Emerging risks don’t announce themselves with a bang. They creep in through backdoors—new technologies, market shifts, regulatory ripples, human shortcuts. In fast-growing companies, where the pace is high and structure is light, the real danger isn’t what you don’t know; it’s what no one’s looking for.

This Playbook offers a sharper lens: a multi-layered mental model to help leaders anticipate, interrogate, and act on the risks that don’t fit neatly into a register.

Why emerging risk is so often missed

Emerging risk isn’t just about unknown unknowns or black swan events. It’s about the second-order effects of change—new technologies, rapid scaling, external pressures—that outpace your ability to adapt, monitor, or govern. These risks often stem from within the business, not just the outside world.

Here’s why they’re easy to miss:

• Speed > certainty: Fast-growth environments optimise for momentum. The cost of delay is clear; the cost of unmitigated risk is deferred.

• Fragmented accountability: No one “owns” the unknowns. They fall between strategy, ops, and compliance. For example: Who owns AI risk? Product? IT? Legal?

• False confidence in frameworks: Traditional ERM processes—RCSA, bowties, risk registers—aren’t designed for ambiguity or pace. They look backwards or sideways, not forward.

• Tech, talent, and trade-offs: AI, third-party dependencies, new markets—risk increasingly arises from innovation itself.

• Misaligned incentives: Execution targets, OKRs, and commercial urgency can create blind spots and brittle decisions. The sales team closes a risky client. The product team ships before the auth process is built.

It’s not just about spotting the risk. It’s about how fast your organisation can metabolise uncertainty.

The mental model: three interlocking layers

This isn’t a checklist, nor will it expose every possible risk. Instead, it’s a mental model designed for reflection. These three interlocking lenses can help you spot risk that emerges through growth, change, and complexity.

1. Exposure

What are we newly exposed to?

• New activities (e.g. AI-powered features, API integrations, offshore contractors)

• New stakeholders (regulators, activists, suppliers, users, adversarial actors)

• New thresholds (volume, scale, velocity)

💡 This layer is about mapping surface area, not risk ratings. It’s about noticing where the business model has quietly shifted.

Prompting questions:

• What’s changed in how we operate?

• What are we doing now that we weren’t 12 months ago?

• What parts of the business are outpacing our policies?

2. Fragility

Where are we increasingly brittle?

• Single points of failure (e.g. one vendor, one person, one workaround)

• Informal process dependencies (e.g. “Jen always handles that”)

• Cultural fragility (e.g. silos, reluctance to escalate, founder dependency)

• Incentive fragility (e.g. targets that drive risky behaviour or quiet bad news)

💡 This layer is about system stress-testing. Fragility is what turns exposure into incidents.

Prompting Questions:

• Where are we relying on goodwill or informal workarounds?

• What would break if that person left tomorrow?

• Where are people incentivised to move fast, but not flag problems?

3. Blindness

Where are we flying blind?

This is the hidden layer—risk you’re not even thinking about yet. You can’t manage what you’re not looking at.

• Data latency: Reporting lags, vanity metrics, or dashboards that show what happened, not what’s brewing.

• Assumptions that go untested: “We’d know if something went wrong.” Would you? Who would tell you?

• Narrative anchoring: Leaders sticking to a storyline that’s no longer true: “We’re lean and agile” or “We’ve de-risked the model.”

• Over-rotation to familiar risks: Fixating on phishing while ignoring synthetic media, or drilling into compliance while culture is decaying.

• Deliberate blindness: Metrics that no one wants to surface. Risks that are tolerated because fixing them would slow down progress.

💡 Blindness is where leadership courage and cultural honesty matter most. The goal here is to see what your system is designed to ignore.

Prompting Questions:

• What weak signals are we missing?

• Where do we assume things are “fine” without evidence?

• Are we incentivising truth-telling or quiet compliance?

Real-world signals

1. AI gone wild
   A scaling SaaS business deploys a customer-facing AI tool without strong monitoring of how it learns. Bias, hallucination, and regulatory questions follow.

→ Blindness to model drift, fragility in decision auditability.

2. The licensing loop
   A fintech enters a cross-border data partnership assuming its UK regulatory licence extends to all new use cases. Turns out, the arrangement technically triggers licensing or consent requirements in another jurisdiction.

→ Exposure via cross-border complexity, blindness in edge-case legal interpretations.

3. The burnout bottleneck
   A high-growth tech-enabled logistics company realises that one person in ops is holding the company together. When they leave, critical processes stall.

→ Cultural fragility, informal risk ownership.

4. Sales vs sanity
   A revenue team hits targets by onboarding large clients without proper diligence. Six months later, service fails, and the client exits noisily.

→ Exposure from client complexity, incentive misalignment, and blindness to operational impact.

How to use this model

This is a reflection tool for founders, CFOs, and anyone with executive or board-level oversight.

