Disaster Recovery Journal Spring 2026

REGISTER TODAY! www.drj.com/spring2026

Spring 2026 u Volume 39, Number 1

The State of Disaster Recovery Preparedness 2026

INSIDE ... Is Cyber Resilience Integrated into Organizational Resilience? Resilience at the Top: How CEOs Future-Proof Organizations Career Spotlight: Bethany Netzel of CME Group Emergency Notification Directory

Don’t Miss An Issue u Subscribe Today! u www.drj.com/#sign-up

Small-Medium Business Integrated Toolkit BIA Surveys, Dashbaords BC/DR Plan Templates 350+ Reports Low Cost

Global Enterprises Unlimited User Access Asset Geo-tagging Flexible, Customazible Integrated Workflow Voice, SMS Notification

www.eZPlan

(888) 480-3277

Platform for Building a Resilient Enterprise

• Cloud hosted • Secure Solution • Scalable • Product support • FREE upgrades

BIA, Plan Templates Gap Analysis Reports Exercise Management Role-Based Access Management Dashboards Management Consultants

powered by

nner.net

Info@eZPlanner.net

Make Confident Decisions When It Matters Most Fusion Is the Leading Platform for Enterprise Resilience Trusted by the Fortune 100

Visit Us at Booth 301

Scan to book a Meeting Today

Disaster Recovery Journal 1862 Old Lemay Ferry Arnold, MO 63010 636-282-5800 Internet: www.drj.com Email: drj@drj.com EXECUTIVE PUBLISHER Bob Arnold bob@drj.com EDITOR IN CHIEF Jon Seals jon@drj.com

TABLE OF CONTENTS

PRESIDENT Bob Arnold bob@drj.com DIRECTOR OF EVENTS Lesley Vinyard lesley@drj.com REGISTRATION MANAGER Rose Chotrow rose@drj.com MARKETING & DESIGN LEAD

COVER The State of

Disaster Recovery Preparedness 2026 By BRENT ELLIS

Nathan Anton nate@drj.com EVENT MARKETING Sonal Patel sonal@drj.com

EXECUTIVE COUNCIL Dan Bailey, Jeff Dato, John Jackson, Mike Janko, Margaret J. Millett, Ann Pickren, Steve Piggott, Damian Walch, Belinda Wilson EDITORIAL ADVISORY BOARD Erick Anez, Robbie Atabaigi, Scott Balentine, Rich Cocchiara, Adam Ennamli, Sherri Flynn, Corey Hahn, Colleen Huber, Lisa Jones, Melanie Lucht, Melissa Muñiz, Bogdana Sardak, Nicole Scott, Paul Striedl, Joy Weddington SOUTH AMERICA DRJ en Espanol Ruth Rocha , Directora Comercial + 51-1-436-6456 fijo Perú 786-600-1864 USA ruth.rocha@drjenespanol.com www.drjenespanol.com ASIA Business Continuity Planning Asia Pte Ltd (BCP Asia) Henry Ee 1 Commonwealth Lane #08-27 One Commonwealth Singapore 149544 Phone: 65-6325-2080 Fax: 65-6223-5363 General: enquiry@bcpasia.com Events: conference@bcpasia.com Direct: henry@bcpasia.com www.bcpasia.com UNITED ARAB EMIRATES Continuity and Resilience A Division of CORE MANAGEMENT CONSULTING Dhiraj Lal , executive director P. O. Box 127557, Abu Dhabi, UAE +971-2-8152831 | 7-971-2-8152888 dhiraj@continuityandresilience.com www.continuityandresilience.com

8

20 Is Cyber Resilience Integrated into

33 The New Enterprise

Attack Surface: AI Agents, Browsers, and Invisible Data Flows By PRAKASH MANA

Organizational Resilience? By JASON BUFFINGTON

25 Resilience at the Top: How CEOs Future-Proof Organizations By MARGARET J. MILLETT 28 Career Spotlight: Bethany Netzel of CME Group STAFF REPORTS 30 Foundation for Automated Enterprise DR Using AI By JEROME WENDT

36 Why 2026 Will Redefine Disaster Recovery as We Know It By DON BOXLEY, Jr.

44 Emergency Notification Directory

DISASTER RECOVERY JOURNAL is copyrighted 1987-2026, by Systems Support, Inc., all rights reserved. DISASTER RECOVERY JOURNAL is a registered trademark of Systems Support, Inc. Reproduction in whole or part is prohibited without expressed written permission. Articles submitted by readers do not represent the views or opinions of DISASTER RECOVERY JOURNAL and are published for their informational content only.

DISASTER RECOVERY JOURNAL | SPRING 2026 5

FROM THE PRESIDENT’S DESK

Staying Relevant in an Uncertain World T he world around us rarely sits still. Cyber threats, supply chain challenges, extreme weather, and economic shifts continue to test organizations in new ways. Even during periods of stability, remain a trusted voice within your organiza tion. This spring 2026 edition of Disaster

BOB ARNOLD, MBCI Hon.

