Unit 1 : Historical Background

The approach to threat management is changing

Modern threat management approaches are moving from a linear conception of risk management to a holistic understanding.

Threats to an organization are no longer understood as deriving from a single cause-effect relationship, but rather are generated by any organization’s position in a nexus of nesting market and stakeholder relationships.

Modern approaches to risk, therefore, tend to focus on elements that the organization has control over. In addition to prevention, the modern organization focuses on its resilience. 

Why focus on resilience?

Focusing on organizational resilience, of which business continuity is a key discipline, means focusing on reinforcing those elements contributing to success over which the organization can exercise its control.

A resilient organization, with strong business continuity capabilities, is an organization that is never absent from its «market», with all the positives that come from steadiness in the face of adversity, illustrated below. Resilience: 


What’s your toughest challenge?

Human beings, and especially when they cluster in large organizations, have a bias towards inaction – more precisely, a bias towards thinking that the past is always a predictor of the future.

«Things have always worked this way»; «we’ve never had to worry before» are all common memes that prevent an organization from changing with the times, especially when there are no previous examples of a problem that may nevertheless be on the horizon.

However, the tough reality is that though the probability of any specific crisis is hard to predict, the probability that organizations will face some kind of crisis is close to certainity.


Always remember: change is an uphill battle!

R© = F(nm)

“Resistance to change in an organization is a function of the number of employees (n) raised to the number of managers (m).”

An organization can have the most sophisticated resilience and continuity management structures in its “market;” if they are not staffed by people who understand why those structures are in place, and who do not appreciate the need to maintain and improve them, all that work and effort will turn out to be pointless in the hour of need. 


All glory is fleeting…

Resilience is, above all, a competitive advantage. It means more than responding to incidents or managing a crisis. A resilient organization is an organization that is capable of adapting to changes in the environment in which it operates, whether this is because of changes in consumer preference, in technological capabilities, or because of new regulations.

All of the companies on the right were once very successful companies in their respective field – some were even dominant. Yet, for one or more of the reasons we have just mentioned, they either vanished in the span or a few short years or occupy greatly diminished positions – while other competitors prospered. Why?   

“Netflix is not on our radar screen in terms of competition.
It’s Walmart and Apple we should be worried about.”

Jim Keynes – CEO Blockbuster (2008)


Nokia’s Example

In 1991, Nokia became the market leader in cellphone sales and one of the leading telecommunications companies in the world.

Indeed, between 1996 and 2001, Nokia saw an almost fivefold increase in turnover from €6.5bn to €31bn. By 2004, they sit on a 35% market share.

In 2007, Apple launches the I-Phone. By 2012, Nokia is a spent force. Analysts foresee a possible takeover by Microsoft, the company posts losses amounting to €1.3bn and it cuts 10,000 jobs as it closes its last factory in Finland1


1Monaghan, Angela. “Nokia: The Rise and Fall of a Mobile Phone Giant.” The Guardian, Guardian News and Media, 3 Sept. 2013.

Kering: Nokia’s “road not taken”

It’s useful to contrast Nokia with Kering, a luxury brand holding company. Why? Because both companies started out in the wood trade sector, from which they then moved on to other industries.

Instead of telecommunications, Kering moved into the luxury retail and fashion industries, growing to own and manage some of the most recognizable brands in the world (Gucci, Yves Saint Laurent, Balenciaga etc.).

They are not successful because of a single category of products. They rely on a diversified offering, in diverse markets and to diverse customers. In other words, they seem to have a more resilient base than Nokia did.


The most successful companies are always available

Looking at some of the world’s most iconic and most successful brands, they have one thing in common: no matter where you go or where you look, their services are always available, to the point that they almost seem to be thought more of as global infrastructure than private companies selling a product.

Global penetration is not only a strategy for increasing revenues; it’s also a resilience strategy. By not relying on a presence in a single market or national context, these firms inoculate themselves from geographically specific incidents or crises.

This doesn’t mean that they are invulnerable, but it does mean that the probability of any incident or crisis threatening the viability of the organization is much lower than if they did not operate in the way that they are. In other words, perfect business continuity at all times is the cornerstone of their market strategy.

What are the threats that we should be looking out for?

Of course, not every organization has the resources of today’s global market leaders. That doesn’t mean, however, that business continuity and resilience are out of reach.

Indeed, the experience of the Covid-19 pandemic forced many organizations to change the way they operate. Nevertheless, business continuity is not useful only in the face of crises, but also to manage more mundane, though no less severe, incidents that many organizations big or small encounter regularly.

On the right are the results of the Business Continuity Institute’s yearly Horizon Scan, illustrating the most common causes of businesss disruption, as reported by a sample of the global community.

The risk index is calculated as a product of the reported frequency times the reported impact. 

Source: Elliott, R. “BCI Horizon Scan Report 2022”. Business Continuity Institute, 2022