
Find out more www.thebci.org

A Year in the World of Resilience 2023
A BCI Report

Contents
Executive summary
Strategic leadership of resilience
Practitioner priorities for 2024
An overview of artificial intelligence
How have attitudes towards BC practice changed this year?
Spending in 2024
Predictions for next year
Top five takeaways for practitioners
Annex


Foreword
Welcome to the first edition of the BCI’s A Year in the World of
Resilience Report. This seeks to form conclusions gained from
the monthly reports that the BCI has published through the
year. These have covered disparate subject areas relating to
resilience and the current report pulls all the key insights into
one place, as well as injecting current practitioner views on how
these findings will translate into working practices for resilience
professionals in 2024.
We are very grateful to Riskonnect for their sponsorship of this
new report in our portfolio.
2023 is now drawing to a close and, for us, the year can be
categorised into three themes. Firstly, there have been huge
advances in technology this year, both advantageous and
disadvantageous to organizational resilience. Secondly, after
years of practitioners and senior management being engaged
in the response to COVID-19, there are early signs that apathy
is creeping in to operational and strategic resilience planning.
Finally, the human side of resilience is a key theme throughout
the reports this year: from both a wellbeing perspective and
from a risk perspective.
This year, the use of artificial intelligence (AI) has seen
its highest growth ever in resilience settings, with some
practitioners keen to exploit its benefits from a planning, data
mining, and analytical perspective. Training and exercising
are being transformed through AI-built scenario plans and
the BIA process can be made more efficient through the use
of AI. However, many professionals are still erring on the side
of caution, taking a risk-based approach to adoption until
regulation and better controls are in place. Indeed, a ‘wait and
see’ approach is commonly seen. Furthermore, with cybercrime
on the increase and attacks becoming more sophisticated and
targeted, management concern is clearly warranted. However,
with senior management keen to increase investment in
technology in 2024, the benefits are certainly outweighing the
risks – for the time being.


A question raised in the report needs serious consideration:
are senior management at risk of becoming too wrapped up
in concerns about cybercrime and neglecting other key threats
of the organization? For some areas, such as supply chain risk,
this does appear to be true. While some organizations have
increased the resilience of their supply chains and continually
look to improve it further as a result of failures during COVID-19,
other professionals report that this much needed attention
is now being diverted to other areas (such as cyber security)
and cracks are starting to appear again as new risks, such as
global conflict, are emerging. Proactively scanning the supplier
landscape for threats, entering into close relationships with
critical suppliers to get early warning of risks deeper into the
supply chain, and ensuring that due diligence is carried out on
new suppliers pre-contract is good practice that should always
be adhered to.
Finally, the people factor remains at the heart of a resilient
organization. Our research shows that some of the measures
that organizations introduced during COVID-19 to improve the
wellbeing of staff are no longer effective; and are even now
branded as tokenism by some. Organizations are seeking new
ways of improving employee wellbeing, such as fostering more
supportive team structures, or using AI to help employees use
their time more effectively. Furthermore, human error is the
entry point for the majority of cyber-attacks and regular training
and penetration testing are crucial to shore up security.
I would like to thank everyone who participated in all our
research projects across the year which helped to make this
seasonal ‘annual’ possible; and once again I offer my thanks to
Riskonnect who have sponsored this report.

Rachael Elliott
Head of Thought Leadership
The BCI


Foreword
Riskonnect, who acquired Castellan Solutions in July 2022,
is very pleased to sponsor the BCI’s inaugural A Year in the
World of Resilience Report. This thought leadership document
summarises the considerable research performed by the BCI
throughout calendar year 2023.

Although not surprising, the risk associated with cyber-related
disruption is top-of-mind for just about everyone, caused by the
prevalence of technology-enabled business processes together
with the continued rapid expansion of the threat environment.

Somewhat surprising is the decreased emphasis on, or
concern with, third-party or supply chain risk issues. Perhaps
a “hangover” effect from a focus on COVID-19 driven supply
chain disruptions or the result of effective investment over the
past five years, 2023 research indicates concern and attention is
waning. Regardless, assessing vulnerability caused by reliance
on third parties should remain a resilience priority, especially
considering complex global supply chains and the ongoing geo-
political threat environment.

Although different forms of artificial intelligence have been
around for years, the introduction of generative AI tools such
as ChatGPT has catapulted the conversation, addressing
the potential for greater business continuity planning process
efficiency but also discussions regarding the risk associated with
a lack of AI governance.


This report excels in covering the topic and I firmly expect that
AI will be a focus of discussion in 2024 and beyond. It offers
perspective on the value proposition associated with AI and
the business impact analysis process, including automation
and improvements to the identification of dependencies. Next
year, I expect we will start focusing on how AI will contribute to
the identification of third- and fourth-party vulnerabilities, with
recommendations on proactive risk treatment.

Finally, specific to budgets, research conclusions indicate
organizational spend on business continuity and operational
resilience will remain flat for most, except for – and again,
not surprisingly – spend specific to the cyber element of
operational resilience as well as the use of AI.

I hope that you enjoy reading this report and trust it arms you
with the information to assist with stakeholder engagement and
planning for 2024 and beyond.

Brian Zawada (FBCI)
Vice President and General Manager – Resilience
Riskonnect

1 Executive summary

Senior leadership support is the primary component of a successful
resilience programme:
The significance of obtaining senior leadership support
for resilience programmes has become increasingly
apparent over the year. Building a genuinely resilient
organization relies on the collective contribution and
collaboration of the most senior leaders representing
all core organizational components. To foster an
understanding of their role in the resilience building
process, it is imperative that leadership at the highest
level is actively engaged and supportive.

Cyber security is the top concern for senior management:
While only 6.1% of survey respondents identify a cyber-
attack as the most disruptive event this year, cyber
security has emerged as the foremost concern for senior
management in 2024 and over the medium to long-
term as well. The anticipated focus of senior leadership
on cyber resilience in 2024 is driven by several factors,
including the increasing frequency of cyber-attacks, the
heightened complexity and sophistication of attacks, how
technology-dependent organizations are today, and
the multifaceted strategic consequences associated with
a successful attack, such as financial and reputational
impacts.

Cyber resilience: 56.7%
Operational resilience: 48.3%
Regulation: 41.7%


Operational resilience is now a management priority in
regulated sectors:
The topic of operational resilience continues to grow in importance
in 2023, with nearly half of organizations engaging in operational
resilience discussions at least once a quarter. The frequency of senior
leadership engagement demonstrates the impact of current and
forthcoming regulations, particularly within the financial services
sector. As operational resilience regulations evolve, extending into
new markets and sectors, their influence on the organization’s
go-to-market strategy is expected to persist. Strategic leadership
places significant importance on operational resilience due to the
requirement to comply, with some mandates assigning ultimate
responsibility to the organization’s board.

Supply chain resilience still needs more management attention:
Senior leadership engagement to bolster supply chain resilience has
changed in recent years, largely driven by evolving threat landscapes.
The substantial disruption caused by COVID-19 elevated supply chain
discussions to a more prominent position in executive and board-level
discussions, but the sustained support for this initiative has waned
recently. Practitioners acknowledge the difficulty in obtaining buy-in
from senior leadership for this critical issue.

Attention on ensuring a resilient workforce needs to be maintained:
The human factor is crucial for the success or failure when building
and maintaining business continuity and resilience plans within
organizations, surpassing technological considerations. Failures in
emergency responses, cyber security, technology adoption, or
compliance often stem from workforce-related issues. In 2023,
occupational diseases, particularly mental health challenges,
disrupted organizations, leading to productivity loss and revenue
decline. The loss of talent and skills shortage in critical areas are
widespread and are likely to persist, demanding ongoing attention.
The human element of risk is likely to remain significant in the future
risk landscape and warrant consistent recognition and addressing.


Uncertainty about application and lack of regulations is inhibiting
rapid take-up of AI technologies:
The use of AI has emerged as a prominent
topic this year, yet thoughts on its current
and future role in resilience - and other
disciplines - remain mixed. Many organizations
remain uncertain about how AI will fit into
their operations, both in terms of business
continuity/resilience and in other operational
areas. Responsible use, as well as the privacy
and confidentiality aspect of AI, remains a
concern, with some countries already creating
AI regulation and starting to enforce it. Despite
the aforementioned risks, nearly half of
organizations anticipate AI to be very important
and/or quite important within their settings
in 2024.

Technology use in building resilience capability increased in 2024,
with AI seeing the greatest rise in usage:
There has been an increase in the number of
organizations leveraging technology to assist
in performing tasks/processes relating to BC
and resilience. 2023 showed a historic high in
the usage of dedicated technology to manage
emergency communications, while AI recorded
the greatest rise in usage among those
technologies participating in building resilience
capabilities over the past four years.


Most are satisfied with their current BIA process and acknowledge
the value that technology can bring to the process:
The business impact analysis (BIA) stands as a foundational component
of the business continuity management system (BCMS). Most
organizations express satisfaction with their current BIA processes,
often attributing this to program maturity and robust leadership
support. Furthermore, tailoring the BC process to fit the individual
requirements of an organization can help to ensure increased support
for adoption by senior leadership. Technology also plays a crucial role
in BIA process execution, offering benefits such as automation (and
therefore efficiencies), breaking down silos in BIA creation, and
facilitating real-time updates. A substantial percentage of respondents
(58.8%) indicates a willingness to embrace AI for process automation,
emphasising the importance of efficiency enhancement but still
maintaining a human element in the process.
Some organizations are, however, dissatisfied with their BIA
processes, citing issues with time commitment, software usage, and
organizational participation, and siloed working practices.
Inefficiencies often arise from a lack of centralisation, hindering the
identification of business continuity requirements. The cost of
investing in specialised software to assist with the BIA remains a
barrier to the widespread adoption of technology.

Resilience budgets to remain healthy into 2024, with cyber resilience
the area in line for the most investment:
Most organizations anticipate maintaining their resilience budget
levels for the upcoming year. Among those organizations planning to
increase their investment in 2024, the prioritised areas where
practitioners expect to see higher expenditure are cyber resilience
(64.8%), followed by the overall business continuity and resilience
budget (48.5%), and operational resilience (45.7%). Moreover, 39.6% of
organizations are expecting their AI budget to be higher in 2024.

2 Strategic leadership of resilience


• Increasing cyber security measures is the top
resilience priority for senior management, with
the area being the most likely to be a recipient
of investment for technology and people to help
bolster organizations’ defences.
• Operational resilience and regulatory
requirements are other top concerns
for leadership.
• Some critical areas, such as supply chain
resilience, may be underserved by top
management.
The importance of senior leadership buy-in for resilience
programmes has become ever more evident in BCI
research throughout the year. A truly resilient organization
can only be created by the sum of its parts (i.e. the people)
and, for employees to appreciate their individual importance
in an organization’s resilience jigsaw, leadership from the top
is vital.

One of the first recognised stages of building a BCMS
is clearly establishing the governance structure of the
programme, as well as its overall aims and objectives. Having
senior leadership buy-in and support for the BC programme
at this stage means that commitment is more likely to be
guaranteed across the organization’s different functions
and departments.

BCI research shows that a board member is ultimately
accountable for the resilience programme in 67.8% of
organizations. In addition, 84% of respondents to the BCI
Continuity and Resilience Report 2023 said that senior
management attention to BC and resilience will increase in
the next five years.


