Friday, December 26, 2008

I received the following email on Dec. 25:

Electromagnetic Pulse Attack Would Devastate U.S., But Missile Attack Could Prevent It: A rogue state or terrorists could launch an electromagnetic pulse (EMP) attack on the United States that would kill more Americans than a nuclear strike on a major city, but an EMP attack on the homeland could be defeated with a missile defense system, a noted expert said.

That could involve the Boeing Ground-based Midcourse Defense system, or it could involve using the Lockheed Martin Aegis sea-based ballistic missile defense system that uses the Raytheon Standard Missile interceptors, according to William Graham, chairman of the commission to Assess the Threat to the United States from Electromagnetic Pulse Attack.

Bartlett (where did this name come from? He/she is not listed on or in the report. jg) has pointed out that all a terrorist group would need to do to cause an EMP attack would be to smuggle one missile with a nuclear warhead into the United States, then take it by truck to Iowa or North Dakota.

There, the missile would be launched straight up, and the nuclear weapon detonated at an altitude of about 300 miles. That would create an EMP of immense proportions, covering the continental United States (lower 48), Mexico and much of Canada.

The Missile Defense Agency at this point hasn't been charged with defeating EMP attacks by a missile launched within the United States. Rather, it is charged with creating a multi-layered missile defense shield against missiles from abroad.

Before I go pretending to be Chicken Little, let's find out

    (a) how BIG an N-device would need to be, both in physical size and in kilo-tonnage

    (b) how big the delivery vehicle needs to be - the missile that would carry the nuke up "an altitude of about 300 miles."

I won't claim that a missile and a bomb can't be smuggled into the US or Canada, but I'd say the probability of this occurring is slim. That part of the ERM-BC-COOP practitioner's Probability-Impact equation rates a "Low." Yes, Virginia, I realize our borders, especially those of Canada, can be pretty porous - it is more than hard to police the country's arctic landscape.

I'll also concede that there is lots of open space in the northwest border states (and provinces).

But I lived in the Intermountain states and I will tell you that people are pretty alert to "strange things" happening in their midst and, unlike some others, they are likely to take action, if only to report something to the local sheriff or constable. Little chance of a Kitty Genovese incident in this part of the country.

Then there's the problem of hauling the device - surreptitiously "trucking" the missile cross-country would be difficult, even assuming the bad guys knew how to avoid all the inspection stations.

My gut reaction to the email was: "Someone is trying to sell something" - specifically more missiles.

But here's a thought.

Let's imagine that an N-device and a missile were somehow mated and launched toward that "about 300 mile" elevation.

An anti-missile missile is sent chasing it - I'm assuming the weapon with the N-device is headed more or less straight up, as presented by either Graham or Bartlett (email's third paragraph).

First question: How is it going to "catch" the threat missile? The threat would have a pretty good head start - at least in missile speed terms.

Second question: If "our" missile kills "their" missile, won't the N-device be triggered and explode?

I'm not a mad scientist nor do I play one on tv, but it seems to me that it is logical to expect an intercept attempt and if there is an intercept, to make certain the device explodes at the intercept point (maybe only 200 miles altitude). There still would be some "bang for the buck."

My job as an ERM-BC-COOP practitioner is, I think, to consider all the possibilities.

All things considered, and based on what little I know about missiles and nuclear devices, it seems to me the threat probability is too low to go throwing Big Bucks (Canadian or US) at the risk - although it might help stimulate the economy. On the other hand, since the idea was broached, and since "they" have access to the same information as you and I, there is a chance . . .

Question: How to avoid or mitigate the threat?

Number 1 is awareness.

People do live in the proposed launch area.

Planes - commercial at high altitudes and private usually lower - fly over the area. Pilots could become more vigilant.

If we want to throw $$s at the threat, aircraft that regularly traverse the area could be equipped with cameras (infra-red, IR, is a good tool to spot "things" that are out of the ordinary for the terrain), and the images could be reviewed by qualified photo interpreters on the ground.

The idea always is to prevent a risk rather than to try to recover from a threat that happened. (Whatever happened to the idea, floated several decades ago, of "blowing up" hurricanes over the Atlantic?)

Much as I would like to help stimulate the economy - I'm already doing my part, just ask my Financial Manager (a/k/a The Spouse) - I don't think pouring money into an additional anti-missile system to shoot down a rocket launched from the US or Canadian west is the answer.

Some background

John Glenn MBCI
Enterprise Risk Management-Business Continuity-COOP practitioner
JohnGlennMBCI @ gmail dot com
If I wrote it, you can quote it.

Wednesday, December 24, 2008

ERM-BC-COOP: Just the fax, ma'am

Despite admonishments to Call Miss Utility (or similar), some turkey managed to cut through a fibre cable bundle that was the communications lifeline to The World.

Back when we were looking at risks and ways to avoid or mitigate them, the communications folks told me that if landline phone service "went away" we would be OK since most personnel had company or personal cell phones.

Internet, for email, is segregated from the telco lines.

What we - and despite my telecom background, I have to share the blame - failed to consider was facsimile communication.

In this day-and-age of email with PDF attachments, how many people actually use faxes?

Turns out, a lot of us.

The company was able to work-around the fibre faux pas by reverting to copper that came in to the facility on a different path (than the fibre).

But the copper provided significantly fewer trunks than the fibre.

Which meant that unless the timing was just right, a person trying to send a fax might end up unable to make a connection.

(I suppose I could, given the proper cables, connect a computer to a cell phone and send a fax via the mobile device, but I don't have the proper cables and, frankly, no one ever considered that before the cord was cut. Something to investigate.)

For the very large organization, there are work-arounds.

If a correspondent absolutely positively MUST have a fax - a PDF attachment to an email won't do for whatever reason - we could send an email, with a word processor or PDF attachment, to another company site and ask someone to fax the information from that site.

But what about a Mom-n-Pop?

Print out the fax copy and run down to the local Faxes 'R' Us? Who minds the store while the fax is being transmitted?

Still, that's only half of the equation.

What about incoming faxes?

The sender has your fax number which probably is NOT the mobile device number.

There is no way, until the telco line is restored, that the fax can be received. ('Course until the line is restored there will be no incoming calls to that landline number - it pays to advertise the mobile number!)

Hopefully, anyone trying to send a fax to you will get a Ring/No Answer (RNA) or busy returned and, at least in most cases, will receive a report stating that the fax could not be transmitted.

A large organization can fairly easily put several work-around options in place, including redirecting calls -including faxes - to another number.

But the Mom-n-Pop . . .

It's very true that we are becoming less and less dependent on landline communications, and so dependent on email attachments, that facsimile communications are "out of sight and out of mind."

Until, of course, you absolutely positively need to send (or receive) a fax.

Now is the time to consider a work-around - for both the Big Organization and the Mom-n-Pop.

John Glenn, MBCI
Enterprise Risk Management/Business Continuity
JohnGlennMBCI @

Wednesday, December 17, 2008

ERM-BC-COOP: Vindication!

I just received an invitation to sign up for a Continuity Insights Management Conference in Chandler AZ April 27-29. (As the temperature dips into the single digits where I currently hang my hat, the warmth of Phoenix seems pretty good.)

The post card promo I received tells me, in big, bold letters, that

    Research indicates that an effective manager is not inherently an effective leader in a crisis.

Do I hear an echo?

I have been preaching, in at least three of the 200-plus articles on my URL, that the people in day-to-day management roles may not be the ideal candidates for a crisis management role.

The first article I found during a quick search dates back to January 2002 and is, funny enough, titled "Crisis management."

The Continuity Insights keynoter is Dr. Robert Chandler (apropos for a conference in Chandler AZ) who is to present "Predictive Knowledge: Skills, Abilities, and Traits for Effective Crisis Leadership."

The promotional material goes on to state that this address will consider

  • The key traits, skills, abilities, and task competencies of effective crisis leaders
  • How to select and develop crisis leaders by using trait characteristic measures.

I suppose there is something in that, but based on personal experience over more years than I care to admit, I think the best way to identify both crisis leaders and managers who should be given go-fer tasks is a high-level crisis simulation.

The problem I have with templates for personalities is that they are subject to failure.

The templates may overlook some excellent leadership candidates and they likewise may find acceptable candidates who, when faced with The Real Thing, will fall apart like facial tissue under a strong stream of water.

There are people who seem born to manage during a crisis. There are others - notably in the ERM-BC-COOP world - who are excellent planners but disasters as responders, managers or otherwise.

The problem for us - ERM-BC-COOP practitioners - is to identify who will keep their head when everything seems to be coming apart, and who will panic. There is a second part to this search effort, and it demands of the practitioner a high degree of diplomacy and stratospheric management support: convincing a "day-to-day" manager to take a supporting role and let someone else, perhaps a person who reports to that manager, take the lead.

That may be what separates a so-so manager from a great manager - the ability to step aside for the good of the whole.

I'm told that some American Indian tribes had chiefs for different functions.

The US government, although it has the president as The Final Authority, depends on various "chiefs" - cabinet secretaries - for its operations. In theory, in the event of a national disaster, Homeland Security becomes the senior manager for response operations.

It is not, then, unheard of that a junior assumes leadership from a senior, if only for "the duration."

It would not be wise or politic for a practitioner to advise a Very Senior Manager that the manager might be less than suitable for a crisis management role.

But the wise practitioner might be able to convince said manager by conducting realistic exercises. (Such exercises also can be useful in showing demanding personalities that their ranting and raving and "I want it NOW" demands are counter-productive.)

While I am certain Chandler's keynote address will be worthwhile, I think that the better approach is to put the candidates under as much stress as can be realistically applied and see how they react.

The articles:

January 2002: Crisis management ( - footnote
January 2, 2006: Testing 1, 2, 3 (
August 29, 2006: Primary and secondary jobs (

John Glenn, MBCI, SRP
Enterprise Risk Management/Business Continuity
Planner @

Tuesday, December 16, 2008

ERM-BC-COOP: Curmudgeon

Call me a "curmudgeon."

Tell me I lack a sense of humor.

Even tell me I take things too seriously.

I'll admit to all of these things.

I just read a Help Wanted posting from a recruiter I know and who should know better than to post the advertisement he posted.

The recruiter, who along with his company shall remain nameless, posted a job for a Senior Business Continuity Planner with "2 to 4 years experience" in business continuity planning.

With two to four years experience.

Actually, it is worse.

Read further into the posting and the Experience requirement DROPS to a mere "1 - 2 years."

Two years!

The recruiter, or his client, "requires" candidates with a graduate studies level.

The only thing I can write in the recruiter's defense is that he probably only is following his client's desires.

I know several recruiters, both here and outside the U.S. To the best of my knowledge none will endanger a commission by trying to educate their clients regarding requirements for various ERM/BC practitioner levels. As an experienced practitioner, I grumble, but if I were in their shoes, I don't know.

A planner with but two years experience normally rates a little more than "tyro"; the only exception may be a practitioner who worked with a senior planner who has been responding to crises for "the duration."

I am prejudiced, to be sure, but it seems to me the recruiters are being derelict, or at least negligent, in their jobs by allowing clients to jeopardize their own organizations by considering a person who is at best a "junior" planner for a position where a senior's expertise is expected.

I'll give this recruiter credit - he advertised the opportunity on the Web site of a professional publication, presumably marketing the job only to people with at least a passing interest in ERM/BC.

'Course the posting was free.

Funny enough, the posting omitted any client requirement or desire that the "senior" planner hold any professional certification, not that certification by itself guarantees anything, but it is something many planners with more than beginner experience possess.

John Glenn, MBCI, SRP
Enterprise Risk Management/Business Continuity
Planner @

Tuesday, December 9, 2008

ERM-BC-COOP: Like a winter holiday

The holidays, especially Thanksgiving and Christmas, are a lot like Enterprise Risk Management (a/k/a Business Continuity and COOP).

During the "season" we hear a lot about helping the less fortunate.

That's commendable and I encourage everyone to do just that.

However . . .

The less fortunate are less fortunate before and after the Big Give holidays.

They need to eat and they need shelter and they need employment for self esteem.

These needs are not limited to two months in the winter; they are a year-round requirement.

Rather like ERM/BC/COOP.

Now is the time to plan for the coming hurricane season, not June 1 when the 6-month (June 1 to November 30) season commences.

Now is the time to plan for the coming floods of spring and drought of summer, not when the water is creeping under the door or when firefighters are praying for rain to drench wild fires before they scorch homes and businesses.

But, like the needy, unless we are reminded again and again and again that ERM/BC/COOP is an on-going program, it - like the needy - becomes "out of sight, out of mind."

Let me rewrite that last paragraph a bit. Make it read "Unless we remind others again and again . . . " That's part of our job. First get "their" attention, then tell "them" what we are about to say, say it, and finally tell "them" what we said . . . then start over.

We have some allies. I notice billboards put up by various governments promoting personal emergency planning. States and some municipalities encourage business continuity and personal emergency planning on their Web sites. Not only do governments encourage such planning, many offer guidance.

Maybe we need bell ringers standing not outside the Big Box Stores but outside the Mom-and-Pops and Small-and-Medium organizations (non-profits and charities as well as for-profits) to get the attention of owners and senior managers. I'd settle for getting ANYONE's attention, on the assumption that, like ants toting sustenance to the mound, our message will find its way inside.

The less fortunate need assistance more than 2 or 3 days-a-year.

Likewise, ERM/BC/COOP programs need to be functional more than only when a threat, like the Three Little Pigs' wolf, is at the doorstep. (You'll recall that one of the pigs had a plan - he built a wolf-proof house.)

Now, go forth. Put something into the red kettle and promote organizational survival planning.

John Glenn, MBCI, SRP
Enterprise Risk Management/Business Continuity
Planner @

ERM-BC-COOP: History forgotten is bound to repeat

Sunday was December 7.

Apparently for most folks it was "no big deal."

It was a "big deal" 67 years ago.

On that December 7 Sunday in 1941 U.S. forces in the Pacific were attacked by Japanese planes, pulling us officially into World War Two.

Was it a sneak attack as most Americans believe, or did the president (FDR) and some of his cabinet anticipate the attack? Was information available but not shared? Some claim that is the case.

A good December 7th Web site is the (US) Library of Congress,

How long before we "forget" 9-11? I suspect that for many, the year in which the Islamists flew hijacked aircraft into the World Trade Center towers and the Pentagon already has been forgotten - for the record, it was 2001. For the record, there was a fourth plane that crashed into a Pennsylvania field because the passengers fought back.

9-11 should have taught us a lesson: communication between groups - sometimes, as in the case of the US government, competing groups - can make the difference between a 9-11 type disaster, or a Katrina disaster, or . . . and avoiding or mitigating a threat.

Your typical Enterprise Risk Management (Business Continuity/COOP) practitioner could not have prevented 9-11 or Katrina; those events were too far above our pay grade.

But perhaps we can make a difference at a smaller organization where the concern is more about protecting people and the operation than politics and finger-pointing.

Still, in order to make a difference, we have to have very senior management's attention and, more, its visible and on-going support.

As Dwayne F. Schneider (Pat Harrington Jr., on tv's "One Day at a Time") frequently said, "Always remember and never forget." We seem to have forgotten that Sunday on December 7, 1941; once the lesson is forgotten, it or something similar will happen again, if not on December 7, then perhaps September 11.

Part of our job as ERM/BC/COOP practitioners is to learn from the past and to keep the lessons learned current and before those who engage our expertise.

We may be excused for missing something that never happened before, but we can have no excuse for ignoring lessons learned.

John Glenn, MBCI, SRP
Enterprise Risk Management/Business Continuity
Planner @

Thursday, December 4, 2008

ERM-BC-COOP: Lessons from automakers

The shrinking "Big 3" US automakers should provide a lesson for all ERM-BC-COOP practitioners.

As they teeter on the brink of disaster - although I am Ivory soap sure the US government will float the companies a loan - we should be able to see what I have been preaching:

The guys who make the Very Big Bucks (auto company execs) and the folks who make Pretty Good Bucks (union workers) control one of the first dominos in a very long string of dominos.

Not all of those dominos down the line are obviously linked to Detroit. Not all of those dominos are in Detroit or even in the U.S.

I am not an auto company insider so I won't cite statistics, but I know that most parts that go into the average "American" flivver are made by a company other than the so-called Big 3.

GM used to make parts for its vehicles in Kokomo IN at a huge Delco plant. Delco was spun off years ago - is Delco still in business? Parts from molded plastic pieces to nuts and bolts are manufactured by vendors - some fairly large companies, others Mom-n-Pops. How much paint does GM use at one plant for one model? More than I need to paint my house.

If you drive a Chrysler, Ford, or GM product, look at - not just through - the glass. More than likely it will be marked, in small print, "Made in Mexico."

It doesn't stop there.

Those vendors have to get their wares to the customer work site. Trucks, boats from ocean-going vessels to barges, trains, and an occasional plane.

That means people. Lumpers (people who load trailers), drivers, railroad people of all types, ship crews, stevedores, pilots and load masters . . .

And then air traffic controllers, guards, fuel purveyors, gas pump jockeys . . .

People with mortgages, people who think that eating from time to time is a good thing, people who want to stay warm in the winter . . .

All these will be impacted by the ripple effect of a Big 3 failure.

John Donne was right. No man - and men make up organizations that employ them - is an island.

Ben Franklin, at the signing of the Declaration of Independence, is quoted as saying "We must all hang together or, most assuredly, we shall all hang separately."

Call it the domino effect or the ripple effect or anything else that tickles your fancy, but the bottom line remains: no business in the U.S. is immune to a failure by another business, and, in this global economy and all its inter-relations, the U.S.' borders are hardly a fence preventing economic impact - going either direction.

ERM plans must consider both sides of the production stage - vendors, including money vendors - and clients, particularly (but not exclusively) major clients. (Keeping one major and losing many lesser clients easily can bring about the same result - a shuttered business.)

Think about it.

John Glenn, MBCI, SRP
Enterprise Risk Management/Business Continuity
Planner @

Tuesday, December 2, 2008

ERM-BC-COOP: Passionate practitioner

The other day someone asked me if I was "passionate" about business continuity.

Most people who know me would have replied for me "That's an understatement."

I only half-jokingly tell people that when I was a consultant regularly traveling between Tampa and Tallahassee, the flight attendants, if they lingered too long near my seat, became at least semi-expert in the field.

I am fortunate to do what I enjoy doing. That isn't to say flatly that every business continuity opportunity is enjoyable; there is a difference. I enjoy helping organizations protect all their resources, starting with people. I am frustrated by organizations that limit business continuity to little more than Info Tech disaster recovery.

An aside. An Info Tech ops manager told me that the "business continuity" plan for his operation was more than disaster recovery. Oh, I replied, then you have risk avoidance and mitigation, key components of business continuity. Certainly, he replied, we have back-up sites in case the primary goes down.

No, I countered, that's not avoidance or mitigation. Avoidance or mitigation work against the risk. What you have is a response plan. It isn't a bad response plan, but it is not "avoidance or mitigation."

Mind, I am in favor of Info Tech business continuity plans. I also am in favor of HR plans and Finance plans and Operations/Production plans, and Facilities plans. Providing they all roll up into an all-inclusive enterprise plan.

If something in a functional unit - that is any organization other than The Enterprise - goes "bump in the night" the folks in that functional unit need to quickly assess the impact of the "bump." Will it impact on that functional unit's Service Level Agreements (SLAs) with internal and external "clients?" Can the "bump" be smoothed out before any other clients feel the impact? If it can, the recovery is handled within the functional unit; if not, the issue is escalated as needed.

My contention remains that what an organization really needs is "Enterprise Risk Management."

Enterprise Risk Management, ERM, is not just another name for business continuity (which, let me be perfectly clear, is NOT another name for disaster recovery). As business continuity grew out of disaster recovery and in the process changed the focus from a resource (Info Tech) to the profit center, ERM expands business continuity to include all risks an organization faces.

For example, how many enterprise business continuity plans considered lenders as vendors prior to the current financial disaster? How many enterprise business continuity practitioners ask critical vendors - and exactly what determines "critical" - for their business continuity plans? How many practitioners consider the ripple effect of a work action against a vendor? That is a consideration a very famous international air carrier now considers as a "lesson learned."

How many practitioners include Legal in more than a plan review role? Crisis management is, to this scrivener, part of ERM. In many organizations, crisis management is "out of scope" for business continuity. Succession planning likewise often is "out of scope" for business continuity.

The above is not to suggest that the ERM practitioner - I dislike the term "planner" since it implies a project with identifiable beginning and end; business continuity and ERM must be, if they are to be successful, on-going programs - should manage everything. The ERM practitioner should be the person holding the umbrella under which all functional units are sheltered. The practitioner need be a Subject Matter Expert (SME) only in ERM and understand that the program depends on input from the SMEs of each functional unit. Let each of these SMEs act as an auditor not only for their particular functional unit, but the program as a whole.

Am I passionate about what I do? You bet.

Will I talk about, write about, and otherwise wave the ERM flag at every opportunity? Absolutely.

Do I recruit - sometimes con - non-practitioners into becoming, if not a practitioner at least a participant, in the program? By all means. That's why I have this blog. And a Web site. I'm a believer.

John Glenn, MBCI, SRP
Enterprise Risk Management/Business Continuity
Planner @

Wednesday, November 26, 2008

ERM-BC-COOP: Holiday hiccups

Here's a timely topic: holidays.

Today is the day before Thanksgiving in the US.

The cube farm in which I reside for 9 or so hours each day is practically empty.

Dotted line bosses are "away."

Solid line bosses are "away."

While we are largely "virtual office" people, and while managers are expected to check email and answer phones even when they are "away," things do slow down.

From now until at least the second week in January, it will be difficult to gather the troops (except maybe for the mid-winter holiday bash).

Progress won't exactly come to a complete halt, but any movement will be at a stagger.

If something happened we would be hard pressed to round up the responders necessary to respond.

Which means we have a risk.

If we have a risk, we need also to have a way to manage the risk.

In this case, we - collectively - need to know who is available; a designated responder.

For the run-of-the-mill daily operations - getting a Business Impact Analysis (BIA) reviewed and approved by Upper Management for example - we need to seriously plan ahead and "sandbag" (a term dear to bowlers) the schedule to allow for Missing Managers.

What normally requires a 24-hour turn-around now takes closer to 5 or 6 days (Wednesday before Thanksgiving, Thanksgiving, Friday after Thanksgiving, the "regular" weekend, and maybe the Monday following Thanksgiving).

Some folks have vacation time they have to use (or lose) before year's end.

Add to that a mentality in many organizations that "business continuity is a low priority" and the prospects of clearing up any outstanding issues are about as bright as a rainy day.

As I look at my calendar, I see the holiday risk pop up again and again.

Some are linked to religion - the Jewish "Big Three" plus New Year's and Yom Kippur, Easter and Christmas; national holidays such as July 4th, Memorial and Veteran's days, and more. (Even when I'm at work, a federal holiday can slow things down due to a lack of snail mail.)

Granted, the holiday risk usually isn't a big deal, but when it is combined with another risk, e.g. fire, it suddenly starts to get attention.

The reality is that for most planners, holidays - and vacations and sick time and other absences - usually are treated too casually.

We need to give a little more thought to the holidays as we develop, or review, our plans.

John Glenn, MBCI, SRP
Enterprise Risk Management/Business Continuity
Planner @

Wednesday, November 12, 2008

ERM-BC-COOP: Lenders as risks

I can't claim to have been "harping" on it, but I have noted in passing that Enterprise Risk Management (ERM) - Business Continuity (BC) - COOP practitioners must - not "should" but "must" - include the money lenders in the list of risks to threaten an organization.

I've also noted - and this I have harped on - that ERM-BC-COOP practitioners must - again, not "should" but "must" - make certain vendors have viable, verifiable ERM-BC-COOP programs. (Projects are nice, but only when they are part of a total, on-going program.)

Validation of my concerns hit the air and pages of the local press this morning.

An article on D.C. radio station WTOP's Web site leads off with

WASHINGTON - In a last-ditch effort to avoid financial disaster, Metro - faced with more than $400 million in bank payments - is turning to the Treasury Department for help.

The transit agency's financial woes stem from the recent collapse of financial giant AIG (American International Group). Metro had used AIG as an insurer for a number of deals it made with banks. The deals allowed Metro to do things like extend the transit system and buy new rail cars.

But because AIG's financial status has been downgraded, the banks Metro dealt with can now technically claim default and ask for all of their payment at once.

Metro runs buses and light rail in D.C., Northern Virginia, and near-DC Maryland. It is funded by riders, advertisers, and area governments.

It seems that AIG guaranteed Metro's loan from Belgian bank KBC Group. This loan, with US$43 million due, apparently is one of many loans Metro has floated to keep transportation moving in DC and parts of Northern Virginia and Maryland. AIG, according to the WTOP article, backed Metro for 16 financial deals that, if AIG fails and the lenders call in the loans, could force Metro to pony up more than US$400 million. As the article continues, Metro's 2009 capital budget is US$600 million.

Metro is not alone having AIG as the financial backer. The WTOP article identifies Atlanta, Chicago, LA, and San Francisco as other cities that must closely watch the AIG saga.

It seems, based on lessons learned from the AIG "weakness" and our understanding of "business in America" (and probably elsewhere), that not only do we need to ask vendors for their plans, but to ask the same question we should be asking hot site vendors: how many other customers do you have in our organization's situation? For AIG, someone needed to look at its financials, its balance sheet, to compare its assets with its liabilities - including loan guarantees.

Most of us, at one point in our lives, either have guaranteed a loan or had a loan guaranteed by another. We know that the guarantor is "on the hook" if the person getting the loan defaults, and the lender is very careful to assure the guarantor has the assets to clear the debt. I don't know that the lender could demand payment in full if the debtor defaults; that is what the Belgian financial organization is attempting.

In light of Citi Group's wise decision to mitigate its mortgage losses, Citi announced it will work with property owners to help them keep their property. That's just good business; in the end, the properties will (more than likely) be maintained and, when the economy recovers, the borrowers, sure to become Citi Group loyalists, will be able to start paying down the mortgage again. What Citi will ask for in the meantime - interest at some level perhaps - is to be determined, probably on an individual basis.

I seriously doubt Metro will have to sell off its rolling stock and rip up its tracks - D.C. is highly dependent on the system and while it lacks a loud voice in Congress, it can have a physical presence on the Capitol steps.

I also think the Belgian lenders are being foolish and short-sighted; theirs is, in my opinion, a knee-jerk reaction. Metro is not going to "go away"; it's too valuable an asset in the nation's capital. KBC Group would be better served by taking Citi Group's approach.

For us, ERM-BC-COOP practitioners, the bottom line remains the same: lenders are a risk; they need to be treated as a threat to the organization no matter if the loan is for operational use or expansion. Check the lender's - or in this case, guarantor's - balance sheet, research its major loans/guarantees (most brag that they count BIG NAMES as customers), and have an alternate financial source in mind, "just in case."

While we are at it, we are wise to check out our major customers' financial well-being.

Do we need to be CPAs or financial experts to accomplish this? No. But we do need to be smart enough to know CPAs and financial experts and to utilize their expertise.

John Glenn, MBCI, SRP
Enterprise Risk Management/Business Continuity/COOP

Thursday, November 6, 2008

Comments welcome, but ...

Comments to this blog are welcome PROVIDING they include the poster's real name and email which will be included in the comment. If you write it, stand behind it. Comments from posters who cannot be identified will be deleted.


Wednesday, November 5, 2008

ERM-BC-COOP: 4th year risk

I have noted in the past that "government" should be considered a risk.

My focus was on local and state government.

Licensing organizations. Regulators.

But the Federal government also is a concern.

The people of the United States just elected a new president, one who promises to change the way things are done in DC.

The new president will enjoy a same-party majority in both the Senate and House of Representatives.

(That, by the way, does not - as previous presidents have found - assure that all of the president's programs will receive congress' approval.)

It's far too early to guess at what the new administration, when it officially takes office in January, will do to keep its promise to change things.

An end to the war in Iraq could mean a cancellation of some defense-related contracts.

Big-bucks military modernization plans may be scrapped - or maybe not.

The size of the armed forces may be reduced and that would impact the defense industry - fewer troops mean fewer guns, transports, ready-to-eat meals, etc.

It could mean higher unemployment, but logically the first troops to be released would be Guard and Reserve who would return to their civilian employment - assuming they still have their old jobs. (The jobs are guaranteed by Federal law, but some weekend warriors are having to sue their employers - including the US Veterans Administration! - to get their jobs back.)

Then there's The Bailout.

Backing the Big Banks is a done deal, even when some of the banks apparently told the Feds they did not want the funds.

Will GM get a loan to buy Chrysler? Chrysler was the first major company to get a Federal loan which, I'm happy to note, was repaid, with interest, on schedule.

Will home owners facing foreclosure get protection that the outgoing administration was reluctant to promote?

What about SMBs - Small (and) Medium Businesses? Will they receive any Federal benefits or breaks?

The president-elect promised tax breaks for everyone making (earning or just collecting?) $200k (I thought at one time it was $250k, but either way, I'm well under the cap). What about the people who are making nothing - zero, zip, nada. The unemployed. How do you give a tax break to people who have no income on which to pay taxes?

No matter which candidate won the Nov. 4th election, the US was bound to see change.

For the most part, the US goes through this change-of-government exercise once every eight years (with few exceptions, most presidents have had two four-year terms) and most often, after eight years of one party's philosophies, the nation is ready to try on the other party's ideas - it's a swinging pendulum that has kept the US on a fairly even keel for decades.

The first Tuesday in November should be a reminder on every ERM/BC/COOP practitioner's calendar that government - at all levels - impacts the organization regardless of the organization's size or product/service.

The impact may be positive; the impact may be negative. For us, the impact of the impact has to be considered a risk.

How can a positive impact be a risk? Consider that if Organization A benefits from a positive impact, so does competitor Organization B - who can respond most rapidly and most efficiently to take advantage of the change?

Being able to anticipate change - risk - is as much what our work is all about as being able to avoid or mitigate events that could work against our organization's interest.

It's going to be an interesting four years.

John Glenn, MBCI, SRP
Enterprise Risk Management/Business Continuity/COOP

Tuesday, October 28, 2008


An interesting article appeared in a supplement to several Ziff-Davis magazines.

The supplement was titled "Innovations" and was, according to the cover, focused on the "power consumption crisis" in data centers.

But, interestingly, on Page 18 (a very good number) there's a two-page article titled "Banking scandals prod companies to rethink risk policies."

The article started off by citing an incident at Wachovia in the US and another with France's Societe Generale.

Why would a Ziff-Davis publication concern itself with risk management? Good question, but a pull quote on Page 19 explains that "software and technology in general is really only as good as the people who use them."

So we know Z-D's interest is software.

The article focuses on Governance, Risk, and Compliance (GRC) software, but there are some Enterprise Risk Management (ERM)/Business Continuity (BC) nuggets worth mining.

For example, the article by Renee Boucher Ferguson notes that a Deloitte study (financed by what interest group? Always ask that question when citing any survey) found that while banks have made "considerable progress" in increasing compliance management across the different parts of their business, there still is a lot of fragmentation and duplication of efforts.

Why fragmentation and duplication of efforts?

The Deloitte survey, the article continues, suggests that the reason for this is that initiatives often are managed on a case-by-case basis, based on a specific (and looming) regulations [sic] - an approach that leads to siloed initiatives.

Richard Speer, Speer & Associates CEO, adds that "most financial institutions want to understand what their risk exposure is on an ongoing basis. But the fact is that most don't have any particular knowledge of what is going on day-to-day in a particular business unit."

Narina Sippy, SVP/GM of SAP's GRC group, adds "Software and technology in general is really only as good as the people who use them, and as good or strong as the corporate commitment and the cultural willingness to embrace the technology that is put into place." (Emphasis mine.)

"Sometimes," Sippy continues, "it's change management (issues), sometimes it's cultural. If these are not aligned, the software is not going to be as effective as it could be."

Jeremy Roche, Coda CEO, claims that "The thing about properly designed (GRC) systems is that once they're designed, they don't make mistakes. People make mistakes."

I think Sippy is closer to the truth by noting that there are people issues to be considered. As for Roche's comment that systems don't make mistakes, my only comment is "programmers make mistakes (GIGO) and software can be fooled - the word 'hacker' comes to mind."

From the perspective of an Enterprise Risk Management practitioner, I think there are several telling sentences in the article.

First and foremost, "an approach that leads to siloed initiatives". The only - repeat only - way to avoid the "siloed" approach is to have an enterprise - holistic, all-inclusive - risk management (business continuity if you prefer, albeit there can be a difference) program. Note I wrote "program" - an on-going process - and neither "plan" nor "project" both of which have start and, unfortunately, end times.

Almost every organization is made up of silos. That's the nature of functional units, be they "business" (profit centers) or "resource" (e.g., Facilities, HR, IT).

It has been my experience that with few exceptions, most personnel have little idea of what transpires before a "transaction" (for want of a better term) lands on their desk or after it is passed on to the next "silo." Unlike a functional unit exercise, the enterprise program follows a process from beginning to end, and identifies all interdependencies, both internal and external.

The other thing that had me nodding my head up and down in full agreement with the writer is the statement that anything - in this case software - "really is only as good as the people who use them, and as good or strong as the corporate commitment and the cultural willingness to embrace the technology that is put into place."

Lacking "corporate commitment" assures that any Enterprise Risk Management program is doomed; failure is assured. The commitment must be on-going and come from the highest level; the sponsor must be an 800-pound gorilla in the organization, someone who has fiduciary responsibility and who is perceived to be an honest broker when the inevitable internecine conflicts occur.

I doubt the article was intended to promote Enterprise Risk Management, but it did point out several reasons why Enterprise Risk Management is really the best tool to avoid or at least mitigate not only the problems encountered by Wachovia and Societe Generale, but all manner of risks to the organization, both from within and from without.

John Glenn, MBCI, SRP
Enterprise Risk Management/Business Continuity/COOP

Thursday, September 25, 2008

ERM-BC-COOP: Interesting items

A couple of interesting items crossed my desk today.

One is a business card-size CD.

The other is a notification system.

The CD needs more research, but I think the effort may be worthwhile.

I discovered it scanning a posting on one of the Emergency Management lists I follow.

Basically, a product called "Pocket MD" creates a card/CD that contains "up to 200 pages of data" and can be played on any Windows computer.

If we assume - I know, that's dangerous - that "200 pages" equates to 200 8*10 or "A" size pages, that's a lot of information.

Enough to hold a complete ERM/BC/COOP plan.

According to the blurb, the data on the CD have "protections for privacy in place now under the Health Insurance Portability and Accountability Act, with penalties for violations." That really doesn't tell me a lot, but then I'm not interested in the product, only its media.

I can password protect or encrypt data before it goes onto a CD - regardless if the CD is "normal" size or a mini.

At this point, I don't know (a) where to buy mini CDs and (b) if I can write to them; reading on a computer (why only Windows?) is one thing; writing may be another.

I'm a person who still prefers documentation on paper, but I realize there are many people who prefer their information presented on a monitor, even a miniature, cell phone-size one. The mini CD allows both (all I need is printer access, paper, and "ink").

The idea that I can stick an entire plan in my wallet - I hope the CD is rugged - appeals to me.

Easier to keep handy than a full-size CD or memory stick that might get erased.

True, I still have to lug around a machine to display the CD's contents, but can equally small CD players be far away? Imagine inserting a mini CD into a Walkman-size or BlackBerry-size device with, hopefully, connectors to a BIG monitor and printer.

I wonder if the mini CD can handle audio as well as text. Let me listen to the plan, rather than try to read it on a BlackBerry screen.

The notification system is called "Twitter".

Twitter can send messages to cell phones or an Internet connection (IMs, Web page).

Messages to cell phones and IM devices are limited to 140 characters, which may not seem like a lot, but actually can convey useful information. The sentence you just read is 144 characters, including spaces and the final period; the first 140 of those characters (highlighted in red in the original post) are what a phone or IM device would display.

If a message is longer than 140 characters, it can be read on the WWW (with the first 140 characters displayed on phone or IM device).
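As an added illustration of the 140-character constraint just described (example code written for this edit, not from the post or from Twitter), the following Python checks what a phone or IM device would show and, for a longer alert, splits it into numbered segments that each fit. The sample input is the post's own 144-character sentence; the "(i/n) " counter format is my convention, not anything Twitter defines.

```python
from typing import List, Tuple

# Per-message cap the post describes for Twitter delivery to phones and IM clients.
SMS_LIMIT = 140

# Constructed sample input: the post's own 144-character sentence.
SAMPLE_ALERT = (
    "Messages to cell phones and IM devices are limited to 140 characters, "
    "which may not seem like a lot, but actually can convey useful information."
)


def phone_preview(text: str, limit: int = SMS_LIMIT) -> Tuple[str, bool]:
    """Return what a limit-sized device would show (the first `limit`
    characters) and whether anything was cut off, so the sender knows the
    recipient did not get the whole message."""
    return text[:limit], len(text) > limit


def _pack(words: List[str], budget: int) -> List[str]:
    """Greedily pack words into chunks of at most `budget` characters,
    breaking on spaces; a single token longer than the budget (a long URL,
    say) is hard-split rather than dropped."""
    chunks: List[str] = []
    current = ""
    for word in words:
        while len(word) > budget:
            if current:
                chunks.append(current)
                current = ""
            chunks.append(word[:budget])
            word = word[budget:]
        candidate = word if not current else current + " " + word
        if len(candidate) <= budget:
            current = candidate
        else:
            chunks.append(current)
            current = word
    if current:
        chunks.append(current)
    return chunks


def split_alert(text: str, limit: int = SMS_LIMIT) -> List[str]:
    """Split an alert into numbered segments "(i/n) ..." that each fit the
    limit. A message that already fits is returned unchanged, without a
    counter, so the common case stays as short as possible. The counter
    "(i/n) " is this example's own convention (an assumption, not Twitter's)."""
    words = text.split()
    if not words:
        return []
    if len(text) <= limit:
        return [text]
    n = 2  # at least two segments are needed when the text does not fit
    while True:
        reserve = len(f"({n}/{n}) ")  # widest counter for n segments
        budget = limit - reserve
        if budget < 1:
            raise ValueError("limit too small to hold a segment counter")
        chunks = _pack(words, budget)
        if len(chunks) <= n:
            break
        n = len(chunks)  # counter may have grown a digit; repack with less room
    total = len(chunks)
    return [f"({i}/{total}) {chunk}" for i, chunk in enumerate(chunks, start=1)]


if __name__ == "__main__":
    preview, cut = phone_preview(SAMPLE_ALERT)
    print(f"device shows {len(preview)} chars, truncated={cut}")
    for segment in split_alert(SAMPLE_ALERT):
        print(f"[{len(segment):3d}] {segment}")
```

Running it on the sample sentence shows the device would drop the final word, and that two segments ("(1/2) Messages ... useful" and "(2/2) information.") carry the whole message within the limit; the practical lesson is to put the actionable part of an alert first, so that even a truncated first segment is useful.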

The URL above is the FAQ, which I thought was a good place to introduce you to the application's functionality. There is a link on that page back to the Twitter home page.

Twitter's raison d'etre is simple: "Twitter is a service for friends, family, and co-workers to communicate and stay connected through the exchange of quick, frequent answers to one simple question: What are you doing?"

For ERM-BC-COOP practitioners and EM responders, the "What are you doing" can be turned into something more akin to "ET call home."

I already get text messages on my phone from my county's emergency management folks (and emails as well), so I understand the value of a short message.

Something to consider.

Mini CDs and another way to alert people who want to be alerted.

John Glenn, MBCI, SRP
Enterprise Risk Management/Business Continuity/COOP

Wednesday, September 17, 2008

ERM-BC-COOP: Not in scope?

If an organization's

  • image
  • production
  • employee welfare & attitude
  • vendors
  • credit sources
  • market value (stocks, bonds)

are "in scope" for the Enterprise Risk Management (Business Continuity/COOP) practitioner, why not the organization's financial concerns that, after all, impact everything on the bulleted list - and more?

I'm thinking of the financial crisis du jour.

Banks belly up.

Insurance company bailed out with a federal loan in the billions.

All somehow laid at the feet of mortgage brokers who, it is claimed, allowed too many too-risky mortgages to be approved.

No organization or person is immune from some impact of this money crisis. Even if you don't have money in The Market, you are spending money at the (super)market, and prices there have crept - in some cases, leapt - up.

'Course fuel prices must share some of the blame.

But the real crunch seems to be due to the number of "bad" loans.

Many of the mortgages were issued with minimal collateral - the lender figured, with some justification, that the value of the property would go up and therefore protect the loan. When values dropped, the loan-to-collateral ratio was reduced.

That might not have been so bad, but at the same time, people started losing their jobs.

With no income, mortgage payments stopped.

Since the property value was less than the loan . . .

The results are obvious.

I understand the mortgage business is complicated.

I took a mortgage on a property and before the first payment it had been sold to another company.

Actually, it may have been sold several times before I got my payment coupon book.

As the paper traveled from hand to hand, I have to wonder if there was "full disclosure" about the loan. Did the organization that "packaged" my loan with others package it with similar-collateral loans, or was mine tossed into a "pot" of loans of various "creditworthiness"?

Did the organization - apparently the AIGs of the world - know the true loan risk when it bought the mortgage packages?

In the "real world" of personal finance, my Financial Manager (a/k/a The Spouse) insists that we diversify our limited funds. I am in full agreement.

I am inclined to take a bit more risk in the market; she is more conservative, but we both agree that diversification is the best way to protect what we have.

The market's decline HAS hurt us, but because we are diversified, we are surviving better than some.

AIG, as big as it is, apparently put too many "eggs" into one basket.

Lehman Bros., ditto.

Just two of the recent headline names.

I wonder if these organizations had a comprehensive enterprise risk management program, if the management had been honest and candid with the risk management practitioners, if the practitioners had recommended greater diversity, and - finally - if management had listened to and followed the practitioners' advice, would they be as deeply in financial trouble.

Too often, the books are "out of scope" for the practitioner.

Too often, working with qualified financial auditors is "out of scope" for the practitioner.

OK, I'll concede that there have been some less than above board auditors, but "in general."

The risk manager must be privy to ALL the organization's interests. The risk manager need not be an expert in anything (other than risk management); the risk manager depends on specific-discipline Subject Matter Experts (SMEs) such as the aforementioned auditors.

I've worked with CPAs; they know a lot more about accounting than this scrivener can ever hope to know.

I've worked with police who know physical security inside out.

I've worked with data security folks who protect my bits and bytes from miscellaneous dangers I've never heard about.

Most of my career as a risk management practitioner and as a writer before that has required that I identify and turn to SMEs.

Enterprise risk management must be allowed to look into all the organization's corners and closets.

Still, even when the practitioner ferrets out a risk - in today's exercise, over-exposure in the mortgage market - management has to listen and act.

Could the current financial melt-down have been prevented if risk managers had access to all of an organization's information?


One risk manager at one organization would not have prevented this debacle, but many risk managers at many organizations . . . maybe.

John Glenn, MBCI, SRP
Enterprise Risk Management/Business Continuity
Planner @

ERM-BC-COOP: Vacuum (&) bags

I was reading a book the other day.

Not a very good book, but it had one scenario that appealed to me.

The scene is set at an airline's Lost Bags office.

As a consultant, I know the scene very well.

Seems the author and his bags got separated and he was waiting in line to report the loss.

The airline person was asking the person at the front of the queue about his luggage.

    Clerk: "What color is it?"

    Traveler: "I don't know."

    Clerk: "How big is it?"

    Traveler: "I don't know."

At this point, the author tells us he's wondering what idiot doesn't know the color or size of his bag?

Then, the author continues, he learns - to his embarrassment - that the person in front is blind.

The author's point, and it is a good one, is that we should get all the facts before we come to a conclusion.

The story, when given some thought, seems to ring false.

If we can assume our blind passenger didn't get off the plane and go directly to the Lost Bags office, consider this:

    Our traveler goes to the baggage carousel.

    He can't see the bags as they go round-and-round.

    So he needs help from someone nearby.

    To get help he needs to tell the helpful neighbor something about the bag.

    Something unique - a colorful strap, an unusual luggage tag, something.

Things the traveler could, and I'm confident would, have known and shared with the Lost Bags clerk.

(Do you know anyone who would buy or borrow a suitcase without knowing ANYTHING about it?)

'Course if our sightless traveler was high tech, the bag may have had a small transmitter, but there was no indication of this and, besides, it ruins my story.

The point I'm trying to make is if our author had batted around the idea with others before setting the story to paper he might have seen the "holes" I found.

Believe it or not, THAT is the point of this exercise.

Practitioners should never - repeat never - create a plan in a vacuum.

One person simply will not think of "everything."

I was in a meeting the other day and we were dealing with a violence in the workplace scenario.

The group mulling the situation - a person, believed to be a disgruntled employee, came to the office building with a shotgun, blew away the weaponless guards, and proceeded up a staircase to the fourth floor - included Facilities, HR, IT, and Security, and maybe others representing interests I didn't catch.

The exercise was interesting. We had input from a variety of perspectives, both professional and personal.

I was the only professional risk management practitioner in the group.

Trust me, I learned things; I was introduced to "what ifs" I had not considered, "what ifs" I normally would not consider on my own.

I've been doing risk management for more than a baker's dozen years, and every time I'm involved in an event such as the one the other day I learn something new - or at least I'm reminded of something that might have slipped my mind.

While it often is fun to play the "what if" game with other practitioners - we do have some interesting "off-the-wall" experiences - we need to listen to ALL sources, even if we think they are talking outside their professional area of expertise.

I practice what I preach.

John Glenn, MBCI, SRP
Enterprise Risk Management/Business Continuity
Planner @

Sunday, September 14, 2008

ERM-BC-COOP: Suicide murder passé?

While suicide murderers normally are not a high risk for most Enterprise Risk Managers/Business Continuity planners, falling more into the realm of government agencies such as police and intelligence groups, maintaining awareness is appropriate for us both to protect facilities (and the people in them) and our people on the move. We all know of shoulder-fired missile attacks on commercial (civilian) aircraft.


The following appeared on the NY Times' September 10, 2008 op-ed page under the title "Living to Bomb Another Day." Its author, Ronen Bergman, a correspondent for Yedioth Ahronoth, an Israeli daily, wrote "The Secret War With Iran."

Copyright 2008 The New York Times Company

"AMONG all the bombs, explosives and guns, the number of martyred dead is rising. Though this is the will of Allah, it is nevertheless possible to cause the enemy greater damage without exposing the Muslims to danger. How is it to be done?"

This question, which appeared as a post in May on the Web site Al7orya, one of the most important of Al Qaeda's closed Internet forums, is only one example of the evidence that has been accumulated by American and Israeli intelligence in recent months of a significant ideological change under way within Osama bin Laden's organization. Seven years after 9/11, it may well be that we are witnessing the beginning of the end of suicide terrorism and a shift toward advanced technologies that will enable jihadist bombers to carry out attacks and live to fight another day.

Although Islamic suicide terrorism dates back to the anti-Crusader "assassins" of the 11th century, its modern history begins with statements made by Sheik Mohamed Hussein Fadlallah, the spiritual compass of Hezbollah, in an interview published in 1983. "We believe that the future has surprises in store," he said. "The jihad is bitter and harsh, it will spring from inside, through effort, patience and sacrifice, and the spirit of readiness for martyrdom."

A short time later, Sheik Fadlallah's bodyguard, Imad Mughniyah, organized a series of murderous suicide attacks - first against Israeli military targets, then against the American Embassy in Beirut and finally, of course, against the barracks of the American-led multinational force in Lebanon, causing nearly 300 deaths. From there, it was a short march to 9/11.

Despite countless attempts by Western intelligence agencies, and the many projects by psychologists trying to draw the profile of the average suicide terrorist, we have failed miserably in finding a solution to the "poor man's smart bomb." Now, however, attrition may achieve what the experts have not: after years of battle in two main arenas - Iraq and Afghanistan - Al Qaeda's suicide-recruitment mechanisms are beginning to wear out.

While the terrorist group has been careful not to mention it in its official statements, it is no longer uncommon to find jihadists in their chat rooms and, according to Western intelligence sources, in interrogations, stating that young men are reluctant or simply too scared to take part in suicide attacks. At the same time, military blows against Al Qaeda's training structure since 2001 have meant that the number of extremists with combat experience is decreasing, and that new recruits are harder to train.

The startling cost in lives of its operatives in Iraq and Afghanistan has motivated Al Qaeda's technical experts to start seeking technical solutions, primarily on the Internet, that would render suicide unnecessary. These solutions mostly revolve around remote controls - vehicles, robots and model airplanes loaded with explosives and directed toward their targets from a safe distance.

This turn to technology, however, is not devoid of religious aspects: although dying in battle is undisputedly holy, many scholars claim that any intentional taking of one's own life is forbidden, thus outlawing suicide attacks altogether. Even religious rulers who endorse suicide attacks consider them to be a last resort, to be used only when all other means are exhausted.

"Martyrdom operations are legitimate, and they are among the greatest acts of combat for Allah's cause," said Bashir bin Fahd al-Bashir, a Saudi preacher and one of Al Qaeda's most popular religious authorities, in a recent sermon. "But they should not be allowed excessively. They should be allowed strictly on two conditions: 1. The commander is convinced they can definitely inflict serious losses on the enemy. 2. This cannot be achieved otherwise."

The meaning of such dictates is clear: carrying out suicide attacks when there are alternatives that would allow the bomber to survive should be considered "intihar," the ultimate sin of taking one's own life without religious justification.

Avoiding suicide has become the major topic on Al Qaeda's two main Web platforms for discussing the technological aspects of jihad, the forums Ekhlaas and Firdaws. "Those overpowering Satan's seduction are few, and we sacrifice those few since they may win us Paradise," read a posting on both sites this summer on the subject of "vehicle-borne improvised explosive devices." It continued: "Yet, keeping them alive is beneficial for us, since every one of them is tantamount to an entire people. So we must find a way to save those lives and harness that zeal."

The post led to a vast and heated online discussion among extremists, illustrating the new complexity of the topic. As the jihadists on these sites move from discussing ideology to the practical aspects, it becomes clear that their biggest technological challenge will be moving on from the radio-wave technology that has proved highly successful in remotely setting off homemade bombs against military convoys in Iraq to the more delicate task of getting the explosive to its target and then detonating it without being exposed.

Unfortunately, Al Qaeda seems well on its way to gaining such an ability. Chatter on these sites has tended toward discussions of the various types of remote-piloted aircraft able to carry the necessary weights, as well as specific robot designs, including models that police forces use to dispose of explosive devices. One extremist pointed out the ease with which such robots can be acquired commercially.

Also, in a document posted last month at Maarek, the most sophisticated jihadist forum for discussing explosives manufacturing, a prolific technical expert calling himself Abu Abdullah al-Qurashi suggested training dogs to recognize American troops' uniforms, then releasing other dogs carrying improvised explosive devices toward American soldiers so the bombs can be detonated from a safe distance. The author begins with the following words: "I.E.D. operations, but this time, with dogs. Yes, dogs! Brothers, some may find my words fantastic. But, believe me, we should better let a dog die, than let a Lion of Islam die!"

To get a feeling for how Western militaries and security services plan to counter this next wave of terrorism, I talked to Gadi Aviran, the founder of Terrogence, a company made up of former members of Israel's intelligence community and special military units that gathers information on global jihad as a subcontractor for intelligence agencies in Israel, the United States and Europe. "All of these secretive discourses in the password-protected cyber forums are of the same spirit," he told me. "Mujahedeen's lives are fast becoming too valuable to waste and although this seems like good news, the alternatives may prove to be just as difficult to deal with."

So, while an end of suicide terrorism might seem like a good thing for the troops in Iraq and Afghanistan, the bad news is that the extremists seem to be well on their way to mastering all sorts of new technology, much of which, such as using dogs and remote detonators, is simple and cheap.

Most counterterrorism experts estimate that for military forces to devise and deploy countermeasures to a new insurgent strategy usually takes two to five years. Moreover, in the case of remote-control systems, improvements in technology mean that the signal-blocking systems now being used by Western militaries may no longer be effective.

Another hurdle Western forces may face is that a new emphasis on remote execution would significantly change the profiles of the terrorists. The uneducated, enthusiastic youths from weak economic backgrounds who have formed the bulk of Al Qaeda's followers - and whom our intelligence services have spent a decade identifying and neutralizing - will give way to a new type of activists: electricians and robotics experts will join the qualified chemists who make the explosives in order to carry out non-suicide attacks.

The good news is that suicide bombing seems to be on the wane. The bad news is that Western forces will almost certainly face a new breed of highly educated Qaeda terrorist.

John Glenn, MBCI, SRP
Enterprise Risk Management/Business Continuity
Planner @

Wednesday, September 3, 2008

ERM-BC-COOP: Small businesses not prepared

An article from the Continuity eGuide for 3 September 2008 addresses small business risk management in the UK. The article, British Small Businesses Unprepared for Risk, is on the WWW at http://disaster-

A new survey by YouGov has found that small- to medium-sized businesses in the UK often disappoint customers because they lack business continuity planning.

In an article on the website, Rosalie Marshall says the online survey of more than 1,000 small business owners and managers revealed that only one third of SMBs are taking steps to ensure their business will continue to operate normally in the event of disruption.

Stephen Rankin, regional director for UK employers’ organization the Confederation of British Industry, told Marshall “companies cannot afford to be out of action for any extended period of time because they risk losing customers in the short term and damaging their relationship in the longer term. This survey highlights the fact that some businesses have a long way to go in getting their plans up to scratch.”

In other findings, 40 percent of respondents said a computer hardware failure would be detrimental to their business, and only 10 percent said they would be able to function as normal after a failure.

“Also, less than ten percent of the SMB managers had heard of BS 25999, the first British Standard for Business Continuity Management, which was launched at the end of last year and sets best practices for business continuity plans,” Marshall adds.

However, it looks like the message might be sinking in a bit after all. The survey also found that after the managers were informed of the BS 25999 standard, 30 percent said they would apply for certification.

The problem, at least on this side of the pond, is that Small & Medium Businesses (SMBs) usually can't afford to engage a qualified planner full time and likewise lack the budget to hire a consultant.

I can understand the SMB owners' and managers' predicament.

There is a solution, but it takes a third party, or perhaps a group of third parties.

As much as practitioners want to provide their expertise to everyone, there is the small matter of paying the bills.

Last month I had a blog entry titled "SMBs and Understanding ERM" ( that looked at ways for SMBs to finance business continuity.

The point I was making then is worth making again - mostly because no one has been banging on my e-door asking for more information.

Then, and now, I suggest that trade, professional, and industry organizations - primarily national and regional - employ experienced practitioners and make their expertise available to their members. The organizations already charge a membership fee to help offset various and sundry activities. Some of the money collected might be directed to a practitioner's compensation. Individual members also might pay a percentage of a plan's development and on-going maintenance costs.

Another approach would be for auditors and insurance companies or agents - and similar vendors - to engage a full-time practitioner to create plans for their clients as "value added" services. Again, the client might be able/willing to pick up some of the cost.

Frankly, Scarlett, I don't care how or who finances risk management, as long as a risk management program is undertaken.

Now, before someone pushes back and tells me "but all plans are different," I'll concede the point. But, having been doing this for more than a dozen years, I know there are some basic - repeat, basic - steps that can be translated into a "one size fits all" template or skeleton plan.

Since most SMBs are, by definition, "small," the plans should be relatively simple and straightforward - translation: relatively quick to create and validate. Rather than have a plan reviewed by 20 people at several different management levels, the SMB plan typically will be reviewed by one or two Subject Matter Experts (SMEs) and one or two managers or owners.

Basic Statements of Work (SOWs) and Project Plans almost could be boilerplate, particularly if the program is sponsored by an affinity group (e.g., grocers, Realtors, doctors, religious organizations).

Bottom line: The wheel does not have to be reinvented for every plan. "Tweaked," yes; reinvented, no.

Every organization needs an enterprise risk management program; every organization deserves an enterprise risk management program.

Note I wrote program and not project.

Enterprise risk management, business continuity/COOP - call it what you will - to be successful needs to be an on-going program. Projects have a start and end point - and while a plan is created as a project, it is only one part of the program that includes continuous maintenance and exercises. Plans that gather dust on the shelf quickly become not just useless but sometimes dangerous.

There IS a way to assure that SMBs can afford enterprise risk management and that practitioners can make a decent living.

Now, if we can just get the organizations and vendors on board . . .

John Glenn, MBCI, SRP
Enterprise Risk Management/Business Continuity
Planner @

Tuesday, September 2, 2008

ERM-BC-COOP: Validation is wonderful

Validation is wonderful, especially if lives are saved.

I don't know if the folks at DHS/FEMA visit my Web site, but after Katrina I posted three Katrina-related articles to my URL:

  1. The "What if" game after Katrina ( - Sept. 4 2005
  2. All aboard ( - Sept. 25, 2005
  3. Applying Katrina lessons to Business Continuity planning ( - Nov. 30, 2005

Much of what I wrote was put into action.

It was interesting, and satisfying, to see buses taking people to Amtrak trains bound for safe haven.

It was good to see the mayor apparently in control and making what I consider the "right" decision in ordering evacuation.

It was good to know that people coming down to assist were in place at selected staging areas, not just for New Orleans LA (NOLA), but other cities and towns in the threat area as well.

It was not good to learn

  • the levees weren't ready

    I know it takes time, but could the effort have been expedited?

  • that a politician was encouraging his followers to descend on the threatened area to offer help

    This encouragement was later tempered by the politician's decision to tell all to wait and see what help was needed

  • that of the fatalities linked to Gustav, most were the result of an auto accident in Georgia when a driver apparently fell asleep

    If the car was traveling on I-10, there are rest stops; if on US 90, there are towns where evacuees could pull over; I doubt any cop would tell someone escaping a hurricane threat to "move on"

  • that a couple of (scrapped?) Navy vessels were "loose" and might threaten the levees

But, all-in-all, NOLA and communities along the Gulf coast escaped with little damage. Then again, Gustav, while threatening as a Cat 4 or 5 storm, came ashore as a Cat 1.

I'm a Floridian and, trust me, I do NOT denigrate any hurricane.

I know that most damage is caused by flooding, and if the TV pictures I saw are accurate, there was substantial flooding, but not as it was in Katrina.

And again, although there still were too many, the hurricane-related fatality count was minimal.

Is there room for improvement?

Of course.

Will some of the folks who evacuated this time think the mayor - whoever is in office at the time - is playing "Chicken Little" crying "The sky is falling" and elect to "hunker down"? I'd bet on it.

Will the mayor be criticized for ordering an evacuation?

Of course.

Was it the right thing to do?

I think so.

A tip of the hat to the presidential candidate who proposed that we respond as Americans, rather than as members of this or that political party. (His appeal probably will be mocked on The View, but that won't surprise anyone.)

Nothing's perfect, and I expect a post-event critique to point out ways to improve, without, I hope, the finger pointing prevalent after Katrina.

My only complaint is that the focus was totally on NOLA. Granted, it IS below sea level and it IS "the" city in the area, but there are other folks in cities, towns, hamlets, and farms along the Gulf coast that also are in danger from storms - hurricanes and otherwise.

My only remaining question: Will The Feds bail out - literally and financially - those people who insist on building where common sense tells us not to build, and - worse - who, as they did before Katrina, fail to insure?

John Glenn, MBCI, SRP
Enterprise Risk Management/Business Continuity
Planner @

Friday, August 22, 2008

ERM-BC-COOP: NYC earthquake prone?

OK, you are in California sitting on a fault line.

You're looking for a safe alternate site.

New York, where else? No quakes there.

Well, maybe not quite.

According to "Earthquakes may endanger New York more than thought" at, "A study by a group of prominent seismologists suggests that a pattern of subtle but active faults makes the risk of earthquakes to the New York City area substantially greater than formerly believed. Among other things, they say that the controversial Indian Point nuclear power plants, 24 miles north of the city, sit astride the previously unidentified intersection of two active seismic zones."

Now it's not likely that a quake will hit both coasts at the same time, so while the alternate site in the Empire State still is valid, it does point out the need to thoroughly research alternate site locations before putting down a contract.

I am not a Nervous Nelly when it comes to nuclear power generating plants such as Indian Point - I used to comfortably live near Three Mile Island (TMI) and would do so again - but including earthquakes in the equation seems reasonable.

Granted, in the "normal" scheme of things, Enterprise Risk Management (ERM) practitioners will "prioritize" risks by probability and impact, and granted, the probability of an earthquake at TMI or Indian Point or Turkey Point is minimal, but the impact could be substantial.

As an ERM practitioner, I would be obliged to point out - loudly and in whatever manner that would get results - that "Houston, we have a potential problem" of some magnitude.
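The two preceding paragraphs describe the usual probability-times-impact prioritization and why a low-probability, high-impact risk such as an earthquake at a plant site can get buried by it. The following Python sketch is an added example, not code from the post or from any ERM tool; the risk register, the likelihood and impact values, and the "impact floor" escalation rule are all constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    """One row of a risk register (constructed sample, not real data)."""
    name: str
    probability: float  # assumed annual likelihood, 0.0 .. 1.0
    impact: int         # assumed scale: 1 (negligible) .. 5 (catastrophic)


# Constructed register: the earthquake entry mirrors the post's point,
# very unlikely but with the worst possible impact.
RISKS = [
    Risk("hardware failure", 0.40, 2),
    Risk("regional flood", 0.05, 4),
    Risk("earthquake at plant site", 0.001, 5),
    Risk("building fire", 0.02, 3),
]


def expected_score(risk: Risk) -> float:
    """The 'normal' prioritization: probability x impact."""
    return risk.probability * risk.impact


def naive_rank(risks: list[Risk]) -> list[str]:
    """Rank purely by expected score; low-probability risks sink to the bottom."""
    ordered = sorted(risks, key=expected_score, reverse=True)
    return [r.name for r in ordered]


def prioritize(risks: list[Risk], impact_floor: int = 5) -> list[str]:
    """Rank by expected score, but escalate anything at or above the impact
    floor to the front of the list no matter how unlikely it is, so the
    practitioner is obliged to raise it (the assumed floor is 5)."""
    escalated = sorted((r for r in risks if r.impact >= impact_floor),
                       key=expected_score, reverse=True)
    remainder = sorted((r for r in risks if r.impact < impact_floor),
                       key=expected_score, reverse=True)
    return [r.name for r in escalated] + [r.name for r in remainder]


if __name__ == "__main__":
    print("score only:   ", naive_rank(RISKS))
    print("with floor:   ", prioritize(RISKS))
```

Run as-is, the score-only ranking lists the earthquake last; the floor rule moves it to the top while leaving the order of the remaining risks unchanged. The floor value is a policy choice the organization has to make, which is the practitioner's "loudly and in whatever manner" point above.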

In this day and age, we know how to build earthquake-resistant (is there such a thing as "earthquake proof"?) structures; the Japanese do it routinely.

Because of the terrorist threat, and - going back to the "cold" war, the threat of enemy attack (the difference being rogue threat vs. state threat), n-plants are fairly well fortified.

The question: is "fortification" mutually exclusive with "earthquake-resistant?"

I'm not an architect or geo-physical scientist, but I am an ERM practitioner who knows that I need to find Subject Matter Experts (SMEs) - architects and geo-physical scientists, among others - who can provide the information I need.

As a relatively young reporter at the Harrisburg PA Patriot-News, I wrote enough copy about the pros and cons of TMI to fill a newspaper broadsheet page. As a reporter, it was my job to report, not editorialize. As an ERM practitioner, my job is to editorialize. And to promote my "educated opinion."

I hope I - we - are not "a voice crying in the wilderness" (a misquote and taken out of context as it happens) or that our voice falls on deaf ears as, alas, is too often the case.

Should practitioners go around shouting "The sky is falling, the sky is falling" because someone wants to do something that is less than 100% safe?


And no.

In the case of the n-plant, if someone insists on building it on a fault, at least insist that the site be earthquake "tolerant" - that is, so that if a quake does happen, even in the "worst case" situation, danger to the people will be controlled.

The bottom line is that no matter what is proposed, and no matter where it is proposed, the ERM practitioner must do his or her in-depth homework - do more than just read back issues of the local paper (although that is a good resource) to ferret out all the risks, even the unlikely ones.

Risk management includes risk mitigation; in the case of the n-plant site selection, the location on a fault line can be mitigated by the structure's architecture.

(As an ERM practitioner, I would most assuredly have a couple of independent construction experts maintain close supervision of construction. I am not a "Nervous Nelly," but when the risk is as great as presented here, I am "suspicious.")

Trade-offs are OK, providing we have done our homework in-depth, and that means talking to all the SMEs, both locally and elsewhere.

But an earthquake in Manhattan?

Who would'a thought?

John Glenn, MBCI, SRP
Enterprise Risk Management/Business Continuity
Planner @

Tuesday, August 19, 2008

ERM-BC-COOP: GTAG, you're it

I was introduced this morning to the Institute of Internal Auditors' (IIA) Web site (

I was pointed there by another practitioner who agrees with me that "auditors are our friends."

The IIA publishes a series of documents called GTAGs; translation: Global Technology Audit Guides. There are 11 linked from .

GTAG 10 is titled Business Continuity Management.

It's a free PDF download and worth every bit of the 1.65M of space it will take up on a hard drive.

GTAG 10's authors - whose bios are included near the end of the document - are real-world risk managers and come from a variety of industries.

I confess I was ready to hit the email when I read in the Page 1 Executive Summary that "The goal of business continuity management (BCM) is to restore critical business processes after a disaster has been declared."

While I agree with the focus on the business, my knee-jerk reaction was "where's avoidance and mitigation?" These two gems separate BC from DR more than anything else (in my book).

Page 2 was no better: "BCM capabilities are focused on the recovery of critical business processes to minimize the financial and other impacts to a business caused during a disaster or business interruption."

But then I read:

2. Can the organization prove the business continuity risks are mitigated to an approved acceptable level and are recertified periodically?

and hope began to shine forth.

I found myself nodding my head in agreement as I read on Page 3 how IIA defines BCM:

Business continuity management is the process by which an organization prepares for future incidents that could jeopardize the organization’s core mission and its long-term viability. Such incidents include local events like building fires, regional events like earthquakes, or national events like pandemic illnesses. The key components of the BCM are:

  • Management Support — Management must show support to properly prepare, maintain, and practice a business continuity plan (BCP) by assigning adequate resources, people, and budgeted funds.

  • Risk Assessment and Risk Mitigation — Potential risks due to threats such as fire, flood, etc., must be identified, and the probability and potential impact to the business must be determined. This must be done at the site and division level to ensure the risks of all credible events are understood and appropriately managed.

  • Business Impact Analysis (BIA) — The BIA is used to identify business processes that are integral to keeping the business unit functioning in a disaster and to determine how soon these integral processes should be recovered following a disaster.

  • Business Recovery and Continuity Strategy — This strategy addresses the actual steps, people, and resources required to recover a critical business process.

  • Awareness and Training — Education and awareness of the BCM program and BC plans are critical to the execution of the plan.

  • Exercises — Employees should participate in regularly scheduled practice drills of the BCM program and BC plans.

  • Maintenance — The BCM capabilities and documentation must be maintained to ensure that they remain effective and aligned with business priorities.

Crisis Management Planning and Disaster Recovery of IT were separate headings.

I might quibble about the order of Risk Assessment and Risk Mitigation and Business Impact Analysis (BIA) in the IIA's list, and I firmly believe crisis management is part and parcel of business continuity, and that IT disaster recovery is part of the business continuity recovery process.

But all-in-all, IIA's document seems to have gotten off to a good start.

IIA really won me over when, on Page 6 it listed people as Number 1 under the Common Disaster Impacts heading. Following People were Facilities and equipment, Communication infrastructure, Supplies, and Information and IT systems.

I agree with so much of what is presented in GTAG 10, Business Continuity Management, I could have authored (most of) it.

For the ERM/BC/COOP practitioner, GTAG 10 is an excellent resource if for no other reason than that it comes from auditors.

While many middle- and upper-level managers cringe when they hear the words "The auditors are coming," I delight in them.

Auditors, if they have any concept of business continuity, can be an asset to the practitioner.

Auditors, if they lack any concept of business continuity, should find a practitioner to give them an overview - or point them to this document and to the IIA.

There are a number of very good "what's business continuity and how to do it" documents out in the world; the International Facility Management Association has one.

What sets this publication apart is that auditors, unlike - say - facility managers, (should) have a broad view, a view that is focused on the enterprise rather than only a small part of the enterprise.

From my perspective, GTAG 10 is a keeper.

John Glenn, MBCI, SRP
Enterprise Risk Management/Business Continuity
Planner @

Thursday, August 7, 2008

ERM-BC-COOP: Real threat

A Yahoo group in which I participate - not just lurk, but participate - recently had an appeal for help; bits and pieces of the thread follow.

"A friend of mine needs a template for a COOP plan for a tenant activity on a military base. I have many COOP templates, but not for a military unit. I'd appreciate your assistance.

"I'm looking for someone's experience writing a plan specifically for an individual unit in support of the overall military installation COOP.

"This guy is in the Army National Guard and his civilian job is with my organization, the *. He has been tasked by his Guard unit to develop the COOP plan during his two week training, so I thought I could find a good template/plan that he could use as a guideline since he's not an experienced COOP planner."

My response to the poster was perhaps less than politically correct, although it was restrained and polite.

How anyone with any conception of ERM-BC-COOP could even suggest that a less-than-tyro could create a plan in two weeks - even with a fill-in-the-blanks template - is beyond my ken.

The officer who assigned this detail may have it "in" for the Guardsman; certainly the weekend warrior has been thrown into a lose-lose situation; worse, if he does cobble something together that hints at being a plan, it probably will be accepted and touted as The Answer To All Threats when in fact it's nothing more than wasted effort that can endanger the unit's personnel and mission.

In a word, the proposal to have an absolute novice create a plan in two weeks is, at best, "stupid."

If I wrote it, you can quote it.

The Guardsman's predicament is symptomatic of what's wrong with ERM/BC/COOP today.

Ignorance at the top expecting perfection from unskilled staff.

I'd like to invite a high school biology student to perform surgery on the officer(s) who assigned this task. I seriously doubt the officer(s) would tolerate such a situation, yet they are willing to jeopardize lives and mission by tasking an untrained person with a critical task.

John Glenn, MBCI, SRP
Enterprise Risk Management/Business Continuity
Planner @

Monday, August 4, 2008

ERM-BC-COOP: Bottom line

The Bottom Line for Enterprise Risk Management (ERM), Business Continuity (BC), and Continuation Of Operations (COOP) practitioners IS the bottom line.

When proposing ERM (a/k/a BC and COOP) to a person with fiduciary responsibility, the first question the practitioner should expect to be asked is "What's the ROI?" (ROI = Return On Investment).

In other words, if the organization puts up "n" units of local currency, what is it going to buy the organization?

It is a good question. It is a legitimate question. It is a difficult question to answer with hard facts.

After all, if there is a program in place and a risk is avoided or mitigated to a pittance, how can the practitioner tell the organization "the program saved 'n' units of local currency" or "because of the program, the organization was able to make 'n' units of local currency in revenue"? If a competitor or neighbor goes "belly up" and the planner's organization survives the threat, the "incident," then the practitioner can point to the competition or neighbor and say with some confidence "there, but for the ERM program, goes this organization."

It's wonderful when an organization's senior management is so enlightened that it recognizes the importance of its personnel and places them at the top of the list of resources to protect. Unfortunately many organizations are run by people from the MBA school of thought that considers people a renewable resource. (They are, but like trees, it takes time to "grow" them into the job.)

Given all that, we're back trying to show a benefit to the bottom line.

We have a new ally, perhaps several.

According to an article in ZD Net Asia (,3800011228,63005446,00.htm) by Nathaniel Forbes, director of Forbes Calamity Prevention ( the "U.S. credit rating agency Standard & Poor's (S&P) started evaluating the enterprise risk management (ERM) capabilities of non-financial companies that it covers.

"S&P currently evaluates risk management at banks, insurance, energy and agribusiness companies, and now wants to do so for companies in other sectors. The S&P 500 index of American companies is well known. S&P rates companies, governments and debt instruments all over the world."

He predicts that "The other ratings agencies won't be far behind in making similar announcements if S&P succeeds in selling its concept of ERM evaluations to its customers."

Forbes contends that "Extrapolating an ERM evaluation to a logical, eventual conclusion, if a company didn't have a business continuity management (BCM) program, its credit rating could be lowered. The consequence? Borrowing money would cost more, and for the large companies that S&P reviews, that could be a material consequence."

The article includes a sample calculation that is worth sharing. It goes like this:

"Suppose" Forbes suggests, "one of those companies rated by S&P wanted to issue a bond for US$200 million to build a new plant in.. Suppose that, due in part to its assessment of the company's risk management, S&P lowered the company's credit rating from, say, A- (upper medium grade) to BBB+ (lower medium grade). As a result, the company is forced to pay a 4.1 percent coupon instead of 3.9 percent to make the bond attractive to investors or underwriters. Based on US$200 million, two-tenths of 1 percent (the difference between 4.1 percent and 3.9 percent) is US$400,000.

"What could you do for US$400,000? Could you develop a company BCM program for US$400,000? Could you hire an experienced, certified BCP professional to run it for US$400,000? Set up a recovery site? Could you make a company genuinely more resilient--and therefore more credit-worthy--for US$400,000? As we say in Minnesota, "You bet'cha!" The benefit side of the BCP cost-benefit equation would be much easier to quantify."

Something to think about when the CFO asks "what's the ROI?"

It provides a better answer than asking in response "What's the ROI on liability or property insurance?"

For most organizations, even NGOs, non-profits, and charities, The Bottom Line IS the bottom line.

Anything an ERM practitioner can do to enhance the bottom line - not just protect it but enhance it - makes the effort to "sell" ERM a little easier.

The entire article, with included links, is well worth reading.

John Glenn, MBCI, SRP
Enterprise Risk Management/Business Continuity
Planner @

Thursday, July 31, 2008

ERM-BC-COOP: Two eGuide articles

BC, DR, and COOP

Just read an article linked from the Continuity eGuide by Tod Newcombe titled "Should BC and DR Be Replaced by COOP?".

Good article. It even includes a quote from Dr. Jim Kennedy, principal consultant for business continuity and disaster recovery at Alcatel-Lucent and a long-time professional acquaintance.

But . . .

But the article, which initially appeared in Government Technology ( focuses almost exclusively on Info Tech. (Given the publication's audience, that almost rates a "duh!")

It addresses issues Chief Information Officers (CIOs) face.

It also suggests that business continuity is a sub-set of Continuity Of Operations (COOP), as disaster recovery is part of business continuity.

According to the article, "Kennedy recommends CIOs become champions for BC planning and find a champion on the business side to help when it comes time to implement and test the plans. But that's not all: CIOs also must ensure their plans have the support of senior-level managers. The National Association of State Chief Information Officers (NASCIO) insists today's government CIO needs to go one step further and ensure public-private partnerships -- especially with the industry sectors that deliver power and telecommunications -- are on board ahead of any crisis."

I have two problems with the article.

First, business continuity, by definition, means keeping the business going - meeting Service Level Agreements (SLAs) or mandates. In order to do that, Enterprise Risk Management (a/k/a Business Continuity and COOP) practitioners need to protect the business processes and all the resources used by those processes.

Second, ERM should not be a function of the CIO.

ERM needs to be a function of a Chief Risk Officer or, failing independence, then a function of a Chief (Something) Officer who has fiduciary responsibility or the Chief Law/Legal Officer - someone who is independent of the individual functional units.

To my Winnie-the-Pooh mind, the only viable plan is an enterprise plan.

Even the US Federal government seems to agree with that: COOP used to be disaster recovery - save Info Tech and all is good; now it's protect the people and the organization (including Info Tech). The fact that the Government Accountability Office, GAO, annually criticizes Federal agencies for the quality of COOP plans is another matter. Still, at least there is "COOP awareness" and that's progress.

One thing the article did point out was "don't forget the details. One company had a detailed BC plan, but when a disaster struck, it failed to consider how it was going to feed workers who had to stay on the job for several days. Now it stocks the same ready-to-eat meals used by the military. Another mistake organizations make is not having an alternative work site, a problem that plagued firms devastated by the 9/11 terrorist attacks. What good is backed-up data if your workers have nowhere to work?"

Which, since it hints at the myriad of interdependencies in most organizations, is one more reason to move Enterprise Risk Management - by any name - out of the data center and into the executive suite.

Insurance options

The second article that caught my eye was titled An Insurance Primer for Business Continuity Professionals by Kimberly R. Matlon, JD.

Ms. Matlon, a partner in R&A Crisis Management Services, writes at about a number of different insurance types.

She tells us that "Creating a resilient organization is a combination of purchasing and maintaining appropriate business insurance products, and developing and maintaining a comprehensive business continuity plan." She adds that "There are a wide variety of commercial insurance products out there to protect your business. The most common of these are property, liability and insurance products that provide coverage for your workforce."

Well and good, but what about business interruption insurance?

What about checking vendor insurance coverages? Governments and other "800-pound gorilla" clients do it all the time.

Ms. Matlon missed some critical coverage in her brief article, but she did at least point out the need for insurance.

Enterprise Risk Management practitioners need to locate knowledgeable insurance representatives - preferably from different vendors - not only to find out what coverages are available and appropriate, but what each coverage demands of the insured - for example, business interruption insurance requires extensive record keeping (which also means keeping a copy of the records off site) in order to collect.

John Glenn, MBCI, SRP
Enterprise Risk Management/Business Continuity
Planner @