Recovery Journal reflects that shift. Many of the articles focus on disaster recovery, cyber resilience, and how AI and other innovations are reshaping the recovery landscape. Jason Buffington’s survey highlights the growing divide between cyber and operational resil ience programs and the need to keep them aligned. Margaret Millett’s article on how CEOs future proof their organizations brings an important executive perspective and rein forces the need to connect resilience efforts to business value. Across these articles, one message is clear. The pace of change is accelerating, and the professionals who stay engaged and keep learning will be the ones who bring the most value to their organizations. Staying con nected to the broader community and keeping up with new ideas and real-world case stud ies is essential to maintaining credibility and influence. That is why participating in industry events and ongoing learning opportunities is so important. These gatherings provide practical insights, peer connections, and perspectives you can take back to leadership. They help you strengthen your program and reinforce your role as a critical advisor during times of stability, crisis, and uncertainty. Thank you for being part of the DRJ com munity and for the work you do every day to help your organizations stay ready for what ever comes next.

conditions can change quickly. In that kind of environment, resilience professionals are being asked to do more than maintain plans. They are expected to guide decisions and help leadership understand risk, impact, and opportunity. This edition also highlights the career journey of Bethany Netzel, now serving as a chief resilience officer. Her story is a strong reminder of how this profession continues to grow and how important it is to stay engaged, visible, and adaptable. Career paths in resil ience are no longer limited to traditional roles. They are expanding into leadership positions that influence strategy and business direction. Stories like Bethany’s show how continued learning, networking, and involvement in the community can open doors and strengthen long term career stability, especially during times when many professionals are facing uncertainty. The role of the resilience leader is evolv ing. Today’s professionals are not just plan ners or responders. They are strategic advisors who connect disruption to business outcomes and help executives make informed deci sions during stable periods, crises, and times of volatility. To stay in that role, it is critical to remain current on how risks, technolo gies, and expectations are changing. Staying informed and connected helps ensure you

PRESIDENT bob@drj.com

6 DISASTER RECOVERY JOURNAL | SPRING 2026

DRJ Spring 2026 Meet us at booth #310

The State of Disaster Recovery Preparedness 2026

By BRENT ELLIS

8 DISASTER RECOVERY JOURNAL | SPRING 2026

D isaster recovery (DR) is no longer a back‑office function. It is essential to keep the business running in the face of constant disruption. As technology stacks grow more complex and recovery expectations accelerate, DR prac titioners are becoming creative problem-solvers, adapting to new platforms, architectures, and failure modes. While many organizations now position DR as a strategic capability tied to enterprise risk management, readiness remains uneven. This report examines how DR programs are evolving, where gaps persist, and what it takes to meet modern resilience demands.

Disaster Recovery Preparedness Is Evolving, But Many Aren’t Confident DR capabilities continue to make up a significant element in enterprise resil ience strategy, but the technology stack is under rapid evolution first with cloud and now with AI. Forrester and the Disaster Recovery Journal (DRJ) have partnered to field market studies in business conti nuity and DR, gather data for benchmark ing, and guide research and publication of best practices for the industry. This study, which focuses on DR preparedness, was first fielded in fall 2008, and we update it every two years to assess how DR pre paredness is addressing challenges. We designed the 2026 study to assess confidence in DR strategy; drivers fueling improvements in DR preparedness; prac tices regarding DR program governance, planning, plan maintenance, and testing; ways organizations provision and archi tect their data center recovery sites; recov ery objectives and technology adoption; the continued need to scope cloud-native, SaaS, and third-party technology services as part of DR planning; and the emerg ing impact of generative AI on workloads which must be protected and on enter prises’ ability to execute DR strategies. We surveyed 74 respondents who indicated they had a DR program and completed the survey. We detail the survey methodology in the supplemental material section of this report, and our most important find ings follow.

DISASTER RECOVERY JOURNAL | SPRING 2026 9

Most Businesses Have A DR Function

Our 2026 survey responses show busi nesses recognized the need for a DR strat egy and capabilities, with more than 75% reporting some type of formal DR pro gram and an additional 16% indicating an intention to implement a DR program in the next year. Only about half of respon dents planned for DR at the enterprise level in a centralized program, and 6% of respondents planned for DR in localized silos (see Figure 1). The survey also found 66% of respon dents allocated between 0% and 10% of their total IT budget to DR, with 34% spending more (see Figure 2). When examining related responses across the survey, higher DR spend alone did not align with higher confidence in preparedness. Notably, respondents reporting greater preparedness confidence more frequently cited the use of automa tion, more frequent planning updates, and regular testing, suggesting execution discipline may matter more than budget levels alone. Disaster Recovery Is Largely An I&O Function with Executive Oversight Because DR is highly technical, it remains largely IT led: 47% of respon dents said the head of DR sat in infra structure and operations (I&O) (see Figure 3). Security ownership increased to 21%, signaling growing emphasis on cyber recovery. DR programs also reported higher in the organization, with 59% reporting directly to a functional C‑level executive and another 24% reporting one level below (see Figure 4). Alignment with enterprise risk manage ment (ERM) is strong, with 6% reporting via a dotted line, 15% reporting directly, and 45% working closely with ERM (see Figure 5). Together, executive‑level oversight and ERM alignment indicate DR is increas ingly being treated as a strategic function with greater authority to act.

10 DISASTER RECOVERY JOURNAL | SPRING 2026

SHAPING THE FUTURE OF GLOBAL RISK MANAGEMENT UNIFIED INTELLIGENCE, SECURITY, AND MEDICAL OPERATIONS Advanced Technology. AI at Scale. Human Expertise.

