Part Two: Process Institutionalization and Improvement

The concept of using a maturity model to improve operational resilience may not at first glance appear to provide significant advantages over the simple implementation of a code of practice. Codes of practice, after all, typically represent a cumulative view of how an industry faces a challenge such as information security and can be of great benefit to all organizations that share this challenge. For some organizations, using practices alone will bring about improvement—improvement in the way that passwords and user IDs are managed, how incidents are handled, or how continuity plans are developed and tested. But lasting improvement depends on the organization’s ability to develop and inculcate a culture around managing operational resilience—that the operational resilience of the organization is everyone’s job and responsibility. Security and continuity training and awareness alone do not create such a culture or provide it with the foundation it needs to flourish, particularly during times of stress.

At its core, a maturity model is about improving the organization’s capacity and competency for producing high-quality results, no matter the circumstances. When such an approach is taken, the practices performed by the organization are embedded within a culture of improvement so that the performance of these practices is measured and improved and the capability is sustained. This is critical in managing operational risk because not all risks can be identified and responses to realized risk cannot always be planned.

A maturity model with a capability dimension provides a platform for measuring process institutionalization—the degree to which a process is embedded in the culture. Measuring the level of institutionalization of operational resilience management processes tells the organization something about how likely it is to retain these processes in changing risk environments.

In Part Two of this book, we discuss the capability dimension of CERT-RMM and the impact it can have on transforming the organization’s performance. We also provide guidance on how to use the model to begin an improvement effort or to get a “health check” on how your organization is managing operational resilience today.
