Emerging risks: how are businesses managing their blind spots?
Organisations need to horizon scan – moving far beyond their
principal or material risks – to consider their uncertainties and
emerging risks. While managing “known” unknowns is
fundamental, forward-thinking firms will also have a framework for
their “unknown unknowns” as they strategise and build
organisational resilience.
Download the guide:
Emerging risks: how are businesses managing their blind spots?
As risk leaders focus on optimising horizon scanning to further enhance their organisational resilience, many will be asking the same question: how do I know what I don't know?
While this question seems impossible to answer, it has formed the basis of much debate among risk leaders in our membership, all of whom are striving to be better prepared - and more resilient - to the challenges posed by emerging risks.
Based on the shared knowledge and experience of risk managers in our network, this article presents a high-level overview of the key steps and initiatives businesses are implementing to identify, monitor and manage emerging risks. Just jump to the relevant section to get started.
1. What is emerging risk?
|
a. Emerging risk definition
Like any other risk to a business, an emerging risk can represent one of two things: a threat to the achievement of objectives, or an opportunity to meet (and even exceed) those objectives. Further to this, an emerging risk also develops in areas where the body of available knowledge is weak. This may be a new risk that evolves in a context familiar to the organisation; a known risk that changes based on the development of new context; or a new risk altogether that the business has not previously considered or factored into the setting of objectives. |
b. What's the difference between an emerging risk and a principal risk?
Principal/material risks are typically those key risks that are currently being controlled and reported on – both internally to senior leaders and externally via the organisation’s annual report. Usually, these risks are very well known to the business and are factored into strategic planning processes.
Furthermore, businesses tend to set risk appetite for each of their principal/material risk areas and use key risk indicators to monitor whether they are exceeding the limits of their agreed appetite.
For emerging risks, which are not usually well known to the business, the same level of control cannot be applied. How can you control a risk if you are not sure how or where it will impact the business? Also, while many organisations highlight the key areas of emerging risk that they are monitoring in their annual report, this is not a requirement.
Over time, through monitoring and assessment by the business, an emerging risk can become a principal/material risk, at which point appetite may be set and greater controls implemented. For instance, if the risk is monitored for a period of time, during which the business is able to build a sufficient body of knowledge about the potential likelihood and impact of the risk, this may become material.
Until this stage though, businesses monitor emerging risks to see how they will develop. It is important to note that emerging risks can often be unpredictable, particularly those based around events that are external to the business.
c. Additional definitions that may be useful
Disruptor Black swans A highly likely, high-impact yet neglected risk or threat – a question not of ‘if’ but ‘when’. Can be categorised into changing (e.g., imminent regulatory change), recurring (e.g., financial crises), meta (systemic factors that affect ability to manage grey rhinos e.g., resources) and unidentified (a risk where the problem is not fully understood e.g., artificial intelligence). |
d. Why are risk leaders placing such importance on emerging risk?
Most companies manage emerging risks to some degree, but because they are so uncertain and information is limiting, formalised emerging risks frameworks are uncommon or (if they do exist) lacking in sophistication. With this in mind, we've recently launched our Emerging Risk Maturity Model - a service that not only tells you where you are on a maturity scale, but benchmarks you against your peers and supports you with actionable steps for improvement.
A focus on managing emerging risks two or three years into the future – often driven by executive management worrying more about nearer-term, pipeline risks – could mean that those longer-term emerging risks on the horizon are ignored. Nevertheless, a business that is unprepared for what is coming over the horizon is unlikely to be an adaptable, resilient business.
Key reasons risk leaders are prioritising emerging risks:
|
e. What are some of the top emerging risks businesses are monitoring today?
Based on data from our Horizon Scanning Tool, which uses AI to identify trends in the emerging risks that organisations are reporting on, we have identified the top emerging risks of 2023 compared to 2022.
Trends:
- Regulation - this remains the most reported emerging risk theme (as of the end of 2023). Of all the emerging risk themes reported under the Legal category in the Horizon Scanning Tool, Regulation accounted for 75% of them. Examples include environmental regulation (e.g. new legislation around sustainability reporting), financial reporting requirements and regulation relating to the use of A.I.
- Geopolitical tensions - rising from fifth in 2022 to second in 2023, as a result of ongoing and escalated conflict in Ukraine and Gaza, and the effects of Brexit still filtering through to FTSE-listed businesses, geopolitical tensions is a significant riser on the top emerging risk themes. Other geopolitical risk factors include the rise of populism and nationalism, and increasing competition for resources.
- Pace of technological advances - the speed at which new technology is being developed remains a top emerging risk theme for organisations, with almost a third of emerging risks reported under the Technology category aligning to the pace of technological advances. Key focuses in this area for organisations include the rapid digitalisation of operational technology environments and potential disruption, and the impact of automation on the workforce.
