This chapter applies the OECD Framework on the Management of Emerging Critical Risks to the analysis of national approaches to emerging risk governance. While the Framework’s seven-step process guides the overall analysis, the chapter introduces new content through the development of a maturity model designed to assess countries’ capacities to manage emerging critical risks. The maturity model is applied to case studies from Israel, Ireland, Korea, and the United States, offering comparative insights into institutional practices, preparedness levels, and implementation gaps. The chapter highlights how the maturity model can support governments in assessing progress, identifying areas for improvement, and guiding continuous enhancement of risk governance systems in the face of complex and evolving threats.
Managing Emerging Critical Risks
Abstract
The global risk landscape is rapidly evolving due to interconnected economies, societies, and technologies. Emerging critical risks1—those that are transboundary, highly uncertain, and systemic—pose significant challenges to governments. Managing these risks requires anticipation, understanding, and proactive strategies to safeguard national security, public safety, and economic stability.
This report provides a comparative analysis of national approaches to managing emerging critical risks, focusing on four OECD Member countries: the Ireland, Israel, Korea, and the United States. It aims to facilitate mutual learning among senior risk managers and experts by highlighting effective practices, challenges, and lessons learned.
Supporting the OECD Recommendation on the Governance of Critical Risks, the Framework on Management of Emerging Critical Risks (“the Framework”) (OECD, 2024[1]) outlines a seven-step process for managing such risks.
Step 1 of the Framework focuses on establishing processes for early detection of emerging critical risks. Case studies highlight how dedicated institutional roles, rigorous methodologies, and inter-agency collaboration can identify such risks.
Step 2 emphasises assessing emerging risks using systematic methodologies and sharing information effectively. Case studies examined how countries ensure information is disseminated to facilitate co-ordinated responses.
Step 3 involves assessing management maturity and identifying gaps. Case studies reviewed how countries evaluate preparedness, resources, and structures to manage identified risks.
Step 4 addresses developing and prioritising recommendations. Case studies looked for evidence of flexible policies, prioritised actions, and clear pathways for implementation.
Step 5 centres on exercises to test preparedness. Exercises help assess response capabilities, identify gaps, and improve co-ordination. Case studies reviewed where such exercises were applied to emerging critical risks.
Step 6 involves developing flexible, adaptable strategic plans that can adjust to evolving threats. Case studies examined how governments integrate these plans into existing policies, ensure regular updates, and establish accountability.
Step 7 covers implementing recommendations by integrating them into strategic, policy, and budgetary processes. Case studies sought evidence of accountability, necessary authority and resources, and continuous monitoring to assess and adjust implemented measures.
The Framework provides a structured process for governments to validate identified gaps in knowledge, authorities and capabilities needed to manage emerging risks and to validate plans for building-in flexibility and adaptability to unforeseen or poorly understood risks.
This study uses a maturity model, built by the OECD Secretariat and based on the Framework, to facilitate mutual learning among countries. It is a logic that structures the assessment of governments’ progress in anticipating and addressing emerging critical risks. It outlines levels of maturity across the following three key dimensions to provide reference descriptions to which governments are compared:
Authorities and systems
Knowledge and capabilities
Responsibilities and people
While the model offers insights, it is best seen as a starting point for critical analysis, rather than a definitive set of instructions. It may have limitations when applied to diverse governmental contexts, and will be subject to further development reflecting the learnings of this cross-country analysis.
1.1.1. Defined maturity levels
Consistent with precedent (OECD, 2021[2]) in maturity models, five levels of maturity are used. This allows for sufficient nuance in the different levels of maturity, while limiting the number of descriptions to facilitate memorisation and recall. The levels of maturity are:
Nascent: ad-hoc, reactive approaches. This first stage of maturity represents countries that have taken initial actions related to a specific step of the Framework but have significant further progress to make.
Progressing: basic processes in place. This level represents countries that have put into action some, but not all, measures called for in a specific step of the Framework.
