The Security Circle

EP 130 The Hidden Muscle Every Leader Needs: Resilience with Rick Cudworth

Yoyo Hamblen Season 1 Episode 130

“Resilience doesn’t stop you falling off the bike — it helps you get back on.”
– Rick Cudworth

In this powerful episode of The Security Circle, host Yolanda is joined by organizational resilience expert Rick Cudworth, whose career spans engineering, technology, strategic risk, and leadership across some of the most complex environments — from chemical plants to the London 2012 Olympics and UK government preparedness for Brexit.

Rick unpacks the critical shift from reactive crisis planning to “Resilience by Design” — building organizational strength into systems, processes, and people before disruption strikes. He shares practical insights from leading readiness programs, including how to prepare teams to respond not just to major incidents, but to the everyday friction that derails operations.

Together, they explore:

  • Why resilience is not just a plan, but a mindset and structure.
  • How human purpose and well-being are central to a resilient workforce.
  • Why we should focus less on “likelihood” and more on high-impact risk preparedness.
  • The future of resilience — from AI and climate shocks to supply chain adaptation.

With powerful reflections on COVID, black swan events, stakeholder psychology, and personal resilience built through sport, Rick brings calm clarity to a chaotic world.

Security Circle ⭕️ is an IFPOD production for IFPO the International Foundation of Protection Officers

If you enjoy the Security Circle podcast, please like, share and comment, or even better, leave us a fab review. We can be found on all podcast platforms. Be sure to subscribe. The Security Circle every Thursday. We love Thursdays.

Yoyo:

Hi, this is Yolanda. Welcome. Welcome to the Security Circle podcast. I should say the award winning Security Circle podcast. IFPO is the International Foundation for Protection Officers, and we are dedicated to providing meaningful education, information and certification for all levels of security personnel and make a positive difference where we can to our members' mental health and well-being. Our listeners are global. They are the decision makers of tomorrow and today. And I want to thank you wherever you are for being a part of the Security Circle. We are on all podcast platforms. Don't hesitate to subscribe; that way you get to listen to the podcast at least 24 hours early. It's like an exclusive VIP list. And, even better, just like, comment, post on LinkedIn, share it. Thank you for your company today. With me, I have, oh, brand new and sparkly Rick Cudworth, the founder and partner at Resiliency. I see what you did with the word play there. He's also a board and executive director at Resilience First. He's a thought leader and an expert in organizational resilience, operational readiness and strategic risk mitigation. If that isn't a vitamin shot for the security brain, I don't know what is. Rick Cudworth, welcome to the Security Circle Podcast. How are you doing?

Rick:

I'm great, Yo Yo, and great to be with you as well here today.

Yoyo:

Only the best here and only the best minds, which I am going to probe into. You've got quite a good, what I would say, pedigree in your career, haven't you? Having worked for organizations like Deloitte, where you were for 20 years, how has that given you the foundation for what you're doing right now?

Rick:

Yeah, I actually, I think the foundation for what I do right now probably went right back to my university days. Um, where I studied chemical engineering and I remember it was, you know, being drilled into me while I was doing that, that, when you're designing a chemical plant or a nuclear plant, it really has to preferably not fail, but if it's going to fail, fail safe. So your whole design principles were about, you know, really considering what would happen if there is a failure. It was about adding an extra beyond what normal engineering tolerances would suggest you need, and adding another 20%. So, so I think some of that was my foundation. And then when I sort of started my career, I started in, actually, writing computer code based on my engineering days. But that took me through, into looking at how to make IT systems more resilient. So that was probably my background and engineering and then technology sort of background, is where I started. And then my career sort of progressed, a consulting, roles that I had many organizations, very varied. It wasn't just going to be about technology, but there were all sorts of other business dimensions. And, uh, I guess through my career, then I expanded into many of those other dimensions and, I've worked with many, many different organizations.

Yoyo:

It's phenomenal, really, being a chemical or engineering plant engineer. Sorry, a chemical, what did you say? Chemical

Rick:

engineering. Yeah, chemical engineering. So designing chemical plants, designing nuclear reactors. Wow. I didn't actually do it. I just studied it.

Yoyo:

You studied it. So do you have one takeaway from the study that you thought, Wow, I didn't realize I had to think about that while designing in security to a chemical or nuclear plant?

