Thursday, March 25, 2010

ERM-BC-COOP: Spring World 2010

Just returned from DRJ's Spring World 2010 at Walt Disney World (WDW) near Kissimmee FL. (No, it's not in Orlando; not even in the same county.)

It was an interesting several days.

FINDING the conference location was a challenge. WDW signs leave a lot to be desired, but then even my GPS failed to find a direct route. (MapQuest did better.)

Most of the General Session speakers were good although most managed to pitch a book (or several) before stepping down from the podium. That's not a complaint, just an observation.

The made-in-advance DVD that came with the welcome goodies suffers because the presenters are not heard, nor are attendees' questions. The DVD includes the presenters' slides, but looking at them yesterday evening I realized that slides by themselves lack the sparkle they have when accompanied by the speaker - moreover, most of the speakers - proving they were good presenters - generally talked to the slide rather than wasting our time by reading it to us.

There simply is no way to create a DVD of a presentation before the fact. Bottom line: the DVD is "better than nothing." Again, not a complaint, just an observation.

What's the difference between a "complaint" and an "observation?" If I complain about something I should offer a remedy; if I just make an observation, I let myself off the hook.

My main interest was in developing skills and techniques to exercise - never "test" - my plans. There were a couple of titles that caught my fancy. One, presented by Steven Goldman, included some exercises that not only had us thinking, but working in pick-up groups of folks we'd never met before and finding out that group dynamics really pay off - and the bigger the group, the better. My little 7-member group came up with good stuff, but when the entire two-room assembly put heads together there was real quality "stuff."

I missed Sunday's workshops and a Norm Harris presentation . The first presenter I heard on Monday was Steve Gilliland, a professional speaker (vs. a BC or DR person). I heard why he's in demand; if he's on anyone's agenda, go hear him.

I had the opportunity to meet some folks I see on the lists; Regina Phelps - who has more initials after her name than a popular alphabet soup - was one. As an RN (among other things), her interests tend toward the medical. She presented twice; once in a General Session on the pig pandemic. Regina's always worth hearing.

There were the usual software and IT exhibitors, but very few (one or two) consultant houses represented. Since I am looking for a staff consulting job that will let me work in, or from, southeast Florida, I was a little disappointed. Still, visiting with the vendors always is interesting and I now have enough pens to last until at least Spring World 2012.

Ethics was a topic at Tuesday's General Session. Bob Chandler of University of Central Florida - Orange County Community College has come a long way - managed to make us think twice about putting our business cards into a bowl to win a vendor's prize . . . would the value of the prize violate our corporate ethics standards? (Just what IS the limit on gifts in your company? Do you know? That was one of Chandler's challenges.)

Social Networking - Tweeter, Facebook, LinkedIn, and the like got a fair share of attention, both as a means to communicate with the troops and as a way to get feedback - sometimes less than flattering feedback - from customers. The bottom line for organizations: watch the media and be prepared to respond quickly. (We have scripts for spokespeople to use in the event of; why not scripts at the ready to respond on Twitter, Facebook, LinkedIn, et al? We DO have scripts at the ready, right??)

I got to meet some people with whom I've had email exchanges over the years, and I managed to spend about 15 minutes talking with my mentor, Norm Harris. I also met some new folks, some both new to me and new to the business. Lest I forget, I also met jon @ drj.com and bob @ drj.com.

Would I recommend a DRJ conference. For someone with 0 to 5 years experience, there is a lot of knowledge that can be gained in the professional sessions and in the general sessions as well. For the long-time pro, the networking (especially if this is an annual or semi-annual gathering) and the vendor presentations are worthwhile . . . and even an expert - are there any? - can pick up some new ideas or revisit old ones by sitting in the presentations.

One thing I would ask Bob and Jon to consider for 2011 "and beyond" - if you must have specialty tables (e.g., Insurance, Financial, Manufacturing) for the various meals, have a table for consultants and generalists. I met some interesting folks when I pretended to be in a specific industry (such as manufacturing) so I'm not complaining, and frankly, I learned a little about some things I had not considered before (and I have worked in manufacturing).

Actually, I was looking for a table that was for Out Of Work Enterprise Practitioners, a/k/a consultants looking for work.

Hats off to all the DRJ folks that worked to put together Spring World 2010.

John Glenn, MBCI
Enterprise Risk Management - Business Continuity practitioner
Hollywood/Fort Lauderdale Florida
JohnGlennMBCI at gmail dot com

Thursday, March 18, 2010

Going to Orlando

.

B"H

I expect to be at DRJ's Spring World near Orlando March 21 through 24.

I will be checking email during those days only in the evening. If you want to set a meeting, please send an email to JohnGlennMBCI at gmail dot com.

Wednesday, March 17, 2010

ERM-BC-COOP: Things we can't avoid

Recently there was an article about ricin, an almost always fatal, easy to make and distribute poison.

