itscore for business continu 2053103

Upload: marcos-freitas

Post on 02-Jun-2018


  • 8/10/2019 Itscore for Business Continu 2053103

    1/16

    Gartner for IT Leaders
    Publication Date: 17 September 2010 ID Number: G00205310

    2010 Gartner is a registered trademark of Gartner, Inc. and/or its affiliates. Gartner for IT Leaders is a service mark of Gartner and/or its affiliates. All rights reserved. Reproduction and distribution of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Although Gartner's research may discuss legal issues related to the information technology business, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The opinions expressed herein are subject to change without notice.

    ITScore for Business Continuity Management
    Roberta J. Witty, John P Morency

    A series of highly publicized, extremely damaging events has made it clear that business continuity management (BCM) is an essential concern for all enterprises, whatever their type, industry or region of operation. BCM professionals can use Gartner's BCM ITScore maturity assessment, and its accompanying diagnostic tool, to identify their current and desired levels of maturity, and improve their BCM efforts.

    Key Findings

    The traditional IT-centric view of BCM is necessarily shifting toward a comprehensive, enterprisewide focus on business resilience, driven by 24/7 service delivery requirements, the impact of globalization, and increasing natural and man-made risk.

    Improving an enterprise's BCM maturity is a long-term undertaking, and not all enterprises can or should attempt to reach the highest level of maturity.

    Maturity improvements will inevitably move the enterprise's BCM efforts well beyond the IT organization, and will require significant commitment from senior executives and many key stakeholders across the enterprise and external to it.

    Many large global enterprises have made significant investments in recovery initiatives, but few have yet undertaken any formal maturity assessment of their BCM programs. Key indicators of progressing maturity encompass management processes, people and organization, technologies and tools, and business culture.

    Recommendations

    Assess the maturity of your BCM program using Gartner's ITScore for BCM online diagnostic tool and address the areas needing improvement.

    Begin the BCM maturity improvement process by appointing an individual responsible for the enterprise's BCM program, even if the program does not yet exist. This individual will develop BCM strategies, beginning with key functions such as IT disaster recovery management (IT DRM) and crisis management.

    Establish a BCM steering committee that comprises representatives of stakeholders throughout the enterprise.

    Build on existing ad hoc BCM/DR communication and collaboration mechanisms to develop a formal mechanism for discussing BCM issues and responsibilities with the lines of business and other stakeholders.


    Critically evaluate your current BCM program to determine if it has been founded on well-defined principles, policies, practices and processes. Engage external expertise if necessary.

    Develop a vision and strategic plan to establish or improve the maturity of the BCM program, and manage to that plan.

    Work to develop repeatable activities, realistic metrics and workable testing plans that can be used enterprisewide.

    Make aligning the enterprise's BCM program with day-to-day business operations the ultimate goal of the maturity process.


    TABLE OF CONTENTS

    Strategic Planning Assumption
    Analysis
        1.0 An Introduction to the ITScore Approach to BCM Maturity
        2.0 Overview of Maturity Levels
        3.0 Dimensions and Key Indicators of BCM Maturity
            3.1 Dimensions
            3.2 Four Key Indicators
        4.0 Level 1: Initial
            4.1 Characteristics
            4.2 Recommended Actions for Improvement
        5.0 Level 2: Developing
            5.1 Characteristics
            5.2 Recommended Actions for Improvement
        6.0 Level 3: Defined
            6.1 Characteristics
            6.2 Recommended Actions for Improvement
        7.0 Level 4: Managed
            7.1 Characteristics
            7.2 Recommended Actions for Improvement
        8.0 Level 5: Optimizing
            8.1 Characteristics
            8.2 Recommended Actions
        9.0 Diagnostic Tool Overview
        10.0 Directions for Use
    Recommended Reading

    LIST OF FIGURES

    Figure 1. Overview of ITScore BCM Maturity Levels


    Level 2: Developing. The enterprise's focus is largely on recovery of IT services, but different stakeholders are beginning to collaborate informally to address business recovery issues. Recovery activities are not repeatable, and program management and improvement automation is basic and manual, mainly leveraging office automation tools.

    Level 3: Defined. The enterprise has designated formal responsibility for BCM, but an integrated enterprisewide BCM program and organization do not yet exist. Processes are more formalized across the enterprise, repeatable recovery plan management and testing processes are in place, and formalized budgets have been established in at least some areas.

