In risk management, we often focus on Black Swans — rare, unpredictable shocks that reshape entire systems. They are dramatic and unforgettable.
But the real danger for organisations lies elsewhere.
Pink Flamingo risks 🦩 — the known, visible, repeatedly signalled risks we collectively ignore — are far more likely to undermine resilience. They sit in plain sight, underestimated due to familiarity, optimism bias or fatigue. And because they are known, failing to act is far more damaging.
This distinction matters now more than ever.
‼️ Why this matters for CSRD, CS3D, NIS2 and GDPR
Europe’s regulatory landscape is converging around one idea:
➡️ Resilience is now a legal, strategic and operational requirement.
Sustainability & human‑rights risks (CSRD + CS3D)
Most sustainability‑related negative impacts — human‑rights violations, environmental harm, supply‑chain abuses — are not Black Swans.
They are Pink Flamingos 🦩: well known, repeatedly documented, and often ignored until they escalate into crises.
Under CSRD and CS3D, companies must show they can:
- identify, mitigate and prevent these impacts
- manage the financial risks arising from them
Ignoring known risks is no longer poor governance — it is a compliance failure.
Cybersecurity resilience (NIS2 + GDPR)
Cyber incidents are increasingly predictable. Ransomware, supply‑chain attacks, credential theft, DDoS disruptions — none are Black Swans.
They are Pink Flamingos 🦩: widely understood, repeatedly warned about, and capable of causing severe operational disruption or financial loss.
Under NIS2, organisations must prove they can:
- prevent and manage cybersecurity incidents
- secure critical systems and supply chains
- report significant incidents rapidly
- protect others from material or non‑material harm
And when personal data is involved, GDPR applies simultaneously — making cybersecurity both a resilience obligation and a legal one.
💡 Black Swans scare us in theory. Pink Flamingos hurt us in practice.
Most corporate crises — cyber breaches, human‑rights violations, environmental damage and other sustainability-related failures — were visible long before they became catastrophic.
Resilience today means:
- acting on the risks we already know
- closing the gap between awareness and action
- embedding continuous monitoring, governance and accountability
- aligning with regulatory frameworks designed to enforce exactly that
Resilience is capital. Negative impacts and dependencies are financial risks. Double materiality is the method to uncover both.
♟️ The strategic takeaway for leaders
To build a resilient organisation under #CSRD, #CS3D, #NIS2 and GDPR, focus less on predicting the unpredictable — and more on addressing the obvious.
Because the risks we ignore are the ones that break us.
—
👉 Want to strengthen both your resilience and your compliance? Get in touch and we’ll show you how Cleerit can support you.
#ESRS, #SustainabilityReporting, #NIS2, #Governance
Acknowledgement:
This article is based on a Risk and Policy Analysis assignment carried out by Chloé Lefèbvre in February 2024 during her Master’s studies in International Studies and Diplomacy at SOAS University of London. Thank you, Chloé, for introducing us to the world of Pink Flamingos vs. Black Swans!

