Tuesday, March 29, 2011

ERM-BC-COOP: Recovery phases


Those of us who "test" our risk management plans usually check to see the reaction at the crisis point: when the event occurs and immediately thereafter.

Realistically, that's about all we can economically exercise, and even that often is pushed down to a simulation.

What we rarely consider is incremental recovery.

For example

  • You operate an IT-dependent call center.

  • The facility is destroyed; any reason will do, but for convenience, let's blame it on a fire.

  • Staff is relocated to temporary housing at a nearby hotel's Grand Ballroom; it is, after all, easily cabled and quickly readied for operations and your organization had an agreement in place for just such an occurrence.

  • The InfoTech operation is worked from a hot site.

  • Business returns to less or more normal operation within 72 hours.

End of exercise.

Now consider,

  • The nearby hotel wants its Grand Ballroom back after 90 days - or less.

  • The cost of maintaining InfoTech at the hot site is becoming prohibitive.

  • The original facility is still far from ready for occupancy.

  • The operation must be moved to another temporary home.

Is looking for a long-term temporary facility in the plan?

Is even consideration of a "restore or relocate" option in the plan, and if so, what are the decision parameters?

What does it take to relocate?

A project risk management plan.

Granted, the details of the project risk management plan may be "out of scope" for the overall organizational risk management plan; after all, decisions made following the initial event will drive later efforts in one direction or another.

Still, the organizational risk management plan needs to consider

  • Temporary facility options.

  • Long-term facility options.

  • Consolidation of business units and support units, e.g., HR, InfoTech, including acquisition, installation, and testing of equipment and systems.

  • Impact on personnel, especially if the alternate sites are distant from the original location.

Basically, the relocation project plan will be similar to any facility relocation plan.

The planning team should include the project manager and the risk management practitioner, along with representatives from both internal functional units and external participants - vendors, local fire, police, building, utilities, and zoning offices, perhaps others. The "involve everyone" philosophy is based on the knowledge that one person cannot think of everything; a risk management plan should never be created in a vacuum.

What could possibly go wrong? A partial, alphabetized, list must include:

  • Building lacks occupancy permit.

  • Equipment deliveries delayed.

  • Installation personnel unavailable when scheduled.

  • Telephone and Internet connectivity delayed.

  • Vacations and holidays ignored in the time line.

  • Vendors fail to get required permits when anticipated.

  • Wiring to the building is delayed.

Bottom line: Failing to consider post-crisis events beyond the typical 72-hour "return to minimal operations" requirement can prove to be a greater disaster than the original event. The initial crisis caused a "hiccup" in operations for which the organization was prepared; the post-event activities easily can put a recovering organization out of business unless this period, too, was considered in the overall risk management program.

John Glenn
Enterprise Risk Management practitioner
Hollywood - Fort Lauderdale Florida

Monday, March 28, 2011

NFPA Seeks input on new 1600


The National Fire Protection Association is in the process of developing the 2013 edition of NFPA 1600 "Standard on Disaster/Emergency Management and Business Continuity Programs." The standard was originally published in 1995; development of the 2013 edition (its 6th edition) is well underway.

The technical committee encourages emergency management and business continuity professionals to review the 2010 edition of NFPA 1600 http://www.nfpa.org/assets/files//PDF/NFPA16002010.pdf and submit suggested additions or revisions online via NFPA's Online Submission System http://submissions.nfpa.org/onlinesub/onsubmain.php, or you can download and complete a Document Proposal Form http://www.nfpa.org/assets/files/PDF/CodesStandards/NFPAProposalForm.doc (Microsoft Word format). Instructions for submitting the form via mail, fax, or email are included at the bottom of the form.

The deadline for submissions is May 23, 2011.

The NFPA 1600 technical committee will meet over the summer to review all submissions and issue a first draft of the 2013 edition. Committee action on your suggestions will be published for public review.

Following publication of the first draft, there will be a second opportunity to submit comments before the 2013 edition is published around the end of 2012.



    If you have questions, please contact Mr. Orlando Hernandez, NFPA's staff liaison to the NFPA 1600 technical committee. He can be reached at (617) 984-7482 or ohernandez@nfpa.org

Friday, March 25, 2011

ERM-BC-COOP: Unexpected result


A headline from the Dow Jones News Service announces:

Global Food Scare Widens From Japan Nuclear Plant

The leed (cq) paragraph reads:

TOKYO (AFP)--Countries across the world shunned Japanese food imports Thursday as radioactive steam leaked from a disaster-struck nuclear plant, straining nerves in Tokyo.

In my enterprise risk management plans I normally include loss of customer base. Fortunately for me, that is sufficiently "generic" to cover just about everything.

