Friday, November 27, 2009

Thanksgiving surprise


My pre-Thanksgiving surprise from my boss was that I was left off the 2010 budget.

Translation: I am looking for a new "home." Preferably - and that IS the "operative word" - working in a staff or staff consulting job preferably - that word again - in, or from southeast Florida; however, all opportunities will be considered.

In as few words as possible:

Enterprise Risk Management - Business Continuity defined

Enterprise Risk Management, a/k/a Business Continuity identifies profit centers, and all related internal and external, processes. Enterprise Risk Management looks at all potential threats to a process from inception (e.g., proposal) to completion (e.g., payment received), identifies means to avoid or mitigate the threats, and prioritizes preventive actions. Additionally, Enterprise Risk Management develops plans to respond to threats if they occur, creates a process to maintain the plan, and creates response exercises to assure efficient, expeditious, and economical recovery if a disaster event occurs. Enterprise Risk Management is, in 3 words, a business survival program.
In brief

Experience More than 13 years creating programs and complete plans for Defense, Energy Exploration, Financial, Fortune 100, Government, Insurance, International, and Transportation organizations
Certification Member, Business Continuity Institute since 2004
Initially certified by The Harris Institute in 1999
Plan types Enterprise, Key Business Unit, IT-specific
Management Diplomatic manager and mentor to personnel at all levels
Managed 47 sites in 17 states from virtual office in Florida
As many as 20 direct reports; unknown number of indirect reports
Presentation Present Enterprise Risk Management/Business Continuity to personnel of all levels, individually and in groups
Related skills Emergency Management
Crisis Management
Documentation: all program and project documents from proposal to final deliverable; marketing materials, proposals, policies & procedures, public relations; technical documentation, user guides, and journalism
Publications Published twice-a-year in the leading quarterly professional journal, frequently published by other professional publications; occasionally published in trade and general media (Publications list)
Other Disaster Recovery Journal (DRJ) Editorial Review Board
Active member, DRJ Forums and Blogs
Maintain professional Web presence and professional blog
Citizenship United States, evidenced by active U.S. passport
Travel Extensive job-related domestic and international travel welcome
Availability Two weeks from employment confirmation
Resume A detailed resume and list of references is available upon request
JohnGlennMBCI @ or 1.727.542.7843


Wednesday, November 25, 2009

ERM-BC-COOP: Match resources with needs - and population


A few years ago an IT manager-moving-into-EM and BC asked me for thoughts on his situation. He then was in Pakistan.

He was of course concerned about his data center, a target for terrorists, and we discussed ways to protect that.

But his greater concern was threat of natural disasters that would challenge his then-new role in Emergency Management.

Pakistan has some fairly mountainous country (see and my correspondent was concerned with earthquakes.

I suggested that there were a number of things that could be considered, both before and after an event.

Turns out at least one of my suggestions was tried and proven.

One of the main post-event problems is moving things in and bringing people out.

During the 1906 earthquake, the US Army used mules to carry things into and people out of San Francisco CA (see

Some things never change.

What I recommended were, among other things,

  • acquisition of easy-to-use, limited-frequency shortwave transceivers

  • caching medical and long-life food supplies in strategic locations

  • inventorying high-altitude helicopters, mobile medical facilities, portable housing (tents) and pack animals able to traverse terrain unsuitable to mechanized land vehicles.

I also recommended that my acquaintance develop a plan to control volunteers, both from within Pakistan and from without, including "official" (government and recognized NGOs) and unofficial (individuals and groups who may, or may not, have needed skills).

Most of my recommendations were relatively low-tech and all were "off-the-shelf."

The most "difficult" would be training people in remote villages and camps to use the radios.

On the other hand, if the HF (shortwave) radios were limited to one or two frequencies, antenna tuning problems will be eliminated. If radios were distributed across the HF spectrum, again with only one or two frequencies per unit, the transmission could be identified by the frequency - although some additional burden would be placed on the sponsor who would have to monitor many more frequencies.

