Articles - Resilience in a world of interconnected risk

 By Jennifer Caldarella, Managing Director, Global Large Account Strategy, WTW and Lucy Stanbrough, Head of Emerging Risks, Willis Research Network 

 Amid this environment, the term “Black Swan” still circulates widely as leaders are surprised by what feel like overwhelming emerging risks and shifting global trends, and find themselves looking for answers and that next big shock event in the aftermath.

 Yet in today’s interconnected world, many so-called emerging risks are neither unpredictable, unknowable or deserve the “Black Swan” label. They are risks that have been modelled, analyzed, and repeatedly warned about but too often remain underprioritized, siloed or disconnected from strategic planning.

 Emerging risks remain underprioritized on many risk registers. Why? Because emerging risks feel misaligned with priorities, are hard to own by a single team, feel diffuse and or haven’t happened yet. Despite detailed modelling and scenario tools, many organizations remain underprepared.

 We might suggest that rather than compiling lists of risks or modelling likelihood and impact in isolation, organizations must focus on building resilience by going beyond understanding individual risks on the register to mapping their interconnections, assessing their implications for organizational capacity, and implementing frameworks that enable effective response and recovery.

 Disruption isn’t the surprise – as revealed in the findings of WTW’s Emerging and Interconnected Risks survey – it’s the standard. The real risk is failing to evolve beyond traditional risk approaches that consider risks in silos. It’s time to stop mythologizing risk and start mastering it. So, in this insight, we examine:

 Why traditional “Black Swan” thinking is no longer sufficient
 The limitations of siloed approaches
 The evolving landscape of emerging risks
 Putting interconnectivity front and center: three actions to prepare for the emerging risk landscape

 Why traditional “black swan” thinking is no longer sufficient
 Nassim Taleb’s definition of a black swan requires unpredictability, extreme impact, and retrospective rationalization. However, most recent high-impact disruptions that have driven attention – pandemics, geopolitical crises, record breaking wildfires – all fail to meet this definition.

 Misidentified swans in two large events.
  

 Consider systemic cyberattacks, an event described as a black swan event because it hasn’t happened yet. Research by the Cambridge Centre for Risk Studies demonstrates that a sustained global attack on payment systems could inflict $3.5 trillion in economic losses over five years, rising to $16 trillion in a worst-case scenario. While many would see this as a black swan and the value at risk unthinkable, it’s not just a hypothetical – the likelihood for that worst-case scenario is 1:1,000 years.

 As soon as you identify and prepare often for a systemic level risk, it's no longer unknown, and no longer meets the definition. In truth, many of these so-called black swans weren’t unpredictable – they were unattended. They reveal more about organizational readiness and governance failures than randomness.

 Consider this: one person’s “Black Swan” may be another’s “Grey Rhino”, “Elephant in the Room” or “Black Jellyfish”. It’s not just about the event or risk label, it’s about who saw it coming, who didn’t, and why.

 “Across August and September, a swarm of jellyfish caused major disruption twice at one of France's largest nuclear power plants. This has been the classic Black Jellyfish risk case study, but after multiple incidents across the world since the 1990s this risk is now the elephant in the room.” Lucy Stanbrough, Head of Emerging Risks, Willis Research Network

 Labelling disruption as unforeseeable can become an excuse. It paralyzes decision-making and shifts accountability away from foresight and toward fatalism. This framing matters. Organizations that cling to the myth of unforeseeable emerging risks miss the opportunity to integrate resilience into strategy, rather than treating risk as a set of isolated items to be documented and monitored.

 The limitations of siloed approaches
 Traditional risk management remains rooted in approaches that no longer reflect the reality of today’s interconnected world. Risk registers continue to capture threats in isolation, often as static lists, with little consideration of how they connect to wider business strategy or interact with other risks across the enterprise.

 Probability and severity modelling still dominates decision-making, prioritizing the most frequent or individually impactful events, but neglecting the complex, systemic interactions that can transform moderate risks into existential threats. Even when controls are in place, they tend to focus on prevention rather than building the adaptive capacity needed to withstand and recover from disruption.

 This reliance on traditional approaches leaves organizations exposed in four critical ways.

 The top themes illustrate both scale and interconnection complicating decision making:

 Hardwired into the organization
 Technology requires enterprise-wide alignment across risk and strategy. Developments in AI are reshaping the risk and opportunity for large and complex organizations, while cyber risks continue to evolve and more digital touchpoints are hardwired into your assets. These trends are triggering changes in cybersecurity requirements, talents strategies and investment opportunities. Specialized expertise, robust cybersecurity and real-time visibility of your risks is critical to protect sensitive information and maintain stakeholder trust across timezones.

 42% of global respondents see AI as one of their top 5 emerging risks.
 74% believe technology will remain a key source of emerging risk in the next 10 years.

 Geopolitics of everything
 Running a complex global business involves navigating the geopolitical shifting geopolitical alignments, political instability and regulatory fragmentation. These risks can trigger sudden changes in laws, tariffs or even asset expropriation — directly affecting operations, profitability and strategic planning. A clear understanding of geopolitical and political risk enables more informed decisions, enhance resilience and maintain a competitive edge in dynamic global markets. Respondents identified 259 geopolitical connections covering 36 of the 48 survey risks.

