In this white paper:
- Are you aware of the vulnerabilities in your company?
- How much do you know about your supply chain?
- Can you improve its management?
- How can you limit the damage incurred as a result of business interruption?
Know your vulnerabilities
One in five companies does not have a business continuity plan. This points to a deeper problem: organisations systematically underestimate their own vulnerabilities. Business continuity management (BCM) is often equated with disaster recovery plans, but the real starting point is an honest insight into your organisation’s internal vulnerabilities.
Most business interruptions are caused by internal failures: short circuits, staff absences, IT outages, or even a fire. And too many entrepreneurs are convinced that such risks won’t affect them. This kind of “it won’t happen to us” mentality constitutes a dangerous blind spot.
Take control
Effective business continuity starts with taking responsibility. Too many organisations passively wait for external parties (insurers, regulators, consultants) to tell them what to do, rather than taking control of their own risks. Without risk there is no business, you could argue; but risks have to be faced and made explicit.
Establish your weaknesses
To appreciate what your vulnerabilities are, you first need to know what you depend on. Many companies, for example, do not fully understand their own operational footprint. An effective vulnerability analysis covers five core areas:
- Processes and activities: Which activities and assets are indispensable for the provision of your services? What must always continue, even in a crisis?
- People and knowledge: Which of your employees have unique knowledge? And what will happen if your IT specialist, sales manager, or production manager is no longer available?
- Technology and data: Which systems, applications, and data connections are you completely dependent on? And how quickly would you notice if something stopped working?
- Facilities and resources: What would happen if your office, warehouse, or production facility were to become inaccessible? Do you have alternatives?
- External parties: Which of your suppliers are indispensable? Would the failure of one software supplier paralyse your entire organisation?
This analysis often exposes surprising dependencies: an SME in which just one person holds all the crucial knowledge, a manufacturer that is wholly dependent on one supplier, or a service provider whose cloud strategy has no fallback.
Ask uncomfortable questions
Real vulnerabilities become apparent when the right questions are asked.
- What are we not prepared for? What questions make us feel uncomfortable because we don’t have the right answers?
- Who are our critical employees? If person X becomes unavailable, which processes will be impacted?
- Do we have a single point of failure? That one system, that particular supplier, or that one location about which everyone agrees: “If that fails, we have a problem.”
- Have we considered alternatives for critical company assets and/or processes?
- Have we ignored any near misses? Those times that we got by, but only just. And what did we then learn about our weaknesses?
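The five-area dependency analysis above and the single-point-of-failure question become much sharper once the dependencies are written down and checked mechanically rather than from memory. The following is an added example, not part of the Riskonet white paper: a small Python model in which each critical process lists its requirements, each requirement lists the alternatives that can satisfy it, and supporting assets can have dependencies of their own. Every company, process, asset and supplier name in it is constructed for illustration. The analysis fails one asset at a time and reports which critical processes stop, which surfaces dependencies hidden behind apparent redundancy (two warehouses that share one internet uplink, for example).

```python
"""Single-point-of-failure analysis over a dependency map.

Added illustrative example; all names below are constructed, not taken
from a real organisation or from the white paper.
"""
from typing import Dict, Iterable, List, Set

# A node needs every requirement satisfied; a requirement is satisfied
# as long as at least one of its alternatives is still available.
DependencyMap = Dict[str, List[Set[str]]]

DEPENDENCIES: DependencyMap = {
    # Critical processes and what they need (constructed)
    "order-fulfilment": [{"erp"}, {"warehouse-A", "warehouse-B"}, {"logistics-supplier"}],
    "production": [{"erp"}, {"plant-1"}, {"component-X-supplier"}, {"production-manager"}],
    "customer-support": [{"ticketing-saas"}, {"support-team"}],
    # Supporting assets and their own dependencies (constructed)
    "erp": [{"datacentre", "cloud-region-1"}, {"it-specialist"}],
    "ticketing-saas": [{"internet-uplink"}],
    "warehouse-A": [{"internet-uplink"}],
    "warehouse-B": [{"internet-uplink"}],
    "plant-1": [{"power-grid"}],
}

CRITICAL_PROCESSES = ["order-fulfilment", "production", "customer-support"]


def all_nodes(dep_map: DependencyMap) -> Set[str]:
    """Every name that appears anywhere in the map, including leaf assets."""
    nodes = set(dep_map)
    for requirements in dep_map.values():
        for alternatives in requirements:
            nodes |= alternatives
    return nodes


def available(node: str, failed: Set[str], dep_map: DependencyMap,
              visiting: Set[str] = None) -> bool:
    """True if `node` still works while every name in `failed` is down."""
    if node in failed:
        return False
    if node not in dep_map:          # leaf asset with no modelled dependencies
        return True
    visiting = set() if visiting is None else visiting
    if node in visiting:             # a cycle means the model itself is wrong
        raise ValueError(f"cyclic dependency through {node!r}")
    visiting.add(node)
    try:
        return all(
            any(available(alt, failed, dep_map, visiting) for alt in alternatives)
            for alternatives in dep_map[node]
        )
    finally:
        visiting.discard(node)


def impact(failed: Iterable[str], dep_map: DependencyMap = DEPENDENCIES,
           processes: List[str] = CRITICAL_PROCESSES) -> List[str]:
    """Critical processes that stop when the given names fail together."""
    down = set(failed)
    return sorted(p for p in processes if not available(p, down, dep_map))


def single_points_of_failure(dep_map: DependencyMap = DEPENDENCIES,
                             processes: List[str] = CRITICAL_PROCESSES) -> Dict[str, List[str]]:
    """Map each asset whose failure alone stops at least one critical process."""
    spof: Dict[str, List[str]] = {}
    for node in sorted(all_nodes(dep_map) - set(processes)):
        hit = impact({node}, dep_map, processes)
        if hit:
            spof[node] = hit
    return spof


if __name__ == "__main__":
    for asset, processes in single_points_of_failure().items():
        print(f"{asset:22s} -> stops {', '.join(processes)}")
    # Redundancy only helps if both alternatives can fail independently:
    print("datacentre + cloud-region-1 together ->", impact({"datacentre", "cloud-region-1"}))
```

In the constructed data the two warehouses look redundant, but the analysis reports `internet-uplink` as a single point of failure for both order fulfilment and customer support, while `datacentre` and `cloud-region-1` are individually harmless because the ERP can run on either. The same table can be extended with people (the "if person X becomes unavailable" question) and suppliers, and re-run after every organisational or IT change.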
Start today
Your business continuity is in your own hands. As soon as you know your vulnerabilities, you can take action.
The first steps
- Put continuity on the management agenda.
- Identify your critical dependencies.
- Make your vulnerabilities visible.
- Check whether you can reduce your dependencies and vulnerabilities.
- Think about alternatives.
- Set up a vulnerabilities team.
- Plan a contingency drill.
Risk management is a bespoke approach; it is certainly not a panacea. The secret lies in finding the optimum balance: frameworks that provide the necessary stability without oversimplifying reality. True resilience won’t be achieved with the flawless execution of an external checklist, but by gaining deep insight into your organisation. Acknowledging your weaknesses will enable you to make the necessary improvements. And managing your dependencies will allow you to develop alternatives.
He who maintains a firm grip on the wheel will navigate more safely through every storm.
Internal risks: priority number one
What companies underestimate the most can often pose the greatest threat. While organisations ready themselves for possible cyberattacks, natural disasters, and geopolitical crises, a looming disaster is usually somewhat closer to home. Effective BCM starts with managing what can happen in your immediate environment.
Allianz research shows that, after fire and natural disasters, poor maintenance and technical failures are the next largest cause of major business damage worldwide, accounting for 14 per cent of the total. A malfunctioning machine, a short circuit, or human error can be just as devastating as a flood. But with one crucial difference: it will only affect you, and not your competitors.
Recent statistics underscore this reality. Last year, for example, commercial fires alone were up by 23 per cent, with approximately a quarter of affected agricultural and logistics businesses losing entire buildings. About half of all businesses that suffer a major fire go bankrupt within two years. Most fires are the result of human error (24 per cent) and short circuits (22 per cent). With proper preparation, however, these are largely manageable risks.
Four contingencies that could happen tomorrow
Industrial accidents
A refinery is hit by a fire that, despite being quickly extinguished, results in weeks of downtime. Although no one is injured and the fire is quickly brought under control, all production has to be stopped to carry out repairs and safety checks.
Lesson learned: Even with well-trained teams and modern facilities, “simple” operational errors can have catastrophic repercussions.
IT outage
A railway operator is affected by an IT outage that brings nearly all train services to a standstill. As a result of the failure of the scheduling system, the operator has no overview of the locations of its trains and personnel. In the ensuing evaluation, the operator concedes that it was insufficiently prepared for such a prolonged IT outage.
Lesson learned: No organisation is immune to technical failures. Proactive measures — ranging from redundant systems to comprehensive backups and rapid escalation procedures — are what make all the difference between limited disruption and operational chaos.
Staff shortage
During the coronavirus pandemic, 45 employees at a meat processing plant test positive, some 20 per cent of the workforce. The authorities close the slaughterhouse immediately. In one fell swoop, production grinds to a halt, and suppliers have to send their livestock to other facilities. Insufficient social distancing accelerates the outbreak through the plant, and the company has neither adequate plans for an outbreak of a major illness nor alternative work schedules.
Lesson learned: The availability of key personnel is often underestimated as a risk factor. To keep critical operations running when staff suddenly become unavailable, companies must think about backup staffing, cross-training, and rotation schedules.
Infrastructure failure
A fire breaks out at a supplier, as a result of which a critical component – needed both for the assembly of new machines and for the maintenance of existing ones – cannot be delivered. Given the extent of the damage, it could take several months for the supplier to resume production. The company takes immediate action. Across the global organisation, an inventory is made of how many units of the critical component are still in stock. The research department assesses how long the component can function without failure and develops a plan to overhaul and temporarily redeploy existing parts. Thanks to the collaboration between logistics, supply chain, and engineering, there is no production downtime whatsoever – the result of effective crisis management and local cooperation.
Lesson learned: Because a structural problem can manifest itself unexpectedly, an up-to-date contingency plan and strong partnerships make all the difference between a one-day inconvenience and several months of disruption.
Why internal risks should be your priority
If a volcano erupts or a cyberattack impacts the entire sector, everyone shares the pain. But if it’s just your factory that burns down, your IT that crashes, or your key personnel that are out of the running, it is only you that is affected. Your competitors will then be only too pleased to take over what were your customers.
Reflect on your situation:
- What would constitute the greatest risk in your organisation in a similar incident?
- Which systems or processes depend completely on a single risk factor?
- Who plays a key role in your organisation, and has no backup?
- When did you last test your crisis plan?
A business interruption that is due to internal causes can immediately cost you market share, damage your reputation, and deplete your financial reserves. Yet internal risks are usually more manageable than external disasters. You can improve fire safety, for example, build in IT redundancy, optimise staffing plans, and think about alternatives beforehand.
He who manages internal vulnerabilities has less to fear from external threats.
External threats
While most business disruptions originate internally, external threats can hit your organisation just as hard. The difference is that they are beyond your direct control. During the past few years, we’ve seen just how vulnerable our interconnected world has become.
A blocked shipping canal, infrastructure sabotage, cyberattacks, or geopolitical tensions – your supply chain and business operations are only ever as strong as their weakest link. The issue then isn’t “whether” you’ll be affected by external factors, but “when”. And how well prepared you are.
Four recent external threats that were game changers
1. Supply chain chokepoints: Suez
In March 2021, the 400-metre-long container ship Ever Given became wedged in the Suez Canal. For six days, the vessel blocked this shipping artery, holding up an estimated US$9 billion worth of goods per day. More than 400 ships had to either wait or reroute around Africa – a detour of over a week.
The impact was huge. IKEA had 110 containers on board and saw deliveries to its European stores delayed. Car manufacturers, already struggling with microchip shortages, faced the prospect of production shutdowns within a week. And retailer Aldi reported that promotional items would not arrive in its stores until weeks later.
Lesson learned: While modern supply chains are efficient, they are fragile. Many organisations underestimate how dependent they are on a few transport routes or logistical hubs.
2. Geopolitical infrastructure crisis
The sabotage of the Nord Stream pipelines, in September 2022, hit the finances of many European companies hard. Despite the fact that the pipelines were at the time barely operational, the attack eliminated any possibility of restoring Russian energy supplies. Multinational chemical company BASF’s energy costs increased by €3.2 billion, while fertiliser producer, Yara, had to scale back ammonia production to 35 per cent of capacity. Energy-intensive companies were forced to relocate their production to cheaper regions.
Lesson learned: Geopolitical tensions can sometimes translate directly into operational costs. Energy sovereignty changed from an abstract concept into an acute business threat.
3. Systemic cyber attacks
The wave of ransomware in 2024 and 2025 demonstrated how cyber attacks have reached a new dimension. Following one such attack, Marks & Spencer suspended online orders for 46 days, at an estimated cost of £300 million in operating profit.
CDK Global, a software provider that serves the automotive industry, looked on helplessly as thousands of car dealerships across North America lost the use of their systems. The attack resulted in an estimated US$605 million in losses for dealers in just two weeks. Even more serious was the attack on Change Healthcare, which processes healthcare payments in the US. In this case an estimated US$100 million in payments were delayed every day. With the system down, patients had to pay healthcare bills from their own pockets.
Lesson learned: Digitalisation creates new single points of failure. An attack on one software supplier can cripple thousands of downstream customers at once, none of whom had any say in that supplier’s security.
4. Sabotage of critical infrastructure
Since 2022, undersea cables in the Baltic Sea that carry internet and power connections have repeatedly been damaged. In December 2024, the Estlink 2 power cable between Finland and Estonia failed simultaneously with four telecom cables. It was hardly a coincidence: an oil tanker linked to Russia’s shadow fleet was suspected of having dragged its anchor up to 100 kilometres across the seabed. Redundant connections meant that a complete internet outage was avoided, but electricity prices in Estonia rose by 10 per cent during the recovery period, and financial institutions, cloud providers, and logistics companies were hit by delays and higher costs.
Lesson learned: Critical infrastructures are being weaponised in international conflicts. Companies that depend on international data or energy connections risk being drawn into geopolitical games.
Secondary perils: the underestimated threats
In addition to the aforementioned headline-grabbing incidents, the number of secondary perils – local natural phenomena such as flooding, hail, and landslides that cause significant business damage – is also increasing. Reinsurers report a clear increase in such regional disasters that directly affect business premises.
From external threats to internal resilience
External threats have one thing in common: you cannot prevent them. You can, however, influence their impact on you by being well prepared. The companies that best weathered the Ever Given crisis, the energy crisis, and the major cyberattacks shared three characteristics:
- Diversification: They had alternative suppliers, transport routes, and energy sources. Companies that were able to switch quickly to alternative routes or local suppliers during the Suez blockage maintained their delivery reliability, while their competitors suffered weeks of delays.
- Quick decision-making: They had the means to opt for alternatives quickly. CDK Global, for example, reportedly paid the ransom early and coordinated its recovery around that decision. Even so, its dealers were down for roughly two weeks, and paying a ransom guarantees neither working systems nor the deletion of stolen data; the speed lay in having a decision path ready, not in the payment itself.
- Contingency planning: They had thought about “what if” situations and put concrete contingency plans in place. This made all the difference between chaos and a controlled response.
As has been described in the previous chapters, preparation begins by having a thorough understanding of your own organisation. It is only when you know your internal vulnerabilities that you can effectively parry external threats.
Consider your external vulnerabilities
- On which international connections (transport, energy, data) do you depend?
- How would a disruption in your most important supplier affect your production?
- What kind of geopolitical tensions could impact your sector or region?
- Do you have alternatives for your most important suppliers and routes?
- Is the location of your company susceptible to local natural phenomena?
The world is not becoming a less complex place, geopolitics are not becoming more stable, and supply chains are not becoming more robust. But companies that invest in resilience — through diversification, contingency planning, and rapid-response ability — can not only survive external shocks, they will emerge from them even stronger.
While your competitors navigate chaos, you have already charted a course to recovery.
What is Business Continuity Management?
Business Continuity Management (BCM) is the ability to respond to the cause of a disruption and recover from its repercussions. It’s about not only having a plan B, but also the ability to execute it.
We define an event here as “an incident that can cause loss and emergency situations”, or as “a change in circumstances that poses a threat to business operations”. In a region that is predisposed to earthquakes — such as Turkey, for example — an earthquake would be the greatest natural risk. In the Netherlands, it would be flooding, and in recent years, possibly even drought.
A (non-exhaustive) list of events and situations that have major repercussions:
- personnel churn;
- strike or lockout;
- terrorism;
- natural disasters (earthquakes, floods, droughts);
- fire;
- defective machines;
- supply-chain problems;
- changes in legislation;
- data-processing or -loss incidents.
These are all events and situations that reinforce the need for a business continuity plan and being well prepared for unforeseen circumstances.
BCM should preferably not be a thick manual in the director’s office that details in minutiae all the steps to be taken in the event of a disaster. Reality has a habit of surprising us. BCM is certainly worthy of your attention: in manufacturing companies, industry, and the service sector.
Your plan B
Developing such a plan and approach is hard work. It calls for research, organisation, planning, assessment, evaluation, training, testing, and practice. What it does not need, however, is reams and reams of paper.
It is important that your plan provides insight into work processes, identifies critical processes, and determines how long your business can withstand a disruption. Mapping out critical dependencies is an essential part of this process. BCM comprises the three basic plans outlined below (see Figure 2).
1. Emergency plan
The protection of people, property, and the environment. Activated immediately after an incident. In addition to meeting legal requirements (occupational health and safety), this plan is crucial for continuity.
2. Crisis management and communication plan
Protects image and reputation, and serves as a guide for decision-making. An incident that doesn’t initially qualify as a crisis can become one at a later stage. In today’s environment of rapid communication and social media, misinformation can spread quickly and cause lasting damage.
3. Business recovery plan
Determines the sequence in which activities are resumed, when they take place, and the resources that are necessary. The objective is the retention of revenue and market share.

Action: put teams to work
A good plan and effective incident response call for competent teams with well-defined roles and responsibilities. Before, during, and after the event.
If companies are properly aware of their business operations and the associated risks (physical, operational, financial, etc.), and if they understand what could cause business disruptions, they will be well placed to deliver a quick and effective response.
Important: you need a risk-management system
In addition to business continuity plans, a risk-management system is also indispensable. A successful system can be set up by applying the “Plan-Do-Check-Act” cycle.
Furthermore, all business continuity activities can be integrated into the company’s existing management systems and certified by an independent party. This route leads to ISO 22301 (Security and resilience – Business continuity management systems – Requirements) certification, which clients sometimes require.
Support
What happens after completing these activities is perhaps the most important step in the whole process. The resulting system must be embraced by the organisation and maintained and updated in the long term. Moreover, it must be a living system, and it is important to periodically practice the processes and procedures, based on realistic scenarios.
As is the case in all management systems, the greatest success factor is for senior management to take ownership of the process, support it, commit to it, and then allocate the necessary resources (time, personnel, and budget) to it.
What can Business Continuity Management do for you?
Organisations that take business continuity seriously and invest in it will be rewarded with significant benefits.
The benefits of a well-thought-out plan B are greater than you might at first expect. Consider, for example:
- underpinning your image and reputation
- the retention of sales, profitability and market share
- avoiding the loss of customers
- gaining a competitive advantage
- compliance with legal and regulatory requirements
- protecting stakeholders’ rights
- obtaining better terms on the insurance market
- acknowledging the company’s strengths and weaknesses
- increasing flexibility in the supply chain (both upstream and downstream)
- reducing interruptions in the supply chain
The risk examples we have outlined in this white paper can lead to undesirable repercussions for companies. It is therefore important to have the necessary infrastructure in place and thus be well prepared for undesirable events. In this way, you can minimise these repercussions.
Riskonet’s approach
In the previous chapters, we’ve dealt with how business continuity begins with self-awareness and the management of vulnerabilities. But how should these insights be put into practice? And what differentiates effective BCM from simply ticking compliance boxes?
Riskonet has accumulated years of experience with Business Impact Analyses that expose unexpected dependencies. While many BCM projects begin by drafting the plan, Riskonet starts by asking what the company truly needs to make it resilient.
Business Impact Analysis: from surprises to insights
The approach kicks off by mapping out the entire production chain: goods flows, volumes, utilisation rates, and inventories. By linking the cash flow to the production chain, a comprehensive picture of the financial repercussions of incidents will emerge.
Here is an illustrative example. A company had invested several years in the safety of a department that produced a key raw material used in various end products. “Our analysis revealed that this raw material could be procured elsewhere relatively easily and without additional costs,” says Senior Consultant Gerrit Vink. “In other words, those invested years were not really necessary. We also discovered that there were no alternatives for the production of certain end products. To underscore its business continuity, the company would have been better off investing in additional measures at those locations.”
Scenario planning
Riskonet makes on-site visits and conducts interviews to map out critical processes, interdependencies, and potential damage scenarios. This includes worst-case scenarios without emergency solutions, as well as realistic scenarios, complete with internal and external alternatives. We ascertain the relevant damage scenarios per location and map out the effect that a specific scenario will have on other business units.
The approach to standards like ISO 22301 is pragmatic. They are tools, not goals in themselves. Certification can certainly be worthwhile, but only if the company in question sees added value in it. Risk management is not a static concept; it is a dynamic process that should never stop. Continuity management is part of that process and requires continuous attention and adaptation to changes.
The case studies in this white paper — ranging from internal fires to international sabotage — demonstrate that unexpected events really do happen. Effective preparation calls for more than just filling in templates or undergoing audits.
Successful BCM is achieved when organisations truly understand what their vulnerabilities are, compile realistic recovery plans, and regularly test and tweak those plans. It’s a competency that’s cumulatively acquired, not a box-ticking project.
The power of a Business Impact Analysis
To determine the significance of possible business damage, a Business Impact Analysis was carried out at a manufacturer of meat substitute products.
In addition to providing the financial reports needed for insurance coverage, critical questioning also revealed that the manufacturer’s two locations were very dependent on one another. What’s more, it transpired that in practice, what should have been easily replaceable raw materials caused major problems when regular suppliers were unable to deliver. Using alternative raw materials would call for a modified recipe, resulting in an end product that cannot be delivered to all customers.
Based on the Business Impact Analysis, the manufacturer procured additional financial coverage and decided to strategically stockpile the critical raw materials.
We will be more than happy to advise you on Business Continuity Management and other consultancy and training services. Just email us at [email protected]. Check out all forms of our integrated services at www.riskonet.com
Is it too complicated, and would you like some professional support?
If you’d like to identify the risks that your company is exposed to, or get advice on how you can optimally guarantee your continuity, feel free to contact Özlem Emgen or Volker von Widdern (without any obligation). It’ll be our pleasure to help.
Sources
ISO 22301, Security and resilience – Business continuity management systems – Requirements
www.munichre.com
www.swissre.com/dam/jcr:c37eb0e4-c0b9-4a9f-9954-3d0bb4339bfd/sigma2_2019_en.pdf
Ever Given/Suez blockage (March 2021)
Global supply chain disruption.
www.bbc.com/news/business-56559073
Nord Stream sabotage (September 2022)
EU energy supply disrupted, including consequences for BASF and Yara.
www.reuters.com/business/energy/what-we-know-about-nord-stream-gas-leaks-2022-09-27/
Cyber attack CDK Global (2024)
Major outages at American car dealers.
www.nytimes.com/2024/06/20/business/cdk-cyberattack-car-dealers.html
Cyber attack Change Healthcare (2024)
Disruption of healthcare payments in the US.
www.wsj.com/articles/change-healthcare-cyberattack-2024-impact
Ransomware attack targets Marks & Spencer
What can I buy online at M&S since the hack?
www.bbc.com/news/articles/c0el31nqnpvo
Sabotage of undersea infrastructure in the Baltic Sea (2024)
Estlink 2 & telecom cable breakages, suspicion falls on Russia.
www.politico.eu/article/baltic-sea-subsea-cables-estlink-damage-sabotage/
Disclaimer
This is a Riskonet publication. No part of it may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, whether electronic, mechanical, print, photocopy, or otherwise, without the prior written permission of Riskonet.
It is expressly forbidden to use this publication, either in whole or in part, for training artificial intelligence systems, machine learning models, or any other automated applications without the prior, written permission of Riskonet.