Emerging Risk Horizon Scanning for Indian Corporates 2026: Building the Process, the Register and the Insurance Linkage

Most Indian corporates with a functioning enterprise risk management programme maintain a risk register: a structured list of identified risks, scored for likelihood and impact, with owners and controls. The register is good at managing known risks, the ones the business has already experienced or clearly anticipates. It is poor at catching emerging risks: the developments that are not yet material, that have no loss history, that sit at the edge of the business's awareness, but that can become balance-sheet events over a few years. Horizon scanning is the distinct discipline that addresses this gap, and treating it as merely a longer risk register misunderstands what it is for.

The distinction is structural. A risk register entry is a risk the business knows it has and can score with some confidence. An emerging risk is a weak signal, an early indication of a development whose eventual impact, timing and even relevance are uncertain. AI displacing a core service, a climate-driven shift in the insurability of a key asset, a geopolitical realignment disrupting a supply chain, a regulatory regime that does not yet exist but is being debated: these are not register entries to be scored in the ordinary way, because the conventional likelihood-times-impact scoring breaks down when both are deeply uncertain. They are signals to be tracked, assessed for trajectory, and escalated into the register only as they crystallise. Horizon scanning is the process of finding and tracking these signals before they become known risks.

The reason this matters for Indian corporates in 2026 is that the pace and breadth of emerging risk has increased. Artificial intelligence is reshaping business models and creating new liability and operational exposures faster than risk functions can absorb. Climate change is moving from a long-horizon concern to a present operational and insurability issue, with physical and transition risks both accelerating. Geopolitical realignment is disrupting trade, supply chains and energy markets in ways that directly affect Indian corporates with international exposure. The regulatory environment is changing rapidly across data protection, ESG disclosure, sectoral regulation and emerging-technology governance. A corporate that only manages the risks already in its register is managing the last war while the next one forms at the horizon.

The governance dimension reinforces the need. Indian boards, under the Companies Act risk-governance provisions and the SEBI risk-management-committee requirement for larger listed entities, are expected to oversee not just current risks but the firm's exposure to change. A board asked what emerging risks the firm is tracking, and how, should have a substantive answer, the horizon-scanning process and the emerging-risk register, rather than a blank. Investors, lenders and rating agencies increasingly probe how forward-looking a firm's risk management is, and a credible horizon-scanning capability is part of the answer.

The insurance linkage is the practical payoff. Emerging risks shape the insurance programme: some become insurable exposures requiring new or extended cover (cyber, climate-related, liability for new technologies), some reveal that existing cover will not respond to a changed exposure, and some are uninsurable and must be managed through resilience and retention. A horizon-scanning process connected to the insurance programme gives the corporate and its broker early sight of where cover needs to change, rather than discovering the gap when the emerging risk has already become a loss. This post sets out how to build the process: the signal sources, the assessment scoring, the ownership, the linkage to the main register and the insurance programme, and the treatment of the four emerging-risk domains that dominate the 2026 horizon, AI, climate, geopolitical and regulatory.

Horizon scanning begins with signals, and the quality of the process depends on casting a wide enough net to catch developments the business would otherwise miss, then filtering systematically rather than reacting to whatever happens to reach senior management's attention.

Where the signals come from

Emerging-risk signals come from a deliberately broad range of sources, because the defining feature of an emerging risk is that it arises outside the business's normal field of view. Useful sources include: regulatory and policy developments (draft legislation, consultation papers, regulator speeches and discussion documents that signal where rules are heading); scientific and technological developments (research, technology trends, early commercial deployments that may disrupt or expose the business); macroeconomic and geopolitical analysis (the trajectory of trade, energy, currency and political alignment); industry and peer signals (incidents at peers, emerging claim types, insurer and reinsurer commentary on what they are starting to see); internal signals (near-misses, novel incidents, employee and operational observations that hint at a new exposure); and the insurance market itself, where insurers and reinsurers withdrawing capacity, adding exclusions or repricing a risk are often early indicators that an emerging risk is becoming material. The discipline is to scan across these sources continuously rather than wait for an emerging risk to announce itself as a crisis.

The scanning cadence and ownership

Scanning should be a defined activity with an owner and a cadence, not an occasional reaction. A practical model assigns responsibility for horizon scanning to the risk function, which gathers signals from the sources above, supplements them with input from business units and functions (each of which sees signals in its own domain), and convenes a periodic review to assess the signals collected. The cadence is typically quarterly for the formal review, with continuous collection in between and the ability to escalate a fast-moving signal out of cycle. Drawing signals from across the business is important because the risk function alone cannot see everything; the technology function sees AI and cyber signals, the supply-chain function sees geopolitical and supplier signals, the legal function sees regulatory signals, and the horizon-scanning process is the mechanism that pulls these together.

