Tuesday, June 29, 2010

ERM-BC-COOP: Volunteer will introduce ERM


The other day I wrote about a fellow who initially said he was an MBA candidate interning as a business continuity planner at a commercial endeavor. Our Manager-in-Training complained to a list that he knew nothing of business continuity planning, had no guidance from the school, and no help from the organization engaging him; ergo, he turned to the people on the list.

Turns out his appeal lacked a certain candidness and that there was more, much more, to the story.

But that is not the point of this post.

I have on my very portable notebook (née laptop) computer a PowerPoint presentation designed specifically for the College Crowd. The primary audience is composed of MBA candidates; a secondary audience is made up of BBA hopefuls.

The PowerPoint is a two-parter that introduces Enterprise Risk Management to the people who can take the message back to their employers. There are 30 "slides" spread over two days assuming 2-hour blocks; that allows time for encouraged questions and discussions.

The PowerPoint will not make the students into qualified practitioners - that is not its intent.

It will send them back to their offices with an understanding of what business continuity - enterprise risk management - is all about and with sufficient knowledge to sort the wheat from the chaff when considering engagement of practitioners, either as an in-house resource or on a consultancy basis.

As with most PowerPoint, and similar, presentations, this is best presented by its author. As its author I am more than willing to fill in for area instructors for a couple of class sessions; I might even be talked into donating my time. I will gladly take the show on the road, but only with pre-paid transportation and lodging.

(I learned the lesson about travel when I was invited to present in Ghana; for that tale, see http://johnglennmbci.blogspot.com/2010/02/funny-thing-happened.html.)

I am a great believer in "educating the masses" about enterprise risk management; that's the reason for this blog and the associated Web site. But first, you have to get the masses to mass.

John Glenn, MBCI
Enterprise Risk Management practitioner
Hollywood - Fort Lauderdale Florida
JohnGlennMBCI at gmail dot com


Friday, June 25, 2010

ERM-BC-COOP: Ethics? Who needs 'em?


The following email just crossed my desk:

    Hi all, I am currently an MBA Student, and for my internship, I am to implement a BCP for a consumer products company that currently does not have one. I have been given little/no instructions and have no prior experience. There are a few examples of what the company wants and has done in Germany, but it gives little insight into the entire planning and thought process. I am looking for some advice on where to start. Is there some documentation out there that would help me get a better idea? I am in my first week and feel like I may be in over my head a bit. Thanks in advance for all of your input, help, and support. Best Regards,
    [Name withheld]

I responded that since he is totally unqualified for the task, he should not be doing it. I did provide some generic resources, and I did come down fairly hard on the school that has the MBA program. I noted that the best thing he could do, as an MBA candidate, was to know when to hire a professional.

In return I received another email that REALLY got my attention.

    I understand that I am in over my head and that this subject is something that needs experience and expertise. However, I don't think it prudent for me to go to upper management and tell them that they have made a mistake, even if they have (and I may have as well), and to go out and hire a professional. I am looking to make the best of this situation, and am looking for any advice in how to do that. I am not necessarily looking for negative reinforcement. Please let me know if you have any other advice aside from "Hire a Professional."

His lack of planning expertise is bad enough, but his absolute lack of business ETHICS really made me pay attention. He wrote: I don't think it prudent for me to go to upper management and tell them that they have made a mistake, even if they have (and I may have as well), and to go out and hire a professional.

So here we have an MBA candidate who is told by his school that he's on an "internship" without any mentor or supervision (remember, "I have been given little/no instructions and have no prior experience").

He lacks the ethics to either beard his instructor, who it seems also lacks any sense of ethical conduct, or the company to which he has been sent ("I don't think it prudent for me to go to upper management and tell them that they have made a mistake"). A "King's Clothes" mentality that bodes ill for business and for MBA programs.

I suggested that his - and his school's - lack of honesty put him, the instructor, and the school "individually and severally" in jeopardy of a suit if any plan he creates fails due to his professional deficiencies. No, I am not a lawyer and I don't play one on tv, but I DID seek a lawyer's opinion (albeit after the fact).

