
Horizon Scan Report 2024

The BCI Horizon Scan Report 2024 highlights a complex threat landscape for organizations, with financial fraud emerging as the top disruption for the first time, followed by cyber attacks and IT outages. The report emphasizes the need for comprehensive resilience strategies to address the increasing frequency and variety of crises, driven by geopolitical tensions and climate change. Investment in business continuity is expected to remain steady, with many organizations recognizing the importance of adapting to evolving risks and enhancing their preparedness.

Uploaded by

vjhazarika

Find out more

www.thebci.org

BCI Horizon Scan Report 2024

Contents

Executive summary
Risk and threat assessment: past twelve months
Consequences of disruptions
Risk and threat assessment: next twelve months
Benchmarking long term threat analysis
Benchmarking business continuity
Looking ahead
Annex


Foreword
We are pleased to introduce the 2024 BCI Horizon Scan Report, one
of the most eagerly anticipated reports in our portfolio. We extend our
thanks to Noggin for their continued sponsorship of this year’s report.
This year’s report falls at a critical point. We are in a ‘super election’
year with more of the global population heading to the polls than ever
before with 64 elections taking place globally. This is giving rise to
significant civil unrest in some regions, while others are having to deal
with the devastating impacts of cross-border conflict – both having
severe knock-on effects on global supply chains, cyber-security, staff
physical and mental wellbeing, and company balance sheets.
In addition to a complex geopolitical backdrop, other businesses
are having to deal with the reality of climate change. At the time
this report is published, Spain is dealing with the aftermath of its
worst flood in modern history, blamed on extreme sea temperatures
in the Mediterranean. Meanwhile, El Niño continues to bring extreme
heat to parts of Asia, with deaths reported in Thailand and demand for
electricity reaching a record high due to the demand for
air conditioning.
However, while these events may have been dominating headlines, it
is the less headline-grabbing disruptions which are having the most
extreme effects on organizations. For the first time in this report’s
history, financial fraud is at the top of the list of disruptions for 2024
with a risk score of 16.1. This came as somewhat of a surprise given
the impact of known cyber attacks over the past year. However, the UK
Financial Ombudsman reported a rise of 43.3% in reported financial
fraud cases in the most recent quarter, while also revealing the
complexity of those frauds was increasing too. Globally, PWC
also reported that procurement fraud is the third greatest cause
for financial disruption over the past year[1].
One of the reasons for the high level of financial fraud this year may
be due to the lack of preparedness over the past year. Last year’s
report showed that fraud was only in 17th place (out of 28) in terms
of concerns for 2024.


Although it has now risen to 11th place for 2025, the laggard still remains
between perceived risk (which can be steered by news coverage without
comprehensive horizon scanning techniques in place) and emphasises the
importance of having plans that are flexible enough to cover the diverse
range of events that could hit an organization, often unexpectedly. The
one unchallenged event for top position in terms of risks for 2025 remains
cyber-attacks. These are traditionally a top-of-mind concern for senior
management and, with practitioners all-too-often having to deal with the
aftermath of a successful cyber-attack, its position at the top of the table
remains unlikely to be challenged.
The heightened awareness of risk and the importance of being prepared
is also being driven by tightening regulatory environments, particularly
with deadlines for implementation of the EU Digital Operational Resilience
Act (DORA), NIS2, and the UK FCA/PRA/Bank of England regulations just
around the corner. As such, investment levels in business continuity and
resilience are likely to increase for over a quarter of organizations in 2025
(26.1%), while just under half (47.8%) are still planning for investment to be at
the same levels.
Our profession is becoming more dynamic but, for many organizations,
this means that the use of industry standards is more important than ever.
Last year’s report showed an all-time high in alignment to the ISO 22301
standard. This year, many of those organizations have held true to their word
in last year’s report with certification levels now at an all-time high (21.1%).
We would like to thank our members and contacts for their time and
valuable insights; and for making this report possible through filling in
the survey and being available for interviews. We have noted a step
change in how organizations are approaching their horizon scanning
processes this year: while there still remains a disconnect between
perceived future risk vs the disruptions an organization is actually
faced with, the gap is closing fast with organizations clearly putting
more time into risk scanning and using technology solutions more
than ever to help with it. We would, once again, like to offer our
sincere appreciation to Noggin for the sponsorship of this report.

Rachael Elliott
Knowledge Strategist
The BCI


Foreword
It has become almost reflexive now to note the dizzying
rise of crises – the evidence being so overwhelming of the
deteriorating threat environment companies are facing. But
the BCI Horizon Scan 2024 is anything but predictable. Not
just the number, the report also finds a sharp uptick in the
variety of crises as well as a new pattern of critical events
overlapping, exacerbating their individual impacts.

It is studying the effects of this pattern that makes the report
so rich in insights. One practitioner put it best when reflecting
how common it now was for emergency operations centers
to remain active for months on end, handling multiple
crises simultaneously: “Events are more frequent, and this is
becoming more of a ‘business as usual’ scenario.”

This theme runs throughout the report. We see how risks
are fusing together: emerging technologies are creating
new cyber threats, natural disasters are causing travel
restrictions, and geopolitical conflict is exacerbating
already high price volatility.

This new risk picture is presenting a wider variety of
challenges to organizations, who are being forced to ramp
up and maintain measures to prepare for the escalating
likelihood of disruptions. As the report notes, “Professionals
must adopt comprehensive resilience strategies that address
both technological and geopolitical disruptions to safeguard
their operations.”

The alternative is inaction – or even half action. Starting with
loss of productivity, though, which rose from 63.7% last year
to 69.5% this year, organizations are feeling impacts more
heavily than ever – so too with customer complaints and
reputational damage.


The broad trend captured is that companies are experiencing
increasingly severe and complex repercussions from multifaceted
disruptions, necessitating ever stronger resilience and
preparedness strategies to mitigate impacts going forward.

Like last year, the data points up a mixed response. On the one
hand, resilience as a new mantra is taking hold across government
agencies, non-profit entities, and enterprise corporations.
Investments seem healthy.

For instance, 60.5% of respondents state that the use of
technology to analyze their organization’s threat landscape
and its potential impact increased over the last two years, a
salutary trend.

But given the radically increased probability of experiencing
critical events, as evidenced by higher overall risk across a
growing number of vectors, much more needs to be done.

As a provider of purpose-built, integrated resilience management
technologies, we at Noggin, of course, put our stake in the
ground for specialized solutions that help to better address
specific risks, streamline operations, and enhance critical event
response and recovery. However, there is more to resilience
than simply technology.

Indeed, reports such as this one remain critical to conducting
the type of short, medium, and long-term trend analysis that is
becoming increasingly necessary to navigate the deteriorating
threat landscape. And that’s why Noggin is proud to once again
sponsor the Horizon Scan Report. It aligns perfectly with our own
leading principle; resilience is a global objective.

And so, I close by saying to readers to take heed of what is
contained in this report – not just the worrisome trends but also
the many practices identified as sterling opportunities to forge a
culture of resilience.

James Boddam-Whetham
General Manager,
Noggin



Executive summary


The threat landscape proves to be quite
varied, as the top five most frequent and
impactful events include diverse drivers
such as IT outages, increased cost of
living, and travel restrictions. Compared
to previous years – without the
overarching presence of the pandemic
– organizations are now facing a wider
range of challenges, which makes the
operating context just as frantic.

Top five most frequent & impactful events over the last 12 months

1 Fraud or attempted fraud
2 Cyber attacks
3 IT and telecom outage
4 Increased cost of living
5 Travel restrictions


Similar types of disruptions continue to cause significant damage to organizations,
as seen in previous years. The top four most disruptive events have remained
consistent when compared to 2023, with IT and telecom outages still being the most
frequent and impactful. The CrowdStrike incident has played a key role in this trend,
having a global impact on numerous organizations and critical infrastructures
over the past twelve months.

Top five single biggest cause of disruption to organizations in the past 12 months

1 IT and telecom outage: 23.6%
2 Critical infrastructure failure: 15.1%
3 Extreme weather events: 8.5%
4 Cyber attack: 8.5%
5 Supply chain disruption: 4.7%

The most significant impacts from disruptions are loss of productivity, which
can severely affect operations, and an increase in customer complaints, indicating
dissatisfaction and potential damage to client relationships. These two impacts
highlight how disruptions can undermine both internal efficiency and external
perceptions of the organization.

Top five consequences of disruptions for organizations

1 Loss of productivity: 69.5%
2 Customer complaints received: 39.1%
3 Negative impact on staff morale/wellbeing/mental health: 39.1%
4 Reputation damage: 38.1%
5 Loss of revenue: 36.2%


The top five risks for organizations in the future.

Short-term: next 12 months

1 Cyber-attacks
2 Extreme weather events (e.g. floods, storms, freeze, etc.)
3 Data breaches
4 IT and telecom outage
5 Critical Infrastructure failure

Medium term: 5 to 10 years

1 Cyber security
2 Climate risk
3 Technology/telecoms failure
4 Supply chain issues
5 Introduction of emerging technologies

The use of long-term trend analysis in BC/resilience within organizations has risen again, to a new
historic high.
The number of organizations drawing from the outputs of the trend analysis has grown over the years,
with a noticeable increase particularly since the pandemic.

[Figure: Usage of the outputs of trend analysis within organizations’ business continuity programmes, 2014 - 2024. Chart of the percentage of organizations by year.]


Most organizations manage their processes through a centralised approach, leveraging
a corporate function or department to enhance consistency and efficiency. This structure
streamlines decision-making and aligns risk assessment practices across the organization.

Does your organization conduct longer term trend analysis to better understand the
threat landscape?

53.9%: Yes, this is conducted by a central, corporate function or department
23.1%: Yes, however many different departments do this according to their own needs
19.8%: No

ISO 22301 remains a key reference point for business continuity practices.
Most organizations use ISO 22301 as a framework for business continuity, with a significant portion also
certified to it. Some organizations plan to adopt ISO 22301 in the coming year.

If you have a formal business continuity management programme in place, how does it relate
to ISO 22301?

36.8%: We use ISO 22301 as a framework but are not certified to it
21.1%: We use ISO 22301 as a framework and certify to it
5.3%: We use ISO 22301 as a framework, are not certified to it, but are in the process of getting certified


Top three benefits of certification

1 Increases our organization’s resilience: 79.2%
2 Allows us to demonstrate the effectiveness of our BCM programme to external stakeholders: 75.0%
3 Enables consistent BCM measurement and monitoring: 66.7%

Organizations prioritise collaboration and human interaction to effectively
carry out their horizon scanning and risk management assessments.
Data indicates a strong reliance on internal risk and threat assessments, highlighting the
importance organizations place on peer-to-peer consultation and traditional methods for
analysing risks. Collaboration with industry peers and using external reports play a
crucial role in shaping risk management strategies, demonstrating that organizations
value shared knowledge and insights.

Top five tools for conducting trend analysis/horizon scanning within organizations

1 Internal risk and threat assessment: 92.1%
2 External reports/industry insight (e.g., Horizon Scan): 80.9%
3 Collaboration with peers: 62.9%
4 Social media monitoring: 60.7%
5 Research reports: 56.2%


Investment in business continuity and resilience is likely to remain at current levels through 2025.
Most organizations plan to maintain their investment levels, with over one in four aiming to increase
funding to meet emerging challenges. However, a percentage still lacks any investment in these areas,
highlighting potential vulnerabilities. Organizations must prioritise resource allocation to strengthen
their resilience against future threats.

How will investment levels in BC/resilience programmes in 2025 compare to the current
year in order to better prepare for the challenges/threats identified by your organization?

47.8%: Investment will be maintained at appropriate levels
26.1%: Investment will be increased
10.2%: Investment will be reduced
8.0%: We do not have investment in a BC/resilience programme


1 Risk and threat assessment: past twelve months


Frauds: the top incident for organizations in 2024
Frauds are the most frequently reported incident in
the 2024 report, with an overall score[2] of 16.9. This is
a significant change compared to last year, when this
type of risk ranked out of the top five with a value of 12.1.
Delving into the details of occupational fraud around
the world, it is possible to appreciate the reasons
behind respondents’ concerns. The 2024 fraud study
from the Association of Certified Fraud Examiners
(ACFE) highlights key insights into global fraud, showing
that organizations lose an estimated 5% of revenue
each year due to such malicious acts[3].

