Skip to main content

The Importance of Conducting Maturity Assessments for your Business Continuity Management Program

Business interruption is one of the top risks facing organizations today. In Aon’s most recent Global Risk Management Survey, business interruption is listed as the fourth most pressing issue, but many of the other top issues listed in the report can influence business interruption, including economic slow-down and cyber threats. In addition to the risks many organizations are well acquainted with, such as catastrophic weather events, general volatility and the increased rate of change have made business continuity management top of mind for risk managers.

Business continuity management (BCM) is the framework developed by an organization to identify their risk of exposure to internal and external threats and to ensure business continuity is maintained across their organization. According to Disaster Recovery International[1], Business Continuity Planning is “the strategic and tactical capability of the organization to plan for and respond to incidents and business disruptions in order to continue business operations at an acceptable predefined level.”

Ultimately, the goal of BCM is to provide organizations with the ability to efficiently and effectively respond to threats and protect the business interests of the organization via rational, effective, and timely recovery protocols.

Driving Maturity in Business Continuity Management Programs

Today, many organizations are seeking formal accreditation and certification for their BCM programs.  The standards are:

  • ISO 22301:2012: Societal security -- Business continuity management systems
  • ISO 22330:2017 Guidelines for people aspects of business continuity
  • NFPA 1600: Disaster/Emergency Management and Business Continuity Programs, 2013 edition
  • ASIS International SPC.1-2009, Organizational Resilience:  Security, Preparedness and Continuity Management Systems – Requirements with Guidance for Use Standards

Aon has developed a BCM Maturity Assessment Workbook, which is based on three of the recognized industry standards (NFPA 1600, ISO 22301, and ISO 22330), that enables organizations to implement an assessment benchmark against best practices. The workbook consists of a menu of requirements, benchmark/comparisons and a best practice compliance aggregation dashboard founded upon recognized standards.

Putting the Standards to Work to Develop an Effective BCM Approach

An effective BCM program should define the risks or threats that could impact business operations, provide the key strategies to respond to the materialization of those risks and exercise the controls in place to determine whether those risks are acceptable. Given the fact that change is a constant in the modern business environment, it is extremely important to perform regularly scheduled assessments.  A BCM assessment is a formalized method for evaluating how business continuity processes are being managed. A goal of the assessment is to determine whether the program/plan has been developed and is managed according to industry best practices, identify weaknesses, and provide recommendations for business continuity plan improvements, as/if warranted.  Why invest valuable time, resources and expenses to develop a business continuity plan to simply let it become outdated?

While business continuity program assessments can be time consuming, up-front and proactive planning can help drive efficiencies and accelerate the process for keeping the plan current with organizational needs.

An effective business continuity assessment requires a structured framework and access to a qualified staff or external consultants to generate high-quality results. 

Maturity assessment activities of a BCM program may include but are not limited to the following:

  • Interviewing key stakeholders and participants in the program;
  • Reviewing plan development documents including business impact analysis and risk assessments;
  • Reviewing individual business continuity planning and disaster recovery plans to ensure that they are complete, accurate, and up to date;
  • Verifying current state of recovery strategies;
  • Verifying recovery time objectives and recovery point objectives;
  • Examining training materials, procedures, and guidelines;
  • Reviewing communication/notification protocols among management, staff and external stakeholders;
  • Reviewing plan exercise results and exercise criteria;
  • Reviewing contractor and service provider contingencies;
  • Verifying senior management sign-off responsibility and accountability;

If you have a Business Continuity Management Program in place, you want to be confident that your investment in business continuity planning will respond effectively in the event of a disaster.  A viable plan should not only help protect your organization’s interests but should also consider the extent of a company’s responsibilities to other entities and be cognizant of supply chain exposures.  It is critical that measures are developed and implemented to track your risks and assure that management is regularly informed of, and ready to assess and improve, the organization’s preparedness and continuity capabilities in the event of a disaster.

Aon’s Business Continuity Management Services has the industry knowledge and resources necessary to provide an unbiased evaluation of your Business Continuity Management Program’s maturity to assure it conforms to current accepted standards and best practices.

Note: The BCM Maturity Assessment is designed to determine whether the applicable best practice processes have been followed as part of the preparedness plan. It is not intended to validate the viability or effectiveness of the plan. Beyond these standards, there are other codes and standards that address the technical aspects of planning, such as evacuation and sheltering in place, among other critical components, that need to be considered as part of business continuity plan development, depending on specific organizational requirements.


ISO 22301:2012: Societal security -- Business continuity management systems 
NFPA 1600: Disaster/Emergency Management and Business Continuity Programs, 2013 edition
Disaster Recovery International

[1] Disaster Recovery International is the leading nonprofit that helps organizations around the world prepare for and recover from disasters by providing education, accreditation, and thought leadership in business continuity and related fields.

About Aon

About Aon - Aon plc (NYSE:AON) is a leading global professional services firm providing a broad range of risk, retirement and health solutions. Our 50,000 colleagues in 120 countries empower results for clients by using proprietary data and analytics to deliver insights that reduce volatility and improve performance.

Copyright 2020 Aon plc.