Gartner for IT Leaders

Publication Date: 17 September 2010

ID Number: G00205310

ITScore for Business Continuity Management


Roberta J. Witty, John P Morency

A series of highly publicized, extremely damaging events has made it clear that business
continuity management (BCM) is an essential concern for all enterprises, whatever their
type, industry or region of operation. BCM professionals can use Gartner's BCM ITScore
maturity assessment, and its accompanying diagnostic tool, to identify their current and
desired levels of maturity, and improve their BCM efforts.
Key Findings
The traditional IT-centric view of BCM is necessarily shifting toward a comprehensive,
enterprisewide focus on business resilience, driven by 24/7 service delivery
requirements, the impact of globalization, and increasing natural and man-made risk.
Improving an enterprise's BCM maturity is a long-term undertaking, and not all
enterprises can or should attempt to reach the highest level of maturity.
Maturity improvements will inevitably move the enterprise's BCM efforts well beyond the
IT organization, and will require significant commitment from senior executives and
many key stakeholders across the enterprise and external to it.
Many large global enterprises have made significant investments in recovery initiatives,
but few have yet undertaken any formal maturity assessment of their BCM programs.
Key indicators of progressing maturity encompass management processes, people and
organization, technologies and tools, and business culture.

Recommendations
Assess the maturity of your BCM program using Gartner's ITScore for BCM online
diagnostic tool and address the areas needing improvement.
Begin the BCM maturity improvement process by appointing an individual responsible
for the enterprise's BCM program, even if the program does not yet exist. This
individual will develop BCM strategies, beginning with key functions such as IT disaster
recovery management (IT DRM) and crisis management.
Establish a BCM steering committee that comprises representatives of stakeholders
throughout the enterprise.
Build on existing ad hoc BCM/DR communication and collaboration mechanisms to
develop a formal mechanism for discussing BCM issues and responsibilities with the
lines of business and other stakeholders.

2010 Gartner is a registered trademark of Gartner, Inc. and/or its affiliates. Gartner for IT Leaders is a service mark of
Gartner and/or its affiliates. All rights reserved. Reproduction and distribution of this publication in any form without prior
written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable.
Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Although Gartner's
research may discuss legal issues related to the information technology business, Gartner does not provide legal advice or
services and its research should not be construed or used as such. Gartner shall have no liability for errors, omissions or
inadequacies in the information contained herein or for interpretations thereof. The opinions expressed herein are subject to
change without notice.

Critically evaluate your current BCM program to determine if it has been founded on
well-defined principles, policies, practices and processes. Engage external expertise if
necessary.
Develop a vision and strategic plan to establish or improve the maturity of the BCM
program, and manage to that plan.
Work to develop repeatable activities, realistic metrics and workable testing plans that
can be used enterprisewide.
Make aligning the enterprise's BCM program with day-to-day business operations the
ultimate goal of the maturity process.

TABLE OF CONTENTS
Strategic Planning Assumption
Analysis
1.0 An Introduction to the ITScore Approach to BCM Maturity
2.0 Overview of Maturity Levels
3.0 Dimensions and Key Indicators of BCM Maturity
3.1 Dimensions
3.2 Four Key Indicators
4.0 Level 1: Initial
4.1 Characteristics
4.2 Recommended Actions for Improvement
5.0 Level 2: Developing
5.1 Characteristics
5.2 Recommended Actions for Improvement
6.0 Level 3: Defined
6.1 Characteristics
6.2 Recommended Actions for Improvement
7.0 Level 4: Managed
7.1 Characteristics
7.2 Recommended Actions for Improvement
8.0 Level 5: Optimizing
8.1 Characteristics
8.2 Recommended Actions
9.0 Diagnostic Tool Overview
10.0 Directions for Use
Recommended Reading

LIST OF FIGURES
Figure 1. Overview of ITScore BCM Maturity Levels

STRATEGIC PLANNING ASSUMPTION


Through 2014, 65% of large enterprises (those with more than 5,000 employees) will have a
formal BCM program (including formal maturity assessments), but no more than 35% will have
achieved a maturity level of Managed or Optimizing.