Filtering signals into emerging risks

Not every signal is an emerging risk, and a process that promotes every signal to the register drowns in noise. The scanning process should filter signals by relevance (does this plausibly affect our business?) and by trajectory (is this developing toward materiality, or is it stable or fading?). Signals that pass the filter become tracked emerging risks; signals that do not are noted and may be revisited if their trajectory changes. The filter is a judgement, informed by the business's specific exposures, and it should be applied by people who understand both the signal and the business. The aim is a manageable set of tracked emerging risks that genuinely matter, not an exhaustive catalogue of everything happening in the world.

Avoiding the blind spots

The characteristic failure of horizon scanning is the blind spot: the emerging risk the process did not see because it fell outside the sources scanned or was filtered out as irrelevant. Two disciplines reduce blind spots. The first is deliberately scanning beyond the business's comfort zone, including sources and domains that seem unrelated, because cross-domain developments (a technology shift enabling a new regulatory regime, a geopolitical event triggering a supply-chain and an insurability change at once) are exactly the ones that surprise. The second is challenge: periodically asking what the process might be missing, inviting outside perspective, and revisiting filtered-out signals. A horizon-scanning process that only ever confirms what management already worried about is not scanning the horizon; it is scanning the room.

Once a signal is promoted to a tracked emerging risk, it must be assessed, scored in a way that fits its uncertainty, and assigned an owner, so that the emerging-risk register is a managed artefact rather than a watchlist nobody acts on.

Scoring under deep uncertainty

Conventional risk scoring multiplies likelihood by impact, which works for known risks but breaks down for emerging risks where both are deeply uncertain. Emerging-risk assessment needs a scoring approach suited to that uncertainty. A workable model scores each emerging risk on a small set of dimensions: potential impact (how severe could this be for the business if it materialises?), velocity or time horizon (how soon could it become material, near, medium or long term?), trajectory (is it developing toward materiality, stable, or receding?), and the firm's current preparedness (how exposed are we and how ready?). This gives a richer picture than a single likelihood-times-impact number and supports prioritisation: a high-impact, fast-developing, poorly-prepared emerging risk demands attention now, while a high-impact but distant and slow-moving one is tracked but not yet acted on. The scoring is a structured judgement, not a precise calculation, and should be revisited each scanning cycle as the trajectory changes.

Prioritisation and the watch-and-act distinction

The scoring drives a watch-or-act decision for each emerging risk. Some emerging risks are tracked, watched for changes in trajectory but not yet warranting active treatment, because they are distant, uncertain or low-impact. Others warrant action now, because they are developing toward materiality fast enough, or are severe enough, that waiting is dangerous; action might mean deepening the assessment, developing a mitigation, adjusting the insurance programme, or escalating to the board. The watch-and-act distinction keeps the process proportionate: it does not demand action on every emerging risk, but it forces a conscious decision for each, and it ensures the ones that are moving get attention before they crystallise.

Assigning ownership

Every tracked emerging risk needs an owner, just as every register risk does, but the ownership of an emerging risk is different in character: the owner's job is to track and assess the risk's development and to recommend action as it crystallises, not to manage an established control. The owner is typically the executive whose domain the emerging risk falls in, the technology leader for AI risks, the supply-chain leader for geopolitical supply risks, the legal or compliance leader for regulatory risks, with the risk function coordinating across owners and maintaining the overall register. Assigning ownership prevents the common failure where emerging risks are collectively acknowledged but individually un-owned, so that everyone is aware of them and no one is responsible for tracking them. The owner reports on their emerging risk's trajectory each scanning cycle.

The emerging-risk register

The tracked emerging risks, with their assessments, scores, owners, trajectories and watch-or-act status, form the emerging-risk register, a distinct artefact alongside the main risk register. The emerging-risk register is reviewed on the scanning cadence, updated as trajectories change, and reported to the risk committee and board as part of the firm's forward-looking risk picture. It is deliberately separate from the main register because its entries are managed differently, tracked for development rather than controlled, and because mixing weak-signal emerging risks into the main register either clutters the register with un-scoreable entries or, more often, causes the emerging risks to be quietly dropped because they do not fit the register's format. Keeping the emerging-risk register distinct, with its own format and review, is what keeps emerging risks visible and managed.

An emerging-risk register that sits in isolation, never connecting to the main register or the insurance programme, is an interesting document that changes nothing. The value of horizon scanning is realised at the two linkages: the migration of crystallising emerging risks into the main risk register, and the connection of emerging risks to the insurance programme so that cover changes ahead of the loss.

