Tuesday, December 27, 2011


Stolen item may cost
former owner "big bucks"


If you owned something that was stolen, and the stolen item was used against someone or caused damage, are you liable?


In an article in the Milwaukee Journal-Sentinel headed Patrick Cudahy sues Navy over 2009 fire, "Patrick Cudahy Inc., its parent corporation Smithfield Foods, and several insurers have sued the U.S. Navy, seeking $326 million in losses from the massive 2009 fire at the meat packing plant caused by a stolen military flare set off as part of a Fourth of July celebration."

The plaintiffs contend that the Navy's negligence allowed the flare to be stolen from a California Marine base. The Navy denies responsibility under the Federal Tort Claims Act.

Basically, the suit contends that the Navy failed to properly inventory and control its property.

Strictly a Navy or government problem?


If the plaintiffs prevail, any organization that makes almost anything could be sued for damages.

In most civil suits, plaintiffs sue "the world" jointly and severally, looking for any organization with "deep pockets."

Most organizations have insurance coverage, but increasingly, two things are happening:

  1. Awards, especially jury awards, exceed the insurance coverage
  2. The insurance company either refuses to pay or sues the insured to recover its payout.

In the Navy case, the insurers are among the plaintiffs.

The core complaint in the Navy action seems to be that the Navy allegedly failed to perform due diligence when dealing with its resources, in this specific instance, a green star flare. According to the suit, the flare was found outside the actual training area and therefore the Navy breached its duty.

While the suit was only recently filed in federal court, the outcome will be interesting.

Unlike non-government entities, the Navy claims immunity from such suits. Non-government organizations lack that protection.

What then, based on the main focus of the suit, can an organization due to avoid or mitigate similar suits if someone uses something the organization owned to cause damage ? In three words: Use due diligence.

Inventory both stock on the shelf and resources - hardware and software items - and regularly revisit the inventory. If the organization deals in things that can go "bang in the night," perhaps inspect all packages, briefcases, and the like, as they exit the building.

The organization may still be sued, but if it can prove due diligence it may be removed from the action by the court.

Caveat: I am not a lawyer and I do not play one on tv.

Wednesday, December 21, 2011


Holidays as risk


For most people, holidays are a time away from the workplace.

A time to focus on things other than "The Job."

For the risk management practitioner, holidays are a risk.

Low level risks

Some risks are have a relatively low level impact if - rather "when" - they occur.

The most frequently occurring risk is absence of decision makers.

Absence of crucial personnel - and this can be a person on a production line or a call center staffer during a busy time -also must concern the risk watcher.

Fortunately, these risks are relatively easy to avoid.

In two words: Cross Training.

Practitioners know that every critical function in a response program must - not "should," but "must" - have both a primary and an alternate responder.

Even in the best of times, with no holidays in sight, people get sick, they take time to attend to relatives, they go to conferences and professional courses, and they go on vacation.

On the truly negative side, there are layoffs and dismissals-for-cause.

Practitioners don't need to insist that management come up with a succession plan - although management should do this, if only to keep the organization's clients confident that the organization will muddle along even sans the incumbent C*O.

Practitioners need to convince management that, while no one expects anything untoward to happen to them, they need to groom others to fill in for them when they vacation or are otherwise absent.

The "heir apparent," even if only appointed on a temporary basis, must have

  • the confidence of the about-to-be-absent manager

  • sufficient self-confidence to make decisions

and the manager's decision must be known to "all hands," both up and down the personnel ladder.

It helps if the Most Senior Executive has a formal job description of some type.

The key to the success of selling the idea to everyone reporting (directly or indirectly) to the Top Executive and Board is for the Top Executive to get on board

Note that in all the foregoing, the term "succession plan" has generally been ignored.

Practitioners need to be included in all critical projects to assure that the project manager builds in time for holiday interruptions. This adds a burden on the practitioner: he or she must be aware of all holidays that might reduce the work force and delay project completion. This can be especially challenging for multi-national organizations' planners.

High level risks

Fortunately, risks I term as "high level" are exceedingly rare.

They are "high level" because of the impact they can have on the organization.

High level risks often are holiday-related.

    The Yom Kippur War.

    Pearl Harbor - while not on Christmas, the country already was "winding down" for the holiday.

National and religious holidays often are preferred dates for attacks against defined groups. Occasionally, an attack will be scheduled on the attackers' holiday.

Natural events such as earthquakes, floods, tornados and the like are no respecters of an organization's staffing abilities and can occur almost anytime.

Burglars find holidays a good time to strike - staffs are reduced or facilities closed, making access less difficult. No matter what the intruders are after, they have a better chance of success.

Admittedly, cross training won't help here. Maintaining an increased level of alertness by security personnel will help. The question to ask: is Security - be it in house or vendor-provided - able to meet the staffing requirements; is Security protected against personnel absences?

But again, the likelihood of an event is less likely than the absence of a needed employee.

If I wrote it, you may quote it.

Thursday, December 8, 2011


Lessons from 1942 for ERM
Practitioners in 2012

  The following came to me as an email. I don't know the sender, but the information, if given some thought, can relate to what we see everyday. Aside from formatting the file it is "as received."

"Remember Pearl Harbor - Keep America Alert"

"Remember Pearl Harbor - Keep America Alert" is the is the motto of the Pearl Harbor Survivors, who sadly will disband this year.

As we reflect on the 70th anniversary of the bombing of Pearl Harbor, I'd like to share a piece of an old report with timeless lessons, the

25 Deficiencies from the 1942 Pearl Harbor Congressional Report.

Perhaps you'll find something here you can use in your role preparing Americans for the worst.

These brave men remind us, as George Santayana wrote, "Those who cannot remember the past are condemned to repeat it".

Below are those 25 deficiencies - how far have we come?

Thanks to all who demonstrate what it is to be a hero, and to you who pledge to live in honor of their bravery.


The Failures

  1. Organization
    Multiple parallel organizations with ambiguous authority

  2. Assumption
    Information-sharing convention is not known or understood, but appropriate sharing to avoid disaster is assumed

  3. Omission
    Information-sharing distribution is incomplete, people and entities excluded

  4. Verification
    Commands/information sent, no follow-up to ensure understanding and action, capabilities or actions are assumed and not verified

  5. Supervision
    No close supervision to verify understanding and predictable action - compliance assumed

  6. Alertness
    Heightened alert is undermined by repeated training and exercises

  7. Complacency
    Vigilance relaxes from the day-to-day lull of business as usual; a "what-could-happen ?" attitude

  8. Intelligence
    No centralized intelligence services with tailored dissemination of intelligence products; too many independent sources of collection and analysis

  9. Attitude
    Superiors do not engage in open dialogue with peers and subordinates; the superiors act superior (arrogance)

  10. Imagination
    "Worst-case" scenarios not included in preparedness and response planning

  11. Communications
    Information exchanged is ambiguous, convoluted, or contradictory - no use of common "plain" language

  12. Paraphrase
    Messages altered according to assumption and no verification

  13. Adaptability
    Alert and response thresholds are not matched to the known threat environment

  14. Disclosure
    Intelligence so protected that it is inaccessible to those who urgently need it, rather than converting products to actionable information while protecting "sources and methods"

  15. Insight
    Inadequate understanding of the threat and capabilities to address this threat lead to underestimated risk

  16. Dissemination
    Information is not provided to subordinates who need to know

  17. Inspection
    Leaders do not know or understand their personnel and critical systems

  18. Preparedness
    Prepare for consequences of what a threat might do, instead of what it can do

  19. Consistency
    Official direction is contradicted by unofficial speculation from authorities

  20. Protectiveness
    Individual or organizational one-upmanship for real or perceived self-benefit

  21. Relationships
    Personal friendships inhibit identification and resolution of deficiencies or gaps

  22. Priority
    Failure to prioritize critical needs over day-to-day activities

  23. Reporting
    Subordinates fail to report information up the command chain

  24. Improvement
    Failure to identify gaps, particularly in worst-case scenarios, and correct them

  25. Delegation
    Responsibility is delegated with inadequate authority to act

Hope you'll find this of use; you are of course welcome to share...

From: Interoperability in Critical IT and Communication Systems

Dr. Bob Desourdis cites in his book quotes from the Congressional After Action investigation & report of 1945/46 on the failures of Pearl Harbor. Sharing as food for thought.


Michael Walker

Wednesday, December 7, 2011


Paper trumps experience

a rant


I applied for a job today via a recruiter.

I am an "Ivory Soap" match for the job.

But the 66/100% I lack (Ivory Soap advertises it is 99 44/100th percent pure), when confirmed, caused the recruiter to hang up on me.

I could have brought more than 15 years' experience to the recruiter's client.

But the lack of a degree - the "66/100th percent" - ended the phone call.

"The client requires it," she said.

I can't entirely fault the recruiter. After all, "the client requires a degree."

I know the client - Florida Power & Light, FPL. I send it a check every month.

What I am beginning to think is that whomever created this job requisition for FPL doesn't know much about business continuity.

Would a degree in InfoTech Security meet the requirements?

You bet. Forget that InfoTech security is only a very small part of business continuity.

How about a degree in journalism?

