What is Emerging Risk?



In traditional risk, historical loss data allow risk professionals to build credible risk models. Past experience is a proxy for future behaviour. Loss histories, actuarial patterns, and empirical correlations provide a degree of predictability that allows firms to quantify exposure, allocate capital, and design effective controls.

Emerging risks operate outside this universe. They involve evolving technologies, regulatory transitions, geopolitical tensions, behavioural shifts, and environmental transformations. There is no sufficient loss history, no stable frequency distribution, and no validated severity model. Their characteristics are dynamic, shaped by innovation cycles, public sentiment, political decisions, and complex feedback loops. The underlying system that generates risk is itself changing while it is being observed, which invalidates assumptions and renders traditional statistical inference unreliable.

The operating model for managing emerging risks must be designed around three mutually reinforcing capabilities: horizon scanning, anticipatory assessment, and adaptive response.

Horizon scanning is the disciplined process of detecting early indicators of change across technological, regulatory, geopolitical, behavioural, and environmental domains.

It is a structured intelligence process that synthesises weak signals from diverse sources such as scientific research, supervisory consultations, court judgments, enforcement trends, market anomalies, and cultural or demographic shifts.

It draws on draft legislation, court opinions, emerging enforcement patterns, shifts in supervisory tone, data analytics, and external advisory reports to identify early warnings that traditional key risk indicators cannot yet quantify. The outcome of horizon scanning is preparedness: the early recognition of subjects and challenges that may evolve into material risks, allowing leadership to consider options before circumstances dictate the responses.

Anticipatory assessment converts these signals into structured hypotheses about potential consequences, transmission channels, and control vulnerabilities. It requires a shift from measuring probabilities to exploring plausible futures. This capability draws on stress testing scenarios and expert elicitation, not on quantitative models.

The objective is to describe how an emerging trend could translate into operational disruption, legal liability, regulatory breach, or reputational harm, and to test the resilience of governance structures against those scenarios.

Adaptive response is the capacity to translate foresight into decisive and coherent action under conditions of ambiguity.


Emerging risks include:

1. Artificial Intelligence and Algorithmic Governance. AI has moved from experimentation to critical infrastructure. Algorithms influence credit, employment, trading, and surveillance decisions, and often operate without transparency. Regulators are pressing for explainability, fairness, and accountability, raising complex issues of causation and responsibility. For risk and compliance professionals, model documentation and governance increasingly have legal weight comparable to financial reporting. Bias, data provenance, and opaque decision chains can lead to enforcement actions or litigation for discrimination, misrepresentation, or breach of fiduciary duty. Boards must integrate AI oversight into governance structures and ensure that human accountability remains traceable when outcomes are delegated to machines.

2. Cyber Resilience. As institutions consolidate operations through global cloud and software providers, operational resilience becomes a systemic challenge. Outages, ransomware, and state-backed cyber operations increasingly propagate through shared technology layers. Regulatory frameworks demand demonstrable continuity of critical functions. A single service interruption can escalate into regulatory breaches, financial loss, and reputational collapse across jurisdictions.

3. Quantum Computing and Cryptographic Vulnerability. Quantum computing threatens foundational assumptions. Once commercially viable, quantum processors will be capable of breaking widely used encryption standards, exposing stored data and historical transactions. The transition to quantum-resistant cryptography requires years of planning, inventorying, and reengineering. For risk and compliance professionals, this raises immediate questions about the adequacy of current controls under due diligence standards, as adversaries may already be capturing encrypted communications for future decryption. Contractual warranties and representations regarding “state-of-the-art” security may prove indefensible when quantum threats materialise.

4. Synthetic Media, Deepfakes, and Digital Identity Manipulation. Advances in generative AI enable the creation of synthetic images, voices, and documents that undermine traditional verification mechanisms. Fraud, market manipulation, and disinformation campaigns are increasingly powered by indistinguishable fake content. For risk and compliance officers, this challenges the integrity of KYC (know your customer), due diligence, and evidence-gathering processes.