Asset misappropriation is the most frequent fraud type,
though it results in relatively smaller losses compared
to those leveraging financial statements, the costliest
type, with a median loss of $766,000. The study also
reveals that employee tips are the leading detection
method, responsible for uncovering 43% of cases. Fraud
is also commonly detected through email or web-based
reports, surpassing telephone hotlines[4].


Frauds involving multiple perpetrators or long-tenured
employees cause significantly higher
losses. For instance, the involvement of owners or
executives results in losses seven times greater than
regular employees, and schemes involving three or
more perpetrators have median losses four times
higher than those by a single perpetrator. Internal
control deficiencies or overrides are also major
enabling factors. Over half of victim organizations
improved their anti-fraud controls after an incident,
with many believing these measures would be
highly effective in preventing future fraud[5].

Looking specifically at digital frauds, the joint report
by the European Banking Authority (EBA) and the
European Central Bank (ECB) assessed payment
data and fraud trends for credit transfers, card
payments, direct debits, e-money transactions,
and cash withdrawals in the EU between 2022 and
2023. The report highlights losses of €4.3 billion in
2022 and €2.0 billion in 2023, with most schemes
concentrated in credit transfers and card payments.
Card payment fraud mainly involved remote
transactions, while detection benefited from Strong
Customer Authentication (SCA). Cross-border
transactions showed higher fraud rates, especially
outside the European Economic Area (EEA).

Criminal acts were significantly lower when SCA
was applied, and higher frauds were associated
with SCA exemptions like low-value transactions.
The report emphasises that while SCA has
improved payment security, further scrutiny is
required to ensure compliance. Liability for losses
varied across payment methods and countries,
with users bearing a substantial portion of losses,
especially in credit transfers. Despite improvements
in prevention, the report stresses continued
vigilance from regulators and industry players
to combat fraud trends[5].


Cybercrime: when fraud and digital threats collide
The line between fraudulent actions and digital
threats is hard to draw, since the two often
collide in the modern business landscape. In
this perspective, it seems logical that the second
most disruptive event for respondents was the
occurrence of cyber attacks, with an overall value
of 14.5. The connection between cyber attacks and
frauds shows clearly in a recent report by Interpol,
which highlights the alarming rise of cybercrime
and financial fraud globally, largely fuelled by new
technologies. In 2023, scammers stole over $1
trillion worldwide, leveraging advanced tactics like
artificial intelligence (AI), cryptocurrency schemes,
and deceptive social engineering, such as “pig-butchering”
scams. These frauds often involve
building trust with victims, only to exploit them
for financial gain[7].

“Cyberattacks genuinely scare me,
especially with the rise of AI technology.
I don’t fully understand its implications,
which is why it is a significant concern.”
Business continuity manager,
professional services, UK

“In cybersecurity, our businesses
rely heavily on technology, making
us constant targets for hackers.
Ransomware and phishing are prevalent
threats we continue to struggle against.”
Group head of business resilience,
multisector, Madagascar


“In today’s world of geopolitical uncertainty, there’s a lot of potential for hostile state actors
to disrupt things, especially during back-to-back election cycles. This environment makes
local governments prime targets for cyber attacks, as we’re often seen as low-hanging fruit.
The cyber domain is evolving rapidly, and I believe we’ll see an uptick in the sophistication
and impact of attacks.”
Corporate emergency programme manager, public sector, Canada

One notable concern is the connection between cybercrime and human trafficking, where individuals
are lured into fraudulent jobs and forced to participate in financial scams. INTERPOL’s report warns that
organized crime groups are becoming more sophisticated, using AI and large-scale fraudulent operations
with minimal technical expertise required. Geographically, Southeast Asia has emerged as a hotspot for
fraud, particularly call-centre-based operations targeting victims across Europe and the Americas[8].

Looking at emerging trends, in recent months security agencies have discovered several significant new
ransomware and malware threats. One notable incident involved a ransomware-as-a-service (RaaS)
operation that impersonated the legitimate Cicada 3301 organization, quickly targeting companies
worldwide and listing 19 victims on its extortion portal. Meanwhile, federal agencies in the United
States intensified their efforts against Russian cyber-operations, particularly focusing on the destructive
WhisperGate malware. This malware, linked to a Russian military intelligence unit, has been involved in
various hacking campaigns that threaten the security of numerous entities[9].

Central Asia is currently facing threats from Ajina Banker malware, which targets bank customers and aims
to steal their financial information via Android devices. Similarly, a hacker group known as CosmicBeetle
has developed new ransomware named ScRansom, primarily attacking small and medium-sized businesses
across Europe and Asia. Moreover, a new version of the Necro malware loader has been found, which was
installed on over 11 million Android devices through malicious software development kit (SDK) supply chain
attacks on Google Play[10].


Many of the abovementioned attacks will have been the result of a failure in human process. Interviewees
highlighted that humans are the weak link in cyber security, underlining the importance of training:

“Our IT team understands that human error is our biggest vulnerability in
cybersecurity, and while we haven’t experienced an actual cyber attack,
our testing has identified the human error challenges. This becomes very
evident with phishing email outcomes ‘from the CEO’ that offer some
monetary bonuses. Ongoing training was required, and vigilance was
prioritised, focusing on the importance of cybersecurity awareness.”
Business continuity and governance consultant, charity, Australia

“On the cybersecurity front, malicious actors are becoming increasingly
sophisticated, yet I’ve noticed a concerning trend: our users are becoming more
relaxed about what they click on. Despite ongoing training and news coverage about
data breaches, I’ve observed high click rates on simulated phishing attacks.”
Admin director emergency preparedness and telecommunications, healthcare, USA

“On the cyber front, threat actors are evolving quickly, and the biggest
challenge often lies with end users. Just one mistake can lead to serious issues.”
Emergency planning & response manager, public sector, UK

“We suffered a cyber attack and data breach which caused significant
reputational damage due to our uncertainty about the extent of the data
breach. We were concerned about the potential implications for our staff and
clients, especially since personal details were stolen without consent.”
Business continuity manager, professional services, UK


IT and telecom outages: a major concern for organizations


The third most significant incident according to participants stays in the digital domain. IT and telecom
outages reported an overall value of 14.4, a significant increase from last year’s 12.1. According to the Uptime
Institute[11], while the overall number of outages is experiencing a decline, the financial implications of outages
are significant. The survey shows that over half (54%) of respondents reported that their most recent serious
outage incurred costs exceeding $100,000, while 16% faced losses of over $1 million. Power-related issues
remain the predominant cause of severe outages, although network problems are identified as the leading
single cause of IT service interruptions. Notably, around 80% of respondents indicated that their latest
serious outages could have been avoided with improved management practices, better processes, and
configuration adjustments.


On average, the Uptime Institute’s data reveals that each year, 10 to 20 major IT outages or data centre
incidents occur globally, leading to substantial financial losses, business disruptions, damage to reputations,
and, in extreme cases, loss of life[12].

“In the past, we’ve experienced outages due to factors beyond our
control, like issues with external providers. Even with our business
continuity and disaster recovery plans, we couldn’t process transactions until
the outage was resolved. During that time, we worked closely with our
customers to support them.”
Business continuity consultant, financial sector, USA

“We outsource our data centre management. When a system breakdown
caused an internet outage, we faced significant challenges.”
Risk and business continuity manager, infrastructure, Uganda

“When IT disruptions occur, it doesn’t shut us down, but it significantly strains
our operations. Middleware vendors are crucial for transferring laboratory results
into the EMR, and downtime can turn a test that usually takes 20 minutes into
an hour-long process. This delay impacts patient care and complicates billing, as
we then need to manually reconcile all charges before submission.”
Admin director, emergency preparedness and telecommunications, healthcare, USA

“Early in the year, we experienced a telecom outage due to an issue with
an external electricity supplier. While it halted operations, the impact was not
extensive. Most employees transitioned to working from home, with only security
personnel remaining on-site.”
Business continuity manager, professional services, UK

“Recently, we faced major power failures impacting our data centres”
Group head of business resilience, multisector, Madagascar

“When it comes to infrastructure, we faced a significant challenge recently. The country
(Australia) relies on two main network providers, and there was a nationwide issue with
one of them. On that day, services across the country, including trains and health services,
were disrupted.”
Business continuity and governance consultant, charity, Australia


IT disruptions in 2024: The case of CrowdStrike


In July 2024, a significant IT outage caused by a faulty update from cybersecurity firm
CrowdStrike led to widespread disruptions across various sectors, including aviation and
banking. Approximately 8.5 million Windows devices were affected, resulting in the cancellation
of over 5,000 flights globally. The incident raised alarms about the vulnerabilities within critical
infrastructure, as companies faced severe operational challenges and financial repercussions
estimated between $540 million and $1.08 billion[13].

CrowdStrike’s software primarily serves corporate clients, with a substantial portion of its customer
base comprising Fortune 500 companies. The faulty update specifically impacted systems running
Windows 10 and 11 as the issue stemmed from a problematic configuration. CrowdStrike quickly
acknowledged the error and worked to reverse the update, but the manual recovery process
proved cumbersome, requiring businesses to reboot affected machines and potentially
restore backups[14].

The incident highlighted the critical need for robust backup plans and contingency measures
in organizations. Industry experts have warned that without proper contingency frameworks,
similar outages are likely to recur, particularly given the heavy reliance on a few major technology
providers for essential services. On this note, the looming “2038 Problem” poses another
significant threat, akin to the Millennium Bug of the late 1990s. This issue arises from the way many
computers count time, leading to potential failures as systems may struggle to recognize dates
beyond 19 January 2038. The growing dependence on interconnected systems heightens the
urgency for organizations to evaluate their disaster recovery strategies and implement sufficient
measures to maintain operational continuity during outages. The CrowdStrike outage serves
as a stark reminder of how vulnerable essential services are to technological disruptions[15].


The ongoing challenge of the cost-of-living crises
Moving further down the chart, the only risk that remains in the top five for both 2023 and 2024
is the increased cost-of-living, with an overall value of 13.6. Last year’s report pointed out the
potential relationship between higher costs and supply chain disruptions – which rank 15th overall
at 10.1 but have one of the highest impact scores in the chart (2.1). The narrative on supply
chain disruptions driving prices upwards has become a recurring theme since the pandemic and it
has found confirmation in studies on inflation and monetary policy. The Centre for Economic Policy
Research (CEPR) reported a study that concluded that global supply chain disruptions were the main
cause of inflation in the EU in 2022 and 2023[16]. On the other hand, research across different
geographical areas – such as the US – shows more mixed results, suggesting a demand spike might
also be at the root cause of the surge in prices[17].

Regardless of the cause, the consequences of higher prices are imposing a significant toll on
organizations. S&P Global reports how operating expenses eroded higher portions of revenues for US
organizations across several sectors, with the exception of the information technology industry[18].
For instance, several airlines warned that rising costs, including fuel and labour, would negatively
impact their profits. Airlines like Delta, American, and Alaska Airlines revised their earnings
forecasts downward due to higher fuel prices and newly negotiated labour deals. For instance,
American Airlines expects a significant expense of $230 million for its new pilot contract, which
includes substantial pay raises over the next four years. Delta also adjusted its earnings due to
fuel and maintenance costs[19].

Beyond airlines, other sectors are facing similar challenges. UPS recently finalised a labour deal
with the Teamsters, which will increase costs at a 3.3% annual growth rate over five years. The auto
and entertainment industries are also addressing labour demands, including wage increases and better
benefits, driven by unions negotiating new contracts. Despite strong demand in some sectors, these
rising operational expenses are expected to strain profits for companies across industries[20].

“The ongoing upward trend in energy prices has been a significant concern
for us. Until we start producing our own oil, expected by 2027, we can
anticipate continued price shocks, particularly for fuel.”
Risk and business continuity manager, infrastructure, Uganda

“Over the past year, we’ve seen energy price shocks severely impact our
organization. As a local authority, our duty of care to prevent homelessness
has become increasingly challenging. The ongoing housing and cost of living
crisis is driving more families to seek help from us, leading to skyrocketing
demands on our budget for social housing. We’re grappling with systemic
issues that are only getting worse.”
Emergency planning & response manager, public sector, UK

“When there’s a volatile exchange rate, it often means our budget
exceeds what we initially planned, forcing us to mobilise additional
funds to complete projects.”
Risk and business continuity manager, infrastructure, Uganda

“Interest rates are crucial for large corporations like ours because they
directly impact our profitability and target setting. Alongside selling our
business solutions, market drivers like these shape our strategies.”
Technical officer enterprise security, manufacture, Netherlands
BCI Horizon Scan Report 2024

Travel limitations in a post-COVID world: the rise of natural disasters and conflicts

Interestingly, the incident that completes the top five is travel restrictions, with a risk score of 13.1. Although most of the formal restrictions due to COVID-19 have been lifted, there are other types of physical limitations that might impede travel. Events such as natural disasters and conflicts represent threats to freedom of movement, and these have intensified over the past year with the persistence of the Ukraine war and the escalation of violence in the Middle East.