If it comes to that - legal action - there will be a great deal of finger pointing, with the defense being that the employer accepted the sub-tyro's plan (if indeed it DOES accept the MBA candidate's effort).

Whether it "comes to that" or not, this whole exercise gives legitimate practitioners a black eye and damages what little professional image we are struggling to acquire.

I am frustrated and, frankly, angry.

At the MBA candidate who shows total lack of ethics.

At the school that would throw this lad to the wolves and that would jeopardize an organization (albeit one that apparently is trying to get something on the cheap).

I'm also angry at the school and its personnel for, if the letter writer is correct, calling this exercise an "internship."

Hopefully this MBA candidate will discover that risk management is not for him. I doubt he will ever understand that part of a professional practitioner's job IS telling the King that he's naked.

It's a bad day for risk management.

It's a bad day for business (ethics).

It's a bad day for decent MBA programs.

John Glenn, MBCI
Enterprise Risk Management practitioner
Hollywood - Fort Lauderdale Florida
JohnGlennMBCI at gmail dot com

Thursday, June 24, 2010

ERM-BC-COOP: More than just Info Tech


I often write that a good enterprise risk management plan needs input from the legal staff (in-house or external).

An article on the Advisen FPN site (http://tinyurl.com/28otd8x) titled "Natural Disasters" (from Mondaq.com) lists concerns linked to the following legal issues:

  • The Fair Labor Standards Act

  • The Family and Medical Leave Act

  • The Uniformed Services Employment and Reemployment Rights Act

  • The Employee Retirement Income Security Act and Tax Relief

  • The Consolidated Omnibus Budget Reconciliation Act (COBRA)

  • The Health Insurance Portability and Accountability Act

  • The Americans with Disabilities Act

  • Occupational Safety and Health Administration

  • The National Labor Relations Act

  • The Worker Adjustment and Retraining Notification Act

  • Immigration Issues

  • Insurance Issues

It is worth the time to read and worth the time to discuss the issues with HR and legal experts.

And you thought all a business continuity planner needs to know is IT. ;-)

Go forth and make friends with the folks in HR and get to know the lawyers, too.

John Glenn, MBCI
Enterprise Risk Management practitioner
Seeking work in, or from, south Florida
JohnGlennMBCI at gmail dot com

Wednesday, June 16, 2010

ERM-BC-COOP: Lessons learned
How NOT to manage a disaster
By British Petroleum


British Petroleum, BP, is truly the poster child for risk management and how NOT to handle an event.

This seems, based on incidents at other leading British organizations, to be the norm.

According to a New York Times piece at http://www.nytimes.com/2010/06/10/us/10access.html, BP not only failed, by all accounts, to do "due diligence" to avoid or at least mitigate the Goo in the Gulf caused by an explosion on a drilling rig - an explosion that, lest we forget, cost the lives of 11 people - it is also exacerbating matters by its heavy-handed efforts at public relations.

The PR is so bad, I suspect Israel is working for BP; the Israel government is expert at creating bad PR from good opportunities.

Worse, the US government, in the form of the Homeland Security Department, FAA, and the Coast Guard command, appears to be in bed with BP in an effort to strangle news from the area.

I would expect heavy-handed handling of the media in the UK, but for the US to cave to a business, especially a foreign-owned and controlled business, shames me.

Honesty in Blogging: I came to risk management from journalism via PR, marketing, and tech pubs, both here and overseas.

While I can agree that reporter over-flights need to be controlled, albeit not prohibited, I have a hard time accepting that a BP staffer apparently determines who can fly over the spill and who cannot (reporters).

According to the NYT,

    "A pilot wanted to take a photographer from The Times-Picayune of New Orleans to snap photographs of the oil slicks blackening the water. The response from a BP contractor who answered the phone late last month at the command center was swift and absolute: Permission denied.

    "A spokeswoman for the agency (FAA), Laura J. Brown, said the flight restrictions are necessary to prevent civilian air traffic from interfering with aircraft assisting the response effort.

    "Ms. Brown also said the Coast Guard-FAA command center that turned away a Southern Seaplane was enforcing the essential-flights-only policy in place at the time; and she said the BP contractor who answered the phone was there because the FAA operations center is in one of BP’s buildings."

