Strategies for handling emerging risks in line with ISO 31050

What are emerging risks, what are their characteristics, how do they develop, and how can you manage them effectively and efficiently? Learn about these topics and more below.

Introduction

As part of risk management in organizations, it is increasingly important to include the management of emerging risks, which must be proactively identified and characterized taking into account changes in the internal and external context of the organization. 

ISO 31050, published in October 2023 by the International Organization for Standardization, is a guide for the management of emerging risks to improve the resilience of organizations. 

This ISO standard complements ISO 31000 by providing guidelines for applying the general risk management principles and process to emerging risks, which require a proper understanding of the organizational context aspects. 

Like other ISO standards, ISO 31050 is applicable to any organization and can be customized to suit different contexts and realities. 

Here are some of the benefits of implementing it:

  • Greater awareness, which helps decrease the likelihood of failing to anticipate emerging risks that may be faced.
  • Early recognition of emerging risks and a higher level of preparedness and resilience.
  • The ability to disseminate data in a timely manner and share information among stakeholders.
  • Alignment of actions on emerging risks across all aspects of the organizational context.

Below you will learn about emerging risks, their main characteristics, their development and their management based on the ISO 31050 guidelines, which apply the ISO 31000 process. You will also understand the relationship between emerging risk management and organizational resilience.


What are emerging risks?

Emerging risks are those risks that are unknown or have not been considered by the organization and that may arise from the different changes that occur in the organizational context, for example, social, political, economic, environmental, technological, legal and even ethical factors.

These types of risks may also arise from organizational relationships and aspects of internal governance, culture and business activity, such as new or modified processes, products or services.

According to ISO 31050, the nature of emerging risks may include:

  • Risks that have not previously been recognized or experienced by the organization.
  • Known risks in a new or unfamiliar context where existing information and knowledge is insufficient.
  • Systemic risks, i.e. risks that may threaten fundamental societal systems such as infrastructure, health services and telecommunications. These risks range from local to national and global.
  • Risks that evolve significantly. 

Main characteristics of emerging risks

Taking into account ISO 31050, emerging risks are characterized by:

1. Insufficient data, information, and adequate, verifiable knowledge to support decision-making

This means that understanding of emerging risks is often influenced by individual assessments, cognitive biases, group dynamics, erroneous data, or incorrect interpretations that prevent a reliable assessment of probabilities and consequences.

However, it is important to consider that as these risks evolve, more data will also be collected and interpreted about them, generating more knowledge that will allow organizations to identify them and make better decisions about their potential consequences.

2. Uncertainty, complexity, and volatility

These characteristics are related to rapid and unpredictable changes in the context of the organization, people, systems, or processes, the variability with which they may occur, and the implications or impacts they may have. They are also related to the instability of the data and information available on these risks.

3. The time dimension

This relates, among other elements, to the speed with which changes occur in the organizational context and the pace at which an emerging risk develops. It also relates to the time that elapses before the necessary information is available to understand and manage these risks.

Although the above characteristics are not necessarily applicable to all emerging risks and are not exclusive to them, it is essential to be aware of them and consider them when managing them.

How do emerging risks develop?

The first thing to know about the development of these risks is that the appearance of signs or indicators of change in the organization's external or internal context is an indication of a potential emerging risk. 

Therefore, as indicated in ISO 31050, it is essential to constantly monitor the changes that occur in any aspect of the organizational context, collect and analyze data on these changes on an ongoing basis to determine their importance in any element, and, from there, develop scenarios. 

Doing this, as well as being able to rely on other relevant data, is key to gaining greater clarity and a better understanding of the identified situations and potential emerging risks. 

Even so, when there is little knowledge or experience of these risks, data may generally be limited, ambiguous, inaccurate, or false. As the standard indicates, interpreting data into verifiable information for decision-making should focus on reducing significant uncertainties.

