Emerging risk

Emerging risks: how are businesses managing their blind spots?

22 min read

Jan 10, 2023

Organisations need to horizon scan – moving far beyond their
principal or material risks – to consider their uncertainties and
emerging risks. While managing “known” unknowns is
fundamental, forward-thinking firms will also have a framework for
their “unknown unknowns” as they strategise and build
organisational resilience.

Download the guide:
Emerging risks: how are businesses managing their blind spots?

As risk leaders focus on optimising horizon scanning to further enhance their organisational resilience, many will be asking the same question: how do I know what I don't know?

While this question seems impossible to answer, it has formed the basis of much debate among risk leaders in our membership, all of whom are striving to be better prepared - and more resilient - to the challenges posed by emerging risks.

Based on the shared knowledge and experience of risk managers in our network, this article presents a high-level overview of the key steps and initiatives businesses are implementing to identify, monitor and manage emerging risks. Just jump to the relevant section to get started.

1. What is emerging risk?

1. Emerging risk definition
2. What's the difference between emerging risk and principal risk?
3. Additional definitions that can be useful
4. Why are risk leaders placing such importance on emerging risk?
5. What are some of the top emerging risks businesses are monitoring today?

a. Emerging risk definition

Like any other risk to a business, an emerging risk can represent one of two things: a threat to the achievement of objectives, or an opportunity to meet (and even exceed) those objectives.

Further to this, an emerging risk also develops in areas where the body of available knowledge is weak. This may be a new risk that evolves in a context familiar to the organisation; a known risk that changes based on the development of new context; or a new risk altogether that the business has not previously considered or factored into the setting of objectives.

b. What's the difference between an emerging risk and a principal risk?

principal-risk-and-material-risk

Principal/material risks are typically those key risks that are currently being controlled and reported on – both internally to senior leaders and externally via the organisation’s annual report. Usually, these risks are very well known to the business and are factored into strategic planning processes.

Furthermore, businesses tend to set risk appetite for each of their principal/material risk areas and use key risk indicators to monitor whether they are exceeding the limits of their agreed appetite.

For emerging risks, which are not usually well known to the business, the same level of control cannot be applied. How can you control a risk if you are not sure how or where it will impact the business? Also, while many organisations highlight the key areas of emerging risk that they are monitoring in their annual report, this is not a requirement.

Over time, through monitoring and assessment by the business, an emerging risk can become a principal/material risk, at which point appetite may be set and greater controls implemented. For instance, if the risk is monitored for a period of time, during which the business is able to build a sufficient body of knowledge about the potential likelihood and impact of the risk, this may become material.

Until this stage though, businesses monitor emerging risks to see how they will develop. It is important to note that emerging risks can often be unpredictable, particularly those based around events that are external to the business.

c. Additional definitions that may be useful

Critical attributes
Tasks, capabilities, share of a market segment (or customer base) that are critical to the business achieving its strategic and operational objectives.

Disruptor
An unexpected change that could impact (either positively or negatively) critical aspects of the business.

Black swans
Unpredictable events beyond what was expected, often with severe consequences. They are rare but often there is widespread insistence that they were obvious in hindsight.

Grey rhinos
A highly likely, high-impact yet neglected risk or threat – a question not of ‘if’ but ‘when’. Can be categorised into changing (e.g., imminent regulatory change), recurring (e.g., financial crises), meta (systemic factors that affect ability to manage grey rhinos e.g., resources) and unidentified (a risk where the problem is not fully understood e.g., artificial intelligence).

d. Why are risk leaders placing such importance on emerging risk?

Most companies manage emerging risks to some degree, but because they are so uncertain and information is limiting, formalised emerging risks frameworks are uncommon or (if they do exist) lacking in sophistication. With this in mind, we've recently launched our Emerging Risk Maturity Model - a service that not only tells you where you are on a maturity scale, but benchmarks you against your peers and supports you with actionable steps for improvement.

