June 9, 2026

What Resilience Leaders Are Talking About Right Now

Key Takeaways

  • Executive buy-in improves significantly when resilience is framed around business outcomes, real incidents, and direct participation rather than program metrics and compliance reporting. 
  • Vendor concentration risk and third-party visibility are growing faster than most continuity strategies have accounted for. 
  • AI adoption is creating operational dependencies that governance frameworks, criticality inventories, and continuity plans have not yet caught up with. 
  • Testing is expanding beyond technology failure scenarios, and the programs gaining the most traction are those building repeatable, evidence-based capability rather than periodic documentation. 

Fusion brings together resilience and business continuity practitioners across regional user group sessions throughout the year. The spring 2026 sessions in Boston and the Southwest gave participants space to talk through what is actually happening in their programs: what is working, what is getting harder, and where the pressure is coming from. 

Two topics anchored both conversations: navigating the current disruption landscape and building the executive support resilience programs need to mature. What surfaced was a consistent picture of programs under pressure from multiple directions at once, and teams working to move from documentation-centric approaches toward something more operationally grounded. 

Here’s what we heard. 

The Risk Environment Has Changed Faster Than Most Programs Have 

Participants in both sessions described a disruption landscape that has become more interconnected and harder to contain. Geopolitical instability, workforce reductions, cyber incidents, and vendor outages are not separate events managed by separate teams; they cascade. A cloud platform goes down, and the business impact spreads faster than the continuity plan anticipated, in part because the manual workarounds that used to absorb disruptions have been eliminated. 

That dynamic came up repeatedly. Organizations that moved aggressively to cloud-first environments often discover, after the fact, that their resilience strategies were built for a different operating model.  

Vendors frequently require customers to own their own backup strategies. When an outage occurs, translating a technology failure into a business impact requires a live view of dependencies that many organizations do not yet have. 

The Southwest group described this as a shift from plans to reality. The plan is a starting point, not an execution script. What matters during a disruption is the ability to trace impact, make decisions under uncertainty, and coordinate a response across functions that do not always work together under normal conditions. 

Vendor and Concentration Risk Are Growing Concerns 

Third-party and vendor risk featured prominently in both sessions, with participants identifying it as one of the most significant gaps in current programs. 

The concerns are specific. Organizations often have limited visibility into what vendors are actually doing during an incident, no reliable way to assess downstream impact across extended supply chains, and little transparency into vendor response processes. When something goes wrong with a critical vendor, the organization frequently has to assume worst-case impact because it lacks the data to determine actual exposure. 

Concentration risk is compounding the problem. Dependence on a small number of cloud providers and platform vendors has created single points of failure that are difficult to address operationally.  

Some organizations in the Southwest session are reconsidering on-premises infrastructure for mission-critical functions, not because cloud is the wrong choice, but because the concentration of risk in shared platforms has reached a level that continuity strategies need to account for more explicitly.

The Boston session also highlighted the insurance dimension. Cyber insurers often lack a clear picture of organizational workflows and dependencies because that information is siloed across teams. Accurately representing operational exposure during underwriting requires the kind of cross-functional visibility that many programs are still working to build. 

AI Is Creating New Dependencies Before Governance Has Caught Up 

AI-related concerns dominated much of the Boston discussion, and the pattern was consistent: organizations are adopting AI-enabled tools across departments faster than governance frameworks can account for them. 

The resilience implications are practical. If an AI-enabled tool becomes part of a critical workflow and fails, where does it appear in the business continuity plan? Is it in the configuration management database? Is it defined as an application for criticality purposes? What happens to the human skills those tools have started to replace? 

Participants described a “wait and see” posture on AI governance that most acknowledged would not hold for long. The more immediate concern raised in Boston was not the next six months but the next two to five years, as organizations lose institutional knowledge, reduce manual process capability, and build operational dependencies on tools whose resilience implications are not fully mapped. 

The Southwest session raised a connected issue: ecosystem and concentration risk now extends to AI infrastructure. Governance frameworks, procurement policies, legal alignment, and criticality inventories all need to account for AI dependencies, and most organizations are still working out where ownership for that sits. 

Gaining Executive Buy-In Remains the Persistent Challenge 

Across both sessions, building and sustaining executive support came up as the most persistent operational challenge resilience teams face. 

The framing problem is familiar. Resilience is often positioned as insurance, a cost center whose value is most visible when something goes wrong. That framing makes it difficult to justify under normal operating conditions, especially when ongoing platform costs require repeated justification from stakeholders who do not see the program’s work day to day. 

Participants who reported stronger executive engagement described a consistent approach: frame the conversation around business outcomes, not program activities. In practice, that means leading with: 

  • Downtime avoided and revenue protected 
  • Operational continuity maintained under real conditions 
  • Lessons from actual incidents, not hypothetical risk assessments 

Real incidents are more persuasive than hypothetical risks. Several participants described using market-facing events, CrowdStrike being a frequently cited example, to create urgency and open conversations that regulatory pressure alone had not prompted. Direct involvement also matters. Executive tabletop exercises consistently surfaced as one of the most effective tools for building both awareness and sponsorship. When executives participate in scenarios rather than receive briefings about them, the program becomes something they have a stake in rather than something they fund. 

The Boston session highlighted a related dynamic: regulatory pressure is improving executive engagement in financial services specifically. As DORA and equivalent frameworks raise the bar on demonstrable resilience capability, senior leadership is more frequently referencing resilience initiatives, and some organizations are establishing dedicated enterprise resilience leadership roles as a direct result. 

Testing Is Getting Broader, and That Is the Right Direction 

Both sessions reflected a shared view that testing is the part of resilience programs with the most room to grow. 

Current testing tends to concentrate heavily on technology failure scenarios, primarily ransomware. What is getting less attention: 

  • Workforce events and staffing disruptions 
  • Supplier and vendor failures 
  • Facility-level and physical location events 

The business impact scenarios that are hardest to model are often the ones least practiced. The direction of travel is toward continuous, integrated testing rather than periodic exercises. Organizations further along described testing that: 

  • Connects technology recovery through to business impact 
  • Involves the network operations center (NOC) as a first line of response rather than a downstream notification 
  • Uses real-world probability weighting in scenario design rather than generic threat categories 

The goal those organizations are working toward is repeatable, scalable testing that produces evidence of capability rather than documentation of coverage. That distinction matters increasingly as regulators focus less on whether a plan exists and more on whether it can be executed.

What This Means for Resilience Programs 

The conversations from both Regional User Group sessions point in a consistent direction. Programs that are gaining traction are treating resilience as an operational capability, not a compliance function.  

That means building a live, connected view of critical services, dependencies, and third-party relationships; framing executive conversations around financial and operational impact; expanding scenario testing beyond technology failures; and getting ahead of AI governance before dependencies outpace the organization’s ability to map and manage them.  

The practitioners in these sessions are working through genuine complexity. The tools and frameworks exist. What makes the difference is the organizational commitment to use them as a decision-making capability rather than a documentation exercise. 

Fusion hosts regional user group sessions throughout the year to connect resilience practitioners across industries. For information on upcoming events, visit https://www.fusionrm.com/engage-community/engage-community-events/