In my own mind, I am thinking about competitors "stealing" customers, customers failing or changing direction, or simply going out of business "because" - because the owners retired and there was no one to buy the shop or the owners died and lacked a succession plan or . . .

I confess it never occurred to me that radiation exposure could destroy a market.

It should have occurred to me.

Remember "swine flu" when many ill-informed people stopped eating pork products?

How about the number of people who swore off beef for fear of Mad Cow disease?

Or, the folks who avoid all fish because some fish have high mercury levels.

There is at least a scare-a-day in the food industry.

Scares go beyond food products.

When Ford Explorers equipped with Firestone tires had more roll-overs than normal, tire buyers looked at brands other than Firestone . . . and SUV purchasers had second thoughts about Ford.

Toyota; need more be said?

The product need not be "bad" to cause the public to shun it.

It may simply be perceived as bad or substandard or dangerous.

When a plane crashes, airline management knows it can expect a brief drop in reservations and perhaps some cancellations.

Trouble on board a cruise ship? Expect management to offer perks to get people to suppress their fears and book a cabin.

Since food irradiation is being promoted in some circles - and strongly opposed in others - I am not certain food from Japan - and Japan's waters - should be avoided.

At the same time, I am not sure what type and what level of radiation may be on, or absorbed by, food products. Are there any counter-measures? Will carefully washing food products suffice? Until I have answers from people I consider authorities, I, too, may pass on Japanese food products.

The previous paragraph gives you a potential mitigation option.

Promulgate positive expert opinions that the product is safe - assuming it is safe.

Or, take the Johnson & Johnson "Tylenol" approach - announce a massive recall of the product until it can be proven safe. J&J may have lost some revenue from its Tylenol recall, but it probably gained customers and certainly gained respect for its bold action.

There are so many ways an organization can lose market share. Some, such as loss of customers due to perception, can be mitigated if not avoided.

Perhaps looking more at why customers might leave the fold will help my clients protect their bottom line.

No matter how loss of customer base is treated - generically or specifically - the threat is serious and must be included in all enterprise risk management plans if they are to be successful.

John Glenn
Enterprise Risk Management practitioner
Hollywood - Fort Lauderdale Florida

Thursday, March 24, 2011

ERM-BC-COOP: Supply chain


With all the activity in Japan, many people are starting to realize their supply chain is a critical part of their business.

It is, in many ways.

The "Japan issue" is supply chain interruption.

There also is a "China issue" that focuses on dangerous products.

Finally, there is the "Just In Time issue."


Japan Issue

The "Japan issue" really is only incidentally about Japan and its current problems.

It can apply to all vendors, regardless of geographic location, product, or service.

The obvious concern is that something will prevent a vendor from delivering whatever the vendor is contracted to deliver - product, service, casual staff.

Less obvious is a concern that while the vendor may show up on demand, the vendor will be unable to meet its contract because the vendor lacks a part or a skill.

Example 1: The hard drive fails and a replacement is needed. Trouble is, the vendor lacks the part and the hard drive manufacturer is unable to ship a replacement due to any number of reasons - a strike, transportation shutdown (weather, strike, accident), temporarily out-of-stock. Unless the vendor who shows up on your doorstep has lots of call for your particular hard drive, don't expect him/her to have one handy. Still on the hard drive. You have a replacement drive in house. But you lack installation documentation and, even if it was available, you lack the tools to remove the old drive and install the replacement drive. (Yes, Virginia, I write from experience.)

Example 2: Local event damages multiple businesses in your area. You need a vendor to restore the facility (dry it out, patch the holes, paint the walls, etc.). You also need some casual or supplemental help to pull wires, hang tapes, catch up with correspondence and more. But there is an obstacle in the way: your organization has less "pull" than others in a similar situation. Your insurance adjuster is busy elsewhere; when the adjuster will show up on your doorstep is anyone's guess and as for cutting a check . . . The restoration people, as most business folks who want to stay in business, will respond to the bigger organizations (with more damage and more money) before they can get to your operation. Ditto staffing agencies, especially if the staffing agency has a long-standing relationship with others - such as your competitor. If your organization is less than the 800-pound gorilla, it would be well-served if functional unit managers (e.g., Facilities, HR, IT) were to become acquainted with agency staff.


China issue

The China issue boils down to too many vendors from one location selling less than quality products, be they tires or medicines or toys.

Like the "Japan issue," the China issue is not restricted to China. The problem might originate at your neighbor's if that neighbor supplies a product or service.

As a responsible organization, it is your responsibility to establish incoming quality control. Never depend on anyone else to inspect the product, not even - or perhaps especially - the government.

How many parts per 100 or 1,000,000 depends on a number of factors, but the most important is the vendor's history. If the product has "Made in China" labeled on it, a 100 percent inspection may be in order.

The bottom line is that one way or another, when your organization's name goes on a product, it is yours and your organization's reputation - and future - is on the line.


Just In Time issue

The Just-In-Time issue is kin to the "Japan issue" in that the buyer needs to know that the vendor will provide its product on time, in quantity, and in quality according to contract.

In both cases, the customer - your organization - needs to review the vendor's business continuity plan, or at least a sanitized version of it.

If the vendor depends on vendors, you need to see if your vendor has seen its vendors' plans. How far down the Vendor Road do you need to go? How critical is the vendor's product or service?

If there is a suspicion the vendor might falter or fail, your organization has several options: it can help the vendor shore up its weaknesses or it can look for alternate vendors.

If your vendor is the only vendor available, your organization just found itself in the warehouse business; it will need to stockpile sufficient product to weather a storm along the supply line.

The storm, by the way, need not come from your vendor. It could come along the way in the form of a transportation strike, weather event, or anything that prevents the product from moving from Point A to Point B. (By extension, that also means from your Point B to your customer's Point C.)


Weakest link

As with all "chains," the supply chain is only as strong as its weakest link. Finding that link is the job of the risk management practitioner with help from many sources, both internal and external.

Finding risks, rating risks, and finding ways to avoid or mitigate the risks is the fun part of the business. It takes a curious mind and a fair amount of imagination applied to playing the "What if?" game to be a successful practitioner.


John Glenn
Enterprise Risk Management consultant
Hollywood - Fort Lauderdale Florida

Thursday, March 10, 2011

ERM-BC-COOP: Domino effect


Unrest in Libya and elsewhere in the Middle East.

Oil prices shoot up.

Gas prices hit new highs.

Saudi Arabia promises to make up oil deficit.

Oil prices dip - a bit.

Gas prices rise again.

What does it mean to my business?

Possibly a hit to the bottom line.

If my business manufactures something, my raw materials will cost more.

My vendor has to pay more to get raw materials for its operations.

The transportation that brings the raw materials to my shop costs more.

The fuel my company uses to create our product costs more.

My employees pay more to get to and from work.

It costs more to ship our product to our customers.

We raise our prices

  • to compensate our employees for their added expense (Priority One)

  • to pay the additional vendor-side expenses

  • to cover our shipping costs to our customers

The $64,000 Question is: Will our customers pay the new price?

Service industries are no better off.

Most have parts to sell/install, and therefore they, too, have increased "vendor-side" costs.

Many provide on-site support - plumbers, electricians, computer techs, ERM/BC/COOP practitioners. There is travel to, and from, the client site. Travel costs have to be recouped, either through a direct charge or by increasing the service charge.

Last month I could have flown to San Francisco for, say, $800. Today, March 10, 2011, a similar ticket on Delta Airlines will cost $1,504 (plus another $41.30 for taxes).

Will lodging costs go up? Probably; hotel and motel expenses are rising just like ours.

What about insurance coverage? Will that go up as well? Does insurance fall into the "service" category? 'Nuff said.

If an organization can move some or all of its operations out of a central facility to its employees' homes (virtual office), there may be some savings, but who will pay for the employee's Internet connectivity, especially if the employee doesn't otherwise have connectivity? Will it be subsidized if a faster-than-dial-up service is required?

Despite government promises since 1975 to encourage "going green," very little has been done to accomplish that goal. True, some things ARE more efficient, but Americans still are highly dependent on foreign oil; whether or not we have enough domestic oil and whether or not it is politically correct to drill for it is another issue. While that issue is very much a concern of ERM/BC practitioners, it is NOT one for this blog - at least not now.

The problem we are facing today is nothing new and, in fact, it is so far not as bad as it was in 1975, but it has the potential to reach that level.

If you were around in '75, try to recall what happened to real estate prices. While I can't see the linkage between oil shortages and real estate prices, I know real estate prices soared about the same time.

Call it the ripple effect or the domino effect, the impact touches all of us, directly or indirectly. We need to consider this and other "unpredictable" events as we create ERM/BC plans and programs.

What excuse does anyone have for failing to include hits to the profit margin from any source? I can't think of any.

Friday, March 4, 2011

ERM-BC-COOP: Awareness

The first line of defense


Too many practitioners overlook an organization's most critical risk managers.

We worry about a variety of risks and ways to avoid or mitigate them, often at great cost to the organizations.

We promote responder training.

Hopefully we also promote both in-place sheltering and evacuation exercises, not forgetting that some folks are less mobile than others.

But what we rarely seem to do is to train the folks on the ground to be First Alerters.

We need to take the admonishments we hear at the airports and other transportation hubs into the organization's operations and we need to greatly expand that admonishment.

The admonishment, in its most simple words, is "Be aware of your surroundings; if you notice anything suspicious, tell someone."