Actually that might be BETTER than a degree in InfoTech security since there is a great deal of documentation involved in creating and maintaining a business continuity plan or program.

The FPL job req writer is telling me that four years of listening to people pontificate about subjects in which they may have zero practical experience is better than 15 years' hands-on experience.

OK, to be fair, I know there are some college instructors who DO have "real world" experience. I had a couple when I attended Barry U and Sarasota U. But I also had the "other" kind. I'm a former journalist - reporter to managing editor. The required English 1 course had the instructor - a high school English teacher during the day - try to teach the class how to write a story for a newspaper. The gentleman could hardly spell "newspaper," let alone create copy for one.

But he had a degree, maybe two, and therefore was an "expert" in the field.

America was not built on degrees. It was built on people developing expertise.

Admittedly, my profession lacks - sadly - an apprentice program.

Likewise "admittedly," there are people who claim expertise, some with certifications, who can't plan their way across a deserted country road.

But if they have a degree . . .

FPL, or at least the contracting agencies, are offering a below market rate so maybe it is just as well that this recruiter abruptly ended the call.

Still, it would have been a good match: FPL and this practitioner.

If I wrote it, you may quote it.

Longer articles at https://sites.google.com/site/johnglennmbci/

Friday, December 2, 2011


(Un)Social Media


In a Wall Street Journal copyrighted article at http://tinyurl.com/88h2q2h, organizations learn that under certain circumstances angry employees can say almost anything they wish against their past or current employer with impunity.

If the employer acts against the employee, the organization may face charges from the National Labor Relations Board (NLRB).

According to what appears to be a supplement to the Melanie Trottman article, the AdvisenFPN version of the copy appends the following:

    Companies are facing a growing number of civil charges over disciplinary actions spurred by online comments from employees. Following are the National Labor Relations Board's guidelines on what workers and employers are allowed to do on social media:

    Protected employee behavior -- things employees should be allowed to do without being fired:

    -- Workers discussing with each other pay or other workplace conditions, or an individual speaking on behalf of other workers about, or with the intention, to improve workplace conditions. The key is there has to be group activity, in intention or result. It is described under the law as "protected concerted activity."

    -- Name-calling -- depending on the word used and the context -- that doesn't involve physical or verbal threats.

    Unprotected employee behavior -- things that could get an employee disciplined or fired:

    -- Mere griping solely by and on behalf of oneself, with no evidence of intended or actual group action to improve working conditions.

    -- Physical or verbal threats against an employer or co-worker, depending on the context.

    Unlawful employer behavior:

    -- Maintaining a company policy that restricts workers' rights to discuss online with co-workers their wages and other working conditions.

    -- Firing an employee for engaging in protected concerted behavior.

So, if a disgruntled employee calls a manager a "scumbag" in the course of an exchange with fellow workers, and if someone replies in any manner, the employee apparently is protected by the NLRB.

It seems to me - and I must add this caveat: "I am not a lawyer and I don't play one on tv" - that the specific person who is maligned - calling a person a "scumbag" is hardly a compliment - ought to, with perhaps assistance from the employer, file a civil complaint against the name caller.

The right of free speech is an important part of the American way, but libel and slander still are actionable.

For all that, organizations of all types should have policies and procedures in place clearly setting forth what is acceptable and expected behavior of people employed - at any level - by the organization. These policies and procedures must

  1. Be vetted by qualified legal counsel, that is, lawyers specializing in HR issues

  2. Be read, and understanding acknowledged, by all employees, regardless of position within the organization, from Most Senior Executive to newest intern and contractors/consultants.

If there is a problem in the organization and an employee, for whatever reason, "goes public" with it on so-called social media, it behooves management to examine the complaint to see if it has merit. At the same time, it seems appropriate to act against libel and slander.

Longer articles at https://sites.google.com/site/johnglennmbci/

If I wrote it, you may quote it.

Wednesday, November 30, 2011


Damage Control

GM makes it work


Image can be critical to an organization's bottom line.

    Ask Toyota.

    Ask Ford and Firestone.

Since a damaged "image" can have a severe impact on an organization - any organization, even ones that depend on donors, think charities and blood banks - things that can lower the image in the eyes of "The World" must be considered risks.

Sometimes, as in the case of General Motors and its "fire after an accident" Chevy Volt, the risk cannot be prevented.

But it can - it must - be mitigated.

Everyone knows the story of Toyota's acceleration problems and how Toyota dragged its heels publicly in dealing with the issue.

Many will recall the Ford-Firestone finger pointing when Explorer SUVs started "turning turtle." Rather than immediately move to replace Firestone tires then suspected of being either the cause or a contributing factor in the roll-overs, Ford and Firestone got into a PR battle as Explorers continued to tip over.

Ford finally replaced all Firestone tires on all Explorers but no one accepted blame for a bad combination of vehicle and tires.

One of my frequent admonishments to people who expect a risk management plan to be perfect before the first exercise is "Nothing is perfect the first time out."

No matter how expert the practitioner; no matter how conscientious the Subject Matter Experts, something always is overlooked and discovered only during an exercise. Nothing is perfect the first time out. Nothing.

GM found that out with its Chevy Volt.

According to a Los Angeles Times article titled GM learns from Toyota how not to handle a crisis (see http://www.latimes.com/business/autos/la-fi-gm-volt-20111129,0,4124119.story), "After reports of fires in Volt electric vehicles that had been crash-tested, GM put the communications pedal to the metal — unlike Toyota, which responded slowly and ineffectually to its sudden-acceleration crisis."

The Times piece detailed the Volt's problem - fires that followed test crashes of its Chevrolet Volt electric vehicles - and what GM was doing to give its customers a "warm fuzzy feeling" toward the company, the brand (Chevrolet), and the specific vehicle (Volt).

GM apparently wants to avoid looking like Toyota, yet it is taking a leaf from Toyota's book from better days. GM is offering Volt owners free loaners until the "fire after an accident" issue is resolved. Toyota did something similar when it introduced it's high-end Lexus model and discovered a couple of problems. According to the Times, "Toyota had Lexus dealers deliver loaners to people's homes, repaired the recalled cars and returned them washed, detailed and with a full tank of gas"

Was Toyota's quick action appropriate? Count the number of Lexus vehicles in the neighborhood.

Understanding that (a) nothing is perfect the first time out and (b) that "things" will happen, the smart risk management practitioner recommends that "generic" scripts be created for possible image gremlins, and works with executive management, legal, and corporate communications/PR so that when - not "if" but "when" - an issue arises the organization can respond quickly.

The organization will have at least an outline of what to say, it will know who is capable of delivering the message (and who might freeze before an audience), and the spokes person will have practiced message presentation.

A really sharp practitioner also will recommend that multiple presentations be prepared to different audiences - all having the same basic content - audiences that include

  • customers

  • employees

  • financial backers (stockholders, lenders, etc.)

  • local media

  • national media

  • regulators

  • trade associations

  • vendors

As an aside, the reason for separating the media into "local" and "national" is to assure that the local media are not slighted. The national media reporters will go home once the story starts having "second day leeds" (cq); the organization will have to deal with the local press for the long term; treat the local reporters kindly. This scrivener once was "local press."

As with most risks, threats to the organization's image can be mitigated but, as with most risks, responses must be planned and practiced, exercised.

It is said that a person's greatest asset is his name.

That applies equally to an organization.

If I wrote it, you may quote it.

Longer articles at https://sites.google.com/site/johnglennmbci/

Monday, November 28, 2011


Government as risk


It's not the first time I have suggested that government - at all levels - should be considered a risk to the organization.

Usually we think of government making a rule that restricts the organization's business or adds additional regulations . . . and costs.

Sometimes, though, government may reduce or eliminate regulation.

According to an AdvisenFPN article that first appeared in the Wall Street Journal (http://tinyurl.com/7lad3qx) titled Critics Target Bribery Law , corporate America's top lobbyists are trying to limit the Foreign Corrupt Practices Act of 1977, a/k/a FCPA.

In a Joe Palazzolo-bylined article, the WSJ reports that the effort against FCPA has risen to the top of the lobbyists' agenda, sparking a widespread debate about how the legislation is enforced. The reason for the corporate war on FCPA: "In the past five years, a remarkable run of enforcement of the U.S. law has led to about $4 billion in penalties against corporations. The law prohibits companies from paying bribes to foreign officials to win business. A violation can result in criminal prosecution," the WSJ article noted.

I recently did a project for World Compliance (http://www.worldcompliance.com/en/default.aspx), an organization that specializes in FCPA. It has a multitude of clients in the financial industry who are, thanks in part to FCPA, concerned that their transactions and their clients are above reproach.

World Compliance is akin to the CIA - it collects information from around the world, vets it to assure accuracy, and they packages it for its clients. To its credit, World Compliance takes risk management very seriously.

Click on drawing to enlarge

While eliminating FCPA would not by itself put World Compliance out of business - as the name implies, the organization has clients worldwide and, in addition to FCPA, it also provide data to clients complying with European laws as well as U.S. Treasury Department regulations and the Patriot Act - emasculating or killing the FCPA could impact the organization's bottom line.

