You send out the BIA questionnaire. You ask people to estimate their Recovery Time Objective. A few days later, the responses come back: two hours. Two hours. Two hours. Every team, every system, every process, all marked as needing recovery within two hours.
It's not that people are being careless. It's that most stakeholders don't have the context to answer the question any other way. "How long can you be down?" sounds straightforward. But without a shared understanding of what impact looks like over time, the answer defaults to whatever feels safe.
Most large organizations have business continuity plans. The question is whether those plans would actually hold up when something goes wrong.
That gap between having plans and having plans you can use is where most BCM teams quietly live. The documents exist. They're version-controlled, somewhere. They were accurate when they were written. But the business moved on, the plans didn't keep up, and now, in the middle of an incident, the team is scrambling to figure out which copy is current, whether the recovery steps still reflect how the team actually works, and who to call first.
Most organizations have a business continuity policy, yet few people can clearly explain what it actually does.
A company’s business continuity policy often ends up buried somewhere on an intranet, signed off by a senior leader, filed under a compliance folder that most employees never open. It was written carefully, probably by someone who genuinely cared about getting it right. And then it was, for most practical purposes, forgotten.
When the pandemic hit, a lot of organizations found out the hard way that having a business continuity plan (BCP) and having a tested business continuity plan are two very different things. Plans that looked complete on paper fell apart in practice. Not because they were poorly written, but because the assumptions inside them had never been put under real pressure.
And it wasn't just the pandemic. Geopolitical instability, supply chain failures, widespread cyber incidents, and extended infrastructure outages have each forced the same uncomfortable realization: organizations weren't facing unpredictable "black swan" events. In many cases, they were facing foreseeable disruptions at a scale they had simply never validated against.
For decades, Business Continuity Management (BCM) has depended on human effort at nearly every step: interviews to collect operational data, manual analysis of dependencies, periodic plan reviews, and exercises designed to validate documentation that is often outdated by the time it is approved. The model assumes that organizations change slowly enough for readiness to be revisited periodically.
That assumption no longer holds.
Exercises sit at the core of any effective Business Continuity Management (BCM) program. They are where plans are put into practice, assumptions are challenged, and resilience is evaluated under pressure. However, in many organizations, exercises have become routine activities rather than meaningful indicators of preparedness.
This gap is becoming more pronounced as disruptions grow increasingly complex, interconnected, and unpredictable. Modern operating environments span cloud infrastructure, third-party ecosystems, and distributed teams, where a single disruption can cascade across systems, vendors, and geographies. Despite this reality, many exercise programs remain static in design and limited in scope, creating a disconnect between what is exercised and what organizations are likely to face.
The Iran conflict, now ongoing for weeks, with US–Israel strikes and escalating threats to the Strait of Hormuz, has forced Business Continuity Management (BCM) teams worldwide into immediate response mode. What once felt like a theoretical “worst-case scenario” is now a live operational reality.
For many organizations, the current crisis is exposing an uncomfortable truth: the systems designed to ensure continuity are not built for the speed, scale, or complexity of the crisis unfolding in the Middle East. In practice, many BCM frameworks remain too rigid and sequential, struggling when confronted with real‑time, multi‑vector shocks.
I left DRJ Spring 2026 with a strong sense that the resilience profession is in the middle of a reset. Not a gradual evolution, but a real shift in how resilience is understood, practiced, and valued inside organizations. Across sessions and conversations, the same themes kept surfacing. Different words, same direction. Not only in the field itself, but in the role of the profession within organizations. Here are the takeaways that stood out most.
From static plans to validated capability
COPENHAGEN – Fortiv, the AI-native platform designed to transform how enterprises manage resilience, today announced it has raised €3M in a Seed funding round led by Seed Capital. The investment will accelerate the company's mission to eliminate the manual burden of Business Continuity Management (BCM) and help organizations navigate an increasingly volatile global landscape.
Thomas Sehested
Emil Stenbøg Pfeiffer