"The organization is expert at transferring risk to contractors, and then assuming the risk has been managed. The risk, however, often comes back transformed."
Ooops! That wasn't supposed to happen!
So, now what? Transfer out the 'transformed risk'? And, who would have put that on the risk register? Not only does it come back, but it comes back as a surprise! Good grief..
Though not rhetorical questions -- there are solutions -- nonetheless it's all context and situationally sensitive. There's probably no way to predict the transform. If there were, we might skip Step 1 and go directly to the transformed risk.
However, we can think in terms of not being fragile in the Taleb sort of way: being anti-fragile requires redundancy, buffers, elements of cohesion, and possibly diversification so that unpredicted risks don't bring down the project.
Check out these books I've written in the library at Square Peg Consulting