I am often caught in debate over emerging risks and the role of probability in analysis of risks. Many organisations consider emerging risks to be risks that are changing in context, and that the changes need to be monitored to ensure the risk does not become a threat to the organisation.
But how does this differ from identification and analysis of risks? Surely if a risk has been identified, it can no longer be emerging. Changes in its context should be reflected in changes in the rating of probability and consequence, which in turn drive risk ratings.
We know that context, both internal and external, plays a vital role in the analysis of risks. When reviewing a risk, we ask what effect the changes in context have / will have on the risk and then establish how those changes are reflected in the risk rating.
An emerging risk can surely only be emerging until it has been identified, following which any changes should be viewed as changes in risk context?
Clearly, it is important for organisations to flag risks that need to be watched. These risks demonstrate changes that could increase or decrease the threat, or opportunity, to the organisation. The organisation can actively pursue these changing opportunity risks, or respond to threats with changes in controls and / or risk treatment strategies.
The key is to ensure risk reviews are based upon the attributes of the risk – probability, consequence, volatility, influence of changes in context. An organisation that conducts risk reviews on a fixed time schedule is unlikely to see changes in risks until it’s too late.
Whether we think of risks as emerging, or changing in context isn’t the critical issue. It’s the risk review process that is critical, as it is this that enables you to monitor the changes in risks that could impact your organisation. If risk management is embedded into the organisation’s risk awareness should ensure those changes in context are identified and addressed in a timely and effective way.
Understanding your risks, and ensuring effectiveness of controls enables organisations to exploit the opportunities risks create.
From risk comes opportunity.