10 Keys To A Peak-Performing BCM Program by MHA Cosulting

10 Keys to a Peak-Performing BCM Program
© 2017 MHA Consulting, Inc. Page 0

Table of Contents
INTRODUCTION: THE NEW BCM MINDSET .................................................................................................3

The BCM Department as a Service Provider ................................................................................................................. 4
CHAPTER 1: KNOW YOURSELF ...................................................................................................................5
Inventory Your Personal and Professional Skillsets ................................................................................................. 5
Build a Personal Improvement Plan.....................................................................................................................................6
Takeaways ..............................................................................................................................................................................................6
Resources ................................................................................................................................................................................................6
CHAPTER 2: BUILD YOUR TEAM INTELLIGENTLY AND THOUGHTFULLY ...................................................7
The Solution Isn’t Having More People, It’s Having the Right People ......................................................... 7
Assessing Team Member Skillsets ....................................................................................................................................... 7
Personal Skillsets ......................................................................................................................................................................................... 7
Professional Skillsets ................................................................................................................................................................................ 8
Measure and Quantify the Skillsets ............................................................................................................................................... 9
Build Your Team the Right Way .....................................................................................................................................................10
Takeaways ............................................................................................................................................................................................ 11
Resources .............................................................................................................................................................................................. 11
CHAPTER 3: GAIN MANAGEMENT SUPPORT...........................................................................................12
Be a Picture of Credibility...........................................................................................................................................................12
Find a Champion...............................................................................................................................................................................13
Know Your Business ......................................................................................................................................................................13
Speak in Their Language............................................................................................................................................................13
Communicate Regularly .............................................................................................................................................................14
Takeaways ............................................................................................................................................................................................15
Resources ..............................................................................................................................................................................................15
CHAPTER 4: MEASURE AND MANAGE.....................................................................................................16
What Are Metrics? .......................................................................................................................................................................... 16
Metrics? We Don’t Need No Stinking Metrics............................................................................................................ 16
Why Metrics Are Key.....................................................................................................................................................................17
Meaningless Metrics ......................................................................................................................................................................17
Metrics with Insight and Value ...............................................................................................................................................17
Takeaways ........................................................................................................................................................................................... 19
Resources ............................................................................................................................................................................................. 19
CHAPTER 5: ALIGN WITH STANDARDS ....................................................................................................20
What Is a Standard? ......................................................................................................................................................................20
Which Standard Is Right for Me? .........................................................................................................................................20
Steps to Aligning Your Program to a Standard ..........................................................................................................21
Takeaways ............................................................................................................................................................................................21
Resources ..............................................................................................................................................................................................21
CHAPTER 6: QUANTIFY THE LEVEL OF RISK ............................................................................................22
Why Measure Residual Risk at the Recovery Plan Level? ............................................................................... 22
Where Should You Focus Your Residual Risk Analysis? ................................................................................... 22
What Are the Key Components of Residual Risk? ................................................................................................. 22

What Does the Residual Risk Data Tell Us? ................................................................................................................ 22

Takeaways ........................................................................................................................................................................................... 23
Resources ............................................................................................................................................................................................. 23
CHAPTER 7: BUILD A ROADMAP TO SUCCESS ........................................................................................24
Why a Roadmap Is Essential to Success....................................................................................................................... 24
When Should I Build a Roadmap?...................................................................................................................................... 25
What Timeframe Should My Roadmap Cover?........................................................................................................ 25
What Information Do I Need to Build a Roadmap?................................................................................................ 25
Building the Roadmap................................................................................................................................................................. 25
Maintaining the Roadmap.........................................................................................................................................................26
Takeaways ...........................................................................................................................................................................................26
Resources .............................................................................................................................................................................................26
CHAPTER 8: BUILD CONSISTENCY TO ENSURE QUALITY ........................................................................27
Develop a Catalog of Services .............................................................................................................................................. 27
What Constitutes Quality Service?..................................................................................................................................... 27
Steps to Consistent Service .................................................................................................................................................... 28
Service Quality Training .............................................................................................................................................................28
Takeaways ...........................................................................................................................................................................................29
Resources .............................................................................................................................................................................................29
CHAPTER 9: FOCUS YOUR TIME AND EFFORTS IN THE RIGHT AREAS ...................................................30
How Business Recovery Planning Is Like Golf ..........................................................................................................30
First, Focus on Criticality ............................................................................................................................................................30
Second, Focus on Strategies and Exercises ................................................................................................................31
Takeaways ............................................................................................................................................................................................31
Resources ..............................................................................................................................................................................................31
CHAPTER 10: STAND UP FOR YOUR PROGRAM .....................................................................................32
The Problem with ROI.................................................................................................................................................................. 32
Demonstrating Value on Investment ............................................................................................................................... 32
Your Core Contribution Is Still Recoverability ............................................................................................................ 34
Conclusion ........................................................................................................................................................................................... 34
Takeaways ........................................................................................................................................................................................... 34
Resources ............................................................................................................................................................................................. 34


INTRODUCTION: THE NEW BCM MINDSET
Here’s a newsflash from a person who has seen it from the BCM frontlines: It is time for a mindset
change in the world of business continuity management.
Do you know what the biggest shift in the field of business continuity has been since I started
working in it 27 years ago? The technology. The technology of disaster recovery is light years ahead
of where it was when I became the vice president in charge of business continuity in the southwest
region at Bank of America in 1990. It’s even light years ahead of where it was when I started my
business continuity consulting firm MHA Consulting in 1999.
Want to know what hasn’t changed, or at any rate hasn't changed enough?
The human side of the equation. The culture. The leadership. The mindset.
In my judgment, an outmoded mindset is the single biggest current problem in terms of keeping
most organizations’ BCM programs from being all they could be and should be, if they're to do the
job of protecting their organizations' assets in the event of disruption.
Here is a list of problems that my consultants and I encounter frequently as we travel the country
working on engagements with our clients:
 Most BCM teams are weakened by having gaps in the professional and personal skillsets of their
members.
 Many teams are under the assumption that they must protect EVERYTHING. This attitude lets the
perfect be the enemy of the good.
 Many teams get hung up on creating exhaustive documentation, losing sight of other things that are
more important.
 Most teams overlook the importance of metrics in assessing their programs.
 Many teams that do measure aspects of their programs measure the wrong things, such as the
number of BIAs done and plans completed; these convey nothing about the fundamental resilience
of the program.
 Most teams are not aligned with any BCM standard and have no interest in becoming aligned.
 Most programs are inconsistent in terms of the services and level of service they provide.
 Many teams are overly rigid in their approach.
 Many teams blame their shortcomings on a lack of budget.
 Other teams blame management.
 Some teams have an us-against-them mentality toward their stakeholders.
There is a common denominator to all of these problems: they all have their roots in a certain
outdated mindset which I have encountered in BCM departments across the country. That mindset
can be described as flat-footed, entitled, and almost passive-aggressive in its attitude toward
management. It’s an old-school attitude that focuses on the process, and not on the service or
outcome.

This is the attitude I am referring to when I say that the business continuity field is in need of a
mindset change.
T H E BCM D E PA RT M E N T AS A S E RV I C E P R OV I D E R
What do I propose we put in place of the old attitude? To put it simply, I think the BCM team needs to
stop thinking of itself as a department within an organization and start thinking of itself as a service
provider TO the organization. The BCM team needs to change its mindset to that of a consulting firm.
For program leaders, this means creating a service-based culture that will work with the organization
to deliver key services. In short, it means thinking less like a department manager and more like a
CEO.
The title of this book is 10 Keys to a Peak-Performing BCM Program. If I were only able to give you one
such key it would be the recommendation made just above: that you start thinking of your
department as a service provider and your organization as your client. Fortunately, I am not limited to
just one key!
As you will see, the keys I discuss in the book all have two things in common:
1. They take for granted that you are a knowledgeable and dedicated
business continuity professional who wants to do the best job you can for
your organization and team.
2. They reflect my belief that the mindset most likely to result in a high-
performing BCM program is a service mindset.
If the trademark attitude of the old BCM mindset was “us against them,” the attitude of the modern
BCM team has to be, “We’re all in this together.”
Ultimately your job is to understand and support the larger mission of your organization. Each of the
10 chapters that follow presents one of my 10 keys to developing a high-performing business
continuity program. Collectively these keys can help you open the doors to a BCM program that you
will be proud to lead and which your organization can depend on.

