The crisis in the Middle East and its global ripple effects have the potential to trigger a wave of ill-conceived business continuity initiatives. The most important thing we can learn from this situation is that every organization needs a resilience program that matches its industry, location, and threat environment.
Related: Same Old, Same Old: To BC Pros, the Challenges of the Iran War Are Not New
The conflict in the Middle East has seen drone and missile attacks on previously quiet cities, strikes on oil infrastructure and data centers, and an oil shock that has reached around the globe.
At many organizations, the crisis has generated new interest in BC. This is a positive development provided that organizations recognize that any initiatives they begin now will, at best, provide protection for future crises. Companies are going to have to get through the current situation with the BC programs they now have.
A potential pitfall of the new interest in continuity is that, given the current drama and high emotions, organizations might be led to make ill-considered decisions and investments regarding their resilience programs.
MHA has first-hand experience working with clients in the Middle East. MHA Senior Advisory Consultant Richard Long and I have worked on engagements in Israel, Saudi Arabia, and Bahrain. Two hotels in the region we stayed in last year were both hit in recent air strikes by Iran. I discussed the state of business continuity in the region in this post from a couple of years ago.
Some Middle Eastern countries have a long history of living under the threat of attack. Others have until recently been seen as safe havens. In the current crisis, some organizations are putting well-drilled BC plans into effect. Others are scrambling to deal with disruptions for which they are completely unprepared.
And of course the challenges aren’t limited to organizations located in the Middle East. The stranding of personnel, disruption of airline routes, war-related cyberattacks, shortages of oil and natural gas, and potential for financial shocks are affecting countries around the world.
In this environment, it would be easy for companies to conclude—and for business continuity consultants to suggest—that the sky is falling and every organization needs to start hardening itself to the maximum.
That would be unfortunate, because that is not the lesson of the current crisis in the Middle East.
The best insight to take away from the current situation is that every organization should harden itself to the degree that makes sense given its industry, geographic footprint, regulatory requirements, and threat environment. (For another take on this undramatic but proven approach to resilience, see Richard Long’s latest post, “Same Old, Same Old: To BC Pros, the Challenges of the Iran War Are Not New.”)
For organizations in the Middle East, this might mean being prepared in case 50 of your employees are suddenly called away to serve in the military or missiles start falling. In companies in the US and Western Europe, it is more likely to mean being prepared for cyberattacks, storms, reputational damage, or financial shocks.
Overinvesting in resilience can waste resources without improving outcomes. Organizations do not need to strive for maximum resilience. They should strive for appropriate resilience.
So far we’ve focused on the possibility of organizations overreacting to the crisis in the Middle East. Another type of response is when companies underreact, and this might be even more counterproductive.
It’s still the case, particularly in relatively stable regions like the United States, that many leaders dismiss the need for serious continuity planning. They assume that because they have operated successfully for decades without a major disruption, they will continue to do so. “We’ve been here 50 years,” they tell us. “We’ll be fine.”
The current crisis highlights the flaw in that thinking. Even organizations far removed from the Middle East are feeling the effects through supply chain disruptions, energy price volatility, cyber risks, and broader economic uncertainty. The idea that geography provides protection is becoming untenable.
Right-sizing resilience means doing what is necessary based on current risks, not old habits and casual assumptions. For many organizations, that will mean doing more than they are doing today in terms of identifying critical dependencies, addressing single points of failure, and ensuring they can continue operating through plausible disruptions.
The goal is not to match the resilience posture of organizations in high-risk regions. It is to ensure that your organization is prepared for the risks it is actually likely to face, and that it can withstand them without unacceptable impact.
The crisis in the Middle East is a powerful reminder of how quickly disruptions can escalate and how widely their effects can spread. It has also sparked renewed interest in business continuity, —an encouraging development if approached with discipline.
The key lesson is not that every organization needs maximum resilience, but that every organization needs the right level of resilience. Overreacting can waste resources, while underreacting can leave critical vulnerabilities unaddressed.
If you’re looking to determine the appropriate level of resilience for your organization—and build a program that aligns with your risks and objectives—MHA can help. Our BCMMetrics platform can help you assess the maturity of your program, and our team has extensive experience helping organizations gauge their exposure and implement practical, effective continuity strategies.
Further Reading
No. Organizations should aim for the level of resilience that matches their actual risk profile, not the maximum possible level. The appropriate level depends on factors such as industry, geographic footprint, regulatory obligations, and operational dependencies. Overinvesting in resilience can waste resources without improving outcomes.
High-profile events can create urgency, but they can also distort judgment. Organizations may overreact by investing in extreme scenarios that are unlikely to affect them, rather than focusing on the risks they are most likely to face. Decisions made under pressure can lead to misallocated resources, poorly prioritized initiatives, and programs that are not aligned with the organization’s real exposure. Effective business continuity planning should be driven by structured risk assessment and impact analysis, not by headlines.
No. A lack of past disruption is not a reliable indicator of future risk. Standards and leading practices in business continuity emphasize that organizations should prepare for plausible threats based on their operations, dependencies, and environment—not on their historical experience alone. Many disruptions, such as cyber incidents, supply chain failures, and regional crises, can affect organizations indirectly and without warning. Organizations that delay building continuity capabilities often discover their vulnerabilities only when it is too late to respond effectively.