    Level 4: Managed. An integrated enterprisewide BCM program is in place, with recovery activities that are aligned with business processes and operational needs. Key enterprise stakeholders are briefed regularly. Testing has become more comprehensive, and program management automation has begun to be implemented.

    Level 5: Optimizing. BCM activities, processes and practices are fully integrated with and in the lines of business. The enterprise BCM program encompasses IT DRM, business recovery, contingency planning, crisis/incident management, pandemic planning and emergency response, delivering the best possible chance for business resilience across the enterprise.

    Figure 1. Overview of ITScore BCM Maturity Levels

    KPI = key performance indicator; KRI = key risk indicator

    Source: Gartner (September 2010)


    Each stage of maturity builds on the previous stage, but, in practice, elements of different stages may exist at the same time. Organizational readiness and/or willingness means that some elements may be farther advanced than others.

    The Gartner BCM Maturity Assessment is based on the principle that the quality of an organization's BCM program and recovery plans will be directly related to the quality and maturity of the BCM processes and practices used to create and maintain them. Such an assessment is a useful diagnostic tool. It helps organizations discern where they are and what they should do next, and also serves as a prognostic tool to determine what is likely to happen next. It is important to note that although all organizations should strive to improve their BCM processes and practices, moving from one maturity level to the next is not necessarily a simple task, and that enterprises shouldn't necessarily target Level 5 as their goal. The effort to get to that stage may not be required to achieve a satisfactory level of risk for enterprise stakeholders. Level 3 is the minimum level that organizations should find acceptable. In fact, this may be entirely unrealistic for many enterprises, which may not need, or not be able to justify the costs of, the highest levels of BCM preparedness. BCM professionals need to conduct a realistic assessment not only of the current BCM maturity levels of their enterprises, but also of their future requirements and their organizational and technological capabilities.

    3.0 Dimensions and Key Indicators of BCM Maturity

    The maturity assessment for BCM considers seven dimensions and four key indicators.

    3.1 Dimensions

    The questions and answers in the BCM Maturity Model are categorized into seven dimensions that provide a detailed structure to assess maturity. They map into the four key indicators in Section 3.2, which provide a higher level of discussion around characteristics for each maturity level.

    1. BCM Governance: BCM governance is a set of collective decisions and guidance on using BCM and IT DRM in the business. Early stages of maturity provide no governance structure. Once at Level 3, the structure starts to take shape.

    2. BCM Program Scope: BCM program scope represents the breadth of the BCM program activities across the enterprise and beyond. In the earlier stages of maturity, the program will likely only cover IT DRM. In later stages of maturity, it will encompass more BCM components (crisis management, business recovery and so forth) as well as more of the enterprise's business activities.

    3. Budgeting and Investments: Many organizations with low overall BCM maturity are reactive and ad hoc, and recovery activities are focused on tactical planning and budgeting. Mature organizations execute annual planning, with quarterly objectives aligned with the strategic business plan.

    4. BCM Program Organization: Organizational maturity represents the readiness of the organization and people dimensions of BCM maturity. It addresses characteristics such as having the right people with the appropriate skills organized in a reporting structure that minimizes conflicts of interest and clearly defined responsibilities and accountabilities.

    5. BCM and IT DRM Architecture Guidelines and Framework: Organizations with lower levels of BCM maturity do not include all key components of a standardized BCM framework, including business and technology interdependencies, risk assessment, business impact analysis, exercise framework and automation that can help ensure that the standard framework is used by every area within the enterprise.

    6. BCM Processes and Controls: Process maturity is a traditional measure of formalizing BCM processes so that they can be repeatable, measurable, reportable, survivable and continuously improved.

    7. Awareness, Training and Exercising: Training and exercising recovery plans are the primary means used to assess and improve the effectiveness of the BCM program, aside from experiencing an actual disaster. Lower levels of maturity have no training or exercising methodology in place. Higher levels of maturity maintain workforce awareness and exercise recovery plans on a regular basis.

    3.2 Four Key Indicators

    1. Management Processes: Does BCM have executive sponsorship? Is a formal governance structure in place? Is there a clearly defined, enterprisewide vision and strategy for BCM? Are formal planning mechanisms in place? (See "Business Continuity Management Defined, 2008" and "Activity Cycle Overview: Business Continuity Manager Role, 2010 to 2011.") The dimensions that map to this key indicator are BCM governance, BCM program scope, and budgeting and investments.

