
BIA Alignment? We Don’t Need NO Stinking BIA Alignment!

Industry best practices recommend that the BCM Office align its organization’s Business Impact Analysis (BIA) derived Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs) with Information Technology Disaster Recovery (DR) capabilities on a regular basis.  So, here is what we are finding in the industry:

  • Management does not understand the alignment process and does not recognize its value.
  • The business and IT have different RTO and RPO matrices, so the alignment process can be somewhat difficult to accomplish.
  • IT does not provide Recovery Time Actuals (RTAs) or Recovery Point Actuals (RPAs) for the critical systems and applications.
  • BIAs are conducted and RTOs / RPOs defined by the business but IT still sets its own timeframes for recovery based on what it can do versus what is needed.
  • The business will reset the RTOs and RPOs to what they can achieve rather than what the BIA-derived business demands are to continue operations.  They don’t understand that these are objectives and are different from actuals.
  • In limited instances, IT can exceed the RTOs and RPOs but does not communicate it to the business.  They don’t want to be held to it.  

In a perfect world, you should have an alignment meeting at a regularly planned interval (e.g., annually) to identify successes and gaps in business expectations and IT delivery capabilities.  A simple table should be constructed to show alignment and gaps:

| Application | RTO | RTA | RPO | RPA |
|---|---|---|---|---|
| System A | 12 Hours | 24 Hours | 4 Hours | 12 Hours |
| System B | 48 Hours | 24 Hours | 24 Hours | 24 Hours |
| System C | 5 Days | 5 Days | 4 Hours | 12 Hours |

The BIA is conducted for a number of reasons and ensuring alignment across the organization is one of them.    So, get out there and get your systems aligned.


Hiring the Right BCM Consulting Firm…

So you are looking to hire a BCM consultant for your next initiative.  What characteristics should you look for and evaluate as part of your selection process?  Below are a few items we recommend you consider:

1. Methodology

2. Price

3. Experience

4. Customer Focus

5. Ability to Execute

 

#1 Methodology

This is a critical aspect of your assessment.  Does their methodology follow industry best practices, standards and guidelines?  Make sure their proposed methodology is in line with the industry to make sure your final deliverable meets your needs and does not produce information that could expose you to additional risks or findings.  Their Statement of Work should be clean, concise and consistent with today’s industry best practices.

#2 Price

Are you looking for the lowest price?  Well, if you are, there is a risk associated with that.   There is a great quote that goes like this:  “If you think it’s expensive hiring a professional, wait ‘til you hire an amateur!”    Our prices at MHA aren’t the lowest, but they aren’t the highest either.  A good consulting firm is not going to be cheap, so don’t expect something for nothing. The price may be higher, but if they are capable they should complete your assignment on time and on budget which can be cheaper than a lower priced firm that goes over budget or produces a poor deliverable.

#3 Experience

Now this can be a tricky one.  Just because a consultant has multiple certifications and 20+ years’ experience doesn’t mean they can execute when the Statement of Work is signed and they come onsite.  You MUST validate that the consultant(s) have the proven ability to execute and produce your deliverable.  Also, if you need a consultant to speak in front of your senior management, make sure they have the requisite personal appearance and presentation skills to be successful.

#4 Customer Focus

At MHA, we strive to build long-term partnerships with our customers and be a “trusted advisor.”  In today’s business world, consultants are often treated as disposable, where companies do everything to get you to the lowest price possible for the maximum number of deliverables.  That is not a good relationship for either party, even though it may seem best for the client.   A good consulting firm will focus on customer service and seek to exceed your expectations.

#5 Ability to Execute

This is where the rubber hits the road.  Does the firm have proven experience executing on their Statements of Work with other clients?  Can they be trusted to execute on your behalf when needed?  Do they have a reputation for exceeding expectations and not just meeting them?  Lastly, a good consultant will push back when he sees you are headed in the wrong direction.  They won’t go in your direction just because you signed the Statement of Work.

A Final Thought

Do we, as consultants, ever fire customers?  Yes!  When I first started MHA, I was terrified to let clients know we didn’t need or want their business.  We now look for MHA to be part of organizations that build successful BCM programs that are best practice, and, most importantly, executable when needed in a crisis.    Good customers and consultants work as partners to meet each other’s needs.

 

 


ORGANIZED CHAOS: Some semblance of order when it seems otherwise.

 

Organized Chaos isn’t a new term. But I have always advised our clients that what you want in your organization during a crisis is “organized chaos.”

