๐ฎ Test yourself in 15 minutes โ New: the Hormuz Crisis Simulator by ResiPlan. 8 decisions under pressure (viral tweets, SOC alerts, supplier calls, ACPR, media), AI scoring, personalized RETEX. Free, no signup.
The Strait of Hormuz concentrates an unparalleled systemic global risk: 20.9 million barrels of oil per day (20% of global consumption) and ~20% of liquefied natural gas (LNG) transit through it daily, according to the International Energy Agency (IEA, 2024). A blockade โ even partial, even temporary โ would trigger a planetary energy and economic crisis. Recurring Iran-West tensions, Houthi drones, cybersabotage risks, sea mines: interruption scenarios are no longer hypothetical.
This article is the complete guide for European executives, BCMs, Risk Managers and CISOs: understanding the stakes, modeling impacts for your business, building a shortage-resilient continuity plan, and preparing in 90 days.
Why the Strait of Hormuz is a unique systemic risk
Key figures (IEA, OPEC, US EIA 2024)
| Indicator | Value |
|---|---|
| Oil transiting per day | 20.9 Mb/d (โ 20% global) |
| LNG transiting per day | ~20% of global supply |
| Minimum strait width | 33 km |
| Navigation channel | 2 ร 3 km only |
| Dependent exporters | Saudi Arabia, UAE, Iran, Iraq, Kuwait, Qatar, Oman |
| % of European crude transiting Hormuz | ~30% on average (2024) |
Why Hormuz > any other maritime chokepoint
- No large-scale land alternative: Saudi East-West pipelines (5 Mb/d) and UAE Habshan-Fujairah (1.8 Mb/d) can absorb ~6.8 Mb/d, only one-third of current flow.
- LNG concentration: Qatar exports 77 Mt/year of LNG (2024), ~20% of global market, and 100% of this flow goes through Hormuz.
- Immediate consequence of a blockade: Brent surge of +30 to +80% in 7 days per IMF/Goldman Sachs models, physical shortage within 10-20 days on some markets.
The 5 high-risk scenarios
- Open Iran-US/Israel military conflict: closure by Tehran in retaliation (mines, anti-ship missiles, tanker seizures).
- Houthi/Hezbollah proxy escalation: drone attacks on tankers in Oman Gulf.
- Major cyberattack against navigation systems (ECDIS, AIS), port terminals (Hormuz-Jask, Bandar Abbas), or offshore platforms.
- Major accident: supertanker collision in the channel (already occurred 2019), oil spill blocking traffic.
- Informal regional blockade: repeated ship seizures (like Iran vs UK 2019), insurance premium surges, self-exclusion by shipowners.
What actual impact on YOUR European business?
Even if you're not an oil major, the second- and third-order effects are massive.
Sector impact matrix
| Sector | Direct impact | Indirect impact | Criticality |
|---|---|---|---|
| Transport / logistics | Fuel price +50 to +100%, possible rationing | Supply chain disruption, massive delays | Critical |
| Manufacturing | Petrochemical, fertilizer, plastic raw material shortages | Production costs +20 to +40% | Critical |
| Energy & utilities | Gas stress (Qatar LNG), electricity cascade | Government rationing decisions | Critical |
| Agriculture | Nitrogen fertilizers (gas-based) +150%, diesel fleets | Yields -15 to -30% | High |
| Retail & e-commerce | Delivery costs doubled, supplier disruptions | Consumer price hikes, demand drop | High |
| Tech / SaaS | Data center electricity bills +40%, limited remote work | Customer stress, churn | Medium |
| Finance / banking | Extreme market volatility, emerging market exposure | DORA liquidity stress test | High |
| Healthcare | Medicine supply (petrochemical derivatives) | Plastics, ambulance transport | Critical |
| Construction | Bitumen, PVC, diesel equipment | Site freezes | Medium to High |
The 8 most underestimated risks
- Fuel shortage for your employees: physical inability to commute.
- Customer contract breaches with force majeure clauses activated both ways.
- Maritime insurance premium explosion (+300 to +500%) passed down the chain.
- Government rationing: large enterprises will be prioritized; SMEs not always.
- Cascade cyber effect: geopolitical tensions systematically accompanied by cyber campaigns targeting critical infrastructure.
- Panic buying at gas stations, supermarkets โ three days of stock empties shelves.
- Stock market confidence loss: if listed, share drops 15-30% in 2 weeks.
- Third-party supplier dependencies you hadn't identified (cloud provider paying doubled electricity bill, transporter applying 45% fuel surcharge, etc.).