Rick:

Yeah, I think it was more when I reflect back that I started to realize how did I get into this? And why did I find it interesting? And I think it, you know, as I reflect back, there's a connection to what I studied, uh, at university to, to what I do now, which is actually about trying to make sure that if things go wrong, we can mitigate the impacts as fully as we can, as sensibly as we can. And if it goes really wrong, it goes wrong in a safe way, you know. So I think those principles are still there. And they're very much in some of the thinking I put around a concept called Resilience by Design. So, you know, this is trying to move the thinking away from, resilience isn't just about plans. It's actually about trying to engineer into an organization, inherently, a more resilient position, so they either have the capacities or the capabilities within the organization to absorb some of the shocks that happen or some of the changes that happen over time to them.

Yoyo:

Now, a topic that most people will remember, certainly in the UK, was the London 2012 Olympics. You led the delivery, didn't you, of the Integrated Readiness Programme. When you tackled that, let's take us back to day one, what were you thinking at the time? Because this is a huge project, isn't it?

Rick:

It is a huge project. I mean, people I don't think always appreciate the sheer scale of it, but literally, you know, in a short period of time, the organizing committee grows from a very small group, a few hundred, to something the size of a FTSE 100 company. Literally it's a foot in the last year or so. It's that size of organization. And then literally within 48 hours of the end of the games, it's closing down again, very rapidly. So it's quite an unusual environment. I'll tell you what I thought. I didn't have lots of experience other than, you know, personally, I was, I used to do a lot of running. I was a competitive athlete. So I was quite keen and interested in the sports side of everything. I don't have a lot of experience at the time in, major games, but what I did think was, how do these individuals who are going to run the games, I don't mean the athletes here, I mean the organizers, when you look at it, majority of them have never actually been involved in running a games before. Okay, so there's a small percentage that are, but quite a lot are new to it. Um, so, how do you get to a point where those individuals feel they're ready for the games on day one? Uh, and, there's no movable feast you can't wait to be ready. The games happen on the, you know, day one is set in stone, that's when it's going to happen. Um, and I thought, well, how do we get organizations ready for a crisis they don't fight every day? It's the same sort of principle, uh, you, you exercise, you rehearse and everything. So it was really through that process that I, I thought about it and said, one of the routes to success for the games is to make sure everybody is ready day one, to deal with all the things that can happen. I don't mean just major, um, major events and problems that could happen. I mean, all the little things that happen that go wrong.
Uh, and if you think about it, a big part of preparing for the games is about planning, but at some point you have to stop the planning and start to get ready to actually run things. And that's when you say, well, the plan tells me what I should do in a perfect world. But what the rehearsals did, uh, the exercises we ran and we ran hundreds of them was to help people understand the world isn't perfect. We call it a day in the life. And little things go wrong all the time, and you have to be able to adjust, and you have to be able to absorb those, and you have to be able to deal with them, uh, and you have to be able to deal with them at the right levels in the organization. So a lot of that, games readiness or operational readiness for the games was about that. So yeah, fantastic time, great, great project to be involved in, and a great, uh, success the games were too.

Yoyo:

And when we look at the, you know, the triad of pillars in physical security like people and, uh, property and I've got the other one because I work in cyber now, uh, people, people, people, property, and what's the other one?

Rick:

I don't know.

Yoyo:

It's people, property and assets, is it? Yeah, I think it is people, property and assets. Um, uh, because in cyber, it's people, process and technology. And I think all of those pillars apply with the exception, obviously, that humans or hoomans, I should say, featuring both. What element of preparedness do you have to take personally when you consider how important humans are to the preparedness and resiliency part of your programs?

Rick:

