Tuesday, May 31, 2011

Putting a surplus to use

 

Q1:   What is piled high in sea ports and rail heads around the world?

Q2:  What is one of the biggest problems in developing countries?

A1:  Containers. 20-foot containers. 40-foot containers.

A2:  Housing; low cost, functional housing for people, schools, hospitals, manufacturing, and more.

What's the connection?

Simple - move the containers stacked in ports around the world - including every major port in the U.S. - to places in need of facilities of all types.

HAITI - Devastated by an earthquake more than a year ago, thousands of Haitians remain homeless. Schools and hospitals are rubble.

This country is pathetically poor; according to the U.S. Agency for International Development (USAID), the annual per capita income is less than $400. "Haiti is the poorest country in the Western Hemisphere," according to USAID (http://www.usaid.gov/policy/budget/cbj2004/latin_america_caribbean/haiti.pdf).

Of course Haiti is not the only country that could put containers to good use.

Refugees in the Sudan - Darfur - could be housed, educated, and provided medical care in modified containers. There are a number of companies in the U.S. that convert containers to housing - that's housing in generic terms; housing for people, for students, for patients, for offices and factories, perhaps even jails. For a small, albeit impressive, sample of container use, go to http://tinyurl.com/lk8w9w.

The "campus," below, was built of containers by Mobile Modular Management Corporation (http://www.mobilemodularrents.com/).

 

 

According to its Web site, Mobile Modular "currently serves Alabama, Arkansas, California, Delaware, Florida, Georgia, Louisiana, Maryland, North Carolina, Oklahoma, Pennsylvania, South Carolina, Texas, Virginia, West Virginia and Washington D.C."

Imagine clearing out empty containers taking up space at Gulf ports and at the same time generating a great deal of good will for the United States. If anyone wants to be assured that the folks who will use the converted units know they are a gift of the people of the United States, paint the units in red, white, and blue motifs.

Most countries have a sea port that can handle container ships. Those that don't, such as Darfur, and those that need containers inland, usually have rail lines; worst case, containers can be trucked overland. Darfur's situation is almost unique in that it is landlocked and surrounded by people not particularly friendly to the area.

We're not talking about making people live in 10 foot by 20 foot or 40 foot boxes.

Units are adapted to provide large, multi-floor facilities to meet a variety of needs.

The photo below shows a three-story facility being assembled by Germany's Container Lion (http://www.container-lion.com/en/container-raumcontainer-buerocontainer.php).

 

 

When I worked for Zim, a shipping company that carts containers around the world, I was told that it wasn't worth returning empty containers to their ports of origin. Because of economics, many ports, certainly the major U.S. ports, have containers stacked up 4, 5, or more levels high. If they are used at all, it is by local homeless who manage to sneak by security.

(Yes, Virginia, the U.S., too, could benefit by converting unused containers to dwellings, even if only as barracks and shelters.)

How much does it cost to convert containers into a different function? I imagine it depends on the function and the volume of containers to be converted; there usually are "advantages of scale."

It seems it would be a win-win situation.

The surplus containers would be reduced at the ports; companies would have work converting the units; shipping companies - are there any American flag carriers? - could carry the converted containers to their destinations; and people in need of the facilities would have a roof over their heads. Locally, we could create "container towns" where people could receive the services they need to become taxpaying citizens again.

Who would pay for all this?

The taxpayer.

But consider, the taxpayer already is paying for refugee facilities and getting nothing in return. If American companies modify the containers, taxes will be paid by the companies and the companies' employees; shippers will be paid to move the containers and again, taxes will be paid. At least this way, the taxpayer is getting SOME return on his or her tax dollar and the folks who will use the modified containers will have a constant reminder of this nation's help.

Thursday, May 26, 2011

ERM-BC-COOP: Gaining knowledge

 

Before donning my risk management hat I was in "communications."

That translates to: technical documentation, public relations, marketing, and newspapering. I never called myself a "journalist"; that was too fancy for the likes of this scrivener.

When I worked for the Harrisburg (PA) Patriot-News, I wrote a full newspaper page about Three-Mile Island and the safety controversy surrounding it at the time.

When I started gathering information for the article I knew nothing - nada, zero, klum - about nuclear energy or power plants.

By the time I was finished interviewing the pro-plant, the anti-plant, and the state's experts I knew a great deal about nuclear power plants. Hardly an expert, but "knowledgeable."

