Any successful organization must learn the art of planning ahead. And doing so means being aware of potential risk events, and being ready to act in a way that minimizes their (negative) impact on the organization.
When most of us think of risk in this way, we tend to imagine the big ‘one-off’ events: political upheavals, natural disasters, data breaches and so on. But what about the things that happen gradually? The risks that emerge over time, are hard to quantify, and yet unchecked can overwhelm an organization of any size?
We call these emerging risks. Addressing them effectively depends on learning as much about them as we can, quantifying the threat they pose to the best of our ability, and reacting appropriately to manage that threat.
In the rest of this piece, we’ll look at how to make that happen.
What is emerging risk?
As I write this piece, world leaders are gathering for COP26 in Glasgow in order to agree on a program to combat climate change. And climate change is (or was) the perfect, textbook example of an emerging risk:
“A risk that is evolving in areas and ways where the body of available knowledge is weak” - Institue of Risk Management
In general terms, we can specify two criteria that between them define emerging risk specifically:
- The risk tends to manifest over the course of time, rather than all at once as a discrete event, and
- The scale and likely impact of any given emerging risk is difficult to evaluate, certainly at any given moment in time
Both these attributes can make responding to emerging risks challenging. To return to climate change, one only needs to consider the false starts and inaction that have characterized the last three decades to make that point.
In that particular example, the stakes are inconceivably high. But many other forms of emerging risk have the potential to do serious damage to an organization or business. Let’s talk about them.
Types of emerging risk
Emerging risk can take many forms. By its very nature, it can be hard to spot. But these three examples give you some sense of what to look for:
- Technologies becoming obsolete, or overtaken by events. Digital photography replaced conventional film only gradually, but that didn’t stop an industrial giant like Kodak from filing for bankruptcy in 2012
- Slowly emerging trends, such as artificial intelligence, the positive or negative impacts of which are hard to evaluate
- The creeping, gradual change or erosion of organizational culture, that leaves the organization exposed to risk. The Fukushima Daiichi nuclear incident is just one example of such a disaster with two causes, one of which was a lax safety culture.
This last example is a reminder that emerging risks can often manifest in the same way Hemingway wrote of bankruptcy: “gradually, then suddenly”. Or for a more modern audience, the man free-falling from a skyscraper in the movie ‘La Haine’ who keeps repeating “so far, so good” before being reminded that “it’s not the fall that is important, it’s the landing”.
To understand and address emerging risk, it is vital to understand this point. Dangers can emerge gradually of themselves, or an organization can gradually leave itself more and more exposed to one-off cataclysmic events.
Identifying emerging risk: emerging risk monitoring
Now we understand emerging risk, what can we do about it? As an initial step, we need to identify it, and we need to do so as soon as possible. Early awareness is everything, because it gives us time to forecast, evaluate and act to avoid the consequences of emerging risks.
Identifying emerging risk largely requires two specific tasks:
- Spotting risk on the horizon (i.e. horizon scanning), at the maximum distance from ‘impact’, and
- Quantifying the ‘rate of change’, or how rapidly the specific risk is increasing
This can be a complex challenge. It requires a clear understanding of where and how risks can emerge, and an awareness that what seems innocuous today can in fact be storing up trouble for tomorrow. One way to help in this task is allowing the world’s media and broader analyst community to help.
Start by considering the types of risk that may pose a threat to the organization. Think creatively and openly around this subject: the nature of emerging risks is that they can be hard to identify. For example, if you are concerned with health and safety standards within a multinational organization, you will want to surface any comment or news relating to safety reports or breaches - not just actual failures or disasters.
The result of this activity is your 'emerging risk watchlist'.
Step two is actively scanning news sources from around the globe for any reference to those subjects on your watchlist. To do this properly requires monitoring a number of sources, including those in foreign languages and in specialist publications. They can run into the tens of thousands, or even hundreds of thousands: making this a job too large for any team of analysts.
Instead, this is where any organization serious about emerging risk puts in place an automated horizon-scanning tool such as RADAR, which can:
- Find and surface results relating to your watchlist, from over 80,000 sources from news media to earnings reports and court judgments.
- Track volume and significance of coverage over time, in order to accurately estimate how quickly (or slowly) the specific risk is increasing.
- Analyze sentiment, in order to forecast if specific events are likely to have a negative or positive impact on the organization.
- Automatically notify analysts when ‘abnormal’ results relating to any item on your watchlist are detected.
By performing these tasks, RADAR ensures that half the job (and to some extent the difficult half) is done. Emerging risks can be identified and quantified. Now ‘all’ the organization needs do is manage those risks successfully.
Managing emerging risk
The infinite variety of risks means in turn an infinite variety of appropriate responses to each. In that sense, it is not possible to give a ‘right answer’ when it comes to what that response might look like.
However, certain principles hold true.
Firstly and most importantly: act sooner rather than later. One of the great ‘benefits’ of emerging risk (certainly when compared to more conventional reputational risks) is that if a given risk is detected and addressed early, it can be entirely avoided.
For example, if issues arising from an increasingly lax cyber-security culture are identified and rectified, potential disastrous data breaches or denial of service attacks can be averted before they ever happen.
Even in cases such as that of Kodak above, whilst nothing was going to stop the rise of digital photography, acting quickly and decisively as the environment change could have saved the company.
This brings me to the second key principle when responding to emerging risk: be proactive in controlling your own fate. Use the insight that effective horizon scanning can give you to be clear about what is changing, what the destination looks like, and how your organization can win in that new reality. In a competitive world all risks are also opportunities.
Horizon scanning gives you the knowledge to win, but only if your organization is ready to take decisive action and, if necessary, change course. If you have that ability, emerging risk can be a real source of competitive advantage.