Tuesday, December 29, 2009

ERM-BC-COOP: Need to know documents


Lately there has been some discussion on DRJ's LinkedIn site [**] titled "How many employees should understand your organization’s emergency or crisis management plan?"

Fortunately, it has generated a number of responses.

Most responders think that the only answer is "All."

However, a few responders are concerned with sharing too much information, especially sensitive information and especially with some personnel lacking a "need to know."

That is understandable.

The solution is relatively simple and follows the scheme for most useful ERM-BC-COOP documentation: Create a complete document and distribute parts of the document on a "need to know" basis. The document also can be developed so that it can be distributed to "the world" with critical information easily removed prior to publication.

Basically, The Plan - be it business continuity or emergency/crisis management or any other - starts off with a high level overview.

  • What is the plan's purpose
  • What the plan includes
  • When the plan was created/revised
  • Who sponsored the plan; who authored the plan

All the above is "public" information.

In the case of an emergency/ crisis management plan, there might be a listing of several generic scenarios (e.g., building unavailable [for any reason], loss of communication, facility inaccessible [different from unavailable since people may be trapped in the facility]).

The scenarios would be in the "public information" category and distributed to all hands and can even be shared with "the world" much like a sanitized business continuity plan.

Everything else falls into restricted information.

Some of the restricted information can be shared with all hands. Included in this could be:

  • Emergency notification process and relevant numbers to call (e.g., in case of fire, dial 0 and tell the Operator the location of the fire)
  • Action to take in the event of various events (e.g., fire, smoke, electrical failure)
  • Telephone numbers personnel can call to check on operational status (e.g., if the facility is unavailable, when/where to report, what time code to use)
  • Policies and procedures relating to emergency/crisis situations

Finally, there is the restricted information sub-section, the "need to know" portion of the plan.

There an be two valid reasons for "need to know" restrictions.

First, and certainly "politically correct," is that there is no reason to burden all hands with information specific to a few people. The Crisis Management Team is a good example. These people are responsible for assessing (or having assessed) damages and making decisions regarding immediate personnel activities. Since "shelter-in-place" is included in an emergency/crisis management plan, there is more to consider than just "return to the facility."

Second, there may be truly sensitive information that must be restricted to a minimum number of personnel. HR-related information falls into this category; likewise InfoTech user information.

The mechanics of plan creation are documented at http://www.drj.com/articles/fall05/1804-04.html but basically require

  • Thoughtful document design (organization)
  • A word processor's "hidden text" capability
  • An editor/proofreader to assure all "sensitive" information can be hidden
  • A PDF generator (software)

In this case, both those who think everyone needs to know about an organization's emergency/crisis management plan and those who would restrict information are satisfied.

One caveat: As with all ERM-BC-COOP documents, this one must be exercised and maintained (kept up to date).

** http://www.linkedin.com/groupAnswers?viewQuestions=&gid=117659&forumID=3&sik=1262100736213


John Glenn, MBCI
Enterprise Risk Management practitioner (& sometime tech writer)
Looking for a new job

Sunday, December 27, 2009

Paying price for lack of vigilance


First case of highly drug-resistant TB found in US

LANTANA, Fla. [AP] – It started with a cough, an autumn hack that refused to go away.

Then came the fevers. They bathed and chilled the skinny frame of Oswaldo Juarez, a 19-year-old Peruvian visiting to study English. His lungs clattered, his chest tightened and he ached with every gasp. During a wheezing fit at 4 a.m., Juarez felt a warm knot rise from his throat. He ran to the bathroom sink and spewed a mouthful of blood.

I'm dying, he told himself, "because when you cough blood, it's something really bad."

It was really bad, and not just for him.

Doctors say Juarez's incessant hack was a sign of what they have both dreaded and expected for years — this country's first case of a contagious, aggressive, especially drug-resistant form of tuberculosis. The Associated Press learned of his case, which until now has not been made public, as part of a six-month look at the soaring global challenge of drug resistance.

Juarez's strain — so-called extremely drug-resistant (XXDR) TB — has never before been seen in the U.S., according to Dr. David Ashkin, one of the nation's leading experts on tuberculosis. XXDR tuberculosis is so rare that only a handful of other people in the world are thought to have had it.

"He is really the future," Ashkin said. "This is the new class that people are not really talking too much about. These are the ones we really fear because I'm not sure how we treat them."

Forty years ago, the world thought it had conquered TB and any number of other diseases through the new wonder drugs: Antibiotics. Then US Surgeon General William H. Stewart announced it was "time to close the book on infectious diseases and declare the war against pestilence won."

Read entire article at http://news.yahoo.com/s/ap/20091227/ap_on_he_me/as_med_when_drugs_stop_working_killer_tb


Wednesday, December 23, 2009

ERM-BC-COOP: Trapped in trains and planes



Once again* our friends in the UK have proven that they still live in a "disaster recovery" mode. This time they partnered with their neighbors in France.

I realize it's not fair to paint all UK business continuity practitioners with the same brush; I personally know several who understand, and promote, complete risk management, including threat avoidance and mitigation. But I also recall that British Standard 25999 - at least in draft form - lacked any mention of "mitigation."

Recent articles, including "Chunnel train service suspended indefinitely" from the Dallas (TX) Morning News (http://www.dallasnews.com/) report that "passengers stayed underground for more than 15 hours without food or water, or any clear idea of what was going on.

"Services have been suspended since late Friday (18 December 2009), when a series of glitches stranded five trains inside the Channel Tunnel and trapped more than 2,000 passengers for hours in stuffy and claustrophobic conditions. More than 55,000 passengers have been affected" the article continued."

A New York Times article headlined "Eurostar Chief Vows to Resume Partial Service" (http://www.nytimes.com/2009/12/22/world/europe/22chunnel.html) quoted Aude Criqui, a spokeswoman for Eurostar (the company that runs the Chunnel train), as saying the company was working from the assumption that the sharp temperature difference between the cold outside and the relatively warm air inside the tunnel under the English Channel caused extreme condensation in critical electrical parts on the trains, resulting in electrical failure. All Eurostar trains are electric.


Once again, airline passengers in the US were trapped inside metal tubes - airplanes - for as much as 6 hours as weather delayed flights several times in 2009, most recently in late December.

Despite knowing the public relations fall out, airlines elected to keep passengers trapped on the tarmac for hours rather than return to the terminal or to move into a parking area where passengers could be off-loaded to ground transportation and returned to the terminal's warmth, food purveyors, and rest rooms.

As in the UK, some folks in the US fail to understand that while there is not much we can do about the weather, we can mitigate its impact on business. Do practitioners fail to recognize the possibilities, fear to raise the issue with management, or is it that management simply doesn't care (see comment by Air Transport Association President and CEO James May later in this exercise).

Unlike Europe and Japan, the US lacks a reliable and rapid rail system; airline execs are confident that no matter how badly passengers are treated they will continue to buy tickets.

A US federal law to take effect 1Q2010 mandates air carriers to allow passengers to escape confinement if a plane is between gate and wheels up for more than 3 hours. After two hours, the airlines will be required to provide food and water for passengers and to maintain operable lavatories. They must also provide passengers with medical attention when necessary, according to "Gov't imposes 3-hour limit on tarmac strandings," a Yahoo/Associated Press article (http://news.yahoo.com/s/ap/20091221/ap_on_bi_ge/us_tarmac_strandings).

Even now airlines face some consequences. According to the AP article, in November 2009, "the department fined Continental Airlines, ExpressJet Airlines and Mesaba Airlines $175,000 for their roles in a nearly six-hour tarmac delay in Rochester, Minn. In August, Continental Express Flight 2816 en route to Minneapolis was diverted to Rochester due to thunderstorms. Forty-seven passengers were kept overnight in a cramped plane because Mesaba employees refused to open a gate so that they could enter the closed airport terminal."

The AP story also noted that "The airline industry said it will comply with the regulations , but predicted the result will be more canceled flights, more inconvenience for passengers.

"The requirement of having planes return to the gates within a three-hour window or face significant fines is inconsistent with our goal of completing as many flights as possible. Lengthy tarmac delays benefit no one," said Air Transport Association President and CEO James May.

I'm not an airport planner, although I do have some flight line experience. I understand how some weather can cause a short tarmac delay and I understand that unless an airport is closed down - no arriving flights - gates must be available to load and discharge passengers. Can empty aircraft be parked away from the gates, freeing space to off-load passengers stuck on the tarmac? Can't passengers be bused from tarmac (or parking area) to and from the terminal as they are at Washington National?

Extended delays should not be tolerated. From an economic standpoint, keeping engines turning to provide power for lights and heat or air conditioning is an expense. Beyond that, air crews have maximum in-plane times before they are required to take time off. Finally, while passengers still may be obliged to fly from Point A to Point B, most can take their business to another airline, one with a better on-time image.

On a personal note, I was stranded on the ground at CVG for too many hours while DL tried to get a flight-worthy aircraft to the gate. DL "saved face" when around midnight, with the airport effectively shuttered, a couple of DL staff brought out carts loaded with junk food and drinks. That simple courtesy probably kept most of us booking with DL. On the other hand, a now defunct airline kept me on the tarmac for 3-plus hours and then, when finally airborne, lacked the special meal I ordered - and had confirmed at both ticket counter and with a flight attendant (stewardess).

* Reuters, 11 Aug. 2005: British Airways cancels 77 Heathrow flights; Carrier cites dispute between workers, management at catering firm ( http://johnglennmbci.com/BA_meals.html and http://johnglennmbci.com/caterer.html)

John Glenn, MBCI
Enterprise Risk Management practitioner
Hollywood/Fort Lauderdale Florida
JohnGlennMBCI at gmail dot com
Seeking staff or staff consulting work in, or from, southeast Florida


Monday, December 21, 2009

ERM-BC-COOP: Short sightedness


Too many "business continuity" practitioners seem to have a very narrow, "headline" focus.

