Friday, February 26, 2010

A funny thing happened . . .

. . . on the road to Accra

I was invited to present Business Continuity 101 to some folks in Ghana.

I'm always willing to talk about what I do - indeed, this morning I got a call from a man who asked me to "explain business continuity." (I did in a few short sentences.)

The organization that invited me also talked to several other practitioners, including a couple of whom I correspond on a regular basis.

I was agreeable to make the trip to Ghana and I prepared some materials for a two-day show-n-tell in the nation's capital.

In return, I received a letter to attach to my visa request, along with a US$50 money order. I also started looking for someplace that could provide a yellow fever shot, a requirement to enter Ghana.

Everything was fine until I told my potential hosts that I expected them to pre-pay my airfare and local lodging.

Suddenly, I heard no more from Ghana.

I'm new to the rubber chicken circuit, but I wasn't born yesterday. I don't know how experienced speakers handle such things, but I wasn't about to be told after the fact that "the check's in the mail." It's hard enough to collect monies due in the US from US companies - I'm still waiting for my last paycheck and vacation pay from my previous employer - which becomes harder and harder to contact (no, I am not surprised; I was, after all, a budget cut, but this is not what I expected from the least of the Top Five defense contractors in the US).

I confess to being a little disappointed in both the Ghana organization and my former employer.

The Ghana connection because it lacked the foresight to due its budget homework . My fee certainly was reasonable and considered the transportation costs.

When I twice asked that the hosting organization buy the plane tickets and provide me with a contract, the answer was the same - no response at all.

I'm sharing this with The World not because I am upset with the Ghana organization (although I am more than a little upset with my former employer) but so that anyone who finds himself, or herself, invited to a distant venue will be aware that there are "things" to consider, including how much money the invitee is willing to risk.

At least I was spared the needle (yellow fever inoculation) and visa fee. I would feel a lot better to the folks in Ghana had someone sent an email telling me "A budget review forces us to cancel the invitation."

A pity, because I really DO like to talk about enterprise risk management and business continuity. Any time. Any place. To anyone.

John Glenn, MBCI
Enterprise Risk Management/Business Continuity practitioner
Hollywood/Fort Lauderdale Florida

Looking for work in, or from, southeast Florida

Thursday, February 18, 2010

ERM-BC-COOP: Speak English !


I confess to being a bit "put out" by "de" words.

Words such as "de-identification" as in "Workshop on the HIPAA Privacy Rule’s De-Identification Standard" and "de-duplication."

As a former journalist, flack. and technical writer I find words such as these counter-productive. They cause listeners to ask "Say WHAT?" and readers to reach for their glasses.

I understand what the coiners of these words are trying to convey, at least in broad terms, although to be truthful I had to confirm "de-duplication" (,,sid187_gci1378533,00.html).

There's nothing inherently wrong with coining (making up) words, but these two words in particular offend me eyes and ears.

"De-duplication" is, in English, deletion of duplicate files.

I assume that "de-identification" translates to "remove (patient) identifiers" given the related article. The reason for the "assume" weasel word is that the text at never clearly states that the workshop is about removal of information that could identify a patient .

Per the referenced Web page, "The American Recovery and Reinvestment Act of 2009 (ARRA)1 requires HHS to issue guidance on methods for de-identification of protected health information (PHI) as designated in HIPAA's Privacy Rule.

"To facilitate timely collection of information, OCR is organizing an in-person workshop that will consist of multiple panel sessions. Each panel will address a specific topic related to the Privacy Rule’s de-identification methodologies and policies. The workshop will be open to the public and each panel will be followed by a question-answer period. The workshop will be held March 8-9, 2010 in Washington, DC and, at the present time, this is the only workshop planned."

To borrow a line from My Fair Lady , "Why can't the English learn to speak . . . the language."

I really would like to "de-dictionary" those two words.

By the way, "OCR" translates to "Office [for] Civil Rights" that, it would seem, is part of the U.S. Department of Health & Human Services.

John Glenn, MBCI
Enterprise Risk Management/Business Continuity practitioner
English language curmudgeon
Hollywood/Fort Lauderdale Florida

Looking for work in, or from, southeast Florida

Sunday, February 14, 2010

ERM-BC-COOP: Perspective

Another BCM blogger took issue with my Risk Management vs. Risk Management piece, noting that "It certainly seems that they (the State of Florida) are looking for industry-specific risk training. Is that such a bad thing?

"Given that regulatory requirements are probably very specific in health I could see that would be a sensible approach."

The remarks were prompted by my comment that the State of Florida, in its wisdom, certifies risk management people who want to work for medical facilities; the certification requires a very narrow focus (vs. an "enterprise" approach.)

If "industry-specific risk training" is a good thing, then anyone performing a risk analysis for an IT function would need to be an IT guru; a person doing the same for HR would need to be an HR expert, and a person doing risk management for a finance unit would need accountancy training, possibly a CPA.

There is nothing WRONG with having a background in a functional area providing that knowledge doesn't get in the way of the holistic "big picture."

Risk management, be it for a hospital or a transportation company or a - you name a business, including NGOs and non-profits/charities - is ESSENTIALLY the same for all:

    (a) identify the critical process(es)

    (b) identify risks to the process(es)

    (c) prioritize the risks (probability vs. impact)

    (d) identify means to avoid/mitigate/transfer the risk

and then come up with ways to recover to "business as usual" if the risk occurs despite our best efforts.

I approach risk management as a generalist, and that certainly colors my opinions. I have a broad, and varied, background having come to risk management via journalism and technical documentation. I know a little about a lot of things; enough to ask intelligent questions that elicit answers that often lead me down paths I never anticipated - nor would I, perhaps, have traveled if I was an "expert' in the function.

Being a generalist means, to me, that I realize I lack guru status in any area except perhaps risk management where I am at least a "subject matter expert." (Just ask me.)

But back to what I perceive to be the dangers of "focused" risk management.

Based on 13-plus years in the business I am convinced that there are so many inter-dependencies in any organization - that the only effective risk management program is an enterprise, holistic program. While that does not preclude independent "functional unit" plans (which I promote), it does mean that, due to interdependencies any program less than enterprise-wide is bound to overlook risks that can quickly ripple through an organization.

My fellow practitioner and I agree to disagree.

Hopefully, our discussions provide value not only for ourselves but other practitioners as well.

John Glenn, MBCI
Enterprise Risk Management practitioner
Hollywood/Fort Lauderdale Florida

Seeking work in -- or from -- southeast Florida

Friday, February 12, 2010

ERM-BC-COOP: How critical IS "PR"

I just read an article in the online version of Communicate, a UK publication. The article, titled "Eurostar - a blizzard of criticism" discusses the PR blunders of Eurostar trains "trapped in the Chunnel" incident in December, 2009.

The article is online at

As I read the blurb I was reminded of the image hit British Airways (BA) sustained when it's sole caterer's employees walked out in August 2005 and who were later joined by airport baggage handlers, effectively grounding BA flights. The ripple effect was that kiosks at the airport quickly ran out of food and passengers were more than "somewhat" upset. (See and

Both the Eurostar and BA stories made headlines around the world, but I don't recall seeing any follow-up articles showing the immediate and, more importantly long-term impact on either business.

As an enterprise risk management (a/k/a business continuity) practitioner and former print journalist, I have to wonder: Do PR gaffes have the lingering impact we tell our clients?

In other words, once the initial anger passes and the finger pointing ceases, do customers come back? Do clients simply "forgive and forget?"

Certainly both BA and Eurostar offered post-event perks to get customers to return. Were they sufficient?

How much did these post-event perks cost and could the cost have been reduced had the companies better handled the PR - image protection - process at the time of the incident? Would maintaining image provide a better ROI than the post-image perks?

Everyone should know how Johnson & Johnson handled the tampered Tylenol incident. It is in every PR textbook. Today, in the US and elsewhere, Toyota is being held up as "How Not to Manage an Image."; where J&J did everything right,, Toyota is following in the BA/Eurostar path of "too little, too late."

I would like to see the financial bottom line for BA a year after the caterer fiasco, and the Eurostar financial report a year or so after the December Trouble in the Tunnel.

Granted, BA, Eurostar, Toyota, and J&J are hardly Mom-n-Pop operations. The British government is highly involved in British Airways and Eurostar and Toyota has an equal involvement with the Japanese government - that's how things work in most places outside North America; perhaps outside the USA. Neither the British nor the Japanese governments will permit a national name to fail.

It also would be interesting to see how different people react(ed) to the incidents.

I recently flew on British Midland Airlines (since, I'm told, acquired by another company). Due to cavalier treatment, I "swore off" future flights with British Midland. I avoid CDG airport because of staff attitude. (On the other hand, I love AMS and KLM, the airline that calls AMS home.) For the most part, when I have a choice, I exercise it, even if it costs me a bit more. But, I was born and raised in the US and that certainly colors my attitude and personality.

But I am left with the question: is there a worthwhile ROI to prevent bad PR, a hit to the image or is it "cheaper" to take a hit and offer a pittance for pride.

Again, the advice for a Mom-n-Pop organization with a limited survival fund might be very different than for a BIG NAME organization, especially one heavily involved with the government (e.g., BA, Toyota).

But I'd really like to see follow-up stories on the long-term impact of a PR foul-up on some Big Name organizations.

John Glenn, MBCI
Enterprise Risk Management/Business Continuity practitioner
Hollywood/Fort Lauderdale Florida

Available for work in -- or from -- southeast Florida

Thursday, February 11, 2010

ERM-BC-COOP: Risk Management vs. "risk management"

I live in Hollywood, Florida.

Hollywood is in south Florida, read "geriatric" Florida; lots of seniors.

South Florida also is a megopolis; what used to be a series of small communities from Homestead, south of Miami, to West Palm Beach now is one big traffic jam - translation, there are LOTS of people in south Florida.

Both the general head count and the geriatric head count translate into the need for many heath care facilities - hospitals, extended care facilities, nursing homes, etc.

All of these "health care" facilities need risk management.

The State of Florida, in its wisdom, mandates that in order for a person to be employed as a risk manager in a health care facility, the person must be certified by the State.

Since I am looking for new employment, and since I am an experienced and certified enterprise risk management practitioner (inquiries to JohnGlennMBCI at gmail dot com) I checked into the certification requirements.

The State requires that candidates for certification take one of three "programs." The programs generally are provided by a State university.

The University of South Florida (USF) - which is in Tampa on Florida's Gulf coast and not, as the name implies, in "south" Florida - offers a 120-hour on-line course for "only" $800. I use the USF course as an example because USF has the best Web presence for this program.

According to the USF site (, the program topics include

  • History and Purpose of Risk Management
  • Health Care Standards and Regulations Impacting Long Term Care
  • Elements of Negligence, Liability, Malpractice and Managing Insurance Claims
  • Methods for Identifying Risk Exposure in Hospitals, Ambulatory Surgical Centers and Long Term Care
  • Risk Control Techniques to Reduce Patient Errors and Increase Patient Safety
  • Systems Linking Risk Management with Quality Improvement

According to USF, the course would be of interest to professionals in the following disciplines:

  • Administrators
  • Chiropractors (DCs)*
  • Disability Management Specialist
  • Emergency Med. Tech. (EMTs)*
  • Licensed Practical Nurses (LPNs)*
  • Pharmacists (PharmDs, RPh’s)*
  • Physicians (MDs, DOs)*
  • Podiatrists (DPMs)*
  • Radiology Technologists (RTs)*
  • Respiratory Therapists (RRTs)*
  • Registered Nurses (RNs)*

*  Eligible for licensure through the State of Florida.

At the conclusion of this course, participants should be able to:

  • Discuss the history and purpose of risk management
  • Recognize and apply healthcare standards and regulations
  • Identify methods to mitigate risk exposure in a clinical setting
  • Recognize environmental and occupational risk exposures
  • Apply risk control techniques to reduce patient errors and increase patient safety
  • Utilize quality improvement techniques and tools
  • Comprehend elements of negligence, liability, medical malpractice, and management of insurance claims
  • Implement systems linking risk management with quality improvement

All well and good. Rather narrowly focused from an enterprise perspective, but not bad.

Ahh, here comes the kicker.

As I look at the faculty, I see people with the following alphabet soup behind their names (listed alphabetically): ARM, BSN, CPCU, CPHRM, DrPH, JD, LHRM, MBA, MPH, MPP, Ph.D, RN.

No DRII or BCI certifications. No certifications from the lesser-known certifying organizations.

There is, by the way, an American Society for Healthcare Risk Management (

ASHRM sells a 7-day CPHRM prep course for US$250 that has the following main topics (

  • Orientation
  • Session 1: Operations & Ethics
  • Session 2: Loss Prevention & Reduction Part 1
  • Session 3: Loss Prevention & Reduction, Part 2
  • Session 4: Risk Financing Part 1
  • Session 5: Risk Financing Part 2/Claims
  • Session 6: Regulatory/Accreditation Compliance

Sessions 2 and 3 promise "To examine components of the risk management process including, but not limited to, risk identification, risk analysis, risk control, high risk settings, clinical risk management, and patient safety." That suggests that there is some risk management expectations that we would appreciate.

I am left wondering, where is risk identification? Where is risk prioritization; even in the health care environment there is limited coin to expend on risk avoidance and mitigation.

Florida requires certification for health care risk managers, but does it really require these certified people to understand true (enterprise) risk management or does the State-certified risk manager have a single focus, as does the IT "risk manager."

I'm trying to find out.

John Glenn, MBCI
Enterprise Risk Management practitioner
Hollywood/Fort Lauderdale Florida
JohnGlennMBCI at gmail dot com

Seeking employment in -- or from -- southeast Florida

Wednesday, February 10, 2010

ERM-BC-COOP: Let it snow

A few weeks ago the UK, or at least parts of it, was blanketed by snow.

According to reports I saw, work for many came to a halt. People were unable to get to their offices.

    (Funny, no one wrote anything - as far as I recall - about manufacturing operations or call centers, sorry, centres, or any other function that requires a "community" effort.)

There was talk about remote computing and costs and ... all the things I normally include in a standard business continuity plan, be it enterprise, key business unit, or IT-centric.

Recently, the Several States have had more than the usual amount of snow, sufficient to prevent access to facilities to all but the most hardy who happen to have snow shoes or skis.

Even states that normally get only a dusting during an average winter had an unusual amount of the white stuff.

It would be an interesting exercise to see how the UK in particular and Europe in general, planned for, and reacted to, the snow fall.

We know that a number of office-based organizations were effectively out of business for several days. These were in cities, not the hinterlands where I would expect less snow-control infrastructure.

I know that in the States most major office organizations are set up so that staff can work from a remote facility (read "the employee's home"). Some, like Northrop Grumman, where I worked for several winters, provide its office workers with security-equipped notebook computers and special dynamic codes to access the corporate intranet. Other companies are more - sometimes a great deal more - casual and allow anyone with the right username and password to access their intranet (much like we access gmail and similar email accounts).

It would be an interesting MBA-level study to investigate how the UK and EU compare to North America - specifically the US and Canada (do Mexican industrial areas get much snow?) - in so far as risk avoidance and mitigation measures are concerned.

The study could be expended to include non-snow events any where and every where as long as a comparison can be made.

I have an idea how the snow survey would play out based on past experience with incidents in the UK and in the US; it would be interesting to know if my conclusion is accurate. (I will keep my opinions to myself - for now.)

Any takers?


John Glenn, MBCI
Enterprise Risk Management/Business Continuity practitioner
Hollywood/Fort Lauderdale Florida
JohnGlennMBCI at gmail dot com
Available for work in - or from - southeast Florida

Friday, February 5, 2010

Job ad for already filled position

Edited to protect the "innocent"

Sr. Manager, Business Continuity Planning Manager at [organization]
Location: [US]
Experience: Mid-Senior level
Functions: Information Technology
Posted: January 29, 2010
Employer Job ID: ******

Job Description
The Business Continuity Planning Manager position will lead the development of a global disaster recovery strategy. In this role the Manager will drive the cross-functional collaboration and alignment to create and implement a comprehensive Business Continuity Plan. The ideal individual must possess strong business continuity expertise in a large global organization. The applicant will work extensively with executive management and key business and IT leaders to conduct business impact analysis and risk assessments, develop recovery strategies and plans for business and technology processes and environments, and plan and direct the testing of emergency response, recovery support and business resumption procedures.
The Manager must act as a business partner to key stakeholders across the company and able to proactively handle communication, alignment and change management.

Project Management and Planning

  • Define project scope, goals and deliverables that support business goals in collaboration with senior management and stakeholders.
  • Define project success criteria and disseminate them to involved parties throughout project life cycle.
  • Develop best practices and tools for project execution and management.


  • Detailed understanding of BCP/DRP at both technical and business levels.
  • Certified Business Continuity Professional (CBCP) preferred
  • 10+ years experience in a BCP equivalent role, internal or external.
  • Bachelors Degree in Business, Information Management, or a related field; or the equivalent in education and work experience
  • In-depth risk assessment and solution management skills - strong problem solver.

No Agency help or relocation assistance

Additional Information

  • Referrals through network preferred.
  • Local candidates only, no relocation
  • No third party applications.

Why do I suspect the job posting is not "real?"

Given the job responsibility, most organizations would seek candidates from across the country, if not from around the world. The soliciting organization - note I do not write "hiring" organization - has a world-wide presence so promotion from within, even out of the local area, would seem appropriate, or at least worth investigating.

Still, advertisements for business continuity people, especially those for IT D/R people posing as business continuity planners (as sought by the advertisement above), seem to be increasing. There also are more advertisements for "real" business continuity practitioners.

John Glenn, MBCI
Available for employment in, or from, southeast Florida
JohnGlennMBCI at gmail dot com