BCI White Paper Q3: How to measure BCM programme maturity

Find out more: www.thebci.org

Contents
Introduction
Existing maturity models
Opinions from the experts
What are the key findings from consulting practitioners?
Conclusion

Introduction
This white paper explores the issue of business continuity management (BCM) programme
maturity levels. Establishing a sound BCM programme can be quite challenging, depending on
the internal requirements and operating context of an organization. There have been previous
attempts at creating maturity models for business continuity, but this still remains an ongoing
effort [1]. This analysis does not aim to add another model, focusing instead on some key principles
that practitioners can use as guidance with some degree of flexibility. To achieve this goal, a
small group of experts in business continuity and resilience were consulted regarding their
involvement with BCM over the years and across different sectors. The experts were interrogated
about metrics such as time, formative elements, alignment towards good practices, and the
effectiveness of the programme. They also had the opportunity to elaborate on their answers
and delve into the internal dynamics of BCM.

Existing maturity models

Virtual Corporation model
It is important to first explore existing maturity models to gain
insights into their current status and the progress achieved
thus far. Previous attempts to build BCM maturity models have
predominantly been based on international standards, such
as ISO 22301, and in some cases serve as a first step towards
certification [2,3]. One of the most well-known models was created
by Virtual Corporation in 2005 and includes the following six
levels of maturity [4]:
01 Self-governed
02 Departmental
03 Cooperative
04 Standards compliant
05 Integrated
06 Synergistic

The BSI Group
On a similar note, the BSI Group offers a self-assessment questionnaire [5] to evaluate the
level of alignment with the ISO 22301 standard. The questionnaire includes several sections
reflecting the different dimensions of BCM. To better understand the scope of the programme
and the level of commitment from top management, it starts from the operational context and
expectations of the organization. It then proceeds to verify the existence of a BCM policy and
set the desired objectives, looking at the resources dedicated to the programme and the
expertise present within the workforce.

Moving forward, the next sections focus on the key activities of BCM, such as the business
impact analysis (BIA), risk assessments, the establishment of an incident response structure,
and awareness-raising initiatives. The document ends with actions dedicated to continual
improvement and maintenance, which reflect a key principle of the ISO standards on BCM and
organizational resilience [6].

This approach to assessing BCM maturity follows the principles of ISO 22301 without trying to
reinvent the wheel, but in addition asks several detailed questions at each stage. It not only
examines whether the organization has the necessary policies and procedures, but also verifies
whether these are updated, tested, and reviewed regularly.

The Virtual Corporation model sees organizations start from basic response capabilities
where a) the organization does not have any real structures to address disruptive events;
b) business units act independently; and c) there is no real planning involved.

Moving forward with the model, organizations that already exhibit some degree of maturity
may start to develop a semblance of a BCM programme across a few units, with some planning
and response measures. The next step consists of the establishment of an initial governance
structure with some resources dedicated towards business continuity. At this stage, there is
still limited compliance with good practices and the programme is far from mature.

Building on the above, if the organization wants to improve its response capabilities, it must
obtain top management buy-in and develop sound BCM measures, which should be compliant with
international standards.

At this point, business units should be aware of the mission and importance of BCM, and
should undertake those actions mandated by the programme, such as identifying critical
processes and running tests or exercises.

Finally, the last two stages of Virtual Corporation's model reflect a highly mature BCM
programme which is deeply embedded in the organization from top to bottom, including
activities such as the establishment of a crisis management function, successful exercises,
and routine updates. Furthermore, when embedding is at its most complete, BCM becomes part of
daily business considerations, such as the launch of new products or the acquisition of new
facilities. This maturity model mirrors the complexity of a BCM programme, providing not just
a simple checklist but a nuanced evaluation of aspects such as activities, resources,
commitment, and validation.

Key takeaways from existing maturity models
Both documents from Virtual Corporation and the BSI are sound examples of how to evaluate BCM maturity
and provide a basis for further analysis of the subject, which would benefit from more discussion.
Here are some key takeaways from the analysis of the two models:
01 BCM must be pervasive across the business units that fall under the scope of the programme.
02 There must be a set of policies and procedures that define roles and responsibilities.
03 Performing key BCM activities is not enough; their effectiveness is the real goal.
04 A programme must remain relevant to the operating context of an organization over time; updates are key.
05 Good practices can always improve, but it is important to provide practitioners with support on how to
   implement them in their daily operating context.

Opinions from the experts

This white paper explores the activities that are associated with more mature BCM programmes
and how they evolve over time, taking into consideration their different facets.

This section examines the responses from a pool of experts who explored the subject of BCM
maturity. Experts were asked a combination of closed and open-ended questions related to the
different metrics of their BCM programme. These metrics include time, regulatory pressure, and
the structure of the programme.

