Professional Documents
Culture Documents
BCI A Year in The World of Resilience Report 2023
BCI A Year in The World of Resilience Report 2023
org
Contents
Executive summary 7
Spending in 2024 50
Annex 68
Foreword
Welcome to the first edition of the BCI’s A Year in the World of
Resilience Report. This seeks to form conclusions gained from
the monthly reports that the BCI has published through the
year. These have covered disparate subject areas relating to
resilience and the current report pulls all the key insights into
one place, as well as injecting current practitioner views on how
these findings will translate into working practices for resilience
professionals in 2024.
We are very grateful to Riskonnect for their sponsorship of this
new report in our portfolio.
2023 is now drawing to a close and, for us, the year can be
categorised into three themes. Firstly, there have been huge
advances in technology this year, both advantageous and
disadvantageous to organizational resilience. Secondly, after
years of practitioners and senior management being engaged
in the response to COVID-19, there are early signs that apathy
is creeping in to operational and strategic resilience planning.
Finally, the human side of resilience is a key theme throughout
the reports this year: from both a wellbeing perspective and
from a risk perspective.
This year, the use of artificial intelligence (AI) has seen
its highest growth ever in resilience settings, with some
practitioners keen to exploit its benefits from a planning, data
mining, and analytical perspective. Training and exercising
are being transformed through AI-built scenario plans and
the BIA process can be made more efficient through the use
of AI. However, many professionals are still erring on the side
of caution, taking a risk-based approach to adoption until
regulation and better controls are in place. Indeed, a ‘wait and
see’ approach is commonly seen. Furthermore, with cybercrime
on the increase and attacks becoming more sophisticated and
targeted, management concern is clearly warranted. However,
with senior management keen to increase investment in
technology in 2024, the benefits are certainly outweighing the
risks – for the time being.
3
A Year in the World of Resilience 2023
A BCI Report
Rachael Elliott
Head of Thought Leadership
The BCI
Foreword
Riskonnect, who acquired Castellan Solutions in July 2022,
is very pleased to sponsor the BCI’s inaugural A Year in the
World of Resilience Report. This thought leadership document
summarises the considerable research performed by the BCI
throughout calendar year 2023.
5
A Year in the World of Resilience 2023
A BCI Report
This report excels in covering the topic and I firmly expect that
AI will be a focus of discussion in 2024 and beyond. It offers
perspective on the value proposition associated with AI and
the business impact analysis process, including automation
and improvements to the identification of dependencies. Next
year, I expect we will start focusing on how AI will contribute to
the identification of third- and fourth-party vulnerabilities, with
recommendations on proactive risk treatment.
I hope that you enjoy reading this report and trust it arms you
with the information to assist with stakeholder engagement and
planning for 2024 and beyond.
7
A Year in the World of Resilience 2023
A BCI Report
9
A Year in the World of Resilience 2023
A BCI Report
11
2
Strategic
leadership
of resilience
12
Strategic leadership of resilience
13
A Year
BCI in the
A year in World of Resilience
the world 2023
of resilience Report 2023
A BCI Report
Therefore, before exploring some of the key themes within the BCI’s 2023 research reports, it seems
pertinent to open this report by exploring what practitioners think are the current strategic priorities for
senior leadership. To address this, survey respondents were asked to rank the top three areas where senior
leadership is most likely to take a strategic lead in their organization.
Cyber resilience is the top area where senior leadership will be looking to take a strategic lead, with over
half of respondents (56.7%) listing the area as one of their top three areas of focus. This aligns with findings
earlier in the year, where the BCI Cyber Resilience Report 2023 showed that most organizations had a
medium- to high-level of top management commitment in this area.
Which are the top three areas where senior leadership is most likely to take a
strategic lead in your organization?
Implementation of
artificial intelligence 14.2%
Other 1.7%
% 0 10 20 30 40 50 60
Figure 1. Which are the top three areas where senior leadership is most likely to take a strategic lead in
your organization?
15
A Year
BCI in the
A year in World of Resilience
the world 2023
of resilience Report 2023
A BCI Report
The BCI Operational Resilience Report 2023 also showed how important
regulation was for driving operational resilience programmes: figures
from the report showed that most organizations without a programme
did not have one due to not having to comply to regulation. This is
further supported by the finding that one of the top areas for senior
management to take a strategic lead is with regulatory requirements
(41.7%). As noted above, this is related to their role in the implementation
of these regulations, but it also reflects the severity of the repercussions
for an organization not complying with the regulations, with fines for
non-compliance already issued in the UK3.
17
A Year
BCI in the
A year in World of Resilience
the world 2023
of resilience Report 2023
A BCI Report
19
3
Practitioner
priorities for
2024
20
Strategic leadership
Practitioner of resilience
priorities for 2024
21
A Year
BCI in the
A year in World of Resilience
the world 2023
of resilience Report 2023
A BCI Report
As shown already, the same is clear here: with respondents claiming cyber
resilience to be the top priority with senior leadership. In addition to this,
despite cyber-attacks being the most disruptive event this year for just 6.1%
of organizations, this area was still rated as the most significant risk for both
the coming 12 months and in the mid- to long-term (next 5-10 years) in the
BCI Horizon Scan Report 2023. This concern is likely to be because of the
financial and reputational implications of attacks.