Consider the following scenario:

There is a blazing fire in a building. There is heavy smoke and flames everywhere; you can hardly see your hand in front of you. Fire trucks, police cars, and ambulances with lights blazing are parked everywhere. Water is being sprayed at the fire at blinding speed. The injured are on stretchers or being carried on someone’s shoulders. Dozens of firemen are rushing around, screaming orders back and forth, carrying all kinds of paperwork, medical equipment . . . and the thought might occur to a person that this is absolute chaos. It’s a wonder that the fire is put out and the injured taken care of in this chaotic mess.

But, taking a deep breath and focusing, it becomes clear that there is an order to this confusion. Some wise and unflappable person called the incident commander has been apprised of the state of the fire; knows the potential number of people in the building; has ensured the firemen know what size and type of hose to use and where to attack the fire; knows which of his firemen are in the building and who is not in the building; and has set up a triage area to treat patients before they are taken away by the ambulances. Police have been asked to cordon off the area to ensure no one else can be injured. A Rapid Entry team stands by to go in and extract injured or trapped firemen. Eventually, the fire is put out, everyone is treated, and the site cleaned up. For those of us who love being in the heat of a crisis, this is “organized chaos” at its finest.

CHAOS has the appearance of being uncontrolled. Recent research of chaos helps us to understand that there is some order to that which appears to be out of control. Chaos theory is a prominent concept that gives life to this idea. It is best characterized by the concept of the “butterfly effect”; the illustration that a butterfly flapping its wings in Brazil affects the space, energy, and activity of storm systems in New York City. There is a connection. It is not pure chaos, as in “out of control.”

Organized chaos, therefore, has elements to it that have nothing to do with human endeavor. However, there are elements of ourselves and our organization that we can apply to seemingly “crazy out of our mind” moments. The application of incident or crisis management, for instance, removes the overly-spontaneous character of a crisis or an event. Systematic organization of a team, or of resources, or of an incident management process provides for a planned result.

There is something humorous about the term “organized chaos.” Some might consider it an oxymoron, a combination of words that contradict each other. It falls into the same category as the term “herding cats,” which is deemed almost impossible to accomplish by most of us.

My belief and experience is that the secret to organized chaos is revealed when one takes a breath, stands back, and removes one’s trepidation from the scene. It is a matter of perspective. That is not to say that there aren’t chaotic moments which are out of control. But I suspect that many of the times we think we are watching chaos there may be more order to it than we first sense.

So, what are you waiting for? Prepare yourself and your organization to bring “organized chaos” to those seemingly out of your mind moments that can bring your company to its knees!


Art of Facilitating a Large Scale Mock Disaster Exercise

 


By: Michael Herrera 

We (my brother, who is a Fire Chief at NASA, and I) recently facilitated a large-scale mock disaster exercise that included 60-plus participants and over 10 observers.  Participants included multiple public/private schools (elementary and middle), school administration, emergency services (Police, Fire, EMS, etc.) and external observers such as Homeland Security. From a school and community based perspective it was one of our largest exercises to date.

The art of facilitating an exercise of this size and complexity is a daunting task. Even if the exercise has been designed perfectly, if you can’t lead it properly, it will fail miserably. How many of us have fallen asleep or been bored to death in an exercise?

 So, what do I consider key criteria for being a good exercise facilitator?

  • Dress the Part (Have Command Presence)
  • Smile, Smile, Smile
  • Be Charismatic and Enthusiastic
  • Know Your Exercise Scenario Inside and Out
  • Be Knowledgeable of the Personalities and Capabilities of Key Participants
  • Follow the Agenda, but Go Outside the Box When Needed
  • Know How to Engage the Participants and Ensure Cross Communications
  • Engage Humor to Keep Everyone Lighthearted
  • Look for When Participants Need Breaks
  • Permit Extended Discussions When Merited; Cut Off if of No Value
  • Keep the End Goal in Mind

I could say I have never been nervous facilitating a mock disaster exercise, but I would be lying. I use my nervousness to make me more mindful and focused on my facilitating. I look at the facilitating of a mock disaster exercise like being a storyteller; you are leading the execution of the event from its beginning to its end.

Facilitating a mock disaster exercise is a great opportunity to shine in front of many key people in your organization. Use it to your advantage.

 

 


The Art of the BIA (Business Impact Analysis)

 


By: Brandon Magestro

The Business Impact Analysis or BIA can be a daunting task for any organization.  As a foundational requirement of any continuity program, it must be completed in order for you to drive the development of plans, identification of recovery strategies, and implementation of solutions. 

As a company, MHA has conducted well over 2,000 BIA interviews.  Over the years, we have developed a highly refined process to plan, conduct and report the results of a BIA.  I expect our staff of consultants to not require more than 3.5 to 4.0 hours of a business unit’s time to complete their BIA.  This includes 45 minutes to complete the pre-work, 2.5 hours or less for the interview and 0.5 hours to validate the results.   Management is now asking us to finish interviews in 1.5 hours!

We have learned that less is definitely more when it comes to conducting BIAs.  Your questionnaire should be in compliance with best practices, but be tightly focused and have limited questions.

Top Reasons BIAs Go Bad

  1. Management and Participant Communication - Management and/or participants are not apprised of the BIA, what is expected and what will be the end game.
  2. Pre-Work - BIA participants do not complete pre-work, don’t complete it on time or it’s so bad that you spend too much time correcting it at the interview and waste valuable time.
  3. Logistics - Conference rooms don’t have the right audio-visual equipment, rooms are too small, people aren’t fed during lunch interviews, etc.
  4. Subject Matter Experts - The right people from each participating unit do not attend and so cannot provide the needed information.
  5. BIA Tool - The tool is clunky, complex, and no one has a clue how it works!
  6. Facilitators - The person or person(s) leading the interview do not have the skills to lead the participants through a real-time session.  It gets bogged down, people get bored or outright irritated.  This is a REALLY dry subject, so if you aren’t charismatic and can’t keep participants focused, it’s not for you.

A World Class BIA

  1. Management & Participant Awareness - Management and participants are involved from the beginning and have a clear picture of what is expected from them in planning, implementation, validation, and approval of the BIAs.
  2. Pre-Work - Easy to complete pre-work is distributed to participants at least 2 to 3 weeks before interviews.   We have them identify their core business processes, systems/application dependencies, and legal/regulatory requirements for each process.   The data is uploaded to our BIA tool to speed up the interview.
  3. Logistics - Conference rooms are staged for each interview; we require a projector or monitor to display our BIA tool as we walk the participants through it.  They see the results of their efforts real time.
  4. Subject Matter Experts - Participants are picked on their knowledge of the business unit and processes; titles are irrelevant if the participant doesn’t know how the processes work or what they depend on.
  5. BIA Tool - The tool is easy to use, calculates Recovery Time Objectives (RTOs) based on input and is easy for participants to follow.  The key here is: EASY TO USE!
  6. Facilitators - Dress to impress, have high energy and enthusiasm to lead the participants. Keep the energy up and they will respond in kind.  Bring a bag of chocolate; people love it.  We use two facilitators, one to lead the discussion and one to enter the data.

Lastly, remember BIAs are never perfect.  But as you conduct ongoing BIAs, the participants will gain knowledge and refine results.  We are just finishing 11 BIAs for a Fortune 100 entertainment company this week; without following the steps noted above, it would have been a disaster.  We know we have done our job when people leave smiling and saying “It wasn’t as bad as I thought it was going to be!”

 


How Do You Measure Up? – Are You a Leader in BCM Governance, Risk and Compliance (GRC)?

 


By: Michael Herrera

If you’re a BCM Practitioner, you’ve probably been asked this question by your senior management: “How compliant is our Business Continuity program and how does it compare to others in our industry?”  Are you still trying to figure out what industry standards fit your program, or are you using inefficient manual tools that are holding you back?  A BCM GRC software tool is something you should consider today.

What the Trends Tell Us

BCM compliance across companies we have worked with has yielded interesting information:

  • Many organizations are afraid to assess their compliance level – better to keep their head under the sand than know the truth
  • Management education is needed to show how BCM compliance benchmarking can be effectively used to manage the program
  • The use of self-assessment tools to measure BCM compliance is non-existent or it is a rudimentary tool with limited functionality
  • The majority of organizations do not have a clear picture of where they stand and/or where their weaknesses or strengths lie
  • Resource time is often being spent on program dimensions that have little to no effect on compliance and resiliency
  • Management is continually asking for compliance benchmarking and reporting, but it doesn’t exist

How A BCM GRC Tool Helps You

In a nutshell, a BCM GRC tool helps you better manage your program by balancing the risks and opportunities of the program. If you’ve devised your own system of assessing your compliance, such as using a manual process, it gets a little trickier to assess and report on compliance on a regular basis.  And if you’ve ever let something accidentally slip through the cracks, you can appreciate a better way to manage your process. Not every GRC platform features questions modeled after industry standards and weighted by importance, permits task assignments, and provides comprehensive management reporting, but you’ll benefit from choosing one that does. Unless, that is, you have your own personal assistant who keeps you up to date about everything regarding BCM compliance…and these days, who does?

