Is Resilience a function of Risk and Security?

Should Resilience be the business of Risk and Security Functions, not HR?

I’m here to share some thinking on Resilience with you from the individual and human perspective, and as I go through, I’ll make some connections with what I understand of organisational resilience.

Now Resilience is often considered to be the opposite of vulnerability and I think that there are many dots that can be connected between organisational resilience and individual resilience, at a time that the adversity feels like it will continue to come.

Now I’m going to move away from the typical language and narrative that I use when talking about Resilience today because recently my thinking has evolved, and I’d like to share a new theory with you. I hope it prompts some thoughts and I manage to draw some relevant parallels from which you’ll be able to generate your own insights. 

Let me share with you why I think the game has changed… 

For me, Resilience shouldn’t be the trending, fluffy concept as it is at risk of becoming. It is core human security business and has always been core business, but its importance may have been compromised as a subject to some extent by it sitting in the wrong space, often coupled with mental health and wellbeing.

But like the management of organisational security and risk it’s about developing awareness of vulnerability, risk management, building protection and sometimes decisive action at the individual level, and more now than ever it remains critical.

In any organisation, there are many factors that need attention as we work toward mitigating organisational risk: the systems and hardware in place enable us to do the work efficiently and safely. Policy and processes provide our references, experiences, a common language and best practice. People’s individual skills are developed through training, and performance is influenced through leadership and management and holding each other to account. But the development and sustainment of solid resilience and human security need to be considered here too.

Because accountability sits with people and we rely on people to make judgements, when it comes to managing human risk and vulnerability, I’d argue that an injured or mentally ‘unfit’ employee presents as much of a risk as any associated with systems, policies or processes.

We have seen in the past the devastating impact of a disillusioned, disgruntled or vulnerable and mentally injured employee in Edward Snowdon and Chelsea Manning. A lack of human security presents far more organisational risk than someone who remains well.

The Theory

My theory is that human vulnerability and managing human risk around individual wellbeing and resilience should perhaps sit within the risk and security functions of a business moving forward, not with HR as is typically the case.

There are of course productivity, ethical and cultural cases for developing individual resilience but it is too important from an organisational resilience and a risk management angle to just sit with HR alone.

Individual Wellbeing and Resilience as a concept may be as important, if not more important to the risk and security functions of a business and its leadership as it is to HR. Octopus energy don’t even have an HR department because, like us, they believe that wellbeing and resilience are a function of leadership.

To objectively ensure that resilience is being developed, it needs to be a shared responsibility. Relying on individuals to just be or become resilient doesn’t reassure and inform the collective, and this is a situation that hasn’t changed as the world continues to change around us. You cannot develop resilience and a sense of wellbeing for someone else either, so HR can’t do wellbeing to us and build our individual resilience. I’d argue that their focus should be input and providing support.

Line Managers are reported to be overwhelmed by two years of enhanced pressure supporting their teams, and with the impending cost of living crisis, we can’t expect them to become resilient overnight.

We must share responsibility for individual resilience development with those individuals in those teams. We must hold them to account to communicate, build their own awareness and take responsibility to develop and sustain solid resilience, communicating that progress to their managers. Similarly, Line Managers have to follow suit and do the work themselves within the conditions that we help to manage with them, allowing them to grow not just survive.

HR professionals are also reported to be overwhelmed too, so there is an opportunity to share responsibility for human security and resilience with Risk and Security functions and again set expectations for individuals to do the work up front and invest in themselves rather than keep pushing, burning out and then blaming others or the conditions. I believe that either taking it on or working collaboratively with leadership and HR, risk and security functions can pay it proper attention and contribute to mitigating the human risks as part of a wider risk management strategy.

This graphic presents for consideration the three key stakeholders that could be involved in managing human security more holistically.

Human Security

You can have the best policies, processes and systems in place, all important stuff to enable the human to do the work, but without building protection and resilience in the human element they can still carry or present a risk. People may appear fit for purpose at the surface, but without an organisational understanding of their actual resilience, all it takes is for someone to find changing or unfavourable conditions and mistakes are made, opportunities not taken, and the moment gone.

Another physical analogy here…you can have the best gym kit, studio, nutrition and personal training advice available, but nothing actually changes unless the human element does the work.

They may well appear healthy but they won’t be fit. They can’t enter a race at this stage, do well and hit the standard required. Without the human element in good condition and well-prepared, there IS no race and there IS no performance.

Success or failure is always apportioned to the human element, not the dumbbell, racetrack or the weather. What the human needs to guarantee success is a solid awareness of their reality, a plan and the clarity, direction and resources to support their journey to achieve the right standard of performance.

Building Mental Fitness and Resilience is much like building physical fitness. We all need a clear awareness of the risks of not putting in some work, a clear idea of the benefits it brings and if the benefits of the work we put in are clear in our performance, such as we feel fitter and more capable, we are likely to double down on our efforts to mitigate risks and build more protection.

