3820 W Happy Valley Rd, Glendale, AZ 85310
(888) 689-2290

MHA Consulting

Blog

blog-full

Cyber Event Planning – Hope is not a Strategy

By No Comments

Richard Long, Senior Advisory Consultant, MHA Consulting

For Business Continuity planners, data security has become a high priority element of the program. Audits have pushed this to the top of the priority list for many organizations. Even with all the data breaches over the past several years, many organizations are not prepared to react to a data breach. We have seen the entire continuum – from highly prepared for a breach (with formal plans, regular exercises, and technologies in place to  prevent breaches) to a strategy of hope – we hope it does not occur.

Every security expert with whom we have worked says it is not if, but when, an organization will have some type of data exposure or cyber event. The cost of these breaches has grown year over year. A 2015 study by IBM and the Ponemon Institute calculated the average cost to organizations (350 companies in the survey) to be 3.79 million dollars. This is an average of $154 per record lost or stolen. Depending on the industry the cost can vary, with the public sector at $68 and retail at $165.

Organizations must make planning for and preventing data breaches an ongoing activity. It should be noted that a basic security penetrating code can be purchased for a little as 10–15 dollars on the web. These codes are not sophisticated, but the ease of access should cause everyone to pause.

Your planning should include the following:

  • Does your organization have or need cyber insurance?
  • What is your response plan in the event of a cyber event?
  • What is your communication plan?
    • Media
    • Social Media
    • Internal
  • Can you afford to shut down your online presence, your online commerce, or access?
    • For how long?
    • Are there portions that can be shutdown, still allowing critical or limited access?
    • Is there a decision point for shutting down access?

These should be identified in advance to allow the Crisis Management Team to make decisions quickly.

Cyber event planning is both a business and IT endeavor. As it relates to data breach or cyber event planning, hope is not a strategy.

Thinking Outside the Box – Plussing the Show

By No Comments

Richard Long, Senior Advisory Consultant, MHA Consulting

We often sit in meetings or brainstorming sessions and say, “Let’s think outside the box.” What does that really mean?

I was recently in a presentation by Doug Lipp, an author and business consultant who worked for Disney in management and training (www.douglipp.com). He said several things which were quite impactful and pertinent to Business Continuity and business in general. For this blog, I’d like to focus on one: “Plussing the show.” Plussing, a term coined by Walt Disney, means to improve or provide more than expected. This, for me, has become how to “think outside the box.”

We have to keep plussing our show. If we ever lose our Guests, it will take us ten years to get them backWalt Disney

How does this relate to BCP? We have to keep looking for ways to improve what we do. It does not mean to stop doing the basics. It means to make what we know is needed and necessary more relevant, easier to use, and easier to maintain.

I think Disney’s quote above is relevant to those of us in the BCP field. If we lose our business partners, “it will take us years to get them back.”

How might we “plus” our BCP programs?

  • Simplify our documentation and checklists (look for a future blog on this topic)
  • Use and refer to information that is already available
  • Have more frequent and shorter BCP conversations with business partners and leaders
  • Learn about the business needs, concerns, priorities, goals, and processes (See blog: Is Your BCM Program in Sync with Your Organization?)
  • Work to integrate business and technical strategies
  • Remember that each time you talk to someone about BCP, it may be the first time for them. It may be the thousandth time you have said it, but it still may be the first time your colleague has heard it.

Compare your responsibility in this area to those of an amusement park ride operator. The operator says the same thing over and over for each guest, but for some it may be the first time they have ever experienced it. You need to say it like it is the first time for you – it will bring excitement and passion. Go out and “plus your show!”

Will key information be available during a crisis?

By No Comments

Richard Long, Senior Advisory Consultant, MHA Consulting

Information is critical to our businesses. We cannot make good decisions without it. We identify the cause of issues based on it. In a crisis, without information, we may be making decisions or trying to contact appropriate parties like a myopic without his glasses.

What is the information that may be required during a crisis?

