June 10, 2026
Why business continuity programs break down and what we built to fix it

Claire Feeney
Most organizations have a business continuity plan. Far fewer have one that actually works when it matters.
We surveyed more than 500 audit, risk, compliance, business continuity management (BCM), and IT leaders across North America, the U.K., Germany, and the UAE — and the findings, published in our report When business continuity fails, kept pointing to the same problem: fragmentation.
BCM programs are routinely built in isolation, cut off from the risk assessments, audit findings, compliance data, and third-party intelligence they depend on the moment disruption hits. When a real incident unfolds, the plan exists, but the information it needs to function doesn't flow into it.
That's a structural problem that requires a structural fix.
Today, Optro announced its BCM solution, built directly into the same platform organizations already use for GRC — not as a standalone module bolted on afterward, but as a connected part of the same environment where risk, audit, compliance, and third-party data already live. This post shares what leaders told us about where their continuity programs fall short and the foundation for stronger organizational resilience.
Confidence is not the same as capability
Most business continuity leaders (92%) say they are confident their organization can meet defined recovery objectives. What organizations can actually execute on is a different story.
Fewer than four in 10 organizations met their recovery time objectives (RTO) during their most significant disruption, with 54% exceeding their defined recovery window.
The distance between confidence and performance is not a resource problem; it’s a measurement problem. Organizations are tracking preparedness indicators such as documented plans, governance frameworks, and self-reported maturity rather than tested operational capability. In practice, a program can satisfy every documentation requirement and still fail when real pressure is applied.
The real problem is fragmentation
Across every data point, a root cause emerges: BCM programs operate in isolation from the functions they depend on.
Audit, IT, risk, compliance, third-party management, and AI governance each maintain their own processes and priorities. When a disruption occurs, the coordination between those functions is what gets put to the test. For most organizations, those teams are siloed.
Among organizations whose business continuity plans (BCPs) fell short, 31% cite processes that were not accurately mapped before the incident. Another 27% cite third-party failures that were not anticipated in their process mapping.
These are predictable outcomes of isolated program design. The report goes deeper on what integrated programs do differently — and the performance gap between fully integrated and minimally integrated business continuity programs is significant.
Third-party risk has outpaced third-party continuity readiness
Three in four organizations experienced at least one vendor failure in the past two years. Among those incidents, more than half resulted in losses of $1 million or more.
Most organizations have vendor oversight processes in place: documentation reviews, periodic reassessments, onboarding checks, and more. What's missing is operational validation. Only 31% conduct joint continuity testing with critical third parties, meaning the majority of recovery timelines are built on vendor assumptions that have never been tested under realistic conditions.
The report examines which vendor categories carry the highest continuity risk and where stress-testing gaps are most concentrated.
AI is creating a new layer of exposure
Among business continuity leaders, 36% expect AI-enabled disruptions to move faster than human response capacity by 2030. That means AI isn’t a distant concern; it is already embedded in critical operational workflows, and when those systems fail, the downstream effects on business processes can be fast and far-reaching.

Governance has not kept pace. Only 26% of organizations report a formal AI governance program for BCM initiatives. The most frequently untested disruption scenario globally involves agentic AI failure. Shadow AI exposure and AI-enabled cyberattacks follow closely.
Without connecting AI risk to continuity planning, organizations are adding failure points without mapping them. The report breaks down where AI governance gaps are most acute by region and function.
What a connected approach looks like
The problems named above (shadow AI, third-party risk, fragmentation) share a common cause: BCM programs that are not connected to the broader risk ecosystem. Another standalone tool reproduces the same structural problem.
Optro's BCM solution is built into the existing platform so that business processes, dependencies, owners, vendors, and risks are visible in a single view. Plans connect to live process data, so recovery objectives reflect current assessments rather than a snapshot from the last planning cycle. Tabletop exercises link directly to continuity plans, and gaps surface automatically to risk and audit teams.
Kate Marechal, Director of Operational Risk and Risk Services, Shawbrook Bank, says:
“We believe Optro’s BCM solution will allow us to bridge the gap between risk management and operational response.”
The goal is a closed-loop process where continuity, risk, and audit reinforce each other, rather than three separate functions that only intersect when something goes wrong.
The resilience gap is structural. It’s also solvable.
The organizations that perform well in the face of disruption are not simply the ones with the most documentation. They are the ones with the most connected programs: shared visibility, tested assumptions, and cross-functional coordination that holds under pressure.
For the full findings, including regional breakdowns and what high-performing programs do differently, download When business continuity fails.
About the authors

Claire Feeney is a Senior Product Marketing Manager at Optro focused on ESG and RiskOversight. In her role, she helps support organizations in transforming their enterprise risk management and sustainability programs. Prior to joining Optro, Claire worked in product marketing at OneTrust, VMware, and Infor. Connect with Claire on LinkedIn.