Therefore, before exploring some of the key themes within the BCI’s 2023 research reports, it seems
pertinent to open this report by exploring what practitioners think are the current strategic priorities for
senior leadership. To address this, survey respondents were asked to rank the top three areas where senior
leadership is most likely to take a strategic lead in their organization.

Cyber resilience is the top area where senior leadership will be looking to take a strategic lead, with over
half of respondents (56.7%) listing the area as one of their top three areas of focus. This aligns with findings
earlier in the year, where the BCI Cyber Resilience Report 2023 showed that most organizations had a
medium- to high-level of top management commitment in this area.

Cyber resilience: 56.7%
Operational resilience: 48.3%
Regulatory requirements: 41.7%
New technology decisions: 40.0%
Crisis management: 37.5%
Business continuity: 35.8%
Supply chain resilience: 25.0%
Implementation of artificial intelligence: 14.2%
Pandemic planning: 5.0%
Other: 1.7%

Figure 1. Which are the top three areas where senior leadership is most likely to take a strategic lead in
your organization?


Cyber resilience - the top priority for senior management
The backing of senior leadership can be a critical
step towards getting the required resources to
tackle the challenges that organizations are facing.
Cyber resilience is at the top of the agenda for
senior management due to a number of factors
such as the rising number of cyber-attacks, the
more complex nature of attacks with the advent
of AI, and the suite of strategic impacts (such as
financial or reputational impacts) that a cyber-
attack can have on an organization. To back up
these figures, the BCI Horizon Scan Report 2023
placed cyber-attacks right at the top of the risk
landscape for 2024.

An interviewee explained how an incident
showcased the importance of cyber resilience
to their organization’s board and resulted in a
re-evaluation of technical controls, as well as the
importance of training and exercising.

“We are going to run our annual CMT
[crisis management team] exercise next
week, the board will also join us so that
we can see how they will respond. In fact,
we have been doing a lot more training
and education awareness with the board
around cyber and cyber responses.
Off the back of some significant data
breaches we had in Australia, it has
pushed our board to consider our level of
preparedness, the understanding of what
we would do under certain events and
evaluate our technical controls. So there’s
an uplift program in place around cyber
preparedness as well as what would we
do to respond to that sort of threat.”
Business continuity manager,
financial & insurance services, Australia


Operational resilience: regulations driving senior leadership responsibilities
Operational resilience is another key area of consideration for senior
leadership (48.3%). This follows a finding from the BCI Operational
Resilience Report 2023 which highlighted that conversations about this
area were happening at executive committee level on a monthly (17.4%),
quarterly (30.2%), or biannual (8.1%) basis. This reflects the role of current
and upcoming operational resilience regulations, largely in the financial
services sector, as they continue to emerge and influence the future
direction of organizations. Indeed, the importance of operational resilience
to leadership is likely to continue as the development cycles of operational
resilience regulations reach maturity, new markets become regulated, and
regulations are rolled out across new sectors.

Another reason why operational resilience is high on the list of concerns
for strategic leadership is due to the implementation of operational resilience
regulations and standards. The Australian Prudential Regulation Authority’s
(APRA) new CPS 230 Operational Risk Management standard¹ makes it
clear that ultimate responsibility for the implementation of the standard
lies with an organization’s board. In this, some of the responsibilities
of the board include approving the policies of service providers, as
well as providing oversight for internal operational risk controls and
their effectiveness. Meanwhile, the UK’s FCA/PRA/Bank of England
operational resilience regulations indicate that the SMF24, or the chief
operations officer², should be taking the lead in the implementation
of the regulations.

The BCI Operational Resilience Report 2023 also showed how important
regulation was for driving operational resilience programmes: figures
from the report showed that most organizations without a programme
did not have one due to not having to comply with regulation. This is
further supported by the finding that one of the top areas for senior
management to take a strategic lead is with regulatory requirements
(41.7%). As noted above, this is related to their role in the implementation
of these regulations, but it also reflects the severity of the repercussions
for an organization not complying with the regulations, with fines for
non-compliance already issued in the UK³.


Of course, regulatory requirements do expand far beyond operational
resilience alone. This, and their recognition by top management, is why
BC and resilience professionals are making calls for regulation in new
areas. While regulation as a tool is important, senior management should
not be solely pre-occupied with compliance with regulations to the extent
that it blinds leadership to other priorities. Regulation should help build
compliance and good practice and not serve purely as a tick box exercise.

However, as an interviewee explained, operational resilience regulation
still has limited infiltration in certain sectors and geographies. While
professionals can work with senior management to engage them in
the importance of adhering to a resilience programme or aligning to a
resilience standard, unless regulation is brought in, many are not hopeful
of implementation.

“As for operational resilience in sectors such as manufacturing
in Japan, there is no interest or knowledge; virtually nobody
talks about it.”
Risk management, manufacturing, Japan

“Our senior leadership team is taking a strategic lead in
operational resilience, crisis management, and supply chain
resilience. We are introducing our business model from the
beginning when our sales team visits clients and offers our
services; therefore, operational resilience plays an important
role with addressing what risk there is and what expectations
we anticipate. Our second objective is crisis management. The
strategy is that we have a dedicated team within the company
and we are now closely working with each department to
understand risk exposure and conducting risk assessments for
each business unit. Lastly, our suppliers have been vetted, we
are in close contact based on the market conditions and the
relationship with carriers over the decades. We have revisited
the list and have a stronger relationship with our providers.”
Crisis manager, manufacturing, Denmark


Managing a growing list of priorities

Other considerations for senior leadership are new technology
decisions (40.0%) and crisis management (37.5%).

The idea that the responsibility for new technology decisions lies with
an organization’s senior leadership was explored in this year’s BCI
Technology in Resilience Report 2023. The report highlighted how a
top-down approach to introducing new technology into the organization,
where senior leadership bring in a technological solution to fulfil a
strategic purpose, can encounter reluctance and resistance from the
workforce. However, a significant minority (40.0%) of respondents say
that senior leadership takes a strategic lead in new technology
decisions. While the proactivity should be applauded, the scenario can
lead to the much-praised ‘bottom-up’ approach to resilience being
avoided, with guidance from IT experts and/or the staff who will be
using the technology ignored. This ‘bottom-up’ approach is also one
which is now frequently adopted in crisis management scenarios as it
creates trust amongst teams, promotes information sharing, and avoids
building a culture of fear and mistrust if workers are excluded from
decision making processes. While ‘command and control’ structures still
have their place, using the knowledge and expertise of people on the
ground can be vital in establishing a good resilience culture.

Indeed, the role of the senior leadership in crisis management is also
well established. The BCI Crisis Management Report 2023 showed that
crisis management is led and championed by the board or senior
executive team in three-quarters (74.4%) of organizations. One of the
benefits of this management-led approach is that it ensures all parts
of an organization are engaged when a crisis hits and helps to enable a
synchronised response to an incident. It also means that adequate
resourcing for crisis management is more likely to take place. However,
with over a quarter of respondents still working in organizations where
this approach is not adhered to, the risk of an unordered response to a
crisis remains.

The implementation of artificial intelligence (14.2%) sits behind
supply chain resilience (25.0%), showing the diversity of conversations
being held at senior management level. At the start of the year, the
BCI Supply Chain Resilience Report 2023 noted how the commitment of
senior leadership to supply chain resilience has seen numerous shifts
in recent years, mostly due to a changing threat landscape. The impact
of COVID-19 on global supply chains was significant in pushing supply
chain discussion to the top of the agenda. In many cases, this led to
changes such as the remodelling of logistics networks, greater
due-diligence taking place of current and potential suppliers, and
uptake in new technologies to assist with supply chain mapping
increasing.


However, with attention now moving
away from COVID-19, interviewees
recognised that the challenge of securing
support from senior leadership for this key
area was proving difficult to maintain.

Interestingly, pandemic planning (5.0%) is at
the bottom of the areas where leadership will
take a strategic lead. This may be because, since
COVID-19, pandemic plans have already been
operationalised and adopted. However, it is critical
that organizations do not let planning in this area slip off
the agenda and keep the conversation going with senior
leadership, even if it is not currently the main concern for
organizations’ top management. Professionals also need to
consider that the risk of a new pandemic is very high according
to multiple national risk registers and a new pandemic is
unlikely to have the same characteristics as COVID-19.
Therefore, it is important to ensure that an organization
is prepared for a potentially more virulent and/or more
contagious pandemic than COVID-19.

It is likely that these critical areas will change
over the coming years as new regulations are
brought out, new disruptions encountered,
and technology continues to transform
workplaces. As ever, it is important for
senior leadership to consider the long-
term when assessing the strategic
priorities, as well as considering
immediate concerns such as
regulatory requirements.

3 Practitioner priorities for 2024


• The increased engagement in cyber resilience
from senior management has been noted
by practitioners who have seen increased
resources for cyber resilience filtering down
into daily operations.
• Survey respondents highlight the continued
vulnerability of their global supply chains
during a time of high geopolitical risk. With
the subdued levels of commitment from senior
management, many practitioners are concerned
that they will be unable to address areas of
risk in their supply chains.
• The human element of resilience has been a
consistent thread throughout BCI research
this year and its significance should not be lost
among the landscape of emerging risks.
After establishing the strategic priorities for resilience, the
focus now turns towards how these concerns match those
of practitioners in the sector.

The BCI Cyber Resilience Report 2023 was released in
March and showed an increase in the number of cyber-
attacks with 74.0% of respondents reporting a rise over the
last year. Showcasing the role of technology in supporting
the ongoing resilience and day-to-day operations of most
organizations, cyber threats and risks have been a theme
repeatedly encountered across the BCI research this year,
with concerns notably raised from previous years.


As shown already, the same is clear here: with respondents claiming cyber
resilience to be the top priority with senior leadership. In addition to this,
despite cyber-attacks being the most disruptive event this year for just 6.1%
of organizations, this area was still rated as the most significant risk for both
the coming 12 months and in the mid- to long-term (next 5-10 years) in the
BCI Horizon Scan Report 2023. This concern is likely to be because of the
financial and reputational implications of attacks.

A number of high-profile cyber-attacks and data breaches made the
headlines this year, with the MOVEit data breach ranked as one of the most
significant in 2023. Reports suggest that the number of those affected by
this attack has now reached more than 60 million individuals and over
1000 organizations⁴. With the scale and damage of these attacks clear to
see, as well as acknowledging that many attacks go under the radar, it is
understandable why this is a top concern for practitioners and organizations
alike. However, it is important that this threat is not being considered to the
detriment of other risks that are also part of the landscape for 2024.

To emphasise its role in the reports throughout the year, it is important to
mention that the BCI Supply Chain Resilience Report, released in January
2023, showed that disruptions from cyber-attacks and data breaches were
the primary cause of concern for supply chain professionals. Meanwhile,
the same threat was also the third most frequent trigger of an emergency
or crisis communications plan, as evidenced in the BCI Emergency and
Crisis Communications Report 2023. While the number of cyber-attacks
has decreased in 2023, the cyber-attack landscape is changing: dwell times
have dropped from ten to eight days on average (meaning less time for
attacks to be spotted) and attackers are favouring highly targeted and more
complex attacks in the place of mass phishing attacks. Furthermore, with the
advent of AI, attackers are now using the technology to help with deception
campaigns, such as through the use of deepfakes.

An interviewee from the higher education sector explained that cyber
incidents originating from highly organized attackers have been a concern
throughout the year, with access to internal systems and ongoing research
a target, but also that attacks can increase during September/October as a
new intake of students increases the chance of insider attacks.

