"This paper advances the risk modeling component of AI risk management by introducing a methodology that integrates scenario building with quantitative risk estimation, drawing on established approaches from other high-risk industries. Our methodology models risks through a six-step process: (1) defining risk scenarios, (2) decomposing them into quantifiable parameters, (3) quantifying baseline risk without AI models, (4) identifying key risk indicators such as benchmarks, (5) mapping these indicators to model parameters to estimate LLM uplift, and (6) aggregating individual parameters into risk estimates that enable concrete claims (e.g., X % probability of >$Y in annual cyber damages). We examine the choices that underlie our methodology throughout the article, with discussions of strengths, limitations, and implications for future research. Our methodology is designed to be applicable to key systemic AI risks, including cyber offense, biological weapon development, harmful manipulation, and loss-of-control, and is validated through extensive application in LLM-enabled cyber offense. Detailed empirical results and cyber-specific insights are presented in a companion paper." Henry Papadatos, Malcolm Murray, Steve Barrett, Otter Quarks, Alejandro Tlaie Boria, PhD, Chloe Touzet, Siméon Campos
Managing Emerging Risks Using Integrated Models
Summary
Managing emerging risks using integrated models means combining different approaches—like both qualitative and quantitative methods or using advanced tools—to identify, assess, and respond to new and evolving threats across industries. Integrated models help organizations spot vulnerabilities early, understand complex scenarios, and make smarter decisions, even when resources are limited or technology is rapidly changing.
- Start with scenario analysis: Build risk scenarios and break them down into measurable factors to predict potential outcomes and prioritize responses.
- Apply systems thinking: Use frameworks that encourage a holistic view, allowing teams to harmonize risk management across technology, processes, and resource constraints.
- Strengthen governance and oversight: Maintain clear documentation, continuous monitoring, and human oversight to ensure transparency and reduce liability when adopting new technologies.
-
🚀 My latest research "Cognitive Integration Process for Harmonising Emerging Risks" is now published in the Journal of AI, Robotics and Workplace Automation.

95% of Australian businesses are SMEs operating on ~$500 cybersecurity budgets. Yet they're being asked to securely integrate AI, quantum computing, and blockchain into their operations. How do you make sound security decisions about emerging technologies when you lack both technical expertise and enterprise-level resources? This is fundamentally a systems engineering challenge that requires first principles thinking.

When I presented this research at the Programmable Software Developers Conference in Melbourne in March, I asked the room: "Heard of an AI security incident?" No hands up. "Would you know what an AI security incident looked like?" No hands. This illustrates the gap between AI hype and foundational security understanding - the first principles are missing.

That's why I developed CIPHER (Cognitive Integration Process for Harmonising Emerging Risks) - a cognitive mental model that applies systems thinking to technology integration in resource-constrained environments.

- 🧠 Six cognitive stages: Contextualise, Identify, Prioritise, Harmonise, Evaluate, Refine
- 🔧 Systems engineering foundation: Built on cognitive science, game theory, and dynamical systems theory
- 🎯 Technology agnostic: Works across any emerging technology, any environment, any resource constraint

CIPHER is a cybersecurity framework that gives smaller organisations the same strategic decision-making capabilities that large enterprises use, designed for their operational realities. It bridges the gap between cutting-edge security research and the practical constraints that define how most Australian businesses operate. The framework recognises that in resource-constrained environments, enterprise security models cannot be applied at scale. You need cognitive tools that help teams think systematically in complex integration challenges without requiring extensive technical depth or large security budgets.

My research journey continues: I'm now deep into my UNSW Canberra Masters Research capstone, building on my 2023 work on LLMs in SME cybersecurity. The goal? Developing specialised security models and creating an agnostic, holistic measurement framework for LLMs in Australian SMEs - essentially taking the $500 problem from 2023 into the AI-driven reality of 2025.

