Risk Analysis and Governance in EU Policy Making and Regulation – An introductory guide

Author: Bernardo Delogu

In this book, the author presents a number of concepts and methods of risk analysis that are most relevant to the development and application of EU risk policies and legal measures. It focuses on three types of risks: health risks, safety risks and environmental risks.

Throughout the book, the author starts with the concept of risk and risk analysis, and continues with the treatment of risk management, risk communication and ultimately risk governance. The book concludes with a summary chapter of the most important issues that were dealt with throughout the work.

But which issues, beyond the many things that had to be treated as good principles applied to policy, were the most important aspects of this work?

Firstly, there are the risk management principles and criteria that the EU uses as a regulatory body. The first is the prudence principle (PP: precautionary principle). A second is the subsidiarity principle. The third is the proportionality principle. Each of these principles must always be justified. For example, excessive, irresponsible caution cannot be approved.

Other points are the risk-risk evaluation, the cost-benefit evaluation and the difference between hazards and risks. The latter is explained better in this book than anywhere else up to now. A hazard is a property of, e.g., a material or a being “in itself”, while a risk is a threat in which the environmental situation is taken into account. Take, for example, Camembert cheese and the listeria bacterium. The listeria bacterium itself is a life-threatening bacterium. In an ‘environment’ of Camembert, however, it is not risky for people. (https://www.nieuwsblad.be/cnt/goledsud)

Furthermore, the relationship with stakeholders is very important for the EU. In doing so, they apply the principles of participation, openness and liability, effectiveness and ensuring systematic consultation processes across EU services, including evaluations and quality control.

The most important message that other governments and managers of companies can draw from the book is that scientific research on the risks should and should not be done independently of the policy makers. Although the scientists need to be able to do their work independently of political preferences and accompanying preconditions, it is important that they share the results with politics so that they can add values other than scientific correctness, without, however, going against the principle of prudence. The policymaker must also be able to accept that science does not always give the desired answer, or even has an unambiguous answer. Everyone, the scientists, the risk managers and the decision makers, must know their own role and that of the others.

Understanding Hybrid Warfare

Author: Multinational Capability Development Campaign (MCDC)

Hybrid what?

There is no clear definition yet. There are rather some descriptions, such as:

A hybrid crisis is a combination of two or more crises between which a link can exist (not necessarily) and which can reinforce each other.

Hybrid warfare is a military strategy that uses political war and mixes conventional war, irregular war and cyber war with other methods with a strong influence, such as fake news, diplomacy and intervention in foreign elections.

However, it is known that the aggressor tries to avoid retaliation. Hybrid warfare is typically tailored to stay below the clear detection radar and response thresholds.

The cases on which this study is based are:

– Iran’s activities in Syria
– Use of gas and loans by Russia as a means of pressure in Ukraine
– IS in Syria and Iraq
– Hybrid warfare in an urban context
– Cyber used by Russia

Two things are clear on this subject: nobody understands it fully, but everyone thinks it’s a problem.

That is why there is a need to take 2 steps:

Step 1: A common language (understanding the subject and communicating about it smoothly)

Step 2: An analytical framework

Step 1: Understand

There is no clear definition yet, as we wrote earlier, but there are descriptions, e.g.:

“The synchronized use of multiple power tools tailored to specific vulnerabilities across the entire spectrum of social functions, in order to achieve synergies.”

They often fall back on the speed, volume and ubiquity of digital technology.

It is important to recognize that multiple power tools are used in multiple dimensions and at different levels simultaneously, in a synchronized way. This allows the actor to use the various MPECI (Military, Political, Economic, Civil, Information) resources that they have available to create synchronized attack packages that are tailored to perceived or suspected vulnerabilities. The instruments of power used will depend on the capabilities of the actor and on these vulnerabilities, as well as on the political objectives of the actor and his planned way to achieve his goals. As in all conflicts and wars, the character of hybrid warfare will depend on the context.

Hybrid threats do not lend themselves to classical threat analysis for, among others, the following reasons:

– A wide set of MPECI tools is used.
– Vulnerabilities across societies are being exploited in a way that we normally do not think of.
– Syncing and the way that is done are unpredictable.
– The attacker exploits ambiguities, creativity and our understanding of warfare to keep his attacks invisible.
– A hybrid attack can remain unnoticed until it is too late.

We will therefore have to learn to look differently at conflicts in the future.

Step 2: The analytical framework

The analytical framework is structured with three components:

– Critical functions and vulnerabilities
– Synchronization of resources
– Effects and non-linearities (complexities)

We give a brief explanation of these three components.

Critical functions and vulnerabilities

Critical functions here are activities across the PMESII (Political, Military, Economic, Social, Infrastructure, Information) spectrum that, when they are no longer carried out, can lead to an interruption of services on which society depends.

They can all be divided into a combination of actors, infrastructures and processes. They all have vulnerabilities.

Synchronization of resources

Synchronization (syncing) is the ability of the attacker to coordinate effective power tools (MPECI) in time, space and with certain goals to achieve a desired effect. With this he can achieve greater effects than with overt coercion. Benefits for the attacker are:

– Use of tailored resources and vulnerabilities
– Coercion while remaining under the radar of the detection thresholds and response thresholds
– Easier to escalate and de-escalate different MPECI simultaneously

Effects and non-linearities (complexities)

Effects are changes in the condition of the target. They cannot be properly controlled by the attacker because one can no longer predict a linear sequence of effects. Causality becomes increasingly difficult to show and predict as more elements of the MPECI are used and vary.

Framework

One has to set up “BTIMs” to learn to recognize and know things:

Baselines, Thresholds, Indicators and Monitoring in real time, from the philosophy: “You do not know what is abnormal if you do not know what is normal and if you do not measure what the evolution is.”

For the baselines, a list and assessment of social critical functions must be made. Indicators must help determine whether an attack is in progress or is starting. Thresholds help determine what the normal / abnormal operation is.

Without knowing what is normal, nothing can begin.

Unfortunately no real examples of existing “BTIMs” are given in the document.

What are the recommendations of this document?

– Make regular national self-assessments of critical functions and of the vulnerabilities of all sectors and of society.
– Improve the classic threat analysis so that it contains the following tools and possibilities: Political, Economic, Civil, International, and research how these resources can be synchronized in an attack on vulnerabilities.
– Create a national methodology for coordinating self-assessment and threat analysis specifically for understanding, detecting and responding to hybrid threats.
– Internationalize: work together coherently across borders.

Conclusion: Here I am going to be a contrarian.

The study finds that the framework is a visual tool for responding during a hybrid attack.

That seems wrong to me. In addition to the BTIMs that have to be set up, and which must be able to function separately from the framework, the visual tool i.m.h.o. will rather remain a tool for analysis afterwards.

The tool does, however, provide an explanation of what information must be preserved during the crisis.