Navigating emerging and interconnected risks: A blueprint for resilient strategies

Polycrisis^[1]. Unprecedented. Historic. Extreme. These are just some of the headlines entering the inbox of every organizational leader. The world is changing at a rapid pace, regulators and shareholders are adding to the governance requirements, and you may be coordinating actions across multiple business models, markets and timezones.

With the world’s largest 100 companies responsible for $17.7 trillion^[2] of revenue, the values at stake of the wrong action – or worse inaction – require shared understanding and a unified strategy. It is not surprising the world’s biggest companies are paying renewed attention to how they can identify the emerging trends driving the cascade of risks and opportunities, to explore how these will not only impact their risk framework, but also be forces for growth.

Risks and opportunities

Artificial Intelligence (AI) stands as a current siren lure, with projections suggesting generative AI could create $13 trillion in economic value^[3] with a clear call to businesses: Evolve with AI or risk falling behind. History is littered with examples ranging from organizations missing opportunities to pivot business models to the failure of boards to engage with important risks, such as risks to reputation and ’licence to operate‘, to the same degree that they engage with reward and opportunity. Nobody wants to be the next Blockbuster and experience the disruption of their business model. Something that could have been avoided by stretching the imagination to the plausible futures their rivals saw.

The urgency to respond to multiple internal and external stakeholders can prevent organizations from looking beyond and above their most immediate challenges. A comparison of the 2007 annual reports from today’s top 10 Fortune 500 companies will reveal that only one mentioned the word ’pandemic‘. In 2022, pandemic was in the top 10 risks of all 10, some with entire sections dedicated to it. What has changed since then? Experience. The return periods for a pandemic didn’t change. The data was always there that another pandemic could occur, but that data wasn’t personally available or recent.

And looking forward, the risk of pandemics hasn’t gone away just because we’ve experienced one recently. Researchers modeling future pandemic risk believe there is a 47% to 57% chance of another global pandemic as deadly as COVID-19 in the next 25 years.^[4]

A smarter way to risk

Reviewing emerging risks and being future-ready is about more than maintaining a risk register, or scoring acceleration, impact and severity. Harnessing the full potential of emerging risk thinking means adopting a risk maturity approach able to build partnerships across business functions to empower risk knowledge and ’buy in‘. Just as no risk operates in isolation, leaders increasingly need to have a wider understanding of impacts beyond their function.

Chief executive officers, chief risk officers, chief human resources officers, chief technology officers, chief operating officers, chief strategy officers and chief financial officers need a shared lexicon and approach that can bring risk management decision making and financial priorities together. For example, emerging risks around intellectual property (IP) could have touchpoints across the organization:

• Employee experience and how engaged they are in the company culture can feed into the risk management and mitigation
• The technology and governance choices can influence how IP is baked into innovation and procurement
• Having a finance-led view of the risks and opportunities of intellectual property can support decision making on how to protect investments, from accessing alternative capital to transferring risk to insurance markets

A collaborative approach enables you to provide a holistic view of risks, helping leaders and risk owners fuse qualitative appreciations of the future into modern approaches to quantitative risk management. When you embed risk management through working with other business functions, you’re more likely to address their risks and uncertainties proactively rather than reactively.

This evolving situation necessitates a pivot toward not just recognizing but actively preparing for a wider array of risks. Research suggests that organizations that have invested in building corporate foresight units outperform the average by 33% higher profitability and by 200% higher growth^[5]. There is value in thinking backwards to learn from history, and forwards to embrace collective futures.

We asked our industry and risk leaders for their most interesting emerging and interconnected risks that leaders should take back into their organizations and ask “how are we understanding and taking action on this source of emerging risks?”:

The cyber landscape is shifting again. Today, IBM estimates the global average cost of a data breach in 2023 was $4.45 million, a 15% increase over three years^[6].

Average figures hide a diverse range of impacts.

The World Bank estimated that globally, from 2019 to 2023, approximately $5.2 trillion in global value was at risk from cyberattacks. Every month 10.5 million records are lost or stolen, an estimated 438,000 every hour.^[7]

These events can have very real impacts for complex organizations, with wide ranging risk sources, and complex causes and consequences that require a holistic framework and risk approach. A key example of these lessons over time includes the experience of a global hotel chain.

In 2018 they announced that hackers had stolen approximately 500 million customer records. The attackers had gained unauthorized access into a company acquired by the hotel chain in 2014 and remained in the system. The access was not discovered until 2018, and the hotel chain was fined £18.4 million for personal data breach by the U.K. Information Commissioner’s Office under the General Data Protection Regulation (reduced from £99.2 million). Wider impacts at the time included: recovery costs, reputational damages from the loss of customer confidence, and legal ramifications through class-action lawsuits raised by those impacted.

In 2022, a further 20 gigabytes of data were stolen through social engineering of an employee to gain access to his or her account — a different method of attack that enabled a different way in.

When organizations experience events, a need arises to think beyond single solutions and risk pathways to ensure resources can support wider resilience.