    2. People/Organization: Is there a program management office (PMO) with a charter to manage the BCM program and its portfolio of projects, applications and products? Are the roles of different constituents (people and organizational functions) well-defined and documented, typically in a responsible, accountable, consulted and informed (RACI) matrix (see "Business Continuity Management Governance Defined, 2010," "Toolkit: BCM Governance and Implementation Responsibility Decision Matrix, 2010" and "Toolkit: Business Continuity Management Charter Best Practices and Template")? Is there a professional development program in place to ensure that participants' skills meet program needs? The dimension that maps to this key indicator is BCM Program Organization.

    3. Processes and Tools: Are there a BCM program architecture, IT DRM recovery infrastructure design, and IT DRM and work area recovery sourcing strategies? How well does IT DRM infrastructure design support recovery class requirements? What is the formalization, integration, business alignment and so on of the BCM processes? To what degree is IT DRM aligned with or embedded within enterprise architecture (EA)? Note that this aspect of BCM program maturity should not be judged on the kind of BCM and IT DRM technologies that an enterprise has selected and implemented; for example, lack of a BCM planning tool or a real-time infrastructure doesn't indicate immaturity, because there may be several reasons why an enterprise has chosen a different technology set to address recovery and continuity needs (see "Hype Cycle for Business Continuity Management, 2009"). The dimensions that map to this key indicator are: BCM and IT DRM Architecture Guidelines and Framework; BCM Processes and Controls; and Awareness, Training and Exercising.

    4. Business Culture: To what degree is BCM aligned with critical business objectives? How and to what degree are business stakeholders engaged with BCM: not at all, within individual initiatives and technology projects, or within the BCM program strategy overall? Does BCM contribute to business enablement (direct business value) as well as risk management and IT operations efficiency and effectiveness (see "A New Approach: Obtain Business Ownership and Investment Commitment for Business Continuity and Resilience Management Through Key Performance and Risk Indicator Mapping")? The dimension that maps to this key indicator is BCM Governance.


    4.0 Level 1: Initial

    4.1 Characteristics

    The enterprise's BCM/DR activities at this early, highly immature level are ad hoc, improvised and reactive. There is a general awareness that BCM or, more commonly, IT DRM activities are important. This awareness is frequently triggered by a major event that affects the enterprise directly or receives significant media attention; however, the enterprise does not possess a "critical mass" of information, knowledge and processes that could form the basis of a formal program. Recovery of the business after a disaster will be long, costly and arduous, with closure of the business being a distinct possibility:

    Management Processes: BCM has no executive sponsorship and no formal governance structure. No enterprisewide vision, strategy or program management for BCM or IT DRM.

    People/Organization: Responsibilities for BCM or IT DRM are extremely siloed, based in separate data centers, lines of business or geographical locations, and are neither formally assigned nor aligned with the business. No professional development program is in place to ensure that participants' skills meet program needs. Most importantly, no formal accountability for BCM or IT DRM has been established.

    Processes and Tools: There is no BCM program architecture, IT DRM recovery infrastructure design or IT DRM sourcing strategy. Activities are extremely IT-centric, with the only established processes likely to be regularly scheduled server backups, and the only technologies used being backup and restore software; however, formal recovery classes do not exist. No program management automation is in place. Recovery plans are nonexistent, out of date or merely checklists of actions to execute.

    Business Culture: Neither BCM nor IT DRM is aligned with critical business objectives or contributes to business enablement. Business stakeholders are not engaged at all with IT DRM.

    4.2 Recommended Actions for Improvement

    Begin a "bottom up" process of developing an IT DRM program, naming an individual within the IT organization who will be responsible for developing IT DRM strategies for the various "siloed" areas, beginning with more-basic functions such as IT DRM and event response management.

    Document business drivers for recovery: service-level agreement requirements, regulatory requirements, industry standards, supply chain partner requirements and so forth.

    Establish an initial budget for IT DRM (including required capital equipment, staffing and supporting services).

    Align business-unit IT DRM delivery expectations with what IT can realistically provide given current and projected budget allocations.