Of course World Compliance has more than U.S. lobbyists to consider. It has to take lobbyists into account every place it does business, and that is most of the world. Again, it's core business is gathering information about people from the four corners of the world, analyzing the information, and packing it for its clients.

As with the CIA, most of the data is public information; World Compliance's raison d'être is the analysis and vetting of the information, putting together all the pieces that may come from disparate sources.

No matter what the organization's purpose - be it commercial, industrial, a non-profit, or a charity - the whims of government must be considered a risk. Depending on the type government, the rulers may be swayed by money, favors owed, promises of votes or threats of loss of votes, or less polite measures.

FCPA hurt - and continues to hurt - organizations that did business by bribery. It hurt them because U.S. companies no longer were on a level playing field with their foreign competition, and it hurts them when - despite FCPA - they feel obliged to risk a bribe and get caught.

Longer articles at https://sites.google.com/site/johnglennmbci/

If I wrote it, you may quote it.

Thursday, November 24, 2011


Vendor risks

More than meets the eye


When most of us think of vendor risks we think of a vendor failing to meet its Service Level Agreement (SLA) with our organization.

The SLA can cover a product or a service.

Interestingly, the product or service might not be considered critical - until its needed "yesterday." (Forms for bills, for example, or checks to pay bills.)

Smart organizations ask critical vendors if they have business continuity plans. Very smart organizations ask the vendors to supply the plans or at least basic plan information such as

  • Who is the plan/program sponsor? (Should be a Very Senior Executive with fiduciary responsibility.)

  • What does the plan cover (InfoTech only, key business units, the enterprise).

  • When was the plan last exercised. (Should be "within the year.")

  • When was the plan last updated. (Should be "within the year.")

  • Who is responsible for plan maintenance and updating?

Most of the time, the interest in the vendor ends here.

It should not.

What about the vendor's critical vendors? If the vendor provides a finished product - even something as simple as a threaded fastener (a/k/a screw), if that item is crucial then the vendor is critical and the vendor that supplies your vendor with raw materials likewise is critical.

As the risk management person in your organization, you might be wise to ask the critical vendor if it has an alternative supplier of raw materials; has your vendor asked its vendor for a business continuity plan?

Depending on the criticality of a product or service, it might be necessary to go back even father on the vendor chain, but this usually is not the case.

OK - you talked to your critical vendor and you are confident the vendor has a plan to meet all contingencies.

Is that enough?

Not really.

How is the vendor's product or service delivered to your organization?

Click on image to enlarge

Via highways and byways? Railroads and trucks to the door? Ships and barges and trucks? Airplanes and trucks?

Ask the vendor if it has alternate delivery options.

What if the teamsters walk. That shuts down multiple options since trucks almost always are required - door to door, ship to door, plane to door, train to door.

The teamsters may be perfectly content, but weather can close roads and shut down airports; accidents can close roads and seaways and ports of all types.

Knowing that transportation is an easily interrupted critical process, your organization needs to do a little research to determine a "worst case" transportation interruption and maintain product on the shelf to cover that period. "Just In Time" is fine, PROVIDING nothing interrupts delivery.

Ahh, but your vendor delivers data via the Internet. Nothing to worry about, right?


There are as many, perhaps more, things that can go "bump in the night" for digital deliveries as there are with physical delivers.

The vendor's InfoTech can crash; your InfoTech can crash, the pipe can get choked, your organization's Internet Service Provider (ISP) may fail, a power outage anywhere along the line can knock out a service. Sure, everyone has backup generators, but are they checked regularly under load; is the fuel supply dry and sufficient, and . . .

As they say, "Nothing's perfect except you and me, and I'm not sure about you."

There are, by the way, two sides to the transportation issue.

Your organization is a vendor to your clients.

Whether you provide a product or a service, your organization typically has to deliver to the customer.

That means transportation from your organization to the customer, be the customer another manufacturer, a wholesale or retail organization, or an individual.

Your organization's delivery options - and hazards - are the same as those of the critical vendors.

The bottom line is that when considering risks relating to critical vendors, you must think of all related risks.

If I wrote it, you may quote it.

Longer articles at https://sites.google.com/site/johnglennmbci/

Comments to JohnGlennMBCI at gmail dot com

Tuesday, November 22, 2011


Employee loyalty


In today's job market, with high unemployment, management has the upper hand and can, if it desires, disregard staff concerns.

Smart managers don't.

They know that when the market eventually turns around, those employees who got the short shrift during the "high jobless rate" times will start looking for new employment homes.

Taking with them skills they honed on the job.

Possibly taking with them information a competitor would be delighted to have.

Never mind non-disclosure agreements; they are difficult, and expensive, to enforce.

If the employee doesn't bolt, he or she can "bad mouth" the organization and destroy its reputation as an employer and, perhaps, as an organization.

The translation of all the above is that employees are a risk to the organization.

A "necessary" risk.

At the same time, a happy employee - or at least one who feels respected by management and peers - is a definite asset to the organization. While the unhappy current or past employee knocks the organization, an employee who feels he or she has the respect of management - at all levels - promotes the organization to other employees and to "the world."

It's been many years since I worked as a contractor at Lucent Technologies, but I still fondly remember the way it treated its personnel, even contractors. On the other hand, there have been some other organizations . . . .

While it is not something a risk management practitioner can control, the practitioner should be aware of the "mood" of the workforce and the practitioner should "suggest" to management that there are risks to employing unhappy staff.

Most people appreciate recognition for a job well done.

The nice thing about recognizing jobs well done is that it need not be expensive.

Most people appreciate an organization-sponsored (funded) function; like recognition, this need not be overly expensive.

The economy will pick-up - no, I do NOT know "when" - and when it does, unhappy employees will become mobile; their resumes already are up-to-date.

The risks to the organization include, "but are not limited to"

  • loss of knowledge base

  • cost of recruiting - advertising, interviewing, relocation

  • cost of training, both job and corporate customs

  • temporary slump in productivity, possibly due to resentment of the new employee

  • possibly higher salary for the new hire

  • risk that the new hire will leave before the organization realizes any ROI

It is not hard to mitigate the risk of disgruntled personnel.


Acknowledgement of a job well done.

Support in the form of training.

There are many ways an employer can show respect for the troops; HR knows them all.

Longer articles at https://sites.google.com/site/johnglennmbci/

If I wrote it, you may quote it.

Sunday, November 20, 2011


Have you created a plan for XYZ industry?

  The other day I was asked if I had done any plans for a specific industry.

I took the question at face value: have I done any plans for an industry, as in "industry association."

The question could have been less global and concerned with a specific organization in the industry (e.g., natural gas exploration) or a specific function of the industry's members (e.g., manufacturing mil-spec monel 16-inch 3-way valves with electronic control modules).

There are lots of ways I could have considered the question.

But in each case, the answer was the same: "Yes."

The reason the answer for each option is the same, "Yes," is because as a risk management practitioner I am looking at risks and means to avoid or mitigate them.

It makes no difference to me if I am working for a Mom-n-Pop corner grocery, Monster Motors, or Sara's Soup Servers charity.

The PROCESS is the same.

Find out why the organization exists.

    Mom-n-Pop's grocery exists to sell groceries and, hopefully, make a profit.

    Monster Motors exists to make automobiles (and other products) and, hopefully, make a profit.

    Sara's Soup Servers exists to provide food for the hungry and, hopefully, to keep donations rolling in.

In each case, the organizations DO something to justify their existence.

There are some common concerns across the board - vendor management and liability as examples - but the bottom line is that each organization has risks and that the risks to each organization must be addressed; means must be identified to avoid or mitigate the risks.

Mom and Pop belong to a grocers' association.

The association's concerns are for the Mom-n-Pop grocery, but they are not the same as harbored by Mom and Pop. The association is concerned with lobbying, with member welfare, with recruiting and retaining members, and with collecting dues to support the association's operations.

Whether creating a plan for Mom-n-Pop or the association, the PROCESS is the same:

Mom-n-Pop Grocer's Association
1. Identify the reasons the organization exists
2. Identify critical processes to No. 1
3. Identify risks to No. 2.
4. Identify means to avoid or mitigate risks.
5. Prioritize risks based on probability vs. impact.
6. Present recommendations to management.
7. Create response plans based on management's decisions re risk management implementation.
8. Create plan maintenance procedure.
1. Identify the reasons the organization exists
2. Identify critical processes to No. 1
3. Identify risks to No. 2.
4. Identify means to avoid or mitigate risks.
5. Prioritize risks based on probability vs. impact.
6. Present recommendations to management.
7. Create response plans based on management's decisions re risk management implementation.
8. Create plan maintenance procedure.

The same PROCESS can be applied to all organizations.

The organization's critical processes will vary, as will the risks, the means to avoid or mitigate them, the risks' priority, and the means to respond to the threats, but the PROCESS remains the same:

    1. Identify the reasons the organization exists
    2. Identify critical processes to No. 1
    3. Identify risks to No. 2.
    4. Identify means to avoid or mitigate risks.
    5. Prioritize risks based on probability vs. impact.
    6. Present recommendations to management.
    7. Create response plans based on management's decisions re risk management implementation.
    8. Create plan maintenance procedure.

