Insights

The Black Swan Is a Red Herring

In this article, Graeme Keith explores the enduring influence of Nassim Nicholas Taleb’s Black Swan theory and the growing tendency to use unpredictable events as a catch-all explanation for failures in risk management and preparedness. Examining the limitations of traditional modeling frameworks, the dangers of retrospective narrative-building, and the cognitive biases that shape how organizations interpret uncertainty, Keith argues that the real lesson of Black Swan events is not that forecasting is futile, but that current approaches to modeling risk remain fundamentally inadequate for the complexity of the modern world.

ISO Audits Are Exposing the Gap Between Compliance on Paper & Compliance in Practice

As organizations close out reporting cycles and certification bodies continue surveillance activity, a familiar pattern is surfacing inside companies across industries. Policies look polished. Dashboards appear reassuring. Certifications remain displayed proudly on websites and office walls. But under audit scrutiny, many of those systems begin to fracture.

Dynamic Organizational Dimension Modeling: Because “Winging It” Doesn’t Scale

In today’s enterprise, change behaves less like a calendar event and more like a weather pattern that refuses to settle down. Markets shift faster than strategies can catch up, teams appear and disappear like pop-up shops, and regulators rewrite the rules just as everyone finishes reading the old ones. Yet most organizations are still using management models that behave like they live in a museum. Reports, governance frameworks, and analytics engines were built for a world where “change management” meant an annual meeting, not a daily lifestyle.

When Compliance Becomes Theater

There was a time when the challenge for compliance teams was visibility. Policies sat in binders. Codes of conduct gathered dust. Ethics, where it existed, lived more in aspiration than in practice. That problem, for the most part, has been solved.

When Governance Misses the Point & How AI Could Bring It Back

There is a definition of risk that most organizations readily cite but far fewer truly operationalize. It comes from ISO 31000 and is echoed in frameworks developed by COSO. Risk, in its simplest and most useful form, is the effect of uncertainty on objectives.

Five Ways GRC Professionals Are Actually Using AI & the One Place I Will Not Put It

About a year ago, a risk analyst on one of my client teams told me she had just reviewed a 94-page SOC 2 report in twelve minutes. She used Claude. She did it at her kitchen table at 9 PM because she had two kids and the workday had long since ended.

From Business Case to Business Change: Making TPRM Value Stick

The response to my session at Icon 2026 reminded me of something I have seen many times in this field. Organizations are not struggling to agree with the argument for supplier risk management. They are struggling to act on it. In the latest piece on my website, We Are Measuring the Value of TPRM Wrong, I argued that the business case for supplier risk management has been framed too narrowly, focusing too much on workflow, controls, and compliance, and not nearly enough on avoided disruption, avoided loss, and the confidence to move through uncertainty.