VISIT BOOTH #401/403

HEAR FROM OUR EXPERTS AT DRJ SPRING 2026

Solutions Track: Crisis24 Horizon: The Power of a Unified Platform for Mass Communications March 15, 4:00 PM – 5:00 PM Masterclass: Scaling the One-Person Team: From AI-Powered Workaround to Enterprise Resilience Model March 17, 2:45 PM – 3:15 PM Idea Lab: AI in Resilience: Balancing Opportunity and Governance March 17, 3:30 PM – 5:00 PM

FUTURE READY, NOW. GLOBAL RISK FORECAST 2026 Navigating risk with operational insight.

Crisis24’s Global Risk Forecast 2026 equips leaders to anticipate what’s next and act fast - with precision. Our annual report will show you where to focus, when to move, and what to do.

Access Report

DR Planning and Practices Leave Many Unprepared About 42% of survey respondents reported having a significant disaster, outage, or business disruption in the past two years. Additionally, fewer than 40% of respondents felt very or extremely pre pared to deal with a site failure or disaster (see Figure 6). Forrester found that: n Business impact analyses (BIAs), risk assessments, and DR plans need attention. Roughly 59% of respondents updated DR plans annually, with another 35% updating more frequently (see Figure 7). Risk assessments and BIAs followed similar update patterns. Fewer than 20% of respondents updated these three aspects of risk and recovery planning twice a year or more frequently. In a business climate defined by rapid technology change, long planning and update cycles increase the risk organizations are unprepared for disruptions involving new platforms, services, or emerging threats. n DR readiness dashboards remain poorly adopted. Despite increased operational resilience requirements and more tool availability, only 32% of respondents reported having a dashboard to indicate recovery readiness for their organization (see Figure 8). Without effective resilience reporting, identifying and prioritizing gaps in the DR

program becomes significantly more difficult, particularly as environments grow more distributed and complex. Businesses seeking enhanced DR capabilities should be testing DR plans and correlating service health metrics in real time to ensure SLAs for recovery can be met. Backup, risk management tooling, and resilience orchestration vendors have been adding readiness dashboards that report on infrastructure health, test network connections, and estimate recovery time objectives for named workloads according to the estimated time to execute a recovery plan.

12 DISASTER RECOVERY JOURNAL | SPRING 2026

Visit us at booth 400 & 402! Achieve verified recoverability with a measurable, repeatable DR approach that consistently meets RTOs.

Join us for our sessions on Monday & Tuesday:

Table top to Real-World: Proving You Can Recover from Ransomware Before It Happens Monday, March 16 @ 1:00 PM | Breakout Track th

Building Cyber Resilience: Five Actions to Strengthen Your Organization This Week Tuesday, March 17 @ 2:45 PM | Master Class th

Cyber Resilience: How to Show Leadership You’re Ready to Recover Tuesday, March 17 @ 3:30 PM | Idea Lab th

DR Site Preparedness and Failover Testing Lack Scope and Frequency A key component of DR preparedness is having an alternate site to launch work loads in the case of failure. Those DR sites are usually prepopulated with replicated data, virtual machine or container images, and the relevant automation to orchestrate failover in the case of crisis. Public and private cloud technologies have reduced the need for dedicated DR sites, with many businesses implementing disaster recovery-as-a-service strategies which use precached data, infrastructure-as-code (IaC) automation, and pilot light infra structure to minimize resource utilization until the point of failover. n Most businesses have at least one DR site. Sixty-three percent of enterprises had at least one DR site, with 30% of respondents having more than one (see Figure 9). However, increased use of cloud and SaaS means site-to-site failover does not address many core workloads. Additionally, given around 50% of organizations have an enterprise-wide DR program, many organizations may not provide resilience for core applications that are not visible to their DR planning functions. Based on direct conversations with DR leaders, issues related to poor criticality mapping, cost, and capacity planning reduce effectiveness of current DR site investments. n Failover isn’t tested frequently

enough. Forty percent of respondents reported their organization did a partial or full failover to their DR site (see Figure 10). Many organizations only test component by-component DR failover, which doesn’t replicate actual failure scenarios when an entire datacenter may be affected at once. Composable architectures like microservices also increase complexity, making component tests difficult, and can spread the blast radius of failure far beyond an isolated infrastructure environment. DR leaders should at least annually do a full scenario according to their DR runbooks and additionally test after major infrastructure or platform changes to ensure existing DR plans are still relevant.

14 DISASTER RECOVERY JOURNAL | SPRING 2026

Get Ahead of 2026’s Most Disruptive Weather Events

March 17 | 10:30–11:30 am ET

Extreme weather is getting more disruptive and less predictable. Join AlertMedia’s Director of Meteorology, Jason Moreland, to learn how organizations can stay ahead of what’s coming.

What 2025 taught us about climate risk

Key trends that could impact 2026

Practical ways to strengthen your readiness

$500

Visit booth #300 to connect with the AlertMedia team and enter to win a $500 Amazon gift card!

