Resilience as readiness not reassurance

The briefing, held in partnership with the Institute of Strategic Risk Management at the National Liberal Club, convened senior leaders including Chief Risk Officers, Chief Resilience Officers and security specialists to examine what organisational resilience looks like in practice.

Moving beyond theory, the discussion focused on how institutions perform under sustained pressure, exploring decision-making, coordination and adaptability during real-world disruptions. The session provided a forum for candid exchange on the challenges of maintaining continuity, safeguarding critical functions and strengthening preparedness in an increasingly complex risk environment.

Resilience is not a fixed state

The starting point for most of the discussion was a simple but important distinction. Resilience is not about having the right plans in place. It is about what happens when those plans break down, which they will. How ready are people at that moment? How quickly can they make decisions? How confidently can they act?

Optimism bias remains one of the most damaging and persistent mindsets. The assumption that past stability guarantees future safety is one organisations carry too easily.

Culture and fear of failure

Fear of failure was discussed. Most organisations say they have a learning culture, but participants acknowledged that the reality is often quite different. People fear blame and that fear shapes behaviour long before anything goes wrong. It stops concerns being raised, assumptions being tested and decisions being challenged.

What came through clearly was that the response is not to remove accountability but to reframe it. Accountability as a mechanism for learning and improvement looks very different from accountability as punishment. Exercises and training were raised as the most practical route to shifting this, giving people the experience of dealing with failure in a setting where it is less personal and less threatening. That cultural dynamic carries directly into how decisions are made under pressure.

Decision-making under pressure

A lot of time was spent on decision-making. Under pressure, participants described how it tends to become either too hierarchical or too fragmented and neither serves organisations well when risk moves quickly.

Modern risks do not sit neatly within functions. Cyber incidents, supply chain disruption, regulatory pressure and reputational damage all cross boundaries. Decision-making needs to reflect that, with clear ownership alongside the ability to draw input from across the organisation. The clarity around who decides what, at which point and with what information, has to exist before a crisis. Working it out during one is too late.

Governance and accountability

Boards were discussed throughout. The observation made by several participants was that the risks boards are now responsible for understanding are harder to see and harder to quantify than they used to be. Cyber, systemic supply chain exposure and AI adoption do not always fit neatly into existing governance frameworks, and in some organisations there is a visible gap between recognising a risk and actually understanding it well enough to govern it.

On accountability more broadly, the language several participants used was anchoring: clear anchor priorities and objectives, the agreed reference points that allow people to make sound decisions quickly when information is partial or unclear. Without those, decision-making under pressure becomes improvised.

Testing and exercising

There was no disagreement here. Testing is one of the highest-value things an organisation can do for its own resilience and most organisations do not do enough of it or do not do it seriously enough.

The emphasis was on discomfort. An exercise that feels comfortable is not testing resilience; it is rehearsing assumptions. Good exercises challenge assumptions and force decisions with incomplete information, which is exactly the condition people will face in a real incident.

Recovery and third parties

Recovery was raised, particularly how underinvested most organisations are in planning for it. Prevention receives the attention and the budget. Recovery, which requires different leadership, different decision-making and different external relationships, receives far less.

Third parties were raised as a specific and growing vulnerability. Organisations are deeply dependent on suppliers, partners and platforms, but the role those third parties play in a recovery situation is often undefined until an incident forces the question. Poor visibility of risks and threats was identified as a direct cause of hesitation when response needs to be swift and decisive.

Communicating risk

Communicating risk remained a recurring frustration. Abstract and theoretical risks rarely generate serious engagement, particularly at board level. Impact does. Participants noted that framing risk in terms of what it would actually mean for the organisation, rather than what could theoretically happen, is what tends to move the conversation. Probability matters too but clarity of impact drives action. Risks presented as merely possible are harder to prioritise than those presented with a clearer sense of likelihood, even an imperfect one.

There was also recognition that risk conversations tend to focus almost entirely on downside, without articulating what investment in resilience actually delivers. Over time that weakens the internal case for taking it seriously.

Technology and AI

Nobody in the room was arguing against technology, but the consensus was that AI is a tool to support human thinking, not a substitute for human judgement. The risk participants identified is not AI itself but the gradual or implicit delegation of decision-making to systems, with accountability becoming blurred as a result. Trust kept coming up, built through transparency about how tools are used, why decisions are made and where responsibility sits.

Supply chains

Those in the room identified supply chain resilience as one of the most significant and widespread vulnerabilities. Supply chains were designed for efficiency in stable conditions, not for absorbing disruption across multiple tiers. Visibility deteriorates quickly beyond tier one suppliers and, when something goes wrong, confusion about where responsibility sits slows response and compounds the damage.

People and collaboration

The morning kept returning to this regardless of which topic was being discussed. Frameworks, systems and tools depend entirely on whether people trust them and trust each other. In a crisis, that trust is either there or it is not, and it cannot be manufactured quickly.

Collaboration across organisations, not just within them, was seen as increasingly important. No single organisation has full visibility or full capability in a serious incident. The ones that have built relationships and established shared understanding before something happens are in a meaningfully better position than those trying to establish them during it.
