6 levels of business continuity maturity: Your BCM program is so mature (or not)!

How mature is your organization when it comes to business continuity & organizational resilience? Does your Business Continuity Management (BCM) program crawl, walk or run? From self-governed to synergistic, we have identified 6 levels of BCM maturity that most companies fall into. What is your organization’s level? Here is our breakdown:



You’re so BCM immature!

Levels 1-3 represent organizations that have not yet completed the program basics needed to launch a sustainable enterprise Business Continuity Management (BCM) program.


Level 1 - Self-Governed: It’s every man (or woman) for him/herself!

Individual business units and departments are "on their own" to organize, implement, and self-govern their own business continuity or disaster recovery efforts. The state-of-preparedness for disruptive events is low across the organizational enterprise. The organization or individual departments react to disruptive events when they occur. There is no real planning involved: business continuity recovery is reactive rather than proactive.


Level 2 – Departmental: Sole BCM survivor

At least one business unit gets it.  You have reached Level 2 of BCM maturity if at least one department or business unit has initiated efforts to establish management awareness of the importance of Business Continuity. A few functions or services have developed and maintain BC plans within one or more BC disciplines such as:

  1. Incident Management
  2. Technology Recovery
  3. Security Management
  4. Business Recovery

At level 2, your organization has at least one internal or external resource assigned to support the business continuity efforts of the participating business units and departments. The state-of-preparedness may be moderate for participants, but remains relatively low across the majority of the company. Management may see the value of a BCM Program, but with minimal executive buy-in they are unwilling to make it a priority at this time.


Level 3 – Cooperative: Moderately prepared, but not quite mature

 Participating business units and departments have instituted a rudimentary governance program, mandating at least limited compliance to standardized BCM policy, practices, and processes to which they have commonly agreed. (Note: this is not an enterprise BCM policy.)

  • A BCM Program Office or Department has been established, which centrally delivers BCM governance and support services to the participating departments and/or business units.
  • Audit findings from these participants are being used to reinforce competitive and strategic advantage for their groups.
  • Interest in leveraging the work already done is being promoted as a business driver for launching a BCM Program.
  • Some business units and departments may have achieved a high state-of-preparedness; however, as a whole, the enterprise is at best moderately prepared.
  • Still lacking executive buy-in: senior management has not committed the enterprise to a BCM Program.



Your BCM program is all grown-up!

Levels 4-6 represent the evolutionary path of the maturing enterprise BCM program. If your company achieves level 4, you are compliant with most standards. Content has been added that specifically addresses the following standards: ISO 22301, NFPA1600, ASIS and BS25999.


Level 4 - Standards Compliant: You have reached early BCM maturity adulthood

Congratulations! Senior management gets it and is committed to the strategic importance of an effective BCM program throughout the organizational enterprise. In addition, there is an enforceable, practical BCM policy that adopts associated standards, including methods and tools for addressing all 4 BC disciplines:

  1. Incident Management
  2. Technology Recovery
  3. Security Management
  4. Business Recovery

But wait, that’s not all! A BCM program office or department has been created to govern the program and support all enterprise participants, ensuring that:

  • Each group has acquired its own and/or utilizes the central BCM professional resources.
  • BCM policy, practices, and processes are being standardized across the Enterprise.
  • A BCM competency baseline was developed and a competency development program is underway.
  • All critical business functions have been identified and continuity plans for their protection have been developed across the Enterprise.
  • Departments conduct “unit tests” of critical business continuity plan elements.
  • All business continuity plans are updated routinely.


Level 5 - Integrated: You have raised the BCM bar!

At level 5, the organization meets all of the requirements of level 4, and the program is now integrated throughout the enterprise, with continuous quality improvement practices adopted.

  • All business units and departments have completed tests on all elements of their business continuity plan including their internal and external dependencies.
  • Plan update methods have proven to be effective.
  • Senior management has participated in crisis management exercises.
  • A multi-year plan has been adopted to continuously "raise the bar" for planning sophistication and Enterprise-wide state-of-preparedness.
  • A communications and training program exists to sustain the high level of business continuity awareness following a structured BCM competency maturity program.
  • Audit reports no longer highlight business continuity shortcomings.
  • Strategic and competitive advantages achieved from the BCM Program are highlighted in periodic internal and external communications.


Level 6 – Synergistic: You have reached BCM self-actualization!

You rock levels 4 and 5 with a new air of worldly wisdom. As official business continuity gurus, you are at a level where:

  • Sophisticated business protection strategies are formulated and tested successfully.
  • Cross-functional business continuity capabilities are measured.
  • Change control methods and continuous process improvement keep the organization at an appropriately high state-of-preparedness even though the business environment continues to change radically and rapidly.
  • Innovative policy, practices, processes, and technologies are piloted and incorporated into the BCM Program.


Keep in mind, BCM maturity is not static, so if you haven’t reached your desired maturity level, you can still progress to the next level. Be sure your BCM program doesn’t lose momentum or it can fall back one or more levels. As with any business process, if the supporting infrastructure is removed or significantly diminished, the effectiveness of the BCM Program will deteriorate and with it the company’s state-of-preparedness.

These Business Continuity Maturity Model (BCMM) standards can be easily applied to other standards, including government and military COOP standards. Please contact our business continuity service center for a free 15-minute consultation to find out more.