Established: standardised practices adopted. This level is intended to represent countries that have put into action all the measures called for in a specific step of the Framework and integrated it into its overall country risk management process.
Leading: practices measured and controlled. This level represents the gold standard of what is generally possible at the present time through actions by the relevant government authorities, and in addition has reviewed them with metrics.
Pioneering: cutting-edge processes and continuous improvement. This level represents countries that look forward at what might be possible in the medium term as the use of new technology tools develop and as governance of emerging critical risks makes a shift towards more cooperation with international partners and non-government stakeholders.
In Table 1.1 Maturity model for management of emerging critical risks, the seven steps of the Framework are listed, with the five levels of maturity above, creating an overall structure for the country case studies. The tables in Annex A. Methodology provide extensive descriptions for organisations at each of the five levels of maturity, for each of the seven steps of the Framework.
|
Step |
Nascent: ad-hoc, reactive responses |
Progressing: basic processes in place |
Established: standardised practices adopted |
Leading: practices measured and controlled |
Pioneering: cutting-edge processes and continuous improvement |
|---|---|---|---|---|---|
|
Identify Emerging Critical Risks |
|
||||
|
Assess and Share Information About Emerging Critical Risks |
|
||||
|
Assess Management Maturity and Identify Gap Areas |
|
||||
|
Develop and Prioritise Recommendations |
|
||||
|
Emerging Risk Exercise Series |
|
||||
|
Develop Flexible and Adaptable Strategic Plans for Emerging Risks |
|
||||
|
Implement Recommendations |
|
||||
Note: The notches do not reflect the maturity levels of the countries in the case studies, they are provided for illustrative purposes only.
Source: Author’s own work
The main source of data for this cross-country report is case studies from four OECD Members: Ireland, Israel, Korea, and the United States2. Through analysis of documents, an online questionnaire, and semi-structured interviews with government officials, each country’s processes and practices were examined and matched to the maturity model, resulting in an analysis for each.
Building on the individual case studies, highlights of effective practice for each step of the Framework are identified. These are followed by overall findings and reflections.
Each country studied reveals a different set of maturity levels across the seven steps. Full country case studies are provided in the annexes. This chapter presents highlights from each case.
1.3.1. Israel
National risk assessment: Israel has developed a proactive system for anticipating and managing emerging critical risks, involving strong inter-agency collaboration co-ordinated by the National Emergency Management Authority (NEMA). NEMA consolidates threat assessments from various agencies into a unified National Risk Assessment Document, approved by the cabinet, which serves as a legally binding framework for all ministries.
Continuous multi-source monitoring: Specialised units in several ministries continuously monitor global data and communication networks to detect emerging threats early.
Integration of military and civilian efforts: Israel's risk management system exhibits civil-military integration, resulting in shared ownership of risks and co-ordinated responses involving both civilian agencies and the military.
Use of advanced technologies and collaboration with academia: The country leverages advanced technologies, such as AI and big data analytics, and collaborates with academic institutions to enhance risk identification and assessment, for example through a ‘chief scientist’ position in certain ministries.
Israel has developed a robust and proactive system for anticipating and managing emerging critical risks, shaped by its complex geopolitical environment. The National Emergency Management Authority (NEMA) plays an essential role in consolidating threat assessments from various agencies into a unified National Risk Assessment Document. This system involves continuous multi-source monitoring, strong inter-agency collaboration, and the integration of military and civilian efforts, allowing for constant assessment and adaptation to new threats.
Emerging risks are identified through systematic and collaborative processes, involving specialised units within ministries that monitor global data and communication networks. For example, the health intelligence unit within the Ministry of Health monitors global health data to detect potential infectious disease threats early. Israel conducts regular exercises to test preparedness, using the outcomes to adapt and improve strategic plans. These exercises cover a range of scenarios and involve multiple ministries and agencies.
As a result, Israel demonstrates a leading or higher level of maturity in most aspects of the Framework for managing emerging critical risks. The integration of recommendations into strategic, policy, and budgetary processes, along with strong leadership commitment, ensures resilience against future challenges. While challenges exist, such as translating recommendations into commensurate resource and action plans, Israel's comprehensive approach positions it as a leading example in emerging risk management.