  • The severity of the impact to business processes
  • How long the crisis may last
  • Internal contact lists
  • External contact lists
  • Crisis & Recovery Team members and responsibilities
  • Recovery plans and checklists
  • Business processing requirements
  • Manual processing procedures
  • Information on business risks

You have probably documented much of this information already. The questions to ask are: where is this information? Will it be readily available? Is it up-to-date? The following are issues we at MHA have seen as related to information needed during a crisis:

  • Contact lists are out of date or not accessible.
    • Electronically stored information may or may not be available, even if it is in the “cloud.”
      • Cloud-based information requires Internet access – are you sure that is completely redundant with no single points of failure?
      • If it is on Exchange or some other system – what is the recovery timeframe? Are there any single points of failure? Can you access it remotely?
    • Paper in storage or soft copies on storage devices are often out of date the day after they are printed or stored.
    • Contact lists are constantly changing. In our experience developing contact lists we see that sometimes team members have left the organization before the list has even been finalized.
      • This is the nature of lists. Only you can determine the appropriate update schedule and identify the single points of failure. Annual or bi-annual updates are not enough.
    • Secondary or tertiary team members are not identified.
      • People cannot work 24X7; secondary and tertiary team members are critical.
    • Risks to the business are not documented, but the Crisis Management team depends on this information.
    • Without basic risk information, time must be taken to perform the analysis and figure it out. Having critical process risk impacts identified ahead of time speeds up decision making during events.
    • Business processing requirements are not documented and require multiple teams – IT & business – to identify impacts and what processes are critical, their dependencies, and how to manually run those processes if necessary. Most organizations assume they can just start processing after systems are available. It is assumed everything is self-healing. We have found this is not the case.
    • Teams are hesitant to make decisions without first having all the information available. Some information may not or cannot be gathered. It is critical to determine if it is reasonable to expect that needed information can be obtained in a timely manner. If not, make the best decision based on the information available.
      • Preparing more information as part of the crisis management documentation will enable better decision making during a crisis situation.

The issue is not that the information cannot be obtained, but it may be difficult or take significant time to do so, restricting quick action or decision making that could minimize impact. Take a few minutes to assess if critical information is truly available during different crisis scenarios.

Understanding your individual & family risk profile

By No Comments

Richard Long, Senior Advisory Consultant, MHA Consulting

Along with the rest of the world, I have been thinking about and praying for those in Japan and Ecuador. When these tragic events occurred I was thousands of miles away on another continent working with a client. My thoughts immediately went to my family and how grateful I am to live in a place with very little risk of natural disasters. My thoughts also went to a friend of mine who recently passed away. He was in his early eighties and had an amazing life – we had many stimulating conversions and he walked several miles each day. He died suddenly of a heart attack and was not found until three days later – when his children had not heard from him and called the police.

While my family has a plan for gathering and communicating in the event we are separated during a crisis event, I must admit, in my heart of hearts, I don’t think we will actually ever have to use it – ironic for someone in my field. If I have those feelings, I know many of you have the same thoughts. The recent death of my friend and earth showing its power have made me realize that I need to follow the counsel I give to clients.

The most important aspect of any organization is the people – that includes our families. Do you know the risks to your family (most impactful, most likely, etc.)?

Families have many characteristics – biological relationships (children, parents), spouses, partners, extended relationships, friends, and pets. They may live in the same dwelling, in the same city, same region, or far away.

As a BCP professional, in order to support your business, you need to be available. If your family is impacted – whether as part of the business crisis or as a separate family crisis – you may not be available to help keep your business resilient.

The good news: you can use the same methods to determine risks and plan for your family as you do for your business.

  • What are the natural threats to your family members (at home, school, and work)? For example, I know that during the summer, microbursts can have major impacts to localized areas in my metropolitan area.
  • What are the most likely threats to your family (violent crime, health or injury risks)?
    • Understand your family members’ hobbies and extracurricular activities. Understand family health conditions and how those may impact each family member.
    • What is the risk profile of your neighborhood – are there any potential high crime or protest locations, hazardous vehicle routes, etc.? Talk to the local police and understand the crime distribution. For example, vehicle theft is relatively high in my zip code.
  • Create a basic communication, relocation, and assembly plan.
    • Practice and review the plan on a regular basis. Make updates as situations change. A plan that includes young children is different from one that includes teenagers, adults, or adult dependents.
  • Put a plan together on how to check on a family member or loved one not living with you to make sure all is well. (Side benefit, you to get communicate more often.)

There is nothing more important than you and your family or support group. Take the time to plan – it will give you a little more peace of mind.

