iTeh StandardsiTeh Standards
EURUSD
Your shopping cart is empty.
ISO

ISO/DTS 31050

(Main)

Risk management — Guidelines for managing emerging risk to enhance resilience

Risk management — Guidelines for managing emerging risk to enhance resilience

Management du risque — Lignes directrices relatives à la gestion des risques émergents afin d'améliorer la résilience

General Information

Status
Not Published
ICS
03.100.01 - Company organization and management in general
Technical Committee
ISO/TC 262 - Risk management
Drafting Committee
ISO/TC 262/JWG 1 - Joint ISO/TC 262 - ISO/TC 292 WG: Managing emerging risk
Current Stage
5020 - FDIS ballot initiated: 2 months. Proof sent to secretariat
Start Date
22-May-2023
Completion Date
22-May-2023
Ref Project

Buy Standard

REDLINE ISO/DTS 31050 - Risk management — Guidelines for managing emerging risk to enhance resilience Released:8. 05. 2023REDLINE ISO/DTS 31050 - Risk management — Guidelines for managing emerging risk to enhance resilience Released:8. 05. 2023
PreviousNext
Draft
REDLINE ISO/DTS 31050 - Risk management — Guidelines for managing emerging risk to enhance resilience Released:8. 05. 2023
English language
35 pages
sale 15% off
Preview
sale 15% off
Preview
ISO/DTS 31050 - Risk management — Guidelines for managing emerging risk to enhance resilience Released:8. 05. 2023ISO/DTS 31050 - Risk management — Guidelines for managing emerging risk to enhance resilience Released:8. 05. 2023
PreviousNext
Draft
ISO/DTS 31050 - Risk management — Guidelines for managing emerging risk to enhance resilience Released:8. 05. 2023
English language
35 pages
sale 15% off
Preview
sale 15% off
Preview

Standards Content (Sample)

© ISO 2023 – All rights reserved
— ISO/DTS 31050:2023(E)
Date: 2023-04-28
ISO/TC 262/JWG 1
Secretariat: BSI
Risk Management –management — Guidelines for managing
emerging risk to enhance resilience
Version: 20 February
---------------------- Page: 1 ----------------------
ISO/DTS 31050:2023(E)
© ISO 2023

All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of

this publication may be reproduced or utilized otherwise in any form or by any means, electronic or

mechanical, including photocopying, or posting on the internet or an intranet, without prior written

permission. Permission can be requested from either ISO at the address below or ISO’s member body in the

country of the requester.
ISO Copyright Office
CP 401 • CH-1214 Vernier, Geneva
Phone: + 41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland.
ii © ISO 2023 – All rights reserved
---------------------- Page: 2 ----------------------
ISO/DTS 31050:2023(E)
Contents

Foreword .......................................................................................................................................................................... v

Introduction.................................................................................................................................................................... vi

1 Scope .................................................................................................................................................................... 1

2 Normative references .................................................................................................................................... 1

3 Terms and definitions .................................................................................................................................... 1

4 Emerging risks .................................................................................................................................................. 2

4.1 The nature of emerging risks .............................................................................................................................. 2

4.2 Characterization of emerging risks .................................................................................................................. 3

4.2.1 General ......................................................................................................................................................... 3

4.2.2 Knowledge aspects .................................................................................................................................. 5

4.2.3 Measurement aspects ............................................................................................................................. 6

4.2.4 Time dimension ........................................................................................................................................ 6

4.2.5 Volatility aspects ...................................................................................................................................... 6

4.3 Development of emerging risks ......................................................................................................................... 7

4.4 Relationship between managing emerging risks and organizational resilience ........................... 7

5 Principles ........................................................................................................................................................... 8

5.1 General ......................................................................................................................................................................... 8

5.2 Integrated ................................................................................................................................................................... 9

5.3 Structured and comprehensive ......................................................................................................................... 9

5.4 Customized ................................................................................................................................................................. 9

5.5 Inclusive ...................................................................................................................................................................... 9

5.6 Dynamic ....................................................................................................................................................................... 9

5.7 Best available information ................................................................................................................................... 9

5.8 Human and cultural factors ...............................................................................................................................1 0

5.9 Continual improvement ......................................................................................................................................1 0

6 Process ............................................................................................................................................................. 10

6.1 Applying the ISO 31000 process to emerging risks ................................................................................ 10

6.2 Communication and consultation ...................................................................................................................1 0

6.3 Scope, context and criteria................................................................................................................................. 11

6.3.1 Scope and context ..................................................................................................................................1 1

6.3.2 Criteria ........................................................................................................................................................1 3

6.4 Risk assessment .....................................................................................................................................................1 3

6.4.1 General .......................................................................................................................................................1 3

6.4.2 Identifying emerging risks .................................................................................................................1 4

6.4.3 Analysing emerging risks....................................................................................................................1 4

6.4.4 Evaluating emerging risks ..................................................................................................................1 7

6.5 Risk treatment ........................................................................................................................................................1 7

6.6 Monitoring and review ........................................................................................................................................1 8

6.7 Recording and reporting ....................................................................................................................................1 8

7 Enhancing resilience by managing emerging risks .......................................................................... 19

7.1 Capability development ......................................................................................................................................1 9

7.2 Emerging risks and resilience indicators ....................................................................................................2 1

8 Risk intelligence cycle and managing emerging risks .................................................................... 22

8.1 Overview ...................................................................................................................................................................2 2

8.2 Applying knowledge to decisions on emerging risks ............................................................................. 23

Annex A (informative) Examples of changes in context that can be sources of emerging

risks ................................................................................................................................................................... 25

Annex B (informative) Example of emerging risks description or recording template .................. 26

Annex C (informative) Systemic risks ................................................................................................................ 28

© ISO 2023 – All rights reserved iii
---------------------- Page: 3 ----------------------
ISO/DTS 31050:2023(E)

Annex D (informative) Example factors that can influence managing emerging risks .................... 29

Annex E (informative) Knowledge and the risk intelligence cycle for managing emerging

risks ................................................................................................................................................................... 31

Annex F (informative) Example of a completed resilience indicator template .................................. 36

Bibliography ................................................................................................................................................................. 38

iv © ISO 2023 – All rights reserved
---------------------- Page: 4 ----------------------
ISO/DTS 31050:2023(E)
Foreword

ISO (the International Organization for Standardization) is a worldwide federation of national standards

bodies (ISO member bodies). The work of preparing International Standards is normally carried out

through ISO technical committees. Each member body interested in a topicsubject for which a technical

committee has been established has the right to be represented on that committee. International

organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO

collaborates closely with the International Electrotechnical Commission (IEC) on all matters of

electrotechnical standardization.

