The Australian Risk Policy Institute is pleased to share with the Panel the 'Risk Policy Model' as an attachment to our submission to the Independent Review of the APS (2 of 2)

THE RISK POLICY MODEL
New Thinking, New Approaches and New Frameworks about Leadership, Decision-Making, Public Policy and Risk
The Australian Risk Policy Institute (ARPI) is incorporated under
the Australian Capital Territory Associations (Incorporation) Act
1991 and is a nationally registered Association under the
Commonwealth Corporations Act 2001, with offices in Canberra
and Melbourne.
Information regarding ARPI’s Purpose, Governing Board,
Publications, Partners and Contacts appears at www.arpi.org.au.
ABN 39 120 269 534
Contents
Foreword
Introduction
1. New Times Need New Thinking
1.1. The Case for a New Approach to Risk
1.2. A Sense of the Urgency to Rethink Risk and our Systems
The Global Reform Agenda
1.3. A Sense of the Challenges and Opportunities
1.4. Conclusion
2. Hope for New Thinking
2.1. Crisis
2.2. Paradigm Collapse
Wicked Problems, Metaphors and Human Sensing
2.3. Creativity
3. New Thinking about Risk Policy and Systemic Risk
3.1. Australian Risk Policy Institute
Background
Risk Policy Model – An Innovation
Risk Policy Model – An Innovation with Global Value
3.2. Understanding the New Thinking
Shifting the Paradigm
The Notion of Risk
The Relationship between Opportunity, Uncertainty and Risk
The Nature of Systems
Systemic Risk
Working on Whole Systems
Reconciling the System-View and Organisation-View
Rethinking the Role of Government
The Need for a New Civics
Effective, High Quality Leadership is Required to Move Forward
4. The Risk Policy Model Described
4.1. Our Notion of Risk and its Management
4.2. The Value of Risk Policy
4.3. Rationale for Elevating Risk Policy
4.4. The Focus on Vulnerability rather than Probability
4.5. The Focus on Consequences and Strategic Decision-Making
4.6. A Whole-of-System Perspective
4.7. Managing Risk in Systems
Risk Identification and Assessment in Systems
4.8. Job of Risk Policy
4.9. Risk Policy Model and Policy Framework
Risk Policy
Risk Governance
Risk Management
Summary
Conclusion
Attachment A: Key Messages about Risk Policy
Foreword
Current risk management practices have failed government and industry worldwide. Most
importantly, current risk management practices have failed to protect our vulnerabilities within local
and international communities. We all have a stake in this and a right to be concerned.
Current risk management practices have evolved into a formalised framework that is now accepted
as a standardised process approach to the management of risk. This process of risk management has
largely come together with the concept of compliance management because of the regulatory
nature of the current business environment. As a consequence, process has overridden leadership,
decision-making, and accountability at the highest levels of firms and agencies. Simply put, it is
better to have a risk process to fall back on than to face the reality of vulnerability identification,
which would force leadership decision-making and action.
The Global Financial Crisis (GFC) demonstrated that both markets and governments can fail.
Between them the GFC, the Deepwater Horizon oil drilling platform blow-out in the Gulf of Mexico,
and the destruction at the Japanese nuclear plants in Fukushima have resulted in a loss of public
confidence and trust in our leaders—of both the private sector and government. There is also a loss
of confidence in our understanding of, and ability to design, operate and control, whole systems to
avoid failure. The financial crisis in Europe and a range of security concerns are adding further to this
public tension.
The urgency for change is fundamental – it now arises because we are more interconnected and
interdependent than at any time in our recorded history. This makes us vulnerable to the systems
we have designed. When a system fails all connected to it are affected. This means that some
people may suffer potentially catastrophic consequences. Program failures have been known to
cause leaders and governments to fall unexpectedly.
In the increasingly turbulent and unpredictable world, which inherently makes the systems within
society unstable, there must be policies and methodologies that enable businesses and
governments to become more resilient.
The Australian Risk Policy Institute (ARPI) has developed a model for risk policy development and
implementation that elevates the ownership of risk to the highest level of governance and decision
making. It is applicable to all public and private organisations. Risk policy confers coherence, an
integrated comprehension of risks, their identification and their consequences, as well as
articulating who is responsible for attending to each activity around risk. Risk Policy authorises,
informs, defines, drives, builds, maintains and accounts for the processes of Risk Governance and
Risk Management within an organisation and in all systems.
Appropriate responses to society's apprehensions and mistrust require effective, high quality
decision making from top leaders of governments and significant organisations within countries and
internationally. We will depend upon leaders being prepared to get out front and do something. We
know that waiting for someone else to act just perpetuates increasing damage to the fabric of our
society, and increases the level of risk involved. The need to act now is readily apparent.
Introduction
The first decade of the 21st century brought us face-to-face with the reality that our world is
confronting numerous challenges that defy simple solutions and require innovative ways of
thinking about how to solve them.
In August 2010 the Australian Risk Policy Institute (ARPI) introduced its innovative Risk Policy
Model. The Risk Policy Model responded to the call from the World Economic Forum (WEF) and
other international groups to rethink, redesign and rebuild systems to avoid future failures.
The release of Risk Policy Model:2012 reflects global feedback from a wide variety of
individuals and organisations as well as further research and development.
At the core of Risk Policy thinking are Risk Policy Principles:
- We must view risk differently and more broadly as being about future impacts,
  implications and implementation of decisions and non-decisions – and not just about
  something which might go wrong;
- Risk must connect with, inform and be an integral component of our highest levels of
  Leadership, Decision-Making and Public Policy Formulation and Implementation in
  society, and this must be achieved through introducing Risk Policy;
- Risk Policy must be accepted as a new leadership and management concept which
  authorises, informs and accounts for Risk through Risk Governance and Risk
  Management processes;
- Our thinking about Risk and Opportunity has to shift from organisation-centric to
  network-centric thinking and acting – both internally and externally - in the new world
  of globalisation and instant relationships – reflecting our interconnectedness and
  interdependencies;
- The proper starting point from today and into the future is to think about ‘vulnerability’
  – well before risks may be identified or considered;
- We must think critically about whole systems and this means not only appreciating their
  socio-technical and network natures. We need to understand more fundamentally that
  systems represent deeper, established patterns of thought about how to see the world
  and make sense of it;
- Systemic risk must be recognised as a new form of risk in today’s world. It is often the
  source of so-called 'wicked' problems. New processes must be established to manage
  systemic risks, with multiple owners and multiple managers often in separate
  organisations, through collaboration;
- We therefore need a new way of thinking about ourselves and our proper relations to
  each other in regard to our systems and Systemic Risk. One way to bring this new
  thinking into reality involves a 'New Civics';
- In our thinking about and acting upon Risk, we must embrace ‘time’. Our strategic
  choices about the nature and extent of possible consequences of Risk, and what action
  we can and should take to deal with Risk, may be directly related to the time provided
  by early warning and a clear understanding at what point in time a particular Risk
  applies.
- We must focus on 'outcomes'. Decisions are not outcomes: decisions require action to
  become outcomes. Our most important outcome is protecting critical systems from
  future failures which can spread like a contagion and potentially cause catastrophic
  damage to any other systems connected to them.
- We have to 'measure our risks' in terms of the magnitude of the consequences if we fail
  to avert some threat, not in terms of the probability of the consequences, or the chance
  that it might not happen. Our vulnerability, not probability, has to define our Risk.
- The power of government to regulate and co-regulate also implies an obligation that it
  be responsible and responsive. While government might not always succeed, the virtue
  is to try and say we have done our best.
