Risk Management: identifying risks to achieve sustainable impact

At Trilateral Research we think managing risks is critical, both in the development of emerging technologies and in ensuring safety and security. All our projects involve some type of risk management.

The use of risk assessment is critical to identifying, understanding and mitigating potential risks thereby enhancing decision making, responsible research and innovation and many other activities where understanding and mitigating risk is required.

What is Risk Management?

Regardless of the field you work in – crisis, human rights, security, business, ethics, law, marketing – it is likely that you have come across the phrase risk management.

Starting from the understanding of ‘risk’ as any situation involving exposure to danger or uncertainty, risk management is a process used to assess, predict, minimise and manage uncertainty or ‘danger’ for people and organisations. Of course, risk can be intangible and often may not be obvious, but it must be recognised.

How does it work?

The process starts by asking basic questions:

1. What am I trying to achieve?

E.g., in the iTRACK project, partners are developing an ICT system that protects humanitarian workers in conflict areas

2. What might affect me and have an impact on my aim? What are the uncertainties that matter? What danger may exist? What can go wrong here? Essentially it is hazard recognition.

E.g., lack of internet connection in the field OR privacy laws that prevent me from operating my system

It is also helpful to look beyond what the risk factor is and understand its cause.

3. What are the most important considerations that could impact me? Here try to prioritise the impacts – now we can call them risks – in two dimensions.
   • How likely is the risk?
   • If the risk did happen, what effect does it have on the overall aim, or on the organisations’ ability to mitigate the risk?

Risk management results: an identification of risks that matter. 

Risk management implementation

4. How confident are we in our understanding of the risk?
5. What shall we do about the risks? This usually includes:

• Avoidance: eliminating a specific threat
• Mitigation: reducing the likelihood of occurrence
• Acceptance: accepting the consequences of the risk
• Transfer

Action: Implement your risk avoidance or mitigation strategies, for example:

• Build an offline mode into your ICT system;
• Ensure your users provide informed consent

Risk management evaluation

6. Did it work?
7. Has anything changed? Remember that most projects, situations, undertakings, businesses are living things and can face new or indeed continuing risks all the time. Risk management is thus an ongoing process and should be reviewed on a periodic basis.

When should you adopt a risk management approach?

Risk management should be seen as a continuous process taking place at key points (e.g., In a project – throughout the project’s lifecycle, within an organisation – on a periodical basis based on operations) with emphasis on key milestones.

Who should be involved?

Ultimately, the responsibility lies with those that are involved in identifying, managing and mitigating risks. As such, any risk management concept requires buy-in and active participation from all those involved in a project, business or organisation. In addition, a process for engaging and consulting with stakeholders, including those from different sectors, should be put in place to help ensure that different risks are recognised, discussed and dealt with. Stakeholders bring new intelligence which the project manager might not have considered and may have some good suggestions for resolving multifarious issues.

Be sensitive to issues such as ethics, human rights and wider societal considerations. For example, think about gender: Taking a gender-neutral approach to risk management and mitigation can result in risks to different genders and transgenders being underestimated or even ignored altogether. To avoid this, at Trilateral we advocate for you to:

• Look at the whole picture and involve all genders in all stages
• Avoid making prior assumptions about what the risks are and who is at risk
• Avoid thinking your project or business exists in a gender-neutral space

Some Examples

When has Trilateral Research applied risk management? The answer is: all the time, but here are some examples:

STRIAD

Risk management in policing and community safety regarding the protection of vulnerable people is at the centre of all activities that are carried out and comes in different forms. One approach to risk management focuses on the prioritisation of competing demands and the allocation of resources. To that end, Trilateral is developing STRIAD. STRIAD will provide law enforcement agencies and community safety partnerships with a comprehensive risk management application, supporting data-driven strategic and tactical decision-making, collaboration, planning and resource allocation. STRIAD will provide users with the ability to conduct risk assessments, derive insights from open data on public safety, leverage their own data to provide insights and support decision making. See more

Privacy Impact Assessments Plus (PIA+)

 The development and deployment of technological solutions can have various consequences, including those related to privacy, data protection and ethics. The purpose of a Privacy Impact Assessments Plus (PIA+) is to carry out a risk management on a technology. Trilateral has, in many projects (e.g., Develop and iTRACK), used the PIA+ to assess the risks that the project technology poses for privacy and ethics and proposed how to mitigate these risks. The analysis carried out in the PIA+ informs the technology development. In other words, the PIA+ fills a knowledge vacuum on how the relevant technology should be developed so as to ensure it abides by, and protects, ethics and privacy.

By carrying out the PIA+ specifically for a particular technology (or system) we consider privacy and ethics in the relevant context; namely we are taking into account the nature of the situation and context in which the technology will be used as well as the technology itself. The aim of the PIA+ in any project, is to become part of the design process from beginning to end. Read more.

It is important to note that the process of risk management contains intuitive biases within people’s assessment, mitigation and evaluation to risk – as clearly outlined by Kahneman (2012) in Thinking, Fast and Slow – it is, therefore, critical to be aware of our intuitive biases. As a practice, risk management, therefore, needs to be conducted in a transparent manner, ensuring evidence is provided where possible to help others understand the process involved in determining what is and is not a risk in the first instance. That is why within Trilateral, we emphasise the need for transparent evidence-based risk assessment.

For more information contact our team.