Yeah, so the human side is really, really important, I think. And if we go back to that sort of whole games preparation, that was about taking it off the plans and putting the human element to it. Because it was all about people running the games. It was about people, the decisions they make at all points in time during the running of the games. So the rehearsals were really about not familiarizing people with the plans, but just familiarizing themselves with how to do it, deal with situations that they're likely to come across. Um, so the, so it was about getting people to understand what their roles were, how they would deal with different situations, uh, when to escalate them. But more importantly than that, it was also about getting people to work together as a team. So again, think about it. A lot of the planning was done as functional, uh, zones in, in the games. The first time you start to bring people together is at venues where you get cross functional operations going. So an awful lot of the, um, the Games Readiness was about starting to get cross functional working, getting teamwork going as well, getting people to understand what each individual does, uh, and the handoff points, etc. So, so really, really important there. And then the second bit that brings home the people piece to me was a study I commissioned, actually while I was at Deloitte, um, with King's College London. And it was a PhD student, uh, a lady called Lorna Riddle. And, uh, she researched the, uh, um, potential impacts of severe events on sort of human responses. Um, and she looked across a number of different sectors in the research. Um, and using different scenarios, it was a paper that we titled, um, willing and able, but essentially what, what it showed was in certain severe events, I don't know, like a biological or chemical attack or, um, uh, a pandemic say, right, even if people were able to come to work, would they be willing to? And it was quite interesting to see the differences, um, in terms of how people perceive certain threats, but also how different sectors perceived, um, their willingness to come to work as well. So in other words, people who felt that jobs were of value to society and were vital indeed to society were more willing to come in, even though they might perceive the risk to be quite high to them, but people who didn't perceive their jobs were very important, particularly to wider society, were less willing to do that. And of course, that has quite big consequences because most organizations rely on people being willing to work, even in difficult circumstances. So understand, trying to understand how people will behave in those situations is quite, it's quite interesting.

Yoyo:

You're talking about purpose and where people have purpose, they have better mental health as well, where people have less or perception of less purpose, they have a greater propensity to have, a varying amount of mental health challenges. And so I think this is all linked. What you've just said there is the health of the individual is very much linked to, you know, how relevant they feel in society, in their communities, in their families and within their workplaces. I had a good chat with a friend over coffee on Saturday morning. And she was telling me that, and I agreed with her. She said all of the ticky boxes that she needs in life, you know, to satisfy go and state and Maslow's hierarchy of needs, you name it, all of those needs that she has, she finds in her career, in her workplace. And it made her look and think, Oh my gosh, why am I not going to, why am I not getting these outside of my career, outside of my job? And I said, lady, I'm doing the same. Do you know what I mean? Because we are more in tune with purposefulness in terms of our careers than outside, which is, is a relevant kind of psychological way of looking at things. But don't you find that it's easier to include the human element in the human element, within the resiliency piece, when, you know, the purpose is stronger? And then when it isn't, give us an example of maybe how you've seen both.

Rick:

Yeah, I think absolutely. So in, in the sort of thinking now on organizational resilience and the work I've been doing, um, Resilience First, for example, which is a not for profit member organization. We've just published through Resilience First, a new model for organizational resilience alongside Cranfield's University School of Management. And that's based around what we term the five capitals. So clearly an organization needs to be financially resilient. Its infrastructure and operations, including supply chain, needs to be resilient. Uh, it needs to be mindful about environmental resilience. Uh, and it needs, uh, clearly to be thinking about social resilience, its reputation and, and the like there. But the other fifth dimension is workforce, uh, which is all about people. So workforce resilience is a key thing. Key one of the five capitals that we've got. And when we're looking at that, there are a number of things that organizations may want to deem as very important when they consider their workforce resilience and how they measure it. But I think one of the factors there is what we're terming as sort of like personal resilience or the overall workforce resilience. And that's related to their well being, but it's also very directly related, as you say, to how they see the purpose and usefulness of that organization, not just to them, but to wider society, as I've mentioned. It's also related to their motivation, um, which is linked to that purpose and all the rest. So there are some factors around workforce resilience and then personal resilience, which is a key subcomponent of that, which are very related to what you've just talked about.

Yoyo:

Yeah, and to be honest with you, I think you've tapped into something there around workforce resilience. You made me go instinctively back to COVID because there were those organizations that became weaker after COVID because they didn't have the workforce resilience. Maybe they took more drastic decisions to let go of their employees. There were some organizations that kept their employees and therefore had workforce resiliency when the kind of the wheels of motions got started again. How involved were you at that stage in witnessing this type of organizational resilience within workforces during that time?