Weather-related events keep causing considerable disruption to organizations, being the number one topic for many of them:

“In Uganda, we heavily rely on hydroelectricity, but we faced a significant challenge when an island shifted and blocked the turbines of a completed dam due to heavy rains. This incident forced us to improvise and remove the obstruction, which not only delayed our work but also increased our costs.”
Risk and business continuity manager, infrastructure, Uganda

“We’re vulnerable to winter weather. In recent years, we’ve experienced larger snowfalls and colder conditions, which our infrastructure isn’t really built to handle.”
Corporate emergency programme manager, public sector, Canada

“We have two offices in Manila, where typhoons hit frequently. Earlier this year, I was part of the response team when severe flooding forced staff to work from home.”
Business continuity consultant, financial sector, USA

“We’re in a heavily urbanised area and climate change has led to more frequent and intense rainfall, causing surface water flooding. This affects us on multiple levels: some of our buildings are not as well-maintained as they should be, leading to business continuity concerns. More troubling though is the impact on our residents; many homes and businesses inevitably face flooding.”
Emergency planning & response manager, public sector, UK

Looking at travel risk advice from specialised organizations, it is possible to observe that the majority of countries have an increasing risk status and caution is recommended when traveling to most destinations [21]. This might also explain why travel restrictions are closely followed by safety (12.83) and health (12.71) incidents.

“We have personnel in Israel, the UAE, and previously in Ukraine and Russia, areas affected by conflict. During the Ukraine war, we worked to help any team members who wanted to relocate for their safety. As a global company, we continuously monitor geopolitical events to ensure the well-being of our employees.”
Business continuity consultant, financial sector, USA

According to the Peace Research Institute Oslo (PRIO), the past year saw a dramatic rise in global violence, marking 2023 as one of the most violent years since the Cold War ended. A record 59 state-based conflicts were reported, the highest since 1946, although the number of countries experiencing conflict dropped slightly from 39 to 34. This increase in violence is attributed to the growing complexity of conflicts, with multiple actors, including non-state groups, expanding across regions such as Asia, Africa, and the Middle East [22].

Africa remains the region with the highest number of conflicts, with 28 ongoing state-based conflicts, nearly doubling compared to a decade ago. The Middle East saw a reversal in its conflict decline, with an increase from 8 to 10 conflicts between 2022 and 2023, with the majority of deaths occurring in Palestine. While there is hope for a reduction in older, complex conflicts, new, highly violent ones continue to emerge, posing ongoing challenges for peace efforts [23].

Figure 1. The frequency of incidents in the past twelve months and the associated impact levels on respondent organizations (scatter plot of incident types; horizontal axis: Frequency, vertical axis: Impact)

Rank Event Frequency Impact Risk Index


1 Fraud/attempted fraud 7.84 2.15 16.90
2 Cyber attacks 6.98 2.08 14.50
3 IT and telecom outage 6.41 2.25 14.42
4 Increased cost of living 6.17 2.21 13.64
5 Travel restrictions 6.50 2.01 13.09
6 Safety incident (personal injury, fatality, asset damage, dangerous occurrence, reportable incident) 6.43 2.00 12.83
7 Health incident (NOT transmissible disease such as COVID but occupational disease, reportable occupational disease, stress/mental health, increased sickness absence) 6.31 2.01 12.71
8 Non-occupational disease (e.g. pandemic) 6.21 2.01 12.49
9 Security incident 6.08 1.94 11.81
10 Critical Infrastructure failure 4.80 2.41 11.56
11 Interruption to energy supply 5.51 2.04 11.23
12 Extreme weather events (e.g. floods, storms, freeze, etc.) 5.19 2.09 10.85
13 Product safety recall 6.06 1.73 10.48
14 Natural resources shortage 5.32 1.91 10.15
15 Supply chain disruption 4.84 2.09 10.11
16 War/conflict 4.14 2.42 10.03
17 Exchange rate volatility 4.89 2.01 9.82
18 Enforcement by regulator 4.28 2.27 9.72
19 Political violence/civil unrest 4.56 2.09 9.54
20 Issues arising from remote/hybrid working (the new working environment) 5.25 1.80 9.44
21 Higher interest rates 4.38 2.12 9.31
22 Lone attacker/active shooter incident 4.14 2.25 9.29
23 Regulatory changes 4.22 2.19 9.23
24 Data breaches 4.30 2.08 8.94
25 Political change(s) 4.28 2.07 8.88
26 Energy price shock 4.13 2.08 8.61
27 Introduction of new technology (IoT, AI, Big data) 4.25 1.90 8.08
28 Natural disasters (earthquakes, tsunamis, etc.) 3.64 2.17 7.91

Table 1. The frequency of incidents in the past twelve months and the associated impact levels on
respondent organizations


Biggest disruptive events over the past year

Organizations were queried on the primary causes of disruptions over the past year. IT and telecom failures, critical infrastructure failure, extreme weather events, and cyber attacks were the main single disruptive events identified by respondents.

Rising reliance on digital infrastructure: the impact of IT and telecom outages

IT and telecom outages remain organizations’ single greatest source of disruption over the year, rising from 20.4% last year to 23.6% this year. This highlights the increasing reliance on digital infrastructure across industries, as well as the growing complexity of IT systems that make them more prone to failures. The disruptions caused by these outages often ripple across multiple functions, halting operations and causing financial and reputational damage. The CrowdStrike incident is one such clear example that highlighted a global single point of failure that had been missed.

The incident showed how a large-scale IT failure can have serious consequences on public infrastructure across several sectors, from banking to air transport. Therefore, it is unsurprising that critical infrastructure failure also saw a notable increase from 10.9% to 15.1%, reflecting the growing strain on essential services like energy grids, transportation networks, and utilities. The reliability of such infrastructure is crucial, as even minor failures can lead to significant disruptions, particularly in manufacturing and logistics industries, where smooth operations depend on consistent access to these resources.

“The biggest disruption we faced was an IT and telecom outage, which mainly resulted in lost productivity and a spike in customer complaints. Having worked in telecoms before, I saw firsthand how frequent these disruptions can be. In 2023, our emergency operations centre was active for nine months straight, handling multiple events at once. Events are more frequent, and this is becoming more of a ‘business as usual’ scenario.”
Corporate emergency programme manager, public sector, Canada

“We faced a significant challenge when an underground cable explosion severed part
of our fibre network. Instead of rerouting as intended, the IT infrastructure between our
two network entry points failed to communicate, resulting in a complete loss of Internet
connectivity across our estate.”
Emergency planning & response manager, public sector, UK

Extreme weather and supply chain


Extreme weather events remained a persistent challenge, with a slight decrease from 10.2% to 8.5%, yet
they still pose significant risks, especially for industries that rely on stable production and distribution
environments. The emergence of supply chain disruption, affecting 4.7% of organizations this year, can
be linked to unpredictable weather patterns, as well as geopolitical instability, both of which have caused
delays and bottlenecks in global trade.

In this regard, a Maersk case study [24] during the COVID-19 pandemic provides a comprehensive example
of how business continuity and crisis management strategies can help mitigate supply chain disruptions.
Maersk outlines its approach, which included forming an executive team to maintain supply chain
operations, ensuring continuous communication with customers and suppliers, and activating Business
Continuity Plans (BCPs). The company leveraged alternative transport routes and methods to maintain the
flow of goods despite physical disruptions. The case also emphasises how Maersk’s prior experience with
the 2017 NotPetya cyberattack supported their rapid response to the pandemic, showcasing the importance
of preparedness.

They identified key challenges such as low vendor capacity, raw material shortages, and infrastructure
closures, which led to increased labour and logistics costs. Their experience with NotPetya, which involved
rebuilding their IT system in 10 days, highlighted the importance of resilience and swift decision-making
during crises. This shows how organizations must improve supply chain visibility, create cross-functional
leadership teams, and regularly update contingency plans to prepare for future disruptions, whether they
stem from pandemics, cyberattacks, or other global crises.


Many interviewees explained their experiences with weather related events:

“Within just 20 days, we experienced a significant ice storm, leaving about half an inch of ice, followed by tornadoes a week or two later. While tornadoes and hailstorms are challenging, hurricanes are the most daunting because they combine multiple severe weather events. In those situations, the focus often shifts to recovery after the storm passes.”
Admin director emergency preparedness and telecommunications, healthcare, USA

“Extreme weather events and climate change have taken us by surprise. Who would have thought we’d see floods in Dubai?”
Business continuity manager, professional services, UK

“Being close to the Pacific, we experience severe wind and rainstorms, including the ‘Pineapple Express’ or atmospheric rivers, which dump massive amounts of water. These events, along with increasing wildfires and snowmelt-driven river flooding, create a vicious cycle of extreme weather, landslides, and infrastructure damage. On top of that, extreme heat events have become a major risk, impacting critical infrastructure and increasing mortality rates.”
Corporate emergency programme manager, public sector, Canada

“We constantly monitor for natural disasters like earthquakes, tsunamis, and typhoons. After the earthquake in Turkey, we felt aftershocks in our Cyprus office.”
Business continuity consultant, financial sector, USA

Cyberattacks also rose from 6.1% in 2023 to 8.5%, reflecting the increasing complexity and scale of digital
threats. As organizations expand their digital presence, they become more vulnerable to cybercriminals
targeting sensitive data, customer information, and financial systems. This rising trend is in line with the
aforementioned increasing risk of malicious acts, highlighting the need for more robust cybersecurity
measures to protect digital assets.

“There’s another dimension tied to wars and conflicts, and that’s the cyber domain, which
heavily affects us. Our components, systems, and solutions are integral to the critical
infrastructure in countries directly involved in conflict and those indirectly affected.
These infrastructures are under constant threat from various state actors.”
Technical officer enterprise security, manufacture, Netherlands


On the other hand, political violence/civil unrest (3.8%) and war and conflict (2.8%) emerged as new
concerns, reflecting growing geopolitical instability and its impact on those operating in volatile regions.

“Geopolitical tensions are exacerbating problems, leading to rising prices and increased immigration pressures, all of which add to the challenges we face.”
Emergency planning & response manager, public sector, UK

“In Uganda, civil unrest and political tensions have led to protests, especially among opposition leaders dissatisfied with public services. Unfortunately, these demonstrations can damage national infrastructure, for instance when protesters burn tyres on the roads.”
Risk and business continuity manager, infrastructure, Uganda

“Civil unrest is a significant concern, particularly with the upcoming elections. This year has the highest number of elections globally, leading to heightened tensions and conflicts in many areas. We’re especially mindful of the anxiety surrounding the electoral process in the United States, and we’ve taken steps to prepare and monitor the situation closely.”
Business continuity consultant, financial sector, USA

“In Portland, we faced challenges due to civil unrest riots, which prevented people from getting to the office.”
Business continuity consultant, financial sector, USA

“In today’s world of geopolitical uncertainty, there’s a lot of potential for hostile state actors
to disrupt things, especially during back-to-back election cycles. This environment makes
local governments prime targets for cyber attacks, as we’re often seen as low-hanging fruit.
The cyber domain is evolving rapidly, and I believe we’ll see an uptick in the sophistication
and impact of attacks. It seems like every day there’s news of breaches, and it would be wise
for organizations to integrate their cyber and continuity efforts, as they work hand in hand.”
Corporate emergency programme manager, public sector, Canada


“Geopolitical issues impact our organization. Our offices (including our data centres location)
are located near borders with countries in conflict.”
Business continuity manager, professional services, UK

“Our organization is focused on national critical infrastructure and frequently engages with
contractors. Due to Uganda’s dependence on imported fuel, the war in Ukraine has caused
significant price hikes. This increase affects contractors’ budgets for projects, leading to
higher contract prices and ultimately impacting our project budgets and timelines.”
Risk and business continuity manager, infrastructure, Uganda

“War has a significant impact on us as a global company, particularly the conflict in Ukraine.
We had to cut off and sell part of our organization in Russia. The sanctions resulting from
these tensions impacted our operations. Overall, conflicts and tensions are detrimental to
business and corporate organizations. We’ve seen effects such as the inability to export
certain goods and shifts in supply chains.”
Technical officer enterprise security, manufacture, Netherlands

Overall, while digital and infrastructure-related risks have intensified, organizations are facing an
increasingly complex risk environment. Cyber threats, supply chain vulnerabilities, and geopolitical tensions
now pose significant challenges alongside longstanding risks like extreme weather events and infrastructure
failures. Professionals must adopt comprehensive resilience strategies that address both technological and
geopolitical disruptions to safeguard their operations.