But who is controlling access? It seems like the FAA is taking its orders from BP.

Still, reporters are in good company.

The NYT reports that

    "Last week, Senator Bill Nelson, Democrat of Florida, tried to bring a small group of journalists with him on a trip he was taking through the gulf on a Coast Guard vessel. Mr. Nelson’s office said the Coast Guard agreed to accommodate the reporters and camera operators. But at about 10 p.m. on the evening before the trip, someone from the Department of Homeland Security’s legislative affairs office called the senator’s office to tell them that no journalists would be allowed.

    "Mr. Nelson has asked the Homeland Security secretary, Janet Napolitano, for an official explanation, the senator’s office said.

    "Capt. Ron LaBrec, a Coast Guard spokesman, said that about a week into the cleanup response, the Coast Guard started enforcing a policy that prohibits news media from accompanying candidates for public office on visits to government facilities, 'to help manage the large number of requests for media embeds and visits by elected officials.'"

Public relations is all about image, perception.

I suppose even BP could consider itself in "good company" as this PR disaster unfolds on the human and environmental disaster.

When the fox answers the phone in the chicken coop, one suspects collusion with the farmer. It LOOKS like Homeland Security, the FAA, and the Coast Guard are working for BP. It doesn't have to be true, but given the NYT article, that's the impression the reader almost has to take away.

Learning from mistakes is a good thing, especially when the mistake is someone else's.

Any practitioner who fails to present the BP fiasco in all its variations - loss of life, oil in the waters, PR faux pas - to the client, internal or external, is failing to fulfill the role of risk management and doing the client a disservice.

Management that ignores what is happening to BP's image, its stock price, and the shrinking bottom line - the financial impact can be as much as US$17 billion (capped by Federal statute) - is doing the organization a disservice and should be replaced.

I suppose I should say "Thank you" to British Petroleum for presenting this excellent example of how NOT to practice risk management. Still, I would have preferred to have this as a theoretical exercise than a real disaster (11 dead equals a disaster in my book).

John Glenn, MBCI
Enterprise Risk Management practitioner
Hollywood - Fort Lauderdale Florida

Monday, June 14, 2010

ERM-BC-COOP: You've GOT to be kidding


The following invitation to disaster was posted on the Projects for Freelancers web site (http://tinyurl.com/238hnon) by oDesk.

    Develop a Business Continuity Checklist

    I am seeking a suitable candidate with BCP knowledge or skills sufficient to put together a 2-3 page BCP checklist in MS Word format. The document should be titled "Business Continuity Global Checklist" as per the web site: http://www.businesscontinuityblog.com/

    The checklist must be useful to someone putting together a BCP plan for there business and will be given away FREE to those people that sign up to the "Subscribe Today" double opt in form at: http://www.businesscontinuityblog.com/ .

    There is likely to be another checklist to be developed to the Disaster Recovery market to the successful applicant. Kind regards; talk soon.

    Starting On: April 30, 2010
    Ending On:
    Posted On: June 13, 2010 23:43 UTC
    ID: 100884752
    Category: Writing & Translation > Technical Writing
    Skills: Business Continuity Planning, BCP, Technical Writing
    Country: Australia
    Hours Billed: 0.00

So far, the only response seems to be from "An Internet entrepreneur - Freelance Consultant, India" whose stated goal is "To establish a career that would suit my intellectual capabilities and enhance my personal well being." He is, by his own admission, "a goal-oriented person. I am able to handle professional work pressure well and develop positive working relationships with employer."

What do we have?

First we have an advertiser who either cannot or will not proofread the copy (e.g., "there" rather than "their").

We have an advertiser who suggests he or she manages a business continuity blog (!) but lacks sufficient knowledge to put together a (useless) check-list.

Any business continuity practitioner with any experience knows check lists and templates are invitations to disaster; at BEST they provide a false sense of security.

Our advertiser, you may have noted, wants the job to start on April 30, although the job was posted on June 13.

