Resilience in an Age of the “Unthinkable”: Rethinking Risk, Roles and Responsibility
- Stephanie Buller

- Feb 14
Insight from the ISRM Joint breakfast briefing, hosted by the Liberal Club’s Defence and Security Circle, on what resilience really means in an increasingly complex and interconnected world.
This breakfast briefing brought together risk, resilience and security leaders to discuss a challenge that feels increasingly familiar: we are no longer managing isolated crises, but operating inside a continuous, interconnected disruption.
From this event, one idea surfaced repeatedly: we are no longer planning for rare shocks to otherwise stable systems. We are operating inside continuous disruptions.
The language alone tells the story.
Twenty years ago, emergency management was built around incidents and recovery. Today we are discussing unthinkable events in inconceivable contexts, cascading system failure, and even non-recoverable outcomes. Risks are no longer discrete or bounded. They are systemic, interconnected and compounding.
Cyber incidents halt logistics. Supply chain fragility amplifies geopolitical shocks. AI accelerates both defence and attack. Human behaviour — trust, fear, decision-making under pressure — can determine whether disruption spreads or stabilises.
In this environment, “bounce back” is not always realistic. Sometimes there is nothing stable to return to.
What we are seeing is not incremental change but a paradigm shift: from managing incidents to navigating complexity.
The changing nature of the profession: Risk is not resilience
One implication is that our professional roles are evolving faster than our structures.
A recurring theme during the discussions was the distinction between risk and resilience functions. These are often treated as interchangeable, but they are not the same.
Risk management traditionally focuses on identification, control and assurance — understanding exposures and reducing the likelihood or impact of loss. Resilience, by contrast, is concerned with adaptation, continuity and learning under conditions that cannot be fully predicted or prevented.
Both are essential. But they require different mindsets, capabilities and leadership approaches. Conflating the two creates blind spots. An organisation can be highly compliant yet brittle. Equally, it can be adaptive but poorly governed. Treating resilience as simply “more risk management” misses the point.
As complexity grows, organisations need not only technical specialists in cyber, supply chain management, security, or insurance, but also generalists who can translate across domains, connect the dots on interdependencies, and see the system as a whole. Increasingly, resilience looks less like a technical discipline and more like a coordination capability.
Convergence everywhere changes everything
Another strong theme was convergence.
Digital, physical and human systems are inseparable. A cyber vulnerability becomes an operational outage. A logistics delay becomes a supply chain crisis. A communications failure becomes a trust crisis. Human behaviour — trust, fear, decision-making under pressure — can amplify or dampen every other risk.
Many organisations continue to operate in silos—such as security, IT, operations, HR, communications, and strategy—each focusing on optimising their own areas. However, this separation is becoming a liability in today's interconnected risk environment. The points where these silos interface are often the sources of failure. Security, operations, IT, HR, communications, and strategy cannot plan independently and expect to achieve consistent results. The interdependencies among these areas now represent a significant risk.
Several participants noted that assurance models must also evolve: people and culture are equally critical. Decision-making, incentives and behaviours often determine outcomes more than plans do; therefore, they require as much attention as processes and technologies. Failure rarely sits neatly within one domain; it usually emerges at the interfaces.
The language problem
If resilience is inherently interdisciplinary, then communication should be straightforward. In practice, it rarely is. Collaboration is often hindered by something deceptively simple: language.
Different sectors still speak different dialects of risk. Insurance, emergency management, security and resilience each bring their own glossaries, frameworks and assumptions. Even when everyone is discussing the same threat, they may be using different terms and framings to describe it.
This creates friction precisely when speed and clarity matter most.
Resilience is inherently interdisciplinary, and therefore, our language must reflect this diversity. We need a shared, human-centred terminology that can be used across different functions and organisations, rather than just technical definitions that are limited to specific subdomains. Without such a shared language, achieving interoperability will remain just a goal.
This may seem trivial, but it is not. A common language acts as infrastructure; without it, collaboration becomes slow and ownership unclear. In contrast, a shared language enhances coordination and accelerates progress.
If we aim for interoperability, we must design our communication methods to support it.
From knowledge to action
Perhaps the most striking reflection was that we do not lack knowledge.