“You see a lot of attacks at the time of year when new students
join. Someone thinks it’s great fun to go and attack the
university from the inside.”
Risk and resilience, education, UK
“We are seeing a lot of organized teams and gangs that are
backed by foreign states attacking the higher education sector.
To date, there’s been about fourteen or fifteen universities hit
this year, there is no reason to suggest they will back off, it will
continue; they are after research.”
Risk and resilience, education, UK
“It’s not all about defence, it’s also about support for our
stakeholders, for our students.”
Risk and resilience, education, UK
23
A Year
BCI in the
A year in World of Resilience
the world 2023
of resilience Report 2023
A BCI Report
25
A Year
BCI in the
A year in World of Resilience
the world 2023
of resilience Report 2023
A BCI Report
“If we look at the last year, there were “We have experienced issues with
challenges for supply chain arrangements the supply chain in the COVID era,
with our customers because of the especially transportation. We were
Ukraine and Russia war. This year, the unable to secure sufficient capacity
political situations in African countries to transport our products from the
(the Economic Community of West African factory to the market via ship or
States; ECOWAS) and the simultaneous plane. We have also had difficulty
military coup attempt in a few of the Sahel obtaining semiconductor parts from
regions has ultimately impacted some of semiconductor companies. So, the lack
our business operations in those countries. of supply chain resilience has been a
We continue to see many countries within significant problem for suppliers and
a conflict zone and ultimately it is quite manufacturers; these vulnerabilities will
challenging to support our people and not disappear any time soon.”
our operating projects in those countries.” Risk management, manufacturing,
Crisis manager, manufacturing, Denmark Japan
Expectations from consumers remain the same In terms of good practice and ensuring supply
despite the issues facing global supply chains. chain resilience, this report’s findings align with
It is therefore critical that resilience is built into those in the BCI Supply Chain Resilience Report
these supply chains to ensure that orders can 2023 which showed that 73.6% of respondents
be processed and met on time, in order to usually ask key suppliers whether they have
remain competitive and sustain the organization’s business continuity measures in place. Reviewing
reputation. Organizations also should consider the resilience of potential suppliers should be a
working with their external communications critical part of the procurement process (i.e. before
departments to ensure messaging is ready entering into a contract), but it is also important to
should an unexpected disruption happen. review the BC measures for ongoing suppliers on a
regular basis as well.
An interviewee from the manufacturing sector
explored the issues that they have faced with
distribution throughout their supply chain and in “Clients are expecting us to have
the semiconductor market this year. The global business continuity measures in place
semiconductor shortage has been a major threat and so they should, but we should also
for the manufacturing and technology sectors since be asking our suppliers if they have BC
the COVID-19 pandemic exposed the challenges too. We should all be asking: ‘What’s it
in this sector due to a reliance on suppliers for and how valid is it, does it cover the
in Asia. Indeed this, along with trade-related service that we’re providing, and vice
tensions between the US and China, has seen versa?’ This is what gives us a greater
manufacturers look to diversify the production resilience capability.”
of semiconductor chips into new countries in
order to build resilience into this supply chain5. Head of resilience, industry association, UK
27
A Year
BCI in the
A year in World of Resilience
the world 2023
of resilience Report 2023
A BCI Report
The BCI Horizon Scan Report 2023 also showcased the impact of this theme for organizations. Firstly,
corroborating the result seen in the 2023 BCI Supply Chain Report, the greatest disruptor for organizations
over the past 12 months has been health incidents, such as occupational disease leading to a sickness
absence. In addition, the report showed that the greatest consequence of disruptions was a loss of
productivity in organizations’ workforces, once again highlighting the importance of ensuring that
employees remain physically and mentally well, are incentivised with their work, and have the tools to be
able to perform their role to the best that they can do.
Supporting this, the Chartered Institute for Personnel and Development (CIPD) reported the highest
employee sickness absence rate in the UK for a decade6. The CIPD’s report also showed that 76% of
respondents saw some stress-related absences in their organizations but, positively, over three-quarters
of organizations are making progress in identifying this cause and are attempting to reduce it through
methods such as flexible working options and employee assistance programmes.
Exploring other elements of this critical topic, the BCI Emergency Communications Report 2023 found
that human errors were the most common cause of failure within emergency communications plans.
For example, almost half of organizations claimed that change to plan failures were related to the lack
of maintaining accurate staff information. Such failures also point to a lack of training and exercising
taking place, which would allow the workforce to better understand their roles when the emergency
communication plan is activated and would also highlight errors in contact information.
The BCI Cyber Resilience Report 2023 supported this theme further by showing that human error was
the most common reason for cyber criminals being successful in their attacks. In this case, it could be
employees unintentionally clicking and opening malicious links in an email, or using unsecured public Wi-Fi.
The similarities to the vulnerabilities shown in the BCI Emergency Communication Report 2023 are clear,
with a similar solution of increasing exercising and training being recognised.