• Pressure-test growth narratives: Ask which assumptions are out-of-date, and what’s growing faster than your oversight.

• Cross-functional risk sprint: Invite product, ops, legal, and finance to map exposures across domains.

• Monthly or quarterly reviews: Use the model to surface weak signals during exec sessions, where discussions often default to performance metrics.

• Pre-mortem lens: Apply the layers before major launches or pivots to uncover second-order risks.

The bottom line

Emerging risk isn’t just a compliance challenge. It’s a leadership one.

The businesses that weather uncertainty best aren’t those that predict every risk—they’re the ones that notice shifts early, act fast, and stay structurally honest.

You don’t need to see around every corner. But you do need to design a company that notices when the ground shifts under its feet.

This checklist flips the usual approach. Instead of building from policies upward, we work backwards from the moment of impact. Think of it as a pressure test: if a major claim landed today, how well would your strategy hold up?

1. Start at the end: walk through a hypothetical claim

Forget hypotheticals; get specific. Take a material loss scenario (fire, cyber attack, product recall, serious injury) and walk through it in detail.

✅ Have we simulated what a material claim might look like for each key policy?

✅ Have we set explicit, board-approved thresholds for what constitutes a “material” loss in each risk category (e.g., property, cyber, liability)—both in dollar terms and operational impact?

✅ Who’s likely to identify the incident first? Would they know what to do next?

✅ Do we have the right information flow in place to quickly trigger a claim?

Tip: Tabletop exercises reveal more than strategy documents ever will. Run one and watch where friction shows up.

2. Review policy wordings against real-world events

Now map your policy documents against your messy operating environment.

✅ Do the triggers and definitions reflect how we’d actually describe the event?

✅ Are our sums insured and policy limits regularly updated to reflect current asset values, revenue, and business scale?

Warning: Underinsurance is a leading cause of claim shortfall, especially for fast-growing businesses. If your cover hasn’t kept pace with your growth, even a successful claim could leave you exposed to significant out-of-pocket costs.

✅ Are there grey areas or vague triggers (e.g. “unforeseen,” “sudden,” “malicious”)?

✅ Have we tested exclusions using real examples from our business?

✅ Would indemnity periods, limits, and sublimits hold up under our current operations?

✅ Are we relying too much on extensions or endorsements to fill core coverage gaps?

E.g.: Would our cyber BI policy respond if a third-party SaaS outage took us offline? And how would we prove causation?

✅ Do we have a process in place to review and update our insurance program whenever there are material changes, such as new locations, product launches, acquisitions, or entry into new markets?

Tip: Many claims are denied or reduced because policies weren’t updated after business changes. Schedule policy reviews after any major operational shift—not just at annual renewal.

3. Map claim ownership and documentation gaps

Claims don’t fail because something went wrong, they fail because no one can prove what happened.

✅ Who owns the claims process internally (beyond initial notification)?

✅ Are we clear on who prepares claim files, liaises with adjusters, and controls messaging?

✅ Have we documented key workflows for evidence collection, incident logs, and financial loss tracking?

✅ Can we reconstruct timelines from systems, emails, and decision logs under pressure?

✅ Are we capturing costs that may be recoverable under claim preparation or loss mitigation clauses?

4. Challenge broker and insurer alignment

This is where many programs fall short—not due to bad intent, but because no one asked hard questions.

✅ Does our broker proactively test our policies against emerging risks and real scenarios?

✅ Have we had a claims-focused review? Or just a renewal meeting?

✅ Do we know who will represent us in a claim, and do we trust them?

✅ Are we relying on assumed market norms that don’t hold up when contested?

✅ Have we seen how similar claims played out across the market?

5. Test strategic fit and appetite alignment

Insurance should match your risk appetite, not misrepresent it.

✅ Does our program reflect our operational reality?

✅ Are there legacy covers in place that no longer match how we work?

✅ Have we adjusted for changes in scale, geography, tech infrastructure, or supply chain risk?

✅ Are emerging exposures (e.g. ESG litigation, regulatory change, digital dependencies) covered?

Final check: could we move at claims speed?

When a major incident occurs, speed and clarity of response can make or break your claim. Even the best policy won’t help if notification is delayed or evidence is lost. Claims are just as likely to fail on execution as on policy wording. Test both.

✅ Do key people know how to notify and escalate a claim right now?

✅ Is our notification process fast, documented, and easily actioned under stress?

✅ Do we have legal, PR, finance, and operational responses aligned in advance?

✅ Have we captured lessons from near misses, small claims, or industry events?

Wrap-up

Most businesses only see the cracks in their risk strategy after a claim. The smart ones reverse the lens early.

This checklist is designed for leaders who are accountable for their organisation’s resilience. Use it to uncover blind spots, challenge assumptions, and ensure your risk strategy holds up under real-world pressure.