Wednesday, June 25, 2008

ERM-BC-COOP: All about image

A recruiter called yesterday.

Actually two from the same office.

When all was said and done, I was left with second thoughts about working for, or recommending, the organization.

    I often get calls which I pass along to planners looking for work, and I often tell recruiters to post their opportunities - for free - on Continuity Central, DRII, and DRJ web sites.

There were several problems, all impacting the organization's image.

I wonder if the image problem I encountered also is encountered by potential customers of the organization.

The recruiters, based on their language and accents, called me from somewhere in the Far East. Their employer managed to display a local-to-me phone number, not terribly difficult technology.

The first problem was that the agency was using simplex voice-over-IP (VoIP).

Simplex, for those who never dealt with two-way radio, means "I talk-you listen - you talk-I listen."

Think about the movies where one character is talking to another over a two-way and says "Over" each time the person completes a thought. Over.

Anyway, besides the simplex issue (modern landline phones are, by the way, duplex, which means we can - and too often do - interrupt each other in mid-sentence), the quality of the calls was terrible. Between voice quality and latency (IT for "delay"), the "conversation" was frustrating at best.

The second problem was that the first caller didn't know what she was calling about.

Or maybe she just didn't understand American English when I asked "is this a project or a staff job."

The second caller explained that it was both. How so? Well, the offer is to be a staff employee of the caller's organization for the duration of a project with a client of the organization. Bottom line: it's a project.

The second caller started off badly when he told me that a woman from his office called me several days ago.

Now I know about the international date line, but this man clearly didn't have his facts straight.

I told the second caller that the connection was bad - true - and asked that he send the job description via email.

That would be done, he promised, and I disconnected.

I'm still waiting for the email.

To be absolutely fair, I was talking to the recruiters on a Sony-Ericsson cell phone with AT&T (née Cingular) service (which still is better than my Nokia unit and Verizon service - the problem is more the instrument than the carrier). Landline normally is better than either mobile unit/service - unless there is a thunderstorm outside the window.

Word to the wise: Always have at least one Plain Old Telephone Service (POTS) phone available for use during power outages. Fancy phones that require AC to work are useless, but simple phones, which take power from the phone lines, usually work. Still, in an electrical storm, stay away from anything with a cord.

What's the ERM-BC-COOP connection?

Image is very much a risk.

If the company projects the same image to prospective customers as it presented to a prospective employee, its bottom line must be threatened. I want to talk with someone who understands what I say and can communicate with me (comprehension and technology).

I don't think I'm a chauvinist; I work with people every day with accents similar to my callers'. I'm accustomed to talking to people with non-US accents (and, in truth, some US accents are as difficult to understand as any from the Far East). I am "image conscious": my own image, that of my employer, and, frankly, that of the client.

I wouldn't go to an ERM-BC-COOP job interview in a torn tee-shirt and dirty jeans; it's image.

Image is communication and, as with all communication, the audience's comprehension and perception must be a concern.

This company's recruiters failed the test with this practitioner.

John Glenn, MBCI, SRP
Enterprise Risk Management/Business Continuity
Planner @

Tuesday, June 24, 2008

ERM-BC-COOP: Out of sight . . .

Yesterday nothing happened.

Same as the day before and the day before that.

About 9 months ago a VP-level customer asked what he could expect if something went bump in the night. My organization provides IT support to the customer, but the customer is, wisely, looking for something more . . . as in "What about MY people who use YOUR applications and boxes?"

He asked the right person who then asked me.

I had to reply that "not much - we don't have a comprehensive plan."

Trumpets blast, banners wave, and the call goes out to Assemble the Troops.

Somehow, the "troops" never got the message.

And the project, which never got off the ground, was forgotten.

Jump ahead 8 months.

Someone realizes we are no farther along in meeting our customer's request than we were 8 months previous.

More trumpets, more banners, more cries to rally the troops.

Lots of chatter, but no substance.

Most ERM-BC-COOP practitioners know the story.