ANALYSIS

1.0 An Introduction to the ITScore Approach to BCM Maturity


BCM is increasingly recognized as a mission-critical function for most enterprises. There are
three main drivers for this broad awareness of the importance of BCM (24/7 service delivery
requirements, globalization, and increasing natural and man-made risk), and they are expanding
the scope of BCM well beyond its roots in IT DRM. Enterprises must concern themselves with
much more than the need to restore their data centers following a natural disaster such as a
hurricane or an earthquake. They must also take into account regulatory and other compliance
requirements, reputational damage, and maintaining the confidence of customers, business
partners and the financial markets. They must also ensure that their BCM efforts are cost-effective and sustainable. For all these reasons, virtually every enterprise needs to make a
serious, sustained effort to advance its BCM maturity level.
A maturing program will move the enterprise beyond a traditional, narrow IT-centric focus, and
eventually beyond the IT organization itself. As the BCM program matures, it will come to
embrace business recovery, contingency planning, crisis/incident planning, pandemic planning
and emergency response, along with IT DRM. The ultimate goal is to deliver not only business
continuity, but true business resiliency. This is a long-term undertaking that requires serious
commitment from senior executives and line-of-business leaders, and also from other internal
stakeholders ranging from the legal department to the HR organization and external partners.
Virtually every enterprise can, and should, improve its BCM maturity, and the first step in this
process is to conduct a detailed, realistic assessment of the enterprise's current state. For this
reason, Gartner developed ITScore, a comprehensive Maturity Assessment Framework. (The
ITScore system has also been applied to many other disciplines, including IT operations,
application development, compliance, identity and access management, information security,
privacy and risk management.) ITScore makes it possible to determine an enterprise's current
level of BCM maturity, and offers detailed recommendations for moving to the next level. It is
important to note that the highest levels of BCM maturity may not necessarily be attainable or
even desirable for all enterprises. However, the process of continuous improvement that
ITScore makes possible can deliver important benefits for all enterprises.

2.0 Overview of Maturity Levels


This ITScore-based Maturity Assessment represents an evaluation of an enterprise BCM
program based on key indicators of maturity, which encompass management processes,
personnel and organization, technologies and tools, and business culture. Gartner has identified
five maturity levels (aligned with Gartner's established maturity levels) that represent
increasing capabilities (see Figure 1):
Level 1: Initial. The enterprise is broadly aware of the need for improvements in its
recovery capabilities, but lacks the knowledge base to build a true BCM program. Its
activities and processes (where they exist) are ad hoc, improvised and reactive, and
largely IT-centric and extremely siloed.

Level 2: Developing. The enterprise's focus is largely on recovery of IT services, but
different stakeholders are beginning to collaborate informally to address business
recovery issues. Recovery activities are not repeatable, and program management and
improvement automation is basic and manual, mainly leveraging office automation tools.
Level 3: Defined. The enterprise has designated formal responsibility for BCM, but an
integrated enterprisewide BCM program and organization do not yet exist. Processes
are more formalized across the enterprise, repeatable recovery plan management and
testing processes are in place, and formalized budgets have been established in at least
some areas.
Level 4: Managed. An integrated enterprisewide BCM program is in place, with
recovery activities that are aligned with business processes and operational needs. Key
enterprise stakeholders are briefed regularly. Testing has become more comprehensive,
and program management automation has begun to be implemented.
Level 5: Optimizing. BCM activities, processes and practices are fully integrated with
and in the lines of business. The enterprise BCM program encompasses IT DRM,
business recovery, contingency planning, crisis/incident management, pandemic
planning and emergency response, delivering the best possible chance for business
resilience across the enterprise.
Figure 1. Overview of ITScore BCM Maturity Levels

KPI = key performance indicator; KRI = key risk indicator


Source: Gartner (September 2010)

Each stage of maturity builds on the previous stage, but, in practice, elements of different stages
may exist at the same time. Organizational readiness and/or willingness means that some
elements may be farther advanced than others.
The Gartner BCM Maturity Assessment is based on the principle that the quality of an
organization's BCM program and recovery plans will be directly related to the quality and maturity
of the BCM processes and practices used to create and maintain them. Such an assessment is a
useful diagnostic tool. It helps organizations discern where they are and what they should do
next, and also serves as a prognostic tool to determine what is likely to happen next. It is
important to note that although all organizations should strive to improve their BCM processes
and practices, moving from one maturity level to the next is not necessarily a simple task, and
that enterprises shouldn't necessarily target Level 5 as their goal. The effort to get to that stage
may not be required to achieve a satisfactory level of risk for enterprise stakeholders. Level 3 is
the minimum level that organizations should find acceptable. In fact, this may be entirely
unrealistic for many enterprises, which may not need, or not be able to justify the costs of, the
highest levels of BCM preparedness. BCM professionals need to conduct a realistic assessment
not only of the current BCM maturity levels of their enterprises, but also of their future
requirements and their organizational and technological capabilities.

