In this class, Alejandro Orrego, CEO at Pirani, teaches us about Risk management Guidelines, Key components of ISO 31000, ISO 31050:2023, Characteristics of emergent risks, examples, How to identify emergent risks., global trends, PESTEL Framework, actions for emergent risks, Risk intelligence cycle and managing emerging risks, emerging risk to enhance resilience and the risk workflow.

Risk management Guidelines

The primary objective of ISO 31000 is to assist organizations in making informed decisions regarding risk by providing a framework that supports the integration of risk management into the organization's overall governance, strategy, and operations.

Key components of ISO 31000 include:

1. Principles: The standard outlines eleven risk management principles, including establishing the context, integrating risk management into organizational processes, and continuously improving the risk management framework.
2. Framework: ISO 31000 provides a framework for implementing organizational risk management. This framework includes processes for identifying, assessing, treating, monitoring, and communicating risks.
3. Process: The risk management process outlined in ISO 31000 is iterative and adaptable to the specific needs and objectives of the organization. It involves identifying risks, analyzing their potential impact and likelihood, evaluating treatment options, implementing risk treatment plans, and monitoring and reviewing the effectiveness of risk management activities.
4. Communication and consultation: ISO 31000 emphasizes the importance of communication and consultation throughout the risk management process, internally among stakeholders within the organization and externally with relevant external parties.
5. Monitoring and review: The standard emphasizes the need for ongoing monitoring and review of the risk management process to ensure its effectiveness and relevance in light of changing internal and external factors.

ISO 31050:2023 Risk management Guidelines for managing an emerging risk to enhance resilience

Emerging risks are characterized by their newness, insufficient data, and a lack of verifiable information and knowledge needed for decision-making. As these risks can develop with the potential for large threats and opportunities, appropriate management of emerging risks should be established as a part of an organization’s risk management. It should include changes in circumstances or conditions related to multiple aspects of the organization’s external context and the implications for its internal context.

Emerging risks can include, for example:

• Risks arising from unrecognized changes in organizational contexts;
• Risks created by innovation or social and technological development;
• Risks related to new sources or previously unrecognized sources of risk;
• Risks from new or modified processes, products or services.

Consequences of emerging risks can include, for example:

• Exposure to unforeseen hazards and threats with uncertain outcomes;
• Increased exposure to hazards and threats from known risk sources;
• Lost or gained opportunities.

Emerging risks | Characteristic

• Unpredictable

although there may be known risks, for example, a terrorist act, a pandemic, or a natural disaster, it is not known exactly when, where, and how they will occur. Their materialization is unexpected and surprising for most people; an example is the recent pandemic generated by COVID-19, for which neither organizations nor governments were adequately prepared.

• Uncertainty

uncertainty is one of the main characteristics of these risks because, in addition to not knowing if and when they will occur, it is not known what their real impact will be, i.e., how much damage they may cause to aspects such as the operation, liquidity, reputation and survival of an organization. For this reason, they are not easy to assess.

• Complex and changing

they evolve rapidly and generate impacts in different areas of companies, as well as in people’s lives and governments’ development.

• Emerge from global trends

whether political, economic, social, environmental, or technological. It is key to monitor these trends to identify those risks that could arise and have a high impact. In addition to these characteristics, emerging hazards can be man-made and natural and cause large-scale events.

Examples of emerging risks can include:

1. Technological risks: such as cybersecurity threats, data breaches, disruptive technologies, and technological failures.
2. Environmental risks: such as climate change, extreme weather events, natural disasters, and biodiversity loss.
3. Social risks: such as demographic changes, societal shifts in values or attitudes, and geopolitical instability.
4. Regulatory risks: such as changes in laws, regulations, or industry standards that may impact operations or compliance requirements.
5. Economic risks: such as market volatility, economic downturns, currency fluctuations, and supply chain disruptions.

How to identify emergent risks

Global Risks Report 2024

The Global Risks Report explores some of the most severe risks we may face over the next decade against rapid technological change, economic uncertainty, a warming planet, and conflict. As cooperation comes under pressure, weakened economies and societies may only require the smallest shock to overcome the tipping point of resilience.

Emerging risks | PESTEL Framework

Context assessment

The PESTEL framework is used in strategic analysis to assess and understand the external macro-environmental factors that may impact an organization or its industry. PESTEL is an acronym that stands for Political, Economic, Social, Technological, Environmental, and Legal factors. Each of these factors represents a category of external influences that can affect a business's operations, performance, and strategies. By analyzing these six categories of external factors using the PESTEL framework, organizations can gain insights into the opportunities and threats in their external environment, allowing them to develop informed strategies and make better decisions to navigate and adapt to changing market conditions.

Here's a brief overview of each component of the PESTEL framework:

• Political factors

These refer to the influence of government policies, regulations, stability, and political trends on businesses. This includes taxation policies, trade regulations, political stability, government leadership, and political ideologies.