29
A Year
BCI in the
A year in World of Resilience
the world 2023
of resilience Report 2023
A BCI Report
%
can help resilience, but also hinder it, depending
.5
21
on the setting. A further 21.5% believe it to be
solely a resilience enabler, whilst just 0.8% believe
41.3
% it is a hindrance. However, with 41.3% still unsure as
How do you to how it could help or hinder their organization’s
0.8%
resilience, there is clearly some way to go before AI
consider the role can be fully trusted with making important business
of AI within your decisions.
organization?
This paints the picture that BC and resilience
practitioners see the potential for AI to become a
key part of the resilience function going forward,
but many also remain cautious about its potential
36
.
A resilience disabler
“The disabler would be when we get
‘hallucinations’ or the wrong answers to
our questions. What’s the source data
that it is generating its results from?
Both, resilience enabler/disabler, So, we need to develop guardrails and
depending on the use do it responsibly. This has been a real
concern of ours and it was a focus even
before ChatGPT and everything that
has happened since the end of last year.
We were already looking at this because
we saw it looming on the horizon. It’s
Unsure
a great new technology. We can get a
lot of benefit from it, but we have to be
cautious on how we proceed.”
Resilience manager,
Figure 2. How do you consider the role of AI
information technology, USA
within your organization?
31
A Year
BCI in the
A year in World of Resilience
the world 2023
of resilience Report 2023
A BCI Report
Practitioners are also concerned about the Other professionals are likely to be considering
addition of another element of risk into an the threats to cyber resilience which can be posed
already crowded risk environment. Indeed, one by generative AI. Indeed, some organizations are
interviewee explained that there is a concern now banning or severely limiting the amount that
about spending an inordinate amount of time ChatGPT can be used in organizations. In February
determining whether AI is a resilience enabler or 2023, the North American telecommunications
disabler and missing other threats which are still provider Verizon outlined that ChatGPT was not
of high risk to the organization. accessible from its corporate systems, stating that
their priority is to its key stakeholders and, as such,
it has to be thoughtful when introducing a new and
“We could spend time thinking about emerging technology. The organization also noted
the AI side of it, but, actually while that the technology was not accessible through its
we’re spending time thinking about corporate systems as it could put the organization
that, we’re not actually doing the at risk “Of losing control of customer information,
bit that we should be. Whatever AI source code, and more.”7 In contrast, comments in the
will bring, positively or negatively, research rooms at BCI World Hybrid 2023 showed
down the line or how we consider it that other organizations were embracing AI internally
as part of our process, it still doesn’t to support collaborative working practices, as well
change the fundamental element as ensuring that information could easily be found
of what could go wrong naturally, on servers. This highlights the delicate balancing
technologically, or through terrorism act that organizations will find themselves trying to
or human nature, as part of what manoeuvre when assessing their risk appetite for the
could impact on our business and usage of AI.
how we navigate our way through
One interviewee explained that including AI in their
that if that happens.”
operations introduces risk both internally (as seen
Business continuity manager, above) and externally (throughout their supply chain)
financial & insurance services, Australia when considering data control.
33
A Year
BCI in the
A year in World of Resilience
the world 2023
of resilience Report 2023
A BCI Report
In terms of how AI might be used to improve Similarly, another interviewee explained that AI is
the resilience of an organization, 47.5% of being used to increase efficiency and filter customer
respondents in the BCI Technology In Resilience support queries, so those which cannot be resolved by
Report 2023 stated that it could be used to an automated function can be handled by an internal
improve an organization’s risk assessment support team.
process. Indeed, data can be collected from
internal and external sources and analysed to
show patterns or trends, which may identify “For us in enterprise risk management, AI
future threats or risks. The organization can is all about the customer experience and
then proactively adapt their own operations ensuring operational resilience. We’re into
to mitigate the impact of this threat. Some of digital marketing and what we’re trying to
the data points which could be used for the do is make the customer experience more
risk assessment could be near misses logged efficient, so we’re very heavily involved in
by the organization, environmental data, social chat boxes or automated email responses.
media feeds, or live supply chain disruption Then, if the customer doesn’t get what they
information. want, then they can go to online support.”
However, different sectors face different risks and the method of AI usage to mitigate threats would be
different. In financial services organizations, for example, some are using AI to identify fraud and financial
crime. A current estimate suggests that more than half of large financial institutions are, at present, using AI
to manage risk,9 with the developments in generative AI helping this process along. It is also important to
note that other iterations of AI have been in use to support the resilience of operations for some time. An
interviewee from the manufacturing sector explained that their organization has been using the technology
to detect defected items on a production line.
“AI has been used for a long time in our “It would be useful if we could
factory to inspect products and remove the employ generative AI to plot and
defective ones. AI utilises a pattern matching generate scenarios for our BC
method in our manufacturing process, which exercises and tabletop exercises.”
is highly beneficial for quality control.” Risk management, manufacturing,
Risk management, manufacturing, Japan Japan
35
A Year
BCI in the
A year in World of Resilience
the world 2023
of resilience Report 2023
A BCI Report
%
10.7
Many countries are now
29
.8% seeking to regulate AI
Some of the reticence around exploring the
When it comes to 19.8% benefits of AI in resilience settings is because
supporting your of the current lack of universal regulations
around the technology. Therefore, the
resilience activities in
introduction of regulations may be one of the
2024, how important controls that can help AI become a resilience
will AI be? enabler within organizations.
