Thursday, September 25, 2008

ERM-BC-COOP: Interesting items

A couple of interesting items crossed my desk today.

One is a business card-size CD.

The other is a notification system.

The CD needs more research, but I think the effort may be worthwhile.

I discovered it scanning a posting on one of the Emergency Management lists I follow.

Basically, a product called "Pocket MD" ( creates a card/CD that contains "up to 200 pages of data" and can be played on any Windows computer.

If we assume - I know, that's dangerous - that "200 pages" equates to 200 8*10 or "A" size pages, that's a lot of information.

Enough to hold a complete ERM/BC/COOP plan.

According to the blurb, the data on the CD have "protections for privacy in place now under the Health Insurance Portability and Accountability Act, with penalties for violations." That really doesn't tell me a lot, but then I'm not interested in the product, only its media.

I can password protect or encrypt data before it goes onto a CD - regardless if the CD is "normal" size or a mini.

At this point, I don't know (a) where to buy macro CDs and (b) if I can write to them; reading on a computer (why only Windows?) is one thing; writing may be another.

I'm a person who still prefers documentation on paper, but I realize there are many people who prefer their information presented on a monitor, even a miniature, cell phone-size one. The macro-CD allows both (all I need is printer access, paper, and "ink").

The idea that I can stick an entire plan in my wallet - I hope the CD is rugged - appeals to me.

Easier to keep handy than a full-size CD or memory stick that might get erased.

True, I still have to lug around a machine to display the CD's contents, but can equally small CD players be far away? Imagine inserting a micro CD into a Walkman-size or BlackBerry-size device with, hopefully, connectors to a BIG monitor and printer.

I wonder if the micro CD can handle audio as well as text. Let me listen to the plan, rather than try to read it on a BlackBerry screen.

The notification system is called "Twitter" (

Twitter can send messages to cell phones or an Internet connection (IMs, Web page).

Messages to cell phones and IM devices are limited to 140 characters, which may not seem like a lot, but actually can convey useful information. The sentence you just read is 144 characters, including spaces and the final period; 140 of those characters are in red.

If a message is longer than 140 characters, it can be read on the WWW (with the first 140 characters displayed on phone or IM device).

The URL above - - is the FAQ which I thought was a good place to introduce you to the application's functionality. There is a link on that page back to the Twitter home page.

Twitter's raison d'etre is simple: "Twitter is a service for friends, family, and co-workers to communicate and stay connected through the exchange of quick, frequent answers to one simple question: What are you doing?"

For ERM-BC-COOP practitioners and EM responders, the "What are you doing" can be turned into something more akin to "ET call home."

I already get text messages on my phone from my county's emergency management folks (and emails as well), so I understand the value of a short message.

Something to consider.

Macro CDs and another way to alert people who want to be alerted.

John Glenn, MBCI, SRP
Enterprise Risk Management/Business Continuity/COOP

Wednesday, September 17, 2008

ERM-BC-COOP: Not in scope?

If an organization's

  • image
  • production
  • employee welfare & attitude
  • vendors
  • credit sources
  • market value (stocks, bonds)

are "in scope" for the Enterprise Risk Management (Business Continuity/COOP) practitioner, why not the organization's financial concerns that, after all, impact everything on the bulleted list - and more?

I'm thinking of the financial crisis du jour.

Banks belly up.

Insurance company bailed out with a federal loan in the billions.

All somehow laid at the feet of mortgage brokers who, it is claimed, allowed too many too-risky mortgages to be approved.

No organization or person is immune from some impact of this money crisis. Even if you don't have money in The Market, you are spending money at the (super)market, and prices there have crept - in some cases, leapt - up.

'Course fuel prices must share some of the blame.

But the real crunch seems to be due to the number of "bad" loans.

Many of the mortgages were issued with minimal collateral - the lender figured, with some justification, that the value of the property would go up and therefore protect the loan. When values dropped, the loan-to-collateral ratio was reduced.