The procedures used to develop this document and those intended for its further maintenance are

described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the

diversedifferent types of ISO documents document should be noted. This document was drafted in

accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).

Attention is drawnISO draws attention to the possibility that some of the elementsimplementation of this

document may beinvolve the topicuse of (a) patent(s). ISO takes no position concerning the evidence,

validity or applicability of any claimed patent rights in respect thereof. As of the date of publication of

this document, ISO had not received notice of (a) patent(s) which may be required to implement this

document. However, implementers are cautioned that this may not represent the latest information,

which may be obtained from the patent database available at www.iso.org/patents.. ISO shall not be held

responsible for identifying any or all such patent rights. Details of any patent rights identified during the

development of the document will be in the Introduction and or on the ISO list of patent declarations

received (see ).

Any trade name used in this document is information given for the convenience of users and does not

constitute an endorsement.

For an explanation of the voluntary nature of standards, the meaning of ISO -specific terms and

expressions related to conformity assessment, as well as information about ISO’s adherence to the World

Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see

www.iso.org/iso/foreword.html.

This document was prepared by Technical CommitteesCommittee ISO/TC 262 and , Risk management, in

collaboration with Technical Committee ISO/TC 292 in a joint working group (ISO/TC 262/JWG 01

Managing emerging risk)., Security and resilience.

Any feedback or questions on this document should be directed to the user’s national standards body. A

complete listing of these bodies can be found at www.iso.org/members.html.
© ISO 2023 – All rights reserved v
---------------------- Page: 5 ----------------------
ISO/DTS 31050:2023(E)
Introduction

Emerging risks are characterized by their newness, insufficient data, and a lack of verifiable information

and knowledge needed for decision-making related to them. As these risks can develop with the potential

for large threats and opportunities, appropriate managingmanagement of emerging risks should be

established as a part of thean organization’s risk management, and. It should include changes in

circumstances or conditions related to multiple aspects of the organization’s external context and

theirthe implications onfor its internal context.
Emerging risks can include, e.g.:for example:
— risks arising from unrecognized changes in organizational contexts;
— risks created by innovation or social and technological development;
— risks related to new sources or previously unrecognized sources of risk;
— risks from new or modified processes, products, or services.
Consequences of emerging risks can include, e.g.:for example:
— exposure to unforeseen hazards and threats with uncertain outcomes;
— increased exposure to hazards and threats from known risk sources;
— lost or gained opportunities.

Managing emerging risk should be knowledge-focused and dependent on the need to accumulate

verifiable data and information, especially when these are limited or inconsistent. With interpretation,

this information forms knowledge and creates intelligence for strategic, tactical and operational decision-

making.

To this aim, this document provides guidelines for applying ISO 31000 to managing emerging risks to

enhance organizational resilience. The focus is on emerging risks potentially having the most significant

consequences for the organization and its objectives. Applying the ISO 31000 principles and process to

managing emerging risk requires an understanding of the different aspects of the context in which the

organization operates. In particular, this applies to the following:

— Thethe continual scanning of changing circumstances or conditions that can result in an emerging

risk helps to develop knowledge and provide the intelligence needed for strategic, tactical and

operational decision-making;

— Identificationthe identification of changes in an organizational context are often early indicators or

signals that identify vulnerabilities and the sources of emerging risks;

— Managingmanaging emerging risks relies on the application of the ISO 31000 principles under

conditions of extreme uncertainty, increasing volatility, complexity and ambiguity within the

multiple aspects of the context in which the organization operates.
This specificSpecific guidance is provided on:

— how to understand the nature and characteristics of emerging risks (see Clause 4);

— how the principles of risk management apply to emerging risk (risks (see Clause 5);

vi © ISO 2023 – All rights reserved
---------------------- Page: 6 ----------------------
ISO/DTS 31050:2023(E)

— how the ISO 31000 risk management process is applied to emerging risks (see Clause 6);

— how resilience can be enhanced by managing emerging risks (see Clause 7);
— how to use the risk intelligence cycle for emerging risks (see Clause 8).
Further details are provided in informative annexes Annexes A to F.
The application of this guidance document helps organizations to benefit from:

— increased awareness, reducing the likelihood of failing to anticipate emerging risks;

— early recognition of emerging risks and increased level of preparedness and resilience;

— timely dissemination of data and exchange of information among stakeholders;

— alignment of actions on emerging risks across all aspects of organizational contexts.

© ISO 2023 – All rights reserved vii
---------------------- Page: 7 ----------------------
TECHNICAL SPECIFICATION ISO/DTS 31050:2023(E)
Risk Management –management — Guidelines for managing
emerging risk to enhance resilience
1 Scope

This document provides recommendations forgives guidance on managing emerging risks that the

organizations may an organization can face and. It complements ISO 31000.

This document appliesis applicable to any organization, at any stage and to any organization’s activity. of

the organization. Its application can be customized to suit different organizations or the context of

different organizations’ contextsorganizations.
2 Normative references

The following documents are referred to in the text in such a way that some or all of their content

constitutes requirements forof this document. For dated references, only the edition cited applies. For

undated references, the latest edition of the referenced document (including any amendments) applies.

ISO 22300, Security and resilience — Vocabulary

ISO 22316, Security and resilience — Organizational resilience — Principles and attributes

ISO 31000, Risk management — Guidelines
IEC 31010, Risk management — Risk assessment techniques
3 Terms and definitions

For the purposes of this document, the terms and definitions given in ISO 22300, ISO 22316, ISO 31000,

IEC 31010 and the following apply.

ISO and IEC maintain terminology databases for use in standardization at the following addresses:

— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/
— ISO/IEC Directives Part 1, Annex SL
3.1
resilience attribute

feature or characteristic of an organization’s ability to absorb and adapt to a changing context

3.2
knowledge
outcome of the assimilation of information through learning

Note 1 to entry: Knowledge can be acquired through research, experience, or education.