Creating a program for Mom-n-Pop might be completed within a few weeks while a similar program for Monster Motors could require more than a year, especially if the practitioner is expected to train responders and do more than run a basic "desktop walk-through" exercise. Indeed, Monster Motors ought to have a full-time staff of risk management practitioners.

The bottom line for all plans is the same: It's all about the PROCESS.

If I wrote it, you may quote it.

Longer articles at https://sites.google.com/site/johnglennmbci/

Friday, November 18, 2011


These are "professionals"?

A rant


I'm thinking about cutting down the number of LinkedIn groups and other lists and forums I follow. Maybe a few blogs, too.

Several of the lists/groups/forums that I am considering leaving have "Professional" in the title.

Professional in name only

    That led me to believe any discussions would be at a professional level.

    Yet many, far too many, discussions are at the tyro level.

    By itself that's not bad - tyros need help, too, and they can - and I'm thinking of one in particular - and do raise important questions; queries that get us all thinking.

    One of the things that irritates, that - as we say in Dixie, "sticks in my craw" - is the titles many of these blatant-by-their-post amateurs advertise.

    Senior this and Master that.

    Another irritant is the level of the questions.

    Good grief; do your homework before asking someone else to do it for you.

    DRJ (http://www.drj.com) has a Website fill of good information.

    DRII (http://www.drii.org) likewise has megabytes of useful information.

    The information is free.

    Of course the curious person needs to invest a little time to locate and extract the nuggets.

    Why bother? It's easier to ask an actual practitioner "How do you spell "BIA?"

    Because there are so many tyros-with-professional-titles claiming to be business continuity practitioners, people who engage them due to a title or employment by a Big Name Consulting Firm, expect a professional product. They deserve a professional; product.

    But they don't get a professional product.

    If the plan doesn't work? The independent likely lacks performance insurance, and the Big Name Consulting Company will try to tie the client up in a finger-pointing court date. In any case, it is hard to prove that the client ignored the practitioner's recommendations or failed to exercise the plan.

    But all business continuity practitioners take the hit.

When "BC" really is "DR"

    As long as I am IN "curmudgeon" mode I may as well express my opinion of groups that have "business continuity" in the title but in truth are misnamed "disaster recovery" groups.

    There is nothing wrong with a disaster recovery group, but please, call it what it is: disaster recovery or even "resilience" which one Big Name Company has high jacked for its disaster recovery services.

Link, don't think

    One or two of the groups I am about to drop consist of 90% links to magazine articles.

    The article may be really worthwhile, but I sometimes suspect the linker never read past the headline.

    I really would like a synopsis of the article before I waste my time following the link.

    I'm sure some of the articles are worth reading, but I don't have the time to follow each and every link on the chance that the linked copy is relevant to what I do.

Longer articles at https://sites.google.com/site/johnglennmbci/

Monday, November 7, 2011


Check the obvious


About two weeks ago I put down some weed-n-feed.

The instructions state to thoroughly water in the chemicals - soak the pellets until they melt.

Not a problem.

I have a well. Flip a switch and water comes out via a number of sprinkler heads scattered around the grounds.

So I wandered back to the pump switch and flicked it on - to be greeted by a spurt of nasty brown water from a PVC pipe.

Turns out the guy who used to cut the grass once again punched a hole in the pipe. Second time.

So now I have to replace the PVC - a learning experience - and reseed a portion of the yard, a portion only recently reseeded.

I can't prove the ex-yard guy did the damage, but the substantial circumstantial evidence is pretty strong: twice since he's been cutting the grass a hole has been punched into the pipe, and no one went back by the pump except the ex-yard guy.

Anyway, the grass that got the weed-n-feed is dying because I failed to make sure the pump worked before I put out the chemicals.

Lesson learned: Even with a very low probability of failure, equipment needs to be checked before it is needed.

When I get ready to go on a trip, even a relatively short one, I eyeball the tires to see that they have sufficient pressure. I check the gasoline to make sure I can get where I'm going. I should, but I don't always, check the oil level and condition. Top off the windshield washer fluid.

Basic "stuff."

Like checking the cell phone battery level.

If I'm traveling with the notebook, I charge the battery. (Leaving the battery in the machine and constantly at or near full charge diminishes the battery's charge time.)

To say I'm upset with the ex-yard guy is probably safe to say. To say I am more upset with myself for failing to practice what I preach is absolutely correct.

I'm paying for my false confidence . . . dig up the pipe, cut out the damaged section and replace it, gluing a new piece into place, testing everything and then covering the pipe, and finally reseeding the lawn.

Longer articles at https://sites.google.com/site/johnglennmbci/

Wednesday, November 2, 2011


Troubles on the tarmac


JetBlue, the low cost airline, is facing stiff penalties for letting roughly 100 passengers sit in a plane on the ground for seven - 7 - hours.

The food and drinks apparently ran out and the bathrooms apparently were at capacity, so passengers were more than a little "uncomfortable."

The question is not "What happened?" but "Why was it allowed to happen?"

The plane, from Fort Lauderdale-Hollywood International (FLL) was bound for a northern airport. Before it got to its scheduled destination, weather conditions forced the airport to close.

The plane was diverted to another airport.

That, in itself, is not a major problem when passenger safety is the First Priority. Besides, diversions happen all the time.

But things went from bad to worse when the plane landed at the alternate airport.

Apparently shortly after the plane got on the ground, that airport also was closed due to weather conditions.

Now the problem goes from "worse" to "inexcusable."

I'm guessing that the newly landed aircraft - re-routed from another airport and unexpected at the airport where it landed - couldn't get a "gate," a jetway where passengers could disembark.

Since all flights were grounded, the planes already at the gate were "stuck" there; they could not leave for their destinations.

Realistically what could JetBlue have done? I'm a bit claustrophobic when planes are on the ground waiting for a gate so I gave this some serious consideration. I've also flown into a number of airports in the U.S. and elsewhere.

JetBlue could have done one of two things.

Thing 1, possibly the least inconvenient, would be to send a truck and buses to the plane.

The truck would bring stairs so passengers could safely get off the plane and onto the ground. This is not an emergency and there is no need to risk passenger injuries by using the emergency slides.

Lots of airports - probably most have mobile stairs and most airports have buses - if not owned and operated by the airlines, then airlines could borrow from the rental car companies or the airport authority, whichever runs the shuttles.

Thing 2, a little more inconvenient for the airline but a lot more satisfactory to the people paying to ride, would be to push back a grounded flight from a gate to make the gate available for the incoming flight.

Does this take a flight crew?

I don't think so.

It does take a push truck and a couple of people to guide the push truck's driver to avoid clipping other aircraft.

Where to put the moved birds? How about a maintenance area? What about the military section of the airport, assuming there is one and the Air National Guard gives its OK for "until the storm's over" parking permission.

In truth, the empty pushed back aircraft could be parked on the taxiways and runways, although getting them back can prove a logistics problem later. Use taxiways and runways as a last resort.

Lack of planning seems to be the bane of airlines.

Qantas' management grounded all its flights in the face of a threat of a strike. Management's pre-emptive strike.

While that may have seemed like a good idea at the time, management failed to gets its passengers booked on other airlines' flights. "Sorry, we're closed and you (passengers) are out of luck."

Then there was the Chief of Security at a U.S. airline that told me, after 9-11-2001, that terrorists couldn't get on board his airplanes using methods I proposed. "Impossible," he said - and continued to believe that even though a number of journalists proved my point.

I don't know if airline people simply ignore risks or just refuse to deal with them.

There certainly was no excuse for JetBlue to leave passengers sitting on a plane on the ground for seven hours.

What about the fuel costs? Even at idle, jet engines are expensive to operate.

Now JetBlue faces the potential of huge fines by the government. I understand it is offering free tickets to anyone on the flight who is willing to once again board a JetBlue plane.

A financial and PR fiasco that could easily have been avoided if someone had a plan - of even if someone "stepped up to the plate" and made the right decisions.

An expanded and updated article on airlines' image problems can be read at https://sites.google.com/site/johnglennmbci/11-11-03-airlines-image

If I wrote it, you may quote it

Wednesday, October 19, 2011


Employer responsibilities?


There is a debate going on LinkedIn's "BCMIX - Business Continuity Management Information eXchange" (http://tinyurl.com/3dukcyx).

The thread has the rather long title of "U. Delaware: First Responders will report to duty but need assistance with family support and resources and thorough protective equipment training, UD discovered in Mid-Atlantic regional study."

The essence of the thread is "what needs to be done for employees to assure they will report to work" and is linked to a ScienceDaily article titled "Emergency Workers Will Respond: Study Shows First Responders Will Report to Duty, but Need Assistance With Family Matters" at http://www.sciencedaily.com/releases/2011/08/110818190657.htm.

OK, having gottern all the source references out of the way, I will offer my list of things I think an employer should consider:

    This should come as NO surprise to any risk management practitioner. Most people will justifiably worry about their kin before their job. To mitigate that, we have primary and alternate responders. That lessens the load on all responders - jobs can be handed off after short shifts. We also must be concerned with burn-out and management must recognize this danger and avoid it by limiting work to a reasonable-under-the-circumstances time, say 12 hours, 16 maximum, and require at least an 8-hour "off" period. This must be cast into Policy and Procedures concrete (along with other "event-related P&Ps). Organizations, realizing responders - both local and at an alternate site - need family time (just as soldiers need R&R), need to get this into P&Ps long before an event so that everyone knows what to expect.

