Managing Emerging Risk Identification

When To Use

• Standing horizon-scanning cycles (quarterly, semi-annual) where the risk committee needs a structured inventory of threats not yet captured in the existing risk register
• Ad hoc scanning triggered by macro events — geopolitical shifts, regulatory proposals, technology disruptions, pandemic signals, or sudden market dislocations
• Developing or refreshing early warning indicator (EWI) frameworks tied to specific risk categories
• Preparing emerging risk sections for board risk reports, ORSA narratives, or enterprise risk appetite statements
• Evaluating whether a newly surfaced threat warrants escalation from "watch list" to active risk with capital or limit implications

Inputs To Gather

• Current risk taxonomy and register — existing categorization (credit, market, operational, strategic, reputational, climate/ESG, cyber, model, etc.) so emerging risks can be mapped or flagged as net-new categories
• Scanning horizon — define time bands (e.g., 0–1 year near-term, 1–3 year medium-term, 3–10 year long-term)
• Source universe — regulatory pipeline (proposed rules, consultation papers), industry loss event databases, internal incident trends, macro-economic indicators, technology and competitive intelligence feeds
• Risk appetite statement — quantitative thresholds and qualitative boundaries that determine when an emerging risk crosses into active management
• Prior emerging risk inventory — last cycle's output, including disposition decisions (promoted, retired, unchanged)
• Stakeholder audience — CRO, board risk committee, business-line risk owners, or regulators [VERIFY which governance body receives final output]

Workflow

1. Define scanning scope and horizons

   • Confirm risk taxonomy version in use; agree on time-horizon bands
   • Identify any thematic focus areas requested by leadership (e.g., AI/ML model risk, sovereign credit deterioration, supply-chain concentration)

2. Harvest signals from source universe

   • Scan regulatory proposals, supervisory guidance, and enforcement actions relevant to the firm's jurisdictions [VERIFY applicable regulators — Fed/OCC/FDIC, PRA/FCA, ECB/SSM, MAS, etc.]
   • Review industry loss databases (ORX, SAS OpRisk), peer disclosures (10-K risk factors, Pillar 3 reports), and rating agency sector outlooks
   • Collect internal signals: near-miss incidents, audit findings, model validation exceptions, limit breaches, concentration drift

3. Categorize and characterize each emerging risk

   • For each candidate risk, document:
     • Description — what the risk is and its causal drivers
     • Horizon band — near / medium / long-term
     • Velocity — how quickly impact could materialize (sudden, gradual, episodic)
     • Potential impact channels — P&L, capital, liquidity, operational continuity, reputation
     • Interconnections — linkage to existing register risks or other emerging risks (contagion paths)
   • Assign a preliminary severity rating using the firm's impact/likelihood matrix or a qualitative High/Medium/Low scale

4. Develop early warning indicators (EWIs)

   • For each high- and medium-severity emerging risk, propose 2–4 leading indicators with:
     • Data source and refresh frequency
     • Threshold / trigger level — green / amber / red bands tied to risk appetite
     • Owner — business line or control function responsible for monitoring
   • Examples: CDS spread widening beyond historical percentile, regulatory comment-letter volume spike, patent-filing acceleration in disruptive technology, cyber-threat intelligence score elevation

5. Disposition and escalation recommendations

   • Compare current inventory against prior cycle; for each risk recommend one of:
     • Promote — move to active risk register with assigned owner, limits, and capital treatment
     • Watch — retain on emerging risk list; specify next review trigger
     • Retire — risk has materialized (now active) or dissipated; document rationale
   • Flag any risk where current risk appetite framework has no coverage and recommend appetite-statement amendment

6. Compile management report

   • Produce the emerging risk report with executive summary, heat map visual, individual risk profiles, EWI dashboard design, and disposition decisions
   • Include an appendix listing sources consulted and assumptions made

Output

The deliverable is an Emerging Risk Identification Report containing:

• Executive summary — top 3–5 emerging risks ranked by severity and velocity, key changes from prior cycle
• Heat map — two-dimensional plot of likelihood vs. impact, color-coded by horizon band
• Individual risk profiles — one per emerging risk with description, drivers, impact channels, interconnections, EWIs, and disposition recommendation
• EWI dashboard specification — indicator definitions, data sources, threshold calibrations, and monitoring ownership
• Disposition log — promoted, watched, and retired risks with rationale
• Assumptions and limitations — data gaps, jurisdictional caveats, model uncertainty

Quality Checks

• Every emerging risk is mapped to at least one risk taxonomy category or explicitly flagged as a proposed new category
• EWI thresholds are anchored to observable data and aligned with the firm's risk appetite bands — no arbitrary or undefined triggers
• Interconnections are documented; risks are not treated as independent when common drivers exist
• Prior-cycle risks are explicitly dispositioned — none silently dropped
• Regulatory and jurisdictional dependencies are marked with [VERIFY] where the analysis may not generalize across operating entities
• Report avoids speculative language; where uncertainty is high, confidence level is stated and escalation to subject-matter experts is recommended
• Severity ratings use the firm's approved impact/likelihood definitions, not ad hoc scales [VERIFY alignment with current risk appetite framework version]