Managing Emerging Critical Risks

Regarding overall risk management capacities, Ireland participates actively in the OECD High Level Risk Forum, a body of the OECD which facilitates dialogue and exchange of effective practices in public governance for the management of risks and crises.

In 2023, the Public Governance Committee published a report (OECD, 2023[1]) on the implementation of the OECD Recommendation on the Governance of Critical Risks [OECD/LEGAL/0405] (“the Recommendation”). Among the findings of the Report were frameworks and practices undertaken by Ireland to enhance its risk management capabilities, particularly in financial readiness and communication strategies.

In October 2019, Ireland initiated the National Surplus (Exceptional Contingencies) Reserve Fund (NRF), aimed at improving the predictability of funding for emergency response and recovery across government departments and agencies. The fund was initially endowed with €1.5 billion transferred from the Ireland Strategic Investment Fund in November 2019. The Minister for Finance was tasked with allocating an additional €500 million annually from 2019 through 2023 from the Central Fund or its generated income. However, the COVID-19 pandemic necessitated a redirection of resources, with €1.5 billion withdrawn in October 2020 to support the government's pandemic response efforts. In subsequent years, replenishments continued with the Oireachtas (Ireland’s parliament) approving a transfer of €1.5 billion in 2022 and €3.5 billion in 2023, bringing the total contributions to the NRF to €6 billion by 2023 (Department of the Taoiseach, 2023[2]); Minister McGrath announces €4 billion transfer to the National Reserve Fund).

Furthermore, Ireland’s capacity for disaster risk management is supported through potential financial aid from the European Union Solidarity Fund, which aids EU Member States when the financial impacts of disasters surpass certain thresholds. The fund is designed primarily for major disasters but also extends assistance to regional disasters that fulfil specific criteria, thereby ensuring timely support for affected areas ("Ireland’s Strategic Emergency Management: National Structures and Framework").

On communication, Ireland employs regular public information campaigns to inform its population and businesses about critical risks. These campaigns, which are conducted seasonally, aim to boost societal resilience by making risk information accessible to diverse communities, sectors, and industries. Additionally, the incorporation of audience and behavioural insights into communication strategies is highlighted as a best practice. A notable initiative includes a public survey that assesses the population's understanding of national risk environments. The feedback from this survey helps identify knowledge gaps and refines the government's information campaigns, making them more targeted and effective (McMullan, 2024[3]), (Government of Ireland, 2022[4]).

Ireland also provides specific guidance to government entities and operators of essential services on identifying critical infrastructure. This guidance adopts a risk-based approach that prioritises societal impact over the potential losses to infrastructure owners. This policy helps ensure that the most crucial services remain operational during crises, safeguarding Irish society from significant disruptions (Office of Emergency Planning, 2021[5]).

Additionally, to address the challenges faced by households and small businesses in securing affordable insurance in flood-prone areas, a collaborative effort between Insurance Ireland and the Office of Public Works (OPW) has been established. They have entered into a Memorandum of Understanding for sharing information on flood defence measures, which aids insurance companies in evaluating the effectiveness of these protections. This agreement aims to improve the availability of insurance coverage for those benefitting from government flood protection works, thereby enhancing community resilience against such risks (Office of Public Works, 2020[6]), (Central Bank of Ireland, 2024[7]).

Ireland's governance system for managing emerging risks is structured around several key elements and institutions. Central to these are two processes and reports bearing the same name: National Risk Assessment. A comparison of these two is shown in Table 2.1.

National Risk Assessment Overview of Strategic Risks: the Taoiseach’s Office conducts a National Risk Assessment and produces a report (“NRA-Taoiseach’s”) which serves as a foundational document for identifying and categorising emerging risks across various domains, including social, economic, environmental, and technological risks. It has been produced almost annually1 since 2014 and involves horizon scanning to anticipate future challenges. The latest version was published in 2024.

National Risk Assessment for Ireland: the Department of Defence conducts a National Risk Assessment process over a three-year cycle and produces a report (“NRA-Defence”), drawing on NRA-Taoiseach’s and contributing to it in turn. The Department of Defence’s process evaluates the national risks facing Ireland with inputs from government departments, experts, and public consultation. It outlines various threats structured under 4 categories: Civil, Technological, Natural and Transportation. The latest version was published in March 2024. The process by which it was produced is outlined in Figure 2.1.