The respondent from India may be the perfect person for the job. He apparently lacks any business continuity experience - his response fails to address any of the requirements - but his price - $5.56/hour - is probably more than his work is worth, at least for this posting.

With attitudes toward business continuity such as shown by this posting, it's no wonder that

(a) we are the Rodney Dangerfields of the professional world

(b) that people think that, like writing and photography, anybody who can spell the profession can call himself/herself a professional (writer, photographer, planner).

Perhaps I'm missing something.

Perhaps I ought to submit a bid.

John Glenn, MBCI
Enterprise Risk Management practitioner
Hollywood - Fort Lauderdale Florida
JohnGlennMBCI at gmail dot com

Thursday, June 10, 2010

ERM-BC-COOP: Nothing can possibly go wrong, go wrong, go . . .


The headline reads: "Worker killed when natural gas pipeline explodes in fireball"

The video and article under the headline are about the explosion and fire that followed when 14 workers were digging holes for new power lines; a drill bit apparently punctured a buried 36-inch gas pipeline, according to a story on the WFFA tv web site (http://tinyurl.com/2g4u664).

One person was killed and 8 others were injured; one seriously enough to require hospitalization.

Most underground utilities are mapped. This particular pipe was 36-inches (diameter) and was pressurized to about 1000 pounds/square inch (psi).

According to the WFFA blurb, "State and federal investigators will now try to determine how the power line workers managed to strike the huge natural gas line in an area that's cris-crossed with underground pipes."

It happens all the time

I have seen telephone lines severed - both copper and fibre.

I know of broached water mains.

This probably avoidable accident follows along.

In all the cuts prior to this one, the problem can be laid directly to the company doing the digging. Someone failed to call "Miss Utilities" or similar service to get a map of underground utilities where the dig was to commence. A simple call and, in most jurisdictions, a call required by statute. The WFFA story did not flatly state that the pipe was mapped, but a pipe of that size and capacity . . .

As a risk manager for an organization, the question is: How does that affect me?

First, if you depend on natural gas, suddenly you are without power. How long? It took several hours before the fires were out; how long did (will?) it take to repair the pipe? Until it's repaired and pressure tested, no gas will flow through that line. Admittedly a 36-inch pipe is not going to terminate at a factory or office building, but it serves distribution sites that do serve such facilities.

Second, if your organization was close to the accident site, it might have suffered damage to the facility.

Third, at least for a while, access to the area was restricted; no deliveries in or out, no visitors with orders, no employees coming in or going home.

In short, even though the incident happened to someone else, your organization felt the impact.

It behooves you, as a risk manager, to look beyond the walls of the facility, to look beyond the usual suspects, and consider what is in and around the neighborhood.

Underground utilities. Of course.

But what about airports, sea ports, rail lines, major highways where trucks travel with hazardous materials, or even major arteries that funnel traffic to your door?

Who are your neighbors? Are they organizations that might be unpopular with activist groups - PETA, for example? Are they organizations that often have work actions? This is NOT to get into the propriety of the activists or justifications for work actions; the only intent is for you to consider that what happens across the street or down the block CAN negatively impact your organization's operation.

But so can a parade in the neighborhood.

If your neighbor has a fire, will the fire brigade's presence impact your operation? (Of course it will.)

Risks don't necessarily have to happen to your organization to impact it.

As a professional risk manager, your due diligence must look beyond your organization's walls and beyond the "usual suspects" of environment, human "error," and technology.

John Glenn, MBCI
Enterprise Risk Management practitioner
Hollywood - Fort Lauderdale Florida
JohnGlennMBCI at gmail dot com


Wednesday, June 9, 2010

ERM-BC-COOP: Consider HR risks

Anyone who thinks IT is an organization's only concern should consider the following:

In a blurb at http://tinyurl.com/26ahmqh promoting a for-fee Webinar: "According to the Department of Labor, wage and hour class actions currently outnumber all types of employment discrimination class actions combined. The retail sector has been the hardest hit, but no sector is immune. To better understand this epidemic and effectively manage increased risks of wage and hour claims, join a panel of experts for an Advisen Wage and Hour Webinar on Wednesday June 16, 2010 at 11:00 AM EDT."

