Article | Managing Risk

Navigating emerging and interconnected risks: A blueprint for resilient strategies

Are complex organizations resilient and ready for the future?

By Jennifer Caldarella and Lucy Stanbrough | April 29, 2024

The world is changing at a rapid pace, regulators and shareholders are adding to governance requirements, and you may be coordinating actions across multiple business models, markets and time zones.

Polycrisis[1]. Unprecedented. Historic. Extreme. These are just some of the headlines entering the inbox of every organizational leader. The world is changing at a rapid pace, regulators and shareholders are adding to the governance requirements, and you may be coordinating actions across multiple business models, markets and time zones.

With the world’s largest 100 companies responsible for $17.7 trillion[2] of revenue, the value at stake from the wrong action – or worse, inaction – requires shared understanding and a unified strategy. It is not surprising that the world’s biggest companies are paying renewed attention to how they can identify the emerging trends driving the cascade of risks and opportunities, to explore how these will not only impact their risk framework, but also be forces for growth.

Risks and opportunities

Artificial Intelligence (AI) stands as a current siren lure, with projections suggesting generative AI could create $13 trillion in economic value[3] and a clear call to businesses: Evolve with AI or risk falling behind. History is littered with examples ranging from organizations missing opportunities to pivot business models to the failure of boards to engage with important risks, such as risks to reputation and ‘licence to operate’, to the same degree that they engage with reward and opportunity. Nobody wants to be the next Blockbuster and experience the disruption of their business model, something that could have been avoided by stretching the imagination to the plausible futures their rivals saw.

The urgency to respond to multiple internal and external stakeholders can prevent organizations from looking beyond and above their most immediate challenges. A comparison of the 2007 annual reports from today’s top 10 Fortune 500 companies will reveal that only one mentioned the word ‘pandemic’. In 2022, pandemic was in the top 10 risks of all 10, some with entire sections dedicated to it. What has changed since then? Experience. The return periods for a pandemic didn’t change. The data was always there that another pandemic could occur, but that data wasn’t personally available or recent.

And looking forward, the risk of pandemics hasn’t gone away just because we’ve experienced one recently. Researchers modeling future pandemic risk believe there is a 47% to 57% chance of another global pandemic as deadly as COVID-19 in the next 25 years.[4]

A smarter way to risk

Reviewing emerging risks and being future-ready is about more than maintaining a risk register, or scoring acceleration, impact and severity. Harnessing the full potential of emerging risk thinking means adopting a risk maturity approach able to build partnerships across business functions to empower risk knowledge and ‘buy in’. Just as no risk operates in isolation, leaders increasingly need to have a wider understanding of impacts beyond their function.

Chief executive officers, chief risk officers, chief human resources officers, chief technology officers, chief operating officers, chief strategy officers and chief financial officers need a shared lexicon and approach that can bring risk management decision making and financial priorities together. For example, emerging risks around intellectual property (IP) could have touchpoints across the organization:

  • Employee experience and how engaged employees are in the company culture can feed into risk management and mitigation.
  • The technology and governance choices can influence how IP is baked into innovation and procurement.
  • Having a finance-led view of the risks and opportunities of intellectual property can support decision making on how to protect investments, from accessing alternative capital to transferring risk to insurance markets.

A collaborative approach enables you to provide a holistic view of risks, helping leaders and risk owners fuse qualitative appreciations of the future into modern approaches to quantitative risk management. When you embed risk management through working with other business functions, you’re more likely to address their risks and uncertainties proactively rather than reactively.

This evolving situation necessitates a pivot toward not just recognizing but actively preparing for a wider array of risks. Research suggests that organizations that have invested in building corporate foresight units outperform the average, with 33% higher profitability and 200% higher growth[5]. There is value in thinking backwards to learn from history, and forwards to embrace collective futures.


We asked our industry and risk leaders for their most interesting emerging and interconnected risks that leaders should take back into their organizations and ask “how are we understanding and taking action on this source of emerging risks?”:

$4.45 million to $5.2 trillion gap. How are we preparing for current and future cyber risks?

The cyber landscape is shifting again. Today, IBM estimates the global average cost of a data breach in 2023 was $4.45 million, a 15% increase over three years[6].

Average figures hide a diverse range of impacts.