3.0 Dimensions and Key Indicators of BCM Maturity


The maturity assessment for BCM considers seven dimensions and four key indicators.

3.1 Dimensions
The questions and answers in the BCM Maturity Model are categorized into seven dimensions
that provide a detailed structure to assess maturity. They map into the four key indicators in
Section 3.2, which provide a higher level of discussion around characteristics for each maturity
level.
1. BCM Governance: BCM governance is a set of collective decisions and guidance on
using BCM and IT DRM in the business. Early stages of maturity provide no governance
structure. Once at Level 3, the structure starts to take shape.
2. BCM Program Scope: BCM program scope represents the breadth of the BCM program
activities across the enterprise and beyond. In the earlier stages of maturity, the
program will likely only cover IT DRM. In later stages of maturity, it will encompass more
BCM components (crisis management, business recovery and so forth) as well as more
of the enterprise's business activities.
3. Budgeting and Investments: Many organizations with low overall BCM maturity are
reactive and ad hoc, and recovery activities are focused on tactical planning and
budgeting. Mature organizations execute annual planning, with quarterly objectives
aligned with the strategic business plan.
4. BCM Program Organization: Organizational maturity represents the readiness of the
organization and people dimensions of BCM maturity. It addresses characteristics such
as having the right people with the appropriate skills organized in a reporting structure
that minimizes conflicts of interest and clearly defined responsibilities and
accountabilities.
5. BCM and IT DRM Architecture Guidelines and Framework: Organizations with lower
levels of BCM maturity do not include all key components of a standardized BCM
framework, including business and technology interdependencies, risk assessment,
business impact analysis, exercise framework and automation that can help ensure that
the standard framework is used by every area within the enterprise.
6. BCM Processes and Controls: Process maturity is a traditional measure of formalizing
BCM processes so that they can be repeatable, measurable, reportable, survivable and
continuously improved.
7. Awareness, Training and Exercising: Training and exercising recovery plans are the
primary means used to assess and improve the effectiveness of the BCM program,
aside from experiencing an actual disaster. Lower levels of maturity have no training or
exercising methodology in place. Higher levels of maturity maintain workforce
awareness and exercise recovery plans on a regular basis.

3.2 Four Key Indicators


1. Management Processes: Does BCM have executive sponsorship? Is a formal
governance structure in place? Is there a clearly defined, enterprisewide vision and
strategy for BCM? Are formal planning mechanisms in place? (See "Business Continuity
Management Defined, 2008" and "Activity Cycle Overview: Business Continuity
Manager Role, 2010 to 2011.") The dimensions that map to this key indicator are BCM
governance, BCM program scope, and budgeting and investments.
2. People/Organization: Is there a program management office (PMO) with a charter to
manage the BCM program and its portfolio of projects, applications and products? Are
the roles of different constituents (people and organizational functions) well-defined and
documented, typically in a responsible, accountable, consulted and informed (RACI)
matrix (see "Business Continuity Management Governance Defined, 2010," "Toolkit:
BCM Governance and Implementation Responsibility Decision Matrix, 2010" and
"Toolkit: Business Continuity Management Charter Best Practices and Template")? Is
there a professional development program in place to ensure that participants' skills
meet program needs? The dimension that maps to this key indicator is BCM Program
Organization.
3. Processes and Tools: Are there a BCM program architecture, IT DRM recovery
infrastructure design, and IT DRM and work area recovery sourcing strategies? How
well does IT DRM infrastructure design support recovery class requirements? What is
the formalization, integration, business alignment and so on of the BCM processes? To
what degree is IT DRM aligned with or embedded within enterprise architecture (EA)?
Note that this aspect of BCM program maturity should not be judged on the kind of BCM
and IT DRM technologies that an enterprise has selected and implemented; for
example, lack of a BCM planning tool or a real-time infrastructure doesn't indicate
immaturity, because there may be several reasons why an enterprise has chosen a
different technology set to address recovery and continuity needs (see "Hype Cycle for
Business Continuity Management, 2009"). The dimensions that map to this key indicator
are: BCM and IT DRM Architecture Guidelines and Framework; BCM Processes and
Controls; and Awareness, Training and Exercising.
4. Business Culture: To what degree is BCM aligned with critical business objectives? How
and to what degree are business stakeholders engaged with BCM: not at all, within
individual initiatives and technology projects, or within the BCM program strategy
overall? Does BCM contribute to business enablement (direct business value) as well as
risk management and IT operations efficiency and effectiveness (see "A New Approach:
Obtain Business Ownership and Investment Commitment for Business Continuity and
Resilience Management Through Key Performance and Risk Indicator Mapping")? The
dimension that maps to this key indicator is BCM Governance.

