Moving beyond black swans
Across industries, leaders face a landscape that is more volatile and interconnected than ever. From cyber-physical convergence to climate extremes, geopolitical fragmentation, and technology-enabled threats, disruption is no longer occasional, it is the baseline.
Amid this environment, the term “Black Swan” still circulates widely as leaders are surprised by what feel like overwhelming emerging risks and shifting global trends, and find themselves looking for answers and that next big shock event in the aftermath.
Yet in today’s interconnected world, many so-called emerging risks are neither unpredictable, unknowable or deserve the “Black Swan” label. They are risks that have been modelled, analyzed, and repeatedly warned about but too often remain underprioritized, siloed or disconnected from strategic planning.
Emerging risks remain underprioritized on many risk registers. Why? Because emerging risks feel misaligned with priorities, are hard to own by a single team, feel diffuse and or haven’t happened yet. Despite detailed modelling and scenario tools, many organizations remain underprepared.
We might suggest that rather than compiling lists of risks or modelling likelihood and impact in isolation, organizations must focus on building resilience by going beyond understanding individual risks on the register to mapping their interconnections, assessing their implications for organizational capacity, and implementing frameworks that enable effective response and recovery.
Disruption isn’t the surprise – as revealed in the findings of WTW’s Emerging and Interconnected Risks survey – it’s the standard. The real risk is failing to evolve beyond traditional risk approaches that consider risks in silos. It’s time to stop mythologizing risk and start mastering it. So, in this insight, we examine:
Nassim Taleb’s definition of a black swan requires unpredictability, extreme impact, and retrospective rationalization. However, most recent high-impact disruptions that have driven attention – pandemics, geopolitical crises, record breaking wildfires – all fail to meet this definition.
| Disruption | Misindentified swans |
|---|---|
|
The 2008 financial crisis? |
Warnings about housing market instability had been circulating for years. |
| COVID-19? | Global health agencies had modeled pandemic risks long before 2020. |
Consider systemic cyberattacks, an event described as a black swan event because it hasn’t happened yet. Research by the Cambridge Centre for Risk Studies demonstrates that a sustained global attack on payment systems could inflict $3.5 trillion in economic losses over five years, rising to $16 trillion in a worst-case scenario. While many would see this as a black swan and the value at risk unthinkable, it’s not just a hypothetical – the likelihood for that worst-case scenario is 1:1,000 years.
As soon as you identify and prepare often for a systemic level risk, it's no longer unknown, and no longer meets the definition. In truth, many of these so-called black swans weren’t unpredictable – they were unattended. They reveal more about organizational readiness and governance failures than randomness.
“Across August and September, a swarm of jellyfish caused major disruption twice at one of France's largest nuclear power plants. This has been the classic Black Jellyfish risk case study, but after multiple incidents across the world since the 1990s this risk is now the elephant in the room.”
Lucy Stanbrough | Head of Emerging Risks, Willis Research Network
Consider this: one person’s “Black Swan” may be another’s “Grey Rhino”, “Elephant in the Room” or “Black Jellyfish”. It’s not just about the event or risk label, it’s about who saw it coming, who didn’t, and why.
“Across August and September, a swarm of jellyfish caused major disruption twice at one of France's largest nuclear power plants. This has been the classic Black Jellyfish risk case study, but after multiple incidents across the world since the 1990s this risk is now the elephant in the room.” Lucy Stanbrough, Head of Emerging Risks, Willis Research Network
Labelling disruption as unforeseeable can become an excuse. It paralyzes decision-making and shifts accountability away from foresight and toward fatalism. This framing matters. Organizations that cling to the myth of unforeseeable emerging risks miss the opportunity to integrate resilience into strategy, rather than treating risk as a set of isolated items to be documented and monitored.
Traditional risk management remains rooted in approaches that no longer reflect the reality of today’s interconnected world. Risk registers continue to capture threats in isolation, often as static lists, with little consideration of how they connect to wider business strategy or interact with other risks across the enterprise.
