Walk into any risk meeting and you will hear it within ten minutes: 'Based on historical data, we expect...' It sounds sensible. It sounds scientific. But it is also the single assumption that has sent more risk assessments off the rails than any spreadsheet error or missing control.
Here is the problem: history is a rearview mirror. It tells you what happened, not what could happen. And in a world where supply chains snap, ransomware evolves weekly, and interest rates swing faster than models can update, assuming the past repeats is not cautious—it is reckless. This article names that assumption, shows you where it hides, and gives you a concrete replacement that costs nothing but thought.
Where This Assumption Shows Up in Real Work
A field lead says teams that document the failure mode before retesting cut repeat errors roughly in half.
The annual risk register trap
Every January, someone opens a spreadsheet. Columns for likelihood, impact, RAG status. Rows named after last year's near-misses. I watch teams spend two days coloring cells green, amber, red—then call it risk management. The hard part is done, right? Wrong order. That register becomes a fossil by March. Markets shift. A supplier goes under. The amber row you flagged as 'medium' now threatens quarterly revenue. But nobody updates it because the meeting is in Q4. The catch is: most organizations treat risk as a filing exercise, not a live discipline. They build a static map of a moving river. And when the current changes—surprise.
Cybersecurity threat modeling and the 'last attack' bias
Penetration test results arrive. 'Critical: SQL injection on login endpoint.' The team patches it, adds it to the threat model, moves on. Next quarter, a different vector emerges—API abuse from a compromised third-party token. It wasn't in last year's test. So it wasn't in the risk register. That hurts. The assumption lurking here: the next incident will look like the last one. But attackers don't read your post-mortems. They probe what you forgot. I have seen security teams prioritize mitigations based on the breach that made headlines, not the one creeping through their own configuration drift. It's a mirror—you see the threat you already survived, not the one coming for you next.
'We derisked based on historical loss data. Then the market inverted, and our model predicted peace.'
— Risk officer, after a commodity hedge blew up, 2023
Financial model baselines in volatile markets
Finance teams love the five-year moving average. Smooth. Defensible. Everyone nods at the board meeting. What usually breaks first is the assumption that last year's volatility bracket contains next year's. It doesn't. A currency peg collapses. A supply chain snaps. The baseline becomes a liability—you're steering with a rearview mirror. The trade-off: historical data feels objective, but it hides regime changes. Most teams skip this: questioning whether the past is even the same system anymore. One concrete anecdote: a fund I advised used a 10-year VAR model. It missed every black swan because the model assumed the next shock would match the last one's shape. That's not prudence. That's pattern-matching dressed as math. The fix? Replace the assumption 'history repeats' with 'history hints—then lies.' Then build scenarios that break your own model. Not yet convinced? Try running a stress test on your own risk register: delete the top three rows from last year. Recalculate. See how much of your safety net was really just memory.
The Two Foundations Most People Get Wrong
Probability vs. possibility—why the difference matters
Most risk assessments I see start with a number. A team sits down, stares at a spreadsheet, and assigns an 8% chance that a compliance breach will happen this quarter. They debate 8% versus 11% for twenty minutes. Meanwhile the real threat—the one nobody modeled—walks right past. That is the confusion between probability and possibility. Probability works fine when you have a thousand data points and a stable system. Aircraft engine failures? Sure. Software supply-chain attacks on your three-person startup? Not even close. The catch is that possibility ignores your pretty distribution curves entirely. If a vulnerability can be exploited and the controls are weak, the risk exists regardless of your confidence interval. Wrong order: we chase precision where we should chase exposure.
I watched a team spend two weeks building a monte carlo simulation for insider threat likelihood. They had zero insider incidents in their history. Zero. That simulation was numerology. Meanwhile a contractor with admin privileges copied client data to a personal drive—a scenario they had flagged as 'possible but unlikely' and never mitigated. The illusion of precision isn't just wasted effort. It creates false comfort. You believe you have measured the danger and found it acceptable. But you measured the wrong thing.
Static controls vs. adaptive controls
Second foundation error: treating controls like concrete barriers. A firewall rule set in January is assumed to hold in June. An access review performed quarterly is considered 'effective' for the other 89 days. That assumption breaks because threats adapt faster than your review cycle—and your environment drifts faster than you audit. Static controls are checkboxes. They make the audit pass. Adaptive controls actually stop bad things. The difference shows up during incidents: static controls let you say 'we had a policy,' adaptive controls let you say 'we caught it before impact.'