The goal was to analyse the success factors that lead to a mature BCM programme, the
development of which is rather linear in theory but quite challenging in practice, since it
requires both technical and interpersonal skills. For instance, business continuity managers
must be able to influence the workplace culture, make allies, teach the basic principles of
BCM, and gain the trust of the workforce. At the same time, they must know the technical
aspects of the discipline, such as performing a BIA, identifying recovery times, and
communicating in jargon-free language whenever possible.

The interviewees for this section were based in different industry sectors, including food
and beverage, technology firms, financial, and professional services. All of them are
experienced practitioners who are aware of industry guidelines and standards, but at the same
time know the practical challenges of implementing BCM across different organizations and
operational contexts.

Is there a link between length of adoption and maturity?

The first metric considered by the group of experts was time. Most of the group reported that
their organizations have been adopting BCM on a medium- to long-term basis, consisting of five
years or more. Interestingly, they also described how their organizations decided to adopt
BCM as a spontaneous effort, aligning towards international standards and good practices,
rather than being forced to do so as a regulatory requirement.

Despite similar adoption times across the group, when asked to indicate the BCM maturity
levels of their organizations, the results varied considerably. While this was a small group
of experts, as expected, this does show that the maturity level should not be judged by the
length of adoption alone.

However, when discussing the relationship between years of adoption and the overall maturity
of the BCM programme, some practitioners reported that conversations related to business
continuity had become more active over time among top management, executives, and key
personnel of various departments. This was also the result of the increasing number of
exercises improving the communication flow across different business units and levels.

Similarly, some explained how they were able to obtain more buy-in from stakeholders as time
went by, since the perception of BCM shifted towards business as usual as it became more
embedded. In this regard, a BCM expert from the fintech sector highlighted the importance of
standards and guidelines, which provide a benchmark and a guide to keep track of progress in
the implementation of BCM.

On the other hand, others showed frustration about the lack of linear progress in terms of
BCM maturity. Specifically, an expert from the professional services sector stated that
despite programmes being adopted for many years, some of the basics are often still missing.
They pointed out that even in those instances where the BCM programme seems quite mature,
since it comprises several activities in line with international good practices, the
programme can still be more of a tick-box exercise. In addition, a resilience professional
from the technology sector reported how, in a previous organization, BIAs, exercises, and
post-incident reviews were more of a formal effort rather than true value-adding activities,
since they lacked real commitment.

Another perspective to consider is the impact of threats and risks to the organization during
the period where the BCM programme is active. According to a participant from the professional
services sector, the process of learning from past events tends to create a positive effect
that increases the maturity of business continuity arrangements. However, the number of events
faced during a set period will be different for every organization.

Elsewhere, for those at the start of the BCM implementation process, the focus may first be on
embedding a business continuity and resilience culture. For instance, a BCM professional with
a relatively new programme explained how they are rolling out a programme to educate the
business on what BCM is and why it is important, but that it is difficult to determine how
impactful the programme might be in facing disruptions. However, the respondent showed
confidence in the fact that this process will at least increase risk awareness as well as the
response capabilities of the organization.

The structure of the programme
Digging into some of the formative elements of BCM, experts identified some of the activities
that are part of their programme. Each participant reported engaging in top management
discussions, while the establishment of a crisis management committee was equally popular.
Indeed, the relationship between BCM and crisis management is closer than it has ever been,
according to the BCI Crisis Management Report 2023 [7], with responsibility for both
increasingly falling under the same functional role.

Experts also agreed on the importance of analysis and validation activities, which range from
the BIA and a continuity requirement analysis (CRA) to exercising and post-incident reviews.
On the other hand, opinions were less consistent across the panel when it comes to risk
assessments and horizon scanning, CRA for suppliers, and training sessions. These findings are
significant despite the restricted nature of the sample, since it is useful to understand
where experts' opinions converge. This process helps highlight both good practices and
potential challenges, paving the way for further research and providing guidance for the
practitioner community.

Interestingly, a participant offered their point of view as an auditor, revealing that most
large organizations have outdated BCM programmes, even those that hold certifications, and
they require many improvements. Large organizations may also run in maintenance mode, trying
to preserve BIAs, business continuity plans, and risk assessments that were created several
years ago. They may be unaware of when these documents were established or how to refresh the
whole process, which leads to gaps in the programme. Furthermore, when it comes to the
operating context of the organization, which includes regulatory requirements, third parties,
and external stakeholders, almost all organizations have gaps in their preparedness measures.

What are the key findings from consulting practitioners?

