Itscore for Business Continu 2053103

December 12, 2016 | Author: Marcos Freitas | Category: N/A

Gartner for IT Leaders Publication Date: 17 September 2010

ID Number: G00205310

ITScore for Business Continuity Management

Roberta J. Witty, John P Morency

A series of highly publicized, extremely damaging events has made it clear that business continuity management (BCM) is an essential concern for all enterprises, whatever their type, industry or region of operation. BCM professionals can use Gartner's BCM ITScore maturity assessment, and its accompanying diagnostic tool, to identify their current and desired levels of maturity, and improve their BCM efforts.

Key Findings

- The traditional IT-centric view of BCM is necessarily shifting toward a comprehensive, enterprisewide focus on business resilience, driven by 24/7 service delivery requirements, the impact of globalization, and increasing natural and man-made risk.
- Improving an enterprise's BCM maturity is a long-term undertaking, and not all enterprises can — or should attempt to — reach the highest level of maturity.
- Maturity improvements will inevitably move the enterprise's BCM efforts well beyond the IT organization, and will require significant commitment from senior executives and many key stakeholders across the enterprise and external to it.
- Many large global enterprises have made significant investments in recovery initiatives, but few have yet undertaken any formal maturity assessment of their BCM programs.
- Key indicators of progressing maturity encompass management processes, people and organization, technologies and tools, and business culture.

Recommendations

- Assess the maturity of your BCM program using Gartner’s ITScore for BCM online diagnostic tool and address the areas needing improvement.
- Begin the BCM maturity improvement process by appointing an individual responsible for the enterprise's BCM program — even if the program does not yet exist. This individual will develop BCM strategies, beginning with key functions such as IT disaster recovery management (IT DRM) and crisis management.
- Establish a BCM steering committee that comprises representatives of stakeholders throughout the enterprise.
- Build on existing ad hoc BCM/DR communication and collaboration mechanisms to develop a formal mechanism for discussing BCM issues and responsibilities with the lines of business and other stakeholders.
- Critically evaluate your current BCM program to determine if it has been founded on well-defined principles, policies, practices and processes. Engage external expertise if necessary.
- Develop a vision and strategic plan to establish or improve the maturity of the BCM program, and manage to that plan.
- Work to develop repeatable activities, realistic metrics and workable testing plans that can be used enterprisewide.
- Make aligning the enterprise's BCM program with day-to-day business operations the ultimate goal of the maturity process.

© 2010 Gartner is a registered trademark of Gartner, Inc. and/or its affiliates. Gartner for IT Leaders is a service mark of Gartner and/or its affiliates. All rights reserved. Reproduction and distribution of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Although Gartner's research may discuss legal issues related to the information technology business, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The opinions expressed herein are subject to change without notice.

Publication Date: 17 September 2010/ID Number: G00205310 © 2010 Gartner, Inc. and/or its Affiliates. All Rights Reserved.


TABLE OF CONTENTS

Strategic Planning Assumption
Analysis
1.0 An Introduction to the ITScore Approach to BCM Maturity
2.0 Overview of Maturity Levels
3.0 Dimensions and Key Indicators of BCM Maturity
  3.1 Dimensions
  3.2 Four Key Indicators
4.0 Level 1: Initial
  4.1 Characteristics
  4.2 Recommended Actions for Improvement
5.0 Level 2: Developing
  5.1 Characteristics
  5.2 Recommended Actions for Improvement
6.0 Level 3: Defined
  6.1 Characteristics
  6.2 Recommended Actions for Improvement
7.0 Level 4: Managed
  7.1 Characteristics
  7.2 Recommended Actions for Improvement
8.0 Level 5: Optimizing
  8.1 Characteristics
  8.2 Recommended Actions
9.0 Diagnostic Tool Overview
10.0 Directions for Use
Recommended Reading

LIST OF FIGURES

Figure 1. Overview of ITScore BCM Maturity Levels


STRATEGIC PLANNING ASSUMPTION

Through 2014, 65% of large enterprises (those with more than 5,000 employees) will have a formal BCM program (including formal maturity assessments), but no more than 35% will have achieved a maturity level of Managed or Optimizing.