What usually breaks first is the gap between review dates. You approve a temporary exception for a developer to access production logs. The ticket closes. The access stays open for fourteen months. That isn't malice—it's drift. Your risk assessment scored the control as 'strong' because the policy existed. But the policy had a hole the size of a forgotten Jira ticket. Most teams skip this: they score the control design, not the control operation. The risk score remains unchanged while the actual protection erodes. That hurts.
Static controls also fail when the threat shifts. A DDoS mitigation plan designed for 10 Gbps attacks looks solid—until botnets start pushing 500 Gbps. The control didn't weaken. The environment changed. Your risk score didn't update, because nobody re-evaluated the control's adaptive capacity. I have seen this pattern repeat across fintech, manufacturing, and healthcare. Teams build a fortress wall and then forget that walls need moats, patrols, and the ability to raise the drawbridge fast.
The illusion of precision in risk scoring
Here is a direct quote from a threat model I reviewed last year: 'Impact: Critical (9.2). Likelihood: Medium (4.7). Score: 43.24.' That number—43.24—is a lie wrapped in a decimal point. The team argued for twenty minutes over whether likelihood was 4.7 or 5.1. Neither number had empirical grounding. They were guesses dressed as data. The precision implied rigor where none existed. The real question wasn't 'is it 4.7 or 5.1?' The real question was 'do we have any control that actually reduces the scenario's chance of happening?' They didn't. They had a score.
The trade-off is painful to acknowledge: coarse ordinal scales (High, Medium, Low) often outperform numeric scoring because they force honest uncertainty. A team that admits 'we cannot estimate the probability' is closer to useful action than a team that fabricates a 43.24. The pitfall is that executives want numbers. Boards want heatmaps. So teams oblige—and the precision becomes a shield. 'We scored it properly, so we are managing the risk.' No. You colored a cell on a spreadsheet. The risk is still there, unfelt and unmitigated.
Worth flagging—this does not mean all quantification is bad. When you have event frequency data, actuarial tables, or controlled experiments, use them. But for most strategic risks, especially novel ones? Accept the imprecision. Spend the saved time on scenario testing and control improvements. We fixed this on one project by replacing a 5x5 probability-severity matrix with three questions: 'Can it happen?', 'What stops it?', 'How fast can we detect failure?' The scores vanished. The risk posture improved.
'We spent six weeks perfecting a risk register with color-coded borders. The CFO asked what changed last month. We had nothing to show except prettier spreadsheets.'
— CISO, mid-market logistics firm, after their first post-assessment incident review
Patterns That Usually Work (When You Ditch History)
A shop-floor trainer explained that the pitfall is treating symptoms while the root cause stays in the checklist.
Scenario matrices that force you to imagine the unexpected
Most teams build risk matrices from what has happened—past incidents, known attack patterns, yesterday's news. The result is a rear-view mirror dressed up as a windshield. I have watched teams spend weeks calibrating the likelihood of a phishing campaign that already hit them, while ignoring the supply-chain pivot that would hollow out their data layer. A better pattern: matrix axes that force impossible combos. Not 'high impact + high probability' but 'low probability + catastrophic reach' paired with 'high uncertainty + irreversible damage.' The catch is that these cells stay empty until you push a contrarian into the room—someone who has never seen your last breach. We fixed this once by handing a junior engineer veto power over the matrix labels. She swapped 'likelihood' for 'surprise potential.' The resulting rows looked broken. They were more honest.
What usually breaks first is the belief that scenario boundaries must be plausible. Wrong order. Plausibility is a hindsight bias in disguise. Instead, define three states: 'already observed,' 'theoretically possible but absent from our logs,' and 'someone in a different industry laughed at this until it killed them.' Map controls only against the middle state. Ignore the third—it is a distraction until the second state converges with it. That sounds fine until a team realizes their entire compliance framework only covers state one.
‘You are not preparing for the future; you are perfecting a museum of past failures.’