Maybe considering business continuity-related policies and procedures, and making certain all personnel are aware of and understand them, should be a higher priority.

Granted, some managers (and business continuity practitioners) enthusiastically DISagree with this "have policies in place and advertise them" recommendation, claiming that it will "tie management's hands" and limit response options.

It seems to me that if enough thought is put into the policies and procedures, there will be sufficient "wiggle room" for management to adapt to meet any situation.

LACKING policies and procedures seems to me to invite legal action. Based on my limited experience with the Bench, I assure you that judges prefer to deal with things in writing.

Having written - and published - business continuity-related policies and procedures may not keep the organization out of court, but they might make defending management's actions easier and less costly.

John Glenn, MBCI
Enterprise Risk Management practitioner
Hollywood - Fort Lauderdale Florida
JohnGlennMBCI at gmail dot com

Monday, June 7, 2010

ERM-BC-COOP: DC doesn't "get" it


I just received an email from George S. LeMieux, Florida's junior senator.

The email missive concerned, primarily, the disaster in the Gulf of Mexico (that threatens to meander up the US' Atlantic seaboard).

Florida's junior senator wrote: "I have joined Senators David Vitter (R-LA), Roger Wicker (R-MS), and Jeff Sessions (R-AL) in introducing the Oil Spill Response and Assistance Act (OSRA), which would dramatically increase the liability of companies responsible for oil spills. It is clear that the economic damage done to the Gulf region will far exceed the $75 million cap currently in place. OSRA would raise that limit for a company like BP to $17 billion dollars. For the future, this bill also requires the best technologies and equipment are staged to respond to potential spills within 24 hours. I am closely following the situation, and will do all that I can to protect our fisheries, our tourism industry, our environment, and our economy."

Several things concern me regarding the senator's message.

Let's start with the Oil Spill Response and Assistance Act (OSRA) that would "dramatically increase the liability of companies responsible for oil spills."

Apparently the cap for damages from an oil spill such as the one BP allowed is a mere US$75 million (US$75,000,000). Is it any wonder, then, that BP is claiming it will pay to clean up the mess, knowing, as its lawyers must, that the maximum it can be obligated to fund is US$75 million? Clean-up costs in the billions - n,000,000,000 - have been suggested. The Act would raise the cap a BP would be forced to pony up to US$17 billion (US$17,000,000,000). While that seems an improvement, I think any cap is a way for a BP to shirk its responsibility.

    An aside. While I read that several (re)insurers are telling everyone they will meet their contract agreements with insured clients, I also heard that at least one insurer told its insured in Louisiana that it will NOT pay for damages; if its insureds want to make a claim against BP et al, they are welcome to do so, but don't look to the insurance company for assistance. Sounds a lot like Florida after Andrew and Louisiana and Mississippi after Katrina - take the money and run. (What does that have to do with risk management aside from the Gulf? Consider any insurance coverage your organization may have as a financial risk - your insurer may decide to just "walk away.")

The senator's email continues: "For the future, this bill also requires the best technologies and equipment are staged to respond to potential spills within 24 hours."

Senator, that's just disaster recovery, sort of.

What is needed is an Act that demands avoidance and mitigation processes to be built into all projects that can turn into an ecological mess - not even a "disaster," just a "mess."

From all reports I have read or heard, BP and its vendors were woefully unprepared for any spill of consequence. The risk of a major spill was considered so unlikely (low probability) that, even though the impact might be great, the companies elected to risk it. After all, worst case, the damage "cap" is only US$75 million.

It's good that the senators - all Republicans in a Democrat-controlled, highly politicized Congress - are thinking about disasters and assuring that the proposed Act "requires the best technologies and equipment are staged to respond to potential spills within 24 hours."

What is needed is more PRO-ACTIVE legislation to prevent or mitigate risks and with a painful penalty for wealthy organizations (such as BP) so that the Act will be taken seriously.

US$17 billion seems like a lot of money, but (a) that's a maximum and (b) it fails to take into account long-term damage to the environment, employment, people's lives and livelihoods.