• Economic factors

Economic factors encompass the broader economic conditions that may impact businesses, including economic growth, inflation rates, exchange rates, interest rates, unemployment rates, and consumer confidence levels. Economic conditions can affect consumer spending patterns, investment decisions, and market demand.

• Social factors

Social factors include societal trends, cultural norms, demographics, lifestyle changes, and consumer preferences. This includes population demographics, social attitudes, health consciousness, education levels, and cultural values. Social trends can influence consumer behavior, market demand, and the reputation of businesses.

• Technological factors

Technological factors relate to technological advancements, innovation, research and development, and the rate of technological change. This includes automation, digitalization, emerging technologies, intellectual property rights, and technological infrastructure. Technological developments can create opportunities for new products and services, as well as disrupt existing industries and business models.

• Environmental factors

Environmental factors encompass ecological and environmental considerations, including sustainability, climate change, natural disasters, resource scarcity, and environmental regulations. Businesses must consider their environmental impact and sustainability practices to mitigate risks and comply with regulations while also addressing societal expectations for corporate responsibility.

• Legal factors

Legal factors refer to laws, regulations, and frameworks governing business operations, industry standards, and corporate governance. This includes labor laws, consumer protection regulations, health and safety standards, competition laws, and intellectual property rights. Compliance with legal requirements is essential for businesses to avoid legal risks and maintain ethical standards.

Conclusions & actions

EMERGING RISKS are potential threats or hazards that are not currently recognized or fully understood, but have the potential to significantly impact an organization's objectives or operations in the future. These risks often arise from new or unexpected sources, such as technological advancements, changes in regulations or legislation, shifts in social or environmental trends, and geopolitical events. Emerging risks may not have a history of occurrence or may be difficult to predict using traditional risk assessment methods. They require ongoing monitoring and assessment to identify and understand their potential impact, likelihood of occurrence, and the effectiveness of existing risk management strategies.

“The organization should:

• Undertake regular and comprehensive scanning of the context in which it operates from multiple perspectives or the use of relevant methods/techniques to identify changes in context and emerging risks;
• seek to identify emerging risks at a strategic level and throughout the organization whenever the risk management process is applied (risks of particular significance to individual projects or departments can be less visible or less likely to be considered during higher-level strategic thinking);
• analyze trends that can eventually lead to new risks;
• describe sources of risks and possible scenarios of interest associated with the above;
• actively seek scenarios with positive as well as negative outcomes;
• explore interconnected risks and contexts;
• identify indicators for emerging risks that will provide an early warning of imminent consequences or new opportunities and threats that are emerging and monitor these indicators;
• continually monitor data so that descriptions of risks can be updated as the latest information is obtained.”

A risk intelligence cycle should be applied to managing the emerging risk by:

• Continual scanning to collect, analyze, and interpret data, information, and knowledge on emerging risks that occur within a context that is often characterized by unpredictable volatility, high degree of uncertainty, network complexity, and rapid rates of change;
• considering that data on emerging risks gathered under such changing circumstances are limited (in quality and quantity), and their need for urgent interpretation often leads to increasing ambiguity of available information;
• considering data about other relevant known risks;
• Relating intelligence's criticality to effective decision-making due to the limitations of available data and information on emerging risks.

Emerging risk to enhance resilience

• Business Continuity

Business continuity refers to the ability of an organization to maintain essential functions and operations during and after a disruptive event. It involves developing and implementing plans, processes, and procedures to ensure the continued delivery of products and services to customers, preserving critical assets, and managing risks that could disrupt business operations.

• Business Resilience

Business resilience goes beyond continuity and focuses on the organization's ability to adapt, recover, and thrive in adversity. It encompasses the ability to respond effectively to disruptive events, the capacity to anticipate, prevent, and mitigate risks, and the capability to innovate, learn, and evolve in a dynamic and uncertain business environment. Business resilience involves building a culture of resilience, fostering flexibility, agility, and creativity, and integrating risk management into strategic decision-making processes to enhance the organization's ability to withstand and recover from disruptions and achieve long-term success.

Emerging risks | actions

Emerging risks can indeed be difficult compared to other types of risks for which more information is available, but this does not mean that it is impossible. Some actions that can be implemented to identify emerging risks are:

1. Constantly monitor and evaluate the internal and external environment of the organization and be updated on global trends, as well as existing and possible conditions of change.
2. Have a deep knowledge of the industry and the market, including the entire supply chain for the production and operation of the company.
3. Consider and review lists of emerging risks presented by industry experts. Validate which risks are relevant to the organization.
4. Think and discuss the different areas, not only risk management, which events with a low likelihood of occurrence but with high impact could affect the operation and continuity of the company.
5. Perform analysis of possible scenarios to identify threats that could materialize and generate impacts on processes or assets.