BC Management's 2nd Edition Program Maturity Assessment has been distributed to those professionals who participated in our most recent study.
Missing your report? Please inquire with a BC Management representative if you did participate in this 2nd Edition BCM Program Maturity Assessment, but didn't receive a report. This report is also discounted 40-50% through January 15, 2018.
Highlights from the 2nd Edition BCM Program Maturity Assessment:
Business Continuity Management Program Maturity Differentiators
While using the self-assessment program maturity scores, we discovered several key findings that seemed to differentiate between “Immature Programs” and “Mature Programs”.
- A similar percentage of respondents place their continuity/ resiliency program underneath Risk Management regardless of whether the program maturity self-assessment score was “Immature” or “Mature” (23.3% and 23.1% respectively). More respondents with “Immature Programs” noted Information Technology as the program owner (21.7%) compared to their counterparts with “Mature Programs” (15.4%). Regardless of the self-assessment program maturity rating, most respondents either agreed or strongly agreed that Risk Management was the best place to position the program for maximum visibility.
- The top noted program sponsor for “Immature Programs” was a Vice President/ Director (18.3%) followed by Chief Information Officer/ Chief Technology Officer - CIO/ CTO (15.0%) and Chief Operations Officer - COO (11.7%). The top program sponsors noted for “Mature Programs” were evenly distributed between CIO/ CTO (13.8%), COO (12.3%) and Chief Risk Officer (12.3%). More respondents noting “Mature Programs” indicated the program sponsor was one level or less of separation from executive management (83.3%) compared to their counterparts with “Immature Programs” (66.6%).
- Those respondents who noted “Mature Programs” overall indicated better integration of the business continuity management program with other corporate functions especially with crisis management/ incident management. In reviewing the data findings from 2015, though, we discovered that Compliance was the only corporate function that showed significant improvements in “effective integration” or “complete integration” with the business continuity program (an improvement from 43% to 50%).
- The data findings showed “Mature Programs” on average hire more experienced personnel with 57.4% noting all personnel and 69.8% noting those in leadership positions have 8+ years’ expertise. Those with “Immature Programs” indicated 42.9% and 26.7% respectively for all personnel and those in leadership positions with 8+ years’ experience.
- In terms of assessment, strategy and continual improvement of the program were reported to be the most effective among “Mature Programs” (83.3% and 73.6% respectively indicated effective or very effective), while 22.2% and 26.7% of those with “Immature Programs” reported the same.
- On average those respondents who noted “Mature Programs” tended to be more focused on resilient IT services (e.g. cloud computing) – 80.8%, resilient facilities – 71.2% and resilient business processes (e.g. supply chain) – 84.6% compared to their counterparts who noted “Immature Programs” who indicated 64.3%, 47.6% and 47.6% respectively.
- Those noting “Mature Programs” seemed to be more committed to developing personnel competencies with 69.8% noting mentoring, coaching and tutorship to develop competencies compared to those with “Immature Programs” (44.2%).
- An executive board approval/ adaptation of a BCM Policy statement was more prevalent with those respondents who noted “Mature Programs” (85.2%) compared to “Immature Programs” (31.1%).
- Respondents who noted “Mature Programs” were sharing program updates with their Board of Directors more frequently (92.4%) than their counterparts who indicated “Immature Programs” (64.5%).
- Those who noted “Mature Programs” tend to review the program’s maturity level more frequently (73.9%) than their counterparts who indicated “Immature Programs” (38.4%).
- Continual improvement on average was a general focus in elevating program effectiveness regardless of program maturity; however, 90.2% of those with “Mature Programs” indicated so, while 51.1% of those with “Immature Programs” indicated the same.
- Internal audit on average included the review of program effectiveness regardless of program maturity; however, 84.9% of those with “Mature Programs” indicated so, while 43.2% of those with “Immature Programs” indicated the same.
- Overall, becoming certified in a standard is something many organizations are either reviewing or working towards. The data findings did indicate that 20.8% of those with “Mature Programs” have achieved certification in a standard while only 6.7% of those with “Immature Programs” indicated the same. The top noted standards that organizations obtained certification in were ISO 22301/313 (previously BS25999) and ISO 27001 Information Security.