Employees know what sights, sounds, noises, and smells are "normal" for their environment.

They need to be encouraged to be aware of any changes to those sensory inputs.

Consider: You are walking around your neighborhood. Animals are scurrying about, birds are serenading you, all is right with the world.

Suddenly everything becomes still. The animals disappear; the birds are silent.

You notice that. If you're more than six years old, you know this change in your sensory perceptions probably means a change - perhaps a drastic change - in the weather.

Now go inside.

You are working at your desk and you start to smell melting plastic. The smell suggests that you look for the source. You find it - an electrical wire, pinched by a desk, that is starting to smoke. Left unattended, the wire would catch fire, a fire that could ignite other materials leading to a true conflagration - a disaster.

But, if you knew what to do, and did it in a timely manner, the disaster might be avoided.

Computers and telephones are a risk that, if personnel are alert and recognize a danger, can be avoided with minimal impact and at no cost to the organization.

Someone gets an email that the installed anti-virus program flags as carrying malware. Rather than simply DELete the offending email, the employee needs to know to inform InfoTech and fellow employees - "Watch out for emails from the.malware.com domain." Telephone calls can be a miscreant looking for personal, personnel, or sensitive organizational information.

A situation need not be life threatening to deserve someone's attention.

A leaking pipe needs to be reported before a "slip-and-fall" situation occurs or before the leak causes damage to the floor and the ceiling beneath it. It is a lot less expensive to put a bucket under a leak than to defend against a personal injury lawsuit or to replace flooring.

Failing to take advantage of the organization's most valuable asset's awareness seems to me nothing short of foolish.

It makes life safer for the staff and it reduces risk to the organization - and the cost is zero or minimal.

To me, employee safety awareness is a no-brainer that ought to be part of every Enterprise Risk Management program.

Thursday, March 3, 2011



I subscribe to a daily email from ADVISEN, an organization that offers "productivity and insight for insurance professionals."

Advisen's FPN - Front Page News - is a round-up of insurance-related articles.

Insurance is a small, albeit critical, part of any Enterprise Risk Management program, but the real reason I faithfully read the daily email is for "insurance-related" gems.

The email for March 3, 2010, had the following headline sampling:

    Parents sue Hunter Douglas in Boulder County after 3-year-old dies in blind cord

    Advisen Contributor Content: Dodd-Frank, SEC Enforcement, Whistleblowers and D&O Insurance

    Woman awarded $1.14M after Atlanta sidewalk fall

    Arch Coal to pay $4 million to settle pollution claims [St. Louis Post-Dispatch]

    Supreme Court rejects 'personal privacy' for corporations in Freedom of Information Act case [Los Angeles Times]

    Monitor Liability Managers to Include Social Media Coverage in EPLI Policies

The above are just samples from one day's email.

Granted, not all AdvisenFPN headlines are of interest to practitioners, but a number do get my attention.

In particular, I followed the link to Monitor Liability Managers to Include Social Media Coverage in EPLI Policies, Supreme Court rejects 'personal privacy' for corporations in Freedom of Information Act case [Los Angeles Times], and Advisen Contributor Content: Dodd-Frank, SEC Enforcement, Whistleblowers and D&O Insurance.

Social media currently is the topic du jour for many organizations; its use and abuse are constant water cooler and board room agenda items. While the article is focused on insurance coverage, it should make practitioners aware that social media can be a weapon against an organization. Is the insurance cost justified? Not for me to say, but having publicized policies and procedures on social media use certainly is a proper concern for a practitioner.

Personal privacy is limited to persons; corporations, as AT&T discovered, are not included.

The Arch Coal bit reminds us that plans and programs must be aware of the consequences of failing to adhere to government requirements, and, in some cases, industry standards - as was the case for Hunter Douglas (below).

The Whistleblowers blurb is a warning to carefully check, and recheck, insurance policies' fine print, and to make certain any changes during a renewal period are acceptable. Checking the policies may not be the practitioner's job, but it is the practitioner's job to raise the issue with management, or at least the program's sponsor.

Not every headline on the AdvisenFPN email rates my attention, but enough do that I would hate to miss a day.

Some items, such as Woman awarded $1.14M after Atlanta sidewalk fall and Parents sue Hunter Douglas give me pause. In both cases, the complaint is that the defendants failed due diligence - Atlanta failed either to maintain the sidewalk or failed to put up barriers. In the Hunter-Douglas case, the plaintiffs claim the defendants failed to follow industry standards to which the company apparently committed. This case currently is in litigation.

From an ERM perspective, both incidents could have, should have, been avoided by simple mitigation measures.

I devote perhaps 15 minutes to the AdvisenFPN each day. If I just read the headlines I'd be done much faster, but I always - always - find something ERM-related. It's 15 minutes well spent.