In Gillette, WY, I learned about coal; in Ely, NV, about copper mining and smelting. Aside from knowing about coal fires smoldering under some Pennsylvania towns, before I got to Gillette I had little idea of coal mining and storage. I was educated via "OJT" - "On the Job Training."

For a reporter, OJT means interviewing people. It means LISTENING to people and asking the "right" questions.

Back in the day, reporters were expected to provide, as Detective Joe Friday (Jack Webb) would intone, "Just the facts"; putting a "spin" on hard news was, to put it mildly, "discouraged."

I learned about government's inner workings by interviewing the people in the know. Ditto higher education, banking, transportation, and other topics I discovered really interesting.

The thing I learned early on, and the key to whatever success I had as a "communicator," was how to ask questions. Listening to the answers, and often following a tangent suggested by my source, was a major part of Interviewing 101.

This rant is prompted by a blog I read earlier today by auditor Richard Chambers. The entry that caught my eye was titled "You Don't Have to Be a Clown to Audit the Circus," in which Mr. Chambers makes much the same point that I often try to make here:

    The risk management practitioner need not be an expert in every business function in order to protect the function from risks.

The risk management practitioner, like the auditor, needs to be expert in his or her field; in our case, risk management.

I don't need to know the inner workings of a micro computer nor how bits and bytes are packed for fast transit to "wherever." Likewise I don't need to know double-entry bookkeeping or how to disassemble a 16-inch valve, or how to run a switchboard/reception desk, or even how to provide building security.

I DO need to know how to talk to the people who do these things.

Just for the record, I have done everything except double-entry bookkeeping.

At one point I knew nothing of the Federal Financial Institutions Examination Council; I couldn't even spell "FFIEC." But I listened to a client and "discovered" the FFIEC on the WWW.

Funny enough, my next client needed my knowledge of the FFIEC.

Besides the ability to listen, interviewers - be they risk management practitioners or auditors - need to be sincerely curious about the processes performed by the folks we are interviewing.

We need to listen to everyone - managers AND the people in the trenches.

    I once asked an HR manager if he had anything I needed to consider as a risk.

    He thought and replied: "Not a thing."

    His assistant - who had more HR experience than the manager - innocently asked "What about the I-9s?"

    Suddenly the HR manager realized he did have something the lack of which could be very expensive if the Feds came asking for the paperwork.

Talk to everyone.

Listen to everyone.

What we do NOT need to be is a Subject Matter Expert (SME) in all things.

There is a "flip side" to all the above.

A person who is an SME for, say, an HP3000 running Oracle might think he or she knows everything there is to know about HP3000s running Oracle; after all, the expert just completed an audit/plan that involved an HP3000 running Oracle.

Except THIS HP3000 has a different OS version and the Oracle is "tweaked" differently and ...

I knew how to fly an Aeronca Model 7 Champion, but rest assured flying a "Champ" is a great deal different from piloting a Boeing 7*7 or even a Beechcraft King Air 350i. (By the way, when did the Beech Banana [Bonanza] lose its distinctive "V" tail?)

Friday, May 20, 2011

ERM-BC-COOP: Terror targets

 

According to a Global Security Newswire article of May 20 (http://gsn.nti.org/gsn/nw_20110520_2896.php), headlined "Antiterrorism Program Cuts Funding for More Than 30 U.S. Cities," "More than 30 U.S. cities have been informed by the Homeland Security Department that they will not receive terrorism preparedness funding under one top grant program in this budget year due to budget constraints, the Associated Press reported on Friday."

Naturally all the communities on the chopping block are asking "Why us?"

The Big Cities are getting the dollars, but the cities in the hinterland are not. The article states that "Some of the cities that will lose out on program funding include Providence, R.I., Hartford, Conn., Bridgeport, Conn. and three Texas cities -- Austin, El Paso and San Antonio. Those Texas population centers were awarded roughly $14.5 million from the funding initiative in fiscal 2010."

Human life in Austin TX is as valuable as human life in New York City, so why one place and not the other?

Ignoring politics, consider the purpose of terrorism: Not (just) to kill and maim, but to strike fear into the population.

As a terrorist, where could I do the most damage?

Austin TX where the folks likely would take up arms and hunt me down?

Or unarmed New York City, which not only strikes at Americans but at visitors to these shores as well.

Compare Columbus OH with San Francisco. The California city, like Greater New York, has a high density population assuring a bigger bang for the buck, the bang being both death and injury as well as panic and lingering fear.

Also consider that some of the communities that will receive the Fed's largesse are port towns - New York, Boston, LA, San Francisco, Seattle - and some of the towns with reduced or eliminated funding are port-free, Bridgeport CT and San Antonio TX being two examples.