2. How do you identify and assess emerging risks to your business?
|
a. Determine critical attributes of the business
Many organisations will identify, assess, manage, and control their material and principal risks against two core areas:
- operational objectives – to maintain the ability to deliver products and/or services to customers
- strategic objectives – to pursue opportunities and mitigate threats that could prevent the fruition of these goals.
Given the severity of losses that could surface from an emerging risk, it is also important to assess how emerging risks will affect the above areas.
One of the first key steps in identifying emerging risks is identifying the critical attributes to achieving both strategic and operational objectives. This should highlight potential disruptors and areas where the business is more vulnerable.
Some attributes that businesses may want to evaluate include:
|
Depending on the size of the organisation, risk functions typically select a limited number of critical attributes and work on linking them to their strategic and operational objectives. These attributes must be agreed upon by key stakeholders, documented, and clearly communicated to the business.
How mature is your activity surrounding the determination of critical attributes compared to your peers? Request to participate in our Emerging Risk Maturity Model.
b. Identify disruptors to critical attributes
Rather than focusing on the cause of an emerging risk, which could be hard to predict or out of the business’ control, more mature organisations are viewing emerging risks as disruptors to the critical attributes already identified, which makes any potential threat (or, indeed, opportunity) clearer.
In order to identify these disruptors, a comprehensive analysis of the emerging risk landscape – using a range of tools and techniques – is crucial. Also important to this process is:
- finding people with the right organisational knowledge (senior, but close enough to the business to know it well)
- sourcing data from a wide variety of stakeholders and sources.
There's more on the importance of external stakeholders' expertise in the next section.
Risk leaders are using the following methods to identify disruptors:Reviewing megatrends By connecting megatrends to the specific context of an organisation, a risk manager can steer employees and senior leaders away from viewing the strategy of the business in isolation, emphasising instead how vulnerable – or robust – the business (and its objectives) can be to external factors. Risk foresight planning This sets the right tone for conversations with the business – during workshops, for example – and gets them to think about how those outcomes could impact them. Foresight planning works by looking at the present (what is currently happening) and the future (what might happen), before working out a strategy to move between the two realities. More specifically, the aim of foresight planning is to expand the minds of participants and get them to imagine multiple futures, uncover blind spots and, ultimately, identify emerging risks. Horizon Scanning Tool
|
For an example of how the Emerging Risk Tool can be leveraged to identify emerging risks impacting a specific sector, with the tool covering all industries from retail to big tech, see our article on emerging risks and blind spots for digital companies.
c. Leverage external stakeholders and outside expertise
Risk leaders in our network agree that external subject matter expertise – for example, specialist industry knowledge – is a key component of an optimised approach to identifying emerging risks.
However, specialist knowledge may not exist within the organisation. Take the case of climate change, as an example. As highlighted in our Horizon Scanning Tool, climate change is one of the major emerging risks for companies in the past three years but a lack of understanding of the threats and opportunities that may arise from transitioning to clean energy, or deciding a suitable pathway to reduce emissions, could inhibit the business’ ability to identify the relevant risks.
Therefore, consulting with subject matter experts on the topic of climate change and energy transition – whether they operate in your sector or beyond – can help frame the issues at hand in a way that is clearer for the business.
Equally, it can be easy to develop tunnel vision if you only look internally for expertise on the different types of emerging risk that present themselves to businesses. An external perspective can help to overcome biases within the company and provide a second opinion that enables the business to look at emerging risk from a different perspective.
d. Assessing emerging risks
Once you have identified a range of emerging risks that could disrupt critical attributes of the business, the next step is to evaluate those risks and determine which, if any, could give rise to principal/material risk exposure. A key tip here, from risk leaders who have been through the process, is to focus more attention on the impact these risks could have, rather than how likely they are.
Given that an organisation will find it difficult to accurately define the likelihood of an emerging risk – remember, the body of available knowledge about these risks is weak – depending too much on an assessment of likelihood could leave you vulnerable. Also, bias is more likely to affect your assessment of likelihood than impact, making the former even less reliable.
In any case, no methodology for assessing emerging risks will ever be perfect and there is no one-size-fits-all approach. Furthermore, no risk leader or business can accurately predict the future to the tiniest detail. Instead, you may want to consider evolving your approach as new information becomes available.
2 techniques risk teams are using to assess their emerging risksStress-testing scenarios How can you know whether an event or series of events that hasn’t occurred yet will affect your business? One way to assess the potential impact of a scenario is to stress-test it, which you can carry out via exercises in workshops. Key questions you may want people to consider include:
SWIFT analysis The Structured What If Technique (SWIFT) looks to checklists, past incidents, and guidelines to address some of the “what if” questions above. By answering questions, the risk team can assess the likelihood, consequences and velocity of potential scenarios. |
Featured resource:
3. How do you monitor emerging risks and keep them under control?
|
a. Determine the correct indicators for emerging risks
While key risk indicators (KRIs) may be used to inform a business that it is approaching the limit of its appetite for a certain kind of risk – before it can start to impact the business in a negative way – indicators for emerging risks work differently.
