Assessing the resilience of an IT portfolio

J Bus Contin Emer Plan. 2019 Jan 1;13(1):22-31.

Abstract

One of the goals of the business impact analysis (BIA) process is to establish recovery objectives. Having established recovery objectives, the next step is to assess whether one's IT portfolio can actually meet those objectives. Unfortunately, there is no well-defined and prescriptive process for this. This article describes a model that can be customised and applied in any organisation to take an IT-centric view of assessing resilience capabilities. The first stage of this process is to gather IT-specific data, either through a questionnaire or by querying the configuration management database directly. The next step is to leverage a set of scoring rubrics in order to assess the capabilities of each application with respect to meeting recovery point objectives, recovery time objectives and service-level targets, as well as the strength of staffing, documentation and disaster recovery plans. The output of the model is a composite score for each application (based upon an aggregate capability score and a weighting factor) that identifies those services in the IT portfolio with the greatest gaps in their capabilities (ie those services in greatest need of remediation). The logic of the model can either be built with spreadsheets or automated through business continuity management planning platforms.

MeSH terms

  • Commerce
  • Disaster Planning*
  • Information Technology*