© ISO 2023 – All rights reserved 1
---------------------- Page: 8 ----------------------
ISO/DTS 31050:2023(E)

Note 2 to entry: Knowledge includes information, facts, principles, theories and practices related to a field of work

or study.

Note 3 to entry: Knowledge can be individual or collective. Collective knowledge is gained from people collaborating

and releasing their tacit and subconscious knowledge.
[SOURCE: ISO 56000:2020, 3.4.1]
3.3
intelligence

result of gathering, analyzinganalysing and interpreting data, information and knowledge (3.2)

Note 1 to entry: Intelligence can be of different kinds, e.g. (but not limited to) market, technology, competition,

intellectual property or business.
[SOURCE: ISO 56006:2021, 3.1]
3.4
organizational resilience
ability of an organization to absorb, recover and adapt in a changing context
[SOURCE: ISO 22300:2021, 3.1.167, modified — “recover” added.]
3.5
radical innovation
breakthrough innovation
innovation with a high degree of change
Note 1 to entry: Change can relate to the entity or its impact.

Note 2 to entry: Radical innovation is at the other end of the continuum to incremental innovation.

[SOURCE: ISO 56000:2020, 3.1.1.1]
3.6
disruptive innovation

innovation initially addressing less demanding needs, displacing established offerings

Note 1 to entry: Compared to established offerings, disruptive innovations are initially simpler offerings with lower

performance and they are generally more cost effective, requiring fewer resources and offered at lower cost.

Note 2 to entry: Disruption occurs when a significant ratio of users or customers have adopted the innovation.

Note 3 to entry: Disruptive innovations can create new markets and value networks by addressing new users and

deploying new business and value realization models.
[SOURCE: ISO 56000:2020, 3.1.1.2]
4 Emerging risks
4.1 The nature of emerging risks

The nature of emerging risks (see the examples in Annex A and the example of data to be collected about

them in Annex B) can include:
2 © ISO 2023 – All rights reserved
---------------------- Page: 9 ----------------------
ISO/DTS 31050:2023(E)

— Risksrisks that have not been previously recognized or experienced by an organization;

— Familiarfamiliar risks in a new or unfamiliar context where the existing knowledge is not applicable;

— Significantlysignificantly evolving risk;
— Systemicsystemic risks (see Annex C);
— Aa novel combination of risks .

If an organization does not consider emerging risks, it does not mean that the organization will not be

affected. In many cases, it is initially not possible to formulate scenarios of interest in, to estimate event

likelihood, to anticipate consequences or to identify control options. To better understand the nature of

the particular emerging risk, the nature of similar risks that are better understood should be considered.

The above risks can stem from changes of context in which the organization seeks to meet its objectives,

such as:
— organizational relationships,;
— access to capital and capabilities,;

— interactions or interdependencies with societal, geopolitical, environmental, economic,

technological, legal, perception (see Annex D) and ethical factors, and;
— the internal governance, cultural and operational aspects of its business.

Emerging risks should be proactively identified and characterized from observing changes in

organizational contexts. Emerging risks are typically represented by a set of new circumstances or

conditions, not previously recognized, or changes in characteristicthe characteristics of already identified

risks. The changes can be related to, e.g.:for example:
— societal norms, ;
— organizational culture,;
— perceptions, and;

— data, or information interpreted from data, about a risk or the way that risk evolves .

NOTE There are occasions when risks emerge with little prior visibility in the context.

4.2 Characterization of emerging risks
4.2.1 General

Effective and efficient management of emerging risk requires the continual acquisition of knowledge

about the organization’s function, context, experience, access to data and emerging risk characteristics,

If an organization does not consider emerging risks, it does not mean that the organization will not be affected. In

many cases, it is initially not possible to formulate scenarios of interest in, to estimate event likelihood, to anticipate

consequences, or to identify control options. To better understand the nature of the particular emerging risk, the

nature of similar risks that are better understood should be considered.

There are occasions in which risks emerge with little prior visibility in the context.

© ISO 2023 – All rights reserved 3
---------------------- Page: 10 ----------------------
ISO/DTS 31050:2023(E)

(e.g.,. by applying the risk intelligence cycle, see Clause 8 and Annex E). The data, information and

knowledge acquired should recorded appropriately (see Clause 6.7 and Annex B).

The following factors can be of particular importance for the new knowledge about emerging risks:

a) possible deviations from the expected outcomes or consequences, either positive or negative, and

their likelihood;
b) sources and nature of risks;
c) other factors, such as the rate of development of risk and detectability.

Where the organization has not previously experienced particular changes in its context, it is possible

that data related to those changes are limited or that all characteristics of emerging risks are not evident

(e.g.,. for systemic risks, see Annex C). Understanding the characteristics of emerging risks context

depends upon available knowledge relating to nature and source, quantity, and time, in a volatile,

uncertain context, complex, and ambiguous circumstances. Consequently, the knowledge acquired can be

insufficient to identify changes in characteristics and potential sources of risk or, if an emerging issue has

been identified, to determine the likelihood and consequences of deviations from expectations.

Due to high uncertainty, the interpretation of data and information can be biased by individual

perceptions (see Annex D).

Emerging risk characteristics should be categorized, e.g.,for example, by considering the following

elements :
— Knowledgeknowledge elements, including e.g.,, for example:
— unknown changes in organizational contexts,;
— weak signals of change subject to interpretation and bias, and;
— insufficient data to determine likelihood and consequences.;
— Volatilityvolatility elements, including e.g.,, for example:
— conditions or circumstances likely to change, rapidly or unpredictably,;
— impact of change and consequences of an unknown variable,;
— instability of data and information.;
— Uncertaintyuncertainty elements, including e.g.,, for example:
— transition from early warnings and signals to emerging risks,;
— determination of sources of emerging risks.;
— Complexitycomplexity elements, including e.g.,, for example:
— high level of interconnectedness of systems, parts, or processes;

Not all of the above characteristics apply necessarily to all emerging risks and are not unique to emerging risks.