ANALYSIS

1.0 An Introduction to the ITScore Approach to BCM Maturity

BCM is increasingly recognized as a mission-critical function for most enterprises. There are three main drivers for this broad awareness of the importance of BCM — 24/7 service delivery requirements, globalization, and increasing natural and man-made risk — and they are expanding the scope of BCM well beyond its roots in IT DRM. Enterprises must concern themselves with much more than the need to restore their data centers following a natural disaster such as a hurricane or an earthquake. They must also take into account regulatory and other compliance requirements, reputational damage, and maintaining the confidence of customers, business partners and the financial markets. They must also ensure that their BCM efforts are cost-effective and sustainable.

For all these reasons, virtually every enterprise needs to make a serious, sustained effort to advance its BCM maturity level. A maturing program will move the enterprise beyond a traditional, narrow IT-centric focus, and eventually beyond the IT organization itself. As the BCM program matures, it will come to embrace business recovery, contingency planning, crisis/incident planning, pandemic planning and emergency response, along with IT DRM. The ultimate goal is to deliver not only business continuity, but true business resiliency. This is a long-term undertaking that requires serious commitment from senior executives and line-of-business leaders, and also from other internal stakeholders ranging from the legal department to the HR organization and external partners.

Virtually every enterprise can, and should, improve its BCM maturity, and the first step in this process is to conduct a detailed, realistic assessment of the enterprise's current state. For this reason, Gartner developed ITScore, a comprehensive Maturity Assessment Framework. (The ITScore system has also been applied to many other disciplines, including IT operations, application development, compliance, identity and access management, information security, privacy and risk management.) ITScore makes it possible to determine an enterprise's current level of BCM maturity, and offers detailed recommendations for moving to the next level.

It is important to note that the highest levels of BCM maturity may not necessarily be attainable — or even desirable — for all enterprises. However, the process of continuous improvement that ITScore makes possible can deliver important benefits for all enterprises.

2.0 Overview of Maturity Levels

This ITScore-based Maturity Assessment represents an evaluation of an enterprise BCM program based on key indicators of maturity, which encompass management processes, personnel and organization, technologies and tools, and business culture. Gartner has identified five maturity levels — aligned with Gartner's established maturity levels — that represent increasing capabilities (see Figure 1):

- Level 1: Initial. The enterprise is broadly aware of the need for improvements in its recovery capabilities, but lacks the knowledge base to build a true BCM program. Its activities and processes (where they exist) are ad hoc, improvised and reactive, and largely IT-centric — and extremely siloed.
- Level 2: Developing. The enterprise's focus is largely on recovery of IT services, but different stakeholders are beginning to collaborate — informally — to address business recovery issues. Recovery activities are not repeatable, and program management and improvement automation is basic and manual, mainly leveraging office automation tools.
- Level 3: Defined. The enterprise has designated formal responsibility for BCM, but an integrated enterprisewide BCM program and organization do not yet exist. Processes are more formalized across the enterprise, repeatable recovery plan management and testing processes are in place, and formalized budgets have been established in at least some areas.
- Level 4: Managed. An integrated enterprisewide BCM program is in place, with recovery activities that are aligned with business processes and operational needs. Key enterprise stakeholders are briefed regularly. Testing has become more comprehensive, and program management automation has begun to be implemented.
- Level 5: Optimizing. BCM activities, processes and practices are fully integrated with and in the lines of business. The enterprise BCM program encompasses IT DRM, business recovery, contingency planning, crisis/incident management, pandemic planning and emergency response, delivering the best possible chance for business resilience across the enterprise.

Figure 1. Overview of ITScore BCM Maturity Levels

KPI = key performance indicator; KRI = key risk indicator

Source: Gartner (September 2010)


Each stage of maturity builds on the previous stage, but, in practice, elements of different stages may exist at the same time. Organizational readiness and/or willingness means that some elements may be farther advanced than others. The Gartner BCM Maturity Assessment is based on the principle that the quality of an organization's BCM program and recovery plans will be directly related to the quality and maturity of the BCM processes and practices used to create and maintain them. Such an assessment is a useful diagnostic tool. It helps organizations discern where they are and what they should do next, and also serves as a prognostic tool to determine what is likely to happen next. It is important to note that although all organizations should strive to improve their BCM processes and practices, moving from one maturity level to the next is not necessarily a simple task, and that enterprises shouldn't necessarily target Level 5 as their goal. The effort to get to that stage may not be required to achieve a satisfactory level of risk for enterprise stakeholders. Level 3 is the minimum level that organizations should find acceptable. In fact, this may be entirely unrealistic for many enterprises, which may not need, or not be able to justify the costs of, the highest levels of BCM preparedness. BCM professionals need to conduct a realistic assessment not only of the current BCM maturity levels of their enterprises, but also of their future requirements and their organizational and technological capabilities.