Your Goal Is Compliance and Resiliency

If your goal as a BCM Practitioner – and let’s face it, every one of us has this as a goal – is to raise your compliance and resiliency, you need a reliable system for assessing compliance. A BCM GRC tool can play a major role in making all these business processes much easier.  Let’s say you’ve been asked to assess your BCM compliance. In your BCM GRC tool, you can quickly and easily assess the compliance of the five dimensions  (Program Administration, Crisis Management, Business Recovery, Disaster Recovery, and Supply Chain Risk Management) of your program.  You can attach supporting documentation, so you have everything that relates to that assessment in one handy place.  You can assign fellow planners access to specific programs or grant access to auditors to view reports on your compliance.   You can add tasks and assign responsible parties for resolution to keep the program moving down the compliance trail.  You can run management scorecards and reports on each dimension, outlining the state of the program. This kind of highly valuable data gives a big picture analysis of what the compliance landscape looks like. For example, perhaps the tool identifies your BIA process is critically weak and does not comply with industry standards. This is worth considering. Perhaps it might be time to revise your BIA questionnaire, or look to outside agencies to implement a best practice approach.

Designed for You

The multitude of BCM industry standards is overwhelming even for the experienced practitioner.  But BCMMETRICS makes the process extremely easy to use and administer. Our own BCMMETRICS platform is designed to be simple enough to figure out within minutes.  We offer a free video on BCMMETRICS and overview of the solution on our website.

If you’re serious about succeeding as a BCM Practitioner, make sure you’re using the right tools, like BCMMETRICS. It’s designed to help BCM Practitioners like you be more effective at successfully managing your BCM program through intelligent assessment and measurement. Try a 14-day trial of our paid plans.


Art of Essentialism in BCM – The Disciplined Pursuit of Less

Managing an enterprise BCM program requires BCM Practitioners to address many program initiatives and tasks that must seamlessly work together.  I liken BCM programs to a watch with many moving parts; some critical and others not so critical to its operation and ability to provide accurate time.

In today’s high pressure environment, we see BCM Practitioners being overrun with not only managing the program daily but dealing with external influences (e.g., audit requests, questionnaires, etc.) that take up their time.  Yet, many BCM Practitioners continue to attempt to work on everything at once in an effort to maximize productivity but end up actually producing less and making more mistakes.  Are you and your team experiencing any of these symptoms?

  1. Are you and your BCM team stretched too thin?
  2. Do you simultaneously feel overworked and underutilized?
  3. Are you often busy but not productive?
  4. Do you feel like your time is constantly being hijacked by other people’s agendas?

If you answered yes to any of these, the way out is the Way of the Essentialist.

I have learned from being a BCM practitioner and now running multiple BCM-related companies that to be successful you must be mindful and, more importantly, be an essentialist: the aim is not to get more done in less time but to get the right things done that make the most difference.  A member of my Board of Directors had me create a list of everything I was doing and/or felt I needed to do in managing our companies.  The list was exhaustive and made it clear how scattered my efforts were and that they were not focused on the essential tasks that bring the greatest return on investment to me and our organizations.  Eliminating unnecessary tasks was not easy; it required me to train others to take tasks, hire where possible, outsource to external parties, forget about some and, most importantly, trust that the minimum set of tasks was what I needed to do.

 So, how do we apply this to our BCM teams and our programs?  

  1. List all of the tasks you and your team members perform.
  2. Inventory all of the program initiatives (Policy, Plans, Strategies, Audits, BIAs, etc.)  you are working on currently.
  3. Starting with your team members’ list of tasks, review the list and categorize the tasks as essential or non-essential by looking at which tasks permit you to make the highest possible contribution.  Determine what to do with the non-essential tasks (e.g., eliminate, transfer, outsource, etc.).
  4. Based on your review of your program initiatives, which ones provide the greatest return on compliance, resiliency and maturity?  Which ones are window dressing?
  5. Revise the tasks you and your team members will perform based on what is essential and brings the highest possible contribution.
  6. Generate a program roadmap with the most essential initiatives that will heighten the sophistication and maturity of your program.

Essentialism is a systematic discipline for identifying what is absolutely essential, then eliminating everything that is not, so we can make the highest possible contribution towards the things that really matter.  By applying more selective criteria for what is essential, the disciplined pursuit of less empowers us to reclaim control of our own choices about where to spend our precious time and energy to bring about the highest possible contribution to our team and organization.


