
MHA Consulting


What is the Residual Risk of Your Business Unit Recovery Plans?


What is the “residual risk” of your critical Business Units and their continuity capabilities? First, what is residual risk? Residual risk is the risk that remains after an organization has implemented the appropriate controls to comply with industry standards, regulatory requirements, best practices, etc.

In a perfect world, you want the lowest possible residual risk for your most critical business units and Information Technology, to minimize the potential for significant impact to your organization in the event of a disruption. The higher the residual risk, the greater the potential impact of a disruption. So, let’s look at a simple way of assessing residual risk.

First, you must assign an impact factor to the Business Unit or IT entity. To keep it simple, we assign an impact of 5 to each Business Unit or Information Technology system/application whose RTO category means a disruption would have a critical impact, 3 to the RTO categories where a disruption would have a moderate impact, and 1 to the RTO categories that would suffer little to no impact from a disruption.

Second, now that you have assigned the potential impact to the organization from the Business Unit or Information Technology entity, you must consider the controls that are key to reducing the risk of a critical business unit or IT system/application. These may include:

  • Business Impact Analysis
  • Recovery Strategy
  • Recovery Team
  • Recovery Plan
  • Recovery Exercises
  • Training & Awareness

Within each of these controls, you must consider the extent to which the control has been implemented for each business unit in order to assess how solid it is. A BIA completed in the last year yields better risk control than one completed three years ago or never. A geographically diverse recovery strategy greatly reduces residual risk, while a backup site a mile away is not as good. So, assess the strength of each control using common sense (5 = Fully Implemented, 3 = Moderately Implemented, 1 = No Control). More importantly, you must have a solid understanding of what makes a control fully implemented and what does not. Weight each control based on its importance to recovery success, with all control weightings adding up to 100 (e.g., recovery strategy weight is 25%, recovery plan is 10%, etc.). Add up the weighted scores to get your control score.

Third, to get the residual risk, subtract the total weighted control score from the impact score. For example, the impact score for a business unit with an RTO of 0 – < 12 hours is 5. The weighted control score for this business unit is 4.3, leaving a residual risk of 0.7, which is outside our established tolerance level of 0.5 for business units with a high impact score. If your control score happens to be greater than the established impact score for the business unit, apply the “absolute zero” rule so you don’t end up with a negative residual risk score; a score of zero also means your controls are in good enough shape for that business unit. Using this approach, you can also quickly identify which controls need to be augmented to reduce residual risk.
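As an added worked example (not code from the post or from MHA’s BCMMETRICS tool), the three steps above in Python: impact factor, weighted control score, residual risk floored at zero and compared against tolerance, plus the list of controls whose augmentation would reduce the residual risk most. The 25% and 10% weights, the 5/3/1 scales and the 0.5 tolerance for high-impact units come from the post; the other four weights, the tolerances for moderate and low impact, and the two sample business units are assumptions constructed for the example.

```python
from dataclasses import dataclass, field

# Impact factor per RTO category, as the post assigns it:
# critical impact = 5, moderate impact = 3, little to no impact = 1.
IMPACT = {"critical": 5, "moderate": 3, "low": 1}

# Strength of each control, as the post scores it:
# 5 = Fully Implemented, 3 = Moderately Implemented, 1 = No Control.
STRENGTH = {"full": 5, "moderate": 3, "none": 1}

# Control weights in percent; they must add up to 100. The post gives 25 for
# Recovery Strategy and 10 for Recovery Plan; the other four weights are assumed.
WEIGHTS = {
    "Business Impact Analysis": 15,
    "Recovery Strategy": 25,
    "Recovery Team": 15,
    "Recovery Plan": 10,
    "Recovery Exercises": 20,
    "Training & Awareness": 15,
}

# Residual-risk tolerance per impact class. The post states 0.5 for high-impact
# units; the moderate and low tolerances are assumed values for this example.
TOLERANCE = {"critical": 0.5, "moderate": 1.0, "low": 2.0}


@dataclass
class ResidualRisk:
    unit: str
    impact: int
    control_score: float
    residual: float
    within_tolerance: bool
    # (control, residual-risk reduction if raised to Fully Implemented), largest first
    augment: list = field(default_factory=list)


def assess(unit: str, impact_class: str, controls: dict, weights: dict = WEIGHTS) -> ResidualRisk:
    """Score one business unit or IT system: impact minus weighted control score, floored at zero."""
    if sum(weights.values()) != 100:
        raise ValueError("control weights must add up to 100")
    missing = set(weights) - set(controls)
    if missing:
        raise ValueError(f"no implementation level given for: {sorted(missing)}")
    impact = IMPACT[impact_class]
    # Work in hundredths (weight percent x strength) so 0.15*5 + 0.25*5 + ... carries no float error.
    score_h = sum(weights[c] * STRENGTH[controls[c]] for c in weights)
    # "Absolute zero" rule from the post: controls stronger than the impact give 0, never a negative.
    residual_h = max(0, impact * 100 - score_h)
    tolerance_h = round(TOLERANCE[impact_class] * 100)
    # Which controls to augment: the gain from raising each non-full control to 5, biggest first.
    augment = sorted(
        ((c, weights[c] * (5 - STRENGTH[controls[c]]) / 100) for c in weights if STRENGTH[controls[c]] < 5),
        key=lambda item: item[1],
        reverse=True,
    )
    return ResidualRisk(unit, impact, score_h / 100, residual_h / 100, residual_h <= tolerance_h, augment)


# Constructed sample inputs (not from the post): the first reproduces the post's worked
# numbers (impact 5, control score 4.3, residual 0.7 > 0.5); the second shows the zero floor.
CLAIMS = assess("Claims Processing (RTO 0 - <12 hours)", "critical", {
    "Business Impact Analysis": "full",
    "Recovery Strategy": "full",
    "Recovery Team": "full",
    "Recovery Plan": "full",
    "Recovery Exercises": "moderate",
    "Training & Awareness": "moderate",
})
ARCHIVE = assess("Records Archive (RTO > 5 days)", "low", {
    "Business Impact Analysis": "moderate",
    "Recovery Strategy": "moderate",
    "Recovery Team": "none",
    "Recovery Plan": "moderate",
    "Recovery Exercises": "none",
    "Training & Awareness": "none",
})

if __name__ == "__main__":
    for r in (CLAIMS, ARCHIVE):
        flag = "OK" if r.within_tolerance else "OUTSIDE TOLERANCE"
        print(f"{r.unit}: impact {r.impact}, control score {r.control_score:.2f}, "
              f"residual {r.residual:.2f} [{flag}]")
        for control, gain in r.augment:
            print(f"  augment {control}: -{gain:.2f} residual if fully implemented")
```

The arithmetic is kept in integer hundredths so that the control score comes out as exactly 4.3 rather than 4.300000000000001, which matters when a result sits right on a tolerance boundary. The `augment` list is the practical output: it ranks the controls by how much residual risk each would remove if brought to Fully Implemented, which is where remediation budget should go first.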

Lastly, your ultimate goal is to have implemented your plans and associated controls in such a manner that little to no residual risk exists for the most critical areas of your organization. We are implementing residual risk analysis in Q3 of 2015 as part of our BCM compliance self-assessment tool, BCMMETRICS™. Go to www.bcmmetrics.com for a comprehensive overview of the tool and its assessment and reporting capabilities.

Rip off the Band-Aid… Assess Your BCM Compliance Today, Not Tomorrow

Ripping off a band-aid is painful, but it’s temporary. Assessing your BCM compliance is a lot like ripping off a band-aid: you deal with the initial pain of finding out where your gaps and exposures exist, but then you experience the healing that comes from a remediation roadmap, bringing a heightened level of compliance and resiliency that significantly outweighs the temporary pain of the assessment.

So, what are some of the reasons planners aren’t assessing and scoring their BCM compliance?

  • Fear of the Unknown
  • My Program is Already Bad, Why Bother?
  • What Standard Should We Use that Makes Sense for Us?
  • How Do I Present the Results?
  • What Do I Do With the Results?

The need to assess BCM compliance and generate metrics that depict your current and future state is coming to the forefront for senior management and the industry. We must effectively and efficiently balance the risks and exposures in our programs by knowing where we stand today and where we need to be over time.

Assessing your BCM compliance permits you to identify the critical exposures that, if prioritized for mitigation, will bring about the greatest improvement in compliance and resiliency, while letting you hold off on other exposures that are nice-to-haves you can get to later in the lifecycle of the program.

A very simple approach is as follows:

1. Pick one standard (ISO 22301, FFIEC, BCI Good Practices, etc.) that best suits your needs.
2. Review the standard and its requirements for each dimension (Oversight, Crisis Management, Business Recovery, etc.).
3. Separate out each dimension and its associated requirements.
4. Weight each requirement based on its importance (high, medium, low) to the successful execution of the program.
5. Score your compliance on each requirement (no compliance, minimal, full).
6. Multiply the importance weight by the compliance score.
7. Rank your compliance score (0 to 60 Poor, 61 to 80 Moderate, 81 to 100 Excellent).

Once you have ranked each dimension, present the results to management for review, prioritization and remediation of the exposures.
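The seven steps as an added Python example (not from the post or the BCMMETRICS tool). The post names the importance and compliance levels and the ranking bands but not the numbers behind them, so the mappings high/medium/low = 3/2/1 and none/minimal/full = 0/0.5/1 are assumptions, as is expressing each dimension’s weighted total as a percentage of the points available so that the 0 to 100 bands apply; the dimension and requirement names are constructed sample data. It also orders the exposures so the high-importance, low-compliance items come first, which is the prioritization the post recommends presenting to management.

```python
# Numeric mappings are assumptions for this example; the post names the levels but not the numbers.
IMPORTANCE = {"high": 3, "medium": 2, "low": 1}
COMPLIANCE = {"none": 0.0, "minimal": 0.5, "full": 1.0}


def dimension_score(requirements):
    """Weighted compliance of one dimension on a 0-100 scale.

    requirements: list of (requirement, importance, compliance) tuples.
    Each requirement earns importance x compliance; the total is expressed as a
    percentage of the points available so that the post's 0-100 ranking bands apply.
    """
    available = sum(IMPORTANCE[imp] for _, imp, _ in requirements)
    earned = sum(IMPORTANCE[imp] * COMPLIANCE[comp] for _, imp, comp in requirements)
    return round(100 * earned / available)


def rank(score):
    """Ranking bands from the post: 0-60 Poor, 61-80 Moderate, 81-100 Excellent."""
    if score <= 60:
        return "Poor"
    if score <= 80:
        return "Moderate"
    return "Excellent"


def remediation_priority(requirements):
    """Exposures ordered by the points they would recover: high importance, low compliance first."""
    gaps = [(name, IMPORTANCE[imp] * (1 - COMPLIANCE[comp]))
            for name, imp, comp in requirements if COMPLIANCE[comp] < 1]
    gaps.sort(key=lambda g: g[1], reverse=True)
    return [name for name, _ in gaps]


def assess_program(dimensions):
    """dimensions: {dimension: requirements}. Returns {dimension: (score, rank, priorities)}."""
    result = {}
    for name, reqs in dimensions.items():
        score = dimension_score(reqs)
        result[name] = (score, rank(score), remediation_priority(reqs))
    return result


# Constructed sample: two dimensions with invented requirement names, not a real assessment.
PROGRAM = {
    "Business Recovery": [
        ("BIA refreshed within the last 12 months", "high", "full"),
        ("Recovery strategy documented for each RTO tier", "high", "minimal"),
        ("Recovery plans reviewed and updated annually", "high", "none"),
        ("Critical processes exercised at least annually", "medium", "minimal"),
        ("Plans distributed to alternate work locations", "low", "full"),
    ],
    "Crisis Management": [
        ("Crisis management team roster current", "high", "full"),
        ("Mass-notification system tested quarterly", "medium", "full"),
        ("Crisis communication templates approved", "low", "minimal"),
    ],
}

if __name__ == "__main__":
    for dim, (score, band, todo) in assess_program(PROGRAM).items():
        print(f"{dim}: {score}/100 ({band})")
        for item in todo:
            print(f"  remediate: {item}")
```

With this sample, Business Recovery earns 6.5 of 12 available points (54, Poor) and Crisis Management 5.5 of 6 (92, Excellent); the remediation list for Business Recovery leads with the high-importance requirement that has no compliance at all.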

You get a physical on a regular basis; why wouldn’t you do a regular health check on your program? Why do so many programs run without direction year after year?

So, I challenge you, rip off the band aid; pick a standard and assess your BCM compliance.  The time is now…not tomorrow.

If you want to see how we have automated the BCM compliance assessment process, visit our BCMMETRICS self-assessment tool website at www.bcmmetrics.com.

I Have a BCM Policy…Why Do I Need Standards?


You have a documented and approved BCM policy. You’re done, right? Well, not really. You told your stakeholders in the policy that they have to play in your BCM game, but what does the playbook look like? That’s where your standards come in; they outline how your stakeholders will be required to play the game. If you don’t tell them up front how they need to play, it will lead to inconsistency in the performance and execution of the BCM program.

So what standards are minimally required? The following minimum standards should be a part of your program:

  1. Plan Development & Maintenance – This standard should outline the BCM program’s expectations for how a recovery plan (Business and IT) will be developed, the minimum content expected from plan developers (business and IT) and the required maintenance. Stakeholders should be able to clearly understand the process to develop and maintain their plan by reading the standard.
  2. Recovery Strategy – This standard clearly outlines, based on the Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs) derived from your Business Impact Analysis (BIA), what the recommended recovery strategy (dedicated alternate work area, work from home, redundant computer systems/applications, etc.) should be for business units and their processes as well as for systems/applications. Plan developers need to reference this standard and implement the recommended recovery solutions and strategies to ensure they can meet their specific RTOs and RPOs.
  3. Recovery Exercise – So you told me in your BCM policy that I need to exercise annually, but what does that mean? This standard should outline the type of exercises (tabletop, walkthrough, functional, etc.) required based on the RTO of my business unit/process and/or computer system/application, the documentation required (pre- and post-exercise) and the signoffs/approvals needed following the exercises. Your standards should mandate increasingly complex exercises for business and technology over time.

Planners are often concerned that by setting standards they will cause more headaches if they can’t meet what they set as the minimum baseline; set reasonable standards that make sense for your organization and recovery requirements. Standards are not cast in stone; they can be updated to reflect the nature and needs of the organization as it matures over time.  The policy and its supporting standards work hand in hand to provide a clear picture of the expectations of the program.

Lastly, establishing and documenting standards will heighten your level of compliance with today’s industry standards, best practices and guidelines.

If Your BCM Program Were a Publicly Traded Stock, What Would Its Price Be?


As the CEO of a boutique BCM consulting firm, I am responsible for global leadership across the entire set of industry practices and horizontal capabilities within our organization. Building the firm over the last 16 years from just me and my laptop to an international consulting firm has been quite the adventure.

So, over the past years, I got to thinking: if our company were on the stock market, how valuable would we be to our shareholders? What characteristics would make our company more valuable over time? Are we executing on these characteristics in a consistent manner? How do I heighten awareness and achievement in these key characteristics?

So, you may ask, how does this apply to me as a BCM Manager? In my humble opinion, you should run your organization like a company. It’s your company, and your shareholders are your internal customers. You have a brand whether you like it or not; it may be positive or negative. BCM engages every facet of an organization; programs today must be high performing in a number of key areas:

Audience Knowledge

Do you know your customers? Working across a vast spectrum of industries and clients, we have had to learn to quickly understand the client and their culture. Working in a high-tech startup environment is a lot different from working in an insurance company that has been in business for over 100 years. Know your customers, their culture and their quirks. Figure out what makes them tick and how you can get the best out of them. Some may require more hand-holding than others; some will do it with little supervision or oversight.

Uniqueness

Whether you believe it or not, your BCM program has a brand identity associated with it. What words would your stakeholders use to describe your program? Would they say it’s innovative, consistent and easy to use, or would they say it’s complicated, lacks direction and wastes their time? We work hard to build a brand characterized by passion, consistency, timeliness, value for the investment and, most importantly, guaranteed results.

Passion

Does your team have a passion for what it does? Is this passion exhibited when you work with your stakeholders? You need passion to bring enthusiasm not only to your team but also to your stakeholders, as BCM is not a subject most people jump up and down about. Do your best to get your stakeholders passionate about BCM and how it benefits them and the organization. I love to hear when our customers say our consultants have a passion for what they do; it comes out in everything they do and bleeds over to the customer. Find people who have passion; it will yield great results.

Consistency

Do you provide the same consistency of service to your stakeholders, day in and day out? Or is it hit and miss, depending on the day and the person providing the service? Stakeholders don’t want to deal with inconsistency, as their time is so limited. As we have grown at MHA, we have worked hard to bring in people and processes that ensure a consistent approach in providing all facets of our BCM services. You have to ensure consistency in approach, methodology, timing and customer service. Inconsistency yields unhappy customers in the long run.

Competitiveness

I am a highly competitive person in my personal and professional endeavors. I strive to bring that competitiveness to my organization and the people we hire. We have grown tremendously over the years, and it’s been due to our competitiveness and desire to improve. Success breeds more success, but it can also breed entitlement and complacency. You have to be thinking not just about this year but 2 years down the road. Don’t let your program become stale; work to improve it, day after day, week after week, year over year. Minuscule improvements can yield Mt. Everest-like success over time.

Exposure

Are you communicating regularly with your stakeholders using multiple channels? We have learned that keeping in touch with our stakeholders and our staff is critical to our success. As the saying goes, “Out of sight, out of mind”. Communicate with your stakeholders regularly using email, electronic newsletters, phone calls, onsite visits, etc. Not everyone will read them, but some will; it will heighten the exposure of your brand. We do our best to maintain positive contact with our clients using multiple channels on a regular basis. My Dad taught me that the best exposure is the personal visit: the chance to hear what your customer has to say (good or bad) and shake his/her hand. In the end, it comes down to the relationship.

Leadership

As I have said before, the biggest problem we have seen in BCM programs is not the approach and methodology being used but the lack of leadership by the BCM Manager. To coordinate the efforts of team members and guide a strategic vision for a brand, someone has to step up and steer the ship. You have to be an expert motivator and know how to maximize the strengths of different team members. Learning how to step back, lead and motivate team members took me some time. You need to know where to seat your people on the bus to make the journey successful, but also where to move them or, worst case, have them get off at the next stop. I have learned I am more valuable to the organization providing global leadership and direction than I am engaged in each and every engagement.

Where is Your BCM Roadmap Taking Your Program in 2015?


Where is your BCM roadmap taking your program in 2015? Do you even have a roadmap to guide your efforts? Do you find you and your team more focused on fighting day-to-day fires, dealing with management “told you so’s” or addressing client audits than on setting a plan for heightened sophistication, compliance and maturity? As the old saying goes, it doesn’t matter what road you are taking if you don’t know where you are going!

We find a good number of BCM programs, in organizations of all sizes and shapes, with no roadmap to direct BCM efforts across the organization. Producing a roadmap based on critical needs sets the tone for targeted efforts that will bring the biggest return on the investment of time and resources. Having a roadmap is a key component of BCM Governance, Risk and Compliance (GRC). The roadmap shows that due diligence was conducted in the management of the program and its risks.

But before you create a proper roadmap, you need a good understanding of the state of your program. Look at the following areas of your BCM program and assess each for successes, weaknesses and opportunities for improvement:

  • Program Administration
  • Crisis Management
  • Business Recovery
  • IT Disaster Recovery

Based on your high-level assessment, identify where the strengths, weaknesses and opportunities for improvement lie in each of the four areas. Prioritize the findings by criticality and importance to heightening the sophistication, compliance and maturity of your program over the next twelve months.

Now create a roadmap for the next four quarters that includes ongoing BCM activities (maintenance, testing, steering committee sessions, etc.) plus the critical areas of opportunity you identified in your high-level assessment. You may not be able to get to all of them, so further prioritize your list to the most important opportunities, those that will yield the greatest heightening of resiliency in the next twelve months.

The roadmap is not a static document; it must be refreshed monthly based on progress or changes in the environment. Its purpose is to set the tone and direction for your program; it’s up to you and your team to execute upon it.

Art of Essentialism BCM Office Leader

I recently spoke at the DRJ Fall Conference in San Diego on the Art of Essentialism and its application in the BCM arena. The Art of Essentialism was coined by Greg McKeown and is focused on “Less means More, More means Mediocre”. As part of my presentation, I covered what it takes to operate a BCM program based on the Art of Essentialism and its concept of the disciplined pursuit of less.

I believe that the problem in many of the BCM programs we are called to support in a consultative role is not the program itself but the management of the program by the BCM Office Leader. In many cases, the program is in chaos with no strategic direction or management.

So what are the characteristics of an Art of Essentialism BCM Office Leader?
  • Uses Metrics to Track BCM Program Performance – Adopt a BCM standard or use a tool like BCMMETRICS.com to assess your level of compliance. Identify your successes and areas of opportunity. Focus on high-importance, low-compliance areas to get the highest Return on Investment (ROI) for resiliency.
  • Manages by High Value Activities (HVAs) – Identify which HVAs give us the highest ROI for resiliency.
  • Positions the Right People in the Right Seats – Do you have a personnel depth chart for you and your team members? You should know where talents lie and how to assign them to your HVAs. More people is not the answer; the right people are.
  • Develops a Strategic Roadmap – Based on our critical needs, a roadmap for 12 to 24 months is developed, focused on the HVAs that bring the highest ROI.
  • Heavily Invests BCM Personnel Time in HVAs – Based on the personnel depth chart, personnel are assigned to HVAs according to their expertise.
  • Believes in Investing Front-End Time with Customers – Time is invested in building the infrastructure needed to have a strong program.
  • Works like an Intrapreneur – Treats the BCM program as his/her own company, with strategic goals and objectives to meet and a focus on resiliency ROI.

The focused disciplined pursuit of less will yield a BCM program that has a high level of resiliency for the most critical business activities and systems/applications of the organization.

BCM Audits Gone Rogue…


As BCM professionals, we have all gone through audits of our programs at one time or another and dealt with the questions, the need to build a better understanding of BCM, the cautious concern while waiting for the final report, etc.

At MHA, we are the BCM Office for a good number of our clients. We manage each program using industry best practices and standards as our measuring stick, to ensure the program provides the highest level of resiliency and meets/exceeds compliance requirements. We know which of our managed programs are in line with best practices and which ones need more time and work. Internal and external audits are a part of our daily consulting efforts.

We are finding that a good number of the audits we have recently dealt with have become increasingly inconsistent in their application, findings and outcomes.  Common conditions found during recent audits:

  1. Audit Teams Don’t Read What You Send Them
  2. Lack Intimate Understanding of BCM Industry Standards and Guidelines
  3. Don’t Grasp Difference between Standards and Guidelines
  4. Generate Findings that Often Have Little to Do with Raising Resiliency
  5. Regularly Lose Data/Information Sent to Them
  6. Require Busy Work Generating New Reports or Gathering Useless Data
  7. “Them versus Us” Mentality Leading to Conflict
  8. Infighting Amongst the Audit Team Members

It’s important to state that we are not saying all audits have proceeded in this manner, but a good share have. What is most interesting to us is that we work on programs in critical industries that should receive findings but get none, and on other programs that are highly sophisticated and mature yet receive findings that make no sense.

So, how do we make audits as bearable and consistent as possible?

  1. Do your own due diligence before the audit using a BCM GRC tool like BCMMETRICS™ (www.bcmmetrics.com) so you know where you stand (level of compliance and successes/opportunities) before the audit. Run reports to identify where you are in compliance and where you have big gaps. Share your due diligence.
  2. Educate the auditors on the BCM process and how it’s applied at your organization before the audit starts by giving a short presentation (15-20 min) that goes over the program. Make sure you are well prepared and use terminology from the standards you are being audited against. Refer back to the data and information you sent them.
  3. Compile the requested data and information in a logical and highly organized manner. The documents should tell a positive story of your program from end to end.
  4. Don’t attempt to produce documents you know you don’t have at the last minute. It’s not worth the embarrassment.
  5. Ensure your BCM Office and internal audit have a clear understanding of the program so they can speak to it as needed during an audit.

What do you do when you disagree with an audit finding?

We have been taught not to push back on audits for fear that the repercussions could be greater if we voiced our opinion. I believe that if you have solid evidence a finding was not merited, push back by all means. We have seen cases of management not pushing back for fear of repercussions and then being saddled with needless work that does not raise the resiliency of the program.

In closing, we believe working with auditors is a great investment in time that can lead to increased management focus and support when a partnership approach is used throughout the audit engagement.

BIA Alignment? We Don’t Need NO Stinking BIA Alignment!


Industry best practices recommend that the BCM Office regularly align its organization’s Business Impact Analysis (BIA)-derived Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs) with Information Technology Disaster Recovery (DR) capabilities. So, here is what we are finding in the industry:

  • Management does not understand the alignment process and does not recognize its value.
  • The business and IT have different RTO and RPO matrices, so the alignment process can be somewhat difficult to accomplish.
  • IT does not provide Recovery Time Actuals (RTAs) or Recovery Point Actuals (RPAs) for the critical systems and applications.
  • BIAs are conducted and RTOs/RPOs are defined by the business, but IT still sets its own timeframes for recovery based on what it can do versus what is needed.
  • The business will reset the RTOs and RPOs to what they can achieve versus what the BIA-derived demands are to continue operations. They don’t understand that these are objectives and are different from actuals.
  • In limited instances, IT can exceed the RTOs and RPOs but does not communicate it to the business. They don’t want to be held to it.

In a perfect world, you should have an alignment meeting at a regularly planned interval (e.g., annually) to identify successes and gaps in business expectations and IT delivery capabilities.  A simple table should be constructed to show alignment and gaps:

Application   RTO        RTA        RPO        RPA
System A      12 Hours   24 Hours   4 Hours    12 Hours
System B      48 Hours   24 Hours   24 Hours   24 Hours
System C      5 Days     5 Days     4 Hours    12 Hours
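An added Python check (not from the post) that takes the table above, converts the hours and days to a common unit and flags for each system whether IT’s actuals leave a gap against the business objective, match it, or exceed it; the last case is the one the post notes IT tends not to communicate. The three rows are the post’s figures, transcribed as constructed input; the function and field names are the example’s own.

```python
import re

# Recognised units and their length in hours; the post's table uses "Hours" and "Days".
UNIT_HOURS = {"hour": 1, "hours": 1, "day": 24, "days": 24}

# Accepts a bare "12 Hours" or the post's cell style "RTO = 12 Hours".
_CELL = re.compile(r"^\s*(?:R[TP][OA]\s*=\s*)?(\d+)\s*([A-Za-z]+)\s*$")


def parse_hours(cell: str) -> int:
    """'12 Hours' -> 12, 'RPA = 5 Days' -> 120. Raises ValueError on anything else."""
    m = _CELL.match(cell)
    if not m or m.group(2).lower() not in UNIT_HOURS:
        raise ValueError(f"cannot read a duration from {cell!r}")
    return int(m.group(1)) * UNIT_HOURS[m.group(2).lower()]


def status(objective: int, actual: int) -> str:
    """gap: IT cannot meet the business need; exceeds: IT beats it (worth telling the business)."""
    if actual > objective:
        return "gap"
    if actual < objective:
        return "exceeds"
    return "aligned"


def alignment_report(rows):
    """rows: dicts with application, rto, rta, rpo, rpa written as the table writes them."""
    report = []
    for r in rows:
        rto, rta, rpo, rpa = (parse_hours(r[k]) for k in ("rto", "rta", "rpo", "rpa"))
        report.append({
            "application": r["application"],
            "rto": status(rto, rta), "rto_shortfall_hours": max(0, rta - rto),
            "rpo": status(rpo, rpa), "rpo_shortfall_hours": max(0, rpa - rpo),
        })
    return report


def gaps(report):
    """Applications with at least one gap: the items to raise at the alignment meeting."""
    return [r["application"] for r in report if "gap" in (r["rto"], r["rpo"])]


# The three rows of the post's table, transcribed as constructed input.
TABLE = [
    {"application": "System A", "rto": "RTO = 12 Hours", "rta": "RTA = 24 Hours",
     "rpo": "RPO = 4 Hours", "rpa": "RPA = 12 Hours"},
    {"application": "System B", "rto": "48 Hours", "rta": "24 Hours",
     "rpo": "24 Hours", "rpa": "24 Hours"},
    {"application": "System C", "rto": "5 Days", "rta": "5 Days",
     "rpo": "4 Hours", "rpa": "12 Hours"},
]

if __name__ == "__main__":
    for row in alignment_report(TABLE):
        print(f"{row['application']}: RTO {row['rto']} (+{row['rto_shortfall_hours']}h), "
              f"RPO {row['rpo']} (+{row['rpo_shortfall_hours']}h)")
    print("raise at alignment meeting:", gaps(alignment_report(TABLE)))
```

Converting everything to hours before comparing is the point: a cell that says “5 Days” next to one that says “12 Hours” is easy to misread by eye, and a mixed-unit matrix is exactly the situation the post describes when business and IT keep separate RTO/RPO tables.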

The BIA is conducted for a number of reasons, and ensuring alignment across the organization is one of them. So, get out there and get your systems aligned.

Hiring the Right BCM Consulting Firm…


So you are looking to hire a BCM consultant for your next initiative.  What characteristics should you look for and evaluate as part of your selection process?  Below are a few items we recommend you consider:

1. Methodology
2. Price
3. Experience
4. Customer Focus
5. Ability to Execute

#1 Methodology

This is a critical aspect of your assessment. Does their methodology follow industry best practices, standards and guidelines? Make sure their proposed methodology is in line with the industry, so that your final deliverable meets your needs and does not produce information that could expose you to additional risks or findings. Their Statement of Work should be clean, concise and consistent with today’s industry best practices.

#2 Price

Are you looking for the lowest price?  Well, if you are, there is a risk associated with that.   There is a great quote that goes like this:  “If you think it’s expensive hiring a professional, wait ‘til you hire an amateur!”    Our prices at MHA aren’t the lowest, but they aren’t the highest either.  A good consulting firm is not going to be cheap, so don’t expect something for nothing. The price may be higher, but if they are capable they should complete your assignment on time and on budget which can be cheaper than a lower priced firm that goes over budget or produces a poor deliverable.

#3 Experience

Now this can be a tricky one. Just because a consultant has multiple certifications and 20+ years’ experience doesn’t mean they can execute when the Statement of Work is signed and they come onsite. You MUST validate that the consultant(s) have the proven ability to execute and produce your deliverable. Also, if you need a consultant to speak in front of your senior management, make sure they have the requisite personal appearance and presentation skills to be successful.

#4 Customer Focus

At MHA, we strive to build long-term partnerships with our customers and be a “trusted advisor.”  In today’s business world, consultants are often treated as disposable, where companies do everything to get you to the lowest price possible for the maximum number of deliverables.  That is not a good relationship for either party, even though it may seem best for the client.   A good consulting firm will focus on customer service and seek to exceed your expectations.

#5 Ability to Execute

This is where the rubber hits the road.  Does the firm have proven experience executing on their Statements of Work with other clients?  Can they be trusted to execute on your behalf when needed?  Do they have a reputation for exceeding expectations and not just meeting them?  Lastly, a good consultant will push back when he sees you are headed in the wrong direction.  They won’t go in your direction just because you signed the Statement of Work.

A Final Thought

Do we, as consultants, ever fire customers? Yes! When I first started MHA, I was terrified to let clients know we didn’t need or want their business. We now look for MHA to be part of organizations that build successful BCM programs that are best practice and, most importantly, executable when needed in a crisis. Good customers and consultants work as partners to meet each other’s needs.

Art of Facilitating a Large Scale Mock Disaster Exercise

By: Michael Herrera 

We (my brother, who is a Fire Chief at NASA, and I) recently facilitated a large-scale mock disaster exercise that included 60-plus participants and over 10 observers.  Participants included multiple public/private schools (elementary and middle), school administration, emergency services (Police, Fire, EMS, etc.) and external observers such as Homeland Security. From a school and community based perspective it was one of our largest exercises to date.

The art of facilitating an exercise of this size and complexity is a daunting task. Even if the exercise has been designed perfectly, if you can’t lead it properly, it will fail miserably. How many of us have fallen asleep or been bored to death in an exercise?

So, what do I consider the key criteria for being a good exercise facilitator?

  • Dress the Part (Have Command Presence)
  • Smile, Smile, Smile
  • Be Charismatic and Enthusiastic
  • Know Your Exercise Scenario Inside and Out
  • Be Knowledgeable of the Personalities and Capabilities of Key Participants
  • Follow the Agenda, but Go Outside the Box When Needed
  • Know How to Engage the Participants and Ensure Cross Communications
  • Engage Humor to Keep Everyone Lighthearted
  • Look for When Participants Need Breaks
  • Permit Extended Discussions When Merited; Cut Off if of No Value
  • Keep the End Goal in Mind

I could say I have never been nervous facilitating a mock disaster exercise, but I would be lying. I use my nervousness to make me more mindful and focused on my facilitating. I look at the facilitating of a mock disaster exercise like being a storyteller; you are leading the execution of the event from its beginning to its end.

Facilitating a mock disaster exercise is a great opportunity to shine in front of many key people in your organization. Use it to your advantage.