1.3.2. Ireland
Dual National Risk Assessments: Ireland operates two National Risk Assessments (NRAs)—one by the Department of the Taoiseach and another by the Department of Defence—providing multiple avenues for identifying emerging critical risks.
Structured Horizon Scanning and Public Consultation: Both NRAs incorporate methodologies like horizon scanning and public consultations, engaging stakeholders across government, academia, private sector, and civil society.
Lead Government Department Approach: Responsibilities for risk management are assigned to specific departments, promoting ownership and accountability for managing identified risks (Department of Defence, Ireland, 2023[3])
Gaps in Strategic Planning and Exercises: While risk identification is robust, there is limited evidence of strategic planning for emerging risks and the implementation of regular exercises to test response capabilities (Interview IE-1).
Plans for Improvement: Recent initiatives, such as the FUTUREPROOF-IE project, recommend enhancing co-ordination, developing emerging risk exercises, and providing training for public servants (McMullan, 2024[4]).
Ireland employs a dual-track National Risk Assessment (NRA) system to anticipate and manage critical and emerging risks. The Department of the Taoiseach conducts an annual NRA focusing on strategic risks through public consultation and interdepartmental collaboration, as outlined in the "National Risk Assessment 2024: Overview of Strategic Risks" (Department of the Taoiseach, 2024[5]). Concurrently, the Department of Defence produces a triennial NRA concentrating on national security and emergency preparedness, detailed in the "National Risk Assessment for Ireland 2023" (Department of Defence, Ireland, 2023[3]). The legislative basis for the latter being Decision 1313/2013/EU of the European Parliament and of the Council of 17 December 2013 on a Union Civil Protection Mechanism, which explicitly requires Member States to develop risk assessments and review them at least every three years.
Both processes use methodologies like horizon scanning, drawing on academic expertise and aligning with international examples such as the Framework.
Emerging risks are identified through structured engagements involving government departments, experts, and the public. The inclusion of academic research, particularly through collaboration with Dublin City University, enhances the knowledge base supporting risk management (McMullan, 2024[4]). The Lead Government Department approach assigns specific responsibilities, promoting ownership and accountability in managing identified risks (Department of Defence, Ireland, 2023[3]). Information sharing occurs through interdepartmental co-ordination and public consultations, with findings presented to high-level bodies like the Oireachtas.
However, gaps remain in strategic planning and the execution of emerging risk exercises. While the NRA processes facilitate risk identification and assessment, there is evidence of missing co-ordination in systematic strategic planning for emerging risks, and there have been no regular exercises to test response capabilities to emerging critical risks (Interview IE-1).
Recommendations from projects like FUTUREPROOF-IE include enhancing co-ordination among departments, developing emerging risk exercises, and providing training for public servants responsible for risk management (McMullan, 2024[4]).
1.3.3. Korea
Institutionalised Emerging Risk Identification: Korea’s establishment of the Center for Risk Identification and Assessment (CRIA) under NDMI has introduced a structured, data-driven approach for identifying and analysing emerging critical risks.
Integration into Planning and Policy Cycles: Potential disaster risk analysis reports, developed biannually, inform national safety management plans and guide preventive investments at both central and local levels.
Regular Information Sharing and Iterative Monitoring: Biannual reviews, follow-up communications, and reporting accessible to the public aim to create an environment of continuous stakeholder engagement and knowledge exchange.
Evolving Practices for Prioritisation and Capacity-Building: While risk identification, and information sharing and the prioritising recommendations have matured, methodologies for prioritising recommendations, methodologies for refining management maturity assessments, and linking exercises more closely to emerging risk analyses remain under development.
