The Myth of “Known Unknowns” in Enterprise Risk

Why most organisational failures were visible long before they occurred

January 5, 2026

After every major failure, organisations tell a familiar story. The event was unforeseen. The signals were ambiguous. The risk sat in the category of “unknown unknowns.” This narrative is comforting, but it is rarely accurate.

Most significant organisational failures are not surprises. They are the result of known issues that were observed, discussed, and repeatedly deprioritised. The real governance failure lies not in a lack of information, but in how organisations interpret, tolerate, and normalise risk over time.

This article challenges the myth of “known unknowns” and examines why enterprise risk becomes invisible precisely because it is familiar.


The comfort of uncertainty as an explanation

Labelling failures as unknown unknowns serves an important psychological and organisational function. It absolves decision-makers of responsibility and reframes governance breakdowns as unavoidable complexity.

In reality, post-incident reviews often reveal a trail of indicators: near-misses, audit findings, staff concerns, delayed investments, or recurring control exceptions. None of these were unknown. They were known, but they were not acted upon decisively.

Uncertainty becomes a convenient explanation when organisations struggle to confront uncomfortable trade-offs earlier.


How known risks become tolerated risks

Risk does not usually escalate suddenly. It accumulates incrementally. Small issues are accepted because they are manageable. Temporary workarounds become permanent. Exceptions are granted with the intention of future remediation that never arrives.

Each individual decision appears reasonable in isolation. Collectively, they shift the organisation into a risk posture it never explicitly approved.

This is how known risks become tolerated risks. They remain visible, but they lose urgency. Over time, their presence becomes normalised, and their potential impact is discounted because nothing adverse has happened yet.


Normalisation through repetition

Repetition is one of the most powerful forces in risk blindness. When issues recur without immediate consequence, organisations adjust their perception of severity.

Incident reports that do not escalate into losses are downgraded. Control breaches that are routinely remediated manually are no longer seen as failures. Warning signs are reclassified as background noise.

This process is gradual and rarely deliberate. It emerges from operational pressure, performance expectations, and the human tendency to learn from experience rather than probability. Unfortunately, experience is a poor teacher when it comes to low-frequency, high-impact risk.


Governance forums reward reassurance, not challenge

Risk discussions at senior levels often favour confidence and control. Executives are expected to demonstrate grip, not doubt. As a result, issues are framed to show management rather than uncertainty.

Language softens. Probabilities are reduced. Timeframes for remediation extend. What began as a concern becomes a managed issue, then a standing item, and finally part of the organisational landscape.

The governance process does not eliminate risk. It reshapes how it is described, often in ways that make it easier to live with.


The danger of hindsight bias

After a failure, organisations frequently reconstruct the past to make events appear more predictable than they felt at the time. This hindsight bias obscures the real governance problem.

The issue was not that leaders lacked perfect foresight. It was that they consistently chose to defer action despite persistent indicators. By focusing on what could not have been known, organisations avoid examining why known issues did not trigger decisive intervention.

This prevents learning. If every failure is framed as unforeseeable, governance frameworks never improve.


Why risk thresholds quietly erode

Formal risk appetite and tolerance thresholds are designed to define limits. In practice, they erode through behaviour. Each exception, extension, or workaround stretches the boundary slightly.

Because no single decision appears to breach tolerance materially, the cumulative effect goes unnoticed. By the time a threshold is clearly crossed, the organisation has already been operating beyond it for some time.

This erosion rarely triggers formal approval. It happens through silence, inaction, and the absence of challenge.


Reclaiming visibility over enterprise risk

Enterprise risk management fails not because risks are unknowable, but because organisations struggle to confront what they already know. The most valuable risk insights are often the most uncomfortable: recurring issues, unresolved weaknesses, and dependencies that leadership hopes will hold.

For boards and executives, the critical question is not what risks are unknown, but which known issues feel too familiar to worry about anymore.

For GRC leaders, the task is to resist normalisation: to keep uncertainty visible, to challenge repetition, and to ensure that familiarity does not become a substitute for control.

In effective governance, the greatest danger is rarely what lies beyond the horizon. It is what has been in plain sight for too long.
