3820 W Happy Valley Rd, Glendale, AZ 85310
(888) 689-2290

MHA Consulting



Art of Essentialism BCM Office Leader

By No Comments
I recently spoke at the DRJ Fall Conference in San Diego on the Art of Essentialism and its application in the BCM arena.  The Art of Essentialism was coined by Greg McKeown and is focused on “Less means More, More Means Mediocore”.  As part of my presentation, I covered what it takes to operate a BCM program based on the Art of Essentialism and its concept of the disciplined pursuit of less.
I believe that the problem in many of the BCM programs we are called to  support in a consultative role is not the program itself but the management of the program by the BCM Office Leader.  In many cases, the program is in chaos with no strategic direction or management.
So what are the characteristics of an Art of Essentialism BCM Office Leader:
  • Uses Metrics to Track BCM Program Performance – Adopt a BCM standard or use a tool like BCMMETRICS.com to assess your level of compliance.  Identify your successes and areas of opportunity.  Focus to high importance, low compliance areas to get the highest Return on Investment (ROI) for resiliency.
  • Manages by High Value Activities (HVA) – Identify what HVA’s give us the highest ROI for resiliency.
  • Positions Right People in the Right Seats – Do you have a personnel depth chart for you and your team members?  You should know where talents lie and how you should assign to your HVA’s.  More people is not the right answer, the right people is the right answer.
  • Develops Strategic Roadmap – Based on our critical needs, a roadmap for 12 to 24 months is developed focused on HVA’s to bring highest ROI.
  • Heavily Invests BCM Personnel Time on HVAs  – Based on personnel depth, personnel are assigned to the HVA’s based on their expertise.
  • Believes in Investing Front End Time with Customers – Time is invested in building the infrastructure  needed to have a strong program.
  • Works like an Intrapreneur – Treats the BCM program as his/her own company with strategic goals and objectives to meet and a focus on resiliency ROI.

The focused disciplined pursuit of less will yield a BCM program that has a high level of resiliency for the most critical business activities and systems/applications of the organization.

BCM Audits Gone Rogue…

By No Comments

As BCM professionals we have all gone through audits of our programs at one time or another and dealt with the questions, the need for a better understanding of BCM, and the cautious concern waiting for the final report, etc.

At MHA, we are the BCM Office for a good number of our clients.  We manage each program using industry best practices and standards as our measuring stick to ensure the program provides the highest level of resiliency and meets/ exceeds compliance requirements.  We know which of our managed programs are in line with best practices and which ones need more time and work.  Internal and external audits are a part of our daily consulting efforts.

We are finding that a good number of the audits we have recently dealt with have become increasingly inconsistent in their application, findings and outcomes.  Common conditions found during recent audits:

  1. Audit Teams Don’t Read What You Send Them
  2. Lack Intimate Understanding of BCM Industry Standards and Guidelines
  3. Don’t Grasp Difference between Standards and Guidelines
  4. Generate Findings that Often Have Little to Do with Raising Resiliency
  5. Regularly Lose Data/Information Sent to Them
  6. Require Busy Work Generating New Reports or Gathering Useless Data
  7. “Them versus Us” Mentality Leading to Conflict
  8. Infighting Amongst the Audit Team Members

It’s important to state that we are not saying all audits have proceeded in this manner but a good share has progressed in this manner.  What is most interesting to us is we work at programs in critical industries that should have findings but receive none and other programs that are highly sophisticated and mature receiving findings that make no sense.

So, how do we make Audits bearable and consistent as possible?

  1. Due your own diligence before the audit using a BCM GRC tool like BCMMETRICSTM (www.bcmmetrics.com) so you know where you stand (level of compliance and successes/opportunities) before the audit.  Run reports to identify where you are in compliance and where you have big gaps.  Share your due diligence.
  2. Educate auditors in the BCM process and how it’s applied at your organization before the audit starts by having a short presentation (15-20 min) to go over the program. Make sure you are well prepared and use terminology from the standars you are being audited against.  Refer back to the data and information you sent them.
  3. Compile requested data and information in a logical and highly organized manner.  The documents should tell a positive story of your program from end to end.
  4. Don’t attempt to produce documents you know you don’t have at the last minute.  It’s not worth the embarrassment.
  5. Ensure your BCM Office and internal audit have a clear understanding of the program to be able to speak to it as needed during an audit.

