Friday, December 26, 2008

ERM-BC-COOP: EMP threat

I received the following email on Dec. 25:


Electromagnetic Pulse Attack Would Devastate U.S., But Missile Attack Could Prevent It: A rogue state or terrorists could launch an electromagnetic pulse (EMP) attack on the United States that would kill more Americans than a nuclear strike on a major city, but an EMP attack on the homeland could be defeated with a missile defense system, a noted expert said.

That could involve the Boeing Ground-based Midcourse Defense system, or it could involve using the Lockheed Martin Aegis sea-based ballistic missile defense system that uses the Raytheon Standard Missile interceptors, according to William Graham, chairman of the Commission to Assess the Threat to the United States from Electromagnetic Pulse Attack.

Bartlett (where did this name come from? He/she is not listed on or in the report. jg) has pointed out that all a terrorist group would need to do to cause an EMP attack would be to smuggle one missile with a nuclear warhead into the United States, then take it by truck to Iowa or North Dakota.

There, the missile would be launched straight up, and the nuclear weapon detonated at an altitude of about 300 miles. That would create an EMP of immense proportions, covering the continental United States (lower 48), Mexico and much of Canada.

The Missile Defense Agency at this point hasn't been charged with defeating EMP attacks by a missile launched within the United States. Rather, it is charged with creating a multi-layered missile defense shield against missiles from abroad.


Before I go pretending to be Chicken Little, let's find out

    (a) how BIG an N-device would need to be, both in physical size and in kilo-tonnage

    (b) how big the delivery vehicle needs to be - the missile that would carry the nuke up "an altitude of about 300 miles."

I won't claim that a missile and a bomb can't be smuggled into the US or Canada, but I'd say the probability of this occurring is slim. That part of the ERM-BC-COOP practitioner's Probability-Impact equation rates a "Low." Yes, Virginia, I realize our borders, especially those of Canada, can be pretty porous - it is more than hard to police the country's arctic landscape.

I'll also concede that there is lots of open space in the northwest border states (and provinces).

But I lived in the Intermountain states and I will tell you that people are pretty alert to "strange things" happening in their midst and, unlike some others, they are likely to take action, if only to report something to the local sheriff or constable. Little chance of a Kitty Genovese incident in this part of the country.

Then there's the problem of hauling the device - surreptitiously "trucking" the missile cross-country would be difficult, even assuming the bad guys knew how to avoid all the inspection stations.

My gut reaction to the email was: "Someone is trying to sell something" - specifically more missiles.

But here's a thought.

Let's imagine that an N-device and a missile were somehow mated and launched toward that "about 300 mile" elevation.

An anti-missile missile is sent chasing it - I'm assuming the weapon with the N-device is headed more or less straight up as presented by either Graham or Bartlett (email's third paragraph).

First question: How is it going to "catch" the threat missile? The threat would have a pretty good head start - at least in missile speed terms.

Second question: If "our" missile kills "their" missile, won't the N-device be triggered and explode?

I'm not a mad scientist nor do I play one on tv, but it seems to me that it is logical to expect an intercept attempt and if there is an intercept, to make certain the device explodes at the intercept point (maybe only 200 miles altitude). There still would be some "bang for the buck."

My job as an ERM-BC-COOP practitioner is, I think, to consider all the possibilities.

All things considered, and based on what little I know about missiles and nuclear devices, it seems to me the threat probability is too low to go throwing Big Bucks (Canadian or US) at the risk - although it might help stimulate the economy. On the other hand, since the idea was broached, and since "they" have access to the same information as you and I, there is a chance . . .

Question: How to avoid or mitigate the threat?

Number 1 is awareness.

People do live in the proposed launch area.

Planes - commercial at high altitudes and private usually lower - fly over the area. Pilots could become more vigilant.

If we want to throw $$s at the threat, aircraft that regularly traverse the area could be equipped with cameras (infra-red - IR - is a good tool to spot "things" that are out of the ordinary for the terrain); the images could be reviewed by qualified photo interpreters on the ground.

The idea always is to prevent a risk rather than to try to recover from a threat that happened. (Whatever happened to the idea, floated several decades ago, of "blowing up" hurricanes over the Atlantic?)

Much as I would like to help stimulate the economy - I'm already doing my part, just ask my Financial Manager (a/k/a The Spouse) - I don't think pouring money into an additional anti-missile system to shoot down a rocket launched from the US or Canadian west is the answer.


Some background


John Glenn MBCI
Enterprise Risk Management-Business Continuity-COOP practitioner
JohnGlennMBCI @ gmail dot com
If I wrote it, you can quote it.