The above categories, however, do represent a common theme for emerging risks, which should be considered when

managing them.
4 © ISO 2023 – All rights reserved
---------------------- Page: 11 ----------------------
ISO/DTS 31050:2023(E)
— unknown interdependencies throughout the organization’s context;

— interactions of emerging risks with other risks or activities that can result in non-linear effects;

— the systemic nature of certain risks (see Annex C), and;
— large degree of complexity of potential decisions and consequences.;
— Ambiguityambiguity elements, including e.g.,, for example:
— limited data open to multiple interpretations and individual perceptions,;
— lack of precedence for the development of knowledge and intelligence, and;
— lack of clarity on the cause and effect of changes in contexts.;
— Timetime dimension elements, including e.g.,, for example:
— velocity of change in the organization’s context, and;
— rate of change in characteristics of emerging risks.;
— Controllabilitycontrollability elements, including e.g.,

, for example, the effects of factors out of the organization’s control, both in internal and external

context.contexts;
— Behavioral behavioural elements, including e.g.,

, for example, the effects of unexpected changes in contexts, people, systems, or processes ().(see

Annex D).

Not all of the above characteristics apply necessarily to all emerging risks and are not unique to emerging

risks. The above categories, however, do represent a common theme for emerging risks, which should be

considered when managing them.
4.2.14.2.2 Knowledge aspects

Knowledge relating to emerging risks should be based on the quantity and quality of data available and

their usability as credible information to support decision-making. In order to manage emerging risks

effectively, the use of systems that can gather and interpret data about capabilities, possibilities, changes

and trends in the external context should be considered, taking into account that the knowledge about

emerging risk characteristics and their influence on the organization’s objectives can depend on the data

still missing or that are limited.

It should be noted that in the absence of adequate knowledge, understanding of emerging risks can be

influenced by individual perceptions, cognitive bias, group dynamics, misinformation or

misinterpretation, preventing the reliable assessment of likelihoods and consequences. In such cases, the

[24]

focus of managing emerging risks should be on assessing their plausibility and enhancing the

[35]
organization’s resilience .

As emerging risks evolve, knowledge about them and their characteristics also evolves with time.

© ISO 2023 – All rights reserved 5
---------------------- Page: 12 ----------------------
ISO/DTS 31050:2023(E)

NOTE Initially, there can be little understanding of the time, too . potential for issues arising from particular

circumstances. As data and information are collected and interpreted, knowledge increases, enabling organizations

to identify emerging risks and make decisions about their potential consequences.

This should be defined within the risk intelligence cycle and the. The application of knowledge as strategic

intelligence and improved decision-making, should be systematic (s.. See Clause 8 and Annex E).

4.2.24.2.3 Measurement aspects

The quality (e.g.,. integrity, reliability, accuracy, timely, relevancy) of available data and information is

essential for acquiring the knowledge necessary to assign values to the measurable elements of emerging

risk characteristics, including consequences and likelihood. The organization should establish a system

for timely acquisition of relevant data on weak signals or early warnings, as well their analysis and

analysis of changes in emerging risk characteristics. This analysis should include the ambiguity of

information, its limitations related to understanding of the development of emerging riskrisks, and trends

and patterns in the organization’s context, indicating the source of possible emerging risks.

4.2.34.2.4 Time dimension

Characterizing emerging risks should include the time dimensions, such as the rate at wh

...

FINAL
TECHNICAL ISO/DTS
DRAFT
SPECIFICATION 31050
ISO/TC 262
Risk management — Guidelines for
Secretariat: BSI
managing emerging risk to enhance
Voting begins on:
2023-05-22 resilience
Voting terminates on:
2023-07-17
Member bodies are requested to consult relevant national interests in ISO/TC
292 before casting their ballot to the e-Balloting application.
RECIPIENTS OF THIS DRAFT ARE INVITED TO
SUBMIT, WITH THEIR COMMENTS, NOTIFICATION
OF ANY RELEVANT PATENT RIGHTS OF WHICH
THEY ARE AWARE AND TO PROVIDE SUPPOR TING
DOCUMENTATION.
IN ADDITION TO THEIR EVALUATION AS
Reference number
BEING ACCEPTABLE FOR INDUSTRIAL, TECHNO-
ISO/DTS 31050:2023(E)
LOGICAL, COMMERCIAL AND USER PURPOSES,
DRAFT INTERNATIONAL STANDARDS MAY ON
OCCASION HAVE TO BE CONSIDERED IN THE
LIGHT OF THEIR POTENTIAL TO BECOME STAN-
DARDS TO WHICH REFERENCE MAY BE MADE IN
NATIONAL REGULATIONS. © ISO 2023
---------------------- Page: 1 ----------------------
ISO/DTS 31050:2023(E)
FINAL
TECHNICAL ISO/DTS
DRAFT
SPECIFICATION 31050
ISO/TC 262
Risk management — Guidelines for
Secretariat: BSI
managing emerging risk to enhance
Voting begins on:
resilience
Voting terminates on:
Member bodies are requested to consult relevant national interests in ISO/TC
292 before casting their ballot to the e­Balloting application.
COPYRIGHT PROTECTED DOCUMENT
© ISO 2023

All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may

be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on

the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below

or ISO’s member body in the country of the requester.
RECIPIENTS OF THIS DRAFT ARE INVITED TO
ISO copyright office
SUBMIT, WITH THEIR COMMENTS, NOTIFICATION
OF ANY RELEVANT PATENT RIGHTS OF WHICH
CP 401 • Ch. de Blandonnet 8
THEY ARE AWARE AND TO PROVIDE SUPPOR TING
CH-1214 Vernier, Geneva
DOCUMENTATION.
Phone: +41 22 749 01 11
IN ADDITION TO THEIR EVALUATION AS
Reference number
Email: copyright@iso.org
BEING ACCEPTABLE FOR INDUSTRIAL, TECHNO­
ISO/DTS 31050:2023(E)
Website: www.iso.org
LOGICAL, COMMERCIAL AND USER PURPOSES,
DRAFT INTERNATIONAL STANDARDS MAY ON
Published in Switzerland
OCCASION HAVE TO BE CONSIDERED IN THE
LIGHT OF THEIR POTENTIAL TO BECOME STAN­
DARDS TO WHICH REFERENCE MAY BE MADE IN
© ISO 2023 – All rights reserved
NATIONAL REGULATIONS. © ISO 2023
---------------------- Page: 2 ----------------------
ISO/DTS 31050:2023(E)
Contents Page