CHAPTER 1: KNOW YOURSELF

Developing a high-performance BCM program for your organization starts with you. As the BCM
leader, you are the person responsible for the fate and direction of your program. The program’s
success depends on your ability to strategically and tactically guide your team’s current and future
efforts.
One of the most important things you must do in leading a BCM team is to develop an understanding
of your personal strengths and weaknesses, and then either improve your weak areas or delegate
those tasks to other people. This is a lesson I learned the hard way.
In the early days of MHA Consulting, which I founded in 1999 after serving as the vice president in
charge of business continuity for the southwest region at Bank of America, I was strategically and
tactically involved in every aspect of my organization, from delivering on our core services to setting
up our IT to handling finance and accounting. In the beginning, this approach had its benefits. It
allowed me to make sure we operated at a high level of performance and integrity, helping MHA
earn the reputation for excellence which it enjoys to this day. But as we grew, my reluctance to
delegate became a hindrance. I micromanaged every project, even though by this time I had a staff
of highly capable people working with me. I was doing tasks that others could have handled better
and more efficiently, while spending less time than I should have on the areas that were my core
strengths.
Eventually I came to understand that the root problem was that I did not have a sufficiently clear
grasp of my skillset and those of my team members, and how these lined up. At first, I didn’t even
realize this was something I needed to think about.
I N V E N TO RY Y O U R P E R S O N A L AND P R O F ES S I O N A L S K I L LS E T S
The skills required to manage an enterprise BCM program are many and varied. You must possess
the relevant technical knowledge. You must also be able to communicate at all levels of the
organization, build relationships with stakeholders, sell your budget needs and risk concerns,
eliminate roadblocks, manage people of various skillsets, and lead during a crisis.
Have you ever taken an inventory of your personal and professional skillsets? Have you performed a
SWOT analysis—strengths, weaknesses, opportunities, threats—with yourself as the subject? Do you
know how your abilities relate to the key requirements needed in a BCM leader?
To be successful as a BCM program head, you must inventory your personal and professional skills
and understand your strengths and weaknesses as they pertain to this role. What we typically find is
that many BCM managers have good tactical BCM skills but lack the management skills needed to
lead their people and guide them to building a responsive and demonstrable recovery capability.
Why is this important? Due to the complexity of today’s BCM programs, knowing how to apply your
strengths and weaknesses across your program is critical. The depth and breadth of your personal
and professional skillsets will greatly impact the success of your program.
Unfortunately, few BCM leaders truly understand where their strengths and weaknesses lie. In many
cases, BCM programs fail due not to a poor methodology or approach but to the lack of good
management. It’s vital that you understand what tasks you should handle yourself and what you
should assign to the various members of your staff.
As the CEO of a global consulting organization for over 18 years, I have had to inventory my
professional and personal skillsets to learn how to capitalize on my strengths and balance out my
weaknesses in leading my firm, working with my consultants, and collaborating with the varied

organizations we work with daily. Over the years, I learned which areas I needed to improve in
(dealing with conflict), as well as those where I should delegate the key tasks to other people
(developing plans and working out IT strategy, among others). I also learned to focus on leveraging
my strengths (public speaking, meeting with senior management, and building relationships) for the
benefit of our team and organization.
So, what are you waiting for? Go to the Resources link at the end of this chapter for links to tools that
can help you inventory your personal and professional skills.
BUILD A P E R S O N A L I M P R OV E M E N T P L A N
Once you have completed your personal and professional skillset inventory, take the time to
celebrate your new understanding of your personal strengths and weaknesses. In developing these
insights, you have taken the first step toward building an exceptional you and a quality BCM program.
After taking stock of your skills, ask yourself the following questions:
 Am I using my strengths to their fullest extent?

 Am I applying my strengths in the right areas?
 How can I use my strengths to heighten the capability of my BCM program?
 How are my weaknesses hindering the success of the program?
 Are there other individuals on my team who can step in and supplement these areas?
 Can I use outside resources to support me in these areas?
 What training or mentorship can I use to strengthen my competence in these areas?
Working from your skillset inventory, build a plan of action to capitalize on each strength and address
each weakness that you have identified. Spell out what steps you will take over the next 6 to 12
months to take advantage of your new insights.
T A K E AWAYS
 Improving your organization’s BCM program starts with you.
 Take an inventory of your personal and professional skillsets.
 Capitalize on your strengths and manage your weaknesses.
R ES O U R C ES
Visit our Resource Page for access to more information and links that we’ve gathered to help you
discover more about this topic.

CHAPTER 2: BUILD YOUR TEAM INTELLIGENTLY AND THOUGHTFULLY

Are you able to describe the specific skills and skill levels of each member of your team from a
professional and personal perspective? Could you say who on your team has the strongest overall
skillset? Do you have a clear idea of who on your staff has the skills to manage a crisis? Do you know
whether your team’s performance is lacking or if any of your people are unhappy?
If you think of such high-performing teams as Navy SEAL units or NASCAR pit crews, it’s easy to see
that their strength comes from the fact that different members of the team are good at different
tasks. Collectively the members cover all the jobs they must perform to excel as a unit. It’s the same
with elite firefighters, as I know from my brother, a fire chief at NASA’s White Sands Test Facility in
New Mexico.
Having a well-balanced team is not something that comes about by accident. It’s the result of careful
planning and training on the part of the team leaders. These leaders make it their business to
understand the personal and professional skillsets of each member of the team as well as how these
mesh together.
Whether your team is changing a set of tires in eight seconds or putting out a launch-pad fire—or
devising and implementing a business continuity plan—it must work together seamlessly to ensure a
high level of performance. Achieving this starts with assessing the professional and personal skills of
your people and using that knowledge to your advantage.
The experience of myself and my staff has revealed that most BCM departments do not perform a
comprehensive analysis of their staff members’ abilities and personal characteristics.
T H E S O LU T I O N I S N ’ T H AVI N G M O R E P EO P L E , I T ’ S H AVI N G THE R I G H T P EO P L E

One thing we see frequently at MHA is business continuity managers who are concerned about gaps
in their program hiring more and more people but giving little thought as to how these new team
members will fit into their strategic roadmap. The intention is good, but the result of such hiring can
be disappointing or even negative. Often in such cases, we see a few staff members ending up
overwhelmed with work while others have nothing to do.
When it comes to building a solid BCM team, the key consideration is not headcount. The most
important thing to focus on is assembling a group of people who collectively have the right
complement of skills to do the work that needs to be done.
A S S ES S I N G T E A M M E M B E R S K I L LS E T S
In today’s job market, there are many individuals out there with varying degrees of BCM experience
and training. In deciding who to bring onto your staff, you must intelligently assess the candidates’
skillsets and determine who will fit best with your team, not just today but in the future. In making
these assessments, it helps to think in terms of two key areas: personal skillsets and professional
skillsets.
Personal Skillsets
Here are some of the key personal qualities to consider when looking at your current team members
and potential new hires:
 Reactiveness. Does the person react to events with the appropriate level of urgency? Your key
people should occupy a middle ground between being too laid-back and being high-strung. You

want people to be attentive and take matters with due seriousness, but not to the point where they
overreact or “freak out.”
 Tenacity. Does the person persist in the face of obstacles? Can they stay focused and work through
problems when things aren’t going well? By its nature, BCM work is about when things go wrong. It
is important to have people on your team who remain productive and determined when the going
gets tough.
 Drive. Does the person take the initiative and make things happen? Some people have it built into
them to make things happen no matter what it takes. The quality of drive is one of the hardest to
teach. People who have it are often invaluable members of a BCM team.
 Leadership. Can the person lead a team effectively? Some people are natural leaders. Some people
who are highly competent but reserved can develop leadership skills with encouragement. There
are many effective styles of leadership. Most good leaders have two key qualities: they make it their
business to know the strengths and weaknesses of the members of their team, and in interacting
with team members individually, they adapt their style to the personality of each individual.
 Conscientiousness. Does the person carry out their assigned tasks to the best of their ability? Do
they keep the interests of the team and organization at the front of their minds? Conscientious
people take to heart the expression, “If you see something, say something.” Since the effectiveness
of your business recovery plan depends on getting lots of little things right, it’s valuable to have
people on your team who are extremely conscientious.
 Extraversion. Is the person comfortable with making and maintaining connections with a variety of
people throughout the organization? Would they be comfortable leading a big group or giving a
management presentation? Business continuity planning is a social activity. To deploy your staff
members effectively, it’s helpful to know where they fall on the spectrum of extraversion.
 Intellectual Openness. Is the person open to trying new ideas, thoughts, or approaches? Do they
have the ability to look at old things in new ways? In a field where one of the few constants is
change—in technology, processes, and personnel—the quality of intellectual openness is key.
Professional Skillsets
In evaluating the professional skillsets of your current staff and potential new faces, consider their
ability across these important areas:
 Company Knowledge. Do they have a keen knowledge of the organization, including its structure,
management, mission, and strategy? Do they have a sound understanding of the goods or services
it produces?
 BCM Methodology. Do they have a sound understanding of current BCM methodology, its
components, and how they should be applied? Do they have a working knowledge of industry
standards and how they apply to the organization?
 Program Administration. Do they understand the key components of program administration (such
as oversight, governance, policy, and standards) and how these should be applied and
implemented?
 Crisis Management. Do they understand the key components of crisis management (team, plan,
mock disasters, emergency notification system, etc.) and how these should be implemented to
ensure a swift, effective response in the event of a disruption?
 Business and Disaster Recovery. Do they understand the key components of business recovery
(plan development, recovery strategies, testing, maintenance, etc.) and how these should be
applied to ensure a timely response?
 Additional Skill Areas. What other skills do they have that can be valuable? Are they good trainers?
Do they understand third party risk management? Do they possess the skill to present in front of
others in your organization?