What do you do when you disagree with an audit finding?

We have been taught to not push back on audits in fear the repercussions could be greater if we voiced our opinion.  I believe that if you have solid evidence a finding was not merited, push back by all means.  We have cases of management not pushing back for fear of repercussions and then being saddled with needless work that does not raise resiliency of the program.

In closing, we believe working with auditors is a great investment in time that can lead to increased management focus and support when a partnership approach is used throughout the audit engagement.

BIA Alignment? We Don’t Need NO Stinking BIA Alignment!

By No Comments

Industry best practices recommend that the BCM Office align its organizations Business Impact Analysis (BIA) derived Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs) with Information Technology Disaster Recovery (DR) capabilities on a regular basis.  So, here is what are we finding in the industry:  

  • Management does not understand the alignment process and does not recognize its value.
  • The business and IT have different RTOs and RPOs matrices so the alignment process can be somewhat difficult to accomplish.
  • IT does not provide Recovery Time Actuals (RTAs) or Recovery Point Actuals (RPAs) for the critical systems and applications.
  • BIAs are conducted and RTOs / RPOs defined by the business but IT still sets its own timeframes for recovery based on what it can do versus what is needed.
  • The business will reset the RTOs and RPOs to what they can achieve versus what the business BIA derived demands are to continue operations.  They don’t understand that these are objectives and are different than actuals.
  • In limited instances, IT can exceed the RTOs and RPOs but does not communicate it to the business.  They don’t want to be held to it.  

In a perfect world, you should have an alignment meeting at a regularly planned interval (e.g., annually) to identify successes and gaps in business expectations and IT delivery capabilities.  A simple table should be constructed to show alignment and gaps:

Application RTO RTA RPO RPA
System A RTO = 12 Hours RTA = 24 Hours RPO = 4 Hours RPA = 12 Hours
System B RTO = 48 Hours RTA = 24 Hours RPO = 24 Hours RPA = 24 Hours
System C RTO = 5 Days RTA = 5 Days RPO = 4 Hours RPA = 12 Hours

The BIA is conducted for a number of reasons and ensuring alignment across the organization is one of them.    So, get out there and get your systems aligned.

Hiring the Right BCM Consulting Firm…

By No Comments

So you are looking to hire a BCM consultant for your next initiative.  What characteristics should you look for and evaluate as part of your selection process?  Below are a few items we recommend you consider:

1. Methodology

2. Price

3. Experience

4. Customer Focus

5. Ability to Execute


#1 Methodology

This is a critical aspect of your assessment.  Does their methodology follow industry best practices, standards and guidelines?  Make sure their proposed methodology is in line with the industry to make sure your final deliverable meets your needs and does not produce information that could expose you to additional risks or findings.  Their Statement of Work should be clean, concise and consistent with today’s industry best practices.

#2 Price

Are you looking for the lowest price?  Well, if you are, there is a risk associated with that.   There is a great quote that goes like this:  “If you think it’s expensive hiring a professional, wait ‘til you hire an amateur!”    Our prices at MHA aren’t the lowest, but they aren’t the highest either.  A good consulting firm is not going to be cheap, so don’t expect something for nothing. The price may be higher, but if they are capable they should complete your assignment on time and on budget which can be cheaper than a lower priced firm that goes over budget or produces a poor deliverable.

#3 Experience

Now this can be a tricky one.  Just because a consultant has multiple certifications and 20+ years experience doesn’t mean they can execute when the Statement of Work is signed and they come onsite.  You MUST validate the consultant(s) have the proven ability to execute and produce your deliverable.  Also, if you need a consultant to speak in front of your senior management, make sure they have the requisite personal appearance and presentation skills to be successful.

#4 Customer Focus

At MHA, we strive to build long-term partnerships with our customers and be a “trusted advisor.”  In today’s business world, consultants are often treated as disposable, where companies do everything to get you to the lowest price possible for the maximum number of deliverables.  That is not a good relationship for either party, even though it may seem best for the client.   A good consulting firm will focus on customer service and seek to exceed your expectations.