#CyberSecurity #SystemsEngineering #SME #Australia #AI #EmergingTech #ResourceConstrainedSecurity #CIPHER #FirstPrinciples
-
Part I of my AI in Insurance Series — AI Adoption & the Evolving Risk Landscape

Across industries, AI has shifted from supporting isolated experiments to powering core business operations. In financial services, algorithmic trading, automated credit scoring, and fraud detection increasingly rely on AI outputs to make decisions worth billions. Healthcare organizations use AI in diagnostics and patient triage, where erroneous outputs may impact patient outcomes. Logistics companies leverage AI to forecast demand, optimize routes, and reduce costs, but overreliance can cascade into inventory overstock, delayed shipments, and contract disputes. In HR and marketing, AI models influence hiring, promotions, dynamic pricing, and customer recommendations, affecting legal and reputational risk.

The operational benefits of AI are compelling, but come with unique exposures. Unlike traditional tech failures or human error, AI-related losses often originate from probabilistic outputs. For example, a financial institution’s AI credit model over-approves applicants due to subtle biases in training data, leading to portfolio losses. In healthcare, an AI triage system misclassifies patient risk because its training data was not representative of the full patient population, prompting regulatory review and litigation. A logistics firm’s AI-driven inventory forecasts lead to warehouse overcapacity and shipment delays when its model overestimates demand. AI risk is operational, multi-stakeholder, and difficult to attribute to a single failure point.

Complicating these risks is the intricate ecosystem in which AI operates. AI models rarely exist in isolation. They rely on foundation models provided by third parties, cloud platforms for deployment, APIs for integration, and external datasets for training. Failures or misalignment at any stage can produce cascading operational impacts affecting multiple insureds simultaneously. Insurers must assess not only an organization’s internal practices but also the maturity, concentration, and reliability of the third-party vendors supporting its AI operations.

Governance and data integrity are critical. Organizations that fail to maintain version control, monitoring, human oversight, and proper documentation expose themselves to operational failure and regulatory sanctions. Regulatory frameworks now require transparency, explainability, and fairness in AI outputs, tying governance directly to potential liability. Poorly documented, poorly understood, or unmonitored models may trigger claims even if no tangible operational harm occurs.

For insurers, these dynamics present significant implications. AI must be treated as an operational and governance risk, not just a tech risk. Losses may propagate across departments, contracts, and portfolios when multiple insureds rely on the same third-party platforms. Understanding these complexities is critical for underwriting responsibly and anticipating emerging claims.

#Ai
-
Qualitative and Quantitative Risk Assessment: A Comprehensive Technical Overview

Effective #RiskManagement depends on deploying rigorous and structured risk assessment methodologies. The two predominant frameworks across enterprises are Qualitative Risk Assessment (QRA) and Quantitative Risk Assessment (QnRA). Both are essential for identifying, evaluating, and prioritizing risks but differ greatly in analytical approach, data granularity, and computational complexity.

Qualitative Risk Assessment leverages expert judgment, structured workshops, and standardized scoring matrices (e.g., Low, Medium, High likelihood and impact) to estimate severity and probability of adverse events. Ideal for rapid screening where historical data is sparse, it employs tools like risk heat maps, risk registers, and Failure Mode and Effects Analysis (#FMEA).

In contrast, Quantitative Risk Assessment utilizes mathematical models, probabilistic simulations (e.g., Monte Carlo analysis), and statistical inference to generate objective numerical risk values such as Expected Monetary Value (#EMV), Probability of Failure on Demand (#PFD), and Loss Exceedance Curves. It is vital in high-stakes sectors such as nuclear, aerospace, and financial services, often integrating fault tree analysis (#FTA), event tree analysis (#ETA), and reliability block diagrams (#RBD).

Integrated Risk Assessment Workflow Overview: See attached

This approach combines qualitative and quantitative methods in a dynamic architecture:

- Risk Identification: Inputs from operational data, audits, and expert interviews
- Qualitative Assessment: Scoring matrices, risk workshops, heat maps
- Quantitative Assessment: Data ingestion, statistical models, simulations
- Decision Support: Dashboards with drill-down analytics
- Governance & Compliance: Integrated with #GRC platforms for audit and reporting

This workflow emphasizes real-time data exchange, iterative feedback loops, and role-based access control to ensure robust risk oversight.