Measure and Quantify the Skillsets

By evaluating the personal and professional skillsets of your team members, you will develop a clear
heat map of your team’s areas of strength and opportunities for improvement. Your goal is to build a
team that has a superior BCM capability. The ability to perform well in a crisis must be baked into
your team well before the crisis happens.
So, how do you measure your team members’ skillsets? Here’s the way I recommend doing it for
professional skillsets: Create a spreadsheet listing your people down the left-hand side. Across the
top, break out the skills you want to assess them on. I suggest doing it in three headings with the
third subdivided as shown below:
1. Company Knowledge
2. BCM Methodology
3. Ability to Perform BCM Services
a. Program Administration
i. BIA
ii. TRA
iii. Policy/Standards
b. Crisis Management
i. CM Plan
ii. CM Exercises
iii. ENS
c. Business Recovery
i. Plan Development
ii. Plan Exercises
iii. Maintenance
d. Other
i. Trainer
ii. Audits
iii. Third Party Management
Then go through and give each person a rating from 0 to 5 for every skill.
Here’s what the different numbers mean (put this explanation at the bottom of your spreadsheet):
0 = Unwilling or unable; team member should not be considered for this service.
1 = Willing, but ability to provide service untested and unknown.
2 = Willing, probably able to provide service, needs training.
3 = Has contributed to providing this service. Not ready to provide this service
alone. Needs experience and/or training.
4 = Experienced provider of this service. Can provide the service without
supervision. Self-sufficient.
5 = Can manage the client in all regards concerning this service.

Then add a column at the right for the Team Member Skill Average and a row at the bottom for the
Team Average by Competency. Then color-code the fields with these averages as follows:
0 to 2.9 Red: Skillset deficiency critically impacts performance
3.0 to 3.9 Yellow: Skillset deficiency moderately impacts performance
4.0 to 5.0 Green: Skillsets have no deficiency; heightens performance
The final result should look something like this:
A spreadsheet like this enables you to see at a glance where your team members stand in terms of
their skills in different areas and overall. It shows which individuals can do work across multiple areas,
and also who you might want to cross-train. It lets you identify the people who are interested in doing
new things and expanding their capabilities. It also lets you see where you have holes in terms of the
group’s competencies overall.
Fill out a similar spreadsheet for your staff’s personal skillsets, and you will be on your way to
understanding your group and what it can do, as well as where you should target your efforts to
strengthen it individually and collectively.
Build Your Team the Right Way

After you’ve assessed your team, you can go to work on improving it. Here is an action plan to help
you build your team the right way:
 Put Team Members in the Right Seats. Once you understand your team members’ strengths and
weaknesses, you’ll know who can handle what in terms of the challenges that will come your way.
Make sure that everyone is riding in the right seat on the bus.
 Identify Who Needs Training. This is a big one. By honestly analyzing everyone’s skillsets, you will
begin to discover who would benefit the most from the various kinds of training you have access to.
 Remediate Weaknesses. It starts with the two items above.
 Determine Who Wants to Learn Something New. Some people are allergic to learning new things
while others are addicted to it. Find the people on your team who are eager to learn new skills and
help them do so.
 Use Stronger Team Members to Train Others. Often your own staff is an underutilized resource. Do
you have capable people who are open to sharing their knowledge with their colleagues? Not

everyone is comfortable in a teaching role, but some people love it. Consider setting up an in-house
teaching program.
 Identify People Who Need to Look Elsewhere. Often painful, but sometimes necessary.
 Identify People You Can Delegate To. As you learn what your people’s strengths are, you may find
that some are very good at things you’ve been straining to handle yourself. Great! Delegate! The
more of your work your staff can handle, the freer you are to do other things.
Don’t trust to luck in assembling your staff. Build your team intelligently and thoughtfully.
T A K E AWAYS
 Create a team that has the right collection of skills to get the job done.
 Assess your team members’ skills, both personally and professionally.
 The ability to perform well in crisis must be baked into your team ahead of time.
 Plan and take the steps needed to improve the depth and breadth of your team.
R ES O U R C ES

CHAPTER 3: GAIN MANAGEMENT SUPPORT

Organizations in which management is strongly supportive of business continuity efforts have been
proven to have higher-performing programs than those where management support is half-hearted.
Interestingly, the degree of management support given to BCM in various organizations bears little to
no relationship to the organization’s size. There are Fortune 100 organizations that have little to no
management support for BCM and, consequently, weak business continuity programs. There are
organizations with fewer than 500 employees that have superior levels of management support for
BCM and, as a result have stellar business continuity programs.
Why do some management teams staunchly support BCM while others either take a check-the-
boxes approach or don’t concern themselves with it at all? That question might be better asked of an
industrial psychologist than a business continuity professional. But whatever the situation at your
organization, you as the BCM manager have a responsibility to get your senior management’s
support for an effective business continuity program. In this chapter, we will provide some insight into
how you can gain management support.
BE A P I CT U R E OF CREDIBILITY
One of the first steps to take in order to gain management support is to present an impeccable image
of yourself in terms of your knowledge and appearance. Over my years as a consultant, I have
learned that when I walk into a room of senior management personnel to initiate BCM conversations,
my credibility is everything. For this reason, I strive to present a bulletproof image that causes
management to feel highly confident in me and draws them to support me. I know that allowing even
a minute crack to appear in this picture of credibility can lead management to doubt me, hampering
my efforts.
Obviously, there are many differences in the roles of outside consultant and in-house BCM
professional. One thing that is not different is the need to win the confidence of senior management.
To get your management to trust you and take your issues seriously, you too need to be a picture of
credibility. What are the keys to building such a picture? Here are a few:
 Dress the Part. People evaluate you within 10 seconds of meeting you. Present an appearance that
clearly shows you have it all together - from top to bottom at all times. I advise my consultants to
dress 25 percent better than anyone else in the room. Look the part, be the part.
 Believe You Belong. Have confidence in yourself. Think of yourself as a fellow team member, not
as an outsider. Sometimes business continuity professionals worry that they are not at the same
level as the executives they must interact with to carry out their role. Think of it this way: those
executives need what you have to offer. The safety and security of everything they have built is in
your hands.
 Know Your Management Team. Review any available biographies of the management team. Use
the information in these to your advantage. Have a cheat sheet noting where the key managers
went to college and what their work experience has been.
 Build Relationships with Your Management Team. Use the information you gleaned from the
biographies to establish connections with your management team based on things you have in
common.
 Know BCM Methodology Inside and Out. Make sure you know the BCM process and can answer
your managers’ questions. A lack of knowledge in your area of expertise will be seen as a weakness.
If you don’t know an answer, say so, then find out and get back to the person promptly.
 Speak to How BCM Will Apply to the Organization. Know how you will apply BCM to the
organization to increase its resiliency.

If management does not find you personally convincing, you will have a tough time getting them to
support your initiative. Make an effort to look the part, exude confidence, make a connection, know
your stuff, and talk about BCM in bottom-line terms. In a word, to gain management’s support for
your program, be credible.
FIND A CHAMPION
The next step in securing management support is finding a champion for your initiative. This is
someone who understands the importance of business continuity planning, backs what you’re doing,
and can advocate for it from the inside. Among BCM practitioners whose programs are struggling,
the absence of such a person is one of the most commonly mentioned reasons to explain why their
programs are having difficulties. Not having such a person won’t necessarily keep you from
succeeding and shouldn’t be used an excuse for making a half-hearted effort; however, having a
champion can definitely make it easier to gain management buy-in.
Have you searched for a champion? Your champion doesn’t necessarily have to be at the highest
levels of the organization. The important thing is that he or she have influence and connections that
reach across many levels of management. Make time to find a champion who has an interest in BCM.
Oftentimes, you will find your champion in someone who has gone through a disaster before,
perhaps at the organization where they were previously. The champions are out there; schedule time
to find one.
K N OW Y O U R B U S I N ES S
A third component of procuring management support is knowing your organization and showing the
leadership that you understand how the organization operates. This sounds simple, but we find that
many BCM practitioners do not have a good understanding of their organization and how BCM
applies to it. There are times when we at MHA arrive at an organization on an initiative and discover
that we know more about what’s happening there than the in-house personnel we are working with.
How can you expand your knowledge of your organization’s business? Here are a few ways:
 Read the Annual Report. Read the annual report from end to end. After doing so, you will be an
encyclopedia of organizational knowledge. You might learn things that even the senior leadership
doesn’t know.
 Subscribe to News About the Organization. Subscribe to news feeds about your organization so
you can stay on top of events that could impact your BCM function.
 Talk to Management Regularly. Take time to talk to management regularly to gain insights about
what is happening or could happen with the organization. Use this time to build relationships and
support for your efforts.
SPEAK IN T H E I R L A N G UAG E
Another component in getting management support is to talk to them about BCM on their terms, not
yours. Do you know one of the best ways to get someone to stop listening to you? Use terminology
that makes no sense to them. In terms of getting people to tune you out, this ranks right up there with
talking too much or being unfamiliar with your subject area.
How many times have you given a presentation that seemed to be going well at the time but where,
at the end, you got a question that clearly showed the audience had no clue what you were talking
about? If you’re like most of us, more than a few. Chances are, if your management can’t understand
you, they won’t support you. To win their backing, it helps to talk to them in terms they can
understand. Here are some approaches that can help you do that:

 Convert BCM Terms to Business Terms. Don’t use business continuity jargon such as “RTO,” “RPO,”
and “BIA” when talking to your senior leadership. Use terms that make sense to them. Instead of
referring to RTO, talk about the timeframe for recovery. Instead of RPO, talk about the maximum
data loss your organization can tolerate. Instead of BIA, talk about assessing the criticality of
different operations throughout the organization. Keep it simple so you don’t lose them.
 Apply BCM to the Business. Senior managers are interested in the success of the business overall.
Therefore, you should talk to them about what BCM can do for the business. You could tell your
leadership that a dual-site structure will provide diversity of operations, raising the level of resiliency
of the manufacturing plant. But they’re much more likely to listen if you tell them that having such a
structure will ensure that sales of Widget A, your company’s biggest money maker, will remain
uninterrupted if something goes wrong with the company’s facilities or systems.
BCM is a foreign subject to most senior managers. Translate it into terms they understand and tell
them why their business needs it.
C O M M U N I CAT E R EG U L A R LY
The final component to gaining management support is to communicate with senior leadership on a
regular basis. If you regularly send your senior leadership snippets of information about business
continuity, they may not read everything they receive from you, but they will probably read some of
your material. And they are likely to retain the information they see as important to them and the
business.
For the most part, the information you send will fall into two categories: department news and
industry news.
 Department News. Provide regular updates on what your team is doing and has achieved. Share
stories that show how you made a positive difference in your organization’s ability to ensure
uninterrupted operations in the face of disruption.
 Industry News. Send links to relevant articles about business continuity from industry sources and
the general press. Include a short commentary on how the article applies to your organization.
Especially helpful are articles on disasters that have affected organizations similar to yours that
show the impact on the business and the company’s response, and stories on how companies
recovered from crisis. Also good are articles and charts highlighting key trends in business
continuity (include a commentary on whether your organization is ahead of or behind the curve).
Good sources for this material include the Institute for Crisis Management’s annual report, the
Disaster Recovery Journal, and CIO.com, as well as publications from the regular press, such as
CNN.com.
Take the time to communicate regularly with your senior management. A good cadence to follow in
sharing news and updates is around once or twice a month.

T A K E AWAYS
 Management support is important to the success of your program.
 Make every effort to gain the backing of your senior leadership.
 In your dealings with management, present an impeccable picture of yourself in terms of your
knowledge and appearance.
 Find a champion who can advocate for your program from the inside.
 To win the backing of your senior leadership, talk to them in terms they can understand.
 Once or twice a month, send your managers news about your department and the business
continuity scene generally.
R ES O U R C ES

CHAPTER 4: MEASURE AND MANAGE

Have you heard the adage “If you can’t measure it, you can’t manage it”? Its truth is obvious in the
case of someone like the CEO of a company, who could not make sound decisions without knowing
the company’s expenses, profit margin, and revenue. Such data is critical to the survival of his
organization.
The same holds for BCM practitioners; however, many otherwise conscientious BCM professionals
keep no meaningful metrics about their programs. Most BCM managers either don’t measure
anything pertaining to business continuity, or else they measure things that don’t truly reflect
whether their programs can meet their mission.
W H AT A R E M E T R I C S ?
Metrics are numbers that tell you important information about a process. Metrics give you accurate
measurements about how a process is functioning and a basis to identify successes and suggest
improvements. It is said that we can only truly understand something when we can express it in
terms of numbers.
METRICS? WE DON’T NEED NO STINKING METRICS

Metrics are all around us. Your personal health vital signs, the information provided by the gauges on
your car dashboard, your investment portfolio performance, and your kids’ grades are all examples of
metrics. Metrics are critical to understanding and improving performance. What if your doctor didn’t
keep track of your key vital signs over time to assess your health, your car had no dashboard for you
to see how well it’s running, or your children had no grades to look at over their years of education to
determine where their strengths or weaknesses lie? You would have no clue on how to plan your
future efforts.
Over the years, we have heard many interesting responses from BCM practitioners when we ask
them why they don’t use metrics to measure the performance of their programs. Here are a few of
the ways they’ve answered us:
 “What are metrics?”

 “We would use metrics, but we don’t know what to measure.”
 “Management isn’t asking, so we don’t tell.”
 “We don’t care to know.”
 “Using metrics takes up too much time.”
 “I think we can recover, so why should I waste my time measuring things?”
 “Our program is in bad shape. How would metrics help?”
 “What do I do with the metrics once I get them?”
 “Leave me alone!”
Do you and your team make remarks such as these when the conversation turns to the subject of
building and using metrics? Read on to see why metrics are important and how you can use them to
strengthen your program.

WHY METRICS ARE KEY

There are three reasons metrics are key to the performance of any process:
 Metrics Drive the Control and Feedback Loop. Once the ideal state of a process is decided
through analytics, it has to be expressed in terms of metrics. This is because metrics are the
numbers that are being measured on a regular basis. Management philosophy also holds that what
is measured gets managed. Hence metrics suggest whether the process is in order or needs
external interference. Metrics form the basis of control in any organization.
 Metrics Make the Process Objective. Processes have to be designed as per the organization’s
critical-to-quality requirement. Metrics help transform the vague requirements that management
provides into a series of numbers that can be used to accurately map a process for its efficiency.
Metrics tell us whether a process is good enough to meet the organization’s requirements or
whether it needs to be better.
 Metrics Are Necessary for Setting Improvement Goals. For improvement goals to be objective, it is
essential that they be measurable in numbers. Assessments like “good quality,” “bad quality,” and
“acceptable quality” are vague and may depend on the opinion of the person expressing them.
Metrics translate the organization’s requirements and operational performance into numbers that
can be compared. This enables you to objectively state whether the organization’s needs are being
met.
In the end, the metrics you devise must give management confidence that the BCM process is
soundly built, which is a proven precursor to recovery success. Your metrics must also assure
management that risk has been mitigated to the point that it’s well within their risk tolerance, to
ensure a high level of potential for recoverability should the need arise.
M E A N I N G L ES S M E T R I C S
To this day, BCM managers are still gathering age-old metrics that capture little to no meaningful
information about the soundness of their programs. These typically include:
 The number of business impact analyses that have been completed

 The number of recovery plans that have been prepared
 The number of updates that have been made to those plans
 The number of training sessions that have been held
Would having this information provide any insight into the soundness of your BCM program? Would
impressive values for these metrics give you a basis for confidence that the potential for
recoverability of your program is high? The answer in both cases is “No.” Metrics of this kind simply
tell us that a certain volume of work was completed. They don’t provide any insight into a program’s
completeness or capability.
What’s even more absurd is that many BCM practitioners’ performance reviews are still based solely
on these types of metrics. This is like evaluating the performance of a salesperson by counting the
number of sales calls made rather than looking at the actual revenue the person brought in.
Certainly, it is good to know the volume of work completed. However, the truly valuable metrics are
those that depict whether you are performing to the critical requirements of your mission.
METRICS WITH INSIGHT AND V A LU E

We at MHA believe there are two things that are especially worth measuring if you want to get a
clear picture into the state and capability of your business continuity program: the foundation of your
program and your team’s execution of that program.

An easy way of understanding the concepts of foundation and execution as they relate to business
continuity plans is to compare them to a car and driver. The foundation is like a car, and the execution
is how well you drive the car. I drive a Porsche, and it’s so well-built, when I’m behind the wheel I can
detect in every detail that it’s an excellent foundation for high-performance driving. But how well I
drive it is up to me. It’s the same with BCM programs: The better the foundation, the higher the
potential for success. The better the execution, the more of that potential will be realized in the event
of a disruption.
To get specific, the foundation of your BCM program means how well you are aligned with your
chosen standard. The execution is how well you and your team can carry out the provisions of the
foundation when it counts. Skillful execution is critical if you wish to recover at the highest levels.
What should we measure to give us insight into whether our program can meet its mission? The
following two areas are a good place to start:
1. Level of Foundational Alignment with Standards. The precursor to a sound

BCM program is aligning its foundation with an accepted industry
standard. Experience and data both show that BCM programs that adopt a
standard and build their programs in line with it have stronger-performing
programs over time.
2. Level of Execution in Your Recovery Plans. This metric measures residual
risk, the risk that remains after you have considered management’s risk
tolerance, the criticality of each of your recovery plans, and the state of
mitigating controls in your plans (BIA, Recovery Strategy, Recovery
Exercises, etc.). The residual risk metric tells you if your plans are within
management’s risk tolerance. 1 Low residual risk indicates a higher
potential for recovery. High residual risk indicates a lower potential for
recovery. Isn’t this what management really wants to know? Many
organizations are reluctant to measure residual risk because they are
afraid of exposing the skeletons in their closet. They might think their plan
looks good on the surface but worry that rigorous measurement will reveal
underlying problems. If this sounds like your organization, remember that
understanding where problems lie is the first step on the path to correcting
them. It’s far better to discover problems through testing than have them
exposed by a disaster.
The combination of these two types of metrics will give you insight into how your program will
execute when needed. Additionally, this combination of metrics provides insight into the Return on
Investment (ROI) for the program. A high level of alignment with industry standards coupled with high
execution indicates that the company’s investment in BCM has been well worth the effort. When a
program possesses these two qualities, management can have confidence that the potential for
recoverability is high.
1 See Chapter 6 for more information on residual risk.

