
How to manage emerging risks to boost resilience using ERM best practice

By Sam Haslam | April 16, 2024

ISO31050, new guidance on emerging risks, can reinforce your existing enterprise risk management (ERM) framework’s ability to strengthen organisational resilience.

In a more connected and complex world, emerging risks can arise quickly and from unexpected sources. New ISO31050 Guidelines for managing emerging risk to enhance resilience can help you stay ahead.

We examined elements of the new guidance in our insights article ISO31050: Introducing the risk intelligence cycle for emerging risks. In this follow-up article, we look at how to incorporate ISO31050 principles into your ERM approach to enhance resilience in the face of emerging risks.

While there are pitfalls you’ll want to avoid, particularly around duplicating efforts where your current approach is already considering emerging risks, the new guidance represents an opportunity to challenge and enhance your ERM.

One way of approaching this is to ask a series of questions, which we examine in more detail below.

What is an emerging risk?

An effective ERM approach to managing emerging risks begins with a solid definition of what constitutes one. ISO31050, for example, suggests the following definitions:

  • Risks arising from unrecognised changes in organisational contexts
  • Risks created by innovation or social and technological development
  • Risks related to new sources or previously unrecognised sources of risk
  • Risks from new or modified processes, products or services.

This is a useful starting point, but you could make the language clearer and more accessible by defining emerging risks as:

  • Changes to existing risks — circumstances that substantially change the profile of risks you’ve already identified
  • Identifying new risks — circumstances that lead to new risks you hadn’t previously identified
  • Interconnected risks — circumstances that cause two or more risks to combine, happen simultaneously or create a domino effect.

Are you already covering emerging risks sufficiently in your existing approach?

Many organisations will already be considering emerging risks to an extent, but this may not be as thorough, consistent or comprehensive as required for truly effective emerging risk management. An effective ERM approach will assess when a risk is likely to occur.

If your organisation is already doing this, the time horizons you’ve set should encourage those identifying and analysing risks to consider longer-term trends and events with the potential to impact on strategy, operations and beyond.

Establishing a risk review cycle should enable you to be aware of circumstances that have a material impact on those risks already within your risk profile, whether these circumstances are short or long term.

How are you managing substantial changes to existing risks?

The ‘emerging’ element in this case is the circumstance, trend or event causing a risk already on your radar to change substantially. This change could be around either likelihood or impact. An effective ERM approach should account for this and ensure you have robust risk review processes in place to capture these changes.

The review process should trigger risks being escalated through your chain of governance if necessary, for example to the owners of risk and at board level as required.

You can ask the following specific questions to make sure your processes are fit-for-purpose:

  1. Have you established an appropriate risk review frequency, such as quarterly, and do all relevant stakeholders stick to this frequency?
  2. Have you formally documented the requirements on risk review frequency and do you have controls in place to make sure it’s happening?
  3. Do you require your risk owners to conduct more frequent risk assessments if they become aware of circumstances that change your risk profile?
  4. Have you established an appropriate escalation route for risks that become more severe?
  5. Can you identify where incomplete information is leaving you with unanswered questions on a risk, its impact or likelihood? Do you have a process to refine your assessment if this is the case?

How are you identifying new risks?

New risks may be increasing, driven by factors such as artificial intelligence and increasing geopolitical tensions across many parts of the globe. An effective emerging risk process will allow you to spot these risks in good time and to plan and prioritise a response appropriately.

Even established ERM approaches can have blind spots.

Those tasked with day-to-day operations of a team, function or business can sometimes tend towards a narrow or short-term risk focus, targeting the risks they already know over exploring and addressing what’s new. This is particularly true when the risks associated with ‘the new’ haven’t yet hit your organisation. As your ERM approach becomes familiar and embedded, there’s a danger you could fail to look at the bigger picture.

To establish whether your existing ERM approach deals with entirely new risks appropriately, you can consider the following measures:

  • Specifically covering brand-new risks in risk training and risk frameworks
  • Dedicating specific risk review sessions to wholly new types of risk, for example, holding sessions looking at scenarios relating to how you think the world will look in 10, 25 or 50 years’ time and assessing the potential impact on your organisation
  • Instigating a horizon-scanning regime that extends beyond traditional boundaries, focusing on new legislation or financial reporting standards, for example.

By routinely asking what's new and what it means for the business, you can identify new risks earlier.

How are you understanding and identifying interconnected risks?

Emerging risk doesn't have to be truly new, nor does it have to be a material change in one specific risk. It can take the form of a previously undiscovered or underappreciated connection between two or more risks, or circumstances that cause one of these connections to emerge or develop.

For example, you may have identified the practical impact of a cyberattack on your operations, but this could compromise safety systems in your manufacturing environment or impact your supply chain. What impact would inter-related risks have on your recovery times and costs?

Interconnected risk can be especially difficult to identify, record and manage effectively and efficiently. As you add risks to your register, the number of potential interconnectivities begins to grow exponentially. Dealing with this level of potential complexity in a way that gives you actionable insights can be challenging if the structure and format of your risk information is hard to interpret.

Tools such as risk reporting dashboards populated with live risk information can help you more easily filter risk information based on risk category, impact and other categories, which in turn can help you identify and develop connections between risks.

You can also consider more creative approaches, such as surveying relevant stakeholders to capture insight on underappreciated or unforeseen risk connections or creating scenario exercises simulating one or more risks to explore any potential domino effects.

How can you adapt your ERM approach to best incorporate emerging risks?

In the first insight article of this two-part series, we focused on the ‘risk intelligence cycle’ and how its four stages — framing, data collection and analysis, interpretation and application of knowledge — provided a strong foundation for managing emerging risk.

By considering the questions above and ensuring your ERM approach answers them, your organisation can develop a process that incorporates:

  • Stage one: Framing through considering emerging risks from multiple angles and arising from various sources
  • Stage two: Data collection and analysis by asking the questions above to ensure you have a process that captures and analyses data in enough detail
  • Stage three: Interpretation by applying a clear and consistent approach to your risk data, whether existing or emerging
  • Stage four: Knowledge application by following the escalation and action pathways established in your ERM approach, refined through asking the questions above.

Remember, there's no one-size-fits-all approach to identifying, analysing, monitoring and responding to emerging risks. Ensure you take account of your culture, experience, technological capability and colleague attitudes when designing or refining ERM frameworks and processes. A systematic approach reflecting best practice and the specifics of your organisation will help you deliver ERM that incorporates emerging risks to provide long-term value and organisational resilience.

To discover a smarter way to increase your resilience, get in touch with our risk management specialists.
