When the lights go out. The Iberian Blackout and the Business Imperative of Risk Management
On April 28, 2025, a massive and unprecedented blackout hit Spain and Portugal, with brief effects in parts of southern France and Andorra. The blackout began around 12:30 pm local time and lasted up to 18-23 hours in some areas: it was the largest in the history of Spain and Portugal, affecting up to 60 million people. The blackout crippled transportation, telecommunications, hospitals and businesses, causing widespread disruption across the Iberian Peninsula. All major Spanish and Portuguese cities were affected, with airports, subway and train networks, and traffic lights all down, stranding travelers and commuters. Hospitals operated on backup generators, and some surgeries and procedures were delayed or canceled.
The exact cause remains under investigation, but there is no evidence of a cyber attack or sabotage. The Spanish grid experienced a sudden, catastrophic drop in power generation of 15 gigawatts – about 60% of national demand – in just five seconds. This triggered a cascading failure that severed the interconnection with France and caused the grid to collapse.
The economic loss was significant: analysts estimate that the blackout could cost the Spanish economy up to €1 billion in lost output. This is a significant but short-term impact-about 0.07% of Spain’s annual GDP, and most experts expect the disruption to be marginal in the long run, provided power is restored quickly and no other episodes occur.
This event is a stark reminder that even the most advanced economies are vulnerable to sudden, large-scale disruptions. For companies, the question is not whether risks will materialize, but whether they are prepared to respond.
The Value of Risk Management: Lessons from the Blackout
In a world defined by uncertainty — geopolitical tensions, economic volatility, environmental disruption, and digital vulnerability — organizations cannot afford to leave resilience to chance. Risk is no longer a peripheral issue to be addressed occasionally; it is a core leadership concern. Organizations that fail to identify and effectively manage risk not only suffer delays or financial losses – they jeopardize their long-term viability.
Can companies be prepared for situations like the recent blackout? Absolutely.
Disciplines such as project management and risk management exist precisely to help organizations identify, assess, and manage risks-whether those risks are technical, environmental, or operational.
A robust risk management strategy enables organizations to:
- Minimize losses and operational downtime by anticipating potential threats and preparing contingency plans.
- Make informed decisions under uncertainty, ensuring business continuity even when unexpected events occur.
- Increase stakeholder confidence by demonstrating resilience and crisis preparedness.
- Protect reputation and financial stability in the face of adversity.
The blackout showed that organizations with effective risk management protocols in place-such as backup power, crisis communication plans, and flexible operations-were better positioned to weather the disruption and quickly resume activities.
Today no company can afford not to have a “risk culture”
Whether the risk is technological, financial, operational, or reputational, the absence of a risk culture leads to avoidable losses and slow recovery.
Business leaders must understand that risk can’t be delegated to compliance teams alone. It is a shared responsibility that must be embedded across departments and functions. A robust risk management process not only minimizes damage – it can also uncover opportunities.
At GBSB Global, we guide organizations in building customized risk frameworks. These include risk registers, response matrices, scenario planning and escalation protocols — all essential tools for managing uncertainty with confidence.
Why Risk Management should be built into every stage of business?
We put this and other questions to one of the leading experts in the field, Dr. Danil Dintsis, Strategic Risk Management expert and Professor at the GBSB Global Business School.
At what stage of business development should an owner start thinking about risk management? Are there clear triggers such as revenue thresholds, number of employees or market expansion — or is it always case by case?
Danil Dintsis: Every business, including startups, should start thinking about risk management from day one. In my experience, even early-stage companies can be affected by external disruptions that they cannot control. For example, one startup I worked with suffered a major service interruption due to a change made by a third-party vendor in their data center – even though that vendor was widely respected. The result? We lost customer confidence and were forced to sell the service rather than scale it.
In my view, there are no universal thresholds that dictate when to start managing risk. Waiting for specific milestones-such as headcount or revenue levels-is a mistake. Risk analysis should start at the very beginning and continue as a routine part of operations. Reactive, case-by-case decisions often lead to worse outcomes because they tend to be rushed, poorly analyzed, and inconsistently implemented.
