Measuring the Maturity of your BCM program – Part II

BCM Maturity Scorecard

Guest Contributor Article - Part II

It’s my honor to share Part II of Kenton Friesen’s article on Measuring the maturity of your Business Continuity Management (BCM) Program. If you missed Part I, go back and check it out here. Kenton has over twenty years of experience in multiple industries. Throughout his career, he’s specialized in an emergency, risk management, and business continuity. 

Rounding out the article, Kenton will share his thoughts on analysis, complex change analysis, outcomes, and influence-based assessments. Last, he shares his perspective on measuring competence and utilizing SWOT. Finally, for those who want to delve deeper, Kenton has graciously provided his references, which you will find listed below.

Unplanned for Crisis

Complimentary Analysis & Assessments

After one has established a maturity baseline and periodically measured BCM maturity using a BCM maturity model, there are complementary analyses and assessments to consider. These have been separated into two broad categories: 1) outcome-based, which demonstrates a BCM program has or is achieving maturity, and 2) influence-based, which influences a BCM program maturity.

  1. Outcome-Based Analysis & Assessments:
    a. Blind Spot and Black Swan Analysis;
    b. Complex Change Analysis; and
    c. Stages of Competence.
  2.  Influence-Based (internal or external) Analysis and Assessments:
    a. Driving Forces or Horizon Scan Analysis;
    b. Strengths, Weaknesses, Opportunities, and Threats (SWOT) Analysis.
A Blind Spot Framework

Figure 3 – Blind Spot Framework (Paton, 2017)

Outcome-Based Analysis & Assessments: Blind Spot and Black Swan

The first time I heard the term “known knowns” was when US Secretary of Defense Donald Rumsfeld gave a news briefing on February 12, 2002, regarding the lack of evidence linking the government of Iraq to the supply of weapons of mass destruction (“The Unknown Known,” 2022; “There Are Known Knowns,” 2021). This was followed by comedic satire that discredited the “known knowns” approach for me. That is, until 2017, when I read an article by Chris Paton titled “Checking your Blind Spot” in the Continuity magazine (Paton, 2017). This fresh perspective re-framed the “known knowns” for me into a very compelling perspective that is valuable to all BCM programs (i.e., it prompted me to evaluate my bias).

The fundamental premise of this approach is that you cannot assume you know all of the risks or hazards that can disrupt your organization; there will always be a blind spot. So,  a mature Business Continuity Management program can help address this issue (not solve or fully mitigate) by leveraging the Blind Spot framework.

Then in 2021, Pentland Analytics and AON published an article by Dr. Deborah Pretty titled “Respecting the Grey Swan: 40 years of reputation crisis” (Petty, 2021). In her article, Dr. Pretty established a connection between her Black Swan / White Swan framework and three parts of the Blind Spot framework of Chris Paton. After some dialogue between Dr. Pretty and myself, I established the following (Table 3) outlining the two frameworks and how they connect to BCM.

Blind Spot Framework

Description

BCM Connection

Black-White Swan Framework

Known Knowns (Predictable & Aware)

These are issues or topics regarding the daily life or operations of an organization (e.g. cash flow, payroll, supplier agreements, marketing, etc.)

Addressed daily by management and leadership teams, and are typically in the BIAs and Action Plans.

White Swan

Known Unknowns

These are issues or topics that an organization is aware of, has a plan for, but cannot predict when they might happen.

Addressed by various business units or departments (e.g. safety and health, physical security, cyber security, emergency response, etc.) and Action Plans.

Light Grey Swan / Rhino

Unknown Knows

These are issues or topics that someone within the organization is aware of but has NOT communicated.

Addressed by changing corporate culture (e.g. whistleblowing, audits, enterprise risk management, etc.).

Dark Grey Swan / Rhino

Unknown Unknowns

These are issues or topics that are un-anticipated and cannot be specifically prepared for in advance (i.e. out of left field, lighting bolts, etc.).

Addressed by incident management structures and processes (i.e. ICS, IMS, EOC, etc.).

Black Swan

Table 3 – Blind Spot – Black Swan Framework and the BCM Connection

The results of a Blind Spot and Black Swan Analysis are that an organization with a maturity BCM program will have a clear governance structure (i.e., roles and responsibilities), including a well-established all-hazards incident management structure (IMS). Additionally, the organization remains open to assessing risk because it is aware that its own biases can influence its perception, which allows the organization to reduce its blind spots.