Migration into the main register

The lifecycle of an emerging risk is that it is identified as a weak signal, tracked and assessed as it develops, and, when it crystallises into a known, scoreable risk, migrated into the main risk register where it is managed with conventional controls. This migration is the point of the whole process: horizon scanning is not an end in itself but an early-warning system that feeds the main risk-management apparatus before the risk arrives. The trigger for migration is the emerging risk becoming material and scoreable enough to be managed as a known risk, at which point it acquires conventional controls, owners and scoring in the main register, and exits the emerging-risk register. The process should define this migration explicitly, so emerging risks do not either linger indefinitely on the watchlist after they have become real, or fall through the gap between the two registers. A well-run process shows emerging risks flowing in from scanning, developing, and migrating into the main register as they crystallise, with the board able to see the pipeline.

The insurance programme linkage

The second linkage connects emerging risks to the insurance programme, and it is where horizon scanning most directly affects risk financing. Each tracked emerging risk should be assessed for its insurance implications: will it require new or extended cover, will it cause existing cover to not respond, or is it uninsurable? An emerging liability from a new technology may need a new liability cover or an extension before the exposure materialises. A climate-driven change in a key asset's risk profile may threaten the availability or pricing of its property cover, signalling the need to act early. An emerging regulatory regime may create a compliance exposure that directors and officers or specific covers should address. By assessing insurance implications as emerging risks develop, the corporate and its broker get early sight of where the programme must change, rather than discovering at renewal, or worse at claim time, that cover has not kept pace with the exposure.

Acting ahead of the market

The insurance linkage also lets the corporate act ahead of the market's response to an emerging risk. Insurance markets tend to react to emerging risks by tightening: adding exclusions, withdrawing capacity, raising prices as the risk becomes material. A corporate that has been tracking an emerging risk and its insurance implications can secure cover, lock in terms, or arrange alternative transfer before the market hardens against the class. The corporate that waits until the emerging risk is obvious finds the cover more expensive, more restricted or unavailable. Horizon scanning connected to the insurance programme converts early awareness into a buying advantage.

The uninsurable residual

Some emerging risks are, or remain, uninsurable, and the linkage must handle these honestly. Where an emerging risk cannot be transferred, the corporate must manage it through resilience, operational change, retention or strategic decision, and the horizon-scanning process should flag the uninsurable emerging risks so that the resilience and strategy functions, not just the insurance function, take them up. Identifying early that an emerging risk will not be insurable is valuable precisely because it directs the corporate's mitigation effort to where insurance will not help, giving more time to build resilience or adjust the business. The linkage to the insurance programme is therefore not only about buying cover; it is about knowing where cover is available, where it is not, and acting accordingly on each.

Horizon scanning that runs as a risk-function exercise, never reaching the board and never embedded in governance, tends to wither: it produces a register nobody acts on, loses sponsorship, and quietly stops. The process needs board assurance and governance to give it standing, sponsorship and consequence, and the board needs the process to answer the forward-looking questions it is increasingly expected to address.

What the board needs from the process

Indian boards, under the Companies Act risk-governance provisions and the SEBI risk-management-committee requirement for larger listed entities, are expected to oversee the firm's exposure to change, not just its current risks. A board asked what emerging risks the firm is tracking should be able to point to the horizon-scanning process and the emerging-risk register as a substantive answer. The risk committee should receive, on the scanning cadence, a clear view of the tracked emerging risks, their assessments and trajectories, the watch-or-act decisions, the migrations into the main register, and the insurance and resilience implications. This reporting lets the board assure itself, and its investors, lenders and rating agencies, that the firm is genuinely forward-looking rather than managing only the risks already in its register.

Reporting that supports decisions, not just awareness

The board reporting on emerging risks should support decisions, not merely raise awareness. For the emerging risks scored as warranting action, the reporting should set out the recommended response, deepening the assessment, developing a mitigation, adjusting the insurance programme, making a strategic change, and seek the board's direction where the response involves significant resource or strategic choice. Emerging risks that are cross-domain, fast-moving or potentially severe deserve board-level discussion rather than risk-committee monitoring alone. The reporting should be synthesised enough for the board to engage strategically, not a raw dump of every tracked signal, while giving the board confidence that the underlying scanning is thorough. The board's role is to direct the response to the emerging risks that matter most, which it can only do if the reporting frames the decisions.

Governance that gives the process consequence

The process needs governance that makes it consequential. This means a defined owner (typically the risk function) accountable for running the scanning and maintaining the register, named owners for each tracked emerging risk accountable for tracking its development, a defined cadence with board and risk-committee reporting, and the authority to escalate fast-moving emerging risks out of cycle. It also means the process is sponsored from the top, so that business units engage with it and supply the signals it needs rather than treating it as a risk-function formality. A horizon-scanning process with executive and board sponsorship is one the organisation takes seriously; one without it is a watchlist that the business ignores until an emerging risk it failed to track becomes a crisis.