5. Climate Transition and Litigation Risk. The climate crisis has entered the courtroom and the boardroom. Transition plans, sustainability disclosures, and green claims are now legally testable statements. Regulators and investors expect that governance structures integrate climate competence and that risk assessments address both physical and transition scenarios. Misstatements or inconsistencies between public disclosures and internal deliberations can trigger allegations of misrepresentation or director negligence. The challenge is to embed credible, data-driven climate governance that aligns strategic intent with legal and fiduciary accountability.

6. Supply Chain Fragility and Geoeconomic Fragmentation. Supply chains are being reshaped by sanctions, trade restrictions, and geopolitical decoupling. Critical materials, technologies, and logistics nodes are potential points of systemic failure. Compliance functions must navigate dual-use regulations and environmental due diligence obligations. Legal exposure extends to failure to exercise adequate oversight across subcontracting tiers, particularly where regulatory regimes impose extraterritorial reach.

7. Data Privacy, Sovereignty, and Regulatory Conflict. The global regulatory landscape for data protection has fragmented into competing jurisdictions asserting sovereignty over digital assets and personal data. Cross-border transfers are increasingly constrained by conflicting legal regimes, invalidated adequacy decisions, and localisation mandates. The result is operational friction and legal uncertainty that challenge compliance with fundamental principles such as lawfulness, transparency, and purpose limitation. Boards must anticipate data-related disputes and enforcement beyond administrative fines, including reputational damage and personal accountability for executives under emerging national security–linked data laws.

8. Space Infrastructure Dependency and Orbital Risk. Economic and security infrastructures are becoming critically dependent on satellite networks for navigation, communication, and monitoring. Space congestion, debris proliferation, and militarisation of orbit create exposure beyond the reach of current insurance and liability frameworks. Legal regimes must face technological reality, dealing with uncertain attribution in the event of collisions, jamming, or cyber interference.

9. Biotechnology, Biosecurity, and Genetic Data Governance. Synthetic biology and genetic data analytics are transforming healthcare, agriculture, and security, but they also blur ethical and regulatory boundaries. Dual-use technologies capable of beneficial innovation can also be weaponised or exploited. Legal frameworks struggle to define ownership, consent, and permissible use of genetic data across borders.

10. Societal Polarisation. Information manipulation and ideological fragmentation have become drivers of operational and reputational risk. Corporations, regulators, and critical infrastructure operators face targeted campaigns designed to erode legitimacy, destabilise markets, or provoke regulatory intervention. Legal exposure arises when misinformation triggers investor loss, consumer harm, or discriminatory outcomes. Risk professionals must treat disinformation as a vector for systemic instability requiring cross-functional coordination.

11. Autonomous Decision Systems. The emergence of autonomous decision systems raises profound governance and liability challenges. When systems act independently of direct human oversight, attribution of fault, intent, and responsibility becomes ambiguous. Contractual structures, insurance coverage, and regulatory standards are not yet equipped to handle self-modifying or learning systems operating at scale. Legal and compliance officers will need to redefine accountability frameworks, ensuring traceability, explainability, and human control remain embedded in system design and oversight.

12. Cognitive Security and Human Manipulation. Cognitive security is the protection of human perception, judgment, and decision-making processes from manipulation, distortion, or exploitation. It involves psychology and information warfare, addressing threats that target not systems but the human mind, which is the ultimate endpoint in any security framework. In this domain, the adversary’s objective is not to destroy data or infrastructure but to shape beliefs, decisions, and behaviours in ways that serve strategic, political, or financial interests.

Emerging risks define a new operating environment, one that requires organisations capable of anticipating uncertainty, reconciling regulatory conflicts, and demonstrating to stakeholders that foresight, integrity, and resilience remain central to corporate conduct.


Learning from the Annual Reports

Emerging Risks, from the Annual Report, Lloyds Banking Group plc

EMERGING RISKS

Horizon scanning and emerging risks are important considerations for the Group, enabling our business to identify the most pertinent risks and opportunities and respond through our strategic planning and long-term risk mitigation framework.

Internal working groups have been established to regularly scan the horizon and identify emerging risks. This is supplemented by consultation with external experts, to gain an external context, ensuring broad coverage.

Progress has been made this year on a data-driven approach, piloting a methodology for interrogating industry news and other external data sources, using available technology to further expand our insight. It is intended to develop this further in 2022, to incorporate more sophisticated technology and innovation practices.

