Business continuity consulting
for today’s leading companies

MHA Consulting provides business continuity to organizations of all sizes and industries.
Our work decreases the likelihood of disruptive instances and ensures proactive crisis management.

Our clients will tell you we provide results

We pride ourselves on proven methodologies and experience, but also on the work ethic that produces long-lasting relationships. We’re proud of the quality of clients we’ve served, and that our average client relationship spans over five years.

American Express
Charles Schwab
Fannie Mae
Hewlett-Packard, Inc.
Keller Williams
Mercedes Benz Financial Services
Mutual of Omaha
  • “We embarked on a journey to make our business continuity program more meaningful to our employees. The support and expertise from MHA made it possible to move our continuity program to the next level. We now have an improved program that provides a better overall service to the entire business.”

    Phil Cook, Director, Technology, Operations & Maintenance, Leading Water Utility
  • “Our goal was to make our business continuity program not only more meaningful and usable to our organization, but to make risk mitigation a strategic advantage. As a global organization with operations in the Americas, Europe, and Asia, we needed a skilled business partner to help us develop a program that provided consistency across the organization – and one that was tailored to meet the specific needs of each local office. MHA provided us the support and expertise we needed to make this possible and, as a result, we now have a robust BCM program that provides functional service, protection and recoverability to the entire global business.”

    James A. Garrett, Vice President, Associate General Counsel, Litigation | NuVasive, Inc.

What We Provide

We develop business continuity and disaster recovery programs that meet the unique needs of your organization.

Crisis Management
Prepare management to respond to a crisis in an organized and decisive manner.
Business Continuity
Restore your critical business activities and processes in a timely manner.
Design solutions to ensure uninterrupted operations of Information Technology.
Program Augmentation
Maximize the effectiveness of the program with on-demand expert resources.

Why You’ll Love Us

Invaluable Experience

The MHA Consulting team has over a century of business continuity and disaster recovery experience. Having protected trillions of dollars in global market assets for today’s leading companies, we adhere to the highest standards of our field.

Self-Assessment Tools

Our software, BCMMETRICS™, delivers a comprehensive evaluation, measurement, and scoring of your business continuity management (BCM) program with “FICO”-like scores so that you can heighten the sophistication of your BCM program over time.

Pragmatic Resources

A proven leader in Business Continuity Planning, Disaster Recovery Planning, IT best practices, and crisis management, MHA helps you from program conception to maintenance by providing actionable guides and presentations written by industry thought leaders.

New to Business Continuity? Here’s what you need to know.

What is business continuity management (BCM)?

BCM is the development of strategies, plans and actions that provide protection or alternative modes of operation for those activities or business processes which, if they were to be interrupted, might bring about a seriously damaging or potentially fatal loss to the enterprise.

What are the three core components of BCM?
  1. Crisis Management is a process designed to enable an effective response to an event. Crisis management processes focus on stabilizing the situation and preparing the business for recovery operations.

  2. Business Resumption Planning, or Business Recovery Planning, involves the recovery of critical business functions and processes that relate to or support the delivery of core products or services to a customer.

  3. IT Disaster Recovery addresses the recovery of critical IT assets, including systems, applications, databases, storage and network assets.

BCM seems to include many different terms, some of which appear to be very similar. How are they similar or different?

One of the more confusing aspects of business continuity is the terminology. A number of terms are similar to those used in BCM, but with slightly different meanings. Examples include:

  • Business Continuity (BC) is the strategic and tactical capability of the organization to plan for and respond to incidents and business disruptions in order to continue business operations at an acceptable predefined level.

  • Business Continuity Plan (BCP) refers to the documented collection of procedures and information that is developed, compiled, and maintained in readiness for use in an incident to enable an organization to continue to deliver its critical products and services at an acceptable predefined level.

  • Disaster Recovery is a term reserved for the recovery and resumption of critical technology assets in case of a disaster. Disaster recovery can include tasks such as resuming individual systems (e.g., Wide Area Network or an ERP application), or recovering all critical aspects of the IT environment.