A focus on managing emerging risks two or three years into the future – often driven by executive management worrying more about nearer-term, pipeline risks – could mean that those longer-term emerging risks on the horizon are ignored. Nevertheless, a business that is unprepared for what is coming over the horizon is unlikely to be an adaptable, resilient business.

Key reasons risk leaders are prioritising emerging risks:

Impact on company strategy – Depending on how far into the future a business sets its strategy, emerging risks will have varying impacts on what the organisation is trying to achieve. As a result, identifying emerging risks and keeping tabs on how they will affect business strategy (if at all) is key to ensuring that the business remains flexible for strategic development.
Meet expectations of internal and external stakeholders – Emerging risks are often linked to trends and narratives that are emerging around the world – in the news and online. While senior leaders invest time and effort into managing the business’s principal / material risks, investors will want to know that the organisation is keeping abreast of global trends. For example, does the business have a plan to deal with a growing variety of climate risks (regulations, physical risks etc.).
Mitigate and avoid operational disruption – Companies often prioritise principal risks over black swans and longer-term emerging risks, but these risks can significantly impact operations and cause severe losses – both tangible (financial) and intangible (reputational). It is therefore crucial that businesses identify these risks, assess their potential impact, and build them into relevant plans and frameworks – for example, in business continuity and crisis management plans. This will make the business more resilient overall.

e. What are some of the top emerging risks businesses are monitoring today?

Based on data from our Horizon Scanning Tool, which uses AI to identify trends in the emerging risks that organisations are reporting on, we have identified the top emerging risks of 2023 compared to 2022.

Top emerging risks 2023 vs 2022

Download a sunburst of the full data set.

Download

Trends:

Regulation - this remains the most reported emerging risk theme (as of the end of 2023). Of all the emerging risk themes reported under the Legal category in the Horizon Scanning Tool, Regulation accounted for 75% of them. Examples include environmental regulation (e.g. new legislation around sustainability reporting), financial reporting requirements and regulation relating to the use of A.I.
Geopolitical tensions - rising from fifth in 2022 to second in 2023, as a result of ongoing and escalated conflict in Ukraine and Gaza, and the effects of Brexit still filtering through to FTSE-listed businesses, geopolitical tensions is a significant riser on the top emerging risk themes. Other geopolitical risk factors include the rise of populism and nationalism, and increasing competition for resources.
Pace of technological advances - the speed at which new technology is being developed remains a top emerging risk theme for organisations, with almost a third of emerging risks reported under the Technology category aligning to the pace of technological advances. Key focuses in this area for organisations include the rapid digitalisation of operational technology environments and potential disruption, and the impact of automation on the workforce.

2. How do you identify and assess emerging risks to your business?

Determine critical attributes of the business
Identify disruptors to critical attributes
Leverage external stakeholders and outside expertise
Assessing emerging risks

a. Determine critical attributes of the business

Many organisations will identify, assess, manage, and control their material and principal risks against two core areas:

operational objectives – to maintain the ability to deliver products and/or services to customers
strategic objectives – to pursue opportunities and mitigate threats that could prevent the fruition of these goals.

Given the severity of losses that could surface from an emerging risk, it is also important to assess how emerging risks will affect the above areas.

One of the first key steps in identifying emerging risks is identifying the critical attributes to achieving both strategic and operational objectives. This should highlight potential disruptors and areas where the business is more vulnerable.

Some attributes that businesses may want to evaluate include:

Customer base - is the business reliant on selling its products/services to a particular demographic, and how critical is that to its long-term strategy?
Supply chain - how important is the business' supply chain in terms of delivering either products or services and which parts of this system are critical in achieving strategic or operational objectives in the long term?
Technology - are there key technologies and systems in use across the business that are critical to its operations?

Depending on the size of the organisation, risk functions typically select a limited number of critical attributes and work on linking them to their strategic and operational objectives. These attributes must be agreed upon by key stakeholders, documented, and clearly communicated to the business.

How mature is your activity surrounding the determination of critical attributes compared to your peers? Request to participate in our Emerging Risk Maturity Model.

b. Identify disruptors to critical attributes

Rather than focusing on the cause of an emerging risk, which could be hard to predict or out of the business’ control, more mature organisations are viewing emerging risks as disruptors to the critical attributes already identified, which makes any potential threat (or, indeed, opportunity) clearer.