Examples of sources of emerging risks

Among others, some changes that may occur in the context and may generate emerging risks for an organization are:

  • Extreme weather events include heat waves, cold waves, torrential rains, tropical cyclones, and prolonged droughts. 
  • Beyond the opportunities they offer to organizations, new technologies such as the Internet of Things (IoT) also represent threats related to network and data security, system malfunctions, and malicious attacks by cybercriminals.
  • Antimicrobial drug resistance occurs when microorganisms such as bacteria, viruses, fungi, and parasites change over time and drugs become ineffective against them. This resistance, in addition to hindering the treatment of infections and increasing the spread of disease, can result in human and economic costs. 
  • Climate change transition risks arise as society and organizations try to adapt to the reality of climate change and take action to reduce greenhouse gas emissions. An example of these risks is the emergence of assets that, due to changes in policies and regulations, become obsolete, such as diesel automobiles.
  • Social changes, political polarization, economic crises, and technologies such as artificial intelligence or the extensive development of cognitive computing are also examples of changes in the context that may favor the appearance of emerging risks.

How to manage emerging risks?

Today, managing emerging risks should be a priority for all organizations because, among other advantages, it enables the development of current operations and service delivery while preparing for future risks. 

The management of emerging risks is based on applying the principles and management process of the ISO 31000 standard.



These eight principles are fundamental to the effective and efficient management of emerging risks:

1. Integrated. Emerging risk management must be an integral part of the organization, including all processes and procedures.

2. Structured and exhaustive. Refers to applying an agile approach to data collection and interpretation for decision-making. This approach should allow coherent identification and communication of emerging risks. 

3. Adapted. Both the risk management framework and the risk management process must be adapted and reflect the characteristics of emerging risks, such as volatility, uncertainty, complexity, and ambiguity; it must also be related to the organization's mission, objectives, and strategies.

4. Inclusive. Stakeholders should be identified and engaged with emerging risks. It is important to do this in an appropriate and timely manner to improve knowledge of the context and emerging risks that may affect the organization.

5. Dynamic. Refers to the organization's ability to anticipate, detect, and respond in a timely manner to changes, as well as having sufficient flexibility in managing emerging risks.

6. Better information available. In the absence of background and relevant information for the assessment of emerging risks, it is essential for the organization to ensure continuous data collection, verification, and analysis to obtain valuable information on these risks for decision-making.

7. Human and cultural factors. The information on emerging risks can influence the culture and behavior of the organization's personnel, so it is necessary to value the contributions of internal and external experts.

8. Continuous improvement. The management of emerging risks must favor the generation of new opportunities, learning, and experiences for society and companies, and continuous improvement is key to making this management effective and efficient. 

This improvement includes, for example, the constant collection of data, the transformation and exchange of information, and the development of new and better knowledge.


ISO 31050 specifies that for the management of emerging risks, the ISO 31000 management process should be applied:

Communication and consultation

The organization should identify the different stakeholders, both internal and external, and establish means of communication with them, as they may be involved in different elements of the management of emerging risks. 

The collaboration of stakeholders, e.g., partners, suppliers, experts, regulators, consumers, the media, and the general public, is very helpful in identifying emerging risks and providing ideas and perspectives for their management. 

In addition, communication and consultation are essential for rapid decision-making in relation to emerging risks.

Scope, context, and criteria

With respect to scope and context, ISO 31050 indicates that the organization must consider multiple aspects of the context in which it operates, since sources of risk may arise, for example, from the relationships, interactions or interdependencies it has with social, geopolitical, environmental, economic, technological, legal and ethical factors, as well as from internal governance, cultural and operational aspects of the business. 

The standard emphasizes that it is essential to have broad and deep contextual information for the effective management of emerging risks. This means going beyond the current context and considering changes and trends that may become risks; these changes may be gradual or rapid, and it is important that they are evaluated at both the operational and strategic levels.

As for the criteria, ISO 31050 indicates that the organization should establish simple rules to determine the importance of an emerging risk. However, generally, these rules are not easy to apply due to the lack of data, complexity, or ambiguity of the available information. 