The radios would have to either be equipped with hand cranks to generate their own power or the villagers would need to be supplied with, and trained to use, hand-crank generators. This is "ancient" technology. True, solar powered battery chargers or generators are a possibility, but where people are mobile (e.g., moving herds to different pasturing areas), everything has to be "robust." I think hand-crank generators meet this requirement better than mirrors, and they work in the dark.

Always consider the use and the user when selecting tools.

Since I proposed stockpiling some basic medical supplies, someone in each village or group would need advanced first aid training. Indeed, probably several "someones" to preserve modesty (otherwise some injured may reject treatment from a person of the opposite sex; again, always consider the population's mentality).

As with everything else "risk management," all functions should have primary and perhaps several alternates available to accomplish the task(s).

What I failed to suggest was that he should research the life styles of the people he might be called upon to assist.

An acquaintance in Israel tells a story of the government's instruction being bested by family tradition.

Seems the government told its citizens that in the event of an attack, they were to go to the nearest shelter and stay there until the all clear.

The mentality of the people, particularly those from North Africa, is to cluster in family groups, never mind the distance. If the family patriarch or matriarch goes to Shelter Alef, you can bet the rest of the family - including nephews and neices - will go to Shelter Alef as well, bringing with them all the necessities to wait until the Army resolves the problem. (This may be less true today with the "only seconds" notice of incoming missiles from Gaza.)

There are several "bottom lines" to this exercise.

  • Low-tech often is as good as, and sometimes better than, high tech.

  • Understand the targeted population's mentality - "knowing the audience" - is as important as the tools provided.


John Glenn, MBCI
Enterprise Risk Management (Business Continuity) practitioner
Hollywood/Fort Lauderdale Florida

The author of this blog currently is seeking staff or staff consulting opportunities preferably working in, or from, southeast Florida (however all opportunities will be considered).


Tuesday, November 24, 2009

Enterprise Risk Management - Business Continuity practitioner is


looking for staff or staff consulting opportunities preferably working in, or from, southeast Florida. MBCI with 13+ years experience. Extensive domestic and international travel welcome.

1.727.542.7843 or

That, in as few words as I can manage, is my reaction to my Thanksgiving surprise.

If anyone knows (anyone who knows) of a risk management - business continuity opportunity, please share it with me.

Know that any information will be appreciated.


Sunday, November 22, 2009

Of mammograms and pap smears


Are mammograms and pap smears a risk management issue? For that matter are tests for prostate and colorectal cancers a risk management issue?

They are if we value employees.

It goes beyond Joe or Jo at the workplace.

It includes their near kin; parents, children.

The subject comes up because recent news announcements have suggested that women reduce the frequency of both mammograms and pap smears.

There is scientific evidence that these diagnostic procedures most often show negative results for certain age groups, but to my mind, the operative words are "most often."

I am cognizant that there are too many false positives that lead to additional, always expensive and often uncomfortable, testing, but it seems to me that it beats the alternatives for both the woman and the insurance company or government (that has to pay for extended treatment).

Because I have a suspicious mind, I immediately suspect the insurance industry as the behind-the-scenes promoter of fewer exams. But unless the insurance companies can somehow avoid paying for extended treatments, what do they gain?

I confess to having a personal interest in the recommended cut-backs on the procedures.

I'm told that neither mammograms or pap smears are a walk in the park; women have to steel themselves to the discomfort, but they do it because - given today's technology - they know the annual squeeze and scrape is necessary for a long and happy life.

As a man. I know the discomfort of a manual prostate exam (and the relative ease of the blood test that, I am sure, is easier on me than it is on the insurance carrier). I don't LIKE being "needled," but it's less bothersome than "getting the finger."

But, let's say that G-d forbid, someone close to a worker has cancer. (I have a close friend with cancer and I lost another to a lingering and excruciatingly painful cancer, so I write from personal experience.) I am concerned and, frankly, distracted. Fortunately I don't operate dangerous machinery. If my friend was my wife or a child, I would be taking time off to take the patient to treatments, and more time off helping them recover from the treatments.

You see, preventive medicine - including mammograms, pap smears, prostate exams, et al, - really is a risk management - business continuity issue.

As we apparently are nearing a national health bill, any recommendations to reduce preventive medicine can be expected to be embraced by the financially conservative; there is no question that the exams can be expensive.

The real question to ask is what is the real cost of reducing or eliminating these, and other, preventive medicine procedures?

It seems to me a "pay me now or pay me (more) later" situation.

But, I am not a doctor and I don't play one on tv.


John Glenn, MBCI
Enterprise Risk Management practitioner
Hollywood/Fort Lauderdale Florida

Monday, November 16, 2009

ERM-BC-COOP: Software vs. Brainware


I was just looking at a LinkedIn sub-group (a/k/a SIG) invitation list from a group to which I belong.

Many of the Special Interest Group (SIG) names included software types - not necessarily products (e.g., Oracle) but functions (e.g., ERP, or Enterprise Resource Planning).

While Enterprise Risk Management - Business Continuity (COOP) practitioners have a wealth of software available, from the high end applications to simple word processor templates, most experienced practitioners I know depend not on limited-functionality, fill-in-the-blanks, force-a-square-peg-into-a-round-hole application (or template).

We depend not on software, but brainware.

Software is OK to collect and store information.

Software is good for updating existing information, albeit it is a tad risky that there will be a temptation to only update what is stored rather than going out into the real world to confirm that the changes about to be made are the ONLY changes that need to be made.

Brainware and software are mutually compatible PROVIDING that brainware is superior to the bits-and-bytes application.

The problem for many organizations is that they honestly believe that software can replace brainware; that the organization can engage a tyro or second an already overworked administrative assistant (nee' secretary) to create a plan to save the organization when an interruption to "business as usual" occurs.

Understand, I am NOT disparaging secretaries and I certainly don't want to suggest that a secretary, overworked or not, cannot become a competent - even superior - risk management practitioner; only that to do the job correctly, professionally, the person needs guidance - mentoring - and an understanding that risk management is worthwhile.

At the same time, any organization that delegates risk management to a person with no background in the field shouts to the world that senior management either fails to understand the process and its value, or cares not a whit for the process.

Over the several years I have been doing risk management I have created list after list after list of threats. Each list is longer than the previous list.

Why? Simple. As I work in the field and as I associate with other practitioners, I realize there are risks I failed to previously perceive.

Mind, I usually am ahead of the curve. Planes into tall buildings? Covered that long before 9-11. Am I a seer able to presage the disaster? Hardly.

What I am is open-eyed and a reader of history.

Planes routinely land short of runways; sometimes on top of homes or, in my neighborhood, on the flat roofs of Publix supermarkets; why Publix and not Winn-Dixie I have no idea. In 1945, a US Army Air Corps bomber crashed into the Empire State Building; it had flown off course and too low in a fog.

On 9-11 then, aircraft smashing into the World Trade Center towers should not have come as a total surprise, there was precedent; the deliberate murder of innocents by Moslem terrorists, perhaps that was a surprise (as was Pearl Harbor - an event for which the U.S. apparently also had ample warning).

The financial meltdown also was predictable. It happens about once every 20 to 30 years and usually for the same reason - greed. Could it have been prevented? Probably. But prevented or not, the risk management practitioner, using brainware, would have been aware of the probability and prepared his, or her, client to withstand the "downturn."

Certainly risks can be built into software applications.

But, as I wrote earlier, I have been doing risk management for a bit more than a baker's dozen years and I still have the catch-all words "ubiquitous other" at the end of the list. "Ubiquitous other" is the threat that, so far, has escaped my attention.

My list is long and it gets longer as additional - I'm not sure that "new" is accurate - threats are identified.

I realize that I don't know all the threats to "business as usual" and I long ago learned that a risk management program needs input from everyone - from the janitor, a very "key" person, to the most senior executive (who, in some cases, is one and the same). Everyone has his or her unique perspective on the organization and that person's role in the organization; likewise each person has his or her own personal priorities that must be considered.

Bottom line: A risk management program cannot, if it is to be successful, be created in a vacuum.

I use software everyday in my work. I am heavily dependent on it.

Still, if need be, I can pick up a pencil (and sharpen it with my handy pocket knife) and scribble notes on scraps of paper for later "input" into software.

What I must have is brainware; the ability to think (both inside and outside the box, off the wall, and any other cliche' that comes to mind), to examine ALL the possibilities and ALL the ways to avoid or mitigate the threats, including "but not limited to" as the contract weasel words state, personnel (or personal) awareness.

Software might suggest things, and software might store things, but it takes brainware to create, sustain, and exercise a viable risk management program.

To this scrivener's mind, brainware trumps software every time.

John Glenn, MBCI
Enterprise Risk Management
Hollywood/Fort Lauderdale Florida


Sunday, November 15, 2009

Lover of words


I came to Enterprise Risk Management , a/k/a Business Continuity, via tech pubs.

I got to tech pubs via honest (newspaper) reporting ("journalism" is far too fancy a word for what I wrote) and public relations. I came to reporting (and later editing) from the Orlando Sentinel's "back shop" where, back in the day, metal type (slugs) were carefully placed into forms (chaises) on rolling tables (turtles).

I "lucked into" the backshop having put in an application immediately following separation from the Flyin' Corps - don't call us, we'll call you, said the HR person. Two weeks later she DID, to my surprise.

But, as usual, I digress.

Lacking a journalism, or any other, degree, all I had to open the door to editorial was chutzpah (I knew I could write at least as well as the reporters at the Sentinel (and later Today), my journeyman printer status, and a vocabulary that, while hardly a match for either Hubert Humphrey on the Left or William Buckley on the Right - or even Spiro Agnew who also knew how to turn a phrase - was greater than most, and I deliberately chose the word "greater" in this case. Never mind that my spelling was suspect; there are proofreaders to save my copy (and to all the proofreaders - and typesetters - who DID save me from embarrassment, thank you).

My love of words commenced - began, even - before I crossed the threshold of Benjamin Harrison PS #2 for the first time as a first grader. I had an "in" at the Indianapolis Public Library. (As it happens, I still have an "in" at the library; Donna Foster, a different person - my original long since departed this world - but one I value highly.)

As a tyke, I was read to and I read. (I also was taken to hear the Indianapolis Symphony, both kids' concerts such as Peter and that large predatory canid and "adult" evenings, but that is a topic for another time.)

I read everything I could hold in my hands. True, this was before tv, but radio was entertaining, so I had options. But in addition to a floor-model Philco roll-top radio, we had books, and the main library was just a block down the alley. My reading never was restricted - if I could reach it, I could (try to) read it.

One thing about reading is that the reader's vocabulary increases by osmosis; kids especially are sponges and, unknowingly, I sponged up a great deal of what I read. I remembered the words, but to my misfortune, not always how to spell the words.

Rather akin to Eliza Doolittle (Pygmalion, My Fair Lady), how one speaks - and the vocabulary the person has at "tongue" - really does influence how people respond.

Put another way, "It's not what you say, it's how you say it." With class, but never condescendingly.

Besides letting me squeeze into the editorial department - I got a cub reporter job on a small northern Indiana daily - my way with words helped keep my nose from being "reshaped" by some folks who may have found my opinions "objectionable."

It's been a few years since I got my first library card - now I have a plastic one with a bar code, progress I can appreciate (but, even though I am "computer literate," I miss the card files) - and I still love to read.

Maybe because the general quality of tv is less than it could be, I still find it easy to pick up a book and ignore the tube. I'm not sure my vocabulary is growing as fast as it did in my youth, but thanks to my reading habits, the library card, and the Internet, it's not for lack of material to read.

John Glenn, MBCI
Enterprise Risk Management practitioner and reader


Wednesday, November 11, 2009

ERM-BC-COOP: Off-shoring threats

Carl G. Fsadni, Senior Manager at Cognizant Technology Solutions - Infrastructure Practice, writing on the LinkedIn group Business Continuity/Disaster Recovery Network brings an interesting threat to organizations that sent work off shore.

While Fsadni's comments focus on India, they apply equally to other locations (e.g., the Philippines, Malaysia).

He asks: Is India a soft-target for Taliban terrorists?

His concerns are very real even before the Taliban becomes a nuclear threat, and that is only a matter of time (given Pakistan's nuclear capability, Russian hardware availability, and Iran's and North Korea's development efforts).

The Taliban is just one of many groups - some Islamist, some not, but all with the potential to create mutually beneficial short or long-term working arrangements - scattered around the globe.

In the rush to save a buck, corporate executives sent off-shore as many "first world" jobs as possible. Some jobs went to neighboring states (e.g., auto manufacturing from the US to Mexico), some went to distant continents (e.g., call centers and software coding to Asia).

As the jobs went out of the country, the demand for skilled people to do the jobs diminished and two things happened:

    1) People with skills no longer in demand at home lost their leading edge knowledge and looked elsewhere to survive, and

    2) Prospective additions to the field that was outsourced look to other fields, assuring that if the work ever is brought back, there will be no locals capable of doing the work

While this is happening, schools - trade and university - are having to re-think their offerings, and the government is having to get new rubber stamps for visa requests from the folks elsewhere who will flood the local market (there being few if any locals still retaining equal skills to do the job).

The desire to "save a buck" (or pound or mark or . . . ) may turn out to be short-sighted if something happens to the off-shore operation and the operation can no long be restored in the home, "first world," country.

The Enterprise Risk Management (ERM) perspective is that off-shoring is a risk that, as with other risks, must be considered, prioritized, avoided or mitigated, and a response prepared.

As with all ERM programs, the risks (and responses) must be continually reviewed; in this case, changes to the threat to the vendor (internal or external) and the ripple effect to the "home country" operation must be updated on a frequent basis. How this review is accomplished is another matter for another time.

Just as most organizations failed to consider a financial vendor failure, many fail to see the increasing probability that an off-shore vendor's operations will be disrupted.

From my point-of-view, the time has come to re-think the list of risks facing an organization; we must broaden the view and be all-inclusive; bottom line, it's time to throw away the box and to play the "what if" game sans limitations.

John Glenn, MBCI C Enterprise Risk Management
Hollywood/Fort Lauderdale Florida
JohnGlennMBCI at gmail dot com

Sunday, November 8, 2009

FEMA Independence Act of 2009 (HR 1174)


(The) FEMA Independence Act of 2009 re-establishes the Federal Emergency Management Agency (FEMA) as a cabinet-level independent establishment in the executive branch.

Requires FEMA to be headed by an Administrator appointed by the President.

Establishes as FEMA's primary mission to reduce the loss of life and property and protect the nation from hazards by leading and supporting the nation in a comprehensive emergency management system of preparedness, protection, response, recovery, and mitigation.

Prescribes the Administrator's responsibilities.

Requires each Regional Administrator to establish a Regional Advisory Council.

Requires FEMA to have an Office of the Inspector General.

Includes among FEMA functions:

    (1) those functions it had on January 1, 2009, including continuity of operations and government programs; and

    (2) functions relating to FEMA under the Robert T. Stafford Disaster Relief and Emergency Assistance Act. Directs the Administrator to continue to maintain a National Advisory Council.

Requires the National Integration Center to ensure that the National Response Plan provides for a clear chain of command to lead and coordinate the federal response to any hazard.

Abolishes the position of Principal Federal Official.

Requires the Administrator to:

    (1) continue to implement a memorandum of understanding with the administrators of the Emergency Management Assistance Compact, state, local, and tribal governments, and organizations that represent emergency response providers to collaborate on developing standards for deployment capabilities, including for credentialing and typing; and

    2) appoint a Disability Coordinator.

Complete details of bill at