Rawpixel.com - stock.adobe.com
Maturity models examine where an organization is from a specific perspective and are used to help the organization advance to an ideal or desired state. Models can range from simple paper-and-pencil designs to robust, computer-based systems.
Business continuity (BC) is a detailed set of processes and procedures, well suited to the maturity model format.
One of the first maturity models addressing BC issues was introduced in 2003 by Virtual Corporation as the Business Continuity Maturity Model. Organizations can use this standard as a reference model to assess their capabilities to manage risks and recover operations quickly.
Characteristics of a maturity model
A maturity model begins with the status of the organization at the start of the process, or the current state. It then defines what the desired state -- or an end state -- of maturity looks like.
Once an organization has set this goal, it can establish various activities in a structured program that moves the organization from its current state to the desired one. By performing tests along the way, the business verifies that it has successfully completed steps defined in the maturity process.
Additional assessments and measurements can demonstrate that each step in the maturity process has been achieved. Organizations might use a spreadsheet or application engine to generate data demonstrating increased maturity. One way to do this is to establish KPIs for various BC performance levels.
The following table provides examples of business continuity KPIs and how they might be applied in a maturity model.
|Performance Indicator||Maturity Level 1||Maturity Level 2||Maturity Level 3||Maturity Level 4||Maturity Level 5|
|Creation of a formal program||X|
|Initial leader employed||X|
|Experienced staff added||X||X||X||X|
|Office area established||X||X||X||X|
|Schedule of policy reviews set||X||X||X|
|Schedule of procedure reviews set||X||X||X|
|Initial BC plan developed||X||X|
|Advanced BC plan developed||X||X||X|
|Automated BC plan developed||X||X||X|
|Schedule of plan reviews set||X||X||X|
|Initial BIA completed||X|
|Schedule of BIAs set||X||X||X|
|Initial RA completed||X|
|Schedule of RAs set||X||X||X|
|Initial exercise completed||X|
|Exercise schedule established||X||X||X|
|Scenario exercising established||X||X|
|Limited senior management support||X||X|
|More active management support||X||X||X|
|C-level position established||X|
|Initial compliance review||X||X|
|Compliance review schedule set||X|
|Department budget established||X||X||X||X|
|Annual budget review set||X||X||X|
|Initial team training completed||X|
|Schedule of training set||X||X||X|
While the previous table and graphics are relatively simple, advanced maturity model systems can be complex and often require users to take system training.
Figure 2 depicts a maturity model optimized for business continuity. Each stage of the process builds on the previous one, and the final stage represents the desired state of business continuity operations for the organization. Continual improvement is understood to be a fundamental element of the maturity process and is found in many standards, especially those from the ISO.
Creating a business continuity maturity model
The previous visuals can serve as a starting point for developing a business continuity maturity model. Support from senior management is essential, and BC teams should position the project to demonstrate that the organization's BC activities are aligned with good practice as well as relevant standards and regulations, and are progressing toward an effective maturity.
If management agrees to the use of a maturity model, the business can assemble a team, define the criteria for demonstrating maturity and define the desired ultimate maturity level. The BC team should complete and document an initial analysis of the current state, then use the steps and activities defined in the model to help identify projects to demonstrate maturity. Performance indicators can help properly define and position projects for elevating maturity.
Pros and cons of maturity models
Preparing and implementing programs to enhance the maturity of BC programs can help organizations achieve desired outcomes. These models identify activities to develop at each level of maturity so that the organization can achieve and demonstrate continual improvement.
Are maturity models a requirement for business continuity? A quick and simple answer is no, they are not necessary for a successful BC plan. However, at some point, senior management might ask about the BC program and what is happening. They might ask if it is still needed and how the associated expenses can be justified. A maturity model is an effective visual tool to demonstrate concrete improvements in a business continuity program.
However, business continuity and disaster recovery is a notoriously high-stakes, complex and often underfunded area. A maturity model is a useful way to demonstrate progress, but it can add more work to an already busy BC department.