Hybrid Risk Management | Step by Step



This is a structured, step by step view of how organizations can approach hybrid risk management in practice, focusing on concrete governance and decision making considerations.

We invite you to build on these steps, adapt them to your environment, and shape them according to the unique challenges and realities of your organization. Use them as a foundation. Expand them, refine them, and make them your own. Every sector, every jurisdiction, and every organization tends to face its own hybrid risks, and your adaptations can turn these steps into a living, evolving practice.


Step 1. Establish Board level ownership and accountability.

Step 1 establishes legal defensibility, and a governance architecture that can withstand supervisory scrutiny, litigation discovery, post incident attribution, and accountability challenges.

a. Responsibility must be assigned to the Board for hybrid risk. Make no mistake, operational functions may design and run controls, but the Board must own the risk, and approve these controls. This is what regulators and courts seek when evaluating whether an entity acted prudently.

Unfortunately, there are still organizations that treat hybrid risk as cyber risk. After a critical incident, this mistake becomes a liability amplifier, because the organization may be forced to argue that a technically scoped function was called to defend areas that were strategic, legal, reputational, and cognitive. That argument is rarely persuasive when the event includes cross jurisdictional regulatory triggers, contractual termination cascades, market conduct challenges, or reputational and narrative manipulation. The Board must be positioned as the final authority for risk appetite, tolerance, prioritization of resilience investments, and hybrid risk management that includes legal and strategic exposure.

b. Adopt an official hybrid risk oversight mandate. The mandate describes what the Board supervises, what reports and information senior management must bring to the Board, what the Board may demand, and what constitutes an exception requiring escalation. It must state that hybrid risk oversight includes cyber and ICT disruption, legal and regulatory exposure, operational continuity, third party and supply chain risk, geopolitical and jurisdictional constraints, reputational and narrative threats, and cognitive and information risk. This scope ensures that the Board is not later confronted with the argument that a given attack vector fell between committees or outside the remit of any accountability framework.

The hybrid risk oversight mandate must not be framed as an aggregation of silo risks. Hybrid risk oversight must be described as oversight of correlated, cascading, and adversarially coordinated risks. This matters legally because it aligns the mandate with the foreseeability expectation. The organization will be judged on whether it anticipated the reasonably foreseeable risk that multiple vectors will be activated in tight sequence or in parallel, each designed to degrade the organization’s decision making and credibility.

c. Establish a forensically sound framework for digital evidence. It includes collection, preservation, and admissibility. Quick and informal updates are common practice, but they are structurally incapable of satisfying the evidentiary needs that arise after a major event. They do not create a stable record of what management learned and disclosed, what the Board learned and asked, and what management committed to do. The legal objective of formal reporting is defensibility, traceability, and the capacity to show that oversight was active, not notional.

Documented challenge and escalation rights are very important in hybrid contexts, because the greatest harm often arises from delayed and misgoverned decisions. When legal, communications, compliance, and operational concerns collide, it is common for management to seek consensus that never arrives. A Board approved escalation model must specify who may escalate, to whom, within what timeframe, and with what minimum information.

Step 1 must treat reporting as a dual purpose instrument: both a decision support channel and a legal record. To serve both purposes, reporting must be standardized sufficiently to allow comparability over time, and flexible enough to capture emerging hybrid patterns and cross domain escalation. It should provide the Board with a consolidated view of the organization’s hybrid risk exposure, including material changes in the threat environment, major control deficiencies, and readiness indicators derived from scenario exercises.

In litigation and supervisory review, the decisive question is often whether management and the Board understood the risk and accepted it, or whether the organization failed to identify and govern it. Formal reporting is required evidence.

After Step 1, the Board’s ownership is explicit and unambiguous, the oversight mandate is framed across the full hybrid domain, reporting is formalized and evidentially sound, and escalation is clear. This is the governance foundation on which all subsequent hybrid risk management steps depend. Without it, even when the organization has controls, tools, and competent teams, it will lack the legal structure necessary to demonstrate prudent management.


Step 2. Integrate hybrid risk into Enterprise Risk Management (ERM)

With this integration, we move from intent to implementation. The way hybrid risk is positioned within ERM determines whether the organization can credibly argue that this category of risk was identified, assessed, and managed in accordance with the applicable standard of care. Treating hybrid risk as an appendix, add on, or annex to ERM is legally indistinguishable from failing to integrate it at all.

When regulators, supervisors, auditors, or courts examine risk management, they ask whether the organization’s primary risk management system captured the material risks to which the organization was exposed, and whether those risks were governed in a structured manner. If hybrid risk is not clearly defined and managed within the ERM, it is implicitly classified as non core. That classification becomes indefensible the moment a hybrid event produces material operational disruption, regulatory breach, financial loss, or reputational damage.

Embedding hybrid risk scenarios directly into enterprise risk management requires a structural reengineering of how risk is identified, interpreted, and assessed. This is important because hybrid risk presents weak, often ambiguous signals across multiple domains that, when considered individually, may appear tolerable, unrelated, or operationally insignificant. Traditional ERM logic is ill suited to this pattern because it is optimized for discrete risks with stable ownership, linear causality, and clearly attributable impacts. Hybrid risk is nonlinear, and deliberately designed to remain below individual risk thresholds until aggregation produces a systemic effect.

a. Risk ownership. In traditional ERM, risk owners are accountable for managing risks within their functional domain. Hybrid risk scenarios disrupt this model because ownership is inherently shared and situational. Reengineered ERM must redefine ownership to include an obligation to identify and communicate dependencies and weak signals that originate outside an owner’s immediate domain. This transforms risk ownership from a static assignment into a relational responsibility, requiring continuous engagement with other domains. Legally, this helps counter the common post incident narrative that no one owned the risk.

b. Risk identification. Conventional ERM frameworks rely on categorical enumeration. Risks are identified within predefined domains, such as credit, operational, physical, cyber, financial, and legal. This approach assumes that risks can be observed and managed within a single functional domain. Hybrid risk disrupts this model. The earliest indicators of a hybrid event rarely appear as risks in any one category. They appear as weak signals distributed across domains. None of these signals, taken alone, necessarily triggers escalation within a traditional ERM framework.

Reengineering risk identification requires shifting from a domain centric to a signal centric approach. In the Defensive Hybrid Intelligence (DHI) framework (link at the top of the page), you can find our opinion on how risk identification must work in this new environment.

c. Risk assessment. Traditional ERM assessment methodologies evaluate risks along probability and impact dimensions within a single domain. Hybrid risk cannot be assessed meaningfully using this model alone, because probabilities are not static, and impact is not confined to one category. Hybrid scenarios often involve events that are low probability in isolation but, when combined, produce high impact outcomes. Adversarial coordination means that independent probability estimates are of little use: the activation of one vector increases the likelihood and severity of others. Assessment logic must be adapted to consider escalation and cross domain amplification.

This requires ERM to incorporate assessment mechanisms that explicitly evaluate how risks propagate across domains. For example, a cyber incident should not be assessed solely in terms of operational disruption, but also in terms of its potential to trigger regulatory scrutiny, contractual non performance, reputational harm, or legal scrutiny. Also, a regulatory development or enforcement trend may increase the materiality of otherwise manageable technical vulnerabilities.

The attention to cross domain weak signals requires changes to escalation thresholds within ERM. Traditional thresholds are often calibrated to domain specific materiality, such as financial loss amounts, system downtime, or regulatory breach criteria. Hybrid risk requires thresholds that are sensitive to pattern formation, not magnitude alone. Multiple weak signals across domains may collectively require escalation even when no single threshold has been breached. Reengineered ERM must allow for aggregation based escalation, where the convergence of signals triggers higher level attention.

d. Documentation and evidence. Documentation must include the reasoning process by which signals were interpreted and correlated. This is critical in supervisory and judicial contexts. The presence of documented consideration of weak signals and cross domain dependencies can materially affect the assessment of whether the organization acted prudently in light of what was reasonably knowable at the time.

In Step 2, we have integrated hybrid risk into Enterprise Risk Management (ERM). Weak signals across domains are elevated from background noise to legitimate inputs into risk assessment. Ownership is redefined.


Step 3. Identify and map critical dependencies and single points of failure.

In hybrid risk scenarios, the most damaging outcomes arise from the cascading effects that occur when a dependency that is taken for granted fails in a manner that propagates across technical, legal, operational, and reputational domains.

Organizations are not expected to anticipate every conceivable disruption, but they are expected to understand the structural dependencies in their critical functions. Where such dependencies are known, or should reasonably be known, failure to identify and govern them can be interpreted as a deficiency in risk management. Regulatory frameworks require entities to identify the dependencies that could affect continuity of services. In the hybrid context, this obligation extends beyond traditional operational resilience mapping, and includes legal, jurisdictional, and informational dependencies that may be exploited or stressed.

Mapping critical assets, processes, suppliers, data flows, jurisdictions, and technologies requires a departure from static inventories toward relational mapping. Traditional asset registers and process maps often include all components, but they do not capture how those components interact, or how failure in one domain translates into exposure in another.

A critical process must be linked not only to the systems that support it, but also to the suppliers that maintain those systems, the data flows that enable them, the jurisdictions in which those suppliers and data flows are located, and the legal regimes that govern access and disclosure. The absence of any one of these elements can render the entire process ineffective under stress.

Jurisdictional mapping is particularly significant. Hybrid events frequently involve cross border effects through cloud service locations, outsourced service providers, data replication arrangements, or regulatory obligations triggered in multiple legal systems simultaneously. An organization may be forced to reconcile conflicting legal obligations during a crisis, such as disclosure requirements and data access restrictions. The legal exposure arising from such conflicts is a foreseeable consequence of operating across jurisdictions.

Identifying single points of failure, or choke points, requires moving beyond obvious critical systems. In hybrid risk scenarios, choke points are often organizational or contractual, not technical. A single service provider responsible for identity management, incident response support, or regulatory reporting can become a point at which technical disruption, legal non compliance, and reputational damage converge.

Similarly, an approval process that works well under normal conditions may become a bottleneck under crisis conditions, delaying action across multiple domains simultaneously. From a governance perspective, these choke points are as material as any technical vulnerability, because they determine the organization’s ability to respond when faced with compound stress.

Supervisors and courts increasingly examine whether organizations took reasonable steps to mitigate obvious concentration and dependency risks. Where a single disruption predictably cascades across domains, the failure to identify and address that concentration can be framed as a governance failure. This is particularly true where the organization had visibility into the dependency but treated it as operationally convenient or economically efficient, ignoring systemic risk. Hybrid risk management requires that efficiency driven concentrations are explicitly recognized and governed.

Prioritizing low visibility but high impact assets is critical. Traditional risk management tends to focus on assets that are highly visible, heavily regulated, or directly linked to core operations. Hybrid adversaries often target assets that sit at the periphery of formal governance but have disproportionate influence over outcomes. Subcontractors, specialized data brokers, configuration settings in shared cloud environments, and niche service providers embedded in critical workflows are typical examples. They often escape rigorous oversight precisely because they do not appear central to the business model when viewed in isolation.

When a low visibility dependency becomes the trigger for a hybrid event, organizations frequently find themselves unable to demonstrate that they exercised adequate due diligence or ongoing oversight. The argument that the asset was not critical is not persuasive when its failure demonstrably compromised critical functions or legal obligations.

The process of prioritization must take into account information asymmetry. Low visibility assets are often poorly understood by senior management and the Board. In hybrid scenarios, this lack of understanding can be exploited to create confusion, delay response, or manipulate narratives. Mapping and prioritizing these assets within the dependency framework supports governance clarity.

After Step 3, organizations can identify and map critical dependencies and single points of failure. They can demonstrate an integrated understanding of how critical functions depend on assets, processes, suppliers, data flows, jurisdictions, and technologies, and how disruption at specific points can cascade across domains. This understanding must be reflected in risk assessments, governance decisions, and resilience planning.


Step 4. Design integrated scenario stress tests for multi domain risks.

To design hybrid threat informed scenarios, we must understand how real world adversaries attack, and how pressures and systemic stresses actually unfold. In legal and governance terms, this step is about ensuring that the organization’s stress testing and preparedness exercises reflect the manner in which harm is likely to materialize, not the manner in which risks are conveniently categorized internally. The objective is to test whether the organization’s governance, decision making, and control structures remain effective when multiple vectors interact in a coordinated way.

Scenarios must not be designed around abstract hazard lists or generic incident templates. Also, the organization is not expected to imagine implausible catastrophes, but it is expected to consider realistic patterns of coordinated pressure that are observable in its sector and operating environment.

Hybrid scenario design requires a fundamental shift in what scenarios are intended to test. Traditional scenarios often focus on control performance: whether systems fail over, whether backups restore, or whether notification timelines are met. Hybrid scenarios are designed primarily to test governance under stress. They examine whether the organization can recognize escalation, integrate information across domains, make legally defensible decisions under uncertainty, and maintain coherence when facing conflicting obligations.

Hybrid scenarios must be explicitly cross domain. A scenario that focuses on ICT disruptions or supply chain failures in isolation does not test hybrid resilience. It tests functional preparedness within a silo.

In practical terms, a hybrid threat informed scenario is constructed as a sequence, not a single event. It begins with weak signals, often ambiguous and easily dismissed, and evolves through interaction. Each step in the sequence is designed to stress a different aspect of the organization’s governance, but the cumulative effect tests whether decision making remains coordinated and efficient.

Hybrid scenario design must explicitly incorporate legal and regulatory constraints as active variables. In many traditional exercises, legal challenges are treated as downstream consequences to be handled once the incident is resolved. In hybrid scenarios, legal obligations are often part of the pressure mechanism itself. Disclosure requirements, supervisory expectations, cross border data access restrictions, and contractual notification clauses may conflict as the scenario unfolds. Including these elements in scenario design forces participants to confront the reality that legal compliance is not binary, and that trade offs must often be made under time pressure.

A hybrid scenario design is not a checklist exercise, a tabletop simulation focused on operational response, or a compliance demonstration. It is a structured stress test of the organization’s capacity to govern itself under compound pressure. Success is not measured by whether every action is correct, but by whether roles are understood, information flows are integrated, escalation occurs when required, and decisions are made with awareness of cross domain consequences.

Hybrid stress tests are not designed to be passed, nor are they designed to be celebrated. They exist to expose blind spots, institutional overconfidence, and carefully documented assumptions that fail under stress. An outcome never invites satisfaction, approval, or applause.

Hybrid stress tests are intended to disturb linear reasoning, invalidate comfort narratives, and demonstrate that resilience is conditional, fragile, and frequently overstated. Confidence is not a control, and relief is not an outcome.

Hybrid threat informed scenario design must be adaptive. Scenarios should evolve as the threat landscape, regulatory environment, and business model change. Each change and trend should refine the organization’s understanding of where governance breaks down, where assumptions prove false, and where dependencies amplify impact. Documenting this evolution proves that the organization is actively learning from structured analysis. In legal terms, this supports the argument that the organization exercises ongoing diligence and adapts its risk management practices in response to emerging realities.

In Step 4, we design multi vector scenarios (like cyber intrusion + data leak + disinformation + reputational damage + regulatory pressure). We include non technical attacks, such as legal harassment, social media pressure, insider manipulation, or strategic litigation. We ensure scenarios stress decision making too, not just systems.


Step 5. Run integrated scenario stress tests for multi domain risks.

This step determines whether the organization merely understands hybrid risk in theory, or can actually govern itself when multiple domains are simultaneously stressed. At this stage, actions, delays, omissions, and conflicts become part of an evidentiary record.

An integrated stress test evaluates whether the organization can operate as a single decision making system, or as a collection of technically competent but disconnected functions. These tests intentionally introduce ambiguity by forcing participants to choose between imperfect options, such as whether to disclose incomplete information, whether to suspend operations at the risk of contractual breach, or whether to prioritize regulatory engagement over public communications.

Stress tests often surface issues such as inconsistent situational awareness, competing narratives presented to different stakeholders, and misaligned priorities between business continuity, legal defensibility, and reputational management. These failures are rarely visible in siloed exercises.

Supervisors and regulators do not expect organizations to eliminate all risk, but they do expect them to demonstrate that they have tested their ability to manage foreseeable stress. Running integrated stress tests shows that management considers how its own governance structures perform under realistic pressure, including whether information flows reach decision makers.

The execution of integrated stress tests must also be documented in a manner that supports accountability and learning. This documentation should capture decision pathways, including what information was available at each stage, who made which decisions, what alternatives were considered, and what assumptions proved incorrect. In legal terms, this record is essential in demonstrating that the organization exercised reasonable judgment under the circumstances. It also provides the basis for governance improvement, allowing the organization to refine escalation criteria, clarify roles, and adjust policies in light of observed behavior.

In Step 5, the organization can demonstrate that it has actively tested its ability to make coordinated, lawful, and timely decisions under stress conditions that reflect realistic hybrid risk scenarios. Integrated scenario stress testing transforms hybrid risk from an abstract concept into a measurable aspect of organizational resilience, and provides the evidentiary foundation upon which claims of prudent management rest.

You may visit the Hybrid Stress Testing link at the top of the page for a detailed explanation and case studies.

Question: Do we need 2 steps? Step 4 to design hybrid stress tests and Step 5 to run hybrid stress tests?

Answer: Two distinct steps are justified and necessary. Collapsing them into one step is a common mistake and weakens legal defensibility.

Scenario design credibility and organizational performance are judged separately in law, supervision, and post incident accountability.

You can find more at the Hybrid Stress Testing link at the top of the page.


Step 6. Harden governance, not just controls.

Hardening governance reflects the recognition that in hybrid risk scenarios the primary failure mode is rarely the absence of technical or procedural safeguards, but the inability of the organization’s governance system to function under stress. This step addresses a fundamental misconception: that resilience can be achieved by accumulating controls, policies, and tools without ensuring that the decision making architecture governing those controls is hardened for crisis conditions. In hybrid events, controls often exist and even operate as designed, but harm escalates because governance processes collapse under ambiguity.

Controls demonstrate intent to comply with obligations. Governance demonstrates the capacity to direct, coordinate, and justify action when obligations conflict, or when information is incomplete. In post incident reviews, regulators and courts consistently focus on governance questions: who had authority, when did they act, what information did they have, and why did they choose one course of action over another? An organization that has controls, but no clear policies about how governance enables or constrains their use, is exposed to the argument that it was procedurally compliant but substantively unprepared.

Hardening governance requires a systematic examination of whether existing policies, delegations, and decision rights are designed for stability, not stress. Many governance frameworks are optimized for predictability, deliberation, and risk avoidance under normal conditions. They rely on layered approvals, committee deliberations, and consensus building mechanisms that function well in normal conditions, but become liabilities in crisis situations. Hybrid risk scenarios, by design, compress timelines, fragment information, and introduce competing legal and operational challenges.

The clarification and preauthorization of decision rights under stress is critical. This includes defining who is empowered to declare an incident, trigger crisis management structures, suspend normal operations, accept regulatory or contractual risk, and communicate with external stakeholders. Preauthorization is essential to avoid paralysis and unauthorized action. Without clear mandates, individuals may hesitate to act for fear of exceeding authority, or may act unilaterally in ways that later prove legally indefensible. Hardened governance ensures that emergency powers are not improvised, but follow Board approved policies.

Emergency decision making powers must be consistent with applicable corporate law, regulatory expectations, and internal governance documents. Hardening governance requires legal review of crisis governance structures, escalation paths, and delegation instruments to ensure that they remain valid and enforceable under extreme conditions. This is particularly important in cross border organizations.

Governance hardening includes eliminating structural ambiguities that allow responsibility to diffuse during crises. In hybrid events, it is common for multiple functions to assert partial authority over different aspects of the response (like security over containment, legal over disclosure, communications over messaging, compliance over regulatory engagement), without a clear mechanism to resolve conflicts. Hardened governance establishes a hierarchy of decision making that can impose a unified course of action. This does not diminish functional expertise. It ensures that expertise informs decisions, but does not serve a personal agenda for control.

Regulatory regimes emphasize that Boards and senior management cannot delegate accountability for critical risk decisions. Governance frameworks must enable management body involvement. This includes ensuring that information flows are structured to reach decision makers promptly, that escalation thresholds are meaningful, and that Boards or designated committees can convene and act without procedural delay. A governance system that technically complies with reporting requirements but fails to support timely management intervention under stress may be deemed ineffective.

The focus on governance reflects an understanding that hybrid risk often exploits procedural gaps. Adversarial actors may time actions to cause governance handovers, exploit approval bottlenecks, or create confusion about which rules apply in exceptional circumstances. Hardened governance anticipates these tactics by stress testing governance processes, identifying where rules conflict or slow response, and simplifying where necessary. This is resilience engineering applied to decision making.

Hardening governance is an ongoing obligation. Governance arrangements must evolve as the organization’s risk profile, regulatory environment, and operational dependencies change. Integrated stress testing, incident experience, and supervisory feedback should all feed into periodic reassessment of governance effectiveness. This process demonstrates that the organization treats governance as a living system, capable of learning and adaptation. This is a powerful indicator of diligence and prudence in environments characterized by rapid technological, regulatory, and geopolitical change.

After Step 6, governance is hardened, and the organization no longer relies on controls as substitutes for judgment. Decision making authority is explicit, traceable, and can be exercised under stress. Controls support governance instead of compensating for its absence. When disruption occurs, the organization responds without procedural paralysis.


Step 7. Strengthen legal and regulatory resilience.

In many cases, the decisive impact of a hybrid event is legal exposure. Regulatory intervention, supervisory enforcement, litigation risk, contractual breach, and compelled disclosures can produce more lasting damage than a technical disruption. This step deals with the organization’s capacity to remain compliant, defensible, and credible when facing simultaneous and often conflicting legal and regulatory pressures, applied under conditions of uncertainty and time constraint.

Legal and regulatory resilience is different from regulatory compliance, which assumes stable facts, predictable timelines, and clear legal pathways. After a hybrid attack, decision making in legally ambiguous situations is a major challenge. The legal standard in such circumstances is not perfection, but reasonableness, proportionality, and good faith, grounded in a structured governance framework.

A core component of legal resilience is preincident legal positioning. Organizations must anticipate how key legal regimes will be triggered by hybrid scenarios, and develop defensible responses in advance. This includes understanding notification thresholds, disclosure timelines, cooperation obligations, and enforcement powers across all relevant jurisdictions. In a hybrid event, legal exposure often escalates because decision makers are forced to interpret obligations in real time, without having previously examined how those obligations interact. Preincident legal analysis reduces this risk by clarifying which obligations are mandatory, which allow discretion, and where conflicts are likely to arise.

A critical dimension is the integration of legal and regulatory considerations into incident and crisis management structures. Legal and compliance functions must be embedded in decision making processes. Hybrid scenarios often require rapid decisions with legal consequences. If legal input is delayed or marginalized, the organization risks actions that are operationally understandable but legally indefensible. Overly cautious legal intervention is also a problem, as it can paralyze response.

Cross jurisdictional complexity is a major component of legal exposure in hybrid risk. Organizations operating across borders may face divergent or even contradictory legal requirements, particularly in areas such as data protection, cybersecurity reporting, and national security. Hybrid events are often designed to activate these conflicts. For example, they may make full disclosure necessary in one jurisdiction while creating data protection liability in another. Legal and regulatory resilience requires a mapped understanding of jurisdictional overlaps and conflicts, and predefined principles for resolving them. Not all conflicts can be eliminated, but having a clear preauthorized approach counters paralysis and demonstrates foresight and reasoned judgment. These are central to legal defensibility.

Contractual resilience is often underestimated. Hybrid events frequently trigger contractual obligations, including notification duties, service level commitments, termination rights, and indemnities. These contractual consequences can amplify operational disruption and reputational harm. Strengthening legal resilience requires that critical contracts, particularly with key customers and suppliers, be reviewed through a hybrid risk lens. This includes assessing whether contractual obligations are realistic under crisis conditions, whether force majeure or hardship clauses are fit for modern hybrid risk scenarios, and whether notification and cooperation provisions support or hinder coordinated response. From a legal standpoint, proactive contract governance reduces the risk of cascading disputes during already strained conditions.

Regulatory engagement strategy is equally central to resilience. The manner in which an organization engages with supervisory authorities can significantly influence outcomes, including the intensity of enforcement, the scope of remedial measures, and reputational impact. Strengthening resilience involves establishing clear principles for regulatory engagement, including when and how to communicate, how to balance transparency with legal privilege, and how to ensure consistency of messaging across jurisdictions.

After Step 7, the organization can demonstrate that it has anticipated the legal and regulatory dimensions of hybrid risk. It has embedded legal expertise into crisis decision making. It has developed preincident legal analysis, and has clarified which obligations are mandatory, which allow discretion, and where conflicts are likely to arise. It has reduced the likelihood that legal exposure becomes a dominant vector of harm in a crisis.


Step 8. Build narrative defense capabilities.

In hybrid risk scenarios, the struggle for control often shifts from systems and processes to meaning, perception, and credibility. Information is manipulated and weaponized. This step addresses the organization’s response in environments where disinformation, selective disclosure, and narrative pressure can materially alter regulatory, market, and stakeholder responses.

Narrative risk is the risk that strategically constructed, disseminated, and amplified narratives, whether truthful, distorted, or false, materially influence the legal, regulatory, operational, and strategic position of an organization.

In hybrid risk environments, narrative risk arises where adversaries exploit information asymmetries, cognitive biases, media dynamics, and institutional communication constraints to shape perceptions of legality, legitimacy, compliance, trustworthiness, or intent. Such narratives may operate in parallel with cyber, economic, legal, or other actions.

Narratives can lead to regulatory scrutiny, enforcement, judicial challenges, contractual obligations, and limited market access, before clear forensic evidence can explain what is real and what is fabricated.

In hybrid risk scenarios, narratives are force multipliers. They degrade decision making, constrain lawful response options, distort interpretation, and may trigger regulatory, political, or market consequences that exceed the initiating event. Where unmanaged, narrative risk can invert the burden of proof, compelling organizations to defend against perceptions, not facts.

Narrative risk must be treated as a distinct hybrid risk category, requiring anticipatory governance, legally coherent communication strategies, and evidentiary discipline.

A central component of narrative defense is the ability to distinguish between verified facts, emerging information, and speculation, and to ensure that this distinction is reflected consistently across all internal and external communications. Inconsistent or speculative statements can significantly increase liability, particularly where disclosure obligations apply, or where statements are later alleged to be misleading. Narrative defense capabilities must include governance mechanisms that control how information is validated, authorized, and released, without delaying necessary communication.

Public statements, regulatory notifications, and stakeholder communications may trigger disclosure obligations, affect contractual rights, and be used as evidence in enforcement or litigation. Building narrative defense capabilities requires aligning communications functions closely with legal and compliance teams, ensuring that messages reflect both factual accuracy and legal prudence. This alignment must be preestablished through governance structures, not improvised during a crisis.

Narrative defense extends to the protection of decision making autonomy. In hybrid events, narrative pressure can constrain governance by creating a sense of urgency or inevitability that bypasses established decision rights. For example, media driven outrage may push management toward premature disclosure or operational shutdowns without adequate legal assessment. Fear of reputational damage may delay necessary regulatory engagement.

Internal narratives are equally important. Hybrid events often generate confusion and anxiety within the organization, leading to leaks, inconsistent messaging, or loss of morale. Internal misalignment can undermine external credibility and increase exposure. Building narrative defense capabilities includes ensuring that employees receive clear, consistent, and authorized information, reducing the risk of unauthorized disclosures and rumor propagation. Internal communications, when properly governed, become a stabilizing force.

Narrative defense capabilities must be adaptive. Like legal resilience, narrative defense cannot be built solely through policy. It must be tested through integrated stress exercises that simulate information pressure, media scrutiny, and disinformation campaigns alongside operational and legal stressors. These exercises reveal whether governance arrangements can withstand narrative volatility. Continuous refinement based on such testing demonstrates diligence and responsiveness to evolving threat landscapes.

After Step 8, the organization can demonstrate that it possesses the institutional capacity to preserve factual integrity, coordinate legally defensible communications, and withstand narrative pressure during hybrid events. It treats narrative as a governed risk domain.


Step 9. Enhance supply chain and third party resilience.

Organizations increasingly depend on external actors, over whom they do not exercise direct control. Third parties are frequently the entry point, the amplifier, and the leverage mechanism through which coordinated pressure is applied.

The legal foundation for third party resilience is the principle that outsourcing risk does not mean outsourcing accountability. Regulatory frameworks and supervisory practices consistently reaffirm that entities remain responsible for the performance and compliance of critical outsourced activities. A cyber incident at a service provider, a data leak or regulatory failure by a subcontractor, or a geopolitical disruption affecting a supplier’s jurisdiction, can all trigger legal and compliance consequences for the organization.

We must move from static due diligence to continuous third party risk governance. Traditional third party risk management often relies on point in time assessments and periodic reviews. Hybrid risk scenarios expose the inadequacy of this approach, as risk conditions can change rapidly due to technological shifts, regulatory developments, or geopolitical events. Reliance on outdated assessments is difficult to defend if emerging risks were reasonably detectable.

Contractual architecture plays a decisive role in third party risk and resilience management. Contracts must define the organization’s rights and obligations under stress. In hybrid events, deficiencies in contractual provisions lead to critical vulnerabilities. These may include unclear incident notification requirements, insufficient cooperation obligations, limited audit or access rights, restrictive data ownership clauses, or termination provisions that impede rapid disengagement. Strengthening resilience involves reviewing and, where necessary, renegotiating contracts to ensure that they support coordinated response, regulatory compliance, and continuity of critical functions.

Jurisdictional exposure within the supply chain is a key concern. Third party relationships often span multiple legal regimes, some of which may impose constraints on data access, incident response, or regulatory cooperation. Hybrid risk actors exploit these jurisdictional asymmetries. For example, they may trigger legal obligations for disclosure of internal documents and communications. We must map the legal and geopolitical context of suppliers, and must understand how jurisdictional factors affect performance and compliance, especially under stress.

Enhancing third party resilience requires prioritization based on criticality and substitutability. Not all suppliers pose the same level of risk. Hybrid risk management starts with those third parties whose failure would have disproportionate impact on critical functions, legal obligations, or reputational standing. This prioritization must consider the supplier’s role, and the feasibility and timeframe of substitution. Reliance on suppliers for critical services without viable exit strategies is a conscious risk choice that must be visible and justifiable at senior levels. Enhancing resilience involves ensuring that such choices are explicitly governed, not implicitly accepted.

Information sharing and coordination mechanisms are very important. In hybrid events, delayed or incomplete information from third parties can significantly impair response. Enhancing resilience requires establishing clear channels for information exchange, including during crises, and ensuring that these channels are exercised and tested. This includes defining expectations for transparency, escalation, and joint decision making.

Governance over subcontracting chains is often overlooked. Many critical services are delivered through layered supply chains in which the organization has limited visibility beyond the first tier. Hybrid risk scenarios exploit weaknesses at lower tiers, where controls and oversight are weaker. Enhancing resilience requires extending governance expectations throughout the supply chain.

Supply chain and third party risk must be integrated into stress testing and crisis management. Third party failures should be included in hybrid scenarios, and response plans should deal with the practical and legal challenges of coordinating with external actors under pressure. This integration ensures that third party resilience is not treated as a static checklist. Documentation of these efforts supports legal defensibility by showing that third party risk was actively managed.

After Step 9, the organization can demonstrate that it has identified its third party dependencies, has established governance and contractual mechanisms to manage them under stress, and has integrated third party considerations into its broader hybrid risk management and stress testing framework.


Step 10. Align cybersecurity with business and geopolitical reality.

Time and again, we have seen the same governance failure in hybrid risk management: the treatment of cybersecurity as a technical discipline, separated from any strategic, legal, and geopolitical concern.

In hybrid risk scenarios, cybersecurity failures do not cause harm only because systems are compromised. Harm escalates because cyber events lead to intellectual property challenges, regulatory exposure, economic loss, and reputational harm. Cybersecurity must reflect the organization’s real world operating environment, not an abstract, one size fits all, tool driven understanding of cyber defence.

Regulators and courts do not assess cybersecurity in isolation. They assess whether the measures adopted were appropriate given the nature, scale, and complexity of the organization’s activities, and the risks to which it was exposed. Cybersecurity controls that are technically robust but misaligned with business priorities may fail this test, if they do not protect what is most critical, or if they ignore foreseeable geopolitical risk factors.

Geopolitical reality introduces additional layers of complexity that must be reflected in cybersecurity strategy. Organizations operating across borders are exposed to different threat actors, regulatory regimes, and state interests. Cyber operations may be influenced or constrained by geopolitical tensions, sanctions, trade restrictions, or national security considerations. Aligning cybersecurity with geopolitical reality requires awareness of how these factors affect threat likelihood, impact, and response options.

From a legal perspective, cybersecurity incidents must be treated as enterprise risks with legal and strategic implications. Cyber incidents often trigger regulatory notification obligations, contractual rights, and potential litigation. Decisions about containment, disclosure, and remediation carry legal consequences that extend beyond technical resolution. Aligning cybersecurity with business and geopolitical reality means ensuring that cyber incident response is integrated into enterprise governance structures, with clear escalation to senior management and the Board, when strategic or legal thresholds are crossed.

Many cybersecurity frameworks are built on assumptions of availability of support, stable regulatory conditions, and clear lines of cooperation. Hybrid risk scenarios challenge these assumptions by introducing legal constraints, geopolitical barriers, or conflicting stakeholder expectations. Aligning cybersecurity with reality requires stress testing these assumptions, and adapting controls accordingly.

Human and organizational factors are central to alignment. Cybersecurity effectiveness depends not only on technology, but on decision making, culture, and incentives. In hybrid contexts, employees and managers may face conflicting pressures, such as maintaining operations versus complying with security protocols, or protecting sensitive information versus meeting disclosure expectations. Aligning cybersecurity with business reality involves designing policies and procedures that reflect these tensions and empower individuals to make informed decisions under stress. This reduces the risk that individual actions will be characterized as negligent or reckless.

Alignment must be dynamic. Business models, geopolitical conditions, and threat landscapes evolve continuously. Cybersecurity strategies that are not regularly reassessed risk becoming obsolete or misaligned. Governance mechanisms must ensure review and adaptation, informed by intelligence, stress testing, and incident experience.

Example

An organisation is operating in a strategically sensitive sector (energy, aviation, advanced manufacturing, semiconductors). The organization can demonstrate formal compliance with cybersecurity standards. It deploys advanced detection tools, maintains a cybersecurity operations center, and reports incidents. From a control based perspective, cyber defense appears adequate. From a hybrid risk perspective, it is incomplete.

State aligned cyber espionage actors do not pursue objectives such as financial crime, disruption, or extortion. Their operations are informed by national strategic priorities, including industrial policy, energy security, sanctions circumvention, and diplomatic leverage. Their modus operandi is deliberately calibrated to avoid the detection thresholds commonly associated with cyber incidents.

Initial access is frequently achieved through legally and operationally trusted intermediaries, including suppliers. Once access is obtained, the intrusion is characterized by prolonged dormancy, selective privilege escalation, and persistent monitoring of communications, not overt system manipulation. Data exfiltration, where it occurs, is narrowly targeted and volume controlled to avoid triggering detection controls. No ransomware is deployed, no systems are disrupted, and no immediate operational impact is observed.

In the absence of geopolitically informed threat intelligence, such activity is unlikely to be classified internally as suspicious. Management reporting reflects the absence of material findings, and governance bodies remain unaware that strategic decision making, contractual negotiations, or regulatory positioning may already have been compromised.

Where geopolitically relevant threat intelligence is integrated into cybersecurity governance, the analytical procedure changes materially. The organization is capable of identifying itself as a plausible intelligence target, adjusting detection logic to reflect espionage specific tradecraft, and interpreting low noise indicators as legally and strategically significant. Governance escalation occurs earlier, and cybersecurity is aligned with the preservation of critical information.
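The paragraph above contrasts detection logic tuned for loud incidents with logic tuned for espionage tradecraft: persistent, small, volume controlled transfers to a rare destination that never cross a per-transfer alarm. The following is an added example, not code from the original page or from any product it describes. It runs a naive per-transfer volume check and a long-window pattern check over constructed flow records; the hosts, addresses, sizes and thresholds (30 day window, 20 active days, at most 2 internal peers per destination) are assumptions chosen to make the contrast visible, not values from the page.

```python
"""Low-and-slow transfer pattern detection over constructed flow logs.

Added example, not part of the original page. All flow records, host names,
destination addresses and thresholds below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src_host: str
    dst_ip: str
    bytes_out: int


# Naive control: alert only when one transfer crosses a size threshold (assumed 50 MiB).
PER_TRANSFER_THRESHOLD = 50 * 1024 * 1024

# Pattern-based logic over a long window (assumed thresholds, not from the page).
WINDOW_DAYS = 30
MIN_ACTIVE_DAYS = 20      # persistence: the same (src, dst) pair active on many distinct days
MAX_INTERNAL_PEERS = 2    # rarity: destination contacted by very few internal hosts

SAMPLE_NOW = datetime(2024, 3, 31, 12, 0)  # constructed reference time


def naive_volume_alerts(flows):
    """Return flows whose single-transfer size exceeds PER_TRANSFER_THRESHOLD."""
    return [f for f in flows if f.bytes_out > PER_TRANSFER_THRESHOLD]


def low_and_slow_alerts(flows, now):
    """Flag (src, dst) pairs that are persistent, individually quiet, and rare.

    Each condition alone is a weak signal; the alert fires only on convergence
    of all three within the window, which is what the per-transfer check misses.
    """
    start = now - timedelta(days=WINDOW_DAYS)
    days_by_pair = defaultdict(set)
    bytes_by_pair = defaultdict(int)
    max_by_pair = defaultdict(int)
    peers_by_dst = defaultdict(set)
    for f in flows:
        if f.ts < start:
            continue
        pair = (f.src_host, f.dst_ip)
        days_by_pair[pair].add(f.ts.date())
        bytes_by_pair[pair] += f.bytes_out
        max_by_pair[pair] = max(max_by_pair[pair], f.bytes_out)
        peers_by_dst[f.dst_ip].add(f.src_host)

    alerts = []
    for (src, dst), days in days_by_pair.items():
        persistent = len(days) >= MIN_ACTIVE_DAYS
        quiet = max_by_pair[(src, dst)] <= PER_TRANSFER_THRESHOLD
        rare = len(peers_by_dst[dst]) <= MAX_INTERNAL_PEERS
        if persistent and quiet and rare:
            alerts.append({"src_host": src, "dst_ip": dst,
                           "active_days": len(days),
                           "total_bytes": bytes_by_pair[(src, dst)]})
    return alerts


def build_sample_flows(now):
    """Constructed traffic: a popular SaaS destination, one large legitimate
    backup, and one host sending ~300 KiB daily to a destination nobody else uses."""
    flows = []
    for d in range(WINDOW_DAYS):
        day = now - timedelta(days=d)
        for i in range(10):  # ten workstations, same widely used destination, 5 MiB each
            flows.append(Flow(day, f"ws-{i:02d}", "203.0.113.10", 5 * 1024 * 1024 + i * 100_000))
    # Legitimate 200 MiB backup: the only flow the naive check will raise.
    flows.append(Flow(now - timedelta(days=3), "backup-01", "203.0.113.20", 200 * 1024 * 1024))
    # Low-noise pattern: small, steady, one host, one rare destination, 25 of 30 days.
    for d in range(25):
        flows.append(Flow(now - timedelta(days=d, hours=2), "eng-07", "198.51.100.77", 300 * 1024))
    return flows


def run_demo():
    """Return (naive_alerts, pattern_alerts) for the constructed sample."""
    flows = build_sample_flows(SAMPLE_NOW)
    return naive_volume_alerts(flows), low_and_slow_alerts(flows, SAMPLE_NOW)


if __name__ == "__main__":
    naive, pattern = run_demo()
    print("naive per-transfer alerts:", [f.src_host for f in naive])
    print("low-and-slow alerts:", pattern)
```

On the constructed sample the naive check raises only the legitimate backup and says nothing about eng-07, while the pattern check flags eng-07 alone and leaves the ten workstations untouched because their destination is widely shared. The governance point is in the thresholds: who sets them, who reviews them against geopolitically informed intelligence, and where a flagged pair is escalated are decisions the code cannot make.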

In Step 10, cybersecurity is demonstrably integrated into the organization’s strategic, legal, and geopolitical context. Cybersecurity is understood and governed as a business critical, legally consequential function shaped by the realities of the organization’s operating environment.


Step 11. Manage cognitive risk.

Cognitive risk is the risk that decisions, judgments, or actions are influenced by cognitive limitations, biases, or distortions in perception, reasoning, or interpretation, resulting in inadequate risk management and legally flawed outcomes. It arises when human decision making fails to meet the standards of care, diligence, objectivity, or reasonableness required by law, due to factors such as stress, fatigue, cognitive bias, information asymmetry, information overload, framing, and reliance on flawed models, assumptions, or automated outputs (including AI assisted decision making). This risk is persistent and rarely formally governed, because many organisations assume that rational judgment is a given in a crisis.

Legal risk follows cognitive risk, because judgment failure is foreseeable. Hybrid threat actors deliberately engineer ambiguity, noise, and information distortion as part of a campaign. It is foreseeable that decision makers will misinterpret signals, defer escalation, or default to familiar frames that are no longer appropriate. Where such environments are foreseeable, governance that fails to address cognitive risk is incomplete. Regulators and courts increasingly assess not only whether organizations had information, but whether their decision making structures were capable of processing that information without distortion or delay. Governing cognitive risk responds directly to this evolving expectation.

Traditional governance frameworks assume that decisions will be made once sufficient information is available. Hybrid risk invalidates this assumption. Waiting for certainty results in irreversible harm. Action must be taken based on patterns, convergence of weak signals, and threat intelligence, not definitive proof. This naturally leads to stress and fatigue.

Under uncertainty, decision makers may hesitate to act for fear of personal accountability, legal exposure, or reputational damage. This hesitation is most acute when authority boundaries are unclear, or when escalation is perceived as an admission of failure. Hybrid stress tests that lead to predefined escalation triggers reduce the psychological barrier to action, and support timely governance intervention.

For a more detailed explanation, you may visit the COGINT (Cognitive Intelligence) link at the top of the page.

After Step 11, the organization can demonstrate that it has recognized cognitive risk as a material risk, has embedded mechanisms to manage decision making under uncertainty, and has aligned authority, escalation, and documentation practices. Hybrid stress tests have led to predefined escalation triggers, and it has transformed uncertainty from a paralyzing condition into a managed element of organizational resilience.


Step 12. Manage algorithmic and AI mediated risk.

This step addresses the reality that, in many organisations, a material portion of judgment is no longer exercised directly by humans, but is preshaped, filtered, and prioritized by algorithmic systems. Dashboards, risk scores, alerts, predictive models, AI assisted analysis, and automated classifications increasingly determine what decision makers see, what they ignore, and what they perceive as urgent. From a legal perspective, Step 12 deals with the obligation to govern delegated cognition. This is the transfer of interpretive authority from humans to algorithmic systems.

When decisions are influenced by algorithmic outputs, responsibility does not disappear. Regulators and courts will not accept "the system assessed the risk as low" as a defence, unless the organization can demonstrate that the system itself was governed, understood, challenged, and overridden where appropriate. Ungoverned reliance on algorithmic intelligence creates a false appearance of objectivity, and masks embedded assumptions, biases, and optimization priorities that may be misaligned with legal, regulatory, or resilience objectives.

The governance of algorithmic and AI mediated risk starts with the recognition that algorithmic systems are not neutral tools, but decision shaping actors within the governance ecosystem. This recognition must be reflected in governance frameworks that define where algorithmic outputs are advisory and where they are determinative. Where algorithms influence such decisions, governance must require explicit human validation and, where appropriate, documented override.

For a more detailed explanation, you may visit the ALGINT link at the top of the page.

After Step 12, the organization can demonstrate that algorithmic and AI mediated risk is governed, that human judgment retains primacy, and that reliance on algorithmic outputs is disciplined, transparent, and defensible.


Step 13. Establish the hybrid intelligence function.

This step addresses a structural weakness in many enterprise risk management implementations: the total reliance on past indicators and formal reporting cycles that are poorly suited to the dynamics of hybrid risk.

Organizations are not expected to predict the future, but they are expected to monitor their environment in a manner proportionate to their risk profile, and to respond to indicators that would alert a prudent organization to emerging risk. In hybrid contexts, these indicators rarely reside within a single function. Without an intelligence function capable of aggregating and interpreting such signals, these indicators remain fragmented and are easily dismissed.

Intelligence is not synonymous with technical monitoring. Cyber threat intelligence is only one component; it does not cover regulatory trends, geopolitical analysis, market behavior, or emerging hybrid attacks against similar entities. Intelligence must reach decision makers, and must be incorporated into risk assessments, scenario design, and operational planning. Clear policies and procedures, approved by the Board, demonstrate that intelligence is integrated into risk management.

For a very detailed explanation, you may visit the DHI (Defensive Hybrid Intelligence) link at the top of the page.

After Step 13, the organization can demonstrate that it has established structured, cross domain intelligence that informs risk governance, supports timely escalation, and enables reasoned action. It has institutionalized anticipation. You may visit the DHI link at the top of the page, to understand the collection, fusion, interpretation, and decision steps.


Step 14. Continuously adapt.

This step reflects the recognition that resilience is a dynamic capability sustained through structured learning, institutional memory, hybrid intelligence, and continuous governance reform. It addresses how an organization responds to what it learns about itself under stress, and how it converts that learning into improvements in governance, decision making, and risk control.

Organizations are expected to learn from stress tests, incidents, near misses, and supervisory feedback. Regulators, courts, and enforcement bodies recognize that cyber incidents, system failures, and operational breakdowns are unavoidable in complex digital and technical environments. What distinguishes a defensible incident from a legally problematic one is whether the organization had prior knowledge of weaknesses and failed to respond in a reasonable and timely manner.

Organizations are not expected to be invulnerable. They are expected to govern risk. Post incident analysis shifts quickly away from the technical details of a breach or outage, toward the organization’s state of knowledge before the event occurred. Foreseeability combined with inaction is far more damaging than initial failure.

Failure to respond is more consequential than failure to prevent. Regulators and courts expect risks to be assessed, prioritized, escalated, and addressed. When a vulnerability was known, but remediation was postponed indefinitely due to cost, convenience, or organizational inertia, the narrative shifts toward negligence and breach of duty.

Operational learning focuses on improving procedures, tools, or response tactics. Governance driven learning focuses on whether authority, oversight, escalation, and accountability structures functioned as intended. In hybrid risk, operational fixes alone are insufficient. Investigations show that harm escalates because decisions are delayed, responsibilities are unclear, or governance bodies lack the information or confidence to act.

Insights from stress tests, crisis exercises, and real events must be translated into changes to policies, procedures, delegations, committee mandates, escalation thresholds, reporting structures, and risk appetite statements. Informal acknowledgment of lessons, without corresponding governance reform, is legally weak. Embedding learning into governance provides evidence that the organization treats learning as a control, and adapts.

Hybrid stress tests frequently expose problems that cannot be resolved within individual functions, such as conflicting mandates between teams. Governance driven learning ensures that such issues are escalated to senior management and the Board, where structural changes can be authorized. From a legal standpoint, this demonstrates that oversight bodies are actively engaged in risk and resilience management.

External learning is important too. Governance driven learning must extend beyond internal experience to include analysis of external incidents, modus operandi, and industry developments. Incorporating such insights into governance demonstrates environmental awareness and proactive adaptation. From a legal perspective, this supports the argument that the organization maintains situational awareness consistent with its risk profile and sector.

After Step 14, the organization can demonstrate that it systematically learns from stress, embeds that learning into governance structures, and continuously adapts its risk management framework in response to evolving hybrid threats.



What is next? Understand how defensive hybrid intelligence works for the private sector.

Defensive Hybrid Intelligence

Defensive Hybrid Intelligence, Principles

1. Collection

2. Fusion

3. Interpretation

4. Decision


George Lekatis


This website is developed and maintained by Cyber Risk GmbH as part of its professional activities in the fields of risk management and regulatory compliance.

Cyber Risk GmbH specializes in supporting organizations in understanding, navigating, and implementing complex European, U.S., and international risk related regulatory frameworks.

Content is produced and maintained under the professional responsibility of George Lekatis, General Manager of Cyber Risk GmbH, a well known expert in risk management and compliance. He also serves as General Manager of Compliance LLC, a company incorporated in Wilmington, NC, with offices in Washington, DC, providing risk and compliance training in 58 countries.