The World Bank estimated that globally, from 2019 to 2023, approximately $5.2 trillion in global value was at risk from cyberattacks. Every month 10.5 million records are lost or stolen, an estimated 438,000 every hour.[7]

These events can have very real impacts for complex organizations, with wide ranging risk sources, and complex causes and consequences that require a holistic framework and risk approach. A key example of these lessons over time includes the experience of a global hotel chain.

In 2018 they announced that hackers had stolen approximately 500 million customer records. The attackers had gained unauthorized access into a company acquired by the hotel chain in 2014 and remained in the system. The access was not discovered until 2018, and the hotel chain was fined £18.4 million for a personal data breach by the U.K. Information Commissioner’s Office under the General Data Protection Regulation (reduced from £99.2 million). Wider impacts at the time included recovery costs, reputational damage from the loss of customer confidence, and legal ramifications through class-action lawsuits raised by those impacted.

In 2022, a further 20 gigabytes of data were stolen through social engineering of an employee to gain access to his or her account — a different method of attack that enabled a different way in.

When organizations experience events, a need arises to think beyond single solutions and risk pathways to ensure resources can support wider resilience.

Key lesson

Those cyber risk numbers only consider today

There is a need to think forwards: with the influx of consumer generative AI programs, such as Google’s Bard and OpenAI’s ChatGPT, the generative AI market is poised to explode.

Bloomberg Intelligence suggests it will grow to $1.3 trillion over the next 10 years from a market size of just $40 billion in 2022[8].

As the technology evolves at a rapid pace, governance efforts will be critical, especially as AI developers are grappling with the risks inherent in their training data. Every part of your organization will also need to consider the knock-on effects – cyber risks being one of them.


28 $1 billion events in 2023. What range of losses are assets exposed to across geographies we operate in? How are we thinking about a year of compounding events?

In 2023, the National Oceanic and Atmospheric Administration calculated the U.S. alone had experienced 28 events with losses exceeding $1 billion, well above the average since 1980 of eight events per year and the average for the past five years of 18 events per year. In the U.S., insurers saw the costliest severe convective storms (SCS) year on record, with total claims exceeding $50 billion[9].

Secondary peril losses, primarily severe convective storms in the U.S. and Europe, contributed substantially to the year’s insurance claims, underscoring their growing influence, with cumulative losses outstripping those caused by a season of hurricanes.

Other natural catastrophe perils also set new records, which have knock-on impacts for insurers challenging their own views of aggregations, as well as risk leaders who are taking a second look at the extent of their physical footprint. In 2023 Canada experienced its most extensive wildfire season on record, with 17.94 million hectares burned.

The scale of fires saw the Canadian government close several roads across Quebec, with many companies having to curtail their operations. As wildfire risk increases, a multifaceted approach will be needed that combines early forecasting and anticipation of wildfires with robust infrastructure, effective communication, adaptable policies and consideration of nature-based solutions.

Key lesson

Events once thought rare are becoming more likely or occurring at scales previously not seen …

The historical record alone does not capture the full range of potential risks. By examining what-if scenarios through scenario testing, organizations can gain insights into potential vulnerabilities and develop strategies for a more resilient future. Creating an accurate representation of risk requires a necessary bias check to ensure the impact of recently experienced risks does not shadow those on the horizon. This might include external partnerships — whether board advisors or links with academia — whose role is to challenge your assumptions and add to your knowledge pool.


$57 trillion or 4.1 billion geopolitical shifts. What insights are we using to shape our understanding of geopolitical risks?

The year 2024 is set to be what the Economist and Time called at the start of the year “the biggest election year in history,” with national elections scheduled in at least 64 countries plus the European Union, representing 4.1 billion people — close to half the global population (49%) — and an estimated $57 trillion of global GDP. By April that number was 83 national elections in 78 countries,[10] which is indicative of the way that politics can rapidly ebb and flow. Many will prove consequential for years to come, with potential impacts including social stability, reshoring/offshoring, regulatory change and international investment shifts.