3.0 Dimensions and Key Indicators of BCM Maturity

The maturity assessment for BCM considers seven dimensions and four key indicators.

3.1 Dimensions

The questions and answers in the BCM Maturity Model are categorized into seven dimensions that provide a detailed structure to assess maturity. They map into the four key indicators in Section 3.2, which provide a higher level of discussion around characteristics for each maturity level.

1. BCM Governance: BCM governance is a set of collective decisions and guidance on using BCM and IT DRM in the business. Early stages of maturity provide no governance structure. Once at Level 3, the structure starts to take shape.
2. BCM Program Scope: BCM program scope represents the breadth of the BCM program activities across the enterprise and beyond. In the earlier stages of maturity, the program will likely only cover IT DRM. In later stages of maturity, it will encompass more BCM components (crisis management, business recovery and so forth) as well as more of the enterprise's business activities.
3. Budgeting and Investments: Many organizations with low overall BCM maturity are reactive and ad hoc, and recovery activities are focused on tactical planning and budgeting. Mature organizations execute annual planning, with quarterly objectives aligned with the strategic business plan.
4. BCM Program Organization: Organizational maturity represents the readiness of the organization and people dimensions of BCM maturity. It addresses characteristics such as having the right people with the appropriate skills organized in a reporting structure that minimizes conflicts of interest and clearly defined responsibilities and accountabilities.
5. BCM and IT DRM Architecture Guidelines and Framework: Organizations with lower levels of BCM maturity do not include all key components of a standardized BCM framework, including business and technology interdependencies, risk assessment, business impact analysis, exercise framework and automation that can help ensure that the standard framework is used by every area within the enterprise.
6. BCM Processes and Controls: Process maturity is a traditional measure of formalizing BCM processes so that they can be repeatable, measurable, reportable, survivable and continuously improved.
7. Awareness, Training and Exercising: Training and exercising recovery plans are the primary means used to assess and improve the effectiveness of the BCM program — aside from experiencing an actual disaster. Lower levels of maturity have no training or exercising methodology in place. Higher levels of maturity maintain workforce awareness and exercise recovery plans on a regular basis.

3.2 Four Key Indicators

1. Management Processes: Does BCM have executive sponsorship? Is a formal governance structure in place? Is there a clearly defined, enterprisewide vision and strategy for BCM? Are formal planning mechanisms in place? (See "Business Continuity Management Defined, 2008" and "Activity Cycle Overview: Business Continuity Manager Role, 2010 to 2011.") The dimensions that map to this key indicator are BCM governance, BCM program scope, and budgeting and investments.
2. People/Organization: Is there a program management office (PMO) with a charter to manage the BCM program and its portfolio of projects, applications and products? Are the roles of different constituents (people and organizational functions) well-defined and documented, typically in a responsible, accountable, consulted and informed (RACI) matrix (see "Business Continuity Management Governance Defined, 2010," "Toolkit: BCM Governance and Implementation Responsibility Decision Matrix, 2010" and "Toolkit: Business Continuity Management Charter Best Practices and Template")? Is there a professional development program in place to ensure that participants' skills meet program needs? The dimension that maps to this key indicator is BCM Program Organization.
3. Processes and Tools: Are there a BCM program architecture, IT DRM recovery infrastructure design, and IT DRM and work area recovery sourcing strategies? How well does IT DRM infrastructure design support recovery class requirements? What is the formalization, integration, business alignment and so on of the BCM processes? To what degree is IT DRM aligned with or embedded within enterprise architecture (EA)? Note that this aspect of BCM program maturity should not be judged on the kind of BCM and IT DRM technologies that an enterprise has selected and implemented; for example, lack of a BCM planning tool or a real-time infrastructure doesn't indicate immaturity, because there may be several reasons why an enterprise has chosen a different technology set to address recovery and continuity needs (see "Hype Cycle for Business Continuity Management, 2009"). The dimensions that map to this key indicator are: BCM and IT DRM Architecture Guidelines and Framework; BCM Processes and Controls; and Awareness, Training and Exercising.
4. Business Culture: To what degree is BCM aligned with critical business objectives? How and to what degree are business stakeholders engaged with BCM — not at all, within individual initiatives and technology projects, or within the BCM program strategy overall? Does BCM contribute to business enablement (direct business value) as well as risk management and IT operations efficiency and effectiveness (see "A New Approach: Obtain Business Ownership and Investment Commitment for Business Continuity and Resilience Management Through Key Performance and Risk Indicator Mapping")? The dimension that maps to this key indicator is BCM Governance.