T A K E AWAYS
 Use metrics to improve the strength of your program.
 Many commonly used BCM metrics are of little value.
 The most important things to measure are the level of your alignment with standards and the level
of execution in your recovery plans.
R ES O U R C ES

CHAPTER 5: ALIGN WITH STANDARDS

Would you trust your life to an airline that didn’t adhere to the standards of the industry? How about a
hospital or drug company? The answer should be a resounding “NO”: you would not do business with
any of these entities if they weren’t following industry standards to ensure your safety.
In 2016 we informally surveyed over 200 BCM practitioners and found that fewer than 10 percent of
programs had adopted one of the established BCM standards. Does your program follow such a
standard? If not, why should anyone place their trust in it? Should your stakeholders feel comfortable
if you haven’t instituted a standards-based framework that promotes a higher potential for a
successful recovery in the event of disruption?
W H AT I S A S TA N DA R D ?
A standard is an agreed-upon way of doing something. In business, standards have been developed
to cover everything from performing customer service to how to use a fire extinguisher. Standards
are the distilled wisdom of people with expertise in the subject matter. The people involved in
creating standards know the needs of the organizations they represent. The community involved in
writing standards for any industry typically includes manufacturers, sellers, buyers, customers, trade
associations, users, and regulators.
Why should you, as a BCM professional, worry about standards? It’s simple: following a standard
increases the chances that you will be able to create, implement, and manage a successful program,
one that can be executed successfully when the need arises.
W H I C H S TA N DA R D I S R I G H T FO R ME?
There are several BCM-related industry standards that you and your organization can align to in
order to provide your program with a consistent, validated approach and methodology. Here is a
breakdown of the five most commonly used BCM standards:
 Business Continuity Institute (BCI) Good Practice Guidelines. Industry agnostic. Inexpensive (less
than $250). From the UK. Similar to ISO 22301 (see below) but goes one level deeper.
 Federal Financial Institution Examination Council (FFIEC) Standards. Originally intended for the
financial industry. Free. The most aggressive standard in the U.S. marketplace. Has greater
governance, risk assessment, business impact analysis, planning, testing, and maintenance
requirements than any other standard. Contains an entire section on senior management’s business
continuity responsibility, which is a helpful reference for any company in any industry.
 International Organization for Standardization ISO 22301. Industry agnostic. More expensive ($500).
Widely used and backed by the most authoritative standards-making body in the world. Because of
its brevity (it’s 20 pages long), it does leave some room for interpretation.
 National Fire Protection Act (NFPA) 1600. Industry agnostic. Free. Extremely thorough. Covers
business continuity needs from end to end. Not only strategic but tactical. Easy to understand. Gets
down in the trenches with you, telling you what you should and shouldn’t do. Much longer than ISO
22301; has been augmented since the September 11 terrorist attacks.
 National Institute Standards Technology (NIST) 800. Industry agnostic. Free. Totally IT-focused.
Says, “Here’s what you should do for your IT” in terms of making sure data is backed up properly
and how to recover it. Very detailed and thorough. Originally intended for use in government, but
any organization can use it. Not used as much for general disaster recovery.

Regardless of which standard you ultimately choose to use, you might find that the FFIEC’s summary
of its standard is an excellent resource to consider as you develop the scope of your program. Here’s
what it says:
 BCM should be conducted on an enterprise-wide basis.

 Thorough business impact analyses and risk assessments are the foundation of an effective BCM
program.
 BCM is more than the recovery of the technology; it is the recovery of the business.
 The effectiveness of a business continuity plan can only be validated through thorough testing.
 The business continuity strategy/plan and test results should be subjected to an independent audit.
 A business continuity plan should be periodically updated to reflect and respond to changes in the
institution.
So which standard should you use? If you are in the banking industry, you will most likely be required
to follow FFIEC. If you are not in a regulated industry, you can follow any of the other standards. At
MHA, we believe that NFPA 1600 is worth consideration by most programs. It’s an excellent standard
that is easy to use. It’s also free. As stated above, it’s very thorough and detailed, telling you exactly
what you need to do in every area. In this, it differs from some of the other standards, which leave a
lot more up to interpretation, putting more burden on the user.
STEPS TO A L I G N I N G Y O U R P R O G RA M TO A S TA N DA R D
Aligning your program to your chosen standard is not as hard as you might think. Take a simple
approach by following these steps:
1. Read and understand the chosen standard from cover to cover.

2. Break out each section and its associated requirements.
3. Create a spreadsheet with each section and its associated requirements.
4. Score each requirement as follows:
a. Green – Your program meets the requirement fully; no gaps exist
b. Yellow – You meet the requirement moderately; minimal gaps exist
c. Orange – You meet the requirement minimally; significant gaps remain
d. Red – Your program does not meet the requirement at all
5. Highlight the critical requirements that are in red or orange for each section.
Once you have evaluated each section and its requirements, produce a “Roadmap for Improvement”
that highlights the key tasks necessary for you to remediate the critical areas of exposure for your
program (for tips on building such a roadmap, see Chapter 7).
T A K E AWAYS
 There are five commonly used BCM standards.
 Choosing and aligning to a standard increases the chances that your program can be executed
successfully when the need arises.
 A good standard for many organizations is National Fire Protection Act (NFPA) 1600.
 To align your program to your chosen standard, score your performance in each area, then focus on
fixing the areas where you have critical gaps.
R ES O U R C ES

CHAPTER 6: QUANTIFY THE LEVEL OF RISK

The simplest way to determine if a program is executable is to measure the level of residual risk
across its critical recovery plans. What is residual risk? Residual risk is the risk that remains after all
efforts have been made to identify and eliminate risk (i.e., your mitigating controls).
The concept of residual risk has been around for many years but has not typically been applied to
the field of BCM. By measuring residual risk, you can identify and quantify the specific areas that are
limiting the capability and recoverability of your recovery plans.
W H Y M E AS U R E R ES I D UA L R I S K AT T H E R EC OV E RY P L A N L E V E L ?
There are two reasons to measure residual risk at the recovery plan level. First, it gives you an idea of
what’s happening at the lowest level of your organization from a recovery perspective. Second, it
allows you to construct a strong foundation that you can build on as you roll the amount of risk up to
the level of the department and enterprise.
By measuring risk at the recovery plan level, you single out specific areas of risk and make it easy to
roll up the residual risk by such attributes as Recovery Time Objective (RTO), facility, city, or division.
This enables you to tell management that their risk is either very low or very high. This foundational
scoring provides beautiful data, really exposing where things stand with your plans and organization.
Imagine the benefits of being able to go to management and give them the residual risk level by city,
building, and RTO. Having the right data will help you:
 Defend your resources (money, people, time)

 Defend the manner in which your resources are being used
 Improve support for your existing recovery plans
 Drive funding decisions for new projects and initiatives to minimize risk and heighten recoverability
 Demonstrate the contributions of your team to the organization
W H E R E S H O U L D Y O U F O C U S Y O U R R ES I D UA L R I S K A N A LYS I S ?
We recommend that in analyzing your residual risk you focus on assessing the risk for the recovery
plans most critical to your organization. Which systems do you need to have up and running within 72
hours or less of a disruption? Do all you can to lower the residual risk of these plans.
W H AT A R E THE KEY COMPONENTS OF R ES I D UA L R I S K ?

The following components are key to determining residual risk:
 Inherent Risk. Inherent risk is the amount of potential impact the company faces before it
implements a recovery plan or other mitigating controls.
 Risk Tolerance. Maximum level of risk that management will accept.
 Mitigating Controls. Controls such as a business impact analysis, recovery strategy, recovery
exercises, and recovery plans that are put in place in order to avoid the risk or lessen its impact. You
will evaluate the quality of the plan’s mitigating controls to determine residual risk.
W H AT D O ES THE R ES I D UA L R I S K D ATA T E L L U S ?
The residual risk data will give you insight into where your successes and opportunities for
improvement exist at a recovery plan and an enterprise level. It will help you answer questions such
as:

 Is our BIA complete and aligned with IT and its recovery capabilities?
 Are our plans documented and consistent with industry best practices?
 Are our recovery strategies capable of recovering the processes or systems? Are they consistent
with what the BIA calls for? (Note: This is the most commonly encountered problem with enterprise
BCM programs.)
 Are we doing the right level of testing, in terms of matching the intensity of the test (e.g., tabletop
versus functional) to the criticality of the activity?
 Have we mitigated third party supplier risk to the maximum possible extent?
 Are our recovery teams properly trained?
Having this knowledge will enable you to seek the resources necessary to strengthen the controls
that are most critical to your recovery plans. It will ensure that the residual risk of your plans is within
management’s risk tolerance.
T A K E AWAYS
 The best way to assess the soundness of your recovery plans is by measuring residual risk.
 Residual risk should be measured at the recovery plan level.
 Focus your risk analysis on the systems that you need to have up and running within 72 hours of a
disruption.
 The residual risk data will give you insight into where your opportunities for improvement exist at a
recovery plan and enterprise level.
R ES O U R C ES

