Tuesday, August 31, 2010

ERM-BCP-COOP: Some planners don't "get it"


There was a recent exchange on a Yahoo Business Continuity group about the necessity - or lack thereof - for a business continuity plan for a long-duration highway project.

One of the correspondents remarked that BCP asks "What happens if this stops?" not "What could go wrong?"

Assuming this person is a practitioner - and admittedly he did not claim to be a professional - this is nothing short of embarrassing since he obviously lacks an understanding of business continuity.

Another practitioner, with more time in grade than this scrivener's 14 years, tried to explain to the initial poster WHY business continuity is important "even" for a long-duration highway project.

The poster's initial question to the group was

We are involved in large construction projects that span years and one of our BCP Advisors has been asked to produce a BCP for the span of a project construction project. Um. I'm not sure how well that it fits. I don't do a BCP for the development of an HR system, why would I do one for the development of a highway? Don't large construction projects go through risk assessments and contingency development like other projects?

One responder told the poster that

As far as I know, project management processes are there to ensure that the project is delivered on time and on budget. PM deals with all of the risks associated with the construction project, this is why specialized project managers are hired and contracts are written with suppliers and business partners - so that the build happens. The project is a one off and not continuing business.

She is partly correct; the project manager is the responsible person, but unless the project manager also is a risk manager, he or she won't identify potential risks to the project, the impact to the project, and ways to avoid or mitigate - then recover from - the risks.

I know several very good project managers and they don't leave home without, if not a practitioner on staff, at least spending time with one before the project gets underway.

In reality, what can possibly go wrong with a simple highway job?

In my reply to the group I listed several risks. The initial poster commented that one of the risks "should have been caught during the Risk Assessment."

Without realizing it, he made my point. If the project lacks a business continuity plan, there will either be no risk assessment or an incomplete risk assessment.

The other real planner who contributed to the discussion told a story of a highway that had to be rerouted - at great time and expense - due to fossils.

Our poster acknowledged that the practitioner made "excellent points, although I'm still not convinced that BCP is the right solution. How would plans to recover business functions have helped them and would the benefit have justified the costs?"

Once again showing he knows nothing of business continuity.

Sadly, most members of the Yahoo group remained silent, suggesting that maybe they, too, lack an understanding of real enterprise risk management/business continuity.

Fortunately, there ARE lists - and there USED to be a good Forum - for practitioners and tyros who do understand the purpose of the business continuity process.

It's a pity this Yahoo group seems not to be one of them.

John Glenn, MBCI
JohnGlennMBCI at gmail dot com
Hollywood - Fort Lauderdale Florida

Monday, August 16, 2010

Something to consider



Powder Mailer Strikes Again Monday, Aug. 16, 2010

Global Security Newswire http://gsn.nti.org/gsn/nw_20100816_2130.php

An unidentified individual or group of people this month has sent 30 powder-filled letters to businesses and other sites in three states, part of an apparent campaign that has involved hundreds of mailings and reached eight U.S. embassies, the Associated Press reported (see GSN, Dec. 17, 2008).

To avoid copyright infringement claims, see the complete article at the above URL.

I am certain there are expensive machines to detect powder in the mail, but such machines probably are beyond the budget for Mom-n-Pops and individuals.

It may be possible to do a "touch test" of every incoming envelope (but what about packages?), providing the amount of incoming mail is minimal.

At one point I recall the Post Office checking mail for suspicious powder, but I think that was more for the protection of postal workers than the people receiving the mail.

If there is an effective, low-cost way to check for powder-in-the-mail - both envelopes and boxes - how do we share the information? As soon as the defense is known, the offense will change tactics, much as do the software miscreants who provide us with an abundance of malware.

Catch 22.

COMMENTS - IN ENGLISH ONLY - ARE WELCOME; all others will be rejected.

