Action Plan against Disinformation

European Commission contribution to the European Council – December 5th 2018

The starting point of this contribution is that free speech is a core value. Citizens must be able to access verifiable information freely. They need this in order to inform themselves correctly about the wide range of political issues and positions. This democratic process is threatened when disinformation mixes things up.

What is the problem?

Disinformation is understood in this document as information that can be verified as being false or misleading. It is created, presented and disseminated for economic gain, or to mislead the public intentionally, and may cause harm to that public.

This is intended to include threats to democratic processes as well as public health, public safety, the environment or public security.

The action plan responds to the European Council’s request for measures to protect the Union’s democratic systems and to defeat disinformation, including in the context of the upcoming European elections.

Understanding the threat.

An increase in targeted disinformation campaigns against the Union, its institutions and its policies is expected in the run-up to the European elections of 2019. These campaigns use deep-fakes (video manipulation), counterfeits of official documents, bots (automated software), trolls (false profiles on social media) and information theft. The traditional, classical media also continue to play a role. The tools and techniques change quickly, so the response must be quick as well.

Four pillars for ten actions by the Union in response to disinformation.

Actions against disinformation require political decision-making and cooperation across governments (using the counter-hybrid threat, cyber security, information and strategic communication communities, as well as data protection, electoral, legal and media authorities).

The four pillars are:

  1. Improving the possibilities of the Union’s institutions to detect, analyse and denounce disinformation;
  2. Strengthening the collaborative response against disinformation;
  3. Mobilising the private sector to remove disinformation;
  4. Raising awareness and improving social resilience.

Pillar 1: Improving the possibilities of the Union’s institutions to detect, analyse and denounce disinformation.

Action 1: Strengthen a number of Strategic Communication Task Forces with specialized staff in data mining and analysis to process the relevant data. The plan also considers additional media monitoring services for the many language areas in Europe. In addition, we also need to invest in tools to process these data and conduct assessments.

Action 2: The mandates of the Strategic Communication Task Forces for the Western Balkan countries and the southern countries will be reviewed, also in order to address misinformation effectively. Member States should further enhance their national capabilities, including by supporting the Union with staff.

Pillar 2: Reinforcing collaborative responses against disinformation.

Action 3: A RAS (Rapid Alert System) is developed and put into use. This RAS should work closely with services from the Member States that are reachable 24/7.

Action 4: An increase in communication efforts on the values and policies of the Union, with a view to the forthcoming European elections. The Member States must also make this effort.

Action 5: The Commission and the High Representative, together with the Member States, will strengthen their strategic communications in the Union’s environment. This is done, among other things, by sharing information and lessons, raising awareness, proactive reporting, and research to strengthen and share information.

Pillar 3: Mobilising the private sector to remove disinformation.

Action 6: The Commission closely and continuously monitors the implementation of the Code of Practice by its signatories. Where necessary, and in the light of the impending elections, the Commission will insist on swift, effective and compliant implementation. To this end an assessment will take place. If this ‘Code of Practice’ proves insufficient, the Commission may propose further actions, including legal proceedings.

Pillar 4: Raising awareness and improving social resilience.

Action 7: In the longer term, targeted campaigns will be organised for the wider public, as well as training for the media and opinion-makers in the Union and its environment. This is aimed at countering the negative effect of disinformation. Efforts will be made by independent media and quality journalism, as well as in the investigation of disinformation, to provide a comprehensive response.

Action 8: Member States, together with the Commission, should provide teams of multidisciplinary independent fact-checkers and researchers with specific knowledge of local information, to detect disinformation campaigns on, among others, social networks and digital media.

Action 9: Actions will be taken on the media literacy of the public. Member States should also make rapid use of the provisions of the Audiovisual Media Services Directive.

Action 10: Member States must ensure an effective follow-up of the ‘Elections Package’, in particular the ‘Recommendation’. The Commission will monitor this and provide support and advice where appropriate.


The terrorist’s son

Author: Zak Ebrahim with Jeff Giles

In this book the son talks about his father and mother, his youth, his family, and the atrocities of the world.