ARPI is dedicated to assisting leaders to make systems more resilient through the development
of sound Risk Policy, Risk Governance and Risk Management. We will subsequently issue
Guidelines on Risk Policy Implementation to be followed by Risk Policy Practice Notes to
inform, guide and update Risk Policy principles and their application.
1. New Times Need New Thinking
1.1. The Case for a New Approach to Risk
Our sense of order and certainty is declining under the strain of change as it impacts from both
expected and unexpected sources.
As a result, we live in a world of increasing uncertainty and disorder. Our systems are being
challenged continuously as they prove to be resistant to conventional analysis, in part, because
no system assumes its own failure. In addition, addressing systemic problems challenges
governance structures, our skills base, and our organisational capacity.
Crucially, there is a need to know how to use the human sensing of the unknown or the
unpredictable to meet new problems. Being able to discriminate between unfocused fears and
genuine intuitions of what may happen is an important weapon. When systems fail, using tried
and true methods to solve the ensuing problems is likely to fail. The best weapon is creative
thinking or our ability to foresee, with less reliance on protocols and what has been done in the
past.
Our major challenge is to make the systems within which we live and operate more resilient so
our business, our economy and our society can survive and prosper.
Resilience means reducing vulnerability so that our systems are better able to deal with
increased pressures from sudden shocks and the inevitable challenges from our
interconnectedness and interdependence as well as our scientific and technological advances.
Resilience also means being able to make the most of opportunities which can arrive just as
unexpectedly and which are often missed as a result.
Accordingly we are each faced with the potentially catastrophic implications of failure to find a
way to work together to bring about the greater sense of order and certainty that is required to
provide a more sustainable, safer and just world.
Competitive solutions are not likely to be sufficiently robust to meet modern demands.
Leaders therefore need to be thinking not only about collaboration, as opposed to competition,
but also about forging a way ahead through new thinking and new approaches to handle future
risk. (See Figure 1.)
[Diagram. Labels: Outcomes; Reduced Vulnerability; Benefits; Resilience; Collaboration; Responsibility & Accountability; Risk Policy; Risk Governance; Systems; Systemic Risk; Vulnerabilities; Opportunities; Time & Early Warnings; Networks]
Figure 1 New Thinking, New Approaches, New Frameworks
1.2. A Sense of the Urgency to Rethink Risk and our Systems
The Global Reform Agenda [1]
The WEF has stated that improving the state of the world requires catalysing global
cooperation to address pressing challenges and future risks.
According to the WEF:
- we need to rethink business models, financial innovation and risk management;
- rethinking will trigger redesign whose long-term success will be predicated on the
  individuals and the institutions empowered to take action having the trust of the
  stakeholder communities; and
- decision-makers must rebuild trust, not only to establish the legitimacy of their redesign
  but also to instil confidence in their future success.
Rethinking, redesigning and rebuilding are invariably complex as values, norms and incentives
change and, in turn, reshape stakeholder communities, social networks, governance structures
and industry models worldwide.
1.3. A Sense of the Challenges and Opportunities
At the broadest level, human beings for the first time have taken hold not only of the economy
and of population dynamics, but most of the planet’s systems. However, we seem to be acting
without regard to the long-term consequences.
The scale and importance of challenges and accompanying opportunities before us can be seen
in a range of situations.
There are two key factors that permeate these examples:
a) we live in a networked world underpinned by social media where all sorts of power
games in pursuit of communicative impact, visibility and success take place; and
b) the realisation that only coordinated action can treat these challenges effectively and
with an attention to their interconnections. These challenges bring unusual strains to
participants in large part because they are called upon to devise cooperative solutions
even though the system within which they operate is often indifferent to such concerns
and hostile to the transaction costs such solutions impose.
Change in Statecraft
"We are at a moment in world affairs when the essential ideas that govern statecraft must
change. For five centuries it has taken the resources of a state to destroy another state: only
states could muster the huge revenues, conscript the vast armies, and equip the divisions
required to threaten the survival of other states. Indeed posing such threats, and meeting
them, created the modern state. In such a world, every state knew that its enemy would be
drawn from a small class of potential adversaries. This is no longer true, owing to advances in
international telecommunications, rapid computation, and weapons of mass destruction. The
change in statecraft that will accompany these developments will be as profound as any that
the State has thus far undergone." [2]
[1] World Economic Forum Meeting 2010 - Executive Briefing; Improve the State of the World: Rethink, Redesign, Rebuild
Promoting Security in the Global Commons
"Over the last several years, it has become apparent that the domains facilitating all
international interaction—sea, air, space, and cyberspace—are increasingly congested,
contested, and complex. ... The implications of these developments are not fully understood by
the U.S. national security community. Yet, there is a broad consensus that they represent both
a significant challenge and a major opportunity. Therefore, if the United States is to continue its
role in helping create and sustain an international system that promotes peace and prosperity,
it must update strategic concepts, adapt instruments of statecraft, and develop innovative
approaches to leadership in these critical domains." [3]
New Capitalism
"The capitalist system is under siege. In recent years, business increasingly has been viewed as
a major cause of social, environmental, and economic problems. Companies are widely
perceived to be prospering at the expense of the broader community.
Even worse, the more business has begun to embrace corporate responsibility, the more it has
been blamed for society’s failures. The legitimacy of business has fallen to levels not seen in
recent history. This diminished trust leads elected officials to set policies that undermine
competitiveness and sap economic growth. Business is caught in a vicious circle.
A big part of the problem lies with companies themselves, which remain trapped in an
outdated approach to value creation that has emerged over the past few decades. They
continue to view value creation narrowly, optimising short-term financial performance in a
bubble while missing the most important customer needs and ignoring the broader influences
that determine their longer-term success. The presumed trade-offs between economic
efficiency and social progress have been institutionalised in decades of policy choices.
Companies must take the lead in bringing business and society back together." [4]
Rethinking Our Financial Markets
The global financial system has enabled substantial economic development over decades. The
GFC in 2008 affected almost everyone. A key factor was the collapse of the underpinning risk
management paradigm, including its intellectual foundations.
"This modern risk-management paradigm held sway for decades. The whole intellectual edifice,
however, collapsed in the summer of last year." Alan Greenspan, former chair of the Federal
Reserve [5]
The GFC abruptly ended the confidence that we had amassed in believing we could manage the
associated risks successfully. The GFC continues to be a costly failure for global society. Our
challenge and opportunity is to fundamentally rethink our approach to risk in the global
financial system in order to develop new risk policies and practices to sustain our future
prosperity.
[2] Professor Philip Bobbitt, The Shield of Achilles, Prologue, pg xxi, Alfred A. Knopf, New York, 2002
[3] Shawn Brimley, Promoting Security in Common Domains, The Washington Quarterly, July 2010, pg 119
[4] Michael Porter, The New Capitalists, AFR BOSS, Harvard Business Review, 2011
[5] In testimony to the U.S. House of Representatives Committee on Oversight and Government Reform, October 23, 2008
Climate Change
It is now widely accepted that the consequences of damage to the environment will have a
serious impact on us all, yet there is a lack of leadership in response to this risk. Not enough is
being done fast enough and the rate and scale of initiatives is not keeping up with the
escalating risk. We need to do more work on revamping methods of doing business and
changing consumer consumption patterns.
A U.S. National Research Council committee reiterated the pressing need for substantial action
to limit the magnitude of climate change and to prepare to adapt to its impacts.
"America's response to climate change is ultimately about making choices in the face of risk.