— paraphrased from a CISO who shredded his own heat map during a tabletop exercise
Red team exercises that test assumptions, not just controls
Standard red teaming validates whether a firewall blocks port 445. Useful, but it reeks of the historical assumption—because the red team knows the blue team's last incident report. A deeper pattern: run exercises where the attacker's goal is to prove a risk assumption wrong, not to breach a specific asset. Two concrete shifts. First, give the red team a budget of 'three improbable but non-zero paths' and forbid them from using any technique documented in the organization's own risk register. Second, force the blue team to articulate, in writing, why a particular scenario cannot happen before the exercise begins. The red team then spends half their time finding the flaw in that written rationale. I have seen this surface a catastrophic DNS trust gap that five years of compliance audits had missed—because nobody had bothered to test the assumption that 'our upstream provider has the same threat model as us.' The trade-off: these exercises are emotionally brutal. Teams revert to comfortable breach simulations afterward. Worth flagging—if the facilitator cannot handle a room where the CISO's pet assumption gets dismantled, skip this pattern. It will fail anyway.
Rolling risk thresholds that adjust with new signals
Static thresholds are the quiet killer. A risk appetite statement written in January looks heroic until July, when a new vulnerability class shifts the entire threat landscape. The pattern that works: thresholds that move on a quarterly cycle, tied to signal velocity rather than calendar dates. For example, define three signal types—'new exploit in the wild for our stack,' 'regulatory shift in a jurisdiction where we hold data,' 'internal detection gap identified by a failed test'—and let any two signals in a thirty-day window automatically lower the acceptable risk ceiling by one tier. No committee vote. No retrospective. The hidden cost is that someone must watch the signal feed daily, and most teams do not staff for that. They staff for the annual review. That is the drift point. But when we piloted this with a mid-market fintech, the threshold moved four times in the first quarter. Each move was uncomfortable. Each move prevented a decision that would have felt fine under the old static model. The pattern feels fragile. That is the point—fragility in the threshold keeps the team alert instead of asleep.
Anti-Patterns and Why Teams Revert
The comfort of spreadsheets that never change
I walked into a quarterly review once and found the same Excel workbook from 2019 still open on the projector. Same columns. Same color coding. Same three-year-old volatility factors pasted into cells that had no business holding them. The team knew the model was stale—they had laughed about it at lunch. Yet nobody touched it. Why? Because that spreadsheet had passed two audits, survived one re-org, and never once thrown a red cell that forced a hard conversation. The trade-off is brutal: you trade accuracy for peace of mind. Spreadsheets that never change become sacred texts. They feel stable. They let you produce a number at 4:45 PM on a Friday. But that number? It's a fossil wearing a hard hat. The real cost isn't the outdated assumption itself—it's the hours spent tweaking formulas to make the output match what your gut already knew. Most teams skip the hard reset because the spreadsheet works. That's the lie.
Regulatory pressure to produce 'auditable' numbers
Regulators want to see a trail. They want a paper chain that leads from input to output without a gap. So teams bolt on documentation that justifies historical assumptions retroactively. Worth flagging—this is not the same as doing rigorous work. It's theater. I have seen risk managers write three-paragraph justifications for a 12% volatility floor that came from a napkin sketch in 2017. The auditor smiled. The assumption stayed. The catch is that regulatory bodies rarely penalize you for using old data—they penalize you for not being able to explain it. So teams revert to the familiar: last year's inputs, last quarter's correlation matrix, whatever survived the last examination. The pressure to produce auditable numbers quietly kills any incentive to question whether those numbers are still true. That hurts.
'We passed audit with this model three times. Why would we change it now?'
— Risk officer, after a $2M misallocation traced to an expired assumption
The false safety of 'we have always done it this way' is the last anchor. It's the phrase you hear in the hallway after a workshop on forward-looking methods. Teams nod along to the new approach, then default to the legacy method because it's what the board expects, what the regulator has seen, what the junior analyst can run in thirty minutes. The revert is rarely dramatic. No shouting. Just a quiet drift back to the old spreadsheet, the old correlation table, the old probability curve that nobody remembers setting. And the assumption that broke last quarter? It breaks again. The team blames the market. But the market was fine—the assumption was the rot.
Maintenance, Drift, and the Hidden Cost of the Old Way
An experienced operator says the trade-off is speed now versus rework later — most shops lose on rework.
How often to refresh scenario sets
You run the new process for three months. It feels good—your team debates drivers instead of defending last year's numbers. Then you stop looking at it. Meetings get cancelled. The scenario list gathers digital dust. I have watched this cycle kill more risk functions than any bad assumption ever did. The fix is brutal but simple: schedule a refresh before you think you need one. Calendar it at the end of every quarterly review, not when someone complains that the assumptions feel stale. Most teams skip this step because they treat risk assessment as a project, not a metabolic process. That hurts. If you wait until the environment forces a revision, you are already reacting to something that should have been caught two cycles ago.
