Professional Documents
Culture Documents
ID Number: G00205310
A series of highly publicized, extremely damaging events has made it clear that business
continuity management (BCM) is an essential concern for all enterprises, whatever their
type, industry or region of operation. BCM professionals can use Gartner's BCM ITScore
maturity assessment, and its accompanying diagnostic tool, to identity their current and
desired levels of maturity, and improve their BCM efforts.
Key Findings
The traditional IT-centric view of BCM is necessarily shifting toward a comprehensive,
enterprisewide focus on business resilience, driven by 24/7 service delivery
requirements, the impact of globalization, and increasing natural and man-made risk.
Improving an enterprise's BCM maturity is a long-term undertaking, and not all
enterprises can or should attempt to reach the highest level of maturity.
Maturity improvements will inevitably move the enterprise's BCM efforts well beyond the
IT organization, and will require significant commitment from senior executives and
many key stakeholders across the enterprise and external to it.
Many large global enterprises have made significant investments in recovery initiatives,
but few have yet undertaken any formal maturity assessment of their BCM programs.
Key indicators of progressing maturity encompass management processes, people and
organization, technologies and tools, and business culture.
Recommendations
Assess the maturity of your BCM program using Gartners ITScore for BCM online
diagnostic tool and address the areas needing improvement.
Begin the BCM maturity improvement process by appointing an individual responsible
for the enterprise's BCM program even if the program does not yet exist. This
individual will develop BCM strategies, beginning with key functions such as IT disaster
recovery management (IT DRM) and crisis management.
Establish a BCM steering committee that comprises representatives of stakeholders
throughout the enterprise.
Build on existing ad hoc BCM/DR communication and collaboration mechanisms to
develop a formal mechanism for discussing BCM issues and responsibilities with the
lines of business and other stakeholders.
2010 Gartner is a registered trademark of Gartner, Inc. and/or its affiliates. Gartner for IT Leaders is a service mark of
Gartner and/or its affiliates. All rights reserved. Reproduction and distribution of this publication in any form without prior
written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable.
Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Although Gartner's
research may discuss legal issues related to the information technology business, Gartner does not provide legal advice or
services and its research should not be construed or used as such. Gartner shall have no liability for errors, omissions or
inadequacies in the information contained herein or for interpretations thereof. The opinions expressed herein are subject to
change without notice.
Critically evaluate your current BCM program to determine if it has been founded on
well-defined principles, policies, practices and processes. Engage external expertise if
necessary.
Develop a vision and strategic plan to establish or improve the maturity of the BCM
program, and manage to that plan.
Work to develop repeatable activities, realistic metrics and workable testing plans that
can be used enterprisewide.
Make aligning the enterprise's BCM program with day-to-day business operations the
ultimate goal of the maturity process.
Page 2 of 16
TABLE OF CONTENTS
Strategic Planning Assumption ..................................................................................................... 4
Analysis ....................................................................................................................................... 4
1.0 An Introduction to the ITScore Approach to BCM Maturity .......................................... 4
2.0 Overview of Maturity Levels ....................................................................................... 4
3.0 Dimensions and Key Indicators of BCM Maturity ........................................................ 6
3.1 Dimensions ................................................................................................... 6
3.2 Four Key Indicators ....................................................................................... 7
4.0 Level 1: Initial ............................................................................................................. 8
4.1 Characteristics............................................................................................... 8
4.2 Recommended Actions for Improvement ....................................................... 8
5.0 Level 2: Developing.................................................................................................... 9
5.1 Characteristics............................................................................................... 9
5.2 Recommended Actions for Improvement ....................................................... 9
6.0 Level 3: Defined ....................................................................................................... 10
6.1 Characteristics............................................................................................. 10
6.2 Recommended Actions for Improvement ..................................................... 11
7.0 Level 4: Managed .................................................................................................... 11
7.1 Characteristics............................................................................................. 11
7.2 Recommended Actions for Improvement ..................................................... 12
8.0 Level 5: Optimizing .................................................................................................. 12
8.1 Characteristics............................................................................................. 12
8.2 Recommended Actions................................................................................ 13
9.0 Diagnostic Tool Overview ......................................................................................... 13
10.0 Directions for Use................................................................................................... 13
Recommended Reading ............................................................................................................. 15
LIST OF FIGURES
Figure 1. Overview of ITScore BCM Maturity Levels ..................................................................... 5
Page 3 of 16
ANALYSIS
Page 4 of 16
Page 5 of 16
Each stage of maturity builds on the previous stage, but, in practice, elements of different stages
may exist at the same time. Organizational readiness and/or willingness means that some
elements may be farther advanced than others.