SEE HOW ALERTMEDIA SUPPORTS RESILIENCE

LEARN MORE

(800) 826-0777 // alertmedia.com // ©2026 AlertMedia

Modern Workloads Are Forcing a Rethink of Traditional DR As enterprise architectures shift to SaaS, cloud-native platforms, and emerg ing workloads like Kubernetes and AI, DR strategies are being stress-tested in new ways. Survey results not only show prog ress in expanding DR scope beyond tradi tional infrastructure but also expose gaps in maturity, consistency, and confidence – particularly for SaaS and complex cloud dependencies. The following sections highlight where adoption is strongest, where practices are evolving, and where DR teams still face the greatest resilience challenges. n Enterprise SaaS adoption is high, making it a priority for DR planning. More than 94% of respondents indicated they were using Microsoft 365, Google Workspace, Salesforce, or other enterprise SaaS tools. Furthermore, 93% of respondents considered all or some SaaS platforms in their DR planning. Even though leading SaaS platforms offer a robust backup ecosystem, SaaS resilience varies widely by application. Backing up SaaS data can be challenging, and true operational resilience requires far more than backup alone. Forrester’s “How To Create A SaaS Application Resilience Strategy, 2026” helps document strategies for recovery and resilience for SaaS applications and explains the reasons why enterprises should build a separate strategy for SaaS application resilience. n DR for cloud workloads is maturing

slowly. Cloud disasters typically take the form of service outages or degradation, with complex downstream impacts driven by cloud interdependencies. In 2025, prolonged outages at Amazon Web Services (AWS), Azure, and Cloudflare underscored this risk for organizations incorporating public cloud workloads into DR planning. Within this group, most respondents rely on intraprovider resiliency mechanisms such as failover between availability zones, with very limited use of cross cloud failover. A key challenge for cloud workloads is understanding both their risk exposure and the built‑in resiliency of cloud services. The October 2025 AWS US‑East outage showed how hidden dependencies, service concentration,

16 DISASTER RECOVERY JOURNAL | SPRING 2026

Recover your applications faster with AI-powered automated runbooks

Recover 50% faster

70% faster planning and testing

60% less regulatory prep time

Generate runbooks in seconds with AI

AI agents are revolutionizing disaster recovery and incident management

Many financial services enterprises struggle with manual and complex disaster recovery and incident response, leading to increased downtime and negative impacts on the business and customers. In these high-pressure scenarios, every second counts. Cutover Recover has been proven in the world’s largest banks to failover applications and respond to incidents faster, without sacrificing control or compliance. By providing transparency, explainability, and human-guided AI, Cutover turns operational chaos into coordinated success.

BT2-04

From Complexity to Control: The New Model for Responding to Technology Outages Learn how Al, automation, and orchestration elevate your recoveries, enabling reduced MTTR, improved collaboration, and greater operational transparency.

Respond and recover faster with AI

www.cutover.com

March 16, 2026 2:15 PM-3:15 PM ET

Forrester’s surveys show a vast majority of enterprises use Kubernetes for mainstream enterprise workloads. ... Fewer than one-third of respondents chose to respond to Kubernetes- and AI-related questions, suggesting limited adoption, limited visibility within DR teams, or uncertainty about how these workloads are currently addressed in recovery planning. “

the survey questionnaire. In this survey: n Twenty-nine percent of respondents were from companies that had 0 to 999 employees (which Forrester defines as small and medium-size businesses); 27% had 1,000 to 4,999 employees; 27% had 5,000 to 19,999 employees; and 17% had 20,000 or more employees. n All respondents were decision makers or influencers on their planning and purchasing technology and services related to DR. n Respondents were from a variety of industries. One part of the response set for this study was solicited from a select group of respondents (predominantly DRJ mem bers and Forrester clients) and is therefore not random. These respondents are more sophisticated than the average. They read and participate in business continuity and DR publications, online discussions, etc. They have above-average knowledge of best practices and technology in business continuity/DR. A second set of respondents was solicited based on their professional title in IT, DR, or risk management; this list was randomly generated. Additional responses were solicited via social media on LinkedIn and Twitter for a semiran dom response set. With a combination of random and nonrandom responses, the survey serves as a valuable tool in under standing where both advanced and aver age users are today as well as where the industry is headed. Special thanks to Lauren Nelson, Amy DeMartine, Samishti Bhatia, and Kara Hartig of Forrester Research for their contributions. v “

and technical debt – amplified by hyperscaler automation – can trigger regional failures. Mitigating these risks requires rethinking DR and adopting resilience‑focused practices such as site reliability engineering (SRE), platform engineering, IaC, and chaos engineering. n Resilience-oriented operations practices are gaining traction. Practices such as SRE, platform engineering, IaC, and chaos engineering are well established in cloud native environments and beginning to appear among a small subset of organizations managing on premises workloads. Forrester’s “The State Of Cloud Resilience, 2026” found practices like SRE and platform engineering are gaining traction, especially to improve workload stability and avoid potential outages. While only a limited number of survey respondents reported adopting these practices, their use directionally correlated with more frequent testing and higher self reported recovery readiness. n Address the DR gap in both Kubernetes and AI workloads. Survey questions related to Kubernetes and AI workloads received very few responses, suggesting either

limited adoption, limited visibility within DR teams, or uncertainty about how these workloads are currently addressed in recovery planning. Forrester’s surveys show a vast majority of enterprises use Kubernetes for mainstream enterprise workloads. But container based architecture presents specific challenges for DR, especially for synchronous replication topologies. Fewer than one-third of respondents chose to respond to Kubernetes- and AI-related questions, suggesting limited adoption, limited visibility within DR teams, or uncertainty about how these workloads are currently addressed in recovery planning. Supplemental Material The State of Disaster Recovery Preparedness 2026 survey was fielded globally to IT, DR, and risk profession als with affiliations to Forrester Research and the DRJ as well as to a randomized list of IT, DR, and risk professionals. Additionally, on LinkedIn and Twitter, we solicited responses from technology professionals with responsibility for DR planning. This process generated a total of 95 responses, with 74 indicating they had a DR program and completed the survey. Analysis in this report focused on respon dents who completed relevant sections of