In order to identify these disruptors, a comprehensive analysis of the emerging risk landscape – using a range of tools and techniques – is crucial. Also important to this process is:

finding people with the right organisational knowledge (senior, but close enough to the business to know it well)
sourcing data from a wide variety of stakeholders and sources.

There's more on the importance of external stakeholders' expertise in the next section.

Risk leaders are using the following methods to identify disruptors:

Reviewing megatrends
Global megatrends are macroeconomic and geostrategic events or changes that are shaping the world, ranging from climate change and the transition to renewables to the development of transversal technologies like artificial intelligence, big data and the metaverse.

By connecting megatrends to the specific context of an organisation, a risk manager can steer employees and senior leaders away from viewing the strategy of the business in isolation, emphasising instead how vulnerable – or robust – the business (and its objectives) can be to external factors.

Risk foresight planning
This technique can be used to look at different disruptors (and combinations of disruptors) and consider if the organisation is equipped to manage and respond to these in an agile way and if not, what could be the probable outcomes.

This sets the right tone for conversations with the business – during workshops, for example – and gets them to think about how those outcomes could impact them.

Foresight planning works by looking at the present (what is currently happening) and the future (what might happen), before working out a strategy to move between the two realities. More specifically, the aim of foresight planning is to expand the minds of participants and get them to imagine multiple futures, uncover blind spots and, ultimately, identify emerging risks.

Horizon Scanning Tool
Using Risk Leadership Network's Horizon Scanning Tool, an interactive database of the emerging risks that other organisations are reporting on, risk leaders are reducing the time they spend on collating an analysing external emerging risk data.

Read more about the Horizon Scanning tool and how it can save you time or request a demo with a member of Risk Leadership Network's team.

For an example of how the Emerging Risk Tool can be leveraged to identify emerging risks impacting a specific sector, with the tool covering all industries from retail to big tech, see our article on emerging risks and blind spots for digital companies.

c. Leverage external stakeholders and outside expertise

Risk leaders in our network agree that external subject matter expertise – for example, specialist industry knowledge – is a key component of an optimised approach to identifying emerging risks.

However, specialist knowledge may not exist within the organisation. Take the case of climate change, as an example. As highlighted in our Horizon Scanning Tool, climate change is one of the major emerging risks for companies in the past three years but a lack of understanding of the threats and opportunities that may arise from transitioning to clean energy, or deciding a suitable pathway to reduce emissions, could inhibit the business’ ability to identify the relevant risks.

Therefore, consulting with subject matter experts on the topic of climate change and energy transition – whether they operate in your sector or beyond – can help frame the issues at hand in a way that is clearer for the business.

Equally, it can be easy to develop tunnel vision if you only look internally for expertise on the different types of emerging risk that present themselves to businesses. An external perspective can help to overcome biases within the company and provide a second opinion that enables the business to look at emerging risk from a different perspective.

d. Assessing emerging risks

Once you have identified a range of emerging risks that could disrupt critical attributes of the business, the next step is to evaluate those risks and determine which, if any, could give rise to principal/material risk exposure. A key tip here, from risk leaders who have been through the process, is to focus more attention on the impact these risks could have, rather than how likely they are.

Given that an organisation will find it difficult to accurately define the likelihood of an emerging risk – remember, the body of available knowledge about these risks is weak – depending too much on an assessment of likelihood could leave you vulnerable. Also, bias is more likely to affect your assessment of likelihood than impact, making the former even less reliable.

In any case, no methodology for assessing emerging risks will ever be perfect and there is no one-size-fits-all approach. Furthermore, no risk leader or business can accurately predict the future to the tiniest detail. Instead, you may want to consider evolving your approach as new information becomes available.

