Pretend you protect us, and we will pretend to believe you. In some companies and organisations, these unspoken words reduce risk, compliance, and audit to mere formalities, stripping them of their true role as pillars of corporate governance and resilience.
Unspoken words speak volumes. They reveal hidden corporate vulnerabilities that no one dares to acknowledge, risk-blind cultures where silence replaces accountability, and procedural compliance without substance. The “no news is good news” strategy discourages risk disclosures that affect confidence.
Sometimes, the members of the Board prioritise short-term profits over long-term security, so critical risks are ignored until they escalate into crises. This cost-cutting mindset sometimes extends beyond operations and efficiency to risk management, creating a dangerous situation. The board hires a CEO whose primary mandate is to drive cost reductions and profitability. The CEO, in turn, hires a Chief Risk Officer who is expected to align with this cost-minimization strategy, often treating risk management as a financial burden rather than a strategic necessity.
Sometimes, the members of the Board and the CEO leave risk, compliance, and audit underfunded and understaffed, and push for minimum compliance: just enough to meet regulatory requirements, but not enough to genuinely mitigate threats. Although they always say in public that security is their top priority, behind closed doors they see it as an annoyance.
When executives prioritize perception over protection, the long-term consequences can be severe. This institutionalized risk blindness is a systemic failure to recognize, assess, and address critical threats to the entity, the critical infrastructure, and the country.
The good news: Many companies and organizations do the opposite. Many Boards understand that risk management is an essential investment. They see corporate governance as a competitive advantage. They embrace a culture of transparency, ensuring that boardroom discussions go beyond checklists and cover resilience, security, and long-term sustainability.
The Hybrid Resilience Initiative (HRI), operated by Cyber Risk GmbH, is there to promote these good corporate governance practices, in the era of hybrid threats and state-sponsored adversaries. It will support organizations and promote the best practices that prioritize resilience over short-term cost-cutting. It will encourage a shift from risk avoidance to strategic risk leadership, where companies view resilience as a long-term asset.
The Hybrid Resilience Initiative (HRI) has the mission to enhance resilience against hybrid warfare tactics, cyber espionage, and asymmetric threats that target the private sector. HRI provides independent insights and strategic defenses against state-sponsored cyber intrusions, hybrid coercion tactics, strategic deception campaigns, influence operations, and insider threats that affect corporate and national security. The initiative operates with full neutrality, free from commercial, political, or regulatory influences, and the knowledge is shared without financial, legal, or membership obligations.
The initiative envisions a world where citizens and entities of the public and private sector work together and share knowledge in a collaborative, intelligence-driven environment to defend against hybrid warfare tactics, cyber espionage, and disinformation campaigns to protect democracy, critical infrastructure, and societal stability.
HRI is guided by the following principles:
1. Independence: The initiative is free from financial, political, or commercial influence, ensuring neutrality and credibility.
2. Voluntary Participation: Engagement is entirely voluntary, with no obligations, contracts, or membership requirements.
3. Practical Impact: The initiative prioritizes actionable insights, focusing on real-world challenges and solutions in hybrid resilience.
4. Adaptability: HRI remains flexible and agile, allowing for continuous evolution based on emerging threats.
News and updates from the Hybrid Resilience Initiative (HRI) can be found in the monthly newsletter of Cyber Risk GmbH, a comprehensive publication exceeding 80 pages each month. The newsletter provides in-depth insights on hybrid warfare, cyber espionage, and resilience strategies. You can download it at no cost, with no registration, subscription, or commitment required at:
https://www.cyber-risk-gmbh.com/Reading_Room.html
You may also visit:
https://www.hybrid-risk-management.com
https://www.hybrid-stress-testing.com
https://www.defensive-hybrid-intelligence.com
What is Performative Risk Management?
British philosopher John Langshaw Austin (1911–1960) proposed a distinction between performatives and constatives in his lectures (published as "How to Do Things with Words"). Austin’s work challenged the assumption that language is merely descriptive. Instead, he showed that words shape reality.
Austin originally categorized statements into two types:
- Performatives (shaping reality with words): a performative utterance does not just describe reality, it also performs an action simply by being spoken.
- Constatives (describing reality): a constative utterance makes a statement that can be evaluated as true or false.
Performative risk management refers to the practice of appearing to manage risk without actually mitigating real threats. It is a superficial approach that prioritizes optics over substance, often reducing risk management to a bureaucratic checklist exercise rather than an integral part of corporate strategy.
While some organizations present themselves as risk-conscious and compliant, their actual risk management efforts lack depth, enforcement, or a real commitment to security and resilience. This phenomenon is also prevalent in highly regulated industries and critical infrastructure, where some companies and organisations seek to satisfy auditors and regulators on paper while failing to implement meaningful risk controls.