It is possible that the terrorists will attack wherever an opportunity is presented, but both domestic and imported terrorists typically go for the greatest exposure.

Jerusalem and Tel Aviv are more often the scene of suicide murderers than Bet Shean and Zefat, both "tourist" towns but off the main roads.

As with all things "risk management," avoidance and mitigation measures must be focused on the greater risks, the more probable risk with the greatest impact if allowed to occur.

I don't live in any of the communities mentioned in the article, but I do live close to several major sea and air ports and in an area with more possible threats than anyone dare count.

While it would be nice if money to defend against terrorists were unlimited, that is not the case, so the standard probability vs. impact matrix we routinely use needs to be applied to anti-terrorist funding.

Basic risk management.

No one likes it, but it's the reality of budgets.

Wednesday, May 18, 2011

ERM-BC-ERM: Ripple effect

 

I talk about the ripple or domino effect quite a bit.

Sometimes this is in connection with vendors.

According to a United Press International (UPI) piece on Advisen FPN, "The (U.S.) Federal Reserve said manufacturing production fell 0.4 percent in April after nine consecutive months of increases. The most notable drop in the sector was a decline in vehicle production, which fell to an annual rate of 7.9 million units from a previous rate of 9 million." (Emphasis mine.)

The Fed blamed the decline in auto production on Japan's earthquake.

Consider the global picture.

Japanese parts destined for U.S. assembly plants were not manufactured, so they were

  • not stuffed into truck-to-train-to-ship containers
  • not shipped to Japanese ports
  • not inspected by U.S. agents stationed in Japan
  • not shipped to the U.S. west coast ports
  • not off-loaded by union stevedores at U.S. ports
  • (import duties, if any, were not collected)
  • not shipped by rail and truck to assembly plants
  • not assembled into "American made" vehicles
  • not shipped by rail and truck to dealers across the U.S.
  • not sold by sales people at the dealerships

Plus, additional parts never made it to dealership maintenance facilities, so faulty or damaged parts were not replaced, possibly putting unsafe vehicles on the road.

But it doesn't stop there.

I'm not sure if anyone at any of the Japanese assembly plants in the U.S. was laid off, but I am sure that sales people who have nothing to sell have $0 commissions, so unless they have a nice financial buffer in the local bank, there could be missed mortgage payments, reduced spending at the supermarket, fewer entertainment-related purchases, fewer miles traveled - and less fuel bought, and on and on.

Granted, there may - MAY - be "pent up demand" when Japanese parts start arriving on America's shores again (meanwhile Korea's Hyundai and Kia are enjoying record sales and even U.S. automakers are noting an uptick in sales).

We have a global economy; no longer is any country's economy independent of others' economies, be they across the border or around the world.

The U.S. had an "economic meltdown" and most of the world felt the heat.

When the dominos start to fall, they fall around the world.

Something to think about.

Sunday, May 15, 2011

ERM-BC-COOP: Awards

 

The other day I read an appeal by a person claiming Business Continuity Management expertise, including, specifically "Business Impact Analysis," asking members of a supposedly professional group "for some suggestions on inclusions for a BIA questionaire"(sic). The appeal, for what it's worth, is at http://tinyurl.com/3ty5otb.

I suggested, as I often do, that people claiming expertise but lacking same, cause practitioners with time-in-grade to take up Jacob Cohen's plaint: "I don't get no respect."

We ought, I suggested to a couple of my peers, create an award with Mr. Cohen's mug on it and present it to the people who cause us to exclaim that infamous expression.

I'd show you a photo of the late Mr. Cohen, but due to copyright vigilantes I'm forced to forego the pleasure. You may, of course, visit http://tinyurl.com/3n9opvj to see the gentleman's photographs.

But today I realized we also need an award for executives who fail to engage our expertise - at least those of us who DO have the expertise - or, worse, fail to implement our carefully researched and thought out recommendations.

Such people make me MAD, and it is from MAD Magazine that I found my poster boy for this award.

Good ol' Alfred E. (http://tinyurl.com/3o23al7)

But, like Mr. Cohen, a/k/a Rodney Dangerfield, I fear to run Alfred E.'s likeness here.

But picture MAD's favorite cover guy with his famous "What, me worry?" statement on a suitably framed award.

Since I'm musing about awards, maybe there also should be an award for "business continuity" practitioners who deal only with Information Technology.

