Leadership often assumes a lot of “known knowns” when managing a business. Obstacles, challenges, and surprises are just part of being at the helm of an organization, but there are more unknowns out there than most would care to admit.
A balance of caution and confidence is important for navigating these challenges. You don’t want to run a business scared, but you need that balance to avoid both the grinding halts of being overly cautious and the blind spots that overconfidence creates.
This combination of rising complexity and high self-reported confidence suggests a known knowns vs. unknown unknowns scenario:
- Known knowns are things the organization already knows, such as existing or longstanding compliance problems, documented requirements, or tested controls.
- Known unknowns are acknowledged gaps in knowledge, such as the effective date of a new law or policy or the absence of a standard leave policy.
- Unknown knowns are the hidden (tacit) things workers may know through experience that the larger organization doesn’t know or doesn’t standardize, such as frontline hacks or insider tricks of the trade.
- Unknown unknowns are unforeseen challenges, events, or technologies that make a big impact, such as novel AI behavior or unexpected regulatory changes.
Questions like “What are the rules here?” and “What’s actually being enforced?” can be overwhelming, and the degree to which uncertainty drives decisions should not be dismissed. “HR scares people. You don’t want to give advice on something that could be wrong,” remarked Marlo Sanders of Mayroad, a firm that works with military housing and a tenured Mitratech user.
But when leaders believe their controls, policies, and systems are sufficient, they often focus only on familiar requirements. They may miss emerging threats, such as rapid regulatory changes and new technological vulnerabilities. As 3Sixty Insights discussed in our 2024 benchmark report, this can be one of the many reasons a disconnect emerges between HR and the C-suite and, ultimately, between how prepared an organization actually is and how prepared it feels it is.
Common risks include:
- Blind Spots to Emerging Risks: Organizations may focus solely on familiar compliance concerns (“known knowns”) and neglect emerging risks (“unknown unknowns”), including changes in law, new technologies, and unforeseen events.
- Underestimating Complexity: Regulations and technologies can evolve rapidly, creating readiness gaps and response delays.
- Delayed Response to Regulatory Changes: Organizations may neglect to follow changes closely or lack a compliance partner that can flag them.
- Insufficient Oversight of AI and Automation: Insufficient governance, poor documentation, and inadequate monitoring increase the risk of bias, discrimination, and data privacy violations.
- Operational Vulnerabilities: Organizations may neglect fragmented systems, policy sprawl, and integration challenges, leading to compliance failures and operational inefficiencies.
- Loss of Trust and Talent: Poor handling of compliance touchpoints, such as leave management or payroll accuracy, can erode employee trust, leading to retention problems and reputational damage.
- Missed Opportunities for Improvement: Overconfidence can prevent organizations from seeking expert advice or adopting best practices, leaving them vulnerable to surprises and setbacks.
In compliance management, the danger isn’t just getting a rule wrong; it’s assuming the rules you already know are the only ones that matter. The best organizations build confidence the hard way by stress-testing controls, listening to frontline employees, tracking regulatory signals early, and establishing clear governance for AI and automation. This approach turns uncertainty from a source of surprise into a source of success.


