[OR] [MM] Developing the 7-Level Operational Resilience Maturity Model: A Step-by-Step Guide

Developing the 7-Level Operational Resilience Maturity Model: A Step-by-Step Guide

Operational Resilience has emerged as a critical discipline for organizations navigating an increasingly volatile and interconnected risk landscape.

The BCM Institute’s 7-Level Operational Resilience Maturity Model provides a structured framework for assessing, implementing, and elevating an organisation's resilience capability across key focus areas.

This article provides a step-by-step approach to developing and implementing this model within your organisation, offering practical guidance on tailoring maturity level content to reflect actual progress.

Understanding the BCM Institute’s 7-Level Maturity Model

The BCM Institute’s Operational Resilience Maturity Model (ORMM) categorises an organisation's operational resilience capability into seven progressive levels, from ad hoc to Leading.

Each level reflects the depth of integration, institutionalisation, and strategic alignment of resilience practices.

The foundation of the ORMM lies in clearly defining each maturity level, from ad-hoc processes to leading resilience strategies. The seven levels are:

Level 0: Ad-hoc: Reactive, unstructured processes.
Level 1: Reactive: Basic frameworks with sporadic execution.
Level 2: Proactive: Formal policies and dedicated teams.
Level 3: Mature: Anticipatory risk management.
Level 4: Advanced: Integrated, data-driven strategies.
Level 5: Leading: Predictive analytics and automation.
Level 6: Excellence: Industry leadership through innovation.

Key Focus Areas

These levels are assessed across key focus areas such as:

Component (Plan Phase)	Description
Assess Capability and Maturity	Evaluate the bank’s existing resilience measures and identify areas for improvement.
Analyse Gap	Conduct a thorough assessment to determine vulnerabilities and gaps in the resilience framework.
Develop Strategy and Roadmap	Create a structured plan outlining steps to enhance resilience capabilities.
Confirm Risk Appetite	Define the organisation’s risk tolerance and establish parameters for operational resilience.
Develop and Embed Governance	Implement governance structures to oversee and enforce resilience strategies.

Component (Implement Phase)	Description
Identify Critical Business Services	Determine essential operations that must be prioritised in resilience planning.
Map Processes and Resources	Outline the dependencies and resources required to maintain critical business services.
Set Impact Tolerance	Establish thresholds for acceptable levels of disruption to business operations.
Conduct Scenario Testing	Simulate potential disruptions to assess response effectiveness and identify areas for improvement.
Improve Lesson Learnt	Analyse past incidents and refine resilience strategies based on insights gained.

Component (Sustain Phase)	Description
Introduce Cultural Change	Promote a resilience-driven mindset across the organisation.
Develop Communication Strategy	Establish clear communication channels for crisis response and stakeholder engagement.
Implement Training and Awareness	Conduct regular training sessions to enhance employees' understanding of resilience strategies.
Provide Self-assessment	Enable teams to evaluate their preparedness periodically and identify areas for growth.
Conduct Independent Quality Review	Perform external reviews to ensure compliance with resilience best practices and regulatory requirements.

Step-by-Step Approach to Developing the Maturity Model for Your Organisation

Step 1: Establish the Organisational Context

Identify your organisation’s sector, regulatory expectations, risk appetite, and strategic objectives.
Map the critical business services that support your stakeholders, customers, and society.

Tip: Align with regulatory guidelines (e.g., Basel, RBI, MAS, FCA) where applicable.

Step 2: Identify Focus Areas

Select the focus areas relevant to your organisation.
You can use BCM Institute’s seven commonly recommended domains or adapt them to fit internal structures.
Define objectives, key stakeholders, and expected outcomes for each focus area.

Example: The objective of dependency Mapping may be to "Understand internal and external interdependencies to support resilience."

Step 3: Define Criteria for Each Maturity Level

For each focus area, specify what maturity looks like at each level.

How to determine the content:

Use existing frameworks, internal policies, and industry best practices to benchmark expectations.
Start by identifying what minimal effort (Level 1) looks like versus what a fully embedded, strategic capability (Level 6) would entail.
Interview SMEs, review audit findings, and reference BCM Institute’s model descriptions.

Example: Scenario Testing Focus Area

Maturity Level	Description
Level 1 (Aware)	Aware of the need for scenario testing but not practiced.
Level 3 (Defined)	A formal scenario testing plan is in place but limited to critical departments.
Level 5 (Managed)	Integrated cross-functional scenario testing aligned with impact tolerances and lessons incorporated into planning.
Level 6 (Leading)	Scenario testing is strategic, involving executive management, third parties, and evolving risk landscapes.

Tip: Avoid generic descriptions—tailor criteria to your organisation’s operational realities.

Step 4: Assess Current State

Conduct maturity assessments across focus areas using workshops, surveys, and document reviews.
Determine the current position of each function on the 7-level scale.

Use a scoring mechanism: Rate each criterion from 0 to 6 and average scores per domain.

Step 5: Define Target Maturity Levels

Align target levels with business objectives and compliance requirements.
Not all areas need to reach Level 6—decide which focus areas need to be industry-leading and which can be functional.

Example: During the initial implementation, a bank may aim for Level 6 in Governance, Level 5 in Scenario Testing, and Level 3 in Communications.

Step 6: Develop a Roadmap for Advancement

Create a gap analysis by comparing the current vs. target levels.
Develop a roadmap with initiatives, timelines, and owners for each improvement.

Include:

Policy and framework development
Training and awareness programs
Resource and technology investments
Enhancements to testing and reporting

Step 7: Implement and Monitor Progress

Assign roles and responsibilities for each action item.
Regularly monitor progress using dashboards and maturity assessment updates.
Conduct periodic reassessments to validate improvements and adjust targets accordingly.

Tip: Include maturity advancement in performance metrics or audit reviews.

Summing Up …

The BCM Institute’s 7-Level Operational Resilience Maturity Model offers a robust foundation for building and benchmarking resilience across critical domains.

By following a structured step-by-step approach—tailored to your organisation’s context—you can drive meaningful progress, demonstrate compliance, and build long-term value through resilience.

Gain Competency: For organisations looking to accelerate their journey, BCM Institute’s training and certification programs, including the OR-5000 Operational Resilience Expert Implementer course, provide in-depth insights and practical toolkits for effectively embedding this model.

More Information About Blended Learning OR-5000 [BL-OR-5] or OR-300 [BL-OR-3]

To learn more about the course and schedule, click the buttons below for the OR-3 Blended Learning OR-300 Operational Resilience Implementer course and the OR-5 Blended Learning OR-5000 Operational Resilience Expert Implementer course.