Assessing the unknown risks
In risk management, you will all be familiar with the Black Swan concept. Everybody expects the white swans, and all of a sudden there is this black swan. So how do you incorporate the black swan into your risk management framework, and how do you assess it, and how do you prepare yourself? Clearly, you don't know the black swan, so you cannot be specific in your risk framework, and you also cannot be specific in the precise actions to be taken when it would occur. It could be orange, for all you know. Or worse, it might not even be such a nice swan.
So, it will be impossible to incorporate it into standard risk frameworks. But that would leave you with a serious gap. Something quite comparable to searching for the keys under the lamppost; you will only look for the risks you know, where there is light. Clearly, not the way to go. So what can you do?
One thought is that you include 'black swan events' for all key processes in your business, and run a risk assessment. You ask yourself the question what would be the worst possible impact for that business process, for that entity. Typically, on the financial dimension, this would be the money involved in any given period, but also the reputational, legal and safety dimension should be addressed.
And then secondly, rather than assessing the likelihood (how could you?), you assess your risk preparedness. How prepared are you for 'something' that effectively destroys that particular line of business, that process. Not easy to assess, but it is related to how quickly you will find disastrous events, and what your standard business continuity and recovery plans look like. Of course, you still don't know what will hit you, and when. But you do know (better: have an idea) where your business continuity plans should be focusing. Based on that first analysis, you may run more traditional risk assessments to find out per business process (business line, area of business) in which risk areas you're most vulnerable; whether you're most vulnerable in fraud, in external risks like competitive pressure, security risks, and operational risks and so on.
Now, this still doesn't prepare you what to do exactly when it happens. It might help you to look in the right direction. If you were honest, especially in the preparedness assessment.