Interestingly, loss of talent and key skills, which accounted for 5.4% of the most major disruptions last year, did not
appear in this year’s rankings, potentially indicating a shift in focus towards operational risks rather than
workforce challenges. However, an interviewee highlighted this as an issue.

“We experienced the Great Resignation, where many employees left the company, saying
they were done. This has led to a significant knowledge drain as our more experienced
team members depart. While we’re bringing in young talent eager to learn, finding skilled
individuals for coding, customer service, and other roles hasn’t been easy. The challenge lies
in bridging that gap and ensuring we have the right people to maintain our operations.”
Business continuity consultant, financial sector, USA


Causes of disruption to organizations in the past 12 months


IT and telecom outage 23.6%
Critical infrastructure failure 15.1%
Extreme weather events 8.5%
Cyber attack 8.5%
Supply chain disruption 4.7%
Political violence/civil unrest 3.8%
War/conflict 2.8%
Political change(s) 2.8%
Lack/loss of talent/key skills 2.8%
Introduction of new technology 2.8%
Higher cost of living 2.8%
Fraud/attempted fraud 2.8%
Natural disasters 1.9%
Exchange rate volatility 1.9%
Enforcement by regulator 1.9%
Data breaches 1.9%
Safety incident 0.9%
Regulatory changes 0.9%
Issues arising from remote/hybrid working 0.9%
Interruption to energy supply 0.9%
Health incident 0.9%
Energy price shock 0.9%
Other 5.7%

Figure 2. Causes of disruption to organizations in the past 12 months

Organization’s main disruptive event 2020-2024

2024 IT and telecom outage
2023 IT and telecom outage
2022 Cyber-attack & data breach
2021 Non occupational disease
2020 IT and telecom outage

2 Consequences of disruptions

The dual impact of disruptions: internal dynamics and external reputation

The data on the consequences of organizational disruptions
over the past twelve months shows an increase across several
critical areas compared to last year. Loss of productivity
remains the most significant impact, rising from 63.7% last
year to 69.5% this year. Such an increase indicates that the
complexity of managing global operations and external
pressure has further strained productivity.

“Every year, we deal with tornadoes, ice storms, hailstorms, and occasional earthquakes - usually between three and four on the Richter scale, often due to nearby fracking activities. These natural disasters generally result in an impact on staffing, productivity, and the services we provide.”
Admin director emergency preparedness and telecommunications, healthcare, USA

“The most significant impacts we’re facing are those linked to productivity, customer retention, and revenue loss.”
Group head of business resilience, multisector, Madagascar

As in last year’s report, it is important to highlight that the negative impact on staff morale, wellbeing, and
mental health also increased – albeit to a lesser extent – reaching 39.1%. Loss of productivity and low
morale among the workforce might be a symptom of unsatisfactory working conditions that fail to boost
motivation and engagement among employees.

On this note, one of the most debated trends in shaping the future of work has been the adoption
of remote work. Remote work statistics show significant increases in flexible working arrangements,
particularly since the COVID-19 pandemic [25]. According to a survey reported by Forbes, a substantial 58% of
employed Americans report having the opportunity to work from home at least one day a week, with 35%
able to work from home full-time. This indicates a notable shift in workplace dynamics, reflecting a growing
preference for flexibility amongst employees. Interestingly, when offered the option, 87% of workers take
advantage of remote work opportunities, spending an average of three days a week working from home.
Most employees desire even greater flexibility than what is currently offered. Many respondents expressed
a preference for fully remote work arrangements, revealing a mismatch between employee desires and
employer offerings.

“Overall, we’re facing significant pressures across the organization due to a dwindling workforce. We’re trying to maintain productivity with fewer staff, and while everyone is dedicated to serving our residents, this constant demand is starting to take a toll. It’s often the same small group that steps up repeatedly, and I can see the mental strain it’s causing.”
Emergency planning & response manager, public sector, UK

“For me, the strongest impact of incidents has been on staff morale and wellbeing. During the disruption in Oregon with civil unrest, I could sense how disheartened the team was. The local conflicts and unrest made it hard for them to reach the office. Eventually, we had to relocate the Portland office out of downtown, which further added to the emotional strain on the team.”
Business continuity consultant, financial sector, USA

“The biggest challenge we face is stress and mental health issues, especially post-COVID burnout, which has affected healthcare systems worldwide. There’s been a troubling increase in violence against healthcare workers - reports of assaults are common, and this takes a toll on morale. Even as younger professionals join the field, they encounter this rising violence, leading to burnout and departures from healthcare. Those who are injured often feel scared to return, impacting not just our organization but healthcare systems across the country.”
Admin director, emergency preparedness and telecommunications, healthcare, USA

Another key topic in changing workplace arrangements is the impact of AI on productivity and operational dynamics. According to an MIT Sloan article [26], generative AI can significantly enhance the productivity of highly skilled workers, potentially improving performance by nearly 40% when tasks align with the AI’s capabilities. However, performance can drop by 19% if tasks fall outside these capabilities. The study emphasises the importance of understanding the boundaries of AI’s abilities and suggests that organizations should implement thoughtful integration strategies, such as training and role reconfiguration, to maximise the benefits of generative AI while maintaining accountability and worker engagement.

On a different note, customer complaints increased to 39.1% in joint second place, a rise from the previous year. These effects are closely linked to reputational damage, which climbed from 33.6% in 2023 to a current 38.1%, as customer dissatisfaction negatively affects public perception. Professionals should not underestimate the importance of addressing external pressures through well-structured response measures that include communications plans to deploy in the case of an incident or a crisis.

“The customer complaints we’ve received are primarily related to supply chain issues. Shortages have resulted in increased lead times, which directly affects our productivity and leads to customer complaints.”
Technical officer enterprise security, manufacture, Netherlands

Effective crisis communication, as outlined by ISO standards on crisis management, should emphasise clarity, timeliness, and consistency. Organizations should establish clear protocols for disseminating information, ensuring that messages are tailored to different stakeholders, including employees, customers, and the media. It is essential to communicate promptly to manage perceptions and mitigate misinformation. Regular updates should be provided to maintain trust, and messages should be consistent to avoid confusion. Additionally, training employees in crisis communication and conducting regular simulations can enhance preparedness and response effectiveness during actual crises [27].

Loss of revenue also saw a substantial increase, jumping from 29.5% to 36.2%, underscoring the financial toll that disruptions are taking on businesses. Alongside this, increased costs of working (29.5%) and supply chain disruption (23.8%) highlight the financial strain resulting from inefficiencies and higher operational costs. Compared to last year, the data suggests that organizations are facing more severe and multidimensional consequences from disruptions, pointing to the need for stronger resilience and preparedness strategies to mitigate these impacts in the future.
Interviewees explained the consequences experienced because of weather events:

“The top consequence we face from climate events is damage to our premises. In a healthcare setting, this damage often leads to a cascade of other issues, making it the root cause of many challenges we encounter.”
Admin director emergency preparedness and telecommunications, healthcare, USA

“Extreme weather poses significant health risks for our workers, especially those outside dealing with roads, streetlights, plumbing, and sewage systems, making heat and cold injuries a concern. It also disrupts transit, delays or cancels services, and impacts critical infrastructure like power, heating, and telecommunications, leading to outages and affecting our ability to carry out normal operations.”
Corporate emergency programme manager, public sector, Canada

Impacts or consequences of the disruptions experienced in the last 12 months

Loss of productivity 69.5%
Negative impact on staff morale/wellbeing/mental health 39.1%
Customer complaints received 39.1%
Reputation damage 38.1%
Loss of revenue 36.2%
Impaired service outcome 30.5%
Increased cost of working 29.5%
Supply chain disruption 23.8%
Damage to premises 22.9%
Increase in regulatory scrutiny 21.9%
Staff loss or displacement 20.0%
Delayed cash flows 15.2%
Loss of customers 12.4%
Loss of premises 8.6%
Loss of corporate knowledge 6.7%
Fine by regulator for non-compliance 6.7%
None 4.8%
Share price fall 4.8%
Product recall/withdrawal 2.9%
Other 1.9%

Figure 3. Impacts or consequences of the disruptions experienced in the last 12 months
3 Risk and threat assessment: next twelve months

Resilience in a complex world: addressing interconnected threats with integrated strategies

The assessment of potential risks for the upcoming year
reveals several vulnerabilities that organizations need to
address. Compared to last year, the impact of the top ten risks
remains relatively similar; however, the likelihood of these risks
materialising has increased significantly, resulting in higher
overall risk indexes.

This shift indicates that while the potential consequences of
risks such as cyber attacks and extreme weather events remain
consistent, organizations now face a greater probability of
experiencing these events. Therefore, there is a growing need
for enhanced preparedness and proactive business continuity
and crisis management strategies to mitigate the escalating
likelihood of disruptions.

Cyber attacks remain the top risk, with an increased risk index
of 11.3 compared to 6.9 last year. This highlights the growing
sophistication and frequency of cyber threats, necessitating
enhanced cybersecurity measures and employee training
to protect sensitive data. Delving further into the cyber
threat issue, the BCI Cyber Resilience Report 2024 reveals a
significant rise in cyber-attacks, with 74.5% of organizations
reporting increased attempts, particularly in phishing and
credential harvesting, driven by AI [28].

In response, organizations are becoming more proactive, employing tools like Security Information and Event Management (SIEM) and Endpoint Detection and Response (EDR) alerts to detect and address threats more quickly. Nearly half of the organizations successfully thwarted attacks by focusing on preparedness, training, and timely responses. Cyber insurance is also helping mitigate direct financial losses, although indirect costs, such as lost sales, remain underestimated. The report also shows a growing commitment from top management to manage cyber risks, as well as faster response times. Looking at the foreseeable future, staff awareness and training remain a top priority, as human error is still a key vulnerability[29].

One of the recurring themes through the report is the coexistence of both physical and digital threats, which at times may even overlap. In this regard, extreme weather events, now at a risk index of 8.4, have risen from last year’s score of 6.3, revealing the increasing unpredictability and intensity of climate-related disruptions.

The BCI Extreme Weather & Climate Risk Report 2023[30] highlights that several organizations have been affected by climate-related events over the last five years. However, many still treat extreme weather as an isolated event, lacking a dedicated climate risk budget. Despite the rising risks, particularly to supply chains, many remain reactive rather than proactive. While most organizations have integrated ESG with business continuity, high costs and short-term focus remain barriers to more robust climate risk strategies.

Training remains one of the main concerns, as only a few organizations regularly practice for climate-related disruptions, despite supply chain disruptions being a major outcome. While some progress has been made, most organizations are still transitioning from monitoring climate impacts to actively implementing climate resilience measures. Due to the growing realisation that governments alone may not be able to mitigate climate risks, organizations must adopt proactive strategies to safeguard operations[31].

Further down the chart, data breaches have significantly risen to an index of 8.3, compared to 5.3 last year, emphasising the urgent need for robust data protection policies. In a similar vein, IT and telecom outages, now at 8.1, up from 5.9, indicate that reliance on digital infrastructure is more critical than ever. These findings echo the concerns experienced by professionals regarding the past twelve months, where IT outages represented the most significant disruption.

Critical infrastructure failure rounds out the top five future concerns with a risk index score of 7.9, up from 5.1 in 2023. International bodies such as the European Commission emphasise the importance of protecting critical infrastructure in sectors like energy, health, and transport to ensure societal stability. The 2023 Critical Entities Resilience Directive requires EU Member States to strengthen the resilience of critical services by developing national strategies and conducting risk assessments. Additionally, a 2022 Council Recommendation introduced further actions to enhance preparedness and response to threats[32].