As an Enterprise Risk Management - Business Continuity practitioner, I always am looking for ways to avoid or mitigate a threat. In the best case, this approach saves lives and limbs; in the worst case, it helps expeditiously, economically, and efficiently restore operations to "business as usual."

But ricin and its fellow killers - anthrax, sars, and the like - are not easily or economically avoided or mitigated.

What can be done?

In most of my plans I include "Personnel Safety and Awareness" as a major function.

While this covers everything from the parking lot to the work space, one of the key functions is to make personnel aware of their surroundings.

A number of years ago I had the pleasure of working with some people in a shipping company. The organization had incoming and outgoing call centers and I spent a lot of my time talking with the ladies (and a couple of men) who handled the calls.

When I started developing a plan for the organization I played a game with the staff: "Where is the ...?" Where is the nearest fire extinguisher, the nearest two exits, the nearest fire alarm box, etc.

The facility was in southern Virginia which, this Floridian quickly learned, gets "chilly" during the winter months. Several of the more sensitive ladies brought in personal electric heaters to keep their feet warm.

The "Where is" game grew to include "What if" such as "what if the heater cord is pinched by your chair:" "what if the heater is too close to the (fabric-covered) furniture" and similar.

We also played "What if someone parks a tractor-trailer on the street next to the office and the driver walks away from the rig?" This was an obviously Israeli company next door to an insurance company staffed largely by ex-military types: translation, a great target for a bomber. (I was unable to convince management to appeal to the city government to ban on-street parking next to the building despite the narrowness of the street.)

I wasn't trying to scare the folks; all I wanted to do was encourage awareness of their surroundings. Does something smell different? Is there an unusual sound? What color is the sky? Silly question? Not really. Green skies, at least in Florida, tell me a tornado is nearby.

The company insisted, as many organization do, that visitors be badged. It insisted that an employee meet and "sign for" visitors at the front desk.

Vendors, however, were exempt. I suppose management assumed a vendor employee was harmless; why would the guy who stuffed the junk food machine want to hurt anyone?

The visitor tags looked very much like the employee tag.

I recommended that different tags be created for employees, vendor personnel, and visitors. (Recommendation ignored.) In the meantime, I encouraged the personnel who did care - mostly the folks in the call centers - to make a mental note of any "new" people, especially if the person lacked an escort.

I confess I was not concerned about ricin. Not even anthrax since the mailroom crew was aware of the threat and usually acted accordingly (fortunate since the mailroom was not segregated from the rest of the facility).

If awareness is the best, and perhaps only, way to defend against a killer such as ricin, then the Safety and Awareness part of my plans needs on-going reinforcement.

A wise organization might take my "games" and turn them into real, "win-a-prize" contests. The prize could be inexpensive providing there was personal recognition.

John Glenn, MBCI
Enterprise Risk Management - Business Continuity practitioner
Hollywood/Fort Lauderdale Florida

Available for staff or contract opportunities in, or from, southeast Florida

Wednesday, March 10, 2010

ERM-BC-COOP: KISS is too complicated

I recently posted a job as a favor to a recruiter. The text reads:

"Perm" BC Job in Tampa FL

BUSINESS CONTINUITY PLANNER

The Business Continuity Program Manager develops, maintains, and tests Crisis Management (CM), Disaster Recovery (DR), and Business Continuity Plans (BCP), including the technology associated with the restoration of the business and technology areas for the company. This individual will lead, facilitate and work closely with the business units to manage continuity efforts, and establish testing schedules, and manage the testing efforts to ensure full disaster preparedness. In addition, the Business Continuity Program Manager will plan for disaster recovery for all aspects of the business, and will be responsible for establishing and maintaining interactive communications and CM/DR/BCP training programs.

To perform this job successfully, an individual must be able to perform each essential duty satisfactorily. The requirements listed below are representative of the knowledge, skill and/or ability required. Reasonable accommodations may be made to enable individuals with disabilities to perform the essential functions.

EDUCATION AND/OR EXPERIENCE

Bachelor's degree from four-year college or university in Information Systems, Computer Science, Business Administration, or related field preferred; along with a minimum of five (5) years Business Continuity experience and/or training. A combination of education and experience may substitute.

CERTIFICATES, LICENSES, REGISTRATIONS

Certification in Business Continuity Planning (CBCP) required, or must be obtained within first six (6) months.

Lynn Madden, Sr. Resource Consultant
Rita Technology Services
Human Capital Management since 1972
Phone: (813) 289-3000 x213
Fax: (813) 289-8173
Web: www.ritatech.com

CONTACT RECRUITER DIRECTLY - DO **NOT** CONTACT JOHN GLENN


Now I'm pretty simple, but I fail to understand why people, seeing the recruiter's name and the admonishment to "contact recruiter directly" can't do that simple task.

What has this to do with ERM?

Is points out the woeful state of the people who claim to be practitioners; has everyone forgotten how to read?

If we, "practitioners," can't follow simple directions, how can we expect responders to follow directions.

The instructions on the advertisement were simple and direct.

