Be it under the banner of disaster recovery, contingency planning, or business continuity management, the discipline of business protection has been around for over 40 years. And yet today, the discipline still lacks many of the sophisticated tools that would allow business continuity professionals to objectively measure the maturity of a company’s business continuity program. Several “capabilities maturity models” existed for various disciplines, including software development. However, for the business continuity field, nothing had yet been developed. The opportunity to build one appeared worth pursuing, and the idea for a Business Continuity Management Maturity Model was born.
The first consideration was to determine what factors most significantly influence the development of a sustainable BCM program. It was determined that for a BCM program to be sustainable, it must be implemented as a business process. Other enterprise wide business processes can be highly sustainable when implemented effectively, e.g., budgeting and personnel performance evaluations. The common success factors of such implementations include:
- Enterprise wide commitment, driven from the top down, and the recognition that it is the responsibility of every manager to be knowledgeable and accountable for the implementation of these processes (budgeting and personnel) within his or her functional area
- The existence of a dedicated corporate department or group, staffed with professionals deeply knowledgeable in the business discipline, functioning as internal consultants, trainers, and facilitators who support the management team and their staff in the execution of their individual responsibilities
- The development of a companywide infrastructure that reinforces the value and importance of the discipline, including the presence of well-articulated company policy, the integration of specific performance measurements in the company’s management incentive and audit programs, the development of a skills competency baseline, a competency development program, and a variety of communications vehicles that keep the message in front of the management team on a consistent basis.
Applying these factors to the implementation of a sustainable BCM program, the following Program Basics emerged:
- The commitment of senior management to drive and fund the BCM program, grounded in the corporate recognition that responsibility for BCM rests with every manager in the organization.
- The availability of professional business continuity personnel to manage, deliver, and administer a program that adheres to accepted best practices.
- The application of prudent and practical business continuity governance supported by a properly implemented infrastructure.
With the basic ingredients for establishing a sustainable program identified, the evolutionary path for the emergence of this BCM program as it matures could now be characterized. It was determined that this path should articulate how the BCM program matures from simple participation to complex interactions between participants. Based on comparisons with a variety of successful enterprise BCM program implementations, the following milestones along this evolutionary path came to light:
- Milestone 1 — All departments across the enterprise have been included in the BCM program. All the Program Basics described above are now in place and the enterprise has completed an appropriately scaled program launch that distributes BCM responsibility across all departments. Every critical business function is covered by a business continuity plan.
- Milestone 2 — The participants have gained expertise with and confidence in BCM principles. They are able to develop, write, and test more complex plans. Risk assessment, business impact analysis, and mitigation activities have become familiar exercises. Critical multidepartmental aspects of the business are now being integrated into the business protection strategy.
- Milestone 3 — The BCM program now encompasses the full scope of the business and keeps pace with change in the organization. Enterprise business processes are protected through appropriately structured cross-functional recovery plans and risk mitigation programs. Creative new continuity strategies are identified, evaluated, and utilized as appropriate.
These milestones and program ingredients fit into a six-level maturity development sequence. Levels One through Three represent organizations that have not yet completed the necessary Program Basics needed to launch a sustainable enterprise BCM program. Levels Four through Six represent the evolutionary path of the maturing enterprise BCM program.
Level 1: Self-Governed
Business continuity management has not yet been recognized as strategically important by senior management. There is no enterprise governance or centrally coordinated support function. If the company has a BCM policy, it is not enforced. Individual business units and departments are “on their own” to organize, implement, and self-govern their business continuity efforts. The state of preparedness is generally low across the enterprise.
Level 2: Supported Self-Governed
At least one business unit or corporate function has recognized the strategic importance of business continuity and has begun efforts to increase executive and enterprise wide awareness. At least one internal or external BCM professional is available to support the business continuity efforts of the participating business units and departments. The state of preparedness may be moderate for participants but remains relatively low across the majority of the company. Senior management may see the value of a BCM program but they are unwilling to make it a priority at this time.
Level 3: Centrally Governed
Participating business units and departments have instituted a rudimentary governance program, mandating at least limited compliance to standardized BCM policy, practices, and processes to which they have commonly agreed. (Note: this is not necessarily an enterprise BCM policy.) A BCM program office or department has been established, which centrally delivers BCM governance and support services to the participating departments and/or business units. Audit findings from these participants are being used to reinforce competitive and strategic advantage for their groups. Senior management interest is being piqued. Interest in leveraging the work already done is being promoted as a business driver for launching a BCM program. Several business units and departments have achieved a high state of preparedness. However, as a whole, the enterprise is at best moderately prepared. Senior management, as a group, has not yet committed the enterprise to a BCM program, although they may have a project under way to assess the business case for it.
Level 4: Enterprise Awakening
Senior management understands and is committed to the strategic importance of an effective BCM program. An enforceable, practical BCM policy has been adopted. A BCM program office or department has been created to govern the program and support all enterprise participants. Each group has acquired its own and/or utilizes the central BCM professional resources. BCM policy, practices, and processes are being standardized across the enterprise. A BCM competency baseline was developed and a competency development program is under way. All critical business functions have been identified and continuity plans for their protection have been developed across the enterprise. Departments conduct “unit tests” of critical business continuity plan elements. All business continuity plans are updated routinely.
Level 5: Planned Growth
All business units and departments have completed tests on all elements of their business continuity plans, and their plan update methods have proven to be effective. Senior management has participated in crisis management exercises. A multiyear plan has been adopted to continuously “raise the bar” for planning sophistication and enterprise wide state of preparedness. An energetic communications and training program exists to sustain the high level of business continuity awareness following a structured BCM competency maturity program. Audit reports no longer highlight business continuity shortcomings. Examples of strategic and competitive advantage achieved from the BCM program are highlighted in periodic enterprise communications. Business continuity plans and tests incorporate multidepartmental considerations of critical enterprise business processes.
Level 6: Synergistic
All business units have a measurably high degree of business continuity planning competency. Complex business protection strategies are formulated and tested successfully. Cross-functional coordination has led participants to develop and successfully test upstream and downstream integration of their business continuity plans. Tight integration with the company’s change control methods and continuous process improvement keeps the organization at an appropriately high state of preparedness, even though the business environment continues to change radically and rapidly. Innovative policy, practices, processes, and technologies are piloted and incorporated into the BCM program.
Note that at each level companies may progress to the next level or, if they lose momentum, fall back one or more levels. As with any business process, if the supporting infrastructure is removed or significantly diminished, the effectiveness of the BCM program will deteriorate and with it the company’s state of preparedness.
Through wider acceptance, use, and refinement, this BCM Maturity Model can be of significant benefit to the business continuity profession at large. The model can be used by professionals to address some key questions raised by their managers, such as:
- Where are we now? What level of BCM program maturity do we currently possess?
- What is the target we are shooting for? What does a mature BCM program look like?
- What evolutionary path do we want to follow to get there? What level of BCM program maturity do we want to achieve next?
The model can also be used in other ways, such as:
- A concept tool helpful in persuading senior management to invest appropriate resources in establishing a sustainable BCM program.
- A benchmark measurement tool for any organization looking to evaluate how their efforts compare with others in their industry, geographic region, or other relevant classification.
- An evaluation tool that can be used by auditors and insurers to objectively assess the effectiveness of an organization’s state of preparedness, leading to more accurate risk assessment and program direction.
At the end of this session the learner will be able to:
- Discuss the purpose of the Maturity Model
- Identify the three Program Basics
- Discuss the six levels of the Model