FAQ: What Does Business Continuity and Resilience Look Like in 2030?


Since 2020, the continuity and resilience process and its targeted outcomes have transformed significantly. Key changes that have already taken place and continue to evolve include:

  1. Scope – in terms of what’s protected and the type of disruptive events addressed.
  2. Roles and responsibilities – executive leadership is more involved, and the business is taking direct responsibility for the implementation and maintenance of resilience capabilities.
  3. Coordination with different risk disciplines to manage risk – including the shared use of organizational hierarchies, terminology, and risk measurement techniques.
  4. The use of technology – transitioning from a document repository to features that identify vulnerabilities and aid in response.

So, where does that lead us in the future? I spent time envisioning what’s next, focusing on the transformation leading up to 2030. In addition to even more regulatory requirements and increased customer expectations for mature, well-rehearsed continuity and resilience programs, here are my top ten predictions.

10 Predictions for Business Continuity in 2030

1. Resilience Will Be Baked into the Business

Today, few executives disagree with the importance of organizational resilience to respond and adapt to any form of crisis. But executives are beginning to question the effectiveness of retroactively bolting resilience onto the go-to-market strategy. In other words, executives prefer building in redundancy or substitution upfront rather than building a recovery strategy.

To align with expectations, resilience should be baked into all change initiatives and proactively address vulnerability to disruption by 2030. Rather than solely being the business continuity team’s responsibility, it will be everyone’s responsibility to ensure a state of resilience.

As a result, it will be difficult to point to a single person accountable for resilience, although it will ultimately be the organization’s top executive. That person will delegate responsibility to all managers to build and maintain resilience. If this is the future, what does that mean for the business continuity professional?

2. The Business Continuity Professional Will Shift Focus

In many organizations, this next prediction is already taking shape. By 2030, the role of the business continuity professional will shift from doer to coach and advisor. Much of the doer role will shift to the owner of the risk – like the business process owner or someone in a specialty area like procurement.

The business continuity professional will:

  • Guide executives through strategic decision-making when it comes to resilience
  • QA the work performed by the business
  • Search for unacceptable vulnerability
  • Ensure the organization is well-rehearsed in disruption response
  • Participate in or lead the response to any form of crisis – bringing the right people together to minimize impact

3. There Will Be a New Form of Situational Awareness

Many organizations monitor threat data for advanced warning to respond faster and minimize impact. The same sources of threat intelligence can be used to assess trends and influence decisions that proactively “bake in” resilience. But threat intelligence is only one form of situational awareness and there’s opportunity for additional input.

Resilience leaders will need to know the controls put in place for the viability and continuity of the go-to-market strategy and have the ability to monitor how effectively those controls operate. These actions can serve as a predictor of failure.

The focus on controls involves tight, strategic coordination with GRC, ERM, and other risk management disciplines. By 2030, situational awareness will become a combination of threat intelligence and controls monitoring – ultimately serving as a more comprehensive means of predicting disruption than we see today.

4. AI Automation for Observation Will Rise

Traditional business continuity methods – BIA, risk assessment, strategy identification, plan documentation, and exercise – further a “bolt-on” approach to continuity and resilience, which often fails to meet executive leadership expectations. However, many of the outcomes of traditional methodology are still necessary to uncover vulnerability.

As such, many of the traditional elements of business continuity will not disappear but become automated through usage of different forms of artificial intelligence. For example, generative AI may document the “first draft” of a BIA or business continuity plan, or perhaps AI will assist with recommending controls or a recovery strategy. From there, dedicated business continuity professionals and business leadership can observe the outcomes and act based on highlighted vulnerabilities.

5. The Digital Model of the Organization Will Become a Necessity

The trend towards creating a digital model of the organization is already underway. One key outcome from the automation is the creation and maintenance of a digital model of the organization. The digital model is defined as an inventory of upstream and downstream dependencies and everything in between, such as business processes, locations, applications, information, suppliers, and channels. And in some cases, it’s a collection of information, attributes, and relationships.

For example, let’s say your organization fell victim to a cyberattack. Leadership needs to understand servers and infrastructure affected, what to shut down following the onset of the attack, hosting locations, what applications the infrastructure was tied to, downtime tolerance for the business for each affected application, and if a product/service was impacted. Generating this type of report requires looking across multiple interconnected datasets – infrastructure, applications, application dependencies, processes, and products/services.

Because you can’t predict every form of disruption or plan for every scenario, the digital model can be queried before or during a disruption to search for vulnerabilities that may need to be addressed in real time.

The result is simple – teams charged with leading the response and recovery effort will now have the information necessary to drive adaptability. See my article for Disaster Recovery Journal titled “Are Business Continuity Plans Still Relevant?” or my previous article here on LinkedIn “FAQ: What Were the Trending Topics of 2023?” for further reading.

6. Vulnerability Will Be Redefined

As a business leader or business continuity professional, imagine firing up your laptop on a Monday morning and typing this question: “In terms of business continuity and resilience, what should I be working on this week?”

Instead of being told to review and approve a business impact analysis, you receive this reply:

As the person responsible for Business Line Z, you should be aware that over the weekend, Supplier X warned investors it is evaluating the need to file for bankruptcy. This supplier appears to be the only provider of Product Y and a strategy to source Product Y from another provider is not documented. Supplier X’s failure is likely to result in a disruption to Business Line Z’s primary revenue source within two weeks following Supplier X’s inability to supply Product Y.

Before a system can provide this form of intelligence, the organization will need the information found in the digital model of the organization and an understanding of its vulnerabilities. By 2030, the definition of vulnerability will be universally accepted as a single point of failure without a known recovery strategy – alternate or substitute.
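The kind of query predictions 5 and 6 describe, as an added example that is not from the article or any vendor product: a small dependency model is queried for what a failed component reaches and for single points of failure with no documented recovery strategy. The node names, tolerances, and strategies are constructed, and the model assumes every listed dependency is required.

```python
from collections import deque

# Constructed sample model (not from the article):
# node -> (type, downtime tolerance in hours, documented recovery strategy)
NODES = {
    "srv-db-01":       ("server", None, None),
    "srv-web-01":      ("server", None, "fail over to standby host"),
    "Billing App":     ("application", 4, "restore at DR site"),
    "Order Portal":    ("application", 8, "restore at DR site"),
    "Supplier X":      ("supplier", None, None),
    "Supplier W":      ("supplier", None, "secondary contract in place"),
    "Invoicing":       ("process", 24, "manual invoicing"),
    "Fulfilment":      ("process", 12, "manual order entry"),
    "Business Line Z": ("product", 48, None),
}
# dependent -> the nodes it cannot run without (assumption: all are required)
DEPENDS_ON = {
    "Billing App":     ["srv-db-01"],
    "Order Portal":    ["srv-web-01", "srv-db-01"],
    "Invoicing":       ["Billing App"],
    "Fulfilment":      ["Order Portal", "Supplier X", "Supplier W"],
    "Business Line Z": ["Invoicing", "Fulfilment"],
}

def blast_radius(failed):
    """Return every node that directly or transitively depends on `failed`."""
    dependents = {}
    for node, deps in DEPENDS_ON.items():
        for dep in deps:
            dependents.setdefault(dep, []).append(node)
    seen, queue = set(), deque([failed])
    while queue:
        for parent in dependents.get(queue.popleft(), []):
            if parent not in seen:
                seen.add(parent)
                queue.append(parent)
    return seen

def impact_report(failed):
    """Summarize what a failure reaches and the tightest downtime tolerance hit."""
    hit = blast_radius(failed)
    def by_type(kind):
        return sorted(n for n in hit if NODES[n][0] == kind)
    hours = [NODES[n][1] for n in hit if NODES[n][1] is not None]
    return {"applications": by_type("application"), "processes": by_type("process"),
            "products": by_type("product"), "tightest_tolerance_h": min(hours, default=None)}

def unmitigated_spofs():
    """Nodes something relies on that have no documented recovery strategy."""
    relied_on = {dep for deps in DEPENDS_ON.values() for dep in deps}
    return sorted(n for n in relied_on if NODES[n][2] is None)
```

Here the shared database server and Supplier X come back as the unmitigated single points of failure, and the report for the database server shows a 4-hour tolerance being the first one breached.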

7. Success Will Be Measured Based on What’s Acceptable

Unfortunately, today the measure of business continuity success or quality is often based on the completion of activities like BIAs, plans, and exercises. By 2030, the single measure of success for continuity and resilience will be that no matter what threats materialize, organizations can adapt and restart product and service delivery within an agreed-upon downtime or impact tolerance.

In other words, the true measure of continuity and resilience will be product and service downtime potential, regardless of the cause of disruption. Even further, perhaps a second success measure will be the quality of the product and service output throughout the disruption.

As such, the organization and all integrated risk management participants must have a universal understanding of the organization’s risk appetite and how it measures risk consistently.

8. Any Form of Disruption Will Be in Scope

Remember when Silicon Valley Bank failed? Unfortunately, few business continuity professionals viewed this failure as something they should have predicted, and many don’t think this was the type of crisis they could have led a response to. Many felt that a liquidity or capital availability issue isn’t an in-scope scenario for the “typical” business continuity program. Is that really the right answer?

Referring to the conversation around controls thinking and coordination with other risk disciplines – should there ever be a disruptive event that’s deemed “out of scope” for business continuity? I would argue no. By 2030, systems should help identify disruptive events, the controls that are in place to alert, and the current-state vulnerabilities.

Now, there are some prerequisites for this change of scope to occur. First, resilience must be the business’s responsibility, and business leaders must act to mitigate the risk of disruption and participate in the response. Second, the business continuity professional should fully transition to the role of coach without responsibility for leading the mitigation and response efforts.

Overall, forecasting and prediction are still a good investment, especially for forms of disruption that are highly frequent. However, since not all forms of disruption can be predicted, a nimble and agile response process will become increasingly important for any resilient organization.

9. Practice Will Evolve

Although technology can automate many traditional business continuity methods, one action that can’t be fully automated is gathering to practice crisis response and triggering appropriate recovery strategies.

Practicing – through tests and exercises – will evolve to manage both immediate impact and the risk of an escalating crisis. This idea of cascading crisis or aftershock impacts from an initial event is a newer, broader way of looking at disruption. One of our partners, OnSolve, talks about the concept of “Dynamic Risk” similarly.

Practice sessions will evolve from once-a-year scripted events to more frequent, unscripted sessions that build skills, create confidence, and identify improvement opportunities.

Taken one step further, leadership teams will be increasingly involved and bought in to practice managing crises. True crisis management capabilities that are well-developed, socialized, practiced, and aided by automation are essential to the future of resilience.

10. Technology Will Be a Driver

Many of the 2030 predictions I’ve noted so far include a technological element. So, it’s worthwhile to end with a technology innovation recap. Business continuity and resilience solutions are already evolving to become a source of intelligence for driving preparedness, rather than a passive supporting resource.

By 2030:

  • The digital model of the organization will update in real-time and suggest acceptable forms of risk treatment that align to the risk appetite and success of others in the industry.
  • The digital model of the organization, combined with public information, will help identify X-party dependencies and relationships and marry this information with threat intelligence to provide an effective early warning system.
  • Technology will manage the closure of corrective actions and opportunities for improvement and self-identify issues to suggest a priority based on business impact and budget constraints.
  • When a disruption is imminent or has already occurred, the technology will suggest what to do, who to involve, and how the situation could worsen.

While I don’t have a crystal ball, these predictions are shaped by the shifts I’m seeing in day-to-day interactions with business continuity professionals. I’d love to hear your thoughts on where business continuity and resilience is headed in the next five or more years. We can’t predict everything, but we should be prepared.

Fritz Hesse

Chief Technology Officer at Riskonnect

7 months ago

A robust operational resilience framework insulates your ambitions from unplanned risks. Ahead of our seminar on 18th April, this is a fantastic read from my colleague Brian Zawada on the 10 Predictions for Business Continuity and Resilience in 2030.

Eric Staffin

Internal and External Cyber Defense & Risk Management Leader | Board, ERM, CISO, CIO, PE & Venture Capital Advisor and Operating Executive | Former CISO, Chief Risk Officer and Chief Resilience Officer

7 months ago

Many of the predictions look reasonable but unless a) budget $ increase in classically underfunded BCM functions, b) BCM professionals develop a much keener and practical knowledge base in cyber and risk, and c) the practices and curriculum of the various certification orgs change dramatically, the shift will not include today’s business continuity professionals. Relatedly (and drilling into one of the insights), if Generative AI is expected to replace SMEs in constructing the BIA and risk assessment, the LLMs underpinning such a shift will need to be trained by multi-domain skilled leaders who understand the business context and varied threat and risk pairings internally, externally and across interconnected global companies and supply chains. Those skills are in seriously short supply.

Harsha Sastry

Certified ESG Expert : Personal Resilience Guardian : MBCP(DRII, USA) : Speaker : Author : 'The Continuity Moment Insight'- Invest -> Imbibe-> Initiate -> Introspect -> Innovate' : CCIO

8 months ago

Brian Zawada, great future insights for the #businesscontinuityplanning community. These are indeed the highlight attributes of how the #businesscontinuity #professionals will navigate in their #future roles. Many are on the threshold of a few of these; however, the #acceleration will #rise as we all #progress. Thanks for sharing.

Daniella Fraser

Risk & Resilience Advisor

8 months ago

Really enjoyed reading this Brian!

Krysta Broughton-Munford

Senior Operational Resilience Manager at Bupa | Vice Leader BCI WiR | Winner - BCI Europe Award ‘24 | CIR Award ‘24 Finalist | Great British Businesswoman Finalist | Speaker | Mother | Author of #bitchesintheboardroom

8 months ago

A really insightful read Brian Zawada, thank you for sharing your predictions and I personally support all of these. If I could contribute an 11th item, I’d add something around resilience at the leadership level - C-suite or Exec equivalent. For the ‘baking in’ to truly take effect and have the desired impact and influence, I think that resilience needs to be recognised and resourced throughout the organisation and this includes at the very top. I’m hopeful of seeing this happen even before 2030, so let’s watch this space!
