The pandemic did not bankrupt many companies directly. It closed a port, which stranded a container, which idled a factory, which left a carmaker short of one cheap chip, and a business with no obvious exposure to a virus suddenly could not ship its product. That chain is the whole subject here. Emerging risk is a threat that is new or rapidly changing, so your past data barely describes it. Systemic risk is a threat that spreads through the connections between things, so a failure in one place becomes a failure everywhere. Geopolitical, climate and pandemic shocks are dangerous because they are usually both at once.

The quick version

  • Emerging risk is novel or fast-moving (a new technology, a shifting climate, a mutating pathogen), so the historical numbers you would normally lean on don't yet exist or no longer apply.
  • Systemic risk spreads through interconnection: one failure cascades across supply chains, markets and borders. The harm is the chain reaction, not just the first domino.
  • Many of these shocks are not bolts from the blue. The danger you can see coming and still ignore, a "gray rhino", is more common, and more preventable, than the truly unforeseeable "black swan".
  • You cannot forecast these precisely, so don't try. Build for resilience, the ability to absorb a hit and keep functioning, rather than for a prediction you'll get wrong.

The idea in depth

Start with why these risks resist the normal toolkit. Ordinary risk management runs on history: you look at how often something has happened, estimate likelihood times impact, and price it. Emerging risks break that machine because they have little or no track record, a novel pathogen, a first-of-its-kind cyber weapon, a climate that no longer behaves like the twentieth-century average. The international risk standard ISO 31000 makes "dynamic" one of its core principles for exactly this reason: risks emerge, change and disappear as an organisation's context shifts, so risk management has to anticipate and respond to change rather than sit still. The practical upshot is to stop treating your risk register as a once-a-year document and start treating it as a live feed. Name an owner for "what's changing in our environment," and review the things you cannot yet quantify on a separate, faster cadence from the things you can.

The systemic part is about connection rather than novelty. The World Economic Forum's Global Risks Report 2025, its 20th edition, drawing on a survey of around 900 experts, ranks state-based armed conflict as the most pressing risk for the year ahead, with misinformation and disinformation topping the two-year horizon for a second consecutive year, and environmental risks (extreme weather, biodiversity loss, critical change to Earth systems) dominating the ten-year view. The report's recurring theme is interconnection: the risks don't queue politely, they amplify each other. A drought drives migration, which feeds polarisation, which strains a fragile state, which becomes a conflict, which disrupts grain exports, which raises food prices on another continent. The leadership task, then, is to map your second-order exposure. Not "are we at war?" but "what do we buy, from where, and what happens to it if a place we've never thought about becomes unstable?"

flowchart LR
  A(["Trigger shock
conflict · heatwave · outbreak"]) --> B(["Choke point
port · chip · grain · grid"])
  B --> C(["Cascade
supply, prices, services"])
  C --> D(["Your business
no direct exposure, still hit"])
  C -.-> E(["Second shock
migration · unrest · default"])
  E -.-> B
Systemic risk travels through choke points: the harm reaches firms with no direct line to the original event. Leaders Loop

The most useful idea for a working leader, though, is one that cuts these shocks down to size. Nassim Nicholas Taleb's "black swan", set out in The Black Swan (2007), is the rare, unpredictable, high-impact event that is only obvious in hindsight. It is a real and important category. But policy analyst Michele Wucker argues it has become an excuse. In The Gray Rhino (2016), she names the more common animal: the "gray rhino" is a high-probability, high-impact threat charging straight at you that everyone can see and nobody acts on, the underfunded levee, the over-concentrated supplier, the pandemic that public-health experts had warned of for years. The discipline she's pushing for is to stop reaching for "nobody could have predicted this." Before each shock, ask the colder question: was this actually unforeseeable, or merely unwelcome? Most of what damages organisations is a rhino, not a swan, and rhinos can be prepared for.

Most of what damages organisations is a gray rhino, not a black swan, a danger we saw coming and chose not to act on.

An honest limitation. This neat menagerie can mislead two ways. First, hindsight makes almost anything look like a foreseeable rhino once it has happened, be wary of using the label to blame people who genuinely faced a swan. Second, the WEF rankings are an expert perception survey, not a measurement of probability; they tell you what informed people are worried about, which is useful for scanning the horizon but is not a forecast. Treat both as lenses that sharpen your questions, not as instruments that give you answers.

Why you build for resilience, not prediction

If you can't reliably forecast which shock hits or when, the rational response is to stop optimising your forecast and start strengthening your ability to take a punch. This is the practical heart of the field. Taleb's companion idea, that some systems are fragile (they break under stress), some robust (they hold), and a few antifragile (they actually improve under stress), reframes the job. You are not trying to predict the next disruption; you are trying to make sure that whatever it is, it doesn't take you down with it.