2 techniques risk teams are using to assess their emerging risks

Stress-testing scenarios

How can you know whether an event or series of events that hasn’t occurred yet will affect your business? One way to assess the potential impact of a scenario is to stress-test it, which you can carry out via exercises in workshops. Key questions you may want people to consider include:

How will the scenario impact people in the business?
How will the scenario affect our technology?
What will the financial impact of the scenario be if the worst case happens?
Are there any positives for the business if this scenario occurs?

SWIFT analysis

The Structured What If Technique (SWIFT) looks to checklists, past incidents, and guidelines to address some of the “what if” questions above. By answering questions, the risk team can assess the likelihood, consequences and velocity of potential scenarios.

Featured resource:

Three ways to improve your emerging risk framework

This article explores three key activities companies are taking to improve their emerging risk framework, as laid out in our new Emerging Risk Maturity Model.

3. How do you monitor emerging risks and keep them under control?

Determine the correct indicators for emerging risks
Collect and use data to track the status of emerging risks
Review indicator thresholds regularly
Respond to triggers when activated
Set accountability for monitoring emerging risks

a. Determine the correct indicators for emerging risks

While key risk indicators (KRIs) may be used to inform a business that it is approaching the limit of its appetite for a certain kind of risk – before it can start to impact the business in a negative way – indicators for emerging risks work differently.

Instead of informing the business that it is moving beyond the limits of its risk appetite, an emerging risk indicator is a much earlier signal that suggests when a potential disruptor to the business is about to emerge as a material risk. These indicators should include much more sensitive triggers (or thresholds) that ensure there is enough time for the business to mount an effective response should that risk begin to move.

The first step is to establish a broad watchlist of different emerging risks that can be categorised and linked to the potential disruptors already identified (see previous section). While you may want to focus on emerging risks in the strategic category, as these will have a bigger impact on the long-term future of the organisation, lots of risk leaders’ watchlists also factor in some rapidly changing risks that could emerge at a high velocity.

When determining which indicators to use, you should approach each risk on the watchlist as requiring its own individual signal. To ensure they are useful, sit down with the relevant subject matter expert(s) in your organisation to determine which signals may be appropriate for monitoring that particular emerging risk – their insight will be valuable.

As mentioned in the previous section on outside expertise, bringing in views from other parts of the business and externally can also help to challenge viewpoints and make sure the risk is holistically understood.

b. Collect and use data to track the status of emerging risks

Once you have set your indicators and thresholds, how can you monitor these so that you know when they have been reached or even surpassed?

At this stage, you will likely want to identify sources of information which:

provide a balanced view of a situation
are updated regularly

In the case of the latter, a cost-benefit analysis may be required to determine whether a certain information source is worth using (for example, a subscription service, or hiring a third party to conduct analysis).

In most cases, sources of information used by businesses will provide qualitative and subjective data that is difficult to present on a standard likelihood-impact risk matrix. However, there are advanced tools such as natural language technologies that leverage AI to provide a more scientific view of the events taking place in a business’s external environment. For instance, as social media becomes increasingly powerful, natural language can be deployed to analyse a vast range of posts and gain updates on major events before they break elsewhere.

On the other hand, given that most of the data businesses collect will be qualitative in nature, there needs to be a simple repository in place for people across the business to document their observations. Without this, it is difficult to synthesise all the information generated about the different emerging risks facing the organisation.

For a summary of the key steps involved in the signal creation and monitoring process, see the diagram below.

signal-creation-and-monitoring-process

c. Review indicator thresholds regularly

The usefulness of any system or indicator that is not consistently reviewed will inevitably decline, so make sure to regularly assess whether the thresholds that have been set are still appropriate. For example, have the objectives of the business changed to the extent that emerging risks that may have impacted them before no longer will? Or perhaps the business has decided to pursue new ventures, which makes it more vulnerable to emerging risks?

Equally, the global context surrounding the business may have changed. This is particularly relevant to emerging risk indicators, as the availability of new information and fresh developments in a certain risk area will demand another look at the thresholds.