“You see a lot of attacks at the time of year when new students
join. Someone thinks it’s great fun to go and attack the
university from the inside.”
Risk and resilience, education, UK


“We are seeing a lot of organized teams and gangs that are
backed by foreign states attacking the higher education sector.
To date, there’s been about fourteen or fifteen universities hit
this year, there is no reason to suggest they will back off, it will
continue; they are after research.”
Risk and resilience, education, UK

Supporting the findings in this report, interviewees were keen to highlight
the investments made by their organizations with regard to cyber resilience,
with one reporting that their organization has invested in increasing its ability
to recover operations from scratch in the event of an attack. As seen in the
previous section, investment in cyber resilience is expected to continue to be
supported by top management due to both the greater impact that attacks
are now causing, and the elevated level of concern.

“We have been investing in our ability to recover from scratch
in the event that our infrastructure, our data, our products,
whatever it may be, is attacked and corrupted.”
Resilience manager, information technology, USA

The interviewee in the higher education sector discussed that cyber
resilience means more than defence against internal and external threats,
but also how the cyber function can support its critical stakeholders.

“We support Student Services; some students have been in dire
need of assistance. When the tutor hasn’t heard from them,
we’ve tracked them down via their IP addresses and found that
they’ve been in hospital abroad. We then have been able to get
them the support and assistance they need.”
Risk and resilience, education, UK

“It’s not all about defence, it’s also about support for our
stakeholders, for our students.”
Risk and resilience, education, UK


What is the role of new technology in building resilience?

BCI research in 2023 has highlighted the increasingly important role of
technology in building resilience. As one notable example, AI has become one
of the main trending topics this year across many industries, but its current
and future role within resilience remains a hotly debated area. Organizations
are determining the role it could play to assist or even automate certain
resilience functions, against a background of upcoming regulations and
ethical concerns regarding its usage. Despite this, the advantages of AI mean
that 2023 has seen the steepest rise in usage of AI in resilience
environments of any year since the BCI has been researching in this area.

In addition, further BCI research showed that the usage of digital tools and
technology to manage emergency communications is continuing to increase
following the changes in workplace environments and work from home strategies
implemented during the COVID-19 pandemic. The BCI Continuity and Resilience
Report 2023 also explored how technology was being used to speed up and
improve the effectiveness of BC and resilience functions, in particular
exploring the impact of technology on the BIA process.

However, the BCI Supply Chain Resilience Report 2023 highlighted the fairly
low uptake of technology to detect and report on supply chain disruptions,
with the need for further resources and commitment in this area clear.
Perhaps this is further ratified by the finding at the start of this report
which suggested that supply chain resilience was not among the top areas of
strategic focus for top management.

Legacy systems weigh on technology opportunities for some organizations

The Technology in Resilience Report outlined that two of the barriers slowing
implementation of new technology are the difficulty of integrating new
technology with existing systems as well as the requirement to update legacy
IT systems. While organizations are making decisions about new technology and
its role in their resilience functions, it is important to recognise the
ongoing challenge of legacy technology and how it will integrate with new
technology. However, upgrading legacy technology can be used as an
opportunity for an organization to upgrade to a system which covers any of
the known vulnerabilities in the previous system. This does not come without
cost challenges, however, and interviewees from the public sector in the BCI
Horizon Scan Report 2023 spoke about how there was an urgent need for systems
to be upgraded, but the cost of doing so was prohibitive. The education
sector is one of those that faces challenges.

“In the higher education sector, we have a lot of old legacy
end-of-life equipment which challenges us with a lot of security
issues and vulnerabilities.”
Risk and resilience, education, UK


How have global supply chains weathered the storms of 2023?

Just a quarter of respondents feel that supply chain resilience is currently
a strategic priority for leadership. Because of this diminished attention
from leadership, it is perhaps not a surprise that disruptions to global
supply chains have had a continued impact on organizations in 2023.

The impact of cyber-attacks on supply chains has already been noted, but
another significant element this year has been geopolitical threats,
particularly for organizations operating in multiple countries. One
interviewee explained that their organization felt the impacts of the
conflict in Ukraine on their supply chain last year, but new challenges were
emerging this year which were compounding issues further. In this case, the
political situation across different regions of Africa was impacting not only
on supply chains, but also on the workforce too. Another interviewee
recognised how geopolitical threats affect supply chains through increasing
costs and other material aspects, but also the difficulties that arise
through navigating sanctions and border controls on goods.

“There are many risks involved when you have [people] and machines
involved to support your clients in different countries around the globe.
The geopolitical risk remains the number one risk for our business.”
Crisis manager, manufacturing, Denmark

“With disruption in the supply chain from Ukraine and Russia, these type
of things have a knock-on effect that affects the cost, availability, what
you can do, where you can’t do it, sanctions, and all those other things.
We are also seeing the controls come in and out of China in terms of how
goods go in, how goods come out, and customs.”
Physical security director, retail & wholesale sector, France


“If we look at the last year, there were challenges for supply chain
arrangements with our customers because of the Ukraine and Russia war.
This year, the political situations in African countries (the Economic
Community of West African States; ECOWAS) and the simultaneous military
coup attempt in a few of the Sahel regions has ultimately impacted some of
our business operations in those countries. We continue to see many
countries within a conflict zone and ultimately it is quite challenging to
support our people and our operating projects in those countries.”
Crisis manager, manufacturing, Denmark

Expectations from consumers remain the same despite the issues facing global
supply chains. It is therefore critical that resilience is built into these
supply chains to ensure that orders can be processed and met on time, in
order to remain competitive and sustain the organization’s reputation.
Organizations also should consider working with their external communications
departments to ensure messaging is ready should an unexpected disruption
happen.

An interviewee from the manufacturing sector explored the issues that they
have faced with distribution throughout their supply chain and in the
semiconductor market this year. The global semiconductor shortage has been a
major threat for the manufacturing and technology sectors since the COVID-19
pandemic exposed the challenges in this sector due to a reliance on suppliers
in Asia. Indeed this, along with trade-related tensions between the US and
China, has seen manufacturers look to diversify the production of
semiconductor chips into new countries in order to build resilience into this
supply chain [5].

“We have experienced issues with the supply chain in the COVID era,
especially transportation. We were unable to secure sufficient capacity
to transport our products from the factory to the market via ship or
plane. We have also had difficulty obtaining semiconductor parts from
semiconductor companies. So, the lack of supply chain resilience has been a
significant problem for suppliers and manufacturers; these vulnerabilities
will not disappear any time soon.”
Risk management, manufacturing, Japan

In terms of good practice and ensuring supply chain resilience, this report’s
findings align with those in the BCI Supply Chain Resilience Report 2023
which showed that 73.6% of respondents usually ask key suppliers whether they
have business continuity measures in place. Reviewing the resilience of
potential suppliers should be a critical part of the procurement process
(i.e. before entering into a contract), but it is also important to review
the BC measures for ongoing suppliers on a regular basis as well.

“Clients are expecting us to have business continuity measures in place
and so they should, but we should also be asking our suppliers if they have
BC too. We should all be asking: ‘What’s it for and how valid is it, does
it cover the service that we’re providing, and vice versa?’ This is what
gives us a greater resilience capability.”
Head of resilience, industry association, UK


How has the human factor impacted organizations this year?

This year’s BCI research reports have shown several disparate findings
relating to the human side of resilience.

The first report of the year, the BCI Supply Chain Resilience Report in
January 2023, showed that the two most significant causes of supply chain
disruption over the previous 12 months were both related to the human
workforce. Disruption related to a loss of talent or skills was reported by
46.8% of organizations, while human illness was found to be the largest
disruptor of supply chains for 46.0% of organizations. Human illness can also
be the cause of other supply chain issues such as transportation disruption,
factory and warehouse closures, and even loss of talent. Indeed, illness
ranked higher in the disruption table than transport network disruption
showing the degree of disruption that poor health can cause.

Practitioners also need to ensure that they view loss of talent in the
long-term, as well as short-term. Loss of talent was the top-rated risk in
the short-term, yet only 39.7% of organizations were considering the impacts
of a loss of talent on a five-year basis. Since the loss of talent has been a
recurring issue in previous years, its potential for future disruption should
not be downplayed or attention lost in favour of newly emerging risks. With
much of the world going through a difficult financial period, talent will be
an area which could be affected as organizations struggle to hit balance
sheet targets. Members have told the BCI that, during the pandemic, their
organizations laid off too many staff which meant they were unable to keep up
with the competition when the immediate response phase finished. These human
factors will likely remain a significant part of the future risk landscape so
need to be duly recognised and established as such.


The BCI Horizon Scan Report 2023 also showcased the impact of this theme for organizations. Firstly,
corroborating the result seen in the 2023 BCI Supply Chain Report, the greatest disruptor for organizations
over the past 12 months has been health incidents, such as occupational disease leading to a sickness
absence. In addition, the report showed that the greatest consequence of disruptions was a loss of
productivity in organizations’ workforces, once again highlighting the importance of ensuring that
employees remain physically and mentally well, are incentivised with their work, and have the tools to be
able to perform their role to the best that they can do.

Supporting this, the Chartered Institute for Personnel and Development (CIPD) reported the highest
employee sickness absence rate in the UK for a decade [6]. The CIPD’s report also showed that 76% of
respondents saw some stress-related absences in their organizations but, positively, over three-quarters
of organizations are making progress in identifying this cause and are attempting to reduce it through
methods such as flexible working options and employee assistance programmes.

Human error continues to impact organizational resilience


For managers, these findings should call to mind the continued importance of supporting personal
resilience in the workforce through staff wellbeing programmes and other means.

Exploring other elements of this critical topic, the BCI Emergency Communications Report 2023 found
that human errors were the most common cause of failure within emergency communications plans.
For example, almost half of organizations claimed that change to plan failures were related to the lack
of maintaining accurate staff information. Such failures also point to a lack of training and exercising
taking place, which would allow the workforce to better understand their roles when the emergency
communication plan is activated and would also highlight errors in contact information.

The BCI Cyber Resilience Report 2023 supported this theme further by showing that human error was
the most common reason for cyber criminals being successful in their attacks. In this case, it could be
employees unintentionally clicking and opening malicious links in an email, or using unsecured public Wi-Fi.
The similarities to the vulnerabilities shown in the BCI Emergency Communication Report 2023 are clear,
with a similar solution of increasing exercising and training being recognised.


An overview of artificial intelligence


• 36.4% of respondents say that artificial
intelligence can be both a resilience enabler
and disabler within organizations, depending
on the context.
• The BC and resilience sector is split over
the importance of AI in supporting
resilience-boosting activities.
• Regulations are likely to become an important
tool to help AI fit within an organization’s
risk appetite.

This year, we have seen an increased level of focus and
debate on AI and its role in organizations, as well as
the specific ability to automate or improve existing
resilience functions.

The BCI Technology in Resilience Report 2023 highlighted
that technologies used within resilience settings, such as AI,
have increased in use by more than 500% since 2019. Now,
with OpenAI’s ChatGPT and Google’s Bard opening up AI
to a new audience, coupled with developments in AI on the
mind of most professionals, debates about whether AI is a
force for good (or not) are now rife in the sector.

To create a snapshot picture of opinion within the industry at
the moment, respondents were asked whether they consider
AI to be a resilience enabler or a disabler within their own
organization. The feedback received shows the diversity of
opinions in the sector.