Probability and severity modelling still dominates decision-making, prioritizing the most frequent or individually impactful events, but neglecting the complex, systemic interactions that can transform moderate risks into existential threats. Even when controls are in place, they tend to focus on prevention rather than building the adaptive capacity needed to withstand and recover from disruption.
This reliance on traditional approaches leaves organizations exposed in four critical ways.
Emerging risks are no longer discrete, independent events. In our interconnected risk survey, research showed that 333 executives shared 752 emerging risks and mapped more than 1,606 connections between the 48 survey risks.
The top themes illustrate both scale and interconnection complicating decision making:
Technology requires enterprise-wide alignment across risk and strategy. Developments in AI are reshaping the risk and opportunity for large and complex organizations, while cyber risks continue to evolve and more digital touchpoints are hardwired into your assets. These trends are triggering changes in cybersecurity requirements, talents strategies and investment opportunities. Specialized expertise, robust cybersecurity and real-time visibility of your risks is critical to protect sensitive information and maintain stakeholder trust across timezones.
Running a complex global business involves navigating the geopolitical shifting geopolitical alignments, political instability and regulatory fragmentation. These risks can trigger sudden changes in laws, tariffs or even asset expropriation — directly affecting operations, profitability and strategic planning. A clear understanding of geopolitical and political risk enables more informed decisions, enhance resilience and maintain a competitive edge in dynamic global markets. Respondents identified 259 geopolitical connections covering 36 of the 48 survey risks.
Natural catastrophe insured losses have exceeded $100 billion annually for the last six years, environmental volatility is growing and regulatory expectations continue to evolve. These risks have always been present but the impact of their reach into social stability, workplace wellbeing, supply chains and economic security is becoming increasingly apparent. For large and complex organizations with assets across the world, these risks require coordinated action to safeguard people and capital while balancing competing strategic priorities. For some, this will mean a new realism.
1 in 5 (18%) global respondents see natural catastrophe events as one of their top 5 drivers of emerging risks in the next two years
In just the past five years, large and complex organizations have had to think about – and try to finance – risks ranging from AI, climate change and cyber, to geopolitical developments and societal shifts in labor. These trends are disrupting supply chains, altering capital flows and challenging strategic planning, creating a complex web of interconnected financial risks that affect everything from operational continuity to shareholder confidence. Understanding the full risk picture, including insurance gaps and regulatory exposure, enables more informed decisions and supports sustainable growth in uncertain markets.
Economic outlook was the #1 risk chosen most often as part of a risk combination.
From determining how work gets done and how it’s valued to considering population dynamics and what that means for talent strategies, people risks are a critical factor for large and complex organizations. Securing the right skills, maintaining wellbeing and adapting to societal changes underpin the ability to respond to other risks. Strategic workforce planning, inclusive culture, and investment in skills and wellbeing are essential to build a resilient, future-ready organization.
“Human capital perspective threads throughout the reasons why risks were chosen. Respondents chose AI and described the impact of genAI knowledge as a potential flight risk. By only focusing on single risk labels organizations miss opportunities to enable internal connectivity.” Lucy Stanbrough, Head of Emerging Risks, Willis Research Network
Risks are visible but disconnected from action and leaving organizations exposed. The survey revealed key strategic vulnerabilities:
“Human capital perspective threads throughout the reasons why risks were chosen. Respondents chose AI and described the impact of genAI knowledge as a potential flight risk. By only focusing on single risk labels organizations miss opportunities to enable internal connectivity.”
Lucy Stanbrough | Head of Emerging Risks, Willis Research Network
If disruption is now the baseline, the question for leaders becomes: how do we prepare for the inevitable, and adapt when events collide? Resilience must be the organizational lens through which emerging risks are viewed.
This requires three shifts:
01
The importance of building an emerging risk process linked to your business model cannot be emphasized enough. Involve a broad range of internal and external stakeholders in risk identification and management processes, with an emphasis on cross-sectoral communication and identifying improvements at an operational and strategic level. Ensure that these stakeholders are engaged early and regularly in the risk management process.
“Begin your process by understanding the risk profile, appetite and tolerance of your organization.”