37
A Year
BCI in the
A year in World of Resilience
the world 2023
of resilience Report 2023
A BCI Report
The European Union has also drafted legislation With all of this in mind, where does that leave
relating to the use of artificial intelligence and organizations in the year ahead regarding the
those involved in the creation of the EU AI Act have use of AI as a tool for resilience? An interviewee
already suggested that these rules could be used as noted that for 2024, their priority is still “About
a guideline for other countries15. This is similar to how putting in place what we know we need to
the UK’s FCA/PRA/Bank of England Operational have in terms of the right people, right place,
Resilience framework has provided a framework for right time, and right resources.” For example,
other similar regulations around the globe. in terms of people, the interviewee noted that
the processes within their organizations are still
However, if already using the technology or based around people processes and that AI, as a
intending to rely upon it in the future, businesses technology, will still require a human element to
must also be conscious of how any upcoming function. Going back to whether the technology
regulations impact their usage. One interviewee is a resilience enabler or disabler, they note
discussed how their organization would look to take that their priority is getting the basics of the
a proactive role in the development of regulations BC programme right and then to establish
to ensure that their interests are also represented by whether AI will enhance this resilience capability
the new rules. further or not.
Other interviewees offered their views on AI within their organizations; mostly from a positive perspective.
“We are not highly dependent on AI at “We already have smart tools: special
present because we are a manufacturing data input is coming into a command-
team; IT teams are more inclined towards and-control centre, telling us what the
the artificial intelligence tools.” fault or service areas are and, based on
Crisis manager, manufacturing, that input, a new sales lead is captured.
Denmark This benefits our customers because the
sooner they correct their equipment,
the better their productions are. This
increases the client’s productivity and
revenues which in turn brings
“Whenever there is a diminishing
us more service orders and inflow
product life cycle, these tools (AI) give
of our products.”
us notifications and, based on this
information, it will allow us to have Crisis manager, manufacturing, Denmark
equipment serviced when it is needed,
rather than when a service is due on
the calendar.”
“With AI, we need to leverage the tools
Crisis manager, manufacturing, Denmark
that are available and work out the best
way to integrate them. We always have
a human to make sure that what we’re
doing is ethical, so we need to make
sure that whatever we do still covers off
that governance and to make sure that
everything is done in the right way.”
Business continuity manager,
financial & insurance services, Australia
39
5
How have
attitudes
towards
BC practice
changed
this year?
40
How have attitudes towards BC practice changed this year?
41
A Year
BCI in the
A year in World of Resilience
the world 2023
of resilience Report 2023
A BCI Report
7.6%
Overall, 61.4% of interviewees are very happy
5%
6.
.
(18.5%) or moderately happy (42.9%) with
18
7%
Moderately happy
Moderately unhappy
Very unhappy
In other instances, practitioner satisfaction with their However, just under a quarter of organizations
BIA process was directly proportional to the level at say that they are moderately (19.3%) or very
which their BIA process had been adapted to fit to their (5.0%) unhappy with their BIA process. In
own organization’s needs. For instance, one interviewee this regard, interviewees highlighted specific
explained that they have introduced advanced problems with the tools and software used to
technological solutions, such as digital twins, into the conduct BIAs, whilst noted their own concerns
BIA process. This process allowed the practitioner to with the BIA process in general.
simulate attacks on their critical processes in order to
understand how this would change their cyber security One interviewee explained that their
posture. organization was using an end-of-life tool
and how the changing circumstances of
This year’s BCI research has found that more than the organization have not been met by
a third of organizations are developing their own the tool, particularly after the COVID-19
in-house solutions for BC/resilience purposes. This pandemic altered the working practices of the
is typically a choice for organizations who can use organization.
internal resources, such as personnel or technology,
to construct assets which brings the BIA process to
life and shows keys relationships in a way that has not “We are using an end-of-life tool
been previously explored. An asset which has been that we haven’t been able to update
developed internally will likely increase satisfaction in since COVID. The focus on a physical
the BIA process because the features will be tailored to disruption scenario has really
the needs of the organization. One interviewee from changed because most people have
the higher education sector discussed how they have that work from home capability. It’s
utilised technology to build a BIA process that suits only our frontline staff that really
their requirements. need to be in the office, the rest of
our workforce can work from home
or work from an alternative location.