Strategic Emergency Management (SEM) National Structures and Framework: This document outlines Ireland's national emergency management framework, providing a systems approach for handling national-level emergencies that focusses on risk assessment, risk management, planning and preparedness, response and recovery. It defines structures for co-ordinating a "whole-of-Government" response, detailing roles and responsibilities, and is complemented by Strategic Emergency Management (SEM) Guidelines. It aims to protect public welfare, minimise societal disruption, and enhance resilience during diverse emergencies requiring national-level co-ordination (Department of Defence, 2017[8]).

Government departments: as part of the NRA-Defence process, all government departments and their relevant agencies submitted to the Office of Emergency Planning a listing of risks which, in their expert view, had the potential to trigger a national level emergency.

Civil Service Management Board (CSMB): composed of the heads of all government departments, the CSMB provides a route for integrating risk management into the broader governmental framework. The Board also plays a role in reviewing the NRA-Taoiseach’s, while validating the findings.

Integration with research: an emphasis on linking policy with academic research expands the knowledge base supporting risk management, including an academic expert in the working group on risk assessment for the NRA-Defence process.

The Department of Defence collaborates with Dublin City University to ensure latest academic research is incorporated into the process. The Department of Defence currently leads an EU-funded research project to develop innovative methodologies to enhance future risk assessments and avoid duplication of effort. RISKS, funded by DG-REFORM, is designed to integrate the requirements of the Critical Entities Resilience Directive into an enhanced National Risk Assessment process.

Additionally, the department has recently completed a DG-ECHO funded research project with research led by Dublin City University. FUTUREPROOF-IE was aimed at enhancing the NRA-Defence process by incorporating horizon scanning to identify potential future risks which may develop into national-level emergencies.

Horizon scanning: processes and tools for horizon scanning have been delivered through the FUTUREPROOF-IE project for the purpose of identifying emerging risks. A review of practices in private firms and other governments highlighted how horizon scanning was implemented in those settings.

National Disaster Risk Management Capabilities Assessment: This document assesses Ireland's national disaster risk management capabilities. It evaluates prevention, preparedness, and response measures across the disaster management cycle, identifies capability gaps, and proposes improvements in co-ordination and methodology. The report aligns with EU guidelines and aims to strengthen Ireland's resilience and collaboration within the EU on risk management (Office of Emergency Planning, 2021[5]).

Department of the Taoiseach: as centre of government, the Department of the Taoiseach produces its NRA process and co-ordinates the review process as well as the consultation on and dissemination of the report.

Minister for Defence: as chair of the Government Task Force on Emergency Planning (GTF), the Minister for Defence provides political oversight for the co-ordination of strategic emergency planning arrangements across government. At the time of this study, the Minister of Defence also occupies the post of Tánaiste (equivalent of deputy prime minister in Ireland).

Office of Emergency Planning: the OEP supports the Minister for Defence in his role as chair of the Government Task Force on Emergency Planning. It has an oversight function on strategic, cross-government emergency planning arrangements and supports the Minister for Defence in preparing an annual report to government on emergency planning. The Office of Emergency Planning also co-ordinates public information campaigns aimed at enhancing societal resilience and preparedness against potential crises.

Government Task Force on Emergency Planning: with membership at senior official level from every government department and relevant agencies together with senior officers from the Defence Forces and the Garda Síochána (Ireland’s National Police and Security Service), the GTF co-ordinates strategic emergency planning arrangements across government. It examines policy issues, any current risks and ensures that information is shared across government.

GTF Subgroup on Risk: the Subgroup on Risk is a permanent subgroup of the GTF. The Office of Emergency Planning chairs the subgroup. Its aim is to prepare the NRA-Defence report for approval of the Government Task Force on Emergency Planning for submission to Government and for subsequent reporting to the EU. Additionally, this group prepares the National Assessment of Risk Management Capabilities report.