That might not have been so bad, but at the same time, people started losing their jobs.

With no income, mortgage payments stopped.

Since the property value was less than the loan . . .

The results are obvious.

I understand the mortgage business is complicated.

I took a mortgage on a property and before the first payment it had been sold to another company.

Actually, it may have been sold several times before I got my payment coupon book.

As the paper traveled from hand to hand, I have to wonder if there was "full disclosure" about the loan. Did the organization that "packaged" my loan with others package it with similar-collateral loans, or was mine tossed into a "pot" of loans of various "creditability"?

Did the organization - apparently the AIGs of the world - know the true loan risk when it bought the mortgage packages?

In the "real world" of personal finance, my Financial Manager (a/k/a The Spouse) insists that we diversify our limited funds. I am in full agreement.

I am inclined to take a bit more risk in the market; she is more conservative, but we both agree that diversification is the best way to protect what we have.

The market's decline HAS hurt us, but because we are diversified, we are surviving better than some.

AIG, as big as it is, apparently put too many "eggs" into one basket.

Lehman Bros., ditto.

Just two of the recent headline names.

I wonder if these organizations had a comprehensive enterprise risk management program, if the management had been honest and candid with the risk management practitioners, if the practitioners had recommended greater diversity, and - finally - if management had listened to and followed the practitioners' advice, would they be as deeply in financial trouble.

Too often, the books are "out of scope" for the practitioner.

Too often, working with qualified financial auditors is "out of scope" for the practitioner.

OK, I'll concede that there have been some less than above board auditors, but "in general."

The risk manager must be privy to ALL the organization's interests. The risk manager need not be an expert in anything (other than risk management); the risk manager depends on specific-discipline Subject Matter Experts (SMEs) such as the aforementioned auditors.

I've worked with CPAs; they know a lot more about accounting than this scrivener can ever hope to know.

I've worked with police who know physical security inside out.

I've worked with data security folks who protect my bits and bytes from miscellaneous dangers I've never heard about.

Most of my career as a risk management practitioner and as a writer before that has required that I identify and turn to SMEs.

Enterprise risk management must be allowed to look into all the organization's corners and closets.

Still, even when the practitioner ferrets out a risk - in today's exercise, over-exposure in the mortgage market - management has to listen and act.

Could the current financial melt-down have been prevented if risk managers had access to all of an organization's information?

One risk manager at one organization would not have prevented this debacle, but many risk managers at many organizations . . . maybe.

John Glenn, MBCI, SRP
Enterprise Risk Management/Business Continuity
Planner @

ERM-BC-COOP: Vacuum (&) bags

I was reading a book the other day.

Not a very good book, but it had one scenario that appealed to me.

The scene is set at an airline's Lost Bags office.

As a consultant, I know the scene very well.

Seems the author and his bags got separated and he was waiting in line to report the loss.

The airline person was asking the person at the front of the queue about his luggage.

    Clerk: "What color is it?"

    Traveler: "I don't know."

    Clerk: "How big is it?"

    Traveler: "I don't know."

At this point, the author tells us he's wondering what idiot doesn't know the color or size of his bag?

Then, the author continues, he learns - to his embarrassment - that the person in front is blind.

The author's point, and it is a good one, is that we should get all the facts before we come to a conclusion.

The story, when given some thought, seems to ring as false.

If we can assume our blind passenger didn't get off the plane and go directly to the Lost Bags office, consider this:

    Our traveler goes to the baggage carousel.

    He can't see the bags as they go round-and-round.

    So he needs help from someone nearby.

    To get help he needs to tell the helpful neighbor something about the bag.

    Something unique - a colorful strap, an unusual luggage tag, something.

Things the traveler could, and I'm confident would, have known and shared with the Lost Bags clerk.

(Do you know anyone who would buy or borrow a suitcase without knowing ANYTHING about it?)

'Course if our sightless traveler was high tech, the bag may have had a small transmitter, but there was no indication of this and, besides, it ruins my story.

