1.1 Have you assigned a BCM program manager?
		No BCM program ownership is assigned
		BCM program manager is part of the disaster recovery (DR) manager's responsibility
		BCM program manager assigned at the business unit level only
		BCM program manager assigned for the enterprise, but no business unit responsibility assigned
		BCM program manager assigned for the enterprise and business units
		The assigned BCM program manager has both intra- and inter-enterprise management responsibilities

1.2 Where does overall BCM program responsibility reside?
		No BCM program is currently in place
		CIO/Senior IT Management
		Business Operations
		CISO, Information Security Management
		CXO — COO, CFO, CAO, CRO
		CEO/Board of Directors/Audit Committee

1.3 What is the scope of governance that is used to manage business continuity within your organization?
		No formal governance is used to manage business continuity today.
		Basic placeholders are defined for IT recovery and continuity management in a still nascent IT governance program.
		Disaster recovery standards, governance and project approvals are in place and managed by central IT.
		Formal technology, vendor and operations standards are enforced across all recovery tiers, along with a formal process for granting exceptions.
		Business continuity management is supported by a strong governance and approval process that is supported by senior management.
		Business continuity initiatives are always driven by business risk mitigation requirements.

1.4 How effectively are business continuity measurement/improvement metrics tied to business performance improvement?
		No business continuity-specific measurement or improvement metrics are defined.
		An initial set of business continuity-specific improvement metrics is being defined.
		A small set of business continuity-specific performance metrics are measured, monitored and reported as part of the program report to senior management.
		Improved business continuity metrics are being heavily driven by key business requirements.
		Recovery service level support readiness is defined and reported to senior IT and business unit management on a regular basis.
		Business continuity maturity benchmarks that are performed confirm best-in-class recovery capabilities.

2.1 How many of the following components are addressed in your BCM program:
	•	IT DR
	•	Incident/crisis management
	•	Emergency response
	•	Business recovery
	•	Contingency planning
	•	Pandemic planning

		IT DR only
		IT DR plus one other component
		IT DR plus two other components
		IT DR plus three other components
		IT DR plus four other components
		IT DR plus all five of the other components

2.2 Which are the following workforce continuity components are part of your BCM program:
	•	Policy on the workforce's responsibility in responding to an enterprise crisis
	•	BCM awareness training
	•	Employee assistance program integration
	•	Workforce preparedness training
	•	Facility to the exchange of information among the workforce during a crisis

		None of the above
		One of the above
		Two of the above
		Three of the above
		Four of the above
		All of the above

2.3 Do you have processes in place to maintain (regularly review and update) the BCM program (risk assessment, business impact and recovery plans) according to current business practices?
		We have not maintained our BCM program within the last 12 months
		We use the IT change management process as a checkpoint for potential recovery changes
		We maintain our recovery plans only after an exercise
		We maintain our BCM program at least once per year
		We maintain our BCM program as part of every major IT project (for example, through the software development life cycle)
		We maintain our BCM program as part of every major business project/activity (for example, new product/service offering, mergers and acquisitions, facilities management and workforce changes, that is, succession planning)

2.4 Do you have a business interdependency map (business process, owner, supporting IT application(s) & data, facilities, workforce, equipment and tools, supplies, forms, vital records, third-party service providers, key public and private partners) for mission-critical business processes?
		No interdependency map exists
		Interdependency map exists for some mission-critical business processes
		Interdependency map exists for all mission-critical business processes
		Business interdependency map exists, but it is not linked to the technology interdependency map
		Business interdependency map is linked to the technology interdependency map
		Enterprise-wide interdependencies are identified and managed at a corporate level

2.5 Can you identify the recovery time objectives (RTOs) and recovery point objectives (RPOs) for every business process and application?
		No RTOs and RPOs are defined
		RTOs and RPOs are defined at the application level only
		RTOs and RPOs are defined at the business process level only
		RTOs and RPOs are defined at the business process and application levels
		RTOs and RPOs are defined at the business process and application levels, and they align with actual recovery times
		RTOs and RPOs are defined for internally and externally facing business processes and applications