The Gartner BCM Maturity Assessment is based on the principle that the quality of an
organization's BCM program and recovery plans will be directly related to the quality and maturity
of the BCM processes and practices used to create and maintain them. Such an assessment is a
useful diagnostic tool. It helps organizations discern where they are and what they should do
next, and also serves as a prognostic tool to determine what is likely to happen next. It is
important to note that although all organizations should strive to improve their BCM processes
and practices, moving from one maturity level to the next is not necessarily a simple task, and
that enterprises shouldn't necessarily target Level 5 as their goal. The effort to get to that stage
may not be required to achieve a satisfactory level of risk for enterprise stakeholders. Level 3 is
the minimum level that organizations should find acceptable. In fact, this may be entirely
unrealistic for many enterprises, which may not need, or not be able to justify the costs of, the
highest levels of BCM preparedness. BCM professionals need to conduct a realistic assessment
not only of the current BCM maturity levels of their enterprises, but also of their future
requirements and their organizational and technological capabilities.
3.1 Dimensions
The questions and answers in the BCM Maturity Model are categorized into seven dimensions
that provide a detailed structure to assess maturity. They map into the four key indicators in
Section 3.2, which provide a higher level of discussion around characteristics for each maturity
level.
1. BCM Governance: BCM governance is a set of collective decisions and guidance on
using BCM and IT DRM in the business. Early stages of maturity provide no governance
structure. Once at Level 3, the structure starts to take shape.
2. BCM Program Scope: BCM program scope represents the breadth of the BCM program
activities across the enterprise and beyond. In the earlier stages of maturity, the
program will likely only cover IT DRM. In later stages of maturity, it will encompass more
BCM components (crisis management, business recovery and so forth) as well as more
of the enterprise's business activities.
3. Budgeting and Investments: Many organizations with low overall BCM maturity are
reactive and ad hoc, and recovery activities are focused on tactical planning and
budgeting. Mature organizations execute annual planning, with quarterly objectives
aligned with the strategic business plan.
4. BCM Program Organization: Organizational maturity represents the readiness of the
organization and people dimensions of BCM maturity. It addresses characteristics such
as having the right people with the appropriate skills organized in a reporting structure
that minimizes conflicts of interest and clearly defined responsibilities and
accountabilities.
5. BCM and IT DRM Architecture Guidelines and Framework: Organizations with lower
levels of BCM maturity do not include all key components of a standardized BCM
framework, including business and technology interdependencies, risk assessment,
Page 6 of 16
business impact analysis, exercise framework and automation that can help ensure that
the standard framework is used by every area within the enterprise.
6. BCM Processes and Controls: Process maturity is a traditional measure of formalizing
BCM processes so that they can be repeatable, measurable, reportable, survivable and
continuously improved.
7. Awareness, Training and Exercising: Training and exercising recovery plans are the
primary means used to assess and improve the effectiveness of the BCM program
aside from experiencing an actual disaster. Lower levels of maturity have no training or
exercising methodology in place. Higher levels of maturity maintain workforce
awareness and exercise recovery plans on a regular basis.
Page 7 of 16
Page 8 of 16
Begin producing internal (IT only) reports of progress being made with IT DRM plan
construction and/or management process development.
Develop a basic crisis management and communications process for all types of
disasters, not just IT events.
Create checklists defining how the enterprise, and organizations and individuals within
the enterprise, should respond to specific situations (for example, who should be notified
in an emergency, what vital records the enterprise holds, where and in what form, what
key applications need to be protected, and the locations where recovery operations may
need to be initiated).
Page 9 of 16
Develop plans for the creation of a more comprehensive BCM program, with leadership
responsibility and organizational structure clearly defined. This program may report into
the IT organization, the security organization or business operations Gartner
considers this a best practice or its structure may be location-specific.
Institute a BCM steering committee, with appropriate business unit and IT membership,
to govern the BCM program and establish program mandates and authority, and more
effectively align business-unit recovery expectations with IT delivery capabilities.
Define the data center infrastructure upgrades that will be required to support all
application recovery classes. Begin upgrade implementations that can be initiated within
data center budgetary constraints.
Define a sourcing strategy that defines how external service providers can most costeffectively support IT DRM program goals and objectives.
Develop improved contingency planning and testing including formalized tabletop
testing of business responses. Expanding the scenarios used, to consider more
components of BCM, and more types of risk, which will eventually make possible the
creation of a more comprehensive, formalized program.
Create formal mechanisms for communicating with senior management about the
developing program, its successes and challenges, and its evolving drivers (for
example, pressure from customers or partners to demonstrate program maturity).
Develop and formalize a set of BCM processes (for example, risk and business impact
assessment, testing and exercising, change management) with their respective
responsible, accountable, consulted and informed (RACI) charts and metrics.
Begin evaluating supporting automation tools.
Page 10 of 16
Processes and Tools: IT DRM application recovery class definitions and plans are in
place for all mission-critical applications, at a minimum. Comprehensive testing of IT
DRM plans continues and is now focused on meeting specific RTOs and RPOs. IT DRM
recovery infrastructure design and IT DRM sourcing strategy are well under way, and
BCM program architecture and management are in the beginning stages of
development, although program management automation is not place. Recovery plans
are developed using office automation tools.
Business Culture: BCM and IT DRM are starting to be aligned with critical business
objectives, but still do not contribute to business enablement. Business stakeholders are
consulted for feedback on IT DRM direction. Business recovery expectations and IT
DRM recovery capabilities are aligning more effectively.
