What Kept Me Awake in 2014 — and What Keeps Risk Managers Awake in 2025

Introduction: Looking Back from a Different World

Some time in 2014, I jotted down a few notes summarising the five things that were keeping me awake as Group Security Director in a global telecoms company. I was waiting for a late-night connection on my latest international business trip. The words flowed easily and I believed I had captured the essential threats of the time: they were serious, complex, and already stretching organisational resilience.

What I could not have anticipated was how profoundly the risk landscape would shift over the next decade.

The threats themselves did not disappear. In fact, each of the five concerns from 2014 is still with us today. But they have evolved into something larger, faster, and more interconnected. The difference between 2014 and 2025 is the difference between a world of discrete operational incidents and one of continuous systemic risk.

Since then, the pressures on organisations have multiplied:

• geopolitical fragmentation,

• AI-driven disruption,

• criminal cyberattacks with state involvement,

• energy and resource constraints,

• climate volatility,

• social polarisation,

• declining trust in institutions,

• and an increasingly complex web of regulations.

For the last seven years, I have sat on the Future Vision Committee of the US-based Disaster Recovery Institute International (DRI), the oldest and largest nonprofit that supports risk management and resilience professionals through education, accreditation, and thought leadership in business continuity, disaster recovery, cyber resilience and related fields.

Our recent work on the DRI 11th Annual Global Risk and Resilience Trends Report makes clear that the risk manager of today faces a world both more dangerous and more difficult to navigate than the one I described in 2014.

This article reflects on that transformation — comparing my original list from a decade ago with the realities of today — and asks what now keeps risk managers awake at the end of 2025.

I add the usual disclaimer: the conclusions here are my own and do not necessarily represent the views of my colleagues in DRI.

2014 vs 2025: A Decade in Two Columns

In 2014, these were the things that worried me most:

1. Harm to people in interactions involving criminals, terrorists, or protest groups.

2. A major customer data breach, possibly aided by insiders.

3. Loss of sensitive intellectual property to competitors, criminals, or the media.

4. Launching insecure new products or services without adequate assurance.

5. Failure to manage a major crisis, leaving millions of customers without service.

   
   

In 2025, each of these still matters — but in ways that would have been almost unrecognisable ten years ago. The threats have expanded, converged, and in some cases taken on an entirely new character.

Here is the transformation at a glance:

These are not merely updates. They represent a fundamental reshaping of how risk behaves — and therefore of how organisations must prepare.

The following sections explore each evolution in depth.

1. Harm to People → A Convergence of Physical, Digital, and Psychological Threats

How I saw it in 2014

The primary fear was that someone — a customer, employee, or member of the public — might be seriously harmed during an incident involving crime, terrorism, or protest. It was a traditional security concern: physical harm, or liability for failing to prevent it.

How it looks in 2025

The concept of “harm” has expanded dramatically. Physical harm remains, but is now only one part of a broader continuum that includes:

• Digital impersonation, deepfake blackmail, and psychological coercion

• Targeted harassment campaigns amplified by social media

• Misinformation-driven violence or mobilisation

• Hybrid threats that blend digital intrusion with real-world intimidation

• Attacks on critical services (transport, health, energy) that endanger life directly or indirectly

  
  

This reflects a deeper social trend identified in the DRI Trends Report: declining social cohesion, polarisation, and the weaponisation of information flows. Many organisations now recognise that the line between “security incident” and “reputational or online incident” has dissolved.

What keeps risk managers awake now: the possibility that harm could arise not from a physical confrontation but from an online manipulation campaign, AI-generated content, or a misinformed crowd reaction.

2. Customer Data Breach → AI-Driven, State-Linked, and Autonomous Cyber Threats

What kept me awake in 2014

A major breach of customer data. We knew the risks: hacktivists, organised criminals, occasionally hostile nation states. Insider threats loomed large.

What keeps risk managers awake in 2025

Cyber events remain the #1 global risk according to DRI’s 2025 index — but the threat has completely transformed.

The modern cyber threat is characterised by:

AI that attacks

Malware now learns, adapts, and acts autonomously. Attackers deploy AI agents capable of discovering vulnerabilities, crafting phishing at scale, bypassing controls, and moving laterally in minutes.

State–criminal collaboration

The DRI Predictions report highlights a new pattern: loosely aligned groups acting as proxies for Russia, Iran, and North Korea, blending ideological motivation with criminal infrastructure.

Operational disruption is now more feared than data loss

In 2014 we feared a database being stolen. In 2025 organisations fear:

• corrupted data,

• destroyed backups,

• disabled systems,

• paralysed operations,

• cascading supply chain outages.

Executives now face personal liability

Regulation in the EU, UK, and US increasingly assigns individual accountability for cyber governance failures.

What keeps risk managers awake now: a systemic cyber incident amplified by AI, crossing business, regulatory, and geopolitical boundaries — and landing directly on the shoulders of leadership.

3. Loss of Intellectual Property → Loss of Data Integrity, Models, Algorithms, and Supply-Chain Security

In 2014

We worried about trade secrets slipping out: engineering documents, strategic plans, customer lists. This was damaging but conceptually simple.

In 2025

IP is no longer a static asset. It is dynamic, distributed, and embedded in complex digital ecosystems. It can be exfiltrated in seconds, poisoned invisibly, or corrupted without detection.

How IP loss has evolved

• AI Model Theft. Organisations now lose not only data, but the models trained on it — sometimes via “model extraction attacks”.

• Shadow AI and uncontrolled tools. Employees inadvertently leak sensitive information into public LLMs.