  • Resumption Planning is reserved for the recovery of critical business functions that are separate from IT. Examples of resumption planning include resuming call center functions, manufacturing processes or payroll.

  • Crisis Management refers to the process designed to enable an effective response to an event. Crisis management processes focus on stabilizing the situation and preparing the business for recovery operations.

  • Crisis Management Team refers to a group of individuals responsible for developing and implementing a comprehensive plan for responding to a disruptive incident. The team consists of a core group of decision makers trained in incident management and prepared to respond to any situation.

  • Contingency Planning refers to tactical solutions addressing a core resource or process. As opposed to BCM, contingency planning is typically an isolated action and does not resemble a program or a series of related actions. An example of contingency planning is determining how to handle the loss of a specific vendor, or creating processes to work around the loss of a key piece of equipment on an assembly line.

  • Emergency Planning refers to the development and maintenance of agreed procedures to prevent, reduce, control, mitigate and take other actions in the event of a civil emergency.

  • Emergency Response includes the immediate actions taken to preserve lives and safeguard property and assets. Emergency response is often a subset of a broader crisis management program. An example of an emergency response action is an evacuation plan.

  • Recovery Strategies refers to the approach used by an organization that will ensure its recovery and continuity in the face of a disaster or other major outage. Plans and methodologies are determined by the organization’s strategy. There may be more than one methodology or solution for an organizational strategy.

  • Exercise refers to the process of rehearsing the roles of team members and staff, and testing the recovery or continuity of an organization’s systems (e.g., technology, telephony, administration) to demonstrate business continuity competence and capability.

  • Test is the activity that is performed to evaluate the effectiveness or capabilities of a plan relative to specified objectives or measurement criteria. Types of tests include: structured walkthrough, standalone test, integrated test, and operational test.

  • Supply Chain Management refers to management of the linked processes that begin with the acquisition of raw material and extend through the delivery of products or services to the end user across the modes of transport. The supply chain may include suppliers, vendors, manufacturing facilities, logistics providers, internal distribution centers, distributors, wholesalers, and other entities that lead to the end user.

Is there a best approach to business continuity management (BCM)?

Although this is a vague question, it is commonly asked and is actually quite valid. A company’s business continuity approach and project scope may vary widely, and are driven exclusively by business requirements (and constraints). However, a number of common project characteristics remain (although the process to meet these project objectives varies):

  • Business Continuity Program Design and Deployment – including definition of policies, standards and tools to support business continuity efforts. In addition, an effective BCM program should include assigning accountability and responsibility for each key area (e.g., crisis management, business resumption and IT disaster recovery).
  • Business Impact Analysis – establishing recovery objectives (business and technology), as well as the associated justification for each.
  • Threat & Risk Assessment – identifying and prioritizing threats and failure scenarios to which the organization may be vulnerable.
  • Strategy Design and Implementation – identifying and implementing continuity strategies that best meet the organization’s needs, based on a cost-benefit analysis.
  • Plan Documentation – documenting response, recovery and restoration procedures to enable effective business continuity operations.
  • Testing – validating and continuously improving business continuity strategies and plans.
  • Training and Awareness – increasing knowledge regarding business continuity operations, both in terms of response/recovery team members, as well as employees in general.
  • Compliance Monitoring and Audit – establishing compliance with internal and third-party business continuity standards.

What is the value to an organization in designing and deploying BCM programs?

Contingency Planning & Management, an industry periodical, conducted a study to determine why organizations invest in BCP. Stakeholder protection, past experiences, regulatory concerns and corporate image made up the majority of reasons given.

Organizations design and deploy business continuity solutions to manage:

  • Regulatory risk

  • Financial risk

  • Reputation risk

Who is the right person in the organization to own the BCM process?