CHAPTER 7: BUILD A ROADMAP TO SUCCESS

As the saying goes, “It doesn’t matter what road you take if you don’t know where you are going.” For
many BCM programs, not knowing the destination is the norm rather than the exception. The BCM
staff at many organizations go about their day-to-day business with no roadmap of strategic and
tactical steps they need to take to heighten the sophistication and capability of their BCM program
over time.
The lack of a roadmap leaves teams and stakeholders with no direction, prioritization, targets,
common understanding, or shared ownership of the plan for the program. The message sent by this
approach is: take whatever road you want; we may or may not get to our goal; it doesn’t matter one
way or the other.
WHY A R OA D M A P I S E S S E N T I A L TO S U C C ES S
There are many reasons why having a roadmap is critical to the success of a BCM program. Here are
a few of them:
 It is just good planning for all the areas that contribute to a successful BCM program.
 Roadmaps incorporate an explicit element of time. By stating when various tasks should be
completed, a roadmap creates a sense of urgency. This is a real boost in terms of getting things
done.
 The roadmap prompts a team to be specific with respect to planned capabilities or performance in
terms of value for stakeholders.
 A roadmap can reveal gaps in product and technology plans. Areas where plans are needed in
order to achieve objectives become immediately apparent. Gaps can be filled before they become
problems.
 Roadmaps prioritize investment based on drivers. At every stage of the roadmapping process, the
focus is on the most important things: stakeholder needs, program drivers, and technology
investments. The team is prompted to identify, implement, develop, or acquire the most important
things first, spending time and resources in the best way. Also, with a set of roadmaps in a common
format, decision makers are better equipped to make the tradeoffs and choices that best meet the
organization’s objectives.
 Having a roadmap helps the team set more competitive and realistic targets. Such targets
provide constructive pressure which helps the team in focusing its efforts and accomplishing its
goals.
 Roadmaps provide a guide to the team, allowing it to recognize and act on events that require a
change in direction.
 Sharing roadmaps allows strategic use of the BCM program across company functions. Cross-
roadmap reviews look at the plans of several company functions to find common needs, capabilities
that can be leveraged, or development costs that can be shared.
 Roadmaps clearly explain to management where the BCM program is going. A roadmap gives
stakeholders information they can use in their own planning, and can be used to solicit their reaction
and guidance.
 Finally, roadmapping builds the BCM team. The roadmapping process builds a common
understanding and shared ownership of the plan, incorporating ideas and insights from team
members.

WHEN SHOULD I BUILD A R OA D M A P ?

Roadmaps can be built at any time, but in a perfect world we would recommend that your BCM
program roadmap be built in the last quarter of the year for the subsequent year. It should be
approved for implementation well before the first quarter of the next year.
W H AT T I M E F RA M E S H O U L D M Y R OA D M A P C OV E R ?
Typically, we like a roadmap to represent the deliverables and actions over a 12-month period,
broken into quarters. You can make it shorter or longer (e.g., 6 months or 24 months) depending on
your needs, but a 12-month period is a good span to consider.
W H AT I N FO R M AT I O N D O I N E E D TO BUILD A R OA D M A P ?
The basic information and data that should be gathered to provide insight into a BCM program
roadmap is as follows:
 Level of alignment with standards. Do we have major compliance gaps that need immediate
attention or is our alignment with standards good enough that we don’t have to allocate resources
to this area?
 Level of residual risk in our recovery plans. What mitigating controls in our plans are not being
executed at the highest levels (e.g., recovery strategy or recovery exercises)? Which plans have the
most risk that needs to be mitigated to bring a higher level of execution?
 Budget. Do we have a sufficient budget to execute everything we want or do we need to choose
what is most critical?
 Resources. Do we have enough team members to execute the roadmap or do we need to hire
more staff or bring in additional external resources?
 Management expectations. Does management want us to work at an accelerated pace or build the
program in small pieces over time?
 Deliverables. What three to five key deliverables would heighten the sophistication and capability
of our program while reducing the most risk in the next year?
 Additional concerns. Do we have audit, customer, or outside regulatory concerns that need to be
addressed as a priority in the roadmap?
BUILDING THE R OA D M A P
The steps involved in building a BCM program roadmap are as follows:
 Gather your team and stakeholders as well as the documentation discussed in the previous
chapters, namely any assessments you’ve prepared on the level of your alignment with your
chosen standard and your level of residual risk. Also include any audit findings regarding what you
need to implement over the next 18 to 24 months.
 Determine the period the roadmap will cover (e.g., 3 months, 6 months, 12 months).
 Break the roadmap into manageable pieces (e.g., months, quarters).
 Define the high-level deliverables and tasks that must be produced and accomplished based on
the data you’ve gathered (regarding compliance; residual risk; audit, customer, or regulatory
concerns; and so on).
 Overlay the high-level deliverables and tasks into the period in which you and your team can
successfully execute them (e.g., the week, month, or quarter).
The goal of the roadmap is to show management and your team a high-level picture of what you will
execute over time to raise the sophistication and capability of the program.

M A I N TA I N I N G THE R OA D M A P
The roadmap is a living, breathing document. You, your team, and your senior management should
review and update it on a regular basis. At a minimum, you should review the roadmap with your
team monthly and your management quarterly to assess the following:
 Which parts of the roadmap have we completed?

 Where are we behind schedule?
 What roadblocks are we encountering?
 Do we need more resources?
 Does the roadmap need to be revised?
T A K E AWAYS
 Knowing where you want your program to go is critical to its success.
 Having a roadmap creates urgency, reveals gaps, guides your efforts, and builds your team.
 The best time to build a roadmap is in the last quarter of the year.
 In building a roadmap, first gather the necessary information.
 Follow the steps set forth in the chapter to build your roadmap.
 Update your roadmap on a regular basis.
R ES O U R C ES

CHAPTER 8: BUILD CONSISTENCY TO ENSURE QUALITY

Service consistency and quality is an expectation of all stakeholders at all times. The people
depending on you want peace of mind and no unpleasant surprises. Providing consistent services
implies achieving sameness, uniformity, and fairness in the delivery or execution of all service
attributes, regardless of time, place, occasion, and provider. The lack of consistent service by the
BCM team is one of the main reasons management and stakeholders get a sour taste in their mouth
about business continuity. BCM practitioners must strive to provide a service environment that makes
its stakeholders happy and supportive of the need for business continuity.
D E V E LO P A C ATA LO G OF S E RV I C ES
The first step in providing consistent, quality service is for your office to decide which services it
provides and which it doesn’t. Have you identified and cataloged the services your team offers? The
following services are among those commonly provided by enterprise BCM offices:
 Business Impact Analysis

 Threat and Risk Assessment
 Crisis Management
 Recovery Plan Development
 Recovery Strategy Selection
 Recovery Exercises
 Plan Update and Maintenance
 Training and Awareness
Delivering consistent service requires you to identify which of these your BCM team provides to your
organization. Once you identify the services you provide, you can work on developing a consistent
approach to each one.
W H AT C O N ST I T U T ES Q UA L I T Y S E RV I C E ?
Your BCM office should strive to provide the highest quality of service possible to your stakeholders.
But what exactly constitutes a high quality in BCM service? Over the years, I have found that the
following nine characteristics are key:
 Timeliness. Be prompt in responding to stakeholder questions and concerns. Get things done when
you say you are going to get them done. As you define your services, establish and document
response windows for handling requests and providing the various services (for example, within 24
hours or within 48 hours). Make it your business to meet or exceed those published response times.
 Accuracy. Make sure that any data you provide your stakeholders is accurate and correct. Double-
check all calculations. Make sure words and names are spelled properly. Everyone notices when
their name is misspelled. Part of providing quality BCM service is getting such details right in your
written communications with your stakeholders.
 Courtesy. Often there’s a lack of courtesy in the way BCM staff interact with their stakeholders.
Don’t let this be the case with your team. In effect, your stakeholders are your clients. Treat them
accordingly. BCM staff should be courteous in their telephone manners and frontline etiquette.
 Responsiveness. Make it your team’s policy and practice to respond to emails and calls within one
business day. If one of your stakeholders brings a concern to your department and says that the
matter is urgent, respond appropriately.

 Completeness. Don’t be satisfied with half measures. Make sure you are ready to provide every
service indicated on your scope of services documentation. Don’t submit BCM forms and templates
until they are completely filled out. Have a process for obtaining and entering missing data.
 Availability. Be flexible in terms of making yourself and your team available to meet your
stakeholders’ needs. In my role as the CEO of MHA, I have been on many phone calls at three in the
morning because that was the only option for connecting with a client in another time zone.
Hopefully, you will be able to keep the middle-of-the-night phone calls to a minimum. However,
you and your team should still strive to accommodate your stakeholders’ needs when it comes to
scheduling.
 Adaptability. Sometimes stakeholders don’t want to follow the traditional avenues. Be ready to
think outside the box when it comes to such things as features, service packages, and product
innovation. Make it a habit to adapt to the stakeholder’s needs and preferences, rather than insist
that they do things your way.
 Personalized service. A little bit of personalized service can earn a lot of goodwill. The wise BCM
leader is highly responsive to one-off requests from stakeholders. Typically, these requests will be
simple things such as asking that the manager take care of an issue personally or that a certain task
be handled a little bit earlier than usual. For the high-performing BCM manager, being responsive to
such requests is part of providing quality service.
 Convenience. Make it easy for your stakeholders to take part in the BCM process. Many managers
would rather take a turn in the dentist’s chair than think about business continuity. It is worth your
while to think about how to make it easy for your management to participate. In doing BIAs, look for
ways to streamline the process. Make things easy to understand and pre-load available information
in your forms whenever possible. I love it when my clients say that completing the BIA process was
easier than they anticipated. If and when your stakeholders say this to you, you’ll know you are well
on your way to providing them with convenient service.
STEPS TO C O N S I ST E N T S E RV I C E
At MHA, we have found that being consistent in the services we provide has been one of the keys to
the success we have enjoyed with our customers. To ensure client and company success, each of
our consultants must deliver services across different industries, people, and cultures in a consistent
manner. Your in-house BCM office can likewise benefit from making a commitment to consistency.
How do we at MHA meet our goal of providing consistent service? For each service we provide, we
clearly outline how it should be executed from beginning to end, covering the following areas:
 Methodology and Approach. Outline the methodology and approach to the service in one or two
paragraphs.
 Roles and Responsibilities. Build a responsibilities matrix showing who is required to participate in
the service and who is responsible for what key tasks of the service.
 Time Requirements. Define how long it should take to complete the service from beginning to end.
 High-level Steps. Document at a high level the steps a trained staff member is expected to perform
to complete the service from beginning to end.
 Systems and Templates. Identify the systems and templates needed to complete the service and
where they can be accessed.
 Sample Documents. Provide samples of completed documents for the service in order to offer a
baseline of reference for staff.
S E RV I C E Q UA L I T Y T RA I N I N G
Once you have documented how each service should be performed, it’s important that you hold a
training class for all the members of your team who will be involved in providing that service. The
training should set forth the standardized approach, methodology, and steps that team members