Rick:

Yeah, I mean, I was very involved in helping guide quite a few organizations through it. I was actually also involved again, in, in the Olympics in the guiding, uh, the, uh, IOC through the Tokyo 2020 scenario preparations as well. Um, so I, when I look at workforce resilience or any aspect of resilience, I say there are areas where you want to be looking progressively. So this is forward thinking. So as an organization on workforce, you, you want to be thinking about have I got the skills fit for the future and where I'm going and where, you know, the world is going, and then they're going to be others which are defensive and they will be, uh, things like have I got enough of a focus on the sort of critical capabilities or skills I need as an organization to keep the lights on, um, both now and, and in the, in the near term. Uh, and I think what, you know, partly what happened in the pandemic is some organizations were better at understanding that the pandemic is not going to last forever. There is a point when we will start to move back to normality. Um, but do I have a strong enough focus on the core capabilities I'll need and the volume of capabilities I'll need when we start to get back to business as usual? And I think some organizations will thought that through, others I think probably perhaps less so and felt that they would just be able to get people when they needed them. And, and it's never that easy just to get people when you need them. Uh, there's a, you know, quite a long pipeline quite often for bringing people back.

Yoyo:

Do you feel that people, I mean, I get frustrated when people don't take my advice because I feel like it's such a waste of energy. It's good advice. Yeah. It comes from a reason, comes from good rationale, comes from a good place. Do you get frustrated when people don't take on board what you recommend and can you include an example where it's difficult to influence stakeholders into why they really should follow your instructions?

Rick:

Yeah, I, you can get frustrated, um, but you step back and you learn to move on and, and work with organizations who are prepared to listen and act on the advice you give them. Um, but I, I think in my career, I found that many times an organization may not have always taken on the advice first time round, but quite often they've come back later, um, which is always quite interesting to reflect on. Um, one of the things I've tried to do is keep the advice I give really simple, really practical, um, and not overwhelming. So, you know, organizational resilience as a topic can be huge. Um, and if I go to any two or three organizations and ask them what they mean by it, I'll get different answers. Uh, and I'll get different, um, uh, considerations, et cetera. So what we're trying to do with the new model is sort of break it down into these five capitals I've talked about, but you can look at each one in turn, you don't have to, you know, you don't eat, have to eat the whole elephant in one go, you can do this in increments, and in doing so, I also try to get people to think about what matters to you as an organization most right now and why, most importantly, why does it matter? So if we really understand why it matters, then we can start to build resilience around, around the things that really matter, and then it's much easier to persuade people about, if there's an investment case, to get on with the investment case. And a lot of work I do is really just trying to frame things as simply as I can, focus on what really, really matters, what's essential, and, and build a case for moving forwards on those.

Yoyo:

A lot of security professionals that listen, um, they're in a learning mindset, continually evolving, continually adapting. And that's why having people like you who are expert in your field is, is really healthy and good for security brains, but can you share for their benefit and for their learning and for the opportunity to learn what you learned from an experience, an opportunity where you maybe saw that the resilience strategy had failed, doesn't need to be your own, but you can see that a resilience strategy had failed. Could you identify the reasons why it didn't work?

Rick:

Um, sometimes it's about a lack of faith, imagination, being able to actually imagine the things that have happened would happen. Uh, and then in hindsight, you can go, well, it's fairly obvious. I mean, we could say that about the pandemic in a way. Um, some of it is, I think, not just a lack of imagination, but a failure in understanding that when organizations do a risk analysis, and they map it by likelihood and by impact, that likelihood and impact are not equal. They're not equally, um, as important in, in the weighting. If you start to think about it from a resilience point of view, because what you tend to find is some of the most high impact events are weighted as the least likely, and they end up in the least likely things to happen. And therefore organizations aren't focused on them as we saw with the pandemic. But I could say that a pandemic, if it has a, you know, one in 80 year likelihood, that could be tomorrow. And yet the impact is extremely high. So if you start to decouple likelihood and start to focus on impact and say, what are my top 10 highest impact things as an organization that I do understand and know about, have I built, and do I have sufficient resilience to deal with those situations? So that's the way I would encourage people to look at it. One is, you do have to have the imagination to think, sometimes the unthinkable. But secondly, even on the risks you know about, and have thought about, decouple that likelihood and just think about what are my top 10 highest impact risks here and how would I deal with those.

