Developing the 7-Level Operational Resilience Maturity Model: A Step-by-Step Guide
The BCM Institute’s 7-Level Operational Resilience Maturity Model provides a structured framework for assessing, implementing, and elevating an organisation's resilience capability across key focus areas.
This article provides a step-by-step approach to developing and implementing this model within your organisation, offering practical guidance on tailoring maturity level content to reflect actual progress.
Understanding the BCM Institute’s 7-Level Maturity Model
The BCM Institute’s Operational Resilience Maturity Model (ORMM) categorises an organisation's operational resilience capability into seven progressive levels, from ad hoc to Leading.
Each level reflects the depth of integration, institutionalisation, and strategic alignment of resilience practices.
- Level 0: Ad-hoc: Reactive, unstructured processes.
- Level 1: Reactive: Basic frameworks with sporadic execution.
- Level 2: Proactive: Formal policies and dedicated teams.
- Level 3: Mature: Anticipatory risk management.
- Level 4: Advanced: Integrated, data-driven strategies.
- Level 5: Leading: Predictive analytics and automation.
- Level 6: Excellence: Industry leadership through innovation.
Key Focus Areas
These levels are assessed across key focus areas such as:
| Component (Plan Phase) | Description |
| Assess Capability and Maturity | Evaluate the bank’s existing resilience measures and identify areas for improvement. |
| Analyse Gap | Conduct a thorough assessment to determine vulnerabilities and gaps in the resilience framework. |
| Develop Strategy and Roadmap | Create a structured plan outlining steps to enhance resilience capabilities. |
| Confirm Risk Appetite | Define the organisation’s risk tolerance and establish parameters for operational resilience. |
| Develop and Embed Governance | Implement governance structures to oversee and enforce resilience strategies. |
| Component (Implement Phase) | Description |
| Identify Critical Business Services | Determine essential operations that must be prioritised in resilience planning. |
| Map Processes and Resources | Outline the dependencies and resources required to maintain critical business services. |
| Set Impact Tolerance | Establish thresholds for acceptable levels of disruption to business operations. |
| Conduct Scenario Testing | Simulate potential disruptions to assess response effectiveness and identify areas for improvement. |
| Improve Lesson Learnt | Analyse past incidents and refine resilience strategies based on insights gained. |
| Component (Sustain Phase) | Description |
| Introduce Cultural Change | Promote a resilience-driven mindset across the organisation. |
| Develop Communication Strategy | Establish clear communication channels for crisis response and stakeholder engagement. |
| Implement Training and Awareness | Conduct regular training sessions to enhance employees' understanding of resilience strategies. |
| Provide Self-assessment | Enable teams to evaluate their preparedness periodically and identify areas for growth. |
| Conduct Independent Quality Review | Perform external reviews to ensure compliance with resilience best practices and regulatory requirements. |
Step-by-Step Approach to Developing the Maturity Model for Your Organisation
Step 1: Establish the Organisational Context
- Identify your organisation’s sector, regulatory expectations, risk appetite, and strategic objectives.
- Map the critical business services that support your stakeholders, customers, and society.
Tip: Align with regulatory guidelines (e.g., Basel, RBI, MAS, FCA) where applicable.
Step 2: Identify Focus Areas
- Select the focus areas relevant to your organisation.
- You can use BCM Institute’s seven commonly recommended domains or adapt them to fit internal structures.
- Define objectives, key stakeholders, and expected outcomes for each focus area.
Example: The objective of dependency Mapping may be to "Understand internal and external interdependencies to support resilience."
Step 3: Define Criteria for Each Maturity Level
For each focus area, specify what maturity looks like at each level.
How to determine the content:
- Use existing frameworks, internal policies, and industry best practices to benchmark expectations.
- Start by identifying what minimal effort (Level 1) looks like versus what a fully embedded, strategic capability (Level 6) would entail.
- Interview SMEs, review audit findings, and reference BCM Institute’s model descriptions.
Example: Scenario Testing Focus Area
Maturity Level |
Description |
|
Level 1 (Aware) |
Aware of the need for scenario testing but not practiced. |
|
Level 3 (Defined) |
A formal scenario testing plan is in place but limited to critical departments. |
|
Level 5 (Managed) |
Integrated cross-functional scenario testing aligned with impact tolerances and lessons incorporated into planning. |
|
Level 6 (Leading) |
Scenario testing is strategic, involving executive management, third parties, and evolving risk landscapes. |
Tip: Avoid generic descriptions—tailor criteria to your organisation’s operational realities.
Step 4: Assess Current State
- Conduct maturity assessments across focus areas using workshops, surveys, and document reviews.
- Determine the current position of each function on the 7-level scale.
Use a scoring mechanism: Rate each criterion from 0 to 6 and average scores per domain.
Step 5: Define Target Maturity Levels
- Align target levels with business objectives and compliance requirements.
- Not all areas need to reach Level 6—decide which focus areas need to be industry-leading and which can be functional.
Example: During the initial implementation, a bank may aim for Level 6 in Governance, Level 5 in Scenario Testing, and Level 3 in Communications.
Step 6: Develop a Roadmap for Advancement
- Create a gap analysis by comparing the current vs. target levels.
- Develop a roadmap with initiatives, timelines, and owners for each improvement.
Include:
- Policy and framework development
- Training and awareness programs
- Resource and technology investments
- Enhancements to testing and reporting
Step 7: Implement and Monitor Progress
- Assign roles and responsibilities for each action item.
- Regularly monitor progress using dashboards and maturity assessment updates.
- Conduct periodic reassessments to validate improvements and adjust targets accordingly.
Tip: Include maturity advancement in performance metrics or audit reviews.
Summing Up …
The BCM Institute’s 7-Level Operational Resilience Maturity Model offers a robust foundation for building and benchmarking resilience across critical domains.
By following a structured step-by-step approach—tailored to your organisation’s context—you can drive meaningful progress, demonstrate compliance, and build long-term value through resilience.
More Information About Blended Learning OR-5000 [BL-OR-5] or OR-300 [BL-OR-3]
To learn more about the course and schedule, click the buttons below for the OR-3 Blended Learning OR-300 Operational Resilience Implementer course and the OR-5 Blended Learning OR-5000 Operational Resilience Expert Implementer course.
|
If you have any questions, click to contact us. |
||
|
|