Australia’s operating environment is becoming increasingly characterised by uncertainty, complexity and interconnected risk. Climate-related disasters, biosecurity threats and cyber-enabled disruption are no longer isolated challenges but increasingly overlap in ways that test organisational resilience.
Abstract
In May 2026, more than 200 participants from local government, emergency management agencies, public health organisations and industry bodies participated in three immersive crisis simulations across Victoria examining severe weather disruption, H5N1 avian influenza and cyber-enabled fraud. Although each exercise focused on a different hazard, participants encountered remarkably similar leadership and organisational challenges. This article examines the findings from these exercises through a resilience lens and argues that organisational preparedness is less dependent upon the nature of the hazard than upon an organisation’s ability to establish situational awareness, make decisions under uncertainty, communicate effectively and adapt as circumstances evolve. The subsequent detection of highly pathogenic H5N1 avian influenza in Western Australia shortly after the epidemic exercise provides a timely illustration of why these capabilities matter.
Introduction
In June 2026, Australian authorities confirmed the first mainland detection of highly pathogenic H5N1 avian influenza in Western Australia. While the outbreak remained confined to wild bird populations, the event attracted considerable attention from emergency managers, agricultural authorities, public health organisations and government agencies across the country.
The significance of the outbreak extended beyond the immediate biosecurity implications. It served as a reminder of how rapidly strategic risks can transition from theoretical concerns to operational realities.
This is not a new lesson. Australia’s recent history has been shaped by a succession of complex and disruptive events. The Black Summer bushfires of 2019–20, the COVID-19 pandemic, repeated flood emergencies across Victoria and New South Wales, and a growing number of cyber incidents affecting public and private sector organisations have all demonstrated that modern crises rarely fit neatly within organisational boundaries. They are characterised by uncertainty, cascading consequences and increasing interdependence between agencies, sectors and communities.
Consequently, resilience has become a strategic concern rather than a specialist discipline. The question facing leaders is no longer whether disruption will occur, but whether their organisations possess the capability to operate effectively when it does.
Only weeks before the Western Australian H5N1 detection, more than 200 participants from local government, emergency management, public health, agriculture and industry participated in three immersive crisis simulations delivered across Victoria using the view360global platform. The exercises examined three distinct threats: a severe weather emergency affecting Campaspe Shire Council, an H5N1 epidemic scenario involving the Loddon Mallee Regional Emergency Management Committee (REMC), and a cyber-enabled fraud incident delivered in partnership with the Melbourne Chapter of the Association of Certified Fraud Examiners (ACFE).
At face value, these scenarios appeared fundamentally different. One involved a climate-driven emergency, another a biosecurity event and the third a cyber-enabled organisational crisis. Yet despite their differences, participants encountered remarkably similar challenges.
Across all three exercises, organisations struggled to establish situational awareness from incomplete information, make decisions before certainty existed, communicate effectively with multiple stakeholders and adapt as circumstances evolved.
These observations suggest that resilience may be less about preparing for specific hazards and more about developing organisational capabilities that remain effective regardless of the initiating event.
Resilience in Contemporary Australia
Traditional approaches to risk management have often been organised around specific hazards. Emergency management frameworks focused on natural disasters. Public health agencies prepared for disease outbreaks. Cyber security functions concentrated on technology-related threats. Business continuity teams addressed operational disruption. Increasingly, however, these distinctions are becoming blurred.
A severe weather event may trigger infrastructure failure, supply chain disruption, misinformation and political scrutiny. A disease outbreak may rapidly become an economic, social and reputational crisis. A cyber incident may evolve into a legal, governance and communications emergency within hours.
This reality aligns with observations from contemporary resilience research. Hollnagel argues that resilient organisations should be assessed not by their ability to prevent disruption entirely but by their ability to anticipate, monitor, respond and learn. Similarly, Weick and Sutcliffe emphasise the importance of collective mindfulness and continuous sense-making within complex and rapidly changing environments.
These perspectives suggest that organisational resilience is not primarily about controlling hazards. Rather, it concerns the capacity to function effectively despite uncertainty.
The Victoria State exercises provided an opportunity to examine this proposition in practice.