We don't need more "disaster recovery"; we need an Act that demands risk management from the beginning: identification, avoidance and mitigation, and then recovery if it becomes necessary.

Sorry senators; you just don't get it.

John Glenn, MBCI
Enterprise Risk Management practitioner
Hollywood - Fort Lauderdale Florida
JohnGlennMBCI at gmail dot com

Friday, June 4, 2010

ERM-BC-COOP: Once again assumptions are dangerous


Updated Sunday, June 6, with undated comments from a McDonald's Web site.

By now almost everyone who frequents McDonald's has seen headlines similar to the following:

McDonald's Recalls 12 Million Shrek Drinking Glasses Over Toxic Metal

The question we should be asking as Enterprise Risk Management (business continuity/COOP) practitioners is: How did this happen? Actually, the question should not be how but WHY.

According to a HILIQ article (http://tinyurl.com/33f9r7o) McDonald's purchased the glasses from ARC International of Millville, NJ.

However, the article continues, "While ARC International is credited with the manufacture, it appears the glasses were really manufactured in China according to a CNN report."

About seven million glasses have been sold with another five million in outlets or warehouses.

The question is: Who is responsible for allowing cadmium-laced glasses to get into the hands of McDonald's customers, especially small customers?

The article notes that "The U.S. Consumer Product Safety Commission (CPSC) announced the voluntary recall early Friday. It warned consumers to immediately stop using the glasses. McDonald's is expected to post instructions on its website next week regarding refunds.

"The CPSC stated in its recall notice that ''long-term exposure to cadmium can cause adverse health effects.'' Cadmium is a known carcinogen which can also cause bone softening and severe kidney damage. The kidney damage of cadmium poisoning is irreversible and does not heal over time."

From an ERM/BC/COOP perspective, both ARC International and McDonald's are on the hook, and for the same reason - failure to perform "due diligence."

Why not the Chinese manufacturer? Simple: Neither ARC nor McDonald's can control a foreign company, particularly a Chinese company.

China has a long and unfortunate history of sending defective and dangerous products to the U.S. (see http://tinyurl.com/27o5uqq). Given the justified reputation for providing shoddy and dangerous products, it falls on the importers - in this case ARC International - to carefully check the incoming products. Again, based on China's record, frequent random samplings would have been in order.

McDonald's likewise should have checked the product. Granted, it had a right to "assume" that ARC International inspected the Chinese product and stood behind its quality assurance/quality control. That might have been sufficient for Joe's Burger Joint in Beautiful Downtown Burbank, but when you are a McDonald's and damage to your reputation is an international concern, then this practitioner believes it behooves McDonald's to do its own sampling.

'Course maybe reputation is no big thing to McDonald's; it wasn't so long ago it used beef fat to fry its fries in India - does anyone in India remember or care?

Would an ERM-BC-COOP practitioner have been able to side-track the problem before it put poison glasses into little peoples' hands? Probably not.

Not because the practitioner would have overlooked or ignored the threat but because the practitioner probably would not have been involved or aware of the purchase. The problem, our problem, is invisibility - we, practitioners, are "invisible" to very senior managers (until something goes "bump in the night").

One of the reasons I believe we are "invisible" to Very Senior Management (VSM) is the name many of us elect to call ourselves: "Business Continuity" practitioners/planners/professionals, etc.

"Business Continuity" fails to suggest, to me in any event, that we are RISK MANAGERS and that means any and all risks, not just ones that interrupt work flow. Reputation is a very big item on the risk list; just ask Deon Binneman (deonbin@icon.co.za), a reputational expert.

This "incident" then points up a couple of things.

Thing One: Organizations must take responsibility for vendor products. It makes no difference if the product is a novelty glass or a steel casing; incoming inspection is a necessity. How great an inspection depends on the vendor's history with the company and what goes on at the vendor - change of management, budget concerns, labor problems, etc. (Ask British Airways what happens when a vendor's staff strikes.)

Thing Two: We - practitioners - need much greater visibility and I believe we need to rethink what we call ourselves as a first step toward gaining, and holding, that visibility. We need to be involved, by executive fiat, in ALL aspects of the organization. We may be limited to recommendations, but at least VSM will have the recommendations of professional "What If" sayers.