If the practitioner lives in an area visited by hurricanes, along about September - well into the June to December hurricane "season" - people suddenly discover they lack a survival plan and solicit planners to give them a plan - and be quick with it!

Come November 31st, when the season "officially" ends, they suddenly decide that since they escaped the wrath of weather one more time, maybe they don't need a plan after all.

When the risk is out of sight, the push for a plan is out of mind.

There's only one minor problem with the theory.

There is more than one risk.

Worse, not all risks are as obvious as a hurricane.

Worse still, most risks are not as easily predictable as a hurricane - modern technology allows storms to be tracked for days before landfall. 'Course hurricanes are fickle; they may seem to be aimed at, say, Florida's east coast and end up churning up the middle of the Gulf of Mexico to Mississippi and then on up to southern North Carolina - ask the folks in Charlotte NC. Sometimes a nervy storm will criss-cross Florida and no one knows with any precision where it will go next.

Enterprise Risk Management, ERM, looks at all risks to the enterprise and, doing that, looks at all risks to all the components that make up the enterprise.

Our - I like to think "my" - VP-level client wants, as I understand the requirement, a pseudo-enterprise plan, "pseudo" because the client's operation is one of very many which make up the global enterprise. In my scheme of things, the client's plan will consist of multiple functional unit plans which will "roll up" into the operation plan which, should someone higher up "see the light," would roll up into a true enterprise plan.

The person who asked me about the existence of a plan, a proponent of planning, thought she was dangling a carrot before me when she suggested the plan would be a model for other organizations. While that is enticing, the real carrot is the opportunity to help an organization protect itself - starting with its most important resource: people.

Will the project for the VP-level customer ever get underway?

Like the old Frank Sinatra song, I have "high hopes."

John Glenn, MBCI, SRP
Enterprise Risk Management/Business Continuity
Planner @

Monday, June 23, 2008

ERM-BCP-COOP: How did it happen?

All I've seen are news articles, but the headlines are tragically pretty much the same:

    Ferry sinks in typhoon; hundreds feared dead

The "hundreds" range from 700 to 800.

The ferry, The Princess of Stars, is - or was - a 23,824 gross ton vessel, not a small boat by any means.

Philippine President Gloria Arroyo upbraided maritime officials in a conference call broadcast live on local radio. "Why did you allow it to sail and why was there no ample warning?" she demanded. "I want answers."

Typhoons are hurricanes in the Pacific. (The wind direction - clockwise or counter-clockwise - is of no consequence when the force is 75 mph and greater.)

I've experienced hurricanes in the States, so I know something about them.

Unlike other risks, hurricanes don't suddenly "pop up" out of nowhere; there always is ample warning - assuming, of course, that those with hurricane (and tsunami) tracking technology share the information and that those (governments) receiving the information act upon it.

Big assumptions.

I don't know how far the Princess of Stars was sailing or how far out it was when it sank.

Unless the trip took more than several days - and again, I was not there, but I can't imagine a "ferry" being in transit more than a few hours - there is no excuse for the boat setting sail with passengers, or even more than a skeleton crew.

Most Navy and Coast Guard deep water sailors will tell us that the safest place for a ship during a storm is out to sea. Assuming - there's that word again - that the captain and crew know how to handle the vessel in a storm.

When a storm is bearing down on Florida, Navy ships put to sea. Many cruise ships also head away from port - but not with passengers.

President Arroyo wants to know why the ship was allowed to sail.

As an Enterprise Risk Management practitioner, I also would like to know.

What was the reasoning? The typhoon will track elsewhere? Anyone who has watched hurricanes/typhoons knows that even the best predictions often are fooled by the storm's whimsy.

One of the greatest risks we face, day in and day out, is our own chutzpah; we know what is going to happen or we know what "can't" happen.

Chutzpah, foolishness, stupidity, or "all of the above."

Human error.

Human error which could have, should have, been avoided.

Who made the decision to sail?

Why was the decision made to sail? Greed, perhaps?