In many cases, the Group’s most notable emerging risks are aligned with the themes identified. These emerging risks themes raise questions in respect of our participation choices, HR policies, recruitment and retention strategies in response to the changing socio-economic, competitive and technological landscape.

Background and framework

Understanding emerging risks is an essential component of the Group’s risk management approach, enabling the Group to identify the most pertinent risks and opportunities, and to respond through strategic planning and appropriate risk mitigation.

Although emerging risk is not a principal risk, if left undetected emerging risks have the potential to adversely impact the Group or result in missed opportunities.

Impacts from emerging risks on the Group’s principal risks can materialise via two different routes:

• Emerging risks can impact the Group’s principal risks directly in the absence of an appropriate strategic response.

• Alternatively, emerging risks can be a source of new strategic risks, dependent on our chosen response and the underlying assumptions on how given emerging risks may manifest.

Where an emerging risk is considered material enough in its own right, the Group may choose to recognise the risk as a principal risk.

Recent examples of this include climate risk and strategic risk. Such elevations are considered and approved through the Board as part of the annual refresh of the enterprise risk management framework.

Risk identification

The basis for risk identification is founded on collaboration between functions across the Group. The activity incorporates internal horizon scanning and engagement with external experts to gain an external context, ensuring broad coverage.

This activity is inherently linked with and builds upon the annual strategic planning cycle and is used to identify key external trends, risks and opportunities for the Group.

The Group is evolving its methodology in respect of the identification and prioritisation of emerging risks. 2021 saw the development of a quantitative risk assessment methodology for understanding the connectivity of strategic risk. Drawing on this methodology and findings, we have expanded our insights by considering the emerging risks that relate to macro strategic risk themes.


Notable emerging risks and their implications

The Group considers the following emerging risk themes as having the potential to increase in significance and affect the performance of the Group. These risks can align to one or more of the Group’s macro strategic risk themes (detailed in the risk overview section on page 51) and are considered alongside the Group’s operating plan.

Breakdown of the EU - Wide-ranging risks associated with dissolution of the European Union, with member states choosing to function independently.

Climate change transition risk - Risks arising from the Group's participation choices, policies and investments to support transition to a zero carbon economy and its ability to meet published climate targets.

Data-driven propositions - Harnessing real-time data, emerging technologies and communication channels, to meet consumer appetite for bespoke products and services.

Digital currencies - Risks and opportunities posed by introduction of new, or wider adoption of existing, digital currencies, associated supporting infrastructure and subsequent management.

Evolving regulation - Changing regulatory standards and possibility of retrospective application, driving reputational damage, fines, litigation and remediation activity.

Future pandemics and the world’s ability to respond - Economic, political, social and technological impacts caused by mutations of existing viruses, new viruses, or resistance to treatments for existing illnesses.

Inequality and changing demographic - Widening wealth and opportunity gap, increasing diversity and changing age mix within society, resulting in changing demands on banking.

Long term impact of the UK’s exit from the EU - Long-term macro-economic, regulatory and social impacts on the UK as a result of the UK’s exit from the EU.

Modern skills and recruitment diversity - Diversification of recruitment approach in respect of candidate backgrounds, skills and avenues of attainment, to adapt to a modern technology-driven landscape.

Pace of technological change - Ability to keep pace with accelerating technological change, evolving technology landscape, changing customer expectations and new product and service propositions.

Populism, de-globalisation and supply chains - Disenfranchisement driving geopolitical tensions between states, diminishing integration and adverse effects on supply chains.

Science, technology, engineering and mathematics (STEM) qualification supply vs demand - Risks posed by the balance of STEM degree qualification in the UK lagging behind the accelerating demands for STEM qualified candidates in the workforce.

Scottish independence - Wide-ranging consequences arising from the movement for Scotland to become a sovereign state, independent from the United Kingdom.

Ways of working - Ability to provide a colleague proposition enabling flexible location and agile working, aligning to individual requirements, together with associated risks of such arrangements (e.g. Operational, People and Data risk).



Contact IARCP


Lyn Spooner
lyn@risk-compliance-association.com

George Lekatis
President of the IARCP
1200 G Street NW, Suite 800, Washington, DC 20005, USA
(202) 449-9750
lekatis@risk-compliance-association.com