NRA-Taoiseach’s Steering Group: a steering group is convened for each NRA-Taoiseach’s cycle for the Taoiseach’s Office, involving representatives from various government departments and agencies. This group is tasked with overseeing the strategic risk assessment process managed under the Taoiseach’s Department and ensuring that the risk identification process is comprehensive and involves key stakeholders.

Departmental autonomy: responsibilities for risk management are distributed across various government departments, which report emerging risks and their management strategies through the GTF on a regular basis.

Below are the two sets of risks identified in the most recent editions of the two NRA processes. Items with substantial overlap are identified in bold.

Ireland’s system is leading with respect to identifying emerging critical risks.

Processes: the existence of at least two processes—the two National Risk Assessments—offers multiple opportunities to identify emerging critical risks, by diversifying methodologies, sources of knowledge, and the timing of the exercises. Emerging risks are explicitly addressed in both documents (Department of Defence, Ireland, 2023[9]) (Department of the Taoiseach, 2024[10]).

The recurring nature of the NRA-Taoiseach’s process, with nine reports in ten years, is indication of an established process, and the latest edition contains reflections on how certain risk categories have evolved in that time. This implies recognition of the evolving nature of risks, and there is a note that “many commentators have concluded that risks and shocks are now occurring more frequently” (Department of the Taoiseach, 2024[10]), although the analysis is entitled “A Look Back” and misses the opportunity to cast light on how future circumstances could give rise to emerging critical risks.

The NRA-Defence process is also a recurring undertaking, and identifies emerging critical risks by combining horizon scanning, consultation with management (especially through the GTF), expert focus groups, and public surveys.

Methodologies: approaches such as desk research and automated review of news feeds have been implemented. The FUTUREPROOF-IE report sets a framework incorporating scenario planning and horizon scanning to detect early signals of emerging risks: "The foresight framework is designed to identify early signals of potential future disruptions" (McMullan, 2024[3]).

There is evidence that the horizon scanning outlined in the FUTUREPROOF-IE study “allowed for horizon scanning to be integrated into the updated process” (Department of Defence, Ireland, 2023[9]). The recommendations of FUTUREPROOF-IE are featured into the standard agenda of GTF meetings where departments and agencies are invited to present on early warning signals related to new emerging risks as part of the emerging risk management process.

Academic expertise: experts from academia are consulted in at least two major ways: process design and content. On process design, methodological expertise is indicated by the inclusion of horizon scanning as an explicit phase in the NRA processes. On content, the NRA-Defence report included academic expertise in the OEP Risk Working Group.

A current initiative is to provide individuals within the public service responsible for identification of emerging critical risk with explicit education or training to do so:

We have improved the quality of input from government departments through training and cross-departmental exercises. We are developing micro-credentials for Government Task Force members to enhance their understanding of emergency management and risk management. Additionally, our university partnerships […], help embed these standards into educational programmes, ensuring a ripple effect in emergency management practices. (Interview IE-3)

A possible area for improvement could be the development of a competency framework for identifying emerging critical risk, with consideration of which capabilities are required in-house, and which are to be sourced from academia.

Consultations: consultation with experts from agencies, private sector, and civil society is evidenced in both risk-identification processes. Public consultations have also been used in the latest rounds of both NRA processes.

The NRA-Taoiseach’s document has used public consultations since the beginning to refine its risk identification. An interdepartmental group initiated a draft of strategic risks, which was then opened to public feedback. This process not only includes inputs from the public, but also private sector representatives, and Oireachtas members. The result is also aligned with the methodologies used by the World Economic Forum in its global risks reports, used as a cross-check for the comprehensiveness of the risk list.

The consultation process for the NRA-Taoiseach’s in Ireland involved a diverse range of stakeholders2, including:

• Government agencies

• Non-Governmental Organisations (NGOs)

• Business groups

• Trade unions

• Representative groups

• Members of the public

• Members of the Oireachtas (the Irish Parliament)

The NRA-Defence process undertook consultation in an indirect manner, through the FUTUREPROOF-IE process. Here, the Office of Emergency Planning facilitated a public survey designed and analysed by the Business and Society Research Team at DCU Business School. This survey allowed the public to rate the 22 risks identified by expert groups.

