Wednesday, November 26, 2008

ERM-BC-COOP: Holiday hiccups

Here's a timely topic: holidays.

Today is the day before Thanksgiving in the US.

The cube farm in which I reside for 9 or so hours each day is practically empty.

Dotted line bosses are "away."

Solid line bosses are "away."

While we are largely "virtual office" people, and while managers are expected to check email and answer phones even when they are "away," things do slow down.

From now until at least the second week in January, it will be difficult to gather the troops (except maybe for the mid-winter holiday bash).

Progress won't exactly come to a complete halt, but any movement will be at a stagger.

If something happened we would be hard pressed to round up the responders necessary to respond.

Which means we have a risk.

If we have a risk, we need also to have a way to manage the risk.

In this case, we - collectively - need to know who is available; a designated responder.

For the run-of-the-mill daily operations - getting a Business Impact Analysis (BIA) reviewed and approved by Upper Management for example - we need to seriously plan ahead and "sandbag" (a term dear to bowlers) the schedule to allow for Missing Managers.

What normally requires a 24-hour turn-around now takes closer to 5 or 6 days (Wednesday before Thanksgiving, Thanksgiving, Friday after Thanksgiving, the "regular" weekend, and maybe the Monday following Thanksgiving).

Some folks have vacation time the have to use (or lose) before year's end.

Add to that a mentality in many organizations that "business continuity is a low priority" and the prospects of clearing up any outstanding issues is about as bright as a rainy day.

As I look at my calendar, I see the holiday risk pop up again and again.

Some are linked to religion - the Jewish "Big Three" plus New Year's and Yom Kippur, Easter and Christmas; national holidays such as July 4th, Memorial and Veteran's days, and more. (Even when I'm at work, a federal holiday can slow things down due to a lack of snail mail.)

Granted, the holiday risk usually isn't a big deal, but when it is combined with another risk, e.g. fire, it suddenly starts to get attention.

The reality is that for most planners, holidays - and vacations and sick time and other absences - usually are treated too casually.

We need to give a little more thought to the holidays as we develop, or review, our plans.

John Glenn, MBCI, SRP
Enterprise Risk Management/Business Continuity
Planner @

Wednesday, November 12, 2008

ERM-BC-COOP: Lenders as risks

I can't claim to have been "harping" on it, but I have noted in passing that Enterprise Risk Management (ERM) - Business Continuity (BC) - COOP practitioners must - not "should" but "must" - include the money lenders in the list of risks to threaten an organization.

I've also noted - and this I have harped on - that ERM-BC-COOP practitioners must - again, not "should" but "must" - make certain vendors have viable, verifiable ERM-BC-COOP programs. (Projects are nice, but only when they are part of a total, on-going program.)

Validation of my concerns hit the air and pages of the local press this morning.

An article on D.C. radio station WTOP's Web site,, leads off with

WASHINGTON - In a last-ditch effort to avoid financial disaster, Metro - faced with more than $400 million in bank payments - is turning to the Treasury Department for help.

The transit agency's financial woes stem from the recent collapse of financial giant AIG (American International Group). Metro had used AIG as an insurer for a number of deals it made with banks. The deals allowed Metro to do things like extend the transit system and buy new rail cars.

But because AIG's financial status has been downgraded, the banks Metro dealt with can now technically claim default and ask for all of their payment at once.

Metro runs buses and light rail in D.C., Northern Virginia, and near-DC Maryland. It is funded by riders, advertisers, and area governments.

It seems that AIG guaranteed Metro's loan from Belgian Bank KBC Group. This loan, with US$43 million due, apparently is one of many loans Metro has floated to keep transportation moving in DC and parts of Northern Virginia and Maryland. AIG, according to the WTOP article ( backed Metro for 16 financial deals that, if AIG fails and the lenders call in the loans, could force Metro to pony up more than US$400 million. As the article continues, Metro's 2009 capital budget is US$600 million.

Metro is not alone having AIG as the financial backer. The WTOP article identifies Atlanta, Chicago, LA, and San Francisco as other cities that must closely watch the AIG saga.

It seems, based on lessons learned from the AIG "weakness" and our understanding of "business in America" (and probably elsewhere) that not only do we need to ask vendors for their plans, but to ask the same question we should be asking hot site vendors - how many other customers do you have in our organization's situation. For AIG, someone needed to look at its financials, its balance sheet, to compare its assets with its liabilities - including loan guarantees.

Most of us, at one point in our lives, either have guaranteed a loan or had a loan guaranteed by another. We know that the guarantor is "on the hook" if the person getting the loan defaults, and the lender is very careful to assure the guarantor as the assets to clear the debt. I don't know that the lender could demand payment in full if the debtor defaults; that is what the Belgian financial organization is attempting.