Planning Your Next Mock Disaster Exercise

As BCM Practitioners we are often required to dream up, plan, implement and facilitate a mock disaster exercise for our Crisis Management teams. The planning process is crucial to developing an exercise that meets the needs of your organization.  Steps in planning a successful mock disaster exercise are:

  1. Consider the list of scenarios you have presented to the team in the past.  Does a past exercise suffice or do we need to develop a brand new exercise?  A past exercise can be used if significant gaps were exposed that require you to replay it to validate the team’s response.  Always consider the maturity of the team.
  2. Review action items from previous exercises to make sure they have been resolved and do not cause gaps in the upcoming exercise.
  3. Identify the key objectives of the exercise; what are you trying to stress test and validate?  Focus on a core set of objectives that you would like the exercise to meet.  Less is more here.
  4. Based on the objectives, identify Subject Matter Experts who will aid you in building  the exercise.  These individuals can be internal and/or external personnel who will provide you with expertise to build your scenario.  These people typically do not participate in the exercise since they built it.
  5. Hold multiple brainstorming sessions with your Subject Matter Experts to build the exercise based on the objectives you are trying to meet.  Typically, a couple of these sessions will build the framework that you can use to create the detailed events.  Validate that the exercise framework meets the objectives.
  6. Build the detailed timeline and list of events to occur based on the framework you developed with the Subject Matter Experts.  Consider how long you have for the exercise; give people time to address events and respond as needed.  I consider the maturity of the team in determining how long I give them to address and respond to events in the exercise.
  7. Validate the scenario, timeline and events with your Subject Matter Experts; ensure it makes sense and meets the objectives.  Identify gaps or areas that are confusing; you don’t want participants pointing at holes in your exercise that will derail it.
  8. Revise the scenario and you are ready.
  9. Make sure you have a good facilitator ready to lead the exercise.  This person must be prepared to lead the team from the beginning to the end of the exercise.  He or she must know the exercise in and out as well as assess how the team is doing.  If the exercise needs to be slowed down or sped up, the facilitator must address it.
  10. Have fun and enjoy the exercise.  It will never go as perfectly scripted but when does a disaster fit our plans?

 

 

 


Hidden Benefits of Keeping BCM Teams Intact

A recent Harvard Business Review article in the December 2013 edition entitled “The Hidden Benefits of Keeping Teams Intact” discussed the benefits and reasons for keeping teams familiar with each other.  The article expresses that team familiarity raises performance, leads to fewer mistakes, encourages better decision making, etc.

So how does this apply to us?  In our role of BCM, we deal with a number of different teams including Fire Life Safety, Crisis Management, Business and IT Recovery Teams, etc.  Maintaining familiarity and consistency across team members is difficult as existing team members leave and new members arrive.

In my experience, I agree with this article, as I can say that the performance of Crisis Management Teams who have worked together for a number of years or at least have some familiarity is much higher than those who do not have familiarity and/or long term working relationships.  So what data substantiates this theory?

  • Defense – Special ops teams such as the Navy SEALs are kept intact over many years.
  • Aviation – NASA found that fatigued but familiar crews made about half as many errors as rested but unfamiliar teams.
  • Surgery – A study of surgeons who worked across multiple hospitals found performance varied perhaps because of their varying levels of familiarity with the OR teams.

In our consulting firm, we have a high degree of familiarity as the majority of us have worked together over 10 years.  This familiarity has led us to a high level of performance as we are clearly versed in each other’s strengths, weaknesses and areas of expertise.

So, how do we make this work?  We can’t keep team members forever; however, we can work teams to have some level of familiarity, which is better than none at all.  Hold short training and awareness sessions, short 30-minute mock disaster exercises, etc.

 

 

 

 

 

 


Does Having a Compliant BCM Program Equate to Recoverability?

Does having a BCM program compliant with industry best practices, standards and guidelines equate to recoverability?  I do not believe it always does.  Being compliant, in my opinion, ensures the best underlying infrastructure has been assembled, implemented and integrated to maximize program efforts and potential for success in a disruption.  It does not mean, however, that you will recover without a hitch or difficulty in all situations.

Let’s use the athlete analogy.  Being Tiger Woods doesn’t mean you will win 100% of all golf tournaments played.  Now, because of his talent, preparation and work ethic, it does mean he will win more than a good share of those he plays in, and so it goes for being compliant.  Working to be compliant is like building the best possible athlete to compete, but you will not always dominate; there are too many variables like the people factor, events we never saw coming, just plain bad luck, etc. that can derail us.

So, working towards having a high level of compliance with industry best practices, standards and guidelines is the right thing to do.  I liken the industry best practices, standards and guidelines to a fitness program for your organization.  Some organizations get on it but quit because they get tired, lose interest or don’t want to do it on a routine basis.  Others work through the soreness, the daily grind and the sweat to build a BCM program that is strong, resilient and ready for any disruption that comes its way.

Get your BCM program on a workout routine today!
