
Trust Is at an All-Time Low: Internal Audit Can Help
June 16, 2026
This week, The IIA will host its long-awaited International Conference in Singapore. For me, the memories are vivid. Our Singapore International Conference was scheduled many years ago to occur in 2021. But COVID changed the world, and we had to reschedule the conference, which is only now taking place. As The IIA’s CEO in 2020, I thought we had sound business continuity plans. We had business interruption plans in the event of cyber attacks. We even had plans for relocating much of our headquarters operations in the event of a catastrophic hurricane in Central Florida, where we were based. But we never envisioned that the world would suddenly shut down, that our training events couldn’t proceed, and that every certification testing center in the world would be shut down in a matter of days.
The COVID era was a stark reminder that business operations can be very fragile, and that plans must anticipate every conceivable risk. But COVID was only the beginning of a decade in which business operations have been repeatedly disrupted by extreme weather events, cyber attacks, and geopolitical conflicts that choked supply chains and disrupted operations of enterprises and their third-party suppliers around the world.
Business Continuity Has Long Been a Risk.
For many years, business continuity management was often viewed as a compliance exercise. Organizations developed plans, conducted occasional tests, documented recovery objectives, and checked the box. The assumption was that if a disruptive event occurred, the organization would be ready.
The events of the 2020s have exposed the flaws in that assumption, and if there is one lesson organizations should have learned by now, it is that disruption is not slowing down. The question is no longer whether a significant disruption will occur. The question is whether your organization will be able to continue operating when it does.
Unfortunately, new research from Optro suggests many organizations remain far less prepared than they believe.
Confidence Is High. Performance Tells a Different Story.
One of the most striking findings in Optro’s report is the enormous gap between confidence and reality. While 92 percent of surveyed leaders expressed confidence in their organization’s ability to meet recovery objectives during a significant disruption, fewer than four in ten actually met those objectives during their most significant disruptive event. More than half exceeded their planned recovery windows.
That finding should concern boards, executive teams, and audit committees alike.
Over the years, I have observed a common tendency among organizations to measure preparedness through documentation, policies, and governance structures. Those elements are important, but they are not proof of resilience. A business continuity plan sitting on a shelf has never recovered a business. Only tested capabilities, clear accountability, and organizational adaptability can accomplish that.
The reality is that disruptions do not care about organizational charts, policy manuals, or assumptions. They expose weaknesses that may have gone unnoticed for years.
The Hidden Risk Most Organizations Cannot See
One of the most important observations in the Optro report is that many organizations still lack a complete understanding of the dependencies that support critical operations. When incidents occurred, 31 percent of organizations reported that affected business processes had not been accurately documented or mapped. More than a quarter encountered third-party failures that had not been anticipated. This finding resonates with something I have said for years: you cannot protect what you do not understand.
Modern organizations operate through a complex web of interdependencies involving technology, data, people, vendors, cloud providers, contractors, facilities, and supply chains. A disruption in one area can quickly cascade across the enterprise. Yet many organizations continue to manage continuity planning through isolated functional silos.
The result is a dangerous visibility gap. Leaders may believe they understand their exposure when, in reality, they are seeing only part of the picture.
Third-Party Risk Has Become a Business Continuity Risk
Organizations increasingly depend on third parties to deliver critical capabilities. Cloud providers, managed service providers, software vendors, logistics partners, and outsourced business services now form part of the operational backbone of many enterprises.
Optro’s research found that 76 percent of organizations experienced at least one vendor-related failure during the past two years. Even more concerning, 57 percent of those incidents resulted in losses exceeding $1 million. Yet many organizations continue to treat third-party continuity as a procurement issue rather than a core operational risk.
Contracts are important, but contracts alone will not restore operations during a major disruption. When it comes to third parties, organizations must:
- Understand how vendor failures would affect critical business processes,
- Participate in joint testing exercises,
- Establish clear escalation procedures before an incident occurs.
As I experienced more than once as CEO of The IIA, the next major disruption may not originate within your organization. It may originate with a third party on which your organization depends.
Artificial Intelligence Creates New Continuity Challenges
Artificial intelligence is rapidly becoming embedded within resilience and continuity programs. Organizations are using AI for risk monitoring, business impact analysis, and continuity planning activities. While these developments offer significant opportunities, they also introduce new risks.
The Optro report highlights that agentic AI failures, shadow AI deployments, and AI-enabled cyberattacks remain among the least-tested disruption scenarios. At the same time, many organizations have not yet established formal governance frameworks to oversee AI-enabled resilience activities.
This should serve as a warning.
As organizations accelerate AI adoption, they must also understand how those systems could fail, how failures might propagate through operations, and how decision-making authority will be maintained during periods of disruption. Resilience planning that ignores AI-related failure scenarios will quickly become obsolete.
Fragmentation Is the Real Resilience Gap
The most important conclusion from Optro’s research is that fragmentation remains the greatest obstacle to resilience. Audit, risk, compliance, business continuity, cybersecurity, technology, and third-party risk management often operate independently, each with its own priorities, tools, and reporting structures. Unfortunately, disruptions do not respect those boundaries.
Organizations with fully integrated continuity programs consistently outperformed those with fragmented approaches. They recovered faster, activated response protocols more quickly, and demonstrated greater confidence grounded in actual performance rather than assumptions.
In today’s environment, resilience is not a departmental responsibility. It is an enterprise capability.
What Internal Auditors Should Do Now
Business continuity management deserves far greater attention from internal auditors than it has historically received.
We should be evaluating whether critical business processes have been accurately identified and mapped. We should assess whether recovery objectives are realistic, whether continuity plans reflect current operating realities, and whether testing programs simulate severe but plausible scenarios. We should be paying particular attention to third-party dependencies, cloud service providers, cybersecurity incidents, and emerging AI-related disruption risks.
We should also challenge management’s assumptions regarding preparedness. The Optro findings suggest that confidence levels often exceed actual performance. Independent assurance can help determine whether resilience capabilities will work when they are needed most.
Most importantly, we should assess whether business continuity is being managed as an integrated enterprise capability rather than a collection of disconnected activities.
The warning signs are clear. The disruptions of the 2020s have demonstrated that continuity failures are occurring with increasing frequency. They can occur suddenly, spread rapidly, and create devastating consequences. Organizations that continue to rely on outdated plans, incomplete dependency mapping, and untested assumptions are taking a significant risk.
More disruption is coming. The organizations that thrive will not be those with the thickest continuity manuals. They will be the ones that have honestly assessed their readiness, tested their capabilities, and built the resilience necessary to continue operating when the next crisis arrives.






I welcome your comments via LinkedIn or Twitter (@rfchambers).