2025 showed just how many different types of disruption organisations now have to deal with. Physical failures, cyber incidents, supply‑chain issues, cloud outages and even an AI service interruption all featured at some point. Combined with wider geopolitical tension and rapid advances in automation and AI, the year highlighted how easily modern operations can be knocked off course.
For SMEs and mid‑market firms this can feel particularly demanding. You face the same kinds of incidents as larger enterprises, but with fewer people and limited time to wade through unnecessary complexity. The volume of cyber attacks increased again during the year, supply chains became more strained and tightly coupled, and the operational impact of outages grew. A Business Continuity Plan is no longer a nice‑to‑have. It is a core part of running a resilient organisation.
The events of the past year reinforce something simple: the purpose of continuity planning is to keep your most important activities going when something critical stops working. Whether the cause is a transformer fault, a cyberattack, a system outage or an issue with a key supplier, the basic approach stays the same. Know what matters, know what could interrupt it, and have practical ways to carry on.
This is the approach our consultants are taking into 2026 when supporting SMEs and mid‑market clients. The priority is to cut through noise, avoid over‑engineering and focus on continuity measures that are realistic to maintain and workable during an incident.
With that in mind, the disruptions seen in 2025 help shape the continuity priorities for the year ahead. They do not add complexity. They help firms stay focused on what needs to be in place to keep operations moving when things go off track.
Below are the major themes we see influencing continuity planning this year.
AI is now woven into everyday business operations, whether organisations realise it or not. From automating documents and summarising meetings to triaging service tickets and supporting decision‑making, AI tools have quietly become embedded in core processes. As a result, AI is no longer an enhancement — it’s an operational dependency. A recent Copilot outage, during which users across the UK and Europe lost access to Microsoft’s AI assistant, demonstrated how quickly workflows can slow when AI‑driven productivity steps disappear. Teams found themselves unable to auto‑summarise emails, generate routine documents, or rely on AI‑driven insights, prompting a sudden reversion to manual effort.
For 2026, continuity planners must explicitly map where AI appears in processes, even indirectly — such as in workflows supported by automated drafting, analysis or recommendations. BC plans should include non‑AI fallback methods using pre‑approved templates, scripts, or manual pathways. Organisations should also treat “AI degradation” or “AI unavailability” as a scenario to test in exercises; this not only validates fallback methods but also trains staff to operate confidently without automated support. AI should now be classified alongside other critical dependencies like SaaS, identity services and connectivity — a normal part of the resilience landscape requiring straightforward, pragmatic planning.
Late‑2025 delivered two of the clearest reminders yet that cloud services — while resilient — are not infallible. The 29 October 2025 Azure outage, caused by an Azure Front Door configuration error, disrupted identity, content delivery and application access across multiple regions. Meanwhile, on 20 October 2025, AWS experienced a DNS‑related failure in the US‑EAST‑1 region, affecting thousands of dependent services worldwide. Both incidents were resolved, but each created significant operational delays for organisations relying heavily on cloud infrastructure, SaaS platforms and cloud‑based authentication.
For 2026, continuity planning must assume temporary loss or degradation of cloud identity, storage, and content delivery networks, even if only for a few hours. Organisations should map which business processes depend on cloud layers (Azure AD/Entra, DNS, CDN, SaaS tools, cloud databases) and understand the operational consequences of losing each. Practical preparation includes maintaining offline access to runbooks, emergency contact lists, and operational instructions; preparing alternate communication channels in case Teams or cloud email become unavailable; and conducting short‑duration cloud outage exercises to reveal reliance on real‑time authentication. Supplier management also becomes increasingly important — organisations should strengthen cloud‑provider monitoring, document recovery commitments and ensure they can evidence their understanding of cloud‑related risks during audits or tenders. Cloud outages are still rare, but their operational impact is large enough that they must be treated as a realistic scenario.
Standards continue to evolve, and 2026 will be a significant year for organisations certified to (or aligning with) ISO frameworks. ISO 22301:2019/Amd 1:2024, now fully in effect, introduces climate‑action‑related expectations that require organisations to explicitly consider climate change within their continuity planning. This means BIAs and continuity strategies should include relevant climate‑driven scenarios — for example, extreme heat affecting operations, flooding disrupting access routes, or drought impacting utilities or production. ISO auditors will increasingly expect evidence that organisations have assessed environmental factors within organisational context, stakeholder needs and recovery planning.
At the same time, ISO 9001 is undergoing its first major revision in a decade, with publication expected in September–October 2026. Early guidance indicates stronger emphasis on governance, ethical leadership, supplier controls and long‑term organisational resilience (all of which align naturally with continuity principles).
