Monday, May 31, 2010

ERM-BC-COOP: Keep Own Copy


An organization with which I am affiliated had a web site.

The web site host provided the organization's site gratis - free, even.

Somewhere along the way, the site was hacked - several times. (My geek son tells me the hacker had an easy time due to sloppy PHP programming; I don't know who did the programming.)

Anyway, the site was taken down until it could be restored to a "pre-hacked" status.

Now here is the "got'cha."

Because (I was told) the site was a freebie, no one ever made back-ups of the files on the server. While I find that hard to believe, it seems true. (Yes, I know you can do selective backups, but all things considered, it seems easier to backup the entire server occasionally than to sort out the paid from the freebies.)

I have my own site ( hosted by ( I pay for the space and I know that 1and1 backs up my files. Over the course of several years, there was one hiccup and all my files were restored to "pre-hiccup" status.

Still, "things" happen, so I make it a practice to keep a copy of at least the newest files on the Toshiba, if not in all the formats I put up on 1and1, then at least in the basic word processor format; I always can recreate the HTML coding, write to PDF, and save as text as long as I have the original file. (My HTML is hardly sophisticated and I have the code strings saved in a text file for east cut-n-paste into the word mangler. CutePDF provides the PDF version.)

Even in "native" format, the word processor files hardly make a dent on the Toshiba's hard drive capacity. Add a few graphics and there still is lots of free space on the drive; plus after a couple of months - when I am absolutely, positively certain 1and1 has backed up my files, I DELete them from the hard drive.

(My first internal hard drive had a 20 MB capacity, so purging unused files from the drive became Standard Operating Procedure (SOP), a procedure that became a habit hard to break. My digi-cam with a slightly-larger-than-a-postage-stamp memory card has many, many times more capacity than my initial hard drive. And is a lot less expensive, too.)

If we ever get the organization's site up again - thanks to allowing the thing to fall through the (time) cracks, the domain name no longer is retrievable - and if I have anything to do with it, original files will be saved locally and replicated to the web host's servers.

It's simply good business practice to CYA - cover (protect) your assets - especially when someone is doing you a favor (or maybe it just seems that way).

John Glenn, MBCI
Enterprise Risk Management practitioner
Hollywood/Fort Lauderdale FL

Comments are welcome, but they MUST be in English to be published.

Friday, May 28, 2010

Who visits?


It's always interesting to see who visits my Web site and who makes return visits.

Apparently one of my biggest recent fans is the United States Army Information Systems Command in Snellville GA.

In one day, someone at USAISC downloaded 30 articles from

Someone connecting through Wildblue Communications in Bostic NC managed to download fine articles over two days - the Army did it all in one day.

Someone at Transact in Canberra, Australian Capital Territory likes the site well enough to visit day after day after day . . . but unlike the Army and Wildblue, they are just readers, not downloaders. Since there is no "Referring Link" the suggestion is that the page is bookmarked or someone's "favorite."

Sotribe of Dallas is another regular visitor, dropping by every week or two. How long has this been going on? I can't tell. I regularly purge my StatCounter logs.

There was a time I tracked - and posted - all the obvious hits for John Glenn, business continuity practitioner (vs. hits where the search most likely was for John Glenn, Marine/Astronaut/Senator/Presidential Candidate). But the list got so long that it was cumbersome to maintain it.

You might call it vanity, my StatCounter counter. I prefer to think of it as an ex-journalist's curiosity.

John Glenn, MBCI
Enterprise Risk Management practitionerJohnGlennMBCI at gmail dot com

Wednesday, May 26, 2010

2010 AT&T Business Continuity Study


The Phone Company (AT&T, rising like the Phoenix from the ashes of divestiture) released its "2010 AT&T Business Continuity Study" media kit (

It has what looks like some great information.

For a business continuity practitioner, the upward trends are most heartening.

But it pays to read past the headlines.