Cross-Reference with other reports: the risk identification processes also refer to other sources to seek a broader governmental perspective into the risk assessment.

The NRA-Defence report has sought “greater integration” with the NRA-Taoiseach’s findings, which helped “to identify any strategic risks which could be defined as key national level risks and any emerging risks which could become key national level risks in the medium to long term” (Department of Defence, Ireland, 2023[9]). The process also adheres to a continuous improvement framework (Office of Emergency Planning, 2021[5]) which evaluates and updates the risk assessment process, including horizon scanning for emergent risks in line with EU Reporting Guidelines on Disaster Risk Management (Department of Defence, Ireland, 2023[9]).

Both NRA processes refer to the use of OECD research, particularly strategic foresight exercises carried out at the High Level Risk Forum, as sources of knowledge for the risk identification and assessment process.

Ireland is established in assessing emerging critical risks, while leading in sharing of information.

Assessment: for familiar risks, the NRA-Defence process undertakes a risk assessment process with a typical impact-probability matrix, developed through Expert Focus Groups, who receive a training session prior to attending. From there, emerging risks are explicitly considered in terms of their level of confidence and conditions on emergence. The intention is for all departments to develop horizon scanning tools to detect the earliest indicators of risk emergence or maturation. However one public servant consulted stated that this practice is not embedded across departments and agencies.

Once confirmed, [departments] must recommend whether to escalate the risk into the NRA process, maintain it as an emerging risk, or remove it.

According to the report, “consideration was also given to horizon scanning for potential emerging risks, with each Expert Focus Group considering this within their specialist areas”, however two potential gaps can be identified here:

• Expert-silo bias: due to their cross-cutting nature, emerging critical risks may fall outside the specialist areas of all the experts present, hence this limit may hinder the effective identification and assessment of certain emerging critical risks.

• Time-silo bias: the report defines emerging risks as “not yet ready for full risk assessment, but likely to emerge in the medium to long-term”, conflating the notion of ‘emerging’ with ‘delayed’. As a result, while the traditional probability-impact assessment may not apply to certain emerging critical risks, failure to assess them at all on the assumption that it is too early to do so may mean missing critical risks that emerge rapidly, for example over the course of just a few days.

Interdepartmental co-ordination: the structured interactions between the GTF, Steering Group, and various agencies have resulted in extensive contribution from government departments to risk identification processes in both NRA reports. The two NRA reports reference each other, and interviewees highlighted the processes of consultation and collaboration between departments, demonstrating the information sharing between the departments leading the work:

We operate a Lead Government Department approach to managing risks, whether mature or emerging […]. These departments must assess the maturity of risk management for each identified risk and identify any gaps, such as knowledge or responsibility gaps. For instance, an emerging risk might fall under both agriculture and health, requiring collaboration and information sharing between departments […] These recommendations are captured in emerging risk reports submitted to the government task force via the Office of Emergency Planning. (Interview IE-3)

In an interview with a government official (Interview IE-1), stage one of the NRA-Defence process was referenced as the point where all departments and agencies of the GTF are requested to submit risks from their corporate risk register that have the potential to trigger strategic emergency co-ordination structures. Departments and agencies are explicitly asked to focus on risks which could be considered emerging and critical.

While the outputs of the NRA-defence process is a requirement of Decision 1313/2013/EU, neither risk assessment processes are enshrined in domestic regulation or legislation. Therefore departmental engagement and methodologies are dependent on resources and trust in the processes. Furthermore, despite structured processes, officials noted that there is no standardisation or centrally led quality control on how departments and agencies prepare their inputs.

Ireland has an established approach in assessing management maturity and identifying gap areas.

Management: the Tánaiste and Minister of Defence in his foreword for the NRA-Defence report refers to the process as “part of the state’s risk management strategy”, a reference to the management of risk as laid out in the National Assessment of Risk Management Capabilities Report (Office of Emergency Planning, 2021[5]). Additionally, SEM requires specific planning and preparedness arrangements for each lead government department, which is vital to the state’s risk management capability (Department of Defence, 2017[8]).

