The job of the insurance industry is inherently about managing risks, but the nature of the risk environment is evolving. Traditional risk management frameworks, which have served the industry well for decades, are increasingly being challenged by emerging risks and the evolution of these risks in a world undergoing structural changes. It is a world where systemic influences are crossing geographies, societies and organisations, and where we are entering unchartered territories on numerous fronts. Risks arising under these conditions are characterised by their complexity, interconnectedness and uncertainty, and their ability to exacerbate and accelerate the traditional risks we are more familiar with.

For decades Milliman has supported organisations in understanding and managing complex risks. Throughout this experience, we have observed many insurance companies encounter challenges when trying to effectively manage emerging risks. In this article, I highlight the top five reasons insurers may struggle with these risks and offer suggestions for improving risk management strategies and enhancing organisational resilience.

1. Rethink how traditional risk management techniques are applied to emerging risks

Traditional risk management frameworks frequently fail to capture the dynamic nature and tipping points of emerging risks. Therefore, trying to force these risks into traditional structures is unhelpful. These frameworks are inherently reductionist in design, breaking risks down into buckets and then adding them back together with the belief that we can infer something meaningful from the overall picture. While this approach somewhat works for the types of insurance risks that companies actively accept, mostly due to the availability of data and the ability to assign probability distributions and correlations, this does not work for risks where data is lacking or non-existent. This lack of data makes forecasting impossible. Furthermore, the resulting impacts cut across traditional risk taxonomy categories in non-linear ways which could result in outcomes that are greater than the sum of their constituent parts.

This was starkly evidenced by the COVID-19 pandemic, which highlighted how risks that appear to be on the distant horizon due to lack of historical data can suddenly become an immediate threat, disrupting global markets and economies. Pre-2020, many insurers interpreted pandemic risk as a business interruption issue requiring employees to work from home for a brief period, failing to appreciate the wider economic and long-term consequences, the implication being that severity and interconnectedness was not well understood. Additionally, those insurers that had pandemic risk on a risk register may have assigned a rare frequency measure to a pandemic event, perhaps a 1-in-100-year event, but at what point does this approach provide an indication of an imminent disaster which requires action? Probably too late to do anything meaningful about it.

Instead of focusing on predictive efforts, which are often hampered by cognitive biases, lack of data and the unprecedented nature of emerging risks, companies should adopt explorative qualitative scenarios. These scenarios should recognise the possibility that numerous futures could emerge from current conditions, driven from known or unknown trends and events for which no probability distribution exists. The point of these scenarios is to help senior management explore the implications for the organisation if something similar were to happen. Would you have seen it coming? What low-cost, no-regret actions can be taken now to improve your resilience should something like this happen?

2. Broaden your focus to include wider trends rather than narrowly defined emerging risk events

Insurance companies often start emerging risk exercises by focussing too narrowly on a very detailed emerging risk crystalising in a very specific way—for example a cyber-attack resulting in loss of data, and potentially the payment of a ransom and a GDPR (General Data Protection Regulation) fine. However, by adopting this approach broader trends are often missed, as well as interactions between various factors. This approach also biases all future scenarios to this specific case that is now easier to recall. Consequently, organisations never develop an appreciation for the numerous ways in which a cyber-risk event could develop in reality, limiting the time offered to react to warning signs.

Rather, it is crucial to understand wider trends and systemic interactions, and instead narrow down the number of possible pathways by considering only those that could impact an objective the organisation actually cares about—for example, understanding that cyber-attacks increase during times of geopolitical conflict¹ and that targets include infrastructure; another angle in terms of cyber risk is that insurance companies may just be collateral damage in a wider event. This puts a different lens on what an organisation can do to remain resilient to cyber threats.

By first developing an appreciation of the wider context and interactions, we can then move into very specific scenarios by dressing up the general risk skeleton in different specific outfits. This broader perspective can help identify how different risks interact, emerge and evolve, leading to more effective risk management strategies, warning metrics and actions to improve resilience. It also enables new information to be included in a more agile way, making the process a lot more dynamic. After all, emerging risks are dynamic, so applying an approach that explores the same risk in a constant way will not be effective.

3. Diversify and increase the frequency of scenario analysis exercises

Related to the previous point, it is not uncommon for insurers to define one or two very specific emerging risk scenarios and then simply update these same scenarios year after year. This approach is problematic because it assumes that emerging risks will manifest in predictable ways, which is rarely the case. In a complex system, risks emerge as a result of the interactions between underlying factors; therefore it is very difficult to know with any certainty what the outcome will be. Emerging risks are inherently uncertain and dynamic, making static scenarios insufficient for effective risk management.

