As unpredictable outcomes become the norm in today’s world, achieving true operational resilience is no longer optional. From volatile geopolitical conflicts that can escalate in unexpected ways to AI-driven threats demanding robust cyber risk management, businesses face an increasingly complex range of emerging risks.
Amidst this uncertainty, scenario planning and proactive business continuity management serve as critical lifelines. When integrated into an enterprise risk management framework, they empower leaders to strengthen organisational stability by preparing for multiple plausible futures instead of merely reacting to crises.
To tackle these challenges, the Chief Risk Officer Networking Group (CRONG) gathered at Menara Prasarana on 5 June 2026. The session, titled “Scenario Planning in a World of Unknown Unknowns,” explored how professionals navigate these unprecedented threats.
Co-hosted with Prasarana Malaysia Berhad, the discussion was led by Noraina Mustapha, Head of Risk, Governance & Compliance. She was joined by Ramesh Pillai, Chairman of the Board of Governors for the International Institute of Enterprise Risk Practitioners (IERP)®.
Scenario Planning in a World of Unknown Unknowns
The event began with remarks from Ramesh, who set the tone by highlighting why organisations must look beyond what they can directly control.
“You have known knowns, known unknowns, unknown knowns, and unknown unknowns,” he explained, outlining the categories of risk predictability.
Using the Iran–Israel conflict as an example of an “unknown known,” Ramesh noted that while there was a strong possibility Iran would “hit back” when provoked, the extent of the retaliation remained unpredictable.
Following his address, Noraina steered the discussion toward practical scenario planning.
She explained that when evaluating the conflict, she looked at what Prasarana needed to do immediately. The priority was ensuring all response and business continuity management strategies were robust enough to keep operations running smoothly during the fallout, especially if events unfolded in unforeseeable ways.
The Head of Risk, Governance & Compliance Department added: “For us, (scenario planning) is not about predicting the future. It’s about preparing for more than one plausible future.”
Building Operational Resilience across Different Sectors
The session then opened into an interactive discussion led by Ramesh and Noraina. Attendees from various industries shared their approaches to scenario planning, illustrating how a single macro event may call for vastly different operational resilience strategies across businesses and industries.
The group examined how the global fuel crisis stemming from the conflict impacted Malaysia’s public transport sector. With high fuel prices and government policies driving up transit ridership, Noraina noted that Prasarana had to navigate severe operational constraints. On lines nearing peak capacity, this required enforcing strict timelines for response strategies and reputation control.
In the insurance sector, an attendee highlighted the cascading, second-order effects of climate change. The resulting chain reaction on an individual’s mobility and mortality represents a major emerging risk for this industry.
Beyond industry-specific vulnerabilities, an organisation’s structural complexity shapes its approach to evaluating these plausible futures. When departments focus only on their immediate risks, interconnected threats fall through the cracks. This highlights why scenario planning must function as an integrated component of enterprise risk management rather than an isolated exercise.
Cyber Risk Management against Emerging Technological Threats
Another talking point during the session was the ever-evolving technological threat landscape. With the rapid advancement of artificial intelligence and quantum computing, these threats can escalate from a standard IT issue into a potential national crisis.
Take Prasarana, for example. While Noraina noted that their control systems run on an “isolated network,” she shared that they work closely with bodies like CyberSecurity Malaysia to ensure their operations remain protected from digital intrusions.
The nature of these attacks has evolved too. The convergence of polymorphic malware that adapts in real time, fully autonomous attack chains, and deepfake-powered social engineering is a prime example of the complexities surrounding modern cyber risk management.
When explaining the severity of these sophisticated attacks, Ramesh referenced an early-2024 incident involving the UK engineering firm Arup. Fraudsters tricked a finance employee at Arup’s Hong Kong office into transferring US$25 million in a highly sophisticated deepfake attack.
The scam began with a spear-phishing email from someone posing as Arup’s Chief Financial Officer requesting a highly confidential “secret transaction.” While the employee was initially sceptical, they were subsequently invited to a video conference call populated by deepfake video and audio replicas of the CFO and other familiar colleagues.
In the end, the fraudster succeeded in winning the employee’s trust to bypass traditional verification procedures and authorise 15 fraudulent wire transfers in a single day.
This incident underscores why operational resilience requires systemic safeguards. When human intuition and standard security protocols are defeated by AI, fail-safe mechanisms, such as zero-trust frameworks and mandatory multi-person authorisations, can prevent a single point of failure from crippling the business.
Following these points, attendees shared that another challenge is advising and equipping Boards of Directors who may lack the necessary technical expertise to grasp the severity of these modern risks. Bridging this gap requires positioning cyber risk management not as a standalone IT issue, but as a critical component of enterprise risk management. On this point, Ramesh shared that this was one of the objectives of the IERP’s global pioneering Qualified Risk Directors (QRD™) program.
Turning Scenarios into Actionable Strategies for Operational Resilience
Towards the end, the discussion shifted towards best practices for turning theoretical scenarios into actionable defence mechanisms.
Among the insights offered, one attendee emphasised that institutional knowledge was crucial for effective scenario planning.
At their organisation, playbooks tied directly into business continuity management, crisis management, and stress testing guidelines to guide responses regardless of the nature of the crisis. These playbooks were continually updated to preserve that institutional memory.
The CRONG session at Menara Prasarana concluded with a visit to the Prasarana Mobility Hub, an interactive space where visitors can explore the company’s history, the evolution of Malaysia’s public transportation system, and its vision for a greener future.
As the event drew to a close, the key takeaway for risk leaders was clear. The discussions proved that scenario planning is no longer a theoretical exercise but an essential component of effective enterprise risk management and operational resilience.
Key Lessons for Risk Leaders
Navigating today’s unknowns requires scenario planning to operate as a foundational pillar of an enterprise risk management framework. True operational resilience means preparing for multiple plausible futures, not just reacting to crises.
- Look Beyond Knowns
Prepare flexible strategies that account for second-order effects and “unknown unknowns” that manifest as emerging risks.
- Break Down Silos
Manage interconnected risks collaboratively across departments to prevent blind spots that threaten operational resilience.
- Secure the Human Element
Implement fail-safe mechanisms to strengthen cyber risk management against AI-driven threats.
- Preserve Knowledge
Continually update playbooks and tie them to business continuity management for consistent crisis response.






















