Support the strengthening of the EOSC Risk Governance through the implementation of an effective Risk Management System


The European Open Science Cloud (EOSC) is the European Commission initiative aimed at developing an infrastructure to connect Research Data with (e-Infrastructure) Tools & Services, eventually providing its users with services for open science practices. A key objective of the Sustainability Working Group is to provide recommendations and advice for the implementation of an operational, scalable and sustainable EOSC federation after 2020.

The sustainability of EOSC depends not only on sound financial, legal, and business models, but also on governance models that aim to add value for the stakeholders and to encourage, predominantly, the participation of research bodies as well as researchers.

Under the co-creation funding, the Italian team of Aon Hewitt Risk & Consulting produced, over a period of 20 weeks (May-October 2020), a preliminary analysis of the current and future EOSC risk governance.

    Objectives & Challenges

    This study aims at identifying, analysing, and evaluating the main gaps present in the EOSC risk governance structure with respect to Risk Governance best practices, as well as mapping the risk macro areas to support the future implementation of EOSC. The study also proposes some guidelines on how to move forward in structuring and nurturing the risk management governance of EOSC.

    AON studied, analysed, and assessed the governance structure of EOSC, both the interim governance in place up until December 2020 and the future EOSC governance (post 2020), to understand the complex context in which EOSC operates, the variety of stakeholders involved, and the maturity of the EOSC governance systems with respect to the assessment and management of risks.

    The assessment was performed on the basis of official EOSC documents, outcomes of various EOSC events and workshops, benchmark analysis of similar comparable organisations, interviews with key players and stakeholders, as well as drawing on the expert experience of Aon's risk consultants. 

    Main Findings

    It has emerged that the EOSC Risk Governance mission is not limited to linking datasets, federating infrastructures and aligning policies; it starts with harmonizing multiple stakeholders across the European research and political ecosystem, and aligning their mission and their vision.

    AON found human capital very rich in multidisciplinary technical skills, sensitivity to governance issues, passion for the activities to be carried out, and belief in EOSC itself. Moreover, all, or almost all, of the essential pillars for the construction of effective risk management were found to be present.

    The main findings that emerged from the gap analysis, as partially expected, were related to the weakness of the governance process in which competences are not organically integrated and structured for the management of the overall spectrum of risks.

    The main findings that emerged from the gap analysis were:

    • EOSC operates in a context with a high degree of complexity affecting the governance structure. The factors include the organisational model, political influences, transnationality and cross-disciplinary usership;
    • A clear and defined risk governance structure with assigned roles and responsibilities for risk management has not yet been established;
    • Specific policies and procedures supporting the risk governance are lacking;
    • Some skills, experience, and attention to risk governance are present within the organisation, but are far from a synergistic and organic integration within an articulated and rigorous governance framework;
    • Risk management activities for EOSC have been limited to project-based analysis and therefore fragmented across the numerous EOSC projects, which are still ongoing. An overall risk assessment of EOSC has not yet been performed and a reporting process to allow structured decisions on risks has not yet been defined;
    • The missions of the Association and of the EOSC Ecosystem are only partially overlapping.


    EOSC needs to significantly strengthen its Risk Management System, in order to:

    • Increase the value of the EOSC Association and its benefit to stakeholders;
    • Support its business objectives and allow for a more effective use and allocation of capital and resources within the organisation;
    • Achieve the above by protecting the assets, the corporate brand, and the know-how of the key people, and also by optimising operational efficiency.

    Main Recommendations

    The main recommendations are:

    • Launch a comprehensive plan to address the gaps found and define a risk governance framework and organisation. This will be instrumental in supporting the structuring and development process of EOSC itself; such an entity should enrol resources with adequate skills, expertise, and experience in designing and implementing ERM (Enterprise Risk Management) frameworks;
    • Establish a governance structure for risk management that is clear, effective, adequate, and well formalised. Appoint roles and responsibilities across the organisational structure (i.e., Risk Management Control Committee, Chief Risk Officer and his/her team with a corresponding budget, Risk Owners, etc.);
    • Define the EOSC ERM Policies for regulating roles and responsibilities within the risk governance structure. The policies serve as the strategic guidance reference for risk management and regulate the interactions between the different stakeholders;
    • Design a Risk Assessment & Reporting Process that properly analyses all the main risk areas, including strategy and alignment with EOSC's mission and vision, that are affected by the internal and external environment (e.g., politics, economy, technological development, regulations, society etc.), and which also enhances risk intelligence;
    • Map the skills and competences required to perform effective risk management at different levels of the association in order to consider all the fields of competence involved in the initiative (e.g., strategy, economics and finance, ICT technologies, Cyber Security, international relations, regulatory, programme and project management, project risk management etc.) and set requirements for the composition of the risk management bodies in order to assure independence in decision-making.


    AON recommends the following next steps:

    • Set up a small working group that has the necessary commitment and represents a correct mix of skills and representation of stakeholders' interests;
    • Identify a figure with the necessary experience and analysis skills who will guide the project of ERM deployment;
    • Integrate the main recommendations of risk management with the analysis of the interdependencies between areas in the SRIA evolution;
    • Set up and lead a process to continuously analyse and closely monitor the risks that may jeopardise the execution of the identified strategy.