In plain terms, resilience usually means deliberately accepting some inefficiency. The single-supplier, just-in-time, zero-buffer arrangement that looks brilliant in a calm year is exactly what turns a regional shock into your shutdown. So find your concentration points, the one supplier, country, system or key person you cannot function without, and buy slack at the ones that would hurt most: a second source, a stockpile, a tested fallback. The aim isn't to eliminate the risk, which you can't; it's to make sure no single failure cascades all the way through to you.

A worked example

Take a mid-sized kitchenware brand, call it Greenfield, that assembles appliances in one plant and sources a specialist heating element from a single low-cost supplier in one overseas industrial cluster. (Illustrative figures throughout; this is a teaching example, not a real company.) On a spreadsheet, the arrangement is immaculate: one supplier means volume discounts and simple logistics, shaving perhaps an illustrative 12% off component cost.

Then the systemic risk shows up wearing three hats at once. A heatwave (climate) forces rolling power cuts across that industrial cluster; a port dispute (geopolitical) slows what does get made; and a flu outbreak (pandemic) thins the supplier's workforce. None of this happens to Greenfield directly, and that is the point. The element stops arriving, the assembly line halts, and a brand with no factory in the affected region loses a quarter's production over a part worth a few dollars.

flowchart TD
  A(["One supplier, one cluster
~12% cheaper (illustrative)"]) --> B{"Gray rhino?
foreseeable concentration"}
  B -->|"Ignored, looks efficient"| C(["Heatwave + port + outbreak
element stops arriving"])
  C --> D(["Line halts
a quarter of output lost"])
  B -->|"Acted on, buy slack"| E(["Second source + buffer stock
costs a little, absorbs the hit"])
  E --> F(["Shock arrives, line keeps running"])
The same concentration that looks efficient in a calm year is the channel a systemic shock travels down. Leaders Loop

The resilient version costs Greenfield a little of that 12% up front: qualify a second supplier on a different grid in a different country, and hold a few weeks of buffer stock of the one part that can stop everything. When the triple shock lands, the line keeps moving. Note what changed, not the forecast (nobody predicted that exact week), but the structure. Greenfield turned a single point of failure into two, and a gray rhino it could see into a cost it had already paid down.

Frequently asked questions

What's the difference between emerging risk and systemic risk?

Emerging risk is about novelty: the threat is new or changing fast, so your historical data is thin or misleading (a new technology, a shifting climate). Systemic risk is about connection: a failure in one place spreads through interdependencies to places that look unrelated. They often coincide, a novel pathogen (emerging) that shuts global supply chains (systemic), which is what makes geopolitical, climate and pandemic shocks so hard to handle.

Isn't this just scaremongering? My business is small and local.

The defining feature of systemic risk is that "local" is a comfortable illusion. A small bakery has no foreign-policy exposure until a war doubles the price of wheat, and no climate strategy until a flood closes the road its deliveries use. You don't need a geopolitics team; you need to know your handful of real dependencies, suppliers, energy, key staff, the single road or system you rely on, and to have thought about what you'd do if one of them stopped.

How is a black swan different from a gray rhino?

A black swan (Taleb) is genuinely unpredictable, obvious only in hindsight, and rare. A gray rhino (Wucker) is highly probable and highly visible, the obvious danger we ignore until it charges. The practical value of the distinction is that it stops you hiding behind "nobody could have known." Most organisational damage comes from rhinos, and rhinos can be prepared for; reserve "swan" for the genuinely unforeseeable.

We can't predict these events, so why spend money on them at all?

Because resilience doesn't require prediction. You're not betting on which shock arrives; you're making sure that whatever arrives, no single failure cascades through your whole operation. That means a little deliberate redundancy at your concentration points, a second supplier, a buffer, a tested fallback, which pays off across a wide range of unpredictable events, not one specific forecast.

How do I bring this to a board that wants efficiency?

Frame resilience as the price of an option, not as waste. A second source or a stock buffer is a known, bounded cost that caps a much larger, open-ended loss, the language of insurance, which boards understand. Tie it to a specific cascade you can name ("if this one supplier stops, we lose a quarter's revenue") rather than to abstract fear, and the trade-off becomes a normal capital decision rather than a doom prophecy.

Related in the Toolkit

Emerging and systemic risks don't replace the basics, they stress-test them. They only become manageable once you've set how much risk you'll accept (enterprise risk management & risk appetite) and have a living place to record and own them (risk registers & mitigation strategies).

Where to go next