Risk Governance Deficits
Graham, John D.
Florin, Marie Valentine
IRGC defines risk governance deficits as deficiencies (where elements are lacking) or failures (where actions are not taken or prove unsuccessful) in risk governance structures and processes. They hinder a fair and efficient risk governance process. The deficits described by IRGC have recurred over time and have affected risk governance in many types of private and public organisations, and for different types of risks. While deficits may be relevant for both simple and systemic risks, in this report we focus on the latter. This is because systemic risks – defined as those risks that affect the functionality of systems upon which society depends and that have impacts beyond their geographic and sector origins – provide a greater challenge for risk governance and thus greater scope for the occurrence of deficits. The potential consequences of risk governance deficits can be severe in terms of human life, health, the environment, technology, financial systems and the economy as well as social and political institutions. There may be a failure to trigger necessary action, which may be costly in terms of lives, property or assets lost; or the complete opposite – an overreaction or inefficient action which is costly in terms of wasted resources. Consequences of deficits can also discourage the development of new technologies, as they can lead to a suffocation of innovation (through over-zealous regulation) or to unintended consequences (through failing to account for secondary impacts). Loss of public trust in those responsible for assessing and managing risk or an unfair (or inequitable) distribution of risks and benefits are other possible adverse outcomes. By identifying and describing these important deficits, this report aims to help risk decision-makers in government and industry understand both the causes of deficits in risk governance processes and their capacity to aggravate the adverse impacts of a risk. 
With this understanding, it is hoped that risk practitioners will be able to identify and take steps to remedy significant deficits in the risk governance structures and processes in which they play a part, including those that may be found within their own organisations. Although presented in this report as distinct phenomena, with their respective causes, drivers, properties and effects, deficits can be inter-related (for example, a deficit in risk assessment may increase the chances of another, linked deficit occurring during the management phase) and a single risk issue may be subject to multiple deficits. As with the design of its risk governance framework, IRGC has grouped the deficits to reflect the distinction between assessing risk and managing risk. Those in the assessment sphere (cluster A) relate to the collection and development of knowledge, understanding and evaluation of risks. Those in the management sphere (cluster B) concern the acceptance of responsibility and the taking of action in order to reduce, mitigate or avoid the risk. Each deficit is illustrated by examples from the risk governance of past or current risk issues – for example, the outbreak of “mad cow disease”, Bovine Spongiform Encephalopathy (BSE), in the United Kingdom (UK), Hurricane Katrina, fisheries depletion or genetically modified crops in Europe – in order to demonstrate the severity and variety of material and immaterial impacts they can have.
Cluster A: Assessing and understanding risks
Risk governance deficits can occur during risk assessment. Such deficits arise when there is a deficiency of either scientific knowledge or of knowledge about the values, interests and perceptions of individuals and societies. They can also be caused by problems within the processes by which data is collected, analysed and communicated as knowledge, or result from the complexity and interdependencies within the system at risk.
Complexity, uncertainty and ambiguity are thus key challenges for risk assessment and underlie all of the deficits in cluster A. IRGC has identified 10 deficits in risk assessment. The first few deficits address difficulties involving the gathering and interpreting of knowledge about risks and perceptions of risks: • (A1) the failure to detect early warnings of risk because of erroneous signals, misinterpretation of information or simply not enough information being gathered; • (A2) the lack of adequate factual knowledge for robust risk assessment because of existing gaps in scientific knowledge or failure to either source existing information or appreciate its associated uncertainty; and • (A3) the omission of knowledge related to stakeholder risk perceptions and concerns. The following three deficits have to do with disputed, or potentially biased or subjective, knowledge, and have the effect of making it difficult to judge whether a risk needs specific attention or action. They comprise: • (A4) the failure to consult the relevant stakeholders, as their involvement can improve the information input and the legitimacy of the risk assessment process (provided that interests and bias are carefully managed); • (A5) the failure to properly evaluate a risk as being acceptable or unacceptable to society; and • (A6) the misrepresentation of information about risk, whereby biased, selective or incomplete knowledge is used during, or communicated after, risk assessment, either intentionally or unintentionally. 
A further three deficits focus on knowledge related to systems and their complexity: • (A7) a failure to understand how the components of a complex system interact or how the system behaves as a whole, thus a failure to assess the multiple dimensions of a risk and its potential consequences; • (A8) a failure to recognise fast or fundamental changes to a system, which can cause new risks to emerge or old ones to change; and • (A9) the inappropriate use of formal models as a way to create and understand knowledge about complex systems (over- and under-reliance on models can be equally problematic). The final deficit in cluster A addresses how knowledge and understanding are never complete or adequate. At the core of this deficit (A10) is the acknowledgement that understanding and assessing risks is not a neat, controllable process that can be successfully completed by following a checklist. Rather, this deficit is about assessing potential surprises. It occurs when risk assessors or decision-makers fail to overcome cognitive barriers to imagining that events outside expected paradigms are possible.
Cluster B: Managing risks
Risk governance deficits can also occur during risk management. These deficits concern responsibilities and actions for actually managing the risk and can be sub-grouped as relating to: a) the preparation and decision process for risk management strategies and policies; b) formulating responses and taking actions; and c) the organisational capacities for implementing risk management decisions and monitoring their impacts. Those deficits related to the preparation and decision process for risk management strategies and policies derive from failures or deficiencies on the part of risk decision-makers to set goals and thoroughly evaluate the available options and their potential consequences. They are: • (B2) a failure to design effective risk management strategies.