Recent research by WTW and Oxford Analytica, published in the WTW Political Risk Index, suggests that geopolitical alignments are shifting rapidly. Inevitably, changes of government are an opportunity for dramatic geopolitical realignments. Investors tend to abhor uncertainty; in some ways, predictable adverse developments are preferable to not knowing the future, which makes it hard to calculate future returns. And 2024’s elections will bring their fair share of uncertainties, making it more important for organizations to question what sources of information they can call on to ensure they are informed of the wide-ranging impacts of geopolitical risks.

Key lesson

Effective leaders are factoring geopolitical trends into their intelligence monitoring to identify opportunities for growth, while preparing to act quickly and decisively when events occur.

WTW’s Geopolcast provides a thought-provoking discussion of the world’s most pressing geopolitical issues through expert interviews. When discussing risk and strategy, there is a strong role for different perspectives, from external views to considering your own workforce intelligence. Your people are often an untapped view of risk – often dealing with the operational realities of strategic decisions – and can very quickly point at risks and opportunities.


Taking action and finding your path

There is no shortage of approaches that large and complex organizations are using to tackle these challenges. However, there is no one-size-fits-all approach to identifying, analyzing, monitoring and responding to emerging risks. Organizations should remain aware of this and ensure they take account of their culture, experience, technological capability, and colleague attitudes when designing or refining an approach.

How are leading organizations addressing their risk portfolio and financial impact while balancing emerging risks?

Addressing their risk portfolio and financial impact

Through sophisticated risk management strategies to address their risk portfolios and mitigate financial impacts while also considering emerging risks.

  1. Comprehensive risk assessments
  2. Diversification
  3. Stress testing
  4. Scenario analysis
  5. Risk transfer
  6. Continuous monitoring and review
  7. Collaboration and partnerships

Optimizing risks and what levers/tools/resources

Adopting a proactive, data-driven, and integrated approach to optimizing risks, leveraging a combination of strategic, technological, and organizational levers to enhance their resilience and value creation potential.

  1. Integrated Risk Management (IRM) frameworks
  2. Embracing innovation: Data analytics and Artificial Intelligence (AI)/Machine Learning (ML)
  3. Risk quantification and measurement
  4. Scenario planning and stress testing
  5. Risk transfer and hedging strategies
  6. Crisis management and business continuity planning
  7. Governance and compliance frameworks
  8. Collaboration and partnerships

Analyzing changes and influences of emerging risks

Leading with a proactive and multi-faceted approach to analyzing changes and influences of emerging risks on their organizations, integrating insights from diverse sources, disciplines, and stakeholders to enhance their risk intelligence and resilience in an increasingly uncertain and dynamic business environment.

  1. Environmental scanning/threat intelligence/horizon scanning
  2. Scenario analysis
  3. Risk workshops and brainstorming sessions
  4. Risk assessments and heat mapping
  5. Expert interviews and Delphi method
  6. Data analytics and early warning systems
  7. Partnerships and collaborations

WTW believes that a truly effective approach should start with establishing and understanding your risk tolerance. This step allows you to identify those emerging risks that can breach this tolerance level and need mitigation, both financial and organizational.

At the core of these approaches is the need to understand what we mean by emerging risks

Organizations use a range of different definitions for emerging risks, refined based on time horizons, risk tolerance thresholds, and strategy deliverables. The recent release of the ISO 31050 – guidance for managing emerging risks to enhance resilience – marks a pivotal moment in the management of these risks at a time when new regulatory standards and requirements are being implemented or considered.

If definitions can vary, what are emerging risks? To quote directly from ISO 31050, they can cover a series of characteristics:

Emerging risks can include, for example:

  • Risks arising from unrecognized changes in organizational contexts.
  • Risks created by innovation or social and technological development.
  • Risks related to new sources or previously unrecognized sources of risk.
  • Risks from new or modified processes, products, or services.

Source: ISO 31050

This is a useful starting point, but organizations may wish to simplify this further to make the language clearer and more accessible. An organization could choose to view emerging risks as:

  • Circumstances that materially change the profile of risks we’ve already spotted.
  • Circumstances that lead to new risks we hadn’t previously spotted.
  • Circumstances that cause two or more risks to combine, happen simultaneously or create a domino effect.

In asking whether your existing approach deals with these risks and opportunities appropriately, an organization may wish to consider three challenge questions:

  1. How do you identify and manage emerging risks?

    The importance of building an emerging risk process and linking it to the business model probably cannot be emphasized enough. That includes the lens of opportunity. Reviewing emerging risks is also about considering your competitive advantage and gathering insights into new market opportunities, customer needs, and technological advancements, as well as staying ahead of regulatory developments, compliance requirements, and industry standards that could impact your operations and reputation.