Key Stakeholders & Groups Involved:

- @Risk Management Teams — risk governance & strategy
- @Safety Engineers & Analysts — assessment & scenario modeling
- @Data Science & Analytics Teams — data modeling & simulations
- @IT & Security Operations — data integrity & incident response
- @Compliance & Audit Groups — regulatory validation
- @Executive Leadership & Boards — strategic risk oversight

Mastering when and how to apply these complementary methodologies is crucial for building resilient, scalable risk management programs. This framework empowers professionals and leaders to leverage data-driven insights, promote continuous improvement, and embody the Safety Leader’s Mindset—grounded in knowledge, growth, and proactive leadership.

#RiskAssessment #EnterpriseRiskManagement #SafetyLeadership #DataAnalytics #Compliance #Governance #RiskCulture #OperationalRisk #Leadership
-
Banks’ risk management is often too reactive due to the fact that many banks still rely on fragmented data systems and manual reviews, making it difficult to detect early warning signs and trends. Additionally, the sheer volume and pace of regulatory changes make it hard for banks to anticipate and adapt quickly, leading to compliance issues being addressed after the fact rather than proactively. Reactive strategies often tie up resources that could be used for growth or innovation, as staff are diverted to deal with emerging problems instead of preventing them. Insufficient adoption of advanced analytics and automation prevents banks from continuously monitoring risks and learning from past incidents, which would otherwise support a proactive approach.

But HRO (High Reliability Organization) principles can offer a structured framework to transform banks from reactive risk managers into resilient, antifragile institutions by addressing systemic weaknesses in culture, processes, and decision-making.

HROs treat near misses and minor errors as critical indicators of systemic vulnerabilities. For banks, this means continuous monitoring of emerging threats (e.g., cyber risks, liquidity mismatches) rather than waiting for regulatory penalties or crises. By learning from small failures, banks adapt processes to withstand larger shocks, turning volatility into a source of improvement.

HROs reject oversimplified explanations for risks, forcing deeper analysis. Addressing underlying issues like siloed data or flawed incentive structures instead of temporary fixes. Banks would design systems to handle interconnected risks (e.g., climate-linked credit defaults) rather than compartmentalizing them.

Real-time awareness of frontline activities enables rapid response. Branch managers or traders with situational expertise can escalate risks immediately, bypassing bureaucratic delays. Shifting capital or personnel to emerging hotspots (e.g., fraud spikes) prevents crises from escalating.

HROs build systems that adapt under stress by regularly simulating black-swan events (e.g., AI-driven market collapses) to refine contingency plans. Balancing cost efficiency with fail-safes (e.g., backup liquidity pools) to avoid over-optimization fragility.

Prioritizing knowledge over hierarchy flattens power dynamics. For example, risk analysts or compliance officers can override outdated protocols during fast-moving crises. Encouraging open reporting of errors without blame reduces cover-ups and fosters innovation.

HRO principles align with Nassim Taleb’s antifragility concept by institutionalizing mechanisms to gain strength from volatility. Near-miss data feeds into predictive models, improving risk forecasts. Regulatory compliance becomes a feedback loop for improvement rather than a checkbox exercise.
-
🌐 NIST SP 1331: Tackling Emerging Cybersecurity Risks with CSF 2.0

NIST’s new draft Quick-Start Guide (SP 1331) highlights how organizations can strengthen their resilience against emerging risks by leveraging the Cybersecurity Framework (CSF) 2.0.

🔍 Key Takeaways

Two Types of Emerging Risks:

- Risks known to some but not all (e.g., ransomware, phishing, DDoS).
- Risks unknown to everyone, with no prior mitigations demanding adaptive responses.

Systems-of-systems complexity (IT, OT, IoT, AI/ML) amplifies unpredictability and requires multi-disciplinary risk approaches.

