Tools of Power and the Right to say ‘No’

A critique of risk assessment as a method. By Camila Nobrega and Elisa Lindinger

Do risk assessment processes have the potential to serve as a tool of empowerment, expression and transparent analysis? What role, if any, can such assessments play in guaranteeing the right to say ‘No’ upheld in feminist and territorial struggles? 

This text summarises a discussion held at the Digital Futures Gathering about how risk is assessed in physical infrastructure projects and for digital tools and services. Its aim is to open a debate about how risk is defined and the ends to which its evaluation and assessment are put by corporate or state actors in the context of community-based and feminist activism and resistance. To this end, we compare how risk is assessed in environmental and other terms in both physical and digital contexts.

1. Assessing assessment

Companies assess risk to evaluate the current and future negative impacts of their work or activities, how likely these impacts are, and how they might be mitigated. For example, assessments are undertaken in the course of planning a new road or power plant, or when rolling out a new technology or digital service. Risk assessment processes can focus on risks to individuals, as is usually the case for digital technologies where analyses mainly consider the infringement of rights. They can also take a geographical approach, for example, evaluating impacts on local neighbourhoods, water and air quality in a specific region, traffic or protected species.

Risk assessments are mandatory for companies undertaking physical infrastructure projects. Data protection impact assessments have already become mandatory for specific cases under the EU’s General Data Protection Regulation (GDPR); risk assessments and audits will become mandatory for big platforms and other big service providers under the Digital Services Act. Their purpose is to assess risks such as those mentioned above, and in some cases facilitate deliberation and judgement as to whether a given project should go ahead. While they are required by law and constitute a condition of a company’s insurance, they are neither designed, conducted nor fact-checked by those who are most likely to experience adverse impacts.

This is where, from a perspective founded in community-based and feminist activism, risk assessments fall short and need to be viewed as tools of power.

Because the companies undertaking the project usually set the terms and scope of the risks involved, these assessments have the power to greenwash high impact infrastructure projects and absolve digital projects of responsibility for their impacts. They do this by taking away the legal basis for redress if people or places are negatively impacted to a degree that falls outside of the assessment’s definitions and terms.

This scenario has become increasingly common in the case of environmental risk assessments for physical infrastructure, reducing the possibility for communities and civil society to keep track of accountability. Nevertheless, in the case of digital infrastructure, the notion of risk does not even extend so far. Risk assessments by companies tend to focus on issues such as cybersecurity and system failure, and companies are obliged to trace only a handful of material impacts, as is the case with conflict minerals. What else do we not see in these processes?

Risks in the environmental context
With the growth of environmental movements around the world, the assessment of environmental risk has become a point of concern for large corporations and states when it comes to approving the development of megaprojects. Environmental Risk Assessments (ERAs) outline the potential for a project to create pollution, produce health problems related to contamination, have negative consequences for biodiversity, change water tables and river courses, and affect people’s lives for the worse. 

Development projects frequently involve the displacement of people – especially in the Global South, where the majority of these projects currently happen. However, in the Global North they tend to gain greater visibility in public debate. For example, Elon Musk’s Tesla Gigafactory in Berlin-Brandenburg has attracted attention because of the huge amount of water it needs in a region that, according to analysis by institutes including the Leibniz Institute of Freshwater Ecology and Inland Fisheries (IGB), already suffers from a lack of water. Public debate revealed the different, competing interests behind environmental decisions in terms of accessing water and land. It also threw into relief contrasting private and public needs, not only for the present moment, but also for the long-term. Despite heavy criticism, the factory began operations this year.

The way risk is currently assessed frequently facilitates greenwashing.

Because companies can claim to have accounted for potential harms, they are able to portray themselves as benefactors, even when compensatory actions such as planting trees and improving the services of nearby towns and communities might be stipulated by law or planning regulations. Moreover, when the negative effects of a project are found to be more serious or different to those expected, companies are able to deny responsibility on the basis that since the situation does not match what they measured, the new analysis must be flawed or beyond the scope of their responsibility. This places the burden of proof on those suffering from or pointing out those effects and potentially puts the brakes on crucial action.

Risks in the digital context
When it comes to digital technologies, risks to companies, states and their agencies, such as cybersecurity dependencies and vulnerabilities, are most commonly assessed. Since the roll-out of the GDPR in the European Union, another form of risk assessment has become widely used – Data Protection Impact Assessments (DPIAs). DPIAs build on a risk-based approach as a way for data controllers to enforce compliance, or even over-compliance. As before, this is a closed loop system, with these controllers usually being the same entities that are providing the service or application under scrutiny.

2. A fundamental criticism of the method and its framing

Through our discussion, the inadequacy of how risk is assessed today came into focus. Shortcomings fall broadly into three categories: which actors can weigh in on the risk assessment process, the scope of the assessment, and the methods and processes which the assessment builds on.