Looking at the Southern Region Results (, I note on Page 7/7 that "The results are based on an online survey of 104 Information Technology (IT) executives in the Southern region of the Unites States (Louisiana, Alabama, Mississippi and Florida). The study was conducted by e-Rewards Market Research with companies having total revenues of more than $25 million (except for state/local government participants). Surveys in the Southern region were obtained between February 23 and February 28, 2010. "

"Information Technology (IT) executives"

Why is business continuity STILL a child of Info Tech? Don't organizations, especially considering the size of some of the organizations represented by the 104 IT execs, understand that BUSINESS Continuity should report to the CEO, CFO, or COO and NOT to an IT exec?

According to AT&T, of the 104 participating executives:

  • 100% have primary responsibility for business continuity planning

  • 95% represent companies with revenues in excess of $25 million; 5% represent state/local governments

  • 37% are VPs/Managers/Directors of IT or IS; 22% are the CIO, CTO, CFO, CEO or COO

  • 56% represent companies with locations outside of the United States

  • Executives represent 16 major industry areas (besides state/local government)

The AT&T report then is for this planner both good news and "less good" news.

It certainly is worth taking the time to read for both consultants and staff practitioners.

John Glenn, MBCI
Enterprise Risk Management practitioner
JohnGlennMBCI at gmail dot com

Comments are welcome but must be in English.

Thursday, May 13, 2010

ERM-BC-COOP: BC in down economy


The economy goes down the tubes and, for foolish organizations, takes business continuity with it ... assuming, of course that the foolish organization even HAS business continuity.

Why not. Business continuity is overhead, no Return On Investment (ROI).


And wrong again.

First, organizations - and business continuity practitioners - need to understand that business continuity is a PROCESS-BASED FUNCTION.

Business continuity practitioners, if they are any good, identify critical processes for the enterprise and follow those processes from origination to completion.

Take, for example, an organization that sells widgets.

    The sales person visits prospects.

    The prospect agrees to buy "n" widgets.

    The sales person calls in the order.

    Order entry personnel enter the order and check with the warehouse to see if there is sufficient product to meet the order.

And on and on until the client receives the product and the client's payment is in the bank - the sales person's commission is paid, the vendors are satisfied, and the warehouse restocked.

There are perhaps 50 to 100 steps in the process that cross multiple "silos."

Granted, the multi-step process can be broken up (down?) into multiple mini-processes.

Who in the organization, beside the business continuity practitioner, can follow a process from beginning to end? The C-levels are not going to that level of granularity, and the folks in the silos are not really interested in the parts of the process that occur before and after the part of the process they perform.

In the process of following the process, a good business continuity practitioner can, if management is smart and permits it, do double duty as a business analyst.

In one of my first business continuity consulting jobs my boss told me what I "really" was doing is "process re-engineering." The consulting job I did immediately after this "process re-engineering" job listed me as a "process analyst."

What does an analyst do? He or she looks at processes and typically tries to identify ways to

    a) enhance the process

    b) eliminate the process

    c) reduce the process cost

Business continuity practitioners look at the same processes; why can't they also be allowed - encouraged - to consider ways to enhance, eliminate, or reduce process costs?

In other words, rather than kill or diminish the business continuity effort, expand it to take full advantage of a good practitioner's capabilities; let the practitioner also recommend process improvements.

Unfortunately for the business/process analyst, the reverse - asking them to be business continuity practitioners - often is less than satisfactory. The business continuity practitioner thinks not only in terms of process improvement, but risks and elimination or mitigation of risks to the process, recovery if the risk occurs, personnel safety and awareness, and all the other business continuity necessities (e.g., plan maintenance, training and exercises).

When times are flush and money flows freely, then the business continuity and process analysis functions can again be separated.

But until that time, it seems to be economically sound to maintain the business continuity function and to expand it to include process analysis.