Organizations typically provide leadership to the business continuity program through three roles:

  • Sponsorship – providing or ensuring organizational and financial support

  • Ownership – direct responsibility for ensuring support, as well as overall program execution

  • Custodianship – responsibility for the coordination of BCM tasks that are executed throughout the organization

The sponsorship and business continuity program ownership roles continue to trend toward organizational elements with visibility of the entire business, as well as experience with risk management. Based on these trends, MHA has developed a list of sponsors and owners in an order of decreasing effectiveness:

    • Finance – The CFO or a direct report, to include risk management or loss prevention

    • Operations – The COO or a direct report, to include security and Environmental, Health and Safety (EHS)

    • Executive Council – A member of the senior management team, to include the general counsel, director of human resources or manager of corporate communications

    • Information Technology – The CIO or a direct report in data center operations (some organizations have a program/project management office, where BCM may reside)

    • Internal Audit – The director of internal audit enforces the company’s business continuity policies through decentralized execution or dedicated internal audit resources

Why is the FFIEC regulation called “the BCM Gold Standard”?

The Federal Financial Institutions Examination Council (FFIEC) standard is the most aggressive standard in the U.S. marketplace. The FFIEC has greater governance, risk assessment, business impact analysis, planning, testing and maintenance requirements than any other standard. It contains an entire section on senior management’s business continuity responsibility, which is a helpful reference for any company in any industry.

The FFIEC’s own summary is an excellent resource for developing the scope of a business continuity program:

    • BCM should be conducted on an enterprise-wide basis.
    • Thorough business impact analyses and risk assessments are the foundation of an effective BCM program.
    • BCM is more than the recovery of the technology; it is the recovery of the business.
    • The effectiveness of a business continuity plan can only be validated through thorough testing.
    • The business continuity strategy/plan and test results should be subjected to an independent audit.
    • A business continuity plan should be periodically updated to reflect and respond to changes in the institution.

What is the relationship between business continuity and enterprise-wide risk management?

In the Enterprise Risk Management (ERM) Integrated Framework, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) defines ERM as:

A process, effected by an entity’s board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

The definition reflects certain fundamental concepts. ERM is:

  • A process, ongoing and flowing through an entity

  • Effected by people at every level of an organization

  • Applied in strategy setting

  • Applied across the enterprise, at every level and unit, and includes taking an entity-level portfolio view of risk

  • Designed to identify potential events that, if they occur, will affect the entity, and to manage risk within its risk appetite

  • Able to provide reasonable assurance to an entity’s management and board of directors

  • Geared toward achievement of objectives in one or more separate but overlapping categories

BCM is one component of an effective enterprise program designed to manage risk and is, therefore, emerging as one of many pillars within ERM.

How can you “sell” executive management on business continuity?

In the absence of regulatory requirements, audit findings or specific customer demands, the best method to sell management on the need for a business continuity program is using the results from a risk assessment and Business Impact Analysis (BIA).

The risk assessment is the process of identifying the (continuity-related) risks to an organization through a review of the business environment, an evaluation of the probabilities of certain events, and a review of risk mitigation controls (design and operation).

The BIA is the careful study of an organization’s individual business processes and support functions, as well as the system of business processes in its entirety, to better understand recovery objectives regarding continuity of operations.

The conclusions drawn by the risk assessment and BIA, together with the corresponding recommendations, are bolstered through industry benchmarking data (regarding program scope, recovery objectives, spending and strategies).

The last component of the executive management “sales” message is the cost-benefit analysis. The cost is the funding and resources necessary to add resiliency and recoverability to the existing business and technology environment, whereas the benefit is “impact avoidance.”

Can you explain the regulatory and compliance landscape regarding BCM?

Since 2001, nearly every BCM regulatory requirement or standard has been enhanced or expanded to address increases in the threat environment, as well as a greater focus on corporate governance. Some of the most commonly used industry standards are:

  • International Standards Organization (ISO) 22301

  • Federal Financial Institution Examination Council (FFIEC)

  • National Fire Protection Act (NFPA) 1600

  • Business Continuity Institute (BCI) Good Practices