
MHA Consulting


Is Your Greatest BCM Risk Your BCM Team?


Over the years, we have talked about all kinds of risk in our programs. Compliance risk, residual risk, third party risk, and more all need to be considered. However, one BCM risk that we haven’t discussed is closest to us: our own BCM team.

You may ask: how can our own team be a significant risk? Well, don’t forget that you are only as strong as your weakest link. In many cases, you may find that you have more than one weak link. Often, the reason for a low state of organizational BCM compliance and high residual risk has as much to do with the BCM team as it does with the organization’s processes, methodology, budget, and management commitment.

The majority of BCM managers do not analyze the skill set of their team on a detailed level, nor do they align it with their strategic roadmap (if they have one). Each member of your team plays an important role, and it is essential that they have the skill set necessary to perform that role and to support one another.

To use a sports analogy, knowing your bench depth is crucial to the success of your program. Identify the skills that your team needs to produce results. Many BCM offices hire based on immediate need rather than considering their strategic goals, or how the new hire will fit in with the team and contribute to its long-term success.

There is a reason professional sports teams spend so much time analyzing their players and knowing where they fit in during certain situations. The ability to quantify the level of skill of each player and how that fits in with immediate and future needs is critical to the success of the team.

In order to ensure that your BCM team is not your greatest BCM risk, you should regularly evaluate the skill set of each member of your team.

BCM Risk Evaluation

At MHA, we have a clear picture of the skill set of each consultant; we understand where each will fit during engagements. Is the consultant a multi-dimensional team player or a better fit for a specific role? Is the consultant comfortable in front of customers or better suited for a support role?

Take the step to eliminate the BCM risk that’s right in front of you. Analyze your people to build a high-performing team today.

The Drawbacks of Planning for a Worst-Case Scenario


While the worst-case scenario approach is a good one to use in order to reflect on organizational needs and the impacts of a disaster, it often brings an improper sense of safety.

So, should you plan for a catastrophic event or a localized disruption? When we work with organizations on business continuity, the scenario that almost always comes up is the “smoking hole” – whether it is a complete loss of the data center or the destruction of the headquarters building. This worst-case scenario is useful for planning, but there are two questions that should be considered as we put plans and strategies together for business and technology resiliency. What is the potential impact of an event, and what is the likelihood of it happening? Will it cause a catastrophic loss (the worst-case scenario), or will it cause a localized failure that will still have a significant impact on the business? Too many organizations fall into using only worst-case scenarios, thinking that with the “smoking hole” plan in place, their business is now adequately prepared to respond to and recover from a disaster.

But, based on statistics and our experience over the past 17 years, an organization is most likely to experience a localized outage rather than a catastrophic event. In the last several months, what issues have been in the news? Security breaches, human error, and single points of failure have caused significant business impacts. There may be some of you who were impacted by the two recent airline outages. Those were not “smoking hole” scenarios. Data breaches, both large and small, have had an impact on many of us. I have received notice of security breaches from more than one company where I am (or have been) a customer. I now have credit monitoring in place from multiple identity theft vendors, all provided by the impacted companies.

As we perform risk assessments and provide recovery strategy recommendations, resiliency is just as important to consider as recoverability. While they are not the same, they are dependent on each other, and each should be considered as you plan and implement your business continuity strategies. In fact, we are starting to hear organizations refer to BC as BR – Business Resiliency. MHA is increasingly moving toward services that ensure that our clients are building resiliency. When the business is resilient, the organization will be prepared for both the catastrophic event and a localized event.

As you consider impact vs. likelihood, think about this: Do you understand the potential impacts of localized events, are you prepared to manage those impacts, and do you have plans in place to recover? Localized events include:

  • Power outage (UPS failure or generator failure)
  • Network outage (line cut by your provider)
  • Infrastructure outage (single points of failure in servers, storage, network)
  • Building flooding (sewer backup – it happens more than you think)
  • Human resource outage (critical individual with specific knowledge)
  • Building access (crime scene, heating or cooling issues, maintenance issues)
  • Single application outage (human error, unknown dependencies during a change)

This is not to say that a company should not prepare for catastrophic events. Though they have a low probability, they have a disastrous impact. However, planning only for the “smoking hole” will leave your organization vulnerable to more likely events that will have a significant impact on your business. Remember, Murphy’s Law will always be there, ready to rear its ugly head. Don’t get caught planning for a worst-case scenario, only to be done in by an unexpected power outage.

By Richard Long, Senior Advisory Consultant, MHA Consulting

The Be, Know, and Do of Crisis Leadership


This post has been updated. It was originally published in August 2009.

During a crisis, management and leadership are crucial to a successful outcome. Consider the triad of BE, KNOW, and DO as a way to improve your crisis leadership capabilities.

As a member of a Crisis Management Team, you are a steward of the core assets of your organization. Core assets include, but are not limited to: people, brand image, finances, shareholder value, and business operations. You are responsible for more than the management of the crisis. You must be prepared to respond to a crisis situation with crisis leadership.

Crisis management is best defined as the short-term tactical aspect of dealing with an event, while crisis leadership is the long-term strategic component. We find most teams can handle the management aspect, but need help in developing the leadership component.

For the purposes of illustration, we will use a building relocation resulting from an employee opening a potentially hazardous package.

BE involves being caring and compassionate, displaying a high level of character at all times and having emotional self-regulation.

In any crisis event, the safety of people should be your highest priority. In our scenario, employees’ stress will be heightened. Their concerns will not be on business issues, but on their families. Acknowledging and truly caring about individuals will go a long way in showing true leadership.

Given the stress staff may be experiencing, their responses to the situation may not be normal or professional. As a leader, your ability to demonstrate emotional maturity and control will provide support and stability to everyone else. Do not take comments personally, but respond with empathy.

KNOW involves having the right short-term and long-term vision, knowing your stakeholders and their expectations, and understanding the context (e.g., natural disaster, one or many companies affected, etc.) in which the event has occurred.

In our scenario, the short-term vision may be to ensure that human impacts are minimized and operations continue as normally as possible. The long-term vision would be minimizing brand impact and ensuring customers are not lost due to the service impact. Consider internal and external stakeholders – internal being all levels of your staff, and external being your customers and vendors. Internal stakeholder concerns are for safety, business operations, and financial impacts. Customer concerns may be for service needs or ordering product they may need for their operation, while vendor concerns may be about receiving timely payments. External stakeholders may not understand your crisis or have patience with your efforts to deal with it. It is not their problem and they may look to other providers for service.

DO involves timely communications to our stakeholders in concert with a leadership style that fosters teamwork, gains consensus and buy-in, and facilitates prioritization and executive decision making in a timely manner.

All stakeholders will want communication. They will not want to feel like information is being withheld. In our example, your failure to communicate would allow social media to drive your story. Information (and rumors) from employees and others will be on social media within minutes of your crisis occurrence.

Use the concepts of Be, Know, Do to guide your response during a crisis event. Your internal and external stakeholders will look to you during a crisis. It is up to you to be prepared to lead.

Benefits of Business Continuity and Recovery Testing


As part of our responsibilities as Business Continuity professionals, we spend a significant amount of time writing and following up on documentation, not the least of which is writing business continuity, crisis communication, crisis management, and technical recovery plans. Ensuring that the plans are written and up to date is only half the challenge. The other half – the real challenge (and higher priority, in my opinion) – is to ensure that the documentation is functional and accurate. What is the best method to ensure plans are functional? Business Continuity and Recovery Testing.

Testing requires time, equipment, resources, and expertise to run. Organization of these resources and performing an exercise can be difficult. What are the benefits?

For documentation, the benefits are:

  • Demonstrating that the documentation is accurate:
    • Plan steps are accurate
    • Contact lists are accurate
    • Assumptions are validated
    • Gaps in the plan are identified
    • Unknown contingencies are identified
  • A tested plan has a much higher possibility of succeeding during a real event.

