6 levels of business continuity maturity: Your BCM program is so mature (or not)!

How mature is your organization when it comes to business continuity & organizational resilience? Does your Business Continuity Management (BCM) program crawl, walk or run? From self-governed to synergistic, we have identified 6 levels of BCM maturity that most companies fall into. What is your organization’s level? Here is our breakdown:


You’re so BCM immature!

Levels 1-3 represent organizations that have not yet completed the necessary program basics needed to launch a sustainable enterprise Business Continuity Management (BCM) program.


Level 1 - Self-Governed: It’s every man (or woman) for him/herself!

Individual business units and departments are "on their own" to organize, implement, and self-govern their own business continuity or disaster recovery efforts. The state-of-preparedness for disruptive events is low across the organizational enterprise. The organization or individual departments reacts to disruptive events when they occur. There is no real planning involved: business continuity recovery if reactive vs. proactive.


Level 2 – Departmental: Sole BCM survivor

At least one business unit gets it.  You have reached Level 2 of BCM maturity if at least one department or business unit has initiated efforts to establish management awareness of the importance of Business Continuity. A few functions or services have developed and maintain BC plans within one or more BC disciplines such as:

  1. Incident Management
  2. Technology Recovery
  3. Security Management
  4. Business Recovery

At level 2, your organization has at least one internal or external resource assigned to support the business continuity efforts of the participating business units and departments. The state-of-preparedness may be moderate for participants, but remains relatively low across the majority of the company. Management may see the value of a BCM Program, but they are unwilling to make it a priority at this time with minimal executive buy-in. 


Level 3 – Cooperative: Moderately prepared, but not quite mature

 Participating business units and departments have instituted a rudimentary governance program, mandating at least limited compliance to standardized BCM policy, practices, and processes to which they have commonly agreed. (Note: this is not an enterprise BCM policy.)

  • A BCM Program Office or Department has been established, which centrally delivers BCM governance and support services to the participating departments and/or business units.
  • Audit findings from these participants are being used to reinforce competitive and strategic advantage for their groups.
  • Interest in leveraging the work already done is being promoted as a business driver for launching a BCM Program.
  • Some business units and departments may have achieved a high state-of-preparedness; however, as a whole, the enterprise is at best moderately prepared.
  • Still lacking executive buy in: senior management has not committed the enterprise to a BCM Program.


 Mature_BCM_program.pngYour BCM program is all grown-up!

Levels 4-6 represent the evolutionary path of the maturing enterprise BCM program. If your company achieves level 4, you are compliant with most standards. Content has been added that specifically address the following standards; ISO 22301, NFPA1600, ASIS and BS25999.


Level 4 - Standards Compliant: You have reached early BCM maturity adulthood

Congratulations! Senior management gets it and is committed to the strategic importance of an effective BCM program throughout the organizational enterprise. In addition there is an enforceable, practical BCM policy which adopts associated standards, including methods and tools for addressing all 4 BC disciplines:

  1. Incident Management
  2. Technology Recovery
  3. Security Management
  4. Business Recovery

But wait, that’s not all! A BCM program office or department has been created to govern the program and support all enterprise participants ensuring that:

  • Each group has acquired its own and/or utilizes the central BCM professional resources.
  • BCM policy, practices, and processes are being standardized across the Enterprise.
  • A BCM competency baseline was developed and a competency development program is underway.
  • All critical business functions have been identified and continuity plans for their protection have been developed across the Enterprise.
  • Departments conduct “unit tests” of critical business continuity plan elements.
  • All business continuity plans are updated routinely.


Level 5 - Integrated: You have raised the BCM bar!

At level 5, the organization meets all of the requirements of level 4 that is now integrated throughout the company enterprise adopting continuous quality improvement practices.

  • All business units and departments have completed tests on all elements of their business continuity plan including their internal and external dependencies.
  • Plan update methods have proven to be effective.
  • Senior management has participated in crisis management exercises.
  • A multi-year plan has been adopted to continuously "raise the bar" for planning sophistication and Enterprise-wide state-of-preparedness.
  • A communications and training program exists to sustain the high level of business continuity awareness following a structured BCM competency maturity program.
  • Audit reports no longer highlight business continuity shortcomings.
  • Strategic and competitive advantage achieved from the BCM Program are highlighted in periodic internal and external communications.


Level 6 – Synergistic: You have reached BCM self-actualization!

You rock levels 4 and 5 with a new air of worldly wisdom. As official business continuity gurus you have:

  • Sophisticated business protection strategies are formulated and tested successfully.
  • Cross-functional business continuity capabilities are measured.
  • Change control methods and continuous process improvement keeps this organization at an appropriately high state-of-preparedness even though the business environment continues to change radically and rapidly.
  • Innovative policy, practices, processes, and technologies are piloted and incorporated into the BCM Program.


Keep in mind, BCM maturity is not static, so if you haven’t reached your desired maturity level, you can still progress to the next level. Be sure your BCM program doesn’t lose momentum or it can fall back one or more levels. As with any business process, if the supporting infrastructure is removed or significantly diminished, the effectiveness of the BCM Program will deteriorate and with it the company’s state-of-preparedness.

These Business Continuity Maturity Model (BCMM) standards can be easily applied to other standards including government and military COOP standards. Feel free to contact our business continuity service center for a free 15 minute consultation to find out more. https://www.virtual-corp.com/bcmm 


Resilience, business continuity, project planning, disaster recovery, BCMM

Recent Posts

Business Continuity Virtual Event - Organizational Resilience Planning - DRJ Fall Event

Virtual Corporation is excited to be a Silver sponsor at DRJ Fall 2021. Stop by our virtual booth to learn about how Virtual Corporation specializes in partnering to develop and sustain repeatable, pr... Read More

Webinar: Business Continuity Management & Disaster Recovery (BCM&DR) on a Limited Budget

In this session, Michael Beth, Host and BCM Practice Lead for Virtual Corporations Professional Services, shares some ideas on how to manage, grow and mature a BCM&DR program with limited funding ... Read More

Business Continuity Management vs. Virtual Corporation’s Business Continuity as a Service

While most organizations understand the need for a business continuity management program, the costs of the program can begin to outweigh the need after a few years of engagement. To many executives, ... Read More