🎮 Test yourself in 15 minutes — New: the Hormuz Crisis Simulator by ResiPlan. 8 decisions under pressure (viral tweets, SOC alerts, supplier calls, ACPR, media), AI scoring, personalized RETEX. Free, no signup.
The Strait of Hormuz concentrates an unparalleled systemic global risk: 20.9 million barrels of oil per day (20% of global consumption) and ~20% of liquefied natural gas (LNG) transit through it daily, according to the International Energy Agency (IEA, 2024). A blockade — even partial, even temporary — would trigger a planetary energy and economic crisis. Recurring Iran-West tensions, Houthi drones, cybersabotage risks, sea mines: interruption scenarios are no longer hypothetical.
This article is the complete guide for European executives, BCMs, Risk Managers and CISOs: understanding the stakes, modeling impacts for your business, building a shortage-resilient continuity plan, and preparing in 90 days.
Why the Strait of Hormuz is a unique systemic risk
Key figures (IEA, OPEC, US EIA 2024)
| Indicator | Value |
|---|---|
| Oil transiting per day | 20.9 Mb/d (≈ 20% global) |
| LNG transiting per day | ~20% of global supply |
| Minimum strait width | 33 km |
| Navigation channel | 2 × 3 km only |
| Dependent exporters | Saudi Arabia, UAE, Iran, Iraq, Kuwait, Qatar, Oman |
| % of European crude transiting Hormuz | ~30% on average (2024) |
Why Hormuz > any other maritime chokepoint
- No large-scale land alternative: Saudi East-West pipelines (5 Mb/d) and UAE Habshan-Fujairah (1.8 Mb/d) can absorb ~6.8 Mb/d, only one-third of current flow.
- LNG concentration: Qatar exports 77 Mt/year of LNG (2024), ~20% of global market, and 100% of this flow goes through Hormuz.
- Immediate consequence of a blockade: Brent surge of +30 to +80% in 7 days per IMF/Goldman Sachs models, physical shortage within 10-20 days on some markets.
The 5 high-risk scenarios
- Open Iran-US/Israel military conflict: closure by Tehran in retaliation (mines, anti-ship missiles, tanker seizures).
- Houthi/Hezbollah proxy escalation: drone attacks on tankers in Oman Gulf.
- Major cyberattack against navigation systems (ECDIS, AIS), port terminals (Hormuz-Jask, Bandar Abbas), or offshore platforms.
- Major accident: supertanker collision in the channel (already occurred 2019), oil spill blocking traffic.
- Informal regional blockade: repeated ship seizures (like Iran vs UK 2019), insurance premium surges, self-exclusion by shipowners.
What actual impact on YOUR European business?
Even if you're not an oil major, the second- and third-order effects are massive.
Sector impact matrix
| Sector | Direct impact | Indirect impact | Criticality |
|---|---|---|---|
| Transport / logistics | Fuel price +50 to +100%, possible rationing | Supply chain disruption, massive delays | Critical |
| Manufacturing | Petrochemical, fertilizer, plastic raw material shortages | Production costs +20 to +40% | Critical |
| Energy & utilities | Gas stress (Qatar LNG), electricity cascade | Government rationing decisions | Critical |
| Agriculture | Nitrogen fertilizers (gas-based) +150%, diesel fleets | Yields -15 to -30% | High |
| Retail & e-commerce | Delivery costs doubled, supplier disruptions | Consumer price hikes, demand drop | High |
| Tech / SaaS | Data center electricity bills +40%, limited remote work | Customer stress, churn | Medium |
| Finance / banking | Extreme market volatility, emerging market exposure | DORA liquidity stress test | High |
| Healthcare | Medicine supply (petrochemical derivatives) | Plastics, ambulance transport | Critical |
| Construction | Bitumen, PVC, diesel equipment | Site freezes | Medium to High |
The 8 most underestimated risks
- Fuel shortage for your employees: physical inability to commute.
- Customer contract breaches with force majeure clauses activated both ways.
- Maritime insurance premium explosion (+300 to +500%) passed down the chain.
- Government rationing: large enterprises will be prioritized; SMEs not always.
- Cascade cyber effect: geopolitical tensions systematically accompanied by cyber campaigns targeting critical infrastructure.
- Panic buying at gas stations, supermarkets — three days of stock empties shelves.
- Stock market confidence loss: if listed, share drops 15-30% in 2 weeks.
- Third-party supplier dependencies you hadn't identified (cloud provider paying doubled electricity bill, transporter applying 45% fuel surcharge, etc.).