Two ladies whom I respect joined in as follows:

Lady #1: The suggestion which emerged was actually that the employers of the first responders help prepare the families in advance and organize support and resources for spouses.

Lady #2, adding to Lady #1"s comment, noted "This is why a 'critical worker support plan' is needed. If we don't build it, they won't come. Would you? Work is a paycheck. It has no chance of competing with the people we love or the need to reestablish family security ASAP. Even when work is a 'calling', there's a breaking point."

Lady #1 is an attorney with interests in Strategic Assessment & Conciliation .

Lady #2 is a business continuity planner for a government agency.

My comment to the ladies - and I really like these two people - was as follows:

    OK - so HR and management need to be involved (as well as unions if they are present) to determine - and publicize - what the organization will do for the staff re family support; e.g., hand-deliver checks to IDed-by-staff kin, who is considered "kin" (may be determined by law), medical/health insurance assistance and perhaps transportation to/from medical facilities; maybe supermarket runs (some families have only one vehicle and public transportation either is distant {bus, train lines} or expensive {taxis}) or reimbursement for transport charges. The foregoing is NOT "all inclusive" by any means. IMO, HR always needs to be involved in all risk management planning.

Here Lady #2 responds that "if you have been through a major disaster, from a hurricane to wildfire to tornado to 9/11, what is really needed to get critical staff in to work is a company commitment to such things as:

and then she proceded to list her requirements; my responses are included

    - evacuate staff's families ahead of rising water or spreading flame

      (jg) That's the employee's responsibility. The organization may offer to assist with transportation, housing, and other per diem subsidies, but in this economy, I would doubt it. It is more likely to evacuate/relocate staff WITH family to the alternate site.

    - send out crews, commercial if necessary, to

    -board windows

      (jg) Home owner's responsibility. I have accordion shutters, my neighbors "board up" using metal or ply board (a PITA in the wind). I doubt there are enough contractors in the area to meet the demand by people who are unable to DIY (absentee owners, high-floor condo owners, invalids, etc.) The days of the Company Town (McGill NV), when the company sent out a guy to change a light bulb, are long gone.

    -cover damaged structures with tarps and plastic

      (jg) Home owner's responsibility. The insurance company will argue that the home owner should mitigate damage by covering holes, but if the owner is one of the above or cannot beg, borrow, buy, or steal a tarpaulin or ladder sufficient to reach the rood, or if the winds are dangerously strong, in the end, the insurer will pay to close the hole and repair related damage. (Common event where I live.)

    -salvage homes from water, mud, smoke, fire

      (jg) Home owner's responsibility. The employer may have a list of "approved" vendors (if not, FEMA and the state do) and the approved vendors may give a discount to the employee, but contracting for the work, supervising the work, inspecting the work, and paying for the work is not a corporate responsibility.

    -install portable generators

      (jg) Home owner's responsibility. Someone would have to stockpile hundreds of generators, make sure they functioned and were fueled - and what about fuel; who is supposed to see that the tank is topped off (and how big a tank is needed?). Most assuredly not a company responsibility.

    -remove fallen trees and debris from homes, power lines (when the power company refuses)

      (jg) Debris removal from public areas (streets, sidewalks) is a government function. Debris removal from private property is the (you guessed it) home owner's responsibility.
      I have NEVER seen any power company anywhere - and I have "lived around" - refuse to deal with downed wires, live or not, nor have I ever encountered a gas company that didn't respond to a reported/suspected leak. Maybe in NYC or California, but not in VA (Dominion's really good) or Florida (FP&L is excellent) .

    - deliver MRE's, water, dry ice, and survival goods

      (jg) Staples (food, water, ice) normally are provided by do-gooder agencies - Salvation Army, ARC, etc.; Procter & Gamble brings in the laundromat-on-wheels (great idea, BTW). As for MREs, if you MUST have MREs, please avoid the self-heating ones (LaBriute as example). They are a storage fire hazard (ask the U.S. Army). My Own Meals are, according to the firm's owner, edible cold (and she personally samples them that way - the lady is one of my sources).

    - evacuate, house and aid reclamation for families whose housing is destroyed

      (jg) Partially addressed above (first of your dash lines). Otherwise the home owner's responsibility - doing battle with the insurance companies. A generous employer may give some (paid? unpaid?) time off to battle the insurers.

    - ensure electronic deposit of paychecks and reimbursement checks (although notoriously after 9/11 one financial services company suspended all salary and other payments to the families of hundreds of dead workers)

      (jg) How can electronic deposits be "ensured" if the WWW is down at any point: the check writer's, the financial institution. How much will be paid? Logged hours? Previous pay period (typical), average for year? (With differences cleared up later.) Since I cannot guarantee electronic fund transfer, I might write a check or issue a voucher/promissory note, but to whom shall I gave the document? Spouse who may be estranged? "Significant other?" Who may be considered a "partner" might be determined by local law. I covered this in my post.

    - coordinate searches of hospitals and morgues for injured and dead staff and family

      (jg) The do-gooder agencies already do this; the employee can contact them; this is not an employer function.

    - provide medivac and crisis transport of injured, dying and dead staff and family.

      (jg) Most employers, other than the Federal government, lack suitable aircraft and ground transport for this function; even if the employer wanted to take on the task, there probably are insufficient vehicles to move injured. Moving the dead is something that can be done only after a Coroner/Medical Examiner/doctor declares the person deceased, in which case the government or funeral home would move the body; this is not an employer function, even in "normal" times.

    That's what people are really doing back at home. It's no walk in the park.

I don't know of any organization, anywhere, with the possible exception of government-funded agencies, who provide what Lady #1 thinks employers should provide.

I include employee welfare in all my plans, but I stop short of what I term "employer socilaism," a term I hasten to add that Lady #1 empathetically rejects.

So the question to followers of this blog: Are Lady #1's expectations - I won't call them "demands" - realistic for any non-government-funded organization?

Does anyone know of any non-government-funded organization that satisfy Lady #1's wishes?

Either way, the address is JohnGlennMBCI at gmail dot com.

If I wrote it, you may quote it.

Monday, October 17, 2011


Importers put on notice - again


The husband of a woman who apparently died following an accident on an untested inflatable pool slide was awarded US$20.6 million by a Salem (MA) Superior Court jury.

According to an article in The Salem News (http://tinyurl.com/3c9j5p6), Toys "R" Us sold a Chinese-made Banzai Falls inflatable pool slide via Amazon. The 6-foot slide was installed in an in-ground pool.

The jury ruled that Toys "R" Us was responsible for the death five years ago of a 29-year-old wife and mother. Amazon and the slide's manufacturer, SLB Toys USA, settled with the survivors for an undisclosed amount.

Meanwhile, Wal-Mart and the Chinese manufacturer are being sued following a similar accident in Missouri that left a man a quadriplegic.

Court records note that more than 4,000 of the slides have been sold in the U.S.

Once again

Courts are holding importers and retailers responsible for the products they handle.

This is becoming a regular message in this blog space.

According to The Salem News article, Toys "R" Us apparently failed to have its Chinese testing company test the slide for compliance with U.S. safety rules. Toys "R" Us contended that the slide, since it is inflatable, did not need to be tested. Federal standards require testing.

The complete article can be read on The Salem News' Web site (ibid.).

The bottom line is that any business that touches a product that is blamed - no proof necessary - for causing death, injury, or financial loss (e.g., Chinese wall board) can find itself in court. Even if it prevails, there are both financial and reputational damages to overcome. It if loses, there can be - as in the Salem MA instance - hefty penalties.

There may not be any 100 percent protection, but if the organizations that "touch" the product perform "due diligence" and either test or confirm that another organization along the supply chain has tested the product for compliance to both federal and local laws, all organizations are at risk.

Will a 1-in-1000 unit sampling be sufficient?

In the case of the Banzai Fall, a 1:1000 sampling ratio would be considered insufficient. Perhaps 1:100 would be valid. In the specific Banzai Fall case, just one test to U.S. safety standards might have been sufficient to identify the problem that is alleged to have caused at least one death and one spinal cord injury. (The accident details are on the newspaper's Web site.)

With 4,000 units scattered around the U.S., and with multiple retailers (Wal-Mart, Toys "R" Us, and perhaps others), the importer would seem to have the greatest responsibility for testing. The courts, at least the one in Salem MA, apparently believe the retailer should bear the financial burden.

Even Amazon, which apparently only provided a link to the Toys "R" Us advertisement, ended up as a defendant in the Salem case.

If I wrote it, you may quote it

Sunday, October 16, 2011


Note worthy


Today's AdvisenFPN offered a couple of note worthy items.

First, from the New York Times, an article headlined Bits: Stanford Researcher Finds Lots of Leaky Web Sites/.

The NYT article tells us that scientists at Stanford University discovered that

  • If you type a wrong password into the Web site of The Wall Street Journal, it turns out that your e-mail address quietly slips out to seven unrelated Web sites.