2.6 What outage time frame do your BCM program and management procedures cover?
		One week or less
		Up to one month
		Up to three months
		Up to six months
		Up to one year
		Beyond one year

2.7 Have you developed enterprise and business process/line-of-business-specific recovery plans?
		No plans have been developed
		Plans are developed for some business processes/lines of business
		Plans are developed for all mission-critical business processes/lines of business
		Plans for all mission-critical business processes/lines of business have been developed and Integrated with their respective IT DR plans
		Plans for both mission-critical and non mission critical business processes/lines of business have been developed and Integrated with their respective IT DR plans
		Integrated BCM and IT DR plans are reviewed and updated at least once every six months in order to support new business processes, applications and data

3.1 Do you have a technology interdependency map (application, owner, data, hardware, software and workforce) for mission-critical applications?
		No mapping currently exists
		Data mapping exists for some applications
		Hardware, software and data mapping exist for some applications
		Data mapping exists for all applications
		Hardware, software and data mapping exist for all applications
		The technology interdependency map links to the business interdependency map

3.2 Do you use automation to help manage the BCM program?
		We currently have little to no BCM program documentation
		All BCM program documents, tools, templates and reports are developed as needed using office management tools (for example, word processing, spreadsheets and flowcharting)
		BCM planning software is used as a repository for all BCM program documents
		BCM planning software is used to develop and manage all recovery plans
		BCM planning software is used to conduct risk assessments, business impact analyses, and recovery plan development and management
		IT and business unit staff use BCM planning software to create, update and manage their specific portions of a unified continuity plan

3.3 How would you rate the effectiveness of your technology investments in supporting application and data recovery objectives?
		Currently there is little to no understanding of the infrastructure changes needed to support current business recovery and/or resiliency requirements.
		We are in the early stages of managing the alignment between disaster recovery requirements and IT budget affordability.
		We are fairly confident of our ability to support mission critical application RTO and RPO targets.
		We consistently meet RTO and RPO targets for mission critical applications during our recovery tests.
		Within a few minutes, physical and virtual resources can be automatically reallocated in response to changing business continuity and resiliency requirements.
		Virtual and physical server and storage resources can be reallocated dynamically in seconds in order to support changing business recovery priorities.

3.4 How would you rate the effectiveness of your technology investments in supporting continuous application and data availability?
		Little to no support for continuous operations availability exists because of the lack of required IT infrastructure hardware and software.
		Very rudimentary infrastructure, applications and data redundancy and failover support is in place.
		Application service and data restoration times are improving because of additional alarming and event management automation that has been put into place.
		Failover procedures for mission critical applications and data are documented and digitized to the fullest extent possible.
		Business applications resumption following the completion of infrastructure, applications and data recovery procedures is automated and transparent to end users.
		Data center infrastructure, production application operation and data access are resilient across most types of disasters.

3.5 How would you rate the effectiveness of your data backup and replication procedures in supporting mission critical RTO and RPO targets?
		Unable to assess their effectiveness because of the lack of required IT infrastructure hardware and software.
		Very limited effectiveness because very rudimentary procedure definition and supporting infrastructure is in place.
		Effectiveness is improving because of new procedures and/or supporting infrastructure that have recently been put into place.
		Backup and/or restoration procedures for mission critical data are documented, digitized and effective for most mission critical applications and data.
		Backup and/or restoration procedures for mission critical data are documented, digitized and effective for all mission critical applications and data.
		Mission critical data access is resilient across most types of disasters.

Please Note: This test is designed to help you understand the critical issues facing today’s business continuity and recovery professionals and to facilitate conversations between various parties within your organization. Any assertions or assessments made herein based on the answers you provide do not in any way constitute a claim by Gartner or Gartner Events as to your organization's actual level of preparedness, program maturity or ability to address and manage an incident that requires resiliency.

For more insight into business continuity and recovery planning attend the Gartner Business Continuity Management Summit, April 27 – 29 in Chicago, IL. Visit gartner.com/us/bizcon for Agenda details and Conference program information.