Deep Dive: Navigating Complexity with ISO/TS 31050 and the Risk Intelligence Cycle
Advanced Risk Management
While ISO/IEC 27005 provides the structural mechanics for assessing known information security risks, modern organisations increasingly face threats that defy standard historical modelling. Cyber-physical convergence, algorithmic disruption, and macroeconomic volatility generate uncertainties that cannot be quantified using traditional probabilistic models. To address this profound gap, ISO/TS 31050:2023 provides highly specialised guidelines for managing emerging risks and enhancing organisational resilience.
The Nature of Emerging and Systemic Risks
Emerging risks are primarily characterised by their novelty, a lack of historical data, and an absence of verifiable knowledge essential for traditional decision-making. These risks operate amidst conditions of extreme uncertainty, volatility, complexity, and ambiguity. They often stem from unrecognised shifts in an organisation's internal or external environment, disruptive technological breakthroughs, or the sudden transformation of familiar risks into unfamiliar contexts where existing knowledge becomes obsolete.
Because emerging risks lack a history of occurrence, organisations cannot rely on actuarial data or standard frequentist models (e.g., assessing the probability of a server failure based on a decade of logs) to assess likelihood or consequence. Attempting to apply legacy quantitative methodologies to these phenomena results in a false sense of security and severe exposure to extreme outlier events. The characterisation of emerging risks is heavily dependent on understanding time-dimension elements. Analysts must focus on the velocity of change, the rate of risk development, and the critical lead time between a subtle contextual shift and the sudden manifestation of a catastrophic threat.
Enhancing Organisational Resilience
The ultimate objective of managing emerging risks through the intelligence cycle is not merely to avoid loss, but to fundamentally enhance organisational resilience. ISO 31050 defines resilience as the ability of an organisation to absorb, recover, and adapt in a changing context.
Resilience relies on three deeply integrated capabilities. Anticipation requires foresight to prepare for unexpected events and to identify fleeting opportunities. Resistance and recovery involve the capacity to absorb stress and return to normal operations, going beyond mere functional maintenance to rapidly restore core value streams. Adaptation represents the pinnacle of resilience: the ability to engage in transformative activities to capitalise on disruptive events, ensuring that post-event functionality actually exceeds pre-existing conditions.