Guest Contributor Article - Part 1
I’m excited to share the following article from a guest contributor, my colleague, Kenton Friesen.
Kenton is a continuity, emergency, and risk management professional with experience identifying, applying, and managing corporate resiliency strategies. He is experienced with leading or facilitating cross-functional teams to increase organizational resilience, including the development of continuity/preparedness training programs, crisis communication and urgent mass notification systems, quality improvement, and client or stakeholder relations.
Over the past 20-plus years, Kenton Friesen has been a trusted resilience advisor to the Royal Canadian Mint (RCM), Manitoba Public Insurance (MPI), the University of Manitoba, the Winnipeg Regional Health Authority (WRHA), as well as Dillon Consulting Limited and its clients.
His credentials include a B.A. (Geography), B.Sc. (Business Computing), Certified Emergency Manager (CEM), Certified Business Continuity Professional (CBCP), and Member of the Business Continuity Institute (MBCI), and he is a certified ISO 22301:2019 Lead Implementer (LI). Additionally, his affiliations include the Disaster Recovery Information Exchange (DRIE) Central Chapter, International Association of Emergency Managers (IAEM) Canada Council, Disaster Recovery Institute Canada (DRIC), Business Continuity Institute (BCI), Mennonite Disaster Service (MDS), and the Business Continuity Resilience Insurance Network (BCRIN). Connect with Kenton on LinkedIn.
The following is Part 1 of his article on tools and tips for developing a Business Continuity Management Maturity assessment.
Introduction to maturity measurement
One might think that measuring the maturity of business continuity is quite simple. Could it be as simple as decreasing the number of incidents that impact your organization? Could it be as simple as reducing your business interruption insurance premium through mitigation and preparedness? The answer is no; it is not that simple! This is because implementing a business continuity management (BCM) program has numerous dimensions: governance; education and awareness; understanding the organization (e.g., BIAs); preparing the organization (e.g., action planning, exercises, etc.); responding to and recovering from disruptions; and learning from what has happened to improve for the future (i.e., lessons management, after-action debriefs, and after-action reviews). All of these work together to contribute to the maturity of business continuity.
I suspect that business continuity has been in the spotlight due to the COVID-19 pandemic and the impacts of climate change. There is a tremendous opportunity to integrate our profession into organizations’ general management techniques and practices worldwide. Additionally, over the past ten years or so, the word “management” has been added to business continuity as part of its evolution from “business continuity planning” into “business continuity management,” or BCM for short. As such, BCM practitioners and professionals need to align and integrate with “management,” and in doing so, we must understand that “you cannot improve what you don’t measure” (Drucker, 2018).
Measurement types
Is measuring BCM maturity, then, simply a matter of applying general management measurement tools and techniques, such as:
- Key Performance Indicators (KPIs) or Key Risk Indicators (KRIs);
- Benchmarking, Gap Analysis, Gap Assessment, etc.;
- Lean, Six Sigma, Kaizen, Poka-Yoke (Mistake Proofing);
- Needs, Opportunities, Improvement, Strengths, Exceptions (NOISE) Analysis;
- Total Quality Management (TQM), Quality Management System (QMS); or
- Volatility, Uncertainty, Complexity, and Ambiguity (VUCA) World.
The above management tools and techniques may provide valuable insight into the management of BCM. Still, they do not provide a holistic or comprehensive measurement of the maturity of a BCM program. What, then, can be used to measure this BCM maturity?
- Could it include measuring a declining number of disruptive incidents (i.e., total number, the total cost of impacts, the total cost of response and recovery, etc.)?
- Could it be as simple as purchasing business interruption insurance to cover the costs of disruptions?
Such measurements are valuable to note, but they are more outcomes of continuity or resilience strategies that the organization has chosen to implement. Determining those strategies and implementing the supporting framework to sustain and maintain the resources to achieve those strategies becomes increasingly essential to measuring BCM maturity.
The foundation of measuring BCM maturity
The primary or original source material (i.e., foundation) that initiated my understanding of measuring BCM maturity includes Michael Gallagher’s article ‘Business Continuity Management – “Do you measure up?”’ (Gallagher, 2003) and the “Framework for Voluntary Preparedness” published by the Sloan Foundation in 2008 (Olsiewski, 2008).
The Sloan Foundation report caught my attention because it brought together several vital organizations (i.e., ASIS, DRII, NFPA, and RIMS) to review the best practices and standards of that time (i.e., NFPA 1600:2007, CSA Z1600, ISO 22399:2007, ASIS Organizational Resilience, BS 25999-5:2007, TR19-2005, DRII Professional Practices, and the BCI Good Practice Guidelines). The Sloan Foundation report recognizes common elements that can be gleaned from standards and best practices, and I believe these can form the foundation of BCM maturity. Figure 1 is an adaptation of those common elements.
Search on the Internet or within your local university library stacks (virtual or physical stacks) for BCM maturity. You will find numerous white papers, a thesis, reports, etc., on the topic. What I have come across is listed in the reference section at the end of this article (see Part II). I strongly encourage you to seek out these documents and read them to add to your BCM maturity measurement efforts. If you have access to Info-Tech or Gartner, search their libraries for valuable BCM-related reports.
As you read this article and other maturity measurement related documents, please keep the following in mind:
- Adding Value – Whatever BCM maturity measurement method you choose to follow, ensure your program is always “adding value” to your organization. Shift your mindset to continually “add value” by using BCM artifacts, outcomes, and processes (e.g., BIAs) to inform or influence organizational decisions.
- Bias & Objectivity – Whatever the BCM maturity measurement method you choose to follow, recognize that the model itself, as well as your responses to the questionnaires, are influenced by bias, such as the ambiguity effect, normalcy bias, optimism bias, ostrich effect, herd instinct, and status quo bias (Pretty, 2021).
- Comparability – Whatever BCM maturity measurement method you choose to follow, ensure it is comparable both temporally (i.e., past, present, and future) and inter-organizationally (i.e., how do you compare to your peer organizations).
- Comprehensive – Whatever BCM maturity measurement method you choose to follow, ensure it is complete and accounts for a holistic BCM perspective (i.e., governance, understanding, awareness, quality improvement, incident management, exercise management, and the list goes on).
Figure 1 – Core BCM Program Elements (Olsiewski, 2008)
Maturity models – so many to choose from
Before selecting a BCM maturity model, know that you also have the option of building on the Capability Maturity Model Integration (CMMI), now maintained by the CMMI Institute, part of ISACA (the Information Systems Audit and Control Association). Its lineage dates back to 1986, when the Software Engineering Institute (SEI) at Carnegie Mellon University began developing the original Capability Maturity Model for the US Department of Defense as a way to assess the software capability and maturity of its contractors.
Using the CMMI as the basis for your own BCM maturity model can be done, but several factors should be considered. In creating a BCM maturity model from scratch, please consider the following:
1. Effort – Creating the model will consume time and effort, both yours and your organization’s;
2. Bias & Objectivity – The bias of the model’s creators will influence its design, outcomes, and results;
3. Limitations – The resultant model may not be as comprehensive as needed, providing limited assessment and measurement value;
4. Comparability – The comparability of the results with those of other organizations may be limited (i.e., apples to apples vs. apples to oranges).
With the above in mind, numerous BCM maturity models are available from which to choose, some of which follow or align with the CMMI. The following (Table 1) lists several models I am aware of and is not intended to be a complete or comprehensive list. Please note that some models are publicly available, and some are only available through a fee-based service.
| Source | Model Name | Access |
|---|---|---|
FEMA | Continuity Assessment Tool (CAT) | Public Access |
Gallagher | BCM Self Assessment Questionnaire | Public Access |
Gartner | ITScore for Business Continuity Management (BCM) | Fee-Based or Membership-Based Access |
ICOR | ICOR Maturity Model Capability Assessment Tool | Fee-Based or Membership-Based Access |
Info Tech | BCP Maturity Scorecard | Fee-Based or Membership-Based Access |
Randeree (2012) | BCM Maturity Model | Not Publicly Available |
RSA Archer | Maturity Model: Business Resiliency | Fee-Based or Membership-Based Access |
Smit (2005) | BCM Maturity Model | Not Publicly Available |
Virtual Corporation | Business Continuity Management Model (BCMM) | Public Access (simple model) & Fee-Based or Membership-Based Access (advanced model) |
Table 1 – List of BCM Maturity Models
The following (Table 2) is an attempt to compare the scales of four of the BCM maturity models. If you have access to a fee-based or membership-based model, you could add its scale to this comparison for internal, authorized use. I hope there is congruence between the various models’ assessments, which has been my experience to date.
| Model | Scale | Levels and descriptions (lowest to highest) |
|---|---|---|
| Gallagher | Percentage score, 0 to 100 | <50: Considerable work to be done; 55-66: Room for improvement; 65-80: Program in place, room for improvement; >80: Effective program in place |
| Virtual Corporation | Levels 0 to 6 (athlete analogy) | 0: N/A; 1: Able to crawl; 2: Able to walk; 3: Able to run; 4: “Fit” runner; 5: Competitive runner; 6: Olympic runner. Comparative grouping, lowest to highest: organization “at risk”, “competent” performer, “best in breed” |
| FEMA CAT | Levels 0 to 10 | No progress (0) through Objective achieved (10), with Limited progress, Moderate progress, and Substantial progress as the intermediate bands |
| CMMI | Levels 0 to 5 | 0: Incomplete; 1: Initial; 2: Managed; 3: Defined; 4: Quantitatively managed; 5: Optimizing |
Table 2 – BCM Model Scales Comparison
A mature BCM program will carefully select a realistic target maturity level for its organization based on its size, resources, and comparison with similar organizations. Factors to consider for choosing similar organizations include organization size (i.e., number of employees, total revenue, etc.), type of organization (i.e., for-profit vs. non-profit, government vs. private, etc.), and the market or context of the organization (i.e., manufacturing, insurance, banking, healthcare, etc.).
Lessons to Share
After many years of implementing and developing emergency management and business continuity management programs within several sectors (i.e., healthcare, post-secondary education, automobile insurance, and manufacturing), I would like to share the following lessons and learnings.
- Ubiquitous Application – A well-designed BCM maturity model is universal in its application and can be used or applied to a BCM program in any sector of our economy or society.
- Use Multiple Models – Consider using more than one BCM maturity model to assess your program’s maturity. I have used or currently use Gallagher, FEMA, Virtual Corporation (public access version), Gartner, and Info-Tech. The benefits include: a) potential bias is limited, and results can be confirmed, when the different models agree; b) continuity of historical maturity data, because you may not retain access to a fee-based or membership-based maturity model (i.e., the subscription may be managed by someone else in your organization and could lapse without your knowledge, limiting your long-term assessments and progression).
- Establish Baseline Early – Consider conducting a BCM maturity assessment early in the program implementation to establish a baseline regarding your maturity. Additionally, this provides insights as to what to focus your attention on because it can highlight your program’s strengths and, more importantly, its weaknesses.
- Self Assessments & External Assessments – Consider conducting internal self-assessments once every 2 – 3 years and validate these with an external assessment once every 4 – 6 years.
- Document Maturity Assessment Results – Create a log or list that documents the results of your BCM maturity assessments (i.e., self-assessments or external assessments), which can then be used to demonstrate increasing maturity over time to stakeholders (e.g., board of directors, executive management, auditors, etc.).
- Shared Maturity – The maturity of the BCM program overlaps with the maturity of cybersecurity and IT disaster recovery, since all three share incident management, exercises, and recovery planning. Investment that increases the maturity of any one of the three therefore tends to lift the other two as well.
- Collaborative Assessments – Where possible, include others within your organization in the maturity assessment process to maintain engagement and balance your perspective or bias with theirs. Note that some models can facilitate this by sending the maturity survey questionnaires to other employees in your organization via email (e.g., the Gartner ITScore for BCM).
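Table 2 above puts four models’ scales side by side, and the “Use Multiple Models” and “Document Maturity Assessment Results” lessons both depend on comparing scores across models and across years. The following Python script is an added example written for this article, not a tool from the author or from any of the model publishers. It normalises a raw score from each of the four scales in Table 2 onto a common 0.0 to 1.0 fraction, flags when models assessed in the same period disagree by more than a tolerance, and produces a date-by-date trend from a logged list of assessments. The linear normalisation, the 0.15 tolerance, the Assessment record layout, and the sample log entries are this example’s own assumptions and constructed data; Gallagher’s percentage bands are not equal steps like the level scales, so treat the mapping as a rough comparison rather than an equivalence.

```python
"""Normalise BCM maturity scores from several models onto one scale.

Added example (not the author's tool). Scale tops are taken from
Table 2 of the article; the linear 0.0-1.0 normalisation, the congruence
tolerance and the sample assessment entries are this example's own
assumptions, not something the models themselves define.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple

# Top of each model's scale as listed in Table 2 (Gallagher is a percentage).
SCALE_MAX: Dict[str, float] = {
    "Gallagher": 100.0,
    "Virtual Corporation": 6.0,
    "FEMA CAT": 10.0,
    "CMMI": 5.0,
}


@dataclass(frozen=True)
class Assessment:
    """One logged maturity assessment (self or external)."""
    when: date
    model: str
    raw_score: float
    assessor: str  # "self" or "external"


def normalise(model: str, raw_score: float) -> float:
    """Map a raw score onto 0.0-1.0 by its model's scale (assumed linear)."""
    top = SCALE_MAX[model]  # KeyError for an unknown model is intentional
    if not 0.0 <= raw_score <= top:
        raise ValueError(f"{model} score {raw_score} outside 0-{top}")
    return raw_score / top


def congruent(results: Dict[str, float], tolerance: float = 0.15) -> Tuple[bool, float]:
    """Check that several models assessed in the same period agree.

    Returns (agree?, spread), where spread is max - min of the normalised
    scores. A spread above the tolerance is a signal to look for bias in
    one set of questionnaire answers rather than to average it away.
    """
    scores = [normalise(m, s) for m, s in results.items()]
    spread = max(scores) - min(scores)
    return spread <= tolerance, round(spread, 3)


def trend(log: List[Assessment]) -> List[Tuple[date, float]]:
    """Mean normalised maturity per assessment date, oldest first.

    Averaging whichever models were run on a date keeps the series
    comparable even after a fee-based model's subscription lapses.
    """
    by_date: Dict[date, List[float]] = {}
    for a in log:
        by_date.setdefault(a.when, []).append(normalise(a.model, a.raw_score))
    return [(d, round(sum(v) / len(v), 3)) for d, v in sorted(by_date.items())]


# Constructed sample log: scores are illustrative, not real assessment data.
SAMPLE_LOG: List[Assessment] = [
    Assessment(date(2019, 3, 1), "Gallagher", 42.0, "self"),
    Assessment(date(2019, 3, 1), "FEMA CAT", 4.0, "self"),
    Assessment(date(2019, 3, 1), "Virtual Corporation", 2.0, "self"),
    Assessment(date(2022, 3, 1), "Gallagher", 70.0, "self"),
    Assessment(date(2022, 3, 1), "FEMA CAT", 7.0, "self"),
    Assessment(date(2022, 3, 1), "Virtual Corporation", 4.0, "self"),
    Assessment(date(2023, 9, 1), "CMMI", 3.0, "external"),
]


def baseline_check() -> Tuple[bool, float]:
    """Congruence of the three models run at the constructed 2019 baseline."""
    first = {a.model: a.raw_score for a in SAMPLE_LOG if a.when == date(2019, 3, 1)}
    return congruent(first)


if __name__ == "__main__":
    print("baseline congruent:", baseline_check())
    for when, score in trend(SAMPLE_LOG):
        print(when, score)
```

Run it directly to print the baseline congruence check and the trend. The log keeps the raw score and the model name together rather than only the normalised value, so that the normalisation can be revisited later without losing history; a disagreement flagged by `congruent` is worth investigating as possible bias in one questionnaire before the scores are reported to stakeholders.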
What to Mature
After using a BCM maturity model to assess your strengths and weaknesses, you can then use the results to determine where to invest your energy, time, and budget. Please know that you cannot support only one dimension and expect to increase maturity. Instead, your strategic plan needs to invest in at least four or five different areas, such as, but not limited to, the following:
- Governance (i.e., policies, procedures, committees, risk appetite, risk tolerances, etc.);
- Human Resources and leadership (i.e., leadership commitment, job descriptions, competencies, performance objectives, etc.);
- Program management (i.e., document management, strategic plan, administrative plan, etc.);
- Automation and software (e.g., governance risk compliance or GRC);
- Collaboration and integration (e.g., information technology, change management, project management, etc.);
- Understanding the organization (i.e., purpose, organizational context, business impact assessments, and risk assessments);
- Action Plans (loss of facilities/premises, loss of technology, loss of people, loss of business partner, hazard or topic-specific);
- Resilience and continuity strategies;
- Information technology (i.e., disaster recovery, cybersecurity, etc.);
- Incident management (i.e., event, incident, crisis, emergency, and disaster);
- Exercise management;
- Communications (i.e., alerts, warnings, crisis communications, etc.);
- Lessons management and After Action Reviews (AAR);
- Change management (i.e., organizational change, IT change management, business cases, project management, etc.);
- Performance evaluation and audits (i.e., monitor, measure, analysis, and evaluation);
- Quality improvement (i.e., non-conformity, corrective actions, continual improvement);
- Increasing awareness through education and training;
- Agreements with business partners and third parties.
As an example, please reference Figure 2 below, a simple spider graph illustrating the fictitious maturity of a BCM program, including the current and target maturity levels. At first glance, it is clear that the weaknesses of this program are the lack of Automation & Software, Collaboration & Integration, and Agreements with Partners. The BCM program manager would be correct in focusing on these three, as they are the weakest elements of the program. However, because the BCM maturity models score breadth across all elements rather than only the weakest, the BCM program manager would also need to address Human Resources, Exercise Management, Lessons Management, and Governance to raise the program’s overall maturity level.
Figure 2 – Example BCM Maturity Spider Graph
Next time: Analysis, Assessments, SWOT
Stay tuned for Part II of Kenton’s article, where he will talk about what to do once you’ve established a maturity baseline. Additionally, Kenton will share his tips on change management related to program maturity. Finally, Part II of his article will round out his thoughts on how to assess program mastery with measurement tools.
I hope you are getting as much out of this information as I am. Kenton’s knowledge base is vast, and I am proud to feature him on Disaster Empire. One of my early commitments was to share information that you might not have access to otherwise. So, it’s a real treat to share Kenton’s insights gained over his long career in business continuity, emergency, and risk management.
If you enjoyed this article, check out my blogs on Resilience Metrics & Measurements and Program Evaluation.
1 thought on “Measuring the Maturity of your Business Continuity Management (BCM) program”
Well written, thank you Kenton.