Just over a third (36.4%) are of the view that AI can help resilience, but
also hinder it, depending on the setting. A further 21.5% believe it to be
solely a resilience enabler, whilst just 0.8% believe it is a hindrance.
However, with 41.3% still unsure as to how it could help or hinder their
organization’s resilience, there is clearly some way to go before AI can be
fully trusted with making important business decisions.

[Figure 2. How do you consider the role of AI within your organization?
Pie chart: A resilience enabler 21.5%; A resilience disabler 0.8%; Both,
resilience enabler/disabler, depending on the use 36.4%; Unsure 41.3%.]

This paints the picture that BC and resilience practitioners see the
potential for AI to become a key part of the resilience function going
forward, but many also remain cautious about its potential for misuse or the
added vulnerabilities introduced into the organization through the
application of the technology. The considerable segment of the industry which
remains unsure points to the need for a deeper exploration of this technology
and perhaps the introduction of regulatory instruments which can provide more
certainty about its potential.

“The disabler would be when we get ‘hallucinations’ or the wrong answers to
our questions. What’s the source data that it is generating its results
from? So, we need to develop guardrails and do it responsibly. This has been
a real concern of ours and it was a focus even before ChatGPT and everything
that has happened since the end of last year. We were already looking at
this because we saw it looming on the horizon. It’s a great new technology.
We can get a lot of benefit from it, but we have to be cautious on how we
proceed.”
Resilience manager, information technology, USA


Practitioners are also concerned about the addition of another element of
risk into an already crowded risk environment. Indeed, one interviewee
explained that there is a concern about spending an inordinate amount of time
determining whether AI is a resilience enabler or disabler and missing other
threats which are still of high risk to the organization.

“We could spend time thinking about the AI side of it, but, actually while
we’re spending time thinking about that, we’re not actually doing the bit
that we should be. Whatever AI will bring, positively or negatively, down
the line or how we consider it as part of our process, it still doesn’t
change the fundamental element of what could go wrong naturally,
technologically, or through terrorism or human nature, as part of what
could impact on our business and how we navigate our way through that if
that happens.”
Business continuity manager, financial & insurance services, Australia

Other professionals are likely to be considering the threats to cyber
resilience which can be posed by generative AI. Indeed, some organizations
are now banning or severely limiting the amount that ChatGPT can be used in
organizations. In February 2023, the North American telecommunications
provider Verizon outlined that ChatGPT was not accessible from its corporate
systems, stating that their priority is to its key stakeholders and, as such,
it has to be thoughtful when introducing a new and emerging technology. The
organization also noted that the technology was not accessible through its
corporate systems as it could put the organization at risk “Of losing control
of customer information, source code, and more.” [7] In contrast, comments in
the research rooms at BCI World Hybrid 2023 showed that other organizations
were embracing AI internally to support collaborative working practices, as
well as ensuring that information could easily be found on servers. This
highlights the delicate balancing act that organizations will find themselves
trying to manoeuvre when assessing their risk appetite for the usage of AI.

One interviewee explained that including AI in their operations introduces
risk both internally (as seen above) and externally (throughout their supply
chain) when considering data control.


“Within our organization we try to have visibility of our architecture and
exposure with tools and technology; so we can fully understand what it
does, where it’s going, how it secures it, and who has access. Outside of
our organization, with our suppliers etc, we take a slightly different
approach, but we have the same principles because they have a lot of our
data. What are you doing with it? Where are you going? How are you using
AI? If you are using it, what is it? What is it for? Is it owned by you?”
Physical security director, retail & wholesale sector, France

“Whether it’s AI internally or externally, we have our own principles,
which are to fully understand all the implications of this to make sure it
meets business needs, to make sure it’s secure, and to be cautious before
we move forward; and it starts with visibility and assessment.”
Physical security director, retail & wholesale sector, France

Ratifying this, the BCI Technology in Resilience Report 2023 found that data
privacy and security issues were the second-most popular response when
practitioners were asked about the greatest concerns for organizational
disruptions caused by the introduction of new technology.

Other concerns relating to the introduction of AI technology include its
involvement in cyber-attacks. A recent UK government report included
cyber-attacks as one of the most significant risks posed by generative AI in
the run-up to 2025. It outlined that the technology could be used to “Create
faster paced, more effective, and larger scale cyber intrusion via tailored
phishing methods or replicating malware,” [8] by 2025. On top of this, the
report examined the potential for generative AI to proliferate fake news,
targeted disinformation, and even manipulation in financial markets. These
risks do show the need for an important conversation about controls,
especially for tightly regulated sectors such as financial services.

However, it cannot be overlooked that AI can support resilience in
organizations: three in ten respondents said that AI would be important in
their organization’s resilience activities in 2023. This data is backed up by
the aforementioned finding in the BCI Technology in Resilience Report 2023
where AI saw growth of over 500% in the last four years.


In terms of how AI might be used to improve the resilience of an
organization, 47.5% of respondents in the BCI Technology in Resilience Report
2023 stated that it could be used to improve an organization’s risk
assessment process. Indeed, data can be collected from internal and external
sources and analysed to show patterns or trends, which may identify future
threats or risks. The organization can then proactively adapt their own
operations to mitigate the impact of this threat. Some of the data points
which could be used for the risk assessment could be near misses logged by
the organization, environmental data, social media feeds, or live supply
chain disruption information.

AI also has wider applications in organizations such as through automation to
improve productivity, ensuring that staff are spending their time on
added-value tasks, as well as new product development.

“Adopting new technologies, like generative AI, is huge. Our company has
used a lot of artificial intelligence and machine learning within our
infrastructure; and analytic solutions are in the product offerings that we
deliver to customers. It’s been underpinning our services for many years
now and generative AI is a new opportunity to improve that. But we’re also
looking at it to improve our internal operations, like improving our
productivity, so we can spend more time on adding value as opposed to
repetitive administrative tasks like building PowerPoint decks.”
Resilience manager, information technology, USA

Similarly, another interviewee explained that AI is being used to increase
efficiency and filter customer support queries, so those which cannot be
resolved by an automated function can be handled by an internal support team.

“For us in enterprise risk management, AI is all about the customer
experience and ensuring operational resilience. We’re into digital
marketing and what we’re trying to do is make the customer experience more
efficient, so we’re very heavily involved in chat boxes or automated email
responses. Then, if the customer doesn’t get what they want, then they can
go to online support.”
Risk management, professional services, Australia


However, different sectors face different risks and the method of AI usage to mitigate threats would be
different. In financial services organizations, for example, some are using AI to identify fraud and financial
crime. A current estimate suggests that more than half of large financial institutions are, at present, using AI
to manage risk [9], with the developments in generative AI helping this process along. It is also important to
note that other iterations of AI have been in use to support the resilience of operations for some time. An
interviewee from the manufacturing sector explained that their organization has been using the technology
to detect defective items on a production line.

“AI has been used for a long time in our factory to inspect products and
remove the defective ones. AI utilises a pattern matching method in our
manufacturing process, which is highly beneficial for quality control.”
Risk management, manufacturing, Japan

“It would be useful if we could employ generative AI to plot and generate
scenarios for our BC exercises and tabletop exercises.”
Risk management, manufacturing, Japan


Another prominent example of how AI-backed predictive
analytics can be used to assess risk and proactively
mitigate disruption is in supply chains [10]. The BCI Supply
Chain Resilience Report 2023 highlighted that the use of
advanced technology solutions and supply chain mapping
software is increasing on the back of the recognition of
recent supply chain crises, such as those seen during the
COVID-19 pandemic. Here, AI could reduce shortages
or lags in the supply chain by predicting future demand
patterns by, for example, analysing weather patterns,
market trends and previous disruptions, and adjusting
product and stock levels accordingly. In addition,
simulations can be run to understand the performance of
supply chains, the impact of disruptions, and the effect of
adjustments.

This may be increasingly important as climate change continues to disrupt
existing routes with droughts eradicating or severely reducing the efficacy
of some inland waterways, for example. Reports reveal that 90% of products
move through oceans and waterways but these routes are under threat from
drought [11]. A situation such as this can be modelled in advance to test how
this would impact the supply chain and allow organizations to proactively
prepare adjustments to existing routes.

Several interviewees noted the potential of generative AI to write and
develop scenario exercises which can be used to validate their business
continuity management system. However, they also recognised that they are
still in an early phase of adoption of using AI for resilience purposes and
that the first phase is to establish a governance structure for the
technology.

“We have a chief data officer who is looking into AI and building out the
governance structure around what we need to do to leverage AI. However, we
also need to consider how to protect our organization and what controls we
need to put in place to manage that.”
Business continuity manager, financial & insurance services, Australia

“With ChatGPT everyone thinks it’s great, but we’ve got to have some
caution with this; it can be amazing, but there are very known risks
attached to it. It’s in its infancy stage of maturity and it will take time
for people to have confidence that it is secure, correct, and efficient. We
also need to understand the implications for our people and our clients; we
know we must be a leader on these things, but we’ve also got to be cautious
because it can create as much risk as it can create benefit.”
Physical security director, retail & wholesale sector, France


[Figure 3. When it comes to supporting your resilience activities in 2024,
how important will AI be? Pie chart with segments Very important, Quite
important, Not very important, Not important at all, and Unsure. The two
"important" segments are 10.7% and 19.8%, the two "not important" segments
are 29.8% and 9.9%, and Unsure is 29.8%.]

For 39.7% of organizations, however, AI will be of little or no importance to
their resilience activities. Furthermore, nearly a third (29.8%) said that
they were still unsure of the role that AI would play in their organization
over the next year, demonstrating the lengths still needed to go to in terms
of clarity of purpose, as well as meeting the growing calls for regulatory
overview.

Many countries are now seeking to regulate AI

Some of the reticence around exploring the benefits of AI in resilience
settings is because of the current lack of universal regulations around the
technology. Therefore, the introduction of regulations may be one of the
controls that can help AI become a resilience enabler within organizations.

In October 2023, U.S. President Biden signed an executive order [12] for new
standards on AI safety and security. The order requires the developers of the
most powerful AI systems to share safety test results with the US government.
“The Departments of Energy and Homeland Security will also address AI
systems’ threats to critical infrastructure, as well as chemical, biological,
radiological, nuclear, and cyber security risks,” according to the order. In
addition, the Department of Commerce is expected to generate guidance for
content authentication and watermarking to identify AI-generated content.

This follows China introducing new regulations for generative AI in August
this year as it plans a governance framework for the technology. It seems
that the new rules will only apply to services available to the general
public in China, not those being developed for research purposes or those
intended for foreign consumers. One of the key measures is a requirement for
providers of generative AI to conduct security reviews and register their
algorithms with the government under certain circumstances [13]. However,
since regulation in the AI space is likely to become a factor in the years
ahead, establishing guidelines early is probably a sign of intent and shows
the critical role that AI is expected to play for many countries going
forward [14].


The European Union has also drafted legislation relating to the use of
artificial intelligence and those involved in the creation of the EU AI Act
have already suggested that these rules could be used as a guideline for
other countries [15]. This is similar to how the UK’s FCA/PRA/Bank of England
Operational Resilience framework has provided a framework for other similar
regulations around the globe.

However, if already using the technology or intending to rely upon it in the
future, businesses must also be conscious of how any upcoming regulations
impact their usage. One interviewee discussed how their organization would
look to take a proactive role in the development of regulations to ensure
that their interests are also represented by the new rules.