The discussions with practitioners held for this report highlight some of the difficulties of
using metrics or the structure of the programme to assess BCM maturity, without a qualitative
evaluation of the state of the programme. Existing models look at specific metrics or items
that must be present to assess the effectiveness of BCM. However, that is a snapshot that can
only provide an initial idea of what is formally present. For instance, in this white paper we
have seen how the length of adoption alone is not a reliable measure of the quality of
business continuity arrangements in an organization.

Furthermore, the activities present across all the BCM programmes analysed were similar,
although some were more complete than others, but this also failed to give an accurate
explanation for the different maturity levels.

Professionals were able to provide a clearer picture through qualitative responses, describing
the internal corporate dynamics that underpinned the foundations of their BCM programmes.
Thus, it was possible to appreciate that the key element for the establishment of mature and
effective BCM consisted of how the organization developed the programme, regardless of the
list of activities that formally belonged to it. In the absence of true commitment, BCM
programmes were not mature.

For instance, a resilience professional from the technology sector revealed how, in a previous
organization, the programme was not ready to pass an audit despite being present for several
years and including processes such as BIAs and a crisis management function. In this case, the
problem was that the approach lacked any real structure and was not updated regularly.

Indeed, maintenance also emerged as another foundation of BCM. Regular reviews of analysis,
plans, and requirements are necessary to keep these measures relevant to the operating
context, otherwise they become a mere formality with no real use.

Others remarked upon the importance of proceeding through different steps, without rushing
activities when the organization is not yet ready. A resilience expert from a software
provider stated that the development of a sound BCM programme realistically requires several
years before it is fully embedded within the organization, which was echoed by other experts
in the sample. The same participant also specified that providing input into regular
management updates was necessary to the correct development of a BCM programme.

These findings are consistent with previous research from the BCI, such as its Business
Continuity Resources Benchmarking Report 2022 [8], which showed how BCM teams are more
effective when they can leverage a number of facilitators and champions across the workforce.

The importance of establishing relationships with other business units to create an overall
resilience culture was also one of the main findings in a BCI white paper on how to embed
business continuity [9]. In this vein, an assessment of the collaboration and communication
flow through the organization is necessary to fully understand the maturity level of a BCM
programme.

A professional from risk management, IT governance, and service continuity stressed the
importance of defined metrics as well as standardised documentation in a BCM programme, which
must also be subject to rigorous quality controls. Building on this, an expert from the
professional services sector remarked on the value of sharpening the true response
capabilities of an organization, focusing on exposure and reducing bureaucracy. Similarly, a
practitioner from the same sector compared the establishment of BCM to a blending process,
where different units of the organization must harmonise and integrate with each other to
achieve true maturity. The same respondent underlined the concept that excelling at being
compliant is not the same as developing a BCM programme. Of course, international guidelines
and good practices are necessary, but they are a means to an end and should not become a mere
checklist.

Years of adoption: 5-10 years
Alignment towards international guidelines: Yes
How would you rank your maturity level (1 = lowest; 5 = highest): 1
BCM activities
Top management discussions
Supplier CRA
BIA
Exercises
Internal CRA
Audits
Post incident review

Years of adoption: More than 10
Alignment towards international guidelines: Yes
How would you rank your maturity level (1 = lowest; 5 = highest): 4
BCM activities
Top management discussions
Internal CRA
BIA
Supplier CRA
Risk assessments/horizon scanning
Crisis management committee
Post incident or post action reviews

Years of adoption: More than 10
Alignment towards international guidelines: Yes
How would you rank your maturity level (1 = lowest; 5 = highest): 4
BCM activities
Top management discussions
Risk assessments/horizon scanning
Training/awareness
Internal CRA
BIA
Supplier CRA
Post incident or post action reviews
Audits
Exercises
Crisis management committee

Years of adoption: 1-3 years
Alignment towards international guidelines: Yes
How would you rank your maturity level (1 = lowest; 5 = highest): 3
BCM activities
Top management discussions
Risk assessments/horizon scanning
Training/awareness programmes
Internal CRA
BIA
Crisis management committee
Post incident or post action reviews
Exercises

Years of adoption: 5-10 years
Alignment towards international guidelines: No
How would you rank your maturity level (1 = lowest; 5 = highest): 2

Years of adoption: 1-3 years
Alignment towards international guidelines: Yes
How would you rank your maturity level (1 = lowest; 5 = highest)

BCM activities
Top management discussions
Top management discussions
Risk assessments/horizon scanning
Training/awareness programmes
Training/awareness programmes
Internal CRA
BIA
Crisis management committee
Supplier CRA
Post incident or post action reviews
Audits
Exercises
Exercises
Conclusion
Overall, this white paper shows different aspects to consider
when evaluating the maturity levels of a BCM programme. The
analysis of previous maturity models as well as the consultation
with a panel of experts on the subject offer a series of metrics
that professionals can use to better understand the state
of preparedness of their organization. These include both
quantitative and qualitative metrics, taking into account the
complexity of BCM, and can be found below:
01 Time.
02 Alignment towards international guidelines.
03 Activities as listed in the BCMS or as in international guidelines and standards.
04 Number of facilitators and champions including their outreach to different business units.
05 Records of updates to key documents such as BIAs, plans, and post incident reviews.
06 Communications with top management and key stakeholders on the progress of the programme.
07 Training and education programmes.
08 Establishment of a crisis management or incident response structure.
09 Exercises and tests.
10 Post-incident reviews.

