Maman Ibrahim is a cyber and digital risk executive, helping boards, CRO, CIO, and CISO turn risk work into decisions, delivery, and proof.gettyA large number can change the weather in a boardroom.The chair looks up. The CFO stops scrolling. Someone who looked calm now studies the paper as if it might bite.The number is £312 million (about $422 million).It comes from a representative oncology pipeline risk scenario informed by pharma industry experience and NPV modeling. In the scenario, a breach involving a third-party clinical platform leads to a modeled £312 million exposure estimate tied to a flagship drug asset. Nobody wants to wave it away.​The number is not fake or reckless. It's in the wrong place.That is how phantom numbers are born: from bad placement. A scenario gets dropped into a risk register, loses its conditions, sheds its probability and enters the boardroom pretending to be a measurement.​​When The Number Is Real But The Label Isn't​In the representative scenario, a clinical platform provider is breached. Attackers access trial data, safety signals and scientific material linked to a flagship oncology asset.The £312 million figure answers a conditional question: What might the company lose if regulators rule the trial data compromised, if a Phase III re-run is required, if launch timing slips and if competitors gain ground?But it’s not the same question as: What has this event cost us, or what can we confidently estimate now?That second question belongs to base-case risk measurement. It covers forensics, regulatory handling, vendor remediation, legal protection and submission support. Those costs live in the present. They may be uncertain, but they do not depend on future events.The £312 million figure represents a modeled future-loss scenario, not a confirmed present-day loss. It should carry its conditions like a passport.Five Teams, Five Truths, One Board PaperThe mess always starts with competence trapped inside silos.Each team does its job. Cyber reports the method. Regulatory reports the consequence. Vendor risk reports the governance locus. Legal reports the exposure. Commercial finance reports enterprise value impact.​The board's job is different. It must turn those views into a coherent decision. That requires structure, because different categories do different work. The method tells you how the event happened. Consequence tells you what harm may follow. Governance locus tells you where control failure began. Legal exposure tells you where liability arises. Commercial modeling tells you what future value could be at risk under defined assumptions.When these categories sit side by side without ordering, the paper becomes loud but not useful. It contains information. It doesn’t contain judgment. A senior executive needs one primary classification and a set of supporting attributes instead of five competing labels. Two Structural Failure Modes That Cover The Mess​The first is classification failure. The organization cannot agree on what the event primarily is.The test is simple. Where did the governance failure begin? With the third-party clinical platform provider. So the primary classification belongs under vendor governance. That doesn’t diminish the cyber, regulatory, legal or commercial dimensions. It gives the event a clean home. The other lenses become attributes that inform the analysis without competing to become the headline.The board sees one primary event: third-party clinical platform breach. Then it sees the attributes: cyber intrusion, trial data integrity concern, IP exposure, possible launch delay and pipeline value sensitivity. Nobody loses their work.The second is scenario contamination. Current costs and conditional future losses blend into one figure. The board sees a swollen number without knowing which part is measured, which is estimated and which depends on triggers that haven't occurred.Measured loss is what has already happened. The estimated loss is what is likely based on known remediation. Conditional scenario loss is what could happen if specific future events unfold. These three numbers shouldn't be merged. They should sit together, clearly separated.That’s the £312 million phantom.Classification failure asks: What is this event?Scenario contamination asks: What type of number is this?If you can answer both, the board paper becomes governable. If you can't, the largest number wins by volume.Why Pharma Falls Into This TrapPharma is built for this problem.A pharma firm can lose future value years before a product earns its first dollar. That value sits inside clinical milestones, regulatory trust, payer confidence, market access, IP protection and launch timing. One data incident can touch them all.The board sees two clocks. One measures current damage. The other measures possible future harm toa molecule that may define the next decade. Both clocks matter, but they do not tell the same time.Pipeline NPV models are useful, but a model is a structured "if." Boards get into trouble when "if" disappears. Then a scenario sounds like a fact, a probability sounds like a loss, and a future pathway sounds like today's exposure.Why You Should Give Every Number A Proper HomeIt would be cowardice to hide the £312 million number. Give it a proper home.Every board paper addressing pipeline-affecting events should be divided into two sections.First, the base-case exposure. This is the current or near-certain cost range. It includes forensics, remediation, regulatory engagement, legal measures, vendor action and submission support.Second, the stress scenario. This is the conditional future loss. It should name the triggers, probability range, value range, owner, review date and update triggers.Now the board can ask useful questions: What do we need to spend now? What could reduce the probability of the worst case? Who owns the next update? What would trigger disclosure? Which decision is due today?​A £2 million regulatory engagement and data assurance program may look expensive against immediate incident costs alone. But if it reduces the likelihood of a Phase III re-run, protects submission credibility or preserves launch timing, it may be a rational investment.You cannot see that decision when the base case and scenario are mashed into one frightening total. The board needs cleaner numbers.The £312 million figure was a useful scenario trapped in the wrong room.Give it a name. Give it conditions. Give it an owner. Give it a review date.Then let the board govern the future without being haunted by it.​Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify?