What Makes A Resiliency Program Mature?

I've been tackling an interesting challenge recently: how to define a mature business technology resiliency (aka disaster recovery)  program. It's something I've been thinking about for years, but it was only a few months ago that I sat down to develop a concrete framework that enterprises could use to compare themselves to. Yes, I know there are existing frameworks for defining what maturity is for a business technology resiliency program, but in my model, I was trying to accomplish the following:

  • Simplicity. Without going overboard, I wanted to put together a model that could be completed within a few hours, rather than something that would take weeks to complete. The tradeoff, of course, is that this model is much less detailed than others. However, with many conflicting priorities, I know that many IT leaders can't take the time to fill out an assessment the length of the last installment of Harry Potter.
  • Objectivity. One of the benefits I have at Forrester is the ability to address this from a vendor-neutral perspective. I have no ulterior motives with this model and no vendor allegiances that could influence the outcomes.
  • Process-orientation. I strongly believe that a mature business technology resiliency program is built on a bedrock of repeatable, standardized, and streamlined processes. In the model, you will see there is a section on technology maturity, but the emphasis overall is on the process components.

Below is a high-level look at the components I included in the maturity model. I also encourage you to check out the full report describing the model and its uses, as well as the Excel-based self-assessment tool.


I'm interested in your feedback on this: have I included the right components? How do you view maturity in this space? What other maturity models do you use to assess your business technology resiliency programs?