#5 Ability to Execute

This is where the rubber hits the road.  Does the firm have proven experience executing on their Statements of Work with other clients?  Can they be trusted to execute on your behalf when needed?  Do they have a reputation for exceeding expectations and not just meeting them?  Lastly, a good consultant will push back when he sees you are headed in the wrong direction.  They won’t go in your direction just because you signed the Statement of Work.

A Final Thought

Do we, as consultants, ever fire customers?  Yes!  When I first started MHA, I was terrified to let clients know we didn’t need or want their business.  We now look for MHA to be part of organizations that build successful BCM programs that are best practice, and, most importantly, executable when needed in a crisis.    Good customers and consultants work as partners to meet each other’s needs.



ORGANIZED CHAOS: Some semblance of order when it seems otherwise.

By No Comments


Organized Chaos isn’t a new term. But I have always advised our clients that what you want in your organization during a crisis is “organized chaos.

Consider the following scenario:

There is a blazing fire in a building. There is heavy smoke and flames everywhere; you can hardly see your hand in front of you. Fire trucks, police cars, and ambulances with lights blazing are parked everywhere. Water is being sprayed at the fire at blinding speed. The injured are on stretchers or being carried on someone’s shoulders. Dozens of firemen are rushing around, screaming orders back and forth, carrying all kinds of paperwork, medical equipment . . . and the thought might occur to a person that this is absolute chaos. It’s a wonder that the fire is put out and the injured taken care of in this chaotic mess.

But, taking a deep breath and focusing, it becomes clear that there is an order to this confusion. Some wise and unflappable person called the incident commander has been apprised of the state of the fire; knows the potential number of people in the building; has ensured the firemen know what size and type of hose to use and where to attack the fire; knows which of his firemen are in the building and who is not in the building; and has set up a triage area to treat patients before they are taken away by the ambulances. Police have been asked to cordon off the area to ensure no one else can be injured. A Rapid Entry team stands by to go in and extract injured or trapped firemen. Eventually, the fire is put out, everyone is treated, and the site cleaned up. For those of us who love being in the heat of a crisis, this is “organized chaos” at its finest.

CHAOS has the appearance of being uncontrolled. Recent research of chaos helps us to understand that there is some order to that which appears to be out of control. Chaos theory is a prominent concept that gives life to this idea. It is best characterized by the concept of the “butterfly effect”; the illustration that a butterfly flapping its wings in Brazil affects the space, energy, and activity of storm systems in New York City. There is a connection. It is not pure chaos, as in “out of control.”

Organized chaos, therefore, has elements to it that have nothing to do with human endeavor. However, there are elements of ourselves and our organization that we can apply to seemingly “crazy out of our mind” moments. The application of incident or crisis management, for instance, removes the overly-spontaneous character of a crisis or an event. Systematic organization of a team, or of resources, or of an incident management process provides for a planned result.

There is something humorous about the term organized chaos.” Some might consider it an oxymoron, a combination of words that contradict each other. It falls into the same category as the term “herding cats,” which is deemed almost impossible to accomplish by most of us.

My belief and experience is that the secret to organized chaos is revealed when one takes a breath, stands back, and removes one’s trepidation from the scene. It is a matter of perspective. That is not to say that there aren’t chaotic moments which are out of control. But I suspect that many of the times we think we are watching chaos there may be more order to it than we first sense.

So, what are you waiting for? Prepare yourself and your organization to bring “organized chaos” to those seemingly out of your mind moments that can bring your company to its knees!

Art of Facilitating a Large Scale Mock Disaster Exercise

By No Comments


The Art of Facilitating a Large Scale Mock Disaster Exercise

By: Michael Herrera 

We (my brother, who is a Fire Chief at NASA, and I) recently facilitated a large-scale mock disaster exercise that included 60-plus participants and over 10 observers.  Participants included multiple public/private schools (elementary and middle), school administration, emergency services (Police, Fire, EMS, etc.) and external observers such as Homeland Security. From a school and community based perspective it was one of our largest exercises to date.

The art of facilitating an exercise of this size and complexity is a daunting task. Even if the exercise has been designed perfectly, if you can’t lead it properly, it will fail miserably. How many of us have fallen asleep or been bored to death in an exercise?

 So, what do I consider key criteria for being a good exercise facilitator?

