Emergent Risk & Board Governance

Emergent Risk and the Board: Why Your Risk Framework Can't See What's Coming

The tools designed for complicated risks produce false confidence in a complex world. Here's what directors need to see, and why the human dimension determines whether your organisation adapts or freezes.

Joanne Flinn · Thinkers50 Radar 2026 · Chair, ESG Institute

The Landscape

What emergent risk is, and why your risk committee can't see it

Risk committee time. The register is current, the heat map is on the screen. Cyber, regulatory, supply chain, climate, geopolitical; each one categorised, rated, owned.

Yet around the table there is silence. You can almost hear them think.

We keep adding risks to this register. But the one that just actually hurt us — with a $3 million price point — wasn't there.

Compliant. Covered. The numbers work. So why does none of this feel like it adds up?

The process is thorough. Yet I just can't tell whether we're actually ready.

Traditional risk registers, by design, cannot hold what is happening at the moment. At the cutting edge, the risk profession knows this. It is why they published ISO/TS 31050:2023 as a complement to ISO 31000.

The new risks are emergent: arising from conditions not yet recognised, from new combinations of existing forces, or from changes so interconnected that they behave as systems rather than events. Because they are new, different, and not well measured, the traditional hindsight-based risk processes are challenged.

Risks that emerge in this current world need a new risk intelligence cycle. One with an external scan. One that picks up on small signals, precursors to system changes and tipping points. And one that is future-oriented, not past-oriented.

ISO 31050 alone isn't enough, for two reasons. First, there is more to the human dimension than stated. Second, it assumes that emerging risks are temporary: that with enough scanning, data, and process, they eventually become known, manageable and conventional. That assumption may not survive contact with the current moment.

ISO 31050 provides a process architecture for emerging risk but does not provide the content, the instruments, or the human dimension diagnostic that directors need.


Where your risk frameworks fail on emerging risk

In this fast-moving, systems-colliding, emergent risk world, you can see the challenge distilled into two phrases: less certain, and changing and cascading faster than ever.

Look at your approach. Does it fall into one of these camps?

A Process-Heavy Framework

Tells directors how to scan, how to govern, how to report, but never what to scan for. Excellent governance architecture. An empty scanning brief. The building code is immaculate. Nobody lives in a building code.

A Data-Heavy Platform

Excellent at delivering information, but not interpretation. ESG ratings, carbon analytics, scenario models. More data than any previous generation of leaders. And no way to distinguish which signals matter for their specific portfolio, their specific exposures, their specific organisational readiness.

On their own or together, neither produces the thing directors actually need.

Risk intelligence today requires three lenses working simultaneously: what is coming at the organisation, what is happening inside it, and what it signals to the world around it.

Outside-In

Reads the forces bearing down: regulatory shifts, market transitions, planetary boundaries tightening.

Inside-In

Reads what is happening within, to your ability to deliver value. Capability erosion, cultural drift, the gap between stated values and lived decisions.

Insight-Out

Reads what the organisation signals to stakeholders, communities, and markets, and how those signals loop back to shape internal culture and capacity.

Emergent risk lives in the interactions between these three lenses. A regulatory shift (Outside-In) meets a workforce taught to comply rather than adapt (Inside-In), and the organisation's public commitments collapse under scrutiny (Insight-Out). No single lens catches the cascade. No traditional risk register built for isolated risks can hold it.


How emergent risks link to financial exposure

When emerging risks start flowing through a business model, they translate into financial exposure through six specific channels. Research across 20 stock exchanges and over 900 companies identifies them:

Cost of Capital

Rises as sustainability risk increases borrowing costs.

Performance Premium

Lost when environmental factors go unmanaged and cut margin.

Hidden Erosion

Accumulates when transformation programmes fail on the human side, not the technical side.

Catastrophic Events

Includes the withdrawal of insurance, a catastrophe without the catastrophe. Destroys value without warning.

Human Capital

Degrades as capability gaps widen and discretionary effort withdraws through stress and technology disruption.

Regulatory Compliance

Exposure tightens as disclosure frameworks vary or converge globally.

The channels are quantifiable.

Bloomberg data [1]: 22 basis points of additional financing cost per 10-point increase in sustainability risk. A 650 basis point performance gap over a decade between companies that manage environmental factors and those that do not. Researchers from the University of Oxford's Saïd Business School [2] estimate a quarter of investment in transformation programmes is at risk from underinvesting in the human dimension.

From the perspective of transition readiness: there is effectively zero correlation between an organisation's ESG rating or its disclosure compliance and its actual transition readiness. Traditional proxies are no longer adequate.

Why the Risk Landscape Is Alive

Why emergent risk stays emergent

ISO 31050 and the broader risk management tradition treat emerging risks as complex but ultimately containable. With enough scanning, data, and process, the thinking goes, you bring emerging risks into the known-risk framework where they can be categorised, rated, and managed conventionally. This works for complicated systems: systems with many parts that behave predictably once you understand the mechanics.

If that assumption is wrong, so is everything built upon it.

The risks directors face with climate disruption, AI transformation, regulatory divergence, and supply chain reconfiguration have properties of what is called a complex adaptive system. The parts interact. Points tip. Behaviour emerges that no component predicted. The system adapts to interventions, including the intervention of trying to manage it.

Then the second layer of complexity arrives: the human dimension.

