Business Continuity Maturity Assessment

Everything You Need to Know about a Business Continuity Maturity Assessment

How far has your company progressed in terms of business continuity? What is the state of your business continuity management (BCM) program? Is it crawling, walking, or running? We’ve discovered six levels of BCM maturity that most businesses fall into, ranging from self-governed to synergistic. What is the level of your company? Here’s how we broke it down.

1.    Immature

Organizations at Levels 1 through 3 have not yet accomplished the program basics needed to establish a long-term organizational business continuity management program.

  • Level 1 – Self-governed: Each man or woman is on his or her own!

Individual corporate units and departments are responsible for organizing, implementing, and self-governing their business continuity and disaster recovery plans. Disruptive occurrences are dealt with by the organization or by specific departments. Business continuity recovery is reactive rather than proactive, as there is no meaningful planning involved.

  • Level 2 – Departmental: The lone survivor of the BCM

Business continuity has been taken up by at least one business unit. If at least one sector or business unit has taken steps to raise management awareness of the necessity of business continuity, you’ve attained Level 2 of BCM maturity. Within one or more business continuity categories, a few operations or services have produced and maintained business continuity plans, such as:

  • Incident management
  • Technology recovery
  • Security management
  • Business recovery

At Level 2, your company has designated at least one internal or external resource to assist the collaborating business units and departments with their business continuity activities. However, they are still hesitant to make a concerted effort at this time due to a lack of leadership support.

  • Level 3 – Cooperative: Prepared to a moderate degree, but not quite mature

Participating business divisions and departments have put in place a fundamental governance model that requires at least limited adherence to standardized BCM policy, procedures, and processes that they have all agreed upon.

  • A BCM Program Office or Department has been formed to provide BCM governance and support programs to the collaborating departments.
  • These participants’ audit results are being used to strengthen their groups’ competitive and strategic advantages.
  • Although some corporate units and divisions may have attained a high level of preparedness, the organization as a whole is only moderately prepared.
  • Senior management has not dedicated the company to a BCM program, therefore there is still a lack of executive buy-in.

2.    Maturing

Levels 4 through 6 represent the evolutionary route of the mature enterprise BCM program. If your organization achieves Level 4, it complies with the majority of regulations. Content has been added that specifically addresses ISO 22301, NFPA 1600, ASIS, and BS 25999.

  • Level 4 – Standards compliance: You’ve entered the stage of early BCM adulthood.

Kudos! Senior management understands the strategic value of an effective BCM program across the firm and is dedicated to it.

A BCM program office or section has been established to oversee the program and provide assistance to all organization participants.

  • Each group has its own expert resources and/or makes use of those provided by BCM.
  • The enterprise is standardizing BCM policy, procedures, and processes.
  • A competency baseline for BCM has been established, and a proficiency development program is now underway.
  • All essential business functions have been recognized, and enterprise-wide continuity plans have been devised to protect them.

  • Level 5 – Integrated

At Level 5, the firm has met all of the requirements of Level 4 and has implemented consistent quality improvement methods throughout the company. All business divisions and departments have successfully tested all aspects of their business continuity strategy, including external and internal responsibilities.

  • Level 6 – Synergistic: You’ve reached the peak of BCM self-actualization!

You provide a new air of worldly understanding to Levels 4 and 5. As official business continuity experts, you have the following responsibilities:

  • Complex business protection techniques are devised and successfully tested.
  • Capabilities for cross-functional business continuity are assessed.
  • Even when the business environment changes dramatically and rapidly, change control strategies and continuous quality improvement keep the company at an adequately high level of preparedness.
  • The BCM program pilots and incorporates creative policy, procedures, processes, and technologies.


Remember that BCM maturity isn’t fixed, so if you haven’t attained your ideal degree of maturity, you can still advance to the next level. Make sure your BCM program doesn’t lose steam, or it will regress a level or more. As with any business process, if the surrounding infrastructure is withdrawn or considerably reduced, the efficiency of the BCM program will worsen, as will the firm’s state of preparedness.