Executive Summary Exemplar (Basic Package)
The report shows a solid management-system foundation, with no domains rated Absent or Ad hoc, but the overall maturity is 59.1%, so the organisation is stronger in design than in consistent operational proof of use. Four domains are at Operational maturity and seven are at Defined maturity, which means the core opportunity is to convert documented processes into demonstrated decisions, behaviours, and improvement outcomes.
Executive summary
This is a credible, above-baseline capability position: strategy, governance, planning, and operational control are the strongest areas, and they are already operating at the target maturity level. The main weakness is not missing documentation; it is the lack of evidence that several frameworks are consistently shaping resource allocation, frontline behaviour, supplier resilience, analytics-led decisions, and continuous improvement.
A useful way to read the report is that E1 and E2 are broadly in place across domains, while E3 is the recurring breakpoint in 7 of the 11 domains. In practical terms, the organisation has built the system, but it has not yet shown enough repeatable proof that the system changes outcomes.

Strengths and gaps
- Strong strategic alignment: context, stakeholder analysis, scope, and objectives are documented, traceable, and used to steer initiatives and investment choices.
- Strong governance base: policies, governance structures, leadership participation, issue tracking, and accountability mechanisms are in place.
- Strong planning discipline: objectives, action plans, continuity strategies, and change assessments are defined and influence priorities and budgets.
- Strong operational resilience controls: key processes, BCM plans, and emergency procedures are documented, accessible, and evidenced in incidents or exercises.
- The biggest cross-cutting gap is operational evidence: in seven domains, the report records “YES” for process definition and deployment, but “NO” for proof that the capability is materially influencing decisions or outcomes.
- Risk and BIA are not yet clearly driving prioritisation and resource allocation, which limits the value of otherwise sound risk methods and registers.
- People capability, supplier resilience, information use, performance review, and improvement all show the same pattern: defined and repeatable, but not yet demonstrably embedded.

Domain maturity

Heat-map

The top priorities are to close the four target gaps first, then strengthen the lagging domains by proving routine use, not by writing more process material. If that sequencing is followed, the organisation should improve maturity fastest because the report already shows most core structures are in place.
Action roadmap
- In the next 30 days, create a single decision trail linking risk ratings, BIA outputs, treatment choices, continuity strategies, and funding or project approvals so that risk and continuity visibly drive priorities.
- In the next 30 days, redesign management review packs so every KPI, audit, exercise, and incident trend ends with a required decision, owner, due date, and follow-up check.
- In the next 60 days, run targeted exercises for the highest-impact services and use the results to update BIA assumptions, recovery strategies, supplier contingencies, and BCM plans.
- In the next 60 days, review critical suppliers and partners for single points of failure, then define diversification, fallback, contractual, or stockholding controls for the highest-risk dependencies.
- In the next 90 days, shift people capability from training completion to demonstrated competence by testing key roles in exercises, audits, and incident simulations, especially outside specialist teams.
- In the next 90 days, establish a benefits-tracked improvement portfolio that measures repeat incidents, nonconformities, near misses, and resilience gains so learning can be shown in hard outcomes.
The practical message for executives is simple: do not invest first in more framework design; invest in evidence of use, decision traceability, supplier resilience, management-review discipline, and measurable learning loops.
The above note is an example of an executive summary provided with the Basic Package.
Check capability, not compliance.