Risk management strategies must be durable enough to promote sustained progress yet
sufficiently flexible to take advantage of new knowledge and technologies." [6]
Trading Systems
Transformation of our trading systems is also occurring. About one-third of world trade is not
really trade; it is shipments inside the same company's value chain. In the case of China-US
trade, it is about half: US companies repatriating their products to the US. Wal-Mart pushes
more products back up its value chain than Australia imports from China. This trend began in
the late 1980s, when Japan and the US agreed to a realignment of their currencies (the "Plaza
Accord"). Japan responded by locating much of its production around South-East Asia to get
around the problem of the high yen. When the yen fell a decade later, the result was the Asian
financial crisis of 1998 as Japan pulled production and investment back onshore, triggering a
collapse in Thailand and across South-East Asia. This was a graphic demonstration that the fate
of nations was dependent on how they fitted into the value chains of global companies, and
much depended on how successful they were in attracting foreign direct investment (FDI). The
problem is that FDI tends to follow the biggest economies and, as China has grown
dramatically, it has also sucked in massive amounts of FDI. For smaller countries the problem is
not just to be effective traders, but to locate where they best fit into the global value chains.
The convergence of industries and products is redefining the economic landscape. This
transformation is creating huge opportunities, in some cases major distortions within national
economies and a range of new risks. The well‐being of nations is increasingly dependent upon
how they fit into the value chains of global companies. Much depends on how successful
nations are in attracting foreign direct investment.
Political Structures
Turning to our political structures, modern life has seen power rationalised and
institutionalised. Government has increasingly taken the central role; taking more and more of
the decisions, in spite of the fact that the knowledge, expertise and experience needed to
inform these decisions is often located well away from the centre.
[6] William L. Chameides, Vice Chair, National Research Council committee, dean of the Nicholas School of the Environment, Duke University, Durham, N.C., 2011
As a result, we seem to have reached the point where ‘nobody’ seems responsible.
With ‘nobody’ responsible, governance is failing to meet the expectations of the people and
accountability seems to have all but vanished. In 2005, for example, Hurricane Katrina
demonstrated the extent of government irresponsibility and lack of accountability in meeting
the basic needs of the New Orleans community.
Supply Chains
“What’s the fastest growing risk type for companies? Supply chain risk is certainly a leading
candidate for companies that make, move, store, service, or sell products. Left uncontrolled,
supply chain risks threaten a company’s financial health and brand equity and, depending on
the product and event, can have deep social and economic impacts well beyond a company’s
immediate environ.
Supply chain risk is no longer an issue that ‘operations will handle.’ Supply chain disruptions
and delays don’t just impact the ability to satisfy a few customers’ orders. They are likely to
hurt a company’s brand reputation, stock price, working capital requirements, and cash-to-cash
cycle. They can even threaten the health of consumers and the economic well-being of other
participants in the supply chain. C-level executives do not want to become the next poster child
for supply chain risk on the front page of the Wall Street Journal or other business publication.
Lead paint in toys, contaminated pet food and pharmaceuticals, supplier delays causing missed
holiday sales, or major customer order interruptions – the list of potential risks and their
impacts goes on and on.” [7]
What Do Food Systems Designed for the Challenges of 21st Century Look Like?
"As world population continues to expand, projected demand for food will require agricultural
and fisheries production to double over the next fifty years. This means harvesting food each
year for an additional 70 million people, which is equivalent to the total food production of
Australia.
To avoid a global food crisis without further damage to the environment, we need:
- Substantial reform to the operation of agricultural and natural resources sciences;
- Major injection of both national and international investment into agriculture and
  fisheries food production distribution and marketing;
- Reform of markets and regulations to ensure cost of food includes the costs to natural
  resources and environment;
- Orientate to a more market-based system of production, distribution and consumption
  of food.
This urgent need to give priority attention to food production, whilst maintaining the quality of
the resource base from which it is produced, is perhaps one of the greatest scientific challenges
ahead and certainly one that has apparently slipped from our gaze." [8]
[7] Tackling the Rising Supply Chain Risk Threat, Beth Enslow, Risky Business, Marsh Inc., 2009
[8] Opening Keynote address to the National Sustainable Food Summit, Melbourne, 5-6 April, 2011 by Dr John Williams, Commissioner, Natural Resources Commission, NSW, and Member of the Wentworth Group of Concerned Scientists
Deepwater Horizon and Fukushima
"In place of safety nets don't assume disasters won't happen at the frontiers of technology -
presume they will.
TECHNOLOGY does not inflate like a balloon, expanding human power over nature evenly in all
directions and at all scales. It grows like a sea urchin: long spines of ability radiate out towards
specific needs and desires. Some of those spines now reach dizzying distances, allowing what
would once have been impossible tasks; coaxing kilowatt hours by the million from the inner
workings of atoms, or driving tiny oil pipes miles through the crust of the Earth. But the spines
are brittle, and they stand alone. When one breaks—as happened on board the Deepwater
Horizon rig in the Gulf of Mexico a year ago, or at the Fukushima Dai-ichi nuclear plant in Japan
last month—there is no ameliorative technology on a par with that which has failed. Instead
there is floundering; there is improvisation; and there is vast damage. What was a continuous,
miraculous conduit from the depths of the Earth or the heart of the atom becomes a noxious,
tangled and inaccessible mess about which, for months, nothing can be done.
There is no way to fill in the space between the spines so that they are proof against
catastrophe, or easily fixable at any point of failure. But there are rules that can make it easier
to cope with the failures of such brittle technologies."9
Sustainability - Australian Perspective
"Today I would like to talk about four longer term trends that had been strongly influencing
economic outcomes in Australia before the onset of the Global Financial Crisis, and which are
likely to become even more influential in the next growth period. Indeed, each of these four
longer term trends is likely to have a profound impact on the Australian economy — and
Australian society — for several decades to come.
As the Global Financial Crisis hit our shores, the Australian economy was in structural transition
in response to four large, long term forces: (1) population ageing; (2) climate change
adaptation and the prospect of climate change mitigation; (3) the information and
communications technology revolution; and (4) the impact on Australia’s terms-of-trade of the
re-emergence, as global economic powers, of China and India.
Over the past year, the shockwaves from the global financial crisis have obscured the intensity
and scale of these forces. But as growth resumes, they will re-assert themselves. And, as they
do, the Australian economy will undergo a set of structural changes more profound than
anything in its history.
Just how those structural changes play out depends critically on the quality of the policy
settings and decisions taken today. None of the four forces I have identified need undermine
economic, social or environmental sustainability. Indeed, with the right decisions, one can
envisage a period of unprecedented prosperity; with less judicious decisions, however, we
could experience an extended period of extreme volatility — with no growth path proving
sustainable."10
9 Lessons from Deepwater Horizon and Fukushima, The Economist magazine, April 20th, 2011
10 Dr Ken Henry, Queensland University of Technology Business Leaders’ Forum, 22 October 2009
Terror and Consent
"The Wars against Terror have begun, but it will take some time before the nature and
composition of these wars are widely understood.
The objective of these wars is not the conquest of territory or the silencing of any particular
ideology but rather to secure the environment necessary for states of consent and to make it
impossible for our enemies to impose reduced states of terror. The source of these wars is not
Islam but rather a fundamental change in the nature of the State and its evolving relationship
to the new methods, purposes, and technologies of warfare." 11
"Almost every widely held idea we currently entertain about twenty-first century terrorism and
its relationships to the wars against terror is wrong and must be thoroughly rethought." 12
1.4. Conclusion
The new global leadership environment must be about managing risk in a wide variety of
natural and man‐made systems on which we depend for life. Systemic risks must be central as
we consider how to move forward to build a future in which our children and theirs can
prosper with confidence.
