Regional threat profile for Bishkek (version 2026.1)

Regional threats to Bishkek, 2026

As part of the regular review of the regional risk profile, the register of typical threats to Bishkek has been updated. The update is focused on practical application in business continuity management (BCM) and operational risk management systems, with a slight emphasis on the needs of financial and credit institutions and telecommunications operators.

The region’s threat profile is shaped not only by “major” events (such as earthquakes), but also by more frequent scenarios that lead to downtime, limited staff availability, and infrastructure failures: severe weather, local flooding, power outages, communication disruptions, and information security incidents.

What has changed in version 2026.1

  1. The technological risks section (IT/cyber and infrastructure) has been strengthened.
    The risk of IT failures and cyberattacks is reflected as one of the most likely and costly scenarios for organizations working with digital services and customer channels. The complexity of equipment and software deliveries is considered separately, as are possible restrictions on updates and support due to sanctions regimes and export restrictions. These factors increase the cost of recovery and prolong downtime.
  2. The impact of power supply and communications on continuity has been revised.
    For banks, telecom operators, and many organizations in the city, the stability of power and telecom channels is a basic condition for operation. Therefore, the impact on the Business Continuity parameter for power and telecom infrastructure failures is set at a high level, and the assessments are supplemented with exposure clarifications (reserve capacity, autonomous power supply, availability of alternative communication channels).
  3. An exposure approach has been introduced for “local” threats.
    A number of events are not “on average” high-risk for the entire city, but become critical under certain conditions of asset location. Therefore, modifier comments have been added to the registry to increase the risk level for a specific site, for example:

    • landslides — for landslide-prone areas and foothill zones;
    • aviation incidents — for facilities in close proximity to airport infrastructure and approach/departure routes;
    • serious traffic accidents involving large vehicles — when critical assets are located on the first floor near a roadway without physical barriers.
  4. A geopolitical/sanctions contour has been added as a factor of systemic impact.
    Risks of indirect impact of international instability (including secondary effects of sanctions and tensions in certain regions of the world) on supply chains, equipment delivery times, restoration costs, and availability of critical technologies have been noted.

How to use the registry

The registry is intended for initial calibration and planning of resilience measures. The final assessment for a specific organization should be refined taking into account:

  • the geography of sites and the vulnerability of the territory;
  • the architecture of asset placement (basements/plinths/ground floors near roads);
  • the availability of backup (diesel generators, UPS, alternative communication channels, backup site);
  • the organization’s role in critical infrastructure and level of digital dependence.

Thus, the risk profile for Bishkek in 2026 is characterized by the continued severity of natural disasters (seismic activity), increased technological and cyber risks, the growth of systemic geopolitical factors, and the dependence of the risk level on asset architecture and reserves. What becomes critical is not so much the threat itself as the degree of preparedness of the organization: the availability of a backup site, autonomous power supply, diversification of suppliers, and mature information security architecture.

In this publication, the threat profile focuses on external events of a physical, technological, biological, and geopolitical nature that have a direct impact on the continuity of operations and financial stability of organizations.

However, the public version of the profile does not include risks associated with changes in the regulatory environment, the transformation of regulatory requirements, the revision of rules for conducting activities, or other compliance factors arising in the process of organizations’ interaction with government and supervisory institutions.

These risks are usually individual and sector-specific, require separate legal and compliance analysis, and are assessed through specialized procedures (regulatory monitoring, legal risk assessment, compliance review). Their impact may be significant in terms of strategic stability, but they do not fall into the category of extraordinary or crisis events that form the basis of this regional threat profile.

Thus, the published register reflects event-driven and infrastructure risk factors. Issues of regulatory changes, law enforcement practices, and institutional transformations are considered separately within the framework of regulatory and compliance risk management systems.

Below is an updated threat registry (2026.1) with brief explanatory comments.

