IRGC has issued a number of publications exploring how its risk governance framework can be applied in various contexts and making recommendations for appropriate strategies. IRGC’s report on risk governance in nanotechnology is a good example (IRGC, 2007). The organization’s reports are prepared by experts from around the world, and are intended to incorporate conflicting opinions in order to reach an objective result.
Suzanne Servis, Director of the Risk Management Program at the National Institutes of Health (NIH), explained how NIH understands and manages risk. NIH’s general experience has been that outstanding management practices are essential to sustainable scientific innovation. Scientific merit is addressed through many internal and external processes at NIH, so the focus of risk management is on operational areas that support science such as finance, grants, information technology, radiation safety, and animal welfare.
A basic concept is that risk is the uncertainty around a future outcome. Framed in this way, risks are all around, and risk management is a continuous process. If risks are not managed effectively at research organizations the result can be a loss of public trust. Possible dangers include not allocating resources to address the higher priority risks, and complacency that might come from the mere existence of systems and processes in a given area. Looking at NIH’s structure, risks can come from intramural or extramural projects, ethics, facilities, and human resources.
Ms. Servis reviewed several areas of possible risk. Examples include inadequate human subjects protection due to faulty protocols or informed consent procedures. Problems might arise in extramural research if information is not disseminated within the grantee institution. Samples and other assets might be lost if the proper temperature and humidity conditions are not maintained in storage facilities. Policies and structures may not be in place to address risks, such as Institutional Review Boards (IRBs). Information technology security policies put in place to protect private information and maximize data integrity may not be adequate. Are these evaluated proactively in order to see how they are working, or only reactively in response to a breach?
NIH’s risk management approach has a number of goals: (1) Support the NIH research mission and vision, (2) Provide a consistent and cross-