Global instability: Fraying business continuity plans 

International Security Journal hears exclusively from Michael Gips, JD, CPP, Managing Director, ESRM, Kroll about global instability and business continuity.

As sophisticated a world as we live in, something, somewhere, is hanging by a thread. Or a wire. Or a soon-to-be obsolete line of software code.

Consider the 28 April communications outage during which planes disappeared from the radar screens of air-traffic controllers at Newark Liberty International Airport for at least 90 seconds.

For another 60 seconds, controllers could not talk to pilots on the 15 to 20 planes for which they were responsible.

The culprit? A copper wire failure. Fortunately, no collisions or injuries occurred. But the combination of aging infrastructure, crowded skies and understaffed control towers has led to hundreds of flight delays and cancellations involving Newark’s airport, which is sure to have an economic toll in the tens of millions of dollars. 

Not even a year earlier, in July 2024, a global IT outage delayed at least 34,000 flights and scrubbed 3,800 more at airports from Perth to Prague.

That disruption also affected banks, hotels, hospitals, factories, government services and other industries, to the tune of at least $10b.

The culprit? A faulty update to widely used cybersecurity software. And while a single thread may not have caused a significant global business disruption, a whole lot of threads, collectively, have.  

The sheer volume of manufactured and quickly discarded clothing and textiles has led to overflowing landfills, increased greenhouse gases and the introduction of untold volumes of microplastics into waterways.

The clothing and textile business is also one of the fronts in the current tariff skirmishes, part of the global geopolitical war for resources and hearts and minds battled largely by the US and China.

Just these few examples indicate that business continuity management is hitting an inflection point. Absent careful advance contingency planning, a business, an industry or a whole economy can go upside down in an instant.

This article discusses several trends and events driving this change. 

Geopolitics 

The post-Cold War rules-based international order continues to fracture, giving way to a disjointed and unpredictable geopolitical landscape.

Heightened tensions between the US and China and revisionist powers like Russia are ushering in an era where power politics increasingly overrides established norms.

Conflicting visions of global governance are challenging long-standing principles of trade, sovereignty and international cooperation, leading to growing military tension, economic decoupling and the weakening of multilateral institutions.

As alliances shift and regional blocs solidify, global stability is becoming more vulnerable to sudden shocks and prolonged uncertainty.  

Here it is in stark, if somewhat simplistic, terms. China is playing the long game, the US is playing the short game and Russia is playing the opportunistic agent of chaos.

In that context, the European Union is drafting new rules to govern the changing environment, Africa is trying to assert itself strategically through its rich lode of resources and other countries and regions are either trying to consolidate their power or reverse their fortunes. 

Unpredictable markets 

This geopolitical shuffling takes a heavy toll on business continuity management. Markets famously hate unpredictability; yet many businesses thrive on it, spotting opportunity.

China is reshoring critical industries, such as building its own domestic semiconductor capacity with support from the “Made in China 2025” initiative.

It’s simultaneously asserting control over economic choke points such as semiconductor production and spreading its tentacles via its Belt & Road initiative, including in its digital infrastructure projects in Africa and Southeast Asia.  

With its immediate, transactional approach, the US is rewriting trade policies, as well as imposing and pulling tariffs at a dizzying pace.

Russia aims to destabilise the world order, not just in obvious ways such as via its invasion of Ukraine, but by manipulating energy markets to disrupt markets worldwide, particularly in Africa and Europe.

Consequently, businesses must plan for the rapid decoupling of relationships, evolving legislation and global disruptions. 

Supply chain effects 

Single-sourcing is an untenable strategy, and businesses that depend on a single geography or supply chain face system fragility.

Businesses are responding by moving to multisource, multiregional and modular supply chain models, even to the point of having dual supply chains for critical goods such as pharmaceuticals.

For example, the US and India are simultaneously scaling domestic production of generic drugs to reduce dependence on China. 

Regulation 

National and regional legislation, regulation and rules frameworks also complicate business continuity management.

For example, India and the EU have rolled out new requirements for data localisation, local manufacturing and green transition (e.g., India’s Personal Data Protection Bill for data localisation, the EU’s Chips Act for local manufacturing and the EU Green Deal for the green transition).

Companies must localise not only marketing but also infrastructure and decision-making. 

Consequently, companies are beginning to stand up regional operations centres that can function independently in a decoupled world.

They are also doubling down on finding local redundancy for services such as warehousing, transport and power supply.

In one prominent example, Amazon has established parallel data centres and logistics hubs in multiple continents. 

Meanwhile, both the UK and the EU continue to establish regulatory frameworks that acknowledge political volatility, rapidly evolving critical infrastructure networks and systemic risks.