    Inventory current recovery capabilities, processes, responsible parties, skill sets and technologies. Perform an assessment against business expectations of recovery needs. Develop a gap report of current capabilities to recovery need expectations.


    Begin producing internal (IT only) reports of progress being made with IT DRM plan construction and/or management process development.

    Develop a basic crisis management and communications process for all types of disasters, not just IT events.

    Create checklists defining how the enterprise, and organizations and individuals within the enterprise, should respond to specific situations (for example, who should be notified in an emergency, what vital records the enterprise holds, where and in what form, what key applications need to be protected, and the locations where recovery operations may need to be initiated).

    5.0 Level 2: Developing

    5.1 Characteristics

    This level of maturity is characterized by a continued focus on IT DRM, rather than on continuity of business operations. Management processes are still reactive, only supporting post-disaster event response. Interaction among IT and business stakeholders remains informal, with little involvement or commitment from the business. Supporting technologies are still basic, with no program management automation in place. Recovery plan development or modification responsibility has been assigned, and plan updating has begun:

    Management Processes: BCM has no executive sponsorship and no formal governance structure. No enterprisewide vision, strategy or program management for BCM or IT DRM. Management reporting is done on request.

    People/Organization: IT DRM responsibility likely resides with data center operations. No professional development program in place to ensure that participants' skills meet program needs.

    Processes and Tools: An initial set of recovery class definitions exist. IT DRM plans that support the recovery classes are initially being developed or modified. Comprehensive testing of the IT DRM plans is focused on test execution mechanics (test step ordering and execution, definition of recovery team responsibilities, remediating backup media problems and correcting test execution deficiencies) and is not focused on meeting specific recovery time objectives (RTOs) and recovery point objectives (RPOs). There is no BCM program architecture, IT DRM recovery infrastructure design and IT DRM sourcing strategy. No program management automation is in place. Recovery plans are developed using office automation tools.

    Business Culture: Neither BCM nor IT DRM is aligned with critical business objectives or contributes to business enablement. Business stakeholders are consulted for feedback on IT DRM direction. Business expectations far exceed what IT can deliver.

    5.2 Recommended Actions for Improvement

    Define the RTO and RPO requirements for all application recovery classes.

    Obtain senior executive sponsorship for the IT DRM program by defining key delivery milestones and program success metrics that can be tracked and reported on a regular basis.

    Staff an IT DRM management team with individuals with appropriate skill sets and defined responsibilities for IT DRM (whether full- or part-time).


    Develop plans for the creation of a more comprehensive BCM program, with leadership responsibility and organizational structure clearly defined. This program may report into the IT organization, the security organization or business operations (Gartner considers this a best practice), or its structure may be location-specific.

    Institute a BCM steering committee, with appropriate business unit and IT membership, to govern the BCM program and establish program mandates and authority, and more effectively align business-unit recovery expectations with IT delivery capabilities.

    Define the data center infrastructure upgrades that will be required to support all application recovery classes. Begin upgrade implementations that can be initiated within data center budgetary constraints.

    Define a sourcing strategy that defines how external service providers can most cost-effectively support IT DRM program goals and objectives.

    Develop improved contingency planning and testing, including formalized tabletop testing of business responses. Expand the scenarios used, to consider more components of BCM, and more types of risk, which will eventually make possible the creation of a more comprehensive, formalized program.

    Create formal mechanisms for communicating with senior management about the developing program, its successes and challenges, and its evolving drivers (for example, pressure from customers or partners to demonstrate program maturity).

    Develop and formalize a set of BCM processes (for example, risk and business impact assessment, testing and exercising, change management) with their respective responsible, accountable, consulted and informed (RACI) charts and metrics.

    Begin evaluating supporting automation tools.

    6.0 Level 3: Defined

    6.1 Characteristics

    At the Defined level, formal responsibility for BCM has been established, but a true BCM program does not yet exist. The "BCM organization" is more comparable to that of a program management office at this point. However, there is the beginning of process formalization, with different regions and different lines of business supporting a similar set of recovery and continuity processes. IT DRM recovery plans are now in place, and the enterprise has repeatable processes, including testing processes, in place. Formalized budgeting has been established that inevitably raises awareness of, and accountability for, BCM:

    Management Processes: BCM has obtained executive sponsorship, but there is still no formal governance structure. Enterprisewide vision, strategy and program management are beginning to be defined. Management reporting is done on an annual basis.