The CSMB has the opportunity to use its input into and reflections on the NRA-Taoiseach’s process for assessing management maturity and identifying gaps. However, the specifics on which members of the CSMB actually undertake such efforts, or even leadership’s acknowledgement of changes needed were not available for this case study:

The weakness in the system is that we don't have reach inside in the departments to see how they're doing their emerging risk forecasting, who's doing it, and what the level of commitment and study is and what the level of expertise is we have to take. (Interview IE-1)

Alignment with international best practices: in the NRA-Defence report, references to OECD work underscore the alignment of Ireland's risk assessment processes with international standards. The document details how the NRA framework incorporates insights and methodologies adapted from OECD publications on risk management. Specifically, the NRA-Defence process reflects guidelines and recommendations from the OECD on structuring comprehensive risk assessments and emergency management frameworks (Department of Defence, Ireland, 2023[9]).

Lessons learned: a public servant interviewed (Interview IE-2) mentioned using the previous year's NRA-Taoiseach’s document as a basis for public consultations to gather input and identify gaps in current risk management strategies. However, there is no concrete evidence of a codified process for this to systematically take place. The “Look Back” in the NRA-Taoiseach’s document in 2024 is entirely content-focused, and misses the opportunity to reflect on and identify gaps and improvements in the process of risk identification and assessment.

In the interest of continuous improvement and in line with the EU Reporting Guidelines on Disaster Risk Management, Art. 6(1)d of Decision No 1313/2013/EU, enhancements were introduced to the 2023 NRA-Defence process. These included impact criteria, horizon scanning and emerging risks, and enhanced public input (Department of Defence, Ireland, 2023[9]).

Ireland’s prioritisation of emerging critical risks and development of recommendations for their management are progressing.

Prioritisation: in the NRA-Defence report, the prioritisation of risks is structured around evaluating risks based on their likelihood and potential impact, using criteria defined in the National Risk Matrix. The integration of expert group findings with public opinion, as gathered through the public survey, facilitates a prioritisation that reflects both expert knowledge and societal concerns. Risks are categorised and prioritised into key areas such as Natural, Technological, Civil, and Transportation, each with specific risk scenarios that are assessed to determine their national-level significance and the required response measures.

The NRA-Taoiseach’s process employs a collaborative approach to prioritising risks by first developing an initial set of strategic risks through an interdepartmental group. These risks are then presented all together, without further prioritisation, leaving the government departments and others who are the audience of the report to determine their own prioritisation method.

The NRA-Defence process assigns a confidence level to each key risk, reflecting the quality and quantity of data available:

In step four of our process, departments develop and prioritise recommendations for managing uncertainty, following OECD recommendations by adopting an all-hazards approach. This allows us to manage under deeply uncertain conditions by addressing reasonable worst-case scenarios or utilising the all-hazards approach when scenarios are less defined. (Interview IE-3)

However in the case of emerging risks, which generally lack sufficient data for a formal characterisation, no categorisation is made. Instead the risk is flagged for monitoring and reporting by the Lead Government Department as indicated above.

Development of recommendations: the NRA-Taoiseach’s report explicitly excludes the provision of recommendations for managing risks identified, highlighting the autonomy of lead government departments in developing their own response plans. It also does not assign responsibility for those response plans.

The NRA-Defence report under each risk highlights plans and policies in place, such as “cross-border cooperation with European States” or “close cooperation” with international organisations to monitor the potential emergence of risks. The report states that “The next step in this process will be to commence an assessment of the State’s risk management capabilities for dealing with the key risks identified in the National Risk Assessment for Ireland 2023” (Department of Defence, Ireland, 2023[9]).

In addition, there are 50 emergency/crisis types identified in Annex A of SEM, with Lead Government Department (LGD) responsibility identified for each emergency type. This results in eight government departments having LGD responsibilities. SEM requires each one of the eight Lead Government Departments to have scenario-specific plans for each risk, and a generic emergency response plan for all other crises (Department of Defence, 2017[8]).

As a result of the FUTUREPROOF-IE report (McMullan, 2024[3]) the following recommendations are reported to have been implemented, according to an interview (IE-3) conducted in late 2024:

• Lead Government Departments report on any changes in emerging risks at each GTF meeting to:

• Remove the risk if it no longer qualifies as emerging,

• Confirm that it remains a threat but is still maturing,

• Move it into the formal risk assessment process.

