Most organizations discover their business continuity gaps during a crisis, when a cyberattack disables systems, a key supplier fails, or facilities become inaccessible. The question "what do we do now?" becomes harder to answer than anyone expected. And that is because preparing an organization to continue operating under a disruption is genuinely difficult work, and most organizations underinvest in it until the moment they need it most.
Business continuity management (BCM) is the discipline that closes that gap, ensuring organizations' ability to maintain critical operations during disruptions. BCM does not promise to prevent disruptions; rather, it ensures that when disruption occurs, the organization can continue delivering what matters most to customers, employees, and stakeholders.
Most organizations discover what they're missing from a Business Continuity Plan (BCP) at the worst possible moment. A supplier goes dark. A data center floods. A key system fails mid-week. Someone asks "what's the plan?" and the honest answer is: we're figuring it out.
That's not a leadership failure. It's what happens when continuity planning gets treated as something to sort out later, once things settle down.
We're proud to announce that Fortiv has joined the Business Continuity Institute (BCI) as a Corporate Sponsor. The BCI team sat down with our CEO and Co-Founder Thomas Sehested and CPO and Co-Founder Emil Pfeiffer to share what that means, why we chose to become a sponsor, and what we hope the BCM community takes away from the partnership.
Can you tell us a bit about Fortiv?
Two people. A hundred and sixty BIAs. Multiple regulatory examiners. An annual review cycle that was already behind before it started.
That is not an unusually stretched BCM team in financial services. That is a representative one. And every process decision, every tool choice, every shortcut a program makes is shaped by that constraint, not by what good BCM looks like in theory, but by what two people can realistically sustain across an entire enterprise.
If you read Part 1 of this series, you'll know the problem isn't new. BCM teams are small. The scope is enormous. The manual process eats capacity that should go toward strategy. And by the time the work is done, the data behind it has already started to drift.
The question this blog tries to answer is more specific: where, exactly, does AI change that? Not in theory. In practice, across the parts of the BCM lifecycle where the hours actually go.
You send out the BIA questionnaire. You ask people to estimate their Recovery Time Objective. A few days later, the responses come back: two hours. Two hours. Two hours. Every team, every system, every process, all marked as needing recovery within two hours.
It's not that people are being careless. It's that most stakeholders don't have the context to answer the question any other way. "How long can you be down?" sounds straightforward. But without a shared understanding of what impact looks like over time, the answer defaults to whatever feels safe.
A Business Continuity Plan (BCP) is a documented set of procedures that guides an organization to respond to disruptions and restore critical operations within defined time objectives. It identifies essential business functions, assigns recovery responsibilities, and defines communication protocols to minimize downtime and protect revenue, reputation, and regulatory standing.
Most large organizations have business continuity plans. The question is whether those plans would actually hold up when something goes wrong.
Most organizations have one, yet few people can clearly explain what it actually does.
A company’s business continuity policy often ends up buried somewhere on an intranet, signed off by a senior leader, filed under a compliance folder that most employees never open. It was written carefully, probably by someone who genuinely cared about getting it right. And then it was, for most practical purposes, forgotten.
When the pandemic hit, a lot of organizations found out the hard way that having a business continuity plan (BCP) and having a tested business continuity plan are two very different things. Plans that looked complete on paper fell apart in practice. Not because they were poorly written, but because the assumptions inside them had never been put under real pressure.
And it wasn't just the pandemic. Geopolitical instability, supply chain failures, widespread cyber incidents, and extended infrastructure outages have each forced the same uncomfortable realization: organizations weren't facing unpredictable "black swan" events. In many cases, they were facing foreseeable disruptions at a scale they had simply never validated against.
For decades, Business Continuity Management (BCM) has depended on human effort at nearly every step. Interviews to collect operational data, manual analysis of dependencies, periodic plan reviews, and exercises designed to validate documentation that is often outdated by the time it is approved. The model assumes that organizations change slowly enough for readiness to be revisited periodically.
That assumption no longer holds.
Exercises sit at the core of any effective Business Continuity Management (BCM) program. They are where plans are put into practice, assumptions are challenged, and resilience is evaluated under pressure. However, in many organizations, exercises have become routine activities rather than meaningful indicators of preparedness.
This gap is becoming more pronounced as disruptions grow increasingly complex, interconnected, and unpredictable. Modern operating environments span cloud infrastructure, third-party ecosystems, and distributed teams, where a single disruption can cascade across systems, vendors, and geographies. Despite this reality, many exercise programs remain static in design and limited in scope, creating a disconnect between what is exercised and what organizations are likely to face.
The Iran conflict, now ongoing for weeks, with US–Israel strikes and escalating threats to the Strait of Hormuz, has forced Business Continuity Management (BCM) teams worldwide into immediate response mode. What once felt like a theoretical “worst-case scenario” is now a live operational reality.
For many organizations, the current crisis is exposing an uncomfortable truth: the systems designed to ensure continuity are not built for the speed, scale, or complexity of the crisis unfolding in the Middle East. In practice, many BCM frameworks remain too rigid and sequential, struggling when confronted with real‑time, multi‑vector shocks.
I left DRJ Spring 2026 with a strong sense that the resilience profession is in the middle of a reset. Not a gradual evolution, but a real shift in how resilience is understood, practiced, and valued inside organizations. Across sessions and conversations, the same themes kept surfacing. Different words, same direction. Not only in the field itself, but in the role of the profession within organizations. Here are the takeaways that stood out most.
From static plans to validated capability
An inconvenient truth about Crisis Management Exercises
If you gather 1,000 security professionals in a room and ask them how easy it is to get people to complete a crisis preparedness exercise, not a single one will answer: “Very easy.” It’s somewhat of a known secret in the industry that crisis exercises tend to get deprioritized and pushed into the future. They require significant planning and the alignment of multiple calendars, often with very senior people. The goodwill is there but the schedules are busy.