A decade ago, these people focused on three characters: Y 2 K .

Y2K - Year 2000 - was when the DOS world was slated to unravel because software for DOS-based machines was unable to roll over to the (take your choice) the last year of the 20th century or the first year of the 21st century.

Y2K was all about microprocessors and software. There was a "business" connection outside of the data center since many non-computer devices had microchips embedded in them - everything from time clocks to coffee pots, elevators to electronic room keys.

On January 2, 2000, the world breathed a sigh of relief that nothing disruptive occurred. Few cared to admit what COULD have happened if not-ready processors and programs had not been ferreted out and made ready or replaced.

(Don't get too relaxed; we're going to do it again in 2011(?) for Unix-based systems.)

I live in Florida. In a lot of ways, it's not what it used to be, but in some ways the newcomers have "blended in" and adopted the Cracker mentality. One of those ways is that on December 1, the only hurricanes any one cares about are the ones from Suntan U - University of Miami (to which I add: Go 'Noles1, but that's another story).

Here as elsewhere along the Gulf and Atlantic coasts, people put hurricanes out of their mind as soon as the season ends and refuse to consider it until - no, not the beginning of the next season the following June - a storm threatens. (To their credit, some south Florida counties - and maybe others elsewhere - have toughened wind mitigation laws and, since Andrew's massive destruction, gotten serious about building code enforcement.)

Today's "Y2K" is "The Flu." Take your pick: pig flu or bird flu. (Anyone who ignores "regular" flu is foolish, but despite it being flu season, only the exotic influenzas make headlines; a pity.)

Many, far too many, practitioners - once I was included in the pack - think that the flu threat translates into an empty office. That, they - we - thought, was pretty easy to mitigate: send everyone home and let them work from a virtual office.

That's fine except that not everyone CAN work from a home office or WiFi hot spot.

Most manufacturing operations require a production line of some sort. Most office and manufacturing operations depend on vendors and those vendors either require a production line or produce a service that cannot be provided from the vendor's home.

I once had a Fortune 50 client that truly was "strictly office." Even then, all of my clients personnel were equipped to work "on the road."

While my client's operation was perfect for its staff, that staff depended on manufacturing operations, print-and-mail services, and call centers, all of which had to have in-plant staffing. If any of the facilities closed, my client had a problem.

In the process of creating a plan for this client we decided to see if the vendors had real business continuity plans so my client would know if the vendor could meet its Service Level Agreements (SLAs) "no matter what" or if my client needed to find another/supplemental vendor or help the current vendor become less likely to miss its SLAs.

Since this plan was put to bed in December of 2000, I always consider ways to assure non-office operations are protected, even if I'm working for a "strictly office" organization.

There are many vendors we rarely consider. If the Toshiba notebook on my desk fails, I need to contact Toshiba and arrange for an advance replacement. If my DSL goes away, I'll need to contact the provider. If the router or modem fails, I'll need to hike over to the local modem-and-router purveyor to buy replacement machines.

Then there is ink for the printer, and paper and envelopes to feed it.

And electricity to power all that (but not the phone; I have a POTS unit on my desk that does not require AC input - in storm country, everyone needs one).

Even in my own little office, shared with Spouse and Franklyn, the Rotten Rabbit, I have many external dependencies.

Enterprise Risk Management (ERM) practitioners need to think beyond the confines of an office building; an "empty office" event can mean much more than just an empty office.

1. "Noles" are Seminoles; the reference is to Florida States University, nee' Florida State College for Women (until after WW II). Unlike some colleges, universities, and professional sports teams, FSU has the support of the real Seminoles who, by the way, still have not signed a peace treaty with the US government.


John Glenn, MBCI
Enterprise Risk Management practitioner
Hollywood/Fort Lauderdale Florida
Currently seeking staff or staff consulting opportunities
JohnGlennMBCI at gmail dot com

Wednesday, December 16, 2009

Looking for a new job


I received word the other day that I was left off the 2010 budget.

Translation: I am looking for a new "home." Preferably - and that is the "operative word" - working in a staff or staff consulting job preferably - that word again - in, or from, southeast Florida; however, all opportunities will be considered.

In as few words as possible:

Enterprise Risk Management - Business Continuity defined

Enterprise Risk Management, a/k/a Business Continuity, identifies profit centers, and all related internal and external, processes. It is similar to Business Analysis. Enterprise Risk Management looks at all potential threats to a process from inception (e.g., proposal) to completion (e.g., payment received), identifies means to avoid or mitigate the threats, and prioritizes preventive actions. Additionally, Enterprise Risk Management develops plans to respond to threats if they occur, creates a process to maintain the plan, and creates response exercises to assure efficient, expeditious, and economical recovery if a disaster event occurs. Enterprise Risk Management is, in 3 words, a business survival program.
In brief

Experience More than 13 years creating programs and complete plans for Defense, Energy Exploration, Financial, Fortune 100, Government, Insurance, International, and Transportation organizations
Certification Member, Business Continuity Institute since 2004
Initially certified by The Harris Institute in 1999
Plan types Enterprise, Key Business Unit, IT-specific
Management Diplomatic manager and mentor to personnel at all levels
Managed 47 sites in 17 states from virtual office in Florida
As many as 20 direct reports; unknown number of indirect reports
Presentation Present Enterprise Risk Management/Business Continuity to personnel of all levels, individually and in groups
Related skills Emergency Management
Crisis Management
Documentation: all program and project documents from proposal to final deliverable; marketing materials, proposals, policies & procedures, public relations; technical documentation, user guides, and journalism
Publications Published twice-a-year in the leading quarterly professional journal, frequently published by other professional publications; occasionally published in trade and general media
Other Disaster Recovery Journal (DRJ) Editorial Review Board
Active member, DRJ Forums and Blogs
Maintain professional Web presence and professional blog
Citizenship United States, evidenced by active U.S. passport
Travel Extensive job-related domestic and international travel welcome
Availability January 11, 2010
Resume A detailed resume and list of references is available upon request
JohnGlennMBCI @ gmail.com or 1.727.542.7843


Thursday, December 10, 2009

ERM-BC-COOP: It's how you say it


The other day Google reported that someone had looked for articles on "language."

An article I cobbled together a few days more than 4 years ago became a search engine "hit."

What I wrote then in the piece called "Heard, but not understood" (http://johnglennmbci.com/language.html) was valid then and it remains valid today - on several levels.

The first level is the fact that practitioners need to help clients - be they internal or external - understand the need to select the best people for the jobs at hand.

In this case, the "job at hand" is notification, telling staff and others what's going on and what to do - or not to do.

The concern highlighted in the article is the audience's ability to understand what is being communicated.

The article focused most on accents, pronunciation. We've all struggled with off-shore "Help" staff. We had a hard time understanding their English and they probably had an equally hard time understanding our English. Very often before the problem was resolved, there was frustration and anger on both sides of the connection.

But there is more than simply how a word is spoken.

It also is the choice of words.

Some of us have a limited vocabulary and almost all of us lack familiarity with all the acronyms and buzz words floating around. We need to keep that in mind when talking to others, especially those not "in the know" about an incident at work, or even at home.

The goal is comprehension, understanding. Lacking that means the communication effort failed.

When I was a young reporter I was impressed with the fact that I had to "write to the audience." When I wore a Sports Reporter hat I wrote one way; when I wrote Society news I wore a different chapeau. As an Enterprise Risk Management practitioner, I write certain sections of the overall document to one audience (executive management) and other sections for a different audience (responders).

That does not mean "talking down" either to the executives or the responders; it only means communicating at the reader's comprehension level. Education, by the way, has little or nothing to do with comprehension. (Maybe I should put a "bang" at the end of the previous sentence. You do know what I mean by "bang*," correct?)

On a second level, I was reminded that, as Solomon allegedly claimed, there is nothing new under the sun - even if we practitioners conveniently let something slip our minds.

That was brought to my attention by a IAEM** post that starts off:

    S.F. State students seize business building


    (12-09) 17:47 PST SAN FRANCISCO -- A few dozen students at San Francisco State University seized the business school building early Wednesday, the latest in a rash of student takeovers to protest soaring tuition and diminished course offerings at California's public universities.

    Read more: http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2009/12/10/BA2N1B1P5L.DTL#ixzz0ZIT5PQ9S

    The occupation follows building takeovers at UC Berkeley and UC Santa Cruz last month, and a round-the-clock student campout in an auditorium on the Berkeley campus that began Monday and is expected to last through Friday.

Back in the 60s the San Francisco area was famous for anti-war demonstrations. Other cities also had "events," but the Bay area, especially UC Berkeley, were famous - or infamous - for demonstrations.

The folks at San Francisco State should have been prepared for the takeover of a building. The campus police, city, and state police also should have had a joint plan; maybe they do. Most assuredly, the university and the local Emergency management folks should have worked together long before the takeover for just such an event.

As one correspondent pointed out, planning for a takeover ever is difficult at best since, unlike a hurricane, the threat follows the response. What the writer way presenting is that had there been a plan and had the plan been advertized, the people who took over the building would have been able to counter the school's response.

Assuming they had copies of the plan and assuming the people responding lacked the ability to think dynamically, to change the plan as necessary.

Enterprise Risk Management is not a process that is documented to become shelfware - a binder or several sitting unused and gathering dust on a book shelf.

The core answer to both issues is selecting the right people for the job.

Normally, practitioners have little say in selection of responders, but they should try to recommend requirements for the people who will fill the various roles. That's not always easy, especially when the CEO wants to be the spokesperson yet he, or she, freezes before the cameras.

In regard to identifying threats that are less than obvious - after all, there were no sit-ins since the 60s, almost half a century ago - practitioners need people who think not only "outside the box" but sometimes "off the wall" as well.

Solomon was right.

* Bang is a Unix term for exclamation point.

** The International Association of Emergency Managers (IAEM), is a non-profit educational organization dedicated to promoting the goals of saving lives and protecting property during emergencies and disasters. (http://www.iaem.com/)

John Glenn, MBCI
Enterprise Risk Management practitioner
Looking for work in - or from - southeast Florida


Sunday, December 6, 2009

ERM-BC-COOP: Generalize the specific

One of the lists on which I participate recently had the following appeal:


Our University will be gaining ownership of all of our natural gas lines and will need to develop an Emergency Response Plan for gas leaks, terrorism, or other disasters that may involve our natural gas lines.

If you could share any of your emergency response plans regarding natural gas lines or a location or contact to get samples, I would really appreciate it. Thank you in advance!


I provided a very expansive recommendation that could be "generalized" to cover more situations that Jeff's gas line. I submit it below for consideration as how it might apply to a situation in your organization.

Strongly encourage you talk to the experts - the people from whom you are acquiring the pipes.

Failing that, talk to the people who supply the gas that will flow through the pipes.

Either/both (if different) should be able to tell you about the inherent risks and the localized (environment, etc.) risks.

Also talk with local constabulary, fire department, and EMTs (if not part of fire brigade) - all need to know where the pipes are located.

Finally, make certain the pipes are mapped with the local "Before You Dig" operation (that is both good - helps prevent "accidental" breaks by a backhoe or trencher - and bad - makes the location available to a miscreant claiming to be a contractor).

Remember, the best way to handle an emergency is to avoid (or mitigate) it in the first place. The folks I recommended can help you on both counts - protecting the resource and restoring to business as usual if something nasty insists on happening.

I would _not_ recommend a "cut-n-paste" from someone else's plan (although the core information can be used to give direction to _your_ plan) since your university (environment) is unique.


John Glenn, MBCI
Enterprise Risk Management practitioner
Hollywood/Fort Lauderdale Florida
Seeking opportunities that will - preferably - let me work in, or from, southeast Florida.


Thursday, December 3, 2009

ERM-BC-COOP: December events


December has at least a couple of "moments to remember" for risk management practitioners.

Two "big" dates that quickly come to mind are December 3 and December 7.

On December 3, 1984, a methyl isocyanate gas leak from a Union Carbide plant in Bhopal, India, spread over a populated area, resulting ultimately in 15,000 to 20,000 deaths and leaving some half million survivors with chronic medical ailments (Encyclopedia Britannica).

On December 7, 1941, the Imperial Japanese Navy attacked the Pearl Harbor Hawaii Navy installation and nearby U.S. air bases Hickam Field, Wheeler Field, Bellows Field, and Ford Island. According to Wikipedia, when the Japanese retired, 2,402 Americans were killed and 1,282 wounded. (By comparison, 2,976 civilian personnel were murdered by Islamic terrorists on September 11, 2001.)

A visit to http://www.hisdates.com/ list, day-by-day, some events that should deserve our attention but usually don't get it.

Bhopal probably is forgotten except those who live in Bhopal, Charleston WV, or similar chemical valley locations.

Ask an American born during or after the Korean "policing action" (from June 15, 1950) about December 7th and the all-too-frequent response is "huh?"

An enterprising Enterprise Risk Management practitioner (group) could easily put together an ERM calendar identifying Great Events in ERM for (almost) every one of the 365 days of the year - and yes, even a Leap Year's extra day.

The problem with The World is that it - we - have short memories. We fail to take Dwayne F. Schneider's (Pat Harrington Jr.), frequent admonishment on the sitcom "One Day at a Time" to "always remember and never forget." Put at a higher literary level, Jorge Agustín Nicolás Ruiz de Santayana y Borrás wrote in Reason in Common Sense, volume 1 of The Life of Reason that "those who cannot remember the past are condemned to repeat it."

Just poking around the HISDATES.COM (ibid.) for December 1 turns up a number of notable entries. Some might seem unlikely for an ERM calendar of nasty happenings, but consider:

  • 2006 - Typhoon Durian kills at least 388 people in Albay province on the island of Luzon in the Philippines
  • 1996 - In a move that led to a public-relations disaster, America Online shifted to a flat $19.95-per-month fee for unlimited access (Everyone forgot about "New Coke"?)
  • 1995 - Michael Monus, the former president of the Phar-Mor drug store chain, was found guilty of embezzling roughly $1 billion from the company (Need for succession planning, image management, and alternate responders)
  • 1988 - 596 dead after cyclone hits Bangladesh, half a million homeless
  • 1983 - Rita Lavelle, former head of EPA, convicted of perjury (See 1995)
  • 1981 - 180 die as Yugoslav DC-9 jetliner slams into a mountain (Need policy preventing "key personnel" from traveling on same conveyance)
  • 1969 - US government holds its first draft lottery since WW II (Loss of personnel whose jobs are guaranteed by law; staffing difficulties)
  • 1967 - Wilt Chamberlain set NBA record of 22 free throws misses (thereby proving the need to continually practice (exercise) the plan)
  • 1958 - Our Lady of Angels School burns, killing 92 students and 3 nuns (Personnel unable to come to work; parents must attend to dead or injured children)
  • 1955 - Rosa Parks arrested for refusing to move to back of the bus (Civil unrest)
  • 1951 - Golden Gate Bridge closes due to high winds (Personnel unable to come to work; clients unable to visit sales area; vendors unable to deliver goods)
  • 1938 - School bus and train collide in Salt Lake City Utah (Personnel unable to come to work; parents must attend to dead or injured children; railroad service delayed)
  • 1913 - Continuous moving assembly line introduced by Ford (Competition changes processes to gain major advantage)
  • 1887 - Sino-Portuguese treaty recognizes Portugal's control of Macao (Government fiats impact regulations, business practices, import/export processes)
  • 1864 - Fire in Brisbane destroys city area bounded by Queen, George, Elizabeth and Albert streets
  • 1640 - Jews are expelled from Great Russia by Empress Elisabeth (massive loss of personnel, clients, income, possible shut-down of critical vendors all due to loss of personnel)

More about






Pearl Harbor



John Glenn, MBCI
Enterprise Risk Management practitioner
Hollywood/Fort Lauderdale Florida
Looking for staff or staff consulting opportunities working in, or from, southeast Florida

Tuesday, December 1, 2009

ERM-BC-COOP: Pedal to the metal


Toyota is in the process of modifying a number of its models because of run-away engines.

At first the problem was blamed on a floor mat; then something else.

The problem was discussed by talking heads and reported on paper.

But, to the best of my knowledge, no one made any suggestion about what to do it the car continued to accelerate.

Which, being a former reporter, I think is derelict.

What to do is - should be - a "no brainer."

Shift the car into Neutral (do NOT shut off the engine).

Look for a safe place to stop.

When the vehicle's stopped safely off the road, THEN shut off the engine.

If the engine is shut down - or shuts down - before the vehicle is safely off the roadway, the car's power steering and power breaks suddenly become worse-than-manual/pre-power versions and that can lead to an accident.

The problem, and my complaint with both the media and the manufacturer, is that no one talks about "What to do if" situations. (My Hyundai Elantra Owner's Manual fails to mention the possibility.)

As a person who has been in some strange situations, I know the value of considering all the "what if"s and training - again and again and again - to respond when the "what if" happens.

When I was confirming that putting the vehicle in Neutral would not cause any damage, a couple of the respondents (see http://action.publicbroadcasting.net/cartalk/posts/list/2132859.page) noted that, in my synopsis, lack of training prevents the driver from making the correct decision and taking the correct action.

Since my business is risk management, and since risk management includes responding if the risk insists occurring , and since responding requires training exercises, I find the lack of information in my Owner's Manual and in the media a sad state of affairs. How can people practice an emergency action if they don't know (a) that the risk is there and (b) there is an action to take.

All of the above, of course, goes to prove that risk management is a process that belongs not only in the office or factory but in the home and car as well.

John Glenn, MBCI
Hollywood/Fort Lauderdale FL
Looking for staff or staff consulting work preferably in or from southeast Florida


Friday, November 27, 2009

Thanksgiving surprise


My pre-Thanksgiving surprise from my boss was that I was left off the 2010 budget.

Translation: I am looking for a new "home." Preferably - and that IS the "operative word" - working in a staff or staff consulting job preferably - that word again - in, or from southeast Florida; however, all opportunities will be considered.

In as few words as possible:

Enterprise Risk Management - Business Continuity defined

Enterprise Risk Management, a/k/a Business Continuity identifies profit centers, and all related internal and external, processes. Enterprise Risk Management looks at all potential threats to a process from inception (e.g., proposal) to completion (e.g., payment received), identifies means to avoid or mitigate the threats, and prioritizes preventive actions. Additionally, Enterprise Risk Management develops plans to respond to threats if they occur, creates a process to maintain the plan, and creates response exercises to assure efficient, expeditious, and economical recovery if a disaster event occurs. Enterprise Risk Management is, in 3 words, a business survival program.
In brief

Experience More than 13 years creating programs and complete plans for Defense, Energy Exploration, Financial, Fortune 100, Government, Insurance, International, and Transportation organizations
Certification Member, Business Continuity Institute since 2004
Initially certified by The Harris Institute in 1999
Plan types Enterprise, Key Business Unit, IT-specific
Management Diplomatic manager and mentor to personnel at all levels
Managed 47 sites in 17 states from virtual office in Florida
As many as 20 direct reports; unknown number of indirect reports
Presentation Present Enterprise Risk Management/Business Continuity to personnel of all levels, individually and in groups
Related skills Emergency Management
Crisis Management
Documentation: all program and project documents from proposal to final deliverable; marketing materials, proposals, policies & procedures, public relations; technical documentation, user guides, and journalism
Publications Published twice-a-year in the leading quarterly professional journal, frequently published by other professional publications; occasionally published in trade and general media (Publications list)
Other Disaster Recovery Journal (DRJ) Editorial Review Board
Active member, DRJ Forums and Blogs
Maintain professional Web presence and professional blog
Citizenship United States, evidenced by active U.S. passport
Travel Extensive job-related domestic and international travel welcome
Availability Two weeks from employment confirmation
Resume A detailed resume and list of references is available upon request
JohnGlennMBCI @ gmail.com or 1.727.542.7843


Wednesday, November 25, 2009

ERM-BC-COOP: Match resources with needs - and population


A few years ago an IT manager-moving-into-EM and BC asked me for thoughts on his situation. He then was in Pakistan.