People are cruel and very short-sighted to each other when it comes to it. The cultural layer on top of the short drives and instincts that distinguishes man from animals is apparently very thin. Z has experienced this from different points of view: hatred of believers of another faith, hatred of children who are too young for empathy, hatred of adults for being simply connected to a “perpetrator” because of bloodlines, hatred against a system that received you but in which you could not live, hatred because of greed, hatred in order to be able to respond and to “be on the other side”, but also repentance about the latter.

What Z proves is that they are all choices. Some people are very easily influenced in this. Others are rock solid in their individuality and realize that they themselves choose. They choose despite the circumstances. And despite the circumstances, everyone is liable for his own choices. Regardless of a good lawyer. Regardless of a religious leader. Regardless of the system. Regardless of the pure fact that many can be pointed out for their share in your choice.

That is why terrorism is never OK.

That is why it is important that everyone realizes that their own choice makes a difference. That is in general the hope for this world. That is in general the message that I read in this booklet.

Z gave a TED talk about it. You can find it here:

Lessons identified from this life can be:

  • People can continue to choose for themselves despite the hateful circumstances.
  • Everything can be misused, also faith.
  • There are four important pillars in a person’s life:

    • family and friends,
    • work,
    • residence,
    • (psychological) health.
  • Always hope for the understanding of others, but do not expect it.
  • Always create a strong friendship with people before you allow yourself to be vulnerable to them.
  • Learn to trust again and again.

IRGC Guidelines for the governance of systemic risks


Many of today’s challenges are related to climate change, biodiversity loss, degradation of the ecosystem, exposure to chemicals, etc., and these are all characterized by a high degree of complexity. They often have multiple causes, internal feedbacks within systems, and external feedbacks between systems and over time. They are often difficult to define and determine, and it is often difficult for us to agree on them. This contrasts sharply with conventional risks such as classical environmental issues (water quality, food problems, urban waste water, waste and wastewater management, etc.), which are handled more successfully.

The analysis in this document has to do with slowly evolving catastrophic risks. Although they are often foreseeable, we often cannot stop them because they are built into the nature of complex adaptive systems. Moreover, one of the defining characteristics of our modern world is the interdependence of these complex adaptive systems. But what are those systemic risks?

Systemic risks are the “threat that individual failures, accidents or interruptions that occur in a system continue through the system through a process of contagion”. The term refers to the risk or probability of failure of a whole system, as opposed to the failure of a single component. So there is a cascade of failure that involves the larger system. More abstractly, it is “a threat of a phase transition from one equilibrium state of the system to another, which is much less opportune, characterized by multiple self-reinforcing feedback mechanisms that make it difficult to reverse the evolution of the system”. Systems that are vulnerable to this often also have the characteristic of being interconnected. Examples of systemic risks are the financial crisis of 2008, the collapse of the Aral Sea, and the overfishing of the oceans.

The guideline for “the governance of systemic risk” proposes an approach of 7 interrelated steps:

  1. Explore the system,
  2. Develop scenarios,
  3. Determine the objectives,
  4. Co-develop management strategies,
  5. Focus on unforeseen obstacles and sudden critical shifts in the system,
  6. Decide, test and implement,
  7. Monitor, learn, review and adapt.

This requires iteration between and within each step.

The process must be coordinated by a “navigator” who plays a decisive role in bringing together the various stakeholders. He also ensures an effective implementation of the process and helps with the transfer of one transition from the system to another. It may be necessary for the organization to regularly adjust its objectives.

The process also involves addressing unexpected obstacles and sudden critical shifts. Obviously, the big obstacles must be known before the strategy is determined. But it must also be possible to think of sudden barriers. Adaptation possibilities of the organization are therefore a requirement.

The governance process for systemic risks must be open to a variety of possible entry points, depending on where the organization stands in its evolution, taking into account the course and timing of the development of the threat.

And in all of this, communication, openness and transparency are objective universal requirements to counteract difficulties in determining causal relations, psychological obstacles and often long latency periods. Round tables and platforms where information is shared are a requirement for creating awareness of existing needs and accepting the realistic management options.


The Gray Rhino – How to recognize and act on the obvious dangers we ignore

Author: Michèle Wucker

In this book, the author writes about things that are uncomfortable. It is not about “Black Swans” but about “Gray Rhinos”. What is the difference? Where black swans are very popular as events with a small probability but huge impact, gray rhinos are events that are common, have a high probability, and have a huge impact. Where black swans are difficult to predict, or totally unexpected, gray rhinos are often seen on the horizon. But often people choose not to (want to) see them.

