Standard Continuity & Resilience Review

Review Date: April 2026
Assessment Scope: 7 BCM Capability Domains


Executive Overview

This report synthesises findings from the Management Capability Assessment Report (provided to client) against the Business Continuity Evidence rubric.

The assessment covers seven Business Continuity Management (BCM) domains rated on a four-point maturity scale:
N (Absent) → P (Ad hoc) → L (Defined) → F (Operational).

Of the seven domains, one has reached target maturity (BCM Strategies & Solutions at F/Operational); four sit at L/Defined, documented but weakly enforced (two of these four are at “acceptable” target levels); one remains Ad hoc (P); and one is entirely absent (N).

The consistent pattern across domains is strong foundational documentation (E1) and partial operational effectiveness (E2), but a near-universal failure to embed capability into routine organisational life (E3). Addressing the E3 gap is the single highest-leverage improvement available.


Maturity Snapshot


Strengths

BCM Strategies & Solutions — Only Fully Operational Domain

This is the standout strength of the current programme. All three evidence criteria (E1, E2, E3) are met: a defined approach for selecting strategies exists, those strategies are validated against agreed RTOs/RPOs, and they are aligned with risk appetite, IT DR architecture, supplier contracts, and broader resilience planning. This domain is at target and demonstrates that embedded, cross-functional BCM capability is achievable within this organisation.

Sound Governance and BIA Foundations

In five of seven domains, E1 (the existence of defined artefacts) is confirmed. The organisation has an approved BCM policy, documented governance structure, active oversight by governance bodies, a rigorous BIA and risk assessment methodology, and an exercising program that meaningfully validates assumptions and recovery timelines. These are genuine foundations — the infrastructure exists to advance maturity; what is largely missing is the discipline to use it routinely and the mechanisms to improve it over time.

Competent People and Active Exercising

Culture, Training & Awareness shows that defined BCM roles exist with competency profiles, training has been delivered, and people can demonstrate role competence during exercises. Similarly, the exercising program is more than pro forma — exercises validate decision-making, coordination, and recovery timelines against RTOs/RPOs. These are meaningful achievements that provide a platform for embedding and continuous improvement.


Key Gaps

Gap 1 — Performance Evaluation & Continuous Improvement is Completely Absent

This is the most critical gap in the programme. No mechanisms exist for monitoring, measuring, or evaluating BCM performance. There are no KPIs, no internal audit or review process, and no corrective action framework. The consequence is that the organisation cannot determine whether its BCM programme is actually working, cannot demonstrate compliance or assurance, and cannot close the loop on lessons from exercises or incidents. Without this domain, all other improvement efforts are largely self-referential.

Gap 2 — BCM Plans & Procedures Remain Ad hoc

Plans and procedures are the operational core of any BCM programme and represent the most significant performance risk. While a framework for plan development exists (E1 answered YES), plans are not clear, actionable, or usable under realistic time pressure (E2 answered NO), and there is no evidence they are current, accessible, or actually referenced during incidents or exercises (E3 answered NO). In a real disruption, teams would be working from documents that may be out of date, hard to find, and written for readers rather than responders.

Gap 3 — Systemic Failure at E3 (Embedded) Across All Domains

Six of seven domains fail at the E3 level. This reveals a structural pattern: the organisation has successfully documented its BCM arrangements and can perform them when prompted (exercises, audits), but has not yet woven BCM into the routine operating rhythm of the business. Specifically:

  • Governance is not integrated into ERM, strategy, or management review cycles
  • BIA outputs are not kept current and do not actively drive investment or prioritisation decisions
  • Lessons from exercises are not tracked, assigned ownership, or used to update BIAs, plans, or training materials
  • Culture and awareness are not sustained through onboarding, leadership messaging, or performance frameworks

This E3 gap means that BCM capability is fragile — dependent on motivated individuals and scheduled activities rather than organisational habit.


Recommended Actions

Actions are sequenced by impact and urgency.

Priority 1 — Establish Performance Evaluation & CI (Immediate)

Target: N → L within 90 days

  • Define a BCM metrics set covering plan currency, BIA coverage, exercise completion, training rates, and lessons-to-closure cycle time
  • Assign a BCM performance owner accountable for regular reporting
  • Establish a quarterly BCM management review on a fixed calendar (can be nested within existing ERM or risk committee meetings)
  • Create a simple corrective action register (even a shared spreadsheet) to track findings from exercises, audits, and incidents through to closure

This single action unlocks the ability to govern, improve, and demonstrate BCM effectiveness across all other domains.