The point I'm trying to make is if our author had batted around the idea with others before setting the story to paper he might have seen the "holes" I found.

Believe it or not, THAT is the point of this exercise.

Practitioners should never - repeat never - create a plan in a vacuum.

One person simply will not think of "everything."

I was in a meeting the other day and we were dealing with a violence in the workplace scenario.

The group mulling the situation - a person, believed to be a disgruntled employee, came to the office building with a shotgun, blew away the weaponless guards, and proceeded up a staircase to the fourth floor - included Facilities, HR, IT, and Security, and maybe others representing interests I didn't catch.

The exercise was interesting. We had input from a variety of perspectives, both professional and personal.

I was the only professional risk management practitioner in the group.

Trust me, I learned things; I was introduced to "what ifs" I had not considered, "what ifs" I normally would not consider on my own.

I've been doing risk management for more than a baker's dozen years, and every time I'm involved in an event such as the one the other day I learn something new - or at least I'm reminded of something that might have slipped my mind.

While it often is fun to play the "what if" game with other practitioners - we do have some interesting "off-the-wall" experiences - we need to listen to ALL sources, even if we think they are talking outside their professional area of expertise.

I practice what I preach.

John Glenn, MBCI, SRP
Enterprise Risk Management/Business Continuity
Planner @

Sunday, September 14, 2008

ERM-BC-COOP: Suicide murder passé?

While suicide murderers normally are not a high risk for most Enterprise Risk Managers/Business Continuity planners, falling more into the realm of government agencies such as police and intelligence groups, maintaining awareness is appropriate for us both to protect facilities (and the people in them) and our people on the move. We all know of shoulder-fired missile attacks on commercial (civilian) aircraft.

The following appeared on the NY Times' September 10, 2008 op-ed page, titled "Living to Bomb Another Day." Ronen Bergman, a correspondent for Yedioth Ahronoth, an Israeli daily, is the author of "The Secret War With Iran."

Copyright 2008 The New York Times Company

"AMONG all the bombs, explosives and guns, the number of martyred dead is rising. Though this is the will of Allah, it is nevertheless possible to cause the enemy greater damage without exposing the Muslims to danger. How is it to be done?"

This question, which appeared as a post in May on the Web site Al7orya, one of the most important of Al Qaeda's closed Internet forums, is only one example of the evidence that has been accumulated by American and Israeli intelligence in recent months of a significant ideological change under way within Osama bin Laden's organization. Seven years after 9/11, it may well be that we are witnessing the beginning of the end of suicide terrorism and a shift toward advanced technologies that will enable jihadist bombers to carry out attacks and live to fight another day.

Although Islamic suicide terrorism dates back to the anti-Crusader "assassins" of the 11th century, its modern history begins with statements made by Sheik Mohamed Hussein Fadlallah, the spiritual compass of Hezbollah, in an interview published in 1983. "We believe that the future has surprises in store," he said. "The jihad is bitter and harsh, it will spring from inside, through effort, patience and sacrifice, and the spirit of readiness for martyrdom."

A short time later, Sheik Fadlallah's bodyguard, Imad Mughniyah, organized a series of murderous suicide attacks - first against Israeli military targets, then against the American Embassy in Beirut and finally, of course, against the barracks of the American-led multinational force in Lebanon, causing nearly 300 deaths. From there, it was a short march to 9/11.

Despite countless attempts by Western intelligence agencies, and the many projects by psychologists trying to draw the profile of the average suicide terrorist, we have failed miserably in finding a solution to the "poor man's smart bomb." Now, however, attrition may achieve what the experts have not: after years of battle in two main arenas - Iraq and Afghanistan - Al Qaeda's suicide-recruitment mechanisms are beginning to wear out.

