Rachael Elliott is Director of Global Strategy and Innovation for DRI International. With nearly 20 years of experience leading commercial research in organizations, she has particular expertise in the technology side of resilience, and a keen interest in how artificial intelligence can help to transform the resilience of organizations. In the first of a two-part interview, we asked her how resilience professionals can navigate the integration of AI and business continuity, along with potential ethical implications.

On AI and Business Continuity Plans:

Q: How can AI be used to automate and improve the execution of business continuity (BC) plans?

Using AI to fully automate the BC planning process is something that very few professionals would be comfortable with. What it can do, however, is assist in some tasks, such as the BIA process. Some BC software vendors are already actively implementing AI technology into their suite of tools leading to a natural – and often unintended – department-wide adoption of AI. Some of the uses of AI in business continuity management (BCM) are highlighted below:

• Semi-automation of the BIA process: We are a long way off AI technology fully automating the BIA process (would we ever be comfortable with that?!). However, AI can be used to make the process more effective e.g. using AI to compare multi-departmental BIAs for compliance to good practice and helping to synergize or flag differing opinions from different departments; it can ensure that BIAs are regularly updated based on new or emerging company and/or external information; it could assist those new to the discipline or business continuity championships to create BIAs within a company-recognized format.
• Internal information dissemination: AI has the capability to mine internal company information to map, for example, the number of near misses an organization has encountered over the past year, and break it down by category (e.g. cyber-attack, network outage, weather). This enables organizations to gain knowledge on where gaps lie in their resilience infrastructure. It can also build patterns from historical data to suggest where future vulnerabilities may lie.
• External information gathering: Used on its own or in combination with internal information, using known and trusted sources (such as the National Weather Service, the National Security Agency, regulatory updates, the World Health Authority Disease Outbreak news database, national risk registers), organizations can use data to inform their own risk mapping process which can be tailored to the needs of the company based on data sources selected.
• Scenario planning: A traditional problem when testing BC plans (BCPs) is that “out of the box” scenarios do not fit with an organization’s business model, the market in which it operates, or the intricacies of its operational structures. Organizations are now effectively using AI to create realistic scenarios – right down to creating videos to simulate, for example, a flood in their offices – to help create more engaging training and testing scenarios. More engaging training = more engaged employees (including senior management) which will ultimately mean staff are better prepared in a crisis.
• Integration with monitoring devices: Organizations can use and analyze data generated from monitoring devices connected to networks (IoT devices) to not only obtain patterns of alerts to help with analytics, but could also help provide to alert staff to an impending crisis (e.g. corporate seismic monitoring systems combining data with that from the USGS to trigger emergency plans).

There are just examples of some of the many uses of AI in a business continuity setting. In addition, some organizations might make use of generative AI to assist with template building, or even interlinking with existing software to help provide gamification of exercises already in place. However, with the possibilities – and normalization – of AI in organizations, professionals need to ensure they keep regularly informed of developments to both exploit the possibilities, and remain tuned in to the risks.

Q: What are the potential risks and vulnerabilities associated with relying on AI in business continuity plans, and how can these be addressed?

Information generation is only as good as the information being mined: Although there are clear advantages to using AI to generate insights from company data, if data is incorrect or misclassified, the information generated by an AI tool will also be incorrect. Furthermore, if external sources are also used, this needs to be correct as well – so obtaining information from verified, trustworthy sources is vital.

Also, professionals should be aware of bias by generative AI: a number of studies have shown that generative AI can not only create biased information, but also damaging, incorrect, and potentially litigious content. As well as only using trustworthy sources, professionals should also check any text or information which has been generated by AI.

Over-reliance on AI: For the reasons highlighted above, professionals should always err on the side of caution when using AI. For example, when ChatGPT 4.0 was asked to generate a BCP for a shop selling an English garden favorite, petunias, it put together a plan which, to someone without a BC background, might be used without question – particularly as ChatGPT was asked to create a “professional looking document”. With nothing to go on, the platform picked generic issues such a flower retailer may face, filling out its own ideas for suppliers, and only providing very limited guidance on emergency communications, for example. While such a tool could be very useful for building templates and providing a basis for thought, the information contained in the document will need revision in order to cater to the specifics of an organization.

People are the lifeblood of a successful BCM program: The people in an organization are often the reasons for plans failing: out-of-date HR records, poor password practices, or using public Wi-Fi networks when working on confidential information. While AI might be able to assist in the building of failsafe plans, risk assessments, and other documentation, organizations should not overlook the importance of face-to-face training, and carrying out regular testing (e.g. penetration testing) to ensure an organization’s weakest resilience link – the staff – are as prepared as they can be for an event, and fully trained in best practices.

On Ethical and Practical Considerations:

Q: What skills and expertise do business continuity professionals need to effectively leverage AI in planning and response?

The beauty of AI is in the simplicity of its usage: generative AI platforms (such as ChatGPT) are built on Natural Language Processing (NLP) making it very straightforward for business continuity professionals to adopt generative AI into their daily practices.

Successful AI use is to actually hone in perfectly with the soft skills required of BC professionals: a heightened degree of risk awareness, always questioning the content that AI produces, and ensuring regular information audits are carried out so that any mined data is reliable and accurate.

The ability to maintain an open mind into the use of AI is also needed: with news outlets still running articles about how “AI will steal all our jobs” and “robots will take over the world”, it is easy to view AI as something which should be avoided at all costs, opening up an organization to new and unwarranted risks. With measured adoption and using AI within agreed and trusted frameworks, AI can be viewed more as a business partner than a threat, and a tool for transforming resilience processes for good. My opinion remains: AI won’t be replacing jobs, but in order to succeed as a resilience professional in future, a key factor in that success will be knowledge and adeptness of using AI tools.

Q: How can organizations measure the effectiveness of AI in resilience and business continuity outcomes?

As business continuity professionals, strategies should already be in place to measure the effectiveness of BCPs. Metrics such as Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs) can be compared post-AI to pre-AI implementation. The speed of activation of plans could also be a measurement of improvement – for example, can actions to be taken in the Golden Hour (the hour following the report of an incident when initial actions are taken) be met? Has AI improved the percentage of tasks carried out in the golden hour being achieved?

For management, return-on-investment data will be gold dust to ensuing future investment in resilience plans. If metrics can be created to provide an idea of revenue saved by the use of AI (e.g. quick external communications thwarting potential sales losses, early detection of cyber-attacks meaning IT downtime is minimal), then executives are more likely to invest in technologies going forward (which could have the positive knock-on effect of getting them more keen to be involved in training and exercising!).

Click here to read part 2 of the Q&A, discussing AI’s impact on supply chain logistics.