Please know that I realize that a Black Swan event will most likely overwhelm an organization and its Incident Management Structure (IMS), but imagine what it will do to an organization that does not have an IMS at all.

Complex Change Analysis

Change is a constant, and this topic reminds me of a university sociology course I attended, in which we read and discussed the French proverb “the more things change, the more they remain the same” (Wiktionary, 2022). There are two fundamental ways in which change happens:

  1. Gradual or Incremental Change – Organizations continually change due to external or internal influences (e.g., legislation, regulations, quality improvement, etc.). The speed of onset or velocity of these changes is slow and manageable.
  2. Immediate or Abrupt Change – Often outside the organization’s control, these changes are often brief but significantly impact the organization. These changes’ speed of onset or velocity is breakneck and disruptive.

The Cynefin framework is a conceptual framework that can be used to aid decision-making, which was created by Dave Snowden in 1999 when he was working for IBM Global Services (Cynefin Framework, 2021). The framework has five decision-making contexts or domains – precise (previously known as simple or obvious), complicated, complex, chaotic, and confusing.

Figure 4 – The Cynefin Framework (Stoop, 2016)

The following is a summary of the Cynefin framework (Cynefin Framework, 2021):

  1. Simple, Obvious, Clear – This domain represents the “known knowns.” There are rules in place (or best practice), the situation is stable, and the relationship between cause and effect is clear: if you do A, expect B to happen.
  2. Complicated – This domain consists of the “known unknowns.” The relationship between cause and effect requires analysis or expertise; there is a range of correct answers.
  3. Complex – This domain represents the “unknown unknowns.” Cause and effect can only be deduced in retrospect (i.e., similar to a Black Swan event), and there are no correct answers.
  4. Chaotic – In this domain, cause and effect are unclear. Patrick Lambe writes that events in this domain are “too confusing to wait for a knowledge-based response,” writes Patrick Lambe. “Action—any action—is the first and only way to respond appropriately.” To establish order (i.e., turn chaos into the complex).
  5. Disorder / Confusion – The dark disorder domain (see figure 2 above) in the center represents situations without clarity about which of the other domains apply. By definition, it is hard to know when this domain applies.
  6. Moving through domains – As knowledge increases, there is a “clockwise drift” from chaotic through complex and complicated to simple. Similarly, a “buildup of biases” complacency or lack of maintenance can cause a “catastrophic failure.” There can also be counter-clockwise movement as people leave the organization (i.e., choosing to go, retirement, death, etc.) and knowledge is forgotten, or as new generations question the rules; and a counter-clockwise push from chaotic to simple can occur when a lack of order is causes rules to be imposed suddenly.

A mature BCM program will not only help address the immediate changes in the chaotic and disorder/confusion domains but will also influence the gradual change with the long-term goal of reducing the impact of or need to respond to the immediate changes. This includes integration and collaboration with organizational change management, IT change management, business case management, project management, and succession planning. I believe the Cynefin framework can add value to the discussion about complex change because a mature BCM program will result in less disorder when the change occurs. Additionally, did you notice the connection to the Blind Spot Analysis, the only component not mentioned in the “unknown knowns,” which can lead to disruptive outcomes?

Hierarchy of Competence

Stages of Competence Analysis

In psychology, the four stages of competence, or the “conscious competence” learning model, relate to the psychological states involved in progressing from incompetence to competence in a skill. In a BCM context, the organization will increase resilience when its employees and leaders make decisions where resilience is second nature or is a regular habit of decision-makers and employees.

The Four Stages of Competence

The following is a summary of the competence stages (Examined Existence, 2019, Camby, 2016):

  1. Stage 1 – Unconscious Incompetence – The individual does not understand or know how to do something and does not necessarily recognize the deficit. Outcome – I don’t know what I don’t know, incorrect intuition.
  2. Stage 2 – Conscious Incompetence – Though the individual does not understand or know how to do something, they recognize the deficit and the value of a new skill in addressing it. Outcome – I know what I don’t know, incorrect analysis.
  3. Stage 3 – Conscious Competence – The individual understands or knows how to do something. However, demonstrating the skill or knowledge requires concentration. Outcome – I grow and learn, and it starts to show correct analysis.
  4. Stage 4 – Unconscious Competence – The individual has had so much practice with a skill that it has become “second nature” and can be performed easily. Outcome – I go because of what I know, correct intuition.

A mature BCM program has a robust and well-developed awareness and education process that enables its stakeholders and has achieved Stage 4 – Unconscious Competence. And if the three lines of defense model are followed, such maturity would allow the BCM program to operate solely within the 2nd of defense.

