Power outages are no longer rare disruptions. As extreme weather, energy volatility, cyber threats and ageing infrastructure increase blackout risks globally, risk managers must ensure their organisations can function in the dark and recover quickly.
Power resilience is an increasingly overlooked area of enterprise risk management, yet recent events suggest it deserves far greater attention. Around the world, outages are growing more frequent and more disruptive.
Climate-driven wildfires, grid instability, cyberattacks, extreme weather and fuel shortages have all played a part, and the impacts are no longer limited to developing markets.
Recent years have seen blackouts across California, Texas, South Africa, Pakistan, Australia and southern Europe, with some of the most damaging effects felt in highly digitalised economies. Even in the UK, contingency planning under Programme Yarrow includes scenarios in which just 60% of national electricity demand could be met for up to seven days.
In this context, energy security is no longer an operational issue. It is a board-level threat to continuity, reputation and supply chain integrity. Yet many organisations continue to treat it as a facilities problem rather than a strategic risk.
Overdependence on digital systems
The most significant vulnerability is not the loss of power itself, but the loss of the systems that rely on it. Organisations have spent years digitising processes for speed, efficiency and remote working. But these gains have come at the cost of resilience.
During the April 2025 blackout that hit Spain, Portugal and parts of France, even companies with mature continuity plans struggled to activate them. Mobile and internet networks collapsed. Payment systems failed. Cloud access disappeared. Communications between crisis teams broke down completely.
In the words of Marsh’s Álvaro Marin: “The blackout underscored that energy security is the foundation of resilience in the digital world.”
Too many organisations now lack manual alternatives to their core systems, and too few have tested what happens when those systems fail. Without power, even a well-crafted continuity plan becomes a PDF no one can open.
The hidden risks of hybrid working
Hybrid working has further complicated the resilience equation. Many organisations assume that a loss of office access or IT services will be temporary and contained.
But in a decentralised working model, business continuity relies on employees having stable power, broadband and communication tools in their homes, assumptions that no longer hold true.
Zurich’s resilience experts note that most business continuity plans have not evolved to reflect this shift.
Risk managers must now account for new vulnerabilities in home settings, including how to maintain contact with key personnel when mobile and internet networks are down. Hard copy protocols, alternative meeting points and pre-planned check-in schedules may need to be reintroduced.
Employee preparedness matters too. In some regions, such as Australia, residents are encouraged to create home emergency kits and survival plans. Organisations can adopt a similar model, providing staff with guidance and checklists for prolonged disruption.
Communications will fail first
One of the most important lessons from recent outages is that communication failure quickly becomes the biggest operational barrier. When phone lines, internet services and cloud-based platforms fail, even routine coordination becomes impossible.
Businesses must build alternative channels into their plans.
This might include satellite phones, two-way radios, pre-agreed fallback comms apps or decentralised command structures with delegated decision-making authority. Simulation exercises should test blackout scenarios specifically, including total loss of connectivity, to expose gaps in real-world response.
Marsh’s post-event analysis concluded: “If you can’t communicate with everyone involved, it is really hard to proceed with the plans.”
Supply chains and external coordination
Even if your organisation is resilient, your partners and suppliers may not be. Most continuity planning still focuses on internal response, but power cuts do not respect organisational boundaries. Transport systems, warehousing, data centres and suppliers all face similar exposure, and your recovery will only be as fast as the slowest link.
Risk managers should conduct end-to-end mapping of critical dependencies. Which suppliers would be affected first? How long could you operate without them? Are alternate sources available in a disruption?
Coordination with external actors also matters. Local authorities, utilities and emergency services may prioritise support for organisations on their protected site lists. In the UK, this falls under the Electricity Supply Emergency Code (ESEC), but eligibility is not automatic. Businesses must apply in advance and demonstrate a qualifying public interest or safety role.
What good looks like
Effective power resilience strategies share several common features:
- Scenario testing under realistic conditions, including multi-day blackouts and no communications
- Backup systems that are appropriately scaled, regularly tested and accessible across all critical operations
- Communication protocols that include offline alternatives and clear escalation chains
- Employee safety planning, including evacuation, site lockdown and remote support procedures
- Energy audits to identify the processes most at risk and support safe shutdown or prioritised continuation
- Cross-sector collaboration with authorities, utilities and peers to coordinate response and recovery
- Crisis messaging plans that anticipate disinformation and ensure stakeholders receive timely, trusted updates
These measures must be embedded, trained and rehearsed. As Karla Gahan of Barnett Waddingham put it: “Actively run exercises to test your response teams and to highlight any issues you may have missed. Communication is always an area that can be improved, particularly in situations where traditional channels are unavailable.”
The role of risk managers
Risk leaders are uniquely positioned to drive cross-functional engagement on this issue. They can push for realistic scenarios to be modelled and ensure recovery priorities reflect the real-world complexity of today’s operating models. They can bridge the gap between digital convenience and operational resilience.
There is a tendency to treat blackouts as rare events, something that might happen in developing countries or in the distant future. But they are happening now, and in countries with robust infrastructure. For many organisations, the question is no longer if the lights will go out, but whether they will still be able to function when they do.
Boxout: Zurich’s resilience review questions
- How would we provide an emergency response with no power?
- Are we clear on roles and responsibilities of the various response teams with deputies in place to cover absence?
- Are teams and individuals suitably empowered to ensure decisions can be made in a timely manner in the event of a communication systems failure?
- Do we have a preferred method of communication for the response team, our employees and our service users? Has the power resilience of the organisation’s fixed, mobile and internet services been considered? What backup arrangements do we have?
- How do we ensure we maintain our own employees’ health and safety – can we consider pre-prepared plans that are communicated on what to do in such an incident?
- Do we have hard copies of our plans in case technology prevents us accessing them?
- Do we have a clear understanding of our priority services to enable focus of support to those most in need and how would we deliver them?
- Do we know our plan to support the most vulnerable, particularly if power is lost for a sustained period?
- Do we have or need emergency generators or uninterruptible power supplies? Are they inspected, tested and maintained?
- How could we redeploy leadership and staff across the organisation to support the emergency response?