The other reason to review thresholds regularly is to determine whether they have been met. This may sound obvious but it is not uncommon for a business to stand up frameworks and then neglect them as priorities shift.

d. Respond to triggers when activated

Some organisations only define specific thresholds for certain signals, relying on internal expertise to identify when the limit has been reached for the rest, while others take a more comprehensive approach. In any case, there needs to be a plan in place when triggers are activated. One example of this is a three-pronged approach that covers a range of different responses: no-regret moves, optional moves and big bet moves.

emerging-risks-signal-triggers

In the approach visualised above, the executive committee make a decision and trigger actions before handing over responsibility to the strategic programme owners. These owners then follow the organisation’s governance framework around strategic and sub-strategic initiatives to operationalise the changes decided upon at the executive level.

Other organisations use their own escalation matrix to decide if action is required, usually considering both urgency and the degree of impact the event is likely to have on the business. This matrix is normally based on pre-agreed thresholds, which provide management with a sense of comfort and prevents the escalation of too many – or, indeed, not enough – emerging risks.

e. Set accountability for monitoring emerging risks

Ultimately, monitoring emerging risks won’t be effective unless people in the business – or, more specifically, risk owners – feel responsible for the emerging risks relevant to their department. It is not usually the default responsibility of the risk team – their role tends to focus more on highlighting relevant emerging risks to the board and facilitating discussion around them across different levels of the business.

It is advisable to attribute each risk on the emerging risk watchlist to an internal subject matter expert. Their responsibility should be made clear: as the risk owner, they must take responsibility for updating the business on any events or developments that may cause this emerging risk to become material to the organisation.

Featured resource:

How are the most mature businesses managing emerging risks?
This article explores how these organisations identify, assess and monitor emerging risks, based on our new Emerging Risk Maturity Model.

4. How should you report on emerging risks and use this to take action?

Integrate emerging risk into your risk reporting framework
Present information and data about emerging risks visually
Report on emerging risks externally
Use emerging risk reporting to make strategic decisions

a. Integrate emerging risk into your risk reporting framework

Most businesses will report to the board and audit and risk committee (ARC) on the impact of emerging risks, but few will drill down deeper to cover the consequences, causes and possible mitigations. According to our recent global benchmark, less than half of the companies we surveyed provide this level of detail.

emerging-risks-reporting

Moreover, our comparison of more than 50 companies, found that emerging risks featured less in risk reports to the board than in reports to the ARC.

This highlights an opportunity for many organisations to further integrate emerging risk into their risk reporting procedures. For instance, benefits include:

Improving engagement with the board and executives on emerging risk
Embedding the importance of organisational resilience in the minds of executives, as well as the agenda of the board
Allowing the business to be responsive to events on the horizon, rather than reactive once they arrive

The challenge for risk leaders is ensuring added value while avoiding information fatigue and overwhelming executives and the board with too much detail.

3 tips from risk leaders on how they've optimised their emerging risk reporting

1. Only include relevant elements in your report
If you have a watchlist of 10-15 different emerging risks, overloading the board with updates on all of them may not be a wise strategy. Not only will this take time, but most of the emerging risks won’t have changed in status and, as such, won’t be immediately relevant to the business. Instead, try to establish the value of monitoring emerging risks at a high level, focusing on a few that are currently showing a greater level of activity.

2. Place emerging risks in the context of business strategy
The board will be more interested in emerging risks if they are connected to the macro themes and strategic objectives of the organisation – for example, how will a particular emerging risk impact share price if no action is taken and is left uncontrolled? Emerging risk reporting should, first and foremost, drive action.

3. Be transparent about how the emerging risk framework works
While it may not be a good idea to cover every aspect of the emerging risk framework in minute detail, giving the board and executives a holistic overview of how the framework operates may help to demonstrate its value and alleviate any uncertainty. The risk team can also give the board a chance to ask their own questions about the emerging risks facing the business, so their concerns can be identified. Some risk leaders do this via group workshops, while others see value in conducting one-to-ones to allow executives a chance to be more open and avoid groupthink.

b. Present information and data about emerging risks visually

Demonstrating the status of emerging risks and their potential impacts in a visual way has proven a successful reporting technique for many risk leaders.