A Four Pillar Framework for Organisational Resilience
Analysis of the exercises suggests that four interrelated capabilities underpin organisational resilience.
The first is the ability to sense. Organisations must be capable of establishing situational awareness despite fragmented, incomplete or conflicting information. Without a shared understanding of events, effective decision-making becomes impossible.
The second capability is the ability to decide. Crises rarely provide the luxury of certainty. Leaders are frequently required to make consequential decisions based upon partial information and evolving circumstances.
The third capability is the ability to communicate. Maintaining trust, confidence and coordination often proves as important as managing the operational aspects of an incident. Communication therefore becomes a strategic capability rather than a supporting function.
The fourth capability is the ability to adapt. Plans provide structure, but resilience ultimately depends upon an organisation’s ability to modify assumptions, revise priorities and adjust actions as situations develop.
Although simple, this framework provides a useful lens through which to examine the three Victorian exercises.
Case Study One: Climate Resilience and Cascading Consequences
The Campaspe Shire Council exercise examined a rapidly escalating tornado event affecting multiple communities across northern Victoria.
Initially, participants received meteorological warnings and reports of localised damage. However, as the scenario developed, the consequences became increasingly complex. Power outages affected essential services, transport networks were disrupted, telecommunications failures reduced visibility and public concern intensified.
What emerged was not simply a weather emergency but a broader organisational challenge.
The exercise highlighted the difficulty of establishing a common operating picture as information arrived from multiple sources with varying degrees of reliability. Participants repeatedly revisited their assessments as new intelligence emerged, illustrating the importance of organisational sense-making during dynamic events.
Decision-making proved equally challenging. Escalation decisions had to be made before complete damage assessments were available. Participants frequently found themselves balancing the risks of acting prematurely against the risks of waiting for greater certainty.
Communication rapidly became a critical issue. Community expectations for information often exceeded operational understanding. Participants recognised that silence could create anxiety, yet premature communication risked disseminating inaccurate information.
Perhaps most significantly, the exercise demonstrated the need for adaptation. Recovery planning commenced while response operations remained underway, requiring participants to manage multiple priorities simultaneously.
The scenario reinforced a growing body of evidence suggesting that contemporary disasters are characterised less by the initiating hazard than by the cascading consequences that follow. The tornado became a test of infrastructure resilience, welfare arrangements, stakeholder communication and interagency coordination rather than simply emergency response.
Go to case studyCase Study Two: When the Scenario Became Reality
The Loddon Mallee REMC exercise explored an escalating H5N1 avian influenza outbreak affecting migratory and native bird populations and raising concerns regarding human exposure.
Participants included representatives from public health organisations, agricultural agencies, emergency management bodies, local government and state departments. The scenario commenced with reports of unusual mortality within migratory bird populations before progressively expanding to encompass public health concerns, supply chain disruption, community anxiety and increasing media scrutiny.
As the exercise evolved, participants confronted many of the dilemmas associated with contemporary epidemic response.
Scientific information remained incomplete. Community expectations continued to rise. Social media amplified speculation and misinformation. Agencies were required to balance public health considerations against economic and agricultural consequences.
Viewed through the resilience framework, the exercise exposed significant challenges across all four capability areas.
Participants struggled to establish a coherent picture from fragmented information sources. Decision-makers were required to act despite uncertainty regarding the scale and trajectory of the outbreak. Communication became increasingly complex as stakeholders demanded reassurance before scientific certainty existed. Throughout the scenario, agencies repeatedly revised assumptions and adapted their strategies as circumstances changed.
Then, only three weeks after the exercise concluded, Australia confirmed its first mainland detection of highly pathogenic H5N1 in Western Australia.
The significance of this development was not that the exercise accurately predicted the outbreak. In many respects, it did not. The circumstances differed substantially and the scale of the real-world event remained far more limited. Rather, the outbreak demonstrated how quickly hypothetical risks can become operational realities.
For participants who had recently spent several hours navigating questions relating to public confidence, interagency coordination, resource prioritisation and stakeholder communication, the appearance of H5N1 in Australia provided an immediate illustration of why preparedness cannot be deferred until certainty exists.
