Australian organisations are relying on business continuity plans built for a far more predictable world

Tariff escalations, supply chain fragility, geopolitical events, and the ongoing threat of cyber disruption have reshaped the risk environment facing Australian organisations. The problem is that many business continuity plans belong to a different era, one where disruptions were more isolated, were resolved faster, and were far easier to predict.
Research indicates that only one in four Australian SMEs has a disaster plan in place. Among those that do, Splunk's research found that while 93% of Australian business leaders believed they were prepared for disruption, 90% experienced a serious incident in the past year that resulted in prolonged downtime. Tom Barham, Director of business continuity training provider Risk Training Professionals, says the way businesses approach risk is part of the issue itself.
“One of the most overlooked continuity risks is treating business continuity as an IT issue rather than a business risk.
“When business continuity plans are built only around IT disruptions, they miss a wide range of other threats that can affect an organisation’s ability to operate, including impacts to people, suppliers, facilities, and critical processes.
“This narrow focus creates a false sense of preparedness, leaving organisations exposed when disruptions fall outside of technology-related scenarios and affect the broader business in unexpected ways.”
These are no longer hypothetical worst-case scenarios. The first quarter of 2026 demonstrated how quickly geopolitical instability can move through global supply chains and land directly on Australian businesses.
Data from more than 1,600 manufacturers showed average sales revenue for Australian small manufacturers fell 44.2% year on year in the first quarter of 2026, while stock on hand values dropped 56.8% as businesses moved to liquidate inventory and preserve cash amid rising input costs and freight surcharges.
A conflict unfolding on the other side of the world began to show up on Australian balance sheets within weeks. Very few organisations had planned for that exact scenario, because very few organisations had predicted it, which is precisely the point.
“Business continuity plans often fail in real conditions because they are too rigid and assume disruptions will unfold in predictable, linear ways,” Barham says.
“In reality, disruptive events tend to be more complex, with multiple issues occurring at the same time and evolving quickly, which can render overly prescriptive response plans ineffective.”
In an environment where geopolitical events can close shipping lanes overnight, and tariff decisions made overseas can ripple through Australian supply chains within weeks, the question is no longer whether businesses will face a serious disruption, but whether they’ll be ready when they do.
For organisations wanting to assess whether their business continuity plan remains fit for purpose, Barham has identified five common warning signs:
- Roles for a continuity response are not clearly defined or understood,
- Testing processes exist in theory only,
- Plans no longer reflect the organisation’s current risk profile,
- Continuity planning doesn't align with other organisational processes and frameworks, and
- Recovery strategies are impractical under real-world conditions.
“A practical way to strengthen business continuity is to ensure roles within the response structure are clearly defined and understood, including by those in leadership,” Barham says.
“This means assigning clear risk ownership, establishing who has authority to make decisions, and setting out escalation points and communication processes in advance, so people are not figuring it out under pressure.
“On top of that, building in redundancy, such as deputies or backup roles, ensures continuity even if key individuals are unavailable and allows the response to adapt as situations change.”
Frameworks such as ISO 22301, the international standard for business continuity management systems, provide a structure for building that capability systematically.
In a global environment where the next disruption may not arrive with a weather warning or a single identifiable trigger, that level of preparation is becoming increasingly hard to treat as optional.