Additional test benefits are:

  • Verifying resource availability or capability.
  • Training team members for their recovery roles.
  • Determining the actual length of recovery time and the ability to achieve the desired company RTO.
  • Following exercises, those responsible see the need for, and the benefit of, keeping documentation up to date.
  • Assessing the true functional recovery of the areas tested.

One additional comment on testing: In many organizations, the necessary planning for the exercise can distort the actual level of preparedness because often the documentation, technology, resources, and gaps are either updated or remediated during the planning process. This can give a false sense of accomplishment. If there is a rush to update applications, documentation, or other preparations, it should be noted in the test results. An understanding of the amount of work involved in exercise planning and preparation can demonstrate why continuous review and updates are needed related to documentation, strategies, and technical implementation.

Testing is a critical aspect of your BCM program, demonstrating the actual functional capability of your documentation and technical implementation. In future blogs we will discuss how you can perform tests and exercises, and how to maximize the benefits of testing while limiting the impact of those exercises on your operations.

Business Continuity Begins and Ends with Communication


This post on business continuity communication has been updated. It was originally published in September 2013.

In society today, communication is often electronic rather than face-to-face. This can lead to less than cordial interactions, miscommunication, or misunderstandings. As either the sender or receiver of a communication, we have all experienced the thought “did she understand my message?” or “did he really mean that?” In our role as business continuity professionals, communicating the status and needs of the program can be one of our most important functions. Without proper communication, the following may occur:

  • Tasks and action items are not completed because “someone else” was responsible. Clearly assigning ownership, and receiving acceptance of ownership, for tasks or assignments should be an area of focus for the Business Continuity Management (BCM) office. Emphasize the responsibility of everyone to manage threats in their areas and ensure that documentation is up to date. Communication of risks, documentation, and training should be specific to ensure that risks and responsibilities are understood.
  • Members of the BCM team should consider themselves to be consultants to the organization, working as partners with other departments. This can be achieved by the use of clearly defined language that ensures terms and concepts are understood in non-technical and non-BCM language.
  • Good communication to senior management is critical to the success of a BCM program. They are the final decision makers and have ultimate accountability, so the current state of the risk profile and risk mitigation efforts should be communicated to them clearly and honestly. The benefits of the BCM program should be included in this communication, but “bad news” should not be left out. Education of senior management related to the qualitative nature of risk assessments, as well as the current state of recoverability and preparation, is also key.
  • It may be necessary to secure information from outside experts, such as insurance brokers, consultants, emergency services, and civil authorities. Providing the appropriate information to them allows for feedback on strategies, risks, operational tasks, or other pertinent information that can then be forwarded to various functional areas and senior management within your organization for use in plans or decision making.
  • Ensure all appropriate members of the organization are part of the communication. Their roles and responsibilities, the state of the program, how they will be impacted by the program, and what to expect during an event will invite ownership in the process. This is especially important for those outside the technical implementation or management.

As is the case in other areas in our organizations – the better the communication, the better the results. As business continuity professionals, we cannot execute all the tasks necessary to ensure readiness. Business continuity begins and ends with communication of the necessary information, concepts, and status across all areas of an organization.

Forming the Business Continuity Management Team


This post has been updated. It was originally published in September 2013.

The size and makeup of an organization’s Business Continuity Management (BCM) team depends on how you plan to roll out the project. It is best to start out small in the beginning and then progress in size. The initial team will lay the groundwork for the project by setting up oversight, coordinating training, building disaster plans, and helping to sharpen the focus of what each plan should contain. This core team should consist of the following:

  • Sponsor: The senior management individual with overall responsibility and accountability for the Business Continuity Program.
  • Business Continuity Manager: The individual with direct responsibility for the Business Continuity Program.
  • Assistant Continuity Manager: The backup to the Business Continuity Manager. This could be a titled position or an assigned position.
  • Administrative Assistant: The individual responsible for supporting the BCM team. This is often an administrative assistant working in the Business Continuity office, if it exists, or one of the individuals on the administrative assistant team.

This group will prepare standards, training, and processes to make the project flow more smoothly. Eventually, several key people will need to join the BCM team as they are needed. This may include the following people:

  • Building Maintenance or Facilities Manager: This individual can provide information on what mitigation steps are already in place for the facility, such as fire suppression, electrical service, etc.
  • Facility Safety and Security: This individual should already have parts of the disaster plan in place in terms of fire, safety, limited building and room access, theft prevention, etc.
  • Human Resources: HR people have ready access to up-to-date information about the individuals who are important to the plan.
  • Line Management: These individuals tend to know the most about what is critical for getting work done in their areas of responsibility.
  • Community Relations: A disaster may affect more than just your operations. This individual will act as a liaison between your organization and your community to coordinate any community assistance that you may need while recovering from a disaster.
  • Public Information Officer: This is your voice to the outside world. This role is crucial in getting accurate information out to customers and vendors.
  • Sales and Marketing: This team knows the organization’s customers the best and can provide insight on what level of service is required.
  • Finance and Purchasing: This team knows your vendors the best and can provide insight on what kind of support the organization can expect while recovering.
  • Legal: The legal team can provide important insight on the legal ramifications of activities performed in response to an emergency.

In today’s regulated and compliance-focused environment, communication between senior management and the BCM team is essential. Management requires information related to strategic direction, integrating needs between functional teams, risk profiles, priorities, funding, and status. The Business Continuity Management team will oversee the program and ensure that senior management is provided with timely and accurate information.

Risk Transference – Let Someone Else Handle the Heavy Lifting


Depending on your organization’s resources and size, using risk transference to mitigate your risk may be a good option.

In a recent blog we discussed the acceptance of risk. When accepting risk is not appropriate, the strategies for risk mitigation include: developing and implementing strategies in house; using third parties to develop and implement the solutions, with in-house maintenance; or turning the entire solution over to a third party. For most organizations, some use of risk transference is appropriate.

Risk Transference: Risk transference is handing risk off to a willing third party.

The most frequently used and easiest method of risk transference is insurance. Insurance is the financial transfer of risk. When using insurance for risk mitigation, it is important to remember:

  1. Insurance does not address brand/image impact. While the insurance may pay for financial losses, the loss of customer or public confidence may severely impact the organization. Think about organizations that lose customer data or restaurants where customers get sick.
  2. Insurance has conditions that must be met before the payout occurs. Ensure that you understand any conditions, notifications, documentation, etc.
  3. All situations may not be covered, depending on the cause. There may need to be additional riders on the policy or other mitigation solutions.

Physical security is another risk transference function that can be performed by third party companies. Economies of scale often make external security a better choice than using an internal solution.

Third parties are often used for cost containment or to allow for more focus on core competencies. These same justifications can be used in the risk transference mitigation strategy. Rather than implementing risk mitigation solutions for business functions or processes, organizations may consider using third parties to accept the risk. For example, certain business functions with operational risk – such as customer service, call center, or payroll services – can easily be performed by third parties.

Technical functions such as network and data security monitoring, first level technical support, and server administration and monitoring are also candidates for third party use. As these functions become more impactful to overall risk, and the integration of technology more complex, the use of experts who can focus on those specific items often makes the most technical and financial sense.

The use of Software as a Service (SaaS) is analogous to using third party providers. The technical risk and recovery risk are moved to the SaaS provider, along with the business risk it may mitigate.

For all third party vendor engagements, understanding the services, recovery commitment, service level agreements, change procedures, and risk mitigation strategies is critical to ensuring that your risk is mitigated appropriately.

Consider your current service providers and how they might fit into your risk mitigation strategy. They may provide services that your organization can or should move to them, allowing for more focus on competencies that are strategic and grow the business.