Korea’s approach to anticipating and managing emerging critical risks draws on institutional reforms and expanded analytical capabilities. Following the 2022 Itaewon tragedy, the Ministry of the Interior and Safety (MOIS) and the National Disaster Management Research Institute (NDMI) enhanced the nation’s risk governance structures, culminating in the CRIA’s formation. This unit systematically applies big data analytics, scenario planning, and horizon scanning methods to identify emerging hazards, and convenes a multi-stakeholder committee to evaluate and classify them. The resulting analyses feed into national planning documents, sectoral guidelines, and local initiatives, shaping a more anticipatory risk management cycle.
Emerging risks are shared through biannual reports, integrated into policy deliberations, and supported by consistent follow-ups with ministries and agencies. Exercises such as “READY Korea” and “Safe Korea Training” incorporate new hazards into scenario-based drills, and pilot projects for local risk analysis are refining assessment methodologies and frameworks. Efforts to codify best practices, bolster capabilities in prioritising recommendations, and leverage advanced tools for uncertainty management are ongoing.
While Korea’s system has progressed significantly, certain areas warrant further enhancement. Greater clarity in recommendation prioritisation, more comprehensive assessments of management maturity, and better linkage between exercises and foresight-based analyses could strengthen the nation’s resilience against evolving and complex risks.
1.3.4. United States
Whole-of-society approach: the United States Department of Homeland Security (DHS)’s approach to managing emerging critical risks follows the principle of ‘locally executed, state managed, and federally supported’.
Homeland Security Enterprise (HSE): the United States involves federal, state, local, and private sector partners, with DHS and its components (FEMA, CISA, USCG, others) taking on proactive steps to address emerging critical risks.
Fragmented and varying approaches: there is no unified, robust process across the homeland security enterprise to holistically identify and assess emerging risks or systematically connect findings to strategic planning, policy, and budgeting.
Improvements underway: DHS is developing more flexible, scenario-agnostic planning capabilities and institutionalising improvements, but it has not yet achieved a fully matured, systematic approach.
The DHS demonstrates a whole-of-society approach to anticipating and managing emerging critical risks, balancing local execution, state management, and federal support. While subject-matter agencies exercise significant autonomy in pre-incident risk reduction for familiar and well-understood threats, the federal government becomes more directly involved when risks are less understood or more emergent. The Homeland Security Enterprise (HSE) provides a framework for multi-level engagement across government and the private sector, enabling agencies such as DHS, FEMA, CISA, and the USCG to begin proactively preparing for new and evolving threats.
In recent years, policy documents like National Security Memorandum-22 (President of the United States, 2024[6]) have stressed the need for more holistic methods of identifying and mitigating emerging critical risks. Programmes like the Emerging Risks and Technologies Program (ERT) within DHS’s Science & Technology Directorate aim to establish systematic processes to anticipate advanced and less well-defined threats before they cause harm. Nevertheless, the current system still relies heavily on top-down direction, with no single office charged with comprehensive risk assessment at DHS. Pilot projects and scenario-based planning show promise, but their scope and pace remain limited.
Challenges persist in aligning risk identification with strategic planning, policy, and budgetary decisions. Decentralised authorities and fragmented accountability mechanisms have hindered the consistent implementation of recommendations. Recognising these shortcomings, DHS is making efforts to improve co-ordination, develop flexible planning approaches, and institutionalise improvements. Although a fully matured, systematic approach has not yet been achieved, the ongoing initiatives and lessons learned are gradually strengthening the Homeland Security Enterprise’s capacity to manage emerging critical risks.
The Framework outlines a seven-step process for managing emerging critical risks. This structured process helps governments validate identified gaps in knowledge, authorities, and capabilities needed to manage emerging risks and to build flexibility and adaptability into their risk management strategies (OECD, 2024[1]).
For each step of the process, the case studies revealed effective practices and some hindrances within each participating country.
1.4.1. Identifying emerging critical risks
Step 1 of the Framework focuses on establishing processes and methodologies for the early detection of emerging critical risks. In case studies, information was sought on diverse sources of knowledge, engaging multiple stakeholders, and employing techniques such as horizon scanning, foresight exercises, and expert consultations to anticipate potential risks before they materialise. The case studies highlight the importance of dedicated institutional roles, methodological rigor, and inter-agency collaboration in effectively identifying emerging critical risks.