Yoyo:

I'm going to ask you now if you think there's an apathy around likelihood because this is the stumbling block I've always come up against and to a point where my opinion or my way into a conversation, my way in as in W E I G H, has been somewhat diminished because I've been called a harbinger of doom. That's never going to happen. You know, the comments we get as professionals and in a sense, it's a bit like having a superpower when you're in the risk and resiliency field because you see things and you see the light, you see that it's actually not a fantasy to imagine that a pandemic was going to happen. We had before COVID, 10 years before COVID, even with SARS, we had a number of clear indicators that the likelihood was increasing. When you look at the 9/11 incident, horrible, horrible incident that shaped so many lives that listen, you know, there were, there are those that would say, that's not a black swan event, that there were, there were a number of different incidents that happened before when planes went into tall buildings. There was a number of different evidences around in the counter terrorism intelligence field that indicated that America was going to receive an attack. So what do you do when people don't listen and they call you a harbinger of doom and, and then, you know, we can't turn around, can we, and say, I told you so. That's the worst thing you can say in our field.

Rick:

Yeah, yeah. I think the other thing, I mean, apart from trying to decouple the likelihood, because, as I say, it's not equal to impact. Impact is quite objective. It can be scientifically and quantitatively analysed. And the scale of impact can be understood, if you put your head to it. Quite often, likelihood, unless you're in the insurance industry and you're dealing with a risk which has a long, long track record, and you're not in a very changing environment, that track record could be modelled forwards. It's highly subjective, uh, and quite often in the more recent sort of risks, we're talking about climate and cyber. There isn't history to model it on, so, so it's even more subjective. But apart from doing that, I think the other thing I try to do is decouple resilience from individual risks. So I'm not really talking about risks. What I, the way I do it, and the way the, the model I've talked about that we've launched describes it is let's build resilience more generically, let's build the capacities and the capabilities and each of these capitals that we're talking about, which has the ability to absorb any event. And buy us time and give us time to respond and then adjust or adapt as we go forwards. And what I then do is say, I will use different risks just to stress test against now the resilience I've built. Well, the resilience I've built is to withstand against multiple forms of risk. So I'm not going to focus on one risk. I'm going to talk generally about being more resilient organization. And resilience is a strength. Resilience, as a former runner and athlete, is something you want. It's something that leads to success. Resilience is a foundation for success. So let's, let's build a strong organization, which is a resilient organization, has capacities and capabilities to absorb events, to adapt to events. And now just use risk to stress test.
Have I got enough resilience given the sort of risks I'm facing today and in the, and in the sort of foreseeable future. So that's the, that's the approach that I try to take. So I don't talk about particular catastrophic risks. I do talk about building a successful organization and strengthening resilience as a core foundation of that.

Yoyo:

So you have resilience, you have agility. And you have preparedness and you have three very magical components that all work in synchronicity to protect, uh, an organization. Haven't you there? I can see.

Rick:

Yeah. And I think, you know, I had, uh, an economist talking to me the other day saying, you know, so resilience is a cost, you know, and if I make my supply chain more resilient, it's going to cost, which is going to make us sort of less of less efficient and therefore less profitable as an organization. And, but my argument was, the days of a lean supply chain and a lean efficient supply chain work really, really well when you have a non volatile world, stable, then there's an argument to say that is, as a resilient strategy, that probably is okay. But the world today is far more volatile. So we, we, we've changed. And if you try to run a very lean supply chain, you're starting to see the costs of running such a lean supply chain actually are outweighing perhaps building additional resilience into that supply chain today to make it able to absorb the volatility that we've got in the world. So, in other words, resilience isn't static. It needs to adjust to the world that you're in. And, you know, if we go to a more stable environment in the future, organizations may go back to sort of leaner supply chains. But right now, actually, organizations, I think the cost of that is quite high. And maybe it is better to build some resilience, whether that's a traditional stockholding or it's reengineering some of the supply chain, so it's more diverse or spread. So whichever way they want to go, that they're actively building more resiliency, it's a reaction to the changing world.

Yoyo:

Most of us who are around now were around during COVID in the workplace. Take us through our lessons learned because the lean supply chain process literally was realized as being very vulnerable during those times. And COVID came on quite quick, didn't it? Is it the speed of it that caught it off guard? And what has business learned in general since then?