Brent Ellis is a principal analyst with Forrester Research. He is focused on help ing clients find solutions to hard problems like technology resilience, hybrid cloud storage platforms for AI, and modernizing

legacy workloads to unlock business agility. Ellis brings infrastructure and operations experience, empathy for the human elements in technology deployment, understanding of business contexts, and curiosity to every engagement.

18 DISASTER RECOVERY JOURNAL | SPRING 2026

Risk Engineering for What’s Ahead

Fire Protection Engineering

Natural Hazard Analysis

Electrical Protection Services

Jurisdictional Boiler & Pressure Vessel Inspections

Boiler & Machinery Engineering

Infrared Thermographic Surveys

Insurance Asset Valuation

Fire Protection Code Compliance

Resilience isn’t built overnight. It’s built with us.

For 65 years, Global Risk Consultants (GRC) has provided data-driven risk engineering that keeps businesses running smoothly, lowers insurance costs and improves resilience.

Is Cyber Resilience Integrated into Organizational Resilience?

By JASON BUFFINGTON

E DITOR’S NOTE: 502 resilience leaders and professionals were surveyed during the summer of 2025 on a variety of topics related to organizational resilience. Each of the survey respondents had primary responsibility in either business continuity (BC), disaster recovery (DR), crisis man agement (CM) or information security (IS). www

This is second of three articles from this year’s organizational resilience research and covers the knowledge and collabora tion gaps between those responsible for BC, CM, DR and those responsible for information security – and the impacts that has on an organization’s cyber resilience. One of the most insightful ways to understand how functional leaders across four different disciplines might affect their organization’s comprehensive organiza

tional strategy of resilience is by leverag ing the “RACI” model: n Responsible (R): Those who do the work (can be multiple Rs) n Accountable (A): The person ultimately answerable for the outcome or sign-off n Consulted (C): Those engaged for their expertise or as stakeholders n Informed (I): Those who don’t provide input but should remain aware of status

20 DISASTER RECOVERY JOURNAL | SPRING 2026

Is Your BIA a Business Tool or a Paperweight? Find us at booth #407

We’re Presenting at DRJ Spring, March 16th at 2:15 PM

Is your organization’s IT Disaster Recovery (IT/DR) plan integrated into your Business Continuity Program? We’d love to show you how Mitratech’s all-in-one continuity software can seamlessly integrate your IT/DR plan with your BCP. Reach out to us today to schedule your free demo.

Beyond the Checkbox: Transitioning to a Continuous, Data-Driven “Live BIA” Model The Business Impact Analysis (BIA) is a continuity cornerstone, yet traditional manual methods often produce “static snapshots” that are obsolete before they are finished. In today’s high-velocity risk environment, relying on year-old data for real-time recovery is a major vulnerability. This session introduces the “Live BIA”—a shift from labor-intensive annual cycles to a rolling, integrated model. We will explore how to move beyond compliance-driven “checkbox” activities to create a dynamic framework that reflects the current state of the business. Attendees will gain a roadmap for transforming the BIA into a strategic tool for faster, data driven executive decision-making.

Scan to b ook your free demo

Looking to scale or integrate your BIA and Business Continuity with the bigger picture? Mitratech GRC breaks down the silos between IT/DR, Continuity, and Enterprise Risk. We help you move beyond manual processes into a uni ied ecosystem where your data works together to provide a single, real-time view of Operational Resilience. Don’t just manage risk—anticipate it.

Explore Mitratech 's GRC Suite

That said, 68% of survey respondents outside of InfoSec claimed “little to no” experience or exposure, reducing taxon omy and likely cross-functional empathy on how to partner on comprehensive resil ience. It should come as no surprise a sig nificant portion of any resilience education event – including DRJ spring and fall con ferences – boast a significant percentage of its curriculum covering ransomware, AI, or both. Is Cyber Resilience Reaching the C-Suite or Board? For many resilience professionals, a key challenge or inhibitor for them improving the resilience posture of their organization is the lack of support from senior manage ment. n One in four respondents identified “senior management support” as one of their top three challenges. n One in five cited “improved engagement with senior management” would be the single biggest accelerant to their organization’s resilience. Digging deeper, respondents were

FIGURE 1 – Respondents’ RAC across resilience initiatives.

For the purposes of this research, respondents were either engaged, informed, or “out of the loop.” As one might expect, nearly all respondents were engaged in business continuity and nearly the same in crisis management. However, as the resilience initiatives focused more on technologies, engagement gave way to informed or not included (see Figure 1). The art and science of organizational resilience requires expertise from a vari ety of fields, which often gives opportu nities for resilience professionals to gain exposure and expertise across a variety of resilience initiatives. For some, this results in career progression. For others, cross functional acumen enables better partner ing toward the greater goal of business resilience. This can be seen when respon dents from the survey were asked how many years of direct responsibility or rou tine interaction they had across five related disciplines, including the four resilience functions, as well as governance/compli ance (Figure 2). The chart does not tell the whole story. At face value, one could infer less experi ence in cybersecurity. Actually, informa

tion security professionals boasted more than 14 years in the field (equitable expe rience in their area of expertise).