Your Administrative Assistants are your Friends

By No Comments

Richard Long, Senior Advisory Consultant, MHA Consulting

Who is the most important person in an organization? I was thinking about this when conducting some Business Impact Analysis interviews recently. I asked some of the people during the interviews what they thought. Some of the answers: CEO, COO, “me,” “no one – everyone is important,” sales people, operations, etc. A position that never came up, but should arguably be included, is the administrative assistant. During the BIA process, I spoke with the admins/office managers at several locations and they all had insights that no one else provided. There was knowledge of both defined and actual organizational procedures, and how processes actually were performed vs. how they were “supposed” to be performed.

As you consider how to ensure that various BCP documents are created or updated, work to include the administrative assistants or other support individuals in these activities. They are often an underutilized group as it relates to business functions. When I had management responsibilities, the admin assigned to me kept me on track with those tasks that were most important or needed to be completed. Without this individual I would not have been nearly as successful.

Here are some of the ways to use these important and knowledgeable people:

  • Ask the individuals they support for permission to use them.
  • Have them develop draft documentation – they know more than you think.
  • Ask them to assist with getting the team to complete their updates/tasks. You’d be amazed how much influence and urgency they can provide.
  • Ask them who to contact when issues arise and you are not sure who can help.
  • Include them in the Crisis Management Team in communication, logistics, or other support type roles. They are typically among the best in the organization with these skills.
  • Include them in assessments and information gathering.
  • Include them in the Crisis Plan and Communication Plan development. They know who to contact, the best methods to use, and when those individuals want/need to be informed.

Administrative Professionals have a tremendous amount of information and knowledge. They can make your job easier and help you get the BCP tasks completed.

Many BCM Practitioners Continue to Ignore BCM Standards

By No Comments

Michael Herrera, CEO, MHA Consulting

Many BCM practitioners talk about BCM standards, but few walk the walk. I write this blog as this subject continues to boggle my mind in today’s risk-filled environment.

I recently presented to two groups: one at a major conference in Orlando and the second at a leading continuity group in Nebraska. We spoke to a total of about 140 practitioners regarding standards and compliance. The attendees were all from mid-level to very large companies – some regulated, some not. Experience levels ran from beginner to advanced.

The first question I asked both groups was: How many of you have adopted a standard to drive your enterprise BCM program?

Want to guess what percentage had adopted a standard?  1%? 25%? 50%?  Less than 10% of the 140 had adopted a standard—a dreadfully low number.

Many used the excuse that they are not regulated (which I don’t get in this day and age). Others don’t know what standard to use, how to implement it, or what value it will bring. I believe that in some cases the BCM program attempts to stay under management radar.

In today’s world, the BCM Office and its efforts, resources, and needs typically cost companies hundreds of thousands, if not millions, of dollars annually. Staff cost alone can be over a million dollars in salaries, not to mention all of the other moving parts.

Would you want your multi-million house built without using building codes and standards?  How about the airplanes we fly in or the medical facilities we use?

Today’s constantly emerging risks, increasing expenses, and responsibility for recovery mandate that you use a standard to build your program from to ensure that it can operate at a high level when it’s needed most.

The dark ages of our industry are long gone. To be “world class” you need to have high compliance and low residual risk.

Remember, you might not be able to change the destination of your program today, but you can change your direction. Be a BCM leader; adopt a standard.

 

Five Tips to Prepare for a Program Audit

By No Comments

Michael Herrera, CEO, MHA Consulting

As BCM professionals we have all gone through program audits at one time or another. It is in our best interest to know what to expect from an auditor, how to deal with the audit experience in a positive way, and how to respond to findings and move our program forward.

At MHA, we are the BCM Office for a good number of our clients. We manage each program using industry best practices and standards as our measuring stick to ensure that the program provides the highest level of resiliency and meets or exceeds compliance requirements. We know which of our managed programs are in line with best practices and which ones need more time and work. Audits are a part of our daily consulting efforts.

We are finding that it is increasingly common for audits to be inconsistent in their application, findings, and outcomes. It is not unusual for audit findings to conflict with what we know to be the true state of compliance in a BCM program. Common conditions we see during audits:

  • Audit teams lack intimate understanding of BCM industry standards and guidelines.
  • Audit teams don’t grasp the difference between standards and guidelines.
  • Audit teams don’t read what you send them.
  • Audit teams generate findings that often have little to do with raising resiliency.
  • There is often conflict created by a “them versus us” mentality.

How do we make audits as bearable and consistent as possible?

Tip #1 – Be prepared – understand your compliance status

  • Ensure your BCM Office and internal audit have a clear understanding of the program to be able to speak to it as needed during an audit.
  • Familiarize yourself with the standards, regulations, and best practices that apply to your industry and BCM program.
  • Understand your compliance status and where your deficiencies are prior to the audit.