John Glenn, MBCI
Enterprise Risk Management practitioner
JohnGlennMBCI at gmail dot com
Hollywood/Fort Lauderdale Florida

Wednesday, May 5, 2010

ERM-BC-COOP: Wish I'd thought of that


I preach it.

I practice it.

"It" is planning with group dynamics; conversely, not planning in a vacuum.

The recent BP oil rig collapse and subsequent leak of oil into Gulf waters has been a major topic on the International Association of Emergency Managers (IAEM) list.

Simultaneously on the same list is a thread about what the Department of Homeland Security is really all about.

One poster commented that "If a disorganized band of Somali pirates can take a Ship. I don't see why a semi-organized terrorist cell could not take an oil platform. Realistically they don't have to actually board an oil platform, just drive a boat loaded with explosives under it and blow it from there."

For the IAEM folks, the emphasis is on preventing a disaster once the event - the terrorists' act - is over.

To my mind, thinking as an enterprise risk management practitioner (a/k/a business continuity planner), the time to consider action is before the oil platform is towed to sea.

How can a drilling platform be protected?

It's not (as far as I know) practical to try to put a fence around the platform.

I thought about pirates in the Far East and off Africa.

Lots of ships are attacked. But one flag seems to be avoided. Israel's.

Could it be because the crews on Israel-flag vessels are armed and trained to use the weapons? During the height of the aircraft high jacking era, only one El Al jet was "captured" by air pirates. Since then, all attempts have met with failure - perhaps because Israel has for a long time had unidentified "sky marshals" on board, armed and trained to use their weapons.

There are "no fly" zones all over America. Stay clear of Cape Canaveral, especially when a launch is scheduled. Fly near 1600 Pennsylvania Avenue and expect an Air Force escort to the nearest secure airport.

Why can't there be "no float" zones around oil rigs? Zones that extend far enough out so that there is no repeat of the USS Cole incident at the Aden port in Yemen (see

What would it take to enforce a "no float" zone?

Radar and sonar manned 24*7 to detect threats.

Trained personnel with sufficiently long-range weapons to keep threats at a distance. These personnel might of necessity need to be military to be equipped with sophisticated targeting equipment. (Shoulder-fired missiles come to mind.)

Consider what is available to the bad guys.

What is the probability of such an attack occurring? My guess is that today, 5 May 2010, the likelihood is small.

But as long as the "developed" world remains heavily dependent on oil, and as long as the "developed" world fears environmental disasters (such as the BP incident), and as long as drilling platforms are easy targets, the probability of an attack increases.

Is it worth putting avoidance measures in place?

Cleanup may cost BP more than US$12 billion according to a Christian Science Monitor article (, a mess that night have been avoided or greatly mitigated through engineering. It cost 11 lives at the platform - sadly a loss that seems overlooked by the media.

Risk management always is a "bottom line" issue. Is it worth the money and the possible image hit for a company to take a chance? Can a government be obliged to share clean-up costs if it fails to protect drilling rigs within its coastal waters? What ARE the obligations of the drilling company and of the government?

I suppose we'll have to wait until the first terrorist attack to see what could have been accomplished if reasonable risk management options had been implemented.


John Glenn, MBCI
Enterprise Risk Management practitioner
Hollywood/Fort Lauderdale Florida
JohnGlennMBCI at gmail dot com

Monday, May 3, 2010

ERM-BC-COOP: What is the difference?


I just read a digital promo for a US$500 book titled

"Strengthening The Relationship Between Risk Management And Business Continuity " being peddled by Forrester, "an independent research company that provides pragmatic and forward-thinking advice to global leaders in business and technology."

The blurb, an excerpt from the book, tells me that "Business continuity is an essential element of enterprise risk management (ERM), although organizationally, the two disciplines are not often connected directly."

So, I ask, what is the difference between enterprise risk management and enterprise business continuity?

