Business Continuity 2025 - What Will Future Incidents Look Like?

Posted on 12 April

In the first bulletin of his new 'Business Continuity 2025' series, Charlie discusses what incidents might look like in 2025.


There wasn’t a particular incident which took my fancy to write about this week, so I thought I would write about what BC might look like in 2025. On a separate note, I must congratulate and send solidarity to the people of Sudan for toppling their leader of 30 years, Omar al-Bashir. When I was 18, I worked as a secondary school teacher in a small rural village in Sudan for a year. Since then, I have had a great affection for the Sudanese people, their culture and way of life.

I intend to write a series of bulletins over the next few months where I imagine what business continuity might look like in 2025. I aim to cover what incidents might look like, how the business continuity process might change, how resilience might develop and how the role of the business continuity manager could change. These bulletins are based on a webinar I was very kindly asked to present a couple of weeks ago for BRMA (Business Recovery Managers Association), who are Northern California’s largest business recovery association.

So, what do I think incidents are going to look like in 2025?

Generally, we have stopped debating whether climate change is real, and with climate change comes more extreme weather. The wildfires we saw in California last year and the recent Cyclone Idai in Mozambique and the surrounding countries are all attributed to climate change. Climate change is not meant to bring us different patterns of weather, but more extreme iterations of our normal weather. Again, the devastating hurricanes in the Caribbean in 2017 can be seen as part of this change.

If we are going to get more extreme weather, we are going to see more incidents over a wider area, so our recovery centre could be affected by the incident, even if it is tens of kilometres away. Secondly, if the weather devastates whole communities, then our employees’ priority will be survival and looking after their family, not turning up to work. If we provide a service that is non-essential to human survival, our local customers are not going to be interested in purchasing our products and services until long into the recovery period. Therefore, we have to think more about the resilience of our organisation as a whole and look at how we can support our staff and communities, instead of a narrower focus just on our organisation.

Water is going to become more of an issue over the next six years. Over the last few years, two cities have almost run out of water. São Paulo, Brazil's financial capital and one of the 10 most populated cities, nearly ran out of water in 2015, when the main reservoir fell below 4% capacity. Last year, water rationing in Cape Town was implemented and the city was saved from further restriction on water by the drought breaking. This is the first time I have heard of major cities being close to running out of water. It does not help that there is a worldwide mass movement to cities, and cities have expanded in size, often without the corresponding investment in infrastructure. As business continuity people, over the next few years we should look at our own buildings and major offices, and think about the local water supply and our reliance on it. If in doubt, come and base your organisation in Glasgow or the West Coast of Scotland; we have plenty of water here!

Threats come in fashions and cyber is the big threat of the moment. Since the 1990s, we have had a series of different threats which have been the main threats of the moment. In the 1990s, we had lots of transport and natural disasters, so emergency planning came of age. This was followed by Y2K and the birth of business continuity. When BC started, I know of a Scottish Local Authority which spent £100k on external consultants to develop their BC plans. Nowadays, they won’t spend anything on external business continuity. After BC came pandemic, followed slightly half-heartedly by supply chain, and now cyber is in focus.

I think cyber security is a little like car security used to be. You used to be able to steal a car by using a coat hanger to open the door; touching two wires together you could start the car and drive away. Nowadays, cars are much more difficult to steal as they have much greater security. I think this will be the same for cyber: generally, cyber security will get much better as manufacturers of products are forced to implement stronger in-built security, greatly raising the bar to be able to hack an organisation. It will still happen, as cars are still stolen, but it will be more difficult and require a higher level of skill. So, in 2025 I think cyber will still be a threat, but it will be replaced by another big threat of the moment which we will all be more worried about. I am not sure what this will be, but perhaps it could be resilience (which is gathering a head of steam) and integrating the different risk management disciplines under the banner of resilience.

My final prediction is that the world will get further interconnected and interdependent. We have seen outages of some of the large data centres, such as Amazon or Microsoft 365, which affected large numbers of organisations worldwide. My Hive internet heating system was down last week due to an outage at a data centre. As systems become more and more complex, our ability to spot flaws and risks within the system becomes more difficult. We also have to rely more on third parties who provide the services to our organisation, and we have limited visibility of how they manage our systems and their ability to recover. We can ask them for their BC plans, but in the end (often due to size), these companies are more powerful than us, so our ability to hold them to account is difficult. The only blessing from this is that when they go down, many other organisations are also affected, so we are not alone and the full focus of the incident is not on our organisation.

It will be interesting in six years’ time to come back and review this to see if it has come true, but if we are horizon scanning we should be anticipating some of these themes now and thinking about our response.