Frameworks, evidence and guidance already exist in abundance. Lessons are repeatedly identified. Reports are written. Recommendations are made. And yet there's an uncomfortable truth here: implementation lags.
The barrier is rarely information; it is incentives and accountability. When risk and liability can be delegated, offset or transferred, the path of least resistance tends to prevail. Short-term pressures frequently outweigh long-term resilience. In those conditions, compliance becomes the goal rather than a capability.
This leads to a familiar pattern: compliance over capability, documentation over practice.
This is where ethics entered the conversation in a serious way. Ethical decision-making — not simply legal compliance — may be one of the few mechanisms that keep responsibility anchored rather than passed on. When leaders frame decisions around “what is right and sustainable” rather than “what is minimally acceptable,” risk is reduced at source. One participant noted the value of the humanitarian principles. This leads me to actively consider: is ethics potentially one of our most underutilised levers for mitigating risk in risk management?
Trust, transparency and the willingness to acknowledge mistakes are not soft skills; they are operational assets. Organisations that hide failure lose the opportunity to learn. Those who surface it early adapt faster.
Getting upstream: societal resilience
A particularly compelling thread focused on moving upstream of risk with an emphasis on societal resilience.
If communities and frontline staff are the first and last line of defence, our zero responders, then resilience cannot be built solely through plans and professionals. It must also be societal.
Investment in public education, community capability and local preparedness was framed not as a social good but as a strategic one. Recent research suggests that every £1 invested in societal resilience can generate £35.12. This is a substantial return on investment for societal resilience, alongside those intangible multiplier effects. It turns out that resilience is both economically rational and ethically sound.
In other words, resilience is not a cost centre. It is one of the highest-return investments available. This reframes preparedness from an insurance policy to a growth strategy.
A capability problem, not a technical one
A consistent conclusion from the discussions was that resilience is not primarily constrained by tools or frameworks, but by capability.
Technical expertise remains essential. Organisations need specialists in cyber security, supply chains, infrastructure, hazards and assurance. However, technical depth alone is insufficient in an environment where risks are interconnected and failures propagate across domains. What is equally required are professionals who can integrate perspectives, translate between disciplines and understand how decisions in one part of the system affect outcomes elsewhere.
In practice, resilience is less a discrete technical function and more an organisational coordination challenge. It depends on how effectively people, teams and functions align under pressure.
What this means in practice
If risk is systemic, then resilience must be systemic too.
This has several practical implications. Organisations need to integrate functions rather than manage them in parallel. They need shared, accessible language that enables consistent understanding across departments and partners. They need to invest upstream in culture, education and community capability, not only in response and recovery. And they need leadership and ethical frameworks that reinforce ownership of risk rather than allowing responsibility to be displaced or deferred.
These outcomes are not achieved through additional plans, dashboards or compliance processes alone. They require structural alignment, clear accountability and deliberate cultural change.
The real challenge
Three recurring gaps were highlighted throughout the morning: imagination, leadership and preparedness.
The ability to anticipate unfamiliar or non-linear risks.
The willingness to act early, before disruption forces decisions.
The discipline to translate lessons identified into sustained capability.
These are not technical shortcomings. They are organisational and behavioural ones.
This distinction matters. Investments in technology or new frameworks will have limited impact if incentives, decision rights and culture remain unchanged. Resilience ultimately depends on judgement, responsibility and collective ownership.
In an environment characterised by cascading and, in some cases, non-recoverable disruption, resilience can no longer sit at the margins as a specialist concern. It must be embedded as a core leadership responsibility.
So what needs to change?
In the current environment of increasingly complex challenges, advancing the goals of managing risk and enhancing resilience requires some effective steps:
Defining clearer roles and responsibilities between risk, resilience and operational functions.
Ensuring a stronger integration between planners, technical specialists and responders.
Regular cross-sector testing and learning.
Creating a shared terminology that enables interoperability.
Maintaining governance models that reward long-term resilience rather than short-term optimisation.
Above all, organisations need both specialists and integrators: deep expertise within domains, and the capability to connect those domains coherently.
The central message is straightforward. The next phase of risk practice will not be defined primarily by better tools or more data. It will be defined by how effectively organisations coordinate, make decisions and take responsibility under uncertainty.
Resilience is therefore not simply a technical discipline. It is a leadership and organisational capability.