For continuity planners, 2026 will require adjusting BCMS documentation to reflect climate scenarios and ensuring cross‑links between continuity, quality, environmental and health‑and‑safety systems. Organisations should also anticipate stronger external scrutiny of supplier resilience, leadership accountability and cross‑functional risk governance. The year ahead will reward organisations that proactively align continuity thinking with these evolving standards rather than waiting for audit findings to surface gaps.
While much attention goes to cyber and cloud failures, the core continuity risks — facilities disruption, supply chain fragility, logistics constraints, workforce availability and utility failures — remain as relevant as ever. The past year reinforced this point. The Heathrow substation fire, caused by a transformer failure, resulted in airport closure and widespread travel disruption, showing how physical infrastructure incidents can have nationwide operational consequences. Similarly, the Jaguar Land Rover cyberattack affected manufacturing output and supply chain partners across the UK automotive sector, emphasising how interconnected modern operational ecosystems have become.
In 2026, firms should continue to strengthen their planning around these long‑standing risks. Facilities management remains essential, particularly where sites rely on older infrastructure or have known environmental vulnerabilities. Utilities planning should be realistic and should consider how long power, water or comms may be unavailable, not just the presence of backup equipment. Climate‑related disruption is becoming more common, including heavy rainfall, localised flooding, heat‑related equipment failures and storms. These events should be routine planning considerations rather than unusual exceptions.
Supplier dependency is also still a significant part of this picture. Many SMEs and mid‑market firms rely on a small number of critical suppliers for goods, logistics or specialist services. A disruption at one supplier can have a similar impact to a facilities incident. Diversifying key suppliers, reviewing single points of failure and mapping where alternative options already exist remain important steps for building resilience.
These risks often occur together. A flood may cut site access and affect utilities at the same time. A fire may create an immediate need to relocate and also cause delays or shortages from suppliers. Continuity planning for 2026 should recognise how these disruptions interact and should focus on joined‑up planning across people, facilities, suppliers and core processes.
Cyber threats continue to evolve and remain one of the most common causes of real operational disruption for SMEs and mid‑market organisations. Incidents in 2025 showed that cyber is no longer just an IT issue. It is a business interruption risk that can affect production, customer services, finance operations, communications and supply chain performance at the same time.
Ransomware, business email compromise and third party breaches are still the most frequent issues affecting smaller organisations. These incidents often lead to systems being isolated, access being restricted or data becoming unavailable. The immediate impact is operational stoppage, not just data loss. Many firms discover during an incident that they have no practical way to work offline, no manual processes and no agreed fallback for basic functions such as customer communication, order handling or payments.
In 2026, continuity planning should treat cyber disruption as a normal operational scenario to test. This includes identifying which processes depend on systems that are most commonly affected by attacks, agreeing manual workarounds, preparing offline materials and ensuring that teams know how to continue working if access to email, files or finance platforms is temporarily paused. Incident response plans also need to be connected to continuity plans so that the technical investigation does not prevent essential work from continuing.
For SMEs and mid‑market firms, the goal is not to create a complex technical playbook but to make sure the business can keep running while the IT teams handle the containment effort. Clear communication routes, agreed manual steps and the ability to function for a short period with reduced access are often the most effective continuity measures.
Many organisations still treat continuity risk assessments as a complex technical exercise — producing long lists, heatmaps and detailed scoring. But continuity planning is far simpler and far more practical than that.
Here is the principle:
If a risk disrupts a critical activity for long enough, it becomes a continuity scenario. If it doesn’t, it isn’t a continuity priority.
Your BIA should tell you what actually matters (and what "long enough" means). Emerging risks matter only when they intersect with those critical activities and timeframes.
Translate risks into operational scenarios - Instead of evaluating “cyber attack”, “extreme heat”, or “supplier collapse” generically, ask:
“If this happened, what would it stop us from doing?”
This turns each risk into something real, testable and meaningful.
Likelihood doesn’t change the need to plan.
For continuity planning, likelihood is only useful for deciding which scenarios to tackle first. If a scenario is feasible and the business impact would be significant, you plan for it — regardless of whether it’s likely or unlikely.
This keeps planning practical and impact‑driven.
Use a small, controlled set of scenarios. Most continuity programmes only need a small set of core scenarios such as:
Loss of site, Loss of people, Loss of system, Loss of supplier, Loss of utility, Loss of key third party, Loss of data/integrity
Emerging risks simply map onto these.
Continuity planning in 2026 is likely to be shaped by AI adoption, cloud‑service dependencies, updated standards, and evolving operational risks. But underlying all of this is a simple truth:
Continuity planning is scenario‑driven - If you know what’s critical, what could stop it, and how you’ll continue, you have an effective continuity programme.
Everything else is detail.