John Glenn, MBCI
JohnGlennMBCI at gmail dot com
Hollywood - Fort Lauderdale Florida

Tuesday, August 10, 2010

ERM-BC-COOP: One more time
Vendor products are seller's risk


Lowe's Cos. has agreed to distribute $6.5 million in its gift cards and pay as much as $2.2 million in plaintiffs' attorney fees to settle a class-action suit claiming the home-improvement retailer sold defective drywall. http://tinyurl.com/2bdd4sj

"When will they ever learn?" The line from the Pete Seeger song keeps haunting me every time I read or hear of some organization assuming that the product the organization is selling is satisfactory or that the service a contracted vendor is providing is suitable.

Today it's Chinese drywall.

Before that it was lead paint in Chinese toys imported by a major US toy maker.

Before that - what?

To be fair, China, while frequently the source of the problem, is not the ONLY source. Every country has vendors that cut corners and ignore safety regulations.

Sometimes it simply is a matter of not exercising the "what if" possibilities during testing - I give you a failed O-ring on the space shuttle Challenger; according to the Rogers Commission Report, "The commission found that the Challenger accident was caused by a failure in the O-rings sealing the aft field joint on the right solid rocket booster, which allowed pressurized hot gases and eventually flame to 'blow by' the O-ring and make contact with the adjacent external tank, causing structural failure. The failure of the O-rings was attributed to a design flaw, as their performance could be too easily compromised by factors including the low temperature on the day of launch." (http://en.wikipedia.org/wiki/Rogers_Commission_Report#cite_note-0)

For Lowe's and other retailers, as well as manufacturers such as Morton Thiokol of Challenger fame, the bottom line is the same: QUALITY CONTROL.

Ignore QC and risk a lawsuit.

As an enterprise risk management practitioner, I consider vendor products a risk.

The problem for manufacturers - versus retailers - is that while a vendor product might be "as advertised," it still might not be suitable as part of a system (e.g., Firestone tires on Ford Explorers). That should force the manufacturer to check all components as they arrive and again as part of the system tests.

It's fairly obvious that 100% testing is too expensive for almost all materials. I can't think of any organization that does 100% testing. For some products, testing is destructive; the test either destroys a product or so degrades it that it cannot be used.

However, sampling always is an option.

Sampling is taking a percentage of a product, be it individual components or a complete system, and testing all the units in the percentage. A 10% sample of 100 units would have 10 units randomly selected for testing.

The percentage of product sampled is based on a number of factors, including past experience.

Testing is expensive. It is expensive to perform and it often results in an unusable product. The cost of 10 nails or threaded fasteners (a/k/a screws) out of a lot of 1000 is relatively low, but the cost of sampling a 16-inch valve as an assembly is another matter.

All parts, be they vendor-supplied or made "in-house," need QC both for quality of product and suitability for use within a system.

As an about-to-be grandfather, I want to look not only at parts, but design as well.

I have in mind infant crib failures and cribs with slightly-too-far-apart side-rail slats. I'm thinking of infant carriers with handles that detach unexpectedly.

If manufacturers fail to consider both design and part quality; if retailers fail to assume responsibility for assuring vendor product suitability, lawyers will continue to enjoy generous incomes.

I learned when I was a newspaper reporter and later managing editor that lawsuits are to be avoided. Even if the defendant prevails, the cost of the defense - both in money and time away from the job - can be sufficient to force a business into bankruptcy.

Bottom line: lack of QC is most assuredly a risk that must be considered and either avoided or mitigated. Claiming that someone thought the vendor product was satisfactory probably won't impress a judge or jury.

True, the risk may be "transferred" (to an insurance carrier), but that comes at a price. If the carrier is forced to defend once, the carrier's rate is very likely to increase (a risk in itself).

In the end, appropriate QC at all stages of a product's development is the best way to mitigate the risk of component failure or design failure. "Due diligence" failure usually guarantees a stiff penalty.

QC, while not "cheap," certainly is better for both the corporate wallet and the corporate image than a lawsuit, even if the corporation prevails.

To this practitioner's mind, protecting people (including employees' jobs) and the bottom line is fully within the purview of enterprise risk management.


John Glenn, MBCI
Enterprise Risk Management practitioner
Hollywood - Fort Lauderdale Florida