Instead of informing the business that it is moving beyond the limits of its risk appetite, an emerging risk indicator is a much earlier signal that suggests when a potential disruptor to the business is about to emerge as a material risk. These indicators should include much more sensitive triggers (or thresholds) that ensure there is enough time for the business to mount an effective response should that risk begin to move.
The first step is to establish a broad watchlist of different emerging risks that can be categorised and linked to the potential disruptors already identified (see previous section). While you may want to focus on emerging risks in the strategic category, as these will have a bigger impact on the long-term future of the organisation, lots of risk leaders’ watchlists also factor in some rapidly changing risks that could emerge at a high velocity.
When determining which indicators to use, you should approach each risk on the watchlist as requiring its own individual signal. To ensure they are useful, sit down with the relevant subject matter expert(s) in your organisation to determine which signals may be appropriate for monitoring that particular emerging risk – their insight will be valuable.
As mentioned in the previous section on outside expertise, bringing in views from other parts of the business and externally can also help to challenge viewpoints and make sure the risk is holistically understood.
b. Collect and use data to track the status of emerging risks
Once you have set your indicators and thresholds, how can you monitor these so that you know when they have been reached or even surpassed?
At this stage, you will likely want to identify sources of information which:
- provide a balanced view of a situation
- are updated regularly
In the case of the latter, a cost-benefit analysis may be required to determine whether a certain information source is worth using (for example, a subscription service, or hiring a third party to conduct analysis).
In most cases, sources of information used by businesses will provide qualitative and subjective data that is difficult to present on a standard likelihood-impact risk matrix. However, there are advanced tools such as natural language technologies that leverage AI to provide a more scientific view of the events taking place in a business’s external environment. For instance, as social media becomes increasingly powerful, natural language can be deployed to analyse a vast range of posts and gain updates on major events before they break elsewhere.
On the other hand, given that most of the data businesses collect will be qualitative in nature, there needs to be a simple repository in place for people across the business to document their observations. Without this, it is difficult to synthesise all the information generated about the different emerging risks facing the organisation.
For a summary of the key steps involved in the signal creation and monitoring process, see the diagram below.
c. Review indicator thresholds regularly
The usefulness of any system or indicator that is not consistently reviewed will inevitably decline, so make sure to regularly assess whether the thresholds that have been set are still appropriate. For example, have the objectives of the business changed to the extent that emerging risks that may have impacted them before no longer will? Or perhaps the business has decided to pursue new ventures, which makes it more vulnerable to emerging risks?
Equally, the global context surrounding the business may have changed. This is particularly relevant to emerging risk indicators, as the availability of new information and fresh developments in a certain risk area will demand another look at the thresholds.
The other reason to review thresholds regularly is to determine whether they have been met. This may sound obvious but it is not uncommon for a business to stand up frameworks and then neglect them as priorities shift.
d. Respond to triggers when activated
Some organisations only define specific thresholds for certain signals, relying on internal expertise to identify when the limit has been reached for the rest, while others take a more comprehensive approach. In any case, there needs to be a plan in place when triggers are activated. One example of this is a three-pronged approach that covers a range of different responses: no-regret moves, optional moves and big bet moves.
In the approach visualised above, the executive committee make a decision and trigger actions before handing over responsibility to the strategic programme owners. These owners then follow the organisation’s governance framework around strategic and sub-strategic initiatives to operationalise the changes decided upon at the executive level.
Other organisations use their own escalation matrix to decide if action is required, usually considering both urgency and the degree of impact the event is likely to have on the business. This matrix is normally based on pre-agreed thresholds, which provide management with a sense of comfort and prevents the escalation of too many – or, indeed, not enough – emerging risks.
e. Set accountability for monitoring emerging risks
Ultimately, monitoring emerging risks won’t be effective unless people in the business – or, more specifically, risk owners – feel responsible for the emerging risks relevant to their department. It is not usually the default responsibility of the risk team – their role tends to focus more on highlighting relevant emerging risks to the board and facilitating discussion around them across different levels of the business.
It is advisable to attribute each risk on the emerging risk watchlist to an internal subject matter expert. Their responsibility should be made clear: as the risk owner, they must take responsibility for updating the business on any events or developments that may cause this emerging risk to become material to the organisation.
Featured resource:
How are the most mature businesses managing emerging risks?
This article explores how these organisations identify, assess and monitor emerging risks, based on our new Emerging Risk Maturity Model.
