
The World Economic Forum's Global Risks Report 2025 warned that 2026 would usher in an "age of competition."
This prediction has materialised, with uncertainty now dominating the global risk landscape. As cooperative mechanisms erode and governments retreat from multilateral frameworks, geoeconomic confrontation and state-based armed conflict now rank as the top risks in the WEF's Global Risks Perception Survey.
The ongoing conflict across the Middle East has further compounded this uncertain outlook, with countries responding to the crisis in accordance with their own sovereign priorities.
In risk management, there is a concept that deserves more attention than it typically receives. It is called the Grey Rhino. Coined by Michele Wucker in The Gray Rhino: How to Recognize and Act on the Obvious Dangers We Ignore, it refers to a probable, high-impact threat that is visible but neglected.
Unlike a Black Swan — the rare, highly unpredictable shock made famous by Nassim Nicholas Taleb — a Grey Rhino is a threat that is visible and predictable. Wucker warns that the biggest failures come not from unpredictable events, but from ignoring or neglecting the dangers we can foresee.
The difficulty lies not in recognising it, but in deciding how and when to prepare. Wucker's key insight is psychological: as humans, we often fail to act in our personal and professional lives because of denial, complacency or because a problem feels too big to fix.
The conflict in the Middle East is not a Black Swan. For organisations across the GCC, the risks it exposed — energy security, regional spillover, hybrid cyber operations, the fragility of global supply chains, weakness in global diplomacy, the likelihood of new regulatory and governance pressures — have more than likely been recognised for many years. What the conflict did was accelerate everything. GCC boards, general counsel and risk leaders now all face a choice they cannot afford to defer: build the enhanced risk management infrastructure your organisation needs, or wait for the ongoing crisis to expose additional gaps.
The window to act is now.
At Diligent, we work with more than 25,000 organisations across 130 countries. We see, in real time, how boards govern risk, how the GC’s risk mandate is expanding, how CROs and CISOs manage it, and how internal audit provides assurance. That vantage point gives us something unusual: a global picture of what good risk management looks like, where most organisations fall short, and what separates the ones that recover fastest from disruption.
The picture, right now, is unfortunately concerning.
Our Diligent Institute's General Counsel Risk Index 2026 found that GCs rate the current business risk environment at 7 out of 10 — up from 5.8 at the start of 2025. High risk is no longer an episodic condition. It has become the baseline.
Our What Directors Think 2026 survey — the 23rd edition, conducted with more than 200 actively-serving public company directors — found that 94% of directors believe there is room for improvement in their board's risk oversight. Nearly half want more frequent, structured risk discussions at full-board level. Only a third feel their board has a clear connection between risk oversight and strategic decision-making.
These are global findings. But in a region navigating the impact of a regional conflict, they may land with particular force.
When the conflict began in February, many early assessments suggested kinetic action had degraded Iran's cyber capabilities. That assessment proved to be premature.
The GCC region has made significant progress over the past decade in establishing robust, government-led cybersecurity frameworks. However, fragmentation can exist across jurisdictions, alongside uneven maturity levels within the mid-market and broader private sector — particularly in managing third-party vendor risk.
For boards, GCs and risk leaders across the GCC, the implication is direct: the threat environment you are operating in today is no longer the one you planned for at the start of the year, and continuous threat intelligence cannot be aspirational. It is a core operational requirement.
Diligent's Cyber Leadership Playbook — developed from insights shared by more than 4,500 practitioners at our Cyber Risk Virtual Summit — found that 75% of board members rank cyber risk as their top crisis concern, while 41% admit they struggle to oversee it effectively. A recent Diligent Institute study found that 88% of S&P 500 companies lack a board member with specialised cybersecurity expertise. The boardrooms most worried about cyber risk are often the least equipped to govern it.
This gap — between awareness and capability — is exactly what the Grey Rhino exploits.
Many GCC organisations enter disruption with compliance programmes that are, on paper, mature. Risk registers. Vendor assessments. Audit cycles. Cybersecurity frameworks mapped against regional standards. None of that is wrong. But compliance programmes built to satisfy regulatory requirements are rarely built to withstand shocks.
Compliance asks: are we meeting the standard? Resilience asks: what do we need to protect, and how do threats affect our specific objectives? The first question has a fixed answer. The second never does.
A vendor assessment completed nine months ago provides little assurance six months into a regional conflict. A control test run two years ago tells you very little about your current exposure to wiper malware and coordinated DDoS. Risk, audit, compliance and third-party exposure managed through separate processes and reporting lines create a picture of an organisation that exists in PowerPoint decks — not one that reflects operational reality.
The organisations best positioned for the next phase of recovery are closing this gap now — not waiting for audit season.
BCG's research after COVID-19 on organisational resilience frames the stakes clearly. A crisis is a variance amplifier — it reconfirms top performers and creates new winners. Around 30% of a company's long-run total shareholder return is driven by how it performs during a crisis, with resilient companies demonstrating lower shock impact, faster recovery speed and greater recovery extent.
The organisations that emerged from COVID-19 stronger didn't get lucky. They had three structural advantages:
The ongoing GCC disruption and challenges will create exactly this divergence. Some organisations will gain from disorder and emerge stronger. Their resilience will deliver improvement, not simply survival. Others will manage incidents reactively and spend the next 18 months catching up. The difference will come down to whether risk functions were connected into a coherent, responsive view of organisational exposure — or siloed, static and slow.
It comes down to three capabilities.
The post-conflict period that we hope is achieved very soon in the GCC will not herald a pause before the next crisis. The organisations that will be best positioned 18 months from now — when much of the financial impact of the conflict becomes more evident — are making decisions today about how they can enhance risk governance and connect their GRC functions.
The Grey Rhino was visible before it charged. The question now is whether your risk management infrastructure is built to see the next one before it reaches you — and to move faster than it does.