FIGURE 2 – Years of experience in each resilience field, with respondents averaging 17.7 years in resilience roles.

22 DISASTER RECOVERY JOURNAL | SPRING 2026

A Leader in Business Continuity for Now 25 Years

3 solutions

has been helping worldwide organizations manage the unpredictable for 25 years. Whether you need to implement your business continuity program, strengthen it or automate it, you can count on us. Work with a well-rounded BC partner, with a collaborative and holistic approach that supports your teams at every step of your BCM program. Premier Continuum

Automation software

Certified training

World-class consulting

LET'S BUILD SMART RESILIENCE

6 fields of expertise We've been in the business for 25 years. Talk about resilience.

BUSINESS CONTINUITY

OPERATIONAL RESILIENCE

IT/DR

CRISIS MANAGEMENT

RISK MANAGEMENT

EMERGENCY RESPONSE

What To Do About It Those are some data points to show how cyber resilience is not as intrinsically integrated into an organization’s overall business resilience, relative to many of the traditional business continuity or IT disas ter recovery initiatives. As BC/DR profes sionals, ask yourself and your teams to assess your circumstances, compared with the figures above: 1) Where are you and your team in the “RACI” of cyber resilience initiatives? Are you responsible or accountable for any of the supporting functions? Are you consulted on strategy and execution alignment? Are you informed ? Are you completely out of the loop? 2) When considering your interactions with senior leadership related to resilience initiatives, what would you estimate their year-to-year change in interest is related to cyber security? Accordingly, are they spending any less time considering the resilience of other business processes, third-party providers, or governance/ compliance? v

FIGURE 3 – Engagement with leadership regarding organizational resilience.

asked about their engagement with a vari ety of senior leadership roles as shown in Figure 3. The good news, roughly 80% of resilience professionals are either “well engaged” or have “regular awareness” interactions with both business stakehold ers and IT leaders. That said, the amount of engagement declines when seeking sup port from senior leadership or the C-Suite and significantly declines when attempt ing to interact with the board. Of course, not all senior leadership/

board topics are equal. When asked about the year-to-year interests and prioritiza tion of resilience topics within senior leadership, respondents noted concerns of cyber security are gaining a disproportion ate amount of increased interest by senior leaders. That said, with a finite amount of time and focus for resilience by senior leaders, the survey reveals relatively less prioritization of business process resil ience, dependencies on third parties, and governance/compliance.

Jason Buffington has more than 35 years of experience in the IT disaster recovery space, been a CBCP since 2003, spoken at hundreds of DR and IT events, and pub lished in numerous periodicals and blog

sites. He is the founder of Data Protection Matters, an independent research and analyst firm focused on data protection, cyber resilience, BaaS & DRaaS, and BC/DR. Buffington is active in the BCI AI-SIG and the ACP. Outside of BC/DR, he is an executive coach and an active volun teer leader in Scouting America; “Be Prepared” is their motto too. For more on the research topics and methodol ogy, please visit https://DataProtectionMatters.com/OR26.

24 DISASTER RECOVERY JOURNAL | SPRING 2026

Resilience at the Top: How CEOs Future-Proof Organizations

a critical truth: resilience cannot be del egated. It must be led. The chief executive officer (CEO) is uniquely positioned to serve as the chief resilience officer of the enterprise. Sitting at the intersection of strategy, finance, operations, culture, and external stakeholders, the CEO has the holistic perspective required to assess resil ience, strengthen it, and embed it into the organization’s core operating model. Resilience, when approached as a stra tegic capability rather than a defensive function, enables organizations not only to withstand disruption but to emerge stronger because of it. Defining Resilience as a Leadership Discipline Resilience can be defined as the abil ity to prepare for disruption, respond effectively when it occurs, and adapt in

I

By MARGARET J. MILLETT

n an era defined by volatility, uncer tainty, and constant disruption, orga nizational resilience has become a defining leadership responsibility. Market shocks, geopolitical instabil ity, technological change, regulatory pressure, and societal expectations

now converge at unprecedented speed. While many organizations have invested in risk management, business continuity, and crisis response capabilities, research consistently shows leaders and boards continue to feel underprepared for the next major disruption. This gap highlights

DISASTER RECOVERY JOURNAL | SPRING 2026 25

ways that create long-term advantage. This definition expands resilience beyond crisis management or recovery planning. It positions resilience as an ongoing lead ership discipline that supports sustainable performance. Organizations that excel in resilience

tend to address four interdependent dimensions. Financial resilience pro vides flexibility through strong balance sheets, liquidity, and disciplined capital allocation. Operational resilience ensures critical products, services, and processes can adapt quickly at scale. Organizational