ERM Integration: Aligning CSF 2.0 with Enterprise Risk Management (ERM) enables better prioritization, governance, and resource allocation.

CSF 2.0 in Action:

- Govern: Update policies, roles, and oversight to account for emerging risks.
- Identify: Leverage risk registers, BIAs, and root-cause analysis for stronger visibility.
- Protect: Build resilience via segmentation, redundancy, and zero-trust practices.
- Detect/Respond/Recover: Accelerate detection, improve crisis response, and ensure prioritized recovery with alternative communication strategies.

Improvement Loop: Lessons learned from incidents must feed directly into governance and planning cycles.

💡 Action Steps for CISOs & Risk Leaders

- Embed emerging risks into policy, strategy, and role definitions.
- Strengthen containment and redundancy mechanisms to prevent cascading failures.
- Use cross-domain coordination (IT, OT, AI, ERM) to anticipate novel risks.
- Treat resilience as an enterprise-wide mandate, not just a security function.

Bottom Line: Preparing for the unknown unknowns of cybersecurity requires CSF 2.0 not just as a checklist, but as an adaptive governance model. Emerging risks demand foresight, flexibility, and continuous improvement.

#NIST #CSF2 #CyberResilience #RiskManagement #ERM #Governance #CybersecurityFramework #CISO #EmergingRisks #ZeroTrust
-
After a decade of working with geospatial data, I’ve seen how overwhelming and fragmented datasets can obscure the signals institutional investors are trying to distill. The data is rich, but the insights are hard-won.

For institutional investors and asset managers, the challenge isn’t access to data - it’s making sense of data across many different dimensions linked to their deals and portfolios to quantify risk and uncover actionable signals. Today, solutions exist to make this possible.

#geospatialAI enables institutional investors to:

- 📌 Identify and quantify emerging risks
- ❇️ Optimize portfolios for climate and spatial impact factors
- 🌎 Run scenario-driven forecasts

Excited to share more on our latest #AI modeling framework, Populous, in this blog written in collaboration with David Schottlander Ph.D, CEng. Together, we build on the latest research from Tristan Ballard, PhD, Peter Sousounis and Mike Sierks at Sust Global.

We unpack this framework for training and serving inference with multimodal #geospatialAI models, leveraging the population dynamics foundational model (PDFM) from Google Research. We also explore how these capabilities can be integrated by institutional investors to gain a clearer, more dynamic view of financial materiality.

Stay tuned as we will be presenting and demoing this model in action at Google Cloud #Next25 and #ICLR 2025 next month.

If you're focused on integrating financial, climate materiality, and demographic metrics and wondering how AI can help you move from raw data to risk intelligence — read more here. Link: https://lnkd.in/g572H_uB

#AssetManagement #InstitutionalInvesting #FinancialMateriality #ClimateRisk #AI #DataDrivenDecisions #SustainableFinance #GeoFM #GoogleResearch
-
Recent risk assessments have highlighted the escalating concerns surrounding macroeconomic and geopolitical risks, particularly in relation to shifts in policies and priorities impacting operations and market conditions. The sensitivity of businesses to geopolitical and security issues, such as tariffs, sanctions, embargoes, and trade restrictions, poses a real threat to operations.

To address these risks effectively, proactive risk organizations are implementing integrated risk management practices. These practices involve continuously reassessing enterprise risks, updating exposure information, and aligning operations to develop informed contingency plans.

Some of the key considerations and actions being taken include:

- Supply Chain Diversification or Re-location: Exploring options to diversify supply chains or relocate operations to mitigate risks associated with geopolitical and macroeconomic uncertainties.
- Negotiated Price Lock-ins, Cost-sharing, or Hedges: Engaging in negotiations to secure price lock-ins, cost-sharing agreements, or hedging strategies to manage financial exposure to fluctuating market conditions.
- Inventory Buffers: Building up inventory buffers to cushion against supply chain disruptions or delays resulting from geopolitical tensions or policy changes.
- Tariff Engineering, Product Reclassifications, or Exemption Filings: Strategizing tariff engineering tactics, reclassifying products, or filing for exemptions to navigate changing tariff landscapes effectively.
- 'Wait and See' :): Monitoring developments closely and adopting a cautious 'wait and see' approach to assess the evolving geopolitical and macroeconomic landscape before making strategic decisions.