Such failure may result from objectives, tools or implementation plans being ill-defined or absent; • (B3) a failure to consider all reasonable, available options before deciding how to proceed; • (B4) not conducting appropriate analyses to assess the costs and benefits (efficiency) of various options and how these are distributed (equity); • (B6) a failure to anticipate the consequences, particularly negative side effects, of a risk management decision, and to adequately monitor and react to the outcomes; • (B7) an inability to reconcile the time-frame of the risk issue (which may have far-off consequences and require a long-term perspective) with decision-making pressures and incentives (which may prioritise visible, short-term results or cost reductions); and, lastly, • (B8) a failure to adequately balance transparency and confidentiality during the decision-making process, which can have implications for stakeholder trust or for security. Each of these deficits has the capacity to derail the risk management process – even if other deficits are avoided. For example, no matter how successfully an organisation coordinates its resources to quickly implement a strategy or enforce a regulation, the results will be inadequate if the original strategy or regulation was flawed from the beginning. The deficits which relate to formulating responses, resolving conflicts and deciding to act derive from an inability on the part of the risk manager to identify the most appropriate response given the context or even to properly understand the context of the risk issue, which inevitably must guide the response. 
These deficits are: • (B1) a failure to respond adequately to early warnings of risk, which could mean either under- or over-reacting to warnings; • (B11) a failure to deal with the complex nature of commons problems, resulting in inappropriate or inadequate decisions to mitigate commons-related risks (e.g., risks to the atmosphere or oceans); • (B12) a failure to resolve conflicts where different pathways to resolution may be required in consideration of the nature of the conflict and of different stakeholder interests and values; and • (B13) insufficient flexibility or capacity to respond adequately to unexpected events because of bad planning, inflexible mindsets and response structures, or an inability to think creatively and innovate when necessary. Finally, there are the deficits related to organisational capacities for responding or monitoring. These occur because of shortcomings in terms of resources, willpower or coordination: • (B5) a failure to implement risk management strategies or policies and to enforce them; • (B9) a lack of adequate organisational capacity (assets, skills and capabilities) and/or of a suitable culture (one that recognises the value of risk management) for ensuring managerial effectiveness when dealing with risks; and, finally, • (B10) a failure of the multiple departments or organisations responsible for a risk’s management to act individually but cohesively, or of one entity to deal with several risks.
Risk governance deficits: a real-world example
The emergence of BSE in the UK and the early handling of the epidemic in British cattle was certainly an example of inadequate risk governance. This case is used in the report to illustrate several of the above deficits from both the assessment and management clusters. BSE is a neurodegenerative disease affecting cattle, transmissible to humans via consumption of infected beef.
As a novel disease in 1986, it gave no obvious early warning signals of its emergence; cattle were sick, but there was no clear cause. Additionally, risk assessors did not possess adequate scientific knowledge of its epidemiology or pathology to confidently evaluate what sort of risk it posed to animal or human health (A2). Expert groups convened to study the disease and to advise on whether BSE could have implications for human health could only conclude that negative implications were “unlikely”. However, the uncertainty associated with the available knowledge meant that public health risks could not be ruled out. Nevertheless, authorities did not take into account this uncertainty and repeatedly assured the public that British beef was safe to eat. Even as evidence of BSE’s transmissibility to other species (such as cats and pigs) began to mount, authorities gave the public the impression that BSE was not transmissible to humans. The importance and implications of precautionary public health measures taken by the government were also downplayed in the public domain. These actions constituted a misrepresentation of information about the true risks of BSE (A6) and contributed to what was, on the whole, a serious failure in risk communication. The government’s efforts to reassure the public that there was no risk from BSE actually ended up creating more risk and contributing to the scale of the negative economic and social consequences. With regard to the precautionary regulations that were eventually put in place, here the dominant deficit was the failure to implement and enforce risk management measures (B5). Two of the most important regulations introduced during the BSE epidemic – the ban on feeding ruminant animals meat and bone meal made from animal carcasses, and the ban on incorporating specified bovine offal (SBO) into human food – were neither implemented nor enforced as effectively as they could have been. 
Concern for the economic health of industry led to a five-week delay in the implementation of the ruminant feed ban and to very lax enforcement of the SBO ban. Dispersed responsibilities (B10) also caused a number of problems throughout the handling of the crisis. Communication and collaboration were slow or non-existent between the Department of Health (responsible for public health) and the Ministry of Agriculture, Fisheries and Foods (MAFF, responsible for animal health and agricultural interests). Internal divisions and contradictions within MAFF further complicated matters. Overall, dealing with BSE and its consequences is estimated to have cost the UK government £4.4 billion by 2001 and (to September 2009) 165 people had died from the human form of the disease, Variant Creutzfeldt-Jakob Disease (vCJD). BSE and the other illustrations used in this report demonstrate the impact of risk governance deficits on past risk issues. They also show how the underlying concept of deficits reflects the interactive process between risk assessment and management, as well as that between risk generators and those affected by it. Overall, this report can be used by organisations as a checklist to, first, evaluate the risk governance processes of which they are a part and, then, prioritise those which are most in need of improvement. IRGC will provide further guidance on acting on the concepts described in this report in a policy brief to be published in late 2009.
Publisher: IRGC, International Risk Governance Council
Organisational unit: 03515 - Wenger, Andreas