The Year in Resilience: Complex Threats
The resilience landscape is evolving quickly, shaped by both internal transformation and external turbulence. adding significant complexity to organizations’ operating environments. The BCI Year in Resilience Report 2025 supports this view. Reflecting on these pressures, respondents identified geopolitical risks as a major concern for operational continuity and long-term stability, with state-sponsored cyber-attacks and hybrid warfare emerging as the most significant threats, cited by 60.7%.
However, risk also lies in what is overlooked: while prioritising cyber threats aligns with future concerns, it risks allowing other issues such as supply chain disruptions to slip under the radar (cited by 46.4% of respondents), trade disputes, tariffs, or sanctions (quoted by 45.7% of surveyed parties). Threats are interlinked across security, economic, and operational domains, and success now depends on anticipating risks, responding quickly, and building robust, organization-wide resilience.
Increasing complexity, digital rights and internet shutdowns
Recent research[1] sheds more light on threat complexity. Dr. Tony Roberts, a Digital Research Fellow at the Institute of Development Studies, University of Sussex, relates an interesting process that highlights the layers of complexity in risk:
‘Five years ago, I got a small grant to bring together people from ten African countries working on what is now called digital rights. Each participant conducted a scoping exercise on the biggest digital-rights issues in their country. We brought those findings together in a report. We had expected mostly positive examples of creative uses of technology, but instead we heard how governments were using the same technologies to close civic space, dampen democratic debate, conduct digital surveillance, spread disinformation, enforce internet shutdowns, and arrest people for criticising the president. Digital spaces that once allowed people to raise their voices were being closed down, and the most dramatic tactic was simply switching off the internet.’
Since then, university departments and other organizations started tracking shutdowns and developing tools to monitor these[2].
Economic impact
From a business-continuity perspective, governments’ phased shutdowns must have a major economic impact, but this is a yet a little studied area. Only recently have these issues started to be monitored and documented.
Media headlines often focus on the political motives—especially after the Tahrir Square protests in Egypt, when the government, facing an existential threat, switched off the entire Internet[3]. That was the moment the issue gained international attention.
Today, governments who adopt this approach try to avoid the huge economic impact of switching everything off by targeting shutdowns more narrowly.
In Africa and elsewhere, shutdowns are fairly frequent[4], so governments using them repeatedly have been forced to consider economic consequences, which explains why they now target specific provinces or districts. They may keep downtown business areas online while cutting off a region with political opposition. But even targeted shutdowns cost nations millions, simply because millions of people rely on the internet for daily income. So, the impact of shutdowns can quickly amount to tens or hundreds of millions in losses, even when they are short.
Operational impact
The overlapping complexities of resilience are well demonstrated in the operational context section of the BCI report. There is an interesting comment from a humanitarian aid organization on delivering aid during the Ebola crisis.
The commenter said, in part: ‘Operating in that area was incredibly complex. We were dealing with an Ebola outbreak in a very remote part of the Democratic Republic of the Congo and just buying or transporting basic supplies was a huge challenge. Before sending in our emergency personnel, we had to carry out a full security assessment of the region, checking routes, local conditions, and risks. In the middle of all this, we also had to manage a medical evacuation for one of our staff.
‘The conditions were extremely tough. I have seen photos of the roads, and they were in terrible shape, practically impassable in some areas. But this is what resilience means for us: making sure our teams can continue to operate safely, no matter how difficult the circumstances. Our people run Ebola treatment centres, and ensuring their safety is the top priority.’
The restarting conundrum
What comes next for organisations is the difficulty of restarting systems after shutdowns, which is particularly for those in the humanitarian sector. Research on specific “restart costs” is still limited. But while humanitarian agencies often maintain independent communication systems and rely on satellite phones when internet access is unavailable, the challenge of resilience and restarting operations is very real for them.
Tony Roberts, points out that Ethiopia is the African country with the highest number of internet shutdowns, including military-targeted ones. When conflict broke out between the central government and Tigray, the first action was to attack cell-phone towers[5].
‘In Africa, more than 90% of people access the internet via mobile devices, so destroying mobile infrastructure effectively cuts connectivity,’ he says. ‘Fibre-optic cables are sometimes dug up too, though usually for economic theft rather than political motives.’
What can be done?
As hybrid threats have shifted from distant headlines to a regular operational reality, BCI research suggests organizations should embed security considerations in BC plans, in order to stay ahead of potential impacts.
The humanitarian aid organization mentioned earlier also indicate the long-term nature of coping: ‘Back in 2006, some local doctors were killed because of mistrust and misinformation. Now, thankfully, the community has started to understand that we are there to help, not to harm. But that shift took a lot of effort, building relationships, showing up consistently, and proving that we are committed to their safety as much as our own.’
There is an increasing need to ‘build flexibility into strategic and operational plans’ as the report says, going on to note that as the threats are ‘interlinked across security, economic, and operational domains… success now depends on anticipating risks, responding quickly, and building robust, organization-wide resilience.’
As personal safety has become a more tangible concern over the past few years, organizations are also increasingly prioritising duty of care. The report notes: ‘Respondents pointed out that this process goes beyond traditional business continuity and resilience measures to focus on the safety and wellbeing of employees and their families. Risk planning often involves HR and relies on insights from local teams, who have a better understanding of on-the-ground conditions.
By considering the human element alongside operational and regulatory risks, organizations can design more comprehensive and practical plans that protect people while maintaining continuity. Guidance such as ISO 31030 on travel security reinforces this approach, helping organizations embed staff safety and broader human-focused risk management into their resilience strategies.’
Read the full report
More on
About the author
Brian Runciman
Content Manager, The BCI