How can a business owner assess which risks are most critical? Is it realistic to be prepared for all force majeure events?
Danil Dintsis: Strategic risk management requires a structured process called Business Continuity Planning (BCP). This is not a task for the business owner alone – it is a company-wide responsibility.
The goal of BCP is to conduct ongoing assessments of
- Critical business operations and processes;
- Regulatory obligations;
- External factors, including real-world case studies, forecasts, and technological data;
- Potential losses—whether financial, reputational, or operational.
The company then compares the expected losses with the cost of mitigation. The right balance must be struck. For example, storing critical data in a geographically remote location may be expensive but justified. Similarly, paper-based backup procedures should be in place for high-priority operations in case digital systems fail.
However, it’s impossible to prepare for every possible scenario. In risk management, some events are classified as “unknown unknowns”. These are at the far end of the distribution curve-high impact, but extremely rare. Because the specifics of such events are unknown, companies should prepare in two ways:
- Financial reserves – cash or equivalent assets that provide maximum flexibility.
- Escalation and response procedures –a predefined emergency framework for forming a response team and quickly organizing action.
Even if you don’t know what will happen, you need to know how your organization will respond.
What should a company do when faced with a crisis that is not covered by its existing plans?
Danil Dintsis: This is exactly why escalation procedures and the formation of emergency teams are so important. No plan can be completely exhaustive, but your structure for dealing with the unknown must be in place. When an unforeseen event occurs, the company must be able to quickly activate a cross-functional team to assess the situation and coordinate a response – even if the crisis isn’t listed in the manual.
Who should be in charge of crisis management? And how do you justify investments in unglamorous areas such as backup power infrastructure?
Danil Dintsis: Crisis management should be institutionalized through a formal Business Continuity Management (BCM) process that is regularly trained and audited.
According to PMI and ITIL best practices, responsibility should be both centralized and delegated:
- At the executive level, a C-level board should define overarching goals, such as maintaining regulatory compliance or restoring production within a fixed timeframe (e.g., 72 hours).
- At the operational level, individual business units should propose and implement local solutions relevant to their functions. These solutions are evaluated based on risk, cost and feasibility. The Executive Board then decides whether to approve the investment.
Each business should maintain contingency plans for its most critical areas: operations, compliance, cybersecurity, customer communications, etc.
With limited budgets, how should businesses prioritize between employee training, backup generators, cloud storage, and supply chain diversification?
Danil Dintsis: Again, the Business Continuity Board must set the priorities. These priorities should be driven by the organization’s crisis management objectives — not assumptions or trends.
Importantly, downgrading services is often a rational solution during a crisis. For example, if your email systems go down, full restoration may not be possible immediately. Instead, ensuring partial functionality for key personnel-through a third-party provider-may be sufficient to maintain communication with customers, regulators, and critical partners.
In short, effective risk management is not about being invincible. It’s about being prepared, organized, and able to make clear decisions under pressure.
How GBSB Global can help you build a a “risk culture”
For Students
At GBSB Global, project management is a core requirement for all students. Our partnership with the Project Management Institute (PMI) gives Master’s students access to world-class knowledge and the opportunity to earn the PMI Project Management Ready™ certification. This equips graduates with practical tools to identify and mitigate risk in any industry. Explore the PMI certification opportunity.
For Professionals
Join us this October for our open enrollment course on Effective Teamwork and Project Management. This program is designed to strengthen your ability to lead teams, manage uncertainty, and ensure project success-even in the face of unforeseen disruptions.
For Companies and Organizations
Our executive education programs help organizations build long-term resilience. Led by GBSB Global faculty, your HiPo team will develop a customized risk management strategy that fits your industry and business model.
The recent blackout was a wake-up call for the entire business community. In today’s world, uncertainty is a constant. Project and risk management expertise is not a bonus — it’s a requirement.
