Sketching the relationship between risk (management) and impact (assessment)

Description

For many decades, the concepts of risk and impact, and, consequently, the processes of their analysis (management, assessment), have been used in domains ranging from insurance, corporate governance, technology development, national security to the protection of natural and human environment. Recently, the protection of privacy and personal data has been built on the concept of risk and subjected to impact assessment. Most notably, in the European Union, the General Data Protection Regulation introduced a legal requirement for data controllers to assess the ‘impact of the envisaged processing operations on the protection of personal data’ (Article 35).
Despite the continued growth of the concepts of risk and impact, and of the processes of their analysis, the relationship between them is rather understudied. These are often confused or their differences, if any, are rather ignored, especially in the domains recently subjected to risk or impact analysis. Hence, the need for an in-depth study of this relationship is essential, not only for the integrity of these processes, so that they deliver as honest and as complete results as possible, but also for legal certainty.
Both concepts of risk and impact, and their analysis processes, share a lot of characteristic features, yet, at the same time, they differ significantly. For example, both risk and impact are concerned with the future and the processes of their analysis are similarly structured. Yet, while risk is frequently understood as a possibility of a consequence that is solely negative, impact is often perceived as encompassing also positive outcomes. Risks are usually ‘managed’, impacts are only ‘assessed’, i.e. in the process of impact assessment, a step treating future consequences is deliberately not included and hence left outside. Furthermore, there exist many methods to analyse the impacts and the analysis of risk is one of them.
The data protection impact assessment process is illustrative of this relationship. The General Data Protection Regulation requires employing two methods: first, a legal analysis of proportionality and necessity, and, second, a risk assessment with a list of ‘measures envisaged to address the risks’.
I propose an early list of similarities and differences between risk (management) and (impact) assessment with a view to bring more clarity to the relation between these two closely woven approaches to managing the future. I will draw conclusions about the practical added-value of the operationalising them on parallel tracks, using the domain of personal data protection as an example.

Period	8 Nov 2018
Event title	4th SRA Nordic Conference: Exploring the risk, safety, security and resilience nexus
Event type	Conference
Location	Stavanger, NorwayShow on map
Degree of Recognition	International