| Threat | Likelihood (P) | Business Continuity (BC) | Financial Impact (FI) | Exposure notes |
|---|---|---|---|---|
| Natural hazards | | | | |
| Strong wind / squalls | Medium | Medium | Medium | Higher BC/FI with overhead telecom/power lines, rooftop equipment. |
| Severe precipitation (snow, ice, heavy rain, hail) | Medium | Medium | Low | Impacts staff availability, branch operations, transport logistics. |
| Local flooding (stormwater / groundwater) | Medium | Medium | Medium | Higher if critical assets are in basements/ground floors without drainage protection. |
| Mudflows / high water (foothills / outskirts exposure) | Low | Low | Low | Increase to Medium/High for foothill sites or near channels prone to runoff. |
| Landscape fires (smoke / access restrictions) | Low | Medium | Low | Main effect is operational disruption; direct fire risk is usually limited within the city. |
| Lightning strike | Medium | Medium | Medium | Higher BC without lightning protection / surge protection / redundancy. |
| Drought / heatwave | Medium | Low | Medium | Energy demand and cooling risks (server rooms, telecom nodes). |
| Earthquake | Medium | High | High | Primary regional hazard by severity; drive BCM/DR planning assumptions. |
| Landslide | Low | Low | Low | Increase by one level for landslide-prone zones / foothills / unstable slopes. |
| Rockfall / avalanche | Low | Low | Low | Relevant mainly for foothills and transport routes, not typical urban sites. |
| Technological hazards | | | | |
| Building unavailability (structural issues / access restriction) | Low | High | High | Higher FI if no alternate site / remote-work readiness. |
| Municipal utilities disruption (water/heat/sewer) | Medium | Medium | Medium | Server rooms and telecom nodes may reach High BC without autonomy. |
| Power outage | Medium | High | Medium | High BC expected without UPS / generator / dual feed. |
| IT disruption / cyber attack | High | High | High | Sanctions/export controls may increase recovery time and cost (patching, licensing, hardware supply). |
| Telecommunications disruption | Medium | High | Medium | Critical for online banking channels and operator core services; consider multi-provider redundancy. |
| Internal building fire | Medium | High | High | High FI due to rebuild costs and longer replacement lead times for equipment. |
| Aircraft accident (direct impact) | Low | Low | Low | Increase for sites in close proximity to airport infrastructure and approach/departure corridors. |
| Major road traffic incident (direct impact) | Low | Medium | Medium | Increase to High if critical assets are on ground floor near roads without physical barriers (bollards, fencing). |
| Biological hazards | | | | |
| Infectious disease outbreak / epidemic restrictions | Medium | Medium | Medium | Operational effect via staff availability, shift scheduling, access limitations. |
| Contamination of water/food | Low | Low | Low | Increase where on-site catering/mass feeding is present. |
| Human & geopolitical factors | | | | |
| Public unrest / civil disorder | Medium | Medium | Medium | For central locations and high-footfall areas, BC may increase to High. |
| Terrorism threat | Medium | High | High | Severity-driven; focus on protection of crowded venues and critical service points. |
| Hazardous materials release (CBRN) | Low | Medium | Medium | Increase with proximity to hazardous facilities or storage/transport routes. |
| Armed attack | Low | High | High | Low probability, high consequence scenario; requires response readiness. |
| Hostage-taking | Low | High | High | Low probability, high consequence scenario. |
| State of emergency (regional restrictions) | Medium | Medium | High | Financial impact via restrictions, curfews, mobility limitations and service disruption. |
| Martial law | Medium | High | High | System-wide disruption through logistics, regulation, workforce availability. |
| Sanctions / export controls / supply chain disruption | High | Medium | High | Indirect but material impact on IT hardware/software availability, recovery times, and costs. |
| Regional instability (global logistics & energy markets) | Medium | Medium | Medium | Indirect exposure via transportation routes, energy price volatility, and supply chain shocks. |

Purpose of publication

The purpose of updating the regional threat profile is to form a unified and comparable view of external events and factors that may affect the continuity of operations and financial stability of organizations operating in Bishkek. The profile is intended for use in business continuity management (BCM) systems, operational and IT risk management, and for preliminary calibration of resilience scenarios.

Status of the threat profile

The published threat profile is of an overview and analytical nature. It is not an individual risk assessment of a specific organization and does not replace a detailed analysis conducted taking into account the specifics of the business, geography of sites, asset architecture, and level of redundancy. The assessments reflect the regional context and typical infrastructure operating conditions.

Approach to profile formation

The threat profile is based on an event-driven approach and includes physical, technological, biological, anthropogenic, and geopolitical factors. The assessment takes into account both the probability of events occurring and the potential severity of their consequences. For certain threats, an exposure principle is applied, whereby the final risk level is adjusted depending on the location of facilities, the characteristics of the development, and the nature of the placement of critical assets.

Scope and limitations

The public version of the profile considers threats that are event-driven and capable of causing operational disruptions, service availability issues, or direct financial losses. The profile deliberately excludes risks associated with changes in the regulatory and normative environment, as well as other compliance factors that require separate legal and industry analysis. Such risks are assessed as part of specialized regulatory and compliance risk management procedures.

Assessment scale

For clarity and comparability, a three-level qualitative assessment scale is used:

  • Low — a low level of threat, characterized by limited probability and manageable consequences;
  • Medium — a medium level of threat, where the event is realistic and could have a significant impact on operations;
  • High — a high level of threat, reflecting a significant probability and/or critical consequences for business continuity and financial stability.

Practical application

The threat profile is intended to be used as a starting point for developing and updating business continuity plans, disaster recovery plans, and prioritizing infrastructure and service redundancy. Final management decisions should be made taking into account the internal context of the specific organization and the results of in-depth analysis.

Each threat is assessed according to three independent parameters that reflect various aspects of its potential impact.

1. Likelihood (P) — Probability of occurrence

This parameter reflects a qualitative assessment of the probability of an event occurring in a regional context.
The following factors are taken into account when determining the level:

  • historical recurrence of similar events;
  • climatic and geographical characteristics of the region;
  • technological and infrastructural environment;
  • the current macroeconomic and geopolitical situation.

The Likelihood assessment is not a statistical probability in the mathematical sense, but rather an expert categorical classification of the frequency and realism of the scenario.

2. Business Continuity Impact (BC) — Impact on business continuity

This parameter reflects the degree of operational impact of an event on an organization’s ability to continue performing key functions.

The assessment takes into account:

  • possible downtime duration;
  • loss of access to premises or infrastructure;
  • unavailability of personnel;
  • disruption of IT and telecom services;
  • the need to switch to alternative operating modes.

A high level of BC means that without backup mechanisms, the event could cause a significant interruption in the provision of services or fulfillment of obligations.

3. Financial Impact (FI) — Financial impact

This parameter reflects the potential economic effect of the threat being realized.

The following are taken into account:

  • direct material losses (damage to property, equipment, infrastructure);
  • restoration costs;
  • indirect losses from downtime;
  • possible penalties and contractual obligations;
  • increased procurement and supply costs (including due to external economic restrictions).

A high level of FI means a significant impact on the financial results, liquidity, or capital expenditures of the organization.

Interrelation of parameters

The parameters P, BC, and FI are assessed separately because:

  • an event may be unlikely but have critical consequences (e.g., an earthquake);
  • an event may occur regularly but have a moderate impact (e.g., weather restrictions);
  • the financial impact and operational impact do not always coincide in scale.

This approach avoids simplistic aggregation and provides a more balanced picture of resilience.