Moving to a different geographical area, the Australian Government is working to safeguard critical services through reforms under the Protecting Critical Infrastructure and Systems of National Significance initiative, part of the 2020 Cyber Security Strategy. The Security Legislation Amendment Bill 2020 seeks to expand coverage from four to eleven sectors, including communications, financial services, health care, transport, and more. These measures aim to strengthen resilience against cyber threats across vital national sectors[33].

Furthermore, on 25 June 2024, the Hong Kong Government proposed the Protection of Critical Infrastructure Bill to enhance cybersecurity for critical infrastructures. Key points include regulating large organizations to secure their systems, establishing a Commissioner’s Office to designate critical infrastructure operators (CIOs), and imposing strict incident reporting timelines. The bill introduces financial penalties for organizations, holds CIOs accountable for third-party compliance, and is expected to be introduced to the Legislative Council by the end of the year[34].

As an overview of the risks that follow those in the top five, security incidents (7.5) are also elevated compared to last year. In addition, supply chain disruptions, now at 7.4, reflect the ongoing complexities in global supply chains, necessitating comprehensive management strategies. Regulatory changes (7.2) and the introduction of new technology (7.1) also both underscore the need for organizations to remain agile in the face of evolving market dynamics.

Practitioners explained their concerns over the next twelve months such as weather events, political tension, geopolitics, regulations, and health issues:

“Looking ahead to the next 12 months, we’re preparing for more extreme weather events. Even rare occurrences, like a once-in-500-year event, are happening more frequently now. While our central office in Georgia typically faces just wind, rain, and some tornadoes by the time hurricanes reach us, we also have offices in Florida, South Carolina, North Carolina, and Virginia. We have to closely monitor hurricanes along the East Coast to ensure our teams and operations are prepared for any potential impact.”
Business continuity consultant, financial sector, USA

“A concern is the growing tension in society, exacerbated by rising prices and housing costs. This isn’t just a local issue in the Netherlands; it’s a global phenomenon. Increased societal tensions can undermine trust, which is critical for our business. As we operate in a business-to-business environment, if trust erodes and anxiety grows among our partners, it could jeopardise long-term investments.”
Technical officer enterprise security, manufacture, Netherlands


“With red weather warnings and the potential for a harsh winter in the UK, we’re grappling with the ongoing war in the Middle East affecting operations. It raises concerns about gas supply and heating for our staff.”
Business continuity manager, professional services, UK

“In the next 12 months, I expect increased enforcement by regulators within healthcare. Our accrediting body, which reports to CMS, will conduct a survey every three years, and we’re preparing for our next audit in March 2025. This could lead to additional visits or scrutiny.”
Admin director emergency preparedness and telecommunications, healthcare, USA

“Regulatory changes are a constant challenge for us. Companies frequently update their requirements, and to stay competitive, we must ensure compliance with their standards. Additionally, we need to navigate government regulations, both domestically and internationally, which adds another layer of complexity.”
Business continuity consultant, financial sector, USA

“Regulatory changes like DORA are new to me from a business continuity perspective, although not to my colleagues in finance. With our ISO audit scheduled for January, it’s crucial that I ensure all my ‘I’s are dotted and ‘t’s crossed.”
Business continuity manager, professional services, UK

“Health issues and accidents are ongoing concerns, particularly in a large organization like ours. While these incidents may not disrupt our business operations significantly, they do have a considerable personal impact on the individuals involved, their families, and colleagues.”
Technical officer enterprise security, manufacture, Netherlands

“As we enter the RSV and influenza season from October to January, we anticipate operational impacts due to increased staff absences and higher patient census. When staff members or their children contract these illnesses, they often need to stay home, leading to further strain on our operations.”
Admin director emergency preparedness and telecommunications, healthcare, USA

“Working in the tropics, we’re always on guard for unexpected diseases, like the recent
emergence of monkeypox. It impacted our operations and the communities we serve.”
Risk and business continuity manager, infrastructure, Uganda


Figure 4. The likelihood of incidents in the next twelve months and the expected impact levels on respondent organizations (scatter plot of the events listed in Table 2; x-axis: Likelihood, 0.9 to 4.4; y-axis: Impact, 1.7 to 3.1; quadrants: high impact/lower frequency, higher impact/higher frequency, lower impact/lower frequency, low impact/high frequency)


| Rank | Event | Frequency | Impact | Risk Index |
|---|---|---|---|---|
| 1 | Cyber attacks | 3.80 | 2.96 | 11.27 |
| 2 | Extreme weather events (e.g. floods, storms, freeze, etc.) | 3.58 | 2.35 | 8.42 |
| 3 | Data breaches | 3.00 | 2.75 | 8.25 |
| 4 | IT and telecom outage | 3.27 | 2.48 | 8.13 |
| 5 | Critical Infrastructure failure | 2.94 | 2.70 | 7.94 |
| 6 | Security incident | 3.38 | 2.21 | 7.46 |
| 7 | Supply chain disruption | 3.10 | 2.39 | 7.41 |
| 8 | Regulatory changes | 3.19 | 2.25 | 7.17 |
| 9 | Introduction of new technology (IoT, AI, Big data) | 3.43 | 2.06 | 7.08 |
| 10 | Interruption to energy supply | 2.65 | 2.35 | 6.22 |
| 11 | Fraud/attempted fraud | 2.91 | 2.07 | 6.02 |
| 12 | Increased cost of living | 2.89 | 2.07 | 5.97 |
| 13 | Natural disasters (earthquakes, tsunamis, etc.) | 2.17 | 2.70 | 5.84 |
| 14 | Health incident (NOT transmissible disease such as COVID but occupational disease, reportable occupational disease, stress/mental health, increased sickness absence) | 2.63 | 2.20 | 5.78 |
| 15 | Non-occupational disease (e.g. pandemic) | 2.56 | 2.26 | 5.78 |
| 16 | Safety incident (personal injury, fatality, asset damage, dangerous occurrence, reportable incident) | 2.62 | 2.18 | 5.71 |
| 17 | War/conflict | 2.04 | 2.76 | 5.63 |
| 18 | Political violence/civil unrest | 2.60 | 2.10 | 5.45 |
| 19 | Political change(s) | 2.59 | 2.04 | 5.28 |
| 20 | Enforcement by regulator | 2.32 | 2.23 | 5.18 |
| 21 | Higher interest rates | 2.29 | 1.96 | 4.49 |
| 22 | Energy price shock | 2.11 | 2.00 | 4.22 |
| 23 | Travel restrictions | 2.10 | 1.85 | 3.88 |
| 24 | Exchange rate volatility | 2.00 | 1.88 | 3.77 |
| 25 | Issues arising from remote/hybrid working (the new working environment) | 2.06 | 1.83 | 3.76 |
| 26 | Lone attacker/active shooter incident | 1.39 | 2.69 | 3.75 |
| 27 | Natural resources shortage | 1.48 | 1.96 | 2.90 |
| 28 | Product safety recall | 1.13 | 1.87 | 2.12 |

Table 2. The likelihood of incidents in the next twelve months and the expected impact levels on respondent organizations


4. Benchmarking long term threat analysis


Risk scanning: a centralised activity


Data indicates that the majority of organizations (53.9%)
have centralised functions conducting long-term trend
analyses, which suggests a hierarchical approach to risk
and threat assessments.

“We conduct horizon scanning through a centralised approach in our corporate functional department. We use a Hazard Vulnerability Assessment (HVA) that includes around 75 hazards we face, scored by probability and severity to calculate their relative risk. This assessment categorises risks into human, natural, technological hazards, and emerging infectious diseases. We gather data from regional partners and other healthcare systems to compare risks and justifications.”
Admin director emergency preparedness and telecommunications, healthcare, USA

“Horizon scanning in our organization begins with a centralised framework for enterprise risk management, where we then identify and evaluate risks relevant to each subsidiary. By engaging stakeholders from different departments, we share diverse perspectives that enrich our understanding. This collaborative approach allows us to tailor the analysis to our unique circumstances.”
Technical officer enterprise security, manufacture, Netherlands


However, 23.1% of organizations operate on a decentralised model, potentially leading to inconsistencies in sharing the findings of the assessment but allowing – on the other hand – for better granularity. The fact that 6.6% are still in the process of developing these functions highlights a gap that could expose them to vulnerabilities. Meanwhile, 13.2% of organizations are not engaging in these practices at all, underscoring a significant risk management challenge. This data calls for a more uniform approach across sectors to ensure all organizations are prepared for potential disruptions.

Looking at historical data between 2014 and 2024, it is clear that awareness of the importance of long-term trend analysis has consistently hovered around 70%. However, the COVID-19 pandemic served as a wake-up call, leading to a peak in risk awareness as organizations recognised the reality of low probability-high impact events and the potential for large-scale disruptions. Despite this heightened awareness, data shows that there are signs that organizations relaxed their vigilance after the COVID-19 pandemic, feeling that such significant threats are unlikely to recur anytime soon.

Figure 5. Does your organization conduct longer term trend analysis to better understand the threat landscape?

| Response | Share of respondents |
|---|---|
| Yes, this is conducted by a central, corporate function or department | 53.9% |
| Yes, however many different departments do this according to their own needs | 23.1% |
| Not yet, however this is in process within our organization | 6.6% |
| No, we don’t do this | 13.2% |
| Unsure, Other (not individually labelled) | 2.2%, 1.1% |


Figure 6. Organizations developing long trend analysis 2014-2024 (line chart; x-axis: year, 2014 to 2024; y-axis: 60% to 90%)


Enhancing long term threat analysis: the importance of collaboration

Organizations use various tools for their trend analyses on risks and threats, each contributing to a comprehensive understanding of their risk landscape. Despite a few changes, most tools in last year’s top five remain among the preferred ones for respondents.

Internal risk and threat assessments, consistent with last year’s figures, lead the chart with 92.1% of respondents saying they conduct such assessments (a slight increase from 87.9% in 2023). Internal assessments are a long-standing practice in business continuity management and organizational resilience. However, different professionals hold different views on the role and relevance of business continuity risk assessments. Some practitioners fully embed this practice within their analyses, gathering data on potential risks to prioritised processes. Others consider risk assessments as a tool to provide context to the business continuity management lifecycle and raise awareness of potential risks, but they do not place it at the core of the programme. In some cases, professionals might even take a risk-agnostic approach, where the focus is on the internal dynamics and vulnerabilities of the organization and not on external threats[35].

External reports and industry insights, at 80.9%, both provide a broader perspective on market dynamics and emerging threats, allowing organizations to stay informed about industry trends. These sources hold a connection with the next most popular method for understanding the risk landscape, which is the collaboration with peers (62.9%). Both facilitate knowledge sharing and the exchange of best practices, enhancing overall risk management. Interestingly, research reports (56.2%) also move into the top five in 2024, highlighting a trend where professionals rely on peer-to-peer consultation more than in previous years.

Research reports often leverage data from experts in resilience-related roles, delivering data-driven analyses and cases that inform decision-making and highlight current trends. On this note, participation in industry events also features further down the chart at 51.7%, just out of the top five.

Social media monitoring (60.7%) allows organizations to track public sentiment and identify emerging issues in different ways, enabling proactive risk management. For instance, social media can help predict the impact of natural disasters by analysing user posts to detect behavioural changes in affected populations. A study highlighted that social media posts, especially during floods and fires, can reflect emotional states like anxiety or confusion. Advanced machine learning techniques can enhance disaster forecasting by processing this data. The research suggests that combining social media information with real-time meteorological data can offer more accurate and timely responses to natural disasters[36]. Additionally, the EU Joint Research Centre (JRC) has developed a disaster risk management tool. The tool uses advanced algorithms to analyse vast amounts of social media data in real time, helping authorities identify trends and respond more effectively to crises like natural disasters and emergencies[37].

Over half of the respondents highlighted country or industry risk registers as another tool they consult to identify threats to their organization. There are several public documents that are published every year on global risks and threats that can aid organizations’ risk management strategies. In this regard, the BCI Horizon Scan provides guidance to organizations, but there are other well-established publications such as the World Economic Forum Global Risk Report, the Allianz Risk Barometer and the UK National Risk Register that can guide practitioners.


Practitioners talked about the different tools that they use to develop horizon scanning within their
organizations.

