A 3-Layer Mental Model for Emerging Risk
Seeing around corners in fast-moving businesses
Rethinking risk
Emerging risks don’t announce themselves with a bang. They creep in through backdoors—new technologies, market shifts, regulatory ripples, human shortcuts. In fast-growing companies, where the pace is high and structure is light, the real danger isn’t what you don’t know; it’s what no one’s looking for.
This Playbook offers a sharper lens: a multi-layered mental model to help leaders anticipate, interrogate, and act on the risks that don’t fit neatly into a register.
Why emerging risk is so often missed
Emerging risk isn’t just about unknown unknowns or black swan events. It’s about the second-order effects of change—new technologies, rapid scaling, external pressures—that outpace your ability to adapt, monitor, or govern. These risks often stem from within the business, not just the outside world.
Here’s why they’re easy to miss:
Speed > certainty: Fast-growth environments optimise for momentum. The cost of delay is clear; the cost of unmitigated risk is deferred.
Fragmented accountability: No one “owns” the unknowns. They fall between strategy, ops, and compliance. For example: Who owns AI risk? Product? IT? Legal?
False confidence in frameworks: Traditional ERM processes—RCSA, bowties, risk registers—aren’t designed for ambiguity or pace. They look backwards or sideways, not forward.
Tech, talent, and trade-offs: AI, third-party dependencies, new markets—risk increasingly arises from innovation itself.
Misaligned incentives: Execution targets, OKRs, and commercial urgency can create blind spots and brittle decisions. The sales team closes a risky client. The product team ships before the auth process is built.
It’s not just about spotting the risk. It’s about how fast your organisation can metabolise uncertainty.
The mental model: three interlocking layers
This isn’t a checklist, nor will it expose every possible risk. Instead, it’s a mental model designed for reflection. These three interlocking lenses can help you spot risk that emerges through growth, change, and complexity.
1. Exposure
What are we newly exposed to?
New activities (e.g. AI-powered features, API integrations, offshore contractors)
New stakeholders (regulators, activists, suppliers, users, adversarial actors)
New thresholds (volume, scale, velocity)
💡 This layer is about mapping surface area, not risk ratings. It’s about noticing where the business model has quietly shifted.
Prompting questions:
What’s changed in how we operate?
What are we doing now that we weren’t 12 months ago?
What parts of the business are outpacing our policies?
2. Fragility
Where are we increasingly brittle?
Single points of failure (e.g. one vendor, one person, one workaround)
Informal process dependencies (e.g. “Jen always handles that”)
Cultural fragility (e.g. silos, reluctance to escalate, founder dependency)
Incentive fragility (e.g. targets that drive risky behaviour or quiet bad news)
💡 This layer is about system stress-testing. Fragility is what turns exposure into incidents.
Prompting questions:
Where are we relying on goodwill or informal workarounds?
What would break if that person left tomorrow?
Where are people incentivised to move fast, but not flag problems?
3. Blindness
Where are we flying blind?
This is the hidden layer—risk you’re not even thinking about yet. You can’t manage what you’re not looking at.
Data latency: Reporting lags, vanity metrics, or dashboards that show what happened, not what’s brewing.
Assumptions that go untested: “We’d know if something went wrong.” Would you? Who would tell you?
Narrative anchoring: Leaders sticking to a storyline that’s no longer true: “We’re lean and agile” or “We’ve de-risked the model.”
Over-rotation to familiar risks: Fixating on phishing while ignoring synthetic media, or drilling into compliance while culture is decaying.
Deliberate blindness: Metrics that no one wants to surface. Risks that are tolerated because fixing them would slow down progress.
💡 Blindness is where leadership courage and cultural honesty matter most. The goal here is to see what your system is designed to ignore.
Prompting questions:
What weak signals are we missing?
Where do we assume things are “fine” without evidence?
Are we incentivising truth-telling or quiet compliance?
Real-world signals
AI gone wild
A scaling SaaS business deploys a customer-facing AI tool without strong monitoring of how it learns. Bias, hallucination, and regulatory questions follow.
→ Blindness to model drift, fragility in decision auditability.
The licensing loop
A fintech enters a cross-border data partnership assuming its UK regulatory licence extends to all new use cases. Turns out, the arrangement technically triggers licensing or consent requirements in another jurisdiction.
→ Exposure via cross-border complexity, blindness in edge-case legal interpretations.
The burnout bottleneck
A high-growth tech-enabled logistics company realises that one person in ops is holding the company together. When they leave, critical processes stall.
→ Cultural fragility, informal risk ownership.
Sales vs sanity
A revenue team hits targets by onboarding large clients without proper diligence. Six months later, service fails, and the client exits noisily.
→ Exposure from client complexity, incentive misalignment, and blindness to operational impact.
How to use this model
This is a reflection tool for founders, CFOs, and anyone with executive or board-level oversight.
Pressure-test growth narratives: Ask which assumptions are out-of-date, and what’s growing faster than your oversight.
Cross-functional risk sprint: Invite product, ops, legal, and finance to map exposures across domains.
Monthly or quarterly reviews: Use the model to surface weak signals during exec sessions, where discussions often default to performance metrics.
Pre-mortem lens: Apply the layers before major launches or pivots to uncover second-order risks.
The bottom line
Emerging risk isn’t just a compliance challenge. It’s a leadership one.
The businesses that weather uncertainty best aren’t those that predict every risk—they’re the ones that notice shifts early, act fast, and stay structurally honest.
You don’t need to see around every corner. But you do need to design a company that notices when the ground shifts under its feet.