Wednesday, December 29, 2010

ERM-BC-COOP: Case of the Wounded Womb


Here's a thought: Can a person who works in a home office collect worker compensation for physical and mental injuries sustained as the result of a home invasion (a/k/a break-in)?

How about being cut opening a can of tuna during working hours - however "working hours" might be defined?

At first blush the questions may seem silly, inconsequential, frivolous.

But consider . . .

According to the Fayetteville (NC) Observer, as reported on the AdvisenFPN Web site (, - which, incidentally claims permission to republish the Observer article - a man shot in the face on his way to the school where he was the principal is entitled to workers compensation.

The school superintendent and NC Department of Public Instruction didn't think so, but the NC Industrial Commission ruled otherwise.

The reasoning, according to the Observer/AdvisenFPN piece, is that:

    (a) The school system paid the principal a biannual allowance to help cover travel expenses related to his job, including commuting to and from the school. Therefore, the principal technically was on school time when he was shot.

    (b) The principal was talking to a staff member about official school business on a district-issued cell phone when the unknown assailant pulled up and fired a shotgun blast through principal's driver's side window.

The shooter, incidentally, remains on the loose since April 2009.

I normally work from my home office, and typically I'm pretty careful when opening a can of tuna - or anything else for that matter. But what if during "normal" work hours, which for me easily could be 9 a.m. to 9 p.m. Sunday through Thursday, "something" happens?

Let's take this to what I consider an extreme case of silliness: let's assume a husband and wife team are working at home. During a break - some states require workers - especially female workers - to take breaks, the husband and wife engage in the games husbands and wives play with each other. For whatever reason, pregnancy preventive measures fail and the wife discovers she is with child. Could she file for workers compensation claiming her delicate condition is work related?

We are a litigious bunch, but is the Case of the Wounded Womb actionable?

As a reporter and later managing editor I learned that even if you win in court, you still lose. The defendants lose time in defending themselves, they lose money to lawyers and lost production, and sometimes suffer a reputation hit.

Bottom line: Don't Get Sued.

How can an organization - say a company that engages my expertise - protect itself?

Actually, in a very simple way.

Define, by contract/employment agreement, what shall be considered non-job related injuries - or, conversely, what can be considered job related injuries. The employer also can specify - in writing - what are considered "normal work hours."

As a risk management practitioner, I would work closely with both legal and HR staff to cover most possibilities with the correct legal phrasing.

That, of course, is not an absolute defense, but it should eliminate any workers comp claims for an unintended pregnancy.

What goes into a vendor contract should be considered for the organization's Policies and Procedures (once again, P&Ps are a risk management concern) and all employees must be made aware of the P&Ps . . . and confirm their awareness.

While the Case of the Wounded Womb is at best unlikely, there are ways - simple, low cost, ways - an organization can mitigate its exposure to threats of legal action and these ways are very much within the purview of a practitioner's recommendations.

John Glenn
Enterprise Risk Management practitioner
Hollywood - Fort Lauderdale Florida

Thursday, December 9, 2010

ERM-BC-COOP: Risk management gets new life


From: Advisen FPN: Professional Edition - Thursday, December 09 2010

    (A) renewed zeal for risk management extends far beyond the banking sector. Events such as the financial crisis, and more recently the oil spill in the Gulf of Mexico, have reminded senior executives that failures in risk management can prove to be extremely costly, not just to a companys (sic) financial performance, but to their own careers and, sometimes, the lives of employees. The incentive to ensure that there is a clear and consistent approach to managing risk across the enterprise has never been greater.

The Advisen FPN article is at: Fall guys: Risk management in the front line,

The Economist Intelligence Unit, which bills itself as "the world's leading resource for economic and business research, forecasting and analysis. Like The Economist, we are independent of all governing bodies and corporations, leaving us free to deliver accurate and impartial business intelligence," created the study for ACE and KPMG.

As with most good news, there was another side to the coin. The study continued:

    "However, although risk management is currently enjoying an unprecedented level of authority and visibility, it remains a function in transition. Examples of companies that take a genuinely strategic approach to their risk management remain few and far between. Communication between risk functions and the broader business can sometimes be fragmented, while an enterprise-wide culture and awareness of risk can be difficult to achieve."

This comes as no surprise to practitioners.

The "things are looking up" news is supported by a recruiter who told me via email that ERM/BC "will be a growth area for next year for anyone with Sarbanes Oxley or financial experience, IT including Java development, Web sphere or Portal on the front end, Oracle PL/SQL on the back end, (and) good analytical skills"

The related questions now are:

    For organizations needing our expertise: Will they escape the risks already at their door until they (a) realize the need for our services and (b) manage to get a practitioner on board

    For practitioners: Will we be able to survive until the organizations see the light. Peanut butter sandwiches can get awfully boring (but of course they are "better than nothing").

John Glenn
Enterprise Risk Management practitioner
Hollywood - Fort Lauderdale Florida

Friday, November 19, 2010

On being "politically correct"


Stupid or Arrogant?

As the holiday travel season gets underway, airline passengers can expect longer and longer lines as the clerks of the U.S.' Transportation Security Administration (TSA) either ogle passengers as they pirouette in a machine designed to undress them before the clerk's eyes or play grab and grope with the would be passenger's privacy.

In an article on the New York Post's Web site (, correspondent Michael J. Totten explains how it's done in Israel. Totten's bottom line is that "The Israeli experience isn't pleasant, exactly, and there's a lot not to like about it. It can be exasperating for those of us who are interrogated more thoroughly.

"The system has its advantages, though, aside from the fact that no one looks or reaches into anyone's pants. Israelis don't use security theater to make passengers feel like they're safe. They use real security measures to ensure that travelers actually are safe. Even when suicide bombers exploded themselves almost daily in Israeli cities, not a single one managed to get through that airport."

I have been going back-and-forth between the U.S. and Israel since 1975. I've flown El Al, KLM, Northwest/Air France, and most recently US Airways.

On my first trip to Israel, I boarded an El Al plane with two full size duffle bags. The El Al (read Israeli) security guy asked me the standard questions and the bags went on board. This was before the baggage xray machines were installed. Coming back, I dragged my luggage to the security guy at Lod - the airport's name at the time and the one I prefer - who chatted with me for a minute or so, the let me and my luggage move on.

The first time my gear was inspected LEAVING Israel was in 2009. It went through the xray machine . . . and was flagged. I had two bottles of maheyah (arak) in a suitcase and the security people wanted to see it "up close and personal."

A few weeks ago I followed another American through the xray check point. He had a jar or can of some Israeli something in honey that the xray machine caught. The security guy asked the fellow what was in the container and suggested some common souvenir. No, the visitor said, and told the security guy what it was. The bag continued unopened.

On the other hand, I did watch as El Al security insisted that an elderly couple going to Israel from JFK unpack everything from one of their suitcases. Why? I don't have a clue. Perhaps, as Totten suggests in his article, their passports had too many visas to enemy states - at that time this included Egypt and Jordan.

Israeli security depends heavily on profiling.

Totten claims it is not racial or ethnic. Given the senior citizens whose luggage was emptied, I suspect that is true.

We in the U.S., are denied the luxury of profiling.

We can't do it at the airports.

We can't allow our police to do it on the highways and byways - although at least one Florida State Highway Patrol officer had an excellent record of apprehending drug couriers, mules, until a defense attorney discovered his success was based on his profiling skills.

Totten makes a point that the Department of Homeland Security (DHS) and TSA are looking for terrorists who might be using a tactic that already was discovered.

If you try something and you fail, will you try the same thing again? Not likely.

Profiling is a legitimate security tool.

We need to use it.

We need to follow Israel's lead - as we finally did with "sky marshals" who are too few.

For many years I have been a consultant and mentor. When someone recognized that I had expertise their organization could use, they contacted me to "rent" my wisdom.

DHS and TSA ought to admit to their masters in Congress that they need help; they need to engage Israeli security experts - people with actual experience in preventing terrorism in the air - to train U.S. personnel and the courts need to choose human life over political correctness and allow profiling.

Anything less eiteher is stupid or arrogant, a waste of time and money, and an insult to the air traveler. .

Thursday, October 14, 2010

ERM-BC-COOP: When insurance isn't


An article I just read suggests to me that insurance policies should be read very carefully before signing on the bottom line.

The article, at, describes a sex discrimination suit against a school board.

Briefly, the plaintiffs threatened to go to court. The district's insurer apparently - the article lacked details - made a deal with the plaintiffs' attorney without consulting the board; the school board rejected the settlement. A judge ordered the school board to settle.

Now the interesting part.

Of the total settlement, the insurance company paid less than 30 percent of the award. The board also had to pay a $10,000 deductable toward the insurance company's lawyer fees; the deductable equates to a little less than 10 percent of the lawyers' bill.

The school district - that means its taxpayers - wound up paying more than 70% of the award despite having insurance.