• The Expert Focus Group methodology of the NRA would be activated if an emerging risk materialised, with the risk documented as an annex to the NRA.

• Lead Government Departments report any newly identified emerging risks since the last GTF meeting.

The preparation of these reports by Lead Government Departments covers Steps 2, 3, 4, and 6 of the 7-Step Process for Identifying and Managing Emerging National Risks set forth in the Framework.

Coping with uncertainty: the lack of alternative to the characterisation process in the case of emerging critical risks is a gap in the Irish state’s ability to cope with uncertainty. Approaches and disciplines such as Decision-Making Under Deep Uncertainty (Marchau, 2019[11]) and strategic reframing (Wilkinson, 2016[12]) have been developed for this purpose. However no evidence was found of such approaches and disciplines in use in Ireland’s development of recommendations for managing emerging critical risks.

Ireland’s use of emerging risk exercises is nascent.

Mixed information: despite indication in the questionnaire that regular emerging risk exercises may take place, followed by comprehensive after-action reviews leading to actionable insights and lessons learned, one senior official indicated a lack of knowledge about running such exercises.

The exercising of it is something that we haven't grasped […] How do you exercise an emerging risk? (Interview IE-1)

FUTUREPROOF-IE included the following recommendations on emerging critical risk exercises:

• Lead Government Departments devise a 3-year training and exercise programme covering Reasonable Worst-Case Scenarios related to each key risk they manage, to ensure current arrangements are effective.

• Key individuals involved in risk or emergency management receive role-specific training in preparation for scenario-based exercises.

• The training and exercise programme test all technical, logistical, administrative, procedural, and operational aspects of response and recovery, including the adequacy of arrangements, infrastructure, roles, responsibilities, and incident management locations, along with any necessary technology and telecommunications.

• Exercises include workshops, tabletop simulations, or live scenarios, potentially in collaboration with third-party organisations.

• Tabletop exercises are used to evaluate emerging risks, based on lessons from prior emergency management.

• Exercises serve to identify gaps and generate recommendations for ongoing improvements in national risk management.

Documentation of the implementation of these recommendations, such as audits, oversight reviews, or curricula from training programmes, was not available for this case study at the time of writing.

The NRA-Defence report states that work planned for 2024 “will further inform the prioritised training and exercise programmes of the government departments responsible for […] key risks” (Department of Defence, Ireland, 2023[9]), though it is left implicit in that report that emerging critical risks could be included among these.

This case study found insufficient data to draw meaningful inferences about how Ireland develops flexible and adaptable strategic plans for emerging risks.

Questionnaire and interview responses indicate that plans for managing some emerging risks but not others are regularly produced according to an established cycle and have clear accountability bodies that follow their implementation, and that responsible for actions in the strategic plans generally have the necessary powers and authorities and there is a governance structure to oversee the execution of risk management plans.

Documentation obtained to date goes only as far as the identification, assessment, and prioritisation phases. The attribution of responsibility for certain risk areas to government departments, with a high degree of autonomy, may explain why there was little awareness among interviewees from the Taoiseach’s and Defence Departments of what those strategic plans entail. Templates for reporting on the development of strategic plans to the GTF are included in FUTUREPROOF-IE (McMullan, 2024[3]), and officials confirmed that these are now in use since June 2024.

Ireland has a progressing level of maturity in implementing recommendations.

Ownership of emerging critical risks: the NRA-Taoiseach’s process does not set out to assign ownership of risks or detail how risks are to be managed, implying autonomy for lead government departments to assess and manage their specific risk areas: "The National Risk Assessment does not assign ownership of risks or how risks are to be managed" (Department of Defence, Ireland, 2023[9]).

In contrast, the NRA-Defence process, operating the Lead Government Department approach mentioned above, assigns responsibility for implementing recommendations accordingly.

Reporting: interviewee testimony and documentation (Department of the Taoiseach, 2024[10]) indicate that findings from the NRA-Taoiseach’s process are considered at high levels, including being laid before the Oireachtas and discussed in cabinet meetings. However, these findings do not necessarily constitute recommendations on the management of emerging critical risks, and specific details on the implementation of these recommendations are not provided in depth.