“I implemented a new mass communication platform that integrates threat intelligence and monitoring. Our Director of Security also introduced a threat intelligence platform that is strategically partnered with our systems. This setup provides us with live, real-time updates on potential threats that may impact our sites.”
Admin director emergency preparedness and telecommunications, healthcare, USA

“Currently, our horizon scanning process is manual, and I haven’t yet discussed acquiring software for this purpose. The BCI Horizon Scan Report is one of the most comprehensive resources I’ve found, as it collects information from various practitioners rather than just a government perspective.”
Business continuity manager, professional services, UK

“Our horizon scanning processes are currently manual, relying on tools like Microsoft Teams, Zoom, and email for communication. We are working on digitalising these processes to improve our alert notifications and overall response.”
Group head of business resilience, multisector, Madagascar

“I actively engage with horizon scanning reports, webinars, and networking opportunities to stay ahead of trends and best practices.”
Business continuity and governance consultant, charity, Australia

“I often rely on trend analysis reports from contracted experts to inform our planning and exercise scenarios. These reports serve as a valuable guideline for response plans, particularly when assessing risks. I’m fortunate that our team shares knowledge internally, which helps me identify what’s relevant for our specific hazards and enables me to offer guidance and counsel effectively.”
Corporate emergency programme manager, public sector, Canada

“I leverage a variety of incident response technologies, such as emergency operation software, which have proven effective in managing initial emergency responses. From a business continuity perspective, I’ve also used a third-party provider, amongst other tools, to enhance our preparedness.”
Corporate emergency programme manager, public sector, Canada


Whatever the tool of choice for horizon scanning, most interviewees emphasised that collaboration is key when assessing threats and challenges for organizations:

“I think that collaboration is crucial when doing horizon scanning. I rely heavily on the insights
from those on the ground, as they provide invaluable information. It’s essential to check
various sources, even social media or government updates, as every country views risk through
its own lens. From our organizational perspective, we need to integrate all these insights.”
Business continuity manager, professional services, UK

Figure 7. Which tools do you use to conduct trend analysis/horizon scanning of the risks/threats to your organization?

| Tool | Share of respondents |
|---|---|
| Internal risk and threat assessment | 92.1% |
| External reports/industry insight | 80.9% |
| Collaboration with peers | 62.9% |
| Social media monitoring | 60.7% |
| Research reports | 56.2% |
| Participation in industry events/conferences | 51.7% |
| Country or industry risk registers | 50.6% |
| Automated systems for cyber security | 30.3% |
| Use a third-party organization to conduct risk mapping/horizon scanning | 29.2% |
| Internally developed tools and systems | 28.1% |
| Risk assessment software | 28.1% |
| Forecasting tools | 15.7% |
| Simulation technology | 10.1% |
| Other | 2.3% |


A mixed landscape: modest technology use amidst manual processes in threat analysis

Data shows a mixed picture regarding the use of technology to analyse threats over the past two years. While 60.5% of respondents state that the use of technology to analyse their organization’s threat landscape and its potential impact increased over the last two years, this is done to different degrees.

Although 14.3% of respondents have seen a considerable increase in the use of technology and 30.8% a moderate increase, a substantial 36.3% report no increase at all. This suggests that while a significant number of organizations are investing more in technological tools to assess their threat landscape, a large portion still develop their threat assessments manually, using tools such as Excel spreadsheets, public sources and through peer-to-peer collaboration.

“We have significantly increased our use of technology over the past two years to manage potential disruptions. We now use a vendor which serves as a software-as-a-solution repository for our continuity of operations plans, allowing them to be stored off-site.”
Admin director emergency preparedness and telecommunications, healthcare, USA

“I believe that the more we can harness technology to streamline our operations, the better we can respond and recover from crises. The COVID-19 pandemic proved that many can work efficiently from anywhere, so adapting to new technologies and approaches is not just beneficial; it’s essential for our resilience.”
Corporate emergency programme manager, public sector, Canada

This is consistent with last year’s trend when automated tools were less popular than more traditional approaches. However, the fact that nearly two-thirds (60.5%) of respondents indicate an increase in technology adoption is consistent with the findings of the BCI Technology in Resilience Report 2023, which highlighted that 50% of organizations are now using technology for crisis management and business continuity. Artificial intelligence, automation, and data analytics are increasingly being adopted to enhance decision-making and operational efficiency. Still, the report emphasises the need for organizations to balance technological innovation with robust security measures to effectively manage future risks[38].


Figure 8. Has the use of technology to analyse your organization’s threat landscape and its potential impact increased over the last two years?

| Response | Share of respondents |
|---|---|
| Yes, has increased considerably | 14.3% |
| Yes, has increased moderately | 30.8% |
| Yes, has increased somewhat | 15.4% |
| No, we haven’t increased our use of technology | 36.3% |
| Unsure | 3.3% |

The data on the use of software reveals a wide range of approaches. Enterprise software (42.9%) like Microsoft 365 or Google Workspace is widely used, likely due to its accessibility and general utility. However, 36.3% of organizations still have no formalised system for managing disruptive incidents, indicating potential vulnerabilities. Specialised incident management software (27.5%) and integrated business continuity systems (23.1%) show a more focused approach by some organizations, while 16.5% use custom-built, fit-for-purpose software tailored to their specific needs.

Organizations adopting more customised or dedicated tools are showing a decisive commitment towards resilience, whereas others may be lagging due to resource constraints or differing threat perceptions. The significant use of general enterprise software shows a reliance on multifunctional platforms, but specialised and custom tools could offer better-tailored solutions for those seeking to address specific risks. The gap in formalised systems remains a concern and shows the importance of a broader adoption of dedicated risk management tools.


A number of interviewees highlighted resources as the main challenge when trying to incorporate more
technology either for horizon scanning or crisis response.

“In my role, I’ve explored various tools for cyber horizon scanning, however the reality often hits hard when I see the price tag. I’ve had to get creative, leveraging tools like Microsoft 365 tools. We have also implemented solutions such as a board portal and fleet management software to monitor some of our operating activity landscape. For example, we can identify sub-optimal driving behaviours that pose a threat to the organisation, allowing us to address these issues proactively. It is important to find smart, cost-effective ways to enhance our capabilities without breaking the bank.”
Business continuity and governance consultant, charity, Australia

“In an incident response, all I really need is a mobile phone and a contacts list. We’ve got a dedicated app for alerts, which can notify a wider group, but with budget pressures, it’s tough to justify investing in more advanced tools. While I know there are enhancements available, the cost-benefit conversation is always challenging.”
Emergency planning & response manager, public sector, UK


Figure 8. Are you currently using software to manage disruptions in your organization?

| Software | Share of respondents |
|---|---|
| Enterprise software | 42.9% |
| No formalised electronic system to manage disruptive incidents | 36.3% |
| Incident management software provider | 27.5% |
| Integrated incident management and business continuity software provider | 23.1% |
| Custom-built software | 16.5% |
| Other | 1.1% |

The 2024 data reflects significant organizational engagement with trend analysis outputs, as 50.6% of
respondents report being aware of and actively using these insights, while 30.8% participate in developing
the analyses themselves. Despite this progress, 14.3% lack access to this critical information, and 2.2% do
not see its value. When viewed alongside a decade-long trend, the growing adoption rate – from 56.9% in
2014 to 81.3% today – demonstrates a marked increase in the recognition of trend analysis as a vital tool for
strategic decision-making and risk management. This rising engagement suggests that more organizations
now see the benefits of data-driven insights in navigating an ever more crowded risk landscape. However,
the remaining portion of organizations without access or appreciation for these analyses highlights the
need for further efforts to increase access and showcase the value of these tools across all levels.


Figure 9. As a business continuity/resilience practitioner, do you draw on the outputs of trend analysis for your programme?

| Response | Share of respondents |
|---|---|
| Yes, I’m aware of the outputs and use them | 50.6% |
| Yes, I help develop the analysis in the first place | 30.8% |
| No, I do not have access to this information | 14.3% |
| No, I don’t see the value of this information | 2.2% |
| Other | 2.2% |


Figure 10. Usage of the outputs of trend analysis within organizations’ business continuity programmes 2014 - 2024 (line chart; x-axis: year, 2014 to 2024; y-axis: 50% to 90%)


5. Benchmarking business continuity


The benefits of certification are valued as most organizations align to ISO standards.
Most organizations align towards ISO 22301, although
on different levels. While 21.1% of organizations
are certified and 36.8% use the framework without
certification, there is also an uptick in the formalisation of
approaches, with 26.3% planning to adopt the standard
in 2024. The figures highlight an evolving landscape
where the framework remains foundational for many, yet
certification is still not a priority for most organizations.
As organizations increasingly recognise the value of
structured business continuity management programs,
there is significant room for improvement in achieving
formal compliance with ISO standards. Overall, there is
an encouraging trend towards enhancing organizational
resilience through ISO 22301, even as some
organizations struggle with the full implementation
of the framework.

“Our ISO compliance primarily stems from the requirements of our key stakeholders. This compliance is not just a box-ticking exercise for our senior leaders; it reflects their commitment to meeting the expectations of clients and partners.”
Business continuity manager, professional services, UK


“We use the ISO 22301 framework for our formal business continuity management program,
even though we’re not certified. The decision stems from both practical and financial
considerations. While the framework itself is robust and serves as an excellent guide for our
efforts, the return on investment for certification isn’t compelling for local government. The
process of certification is both costly and labour-intensive, and the benefits simply don’t
justify the investment for us at this time.”
Corporate emergency programme manager, public sector, Canada

“We use ISO 22301 as a framework, but we’re not certified because there are no regulatory requirements in our country mandating such certification for most of our organization. However, we are open to pursuing certification when needed, as one of our subsidiaries has already achieved it for a specific part of the organization.”
Group head of business resilience, multisector, Madagascar

“I find ISO 22301 useful as a framework because it establishes a common language that facilitates collaboration across organizations. While we’re not certified, it allows us the flexibility to adapt to a shared approach to business continuity. Aligning with its principles ensures we’re taking the right steps, even if certification doesn’t guarantee effectiveness. It sets us on the right path to manage crises effectively.”
Emergency planning & response manager, public sector, UK

“While there’s no mandatory requirement for us to pursue an ISO 22301 certification, support can fluctuate based on competing priorities and initiatives. However, I make it a point to align our practices with ISO standards and advocate for continuous improvement.”
Business continuity and governance consultant, charity, Australia


The percentage of organizations that don’t align or certify to ISO 22301 and have no plans to do so in the future stands at an all-time low (10.5%), highlighting the fact that organizations see the value of using this framework to develop their resilience programmes.

Among the most recent updates to the ISO 22301 family of standards, it is important to mention the amendment on climate action. Specifically, across a wide range of standards, including those on security and resilience, ISO now specifies the need for the organization to determine whether climate change is a relevant issue to its threat landscape. This amendment aims to enhance organizational accountability regarding climate-related risks and promote sustainability practices. It underscores the necessity for organizations to incorporate climate considerations into their management systems, ensuring they are better equipped to address environmental impacts and contribute to global sustainability goals[39].

Figure 11. If you have a formal business continuity management programme in place, how does it relate to ISO 22301?

| Response | Share of respondents |
|---|---|
| We use ISO 22301 as a framework and certify to it | 21.1% |
| We use ISO 22301 as a framework but are not certified to it | 36.8% |
| We use ISO 22301 as a framework, are not certified to it, but are in the process of getting certified | 5.3% |
| We don’t currently use ISO 22301 as a framework but we intend to move towards this during 2024 | 26.3% |
| We don’t use ISO 22301 as a framework and have no plans to move towards this during the next year | 10.5% |


Figure 12. Organizations that don’t use ISO 22301 as a framework and have no plans to move towards it within the following year 2015-2024
[Line chart. Horizontal axis: year, 2015 to 2024. Vertical axis: percentage of organizations, 0% to 30%. Data labels shown on the chart, from highest to lowest: 28.3%, 23.4%, 22.6%, 20.7%, 18.1%, 16.8%, 16.7%, 13.4%, 11.8%, 10.5% (the 2024 value).]

Responses on the benefits of certification illustrate its critical role in enhancing organizational resilience.
A significant 79.2% of respondents noted that certification increases resilience, indicating that certified
organizations are better prepared to withstand and recover from disruptions. Furthermore, 75.0%
highlighted the ability to demonstrate the effectiveness of the business continuity management programme
to external stakeholders, which can enhance credibility and trust.

