Thursday, May 29, 2008

ERM-BC-COOP: There IS a difference . . .

[This article also appeared in Disaster-Resource.com's Continuity e-Guide at http://www.disaster-resource.com/newsletter/subpages/v237/meettheexperts.htm]


There IS a difference between "Business Continuity" and "Disaster Recovery," and it is substantial.

Disaster Recovery, a/k/a "DR" or "D/R" is the reactive part of a Business Continuity, a/k/a "BC" or "B/C," plan.

The distinctions have, over the years and because of various reasons, been blurred.

Originally, D/R amounted to restoring InfoTech.

Rebuild the infrastructure (servers, networks) and restore data.

Then, enlightened InfoTech managers decided it would be good to ask InfoTech's customers which of their products the customers needed most so restoration could be prioritized.

The beginning of the Business Impact Analysis, the "BIA."

Problem was, the BIA was a tool of the reactive restoration effort.

The BIA also ignored any risk analysis and associated avoidance or mitigation measures.

InfoTech now had a prioritized recovery list, but little else.

Yet "business continuity" was a part of InfoTech all along even if it wasn't recognized as such.

A little thing hardware manufacturers include in product specs:

  • MTBF: Mean Time Between Failures
  • MTTR: Mean Time To Repair

The biggest problem with InfoTech D/R, however, is that it was InfoTech "centric."

InfoTech went out to the business units for the BIA, and then went back behind the data center door.

No one considered risks to the business units; InfoTech was, after all, the glamour child.

But it wasn't, in most cases, the profit center.

Once someone realized that, without a profit center generating a profit for the organization, there was little raison d'être for InfoTech, the focus began to shift from the data center to InfoTech's customers - the profit center and its other resources.

At the same time, someone took heed of the Purolator "Pay me now or pay me later" commercial and decided a little risk avoidance or mitigation might prove financially beneficial.

Trouble is, to fully benefit from the avoidance/mitigation mind set, someone had to identify - and quantify - risks.

Enter risk management.

Find the risks.

Identify ways to avoid or mitigate each risk.

Rate the risk according to probability and by impact on the organization.
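The three steps above (find the risks, identify avoidance or mitigation options for each, rate each by probability and impact) are the skeleton of a risk register. The following is an added worked example, not code from the article or from its author: it scores each risk as probability times impact on an assumed 1-5 scale (the article names the two dimensions but no scale), records avoid/mitigate options with their expected residual scores, picks the option with the most score reduction per unit of cost, and ranks the register so an untreated risk is visibly flagged rather than silently dropped. The risk names, ratings and costs are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Rating scales are an assumption of this example (1 = lowest, 5 = highest);
# the article names the two dimensions, probability and impact, but no scale.
SCALE_MIN, SCALE_MAX = 1, 5


@dataclass
class Treatment:
    """A candidate avoidance or mitigation measure and its expected effect."""
    description: str
    kind: str                  # "avoid" or "mitigate"
    probability_after: int     # likelihood once the measure is in place
    impact_after: int          # impact on the organization once in place
    annual_cost: float         # constructed figure used to rank options


@dataclass
class Risk:
    """One entry in the register: a risk to the reason a process exists."""
    name: str
    owner: str                 # business unit that owns the process at risk
    probability: int           # inherent likelihood, before any treatment
    impact: int                # inherent impact, before any treatment
    treatments: List[Treatment] = field(default_factory=list)

    def inherent_score(self) -> int:
        return self.probability * self.impact


def validate(risk: Risk) -> None:
    """Reject ratings outside the scale so a typo cannot silently reorder the list."""
    pairs = [(risk.probability, risk.impact)]
    pairs += [(t.probability_after, t.impact_after) for t in risk.treatments]
    for p, i in pairs:
        if not (SCALE_MIN <= p <= SCALE_MAX and SCALE_MIN <= i <= SCALE_MAX):
            raise ValueError(f"{risk.name}: ratings must be {SCALE_MIN}-{SCALE_MAX}")


def residual_score(treatment: Treatment) -> int:
    return treatment.probability_after * treatment.impact_after


def best_treatment(risk: Risk) -> Optional[Treatment]:
    """Choose the measure with the largest score reduction per unit of cost.
    Returns None when nothing has been proposed, so the gap stays visible."""
    if not risk.treatments:
        return None

    def value(t: Treatment) -> float:
        reduction = risk.inherent_score() - residual_score(t)
        return reduction / t.annual_cost if t.annual_cost > 0 else float("inf")

    return max(risk.treatments, key=value)


def prioritize(register: List[Risk]) -> List[Risk]:
    """Highest inherent score first; ties go to the higher impact so a rare
    but catastrophic event outranks a frequent nuisance of equal score."""
    for risk in register:
        validate(risk)
    return sorted(register, key=lambda r: (r.inherent_score(), r.impact), reverse=True)


def summarize(register: List[Risk]) -> List[Tuple[str, int, Optional[int], str]]:
    """(name, inherent score, residual score, chosen measure) in priority order."""
    rows = []
    for risk in prioritize(register):
        chosen = best_treatment(risk)
        rows.append((
            risk.name,
            risk.inherent_score(),
            residual_score(chosen) if chosen else None,
            chosen.description if chosen else "NO TREATMENT IDENTIFIED",
        ))
    return rows


# Constructed sample register; names, ratings and costs are illustrative only.
SAMPLE_REGISTER = [
    Risk("Data center power loss", "InfoTech", 3, 4, [
        Treatment("UPS plus standby generator", "mitigate", 1, 4, 25_000),
    ]),
    Risk("Sole supplier insolvency", "Purchasing", 2, 5, [
        Treatment("Qualify a second supplier", "avoid", 2, 2, 8_000),
    ]),
    Risk("Headquarters sits in a flood plain", "Facilities", 2, 5, [
        Treatment("Relocate to higher ground", "avoid", 1, 1, 120_000),
        Treatment("Install flood barriers and raise equipment", "mitigate", 2, 3, 15_000),
    ]),
    Risk("Phishing leads to credential theft", "All business units", 4, 3, [
        Treatment("Awareness training plus multi-factor authentication", "mitigate", 3, 2, 6_000),
    ]),
    Risk("Loss of the only person who knows the payroll process", "Finance", 3, 3),
]

if __name__ == "__main__":
    for name, inherent, residual, measure in summarize(SAMPLE_REGISTER):
        print(f"{inherent:>2} -> {str(residual):>4}  {name}: {measure}")
```

The cost-per-point selection is one defensible rule among several; a planner who must keep residual scores under a hard ceiling would instead filter by residual first and only then compare cost. The point the example makes is structural: each risk carries its owner, its inherent rating and its treatment options together, so the "prioritized recovery list" and the avoidance/mitigation decisions the article says InfoTech-centric D/R lacked live in one place.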

D/R has now moved out of the reactive "restore what failed" mode to the proactive B/C "meet the Service Level Agreements" mode, the business continuity/continuation mode.

Still, B/C, as practiced in (too) many organizations, is short-sighted.

It looks at obvious and traditional risks, but fails to go beyond those risks.

Why?

Often senior management withholds the mandate to do more.

Enterprise Risk Management, "ERM," is, to this scrivener, "B/C on steroids."

ERM should be able to look at all risks, from all sources both traditional and non-traditional.

All of an organization's doors must be opened to the ERM practitioner, and the practitioner must be allowed a look at the organization's short and long-term plans. (Actually, B/C planners should see the plans as well so modernization can be implemented early if the opportunity arises.)

ERM practitioners should be invited into all phases of the operation.

Planning to buy property? Involve the ERM practitioner to look at such mundane things as location (flood plain? access?) and construction (safe room? environment?).

Allow the ERM practitioner to look at processes - that's part of the job, anyway - and invite the practitioner to make recommendations to enhance (or eliminate) processes.

It is understood that the ERM practitioner, as were the B/C and D/R planners, is an expert only in his or her discipline; the practitioner/planner must work with Subject Matter Experts (SMEs) both within and without the organization to fully benefit the organization.

D/R still plays a very big role in both B/C and ERM, and it has expanded to include all the resources a profit center requires to remain a profit center; for all that, it still is D/R and still reactive.

John Glenn, MBCI, SRP
Enterprise Risk Management/Business Continuity
http://johnglennmbci.com/
Planner @ JohnGlennMBCI.com

Friday, May 23, 2008

ERM-BC-COOP: Process to progress

I once was told by the man who then signed my timesheet that what I did was "not business continuity; it's process re-engineering."

Needless to say, I fully agreed with the paymaster.

But he was very much on the mark.

Unfortunately, ERM/BC/COOP practitioners rarely (get to) practice "process re-engineering."

That's a loss for both the practitioner and the organization paying for the practitioner's services.

ERM/BC/COOP, properly done, is process oriented.

We look at processes.

Granted, the raison d'etre for ERM etc. is to protect existing processes.

But we are looking at the processes anyway.

If you went to your GP - sorry, Family Practitioner as my doctor reminds me - complaining of a stomach ache and the doctor happened to notice in her examination that you had a suspicious growth, would it be appropriate for her to suggest having it checked by a specialist? (Mine would, which is why she's my doctor.)

She could say "I'm a Family Practitioner examining my patient for a stomach ache; the growth is 'out of scope' for this visit and for my specialty."

Would that be acceptable, or would it border on malpractice?

It is our job to look at processes.

Since we already are looking at processes, and since we should be talking to the people who perform and "own" the processes, why don't we consider ways to enhance the process?

I'm not suggesting that we carry clipboards and pretend to be efficiency experts, but if we see a way to improve something it seems appropriate that we document what we see.

There is, unfortunately, a flip side to this.

Some managers look at what we do as strictly a risk "search-and-destroy" mission.

The only recommendations they want to hear are how to avoid or mitigate an identified risk.

It seems to this scrivener, however, that "improving the process without impairing the product" falls within the realm of risk management. What if a competitor "improves the process without impairing the product" and gets the competitor's product to market faster and sells it at a lower cost? The competitor is a "risk," right?

I would "suggest" that "smart" organizations engaging an Enterprise Risk Management - Business Continuity - COOP practitioner would be better served if they would encourage the practitioner to fully practice his or her profession and to report not only risks to processes, but ways to "improve the process without impairing the product."

A small caveat: Anytime someone messes with an in-place process, risk is injected. Before anyone starts tinkering with something that "ain't broke," make certain the modification risks are fully mitigated before making any changes.

John Glenn, MBCI, SRP
Enterprise Risk Management/Business Continuity
http://johnglennmbci.com/
Planner @ JohnGlennMBCI.com

Thursday, May 22, 2008

ERM-BC-COOP: 2-way sweet spot found

From Big Medicine (http://www.bigmedicine.ca/)

Emergency links: NIST identifies 'sweet spot' for radios in tunnels [May 17 Gaithersburg MD]--As part of a project to improve wireless communications for emergency responders, researchers at the National Institute of Standards and Technology (NIST) have confirmed that underground tunnels—generally a difficult setting for radios—can have a frequency “sweet spot” at which signals may travel several times farther than at other frequencies. The finding, which uses extensive new data to confirm models developed in the 1970s, may point to strategies for enhancing rescue communications in subways and mines.

The optimal frequency depends on the dimensions of the tunnel. For a typical subway-sized tunnel, the sweet spot is found in the frequency range 400 megahertz (MHz) to 1 gigahertz (GHz). This effect is described in one of two new NIST publications. The reports are part of a NIST series contributing to the first comprehensive public data collection on radio transmissions in large buildings and structures. Historically, companies have designed radios based on proprietary tests. The NIST data will support the development of open standards for design of optimal systems, especially for emergency responders.

NIST researchers were surprised by how much farther signals at the optimal frequency traveled in above-ground building corridors, as well as underground. Tunnels can channel radio signals in the right frequency range because they act like giant waveguides, the pipelike channels that confine and direct microwaves on integrated circuit wafers, and in antenna feed systems and optical fibers. The channel shape reduces the losses caused when signals are absorbed or scattered by structural features. The waveguide effect depends on a tunnel’s width, height, surface material and roughness, and the flatness of the floor as well as the signal frequency. NIST authors found good agreement between their measured data and theoretical models, leading to the conclusion that the waveguide effect plays a significant role in radio transmissions in tunnels.

Lead author Kate Remley notes that the results may help design wireless systems that improve control of, for example, search and rescue robots in subways. Some handheld radios used by emergency responders for voice communications already operate within the optimal range for a typical subway, between around 400 MHz and 800 MHz. To provide the broadband data transfer capability desired for search and rescue with video (a bandwidth of at least 1 MHz), a regulatory change would be needed, Remley says.

The tunnel studies were performed in 2007 at Black Diamond Mines Regional Park near Antioch, Calif., an old complex used in the early 1900s to extract pure sand for glass production.

The second new NIST report describes mapping of radio signals in 12 large building structures including an apartment complex, a hotel, office buildings, a sports stadium and a shopping mall.

The research is supported in part by the U.S. Department of Justice and the Department of Homeland Security. Both reports will be available on NIST’s Metrology for Wireless Systems Web page.

K. A. Remley, G. Koepke, C. L. Holloway, C. Grosvenor, D.G. Camell, J. Ladbury, R.T. Johnk, D. Novotny, W.F. Young, G. Hough, M.D. McKinley, Y. Becquet and J. Korsnes. “Measurements to Support Modulated-Signal Radio Transmissions for the Public-Safety Sector”. NIST Technical Note 1546, April, 2008.

C. L. Holloway, W.F. Young, G. H. Koepke, K. A. Remley, D. G. Camell and Y. Becquet. “Attenuation of Radio Wave Signals Into Twelve Large Building Structures”. NIST Technical Note 1545.


The benefits of this research apply equally to ERM-BC-COOP practitioners who need to establish an emergency communications network inside large structures (such as multi-floor buildings and buildings with underground operations).

John Glenn, MBCI, SRP
Enterprise Risk Management/Business Continuity
http://johnglennmbci.com/
Planner @ JohnGlennMBCI.com

Wednesday, May 21, 2008

ERM/BC/COOP: Unwanted help

I participate on a couple of emergency management (EM) lists. EM is, in many ways, the municipal version of disaster recovery and for some progressive governments, part of Emergency Risk Management (ERM) or Continuation Of OPerations (COOP).

A recent thread concerns some people who packed their bags and, uninvited, flew half-way around the world to China to offer their help.

The volunteers are experienced in what they do and normally would have been welcome.

But China sent them packing.

On the surface that doesn't make sense.

But digging deeper, we can see the Chinese reasoning.

Our volunteers arrived shortly after disaster struck.

They showed up on China's door uninvited - China wasn't ready for "guests" and had not even had time to sort out (a) who is needed to help out and (b) how to put these people to work for the most good.

The volunteers, rejected by China, turned around and went home - and apparently told the local press that China didn't want them; the local press then, apparently, blasted China: how dare it refuse volunteer help when it was in such desperate straits?

Volunteering is a funny thing: when you need volunteers, they can be hard to find; when you are just sorting things out, they just get in the way.

An aside: There apparently is a "clearing house" for volunteers where entities needing volunteers list their needs and volunteers can see if their particular skills are needed.

I am not criticizing either China or the volunteers. As Jack (Sgt. Joe Friday) Webb would say, "Just the facts."

As ERM/BC/COOP practitioners, we could face the same problem as China albeit on, hopefully, a far smaller scale.

Something goes bump in the night and two things typically happen:

  • People show up to help right things
  • People show up wanting to know how the "bump" impacts them

Our plans need to consider the possibility and include ways to mitigate the problem. I don't think there is any way - given human nature - that we can totally avoid the problem, but it can be mitigated.

How?

With on-going education and a decent communications plan.

On-going education means making it clear to new hires who has what responsibility in what types of events. On-going education means reminding these people, as they become "old timers," that nothing has changed; they still need to know their responsibilities (particularly as they may change over time).

Communication means having established - and advertised - channels before an event so the troops (from intern to senior exec) know where to tune for the latest information. It could be the local electronic media, email (if available), a neighborhood laundromat's cork (message) board; any number of options, PROVIDING everyone knows in advance.

These really are "no brainer" concepts; they are common sense, but they must be in place before "stuff" happens.

John Glenn, MBCI, SRP
Enterprise Risk Management/Business Continuity
http://johnglennmbci.com/
Planner @ JohnGlennMBCI.com

Friday, May 16, 2008

SunGard buys Strohl Systems

http://biz.yahoo.com/prnews/080515/neth122.html?.v=14


Reading between the lines of the May 15 PR Newswire release, it would seem this acquisition by SunGard - it never was called a merger - will enhance SunGard's soft business while being the kiss of death for SunGard's current software offering, Paragon. The only mention of that product was to state "both SunGard's Paragon and Strohl Systems' LDRPS will continue to be supported."

Strohl was acquired by SunGard's SunGard Availability Services. The deal will bring to SunGard "deep intellectual capital in business continuity including experienced developers and customer support professionals, and a dedicated software professional services organization and sales force that will continue to support existing customers and prospects," the release claimed.

SunGard a few years ago acquired Comdisco, theoretically a competitor. It was hardly a "marriage made in heaven" according to both former SunGard and former Comdisco personnel. (In most cases, the "former" are that way voluntarily.)

LDRPS in particular and the other lesser Strohl products probably will keep their product names, but "Strohl Systems" probably will be history in relatively short order unless some "ex" Strohl folks can buy the name back from SunGard.

What will be interesting is to see how the mentality at SunGard - an InfoTech disaster recovery hot site vendor - will agree with Strohl's business continuity mentality.

Since I don't use either SunGard sites or Strohl software, the acquisition has zero impact on me, but I know - second hand - some of the Strohl folks and respect their knowledge.

It will be interesting to watch.

John Glenn, MBCI, SRP
Enterprise Risk Management/Business Continuity
http://johnglennmbci.com/
Planner @ JohnGlennMBCI.com

Tuesday, May 13, 2008

ERM-BC-COOP: Shot in the arm

Many of us think Business Continuity is a (relatively) new idea.

It isn't.

I was introduced to Business Continuity - as distinct from Disaster Recovery - as a small child.

How can that be?

In my childhood days each small fry was obliged to be probed and prodded and needled before he or she could go to first grade.

What happened to us was called "preventive medicine" and what happened was that we were carefully examined and given a series of shots (sometimes in combination) and vaccinations.

Preventive - or preventative - medicine is nothing more than a Business Continuity preventative; keep the kids healthy by preventing illness or at least by mitigating the severity of an illness.

Another Business Continuity preventive measure was stored in containers along the walls at Eli Lilly & Company's Indianapolis properties. What was this critical product? Salt pills.

In the first case, the puncture wounds to my skin served multiple purposes. First, and the direct result, was to keep me healthy so that I could attend school.

If I was healthy, my parents could be productive at their jobs.

If I was healthy, I would not be a health threat to the staff at P.S. #2 and the other first graders would be safer, too.

In the second case, Eli Lilly knew that it could spend small change on salt pills or lose valuable production from its line personnel.

Lilly was, at least "back then" an organization that realized its personnel were the key to a positive bottom line and it treated them accordingly.

But Business Continuity goes back farther than even my childhood.

Those British sailors didn't get to be known as "Limeys" for nothing. The term dates back to the 19th century (1800s) when, according to http://www.wikpedia.com/, "The term is believed to derive from lime-juicer, referring to the Royal Navy and Merchant Navy practice of supplying lime juice (an anti-scorbutic) to British sailors to prevent scurvy in the 19th century. The term is believed to have originated in Australia in the 1880s."

The citrus juice was for the obvious reasons - the sailors needed to be as able as possible to make the extended journeys from shore to shore.

While most stage coaches probably lacked an on-board spare wheel, most wagon trains carried spares, and often spare draft animals were tied to the back of a wagon. The business of the wagon train was to move people and goods from point to point in a timely (read "in decent weather") manner.

It is no stretch of the imagination to suggest that Business Continuity goes back to the first strategic military thinkers who, as they sent troops into battle, held back a certain number of soldiers in reserve, prepared to enter the fray should the tide start to turn against their flag. Could this be a case of primary and alternate responders?

Business Continuity, unlike Disaster Recovery - and certainly IT disaster recovery - has been with us almost from the beginning. It just was not called "Business Continuity."

Business Continuity as a military device can be linked back to Biblical times. Moses sent 12 men to "spy out" the land of Canaan and Joshua, one of the 12, later sent out two men to spy out Jericho. In both cases, the spies were sent so that Israel would be prepared for what could happen next. The ancient Israelites were in the "business" of conquering the promised land.

Susan Fish, a Business Continuity Specialist with Florida's Transportation Department (FDOT), wrote in Continuity Insights' Final Thoughts September/October, 2005 issue that she thinks Noah was the first Business Continuity planner, trumping the spies by several hundred years. (See http://www.continuityinsights.com/).

Preventive medicine probably was the first Business Continuity experience for most of us.

But because it was called something else, we never realized that we were indeed introduced to "Business Continuity."

Business Continuity is any action that is performed to keep a business in business. Any business.

We normally think of Business Continuity in terms of an organization of some size. It can be a commercial or industrial enterprise, a non-profit organization, or a government agency.

Business Continuity is all that and more.

If the organization depends on people - and what organization does not - then Business Continuity has to be implemented on the personal level, the preventive medicine level.

Business Continuity, in the most simple terms, is the process which

  • identifies the reason an organization exists
  • identifies risks to the reasons the organization exists
  • identifies ways to avoid or mitigate the risks

Certainly Business Continuity includes responses in the event a risk occurs. That and much more - crisis management, training, maintenance, safety and awareness, to name but a few components of a complete Business Continuity program.

Business Continuity is a holistic approach to making certain the desired results are attained. Those results can be as simple as keeping a first grader in school to keeping a multi-billion dollar business functioning.

John Glenn, MBCI, SRP
Enterprise Risk Management/Business Continuity
http://johnglennmbci.com/
Planner @ JohnGlennMBCI.com

Monday, May 12, 2008

ERM-BC-COOP: Corporate murder act

UK organizations now face prosecution where there is judged to be "a gross failing in health and safety management with fatal consequences," according to an article titled "Corporate manslaughter: new challenges for boardroom and advisers" published by Continuity Central at http://www.continuitycentral.com/feature0577.htm.

As with most new laws, the UK's "Corporate Manslaughter and Corporate Homicide Act" was developed "primarily (as) a response to widespread criticism of the existing law, after a series of failed prosecutions over disasters such as the 1987 capsizing of the Herald of Free Enterprise ferry in the English Channel, which resulted in the deaths of 193 people, and the Southall train crash in 1997."

According to the article, "The new law theoretically makes large companies more vulnerable because prosecutors no longer have to demonstrate that a single senior official is the ‘controlling mind’ and shoulders the main responsibility for a death. The act requires instead that senior management as a whole play an accountable role in the offence."

While "fines could dwarf the largest penalties imposed so far under health and safety legislation," there is an unusual twist to the new law which allows that a "potential penalty facing companies convicted under the Act is the imposition of an ‘adverse publicity order’, requiring the offending organisation to announce findings in advertisements or letters to suppliers and shareholders."

Public accountability may prove a better prod to corporate responsibility than a one-time hit to the bottom line, regardless of the size of the penalty.

Perhaps this is an idea worthy of export.

John Glenn, MBCI, SRP
Enterprise Risk Management/Business Continuity
http://johnglennmbci.com/
Planner @ JohnGlennMBCI.com

Friday, May 9, 2008

Aid coin flipped in Burma

The Burmese tragedy unfolding before us in the daily news presents a nearly unique twist to emergency response efforts.

In most cases, nations around the world volunteer assistance, sometimes showing up on the devastated land's "doorstep."

Along with governmental assistance, many non-governmental organizations, those "NGOs" like Red Mogen David and the Salvation Army, also stand ready to provide aid.

Finally, we have the unaffiliated volunteers.

These folks show up, usually unannounced, with no more than good intentions.

All this means is that the locals - the government Emergency Management folks - need to have a plan in place to control and manage all the resources which can pour into the disaster area.

Some do a better job than others.

In Myanmar, the current Burmese (how do you "adjective-ize" Myanmar?) government apparently wants to keep all foreign personnel out. I understand it only reluctantly is allowing aid supplies into the country.

Politics.

Politics taken to the extreme.

In recent memory a predominately Moslem country suffered a disaster. The country avoided diplomatic relations with Israel, yet, when it needed help, Israel offered aid and the Moslem country accepted it.

Burma, under its present government, apparently is more paranoid than North Korea which would accept aid from China. The only country in my time that I think equates to Burma's situation is Albania, and I think that has changed in recent years.

Meanwhile, foreign aid is stacking up - on the ground and in the ports.

Meanwhile, Burmese are suffering; food supplies are bordering on non-existent if the media is to be believed. (How is it that the media got in and aid workers are kept out?)

Sudan is similar - aid caravans are attacked by land pirates; aid gets into the country, but not to disaster victims.

As an enterprise risk management - business continuity practitioner, I worry about controlling volunteers. I never seriously considered anyone refusing aid, especially when it can be properly managed.

Myanmar's government has changed that mentality.

John Glenn, MBCI, SRP
Enterprise Risk Management/Business Continuity
http://johnglennmbci.com/
Planner @ JohnGlennMBCI.com

Thursday, May 8, 2008

ERM - BC - COOP: Call me Para Noid

I'm hardly a "neat freak" and during normal working hours my desk may seem cluttered, but I strongly believe in electronic housekeeping. (After hours, 90% of everything that was on the desk is put away under lock-and-key; nothing really "secret," just good business practice.)

At least once-a-day I go into the browser (in this case, IE 6 and 7) and purge all cookies, temporary Internet files, and the history.

With one exception, my StatCounter (http://my8.statcounter.com/) cookie, there are no others I need to keep. Reinstalling the cookie from the StatCounter site is a no brainer, so the global purge is OK.

I know where to find cookies, temporary Internet files, and the browser history on the hard drive, and sometimes, "just to be sure," after instructing IE to purge everything, I'll go look at the "folders" (née sub-dirs) where Windows stores them to confirm that they really are empty.

The same with email.

I rarely open anything that is unexpected, particularly if it is (a) from a name I don't know or (b) lacks a subject.

I understand, because I too am guilty, that sometimes an email gets away sans a subject, so if I know the originator I'll "probably" open the post.

I'm also suspicious, as is an acquaintance in Sri Lanka, about things that "fail to compute."

My acquaintance wants to become certified by The Business Continuity Institute (The BCI).

He knows The BCI (http://www.thebci.org) is headquartered in Blighty.

He received an email from The BCI, but the physical address was Vienna Virginia USA.

Since he knows I am a BCI'er, he sent me an email asking if the Vienna operation was kosher.

I didn't know (I apparently missed an announcement from the island).

But I do know some BCI people both in the Several States and at HQ, so I asked them.

Turns out the Vienna address is "kosher" (maybe not Bet Yosef*, but "kosher").

I am an enterprise risk management / business continuity (COOP) practitioner; I am not an InfoTech specialist (any more than I am an HR or Finance specialist) so my concern for cookies and emails comes from general awareness - an awareness level that all computer users should reach, perhaps with a little help from their friends behind the data center doors.

To me, daily housekeeping is just good business, and being aware is what should be expected of anyone who "thinks ERM."

Now - to get others to "think ERM" even if only for a moment or two each day.

My contention: You don't need to be in my business to be aware of risks.


* Bet Yosef: see http://www.kashrut.com/articles/glatt/.

John Glenn, MBCI, SRP
Enterprise Risk Management/Business Continuity
http://johnglennmbci.com/
Planner @ JohnGlennMBCI.com

Wednesday, May 7, 2008

ERM - BC - COOP: Security, more than firewalls

If you asked most business managers if they have "security," many would say "Sure" and direct you to InfoTech.

Which is fine, but dangerously limited.

Security needs to include security from all dangers, InfoTech and otherwise.

Certainly information security needs to be implemented across the board - that means protecting servers, the data on them, email, and more. Firewalls, anti-virus, anti-this and anti-that applications all need to be in place.

But true security is more, and it focuses on people, an organization's most important resource.

Security starts before the parking lot and includes, for some organizations, restricting on-street parking (in cooperation with the local government).

I once worked for a foreign-headquartered international shipping company located next door to an insurance company staffed largely by former military types.

From time-to-time large trucks would park next to our building - the curb was less than 20 feet away.

I tried, without success, to get management to request the city to ban parking - at least truck parking - on the narrow street by the building. It was, if nothing else, a traffic safety hazard. What the execs, ensconced on the building's second floor, apparently failed to realize is that the small berm (rise) designed to force rainwater runoff would effectively push any blast from a parked vehicle up toward the second floor (hopefully sparing those of us on the first floor).

Another time I worked for a leading insurance company. This company (to its credit) had a "no tailgating" rule. All employees, including contractors, were badged; the badges opened the entrances to the buildings. The rule was that anyone caught tailgating - entering a building closely behind someone who had used his or her card to open the doors - would be fired. If the person who used his/her card to open the doors allowed the tailgater, that person also was fired. No discussion, just "good bye."

I think that is an excellent rule.

There was a State of Florida department with enlightened management that realized there were security issues to be considered in the parking lot.

All of the organizations so far had pretty good data security, but some realized security is more than just InfoTech.

Security also is more than "just" protecting personnel - employees and visitors.

It is making certain there is a level of personnel awareness, a "security consciousness."

Again, this goes beyond insisting that computers be protected with strong, regularly changed, passwords. It includes emails and phone conversations; it includes "clean desk" environments and secured documents (paper and digital) when an area is unattended.

Security includes personnel awareness training and knowledge both of the rules and why the rules.

The bottom line: Security is more than protecting the servers; it is protecting the organization from all threats and it is a job for everyone, from the newest intern to the most senior executive.

Most organizations spend money to keep up to date with data security options.

Keeping "up to date" with physical security options usually is free; worst case, of minimal cost. Just ask the local constabulary. In most cases, the police - like the fire department - will send someone with all the expertise an organization needs to review current practice and recommend any needed enhancements.

John Glenn, MBCI, SRP
Enterprise Risk Management/Business Continuity
http://johnglennmbci.com/
Planner @ JohnGlennMBCI.com

Tuesday, May 6, 2008

ERM-BC-COOP: Has pandemic arrived?

It may not, yet, be a pandemic, but we are facing the threat of one.

No, not the H5N1 avian influenza pandemic which has made headlines for several years (but now barely rates an ROP filler).

Measles.

The childhood disease "eradicated" long ago - or so we thought.

Measles has reached (near) epidemic proportions around the world.

No country seems safe from measles. Developed countries such as the U.S. and Israel have it. "Non-developed" countries have it.

It spreads at the "speed of flight."

Thankfully, and unlike avian flu, measles rarely is fatal. (Avian flu has a fatality rate in excess of 50%.) It can be fatal, but not often.

When I was young, back in the Dark Ages before measles could be prevented, children, especially girls, often were deliberately exposed to the malady. Strange? Not really. Measles was a killer and deformer of fetuses. If a young girl contracted measles she developed an immunity to the illness for life. If, having been exposed as a child, she was again exposed as a pregnant adult, her fetus was protected.

Unlike the waiting-in-the-wings H5N1 avian influenza, we have a vaccine for measles.

But because it was "eradicated," we apparently stopped administering it.

Pretty much the same goes with smallpox vaccinations.

Which, to this scrivener - who bears the Mark of Vaccinations - seems foolish.

To be fair, there are those who contend the vaccinations are dangerous, and continuing studies of their safety certainly are in order. Perhaps the parents of my generation were ignorant of the dangers of some vaccinations. Even the medical community - my mother was a registered nurse who at one time worked at an ethical pharmaceutical - was in the dark.

Perhaps we are simply over-protecting. Let's say we allow people to contract measles. For most of us, it's an inconvenience. For a very few, measles may be life-threatening. Could these few be safely vaccinated? That may be a "Catch 22."

There is, of course, an enterprise risk management - business continuity angle to this.

People who get measles - or smallpox or chickenpox or mumps or any other "childhood" disease - can quickly infect coworkers. People who care for children or elderly relatives will take time off if those people become ill.

That impacts the organization's efficiency and, by extension, its "bottom line."

Reinstate preventive medicine for these "childhood illnesses?" If the answer is yes, and if the concern is the organization's financial bottom line, would it be good corporate policy to pay to vaccinate employees and "same household" relatives? Bring the inoculations to the troops or send the troops to the vaccine?

What about the people who refuse the preventive medicine option?

Enterprise risk management may not be rocket science, but it can get complicated and it demands input from many sources; in this instance, medical, legal, HR, finance, and, of course, the rank and file.

Something to consider.


Main Entry: pan•dem•ic
Function: adjective
Etymology: Late Latin pandemus, from Greek pandēmos of all the people, from pan- + dēmos people - more at demagogue
Date: 1666
: occurring over a wide geographic area and affecting an exceptionally high proportion of the population

Main Entry: ep•i•dem•ic
Function: adjective
Etymology: French épidémique, from Middle French, from epidemie, noun, epidemic, from Late Latin epidemia, from Greek epidēmia visit, epidemic, from epidēmos visiting, epidemic, from epi- + dēmos people - more at demagogue
Date: 1603
1: affecting or tending to affect a disproportionately large number of individuals within a population, community, or region at the same time
2 a: excessively prevalent b: contagious 4
3: of, relating to, or constituting an epidemic

Source: http://www.merriam-webster.com/


John Glenn, MBCI, SRP
Enterprise Risk Management/Business Continuity
http://johnglennmbci.com/
Planner @ JohnGlennMBCI.com

Monday, May 5, 2008

ERM-BC-COOP: Financial planning part of ERM

Richard Arnold, Disaster Recovery Journal's executive publisher (richard@drj.com), in his "From the publisher's desk" in the Spring 2008 issue* (http://www.drj.com/index.php?option=com_content&task=view&id=2133&Itemid=505&ed=46), writes about the current economic concerns and notes that DRJ is either holding the line on conference costs or helping keep educational costs affordable with webinars.

He and DRJ are to be applauded for the effort.

This is a positive reaction to the economic woes.

Like waiting until a hurricane has passed by or reviewing the results of a tornado, taking action in light of a failing economy is disaster recovery.

While that is the name of the profession's quality quarterly, it should not be the approach we take to protect our clients.

"Clients," in this instance, is generic - the people or organizations that compensate us for our efforts, regardless of whether we are engaged as staff or consultants.

We - as enterprise risk management/business continuity practitioners - need to advise our clients how to prepare for, as well as weather, the economic "storm" just as we advise them how to prepare for and weather a hurricane, tornado, or any other risk.

Hopefully, our voice will be heard and our advice heeded. Still, failing to at least present the possibilities would be negligence on our part.

Mr. Arnold, in his Page 10 comments, notes that "planners often are performing the tasks of two, three, or more people." Translation: some experienced practitioners are finding themselves "on the market" and some potentially great planners fail to find a place to develop their skills, preferably under the guidance of a senior who has "been there and done that."

The joke goes that when "you" are out of work, it's a recession; when "I" am out of work, it's a depression.

There are, if Mr. Arnold's words are correct and I see no reason to disbelieve him, a growing number of planners who view their status as a "depression." Even if you are only in a "recession," the plight of our profession is depressing.

For all that, our plight points up the need for enterprise risk management, holistic business continuity planning. The financial well-being of our clients very much relates to our financial well-being. Trust me, there is nothing wrong with having selfish inclinations, particularly when those inclinations will benefit many more people than yourself.

We, as practitioners, need to understand, and we need to try to convince our clients, that the organization's financial well-being must be considered across all risks; when we limit our concerns to environmental, human, and technological risks, we are failing our clients and, in the end, failing ourselves.

* DRJ requires that users be registered to view the magazine online. Registration is free and highly recommended for anyone practicing, or responsible for, enterprise risk management - business continuity - COOP.

John Glenn, MBCI, SRP
Enterprise Risk Management/Business Continuity
http://johnglennmbci.com/
Planner @ JohnGlennMBCI.com

Sunday, May 4, 2008

EMC/BC/COOP - When to allow risks

Enterprise Risk Management Business Continuity Continuation Of Operations

It's almost unthinkable that anyone would allow a risk, but there are times when this is appropriate.

For many years, it was U.S. Interior Department policy to rush to extinguish forest fires.

No longer.

By putting out small fires, the forest floor increasingly was covered with fuel waiting for a spark.

Interior now has a burn policy, which as long as it is controlled - no guarantee as Utah residents can attest - reduces big burns. Forest Service and Bureau of Land Management personnel regularly start small, hopefully controlled, burns to clear out some of the fuel dropped on the forest floor in the natural course of events.

It helps to combine Interior's mitigation efforts with decent planning and zoning that prohibits building permanent structures - e.g., multi-million dollar palaces - in "prone to burn" areas.

Right now there is a measles outbreak of almost pandemic proportions.

When I was young, mothers encouraged their children, especially daughters, to "catch" measles. Why? Getting measles while young and otherwise healthy provided natural antibodies which the girl, when an adult and pregnant, needed to fend off the disease to protect the fetus. This was a time before a measles vaccine was developed. The fatality rate for measles was far lower than, say, smallpox.

The problem with the broad range of vaccinations available to the world today is a false idea that the diseases are eradicated.

It's funny. When someone asks me when I got involved in ERM/BC/COOP, I used to reply "1994."

But I actually got "involved" with ERM/BC/COOP as a child going to a pediatrician for then-annual inoculations (and a stick of Juicy Fruit gum). As an Air Force medic I was again "involved" with ERM/BC/COOP, but still with a medical bent.

Between shot lines, I worked for (I learned later) a CIA cover organization "pickling" metal to preserve it from Miami, Florida's humidity.

Preventive medicine, preventive maintenance, preventive anything is, at its core, part of the ERM/BC/COOP process. It's mitigation. In the cases mentioned here, the mitigation is far less expensive than the alternative.

Medical care, obviously, has a "response" function as well, but it often is very expensive, time consuming, and invasive - frankly, it is an ideal illustration of ERM/BC/COOP in (in)action.

John Glenn, MBCI, SRP
Enterprise Risk Management/Business Continuity
http://johnglennmbci.com/
Planner @ JohnGlennMBCI.com

Friday, May 2, 2008

ERM/BC/COOP risks in a moment

The following list is a "sampling" of risks facing a typical organization. It was cobbled together with little thought, which means that sitting down with functional unit Subject Matter Experts (SMEs) and other planners will identify many more risks, and certainly add to risk specificity.

Sometimes a "risk" also is a benefit. Volunteerism, for example, can be a multi-headed risk (injury to personnel, legal action, image, lost productivity) but it also can be a benefit (image, promotional).

There are some "risks," such as "Evacuation & shelter-in-place training" which obviously must be followed by "lack of."

Using the following as a "basic" checklist is fine, providing everyone understands no list can be all inclusive for all organizations.

Environment

Cold - Heat
Drought - Flood
Dust
Earthquake
Fire
Fog/Smog
Hurricane
Ice
Land or mud slide
Pollen
Rain
Sinkhole
Snow
Solar storms
Space debris
Tornado
Tsunami
Volcano
Wind - Flying debris

Laws & Regulations

Additional as business expands
Changes to existing regulations
Fines & Penalties
Hours/Days of operation
Minimum wage
Planning & Zoning
Regulator personal focus
Traffic patterns (access)

Other

Air, rail, roadway, water accidents
Bond rating
Change in
    personnel
    plan
    process
    product
    program
    provider (vendor)
    purchaser

Communications - external
Communications - internal
Community event (celebration)
Facilities
Hazmat incident
Image
Lack of 9-1-1 response
Neighbor's "event" (fire, etc.)
Owners' disputes
Stock value
Rumors

Peers (industry)

Competition
Standards

People

Accident (any type, location)
ADA
Benefit costs
Citizenship status (I-9, visa)
Cross-training
Death
Domestic violence
Education
Family concerns
Handicaps - obvious & hidden
Harassment
Holidays
Human error
Illness
Incompetence
Insurance coverage
Military service
Payroll
Policies & Procedures
Politics
Preventive medicine (flu shots, etc.)
Special needs
Succession
Taxes & Social Security payments
Terrorism - Going "postal"
Unions (by any name, e.g., Guild)
Vacations
Volunteers
Volunteerism
Work actions
Workman's compensation
Workplace violence

Self-Protection

Awareness training
Client well-being checks
Evacuation & shelter-in-place training
Fire, radon, etc. detection/suppression
First aid (advanced training)
Insurance
Plan status (exercised, current)
Security

Technology & Utilities

A/C and Heat
Electricity
Fuel
Gases, etc.
Info Tech
Power
Telephone
Water
also see Vendors

Vendors

Casual staff
Competitors for vendor service
Consultants
Couriers
Financial resources
Mail
Transportation
Vendor plan (lack of)
Vendor stability
Waste removal

John Glenn, MBCI, SRP
Enterprise Risk Management/Business Continuity
http://johnglennmbci.com/
Planner @ JohnGlennMBCI.com

Thursday, May 1, 2008

About this scrivener

It belatedly occurred to me that my pontificating may cause some readers to ask themselves: "Who is this person and by what right does he mount the Enterprise Risk Management - Business Continuity soap box?"

Good question.

I came to business continuity (BC) in 1994 via technical documentation, "tech pubs." I got there by way of a newspaper printer's apprenticeship (a "devil" of a job at the Orlando [FL] Sentinel-Star and Gannett's first Today, in Cocoa FL), reporting and editing at sundry daily and weekly newspapers across the Several States, and PR work in the US and overseas. I "became" a tech writer while overseas, and over the course of my tech writing years I documented commercial and mil-spec electronics, telecommunications systems, and process control systems a/k/a control valves of various sizes and types.

I was working as a tech writer/consultant for Trecom Business Systems when I first encountered "business continuity." Trecom morphed into DMR Consulting Services which was absorbed into Fujitsu Consulting.

My first "real" business continuity work was while I was employed by DMR (née Trecom) in Tampa FL. The job: create a quick fall back (failover) plan for a company which convinced one of its clients that it "had a plan." Fortunately, the people working on the plan - the Business Unit Manager, the Technical Director, and this scrivener - already had a working knowledge of our client's operations, so putting something together to keep both our client and our client's client happy was a relatively easy assignment.

There were several Y2K search and destroy missions during this period. Not true business continuity, but it was reinforced to me that risks - even Y2K risks - are sometimes less than obvious. One Y2K project was for a luxury hotel; we went looking for "time bombs" in such places as the kitchen, personnel, and wake-up service, among others, as well as servers and desktop devices. You'd be surprised to know how many things have an embedded computer. Another Y2K job had me tracking down components used in manufacture of vehicle airbag assemblies.

Not exciting? Consider that the airbags are, or at least were, inflated by an explosive charge. The company's R&D folks "played with" Class A explosives. This stint introduced me to risks - and remedies - I previously never considered. It also impressed upon me the need for close coordination between the organization with the plan and external organizations such as EMTs, fire, and police, not to mention planning and zoning agencies.

Somewhere in the mix I was involved in true business continuity planning for a state agency. The state has a "sunshine law" which puts all but the most sensitive information out for all to see. But this state also had a rule that break times were sacred - come lunch time, interviews were interrupted no matter what the cost in continuity. Lesson learned: plan ahead and schedule accordingly.

Since DMR, I have worked at a variety of organizations, including "the" name in the travel and entertainment industry, a "major" insurance company, an Israeli-headquartered shipping company, a municipal government, an energy exploration company, and some others. Today I am applying my expertise in the defense industry.

Once a writer, always a writer. Or, put another way, I love to share what I know about what I do.

That sounds a little like "weasel wording," but it means while I will talk to anyone, any time, about GENERIC enterprise risk management - business continuity - COOP, plan specifics are "off limits."

Over the years I have posted more than 200 articles and presentations on my Web site (http://johnglennmbci.com/), and John Glenn articles have been appearing twice a year in the quarterly Disaster Recovery Journal (DRJ) for several years. The articles are, for the most part, "generic" ERM/BC in that, unlike vendor articles, mine focus on function rather than product.

My byline also pops up in other professional and general media.

That doesn't mean everyone agrees with everything I write or that I know everything there is to know about enterprise risk management - business continuity - COOP.

Some of the people I value most are those who either disagree with my thoughts or who help me expand those thoughts. They remind me that plans never should be created in a vacuum.

COOP, by the way, is "Continuation Of OPerations," not "Continuation Of Operations Planning." Either way, it is "Fed speak" for enterprise risk management.

John Glenn, MBCI, SRP
Enterprise Risk Management/Business Continuity
http://johnglennmbci.com/
Planner @ JohnGlennMBCI.com