Emerging risks are characterized by their newness, insufficient data, and a lack of verifiable information and knowledge needed for decision-making related to them. As these risks can develop with the potential for large threats and opportunities, appropriate management of emerging risks should be established as a part of an organisation’s risk management. It should include changes in circumstances or conditions related to multiple aspects of the organisation’s external context and the implications for its internal context.
But how should organisations go about practically doing that? In our latest insight article we share thoughts on the recently released ISO 31050 Guidance for managing emerging risks to enhance resilience.
Perhaps the most significant contribution of ISO 31050[1] is the introduction of a “risk intelligence cycle for emerging risk,” designed to detect changes in the external environment and then build understanding of how they could impact the organisation’s processes and objectives. The language used to describe the cycle is highly abstract: an inevitability, perhaps, given the breadth of tangible and intangible factors that drive emerging risks.
Effective implementation of the proposed cycle requires determined focus on the ultimate output: applied knowledge to drive decision-making for strategy. But again, strategy is a broad topic: specific contributions are required to make emerging risks meaningful. The primary component of strategy that the applied knowledge from emerging risks intelligence should feed is organisational resilience. Emerging risk intelligence should provide the foresight needed for the organisation to prepare:
Building foresight starts with thinking about the data and information you need to capture. Imagine you are a General preparing to defend your terrain against an attack by an enemy army. What do you need to know? And how are you going to find out?
As a General, you need to look across the “strategic, tactical and operational” and “continually scan to collect, analyse and interpret data, information and knowledge…that occur within a context that is often characterised by unpredictable volatility, a high degree of uncertainty, network complexity and rapid rates of change”. And even then, you will need to be mindful that the “data can be unavailable, limited, inconsistent, inaccurate or false”. Or at least, those are the recommendations for all organisations in ISO 31050.
So, back in your command post, as a General, what do you need from your headquarters team? You need to employ “systems that can gather and interpret data about capabilities, possibilities, changes and trends in the external context” as they relate to your “organisation’s objectives”. If you are looking to “obtain the best available information on which knowledge can be gained and shared and communicated as intelligence,” then the clue is probably right there. It’s time to catch up with your intelligence department.
They should be able to advise not just on “the systems that can gather and interpret data” but also the information requirements based upon your “organisation’s objectives” and “trends in the external context”. But to give initial advice and then meet your requirements, the intelligence team needs a framework to guide their activities: this is often referred to as the “intelligence cycle”.
The “risk intelligence cycle for emerging risk” proposed by ISO 31050 comprises “two interconnected iterative cycles”: an “external cycle” and an “internal cycle”. The “external cycle” consists of “continual scanning across multiple aspects of the organisational context” for changes that can “signify an early warning or an indicator” of threats or opportunities to organisational objectives.
The WTW Research Network is one of our key sources of external intelligence to share with clients, as not all organisations are able to maintain a network of 60+ partners across academia and thinktanks. Many of our insights and research papers on topics ranging from climate to people risks are shared on our website, as is our Geopolcast podcast series which explores a broad spectrum of geopolitical topics and brings together expert analysis and actionable insights.
ISO 31050 explains how early warning indicators can then become data sources to systematically track “identified changes in context,” once there is “the knowledge necessary to assign values to the measurable elements of emerging risk characteristics, including consequences and likelihood”. This provides the foundations for monitoring and review as would be implemented for any other risk, in accordance with ISO 31000.
Those “weak signals” of changing external context provide inputs to the four stages of the “internal cycle”. This begins with:
This then proceeds through the steps of:
And then finally:
The new ISO guidance provides a framework that must then be customised to meet the unique situation and needs of individual organisations. Some may find themselves in a situation like that of the military General, leading a large workforce through a volatile and ambiguous environment, requiring a dedicated intelligence team to provide constant support. Others will be operating in more stable conditions, or perhaps at a smaller scale, with a much lower requirement or capacity to consider emerging risk. Whether your organisation has a dedicated team or only the capacity to consider emerging risks for a couple of hours every six months, there will be tangible benefits to resilience and competitiveness from implementing an appropriate emerging risks framework.
Working to a range of appropriate time horizons is an important component of this. Many people associate emerging risks with dedicated “futures teams” and “horizon scanning” in large organisations. Whilst this will be an important aspect for some organisations, it should be noted that emerging risks do not automatically mean extended time horizons. Unexpected risks and opportunities can present at short notice not just on the peripheries of organisational outputs but in core areas, approaching with a velocity that can overwhelm the underprepared.
Organisations running appropriate emerging risk management processes, calibrated at an appropriate cadence, can identify these risks and respond at the earliest opportunity, building the resilience to survive and the agility to thrive. On the horizon for us as a key component of the risk intelligence cycle is the next iteration of our Emerging and Interconnected Risks Survey, which will aim to drill down into these themes and bring new perspectives to new and familiar risks.