RMG 211 - Element 7: Emerging Risks

Entities must implement arrangements for identifying, managing and escalating emerging risks.

Considering and planning for emerging risks is an important part of the risk management process. Identifying and monitoring emerging risk enables entities to manage the uncertainty and impact of these risks.

Entities should consider seeking a range of perspectives on emerging risks and incorporate the consideration of these emerging risks into their risk management framework and governance arrangements.

Considering emerging risks is an important part of strategic decision-making. It is easy for emerging risks to go unnoticed when you focus on the short-term. By monitoring emerging risks, you can better identify and prepare for possible disruptions. Preparing for emerging risks greatly enhances the resilience of an organisation. It also creates a mechanism to provide early warning to the executive and enables them to put in place appropriate measures and controls.

Emerging risks are newly developing or evolving risks that can affect the achievement of an organisation’s objectives. These risks present entities with newfound challenges and difficulties, of which the consequences are currently unknown. Emerging risks can materialise quickly and unexpectedly and often have complex consequences and characteristics that make them difficult to manage. This uncertainty can be hard to anticipate and even more difficult to measure.

Changes to an entity’s priorities and operating environment can lead to the materialisation of new risks and vulnerabilities. This is particularly common during periods of disruption, or when entities are undergoing major restructures which could involve the implementation of new technology or internal systems. Instability or transformation across an entity can create an element of uncertainty that brings about new and emerging risks.

Entities need the ability to identify current risk signals and anticipate emerging risk events, but also to embrace the opportunity emerging risks can bring. Identifying emerging risks through risk sensing makes this possible by delivering intelligence on the risks most relevant to an entity.

It is important to turn the risk signals gathered through risk sensing into strategic insights to inform decision-making. The consideration of this information allows entities to do more than identify trends and anticipate risks. It also helps uncover the opportunity that future disruption often presents, allowing entities to be better placed to manage these risks.

Effectively managing emerging risks is important to establishing resilience and preparedness in an entity’s risk management function as it allows for these emerging pressures to be factored into strategic decision-making.

After identifying emerging risks, the next step is to store this information in a register or ‘Emerging Risk Watch List’ that allows for a dynamic approach to actively assess and monitor the risks. Some benefits of an emerging risk watch list include:

  • A watch list can help prioritise emerging risks and categorise them according to how soon the risk is likely to eventuate, as well as the nature and velocity of the consequence.
  • Through the use of a watch list, a threshold for these emerging risk trends can be developed and agreed upon by management whereby there is a common understanding at which point action should be taken in order to mitigate the potential risk.
  • Accountabilities and responsibilities in relation to each emerging risk should be allocated through this watch list. Another approach is to flag risks within your everyday risk registers as being an evolving concern. This allows the capture and monitoring of risks which may be of low severity and low likelihood today but need to be managed in a structured way because of their potential for change. Without this flag, these currently low risks may be deleted or ignored during review processes.

The following communication channels and mechanisms can be used in order to escalate emerging risks within an entity:

  • Quarterly risk reports: these can provide detailed information on the entity’s key emerging risks and allow for greater visibility over any new or evolving risks that have the potential to affect business operations in the future.
  • Regular reporting to the Executive Committee: this can involve frequent upwards communication as part of the regular internal reporting channels that involves the discussion of any emerging risks that are on the horizon.
  • Risk forums and committees: embedding the consideration of emerging risks into these meetings helps provide a level of oversight.
  • Newsletters & internal risk management intranet page: these can be more informal mechanisms by which information surrounding emerging risks can be circulated throughout the entity with easy to read updates.

Entities are encouraged to use risk communication to identify, assess and provide information on the monitoring of emerging risks against the corporate objectives of the entity. This may be aligned with other reporting frameworks.

When communicating about emerging risks, ask yourself the following questions:

  • Who needs to know and what needs to be communicated?
  • What objectives does the emerging risk threaten?
  • What is the potential consequence of the emerging risk, now and in a range of foreseeable futures?
  • How long until the emerging risk could first be realised?
  • What triggers, warnings or key risk indicators (detective controls) are being actively monitored to understand the emergence or evolution of the risk?
  • What is the most acceptable format when presenting information?
  • What analysis has been performed to provide robustness to the data?
  • What follow-up action is needed?

Emerging risk reporting to senior executives is most effective when it occurs at regular intervals throughout the year.

A risk communication plan can be an effective way of documenting an entity’s approach to escalating and spreading awareness of the emerging risk profile. To minimise duplication, risk information provided in corporate reporting may be used to inform senior executives when completing annual reporting tasks.

A risk communication plan can be tailored for each individual entity and may include information on:

  • the attitude and approach to managing risk
  • the emerging risk profile
  • individual emerging risks
  • specific control responsibilities.
  • A wide range of techniques can be used to identify areas of potential emerging risk. These are often common with approaches used by entities for their strategic and business planning. Leverage strategy and business planning discussions, recommendations from Internal and ANAO Audits and media reports as opportunities to identify emerging risk.
  • Include emerging risks as a specific agenda item in risk forums or entity risk committee meetings in order to ensure that they are addressed. Risk reports should contain tight and brief executive summaries – what are the stand-out issues and what have been the key changes.
  • ‘Dashboards’ which highlight areas of concern or opportunity can quickly and effectively convey information to senior executives to enable them to focus on key issues.
  • Tailor the structure and content of emerging risk reports for the audience, the nature of the risks being reported and the circumstances.

Did you find this content useful?