Building a shortage-resilient continuity plan: 7 pillars
Pillar 1 — Identify your Critical or Important Functions (CIF)
The first step: knowing exactly what must absolutely keep running. This is DORA Art. 3(22)'s CIF concept, generalizable to any business. For each function:
- Criticality justification (financial, continuity, regulatory impact)
- Specific RTO / RPO / MTPD
- Upstream dependency mapping (energy, fuel, transport, raw materials)
- Critical suppliers and substitutability
👉 With ResiPlan, the DORA CIF module maps your critical functions in 30 minutes with AI-generated justification powered by ResiPlan AI and compliant with Art. 3(22).
Pillar 2 — Complete mapping of energy dependencies
A Hormuz blockade doesn't just affect direct fuel. Cross-layer mapping required:
| Layer | Questions |
|---|---|
| Electricity | What is my peak bill? What share comes from gas plants? |
| Fleet fuel | Days of diesel stock? Non-substitutable vehicles? |
| Heating / cooling | Can my offices withstand -3°C survival mode? |
| Raw materials | Which inputs derive from oil/gas? Plastics, fertilizers, solvents, lubricants... |
| ICT providers | Do my data centers have diesel for generators? For how many days? |
| Transport | Do my carriers have fuel framework contracts? Automatic surcharges? |
👉 ResiPlan's Dependencies Pro module aggregates these 6 layers in a unified graph with cascade simulator time + cumulative € cost per step.
Pillar 3 — Strategic stocks & alternatives
90-day rule: for each critical resource, target minimum 30 days of stock + 60 days of identified alternatives.
- Fuel: contracts with 2+ providers, private tanks for critical fleet, local gas station agreement.
- Electricity: local green energy contract (panels + battery if possible), generator tested quarterly.
- Transport: agreements with 3 road transporters (different geographic zones) + rail + waterway alternatives.
- Raw materials: second supplier in a geographically decoupled zone from Hormuz (North America, Norway, West Africa).
Pillar 4 — Sector-specific continuity plans
ISO 22301 specifies 8 plan types ResiPlan preconfigures:
| Plan | Hormuz focus |
|---|---|
| BCP (Business Continuity) | Consumption reduction, generalized remote work, team rotation |
| BRP (Business Recovery) | Progressive post-shock restart |
| DRP (Disaster Recovery) | Secondary data centers, EU cloud failover |
| IRP (Incident Response) | Immediate reaction: crisis cell, communications |
| ERP (Emergency Response) | Evacuation, employees stuck on MENA mission |
| CMP (Crisis Management) | High-level coordination, stakeholders |
| CCP (Crisis Communication) | Customer, employee, media, regulator messages |
| SRP (Supply Chain Resilience) | Backup supplier activation, geo-diversification |
Pillar 5 — Regular exercises and simulations
An untested plan is worthless. Minimum program:
- 1 annual tabletop on energy scenario (4h, 10-20 people)
- 1 functional simulation every 2 years (half-day, concrete impacts)
- Quarterly DRP technical tests
👉 ResiPlan's Crisis Gaming module includes over 20 ready-to-use scenarios including "Strait of Hormuz Maritime Blockade", "National fuel shortage", "Iranian APT cyber campaign", "Regional blackout", "Critical ICT provider ransomware (DORA Art. 28)", "Data center flooding" — with real-time AI injections and automatic decision scoring.
Pillar 6 — Crisis communication
Pre-prepared messages approved by legal for:
- Employees (reassure, remote work, timelines)
- Customers (force majeure, adjusted SLAs, prioritization)
- Suppliers (order follow-ups, renegotiation)
- Regulators (ACPR, AMF, DORA, NIS2 major notification)
- Media (if listed or sensitive sector)
👉 ResiPlan's Mass Notification module sends on 7 channels (SMS, voice, email, push, Slack, Teams, WhatsApp) with bidirectional employee safety check-in.