4. How should you report on emerging risks and use this to take action?
|
a. Integrate emerging risk into your risk reporting framework
Most businesses will report to the board and audit and risk committee (ARC) on the impact of emerging risks, but few will drill down deeper to cover the consequences, causes and possible mitigations. According to our recent global benchmark, less than half of the companies we surveyed provide this level of detail.
Moreover, our comparison of more than 50 companies, found that emerging risks featured less in risk reports to the board than in reports to the ARC.
This highlights an opportunity for many organisations to further integrate emerging risk into their risk reporting procedures. For instance, benefits include:
- Improving engagement with the board and executives on emerging risk
- Embedding the importance of organisational resilience in the minds of executives, as well as the agenda of the board
- Allowing the business to be responsive to events on the horizon, rather than reactive once they arrive
The challenge for risk leaders is ensuring added value while avoiding information fatigue and overwhelming executives and the board with too much detail.
3 tips from risk leaders on how they've optimised their emerging risk reporting1. Only include relevant elements in your report 2. Place emerging risks in the context of business strategy 3. Be transparent about how the emerging risk framework works |
b. Present information and data about emerging risks visually
Demonstrating the status of emerging risks and their potential impacts in a visual way has proven a successful reporting technique for many risk leaders.
Risk radar
In the risk radar below, you can see how emerging risks have been integrated into the visual reporting of principal/material risks. Reporting will no doubt focus on those Tier 1 risks (those closest to the centre) but risk teams should refer to this radar in conversations with the board to ensure they are aware of the risks, who is responsible, and whether the risk trend is on the rise.
Explore risk radars in our free download: |
Moodboard of risks
Another method to visually display the range of emerging risks is to create a moodboard. In the example below, external risks are plotted above the line to highlight that they come from outside of the business, while the associated responses or actions that spring off them are internal. You can also use a coloured key and different icons to visually categorise these risks.
Although visuals alone won’t be enough to get the board and executives fully engaged with emerging risks, these techniques can enliven conversations on the range of threats and opportunities these risks present, boosting engagement with decision-makers.
Emerging Risk Maturity ModelForward-thinking risk leaders are looking for ways to develop their emerging risk management processes and benchmark their maturity against other businesses. To support them in this mission, our Emerging Risk Maturity Model provides an iterative process for enhancing that maturity, regardless of their current level. See how it works in this short video:
The Emerging Risk Maturity Model is available as part of membership to the Risk Leadership Service. But, for a limited time, we're inviting the emerging risk lead at large multi-national organisations in Europe, Australasia and the Middle East to participate in the self-assessment, in order to further enhance the benchmark for our members. Of course, you'll receive the benchmark report when you participate. Find out more and request to participate here. |
c. Report on emerging risks externally
Although it is not a requirement for businesses to report on emerging risks externally (i.e., via their annual report) many companies do reference the emerging risks they are thinking about. Why might companies do this, even if they aren’t required to?
Organisations want their external stakeholders to feel comfortable in the knowledge that the business is considering risks that are developing but not yet material to the business. This is especially true if these risks relate to external factors already being reported in the news or online.
Equally, regulators, customers and the wider market may have eyes on the business. Making clear what the emerging risks are and how the business is managing them, gives these parties confidence that the organisation has plans in place.
Emerging risk topics are also covered by organisations such as the World Economic Forum (WEF) and European Commission. Referring to these documents may help you identify emerging risks you may have missed. Of course, we collate these emerging risk topics with many other sources in our Horizon Scanning Tool.
d. Use emerging risk reporting to make strategic decisions
Ultimately, risk leaders want their reporting to prompt action from decision-makers and guide changes in strategy.
Emerging risk reporting should be used to challenge assumptions that were made when the business initially outlined its strategy. For example, has a geopolitical event or growing reputational hazard shifted the expectations of the organisation, requiring an adjustment to its strategy? If your strategy is too restrictive and won’t allow you to change direction, this could affect the resilience of the business if the worst-case scenario should occur.
Instead of thinking strategy-forwards (setting goals and implementing a supporting action plan) emerging risks can be assessed to form potential scenarios and help you work backwards: if an event transpires in the future, will the actions you are taking now prepare you for it?
Although businesses can’t be ready for everything – especially black swans – reporting on emerging risks through this lens will ensure that your strategy is flexible enough to drive the business towards its objectives whilst being adaptable should a range of possible scenarios become a reality.
As part of this process, you can build in constraints that require senior leaders and the strategy function to think differently about how they would overcome a certain problem. For example, what if you lost a sizable portion of your customer base? Emerging risk assessment can help you form the basis of these questions and make the business more resilient.
We hope you've found this article a useful introduction to Emerging Risk. It contains just a fraction of the guidance and case studies put together through knowledge sharing with Risk Leadership Network's community. Take a look at our membership options to see how joining us could help you bring your risk management to the next level.
More on emerging risk2. Explore the Horizon Scanning Tool 3. Find out more about our Emerging Risk Maturity Model |