CM2: Measuring the business continuity model

A capability and maturity model injects rigour into a business continuity model

April 24, 2012

By Karen Humphris, senior business continuity management advisor, ContinuitySA

As we all know, the business environment has become much more volatile and changeable: competition is more intense, and customers are raising the bar all the time. Business agility has become a key business success factor, and the modern corporation is increasingly all about change.
In tandem, business continuity plans have to become just as agile to ensure they remain up to date with constant change. For that reason, business continuity management has grown in importance globally because it provides a way to embed and continually update business continuity plans. And, as business continuity management has grown in importance, so has the need to assess it effectively.
The old adage, “You can’t manage what you can’t measure”, is equally true here.
We have developed a comprehensive model that allows companies to assess the effectiveness of all the elements of their business continuity management programmes and, perhaps more importantly, to move from their current state to the desired state in a deliberate and planned fashion.
This model—the Capability and Maturity Model, or CM2 Model—is applicable whether you have just begun implementing business continuity management or whether you have a full-blown business continuity management system.

The 12 success factors of business continuity management

Our departure point for building the CM2 model is the 12 success factors of a successful business continuity model. Clearly, the effectiveness of each one of these contributes to the overall maturity of the programme as a whole.
In our experience, the 12 success factors of an effective business continuity model are:

• Executive support. Is there a business case and is it backed up with budget, policies and leadership commitment?
• Resources and expertise. Are they sufficient?
• Core enterprise threat assessment. What are the threats and single points of failure—and how are they managed and mitigated?
• Extended enterprise threat assessment. The same assessment made of the supply chain.
• Continuity strategies. What are the possible strategies for each of the resource dependencies, and which ones should be selected?
• Incident management framework. This should consist of strategic, tactical and operational activities with an appropriate infrastructure.
• Incident (emergency) response. Are the procedures, infrastructure and teams in place to protect your most valuable asset, your people?
• Reputation management. Are the procedures, infrastructure and teams in place to protect your next most valuable asset?
• Business continuity plans. Do they include an initial response, recovery plans and, ultimately, resumption of normal operations?
• Recovery infrastructure. Is it adequate, and is its own risk profile adequately managed?
• Testing. This is one of the most vital steps and one that companies struggle with the most.
• Assurance reviews and audits. These processes are necessary ultimately to drive a culture of continuous assessment.

Creating the CM2 model

Each of these 12 success factors, including the many individual factors that make up each one, can then be scored according to international standards and good practice guidelines. Each score takes into account the theory and methodology of business continuity management, the company’s actual practices, the resources it allocates to business continuity management and the underlying business continuity management system.
The scoring we use distinguishes between five levels of maturity, from Level 1 (cannot recover from or survive a disruption) to Level 5 (recoverability is certifiable). These levels correspond to percentage ranges, and so each success factor’s elements can be rated in terms of percentage to generate an overall level for that factor. The assessment results are granular enough to provide many different analyses; for example, business units or individual sites could be assessed.
This model thus provides a clear snapshot of where the organisation is at present and, perhaps more importantly, allows a company to specify where it would like to be in the future. And because it’s so concrete, the steps that need to be taken can also be precisely identified and prioritised. Progress along the journey can also be measured and managed, and improvement quantified.
Measurement enables not only management but also improvement, and that’s where the strength of this model is evident: it helps an organisation to move towards better business continuity management and thus, ultimately, to a company with greater longevity.