Skip to content

levels of organisational resilience

Organisational Resilience and the 4 Levels of Maturity

organisational resilience
  • Url copied to clipboard.

When we talk about “organisational resilience” at RiskLogic, we’re implying the implementation and maintenance of crisis management, incident management, emergency management, and business continuity. As a minimum, we would label a well-versed resilient organisation as one that has at least those four disciplines in place, are practised and are recognised as a part of the organisational culture and strategy.

But with most things, there is always room for improvement, even for those who tick many of the response and resilience boxes. Therefore, the next stage up for some may be those who have embodied pandemic management, crisis communications, technology, or annual scenario exercise training.


As the world navigated through the covid pandemic, there is one question that was asked in just about every initial conversation with clients:

How does our organisation stack up from the rest?

There are many ways to measure this through complex programs and business impact analysis and reviews, but this doesn’t score you against another organisation as a benchmark. What we do is narrow the steps into four stages. We call these, The Four Levels of Resilience Maturity. 

By breaking down what constitutes each level and what an organisation would need to measure themselves against, we are able to align ourselves to a tried and tested framework we know works.

Four levels of organisational resilience

Shared widely at the RiskLogic and Department of Health Emergency Management workshop in 2020, Principal Consultants, Joanne Costa and Dr Rebecca Hoile broke down what each level constitutes.

Level 1: Aware

Elements across some areas of resilience are established. 

  • Organisational resilience is established to a small degree and includes, risk management, emergency management, crisis management, business continuity.
  • Policy established for one or two areas.
  • Basic response team established.
  • Some procedures in place.
  • Low level of cultural awareness.

Level 2: Applied

Components of a Resilience Program are in place and communicated. 

  • Deeper understanding and implementation of the components of a resilience program.
  • Several policies with one overarching resilience policy.
  • Established business continuity program, but it’s not yet fully implemented and realised.
  • Some response and recovery plans, but perhaps

Level 3: Embedded

A cyclic program is in place across all elements of business resilience. 

  • A cyclic program in place across all areas of business resilience.
  • Completed at least one life cycle of the resilience disciplines annually.
  • Embedded an established business continuity management system to manage programs.
  • Identification of strategic and operational level teams; including strategic planning, a governing body, or identification of who would be activated during a crisis.

Level 4: Mature

Organisational Resilience is at the core of organisational values, operations and service.

  • Resiliency is at the core of company values, operations, and services.
  • Systems, frameworks and policies in place across all areas of resilience, scheduled, practised and reviewed at least two life cycles every year.
  • Regular team training.
  • Passion, genuine interest, and organisational culture would be embedded across all areas of the business and referenced during onboarding.

The elusive fifth level

Implementing and managing the required steps to be considered a mature, resilient organisation is a sizable, long-term commitment in itself. If more organisations had these levels in place pre-pandemic, the outcome would have been significantly different. But there is another level some are beginning to venture into this year; the ISO 22301 accreditation.

A permanent commitment and annually reviewed by official bodies like the BSIISO 22301 could be considered the final frontier of resilience practises.


This accreditation is as much a statement to the market and investors as it is a useful tool to maintain constant, strong resilience practices. This has been shown by our client NTT who have continued to work on their accreditation for a few years now.

The program suits large enterprises that service on a global scale, wishing to dominate tenders, and prove strategic, ongoing management at an elite level to their shareholders.

Resources coming soon

In the coming weeks, RiskLogic will begin to share complimentary materials and resource to help you understand where on the resilience journey you are.

Carefully curated by our Principal and Senior Consultants, the assets will encourage you to provide better insight into where your organisation is on the four-level scale, help determine or consider timescales and stakeholders to reach (or improve) each level, and begin the conversation of ISO 22301 accreditation (if applicable).

You will have access to:

  • A self-assessment resilience matrix.
  • A simple, single page brochure of the four levels to share with colleagues.
  • A snippet of the RiskLogic and Department of Health Emergency Management webinar where Dr Rebecca Hoile discusses the levels in more detail.
  • An opportunity to book in a 30 minute call directly a member of our consulting team.

Access to these materials will be available in the coming weeks. Make sure to keep an eye on your emails and our social media for more news.

The Resilience Digest