Priority 2 — Overhaul BCM Plans & Procedures (0–6 Months)

Target: P → L

  • Audit all current plans against a minimum content standard: triggers, decision points, role-based checklists, contact lists, and dependencies
  • Rewrite plans to be action-oriented and usable under time pressure — short, structured, and role-specific rather than narrative documents
  • Establish a single authoritative storage location with offline/alternate access, and verify plans are referenced in relevant contracts and operational procedures
  • Set a version-control and review cycle triggered by organisational change events, not just calendar dates

Priority 3 — Close E3 Gaps Through Routine Integration (3–12 Months)

Governance integration: Add BCM as a standing item on ERM and management review agendas. Include BCM status in board reporting at least annually. Incorporate BCM accountabilities into relevant executive KPIs or performance discussions.

BIA and risk currency: Establish a defined review trigger framework — annual full reviews plus event-driven updates (major change programmes, new suppliers, restructuring). Ensure BIA outputs are visibly referenced in investment proposals and project business cases.

Lessons-learned loop: After every exercise, appoint an owner for each lesson identified with a due date and track it through the corrective action register. Report lesson closure rates as a BCM KPI. This creates the feedback loop that advances Exercising, Testing & Maintenance from L to F.

Cultural embedding: Integrate BCM awareness into the onboarding programme for all staff and role-specific induction for BCM plan owners. Schedule annual refreshers tied to the exercise calendar. Ask senior leaders to include a brief BCM message at team meetings or all-staff communications following exercises or incidents.


Domain Improvement Roadmap


Conclusion

The organisation has built real BCM capability, especially in strategies and governance, and the BIA and exercising foundations are genuinely sound. The programme is not starting from scratch. The three actions that will generate the most improvement in the shortest time are: establishing a Performance Evaluation framework, making plans usable in an actual emergency, and creating a formal lessons-learned loop from exercises. Together, these would lift the overall maturity score substantially and address the structural E3 gap that currently limits the organisation’s confidence in its ability to respond and recover when it matters.


The Report (above) was an output provided in a “Standard” Gig

About this Gig

Are you unsure whether your organisation is genuinely prepared for disruption, or whether your continuity arrangements would stand up under pressure?

I will provide an independent review of your business continuity and operational resilience capability and give you a practical, plain-English summary of key gaps, priorities, and next steps.

This service is designed for organisations that want a clear outside view without committing to a long consulting engagement.

This Gig can help you:

– identify weaknesses in current continuity arrangements

– understand where plans, governance, and accountability may be unclear

– prioritise practical improvements

– prepare for board, audit, client, or internal review discussions

My approach is structured, independent, and business-focused. I review the information you provide, assess the maturity and usability of your current arrangements, and deliver concise findings you can act on.

Please message me before ordering if your organisation is large, highly regulated, or multi-country.


Frequently Asked Questions

1. What kinds of organisations is this Gig for?

This Gig is best suited to small and mid-sized organisations that want an independent view of their business continuity or operational resilience capability.

2. What will you review?

I can review continuity plans, crisis management documents, incident response material, governance documents, policies, risk material, and related supporting information.

2b. What electronic files or PDFs do you want from us?

Please consider the Download above including any from this BCM evidence set: policy & framework, risk register with BCM risks and latest assessment, approved BIAs, strategies and BCPs per critical area, crisis/incident plan with contacts, recent exercise and incident review reports, latest BCM audit and management review.

2c. Can I have more documents considered in any package?

Yes, additional documents can be included at $50 per document.

3. What do I receive?

Depending on the package, you will receive a concise written summary or report with findings, gaps, and practical recommendations, plus a phone conversation (varies by package).

4. Is this the same as ISO 22301 certification advice?

Not exactly. This Gig provides an independent capability review and practical recommendations. It is not a formal certification audit.

5. Do you write full business continuity plans?

No. This Gig focuses on assessment and advice. If you need plan development or a larger consulting engagement, message me first.

6. Can you review existing documents only?

Yes. This Gig works well if you already have plans or policies and want an independent external review.

7. Do you need access to confidential information?

Only the information needed for the review. Please remove highly sensitive material where possible before sharing.

8. Can you work with regulated or complex organisations?

Yes, but please message me before ordering so I can confirm fit, scope, and timing.



Author: John Salter & Associates Consulting Services

John Salter - specialising in the facilitation of risk-based capability reviews; needs-based training; business continuity planning; crisis management exercises; and organisational debriefing. Recognised for “preventing disasters, or where that is not possible, reducing the potential for harm” Ref: Barrister H Selby, Inquest Handbook, 1998. Distracted by golf, camping, fishing, reading, red wine, movies and theatre.