“As an organization, we are taking more of a proactive role in [the
regulation] space. Regulations can be good but they can also be bad. So we
like to take a proactive role as an organization to help steer the
conversation to protect our interests, yet do the right thing for the
community as a whole. It’s an inevitable thing that has to happen to
protect everyone, so we want to be a proactive partner and voice in that
space.”
Resilience manager, information technology, USA

With all of this in mind, where does that leave organizations in the year
ahead regarding the use of AI as a tool for resilience? An interviewee noted
that for 2024, their priority is still “About putting in place what we know
we need to have in terms of the right people, right place, right time, and
right resources.” For example, in terms of people, the interviewee noted that
the processes within their organizations are still based around people
processes and that AI, as a technology, will still require a human element to
function. Going back to whether the technology is a resilience enabler or
disabler, they note that their priority is getting the basics of the BC
programme right and then to establish whether AI will enhance this resilience
capability further or not.

“From my limited understanding of AI, there still has to be some sort of
human element in the middle that has the ability to be aware of what’s
going on because they can physically see it and experience it. The BC plan
might not work at that particular time, for whatever reason, but somebody
still has to make a decision on what needs to be done. All we’re trying to
do here is give those people as much time as possible when something has
the potential to happen or something does happen. […] So the AI bit, we’re
aware of its potential out there and what it’s going to bring, but we want
to concentrate on the basics and get those right. If the AI element
enhances our capability going forward, then we can look at that and see
what the advantage would be.”
Business continuity manager, financial & insurance services, Australia


Other interviewees offered their views on AI within their organizations; mostly from a positive perspective.

“We are not highly dependent on AI at present because we are a manufacturing team; IT teams are more inclined towards the artificial intelligence tools.”
Crisis manager, manufacturing, Denmark

“Whenever there is a diminishing product life cycle, these tools (AI) give us notifications and, based on this information, it will allow us to have equipment serviced when it is needed, rather than when a service is due on the calendar.”
Crisis manager, manufacturing, Denmark

“We already have smart tools: special data input is coming into a command-and-control centre, telling us what the fault or service areas are and, based on that input, a new sales lead is captured. This benefits our customers because the sooner they correct their equipment, the better their productions are. This increases the client’s productivity and revenues which in turn brings us more service orders and inflow of our products.”
Crisis manager, manufacturing, Denmark

“With AI, we need to leverage the tools that are available and work out the best way to integrate them. We always have a human to make sure that what we’re doing is ethical, so we need to make sure that whatever we do still covers off that governance and to make sure that everything is done in the right way.”
Business continuity manager, financial & insurance services, Australia

5 How have attitudes towards BC practice changed this year?

• The majority of organizations are satisfied with their current BIA process, with a more universal understanding across organizations that the BIA process is a major component of an organization’s success.
• More than half of organizations would automate parts of their BIA process if the technology became available.
• A key area of improvement for tools used in the BIA process is how they can assist in the identification of external dependencies.

One of the threads picked up throughout the BCI research reports this year has been the changing attitudes to elements of standard BC practice. The BIA is one of the fundamental elements of the BCMS but, with the introduction of emerging technologies and ever-evolving work processes, it is important to evaluate where organizations are looking to change or adapt their BIA process.


Overall, 61.4% of interviewees are very happy (18.5%) or moderately happy (42.9%) with their current BIA process. The maturity of the programme and how well the process was understood and accepted by leadership across the organization were major drivers of respondents’ satisfaction. Of course, support from leadership means that, when the BIA is due for an update, this can be adopted throughout the organization instead of being dismissed by certain departments as a low priority item. Even in this though, the importance of adapting the BC process to suit the organization was recognised in order to increase its chance of adoption. This can be achieved by applying the most appropriate type of BIA to the organization and keeping it from becoming unnecessarily unwieldy.

“If you look at the four types of BIAs, we don’t do the activity BIA. I know those terms are changing, but I’m just using it as a reference. The process level BIA is about as low as we would go, and even that we don’t go too deep because the information provided from that is not significant enough to make a difference.”
Resilience manager, information technology, USA.

Figure 4. Is your organization generally happy with its current approach to the overall BIA process? (Very happy 18.5%; Moderately happy 42.9%; Moderately unhappy 19.3%; Very unhappy 5.0%; We do not carry out BIAs 6.7%; Unsure 7.6%)


In other instances, practitioner satisfaction with their BIA process was directly proportional to the level at which their BIA process had been adapted to fit their own organization’s needs. For instance, one interviewee explained that they have introduced advanced technological solutions, such as digital twins, into the BIA process. This process allowed the practitioner to simulate attacks on their critical processes in order to understand how this would change their cyber security posture.

This year’s BCI research has found that more than a third of organizations are developing their own in-house solutions for BC/resilience purposes. This is typically a choice for organizations who can use internal resources, such as personnel or technology, to construct assets which bring the BIA process to life and show key relationships in a way that has not been previously explored. An asset which has been developed internally will likely increase satisfaction in the BIA process because the features will be tailored to the needs of the organization. One interviewee from the higher education sector discussed how they have utilised technology to build a BIA process that suits their requirements.

“We’ve done our initial BIAs and developed a nomological map. We’ve identified all the assets and the relationships between the assets, whether that is services, products, or stakeholders. Using logarithmic mathematical modelling, we know how quickly we can feel pain between our assets and we now know what our recovery time objective should be or our recovery point objective. Using that information we can create a digital twin.”
Risk and resilience, education, UK

However, just under a quarter of organizations say that they are moderately (19.3%) or very (5.0%) unhappy with their BIA process. In this regard, interviewees highlighted specific problems with the tools and software used to conduct BIAs, whilst noting their own concerns with the BIA process in general.

One interviewee explained that their organization was using an end-of-life tool and how the changing circumstances of the organization have not been met by the tool, particularly after the COVID-19 pandemic altered the working practices of the organization.

“We are using an end-of-life tool that we haven’t been able to update since COVID. The focus on a physical disruption scenario has really changed because most people have that work from home capability. It’s only our frontline staff that really need to be in the office, the rest of our workforce can work from home or work from an alternative location. Prior to COVID, the BIA was really focused on people in seats: if we had a crisis, we would move employees from one physical location to another. However, that thinking has changed dramatically; we are not able to really reflect that in the plans and the templates that we have in the system. This is one area where we have just had to accept that it’s a limitation.”
Business continuity manager, financial & insurance services, Australia


Another interviewee explained that when looking to switch to other providers of BIA applications, the backing of senior management is critical.

“We highly rely on Microsoft applications for our BIA software, however we are in touch with some other providers but still in the planning stage and will need to have buy-in from the senior management on that.”
Crisis manager, manufacturing, Denmark

Another issue for those unhappy with the BIA is the siloing of the process. The lack of a centralised process can easily result in a BIA that is inefficient while the siloed nature of the findings also reduces the efficacy of finding solutions to meet the established recovery requirements.

“At the moment, our BIA is very much siloed in the sense that each business unit has their own BIA and the interconnectivity between internal functions and internal processes is really not at the level that I want it to be.”
Business continuity manager, financial & insurance services, Australia

In addition, 6.7% of organizations are not currently conducting BIAs. While this appears to be a high level, some of the interviewees specified that they are conducting a process which analyses their priority functions, but in an informal manner. This was particularly evident amongst smaller organizations.

An interviewee from the manufacturing sector explained that their organization does not conduct a BIA process but senior management informally discuss prioritised services and decide a period of time for which they can tolerate losing the operation of this service. In addition, as a manufacturing organization, they maintain a level of stock to ensure that they have a window of time to restore operations to the line which has shut down. Of course, a formalised process does allow information to be shared more effectively and allows others to view the information if a key contributor is absent during a disruption.

“We do not conduct a BIA or any kind of systematic analysis, but top management asserts that something is our highest priority production and service. However, this is based solely on their own impression and thought.”
Risk management, manufacturing, Japan

Elsewhere, another interviewee explained that their organization has recently increased investment in BC and developed an interest in developing a formalised BC programme after managing multiple crises during their many years of operation through informal business continuity processes. However, the practitioner added that they have simplified the BIA in order to increase internal engagement with the process. The same interviewee also explained how they felt that it was important that the BC process fits the needs of the organization.


“While it may pose a hindrance to profit assurance, our company aims to ensure production continuity by stockpiling components and materials for our products. This allows us to have a time buffer in case any disruptions occur in the supply chain.”
Risk management, manufacturing, Japan

“Do we really need to implement the full BIA process the way it’s traditionally done? Or do we just get straight to the point? We know what we do, we know why we do it, we know that we depend on it, and we know that we need to do it. It’s about putting those layers in place so we can get from A to Z in a more efficient and user-friendly type of way for today’s people.”
Head of resilience, industry association, Global

“We need to simplify the process for the people of today, using the same principles. It’s about focusing on the what ifs and capturing that information but getting it more efficiently. The traditional format of the BIA was created some time ago for a different world and in a different time process.”
Head of resilience, industry association, Global


How is technology changing the implementation of the BIA?

Organizations have been increasingly using technology to adapt and mould the BIA process to the needs of their organization. Using technology in the BIA process can have a number of purposes such as automating aspects of the BIA, reducing silos by enabling sharing of BIAs created across the organization, and enabling real-time updates to the process. According to BCI research this year, 40.6% of organizations would like to see technology used to automate the BIA process in some way. However, more than a third of organizations (37.0%) said that they use standard business software (such as Excel) to manage the process and a further third (35.3%) use specialist software which has either been supplied by a third-party (22.7%) or written in-house (12.6%). Given that technology use is already fairly high for BIA purposes, it is easy to see why the use of AI to automate some part of the BIA process is seen as a next step by 40.6% of organizations.

Figure 5. What is your organization’s attitude to using technology to help with the BIA? (We use specialist software from a third party company to manage the BIA process 22.7%; We use specialist software that we have written to manage the BIA process 12.6%; We use standard business software to manage the BIA process 37.0%; other options: We do not use software to manage the BIA process; We do not carry out BIAs; Unsure. Other chart labels: 20.2%, 5.0%, 2.5%)


One of the barriers to the introduction of specialist software into the BIA process has been justifying the cost of investment, although several organizations report that they are considering such a tool, while others are already planning elevated spending next year to fund it. Supporting this, BCI research shows that BC planning software has increased in usage this year, with this software often including a function for the facilitation of the BIA process.

As already discussed in the AI section earlier, one of the themes this year is the implementation of AI across the organization and this extends into the BIA process too. The emerging technology has the potential to automate certain aspects of the BIA process and the survey shows a strong interest in using it for this purpose. The majority (58.8%) of respondents said that they would use AI to automate part of the BIA process but would be keen to retain a human element as well. There is an understandable reticence to allow AI to take full control of such a critical resilience activity because of the relative immaturity of the technology, but 15.1% still said that they would fully embrace an automated BIA. Only 10.1% would not be keen to use AI in the BIA process at all.

An interviewee explained that they may have an opportunity to use Microsoft’s desktop AI tool (Copilot) to automate data gathering across the programme as they use the Microsoft Office suite for BC management instead of other specialised sources of software. However, respondents did flag concerns about sharing sensitive data with AI while noting that retaining a human in the process ensures accountability. Many, including the 16% who are unsure, state that it is too early to make a judgement on the benefits of using AI to automate processes and that further proof of its ability is required before decisions are made.

Figure 6. If an artificial intelligence solution became available to automate the BIA process, what would your attitude to this be? (I would fully embrace it – the more the BIA can be automated, the better 15.1%; I would use it to automate parts of the BIA process but would want to retain human input into the process as well 58.8%; I would not use it – AI cannot be trusted to develop an effective BIA 10.1%; Unsure 16%)


How are organizations managing risk from third-party suppliers?