Beside the fact that, to my mind at least, it is questionable for a third party (the insurer) to make an agreement sans permission from defendant (the insured), this article tells me that as an ERM practitioner, I need to encourage my clients to carefully examine their insurance coverage and the insurer's conditions.

I'm confident that the insurer acted according to its contract with the school district, but I might have a problem with whomever accepted the contract on behalf of the school district.

Insurance is one of the many ways available to mitigate or transfer risks. Most organizations have multiple policies. Insurance often is a big part of an organization's survival plans. It seems appropriate, then, that policies are scrutinized before the contract is inked and that the documents are reviewed regularly to assure the coverage still meets the organization's requirements.

ERM practitioners need not be insurance experts, but practitioners are remiss if they fail to at least encourage their clients to know and understand the coverages.

John Glenn
Enterprise Risk Management practitioner
Hollywood - Fort Lauderdale Florida

Wednesday, October 13, 2010



It may be a stretch to brand this post "ERM-BC-COOP," but then again . . .

Although I travel the country, I call south Florida "home."

One of the area's main sources of income is tourism. Tourists come from all over; not only the other 49 states and Canada, but from Europe, the Middle East, the Far East, and - although I've never met any from there - from "Down Under."

Right now - October 13 - we're into the last half of "Silly Season," a season that wraps up on November 2, the first Tuesday in November. Election Day.

Silly Season makes the tv stations, advertising, and PR folks rich and, frankly, begins to bore most permanent residents after they see the same commercial for this or that political hopeful for the 10th time.

What is bothersome this year is the amount of negative campaigning.

Negative campaigning is nothing new, but it seems that this year the tactic is especially bad.

We have several hotly contested races - one for U.S. Senate, one for Governor (no one ever hears about the gubernatorial candidate's choice for lieutenant governor), and several for the U.S. House.

If I was a visitor to my state and depended on the advertisements on tv, I'd be hard pressed to believe that there was an honest politician in the entire state.

Rather than tell us what the candidate will do for the state's citizens if elected, the candidates are telling us about their foe's pecados. (That's not entirely fair; we have one candidate who tells us that if elected he will make sure drug tests are administered to people on welfare . . . how the two - welfare and drugs - relate is beyond my ken and I find no favor with the ad.)

No matter who wins in November, Florida's reputation has been besmirched before the world.

What must visitors and potential visitors think of us? Are all of our elected officials scoundrels?

What impact will the negative campaigning have on tourism? How about businesses considering relocation to Florida. Or venture capitalists' opinions about investing in Florida-based organizations?

Ahh, the ERM-BC-COOP connection: Image.

Image is important to any individual's and any organization's success. A positive image can bring forgiveness for any number of "sins" while a negative image can damage a reputation for years to come.

The best "image protection" an organization can have is honesty and fairness; honesty and fairness with its clients/customers, with its personnel, and with the public in general.

That being written, a good ERM-BC-COOP plan will include ways to protect the image "in the event of," whatever the "of" may be. The "of" could be something as simple as a slip in stock price or the recall of a product.

Who addresses these issues? Who talks to which groups? Who assures that the stories are the same, even if targeted to different audiences and, consequently, with different words? Are generic scripts prepared with blanks for the specifics? Are these scripts vetted by senior management, legal, and any other appropriate persons.

I suspect that most politician in most places lean heavily on negative, "smear-the-opponent" campaigns. If my suspicions is correct, then maybe Florida's Silly Season will be viewed as PSOP - Politicians Standard Operating Procedure.

I really would prefer hearing what Joe and Jane Candidate will do FOR me and my fellow Floridians then hearing why the candidate's opponent is a liar, a crook, and a general disgrace to humanity.

I also would like visitors and prospective visitors to think my state is civilized and that people respect each other.

For all that, the sun still shines and the weather is warm here in southern Florida.

John Glenn
Enterprise Risk Management practitioner
Hollywood - Fort Lauderdale Florida

ERM-BC-COOP: Who you gon'na call?


I received an email from an acquaintance via the International Emergency Managers Association (IAEM) list the other day.

It was disturbing in several ways.

The email went as follows:

IAEM Discussion Group:

In this morning’s electronic issue of Federal Insider, I received an article that makes me want to pose the question: –

Suppose you report something suspicious or an actual emergency to your 911, your State Homeland Security Office, to several of DHS’ or the FBI’s hotlines and get referred to a number that doesn’t answer?

Link to the article: or

Here are some numbers for suspicious activity or criminal activity reporting:

  1. Any Emergency or Incident in Progress – 911

  2. If terror activity suspected - Local FBI Office: (contains a list of Offices, their sites and contact info). You can also report activity online, if you are near a computer or have a cell phone with a QWERTY keyboard at:

  3. Immigration/Customs Hotline: 1-866-347-2423

  4. To Report an Oil/Chemical Release – The National Response Center: 1-800-424-8802 or 1-877-24-WATCH
    PS: They also take terrorism reports.

  5. Suspicious Activity/Packages in or around a Federal Building: 1-877-4FPS-411 (1-877-437-7411).

  6. Chemical Facility Anti-Terrorism Standards Violation / Activity: 1-877 394-4347 (if incident has already occurred, 202-282-9201 (the National Infrastructure Coordination Center))

  7. Cybersecurity Incident: 1-888-282-0870 or

  8. Major Terror or Criminal Incident (FBI): Major Case Contact Center at 1-800-CALLFBI (225-5324);

  9. Disaster Relief Fraud: (866) 720-5721

  10. Lost or Missing Child: 1-800-THE-LOST

  11. Sexual Exploitation: 1-800-843-5678

The Washington Post story related an incident where someone repeatedly tried, and generally failed, to report a suspect suitcase.

What is the ERM-BC-COOP connection?

As practitioners we need to know that when we recommend that people call a central number to report a fire, medical alert, or other event, that the call will be answered by a live person who knows how to respond (e.g., call the fire department, medical assistance).

Most often, the phones are manned either by a front desk receptionist , a lobby guard, or security in an out-of-the-way office. Sometimes HR gets the duty.

WHO gets the call is not particularly critical.

What IS critical is that the phone is answered and the person taking the call knows how to handle it.

By extension, this means that there must be procedures in place to assure the phone always is answered - if someone takes a break for whatever reason, someone else must fill in.

It means that when the plan is exercised, making sure the phone is answered must be included in the script.

Maybe Federal phones can go unanswered - they should not, but according to the WashPost article they sometimes are "Ring - No Answer" - but unless the practitioner is developing a plan for a Federal agency, our concern is much more local - will the phone be answered if something happens in our facility or on our campus.

If our plan is for a tenant, we need to understand who is responsible for contacting external resources (police, fire, paramedics, etc.); if the responsibility falls on the host, then the host must be included in the exercise; the host is, after all, a vendor.

Maybe the Feds can brush off the incident, but we should learn from it and make certain it doesn't happen to us or our clients.

John Glenn
JohnGlennMBCI at gmail dot com
Hollywood - Fort Lauderdale Florida

Monday, October 11, 2010

Turning Risk From a Four-Letter Word Into a Value Proposition



According to Money Management Executive,"Managing risk now means a lot more, operationally, than just watching out for mistakes in the middle and back offices, in mismatching details of transactions."

"Which means effective risk management has to go beyond systems to manage all of these individually critical and complex concerns, said Michael Fay, a principal with Deloitte & Touche at the NICSA Risk Management Seminar in Boston."

For the complete article, see the URL at the top of this entry. Risk of a copyright enfringement prevents additional copy here.

John Glenn
Enterprise Risk Management practitioner
Hollywood-Fort Lauderdale FL

Tuesday, August 31, 2010

ERM-BCP-COOP: Some planners don't "get it"


There was a recent exchange on a Yahoo Business Continuity group about the necessity - or lack there of - for a business continuity plan for a long-duration highway project.

One of the correspondents remarked that BCP asks "What happens if this stops?" not "What could go wrong?"

Assuming this person is a practitioner - and admittedly he did not claim to be a professional - this is nothing short of embarrassing since he obviously lacks an understanding of business continuity.

Another practitioner, with more time in grade than this scrivener's 14 years, tried to explain to the initial poster WHY business continuity is important "even" for a long-duration highway project.

The poster's initial question to the group was

We are involved in large construction projects that span years and one of our BCP Advisors has been asked to produce a BCP for the span of a project construction project. Um. I'm not sure how well that it fits. I don't do a BCP for the development of an HR system, why would I do one for the development of a highway? Don't large construction projects go through risk assessments and contingency development like other projects?

One responder told the poster that

As far as I know, project management processes are there to ensure that the project is delivered on time and on budget. PM deals with all of the risks associated with the construction project, this is why specialized project managers are hired and contracts are written with suppliers and business partners - so that the build happens. The project is a one off and not continuing business.

She is partly correct; the project manager is the responsible person, but unless the project manager also is a risk manager, he or she won't identify potential risks to the project, the impact to the project, and ways to avoid or mitigate - then recover from - the risks.

