The ongoing war in the Middle East is yet another stark reminder that the 2020s have been a “house of horrors” for risk managers. The Mideast conflict is the latest chapter in what I have been referring to as the era of permacrisis.

I first tagged the 2020s as “the era of permacrisis” in 2023 as a sober assessment of the chaotic environment organizations had been inhabiting since the beginning of the decade. It wasn’t a term I coined, but it was a great description of the risk-induced chaos that engulfed the world. From a global pandemic to economic upheaval, geopolitical tensions, and now the ongoing war in the Middle East, we are not witnessing isolated disruptions. We are living through a prolonged, seemingly permanent state of instability.

This is not a passing phase. It is a structural shift. And I believe it has rendered traditional risk management obsolete.

For decades, organizations approached risk management with a relatively stable operating assumption: the world, while occasionally disrupted, would revert to a predictable baseline. Risks could be identified, assessed, mitigated, and monitored within established cycles. There was comfort in the notion that crises were episodic. Sharp shocks followed by recovery and a return to normal.

That assumption no longer holds.

Permacrisis has fundamentally altered the nature of risk itself. Risks are no longer discrete or independent; they are continuous, interconnected, and compounding. A geopolitical conflict is no longer just a geopolitical risk; it is an energy risk, a supply chain risk, a cyber risk, and a reputational risk, all unfolding simultaneously. A pandemic is not just a public health crisis; it is a workforce disruption, an economic shock, and a catalyst for social instability.

Traditional risk management frameworks were not designed for this level of volatility or velocity. At their core, these frameworks rely on three principles that permacrisis has invalidated: predictability, cyclicality, and separation.

• First, predictability. Conventional risk models depend heavily on historical data to forecast future outcomes. But in a permacrisis environment, the past is no longer a reliable prologue. We are encountering novel risks and unprecedented combinations of events that defy historical comparison. Black swans have given way to what might be called “gray rhinos” – highly probable, high-impact threats that charge forward in plain sight but interact in unpredictable ways.
• Second, cyclicality. Traditional risk management operates on a cadence—quarterly reviews, annual assessments, scheduled audits. In an era of continuous disruption, risk does not adhere to a calendar. It evolves in real time. By the time a risk register can be updated, it is already outdated. Static snapshots of risk exposure are insufficient in a dynamic threat landscape.
• Third, separation. Risks have historically been categorized and managed in silos—financial, operational, strategic, compliance. That approach assumes risks can be neatly compartmentalized. Permacrisis has demonstrated the opposite. Risks cascade across domains, triggering chain reactions that amplify their impact. A cyber incident can quickly become a regulatory issue, a reputational crisis, and a financial loss event.

The result is a widening gap between how organizations manage risk and how risk actually manifests.

In my book “Connected Risk: Conquering the Perilous Risk Exposure Gap,” I described this as the “risk exposure gap”—the distance between perceived risk and actual risk in an interconnected world. Permacrisis is accelerating that gap at an alarming rate.

To close it, organizations must move beyond traditional risk management and embrace a fundamentally different paradigm – one centered on resilience, integration, and adaptability.

Resilience, rather than prevention, must become the primary objective. In a world where disruptions are constant, the goal is not to avoid all risk. That is neither realistic nor achievable. Instead, organizations must build the capacity to absorb shocks, adapt to changing conditions, and recover quickly. This requires rethinking everything from supply chain design to workforce strategies to technology infrastructure.

Integration is equally critical. Risk cannot be managed effectively in silos when it does not occur in silos. Organizations need a holistic view of risk – one that captures interdependencies and provides enterprise-wide visibility. This is not simply a matter of consolidating risk reports; it requires a connected approach to risk intelligence, where data flows seamlessly across functions and informs decision-making at every level.

Adaptability, perhaps most importantly, must be embedded into the organization’s DNA. Decision-making processes must become faster and more agile. Governance structures must empower leaders to act decisively in the face of uncertainty. Scenario planning and stress testing should replace static risk assessments, enabling organizations to explore how multiple crises might unfold simultaneously and to prepare accordingly.

These shifts are not incremental improvements. They represent a fundamental departure from the way we’ve managed risks for decades.

And they have profound implications for governance, risk, and compliance (GRC) more broadly:

• Governance, in the age of permacrisis, can no longer be anchored in stability and predictability. Boards and executive teams must navigate an environment where uncertainty is the norm. This demands greater engagement with risk, not as a compliance exercise, but as a strategic imperative. Governance must become more dynamic, with a focus on resilience, agility, and informed decision-making under pressure.
• Risk management, as discussed, must evolve from a control-oriented function to a strategic enabler of resilience. This means shifting from backward-looking assessments to forward-looking insights, from isolated analyses to integrated perspectives, and from static frameworks to adaptive capabilities.
• Compliance, too, is undergoing a transformation. Compliance can no longer be a checkbox exercise in a rapidly changing regulatory landscape driven by emerging concerns such as cybersecurity, environmental sustainability, and geopolitical risk. It must be proactive, intelligence-driven, and closely aligned with both risk management and business strategy. Failures in compliance are no longer contained; they can quickly escalate into broader crises that threaten organizational viability.

Ultimately, permacrisis is forcing a convergence of GRC disciplines. The traditional boundaries between governance, risk, and compliance are dissolving, replaced by a more integrated and strategic approach to managing uncertainty.

This is both a challenge and an opportunity.

Organizations that cling to outdated risk management models will find themselves increasingly exposed, reacting to crises rather than anticipating them. Those that embrace the realities of permacrisis by reimagining risk management and integrating GRC into the fabric of their operations will be better positioned not only to survive, but to thrive.

The age of permacrisis is not a temporary disruption. It is the new normal.

And it demands nothing less than a complete reinvention of how we think about risk.