Executive Brief – “How ya going?”

Management Capability Domains Covered

This particular assessment covered three sites against all 11 management capability domains, with results showing a solid common framework but uneven maturity in a small number of operational resilience areas.

Overview – 3 sites, 11 domains

Site 1 is the current benchmark at 75.0 overall maturity with all 11 domains rated Operational, Site 2 is at 70.5 with 9 Operational and 2 Defined domains, and Site 3 is at 59.1 with 8 Operational, 2 Ad hoc, and 1 Absent domain; the graph (above) shows both the overall spread and the domain-level pattern.[2][3][1]

Portfolio status

Across the portfolio, all three sites are already Operational in context and strategy, leadership and governance, framework integration, planning and change, people and capability, stakeholder and supply chain management, information and documentation, and performance measurement and review.[1][2][3]

This indicates that the core management system architecture is broadly established and that the main challenge is not framework design, but consistent execution and evidence of practice in a few critical domains.[2][3][1]

Main findings

The main maturity gap is concentrated in three areas: Integrated Risk & Opportunity Management, Operational Control/BCM Plans/Emergency Response, and Learning/Improvement/Innovation/Resilience Evolution.[1][2][3]

Site 2 remains below benchmark in risk management and BCM execution, while Site 3 shows the greatest exposure because risk management is Ad hoc, operational control and BCM arrangements are Ad hoc, and the improvement domain is Absent.[2][3]

The strongest portfolio insight is that uplift can be targeted and practical, because most domains are already stable and the shortfall is not system-wide.[3][1][2]

Executive priorities

Use Site 1 as the standard model for minimum expected evidence, controls, and governance, because it is the only site assessed as Operational across all 11 domains.[1]

For Site 2, prioritise stronger linkage between risk and BIA outputs and decision-making, plus more consistent use and review of BCM and emergency arrangements.[3]

For Site 3, immediately formalise risk registers and BIA practices, make BCM and emergency procedures current and role-based, and establish a basic lessons-learned and improvement process.[2]

Management action

A practical 90-day program should focus on replicating Site 1 controls where reusable, closing the two Defined domains at Site 2, and addressing the three weak domains at Site 3 first.[1][2][3]



Sources
[1] Full Site-1_report.pdf
[2] Full Site-3_report.pdf
[3] Full Site-2_report.pdf

Author: John Salter & Associates Consulting Services

John Salter - specialising in the facilitation of risk-based capability reviews; needs-based training; business continuity planning; crisis management exercises; and organisational debriefing. Recognised for “preventing disasters, or where that is not possible, reducing the potential for harm” Ref: Barrister H Selby, Inquest Handbook, 1998. Distracted by golf, camping, fishing, reading, red wine, movies and theatre.