4.0 Level 1: Initial

4.1 Characteristics

The enterprise's BCM/DR activities at this early, highly immature level are ad hoc, improvised and reactive. There is a general awareness that BCM or, more commonly, IT DRM activities are important. This awareness is frequently triggered by a major event that affects the enterprise directly or receives significant media attention; however, the enterprise does not possess a "critical mass" of information, knowledge and processes that could form the basis of a formal program. Recovery of the business after a disaster will be long, costly and arduous, with closure of the business being a distinct possibility:

- Management Processes: BCM has no executive sponsorship and no formal governance structure. No enterprisewide vision, strategy or program management for BCM or IT DRM.
- People/Organization: Responsibilities for BCM or IT DRM are extremely siloed, based in separate data centers, lines of business or geographical locations, and are neither formally assigned nor aligned with the business. No professional development program is in place to ensure that participants' skills meet program needs. Most importantly, no formal accountability for BCM or IT DRM has been established.
- Processes and Tools: There is no BCM program architecture, IT DRM recovery infrastructure design or IT DRM sourcing strategy. Activities are extremely IT-centric, with the only established processes likely to be regularly scheduled server backups, and the only technologies used being backup and restore software; however, formal recovery classes do not exist. No program management automation is in place. Recovery plans are nonexistent, out of date or merely checklists of actions to execute.
- Business Culture: Neither BCM nor IT DRM is aligned with critical business objectives or contributes to business enablement. Business stakeholders are not engaged at all with IT DRM.

4.2 Recommended Actions for Improvement

- Begin a "bottom up" process of developing an IT DRM program, naming an individual within the IT organization who will be responsible for developing IT DRM strategies for the various "siloed" areas, beginning with more-basic functions such as IT DRM and event response management.
- Document business drivers for recovery: service-level agreement requirements, regulatory requirements, industry standards, supply chain partner requirements and so forth.
- Establish an initial budget for IT DRM (including required capital equipment, staffing and supporting services).
- Align business-unit IT DRM delivery expectations with what IT can realistically provide given current and projected budget allocations.
- Inventory current recovery capabilities, processes, responsible parties, skill sets and technologies.
- Perform an assessment against business expectations of recovery needs.
- Develop a gap report of current capabilities to recovery need expectations.
- Begin producing internal (IT only) reports of progress being made with IT DRM plan construction and/or management process development.
- Develop a basic crisis management and communications process for all types of disasters, not just IT events.
- Create checklists defining how the enterprise, and organizations and individuals within the enterprise, should respond to specific situations (for example, who should be notified in an emergency, what vital records the enterprise holds, where and in what form, what key applications need to be protected, and the locations where recovery operations may need to be initiated).