The consistency in BCM measurement and monitoring, valued by 66.7% of respondents, ensures that
organizations can evaluate their preparedness systematically. Meanwhile, 62.5% of participants mentioned
that certification helps stakeholders manage risks more effectively, fostering a proactive approach to risk
mitigation. Additionally, the dual benefits of improved customer satisfaction and faster recovery (both at
50%) underscore how certification not only enhances operational stability but also strengthens relationships
with clients.

“Having an ISO 22301 certification significantly improves our organizational resilience and
communication. For instance, when COVID-19 was first detected we quickly developed a
business continuity plan, identifying essential workers. By the time it reached Uganda,
we were well prepared, allowing us to adapt while ensuring the safety of our staff.”
Risk and business continuity manager, infrastructure, Uganda


“The benefits of ISO certification are significant. It provides consistency across our various
locations and departments, ensuring that everyone follows the same protocols. This
uniformity is crucial in a large organization like ours. It helps me encourage collaboration
and engagement among team members. Achieving ISO compliance has significantly
improved our resilience, now we have a much simpler and more effective operational
framework.”
Business continuity manager, professional services, UK

Figure 13. What benefits does certification provide to you and your organization?

Increases our organization’s resilience: 79.2%
Allows us to demonstrate the effectiveness of our BCM programme to external stakeholders: 75.0%
Enables consistent BCM measurement and monitoring: 66.7%
Helps stakeholders to better manage risks: 62.5%
Ensures alignment with industry peers: 54.2%
Improves customer satisfaction: 50.0%
Enables faster recovery after a disruption: 50.0%
Enables the management of disruption: 45.8%
Helps to reduce insurance costs: 45.8%
Improves communications and employee engagement: 41.7%
Supports international trade: 29.2%


Data shows that 81.4% of organizations have not moved away from ISO 22301, showing its continued
relevance in business continuity management. However, 10.2% have done so, influenced by several factors.
The top driver is a lack of business requirement (56.9%), followed by organizations that align with ISO 22301
but feel no need for certification (44.8%). Other reasons include insufficient staff time (36.2%), no available
budget (34.5%), and lack of management commitment (17.2%). These factors highlight both practical and
strategic considerations behind opting out of certification, but it is still important to note that those moving
away from the standard represent a very small subset compared to the overall sample.

“While I appreciate ISO 22301 as a valuable standard, it doesn’t add extra value to our existing systems. Implementing it merely for the sake of compliance isn’t beneficial; organizations that lack a foundation can greatly benefit from it, but we already have effective measures in place.”
Technical officer enterprise security, manufacture, Netherlands

“We’re not certified to ISO 22301 because it’s not a business requirement for us. While it provides direction, I believe certification doesn’t guarantee the effectiveness of our program. There are no external regulations forcing us to certify.”
Emergency planning & response manager, public sector, UK

One of the reasons for sticking with ISO 22301 might be the fact that several governing bodies have
begun to include business continuity management practices in upcoming legislation. Over the past five
years, new operational resilience legislations across the world have increasingly incorporated business
continuity elements present in ISO 22301. For instance, regulations like the EU’s Digital Operational
Resilience Act (DORA), the UK FCA and PRA guidelines, and US financial oversight focus heavily on
resilience and business continuity. Similarly, Hong Kong’s Cyber Resilience Assessment Framework and
Singapore’s MAS guidelines emphasise risk management and continuity planning.

While there are differences in these legislations – both in terms of concepts and language – ISO 22301
already includes many of the key practices required for compliance. These include performing a business
impact analysis (BIA), validating business continuity plans, having an effective crisis management structure,
and ensuring continual improvement – all key elements for operational resilience. Adopting ISO 22301
allows organizations to meet many of the emerging regulatory requirements more easily, streamlining
their efforts to comply with multiple frameworks while ensuring preparedness. By adhering to ISO 22301,
organizations can better align with new legislative demands and cover foundational resilience activities. This
not only facilitates smoother compliance processes but also enhances their capacity to handle disruptions,
making it a strategic choice for many businesses facing evolving regulations. It can also provide a valuable
tool in supply chain management. Third parties are being asked for increasing amounts of information
at the pre-contract onboarding stage, and the presence of either certification or alignment to ISO 22301
can help to showcase a supplier’s resilience.


Answers from respondents on their alignment with ISO 22301 revealed different perspectives. One respondent highlighted the necessity of conforming to both The Joint Commission and CMS standards, demonstrating that regulatory requirements significantly influence practices in sectors like healthcare. Meanwhile, another participant mentioned their use of NFPA 1600, which focuses on emergency management.

“We’ve always adhered to the FFIEC standards because, as a payment processor, we fall under federal regulations. There’s not much difference between FFIEC and ISO 22301. When ISO 22301 was introduced, I made it a point to understand its requirements. However, given the complexities of what we do, we find that the FFIEC standards align better with our operations and regulatory needs.”
Business continuity consultant, financial sector, USA

Another respondent noted the integration of ISO 27001 for information security management, due to the importance of data protection within their resilience framework. Furthermore, an additional respondent mentioned aligning its policies with ISO standards and BCI Good Practice Guidelines but clarified that ISO accreditation is not mandated in their industry.

These comments highlight the importance of industry-specific standards and frameworks, while also illustrating the flexibility organizations have in choosing which standards to implement based on their unique operational needs. This adaptability is needed to achieve the dual purpose of enhancing resilience and ensuring compliance with various regulatory and best practice frameworks.

Figure 14. Have you moved away from using ISO 22301 in place of another resilience standard over the past two years?

Yes: 10.2%
No: 81.4%
Unsure: 8.5%


Figure 15. What are your reasons for not being certified or having no plans to be certified to ISO 22301?

No business requirement: 56.9%
We align ourselves to ISO 22301 but there is no need for us to certify: 44.8%
Lack of staff time to meet the requirements of a standard: 36.2%
No budget available: 34.5%
No management commitment: 17.2%
Unable to convince senior management on the value it provides: 17.2%
No external drivers: 15.5%
We only do what we are mandated to do by law: 13.8%
Do not believe it adds any value to our organization: 13.8%
We are too small: 12.1%
Scope shifting from BCM to resilience: 10.3%
We certify to an alternative standard: 8.6%
We have to conform to an alternative industry regulation: 6.9%
ISO is not aligned to our organization: 5.2%
We feel it is out of date: 1.7%

6 Looking ahead

Rising digitalisation is influencing medium-term risks, alongside the enduring threat of climate-related challenges

Survey data highlights five key risks anticipated to shape the next 5-10 years, with cybersecurity emerging as the most significant concern at 76.7%. This marks a slight decrease from last year’s figure of 78.5%, but still shows that organizations are increasingly prioritising cybersecurity as digital transformation accelerates. With cyberattacks becoming more sophisticated, businesses must enhance their security protocols and employee training to safeguard sensitive information and ensure operational resilience.

Following in second place is climate risk, now standing at 40%, which reflects a significant decline from last year’s 48.8%, since some organizations may feel better equipped to address environmental challenges, likely due to heightened awareness and preparedness initiatives. Nevertheless, the ongoing impact of climate risk needs continued prioritisation from organizations, focusing on disaster preparedness to mitigate potential disruptions.

Technology and telecom failures account for 26.7% of the risk landscape, showing a slight decrease from last year’s 29.8%. As organizations increasingly depend on technology for daily operations, the risk of outages or failures remains a critical concern. While some organizations may have improved their infrastructure and maintenance practices, continued investment in reliable technology and contingency planning is essential to ensure operational continuity and resilience.

Supply chain issues represent 25.6%, also down from 30.6% last year. This shift may be due to organizations adapting to the complexities of global supply chains, perhaps by enhancing visibility and flexibility. However, disruptions from geopolitical tensions, natural disasters, and pandemics remain significant challenges. To mitigate these risks, organizations must continue to strengthen their supply chain strategies to ensure agile responses to unexpected events.


The risk of emerging technologies

Lastly, the introduction of emerging technologies stands at 21.1%. This figure demonstrates a shift in focus, as last year’s data did not specifically highlight this risk. While the adoption of new technologies can drive innovation, it also introduces new vulnerabilities. Organizations must balance the benefits of innovative solutions with comprehensive risk assessments to adequately prepare for potential consequences.


Figure 16. Thinking about the next 5-10 years, what are your top three concerns for the mid- to long-term?

Cyber security: 76.7%
Climate risk: 40.0%
Technology/telecoms failure: 26.7%
Supply chain issues: 25.6%
Introduction of emerging technologies: 21.1%
Geopolitical changes: 20.0%
War/conflict: 17.8%
Mental wellbeing of staff: 16.7%
Meeting the demands of new regulation/regulatory change: 15.6%
Talent/manpower concerns: 11.1%
Physical security issues: 11.1%
Reputational risk: 11.1%
Civil unrest: 10.0%
Managing hybrid/virtual working environments: 10.0%
Health and safety matters: 8.9%
Competitor risk: 7.8%
Out of date policies and processes: 5.6%
Economic turmoil: 5.6%
Armed conflict: 5.6%
Trade wars: 4.4%
Pandemic/non-occupational disease: 4.4%
Terrorism: 3.3%
Lack of guaranteed energy supply: 3.3%
Lone/active shooter: 1.1%


Notably, just outside of the top five risks are two highly related threats, namely war/conflict at 17.8% and
geopolitical changes at 20%. These concerns arise from growing international tensions across various
regions and can intersect with other risks such as cyberattacks – especially if state-sponsored – and supply
chain disruptions, which may necessitate rerouting of maritime and road transport.

“Today everything relies on cyber systems; there’s hardly any aspect of our operations that isn’t tied to technology. The magnitude of cyber threats is growing, and much of our sensitive data is stored in the cloud. The amount of sensitive information we hold makes cybersecurity our biggest fear. The stakes are incredibly high, and we need to remain vigilant and proactive in our approach to mitigating these risks.”
Business continuity manager, professional services, UK

“We’re anticipating several regulatory changes, particularly in the cybersecurity sector and especially in the EU. Since we are suppliers of key components, we will undoubtedly be affected by these regulations. We’re actively preparing for the Cyber Resilience Act, which targets products, software, and solutions.”
Technical officer enterprise security, manufacture, Netherlands

“Climate risk is just the tip of the iceberg; with increasing rainfall, summer heat, and winter storms, we’re not adapting fast enough. Coupled with high population density, the impacts are real and will only get worse.”
Emergency planning & response manager, public sector, UK

“In the medium term, I see several significant risks, particularly regarding the mental wellbeing of our staff, physical security issues, and cybersecurity threats. The current political polarity in the U.S. has heightened concerns around physical security, especially as some healthcare services we provide have been deemed illegal by the state.”
Admin director emergency preparedness and telecommunications, healthcare, USA

“Climate risks pose significant challenges, particularly with cyclones affecting our operations in Africa, which can severely impact our resilience.”
Group head of business resilience, multisector, Madagascar


“Geopolitical changes are a significant concern for the coming decade. There’s a growing sense that, as a society, particularly in the west, we’re somewhat complacent about the escalating volatility and risks we face globally. If tensions continue to rise without resolution, we could find ourselves on the brink of a global conflict.”
Corporate emergency programme manager, public sector, Canada

“The major risks we face are tied to armed conflict and economic tensions, particularly the decoupling between the US and China, which is shifting the global balance of power and impacting our supply chains.”
Technical officer enterprise security, manufacture, Netherlands

“I’m increasingly concerned about civil unrest and ongoing conflicts. This situation isn’t going to just resolve itself; it’s likely to persist. I also consider the potential for major protests that could impact the infrastructure of our buildings and the safety of our staff as they come and go from the workplace. The ramifications of such events could be significant.”
Business continuity manager, professional services, UK

“Future concerns include war and conflicts, like the war in Gaza and Israel, and the situation in Ukraine and Russia. While the US has not deployed troops, many of our staff are part of our reserve organization and could be called up anytime, impacting our operations and workforce.”
Business continuity consultant, financial sector, USA

“Mental health is an important issue that comes to mind over the medium term. In our line of work, we often find ourselves in the midst of trauma, particularly when supporting carers who are overwhelmed by their responsibilities.”
Business continuity and governance consultant, charity, Australia

“With new legislation on psychological safety at work now in place in Australia, we’re also tasked with ensuring a safe and supportive workplace for our staff, physically and psychologically. It can be challenging, especially when the definition of what constitutes a psychologically safe environment remains unclear without legal precedence. This will definitely have some medium-term impact on the organisation.”
Business continuity and governance consultant, charity, Australia


Mixed approaches to investment in BC and resilience over 2025


The survey results reveal varied expectations regarding investment in business continuity (BC) and resilience
programs for 2025.