Wednesday, December 24, 2008

ERM-BC-COOP: Just the fax, ma'am

Despite admonishments to Call Miss Utility (or similar), some turkey managed to cut through a fibre cable bundle that was the communications lifeline to The World.

Back when we were looking at risks and ways to avoid or mitigate them, the communications folks told me that if landline phone service "went away" we would be OK since most personnel had company or personal cell phones.

Internet, for email, is segregated from the telco lines.

What we - and despite my telecom background, I have to share the blame - failed to consider was facsimile communication.

In this day-and-age of email with PDF attachments, how many people actually use faxes?

Turns out, a lot of us.

The company was able to work-around the fibre faux pas by reverting to copper that came in to the facility on a different path (than the fibre).

But the copper provided significantly fewer trunks than the fibre.

Which meant that unless the timing was just right, a person trying to send a fax might end up unable to make a connection.

(I suppose I could, given the proper cables, connect a computer to a cell phone and send a fax via the mobile device, but I don't have the proper cables and, frankly, no one ever considered that before the cord was cut. Something to investigate.)

For the very large organization, there are work-arounds.

If a correspondent absolutely positively MUST have a fax - a PDF attachment to an email won't do for whatever reason - we could send an email, with a word processor or PDF attachment, to another company site and ask someone to fax the information from that site.

But what about a Mom-n-Pop?

Print out the fax copy and run down to the local Faxes 'R' Us? Who minds the store while the fax is being transmitted?

Still, that's only half of the equation.

What about incoming faxes?

The sender has your fax number which probably is NOT the mobile device number.

There is no way, until the telco line is restored, that the fax can be received. ('Course until the line is restored there will be no incoming calls to that landline number - it pays to advertise the mobile number!)

Hopefully, anyone trying to send a fax to you will get a Ring/No Answer (RNA) or busy returned and, at least in most cases, will receive a report stating that the fax could not be transmitted.

A large organization can fairly easily put several work-around options in place, including redirecting calls - including faxes - to another number.

But the Mom-n-Pop . . .

It's very true that we are becoming less and less dependent on landline communications, and so accustomed to email attachments, that facsimile communications are "out of sight and out of mind."

Until, of course, you absolutely positively need to send (or receive) a fax.

Now is the time to consider a work-around - for both the Big Organization and the Mom-n-Pop.

John Glenn, MBCI
Enterprise Risk Management/Business Continuity
JohnGlennMBCI @ gmail.com

Wednesday, December 17, 2008

ERM-BC-COOP: Vindication!

I just received an invitation to sign up for a Continuity Insights Management Conference in Chandler AZ April 27-29. (As the temperature dips into the single digits where I currently hang my hat, the warmth of Phoenix seems pretty good.)

The post card promo I received tells me, in big, bold letters, that

    Research indicates that an effective manager is not inherently an effective leader in a crisis.

Do I hear an echo?

I have been preaching, in at least three of the 200-plus articles on my URL (http://JohnGlennMBCI.com), that the people in day-to-day management roles may not be the ideal candidates for a crisis management role.

The first article I found during a quick search dates back to January 2002 and is, funny enough, titled "Crisis management."

The Continuity Insights keynoter is Dr. Robert Chandler (apropos for a conference in Chandler AZ) who is to present "Predictive Knowledge: Skills, Abilities, and Traits for Effective Crisis Leadership."

The promotional material goes on to state that this address will consider

  • The key traits, skills, abilities, and task competencies of effective crisis leaders
  • How to select and develop crisis leaders by using trait characteristic measures.

I suppose there is something in that, but based on personal experience over more years than I care to admit, I think the best way to identify both crisis leaders and managers who should be given go-fer tasks is a high-level crisis simulation.

The problem I have with templates for personalities is that they are subject to failure.

The templates may overlook some excellent leadership candidates and they likewise may find acceptable candidates who, when faced with The Real Thing, will fall apart like facial tissue under a strong stream of water.

There are people who seem born to manage during a crisis. There are others - notably in the ERM-BC-COOP world - who are excellent planners but disasters as responders, managers or otherwise.

The problem for us - ERM-BC-COOP practitioners - is to identify who will keep their head when everything seems to be coming apart, and who will panic. There is a second part to this search effort, and it demands of the practitioner a high degree of diplomacy and stratospheric management support: convincing a "day-to-day" manager to take a supporting role and let someone else, perhaps a person who reports to that manager, take the lead.

That may be what separates a so-so manager from a great manager - the ability to step aside for the good of the whole.

I'm told that some American Indian tribes had chiefs for different functions.

The US government, although it has the president as The Final Authority, depends on various "chiefs" - cabinet secretaries - for its operations. In theory, in the event of a national disaster, Homeland Security becomes the senior manager for response operations.

It is not, then, unheard of that a junior assumes leadership from a senior, if only for "the duration."

It would not be wise or politic for a practitioner to advise a Very Senior Manager that the manager might be less than suitable for a crisis management role.

But the wise practitioner might be able to convince said manager by conducting realistic exercises. (Such exercises also can be useful in showing demanding personalities that their ranting and raving and "I want it NOW" demands are counter-productive.)

While I am certain Chandler's keynote address will be worthwhile, I think that the better approach is to put the candidates under as much stress as can be realistically applied and see how they react.


The articles:

January 2002: Crisis management (http://johnglennmbci.com/crisis.html) - footnote
January 2, 2006: Testing 1, 2, 3 (http://johnglennmbci.com/Testing.html)
August 29, 2006: Primary and secondary jobs (http://johnglennmbci.com/060831-AFSC.html)


John Glenn, MBCI, SRP
Enterprise Risk Management/Business Continuity
http://johnglennmbci.com/
Planner @ JohnGlennMBCI.com

Tuesday, December 16, 2008

ERM-BC-COOP: Curmudgeon

Call me a "curmudgeon."

Tell me I lack a sense of humor.

Even tell me I take things too seriously.

I'll admit to all of these things.

Why?

I just read a Help Wanted posting from a recruiter I know and who should know better than to post the advertisement he posted.

The recruiter, who along with his company shall remain nameless, posted a job for a Senior Business Continuity Planner with "2 to 4 years experience" in business continuity planning.

SENIOR!

With two to four years experience.

Actually, it is worse.

Read further into the posting and the Experience requirement DROPS to a mere "1 - 2 years"

Two years!

The recruiter, or his client, "requires" candidates with a graduate studies level.

The only thing I can write in the recruiter's defense is that he probably only is following his client's desires.

I know several recruiters, both here and outside the U.S. To the best of my knowledge none will endanger a commission by trying to educate their clients regarding requirements for various ERM/BC practitioner levels. As an experienced practitioner, I grumble, but if I was in their shoes, I don't know.

A planner with but two years experience normally rates a little more than "tyro"; the only exception may be a practitioner who worked with a senior planner who has been responding to crises for "the duration."

I'm prejudiced, to be sure, but it seems to me the recruiters are being derelict or at least negligent in their jobs by allowing clients to jeopardize the client organizations by considering a person who is at best a "junior" planner for a position where a senior's expertise is expected.

I'll give this recruiter credit - he advertised the opportunity on the Web site of a professional publication, presumably marketing the job only to people with at least a passing interest in ERM/BC.

'Course the posting was free.

Funny enough, the posting omitted any client requirement or desire that the "senior" planner hold any professional certification, not that certification by itself guarantees anything, but it is something many planners with more than beginner experience possess.

John Glenn, MBCI, SRP
Enterprise Risk Management/Business Continuity
http://johnglennmbci.com/
Planner @ JohnGlennMBCI.com

Tuesday, December 9, 2008

ERM-BC-COOP: Like a winter holiday

The holidays, especially Thanksgiving and Christmas, are a lot like Enterprise Risk Management (a/k/a Business Continuity and COOP).

During the "season" we hear a lot about helping the less fortunate.

That's commendable and I encourage everyone to do just that.

However . . .

The less fortunate are less fortunate before and after the Big Give holidays.

They need to eat and they need shelter and they need employment for self esteem.

These needs are not limited to two months in the winter; they are a year-round requirement.

Rather like ERM/BC/COOP.

Now is the time to plan for the coming hurricane season, not June 1 when the 6-month (June 1 to November 30) season commences.

Now is the time to plan for the coming floods of spring and drought of summer, not when the water is creeping under the door or when firefighters are praying for rain to drench wild fires before they scorch homes and businesses.

But, like the needy, unless we are reminded again and again and again that ERM/BC/COOP is an on-going program, it - like the needy - becomes "out of sight, out of mind."

Let me rewrite that last paragraph a bit. Make it read "Unless we remind others again and again . . . " That's part of our job. First get "their" attention, then tell "them" what we are about to say, say it, and finally tell "them" what we said . . . then start over.

We have some allies. I notice billboards put up by various governments promoting personal emergency planning. States and some municipalities encourage business continuity and personal emergency planning on their Web sites. Not only do governments encourage such planning, many offer guidance.

Maybe we need bell ringers standing not outside the Big Box Stores but outside the Mom-and-Pops and Small-and-Medium organizations (non-profits and charities as well as for-profits) to get the attention of owners and senior managers. I'd settle for getting ANYONE's attention, on the assumption that, like ants toting sustenance to the mound, our message will find its way inside.

The less fortunate need assistance more than 2 or 3 days-a-year.

Likewise, ERM/BC/COOP programs need to be functional more than only when a threat, like the Three Little Pigs' wolf, is at the doorstep. (You'll recall that one of the pigs had a plan - he built a wolf-proof house.)

Now, go forth. Put something into the red kettle and promote organizational survival planning.

John Glenn, MBCI, SRP
Enterprise Risk Management/Business Continuity
http://johnglennmbci.com/
Planner @ JohnGlennMBCI.com

ERM-BC-COOP: History forgotten is bound to repeat

Sunday was December 7.

Apparently for most folks it was "no big deal."

It was a "big deal" 67 years ago.

On that December 7 Sunday in 1941 U.S. forces in the Pacific were attacked by Japanese planes, pulling us officially into World War Two.

Was it a sneak attack as most Americans believe, or did the president (FDR) and some of his cabinet anticipate the attack? Was information available but not shared? Some claim that is the case.


A good December 7th Web site is the (US) Library of Congress, http://memory.loc.gov/ammem/today/dec07.html.


How long before we "forget" 9-11? I suspect that for many, the year in which the Islamists flew hijacked aircraft into the World Trade Center towers and the Pentagon already has been forgotten - for the record, it was 2001. For the record, there was a fourth plane that crashed into a Pennsylvania field because the passengers fought back.

9-11 should have taught us a lesson that communication between groups - sometimes, as in the case of the US government, competing groups - can make the difference between a 9-11 type disaster, or a Katrina disaster, or . . . - or avoiding or mitigating a threat.

Your typical Enterprise Risk Management (Business Continuity/COOP) practitioner could not have prevented 9-11 or Katrina; those events were too far above our pay grade.

But perhaps we can make a difference at a smaller organization where the concern is more about protecting people and the operation than politics and finger-pointing.

Still, in order to make a difference, we have to have very senior management's attention and, more, its visible and on-going support.

As Dwayne F. Schneider (Pat Harrington Jr., on tv's "One Day at a Time") frequently said, "Always remember and never forget." We seem to have forgotten that Sunday on December 7, 1941; once the lesson is forgotten, it or something similar will happen again, if not on December 7, then perhaps September 11.

Part of our job as ERM/BC/COOP practitioners is to learn from the past and to keep the lessons learned current and before those who engage our expertise.

We may be excused for missing something that never happened before, but we can have no excuse for ignoring lessons learned.

John Glenn, MBCI, SRP
Enterprise Risk Management/Business Continuity
http://johnglennmbci.com/
Planner @ JohnGlennMBCI.com

Thursday, December 4, 2008

ERM-BC-COOP: Lessons from automakers

The shrinking "Big 3" US automakers should provide a lesson for all ERM-BC-COOP practitioners.

As they teeter on the brink of disaster - although I am Ivory soap sure the US government will float the companies a loan - we should be able to see what I have been preaching:

CONSIDER YOUR PRIMARY CUSTOMERS WHEN SEARCHING FOR RISKS

The guys who make the Very Big Bucks (auto company execs) and the folks who make Pretty Good Bucks (union workers) control one of the first dominos in a very long string of dominos.

Not all of those dominos down the line are obviously linked to Detroit. Not all of those dominos are in Detroit or even in the U.S.

I am not an auto company insider so I won't cite statistics, but I know that most parts that go into the average "American" flivver are made by a company other than the so-called Big 3.

GM used to make parts for its vehicles in Kokomo IN at a huge Delco plant. Delco was spun off years ago - is Delco still in business? Parts from molded plastic pieces to nuts and bolts are manufactured by vendors - some fairly large companies, others Mom-n-Pops. How much paint does GM use at one plant for one model? More than I need to paint my house.

If you drive a Chrysler, Ford, or GM product, look at - not just through - the glass. More than likely it will be marked, in small print, "Made in Mexico."

It doesn't stop there.

Those vendors have to get their wares to the customer work site. Trucks, boats from ocean-going vessels to barges, trains, and an occasional plane.

That means people. Lumpers (people who load trailers), drivers, railroad people of all types, ship crews, stevedores, pilots and load masters . . .

And then air traffic controllers, guards, fuel purveyors, gas pump jockeys . . .

People with mortgages, people who think that eating from time to time is a good thing, people who want to stay warm in the winter . . .

All these will be impacted by the ripple effect of a Big 3 failure.

John Donne was right. No man - and men make up organizations that employ them - is an island.

Ben Franklin, at the signing of the Declaration of Independence, is quoted as saying "We must all hang together or, most assuredly, we shall all hang separately."

Call it the domino effect or the ripple effect or anything else that tickles your fancy, but the bottom line remains: no business in the U.S. is immune to a failure by another business, and, in this global economy and all its inter-relations, the U.S.' borders are hardly a fence preventing economic impact - going either direction.

ERM plans must consider both sides of the production stage - vendors, including money vendors - and clients, particularly (but not exclusively) major clients. (Keeping one major and losing many lesser clients easily can bring about the same result - a shuttered business.)

Think about it.

John Glenn, MBCI, SRP
Enterprise Risk Management/Business Continuity
http://johnglennmbci.com/
Planner @ JohnGlennMBCI.com

Tuesday, December 2, 2008

ERM-BC-COOP: Passionate practitioner

The other day someone asked me if I was "passionate" about business continuity.

Most people who know me would have replied for me "That's an understatement."

I only half-jokingly tell people that when I was a consultant regularly traveling between Tampa and Tallahassee, the flight attendants, if they lingered too long near my seat, became at least semi-expert in the field.

I am fortunate to do what I enjoy doing. That isn't to say flatly that every business continuity opportunity is enjoyable; there is a difference. I enjoy helping organizations protect all their resources, starting with people. I am frustrated by organizations that limit business continuity to little more than Info Tech disaster recovery.

An aside. An Info Tech ops manager told me that the "business continuity" plan for his operation was more than disaster recovery. Oh, I replied, then you have risk avoidance and mitigation, key components of business continuity. Certainly, he replied, we have back-up sites in case the primary goes down.

No, I countered, that's not avoidance or mitigation. Avoidance or mitigation work against the risk. What you have is a response plan. It isn't a bad response plan, but it is not "avoidance or mitigation."

Mind, I am in favor of Info Tech business continuity plans. I also am in favor of HR plans and Finance plans and Operations/Production plans, and Facilities plans. Providing they all roll up into an all-inclusive enterprise plan.

If something in a functional unit - that is any organization other than The Enterprise - goes "bump in the night" the folks in that functional unit need to quickly assess the impact of the "bump." Will it impact on that functional unit's Service Level Agreements (SLAs) with internal and external "clients?" Can the "bump" be smoothed out before any other clients feel the impact? If it can, the recovery is handled within the functional unit; if not, the issue is escalated as needed.

My contention remains that what an organization really needs is "Enterprise Risk Management."

Enterprise Risk Management, ERM, is not just another name for business continuity (which, let me be perfectly clear, is NOT another name for disaster recovery). As business continuity grew out of disaster recovery and in the process changed the focus from a resource (Info Tech) to the profit center, ERM expands business continuity to include all risks an organization faces.

For example, how many enterprise business continuity plans considered lenders as vendors prior to the current financial disaster? How many enterprise business continuity practitioners ask critical vendors - and exactly what determines "critical" - for their business continuity plans? How many practitioners consider the ripple effect of a work action against a vendor? That is a consideration a very famous international air carrier now considers as a "lesson learned."

How many practitioners include Legal in more than a plan review role? Crisis management is, to this scrivener, part of ERM. In many organizations, crisis management is "out of scope" for business continuity. Succession planning likewise often is "out of scope" for business continuity.

The above is not to suggest that the ERM practitioner - I dislike the term "planner" since it implies a project with identifiable beginning and end; business continuity and ERM must be, if they are to be successful, on-going programs - should manage everything. The ERM practitioner should be the person holding the umbrella under which all functional units are sheltered. The practitioner need be a Subject Matter Expert (SME) only in ERM and understand that the program depends on input from the SMEs of each functional unit. Let each of these SMEs act as an auditor not only for their particular functional unit, but the program as a whole.

Am I passionate about what I do? You bet.

Will I talk about, write about, and otherwise wave the ERM flag at every opportunity? Absolutely.

Do I recruit - sometimes con - non-practitioners into becoming, if not a practitioner at least a participant, in the program? By all means. That's why I have this blog. And a Web site. I'm a believer.

John Glenn, MBCI, SRP
Enterprise Risk Management/Business Continuity
http://johnglennmbci.com/
Planner @ JohnGlennMBCI.com