Rick:

It is potentially the speed that caught it off guard, but it was probably already starting to hit headwinds because geostrategic changes were already happening as well. And those were going to put pressure on lean supply chains for sure. And we were seeing, you know, increases in terrorism and cyber attacks starting to happen and impacting supply chains. So I think some of the headwinds were already there before the pandemic. So I think, as I say, resilience has to be based on the context of the world in which the organization operates. Uh, some of that will be their own internal context and degree of change they're going through, but some of those are outside events. Uh, and, you know, I think the World Economic Forum, in its, um, risk report for 2024, I identified four strategic forces that are going to impact organizations over the next 20, 30 years or so. One is demographics, changing demographics. Now that doesn't just mean changes potentially or pressures on workforce, but it means changes to products and services that you might be supplying. Um, another is around technology acceleration. That isn't just about cyber, but it's about new technologies, including AI. And when you're looking at that, it's not just AI as a risk, actually, but AI very proactively can be used to improve resilience of organizations. How do we use it in that way effectively? It was about climate and climate change and the impact that has. And the fourth one was around geostrategic shifts. So they very clearly set out these four strategic forces. And again, when I'm talking about resilience, I am increasingly talking about it as not so much just a risk management discipline. In fact, fundamentally, it starts with strategy and business model, because that's your opportunity to adapt your organization. That's your opportunity to build in resilience in the context of the world that you're operating.
And when you think about it, risk management then is this sort of sticking plaster after you've made those decisions. So that's, that's really what's happening. So if you can build resilience in this part of strategy business model, make the better decisions, then you build an inherently more resilient organization. And then your risks that you're left with are perhaps slightly, slightly less or slightly less onerous in terms of what you want to put around it.

Yoyo:

When we had the pre chat, you said there were three strategic themes. You've added another one. There's now four.

Rick:

Yeah, well, in our model, we've not, uh, for the year on Resilience, we're not yet focusing on demographics. So we're focusing on three. Demographics we may look at in the future. But we, we picked three out, three of them out of the four for a focus from, from what we're doing.

Yoyo:

And we can all see, certainly with the Suez Canal, the Red Sea, how geostrategic shifts have adjusted supply chains as well, or the management of supply chains from, through exporting. Do you see this as a long term issue now, or is there something else at play here that's benefiting some countries?

Rick:

Well, I don't know on that. I was going to do an analogy. I talked about adjusting resilience based on the context you're, you are operating in both internally as an organization, but also the external world you're in. And there's a similar, there's a, similar to security, there are security threat levels that are used. And, you know, if we're operating at level 3, that tells security people something about the world they're in, right? And if it moves up to level 4 or level 5, they're expected to adjust their security stance. That's what happens. Um, and that's the point of those levels. Well, resilience isn't so different. It may not be quite so formalized as in, you know, we're operating in a world that's at level three or level four, but we're doing exactly the same thing. We're saying the context that we're operating in has changed. So what does that mean for our resilience? Can we stand it down a little bit? Can we, do we need to raise it up a bit? So that's exactly what I'm, I was talking about, um, in terms of adjustments to supply chain and lean efficient supply chains may not be as, uh, effective today as they were 20 years ago.

Yoyo:

When you look back at the incidents that we can all say with hindsight had a degree of predictability about them, and we've discussed some of the most notorious, are there any other black swan events, I should say, are there any black swan events that you think a young resiliency risk professional should be focusing on right now? Certainly with a bit of future scanning, a bit of horizon planning, what would you advise those professionals?

Rick:

It's always difficult because, uh, people always ask that and I say, I don't think my crystal ball is any better than anybody else's. Uh, so it's really, really hard. And again, I do think that is one of the fundamentals, I talk about decoupling resilience from risk as well, is you're not building resilience to every specific risk. Build it more generically, build it as a strong organization and then use different risks, different types of risks to stress test. That is the best way to do it. That means that you're less focused on just trying to prevent or be resilient to a particular event. So I've got an example, one organization I've been looking at that suffered a catastrophic failure and, you know, in their minds it was, well, this was a data issue. It was a unique data issue. We could never have actually foreseen exact circumstances of this data issue, da da dum. And you're going, yeah, no, you are right. It was highly unusual. It was difficult to foresee that particular data issue. But, the way you'd constructed your technology systems, it was clearly not beyond the imagination to have thought I could have a, a data issue generically, and data integrity issue, which if it fed into my primary system, would also impact my secondary system. And that would lead to a catastrophic failure. And that would be quite complex to then navigate through and recover from. And it might take longer than we normally would take in a standard recovery. And I think, again, to your point there, is it about second guessing? No, but sometimes stand back and just look at sort of bigger themes, and look at how your organization is engineered to cope with that. So I don't need to think about a specific supply chain failure necessarily, you could, but I could think more, more broadly. If I had a supply chain failure, which impacted this set of products, which are really important to the community that I serve, how would I deal with that? Or how is my supply chain currently set up to get around that? Where are the weaknesses?