Why would someone, knowing a storm approached, willingly get on a vessel which might get caught in the storm? (Where could they go if they elected to stay on land?)

A co-worker from India suggested that the people are so poor that they had no choice but to board the vessel and take a chance to earn a daily pittance.

As with most things ERM, one question leads to another and each needs to be answered so that we don't again see headlines like the one at "Over 800 missing in Philippine ferry disaster".

John Glenn, MBCI, SRP
Enterprise Risk Management/Business Continuity
Planner @

Friday, June 20, 2008

ERM-BC-COOP: On-going effort

Risk management, be it for an organization or for a government at any level MUST be an on-going effort.

Polio, we thought, had been eradicated - along with smallpox, measles, and other diseases which can maim or kill.

But, according to ProMed (, polio continues to be a threat, mostly in Africa and the Indian sub-continent, despite the availability of an easily acquired and easily distributed vaccine. Likewise smallpox and measles.

Tuberculosis, sometimes in very hard-to-treat forms, continues to make headlines, many years after a vaccine was developed.


Basically two reasons.

One: Some managements (governments) fail to immunize the populations.

Two: The illness was wiped out; we don't need to be concerned any more.

Obviously, Reason Two is false.

How do vaccinations relate to the non-government ERM-BC-COOP practitioner?

If people get sick, their production is reduced, sometimes to zero.

The illness can spread, so more people get sick, with another production "hit."

Lose enough people and there are two choices: shut down or hire new people (who probably also will become ill).

Now that everyone understands that people are an organization's most critical resource, consider how to protect that resource.

Preventive medicine.

When I was in the military, I often felt like a pin cushion as I made my way down the shot line. (Those were the days of needles.)

But I was protected from a host of maladies.

Today, about the only time an organization sponsors a preventive medicine event is just before flu season.

Perhaps we - risk management people - need to encourage management to reconsider implementation of a broader range of preventive medicine measures.

Understanding, of course, there are those who, for one reason or another, will spurn any preventive medical efforts. That's a problem "out of scope" for this day.

Northern Nigeria is currently affected by a new outbreak of wild poliovirus type 1 (WPV1), which has begun to spread internationally. In 2008, a 9-fold increase in new cases caused by this serotype has been reported compared with the same period in 2007. This outbreak in northern Nigeria has the potential to cause major international outbreaks, as occurred in 2003-2006. This year [2008], Nigeria accounts for 86 percent of WPV1 cases in the world.

This new outbreak in Nigeria has occurred because upwards of 20 percent of children remain unimmunized in key high-risk areas for polio in the north of the country. From 2003 to 2006, an outbreak in northern Nigeria led to national and international spread of the disease, eventually re-infecting 20 previously polio-free countries, causing outbreaks in places as far away as Indonesia and Yemen, and resulting in 1475 cases in these 20 countries.

New WPV1 genetically linked to viruses from northern Nigeria has now been confirmed in Benin (one case, onset 17 Apr 2008) and the western part of Niger (one case, in Tillaberry province, close to the borders with Burkina Faso and Mali; onset 11 Apr 2008). It is from these areas that WPV1 originating from Nigeria spread across west, central, and the Horn of Africa in 2003-2004, re-infecting -- among others -- Cote d'Ivoire, Ghana, Guinea, and Togo. In addition to international spread of WPV1 from northern Nigeria, wild poliovirus type 3 (WPV3) originating from northern Nigeria has been reported from Chad (onset of most recent case 13 Apr 2008).

The risk of renewed international spread of polio from Nigeria is increasing due to the intensity of the outbreak in northern Nigeria, the upcoming rainy season, which is associated with increased transmission of poliovirus, and the anticipated large-scale population movements for the Hajj (pilgrimage to Mecca, Saudi Arabia) in the 2nd half of 2008. Saudi Arabia has been notified of the increased risk of polio infection to Hajj pilgrims.