When it comes to the management of the emerging risks that have been identified through this process, they go back to the departments, and the departments then now have to research and they fill in an emerging risk template, and they report that to the government task force on emergency planning. (Interview IE-1)

This testimony was corroborated by another interviewee:

Our emerging risk exercise templates require departments to outline their horizon scanning tools and processes, ensuring they can identify and track emerging risks effectively. These exercises are part of our strategy to manage emerging risks comprehensively. (Interview IE-3)

From the NRA-Defence report, the role of the template is primarily in the identification and assessment phases of risk (Department of Defence, Ireland, 2023[9]) and in the continued management of the emerging risk as the template is used by lead departments to report on the progress of the emerging risk at GTF meetings..

Improvement plans: both reports indicate efforts undertaken to improve their processes, such as through broadening consultation, increasing expert involvement, or improving methodologies, as outlined above. However, these improvements tend to focus around areas where Ireland is already performing relatively strongly: identifying and sharing information on emerging critical risk.

The recommendations of the FUTUREPROOF-IE are much further reaching by covering or at least referencing all the steps of the Framework. Interview testimony indicates that these recommendations are now in effect.

Ireland’s anticipation and management of emerging critical risks is heavily focused on risk identification, with two established processes and associated studies and consultations forming an ecosystem that produces regular, well researched, and somewhat detailed risk analyses. Knowledge is shared through formal consultations, including with academia, business, civil society, and the public. Co-ordination between government departments and in the broader public service is facilitated by regular meetings, as well as by presenting the reports to the Oireachtas. In all the above processes, conventional risk assessment processes are expanded or adapted for consideration of emerging critical risks. Commitment of senior leadership is demonstrated in official statements by the Taoiseach and the Minister of Defence, who also occupies the post of Tánaiste.

Comprehensive risk identification: the two NRAs leverage various methodologies and cross-departmental collaboration. Regular updates to each process and the systematic risk matrix in the NRA-Defence process have been adapted to include emerging critical risks.

Stakeholder engagement: consultations and collaboration with a wide array of stakeholders—including academia, the private sector, and civil society—contribute to both NRA processes.

Integration of research and expertise: the involvement of academic experts, notably through partnerships with Dublin City University, introduces the latest research into the NRA-Defence process. This collaboration has supported the use of horizon scanning to identify new emerging risks.

Alignment with international best practices: the system reflects international guidelines, with references to Frameworks, the EU Critical Entities Resilience Directive, and methodologies from the World Economic Forum.

Less mature are the subsequent stages of the Framework. Gap identification is largely focused on the risks that may have been missed, with little documentation to date on potential inadequacies in Ireland’s capacity to manage them. The development and prioritisation of recommendations is explicitly excluded from the NRA-Taoiseach’s report, and provided in broad general terms in the NRA-Defence report, though the implementation of the FUTUREPROOF-IE recommendations promises to progress this stage. Emerging risk exercise series have not occurred. On implementation, the availability of reports and the dialogue they generate may lead to actions taken by certain agencies, but these remain undocumented at this stage.

Strategic Planning for Emerging Risks: Ireland has a well developed process for risk identification, and strategic planning for emerging risks is attested but not yet documented. Departments operate with significant autonomy, and there is limited evidence of a unified approach to planning for deeply uncertain risks.

Harmonisation of High Standards: Co-ordinated or centrally led quality control on how departments and agencies contribute to the process is lacking. A shared reporting process, possibly based on the SEM frameworks, is a step towards the unity of effort needed to effectively manage emerging critical risks. These documents could be amended to take account of the co-ordination of emerging risks in strategic planning.

Competency development in emerging risk management: standardised training and competency frameworks for public servants responsible for emerging risk identification and management are still underdeveloped. Establishing a competency framework for risk management and offering targeted training could enhance expertise and preparedness within departments tasked with managing emerging risks.