‘A stale risk library is worse than no library—it gives the illusion of coverage while the real threats walk past.’
— operations director at a logistics firm that lost a quarter's margin to a scenario they had written off as improbable
Signal decay: when yesterday's outlier is today's baseline
Remember the event that everyone called a black swan last year? It is now a routine footnote in quarterly earnings calls. That is signal decay—the quiet process where extreme data points become normal without anyone formally updating the probability curves. I see this most often in supply-chain risk work: a port closure that once triggered crisis-mode now barely registers as a footnote, yet the scenario assumptions still carry the old 'low probability, high impact' tag. The cost is invisible until the seam blows out. A team that does not recalibrate baseline conditions every ninety days will systematically underweight emerging patterns. Not because they are lazy—because the cognitive load of constant questioning exhausts people. They default to 'it worked last time' and drift backward into the old assumption by accident.
What usually breaks first is the risk register itself. Teams add new scenarios on top of old ones without pruning. The list balloons. Nobody trusts it. Then a director asks why there are forty-two active risks for a department with three people. The entire framework gets abandoned, and the organisation reverts to gut-feel decisions dressed up in spreadsheet colours. That drift is the hidden tax—you pay it in credibility, not cash.
The cognitive load of constant questioning
Here is the trade-off nobody talks about: sustaining a dynamic assumption set demands attention that most teams have already spent on other things. Asking 'what changed since yesterday' every morning sounds noble until you realise the same people are also running payroll, handling customer complaints, and fighting a fire in procurement. The pitfall is exhaustion—not from the work itself, but from the absence of rhythm. Without a cadence, questioning feels like a chore, not a discipline. We fixed this in one team by limiting the daily check to a single sentence: 'What would make our top risk look different by noon?' That slashed the mental overhead. The scenarios stayed current because the question was small enough to answer without dread. Worth flagging—this only works if you also kill the old meeting where someone read the entire risk list aloud. Redundancy is drift's best friend.
When Not to Use This Approach
Regulated industries that mandate historical loss data
Basel II/III banking, Solvency II insurance, and certain FDA-adjacent risk filings require you to anchor estimates in observed loss data. No substitute accepted. I have watched a brilliant cyber-risk team try to pitch scenario-based forward models to a European regulator—only to be told: 'Show me the last five years of incident frequency or resubmit.' The assumption that history is the best predictor isn't optional there; it is legally baked. You lose the argument before you start.
The catch: these mandates were written for stable, repeatable risk categories—credit defaults, mortality tables, operational errors in mature processes. When the risk profile itself shifts (new financial instruments, novel supply chains, AI-driven underwriting), the mandated historical anchor becomes an active liability. Teams end up overfitting to a past that no longer resembles the present. Worth flagging—this is not an excuse to ignore regulation. It is a warning to build parallel forward-looking models anyway, even if you never file them. That parallel view becomes your escape hatch when the regulator finally asks, 'What could we be missing?'
High-frequency, low-impact risks where history is stable
Think minor IT outages, routine inventory shrinkage, frequent low-severity workplace injuries. Here the historical distribution holds. Sample sizes are large. Means and variances drift slowly, if at all. You do not need fancy scenario modeling to predict next month's server crash count—you need a decent moving average and a control chart. The assumption works because the underlying system repeats.
What usually breaks first is not the assumption but the boundary. Teams quietly extend this logic to rare, high-severity events in the same domain—treating a catastrophic factory fire as if it follows the same statistical rhythm as a slip-and-fall. Wrong order. That extrapolation is where the old way silently poisons the risk register. Keep the historical anchor for the daily noise; switch to forward-looking, scenario-based methods whenever severity jumps above a defined threshold. One concrete rule: if the event has occurred fewer than ten times in your dataset, history is not your friend.
Situations where stakeholder trust requires backward-looking evidence
'I don't care about your Bayesian priors. Show me the last time this happened and what it cost.'