Nigeria has planned 2 large-scale rounds of emergency polio immunization in the northern states in July and August 2008. Large-scale emergency polio immunization campaigns were conducted on 13-16 June [2008] in high-risk and border areas of Benin, Burkina Faso, Mali, and Niger [see prior ProMED-mail posting Poliomyelitis (02): Africa, Asia 20080614.1882] , followed by additional campaigns in July. Disease surveillance is being heightened in 'at-risk' countries, including in those re-infected in 2003-2006.

Total cases                   YTD 2008    YTD 2007    Total 2007
Globally                           599         213          1313
  in endemic countries             560         179          1207
  in non-endemic countries          39          34           106

Case breakdown by country

Country                           YTD 2008    YTD 2007    Total 2007  Most recent onset
India                                  268          62           873  25 May 2008
Pakistan                                12           9            32  19 May 2008
Afghanistan                              8           3            17  14 May 2008
Angola                                  16           1             8  12 May 2008
Nigeria                                272         105           285  9 May 2008
Ethiopia                                 2           0             0  27 Apr 2008
Benin                                    1           0             0  17 Apr 2008
Chad                                     4           0            21  13 Apr 2008
Niger                                    9           4            11  12 Apr 2008
Central African Republic                 1           0             0  6 Apr 2008
Democratic Republic of Congo             2          13            41  24 Mar 2008
Sudan                                    1           0             1  2 Mar 2008
Nepal                                    3           0             5  16 Feb 2008
Myanmar                                  0           8            11  28 May 2007
Somalia                                  0           8             8  25 Mar 2007

Communicated by: ProMED-mail Rapporteur Marianne Hopp

[The figures cited in section [2] above represent an increase in 41 cases of polio reported to WHO in the past week -- (see prior ProMED-mail posting Poliomyelitis (02): Africa, Asia 20080614.1882 for cumulative cases reported as of 10 Jun 2008). Of these 41 newly reported cases, 25 were reported in Nigeria, 10 were reported in India, 4 were reported in Angola, one was reported in Pakistan, and one was reported in Ethiopia. The number of cases reported from Nigeria since the beginning of 2008 is 272 whereas in 2007, the total number of cases reported during the entire year was 285. - Mod.MPP]

Something to consider.

John Glenn, MBCI, SRP
Enterprise Risk Management/Business Continuity
Planner @

Wednesday, June 18, 2008

ERM-BC-COOP: EM survey

Hal Newman, Executive Director, National Emergency Management Resource Center [NEMRC], posted an Emergency Management questionnaire for WGBH (a Boston public TV station).

Whether or not you participate in surveys is not important; what is important is that you, as an ERM-BC-COOP practitioner, read the questions. (You don't have to transmit your answers.)

A few of the questions are answerable only by folks working for government agencies, but the majority of the questions can be applied to the private sector as well.

Reviewing the questions may give practitioners in the non-government world some ideas to enhance safety for physically challenged staff and visitors - or at least cause them to think about improving safety for all concerned.

I know Hal well enough to know this is not "spam" or a gimmick.

Hal's appeal follows.

Dear Colleagues:

You are invited to take a brief survey to address an important subject: emergency notification for consumers who are deaf, hard of hearing, blind, visually impaired, or deaf-blind.

We would like to restrict respondents to 1) people working in emergency management and 2) people who have involvement with accessibility initiatives related to emergency notification practices. Multiple people from the same agency or organization are welcome to respond, and you are welcome to forward this invitation to others in the groups referenced above.

This twenty-two question survey is designed to identify existing and planned practices to make emergency notifications accessible. It should take about 10 minutes to complete. The survey is available online at Please answer every question, even if the answer is “don’t know”. The survey will be open until July 2, 2008.

This survey is being conducted by the Carl and Ruth Shapiro Family National Center for Accessible Media at WGBH ( through the “Access to Emergency Alerts for People with Disabilities” project, funded by the U.S. Department of Commerce (

The survey is screen-reader and keyboard accessible. If you have questions or need assistance filling out the survey, please e-mail . Thank you for taking the time to complete the survey; the results will inform our final project recommendations. We greatly appreciate it and will share the results on our Access Alerts Web site.