    People/Organization: IT DRM responsibility is still likely to reside with data center operations. BCM program responsibility lies in an expanded role for IT DRM, or has been assigned to IT risk management, HR or another operational business unit. A BCM steering committee made up of key operational managers is in place. Non-IT recovery roles and responsibilities are being defined. No professional development program is in place to ensure that participants' skills meet program needs.


    Processes and Tools: IT DRM application recovery class definitions and plans are in place for all mission-critical applications, at a minimum. Comprehensive testing of IT DRM plans continues and is now focused on meeting specific RTOs and RPOs. IT DRM recovery infrastructure design and IT DRM sourcing strategy are well under way, and BCM program architecture and management are in the beginning stages of development, although program management automation is not in place. Recovery plans are developed using office automation tools.

    Business Culture: BCM and IT DRM are starting to be aligned with critical business objectives, but still do not contribute to business enablement. Business stakeholders are consulted for feedback on IT DRM direction. Business recovery expectations and IT DRM recovery capabilities are aligning more effectively.

    6.2 Recommended Actions for Improvement

    Name a BCM program manager.

    Define the BCM program manager's role with respect to the management and orchestration of the BCM steering committee.

    Define the key policies, program management procedures and success metrics that will constitute the basis for effective BCM governance.

    Complete the internalization of the recovery and continuity vision and execution strategy with business operations.

    Begin evaluation and piloting of recovery and continuity program management automation tools.

    Provide business operations with the support and tools needed to develop recovery and continuity plans and programs so that operations can become more self-sustaining over time.

    Develop and apply actionable metrics that can demonstrate the value and maturity of the program to senior management, line-of-business managers, shareholders and others.

    Increase the depth, breadth and integration of BCM testing.

    7.0 Level 4: Managed

    7.1 Characteristics

    The enterprise BCM and IT DRM programs are aligned and integrated. Metrics are in place that enable the BCM manager to measure and report on the successes and challenges of the program. BCM processes are standardized and exercised throughout the enterprise. Senior management, shareholders and other key stakeholders are briefed on the status of the BCM program on an annual basis. The depth and breadth of testing has increased significantly, and program management automation is in place and utilized across the enterprise for program activity execution and reporting. KPIs are beginning to be used to measure supporting process improvements:

    Management Processes: BCM governance is formalized. Enterprisewide recovery and continuity vision, strategy, and program management are defined.


    People/Organization: BCM program responsibility is aligned with strategic business management and is a core business operations discipline. A BCM steering committee made up of key operational managers is in place.

    Processes and Tools: Comprehensive BCM plans are in place and regularly exercised, and meet all recovery readiness and effectiveness requirements. Program management automation is used for business process re-engineering and is a fundamental enabler of continuous program improvement.

    Business Culture: Business resilience is an integral part of business management, and requirements are considered in all aspects of business operations, including but not limited to: succession planning, facilities management, mergers and acquisitions, new product/service design, customer services and so forth.

    8.2 Recommended Actions

    Continue to optimize processes and process definitions.

    Focus processes on the ability to react rapidly to changes in the business, technology and economic environments.

    Complete the integration of automation tools.

    Use metrics to monitor the impact of changes on the BCM program and the enterprise as a whole.

    9.0 Diagnostic Tool Overview

    The ITScore diagnostic tool can be used to perform an initial BCM/IT DRM maturity assessment and then, on a quarterly or at least annual basis, to track improvements in BCM/IT DRM maturity. The results can be used in:

    Improving the enterprise's visibility into its approach to BCM/IT DRM activities and its related availability risks.

    Identifying and prioritizing gaps in BCM/IT DRM and related controls.

    Demonstrating to senior management, and other internal and external stakeholders the value of BCM activities, and justifying the associated costs.

    Demonstrating to internal and external stakeholders progress in improving the BCM program.

    Making necessary changes to organizational structure to support BCM/IT DRM and, ultimately, true business resilience.

    Communicating with different target audiences inside and outside the enterprise (for example, the IT organization, the board of directors and business partners).

