Risk management, as codified by the International Organization for Standardization (ISO), has since 2009 corresponded almost perfectly to the ideal-type process of strategic foresight and warning (SF&W) as we use it here, even though SF&W was developed mainly out of public service practice and experience, notably in intelligence and defense, and with international and national security issues in mind.
The new risk management process thus lays the foundation for easily incorporating geopolitical and other national and international security issues within risks usually managed by businesses, and should facilitate discussions and exchanges between the corporate world and the public sector, including in terms of data, information, and analysis, according to the specificities and strength of each.
We shall here detail the risk management process, underline its similarities with SF&W and stress, where it is most different, how it could also help us move forward in one sensitive area: developing and offering policy or response alternatives to decision-makers.
Revising the definition of risk
Risk analysis, primarily a tool of the corporate sector, is codified and normalized, unlike most anticipation-related practices, notably through the activity of the ISO. In 2009, the ISO released the documents relating to the revision of the overall risk analysis process, which was renamed risk management and is now defined by ISO 31000:2009.
First of all, the new standardization drastically changed the definition of “risk”, which now means, according to the ISO Guide 73:2009, definition 1.1:
“The effect of uncertainty on objectives”
This new meaning of risk is perfectly in line with the definitions used for SF&W. Previously, “risk” meant a “combination of the probability of an event and its consequence” (ISO/IEC Guide 73:2002, definition 3.1.1), which is similar to what we can find in dictionaries. However, the use of the new understanding of risk varies according to institutions. For example, the U.S. Department of Defense, in its 2014 Defense Acquisition Guidebook, uses the old definition of risk when it explains what risk management is for systems engineering. That approach is more restrictive and less interesting: it sees risk as an “unwanted event”, whilst ISO 31000:2009 underlines the importance of uncertainty. Indeed, what should be identified and managed is uncertainty, and not only unwanted events. For example, an event that is an opportunity, if it is not properly foreseen, may either be missed or, if seized without proper planning, have challenging impacts. What we must foresee and then manage is uncertainty; what we must seek to prevent is surprise and not, or not only, “unwanted events.”
Risk management, the “coordinated activities to direct and control an organization with regard to risk”, is articulated according to two related and iterative processes. The “risk management process”, which concerns us here, is summarized in the following diagram (ISO/FDIS 31000:2009 (E), ISO Guide 73:2009, and terms and definitions).
For the record, we also have a “management framework” or “framework for managing risk”, which “ensures that information about risk derived from the process is adequately reported and used as a basis for decision-making and accountability at all relevant organizational levels” (ISO/FDIS 31000:2009 (E), p.8).
This framework may be seen as similar to a policy to implement an SF&W system or process, as decided by policy-makers or decision-makers. However, in the case of the state apparatus of a country or of IGOs’ administrations, many specific constraints, different from those existing for businesses, will circumscribe possibilities. Indeed, polities evolve according to specific dynamics and rules (the whole of political science and international relations) that are complex and must be considered first.
Coming back to the process of risk management, if we compare it with SF&W, then establishing the context of risk is similar to what we would do when, initially, we identify the vision, the grand strategy, the strategy and related policies, which have been set by policy-makers and decision-makers, according to the actor for which the SF&W process is set up and operated.
Risk assessment is identical to the steps during which we determine meta-issues (e.g. international security, national security, or resource security), then narrow them down by scanning what is happening “out there” to identify issues, both existing and emerging (e.g. in the case of resource security, “energy security,” “rare earth security,” the newer “Extreme Environments security,” etc.), each issue then being analyzed, according to various processes and tools, as explained in our section focusing on analysis. The main difference between the two activities is the use of dissimilar terms.
The monitoring and review of risks is nothing other than warning and evaluation in SF&W. Interestingly, risk management thus emphasises the importance of evaluation (see our section “Validate”), which is too often forgotten in anticipatory processes.
Communication and consultation corresponds, on the one hand, to the delivery of various products to clients (see section “Delivery”). However, the permanence of this phase in risk management could be ill adapted to some structures, notably large and complex ones, considering busy agendas as well as the need for confidentiality and secrecy. The specificity of governmental and state actors must, furthermore, not be forgotten.
On the other hand, communication and consultation corresponds to participatory processes that may be integrated within general or specific SF&W processes. For example, an organization may request that an SF&W process be designed to deal with a specific question, aiming not only at assessing plausible futures as well as possible but also at involving specific individuals and entities, often stakeholders as specified by risk management, for multiple reasons. Here again risk management and SF&W are extremely similar.