resilience enables individuals and teams to cope with change, learn from setbacks, and remain aligned to a clear sense of purpose. External resilience reflects the strength of relationships with customers, regulators, investors, suppliers, and part ners who become essential allies during periods of disruption. Only the CEO has the authority and visibility to balance these dimensions and ensure none are overdeveloped at the expense of others. When resilience is uneven, organizations may appear strong on the surface but remain vulnerable in moments of stress. Embedding Resilience into Vision and Strategy One of the most powerful actions a CEO can take is to embed resilience directly into the organizational vision. During periods of uncertainty, employ ees look to senior leadership for clarity, direction, and reassurance. A clear and consistently communicated “North Star” allows teams to navigate ambiguity while remaining aligned to strategic priorities. High-performing CEOs intentionally balance short-term performance demands with long-term value creation. They adopt a through-cycle mindset that considers second-order and downstream impacts of disruption. Rather than reacting impul sively to immediate pressures, they assess whether to pivot, pause, or stay the course based on long-term resilience and growth objectives. Resilience and growth are not compet ing priorities. In fact, organizations that link the two explicitly are better positioned to innovate during disruption. CEOs can reinforce this connection by introducing structured stress testing, scenario analysis, and simulations that challenge assump tions and expose vulnerabilities before they become crises. These exercises create learning opportunities and strengthen decision-making under pressure. Building Full-Body Organizational Resilience Just as physical strength requires balanced muscle development, orga-

26 DISASTER RECOVERY JOURNAL | SPRING 2026

Disruption is no longer an exception. It is a constant. The organizations that will thrive in this environment are those led by CEOs who embrace their role as chief resilience officer. “

Strengthening External Resilience Through Relationships Modern CEOs are expected to engage with a broad and diverse set of exter nal stakeholders. Reputation, trust, and credibility are strategic assets that directly influence an organization’s abil ity to navigate crises. Strong relation ships with regulators, partners, peers, and communities enable collaboration when speed and coordination matter most. An intentional external stakeholder strategy allows CEOs to shape narra tives, align expectations, and mobilize collective action during periods of stress. Organizations that invest in these rela tionships before disruption occurs are far better positioned to respond effectively when it does. Conclusion Disruption is no longer an exception. It is a constant. The organizations that will thrive in this environment are those led by CEOs who embrace their role as chief resilience officer. By embedding resilience into vision, strategy, culture, and operations, CEOs create enterprises that can endure uncertainty and convert disruption into opportunity. Resilience is not a defensive posture. It is a leadership choice and a strategic advantage. CEOs who make that choice position their organizations to grow stronger, inspire confidence, and remain relevant in an increasingly complex world. v She is the 2023 Business Continuity Institute (BCI) Lifetime Achievement Award recipient and a sought-after global speaker and author. Millett currently serves on the DRJ Executive Council. She serves as past chair of the Alzheimer’s Association of Eastern North Carolina and has been appointed to the North Carolina Symphony Society Board. She has also previously advised the UN Office for Disaster Risk Reduction. She has spoken at numerous business resilience related conferences in North America, Europe, the Middle East, Asia and Africa. “ Margaret J. Millett, MsBC, FBCI (Hon), MBCP, is the CEO and founder of Seamless Horizon, Inc. She has driven business resil ience across Fortune 300 IT and financial services companies in the US and Ireland.

nizational resilience requires propor tional investment across all dimensions. Overreliance on heroics or informal workarounds may solve short-term prob lems but often leads to burnout, inconsis tency, and systemic weakness. CEOs play a critical role in ensur ing resilience is operationalized through clear processes, adaptable playbooks, and decision rights that empower teams while maintaining accountability. When disrup tion occurs, organizations with strong resilience frameworks can respond with speed and confidence rather than improvi sation and confusion. Learning from crises is equally impor tant. CEOs who act as students of crisis systematically capture lessons learned and translate them into lasting improve ments. By embedding resilience into systems, governance, and culture, they reduce reliance on individual intervention and increase organizational capacity to absorb future shocks. Forcing Decisions When Resilience Is at Risk There are moments when resilience must take precedence over convenience, speed, or short-term financial optimiza tion. In these moments, CEOs must be willing to intervene directly, challenge assumptions, and force difficult conversa tions with senior leaders. Decisive leadership strengthens

organizational health. Asking hard ques tions about flexibility, optionality, talent development, and frontline empowerment reinforces the message that resilience is a nonnegotiable priority. Constructive debate, followed by clear decisions, ensures alignment and builds trust even when trade-offs are required. Cultivating Resilient Teams and Individuals Resilient organizations are built by resilient people. CEOs influence this out come through hiring, development, and role modeling. Technical skills and past success matter, but adaptability, grit, and learning orientation often matter more in environments shaped by continuous change. By embedding resilient traits into talent processes and leadership expecta tions, CEOs help create teams that can pivot quickly and remain effective under pressure. Modeling calm, transparency, and vulnerability during challenging moments further reinforces psychological safety and trust. When leaders demon strate resilience openly, employees are more likely to do the same. Maintaining personal resilience is also essential. CEOs who invest in trusted advisors, reflect on their own leadership effectiveness, and manage their energy intentionally are better equipped to lead others through disruption.