4.0 Level 1: Initial


4.1 Characteristics
The enterprise's BCM/DR activities at this early, highly immature level are ad hoc, improvised and
reactive. There is a general awareness that BCM or, more commonly, IT DRM activities are
important. This awareness is frequently triggered by a major event that affects the enterprise
directly or receives significant media attention; however, the enterprise does not possess a
"critical mass" of information, knowledge and processes that could form the basis of a formal
program. Recovery of the business after a disaster will be long, costly and arduous, with closure
of the business being a distinct possibility:
Management Processes: BCM has no executive sponsorship and no formal governance
structure. No enterprisewide vision, strategy or program management for BCM or IT
DRM.
People/Organization: Responsibilities for BCM or IT DRM are extremely siloed, based in
separate data centers, lines of business or geographical locations, and are neither
formally assigned nor aligned with the business. No professional development program
is in place to ensure that participants' skills meet program needs. Most importantly, no
formal accountability for BCM or IT DRM has been established.
Processes and Tools: There is no BCM program architecture, IT DRM recovery
infrastructure design or IT DRM sourcing strategy. Activities are extremely IT-centric,
with the only established processes likely to be regularly scheduled server backups, and
the only technologies used being backup and restore software; however, formal
recovery classes do not exist. No program management automation is in place.
Recovery plans are nonexistent, out of date or merely checklists of actions to execute.
Business Culture: Neither BCM nor IT DRM is aligned with critical business objectives or
contributes to business enablement. Business stakeholders are not engaged at all with
IT DRM.

4.2 Recommended Actions for Improvement


Begin a "bottom up" process of developing an IT DRM program, naming an individual
within the IT organization who will be responsible for developing IT DRM strategies for
the various "siloed" areas, beginning with more-basic functions such as IT DRM and
event response management.
Document business drivers for recovery: service-level agreement requirements,
regulatory requirements, industry standards, supply chain partner requirements and so
forth.
Establish an initial budget for IT DRM (including required capital equipment, staffing and
supporting services).
Align business-unit IT DRM delivery expectations with what IT can realistically provide
given current and projected budget allocations.
Inventory current recovery capabilities, processes, responsible parties, skill sets and
technologies. Perform an assessment against business expectations of recovery needs.
Develop a gap report of current capabilities to recovery need expectations.

Begin producing internal (IT only) reports of progress being made with IT DRM plan
construction and/or management process development.
Develop a basic crisis management and communications process for all types of
disasters, not just IT events.
Create checklists defining how the enterprise, and organizations and individuals within
the enterprise, should respond to specific situations (for example, who should be notified
in an emergency, what vital records the enterprise holds, where and in what form, what
key applications need to be protected, and the locations where recovery operations may
need to be initiated).

