Business continuity standards can tell you everything about how your program should be—but they’re silent on the topic of where you stand now. For that you should consult a business continuity maturity model (BCMM), a tool that helps you measure your readiness and identify your best path forward.
Bridging the Gap Between Standards and Reality
Regular readers of the blog know I am a big advocate of business continuity standards. I think choosing a BC standard that is appropriate for your industry and organization and striving to meet it is the best way of strengthening your program and improving your organization’s resilience.
However, it has to be said that a significant gap lies between the idealized world of such leading standards as FFIEC, NFPA 1600, and ISO 22301 and the experience of the BC practitioner in the trenches trying to figure out what to do next.
This is where BC maturity models come in.
BCMMs bridge the gap between the BC standard and what you and your organization should be working on day-to-day to improve your resilience.
Think of it this way: Your chosen standard constitutes all the material that you will be tested on in your midterm exam. The BCMM is the exam itself, complete with answer key and grade.
I say, “midterm exam” because this is an ongoing process of learning and improvement. There’s never a final exam in business continuity.
By itself, the standard is important but not sufficient. The BCMM is a way of evaluating your program against the standard. It shows where you’re strong and where you should try to improve.
Defining the Business Continuity Maturity Model
A BCMM is a diagnostic and planning tool that evaluates the maturity of an organization’s business continuity management (BCM) capabilities. It typically breaks down BCM into a series of domains or components (e.g., governance, risk assessment, business impact analysis, recovery strategies), and ranks the organization’s performance across these domains using a defined maturity scale.
The goal is to provide a roadmap for continuous improvement that is aligned with leading standards like ISO 22301 or NFPA 1600 and/or industry best practices. Think of BCMMs as a framework that overlays the standards with a growth or improvement dimension.
Understanding BCMM Maturity Levels
Over the course of your school career, your teachers probably assessed your efforts using several different systems, whether it was ✓+, ✓, and ✓–, A–F, or something else.
Similarly, each BCMM has its own scale for assessing the state of your program, most using between four and six levels. (I’ll talk about the scale used in MHA Consulting and BCMMetrics’ BCMM tool, Compliance Confidence, in a moment.)
Whatever the terminology, the meanings will tend to be roughly the same. A low rating likely means your organization is vulnerable; a high one indicates strong compliance and readiness. Most programs fall somewhere in the middle—partly compliant, partly prepared, and with room to grow.
Where Do BCMMs Come From?
Business continuity standards are typically developed by government bodies, national standards organizations, and international standards agencies. Their goal is to establish consistent, broadly applicable minimum expectations and best practices for resilience and continuity.
In contrast, business continuity maturity models are more often developed by private consultancies, industry practitioners, or academic institutions. Their purpose is not to define the destination—but to help organizations measure their progress toward it.
These models tend to be practical, diagnostic tools grounded in real-world experience. They are designed to assess how deeply continuity practices are embedded within an organization and guide continuous improvement.
How Maturity Models Help
There are several powerful reasons for using a BCMM:
- They clarify your current state.
Many organizations think they’re in better shape than they are. A maturity model provides an objective way to assess where you really stand.
- They guide strategic improvements.
Knowing your maturity level across different domains helps you prioritize where to invest time, budget, and resources.
- They support conversations with leadership.
Executives want to see measurable progress. A maturity model gives you a way to translate complex BCM work into simple, understandable terms.
- They align with standards.
While maturity models aren’t a substitute for standards, they complement them by helping you build programs that function well—not just exist on paper.
Together, these benefits make BCMMs a practical, results-driven tool for advancing your continuity program.
The Challenge of Using Maturity Models
As valuable as BCMMs are, using them effectively can be tricky.
The greatest challenge is that most organizations overestimate their resilience. If and when such a company gets a less-than-stellar rating, skepticism and pushback can arise at all levels.
