“We embarked on a journey to make our business continuity program more meaningful to our employees. The support and expertise from MHA made it possible to move our continuity program to the next level. We now have an improved program that provides a better overall service to the entire business.”
“Our goal was to make our business continuity program not only more meaningful and usable to our organization, but to make risk mitigation a strategic advantage. As a global organization with operations in the Americas, Europe, and Asia, we needed a skilled business partner to help us develop a program that provided consistency across the organization – and one that was tailored to meet the specific needs of each local office. MHA provided us the support and expertise we needed to make this possible and, as a result, we now have a robust BCM program that provides functional service, protection and recoverability to the entire global business.”
The MHA Consulting team has over a century of business continuity and disaster recovery experience. Having protected trillions of dollars in global market assets for today’s leading companies, we adhere to the highest standards of our field.
Our software, BCMMETRICS™, delivers a comprehensive evaluation, measurement, and scoring of your business continuity management (BCM) program, with “FICO”-like scores so that you can raise the maturity of your BCM program over time.
A proven leader in Business Continuity Planning, Disaster Recovery Planning, IT best practices, and crisis management, MHA helps you from program conception to maintenance by providing actionable guides and presentations written by industry thought leaders.
BCM is the development of strategies, plans and actions that provide protection or alternative modes of operation for those activities or business processes which, if they were to be interrupted, might bring about a seriously damaging or potentially fatal loss to the enterprise.
Crisis Management is a process designed to enable an effective response to an event. Crisis management processes focus on stabilizing the situation and preparing the business for recovery operations.
Business Resumption Planning, or Business Recovery Planning, involves the recovery of critical business functions and processes that relate to or support the delivery of core products or services to a customer.
IT Disaster Recovery addresses the recovery of critical IT assets, including systems, applications, databases, storage and network assets.
One of the more confusing aspects of business continuity is the terminology. A number of terms are similar to those used in BCM, but with slightly different meanings. Examples include:
Business Continuity (BC) is the strategic and tactical capability of the organization to plan for and respond to incidents and business disruptions in order to continue business operations at an acceptable predefined level.
Business Continuity Plan (BCP) refers to the documented collection of procedures and information that is developed, compiled, and maintained in readiness for use in an incident to enable an organization to continue to deliver its critical products and services at an acceptable predefined level.
Disaster Recovery is a term reserved for the recovery and resumption of critical technology assets in case of a disaster. Disaster recovery can include tasks such as resuming individual systems (e.g., Wide Area Network or an ERP application), or recovering all critical aspects of the IT environment.
Resumption Planning is reserved for the recovery of critical business functions that are separate from IT. Examples of resumption planning include resuming call center functions, manufacturing processes or payroll.
Crisis Management refers to the process designed to enable an effective response to an event. Crisis management processes focus on stabilizing the situation and preparing the business for recovery operations.
Crisis Management Team refers to a group of individuals responsible for developing and implementing a comprehensive plan for responding to a disruptive incident. The team consists of a core group of decision makers trained in incident management and prepared to respond to any situation.
Contingency Planning refers to tactical solutions addressing a core resource or process. As opposed to BCM, contingency planning is typically an isolated action and does not resemble a program or a series of related actions. An example of contingency planning is determining how to handle the loss of a specific vendor, or creating processes to work around the loss of a key piece of equipment on an assembly line.
Emergency Planning refers to the development and maintenance of agreed procedures to prevent, reduce, control, mitigate and take other actions in the event of a civil emergency.
Emergency Response includes the immediate actions taken to preserve lives and safeguard property and assets. Emergency response is often a subset of a broader crisis management program. An example of an emergency response action is an evacuation plan.
Recovery Strategies refers to the approach used by an organization that will ensure its recovery and continuity in the face of a disaster or other major outage. Plans and methodologies are determined by the organization’s strategy. There may be more than one methodology or solution for an organizational strategy.
Exercise refers to the process of rehearsing the roles of team members and staff, and testing the recovery or continuity of an organization’s systems (e.g., technology, telephony, administration) to demonstrate business continuity competence and capability.
Test is the activity that is performed to evaluate the effectiveness or capabilities of a plan relative to specified objectives or measurement criteria. Types of tests include: structured walkthrough, standalone test, integrated test, and operational test.
Supply Chain Management refers to management of the linked processes that begin with the acquisition of raw material and extend through the delivery of products or services to the end user, across all modes of transport. The supply chain may include suppliers, vendors, manufacturing facilities, logistics providers, internal distribution centers, distributors, wholesalers, and other entities that lead to the end user.
Although a vague question, it is commonly asked and is actually quite valid. A company’s business continuity approach and project scope may vary widely, and are driven exclusively by business requirements (and constraints). However, a number of common project characteristics remain, although the process used to meet these project objectives varies:
Contingency Planning & Management, an industry periodical, conducted a study to determine why organizations invest in BCP. Stakeholder protection, past experiences, regulatory concerns and corporate image made up the majority of reasons given.
Organizations design and deploy business continuity solutions to manage:
Organizations typically provide leadership to the business continuity program through three roles:
Sponsorship – providing or ensuring organizational and financial support
Ownership – direct responsibility for ensuring support, as well as overall program execution
Custodianship – responsibility for the coordination of BCM tasks that are executed throughout the organization
The sponsorship and business continuity program ownership roles continue to trend toward organizational elements with visibility of the entire business, as well as experience with risk management. Based on these trends, MHA has developed a list of sponsors and owners in order of decreasing effectiveness:
Finance – The CFO or a direct report, to include risk management or loss prevention
Operations – The COO or a direct report, to include security and Environmental, Health and Safety (EHS)
Executive Council – A member of the senior management team, to include the general counsel, director of human resources or manager of corporate communications
Information Technology – The CIO or a direct report in data center operations (some organizations have a program/project management office, where BCM may reside)
Internal Audit – The director of internal audit enforces the company’s business continuity policies through decentralized execution or dedicated internal audit resources
The Federal Financial Institutions Examination Council (FFIEC) business continuity guidance (the Business Continuity booklet of its IT Examination Handbook) is the most demanding set of requirements in the U.S. marketplace. Although written for examiners of financial institutions, it has greater governance, risk assessment, business impact analysis, planning, testing and maintenance requirements than any other standard. It contains an entire section on senior management’s business continuity responsibility, which is a helpful reference for any company in any industry.
The FFIEC’s own summary is an excellent resource for developing the scope of a business continuity program:
In the Enterprise Risk Management (ERM) Integrated Framework, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) defines ERM as:
A process, effected by an entity’s board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
The definition reflects certain fundamental concepts. ERM is:
A process, ongoing and flowing through an entity
Effected by people at every level of an organization
Applied in strategy setting
Applied across the enterprise, at every level and unit, and includes taking an entity-level portfolio view of risk
Designed to identify potential events that, if they occur, will affect the entity, and to manage risk within its risk appetite
Able to provide reasonable assurance to an entity’s management and board of directors
Geared toward achievement of objectives in one or more separate but overlapping categories
BCM is one component of an effective enterprise program designed to manage risk and is, therefore, emerging as one of many pillars within ERM.
In the absence of regulatory requirements, audit findings or specific customer demands, the best method to sell management on the need for a business continuity program is using the results from a risk assessment and Business Impact Analysis (BIA).
The risk assessment is the process of identifying the (continuity-related) risks to an organization through a review of the business environment, an evaluation of the probabilities of certain events, and a review of risk mitigation controls (design and operation).
The BIA is the careful study of an organization’s individual business processes and support functions, as well as the system of business processes in its entirety, to better understand recovery objectives regarding continuity of operations.
The conclusions drawn by the risk assessment and BIA, together with the corresponding recommendations, are bolstered through industry benchmarking data (regarding program scope, recovery objectives, spending and strategies).
The last component of the executive management “sales” message is the cost-benefit analysis. The cost is the funding and resources necessary to add resiliency and recoverability to the existing business and technology environment, whereas the benefit is “impact avoidance.”
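The risk assessment, BIA and cost-benefit steps described above can be made concrete with a small model that (a) derives the maximum tolerable outage of a process from its impact-over-time curve, (b) annualizes expected loss from a set of threats, their probabilities and the existing controls, and (c) expresses the benefit of a recovery strategy as impact avoided versus its annual cost. The following is an added example written for this page; it is not MHA’s methodology or BCMMETRICS. The processes, impact curves, threats, probabilities, control effectiveness and strategy cost are constructed, and the piecewise-linear impact interpolation and the simplification that a recovery strategy caps every outage at the RTO are assumptions of the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Process:
    """Business process with its outage-impact curve (assumed shape).

    impact_curve: (hours_down, cumulative_loss_usd) points in ascending
    order with strictly increasing loss; impact is interpolated linearly
    between points (starting from (0, 0)) and extrapolated past the last
    point at the slope of the last segment.
    """
    name: str
    impact_curve: tuple


@dataclass(frozen=True)
class Threat:
    """A continuity-related risk from the risk assessment.

    annual_probability: chance of the event per year before controls.
    outage_hours: outage the event causes when no recovery strategy exists.
    control_effectiveness: fraction (0..1) by which existing mitigation
    controls (design and operation) reduce the annual probability.
    """
    name: str
    annual_probability: float
    outage_hours: float
    control_effectiveness: float = 0.0


def _points(process):
    return ((0.0, 0.0),) + tuple((float(h), float(i)) for h, i in process.impact_curve)


def impact_after(process, hours):
    """Cumulative loss (USD) after `hours` of outage of `process`."""
    pts = _points(process)
    if hours <= 0:
        return 0.0
    for (h0, i0), (h1, i1) in zip(pts, pts[1:]):
        if hours <= h1:
            return i0 + (i1 - i0) * (hours - h0) / (h1 - h0)
    (h0, i0), (h1, i1) = pts[-2], pts[-1]          # beyond last point
    return i1 + (i1 - i0) * (hours - h1) / (h1 - h0)


def max_tolerable_outage(process, tolerance_usd):
    """Hours of outage at which cumulative loss reaches `tolerance_usd`.

    This is the BIA's maximum tolerable period of disruption; the RTO
    chosen for the process must sit below it.
    """
    pts = _points(process)
    for (h0, i0), (h1, i1) in zip(pts, pts[1:]):
        if i1 >= tolerance_usd:
            return h0 + (h1 - h0) * (tolerance_usd - i0) / (i1 - i0)
    (h0, i0), (h1, i1) = pts[-2], pts[-1]
    return h1 + (h1 - h0) * (tolerance_usd - i1) / (i1 - i0)


def expected_annual_impact(process, threats, rto_hours=None):
    """Annualized expected loss across all threats.

    With a recovery strategy in place, each outage is capped at
    `rto_hours` (assumption: the strategy restores the process by then);
    with rto_hours=None the full outage of each threat applies.
    """
    total = 0.0
    for t in threats:
        hours = t.outage_hours if rto_hours is None else min(t.outage_hours, rto_hours)
        residual_probability = t.annual_probability * (1.0 - t.control_effectiveness)
        total += residual_probability * impact_after(process, hours)
    return total


def bia_ranking(processes, threats):
    """Processes ordered by expected annual impact, highest first."""
    scored = [(p.name, expected_annual_impact(p, threats)) for p in processes]
    return sorted(scored, key=lambda item: item[1], reverse=True)


def cost_benefit(process, threats, rto_hours, annual_strategy_cost):
    """Benefit is impact avoidance: expected loss without the strategy
    minus expected loss with it. Returns (avoided_usd, net_usd)."""
    without = expected_annual_impact(process, threats)
    with_strategy = expected_annual_impact(process, threats, rto_hours)
    avoided = without - with_strategy
    return avoided, avoided - annual_strategy_cost


# Constructed sample input (not real client data).
ORDER_ENTRY = Process("order entry", ((4, 20_000), (24, 200_000), (72, 1_200_000)))
PAYROLL = Process("payroll", ((24, 5_000), (72, 60_000), (168, 400_000)))
THREATS = (
    Threat("data center power loss", 0.10, 36, control_effectiveness=0.5),  # UPS/generator
    Threat("ransomware", 0.05, 120, control_effectiveness=0.2),
    Threat("regional storm", 0.02, 200),
)

if __name__ == "__main__":
    print("MTPD (h) at $500k tolerance:", max_tolerable_outage(ORDER_ENTRY, 500_000))
    print("BIA ranking:", bia_ranking((PAYROLL, ORDER_ENTRY), THREATS))
    print("8h RTO strategy at $120k/yr:", cost_benefit(ORDER_ENTRY, THREATS, 8, 120_000))
```

The ranking is what justifies scope (which processes the program must cover first), the MTPD sets the recovery objective, and the cost-benefit pair is the executive “sales” message in a single line: annual impact avoided against annual spend.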
Since 2001, nearly every BCM regulatory requirement or standard has been enhanced or expanded to address increases in the threat environment, as well as a greater focus on corporate governance. Some of the most commonly used industry standards are:
ISO 22301 (International Organization for Standardization, business continuity management systems)
Federal Financial Institutions Examination Council (FFIEC) business continuity guidance
National Fire Protection Association (NFPA) 1600
Business Continuity Institute (BCI) Good Practice Guidelines