5.0 Level 2: Developing

5.1 Characteristics

This level of maturity is characterized by a continued focus on IT DRM, rather than on continuity of business operations. Management processes are still reactive, only supporting post-disaster event response. Interaction among IT and business stakeholders remains informal, with little involvement or commitment from the business. Supporting technologies are still basic, with no program management automation in place. Recovery plan development or modification responsibility has been assigned, and plan updating has begun:

- Management Processes: BCM has no executive sponsorship and no formal governance structure. No enterprisewide vision, strategy or program management for BCM or IT DRM. Management reporting is done on request.
- People/Organization: IT DRM responsibility likely resides with data center operations. No professional development program in place to ensure that participants' skills meet program needs.
- Processes and Tools: An initial set of recovery class definitions exists. IT DRM plans that support the recovery classes are initially being developed or modified. Comprehensive testing of the IT DRM plans is focused on test execution mechanics (test step ordering and execution, definition of recovery team responsibilities, remediating backup media problems and correcting test execution deficiencies) and is not focused on meeting specific recovery time objectives (RTOs) and recovery point objectives (RPOs). There is no BCM program architecture, IT DRM recovery infrastructure design or IT DRM sourcing strategy. No program management automation is in place. Recovery plans are developed using office automation tools.
- Business Culture: Neither BCM nor IT DRM is aligned with critical business objectives or contributes to business enablement. Business stakeholders are consulted for feedback on IT DRM direction. Business expectations far exceed what IT can deliver.

5.2 Recommended Actions for Improvement

- Define the RTO and RPO requirements for all application recovery classes.
- Obtain senior executive sponsorship for the IT DRM program by defining key delivery milestones and program success metrics that can be tracked and reported on a regular basis.
- Staff an IT DRM management team with individuals with appropriate skill sets and defined responsibilities for IT DRM (whether full- or part-time).
- Develop plans for the creation of a more comprehensive BCM program, with leadership responsibility and organizational structure clearly defined. This program may report into the IT organization, the security organization or business operations — Gartner considers this a best practice — or its structure may be location-specific.
- Institute a BCM steering committee, with appropriate business unit and IT membership, to govern the BCM program and establish program mandates and authority, and more effectively align business-unit recovery expectations with IT delivery capabilities.
- Define the data center infrastructure upgrades that will be required to support all application recovery classes. Begin upgrade implementations that can be initiated within data center budgetary constraints.
- Define a sourcing strategy that defines how external service providers can most cost-effectively support IT DRM program goals and objectives.
- Develop improved contingency planning and testing — including formalized tabletop testing — of business responses. Expand the scenarios used to consider more components of BCM and more types of risk, which will eventually make possible the creation of a more comprehensive, formalized program.
- Create formal mechanisms for communicating with senior management about the developing program, its successes and challenges, and its evolving drivers (for example, pressure from customers or partners to demonstrate program maturity).
- Develop and formalize a set of BCM processes (for example, risk and business impact assessment, testing and exercising, change management) with their respective responsible, accountable, consulted and informed (RACI) charts and metrics.
- Begin evaluating supporting automation tools.

6.0 Level 3: Defined

6.1 Characteristics

At the Defined level, formal responsibility for BCM has been established, but a true BCM program does not yet exist. The "BCM organization" is more comparable to that of a program management office at this point. However, there is the beginning of process formalization, with different regions and different lines of business supporting a similar set of recovery and continuity processes. IT DRM recovery plans are now in place, and the enterprise has repeatable processes, including testing processes, in place. Formalized budgeting has been established that inevitably raises awareness of, and accountability for, BCM:

- Management Processes: BCM has obtained executive sponsorship, but there is still no formal governance structure. Enterprisewide vision, strategy and program management are beginning to be defined. Management reporting is done on an annual basis.
- People/Organization: IT DRM responsibility is still likely to reside with data center operations. BCM program responsibility lies in an expanded role for IT DRM, or has been assigned to IT risk management, HR or another operational business unit. A BCM steering committee made up of key operational managers is in place. Non-IT recovery roles and responsibilities are being defined. No professional development program is in place to ensure that participants' skills meet program needs.
- Processes and Tools: IT DRM application recovery class definitions and plans are in place for all mission-critical applications, at a minimum. Comprehensive testing of IT DRM plans continues and is now focused on meeting specific RTOs and RPOs. IT DRM recovery infrastructure design and IT DRM sourcing strategy are well under way, and BCM program architecture and management are in the beginning stages of development, although program management automation is not in place. Recovery plans are developed using office automation tools.
- Business Culture: BCM and IT DRM are starting to be aligned with critical business objectives, but still do not contribute to business enablement. Business stakeholders are consulted for feedback on IT DRM direction. Business recovery expectations and IT DRM recovery capabilities are aligning more effectively.

