Determining what is an emerging risk can be a very difficult prospect for organizations trying to get ahead of bad things that may be coming their way. The definition of “emerging” does little to help us in this regard, stating simply that something is “becoming apparent, obvious.” What is undefined is when a risk becomes apparent or even what it means to have something (specific to cybersecurity) become clearly visible enough to call it obvious. It is also somewhat contradictory to define emerging risk as becoming obvious when obviousness has (or should have) a binary state.
Looking instead to other published lists of emerging risk does little to define the practice of creating and managing emerging risk. Such lists far too often show blatantly obvious things or more often reflect things in the zeitgeist. Even our closest neighbor to cyberrisk—operational risk—produces these lists without much substance. One large operational risk consortium’s January 2019 emerging risk list was published alongside a list of top risk compiled from survey responses (another popular way to compile such lists). Their current top 5 risk factors were: information security (including cybersecurity), conduct, fraud, transaction processing, and technology. Interested in what they called emerging? The list includes: digital disruption and disintermediation, information security (including cybersecurity), geopolitical and macroeconomic, regulatory compliance, and third party.
I included the full lists here because categorically, one could argue that much of cybersecurity can be said to be responsible for much of these areas. While we could debate the relevance of all the items on this list, of particular interest is how one could list information security as both a top risk and an emerging risk. Clearly, we are an industry struggling to provide prioritization in ways that we do not yet understand fully.
All risk analysis has a prospective quality to it; we are never talking about incidents currently under management. Our risk analyses are always about the future state and priority making that needs to occur to ameliorate bad outcomes. Emerging risk analysis requires that we push ourselves out further than that. It does necessitate that we adopt precepts of “future studies” or “futurology” to create the best risk products for our organizations. This type of approach has a clear creative flair; it requires imagining things that have not yet come to pass. Sure, one could list blockchain as an “emerging risk,” but a futurist will predict the fall of public accounting. How you apply this in your organization is to find a place somewhere between the absurdity of science fiction and the foolishness of telling everyone what is already here is “the future.”
Instead, building a good emerging risk product requires a focus on a couple of key components. The first is a solid view of timeline. This means that you must clearly identify when this risk will come into play. This should be more than 1 year out at a minimum; anything less is more of a tactical concern. As always, since we are talking about the future, ranges are necessary for accurately representing timelines and the inherent uncertainty therein.
The second is a clear definition of what an instantiation of an emerged risk looks like. For instance, a popular emerging risk right now is cyberwarfare. Precise definitions of cyberwarfare are varied; however, international law requires some kinetic action to constitute “warfare.” Under this definition, only a small handful of historical events even come close. (Most of what the popular press refers to as cyberwarfare is really espionage or just plain criminal behavior). Regardless, you may find it helpful to craft a specific definition for your organization. For example, cyberwarfare may be on your emerging risk list, but only as it pertains to the healthcare industry, for example. Such narrowing of the scope allows you to define specific indicators that enable you to monitor the landscape for this emerging risk.
Speaking of which, it is important to maintain good key risk indicators (KRIs) for emerging risk. They should be tailored to the definition outlined using the previous guidelines for your organization and specific enough for you to trigger some follow-up activity. It is important to expect these KRIs to have little to no changes for quite some time, as they are measures of events that may ultimately never come to pass. The organization should not panic if a particular emerging KRI is 0 for months or years at a time.
The last component of a good emerging risk product is to clearly articulate what happens when a risk entry comes to pass. If that cyberwarfare event does target your industry and it is very much a current event, what do you expect the organization to do? This has both a strategic and an administrative element to it. There should be some risk response planning that happens so that the control environment is suitable to withstand this new attack. Further, there needs to be some formal retirement of the entry in the emerging risk list and it should find a new home somewhere else such as the organizational risk register, for proper adjudication and treatment. Or if it is determined that an emerging risk can no longer happen, a risk can be retired and removed without a corresponding new risk entry in the register.
Overall, this process and the emerging risk documentation should be reviewed at regular intervals and at least once annually. Following these guidelines will help ensure that the emerging risk product you create is not a duplicate of your existing risk register and helps focus your organization's perspective out into the future.
Jack Freund, Ph.D., CISA, CRISC, CISM, is director, cyberrisk management for TIAA, member of the Certified in Risk and Information Systems Control (CRISC) Certification Working Group, coauthor of Measuring and Managing Information Risk, 2016 inductee into the Cybersecurity Canon, IAPP Fellow of Information Privacy, and ISACA’s 2018 John W. Lainhart IV Common Body of Knowledge Award recipient.