Horizon Scanning

Influence-Based (internal or external) Analysis and Assessments: Driving Forces or Horizon Scan

Context is a significant and powerful construct; as a geographer, I have learned to use the technique of site and situation to understand the context. Additionally, I learned about several management analysis and assessment methods, such as PEST, PESTELO, STEEP, or STEEPLE.
As I progressed through my BCM career, I began to value these within the BCM perspective and have repositioned them as internal and external driving forces or as a horizon scan. Why are these important to BCM? They all have the potential to influence your BCM program or organization positively or negatively.

The domains or groups I use within my PESTELO analysis include the following:

  • Political – includes the action (and in-action) and policies of government organizations at the local, municipal, provincial / state, or country level that can influence your organization (i.e., taxation, fiscal policy, ideological difference, international trade agreements, etc.).
  • Economic – includes the broad financial trends that influence the marketplace that can impact your organization (i.e., shifting to a digital economy, interest rates, employment rates, inflation, exchange rates, etc.).
  • Social – includes changes, shifts, and evolution in the ways stakeholders behave that can influence your organization (i.e., lifestyle trends, consumption beliefs, demographic transitions, life expectancy, etc.).
  • Technological – includes the ever-increasing influence of technology that can influence your organization (i.e., automation, IoT, cybersecurity, smartphones, virtual documents, social media, connected vehicles, etc.).
  • Environmental – includes changes to our physical environment that can influence your organization (i.e., climate change, increasing severe weather, sustainability, etc.).
  • Legal – includes changes from legislation, regulation, and court decisions that influence your organization (i.e., licenses, permits, intellectual property, decimalization, etc.).
  • Organizational – includes changes in the structure or mission of your organization (e.g., change in the board of directors, change in executive leadership, employee retention rates, etc.).
  • Professional – includes changes in professional practices and best practices (e.g., professional convergence between enterprise risk management, operational risk management, business continuity management, and emergency management).

A mature BCM program is fully aware of the relevant factors listed above. It can adapt to changes as they occur and incorporates this into a multi-year strategic plan for the program.

BCM Measurements

Strengths, Weaknesses, Opportunities, and Threats (SWOT)

It is a common practice for management or leaders to understand the strengths, weaknesses, opportunities, and threats (SWOT) regarding your organization (both internal and external), which is typically associated with your competitive position within the market. I encourage you to use this technique to understand the value your BCM program currently adds or could potentially add to your organization (i.e., the BCM program’s competitive position).

  • Strengths – What you and your BCM program or organization do well, reflected in the BCM maturity assessment.
  • Weaknesses – What you and your BCM program or organization do not do well and can improve is reflected in the BCM maturity assessment.
  • Opportunities – What you and your BCM program or organization can take advantage of or benefit from, reflected in your after-action reports (AARs) and the other analyses discussed earlier.
  • Threats – You and your BCM program or organization may be hindered or hampered by and unable to achieve your goals and objectives, which are documented in audits, after-action reports (AARs), and risk assessments, as the other analyses discussed earlier.
The following is a simple SWOT analysis example for your consideration:

Strengths:

Weaknesses:

Business process management (Lean, Six Sigma, value stream mapping, APQC, Togaf, etc.) has been centralized and the BIAs have been integrated.

 

INSERT

Opportunities:

Threats:

Business process management (Lean, Six Sigma, value stream mapping, APQC, Togaf, etc.) is an opportunity to centralize the documentation of processes that can benefit the BIA process.

INSERT

Autonomous vehicles present opportunities, such as decreasing claim expenses (i.e. physical damage, bodily injury).

Autonomous vehicles present a potential threat for auto insures (e.g. declining revenue, declining premiums, changing concept of vehicle ownership).

Table 4 – SWOT Analysis Example

Please know there is a reason why this simple yet effective analysis is being shared at the end of this article.  That is, it is essential to go through all of the previous content to open your mind to your potential blind spots while inventorying the influences (i.e., internal or externally, currently or in the future, etc.) that can then feed into your BCM programs strategic and administrative plan (Canton, 2019).  While doing so, if you understand your SWOT, you can then maximize your BCM program efforts.  A mature BCM program clearly understands its SWOT, which is documented and updated regularly.  Then adjust strategic and operational plans as things change.