should follow in providing the service. Every staff member should understand the expectations for
each service and the importance of meeting those expectations each and every time.
T A K E AWAYS
 Strive to deliver consistent service to your stakeholders at all times.
 Develop a catalog of the services offered by your department, then devise a consistent approach to
delivering each one.
 Clearly outline from beginning to end how each service should be performed.
 Quality service is timely, accurate, courteous, responsive, and convenient.
R ES O U R C ES

CHAPTER 9: FOCUS YOUR TIME AND EFFORTS IN THE RIGHT AREAS

There are many different components to your BCM program, including your business impact analysis
(BIA), recovery plans, exercises, training, and metrics. Some components are from critical business
units that require recovery right away while others can be deferred for an extended period. In light of
the great depth and breadth of the BCM landscape, the question arises: Where should your BCM
office focus its time and resources to ensure the highest potential for recoverability in the event of a
disruption?
More specifically, should the focus be on the front end (BIA, risk assessment), the middle (strategies
and plans), or the back end (exercises and maintenance)? Are there areas in the company where you
can safely spend little to no time and effort? By arriving at informed answers to these questions, you
can greatly increase the return on investment of your organization’s BCM program.
Below I discuss two approaches you can take in prioritizing your efforts. The first is more general self-
improvement advice about identifying and focusing on areas that offer the most potential return for
your efforts. The second is more specifically oriented toward business recovery and is made up of
two parts. The first part looks at tackling your company’s business units based on how critical their
swift restoration is to its survival. The second part is a recommendation that you focus on recovery
strategies and exercises.
H OW B U S I N ES S R EC OV E RY P L A N N I N G I S L I K E G O L F
I love golf, and I have been fortunate to have been a top amateur golfer since I was a teenager. One
of my lifelong goals is to play as an amateur in the U.S. Open. Nowadays I’ve set my sights on
qualifying for the U.S. Senior Open. Unfortunately, as a non-professional, my practice time is limited,
and over the years I have come to recognize that if I hope to substantially improve I need to use my
practice time wisely.
Specifically, I realized that I needed to focus like a laser on the aspects of my game that were most
critical to my success as a tournament player. I began analyzing each round of golf I played to
identify the areas of my game that offered the best chance of helping me reduce my scores. I
identified two areas where I needed to focus my practice time: putting the ball and driving it off the
tee. I then adjusted my practice schedule to spend a much greater percentage of my time on putting
and driving (and less on such things as chipping and bunker shots that offered less room for
improvement). I haven’t yet realized my goal of playing in the Open, but over the years this approach
has helped me improve materially, heightening my potential for ultimate success.
This approach works in golf, and it also works in business recovery planning. To strengthen your
organization’s BCM program, you can benefit from identifying the areas that offer the greatest room
for improvement as you begin to focus your efforts.
F I R ST , F O C U S ON C R I T I CA L I T Y
The BIA identifies what is most critical to the survival of your company. It pinpoints what must be
tackled first and what can be deferred for an extended period. However, many BCM offices scatter
their resources across the full spectrum of criticality. This lack of focus leads to disjointed efforts. In
your program, strive to be laser-focused. Consider allocating your team’s time and resources using a
phased approach as set forth below:
 Phase I – Focus on business units with RTOs of 24 hours or less

 Phase II – Focus on business units with RTOs of 48 hours or less

 Phase III – Work on business units with RTOs of 5 days or less

 Phase IV – Work on business units with RTOs of greater than 5 days
What it comes down to is creating a focus for the “trench warfare” that will keep your company
running in the event of a disruption. Do not move on to areas with a longer RTO until you have bullet-
proofed each criticality segment in the earlier phases.
In the long run, do you really need to do much, if anything, for those business units with RTOs of
greater than five days? If you can recover what you need in the first five days, you will have
succeeded at your mission and be put in your company’s Hall of Fame.
S EC O N D , F O C U S ON S T RAT EG I ES AND E X E R C I S ES
Based on the MHA team’s many collective years of experience, as well as data from our clients and
our BCMMETRICSTM subscribers, we have found that in most companies’ BCM plans, the same two
areas tend to be the weakest links. Inadequacy in these areas typically poses the most significant risk
to recoverability in the organization. These areas are:
 Recovery Strategies
 Recovery Exercises
With regard to recovery strategies, we commonly find in organizations of all sizes strategies that
have not been implemented, aren’t fully vetted, haven’t been funded, and/or will not provide full
recovery capability to the business unit or computer system. Arguably worse than all of these is the
case of the company where the recovery “plan” is to decide on and implement a recovery strategy at
the time of a disruption.
In the area of recovery exercises, we frequently find that most BCM and IT functions are being
exercised at the lowest end of the spectrum. If you want to become a faster runner, it helps to race
with runners who are faster than you are. You may come in last every time, but in striving to keep
pace with the elite you will gradually build improvements in your speed and times. So goes it with
recovery exercises. You must exercise your recovery plans to the highest level based on their degree
of criticality. The more critical the business unit and/or computer system is, the higher the level of
exercises that should be applied to it.
Spend the bulk of your time and resources on the areas that offer the most room for improvement.
Focus on the stuff that will help you get the ball in the hole in the fewest number of strokes. Your
goal is to implement sound recovery strategies that are validated through the highest possible level
of recovery exercises. In working toward this goal be disciplined about where you focus your efforts.
Analyze your program like a golfer trying to improve his or her game, then concentrate your efforts
on the areas where you stand to reap the greatest benefits.
T A K E AWAYS
 First, concentrate on the areas that are most critical to the survival of your company.
 Second, look at recovery strategies and recovery exercises.
 Keep in mind that an awareness of the areas of your program that offer the greatest room for
improvement can be used to focus your efforts.
R ES O U R C ES

CHAPTER 10: STAND UP FOR YOUR PROGRAM

No one can be an effective leader unless they believe in the mission of their organization and have faith that
it is making an important contribution. The best leaders go even farther: they are effective advocates for their
teams—to themselves, their followers, and the wider community. They know backward and forward the case
for why their team’s efforts are worth supporting and can convincingly make it to others. This is as true of
being the leader of a BCM team as for being the head of any other kind of group effort; in fact, I believe it’s
even more true of BCM leaders than for most other kinds of business leaders, owing to some unique aspects
of the business continuity enterprise.
This final chapter discusses some of the special challenges BC programs face in getting outsiders to
recognize their value. It also lays out some ways of thinking and talking about BCM that might be new to you
and which might help you do a better job of explaining the importance of the work your team does to your
management—and not only them but to your staff and yourself, as well. Strengthening your understanding of
these concepts will help you do better at the 10th and final key of building a high-performance BCM
operation: Standing up for your program.
THE PROBLEM WITH ROI

I talked in Chapter 4 about how measuring the level of alignment with standards and of execution in your
recovery plans can provide insight into the kind of return on investment (ROI) your program delivers.
Obviously ROI is a helpful tool for organizations faced with deciding how to use limited resources. It’s
versatile, simple, and a great way of determining profitability. It can help you solve problems such as figuring
out which of two product lines is bringing greater profit and thus merits greater investment.
However, the fact is, ROI has its blind spots. Its focus on dollar return doesn’t account for the value of
intangibles, making it ineffective at evaluating initiatives that don’t add hard numbers to the bottom line.
Business continuity is just such an enterprise. As previously suggested, there are ways of talking about
business continuity in terms of ROI; however, I’d like to suggest another, better way of gauging the
contributions of your BC program to the prosperity of your organization.
I suggest that in talking with management about the benefits of your program you focus the conversation on
a different methodology: that of Value on Investment, or VOI. VOI is a way of measuring the intangible
benefits that contribute to an organization’s performance. It gives you a framework for talking about your
program based on the value of what it delivers today.
VOI is a great way to talk about business continuity because, while the most important value of BC is
obviously the ability to recover from a disruption, a good BC program also brings a number of side benefits
that deliver value in the here and now.
D E M O N ST RAT I N G V A LU E O N I N V EST M E N T
Your program’s functional recovery capability is its most significant value. Therefore, it’s crucial that you can
show your recovery plans will work. As previously discussed, doing this comes down mostly to two things:
having the highest possible level of compliance (alignment with your chosen standard) and having the
lowest possible residual risk (meaning that the risk level is at or below management’s risk tolerance). If you
have those two things in concert—a high compliance level and low residual risk—your plan has a high level
of recoverability, and therefore a high level of value that you can demonstrate for your program.
Beyond this core benefit, sound business continuity programs typically provide several other benefits which
you should know about. Is it possible that your program might be delivering these benefits to your
organization right now? If so, tell people. These are all things you could mention to your management and
others to demonstrate value on investment and stand up for your program.