Jennifer Caldarella | Managing Director Willis Large Accounts
“Begin your process by understanding the risk profile, appetite and tolerance of your organization.” Jennifer Caldarella, Managing Director Willis Large Accounts.
Does your organization define acceptable risk and are the thresholds consistent?
How your organization thinks about cyber threats and its’ effect on supply chain and business interruption but what about the effect on people and performance?
Defining your risk appetite is essential to a resilient and optimized strategy.
Reviewing emerging risks is also about considering opportunities and your competitive advantage. Changing markets, designing new products and prioritizing strategic growth are all activities taking advantage of emerging risks.
02
Just as no risk operates in isolation, leaders increasingly need to have a wider understanding of impacts beyond their function – that requires shared understanding and an approach that brings risk management decision making and financial priorities together.
Tools such as risk reporting dashboards populated with live risk information can help you more easily filter risk information based on risk category, impact and other categories can help you identify and develop connections between risks. Consider more creative approaches, such as surveying relevant stakeholders to capture insight into underappreciated or unforeseen risk connections or creating scenario exercises simulating one or more risks to explore any potential domino effects. You can also consider multi-layered models that explore cascading effects, use backcasting to learn from past failures, analyze second- and third-order impacts, and leverage generative AI to simulate edge cases.
03
Design a framework with built-in repeatability and continuous review as new risks and interdependencies emerge, possibly owned by a steering group with clear responsibility for keeping on top of interconnected risks in a systematic way and developing an adaptive risk management strategy to remain on track.
Conduct ‘After Action Reviews’ to learn from events that impact your business in a positive and negative way.
Ensure concrete actions and consider where controls may need to be updated mid-risk lifecycle, centralize insights, and align lessons with capital protection and innovation. This shifts resilience from reaction to design.
What does this look like in practice? A leading global technology and internet services provider faced significant challenges in assessing the risk of downtime across its extensive network of data centers. Traditional risk assessment tools were inadequate, as they failed to account for the interdependencies among data centers and the potential for simultaneous disruptions due to shared vulnerabilities.
Challenge: The company needed a comprehensive understanding of the vulnerabilities within its data center clusters to make informed decisions about operational planning, risk mitigation, and to provide due diligence to its customers. The primary concern was the risk of a single event impacting multiple data centers simultaneously, leading to widespread service interruptions.
Solution: WTW specialists developed a bespoke shared fate resilience assessment tool tailored to the company's needs. This tool utilized advanced models, including the Global Peril Diagnostic and catastrophe models, to assess current hazards, and the Climate Diagnostic to evaluate the potential impact of chronic hazards such as drought and heat stress on water resources and utilities. The assessment considered various threats, including natural catastrophes, utilities and power outages, proximity to high-risk locations, and geopolitical risks.
The solution provided detailed insights into the vulnerabilities of each data center, generating numerical risk scores that allowed the company to prioritize and allocate resources effectively. Additionally, cluster risk scores were developed to understand and compare the cumulative impact of a single event across multiple data centers.
Outcome: By adopting this interconnected risk assessment approach, the company enhanced its ability to anticipate and mitigate potential disruptions. The insights gained enabled better strategic planning and more effective responses to interconnected and emerging threats, ensuring greater resilience and uptime for its data center operations.
Disruption is now standard; the real differentiator is resilience embedded into strategy, systems, and culture. The question for boards is no longer: “which risks can we insure?” it is: “where do we need to build resilience and how quickly can we adapt?”
Organizations that master this mindset will not only survive shocks, but they will also define the future beyond them.
Want to learn more? Reach out to our specialists.
WTW hopes you found the general information provided here informative and helpful. The information contained herein is not intended to constitute legal or other professional advice and should not be relied upon in lieu of consultation with your own legal advisors. In the event you would like more information regarding your insurance coverage, please do not hesitate to reach out to us. In North America, WTW offers insurance products through licensed entities, including Willis Towers Watson Northeast, Inc. (in the United States) and Willis Canada Inc. (in Canada).