The Actors
The relevance of any risk assessment is tied to the actors that have the power to shape them. Both in environmental and digital contexts, this power lies with public administrations and/or businesses which are positioned to frame project narratives and legally influence the scope of an assessment and its definitions. Affected communities might at some point in the process be heard by these actors, but their knowledge and perspectives don’t define project risks, nor how they are assessed as such. This power imbalance is exacerbated by a lack of transparency. It often isn’t clear who the protagonists driving the process are and what knowledge they are acting upon.

The Scope
ERAs tend to focus on impacts in a very localised context, for example, a dam within a valley ecosystem. However, social-environmental justice movements such as EJATLAS argue that impacts are much more widespread and pervasive than what is actually mapped, as can be seen in the case of lithium mining on territories in Chile. The definitions used to assess risk are limited (for example, people are only considered ‘affected’ in extreme circumstances, such as displacement) and since risks are only analysed by individual project, consideration of how consequences can combine and compound with other changes in the same territory is omitted. Recent studies have shown that this fragmentation of scenarios prevents recognition of the broader impacts of projects. For example, questions around product life cycles, waste and recycling often don’t figure in the assessment of production facilities. More than that, the bigger consequences of, for example, people’s displacement, the disappearance of entire rivers and the degradation of quality of life are not easy to measure. Under the tyranny of quantification, they do not appear within these documents.

The hyperlocal lens of risk assessment hides these impacts, which might be extra-regional or even global, and concentrate in regions that are considered peripheral, perpetuating what social-environmental justice movements call ‘environmental racism’.

Risk assessments that are fit for purpose must highlight these hidden impacts and account for where impacts overlap, intersect and amplify each other. 

By contrast, digital risk assessments focus less on production processes and more on how consumer rights are impacted. Consideration of impacts is reduced to a highly individualised level and the central assumption is clearly that all things digital exist only in ‘virtual’ contexts, detached from localities. While digital communities might constitute themselves differently to local communities, they still exist and are just as distinct and closely-knit – no matter how hard corporations claim it is to identify them or the different ways they might be affected, nor how far they go in commodifying the word ‘community’. In this sense, it is important to emphasise that the digital is physical – there is no separation between a digital community and a physical community. They occupy the same place in the world and should be treated the same.

As a shared denominator, risk assessments are tied to specific proposals of action, be it the development of an industrial site or the creation of a digital service. Their scope is the proposal at hand, while potentially viable alternative approaches are out-of-scope. As a result, they don’t necessarily answer which proposal is best suited to solve a problem but rather evaluate in a vacuum the extent of the risks carried by a specific solution.

Methods and Process
The way risk is currently assessed results in a number of limitations that are relevant to social justice issues. First and foremost, long-term impact is, by definition, hard to project and measure, and is disregarded by most assessments. The concept of intergenerational risk is lacking entirely from assessments of digital technologies and basic approaches can suffer from ‘threshold thinking’, meaning that a proposal is considered sound if enough boxes are ticked and a certain number of specific risks are mitigated. The right to say ‘No’ to new developments is usually denied – a fact which many organisations such as WOMIN are working hard to change.

3. Conclusion and Outlook

While the formalisation of risk assessment and management has been a victory for the public interest in terms of enhanced accountability, the implementation of development projects and their documentation have come to reduce complexity in misleading ways and favour those already in power. Here, we have observed the general features and patterns of mandatory environmental risk assessments for projects in which physical impacts are recognised, and of risk assessments for digital tools and services.

Still, we must recognise that there is no separation between the physical and the digital, and in both cases there are environmental impacts.

That is also to say that physical infrastructures impact digital infrastructures and vice versa. How then can these development projects be evaluated jointly, considering all elements, with no boundaries between the digital and physical? How does the environment become a transversal topic in the assessment of risk?

The conclusion of our discussion was not to improve risk assessment processes as they are carried out today, but to develop feminist and community-based tools to stop the machinery behind them.

To work towards this, we compiled a non-exhaustive list of approaches and questions that we would like to see explored:

– Assessments of risk need to be iterative, not linear. How can we make such intensive processes accessible and relevant to the people who are most likely to be affected? How can we make sure that redress is possible?

– Forms don’t work. Assessments have to be unique to each context. What are examples of good practice?

– Models developed in the Global North do not work for the Global South, although they have historically been implemented that way.

– What role should consensus play in the process of evaluating risks?

– Conceptions of risk should speak to reparation. The impacts of colonialism need to be actively mitigated by the recommendations and actions that assessments of risk give rise to.

– Impacts, like communities, are not isolated or fragmented. Risk also needs to be contextualized in this way.

– The precautionary principle states that if a product, action or policy is suspected of risking harm to the public or to the environment, preventative or protective action should be supported before proof of a risk is ascertained.


Camila Nobrega is a Brazilian journalist and researcher working on megaprojects and social-environmental justice through Latin American feminist and queer perspectives. She is currently a Ph.D. candidate at the Gender Division at the Free University of Berlin.

Elisa Lindinger is Co-Founder and Joint Managing Director of Superrr Lab.