Hybrid Risk Management


What is Hybrid Risk Management?

Hybrid Risk Management is the systematic identification, assessment, mitigation, and governance of interconnected and cross-domain threats that combine cyber, information, geopolitical, economic, technological, and unconventional vectors, to protect critical assets, maintain resilience, and ensure regulatory compliance.

The term Hybrid Risk Management is not yet codified as a standalone legal or regulatory term, but its principles and methodologies are embedded across numerous laws, doctrines, and policy frameworks in security, resilience, and risk management. They require organisations to identify and control complex, cross-domain threats, and to prepare for interconnected ICT/cyber, supply-chain, operational resilience, and geopolitical risks.

In laws and regulations, the clear conceptual bridge to Hybrid Risk Management is the all-hazards approach. This is the legal foundation connecting traditional risk management with hybrid threat governance.


The all-hazards approach in risk management

The all-hazards approach was first conceived and institutionalized in the United States federal emergency management system, where it replaced the narrow civil defense model of the 1950s and 1960s.

Initially, U.S. federal preparedness programs were almost entirely oriented toward nuclear attack scenarios, reflecting Cold War priorities. But repeated experiences with natural and technological disasters revealed that fragmented, hazard-specific planning was inefficient for cascading failures.

By the 1970s, policymakers in emergency management recognized that although the causes of disasters differ, the response requirements (coordination, logistics, communications, resource allocation, continuity of operations etc.) are largely the same. This realization led to the all-hazards philosophy, a unified doctrine for managing all types of risks and emergencies within a single, integrated framework.

In 1978, President Jimmy Carter, in his "Message to the Congress Transmitting Reorganization Plan No. 3 of 1978", explained that a new Federal Emergency Management Agency was required to serve an important "all-hazards" readiness and response function. In 1979, President Carter issued Executive Order 12127, which created the Federal Emergency Management Agency (FEMA). FEMA consolidated five separate agencies, each focused on different hazards, into one entity.

FEMA's guidance required state and local governments to develop comprehensive emergency management plans (CEMPs) based on the all-hazards concept.

The September 11, 2001, attacks demonstrated that terrorism could no longer be treated as an exceptional security threat distinct from other hazards. Terrorism was included in the all-hazards framework as another category of hazard with unique but interdependent consequences.

In 2002, the Homeland Security Act created the Department of Homeland Security (DHS), reaffirming the all-hazards principle at a broader level of national security governance. Homeland security doctrine explicitly defined an all-hazards approach to encompass natural disasters, terrorist attacks, cyber incidents, pandemics, and technological accidents.

In the National Preparedness Guidelines (September 2007, Department of Homeland Security), the vision is "A NATION PREPARED with coordinated capabilities to prevent, protect against, respond to, and recover from all hazards in a way that balances risk with resources and need."

U.S. homeland security doctrine began to use terms like “complex catastrophes” and “catastrophic cascading events” to describe phenomena that today fall under hybrid risk categories. The National Infrastructure Protection Plan (NIPP) and later the National Cyber Incident Response Plan (NCIRP) extended the all-hazards doctrine into the cyber domain, emphasizing interdependency analysis, cross-sector coordination, and shared situational awareness.

Hybrid risk management is the 21st-century evolution of the all-hazards philosophy. It expands the principles of integration, interoperability, and consequence-based planning to a new spectrum of interconnected, multi-domain threats that defy conventional classification.

The European Commission’s all-hazards approach was inspired by the FEMA and DHS models.

In Article 21 (Cybersecurity risk-management measures) of the NIS 2 Directive we read:

"1. Member States shall ensure that essential and important entities take appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of network and information systems which those entities use for their operations or for the provision of their services, and to prevent or minimise the impact of incidents on recipients of their services and on other services.

Taking into account the state-of-the-art and, where applicable, relevant European and international standards, as well as the cost of implementation, the measures referred to in the first subparagraph shall ensure a level of security of network and information systems appropriate to the risks posed. When assessing the proportionality of those measures, due account shall be taken of the degree of the entity’s exposure to risks, the entity’s size and the likelihood of occurrence of incidents and their severity, including their societal and economic impact.

2. The measures referred to in paragraph 1 shall be based on an all-hazards approach that aims to protect network and information systems and the physical environment of those systems from incidents, and shall include at least the following:

(a) policies on risk analysis and information system security;

(b) incident handling;

(c) business continuity, such as backup management and disaster recovery, and crisis management;

(d) supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers;

(e) security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure;

(f) policies and procedures to assess the effectiveness of cybersecurity risk-management measures;

(g) basic cyber hygiene practices and cybersecurity training;

(h) policies and procedures regarding the use of cryptography and, where appropriate, encryption;

(i) human resources security, access control policies and asset management;

(j) the use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems within the entity, where appropriate."


In recital 4 of the EU Critical Entities Resilience Directive (CER) we read:

"(4) While certain sectors of the economy, such as the energy and transport sectors, are already regulated by sector-specific Union legal acts, those legal acts contain provisions which relate only to certain aspects of resilience of entities operating in those sectors. In order to address in a comprehensive manner the resilience of those entities that are critical for the proper functioning of the internal market, this Directive creates an overarching framework that addresses the resilience of critical entities in respect of all hazards, whether natural or man-made, accidental or intentional."


In the EU Preparedness Union Strategy, the all-hazards approach is clear.


The all-hazards approach is one of the most durable doctrines in modern risk governance. It replaced siloed hazard-specific planning with a unified, consequence-driven system that focuses on resilience, coordination, and capability maintenance. Over time, it expanded to terrorism, cyber incidents, systemic disruptions, and geopolitical risk, setting the intellectual foundation for hybrid risk management, the comprehensive, cross-domain methodology now reflected in U.S., European, and international law.


From the all-hazards approach to Hybrid Risk Management

The all-hazards approach is the intellectual and operational cornerstone of modern resilience. It transformed what had long been a fragmented, hazard-specific model of risk management into a doctrine that is deliberately agnostic to the label, cause, or origin of a disruption. Its focus is not on categorizing events, but on understanding their consequences, the interdependencies they expose, and the capacity of essential functions to withstand and recover from them.

Hybrid Risk Management is the next stage in that evolution. It applies the all-hazards approach to an operating environment in which intentional and unintentional threats, cyber and physical vectors, and state and non-state actors combine, sequence, and amplify one another.

All-hazards programs define risk and preparedness in terms of effects on people, assets, and services, not in terms of the trigger. Hybrid governance extends the field to include deliberate, iterative, and cross-domain combinations of triggers designed to create those effects. It adds intelligence integration, adversary-informed scenarios, hybrid stress tests, and rapid policy decision cycles that deal with attribution uncertainty and legal constraints on response.

All-hazards exercises simulate concurrent incidents and resource contention. Hybrid exercises add deception, contested information, legal dilemmas, and tempo, testing whether escalation paths, thresholds, and authorities hold when adversaries attack in multiple domains at the same time.

For boards and senior management, this evolution has important implications. Risk management can no longer be a catalogue of single-vector control sets maintained independently by information security, safety, facilities, and operations. Risk management must be architected as a single system. At the top, governance should link risk appetite and impact tolerances to essential business services and statutory obligations. Those tolerances must be expressed as measurable limits on disruption duration, degraded performance, safety margins, and data integrity.

Escalation criteria and decision rights must be defined for ambiguous situations in which attribution is unclear, legal thresholds for law-enforcement engagement are uncertain, and reputational stakes are acute. When accountability and authority are misaligned under uncertainty, hybrid campaigns achieve their objectives, even if the technical response that follows is successful.

In Hybrid Risk Management, risk identification must evolve to include dynamic maps of interdependency. The objects that matter are the end-to-end service chains. These include core platforms, third- and fourth-party services, and the enabling infrastructures of power, telecommunications, transport, and cloud. The mapping must describe single points of failure and the substitutability of components.
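One way to make the interdependency map described above computable, as an added example that is not part of the article: a constructed service chain with third- and fourth-party and infrastructure dependencies is checked for single points of failure (no substitute) and against an impact tolerance expressed as a maximum disruption duration. The service names, recovery estimates, substitutes and the four-hour tolerance are assumed sample values.

```python
# Constructed service chain (not from the article): each node lists the components
# it depends on; leaves are third/fourth parties and enabling infrastructure.
DEPENDS_ON = {
    "payments": ["core-platform", "identity"],
    "core-platform": ["cloud-region-a", "clearing-provider"],
    "identity": ["cloud-region-a"],
    "clearing-provider": ["telecom-link-1", "fourth-party-settlement"],
    "cloud-region-a": ["power-feed-1"],
    "telecom-link-1": [], "fourth-party-settlement": [], "power-feed-1": [],
}
# Constructed estimates: hours to restore a failed component.
RECOVERY_HOURS = {
    "core-platform": 8.0, "identity": 3.0, "clearing-provider": 24.0,
    "cloud-region-a": 12.0, "telecom-link-1": 10.0,
    "fourth-party-settlement": 48.0, "power-feed-1": 6.0,
}
# Components that have a substitute, with the hours needed to switch to it.
SUBSTITUTE = {"telecom-link-1": ("telecom-link-2", 0.5),
              "cloud-region-a": ("cloud-region-b", 6.0)}


def transitive_dependencies(service):
    """Every component the service relies on, directly or through others."""
    seen, stack = set(), list(DEPENDS_ON.get(service, []))
    while stack:
        node = stack.pop()
        if node not in seen:
            seen.add(node)
            stack.extend(DEPENDS_ON.get(node, []))
    return seen


def disruption_hours(component):
    """Outage if the component fails: restore it, or switch to a faster substitute."""
    restore = RECOVERY_HOURS[component]
    if component in SUBSTITUTE:
        return min(restore, SUBSTITUTE[component][1])
    return restore


def assess(service, tolerance_hours):
    """Per dependency: single point of failure (no substitute)? How long is the
    service disrupted? Does that stay within the stated impact tolerance?"""
    report = {}
    for comp in sorted(transitive_dependencies(service)):
        hours = disruption_hours(comp)
        report[comp] = {"single_point_of_failure": comp not in SUBSTITUTE,
                        "disruption_hours": hours,
                        "within_tolerance": hours <= tolerance_hours}
    return report
```

Note that `cloud-region-a` is not a single point of failure yet still breaches a four-hour tolerance, because activating its substitute takes six hours: substitutability alone does not establish resilience until the switch-over time is measured against the tolerance.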

Legal analysis should be integrated into that map. Exclusivity clauses, exit rights, jurisdictional exposure, data localization, and concentration risk in shared utilities can be material for resilience. This is where hybrid thinking adds value. It treats legal and economic constraints as part of the attack surface.

Scenario design is the bridge between doctrine and practice. An all-hazards scenario library should already include natural, accidental, and deliberate triggers. To make it hybrid, scenarios must be constructed as multi-vector narratives with realistic timing, less than perfect situational awareness, and legal challenges. Scenarios must cover the use of pre-planned playbooks, coordination with external stakeholders, communication under uncertainty, management of scarce resources, and restoration of service within impact tolerances. Post-exercise learning must be institutionalized, driving remediations in architecture, contracts, staffing, and governance, not only in technical controls.

Under an all-hazards law, auditors, supervisors, and authorities increasingly ask for evidence that critical functions stay within tolerance across a spread of conditions. That evidence includes interdependency maps and crown-jewel analyses, board papers linking impact tolerances to investment decisions, results of threat-informed testing and red teaming, third-party oversight that goes beyond questionnaires, and crisis communications plans that recognize the cognitive dimension of hybrid campaigns.

All-hazards programs succeed when roles and responsibilities are understood across functions. Hybrid programs add ambiguity. Legal, compliance, communications, and operations need to train together, so that the first time they negotiate trade-offs between transparency and investigative integrity, or between safety shutdowns and contractual service levels, is not during an actual crisis.

None of this implies abandoning the core disciplines of information security, cyber security, safety, business continuity, or compliance. The point is integration. The all-hazards doctrine teaches that preparedness is measured by what survives or meets the tolerance criteria in a crisis. Hybrid Risk Management adds that the boundary between inside and outside is unclear. That adversaries will use insiders. That adversaries will choose the sequencing, not us. That adversaries attack public trust in organizations.

The evolution from the all-hazards approach to Hybrid Risk Management is a process of adaptation to a more complex strategic environment. Today disruptions are seldom contained within a single domain. Adversaries use synchronized stressors, amplified to exploit systemic interdependencies.

Hybrid Risk Management is not an alternative to traditional risk management. In simple terms, it does not replace traditional risk management. It refines, extends, and integrates it to meet the realities of a more complex, interconnected, and adversarial environment. COSO-based traditional risk management has five foundational components: Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring. Those components remain indispensable. What Hybrid Risk Management does is to describe and interpret these components in the context of dynamic, multi-domain, and cross-sector dependencies, where events no longer unfold as discrete or independent shocks but as interacting systems of disruption.

Traditional risk management emerged in relatively stable environments where hazards could be classified, likelihoods could be estimated, and control sets could be aligned with specific risk categories (operational, financial, reputational). It assumed that each risk vector could be understood and mitigated within its own domain, using linear cause-and-effect reasoning. Hybrid Risk Management expands this approach in areas where those assumptions no longer hold. It expands traditional risk management’s perimeter to capture hybrid risks.

Hybrid Risk Management introduces the strategic and adversarial dimension absent from many traditional models. Hybrid governance represents maturity, not divergence. In practical terms, Hybrid Risk Management is a lens, not a substitute. It is an interpretive layer that refocuses traditional risk disciplines on adaptive governance, in an age when risks are engineered to interact, amplify, and transcend their formal classifications.


Cyber Risk GmbH, some of our clients