5.0 Level 2: Developing


5.1 Characteristics
This level of maturity is characterized by a continued focus on IT DRM, rather than on continuity
of business operations. Management processes are still reactive, only supporting post-disaster
event response. Interaction among IT and business stakeholders remains informal, with little
involvement or commitment from the business. Supporting technologies are still basic, with no
program management automation in place. Recovery plan development or modification
responsibility has been assigned, and plan updating has begun:
Management Processes: BCM has no executive sponsorship and no formal governance
structure. No enterprisewide vision, strategy or program management for BCM or IT
DRM. Management reporting is done on request.
People/Organization: IT DRM responsibility likely resides with data center operations.
No professional development program in place to ensure that participants' skills meet
program needs.
Processes and Tools: An initial set of recovery class definitions exists. IT DRM plans that
support the recovery classes are initially being developed or modified. Comprehensive
testing of the IT DRM plans is focused on test execution mechanics (test step ordering
and execution, definition of recovery team responsibilities, remediating backup media
problems and correcting test execution deficiencies) and is not focused on meeting
specific recovery time objectives (RTOs) and recovery point objectives (RPOs). There is
no BCM program architecture, IT DRM recovery infrastructure design or IT DRM
sourcing strategy. No program management automation is in place. Recovery plans are
developed using office automation tools.
Business Culture: Neither BCM nor IT DRM is aligned with critical business objectives or
contributes to business enablement. Business stakeholders are consulted for feedback
on IT DRM direction. Business expectations far exceed what IT can deliver.

5.2 Recommended Actions for Improvement


Define the RTO and RPO requirements for all application recovery classes.
Obtain senior executive sponsorship for the IT DRM program by defining key delivery
milestones and program success metrics that can be tracked and reported on a regular
basis.
Staff an IT DRM management team with individuals with appropriate skill sets and
defined responsibilities for IT DRM (whether full- or part-time).

Develop plans for the creation of a more comprehensive BCM program, with leadership
responsibility and organizational structure clearly defined. This program may report into
the IT organization, the security organization or business operations (Gartner
considers this a best practice), or its structure may be location-specific.
Institute a BCM steering committee, with appropriate business unit and IT membership,
to govern the BCM program and establish program mandates and authority, and more
effectively align business-unit recovery expectations with IT delivery capabilities.
Define the data center infrastructure upgrades that will be required to support all
application recovery classes. Begin upgrade implementations that can be initiated within
data center budgetary constraints.
Define a sourcing strategy that defines how external service providers can most cost-effectively support IT DRM program goals and objectives.
Develop improved contingency planning and testing, including formalized tabletop
testing of business responses. Expand the scenarios used to consider more
components of BCM and more types of risk, which will eventually make possible the
creation of a more comprehensive, formalized program.
Create formal mechanisms for communicating with senior management about the
developing program, its successes and challenges, and its evolving drivers (for
example, pressure from customers or partners to demonstrate program maturity).
Develop and formalize a set of BCM processes (for example, risk and business impact
assessment, testing and exercising, change management) with their respective
responsible, accountable, consulted and informed (RACI) charts and metrics.
Begin evaluating supporting automation tools.

6.0 Level 3: Defined


6.1 Characteristics
At the Defined level, formal responsibility for BCM has been established, but a true BCM program
does not yet exist. The "BCM organization" is more comparable to that of a program management
office at this point. However, there is the beginning of process formalization, with different regions
and different lines of business supporting a similar set of recovery and continuity processes. IT
DRM recovery plans are now in place, and the enterprise has repeatable processes, including
testing processes, in place. Formalized budgeting has been established that inevitably raises
awareness of, and accountability for, BCM:
Management Processes: BCM has obtained executive sponsorship, but there is still no
formal governance structure. Enterprisewide vision, strategy and program management
are beginning to be defined. Management reporting is done on an annual basis.
People/Organization: IT DRM responsibility is still likely to reside with data center
operations. BCM program responsibility lies in an expanded role for IT DRM, or has
been assigned to IT risk management, HR or another operational business unit. A BCM
steering committee made up of key operational managers is in place. Non-IT recovery
roles and responsibilities are being defined. No professional development program is in
place to ensure that participants' skills meet program needs.

Processes and Tools: IT DRM application recovery class definitions and plans are in
place for all mission-critical applications, at a minimum. Comprehensive testing of IT
DRM plans continues and is now focused on meeting specific RTOs and RPOs. IT DRM
recovery infrastructure design and IT DRM sourcing strategy are well under way, and
BCM program architecture and management are in the beginning stages of
development, although program management automation is not in place. Recovery plans
are developed using office automation tools.
Business Culture: BCM and IT DRM are starting to be aligned with critical business
objectives, but still do not contribute to business enablement. Business stakeholders are
consulted for feedback on IT DRM direction. Business recovery expectations and IT
DRM recovery capabilities are aligning more effectively.

