This assessment evaluates an organization's preparedness for disruptive events across six dimensions: business impact analysis, disaster recovery readiness, key-person dependency, insurance and financial resilience, crisis communication, and testing practices. Aligned with ISO 22301 principles, the output identifies the most critical gaps in organizational resilience. [src1]
Business Impact Analysis (BIA). What this measures: How well the organization understands its critical processes, the disruptions most likely to affect them, and the financial impact of downtime.
| Score | Level | Description | Evidence |
|---|---|---|---|
| 1 | Ad hoc | No formal risk identification; critical processes undocumented | No BIA; cannot list top 5 risks; no RTO/RPO defined |
| 2 | Emerging | Informal risk awareness; some critical processes identified | Ad hoc risk discussions; systems loosely identified |
| 3 | Defined | Formal BIA; processes ranked by impact; RTO/RPO for tier-1 systems | Documented BIA; risk register; RTO/RPO for critical systems |
| 4 | Managed | BIA updated annually; quantitative risk modeling; dependency mapping | Quantitative models; scenario-based financial impact analysis |
| 5 | Optimized | Continuous monitoring; AI-driven threat intelligence; dynamic BIA | Automated scanning; real-time dependency graphs |
Red flags: Cannot state the cost of 24 hours of downtime; RTO/RPO undefined; risk discussions happen only after incidents. [src2]
Quick diagnostic question: "What is the cost of 24 hours of downtime for your most critical process?"
Disaster Recovery Readiness. What this measures: Maturity of technical DR capabilities: backups, failover, and recovery procedures.
| Score | Level | Description | Evidence |
|---|---|---|---|
| 1 | Ad hoc | No DR plan; backups inconsistent or untested | No documented DR plan; backups not verified |
| 2 | Emerging | Basic backups; DR plan on paper but never tested | Daily backups; written plan; no testing; RPO in days |
| 3 | Defined | Tested DR for critical systems; automated backup verification | Annual DR test; cloud DR for tier-1; RPO <24 hours |
| 4 | Managed | Quarterly DR tests; automated failover; RPO <4 hours | Quarterly drills; multi-AZ; DR metrics tracked |
| 5 | Optimized | Near-zero RPO/RTO; chaos engineering; self-healing infra | Active-active multi-region; chaos testing; RPO <1 hour |
Red flags: Last DR test 12+ months ago or never; backups never restored; single point of failure. [src4]
Quick diagnostic question: "When was your last DR test, and what was the actual recovery time vs. target RTO?"
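The "backups never restored" red flag and the "actual recovery time vs. target RTO" question above both come down to one practice: restore the backup somewhere harmless and measure. The script below is an added example, not part of the source card or of ISO 22301. It restores a backup into scratch space, verifies every file against a SHA-256 manifest, refuses archive entries that would escape the restore directory, and reports achieved RTO (restore and verify time) and RPO (age of the backup) against targets. The backup format (tar.gz plus a MANIFEST.json), the function names, and the sample files are assumptions made for the example; a real drill would restore the organization's own backups into an isolated environment and feed the numbers into the DR metrics the level-4 row calls for.

```python
"""Restore drill: restore a backup into scratch space, verify every file against
its manifest, and compare achieved RTO/RPO with the targets from the BIA.
Added example; backup format, names and sample data are assumptions."""
from __future__ import annotations

import hashlib
import io
import json
import tarfile
import tempfile
import time
from pathlib import Path

MANIFEST = "MANIFEST.json"  # assumed manifest name inside the archive


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _add(tar: tarfile.TarFile, name: str, data: bytes) -> None:
    info = tarfile.TarInfo(name)
    info.size = len(data)
    tar.addfile(info, io.BytesIO(data))


def make_backup(files: dict[str, bytes], taken_at: float, corrupt: str | None = None) -> bytes:
    """Build a constructed sample backup: a tar.gz of `files` plus a manifest of
    SHA-256 digests and the time the backup was taken. `corrupt` names a file whose
    last byte is flipped after the manifest is computed, simulating silent
    corruption that only a restore with verification would catch."""
    manifest = {"taken_at": taken_at, "files": {n: sha256_hex(d) for n, d in files.items()}}
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            if name == corrupt and data:
                data = data[:-1] + bytes([data[-1] ^ 0xFF])
            _add(tar, name, data)
        _add(tar, MANIFEST, json.dumps(manifest).encode())
    return buf.getvalue()


def _safe_relative(name: str) -> bool:
    """True only for archive members that stay inside the restore directory."""
    parts = Path(name).parts
    return bool(parts) and not Path(name).is_absolute() and ".." not in parts


def restore_drill(backup: bytes, target_rto_s: float, target_rpo_s: float, now: float) -> dict:
    """Restore `backup` into a temporary directory, verify each manifest entry, and
    report achieved RTO (wall-clock time to restore and verify) and RPO (age of the
    backup at `now`, in seconds). A backup that has never been restored is unproven."""
    t0 = time.monotonic()
    failures: list[str] = []
    taken_at: float | None = None
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        with tarfile.open(fileobj=io.BytesIO(backup), mode="r:gz") as tar:
            for member in tar.getmembers():
                # Write members ourselves instead of extractall(): only regular files,
                # only relative paths without "..", so a crafted archive cannot
                # overwrite anything outside the restore directory.
                if not member.isfile() or not _safe_relative(member.name):
                    failures.append(f"refused unsafe member: {member.name!r}")
                    continue
                dest = root / member.name
                dest.parent.mkdir(parents=True, exist_ok=True)
                dest.write_bytes(tar.extractfile(member).read())
        manifest_path = root / MANIFEST
        if manifest_path.is_file():
            manifest = json.loads(manifest_path.read_text())
            taken_at = float(manifest["taken_at"])
            for name, expected in manifest["files"].items():
                path = root / name
                if not path.is_file():
                    failures.append(f"missing: {name}")
                elif sha256_hex(path.read_bytes()) != expected:
                    failures.append(f"digest mismatch: {name}")
        else:
            failures.append("manifest missing")
    achieved_rto = time.monotonic() - t0
    achieved_rpo = None if taken_at is None else now - taken_at
    return {
        "verified": not failures,
        "failures": failures,
        "achieved_rto_s": achieved_rto,
        "rto_met": achieved_rto <= target_rto_s,
        "achieved_rpo_s": achieved_rpo,
        "rpo_met": achieved_rpo is not None and achieved_rpo <= target_rpo_s,
    }


# Constructed sample: two files "backed up" at t=1,000,000 and drilled later
SAMPLE_FILES = {
    "db/orders.sql": b"INSERT INTO orders VALUES (1, 'widget', 3);\n",
    "config/app.yaml": b"tier: 1\nrto_hours: 4\nrpo_hours: 1\n",
}
TAKEN_AT = 1_000_000.0

if __name__ == "__main__":
    good = make_backup(SAMPLE_FILES, TAKEN_AT)
    print(restore_drill(good, target_rto_s=60, target_rpo_s=3600, now=TAKEN_AT + 1800))
    bad = make_backup(SAMPLE_FILES, TAKEN_AT, corrupt="db/orders.sql")
    print(restore_drill(bad, target_rto_s=60, target_rpo_s=3600, now=TAKEN_AT + 5400))
```

The second call in the usage block shows why "backups exist" is not evidence: the corrupted archive unpacks without error and only the digest check exposes it, and a backup older than the RPO target fails the drill even when every file is intact. Record `achieved_rto_s` and `achieved_rpo_s` from each drill; that is the evidence the level-4 row ("DR metrics tracked") asks for.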
Key-Person Dependency. What this measures: Vulnerability to the loss of critical individuals and the institutional knowledge they hold.
| Score | Level | Description | Evidence |
|---|---|---|---|
| 1 | Ad hoc | Critical knowledge in individuals; no documentation; bus factor = 1 | Single person knows critical systems; no cross-training |
| 2 | Emerging | Key-person risks acknowledged; some documentation exists | Partial documentation; 1-2 backups for some roles |
| 3 | Defined | Dependency map created; documentation enforced; cross-training active | Key-person register; runbooks; each critical role has backup |
| 4 | Managed | Knowledge management system (KMS) in active use; succession planning for leadership; knowledge audits | Searchable KMS; succession plans reviewed quarterly |
| 5 | Optimized | Self-documenting systems; no single points of failure | Automated documentation; knowledge base as team culture |
Red flags: "Only [name] knows how to do that"; vendor relationships tied to one person; no succession plan. [src3]
Quick diagnostic question: "If your most critical employee were unavailable for 30 days, what would break?"
Insurance and Financial Resilience. What this measures: Adequacy of financial protection against disruptive events.
| Score | Level | Description | Evidence |
|---|---|---|---|
| 1 | Ad hoc | Minimal insurance; no financial contingency planning | Basic liability only; no business interruption; no cash reserve policy |
| 2 | Emerging | Standard policies not reviewed against risks; limited reserves | General liability + property; 1-2 months cash |
| 3 | Defined | Annual review mapped to risks; business interruption adequate; 3-6 months cash | Annual review; BI policy with adequate limits; documented gaps |
| 4 | Managed | Optimized portfolio; cyber + key-person insurance; 6-12 months reserves | Comprehensive coverage; scenario-tested reserves |
| 5 | Optimized | Dynamic program; parametric triggers; stress-tested financial model | Parametric insurance; captive program; quarterly stress tests |
Red flags: Insurance not reviewed in 3+ years; no cyber insurance; business interruption (BI) limits below 3 months' revenue. [src5]
Quick diagnostic question: "When was your insurance last reviewed against your risk profile?"
Crisis Communication. What this measures: Ability to communicate with stakeholders and coordinate internally during a crisis.
| Score | Level | Description | Evidence |
|---|---|---|---|
| 1 | Ad hoc | No plan; response improvised; stakeholders learn through informal channels | No templates; no spokesperson; reactive social media |
| 2 | Emerging | Basic contact lists; draft plan untested; single channel | Emergency contacts; draft plan; CEO handles all crisis comms |
| 3 | Defined | Documented plan with roles; templates for scenarios; multi-channel | Tested plan; pre-drafted templates; notification system |
| 4 | Managed | Tested via tabletop exercises; stakeholder-specific messaging | Annual tabletops; stakeholder matrix; media monitoring |
| 5 | Optimized | Automated notification; real-time sentiment monitoring; simulation program | Automated alerting; sentiment dashboards; regular simulations |
Red flags: No crisis plan; customers learn about outages from social media first; no media training. [src6]
Quick diagnostic question: "Do you have a crisis communication plan, and when was it last tested?"
Testing and Maintenance. What this measures: How rigorously the organization tests, maintains, and improves its continuity plans.
| Score | Level | Description | Evidence |
|---|---|---|---|
| 1 | Ad hoc | No testing; plans outdated | Plans last updated years ago; no test schedule |
| 2 | Emerging | Annual document review; one-time DR test | Annual review; one-time test at deployment |
| 3 | Defined | Annual BCP testing; semi-annual DR drills; after-action reports | Test calendar; after-action reports; plan updates post-test |
| 4 | Managed | Quarterly scenarios; unannounced tests; metrics-driven improvement | Quarterly cadence; surprise drills; improvement backlog |
| 5 | Optimized | Continuous testing via chaos engineering; automated validation | Chaos engineering; automated validation; continuous loop |
Red flags: BCP never tested; DR "success" with no metrics; plans reference departed employees. [src3]
Quick diagnostic question: "How often do you test BCP, and what changed after the last test?"
Overall Score = (BIA + DR Readiness + Key-Person + Insurance + Crisis Comms + Testing) / 6, with each dimension scored as a whole number from 1 to 5 and the result rounded to one decimal place. Averaging whole-number scores never lands in the gaps between the bands below (for example 27/6 = 4.5 and 28/6 rounds to 4.7).
| Overall Score | Maturity Level | Interpretation | Recommended Next Step |
|---|---|---|---|
| 1.0 - 1.9 | Critical | Unprepared for disruption; significant incident could threaten survival | Conduct BIA; establish basic DR and crisis communication; review insurance |
| 2.0 - 2.9 | Developing | Basic awareness but plans untested; recovery would be slow and chaotic | Complete formal BIA; test DR; address key-person risks; update insurance |
| 3.0 - 3.9 | Competent | Solid foundation with tested plans; may struggle with novel disruptions | Expand scenarios; increase test frequency; build financial resilience |
| 4.0 - 4.5 | Advanced | Comprehensive program with regular testing and improvement | Focus on emerging risks; chaos engineering; advanced financial instruments |
| 4.6 - 5.0 | Best-in-class | Resilience embedded in culture; self-healing capabilities | Maintain through continuous testing; innovate on resilience approaches |
| Weak Dimension (Score < 3) | Fetch This Card |
|---|---|
| Business Impact Analysis | BIA Development Guide |
| Disaster Recovery | DR Planning Playbook |
| Key-Person Dependency | Succession Planning Framework |
| Insurance and Financial | Insurance Coverage Review |
| Crisis Communication | Crisis Communication Playbook |
| Testing and Maintenance | BCP Testing Program Guide |
| Segment | Expected Average Score | "Good" Threshold | "Alarm" Threshold |
|---|---|---|---|
| Startup/SMB (<50 employees) | 1.5 | 2.2 | 1.0 |
| Mid-market (50-500) | 2.3 | 3.0 | 1.5 |
| Large enterprise (500-5000) | 3.2 | 3.8 | 2.5 |
| Global enterprise (5000+) | 3.8 | 4.3 | 3.0 |
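For teams that run this assessment across many business units, the scoring rules above are easy to get subtly wrong (fractional inputs, band edges, which card to fetch). The following is an added example, not part of the source card: a small scorer that validates the six whole-number scores, computes the rounded overall score, maps it to a maturity band, lists the cards to fetch for any dimension below 3, and compares the result with the segment benchmark. The dimension names, bands and thresholds are transcribed from the tables above; the reading of the benchmark table (at or below the alarm threshold is "alarm", at or above the good threshold is "good", otherwise compared with the expected average) and all function names are assumptions made for the example.

```python
"""Scorer for the six-dimension resilience assessment. Added example; the tables
are transcribed from the card, the segment comparison rule is an assumption."""
from __future__ import annotations

DIMENSIONS = (
    "Business Impact Analysis", "Disaster Recovery", "Key-Person Dependency",
    "Insurance and Financial", "Crisis Communication", "Testing and Maintenance",
)
CARDS = {
    "Business Impact Analysis": "BIA Development Guide",
    "Disaster Recovery": "DR Planning Playbook",
    "Key-Person Dependency": "Succession Planning Framework",
    "Insurance and Financial": "Insurance Coverage Review",
    "Crisis Communication": "Crisis Communication Playbook",
    "Testing and Maintenance": "BCP Testing Program Guide",
}
# (low, high, level) for the overall score; both ends inclusive.
BANDS = (
    (1.0, 1.9, "Critical"), (2.0, 2.9, "Developing"), (3.0, 3.9, "Competent"),
    (4.0, 4.5, "Advanced"), (4.6, 5.0, "Best-in-class"),
)
# segment -> (expected average, "good" threshold, "alarm" threshold)
SEGMENTS = {
    "Startup/SMB (<50 employees)": (1.5, 2.2, 1.0),
    "Mid-market (50-500)": (2.3, 3.0, 1.5),
    "Large enterprise (500-5000)": (3.2, 3.8, 2.5),
    "Global enterprise (5000+)": (3.8, 4.3, 3.0),
}
WEAK_BELOW = 3  # "Weak Dimension (Score < 3)"


def overall_score(scores: dict[str, int]) -> float:
    """Mean of the six whole-number dimension scores, rounded to one decimal."""
    missing = set(DIMENSIONS) - scores.keys()
    if missing:
        raise ValueError(f"missing dimensions: {sorted(missing)}")
    for dim in DIMENSIONS:
        if not isinstance(scores[dim], int) or not 1 <= scores[dim] <= 5:
            raise ValueError(f"{dim}: score must be a whole number 1-5, got {scores[dim]!r}")
    # k/6 rounded to one decimal never falls between two bands (27/6 -> 4.5, 28/6 -> 4.7),
    # which is why fractional per-dimension scores are rejected above.
    return round(sum(scores[d] for d in DIMENSIONS) / len(DIMENSIONS), 1)


def maturity_level(score: float) -> str:
    for low, high, level in BANDS:
        if low <= score <= high:
            return level
    raise ValueError(f"score {score} is outside every band")


def segment_status(score: float, segment: str) -> str:
    """Assumed reading of the benchmark table (not stated on the card)."""
    expected, good, alarm = SEGMENTS[segment]
    if score <= alarm:
        return "alarm"
    if score >= good:
        return "good"
    return "below expected" if score < expected else "expected"


def assess(scores: dict[str, int], segment: str) -> dict:
    """Full result: overall score, band, weak dimensions with their cards, benchmark status."""
    overall = overall_score(scores)
    weak = [d for d in DIMENSIONS if scores[d] < WEAK_BELOW]
    return {
        "overall": overall,
        "level": maturity_level(overall),
        "weak_dimensions": weak,
        "fetch_cards": [CARDS[d] for d in weak],
        "segment_status": segment_status(overall, segment),
    }


# Constructed sample: a mid-market firm with a BIA and insurance but thin DR and testing
SAMPLE_SCORES = {
    "Business Impact Analysis": 3, "Disaster Recovery": 2, "Key-Person Dependency": 1,
    "Insurance and Financial": 3, "Crisis Communication": 2, "Testing and Maintenance": 2,
}

if __name__ == "__main__":
    print(assess(SAMPLE_SCORES, "Mid-market (50-500)"))
```

For the constructed sample the scorer returns an overall of 2.2 ("Developing"), four cards to fetch, and "below expected" against the mid-market benchmark; a fractional input such as 2.5 is rejected rather than silently producing a score between two bands.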
Fetch when a user asks to evaluate disaster preparedness, assess organizational resilience, prepare for a board risk review, evaluate key-person dependencies, or comply with business continuity regulations.