As a global society, our challenge is to rebuild faith in our ability to manage risk and thus
restore public confidence and trust.
We need a new way to manage risk and opportunity in a disorderly world. Above all, it must
have an emphasis on timeliness.
2. Hope for New Thinking
2.1. Crisis
A crisis of confidence in the existing world-view has to occur for a new way of thinking about
the world to emerge and make sense:
"Crisis is commonly understood as a DRAMATIC AND PAINFUL deviation from a well-established
norm. Reversion to the mean is, however, expected, and as soon as the old norm has been
re-established, then the crisis will be over.
One may also imagine a crisis in a very different way, as the stress that accompanies the birth
of a new state of affairs. In this view, the old order no longer exists but is largely destroyed as
our circumstances are transformed."13
2.2. Paradigm Collapse
A crisis is important because it exposes how a system is understood by policy elites. That
understanding is the paradigm on which the conduct of (system) policy is based. The paradigm
is a way of looking at the world that, in its time and place, makes sense to a group of people. As
such, it is also used to argue against calls for reform.
11 Terror and Consent: The wars of the twenty-first Century, Philip Bobbitt, 2009, Published by Alfred A. Knopf 2008
12 Ibid, pg.5
13 Out of Crisis: Rethinking our Financial Markets, David A. Westbrook, Paradigm Publishers, 2010, An Introduction to the Argument
When a paradigm (world-view) collapses, there is little reason to believe that the generation of
policy thinkers really know how to tackle the problems confronting them. Many of the old ways
of considering these problems have been compromised, or even shown to be simply wrong.
Further, a paradigm collapse is not readily addressed publicly. Without a disciplined way of
thinking about the relevant system, how are our leaders to confront the current crisis?
Something must be done but what, exactly? Absent any answers, confidence may spiral
downward.
Wicked Problems, Metaphors and Human Sensing
Governments around the world are increasingly being tasked with solving complex policy
problems the causes of which are difficult to identify and solve.
Indeed, some of these policy issues are so complex they have been called 'wicked' problems.
The term 'wicked' in this context is used not in the sense of evil but, rather, as an issue highly
resistant to resolution. Successful problem solving or managing of these so-called 'wicked'
policy problems requires a reassessment of some of the traditional ways of approaching a
problem. We need new metaphors and new language. We need to know how to use the
human sensing of the unknown or the unpredictable to meet new problems. Being able to
discriminate between unfocused fears and the genuine intuitions of what may happen is an
important weapon. When systems fail, using tried and true methods to solve the ensuing
problems is likely to fail.
Our best weapon is our creative thinking or ability to foresee.
That is, when dealing with these problems, we need to put more emphasis on being creative
and rely less on past protocols and actions. (Risk Policy Principle: 7)
2.3. Creativity
We can substitute new thinking to replace the old ways. But creativity is unpredictable under
the best of circumstances, and policy elites rarely have the skills, the inclination, the time, or
the space for real thought, much less creativity. This means creativity will more likely be found
outside our established bureaucracies.
3. New Thinking about Risk Policy and Systemic Risk
3.1. Australian Risk Policy Institute
Background
ARPI is a non-political and not-for-profit organisation formed in 2008 to promote and
encourage greater focus on risk policy in leadership, decision-making, management and policy
across all sectors in Australia and indeed globally.
ARPI was the first to formally recognise and respond to the gap in risk policy. It is the advent of
a 'policy level' approach that permits ‘unknown risks’ to be brought under management—to
wit, by managing vulnerabilities when the risks are not yet known.
Until this policy level was created, there was no means to raise the management of
vulnerabilities above the management of risks.
ARPI’s network is predicated on promoting risk policy development in the public interest.
Membership of ARPI is by invitation. All are senior professionals drawn from many different
disciplines.
Risk Policy Model – An Innovation
In 2009, ARPI and ScottCromwell Pty Ltd (a local Australian research and consultancy company)
recognised the need for new thinking, new approaches and new institutions to address major
risks and actual failures of the systems the community benefits from and relies upon. Each
recognised the benefit of working together and entered into a strategic alliance to create a new
and superior approach to addressing major risks to systems (Systemic Risk).
The initial result of that collaboration was the Risk Policy Model first released publicly in August
- The Risk Policy Model:2012 elaborates further ARPI’s response to the call from the WEF
and other international groups to rethink, redesign and rebuild systems to avoid future failures.
The Risk Policy Model will continue to evolve in response to experience as well as academic
research and development.
Risk Policy Model – An Innovation with Global Value
The Risk Policy Model and its associated methodology are founded upon an original
contribution to knowledge 14 by ScottCromwell and risk policy developed by the ARPI.
Specifically, the Risk Policy Model is based on knowledge of social networks and the manner by
which their communications lead to action; it is concerned with the networks of people and
organisations that are the organic links that both move information and govern action.
14 Predication Theory, Cromwell, 1982. Explains how Communication leads to and governs Action. Communication is taken to be the receivable portion of any
information, and information flow is the movement of that information into, along, and out of networks.
The model focuses on networking into those who know about and understand risks and
improving the time it takes to ensure that systemic risks are identified and brought under
management.
While the model can be applied to all levels of business, economic, environmental and social
risks, the priority for action is on really big risks—catastrophic risks.
The model explicitly recognises that senior managers almost never anticipate the major risk
events that imperil their organisations, while experts nearly always are able to explain in
retrospect why the disaster happened. When this happens, there is enough time for most of
the major risk treatment and avoidance (or at least mitigation) action to kick in.
The time value metric means cost (both financial and non-financial) is avoided, particularly the
cost of recovery from catastrophic events.
The Risk Policy Model represents a direct response to the call by the 2009 WEF for society to
commit and ‘rethink, redesign and rebuild’ in order to address pressing challenges and future
risks associated with economic interdependencies, governance gaps and systemic risks.
3.2. Understanding the New Thinking
Shifting the Paradigm
Our new paradigm begins with deep thinking about systems and the leveraging of networks.
We benefit from and are reliant upon the systems we have created. It is this
interconnectedness and interdependence on a network of organisations and institutions, as
well as their supporting technical systems, which magnifies the impact when whole systems
fail.
So our thinking about risk and opportunity has to shift from organisation‐centric to
network‐centric thinking and acting. (Risk Policy Principle: 4)
Second, in a rapidly changing and increasingly disorderly world, we need a new approach to
identify and assess risks. Many of the serious threats we face today seem to be of a nature and
kind not seen before. So the proper starting point from today and into the future is to think
about ‘vulnerability’. (Risk Policy Principle: 5)
Third, in our thinking about and acting upon risk, we must embrace ‘time’. Our strategic
choices about the nature and extent of possible consequences of risk, and what action we can
and should take to deal with risk, may be directly related to the time provided by early warning
and a clear understanding at what point in time a particular risk applies. (Risk Policy Principle:
9)
Finally, and most importantly, we must focus on 'outcomes'. Decisions are not outcomes:
decisions require action to become outcomes. Our most important outcome is protecting
critical systems from future failures which can spread like a contagion and potentially cause
catastrophic damage to any other systems connected to them. (Risk Policy Principle: 10)
In a business sense, focusing on outcomes means identifying and managing the right risks, at
the right time, to achieve the right business outcomes. This requires us to acknowledge the
success of systemic risk avoidance through good management. If we succeed, life will go
smoothly and no-one will be the wiser about the impending disasters we avoided.
