Under the Financial Reporting Council’s new UK Corporate Governance Code, which came into effect in January of this year, organisations are now required to complete a ‘robust assessment of the company’s emerging and principle risks, and an explanation of how these are being managed and mitigated.’ The new code reflects an understanding that modern corporates have a responsibility to consider both known and unknown-unknowns as a central pillar of their business plans. But what is an emerging risk exactly? At present no standard definition of the term exists and, unhelpfully, the FRC has not provided one of their own to make matters clearer.
The United States’ Securities and Exchange Commission has, since 2005, required all public US companies to disclose their ‘risk factors’ which are ‘the most significant factors that make the company speculative or risky.’ Again, no solid definition of ‘emerging risks’ has been provided.
Fortunately, the International Organization for Standardization has a new standard, ISO/NP 31050, for managing emerging risks. The bad news is that it is at a very early stage of being drafted – it has only just been ‘approved for development’ (stage 10.99 in ISO milestones because, naturally, there must be a standard process for developing a standard). A final ISO publication with a definition of ‘emerging risks’ may still be years away.
The Cambridge Centre for Risk studies recently reviewed the broader business literature on the definitions of emerging risks to date, and found a broad swathe of applicable factors. E&Y state that emerging risk ‘scenarios that could stand to derail the company’s plan’; Swiss Re defines the term as ‘newly developing or changing risks which are difficult to quantify and which may have a major impact on an organization’; for PwC, ‘emerging risks, also sometimes called global risks, are large-scale events or circumstances that arise from global trends; are beyond any particular party’s capacity to control.’ International Risk Governance Council (IRGC) has a definition that is a bit more useful. An emerging risk, it states, is ‘a new risk, or a familiar risk in a new or unfamiliar context (re-emerging). These risks may also be rapidly changing (in nature)… their probabilities and consequences are not widely understood or appreciated.’ These definitions draw attention to a set of variable criteria by which a company can judge their relationship to risk – things that can derail plans, or just are difficult to quantify, or things that are too big to control.
A standard, concise definition like this is wholly necessary for companies needing to manage their risk with clear and careful consideration, and so that methods and creative planning can be shared and discussed to the betterment of all. Under different definitions, a well considered ‘emerging risk’ such as climate change may not capture traditional but evolving perils such as increased storm surge risk or more frequent hurricanes. Once this definition is found, companies can continue on the process of building taxonomies of emerging risks, based on threat assessments, case studies of causes of business distress, self-reported risks, and conjectures about future trends that can threaten an organization’s strategic business plan.
So let us provide the definition that the Centre is using to help our research partners in developing their robust assessments of emerging risk in the wake of the FRC’s new code: An emerging risk is a new risk, changing risk, or novel combination of risks for which the broad impacts, costs and optimal management strategies are not yet well understood.