Emerging risk exercises: Ireland has not engaged in emerging risk exercises, or any regular process for testing response capabilities to new threats. A structured 3-year exercise programme, as outlined in the FUTUREPROOF-IE report, intends to provide departments with opportunities to rehearse their response to emerging risks.

Department of Defence, 2023. National Risk Assessment for Ireland 2023. Government of Ireland, Dublin.

Department of Defence, 2017. Strategic Emergency Management National Structures and Framework. Government of Ireland, Dublin.

Department of the Taoiseach, 2024. National Risk Assessment 2024: Overview of Strategic Risks. Government of Ireland.

Department of the Taoiseach, 2023. National Risk Assessment 2023: Overview of Strategic Risks. Government of Ireland.

McMullan, C., Reilly, N., Largey, A., Brown, G., 2024. Scanning for Impact: Integrating Effective Risk Horizon Scanning & Emergent Risk Forecasting into Ireland’s National Risk Assessment, FUTUREPROOF-IE: Scanning for Impact (S4I) Project. DCU Business School, Dublin.

Office of Emergency Planning, 2021. National Disaster Risk Management Capabilities Assessment 2021 (Report to the Government Task Force on Emergency Planning). Department of Defence, Dublin.

Anonymised and referenced in the text as IE-1 to IE-3

Department of Defence, covering the case study overall [25 July 2024]

Office of the Taoiseach, covering the NRA-Taoiseach’s [17 October 2024]

Academic expert, covering upgrades to the system [15 November 2024]

[7] Central Bank of Ireland (2024), THe Flood Protection Gap, Central Bank of Ireland, https://www.centralbank.ie/docs/default-source/regulation/industry-market-sectors/insurance-reinsurance/flood-gap-report/flood-protection-gap-report.pdf.

[8] Department of Defence (2017), Strategic Emergency Management National Structures and Framework, Government of Ireland, https://www.gov.ie/en/collection/5ef65-publications/.

[9] Department of Defence, Ireland (2023), National Risk Assessment for Ireland 2023, Government of Ireland, https://www.gov.ie/en/press-release/3da9e-tanaiste-publishes-results-of-national-risk-assessment-2023/.

[10] Department of the Taoiseach (2024), National Risk Assessment 2024: Overview of Strategic Risks, Government of Ireland, https://www.gov.ie/en/policy-information/448eb-national-risk-assessment-2024-overview-of-strategic-risks/ (accessed on 23 October 2024).

[2] Department of the Taoiseach (2023), National Risk Assessment 2023: Overview of Strategic Risks. Government of Ireland, https://www.gov.ie/en/policy-information/448eb-national-risk-assessment-2024-overview-of-strategic-risks/ (accessed on 23 October 2024).

[4] Government of Ireland (2022), National Risk Assessment 2021/2022 – Overview of Strategic Risks, Government of Ireland, https://www.gov.ie/en/department-of-the-taoiseach/policy-information/national-risk-assessment-20212022-overview-of-strategic-risks.

[11] Marchau, V. (2019), Decision Making Under Deep Uncertainty: From Theory to Practice, https://www.rand.org/pubs/external_publications/EP67833.html (accessed on 4 July 2021).

[3] McMullan, C. (2024), Scanning for Impact: Integrating Effective Risk Horizon Scanning & Emergent Risk Forecasting into Ireland’s National Risk Assessment, DCU Business School.

[1] OECD (2023), Report on the Implementation of the OECD Recommendation on the Governance of Critical Risks, OECD Publishing, Paris, https://legalinstruments.oecd.org/en/instruments/OECD-LEGAL-0405.

[5] Office of Emergency Planning (2021), National Disaster Risk Management Capabilities Assessment 2021, Department of Defence, https://www.gov.ie/en/collection/5ef65-publications/.

[6] Office of Public Works (2020), Memorandum of Understanding between Insurance Ireland and the Commissioners of Public Works in Ireland, Government of Ireland, https://www.gov.ie/en/office-of-public-works/publications/information-on-completed-opw-flood-defence-schemes/.

[12] Wilkinson, A. (2016), “Using strategic foresight methods to anticipate and prepare for the jobs-scarce economy”, European Journal of Futures Research, Vol. 4/1, https://doi.org/10.1007/s40309-016-0094-0.