Six levels of business continuity maturity

By Margaret Langsett, Virtual Corporation.

How mature is your organization when it comes to business continuity? Does your business continuity management (BCM) program crawl, walk or run? From self-governed to synergistic, we have identified six levels of BCM maturity that most companies fall into. What is your organization’s level? Here is our breakdown:

Immature

Levels 1-3 represent organizations that have not yet completed the necessary program basics needed to launch a sustainable enterprise business continuity management program.

Level 1 - Self-governed: It’s every man or woman for him/herself!
Individual business units and departments are ‘on their own’ to organize, implement, and self-govern their own business continuity or disaster recovery efforts. The state-of-preparedness for disruptive events is low across the organizational enterprise. The organization or individual departments react to disruptive events when they occur. There is no real planning involved: business continuity recovery is reactive instead of proactive.

Level 2 – Departmental: Sole BCM survivor
At least one business unit gets it. You have reached Level 2 of BCM maturity if at least one department or business unit has initiated efforts to establish management awareness of the importance of business continuity. A few functions or services have developed and maintain business continuity plans within one or more business continuity disciplines such as:

  • Incident management
  • Technology recovery
  • Security management
  • Business recovery.

At level 2, your organization has at least one internal or external resource assigned to support the business continuity efforts of the participating business units and departments. The state-of-preparedness may be moderate for participants, but remains relatively low across the majority of the company. Management may see the value of a BCM program but, with minimal executive buy-in, is unwilling to make it a priority at this time.

Level 3 – Cooperative: Moderately prepared, but not quite mature
Participating business units and departments have instituted a rudimentary governance program, mandating at least limited compliance to standardized BCM policy, practices, and processes to which they have commonly agreed. (Note: this is not an enterprise BCM policy.)

  • A BCM Program Office or Department has been established, which centrally delivers BCM governance and support services to the participating departments and/or business units.
  • Audit findings from these participants are being used to reinforce competitive and strategic advantage for their groups.
  • Interest in leveraging the work already done is being promoted as a business driver for launching a BCM program.
  • Some business units and departments may have achieved a high state-of-preparedness; however, as a whole, the enterprise is at best moderately prepared.
  • Still lacking executive buy-in: senior management has not committed the enterprise to a BCM program.

Maturing

Levels 4-6 represent the evolutionary path of the maturing enterprise BCM program. If your company achieves level 4, you are compliant with most standards. Content has been added that specifically addresses the following standards: ISO 22301, NFPA 1600, ASIS and BS 25999.

Level 4 - Standards Compliant: You have reached early BCM maturity adulthood
Congratulations! Senior management gets it and is committed to the strategic importance of an effective BCM program throughout the organizational enterprise. In addition, there is an enforceable, practical BCM policy which adopts associated standards, including methods and tools for addressing all four business continuity disciplines:

  • Incident management
  • Technology recovery
  • Security management
  • Business recovery.

But wait, that’s not all! A BCM program office or department has been created to govern the program and support all enterprise participants ensuring that:

  • Each group has acquired its own and/or utilizes the central BCM professional resources.
  • BCM policy, practices, and processes are being standardized across the Enterprise.
  • A BCM competency baseline was developed and a competency development program is underway.
  • All critical business functions have been identified and continuity plans for their protection have been developed across the Enterprise.
  • Departments conduct ‘unit tests’ of critical business continuity plan elements.
  • All business continuity plans are updated routinely.

Level 5 - Integrated: You have raised the BCM bar!
At level 5, the organization meets all of the requirements of level 4, and the program is now integrated throughout the enterprise, adopting continuous quality improvement practices.

All business units and departments have completed tests on all elements of their business continuity plan including their internal and external dependencies.

  • Plan update methods have proven to be effective.
  • Senior management has participated in crisis management exercises.
  • A multi-year plan has been adopted to continuously ‘raise the bar’ for planning sophistication and enterprise-wide state-of-preparedness.
  • A communications and training program exists to sustain the high level of business continuity awareness following a structured BCM competency maturity program.
  • Audit reports no longer highlight business continuity shortcomings.
  • Strategic and competitive advantages achieved from the BCM program are highlighted in periodic internal and external communications.

Level 6 – Synergistic: You have reached BCM self-actualization!
You rock levels 4 and 5 with a new air of worldly wisdom. As official business continuity gurus, you have reached the point where:

  • Sophisticated business protection strategies are formulated and tested successfully.
  • Cross-functional business continuity capabilities are measured.
  • Change control methods and continuous process improvement keep this organization at an appropriately high state-of-preparedness even though the business environment continues to change radically and rapidly.
  • Innovative policy, practices, processes, and technologies are piloted and incorporated into the BCM program.

Conclusion

Keep in mind that BCM maturity is not static, so if you haven’t reached your desired maturity level, you can still progress to the next level. Be sure your BCM program doesn’t lose momentum or it can fall back one or more levels. As with any business process, if the supporting infrastructure is removed or significantly diminished, the effectiveness of the BCM program will deteriorate and with it the company’s state-of-preparedness.

The author

Margaret Langsett has over 25 years’ experience in COOP, marketing, sales, methodology training, support & program content development. Margaret brings extensive executive experience to her role at Virtual Corporation by providing overall leadership including procurement & legal functions. Margaret was also the Project Manager for the creation of the Business Continuity Maturity Model®. As a frequent presenter on the BCMM®, Margaret has introduced & educated continuity professionals on the capabilities & use of the model. In addition, she has participated in the planning, development & delivery of tabletop exercises for conferences & clients. Margaret is a licensed Business Continuity Maturity Model® Assessor and certified BCMM® Trainer.

To help determine the BCM maturity of your organization, download the free BCMM template tool.