Yoyo:

There is the lesson learned. I don't know if anybody picked that up, but the lesson learned is don't think about one specific black swan incident. You're absolutely right. Look more broadly, because like asking you to predict the future is really cool. I did the same to Dr. David Rubens as well. Dr. David, uh, very eloquently said a very similar thing, but he said there were themes of reoccurrence and they were war, instability, climate, food security. And we know by looking back in 2024, for some countries, it was power security and it was broadband security, because the West Coast of Africa lost all their broadband for several weeks. And it was due to a landslide underground that affected the cables. So there are lots of things to consider, but whether it's power or whether it's an uprising in your country, uh, you're going to have to deal with a lack of something. And it's that lack of generally you're asking professionals to think about, aren't you?

Rick:

It is, yeah, absolutely. And then, as I say, the first thing is, a lot of people then jump to, so how would we respond, what plans we've got. I'm going, no, the first is, how does your organization, or the system, actually respond to that? Because is it straight catastrophic failure, or is it that system absorbs some of it, so, and it's still, the way it can still do certain things? In which case I'm now, what levers can I adjust to make that better? And then I can get on to what more do I need to do to start to further improve it, which is the planning. So there's a more systematic way of looking at it.

Yoyo:

Lastly, and before we finish up, you advise the UK government, civil contingency security, I've got to say, this is such a hard sentence to read, let me try again. You advise the UK government, civil, hang on. You advise the UK government, civil contingency secretariat on C3 design readiness and capabilities in preparation for EU exit, Brexit, as part of the cross government C3 concept of operations and capability development program. Yes, that was hard to say. What is C3 design and how did you support the government in this case? I'm curious.

Rick:

Yeah. So some people might call it C4, whatever, but C3, command, control, communications effectively. So it's just basically your crisis core crisis structure in managing an event. Um, and I guess the EU exit was a precursor test for the pandemic, actually. Um, in the sense that, although when UK government has to react, you know, and we have COBRA, which is the crisis committee, et cetera, to major events, uh, quite often they are predominantly single departments that have some cascade effects to other departments. EU exit was genuinely a cross cutting all, all government departments, et cetera, thing. So, as then was the pandemic in reality. So, this was a real test of C3 capabilities, or it was the start of a test of C3 capabilities, or the building of C3 capabilities to deal with that much wider cross government, all of government, um, event. So that's, uh, part of what was being involved. And to be fair, although a lot of preparation was done when we break, you know, the Brexit on the, the day of or the night of whatever, it wasn't that the world was going to fall apart. It was, uh, it was going to be more gradual, uh, in terms of the impacts of Brexit coming through. So it probably wasn't fully tested ultimately in the pandemic. Then, as we've seen, tested that much further.

Yoyo:

So I want to ask you about Cranfield. Yeah, we're talking about the Cranfield that's actually not so far away from me. I hear you, you frequent quite often.

Rick:

Well, as, um, Cranfield University, the School of Management there, uh, Professor David Denyer in particular, uh, has been involved, um, both in becoming a partner of Resilience First. So, uh, one of our academic partners, uh, for Resilience First. And one of the reasons we selected Cranfield, the School of Management, is they are a practical engineering university. It's post-grad, it's not a graduate university. And they're very focused on the application of what they do in, in, into industry. In fact, you know, they don't have a traditional setup of, of, if you like, departments and, uh, and the like that most universities have. So they don't have, like, humanities and social sciences, they face off to industry sectors. So that was a key feature, but the other was work they'd already done around resilience. And, again, it was when I was at Deloitte and then through the National Preparedness Commission, I was very much involved in effectively, um, commissioning and then editing, um, a paper called Resilience Reimagined, which, uh, Professor David Denyer and Mike Sutliff from Cranfield wrote, uh, and that started a bit of a journey because that paper became, um, a key input into the revision of BS 65000, the Code of Practice on Organizational Resilience, which I co-chaired. And that has subsequently been a key input to the current working draft, which I'm the lead author on, which is the International Standard Revision on Organizational Resilience. So I've been working through that with Cranfield for some time. When I took on the board and executive director role for Resilience First, I was looking for these key partners and Cranfield is a key partner for Resilience First. So we work together based on some of that, those standards I've just talked about, to create this new model for organizational resilience. So that's, that's really, uh, what we've just, um, published. It's, it's an outline model at this stage. We're on a two to three year journey to, uh, as Resilience First with Cranfield to build out more and more content for that. So, more examples, more case studies, uh, specific sector level measures, which might be relevant for resilience in finance or in workforce, as we've said. Um, so that's, yeah, quite a, quite a lot we've got planned over the next two to three years.