Building a shortage-resilient continuity plan: 7 pillars
Pillar 1 โ Identify your Critical or Important Functions (CIF)
The first step: knowing exactly what must absolutely keep running. This is DORA Art. 3(22)'s CIF concept, generalizable to any business. For each function:
- Criticality justification (financial, continuity, regulatory impact)
- Specific RTO / RPO / MTPD
- Upstream dependency mapping (energy, fuel, transport, raw materials)
- Critical suppliers and substitutability
๐ With ResiPlan, the DORA CIF module maps your critical functions in 30 minutes with AI-generated justification powered by ResiPlan AI and compliant with Art. 3(22).
Pillar 2 โ Complete mapping of energy dependencies
A Hormuz blockade doesn't just affect direct fuel. Cross-layer mapping required:
| Layer | Questions |
|---|---|
| Electricity | What is my peak bill? What share comes from gas plants? |
| Fleet fuel | Days of diesel stock? Non-substitutable vehicles? |
| Heating / cooling | Can my offices withstand -3ยฐC survival mode? |
| Raw materials | Which inputs derive from oil/gas? Plastics, fertilizers, solvents, lubricants... |
| ICT providers | Do my data centers have diesel for generators? For how many days? |
| Transport | Do my carriers have fuel framework contracts? Automatic surcharges? |
๐ ResiPlan's Dependencies Pro module aggregates these 6 layers in a unified graph with cascade simulator time + cumulative โฌ cost per step.
Pillar 3 โ Strategic stocks & alternatives
90-day rule: for each critical resource, target minimum 30 days of stock + 60 days of identified alternatives.
- Fuel: contracts with 2+ providers, private tanks for critical fleet, local gas station agreement.
- Electricity: local green energy contract (panels + battery if possible), generator tested quarterly.
- Transport: agreements with 3 road transporters (different geographic zones) + rail + waterway alternatives.
- Raw materials: second supplier in a geographically decoupled zone from Hormuz (North America, Norway, West Africa).
Pillar 4 โ Sector-specific continuity plans
ISO 22301 specifies 8 plan types ResiPlan preconfigures:
| Plan | Hormuz focus |
|---|---|
| BCP (Business Continuity) | Consumption reduction, generalized remote work, team rotation |
| BRP (Business Recovery) | Progressive post-shock restart |
| DRP (Disaster Recovery) | Secondary data centers, EU cloud failover |
| IRP (Incident Response) | Immediate reaction: crisis cell, communications |
| ERP (Emergency Response) | Evacuation, employees stuck on MENA mission |
| CMP (Crisis Management) | High-level coordination, stakeholders |
| CCP (Crisis Communication) | Customer, employee, media, regulator messages |
| SRP (Supply Chain Resilience) | Backup supplier activation, geo-diversification |
Pillar 5 โ Regular exercises and simulations
An untested plan is worthless. Minimum program:
- 1 annual tabletop on energy scenario (4h, 10-20 people)
- 1 functional simulation every 2 years (half-day, concrete impacts)
- Quarterly DRP technical tests
๐ ResiPlan's Crisis Gaming module includes over 20 ready-to-use scenarios including "Strait of Hormuz Maritime Blockade", "National fuel shortage", "Iranian APT cyber campaign", "Regional blackout", "Critical ICT provider ransomware (DORA Art. 28)", "Data center flooding" โ with real-time AI injections and automatic decision scoring.
Pillar 6 โ Crisis communication
Pre-prepared messages approved by legal for:
- Employees (reassure, remote work, timelines)
- Customers (force majeure, adjusted SLAs, prioritization)
- Suppliers (order follow-ups, renegotiation)
- Regulators (ACPR, AMF, DORA, NIS2 major notification)
- Media (if listed or sensitive sector)
๐ ResiPlan's Mass Notification module sends on 7 channels (SMS, voice, email, push, Slack, Teams, WhatsApp) with bidirectional employee safety check-in.