My recommendation for this award's poster boy is Moshe Dayan, the late one-eyed Israeli general and politician (or are "general" and "politician" redundant?).

Don't like Dayan? Maybe a cartoon character with a telescope. The one here is a royalty-free image from Microsoft Word's collection.

There's nothing wrong with a business continuity planner coming from an InfoTech background, but all practitioners need to understand that InfoTech usually is a profit center resource rather than the profit center.

How about an Alex Trebek (http://jackpendarvis.blogspot.com/2009/03/vintage-trebek.html) award for the client who expects the practitioner to know everything about everything, not realizing that a really good business continuity practitioner is an expert in one field: business continuity.

Have an idea for an award? Share it with me at JohnGlennMBCI@gmail.com .

Friday, May 13, 2011

ERM-BC-COOP: There ought'a be an award for . . .

 

JOHN GLENN

Enterprise Risk Management Practitioner & Curmudgeon

Most enterprise risk management (business continuity) practitioners participate on, or at least "lurk" on, one or more professional lists.

There are many.

DRJ has its Forum and a separate presence on LinkedIn.

There are numerous business continuity groups on LinkedIn, including the BC-COOP group.

There are Yahoo groups for business continuity and emergency management.

And of course there are sundry groups focused on Information Technology issues of concern to a practitioner. Most of the time, the discussions are professional.

  • A tyro asking how to approach something.
  • A pro telling how he or she managed to overcome an obstacle.

But occasionally, alas all too frequently, we read a post asking experienced practitioners to give away the farm.

Most practitioners are delighted to mentor the juniors and newbies. We once were in their shoes.

But most experienced practitioners are, to be polite, miffed when asked to do the work for a person claiming to have experience, especially when that person claims expertise in the area in which they are seeking basic help.

My refrain, one I share with a number of my peers, is "We're becoming a Jacob Cohen profession" due to people claiming expertise they sorely lack.

It became abundantly obvious when one person, appealing for help from a group, admitted via post-appeal correspondence, that his employer of many years insisted he appeal to a wider audience, despite the person's claim to expertise in the area in which he sought assistance.

It's no wonder, then, as Jacob Cohen continually whined, we "don't get no respect."

Our profession, with tyros masquerading as experts, causes us to "get no respect."

Because of people such as the tyro-pretending-to-expertise, I suggested to some of my peers that we need an award for such folk.

No Respect Award

The first "award" that comes to mind is the "We Don't Get No Respect" award.

The poster boy for this award would be the late Jacob Cohen's alter ego, Rodney Dangerfield.

Mr. Dangerfield made a career of five words: "I don't get no respect."

For us, the profession "don't get no respect" when it's populated by tyros flying professional colors. When a novice with a manufactured resume is turned loose on a client, old timers hope that these mountebanks are hoisted by their own petards.

That some organizations are cognizant that the practitioner lacks expertise is obvious when one such practitioner admitted that his employer instructed him to ask the on-line groups for help.

Microscope Award

This award could have a microscope rampant on a field of personal, macro, mini, and mainframe computers ranging from the Berkeley Enterprises' Simon introduced in 1950 - yes, 1950, that's not a typo - (http://www.blinkenlights.com/pc.shtml) to today's smallest and largest machines.

I like the microscope since the focus of this award winner is strictly Information Technology. Ignored is the fact that Information Technology rarely is a profit center; its role most often is as a critical profit center's resource.

Winners of this award are convinced that if InfoTech can be recovered following an event, all is right with the world. Never mind the profit centers that fund Information Technology and never mind avoidance or mitigation efforts.

Head In the Sand Award

The "Head in the Sand" award also could be known as the Ostrich Award; this award would feature an ostrich with its head in the sand.

This award goes to organizational management that either

    a.   fails to engage qualified practitioners, or

    b.   fails to implement the qualified practitioners' recommendations.

In the first instance, one has to wonder why a practitioner was engaged in the first place. The most probable reason is because the organization is trying to get business from a potential client that demands its vendors have risk management or because the organization has a government or industry mandate to have risk management.

We all understand that not all recommendations will be implemented, and certainly not necessarily in the order we think appropriate. That's why management always retains the right to prioritize implementation of the practitioner's suggestions.

Smart management may challenge a practitioner's priorities and perhaps the practitioner's reasoning why Option A would be better for the organization than Option B, but in the end, some option will be put into practice.

Ice Floe Award

Picture a polar bear adrift on a chunk of ice, far away from any solid surface.