A Great Overview of BCM Measures

Summary

I hope you enjoyed Part II of Kenton’s article on Measuring The Maturity Of Your BCM Program. If you are just getting started building a maturity model, Kenton’s given you a wealth of resources to consider. And, if you are a seasoned pro at building assessments, you may have picked up a new tip or two. Regardless, I am thankful to Kenton Friesen for sharing his knowledge with us.

I don’t know about you, but I feel like I just finished a masterclass on the subject. You can reach Kenton via LinkedIn if you’d like to connect with Kenton or ask him any follow-up questions. He was gracious enough to write this article after presenting it at a recent Business Continuity Resilience Insurance Network (BCRIN) meeting. The information was so compelling that I asked him to share it with you. 

Article References

Akkermans, Henk A., and Luk N. Van Wassenhove. “Searching for the Grey Swans: The next 50 Years of Production Research.” International Journal of Production Research 51, no. 23–24 (November 18, 2013): 6746–55. https://doi.org/10.1080/00207543.2013.849827.

Almén, Joakim, and Anders Rosqvist. “Evaluate Your Business Continuity Management: A Step towards a More Resilient Company!,” 2008.

Andrews, Ron. “Demonstrating the Value of Business Continuity Planning: Maturity Models.” Presented at the DRIE Central Professional Session, Winnipeg, Manitoba, October 2016. www.driecentral.org.

Avatefipour, Amir. “The Contribution of BCM to Supply Chain Performance under Disruption: A Resilience Perspective.” Master of Science in Management Engineering, Politecnico di Milano, School of Industrial and Information Engineering. Accessed May 21, 2022. https://www.politesi.polimi.it/bitstream/10589/149699/1/2019_10_Avatefipour.pdf.

Berry III, Jonathan, Mitchell Buder, and Zachary Evans. “Business Continuity Management – Evaluating Program Effectiveness.” Navigant Consulting, 2016. www.navigant.com.

“Black Swan Theory.” In Wikipedia. Wikipedia, May 1, 2020. https://en.wikipedia.org/w/index.php?title=Black_swan_theory&oldid=954270840.

Bolton, Patrick, Morgan Despres, Luiz Awazu Pereira da Silva, Romain Svartzman, Frédéric Samama, and Bank for International Settlements. The Green Swan: Central Banking and Financial Stability in the Age of Climate Change. Bank for International Settlements, 2020. https://www.bis.org/publ/othp31.pdf.

“Business Continuity Maturity Matrix.” Intellinet Consulting, LLC, 2017.

“Business Continuity Maturity Model 2.0 – Self-Assessment Workbook.” Budd Lake, NJ: Virtual Corporation, 2016.

Camby, Simon. “What Does Mastery Look Like?” Focus Education, January 29, 2016. https://www.focus-education.co.uk/blog/what-does-mastery-look-like/.

Canton, Lucien G. Emergency Management: Concepts and Strategies for Effective Programs. John Wiley & Sons, 2019.

“Capability Maturity Model.” In Wikipedia, March 18, 2021. https://en.wikipedia.org/w/index.php?title=Capability_Maturity_Model&oldid=1012741504.

“CMMI Institute – CMMI Levels of Capability and Performance.” Accessed May 5, 2022. https://cmmiinstitute.com/learning/appraisals/levels.

“Cynefin Framework.” In Wikipedia, April 17, 2022. https://en.wikipedia.org/w/index.php?title=Cynefin_framework&oldid=1083225827.

Drucker, Jocob. “Council Post: You Are What You Measure.” Forbes, December 4, 2018. https://www.forbes.com/sites/theyec/2018/12/04/you-are-what-you-measure/.

Gallagher, Michael. “Business Continuity Management – Do You Measure Up?” Accountancy Ireland 35, no. 4 (2003): 15–16.

Haidzir, Haniyana bintin, Siti Hajar Othman, and Hazinah Kutty Mammi. “Evaluation of Business Continuity Plan Maturity Level in Healthcare Organization.” International Journal of Innovative Computing 8, no. 1 (May 21, 2018): 33–42.

Islam, Danish. “Weighing the Value of Continuity Management – Analysis of Disaster Recovery Planning in Organizations.” University of Turku, 2010.

Janzen, D. “Capability Maturity Model (CMM) – CalPoly.” November 16, 2009. https://media-exp1.licdn.com/dms/document/C561FAQECHO-EJwgTJg/feedshare-document-pdf-analyzed/0/1651969905396?e=1652108400&v=beta&t=Q0zpZSVVeGMQn08mkuN2EVfP9COgJ0CLI1AXYpjbfZM.