Therefore, the standard recommends taking into account other aspects, for example:

  • The perceived probability that a particular situation will occur.
  • The speed at which changes in the context occur.
  • The time scale in which the consequences may occur. 
  • Feasibility of controls.
  • Opinion of the different stakeholders.

Assessment of emerging risks

This stage of the emerging risk management process, based on ISO 31000, consists of:


1. Identification of emerging risks

Emerging risks, in general, are difficult to recognize and describe. Changes in the context are what help to shape this type of risk, which, as we have seen, can arise from sources such as political and economic pressures, and social, environmental, and technological changes, among others. 

Therefore, beyond applying a structured approach to identifying emerging risks, ISO 31050 recommends using other methods or techniques and sources of information to help complete the identification of these risks. 

In this regard, the organization must:

  • Conduct a constant and thorough investigation of the context in which it operates, using different useful methods or techniques to identify changes and possible emerging risks. 
  • Seek to identify emerging risks at the strategic level and throughout the organization.
  • Consider and analyze trends that may generate new risks and describe sources of risks and possible scenarios associated with them. 
  • Actively seek and pose scenarios with possible positive and negative outcomes.
  • Identify emerging risk indicators that serve as an early warning of consequences or new opportunities that are appearing. 
  • Constantly review data to update risk descriptions as more recent information becomes available.

2. Analysis of emerging risks

The objective of the analysis is to understand the risks so that informed decisions can be made, e.g., whether the emerging risk is significant to the organization, how to respond to this risk, and with what urgency.

When initial data are limited, it is key to collect more data and information through reputable sources and these should be verified whenever possible. 

Likewise, the organization must analyze the sources of emerging risk, the possible events and scenarios, and their positive and negative effects on the objectives and consider cascading and severe consequences. 

For scenarios, it is important to consider the magnitude of the consequences on the objectives, the perceived probability and the uncertainty of the estimates. To obtain an estimate of the level of risk, consequences and probability can be combined.

As more data is obtained, the organization should update the description of the scenarios, cause-effect relationships, consequence and probability estimates, and other supporting information. 

Throughout this process, keep in mind that the perceived importance of an emerging risk can change significantly, meaning that some risks may become insignificant while others may increase in relevance. And understanding the possible scenarios can also lead to the identification of new risks.

3. Assessment or evaluation of emerging risks

The results of the risk analysis should be evaluated on the basis of the defined risk criteria, and social, regulatory, cultural, environmental, and other aspects should be considered. It is important that emerging risks are taken into account in business decisions. 

Even so, it is not necessary to make immediate decisions on some risks, among other reasons, because there is insufficient information or because they are of little importance to the organization for the time being. This does not mean that these risks should be completely forgotten, but rather that they should be monitored. 

When there is not much data and knowledge about an emerging risk, it is possible that significant uncertainty about the consequences or their likelihood may arise. In these cases, it may be useful to identify possible actions and establish which ones can be taken. 

ISO 31050 also indicates that information on emerging risks considered significant should be communicated, if necessary, throughout the organization so that they can be taken into account in the decisions made. Therefore, it is key to assign responsibilities for the detection and timely response to changes and available data on emerging risks.

Treatment of emerging risks

Given that the consequences and probability of emerging risks are generally unknown, it is essential for the organization to develop the ability to anticipate, prepare for and respond to a wide variety of problems, as well as to adapt to unexpected situations. 

Some of the recommendations to be followed by the organization, according to ISO 31050, are:

  • Analyze different options for dealing with emerging risks; techniques such as scenario analysis and event tree analysis can be useful. 
  • Include emerging risks that may have serious consequences in business continuity planning.
  • Test risk treatment measures that have been implemented.
  • Integrate plans for treating emerging risks into the operation and planning processes.

