3820 W Happy Valley Rd, Glendale, AZ 85310
(888) 689-2290

MHA Consulting



Understanding your individual & family risk profile

By No Comments

Richard Long, Senior Advisory Consultant, MHA Consulting

Along with the rest of the world, I have been thinking about and praying for those in Japan and Ecuador. When these tragic events occurred I was thousands of miles away on another continent working with a client. My thoughts immediately went to my family and how grateful I am to live in a place with very little risk of natural disasters. My thoughts also went to a friend of mine who recently passed away. He was in his early eighties and had an amazing life – we had many stimulating conversions and he walked several miles each day. He died suddenly of a heart attack and was not found until three days later – when his children had not heard from him and called the police.

While my family has a plan for gathering and communicating in the event we are separated during a crisis event, I must admit, in my heart of hearts, I don’t think we will actually ever have to use it – ironic for someone in my field. If I have those feelings, I know many of you have the same thoughts. The recent death of my friend and earth showing its power have made me realize that I need to follow the counsel I give to clients.

The most important aspect of any organization is the people – that includes our families. Do you know the risks to your family (most impactful, most likely, etc.)?

Families have many characteristics – biological relationships (children, parents), spouses, partners, extended relationships, friends, and pets. They may live in the same dwelling, in the same city, same region, or far away.

As a BCP professional, in order to support your business, you need to be available. If your family is impacted – whether as part of the business crisis or as a separate family crisis – you may not be available to help keep your business resilient.

The good news: you can use the same methods to determine risks and plan for your family as you do for your business.

  • What are the natural threats to your family members (at home, school, and work)? For example, I know that during the summer, microbursts can have major impacts to localized areas in my metropolitan area.
  • What are the most likely threats to your family (violent crime, health or injury risks)?
    • Understand your family members’ hobbies and extracurricular activities. Understand family health conditions and how those may impact each family member.
    • What is the risk profile of your neighborhood – are there any potential high crime or protest locations, hazardous vehicle routes, etc.? Talk to the local police and understand the crime distribution. For example, vehicle theft is relatively high in my zip code.
  • Create a basic communication, relocation, and assembly plan.
    • Practice and review the plan on a regular basis. Make updates as situations change. A plan that includes young children is different from one that includes teenagers, adults, or adult dependents.
  • Put a plan together on how to check on a family member or loved one not living with you to make sure all is well. (Side benefit, you to get communicate more often.)

There is nothing more important than you and your family or support group. Take the time to plan – it will give you a little more peace of mind.

Your Administrative Assistants are your Friends

By No Comments

Richard Long, Senior Advisory Consultant, MHA Consulting

Who is the most important person in an organization? I was thinking about this when conducting some Business Impact Analysis interviews recently. I asked some of the people during the interviews what they thought. Some of the answers: CEO, COO, “me,” “no one – everyone is important,” sales people, operations, etc. A position that never came up, but should arguably be included, is the administrative assistant. During the BIA process, I spoke with the admins/office managers at several locations and they all had insights that no one else provided. There was knowledge of both defined and actual organizational procedures, and how processes actually were performed vs. how they were “supposed” to be performed.

As you consider how to ensure that various BCP documents are created or updated, work to include the administrative assistants or other support individuals in these activities. They are often an underutilized group as it relates to business functions. When I had management responsibilities, the admin assigned to me kept me on track with those tasks that were most important or needed to be completed. Without this individual I would not have been nearly as successful.

Here are some of the ways to use these important and knowledgeable people:

  • Ask the individuals they support for permission to use them.
  • Have them develop draft documentation – they know more than you think.
  • Ask them to assist with getting the team to complete their updates/tasks. You’d be amazed how much influence and urgency they can provide.
  • Ask them who to contact when issues arise and you are not sure who can help.
  • Include them in the Crisis Management Team in communication, logistics, or other support type roles. They are typically among the best in the organization with these skills.
  • Include them in assessments and information gathering.
  • Include them in the Crisis Plan and Communication Plan development. They know who to contact, the best methods to use, and when those individuals want/need to be informed.

Administrative Professionals have a tremendous amount of information and knowledge. They can make your job easier and help you get the BCP tasks completed.

Many BCM Practitioners Continue to Ignore BCM Standards

By No Comments

Michael Herrera, CEO, MHA Consulting

Many BCM practitioners talk about BCM standards, but few walk the walk. I write this blog as this subject continues to boggle my mind in today’s risk-filled environment.

I recently presented to two groups: one at a major conference in Orlando and the second at a leading continuity group in Nebraska. We spoke to a total of about 140 practitioners regarding standards and compliance. The attendees were all from mid-level to very large companies – some regulated, some not. Experience levels ran from beginner to advanced.

The first question I asked both groups was: How many of you have adopted a standard to drive your enterprise BCM program?

Want to guess what percentage had adopted a standard?  1%? 25%? 50%?  Less than 10% of the 140 had adopted a standard—a dreadfully low number.

Many used the excuse that they are not regulated (which I don’t get in this day and age). Others don’t know what standard to use, how to implement it, or what value it will bring. I believe that in some cases the BCM program attempts to stay under management radar.

In today’s world, the BCM Office and its efforts, resources, and needs typically cost companies hundreds of thousands, if not millions, of dollars annually. Staff cost alone can be over a million dollars in salaries, not to mention all of the other moving parts.

Would you want your multi-million house built without using building codes and standards?  How about the airplanes we fly in or the medical facilities we use?

Today’s constantly emerging risks, increasing expenses, and responsibility for recovery mandate that you use a standard to build your program from to ensure that it can operate at a high level when it’s needed most.

The dark ages of our industry are long gone. To be “world class” you need to have high compliance and low residual risk.

Remember, you might not be able to change the destination of your program today, but you can change your direction. Be a BCM leader; adopt a standard.


Five Tips to Prepare for a Program Audit

By No Comments

Michael Herrera, CEO, MHA Consulting

As BCM professionals we have all gone through program audits at one time or another. It is in our best interest to know what to expect from an auditor, how to deal with the audit experience in a positive way, and how to respond to findings and move our program forward.

At MHA, we are the BCM Office for a good number of our clients. We manage each program using industry best practices and standards as our measuring stick to ensure that the program provides the highest level of resiliency and meets or exceeds compliance requirements. We know which of our managed programs are in line with best practices and which ones need more time and work. Audits are a part of our daily consulting efforts.

We are finding that it is increasingly common for audits to be inconsistent in their application, findings, and outcomes. It is not unusual for audit findings to conflict with what we know to be the true state of compliance in a BCM program. Common conditions we see during audits:

  • Audit teams lack intimate understanding of BCM industry standards and guidelines.
  • Audit teams don’t grasp the difference between standards and guidelines.
  • Audit teams don’t read what you send them.
  • Audit teams generate findings that often have little to do with raising resiliency.
  • There is often conflict created by a “them versus us” mentality.

How do we make audits as bearable and consistent as possible?

Tip #1 – Be prepared – understand your compliance status

  • Ensure your BCM Office and internal audit have a clear understanding of the program to be able to speak to it as needed during an audit.
  • Familiarize yourself with the standards, regulations, and best practices that apply to your industry and BCM program.
  • Understand your compliance status and where your deficiencies are prior to the audit.

Tip #2 – Be proactive – understand how your program will be evaluated

  • Auditors should provide you with a scope of the audit, including what standards they will use to evaluate your program. Note any variations from the standards you actually use and resolve that ahead of time.

Tip #3 – Be cooperative – the auditor is a potential ally

  • Provide the auditors with the information and documentation they need in a timely and thorough manner. Gather your documentation ahead of time, if possible.
  • Compile requested data and information in a logical and organized manner. The documents should tell a positive story of your program from end to end.
  • Don’t attempt to produce documents you know you don’t have at the last minute.  It’s not worth the embarrassment.

Tip #4 – Be realistic and respond honestly to findings; it’s OK to disagree with a finding

  • A BCM GRC tool like BCMMetricsTM can be used to help you prepare for and respond to an audit. BCMMetrics allows you to do your own due diligence so you know where you stand (level of compliance and successes/opportunities) before the audit. Run reports to identify where you are in compliance and where you have big gaps. Share these efforts with your auditors, including any plans you have to address any deficiencies.

Tip #5 – Be accountable – follow through with your action items; improve your own internal standards as needed

What do you do when you disagree with an audit finding?

Fear of possible repercussions for speaking out often keeps us from pushing back on audit findings. I believe that if you have solid evidence a finding was not merited, by all means, push back. Be respectful and specific with your disagreement, and don’t hesitate to propose an alternate conclusion or recommendation. There is no reason to be saddled with needless work that does not raise the resiliency of your program.

In closing, working with auditors is a worthwhile investment of time that can lead to increased management focus and support. Don’t underestimate the importance of preparation, cooperation, honesty, and accountability throughout the audit engagement.



Is Your Work-At-Home Strategy Functional?

By No Comments

Susan Diehl-Brenits, Advisory Consultant, MHA Consulting

An often-overlooked component of a strong business continuity program is having a work-at-home option as part of an alternate worksite strategy. But making it a realistic option is essential.

With the cost of alternate worksites (hot/warm sites) increasing, having the ability for employees to continue critical business activities from home during a business disruption is vital, but the right components need to be in place to ensure this strategy works.

Here are some best practices to consider:

Make working from home part of your corporate culture

Employees need to have the right tools to succeed. This includes company issued laptops or the ability to access company systems from a personal computer. Do employees take laptops home every night and/or can they access corporate systems from a personal computer? If not, you’re limiting your employees to working only from the official alternate worksite or waiting until a laptop can be issued to them.

Define critical work beforehand

Critical work needs to be defined in advance so that during a business interruption employees are focusing on the prioritized business activities and not the activities that can be deferred until after the disruption.

Can the network handle the traffic load?

Does every employee working remotely during a business disruption need to be working at the same time? Is there the potential to work in shifts? By having employees access network systems during different times, you will reduce the demand on the corporate network. Defining and communicating times to work/access systems should be considered.

Keep the lines of communication open

Communication is key when working from home. Employees should be able to troubleshoot problems and minimize downtime. Make sure employees know who to contact when they are having issues – whether it is problems accessing a system, network connectivity, or questions about a business activity.

Practice makes perfect

Finally, make sure that when you need to implement your work-at-home strategy for a business disruption, it is not the first time employees are working from home. Allow employees to work from home occasionally to ensure they know how to connect to the corporate network from home, or how to work with the IT helpdesk to troubleshoot a connection.

Is Your BCM Program in Sync with your organization?

By No Comments

Richard Long, Senior Advisory Consultant, MHA Consulting

As a business continuity professional, what is most important to you? Do you ask yourself:

  • Are business departmental plans up to date?
  • Does the IT DR solution actually work?
  • Do you have enough alternate location seats or enough remote access capacity?
  • Will the next exercise be successful?

These are important, as is keeping the management team updated on status and issues. Your real value comes when you can integrate BCM concepts with the core competencies of your organization. See if you can answer the following:

  • Do you know the priorities of your business departments (e.g., Supply Chain, Accounting, Marketing, Sales)?
    • What are the sales goals (revenue, profit margin)?
    • What is the supply chain strategy (real time shipments, safety stocks)?
    • What are the marketing strategy and target markets (media, demographics)?
  • Do you know the organization’s core competencies?
    • Is it a services or product based company? What are those products or services?
    • Is the organization brick and mortar, online, or mixed? Which provides the most revenue/profit? What is the long-term outlook for each?

Understanding what your organization does at both a macro and micro level will help ensure that your BCM program is viable, functional and relevant. It also will help you know where gaps and issues exist. We encourage you to regularly spend time learning and understanding the priorities and goals of your organization. This knowledge makes you more effective and more valuable to the organization. In future blogs, we will discuss additional aspects of how the BCM program can ensure it is aligned with the business units and organization as a whole.

Is Your BCM Office an Epic Fail?

By No Comments

Top 15 Reasons BCM Offices Fail Miserably

Michael Herrera, CEO, MHA Consulting

As a global BCM firm, we work across all sizes and shapes of organizations. We work across a multitude of industries, with teams with lots of talent and not so much talent, management that cares and management that doesn’t have a clue about BCM. So, what causes epic failures in BCM Offices? Here are our Top 15 reasons:

  1. BCM Managers lack the basic skills to manage themselves productively, let alone to manage cross-functional teams in large organizations.
  2. Managers believe BCM certifications are the BE ALL and END ALL to ensuring success, and they only hire people with them versus people who can EXECUTE.
  3. Team members have no clue about where the enterprise program stands when it comes to compliance and residual risk.
  4. There is no one single set of goals for the team to follow and accomplish.
  5. NO time is made for regular status meetings, strategic planning or there is NO use of a roadmap that outlines key initiatives for the program.
  6. Trying to “boil the ocean” by working on the entire organization versus only on high priority/high risk areas that will heighten compliance the most and reduce the most risk.
  7. Attempting too many BCM initiatives that can never be finished, that bring no value to the program, or that should be outsourced to make better use of staff time.
  8. Hiring too many BCM specialists who often end up with nothing to do, or who can’t help out across other parts of the program.
  9. Believing a new tool of some sort will save the day, but ending up with another function to administer or with failure of the tool due to lack of proper setup.
  10. Constantly making changes to their BCM methodology, causing rewrites that do nothing but confuse the stakeholders or waste their time.
  11. Micromanaging team members; not letting team members make their own mistakes and grow as planners.
  12. No cross training of team members to build succession into the organization.
  13. They don’t measure the skills of each team member to better understand baseline skill levels and how each team member can be used effectively.
  14. They try to do everything themselves and fail versus using a knowledgeable consultant to educate them and get things done in a timely manner.
  15. They hide from senior management because they don’t want them to know how bad the situation is across the organization.

So, who is at fault? All too often, the responsibility for failure of the BCM team falls on one person – the BCM Manager. He/she never takes a step back to look at the big picture and see what is happening across the organization. If you CAN’T manage yourself well, there is a low probability that you will be successful in managing a cross-functional team for any size organization.

As the CEO of MHA, I must constantly step back and see how we are executing across our many clients, and how this fits into out strategic roadmap for the year. We have different skill sets that must be married to work across many different organizations and cultures. Our people know what our annual goals are, and where they fit in to make themselves and MHA successful. It took time and mentoring to heighten my ability to run an organization working across the globe. It didn’t happen overnight and I made a lot of mistakes.

But, as Jim Rohn, one of our greatest motivational speakers, said, the more you work on yourself, the more success you will attract. In other words, work on yourself, not on your job.

So, what do we see as characteristics of successful BCM Offices?

  1. Team manager manages himself/herself and daily operations in a highly organized and productive manner.
  2. Team manager clearly understands where the enterprise program stands by assessing compliance and residual risks on a regular basis.
  3. Team manager has a strategic plan and roadmap that is based on the state of compliance and residual risk.
  4. Team manager identifies a small number of key initiatives (3 to 5) that can be accomplished by the team to bring the greatest improvement in compliance and reduction in risk.
  5. Team meets on a regular basis to hold productive team reviews of where things stand, action items to resolve, and congratulate successes.
  6. Team manager hires multi-talented people who can execute to the roadmap and aren’t afraid to work in the trenches.
  7. Team manager focuses on simplicity in their BCM methodology and approach to maximize execution.
  8. Team manager makes it a priority to delegate tasks to team members to make them productive and let team members grow and make fewer mistakes over time.
  9. Team manager cross trains across areas of specialty to build succession into the team.
  10. Team manager continually assesses compliance, risk and team performance to update and execute roadmaps.

Reducing the Pain in BCP and DR Plan Documentation

By No Comments

Richard Long, Senior Advisory Consultant, Business Continuity Planning, MHA Consulting

“Organizations do not do a good job with documentation” is a generalization, but one that we have experienced is often true. There are some who like and are good at documentation and, more importantly, at keeping that information current, but they are in the minority. Some larger organizations have staff dedicated to various documentation efforts, but most do not have staff in place to concentrate only on that task. When it comes to business continuity related documentation, it can be even more difficult since it requires effort to be spent on something we do not want to think about and that will probably not occur. Why spend the time when there are many other “more important” activities?

In the BCP field we often work to create documentation first and then test based on that information; or put in technology first and then document procedures after implementation. We have been changing that paradigm with organizations that have limited time or human resources to perform documentation activities. Rather than trying to create documentation and then use it in the testing, we are using the testing or implementation activities as time to also generate the documentation. This works very well with technical recovery and business recovery plans. While it does take a bit more time during the exercise, the benefit of getting the majority of the content generated in this way outweighs the time. Also, it allows for efficient use of downtime during exercises. People can work on documentation rather than sitting and waiting for their next activity. Another benefit is that the initial version of the plan is more accurate. Steps are documented as executed rather than the procedures being a thought exercise that is often rushed through to check a box as complete.