The Notion of Risk
One of the most critical policy problems in the world right now is developing an appropriate
understanding of the distinction between risk and vulnerability. Recognising this distinction is
important because many people cannot think past risk.
New Risk Equation
The 'New Risk Equation' has been developed in response to:
a) the new relationship between threats and vulnerabilities, e.g. where
vulnerabilities are intentionally targeted, as in risks of terrorism;
b) the newly emerged crucial importance of vulnerabilities. For example, a
vulnerability may exist for which there is currently no known threat;
c) threats, which lie in the normal risks of managing any corporation forward, can
throw up unexpected 'singular' events that go unnoticed; and,
d) the fact that even the 'normal' risks do not behave normally when exposed to
each other: Nobel-prize winning physicist Philip Anderson published an article in
Science titled "More is Different" in which he pointed out that interactions
between events lead to "messy interdependence". Buchanan writes, "But Dr
Anderson's point was that interactions also lead to "emergence" -- to the
spontaneous appearance of features that cannot be traced to the character of
individual parts."15
The New Risk Equation recognises that we have to 'measure our risks' in terms of the
magnitude of the consequences if we fail to avert some threat, not in terms of the probability
of the consequences, or the chance that it might not happen. Our vulnerability, not probability,
has to define our risk. (Risk Policy Principle: 11)
The New Risk Equation states, therefore, that Risk is the concurrence of a vulnerability and a
present or imminent (matching) threat. Vulnerability has to be known (that is, recognised and
appreciated) either immediately the present threat is identified or within the time-to-impact of
an imminent threat.
Risk is measured by the Consequences of our Vulnerability to any Threat which might exploit
that Vulnerability, represented by:
R = V × T
Our task is then to identify our vulnerabilities and weigh up the risk of experiencing
consequences from new threats if we don’t do something to protect those vulnerabilities.
In the old paradigm, risk was dictated by probability, the chance of some threat being
successful. In the new paradigm, we dare not leave the protection of vulnerability to chance.
15 "Power Laws & the New Science of Complexity Management" by Mark Buchanan, strategy+business, Booz&Co, Spring 2004, Issue 34
The Notion of Consequence and its Analysis
The New Risk Equation enables analysis of consequences to inform decision-making. The
starting point for such analysis is a correct understanding of consequence. People take
consequence to mean consequence of impact. What they really mean is what's the
consequence of impact if we don't do anything? The sentence is almost never finished.
The problem is that there is a consequence if we don't do anything and partly that helps to tell
us whether we should do something. However, leadership has to address the question of
preparedness, namely: 'if this happens what are we going to do?'. What would the
consequences be of not preparing?
Further, the dynamic nature of risk means that an initial assessment of consequence is not
sufficient. Continuous input of new information and re-checking is required. This new and
re-checked information properly informs decision-making in regard to:
a) immediate, strategic response choice(s) to the risk event;
b) preparing for the risk event;
c) protecting or reducing vulnerabilities; and
d) controlling or reducing threats.
The Relationship between Opportunity, Uncertainty and Risk
We are uncertain when we don’t know what is happening or might happen and/or what to do.
Uncertainty in its broadest context applies to the future in general. It does not focus on what
can go wrong. It is about our future.
Opportunity lives in uncertainty, just as risk does. Opportunity is an uncertainty that could
result in gain or advantage. Gain and advantage are also denizens of uncertainty because they
are relative to a current state of affairs or to an opponent.
This means that opportunity is also faced with risks. The risks have to be identified early,
watched, and prepared for. Opportunity also introduces a dual set of risks: not only does the
organisation have to be watching for all of its identified risks and its areas of uncertainty (for
new risks), it also now has to be watching for anything that threatens the new opportunity.
One of the known times of increased vulnerability of an opponent or enemy is when they are
focussed on an opportunity, for at that time they will lose diligence about their established
focus. Seeing opportunity therefore is a function of leadership and vision and a product of risk
policy in practice. (Risk Policy Principle: 1)
The Nature of Systems
Our systems are the result of purposeful human activity. Humans create systems. The system is
realised through a combination of people and technology.
The system is also a network—of people, organisations and institutions, including global
organisations and institutions.
The word 'system' may be used as a term-of-art that refers to an actual, true system (e.g. the
characteristics and attributes of socio-technical systems defined by Fred Emery). The term can
also be used as a metaphor for some organised activity, in the same way that "machine" is used
as a metaphor for organised activity.
Thinking critically about systems means not only appreciating their socio-technical and network
natures. We need to understand more fundamentally that systems represent deeper,
established patterns of thought about how to see the world and make sense of it. (Risk Policy
Principle: 6)
Our thinking must incorporate both the social and economic parameters of our society.
Systemic Risk
The significance of Systemic Risk is that in complex adaptive systems, the consequences of
failure of the system can be universal. That is, everyone and everything connected to the failed
system experiences the consequences. Vulnerabilities that are identified as a result of a
thorough assessment of systemic risks cannot be corralled into one ‘affected area’ of the
system, as may be possible in cases of conventional risks.
Systemic risks may, by their nature, exist as risks inside networks. They are the risks associated
with the networks of organisations, institutions and individuals that make up such systems.
Essentially, network risk is not so much a different kind of risk but risk within a different kind of
‘place’, where ‘place’ is not necessarily a location.
Risk in this sense is spatial and temporal but not necessarily physical. Some networks permit
risks to enter the system without proper management controls, and some networks actively
exploit unmanageable ‘parts’ of systems for their own gain, regardless of the vulnerabilities of
others.
So, if we are to understand and manage systemic risks, we have to work on whole systems. This
is where and why leadership is so critical.
Working on Whole Systems
There are at least three reasons why working on whole systems may prove difficult:
a) The challenges are new because we have a greater degree of control over our social and
physical environments than has hitherto existed.
b) Because it is difficult to assess the risks involved in changing whole systems, attempts at
change are avoided. Moreover, changing systems also creates the potential to create
new systemic risks.
c) Transforming systems requires a purposeful endeavour. For such endeavours to
succeed, society needs a new way of thinking about ourselves and our proper relations
to each other in regard to our systems and systemic risk.
In sum, moving forward requires a new mindset about systemic risks. The new mindset is as
much about networks and network‐centric thinking as it is about the developing policy in which
thinking about how to move forward is uppermost.
Reconciling the System-View and Organisation-View
The core issue for the organisation is how to reconcile the ‘system-view’ with the
‘organisation-view’. The ‘system-view’ is akin to creating a virtual organisation and establishing
risk policy and risk governance over the system. The organisations which benefit from the
system then contribute to the protection of the system.
From an organisational perspective, the organisation has its own agenda, which may overlap
the system agenda at the following critical points:
a) what the organisation gains by being part of the system;
b) what the organisation contributes (including possibly to the detriment of what it might
achieve) to enable the system to avoid future failure; and
c) who takes the lead to begin the process of bringing the ‘system-view’ to the table to
begin the process of addressing systemic risk.
The first step in the journey of the organisations connected to the system is to recognise and
appreciate the value of the system.
Rethinking the Role of Government
We equally need to think through new metaphors about the role governments might play given
that the public sector around the globe is transitioning to what is increasingly called the 'public
purpose' sector.
The ‘public purpose’ sector describes a new role for the traditional public sector, as well as new
ways of combining resources and expertise from other sectors, and the public, to deliver good
outcomes for the community.
