Complexity is not a complication to eliminate.
It is the environment leaders must learn to navigate.
Most organizations have risk registers: categories of risk, mapped by probability and impact, with assigned owners and mitigation plans. That is a reasonable approach to known, bounded risks. It is insufficient for the kinds of risks that actually derail organizations.
The limits of standard risk categorization
The four standard categories - strategic, hazard, financial, and operational - are useful. They provide structure. But they share a critical limitation: they treat risk as discrete and bounded, when in practice, risk is interconnected and cascading.
COVID-19 was initially a hazard risk. It became a strategic, financial, and operational risk simultaneously, at global scale. The categories remained accurate; what they failed to capture was the velocity and reach of the disruption.
The complexity problem
The deepest challenges organizations face are not in any single risk category. They are in the interactions between categories, and between organizations.
The 2021 semiconductor shortage made this visible: a handful of fabrication facilities supplied chips to automotive, consumer electronics, and medical device industries. Production shutdowns at Ford, GM, Toyota, and Apple were the consequence of complexity that standard risk frameworks hadn't captured: dependencies three tiers deep that no one was monitoring.
The SME ecosystem risk
One underappreciated dimension: the dependency on small and medium enterprises. When large organizations focus on their own survival, SMEs in their extended networks receive insufficient attention. When SMEs fail, the damage propagates outward, often noticed only after it's too late.
From risk management to complexity navigation
The shift required: from managing discrete risks to navigating complex interdependencies. That requires mapping (the full scope of supply chain relationships), scenario planning (for multiple simultaneous risks), monitoring (real-time intelligence), and genuine relationships with key partners across the network.
Key fact: McKinsey (2020) found that on average, companies experienced a disruption of one to two months' duration every 3.7 years - and a major disruption lasting four months or more about once per decade.
MAPPING YOUR HIDDEN DEPENDENCIES
Most risk registers capture what's visible. The risks that actually derail organizations often live further down the supply chain.
A practical exercise for your next leadership offsite or strategy session:
Pick your three most critical products or services - the ones your organization genuinely cannot afford to lose. For each one, map the following:
Tier 1: who are your direct suppliers for critical inputs? (You probably know this.)
Tier 2: who are your suppliers' critical suppliers? (You probably know some of this.)
Tier 3: are there any components, materials, or services where a single company supplies most of the market - including your tier-2 suppliers? (This is where most organizations go blank.)
Where in that map is there a single point of failure that, if it went wrong, would cascade back to you - and that you currently have no alternative for?
That's your most urgent resilience project.