Junttila, Juho. “A Business Continuity Management Maturity Model – The Search for an ISO 22301 Compliant BCM Maturity Model.” Masters of Information Systems Science, University of Turku, 2014.

Langsett, Margaret D. “Business Continuity Maturity Model® Presentation.” Presented at the Virtual Corporation, 2007.

Langsett, Margaret, and Manfred Heinzlreiter. “Using the Business Continuity Maturity Model® To Gain Executive Approval.” June 20, 2006.

Mahal, Ashish. “Business Continuity Management Maturity Model for Banks in UAE.” British University in Dubai, 2008. https://bspace.buid.ac.ae/handle/1234/288.

Mohammed, Armoghan, and Richad Sykes. “Black Swans Turn Grey – The Transformation of Risk.” Risk Practices. United Kingdom: Price Waterhouse Coopers (PWC), January 2012. https://www.pwc.co.uk/assets/pdf/risk-practices-black-swans-turn-grey-the-transformation-of-the-risk-landscape.pdf.

Olsiewski, Paula J. “Framework for Voluntary Preparedness.” Sloan Foundation, January 8, 2008.

Paton, Chris. “Checking Your Blind Spot.” Continuity, 2017.

Paulk, Mark C. “A History of Capability Maturity Model for Software.” Edited by Watts Humphrey. The Software Quality Profile 12, no. 1 (2009): 15.

Pretty, Deborah. “Respecting the Grey Swan: 40 Years of Reputation Crises.” Pentland Analytics, 2021.

Randeree, Kasim, Ashish Mahal, and Anjli Narwani. “A Business Continuity Management Maturity Model for the UAE Banking Sector.” Business Process Management Journal 18, no. 3 (June 1, 2012): 472–92. https://doi.org/10.1108/14637151211232650.

“RSA Archer Maturity Model:  Business Resiliency.” RSA Archer, 2018.

Segovia, Fresia. “Developing a Framework for Business Continuity Management within Local Government,” n.d., 270.

Smit, Naomi. “Business Continuity Management – A Maturity Model.” Masters of Informatics and Economics, Erasmus Universiteit Rotterdam, 2005.

Smith, Neil A. “Business Continuity Maturity “How Mature Are You?” Presented at the DRJ Fall World 2015, San Diego, California, September 27, 2015.

Smith, Neil A., and Sandra Riddell. “CSC and the Business Continuity Maturity Assessment Program.” White Paper, 2013. http://docplayer.net/4427761-Csc-and-the-business-continuity-maturity-assessment-program.html.

Stoop, Edwin. Cynefin Framework by Edwin Stoop.Jpg – Wikipedia. 2016. https://commons.wikimedia.org/wiki/File:Cynefin_framework_by_Edwin_Stoop.jpg.

Taleb, Nassim Nicholas. The Black Swan: Second Edition: The Impact of the Highly Improbable: With a New Section: “On Robustness and Fragility.” 2nd ed. edition. New York: Random House Trade Paperbacks, 2010.

Tammineedi, Rama Lingeswara. “Business Continuity Management: A Standards-Based Approach.” Information Security Journal: A Global Perspective 19, no. 1 (March 17, 2010): 36–50. https://doi.org/10.1080/19393550903551843.

“The Black Swan: The Impact of the Highly Improbable.” In Wikipedia, March 12, 2020. https://en.wikipedia.org/w/index.php?title=The_Black_Swan:_The_Impact_of_the_Highly_Improbable&oldid=945271313.

Examined Existence. “The Four States of Competence Explained,” October 18, 2019. https://examinedexistence.com/the-four-states-of-competence-explained/.

“The Importance of Conducting Maturity Assessments for Your Business Continuity Management Program.” AON Risk Solutions, 2015.

“The More Things Change, the More They Stay the Same.” In Wiktionary, May 6, 2022. https://en.wiktionary.org/w/index.php?title=the_more_things_change,_the_more_they_stay_the_same&oldid=66588214.

The Unknown Known.” In Wikipedia, April 28, 2022. https://en.wikipedia.org/w/index.php?title=The_Unknown_Known&oldid=1085135187.

“There Are Known Knowns.” In Wikipedia, December 22, 2021. https://en.wikipedia.org/w/index.php?title=There_are_known_knowns&oldid=1061600676.

Leave a Comment

Your email address will not be published. Required fields are marked *

Disaster Empire
Scroll to Top