Although what (I think) I do is "risk management," my certification is as a "business continuity" practitioner - not a "professional" since I am certified by the Business Continuity Institute and DRII tells me only people certified by DRII are entitled to be called a "certified business continuity professional". My initial certification, from Norm Harris was as a "certified recovery planner," although even then (1999) the emphasis was on enterprise-level risk avoidance/mitigation efforts.

Maybe an "enterprise risk manager" can tell me what he or she does that I don't do.

There ARE risk managers - note lack of the word "enterprise" - who deal with insurance issues. There are risk managers - again, sans the word "enterprise" - who deal with risks to medical organizations. There are a number of specialty risk management fields, but none carry the "enterprise" label.

That is not in any way presented to denigrate what these people do. As a matter of fact, these specialty risk managers are Subject Matter Expert resources for the enterprise risk management practitioner (a/k/a enterprise business continuity planner) in the same way as are Facilities, Finance, HR, IT, and vendor management, etc., SMEs.

What DOES an "enterprise risk manager" do that is different from a business continuity practitioner?


  • Both can manage a project or program

  • Both identify critical business functions (profit center processes)

  • Both identify internal and external risks to the critical business functions

  • Both identify means to avoid, mitigate, or "transfer" (i.e., insure) risks

  • Both attempt to prioritize identified risks

  • Both depend on SME input and management decisions re risk limitation measures

In my case, I also

  • Create, with SME input, documentation to recover the critical business functions (and their resources) to business as usual in the most expedient, efficient, and economical manner possible

  • Develop personnel safety and awareness programs

  • Create a plan maintenance process

  • Create, with professional trainers if available, programs to exercise the plan and means to critique the exercises to see how things can be done better (vs. pointing fingers about what whet wrong).

I search for risks within the organization and without. The "usual suspects" always are present - environment, technology, human error - but I look beyond those to vendors and clients.

"Everyone considers vendors," I hear you say.

True, but most practitioners fail to consider money vendors - lenders, stock and bond markets.

I also consider policies and procedures since most organization's P&Ps lack anything specific to a business interruption.

So, again, what is the difference between what I call myself - an enterprise risk management practitioner - and what it states on my BCI certification - certified business continuity planner?

There IS a difference between "disaster recovery planner" and enterprise risk management/enterprise business continuity practitioner; disaster recovery is an integral part of the latter . Disaster recovery, by the way, should be enterprise wide, not limited to information technology.

So tell me, someone, anyone:

What is the difference between

    (a) Enterprise Risk Management (ERM) and

    b)[ Enterprise] Business Continuity (BC)

I can be reached at JohnGlennMBCI at gmail dot com.

John Glenn, MBCI
Enterprise Risk Management practitioner
Hollywood/Fort Lauderdale Florida

Sunday, May 2, 2010

ERM-BC-COOP: Drill, Baby, drill


As oil from the BP disaster (11 people were killed) continues to flow into the Gulf of Mexico proves, risk management was absent from the beginning.

An aside. a Google search for "BP oil rig disaster" brought up many hits for the environmental impact but none were concerned about the 11 missing-presumed-dead. It required a more specific search to generate hits on missing personnel. Allow me to editorialize: We have out priorities wrong. Granted, there is great environmental and financial damage, but people died; the environment and finances can be recovered or restored, but those lives are lost forever. THAT's the real disaster.

According to an AP/Yahoo report headed "Document: BP didn't plan for major oil spill" (, "In its 2009 exploration plan and environmental impact analysis for the well, BP suggested it was unlikely, or virtually impossible, for an accident to occur that would lead to a giant crude oil spill and serious damage to beaches, fish and mammals."

With that thinking, it obviously was not necessary to consider technological methods to avoid - or at least mitigate - the oil "spill" resulting from the collapsed drilling platform.

I'm not writing about computer technology, although that would be involved.

I'm writing about valve technology; some way to automatically close a valve "in the event of."