 Intensifying and amplifying
 Natural catastrophe insured losses have exceeded $100 billion annually for the last six years, environmental volatility is growing and regulatory expectations continue to evolve. These risks have always been present but the impact of their reach into social stability, workplace wellbeing, supply chains and economic security is becoming increasingly apparent. For large and complex organizations with assets across the world, these risks require coordinated action to safeguard people and capital while balancing competing strategic priorities. For some, this will mean a new realism.

 1 in 5 (18%) global respondents see natural catastrophe events as one of their top 5 drivers of emerging risks in the next two years

 An uncertain financial outlook
 In just the past five years, large and complex organizations have had to think about – and try to finance – risks ranging from AI, climate change and cyber, to geopolitical developments and societal shifts in labor. These trends are disrupting supply chains, altering capital flows and challenging strategic planning, creating a complex web of interconnected financial risks that affect everything from operational continuity to shareholder confidence. Understanding the full risk picture, including insurance gaps and regulatory exposure, enables more informed decisions and supports sustainable growth in uncertain markets.

 Economic outlook was the #1 risk chosen most often as part of a risk combination.

 People matter
 From determining how work gets done and how it’s valued to considering population dynamics and what that means for talent strategies, people risks are a critical factor for large and complex organizations. Securing the right skills, maintaining wellbeing and adapting to societal changes underpin the ability to respond to other risks. Strategic workforce planning, inclusive culture, and investment in skills and wellbeing are essential to build a resilient, future-ready organization.

 “Human capital perspective threads throughout the reasons why risks were chosen. Respondents chose AI and described the impact of genAI knowledge as a potential flight risk. By only focusing on single risk labels organizations miss opportunities to enable internal connectivity.” Lucy Stanbrough, Head of Emerging Risks, Willis Research Network

 Risks are visible but disconnected from action and leaving organizations exposed. The survey revealed key strategic vulnerabilities:

 This requires three shifts:

 “Begin your process by understanding the risk profile, appetite and tolerance of your organization.” Jennifer Caldarella, Managing Director Willis Large Accounts.

 Does your organization define acceptable risk and are the thresholds consistent?

 How your organization thinks about cyber threats and its’ effect on supply chain and business interruption but what about the effect on people and performance?

 Defining your risk appetite is essential to a resilient and optimized strategy.

 Reviewing emerging risks is also about considering opportunities and your competitive advantage. Changing markets, designing new products and prioritizing strategic growth are all activities taking advantage of emerging risks.

 Tools such as risk reporting dashboards populated with live risk information can help you more easily filter risk information based on risk category, impact and other categories can help you identify and develop connections between risks. Consider more creative approaches, such as surveying relevant stakeholders to capture insight into underappreciated or unforeseen risk connections or creating scenario exercises simulating one or more risks to explore any potential domino effects. You can also consider multi-layered models that explore cascading effects, use backcasting to learn from past failures, analyze second- and third-order impacts, and leverage generative AI to simulate edge cases.

 Conduct ‘After Action Reviews’ to learn from events that impact your business in a positive and negative way.

 What happened?
 How did we react?
 What can be learned?

 Ensure concrete actions and consider where controls may need to be updated mid-risk lifecycle, centralize insights, and align lessons with capital protection and innovation. This shifts resilience from reaction to design.

 Proof in the present: enhancing data center resilience through interconnected risk assessment
 What does this look like in practice? A leading global technology and internet services provider faced significant challenges in assessing the risk of downtime across its extensive network of data centers. Traditional risk assessment tools were inadequate, as they failed to account for the interdependencies among data centers and the potential for simultaneous disruptions due to shared vulnerabilities.

 Challenge: The company needed a comprehensive understanding of the vulnerabilities within its data center clusters to make informed decisions about operational planning, risk mitigation, and to provide due diligence to its customers. The primary concern was the risk of a single event impacting multiple data centers simultaneously, leading to widespread service interruptions.

 Solution: WTW specialists developed a bespoke shared fate resilience assessment tool tailored to the company's needs. This tool utilized advanced models, including the Global Peril Diagnostic and catastrophe models, to assess current hazards, and the Climate Diagnostic to evaluate the potential impact of chronic hazards such as drought and heat stress on water resources and utilities. The assessment considered various threats, including natural catastrophes, utilities and power outages, proximity to high-risk locations, and geopolitical risks. The solution provided detailed insights into the vulnerabilities of each data center, generating numerical risk scores that allowed the company to prioritize and allocate resources effectively. Additionally, cluster risk scores were developed to understand and compare the cumulative impact of a single event across multiple data centers.

 Outcome: By adopting this interconnected risk assessment approach, the company enhanced its ability to anticipate and mitigate potential disruptions. The insights gained enabled better strategic planning and more effective responses to interconnected and emerging threats, ensuring greater resilience and uptime for its data center operations.

 From lists to foresight
 Disruption is now standard; the real differentiator is resilience embedded into strategy, systems, and culture. The question for boards is no longer: “which risks can we insure?” it is: “where do we need to build resilience and how quickly can we adapt?”

 Organizations that master this mindset will not only survive shocks, but they will also define the future beyond them.