Bloomberg Intelligence suggests it will grow to $1.3 trillion over the next 10 years from a market size of just $40 billion in 2022^[8].

As the technology evolves at a rapid pace, governance efforts will be critical, especially as AI developers are grappling with the risks inherent in their training data. Every part of your organization will also need to consider the knock-on effects – cyber risks being one of them.

In 2023, the National Oceanic and Atmospheric Administration calculated the U.S. alone had experienced 28 events with losses exceeding $1 billion, well above the average since 1980 of eight events per year and the average for the past five years of 18 events per year. In the U.S., insurers saw the costliest severe convective storms (SCS) year on record, with total claims exceeding $50 billion^[9].

Secondary peril losses, primarily severe convective storms in the U.S. and Europe, contributed substantially to the year’s insurance claims, underscoring their growing influence by cumulative losses outstripping those caused by a season of hurricanes.

Other natural catastrophe perils also set new records, which have knock-on impacts for insurers challenging their own views of aggregations, as well as risk leaders who are taking a second look at the extent of their physical footprint. In 2023 Canada experienced its most extensive wildfire season on record, with 17.94 million hectares burned.

The scale of fires saw the Canadian government close several roads across Quebec, with many companies having to curtail their operations. As wildfire risk increases, a multifaceted approach will be needed that combines early forecasting and anticipation of wildfires with robust infrastructure, effective communication, adaptable policies and consideration of nature-based solutions.

The year 2024 is set to be what the Economist and Time has at the start of the year called “the biggest election year in history,” with national elections scheduled in at least 64 countries plus the European Union, representing 4.1 billion people — close to half the global population (49%) — and an estimated $57 trillion of global GDP. By April that number was 83 national elections in 78 countries.^[10] Which is indicative of the way that politics can rapidly ebb and flow. Many will prove consequential for years to come with potential impacts including social stability, reshoring/offshoring, regulatory change and international investment shifts.

Recent research by WTW and Oxford Analytica, published in the WTW Political Risk Index, suggests that geopolitical alignments are shifting rapidly. Inevitably, changes of government are an opportunity for dramatic geopolitical realignments. Investors tend to abhor uncertainty; in some ways, predictable adverse developments are preferable to not knowing the future, which makes it hard to calculate future returns. And 2024’s elections will bring their fair share of uncertainties, raising the importance of organizations to question what sources of information they can call on to ensure they are informed of the wide-ranging impacts of geopolitical risks.

Taking action and finding your path

There is no shortage of approaches that large and complex organizations are using to tackle these challenges. However, there is no one-size-fits-all approach to identifying, analyzing, monitoring and responding to emerging risks. Organizations should remain aware of this and ensure they take account of their culture, experience, technological capability, and colleague attitudes when designing or refining an approach.

How are leading organizations addressing their risk portfolio and financial impact while balancing emerging risks?

At the core of these approaches is the need to understand what we mean by emerging risks

Organizations use a range of different definitions for emerging risks, refined based on time horizons, risk tolerance thresholds, and strategy deliverables. The recent release of the ISO 31050 – guidance for managing emerging risks to enhance resilience – marks a pivotal moment in the management of these risks at a time when new regulatory standards and requirements are being implemented or considered.

If definitions can vary, what are emerging risks? To quote directly from ISO 31050 they can cover a series of characteristics:

This is a useful starting point, but organizations may wish to simplify this further to make the language clearer and more accessible. An organization could choose to view emerging risks as:

• Circumstances that materially change the profile of risks we’ve already spotted.
• Circumstances that lead to new risks we hadn’t previously spotted.
• Circumstances that cause two or more risks to combine, happen simultaneously or create a domino effect.

In asking whether your existing approach deals with these risks and opportunities appropriately, an organisation may wish to consider three challenge questions:

Consideration of emerging risks is essential for a truly effective strategic approach, which provides long-term value; accordingly, organizations should seek to ensure they give emerging risks in all their guises sufficient consideration and attention when building, enhancing, and implementing strategic frameworks and processes.

In the face of global change, there has never been a better time to challenge your emerging risk approach. Are you prepared against the risks and opportunities coming your way and ready to seize the advantage?

Footnotes

1. Covid-19, climate change, armed conflicts: world’s crises can lead to interconnected polycrisis. Return to article
2. The 100 largest companies in the world ranked by revenue in 2023. Return to article
3. The transformative role of AI for development data. Return to article
4. The Next Pandemic Could Come Soon and Be Deadlier. Return to article
5. Corporate foresight and its impact on firm performance: A longitudinal analysis. Return to article
6. Cost of a Data Breach Report 2023. Return to article
7. Cybersecurity Multi-Donor Trust Fund. Return to article
8. Generative AI to Become a $1.3 Trillion Market by 2032, Research Finds. Return to article
9. Natural Catastrophe Review July - December 2023. Return to article
10. All the Elections Around the World in 2024. Return to article