As the BC professional, it will be on you to be the adult in the room. Prepare everyone ahead of time, set their expectations, and explain that a BCMM rating is not a final grade but a current assessment—one that provides the valuable benefit of pointing out what the organization needs to work on to get more resilient.
Try to help your colleagues pivot from defensiveness to rolling up their sleeves and helping you work on improving the organization’s resilience.
Making Maturity Models Work for You
Here are a few strategies that can help you get the most out of a BCMM:
- Educate your stakeholders.
Before you roll out a maturity assessment, take time to explain what the model is, how it works, and why it matters. Emphasize that it’s not a report card—it’s a growth tool.
- Focus on improvement, not judgment.
Use maturity scoring to identify opportunities for growth, not to assign blame. Present it as a baseline to build from, not a verdict on performance.
- Tailor your message for leadership.
When talking to executives, keep it high-level. Use the maturity framework to show how your program aligns with enterprise risk, regulatory obligations, and operational resilience.
- Celebrate progress.
Maturity models are ideal for tracking improvement over time. When you move up a level, that’s a win—make sure people know it.
Approached the right way, a BCMM can become a motivating and unifying force across your organization.
Our Approach: BCMMetrics and Compliance Confidence
At MHA Consulting we’ve developed, through our sister company BCMMetrics, a business continuity management platform for use by our consultants in conducting client engagements. It’s also available to the public through subscription.
The platform includes five BCM tools, but at the heart of our maturity model is Compliance Confidence (C2)—a web-based tool that helps organizations assess how well their continuity program aligns with leading standards like ISO 22301, FFIEC, NFPA 1600, and others.
C2 doesn’t just check for the presence of documentation—it evaluates your program’s maturity across more than a dozen core domains, from governance to IT recovery. Using our four-tier Enterprise Maturity Scale, it tells you not only how compliant you are, but how prepared you are to recover.
Here’s how the C2 scale works:
- Reactive (0–40): The program is just getting started. There’s little structure, limited documentation, and virtually no recovery capability.
- Organized (41–60): Governance is forming, and recovery planning is underway. Some services could be recovered—but with effort and uncertainty.
- Responsive (61–80): The program is well-established, documented, and funded. Critical services can be recovered with demonstrated capability.
- Resilient (81–100): Continuity is embedded in strategy. All key risks are mitigated, and the organization can recover rapidly and reliably.
Each score is backed by a detailed, objective analysis—along with dashboards, reporting tools, and a prioritized action plan you can use to guide your next steps. C2 helps you benchmark progress, build the business case for improvement, and communicate effectively with leadership.
Whether you’re preparing for an audit, seeking executive buy-in, or simply trying to level up your program, Compliance Confidence gives you a clear, repeatable way to measure and mature your BCM efforts.
If you’re interested in learning more or seeing C2 in action, we’d be glad to talk with you or walk you through a demo. Just reach out.
From Assessment to Advancement
Business continuity maturity models help organizations understand where they stand, where they need to improve, and how to align with recognized standards. They’re powerful tools for clarifying gaps, guiding investment, and communicating with leadership.
BCMMs can be challenging to use, but for organizations that are open to honest evaluation, they offer a clear path to improvement. If your goal is to build a stronger, more resilient continuity program, tools like our Compliance Confidence can give you the clarity and direction you need to move forward with confidence.

Michael Herrera
Michael Herrera is the Chief Executive Officer (CEO) of MHA. In his role, Michael provides global leadership to the entire set of industry practices and horizontal capabilities within MHA. Under his leadership, MHA has become a leading provider of Business Continuity and Disaster Recovery services to organizations on a global level. He is also the founder of BCMMETRICS, a leading cloud-based tool designed to assess business continuity compliance and residual risk. Michael is a well-known and sought-after speaker on Business Continuity issues at local and national contingency planner chapter meetings and conferences. Prior to founding MHA, he was a Regional VP for Bank of America, where he was responsible for Business Continuity across the southwest region.