Risk radar
In the risk radar below, you can see how emerging risks have been integrated into the visual reporting of principal/material risks. Reporting will no doubt focus on those Tier 1 risks (those closest to the centre) but risk teams should refer to this radar in conversations with the board to ensure they are aware of the risks, who is responsible, and whether the risk trend is on the rise.
risk-radar-emerging-risks

Explore risk radars in our free download:
How to see what you don't see: a risk radar approach to emerging risk
Download now >>

Moodboard of risks
Another method to visually display the range of emerging risks is to create a moodboard. In the example below, external risks are plotted above the line to highlight that they come from outside of the business, while the associated responses or actions that spring off them are internal. You can also use a coloured key and different icons to visually categorise these risks.

emerging-risks-blog-graphs7

Although visuals alone won’t be enough to get the board and executives fully engaged with emerging risks, these techniques can enliven conversations on the range of threats and opportunities these risks present, boosting engagement with decision-makers.

Emerging Risk Maturity Model

Forward-thinking risk leaders are looking for ways to develop their emerging risk management processes and benchmark their maturity against other businesses. To support them in this mission, our Emerging Risk Maturity Model provides an iterative process for enhancing that maturity, regardless of their current level.

See how it works in this short video:

The Emerging Risk Maturity Model is available as part of membership to the Risk Leadership Service. But, for a limited time, we're inviting the emerging risk lead at large multi-national organisations in Europe, Australasia and the Middle East to participate in the self-assessment, in order to further enhance the benchmark for our members. Of course, you'll receive the benchmark report when you participate. Find out more and request to participate here.

c. Report on emerging risks externally

Although it is not a requirement for businesses to report on emerging risks externally (i.e., via their annual report) many companies do reference the emerging risks they are thinking about. Why might companies do this, even if they aren’t required to?

Organisations want their external stakeholders to feel comfortable in the knowledge that the business is considering risks that are developing but not yet material to the business. This is especially true if these risks relate to external factors already being reported in the news or online.
Equally, regulators, customers and the wider market may have eyes on the business. Making clear what the emerging risks are and how the business is managing them, gives these parties confidence that the organisation has plans in place.

Emerging risk topics are also covered by organisations such as the World Economic Forum (WEF) and European Commission. Referring to these documents may help you identify emerging risks you may have missed. Of course, we collate these emerging risk topics with many other sources in our Horizon Scanning Tool.

d. Use emerging risk reporting to make strategic decisions

Ultimately, risk leaders want their reporting to prompt action from decision-makers and guide changes in strategy.

Emerging risk reporting should be used to challenge assumptions that were made when the business initially outlined its strategy. For example, has a geopolitical event or growing reputational hazard shifted the expectations of the organisation, requiring an adjustment to its strategy? If your strategy is too restrictive and won’t allow you to change direction, this could affect the resilience of the business if the worst-case scenario should occur.

Instead of thinking strategy-forwards (setting goals and implementing a supporting action plan) emerging risks can be assessed to form potential scenarios and help you work backwards: if an event transpires in the future, will the actions you are taking now prepare you for it?

Although businesses can’t be ready for everything – especially black swans – reporting on emerging risks through this lens will ensure that your strategy is flexible enough to drive the business towards its objectives whilst being adaptable should a range of possible scenarios become a reality.

As part of this process, you can build in constraints that require senior leaders and the strategy function to think differently about how they would overcome a certain problem. For example, what if you lost a sizable portion of your customer base? Emerging risk assessment can help you form the basis of these questions and make the business more resilient.

We hope you've found this article a useful introduction to Emerging Risk. It contains just a fraction of the guidance and case studies put together through knowledge sharing with Risk Leadership Network's community. Take a look at our membership options to see how joining us could help you bring your risk management to the next level.

More on emerging risk

1. Download this article

2. Explore the Horizon Scanning Tool

3. Find out more about our Emerging Risk Maturity Model

4. View the top emerging risks of 2023 vs 2022

← How to boost risk appetite awareness across the business

How do risk leaders use scenario testing to prioritise emerging risks? →

Resources