    Action: Instigate a horizon scanning regime that extends beyond traditional boundaries, such as a focus on new legislation or financial reporting standards. By asking the question, “What’s new and what does it mean for us?” regularly, new risks and opportunities may become apparent far earlier. By examining what-if scenarios, organizations can stretch their imaginations to gain insights into potential vulnerabilities and develop strategies for a more resilient future. Wargaming is one way of bringing this to life, because the game will focus on risks, but also on actors playing on their competitive advantage - for a more realistic view.

  2. What is your biggest concern in the current and future environment?

    Given the pace of change in our internal and external contexts, truly ‘new’ risks are increasingly likely. An important element of an effective emerging risk process is the ability to spot these risks in good time, and to plan and prioritize a response appropriately given the varied risk profile the organization is likely to have. For complex organizations made up of multiple industries and business models, being able to tap into those views is a way to harness a horizon scanning network, and create a holistic view of risk. But risk insight must drive decision-making and strategy. ISO 31050 now offers a standardized framework for translating foresight data into risk intelligence that can be integrated into existing risk management processes.

    Action: Risk management is at the core of corporate governance as it is critical for creating a sustainable, resilient organization. Organizations that embed emerging risks thinking into their approaches can harness those values. That might mean taking a fresh look at existing data sources such as your claims; challenging the risk dimensions your organization tracks; or keeping pace with the latest thinking across science, academia, think tanks and the private sector. This is the approach our WTW Research Network uses to identify risks and improve their understanding and quantification for the benefit of our clients and society; we find that looking left and right and at what other industries are considering can bring fresh understanding to your challenges.

  3. To what extent do you consider the interconnected nature of emerging risk when formulating plans to respond to your top concerns?

    Traditional risk assessment frameworks frequently use statistical methods and techniques to identify and isolate historical trends in the trigger, magnitude or frequency of an individual hazard. While this captures the risk one hazard at a time, it does not adequately capture the risk associated with connectivity, whether that’s co-occurring, compound or cascading hazards. If something goes wrong and exceeds organizational resilience, it's rarely the tried and tested area of individual risk with numerous tightly defined controls and scenarios. It's usually either about interconnected risks or scenarios just beyond the imagination.

    Action: A structured approach to consider interconnectivity between risks can provide a foundation for shared understanding between stakeholders. Registers have their place but additional value can be added through challenge perspectives, such as the view in Figure 1 of a list of top 25 risks, where respondents were asked for their top three combinations of risks of concern. This approach can be used to bring unseen/unappreciated risk dependencies to the surface, encouraging collaboration across business functions, and to enable an elevated risk governance regime that offers the business a repeatable, but necessarily flexible, means of outsmarting complex risk connections.

An image of a coloured wheel with spokes showing connectivity between different types of risks.
Figure 1. Challenging interconnectivity

Consideration of emerging risks is essential for a truly effective strategic approach, which provides long-term value; accordingly, organizations should seek to ensure they give emerging risks in all their guises sufficient consideration and attention when building, enhancing, and implementing strategic frameworks and processes.

In the face of global change, there has never been a better time to challenge your emerging risk approach. Are you prepared against the risks and opportunities coming your way and ready to seize the advantage?

Footnotes

  1. Covid-19, climate change, armed conflicts: world’s crises can lead to interconnected polycrisis.
  2. The 100 largest companies in the world ranked by revenue in 2023.
  3. The transformative role of AI for development data.
  4. The Next Pandemic Could Come Soon and Be Deadlier.
  5. Corporate foresight and its impact on firm performance: A longitudinal analysis.
  6. Cost of a Data Breach Report 2023.
  7. Cybersecurity Multi-Donor Trust Fund.
  8. Generative AI to Become a $1.3 Trillion Market by 2032, Research Finds.
  9. Natural Catastrophe Review July - December 2023.
  10. All the Elections Around the World in 2024.

Authors


Corporate Risk & Broking, Managing Director & Leader, Global Large Account Strategy

Head of Emerging Risks and Business Engagement