6.2 Recommended Actions for Improvement


Name a BCM program manager.
Define the BCM program manager's role with respect to the management and
orchestration of the BCM steering committee.
Define the key policies, program management procedures and success metrics that will
constitute the basis for effective BCM governance.
Complete the internalization of the recovery and continuity vision and execution strategy
with business operations.
Begin evaluation and piloting of recovery and continuity program management
automation tools.
Provide business operations with the support and tools needed to develop recovery and
continuity plans and programs so that operations can become more self-sustaining over
time.
Develop and apply actionable metrics that can demonstrate the value and maturity of
the program to senior management, line-of-business managers, shareholders and
others.
Increase the depth, breadth and integration of BCM testing.

7.0 Level 4: Managed


7.1 Characteristics
The enterprise BCM and IT DRM programs are aligned and integrated. Metrics are in place that
enable the BCM manager to measure and report on the successes and challenges of the
program. BCM processes are standardized and exercised throughout the enterprise. Senior
management, shareholders and other key stakeholders are briefed on the status of the BCM
program on an annual basis. The depth and breadth of testing has increased significantly, and
program management automation is in place and utilized across the enterprise for program
activity execution and reporting. KPIs are beginning to be used to measure supporting process
improvements:
Management Processes: BCM governance is formalized. Enterprisewide recovery and
continuity vision, strategy, and program management are defined.

People/Organization: IT DRM program is reporting into higher levels of IT management


(for example, enterprise architecture, IT risk management and so forth). BCM program
responsibility lies with business operations management. A BCM steering committee
made up of key operational managers is in place. Non-IT recovery roles and
responsibilities are in place. A professional development program has been established
to ensure that participants' skills meet program needs.
Processes and Tools: The scope of IT DRM class definitions and plans is expanding to
include non-mission-critical applications. Business recovery plans are in place. As a
result of more-comprehensive testing of recovery plans, business and IT recovery
readiness and effectiveness are becoming more sustainable. BCM program
architecture, IT DRM recovery infrastructure design and IT DRM sourcing strategy are
established and used across the enterprise. Program management automation is being
used to provide consistency of BCM activity execution, recovery plan management and
disaster execution. Program improvement processes and supporting metrics are in
place.
Business Culture: BCM and IT DRM are aligned with critical business objectives and are
starting to contribute to business enablement. Business recovery expectations and IT
DRM recovery capabilities are aligned.

7.2 Recommended Actions for Improvement


Fine-tune the established metrics framework to make it more adaptable to and aligned
with critical business processes.
Introduce continuous process improvement for recovery, and continuity testing and
exercising.
Begin reporting KRI and continuous program improvement status to steering committee
members and senior management on a quarterly basis.
Refine KRI definitions and continuous improvement targets to address steering
committee and senior management feedback.

8.0 Level 5: Optimizing


8.1 Characteristics
The most important characteristic of the Optimizing level of BCM maturity, which Gartner
estimates fewer than 10% of enterprises have currently reached, is the integration of BCM
processes and practices with the business. The enterprise's program now embraces all the key
components of BCM: business recovery, contingency planning, crisis/incident management,
pandemic planning, emergency response and, of course, IT DRM. Line-of-business managers
and business process owners now have "ownership" of BCM practices for their functional areas.
The result is that BCM has moved well beyond narrow, "siloed" approaches to embrace
enterprisewide business resilience:
Management Processes: BCM governance is formalized. Enterprisewide recovery and
continuity vision, strategy and program management are defined. Key availability risk
indicators are linked to KPIs and are reported on a quarterly basis to senior
management.
People/Organization: BCM program responsibility is aligned with strategic business
management and is a core business operations discipline. A BCM steering committee
made up of key operational managers is in place.
Processes and Tools: Comprehensive BCM plans are in place and regularly exercised,
and meet all recovery readiness and effectiveness requirements. Program management
automation is used for business process re-engineering and is a fundamental enabler of
continuous program improvement.
Business Culture: Business resilience is an integral part of business management, and
requirements are considered in all aspects of business operations, including but not
limited to: succession planning, facilities management, mergers and acquisitions, new
product/service design, customer services and so forth.

8.2 Recommended Actions


Continue to optimize processes and process definitions.
Focus processes on the ability to react rapidly to changes in the business, technology
and economic environments.
Complete the integration of automation tools.
Use metrics to monitor the impact of changes on the BCM program and the enterprise
as a whole.