Be well. Practice big medicine.


Hal Newman
Executive Director, National Emergency Management Resource Center [NEMRC]
Toll Free: 1-888-NEMRC-11 [1-888-626-7211]

John Glenn, MBCI, SRP
Enterprise Risk Management/Business Continuity
Planner @

Thursday, June 12, 2008

ERM-BC-COOP: Risk Czar

To my simple mind, one of the primary risks to any ERM/BC/COOP effort lies with the ERM/BC/COOP organization.

Enterprise Risk Management (ERM), Business Continuity (BC), and Continuation Of OPerations (COOP) programs need to be structured similarly to the military.

At the very top is the Commander-in-Chief; in the Several States, the nation's president.

The CinC's top military person is the Defense Secretary, the SecDef, who holds a Cabinet-level position.

Reporting to SecDef is the Chairman of the Joint Chiefs of Staff; the chiefs of staff are the top managers of each service.

In the risk management world, the CinC is the corporate executive, either an individual (CEO) or executive team where, hopefully, one person is "more equal" than the others; someone has to be where the buck stops.

SecDef equates to the risk management sponsor, ideally a "C" title (CEO, CFO, CLO*, COO).

The Joint Chiefs' chair is the Enterprise Risk Management Director - it would be great if this person was at the SecDef/"C" level, but given the state of recognition for ERM, this is pretty much wishful thinking.

The other Chiefs of the Joint Chiefs are functional unit heads on the Enterprise Risk Management Director's level but outside this person's authority. There is a "dotted line" relationship of peers.

The Enterprise Risk Management Director is responsible for, among other things,

  • Business Continuity (proactive functions)
  • Contracts (review of critical vendor plans)
  • Contracts (with ERM vendors)
  • Crisis Management (including Communication)
  • Disaster Recovery (reactive functions)
  • Documentation creation and maintenance (with Tech Pubs)
  • Personnel Awareness & Safety (with HR input)
  • Policies & Procedures (as they relate to ERM)
  • Training and exercises (disaster response)

The ERM director has all the usual management functions such as budgets, staffing, etc.

Depending on the size of the organization, the ERM director may departmentalize some of the functions and anoint - sorry, appoint - managers to be responsible for the day-to-day operation of the various functions.

The ERM director is the Risk Czar, the King of Continuity. The "director" title is appropriate since, if an event occurs, the ERM director (or alternate - even a director needs an alternate) "directs" operations - and assures that all responders have what they need to succeed; the technical name for this activity is Gofer, as in "go for this" and "go for that." (The "gofer" may be the director's most important job if all responders are capable.)

The bottom line is that there must be a "supreme commander" with the knowledge and authority to coordinate all activities: to assure that, if Business Continuity is separate from Disaster Recovery, both groups' efforts dovetail to a common goal; that there is a smooth hand-off from Crisis Management to Disaster Recovery to Business Continuity; and that everyone knows not only what is expected but by whom.

Picture a relay race.

The fellow with the baton comes charging up to a group of three other fellows standing around; only one is eligible to receive the baton, but the current baton wielder doesn't know which one is THE one.

The ERM Director needs to know - and share with all the troops - who hands off what to whom.

* CLO = Chief Legal (Law) Officer

John Glenn, MBCI, SRP
Enterprise Risk Management/Business Continuity
Planner @

Wednesday, June 11, 2008

ERM-BC-COOP: SMBs and Understanding ERM

The June 6 issue of CPM Industry Insider has a couple of articles of general interest.

The first, titled Survey: 40 Percent Of Small Businesses Have No Disaster Preparedness Plan reports that a "new national survey reveals that a startling number of small businesses remain unprepared to face a potential disaster, be that a hurricane, tornado, wildfire or computer virus, and the majority of these businesses have no plans to change."

I doubt anyone will be surprised when they read the complete article at

The other article that caught my attention was headlined Executives Generally Confident With Enterprise Risk Management Efforts, Though Questions Remain.

The leed (cq) reads: "American executives may not fully grasp the scope of their companies' Enterprise Risk Management (ERM) needs, according to the results of a survey recently conducted by Accretive Solutions, in conjunction with Harris Interactive."

I can empathize with Small-Medium Business (SMB) owners; they usually are operating on a tight budget and they can't afford a high-priced consultant to come in to create a Business Continuity plan, nor can they afford the training (is there anyone other than the owner and perhaps the owner's spouse, to train?). Plan maintenance? Out of sight, out of mind.

Despite the financial strain, SMBs need business continuity plans, perhaps more so than the Fortune 100s. Northrop Grumman was hit, hard, by Katrina, but because it has the financial muscle, it managed to buy its way out of the mess left behind by the storm. While I lack specifics - I doubt anyone has hard numbers - I suspect many SMBs in Katrina's path never came back after the winds died down and the waters receded.

What is an SMB to do?

There are several options that are worth investigating.

One is joining (or forming) a group of like-businesses. Most of us know about the Independent Grocers Alliance, the IGA markets (see Car dealers have "interest" groups, why not jewelers or refuse haulers or ... pick a business.

An organization, such as the IGA, could employ a consultant or, if it is a national organization, employ a full-time program manager, to create plans for each entity and the organization.

An alternative is for professional service organizations - accountants, insurance agents, etc. - to offer planning services as a "value added" service.

Many SMBs depend on accounting firms to do the books on a quarterly basis; likewise, all organizations need insurance of one or more types. For the insurance agent, it makes good business sense for the insureds to have professionally developed plans.

Joe's Garage needs a plan, but it can't afford to pay my rates and it can't keep me busy.

But if Joe of Joe's Garage and Sara of Sara's Feed and Seed and several others in the area get together (what's the common link? The Chamber of Commerce, of course) - ahh, then I can make a living and keep busy and "they" will have plans created by an experienced planner.


Back to the Enterprise Risk Management article.

"Thirty-nine percent of respondents to this survey of Executive-level decision-makers at Fortune 1000 companies labeled IT security, a significant concern of any effective Enterprise Risk Management strategy, as their number one worry over the coming twelve months while at the same time just 6 percent of respondents expressed any discomfort with their existing ERM efforts.

"Since ERM is still such a new, unfamiliar concept for many executives, these results highlight two key points,” said Dirk Hobgood, Executive Vice President and Chief Financial Officer for Accretive Solutions ( “First, many executives are still in need of more education as to what Enterprise Risk Management means and entails, and second, that a surprising number of companies believe themselves to be protected when in fact their exposure to several key, unmitigated risks continues to be very real.”

These two paragraphs tell me that the surveyed executives fail to understand that, in most cases, IT is NOT the profit center; that IT is a RESOURCE for the profit center - along with Facilities, HR, Finance, Accounting, etc.

As Bob Dylan's song, Blowin' in the Wind, goes: "When will they ever learn?"

Still, I suppose just knowing the term "enterprise risk management" is a step forward.

John Glenn, MBCI, SRP
Enterprise Risk Management/Business Continuity
Planner @

Friday, June 6, 2008

ERM-BC-COOP: People and British Airways

I'm a member of the Business Continuity Institute, "The BCI." One of the membership benefits is "Continuity," a very slick (in the best sense) 6-times-a-year magazine.

I opened the May issue the other day and on Page 1 I read two articles, one by the magazine's editor (Nigel Allen) and one by the BCI chair (Chris Green).

Putting people into the plan by Mr. Green gave me a great deal of satisfaction.


I have been preaching for some time (as in "years") that "an organization's most important resource is its people."

My Spouse learned, as an MBA candidate, that "people are a renewable resource." That is, I gather, the MBA mentality. (I didn't write that The Spouse agreed with the opinion.)

Mr. Green apparently was pleased that the "buzz phrase" heard at the recent Business Continuity Expo "seemed to be 'the human aspects of business continuity'." But he also expressed amazement, as do I, that organizations are just now catching on to this idea.

"I find it difficult to understand how this (organizations only now recognizing the importance of people) can be the case. Surely people are the very bedrock upon which organisations are built and as such should be an integral component of any continuity strategy."

Bravo! Mr. Allen.

Only as good as your last response by Mr. Green gives a brief overview of the latest British Airways (BA) faux pas, "The Terminal 5 Incident."

BA has had its problems recently.

First it was the caterer strike (2005), which spread to baggage handlers and severely inconvenienced passengers.

Now the problem with the new terminal.

Mr. Green wrote that "according to BA, it (BA) conducted six months of 'proving trials' in the run-up to the opening." That certainly is to the airline's credit.

But it failed to avoid the disaster that came with opening day.

Like an MBA, BA has a mindset about business continuity, and it seems to be "disasters can't be avoided."

I had an exchange, "warm" but polite, with a Business Continuity person at BA following the caterer/baggage handler strike; his take: there was nothing BA could have done to avoid or mitigate the risk even though the airline knew there was dissension in the caterer's ranks.

BA did have "disaster recovery" in both cases, but the events damaged both BA's reputation and its financial well-being.

According to the thisismoney Web site, the caterer's strike cost BA some GBP45 million (US$88,299,000/Euro 70,488,000).

Mr. Green, correctly, cautions that "while we look at BA, let's also look inwards; how would your incident team have coped?"

Mr. Green has, perhaps inadvertently, stumbled upon the problem which is the disaster recovery mentality: "how would your incident team have coped?" That's a good question, but the better question is "How would your ERM team plan to identify and avoid or mitigate risks?"

Yes, I understand BA exercised the terminal's operations, but it wasn't prepared for the unexpected.

As Mr. Green wrote: "In the end, the problem has occurred and BA has dealt with it. An incident review must occur. What obvious oversights happened, and what assumptions were made? What must BA do differently in the future? What can BA learn, and what can it change for the future?"

Might I suggest that BA - and all organizations - should think proactively rather than reactively; consider all the risks and then plan for them and "the ubiquitous other" that always is a threat.

John Glenn, MBCI, SRP
Enterprise Risk Management/Business Continuity
Planner @

Thursday, June 5, 2008

ERM-BC-COOP: Security an ERM issue?

All of the following are from SC Magazine's URL,

    AT&T management staff data on stolen laptop: An undisclosed number of management-level workers at AT&T have been notified that their personal information was stored unencrypted on a stolen laptop. (June 4)

    Walter Reed suffers peer-to-peer data breach: Unauthorized file-sharing is to blame for a data breach at Walter Reed Army Medical Center that exposed the personal information of nearly 1,000 patients. (June 3)

    Medical data breaches on the rise: During the month of May, for example, patients at Staten Island University Hospital in New York were told that a computer with their medical records was stolen four months earlier, while information on patients of the University of California San Francisco (UCSF) Medical Center was accessible on the internet. The affected patients were told six months after it was discovered. (May 14)

    Deloitte stolen laptop: A laptop containing the personal information of an undisclosed number of Deloitte & Touche partners, principals and other employees was stolen while in possession of a contractor responsible for scanning the accounting firm's pension fund documents, learned today. (Dec 4)

The above are just the "tip of the iceberg." Stolen notebook computers, data removed on floppies, memory sticks, external hard drives, and other media, compromised passwords and more.

All are a security manager's nightmare.

But are the Chief Security Officer's (CSO) worries an ERM practitioner's worries?

Let me rephrase the question (a technique every ERM practitioner needs to practice): is security - data and physical - a risk to the enterprise and any or all of its components?

The answer to the question, as I see it, is a resounding "YES!" Security, in all its forms, falls within the "interest" of the ERM practitioner.