Ireland identifies strategic risks through public consultation and interdepartmental collaboration (Department of the Taoiseach, 2024[5]). The process uses horizon scanning and involves government departments, the public sector, private sectors, and civil society (Department of the Taoiseach, 2023[7]). FUTUREPROOF-IE, an EU-funded research project, introduced advanced methodologies like scenario planning to enhance the identification of emerging risks (McMullan, 2024[4]). Collaboration with Dublin City University integrates academic research into the risk-identification process.
Israel uses a multi-source, collaborative approach. Specialised units within ministries continuously monitor global data to detect potential threats early. Experimentation with artificial intelligence and machine learning enhances emerging-risk identification capabilities (Interview IL-6).
Korea has instituted a dedicated Emerging Risk Identification Center (CRIA), which employs big data analytics, structured expert committees, and horizon scanning to identify emerging risks. Biannual meetings ensure recurrent detection of new hazards, and collaboration with local research institutes allows diverse sources of knowledge to feed into the identification process.
The United States DHS components have their own methods for conducting strategic foresight and assessing risks relevant to their missions. Recent efforts such as National Security Memorandum 22 and a pilot project, collaborating with RAND to produce structured assessments on emerging risks, represent steps towards a more centralised view of emerging risk.
OECD Expert Group on AI Futures
Through international expert consultation, the OECD Expert Group on AI Futures ("Expert Group") identified a set of potential future artificial intelligence (AI) risks, published in November 2024 (OECD, 2024[8]).
The Expert Group, launched in July 2023, conducted an extensive literature review of approximately 250 sources, including academic reports, policy documents, and expert opinions. This initial research identified 17 potential future benefits, 36 potential risks, and 68 potential policy actions related to AI. To prioritise these items, the OECD developed a survey for Expert Group members, conducted between August and September 2023. The survey asked members to rate the importance and actionability of each potential risk, benefit, and policy action.
The survey results guided the selection of the ten priority risks and policy actions. Subsequent discussions and communications refined these priorities, taking into account new members' views and ensuring that the items reflected the group's consensus. The risks identified were:
Facilitation of increasingly sophisticated malicious cyber activity
Information manipulation, distortion, fraud, and resulting harms to informed citizenry and social cohesion
Races to develop and deploy AI systems causing harms due to insufficient investment in AI safety and trustworthiness
Unexpected harms from inadequate alignment of AI system objectives with human preferences and values
Concentration of power in a small number of companies or countries
Minor to serious AI incidents and disasters in critical systems
Invasive surveillance and privacy infringement
Governance mechanisms and institutions unable to keep up with rapid AI evolutions
Erosion of accountability due to AI systems lacking sufficient explainability and interpretability
Exacerbated inequality or poverty within or between countries
To address these risks and harness AI's potential benefits, the Expert Group proposed ten priority policy actions, including clearer rules, approaches to restrict or prevent certain "red line" AI uses, and risk management procedures throughout the lifecycle of high-risk AI systems.
Source: (OECD, 2024[8])
1.4.2. Assessing and sharing information
Step 2 of the Framework emphasises the importance of assessing emerging critical risks using systematic methodologies and sharing information effectively among relevant stakeholders. The case studies looked at how countries identified risks to understand their potential characteristics and ensuring that information is disseminated to facilitate co-ordinated responses.
Ireland demonstrates the benefits of systematic methodologies and established information-sharing mechanisms. The Department of Defence's NRA employs impact-probability matrices developed through expert focus groups. These groups receive training to ensure consistency in assessments (Department of Defence, Ireland, 2023[3]).
Israel also demonstrates strong practices in both assessing and sharing information: NEMA consolidates threat assessments from various agencies into a unified National Risk Assessment Document, approved by the cabinet (Interview IL-1). Reference scenarios are developed and updated regularly for emerging risks, and ministries are expected to use them in preparation work.