  • Dress the Part (Have Command Presence)
  • Smile, Smile, Smile
  • Be Charismatic and Enthusiastic
  • Know Your Exercise Scenario Inside and Out
  • Be Knowledgeable of the Personalities and Capabilities of Key Participants
  • Follow the Agenda, but Go Outside the Box When Needed
  • Know How to Engage the Participants and Ensure Cross Communications
  • Engage Humor to Keep Everyone Lighthearted
  • Look for When Participants Need Breaks
  • Permit Extended Discussions When Merited; Cut Off if of No Value
  • Keep the End Goal in Mind

I could say I have never been nervous facilitating a mock disaster exercise, but I would be lying. I use my nervousness to make me more mindful and focused on my facilitating. I look at the facilitating of a mock disaster exercise like being a storyteller; you are leading the execution of the event from its beginning to its end.

Facilitating a mock disaster exercise is a great opportunity to shine in front of many key people in your organization. Use it to your advantage.



The Art of the BIA (Business Impact Analysis)

By 1 Comment


The Art of the BIA

By: Brandon Magestro

The Business Impact Analysis or BIA can be a daunting task for any organization.  As a foundational requirement of any continuity program, it must be completed in order for you to drive the development of plans, identification of recovery strategies, and implementation of solutions. 

As a company, MHA has conducted well over 2,000 BIA interviews.  Over the years, we have developed a highly refined process to plan, conduct and report the results of a BIA.  I expect our staff of consultants to not require more than 3.5 to 4.0 hours of a business unit’s time to complete their BIA.  This includes 45 minutes to complete the pre-work, 2.5 hours or less for the interview and 0.5 hours to validate the results.   Management is now asking us to finish interviews in 1.5 hours!

We have learned that less is definitely more when it comes to conducting BIAs.  Your questionnaire should be in compliance with best practices, but be tightly focused and have limited questions.

Top Reasons BIAs Go Bad

  1. Management and Participant Communication – Management and/or participants are not apprised of the BIA, what is expected and what will be the end game.
  2. Pre-Work: BIA participants do not complete pre-work, don’t complete it on time or it’s so bad that you spend too much time correcting it at the interview and waste valuable time.
  3. Logistics – Conference rooms don’t have the right audio-visual equipment, rooms are too small, people aren’t fed during lunch interviews, etc.
  4. Subject Matter Experts – The right people from each participating unit do not attend and so cannot provide the needed information.
  5. BIA Tool – The tool is clunky, complex, and no one has a clue how it works!
  6. Facilitators – The person or person(s) leading the interview do not have the skills to lead the participants through a real-time session.  It gets bogged down, people get bored or outright irritated.  This is a REALLY dry subject, so if you aren’t charismatic and can’t keep participants focused, it’s not for you.

A World Class BIA

  1. Management & Participant Awareness – Management and participants are involved from the beginning and have a clear picture of what is expected from them in planning, implementation, validation, and approval of the BIAs.
  2. Pre-Work – Easy to complete pre-work is distributed to participants at least 2 to 3 weeks before interviews.   We have them identify their core business processes, systems/application dependencies, and legal/regulatory requirements for each process.   The data is uploaded to our BIA tool to speed up the interview.
  3. Logistics – Conference rooms are staged for each interview; we require a projector or monitor to display our BIA tool as we walk the participants through it.  They see the results of their efforts real time.
  4. Subject Matter Experts – Participants are picked on their knowledge of the business unit and processes; titles are irrelevant if the participant doesn’t know how the processes work or what they depend on.
  5. BIA Tool – The tool is easy to use, calculates Recovery Time Objectives (RTOs) based on input and is easy for participants to follow.  The key here is: EASY TO USE!
  6. Facilitators – Dress to impress, have high energy and enthusiasm to lead the participants. Keep the energy up and they will respond in kind.  Bring a bag of chocolate; people love it.  We use two facilitators, one to lead the discussion and one to enter the data.

Lastly, remember BIAs are never perfect.  But as you conduct ongoing BIAs, the participants will gain knowledge and refine results.  We are just finishing 11 BIAs for a Fortune 100 entertainment company this week; without following the steps noted above, it would have been a disaster.  We know we have done our job when people leave smiling and saying “It wasn’t as bad as thought it was going to be!”


How Do You Measure Up? – Are You a Leader in BCM Governance, Risk and Compliance (GRC)?

