Business continuity consulting for today’s leading companies.
MHA Consulting is a leading provider of business continuity services. Our work decreases the likelihood of disruptive instances and ensures proactive crisis management for organizations of all industries.
Our clients will tell you we provide results.
We pride ourselves on proven methodologies, experience, and the work ethic that produces long-lasting relationships. We’re gratified by the quality of clients we’ve served and that our average client relationship spans over five years.
Our Consulting Services
Streamline your Business Continuity Program with our suite of BCM Software
- Create a comprehensive look at your BC and IT disaster recovery functionality
- Establish well-informed business continuity decisions based on metrics in mere minutes
- Keep your BC plans up to date with our software updates when standards change
- Meet the needs of all of your stakeholders with clearly-defined reports
- Be up and running quickly with our attentive onboarding and support
Download or Search the Terms Every BCM Professional Should Know
Our glossary includes nearly 200 terms that form the core vocabulary of business continuity management (BCM), IT disaster recovery, and crisis management.
Knowing these terms well enough to use them confidently will make you a stronger business continuity professional. It will help you sharpen your thinking about your organization’s business continuity challenges.
Learn from our wealth of experience
Pragmatic Resources
A proven leader in business continuity planning, disaster recovery planning, IT best practices, and crisis management, MHA helps you from program conception to maintenance with actionable guides written by industry thought leaders.
Events & Trainings
As an industry leader, the MHA Consulting team regularly hosts educational webinars, conducts live workshops at BCM events, and co-hosts panels and discussions around the country on business continuity best practices and industry trends.
A Team of Experts
The MHA Consulting leadership team has over a century of business continuity and disaster recovery experience. Protecting trillions of dollars in global market assets for today’s leading companies, we adhere to the highest business continuity standards.
Your Roadmap to Resiliency
Your source for business continuity news and best practices.
New to Business Continuity? Here’s what you need to know.
What is business continuity management (BCM)?
BCM is the development of strategies, plans and actions that provide protection or alternative modes of operation for those activities or business processes which, if they were to be interrupted, might bring about a seriously damaging or potentially fatal loss to the enterprise.
What are the three core components of BCM?
- Crisis Management is a process designed to enable an effective response to an event. Crisis management processes focus on stabilizing the situation and preparing the business for recovery operations.
- Business Resumption Planning, or Business Recovery Planning, involves the recovery of critical business functions and processes that relate to or support the delivery of core products or services to a customer.
- IT Disaster Recovery addresses the recovery of critical IT assets, including systems, applications, databases, storage, and network assets.
BCM seems to include many different terms, some of which appear to be very similar. How are they similar or different?
One of the more confusing aspects of business continuity is the terminology. A number of terms are similar to those used in BCM, but with slightly different meanings. Examples include:
- Business Continuity (BC) is the strategic and tactical capability of the organization to plan for and respond to incidents and business disruptions in order to continue business operations at an acceptable predefined level.
- Business Continuity Plan (BCP) refers to the documented collection of procedures and information that is developed, compiled, and maintained in readiness for use in an incident to enable an organization to continue to deliver its critical products and services at an acceptable predefined level.
- Disaster Recovery is a term reserved for the recovery and resumption of critical technology assets in case of a disaster. Disaster recovery can include tasks such as resuming individual systems (e.g., Wide Area Network or an ERP application), or recovering all critical aspects of the IT environment.
- Resumption Planning is reserved for the recovery of critical business functions that are separate from IT. Examples of resumption planning include resuming call center functions, manufacturing processes or payroll.
- Crisis Management refers to the process designed to enable an effective response to an event. Crisis management processes focus on stabilizing the situation and preparing the business for recovery operations.
- Crisis Management Team refers to a group of individuals responsible for developing and implementing a comprehensive plan for responding to a disruptive incident. The team consists of a core group of decision makers trained in incident management and prepared to respond to any situation.
- Contingency Planning refers to tactical solutions addressing a core resource or process. As opposed to BCM, contingency planning is typically an isolated action and does not resemble a program or a series of related actions. An example of contingency planning is determining how to handle the loss of a specific vendor, or creating processes to work around the loss of a key piece of equipment on an assembly line.
- Emergency Planning refers to the development and maintenance of agreed procedures to prevent, reduce, control, mitigate and take other actions in the event of a civil emergency.
- Emergency Response includes the immediate actions taken to preserve lives and safeguard property and assets. Emergency response is often a subset of a broader crisis management program. An example of an emergency response action is an evacuation plan.
- Recovery Strategies refers to the approach used by an organization that will ensure its recovery and continuity in the face of a disaster or other major outage. Plans and methodologies are determined by the organization’s strategy. There may be more than one methodology or solution for an organizational strategy.
- Exercise refers to the process of rehearsing the roles of team members and staff, and testing the recovery or continuity of an organization’s systems (e.g., technology, telephony, administration) to demonstrate business continuity competence and capability.
- Test is the activity that is performed to evaluate the effectiveness or capabilities of a plan relative to specified objectives or measurement criteria. Types of tests include: structured walkthrough, standalone test, integrated test, and operational test.
- Supply Chain Management refers to management of the linked processes that begin with the acquisition of raw material and extend through the delivery of products or services to the end user across the modes of transport. The supply chain may include suppliers, vendors, manufacturing facilities, logistics providers, internal distribution centers, distributors, wholesalers, and other entities that lead to the end user.
Is there a best approach to business continuity management (BCM)?
Although the question is vague, it is commonly asked and is actually quite valid. A company’s business continuity approach and project scope may vary widely, and are driven exclusively by business requirements (and constraints). However, a number of common project characteristics remain (although the process used to meet these project objectives varies):
- Business Continuity Program Design and Deployment – including definition of policies, standards and tools to support business continuity efforts. In addition, an effective BCM program should include assigning accountability and responsibility for each key area (e.g., crisis management, business resumption and IT disaster recovery).
- Business Impact Analysis – establishing recovery objectives (business and technology), as well as the associated justification for each.
- Threat & Risk Assessment – identifying and prioritizing threats and failure scenarios to which the organization may be vulnerable.
- Strategy Design and Implementation – identifying and implementing continuity strategies that best meet the organization’s needs, based on a cost-benefit analysis.
- Plan Documentation – documenting response, recovery and restoration procedures to enable effective business continuity operations.
- Testing – validating and continuously improving business continuity strategies and plans.
- Training and Awareness – increasing knowledge regarding business continuity operations, both in terms of response/recovery team members, as well as employees in general.
- Compliance Monitoring and Audit – establishing compliance with internal and third-party business continuity standards.
What is the value to an organization in designing and deploying BCM programs?
Contingency Planning & Management, an industry periodical, conducted a study to determine why organizations invest in BCP. Stakeholder protection, past experiences, regulatory concerns and corporate image made up the majority of reasons given.
Organizations design and deploy business continuity solutions to manage:
- Regulatory risk
- Financial risk
- Reputation risk
What are the most common areas of weakness in BCM programs?
We typically find two areas that are weak in many programs and that also happen to be the most critical. These areas are Recovery Strategies and Recovery Exercises. Many programs do not have documented, implemented, and validated recovery strategies for their critical business units and systems; others define a strategy but are unwilling to fully implement it due to its cost, time, and resource requirements. The second area, Recovery Exercises, is typically weak because many companies only conduct desktop/tabletop exercises, where people gather around a table and run through a simulated disruption with no real live execution of the plan. You play like you practice, and it’s proven that achieving the ability to address a disruption requires you to practice as close to a real event as possible and to perform functional tests.
Why is the FFIEC regulation called “the BCM Gold Standard”?
The Federal Financial Institutions Examination Council (FFIEC) standard is the most aggressive standard in the U.S. marketplace. The FFIEC has greater governance, risk assessment, business impact analysis, planning, testing and maintenance requirements than any other standard. It contains an entire section on senior management’s business continuity responsibility, which is a helpful reference for any company in any industry.
The FFIEC’s own summary is an excellent resource for developing the scope of a business continuity program:
- BCM should be conducted on an enterprise-wide basis.
- Thorough business impact analyses and risk assessments are the foundation of an effective BCM program.
- BCM is more than the recovery of the technology; it is the recovery of the business.
- The effectiveness of a business continuity plan can only be validated through thorough testing.
- The business continuity strategy/plan and test results should be subjected to an independent audit.
- A business continuity plan should be periodically updated to reflect and respond to changes in the institution.
Who is the right person in the organization to own the BCM process?
Organizations typically provide leadership to the business continuity program through three roles:
- Sponsorship – providing or ensuring organizational and financial support
- Ownership – direct responsibility for ensuring support, as well as overall program execution
- Custodianship – responsibility for the coordination of BCM tasks that are executed throughout the organization
The sponsorship and business continuity program ownership roles continue to trend toward organizational elements with visibility of the entire business, as well as experience with risk management. Based on these trends, MHA has developed a list of sponsors and owners in an order of decreasing effectiveness:
- Finance – The CFO or a direct report, to include risk management or loss prevention
- Operations – The COO or a direct report, to include security and Environmental, Health and Safety (EHS)
- Executive Council – A member of the senior management team, to include the general counsel, director of human resources or manager of corporate communications
- Information Technology – The CIO or a direct report in data center operations (some organizations have a program/project management office, where BCM may reside)
- Internal Audit – The director of internal audit enforces the company’s business continuity policies through decentralized execution or dedicated internal audit resources
What is the relationship between business continuity and enterprise-wide risk management?
In the Enterprise Risk Management (ERM) Integrated Framework, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) defines ERM as:
A process, effected by an entity’s board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
The definition reflects certain fundamental concepts. ERM is:
- A process, ongoing and flowing through an entity
- Effected by people at every level of an organization
- Applied in strategy setting
- Applied across the enterprise, at every level and unit, and includes taking an entity-level portfolio view of risk
- Designed to identify potential events that, if they occur, will affect the entity, and to manage risk within its risk appetite
- Able to provide reasonable assurance to an entity’s management and board of directors
- Geared toward achievement of objectives in one or more separate but overlapping categories
BCM is one component of an effective enterprise program designed to manage risk and is, therefore, emerging as one of many pillars within ERM.
How many people should be in my BCM office?
It’s not the number of people but the right people. We have seen programs with one or two people that have more success than those with ten or more. It’s critical that you identify the roadmap for the program to be executed and then identify the BCM skillsets needed to support the roadmap and its implementation. We recommend that you take small steps at a time and build your program over time. It’s best to assemble your team and its skillsets intelligently. Using a sound consulting firm like MHA to develop your program roadmap and provide strategic advice can be crucial to success over time.
How can you convince executive management that business continuity is worth the investment?
In the absence of regulatory requirements, audit findings or specific customer demands, the best method to sell management on the need for a business continuity program is using the results from a risk assessment and Business Impact Analysis (BIA).
The risk assessment is the process of identifying the (continuity-related) risks to an organization through a review of the business environment, an evaluation of the probabilities of certain events, and a review of risk mitigation controls (design and operation).
The BIA is the careful study of an organization’s individual business processes and support functions, as well as the system of business processes in its entirety, to better understand recovery objectives regarding continuity of operations.
The conclusions drawn by the risk assessment and BIA, together with the corresponding recommendations, are bolstered through industry benchmarking data (regarding program scope, recovery objectives, spending and strategies).
The last component of the executive management “sales” message is the cost-benefit analysis. The cost is the funding and resources necessary to add resiliency and recoverability to the existing business and technology environment, whereas the benefit is “impact avoidance.”
Can you explain the regulatory and compliance landscape regarding BCM?
Since 2001, nearly every BCM regulatory requirement or standard has been enhanced or expanded to address increases in the threat environment, as well as a greater focus on corporate governance. Some of the most commonly used industry standards are:
- International Standards Organization (ISO) 22301
- Federal Financial Institutions Examination Council (FFIEC)
- National Fire Protection Act (NFPA) 1600
- Business Continuity Institute (BCI) Good Practices
Why is the business impact analysis so important?
The Business Impact Analysis (BIA) is the foundation of the BCM program; it sets the recovery times (Recovery Time Objectives) and tolerance for data loss (Recovery Point Objectives) for the business units, their processes, and associated resource dependencies (systems, dependencies, etc.). The data and information generated by the BIA are vital to setting the tone for developing recovery plans and appropriate recovery strategies for the critical areas of the organization.
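The following is an added example, not part of the original page or of MHA Consulting's methodology, showing one way the BIA outputs described above can be turned into a dependency-driven gap analysis. It goes slightly beyond the text: it assumes that a shared system inherits the strictest RTO and RPO of every business process that depends on it, and it compares those derived objectives with the recovery capability the current strategy actually delivers, flagging the systems where a documented strategy falls short. All process, system and objective values below are constructed sample data, and the class and function names are the example's own.

```python
from dataclasses import dataclass, field

@dataclass
class Process:
    """A business process with the objectives the BIA assigned to it."""
    name: str
    rto_hours: float              # Recovery Time Objective from the BIA
    rpo_hours: float              # Recovery Point Objective (data-loss tolerance)
    depends_on: list = field(default_factory=list)  # names of supporting systems

@dataclass
class System:
    """A technology resource and what its current recovery strategy delivers."""
    name: str
    actual_rto_hours: float       # demonstrated (exercised) recovery time
    actual_rpo_hours: float       # demonstrated data loss, e.g. backup interval

def required_objectives(processes):
    """Derive each system's required RTO/RPO from its dependent processes.
    Assumption (this example's rule): a shared system must meet the smallest
    RTO and the smallest RPO of every process that depends on it."""
    required = {}
    for proc in processes:
        for sys_name in proc.depends_on:
            rto, rpo = required.get(sys_name, (float("inf"), float("inf")))
            required[sys_name] = (min(rto, proc.rto_hours), min(rpo, proc.rpo_hours))
    return required

def gap_analysis(processes, systems):
    """Return {system: [issues]} for systems whose demonstrated capability is
    looser than what their dependent business processes require."""
    required = required_objectives(processes)
    gaps = {}
    for system in systems:
        if system.name not in required:
            continue  # nothing critical depends on it
        need_rto, need_rpo = required[system.name]
        issues = []
        if system.actual_rto_hours > need_rto:
            issues.append(f"RTO {system.actual_rto_hours}h exceeds required {need_rto}h")
        if system.actual_rpo_hours > need_rpo:
            issues.append(f"RPO {system.actual_rpo_hours}h exceeds required {need_rpo}h")
        if issues:
            gaps[system.name] = issues
    return gaps

# Constructed sample data (not from any real BIA)
SAMPLE_PROCESSES = [
    Process("Payroll", rto_hours=24, rpo_hours=4, depends_on=["ERP", "Directory"]),
    Process("Call Center", rto_hours=2, rpo_hours=1, depends_on=["Telephony", "CRM", "Directory"]),
    Process("Manufacturing Line", rto_hours=8, rpo_hours=8, depends_on=["ERP", "MES"]),
]
SAMPLE_SYSTEMS = [
    System("ERP", actual_rto_hours=12, actual_rpo_hours=24),
    System("Directory", actual_rto_hours=1, actual_rpo_hours=1),
    System("Telephony", actual_rto_hours=4, actual_rpo_hours=0),
    System("CRM", actual_rto_hours=2, actual_rpo_hours=1),
    System("MES", actual_rto_hours=8, actual_rpo_hours=8),
]

if __name__ == "__main__":
    for name, (rto, rpo) in sorted(required_objectives(SAMPLE_PROCESSES).items()):
        print(f"{name}: required RTO {rto}h, required RPO {rpo}h")
    for name, issues in gap_analysis(SAMPLE_PROCESSES, SAMPLE_SYSTEMS).items():
        print(f"GAP {name}: " + "; ".join(issues))
```

In the sample data the ERP system is shared by Payroll (RTO 24h, RPO 4h) and the Manufacturing Line (RTO 8h, RPO 8h), so its required objectives become RTO 8h and RPO 4h; a nightly backup and a 12-hour rebuild therefore show up as two gaps. This is the kind of finding that turns a BIA result into a concrete recovery-strategy requirement, and that a functional exercise, rather than a tabletop walkthrough, would confirm or refute.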