Think You’re Resilient? Well, Think Again!
Think You’re Resilient? Well, Think Again!
The 2026 theme from the Business Continuity Institute (BCI) for their Business Continuity awareness week (BCAW), could not be more apt in the current times.
Can any risk professional hold their hand to heart and say they have a view of and prepared for all the risks and threats within their domains? And can they even estimate the level and sheer quantum of the unknowns? I guess the honest answer here would be ‘Hmmm. I wish but no, I don’t’!
This is expected in environment where global challenges are only getting more complex – from war, economic uncertainty, geopolitical uncertainties, climate change, cyber threats, to pandemics and other public health crises, most significant now being AI impacting jobs, skillsets, risk understanding et al.
In this environment, the BCI’s challenge to organizations is well placed. If you agree, the problem is never the lack of awareness but a misplaced sense of preparedness! If organizations believe that they are well placed just because they have an established resilience management function, some tools and software, documented BC plans that were tested, established KPI and KRI metrics, governance forums, and so on; then it is only half the battle won.
The Numbers Don't Lie — And They Hit Hard
I am a big fan of statistics because numbers do not lie and they hit hard! So, here’s some, although there’re so many others to drive the point home.
- The current global financial costs of cybercrime are challenging to estimate, but most surveys estimate it at about $500B every year.
- Natural disasters have caused over $250 billion in economic losses in recent years (global insurance data).
- Companies lose up to 45% of one year’s profits over a decade due to supply chain disruptions (McKinsey).
- Natural disasters have increased by five times over the past 50 years (UN).
- 96% of organizations experienced operational disruption in the last two years (Everbridge).
- The average cost of IT downtime is $5,600 per minute (Gartner estimate).
- 75% of executives say digital risk is increasing faster than their ability to manage it (Accenture).
- 50%+ of global GDP is moderately or highly dependent on nature and ecosystem services (WEF).
- 44% of organizations have already experienced negative consequences from AI-related risks (WEF).
- 80% of organizations say recovery is taking longer than it did five years ago (BCI).
Whew! Not easy data to digest! The BCI and other industry surveys have established that almost 77% of organizations believe they are resilient, but only 27% have validated that confidence through stress testing. An EY report also claimed that 64% of executives admit their risk management strategies lag behind the pace of change.
Have we really factored some aspects around threats like, say, third-party and other supply chain disruptions? Organizations can expect disruptions lasting a month or more every four or so years. Is that covered, or do we have a continuity plan relying on outdated assumptions about stability and recovery time? And with all the focus on third party risk, only 21% of organizations report having full visibility into their supply chains, leaving significant blind spots.
CISCO says: ‘AI capabilities have crossed a threshold that fundamentally changes the urgency required to protect critical infrastructure from cyber threats, and there is no going back.’
I am tempted to quote from an article* I just read from a respected industry security veteran. He stated: ‘Security gaps are less today about missing systems – and more about misunderstood signals.’ An AI-enabled system flags anomalies in real time—but without the right expertise to interpret them, teams either face alert fatigue or miss what truly matters.
Another credible piece of advice I read recently in an AI related article* stated: ‘Most damage in institutions does not begin when something looks broken. It begins when something sounds settled. And the next time an AI system speaks with unusual confidence inside a bank, the room should become more alert, not less’.
Conclusion
My honest ask of every risk and resilience professional reading this is simple. Go back to your frameworks, your plans, your assumptions — and interrogate them with fresh eyes. Ask the uncomfortable questions. When did you last stress-test against a scenario that truly made you uncomfortable? When did you last challenge a long-held assumption about your recovery timelines or third-party dependencies?
The BCI's theme this year is not just a catchy provocation — it is a mirror held up by every organization that has ever confused documentation with preparedness, or a tested plan from three years ago with genuine readiness for today's threats. The gap between perceived resilience and actual resilience is not a small one, and the statistics above make that painfully clear.
Ok, enough said. I think I made my point. Do not get complacent, my fellow risk professionals!
Think you're resilient? Good. Now prove it - to yourself, first.
Attend BCAW+R Webinars
The Talent War in Security: Why Capability—Not Technology—Will Decide Outcomes | LinkedIn
When Core Banking meets AI, Certainty starts to Blur ! | LinkedIn
More on
About the author
Ratna Pawan
Independent Security Risk Consultant
Ratna Pawan is a senior and seasoned Risk, Resilience & Project management professional, based in Toronto, Canada and is currently the lead of The BCI Women-In-Resilience SIG.
