Friday, August 22, 2008

ERM-BC-COOP: NYC earthquake prone?

OK, you are in California sitting on a fault line.

You're looking for a safe alternate site.

New York, where else? No quakes there.

Well, maybe not quite.

According to the article "Earthquakes may endanger New York more than thought": "A study by a group of prominent seismologists suggests that a pattern of subtle but active faults makes the risk of earthquakes to the New York City area substantially greater than formerly believed. Among other things, they say that the controversial Indian Point nuclear power plants, 24 miles north of the city, sit astride the previously unidentified intersection of two active seismic zones."

A quake is not likely to hit both coasts at the same time, so an alternate site in the Empire State can still be valid; the study does, however, point out the need to thoroughly research alternate site locations before signing a contract.

I am not a Nervous Nelly when it comes to nuclear power generating plants such as Indian Point - I used to comfortably live near Three Mile Island (TMI) and would do so again - but including earthquakes into the equation seems reasonable.

Granted, in the "normal" scheme of things, Enterprise Risk Management (ERM) practitioners "prioritize" risks by probability and impact, and granted, the probability of an earthquake at TMI, Indian Point or Turkey Point is minimal, but the impact could be substantial.

As an ERM practitioner, I would be obliged to point out - loudly and in whatever manner that would get results - that "Houston, we have a potential problem" of some magnitude.

In this day and age, we know how to build earthquake-resistant (is there such a thing as "earthquake proof"?) structures; the Japanese do it routinely.

Because of the terrorist threat and, going back to the "cold" war, the threat of enemy attack (the difference being a rogue threat versus a state threat), n-plants are fairly well fortified.

The question: is "fortification" mutually exclusive with "earthquake-resistant"?

I'm not an architect or geo-physical scientist, but I am an ERM practitioner who knows that I need to find Subject Matter Experts (SMEs) - architects and geo-physical scientists, among others - who can provide the information I need.

As a relatively young reporter at the Harrisburg PA Patriot-News, I wrote enough copy about the pros and cons of TMI to fill a newspaper broadsheet page. As a reporter, it was my job to report, not editorialize. As an ERM practitioner, my job is to editorialize. And to promote my "educated opinion."

I hope I - we - are not "a voice crying in the wilderness" (a misquote and taken out of context as it happens) or that our voice falls on deaf ears as, alas, is too often the case.

Should practitioners go around shouting "The sky is falling, the sky is falling" because someone wants to do something that is less than 100% safe?


And no.

In the case of the n-plant, if someone insists on building it on a fault, at least insist that the site be earthquake "tolerant" - that is, so that if a quake does happen, even in the "worst case" situation, danger to people is contained.

The bottom line is that no matter what is proposed, and no matter where it is proposed, the ERM practitioner must do his or her in-depth homework - do more than just read back issues of the local paper (although that is a good resource) - to ferret out all the risks, even the unlikely ones.

Risk management includes risk mitigation; in the case of the n-plant site selection, the risk of a location on a fault line can be mitigated by the structure's architecture.

(As an ERM practitioner, I would most assuredly have a couple of independent construction experts maintain close supervision of construction. I am not a "Nervous Nelly," but when the risk is as great as presented here, I am "suspicious.")

Trade-offs are OK, providing we have done our homework in-depth, and that means talking to all the SMEs, both locally and elsewhere.

But an earthquake in Manhattan?

Who would'a thought?

John Glenn, MBCI, SRP
Enterprise Risk Management/Business Continuity
Planner @

Tuesday, August 19, 2008

ERM-BC-COOP: GTAG, you're it

I was introduced this morning to the Institute of Internal Auditors' (IIA) Web site.

I was pointed there by another practitioner who agrees with me that "auditors are our friends."

The IIA publishes a series of documents called GTAGs; translation: Global Technology Audit Guides. There are 11 of them linked from the IIA site.

GTAG 10 is titled Business Continuity Management.

It's a free PDF download and worth every bit of the 1.65 MB of space it will take up on a hard drive.

GTAG 10's authors - whose bios are included near the end of the document - are real-world risk managers who come from a variety of industries.

I confess I was ready to hit the email when I read in the Page 1 Executive Summary that "The goal of business continuity management (BCM) is to restore critical business processes after a disaster has been declared."

While I agree with the focus on the business, my knee-jerk reaction was "where's avoidance and mitigation?" These two gems separate BC from DR more than anything else (in my book).

Page 2 was no better: "BCM capabilities are focused on the recovery of critical business processes to minimize the financial and other impacts to a business caused during a disaster or business interruption."

But then I read:

2. Can the organization prove the business continuity risks are mitigated to an approved acceptable level and are recertified periodically?

and hope began to shine forth.

I found myself nodding my head in agreement as I read on Page 3 how IIA defines BCM:

Business continuity management is the process by which an organization prepares for future incidents that could jeopardize the organization’s core mission and its long-term viability. Such incidents include local events like building fires, regional events like earthquakes, or national events like pandemic illnesses. The key components of the BCM are:

  • Management Support — Management must show support to properly prepare, maintain, and practice a business continuity plan (BCP) by assigning adequate resources, people, and budgeted funds.

  • Risk Assessment and Risk Mitigation — Potential risks due to threats such as fire, flood, etc., must be identified, and the probability and potential impact to the business must be determined. This must be done at the site and division level to ensure the risks of all credible events are understood and appropriately managed.

  • Business Impact Analysis (BIA) — The BIA is used to identify business processes that are integral to keeping the business unit functioning in a disaster and to determine how soon these integral processes should be recovered following a disaster.

  • Business Recovery and Continuity Strategy — This strategy addresses the actual steps, people, and resources required to recover a critical business process.

  • Awareness and Training — Education and awareness of the BCM program and BC plans are critical to the execution of the plan.

  • Exercises — Employees should participate in regularly scheduled practice drills of the BCM program and BC plans.

  • Maintenance — The BCM capabilities and documentation must be maintained to ensure that they remain effective and aligned with business priorities.

Crisis Management Planning and Disaster Recovery of IT were separate headings.

I might quibble about the order of Risk Assessment and Risk Mitigation and Business Impact Analysis (BIA) in the IIA's list, and I firmly believe crisis management is part and parcel of business continuity, and that IT disaster recovery is part of the business continuity recovery process.

But all-in-all, IIA's document seems to have gotten off to a good start.

IIA really won me over when, on Page 6 it listed people as Number 1 under the Common Disaster Impacts heading. Following People were Facilities and equipment, Communication infrastructure, Supplies, and Information and IT systems.

I agree with so much of what is presented in GTAG 10, Business Continuity Management, I could have authored (most of) it.

For the ERM/BC/COOP practitioner, GTAG 10 is an excellent resource if for no other reason than that it comes from auditors.

While many middle- and upper-level managers cringe when they hear the words "The auditors are coming," I delight in them.

Auditors, if they have any concept of business continuity, can be an asset to the practitioner.

Auditors, if they lack any concept of business continuity, should find a practitioner to give them an overview - or point them to this document and to the IIA.

There are a number of very good "what's business continuity and how to do it" documents out in the world; the International Facility Management Association has one.

What sets this publication apart is that auditors, unlike, say, facility managers, (should) have a broad view, one focused on the enterprise rather than only a small part of it.

From my perspective, GTAG 10 is a keeper.

John Glenn, MBCI, SRP
Enterprise Risk Management/Business Continuity
Planner @

Thursday, August 7, 2008

ERM-BC-COOP: Real threat

A Yahoo group in which I participate - not just lurk, but participate - recently had an appeal for help, bits and pieces of the thread follow.

"A friend of mine needs a template for a COOP plan for a tenant activity on a military base. I have many COOP templates, but not for a military unit. I'd appreciate your assistance.

"I'm looking for someone's experience writing a plan specifically for an individual unit in support of the overall military installation COOP.

"This guy is in Army National Guard and his civilian job is with my organization, the *. He has been tasked by his Guard unit to develop the COOP plan during his two week training, so I thought I could find a good template/plan that he could use as a guideline since he's not an experienced COOP planner."

My response to the poster was perhaps less than politically correct, although it was restrained and polite.

How anyone with any conception of ERM-BC-COOP could even suggest that a less-than-tyro could create a plan in two weeks - even with a fill-in-the-blanks template - is beyond my ken.

The officer who assigned this detail may have it "in" for the Guardsman; certainly the weekend warrior has been thrown into a lose-lose situation; worse, if he does cobble something together that hints at being a plan, it probably will be accepted and touted as The Answer To All Threats when in fact it's nothing more than wasted effort that can endanger the unit's personnel and mission.

In a word, the proposal to have an absolute novice create a plan in two weeks is, at best, "stupid."

If I wrote it, you can quote it.

The Guardsman's predicament is symptomatic of what's wrong with ERM/BC/COOP today.

Ignorance at the top expecting perfection from unskilled staff.

I'd like to invite a high school biology student to perform surgery on the officer(s) who assigned this task. I seriously doubt the officer(s) would tolerate such a situation, yet they are willing to jeopardize lives and mission by tasking an untrained person with a critical task.

John Glenn, MBCI, SRP
Enterprise Risk Management/Business Continuity
Planner @

Monday, August 4, 2008

ERM-BC-COOP: Bottom line

The Bottom Line for Enterprise Risk Management (ERM), Business Continuity (BC), and Continuity Of Operations (COOP) practitioners IS the bottom line.

When proposing ERM (a/k/a BC and COOP) to a person with fiduciary responsibility, the first question the practitioner should expect to be asked is "What's the ROI?" (ROI = Return On Investment).

In other words, if the organization puts up "n" units of local currency, what is it going to buy the organization?

It is a good question. It is a legitimate question. It is a difficult question to answer with hard facts.

After all, if there is a program in place and a risk is avoided or mitigated to a pittance, how can the practitioner tell the organization "the program saved 'n' units of local currency" or "because of the program, the organization was able to make 'n' units of local currency in revenue"? If a competitor or neighbor goes "belly up" and the planner's organization survives the threat, the "incident," then the practitioner can point to the competitor or neighbor and say with some confidence "there, but for the ERM program, goes this organization."

It's wonderful when an organization's senior management is so enlightened that it recognizes the importance of its personnel and places them at the top of the list of resources to protect. Unfortunately many organizations are run by people from the MBA school of thought that considers people a renewable resource. (They are, but like trees, it takes time to "grow" them into the job.)

Given all that, we're back trying to show a benefit to the bottom line.

We have a new ally, perhaps several.

According to an article in ZD Net Asia (,3800011228,63005446,00.htm) by Nathaniel Forbes, director of Forbes Calamity Prevention, the "U.S. credit rating agency Standard & Poor's (S&P) started evaluating the enterprise risk management (ERM) capabilities of non-financial companies that it covers.

"S&P currently evaluates risk management at banks, insurance, energy and agribusiness companies, and now wants to do so for companies in other sectors. The S&P 500 index of American companies is well known. S&P rates companies, governments and debt instruments all over the world."

He predicts that "The other ratings agencies won't be far behind in making similar announcements if S&P succeeds in selling its concept of ERM evaluations to its customers."

Forbes contends that "Extrapolating an ERM evaluation to a logical, eventual conclusion, if a company didn't have a business continuity management (BCM) program, its credit rating could be lowered. The consequence? Borrowing money would cost more, and for the large companies that S&P reviews, that could be a material consequence."

The article includes a sample calculation that is worth sharing. It goes like this:

"Suppose" Forbes suggests, "one of those companies rated by S&P wanted to issue a bond for US$200 million to build a new plant in.. Suppose that, due in part to its assessment of the company's risk management, S&P lowered the company's credit rating from, say, A- (upper medium grade) to BBB+ (lower medium grade). As a result, the company is forced to pay a 4.1 percent coupon instead of 3.9 percent to make the bond attractive to investors or underwriters. Based on US$200 million, two-tenths of 1 percent (the difference between 4.1 percent and 3.9 percent) is US$400,000.

"What could you do for US$400,000? Could you develop a company BCM program for US$400,000? Could you hire an experienced, certified BCP professional to run it for US$400,000? Set up a recovery site? Could you make a company genuinely more resilient--and therefore more credit-worthy--for US$400,000? As we say in Minnesota, "You bet'cha!" The benefit side of the BCP cost-benefit equation would be much easier to quantify."
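One caveat a practitioner should carry into the CFO's office: a coupon difference is paid every year the bond is outstanding, so the US$400,000 is an annual figure, not a one-time cost. The Python below is an added example, not code from Forbes's article or from this blog; it takes Forbes's US$200 million, 3.9% versus 4.1% scenario and carries the arithmetic across the life of the bond. The 10-year term, the 5% discount rate and the US$1 million program budget in the demo are assumptions, not figures from the article.

```python
# Added example (not from Forbes's article or the original post): the coupon
# penalty from a ratings downgrade recurs every year the bond is outstanding,
# so the cost of *not* having a BCM program is the annual figure times the term,
# discounted if you want a present value. The 10-year term, 5% discount rate
# and US$1M program budget used below are assumptions, not article figures.


def incremental_coupon_cost(principal, coupon_low, coupon_high, years, discount_rate=0.0):
    """Return (annual_extra, lifetime_extra) for a bond whose coupon rose from
    coupon_low to coupon_high because of a downgrade.

    Rates are decimals (0.039 means 3.9%). lifetime_extra is the annual
    penalty summed over `years`, discounted to present value at discount_rate
    (0.0 gives the plain undiscounted total). Both values are rounded to cents.
    """
    if years < 1 or principal <= 0:
        raise ValueError("need a positive principal and at least a one-year term")
    annual_extra = principal * (coupon_high - coupon_low)
    lifetime_extra = sum(
        annual_extra / (1.0 + discount_rate) ** t for t in range(1, years + 1)
    )
    return round(annual_extra, 2), round(lifetime_extra, 2)


def payback_years(program_cost, annual_extra):
    """Years of avoided coupon penalty needed to fund a BCM program costing
    program_cost. Returns infinity when there is no penalty to avoid."""
    if annual_extra <= 0:
        return float("inf")
    return program_cost / annual_extra


if __name__ == "__main__":
    # Forbes's scenario: US$200 million bond, A- at 3.9% versus BBB+ at 4.1%.
    annual, undiscounted = incremental_coupon_cost(200_000_000, 0.039, 0.041, years=10)
    _, present_value = incremental_coupon_cost(
        200_000_000, 0.039, 0.041, years=10, discount_rate=0.05
    )
    print(f"extra coupon per year:          US${annual:,.0f}")
    print(f"over 10 years, undiscounted:    US${undiscounted:,.0f}")
    print(f"over 10 years, PV at 5%:        US${present_value:,.0f}")
    # Assumed all-in cost of a BCM program: US$1 million.
    print(f"payback for a US$1M program:    {payback_years(1_000_000, annual):.1f} years")
```

The undiscounted total is the number to put beside the program budget; the present-value figure is the one a treasurer will recognise, since it answers "what is that stream of extra coupons worth today?" Either way the argument is stronger than the single-year US$400,000 because the penalty recurs for as long as the lower rating does.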

Something to think about when the CFO asks "what's the ROI?"

It provides a better answer than asking in response "What's the ROI on liability or property insurance?"

For most organizations, even NGOs, non-profits, and charities, The Bottom Line IS the bottom line.

Anything an ERM practitioner can do to enhance the bottom line - not just protect it but enhance it - makes the effort to "sell" ERM a little easier.

The entire article, with included links, is well worth reading.

John Glenn, MBCI, SRP
Enterprise Risk Management/Business Continuity
Planner @