Paddy McGuinness CMG OBE, Senior Adviser, Brunswick Group, and former UK Deputy National Security Adviser for Intelligence, Security and Resilience, suggests how boards should think about geopolitical and cyber risk, and what resilience looks like in practice for leaders under pressure.

Highlights

  • organisations that perform best in crises are those with clarity of purpose and operational priorities, not those relying on untested crisis frameworks
  • true resilience requires stress-testing systems to failure, as well as a clear understanding of the recovery needs, especially as cyber incidents become a question of ‘when’, rather than ‘if’
  • boards that maintain trust during disruption focus on operational continuity, coherent and accurate communication, and a shared picture of reality

In your experience of working with boards globally, what distinguishes organisations that respond effectively to crises from those that struggle?

‘Let me start with a slightly provocative point – I don’t believe in the concept of “crisis management”. By definition, if you can manage it, it isn’t a crisis, it’s an incident, an event, or an unwelcome development. Crisis, to my mind, is when the levels of uncertainty or the levels of impact surpass what your systems and processes are able to deal with.

One of the risks of crisis management is complacency. An organisation might successfully deal with one difficult incident or issue, after which they conclude that they are “good at crises”. At Brunswick, we work with some of the world’s most capable companies – global leaders in energy, finance and retail, for example. Yet even their systems can be stretched to breaking point by a true crisis.

The organisations that perform best are those with absolute clarity of business purpose – not in an ESG sense, but in terms of fiduciary duty and operational priority. When a crisis hits, they continue to function because they understand what society needs from them and what they must continue to deliver.

The pandemic illustrated this clearly. Stakeholders initially gave businesses 24 to 48 hours of tolerance. After that, the expectation was simple – work out how to operate in the new environment. Business leaders should therefore not assume that extreme risks such as armed conflict, state interference, pandemics or severe climate events will automatically become someone else’s responsibility.’

What should governance professionals prioritise when designing crisis management frameworks to ensure long-term resilience?

‘Frameworks matter greatly, but they can also induce a false sense of security. Effective frameworks must be functional – they have to be practised, they have to be tested and they have to be universally applicable. During the pandemic, you never knew who would be available or not on any given day. Systems need to function regardless of which individuals are present. What matters is that business functions are represented, not that specific people occupy those seats.

Increasingly, world-class organisations and regulators are adopting aviation testing methodologies. You test your system until it breaks so you know exactly where the failure point lies. In my experience, most companies never test to failure – they stop just before discomfort begins. True resilience requires knowing your breaking point before reality finds it for you.’

Given your experience of advising the UK government on intelligence, security and resilience from 2014 to early 2018, what would you say are the early warning indicators of geopolitical risk that governance teams should monitor?

‘When approaching geopolitics, boards must first look at behaviours, rather than opinions. Leadership groups naturally hold a range of personal views on geopolitics, but what matters is a disciplined method for processing geopolitical issues – but only where they affect the particular business.

A crucial part of that discipline is establishing what, in UK government practice, we used to call a CRIP, for “commonly recognised information picture”. Leadership must work from a shared, written understanding of what is actually happening, not whatever someone last saw on television, read on a website or picked up on social media. Without this shared information base, time is wasted debating whose news source is right, which can be fatal during fast-moving events.

Many companies now use technologies that provide real-time situational awareness, monitoring political, security or regulatory developments relevant to their footprint. But the tool is only as good as the leadership discipline around it. When an event begins to unfold, everyone must be looking at the same picture.’

During a critical situation, what behaviours help companies maintain trust?

‘The most powerful way to maintain trust is simple – continue delivering your service. Operational continuity remains the core of credibility, but equally important is authentic and disciplined communication. Organisations must avoid optimism bias and the instinct to reassure without evidence. Recently in the UK, several major companies disrupted by cyberattacks publicly announced they would restart operations “next week”, only to remain offline a month later. That damages trust far more than saying “we don’t know yet”.

For listed companies, coherence in communication begins with what is disclosed to the market. Whatever you tell the market must align precisely with what you tell customers, regulators, staff and suppliers. If there is information you are willing to tell one audience, but are not willing to disclose to the market, the obvious question is, why not?

Coherence, accuracy and economy of language are essential. Communication is not the final step in response – it is almost the first step after you’ve established what is happening.’

Cybersecurity continues to rise on the board agenda. What essential questions should boards ask to assess whether management has built genuine cyber resilience? What are the most common blind spots?

‘When we work with boards after a major cyber incident, we often see the same blind spots emerging. Most companies focus the majority of their cyber spending on prevention and a smaller portion on response readiness, but very few have truly thought through or quantified what recovery would look like.

After an operational disruption, a data loss, a technology misconfiguration or even insider malfeasance, boards often tell us they wish they had understood their recovery needs earlier and that they had invested more in that phase. Cyber incidents increasingly feel like a question of “when” rather than “if”, so while prevention remains important, especially given regulatory obligations, boards also need real, lived experience of how they will respond and how they will recover.

The second blind spot is a lack of insight into what has actually happened to other companies. Organisations rarely disclose full details of their cybersecurity failures because doing so can affect reputation and value. They may share limited information with insurers, law enforcement or regulators, but much remains internal. That makes it difficult for boards to learn from real-world events. At Brunswick, we handle many cyber incidents and, when we run response exercises for leadership teams, we replicate everything we have seen happen elsewhere, right up to the point where the system breaks, because it is vital to understand how bad things can get before you face it in reality.

Finally, boards often overestimate their internal capacity to cope during a crisis. There is a natural optimism bias, in which leaders believe their in-house teams will be able to manage whatever unfolds. But major cyber incidents always require outside support – remediation firms, specialist lawyers, communications advisers and, ultimately, recovery partners. And if the incident is systemic, such as a major cloud service or widely used software vulnerability, external capacity in the market is rapidly exhausted. So organisations must know in advance where their help will come from and, ideally, pre-book that support. That preparation makes an enormous difference when the worst happens.’


Looking ahead, what key emerging risks should corporate leaders prioritise over the next six to 12 months?

‘There is no sign that the world will become less uncertain. Uncertainty is a constant. So your ability to deal with uncertainty and instability, your ability to live through uncertainty and instability, that’s going to determine how strong you are. You cannot design a process that eliminates uncertainty. What matters is your agility – how quickly you can respond when something unexpected happens. And agility, in turn, depends not only on systems and processes, but on people.

What we observe in the best-performing boards and leadership teams is a combination of organisational resilience – high morale, a strong mindset, coherent systems – and personal resilience. Leaders and employees who have prepared themselves mentally for disruption cope far better when a crisis hits. One aspect of preparedness that people often overlook is the operational and reputational capital you build before anything goes wrong. If you are a well-run, trusted business, you draw on that capital during a crisis. Strong reputation buys you the benefit of the doubt from stakeholders, which helps maintain value while you resolve the problem.

But alongside those organisational foundations, individual readiness matters just as much. I have spent this year sitting with several major UK CEOs whose businesses were turned upside down by cyber events. My role often became about supporting them as people, helping them remain capable of leading through chaos. When leaders have high morale and personal resilience, they last longer and perform better.’