Monitoring and review of emerging risks

According to ISO 31050, the organization must: 

  • Devote continuous and effective effort to monitoring and measuring risk management performance, as well as reviewing the framework, policy, and plan defined for emerging risks. 
  • Monitor, test the effectiveness and, if necessary, improve the processes used for understanding the context and assessing emerging risks. 
  • Continuously monitor the results of the management process, including, for example, context information, identified risks, available data and information, and actions taken. In this way, the organization can respond quickly to any changes that arise. 
  • Constantly monitor the context to detect changes and their possible effects, as well as to update the data and information available on emerging risks. 
  • Monitor the effectiveness of implemented controls and proposed treatment measures. In addition, systems should be established to learn from experience with these risks as part of continuous improvement.

Registration and reporting

The first thing to keep in mind is that information on emerging risks, the means used, and how it is updated and communicated depend on the specific needs of the organization and its stakeholders. 

And, as stated in ISO 31050, records relating to emerging risks should be used to: 

  • Provide timely and relevant information on emerging risks to decision-makers in the organization. 
  • Assure the organization's internal and external stakeholders that emerging risk management is effectively implemented. 
  • Track changes and data on emerging risks and their controls. 
  • Track progress against risk management plans and treatment plans. 

On the other hand, it is recommended that what is documented about an emerging risk contain descriptive information about the risk and the different potential scenarios. In addition, if verified quantitative information aids understanding, it should be included in the documented information, which should be available, maintained, and updated.

Emerging risk management and organizational resilience

Organizational resilience is a key capability that all organizations should develop, among other things, because it enables them to:

  • Meet objectives, survive, and thrive.
  • Prepare for potential threats, absorb their impacts, recover, and adapt to changing conditions. 
  • Adapt to take advantage of the opportunities brought by change, create internal value, and take risks. 

And how does this relate to emerging risk management? 

According to ISO 31050, efficient and effective management of emerging risks should also help avoid and mitigate potential failures to take advantage of opportunities, as well as adverse effects on organizational objectives. 

Therefore, developing the ability to anticipate, resist, recover, and adapt to change is increasingly necessary.

1. Anticipation. It is about being as well prepared as possible to face unexpected or improbable events through the development of foresight capabilities and functions. It also involves knowing how to take advantage, before the competition, of the opportunities offered by the changes occurring in the external context.

2. Resilience and recovery. It consists of being able to resist adverse situations that occur in the environment and to be able to recover from them, that is, to return to the usual state and restore the functioning of the organization.

3. Adaptation. It is the ability to provide specific responses to each type of situation, i.e., to adapt to adverse events and propose actions to take advantage of them.

On the other hand, it is important that these capabilities can also be enhanced through the collection of available data and meaningful analysis of information and knowledge relevant to decision-making on emerging risks.

It should not be forgotten that continuous inspection of the external and internal context is fundamental to better understanding the emerging risks in organizations. In addition, it provides the necessary information to have, measure, and strengthen the attributes of organizational resilience.


Conclusions

  • ISO 31050 is a guide for managing emerging risks to improve organizations' resilience. It complements ISO 31000 and is applicable to any organization.

  • In general, emerging risks may include:

- Risks derived from unrecognized changes in organizational contexts.

- Risks created by innovation or social and technological development.

- Risks related to new or previously unrecognized sources of risk.

- Risks derived from new or modified processes, products, or services.

  • The management of emerging risks is based on applying the following principles of the ISO 31000 risk management standard: integrated, structured and comprehensive, adapted, inclusive, dynamic, best available information, human and cultural factors, and continuous improvement. 
  • The management of emerging risks is also based on the risk management process described in ISO 31000: communication and consultation, scope, context and criteria, risk assessment, risk treatment, monitoring and review, and recording and reporting. 

  • It is essential to continuously acquire information and knowledge about the organization's function, context, experience, and characteristics of emerging risks for efficient and effective risk management.

  • Organizational resilience is about an organization's ability to anticipate, prepare for, and respond to changes in the context. According to ISO 31050, it should be an essential element of effectively managing emerging risks.

Are you already managing emerging risks in your organization? Create your free Pirani account and learn how our software can help you manage these risks in a simpler and more effective way to be prepared for future challenges. 

And if you have questions and need more information about our management systems, you can schedule a meeting with one of our experts.