“We’ve done our initial BIAs and developed Prior to COVID, the BIA was really
a nomological map. We’ve identified all the focused on people in seats: if we had
assets and the relationships between the a crisis, we would move employees
assets, whether that is services, products, from one physical location to another.
or stakeholders. Using logarithmic However, that thinking has changed
mathematical modelling, we know how dramatically; we are not able to
quickly we can feel pain between our assets really reflect that in the plans and the
and we now know what our recovery time templates that we have in the system.
objective should be or our recovery point This is one area where we have just
objective. Using that information we can had to accept that it’s a limitation.”
create a digital twin.” Business continuity manager,
Risk and resilience, education, UK financial & insurance services, Australia
43
A Year
BCI in the
A year in World of Resilience
the world 2023
of resilience Report 2023
A BCI Report
Another interviewee explained that when looking An interviewee from the manufacturing sector
to switch to other providers of BIA applications, the explained that their organization does not
backing of senior management is critical. conduct a BIA process but senior management
informally discuss prioritised services and
decide a period of time for which they can
“We highly rely on Microsoft applications tolerate losing the operation of this service. In
for our BIA software, however we are in addition, as a manufacturing organization, they
touch with some other providers but still maintain a level of stock to ensure that they
in the planning stage and will need to have a window of time to restore operations
have buy-in from the senior management to the line which has shut down. Of course, a
on that.” formalised process does allow information to
be shared more effectively and allows others
Crisis manager, manufacturing, Denmark
to view the information if a key contributor is
absent during a disruption.
Another issue for those unhappy with the BIA is the
siloing of the process. The lack of a centralised process
can easily result in a BIA that is inefficient while the “We do not conduct a BIA or any
siloed nature of the findings also reduces the efficacy kind of systematic analysis, but top
of finding solutions to meet the established recovery management asserts that something
requirements. is our highest priority production
and service. However, this is based
solely on their own impression
and thought.”
“At the moment, our BIA is very much
siloed in the sense that each business unit Risk management, manufacturing,
has their own BIA and the interconnectivity Japan
between internal functions and internal
processes is really not at the level that I
want it to be.” Elsewhere, another interviewee explained
that their organization has recently increased
Business continuity manager,
investment in BC and developed an interest in
financial & insurance services, Australia
developing a formalised BC programme after
managing multiple crises during their many years
of operation through informal business continuity
In addition, 6.7% of organizations are not currently
processes. However, the practitioner added that
conducting BIAs. While this appears to be a high
they have simplified the BIA in order to increase
level, some of the interviewees specified that they are
internal engagement with the process. The same
conducting a process which analyses their priority
interviewee also explained how they felt that it
functions, but in an informal manner. This was
was important that the BC process fits the needs
particularly evident amongst smaller organizations.
of the organization.
45
A Year
BCI in the
A year in World of Resilience
the world 2023
of resilience Report 2023
A BCI Report
5.0%
2. 5
How is technology changing the
7%
.
implementation of the BIA?
22
20
.2%
Organizations have been increasingly using
technology to adapt and mould the BIA process to
the needs of their organization. Using technology What is your
in the BIA process can have a number of purposes organization’s attitude
such as automating aspects of the BIA, reducing to using technology to
silos by enabling sharing of BIAs created across the help with the BIA? 12.6%
organization, and enabling real-time updates to the
process. According to BCI research this year, 40.6%
of organizations would like to see technology
used to automate the BIA process in some way.
However, more than a third of organizations (37.0%)
%
said that they use standard business software (such
37.0
as Excel) to manage the process and a further third
(35.3%) use specialist software which has either We use specialist software from a third party
been supplied by a third-party (22.7%) or written company to manage the BIA process
in-house (12.6%). Given that technology use is
already fairly high for BIA purposes, it is easy to see
why the use of AI to automate some part of the BIA We use specialist software that we have
process is seen as a next step by 40.6% written to manage the BIA process
of organizations.
Unsure
16.
1%
One of the barriers to the introduction of
0%
15.
specialist software into the BIA process has been
justifying the cost of investment, although several
organizations report that they are considering such
a tool, while others are already planning elevated
If an artificial
spending next year to fund it. Supporting this, BCI 10.1% intelligence solution
research shows that BC planning software has became available
increased in usage this year, with this software to automate the BIA
often including a function for the facilitation of the process, what would
BIA process.
your attitude to
As already discussed in the AI section earlier, one this be?
of the themes this year is the implementation of
AI across the organization and this extends into
the BIA process too. The emerging technology
58.
has the potential to automate certain aspects of
8%
the BIA process and the survey shows a strong
interest in using it for this purpose. The majority I would fully embrace it – the more the
(58.8%) of respondents said that they would use AI BIA can be automated, the better
to automate part of the BIA process but would be
keen to retain a human element as well. There is
an understandable reticence to allow AI to take full
I would use it to automate parts of the
control of such a critical resilience activity because
BIA process but would want to retain
of the relative immaturity of the technology, but human input into the process as well
15.1% still said that they would fully embrace an
automated BIA. Only 10.1% would not be keen to
use AI in the BIA process at all.
I would not use it – AI cannot be
An interviewee explained that they may have an
trusted to develop an effective BIA
opportunity to use Microsoft’s desktop AI tool
(Copilot) to automate data gathering across the
programme as they use the Microsoft Office suite
for BC management instead of other specialised
sources of software. However, respondents did
Unsure
flag concerns about sharing sensitive data with AI
while noting that retaining a human in the process
ensures accountability. Many, including the 16%
who are unsure, state that it is too early to make a
Figure 6. If an artificial intelligence solution
judgement on the benefits of using AI to automate
became available to automate the BIA process,
processes and that further proof of its ability is
what would your attitude to this be?
required before decisions are made.
