What happens if a drought occurs in a country where a company has a semiconductor manufacturing facility? What if a pathogen trapped in the Arctic permafrost for thousands of years is released due to melting ice and suddenly affects crops and the products that depend on them? These instances were once in the “unknowns” box. However, at least one of these risks is now a fact, and we faced heavy impacts in manufacturing because of it, especially in the automotive industry.
What is an emerging risk?
IRGC defines an emerging risk as “a risk that is new, or a familiar risk in a new or unfamiliar context or under new context conditions (re-emerging),” or as “issues that are perceived to be potentially significant but which may not be fully understood and assessed, thus not allowing risk management options to be developed with confidence.” An emerging risk can be characterized by “high uncertainty” and “a lack of knowledge about potential impacts and interactions with risk absorbing systems.”
As described, an emerging risk is not easy to identify, given that the impact can occur in a range of ways and the unknowns can hide the risk from us to determine (in the industry verticals, products or professional domains). Establishing the relevance of the scenarios constructed to the organization’s strategic tangibles or intangibles is another challenging part of emerging risk identification. Defining an emerging risk requires the assessor or analyst to know the organization, business, process and products well enough to sense the impacts of the events analyzed.
In the identification phase, we search for meaning within “unknowns” that needs to be tied back to reality in a way that business decision-makers can understand. The uncertainty of the impacts, the interactions of the systems and the people’s response to disruptions are the main factors in our lack of knowledge about the event’s relevance to the organization.
Acting on an irrelevant risk to the organization is as dangerous as doing nothing against a relevant risk. Consequently, a time scale and a scope should be defined when a plausible or possible scenario is studied.
Scale is the time that we predict the impact may be seen from an occurrence. There are three states for scale: the first is closer to today as the impact can occur now; the second is seen as when the risk occurrence probability starts accelerating, depending on the visible trends (projection); and the last one represents an idea in exploration, as little or no trend information exists. When we take a closer look at these parameters, depending on which state it is classified in, an emerging risk can be perceived as speculation (exploration).
On the other hand, if we stay close to the present, contrary to the existence of the emerging risk, it may quickly become a fact. Therefore, we might choose to stay in an uncertainty level between two states: projection and exploration. Compared to exploration, the projection has a data-driven approach. When the uncertainty increases, we reach to exploration scale. For instance, a trend analysis can identify that AI-based fine art drawing is improving. This would enable us to advance the idea to say, “AI capabilities may outrun the human artist capabilities.” However, exploration would be more like, “The AI capabilities may put human fine art artists and visual designers out of business.” The latter proposition becomes more imaginative when there are no trends or data for the core and the derivative/surrounding areas to support it. Still, we need to register the innovative proposition to our risk register with a caveat that describes it as an “exploration.” So, the business would not focus on this proposition until it is supported with trend data.
The second parameter, the scope, is like the blast radius of an explosion. It defines the reach of a risk’s impact when it occurs. Would it impact the organization or industry, or will it expand globally? The scope is primarily used to steer the focus of the attention to the type of strategy changes that may be needed. For instance, an identified risk with an organizational blast radius may be mitigated by tactical-level activities such as adding a policy, creating a process or implementing technology, while a global impact may encourage the organization to make a strategic change in direction, such as changing the course from expanding the market to increasing resilience of the business.
Where should we look for emerging risks
While looking for emerging risks, we search for information about our targeted subjects and sweep the events that are happening. The reliability of the information collected has strategic importance in this study. This activity is generally called horizon sensing or horizon scanning. The effort is about looking into the future as widely as possible while trying to see the relevant indicators from the news, trends, cultural tendencies, political events, and natural events. One can easily get lost in this phase or drown in a vast amount of information from the search, since the source of information is not filtered or tested. Unless the information is collected from an official, reliable and reputable source, we need to take it with some healthy skepticism. Otherwise, our results may misinform the strategy level and lead to more significant failures.
The information collection has two parts: one is to see what is happening in the world relevant to the business, and the second is the internal view. We look inside the organization and discuss the identified events or changes that may contribute to define emerging risks with relevant stakeholders. The internal discussions can also change the scale of the emerging risk (from exploration to projection or vice versa).
Leveraging every bit of reliable data supports the credibility of the outcome, so operational-level data is another reliable source of information. However, if the analysis process has time limits, it may be best to keep the information collected at the strategic and (at most) tactical levels; otherwise, a breach of the due date is inevitable.
How long can an emerging risk analysis take?
In emerging risk analysis cycles, we should have time limits or, in a broader sense, service-level agreements to avoid going above and beyond with the search/scan duration. However, there is no specific data to identify the duration it should take. What we know is that the duration heavily depends on the organization’s tolerance and the subject’s depth. For instance, the manufacturing industry can have longer cycles for identification when compared to the service industry. Still, based on the results of our actual projects and professional experience, we can estimate that scanning activity can take three to five weeks, depending on the focused area. In this period, the assessor or analyst develops a good understanding of the trends, key events and results. The internal discussions are expected to start after a certain level of confidence is gained with the information collected. Overall, the process cycle (identification, analysis, and report) can take up to six to eight weeks.
Why do we need to act like a think tank organization while assessing emerging risks?
Emerging risk analysis differs from a regular risk assessment performed against compliance requirements, implemented controls or processes. The subject matter expert (SME) performing the analysis must have profound professional knowledge and experience, just as the other types of risk assessment require; however, the SME also needs to have a good understanding of the company’s finance, legal, ESG, operations or other areas to be successful on the job. The SME may also need a holistic view of the company’s position in the market with a steered target to understand the company’s future state, similar to the decision-makers who oversee all the structures in the organization. This will enable the SME to synthesize the raw data into a meaningful explanation of why the business needs to focus on that emerging risk. Otherwise, the identified risk will be another brick on the wall or, more clearly, a row of data in the risk register.
The livelihood of an identified emerging risk depends on the viewpoint of the assessor. The defined emerging risk has to make sense to the business while the decision-makers evaluate their strategy and execution plans under that risk. Therefore, the SME needs to have a think-tank-style thought pattern capable of creating innovative solutions to problems supported by the planned scenarios.
How can we build an emerging risk analysis process? Do we need tools to implement?
Performing an emerging risk analysis can be a one-person effort when the skillset required is satisfied. While identifying the impact, the perimeter of the sources needs to be extended to gather different views from relevant internal functions. At this point, the SME will orchestrate the brainstorming session to balance the identified risk by setting a realistic and relevant impact definition to conclude the analysis. After an agreed result is shaped, the SME develops a report and a risk card to present to the management and the enterprise risk register. The internal meetings and reporting are straightforward, unlike the analysis phase. In the analysis phase, horizon scanning (or sensing) is the most chaotic part of the process. In this phase, the organization must seek a structured environment for reliable information to standardize the activity and eliminate the risk of SPOF (single point of failure). The quality resides in the quality of the intelligence gathered. Therefore, a general rule of thumb is to work with a service provider that specializes in research and has a solid framework to distill the information gathered in building intelligence. There are some subscription services available for this purpose. The time saved with a subscription service can work in favor of the organization, allowing scaling of the process.
Pioneering grit needed
In summary, emerging risk analysis requires a niche skill set and grit to pioneer, as it is a relatively new concept to organizations. Nevertheless, it is possible to implement the process with a relatively low budget, starting with internet-based searches. One thing, though, is crucial for success: finding an individual with an aligned thought pattern with the knowledge, experience, and skills to perform.
Editor’s note: For more risk resources from ISACA, download the IT Risk Starter Kit.