11th Meeting of the Community of Users On Secure, Safe and Resilient Societies Urban Critical Infrastructures
7th June 2018 Brussels, BAO Congress Centre (rue Félix Hap 11, 1040 Brussels)
From EU projects to international standards: Bridging the gap between the world of research and the world of standardization in the area of safe and
resilient societies
EUROPEAN COMMISSION Community of Users on Secure, Safe and Resilient Societies
A. Jovanovic
Steinbeis Advanced Risk Technologies, Stuttgart, Germany
University of Stuttgart – ZIRIUS, Stuttgart, Germany
EU-VRi – European Virtual Institute for Integrated Risk Management, Stuttgart, Germany (Liaison ISO)
Notes
Note: only the 5 selected slides will be shown at the opening – all others will be used for discussion, if appropriate and/or needed
Note: as per mail of May 25, 2018 (Ph. Quevauviller):
“…we do not want project presentations but rather considerations expressed by different actors on the panel topics which are highlighting trends, gaps and perspectives from different angles (policy, science, industry, practitioners) if at all possible…”
and
“… panelists … advised that due to time constraints PowerPoint presentations will be discouraged…”
From a longer (“EU”) list of “common issues”:
… Big idea behind some projects? How do they support society, citizens, the EU and stakeholders? Actions / way forward? Here: ResiStand, SMR, SmartResilience…
How do DRS project deliverables contribute to the security standardization vision/mission? Here: CWA 91:2018, ISO 31050…
DRS projects: Benefits, Difficulties, challenges, achievements, lessons learned, …
Here: Bridging the gap between the “two worlds”: Two types of standards for DRS projects…
Addressing some of the “common issues” in the EU projects
Two types of standards: “after” vs. “upfront”
TWO TYPES OF STANDARDS!
1. Standards UPFRONT
Created BEFORE the best solution is found
Framework-oriented
Collaboration-oriented
Best network performance oriented
Public interest driven
Public and MULTIPLE DOMAIN experts oriented
2. Standards AFTER
Created AFTER the best solution is found
Product-oriented
Production-oriented
Best single-performance oriented
Industry-driven
High level SINGLE DOMAIN experts oriented
Standards by experts and/or for experts
What types of standards do we talk about?
Example: Comparison of US vs. EU standards – one of them is probably over-conservative (“wasting money”) or not safe enough!
Adapted from: Security-related standardization: supporting research and governance needs. A. Poustourli; EU
Today – Standards FOR the society
ISO 14xxx Environment
ISO 223xx – Security/Resilience
ISO 26000 – Corporate Social Responsibility
ISO 27xxx – IT security
ISO 31000 – Risk Management
…
What types of standards do we talk about?
Figure: three risk-management frameworks side by side.
ISO 31000 Framework: Establishing the context; Risk assessment (Risk identification, Risk analysis, Risk evaluation); Risk treatment; with Communication and consultation and Monitoring and review running alongside all steps.
IRGC Framework: Pre-assessment; Appraisal; Characterization and evaluation; Management; Communication across all phases; categorizing the knowledge about the risk (Understanding / Deciding).
iNTeg-Risk Framework: 1. Early warnings – notions; 2. Context & concerns; 3. Identification of risk scenarios; 4. Pre-assessment; 5. Analysis (appraisal/assessment); 6. Characterization; 7. Evaluation of tolerability & acceptability; 8. Management & decision (treatment); 9. Communication and consultation; 10. Monitoring, review & continuous improvement. Grouped into Emerging Risk Horizon Screening, Emerging Risk Pre-Assessment and Emerging Risk Assessment.
Resilience: Standardizing what? Two types of standardization issues – also for DRS!
Standardize:
• Frameworks
• Procedures
• Processes
• Formats
• INDICATORS
• …
After © Renn 2011
RESILIENCE!
Figure: type of risk / resilience issue vs. level of stakeholder participation.
Simple / Instrumental: find the most cost-effective way to make the risk acceptable or tolerable. Participants: Agency Staff.
Complex / Epistemic: use experts to find valid, reliable and relevant knowledge about the risk. Participants: Agency Staff, Scientists/Researchers.
Uncertain / Reflective: involve all affected stakeholders to collectively decide the best way forward. Participants: Agency Staff, Scientists/Researchers, Affected stakeholders.
Ambiguous / Participative: include all actors so as to expose, accept, discuss and resolve differences. Participants: Agency Staff, Scientists/Researchers, Affected stakeholders, « Civil society ».
Why is it all so important for DRS projects? Because of the risk aversion paradox and the “trust gap”!
Figure: number of accidents over time. Successive drivers: technology improvement, safety management systems, safety culture, safety behavior. Phases: 1. Quick success; 2. Constant improvement; 3. Saturation. Beyond saturation: RESILIENCE! Open questions on the curve: risk aversion? The “trust gap”?