Page 11 of 16
Page 12 of 16
Page 13 of 16
improvement, and provides a useful tool for having a fact-based discussion on program maturity,
which can help to overcome the political and cultural issues that may be preventing BCM program
development.
The BCM leadership team should assess BCM program maturity as honestly as possible, since it
is a subjective exercise. It's helpful to adopt appropriate measurement standards, if they exist,
from inside the organization. As long as the maturity assessment is done by minimizing hidden
agendas or motives, it adds value. It can provide valuable insights into areas of constraint and
potential improvement, and can be used as an indicator of risk.
Understanding a BCM program's maturity level is of little use unless it is a starting point for
change. Enterprises should adopt these steps to improve the maturity of their BCM programs:
Assess current state. To increase maturity levels, an enterprise must understand how
it is positioned.
Identify gaps. This analysis identifies factors in the enterprise and its environment that
constrain the success of the BCM program. In many cases, the maturity of the BCM
program is unbalanced across the various dimensions listed here. For example, having
a well-developed set of BCM deliverables will not ensure a positive impact unless they
are supported by an appropriate management governance process to ensure any
activities projects are compliant. The gap analysis works to identify the program
deficiencies that are holding back the BCM program from reaching its full potential.
Set maturity targets. Once the gap analysis is complete, maturity target setting defines
specific goals for improvement. The maturity target is not a "blue sky" activity; it must be
grounded in reality, with recognition of business priorities, required resources, program
change capacity, and prevailing enterprise culture and maturity. It must also be
associated with a specific future time frame.
Plan improvements. Improvement planning identifies the gaps between the current and
the desired future states, and the transformation steps required to fill these gaps. The
program improvement plan must define the improvement projects that will be
undertaken to fulfill the plan. The improvement plan defines the necessary details (for
example, scope, objectives, deliverables, resources, costs and schedule) needed to
initiate the improvement project.
Continuously improve the BCM program. As with other key activities, a continuous
improvement program should be put in place for BCM. Gartner recommends reviewing
BCM maturity and improvement goals on at least an annual basis. BCM program
maturity assessment is a cyclical activity. Subsequent assessments will evaluate nowcurrent states (a measure of the success of any maturity-improvement projects), reevaluate the desired states and define new planned states. This activity will be part of
the normal planning cycle for BCM. In enterprises at Level 3: Defined or above in
Management Processes, the desired states will likely flow from competitive advantage
positioning, supply chain pressure or strategic planning activity.
Enterprises should understand their current maturity levels and use this as a foundation to
increase BCM program maturity. Achieving higher levels of maturity is not an end in itself; rather,
higher BCM maturity will enable the realization of the many benefits of BCM. Also, understanding
the current level of BCM maturity enables organizations to recognize how this maturity level
constrains what can be achieved and to set expectations accordingly.
Organizations are not static. Investment in BCM may ebb and flow over years, which can
sometimes result in a move backward on the path to higher levels of maturity. Acquisitions can
Page 14 of 16
also have a significant impact on BCM maturity. Organizations that are improving BCM maturity
will see a step-change pattern in program improvements. The BCM maturity tool should be used
periodically to determine current-state maturity and make knowledgeable decisions about how to
invest in program development in the future.
RECOMMENDED READING
"Business Continuity Management Defined, 2008"
"Activity Cycle Overview: Business Continuity Manager Role, 2010 to 2011"
"Business Continuity Management Governance Defined, 2010"
"A New Approach: Obtain Business Ownership and Investment Commitment for Business
Continuity and Resilience Management Through Key Performance and Risk Indicator Mapping"
"Case Study: Euroclear Bank Applies Business Continuity Management Practices to Financial
Crises"
"Research Roundup: Business Continuity Management and IT Disaster Recovery Management,
2Q10"
"How to Calculate the Cost of Continuously Available IT Services"
"How to Assess Your IT Service Availability Levels"
"Disaster Recovery Sourcing: The Time to Make More-Informed Decisions Has Come"
"Toolkit: RFP for IT Disaster Recovery and Work Area Recovery Services, 2010"
"Disaster Recovery Service-Level Management: Implementation Guidelines"
"Toolkit: Create a Strategy for IT Service Data Availability and Protection"
Page 15 of 16
REGIONAL HEADQUARTERS
Corporate Headquarters
56 Top Gallant Road
Stamford, CT 06902-7700
U.S.A.
+1 203 964 0096
European Headquarters
Tamesis
The Glanty
Egham
Surrey, TW20 9AW
UNITED KINGDOM
+44 1784 431611
Asia/Pacific Headquarters
Gartner Australasia Pty. Ltd.
Level 9, 141 Walker Street
North Sydney
New South Wales 2060
AUSTRALIA
+61 2 9459 4600
Japan Headquarters
Gartner Japan Ltd.
Aobadai Hills, 6F
7-7, Aobadai, 4-chome
Meguro-ku, Tokyo 153-0042
JAPAN
+81 3 3481 3670
Latin America Headquarters
Gartner do Brazil
Av. das Naes Unidas, 12551
9 andarWorld Trade Center
04578-903So Paulo SP
BRAZIL
+55 11 3443 1509
Page 16 of 16