In Performative Risk Management, entities draft detailed risk policies that look strong in theory but are never fully implemented in practice. Their risk management frameworks are created to pass regulatory inspections rather than to address real vulnerabilities. Risk disclosures are crafted to appear compliant, often downplaying or omitting significant concerns.
What is Internal Disinformation?
Disinformation is almost always associated with external threats, such as state-sponsored campaigns, social media manipulation, or geopolitical influence operations. However, disinformation also exists within organizations.
Internal disinformation refers to the spread of misleading, incomplete, or false information within an organization, influencing decision-making, risk management, compliance, and corporate culture. It can be found in sanitized risk reports, manipulated performance metrics, suppressed security vulnerabilities, and selective disclosure of critical information, leading to a false sense of security, regulatory exposure, and weakened resilience.
Strategic disinformation from leadership includes the manipulation of data or narratives to control investor perceptions or avoid accountability, the overstatement of security readiness to satisfy regulators or shareholders, and the misrepresentation of risk and compliance efforts. In legal terms, it can lead to severe regulatory, civil, and even criminal consequences.
Strength in Adaptation. Power in Resilience.
In an era where risks evolve rapidly, organizations must embrace continuous adaptation and proactive resilience. The ability to anticipate, adjust, and respond to emerging threats is not just a competitive advantage; it is a necessity for survival.
Strength in Adaptation - This is the ability to adjust strategies, processes, and structures in response to evolving threats. Organizations that master adaptation are proactive rather than reactive, continuously learning from internal and external disruptions to anticipate, prepare for, and capitalize on change.
The risk landscape is dynamic. Threats, regulatory requirements, economic downturns, and geopolitical instability create ever-changing challenges. Regulations evolve, and organizations must continuously update their risk and compliance frameworks to meet shifting legal obligations. Adversaries adapt, and so must defenses.
Power in Resilience - This goes beyond adapting to change; it is about withstanding shocks, maintaining operations, and emerging stronger from disruptions. Attacks are inevitable and organizations cannot prevent all breaches, but they can build resilience to withstand attacks and minimize damage.
Strengthening Hybrid Resilience Through Knowledge
Cyber Risk GmbH develops and maintains 67 specialized websites, each providing critical insights into risk management, compliance, cybersecurity, and resilience.
As part of the Hybrid Resilience Initiative (HRI), these websites serve as a knowledge hub for professionals navigating the complexities of modern hybrid threats, whether in financial services, critical infrastructure, or geopolitical risk.
Explore our resources and stay informed. Knowledge is the first and most important line of defense.
a. General, Sectors, Industries.
1. Hybrid Risk
4. Defensive Hybrid Intelligence (DHI)
5. Cognitive Intelligence (COGINT)
6. Legal Intelligence (LEGINT)
7. Algorithmic and AI Intelligence (ALGINT)
8. Synthetic Cognitive Intelligence (SCINT)
9. Hybrid Resilience Initiative (HRI)
10. Cyber Risk GmbH
11. Social Engineering Training
22. Sanctions Risk
23. American Privacy Rights Act of 2024 (APRA)
24. Travel Security
25. Risk management, what is different in Switzerland
b. Understanding Cybersecurity.
4. What is Synthetic Identity Fraud?
6. What is Quantum Risk Management?
c. Understanding Cybersecurity in the European Union.
2. The Digital Operational Resilience Act (DORA)
3. The Critical Entities Resilience Directive (CER)
5. The European Data Governance Act (DGA)
6. The European Cyber Resilience Act (CRA)
7. The Digital Services Act (DSA)
8. The Digital Markets Act (DMA)
10. The Artificial Intelligence Act
11. The Artificial Intelligence Liability Directive
12. The Framework for Artificial Intelligence Cybersecurity Practices (FAICP)
13. The EU Cyber Solidarity Act
14. The Digital Networks Act (DNA)
15. The European ePrivacy Regulation
16. The European Digital Identity Regulation
17. The European Media Freedom Act (EMFA)
18. The Corporate Sustainability Due Diligence Directive (CSDDD)
19. The Systemic Cyber Incident Coordination Framework (EU-SCICF)
20. The European Health Data Space (EHDS)
21. The European Financial Data Space (EFDS)
22. The Financial Data Access (FiDA) Regulation
23. The Payment Services Directive 3 (PSD3), Payment Services Regulation (PSR)
24. The Internal Market Emergency and Resilience Act (IMERA)
26. The European Cyber Defence Policy
27. The Strategic Compass of the European Union
28. The European Space Law (EUSL)
30. The EU-US Data Privacy Framework
31. The European Cloud and AI Development Act
34. The EU Cyber Diplomacy Toolbox