By No Comments


How Do You Measure Up? – Are You a Leader in BCM Governance, Risk, and Compliance (GRC)

By: Michael Herrera

If you’re a BCM Practitioner, you’ve probably been asked this question from your senior management: “How compliant is our Business Continuity program and how does it compare to others in our industry?”  Are you still trying to figure out what industry standards fit your program or are you using inefficient manual tools that are holding you back?  A BCM GRC software tool is something you should consider today.

What the Trends Tell Us

BCM compliance across companies we have worked with has yielded interesting information:

  • Many organizations are afraid to assess their compliance level – better to keep their head under the sand than know the truth
  • Management education is needed to show how BCM compliance benchmarking can be effectively used to manage the program
  • The use of self-assessment tools to measure BCM compliance is non-existent or it is a rudimentary tool with limited functionality
  • The majority of organizations do not have a clear picture of where they stand and/or where their weaknesses or strengths lie
  • Resource time is often being spent on program dimensions that have little to no effect on compliance and resiliency
  • Management is continually asking for compliance benchmarking and reporting, but it doesn’t exist

How A BCM GRC Tool Helps You

In a nutshell, a BCM GRC tool helps you better manage your program by balancing the risks and opportunities of the program. If you’ve devised your own system of assessing your compliance, such as using a manual process, it gets a little trickier to assess and report on compliance on a regular basis.   And if you’ve ever let something accidentally slip through the cracks, you can appreciate a better way to manage your process. Not every GRC platform features questions modeled after industry standards and weighted by importance, permits task assignments, and comprehensive management reporting, but you’ll benefit from choosing one that does. Unless, that is, you have your own personal assistant who keeps you up to date about everything regarding BCM compliance…and these days, who does?

Your Goal Is Compliance and Resiliency

If your goal as a BCM Practitioner – and let’s face it, every one of us has this as a goal – is to raise your compliance and resiliency, you need a reliable system for assessing compliance. A BCM GRC tool can play a major role in making all these business processes much easier.  Let’s say you’ve been asked to assess your BCM compliance. In your BCM GRC tool, you can quickly and easily assess the compliance of the five dimensions  (Program Administration, Crisis Management, Business Recovery, Disaster Recovery, and Supply Chain Risk Management) of your program.  You can attach supporting documentation, so you have everything that relates to that assessment in one handy place.  You can assign fellow planners access to specific programs or grant access to auditors to view reports on your compliance.   You can add tasks and assign responsible parties for resolution to keep the program moving down the compliance trail.  You can run management scorecards and reports on each dimension, outlining the state of the program. This kind of highly valuable data gives a big picture analysis of what the compliance landscape looks like. For example, perhaps the tool identifies your BIA process is critically weak and does not comply with industry standards. This is worth considering. Perhaps it might be time to revise your BIA questionnaire, or look to outside agencies to implement a best practice approach.

Designed for You

The multitude of BCM industry standards is overwhelming even for the experienced practitioner.  But BCMMETRICS makes the process extremely easy to use and administer. Our own BCMMETRICS platform is designed to be simple enough to figure out within minutes.  We offer a free video on BCMMETRICS and overview of the solution on our website.

If you’re serious about succeeding as a BCM Practitioner, make sure you’re using the right tools, like BCMMETRICS. It’s designed to help BCM Practitioners like you be more effective at successfully managing your BCM program through intelligent assessment and measurement. Try a 14-day trial of our paid plans.

If you’re a BCM Practitioner, you’ve probably been asked this question from your senior management: “How compliant is our Business Continuity program and how does it compare to others in our industry? “  Are you still trying to figure out what industry standards fit your program or are using manual inefficient tools that are holding you back?  A BCM GRC software tool is something you should consider today.


Art of Essentialism in BCM – The Disciplined Pursuit of Less

By No Comments

Managing an enterprise BCM program requires BCM Practitioners to address many program initiatives and tasks that must must seamlessly work together.  I liken BCM programs to a watch with many moving parts;  some critical and others not so critical to its operation and ability to provide accurate time.