Just like with our physical fitness, taking preventative action with mental fitness and resilience helps manage those risks and builds protection to lower the risk of mental injury and illness.

Awareness and Action

I personally slept walked into mental illness myself, assuming resilience and starting off frankly ignorant and without awareness of my true situation. 

In January 2016 with a building sense of losing control, I dropped to the floor, consumed by panic and anxiety. I went with a huge sense of flight and went straight home, collapsing in an emotional tangle in my wife’s arms. It was a sudden descent into breakdown and within 24hrs I was diagnosed with Complex PTSD and chronic depression. The situation at this stage deteriorated for a few months and my ineffective coping strategies and sticking plasters such as medication didn’t work. I was diagnosed then with bipolar disorder as well, told this was now a barrier to further service and I would be discharged. 

Once genuinely aware of something not being right, the conditions didn’t seem to allow for risk management – I had no reference, saw my situation in no one else around me. I also had no understanding of the significance of continued decline – not clear enough on the implications of unmanaged risk on both myself and the wider situation. Suddenly finding myself having to manage too many risks and the fallout all at once I was overwhelmed by the sudden changes I faced and the overall situation, I wasn’t prepared or resourced to manage the situation and avert further compounding of this personal crisis. Stuck at intention, wanting a different scenario but without the facts, knowledge, and personal resources to grip the situation, I was disempowered and ineffective in fighting a reactive battle and attempting to get on the front foot.

There are only two images amongst these that show me in a good place and not unhealthy or ill. In the remaining four I am not present or in control and presented risks to the organisations I was working for at the time. To the organisation there was nothing to see, but the signs and the evidence sat just above and below the surface, more on that idea to follow in a bit.

Mental security may be much like physical security. Despite the systems, hardware, policies and processes in place, the weakest link may still be the human element – and in my case, everything appeared in place and okay at the surface. However, my mental fitness and the accuracy of the story I was telling myself was way off the mark. At that point I was ignorant, ill-equipped, and consequently a risk to myself, my team and my organisation.


Our mental health and Wellbeing are directly influenced by levels of individual resilience. I had assumed mine for a time and at a time that I had been assuming a constantly developing resilience whilst serving I was in fact becoming more fragile and more vulnerable.

Individual Resilience is itself influenced by many factors – the environment and workplace factors, our mindset, attitude, and our effort. To be healthy and resilient we need to get ahead, using our lived experience and an open mind to anticipate risks and build protective levers into our lives. 

If we are not ‘on the front foot’, with the time and space and permission to build that genuine awareness and target appropriate action, we are actually disempowered and we compromise our ability to influence and control the way we interact with the world. We cannot control the world itself and the way it changes around us, but we can influence our relationship with it, how we offer ourselves to it and how we respond to it.

My recovery has taken 7 years to date, and I’mstill affected by the impacts of the conditions but now far more aware of how to manage the risks, build protection and the conditions I need to perform well and consistently. I have to use a lot of experience, my own frame of reference, anticipation and forecasting to stay on a steady course, but critically I also rely on external stakeholders – my wife, friends and colleagues to ensure I am not set on seeing only what I want to see or convincing myself I am in a good place, when I’m not.

Organisational Resilience and Individual Resilience

My understanding of your world is that external stakeholders are often used to ask objective questions, expose the ground truth, and help to highlight risks to an organisation, so to me it is partly about using evidence and data and partly about using objectivity to prepare for the future with influencing factors playing a key part, both in the sector and the wider world. It is about identifying and managing risk and building protection, aiming to get as far ahead of any risks that can impact your organisations as is possible.

Individual resilience is no different. It’s both about an ability to manage adversity appropriately in any context and keep moving forward for sure, but it’s also about creating the conditions to allow us to build and retain real awareness of the situation we’re in and what may be ahead, planning and taking action to remove risks and build protection well in advance. Time, space or capacity and permission allow us to do this.

If we are consumed by circumstances in the moment, we’ve already lost. 

Identifying what lies beneath

I mentioned earlier this idea of risk indicators sitting above and below the surface.

The image below depicts individual awareness: what typically sits in our conscious and subconscious.

What sits in our subconscious is really there and influencing our performance but may sit outside our true awareness. Some of these elements are deep but they are deeply influential.

We pay real attention in the moment to what we choose in our conscious awareness, so to build resilience we MUST pay attention to the risks presented from what lies beneath the surface, and even the source of the risks themselves seeking to reduce their influence or remove them as risk factors entirely.

Protective factors that lie beneath the surface are deeply embedded foundational elements for us, such as physical elements in life that provide us with security, our mindset and attitude driven by or true values and what drives us. Above the surface is the condition in which we show up in the world each day.

