It is often the things we know best that catch us off guard. Familiarity, for all its advantages, has a tendency to dull perception. And when it comes to risk, perception is everything.
In continuity planning, governance work, and operational leadership, we spend a great deal of time identifying formal risks. We talk about regulatory failure, data breaches, reputational threats, natural disaster. We prepare for the unexpected, the external, the difficult to imagine. But in doing so, we often miss the hazards that sit in plain sight – the ones embedded in routine.
That is not a failure of knowledge. It is a failure of perspective. The longer something is familiar, the less likely we are to scrutinise it. Over time, risk becomes ambient. And when that happens, it becomes invisible.
This is the quiet threat that undermines many otherwise competent organisations: not high-profile risk, but habitual exposure.
We trust what we know. That is the problem.
It is a deeply human trait – and a professionally dangerous one. Systems that have not failed are assumed to be strong. Processes that have always worked are assumed to be safe. People who have never missed a deadline are assumed to be available. We become comfortable with routine, and in that comfort, we stop testing the structures we rely on.
This is where governance becomes performative. Continuity becomes theoretical. Assurance becomes something for others – something for the complex, the uncertain, the crisis-prone. Not for us. Not for this setting. Not for this system that has worked well enough, long enough.
Until it doesn’t.
I don’t begin continuity planning by talking about floods, fire, or ransomware attacks. Those things matter, of course, but they are not the core of resilience. The core lies in the seemingly ordinary.
Who has the authority to send the first email if the chief executive is away and the safeguarding concern is real?
What happens if the person who opens the venue, week after week, is suddenly no longer available?
What about the outdated board structure that still gives decision-making power to those who haven’t attended a meeting in months?
None of these things are dramatic. None would appear in a risk register under the heading “catastrophic event.” Yet they are precisely the kind of failures that expose fragility – because they are not perceived as risks at all. They are perceived as familiar.
Continuity is not only about what might happen. It is about what is already happening quietly, consistently, and without scrutiny, and that is where leadership has to shift.
To lead with resilience is to be willing to re-question the familiar. To ask, not in alarm, but in preparation: what have we taken for granted? What assumptions are we relying on? What would fail if one quiet thing – a person, a step, a habit – was suddenly removed?
Familiarity does not protect us. If anything, it conceals risk. Continuity demands that we notice the ground beneath our feet. Because it is not always the earthquake that causes the damage. Sometimes it is the cracked tile on the step we stopped paying attention to.