Wednesday, April 30, 2008

True BC = ERM

Continuity e-Guide #232 (http://disaster-resource.com/newsletter/continuityv232.htm) has an article by John C. Phelps that tells me I am not alone in thinking that what I do is "Enterprise Risk Management" (ERM) and not "just" Business Continuity (BC).

The article, "Business Continuity Planning and Enterprise Risk Management," is on the WWW at http://disaster-resource.com/newsletter/subpages/v232/meettheexperts.htm .

Mr. Phelps, who is Director, Business Risk Solutions for Blue Cross and Blue Shield of Florida, notes that "ERM helps provide an understanding of the relationship of risks, which cannot be obtained from a traditional risk management or business continuity perspective. ERM and its associated methodology and tools provide an opportunity for business continuity professionals to burst out of their silo to observe how business interruption risk relates to the other enterprise level risks. This approach also elevates BCM to a higher strategy with Boardroom and c-suite attention. Companies that can achieve this level of maturity with their business continuity program will make better decisions about the allocation of limited capital."

The article is well worth a read, especially by "business continuity" planners who realize, and want to impress upon management, that business continuity is more than just the usual risks, but should properly include all risks under one umbrella.

John Glenn, MBCI, SRP
Enterprise Risk Management/Business Continuity
http://JohnGlennMBCI.com
Planner @ JohnGlennMBCI.com

Tuesday, April 29, 2008

Pay me now or pay me later

As I cobble this together I am looking at an Adobe Flash Player advert on the WWW that tells me "Our formula is simple . . . Plan. Practice. Prevail." The advert continues that the company "delivers the expertise and the resources to help you" do those three things to "prevail over disasters."

Good advertisement.

The scrolling words caught my eye and I actually paid attention to the flying letters.

I didn't click on the invitation to "learn more" because I know about the organization (its product has an excellent reputation) and because the advertisement tells me the company is in the disaster recovery - not business continuity - business.

I know the company's spokesfolk would argue the point, and that's ok.

But the advertisement is the damning evidence.

Like BS 25999-*.

No, it's not something I read in the advert.

It is something I find glaringly absent in the advert.

M-I-T-I-G-A-T-I-O-N

Actually, the advertisement also fails to mention risk identification; lacking risk identification, how would anyone know what to mitigate? BS 25999-* at least suggests we look for risks. (To be fair, I only have the 25999-* drafts to go on; I have yet to see the Final Deliverables.)

The primary difference between "disaster recovery" and "business continuity" is approach.

Disaster recovery is REactive.

Business continuity is (supposed to be) PROactive.

  • Disaster recovery is an iron lung.
  • Business continuity is a polio vaccination (or sugar cube).
  • Disaster recovery is a head in traction (if the person is lucky).
  • Business continuity is a tested helmet.

I could carry the comparisons on for a great many lines, but I hope by now you understand this scrivener's concept of the two terms.

The problem with a lot of organizations claiming to be in the business of business continuity is that they remain in the business of disaster recovery; the only thing that has changed is that "business continuity" is the nom du jour of the product or service. (Some organizations have gone farther, to "resiliency planning," which, I contend, is what business continuity promises: resiliency to recover to business as usual, sometimes better than before an event.)

From a cost perspective, which is better? Think of the old Purolator commercial: "Pay me now or pay me later." Now think about the cost of a new oil filter every 3000 to 7000 miles over the life of a vehicle vs. the cost of replacing an engine, and maybe a transmission, too.

Pay me now or pay me later.

How much for that polio vaccine vs. a stay in an iron lung (cost + lost wages + lost companionship, etc.)?

How much for a top-of-the-line helmet vs. head surgery, days in intensive care, rehab, etc.?

Pay me now or pay me later.

Next time someone asks how the cost of risk avoidance or mitigation can be justified, remind them of the Purolator commercial.

John Glenn, MBCI, SRP
Enterprise Risk Management/Business Continuity
http://JohnGlennMBCI.com
Planner @ JohnGlennMBCI.com

Sunday, April 27, 2008

Mitigating the energy problem

Some time ago I wrote, based on someone else's predictions, that ethanol could become as much of a problem as the oil "shortage."

Trouble is, I can't find where I published my concerns, so I can't now point to something and write "I told you so."

Unfortunately, it doesn't change the issue: corn is being diverted from food on the shelves to fuel for vehicles. Corn diversion is not the only reason fuel prices are higher than ever in the U.S. (They still are substantially lower than in, say, most European countries.)

The bottom line when it comes to fuel is simple: We (being our government) let ourselves down by failing to develop alternative energy sources when the writing was first on the wall.

I'm a great believer in nuclear power. Having grown up in South Florida where, back when I was a kid, solar water heaters were commonplace, I know the value of solar power.

During World War II, the Brits powered some vehicles with methane. New idea? Hardly. Perhaps a new application, but "buffalo bricks" fueled many a fire as Americans moved west toward the Pacific.

The bottom line is simple: We have - today - alternatives to oil.

Perhaps we cannot become, in the short term, "oil independent," but we could become "less" dependent on oil in relative short order.

In the past we have had government "initiatives" to encourage fuel efficiency, but all the initiatives were short-lived. A year or two and the carrot disappeared and the stick never was seen - until now. The "stick," unlike the "carrot," is not solely a government option.

There was a Diesel car purchase promotion that lasted a year, perhaps two, and then - no more. There was, briefly, a government incentive for people to install solar water heaters. Operative word: "briefly."

We need to mitigate our dependence on oil, domestic and foreign. America's current fuel "crisis" has been developing for decades. The dependence on fossil fuel can be immediately mitigated with current, even "old," technology. Solar water heaters are NOT "rocket science." Making them affordable and changing the way we think about taxes and taxation will take effort.

There will be, in my myopic view, a need for some amount of fossil fuel for generations to come. (Alaskans need not worry about paying state taxes for decades.)

The program must combine both the carrot and the stick.

Forcing conservation, such as the effort to replace tungsten bulbs with fluorescents, only generates resentment. A carrot and stick program that (a) can show almost immediate results (e.g., purchase assistance) and (b) can be sustained over different political philosophies in state and federal capitals is, at least in this scrivener's opinion, what is needed.

Mitigating a risk is, after all, what Enterprise Risk Management/Business Continuity (COOP) is all about.

John Glenn, MBCI, SRP
Enterprise Risk Management/Business Continuity
http://JohnGlennMBCI.com
Planner @ JohnGlennMBCI.com

Wednesday, April 23, 2008

Tires, toys, and drugs

Once again China is being blamed for causing injury or death of Americans (and, in the latest case, others as well).

This time the culprit is "a contaminated blood thinner from China has been found in drug supplies in 11 countries, and federal officials said Monday [21 Apr 2008] they had discovered a clear link between the contaminant and severe reactions now associated with 81 deaths in the USA." Source: ProMED (http://www.promedmail.org/), based on a New York Times' report (http://www.nytimes.com/2008/04/22/health/policy/22fda.html?ei=5070&en=325163ee977445d3&ex=1209528000&emc=eta1&pagewanted=all).

This blog entry is not so much against the apparent inadequacy of the Chinese government's inspection system as it is the equal inadequacy of U.S., and other, manufacturers to carefully inspect their vendors' products.

In the "olde days," when I was a young reporter in Titusville FL, I bought a Pentax H3v 35mm camera. Except it wasn't "exactly" a Pentax from Japan. It was a Honeywell Pentax. Honeywell was the U.S. distributor for the then well established product.

Why "Honeywell Pentax?" Because Honeywell quality assurance (QA) people inspected the incoming product. How thoroughly? I don't know. I suspect a random inspection based on the vendor's history. As an aside, I never had a problem with the H3v and gave it to a friend who gave it to a son-in-law (who probably gave it to my friend's grandchild). For all I know, the all-mechanical, no-features camera still is being used someplace in Florida.

Later I worked for a company that made valves, primarily for warships, everything from submersibles to nuclear-powered carriers. Leslie Controls had a number of vendors making all manner of parts, including O-rings. (You remember O-rings from the space shuttle disaster. That was not a Leslie O-ring.)

Leslie QA inspectors performed random sample testing on each O-ring shipment, as well as on all other vendors' products. How random depended on the vendor's history with Leslie. A new vendor might be subjected to a 50% inspection, 100% if the part was particularly critical. Granted it was non-destructive testing on all but perhaps a minimal quantity.

Bottom line: Honeywell sampled incoming product before putting its name on the product; Leslie likewise inspected all the components that went into its valve - and then inspected the valve as a unit. Leslie's customer then did its own random sample of the product - including the documentation, which is where I came into the picture.

If we lack the ability to control foreign manufacture, we must - there is no option - develop the capability to at least randomly sample incoming product and we must implement and enforce inspections of all products, including the innocuous such as toys and baby bottles, to pick two products at random.

Sampling won't solve all the problems, but it can greatly reduce our risk.

Sampling the end product is the end manufacturer's responsibility; it must begin by inspecting the component parts, regardless of their point of origin - China or Chinatown, Warsaw Poland or Warsaw Indiana.
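The random-sample inspection described above can be quantified: for a lot of a given size with some number of bad units, how likely is a sample of a given size to catch at least one? The following is an added example, not Leslie's or Honeywell's actual procedure; the tiered sampling policy (100% for critical parts, 50% for a vendor with no history, relaxing with clean history down to a floor) is a constructed assumption modelled on the post, and the lot and defect counts are constructed inputs.

```python
"""Incoming-inspection sampling: how much risk does a random sample remove?

Constructed example. The policy numbers below are assumptions chosen to mirror
the post (critical part -> 100%, new vendor -> 50%); everything else is plain
hypergeometric arithmetic (sampling without replacement).
"""
from dataclasses import dataclass
from math import ceil, comb

MIN_FRACTION = 0.10  # assumed floor: never trust a vendor so far as to inspect nothing


def sample_fraction(accepted_lots: int, critical: bool) -> float:
    """Fraction of an incoming lot to inspect (constructed policy)."""
    if critical:
        return 1.0                      # critical part: inspect every unit
    if accepted_lots <= 0:
        return 0.5                      # no history with this vendor yet
    # Halve the fraction for every five clean lots, but never below the floor.
    fraction = 0.5 / (2 ** (accepted_lots // 5))
    return max(fraction, MIN_FRACTION)


def detection_probability(lot_size: int, defective: int, sample: int) -> float:
    """P(at least one defective unit appears in a random sample of `sample` units).

    Exact hypergeometric result: P(miss) = C(N-D, n) / C(N, n).
    """
    if not 0 <= defective <= lot_size or not 0 <= sample <= lot_size:
        raise ValueError("counts must satisfy 0 <= defective, sample <= lot_size")
    if defective == 0 or sample == 0:
        return 0.0                      # nothing to catch, or nothing inspected
    if sample > lot_size - defective:
        return 1.0                      # more units drawn than there are clean ones
    miss = comb(lot_size - defective, sample) / comb(lot_size, sample)
    return 1.0 - miss


def min_sample_for_confidence(lot_size: int, defective: int, confidence: float) -> int:
    """Smallest sample size whose detection probability reaches `confidence`."""
    for n in range(lot_size + 1):
        if detection_probability(lot_size, defective, n) >= confidence:
            return n
    return lot_size


@dataclass(frozen=True)
class InspectionPlan:
    fraction: float        # policy-driven share of the lot to inspect
    sample_units: int      # units actually pulled for inspection
    detection: float       # chance of catching >= 1 bad unit, given the assumed defect count


def plan_inspection(lot_size: int, suspected_defective: int,
                    accepted_lots: int, critical: bool) -> InspectionPlan:
    """Turn vendor history + criticality into a sample size and the risk it leaves."""
    fraction = sample_fraction(accepted_lots, critical)
    sample = min(lot_size, ceil(fraction * lot_size))
    return InspectionPlan(fraction, sample, detection_probability(lot_size, suspected_defective, sample))


if __name__ == "__main__":
    # Constructed lot: 1000 O-rings, of which 10 are assumed bad.
    for history, crit in [(0, False), (10, False), (10, True)]:
        p = plan_inspection(1000, 10, history, crit)
        print(f"history={history:2d} critical={crit!s:5} -> inspect {p.sample_units:4d} "
              f"units, catch-at-least-one probability {p.detection:.3f}")
    print("sample needed for 95% confidence:", min_sample_for_confidence(1000, 10, 0.95))
```

Note that even a 10% sample of a 1000-unit lot with 10 bad units misses all of them about a third of the time, which is the arithmetic behind "sampling won't solve all the problems, but it can greatly reduce our risk."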

John Glenn, MBCI, SRP
Enterprise Risk Management/Business Continuity
http://JohnGlennMBCI.com
Planner @ JohnGlennMBCI.com

Tuesday, April 22, 2008

Practitioner's hats

Somewhere in my history I have a caricature of this scrivener hanging on to a sagging coat rack, a coat rack weighed down by my many job hats.

That was before enterprise risk management/business continuity/COOP (ERM/BC/COOP), too.

Except perhaps - and it is "if-fy" - for the steel pot (military helmet), all the hats in the drawing still are donned from time to time today.

For example, one of the chapeaus is a fedora with a PRESS card tucked into the ribbon encircling the hat.

What does "journalism" have to do with ERM/BC/COOP? Plenty.

A major portion of a practitioner's effort is gathering information from sundry sources.

The C*O, the VP of Whatever, many managers, the Rank-n-File, and even the mail room's summer intern.

Interview skills are critical. It's not just coming up with response-provoking questions, it's phrasing the queries so that the listener will comprehend or, if not, will ask for clarification.

Sometimes it means being able to "schmooze" with people so they feel comfortable playing "20 Questions" with the practitioner and, hopefully, even volunteering information.

A good reporter knows how to phrase questions; more importantly, a good reporter knows how to listen to the answers and make certain what was heard was what was intended.

A little PR background also is helpful.

There's a good amount of "flag waving" involved in developing a plan. First the practitioner needs to get Top Management on board. If the Sponsor happens to be an enthusiastic supporter of the process, the practitioner is halfway home. If the Sponsor is anything less than enthusiastic, maybe the practitioner should start looking for a home somewhere else.

Once Top Management has signed on, the rest of the organization must come on board. (The best a practitioner can hope is about 95%; there always will be a curmudgeon in the crowd.)

A tech pubs background also is handy when it comes time to create The Deliverables.

Our practitioner is not just creating The Deliverables, he or she is creating deliverables for different audiences.

If the practitioner is particularly adept, in addition to deliverables targeted for different internal audiences - executives, managers, and the Rank-n-File - the documents will be designed for both internal (everything is available) and external ("sanitized") distribution.

All documents will be thoroughly indexed for rapid reference and sections will be designed for "pull-out, stand-alone" use; the folks in Finance, after all, probably don't care what the troops in InfoTech have to do to recover a system, so why burden them with those processes?

There are other hats a practitioner needs to have handy. Training, for one.

ERM/BC/COOP practitioners must be versatile. Developing a successful plan - and that deserves defining - is more than just sitting at a desk playing a solitary game of "What If?"

Plans cannot, should not, must not, be created in a vacuum.

John Glenn, MBCI, SRP
Enterprise Risk Management/Business Continuity
http://JohnGlennMBCI.com
Planner @ JohnGlennMBCI.com

Friday, April 18, 2008

Some thoughts about certification

Certification, like professional licensing, is supposed to attest to a practitioner's level of expertise.

But, as there are "universities" and "universities," there are, in the risk management (a/k/a business continuity and COOP) discipline, "certifying organizations" and "certifying organizations."

For risk management (as I define it, anyway) there are several "name" certifying organizations. These are, alphabetically:

Truth in blogging: I am certified by the BCI (MBCI) and Richmond (SRP).

There are others, but the above are the "Big Three" and have been around the longest.

Each has a vetting process in an attempt to assure the people awarded the certifications have at least a basic understanding of the business to the level at which they are certified; that is, an "A" certificate - typically an "Associate" - goes to a tyro in the field who can at least spell "BC"; an intermediate certificate - MBCI, CBCP, CRP as examples - goes to practitioners with at least a couple of years' experience; while higher-level certificates such as FBCI, MBCP, and MRP are awarded to practitioners who have been around the block a bit longer and, frankly, who are willing to pay a premium for the honor.

Most certifications are awarded following successful completion of a multiple question test. Mid- and upper-level certifications require some indication of experience.

Does that mean the person knows what they are doing?

Not necessarily. Some people simply are good at short-term knowledge retention and test taking; we all know people in that category. Certifications for these people only indicate that they know how to read (to their credit) and pass tests.

I know some certified planners who I would not trust to plan a safe way to cross a deserted road. I also know some planners who, albeit lacking certification, are excellent planners.

Still, a certification from a legitimate organization (such as, but not necessarily limited to, the "Big Three" - caveat emptor) provides some level of confidence to the person engaging the planner.

Who needs it?

Consultants, mostly.

An InfoTech associate called certification "eye candy," and it may be that - especially if the consultant depends solely on the paper rather than curiosity and common sense - but in the consulting world, people are expecting paper. At one time, a high school diploma could get a person through the door, then the entry was via the bachelor's degree; now, anything less than a master's makes getting some jobs a challenge. (Security clearance is another "prestige" issue: "confidential" won't open any doors; "secret" barely gets someone inside; "top secret," or "TS," is the current base requirement.)

Unfortunately, my discipline (profession, trade: check one) lacks an apprenticeship or mentoring program, so the degree (certification) must be suspect until it can be supported by real-world experience.

If that sounds like a "Catch 22," it is, but one which a planner's employer can overcome with minimal cost and less effort.

More on that next.

Considerations before engaging a risk management practitioner.

  • Besides reviewing a practitioner's resume and making an independent reference check - would anyone offer bad references? - make an effort to test the practitioner's interviewing skills.
  • Does the practitioner ask open questions or questions designed to elicit a specific, desired answer?
  • Does the practitioner listen to the responder? Does the practitioner follow a tangent suggested by a responder, and then return to the main line of questions when the thread's end is reached?

John Glenn, MBCI, SRP
Enterprise Risk Management/Business Continuity
http://JohnGlennMBCI.com
Planner @ JohnGlennMBCI.com

Thursday, April 17, 2008

Expectations vs. reality

As an ERM practitioner, am I expected to be an SME of everything?

Am I expected to be an HR guru?

Perhaps a CPA to develop a plan for Finance, AP and AR?

Do I need to be a member of the IFMA to create a plan to protect the facility?

So why do people, especially InfoTech folks, think an Enterprise Risk Management (a/k/a Business Continuity and COOP) practitioner should be an InfoTech maven?

Certainly it helps if I know something about what goes on behind the data center doors. But unless this data center is identical - down to the last patch and "tweak" - to the last data center, all my InfoTech expertise has to be discounted - not ignored, discounted.

As an enterprise planner, I depend upon Subject Matter Experts (SMEs) in each functional unit. I also depend upon a personal network of SMEs from various disciplines.

I wear enough hats as it is.

  • Diplomat
  • Interlocutor
  • Manager and mentor
  • Planner
  • Presenter
  • Researcher
  • Trainer
  • Writer and editor

Consider if the practitioner needed to be expert in each discipline covered by a plan. How could any normal person manage to keep up with all the procedural and technological advances; who can stay au courant with all the rules and regulations governing different functions? Extend that to an international audience with an even greater number of controlling authorities.

Organizations looking for a planner are well advised to look for a planner who is a Subject Matter Expert in planning, not InfoTech or HR or Finance or pick a discipline. Look for a person who lacks the baggage of prejudice ("I think 'A' is better than 'B' because I'm accustomed to 'A'.")

Find a planner with an open mind; one who knows how to ask questions and, equally important, knows how to listen to the answers (and seek clarification whenever necessary).

Next: About certification.

John Glenn, MBCI, SRP
Enterprise Risk Management/Business Continuity
http://JohnGlennMBCI.com
Planner @ JohnGlennMBCI.com

Tuesday, April 15, 2008

Of pope, corn, and light rail

Who would think a papal visit or corn crops as business risks?

Yet both are very real risks.

The pontiff's visit to the U.S., as do most head-of-state visits, disrupts life across the board.

Traffic which cannot (or will not) be rerouted will snarl as the "pope-mobile" travels from Andrews Air Force Base to the Vatican's embassy suites. (Why couldn't he, like the U.S. president, simply fly there by 'copter? Even blocking one street for 30 minutes to allow the visitor to land and travel to the compound seems a lot less disruption than the promised "rolling" blockages.)

Many Federal employees in D.C. proper and in surrounding communities will be either furloughed for the day or "allowed" to work from their residences. My work is in Reston near the (Dulles) airport tollway and while I am able to work via VPN, no one is suggesting that I stay home.

How many businesses will be financially hurt by the Vatican visitor's stay? How many businesses plan for such events? (Dust off the snow plan; the impact should be similar: people not coming to work, customers unable to shop, deliveries delayed.) What about ambulance and other emergency vehicles that might encounter a "rolling blockage" on the visitor's unannounced route?

I wonder if the pope-mobile, a Benz, can run on a 10% ethanol mix. Which brings us to the second problem.

Some months ago I suggested that our growing dependence on corn squeezin's for the flivver's fuel tank would have a negative ripple effect on the economy.

If farmers are paid more to grow corn than other plants, corn (and other products which can be turned into ethanol) would be the product of choice. That's reasonable: if a farmer can make $1 from Crop A and $2 from Crop B, simple economics tells us the farmer will plant Crop B.

For the moment, thanks to the oil "shortage" and the continuing dependence on the fuel, ethanol source material (corn, sugar beets, etc.) is in greater demand than supply - and the old rule of "supply and demand" is in effect with a vengeance. Eventually it will lessen, but in the meantime, gas prices soar and with them, prices for everything that is touched by a gas-powered anything - farm implements, trucks, refrigeration units at the store - and home.

On the flip side, we have in the U.S. Senate at least one gentleman who - although his state is not known for its oil reserves - insists on withholding subsidies for public transportation. (The local light rail system is seeking funds for maintenance; the senator believes that the riders must pay the full cost.)

Normally the "American way" is to agree with the senator - let the user pay his or her own way. And, frankly, normally I would agree.

But the user is subsidized on the road.

The user is subsidized in the air.

The user is subsidized on the rails.

I'm not sure if the user is subsidized at the ports, but given the other subsidies, I suspect that this is the case.

So why not subsidize local mass transit?

Does anyone think the super-trains of Europe and Japan run strictly on user fees? They are subsidized.

Does anyone believe the airlines pay for the guys in the control towers? How about the TSA folks? Your Federal taxes at work.

And this, too, is a risk. If personnel can't afford to come to work, if customers can't afford to shop . . . Customers will go elsewhere (to the Internet, in many cases).

None of the risks cited here are found within the confines of the business, certainly not within the InfoTech department, yet all can, and increasingly do, take their toll on the business' bottom line; as such they are risks which properly need to be considered. Perhaps they can't be avoided, but there may be means to mitigate them.

It's not always the risk within the walls that does the most damage. Smart planners look beyond the walls to protect the organization.

John Glenn, MBCI, SRP
Enterprise Risk Management/Business Continuity
http://JohnGlennMBCI.com
Planner @ JohnGlennMBCI.com

Monday, April 14, 2008

Some thoughts about BSI 25999

There has been a lot of promotion lately by the British Standards Institute (BSI) of its BS 25999-series business continuity standards.

BSI is making every effort to put BS 25999-* on the fast track to International Standards Organization (ISO) status.

BSI seems to be making pretty good headway on the island and the continent, but there appears to be some push-back from the colonies.

How can that be?

Well, the colonies have some pretty good standards and guides of their own, standards and guides which have been around, developing as the business continuity trade moved from "pick up the InfoTech pieces after an event" to "protect the organization through risk avoidance and mitigation."

In the U.S., and with slight variations on the theme in Canada, the de facto standard is the National Fire Protection Association (NFPA) 1600.

Now I confess I had little to do with the BS - I did comment on draft copies, but I have not seen if my suggestions were incorporated. Why? I can't afford the cost of the BS.

It is my understanding that the BS was developed with input primarily from island-based planners. NFPA, on the other hand, developed from input from a variety of sources, including - as the name implies - fire fighters. I am a very strong proponent of involving as many people and as much expertise as possible in every plan. This scrivener, at least, cannot claim to be a Subject Matter Expert in "everything."

I have another problem with "island-based planners." This is a generality (and as I learned in my early teens, "all generalities are lies"): the UK approach to business continuity is somewhat different than the approach by - again a generality - most planners in the U.S. I base my opinion on two British Airways events. The UK response seems to be "there was nothing we could have done" while those of us in the colonies contend that there were many measures that could have been implemented to avoid or mitigate the events. BA has a high-visibility business continuity programme (cq).

The BSI intends for BS 25999 to become an ISO and, by extension, to become by fiat a requirement for organizations wishing to do business on the island, the continent, and any place island and continental organizations have influence.

NFPA 1600, on the other hand, simply is a guide which is voluntarily followed. It is widely implemented because it has proven worth and, perhaps, because it is freely - as in "no charge" - available to "the masses."

People who know me know that "if it's free, it's for me" - and apparently a lot of other planners, too.

John Glenn, MBCI, SRP
Enterprise Risk Management/Business Continuity
http://JohnGlennMBCI.com
Planner @ JohnGlennMBCI.com

Friday, April 11, 2008

Know your audience

"I don't care what you said, I understood you to mean . . . "

"Tell them what you are going to tell them; tell them, then tell them what you told them."

"Why can't the English learn to speak . . . the language?"

Confession: I came to Enterprise Risk Management (ERM) - also known as Business Continuity (BC) and, in "FedSpeak," as Continuation Of OPerations (COOP) - after many years as an honest newspaper reporter/editor, PR "practitioner" ("flack"), and writer of commercial and military technical manuals for things which, if documented in a way open to "interpretation" could cause injury or death to someone.

Because of this background, and because I work with people who have English as a second language, I understand that it is my duty to assure my audience understands what I am writing or saying. It is not the audience's task to try to understand my words.

Obviously, that applies to honest journalism and technical documentation.

It also applies to ERM/BC/COOP deliverables at all stages.

It is a planner's obligation to communicate in terms the planner's audience can comprehend. Period.

A brief lesson I learned from experience. Comprehension has little, if any, relationship to formal education. Try this experiment: Ask a master plumber whose "terminal degree" is a GED to instruct a PhD on how to install a toilet. Have the master plumber use terminology any plumber would understand. My guess is that the PhD will stand there muttering "What did he say?" or, more succinctly, "Huh?"

Granted, a misunderstanding of the Executive Overview probably won't directly endanger lives in the same way an omitted "Turn Off Power Before Touching Wire" might, but it could actually play a role in endangerment. I know it's stretching, but what if an executive reading the Overview feels the plan effort is wasted money and allows the plan to die? Later, an event (risk) occurs which, had the plan been implemented, might have been avoided or mitigated. Because the plan never was completed, someone was hurt - physically or financially.

As with most professions and trades, ERM/BC/COOP is replete with acronyms, buzz words, techno-babble, and other esoteric jargon: RTO, MAD, BIA. The Disaster Recovery Institute International (DRII) has a 16-page glossary posted on its Web site (http://www.drj.com/glossary/drjglossary.html).

I've been in the business for more than a dozen years and some of the abbreviations and terms confuse me - imagine the confusion they will cause non-planners, the people who fund and execute the plans. (Am I alone? Hardly. A Business Continuity list recently had a lengthy thread about one phrase's definition. As I recall, in the end the issue remained unsettled.)

Don't think that just because someone speaks the same language, e.g., English, that it really is the same language. American English is different from British English in more than spelling.

Take the verb "table" as an example. In US English, to table an issue means to put it aside - think "put it under the table." In British English, to table an issue means to discuss it, to "put it on the table."

The bottom line for the planner, indeed anyone addressing an audience of people outside the speaker's or writer's area of expertise, is to speak and write in terms the audience understands. It may mean extra work for the planner to "translate" planner terms to audience terms, and it may take extra time to clarify something, but the effort is required.

Planners, this scrivener included, are well advised to purge buzz words and techno-babble from their vocabulary and to communicate in a mutually understood language.

John Glenn, MBCI, SRP
Enterprise Risk Management/Business Continuity
http://JohnGlennMBCI.com
Planner @ JohnGlennMBCI.com

Wednesday, April 9, 2008

Case for Enterprise Risk Management (Enterprise Business Continuity)

Over the several years I have been creating risk management/business continuity plans, I have developed enterprise plans, key business unit plans, and IT-specific plans.

All plans have their place.

But . . .

The only plan that has a chance to succeed when things go bump in the night is an enterprise plan.

In an ideal world, each functional unit will have its own mini-plan. Each mini-plan is complete and has all the components found in the enterprise plan; the difference is that a mini-plan must be escalated if a risk cannot be contained to the specific functional unit covered by the plan.

Best example: If a server fails and InfoTech can get it operational before any service level agreements (SLAs) are violated, then only the InfoTech mini-plan is invoked. If that same server fails and one or more business unit SLAs are missed, the issue is escalated to the next higher level (e.g., facility, campus, enterprise).

Enterprise plans offer several advantages over mini-plans.

First, they identify unit interdependencies.

When thinking of interdependencies think of a spider's web - or the World Wide Web. Points connecting to points connecting to points; rarely is there a point with only one input and no output. Sometimes the dependencies are obvious, e.g., the normal business requirement for InfoTech services, sometimes less obvious, e.g., Shipping and Receiving.

In a "best case" situation, a focused plan will connect from the covered unit only to the functional units which feed it or which are fed by the covered unit. Nothing goes beyond the initial contact.

In techno-babble, that's known as a "got'cha."
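The "got'cha" above, and the escalation rule from the server example earlier in the post, can be made concrete with a small dependency model. The following is an added example written for this page, not the author's code or any planning tool's; the functional units, their dependencies and the SLA tolerances are constructed sample data. It contrasts what a focused (single-unit) plan sees, the units it feeds directly, with what an enterprise plan sees, every unit reachable through the web of dependencies, and then applies the post's rule: if no downstream SLA is missed, the failed unit's mini-plan suffices; otherwise the issue escalates.

```python
from collections import deque

# Constructed sample data (an assumption for this example, not from the post):
# each functional unit and the units whose output it depends on.
DEPENDS_ON = {
    "InfoTech": [],
    "Shipping and Receiving": ["InfoTech"],
    "Order Entry": ["InfoTech", "Shipping and Receiving"],
    "Accounting": ["Order Entry"],
    "Customer Service": ["Order Entry"],
}

# Constructed SLA tolerances: minutes a unit can run without its inputs
# before its own service level agreement is missed.
SLA_TOLERANCE_MINUTES = {
    "InfoTech": 30,
    "Shipping and Receiving": 120,
    "Order Entry": 60,
    "Accounting": 480,
    "Customer Service": 45,
}


def fed_by(deps):
    """Invert the dependency map: unit -> units that consume its output."""
    rev = {u: [] for u in deps}
    for unit, inputs in deps.items():
        for src in inputs:
            rev.setdefault(src, []).append(unit)
    return rev


def direct_dependents(failed, deps):
    """What a focused plan sees: only the units the failed unit feeds directly."""
    return sorted(fed_by(deps).get(failed, []))


def all_dependents(failed, deps):
    """What an enterprise plan sees: every unit reachable through the
    dependency web (breadth-first walk over the inverted map)."""
    rev = fed_by(deps)
    seen, queue = set(), deque([failed])
    while queue:
        unit = queue.popleft()
        for downstream in rev.get(unit, []):
            if downstream not in seen:
                seen.add(downstream)
                queue.append(downstream)
    return sorted(seen)


def escalation(failed, outage_minutes, deps, sla):
    """Apply the post's rule: if no downstream unit misses its SLA, only the
    failed unit's mini-plan is invoked; otherwise escalate to the enterprise
    plan and report which SLAs are missed."""
    missed = [u for u in all_dependents(failed, deps) if outage_minutes > sla[u]]
    if not missed:
        return {"plan": f"{failed} mini-plan", "missed_slas": []}
    return {"plan": "enterprise plan", "missed_slas": missed}


if __name__ == "__main__":
    failed = "InfoTech"
    print("Focused plan contacts:   ", direct_dependents(failed, DEPENDS_ON))
    print("Enterprise plan contacts:", all_dependents(failed, DEPENDS_ON))
    for minutes in (20, 50):
        print(f"{minutes}-minute outage ->", escalation(failed, minutes, DEPENDS_ON, SLA_TOLERANCE_MINUTES))
```

With the constructed data, a 20-minute InfoTech outage stays within every downstream tolerance and the InfoTech mini-plan suffices; a 50-minute outage misses Customer Service's SLA, and Customer Service does not appear on InfoTech's direct-contact list at all, which is exactly the gap a plan limited to first-degree contacts leaves open.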

Second, they provide "benefits of scale."

When business SLAs are missed, sometimes even just in danger, people both inside and outside the organization need to know. That means someone with decent communication skills needs to employ those skills, especially when dealing with The Media Octopus with tentacles labeled "Newspaper," "Electronic," "Financial," "Government," "Regulators," "Customers," "Vendors," and others.

Does equipment need to be replaced or supplemental staffing need to be brought in? Look to vendor management, accounting, shipping/receiving, HR, . . .

To paraphrase John Donne [1], no functional unit is an island. All have relationships to others within the organization and many have connection to external organizations - clients, vendors, regulators, lenders, etc.

Enterprise risk management (ERM) is, I think, a better name for what is needed than "business continuity," although that name is certainly valid. "Risk management" seems to present a mental picture of an all-encompassing, holistic effort, whereas "business continuity" apparently seems to some to be limited in scope.

Properly done, ERM and business continuity examine all potential risks to an organization and extend outward not only to vendors but to vendors' vendors; to the financial sector; to main clients' well-being. Even things such as "what if the flight is delayed" are fair game for the planner. While making a flight may seem "out of scope" for an ERM plan, the "action to take in the event of" certainly is within the scope and should be covered by both policy and procedure.

Unlike functional unit plans, everything is "within scope" for an enterprise plan.

==================================

[1] "All mankind is of one author, and is one volume; when one man dies, one chapter is not torn out of the book, but translated into a better language; and every chapter must be so translated... As therefore the bell that rings to a sermon, calls not upon the preacher only, but upon the congregation to come: so this bell calls us all: but how much more me, who am brought so near the door by this sickness... No man is an island, entire of itself... any man's death diminishes me, because I am involved in mankind; and therefore never send to know for whom the bell tolls; it tolls for thee." John Donne, 1572-1631

John Glenn, MBCI, SRP
Enterprise Risk Management/Business Continuity
http://JohnGlennMBCI.com
Planner @ JohnGlennMBCI.com

Tuesday, April 8, 2008

Who am I?

I'm having an identity crisis.

My business card states that I am a "Certified Business Continuity Planner."

Unfortunately, many people have no clue as to what a "certified business continuity planner" does.

Even within the industry opinions vary widely.

So, I looked closely at what I do and decided a better, more descriptive title would be "Enterprise Risk Management" what - maybe "practitioner"?

In truth, what I do is enterprise risk management - in the most simple terms, find a risk, avoid or mitigate the risk, teach people how to respond if the risk insists on occurring.

But looking at "risk manager" jobs on the Web shows me that "risk managers" often are associated with hospitals (I used to be a military medic, but I'm not an RN, a typical med center requirement) or insurance coverage (which falls within the scope of what I do, but in a different form).

While "enterprise risk management" indeed describes what I do, I wonder if, given the other associations, people understand "my" version of "enterprise risk management."

Then there is the certification question. I am certified as a business continuity planner - it says so right on my certificate. (I'm also certified as a "senior recovery planner," but that label harks back to InfoTech disaster recovery; while disaster recovery is part of what I do, I am not an InfoTech person.)

Can I, given my certificate, claim to be a "certified" enterprise risk management practitioner? Is there such a certification?

Perhaps I need to find an even more basic job title/descriptor.

It came to me yesterday watching an Untouchables rerun of a rerun of a . . .

I'm in the protection racket - sorry, "business."

In the simplest, yet broadest, terms, "enterprise risk management," by any nom du jour, comes down to helping an organization - commercial, industrial, non-profit, government, even a family - protect itself from the risks it faces.

'Course as soon as I start billing myself as being in the protection business, someone will think I'm talking about guarding their property - which my work helps accomplish - either by putting up signs "This facility protected by John Glenn" or by marching back and forth in front of the place like the palace guard, neither of which is the image I think I want to project.

As I wrote at the beginning of this exercise, I'm having an identity crisis - who am I, really?

A business continuity planner (yes), an enterprise risk management practitioner (yes), or a guy in the protection business (yes).

Oh yes, I've also been called a "business analyst" and a "process re-engineer" as well as a few other things that can't appear on a "G" rated blog.

My 21-year-old daughter reminds me I also am her "daddy." The best title of all.

John Glenn, MBCI, SRP
Enterprise Risk Management/Business Continuity
http://JohnGlennMBCI.com
Planner @ JohnGlennMBCI.com