Foreword ..........................................................................................................................................................................................................................................v

Introduction .............................................................................................................................................................................................................................. vi

1 Scope ................................................................................................................................................................................................................................. 1

2 Normative references ..................................................................................................................................................................................... 1

3 Terms and definitions .................................................................................................................................................................................... 1

4 Emerging risks ....................................................................................................................................................................................................... 2

4.1 The nature of emerging risks .................................................................................................................................................... 2

4.2 Characterization of emerging risks ..................................................................................................................................... 3

4.2.1 General ........................................................................................................................................................................................ 3

4.2.2 Knowledge aspects ........................................................................................................................................................... 4

4.2.3 Measurement aspects .................................................................................................................................................... 5

4.2.4 Time dimension ................................................................................................................................................................... 5

4.2.5 Volatility aspects ................................................................................................................................................................ 6

4.3 Development of emerging risks ............................................................................................................................................... 6

4.4 Relationship between managing emerging risks and organizational resilience ........................ 6

5 Principles ..................................................................................................................................................................................................................... 7

5.1 General ........................................................................................................................................................................................................... 7

5.2 Integrated ................................................................................................................................................................................................... 8

5.3 Structured and comprehensive ............................................................................................................................................... 8

5.4 Customized ................................................................................................................................................................................................ 8

5.5 Inclusive ........................................................................................................................................................................................................ 8

5.6 Dynamic ........................................................................................................................................................................................................ 8

5.7 Best available information ........................................................................................................................................................... 8

5.8 Human and cultural factors ........................................................................................................................................................ 9

5.9 Continual improvement .................................................................................................................................................................. 9

6 Process ...................................................................... ...................................................................................................................................................... 9

6.1 Applying the ISO 31000 process to emerging risks ............................................................................................... 9

6.2 Communication and consultation.......................................................................................................................................... 9

6.3 Scope, context and criteria ....................................................................................................................................................... 10

6.3.1 Scope and context ........................................................................................................................................................... 10

6.3.2 Criteria ..................................................................................................................................................................................... 11

6.4 Risk assessment .................................................................................................................................................................................. 12

6.4.1 General .....................................................................................................................................................................................12

6.4.2 Identifying emerging risks .....................................................................................................................................12

6.4.3 Analysing emerging risks ........................................................................................................................................ 13

6.4.4 Evaluating emerging risks ...................................................................................................................................... 15

6.5 Risk treatment .....................................................................................................................................................................................15

6.6 Monitoring and review ................................................................................................................................................................. 16

6.7 Recording and reporting ............................................................................................................................................................ 16

7 Enhancing resilience by managing emerging risks.....................................................................................................17

7.1 Capability development ............................................................................................................................................................... 17

7.2 Emerging risks and resilience indicators .................................................................................................................... 18

8 Risk intelligence cycle and managing emerging risks .............................................................................................20

8.1 Overview ................................................................................................................................................................................................... 20

8.2 Applying knowledge to decisions on emerging risks ........................................................................................ 21

Annex A (informative) Examples of changes in context that can be sources of emerging

risks ................................................................................................................................................................................................................................23

Annex B (informative) Example of emerging risks description or recording template ...........................24

Annex C (informative) Systemic risks ............................................................................................................................................................26

iii
© ISO 2023 – All rights reserved
---------------------- Page: 3 ----------------------
ISO/DTS 31050:2023(E)

Annex D (informative) Example factors that can influence managing emerging risks ............................27

Annex E (informative) Knowledge and the risk intelligence cycle for managing emerging

risks ................................................................................................................................................................................................................................29

Annex F (informative) Example of a completed resilience indicator template .................................................33

Bibliography .............................................................................................................................................................................................................................35

© ISO 2023 – All rights reserved
---------------------- Page: 4 ----------------------
ISO/DTS 31050:2023(E)
Foreword

ISO (the International Organization for Standardization) is a worldwide federation of national standards

bodies (ISO member bodies). The work of preparing International Standards is normally carried out

through ISO technical committees. Each member body interested in a subject for which a technical

committee has been established has the right to be represented on that committee. International

organizations, governmental and non­governmental, in liaison with ISO, also take part in the work.

ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of

electrotechnical standardization.

The procedures used to develop this document and those intended for its further maintenance are

described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the

different types of ISO document should be noted. This document was drafted in accordance with the

editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).

ISO draws attention to the possibility that the implementation of this document may involve the use

of (a) patent(s). ISO takes no position concerning the evidence, validity or applicability of any claimed

patent rights in respect thereof. As of the date of publication of this document, ISO had not received

notice of (a) patent(s) which may be required to implement this document. However, implementers are

cautioned that this may not represent the latest information, which may be obtained from the patent

database available at www.iso.org/patents. ISO shall not be held responsible for identifying any or all

such patent rights.

Any trade name used in this document is information given for the convenience of users and does not

constitute an endorsement.

For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and

expressions related to conformity assessment, as well as information about ISO’s adherence to

the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see

www.iso.org/iso/foreword.html.

This document was prepared by Technical Committee ISO/TC 262, Risk management, in collaboration

with Technical Committee ISO/TC 292, Security and resilience.

Any feedback or questions on this document should be directed to the user’s national standards body. A

complete listing of these bodies can be found at www.iso.org/members.html.
© ISO 2023 – All rights reserved
---------------------- Page: 5 ----------------------
ISO/DTS 31050:2023(E)
Introduction

Emerging risks are characterized by their newness, insufficient data, and a lack of verifiable information

and knowledge needed for decision­making related to them. As these risks can develop with the

potential for large threats and opportunities, appropriate management of emerging risks should be

established as a part of an organization’s risk management. It should include changes in circumstances

or conditions related to multiple aspects of the organization’s external context and the implications for

its internal context.
Emerging risks can include, for example:
— risks arising from unrecognized changes in organizational contexts;
— risks created by innovation or social and technological development;
— risks related to new sources or previously unrecognized sources of risk;
— risks from new or modified processes, products or services.
Consequences of emerging risks can include, for example:
— exposure to unforeseen hazards and threats with uncertain outcomes;
— increased exposure to hazards and threats from known risk sources;
— lost or gained opportunities.