Other Notable Findings in Business Continuity Program Maturity
Our data analysis indicated other noteworthy business continuity management findings by program maturity that would likely benefit from more focus in the future.
- Respondents who rated their programs as “Mature” were more likely to align and support strategic business objectives to the organization’s long-term strategy (51.9%), dedicate enough money to the program (51.9%), implement reporting structures that were totally functional to the program’s success (37.0%) and implement and update program reporting mechanisms (37.0%).
- Although “Mature Programs” (37.0%) were more likely to identify and validate program stakeholders and have their involvement in the program success compared to those noting “Immature Programs” (8.9%), this is certainly an area of future improvement.
- Categories of indicators or complex indicators (index of effectiveness) were more frequently used (60.4%) by those indicating “Mature Programs” to determine the success in deploying the business continuity program, while those who noted “Immature Programs” were more likely to use simple indicators only (72.1%).
- Few respondents (35.2%) who rated their programs as “Mature” indicated that metrics were defined for continual program improvement. Many of the respondents (42.2%) who indicated “Immature Programs” indicated that no metrics were defined.
- Few respondents (22.2%) who rated their programs as “Mature” indicated that metrics were implemented and included in the decision making/ continual program improvement. Many of the respondents (53.3%) who indicated “Immature Programs” indicated that no metrics were implemented.
- Although “Mature Programs” (46.3%) were more likely to take advantage of lessons learned and knowledge to advance the program effectiveness compared to those noting “Immature Programs” (11.4%), this should be a topic for future improvement.
- More respondents (45.8%) with “Mature Programs” indicated that the business continuity program is part of the executive annual performance objective compared to those who noted “Immature Programs” (16.7%).
Additionally, respondents were given the opportunity to answer a few of the study questions in an open text format. Below are some compelling responses to the corresponding questions.
- Please provide examples in which executives either did not demonstrate their commitment to the program and/ or examples in which they fully supported their commitment to the program.
  - Examples in which executives did not demonstrate their commitment to the program:
    - “The framework / policy is neither reviewed, endorsed nor implemented in the organization. Staff awareness on the topic was either ignored and discouraged.”
    - “Felt department level BIAs were too detailed and not effective, so we were told to develop a basic one-page description of what we would do if the building was unavailable and that would be our plan.”
    - “Only doing the minimum to satisfy Audit finding.”
  - Examples in which executives fully supported their commitment to the program:
    - “The executives support the BC policy stating that they will participate yearly in a corporate crisis exercise.”
    - “Quarterly meetings - participate in tabletop exercises. Follow-up on any business lines not in compliance to the program.”
    - “1. Revised enterprise wide corporate policy to include new BC objectives. 2. Included specific BC objectives in Business Unit Scorecards across the organization which are tied to compensation. 3. Participated in BIAs which are being performed for every business unit.”
- Please share recommendations on how executives can better demonstrate commitment to Business Continuity/ Resiliency planning at your organization.
  - “Require a program road map with key milestones. Review and approve resources, program plan or key goals. Align program gaps with annual budget process.”
  - “Embed business continuity targets into their direct report's annual performance targets. Discuss targets at regular check-ins with their direct reports.”
  - “Going forward, I'll ask for our business line exec champions to 'blog' about their department's efforts in support of their team’s engagement. I anticipate good support.”
  - “I believe the executives should demand that management document and measure business capabilities and processes in order to ensure proper stewardship, repeatable processes, adequate continuity and benchmarking against other organizations of similar size and scope.”
- Please share how you have personally elevated the program’s maturity and/or executive buy-in/ commitment.
  - “Yes. A regional international exercise program was successfully launched this year, as well as a business-wide active shooter response exercise program. Both were proof of concept initiatives that required VP sponsorship and proved themselves worthwhile and value-added.”
  - “Yes. I changed our application tiering definitions and have heavily modified the review process for applications and processes.”
  - “Yes, to some extent; mainly by raising awareness around the ISO 22301 standard and also by showing that our clients/customers and business partners are interested in our program and want assurance around our capabilities.”
  - “Elevating the program's maturity resulted from quarterly reporting that conveys changes in program resiliency compared to the annual revenue-at-risk derived from the annual Business Impact Analysis.”