In today’s high pressure environment, we see BCM Practitioners being overrun with not only managing the program daily but dealing with external influences (e.g, audit requests, questionnaires, etc.) that take up their time.  Yet, many BCM Practitioners continue to attempt to work on everything at once in an effort to maximize productivity but end up actually producing less and making more mistakes.   Are you and your team experiencing any of these symptoms:

  1. Are you and your BCM team stretched too thin?
  2. Do you simultaneously feel overworked and underutilized?
  3. Are you often busy but not productive?
  4. Do you feel like your time is constantly being hijacked by other people’s agendas?
  5. If you answered yes to any of these, the way out is the Way of the Essentialist.

I have learned from being a BCM practitioner and now running multiple BCM related companies that to be successful you must be mindful;  and more importantly,  be an essentialist in order to not get more done in less time but get the right things done that make the most difference.  A member of my Board of Directors had me create a list of everything I was doing and / or  felt I needed  to do in managing our companies.  The list was exhaustive and made it clear how scattered my efforts were and were not focused on the essential tasks that bring the greatest return on investment to me and our organizations.  Eliminating unnecessary tasks was not easy; it required me to train others to take tasks, hire where possible, outsource to external parties, forget about some and most importantly, trust that the minimum set of tasks was what I needed to do.

 So, how do we apply this to our BCM teams and our programs?  

  1. List all of the tasks you and your team members perform.
  2. Inventory all of the program initiatives (Policy, Plans, Strategies, Audits, BIAs, etc.)  you are working on currently.
  3. Starting with your team member list of tasks, review the list and categorize them by essential and non-essential by looking at tasks permit you to make the highest possible contribution.  Determine what to do with the non-essential tasks (e.g., eliminate, transfer, outsource, etc.).
  4. Based on your review of you program initiatives, which ones provide the greatest return on compliance, resiliency and maturity?  Which ones are window dressing?
  5. Revise the tasks you and your team members will perform based on what is essential and brings the highest possible contribution.
  6. Generate a program roadmap with the most essential initiatives that will heighten the sophistication and maturity of your program.

Essentialism is systematic discipline for identifying what is absolutely essential, then eliminating everything that is not, so we can make the highest possible contribution towards the things that really matter.  By applying a more selective criteria for what is Essential, the disciplined pursuit of less empowers us to reclaim control of our own choices about where to spend our precious time and energy to bring about the highest possible contribution to our team and organization.

Planning Your Next Mock Disaster Exercise

By No Comments

As BCM Practitioners we are often required to dream up, plan, implement and facilitate a mock disaster exercise for our Crisis Management teams. The planning process is crucial to developing an exercise that meets the needs of your organization.  Steps in planning a successful mock disaster exercise are:

  1. Consider the past list of scenarios you have presented to the team in the past.  Does a past exercise suffice or do we need to develop a brand new exercise?  A past exercise can be used if  significant gaps were exposed that require you to replay it to validate the teams response.  Always consider the maturity of the team.
  2. Review action items from previous exercises to make sure they have been resolved and do not cause gaps in the upcoming exercise.
  3. Identify the key objectives of the exercise; what are you trying to stress test and validate?  Focus on a core set of objectives that you would like the exercise to meet.  Less is more here.
  4. Based on the objectives, identify Subject Matter Experts who will aid you in building  the exercise.  These individuals can be internal and/or external personnel who will provide you with expertise to build your scenario.  These people typically do not participate in the exercise since they built it.
  5. Hold multiple brainstorming sessions with your Subject Matter Experts to build the exercise based on objectives you are trying to meet.  Typically, a couple of these sessions will build the framework that you can use to create the detail events.  Validate the exercise framework meets objectives.
  6. Build the detailed timeline and list of events to occur based on the framework you developed with the Subject Matter Experts.  Consider how long you have for the exercise,  give people time to address events and respond as needed.  I consider the maturity of the team in determining how long I give them to address and respond to events in the exercise.
  7. Validate the scenario, timeline and events with your Subject Matter Experts; ensure it makes sense and meets the objectives.  Identify gaps or areas that are confusing; you don’t want participants pointing at holes in your exercise that will derail it.
  8. Revise the scenario and you are ready.
  9. Make sure you have a good facilitator ready to lead the exercise.  This person must be prepared to lead the team from the beginning to the end of the exercise.  He or she must know the exercise in and out as well as assess how the team is doing.  If the exercise needs to be slowed down or sped up, the facilitator must address it.
  10. Have fun and enjoy the exercise.  It will never go as perfectly scripted but when does a disaster fit our plans?