Tip #2 – Be proactive – understand how your program will be evaluated

  • Auditors should provide you with a scope of the audit, including what standards they will use to evaluate your program. Note any variations from the standards you actually use and resolve that ahead of time.

Tip #3 – Be cooperative – the auditor is a potential ally

  • Provide the auditors with the information and documentation they need in a timely and thorough manner. Gather your documentation ahead of time, if possible.
  • Compile requested data and information in a logical and organized manner. The documents should tell a positive story of your program from end to end.
  • Don’t attempt to produce documents you know you don’t have at the last minute.  It’s not worth the embarrassment.

Tip #4 – Be realistic and respond honestly to findings; it’s OK to disagree with a finding

  • A BCM GRC tool like BCMMetricsTM can be used to help you prepare for and respond to an audit. BCMMetrics allows you to do your own due diligence so you know where you stand (level of compliance and successes/opportunities) before the audit. Run reports to identify where you are in compliance and where you have big gaps. Share these efforts with your auditors, including any plans you have to address any deficiencies.

Tip #5 – Be accountable – follow through with your action items; improve your own internal standards as needed

What do you do when you disagree with an audit finding?

Fear of possible repercussions for speaking out often keeps us from pushing back on audit findings. I believe that if you have solid evidence a finding was not merited, by all means, push back. Be respectful and specific with your disagreement, and don’t hesitate to propose an alternate conclusion or recommendation. There is no reason to be saddled with needless work that does not raise the resiliency of your program.

In closing, working with auditors is a worthwhile investment of time that can lead to increased management focus and support. Don’t underestimate the importance of preparation, cooperation, honesty, and accountability throughout the audit engagement.

 

 

Is Your Work-At-Home Strategy Functional?

By No Comments

Susan Diehl-Brenits, Advisory Consultant, MHA Consulting

An often-overlooked component of a strong business continuity program is having a work-at-home option as part of an alternate worksite strategy. But making it a realistic option is essential.

With the cost of alternate worksites (hot/warm sites) increasing, having the ability for employees to continue critical business activities from home during a business disruption is vital, but the right components need to be in place to ensure this strategy works.

Here are some best practices to consider:

Make working from home part of your corporate culture

Employees need to have the right tools to succeed. This includes company issued laptops or the ability to access company systems from a personal computer. Do employees take laptops home every night and/or can they access corporate systems from a personal computer? If not, you’re limiting your employees to working only from the official alternate worksite or waiting until a laptop can be issued to them.

Define critical work beforehand

Critical work needs to be defined in advance so that during a business interruption employees are focusing on the prioritized business activities and not the activities that can be deferred until after the disruption.

Can the network handle the traffic load?

Does every employee working remotely during a business disruption need to be working at the same time? Is there the potential to work in shifts? By having employees access network systems during different times, you will reduce the demand on the corporate network. Defining and communicating times to work/access systems should be considered.

Keep the lines of communication open

Communication is key when working from home. Employees should be able to troubleshoot problems and minimize downtime. Make sure employees know who to contact when they are having issues – whether it is problems accessing a system, network connectivity, or questions about a business activity.

Practice makes perfect

Finally, make sure that when you need to implement your work-at-home strategy for a business disruption, it is not the first time employees are working from home. Allow employees to work from home occasionally to ensure they know how to connect to the corporate network from home, or how to work with the IT helpdesk to troubleshoot a connection.

Is Your BCM Program in Sync with your organization?

By 1 Comment

Richard Long, Senior Advisory Consultant, MHA Consulting

As a business continuity professional, what is most important to you? Do you ask yourself:

  • Are business departmental plans up to date?
  • Does the IT DR solution actually work?
  • Do you have enough alternate location seats or enough remote access capacity?
  • Will the next exercise be successful?

These are important, as is keeping the management team updated on status and issues. Your real value comes when you can integrate BCM concepts with the core competencies of your organization. See if you can answer the following:

  • Do you know the priorities of your business departments (e.g., Supply Chain, Accounting, Marketing, Sales)?
    • What are the sales goals (revenue, profit margin)?
    • What is the supply chain strategy (real time shipments, safety stocks)?
    • What are the marketing strategy and target markets (media, demographics)?
  • Do you know the organization’s core competencies?
    • Is it a services or product based company? What are those products or services?
    • Is the organization brick and mortar, online, or mixed? Which provides the most revenue/profit? What is the long-term outlook for each?