The "Ice Floe" award is presented to the practitioner - or perhaps the client manager - who thinks a risk management project can be successfully put together with zero input from anyone.

No successful plan can be created in a vacuum; input must come from all sources, from newest intern to most senior executive.

Managers who refuse to share information about the organization's direction, or who prevent the practitioner from having access to all personnel whom the practitioner - not the manager - deems to have critical information, almost guarantee that should an event occur, the plan will fail.

Spilled Ink Award

Does anyone still fill real ink pens from an ink bottle?

Probably not, but a tipped over bottle of ink remains a suitable graphic symbol to award a practitioner who can't spell "practitioner."

Documentation plays a large part in every risk management program and every project within the program.

From a Statement of Work - or maybe even a proposal - to the final deliverable, the practitioner is called upon to be a wordsmith with a better-than-average command of the local language.

Indeed, the practitioner may need to communicate his or her thoughts, concerns, and reasoning to several different audiences, each with its own interests.

The practitioner who is honored with this award can claim a high level of self-confidence, sufficient that he or she forgoes spell check before submitting a document.

Know Everything Award

This award would have Alex Trebek's likeness on it and would be awarded to managers who believe a risk management practitioner needs to know everything about the organization, preferably before the practitioner's credentials are reviewed.

It's fairly common that organizations expect the risk management practitioner to be an expert in data security, but often there is a requirement that the practitioner have experience in a specific industry.

Granted, there are regulated industries and a practitioner who already knows which regulations apply has a head start, but the bottom lines are that

    a.   99 percent of all regulations are available either on-line or in the client's library, and

    b.   the core processes of all plans are the same

    • Identify key processes

    • Identify risks to the processes

    • Identify ways to manage the risks via avoidance, mitigation, or transfer

    • Prioritize the risks

    • Make recommendations to management on how to manage the risks (ergo "risk management").

In truth, the only subject in which the practitioner need be expert is risk management, a/k/a business continuity or resiliency or COOP or whatever the term du jour.

Flying Funds Award

The "Flying Funds" award, which also can be labeled "My bucket's got a hole in it" goes to management that pays to have a plan created and then ignores it. This award is related to the "Head in the Sand Award" and often is presented to the same person or management team.

This wastes the organization's finances - as well as the practitioner's and plan contributors' time - since a plan neither exercised nor maintained quickly loses its value.

Ignored plans, if ever implemented, usually fail and, as most practitioners know all too well, all fingers point to the practitioner, even if the practitioner is long gone from the job.

And finally

An Honorable Mention for pounding round pegs into a template's square holes.

This certificate is presented to managers and practitioners who believe that filling in a form or template pulled from the Web or a book will give the organization a plan that will assure its survival "in the event of."

There ARE good programs that, in the hands of an experienced practitioner, are useful tools, tools that are adapted to meet specific requirements. Unfortunately, most templates and programs in the hands of a novice only lead an organization to a false sense of security.

Tuesday, May 3, 2011

ERM-BC-COOP: Inevitable

 

An attack following Osama bin Laden's alleged execution will - not "may" - be forthcoming.

I carefully word that.

Not an "attack to avenge" or "an attack of revenge" for that would suggest that the attack will be by a Moslem, albeit not necessarily an Arab Moslem - radical Islam is not restricted to Arabs.

A revenge attack probably will happen - an attack by a Moslem individual or group, but Bin Laden's claimed death also opens the door for other crazies, non-Moslem crazies, to reap the whirlwind.

Who brought down the Alfred P. Murrah Federal Building, murdering 168 people, including 19 children?

Timothy James McVeigh, a WASP - White, Anglo-Saxon Protestant - who won a Bronze Star for service in the first Gulf War, and his partner, Terry Nichols, also a WASP, were responsible for the Oklahoma City massacre.

Theodore (Ted) Kaczynski, the "Unabomber", is a Polish American mathematician, social critic, anarchist and Neo-Luddite.

Eric Robert Rudolph, the Olympic Park Bomber, is responsible for a series of bombings across the southern United States between 1996 and 1998, which killed two people and injured at least 150 others.

Buford O'Neal Furrow, Jr. is a former Aryan Nations member and security guard who opened fire on the Los Angeles Jewish Community Center in August 1999. The shooting injured three children and a receptionist. He also shot dead USPS carrier Joseph Ileto, a Filipino American.

James von Brunn fired a weapon into the Washington D.C. Holocaust Museum, resulting in the death of security guard Stephen Tyrone Johns. Von Brunn died while awaiting trial.