Managing emerging risk should be knowledge­focused and dependent on the need to accumulate

verifiable data and information, especially when these are limited or inconsistent. With interpretation,

this information forms knowledge and creates intelligence for strategic, tactical and operational

decision­making.

To this aim, this document provides guidelines for applying ISO 31000 to managing emerging risks to

enhance organizational resilience. The focus is on emerging risks potentially having the most significant

consequences for the organization and its objectives. Applying the ISO 31000 principles and process to

managing emerging risk requires an understanding of the different aspects of the context in which the

organization operates. In particular, this applies to the following:

— the continual scanning of changing circumstances or conditions that can result in an emerging

risk helps to develop knowledge and provide the intelligence needed for strategic, tactical and

operational decision-making;

— the identification of changes in an organizational context are often early indicators or signals that

identify vulnerabilities and the sources of emerging risks;

— managing emerging risks relies on the application of the ISO 31000 principles under conditions of

extreme uncertainty, increasing volatility, complexity and ambiguity within the multiple aspects of

the context in which the organization operates.
Specific guidance is provided on:

— how to understand the nature and characteristics of emerging risks (see Clause 4);

— how the principles of risk management apply to emerging risks (see Clause 5);

— how the ISO 31000 risk management process is applied to emerging risks (see Clause 6);

— how resilience can be enhanced by managing emerging risks (see Clause 7);
— how to use the risk intelligence cycle for emerging risks (see Clause 8).
Further details are provided in Annexes A to F.
© ISO 2023 – All rights reserved
---------------------- Page: 6 ----------------------
ISO/DTS 31050:2023(E)
The application of this document helps organizations to benefit from:

— increased awareness, reducing the likelihood of failing to anticipate emerging risks;

— early recognition of emerging risks and increased level of preparedness and resilience;

— timely dissemination of data and exchange of information among stakeholders;

— alignment of actions on emerging risks across all aspects of organizational contexts.

vii
© ISO 2023 – All rights reserved
---------------------- Page: 7 ----------------------
TECHNICAL SPECIFICATION ISO/DTS 31050:2023(E)
Risk management — Guidelines for managing emerging
risk to enhance resilience
1 Scope

This document gives guidance on managing emerging risks that an organization can face. It

complements ISO 31000.

This document is applicable to any organization, at any stage and to any activity of the organization. Its

application can be customized to suit different organizations or the context of different organizations.

2 Normative references

The following documents are referred to in the text in such a way that some or all of their content

constitutes requirements of this document. For dated references, only the edition cited applies. For

undated references, the latest edition of the referenced document (including any amendments) applies.

ISO 22300, Security and resilience — Vocabulary

ISO 22316, Security and resilience — Organizational resilience — Principles and attributes

ISO 31000, Risk management — Guidelines
IEC 31010, Risk management — Risk assessment techniques
3 Terms and definitions

For the purposes of this document, the terms and definitions given in ISO 22300, ISO 22316, ISO 31000,

IEC 31010 and the following apply.

ISO and IEC maintain terminology databases for use in standardization at the following addresses:

— ISO Online browsing platform: available at https:// www .iso .org/ obp
— IEC Electropedia: available at https:// www .electropedia .org/
3.1
resilience attribute

feature or characteristic of an organization’s ability to absorb and adapt to a changing context

3.2
knowledge
outcome of the assimilation of information through learning

Note 1 to entry: Knowledge can be acquired through research, experience or education.

Note 2 to entry: Knowledge includes information, facts, principles, theories and practices related to a field of

work or study.

Note 3 to entry: Knowledge can be individual or collective. Collective knowledge is gained from people

collaborating and releasing their tacit and subconscious knowledge.
[SOURCE: ISO 56000:2020, 3.4.1]
© ISO 2023 – All rights reserved
---------------------- Page: 8 ----------------------
ISO/DTS 31050:2023(E)
3.3
intelligence

result of gathering, analysing and interpreting data, information and knowledge (3.2)

Note 1 to entry: Intelligence can be of different kinds, e.g. (but not limited to) market, technology, competition,

intellectual property or business.
[SOURCE: ISO 56006:2021, 3.1]
3.4
organizational resilience
ability of an organization to absorb, recover and adapt in a changing context
[SOURCE: ISO 22300:2021, 3.1.167, modified — “recover” added.]
3.5
radical innovation
breakthrough innovation
innovation with a high degree of change
Note 1 to entry: Change can relate to the entity or its impact.

Note 2 to entry: Radical innovation is at the other end of the continuum to incremental innovation.

[SOURCE: ISO 56000:2020, 3.1.1.1]
3.6
disruptive innovation

innovation initially addressing less demanding needs, displacing established offerings

Note 1 to entry: Compared to established offerings, disruptive innovations are initially simpler offerings with

lower performance and they are generally more cost effective, requiring fewer resources and offered at lower

cost.

Note 2 to entry: Disruption occurs when a significant ratio of users or customers have adopted the innovation.

Note 3 to entry: Disruptive innovations can create new markets and value networks by addressing new users

and deploying new business and value realization models.
[SOURCE: ISO 56000:2020, 3.1.1.2]
4 Emerging risks
4.1 The nature of emerging risks

The nature of emerging risks (see the examples in Annex A and the example of data to be collected

about them in Annex B) can include:

— risks that have not been previously recognized or experienced by an organization;

— familiar risks in a new or unfamiliar context where the existing knowledge is not applicable;

— significantly evolving risk;
— systemic risks (see Annex C);
— a novel combination of risks.

If an organization does not consider emerging risks, it does not mean that the organization will not

be affected. In many cases, it is initially not possible to formulate scenarios of interest in, to estimate

event likelihood, to anticipate consequences or to identify control options. To better understand the

© ISO 2023 – All rights reserved
---------------------- Page: 9 ----------------------
ISO/DTS 31050:2023(E)

nature of the particular emerging risk, the nature of similar risks that are better understood should be

considered.

The above risks can stem from changes of context in which the organization seeks to meet its objectives,

such as:
— organizational relationships;
— access to capital and capabilities;

— interactions or interdependencies with societal, geopolitical, environmental, economic,

technological, legal, perception (see Annex D) and ethical factors;
— the internal governance, cultural and operational aspects of its business.