In light of Citi Group's wise decision to mitigate its mortgage losses, Citi announced it will work with property owners to help them keep their property. That's just good business; in the end, the properties will (more than likely) be maintained and, when the economy recovers, the borrowers, sure to become Citi Group loyalists, will be able to start paying down the mortgage again. What Citi will ask for in the meantime - interest at some level perhaps - is to be determined, probably on an individual basis.

I seriously doubt Metro will have to sell off its rolling stock and rip up its tracks - D.C. is highly dependent on the system and while it lacks a loud voice in congress, it can have a physical presence on the Capitol steps.

I also think the Belgian lenders are being foolish and short-sighted; theirs is, in my opinion, a knee jerk reaction. Metro is not going to "go away"; it's too valuable an asset in the nation's capital. KBC Group would be better served by taking Citi Group's approach.

For us, ERM-BC-COOP practitioners, the bottom line remains the same: lenders are a risk; they need to be treated as a threat to the organization no matter if the loan is for operational use or expansion. Check the lender's - or in this case, guarantor's - balance sheet, research its major loans/guarantees (most brag that they count BIG NAMES as customers), and have an alternate financial source in mind, "just in case."

While we are at it, we are wise to check out our major customers' financial well being.

Do we need to be CPAs or financial experts to accomplish this? No. But we do need to be smart enough to know CPAs and financial experts and to utilize their expertise.

John Glenn, MBCI, SRP
Enterprise Risk Management/Business Continuity/COOP

Thursday, November 6, 2008

Comments welcome, but ...

Comments to this blog are welcome PROVIDING they include the poster's real name and email which will be included in the comment. If you write it, stand behind it. Comments from posters who cannot be identified will be deleted.


Wednesday, November 5, 2008

ERM-BC-COOP: 4th year risk

I have noted in the past that "government" should be considered a risk.

My focus was on local and state government.

Licensing organizations. Regulators.

But the Federal government also is a concern.

The people of the United States just elected a new president, one who promises to change the way things are done in DC.

The new president will enjoy a same-party majority in both the Senate and House of Representatives.

(That, by the way, does not - as previous presidents have found - assure that all of the president's programs will receive congress' approval.)

It's far too early to guess at what the new administration, when it officially takes office in January, will do to keep its promise to change things.

An end to the war in Iraq could mean a cancellation of some defense-related contracts.

Big-bucks military modernization plans may be scrapped - or maybe not.

The size of the armed forces may be reduced and that would impact the defense industry - fewer troops mean few guns, transports, ready-to-eat meals, etc.

It could mean higher unemployment, but logically the first troops to be released would be Guard and Reserve who would return to their civilian employment - assuming they still have their old jobs. (The jobs are guaranteed by Federal law, but some weekend warriors are having to sue their employers - including the US Veterans Administration ! - to get their jobs back.)

Then there's The Bailout.

Backing the Big Banks is a done deal, even when some of the banks apparently told the Feds they did not want the funds.

Will GM get a loan to buy Chrysler? Chrysler was the first major company to get a Federal loan which, I'm happy to note, was repaid, with interest, on schedule.

Will home owners facing foreclosure get protection that the outgoing administration was reluctant to promote?

What about SMBs - Small (and) Medium Businesses? Will they receive any Federal benefits or breaks?

The president-elect promised tax breaks for everyone making (earning or just collecting?) $200k (I thought at one time is was $250k, but either way, I'm well under the cap). What about the people who are making nothing - zero, zip, nada. The unemployed. How do you give a tax break to people who have no income on which to pay taxes?

No matter which candidate won the Nov. 4th election, the US was bound to see change.

For the most part, the US goes through this change-of-government exercise once every eight years (with few exceptions, most presidents have had two four-year terms) and most often, after eight years of one party's philosophies, the nation is ready to try on the other party's ideas - it's a swinging pendulum that has kept the US on a fairly even keel for decades.

The first Tuesday in November should be a reminder on every ERM/BC/COOP practitioner's calendar that government - at all levels - impacts the organization regardless of the organization's size or product/service.

The impact may be positive; the impact may be negative. For us, the impact of the impact has to be considered a risk.

How can a positive impact be a risk? Consider that if Organization A benefits from a positive impact, so does competitor Organization B - who can respond most rapidly and most efficiently to take advantage of the change?

Being able to anticipate change - risk - is as much what our work is all about as being able to avoid or mitigate events that could would against our organization's interest.

It's going to be an interesting four years.

John Glenn, MBCI, SRP
Enterprise Risk Management/Business Continuity/COOP