
MHA Consulting



Availability vs. Recoverability


Are You Confusing Availability with Recoverability in Your DR strategy?

Richard Long, Senior Advisory Consultant, Security Issues

There is a fire in the data center and applications are not available for 48 to 72 hours. Once the applications are available, the CIO receives numerous emails praising the efforts of the recovery team. A month later, the ERP system has 2 short (1 hour) outages and 3 increased response time events within a single month. The CIO receives numerous emails about how poorly the IT team supports applications. Why the differing perception?

  • Many BCP/DR professionals worry about how to implement an effective RTO strategy for the organization’s application – recoverability.
  • Most individuals using applications on a daily basis are concerned with day-to-day access to applications when it is needed – availability.

Have you considered how availability and recoverability are implemented in your environment and which has the most business impact? If not, look at the requirements for these concepts and think about how you might be able to leverage them. Look for more on this topic from MHA in upcoming newsletters and blogs.

How Confident Are You? Mitigating Controls and Your Business Recovery Plans.


In the world of Business Continuity Management (BCM), senior management is placing greater emphasis on understanding what Residual Risk remains after we have implemented all of the mitigating activities available to us. For management to feel comfortable, the remaining Residual Risk must be within their Risk Tolerance/Appetite. If it’s outside their Risk Tolerance/Appetite, they will request that additional work be done on the weak areas to minimize the Residual Risk. In a perfect world, the Residual Risk will be zero or negative, indicating that the controls in place are sufficient.

So, how many of you have thought about the mitigating activities in your Business Recovery Plans? Do you know what they would be and how important each of them might be to recovery? Here is what we see as the mitigating activities for a Business Recovery Plan:

  1. Business Impact Analysis
  2. Recovery Strategy
  3. Recovery Team
  4. Recovery Plan
  5. Recovery Exercise
  6. Third Party Supplier Risk
  7. Training & Awareness

Now, how important is each of these mitigating controls to the success of your recovery plan? Is each mitigating activity equally important, or are some of them more important before a disruption occurs? I believe that each mitigating activity has a different level of importance based on what it ultimately means to the plan and its level of recovery confidence.

In discussion with colleagues and subscribers of our BCMMETRICS(TM) tool, we have agreed that a sample priority for mitigating activities based on the value to minimizing risk is as follows:

  1. Recovery Exercise
  2. Recovery Strategy
  3. Recovery Team
  4. Recovery Plan
  5. BIA
  6. Third Party Supplier Risk
  7. Training & Awareness

What do you see as a priority for the mitigating activities? Begin looking at the mitigating activities for each of your recovery plans and see if a small or significant risk remains. Shore up the mitigating activities that need help and you will reduce your overall residual risk for the business unit and your organization.

Top 5 Reasons Recovery Checklists Get a Failing Grade.


I recently finished The Checklist Manifesto by Atul Gawande, a renowned surgeon. The book deals with the importance of checklists in highly complex environments (airlines, hospitals, etc.) and his mission to minimize the risk of failure and errors and to ensure the safety of those involved. I thought the book would educate me on building better checklists that our clients could use in their plans.

In the world of BCM, our life is about developing checklists for the Crisis Management, Business Recovery and Disaster Recovery Teams of our organizations. But, in all honesty, do our team members read the checklists, understand them or even know they exist? Our average attention span is now eight seconds, less than that of a goldfish.

I looked back at my past checklists; some were good and some were awful. They were too long, not appropriate, or had tasks thrown in for filler. The best were short, concise and action oriented. The days of writing long, voluminous checklists so that anyone could pick one up and go are over.

So, what makes up a “bad checklist”, according to Dr. Gawande?

  • Vague
  • Too Long
  • Hard to Use
  • Impractical
  • They Turn People’s Brains Off Rather than On

But in comparison, what makes up a “good checklist”?

  • Written for the Task at Hand (Do-Confirm or Act)
  • Precise
  • Efficient
  • Doesn’t Spell Out Everything
  • Provides Reminders of Only the Most Critical and Important Steps that Even Highly Experienced Professionals Could Miss

Dr. Gawande notes that in the end, a checklist is only an aid. If it doesn’t aid, it’s not right. But if it does, we must be ready to embrace the possibility.

Do your teams refer to their checklists at all? I can’t count the number of real events and recovery exercises I have facilitated where we were lucky if they brought their plan, let alone referred to their checklists if they brought them. But the disciplined teams read the checklists, executed each step, and had a higher rate of success and confidence; they still made mistakes but made the process better and better over time.

You cannot create a good checklist without input and use by your teams. But also remember, checklists cannot make anyone follow them. Teams must have the discipline to use them, execute them and make them better.

Read the book. It’s a good read and will make your checklists better.


Is Management Under a False Sense of Recoverability?


Is your management team aware of your true recovery capabilities? Are you transparent on what the BCM program can really do in a disruption? Or, is management under the misguided interpretation that whatever the situation is, they will make it through and be a recovery superhero?

Tragically, even as the BCM and risk management industry continues to mature over time, we are finding that management is often still living under a misguided belief that their recovery capabilities are much better than what they really are.

But why is this happening? Who should we blame? Is the BCM Office not being transparent, is it lacking the right knowledge or information, or is it being ignored by management? Or, much worse, is management turning its head away, saying nothing is going to happen and/or that the organization is too big to fail?

We have worked across all kinds of organizations; those with seamless, proven capabilities and others with pieces and parts in place or nothing at all.

A recent example was a client who had the majority of the proper pieces of the recovery vehicle in place (a working backup data center, contract for alternate business workspace, resilient network, documented plans, etc.). However, what was missing was the documented proof that these individual pieces had been exercised individually and together to prove that the organization could recover what it said it could in the required timeframes.

Management was upset that we concluded that, even though the organization was well on its way to a decent program, we could not confirm it could recover its business and it was therefore deficient. I use this example: taking you for a drive in my Porsche sports car to prove it can meet all of its speed specifications is a lot different from telling you I have a fast Porsche while the parts are lying in the garage and the car needs to be assembled first.

The bottom line is you and your executives must be transparent, knowledgeable and willing to attest to the real capabilities; not what is imagined or believed can be accomplished when a disruption occurs. As the old saying goes, “the proof is in the pudding”.

What is the Residual Risk of Your Business Unit Recovery Plans?


What is the “residual risk” of your critical Business Units and their continuity capabilities? But first of all, what is residual risk? Residual risk is the risk that remains after an organization has implemented appropriate controls to comply with industry standards, regulatory requirements, best practices, etc.

In a perfect world, you want to have the lowest possible residual risk for your most critical business units and Information Technology to minimize the potential for significant impact to your organization in the event of a disruption. The higher the residual risk, the greater the opportunity for a greater impact in the event of a disruption. So, let’s look at a simple way of assessing residual risk.

First, you must assign an impact factor to the Business Unit or IT entity. To make it simple, we assigned an impact of 5 to each Business Unit/Information Technology System/Application whose RTO category will have a critical impact if disrupted, 3 to those RTO categories that will have a moderate impact and 1 to those RTO categories that will have little to no impact if they suffer a disruption.

Second, now that you have assigned the potential impact to the organization from the Business Unit or Information Technology entity, you must then consider the controls that are key to reducing the risk of a critical business unit or IT system/application. These may include:

  • Business Impact Analysis
  • Recovery Strategy
  • Recovery Team
  • Recovery Plan
  • Recovery Exercises
  • Training & Awareness

Within each of these controls, you must consider the extent to which each control has been implemented for each business unit to assess how solid it is. A BIA completed in the last year yields greater risk control than one completed three years ago or never. The use of a geographically diverse recovery strategy greatly reduces residual risk, while having a backup site a mile away is not as good. So, you need to assess the strength of each control using common sense (5 = Fully Implemented, 3 = Moderately Implemented, 1 = No Control). More importantly, you must have a solid understanding of what makes a control fully implemented and what does not. Weight each control based on its importance to recovery success, with all control weightings adding up to 100 (e.g., recovery strategy weight is 25%, recovery plan is 10%, etc.). Add up the weighted scores to get your control score.

Third, to get the residual risk, subtract the total weighted control score from the impact score. For example, the impact score for a business unit with an RTO of 0 to < 12 hours is 5. The weighted control score for this business unit is 4.3, leaving a residual risk of 0.7, which is outside our established tolerance level of 0.5 for business units with a high impact score. If your control score happens to be greater than the established impact score for the business unit, apply the absolute zero rule (report zero rather than a negative residual risk score); a result at or below zero also means your controls are in good enough shape for that business unit. Using this approach, you can also quickly identify which controls need to be augmented to reduce residual risk.
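A worked version of the three steps above, added here as an example; it is not MHA’s BCMMETRICS tool or any code from the post. It keeps the page’s 5/3/1 impact and strength scales, the two named weights (Recovery Strategy 25%, Recovery Plan 10%), the 0.5 tolerance for high-impact units and the absolute zero rule. The remaining four weights, the tolerances for moderate and low impact units, the unit name and the sample strength ratings are constructed assumptions chosen so the sample reproduces the 5 - 4.3 = 0.7 case in the text.

```python
# Added example (not MHA's tool): residual-risk scoring as described above.
# Scales follow the page: impact 5/3/1, control strength 5/3/1, weights sum to 100.

IMPACT = {"critical": 5, "moderate": 3, "low": 1}      # impact factor per RTO category
STRENGTH = {"full": 5, "moderate": 3, "none": 1}        # how solidly a control is implemented

# Control weights in percent. The page names only two (Recovery Strategy 25,
# Recovery Plan 10); the other four values are constructed assumptions.
WEIGHTS = {
    "Business Impact Analysis": 15,
    "Recovery Strategy": 25,
    "Recovery Team": 15,
    "Recovery Plan": 10,
    "Recovery Exercises": 25,
    "Training & Awareness": 10,
}

# Residual-risk tolerance per impact score. The page states 0.5 for
# high-impact units; the other two levels are constructed assumptions.
TOLERANCE = {5: 0.5, 3: 1.0, 1: 2.0}


def control_score(strengths, weights=WEIGHTS):
    """Weighted control score: sum of weight% x strength over every control."""
    if sum(weights.values()) != 100:
        raise ValueError("control weights must add up to 100")
    missing = set(weights) - set(strengths)
    if missing:
        raise ValueError(f"no strength rating for: {sorted(missing)}")
    return sum(weights[c] / 100 * STRENGTH[strengths[c]] for c in weights)


def residual_risk(impact, strengths, weights=WEIGHTS):
    """Impact minus control score, floored at zero (the 'absolute zero rule')."""
    return max(0.0, impact - control_score(strengths, weights))


def control_gaps(strengths, weights=WEIGHTS):
    """Residual risk each control contributes by not being fully implemented,
    largest first, so the controls to augment are visible at a glance."""
    gaps = {
        c: weights[c] / 100 * (STRENGTH["full"] - STRENGTH[strengths[c]])
        for c in weights
    }
    return sorted(((c, round(g, 2)) for c, g in gaps.items() if g > 0),
                  key=lambda item: item[1], reverse=True)


def assess(unit, impact_level, strengths, weights=WEIGHTS):
    """Full assessment for one business unit or IT system/application."""
    impact = IMPACT[impact_level]
    rr = round(residual_risk(impact, strengths, weights), 2)
    return {
        "unit": unit,
        "impact": impact,
        "control_score": round(control_score(strengths, weights), 2),
        "residual_risk": rr,
        "within_tolerance": rr <= TOLERANCE[impact],
        "gaps": control_gaps(strengths, weights),
    }


# Constructed sample: a 0 to < 12 hour RTO unit with two moderately
# implemented controls, reproducing the page's 5 - 4.3 = 0.7 example.
SAMPLE_STRENGTHS = {
    "Business Impact Analysis": "full",
    "Recovery Strategy": "moderate",
    "Recovery Team": "full",
    "Recovery Plan": "moderate",
    "Recovery Exercises": "full",
    "Training & Awareness": "full",
}

if __name__ == "__main__":
    result = assess("Claims Processing", "critical", SAMPLE_STRENGTHS)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Running it shows the sample unit at residual risk 0.7 (outside the 0.5 tolerance) with Recovery Strategy (0.5) and Recovery Plan (0.2) listed as the gaps to close; a low-impact unit whose controls outscore its impact reports 0.0 rather than a negative value.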

Lastly, in the end, your ultimate goal is to have implemented your plans and associated controls in such a manner that little to no residual risk exists for the most critical areas of your organization. We are implementing residual risk analysis in Q3 of 2015 as part of our BCM compliance self-assessment tool, BCMMETRICS(TM). To review the tool, go to www.bcmmetrics.com for a comprehensive overview of the tool and its assessment and reporting capabilities.

Rip off the Band-Aid…Assess Your BCM Compliance Today, not Tomorrow

Ripping off a band-aid is painful, but it’s temporary in nature. Assessing your BCM compliance is a lot like ripping off a band-aid: you deal with the initial pain of finding out where your gaps and exposures exist, but then experience the healing aspect of generating a roadmap for remediation that brings about a heightened level of compliance and resiliency that significantly outweighs the temporary pain of the assessment.

So, what are some reasons planners aren’t assessing and scoring their BCM compliance?

  • Fear of the Unknown
  • My Program is Already Bad, Why Bother?
  • What Standard Should We Use that Makes Sense for Us?
  • How Do I Present the Results?
  • What Do I Do With the Results?

The need to assess BCM compliance and generate metrics that depict your current and future state is coming to the forefront for our senior management and industry. We must effectively and efficiently balance risks and exposures in our programs by knowing where we stand today and where we need to be over time.

Assessing your BCM compliance permits you to identify the critical exposures that, if prioritized for mitigation, will bring about the greatest improvement in compliance and resiliency, while permitting you to hold off on resolving other, nice-to-have exposures that can be addressed later in the lifecycle of the program.

A very simple approach is as follows:

  1. Pick one standard (ISO 22301, FFIEC, BCI Good Practices, etc.) that best suits your needs.
  2. Review the standard and its requirements for each dimension (Oversight, Crisis Management, Business Recovery, etc.).
  3. Separate out each dimension and its associated requirements.
  4. Weight each requirement based on its importance (high, medium, low) to the successful execution of the program.
  5. Score your compliance on each requirement (no compliance, minimal, full).
  6. Multiply the importance weight by the compliance score.
  7. Rank your compliance score (0 to 60 Poor, 61 to 80 Moderate, 81 to 100 Excellent).
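The seven steps above carried through on constructed data, added here as an example; it is not MHA’s BCMMETRICS tool or any code from the post. The page leaves the numeric values of high/medium/low importance and none/minimal/full compliance open, so the mapping below (3/2/1 and 1.0/0.5/0.0), the normalisation of each dimension to a 0 to 100 scale, the dimension names beyond those the post mentions and every requirement name are assumptions. Beyond the ranking, it also orders the non-compliant requirements by how many points their dimension would gain if each were fixed, which is the prioritisation the post describes.

```python
# Added example (not MHA's BCMMETRICS tool): the seven-step compliance
# assessment, run over a constructed sample program.

# Numeric values for the page's high/medium/low importance and
# none/minimal/full compliance ratings are constructed assumptions.
IMPORTANCE = {"high": 3, "medium": 2, "low": 1}
COMPLIANCE = {"none": 0.0, "minimal": 0.5, "full": 1.0}


def dimension_score(requirements):
    """Weighted compliance for one dimension, normalised to 0-100.

    requirements: list of (name, importance, compliance) tuples.
    """
    total = sum(IMPORTANCE[imp] for _, imp, _ in requirements)
    if total == 0:
        raise ValueError("dimension has no requirements")
    earned = sum(IMPORTANCE[imp] * COMPLIANCE[comp] for _, imp, comp in requirements)
    return round(100 * earned / total, 1)


def rank(score):
    """Page's bands: 0-60 Poor, 61-80 Moderate, 81-100 Excellent.
    A fractional score in a gap (e.g. 60.5) falls into the higher band."""
    if score <= 60:
        return "Poor"
    if score <= 80:
        return "Moderate"
    return "Excellent"


def assess_program(program):
    """Score and rank every dimension: {dimension: (score, band)}."""
    result = {}
    for dimension, requirements in program.items():
        score = dimension_score(requirements)
        result[dimension] = (score, rank(score))
    return result


def exposures(program):
    """Requirements short of full compliance, ordered by the points their
    dimension would gain if they were fixed (largest first)."""
    found = []
    for dimension, requirements in program.items():
        total = sum(IMPORTANCE[imp] for _, imp, _ in requirements)
        for name, imp, comp in requirements:
            gain = 100 * IMPORTANCE[imp] * (1.0 - COMPLIANCE[comp]) / total
            if gain > 0:
                found.append((dimension, name, imp, round(gain, 1)))
    return sorted(found, key=lambda e: e[3], reverse=True)


# Constructed sample program: requirement names are illustrative and not
# taken from any particular standard.
SAMPLE_PROGRAM = {
    "Oversight": [
        ("Documented BCM policy", "high", "full"),
        ("Documented program standards", "high", "minimal"),
        ("Steering committee meets quarterly", "medium", "full"),
        ("Annual program review", "low", "none"),
    ],
    "Crisis Management": [
        ("Crisis Management Team defined", "high", "minimal"),
        ("Assembly locations identified", "medium", "full"),
        ("Mock disaster exercise conducted", "high", "none"),
    ],
    "Business Recovery": [
        ("BIA refreshed within 12 months", "high", "full"),
        ("Event-neutral recovery plans", "high", "full"),
        ("Relocation exercise performed", "medium", "minimal"),
    ],
}

if __name__ == "__main__":
    for dimension, (score, band) in assess_program(SAMPLE_PROGRAM).items():
        print(f"{dimension}: {score} ({band})")
    print("Exposures by improvement potential:")
    for dimension, name, imp, gain in exposures(SAMPLE_PROGRAM):
        print(f"  +{gain} in {dimension}: {name} [{imp}]")
```

With the sample data, Oversight ranks Moderate, Crisis Management Poor and Business Recovery Excellent, and the missing mock disaster exercise tops the exposure list because it is a high-importance requirement with no compliance in a small dimension.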

Once you have ranked each dimension, present the results to management for review and prioritization and remediation of the exposures.

You get a physical on a regular basis; why wouldn’t you do a regular health check on your program? Why do so many programs run without direction year after year?

So, I challenge you: rip off the band-aid; pick a standard and assess your BCM compliance. The time is now…not tomorrow.

If you want to see how we have automated the BCM compliance assessment process, visit our BCMMETRICS self-assessment tool website at www.bcmmetrics.com.

I Have a BCM Policy…Why Do I Need Standards?


You have a documented and approved BCM policy. You’re done, right? Well, not really. You told your stakeholders in the policy that they have to play in your BCM game; but what does the playbook look like? That’s where your standards come in; they outline how your stakeholders will be required to play the game. If you don’t tell them upfront how they need to play, it will lead to inconsistency in performance and execution of the BCM program.

So what standards are minimally required? The following minimum standards should be a part of your program:

  1. Plan Development & Maintenance – This standard should outline the BCM program’s expectation for how a recovery plan (Business and IT) will be developed, the minimum content expected from plan developers (business and IT) and the required maintenance. Stakeholders should be able to clearly understand the process to develop and maintain their plan by reading the standard.
  2. Recovery Strategy – This standard clearly outlines, based on the Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs) derived from your Business Impact Analysis (BIA), what the recommended recovery strategy (dedicated alternate work area, work from home, redundant computer systems/applications, etc.) should be for business units and their processes as well as for systems/applications. Plan developers need to reference this standard and implement the recommended recovery solutions and strategies to ensure they can meet their specific RTOs and RPOs.
  3. Recovery Exercise – So you told me in your BCM policy that I need to exercise annually, but what does that mean? This standard should outline the type of exercises (tabletop, walkthrough, functional, etc.) required to be conducted based on the RTO of my business unit/process and/or computer system/application, the documentation required (pre and post exercise) and the signoff/approvals needed following the exercises. Your standards should mandate increasingly complex exercises for business and technology over time.

Planners are often concerned that by setting standards they will cause more headaches if they can’t meet what they set as the minimum baseline; set reasonable standards that make sense for your organization and recovery requirements. Standards are not cast in stone; they can be updated to reflect the nature and needs of the organization as it matures over time. The policy and its supporting standards work hand in hand to provide a clear picture of the expectations of the program.

Lastly, establishing and documenting standards will heighten your level of compliance with today’s industry standards, best practices and guidelines.


If Your BCM Program Were a Publicly Traded Stock, What Would Its Price Be?


As the CEO of a boutique BCM consulting firm, I am responsible for global leadership of the entire set of industry practices and horizontal capabilities within our organization. Building the firm over the last 16 years from just my laptop and me to an international consulting firm has been quite the adventure.

So I got to thinking over the past years: if our company were on the stock market, how valuable would we be to our shareholders? What characteristics would make our company more valuable over time? Are we executing on these characteristics in a consistent manner? How do I heighten awareness and achievement in these key characteristics?

So, you may ask, how does this apply to me as a BCM Manager? In my humble opinion, you should run your organization like a company. It’s your company and your shareholders are your internal customers. You have a brand whether you like it or not; it may be positive or negative. BCM engages every facet of an organization; programs today must be high performing in a number of key areas:

Audience Knowledge

Do you know your customers? Working across the vast spectrum of industries and clients, we have had to learn to quickly understand the client and their culture. Working in a hi-tech startup environment is a lot different than working in an insurance company that has been in business for over 100 years. Know your customers, their culture and their quirks. Figure out what makes them tick and how you can get the best out of them. Some may require more hand holding than others; some will do it with little supervision or oversight.


Whether you believe it or not, your BCM program has a brand identity associated with it. What words would your stakeholders use to describe your program? Would they say it’s innovative, consistent and easy to use, or would they say it’s complicated, lacks direction and wastes their time? We work hard to build a brand characterized by passion, consistency, timeliness, value for the investment and, most importantly, guaranteed results.


Does your team have a passion for what it does? Is this passion exhibited when you work with your stakeholders? You need passion to bring enthusiasm to not only your team but also your stakeholders, as the subject of BCM is not something most people jump up and down about. Do your best to get your stakeholders passionate about BCM and how it benefits them and the organization. I love to hear when our customers say our consultants have a passion for what they do; it comes out in everything they do and bleeds over to the customer. Find people who have passion; it will yield great results.


Do you provide the same, day in and day out consistency of service to your stakeholders? Or is it hit and miss depending on the day and the person providing the service? Stakeholders don’t want to deal with inconsistency, as their time is so limited. As we have grown at MHA, we have worked hard to bring in people and processes that ensure a consistent approach in providing all facets of our BCM services. You have to ensure consistency in approach, methodology, timing and customer service. Inconsistency yields unhappy customers in the long run.


I am a highly competitive person in my personal and professional endeavors. I strive to bring that competitiveness to my organization and the people we hire. We have grown tremendously over the years and it’s been due to our competitiveness and desire to improve. Success breeds more success, but it can also breed entitlement and complacency. You have to be thinking not just about this year but 2 years down the road. Don’t let your program become stale; work to improve it, day after day, week after week, year over year. Minuscule improvements can yield Mt. Everest-like success over time.


Are you communicating regularly with your stakeholders using multiple channels? We have learned that keeping in touch with our stakeholders and our staff is critical to our success. As the saying goes, “Out of sight, out of mind”. Communicate to your stakeholders regularly using email, electronic newsletters, phone calls, onsite visits, etc. Not everyone will read them but some will; it will heighten the exposure of your brand. We do our best to maintain positive contact with our clients using multiple channels on a regular basis. My Dad taught me that the best exposure is the personal visit: the chance to hear what your customer has to say (good or bad) and shake his/her hand. In the end, it comes down to the relationship.


As I have said before, the biggest problem we have seen in BCM programs is not the approach and methodology being used but the lack of leadership by the BCM Manager. To coordinate the efforts of team members and guide a strategic vision for a brand, someone has to step up and steer the ship. You have to be an expert motivator and know how to maximize the strengths of different team members. Learning how to step back, lead and motivate team members took me some time. You need to know where to seat your people on the bus to make the journey successful, but also where to move them or, worst case, have them get off at the next stop. I have learned I am more valuable to the organization providing global leadership and direction than I am engaged in each and every engagement.



Where is Your BCM Roadmap Taking Your Program in 2015?


Where is your BCM roadmap taking your program in 2015? Do you even have a roadmap to guide your efforts? Do you find you and your team more focused on fighting day-to-day fires, dealing with management “told you so’s” or addressing client audits than on setting a plan for heightened sophistication, compliance and maturity? As the old saying goes, it doesn’t matter what road you are taking if you don’t know where you are going!

We find a good number of BCM programs in organizations of all sizes and shapes with no roadmap to direct BCM efforts across the organization. Producing a roadmap based on critical needs sets the tone for targeted efforts that will bring the biggest return on investment of time and resources. Having a roadmap is a key component of BCM Governance, Risk and Compliance (GRC). The roadmap shows that due diligence was conducted in the management of the program and its risks.

But before you create a proper roadmap, you need to have a good understanding of the state of your program. Look at the following areas of your BCM program and assess each for successes, weaknesses and opportunities for improvement:

  • Program Administration
  • Crisis Management
  • Business Recovery
  • IT Disaster Recovery

Based on your high level assessment, identify where the strengths, weaknesses and opportunities for improvement lie in each of the four areas. Prioritize findings by criticality and importance to heightening the sophistication, compliance and maturity of your program over the next twelve months.

Now create a roadmap for the next four quarters to include ongoing BCM activities (maintenance, testing, steering committee sessions, etc.) plus the critical areas of opportunity you identified in your high level assessment. You may not be able to get to all of them, so further prioritize your list to the most important opportunities that will yield the greatest heightening of resiliency in the next twelve months.

The roadmap is not a static document; it must be refreshed on a monthly basis based on progress or changes in the environment. Its purpose is to set the tone and direction for your program; it’s up to you and your team to execute upon it.


BCMMETRICS Celebrates its First Year in Operation…What Did We Learn?


The BCMMETRICS(TM) self-assessment tool has been in production since January 2014 and is being used by subscribers across a wide range of industries that include Consumer, Education, Financial, Insurance, Technology and Utilities.

So, what have we learned in the first 12 months of its existence? The following paragraphs highlight a few of the learnings. The tool has proven to be a valuable BCM Governance Risk Control (GRC) tool, as evidenced by the size, complexity, global reach and mix of industries using it.



Global Learnings

  • The Financial and Utility industries had the highest level of compliance (e.g., those with Program Administration, Crisis Management, Business Recovery and Disaster Recovery each at 81 or above).
  • The most compliant BCM programs have been in existence for five (5) years or longer and have had the consistent management support and strategic direction needed to make incremental progress.
  • The majority of subscribers had not adopted a specific BCM standard to gauge their level of program compliance prior to subscribing to the BCMMETRICS self-assessment tool.
  • The ability to evaluate compliance across multiple standards and not just one has

Program Administration

  • BCM policies are widely documented, but program standards were often lacking. A lack of documented standards leads to inconsistency in application of the BCM process across the organization.
  • The Business Impact Analysis (BIA) is typically being conducted every two to three years. A number of highly regulated subscribers are being required to update their BIA results annually.
  • Pandemic planning is often being addressed through Loss of Resources/Workforce in Business Recovery Plans and not in a separate plan or process.

Crisis Management

  • The majority of subscribers have a defined Crisis Management Team to address an enterprise level disruption.
  • Most entities have defined physical and virtual locations for their Crisis Management Team to assemble as needed.
  • Those programs with a higher level of compliance are conducting regular training and mock disaster exercises with their Crisis Management Teams.

Business Recovery Planning

  • BIA information is often not being integrated with Information Technology to ensure Recovery Time Objectives and Recovery Point Objectives are aligning.
  • The best recovery plans are “event neutral” and address multiple scenarios (e.g., Loss of Building, Loss of Technology, Loss of Resources, etc.).
  • The most compliant programs are performing full relocation exercises of their business units to their alternate work areas to validate recovery plans, strategies and integration with IT recovery of critical systems and applications.

Disaster Recovery Planning

  • Standalone DR testing remains the standard form of testing being conducted at the majority of subscribers. Lack of available testing time was identified as the primary reason for only conducting standalone exercises.
  • Integrated DR testing is very limited and is only being performed by the most compliant subscribers.
  • The most compliant DR programs are exercising recovery of their critical systems and applications throughout the year.

The ability to quickly, easily and regularly measure the compliance of your program has been extremely valuable to the subscribers. The tool gives subscribers the ability to quickly identify the areas that have the highest importance and the lowest level of compliance, so that the greatest risk is identified and mitigated in a timely manner.

Heighten the sophistication and maturity of your BCM program today through intelligent measurement. Contact us today for a demo at helpdesk@bcmmetrics.com.