So there are some questions that we can ask, and which the author addresses, such as “What are examples?”, “When should we respond?” and “Why do we ignore them while the costs and consequences are self-evident, and often greater than we even think, and that while we know this?”

The author tries to answer these questions by analyzing the stages of gray rhino events. These stages are: prediction that elicits denial, denial, muddling, diagnosis of the situation, panic, action, and post-treatment “because a crisis is a terrible thing to waste”.

A very important piece of advice from the author is: think long term.

But the most important takeaways of the book are in the last chapter, in which the author gives a “Gray Rhino Safari Guide”. This is a set of principles for dealing with the stages of the gray rhinos, or “How to Not Get Run Over by a Gray Rhino”. These are:

1° Recognize the rhinoceros. Recognizing the existence of gray rhinos lets you step aside when one comes along. But more than that, it lets you learn to see problems differently and transform them into an opportunity. So dare to ask uncomfortable questions. “Hear, see and speak no evil” is not a good idea.

2° Define the rhinoceros. After some practice you recognize a number of rhinos. And that can be very intense in itself. You cannot take all problems into account at the same time. So you have to prioritize. But for that you have to define the scope of each rhino. The way you do this is important for getting people to respond.

3° Do not stand still. If you cannot work out the big things you have to do in one step, do it in smaller steps. You may muddle on for a while, as long as this muddling helps you on your way to taking action. If possible, make a plan in time. For example, on a personal level, you can fasten your seatbelt when you drive a car. Not every ride leads to an accident, but one is always possible. Preparation is the key to success.

4° A crisis “is a terrible thing to waste”. Sometimes you cannot get out of the way of a rhino and you will be trampled. Then it is important not to stay down but to get up, to carry out repair work, and where possible also to make improvements with respect to the old situation.

5° Stay downwind. The best leaders respond to a threat while it is still far away, because they know that the costs and the chances of impact only increase with procrastination. In doing so, you must distance yourself from groupthink and the other biases mentioned in the book. Unfortunately, not everyone follows President Kennedy’s advice “It’s time to fix the roof when the sun shines”.

6° Be a rhino spotter, become a rhino keeper. A rhino spotter is a person who sees a great danger (obvious or not) coming to the organization that is ignored by others, someone who speaks out loud when others are silent. That is where the first step to success begins. Then you have to get others to come along. Identifying a need is one thing, but the hard work lies in convincing others and executing appropriate actions. You must therefore dare to go against the crowd. So you have to be a bit mad. But also courageous. Because it often requires a sacrifice of yourself.

Three Steps Starting Effective and Efficient Risk Management according to ISO 31000

Author: Dr. Frank Herdmann

In a thin book of 70 pages, the author explains ISO 31000 in both English and German. Yet another handbook, you will say. Yes, but this time it is about version 2018, and in this booklet there is some emphasis on small and medium-sized organizations. After all, it should not be forgotten that implementing an ISO standard such as ISO 31000 is a relatively much greater effort for a small or medium-sized organization than for a large organization that can set up an FTU (Full Time Unit) or a whole team. That is why some simplifications are necessary, without however touching the core of the message of the norm. This also makes the approach a quick start for the bigger ones. The Quick Start is realized in three steps that the company must take:

“Establishing the Framework”

“Establishing the Process”

“Implementing and Executing the Risk Management Loop”

But why do we have to do this? The aim of risk management according to this new standard is value creation and value protection. You read that correctly. Risk management can be regarded as an added value and not as a cost. It also pays off as a protection factor, among other things by avoiding or minimizing costs. That added value can be enormous, also in view of management’s obligations and liabilities for negligence of the organization, for example by supporting good, correct governance.

The booklet starts with a fairly extensive introduction, starting with the ISO 31000 version 2009 and the success that came with it.

The aim of the book is not to give a detailed description of the implementation of ISO 31000 as it has to be elaborated by the large organizations (with its three pillars: framework, principles and process).