Emerging risks should be proactively identified and characterized from observing changes in

organizational contexts. Emerging risks are typically represented by a set of new circumstances or

conditions, not previously recognized, or changes in the characteristics of already identified risks. The

changes can be related to, for example:
— societal norms;
— organizational culture;
— perceptions;

— data, or information interpreted from data, about a risk or the way that risk evolves.

NOTE There are occasions when risks emerge with little prior visibility in the context.

4.2 Characterization of emerging risks
4.2.1 General

Effective and efficient management of emerging risk requires the continual acquisition of knowledge

about the organization’s function, context, experience, access to data and emerging risk characteristics

(e.g. by applying the risk intelligence cycle, see Clause 8 and Annex E). The data, information and

knowledge acquired should recorded appropriately (see 6.7 and Annex B).

The following factors can be of particular importance for the new knowledge about emerging risks:

a) possible deviations from the expected outcomes or consequences, either positive or negative, and

their likelihood;
b) sources and nature of risks;
c) other factors, such as the rate of development of risk and detectability.

Where the organization has not previously experienced particular changes in its context, it is

possible that data related to those changes are limited or that all characteristics of emerging risks

are not evident (e.g. for systemic risks, see Annex C). Understanding the characteristics of emerging

risks context depends upon available knowledge relating to nature and source, quantity and time, in

a volatile, uncertain context, complex and ambiguous circumstances. Consequently, the knowledge

acquired can be insufficient to identify changes in characteristics and potential sources of risk or, if an

emerging issue has been identified, to determine the likelihood and consequences of deviations from

expectations.

Due to high uncertainty, the interpretation of data and information can be biased by individual

perceptions (see Annex D).
© ISO 2023 – All rights reserved
---------------------- Page: 10 ----------------------
ISO/DTS 31050:2023(E)

Emerging risk characteristics should be categorized, for example, by considering the following elements:

— knowledge elements, including, for example:
— unknown changes in organizational contexts;
— weak signals of change subject to interpretation and bias;
— insufficient data to determine likelihood and consequences;
— volatility elements, including, for example:
— conditions or circumstances likely to change, rapidly or unpredictably;
— impact of change and consequences of an unknown variable;
— instability of data and information;
— uncertainty elements, including, for example:
— transition from early warnings and signals to emerging risks;
— determination of sources of emerging risks;
— complexity elements, including, for example:
— high level of interconnectedness of systems, parts or processes;
— unknown interdependencies throughout the organization’s context;

— interactions of emerging risks with other risks or activities that can result in non-linear effects;

— the systemic nature of certain risks (see Annex C);
— large degree of complexity of potential decisions and consequences;
— ambiguity elements, including, for example:
— limited data open to multiple interpretations and individual perceptions;
— lack of precedence for the development of knowledge and intelligence;
— lack of clarity on the cause and effect of changes in contexts;
— time dimension elements, including, for example:
— velocity of change in the organization’s context;
— rate of change in characteristics of emerging risks;

— controllability elements, including, for example, the effects of factors out of the organization’s

control, both in internal and external contexts;

— behavioural elements, including, for example, the effects of unexpected changes in contexts, people,

systems or processes (see Annex D).

Not all of the above characteristics apply necessarily to all emerging risks and are not unique to

emerging risks. The above categories, however, do represent a common theme for emerging risks,

which should be considered when managing them.
4.2.2 Knowledge aspects

Knowledge relating to emerging risks should be based on the quantity and quality of data available

and their usability as credible information to support decision-making. In order to manage emerging

© ISO 2023 – All rights reserved
---------------------- Page: 11 ----------------------
ISO/DTS 31050:2023(E)

risks effectively, the use of systems that can gather and interpret data about capabilities, possibilities,

changes and trends in the external context should be considered, taking into account that the knowledge

about emerging risk characteristics and their influence on the organization’s objectives can depend on

the data still missing or that are limited.

It should be noted that in the absence of adequate knowledge, understanding of emerging risks

can be influenced by individual perceptions, cognitive bias, group dynamics, misinformation or

misinterpretation, preventing the reliable assessment of likelihoods and consequences. In such cases,

[4]

the focus of managing emerging risks should be on assessing their plausibility and enhancing the

[5]
organization’s resilience .

As emerging risks evolve, knowledge about them and their characteristics also evolves with time.

NOTE Initially, there can be little understanding of the potential for issues arising from particular

circumstances. As data and information are collected and interpreted, knowledge increases, enabling

organizations to identify emerging risks and make decisions about their potent
...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.

This May Also Interest You

ISO
ISO 31073:2022(Main)
Risk management — Vocabulary

This document defines generic terms related to the management of risks faced by organizations.

  • Standard
    10 pages
    English language
    sale 15% off
  • Standard
    11 pages
    French language
    sale 15% off
  • Draft
    10 pages
    English language
    sale 15% off
  • Draft
    13 pages
    French language
    sale 15% off
ISO
ISO 31030:2021(Main)
Travel risk management — Guidance for organizations
SIST ISO 31030:2021

This document gives guidance to organizations on how to manage the risk(s), to the organization and its travellers, as a result of undertaking travel. This document provides a structured approach to the development, implementation, evaluation and review of: policy; programme development; threat and hazard identification; opportunities and strengths; risk assessment; prevention and mitigation strategies. This document is applicable to any type of organization, irrespective of sector or size, including but not limited to: commercial organizations; charitable and not-for-profit organizations; governmental organizations; non-governmental organizations; educational organizations. This document does not apply to tourism and leisure-related travel, except in relation to travellers travelling on behalf of the organization.

  • Standard
    56 pages
    English language
    sale 10% off
    e-Library read for
    1 day
  • Standard
    48 pages
    English language
    sale 15% off
  • Standard
    52 pages
    French language
    sale 15% off
  • Draft
    56 pages
    English language
    sale 10% off
    e-Library read for
    1 day
  • Draft
    48 pages
    English language
    sale 15% off
  • Draft
    48 pages
    French language
    sale 15% off
ISO
ISO 31022:2020(Main)
Risk management — Guidelines for the management of legal risk

This document gives guidelines for managing the specific challenges of legal risk faced by organizations, as a complementary document to ISO 31000. The application of these guidelines can be customized to any organization and its context. This document provides a common approach to the management of legal risk and is not industry or sector specific.