By Richard Long, Senior Advisory Consultant, MHA Consulting

When A Good Recovery Strategy is Better than a Perfect Recovery Strategy


Your recovery strategy does not have to be perfect, but it does need to be good enough. Remember, perfect is the enemy of good.

When I worked in the IT department at a large retail company, we would strive to get the requirements exact and ensure our designs were perfect – no issues or gaps. This often caused some frustration with our business partners. They wanted it done faster, and we wanted it done right the first time to prevent rework. This is when I first heard two things that changed my perception:

  • Perfect is the enemy of good
  • 80% is good enough

When I asked, “Are you sure?” the response was, “Yes – we are going to want it changed in 3 – 6 months anyway because we will learn something new or need to adjust based on the market.” This response can be especially true for our recovery strategies.

This does not imply that you can just throw together a solution or not perform due diligence. It does imply that you should work to get a strategy and implementation in place that allows for recovery, even if that strategy is not perfect or may not meet all your RTO/RPO requirements.

When we look at strategies for organizations, we look at the current state. If there is something in place that is functional, then we might take more time to craft a more perfect solution. But, as is most often the case, the recovery strategy is not functional and there are significant gaps to be addressed to ensure that, at a minimum, all the critical applications would be recovered.

What is better – an imperfect recovery of all necessary applications within a reasonable timeframe, followed by the remaining environments, or a “perfect” recovery that is within the RTO/RPO of only one or two critical apps, with no certainty that anything else can be recovered at all?

The “good enough” recovery strategy depends on your environment:

  • What is your virtualization position?
  • What are your data privacy requirements?
  • What is your legacy application position?

For example, we have clients with critical applications running on unsupported operating systems, with hardware for which it is almost impossible to get replacement parts. The recovery strategy for these environments might be to virtualize a recovery environment that “sort of” works. It may take manual effort; it might be slow and impact productivity. It is not a perfect solution, but it will work if necessary. What is better – having something that is painful to use, or just hoping an event will never occur? One of my favorite sayings is “Hope is not a strategy.”

If possible, your strategy should include those technologies that will provide your environment flexibility and growth. This allows for adjustment and modifications as environments and business requirements change. Also, along with the strategy, a roadmap to move from current state to good, from good to better, and from better to best will be helpful in communication and planning.

We want to develop the best strategy possible, but sometimes good enough is the best strategy.

By Richard Long, Senior Advisory Consultant, MHA Consulting

Risk Acceptance – Conscious Decision or Ignorance?


Risk Acceptance must be a conscious decision, not a default action due to lack of information or desire to act.

Risk Assessments and Risk Mitigation remain important topics in many association groups and business discussions. We are often asked to assist with formal risk assessments, as well as with individual components of an overall risk assessment. Over the last several months we have discussed different risk topics on our blog (Real Risks to an Organization, Maximize Compliance & Minimize Risk). These topics discuss how to prepare for or mitigate risks. One of the most commonly used risk mitigation strategies is “do nothing – accept the risk.” Even if it is not thought of as one, it is a mitigation strategy and is often the most appropriate.

Several questions regarding Risk Acceptance:

  1. Is insurance in place for those areas which would be impacted, and are the risk categories covered?
  2. Is the actual impact understood?
  3. Is the true probability of an occurrence known?
  4. Are the risks which are accepted truly known or understood?

Risk Acceptance – Due to lack of execution

We find that there are many risks that are defaulted to “do nothing” – not because of a conscious decision, but because after a risk has been identified, there is no plan for mitigation, or the execution of the plan is not scheduled. In a majority of the Threat & Risk Assessments we perform, there is at least one risk identified for mitigation that is not scheduled and remains a risk for a year or more. Without a plan or schedule of execution, you have defaulted to the Risk Acceptance strategy.

Risk Acceptance – Due to lack of information

There are two reasons for this situation.