By aligning risk management practices with operational strategies, organizations can enhance their resilience in the face of geopolitical and macroeconomic uncertainties, ensuring a more robust and adaptive business model.
-
Will 2025 be the year of imagination?

What we know:

1 - Boards are not so confident their teams are on top of fast-moving change. (BCG, The Expanding Agenda for Boards of Directors)

2 - Increasingly boards are relying on metrics over intuition. (PwC, 2024 Annual Corporate Directors Survey)

3 - But the predictive power of traditional datasets is diminishing in certain domains due to increased volatility and rapid change. New, alternative data sources are often unstructured and require new analytical techniques to extract meaningful insight. (IMF)

A recent OECD - OCDE paper on "Using Foresight to Anticipate Emerging Critical Risks" directly addresses the 'failure of imagination' issue prevalent in understanding both long-tail and emerging risk in fast-moving change.

Their approach:

- 🔭 Emphasis on Horizon Scanning: Using horizon scanning techniques that incorporate unconventional data sources such as patent analysis and crowd forecasting, they detect weak signals and early signs of potential risks to capture a broader range of possibilities.
- 🌎 Use of Structured Foresight Techniques: Tools like futures wheels and scenario-based "Risk-Worlds" allow stakeholders to consider a wide range of outcomes and interactions, fostering a more imaginative approach that goes beyond linear thinking and historical constraints.
- 🌱 Focus on Risks at Source: Understanding risks from their origins focuses attention on the initial conditions and deeper, interconnected vulnerabilities that could lead to emergent risks.
- 🤝 Building Collective Understanding: Promoting collaborative analysis, enhancing the collective ability to envision complex scenarios and overcoming cognitive bias.
- 🔄 Iterative Process: Acknowledging the dynamic nature of risk, they focus on continuous updating and refinement of risk perceptions.

By integrating these strategies, organizations can better anticipate uncertainties and harness the possibilities of tomorrow.

#2025Predictions
-
→ What If You Could See Project Risks Before They Strike?

Data reveals hidden threats days, weeks, or even months ahead. This isn’t science fiction - it’s the future of risk management.

→ Use Current and Future Data Sources

- Continuously update your datasets with the latest information.
- Don’t just stick to internal data - bring in market and technology trends to capture the bigger picture.

→ Adopt Advanced Models with Time Awareness

- Harness time-series forecasting to anticipate emerging trends and risks.
- Run scenario simulations to visualize potential project outcomes and warnings.

→ Leverage AI with Updated Training

- Regularly retrain your models on fresh data to keep predictions sharp.
- Adopt the latest AI risk prediction tools designed for evolving challenges.

→ Automate Data Pipelines for Real-Time Updates

- Streamline data ingestion directly from project management tools.
- Ensure your risk data flows continuously and in real-time to stay ahead.

→ Incorporate Emerging Technologies and Trends

- Use natural language processing (NLP) to analyze project communications for early warning signs.
- Keep a pulse on cybersecurity threats and AI ethics risks that may impact your projects.

→ Monitor External Economic and Regulatory Changes

- Watch economic indicators that influence project viability and timelines.
- Stay proactive by tracking new regulations before they affect your work.

→ Visualize Risks with Interactive Dashboards

- Build real-time dashboards that not only track risk but make it tangible and clear.
- Visual cues help teams understand and prioritize risk management.

→ Integrate Risk Predictions into Decision Processes

- Embed these insights directly into project planning and review meetings.
- Let data-driven risk forecasts guide resource allocation and strategic decisions.

Project risk management is evolving. Waiting for problems to emerge is no longer an option.

Follow Carlos Shoji for more insights on project management