47
A Year
BCI in the
A year in World of Resilience
the world 2023
of resilience Report 2023
A BCI Report
49
6
Spending
in 2024
50
Strategic leadership
Spending
of resilience
in 2024
Spending in 2024
• Despite global financial pressures, most
respondents expect their business continuity
and resilience budget to either stay the same
or rise in 2024.
• Cyber resilience is the area where most
respondents expect a higher budget in 2024,
showing the extra resources allocated to meeting
the rising number of cyber-attacks and other
requirements in the digital landscape.
51
A Year
BCI in the
A year in World of Resilience
the world 2023
of resilience Report 2023
A BCI Report
1.6%
4.7%
9.4%
Given the strategic resilience priorities for
senior leadership discussed in the first section
of this report, respondents were questioned
as to whether this would translate into greater
How will your investment in 2024.
organization’s overall Encouragingly, 93.8% of respondents said
business continuity that their BC and resilience budget would
39.1%
and resilience budget either stay the same or increase in 2024,
45.3% change in 2024 despite the turbulent financial backdrop many
compared to 2023? organizations are experiencing. The most
popular response was that organizations expect
it to remain the same (45.3%) while 39.1% expect
it to be somewhat higher next year. Only 6.3%
believe it will be lower in 2024 compared to
2023; a finding that correlates with the metrics
in the BCI Horizon Scan Report 2023.
It will be much higher
2.3%
0.8%
%
7.1%
5.5%
10.2
11.0
0.8
%
7.1
%
How will your
How will your
organization’s spending
28.1% organization’s spending 34.7%
on business continuity
on operational resilience
management change in
change in 2024?
2024?
.1% .4%
53 39
We won’t spend any money on this area in 2024 We won’t spend any money on this area in 2024
53
A Year
BCI in the
A year in World of Resilience
the world 2023
of resilience Report 2023
A BCI Report
0.8%
1.6%
8%
However, when asked to extrapolate out the
16.
different components of next year’s budget
compared to this year, the findings are mixed.
32. For BCM solely, more than half (53.1%) say that
8%
spending on BC management will be the same
How will your next year, but 38.3% of organizations will see
a somewhat (28.1%) or much higher (10.2%)
organization’s spending spend in 2024. Comparatively, this means
on cyber resilience that more will be spent in other spheres of
change in 2024? resilience rather than purely on BC.
5.6%
6.4%
4. 8
The resilience area which is due for the biggest rise
%
55
A Year
BCI in the
A year in World of Resilience
the world 2023
of resilience Report 2023
A BCI Report
7.4%
As explored within this report, the role of AI in
supporting BC and resilience functions is growing
30
.6% and expenditure is rising concurrently. 39.7% of
respondents say that their budget for AI will be
somewhat higher (32.2%) or much higher (7.4%) in
32.2% 2024. However, with nearly a third of respondents
Overall, how will your (30.6%) unsure about spending in the area, it
organization’s spending highlights a lack of certainty on how AI may be
on AI change in 2024? applied within their organization, but also
potential trepidation toward increasing reliance
on this technology.
9.1
% This ‘wait and see’ approach is likely to remain until
certainties in the application of the new technology
8%
19.8%
Unsure
57
7
Predictions
for next year
58
Predictions for next year
59
A Year
BCI in the
A year in World of Resilience
the world 2023
of resilience Report 2023
A BCI Report
“Globally cyber-attacks
will increase. I can also “We were told to plan for a pandemic, there’s already
see global supply chains some diseases that are insect-borne and are starting
being hit, especially to appear in the Mediterranean and are moving north
with what’s going on over Europe because of climate change. The Health
in Eastern Europe, Protection Agency are already looking at disease
especially on food and X, they’ve already identified there are insect-borne
change to grain. You can diseases and bacteria starting to appear in the country
already see that starting or into Southern Europe that could pose a long-term
to happen in the African threat. I think we will have health issues over the next
continent.” 10, 20 years that we’ve probably not faced before, and
Risk and resilience, I think COVID is only just the start of it.”
education, UK Risk and resilience, education, UK
“If you knock out energy, it’s also going to impact manufacturing, so manufacturing costs
will go up and everything suddenly becomes more expensive. The key to it all is gas.”
Risk and resilience, education, UK
61
A Year
BCI in the
A year in World of Resilience
the world 2023
of resilience Report 2023
A BCI Report
“APRA have brought out their new CPS “We are going to move into a
230 Operational Risk Management governance risk and compliance tool
standard. Our regulator introduced the so that we’ll have a one-stop source
implementation dates for the end of of data, that includes our vendor
this year. However based on feedback management, connecting it to our risks,
during the consultation period, they’ve controls, and incidents. If an incident
pushed that timeframe back to July 2025. occurs and it gets escalated, what
Even so, they’re wanting to see progress business functions will be impacted?
towards meeting the new requirements What critical operations will be
at certain stages throughout that impacted? As we approach CPS 230,
timeframe. This is really a massive focus having that very clear picture
for us now to be prepared and on the on those end-to-end operations and
front foot to make sure that we hit the different resources that support
that regulatory timeframe and it is going to be a key factor for
demonstrate compliance.” the regulator.”