To be fair

In a McDonald's press release at http://tinyurl.com/23ofjn2, the company states:

In collaboration with the Consumer Product Safety Commission (CPSC), and as a precautionary measure, McDonald’s USA today issued a voluntary product recall of the four Shrek Forever After™ promotional glassware currently being offered in U.S. restaurants.

To be clear, the glassware was evaluated by an independent third-party laboratory, accredited by the CPSC, and determined to be in compliance with all applicable federal and state requirements at the time of manufacture and distribution. However, in light of the CPSC's evolving assessment of standards for consumer products, McDonald’s determined in an abundance of caution that a voluntary recall of the Shrek Forever After glassware is appropriate.

Is the glassware unsafe? The CPSC has said that the glassware is not toxic. In addition, the glassware was evaluated by an independent third-party laboratory, accredited by the CPSC, and determined to be in compliance with all applicable federal and state safety requirements at the time of manufacture and distribution. This action is being done as a precautionary measure.

Didn’t McDonald’s test the glassware? Yes. McDonald’s safety standards are among the highest in the industry, and we have a strong track record. The glassware was evaluated by an independent third-party laboratory, accredited by the CPSC, and determined to be in compliance with all applicable federal and state requirements at the time of manufacture and distribution. It’s important to know that the CPSC has said that the glassware is not toxic.

John Glenn, MBCI
Enterprise Risk Management practitioner
Hollywood - Fort Lauderdale Florida
JohnGlennMBCI at gmail dot com

Wednesday, June 2, 2010

ERM-BC-COOP: Consider the law


I subscribe to a free service called Advisen Front Page News https://www.advisen.com/. It bills itself as "Productivity and Insight for Insurance Professionals."

Insurance professionals deal with risks. Enterprise Risk Management practitioners deal with risks, ergo my interest in the site.

Two articles in a recent email tickler caught my eye.

One, titled "Woman sues Google after Park City accident" http://tinyurl.com/2frcwbl reminds that when someone sues, they - or their legal representatives - sue everyone that might be remotely involved, especially if any of the potential defendants is suspected of having "deep pockets" - the capacity to pay big awards.

The second, titled "Venting Online, Consumers Can Land in Court" http://tinyurl.com/38f8u9f is about "strategic lawsuits against public participation", a/k/a SLAPP.

The danger to organizations in the first case is obvious. If the organization can be linked, even indirectly, then it is liable to be named in a suit. The smaller the directly related organization and the larger your organization, the higher the probability that your organization will find itself defending its honor - and bank account.

The second issue is a little different, but like the first it can be expensive to defend.

In most states, "truth is an absolute defense" against libel suits brought against newspapers. The same holds true for claims of slander in most states. Neither is nationwide and once outside the Several States I have no idea what laws apply.

The issue here, however, is not just a slander suit against - in this case - a blogger who claims he was wronged by a towing company. If the blogger has a known association with an organization - as an employee or board member - or advertises a relationship with an organization, that organization is subject to inclusion in a libel action.

When I was an honest journalist - back when Hector was a pup - I learned that while truth was the absolute defense against a libel suit, it was (a) expensive for my paper (albeit great for the lawyers) and (b) time consuming both before and during the trial. Unless the person suing my newspaper was a real scoundrel, my reputation and the paper's were at stake.

Enterprise Risk Management, a/k/a business continuity, is all about managing risks.

There really is no legal way (that I know about) to prevent an employee from railing against Joe's Fly-By-Nite Towing and Car Crushing Company, even if Joe and friends fraudulently towed and crushed the employee's car.

Employers may have well-advertised policies and procedures in place clearly stating that employees will not reference their employer in personal communications, including but not limited to emails and blogs, and that all officials of the organization, that is, people generally known to be associated with the organization, will refrain from making any non-complimentary comments about any one or any thing until the comment has been vetted by Legal.

The organization is not trying to stifle free speech as much as it is trying to avoid legal actions or to at least be prepared for legal actions as "injured parties" look for deep pockets.