Are there weapons in your workplace?

By No Comments

Richard Long, Senior Advisory Consultant, Business Continuity Planning, MHA Consulting

Movie theaters, schools, homes and businesses are all places where people have been injured or killed in shooting incidents. The nation is in the midst of a debate over the level of gun control that is appropriate. State laws vary widely from one state to another. No matter where you live or work, the risk of an active shooter exists. In a state such as Arizona (my home state), I would be very confident in saying that a gun has been in your building recently even if you have a “No Weapons Allowed” sign. If you live in a state that has more restrictive concealed carry laws, it may not be a daily occurrence, but it does happen. Even if you don’t feel that guns are a concern, individuals can enter most buildings with other weapons (such as a pocket or folding knife), and they do so on a regular basis. According to an FBI study on active shooters (September 2014), there were 160 occurrences between 2000 and 2013, with the largest percentage of events (45.6%) occurring in a commercial environment. The remaining 24.3% occurred in educational and other environments.

No matter your social or political leanings, planning for your response to workplace violence should occur, and your plan must be updated along with all other plans and strategies. Thinking or hoping it cannot happen is not a strategy. While the planning process may be difficult, how your organization reacts to and prevents violent incidents will make the workplace more comfortable and efficient for everyone. In your plans, do not contemplate just a singular type of event – such as an active shooter – but consider all types of violence. Guns are the big concern in our current environment, but it is important to remember that people are the reason behind these acts (this is not intended as a political statement), and our plans need to consider how people act and react.

Items to consider:

  • What barriers are in place in your facilities preventing access to critical equipment?
  • What measures are in place in your facilities to keep people safe?
  • What are your evacuation procedures for a workplace violence situation? Are they the same as those for a fire? Should they be different? For example, in a workplace violence incident you may want to use both elevators and stairs.
  • Do all staff members follow the procedures for visitor access? Have you ever seen someone who does not belong in your building? What did you do?
  • What is your weapons policy? Does that include knives? Should it?
  • Is workplace violence part of your overall training for all employees?

As in all aspects of our continuity planning, not planning for something does not make the issue or risk go away. This is especially true with workplace violence preparations.

Myths in your Continuity Program

By No Comments

By Richard Long, Senior Advisory Consultant, Disaster Recovery, MHA Consulting

Bigfoot, alien visits to earth, “I will win the lottery,” and other “myths” are popular topics for books and television. We might wish they were true, but we know they are, at best, highly unlikely. It is the same in business continuity and disaster recovery. Which of these do you think, or wish, were true?

  • Recovery Time Objectives are not reality.
  • Customers and vendors will understand if I have a DR event.
  • I don’t need DR, my applications run in the Cloud.
  • I don’t really need formal DR; we will figure it out.

The reality is, the “old” way of looking at disaster recovery requires reassessment. Our requirements have changed in the last 5-10 years—whether due to lack of manual processes and technology dependence or to the fact that new technologies/strategies are now commonplace (such as cloud-based computing)—but the need for formal plans, preparation, and technology remains critical to ensuring the continuity capability of your organization. (Did you catch the change from disaster recovery to continuity?)

Let’s look at those items again.

  • Recovery Time Objectives are not reality.
    • When was the last time you performed a BIA to validate requirements? Is that statement based on IT knowledge or on an actual understanding of objective risk? You still need to know the requirements to communicate to management and set appropriate expectations.
  • Customers and vendors will understand if I have a DR event.
    • No, they won’t. Most continuity events are not those that people “understand” like natural disasters. They cause a loss of confidence (data breaches, self-inflicted outages, etc.).
  • I don’t need DR, my applications run in the Cloud.
    • What is your Cloud provider’s continuity solution? Does it meet your requirements?
  • I don’t really need formal DR; we will figure it out.
    • This may be true, but if you don’t have the necessary technology and capability, even with smart people who are able to “figure it out,” the required data may not be available for them to work with.

Take a few minutes to review the “myths” in your program, and identify which may be preventing your organization from being as prepared as necessary.