High standardization costs
Lack of understanding the benefits
Long standardization projects
Complex standardization procedures
Competition instead of collaboration
Closing the “gap of trust” by standardization of “type 2”
Conclusions: DRS must master the standardization challenges of…
Closing GAP OF
KNOWLEDGE
Closing GAP OF POWER & MANUFACTURING
Closing GAP OF
INFORMATION
Closing GAP OF TRUST?
Current efforts within the CoU/DRS: perspective
Pre-standardization
•ResiStand (roadmap, RAF, process)
Pre-normative (ERNCIP)
•RN
•CB Water
•ExEF
•DEWSL
Standardization CEN
•WG1, 2, 3 …
Standardization ISO
•SmartResilience ISO 31050
Adapted from: Security-related standardization: supporting research and governance needs. A. Poustourli; EU
1. „We run the era where for many people and for many sub-sectors, GDPR is considered as de facto global Standard similar to many IT standards” – Can we have such EU-standard-like docs for other DRS-relevant areas?
2. E.g. like ISO 26000 and the Global Reporting Initiative G4 Sustainability Guidelines? A “GRI-G4” of resilience?
3. An opportunity of promoting the EU as an actor in Global Governance: EU Resilience Governance beyond the State – global problems demand global solutions
4. We already have a lot – newest: CEN/WS 91 (City Resilience Development – Maturity Model), or under preparation (ISO 31050)
1. Virtually all projects include standardization in one way or another
2. Project ResiStand produced a mapping of needs/gaps (http://www.resistand.risk-technologies.com/home.aspx?lan=230&tab=2942&itm=2942&pag=3003)
3. Some projects produce pre-standardization documents (e.g. CWA 91 in the SMR project: http://smr-project.eu/fileadmin/user_upload/Documents/Resources/WP_6/2018-03-28_D6.5_Draft_CEN_Workshop_Agreements.pdf)
4. SmartResilience kicked off the ISO NWIP (New Work Item Proposal) ISO 31050 “Emerging Risks & Resilience”
Current efforts within the CoU/DRS: examples
Just some hints from past experience
Standard development (naturally!) comes at the end of the project – no time, no money for standardization available! Solution: do one bit of standardization per project, in “concatenated projects”. Examples: BE5935 > RIMAP > CWA 15740 > SafeLifeX > EN 16991; iNTeg-Risk > CWA 16449 > SmartResilience > ISO 31050
Standard(s) cannot be “ONE project oriented”; they need alignment ACROSS THE PROJECTS and activities… Solution: “Think big, start small”! Example: Resolute + SMR CWA 91 + SmartResilience ISO 31050 / Tools
Possible solutions for time, cost and alignment issues in EU projects?
Figure: SmartResilience / ISO 31050 and the SMR project / CWA 91, linked as an add-on.
Example: ISO 31050 (ISO/IEC NP 31050): Guidance for managing emerging risks to enhance resilience
TC 262: Q&A Session (WebEx), May 7/8, 2018, including notes from the discussion
Figure: functionality level of the infrastructure vs. scenario time around an ADVERSE EVENT, with points J, K, L and the STRESS-TEST LIMITS marked; conventional risks (?) vs. emerging risks (???).
… manage emerging risks to enhance resilience – The problem (in other words, i.e. a picture!):
common protocols, definitions, indicators, …
ISO 31050, extending ISO 31000: INTEGRATED CONCEPT, METHOD, TOOLS!
Figure (same curve, annotated): functionality level of the infrastructure vs. scenario time around an ADVERSE EVENT, with J, K, L and the STRESS-TEST LIMITS marked, and the labels Known Risks (ISO 31000), Emerging Risks (new, unknown...) and Resilience (ISO 223xx) added; conventional risks (?) vs. emerging risks (???).
… managing emerging risks to enhance resilience – The problem (in other words, i.e. a picture!):
Why is this a standardization issue (“what needs to be standardized in order to solve the problem”)?
1. COMMON terminology, protocols (procedures) and templates are needed. E.g.: the emerging-risk horizon scanning procedures need to be compatible if the results of a scan from institution A are to be comparable to those of institution B.
2. The terminology, protocols (procedures) and templates need to be both GLOBAL/INTERNATIONAL and NATIONAL (ISO 31050 will build on existing and/or currently developed terminologies – e.g. in TC 262 and TC 292 – but protocols and templates are yet to be developed).
3. The procedures have to result in common RISK & RESILIENCE INDICATORS. E.g.: the number of accidents has long been an indicator in occupational safety, but only after the global agreement that it should be measured per 1,000,000 working hours did it become possible to compare and benchmark practices.