The principles, in fact, are the success factors or success criteria of risk management and serve the ultimate goal: creating and protecting value.

According to the author, the two most important principles are “Integrated” and “Customized”.

The intention is to make the first acquaintance with ISO 31000 more accessible for small and medium-sized organizations. There is therefore no extensive or detailed advice. A number of issues do need to be elaborated before one can speak of full risk management, but the knowledge, skills and resources for this are often already present in the organization. This makes the project bearable for a small organization. For them, this manual is therefore already a first step towards a tailor-made approach.

Let us look at these three steps.

Setting up the Framework: This piece is perhaps the part of the standard that is most open to customization.

After all, the framework must be tailored to the organization; that goes without saying. The author emphasizes two pillars of this, namely leadership and organizational culture. Leadership matters because effectiveness requires a strong and persistent commitment from all levels of management, expressed in a policy document or similar that makes clear what the objectives of the organization are, as well as its commitment. The so-called ETTO principle is important here. ETTO stands for “Effectivity – Thoroughness Trade Off”. There must be a balance between effective business and how well-considered risk management is. If there is too much “thinking through” according to the risk management map, this is detrimental to the effectiveness of the business. If, however, the business leans too far toward effective and efficient action, for example by exaggerating with “lean”, this can harm risk handling and prevention, e.g. by eliminating any form of redundancy. Trade-off actually means that a golden mean must be found. Risk management must therefore be brought within the boundaries of the ETTO principle in the organization, in all its processes and at all levels, in a supported manner. So it must be tailored to the organizational needs and culture.

Furthermore, the author argues that risk management can also be mapped onto all organizational activities as a plug-in dongle.

Setting up the Risk Process: The risk management process must be an integral part of all structures and activities, i.e. of the organization chart, the operations, the business model, and the processes. The framework must therefore, in principle, be reviewed with each change to a business process. However, the core of the risk management process is risk assessment and implementation of the measures: risk identification, risk analysis, risk assessment and risk treatment. This happens in an iterative process. In fact, it consists of two processes: the PDCA cycle for adapting the risk management process on the one hand, and the operational risk management that must take place in all organizational processes and projects on the other.

This risk assessment is discussed in further detail, in terms of possible techniques, in ISO 31010:2009. The decisions that can then be made can be summarized as:

  • Avoid the risk
  • Take or increase the risk
  • Remove the risk cause
  • Change the probability
  • Change the consequences
  • Share the risk with one or more other parties
  • Retain the risk with an informed decision

Parallel to these cycles, reporting takes place, where too many details can cause confusion or a false sense of security. Here, therefore, “less is more” applies.

Implementing and Executing the Risk Management Loop: It is best for several reasons to use the risk management loop during the design and implementation of the (core) processes of an organization: lower costs, less effort, and synergy between the processes and the risk loop. Ideally these processes have already been brought together in a manual of the organization. This risk loop is best integrated into the processes at the start of the process, using information or estimates. It is best repeated when new information is added, new estimates are made, or the process changes. The risk owner for this process or this part of the process is best considered before executing the first steps of the business process, or when an uncertainty influences or can influence the process and its outcomes and objectives.

Reaching a first level of maturity by introducing the risk management loop using checklists will be a gigantic first step towards effective and efficient risk management. An equally large step is possible by moving risk management from a silo activity that simply registers risks on a regular basis to proactive and integrated risk management according to ISO 31000:2018.

Internal Audit must also be integrated, or in other words aligned, with risk management, and that in all areas: all activities and all processes. This also affects the planning of projects, processes and operations. It monitors the execution of the risk management loop within the business processes and activities. Conversely, the results of risk management can influence the planning of Internal Audit.

A risk register is a commonly used method for monitoring, revising, registering and reporting risks.

Continuous Improvement

Applying the PDCA cycle, also known as the Deming cycle, will improve and refine the risk management loop over time. As a result, it will eventually achieve a higher level of maturity. Risk management, like all skills, also requires training, experience, knowledge and expertise, and is also open to continuous improvement, precisely because of the PDCA cycle. This will systematically improve skills by using more complex but better-suited assessment techniques from ISO 31010:2009. (Cf. the 10,000 hours in Malcolm Gladwell, Outliers: The Story of Success, New York 2008.)