While the terrorist group has been careful not to mention it in its official statements, it is no longer uncommon to find jihadists in their chat rooms and, according to Western intelligence sources, in interrogations, stating that young men are reluctant or simply too scared to take part in suicide attacks. At the same time, military blows against Al Qaeda's training structure since 2001 have meant that the number of extremists with combat experience is decreasing, and that new recruits are harder to train.

The startling cost in lives of its operatives in Iraq and Afghanistan has motivated Al Qaeda's technical experts to start seeking technical solutions, primarily on the Internet, that would render suicide unnecessary. These solutions mostly revolve around remote controls - vehicles, robots and model airplanes loaded with explosives and directed toward their targets from a safe distance.

This turn to technology, however, is not devoid of religious aspects: although dying in battle is undisputedly holy, many scholars claim that any intentional taking of one's own life is forbidden, thus outlawing suicide attacks altogether. Even religious rulers who endorse suicide attacks consider them to be a last resort, to be used only when all other means are exhausted.

"Martyrdom operations are legitimate, and they are among the greatest acts of combat for Allah's cause," said Bashir bin Fahd al-Bashir, a Saudi preacher and one of Al Qaeda's most popular religious authorities, in a recent sermon. "But they should not be allowed excessively. They should be allowed strictly on two conditions: 1. The commander is convinced they can definitely inflict serious losses on the enemy. 2. This cannot be achieved otherwise."

The meaning of such dictates is clear: carrying out suicide attacks when there are alternatives that would allow the bomber to survive should be considered "intihar," the ultimate sin of taking one's own life without religious justification.

Avoiding suicide has become the major topic on Al Qaeda's two main Web platforms for discussing the technological aspects of jihad, the forums Ekhlaas and Firdaws. "Those overpowering Satan's seduction are few, and we sacrifice those few since they may win us Paradise," read a posting on both sites this summer on the subject of "vehicle-borne improvised explosive devices." It continued: "Yet, keeping them alive is beneficial for us, since every one of them is tantamount to an entire people. So we must find a way to save those lives and harness that zeal."

The post led to a vast and heated online discussion among extremists, illustrating the new complexity of the topic. As the jihadists on these sites move from discussing ideology to the practical aspects, it becomes clear that their biggest technological challenge will be moving on from the radio-wave technology that has proved highly successful in remotely setting off homemade bombs against military convoys in Iraq to the more delicate task of getting the explosive to its target and then detonating it without being exposed.

Unfortunately, Al Qaeda seems well on its way to gaining such an ability. Chatter on these sites has tended toward discussions of the various types of remote-piloted aircraft able to carry the necessary weights, as well as specific robot designs, including models that police forces use to dispose of explosive devices. One extremist pointed out the ease with which such robots can be acquired commercially.

Also, in a document posted last month at Maarek, the most sophisticated jihadist forum for discussing explosives manufacturing, a prolific technical expert calling himself Abu Abdullah al-Qurashi suggested training dogs to recognize American troops' uniforms, then releasing other dogs carrying improvised explosive devices toward American soldiers so the bombs can be detonated from a safe distance. The author begins with the following words: "I.E.D. operations, but this time, with dogs. Yes, dogs! Brothers, some may find my words fantastic. But, believe me, we should better let a dog die, than let a Lion of Islam die!"

To get a feeling for how Western militaries and security services plan to counter this next wave of terrorism, I talked to Gadi Aviran, the founder of Terrogence, a company made up of former members of Israel's intelligence community and special military units that gathers information on global jihad as a subcontractor for intelligence agencies in Israel, the United States and Europe. "All of these secretive discourses in the password-protected cyber forums are of the same spirit," he told me. "Mujahedeen's lives are fast becoming too valuable to waste and although this seems like good news, the alternatives may prove to be just as difficult to deal with."

So, while an end of suicide terrorism might seem like a good thing for the troops in Iraq and Afghanistan, the bad news is that the extremists seem to be well on their way to mastering all sorts of new technology, much of which, such as using dogs and remote detonators, is simple and cheap.

Most counterterrorism experts estimate that for military forces to devise and deploy countermeasures to a new insurgent strategy usually takes two to five years. Moreover, in the case of remote-control systems, improvements in technology mean that the signal-blocking systems now being used by Western militaries may no longer be effective.

Another hurdle Western forces may face is that a new emphasis on remote execution would significantly change the profiles of the terrorists. The uneducated, enthusiastic youths from weak economic backgrounds who have formed the bulk of Al Qaeda's followers - and whom our intelligence services have spent a decade identifying and neutralizing - will give way to a new type of activists: electricians and robotics experts will join the qualified chemists who make the explosives in order to carry out non-suicide attacks.

The good news is that suicide bombing seems to be on the wane. The bad news is that Western forces will almost certainly face a new breed of highly educated Qaeda terrorist.

John Glenn, MBCI, SRP
Enterprise Risk Management/Business Continuity
Planner @

Wednesday, September 3, 2008

ERM-BC-COOP: Small businesses not prepared

An article from the Continuity eGuide for 3 September 2008 addresses small business risk management in the UK. The article, British Small Businesses Unprepared for Risk, is on the WWW at http://disaster-

A new survey by YouGov has found that small- to medium-sized businesses in the UK often disappoint customers because they lack business continuity planning.

In an article on the website, Rosalie Marshall says the online survey of more than 1,000 small business owners and managers revealed that only one third of SMBs are taking steps to ensure their business will continue to operate normally in the event of disruption.

Stephen Rankin, regional director for UK employers’ organization the Confederation of British Industry, told Marshall “companies cannot afford to be out of action for any extended period of time because they risk losing customers in the short term and damaging their relationship in the longer term. This survey highlights the fact that some businesses have a long way to go in getting their plans up to scratch.”

In other findings, 40 percent of respondents said a computer hardware failure would be detrimental to their business, and only 10 percent said they would be able to function as normal after a failure.

“Also, less than ten percent of the SMB managers had heard of BS 25999, the first British Standard for Business Continuity Management, which was launched at the end of last year and sets best practices for business continuity plans,” Marshall adds.

However, it looks like the message might be sinking in a bit after all. The survey also found that after the managers were informed of the BS 25999 standard, 30 percent said they would apply for certification.

The problem, at least on this side of the pond, is that Small & Medium Businesses (SMBs) usually can't afford to engage a qualified planner full time and likewise lack the budget to hire a consultant.

I can understand the SMB owners' and managers' predicament.

There is a solution, but it takes a third party, or perhaps a group of third parties.

As much as practitioners want to provide their expertise to everyone, there is the small matter of paying the bills.

Last month I had a blog entry titled "SMBs and Understanding ERM" ( that looked at ways for SMBs to finance business continuity.

The point I was making then is worth making again - mostly because no one has been banging on my e-door asking for more information.

Then, and now, I suggest that trade, professional, and industry organizations - primarily national and regional - employ experienced practitioners and make their expertise available to their members. The organizations already charge a membership fee to help offset various and sundry activities. Some of the money collected might be directed to a practitioner's compensation. Individual members also might pay a percentage of a plan's development and on-going maintenance costs.

Another approach would be for auditors and insurance companies or agents - and similar vendors - to engage a full-time practitioner to create plans for their clients as "value added" services. Again, the client might be able/willing to pick up some of the cost.

Frankly, Scarlett, I don't care how or who finances risk management, as long as a risk management program is undertaken.

Now, before someone pushes back and tells me "but all plans are different," I'll concede the point. But, having been doing this for more than a dozen years, I know there are some basic - repeat, basic - steps that can be translated into a "one size fits all" template or skeleton plan.

Since most SMBs are, by definition, "small," the plans should be relatively simple and straight-forward - translation: relatively quick to create and validate. Rather than have a plan reviewed by 20 people at several different management levels, the SMB plan typically will be reviewed by one or two Subject Matter Experts (SMEs) and one or two managers or owners.

Basic Statements of Work (SOWs) and Project Plans almost could be boilerplate, particularly if the program is sponsored by an affinity group (e.g., grocers, Realtors, doctors, religious organizations).

Bottom line: The wheel does not have to be reinvented for every plan. "Tweaked," yes; reinvented, no.

Every organization needs an enterprise risk management program, every organization deserves an enterprise risk management program.

Note I wrote program and not project.

Enterprise risk management, business continuity/COOP - call it what you will - to be successful needs to be an on-going program. Projects have a start and end point - and while a plan is created as a project, it is only one part of the program that includes continuous maintenance and exercises. Plans that gather dust on the shelf quickly become not just useless but sometimes dangerous.

There IS a way to assure that SMBs can afford enterprise risk management and that practitioners can make a decent living.

Now, if we can just get the organizations and vendors on board . . .

John Glenn, MBCI, SRP
Enterprise Risk Management/Business Continuity
Planner @

Tuesday, September 2, 2008

ERM-BC-COOP: Validation is wonderful

Validation is wonderful, especially if lives are saved.

I don't know if the folks at DHS/FEMA visit my Web site, but after Katrina I posted three Katrina-related articles to my URL:

  1. The "What if" game after Katrina ( - Sept. 4 2005
  2. All aboard ( - Sept. 25, 2005
  3. Applying Katrina lessons to Business Continuity planning ( - Nov. 30, 2005

Much of what I wrote was put into action.

It was interesting, and satisfying, to see buses taking people to Amtrak trains bound for safe haven.

It was good to see the mayor apparently in control and making what I consider the "right" decision in ordering evacuation.

It was good to know that people coming down to assist were in place at selected staging areas, not just for New Orleans LA (NOLA), but other cities and towns in the threat area as well.

It was not good to learn

  • the levees weren't ready

    I know it takes time, but could the effort have been expedited?

  • that a politician was encouraging his followers to descend on the threatened area to offer help

    This encouragement was later tempered by the politician's decision to tell all to wait and see what help was needed

  • that of the fatalities linked to Gustav, most were the result of an auto accident in Georgia when a driver apparently fell asleep

    If the car was traveling on I-10, there are rest stops; if on US 90, there are towns where evacuees could pull over; I doubt any cop would tell someone escaping a hurricane threat to "move on"

  • that a couple of (scrapped?) Navy vessels were "loose" and might threaten the levees

But, all-in-all, NOLA and communities along the Gulf coast escaped with little damage. Then again, Gustav, while threatening as a Cat 4 or 5 storm, came ashore as a Cat 1.

I'm a Floridian and, trust me, I do NOT denigrate any hurricane.

I know that most damage is caused by flooding, and if the TV pictures I saw are accurate, there was substantial flooding, but not as it was in Katrina.

And again, although there still were too many, the hurricane-related fatality count was minimal.

Is there room for improvement?

Of course.

Will some of the folks who evacuated this time think the mayor - whoever is in office at the time - is playing "Chicken Little" crying "The sky is falling" and elect to "hunker down"? I'd bet on it.

Will the mayor be criticized for ordering an evacuation?

Of course.

Was it the right thing to do?

I think so.

A tip of the hat to the presidential candidate who proposed that we respond as Americans, rather than as members of this or that political party. (His appeal probably will be mocked on The View, but that won't surprise anyone.)

Nothing's perfect, and I expect a post-event critique to point out ways to improve, without, I hope, the finger pointing prevalent after Katrina.

My only complaint is that the focus was totally on NOLA. Granted, it IS below sea level and it IS "the" city in the area, but there are other folks in cities, towns, hamlets, and farms along the Gulf coast that also are in danger from storms - hurricanes and otherwise.

My only remaining question: Will The Feds bail out - literally and financially - those people who insist on building where common sense tells us not to build, and - worse - who, as they did before Katrina, fail to insure?

John Glenn, MBCI, SRP
Enterprise Risk Management/Business Continuity
Planner @