| Key Takeaways |
| --- |
| Emerging risks are threats that do not yet have a significant impact but are characterized by high uncertainty, rapid evolution, and interdisciplinary nature (Gartner, 2026). They demand proactive, adaptive management approaches. |
| The top emerging risk categories in 2026 are AI governance and digital disruption, geopolitical instability, climate and ESG-related threats, cyber-enabled fraud, and pandemic-style operational disruptions (ORX, Forrester, McKinsey). |
| The World Uncertainty Index is nearly nine times higher than 20 years ago (McKinsey, 2025), making horizon scanning and scenario planning non-negotiable capabilities. |
| COVID-19 exposed a fundamental gap: 60% of small and medium enterprises lacked formal risk management processes when the pandemic hit. The lessons from that crisis now shape how organizations approach all emerging threats. |
| A structured emerging risk framework has four phases: Scan, Assess, Respond, and Monitor. This guide provides the tools, tables, and governance model to operationalize each phase. |
| Business continuity management is the critical link between emerging risk identification and organizational survival. Pandemic preparedness plans, tested through exercises, separate resilient organizations from vulnerable ones. |
| Only 37% of risk decision-makers feel confident they have captured all key risk drivers (Gartner, 2024). The emerging risk process specifically targets that confidence gap. |
The World Uncertainty Index has increased nearly ninefold over the past two decades, according to McKinsey’s 2025 research on the future of risk management. Geopolitical disruptions, technology-driven change, and climate volatility are compressing the time between a risk emerging and that risk causing material damage.

Traditional enterprise risk management programs, designed to manage known, well-understood threats, often struggle with risks that have no historical precedent and defy standard probability models.
The COVID-19 pandemic was the defining case study. Organizations with robust business continuity plans and tested pandemic response playbooks recovered faster, protected revenue, and maintained stakeholder confidence. Those without formal risk management processes, estimated at 60% of small and medium enterprises, suffered disproportionate losses.
But the pandemic was not the last emerging risk. AI governance, deepfake-enabled fraud, critical infrastructure failure, and cascading climate events now demand the same level of preparedness.
This guide provides a complete emerging risk management framework: from horizon scanning to board-level reporting. Each section anchors to ISO 31000 and COSO ERM, includes practitioner-ready tables, and draws on lessons learned from the pandemic to prepare your organization for the next wave of uncertainty.
What Are Emerging Risks?
Gartner defines emerging risks as threats that do not currently have a significant impact on an organization but are characterized by high uncertainty, rapid evolution, and interdisciplinary nature.
They differ from enterprise risks, which are well-understood and managed through established strategies. Emerging risks can be entirely new, re-emerging after a dormant period, or familiar threats appearing in unfamiliar contexts.
The ORX Operational Risk Horizon 2026 study, based on insights from 47 leading financial institutions, identified three persistent challenges: uncertainty dominates the environment, risk types are increasingly interconnected, and the time horizon between risk emergence and impact is shrinking.

These findings apply beyond financial services to any organization managing operational, strategic, or compliance risk.
Emerging Risk vs. Enterprise Risk: Key Differences
| Dimension | Enterprise Risk (Known) | Emerging Risk (Unknown / Evolving) |
| --- | --- | --- |
| Historical data | Abundant; decades of loss data available | Sparse or nonexistent; no reliable precedent |
| Probability estimation | Quantifiable using actuarial or statistical models | Highly uncertain; expert judgment and scenario analysis required |
| Organizational awareness | Well-understood across business units | Often visible only to specialists or external watchers |
| Management approach | Established controls, policies, and KRIs | Horizon scanning, scenario planning, adaptive response |
| Examples | Credit default, workplace injury, IT outage | Pandemic disruption, AI-enabled fraud, quantum computing threats, critical mineral supply collapse |
| ISO 31000 alignment | Clause 6.4 (risk assessment) using established criteria | Clause 5.4.1 (understanding context) + Clause 6.6 (monitoring for change) |
Top Emerging Risks in 2025-2027
Multiple global surveys converge on the same emerging risk priorities. The 2026 ProSight CRO Outlook Survey found that 74% of respondents cited technology and cyber risk as a top risk category, with strategic risk and digital disruption named the number one emerging risk. The table below consolidates findings across five authoritative sources.
Emerging Risk Landscape: Cross-Survey Comparison
| Emerging Risk Category | Forrester 2025 | ORX 2026 | McKinsey 2025 | Gartner 2026 | ProSight CRO 2026 |
| --- | --- | --- | --- | --- | --- |
| AI governance and digital disruption | Top 5 | Top 3 | Top trend | Top category | #1 emerging risk |
| Cyber risk and ransomware | #1 current risk | #1 emerging risk | Key challenge | High priority | 74% cite as top risk |
| Geopolitical instability and trade policy | Top 5 | High ranking | 9x uncertainty index | Political risk category | Top 3 current risk |
| Climate, ESG, and sustainability regulation | Growing concern | Rising | Supply chain driver | Environmental risk | Monitored |
| Pandemic and health-related disruption | Residual concern | Interconnected risk | Operational resilience driver | Not top-ranked currently | Not top-ranked currently |
| Third-party and supply chain concentration | Top enterprise risk | High; critical infrastructure dependency | Key challenge | Supply chain risk | Growing regulatory focus |
| Talent and workforce transformation | Operational risk | People risk | Future of risk talent | Human capital risk | #3 tied (operating model) |
Notice how pandemic risk, which dominated 2020-2022, has receded as a standalone category but lives on through operational resilience and business continuity expectations.
The lesson is clear: individual emerging risks come and go, but the capability to detect and respond to them must be permanent.
Lessons from COVID-19: What Pandemic Risk Taught Us
The COVID-19 pandemic was a stress test on global business continuity management and risk assessment practices. Organizations that had invested in preparedness before 2020 activated plans, shifted to remote operations, and maintained critical functions.

Those that had treated business continuity as a compliance artifact scrambled to improvise. The table below distills the most important takeaways.
Pandemic Risk: Key Lessons and Current Application
| Lesson | What COVID-19 Exposed | How to Apply Now (2025-2027) |
| --- | --- | --- |
| BCP testing matters more than BCP documentation | Organizations with untested plans discovered they did not work under real conditions. Remote work infrastructure was inadequate; communication chains broke down. | Conduct annual tabletop exercises and at least one live simulation. Test remote operations, supply chain failover, and crisis communication protocols. |
| Supply chain concentration is a critical vulnerability | Single-source dependencies on suppliers in affected regions caused weeks of production downtime. Travel restrictions disrupted commodity chains. | Map supply chain dependencies to the fourth-party level. Diversify critical suppliers across geographies. Include supply chain scenarios in stress testing. |
| Business impact analysis must include pandemic scenarios | Many BIA templates did not account for simultaneous unavailability of people, premises, and technology across the entire organization. | Add a pandemic scenario to the BIA template. Define RTOs and RPOs assuming 40-60% workforce unavailability over 8-12 weeks. |
| Risk appetite must address emerging, not just known, risks | Boards had defined appetite for financial and operational risk but not for emerging threats with uncertain probability. | Include an emerging risk appetite statement that defines how much uncertainty the board is willing to tolerate before activating contingency plans. |
| Communication is as critical as operations | Organizations that communicated early, clearly, and consistently with employees, customers, and regulators maintained trust. Those that went silent lost it. | Pre-draft crisis communication templates. Assign a crisis spokesperson. Test the communication plan alongside the BCP exercise. |
| Government intervention shapes the risk landscape | Vaccine programs, stimulus packages, and regulatory relief significantly altered the risk-reward calculus during the pandemic. | Monitor regulatory and government response as a risk variable, not an assumption. Build government-dependent scenarios into contingency planning. |
These lessons extend beyond pandemic preparedness. Every emerging risk, from AI disruption to climate events, will test the same organizational capabilities: business impact analysis, disaster recovery planning, supply chain resilience, crisis communication, and executive decision-making under uncertainty.
A Four-Phase Emerging Risk Management Framework
Managing emerging risks requires a dedicated process that supplements, not replaces, the standard risk management lifecycle.
The framework below has four phases: Scan, Assess, Respond, and Monitor. Each phase maps to ISO 31000 clauses and produces specific deliverables.
| Phase | Activities | ISO 31000 Alignment | Tools / Techniques | Deliverable |
| --- | --- | --- | --- | --- |
| 1. Scan | Horizon scanning for weak signals. Monitor external environment: regulatory, technology, geopolitical, environmental, social. Engage industry networks and threat intelligence feeds. | Clause 5.4.1: Understanding context. Clause 6.3: Scope, context, criteria. | PESTEL analysis, media monitoring, Delphi surveys, industry peer benchmarking, threat intelligence platforms | Emerging risk longlist (20-30 candidates reviewed quarterly) |
| 2. Assess | Evaluate identified emerging risks using a modified assessment approach: plausibility, velocity, interconnectedness, and potential impact magnitude. Traditional likelihood x impact may not apply when data is absent. | Clause 6.4: Risk assessment (adapted for uncertainty). | Scenario analysis, expert workshops, plausibility scoring, bow-tie diagrams for causal pathways | Prioritized emerging risk shortlist (5-10 risks). Scenario narratives for top 3. |
| 3. Respond | Develop response strategies: monitor and prepare, build optionality, invest in resilience, or take pre-emptive action. Assign owners. Link to business continuity and strategic planning. | Clause 6.5: Risk treatment. Clause 6.5.2: Selecting treatment options. | Decision trees, cost-benefit analysis, BCP scenario integration, insurance review, strategic optionality mapping | Response plans for top emerging risks. Updated BCP and risk appetite statement. |
| 4. Monitor | Track leading indicators and weak signals. Reassess velocity and plausibility quarterly. Escalate risks that cross the threshold from emerging to enterprise. | Clause 6.6: Monitoring and review. Clause 6.7: Recording and reporting. | KRI dashboards, quarterly emerging risk reviews, automated news alerts, regulatory change trackers | Quarterly emerging risk report to board. Escalation triggers defined and tested. |
The critical difference from standard risk assessment is Phase 2. Emerging risks often lack the historical data needed for traditional likelihood scoring.

Replace the standard 5×5 matrix with a plausibility-velocity-impact model that captures how fast a risk could materialize and how connected the risk is to other threats in the portfolio. Scenario analysis and stress testing become the primary analytical tools rather than supplements.
Scoring Emerging Risks: The Plausibility-Velocity-Impact Model
Traditional risk matrices fail on emerging risks because they require a probability estimate that cannot be reliably produced.
The plausibility-velocity-impact (PVI) model replaces probability with plausibility and adds velocity as a dimension. Plausibility asks “how credible is this scenario?” rather than “what is the probability?”, which is a more honest framing when dealing with unprecedented events.
Plausibility-Velocity-Impact Scoring Scales
| Score | Plausibility | Velocity (Time to Impact) | Impact Magnitude | Interconnectedness |
| --- | --- | --- | --- | --- |
| 1 – Very Low | Theoretical; no credible evidence | 5+ years before material impact | Localized; single business unit affected | Isolated; no links to other risk categories |
| 2 – Low | Plausible but requires multiple conditions to align | 3-5 years before material impact | Departmental; contained within one function | Weak connection to 1-2 other risks |
| 3 – Moderate | Credible signals from industry peers or analogous events | 1-3 years before material impact | Organizational; affects multiple functions or revenue streams | Moderate connection to 3-4 other risks |
| 4 – High | Strong evidence from early adopters, regulatory signals, or scientific consensus | 6-12 months before material impact | Enterprise-wide; affects strategy, reputation, or financial stability | Strong connection to 5+ other risks |
| 5 – Very High | Already materializing in peer organizations or adjacent sectors | Imminent; 0-6 months before material impact | Existential; threatens organizational survival | Systemic; cascading effects across entire risk portfolio |
Multiply plausibility x velocity x impact x interconnectedness to produce a composite PVI score (range: 1-625). Risks scoring above 200 should be escalated to the board immediately and assigned a response plan.
Risks scoring 100-200 warrant quarterly monitoring and pre-positioned contingency plans. Below 100, include the risk on the watchlist and reassess next quarter.
This model worked in hindsight on COVID-19: by January 2020, plausibility was moderate (signals from China), velocity was high (exponential spread), impact was enterprise-wide, and interconnectedness was systemic. A PVI score would have triggered early action weeks before most organizations reacted.
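The scoring and triage rules above, applied to a small longlist, as an added example that is not part of the original article. The class and function names are illustrative, and every score except the COVID-19 row (taken from the paragraph above) is constructed.

```python
from dataclasses import dataclass
from math import prod

DIMENSIONS = ("plausibility", "velocity", "impact", "interconnectedness")


@dataclass(frozen=True)
class EmergingRisk:
    """One longlist entry, scored 1-5 on each PVI dimension."""
    name: str
    plausibility: int
    velocity: int
    impact: int
    interconnectedness: int

    def __post_init__(self):
        # Reject anything outside the 1-5 scales so a typo in a workshop
        # spreadsheet cannot silently inflate or zero out a composite score.
        for dim in DIMENSIONS:
            value = getattr(self, dim)
            if isinstance(value, bool) or not isinstance(value, int) or not 1 <= value <= 5:
                raise ValueError(f"{self.name}: {dim} must be an integer 1-5, got {value!r}")

    @property
    def pvi(self) -> int:
        """Composite score: product of the four dimensions (range 1-625)."""
        return prod(getattr(self, dim) for dim in DIMENSIONS)


def triage(score: int) -> str:
    """Map a composite score to the article's three response bands."""
    if score > 200:       # "above 200": escalate to the board, assign a response plan
        return "escalate"
    if score >= 100:      # "100-200": quarterly monitoring, pre-positioned plans
        return "monitor"
    return "watchlist"    # "below 100": reassess next quarter


def rank(risks):
    """Return (name, score, band) rows, highest composite score first."""
    rows = [(r.name, r.pvi, triage(r.pvi)) for r in risks]
    return sorted(rows, key=lambda row: (-row[1], row[0]))


LONGLIST = [
    # January 2020 view from the text: plausibility moderate (3), velocity high (4),
    # impact enterprise-wide (4), interconnectedness systemic (5).
    EmergingRisk("Pandemic disruption (Jan 2020 view)", 3, 4, 4, 5),
    # Constructed scores for illustration only.
    EmergingRisk("Deepfake-enabled fraud", 4, 4, 3, 3),
    EmergingRisk("Quantum computing threats", 2, 1, 4, 3),
    # Constructed boundary case: exactly 200 is not "above 200".
    EmergingRisk("Boundary case (constructed)", 5, 5, 4, 2),
]

if __name__ == "__main__":
    for name, score, band in rank(LONGLIST):
        print(f"{score:>3}  {band:<9}  {name}")
```

The January 2020 row scores 3 x 4 x 4 x 5 = 240 and lands in the escalation band, which matches the hindsight claim, while the constructed boundary row at exactly 200 stays in quarterly monitoring.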
Building Organizational Resilience to Emerging Threats
Emerging risk management produces its greatest value when embedded into operational resilience and business continuity management programs.
Resilience is the ability to anticipate, withstand, recover from, and adapt to disruption. The COVID-19 pandemic proved that resilient organizations share specific characteristics.
Organizational Resilience Maturity Levels
| Maturity Level | Characteristics | Emerging Risk Capability | Typical Outcome During a Crisis |
| --- | --- | --- | --- |
| Level 1: Reactive | No formal BCP. Risk management is ad hoc. No horizon scanning. Insurance is the primary risk response. | None. Emerging risks are invisible until impact. | Severe disruption. Recovery measured in months. Possible bankruptcy. |
| Level 2: Defined | BCP exists but is untested. Risk register covers known risks only. No emerging risk process. | Minimal. Awareness depends on individual champions. | Significant disruption. Recovery in weeks. Revenue loss and reputational damage. |
| Level 3: Managed | BCP is tested annually. Risk register includes emerging risk section. Quarterly horizon scanning. | Moderate. Top 5 emerging risks monitored with basic KRIs. | Moderate disruption. Plans activate within 24-48 hours. Controlled recovery. |
| Level 4: Adaptive | BCM integrated with strategy. Real-time monitoring. Scenario exercises include emerging threats. Risk appetite covers uncertainty. | Strong. PVI model in use. Pre-positioned response plans for top emerging risks. | Minimal disruption. Plans activate within hours. Organization may gain competitive advantage. |
| Level 5: Antifragile | Organization actively uses emerging risk intelligence to shape strategy, enter new markets, and build optionality. Risk creates value. | Embedded. Emerging risk insights drive investment, M&A, and strategic pivots. | Organization thrives during disruption. Market share gained from less prepared competitors. |
Moving from Level 1 to Level 3 is achievable within 90 days using the implementation roadmap below. Moving from Level 3 to Level 5 requires sustained investment in culture, technology, and leadership commitment over 12-24 months. Impact tolerance assessments and ISO 22301 certification provide structured pathways to higher maturity.

Implementation Roadmap
Launching an emerging risk management capability does not require a multi-year program. The roadmap below delivers a functional process in 90 days.
| Phase | Actions | Deliverables | Success Metrics |
| --- | --- | --- | --- |
| Days 1-30: Foundation | Appoint an emerging risk owner (typically the CRO or Head of ERM). Conduct a baseline horizon scan using PESTEL and industry threat reports. Build the initial emerging risk longlist (20-30 candidates). Select the PVI scoring model. | Emerging risk owner appointed. Baseline longlist documented. PVI scoring scales calibrated to the organization. First emerging risk briefing note to leadership. | Longlist completed. Leadership briefed. PVI model approved by risk committee. |
| Days 31-60: First Assessment Cycle | Run an expert workshop to score the longlist using PVI. Narrow to a shortlist of 5-10 priority emerging risks. Develop scenario narratives for the top 3 risks. Map connections between emerging risks and existing enterprise risks. Review BCP for emerging risk coverage gaps. | Prioritized shortlist with PVI scores. Scenario narratives (best case, base case, worst case). Gap analysis between emerging risks and current BCP/risk register. | Top 3 emerging risks have assigned owners. BCP gap analysis shared with business continuity team. Scenarios reviewed by senior leadership. |
| Days 61-90: Operationalize | Present the first quarterly emerging risk report to the board. Define escalation triggers (PVI thresholds). Integrate emerging risk monitoring into the monthly risk review cycle. Schedule quarterly emerging risk workshops. Begin developing pre-positioned response plans for the top 3 risks. | First quarterly emerging risk board report. Escalation trigger matrix. Monthly monitoring KRIs defined. Quarterly workshop calendar. Draft response plans for top 3 risks. | Board report delivered on time. Escalation triggers approved. At least one emerging risk triggers a proactive preparation action. Process embedded in the monthly cycle. |
Common Pitfalls and How to Avoid Them
| Pitfall | Root Cause | Remedy |
| --- | --- | --- |
| Treating emerging risks as a one-time exercise | Leadership requested a scan after a crisis, then abandoned the process once the crisis passed | Embed emerging risk reviews into the quarterly governance calendar. Make the process permanent, not reactive. |
| Using the same 5×5 matrix for emerging and enterprise risks | The risk function applies familiar tools to unfamiliar problems, forcing artificial probability estimates | Adopt the PVI model for emerging risks. Reserve the 5×5 matrix for enterprise risks with historical data. |
| Producing a watchlist with no response plans | The scan identifies 30 emerging risks but no resources are allocated to prepare for any of them | Narrow to a shortlist of 5-10. Require pre-positioned response plans for the top 3. Budget a small contingency fund. |
| Ignoring interconnectedness between emerging risks | Each risk is assessed in isolation, missing cascading scenarios (e.g., pandemic + supply chain + cyber attack simultaneously) | Score interconnectedness as a PVI dimension. Run combined scenarios that stress-test overlapping risk events. |
| No link to business continuity and disaster recovery | Emerging risk sits in the ERM function while BCP sits in operations; neither team talks to the other | Require the emerging risk shortlist to feed directly into BCP scenario planning. Include emerging risk scenarios in annual BCP exercises. |
| Waiting for certainty before acting | Leadership defers action because the risk has not materialized yet, defeating the purpose of early detection | Frame response as optionality, not commitment. Pre-positioned plans cost little to maintain but save enormous time and money if the risk materializes. |
Looking Ahead: The Emerging Risk Landscape 2025-2027
The ORX 2026 study confirms that the risk horizon is closer, faster, and more interconnected than at any point in recent history.

Cyber risk remains the top-ranked emerging risk category, but AI governance is climbing rapidly as organizations move from AI experimentation to production deployment. The 2026 ProSight CRO Survey found that 54% of respondents have already adopted AI in production, yet 26% say their risk management framework is too immature to govern AI properly.
Climate risk is transitioning from an emerging risk to an enterprise risk in many sectors, driven by expanding ESG disclosure requirements and the rising frequency of climate-related disasters.
Organizations that have not yet integrated climate scenarios into their risk assessment process and business impact analysis will face regulatory, operational, and reputational consequences.
Third-party risk continues to expand. Verizon’s 2025 DBIR found that breaches involving a third party jumped to 30%, double the prior year. Third-party risk management must now include AI vendor risk assessments as organizations inherit model risk, data risk, and bias risk from their technology vendors.
The organizations that will navigate the next decade successfully are those that build a permanent emerging risk capability, not a crisis-triggered reaction.
The pandemic proved that the cost of preparedness is a fraction of the cost of improvisation. Apply that lesson to every emerging risk on the horizon, and you shift from hoping the next disruption does not happen to being ready when the next disruption happens.

References
1. ISO 31000:2018 Risk Management Guidelines — International Organization for Standardization
2. COSO Enterprise Risk Management Framework — Committee of Sponsoring Organizations
3. The Future of Risk: How Global Trends Are Reshaping Risk Management — McKinsey & Company, 2025
4. Emerging Risks in Audit & Risk Management, 2026 — Gartner
5. Operational Risk Horizon 2026 — ORX
6. 2026 ProSight CRO Outlook Survey — ProSight Financial Association / Oliver Wyman
7. The State of Enterprise Risk Management, 2025 — Forrester Research
8. Cost of a Data Breach Report 2024 — IBM Security
9. Emerging Trends in Risk and Compliance 2026 — Moody’s
10. 2025 Data Breach Investigations Report — Verizon
11. NIST Cybersecurity Framework 2.0 — National Institute of Standards and Technology
12. ISO 22301:2019 Business Continuity Management — International Organization for Standardization
13. Preparing Your Risk Management Program for 2026 — Sedgwick
14. Enterprise Risk Management Trends 2026 — Face The Risk

Chris Ekai is a Risk Management expert with over 10 years of experience in the field. He has a Master’s (MSc) degree in Risk Management from the University of Portsmouth and is a CPA and Finance professional. He currently works as a Content Manager at Risk Publishing, writing about Enterprise Risk Management, Business Continuity Management and Project Management.