Pillar 7 — Continuous monitoring and weak signals
Daily indicators to monitor:
- Brent price (alert threshold: +15% in 48h)
- European TTF gas price
- BDTI index (tanker oil price)
- Diplomatic tensions (Bloomberg Geopolitical Risk Index)
- Military activity in the zone (Gulf, Oman Sea)
- Cyber campaigns targeting energy (CERT-FR, ENISA)
- Government directives (Ecological Transition Ministry, Prefecture)
90-day checklist: your concrete action plan
Weeks 1-2 (now)
- Identify and document your 5-10 main CIFs (DORA Art. 3(22))
- Audit fleet fuel stock + generator reserves
- Activate daily monitoring (Bloomberg / Reuters / Tanker Trackers subscriptions)
- Name an energy crisis coordinator reporting to ExCom
Weeks 3-4
- Map 100% of energy dependencies (direct + indirect)
- Audit critical supplier contracts: fuel surcharges, force majeure, delays, alternatives
- Identify 3 scenarios: 1-week, 1-month, 3-month blockade
Month 2
- Draft / update BCP + SRP with energy dimension
- Negotiate backup contracts: 2nd fuel supplier, secondary transport framework
- Test massive remote work mode (2 days across company)
- Prepare crisis messages for employees + customers
Month 3
- Organize complete tabletop (4h) with ExCom
- Test generators under real conditions
- Document internal rationing procedure (if applicable)
- Submit framework to Audit Committee (listed companies)
Why ResiPlan is the right tool for this crisis
ResiPlan is the only European BCMS + GRC platform covering the entirety of Hormuz crisis preparation:
| Need | ResiPlan module |
|---|---|
| Identify critical functions | DORA CIF with AI Art. 3(22) |
| Map energy dependencies | Dependencies Pro unified 6-layer graph |
| Simulate financial impacts | Cascade Simulator time + € cost |
| 36 risk methodologies | Risk methodologies incl. FAIR, Monte Carlo |
| Test your plan (tabletop) | Crisis Gaming 20+ scenarios (Hormuz included) + AI |
| Alert employees in real time | Mass Notification 7 channels |
| DORA/NIS2 compliance | DORA compliance native |
| Sovereign EU hosting (France) | OVH France — zero US dependency |
✅ Free 14-day trial — setup in 1 hour, first results in 1 day. ✅ 39 risk methodologies integrated, DORA/NIS2/CRA/ISO 22301 compliance. ✅ ResiPlan AI for BIA generation + CIF justification + exercise RETEX.
FAQ
Is a full Strait of Hormuz blockade really likely?
Historically, no prolonged total blockade has ever occurred — but alerts are regular (Iran-Iraq war 1980-88 "tanker war", 2019 seizures, Israel-Iran tensions 2024-2025). The IEA and IMF consider a partial blockade of a few days to a few weeks the most likely scenario in case of escalation, with already massive consequences.
How long can my business run without new fuel?
Without preparation, most corporate fleets last 2 to 5 days (internal stock + full tanks at hire). With a 30-day strategic stock, you enter the "resilient" category — the minimum recommended by DORA and ISO 22301 for critical functions.
Does remote work solve a fuel shortage?
Partially. Remote work drastically reduces employee consumption but does not solve: sales tours, customer deliveries, technical interventions, logistics, industrial production. A complete plan must combine remote work + rationing + prioritization + alternatives.
Difference between a BCP and an anti-shortage plan?
The BCP (Business Continuity Plan) is the general continuity framework. An anti-shortage plan is a specialized sub-plan of the BCP, focused on disruption of a critical resource (energy, fuel, raw material). It inherits from the BCP but adds: strategic stocks, identified alternatives, rationing procedure, dedicated communication.
Does DORA apply to the Hormuz crisis?
Yes, for financial entities (banks, insurers, asset managers). DORA requires:
- Art. 5-9: ICT risk management, including data center energy
- Art. 11: operational continuity and recovery plans
- Art. 17: major incident reporting (prolonged CIF unavailability must be notified)
- Art. 25: regular digital operational resilience testing
- Art. 28-30: critical ICT provider risk management (incl. their energy suppliers)
My company isn't a bank — does DORA concern me?
Indirectly, yes. If your customers are financial entities, they will now require DORA guarantees from their critical suppliers (you). Hence the importance of having a mature and documented BCMS.
What keywords to watch to anticipate a crisis?
Alert on: "Hormuz", "Strait of Hormuz", "Bab el-Mandeb", "Houthi Red Sea", "Iran nuclear", "IRGC tanker", "Saudi oil", "TTF gas price", "Brent crude spike", "OPEC emergency", "Chevron Iran", "Israel Iran strike". Possible monitoring via free Google Alerts + Tanker Trackers (paid but very accurate).
Summary
- The Strait of Hormuz concentrates ~20% of world oil and LNG. A blockade is plausible, not improbable.
- All sectors are impacted — not just energy. Fuel, raw materials, costs, supply chain, employees: the shockwave is total.
- 90-day preparation is realistic and indispensable: CIFs, dependencies, stocks, plans, exercises, communications, monitoring.
- ResiPlan covers all pillars: ISO 22301 BCMS, DORA CIF, Dependencies Pro, Crisis Gaming, Mass Notification, 36 risk methodologies.
Resilience is not built during the crisis. It is built before.
🎮 Play the Hormuz Crisis Simulator (free, 15 min, no signup) →
Start your free 14-day trial →