To manage emerging risks effectively, insurers need to conduct frequent and diverse scenario analyses. This means regularly updating scenarios and examining them from multiple angles. In the cyber example within the previous point, this means exploring what a direct attack could look like but also exploring what an indirect or wider infrastructure event could mean. By doing so, insurers can capture a broad range of potential developments and interactions, which helps in developing an understanding of how a risk could evolve and how prepared we are for different outcomes.

A key principle in managing emerging risks is that they should be examined from more than one perspective. Different angles can reveal trends, warning signs and interactions that may not be visible when looking through a single lens. Ignoring this can lead to ‘predictable surprises’² —events that could have been anticipated if the right information had been considered but were overlooked due to a narrow focus, insufficient prioritisation or lack of mobilisation.

4. Develop effective key risk indicators to anticipate emerging risks

Effective emerging risk management requires the use of well-defined and joined-up key risk indicators (KRIs) that can provide an early indication of when an emerging risk is developing, allowing insurers enough time to react. Setting individual KRIs in isolation is not sufficient because it fails to capture the interconnected nature of emerging risk. A collection of KRIs in a green or amber state, for instance, could be masking a potential tipping point, suggesting that the next update could show all indicators in red and a missed opportunity to pre-emptively manage the situation. Therefore, monitoring KRIs collectively can help companies anticipate and respond to emerging risks more proactively.

The aim of emerging risk KRIs is to alert organisations when conditions have changed and to do so in good time to allow for effective action. For most emerging risks, it is unclear if anything can be done immediately, especially for those requiring a cross-industry response. However, the value lies in the early identification and assessment of these risks, enabling organisations to initiate discussions, assign clear ownership and develop actionable deliverables.

Exploring scenarios is crucial for understanding what to look out for. By identifying potential pathways through which emerging risks could emerge and the conditions under which they might develop, organisations can establish relevant KRIs that signal when those conditions are materialising. This proactive approach could enable companies to act before risks fully manifest.

5. Explore opportunities alongside managing risks

Emerging risk frameworks often concentrate exclusively on identifying and mitigating risks, but this narrow focus can cause companies to miss out on the potential opportunities that arise from emerging trends. By broadening their perspective to include opportunities, insurers can not only protect themselves from potential threats but also position themselves to capitalise on new developments.

The rise of artificial intelligence (AI) presents both significant risks and opportunities for the insurance industry. As AI becomes increasingly prevalent, insurers can harness its capabilities for operational efficiency and improving customer experiences. By utilising AI for data analysis for example, insurers can offer personalised insurance plans and optimise risk assessment processes, particularly benefiting demographics that have been previously underserved. Insurers who recognise and act on these opportunities early can develop innovative products that meet the market's evolving needs, thereby gaining a competitive advantage. Additionally, being more prepared than peers for an emerging risk is also an opportunity. There are some emerging risks that are systemic and cannot be avoided; however, by using the techniques described above to act and develop organisational resilience, you may be able to outperform competitors during unprecedented events, relatively speaking.

Moreover, by focusing solely on risks, companies might develop a culture of fear and caution, which can stifle innovation and creativity, and lack senior buy-in. In contrast, a balanced approach that considers both risks and opportunities can foster a more dynamic and forward-thinking organisational culture. This balance encourages employees to think creatively about how to leverage emerging trends for competitive advantage while remaining vigilant about potential threats.

Conclusion

The overarching theme across all five points above is action. Developing an emerging risk register as a record of potential threats is not sufficient to effectively manage emerging risks. Managing emerging risks requires a shift from traditional risk management techniques to more dynamic and comprehensive approaches which aids decision-making and then taking action. By addressing common pitfalls such as over-reliance on outdated frameworks, narrow focus on specific events, infrequent scenario analyses and neglecting effective KRIs, insurers can better navigate the complexities of the modern risk landscape and identify possible mitigations. Additionally, by recognising and capitalising on the opportunities that emerging trends present, companies can foster innovation and maintain a competitive edge when faced with disaster. Embracing these strategies will not only enhance organisational resilience but also ensure that insurers are well-prepared to face and take advantage of the uncertainties of the future, and not be left saying ‘But it was on our risk radar!’

¹ Cyber attacks: What the hack. S&P Global. Retrieved 1 April 2025 from https://www.spglobal.com/en/research-insights/market-insights/geopolitical-risk/cyber-attacks.

² Watkins, M.D., & Bazerman, M.H. (2023 April). Predictable surprises: The disasters you should have seen coming. Harvard Business Review. Retrieved 1 April 2025 from https://hbr.org/2003/04/predictable-surprises-the-disasters-you-should-have-seen-coming.