I know several very good project managers and they don't leave home without, if not a practitioner on staff, at least spending time with one before the project gets underway.

In reality, what can possibly go wrong with a simple highway job?

In my reply to the group I listed several risks. The initial poster commented that one of the risks "should have been caught during the Risk Assessment ."

Without realizing it, he made my point. If the project lacks a business continuity plan, there will either be no risk assessment or an incomplete risk assessment.

The other real planner who contributed to the discussion told a story of a highway that had to be rerouted - at great time and expense - due to fossils.

Our poster acknowledged that the practitioner made "excellent points, although I'm still not convinced that BCP is the right solution. How would plans to recover business functions have helped them and would the benefit have justified the costs?"

Once again showing he knows nothing of business continuity.

Sadly, most members of the Yahoo group remained silent, suggesting that maybe they, too, lack an understanding of real enterprise risk management/business continuity.

Fortunately, there ARE lists - and there USED to be a good Forum - for practitioners and tyros who do understand the purpose of the business continuity process.

It's a pity this Yahoo group seems not one of them.

John Glenn, MBCI
JohnGlennMBCI at gmail dot com
Hollywood - Fort Lauderdale Florida

Monday, August 16, 2010

Something to consider



Powder Mailer Strikes Again Monday, Aug. 16, 2010

Global Security Newswire

An unidentified individual or group of people this month has sent 30 powder-filled letters to businesses and other sites in three states, part of an apparent campaign that has involved hundreds of mailings and reached eight U.S. embassies, the Associated Press reported (see GSN, Dec. 17, 2008).

To avoiid copyright enfrincement claims see complete article at the above URL.

I am certain there are expensive machines to detect power in the mail, but such machines probably are beyond the budget for Mom-n-Pops and individuals.

It may be possible to do a "touch test" of every incoming envelope (but what about packages?), providing the amount of incoming mail is minimal.

At one point I recall the Post Office checking mail for suspicious powder, but I think that was more for the protection of postal workers than the people receiving the mail.

If there is an effective, low-cost way to check for powder-in-the-mail - both envelopes and boxes - how do we share the information; as soon as the defense is known, the office will change tactics, much as the software miscreants who provide us with an abundance of malware.

Catch 22.

COMMENTS - IN ENGLISH ONLY - ARE WELCOME; all others will be rejected.

John Glenn, MBCI
JohnGlennMBCI at gmail dot com
Hollywood - Fort Lauderdale Florida

Tuesday, August 10, 2010

ERM-BC-COOP: One more time
Vendor products are seller's risk


Lowe's Cos. has agreed to distribute $6.5 million in its gift cards and pay as much as $2.2 million in plaintiffs' attorney fees to settle a class-action suit claiming the home-improvement retailer sold defective drywall.

"When will they ever learn?" The line from the Pete Seeger song keeps haunting me every time I read or hear of some organization assuming that the product the organization is selling is satisfactory or that the service a contracted vendor is providing is suitable.

Today it's Chinese dry wall.

Before that it was lead paint in Chinese toys imported by a major US toy maker.

Before that - what?

To be fair, China, while frequently the source of the problem is not the ONLY source. Every country has vendors that cut corners and ignore safety regulations.

Sometimes it simply is a matter of not exercising the "what if" possibilities during testing - I give you a failed O-ring on the space shuttle Challenger; according to the Rogers Commission Report, "The commission found that the Challenger accident was caused by a failure in the O-rings sealing the aft field joint on the right solid rocket booster, which allowed pressurized hot gases and eventually flame to "blow by" the O-ring and make contact with the adjacent external tank, causing structural failure. The failure of the O-rings was attributed to a design flaw, as their performance could be too easily compromised by factors including the low temperature on the day of launch. (

For Lowes and other retailers, as well as manufacturers such as Morton Thiokol of Challenger fame, the bottom line is the same: QUALITY CONTROL.

Ignore QC and risk a law suit.

As an enterprise risk management practitioner, I consider vendor products a risk.

The problem for manufacturers - versus retailers - is that while a vendor product might be "as advertised," it still might not be suitable as part of a system (e.g., Firestone tires on Ford Explorers). That should force the manufacturer to check all components as they arrive and again as part of the system tests.

It's fairly obvious that 100% testing is too expensive for almost all materials. I can't think of any organization that does 100% testing. For some products, testing is destructive; the test either destroys a product or so degrades it that it cannot be used.

However, sampling always is an option.

Sampling is taking a percentage of a product, be it individual components or a complete system, and testing all the units in the percentage. A 10% sample of 100 units would have 10 units randomly selected for testing.

The percentage of product sampled is based on a number of factors, including past experience.

Testing is expensive. It is expensive to perform and it often results in an unusable product. The cost of 10 nails or threaded fasteners (a/k/a screws) out of a lot of 1000 is relatively inexpensive; but the cost of sampling a 16-inch valve as an assembly is another matter.

All parts, be they vendor supplied or made "in-house" need QC both for quality of product and suitability for use within a system.

As an about-to-be grandfather, I want to look not only at parts, but design as well.

I have in mind infant crib failures and cribs with slightly-too-far-apart side-rail slats. I'm thinking of infant carriers with handles that detach unexpectedly.

If manufacturers fail to consider both design and part quality; if retailers fail to assume responsibility for assuring vendor product suitability, lawyers will continue to enjoy generous incomes.

I learned when I was a newspaper reporter and later managing editor that law suits are to be avoided. Even if the defendant prevails, the cost of the defense - both in money and time away from the job - can be sufficient to force a business into bankruptcy.

Bottom line: lack of QC is most assuredly a risk that must be considered and either avoided or mitigated. Claiming that someone thought the vendor product was satisfactory probably won't impress a judge or jury.

True, the risk may be "transferred" (to an insurance carrier), but that comes at a price. If the carrier is forced to defend once, the carrier's rate is very likely to increase (a risk in itself).

In the end, appropriate QC at all stages of a product's development is the best way to mitigate the risk of component failure or design failure. "Due diligence" failure usually guarantees a stiff penalty.

QC while not "cheap" certainly is better for both the corporate wallet and the corporate image than a law suit, even if the corporation prevails.

To this practitioner's mind, protecting people (including employees' jobs) and the bottom line is fully within the purview of enterprise risk management.


John Glenn, MBCI
Enterprise Risk Management practitioner
Hollywood - Fort Lauderdale Florida

Wednesday, July 28, 2010

ERM-BC-COOP: It's all about T R A I N I N G


Rite Aid Agrees to Pay $1 Million to Settle HIPAA Privacy Case - Company agrees to substantial corrective action to safeguard consumer information

From an email from the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS)

"Rite Aid Corporation and its 40 affiliated entities have agreed to pay $1 million to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule, the U.S. Department of Health and Human Services (HHS) announced today. In a coordinated action, Rite Aid also signed a consent order with the Federal Trade Commission (FTC) to settle potential violations of the FTC Act.

Rite Aid, one of the nation’s largest drug store chains, has also agreed to take corrective action to improve policies and procedures to safeguard the privacy of its customers when disposing of identifying information on pill bottle labels and other health information. The settlements apply to all of Rite Aid’s nearly 4,800 retail pharmacies and follow an extensive joint investigation by the HHS Office for Civil Rights (OCR) and the FTC

Among other issues, the reviews by OCR and the FTC indicated that:

  • Rite Aid failed to implement adequate policies and procedures to appropriately safeguard patient information during the disposal process;

  • Rite Aid failed to adequately train employees on how to dispose of such information properly; and

  • Rite Aid did not maintain a sanctions policy for members of its workforce who failed to properly dispose of patient information.

Under the HHS resolution agreement, Rite Aid agreed to pay a $1 million resolution amount to HHS and must implement a strong corrective action program that includes:

  • Revising and distributing its policies and procedures regarding disposal of protected health information and sanctioning workers who do not follow them;

  • Training workforce members on these new requirements;

  • Conducting internal monitoring; and

  • Engaging a qualified, independent third-party assessor to conduct compliance reviews and render reports to HHS.

Rite Aid has also agreed to external independent assessments of its pharmacy stores’ compliance with the FTC consent order. The HHS corrective action plan will be in place for three years; the FTC order will be in place for 20 years. "

The other day, July 23, 2010, I blogged about "Security awareness training." I have, on numerous other occasions on the blog and on the Web site, written about the importance of training.

Usually, the focus is on personal safety; people are, after all, both an organizations most important resource and its first line of warning that a threat is about to occur or increase in intensity.

This time the focus is on The Bottom Line.

Granted, not every organization needs to be concerned with HIPAA or the FTC, but the admonishment is the same for all - on-going training is needed to help keep an organization safe - safe physically, safe financially.

Because Rite Aid, according to HHS's OCR regulators, "failed to adequately train employees on how to dispose of such information properly" the business finds itself under the HHS microscope for three years and under the FTC's close scrutiny for TWENTY years.

And of course there's the matter of the $1 million fine that, probably in the overall scheme of things, is a pittance to pay.

It might be argued that the cost of doing what should have been done before, specifically

  • Revising and distributing its policies and procedures regarding disposal of protected health information and sanctioning workers who do not follow them;

  • Training workforce members on these new requirements;
  • Conducting internal monitoring; and

  • Engaging a qualified, independent third-party assessor to conduct compliance reviews and render reports to HHS.

might have cost more than the penalty, but remember that now the organization must do all those things AND pay the $1 million fine AND suffer some PR fallout; how much of an image hit depends on how aggressively HHS's OCR publicizes its queue and how much Rite Aid competitors want to risk in a potentially mud-slinging contest.

When it comes to The Bottom Line, and that is what Enterprise Risk Management is all about, it pays to look at all the risks; the obvious (environment, technological, and human) and the less obvious (training, policies and procedures, compliance).

John Glenn, MBCI
Enterprise Risk Management Practitioner
Hollywood - Fort Lauderdale Florida

Friday, July 23, 2010

ERM-BC-COOP: Security awareness training


I preach awareness training for all hands. Mostly the training I recommend is awareness of the environment so that any changes can quickly be identified and, if necessary, dealt with.

The following article from the Washington Times, DC's "other" paper, reminds that awareness training needs to include electronics - computers, telephones, etc. - both in and out of the office.

As with all training, it must be repeated until it becomes second nature, automatic.

The article shows that even people who should know better sometimes don't - there may have been training at one point, but it apparently lacked consistency and reinforcement. While we are at it, let's also think about awareness in the parking lot and other public areas.

Fictitious femme fatale fooled cyber security
Intel, defense specialists fell for ruse in test

By Shaun Waterman Washington Times
Sunday, July 18, 2010

Call her the Mata Hari of cyberspace

Robin Sage, according to her profiles on Facebook and other social-networking websites, was an attractive, flirtatious 25-year-old woman working as a "cyber threat analyst" at the U.S. Navy's Network Warfare Command. Within less than a month, she amassed nearly 300 social-network connections among security specialists, military personnel and staff at intelligence agencies and defense contractors.

But Robin Sage did not exist.

Her profile was a ruse set up by security consultant Thomas Ryan as part of an effort to expose weaknesses in the nation's defense and intelligence communities - what Mr. Ryan calls "an independent 'red team' exercise."

* Ms. Sage's connections invited her to speak at a private-sector security conference in Miami, and to review an important technical paper by a NASA researcher. Several invited her to dinner. And there were many invitations to apply for jobs.

* One soldier uploaded a picture of himself taken on patrol in Afghanistan containing embedded data revealing his exact location.

* A contractor with the NRO who connected with her had misconfigured his profile so that it revealed the answers to the security questions on his personal e-mail account. "This person had a critical role in the intelligence community," Mr. Ryan said. "He was connected to key people in other agencies."

* Many other connections also inadvertently exposed personal data, including their home addresses and photos of their families.

He added that he was surprised about the success of the effort, especially given that Ms. Sage's profile was bristling with what should have been red flags.

"Everything in her profile screamed fake," he told The Times. She claimed to have 10 years' experience in the cyber security field - which would mean that she entered it at age 15 - and there is no such job as "cyber threat analyst" at the Naval Network Warfare Command. Even her name is taken from the code name of an annual U.S. special-forces military exercise, as a two-second Google search establishes.

Several people with whom she attempted to connect spotted the fakery, Mr. Ryan said, "I was pretty much busted on Day Two." He said some people with whom Ms. Sage tried to connect took simple precautions such as trying to call the phone number she provided, or by asking her to e-mail them from her military account. Others checked public records on her purported National Security Agency information security qualification or reviewed the college alumni network for the Massachusetts Institute of Technology, where she claimed to have been educated.

David Wennergren, the deputy chief information officer for the Department of Defense, said in an e-mail that the answer was to continue the Pentagon's effort to "ensure our folks are well trained on responsible use of the Internet - at work and home."

"We should address the behavior, not abandon the tool."

But Paul Strassmann, a professor at George Mason University who was the Pentagon's director of defense information in the early 1990s, said the unrestricted use of social networking by Defense Department personnel poses unacceptable risks.

Mr. Strassmann, who said he was recently engaged by a U.S. agency he declined to name to help develop a policy on social networking, added that it didn't matter that the security breaches in the case were unintentional. "In intelligence, many of the most important leaks are inadvertent."

Another person involved at a senior level in the U.S. military's cyber security efforts, who asked for anonymity because he was not authorized to speak about the case, called it "an object lesson in the dangers of social networking."

"People feel they are safe" on the Internet, he said, but in reality, "it is a perfect environment for preying on people's weaknesses."

John Glenn, MBCI
Enterprise Risk Management practitioner
Hollywood - Fort Lauderdale Florida

Monday, July 19, 2010

ERM-BC-COOP: Do my job for me

Dear All
Can you please provide me with a risk management report or risk assessment report or any report to indentify risks in the bank
(Name withheld to protect the guilty)

The above was posted to - well what is supposed to be - a professional list.

Note the petitioner is not asking for help or how to go about the task at hand; he is looking for a check list.

"I don't have time to look around the organization to see what risks might be lying in wait. I don't have time to check the regulatory agencies and their examining arm (FFIEC) to see what they might think appropriate to consider."

Call me a curmudgeon, but I chose to ignore the plea. Actually, I showed unusual restraint - I didn't flame the lad. I save that - flaming - for people who pretend to know what they are doing; this tyro, correctly, never made that claim.

I get frustrated both by organizations that engage tyros for jobs best left to experienced practitioners, and by the tyros who take on these jobs. Actually, if a tyro undertakes - and that may be a very appropriate word in this instance - such a job and makes an effort to self-educate before appealing to the lists, I'm inclined to lend whatever limited knowledge I've acquired over a baker's dozen years in the field.

We have lost a valuable resource - the DRJ Forum. It's been down so long I wonder if it will, like the phoenix, ever rise from the ashes. We're left with the Blog - a rather off-putting name, "blog" - several lists, and a few relevant non-commercial Web sites.

There seem to be more and more of these "innocents thrown to the wolves" of late. Maybe it is because of the economy; people looking for cheap product. As a word smith, rest assured I use the word "cheap" with its worst connotation, (There's a difference between "cheap" and "inexpensive" or the "cost effective" euphemism.) As the old grammatically incorrect saw goes: "You get what you pay for."

At least I know if the lad is working for a bank in the U.S. whatever he does will be critiqued by someone from FFIEC; hopefully, for the lad's sake as well as the bank's, the examiner will be knowledgeable. A good examiner - auditor - is worth his, or her, weight in gold.

Knowing that there IS someone to cover the lad's (and the bank's) assets only slightly mollifies my umbrage at once again being asked to put my expertise to work for a person apparently too lazy to do anything on his own other than to ping a list.

  If we continue to tolerate this we truly will be a Rodney Dangerfield* profession.

COMMENTS ARE WELCOME but must be in English; all others will be rejected.

John Glenn, MBCI
Enterprise Risk Management practitioner
Hollywood - Fort Lauderdale Florida

Friday, July 16, 2010

ERM-BC-COOP: BSI to compare DHS BCM standards


Reston, VA -- -- 07/15/2010 -- BSI is hosting an important free webinar on July 20, 2010 at 1:00 pm ET to review the three Business Continuity Management (BCM) standards recently adopted by the Department of Homeland Security for the Voluntary Private Sector Preparedness Accreditation and Certification Program (PS-Prep).

BSI’s Product Manager for the Americas, Robert Whitcher, will provide a brief overview of three standards, BS 25999, NFPA 1600 and ASIS SPC-1, and discuss some of the similarities and differences among BS 25999, NFPA 1600 and ASIS SPC-1.

Business Continuity Management helps organizations minimize the risks involved in the event of disruption of business. With a certified BCM plan in place, businesses develop resilience and recovery strategies that protect staff, preserve the organization’s reputation and provide the ability to continue operating during the most challenging and exceptional circumstances.

To register for this free webinar, go to

According to the blurb on the registration page, "Robert Whitcher, BSI’s Product Manager for the Americas, will provide a brief overview of three standards the United States Government has chosen for their Voluntary Private Sector Preparedness Accreditation and Certification Program (PS-PREP). He will discuss some of the similarities and differences among BS 25999, NFPA 1600 and ASIS SPC-1. Come prepared to ask questions so you can determine which standard is right for your organization.

"Whitcher is the Americas Product Manager for IT Service Management (ISO/IEC 20000), Information Security Management (ISO/IEC 27001) and Business Continuity (BS 25999) at the BSI. He is an Information Security and IT professional with over 34 years experience within the IT industry and more than 24 years experience in Information Security, Privacy and Business Continuity. "

It will be interesting to see

    (a) how neutral the presentation will be

    (b) if it will address enterprise risk management (vs. just IT D/R)

    (c) if it will be made clear that DHS accepts NFPA 1600 and ASIS SPC-1 as well as the British BSI-25999.

Caveat: Having last looked at BS 25999-1 and -2 in draft form, I am less than enthusiastic about the British standard. My main problem with BS 25999 - and I have several issues with the document - is that the draft version failed to mention avoidance or mitigation, two key components of risk management. (It may have been corrected before the final release.)

BSI is trying very hard to turn BS 25999 into "the" business continuity management standard with an International Standards Organization ID, this despite NFPA's acceptance well beyond the borders of the United States.

The Webinar should prove interesting.

John Glenn, MBCI
Enterprise Risk Management Practitioner
Hollywood - Fort Lauderdale Florida

Thursday, July 15, 2010

ERM-BC-COOP: Responsibility (liability) does not stop at the door


Store may be liable for attack in parking lot, rules Indiana Supreme Court [Lawyers USA]

From AdvisenFPN

A grocery store may be liable for a criminal attack upon a customer in its parking lot, even though the store was allegedly located in "low-crime" area, the Indiana Supreme Court has ruled in affirming the denial of summary judgment.

Read entire article linked from above URL.

Wednesday, July 14, 2010

ERM-BC-COOP: Risk of not "going green"


"Going Green" is good PR, good for the environment, and good for the bottom line.

FAILING to go green might be a serious risk to the bottom line.

I was reminded that "environment as a risk" means more than just protecting against floods, hurricanes, tornados, earthquakes, sink holes, and the like when I read an article from AdvisenFPN at titled "Biodiversity Inches Up the Corporate Agenda".

The article cited a study that is part of a series titled The Economics of Ecosystems and Biodiversity , a joint initiative by industrialized nations and the United Nations Environment Program intended to draw attention to the global economic benefits of fostering biodiversity.

The leed (cq) paragraph gave four examples of companies profiting by being kind to Mother Nature:

"The report said that Wal-Mart, for example, had sought to eliminate excess product packaging, reducing its disposal expenses while increasing its customer numbers and business revenues. The mining company Rio Tinto has made progress by starting offset projects in Madagascar, Australia and North America, news-media materials accompanying the report said. The energy company BC Hydro was singled out for a policy of no net incremental ecological impact, and Coca-Cola aims to become water neutral by 2020, the materials said."

As governments, both national and "world" become more and more "environmentally aware," they are insisting that organizations that have a cavalier attitude toward nature clean up their act "or else"; the "or else" often being hefty fines.

This is not particularly new in the U.S., but the enforcement seems to be stricter; the governments are trying to avoid future Love Canal situations (see

Even when penalties are too small to seriously impact an organization's budget, there is another issue to consider: public relations; image.

Wal-Mart is very PR conscious. It has to be not only to retain its fickle customer base - after all Target and Kmart are more than willing to accommodate Wal-Mart shoppers - but in order to win community support for new stores in otherwise mega-mart free areas, a problem it encountered on several occasions recently.

While it may be true that enforcement levels vary by jurisdiction and the party in power, the environment-friendly laws are on the books and can be enforced.

The PR value of environmental concern is a two-sided coin.

Failing to implement good environmental practices can lead to fines and, more importantly, loss of stock holder and lender confidence and loss of customers.

Having, and promoting, good environemntal practices - much like having and promoting an enterprise risk management plan or SOx effort - can enhance the bottom line by giving customers and stock holders a "warm fuzzy feeling" about the organization.

Having good environmental practices, like having a viable enterprise risk management plan, is just good business, and one that could enhance the bottom line.

John Glenn, MBCI
Enterprise Risk Management practitioner
Hollywood - Fort Lauderdale Florida
JohnGlennMBCI at gmail dot com

Monday, July 12, 2010

ERM-BC-COOP: Pays to Protect People


This article, of general interest to all Enterprise Risk Management/Business Continuity professionals, has been removed from the Blog as the result of a copyright infringement claim.

Rather than send a courtesy letter requesting the article's removal - a request that would have been imediately accommodated, the copyright holder's first action was to file a suit in US District Court for the District of Nevada.

John Glenn, MBCI

ERM-BC-COOP: Airbus facility certified


I read this morning (July 12, 2010) that "Airbus has become the first aerospace manufacturing company with certification to BS 25999, the Business Continuity Management System standard. BSI Group, the London-based standards developer, performed the audit. The Airbus unit achieving certification is a wing manufacturing site in Broughton, England."

A couple of thoughts.

While I am glad to see at least one unit of Airbus Industries (the wing manufacturing site in Broughton, England) achieving certification, and while wings are important, what about the rest of the aircraft. Minor things such as the fuselage, the tail assembly, the engines, the electronics and electrical system. Sometimes bragging about something opens a Pandora's box of questions. In any even, the certification is for the facility, not necessarily the parts made there.

The other thing - and actually the thing that first caught my attention - was the brash statement that "BS 25999 (is) the Business Continuity Management System standard."

I think that needs a qualifier - it may be the British Business Continuity Management System standard, but the Business Continuity Management System standard may be a bit of wishful BS thinking.

I know the British Standards Institute (BSI) is pushing very hard to make BS 25999 an international standard, but even when it gains an ISO ID, as it surely will, there still will be a question will be about the "international" part of the name.

The US has NFPA 1600 which, in my opinion, is more of a true, all-inclusive risk management document than what I have seen of BS 25999-1 and -2. The Canadians adapted 1600 to their unique requirements (what are county-unique requirements, anyway - risks are risks and avoidance and mitigation measures are just that, regardless of country; likewise response efforts are based on the function to be restored, not the country in which the function is located). ANZ has its own standard as does Japan - neither of which is BS25999-1/-2.

I have nothing against a common standard and maybe, deep down, I'm a little chauvinistic, but even though I am a member of the BCI - often misconstrued as the "British" (vs. "Business") Continuity Institute, I have a problem with BS 25999.

When I reviewed BS 25999 I found it sorely lacking; the word "mitigation" failed to appear even one time in the draft documents. The set seemed to me more than a little "padded" to reach a desired page count and the language, typical for Europe and the island, was passive - in contrast to the typically active voice in the US and Canada; I can't speak for ANZ and Japan.

For all that, it's good to know that the British-made wing assemblies for Airbus aircraft are from a BS-certified facility.

John Glenn, MBCI
Enterprise Risk management practitioner
Hollywood - Fort Lauderdale Florida

Tuesday, June 29, 2010

ERM-BC-COOP: Volunteer will introduce ERM


The other day I wrote about a fellow who initially said he was an MBA candidate interning as a business continuity planner at a commercial endeavor. Our Manager-in-Training complained to a list that he knew nothing of business continuity planning, had no guidance from the school, and no help from the organization engaging him; ergo, he turned to the people on the list.

Turns out his appeal lacked a certain candidness and that there was more, much more, to the story.

But that is not the point of this post.

I have on my very portable notebook (nee' laptop) computer a PowerPoint presentation designed specifically for the College Crowd. The primary audience is composed of MBA candidates; a secondary audience is made up of BBA hopefuls.

The PowerPoint is a two-parter that introduces Enterprise Risk Management to the people who can take the message back to their employers. There are 30 "slides" spread over two days assuming 2-hour blocks; that allows time for encouraged questions and discussions.

The PowerPoint will not make the students into qualified practitioners - that is not its intent.

It will send them back to their offices with an understanding of what business continuity - enterprise risk management - is all about and with sufficient knowledge to sort the wheat from the chafe when considering engagement of practitioners, either as an in-house resource or on a consultancy basis.

As with most PowerPoint, and similar, presentations, this is best presented by its author. As its author I am more than willing to fill-in for area instructors for a couple of class sessions; I might even be talked into donating my time. I will gladly take the show on the road, but only with pre-paid transportation and lodging.

(I learned the lesson about travel when I was invited to present in Ghana; for that tale, see

I am a great believer in "educating the masses" about enterprise risk management; that's the reason for this blog and the associated Web site. But first, you have to get the masses to mass.

John Glenn, MBCI
Enterprise Risk Management practitioner
Hollywood - Fort Lauderdale Florida
JohnGlennMBCI at gmail dot com


Friday, June 25, 2010

ERM-BC-COOP: Ethics? Who needs'em?


The following email just crossed my desk:

    Hi all, I am currently an MBA Student, and for my internship, I am to implement a BCP for a consumer products company that currently does not have one. I have been given little/no instructions and have no prior experience. There are a few examples of what the company wants and has done in Germany, but it gives little insight into the entire planning and thought process. I am looking for some advice on where to start. Is there some documentation out there that would help me get a better idea? I am in my first week and feel like I may be in over my head a bit. Thanks in advance for all of your input, help, and support. Best Regards,
    [Name withheld]

I responded that since he is totally unqualified for the task, he should not be doing it. I did provide some generic resources, and I did come down fairly hard on the school that has the MBA program. I noted that the best thing he could do, as an MBA candidate, was to know when to hire a professional.

In return I received another email that REALLY got my attention.

    I understand that I am in over my head and that this subject is something that needs experience and expertise. However, I don't think it prudent for me to go to upper management and tell them that they have made a mistake, even if they have (and I may have as well), and to go out and hire a professional. I am looking to make the best of this situation, and am looking for any advice in how to do that. I am not necessarily looking for negative reinforcement. Please let me know if you have any other advice aside from "Hire a Professional."

His lack of planning expertise is bad enough, but his absolute lack of business ETHICS really made me pay attention. He wrote: I don't think it prudent for me to go to upper management and tell them that they have made a mistake, even if they have (and I may have as well), and to go out and hire a professional.

So here we have an MBA candidate who is told by his school that he's on an "internship" without any mentor or supervision (remember, "I have been given little/no instructions and have no prior experience").

He lacks the ethics to either beard his instructor , who it seems also lacks any sense of ethical conduct, or the company to which he has been sent ("I don't think it prudent for me to go to upper management and tell them that they have made a mistake"). A "King's Clothes" mentality that bodes ill for business and for MBA programs.

I suggested that his - and his school's - lack of honestly put him, the instructor, and the school "individually and severally" in jeopardy of a suit if any plan he creates fails due to his professional deficiencies. No I am not a lawyer and I don't play one on tv, but I DID seek a lawyer's opinion (albeit after the fact).

If it comes to that - legal action - there will be a great deal of finger pointing, with the defense being that the employer accepted the sub-tyro's plan (if indeed it DOES accept the MBA candidate's effort).

Whether it "comes to that" or not, this whole exercise gives legitimate practitioners a black eye and damages what little professional image we are struggling to acquire.

I am frustrated and, frankly, angry.

At the MBA candidate who shows total lack of ethics.

At the school that would throw this lad to the wolves and that would jeopardize an organization (albeit one that apparently is trying to get something on the cheap)

I'm also angry at the school and its personnel for, if the letter writer is correct, calling this exercise an "internship."

Hopefully this MBA candidate will discover that risk management is not for him. I doubt he will ever understand that part of a professional practitioner's job IS telling the King that he's naked.

It's a bad day for risk management.

It's a bad day for business (ethics).

Its a bad day for decent MBA programs.

John Glenn, MBCI
Enterprise Risk management practitioner
Hollywood - Fort Lauderdale Florida
JohnGlennMBCI at gmail dot com

Thursday, June 24, 2010

ERM-BC-COOP: More than just Info Tech


I often write that a good enterprise risk management plan needs input from the legal staff (in-house or external).

An article on the Advisen FPN site ( titled Natural Disasters (from, lists concerns linked to the following legal issues:

  • The Fair Labor Standards Act

  • The Family and Medical Leave Act

  • The Uniformed Services Employment and Reemployment Rights Act

  • The Employee Retirement Income Security Act and Tax Relief

  • The Consolidated Omnibus Budget Reconciliation Act (COBRA)

  • The Health Insurance Portability and Accountability Act

  • The Americans with Disabilities Act

  • Occupational Safety and Health Administration

  • The National Labor Relations Act

  • The Worker Adjustment and Retraining Notification Act

  • Immigration Issues

  • Insurance Issues

It is worth the time to read and worth the time to discuss the issues with HR and legal experts.

And you thought all a business continuity planner needs to know is IT. ;-)

Go forth and make friends with the folks in HR and get to know the lawyers, too.

John Glenn, MBCI
Enterprise Risk Management practitioner
Seeking work in, or from, south Florida
JohnGlennMBCI at gmail dot com

Wednesday, June 16, 2010

ERM-BC-COOP: Lessons learned
How NOT to manage a disaster
By British Petroleum


British Petroleum, BP, is truly the poster child for risk management and how NOT to handle an event.

This seems, based on incidents at other leading British organizations, to be the norm.

BP, according to a New York Times piece at not only by all accounts failed to do "due diligence" to avoid or at least mitigate the Goo in the Gulf caused by an explosion on a drilling rig - an explosion that, lest we forget, cost the lives of 11 people - it is exacerbating matters by its heavy-handed efforts at public relations.

The PR is so bad, I suspect Israel is working for BP; the Israel government is expert at creating bad PR from good opportunities.

Worse, the US government, in the form of the Homeland Security Department, FAA, and the Coast Guard command, appears to be in bed with BP in an effort to strangle news from the area.

I would expect heavy-handed handling of the media in the UK, but for the US to cave to a business, especially a foreign-owned and controlled business, shames me.

Honesty in Blogging: I came to risk management from journalism via PR, marketing, and tech pubs, both here and overseas.

While I can agree that reporter over-flights need to be controlled, albeit not prohibited, I have a hard time accepting that a BP staffer apparently determines who can fly over the spill and who cannot (reporters).

According to the NYT,

    "A pilot wanted to take a photographer from The Times-Picayune of New Orleans to snap photographs of the oil slicks blackening the water. The response from a BP contractor who answered the phone late last month at the command center was swift and absolute: Permission denied.

    "A spokeswoman for the agency (FAA), Laura J. Brown, said the flight restrictions are necessary to prevent civilian air traffic from interfering with aircraft assisting the response effort.

    "Ms. Brown also said the Coast Guard-FAA command center that turned away a Southern Seaplane was enforcing the essential-flights-only policy in place at the time; and she said the BP contractor who answered the phone was there because the FAA operations center is in one of BP’s buildings. "

But who is controlling access? It seems like the FAA is taking its orders from BP.

Still, reporters are in good company.

The NYT reports that

    "Last week, Senator Bill Nelson, Democrat of Florida, tried to bring a small group of journalists with him on a trip he was taking through the gulf on a Coast Guard vessel. Mr. Nelson’s office said the Coast Guard agreed to accommodate the reporters and camera operators. But at about 10 p.m. on the evening before the trip, someone from the Department of Homeland Security’s legislative affairs office called the senator’s office to tell them that no journalists would be allowed. "

    "Mr. Nelson has asked the Homeland Security secretary, Janet Napolitano, for an official explanation, the senator’s office said.

    "Capt. Ron LaBrec, a Coast Guard spokesman, said that about a week into the cleanup response, the Coast Guard started enforcing a policy that prohibits news media from accompanying candidates for public office on visits to government facilities, 'to help manage the large number of requests for media embeds and visits by elected officials'.”

Public relations is all about image, perception.

I suppose even BP could consider itself in "good company" as this PR disaster unfolds on the human and environmental disaster.

When the fox answers the phone in the chicken coop, one suspects collusion with the farmer. It LOOKS like Homeland Security, the FAA, and the Coast Guard are working for BP. It doesn't have to be true, but given the NYT article, that's the impression the reader almost has to take away.

Learning from mistakes is a good thing, especially when the mistake is someone else's.

Any practitioner who fails to present the BP fiasco in all its variations - loss of life, oil in the waters, PR faux pas - to the client, internal or external, is failing to fulfill the role of risk management and doing the client a disservice.

Management that ignores what is happening to BP's image, its stock price, and the shrinking bottom line - the financial impact can be as much as US$17 billion (capped by Federal statute), is doing the organization a disservice and should be replaced.

I suppose I should say "Thank you" to British Petroleum for presenting this excellent example of how NOT to practice risk management. Still, I would have preferred to have this as a theoretical exercise than a real disaster (11 dead equals a disaster in my book).

John Glenn, MBCI
Enterprise Risk Management practitioner
Hollywood - Fort Lauderdale Florida

Monday, June 14, 2010

ERM-BC-COOP: You've GOT to be kidding


The following invitation to disaster was posted on the Projects for Freelancers web site ( by oDesk.

    Develop a Business Continuity Checklist

    I am seeking a suitable candidate with BCP knowledge or skills sufficient to put together a 2-3 page BCP checklist in MS Word format. The document should be titled "Business Continuity Global Checklist" as per the web site:

    The checklist must be useful to someone putting together a BCP plan for there business and will be given away FREE to those people that sign up to the "Subscribe Today" double opt in form at: .

    There is likely to be another checklist to be developed to the Disaster Recovery market to the successful applicant. Kind regards; talk soon.

    Starting On: April 30, 2010
    Ending On:
    Posted On: June 13, 2010 23:43 UTC
    ID: 100884752
    Category: Writing & Translation > Technical Writing
    Skills: Business Continuity Planning, BCP, Technical Writing
    Country: Australia
    Hours Billed: 0.00

So far, the only response seems to be from "An Internet entrepreneur - Freelance Consultant, India" whose stated goal is "To establish a career that would suit my intellectual capabilities and enhance my personal well being. " He is, by his own admission, "a goal-oriented person. I am able to handle professional work pressure well and develop positive working relationships with employer."

What do we have?

First we have an advertiser who either cannot or will not proofread the copy (e.g., "there" rather than "their").

We have an advertiser who suggests he or she manages a business continuity blog (!) but lacks sufficient knowledge to put together a (useless) check-list.

Any business continuity practitioner with any experience knows check lists and templates are invitations to disaster; at BEST they provide a false sense of security.

Our advertiser, you may have noted, wants the job to start on April 30; although the job was posted on June 13.

The respondent from India may be the perfect person for the job. He apparently lacks any business continuity experience - his response fails to address any of the requirements , but his price - $5.56/hour - is probably more than his work is worth at least for this posting.

With attitudes toward business continuity such as shown by this posting, it's no wonder that

(a) we are the Rodney Dangerfields of the professional world

(b) that people think that, like writing and photography, anybody who can spell the profession can call himself/herself a professional (writer, photographer, planner).

Perhaps I'm missing something.

Perhaps I ought to submit a bid.

John Glenn, MBCI
Enterprise Risk Management practitioner
Hollywood - Fort Lauderdale Florida
JohnGlennMBCI at gmail dot com

Thursday, June 10, 2010

ERM-BC-COOP: Nothing can possibly go wrong, go wrong, go . . .


The headline reads: "Worker killed when natural gas pipeline explodes in fireball "

The video and article under the headline are about the explosion and fire that followed when 14 workers were digging holes for new power lines; a drill bit apparently punctured a buried 36-inch gas pipeline, according to a story on the WFFA tv web site (

One person was killed and 8 others were injured; one seriously enough to require hospitalization.

Most underground utilities are mapped. This particular pipe was 36-inches (diameter) and was pressurized to about 1000 pounds/square inch (psi).

According to the WFFA blurb, "State and federal investigators will now try to determine how the power line workers managed to strike the huge natural gas line in an area that's cris-crossed with underground pipes."

It happens all the time

I have seen telephone lines severed - both copper and fibre.

I know of broached water mains.

This probably avoidable accident follows along.

In all the cuts prior to this one, the problem can be laid directly to the company doing the digging, Someone failed to call "Miss Utilities" or similar service to get a map of underground utilities where the dig was to commence. A simple call and, in most jurisdictions, a call required by statue. The WFFA story did not flatly state that the pipe was mapped, but a pipe of that size and capacity . . .

An a risk manager for an organization the question is: How does that effect me?

First, if you depend on natural gas, suddenly you are without power. How long? It took several hours before the fires were out; how long did (will?) it take to repair the pipe? Until it's repaired and pressure tested, no gas will flow through that line. Admittedly a 36-inch pipe is not going to terminate at a factory or office building, but it serves distribution sites that do serve such facilities.

Second, if your organization was close to the accident site, it might have suffered damage to the facility.

Third, at least for a while, access to the area was restricted; no deliveries in or out, no visitors with orders, no employees coming in or going home.

In short, even though the incident happened to someone else, your organization felt the impact.

It behooves you, as a risk manager, to look beyond the walls of the facility, to look beyond the usual suspects, and consider what is in and around the neighborhood.

Underground utilities. Of course.

But what about airports, sea ports, rail lines, major highways where trucks travel with hazardous materials, or even major arteries that funnel traffic to your door.

Who are your neighbors? Are they organizations that might be unpopular with activist groups - PETA for example. Are they organizations that often have work actions? This is NOT to get into the propriety of the activists or justifications for work actions; the only intent is for you to consider that what happens across the street or down the block CAN negatively impact your organization's operation.

But so can a parade in the neighborhood.

If your neighbor has a fire, will the fire brigade's presence impact your operation. (Of course it will.)

Risks don't necessarily have to happen to your organization to impact it.

As a professional risk manager, your due diligence must look beyond your organizations walls and beyond the "usual suspects" of environment, human "error," and technology.

John Glenn, MBCI
Enterprise Risk Management practitioner
Hollywood - Fort Lauderdale Florida
JohnGlennMBCI at gmail dot com


Wednesday, June 9, 2010

ERM-BC-COOP: Consider HR risks

Anyone who thinks IT is an organization's only concern should consider the following:

In a blurb at promoting a for-fee Webinar: "According to the Department of Labor, wage and hour class actions currently outnumber all types of employment discrimination class actions combined. The retail sector has been the hardest hit, but no sector is immune. To better understand this epidemic and effectively manage increased risks of wage and hour claims, join a panel of experts for an Advisen Wage and Hour Webinar on Wednesday June 16, 2010 at 11:00 AM EDT."

Maybe considering business continuity-related policies and procedures, and making certain all personnel are aware and understand them should be a higher priority.

Granted, some managers (and business continuity practitioners) enthusiastically DISagree with this "have policies in place and advertise them" recommendation claiming that it will "tie management's hands" and limit response options.

It seems to me that if enough thought is put into the policies and procedures, there will be sufficient "wiggle room" for management to adapt to meet any situation.

LACKING policies and procedures seems to me to invite legal action. Based on my limited experience with the Bench, I assure you that judges prefer to deal with things in writing.

Having written - and published - business continuity-related policies and procedures may not keep the organization out of court, but they might make defending management's actions easier and less costly.

John Glenn, MBCI
Enterprise Risk Management practitioner
Hollywood - Fort Lauderdale Florida
JohnGlennMBCI at gmail dot com

Monday, June 7, 2010

ERM-BC-COOP: DC doesn't "get" it


I just received an email from George S. LeMieux, Florida's junior senator.

The email missive concerned, primarily, the disaster in the Gulf of Mexico (that threatens to meander up the US' Atlantic seaboard).

Florida's junior senator wrote: "I have joined Senators David Vitter (R-LA), Roger Wicker (R-MS), and Jeff Sessions (R-AL) in introducing the Oil Spill Response and Assistance Act (OSRA), which would dramatically increase the liability of companies responsible for oil spills. It is clear that the economic damage done to the Gulf region will far exceed the $75 million cap currently in place. OSRA would raise that limit for a company like BP to $17 billion dollars. For the future, this bill also requires the best technologies and equipment are staged to respond to potential spills within 24 hours. I am closely following the situation, and will do all that I can to protect our fisheries, our tourism industry, our environment, and our economy. "

Several things concern me regarding the senator's message.

Let's start with the Oil Spill Response and Assistance Act (OSRA) that would "dramatically increase the liability of companies responsible for oil spills."

Apparently the cap for damages from an oil spill such as the one BP allowed is a mere US$75 million (US$75,000,000). Is it any wonder, then, that BP is claiming it will pay to clean up the mess, knowing as its lawyers must, that the maximum it can be obligated to fund is US$75 million. Clean-up costs in the billions - n,000,000,000 - have been suggested. The Act would raise the cap a BP would be forced to pony up to US$17 billion (US$17,000,000,000). While that seems an improvement, I think any cap is a way for a BP to shirk its responsibility.

    An aside. While I read that several (re)insurers are telling everyone they will meet their contract agreements with insured clients, I also heard that at least one insurer told its insured in Louisiana that it will NOT pay for damages; if its insureds want to make a claim against BP et al, they are welcome to do so, but don't look to the insurance company for assistance. Sounds a lot like Florida after Andrew and Louisiana and Mississippi after Katrina - take the money and run. (What does that have to do with risk management aside from the Gulf? Consider any insurance coverage your organization may have as a financial risk - your insurer may decide to just "walk away.")

The senator's email continues: "For the future, this bill also requires the best technologies and equipment are staged to respond to potential spills within 24 hours."

Senator, that's just disaster recovery, sort of.

What is needed is an Act that demands avoidance and mitigation processes to be built into all projects that can turn into an ecological mess - not even a "disaster," just a "mess."

From all reports I have read or heard, BP and its vendors were woefully unprepared for any spill of consequence. The risk of a major spill was considered so unlikely (low probability) that even though the impact might be great the companies elected to risk it. After all, worst case, the damage "cap" is only US$75 million.

It's good that the senators - all Republicans in a Democrat-controlled, highly politicized Congress - are thinking about disasters and assuring that the proposed Act "requires the best technologies and equipment are staged to respond to potential spills within 24 hours."

What is needed is more PRO-ACTIVE legislation to prevent or mitigate risks and with a painful penalty for wealthy organizations (such as BP) so that the Act will be taken seriously.

US$17 billion seems like a lot of money, but (a) that's a maximum and (b) it fails to take into account long-term damage to the environment, employment, people's lives and livelihoods.

We don't need more "disaster recovery"; we need an Act that demands risk management from the beginning: identification, avoidance and mitigation, and then recovery if it becomes necessary.

Sorry senators; you just don't get it.

John Glenn, MBCI
Enterprise Risk Management practitioner
Hollywood - Fort Lauderdale Florida
JohnGlennMBCI at gmail dot com

Friday, June 4, 2010

ERM-BC-COOP: Once again assumptions are dangerous


Updated Sunday, June 6, with undated comments from a McDonald's Web site.

By now almost everyone who frequents McDonald's has seen headlines similar to the following:

McDonald's Recalls 12 Million Shrek Drinking Glasses Over Toxic Metal

The question we should be asking as Enterprise Risk Management (business continuity/COOP) practitioners is: How did this happen? Actually, the question should not be how but WHY.

According to a HILIQ article ( McDonald's purchased the glasses from ARC International of Millville, NJ.

However, the article continues, "While ARC International is credited with the manufacture, it appears the glasses were really manufactured in China according to a CNN report"

About seven million glasses have been sold with another five million in outlets or warehouses.

The question is: Who is responsible for allowing cadmium-laced glasses to get into the hands of McDonald's customers, especially small customers?

The article notes that "The U.S. Consumer Product Safety Commission (CPSC) announced the voluntary recall early Friday. It warned consumers to immediately stop using the glasses. McDonald's is expected to post instructions on its website next week regarding refunds.

"The CPSC stated in its recall notice that ''long-term exposure to cadmium can cause adverse health effects.'' Cadmium is a known carcinogen which can also cause bone softening and severe kidney damage. The kidney damage of cadmium poisoning is irreversible and does not heal over time. "

From an ERM/BC/COOP perspective, both ARC International and McDonald's are on the hook, and for the same reason - failure to perform "due diligence."

Why not the Chinese manufacturer? Simple: Neither ARC nor McDonalds can control a foreign company, particularly a Chinese company.

China has a long and unfortunate history of sending defective and dangerous products to the U.S. (see Given the justified reputation for providing shoddy and dangerous products, it falls on the importers - in this case ABC International - to carefully check the incoming products. Again, based on China's record, frequent random samplings would have been in order.

McDonalds likewise should have checked the product. Granted, it had a right to "assume" that ARC International inspected the Chinese product and stood behind its quality assurance/quality control. That might have been sufficient for Joe's Burger Joint in Beautiful Downtown Burbank, but when you are a McDonalds and damage to your reputation is an international concern, then this practitioner believes it behooves McDonalds to do its own sampling.

'Course maybe reputation is no big thing to McDonalds; it wasn't so long ago it used beef fat to fry its fries in India - does anyone in India remember or care?

Would an ERM-BC-COOP practitioner been able to side-track the problem before it put poison glasses into little peoples' hands? Probably not.

Not because the practitioner would have overlooked or ignored the threat but because the practitioner probably would not have been involved or aware of the purchase. The problem, our problem, is invisibility - we, practitioners, are "invisible" to very senior managers (until something goes "bump in the night").

One of the reasons I believe we are "invisible" to Very Senior Management (VSM) is the name many of use elect to call ourselves: "Business Continuity" practitioners/planners/professionals, etc.

"Business Continuity" fails to suggest, to me in any event, that we are RISK MANAGERS and that means any and all risks, not just ones that interrupt work flow. Reputation is a very big item on the risk list; just ask Deon Binneman ( , a reputational expert.

This "incident" then points up a couple of things.

Thing One: Organizations must take responsibility for vendor products. It makes no difference if the product is a novelty glass or a steel casing; incoming inspection is a necessity. How great an inspection depends on the vendor's history with the company and what goes on at the vendor - change of management, budget concerns, labor problems, etc. (Ask British Airways what happens when a vendor's staff strikes.)

Thing Two: We - practitioners - need much greater visibility and I believe we need to rethink what we call ourselves as a first step toward gaining, and holding, that visibility. We need to be involved, by executive fiat, in ALL aspects of the organization. We may be limited to recommendations, but at least VSM will have the recommendations of professional "What If" sayers.

To be fair

In a McDonald's press release at, the company states:

In collaboration with the Consumer Product Safety Commission (CPSC), and as a precautionary measure, McDonald’s USA today issued a voluntary product recall of the four Shrek Forever After™ promotional glassware currently being offered in U.S. restaurants.

To be clear, the glassware was evaluated by an independent third-party laboratory, accredited by the CPSC, and determined to be in compliance with all applicable federal and state requirements at the time of manufacture and distribution. However, in light of the CPSC's evolving assessment of standards for consumer products, McDonald’s determined in an abundance of caution that a voluntary recall of the Shrek Forever After glassware is appropriate.

Is the glassware unsafe? The CPSC has said that the glassware is not toxic. In addition, the glassware was evaluated by an independent third-party laboratory, accredited by the CPSC, and determined to be in compliance with all applicable federal and state safety requirements at the time of manufacture and distribution. This action is being done as a precautionary measure.

Didn’t McDonald’s test the glassware? Yes. McDonald’s safety standards are among the highest in the industry, and we have a strong track record. The glassware was evaluated by an independent third-party laboratory, accredited by the CPSC, and determined to be in compliance with all applicable federal and state requirements at the time of manufacture and distribution. It’s important to know that the CPSC has said that the glassware is not toxic

John Glenn, MBCI
Enterprise Risk Management practitioner
Hollywood - Fort Lauderdale Florida
JohnGlennMBCI at gmail dot com

Wednesday, June 2, 2010

ERM-BC-COOP: Consider the law


I subscribe to a free service called Advisen Front Page News It bills itself as "Productivity and Insight for Insurance Professionals."

Insurance professionals deal with risks. Enterprise Risk Management practitioners deal with risks, ergo my interest in the site.

Two articles in a recent email tickler caught my eye.

One, titled "Woman sues Google after Park City accident" reminds that when someone sues, they - or their legal representatives - sue everyone that might be remotely involved, especially if any of the potential defendants is suspected of having "deep pockets" - the capacity to pay big awards.

The second, titled 'Venting Online, Consumers Can Land in Court" is about "strategic lawsuits against public participation", a/k/a SLAPP.

The danger to organizations in the first case is obvious. If the organization can be linked, even indirectly, then it is liable to be named in a suit. The smaller the directly related organization and the larger your organization, the higher probability your organization will find itself defending its honor - and bank account.

The second issue is a little different, but like the first it can be expensive to defend.

In most states, "truth is an absolute defense" against libel suits brought against newspapers. The same holds true for claims of slander in most states. Neither is nationwide and once outside the Several States I have no idea what laws apply.

The issue here, however, is not just a slander suit against - in this case - a blogger who claims he was wronged by a towing company. If the blogger has a known association with an organization - as an employee or board member - or advertises a relationship with an organization that organization is subject to inclusion in a libel action.

When I was an honest journalist - back when Hector was a pup - I learned that while truth was the absolute defense against a libel suit, I also learned that (a) it was expensive for my paper (albeit great for the lawyers) and (b) time consuming both before and during the trial. Unless the person suing my newspaper was a real scoundrel, my reputation and the paper's was at stake.

Enterprise Risk Management, a/k/a business continuity, is all about managing risks.

There really is no legal way (that I know about) to prevent an employee from railing against Joe's Fly-By-Nite Towing and Car Crushing Company, even if Joe and friends fraudulently towed and crushed the employee's car.

Employers may have well-advertised policies and procedures in place clearly stating that employees will not reference their employer in personal communications, including but not limited to emails and blogs and that all officials of the organization, that is, people generally known to be associated with the organization, will refrain from making any non-complimentary comments about any one or any thing until the comment has been vetted by Legal.

The organization is not trying to stifle free speech as much as it is trying to avoid legal actions or to at least be prepared for legal actions as "injured parties" look for deep pockets.

True story.

I once was "Deputy Director of Engineering" for a PBX manufacturer. In that role I was "the" technical writer and, in the director's frequent absence, in change of customer support.

The company sold, and maintained, its product through a vendor network.

Seems one of our vendors left a client without service. The client, a small hotel in California, had a problem with the PBX and, being unable to contact the vendor (that went out of business without telling anyone - customers or us) called us. I answered the phone. I managed to get the customer support in relatively short order and set him up with another vendor in his area.

I THOUGHT that was the end of it. A pat on the back for the Deputy Director who, like Mighty Mouse, saved the day.

Then, a few weeks later I was informed that I, along with the Director and the Director's VP, was named as a co-defendant with the company by a suit brought by the person I had helped !

Fortunately, the company's legal folks headed off the suit. How much it cost the company is unknown, but the exercise was disruptive and put a dent into the budget.

The bottom line for all this is that organizations must make an effort to distance themselves from individuals without being seen as limiting free speech. A well defined policy that can be shown to be known by the author of an offending comment may be sufficient to get the organization off the hook.

Then again, it may not.

Check with your legal counsel; I am not a lawyer nor do I play one on tv.

As for the first threat, the Google map, again with the caveat that I am not a lawyer, it seems like a disclaimer on the product might be sufficient. Still, another item in the Advisen Front Page News email suggests that even that may not be sufficient: see "Concerns over floor mat issue activate safety probe of some Ford models" (

As Star Trek's Mr. Spock would opine: "Interesting."

John Glenn, MBCI
Enterprise Risk Management Practitioner
Hollywood - Fort Lauderdale Florida