanied by contingency plans for dealing with unintended side effects

Monitoring the use of clozapine: The anti-psychotic drug clozapine was introduced in Europe in 1973 but reports in Finland in 1975 of patients developing agranulocytosis (8 died) led to the product’s withdrawal. Later studies indicated these adverse side effects could be anticipated by monitoring each patient’s white blood cell count. With strict requirements for blood monitoring, clozapine was reintroduced in Europe and approved for use in the US in 1990.

Failure to anticipate, monitor and react to the outcomes of a risk management decision in the case of negative side effects

B7 Reconciling time horizons

► Business and politics are often dominated by short-term considerations

► Risks have a variety of timeframes:

– Some emerge only after a long period of time (many chronic diseases)

– Some strike suddenly, often with limited warning (natural disasters)

– Some start slowly, then escalate rapidly (e.g. AIDS)

– Some are so persistent they breed familiarity (e.g. alcohol abuse)

► Long-term risks are even ignored in favour of “urgent” day-to-day needs, or subject to “simple” quick fixes

Asbestos: Asbestos-related health hazards were first reported in 1898. Partially-enforced regulations were first introduced in Britain in 1931. Licensing regulations and exposure limits were introduced in 1984 and a full ban on asbestos was implemented in 1999. It is estimated that asbestos-related claims will cost British employers and insurers up to £20 billion in the coming decades.

An inability to reconcile the time frame of the risk with the time frames of decision-making and incentive schemes

B8 Balancing transparency and confidentiality

► Excessive confidentiality can:

– Reduce trust in risk decisions and decision-makers

– Raise suspicion of the protection of vested interests

► Excessive transparency can:

– Undermine national security

– Reveal information essential to a business’s competitiveness

– Invade an individual’s rights to privacy

► The modern trend towards greater transparency and openness makes a decision to invoke confidentiality more difficult

Enron: Despite increasing emphasis on “corporate governance” in the US, UK and elsewhere, Enron was able to hide massive amounts of debt in off-balance sheet overseas entities. This, combined with mark-to-market accounting, greatly inflated its reported earnings and share price. Fortune magazine named Enron as America’s most innovative company for six successive years, including 2001 – the year Enron collapsed.

Failure to balance two of the necessary requirements of decision-making: transparency, which can foster stakeholder trust, and confidentiality, which can protect security and maintain incentives for innovation

B9 Organisational capacity

► IRGC has summarised organisational risk management capacity as having three dimensions:

– Assets – knowledge, resources, structures and processes

– Skills – to adapt assets to deal with changing and dynamic situations

– Capabilities – the overall framework in which the assets and skills are best exploited, including external networks

► At the most intangible level, organisations need a risk culture that recognises the value of risk management and shows awareness of risk, its consequences, and the benefits of sound risk management

Hurricane Katrina: After 9/11 the US Federal Emergency Management Agency (FEMA) became a part of the new Department of Homeland Security (DHS). FEMA’s powers and resources were downgraded and the agency began to suffer budget shortages. This led to personnel shortages and, prior to Katrina, FEMA had a 15-20% vacancy rate. It did not have sufficient organisational capacity to respond effectively.

Failure to build or maintain an adequate organisational capacity to manage risk

B10 Dealing with dispersed responsibilities

► Many risks require a coordinated response from multiple actors including companies, national and local governments, and others

► Even within a company or between government departments, responsibilities are fragmented and can overlap or be unclear

► International organisations created to handle trans-boundary issues have the additional problem of needing to coordinate sovereign nation states

► Things can, and do, fall between the cracks

Swiss-Italian blackout: On 28 September 2003 a tree flashover in Switzerland caused a trip of the highly-loaded 380kV Mettlen-Lavorgo line in Switzerland. A second line then overloaded and tripped. Rapidly, all of the Italian mainland lost electricity. Costs of the blackout are estimated at US$139 million. The underlying problems that led to the incident were largely the result of how responsibilities for cross-border power transmission were shared between separate transmission service operators.

Failure of the multiple departments or organisations responsible for a risk’s management to act cohesively

B11 Dealing with commons problems and externalities

Fisheries depletion: The collapse of stocks of cod in the Canadian Grand Banks, blue-fin tuna in the Mediterranean and herring in the North Sea all illustrate the multiple challenges of dealing with the “Tragedy of the Commons”. Management of the Alaskan pollock fishery suggests a solution can be found.

► Multiple individuals acting in their own self-interest can ultimately destroy a shared resource even though each has a long-term interest in preserving it

► Such resources often fall outside systems of property rights

► Protecting these resources often requires individuals to relinquish economic or other benefits

► When these resources extend globally (e.g. international fisheries; the atmosphere) their management requires global action, including international agreement among governments

A lack of understanding of the complex nature of commons problems and consequently also of the specific risk management tools required to address them

B12 Managing conflicts of interest, beliefs, values and ideologies

► A conflict may be negotiable or irreconcilable

► Conflict may derive from different:

– Interests (which are typically tangible or economic)

– Beliefs regarding the nature and consequences of an issue or risk

– Basic values, such as social justice and ecological sustainability

– Ideologies (often grounded in religion, ethics, culture, tradition or politics)

► Risk managers need to understand the different motivations for conflict in order to distinguish those conflicts that may be resolvable from those that are irreconcilable

The Canadian asbestos industry: Quebec’s asbestos industry employs under 1,000 workers yet has “an almost sacred status in the province” which has “made it politically untouchable”. Canada is the world’s 4th largest producer and 2nd largest exporter of asbestos, and has consistently opposed global efforts to regulate international trade in asbestos.

A conflict may be negotiable or irreconcilable, and risk managers must have the capacity to distinguish between the two

B13 Acting in the face of the unexpected

► For many reasons, risk managers may be unable to act in the face of the unexpected

► Skills and resources suited to prior emergencies or well-known risks may be insufficient for dealing with new threats

► Managers may delay or fail to change from routine to crisis management

► There may be an absence of authority to reallocate resources

► An emphasis on efficiency makes it difficult to retain slack resources or build redundancies and resilience into systems

The Millennium Bug: Dire consequences were predicted from the possible failure of computers to deal with date-related data between 31 December 1999 and 1 January 2000. Millions were spent checking and upgrading computer systems, but no problems were reported. However, work done to prepare for “Y2K” may have added resilience to systems so as to allow the New York infrastructure to function after 9/11.

Insufficient flexibility in the face of unexpected risk situations