These risks and their consequences are often described as emerging risks due to their velocity, uncertainty, complexity and impact – yet organisations identify and respond to them in very different ways.
This may change as organisations respond to the recent release of the first edition of ISO 31050 – Guidance for managing emerging risks to enhance resilience. With fresh regulatory standards and requirements either recently implemented or under consideration in the United States and United Kingdom, the management of emerging risks could evolve rapidly from 2024 onwards. The potential implications for risk leaders and boards should prompt organisations to look at their approaches to emerging risks and ask, are they fit for purpose?
Organisations use a range of different definitions for emerging risks, refined based on time horizons, risk tolerance thresholds, or tied to strategy deliverables. The WTW Research Network currently uses the International Risk Governance Council definition [1] for emerging risks: “a risk that is new, or a familiar risk in a new or unfamiliar context or under new context conditions (re-emerging). Emerging risks are issues that are perceived to be potentially significant but that may not be fully understood and assessed, thus not allowing risk management options to be developed with confidence that they will be effective.”
We also keep a watching brief on the definitions used by different organisations and changes in how they think about and respond to emerging risks. Variations in wordings are not a problem, so long as the activity they drive delivers value for the organisation. That starts with an understanding of where an organisation is in its risk maturity approach and appetite, and then forming an approach suited to the organisation’s capability, preferences, and overall risk framework. It also means going beyond risks to see the opportunities. Leading companies extend their emerging risks thinking into strategic change and innovation, connecting teams across their organisation.
The publication of ISO 31050 – Guidance for managing emerging risks to enhance resilience in November 2023 may prompt greater alignment of definitions for emerging risk across organisations. The overall aim of the document, though, is to provide guidelines for applying the ISO 31000 risk management process to emerging risks.
It will provide a reference for organisations seeking to foster best practice in the development of foresight and the delivery of insight to better understand emerging risks. With improved understanding, the guidance then aims to support organisations in making informed risk management decisions to enhance resilience and deliver value through integration and alignment with organisational strategy. Key content in ISO 31050 includes:
After several years deliberating reforms to audit and corporate governance, the UK government published draft regulations for consultation in July 2023, to come into force for any financial year beginning on or after 1 January 2025. The Financial Reporting Council (FRC), the independent regulator for audit and corporate reporting, was also consulting on complementary updates to the Corporate Governance Code, for implementation on the same timeframe. These included enhanced requirements for the management and reporting of emerging risks.
Whilst both sets of proposals have now been stopped and a new consultation is underway, they are still worthy of consideration for lessons they might hold for best practice in emerging risks management. So, what was under discussion for emerging risks? Two key aspects:
01
The UK government’s new regulations would have applied to companies with 750 or more employees and turnover of £750m or more, in any financial year. These criteria would have broadened the range of companies in scope for the updated and strengthened reporting requirements.
Following consultation with industry, which raised concerns about imposing additional reporting requirements, on 16 October 2023 the UK Government withdrew its draft regulations [2]. This led the FRC to announce that it would narrow the scope of its update to the UK Corporate Governance Code [3]. The FRC will now take forward only a small number of the original 18 proposals set out in the consultation and it is not clear whether this will include the enhanced emerging risk requirements. To find out we will have to wait until 24 January 2024, when the FRC now aims to release the updated Code.
02
The FRC first introduced emerging risks reporting in 2018. It required companies to report “emerging and principal risks” [4] but it did not provide a definition – something that was under discussion in the 2023 consultation on a revised Code [5]. The proposed changes would have required companies to:
There was an emphasis on the importance of the risk assessment being a continuous and dynamic process rather than a one-off exercise during the year.
Aside from the potential for lessons and insights to improve best practice, the prudent risk manager may still wish to explore routes to compliance with the FRC consultation proposals. They could yet be incorporated into either the updated UK Corporate Governance Code or the UK government’s alternative options for legislation.
Renewed regulatory appetite for organisations to clarify and standardise risk reporting is also driving change for emerging risks in the United States. From 2005 the Securities Exchange Commission (SEC) required firms to disclose “the most significant factors that make the company speculative or risky” [6]. From the outset there was a lack of certainty around whether emerging risks should be included in disclosures and concerns that the vague wording might give rise to “boilerplate…cover all bases” risk disclosures [7]. In 2020 the SEC introduced new rules [8] to:
Interpretations of these new rules are still developing and for now emerging risks remain an area of uncertainty. The term “material risks” still presents ambiguity for the treatment of emerging risks, but should prompt forward-looking organisations to consider their materiality. The requirement for “risk headings” does not specify the headings or a taxonomy that companies should use. However, some of the most sophisticated submissions under the new rules employ a structured risk taxonomy linked to the firm’s Enterprise Risk Management approach [9]. As approaches to the new regulations mature, it is likely more firms in the US will need to refine their risk taxonomies. But for now, it seems they will have scope to decide for themselves whether emerging risks will be a valuable risk heading.
Regardless of future regulation, organisations at the cutting edge of risk management already report the benefits of implementing processes similar to those proposed by the FRC, and the release of ISO 31050 is only set to widen the adoption of emerging risk management.
Whilst the arrival of new frameworks and regulations should reduce uncertainty in the long term, it will not suddenly mean one size fits all: implementation will and should continue to vary according to the individual needs of organisations. This comes back to the question of the value of emerging risks management internally to organisations and the importance of a coordinated approach that supports decision-making. Regulation aside, successful emerging risks management should give leaders insights and actions that deliver advantage against competitors.
Over the coming months the Emerging Risks hub will share some of our internal work on approaches to emerging risks, from the integration of new data sources and analytics with expert judgement to the development of scenarios and the importance of effective risk communication. Also on the horizon for us is the next iteration of our Emerging and Interconnected Risks Survey, which will aim to drill down into these themes and bring new perspectives to new and familiar risks.