
From corporate to personal resilience: why it’s time for a Chief Resilience Officer
4 min read 8 April 2025
Business resilience isn’t just a boardroom buzzword—it’s fast becoming the difference between long-term viability and systemic vulnerability. At a recent COO Network roundtable event hosted by James Hampshire, Partner and expert in Technology and Cyber Security, leaders from across sectors debated how to align cyber resilience with broader organisational resilience—and why this shift is as personal as it is corporate.
The opening provocation - cyber is no longer just about security, it’s about survivability.
We’re living in a world where business value increasingly depends on connected technology, data, and digitally reliant processes. In that world, cyber security can’t be ring-fenced or treated as a niche domain. Instead, it must be embedded in a holistic business resilience framework that protects what matters most: your purpose and your critical services.
Cyber Resilience ≠ Cyber Security
The conversation quickly moved from controls and frameworks to a bigger question: what really underpins resilience?
The answer, it turns out, is everything.
From process dependencies and capital adequacy, to supplier fragility and operational risk appetite, resilience is a multi-dimensional construct. Cyber is only one part of it. Yet, too many organisations still treat it as a siloed technical function, divorced from core operational strategy.
This mindset is out of date. What matters now is understanding which business services are critical, how they are supported (especially by technology), and what it would take to recover them under stress. It was agreed that if we can’t answer that clearly, the resilience isn’t real—it’s aspirational.
The COO as a CRO - Chief Resilience Officer
The group explored whether the term “CISO” is now holding us back. When the title implies a narrow focus on securing data, it distracts from what business leaders actually care about: continuity, confidence, and performance under pressure.
So who should own resilience? Many pointed to the COO. After all, resilience spans systems, processes, people, and partners—and the COO is already responsible for stitching these elements together. Whether or not the title changes, the mindset must! Resilience can’t be outsourced to IT or Compliance. It needs to be owned at the Executive level and understood across the business.
Focus on the plausible, not the paranoia
As the discussion went on, the elephant in the room became clear: there's too much to worry about. So how do you focus?
Start by defining what’s plausible. Use risk appetite as a compass. Stop stressing about alien invasions and start modelling the risks that are likely, business-relevant, and within your influence. Visual tools, scenario modelling, and clear storytelling in board-friendly language are vital. So is accepting that you will never be 100% resilient. You just need to be resilient enough for the risks that matter. And testing your resilience plans, through exercises based on the scenarios you worry about, is critical to identifying improvement opportunities and to embedding muscle memory – so you are not running through the plan for the first time during a real crisis.
Awareness without paralysis
Another tension discussed was how increasing cyber awareness often magnifies anxiety. The more leaders learn about cyber threats and risks, the more overwhelming it feels—and the more likely it is to be pushed back onto “the Security team”.
That’s dangerous. If resilience is to become a growth enabler rather than a blocker, we need to ditch the bunker mentality. Locking everything down isn’t a strategy. It’s a fear response.
Instead, the best security leaders act as partners, not gatekeepers. They support informed risk-taking, embedded in the teams delivering critical outcomes. That means security isn’t a checkbox—it’s a dialogue, continuously aligned with evolving business needs.
What keeps COOs up at night?
“If Microsoft goes down, what’s our plan?”
“If AWS is hacked, what happens to us?”
These aren’t just hypothetical questions. They’re legitimate board- and executive-level concerns—and the right answer often isn’t a technical one. It’s knowing whether you’ve acknowledged the risk, documented your assumptions, and rehearsed your response.
You can’t prevent every shock. But you can make sure people know what to do when the shock comes.
The link to personal resilience
Perhaps the most powerful insight of the session was this: organisational resilience is personal.
When you carry the burden of cyber or operational risk—especially in adversarial threat environments—it’s not just a professional challenge. It’s a psychological one. The weight of responsibility can be immense, particularly when the risk is never zero.
That’s why personal resilience matters. Those involved in security, business continuity and wider resilience need support (both moral and tangible – for example, access to mental health resources), clear boundaries, and a healthy level of detachment. They need board-level backing, not just budget. And above all, they need to know when they have the right level of planning and preparedness. That only happens when risk appetite is clearly defined, roles are respected, and planning is taken seriously.
As one attendee put it: “The real gold isn’t perfect protection—it’s shared understanding, trusted plans, and confidence in our ability to recover.”
Final thought
Resilience is no longer just a line in the risk register. It’s a mindset. It’s a muscle. And it might just be the defining leadership trait of the next decade.
The question for COOs: are you ready to own it?