True story.

I once was "Deputy Director of Engineering" for a PBX manufacturer. In that role I was "the" technical writer and, in the director's frequent absence, in charge of customer support.

The company sold, and maintained, its product through a vendor network.

Seems one of our vendors left a client without service. The client, a small hotel in California, had a problem with the PBX and, being unable to contact the vendor (that went out of business without telling anyone - customers or us) called us. I answered the phone. I managed to get the customer support in relatively short order and set him up with another vendor in his area.

I THOUGHT that was the end of it. A pat on the back for the Deputy Director who, like Mighty Mouse, saved the day.

Then, a few weeks later I was informed that I, along with the Director and the Director's VP, was named as a co-defendant with the company in a suit brought by the person I had helped!

Fortunately, the company's legal folks headed off the suit. How much it cost the company is unknown, but the exercise was disruptive and put a dent into the budget.

The bottom line for all this is that organizations must make an effort to distance themselves from individuals without being seen as limiting free speech. A well-defined policy that can be shown to be known by the author of an offending comment may be sufficient to get the organization off the hook.

Then again, it may not.

Check with your legal counsel; I am not a lawyer nor do I play one on TV.

As for the first threat, the Google map, again with the caveat that I am not a lawyer, it seems like a disclaimer on the product might be sufficient. Still, another item in the Advisen Front Page News email suggests that even that may not be sufficient: see "Concerns over floor mat issue activate safety probe of some Ford models" (http://tinyurl.com/29f7ql8).

As Star Trek's Mr. Spock would opine: "Interesting."

John Glenn, MBCI
Enterprise Risk Management Practitioner
Hollywood - Fort Lauderdale Florida


Tuesday, June 1, 2010

ERM-BC-COOP: Kaleidoscope


I subscribe to Google Alerts (http://www.google.com/alerts); the search string is "business continuity."

Google Alerts is a very handy tool, although it isn't perfect (other than you and me, what/who is?): it sometimes returns hits for "business" without "continuity" and sometimes "continuity" sans "business." But, all-in-all, it does a commendable job.

What I notice is that "business continuity" is many different things to many different people. A kaleidoscope of opinions.

There is "business continuity" for

  • IT (of course)

  • telecom

  • email

  • key personnel insurance

  • compliance/privacy

and more.

In itself, the kaleidoscope approach isn't too bad - each niche is inhabited by leading, if not bleeding, edge vendors.

The PROBLEM is that none of the above is business continuity.

It is NICHE continuity, and niche continuity is anything but "business continuity."

What I have said, repeatedly, is that if you don't protect the business - the PROFIT CENTERS - you may as well go home. If the profit centers don't/can't turn a profit, the services on which the profit centers depend cannot be funded. No business means layoffs, and layoffs mean fewer users for IT and telecom and email and ...

By the way, "business continuity" may be a misnomer for some. Charities, governments, non-profits (intentional or otherwise) - ALL are businesses, but many don't see them that way and ignore business continuity as a survival requirement. They don't (care to) realize that donors may withhold their money, that governments can - if the taxpayers scream loudly enough - cancel funding, and that clients can look elsewhere for similar services, taking away an organization's raison d'être.

While I preach "mini plans for functional units," I also wave the flag for enterprise planning. All organizations have a myriad of interdependencies - they make a spider's web look simple - and all those internal and external interdependencies must be identified and the associated risks/threats addressed.

When I create a plan I try - I'm a consultant and often am limited by client constraints - to create a complete, truly enterprise plan, one that addresses all the niche areas and many more (e.g., money vendors, clients, competition).

I really like kaleidoscopes. I liked them as a child and I like them as an adult. They range, like a business continuity plan, from the simple, cardboard tube variety to sophisticated collections of materials in precious metal tubes.

Business continuity is in some aspects like a kaleidoscope - an enterprise plan is composed of many different parts. Unlike a kaleidoscope, business continuity must come together as a whole if it is to be successful.


John Glenn, MBCI
Enterprise Risk Management practitioner
Hollywood - Fort Lauderdale Florida
JohnGlennMBCI at gmail dot com