Understanding what your organization does at both a macro and micro level will help ensure that your BCM program is viable, functional and relevant. It also will help you know where gaps and issues exist. We encourage you to regularly spend time learning and understanding the priorities and goals of your organization. This knowledge makes you more effective and more valuable to the organization. In future blogs, we will discuss additional aspects of how the BCM program can ensure it is aligned with the business units and organization as a whole.

Is Your BCM Office an Epic Fail?

By No Comments

Top 15 Reasons BCM Offices Fail Miserably

Michael Herrera, CEO, MHA Consulting

As a global BCM firm, we work across all sizes and shapes of organizations. We work across a multitude of industries, with teams with lots of talent and not so much talent, management that cares and management that doesn’t have a clue about BCM. So, what causes epic failures in BCM Offices? Here are our Top 15 reasons:

  1. BCM Managers lack the basic skills to manage themselves productively, let alone to manage cross-functional teams in large organizations.
  2. Managers believe BCM certifications are the BE ALL and END ALL to ensuring success, and they only hire people with them versus people who can EXECUTE.
  3. Team members have no clue about where the enterprise program stands when it comes to compliance and residual risk.
  4. There is no one single set of goals for the team to follow and accomplish.
  5. NO time is made for regular status meetings, strategic planning or there is NO use of a roadmap that outlines key initiatives for the program.
  6. Trying to “boil the ocean” by working on the entire organization versus only on high priority/high risk areas that will heighten compliance the most and reduce the most risk.
  7. Attempting too many BCM initiatives that can never be finished, that bring no value to the program, or that should be outsourced to make better use of staff time.
  8. Hiring too many BCM specialists who often end up with nothing to do, or who can’t help out across other parts of the program.
  9. Believing a new tool of some sort will save the day, but ending up with another function to administer or with failure of the tool due to lack of proper setup.
  10. Constantly making changes to their BCM methodology, causing rewrites that do nothing but confuse the stakeholders or waste their time.
  11. Micromanaging team members; not letting team members make their own mistakes and grow as planners.
  12. No cross training of team members to build succession into the organization.
  13. They don’t measure the skills of each team member to better understand baseline skill levels and how each team member can be used effectively.
  14. They try to do everything themselves and fail versus using a knowledgeable consultant to educate them and get things done in a timely manner.
  15. They hide from senior management because they don’t want them to know how bad the situation is across the organization.

So, who is at fault? All too often, the responsibility for failure of the BCM team falls on one person – the BCM Manager. He/she never takes a step back to look at the big picture and see what is happening across the organization. If you CAN’T manage yourself well, there is a low probability that you will be successful in managing a cross-functional team for any size organization.

As the CEO of MHA, I must constantly step back and see how we are executing across our many clients, and how this fits into out strategic roadmap for the year. We have different skill sets that must be married to work across many different organizations and cultures. Our people know what our annual goals are, and where they fit in to make themselves and MHA successful. It took time and mentoring to heighten my ability to run an organization working across the globe. It didn’t happen overnight and I made a lot of mistakes.

But, as Jim Rohn, one of our greatest motivational speakers, said, the more you work on yourself, the more success you will attract. In other words, work on yourself, not on your job.

So, what do we see as characteristics of successful BCM Offices?

  1. Team manager manages himself/herself and daily operations in a highly organized and productive manner.
  2. Team manager clearly understands where the enterprise program stands by assessing compliance and residual risks on a regular basis.
  3. Team manager has a strategic plan and roadmap that is based on the state of compliance and residual risk.
  4. Team manager identifies a small number of key initiatives (3 to 5) that can be accomplished by the team to bring the greatest improvement in compliance and reduction in risk.
  5. Team meets on a regular basis to hold productive team reviews of where things stand, action items to resolve, and congratulate successes.
  6. Team manager hires multi-talented people who can execute to the roadmap and aren’t afraid to work in the trenches.
  7. Team manager focuses on simplicity in their BCM methodology and approach to maximize execution.
  8. Team manager makes it a priority to delegate tasks to team members to make them productive and let team members grow and make fewer mistakes over time.
  9. Team manager cross trains across areas of specialty to build succession into the team.
  10. Team manager continually assesses compliance, risk and team performance to update and execute roadmaps.