9.0 Diagnostic Tool Overview


The ITScore diagnostic tool can be used to perform an initial BCM/IT DRM maturity assessment
and then on a quarterly, or at least annual, basis to track improvements in BCM/IT DRM
maturity. The results can be used in:
Improving the enterprise's visibility into its approach to BCM/IT DRM activities and its
related availability risks.
Identifying and prioritizing gaps in BCM/IT DRM and related controls.
Demonstrating to senior management, and other internal and external stakeholders the
value of BCM activities, and justifying the associated costs.
Demonstrating to internal and external stakeholders progress in improving the BCM
program.
Making necessary changes to organizational structure to support BCM/IT DRM and
ultimately true business resilience.
Communicating with different target audiences inside and outside the enterprise (for
example, the IT organization, the board of directors and business partners).

10.0 Directions for Use


Gartner's ITScore BCM Maturity Assessment Tool provides a baseline for determining the
maturity of the organization's BCM program. It also provides insights into the areas of weakness
and opportunities for improvement. The tool can be used to benchmark your program against
your industry or the state of BCM practice across industries and around the world. The BCM
maturity tool can also be used to communicate the need for investments in program
improvement, and provides a useful tool for having a fact-based discussion on program maturity,
which can help to overcome the political and cultural issues that may be preventing BCM program
development.
The BCM leadership team should assess BCM program maturity as honestly as possible, since it
is a subjective exercise. It's helpful to adopt appropriate measurement standards, if they exist,
from inside the organization. As long as the maturity assessment is done in a way that minimizes
hidden agendas or motives, it adds value. It can provide valuable insights into areas of constraint and
potential improvement, and can be used as an indicator of risk.
Understanding a BCM program's maturity level is of little use unless it is a starting point for
change. Enterprises should adopt these steps to improve the maturity of their BCM programs:
Assess current state. To increase maturity levels, an enterprise must understand how
it is positioned.
Identify gaps. This analysis identifies factors in the enterprise and its environment that
constrain the success of the BCM program. In many cases, the maturity of the BCM
program is unbalanced across the various dimensions listed here. For example, having
a well-developed set of BCM deliverables will not ensure a positive impact unless they
are supported by an appropriate management governance process to ensure any
activities or projects are compliant. The gap analysis works to identify the program
deficiencies that are holding back the BCM program from reaching its full potential.
Set maturity targets. Once the gap analysis is complete, maturity target setting defines
specific goals for improvement. The maturity target is not a "blue sky" activity; it must be
grounded in reality, with recognition of business priorities, required resources, program
change capacity, and prevailing enterprise culture and maturity. It must also be
associated with a specific future time frame.
Plan improvements. Improvement planning identifies the gaps between the current and
the desired future states, and the transformation steps required to fill these gaps. The
program improvement plan must define the improvement projects that will be
undertaken to fulfill the plan. The improvement plan defines the necessary details (for
example, scope, objectives, deliverables, resources, costs and schedule) needed to
initiate the improvement project.
Continuously improve the BCM program. As with other key activities, a continuous
improvement program should be put in place for BCM. Gartner recommends reviewing
BCM maturity and improvement goals on at least an annual basis. BCM program
maturity assessment is a cyclical activity. Subsequent assessments will evaluate now-current
states (a measure of the success of any maturity-improvement projects), re-evaluate the
desired states and define new planned states. This activity will be part of
the normal planning cycle for BCM. In enterprises at Level 3: Defined or above in
Management Processes, the desired states will likely flow from competitive advantage
positioning, supply chain pressure or strategic planning activity.
Enterprises should understand their current maturity levels and use this as a foundation to
increase BCM program maturity. Achieving higher levels of maturity is not an end in itself; rather,
higher BCM maturity will enable the realization of the many benefits of BCM. Also, understanding
the current level of BCM maturity enables organizations to recognize how this maturity level
constrains what can be achieved and to set expectations accordingly.
Organizations are not static. Investment in BCM may ebb and flow over years, which can
sometimes result in a move backward on the path to higher levels of maturity. Acquisitions can
also have a significant impact on BCM maturity. Organizations that are improving BCM maturity
will see a step-change pattern in program improvements. The BCM maturity tool should be used
periodically to determine current-state maturity and make knowledgeable decisions about how to
invest in program development in the future.