Korea’s assessment of emerging risks includes a formal evaluation and selection committee that convenes twice a year. Resulting analyses are captured in publicly available reports and disseminated to ministries and agencies.
The United States DHS shares risk to critical infrastructure with Sector Risk Management Agencies and the private sector to enhance information sharing, but lack a fully integrated system across all risks and partners (Mayorkas, 2024[9]).
The United States’ Biological Threat Reduction Program
The Defense Threat Reduction Agency (DTRA) provides cross-cutting solutions to enable the Department of Defense, the United States Government, and international partners to Deter strategic attack against the United States and its allies; prevent, reduce, and counter WMD and emerging threats; and prevail against WMD-armed adversaries in crisis and conflict.
The Department of Defense’s Cooperative Threat Reduction program (DoD CTR) invests in strengthening public and veterinary health systems in partner countries in order to improve their ability to detect, report, and mitigate the spread of infectious disease outbreaks. This work is critical to building a strong global health security system which is the world’s best defense against pandemics. The Biological Threat Reduction Program (BTRP), part of the DoD CTR Program, is implemented by the Defense Threat Reduction Agency. BTRP protects the United States, its Armed Forces and allies from biological threats by strengthening the capabilities of partner nations and the international community to prevent, detect and prepare for outbreaks caused by biothreat pathogens.
The programme supports more than 30 partner nations as they seek to improve their biosafety, biosecurity, and biosurveillance (BSV) capabilities to counter biological threats. The BTRP has worked cooperatively with countries across Africa, Europe, the Middle East, and Asia to secure pathogen collections; enhance biosafety and biosecurity (BS&S) at vulnerable sites; and strengthen the capacity for public health and veterinary systems to detect, characterise, and report disease outbreaks rapidly and accurately.
1.4.3. Assessing management maturity and identifying gap areas
Step 3 of the Framework focuses on assessing the maturity of existing management capabilities and identifying areas where gaps may exist in handling emerging critical risks. Case studies looked at how effectively countries were evaluating current preparedness levels, resources, and structures to manage identified risks effectively.
Ireland’s Lead Government Department model ensures ownership of risks, and emerging risks are explicitly referenced (Department of Defence, Ireland, 2023[3]). Departments are required to assess the maturity of risk management for each identified risk and identify any gaps. Potential gaps and overlaps between departments are recognised and addressed.
Israel has assessments of emergency preparedness and management capabilities to identify gaps through systematic evaluation of resources and response strategies. Ministries set service levels and develop response plans based on identified gaps. Inter-agency collaboration and exercises help assess management maturity.
Korea has begun integrating a maturity model into pilot projects at the local level, revealing overlaps in responsibilities and prompting the refinement of methodologies. While national standards for maturity assessments are still evolving, this early work aids in identifying capability gaps and strengthening co-ordination between central and regional stakeholders.
The United States DHS has varying levels of maturity in terms of managing different categories of risks. The country is more mature in managing ‘known knowns’ and ‘known unknowns’, whereas challenges exist in managing ‘unknown unknowns’—risks without historical precedent, unexpected events, or those lacking existing authorities. To address this challenge, DHS has begun to prioritise future research into how to use risk management to reduce strategic surprise.
1.4.4. Developing and prioritising recommendations
Step 4 of the Framework is developing and prioritising recommendations to manage identified emerging critical risks effectively. Case studies looked for evidence of flexible policies, actions prioritised based on risk assessments, and clear pathways for implementation.
Ireland has adopted recommendations outlining steps for managing emerging risks, adding these to the NRA-Defence report’s prioritisation using impact and likelihood assessments.
Israel prioritises risks by evaluating 1) severity, 2) likelihood and 3) economic considerations. Recommendations are developed collaboratively, with continuous validation and adaptation to new threats.
Korea has emerging risk reports that include targeted recommendations, ranging from regulatory adjustments to improved training measures. Though all recommendations are reviewed by relevant agencies, and are also prioritised by MOIS based on urgency, readiness, and other factors, formal prioritisation frameworks are not yet in place across government, and addressing deeply uncertain risks remains challenging.