Pillar 7 โ Continuous monitoring and weak signals
Daily indicators to monitor:
- Brent price (alert threshold: +15% in 48h)
- European TTF gas price
- BDTI index (tanker oil price)
- Diplomatic tensions (Bloomberg Geopolitical Risk Index)
- Military activity in the zone (Gulf, Oman Sea)
- Cyber campaigns targeting energy (CERT-FR, ENISA)
- Government directives (Ecological Transition Ministry, Prefecture)
90-day checklist: your concrete action plan
Weeks 1-2 (now)
- Identify and document your 5-10 main CIFs (DORA Art. 3(22))
- Audit fleet fuel stock + generator reserves
- Activate daily monitoring (Bloomberg / Reuters / Tanker Trackers subscriptions)
- Name an energy crisis coordinator reporting to ExCom
Weeks 3-4
- Map 100% of energy dependencies (direct + indirect)
- Audit critical supplier contracts: fuel surcharges, force majeure, delays, alternatives
- Identify 3 scenarios: 1-week, 1-month, 3-month blockade
Month 2
- Draft / update BCP + SRP with energy dimension
- Negotiate backup contracts: 2nd fuel supplier, secondary transport framework
- Test massive remote work mode (2 days across company)
- Prepare crisis messages for employees + customers
Month 3
- Organize complete tabletop (4h) with ExCom
- Test generators under real conditions
- Document internal rationing procedure (if applicable)
- Submit framework to Audit Committee (listed companies)
Why ResiPlan is the right tool for this crisis
ResiPlan is the only European BCMS + GRC platform covering the entirety of Hormuz crisis preparation:
| Need | ResiPlan module |
|---|---|
| Identify critical functions | DORA CIF with AI Art. 3(22) |
| Map energy dependencies | Dependencies Pro unified 6-layer graph |
| Simulate financial impacts | Cascade Simulator time + โฌ cost |
| 36 risk methodologies | Risk methodologies incl. FAIR, Monte Carlo |
| Test your plan (tabletop) | Crisis Gaming 20+ scenarios (Hormuz included) + AI |
| Alert employees in real time | Mass Notification 7 channels |
| DORA/NIS2 compliance | DORA compliance native |
| Sovereign EU hosting (France) | OVH France โ zero US dependency |
โ Free 14-day trial โ setup in 1 hour, first results in 1 day. โ 39 risk methodologies integrated, DORA/NIS2/CRA/ISO 22301 compliance. โ ResiPlan AI for BIA generation + CIF justification + exercise RETEX.
FAQ
Is a full Strait of Hormuz blockade really likely?
Historically, no prolonged total blockade has ever occurred โ but alerts are regular (Iran-Iraq war 1980-88 "tanker war", 2019 seizures, Israel-Iran tensions 2024-2025). The IEA and IMF consider a partial blockade of a few days to a few weeks the most likely scenario in case of escalation, with already massive consequences.
How long can my business run without new fuel?
Without preparation, most corporate fleets last 2 to 5 days (internal stock + full tanks at hire). With a 30-day strategic stock, you enter the "resilient" category โ the minimum recommended by DORA and ISO 22301 for critical functions.
Does remote work solve a fuel shortage?
Partially. Remote work drastically reduces employee consumption but does not solve: sales tours, customer deliveries, technical interventions, logistics, industrial production. A complete plan must combine remote work + rationing + prioritization + alternatives.
Difference between a BCP and an anti-shortage plan?
The BCP (Business Continuity Plan) is the general continuity framework. An anti-shortage plan is a specialized sub-plan of the BCP, focused on disruption of a critical resource (energy, fuel, raw material). It inherits from the BCP but adds: strategic stocks, identified alternatives, rationing procedure, dedicated communication.
Does DORA apply to the Hormuz crisis?
Yes, for financial entities (banks, insurers, asset managers). DORA requires:
- Art. 5-9: ICT risk management, including data center energy
- Art. 11: operational continuity and recovery plans
- Art. 17: major incident reporting (prolonged CIF unavailability must be notified)
- Art. 25: regular digital operational resilience testing
- Art. 28-30: critical ICT provider risk management (incl. their energy suppliers)
My company isn't a bank โ does DORA concern me?
Indirectly, yes. If your customers are financial entities, they will now require DORA guarantees from their critical suppliers (you). Hence the importance of having a mature and documented BCMS.
What keywords to watch to anticipate a crisis?
Alert on: "Hormuz", "Strait of Hormuz", "Bab el-Mandeb", "Houthi Red Sea", "Iran nuclear", "IRGC tanker", "Saudi oil", "TTF gas price", "Brent crude spike", "OPEC emergency", "Chevron Iran", "Israel Iran strike". Possible monitoring via free Google Alerts + Tanker Trackers (paid but very accurate).
Summary
- The Strait of Hormuz concentrates ~20% of world oil and LNG. A blockade is plausible, not improbable.
- All sectors are impacted โ not just energy. Fuel, raw materials, costs, supply chain, employees: the shockwave is total.
- 90-day preparation is realistic and indispensable: CIFs, dependencies, stocks, plans, exercises, communications, monitoring.
- ResiPlan covers all pillars: ISO 22301 BCMS, DORA CIF, Dependencies Pro, Crisis Gaming, Mass Notification, 36 risk methodologies.
Resilience is not built during the crisis. It is built before.
๐ฎ Play the Hormuz Crisis Simulator (free, 15 min, no signup) โ
Start your free 14-day trial โ