Conducting a Year-End Assessment of Your Business Continuity Maturity

As Q4 approaches, many BCM professionals start to think about their programs in big-picture terms: How are we doing? What shape are we in? What are we doing that’s working or not working? Are there holes that we need to fill? Where do we need to invest additional resources in the coming year? How do we achieve business continuity maturity?

This kind of temperature-taking is very worthwhile, in my opinion; I encourage all BCM leaders to engage in a review of this type. It provides a great opportunity to step back from the day-to-day battles and assess where you are and where you’d like to go, as well as the steps you need to take to get there.

In thinking about this topic the other day, I hit on four questions that seemed to me the most important of all the questions you might potentially ask yourself as you try to get a bead on where your program stands. In my judgment, these are the four questions that will get you quickly to the heart of the matter of what shape your program is in and what you have to do to make it better.

Without further ado, here are my 4 Questions. These will give you a complete assessment of your business continuity maturity and help you plan for improvement.

Question 1: Are you compliant?

Compliance is all about following the known recipe for success. Industry standards such as FFIEC or ISO 22301 amount to the distilled wisdom of the smartest, most experienced BCM professionals as to what organizations need to do to ensure they can recover and get back into business quickly in the event of a disruption. Are you following their advice? Are you meeting the other standards you have agreed to or are obliged to meet?

In talking about compliance, we’re really talking about four things:

1. Are you compliant with industry standards, such as FFIEC or ISO 22301?
2. Have you kept up with your organization’s own policies and standards?
3. Are you compliant with any customer standards you have agreed to meet?
4. Are you compliant with any government standards you are obliged to meet?

Collectively these standards can be thought of as instructions for building a well-performing automobile. An organization that’s in compliance with the applicable standards is like a well-built car: it has a sound structure, one that has prepared it to perform when the need arises. An organization that is out of compliance is like a car that has failed its safety inspection.

This is why the very first thing you need to ask yourself as part of your Q4 review should be: Is our program compliant with the industry, company, customer, and governmental standards we have agreed to meet or are required to meet? Until you know that, you don’t know anything.

Question 2: Have you measured residual risk?

This is a huge one. It’s also the question nobody wants to ask.

Measuring residual risk is all about finding out where the risk in your program resides. Where do you have the most significant exposure? Where do you have holes? What are the three or four areas where your organization is most at risk?

People are reluctant to delve into this topic. They worry that any problems they call attention to will reflect poorly on them as professionals. They’re especially reluctant to tell management about their program’s weaknesses. People tell me, “Management will freak out if I go in and say, ‘We have this exposure.'” It’s human nature: Nobody wants to be told about the termites eating the foundation of their house when they’re out in the backyard hosting a barbecue. However, as a BCM professional, this is one of those times when you have to bite the bullet. It’s good due diligence for yourself as well as for your program.

It helps to look at it this way: if you don’t tell management and something goes wrong in that area, it’s on you. If you do tell them and something goes wrong, it provides you with a certian degree of coverage. Just tell your senior leadership, “Look, we all know we have problems, everybody does. Now, this is where our weaknesses lie and here’s what we can do to address them . . .”

It’s got to be done. We can’t have any heads in the sand when it comes to BCM. That’s why the second question you should ask in doing your Q4 review is: Have you measured residual risk? If you haven’t, you’re driving blind.

Easily evaluate your organization’s level of residual risk with our cloud-based Residual Risk (R²) tool, and get a score for each of your business unit and/or information technology recovery plans. Schedule a demo to see the tool in action. 

Question 3: Have you created a roadmap?

If you have, good for you. I can’t tell you how often we go in and ask clients for a roadmap, and they say they don’t have one.

The roadmap comes out of what you learned in answering questions 1 and 2.

I think a good way of setting out a roadmap is to do it in table form, quarter by quarter, with each quarter having its to-do list of things to deliver and tasks to complete. Your deliverables might include your set of business continuity policy standards or a recovery plan template. Your tasks could be anything from holding quarterly meetings with senior management to review your program to conducting a mock disaster exercise for your crisis management team.

So many organizations take an ad hoc approach to business continuity planning. A roadmap helps you go from being reactive to being proactive.

Question 4: Have you implemented the roadmap?

Obviously, there’s a difference between having a roadmap in your possession and actively consulting and implementing it. Has your organization been following its roadmap? Are you getting the things done that you planned to get done? Are you checking off those little checkboxes?

Make an assessment not only of whether you have a plan for improvement but whether and to what degree you’ve been following it. This is the last but not the least of the four questions you should ask yourself to give you a well-rounded assessment of your business continuity maturity as the year draws to a close.

If you can answer yes to these four questions, then you can be fairly confident you either have or are on your way to a program that can help your organization respond, recover, and get back into business in a reasonable time in the event of a disruption. If you answered no to any of them, you’ve got work to do.

Consider BCMMetrics^TM Business Continuity Management Tools

Want help measuring enterprise compliance or measuring residual risk? Take a look at BCMMetrics. Our cloud-based solutions facilitate compliance across your business continuity program and include tools to help with:

• Evaluating standards compliance. Compliance Confidence (C²) makes it simple to assess your program’s level of compliance against key industry standards and gives you a “FICO-like” score that helps identify areas for improvement.
• Assessing your program’s residual risk. Residual Risk (R²) quantitatively identifies where pockets of residual risk exist and helps you evaluate how to handle them.
• Conducting BIAs. BIA On-Demand (BIA^OD) gives you all the right questions to ask for every BIA interview and organizes the data to provide insights and easily share with your team.

We also offer eight hours of free consulting in the first year to help with each tool, as a result, you’re sure that you are getting everything you want out of them. Our tools are intuitive, secure, and will get the job done. If that’s what you’re looking for in a business continuity management system, schedule a free demo of our software today.