The United States DHS develops recommendations when risks gain leadership attention, but DHS lacks a robust method to objectively evaluate changes in the risk environment and elevate them to leadership for prioritisation. Integrating the finding across component risk assessments into policy and budgeting decisions remains a challenge.
The United Kingdom's Action Plan for Enhancing Risk Management and Resilience
The UK published a Government Resilience Framework in 2023, focusing on the country’s ability to anticipate, assess, prevent, mitigate, respond to, and recover from known, unknown, direct, indirect and emerging civil contingency risks. Key recommendations include:
Clarify Roles and Responsibilities for Each National Security Risk Assessment (NSRA) Risk: Assign clear ownership within the government for all identified risks to drive activity across the risk lifecycle, ensuring that risks are effectively managed and mitigated.
Conduct an Annual Survey of Public Perceptions of Risk: Engage with the public to understand perceptions of risk, resilience, and preparedness, informing risk communication strategies and public awareness campaigns.
Introduce an Annual Statement to Parliament on Civil Contingencies Risk: Enhance transparency and accountability by reporting on the government's performance in resilience and risk management.
Develop Measurement of Socio-Economic Resilience: Create tools to understand how risks impact different communities and vulnerable groups, guiding decision-making and targeted interventions.
Improve Risk Communication: Make government communications on risk more relevant, personalised, and easily accessible to organisations and individuals, enhancing public engagement and preparedness.
The government also recognises the importance of risk ownership and accountability. By clarifying roles and responsibilities, particularly for complex or cascading risks, the UK aims to ensure that all risks are adequately managed. The Lead Government Department model will continue, but with enhanced support from the new Head of Resilience to provide leadership and promote best practices.
1.4.5. Emerging risk exercise series
Step 5 of the Framework centres on exercises to test and validate preparedness for emerging critical risks. These exercises help assess response capabilities, identify gaps, and improve co-ordination among stakeholders. In the case studies, documentation and interviewees’ experiences of such exercises were reviewed where they were used for emerging critical risks.
Israel has documented exercises which included emerging critical risks. These cover a range of scenarios and are used to identify gaps and areas for improvement. Inter-agency collaboration is integral to these exercises, which include planning, execution, and after-action reviews.
Korea has also integrated identified emerging risks into established training programmes, such as “READY Korea” and “Safe Korea Training,” simulating conditions like electric vehicle fires and crowd disasters.
1.4.6. Developing flexible and adaptable strategic plans
Step 6 of the Framework is the development of flexible and adaptable strategic plans to manage emerging critical risks. This involves creating strategies that can adjust to changing circumstances and uncertainties associated with new and evolving threats. Case studies looked at how governments integrate these plans into existing policy frameworks, ensure they are regularly updated, and establish clear accountability mechanisms for their implementation.
Israel develops strategic plans through systematic processes, setting service levels, and continuous updates. Plans are adaptable to cope with uncertainty and dynamic threats. Inter-agency co-ordination and engagement with the private sector and academia contribute to developing flexible plans.
Korea incorporates emerging risks into its five-year basic plans and annual action plans, ensuring that newly recognised hazards are factored into strategic-level decision-making. Feedback loops through MOIS and ongoing pilot projects at local levels foster adaptive planning.
The United States DHS is currently developing flexible incident management plans and integrating new threats into strategic plans, such as the upcoming National Infrastructure Risk Management Plan.
1.4.7. Implementing recommendations
Step 7 of the Framework is on the implementation of recommendations. This involves putting strategies and plans into action, integrating recommendations into existing strategic, policy, and budgetary processes. Case studies sought to identify clear accountability mechanisms, ensuring that responsible entities have the necessary authority and resources. Continuous monitoring and evaluation were also used to assess the effectiveness of implemented measures and to make adjustments as needed.