He was of course concerned about his data center, a target for terrorists, and we discussed ways to protect that.

But his greater concern was threat of natural disasters that would challenge his then-new role in Emergency Management.

Pakistan has some fairly mountainous country (see http://lib.utexas.edu/maps/middle_east_and_asia/pakistan_rel_2002.jpg) and my correspondent was concerned with earthquakes.

I suggested that there were a number of things that could be considered, both before and after an event.

Turns out at least one of my suggestions was tried and proven.

One of the main post-event problems is moving things in and bringing people out.

During the 1906 earthquake, the US Army used mules to carry things into and people out of San Francisco CA (see http://www.sfmuseum.org/movie4.html

Some things never change.

What I recommended were, among other things,

  • acquisition of easy-to-use, limited-frequency shortwave transceivers

  • caching medical and long-life food supplies in strategic locations

  • inventorying high-altitude helicopters, mobile medical facilities, portable housing (tents) and pack animals able to traverse terrain unsuitable to mechanized land vehicles.

I also recommended that my acquaintance develop a plan to control volunteers, both from within Pakistan and from without, including "official" (government and recognized NGOs) and unofficial (individuals and groups who may, or may not, have needed skills).

Most of my recommendations were relatively low-tech and all were "off-the-shelf."

The most "difficult" would be training people in remote villages and camps to use the radios.

On the other hand, if the HF (shortwave) radios were limited to one or two frequencies, antenna tuning problems will be eliminated. If radios were distributed across the HF spectrum, again with only one or two frequencies per unit, the transmission could be identified by the frequency - although some additional burden would be placed on the sponsor who would have to monitor many more frequencies.

The radios would have to either be equipped with hand cranks to generate their own power or the villagers would need to be supplied with, and trained to use, hand-crank generators. This is "ancient" technology. True, solar powered battery chargers or generators are a possibility, but where people are mobile (e.g., moving herds to different pasturing areas), everything has to be "robust." I think hand-crank generators meet this requirement better than mirrors, and they work in the dark.

Always consider the use and the user when selecting tools.

Since I proposed stockpiling some basic medical supplies, someone in each village or group would need advanced first aid training. Indeed, probably several "someones" to preserve modesty (otherwise some injured may reject treatment from a person of the opposite sex; again, always consider the population's mentality).

As with everything else "risk management," all functions should have primary and perhaps several alternates available to accomplish the task(s).

What I failed to suggest was that he should research the life styles of the people he might be called upon to assist.

An acquaintance in Israel tells a story of the government's instruction being bested by family tradition.

Seems the government told its citizens that in the event of an attack, they were to go to the nearest shelter and stay there until the all clear.

The mentality of the people, particularly those from North Africa, is to cluster in family groups, never mind the distance. If the family patriarch or matriarch goes to Shelter Alef, you can bet the rest of the family - including nephews and neices - will go to Shelter Alef as well, bringing with them all the necessities to wait until the Army resolves the problem. (This may be less true today with the "only seconds" notice of incoming missiles from Gaza.)

There are several "bottom lines" to this exercise.

  • Low-tech often is as good as, and sometimes better than, high tech.

  • Understand the targeted population's mentality - "knowing the audience" - is as important as the tools provided.


John Glenn, MBCI
Enterprise Risk Management (Business Continuity) practitioner
Hollywood/Fort Lauderdale Florida

The author of this blog currently is seeking staff or staff consulting opportunities preferably working in, or from, southeast Florida (however all opportunities will be considered).


Tuesday, November 24, 2009

Enterprise Risk Management - Business Continuity practitioner is


looking for staff or staff consulting opportunities preferably working in, or from, southeast Florida. MBCI with 13+ years experience. Extensive domestic and international travel welcome.

1.727.542.7843 or JohnGlennMBCI@gmail.com

That, in as few words as I can manage, is my reaction to my Thanksgiving surprise.

If anyone knows (anyone who knows) of a risk management - business continuity opportunity, please share it with me.

Know that any information will be appreciated.


Sunday, November 22, 2009

Of mammograms and pap smears


Are mammograms and pap smears a risk management issue? For that matter are tests for prostate and colorectal cancers a risk management issue?

They are if we value employees.

It goes beyond Joe or Jo at the workplace.

It includes their near kin; parents, children.

The subject comes up because recent news announcements have suggested that women reduce the frequency of both mammograms and pap smears.

There is scientific evidence that these diagnostic procedures most often show negative results for certain age groups, but to my mind, the operative words are "most often."

I am cognizant that there are too many false positives that lead to additional, always expensive and often uncomfortable, testing, but it seems to me that it beats the alternatives for both the woman and the insurance company or government (that has to pay for extended treatment).

Because I have a suspicious mind, I immediately suspect the insurance industry as the behind-the-scenes promoter of fewer exams. But unless the insurance companies can somehow avoid paying for extended treatments, what do they gain?

I confess to having a personal interest in the recommended cut-backs on the procedures.

I'm told that neither mammograms or pap smears are a walk in the park; women have to steel themselves to the discomfort, but they do it because - given today's technology - they know the annual squeeze and scrape is necessary for a long and happy life.

As a man. I know the discomfort of a manual prostate exam (and the relative ease of the blood test that, I am sure, is easier on me than it is on the insurance carrier). I don't LIKE being "needled," but it's less bothersome than "getting the finger."

But, let's say that G-d forbid, someone close to a worker has cancer. (I have a close friend with cancer and I lost another to a lingering and excruciatingly painful cancer, so I write from personal experience.) I am concerned and, frankly, distracted. Fortunately I don't operate dangerous machinery. If my friend was my wife or a child, I would be taking time off to take the patient to treatments, and more time off helping them recover from the treatments.

You see, preventive medicine - including mammograms, pap smears, prostate exams, et al, - really is a risk management - business continuity issue.

As we apparently are nearing a national health bill, any recommendations to reduce preventive medicine can be expected to be embraced by the financially conservative; there is no question that the exams can be expensive.

The real question to ask is what is the real cost of reducing or eliminating these, and other, preventive medicine procedures?

It seems to me a "pay me now or pay me (more) later" situation.

But, I am not a doctor and I don't play one on tv.


John Glenn, MBCI
Enterprise Risk Management practitioner
Hollywood/Fort Lauderdale Florida

Monday, November 16, 2009

ERM-BC-COOP: Software vs. Brainware


I was just looking at a LinkedIn sub-group (a/k/a SIG) invitation list from a group to which I belong.

Many of the Special Interest Group (SIG) names included software types - not necessarily products (e.g., Oracle) but functions (e.g., ERP, or Enterprise Resource Planning).

While Enterprise Risk Management - Business Continuity (COOP) practitioners have a wealth of software available, from the high end applications to simple word processor templates, most experienced practitioners I know depend not on limited-functionality, fill-in-the-blanks, force-a-square-peg-into-a-round-hole application (or template).

We depend not on software, but brainware.

Software is OK to collect and store information.

Software is good for updating existing information, albeit it is a tad risky that there will be a temptation to only update what is stored rather than going out into the real world to confirm that the changes about to be made are the ONLY changes that need to be made.

Brainware and software are mutually compatible PROVIDING that brainware is superior to the bits-and-bytes application.

The problem for many organizations is that they honestly believe that software can replace brainware; that the organization can engage a tyro or second an already overworked administrative assistant (nee' secretary) to create a plan to save the organization when an interruption to "business as usual" occurs.

Understand, I am NOT disparaging secretaries and I certainly don't want to suggest that a secretary, overworked or not, cannot become a competent - even superior - risk management practitioner; only that to do the job correctly, professionally, the person needs guidance - mentoring - and an understanding that risk management is worthwhile.

At the same time, any organization that delegates risk management to a person with no background in the field shouts to the world that senior management either fails to understand the process and its value, or cares not a whit for the process.

Over the several years I have been doing risk management I have created list after list after list of threats. Each list is longer than the previous list.

Why? Simple. As I work in the field and as I associate with other practitioners, I realize there are risks I failed to previously perceive.

Mind, I usually am ahead of the curve. Planes into tall buildings? Covered that long before 9-11. Am I a seer able to presage the disaster? Hardly.

What I am is open-eyed and a reader of history.

Planes routinely land short of runways; sometimes on top of homes or, in my neighborhood, on the flat roofs of Publix supermarkets; why Publix and not Winn-Dixie I have no idea. In 1945, a US Army Air Corps bomber crashed into the Empire State Building; it had flown off course and too low in a fog.

On 9-11 then, aircraft smashing into the World Trade Center towers should not have come as a total surprise, there was precedent; the deliberate murder of innocents by Moslem terrorists, perhaps that was a surprise (as was Pearl Harbor - an event for which the U.S. apparently also had ample warning).

The financial meltdown also was predictable. It happens about once every 20 to 30 years and usually for the same reason - greed. Could it have been prevented? Probably. But prevented or not, the risk management practitioner, using brainware, would have been aware of the probability and prepared his, or her, client to withstand the "downturn."

Certainly risks can be built into software applications.

But, as I wrote earlier, I have been doing risk management for a bit more than a baker's dozen years and I still have the catch-all words "ubiquitous other" at the end of the list. "Ubiquitous other" is the threat that, so far, has escaped my attention.

My list is long and it gets longer as additional - I'm not sure that "new" is accurate - threats are identified.

I realize that I don't know all the threats to "business as usual" and I long ago learned that a risk management program needs input from everyone - from the janitor, a very "key" person, to the most senior executive (who, in some cases, is one and the same). Everyone has his or her unique perspective on the organization and that person's role in the organization; likewise each person has his or her own personal priorities that must be considered.

Bottom line: A risk management program cannot, if it is to be successful, be created in a vacuum.

I use software everyday in my work. I am heavily dependent on it.

Still, if need be, I can pick up a pencil (and sharpen it with my handy pocket knife) and scribble notes on scraps of paper for later "input" into software.

What I must have is brainware; the ability to think (both inside and outside the box, off the wall, and any other cliche' that comes to mind), to examine ALL the possibilities and ALL the ways to avoid or mitigate the threats, including "but not limited to" as the contract weasel words state, personnel (or personal) awareness.

Software might suggest things, and software might store things, but it takes brainware to create, sustain, and exercise a viable risk management program.

To this scrivener's mind, brainware trumps software every time.

John Glenn, MBCI
Enterprise Risk Management
Hollywood/Fort Lauderdale Florida


Sunday, November 15, 2009

Lover of words


I came to Enterprise Risk Management , a/k/a Business Continuity, via tech pubs.

I got to tech pubs via honest (newspaper) reporting ("journalism" is far too fancy a word for what I wrote) and public relations. I came to reporting (and later editing) from the Orlando Sentinel's "back shop" where, back in the day, metal type (slugs) were carefully placed into forms (chaises) on rolling tables (turtles).

I "lucked into" the backshop having put in an application immediately following separation from the Flyin' Corps - don't call us, we'll call you, said the HR person. Two weeks later she DID, to my surprise.

But, as usual, I digress.

Lacking a journalism, or any other, degree, all I had to open the door to editorial was chutzpah (I knew I could write at least as well as the reporters at the Sentinel (and later Today), my journeyman printer status, and a vocabulary that, while hardly a match for either Hubert Humphrey on the Left or William Buckley on the Right - or even Spiro Agnew who also knew how to turn a phrase - was greater than most, and I deliberately chose the word "greater" in this case. Never mind that my spelling was suspect; there are proofreaders to save my copy (and to all the proofreaders - and typesetters - who DID save me from embarrassment, thank you).

My love of words commenced - began, even - before I crossed the threshold of Benjamin Harrison PS #2 for the first time as a first grader. I had an "in" at the Indianapolis Public Library. (As it happens, I still have an "in" at the library; Donna Foster, a different person - my original long since departed this world - but one I value highly.)

As a tyke, I was read to and I read. (I also was taken to hear the Indianapolis Symphony, both kids' concerts such as Peter and that large predatory canid and "adult" evenings, but that is a topic for another time.)

I read everything I could hold in my hands. True, this was before tv, but radio was entertaining, so I had options. But in addition to a floor-model Philco roll-top radio, we had books, and the main library was just a block down the alley. My reading never was restricted - if I could reach it, I could (try to) read it.

One thing about reading is that the reader's vocabulary increases by osmosis; kids especially are sponges and, unknowingly, I sponged up a great deal of what I read. I remembered the words, but to my misfortune, not always how to spell the words.

Rather akin to Eliza Doolittle (Pygmalion, My Fair Lady), how one speaks - and the vocabulary the person has at "tongue" - really does influence how people respond.

Put another way, "It's not what you say, it's how you say it." With class, but never condescendingly.

Besides letting me squeeze into the editorial department - I got a cub reporter job on a small northern Indiana daily - my way with words helped keep my nose from being "reshaped" by some folks who may have found my opinions "objectionable."

It's been a few years since I got my first library card - now I have a plastic one with a bar code, progress I can appreciate (but, even though I am "computer literate," I miss the card files) - and I still love to read.

Maybe because the general quality of tv is less than it could be, I still find it easy to pick up a book and ignore the tube. I'm not sure my vocabulary is growing as fast as it did in my youth, but thanks to my reading habits, the library card, and the Internet, it's not for lack of material to read.

John Glenn, MBCI
Enterprise Risk Management practitioner and reader


Wednesday, November 11, 2009

ERM-BC-COOP: Off-shoring threats

Carl G. Fsadni, Senior Manager at Cognizant Technology Solutions - Infrastructure Practice, writing on the LinkedIn group Business Continuity/Disaster Recovery Network brings an interesting threat to organizations that sent work off shore.

While Fsadni's comments focus on India, they apply equally to other locations (e.g., the Philippines, Malaysia).

He asks: Is India a soft-target for Taliban terrorists?

His concerns are very real even before the Taliban becomes a nuclear threat, and that is only a matter of time (given Pakistan's nuclear capability, Russian hardware availability, and Iran's and North Korea's development efforts).

The Taliban is just one of many groups - some Islamist, some not, but all with the potential to create mutually beneficial short or long-term working arrangements - scattered around the globe.

In the rush to save a buck, corporate executives sent off-shore as many "first world" jobs as possible. Some jobs went to neighboring states (e.g., auto manufacturing from the US to Mexico), some went to distant continents (e.g., call centers and software coding to Asia).

As the jobs went out of the country, the demand for skilled people to do the jobs diminished and two things happened:

    1) People with skills no longer in demand at home lost their leading edge knowledge and looked elsewhere to survive, and

    2) Prospective additions to the field that was outsourced look to other fields, assuring that if the work ever is brought back, there will be no locals capable of doing the work

While this is happening, schools - trade and university - are having to re-think their offerings, and the government is having to get new rubber stamps for visa requests from the folks elsewhere who will flood the local market (there being few if any locals still retaining equal skills to do the job).

The desire to "save a buck" (or pound or mark or . . . ) may turn out to be short-sighted if something happens to the off-shore operation and the operation can no long be restored in the home, "first world," country.

The Enterprise Risk Management (ERM) perspective is that off-shoring is a risk that, as with other risks, must be considered, prioritized, avoided or mitigated, and a response prepared.

As with all ERM programs, the risks (and responses) must be continually reviewed; in this case, changes to the threat to the vendor (internal or external) and the ripple effect to the "home country" operation must be updated on a frequent basis. How this review is accomplished is another matter for another time.

Just as most organizations failed to consider a financial vendor failure, many fail to see the increasing probability that an off-shore vendor's operations will be disrupted.

From my point-of-view, the time has come to re-think the list of risks facing an organization; we must broaden the view and be all-inclusive; bottom line, it's time to throw away the box and to play the "what if" game sans limitations.

John Glenn, MBCI C Enterprise Risk Management
Hollywood/Fort Lauderdale Florida
JohnGlennMBCI at gmail dot com

Sunday, November 8, 2009

FEMA Independence Act of 2009 (HR 1174)


(The) FEMA Independence Act of 2009 re-establishes the Federal Emergency Management Agency (FEMA) as a cabinet-level independent establishment in the executive branch.

Requires FEMA to be headed by an Administrator appointed by the President.

Establishes as FEMA's primary mission to reduce the loss of life and property and protect the nation from hazards by leading and supporting the nation in a comprehensive emergency management system of preparedness, protection, response, recovery, and mitigation.

Prescribes the Administrator's responsibilities.

Requires each Regional Administrator to establish a Regional Advisory Council.

Requires FEMA to have an Office of the Inspector General.

Includes among FEMA functions:

    (1) those functions it had on January 1, 2009, including continuity of operations and government programs; and

    (2) functions relating to FEMA under the Robert T. Stafford Disaster Relief and Emergency Assistance Act. Directs the Administrator to continue to maintain a National Advisory Council.

Requires the National Integration Center to ensure that the National Response Plan provides for a clear chain of command to lead and coordinate the federal response to any hazard.

Abolishes the position of Principal Federal Official.

Requires the Administrator to:

    (1) continue to implement a memorandum of understanding with the administrators of the Emergency Management Assistance Compact, state, local, and tribal governments, and organizations that represent emergency response providers to collaborate on developing standards for deployment capabilities, including for credentialing and typing; and

    2) appoint a Disability Coordinator.

Complete details of bill at


Wednesday, October 28, 2009

EMC-BC-COOP: Insurance companies “don't get it”

I recently sent emails or Web messages to several insurance companies (AIG, Fireman's Fund, GEICO, Mass Mutual, and State Farm) asking each one very simple question:

Does your company give discounts to organizations that have business continuity plans?

A simple Yes or No answer was in order.

If the answer was “yes,” the next question was “How do you evaluate the plan?”

It's been about a week and so far I have responses from Fireman's Fund, GEICO, Mass Mutual, and State Farm.

GEICO's Donna Giordano, a Rewrite Supervisor, wrote that “Currently we do not have a partner that offers business continuity insurance.”

I didn't ask if GEICO SOLD business continuity insurance; only if its 'business customers could get a DISCOUNT if they had a business continuity plan.

State Farm's Internet Customer Response Team referred me – twice in response to one request – to its Winter Haven Operations Center (because I reside in Florida).

My question was global in nature and had nothing specifically to do with Florida. Worse, the Internet Customer Response Team advised me that it was “unable to provide the requested information via email.” Worse still, there was no phone number or contact person provided in the email.

Fireman's Fund's Cindy Umsted of Customer Service in the Commercial Insurance Division, wrote that “As you may know, Fireman's Fund uses the American Independent Agency System to sell our products. Based on the information you provided, below is a preferred agent in your area you may contact about your needs.”

To Ms. Umsted's credit, she did provide a local phone number – but I don't want to buy insurance; I want I*N*F*O*R*M*A*T*I*O*N.

Someone at Mass Mutual (I'm sure it used to be Massachusetts Mutual, but with the economy in the tank and the cost of ink . . . ) forwarded my inquiry to Michael E. Klavan, a partner in the Eppy Financial Group in Fort Lauderdaale; he in turn sent me an email asking that I call. (When I did I talked to his voice mail.)

Mr. Klavan's email gave me a clue that whoever read my message at Mass Mutual – like those at the other companies – didn't get it; he wrote that “I have been forwarded your request for information regarding MassMutual and various business coverages.”

The question I asked requires a corporate-level response. Why should it make a difference where my organization is located in order to provide a generic Yes or No answer. Granted, an insurance company may not want to write insurance in a specific geographic area or the discount may vary by location, but again, the question remains:

Does your company give discounts to organizations that have business continuity plans?

Why do I care?

As an Enterprise Risk Management (Business Continuity – COOP) practitioner, it would be nice to tell my clients that in addition to greatly increasing the organization's survivability, there might be an insurance discount available.

It's good for me as it means someone – hopefully a qualified someone – vets my plan, and it may mean more business; it's good for my clients, and it's good for the insurance companies (since the claims would be reduced).

If this is how insurance companies handle inquiries, I wonder how they handle claims.

John Glenn, MBCI
Enterprise Risk Management Practitioner
Hollywood/Fort Lauderdale Florida
JohnGlennMBCI at gmail dot com

Tuesday, October 27, 2009

ERM-BC-COOP: Affordable protection for the Mom and Pop shop

Enterprise Risk Management, a/k/a Business Continuity, usually is thought of as something only the Big Organizations can afford.

In a sense, that's right.

Most Big Organizations that understand ERM have at least one full-time practitioner; some have staffs.

This luxury is not in a Mom-n-Pop, small to medium business, budget.

Even bringing in an experienced consultant to create a complete plan, to set up an on-going program, may strain the budget to the breaking point. Bringing in an inexperienced consultant, although easing the strain on the budget, jeopardizes the enterprise.

What to do?


Mom and Pop can build their own Business Continuity plan.

But that's akin to a lawyer defending himself – or herself – before the Bar. Foolish.

But there is a way.

I put a two-part article on my Web site that tells Mom and Pop and other small business managers how to create a basic plan. It is not a plan, but a “get started in the right direction” instruction.

Let's be honest; ERM is not brain surgery; that you can do “by the numbers.” ERM takes thought; it means playing the “what it” game, and that takes experience to ferret out most – you never get them all – of the threats to an organization and, moreover, how to deal with the threats.

If Mom and Pop will get together with the two-part article and then call in a consultant (I'm available) to vet their plan, then the small business can have a survival plan without killing the budget.

The article, “Mom and Pop need Business Continuity, too,” is linked from http://JohnGlennMBCI.com/articles.html .

John Glenn, MBCI
Enterprise Risk Management practitioner
Hollywood/Fort Lauderdale Florida
JohnGlennMBCI at gmail dot com

Monday, October 5, 2009

Zombies get everyones' attention

The following "incident" got a lot of national (and maybe international) press attention. The attention many not have been particularly good for the author, but it DID gain attention for Emergency Management - perhaps we, Enterprise Risk Management practitioners - can use a similar approach to gain attention for our efforts. jg


A University of Florida manager posted a plan to deal with zombies on the school's Web site.

From the Gainesville FL Sun http://www.gainesville.com/article/20091002/ARTICLES/910021006/1002?Title=Thank-goodness-UF-has-a-plan-for-zombie-invasions

By Nathan Crabbe
Staff writer

Forget swine flu: The University of Florida's latest plan of attack concerns the off chance its employees become flesh-eating zombies.

A plan to deal with a campus zombie attack was posted among disaster preparation exercises on the university's e-Learning Web site before being removed late Thursday afternoon.

The plan included medical information on "zombieism" and a form allowing UF employees to explain why they killed infected co-workers, such as those workers making "references to wanting to eat brains."

"Obviously it was meant to be humorous," Doug Johnson, manager of UF's e-Learning Support Services and author of the plan, said Thursday before it was removed.

He said the plan was meant to reduce stress in the office as well as inspire thinking about how to handle a campus closure. With swine flu raising the possibility of such a scenario, he said, the office is making plans including holding a test run by operating its e-Learning services from off campus.

After word of the zombie plan broke Thursday morning, it received national media attention before it was ordered pulled later in the day. No disciplinary action will be taken against Johnson because he wrote the plan on his own time, UF spokesman Steve Orlando said.

Johnson said he has insomnia and that the idea for the plan came to him as he lay awake around 1 a.m. He said he wrote until about 4 a.m., mining Wikipedia for zombie information and using knowledge culled from his own reading of the novel "World War Z: An Oral History of the Zombie War" and previous viewing of movies such as the zombie comedy "Shaun of the Dead."

Zombies are a longtime horror-movie staple that have exploded into a pop culture phenomenon, from the Jane Austen parody "Pride and Prejudice and Zombies" to the new movie "Zombieland." The UF zombie plan included footnotes referring to previous zombie movies such as "Night of the Living Dead" and "28 Days Later" as documentaries.

The six-page document listed "tentative action items" such as equipping offices with easily barricaded doors and giving employees weapons to defend themselves.

"Some employees may prefer weapons such as chain saws, baseball bats and explosives that have been shown to be effective against zombies," the plan said. "Given the stress on staff to be anticipated during a zombie outbreak, employees should be given the flexibility to choose their own weaponry thereby diminishing anxiety."

The plan concluded with an "infected co-worker dispatch form" that included a place to list the co-worker's symptoms such as "lack of rational thought (this can cause problems confusing zombies with managers)." At the end, employees were to note whether housekeeping had been notified to clean up the dead zombie and whether human resources had been told to stop salary payments to the zombie and its victims.

Johnson said his office has actual disaster plans to deal with a hurricane and disease pandemic and is working on one to address a campus closure. Workers will do their jobs from home in the next several weeks as a test run, he said.

His office also puts course materials online for about 3,000 instructors teaching about half of UF's classes.

"Sometimes that can be stressful," he said. "One of my goals was to give the group a laugh."

To read the zombie attack plan, check Nate's blog @ http://chalkboard.blogs.gainesville.com/11334/uf-site-has-emergency-plan-for-zombie-attack/

Key Documents: Zombie Attack: Disaster Preparedness Simulation Exercise ( http://www.gainesville.com/assets/pdf/GS18357102.PDF - 36kb)

Monday, September 21, 2009

ERM-BC-COOP: Security 1, Business Continuity 0

A funny thing happened on the way to increased security.

My current employer, a major contractor to Uncle Sam, changed its computer security tool from a key fob to a smart card.

That makes Uncle happy, but as an enterprise risk manager I am left shaking my head muttering "Too bad no one asked us first."

There are a number of "got'chas" to the change.

The key fob the card replaced wasn't perfect and the cost to maintain the synching service may be more than that charged by the card provider; I am not privy to the bills.

Key fobs could get lost, but since they were always apart from the computer, a lost key fob wasn't a security disaster. The computer is loaded with a unique program that works in conjunction with the key fob - or the smart card.

Smart cards also can get lost, but as long as the computer is not "lost" with the smart card, there is no major disaster; again, the smart card and the computer go together.

But, got'cha #1: Most of us stick the smart card into our computers when we get the card.

Those of us using desktop machines can walk off and leave the card in the machine. This is a double whammy.

First, the installed smart card compromises the machine. A miscreant still would have to know the computer user's network ID - ANY computer user's network ID; there is no machine/user relationship.

Second, when Joe Q. Employee shows up for work tomorrow, Joe Q. won't be able to get inside the building (at least without some hassle and some explanation to the guards); the smart card also is the entry swipe card.

For those of us with notebooks - nee' laptops - the temptation is to stick the card into the box and leave it there. When the office is abandoned for the day, the computer is stuffed into its carrying case and off Jane goes. But if Jane forgets the computer or elects not to take it with her, she'll have to explain herself to the guards in the morning.

But it gets worse.

Let's say Jane has to fly to a customer site with her computer. As she sits in the airport something distracts her and she looks away just long enough for someone to walk away with her computer . . . with the smart card safely stuck in the computer's smart card slot.

Not only is the machine generally compromised, the person who "borrowed" the machine will easily find out who "owns" the machine (Jane) and the company that employs the owner (Secret Projects, Inc.). Even if our airport ganov (thief) lacks any computer skills, the value of the stolen box suddenly increases . . . maybe the hard drive houses sensitive information that can fetch a nice price from a competitor or someone who has another country's best interest at heart.

A lesser got'cha is that now neither Jane nor Joe can use their personal computer to access even a limited amount of places on the corporate intranet .

If the company machine dies - as it will - Joe and Jane are out of luck until a new machine can be provided, imaged, and the files that hopefully were saved to the network recovered and restored. How long with that take? Depends on Jane and Joe's rank within the company; for a rank-and-filer, maybe a week or three; for a C*O, probably less time.

In the "old days" of the key fob, Jane and Joe could access a number of things, including corporate email, from their personal computers. If the company machine failed, they could "make do" by using their own equipment. True, they could not access everything that they could with the company machine, and "sensitive" material should never be put on a personal machine, but life could go on, albeit less efficiently.

Once again, keeping risk management people out of the loop has presented the organization with several probably avoidable "got'chas." I'm not sure the organization had much choice but to implement the smart card system, Uncle Sam being the 800-pound gorilla customer that it is. Maybe Uncle should have talked to COOP experts - COOP being government speak for risk management - before insisting that vendors implement something with so many points of failure.

What do I mean "once again?" How many companies include risk managers when they consider a new building - tornado and earthquake proof, shelter-in-place, wide exits for handicapped - with paved paths away from the facility; full capacity stairwells, and much more; even something as simple as checking the flood history.

"Once again" to consider the risks all vendors pose, even money lenders. Does the vendor have a plan to assure product (including money) or service delivery?

"Once again" to consider the neighbors and the environment - are the neighbors high profile? Is the facility near an airport, major highway, railway, sea port?

"Once again" to consider both insurance coverage and carriers; is there enough of the "right" insurance and can the carrier(s) cover the loss, either individually or as a consortium?

Enterprise risk management is best practiced from the business concept and is a continual process.

Enterprise risk management is a process that requires - if properly done - input from everyone, both within the organization and the organization's vendors - including architects and CPAs, lenders and regulators. No one should be expected to an expect in everything, but an experienced, inquisitive enterprise risk management practitioner can play a major role in discovering the "what if's" that each individual SME knows lie in wait.

John Glenn, MBCI
Enterprise Risk Management practitioner
Hollywood/Fort Lauderdale Florida

Wednesday, September 16, 2009

ERM-BC-COOP: BIAs for boxes ??

Maybe I'm way off, but I get really upset when someone tells me to do a Business Impact Analysis (BIA) on a computer system, a box.

First, I'm "ticked off" because the real, critical resource is overlooked - that resource is "people" in case you are a first time visitor to a Glenn site.

But then to worry about BOXES !

My Spouse, while an intelligent woman - she has the MBA in the family - is not a risk manager, so when I ranted that someone wants BIA's on systems - boxes - she didn't understand why I was upset.

Fortunately, Yahoo came to my rescue.

The Spouse has a Yahoo email account; if Yahoo keeps changing things that "ain't broke" (a la Microsoft) she might start using her Gmail account more and Yahoo less (and then on to Linux Ubuntu?).

Anyway, to make my point, I asked her if the machine she was using went away, what would she do.

"Go to the library," she replied. Never mind that there are two more machines in the same room. Doesn't say much for the company she keeps, but …

OK, I said. Now what happens if Yahoo "goes away"? Can you still get your email?


The light comes on; she suddenly realizes that it's the APPLICATION that is critical, not the box, not the "system."

(And that's why whenever I expect an important email, I ask that it be sent to two different e-addresses, and maybe my snail-mail address as well. Hey, risk management is my business and I practice what I preach.)

I'm not suggesting that the box be ignored; my apps still need a place to call home. I will admit that moving some of my applications from machine-to-machine is a pain, especially when I have downloaded updates; fortunately all my critical vendors work with me (since I have all the important product and version license information available).

When I create a disaster recovery plan for an IT organization, I need to know what OSs are on each box and the amount and speed of the box's RAM. Do I care about the hard drive? Not a lot.


If I have 5 XYZ OS machines with 10 critical applications, including databases, I need to know

    (a) how much hard drive capacity I need for all these applications and databases

    (b) if they can co-exist on one machine or do I need to find multiple boxes

If they can co-exist, how fast must the processor run?

I need to know the requirements for a REPLACEMENT machine - or machines. I also need to assure that there is connectivity to whatever the current boxes are connected. (I recently learned THAT lesson when I discovered my new notebook lacks a connector for my old scanner.)

But, basically, a box is a box is a box.

That is not to write that I care nothing about the box. I do. I want to know the machine's Mean Time Before (Between) Failure - MTBF - and I want to know the Mean Time To Repair - MTTR - of the parts with the lowest MTBFs, and I want to know spares - and associated documentation and tools - are available to get the box up and running else I need to know where to find a new host for my applications.

I can live without my company machine -actually, I AM living without it as this is written - but I cannot live without the access to the inter and intranets. I have all manner of email, but the company email and IM are, temporarily, inaccessible. That pretty much puts me out of business. (I still have the phone, and I can use local - on the box - applications but . . .).

Since I have another machine with most of the same applications, I can keep busy, but there are many things - besides email - I cannot accomplish. The box that's "down" actually is fine; it's a security application that has brought email and IM and access to the company intranet to a halt.

The security apps developers know about the bug and are "working on it."

By the way, I actually anticipated this hiccup and created an email auto-responder that explains why I am not getting back to my fans in my usual speedy manner and that if they really need me, call the number on the auto-reply. (I have to tell you, I feel like the Maytag repairman … very lonely. Even the Help Desk hasn't called back; am I the new Rodney Dangerfield [z'l]?)

BIAs for systems? No. BIAs for applications. Yes and yes again.

John Glenn, MBCI
Enterprise Risk Management practitioner
Hollywood/Fort Lauderdale Florida
JohnGlennMBCI at gmail dot com

Wednesday, September 9, 2009

OpenOffice is not MS Office

I hate to admit it, but OpenOffice.org applications and many of the Ubuntu utilities (e.g., Evolution) have a long way to go to compete with Microsoft Office and Microsoft utilities.

Granted, “you get what you pay for,” and OpenOffice IS free versus Microsoft products which are expensive.

But the more I use Ubuntu and the free applications and utilities available to it, the more I realize free apps leave something to be desired.

Since I own Microsoft Office 2007 and I have Vista Home on my new laptop, why did I install Ubuntu 9.04? For the same reason I am abandoning Yahoo mail.

Both Microsoft and Yahoo keep fixing things that “ain’t broke.”

Every time Redmond comes out with a new version of its products – be it OS or application – the User Interface (UI) is revamped. My productivity takes a serious hit when the latest and greatest is installed. As my productivity dips, my frustration level rises.

I’ve been using MS Word since V1.0 for DOS! It’s a great word processor. It never was anything more. Claims that it can be used for long, complex documents are, in my not-at-all-humble opinion so much hot air. If you are cobbling together a technical manual of 100-plus pages, with graphics and tables, get a page composition application and a decent graphics generator. Over the years I used a variety of applications – for page composition, FrameMaker, Interleaf, and Ventura (which still remains my favorite). Graphics? I’ve had Corel Draw, Deneba Canvas, and Micrografx Designer (nee’ In-a-Vision), among others. Using those apps, and Word, I’ve created long manuals, short newsletters, various length articles, brochures, and even a few resumes. By the way, there apparently are no free/low cost real page composition applications for Ubuntu.

When I tell you I LIKE Ubuntu and OpenOffice.org and Evolution (email handler), trust me, I do.

But I also will tell you they lack features and functions I take for granted in MS offerings.

Small frustration.

I created a document for my Web site (http://JohnGlennMBCI.com). I put files up in three formats: html, PDF, and text.

First, the “Web” looks for certain extenders; html, pdf, txt. Using some of those extenders confuses Ubuntu. It’s not a show-stopper, but it does slow down things. The text files are created from the word processor and saved as plain text. With Word, I can force line feeds; I can’t (seem to) do that with OpenOffice.org Writer.

With Vista, and XP before that, I could shrink an application to the ribbon at the bottom of the screen; when I do that with Ubuntu I usually loose the application and have to relaunch it. Ubuntu is fast, but why can’t I see the app in the ribbon?

There is a lot that can be said for Ubuntu and OpenOffice.org and all the rest of the FREE applications available for Linux and I suspect as I spend more time with them I’ll find work-arounds.

But for now, I feel like I’m caught between a rock and a hard spot (or anvil and hammer, if you prefer) – Microsoft is driving me up the wall with its constant mucking about with the UI (and the apps get fatter and fatter) while Linux lacks many features and functions I’ve come to take for granted.

Maybe I should chuck it all and by myself a good fountain pen. Do they still make them?

John Glenn
Scrivener & other things
Hollywood/Fort Lauderdale Florida

Sunday, August 30, 2009

Business Continuity – COOP: Bottom line

Every risk management/business continuity practitioner needs to keep an eye on the bottom line.

If the practitioner is self-employed, that's obvious. If the practitioner works for someone else, helping the company hold the line on expenses will put the practitioner in good sted and may – may – justify a small bonus.

I just bought a new notebook (nee' laptop) computer. My old Compaq still works, but technology leaps and some other goodies, plus a low price convinced me to buy the new box.

The new notebook came with Microsoft Vista pre-installed (and no recovery CD if the drive fails).

I am still struggling to accommodate MS Office 2007's unnecessary User Interface (UI) changes so the jump from XP to Vista and the unnecessary UI changes frosted the cake.

On top of that, Vista is, at best (and even the phrase “at best” seems out of place) an interim operating system between XP and Windows 7, touted as the cure for all of Vista's failures.

Windows 7 is expected to cost about $200 to replace Vista Home. In the interim, knowing Windows 7 is close at hand, many developers are ignoring Vista and working on W7 versions of their applications.

Office 2007 Pro is only $100 – now. (Microsoft offers “Home and Student” for $100; Pro lists for $500; makes me wonder what the retailer's “Pro” really includes.)

Anyway, and back to the bottom line point, besides the COST of new a OS and new applications, there is the cost – and it very much IS a “cost” - of the learning curve for each new thing (OS, application).

What are the options?

Well, there is the MacIntosh (or is it Macintosh?). Problem is, while the Mac may have a consistent UI (I'm not a Mac user so I can't say), the platform is considerably more expensive than one that supports Microsoft Windows.

Moreover, for those that must use Windows applications modified for Macs., there usually is a delay in getting the apps – never inexpensive – to the Mac platform.

The answer for me was Linux.

I am not a computer guru. I've written *.bat files, but that's about my limit. I once tried to learn C++; when I wrote the traditional “hello” code I was presented with a screen that displayed “Beat it!” Compiling files is not my “thing.”

I used – very much past tense – to know my way around DOS command line code, much of it borrowed from UNIX.

But UNIX and now Linux, has come a long way even from when I used HP-UX (and it's desktop UI),

My Linux flavor is Ubuntu.

It's free. Even the mailing cost to send the CD is covered. (It also can be downloaded from the WWW.)

The distribution (“distro” to those in the know) includes OpenOffice that essentially is MS Office 95. It DOES read Office 2007 files and it does create Office 2007 readable files; I've tested that much. (This is created in OpenOffice writer.)

If you want to get closer to the current MS Office formats, Sun's Star Office might provide that for a fee. There also is Applixware, which I've used. There is a short list of application suites and related links at http://www.topology.org/soft/office.html.

Ubuntu comes complete with almost everything a user will find on a Windows OS + MS Office combination. Firefox instead of Internet Explorer (anyone who writes Web code for a single browser, even in the “old days” is foolish), Evolution instead of Outlook, F-Shot and GIMP for photo capture and manipulation; OpenOffice drawing in place of Visio. Of course there is a Notepad-type text editor and Terminal that equates to Windows' Run.

Admittedly, Ubuntu OS utilities (e.g., Evolution) and OpenOffice applications lack some of the bells and whistles of Windows and MS Office, but they meet my needs.

There are some applications under Windows and Mac that are lacking under Linux. Most critically for me is a decent page composition application similar to FrameMaker or Ventura. Still, most Mac and Windows applications are covered nicely in Linux.

Is there a learning curve? Yes, a fairly low one (writes this scrivener who started using Word with DOS V.1.0). Will there be a learning curve for the IT folks who have to install and support Ubuntu? Probably also a very flat curve since, when I asked around, many of my IT SMEs already were running Ubuntu or another Linux OS on their own systems.

Will there need to be a major hardware investment? Not for platforms (computers) and, from what I have seen, not for peripherals, either.

Linux offers all the networking and network security available in the Windows environment.

For my money – that I prefer to keep in my pocket – Linux is a much better option (than Windows or Mac) for what I do (excepting creation of desktop publishing/long, complex documents).


John Glenn, MBCI
Enterprise Risk Management practitioner
Hollywood/Fort Lauderdale Florida

Thursday, August 13, 2009

Life on an Idiotorial Review Board

I find myself on the Editorial Review Board of a fairly prestigious professional journal.

I was offered the uncompensated post because I am verbose and possibly because I tell one and all that once, about 100 years ago, I was an honest (read "print") journalist: reporter, feature writer, and editor of many titles.

As I read the articles submitted for ERB member consideration, I am reminded that the authors are, for the most part, not professional writers; they are vendors, sometimes techies, sometimes marketing or sales, sometimes execs.

Some have trouble writing their own name - or so it seems..

The prestigious professional journal is supported by advertising revenue; translation, find a way to clean up an advertiser's copy and run it.

Sometimes clean-up is easy, and then other times ... well, suffice it to write that - never mind, this is a family blog.

I do wonder why some folks at larger organizations don't ask their PR people to ghost the articles.

Egos, perhaps. Or they have reason to believe that if PR gets involved, Legal also will get involved and by the time the internal review cycle is complete the product will have been discontinued and the only thing that will remain from a 1,200-word article is the company name.

Having figuratively worn eye shade and sleeve garters, the sign of a "real" copy editor, I cave into my inner pressure to edit the copy on my desktop. Not every fractured phrase, but most tortured text gets at least a comment. One or two articles were so bad - to my mind - that I confess to tossing in the towel and suggesting a rewrite. (Turned out the rewrite was worse that the original article. No good deed, etc.)

I am finding that my "take" on articles frequently is at odds with a few of my fellows on the ERB.

Some reviewers post their comments using REPLY ALL so that "all" will have the benefit of their opinion. Others, this scrivener included, prefer to let everyone - except the Editor-in-Chief, of course - come to their own, independent, conclusions.

I gather that some reviewers want academic-length articles; articles that run to 10 times the allowable 1,200 to 1,500-word length for our publication.

No matter how focused an article, it seems one or two reviewers criticize the author for not providing sufficient information.

Others nit-pick an article because the author is a vendor (remember, vendors finance this publication) and even though the vendor's product may not be named in the article, it's "too commercial." 'Course sometimes the nit-picker happens to sell a competing product and that might color the reviewer's critique.

Back in the day when I was a managing editor, I could call a writer aside and provide some mentoring; usually that was sufficient to get our budding journalist back on track.

That luxury is absent in my present role as an "idiotorial" review board member.

I'm flattered, of course, that I was considered worthy of this uncompensated (did I mention that before) and apparently anonymous honor.

For once I'm glad someone else is Editor-in-Chief, the one who has to balance the comments of the ERB (and make a final decision that is bound to raise the hackles of some) and who has to diplomatically return really awful copy to its author who probably works for an important advertiser (and trust me, almost ALL advertisers are important).

Maybe I'm a masochist , but in my heart-of-hearts, I enjoy the challenge of the honor. Just knowing that the burden of dealing with opinionated people like me falls on someone else's shoulders lets me perform the assignment with a bit less concern for the final product - or the author's feelings.

Sometimes, however, I'd really like to share my thoughts about a few of my fellow ERB members ... but then I mellow out until the next critique crosses my desk.

Meanwhile, I'm having second thoughts about authoring articles for the journal; I couldn't take some of the criticism that is dealt out in the way it is dealt out.

John Glenn, MBCI
Enterprise Risk Management/Business Continuity practitioner
Hollywood/Ft. Lauderdale FL
Planner @ JohnGlennMBCI.com

Wednesday, August 12, 2009

ERM-BC-COOP: Unrelated things of interest


Two separate emails crossed my desktop this morning.

An email about "flash cookies"

A cartoon about a serious issue, "swine flu" (H1N1).

The first item - and I checked with Snopes, which is attempting to verify the story - basically reports that even though you may THINK you are deleting cookies, you are not getting them all.

The article, You deleted your cookies? Think again is on the WWW @ http://www.wired.com/epicenter/2009/08/you-deleted-your-cookies-think-again/

The leed paragraphs read:

"More than half of the internet's top websites use a little known capability of Adobe's Flash plugin to track users and store information about them, but only four of them mention the so-called Flash Cookies in their privacy policies, UC Berkeley researchers reported Monday.

"Unlike traditional browser cookies, Flash cookies are relatively unknown to web users, and they are not controlled through the cookie privacy controls in a browser. That means even if a user thinks they have cleared their computer of tracking objects, they most likely have not."

Don't think you have any Flash cookies?

A search of my XP system turned up 462 *.sol files. Yep, four hundred sixty two.

Now, Mac and Linux users, don't think you are immune. If you use a browser and look at anything on the Internet - even some *.gov sites - you, too, can be victimized.

Users who want to control or investigate Flash cookies have several options, according to reader Brian Carpenter:


* Better Privacy extension for Firefox -

* Ccleaner - http://www.ccleaner.com/ (Freeware)

* Windows: LSO files are stored typically with a ".SOL" extension, within each user's Application Data directory, under Macromedia\FlashPlayer\#SharedObjects

Mac OS X:

* Mac OS X: For Web sites, ~/Library/Preferences/Macromedia/FlashPlayer. For AIR Applications, ~/Library/Preferences/[package name (ID)of your app] and ~/Library/Preferences/Macromedia/FlashPlayer/macromedia.com/Support/flashplayer/sys
GNU-Linux: ~/.macromedia

There was one additional bit of related information I picked up this a.m.

Turns out if you are a member of a Yahoo group, Yahoo is lurking on your system even after you log off Yahoo.

According to Snopes (http://www.snopes.com/computer/internet/webbeacons.asp) , "If you belong to ANY (Snopes' emphasis) Yahoo Groups - be aware that Yahoo is now using "Web Beacons" to track every Yahoo Group user. It's similar to cookies, but allows Yahoo to record every website and every group you visit, even when you're not connected to Yahoo."

Snopes adds that "Yahoo's invasion of privacy - and your ability to opt out of it - is not user-specific. It is MACHINE (Snopes' emphasis) specific. That means you will have to opt-out on every computer (and browser) you use."

The opt-out option is at http://info.yahoo.com/privacy/us/yahoo/opt_out/targeting/details.html

The second item crossing my desktop was a Dry Bones cartoon. Dry Bones, which bills itself as "Israel's Political Comic Strip Since 1973," took note of "swine flu." The cartoon apparently was inspired by two news articles.

The first, from IslamOnline.net & News Agencies (http://www.islamonline.net/servlet/Satellite?c=Article_C&cid=1248187687780&pagename=Zone-English-News/NWELayout) is headlined: Swine Flu Restricting Hajj, `Umrah

"TEHRAN/JEDDAH — As swine flu fears are growing, Iran has banned `Umrah during the holy fasting month of Ramadan while Saudi Arabia ordered mandatory measures for pilgrims during hajj.

"We will have no pilgrims in Saudi Arabia during the month of Ramadan," Health Minister Mohammad Bagher Lankarani said, reported Agence France-Presse (AFP) on Wednesday, August 5."

The Umrah is a pilgrimage to Mecca performed by Muslims that can be undertaken at any time of the year. It is sometimes called the "minor pilgrimage"' or "lesser pilgrimage" (contrasted, of course, with the "major pilgrimage" of the Hajj). The Umrah is generally regarded as not compulsory but highly recommended, and it is undertaken by many Muslims. (Source: http://www.sacred-destinations.com/saudi-arabia/umrah-pilgrimage.htm)

Israel, on the other hand, is taking a different approach.

According to a Ynet (http://www.ynetnews.com/articles/0%2C7340%2CL-3760270%2C00.html) article by Nissan Shtrauchler, "Fifty people, most of them kabbalists join flight aimed at containing epidemic by prayer.

"On Monday morning an Arkia airlines plane took off from Lod Airport (near Tel Aviv) carrying rabbis and kabbalists and flew over the country in a flight aimed at preventing the swine flu virus from spreading in Israel through prayers.

Picky editor's note: I doubt the writer intended to suggest that H1N1 was spread by praying, but that prayers were offered to prevent the spread of the malady.

"The purpose of the flight was to stop the epidemic, thus preventing further deaths' explained Rabbi Yitzhak Batzri whose father, Rabbi David Batzri had initiated the flight. We are certain that because of our prayers danger is already behind us, he added."

The cartoon, by Yaakov Kirschen, is at http://drybonesblog.blogspot.com/2009/08/swine-flu-fever.html

As an Enterprise Risk Management practitioner, I think I would use a combination of both the Moslem and the Israeli "mitigation" measures. For the non-religious reader, trust me, there is at least a psychological benefit for those who want to "cover their bets."


John Glenn, MBCI
Enterprise Risk Management/Business Continuity practitioner
Hollywood/Ft. Lauderdale Florida
Planner @ JohnGlennMBCI.com