Business Continuity Maturity Model: How to Measure and Improve Your Program

TL;DR

  • The BCMM gives you a language for describing where your BCM program is — and a roadmap for where it needs to go
  • Five maturity levels: Initial, Repeatable, Defined, Managed, Optimized — most regulated financial institutions should be targeting Level 3–4
  • A self-assessment scores your program across 8–12 domains, produces a heat map of gaps, and prioritizes improvement investment
  • The value isn’t the score — it’s the structured conversation it creates and the improvement roadmap it generates

The Problem with “We Have a BCP”

Every compliance conversation about business continuity eventually hits the same dead end: “Yes, we have a business continuity plan.” Full stop. As if the existence of a document is the answer to questions about resilience.

It isn’t. A BCP filed in a SharePoint folder that hasn’t been tested since 2022, whose BIA inputs are two system migrations out of date, and whose recovery team hasn’t practiced their roles is not a BCM program. It’s a compliance artifact.

The Business Continuity Maturity Model (BCMM) exists to answer a more useful question: not whether you have BCM, but how capable your BCM actually is.

Developed in 2003 and since refined through frameworks aligned with ISO 22301, FFIEC BCM guidance, and DRI International professional practices, the BCMM provides a structured way to assess where your program is across multiple dimensions — governance, risk, BIA, planning, testing, training — and to build a prioritized roadmap for improvement. It bridges the gap between regulatory compliance (meeting the minimum) and operational resilience (being genuinely prepared).

Here’s how to use it.


The 5 Maturity Levels

Most BCMM frameworks use a five-level scale, though you’ll encounter variants with four or six levels. The descriptions below represent the consolidated view across major frameworks (BCM Institute, MHA Consulting, Bryghtpath):

Level 1 — Initial (Ad Hoc)

BCM exists in name only, or relies entirely on individual knowledge and institutional memory. There is no formal program, no documented processes, and no governance structure. Recovery in a disruption event is improvisational. If one or two key people are unavailable, the response degrades dramatically.

Characteristics:

  • No documented BIA or recovery procedures
  • BCM is reactive — plans (if any) are developed after an incident
  • No testing or exercises
  • No board or executive visibility into BCM
  • Heavy dependence on specific individuals

Where you find this: Early-stage companies, organizations that have never faced a significant disruption, and organizations where BCM is theoretically someone’s responsibility but has never been resourced.


Level 2 — Repeatable (Informal)

A BCM program has been started. Policies may exist but are inconsistently applied. Documentation is partial. Some processes are documented, others exist only in practice. Testing may occur occasionally but isn’t scheduled or structured.

Characteristics:

  • Basic BCP documents exist for some functions, not all
  • BIA may be completed but not regularly updated
  • Governance is informal — a BCM lead exists but without formal authority or committee structure
  • Exercise history is spotty; when done, exercises aren’t consistently documented
  • Recovery objectives (RTO, RPO) defined for some processes but not systematically

Where you find this: Small-to-mid-size organizations that responded to a regulatory requirement or an exam finding by creating BCM documentation but haven’t invested in making it operational.


Level 3 — Defined (Formal)

The BCM program is formally structured. Governance is documented, the BIA has been completed, BCPs cover all critical processes, and testing is scheduled. The program meets regulatory minimums and would pass a standard examination. Most regulated financial institutions should be here or working toward it.

Characteristics:

  • Formal BCM governance: executive sponsor, BCM steering committee, defined roles
  • Completed BIA with documented scoring methodology and review schedule
  • BCPs for all critical processes, with defined activation procedures
  • Annual exercise program with documented results and corrective actions
  • Recovery objectives defined and validated for all critical processes
  • Management reporting on BCM program status

What it looks like in practice: You can pull out the BIA, the BCP, the exercise schedule, and the corrective action log and answer examiner questions confidently. The plan is complete. The team knows their roles. The last exercise produced documented findings that drove plan updates.

This is the level FFIEC expects financial institutions to reach and maintain.


Level 4 — Managed (Measured)

The BCM program is aligned with the organization’s strategic plan and uses metrics to monitor performance. Recovery strategies are validated through functional or full-scale exercises, not just tabletops. The program proactively adapts when risks or operations change, rather than reacting.

Characteristics:

  • BCM program performance tracked with KRIs and metrics (exercise frequency, finding closure rates, BCP currency rates, training completion)
  • Functional exercises that test actual recovery capability, not just response procedures
  • BCM integrated into change management — system migrations and M&A trigger automatic BIA reviews
  • Third-party resilience actively monitored as part of the BCM program
  • Post-incident review process formally connects incident findings to BCP updates

Where you find this: Larger financial institutions with dedicated BCM functions, organizations that have been through multiple regulatory exam cycles and have continuously improved, and organizations with active board-level BCM oversight.


Level 5 — Optimized (Continuous Improvement)

The BCM program is considered an organizational best practice. Continuous improvement is embedded in the culture, not just the process. The program proactively identifies emerging risks and adapts before events occur. BCM is integrated across functions — IT, HR, procurement, legal — not siloed in a single team.

Characteristics:

  • BCM is culturally embedded — business line owners understand and value continuity planning
  • Program continuously benchmarks against external standards and peer practices
  • Emerging risk integration (geopolitical, climate, AI-related disruption scenarios) in exercise design
  • Supplier resilience programs integrate BCM requirements into vendor contracts and oversight
  • BCM outcomes are directly tied to executive compensation and performance metrics

Where you find this: Large, mature financial institutions with dedicated BCM teams, certified ISO 22301 organizations at their second or third certification cycle, and organizations where a significant actual disruption drove permanent program investment.

Most organizations shouldn’t try to reach Level 5 in one cycle. The return on investment diminishes at the top of the scale. The realistic goal for most regulated institutions is Level 3–4.


The Assessment Domains

A BCMM self-assessment doesn’t produce a single score — it evaluates your program across multiple domains. The domain structure varies by framework, but most include:

Domain | What It Assesses
Governance & Leadership | Executive commitment, BCM steering committee, defined roles and responsibilities
Risk Assessment | Risk identification methodology, frequency, integration with BCM
Business Impact Analysis | BIA completeness, currency, methodology, recovery objective derivation
Recovery Strategies | Strategy coverage, validation, resource adequacy
Plan Development | BCP completeness, operational detail, accessibility, maintenance process
Testing & Exercises | Exercise frequency, variety, documentation, finding closure
Training & Awareness | BCM role training, all-staff awareness, documentation of competence
Communication | Crisis communication plans, templates, contact lists, regulatory notification
Third-Party Resilience | Vendor BCM assessment, critical supplier contingency planning
Technology Recovery | IT disaster recovery integration, RTO/RPO validation for systems
Program Measurement | KRIs, metrics, management reporting, trend tracking
Continuous Improvement | Evidence that the program improves year over year based on findings

For each domain, you assess current state against the five-level descriptors and assign a score. The resulting domain scores can be displayed as a radar chart or heat map — giving you an immediate visual of where the program is strong and where the gaps are.


How to Run a Self-Assessment

A BCM maturity self-assessment doesn’t require an external consultant. Here’s a structured process you can run internally:

Step 1: Assemble the assessment team (1–2 days)

The assessment is most valuable when it involves more than one perspective. Include the BCM lead, the operational risk or compliance function, and 2–3 business line representatives from critical functions. External perspective (a peer reviewer or auditor) adds rigor but isn’t required.

Step 2: Gather documentation (3–5 days)

Collect the evidence you’ll assess against: BIA records (with dates), BCP documents (with version history), exercise records and AARs, governance documents (committee charters, role definitions), training records, and management reporting history. Documentation gaps are themselves a maturity indicator.

Step 3: Score each domain (1–2 days)

Work through each domain using the maturity level descriptors. Score independently first, then discuss. Disagreements are productive — they surface assumptions and ambiguities in how the program works in practice versus on paper. Use a consistent 1–5 scale. Fractional scores (e.g., 2.5) are common and appropriate.

Step 4: Build the heat map and gap list (half day)

Compile domain scores into a heat map. Domains scoring below 2.5 are priority gaps. Domains scoring 2.5–3.5 are in reasonable shape but have specific gaps to address. Domains above 3.5 are relative strengths.

Step 5: Build the improvement roadmap (1 day)

For each gap-level domain, identify the specific actions that would move it from current state to next-level maturity. Prioritize by: regulatory risk (is this a likely exam finding?), operational risk (would this gap matter in a real disruption?), and feasibility (can it be fixed with available resources?).

Step 6: Present to management and schedule review (as needed)

The maturity assessment output — heat map, gap list, improvement roadmap — should be presented to the BCM steering committee or equivalent. Set the expectation: this is an annual assessment, and year-over-year improvement is the metric.
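The scoring and heat-map steps above (independent scores, then discussion; priority gap below 2.5, reasonable shape from 2.5 to 3.5, relative strength above 3.5) can be run as a small script. This is an added example, not a tool from the article or from RiskTemplates; the assessor names, the four sample domains and the "discuss if assessors differ by a full level" rule are constructed assumptions.

```python
from statistics import mean

# Constructed sample: three assessors independently scoring four of the
# twelve domains on the 1-5 scale (fractional scores allowed, per Step 3).
ASSESSOR_SCORES = {
    "Governance & Leadership": {"bcm_lead": 3.0, "compliance": 3.5, "ops_line": 2.5},
    "Business Impact Analysis": {"bcm_lead": 3.0, "compliance": 2.0, "ops_line": 2.0},
    "Testing & Exercises": {"bcm_lead": 4.0, "compliance": 4.0, "ops_line": 3.5},
    "Third-Party Resilience": {"bcm_lead": 2.0, "compliance": 1.5, "ops_line": 2.5},
}

PRIORITY_GAP_BELOW = 2.5   # Step 4 thresholds from the article
STRENGTH_ABOVE = 3.5
DISCUSS_SPREAD = 1.0       # assumption: a one-level spread means assessors see different programs


def band(score):
    """Classify an averaged domain score using the Step 4 thresholds."""
    if score < PRIORITY_GAP_BELOW:
        return "priority gap"
    if score > STRENGTH_ABOVE:
        return "relative strength"
    return "reasonable shape"


def assess(scores):
    """Average each domain's independent scores and flag domains to discuss."""
    rows = []
    for domain, by_assessor in scores.items():
        vals = list(by_assessor.values())
        avg = round(mean(vals), 2)
        spread = max(vals) - min(vals)
        rows.append({
            "domain": domain,
            "score": avg,
            "band": band(avg),
            "spread": spread,
            "discuss": spread >= DISCUSS_SPREAD,  # surfaces paper-vs-practice disagreement
        })
    return rows


def overall_score(rows):
    """Unweighted program-level score (simple mean of domain scores)."""
    return round(mean(r["score"] for r in rows), 2)


def gap_list(rows):
    """Priority gaps, weakest first, as the input to the Step 5 roadmap."""
    return sorted((r for r in rows if r["band"] == "priority gap"), key=lambda r: r["score"])


def heat_map(rows):
    """Text heat map: a 10-character bar per domain, 2 characters per maturity level."""
    lines = []
    for r in rows:
        bar = "#" * int(round(r["score"] * 2))
        flag = " <- discuss" if r["discuss"] else ""
        lines.append(f"{r['domain']:<26} {r['score']:4.2f} {bar:<10} {r['band']}{flag}")
    return "\n".join(lines)


if __name__ == "__main__":
    results = assess(ASSESSOR_SCORES)
    print(heat_map(results))
    print("overall:", overall_score(results))
    print("gaps:", [r["domain"] for r in gap_list(results)])
```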


What FFIEC Examiners Are Really Asking

When FFIEC examiners review your BCM program, they’re effectively running an informal maturity assessment. The questions map to the domains:

  • “When was the BIA last updated?” → BIA domain currency
  • “Can you walk me through how you activate the BCP?” → Plan operability
  • “What were the findings from your last exercise?” → Testing domain, with corrective action follow-through
  • “Who is your executive sponsor for BCM?” → Governance domain
  • “What would happen if your core banking vendor had an outage?” → Third-party resilience domain

An organization that can answer these questions with documentation — not just verbal responses — is demonstrating Level 3 maturity. An organization that can show trend data (we went from a 24-hour RTO for payment processing to a 4-hour RTO after validating our cloud DR strategy) is demonstrating Level 4.

The maturity model isn’t just internal assessment infrastructure. It’s a way of framing your program’s progress for examiners, board members, and bank partners who ask “how good is your BCM program?” The answer “we’re Level 3 across most domains, working to Level 4 in testing and governance” is far more credible than “we have a BCP.”


Connecting Maturity to the Rest of Your Program

Maturity assessment is most powerful when connected to your BCM program’s other components:

BIA currency is a direct input to the BIA domain score. A stale BIA lowers your domain score — and should. For the specific trigger events that require BIA updates, see our guide on how often to update your BIA.

Exercise documentation feeds the Testing domain. Organizations that run exercises but don’t document AARs or close corrective actions will score lower in this domain even if their exercise frequency is high. The after-action report is the evidence base. See our template for writing an after-action report for a BCP exercise.

ISO 22301 alignment mirrors the maturity model structure. Organizations pursuing certification or already certified will find that their clause-by-clause compliance maps closely to Level 3–4 maturity. Our overview of ISO 22301 business continuity requirements covers the standard’s specific expectations.


A Realistic Improvement Roadmap

For an organization currently at Level 2 (Repeatable) looking to reach Level 3 (Defined), here’s a realistic 12-month roadmap:

Quarter | Priority Actions
Q1 | Complete BIA refresh for all critical processes; establish BCM steering committee with formal charter
Q2 | Fill BCP gaps — ensure all critical processes have documented, operationally specific recovery plans; complete training for recovery team leads
Q3 | Run first structured tabletop exercise; produce formal AAR with corrective action plan
Q4 | Close corrective actions from exercise; update BCPs; present maturity assessment results to management; plan Q1 of next cycle

The transition from Level 3 to Level 4 is harder and takes longer — typically 18–24 months — because it requires cultural change (BCM integrated into change management, third-party oversight, and ongoing metrics) rather than just documentation gaps.


So What?

The Business Continuity Maturity Model gives you something that regulatory compliance frameworks don’t: a way to describe how good your program actually is, not just whether you have one.

Run the self-assessment annually. Score your program across 12 domains. Find the gaps. Build the improvement roadmap. Present the heat map to the BCM steering committee. Track year-over-year improvement.

The practitioner who can say “we moved our testing domain from Level 2 to Level 3 this year by implementing structured AARs and closing all exercise findings within 30 days” is the practitioner whose program is actually improving. The one who says “we ran our annual tabletop” is doing the minimum.

The model isn’t the destination. The program improvement it drives is.


Frequently Asked Questions

What is the Business Continuity Maturity Model (BCMM)? The BCMM is a framework for assessing how capable a business continuity program is across multiple domains, using a tiered scale — typically 5 levels from Initial to Optimized. It bridges the gap between regulatory requirements (FFIEC, ISO 22301) and what organizations should be working on day to day to build genuine resilience.

What are the 5 levels of a business continuity maturity model? Level 1 (Initial): ad-hoc, no formal program. Level 2 (Repeatable): informal policies, inconsistent application. Level 3 (Defined): formal program, documented processes, meets regulatory minimums. Level 4 (Managed): measured, strategically aligned, functional exercises. Level 5 (Optimized): continuous improvement embedded, considered best practice.

How does a BCMM self-assessment work? A self-assessment scores your program across 8–12 domains (governance, BIA, risk assessment, recovery strategies, testing, training, etc.) against maturity level descriptors on a 1–5 scale. Domain scores produce a heat map showing strengths and priority gaps, which drives an improvement roadmap.

What level does FFIEC expect for business continuity? FFIEC’s BCM requirements align with Level 3 (Defined) at minimum — formal governance, documented BIA, tested BCPs, and a structured exercise program. Financial institutions seeking strong examination ratings typically target Level 3–4.

How often should you run a BCMM self-assessment? Annual is the standard cadence, typically timed to coincide with your annual BCM program review. Additional assessments are warranted after significant organizational changes, major incidents, or in preparation for a regulatory examination. Trend tracking over multiple years is more valuable than any single score.

What’s the difference between a BCMM assessment and an ISO 22301 audit? An ISO 22301 internal audit tests conformance to specific clause requirements — it’s pass/fail against defined criteria. A BCMM assessment measures program maturity across a spectrum — it tells you how capable and embedded your program is, not just whether you meet minimum requirements. The two complement each other.

Rebecca Leung

Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.