DISASTER RECOVERY JOURNAL | SPRING 2026 27

CAREER SPOTLIGHT

Career Spotlight: Bethany Netzel of CME Group

ChicagoFirst regional coalition, which focuses on resilience and security plan ning, and I’ve co-led the Reconnection Working Group for the Financial Services Sector Coordinating Council. How did you get into the business resilience industry? I started in disaster recovery at Progressive Insurance’s technology divi sion. My undergraduate degree was in science – not technology or business – so it was quite a leap to pivot to a role in resilience. When I first interviewed for a role in this area, the hiring manager men tioned he was looking for someone with people skills. He then helped me learn the technical side. That was very refreshing. I’ve had some amazing mentors through out my career, who continue to teach and expose me to different ways of thinking, as well as leadership styles. For that, I am extremely grateful.

gations, executive protection, background checks, security systems processing, officer management and command center security operations. I’m also very active in the financial services sector, focusing on security and resilience. I serve on the board of the Financial Services Information Sharing and Analysis Center (FS-ISAC), where I’ve had the honor of co-writing the TriSector playbook for the communica tions, electricity and the financial sectors, and participating in G7 planning commit tees on reconnection, cloud and geopoliti cal risks. I’m also the board chair for the

Tell us about yourself – your name, company, title, and responsibilities?

I’m Bethany Netzel, managing director and chief resilience officer, operational resilience and global security at CME Group, which is a large exchange and clearing house for the markets. I lead the operational resilience program that includes business continuity, system resilience, crisis management, vendor risk management, operational risk and compliance management. I also head up the global security department that has program areas such as corporate investi

28 DISASTER RECOVERY JOURNAL | SPRING 2026

CAREER SPOTLIGHT

tions change, you have flexibility in your decision. I remember during COVID when there were so many unknowns, it was easy to get stuck. But my team, who are amazing, relied on each other to gather the infor mation we could, provide some direction and keep moving forward with a common goal. Most importantly, I would say be pas sionate about what you do and be a good person. I think treating others with respect and having a good moral compass is the best way to tackle any challenge and lead by example. What aspects of working in this industry would you like to see change or evolve? I would like for the importance of resilience to be understood more broadly. I think the definition and concepts get muddy when there are new risk areas identified. This can often spin up new topical areas and programs without understanding they are within the realm of resilience. In my opinion, if you have different ways of evaluating risks and responding, identifying what is critical, etc., it will not be as effective, and people will make decisions with a narrower view, versus looking at it with a wider lens. At CME Group, I have the opportunity to speak to our board of directors quar terly about resilience and I believe that should be a topic of conversation in any company. The mission of any resilience program is to safeguard the interests of the company, employees, customers and investors. Resilience programs are iden tifying the risks which may be coming down the pipeline, which I believe is something all board members should hear. What types of formal training and certifications have you pursued, and what kinds of learning and networking opportunities are you seeking to continue your professional development? I don’t ever want to be comfortable. I’m always pushing myself to do new

things. I believe if you aren’t uncomfort able every now and again, then you aren’t growing. I’m constantly thrown into situations where I experience new dynam ics, a new topic or audience I may not know and sometimes it can be scary. But I always push myself to do it. My daughter says that nervousness is excitement, and you just need to flip your thinking, which I think is great advice. What gets you excited about your career? I feel very lucky for the experiences I’ve had, but most of all, the people I work with. My teams at CME Group include amazing people who are well rounded, push themselves, are honest with each other and work tremendously hard. It has taken us some time to achieve this dynamic and we have hired in a specific way to ensure we have the best of all worlds. I appreciate we never have “group think” and we respect each other enough to say when we don’t agree. I love when I see everyone laughing together or just teasing one another. It’s the most amazing group of people. I’m also excited to be part of the finan cial services sector work. The people I work with are so passionate, smart and at the best at what they do. Everyone gener ally has a common goal of how we pro tect the sector and progress the agenda. It has been amazing to see this in action. What advice would you give to those embarking on a career in this industry? At the risk of sounding like a Nike ad, “Just do it!” Jump in with both feet if you are interested in resilience. New best practices and evolving risks are popping up every day, so there isn’t anyone who is an expert in everything and there is always something new to discover or plan around. I think being in the resilience industry is a mindset around understand ing risk, balancing priorities and knowing how to move forward. Incidents happen all the time, even though you only hear about ones in the news.

Tell us about some of the challenges you have encountered in your career? The biggest challenge my team and I face on a regular basis is balancing innovation and strategic growth with the requirements of being secure and resil ient. When I started in this industry in the late 90s, it was very much a box check ing exercise, but as the risk landscape continues to become more complex, down time and reputational risk are no longer tolerated, resilience has become a key pillar in the journey for government and businesses, so my team and I often use the guiding post of, “What is right for the company, is right for us.” That doesn’t always mean doing the easy thing – a lot of times, it’s the harder thing to do, but it’s necessary. Have you had any mentors? Describe the effect they have had on your career. I’ve had two mentors in my career who really stand out. Both have been my managers at different times. They’ve been impactful to me because I appreciated the way they operated, how they treated others, the ethics they had and how they stood up for what they believed in. They had extremely high expectations, but I learned the most from them and I’m grateful to have been on their teams. What are some lessons learned you still leverage today? I continue to pick up nuggets along my career journey. I think observing and listening, versus being the person always talking, is very important. It allows you time to read the room and hear what other people are saying. I also believe in understanding your audience and what is important to them when putting forth an idea or providing feedback. I think as you move forward in your career, you must get comfortable with ambiguity. Try not to get paralyzed if there isn’t perfect data and consider what you do know to make a decision. If you need to build-in assumptions, do it so if those assump

29 DISASTER RECOVERY JOURNAL | SPRING 2026