6.2 Recommended Actions for Improvement

- Name a BCM program manager.
- Define the BCM program manager's role with respect to the management and orchestration of the BCM steering committee.
- Define the key policies, program management procedures and success metrics that will constitute the basis for effective BCM governance.
- Complete the internalization of the recovery and continuity vision and execution strategy with business operations.
- Begin evaluation and piloting of recovery and continuity program management automation tools.
- Provide business operations with the support and tools needed to develop recovery and continuity plans and programs so that operations can become more self-sustaining over time.
- Develop and apply actionable metrics that can demonstrate the value and maturity of the program to senior management, line-of-business managers, shareholders and others.
- Increase the depth, breadth and integration of BCM testing.

7.0 Level 4: Managed 7.1 Characteristics The enterprise BCM and IT DRM programs are aligned and integrated. Metrics are in place that enable the BCM manager to measure and report on the successes and challenges of the program. BCM processes are standardized and exercised throughout the enterprise. Senior management, shareholders and other key stakeholders are briefed on the status of the BCM program on an annual basis. The depth and breadth of testing has increased significantly, and program management automation is in place and utilized across the enterprise for program activity execution and reporting. KPIs are beginning to be used to measure supporting process improvements: Management Processes: BCM governance is formalized. Enterprisewide recovery and continuity vision, strategy, and program management are defined.


People/Organization: IT DRM program is reporting into higher levels of IT management (for example, enterprise architecture, IT risk management and so forth). BCM program responsibility lies with business operations management. A BCM steering committee made up of key operational managers is in place. Non-IT recovery roles and responsibilities are in place. A professional development program has been established to ensure that participants' skills meet program needs.

Processes and Tools: The scope of IT DRM class definitions and plans is expanding to include non-mission-critical applications. Business recovery plans are in place. As a result of more-comprehensive testing of recovery plans, business and IT recovery readiness and effectiveness are becoming more sustainable. BCM program architecture, IT DRM recovery infrastructure design and IT DRM sourcing strategy are established and used across the enterprise. Program management automation is being used to provide consistency of BCM activity execution, recovery plan management and disaster execution. Program improvement processes and supporting metrics are in place.

Business Culture: BCM and IT DRM are aligned with critical business objectives and are starting to contribute to business enablement. Business recovery expectations and IT DRM recovery capabilities are aligned.

7.2 Recommended Actions for Improvement

Fine-tune the established metrics framework to make it more adaptable to and aligned with critical business processes.
Introduce continuous process improvement for recovery, and continuity testing and exercising.
Begin reporting KRI and continuous program improvement status to steering committee members and senior management on a quarterly basis.
Refine KRI definitions and continuous improvement targets to address steering committee and senior management feedback.

8.0 Level 5: Optimizing

8.1 Characteristics

The most important characteristic of the Optimizing level of BCM maturity — which Gartner estimates fewer than 10% of enterprises have currently reached — is the integration of BCM processes and practices with the business. The enterprise's program now embraces all the key components of BCM: business recovery, contingency planning, crisis/incident management, pandemic planning, emergency response and, of course, IT DRM. Line-of-business managers and business process owners now have "ownership" of BCM practices for their functional areas. The result is that BCM has moved well beyond narrow, "siloed" approaches to embrace enterprisewide business resilience:

Management Processes: BCM governance is formalized. Enterprisewide recovery and continuity vision, strategy and program management are defined. Key availability risk indicators are linked to KPIs and are reported on a quarterly basis to senior management.


People/Organization: BCM program responsibility is aligned with strategic business management and is a core business operations discipline. A BCM steering committee made up of key operational managers is in place.

Processes and Tools: Comprehensive BCM plans are in place and regularly exercised, and meet all recovery readiness and effectiveness requirements. Program management automation is used for business process re-engineering and is a fundamental enabler of continuous program improvement.

Business Culture: Business resilience is an integral part of business management, and requirements are considered in all aspects of business operations, including but not limited to: succession planning, facilities management, mergers and acquisitions, new product/service design, customer services and so forth.

8.2 Recommended Actions

Continue to optimize processes and process definitions.
Focus processes on the ability to react rapidly to changes in the business, technology and economic environments.
Complete the integration of automation tools.
Use metrics to monitor the impact of changes on the BCM program and the enterprise as a whole.