Here’s a company culture version which indicates a split of some of the elements that often sit less obviously below the surface:

Just consider a blank version of this for a moment from an organisational resilience angle. Consider what is visible and getting attention each day, what sits below the surface but is within our awareness, and what is not within our awareness that we must anticipate and build protection against, even if it is outside our consciousness?

And now let’s come back to our own individual awareness.

True resilience starts unearthing the truth, with full awareness of all of the factors, not just aligning with the obvious or seeing what we want to see. It is not limited by the boundaries of our current thinking and should not be held back by dogma. It involves the creation of capacity, the protection of the buffer of time and space, and often bold corrective action without the need for the permission of others. It is about personal leadership and never about following and it’s about creating the conditions required to create space, thinking time and facilitating objective observation of the world around you so you can choose how you interact with it.

In December 2019 I was pretty sure that Covid would change the game. I raised it and the general view of the others was ‘it’ll be alright’. I wasn’t clear but instinctively I felt that our organisational resilience may be at risk of compromise, but with the lack of facts, it was of course difficult to forecast its potential impact. What does my gut say?

Do I have the time, space and permission to pay more attention to this, prioritise it in my thinking and move it up the list for action? It was a time for prediction, anticipation and the management of the risk and protective factors that were key to our survival as an organisation.

I left that conversation without a clear sense of the permission to pay it attention, and it is often agreement and collaboration that gives us that permission. SOWhat did we do? Nothing really. We only changed our approach when we were forced to, but luckily, we had moved early on virtual training and so when others were wrestling with Zoom, we were already comfortable, delivering booked business online and ahead of our competitors.

The rest we worked out like others as we went along but we weren’t as in control of our operation as we could have been.

When in the Army my mental health became compromised at a time when I was responsible for coordination and control of lethal target effects on active service in Afghanistan and attached to the Pathfinders. I noticed a sense of fear building, a lack of emotional control and growing anxiety as I did that job.

Every day could have been a potential mistake and it took a huge amount of emotional effort and application to remain steady. The organisation had no awareness of the potential human risks in me that could have human and reputational consequences. Over the next few years, I began to recognise that I wanted to leave the Army but felt I couldn’t, and as my mental health deteriorated further, I became more disconnected, dissatisfied, and even noticeably outspoken and anti-establishment at a time when I was actually an instructor at the Royal Military Academy.

Frankly, although only one of many people in a similar situation, I’d now admit that I had become a risk to myself, my team, and my organisation, both in combat and as I progressed.

How does this relate to organisational resilience?In my experience, which was typical of many and because the Army was on the back foot with, mental health failing to anticipate and provide for the psychological impact of service and proactively mitigate the risk of mental health decline in its people, it didn’t prioritise it.

Cases ballooned, becoming more complex to manage because the organisation was reacting and not ahead of the risks. The organisation would have had no idea where these compromised people were in the organisation, which jobs they were in and the potential for those people to make mistakes, risking life or information security breaches, whether deliberate or unintended.

A quick question for you to ponder based on actual events – Is an employee, who is in the depths of chronic stress, anxiety, and depression, and who takes his wife’s keys to work three times in a week MORE or LESS likely to leave a secure work laptop on the train?

This is just a lived example of how compromised individual resilience can translate to a risk to an organisation.

 mental health, wellbeing, and resilience are for me about human security and organisational resilience as well. Never more has personal resilience potentially been so directly linked to organisational resilience and I believe it is something that should be getting the attention of senior executives, security and risk professionals and be a function of leadership, not just HR.

Human Security and Individual Resilience are just too important to be ignored. Awareness is not enough. Resilience requires objective situational awareness of the ground truth. We need other stakeholders to help us build that real ground truth, to go looking, be ruthlessly honest and objective about the factors likely to influence our resilience and not get stuck at awareness and intention.

The worst-case scenario is that we pay no attention to the risk factors that we are aware of (those known knowns) and we haven’t planned for those outside our awareness (those known and unknown unknowns). If this is our approach we are disempowered, at the fate of circumstances and we lose our ability to influence things.


Managing personal risks and building protection is not an overnight reality. In managing risk amid adversity, it is not enough to just have the surface awareness available to us. We need to acquire it properly and then home in on what’s key. It’s not enough just to keep showing up either and carrying on. We have to adapt and to adopt and maintain the right attitude to navigate personal adversity.

And it is not enough to just have the intention to develop skills and tools. We must take action to master them and target their application.

With wellbeing, I now know that there is no place for excuses, being victims to our situations and disempowering ourselves. If we are to not only remain well in adversity, but to grow through it, a collectively resilient mindset and often a brutally honest awareness of our reality allows us to target our actions, protect our human security and with it our organisations.

If you would like to speak to us about improving resilience in your organisation, please get in touch, we’d love to hear from you.

Written by: Tim Rushmere, Co-Founder

Sign Up for the latest insights and free events

    • This website is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply