In a more connected and complex world, emerging risks can arise quickly and from unexpected sources. New ISO31050 Guidelines for managing emerging risk to enhance resilience can help you stay ahead.
We examined elements of the new guidance in our insights article ISO31050: Introducing the risk intelligence cycle for emerging risks. In this follow-up article, we look at how to incorporate ISO31050 principles into your ERM approach to enhance resilience in the face of emerging risks.
While there are pitfalls you’ll want to avoid, particularly around duplicating efforts where your current approach is already considering emerging risks, the new guidance represents an opportunity to challenge and enhance your ERM.
One way of approaching this is to ask a series of questions, which we examine in more detail below, namely:
An effective ERM approach to managing emerging risks begins with a solid definition of what constitutes one. ISO31050, for example, suggests the following definitions:
This is a useful starting point, but you could make the language clearer and more accessible by defining emerging risks as:
Many organisations will already be considering emerging risks to an extent, but this may not be as thorough, consistent or comprehensive as required for truly effective emerging risk management. An effective ERM approach will assess when a risk is likely to occur.
If your organisation is already doing this, the time horizons you’ve set should encourage those identifying and analysing risks to consider longer-term trends and events with the potential to impact on strategy, operations and beyond.
Establishing a risk review cycle should enable you to be aware of circumstances that have a material impact on those risks already within your risk profile, whether these circumstances are short or long term.
The ‘emerging’ element in this case is the circumstance, trend or event causing a risk already on your radar to change substantially. This change could be around either likelihood or impact. An effective ERM approach should account for this and ensure you have robust risk review processes in place to capture these changes.
The review process should trigger risks being escalated through your chain of governance if necessary, for example to the owners of risk and at board level as required.
You can ask the following specific questions to make sure your processes are fit-for-purpose:
New risks may be increasing, driven by factors such as artificial intelligence and increasing geopolitical tensions across many parts of the globe. An effective emerging risk process will allow you to spot these risks in good time and to plan and prioritise a response appropriately.
Even established ERM approaches can have blind spots.
Those tasked with day-to-day operations of a team, function or business can sometimes tend towards a narrow or short-term risk focus, targeting the risks they already know over exploring and addressing what’s new. This is particularly true when the risks associated with ‘the new’ haven’t yet hit your organisation. As your ERM approach becomes familiar and embedded, there’s a danger you could fail to look at the bigger picture.
To establish whether your existing ERM approach deals with entirely new risks appropriately, you can consider the following measures:
By routinely asking what's new and what it means for the business, you can identify new risks earlier.
Emerging risk doesn't have to be truly new, nor does it have to be a material change in one specific risk. It can take the form of a previously undiscovered or underappreciated connection between two or more risks, or circumstances that cause one of these connections to emerge or develop.
For example, you may have identified the practical impact of a cyberattack on your operations, but this could compromise safety systems in your manufacturing environment or impact your supply chain. What impact would inter-related risks have on your recovery times and costs?
Interconnected risk can be especially difficult to identify, record and manage effectively and efficiently. As you add risks to your register, the number of potential interconnectivities begins to grow exponentially. Dealing with this level of potential complexity in a way that gives you actionable insights can be challenging if the structure and format of your risk information is hard to interpret.
Tools such as risk reporting dashboards populated with live risk information can help you more easily filter risk information based on risk category, impact and other categories, and so help you identify and develop connections between risks.
You can also consider more creative approaches, such as surveying relevant stakeholders to capture insight on underappreciated or unforeseen risk connections or creating scenario exercises simulating one or more risks to explore any potential domino effects.
In the first insight article of this two-part series, we focused on the ‘risk intelligence cycle’ and how its four stages — framing, data collection and analysis, interpretation and application of knowledge — provided a strong foundation for managing emerging risk.
By considering the questions above and ensuring your ERM approach answers them, your organisation can develop a process that incorporates:
Remember, there's no one-size-fits-all approach to identifying, analysing, monitoring and responding to emerging risks. Ensure you take account of your culture, experience, technological capability and colleague attitudes when designing or refining ERM frameworks and processes. A systematic approach reflecting best practice and the specifics of your organisation will help you deliver ERM that incorporates emerging risks to provide long-term value and organisational resilience.