
Risk Management & Strategy

Boards fix known knowns like SOX compliance while ignoring strategic unknowns; using the Rumsfeld matrix and WWHTBT framing moves risks toward actionable knowns and protects strategy.

Boards spend millions on SOX 404 compliance and endless risk factor lists, mistaking micro-tasks for real risk mitigation. The article shows that this approach only addresses "known knowns" - the tiny slice of risk that is already understood and easy to control.

The core insight is to apply the Rumsfeld matrix - known knowns, known unknowns, unknown knowns, unknown unknowns - to strategic risk. By surfacing the "what would have to be true" (WWHTBT) assumptions that underpin a company's strategy, leaders can move risks from the vague unknown quadrants into concrete, actionable knowns. The piece gives concrete examples, from SOX compliance to the 2008 financial crisis and COVID-19, illustrating how ignoring WWHTBTs leads to catastrophic surprises.

Practically, the article urges leaders to trim the laundry list of known unknowns, make tacit knowledge explicit, and accept that unknown unknowns will always exist but can be bounded by strategic awareness. The result is a risk management approach that directly supports decision-making and protects the strategic bets that drive growth.

Source: rogermartin.medium.com
#risk management, #strategy, #leadership, #engineering management, #technical leadership, #decision making

Problems this helps solve:

Decision-making, Communication, Process inefficiencies