Risk treatment and policy alternatives
Risk treatment, which consists in selecting options of risk treatment then preparing and implementing them, is the area that is most different from SF&W, because the latter should stop just before policy recommendations. Indeed, in the framework of a state and more specifically of a democratic regime, decisions should always remain with policy-makers, because they are accountable as elected representatives. Thus, for example, intelligence officials are always careful to underline that they do not want to cross the line between the delivery of intelligence and policy-making. For example, Thomas Fingar, former chairman of the U.S. National Intelligence Council, describes this sensitive point using the example of the process related to Global Trends 2025 (Global Trends being quadrennial and tied to the election of a new President, the latest edition is Global Trends 2030):
“Our purpose was to tell officials what they should consider, not what they should do. The message, in effect, was, “Here are the trends that we judge will be important over the next fifteen years. If you like where they are headed, you should devise policies to preserve their projected trajectory. If you don’t like where they are headed, you should begin now to consider ways to shift them in a more favorable direction. The ultimate success of the policy agendas you develop will be influenced by how that agenda intersects with the trends we have identified. What to do is up to you.”
The decision to eschew policy recommendations was an easy one because both law and professional ethics enjoin the Intelligence Community from policy advocacy…
That said, I think those of us who were most deeply engaged in the project would have been disappointed if nobody asked for our thoughts on what might be done. I can assure you that when Mat Burrows and I briefed then President-elect Obama on our findings we did not refuse to answer when he asked for our thoughts on what to do with respect to certain of the issues and trends discussed in the report.” (Reducing Uncertainty: Intelligence and National Security – Using Intelligence to Anticipate Opportunities and Shape the Future, Payne Distinguished Lecture Series 2009, FSI Stanford, CISAC Lecture Series).
Not respecting the distinction between SF&W and policy-making is to open the door to totalitarianism and other forms of autocracy. It is also to deprive policy-makers and decision-makers of their essential function, deciding upon strategies and policies, which may backfire and make them resent risk management and SF&W.
Should we thus disregard this part of the risk management process, which “treats risks”? On the contrary, because of the very sensitivity of the topic in defense and intelligence areas, we are left with little guidance when, increasingly, policy-makers and decision-makers, as well as the general public, tend to expect to see policy alternatives suggested (but not advocated) besides more classical foresight analyses and warnings. Risk treatment thus could fill in a gap and suggest ways forward that could provide us with guidelines and ideas, as long as we make sure that policy options are balanced, truly presented as alternatives and requested by clients.
Risk treatment can be defined as, following for example the US Defense Acquisition Guidebook (DAG), 2010, p.182*:
- “Avoiding risk by eliminating the root cause and/or the consequence,
- Controlling the cause or consequence,
- Transferring the risk, and/or
- Assuming the level of risk and continuing on the current program plan”
Thus, if we wanted to present policy alternatives, we could use these four options as a guideline to build them. If we take the example of scenarios delineating the frontiers of plausibility for a strategic foresight question, each scenario could be accompanied by a brief set of policy alternatives, covering avoidance, control, transfer and business as usual, and, of course, pointing out the impact in each case. These policy alternatives could also be presented as scenarios.
When decisions need to be taken almost instantaneously to prevent major dangers (we can think of civilian nuclear risks for example, or natural events such as earthquakes or tsunamis), then adequate procedures will have to be created beforehand, with the full knowledge of policy-makers and decision-makers, as it is a delegation of their power and mission.
The second part of risk treatment, the preparation and implementation of risk treatment plans, is outside the scope of the SF&W process, as it deals with answers or responses. If responses need to be activated extremely rapidly, as in emergencies, then, again, adequate procedures will have to be created beforehand with the full knowledge of policy-makers and decision-makers.
In summary, since 2009, risk management has been almost identical to SF&W. This is a major innovation as it should allow for integration of national and international security issues, heretofore sometimes little considered by businesses, for more and better exchanges between different actors, for cross-fertilisation and thus, ultimately, for better anticipation and actions. Where the two still differ, notably in the area of risk treatment, risk management cannot be exactly applied to national and international security issues because of the specificity of the actors involved and the absolute need to consider the policy-making process of state and quasi-state actors. However, it may nevertheless provide guidelines when citizens, policy-makers and decision-makers request policy alternatives.
Dr Helene Lavoix is the founder and director of the Red (Team) Analysis Society.
References to ISO 31000:2009 are actually to ISO/FDIS 31000:2009 (E).
Copyrights for all references to ISO norms remain with the International Organization for Standardization (ISO).
This article is a fully updated and revised version of a text that was published first as an element of the U.S. Government commissioned report, Lavoix, “Actionable Foresight”, Global Futures Forum, November 2010 (pp. 12 & 20-24/98).