One of the established and understood outcomes of the BIA process is to identify external dependencies, including suppliers. Survey respondents identified this as a key area for improvement, with many labelling their current tool as insufficient for this purpose. Of course, any inaccuracies in this area are a concern for organizations since this is a significant outcome for the BIA and, as such, the BIA tool’s performance in this area is key.

“I think the way we capture our third-party suppliers is not really linked to the processes or the business functions that they are helping to support. This data is not really the best data that we could use and probably doesn’t provide the level of insights that we want.”
Business continuity manager, financial & insurance services, Australia

This is also a considerable concern for organizations that outsource significant areas of the business. One interviewee recognised their reliance on third-party suppliers and, as a result, has upgraded to dedicated BIA software after previously managing it with Microsoft Excel. The interviewee discussed how they were going beyond the requirements of the BIA for their third-party suppliers, by reviewing their BC exercises, participating in them, as well as making sure that their BC plans are in place and their recovery time objectives (RTOs) are in line with their objectives. Another interviewee considered the role of regulations, particularly relating to operational resilience and the increasing importance of managing third-party relationships through more formal means.

“Over the last two years, during COVID and post-COVID, we have been looking at every third-party and looking at every transaction and all of the IT, software, and hardware they use. We’re essentially trying to do a detailed BIA on suppliers as a step-by-step process to ensure our third parties are resilient — making sure that, if they have access to our systems, that they’re fully resilient as well. If need be, we will get involved in their business continuity and disaster recovery exercises.”
Risk management, professional services, Australia

“CPS 230 is focused on, not only operational risk and business continuity, but also vendor governance. We need to make sure that we understand those third and fourth parties and ensure that we have the right contractual obligations in place to manage them. Our suppliers will be another area that we will look to uplift, from a threat perspective. The financial and economic environment is very much key from our own internal organizational perspective.”
Business continuity manager, financial & insurance services, Australia


The opportunities for technology to improve exercising and training

Exercising remains a critical part of an organization’s business continuity capability and is the indicator of whether plans are as reliable and effective as they may appear on paper.

Therefore, it is no surprise that the role of training and exercising has been one of the major themes throughout the research reports this year. However, there has been some conflict between some of the findings for exercising in 2023. For example, exercises are the most popular method of validation for plans related to cyber resilience with 64.6% of organizations using them. In addition, there has been a sizeable increase in the number of organizations participating in training and exercising related to their emergency and crisis communications plans: 41.2% of respondents claimed that their organization carries out exercising at least twice a year with a further nine in ten organizations carrying out training and exercising at least once a year.

Despite this, when considering the supply chain, 49.6% of organizations have not checked or validated the business continuity arrangements of their key suppliers. Therefore, while exercising is a key priority, it is important that training and exercising is carried out with tier one and n-tier suppliers who do still represent key dependencies within the organization.

On the other hand, other opportunities are coming to fruition for this area. BCI reports have shown how training and exercising is the top priority for organizations looking to introduce new technology into their processes and resilience functions. The advantages of this are clear: improving the accessibility of training and exercising programmes (i.e. reaching those in remote and hybrid working environments), but also the option to increase the flexibility of training and exercising programmes by allowing these to be digested in chunks or at a time that suits personnel. Respondents in the BCI’s Crisis Management Report 2023 spoke about how they were now using microsimulations to help engage senior management in short, bitesize simulation exercises.

“I am automatically scheduling exercise and testing, keeping teams up to date. We use SharePoint for that. If I have those sort of things, we could start plugging those into BIM models for digital twins and we could also start putting it into AI.”
Risk and resilience, education, UK

“Using AI, we could make a digital twin of our university and start testing virtually; we could change our entire environment using the digital twin BIM model. We could also look at our security posture changes, if we plug in some AI and some machine learning. We could determine for example, if we’re attacked in a certain direction, how does that change our security posture.”
Risk and resilience, education, UK

6 Spending in 2024

• Despite global financial pressures, most respondents expect their business continuity and resilience budget to either stay the same or rise in 2024.
• Cyber resilience is the area where most respondents expect a higher budget in 2024, showing the extra resources allocated to meeting the rising number of cyber-attacks and other requirements in the digital landscape.


Given the strategic resilience priorities for senior leadership discussed in the first section of this report, respondents were questioned as to whether this would translate into greater investment in 2024.

Encouragingly, 93.8% of respondents said that their BC and resilience budget would either stay the same or increase in 2024, despite the turbulent financial backdrop many organizations are experiencing. The most popular response was that organizations expect it to remain the same (45.3%) while 39.1% expect it to be somewhat higher next year. Only 6.3% believe it will be lower in 2024 compared to 2023; a finding that correlates with the metrics in the BCI Horizon Scan Report 2023.

Figure 7. How will your organization’s overall business continuity and resilience budget change in 2024 compared to 2023? (It will be much higher 9.4%; It will be somewhat higher 39.1%; It will be the same 45.3%; other options: It will be somewhat lower; It will be much lower; We won’t spend any money on this area in 2024. Other chart labels: 4.7%, 1.6%)


Figure 8. How will your organization’s spending on business continuity management change in 2024? (It will be much higher 10.2%; It will be somewhat higher 28.1%; It will be the same 53.1%; other options: It will be somewhat lower; It will be much lower; We won’t spend any money on this area in 2024)

Figure 9. How will your organization’s spending on operational resilience change in 2024? (It will be much higher 11.0%; It will be somewhat higher 34.7%; It will be the same 39.4%; other options: It will be somewhat lower; It will be much lower; We won’t spend any money on this area in 2024)

Other chart labels across Figures 8 and 9: 2.3%, 0.8%, 7.1%, 5.5%, 0.8%, 7.1%


However, when asked to extrapolate out the different components of next year’s budget compared to this year, the findings are mixed. For BCM solely, more than half (53.1%) say that spending on BC management will be the same next year, but 38.3% of organizations will see a somewhat (28.1%) or much higher (10.2%) spend in 2024. Comparatively, this means that more will be spent in other spheres of resilience rather than purely on BC.

For operational resilience, the figures are similar to those for BC. 45.7% of organizations will have a somewhat (34.7%) or much higher (11%) spend on operational resilience in 2024 while a smaller 39.4% say that the budget for this area will stay the same. Operational resilience is on the radar for many organizations at the moment and an increased spend is likely to be linked to investment in people and technology to meet regulations in their industry sector. The BCI Operational Resilience Report 2023 found that most organizations now have an operational resilience programme or project in place, with regulation being the main driver for the implementation process. Therefore, it is understandable why spending is increasing over the next year, particularly as the implementation deadlines for financial services operational resilience regulations around the world are approaching. To add to the spending priorities, in some countries, new considerations are being added to existing regulation frameworks: one such example is the critical third-party service provider framework for the financial services industry, born out of the FCA/PRA/Bank of England Discussion Paper 22/3[16]. This means that critical third-party suppliers to the financial sectors will be bound by similar regulations as their financial services customers. It also supports the previous finding in this report which showed senior leadership placing operational resilience as one of the key strategic priorities.

Figure 10. How will your organization’s spending on cyber resilience change in 2024? (It will be much higher 16.8%; It will be somewhat higher 48.0%; It will be the same 32.8%; other options: It will be somewhat lower; It will be much lower; We won’t spend any money on this area in 2024. Other chart labels: 1.6%, 0.8%)


The resilience area which is due for the biggest rise in expenditure in 2024 is cyber resilience. Almost two-thirds of organizations (64.8%) will see higher spending in the area in 2024, with 16.8% believing they will get much higher spending, and a further 48.0% hopeful of somewhat higher spending. The environment for this spending is supported by the development of an increased range of technologies used to support BC and resilience functions, as well as the high level of senior management attention to the subject. The role of cyber resilience as a key priority for senior leadership is clear, since only 2.4% of organizations will have lower or no spending in this area within 2024.

In terms of crisis management, fewer respondents thought that expenditure will increase in the area. The majority (57.9%) believe funding will remain at the same level in 2024, with just a third (31.8%) saying spending will be much higher (6.4%) or somewhat higher (25.4%). The BCI Crisis Management Report 2023 showed that some key targets for spending in this area will be both technology and upskilling staff, with education, training, and exercising emerging as the top target for funding.

Figure 11. How will your organization’s spending on crisis management change in 2024? (It will be much higher 6.4%; It will be somewhat higher 25.4%; It will be the same 57.9%; other options: It will be somewhat lower; It will be much lower; We won’t spend any money on this area in 2024. Other chart labels: 5.6%, 4.8%)


As explored within this report, the role of AI in supporting BC and resilience functions is growing and expenditure is rising concurrently. 39.7% of respondents say that their budget for AI will be somewhat higher (32.2%) or much higher (7.4%) in 2024. However, with nearly a third of respondents (30.6%) unsure about spending in the area, it highlights a lack of certainty on how AI may be applied within their organization, but also potential trepidation toward increasing reliance on this technology.

This ‘wait and see’ approach is likely to remain until certainties in the application of the new technology are realised and new regulations and policies become available to ensure use remains ethical and legal.

Figure 12. Overall, how will your organization’s spending on AI change in 2024? (It will be much higher in 2024 than in 2023 7.4%; It will be somewhat higher in 2024 than in 2023 32.2%; Unsure 30.6%; other options: It will be the same; It will be somewhat lower in 2024 than in 2023; It will be much lower in 2024 than in 2023; We won’t spend any money on this area in 2024. Other chart labels: 19.8%, 9.1%, 0.8%)

7 Predictions for next year


Practitioners were questioned about their top
concerns for next year and these will be compared
and contrasted with themes collected in other BCI
research reports from 2023.


Maintaining cyber resilience

The BCI Horizon Scan Report 2023 showed that cyber-attacks are the top concern for organizations in the coming year, with this report corroborating the finding by showing that spending for cyber resilience is set to increase for most organizations in 2024. The Supply Chain Resilience Report 2023 also showed that while cyber-attacks and data breaches were the sixth highest cause of disruption to supply chains over the past 12 months, these still remain the primary concern for supply chains over the next five years. An interviewee also highlighted this concern, predicting an increase in cyber-attacks on a global scale, and explored the implications of attacks on global supply chains.

“Globally cyber-attacks will increase. I can also see global supply chains being hit, especially with what’s going on in Eastern Europe, especially on food and change to grain. You can already see that starting to happen in the African continent.”
Risk and resilience, education, UK

The legacy of COVID-19

BCI research reports over the past four years have shown how the COVID-19 pandemic forced many organizations to reconsider and reevaluate their BC plans. In this sense, the pandemic also provided an opportunity for organizations to learn and implement changes to their plans to increase ongoing resilience.

The BCI Crisis Management Report 2023 showed that most organizations have changed their approach to crisis management as a result of the learnings from the pandemic and have implemented it in response to other significant disruptions, such as the conflict in Ukraine.

It is critical that the learnings from events are implemented and incorporated into organizational policy going forward, particularly as, this year, BCI research has shown that the window of opportunity to incorporate lessons learned from the pandemic into organizations is closing as the legacy of pressures caused by the pandemic begins to recede.

Looking ahead, practitioners also noted that the risk of the pandemic is not over but other non-occupational disease concerns may also be on the horizon for organizations due to changes in climate. Also, given a new pandemic is deemed as still being a likely occurrence, organizations need to ensure they are prepared for such a scenario, particularly as a new pandemic is unlikely to have the same characteristics as COVID-19.