  • Sign on to NBC and, likewise, seven other companies can capture your e-mail address.

  • Click on an ad on HomeDepot.com and your first name and user ID are instantly revealed to 13 other companies

These are, according to the Center for Internet and Society at Stanford Law School, among the leaks found on 185 top Web sites.

If the rest of the Times' copy is accurate, it's all downhill from there.

The entire document is on the NYT Web site at http://tinyurl.com/6cys4fl..

Next, in an in-house story headlined Top Cyber Losses Are Not All Hacks! , Advisen's Research & Editorial group writes that "Not every headline-grabbing cyber loss is caused by sophisticated hackers. A case in point is one of the latest actions captured in Advisen's MSCAd Loss Events database—a $20 million suit against Stanford Hospital & Clinics."

    As reported in last Friday's FPN edition, in an article titled How Did Data About Patients Land on Web? Don't Even Ask," the hospital acknowledged that a breach of 20,000 records occurred on Sept. 8, 2011. The convoluted series of events leading to the breach had no hacker in sight. Instead, a job applicant for a marketing firm posted a spreadsheet containing the medical records on a homework-help website, seeking advice on how to convert the spreadsheet information into a graph. The marketing firm offering the job was a vendor for the hospital's billing contractor.
By the way, asking "The World" for help to accomplish something seems to be an everyday event, especially if you watch the social networks, even the one's with a professional demeanor.

According to Advisen's MSCAd database, more than half of the largest known data breach events, potentially compromising millions of identities, have resulted from lost CDs and hard drives, stolen laptops, and missing storage tapes.

That doesn't mean that hackers are not a concern, only that hackers should not be the ONLY concern.

Included among the victims are large U.S. financial institutions, private companies abroad, and government agencies in the U.S. and Canada.

A sampling of NON-HACKER damage includes:

  • Data CDs lost in transit

  • Data DVD and CD improperly disposed of, found on street

  • Data storage tapes lost in transit

  • Identity theft by help desk worker, ran up $50m of fraudulent charges

  • Identity theft from unauthorized sale of customer data

  • Identity theft resulting in re-routing of policy proceeds, through call center

  • Illegal access by employees & outsiders to credit history data

  • Laptop stolen from employee's home

  • Lost hard disk drive

  • Stolen microfiche tax records

  • Unauthorized distribution/sale of personal & financial consumer data

The point being that protecting data is not just an InfoTech function or even a Security function. It is most assuredly a risk management function.

In the above bullet list, how much damage might have been avoided by personnel training and awareness? How much by having, and enforcing, policies and procedures to protect data?

While I am a risk management subject matter "expert," I am not a security guru.

Sunday, October 9, 2011


No experience necessary


As most readers who frequent this blog know, I am active on a number of lists and forums.

Today I was reading an appeal from a consultant with a Big Name Company.

Our poster, who, it turns out misspelled "consultant" and "architect" on his bio, asked the group for exercise scenarios.

Now this person claims to have been around the IT block for a number of years and worked with companies whose names most of us recognize.

There is nothing in his recent job titles to indicate any experience with business continuity but he does claim "IT Disaster Recovery" experience.

Today, the consultant is a "lead technology architect."

The questions I have to ask are:

    WHY does his organization put a person in a position for which he obviously is not qualified?

    WHY does the person turn to the groups rather than his consultant peers in his company? Is no one qualified?

    WHY, if this person has been "around-the-block" enough times, does he need help coming up with scenarios; he's not asking for exercise plans, just ideas. What, after all, can possibly go wrong, go wrong, go . . .

I have known of companies who promote a journeyman IT staffer to a business continuity function sans any knowledge of business continuity on the victim's part - and I use "victim" deliberately since the person is being thrown to the wolves. Of course in those conditions, everyone in the organization is being thrown to the wolves.

I'm more than willing to help newbies, especially if the newbie makes an effort on his or her own behalf.

Most "senior practitioners" feel likewise.

But my peers and I take umbrage - usually with our morning coffee - when a person represented as an expert (consultants are, after all, supposed to be experts, that's why they get the Big Bucks) has to appeal to the masses for some really basic information.

Worse, the poster should have a multitude of resources available within the organization; again, it is a Big Name company. If not, then I have some names of people the Big Name company should engage if it intends to market risk management, even if only IT disaster recovery; these true experts can mentor others to develop a well-trained cadre of competent consultants.

If I wrote it, you m,ay quote it

Thursday, October 6, 2011


Experience pays


In a very short AP article picked up by AdvisenFPN, a lawyer is claiming that the cause of the crash of Air France Flight 447 from Rio to Paris was faulty data fed to the air crew by the Airbus' computers.

Both the airline and the aircraft maker are charged in France with involuntary homicide for the crash that killed all 228 on board.

According to French accident investigators the accident occurred when poorly trained pilots reacted exactly as they should not have by pointing the plane's nose up instead of down when it stalled over the Atlantic.

However, the report also noted that the aircrew was dealing with bad weather, faulty sensors, incoherent speed readings, and a cacophony of alarms.

Compare the fatal Air France crash with the US Airways crash into the Hudson.

The difference, if the French government agency is to be believed, can be summed up in one word:


The difference between an efficient and expeditious recovery and an over-budget, over-time recovery can be summed up in the same word.

Training - exercises - cannot be emphasized enough.

The problem is that a person knowing how to perform day-to-day operations may not - indeed, probably will not - know how to perform "similar" functions when responding to an event.

I discovered while working for a former top-tier defense contractor that things taken for granted can sometimes foul up the works.

For example, rebuilding a computer.

    Where is the media?

    Where are the licenses if needed?

    Where are the installation instructions? (They should be in the Plan document, but . . .)

By the way, if restoration depends on Internet-accessible information, how can the Internet be accessed if the data center is ash? Run to Starbucks for WiFi connectivity?

Capt. Chesley "Sully" Sullenberger and his US Airways crew drilled and drilled and drilled some more on emergency situations to the point that the flight deck crew knew when to believe or ignore instrumentation.

Granted, the US Airways flight was not well off-shore over an ocean and not at altitude - had those conditions been the case, the flight might have ended tragically, but perhaps not.

When Canada moved from Imperial gallons to liters, there was a foul-up on a Boeing's fuel capacity.

On a cross-country flight, the jet's tanks ran dry.

But because the pilot was well trained, he managed to glide the aircraft safely to the ground from its normal altitude of 30-plus thousand feet. (Its glide ratio of 17:1 is about 17 feet forward for every 1 foot in altitude.)

Actually that was "no big deal"; the space shuttles glide in from a much higher altitude. (Glide ratio is about 1:1)

In all three cases, US Airways, the Canadian jet, and the space shuttles, the one thing that these crews had that, apparently, the Air France crew lacked was TRAINING.

Not training to snooze through a routine, mostly on auto-pilot flight, but training to handle complex and unusual situations.

Not training to come into an office, turn on a computer and use a special phone in a call center, but training to go to an alternate site and perhaps use a pencil and paper to record call activity until IT can restore links to a database.

Exercises can be expensive - they take personnel away from their "real" jobs for the duration - but in the long run, exercises can be the difference between a successful, rapid recovery and no recovery.

After thought. Experience also pays handsome dividends when engaging a risk practitioner, someone who knows where to look for threats to "business as usual."

If I wrote it, you may quote it

Sunday, October 2, 2011




Two articles on the same day in the AdvisenFPN bulletin addressed the issue of "intellectual-property."

The first, headlined DuPont Wins Nearly $1 Billion In Secrets Case reports that a court awarded DuPont US$919.9 million in damages for a Korean company's alleged theft of secrets regarding the manufacture of Kevlar body armor.

The second, with the head SAP will pay fine of $20 million in Oracle copyright case, details how Germany's SAP AG agreed to pay a criminal penalty of US$20 million for stealing secrets from Oracle. Oracle still has a civil suit against SAP and is seeking additional financial penalties against the Germans.

For a risk management practitioner, these stories raise a two-sided concern.

Side One: Don't be a victim.

    In the DuPont Kevlar case, DuPont claims the Korean company, Kolon, acquired its trade secrets by hiring and attempting to hire former DuPont employees. There was no mention in the article, originally in the Wall Street Journal, of any Non-Disclosure Agreements (NDAs) or indication that DuPont was suing any former employees.

    Kolon has filed an anti-trust suit against DuPont; the article did not provide specifics.

    In the Oracle secrets case, reported in the San Jose Mercury News, SAP admitted its personnel "accessed Oracle's computers without permission and made thousands of unauthorized copies of Oracle's software."

Side Two: Don't spy on the competition.

    It's tempting to try and gain an advantage through someone else's effort, as SAP admitted to doing, but it's expensive.

    Being able to define what is a "kosher" way to acquire information about a rival and its products - and in the case of international organizations and patients, this can include a number of laws, some of which may be in conflict with others - is what keeps patient lawyers in business.

    Even if the defendant - your company - prevails, the company bottom line takes a hit with lawyers and expert witness fees.

Industrial espionage is big business and it is a specialty business.

The risk management practitioner needs to know the risks are there and the practitioner needs to make the risks known to management.