However, the power of government to regulate also implies an obligation that it be responsible
and responsive. While government might not always succeed, the virtue is to try and say we
have done our best. (Risk Policy Principle: 12)
This is certainly the case for the role of government in addressing systemic risk.
The Need for a New Civics
We need a new way of thinking about ourselves and our proper relations to each other in
regard to our systems and Systemic Risk. One way to bring this new thinking into reality
involves a 'New Civics'. (Risk Policy Principle: 8)
The reason we need the New Civics is to create a forum to help bring about dialogue, as
between citizens and business, and between citizens and government, and between business
and government. The dialogue should be about what we are doing and what we should and
shouldn't be doing in regard to our systems and Systemic Risk. The ‘New Civics’ is for a forum
for governance of the highest order.
There are a number of catalysts for such a dialogue:
a) The growing reality that government has been captured by and reduced to politics, with
citizenship being conflated to partisanship.
b) Fear of the future. What characterises the fears of the future is an almost uniform
absence of any vision for the future. Fear without a clear object of fear is not fear but
rather anxiety. Anxiety is characterised by a vague sense of threat or doom, coupled
with an often unceasing worry about 'not doing anything'. This leads to stress and poor
decision-making under pressure.
c) The challenge to match mankind's greater growing power over the natural environment
with a more advanced ability to deal with the risks. With power comes responsibility
and this entails managing risk in a more effective way than has been achieved
previously.
d) Greater clarity about moral and ethical issues if trust is to be rebuilt and risks better
managed. The implications and responsibilities for actions need to be made more
transparent and accountable. This accountability is not an after-the-fact-process.
Rather, it is based on our mutual interest in the desired outcome and also in
anticipating and avoiding catastrophe. Moreover, it means recognising the limits of our
knowledge.
To manage risks better, we must develop better methods, and a more realistic and beneficial
view of the future.
Knowing the risks we face in a climate of increasingly worrying global risks has partly to do with
understanding potential threats. But it is even more important that we understand where we
stand, and what our choices are. Much depends on having the right processes; processes for
knowing what we know and what we do not know. This helps us to understand what choices
are available. May we make the right decisions!
Effective, High Quality Leadership is Required to Move Forward
Appropriate responses to society’s apprehensions and mistrust require effective, high-quality
decision‐making from top level leaders of governments and significant organisations within
countries and internationally.
Personal relationships that develop among the decision‐makers who lead these governments
and organisations will also be critically important. Above all, we will depend upon leaders being
prepared to get out front and do something. We know that waiting for someone else to act
continues to cause increasing damage to the fabric of our society.
To establish accountability for the things that go wrong when uncertainty and risk can be
otherwise effectively dealt with requires the following four steps:
a) we need to recognize that ‘new times require new thinking’—about Risk Policy and
about the nature of Systemic Risk;
b) we need to be prepared to question the adequacy of current policies and risk
management processes and identify what needs to be done to correct deficiencies by
deepening our thinking about the very notion of risk and how risk occurs in our modern
systems;
c) we need to be prepared to accept deep change in the manner by which risks are
identified, and brought under management; and
d) we need effective, high quality leadership prepared to get out front and do something
i.e. decide a direction and issue commands. (See Figure 2).
[Figure 2 diagram; labels: LEADERSHIP; ENDANGERMENT; PROTECTION; SURVIVAL ACTION; DECISION MAKING]
Figure 2 High quality leadership is required for a paradigm shift
It is only through such a paradigm shift that businesses, governments and the public can each
succeed and global trust can be restored. This highlights the paradigm shift we are driving.
4. The Risk Policy Model Described
4.1. Our Notion of Risk and its Management
The Risk Policy Model describes the process by which entities can identify, address and treat
risk so that the impact or consequences of the risk materialising are prevented or mitigated.
Risk is an abstract event which describes the difference between something that might happen
versus leaving things as they are or doing something other than addressing the risk. This
difference is usually expressed as a cost (in lives or materiel or missed opportunity i.e. foregone
gain). That difference is stated (qualitatively) as in the difference between life or death, or
projected (quantitatively) as either a probability – of one or other thing happening — or as a
calculation of the difference (literally, the product, as in subtraction) between the one thing
happening or leaving things be, or assuming another thing will happen. Risk ceases to be an
abstraction when it materialises through the actual cost post hoc of its impact or
consequences.
ARPI’s Risk Policy Model is designed to recognise and prevent or minimise the emergence of
this reality.
4.2. The Value of Risk Policy
We have a Risk Policy because we have risks. Risk Policy confers coherence, an integrated
comprehension of risks, their identification, their consequences, and who is responsible for
attending to each activity relating to risk.
The aim of Risk Policy is to achieve desired consequences.
If we don't have a risk policy and we have risk management (only), that could lead to having
management by accident. How would we know if management has covered all the bases? How
would we know that along the way they hadn’t exposed us to other risks by the way they have
gone about it? Only Risk Policy can address these necessary assurances.
4.3. Rationale for Elevating Risk Policy
The Risk Policy Model is anchored in the understanding that to focus on risk management is to
miss the point. The targeting of ‘blame’ is correct, but the focus for ‘correction’ is to mandate
risk policy and then to use official, formal, regulatory 'findings':
a) To ‘find policy to have been in error' or
b) To ‘find policy to have been silent' or
c) To 'find policy was not implemented' or
d) To 'find that policy was incorrectly implemented'.
In the final analysis, the argument will not be over whether the risk management modus
operandi was correct, but rather whether the policy mandated that risk must be controlled or
reported immediately if it was suspected as not being controlled.
4.4. The Focus on Vulnerability rather than Probability
Our risk policy approach is based on recognising that the core assumption of modern risk
management is no longer adequate.
a) Risk is not about balancing probabilities and costs on the basis that if something is
improbable we shouldn’t spend too much on hedging against it occurring.
b) Some risks are so unthinkable the question is not about cost as such, but how to spend
to reduce vulnerability.
This approach is particularly applicable when exposed vulnerabilities threaten the whole
system because the consequences of system failure cannot be quarantined. All of the
organisations and institutions and individuals connected to the system will be affected,
sometimes with catastrophic consequences.
4.5. The Focus on Consequences and Strategic Decision-Making
From real life examples, we know that the consequences of an identified risk dictate the
management of that risk. Our Predictive Risk and Early Warning discipline uses a strategic
decision-making framework to help put in order the organisation’s approach to any identified
risk. This is because it can dictate the aim of the actions at any point in time: the aim being to
prevent, to avoid, to control.
This means that as the consequences approach the catastrophic, the strategies of 'Mitigate'
and 'Survive' are no longer of material value. The only strategies that make sense are
'Avoiding/Averting' or 'Preventing', each of which requires some measure of 'Predicting'.
In the final analysis, Likelihood and Consequences are not part of the same equation: one or
the other has to 'govern' the calculation. This represents a fundamental paradigm shift in
thinking about risk and the need to include risk policy in all future work. (Risk Policy Principle: 2)
4.6. A Whole-of-System Perspective
Our approach recognises that the true management of risk and vulnerability must come from a
perspective outside of any system. This is required for two reasons:
a) It is virtually impossible to assess the dangers to a system if the assessment accepts the
premises of that system.
b) It is vital to understand the boundaries of the system in order to assess the
consequences—both human and technical—of failure of the system and to establish
responsibility for the consequences.
