Insights

The Middle East is fracturing. Not along a single fault line, but across several simultaneously, under pressure that has been building for years and is now visibly breaking the surface. And yet most of the commentary remains trapped in the same tired framework: Who fired what, who controls which corridor, and which government is destabilised. These are real questions. They are not, however, the questions that matter most to the organisations, communities, and regulatory bodies that have to function in this reality.

This article is not about geopolitics. It is about something harder to ignore, which is what happens when a crisis of this complexity becomes the new operating baseline, and whether the tools we have built to manage risk are actually fit for that challenge.

To understand what is happening in the Middle East right now, you need to step back from the headlines and look at the structural picture. There are three vectors of attack that, in any major crisis, tend to move together. The first is human, involving violence, displacement, social fracture, and the collapse of institutional trust. The second is machine, involving the targeting and degradation of digital and physical infrastructure, cyber operations, and the disruption of supply chains and financial systems. The third is climate, involving extreme heat, water scarcity, agricultural failure, and the slow and accelerating erosion of habitability in certain zones.

In most crises, you see one of these vectors dominate, with the others playing supporting roles. In the Middle East today, all three are running in parallel, and they are feeding each other. Human conflict degrades the infrastructure that societies need to adapt to climate stress. Climate stress creates the resource pressures that drive human conflict. Machine vulnerabilities are exploited by actors on every side, eroding the digital systems that coordinate everything from emergency response to food distribution.

This convergence is not accidental. It is structural. And it is why the conventional toolkit of risk management, calibrated for one threat at a time, is failing in plain sight.

There is a harder question to ask here, and it is one the profession has avoided for too long. Is classical risk management conceptually obsolete?

Risk management, as most organisations practise it, is a statistical discipline. It looks backward. It assigns probabilities to defined scenarios based on historical data, attaches financial impact estimates, plots events on a matrix, and produces a register. This approach has genuine value in stable, bounded environments. But it was never designed for convergent, non-linear crises. It was not designed for a situation where three vectors are amplifying each other simultaneously, where the reference data from previous cycles no longer applies, and where the trajectory of the crisis is genuinely unknown.

The fundamental problem is not methodology. It is ontology. Risk management assumes that the future resembles the past closely enough that historical frequencies are a meaningful guide. Today, in the Middle East and increasingly in other global contexts, that assumption is invalid. The distributions have shifted. The tails have fattened. The scenarios that were marked as extreme outliers are arriving with uncomfortable regularity.

Resilience is a distinct discipline. Rather than focusing on the probability of an event, it asks: What is our capacity to continue functioning when something unexpected occurs? It is both forward-looking and practical, encompassing the full cycle of anticipation, preparedness, response, recovery, and, critically, the potential to generate a competitive advantage.

Crisis on. What now?

That last part is the one most organisations skip. They treat resilience as a defensive posture. It is not. Think of a goalkeeper who is so well-prepared and good at reading the game that she does not just stop the shot; she reads the trajectory early enough to redirect the ball, organise a counterattack, and tell the striker exactly where to run. She is not defending; she is creating.

That’s what genuine organisational resilience looks like when it works properly. It is not the absence of damage. It is the capacity to convert pressure into forward momentum because you built the system, culture, and people to do exactly that. And they do it not by accident, but by design.

This is the point where most articles stop. They diagnose the problem, gesture toward resilience, and leave the reader without a practical frame. That is not good enough.

The starting point is to accept that what we are seeing is not a temporary disruption on the way back to a known baseline. The crisis in the Middle East, in its current form, may be the operating environment for years. Organisations that are waiting for stability before they reconfigure their postures will wait too long. The honest framing is this: the new normal may not be normal at all.

From that starting point, three dimensions of resilience become immediately relevant.

The organisational dimension concerns the specific entity, whether a company, an NGO, a government department, or a critical infrastructure operator. The question here is not whether you have a crisis plan. The question is if the plan was made for your current situation, if it were recently tested, and if the people who have to use it under pressure were truly ready. Preparation in a stable environment and preparation for a multi-vector crisis are not the same thing. The former is a process. The latter is a culture.

The societal dimension is larger and harder to control, but it matters enormously. Societal resilience is the aggregate capacity of communities, institutions, and civil systems to absorb disruptions and continue to function. In a prolonged crisis, this is where the real fragility often lies. Not in individual organisations, which frequently have more formal planning than the communities around them, but in the connective tissues of society: trust in institutions, social cohesion, and the ability of communities to self-organise when formal systems fail.

In the Middle East, this connective tissue is under severe strain. Understanding its condition is not a soft concern. It is a challenging operational variable.

The regulatory dimension is the one most frequently underestimated by practitioners. In a crisis of this scale and duration, regulatory frameworks do not stay still. Governments impose emergency measures. International standards get suspended or reinterpreted. Compliance obligations shift. Organisations that are not tracking the regulatory environment in near-real time will find themselves operating in a space that no longer matches their assumptions.

More importantly, the regulatory dimension also presents opportunity. Post-crisis reconstruction, infrastructure investment, and new governance frameworks: these are not abstract policy matters. They are the terrain on which the next decade of commercial and institutional activity will unfold.

Moreover, recovery is not restoration. And this is where most organisations make their most expensive mistake.

The instinct is to return to the previous state as fast as possible. Get back to normal. But stop and ask the question honestly: What exactly was that normal? In a significant number of cases, the pre-crisis baseline was already fragile. The supply chains were already overextended. The governance frameworks were already outdated. The leadership capability was already thinner than it should have been. The crisis did not create those problems — it revealed them.

So, what should you actually be recovering toward?

Here is where classical risk thinking truly fails you. Pull out your 4x4 risk matrix. Plot the scenarios. Assign the probabilities. Then ask yourself: does any of this help me understand what the new operating environment looks like or what I need to build for it? The honest answer, for most organisations operating in or connected to the Middle East right now, is no.

The matrix was calibrated for a world that no longer exists. The distributions have shifted. The reference data is stale.

This is precisely the moment you need a chief resilience officer mindset. Many risk officers are ready for this. They want to do more. They can see the inadequacy of the register, the limitations of the matrix, the gap between governance rituals and genuine preparedness. But they are kept in the role of box-colourer, fulfilling compliance duty, when what the organisation actually needs is someone willing to stand in the wreckage of the old normal, refuse to rebuild it blindly, and ask the harder question: What should we be building for the new one?

The risk function has the talent, but it often lacks the mandate. That is a leadership failure, not a professional one. Give it the mandate, and become the goalkeeper who reads where the game is going, not just where it has been.

The competitive advantage does not go to the organisation that recovers fastest from the past. It goes to the one that moves most deliberately toward the future.

Your shareholders will say: Congratulations, you survived. Now what? Because if the answer is that you're going to return to what you had before, you just paid a very high price to stand still.

The Middle East will not wait for your risk committee to reconvene. Neither will your competitors. So, the only question is: Are you rebuilding for the past or designing for the future?

This article has been written by Cedrick Moriggi from Resilience World Nexus Summit (RWN) team and has been published by The Crisis Response Journal.