I worked for a while as a tech writer for Leslie Controls, a company that makes valves and valve systems - "process control systems" - for both commercial and military applications. It made valves of all sizes, from 1/4-inch openings to 16-inch openings, two-way and three-way, for fluids, superheated steam, and gas, valves that can withstand seawater and severe pressures, so although not a valve engineer, I know a little about valves and control systems.

There are "normally open" (NO) and "normally closed" (NC) valves.

Valves can be deigned and built so that when the power (electrical or otherwise) that keeps them open is removed the valves close automatically.

If such valves had been in place in the pipe leading to the oil were in place, the flow would have been stopped someplace between the source of the oil and the sea.

I am NOT an engineer - valves or otherwise - but I am certain there was some method that could have been employed to prevent, or at least limit to a minimal amount, oil "leaking" into the Gulf.

As a Florida resident, I hope this disaster will put a halt to any new, POTUS-promoted off-shore drilling - and in fact stop all off-shore drilling until safety measures are put into place.

As an American, I hope this disaster will cause us to more seriously look at ways to wean ourselves from oil and other non-renewable resources. We have been kidding ourselves since at least the mid-1970s that we were "going" to do something to reduce dependency on oil. (So far, we've mostly (a) ignored the promise we made to ourselves and (b) switched a little to other sources of non-renewable energy, e.g., natural gas and coal.)

What about on-land drilling? For the most part, drilling from land-based rigs has proven fairly safe for both people and the environment. That is NOT to say we are accident free. Likewise, there is a transportation issue - pipelines and tankers on land and water.

The immediate need is for oil and gas exploration companies - and I used to work for one of those, too - to involve risk management people, "off-the-wall thinkers" if you will, in the exploration methodologies and LISTEN to those people.

The drillers are symptomatic of business in general.

I was contracted with a company that monitored other companies' data centers. This company's profit center was its computer center. It relocated its facilities across town to a lovely new building. The profit center was on the bottom floor behind a huge glass window so visitors could see that they were buying. Support services were on the second and third floors.

An the problem was?? The problem was is that the building was in a flood plain.

The company played with business continuity during the relocation, but failed to involve a practitioner in the search for a new location.

I think maybe this practitioner's theme song should be Pete Seeger's "Where have all the flowers gone" which asks the question at the end of every stanza "When will they ever learn? When will they ever learn?"

John Glenn, MBCI
Enterprise Risk Management practitioner
JohnGlennMBCI at gmail dot com


ERM-BC-COOP: Value of Awareness and Safety training


Car bomb scares Times Square but fails to explode


Thousands of tourists were cleared from the streets for 10 hours after a T-shirt vendor alerted police to the suspicious vehicle, which contained three propane tanks, fireworks, two filled 5-gallon gasoline containers, and two clocks with batteries, electrical wire and other components, Police Commissioner Raymond Kelly said.

The T-shirt vendor alerted police at about 6:30 p.m., the height of dinner hour before theatergoers head to Saturday night shows.

Smoke was coming from the back of the dark-colored Pathfinder, its hazard lights were on and "it was just sitting there," said Rallis Gialaboukis, 37, another vendor who has hawked his wares for 20 years across the street.

An alert street vendor gets credit for possibly saving lives and avoiding what might have been considerable physical and financial damage (this despite the fact that "police have spent years trying to crack down on street hustlers and peddlers preying on tourists ").

I preach, mostly to deaf ears I fear, that risk management (business continuity) programs need to include a personnel awareness and safety component.

Staff are the first line of defense against many events, particularly fires and leaks.

Strange smell? Small puddle? Flickering lights?

All are hints that something might be amiss. All deserve to be reported to a central point and "investigators" dispatched to determine the cause.

Sky turning green? Tornado likely - move away from windows.

Management should understand that staff need to be encouraged to pay attention to the environment - both inside the building and outside as well.

Personnel, and personal, vigilance: the least expensive avoidance and mitigation measure an organization can implement.


John Glenn, MBCI
Enterprise Risk Management practitioner
JohnGlennMBCI at gmail dot com