“We were told to plan for a pandemic, there’s already some diseases that are insect-borne and are starting to appear in the Mediterranean and are moving north over Europe because of climate change. The Health Protection Agency are already looking at disease X, they’ve already identified there are insect-borne diseases and bacteria starting to appear in the country or into Southern Europe that could pose a long-term threat. I think we will have health issues over the next 10, 20 years that we’ve probably not faced before, and I think COVID is only just the start of it.”
Risk and resilience, education, UK


Losing power to essential services

Large-scale events could also take the form of impacts to critical national infrastructure and, in particular, interruptions to national energy supply. Loadshedding is already causing significant problems for South African organizations and the BCI Horizon Scan Report 2023 showed that interruption to energy supply was considered the top risk for 2024 by South African practitioners. A practitioner based in the country noted the impact of loadshedding on their organization’s cost of operation as well as the multitude of other areas that it touches. The practitioner also considered how the cost of diesel has risen in the country and how this is impacting the use of alternative power supplies, such as the use of generators, adding that the increased cost may mean that organizations use these supplies as a last resort to purely stay in business during loadshedding.

However, with power remaining in short supply in some countries, other countries may follow suit. Indeed, practitioners in the UK explored the consequence of organizations being asked to voluntarily switch off their supply at peak times this year, particularly as the UK attempts to meet its target for electricity generation this winter.

“There is a 10% chance of brownout on electrical supplies this winter however, if we get a sudden stratospheric warming event over the Arctic and the jet stream was in a certain position along with a Beast from the East barrelling in from Siberia: you could put massive demands on electricity.”
Risk and resilience, education, UK

In September 2023, the UK National Grid’s Electricity System Operator (ESO) explained that the risk of interruptions to energy supply is lower this year than in 2022. Last year, the ESO prepared a scenario with three-hour-long planned power outages as it contended with the reduced gas supply from Russia and lower stocks than expected. This year, higher storage levels across Europe and a greater supply of power from France are expected to mitigate the risk of blackouts in the UK and Europe¹⁷. Indeed, in 2023, supply of power in the UK is expected to exceed demand by 4.4 gigawatts compared to 3.7 gigawatts last year¹⁸. However, practitioners are also considering the potential impacts of extreme weather events on power supply, as well as potential sabotage to power cables. Overall, interruption to power supply is one of the top five risks for 2024, according to the BCI Horizon Scan Report 2023.

“We don’t have gas storage in the UK, but the gas and energy sectors have adapted for that; we’ve increased wind, but electricity and power are still a risk. We are already seeing the impact in the shops with the cost of goods going up in the supply chain; and it’s down to logistics and manufacturing costs.”
Risk and resilience, education, UK

“If you knock out energy, it’s also going to impact manufacturing, so manufacturing costs will go up and everything suddenly becomes more expensive. The key to it all is gas.”
Risk and resilience, education, UK


How will organizations handle climate risk?

BCI research this year showed that 44.0% of organizations have seen a moderate or significant impact from climate-related events over the past five years. Going forward, risks posed to organizations as a result of climate change are set to increase. Indeed, the mounting effects of climate change have received much attention over the past year, as unprecedented extreme weather events take hold and increase climate risk for organizations.

Climate risk is another strand, much like others seen in this report, that connects and amplifies already existing concerns for organizations. For instance, the BCI Climate Risk Report 2023 showed the impact of climate events on global supply chains by exploring how more than half of respondents reported delays or were unable to deliver critical products as transportation routes were disrupted by climate-related events. In these instances, the worsening climate needs to be added as a risk into every organization’s risk register, and senior management need to be made aware of it. In this example, climate risk would be considered as a risk to the management of an organization’s supply chain, thereby allowing it to identify any vulnerabilities for both itself and its supplier network before any disruption occurs.

Looking ahead, BCI research shows that there are key elements of climate risk that organizations are prioritising in the coming years. These include flooding, extreme heat/heatwaves, hurricanes, and tornadoes, as well as wildfires.

For some, climate risk varies from region to region. According to the BCI Horizon Scan Report 2023, for example, extreme weather events were the most disruptive event for North America and Asia this year, as organizations faced challenges with extreme heat/wildfires and flooding, respectively.

However, even outside these areas, wildfires are increasing and temperature and rainfall extremes are being recorded frequently. Furthermore, multinational organizations may also be facing considerably different elements of climate risk from their operations in different countries at the same time. However, climate risk does have a considerable effect on supply chains, so organizations will need to monitor the effects of extreme weather on their critical suppliers, as well as the tier two (and beyond) suppliers of these critical suppliers.

“In recent years we’ve gone through lots of flood events, but now we’re coming into droughts and fires. We did have severe fires, probably two or three years ago. All of those different environmental factors are something that we really need to consider.”
Business continuity manager, financial & insurance services, Australia


The importance of meeting new regulations

At the start of this report, we saw how regulatory requirements and new standards were one of the top strategic concerns for senior leadership in an organization and this is expected to remain the case going into 2024.

“APRA have brought out their new CPS 230 Operational Risk Management standard. Our regulator introduced the implementation dates for the end of this year. However, based on feedback during the consultation period, they’ve pushed that timeframe back to July 2025. Even so, they’re wanting to see progress towards meeting the new requirements at certain stages throughout that timeframe. This is really a massive focus for us now to be prepared and on the front foot to make sure that we hit that regulatory timeframe and demonstrate compliance.”
Business continuity manager, financial & insurance services, Australia

However, over the coming months, organizations will also be exploring their capacity to meet the requirements laid out in the regulations. For this, practitioners may need to fully utilise the support from senior management in this area, particularly when it comes to resourcing and financial support, as well as ensuring buy-in for key procedures such as upgrading BIA processes where necessary.

One interviewee explained that they reviewed some of the available tools in the market for conducting BIAs and chose the tool that allowed the organization to see the interconnectivity of its data points and gain an end-to-end view of its processes.

“We are going to move into a governance risk and compliance tool so that we’ll have a one-stop source of data, that includes our vendor management, connecting it to our risks, controls, and incidents. If an incident occurs and it gets escalated, what business functions will be impacted? What critical operations will be impacted? As we approach CPS 230, having that very clear picture on those end-to-end operations and the different resources that support it is going to be a key factor for the regulator.”
Business continuity manager, financial & insurance services, Australia

This does highlight the requirement for clear support from top management in acquiring the right tools and processes in order to meet the necessary requirements in upcoming regulations. It also demonstrates how regulations can go some way in ensuring resilience best practice within an organization.

Top five takeaways for practitioners

Cyber security is the top concern for senior managers and practitioners alike for 2024 – prepare staff:
Cyber-attacks are still increasing in number but
attackers are altering their attack vectors and using
more targeted, personalised, attacks to bring them
greater reward. State-sponsored attacks are on
the increase and AI is bringing more opportunities
for attackers to gain access to corporate systems.
While most organizations have built up effective
technology defences, the weakest line of defence
remains that between the computer and the user.

What resilience professionals need to do:


Training staff on at least a monthly basis to be able
to detect malicious emails and ensure that breaches
cannot happen, together with regular penetration
testing, can be key to ensuring that an organization
does not fall victim to attacks.


Renewed attention on supply chain resilience is needed:

Management attention on supply chain resilience has waned, yet the risks of disruption continue to grow. There is the sense among some practitioners and senior managers that: “We got through COVID, we can get through anything.” However, with key transport routes being blocked due to extreme weather events (e.g. the Panama Canal), rising fuel prices, increasing fuel shortages, and talent shortages, supply chains remain extremely vulnerable.

What resilience professionals need to do:

Ensure that focus is maintained on supply chain management, informing senior management of emerging risks and continuing to prioritise horizon scanning. Organizations need to invest in technology where possible, to assist with supply chain mapping to fully understand where vulnerabilities (such as backup suppliers sourcing from the same tier 2 supplier) are. Regular meetings should be maintained with critical suppliers to gain first-hand insight into potential disruptions to come; and organizations should ensure that due diligence processes are in place before contracts have been signed.

Maintain resilience amongst the workforce:

COVID-19 firmly placed physical and mental health of employees at the top of management agendas. Whilst COVID-19 may not have had the acute burden on physical health that many had predicted at the start of the pandemic, it did have significant repercussions on workers’ mental health as a result of staff being furloughed, some losing their jobs, and others suffering due to persistent lockdowns impacting on their wellbeing outside the workplace. BCI research this year shows that organizations are lessening the mental health support that they provided during the pandemic, while some staff are finding that some of the methods to increase wellbeing (e.g. yoga classes, wellbeing webinars) no longer provide the level of support they need.

What resilience professionals need to do:

A reduced workforce can mean reduced organizational resilience. During the COVID-19 pandemic, many organizations introduced wellbeing activities into the workplace to improve employee wellbeing. These included such things as webinars, lunchtime yoga sessions, fruit baskets, and gym membership. However, new research is showing that such gestures are no longer having the impact they previously did and resilience professionals should consider working with HR to make changes which fit more effectively into employees’ mindsets and daily agendas. The use of lunchtime special interest groups, AI tools to help with employee task prioritisation, and creating a no-blame culture of support and authenticity are now considered more effective ways of improving wellbeing¹⁹.


Embrace AI with caution:

The use of AI in resilience settings has risen to a historic high in 2023. Organizations are looking at AI to improve processes (e.g. streamlining the BIA process or to provide more effective risk mapping), supply chain management, and training and exercising (e.g. using AI to create engaging and unique scenarios for exercises). However, most professionals are still not willing to allow AI to completely take over workplace tasks. While AI can be useful to help produce BIAs, for example, it still lacks the intuition to allow it to be used without human intervention. Furthermore, the lack of consistent regulation of AI means that some are unwilling to use it because of the risk attached to using a technology which is still fairly embryonic in its maturity.

What resilience professionals need to do:

AI’s effectiveness in transforming aspects of resilience settings should at the least be tracked by resilience professionals: the capabilities of AI are only set to increase in the future and ignoring them could lead to competitive disadvantage. Consider trialling tools and technologies that have already been tried and tested by resilience professionals and engaging with other professionals in special interest groups to stay at the forefront of industry developments.

Regulation – use it to your benefit:

For many practitioners, regulation may be considered to be an unnecessary burden on time, or merely adding red tape to processes and procedures which have long been proved effective in their own organizational environments. However, with new operational resilience regulations and standards being introduced globally into the financial services sector, resilience professionals are now seeing the c-suite investing in resilience in order to meet regulatory requirements. Furthermore, with operational resilience regulations now extending to third parties outside the finance sector, the need to comply is stretching into IT providers, cloud solutions providers, and outsourcing providers.

What resilience professionals need to do:

Ensure that you keep fully abreast of emerging regulations and highlight any changes to senior management/c-suite (if they are not already aware). This report shows that most resilience professionals expect their budgets to stay the same or increase next year and the added obligation to comply with regulations could see additional funding going towards resilience departments. However, as always with regulations, resilience professionals should ensure that they are not merely using a tick box exercise to comply and, instead, are engaging the whole organization to ensure that a resilient approach is applied by all. Most of the operational resilience regulations have been well received by professionals and there are movements in some countries to try and get wider industry adoption, too.