Most risk management practitioners that I know are notindustrial espionage experts - nor are they financial gurus or HR mavens or ... They ARE risk management Subject Matter Experts - people who know to whom to turn for expert advice.

Wednesday, September 28, 2011


Contractor or employee

Feds want to know


According to a Wall Street Journal article titled Price Of Reclassifying Workers, the federal government is going after employers - typically small businesses - that have questionable contract employee practices. (Read the full article at http://tinyurl.com/6hn8v4e.)

The problem is: When is a contractor a staffer?

This is a problem an alert risk management practitioner should identify and bring to the client's attention.

As with most things "risk management," the practitioner can only lead the horse to water (make the client aware of a risk), the practitioner can't make the horse drink (make the client avoid or mitigate the risk).

The IRS, which is running the investigation, announced a program to allow small businesses to "reclassify" personnel the IRS might determine to be employees (vs. contractors) with only "limited' penalties.

There are pluses and minuses to "converting" a person's status from "contractor" to "employee. Some of the negatives come into play when an organization's head count reaches 50. On the plus side, some companies report improved worker loyalty and increased profitability by bringing on staff as actual employees (vs. contractors).

The bottom line for risk management practitioners is to be aware of the situation and to recommend, where appropriate, that the client seek professional advice from a labor law specialist. It's far less expensive to pay for a consultation with a labor law expert than to try to defend a position against the IRS, especially in an IRS court where there is no appeal.

Friday, September 23, 2011


Ignore experts at own risk


According to multiple sources (see end of file for list/URLs), the New York Court of Appeals ruled that the Port Authority of New York and New Jersey is free of liability for the 1993 bombing of a World Trade Center building.

The reason cited by the court in its split decision was that the Port Authority is immune from suits as a government agency.

A little history.

The Port Authority owned the World Trade center buildings.

According to the New York Times, although "the court’s decision highlighted many of the warnings that had been made to agency officials about the potential risk of a car bomb in the garage, the court made it clear that the agency had also believed it had good reasons to concentrate its security measures elsewhere at the trade center complex." (Emphasis mine.)

Reuters reports that the "February 1993 bombing killed six people and injured close to 1,000. Six men were convicted including Ramzi Yousef, who was tied to al Qaeda."

The Reuter's article continued: "Lower courts had ruled that the Port Authority acted as a private landlord because the World Trade Center was largely a commercial complex. In her dissent, Appeals Court Judge Carmen Beauchamp Ciparick agreed with that position.

"The Port Authority's security decisions regarding the garage were made by civilian managers, not law enforcement or security authorities, and stemmed from commercial concerns," Ciparick wrote.

In the majority opinion the court noted that, "the Port Authority solicited numerous expert opinions on the security risks and measures to be considered before allocating its police resources. While the Port Authority's decision-making could have proceeded along different acceptable paths of action, in this case, it reached a reasoned discretionary conclusion to heighten security in sectors of the WTC considered more susceptible to harmful attack" according to Jurist.org.

But, as Judge Ciparick noted in her opinion, the "Port Authority's security decisions regarding the garage were made by civilian managers, not law enforcement or security authorities. (Emphasis mine.)

To be fair to Port Authority management, decisions had to be made based on available resources. That's the unfortunate case for all organizations.

At the time, and despite the warnings from "numerous expert opinions on the security risks and measures to be considered," car bombings, especially car bombings to bring down buildings in the US were almost unknown.

Two truck bombs had gone off outside a military barracks in Beirut in 1983 killing 299 American and other servicemen; Islamic Jihad claimed responsibility But that was overseas; such things didn't happen on U.S. soil. (Actually bombings were common in the U.S., including bombing buildings, but never on the scale of the Trade Center buildings.)

The Alfred P. Murrah Federal Building in downtown Oklahoma City wasn't brought down by Timothy McVeigh and friends until April 19, 1995.

The lower court ruling that was appealed to the higher court allocated 68 percent of the fault to the Port Authority for the terrorist attack. The terrorists were ruled to be 32 percent responsible.

Apparently had the Trade Center buildings been owned by a non-government agency, the decision would have been against the Port Authority.

There are lessons to be learned here.


New York Times, Port Authority Not Liable in Bombing, Court Rules http://tinyurl.com/3krxsmn

Reuters, Port Authority not liable in 1993 WTC attack, court, http://tinyurl.com/3g86e48

Jurist.org, New York court: Port Authority not liable for 1993 World Trade Center bombing, http://tinyurl.com/3mzrq3o

Thursday, September 22, 2011


Read and forgotten


What happens when a person applies for a job.

The Rerader's Digest version:

    HR reviews the resume to see if the candidate meets the requirements.

    The hiring manager reviews the resume and may decide to interview the candidate.

    The candidate is hired - or not.

    The resume goes into the files, be they paper or electronic, with the intent that the information will be readily available in the future.

    And then the resume is forgotten.

It happens all the time, in all manner of organizations.

Case in point. I was on a contract when I learned that a fellow - a staff person - two doors down from my work area had business continuity experience.

I'm glad I got the job, but the client HAD AN EXCELLENT RESOURCE IN HOUSE.

The guy was doing something other than business continuity and no one either bothered to ASK if anyone in the area had business continuity experience or to check the resume database.

I was hired at one company as an IT business analyst, basically to go between my boss and his customers, people who he promised to give what HE wanted to give them.

Somewhere along the way, a decision was made at a pay grade far above my boss' that the organization needed a business continuity plan, something more than what a colorful Big Name company called "business continuity."

Anyway, I went flying into the boss' office waving my resume and pointing to 8 or so years business continuity experience.

I got to do the plan, my boss ignored the recommendations, the facility was closed for a week due to power outage, and my boss was transferred to a less desirable location. At this point I already was working elsewhere.

While ostensibly employed as a technical writer, my employer needed some marketing created. Having been a marketing director - that and $5 may buy a lousy cup of coffee - at another outfit, I volunteered my services - knowing that HR never read that part of my resume.

At another tech writer job, I reminded my boss that I one flacked for a university and we started some PR/marketing projects "in my spare time." Since I also was a former reporter/editor and printer, we starting producing an internal/external (to our distributors) newsletter, complete with black and white (read "inexpensive") co-op advertisements.

Many people have broad backgrounds, either as a vocation or avocation.

I know people who are HAMs - amateur radio operators who have all manner of equipment, mostly high frequency shortwave, but their knowledge of two-way communications covers the frequency spectrum. A great asset when considering two-way radio as an alternative communications option.

Once, between "real" jobs I worked tinning railroad "stuff."* At one point my boss offered to teach me to drive a forklift. I stupidly passed on the opportunity.

Turns out on my very next "real" job that talent would have been very useful; we needed to move some crates. We had a forklift, but no one - not my boss, not a co-worker, and of course not this scrivener - knew how to operate the machine. We had to wait - and wait and wait - until someone with the skills I could have acquired for free came to drive the forklift to move the crates.

All this leads up to a suggestion that risk management practitioners get to know as many of the folks as possible; chat with them; find out their interests, their backgrounds, their hidden talents and skills.

If you are working for a monster company where the folks on the third floor don't know the people on the sixth, make friends with HR and maybe, just maybe, they can help you identify those hidden attributes.

Or you can make it part of a risk management questionnaire, but be forewarned, in a monster company you'll be burning lots of midnight oil getting all this good information into a database on your computer.

But it could prove to be a very useful exercise.

* I also once worked pickling metal for a CIA front. I didn't know it was a CIA operation then, but it makes a good story now.  

If I wrote it, you may quote it.

Wednesday, September 21, 2011


My bosses made me do it


This will be short.

If you believe Jerome Kerviel, the Société Générale trader who allegedly lost billions for his company, the reason he managed to gamble so much at a time was because, he told Der Spiegel, his "supervisors had deactivated the system of alerts. If I had wanted to, I could have even invested €100 billion in a single day. My bosses removed all the safeguards off my computer."

The Der Spiegel article is online at http://www.spiegel.de/international/business/0,1518,729155,00.html.

According to Kerviel, his supervisors knew about his bogus trades. "Already in April 2007, they received an e-mail saying that I was making bogus trades with nonexistent counterparties on a massive scale. My bosses told me that I should take care of the problem. Over the course of 2007, they received many more e-mails on the same issue."

It should be noted that, again if Kerviel's claims are true, that the trader made billions for his employer by risking similar large amounts.

He came crashing down, perhaps bringing Société Générale with him, when be made several wrong bets and lost roughly €5 billion.

What could a risk management practitioner have done?

Aside from going to whatever authorities regulate trading in France, it would seem "not much."

Obviously - and again, if Kerviel is being honest - management was willing to close its eyes to his excessive and bogus trading - he had been making profits for the company after all - and turned off some of the risk prevention or limitation controls.

Could an auditor have discovered this?


Could email monitoring have uncovered it. Likely as Kerviel stated, "they (management) received many more e-mails on the same (bogus trades) issue."

It is often frustrating to advise management about risks and means to avoid or mitigate them only to have management either ignore the recommendations or to actually work to enhance the risk as Kerviel claims his management did at Société Générale.

It's worth reading the entire Der Spiegel interview with Kerviel.


