The illusion of risk preparedness: Why confidence isn’t enough

14.11.2025
12th November 2025
London
Risk managers are no strangers to complexity. But as the recent Healix panel revealed, many organisations still fall into the trap of mistaking confidence for capability.

On 12 November, Healix hosted a panel and networking event at Sea Containers in London to explore how organisations can better anticipate, respond to, and recover from emerging risks.

Moderated by Andrew Devereux, Global Risk Intelligence Manager at Healix, the panel brought together experts Dr Karin Von Hippel, James Stokley, Lucy Stone and James Clancey to unpack the findings of Healix’s latest Risk Radar report. 

The confidence gap: Why feeling ready isn’t the same as being ready

The report, based on insights from 500 senior leaders, found that most feel prepared for crises. But Lucy Stone, Regional Security Manager at Healix, challenged this perception. Some crisis plans, Stone noted, are little more than a two-page document with a phone number. Others are detailed and tested. But even the best plans can fall short if they’re not embedded across the business. 

Risk is no longer siloed - and neither should your response be

The panel made clear that risks don’t sit in neat categories. Cyber and physical security are often treated separately, but they’re deeply linked. A breach in one area can expose another. James Stokley, founder of Morpheus Risk and former head of the UK National Cybercrime Unit, warned against relying too heavily on one role, like the Chief Information Security Officer, to manage cyber threats. Security needs to be everyone’s job.

Supply chains are another example. Stone described how global supply chains are now more complex - and more fragile. The war in Ukraine, trade tensions, and shortages of key materials have exposed vulnerabilities. Digital systems add another layer of risk. Cyberattacks can now disrupt operations just as easily as physical events.

Stokley outlined how AI is lowering the barrier to entry for cybercriminals. The rise of state-sponsored and organised crime collaborations is blurring lines and amplifying risks. The financial impact is huge - and growing. In the UK alone, cyber-attacks cost an estimated £3.8 million in 2024. Globally, the figure is closer to £7.4 trillion.

More than technology, it’s about culture. Training, awareness and clear protocols are fundamental. And businesses must monitor both global risks and local vulnerabilities.

Planning for the unknown: Why imagination matters

Dr Karin Von Hippel, Strategic Advisor to the Healix Risk and Security Advisory Board and a fellow at the Royal United Services Institute, spoke about the breakdown of the post-World War II order. We’re moving into a multipolar world, where alliances are less predictable and global responses harder to anticipate. This uncertainty makes it harder for businesses to plan. Leaders need to think beyond the next quarter and consider how today’s geopolitical tensions could shape tomorrow’s risks.

Von Hippel made a striking point: Hollywood often does a better job of imagining risk than experts. That’s because it’s willing to ask “what if?” - even when the answers are uncomfortable. Businesses need to do the same. 

Stokley echoed this, suggesting a structured approach to digital threats, inspired by the UK’s counter-terrorism strategy. Prevent and protect should be the pillars of cyber resilience. Basics like multifactor authentication and system updates matter. But so does vigilance - spotting disgruntled employees or unusual activity early can prevent major breaches.

James Clancey, Chief Risk Officer at Healix, added that open conversations are key. Too often, risks are dismissed as unlikely or irrelevant. That leads to blind spots. Leaders need to ask hard questions, challenge assumptions, and prepare for worst-case scenarios. Hierarchies can get in the way - but breaking them down helps build readiness.

Stone concluded that this needs to extend beyond boards and risk teams, across the whole business.

The human factor: Resilience starts with people

One of the strongest themes from the panel was the importance of people. Technology and systems matter - but they’re not enough. Real resilience depends on how people respond under pressure.

Clancey reflected on the lessons of COVID-19. Before the pandemic, many saw operational resilience planning as superfluous. But when the crisis hit, those plans became a necessity. Businesses that had invested in infrastructure and flexibility adapted quickly. Others struggled.

But even those that coped well operationally often missed the human impact. Staff wellbeing, communication and reintegration were overlooked. And the effects lasted long after the crisis itself had passed.

This shows that resilience isn’t just about continuity. It’s about care. Businesses need to plan for the emotional and psychological impact of crises - not just the logistical ones. That means listening, supporting and adapting.

It also means building a culture of trust. Stone emphasised the need for transparency. When people feel safe to report risks and mistakes, problems can be addressed early. When they don’t, issues can fester - and escalate.

Day-by-day resilience: Preparing for the inevitable

Clancey offered a realistic view: something will go wrong. The key is how you respond. Stay calm. Act quickly. Learn from what happened. Don’t let the day-to-day distract you from the bigger risks. Build the capacity to cope - and recover.

This means embedding resilience into everyday work. Not just through policies and plans, but through mindset. Stone encouraged people to think about risk. Make it part of KPIs. Talk about it regularly. And make sure everyone knows what to do when things go wrong.

It also means sharing experiences. Forums, panels and industry discussions help businesses learn from each other. Mistakes and successes both offer valuable lessons. And by working together, organisations can build stronger defences.

Final thought: Resilience is built, not assumed

Risk is a shared challenge. No business is immune. The threats are complex, fast-moving and often hard to see. But with the right mindset - open, practical, and people-focused - organisations can build real resilience.

That means moving beyond confidence to capability. It means treating risk as a strategic issue, not a compliance one. And it means investing in people, culture and systems - not just documents.

The Healix panel didn’t offer easy answers - but it did offer direction. Ask better questions. Plan for the unknown. Break down silos. Build a culture where risk belongs to everyone.

Thank you to everyone who joined our session; we hope you found it useful. For more of these insights, explore our Risk Radar 2026 hub, or get in touch at enquiries@healix.com to learn how Healix can support you with your risk management strategy.