4.7. Managing Risk in Systems
In terms of managing risks in systems, we know that:
a) Risk lives in the networks that make up our systems and knowledge of the risks lives
there as well.
b) No single organisation has all the knowledge of vulnerabilities and threats.
c) No single organisation has the control over 'treatment'.
d) Any protective measures must be put in place on some multi-organisation basis.
e) We have to work together because these potentially large risks have widespread
consequences, both geographically and over a long period of time.
f) Solutions will be implemented through networks of individuals, organisations and
institutions seeking to protect systems from future failures; some solutions will require
new governance arrangements capable of spanning the system.
g) Solutions will need to be forged in the reality of human systems and networks.
Risk Identification and Assessment in Systems
Risk identification and management literature suggests a number of basic functional criteria for
an effective risk intelligence system in order to provide high quality, timely, relevant
information and data into the appropriate governance structure for decision-making.
The literature advocates the following:
a) The different types of risks considered and the sources of information need to be as
comprehensive as possible.
b) The system should provide clarity about the potential causes and impacts of the risks
considered.
c) Alerts should be well-based or screened so that there is the confidence to take
decisions and actions, particularly for emergency responses.
d) The lead-time between alerts and potential events must be sufficient for the risk to be
avoided or mitigated.
e) The system should be well-documented and understood, with clear allocation of
responsibilities, and provision for regular review and refinement over time.
These organisational requirements are critical to addressing systemic risk in an increasingly
disorderly world.
The Predictive Risk and Early Warning discipline provides the basis for constructing a risk
intelligence system. This discipline underpins the Risk Policy Model.
4.8. Job of Risk Policy
The job of Risk Policy is to make sure that:
a) all known risks are recognized, identified and under management;
b) all presently unknown risks are recognized and brought under management as soon as
they are known; and
c) unknown risks are proactively looked for.
4.9. Risk Policy Model and Policy Framework
The Risk Policy Model has three integrated components:
a) Risk Policy
b) Risk Governance
c) Risk Management
The Risk Policy Model recognizes that these three elements may extend to the boundaries of
the system and reflect the collaboration necessary to prevent systemic risks from resulting in
system failure. (See Figure 3.)
[Figure 3: Risk Policy Model. Diagram labels: Risk Policy, Risk Governance, Risk Management, Whole System.]
Risk Policy
Risk policy authorises, informs, defines, drives, builds, maintains and accounts for the processes
of risk governance and risk management. (Risk Policy Principle: 3)
Risk policy resides in the domain of an organisation because it speaks to the highest level
organisational purpose about risk (and in the case of addressing systemic risk the highest level
of mutual interest in protecting the system) and because an organisation has the ability to
enforce policy decisions.
Risk policy is, in the first instance, concerned with defining the boundaries of the system for
which risks are to be identified and brought under management. The benefit of understanding
the boundaries is that it opens the door to critical thinking about the way the system currently
operates (at a deeper level of appreciation) and how new thinking both about the value of the
system to the organisation as well as through new metaphors could improve the management
of systemic risks.
Risk policy is articulated through a protection goal, clarity about the boundaries of the system,
and a set of basic principles and associated guidelines which are formulated and enforced by
the governing body.
The risk policy directs and limits actions in pursuit of the agreed long-term goal.
The Risk Policy Framework
The risk policy has a risk policy framework for building the capability to achieve the risk policy
goal within the agreed boundaries of the system.
It must have the capability to address 'What is needed' and 'Who will do it' (authority and
responsibility) in order for each step to achieve the risk policy protection goal.
The risk policy framework includes within it risk governance and risk management frameworks.
It is like the framework of a house in which there are no walls or even a roof—just the frame.
Risk policy, risk governance and risk management each operate within the framework, with the
apex at the risk policy level.
Thus, the risk policy governance framework is a component of the risk policy framework.
It is concerned about the statutory and other responsibility for the components and activities
set out in a risk policy. The risk policy governance framework is about who is responsible for
each component or activity, who is in charge of each activity, and what their authority and
responsibility (and liability) are, including the extent and/or extenuating circumstances of these
responsibilities, authorities and liabilities.
The risk governance framework pays particular attention to risks which are outside an
organisation's direct control and how these can be governed and what the limitations are and
how the implementation seeks to manage the risks (e.g. by agreement, contracts, compulsion).
The risk management framework is also a component of a risk policy framework. It is
concerned, among other things, with the rigour of the methodology for the risk intelligence
system which provides high quality, timely, relevant information and data into the governance
structure.
The risk management framework is equally concerned with the rigour of implementation and
provision for regular review and refinement over time.
'Early Warnings' are an essential part of the risk intelligence function: the capability to field,
recognise and act on early warnings is essential and must be implemented. The risk
management framework speaks to the need to warn in time to prepare and addresses 'Who
gets Warned', under 'What circumstances', by 'Whom', and 'When', and 'How'. Where the
capability needs to field early warnings from other organisations the risk management
framework would address implementation of this capability.
The risk policy framework provides the guidance for the design, establishment and on-going
operation of risk governance and risk management functions both within an organisation and
across a network.
Risk Governance
'Risk Governance' is an assurance process. First, it operates within a network or organisation to
proactively ensure the articulation, adoption and implementation of risk policy in an effective,
robust and compliant manner. Secondly, it provides an independent review process to confirm
that risk policy and risk management have operated as intended, and to identify continuous
improvement opportunities.
Risk governance is concerned with achieving the requisite collaboration across the network of
organisations and institutions that make up the system to enable risks in the system to be
identified and brought under management. The design and establishment of the risk
governance mechanism has to be fit for this purpose. This may entail the establishment of an
entity to enable the required information sharing and co-ordinated actions.
The risk policy governance mechanism achieves the risk policy through (distributed) risk
management.
Risk Management
Risk management forms part of policy, leadership and management decision-making and
implementation processes to help achieve our goals, objectives and outcomes. It takes into
account possible impacts and implications during the conception, design, development and
implementation of decisions, including effects on stakeholders and other risks.
Risk management is also part of security and emergency planning and early warning processes
in relation to identifying vulnerabilities and systemic risks, and also concerning prevention,
avoidance, mitigation and indeed survival as well as network collaboration in relation to
possible future events ranging from minor to catastrophic in local and global impact.
Risk management is a collaborative, distributed function operating across the system. The aim
of risk management is to identify and bring risks affecting the system under management. The
knowledge of risk lives in the network of organisations and institutions that make up the
system.
In order for the risk management function to operate efficiently and effectively it requires a risk
management methodology for identifying and assessing risks, initiating alerts and informing
strategic choice decision-making and action. The supporting methodology must be
fit-for-purpose and be implemented with rigour recognising that the risks being addressed are
potentially catastrophic for the system and organisation.
In sum, risk management is a process to identify and manage uncertainties to advantage.
It operates in real time within the context of risk policy and utilising risk governance to
maximise the value of early warning time. (See Figure 4.)
[Figure 4: Risk Policy Model in Action. Diagram labels: Strategic Choices (Predict/Prevent, Avoid/Avert, Mitigate, Survive); Risk Policy; Actions (Protect Vulnerabilities, Control or Reduce Threats, Preparedness & Response); Plan & Implement; Threat Actor; Threat; Vulnerability; Entity/Asset; Risk; Event; Impact; Consequences; Alerts & Warnings; Information & Warnings (Listening: receiving information, understanding it, understanding the implications); The Community & its Environment.]
Summary
The Risk Policy Model is an innovation of global value responding to the need for new thinking
about how to successfully address the challenge of systemic risk. At the core of Risk Policy
thinking are the following propositions:
- We have a Risk Policy because we have risks. Risk policy confers coherence, an
integrated comprehension of risks, their identification, their consequences, and who is
responsible for attending to each activity around risk. Protection is what risk policy
speaks to and is for. Every risk policy protects something. Governance of risks is
informed and guided by the risk policy and measured against fitness for purpose criteria
in respect of the risk policy. Risk Management is the manner by which the Risk
Governance achieves the risk policy reliant upon a rigorous framework implemented
with rigor. This structure applies equally within an organisation, and within a network to
its widest reaches (that is, a global network).
If we don't have a risk policy and we have risk management (only), that could lead to
having management by accident. How would we know if management has covered all
the bases? How would we know that along the way they hadn’t exposed us to other
risks by the way they have gone about it? Only risk policy can address these necessary
assurances.
- The development of an appropriate understanding of the distinction between Risk and
Vulnerability is one of the most pressing and immediate policy problems in the world.
- The true management of risk and vulnerability must come from (a view taken) outside
any system. This is required for two reasons:
a) it is virtually impossible to assess the dangers to a system if the assessment
accepts the premises of that system; and
b) it is vital to understand the boundaries of the system in order to assess the
consequences—human, technical and environmental—of failure of the system
and to establish responsibility for the consequences.
- The core assumption of modern risk management is no longer adequate:
a) risk is not about balancing probabilities and costs on the basis that if something
is improbable we shouldn’t spend too much; and
b) some risks are so unthinkable the question is not cost but how to spend to
reduce vulnerability.
- Risk is based in vulnerability and concerned with consequences. The aim of risk policy is
to increase the resilience of our systems.
- Risk policy is both a journey and a destination: a science and an art. In our journey, we
will start looking ahead and becoming more practiced; we will find more and more risks
being notified, and dealt with more effectively; we will improve our policy through
having to organise for new risks and new types of risks. We will find ourselves becoming
members of a network community of discourse about risk policy, probably as the result
of being initially approached by others who are already members as we each become
aware of the new mutual interest we share. This is particularly the case where the
exposed vulnerabilities threaten the whole system. The consequences of such system
failures cannot be quarantined; all connected to the system are affected, sometimes
with catastrophic consequences.
ARPI’s release of its ‘Risk Policy Model:2012’ provides:
- An appreciation of crisis and paradigm collapse as these affect systems and our thinking
about response to such events.
- Deeper understanding of the new thinking about risk policy and systemic risk
specifically addressing:
a) the notion of risk, the new risk equation, the notion of consequence and its
analysis and the value of risk policy;
b) the relationship between opportunity, uncertainty and risk;
c) the nature of systems and systemic risk;
d) working on whole systems and managing risk in systems;
e) reconciliation of the system-view and organisation-view;
f) rethinking the role of government and the need for a ‘New Civics’; and
g) the need for effective, high quality leadership.
- An introduction to the conceptual innovation and critical role of risk policy, the Risk
Policy Model and Risk Policy Framework. The Risk Policy Model separates Risk Policy,
Risk Governance and Risk Management reflecting the reality of identifying and
managing risk in systems.
Conclusion
We have identified a decline in our sense of order and certainty under the strain of change,
from expected as well as unanticipated sources. We have noted the erosion of public
confidence as well as the loss of trust in our ability to manage properly all the risks in our
environment as a result of the GFC and other recent catastrophes.
These recent crises point to a world of interconnected and interdependent networks of
organisations, governments, and institutions. Risk lives in these networks and the knowledge of
these risks lives there as well. We have argued that collaboration at many levels is required to
access this risk knowledge. Equally, we suggest that required solutions to improve risk
management will be implemented through networks.
It is clear that management’s inclination and ability to devote people and money to dealing
with risks are declining at the very time when the risks are growing. The reasons for these
circumstances include inherent conflicts, competition, short-term thinking and cultural issues.
Accordingly, a new way to identify and manage risks in a disorderly world is needed. This new
way must also place an emphasis on timeliness. It is beyond dispute that society must be
protected from system failures, and provided with assurances that the failures of risk
management are being addressed.
ARPI’s Risk Policy Model addresses these challenges. It provides a suitable policy framework to
guide leader behaviour and enhance performance in risk governance and risk management
through the rigorous implementation of its key risk policy principles.
We believe that this new response to global uncertainty provides the greatest hope, where:
a) the ability to go forward rests in our ability to work together; and
b) our recognition of the possibility of working together requires sharing a common future.
In order to achieve that shared future, mutuality becomes vital. We need to share each other’s
risks and recognise and protect each other’s vulnerabilities. Our global society needs to rebuild
faith in our ability to manage risk and build more sustainable, enduring systems, and so restore
public confidence and trust.
ARPI’s Risk Policy Model elevates risk policy and shifts risk management onto a solid footing so
damaging system failures can be prevented. The key messages about risk policy are shown in
Attachment A.
This Risk Policy Model:2012 will be followed by an Implementation Guideline supplemented by
an Introduction to Terminology as well as Practice Notes. ARPI will also be producing a mix of
master classes and other educational and networking initiatives.
Attachment A: Key Messages about Risk Policy
1. We have a risk policy because we have risks. Risk policy confers coherence, an
integrated comprehension of risks, their identification, their consequences, and who
is responsible for attending to each activity relating to risk.
2. Current risk management practices have failed to protect the interests of a very large
number of people worldwide in government, industry and society. We simply cannot go
on perpetuating these past failures.
3. We live in an increasingly uncertain and disorderly world. A new way to manage risk
is needed. Above all, it must have an emphasis on timeliness.
4. Many of the serious threats we face today seem to be of a nature and kind not seen
before.
5. Understanding the distinction between Risk and Vulnerability is one of the most
pressing policy problems in the world right now.
6. Risk policy enables you to manage vulnerabilities when the risks are not yet known.
7. The true management of risk and vulnerability must come from (a view taken)
outside any system. This is required for two reasons:
a) it is virtually impossible to assess the dangers to a system if the assessment
accepts the premises of that system; and
b) it is vital to understand the boundaries of the system in order to assess the
consequences—human, technical and environmental—of failure of the system
and to establish responsibility for the consequences.
8. The core assumption of modern risk management is no longer adequate:
a) risk is not about balancing probabilities and costs on the basis that if something
is improbable we shouldn’t spend too much; and
b) some risks are so unthinkable the question is not cost but how to spend to
reduce vulnerability.
9. Likelihood and consequences cannot be in the same formula: one or the other has
to 'govern' the calculation. This represents a fundamental paradigm shift in thinking
about risk and the need to include risk policy in all future work.
10. Risk is based in vulnerability and concerned with consequences. The aim of risk
policy is to increase the resilience of our systems.
11. The time value metric of risk policy is avoided cost (both financial and
non-financial), particularly the cost of recovery from catastrophic events.
12. One of the primary catalysts (for a new way of thinking about ourselves and our
proper relationships to each other) is the growing reality that government has been
captured and thence reduced to politics, and citizenship has been conflicted with
partisanship.
13. What characterises the fears of the future is an almost uniform absence of any
vision for the future.
14. Policy elites rarely have the skills, the inclination, the time, or the space for real
thought, much less creativity. Such creativity will more likely be found outside our
established bureaucracies.
15. The best weapon (we have) is our creative thinking or people's ability to foresee.
16. Risk policy is both a journey and a destination: a science and an art.
Address
1/1 Taylor Street
Moorabbin Victoria 3189
Australia
Postal Address
PO Box 295
Mawson, ACT
2607, Australia
Email: inquiry@arpi.org.au
www.arpi.org.au
© Australian Risk Policy Institute Inc. (ARPI).
All Rights Reserved. Reproduction in any format requires
prior written approval of ARPI