If I wrote it, you may quote it

Tuesday, September 20, 2011


Partial risk list


I was putting together a short version of my BBA and MBA-targeted presentation Risk Management - an introduction and I started thinking about risks - a/k/a threats - that a risk management practitioner would identify, but that a business continuity practitioner probably would consider "out of scope."

There are only 76, but the list hardly is "all-inclusive." An " * " by an entry indicates a risk I would expect a business continuity practitioner to identify.

  1. Acquisitions

  2. Alternate site options *

  3. Alternate site - short term

  4. Alternate site - long term

  5. Auditors

  6. B&D insurance

  7. Business interruption insurance *

  8. Changes (personnel, processes, product, etc.)

  9. Chemicals - for processes, cleaning

  10. Civic events

  11. Clients/Customers

  12. Competition

  13. Compliance - all areas (HR, product, supplies)

  14. Construction

  15. Copyright, trademark issues

  16. Discrimination in workplace

  17. Disabled and the ADA

  18. Documentation (government-required, processes, product, etc.)

  19. Employee travel

  20. Employee welfare *

  21. Ethics

  22. Evacuation/Sheltering policies

  23. Family issues (domestic violence, illnesses, death, etc.)

  24. Financial vendors

  25. Fire *

  26. Flood *

  27. Government - Federal

  28. Government - Local

  29. Government - State/Provincial

  30. Harassment of/by employees

  31. HazMat on site *

  32. HazMat off-site

  33. Hiring practices

  34. Hurricanes *

  35. Injuries (staff, visitors)

  36. Image (corporate, executives)

  37. Industrial espionage

  38. In-place sheltering site and policies (safety, food, legal issues)

  39. Internal communications *

  40. IT failure *

  41. Legal

  42. Loss of facility other than fire, flood (plane, satellite crash)

  43. Management

  44. Marketing (false claims, etc.)

  45. Media response *

  46. Neighbors

  47. Planning and Zoning *

  48. Policies & procedures

  49. Politics

  50. Public relations *

  51. Regulators

  52. Relocation - to/from alternate site

  53. Remote recovery conditions

  54. Secondary strikes

  55. Security - data *

  56. Security - facility (inside and outside)

  57. Security - intellectual property

  58. Social media

  59. Special interests (e.g., ADA)

  60. Stock and bond markets

  61. Succession

  62. Supplemental staffing (vetting)

  63. Telecommunications failure *

  64. Terrorism

  65. Tornados *

  66. Training - incorrect, incomplete

  67. Transportation *

  68. Utilities *

  69. Vendors *

  70. Vendors - post-event

  71. Vendors' vendors

  72. Web site

  73. Work actions *

  74. Work actions - government agencies (fire, police, Customs)

  75. Work actions - secondary (vendors, transportation, etc.)


There always is a ubiquitous "other" that can be discovered during all-hands "What If" sessions. As this is written, Chicken Little's worst fears are coming to fruition - the sky is falling, or at least parts of a man-made satellite are bearing down the third planet from the sun. It can't be a "black swan" - or even a grey one - since you and I know about it.

PowerPoint short and long Risk Management presentations available to BBA and MBA programs.

If I wrote it, you may quote it.

Sunday, September 18, 2011


Evolution of a practitioner


The other day a fellow seemed to be challenging my bona fides, so I thought to put together how I happen to be an enterprise risk management practitioner.

I was introduced to risk management at the tender age of a few days.

I didn't know it then, but my first encounter with risk management was in the form of preventive medicine.


As I got older I was taken annually for check-ups and shots - still painful, but I was rewarded with a stick of Wrigley's Juicy Fruit chewing gum.

When I was old enough, I joined the (U.S.) Air Force.

More shots and vaccinations.

Somewhere along the line I encountered veterinary preventive medicine; I must have been on a work detail before starting a specialty school - I was to become a corpsman.

The Air Force drummed into me the need for risk management.

Not just preventive medicine, but as a way of life.

It also convinced me of the value of training, training, and more training.

When the Air Force and I parted company, risk management pretty much was forgotten.

But lessons die hard.

Back in the day I used to carry in the trunk of my car

  • 5 gallon can of gasoline

  • 5 gallon can of water

  • fire extinguisher

  • flares

plus the standard jack and spare tire.

In the glove box I had a flashlight and fuses.

Back then, leaded regular was about 50 cents-a-gallon so I could afford to give 5 gallons away if I encountered a stranded motorist.

I didn't realize it then, but I was practicing a level of risk management.

For a number of years I worked as a reporter and then as an editor, happily knocking across the country.

Sometimes the newspaper paid for my relocation, sometimes not.

I used to staple a note to my tax forms explaining why I had - or did not have - high fuel deductions. Back in the day, relocation expenses and job-related expenses - i.e., gasoline for a reporter on the beat - were tax deductable with a lot less paperwork. The note was "risk management"; I was never invited to an audit of my returns.

I went overseas as a reporter/editor and came back as a tech writer. I also had done a brief stint as a PR flack.

While overseas, I was documenting mil-spec equipment and systems.

The military - at least the militaries what bought our products - expected to maintain the products, beginning with preventive maintenance.

Preventive maintenance. Preventive medicine. The connection.

Still, risk management was, at best, an after thought.

Working as a contract technical writer, I was engaged to document a disaster recovery program for a national data network. While I did the job, I also bothered the DR pros to find out what DR was all about.

Interestingly enough, about 6 months after the project was completed, the network failed, but because of "our" work, it was quickly restored.

A little later I went to work for a consulting house as a tech writer.

One of our clients monitored data networks. Our client had told its client that it had a business continuity plan. When our client's client asked to SEE the plan, our client asked us to develop a plan "yesterday."

Fortunately for all concerned, we knew the client's operation and we managed to put together a solid continuation of operations plan with not one but two alternate sites; all sites were at least 1200 miles from each other so we could avoid environmental risks.

We - the Business Unit Manager (BUM), the Technical Manager, and this scrivener put the plan together in a matter of a few days. There was no training, no maintenance procedure, no extended contact list, and indeed no response plan other than to "redirect the data to Alternate Site A if available or Alternate Site B if A is not available.

If the communications link failed - and that was THE concern - there were alternate links and the techs could track down the break almost at their leisure.

In retrospect, it wasn't much of a plan, but it WAS a plan . . . of sorts.

Somehow our man in the state capitol managed to sell a business continuity project to a state department.

The company brought down a DRII certified practitioner from Canada to be the technical lead and installed a Project Manager to keep the books. Our girl-from-Canada brought along a fat binder of someone's How to Do Business Continuity instructions and forms; we quickly discovered they were of little use other than as general guidance.

This gig is where I learned to appreciate "all hands" meetings where people can play off each other as they think about risks to their processes and the resources they use to perform the processes.

Both the BUM and I decided certification might be a good idea - this is early 1999 and everyone was thinking Y2K, so I researched the options. DRII was well known, but it was highly recommended that an expensive pre-test course be taken to learn DRII's buzz words and alphabet soup. Then the candidate had to wait until a test venue could be set - testing was at specific sites at specific dates.

The alternative was Norm Harris' Certified Recovery Planner (CRP) certification. His Harris Institute, besides offering a more economical way to certification, appealed to me because DRII accused Harris of "selling" certification . . . while it was selling courses and certification. Pots and kettles.

Anyway, I took four increasingly difficult tests that were reviewed by none other than Norm Harris, a founding father of the industry. On one test I wrote an answer with which the pro disagreed. He called me from Ohio - I was in Florida - to explain the error of my ways.

There were, however two problems with my CRP certification.

Problem One: Hardly anyone outside of the industry knew about the CRP designation.

Problem Two: Norm sold his business, including the certification end, sealing the fate of the CRPs.

Once again I was looking for a suitable certification, and remembering the hassle (then) to get DRII certification I found The BCI, often incorrectly referred to as the British Continuity Institute.

At the time certification was based on what you knew and could prove. I paid the fee, provided the evidence, and became a Member of the BUSINESS Continuity Institute.

Meanwhile, I am working contracts for some Fortune 50 companies, a couple that owned banks so I became familiar with FFIEC expectations. I also worked for a municipal government, an energy developer, a shipping company, and a former leader in the defense industry. There were some other "odds and ends" and some interesting Y2K work to round out the background.

As I learned more and more about business continuity, I began to realize business continuity is too limited for what organizations need.

Business continuity looks, correctly, at the profit center. Then it expands out to the obvious resources - vendors, utilities, in-house resources, including InfoTech.

But business continuity rarely considers (alphabetically)

  • competition
  • customers
  • ethics
  • financial vendors
  • government regulation
  • image
  • policies and procedures
  • succession plans
  • travel
Being a former reporter I need to write and not being very good at keeping things to myself, I started writing Run Of Press (ROP) copy for the Disaster Recovery Journal (DRJ). Editor Jon has been running two John Glenn articles-a-year since, I think, 2004. The byline also has appeared in other professional, trade, and general media, but DRJ gets the bulk of the copy.

Today I fancy myself a mentor to tyros and someone with whom other practitioners compare notes.

Now, as Paul Harvey used to say, "you know the rest of the story."

Someday I may explain why the rabbit avatar.