— CFO, during a capital allocation review, after rejecting a purely forward-looking risk model
That hurts. And it is not irrational. When the audience lacks statistical fluency—or when the decision carries personal accountability (bonuses, regulatory penalties, board scrutiny)—historical precedent is the only language that lands. You can have the best forward-looking framework in the world; if the board cannot defend it to shareholders, it will not be used. The pragmatic move: present the forward-looking result as a delta from the historical baseline. 'Last year's loss was $2M. Our scenario-based view suggests $3.2M under current conditions.' The anchor stays visible. The stakeholder gets their backward-looking proof. You get your improved estimate. Not a perfect solution—but perfect gets filed away. Working gets adopted.
Open Questions and FAQ
According to industry interview notes, the gap is rarely tools — it is inconsistent handoffs between steps.
How do I get buy-in from senior leaders who love the old numbers?
You walk in with a spreadsheet showing last year's incidents, and the director nods. You suggest replacing that with scenario sketches and uncertainty ranges, and suddenly you're speaking a foreign language. I have seen this play out more times than I can count. The fix is not to abandon the numbers—it's to reframe what they represent. Show leadership that historical data, when used alone, already contains a hidden assumption: that the future will repeat the past with exactly the same probability. That is a bet, not a fact. Instead, present the old data as one possible baseline, then overlay three scenarios where conditions change—supplier failure, regulatory shift, demand spike. Let them see the gap between 'the number we had last year' and 'the number we could face.' The catch is that senior leaders often want certainty, not range. Be direct: certainty is a lie, and a range they understand beats a single number that breaks without warning.
One team I worked with used this exact approach. They took their legacy risk register, kept the columns for likelihood and impact, but added a third column: What would have to be true for this to be wrong? That one question opened the door. The director didn't feel attacked—he felt informed. Buy-in came after he saw that the old numbers failed to flag a supply chain disruption that hit them twice in five years.
What if scenario thinking makes the assessment feel too subjective?
It should feel subjective—because it is. The mistake is treating subjectivity as a weakness rather than a feature. A risk assessment built entirely on historical data looks objective, but the objectivity is fake: every number depends on past recording bias, threshold choices, and the unstated assumption that nothing fundamental changed. Scenario thinking replaces fake precision with honest uncertainty. The trade-off is real, though: without a structured method, you get five different analysts producing five incompatible lists. To avoid that, anchor each scenario to specific drivers—commodity price bands, regulatory deadlines, competitor launches. Wrong order. You don't need more data; you need tighter constraints on imagination. Try this: limit scenarios to three. Name them. Force a range, not a point estimate. Suddenly the 'subjective' tag fades because the logic is traceable.
Most teams skip this part: they build scenarios but never pressure-test them against what actually happened in a similar past event. That is a missed opportunity. Use one historical failure as a calibration point—not as a prediction, but as a sanity check. If your optimistic scenario still shows higher risk than what happened in a calm quarter last year, something is off.
Can I mix historical and future-looking approaches?
Yes—but with a hard rule: history informs, it does not dominate. The common anti-pattern is running your historical regression and then tacking on one scenario as an afterthought. That is not mixing; it is window dressing. A better mix works like this: use historical data to set a floor—the minimum risk level you would have seen if nothing changed. Then build two or three scenarios that deviate from that floor based on specific, plausible changes. The historical number becomes the anchor, not the answer. One pitfall I see is teams double-counting: they use historical loss data for likelihood, then build a scenario that assumes the same loss frequency but different severity. That is redundant. Either the scenario changes the assumptions, or it does nothing.
“The old data is a rearview mirror. The scenarios are the windshield. You need both to drive, but you don't steer by what you've already passed.”
— risk manager at a mid-size logistics firm, after collapsing a two-year assessment cycle from weeks to four days
The concrete next action: take your current highest-rated risk. Pull the historical data for it. Write that number on the left. On the right, write three numbers: what it would be if a known supplier failed, if a new regulation passed, if demand dropped 20%. No weighing, no averaging. Present all four. Watch what happens when someone asks why they are different. That is the conversation you want.
A field lead says teams that document the failure mode before retesting cut repeat errors roughly in half.
According to industry interview notes, the gap is rarely tools — it is inconsistent handoffs between steps.
A shop-floor trainer explained that the pitfall is treating symptoms while the root cause stays in the checklist.
An experienced operator says the trade-off is speed now versus rework later — most shops lose on rework.
Comments (0)
Please sign in to post a comment.
Don't have an account? Create one
No comments yet. Be the first to comment!