Having started with a focus on cyber-risks (e.g. the NIS2 Directive), there is now a clear focus on ‘all cause’ systemic interruption risks across the EU.

This is encapsulated by the Critical Entities Resilience (CER) Directive, established in 2022 and coming into force for designated critical entities from mid-2026.

Of note, CER explicitly calls out hybrid warfare and sabotage. At bottom, more organisations will be required to have enhanced resilience capabilities across a wider range of threats. 

Cyber-threats and disinformation 

Ransomware is practically an epidemic, having disrupted hospitals in the US, oil pipelines and global logistics companies. Insider risk from nation states, competitors, extremists and garden-variety thieves is rampant.

Attacks on operational technology (OT) have also increased. Waterfall’s 2024 review recorded a 146% increase in sites suffering physical impairment of operations because of cyber-attacks and a 5% increase in OT attacks that had direct physical consequences.

Many attacks are not reported or are not publicised by national authorities when reported. 

In addition, threat actors routinely weaponize information to create false narratives, sow distrust in long-respected institutions (such as the judiciary and law enforcement) and turn citizens against each other.

AI-powered misinformation and disinformation manipulate consumer, investor and political sentiment, all of which undermine business continuity.

Cyber-resilience demands are surging, not just for the block and tackle of cybersecurity but for real-time detection, backup systems, digital forensics and detection of manipulation such as deepfakes.

Businesses are still struggling to be credible arbiters of truth in disinformation response, however. 

ESG 

Environmental, social and governance concerns add another level of complexity. For example, the EU Carbon Border Adjustment Mechanism, US SEC climate disclosure mandates and bans on forced labour (for example of Uyghurs in Xinjiang) complicate compliance.

In the case of Xinjiang, US bans have triggered official and unofficial retaliation by the Chinese government, such as by restricting operations of US companies in China or issuing warnings about substandard/dangerous US products.  

Given that supply chains are under scrutiny for human rights violations, carbon use and unethical behaviour, businesses are building traceable and auditable supply chains, sometimes with the help of technologies such as blockchain.

Some companies are also treating ESG compliance as part of operational continuity, not just reputation management. Unilever, as one example, has integrated sustainability into its supply chain auditing. 

Resource scarcity 

Access to critical inputs such as water, lithium, cobalt and rare earth minerals is becoming more competitive and politicised.

For example, China currently controls over 60% of global rare earth processing and has threatened export restrictions during trade disputes. Similarly, severe droughts in Mexico and the western United States have disrupted semiconductor manufacturing and agriculture.

Water-intensive industries, such as textiles and microchip production, are increasingly being forced to justify their consumption or relocate.

Business continuity plans must now account for political and climate-driven shortages of essential resources and materials.

Companies are investing in closed-loop water systems, recycled materials and alternate mineral supply routes. 

Natural disasters 

It’s old news that climate change has intensified the frequency and severity of natural disasters, from wildfires and floods to hurricanes and droughts.

The 2023 floods in northern Italy, which disrupted agricultural production and transportation networks, and Hurricane Ian in 2022, which caused over $100b in damages in Florida, are recent examples.

Natural disasters can paralyse transportation infrastructure, displace workforces and destroy physical and digital assets.

Businesses are responding by conducting detailed climate risk assessments, moving critical functions to disaster-resilient regions and incorporating environmental threat modelling into continuity planning. Resilience now requires climate adaptation, not just disaster recovery. 

Takeaways 

Here are actions to consider to help keep your business running: 

  • Map your dependencies – know not only your Tier 1 suppliers, but also the downstream vendors, infrastructure and data that support your operations 
  • Design for decoupling – structure your supply chains and operational teams so they can function independently by region 
  • Diversify suppliers and logistics – avoid single points of failure by establishing multisource, multi-route and multi-modal redundancies 
  • Invest in real-time risk intelligence – use predictive analytics and local insights to anticipate disruption and act before it spreads 
  • Watch for malware and disinformation – train staff and implement systems to identify and thwart cyber-threats and educate staff on sourcing and verifying information 
  • Make resilience a board-level priority – treat continuity planning as a strategic imperative, not just an IT or facilities concern 
  • Localise ESG and compliance controls – ensure that sustainability, labour standards and environmental metrics are monitored across all regions 
  • Test often, adapt quickly – move beyond annual tabletop exercises to dynamic, scenario-driven continuity simulations 

In a world where disruption is the new default, business continuity itself may hinge on the easily overlooked elements.

Leaders must recognise that resilience doesn’t just mean bouncing back; it means reinforcing fragile threads before they snap – or replacing threads altogether from a parallel supply chain.

Special thanks to Steve Rumbold and Phil Miles, my colleagues at Kroll UK, for their insights and suggestions, particularly regarding global geopolitics and regulation in the UK and EU. 