  • The risk or impacts are not communicated to the decision makers.
    • Not communicating the risks may be because the risk is not known, but is often due to an unwillingness to share bad news.
  • The risk or impacts are unknown.
    • If risks are not known, it is typically because a risk assessment was not done, was not sufficient, or the appropriate people were not included in the assessment and/or did not share information.

A quote I like is appropriate here – “Bad news does not get better with time.” An example of the lack of information: an IT Department told their business and management team that a recovery solution was in place and the technology could be recovered. In actuality, they had only done a proof of concept on the technology, and there was only enough capacity to recover 1 or 2 applications.

Risk Acceptance – Conscious Decision

Accepting the risk is an appropriate choice in many cases. Often the impact of an event and/or the likelihood of occurrence do not justify the high cost of mitigation. Acceptance of risk does not mean that organizations are not prepared or that there are no actions to be taken. There may not be any technology or process changes, but insurance needs, changes to corporate or local policies, and changes to recovery plans and communication plans are all considerations that must be addressed.

When addressing risk mitigation, remember that Risk Acceptance is an option. “Do Nothing” can be the right solution. Due diligence should be performed to ensure that the decision is not based on a lack of information or execution, but rather on a conscious and carefully considered plan.

By Richard Long, Senior Advisory Consultant, MHA Consulting

Do You Know the Current Business Climate?


Understanding how the business climate is changing will allow you to start looking at how you may need to change your recovery and resiliency strategies.

I was recently talking with my father who was in the convenience store and gasoline distribution business his entire career. We were talking about planning and how the business climate changes over time. He mentioned that when pay-at-the-pump devices first came to stations, his company resisted implementing them. Their convenience store model was to get customers to walk into the store to pay so they would purchase additional items. Their money was not made on gas sales, but on the sale of store items (beverages, candy, etc.). My father was an advocate of putting the new pumps in. He saw it as being more important than just having customers walk into the store, but instead making sure that customers were comfortable using the store for both gas purchases and quick stops for other items. If they got in the habit of using a different store to get gas because of pay-at-the-pump, they would likely stop at that store for drinks and other items as well. The result: a lost customer.

Do you know how your business climate may be evolving? Do your current processes or paradigms still meet customer needs and desires? In previous blogs and presentations, we have encouraged those in continuity planning to learn about their business processes. Understanding how the business climate is changing – and how business processes and functions may be changing along with that – will allow you to start looking at how you may need to change your recovery and resiliency strategies.

Consider the items below as you identify how your business may be changing.

Technology/Data

As your technology strategy evolves to meet the needs of the business climate, you need to re-assess the impacts of an event on IT recovery. What is the network impact? Network traffic, availability, and additional devices need to be addressed. Will the need for increased bandwidth impact other areas? What about changes in the number of transactions? How might that impact data requirements? Will you need to look at a more resilient architecture rather than a recovery architecture?

How has data changed? What are the HIPAA or PII impacts? How will you ensure that this information is protected during an emergency event or when processing at a recovery location? Will there be changes to your online or social presence; has that changed the recovery/availability requirement?

People

People’s roles and responsibilities may have changed over time. Have these changes created a need for a different maintenance schedule or cycle? How will that impact staffing and shifts? What about potential natural events that may impact personnel availability or access? Will your staffing strategies during events need to change?

Locations

With the change in business processes, does the importance of the physical location change? Are people in the locations at different hours? Will security have to change? While the risks to the locations may remain constant, the impact of any given event may evolve over time.

Documentation

You should also consider how you may need to adjust your recovery plans over time. Will you need to readjust the relocation strategy or workaround procedures to address the changing environment? Will the dependencies between departments impact the continuity strategy? Contact lists and notification processes may have to be modified.

Unsure of where to start? Understanding your current business climate should be an important factor in all your planning efforts. A good place to start your assessment is with a current BIA (Business Impact Analysis). You can use the BIA information to see how changes may impact the entire organization and what business units may need to be addressed.

By Richard Long, Senior Advisory Consultant, MHA Consulting