 Cost savings. Many of the activities associated with building a business continuity program have the added
benefit of uncovering cost-saving opportunities. For example, the development of business recovery plans
sometimes reveals an opportunity for teams with similar equipment or software requirements to coordinate
purchases or upgrades, realizing demonstrable cost savings. Among the kinds of cost savings we’ve seen
come out of BC programs are: equipment and software consolidation, decreased insurance premiums,
decreased expenditures due to audit issues, and savings on future staffing needs.
 Process efficiencies. Business continuity activities naturally reveal inefficiencies associated with workflow.
The business impact analysis (BIA), for instance, delves deeply into the processes and responsibilities of
various business units, often uncovering details that would otherwise have gone unnoticed. The BIA
questionnaires and interviews may reveal an inefficient overlap of responsibilities among business units.
When processes are consolidated and improved, the organization saves money. Among the kinds of
process efficiency savings we’ve seen come out of BC programs are: reduction of redundant processes,
elimination of obsolete processes, increased automation, increased process understanding, and decreased
process errors.
 Regulatory compliance. No matter what your industry or field, it is highly likely that at some point your
organization’s business continuity activities will touch on compliance issues. Sometimes BC initiatives lead
to the discovery that requirements, such as those for data security or reporting, are not being met, exposing
the organization to potential fines. Such occasions are a golden opportunity for you to show the value of
your program in monetary terms. Among the savings we’ve seen with regard to regulatory compliance are:
decreased costs related to governance or oversight, increased data protection, a decrease in the number of
reportable events, a reduction in the time spent under audit, and fewer audit findings.
 Protecting the organization’s reputation. The risk of reputational damage during a crisis is high. If the
public perceives that a company is not handling things well it impacts their level of trust in the company as
well as their willingness to do business with it in the future. The value of a BC program in this area cannot be
overstated. Because of its role in directing the organization’s response to the disruption, the BC team can
play a major role in minimizing reputational damage to the company. The benefits we’ve seen with regard to
BC and reputational damage include reductions in the impact on customers, vendors, revenue, and
regulatory exposure as well as a lessening of negative public presence and an increase in confidence from
stakeholders.
These are the major add-on benefits of a strong business continuity program. Here are a handful of others
that you might be able to identify within your organization:
 Succession planning. By its nature, business continuity planning involves developing a deep understanding
of who the critical members of the organization are and what their roles and capabilities are. As a result,
organizations with strong BC programs are generally well-prepared to identify individuals who can step in
and perform key tasks if those designated to handle them should become unavailable.
 Development of workarounds. When business continuity is top of mind for all employees, they begin to
apply BC concepts automatically whenever they develop a new product or service. This tends to enable
them to be quick to adapt when a process goes awry.
 Valuable business data. BC activities produce tons of data, creating a kind of encyclopedia of valuable
information about the organization’s operations. That data can then be used for things like process
improvement and strategic development.
 Competitive advantage. Your clients or customers demand quick response around the clock and have little
tolerance for unavailability of the data, goods, or services they need. Should their data be lost, the negative
impact on them would likely be tremendous. If you can demonstrate to your clients and potential clients
that you have a good business continuity program, it will show that you can be relied upon as a partner,
making you a more attractive choice than competitors who are weak in BC.

Y O U R C O R E C O N T R I BU T I O N I S S T I L L R EC OV E RA B I L I T Y
These peripheral benefits are important, but of course the reason for being for your program is to enable
your organization to recover in the event of a disruption. In this regard, I’d like to repeat two pieces of advice
that are among the most important things I have to say:
 Seek to maximize alignment with your chosen standard. It is crucial that you choose a BCM standard
appropriate for your organization and seek to maximize your alignment with that standard. If you are in a
highly regulated environment, your level of alignment will need to be much greater than if you are in a non-
regulated environment, where moderate compliance will likely suffice. Remember that standards are the
cookbook for building a successful program. Mix the ingredients together properly and you will be
successful.
 Look to minimize residual risk. If you are able to minimize the residual risk for your critical recovery plans to
the point that the risk is at or below management’s risk tolerance, that is a good sign that your plans are
ready for prime time.
C O N C LU S I O N
The 10th and final key to having a high-performing BCM program is standing up for the program with your
management and team. This starts with having a clear vision of the value of the program’s core benefit of
recoverability and includes being knowledgeable about the many intangible benefits a good BC program
brings. The effective BCM leader has the case for what their program contributes to the organization down
cold and is willing and able to articulate it to their management and team. The best BCM leaders are not just
managers, they are also informed and confident advocates.
T A K E AWAYS
 BCM leaders face special challenges in demonstrating the value of their programs to management.
 The traditional measure of ROI does a poor job of capturing BCM’s contributions to the organization.
 BCM leaders should think in terms of VOI—value on investment.
 In addition to its core value of recoverability, BCM programs provide numerous important benefits to their
organizations.
 The effective BCM leader is knowledgeable about the full range of benefits the program brings to the
organization.
 The strong BCM leader is willing and able to make the case for the value of their programs to their
management and team.
R ES O U R C ES
Visit our Resource Page for access to more information and links that we’ve gathered to help you discover
more about this topic.

10 Keys To A Peak-Performing BCM Program by MHA Cosulting

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

10 Keys To A Peak-Performing BCM Program by MHA Cosulting

Uploaded by

Copyright:

Available Formats

10 Keys to a Peak-Performing BCM Program

© 2017 MHA Consulting, Inc. Page 0

INTRODUCTION: THE NEW BCM MINDSET .................................................................................................3

© 2017 MHA Consulting, Inc. Page 1

What Does the Residual Risk Data Tell Us? ................................................................................................................ 22

© 2017 MHA Consulting, Inc. Page 2

10 Keys to a Peak-Performing BCM Program

© 2017 MHA Consulting, Inc. Page 3

© 2017 MHA Consulting, Inc. Page 4

CHAPTER 1: KNOW YOURSELF

© 2017 MHA Consulting, Inc. Page 5

 Am I using my strengths to their fullest extent?

© 2017 MHA Consulting, Inc. Page 6

CHAPTER 2: BUILD YOUR TEAM INTELLIGENTLY AND THOUGHTFULLY

T H E S O LU T I O N I S N ’ T H AVI N G M O R E P EO P L E , I T ’ S H AVI N G THE R I G H T P EO P L E

© 2017 MHA Consulting, Inc. Page 7

© 2017 MHA Consulting, Inc. Page 8

Measure and Quantify the Skillsets

© 2017 MHA Consulting, Inc. Page 9

0 to 2.9 Red: Skillset deﬁciency critically impacts performance

3.0 to 3.9 Yellow: Skillset deﬁciency moderately impacts performance

4.0 to 5.0 Green: Skillsets have no deﬁciency; heightens performance

The ﬁnal result should look something like this:

Build Your Team the Right Way

© 2017 MHA Consulting, Inc. Page 10

© 2017 MHA Consulting, Inc. Page 11

CHAPTER 3: GAIN MANAGEMENT SUPPORT

© 2017 MHA Consulting, Inc. Page 12

© 2017 MHA Consulting, Inc. Page 13

© 2017 MHA Consulting, Inc. Page 14

© 2017 MHA Consulting, Inc. Page 15

CHAPTER 4: MEASURE AND MANAGE

METRICS? WE DON’T NEED NO STINKING METRICS

 “What are metrics?”

© 2017 MHA Consulting, Inc. Page 16

WHY METRICS ARE KEY

 The number of business impact analyses that have been completed

METRICS WITH INSIGHT AND V A LU E

© 2017 MHA Consulting, Inc. Page 17

1. Level of Foundational Alignment with Standards. The precursor to a sound

1 See Chapter 6 for more information on residual risk.

© 2017 MHA Consulting, Inc. Page 18

© 2017 MHA Consulting, Inc. Page 19

CHAPTER 5: ALIGN WITH STANDARDS

© 2017 MHA Consulting, Inc. Page 20

 BCM should be conducted on an enterprise-wide basis.

1. Read and understand the chosen standard from cover to cover.

© 2017 MHA Consulting, Inc. Page 21

CHAPTER 6: QUANTIFY THE LEVEL OF RISK

 Defend your resources (money, people, time)

W H AT A R E THE KEY COMPONENTS OF R ES I D UA L R I S K ?

© 2017 MHA Consulting, Inc. Page 22

© 2017 MHA Consulting, Inc. Page 23

CHAPTER 7: BUILD A ROADMAP TO SUCCESS

© 2017 MHA Consulting, Inc. Page 24

WHEN SHOULD I BUILD A R OA D M A P ?

© 2017 MHA Consulting, Inc. Page 25

 Which parts of the roadmap have we completed?

© 2017 MHA Consulting, Inc. Page 26

CHAPTER 8: BUILD CONSISTENCY TO ENSURE QUALITY

 Business Impact Analysis

© 2017 MHA Consulting, Inc. Page 27

© 2017 MHA Consulting, Inc. Page 28