Yoyo:

I can see this sparking a lot of interest in some of our listeners actually wanting to find out more. What would be your advice to much younger, uh, security professionals, in the resiliency, sort of part of their journey right now? What would, as a seasoned, you know, uh, um, dude, how do you look back at the younger generations emerging through and what would you advise them that you wish somebody maybe had advised you?

Rick:

Yeah, I mean, always keep things practical and relevant to the organizations you're working with or for. Um, you know, think about what really, really is important, um, from their perspective. I mean, in security, it's often perhaps a little bit more black and white clearly, because safety and human safety is very, very clear. Resilience is not quite always so clear. I mean, the safety bit is always there, but it's like, beyond that, if this is not about a life safety issue or an asset protection issue, what's really important? And again, I, the way we've tried to phrase it from a resilience point is, what is it you do or provide to others, um, which is vital to their interests? So whether that is as an investor into the company, or it's a customer of the company, or it's an employee of the company, right, there are things you do which are vital to them. And resilience is trying to understand that, uh, understand why it's vital to them, and then make sure those elements are resilient. So as an organization, you've got a clear focus on what matters.

Yoyo:

And lastly, are you a person that has a high level of personal resilience?

Rick:

I think I probably am. Uh, and I do, you know, I talked about how did I get into this and I talked about my engineering at the start and then into IT and writing computer systems, etc. But I do think there's probably another dimension is, I think I have a high degree of personal resilience, uh, across, I don't know, it's possibly built through years and years of competitive running cross country in the worst of weathers, you know, and you train hard, you train on, and then sometimes you have success, but sometimes you don't, right? And, uh, and you have a choice at that point, you give up or you get out there the next day and try harder. It's a bit like if you fall off your bike. Do you get back on that and go again? Or do you throw the bike away? So I think I've built a lot of personal resilience probably through, through that sort of sporting life that I had.

Yoyo:

So I used to do that cross country running when I was younger, and you know, where you get the mud all the way up the front, all the way up the back, and you know, you get back into the changing rooms in school, and you've got ruddy cheeks, and you're still out of breath. I was really good at it. I was like, my, my friend and I, we were like the top two. Um, and then we even competed in secondary school, when we separated and went into two second, she's still running by the way, she has a running body. I'm not, and I don't, um, but when you look back at that resilience, you made a really good point. Um, I hated it. I was really good at it, but I hated it and I had to stop doing it because you can't keep doing something you hate doing, uh, even if you're good at it.

Rick:

Like,

Yoyo:

Can you imagine being a really good magician, but hating it and go, oh, here's another trick I'm going to show you. Um, right. So, so I think resiliency is about really fine tuning into what you love, because I think if you're doing what you love, it's right. Yeah.

Rick:

But it's also about understanding that it's part of success. You know, people who are successful usually quite resilient because they've had to take, you know, you don't automatically get success in life generally, unless you're very lucky. You pitfalls on the way. Again, what I do say, um, uh, and, and this is probably very relevant for security as well, is because a lot of people say resilience is about preventing things from going wrong. It isn't in that sense. Resilience doesn't stop you falling off your bike. What it does, it helps you get back on it. And hopefully it helps you learn so the next time you may not fall off for the same reason, because you've learned that, but you may still fall off again, but it's all about, yeah, being able to get back on and keep going.

Yoyo:

Absolutely. Well, Rick Cudworth, it has been a pleasure. You did deliver. I'm really grateful for, uh, your time spent with me today. Thank you for bringing your incredible energy around resilience to the Security Circle podcast. You smashed it. Have a great rest of the year. And thank you so much for joining us on the Security Circle podcast.

Rick:

Thanks, Yoyo. Thank you very much.