Connecting to strategy and risk appetite

The most mature horizon-scanning processes connect to strategy and risk appetite, not just to the insurance programme. Emerging risks that could threaten the business model, or that the firm's risk appetite says it should not run, warrant strategic response, exiting an exposure, diversifying a supply chain, investing in resilience, ahead of the risk materialising. The board's risk-appetite statement is the reference against which emerging risks are judged: an emerging risk that, if it crystallised, would breach the firm's stated appetite is one the firm should act on early. Connecting horizon scanning to risk appetite and strategy is what elevates it from an insurance-and-risk exercise to a genuine input to how the firm steers itself through a changing environment, which is the standard the most forward-looking Indian corporates are setting for FY2026-27 and beyond.

The four domains that dominate the 2026 emerging-risk horizon for Indian corporates, AI, climate, geopolitical and regulatory, each have distinct characteristics that shape how the horizon-scanning process should treat them and how they connect to the insurance programme.

Artificial intelligence

AI is the fastest-developing emerging-risk domain and the one most likely to produce exposures the existing risk and insurance framework does not anticipate. The risks span operational (dependence on AI systems whose failure or error disrupts the business), liability (harm caused by AI-driven decisions, products or services, and the unsettled question of who bears it), regulatory (emerging AI governance regimes), and strategic (business models disrupted by AI). The horizon-scanning treatment of AI should track both the technology's adoption in the firm's own operations and its disruption of the firm's markets, and it should engage early with the insurance question, because AI liability and the response of professional indemnity, product liability, cyber and directors and officers cover to AI-driven harm are still developing. A corporate deploying AI in ways that could cause third-party harm should be asking now how its liability programme responds, rather than after a claim.

Climate

Climate risk has moved from a long-horizon emerging risk to a present and accelerating one, with both physical risk (extreme weather, water stress, sea-level effects on assets and operations) and transition risk (regulatory, market and technology shifts as the economy decarbonises) material to Indian corporates. The horizon-scanning treatment should track climate's effect on the firm's physical assets and operations, on its markets and supply chains, and above all on the insurability of its exposures, because climate is already affecting the availability and pricing of property and related cover for exposed assets. The insurance linkage is acute: a corporate with assets in climate-exposed locations should be tracking whether their cover will remain available and affordable, and acting, on resilience and on cover, ahead of the market repricing the risk. Climate is the domain where the emerging-risk-to-insurance linkage is most immediately consequential.

Geopolitical

Geopolitical risk affects Indian corporates through trade disruption, supply-chain realignment, energy and commodity volatility, sanctions and cross-border exposure. The horizon-scanning treatment should track the geopolitical developments relevant to the firm's specific international exposures, supplier and customer geographies, and commodity dependencies, drawing on macro-political analysis and the firm's own supply-chain mapping. The insurance linkage runs to trade-credit, political-risk and marine and transit cover, and to the contingent business interruption exposures that geopolitical supply-chain disruption creates. Geopolitical emerging risks often crystallise faster than expected, a sanctions regime, a trade restriction, a conflict, so the process should be ready to escalate geopolitical signals quickly when their trajectory accelerates.

Regulatory

Regulatory emerging risk, the developments in data protection, ESG disclosure, sectoral regulation and emerging-technology governance, is distinctive because it is often visible in advance through consultation papers, draft legislation and regulator signalling, giving the well-organised corporate time to prepare. The horizon-scanning treatment should track the regulatory pipeline relevant to the firm across its jurisdictions and sectors, assess the compliance and liability exposures each emerging regime creates, and prepare ahead of the regime taking effect. The insurance linkage runs to directors and officers cover (governance and compliance exposure), to specific liability covers, and to the broader question of whether the firm's programme addresses the new compliance regime. Regulatory emerging risk rewards the firm that scans the pipeline and prepares, and penalises the firm that reacts only when the rule is in force.

Bringing the domains together

These domains do not stay in their lanes; the most dangerous emerging risks are cross-domain, an AI-enabled regulatory regime, a climate-driven geopolitical supply disruption, a regulatory response to a climate or technology event. The horizon-scanning process should look explicitly for these intersections, because they are where the conventional, domain-siloed risk view is weakest. Treating each domain in isolation catches the obvious risks within it; looking across the domains catches the compound risks that surprise.

Throughout, the connection between emerging risks and the insurance programme depends on knowing precisely how the firm's existing wordings would respond to a changed or novel exposure, which triggers apply, which exclusions bite, where the sub-limits sit, and where the cover is silent. Sarvada gives commercial insurance brokers structured, searchable access to insurer policy wordings, so the broker can compare how different insurers' triggers, grants, sub-limits and exclusions would respond to emerging AI, climate, geopolitical and regulatory exposures, and advise the corporate on where cover needs to change ahead of the risk crystallising. Request Access to evaluate how structured wording access supports the insurance linkage that makes horizon scanning pay off.