Cognitive bias

Distorts which signals get attention.

Cultural inertia

Delays response long after the evidence is clear.

Threat response

Freeze, flight, fight, in that neurobiological order, shuts down the adaptive capacity that emergence demands.

And then there is the recursive loop that amplifies everything: the signal the organisation sends about human value shapes the culture, the culture shapes discretionary effort, and discretionary effort determines whether the organisation can adapt at all.

This is what makes emergent risk wicked-wicked. The first wicked: the problem resists resolution. The second: the human system responding to it is part of what generates it.

Risk intelligence operates in a reality where risk does not converge toward "known." Emergent risk stays emergent because the human system and the business system responding to it are part of the system generating it.

When investment pours into technology and human readiness gets hope and a cut in the training budget, the imbalance shows up. When one gets too far ahead of the other, risks increase and value erodes. This is the Gyroscope framework, presented at the AI for Developing Countries Forum at the United Nations in Bangkok.

In a wicked-wicked world, the tools designed for complicated risks produce false confidence in a complex world. Directors who rely solely on process-driven frameworks are governing with instruments calibrated for a world that no longer exists.


[Diagram: complicated systems, which are predictable and converge toward known risk, compared with complex adaptive systems, where risk stays emergent because the human and business systems responding to it are part of the system generating it.]

Five governance indicators for the human dimension

If the human dimension amplifies every other risk on the register, then the board's question is not whether human readiness matters. It is whether the board can see it, assess it, and govern it.

Five governance indicators determine whether an organisation's people will sustain their capacity to adapt, or quietly do exactly what is asked and nothing more, or even lie flat: honesty, visibility, recognition, agency, and progress.

01 Honesty

Has the organisation communicated honestly about change and its impact on roles, including the uncertainties? People absorb difficult truths. What destroys adaptive capacity is the suspicion of being managed.

02 Visibility

Is investment in human readiness proportionate, in seriousness not just budget line, to investment in technology? The workforce reads the budget, not the speech.

03 Recognition

Does the organisation recognise that capability disruption shows up when a person whose expertise is being restructured experiences something closer to grief than inconvenience? A Teams call is not enough.

04 Agency

Do people have genuine influence over how change is integrated into their work, or is it done to them? This is the indicator most often missing, and the one that matters most. Without agency, you have a workforce that is trained but not enabled for high performance.

05 Progress

Can the board show demonstrated evidence that the human dimension of the transition is producing results? Sustained uncertainty without visible direction erodes the capacity to adapt and drives the best judgment to competitors who can show their people a credible path.

Each indicator is assessable. Each is a signal the organisation is already sending, whether the board is governing it or not. Together they form a diagnostic for the recursive loop: the signal you send shapes the culture you get, and the culture you get shapes the performance you earn.

The board that assesses these honestly has line of sight into whether its strategy will deliver value or merely efficiency.

The board that cannot is governing a living risk landscape with instruments designed for a static one.


Five questions for the next risk committee

These are not audit questions. They are governance questions designed to surface whether the board can see the human dimension that determines organisational readiness for emergent risk.

1. When did we last assess our emerging risk exposure through financial channels, not just categories on a register?

2. Can we show that our risk framework sees what is happening inside the organisation, and what we signal outward, not only what is coming at us?

3. Where is the evidence that our people have the agency and the readiness to adapt, rather than the compliance to follow process?

4. Which of the five governance indicators is our strength, and which is the one leadership has not yet been willing to examine?

5. If the human system that must respond to emerging risk is itself part of the system generating it, what are we doing to govern that loop?




Frequently Asked Questions

Emerging risk arises from conditions not previously recognised, new combinations of existing forces, or changes so interconnected they behave as systems rather than events. It matters for boards because conventional risk registers, designed for known risks with historical data, cannot hold emergent risks that shift as the system adapts. Directors need instruments that see across financial, human, and systemic dimensions simultaneously, not just governance processes for scanning.


Notes

  1. Bloomberg Intelligence ESG research. The 22 basis point financing cost differential per 10-point increase in sustainability risk score is drawn from Bloomberg's analysis of credit spreads and ESG risk ratings across global fixed income markets. The 650 basis point outperformance gap over a decade reflects Bloomberg's comparison of companies scoring in the top and bottom quartiles of environmental factor management.
  2. The finding that approximately a quarter of capital invested in transformation programmes is at risk from underinvestment in the human dimension draws on the research of Professor Chris Sauer at the University of Oxford's Saïd Business School, whose work on IT project failure and programme risk established the evidence base for human-factor driven failure rates. See also Flinn, J., The Success HealthCheck for IT Projects (Wiley, 2010). The broader evidence is supported by McKinsey & Company, 'Unlocking Success in Digital Transformations' (2018) and BCG, 'Flipping the Odds of Digital Transformation Success' (2020).

Joanne Flinn — Founder & Chair, The ESG Institute, transition risk authority

Thinkers50 Radar 2026 strategist. A former PwC Country Head and Head of Change on the IT ExCo at DBS Bank, Joanne advises boards and senior leaders on transition risk, work that has helped enable over $610M in catalytic capital and delivered a 27.5% improvement in portfolio value through transformation readiness. Her research spans 20 stock exchanges, over 900 listed companies, and six channels of financial exposure that most risk frameworks do not yet measure.