Now imagine if a responder has to perform a complicated task, especially one that is similar to, but not exactly the same as, one performed on a routine, "business-as-usual" basis.

I have been in the documentation business for more than a few years, so I'm not going to take the blame for the several people (mostly from the UK) who sent me their resumes - which, I must add, I ignored and confined to the digital dust bin.

Since I'm sure it's not a documentation problem, I need to find a corrective action.

For this particular incident, there is no corrective action.

But for a recovery process, there is corrective action.

In a word: EXERCISES.

Exercises uncover over-confidence in responders - "I'm an expert; I know what I'm doing so I don't need no stinkin' instructions."

Exercises uncover the folks who can't adjust to situations.

Exercises, we hope, make it clear to the responders that "Yes, you DO need to read (and heed) those "stinkin instructions" if the process is to be restored in an expeditious, efficient, and cost-effective manner.

The other day I asked "Why can't the English learn to speak . . . the language?" (http://johnglennmbci.blogspot.com/2010/02/speak-english.html; maybe I should have asked "Why can't the English (speakers) learn to READ"?

In truth I'm not too surprised. As a reporter on the courts beat I am used to seeing illiterate letters from collegians asking the judge to forgive their offense (usually very excessive speed) and spare them the trip to the courthouse.

John Glenn, MBCI
Enterprise Risk Management practitioner
Hollywood/Fort Lauderdale Florida

Tuesday, March 2, 2010

ERM-BC-COOP: Cause for concern

Once again there is a post on one of the boards. A recent post reads

    "I work for a local authority (government) in the UK and I have been given responsibility for reviewing our current BCP's. These have been written by each department (17) on a template designed in 2005. Obviously when I have gone to review these against BS25999 they are nowhere near up to scratch.

    We are looking at various options to 'encourage' the departments to seriously look at their plans and one of these is to basically start again using a software package which would guide them through the process with minimum input from our team (only 2 of us for all emergency planning and BC work).

    I am very new to BC so had to use google to find software packages, SunGard's LDRPS looks like a good package that also has the management/administrator function that we require to oversee the process.

    Does anyone have views on this particular product and experience of using it in the public sector?

    I would really appreciate any advice you could give to a novice in BCM!

    Many thanks,

Note that the writer admits he is "very new to BC" and later in the post adds he is "a novice in BCM!"

To the poster's credit, he asked a list (Yahoo's discussbusinesscontinuity group) and he has received a number of good responses.

My concerns are that the local authority gave responsibility for business continuity to a novice and that the local authority seems to believe specialty software will save the day.

SunGard's (nee' Strohl's) LDRPS is a heavyweight tool that requires trained and dedicated-to-its-management personnel to take full advantage of it. It also takes a fair amount of IT resources to tailor it to each organization. I've worked for five organizations - four commercial and one government entity - that owned LDRPS and none - not one - implemented the program. I also know there are many organizations that swear by - vs. swear at - LDRPS; it would not be the 800-pound gorilla in its niche if it failed to do what it promised.

Remember, our local authority BC person - I'm not certain "practitioner" is appropriate at this point in his professional life - noted that there are "only 2 of us for all emergency planning and BC work."

At least one of the responders suggested that whatever product was used to create and maintain business continuity to BS25999 (the poster's goal) the tool should be easy for the people covered by the plan to use; they will be expected (both the responder and I believe) to provide document input and to use the program's reports.

There ARE some applications on the market that probably would be more appropriate for our tyro and his local authority. EMC's newly acquired Access might be OK; it seems fairly (and I cringe as I write this) "user friendly" and easily adaptable. I've seen several demos - but never an evaluation copy; there is a BIG difference between watching someone else drive and actually having hands-on time with the program - but I confess I was impressed.

But, I have been plying my trade for more than a baker's dozen years and I am supposed to know what I'm doing.

My worry is than in the hands of a business continuity innocent, the application will drive the plan rather than the planner; the novice won't see what may be missing for his particular situation. He also may be left wondering how to respond to a software-generated query that does not apply to his local authority.

It could be worse.

One organization that contracted my services proudly showed me the $200 package of Word templates it bought. At first blush, the package was impressive, but on closer examination it turned out to have more holes than a Swiss cheese.

Since our novice is in the UK I suggested, in a private response, that he contact the Business Continuity Institute (http://www.thebci.org) and check out the organization's mentor program. Although I am a BCI "member" I'm not certain he'll get the help he needs, but hope springs eternal.

Thrusting a novice essentially alone into a planning role is akin to asking a pilot whose total air time is 10 hours in a Aronica Champ to fly a Lockheed L-1011 from New York to Tel Aviv with an equally novice co-pilot. I'll wait for the next flight, if you don't mind.

Again, to our poster's credit, he DID ask others what they would recommend and to several of the responders' credit, they cautioned him that software was not the answer; not LDRPS or any other product.

John Glenn, MBCI
Enterprise Risk management practitioner
Hollywood/Fort Lauderdale Florida

Looking for work in - or from - southeast Florida