Key Takeaways
- Alignment failure, not missing plans, is the root cause of most response breakdowns, and fixing it requires intentional structural design, not better documentation.
- Culture determines how a response unfolds long before an incident occurs, which means resilience programs that rely on plans alone will plateau when they meet real disruption.
- The industry is shifting from compliance as an end goal to evidence-based resilience, where the standard is proving you can recover what matters most, not just demonstrating that plans exist.
I spent three days at the Continuity Insights Management Conference (CIMC) in late April, and the conversations reinforced something the industry has been circling for a while: the gap in most resilience programs is not documentation. It’s alignment, culture, and the ability to prove recovery.
Here are the themes that stood out.
Alignment Failure, Not Missing Plans, Causes Response Breakdown
Session after session pointed to the same root cause: when responses break down, it’s rarely because an organization lacked a plan. It’s because the people executing it weren’t operating from the same picture.
The clearest example was BC and IT alignment. BC and IT teams frequently activate separately during an incident, each working from their own playbook, with no shared view of what’s happening. The fix is not procedural; it’s structural. One presenter outlined a practical approach: a BC-IT liaison role, joint response calls, and a persistent incident status view that both teams can see in real time. Alignment is a design choice. It has to be built in intentionally.
The same dynamic shows up in operational resilience more broadly. When BC, cyber, risk, third-party, and operational resilience functions operate in silos, they generate multiple definitions of reality. That’s where the communication begins to devolve and confidence gap builds.
Culture Determines the Response, Long Before the Incident
One of the conference’s most thought provoking phrases was also one of its most honest: “We don’t rise to the level of our expectations. We fall to the level of our training.”
Strong plans don’t automatically produce strong responses. What determines how a response actually unfolds is the culture that exists before the incident: whether people feel safe escalating early, whether they’ve practiced under realistic pressure, whether ownership is clear or diffuse.
Two failure patterns came up repeatedly. The first is delay: momentum is lost not because of errors, but while clarity is being sought. The second is diluted ownership: too many handoffs create bottlenecks and slow decisions at exactly the wrong moment. Both are cultural problems, not procedural ones.
This applies directly to crisis and incident management. Practitioners flagged a familiar challenge: engagement spikes during incidents and drops off immediately after. Training gets ignored, exercises feel forced, and plans go stale. The shift that’s needed is finding the carrot rather than relying on the stick, making resilience feel like capability, not compliance.
BIA Data Should Tell a Story, Not Sit in a Folder
One of the sharpest critiques across the conference was directed at how organizations use their BIA data. Many have accidentally optimized for volume: lots of plans, lots of data, none of it particularly useful.
The practitioners pushing back on this made a clear case: BIAs should be built around products and services, not internal departmental workflows. That’s where customer impact and interdependencies actually live. Capture strategies at the dependency level. Compare IT-set RTOs against business-defined tolerances to surface real gaps. And track RTA (Recovery Time Actual) after testing. That’s where the honest numbers show up.
The standard also needs to rise for how this data gets communicated. BIA data should be telling a story to executives, not sitting in a folder waiting to be reviewed during an audit.
AI Is Moving from Buzzword to Infrastructure
Multiple sessions addressed AI in resilience programs, and the framing was refreshingly practical. The near-term value of AI is not in replacing human judgment. It’s in doing the work that currently consumes it: normalizing scattered data, automating dependency mapping, identifying single points of failure, drafting communications and after-action reports, and turning static plans into interactive decision tools.
The pressure driving adoption is real. One presenter described a client that offered a 30-day deliverable or no contract. Traditional IT disaster recovery programs break at scale under that kind of expectation gap. AI-assisted automation can help close it, not by replacing team expertise, but by freeing people to focus on higher-order decisions.
Proving Recovery, Not Just Documenting It
The clearest signal from CIMC 2026 is a shift already underway in how the industry thinks about resilience maturity. The question has moved from “Do we have plans?” to “Can we prove we can recover what matters most?”
That shift shows up in metrics and testing. For a while, organizations were seemingly concerned with the overall number of plans, not necessarily what those plans were accomplishing. Goodhart’s Law came up in one session: when a measure becomes a target, it stops being useful. Watch for metrics that are followed blindly, never questioned, or focused on what’s easy to count rather than what matters. Poor metrics create gaming behaviors and false confidence.
It also shows up in new frameworks. One presenter introduced the Recovery Operability Objective (ROO), designed to fill the gap between RTO and RPO. ROO is defined as the time from disruption onset to when an application is returned to functional use without historical data, which is restored separately at a later agreed-upon time. It gives BC and DR teams a practical way to have honest conversations about recovery tradeoffs and prioritize application restoration more intelligently.
Mature programs test continuously, involve the C-suite and board, and design resilience into business operations. Green dashboards are not enough. Leadership needs visibility into gaps and what’s actively being remediated, and purpose-built software makes that visibility possible.
Where the Industry Stands
CIMC reinforced that the resilience industry is in a meaningful transition, moving away from compliance as an end goal and toward evidence-based programs that can prove performance under pressure. The tools are getting better. The frameworks are getting sharper. The gap that remains is largely cultural and organizational, and that’s where the most important work is happening.
Authors