• Training Data Poisoning. Subtle manipulations of data that distort outputs and undermine trust.

• Geopolitical technology competition. The latest predictions highlight tensions over rare earth elements and semiconductor supply — meaning that IP loss is now tied to strategic national interests.

• Software supply chain attacks. A single compromised library can contaminate thousands of organisations.

  
  

What keeps risk managers awake now: the fear that core intellectual assets — models, algorithms, and data integrity — could be stolen or silently corrupted, with consequences emerging months or years later.

4. Insecure Product Launch → AI Governance, Ethical Risk, Regulatory Exposure, and Systemic Vulnerability

In 2014

We feared launching a new product or service that had not been adequately security-tested. The concern was customer safety, compliance, and brand trust.

In 2025

The scope has widened dramatically:

• AI governance failures (transparency, bias, explainability)

• Regulatory divergence between EU, US, UK, and China

• Cybersecurity mandates for digital products (e.g., CRA, NIS2, DORA)

• Ethical risk (unintended discrimination, fairness failures)

• Energy and sustainability compliance for digital services

• Quantum risk and crypto-agility requirements

  
  

A flawed product is no longer just “vulnerable”; it can be illegal, ethically indefensible, or operationally dangerous.

The DRI Trends Report emphasises that AI misuse — simplistic reliance on unvalidated outputs — is now seen as both a practical and strategic risk.

What keeps risk managers awake now: that a product failure could trigger regulatory penalties, ethical controversy, cyber vulnerability, reputational backlash, and even geopolitical implications.

5. Crisis Management Failure → Multi-Vector, Multi-Domain, Cascading Crises

In 2014

We feared failing to manage a major incident: a network outage, a natural disaster, a large-scale technical fault.

In 2025

The very idea of a crisis has changed. Crises are now:

Compound

A flood coincides with a cyberattack.A misinformation campaign amplifies a product failure.A cloud outage happens during a heatwave and political protest.

Non-linear

Causes and effects are not proportional. Minor triggers create major failures.

Fast and global

A local error spreads across cloud regions in seconds, affecting multiple countries at once.

Highly scrutinised

Media, regulators, and customers expect transparency in real time.

Governance-heavy

DRI’s 2025 survey shows a significant gap between the level of resilience management organisations want and the level they actually have.

What keeps risk managers awake now: a cascading crisis that overwhelms decision-making, communications, and resilience structures — producing failure across multiple business domains simultaneously.

The Drivers of Transformation: Why 2025 Is Not Just “More of the Same”

Several structural forces explain why the risks have changed so dramatically.

1. Technology acceleration

AI and automation have increased both productivity and vulnerability. Attackers innovate as fast as defenders.

2. Geopolitical fragmentation

DRI predicts three major geopolitical flashpoints that are creating global supply chain fragmentation and regulatory divergence:

• Middle East instability,

• the uncertain trajectory of the Ukraine war,

• and US–China rivalry.

  
  

3. Social polarisation and erosion of trust

Public discourse is more hostile, more fragmented, and more vulnerable to manipulation.

4. Climate volatility

Record-breaking floods, storms, wildfires, and heatwaves threaten infrastructure, supply chains, and workforce availability.

5. Energy and resource constraints

Data centres, AI workloads, and electrification strain already fragile grids.

6. Regulatory escalation

Boards and executives face direct personal accountability.

Together, these forces mean that risk managers are not merely dealing with more risks — but with risks that behave differently, interact unpredictably, and demand integrated, enterprise-wide approaches.

What Hasn’t Changed — and What Has Changed Completely

What remains true from 2014

• People remain at the centre of risk — as victims, insiders, decision-makers, and actors.

• Data and intellectual property remain core strategic assets.

• Crisis leadership is still the ultimate test of organisational culture.

  
  

What has changed completely

• Threats now cross boundaries: cyber–physical–geopolitical–reputational.

• Speed has increased: minutes now matter more than days.

• The attack surface is exponentially larger.

• Regulatory exposure is personal and unavoidable.

• Disinformation transforms crisis communication.

• AI is both an accelerant and an adversary.

• Global stability can no longer be assumed.

  
  

The world is not simply riskier. It is structurally different.

Conclusion: The Risk Manager’s Mindset in 2025

When I wrote in 2014 about the things that kept me awake at night, I believed I had identified the most serious risks we faced. Looking back, those concerns were accurate — but the world has developed in ways none of us could have fully anticipated.

Today’s risk manager must navigate:

• cyber threats with geopolitical implications,

• climate uncertainty reshaping operations,

• AI systems that must be governed as carefully as they are deployed,

• legislatures that impose strict accountability,

• societies that amplify outrage and distrust,

• supply chains held together by fragile dependencies.

  
  

The role has shifted from security management to systemic resilience. From responding to incidents to anticipating convergent crises. From protecting the company to protecting its licence to operate.

The truth is this: what kept me awake in 2014 were major incidents. What keeps risk managers awake in 2025 is the possibility of several major incidents happening together.

Resilience today is not about preventing crises, but about building organisations capable of surviving and evolving through them. And that, perhaps above all, is the lesson of the last ten years.

Copyright Richard Knowlton Associates 2025 - All Rights Reserved

Protecting your business from risk is critical in today’s digital age. At Richard Knowlton Associates, we specialize in providing expert advice on all aspects of Security Risk Management to our international business clients. Our team of experienced professionals works tirelessly to keep you secure and your business operations running smoothly. With our advanced technology and cutting-edge solutions, Richard Knowlton Associates is your trusted partner in all aspects of risk management.

To read more about the services we offer in Richard Knowlton Associates, please go to our website here.