Go to case studyPreparedness should not be judged by whether organisations anticipate specific events correctly. It should be judged by whether organisations possess the capability to respond effectively when events occur.
Case Study Three: Cyber Resilience and Organisational Trust
The third exercise examined a cyber-enabled fraud incident involving suspicious financial activity, compromised systems and potential insider involvement. Delivered in partnership with the ACFE Melbourne Chapter, the scenario reflected the increasingly blurred boundaries between cyber security, fraud, governance and organisational reputation.
Initially, participants approached the incident as a technical problem. As the exercise developed, however, it became clear that technology represented only one dimension of the challenge. Questions concerning accountability, trust, legal obligations, stakeholder confidence and organisational reputation quickly became equally significant.
Participants faced familiar challenges associated with establishing situational awareness within complex environments. Technical information was incomplete. Indicators were often ambiguous. The full scope of the incident remained unclear for much of the exercise.
Decision-making was similarly complicated by uncertainty. Leaders were required to determine whether to disclose information, initiate containment measures or activate broader crisis arrangements before investigations had concluded.
Communication proved particularly important. Stakeholders expected transparency, yet many facts remained unknown. Participants recognised that maintaining confidence required careful management of both information and expectations.
The exercise also explored the growing influence of misinformation and synthetic media. Participants acknowledged that future cyber incidents may involve attempts to compromise organisational credibility as well as organisational systems.
The scenario therefore reinforced an important conclusion. Cyber resilience is not solely a technical capability. It is fundamentally an organisational capability requiring leadership, communication, governance and trust.
Go to case studyComparative Findings
Although the three exercises examined very different hazards, their findings were remarkably consistent.
Across all scenarios, uncertainty proved more significant than the initiating threat. Participants rarely lacked plans. Instead, they struggled to interpret incomplete information, make decisions before certainty existed and coordinate effectively across organisational boundaries.
The exercises also highlighted the importance of relationships. Effective responses depended upon trust, shared understanding and pre-existing networks. Participants frequently reported that one of the most valuable aspects of the exercises was gaining a deeper appreciation of how partner organisations think, communicate and make decisions.
This observation supports wider research into resilience and emergency management. Time and again, inquiries into major incidents identify the importance of relationships established before a crisis occurs. Trust cannot be improvised during an emergency.
Finally, the exercises reinforced the importance of adaptability. Participants repeatedly discovered that initial assumptions became outdated as situations evolved. Resilience therefore depended not upon rigid adherence to plans but upon the ability to adjust actions in response to changing circumstances.
Implications for Australian Organisations
The findings from these exercises have implications extending well beyond emergency management.
As Australia’s operating environment becomes increasingly complex, organisations face growing pressure to demonstrate resilience. Regulatory developments such as APRA CPS 230, reforms relating to financial institutions and increasing expectations regarding operational resilience, all reflect this trend. Yet resilience cannot be achieved solely through compliance activities.
Most organisations already possess plans, frameworks and governance structures. The challenge lies in understanding how those arrangements perform under realistic conditions.
Immersive exercising provides a means of testing this capability. By exposing participants to uncertainty, competing priorities and dynamic decision-making environments, exercises help organisations move beyond assumptions and gain a clearer understanding of actual performance.
Conclusion
The central lesson emerging from these exercises is not that organisations require more plans. Most participants already possessed plans. The challenge lay in translating those plans into coordinated action when confronted with uncertainty.
The hazards examined across Victoria, a tornado, an epidemic and a cyber-enabled fraud incident, shared little in common operationally. Yet the capabilities required to manage them were remarkably similar. This suggests that resilience is best understood not as preparation for specific threats but as the development of adaptive organisational capability.
The subsequent detection of H5N1 avian influenza in Western Australia served as a timely reminder that crises do not wait for organisations to feel ready. Strategic risks can become operational realities with little warning.
The organisations most likely to succeed will not necessarily be those that predict the next crisis correctly. They will be those that have developed the capability to sense, decide, communicate and adapt when predictions prove wrong.
In an era defined by climate uncertainty, biosecurity threats and digital disruption, that distinction may be one of the most important lessons for organisational leaders.