Business continuity manager, Business continuity manager,
financial & insurance services, Australia financial & insurance services, Australia
However, over the coming months, organizations This does highlight the requirement for clear
will also be exploring their capacity to meet the support from top management in acquiring the
requirements laid out in the regulations. For this, right tools and processes in order to meet the
practitioners may need to fully utilise the support necessary requirements in upcoming regulations.
from senior management in this area, particularly It also demonstrates how regulations can go some
when it comes to resourcing and financial support, way in ensuring resilience best practice
as well as ensuring buy-in for key procedures such within an organization.
as upgrading BIA processes where necessary.
63
8
Top five
takeaways for
practitioners
64
Top five takeaways for practitioners
65
A Year
BCI in the
A year in World of Resilience
the world 2023
of resilience Report 2023
A BCI Report
67
9
Annex
68
Annex
3.8%
0.6%
0.6%
0.6.6%%
0 %
0.6.6%
0 .3%
1 %
1.9 %
1.9
3 .8
%
5.7%
28 August to 41.8%
22 September
2023
Which of the following
6.3% best describes your
Survey dates functional role?
%
8. 2
158
.1%
10
11.4%
Respondents
Business continuity Risk management
Countries Organizational
Crisis management resilience
10 Line of business or
Information security service directorate
Respondent
interviews
Internal audit Top management
Other
69
A Year
BCI in the
A year in World of Resilience
the world 2023
of resilience Report 2023
A BCI Report
0.6%
0.6%
1.3%
0.6%
2.6%
0.6%
0.6%
1.3%
1.9%
3. 2
8.8
%
%
4%
3.
.
8%
23
5. 7
%
10. 6%
1% 38.
6.3%
What sector does your Which region are
company belong to? you based in?
6.3%
19. 3%
0% 18.
%
7.0
%
8. 2
20.3%
10.8%
Public administration
& defence Health & social care North America
Australasia
Transport & storage Energy & utility services
Africa
Agriculture, forestry
& fishing Charity
Middle East
Media, marketing
Industry association & entertainment
11 to 20 7.5%
21 to 50 9.4%
51 to 100 4.8%
% 0 10 20 30 40 50 60 70
Figure 16. How many countries does your organization operate in?
101-250 2.0%
51-100 3.3%
21-50 1.3%
11-20 1.3%
1-10 9.7%
% 0 10 20 30
Figure 17. Approximately how many employees are there in your organization globally?
71
A Year
BCI in the
A year in World of Resilience
the world 2023
of resilience Report 2023
A BCI Report
Kieran Matthews
Content Manager, The BCI
Kieran has several years of experience in developing and delivering content strategies
for many different publications, both in print and online. He has also been involved
in large-scale research projects to explore regional market dynamics in different
industries, using both open-source and quantitative research methods. Through his
work, Kieran has used various research techniques to engage with topics of interest,
such as environmental and sustainability issues, supply chain resilience, and the impacts
of emerging technology on industry.
He can be contacted at kieran.matthews@thebci.org
About Riskonnect
Riskonnect is the leading integrated risk management software solution provider.
Our technology empowers organizations with the ability to anticipate, manage, and
respond in real-time to strategic and operational risks across the extended enterprise.
More than 2,000 customers across six continents use our unique risk-correlation
technology to gain previously unattainable insights that deliver better business
outcomes. Riskonnect has more than 800 risk management experts in the Americas,
Europe, and Asia.
73
A Year
BCI in the
A year in World of Resilience
the world 2023
of resilience Report 2023
A BCI Report
References
1. CPS 230 operational risk management, 8. Department for science, innovation and
APRA (online). Available at: https://www. technology (2023). Safety and security risks
apra.gov.au/operational-risk-management of generative artificial intelligence to 2025
(last accessed 13 November 2023) (Annex B), UK Government (online). Available
at: https://www.gov.uk/government/
2. FCA, The (2019): The Senior Managers publications/frontier-ai-capabilities-and-risks-
and Certification Regime: Guide for FCA discussion-paper/safety-and-security-risks-
solo-regulated firms. FCA. Available at: of-generative-artificial-intelligence-to-2025-
https://www.fca.org.uk/publication/ annex-b (last accessed 14 November 2023)
policy/guide-for-fca-solo-regulated-firms.
pdf (last accessed 29 November 2023) 9. Is artificial intelligence the right technology for
risk management?, Financial Times (online).
3. Hitchens, S and others (2023). FCA and PRA Available at: https://www.ft.com/content/
enforcement trends: operational resilience. ca4e6538-00fe-4c75-b664-90b4b4079863
Allen & Overy (online). Available at: https:// (last accessed 14 November 2023)
www.allenovery.com/en-gb/global/
blogs/investigations-insight/fca-and-pra- 10. La Face, S (2023). Key ways artificial
enforcement-trends-operational-resilience intelligence (AI) will power integrated logistics,
(last accessed 21 November 2023) Maersk (online). Available at: https://www.
maersk.com/insights/integrated-logistics/
4. Page, C (2023). MOVEit, the biggest cloud-and-artificial-intelligence-logistics
hack of the year, by the numbers, Join (last accessed 14 November 2023)
TechCrunch+ (online). Available at: https://
techcrunch.com/2023/08/25/moveit- 11. Thomson, E (2023), Droughts are creating
mass-hack-by-the-numbers/?guccounter=1 new supply chain problems. This is what
(last accessed 14 November 2023) you need to know, World Economic Forum
(online). Available at: https://www.weforum.