Approximately 26.1% of respondents plan to increase their investments to meet the needs of a growing
programme or new requirements, indicating an awareness of the evolving threat landscape.

Most interviewees stated that they were expecting more investment over 2025.

“In terms of investment, we do anticipate an increase moving into 2025. The budget for next year has already been agreed upon and is set higher than this year’s, due to the need for more training and exercises.”
Business continuity manager, professional services, UK

“I’m optimistic that there will be a significant upward shift in our budget for next year. I’m hopeful that local leadership recognises the critical need for more resources.”
Corporate emergency programme manager, public sector, Canada

“Our budget for next year will likely remain the same as this year. This is largely due to the nature of our funding; I have a relatively loose budget and a lot of management support. Recently, I’ve increased my departmental spending significantly and finance didn’t question it, which is a testament to the value we provide. As long as I can demonstrate value, I’ve yet to be turned down for funding.”
Admin director emergency preparedness and telecommunications, healthcare, USA

“I believe management recognises the critical importance of investing in business continuity and resilience. They understand that these investments strengthen the business and help achieve our targets, viewing them not merely as costs but as valuable contributions to our overall objectives.”
Group head of business resilience, multisector, Madagascar


The largest subset of respondents (47.8%), however, intends to maintain current investment levels, suggesting a focus on sustaining existing capabilities rather than expanding. Notably, 10.2% anticipate reduced investment, which could limit the scope and effectiveness of their programmes. This is understandable in the context of high inflation and a cost-of-living crisis where many organizations have reduced their budgets amidst competing priorities. Lastly, 8% of organizations still lack investment in BC or resilience initiatives, highlighting a potential vulnerability as threats continue to grow.

“The bottom line is that instead of focusing on improving our resilience, we’re facing potential budget cuts. The driving force behind this is the cost of living, housing crisis and increasing demand on social care, which is costing the organization millions.”
Emergency planning & response manager, public sector, UK

Figure 17. How will investment levels in BC/resilience programmes in 2025 compare to the current year in order to better prepare for the challenges/threats identified by your organization?

Investment will be increased to meet the needs of a growing programme or new requirements: 26.1%
Investment will be maintained at appropriate levels for the programme scope and position in the lifecycle: 47.8%
Investment will be reduced, limiting the scope or effectiveness of the programme: 10.2%
We don’t have investment in a BC/resilience programme: 8.0%
Unsure / Other: the remaining two segments (6.8% and 1.1%)


Annex


Survey dates: 5th - 30th August
Respondents: 111
Countries: 38
Sectors: 14
Respondent interviews: 12

Figure 18. Which of the following best describes your functional role?
[Pie chart. Response options:]
Business continuity
Risk management
Top management
Operational resilience
IT disaster recovery/IT service continuity
Emergency planning
Organizational resilience
Crisis management
Quality/business improvement
Information security
Consulting
Internal audit
Health and safety management
Physical security
Line of business or service directorate
Other


Figure 19. What sector does your company belong to?
[Pie chart. Response options:]
Financial & insurance services
Professional services
Public administration & defence
Health & social care
Manufacturing
IT & communications
Energy & utility services
Education
Retail & wholesale
Telecommunications
Engineering & construction
Support services
Charity
Transport & storage

Figure 20. Which region are you based in?
[Pie chart. Response options:]
Europe
North America
Asia
Africa
Australasia
Middle East
Latin America & The Caribbean


Figure 21. Approximately how many employees are there in your organization globally?

More than 100,000: 10.5%
50,001 - 100,000: 7.0%
10,001 - 50,000: 19.8%
5,001 - 10,000: 16.3%
1,001 - 5,000: 24.4%
501 - 1,000: 4.7%
251 - 500: 2.3%
101-250: 7.0%
51-100: 1.2%
21-50: 2.3%
11-20: 1.2%
1-10: 3.5%


About the authors


Rachael Elliott
(Knowledge Strategist, The BCI)
Rachael has twenty years’ experience leading commercial research within organizations
such as HSBC, BDO LLP, Marakon Associates, CBRE, and BCMS. She has particular
expertise in the technology and telecoms, retail, manufacturing, and real estate sectors.
Her research has been used in Parliament to help develop government industrial strategy
and the BDO High Street Sales Tracker, which Rachael was instrumental in developing, is
still the UK’s primary barometer for tracking high street sales performance. She maintains
a keen interest in competitive intelligence and investigative research techniques.

She can be contacted at rachael.elliott@thebci.org

Maria Florencia Lombardero Garcia
(Thought Leadership Manager, The BCI)
Maria has over 15 years of experience in academic and market research and has been
responsible for the design and implementation of a wide range of policies within public
and private organizations such as the Argentine Ministry of Defence, RESDAL, and BMI
(Fitch Group). She has served as a policy advisor and political analyst at the Argentine
Ministry of Defence and coordinated the Argentine National Security Council’s Office.
She has particular expertise in geopolitical risk, defence, and intelligence and her work
has been applied to develop government defence strategies and draft legislation on the
matter. Her areas of interest relate to open-source research and how geopolitics impacts
resilience within organizations.

She can be contacted at maria.garcia@thebci.org

Gianluca Riglietti
(Content Specialist in Business Continuity and Resilience)
Gianluca is a researcher and a freelance content creator interested in the development
of resilient and safe societies. He has experience managing international research
projects for companies such as BSI, Zurich, Everbridge, and SAP. He works regularly
with a number of organizations in the field of organizational resilience, such as the BCI.
In his publications he has addressed a wealth of topics, such as climate change, cyber
security, supply chain management, and business continuity. He is also a PhD candidate
at Politecnico di Milano, where he investigates the impact of business continuity
management on supply chain resilience.
He can be contacted at SCWF@protonmail.com.


About the BCI


Founded in 1994 with the aim of promoting a more resilient world, the BCI has
established itself as the world’s leading institute for business continuity and resilience.
The BCI has become the membership and certifying organization of choice for
business continuity and resilience professionals globally with over 9,000 members in
more than 100 countries, working in an estimated 3,000 organizations in the private,
public, and third sectors. The vast experience of the Institute’s broad membership
and partner network is built into its world class education, continuing professional
development, and networking activities. Every year, more than 1,500 people choose
BCI training, with options ranging from short awareness raising tools to a full academic
qualification, available online and in a classroom. The Institute stands for excellence
in the resilience profession and its globally recognised Certified grades provide
assurance of technical and professional competency. The BCI offers a wide range of
resources for professionals seeking to raise their organization’s level of resilience and
its extensive thought leadership and research programme helps drive the industry
forward. With approximately 120 partners worldwide, the BCI Corporate Membership
offers organizations the opportunity to work with the BCI in promoting best practice in
business continuity and resilience.
The BCI welcomes everyone with an interest in building resilient organizations from
newcomers, experienced professionals, and organizations. Further information about
The BCI is available at www.thebci.org.
Contact The BCI +44 118 947 8215 | bci@thebci.org
9 Greyfriars Road, Reading, Berkshire, RG1 1NU, UK

About Noggin
Noggin, a Motorola Solutions Company, is a global provider of critical event
management & resilience software. Its software helps enterprises, government
agencies, and critical infrastructure anticipate, prepare for and efficiently respond to
incidents. Noggin’s integrated platform offers flexible workflows and checklists, built-in
maps and situational awareness dashboards to help streamline incident management
and strengthen business resilience.

References
1. www.pwc.com/gx/en/services/forensics/economic-crime-survey.html
2. The BCI Horizon Scan risk score is calculated by considering the number of times an event has occurred (analysing incidents in the past year) or the likelihood of an event occurring over the following year (threats for the following year), assigning these values a number and multiplying it by whether the impact was/will be minor (by 1), moderate (by 2), major (by 3) or extreme (by 4).
3. www.acfe.com/-/media/files/ACFE/PDFs/RTTN/2024/Infographics/Key-Findings.pdf
4. Ibid.
5. Ibid.
6. www.eba.europa.eu/sites/default/files/2024-08/465e3044-4773-4e9d-8ca8-b1cd031295fc/EBA_ECB%202024%20Report%20on%20Payment%20Fraud.pdf
7. www.weforum.org/agenda/2024/04/interpol-financial-fraud-scams-cybercrime/
8. Ibid.
9. www.cm-alliance.com/cybersecurity-blog/september-2024-major-cyber-attacks-data-breaches-ransomware-attacks#Malware
10. Ibid.
11. uptimeinstitute.com/resources/research-and-reports/annual-outage-analysis-2024
12. Ibid.
13. CNN Business. “CrowdStrike CEO Explains Costly Outage Impact.” CNN, 21 July 2024, edition.cnn.com/2024/07/21/business/crowdstrike-outage-cost/index.html. Accessed 14 Oct. 2024.
14. Ibid.
15. Reuters. “Without Backup Plans, Global IT Outages Will Happen Again.” Reuters, 19 July 2024, https://www.reuters.com/technology/without-backup-plans-global-it-outages-will-happen-again-2024-07-19/. Accessed 14 Oct. 2024.
16. Buckle, Simon J., et al. “Global Supply Chain Pressures, Inflation, and Implications for Monetary Policy.” VoxEU, 7 July 2024, cepr.org/voxeu/columns/global-supply-chain-pressures-inflation-and-implications-monetary-policy. Accessed 14 Oct. 2024.
17. cepr.org/voxeu/columns/drivers-post-pandemic-inflation
18. www.spglobal.com/marketintelligence/en/news-insights/latest-news-headlines/operating-expenses-take-a-bigger-share-of-us-corporate-revenues-in-q4-2023-80690728
19. www.cnbc.com/2023/09/14/more-companies-warn-higher-costs-will-eat-into-profits.html
20. Ibid.
21. www.global-monitoring.com/en/corporate/risk-map/
22. www.prio.org/about
23. Ibid.
24. “Maersk’s European Business Continuity Plan in Response to COVID-19.” Maersk, 21 Mar. 2020, www.maersk.com/news/articles/2020/03/21/maersk-europe-business-continuity-plan-covid-19. Accessed 14 Oct. 2024.
25. “Remote Work Statistics: 2023 Trends and Insights.” Forbes, 2023, www.forbes.com/uk/advisor/business/remote-work-statistics/. Accessed 14 Oct. 2024.
26. Friedman, Victor. “How Generative AI Can Boost Highly Skilled Workers’ Productivity.” MIT Sloan Management Review, 2023, mitsloan.mit.edu/ideas-made-to-matter/how-generative-ai-can-boost-highly-skilled-workers-productivity. Accessed 14 Oct. 2024.
27. ISO. “Crisis Management — A Guide to Crisis Management.” International Organization for Standardization, 2024, www.iso.org/iso-22301-business-continuity.html. Accessed 14 Oct. 2024.
28. www.thebci.org/resources/cyber-resilience-report-2024.html
29. Ibid.
30. www.thebci.org/resources/extreme-weather-and-climate-risk-report-2024.html
31. Ibid.
32. home-affairs.ec.europa.eu/policies/internal-security/counter-terrorism-and-radicalisation/protection/critical-infrastructure-resilience-eu-level_en
33. www.homeaffairs.gov.au/reports-and-publications/submissions-and-discussion-papers/protecting-critical-infrastructure-systems
34. www.aoshearman.com/en/insights/ao-shearman-on-data/hong-kong-proposes-new-critical-infrastructure-cybersecurity-law
35. www.thebci.org/news/crisis-leadership-report-bci-white-paper-q3-2022.html
36. www.uoc.edu/en/news/2023/163-natural-disasters-social-media
37. joint-research-centre.ec.europa.eu/jrc-news-and-updates/new-open-source-software-decrypts-social-media-messages-help-manage-risks-and-disasters-2022-06-20_en
38. www.thebci.org/resource/bci-technology-in-resilience-report-2023.html
39. “Cambiamento Climatico: L’Attualità Entra Nelle Norme dei Sistemi di Gestione.” Accredia, 15 Mar. 2024, www.accredia.it/2024/03/15/cambiamento-climatico-lattualita-entra-nelle-norme-dei-sistemi-di-gestione/. Accessed 14 Oct. 2024.