9.0 Diagnostic Tool Overview

The ITScore diagnostic tool can be used to perform an initial BCM/IT DRM maturity assessment and then — on a quarterly or at least annual basis — to track improvements in BCM/IT DRM maturity. The results can be used in:

Improving the enterprise's visibility into its approach to BCM/IT DRM activities and its related availability risks.
Identifying and prioritizing gaps in BCM/IT DRM and related controls.
Demonstrating to senior management and other internal and external stakeholders the value of BCM activities, and justifying the associated costs.
Demonstrating to internal and external stakeholders progress in improving the BCM program.
Making necessary changes to organizational structure to support BCM/IT DRM and — ultimately — true business resilience.
Communicating with different target audiences inside and outside the enterprise (for example, the IT organization, the board of directors and business partners).

10.0 Directions for Use

Gartner's ITScore BCM Maturity Assessment Tool provides a baseline for determining the maturity of the organization's BCM program. It also provides insights into the areas of weakness and opportunities for improvement. The tool can be used to benchmark your program against your industry or the state of BCM practice across industries and around the world. The BCM maturity tool can also be used to communicate the need for investments in program improvement, and provides a useful tool for having a fact-based discussion on program maturity, which can help to overcome the political and cultural issues that may be preventing BCM program development.

The BCM leadership team should assess BCM program maturity as honestly as possible, since it is a subjective exercise. It's helpful to adopt appropriate measurement standards, if they exist, from inside the organization. As long as the maturity assessment is done by minimizing hidden agendas or motives, it adds value. It can provide valuable insights into areas of constraint and potential improvement, and can be used as an indicator of risk.

Understanding a BCM program's maturity level is of little use unless it is a starting point for change. Enterprises should adopt these steps to improve the maturity of their BCM programs:

Assess current state. To increase maturity levels, an enterprise must understand how it is positioned.

Identify gaps. This analysis identifies factors in the enterprise and its environment that constrain the success of the BCM program. In many cases, the maturity of the BCM program is unbalanced across the various dimensions listed here. For example, having a well-developed set of BCM deliverables will not ensure a positive impact unless they are supported by an appropriate management governance process to ensure any activities or projects are compliant. The gap analysis works to identify the program deficiencies that are holding back the BCM program from reaching its full potential.

Set maturity targets. Once the gap analysis is complete, maturity target setting defines specific goals for improvement. The maturity target is not a "blue sky" activity; it must be grounded in reality, with recognition of business priorities, required resources, program change capacity, and prevailing enterprise culture and maturity. It must also be associated with a specific future time frame.

Plan improvements. Improvement planning identifies the gaps between the current and the desired future states, and the transformation steps required to fill these gaps. The program improvement plan must define the improvement projects that will be undertaken to fulfill the plan. The improvement plan defines the necessary details (for example, scope, objectives, deliverables, resources, costs and schedule) needed to initiate the improvement project.

Continuously improve the BCM program. As with other key activities, a continuous improvement program should be put in place for BCM. Gartner recommends reviewing BCM maturity and improvement goals on at least an annual basis.

BCM program maturity assessment is a cyclical activity. Subsequent assessments will evaluate now-current states (a measure of the success of any maturity-improvement projects), reevaluate the desired states and define new planned states. This activity will be part of the normal planning cycle for BCM. In enterprises at Level 3: Defined or above in Management Processes, the desired states will likely flow from competitive advantage positioning, supply chain pressure or strategic planning activity.

Enterprises should understand their current maturity levels and use this as a foundation to increase BCM program maturity. Achieving higher levels of maturity is not an end in itself; rather, higher BCM maturity will enable the realization of the many benefits of BCM. Also, understanding the current level of BCM maturity enables organizations to recognize how this maturity level constrains what can be achieved and to set expectations accordingly.

Organizations are not static. Investment in BCM may ebb and flow over years, which can sometimes result in a move backward on the path to higher levels of maturity. Acquisitions can also have a significant impact on BCM maturity. Organizations that are improving BCM maturity will see a step-change pattern in program improvements. The BCM maturity tool should be used periodically to determine current-state maturity and make knowledgeable decisions about how to invest in program development in the future.