That is not to suggest the CSO should report to the ERM practitioner any more than the Chief Financial Officer (CFO), concerned with financial risks, or the Chief Information Officer (CIO), or any other Chief anything should report to the ERM practitioner (who, if you ask me, also should be a "C"-level officer).

These people need to be allies; they need to work together for the good of the organization.

I work with a CSO - we used to sit in adjacent cubes 'til he moved up (literally, to the 6th floor). We share many of the same concerns, albeit sometimes from a different perspective.

My cube used to back to a physical security person's cube.

My ERM interests and her security (badging, mostly) interests generally aligned.

We - the three of us - became, and remain, a "mutual admiration society."

While the CSO's mandate is computer security and the "badger"'s is physical security, mine covers both areas. When ERM is in the lead role, these two people are my Subject Matter Experts (SMEs) in their respective fields - and believe me, they ARE experts in their fields.

All of this, of course, still fails to identify a means to stop security violations and "just plain stupidity."

Training? That's a start.

Carrot and stick? Might prove useful; or it could antagonize.

Tighter security; "Big Brother" at the portals and physical doorways?

So far, nothing seems to be all things to all people.

What is certain is that something needs to be done.

Maybe the "something" needs to vary by organization.

The bottom line is security is an ERM concern and the ERM practitioner is in an ideal position to gather ERM allies to coordinate and promote security measures appropriate for the organization, and to assure the measures are current as the organization evolves.

Late email on June 5

ID Experts: Customers Cut Ties After a Data Breach

According to "The Consumers' Report Card on Data Breach Notification," a study by the Ponemon Institute released in April 2008, 31 percent of respondents cut ties with the organization responsible for the breach of their personally identifiable information.

That helps make my point about security being an ingredient of Enterprise Risk Management.

John Glenn, MBCI, SRP
Enterprise Risk Management/Business Continuity
Planner @

Wednesday, June 4, 2008

ERM-BC-COOP: Critical documentation

I wrote an article, "Thinking Outside the Box: Ignored BIA can be costly," that appeared in the Spring '05 issue of the Disaster Recovery Journal.

The article, based on articles I read elsewhere, looked at the need for a skilled business continuity planner; the leed (cq) read:

A computer magazine article I recently read makes it clear that ...

(a) failing to employ the services of a business continuity planner who “thinks outside the box” and

(b) failing to implement the planner’s recommendations can be expensive for the organization.

The article made reference to court actions and a Maine PUC decision.

What the article lacked were citations, footnotes.

When the article was published back in "oh-five," I got a few emails asking "what court cases" and I had to go back to my copy, which included footnote links, to provide the answer.

Unfortunately for me, the hed (cq) on my version ( is different than the one on the DRJ version ( That's OK, except it was a job finding my version on my URL.

The other day, the article was pulled from the archives and advertised on the Disaster Recovery Journal eXpress, an email that goes to all DRJ subscribers.

The emails began again.

Now I'm flattered that people read what I write and maybe leaving "holes" in an article is a good way to find out if it is being read or not, but I feel obliged to put it all on the table.

OK. What's the Enterprise Risk Management (ERM) link to all this? Besides the obvious article connection.

The link is "documentation."

Documentation is a critical element in ERM/business continuity/COOP programs.

It must be concise.

It must be written with the audience's level of comprehension in mind.

It must be complete.

The article that appeared in DRJ lacked the references; it was not complete.

No harm was done; people who wanted to know which courts could - and did - contact me.

However, if this had been "What to do when the siren wails," and it was incomplete, someone could be injured or even killed. Even the absence of something simple such as "You will need an XZY widget to install the thing-a-ma-bob" can delay recovery and prove dangerous to the bottom line.

I should know better. I used to be a reporter, and then I was a technical writer. I know documents need to be complete.

But either I was in a hurry or I was lazy, and my story in DRJ was lacking.

Fortunately, no harm was done and I got to exchange emails with some interesting people.

But I am reminded - again - that documentation must be complete to be fully useful.

John Glenn, MBCI, SRP
Enterprise Risk Management/Business Continuity
Planner @