Proprietary Framework · Optecz Core

The ORM Score for Your Resilience Program

The only scored operational resilience maturity assessment built for board reporting. 36 controls. 6 domains. One number your board can actually use.

Included in every Core subscription • No add-on required • Universal · All industries

0 / 100

Resilience ID: 79%
Resilience Program: 74%
Protection: 76%
Response: 72%
Recovery: 66%
Improvement: 71%

36 controls across 6 domains
0→100 scored maturity scale
6 domains: end-to-end resilience
Core: included in every plan

THE PROBLEM

Why This Exists

NIST CSF scores your posture.
Nobody scores your resilience.

Boards and regulators expect evidence of operational resilience maturity — not just policy checklists. ORM closes the gap between frameworks that describe functions and a single score that describes your program.

01. No framework produces a resilience program score

NIST CSF covers recovery at a function level. ISO 22301 defines a BCP process. SOC 2 checks availability as a trust criterion. None of them produce a scored assessment of your operational resilience program maturity against a 0–100 scale your board can evaluate.

02. Boards and regulators are asking questions you can't answer cleanly

DORA, FFIEC, NAIC model law, and SEC disclosure guidance all now require evidence of resilience program maturity — not just that a plan exists, but that it works. Most security teams spend weeks assembling data that still doesn't answer the question.

03. The gap between 'we have a plan' and 'our program is mature' is uncalibrated

Having a disaster recovery plan is table stakes. Measuring whether your recovery objectives are tested, your runbooks are current, your teams are exercised, and your resilience is actually improving over time — that's what the ORM scores.

THE FRAMEWORK

Six Domains · 36 Controls

Complete resilience program coverage, end to end.

ORM organizes operational resilience program maturity into six operational domains. Each domain produces its own maturity score. All six roll up to your composite ORM score.

1. Resilience Identification (6 controls)

Asset criticality, RTO/RPO definitions, single points of failure, and documented resilience gaps — the foundation every resilience program needs before anything else.

2. Resilience Program (6 controls)

Objectives, roles, architecture integration, dependencies, critical function prioritization, and program metrics — governance that makes resilience operational, not aspirational.

3. Resilience Protection (7 controls)

Redundancy, diversity, geographic distribution, graceful degradation, defense-in-depth, data integrity, and segmentation — the structural controls that limit blast radius before an incident occurs.

4. Resilience Response (7 controls)

Incident response plan testing, documented runbooks, recovery automation, communication plans, backup validation, failover testing, and team exercises — the difference between a plan on paper and a program that performs.

5. Resilience Recovery (5 controls)

Demonstrated recovery capability, lessons learned processes, tracked metrics, post-incident reviews, and executive reporting — closing the loop from incident to improvement.

6. Resilience Improvement (5 controls)

Annual program reviews, threat intelligence integration, emerging technology risk assessment, and vendor/supply chain resilience — keeping your program ahead of the threat, not behind it.

What ORM measures that NIST CSF doesn't

Why resilience needs its own score

NIST CSF's Recover function asks whether recovery processes exist. ORM asks whether they work — and how well. Are your RTOs and RPOs actually defined and tested? Are your runbooks current? Are your recovery teams exercised? Is your resilience posture reported to leadership? These are the questions insurance underwriters, regulators, and boards are now asking. ORM gives you a scored answer for every one of them.

HOW IT COMPARES

Framework Comparison

What every other framework misses.

Every major security framework touches resilience. None of them produce a scored resilience program maturity assessment.

Framework | Resilience Coverage | Program Score | RTO/RPO Scoring | Board Report | Dedicated Assessment
NIST CSF 2.0 | RC/RS functions only
ISO 22301 | BCP standard (process) | Partial
NIST 800-160 | Engineering framework
SOC 2 CC9 | Availability criterion
ORM by Optecz (PROPRIETARY) | 6 domains · 36 controls | ✓ 0–100 | ✓ Scored | ✓ One-click | ✓ Purpose-built

YOUR SCORE

ORM Maturity Scale

Where does your program stand?

ORM produces a composite score from 0–100 plus per-domain breakdowns. Every score maps to a maturity level with board-ready language built in.

0–34: Initial

Ad hoc. No documented resilience objectives. Recovery is reactive and unpredictable.

35–49: Developing

Plans exist but are inconsistently tested. RTOs and RPOs are defined but unvalidated.

50–64: Defined

Core resilience processes documented. Testing gaps and measurement weaknesses present.

65–79: Managed

Program measured and mostly exercised. Leadership receives resilience reporting.

80–100: Optimizing

Continuously improved. Recovery capabilities demonstrated. Board reporting is data-driven.

WHO NEEDS THIS

Every Organization With a Board

If someone asks about your resilience program, you need a score.

CISO preparing for board resilience review

“I need to show the board our operational resilience maturity — not just that we have an IR plan, but how mature our entire resilience program is and where we’re investing to improve.”

Board prep

GRC lead with DORA or FFIEC obligations

“Our regulator requires evidence of resilience program maturity — tested recovery capabilities, documented RTOs and RPOs, and a clear improvement trajectory. I need a scored assessment I can put in front of an examiner.”

Regulatory

IR lead measuring program maturity post-incident

“We need to demonstrate to the board and legal counsel that our resilience program has materially improved since the incident. We need a before and after score.”

Post-incident

CISO with a DR/BCP audit on the calendar

“Our auditor is asking whether our recovery objectives are tested, our runbooks are current, and our teams are exercised. I need documented, scored evidence — not a spreadsheet.”

Audit prep

vCISO managing multiple client programs

“I need a consistent, repeatable methodology to assess resilience program maturity across all my clients, benchmark them, and show each client a clear improvement roadmap tied to a score.”

vCISO

CFO or audit committee member

“I’m not a security expert, but I’m being asked to sign off on our resilience posture. I need one number that tells me how mature our program is and whether we’re moving in the right direction.”

Audit / finance

GET YOUR SCORE TODAY.

Run your first ORM assessment in under 30 minutes.

Included in every Optecz Core subscription. No add-on required. Score all 36 controls, generate board-ready findings, and get your composite ORM maturity score the same day.