5. Malaysia plans to accelerate its EV and org/agenda/2023/10/drought-trade-rivers-
chip sectors as supply chains shift, Financial supply-chain/#:~:text=Droughts%20are%20
Times (online). Available at: https://www. becoming%20more%20frequent,Forum%20
ft.com/content/901e3189-038a-4a6a-8284- fighting%20the%20climate%20crisis%3F
070d5c1288b9 (last accessed 23 November 2023) (Last accessed 23 November 2023)
6. Health and wellbeing at work, CIPD (online). 12. FACT SHEET: President Biden Issues Executive
Available at: https://www.cipd.org/uk/ Order on Safe, Secure, and Trustworthy
knowledge/reports/health-well-being- Artificial Intelligence, US White House (online).
work/ (Last accessed 20 November 2023) Available at: https://www.whitehouse.gov/
briefing-room/statements-releases/2023/10/30/
7. Wilson, R (2023). Will you be our Valentine?, fact-sheet-president-biden-issues-executive-
Verizon (online). Available at: https://www.verizon. order-on-safe-secure-and-trustworthy-artificial-
com/about/news/speed-february-14-2023 intelligence/ (last accessed 15 November 2023)
(last accessed 14 November 2023)
BCI Bibliography
13. He, L (2023). China takes major step in regulating Elliott, R and others (2023), BCI Supply Chain
generative AI services like ChatGPT, CNN Resilience Report 2023, The BCI (online).
Business (online). Available at: https://edition.cnn. Available at: https://www.thebci.org/resource/
com/2023/07/14/tech/china-ai-regulation-intl- bci-continuity-and-resilience-report-2023.
hnk/index.html (las accessed 15 November 2023) html (las accessed 13 November 2023)
14. Zheng, S (2023). China Wants to Regulate Elliott, R and others (2023), BCI Emergency
Its Artificial Intelligence Sector Without Communications Report 2023, The BCI (online).
Crushing It, Time (online). Available at: https:// Available at: https://www.thebci.org/resource/
time.com/6304831/china-ai-regulations/ bci-continuity-and-resilience-report-2023.
(last accessed 15 November 2023) html (las accessed 13 November 2023)
15. EU AI Act to serve as blueprint for global rules, Elliott, R and others (2023), BCI Cyber Resilience
Benifei says, Reuters (online). Available at: https:// Report 2023, The BCI (online). Available at: https://
www.reuters.com/technology/eu-ai-act-serve- www.thebci.org/resource/bci-cyber-resilience-
blueprint-global-rules-benifei-says-2023-11-08/ report-2023.html (last accessed 14 November 2023)
(last accessed 15 November 2023)
Elliott, R and others (2023), BCI Continuity
16. Bank of England/PRA (2022). DP3/22 – And Resilience Report 2023, The BCI (online).
Operational resilience: Critical third parties Available at: https://www.thebci.org/resource/
to the UK financial sector. Bank of England/ bci-continuity-and-resilience-report-2023.
PRA/FCA. 21 July 2022. Available at: https:// html (las accessed 13 November 2023)
www.bankofengland.co.uk/prudential-
regulation/publication/2022/july/operational- Elliott, R. & Garcia, M.F.L. (2023), BCI Horizon Scan
resilience-critical-third-parties-uk-financial- Report 2023. The BCI (online). Available at: https://
sector (last accessed 19 November 2023) www.thebci.org/resource/bci-horizon-scan-
report-2023.html (last accessed 15 November 2023)
17. Lawson, A (2023) ‘National Grid says blackouts
less likely this winter’, The Guardian (last Elliott, R and others (2023), BCI Operational
accessed: 23 November) https://www. Resilience Report 2023, The BCI. Available at: https://
theguardian.com/business/2023/sep/28/ www.thebci.org/resource/bci-operational-resilience-
national-grid-blackouts-this-winter-great-britain report-2023.html (last accessed 12 November 2023)
18. Twidale, S (2023) ‘Britain’s energy grid Elliot, R and others (2023), BCI Technology
operators expect sufficient supplies this In Resilience Report 2023, The BCI (online).
winter’, Reuters (last accessed: 28 September) Available at: https://www.thebci.org/resource/
https://www.reuters.com/business/energy/ bci-technology-in-resilience-report-2023.
britains-energy-grid-operators-expect- html (last accessed 13 November 2023)
sufficient-supplies-this-winter-2023-09-27/
The BCI Good Practice Guidelines (GPG) 7.0 Edition,
19. Darmody, J. (2022): Why lunchtime yoga The BCI (online). Available at: https://www.thebci.
does not count as a work wellbeing culture. org/resource/good-practice-guidelines--gpg--
Silicon Republic (14 January 2022). Available edition-7-0.html (last accessed 13 November 2023)
at: https://www.siliconrepublic.com/
careers/workplace-wellbeing-lunchtime-
yoga (last accessed 27 November 2023)