Ireland has a decentralised implementation model, with Lead Government Departments responsible for managing risks within their domains. While reports are considered at high levels, a structured process with key performance indicators for implementing recommendations is not documented. The absence of “reach” into departments for the purpose of oversight and audit poses a significant challenge to ensuring that recommendations are implemented.
Israel integrates recommendations into existing strategic, policy, and budgetary processes. Ministries are accountable for implementing recommendations, with significant financial resources allocated. Continuous improvement is achieved through exercises, after-action reviews, and policy updates.
Korea monitors the implementation of recommendations by issuing follow-up communications to agencies every six months. Although these follow-ups are not compulsory, they maintain visibility of recommended measures and have guided some regulatory changes.
The United States DHS integrates some recommendations into existing processes when they gain leadership attention, but the absence of a direct process connecting identification and assessment of emerging critical risks to budget, strategy, and policy development hinders consistent implementation.
References
[10] Defense Threat Reduction Agency (2023), Biological Threat Reduction Program, https://www.dtra.mil/Portals/125/Documents/CTR-Factsheets/DTRA-Fact-Sheet-BTRP-Aug-2023.pdf (accessed on 28 November 2023).
[3] Department of Defence, Ireland (2023), National Risk Assessment for Ireland 2023, Government of Ireland, https://www.gov.ie/en/press-release/3da9e-tanaiste-publishes-results-of-national-risk-assessment-2023/.
[5] Department of the Taoiseach (2024), National Risk Assessment 2024: Overview of Strategic Risks, Government of Ireland, https://www.gov.ie/en/policy-information/448eb-national-risk-assessment-2024-overview-of-strategic-risks/ (accessed on 23 October 2024).
[7] Department of the Taoiseach (2023), National Risk Assessment 2023: Overview of Strategic Risks, Government of Ireland, https://www.gov.ie/en/policy-information/448eb-national-risk-assessment-2024-overview-of-strategic-risks/ (accessed on 23 October 2024).
[9] Mayorkas, A. (2024), Strategic Guidance and National Priorities for U.S. Critical Infrastructure Security and Resilience (2024–2025).
[4] McMullan, C. (2024), Scanning for Impact: Integrating Effective Risk Horizon Scanning & Emergent Risk Forecasting into Ireland’s National Risk Assessment, DCU Business School.
[8] OECD (2024), Assessing Potential Future Artificial Intelligence Risks, Benefits and Policy Imperatives, OECD Publishing, https://doi.org/10.1787/3f4e3dfb-en.
[1] OECD (2024), Framework on Management of Emerging Critical Risks, OECD, https://doi.org/10.1787/2f2.
[2] OECD (2021), Enterprise Risk Management Maturity Model, http://www.oecd.org/tax/forum-on-tax-administration/publications-and-products/enterprise-risk-management-maturity-model.htm (accessed on 2023).
[6] President of the United States (2024), National Security Memorandum on Critical Infrastructure Security and Resilience, https://www.whitehouse.gov/briefing-room/presidential-actions/2024/04/30/national-security-memorandum-on-critical-infrastructure-security-and-resilience/ (accessed on 12 November 2024).
[11] UK Government / Cabinet Office (2023), UK Biological Security Strategy, Cabinet Office, https://www.gov.uk/government/publications/uk-biological-security-strategy/uk-biological-security-strategy-html (accessed on 28 November 2024).
[12] UK Government / Cabinet Office (n.d.), UK Government Resilience Framework, https://www.gov.uk/government/publications/resilience-framework.
← 1. Defined in the Framework on Management of Emerging Critical Risks (2024) as “[t]hreats and hazards that pose the most strategically significant risk, as a result of (i) their probability or likelihood and of (ii) the national significance of their disruptive consequences, including sudden onset events (e.g. earthquakes, industrial accidents, terrorist attacks), gradual onset events (e.g. pandemics), and steady-state risks (notably those related to illicit trade or organised crime)[…] and are also [e]ither new risks or familiar risks that are evolving due to new or unfamiliar conditions”.
← 2. Department of Homeland Security