As shown, the effectiveness of these elements in measuring maturity is limited when used in isolation.
However, these parameters may also form the basis for each organization to formulate their own maturity
model. The issue with many previous models is that they come in pre-established formats that allow for little
flexibility in the face of different internal requirements and operating contexts. Therefore, the findings of this
white paper show some key metrics that can offer guidance without imposing a specific model. This is also in
line with the principles underlying international guidelines and good practices, which state how each practice
must be adapted according to the specific needs of an organization.
Contributors
Gianluca Riglietti
Gianluca is a researcher and a freelance content creator interested in the development
of resilient and safe societies. He has experience managing international research
projects for companies such as BSI, Zurich, Everbridge and SAP. He works regularly with
a number of organizations in the field of organizational resilience, such as the BCI. In his
publications he has addressed a wealth of topics, such as climate change, cybersecurity,
supply chain management and business continuity. He is also a PhD Candidate
at Politecnico di Milano, where he investigates the impact of business continuity
management on supply chain resilience.
Kieran Matthews, Content Manager, The BCI
Kieran has several years of experience in developing and delivering content strategies
for many different publications, both in print and online. He has also been involved
in large-scale research projects to explore regional market dynamics in different
industries, using both open-source and quantitative research methods. Through his
work, Kieran has used various research techniques to engage with topics of interest,
such as environmental and sustainability issues, supply chain resilience, and the impacts
of emerging technology on industry.
About the BCI
Founded in 1994 with the aim of promoting a more resilient world, the BCI has
established itself as the world's leading institute for business continuity and resilience.
The BCI has become the membership and certifying organization of choice for
business continuity and resilience professionals globally with over 9,000 members in
more than 100 countries, working in an estimated 3,000 organizations in the private,
public, and third sectors. The vast experience of the Institute's broad membership
and partner network is built into its world class education, continuing professional
development, and networking activities. Every year, more than 1,500 people choose
BCI training, with options ranging from short awareness raising tools to a full academic
qualification, available online and in a classroom. The Institute stands for excellence
in the resilience profession and its globally recognised Certified grades provide
assurance of technical and professional competency. The BCI offers a wide range of
resources for professionals seeking to raise their organization's level of resilience and
its extensive thought leadership and research programme helps drive the industry
forward. With approximately 120 partners worldwide, the BCI Corporate Membership
offers organizations the opportunity to work with the BCI in promoting best practice in
business continuity and resilience.
The BCI welcomes everyone with an interest in building resilient organizations, from
newcomers, experienced professionals, and organizations. Further information about
The BCI is available at www.thebci.org.
Contact The BCI
+44 118 947 8215 | bci@thebci.org
9 Greyfriars Road, Reading, Berkshire, RG1 1NU, UK
References
1. Andrews, R. (2016). Demonstrating the Value of Business Continuity Planning: Maturity Models.
   Available at: Enterprise Risk Management: What the BCP Professional Needs to Know (driecentral.org)
2. Langsett, M. (2016). Six levels of business continuity maturity. Continuity Central.
   Available at: Six levels of business continuity maturity (continuitycentral.com)
3. BSI (n.d.). ISO 22301 Self Assessment Checklist.
   Available at: BSI-ISO-22301-Self-Assesment-checklist.pdf (bsigroup.com)
4. Langsett, M. (2016).
5. BSI (n.d.).
6. ISO (2017). ISO 22316 Security and resilience - Organizational resilience - Principles and attributes.
7. Elliott, R. and others (2023). BCI Crisis Management Report 2023. The BCI (online).
   Available at: https://www.thebci.org/resource/bci-crisis-management-report-2023.html (last accessed 13 November 2023)
8. Riglietti, G. (2022). Business Continuity Resources Benchmarking Report 2022.
9. Riglietti, G. (2023). BCAW 2023 White Paper: Organizational Resilience in the Workplace.
   Available at: https://www.thebci.org/resource/bcaw-2023-white-paper--organizational-resilience-in-the-workplace-.html
Correct as of November 2023
Annex