Annex

Survey dates: 28 August to 22 September 2023
Respondents: 158
Countries: 39
Sectors: 18
Respondent interviews: 10

Figure 13. Which of the following best describes your functional role? (Response options: Business continuity; Risk management; Operational resilience; Consulting; Organizational resilience; Crisis management; IT disaster recovery/IT service continuity; Quality/business improvement; Emergency planning; Communications; Health and safety management; Physical security; Line of business or service directorate; Information security; Internal audit; Top management; Other.)


Figure 14. What sector does your company belong to? (Response options: Financial & insurance services; Professional services; Public administration & defence; Health & social care; IT & communications; Education; Transport & storage; Energy & utility services; Retail & wholesale; Manufacturing; Telecommunications; Engineering & construction; Agriculture, forestry & fishing; Charity; Industry association; Media, marketing & entertainment; Support services.)

Figure 15. Which region are you based in? (Response options: Europe; North America; Australasia; Asia; Africa; Middle East; Latin America & the Caribbean.)


Figure 16. How many countries does your organization operate in?

1 to 10: 68.2%
11 to 20: 7.5%
21 to 50: 9.4%
51 to 100: 4.8%
More than 100: 10.1%

Figure 17. Approximately how many employees are there in your organization globally?

More than 100,000: 6.5%
50,001 - 100,000: 3.9%
10,001 - 50,000: 16.9%
5,001 - 10,000: 18.2%
1,001 - 5,000: 24.7%
501 - 1,000: 9.1%
251 - 500: 3.3%
101-250: 2.0%
51-100: 3.3%
21-50: 1.3%
11-20: 1.3%
1-10: 9.7%


About the authors


Rachael Elliott
(Head of Thought Leadership, The BCI)
Rachael has twenty years’ experience leading commercial research within organizations
such as HSBC, BDO LLP, Marakon Associates, CBRE, and BCMS. She has particular
expertise in the technology and telecoms, retail, manufacturing, and real estate sectors.
Her research has been used in Parliament to help develop government industrial strategy
and the BDO High Street Sales Tracker, which Rachael was instrumental in developing, is
still the UK’s primary barometer for tracking high street sales performance. She maintains
a keen interest in competitive intelligence and investigative research techniques.
She can be contacted at rachael.elliott@thebci.org

Kieran Matthews
Content Manager, The BCI
Kieran has several years of experience in developing and delivering content strategies
for many different publications, both in print and online. He has also been involved
in large-scale research projects to explore regional market dynamics in different
industries, using both open-source and quantitative research methods. Through his
work, Kieran has used various research techniques to engage with topics of interest,
such as environmental and sustainability issues, supply chain resilience, and the impacts
of emerging technology on industry.
He can be contacted at kieran.matthews@thebci.org

Maria Florencia Lombardero Garcia
(Research Manager, The BCI)
Maria has over 15 years of experience in academic and market research and has been
responsible for the design and implementation of a wide range of policies within public
and private organizations such as the Argentine Ministry of Defence, RESDAL, and BMI
(Fitch Group). She has served as a policy advisor and political analyst at the Argentine
Ministry of Defence and coordinated the Argentine National Security Council’s Office.
She has particular expertise in geopolitical risk, defence, and intelligence and her work
has been applied to develop government defence strategies and draft legislation on the
matter. Her areas of interest relate to open-source research and how geopolitics impacts
resilience within organizations.
She can be contacted at maria.garcia@thebci.org


About the BCI


Founded in 1994 with the aim of promoting a more resilient world, the BCI has
established itself as the world’s leading institute for business continuity and resilience.
The BCI has become the membership and certifying organization of choice for
business continuity and resilience professionals globally with over 9,000 members in
more than 100 countries, working in an estimated 3,000 organizations in the private,
public, and third sectors. The vast experience of the Institute’s broad membership
and partner network is built into its world class education, continuing professional
development, and networking activities. Every year, more than 1,500 people choose
BCI training, with options ranging from short awareness raising tools to a full academic
qualification, available online and in a classroom. The Institute stands for excellence
in the resilience profession and its globally recognised Certified grades provide
assurance of technical and professional competency. The BCI offers a wide range of
resources for professionals seeking to raise their organization’s level of resilience and
its extensive thought leadership and research programme helps drive the industry
forward. With approximately 120 partners worldwide, the BCI Corporate Membership
offers organizations the opportunity to work with the BCI in promoting best practice in
business continuity and resilience.
The BCI welcomes everyone with an interest in building resilient organizations from
newcomers, experienced professionals, and organizations. Further information about
The BCI is available at www.thebci.org.
Contact The BCI
+44 118 947 8215 | bci@thebci.org
9 Greyfriars Road, Reading, Berkshire, RG1 1NU, UK

About Riskonnect
Riskonnect is the leading integrated risk management software solution provider.
Our technology empowers organizations with the ability to anticipate, manage, and
respond in real-time to strategic and operational risks across the extended enterprise.

More than 2,000 customers across six continents use our unique risk-correlation
technology to gain previously unattainable insights that deliver better business
outcomes. Riskonnect has more than 800 risk management experts in the Americas,
Europe, and Asia.

To learn more, visit riskonnect.com.


References

1. CPS 230 operational risk management, APRA (online). Available at: https://www.apra.gov.au/operational-risk-management (last accessed 13 November 2023)

2. FCA, The (2019): The Senior Managers and Certification Regime: Guide for FCA solo-regulated firms. FCA. Available at: https://www.fca.org.uk/publication/policy/guide-for-fca-solo-regulated-firms.pdf (last accessed 29 November 2023)

3. Hitchens, S and others (2023). FCA and PRA enforcement trends: operational resilience. Allen & Overy (online). Available at: https://www.allenovery.com/en-gb/global/blogs/investigations-insight/fca-and-pra-enforcement-trends-operational-resilience (last accessed 21 November 2023)

4. Page, C (2023). MOVEit, the biggest hack of the year, by the numbers, Join TechCrunch+ (online). Available at: https://techcrunch.com/2023/08/25/moveit-mass-hack-by-the-numbers/?guccounter=1 (last accessed 14 November 2023)

5. Malaysia plans to accelerate its EV and chip sectors as supply chains shift, Financial Times (online). Available at: https://www.ft.com/content/901e3189-038a-4a6a-8284-070d5c1288b9 (last accessed 23 November 2023)

6. Health and wellbeing at work, CIPD (online). Available at: https://www.cipd.org/uk/knowledge/reports/health-well-being-work/ (last accessed 20 November 2023)

7. Wilson, R (2023). Will you be our Valentine?, Verizon (online). Available at: https://www.verizon.com/about/news/speed-february-14-2023 (last accessed 14 November 2023)

8. Department for science, innovation and technology (2023). Safety and security risks of generative artificial intelligence to 2025 (Annex B), UK Government (online). Available at: https://www.gov.uk/government/publications/frontier-ai-capabilities-and-risks-discussion-paper/safety-and-security-risks-of-generative-artificial-intelligence-to-2025-annex-b (last accessed 14 November 2023)

9. Is artificial intelligence the right technology for risk management?, Financial Times (online). Available at: https://www.ft.com/content/ca4e6538-00fe-4c75-b664-90b4b4079863 (last accessed 14 November 2023)

10. La Face, S (2023). Key ways artificial intelligence (AI) will power integrated logistics, Maersk (online). Available at: https://www.maersk.com/insights/integrated-logistics/cloud-and-artificial-intelligence-logistics (last accessed 14 November 2023)

11. Thomson, E (2023), Droughts are creating new supply chain problems. This is what you need to know, World Economic Forum (online). Available at: https://www.weforum.org/agenda/2023/10/drought-trade-rivers-supply-chain/#:~:text=Droughts%20are%20becoming%20more%20frequent,Forum%20fighting%20the%20climate%20crisis%3F (last accessed 23 November 2023)

12. FACT SHEET: President Biden Issues Executive Order on Safe, Secure, and Trustworthy Artificial Intelligence, US White House (online). Available at: https://www.whitehouse.gov/briefing-room/statements-releases/2023/10/30/fact-sheet-president-biden-issues-executive-order-on-safe-secure-and-trustworthy-artificial-intelligence/ (last accessed 15 November 2023)

13. He, L (2023). China takes major step in regulating generative AI services like ChatGPT, CNN Business (online). Available at: https://edition.cnn.com/2023/07/14/tech/china-ai-regulation-intl-hnk/index.html (last accessed 15 November 2023)

14. Zheng, S (2023). China Wants to Regulate Its Artificial Intelligence Sector Without Crushing It, Time (online). Available at: https://time.com/6304831/china-ai-regulations/ (last accessed 15 November 2023)

15. EU AI Act to serve as blueprint for global rules, Benifei says, Reuters (online). Available at: https://www.reuters.com/technology/eu-ai-act-serve-blueprint-global-rules-benifei-says-2023-11-08/ (last accessed 15 November 2023)

16. Bank of England/PRA (2022). DP3/22 – Operational resilience: Critical third parties to the UK financial sector. Bank of England/PRA/FCA. 21 July 2022. Available at: https://www.bankofengland.co.uk/prudential-regulation/publication/2022/july/operational-resilience-critical-third-parties-uk-financial-sector (last accessed 19 November 2023)

17. Lawson, A (2023) ‘National Grid says blackouts less likely this winter’, The Guardian (last accessed: 23 November) https://www.theguardian.com/business/2023/sep/28/national-grid-blackouts-this-winter-great-britain

18. Twidale, S (2023) ‘Britain’s energy grid operators expect sufficient supplies this winter’, Reuters (last accessed: 28 September) https://www.reuters.com/business/energy/britains-energy-grid-operators-expect-sufficient-supplies-this-winter-2023-09-27/

19. Darmody, J. (2022): Why lunchtime yoga does not count as a work wellbeing culture. Silicon Republic (14 January 2022). Available at: https://www.siliconrepublic.com/careers/workplace-wellbeing-lunchtime-yoga (last accessed 27 November 2023)

BCI Bibliography

Elliott, R and others (2023), BCI Supply Chain Resilience Report 2023, The BCI (online). Available at: https://www.thebci.org/resource/bci-continuity-and-resilience-report-2023.html (last accessed 13 November 2023)

Elliott, R and others (2023), BCI Emergency Communications Report 2023, The BCI (online). Available at: https://www.thebci.org/resource/bci-continuity-and-resilience-report-2023.html (last accessed 13 November 2023)

Elliott, R and others (2023), BCI Cyber Resilience Report 2023, The BCI (online). Available at: https://www.thebci.org/resource/bci-cyber-resilience-report-2023.html (last accessed 14 November 2023)

Elliott, R and others (2023), BCI Continuity And Resilience Report 2023, The BCI (online). Available at: https://www.thebci.org/resource/bci-continuity-and-resilience-report-2023.html (last accessed 13 November 2023)

Elliott, R. & Garcia, M.F.L. (2023), BCI Horizon Scan Report 2023. The BCI (online). Available at: https://www.thebci.org/resource/bci-horizon-scan-report-2023.html (last accessed 15 November 2023)

Elliott, R and others (2023), BCI Operational Resilience Report 2023, The BCI. Available at: https://www.thebci.org/resource/bci-operational-resilience-report-2023.html (last accessed 12 November 2023)

Elliott, R and others (2023), BCI Technology In Resilience Report 2023, The BCI (online). Available at: https://www.thebci.org/resource/bci-technology-in-resilience-report-2023.html (last accessed 13 November 2023)

The BCI Good Practice Guidelines (GPG) 7.0 Edition, The BCI (online). Available at: https://www.thebci.org/resource/good-practice-guidelines--gpg--edition-7-0.html (last accessed 13 November 2023)

Correct as of November 2023