    10.0 Directions for Use

    Gartner's ITScore BCM Maturity Assessment Tool provides a baseline for determining the maturity of the organization's BCM program. It also provides insights into the areas of weakness and opportunities for improvement. The tool can be used to benchmark your program against your industry or the state of BCM practice across industries and around the world. The BCM maturity tool can also be used to communicate the need for investments in program improvement, and provides a useful tool for having a fact-based discussion on program maturity, which can help to overcome the political and cultural issues that may be preventing BCM program development.

    The BCM leadership team should assess BCM program maturity as honestly as possible, since it is a subjective exercise. It's helpful to adopt appropriate measurement standards, if they exist, from inside the organization. As long as the maturity assessment is done by minimizing hidden agendas or motives, it adds value. It can provide valuable insights into areas of constraint and potential improvement, and can be used as an indicator of risk.

    Understanding a BCM program's maturity level is of little use unless it is a starting point for change. Enterprises should adopt these steps to improve the maturity of their BCM programs:

    Assess current state. To increase maturity levels, an enterprise must understand how it is positioned.

    Identify gaps. This analysis identifies factors in the enterprise and its environment that constrain the success of the BCM program. In many cases, the maturity of the BCM program is unbalanced across the various dimensions listed here. For example, having a well-developed set of BCM deliverables will not ensure a positive impact unless they are supported by an appropriate management governance process to ensure any activities or projects are compliant. The gap analysis works to identify the program deficiencies that are holding back the BCM program from reaching its full potential.

    Set maturity targets. Once the gap analysis is complete, maturity target setting defines specific goals for improvement. The maturity target is not a "blue sky" activity; it must be grounded in reality, with recognition of business priorities, required resources, program change capacity, and prevailing enterprise culture and maturity. It must also be associated with a specific future time frame.

    Plan improvements. Improvement planning identifies the gaps between the current and the desired future states, and the transformation steps required to fill these gaps. The program improvement plan must define the improvement projects that will be undertaken to fulfill the plan. The improvement plan defines the necessary details (for example, scope, objectives, deliverables, resources, costs and schedule) needed to initiate the improvement project.

    Continuously improve the BCM program. As with other key activities, a continuous improvement program should be put in place for BCM. Gartner recommends reviewing BCM maturity and improvement goals on at least an annual basis. BCM program maturity assessment is a cyclical activity. Subsequent assessments will evaluate now-current states (a measure of the success of any maturity-improvement projects), re-evaluate the desired states and define new planned states. This activity will be part of the normal planning cycle for BCM. In enterprises at Level 3: Defined or above in Management Processes, the desired states will likely flow from competitive advantage positioning, supply chain pressure or strategic planning activity.

    Enterprises should understand their current maturity levels and use this as a foundation to increase BCM program maturity. Achieving higher levels of maturity is not an end in itself; rather, higher BCM maturity will enable the realization of the many benefits of BCM. Also, understanding the current level of BCM maturity enables organizations to recognize how this maturity level constrains what can be achieved and to set expectations accordingly.

    Organizations are not static. Investment in BCM may ebb and flow over years, which can sometimes result in a move backward on the path to higher levels of maturity. Acquisitions can also have a significant impact on BCM maturity. Organizations that are improving BCM maturity will see a step-change pattern in program improvements. The BCM maturity tool should be used periodically to determine current-state maturity and make knowledgeable decisions about how to invest in program development in the future.

    RECOMMENDED READING

    "Business Continuity Management Defined, 2008"

    "Activity Cycle Overview: Business Continuity Manager Role, 2010 to 2011"

    "Business Continuity Management Governance Defined, 2010"

    "A New Approach: Obtain Business Ownership and Investment Commitment for Business Continuity and Resilience Management Through Key Performance and Risk Indicator Mapping"

    "Case Study: Euroclear Bank Applies Business Continuity Management Practices to Financial Crises"

    "Research Roundup: Business Continuity Management and IT Disaster Recovery Management, 2Q10"

    "How to Calculate the Cost of Continuously Available IT Services"

    "How to Assess Your IT Service Availability Levels"

    "Disaster Recovery Sourcing: The Time to Make More-Informed Decisions Has Come"

    "Toolkit: RFP for IT Disaster Recovery and Work Area Recovery Services, 2010"

    "Disaster Recovery Service-Level Management: Implementation Guidelines"

    "Toolkit: Create a Strategy for IT Service Data Availability and Protection"

    Go to ITScore Diagnostic Tool: http://my.gartner.com/itscore