  • Standard
    31 pages
    English language
    sale 15% off
  • Standard
    34 pages
    French language
    sale 15% off
ISO
IWA 31:2020(Main)
Risk management — Guidelines on using ISO 31000 in management systems

This document gives guidelines for integrating and using ISO 31000 in organizations that have implemented one or more ISO and IEC Management System Standards (MSS), or that have decided to undertake a project implementing one or more MSS incorporating ISO 31000. This document explains how the clauses of ISO 31000 relate to the high level structure (HLS) for MSS. This document does not provide guidance on implementing a management system in general. It does not specify requirements of a MSS. It does not provide a summary of ISO 31000; however, it does, as explained above, provide the background for understanding ISO 31000. Using this document does not remove the need to use other standards to address specific aspects of risk.

  • Standard
    14 pages
    English language
    sale 15% off
  • Standard
    16 pages
    French language
    sale 15% off
  • Standard
    16 pages
    French language
    sale 15% off
ISO
IEC 31010:2019(Main)
Risk management — Risk assessment techniques

IEC 31010:2019 is published as a double logo standard with ISO and provides guidance on the selection and application of techniques for assessing risk in a wide range of situations. The techniques are used to assist in making decisions where there is uncertainty, to provide information about particular risks and as part of a process for managing risk. The document provides summaries of a range of techniques, with references to other documents where the techniques are described in more detail. This second edition cancels and replaces the first edition published in 2009. This edition constitutes a technical revision. This edition includes the following significant technical changes with respect to the previous edition: • more detail is given on the process of planning, implementing, verifying and validating the use of the techniques; • the number and range of application of the techniques has been increased; • the concepts covered in ISO 31000 are no longer repeated in this standard. Keywords: uncertainty, risk management

  • Standard
    100 pages
    English language
    sale 15% off
ISO
ISO 31000:2018(Main)
Risk management — Guidelines
SIST ISO 31000:2018

ISO 31000:2018 provides guidelines on managing risk faced by organizations. The application of these guidelines can be customized to any organization and its context. ISO 31000:2018 provides a common approach to managing any type of risk and is not industry or sector specific. ISO 31000:2018 can be used throughout the life of the organization and can be applied to any activity, including decision-making at all levels.

  • Standard
    21 pages
    English language
    sale 10% off
    e-Library read for
    1 day
  • Standard
    19 pages
    English language
    sale 15% off
  • Standard
    16 pages
    English language
    sale 15% off
  • Standard
    16 pages
    English language
    sale 15% off
  • Standard
    16 pages
    French language
    sale 15% off
  • Standard
    16 pages
    French language
    sale 15% off
  • Standard
    16 pages
    Spanish language
    sale 15% off
  • Standard – translation
    31 pages
    Slovenian and English language
    sale 10% off
    e-Library read for
    1 day
  • Draft
    22 pages
    English language
    sale 10% off
    e-Library read for
    1 day
ISO
ISO 22342:2023(Main)
Security and resilience — Protective security — Guidelines for the development of a security plan for an organization

This document gives guidance on developing and maintaining security plans. The security plan describes how an organization establishes effective security planning and how it can integrate security within organizational risk management practices. This document is applicable to all organizations regardless of type, size and nature, whether in the private, public or not-for-profit sectors, that wish to develop effective security plans in a consistent manner. This document is applicable to any organization intending to implement measures designed to protect their assets against malicious acts and mitigate their associated risks. This document does not provide specific criteria for identifying the need to implement or enhance prevention and protection measures against malicious acts. It does not apply to services and operations delivered by private security companies.

  • Standard
    11 pages
    English language
    sale 15% off
  • Standard
    12 pages
    French language
    sale 15% off
  • Draft
    11 pages
    English language
    sale 15% off
  • Draft
    11 pages
    English language
    sale 15% off
  • Draft
    13 pages
    French language
    sale 15% off
ISO
ISO 22393:2023(Main)
Security and resilience — Community resilience — Guidelines for planning recovery and renewal

This document gives guidance on how to develop meaningful recovery activities and renewal initiatives from any type of major emergency, disaster or crisis, no matter what type of impact or damage it has. It provides guidelines on how to identify the short-term, transactional activities needed to reflect and learn, review preparedness of parts of the system impacted by the crisis, and reinstate operations to build preparedness to future emergencies. It distinguishes a longer-term perspective, called “renewal”, and provides guidelines on how to identify visionary initiatives to be addressed through transformation to change lives and futures. The guidelines cover how, in both recovery and renewal, there is a need to identify scalable activity on people, places, processes, power and partners. This document is applicable to all organizations, particularly those involved in recovery and renewal and that are responsible for human welfare and community development (e.g. public, voluntary, community and social enterprise sectors).

  • Standard
    39 pages
    English language
    sale 15% off
  • Draft
    39 pages
    English language
    sale 15% off
  • Draft
    39 pages
    English language
    sale 15% off
ISO
ISO 22385:2023(Main)
Security and resilience — Authenticity, integrity and trust for products and documents — Guidelines to establish a framework for trust and interoperability

This document establishes a framework for a trustworthy environment for information processing and communication that protects integrity along the supply chain of physical and related electronic documents, products, software and services life cycle to mitigate product fraud and counterfeit goods, by using object identification techniques. This document gives guidelines to establish a framework for ensuring trust, interoperability and interoperation via secure and reliable electronically signed encoded data set (ESEDS) schemes for multi-actor applications which are even applicable in multi-sector environment. This document does not interfere with existing traceability and identification and authentication systems but is able to support interoperations between them by introducing an ESEDS scheme.

  • Standard
    16 pages
    English language
    sale 15% off
  • Standard
    16 pages
    French language
    sale 15% off
ISO
ISO/TR 31700-2:2023(Main)
Consumer protection — Privacy by design for consumer goods and services — Part 2: Use cases

This document provides illustrative use cases, with associated analysis, chosen to assist in understanding the requirements of 31700-1. The intended audience includes engineers and practitioners who are involved in the development, implementation or operation of digitally enabled consumer goods and services.

  • Technical report
    31 pages
    English language
    sale 15% off
  • Draft
    31 pages
    English language
    sale 15% off
  • Draft
    31 pages
    English language
    sale 15% off