Joseph Andrew Stack III flew a small personal plane into an office complex containing an IRS office in Austin, Texas after posting a manifesto on his website stating his anti-government motives and burning his house. One person other than Stack died, 13 were injured.

Not one of the above is a Moslem or even an Arab.

That, of course, is not to exclude Moslems - Arab or not - from the list of potential threats, but only to try to make all risk management practitioners and their clients aware that others may decide to ride the coattails of Bin Laden's supposed death. When a person has a mission, any excuse is a good excuse to act.

Yesterday's entry included suggestions on how to mitigate exposure to crazies.

Today's comment is simply a reminder that no one is, or should be, above suspicion.

Likewise, nothing should be taken for granted. A portable radio allegedly brought down Pan Am 103 over Lockerbie, Scotland.

Israeli airport security routinely takes "pregnant" women - including my wife - aside to "pat them down" to confirm the bulge really is due to pregnancy. The wife did not complain.

The bottom line for risk management practitioners is to be aware that "packaging" may be deceiving.

Monday, May 2, 2011

ERM-BC-COOP: Osama is gone, but . . .

 

If you believe the White House, Osama bin Laden is dead.

Shot in the head and dumped over the side of a ship sailing somewhere in some sea.

Putting aside my skepticism of political "reality" I start thinking about "What if Osama really IS dead? What can we - the non-Muslim world in general and the U.S. in particular - expect?"

My best guess is retaliation, revenge on a grand scale.

Perhaps, however, not on a grandstand scale, although that, of course, always is possible.

The difference, as I perceive it, between "grand scale" and "grandstand scale" is that "grandstand" is along the lines of 9-11 (2001), e.g., a dirty bomb in San Francisco or a sarin attack on the New York City subway system, while "grand scale" implies many smaller, but none-the-less attention-getting, fear-instilling attacks on private and government facilities.

Most of my work is in the private - non-governmental - arena, and even when I do work for governments, the work is for agencies, rather than looking at the world from Emergency Management's Police/Fire/Rescue perspective.

There is not much that I, civilian Enterprise Risk Management practitioner, can do to protect Beautiful Downtown Burbank as they used to say on "Laugh-In," but there is a lot I can do to help private sector - and even some public sector - operations.

First and foremost, people in my business need to make sure everyone is aware of their surroundings.

Long before travelers in U.S. airports, train stations, and bus depots were told to guard their luggage and to report unattended - read "suspicious" - luggage, I lived in Israel where similar warnings date back not years but decades. I have, unfortunately, seen the results of left-behind luggage whose contents killed and maimed.

Being alert means more than just thinking about luggage - although I'm often left wondering what happens to my suitcases when they are both unlocked and out-of-sight.

Being alert means occasionally glancing out the office window to see if there are any vehicles parked alongside the building.

    The Alfred P. Murrah Federal Building in downtown Oklahoma City was brought down by an explosive-packed 20-foot rental truck on April 19, 1995; the blast took 168 lives, including 19 children under the age of 6, and injured more than 680 people.

    A truck bomb was detonated below the North Tower of the World Trade Center in New York City. The explosion was intended to knock the North Tower (Tower One) into the South Tower (Tower Two), bringing both towers down and killing thousands of people. While it failed to do so, six people were murdered and thousands were injured.

Having alert staff is only part of the mitigation equation.

Suspicious staff need to know how, and to whom, to report their observations.

The person(s) receiving the report needs to know how to react.

Finally, staff needs to know where to go in the event of a threat - outside to a parking lot that may be more dangerous than remaining inside against an opposite-to-the-threat wall.

All that needs to be considered in depth, preferably by all hands, and clearly defined in an organization's policies and procedures. It goes without saying that the policies and procedures must be known to, and understood by, all personnel.

One of the easiest ways to plant a device - be it explosive or gas - is to bring it inside on a vendor's cart.

Organizations that want to protect their staff do a number of simple things to reduce this risk.

First, all employees are issued photo badges and the badges must be clearly displayed by the wearer. No hiding the badge on the belt or under a collar.

Temps, visitors, and vendors need to be issued brightly colored badges; different colors for different categories; e.g., temps have green badges, visitors wear orange badges, and vendors wear red badges. If the organization can afford it, all badges should have the wearer's photo.

    I recently visited a hospital and was issued a paper visitor's sticker/badge with my name, photo, and badging location on it; it took only a moment to prepare the sticky-backed document that I was instructed to display prominently while I was on premise. I missed a turn in the hospital's maze of halls and, asking how to go back to Square One, a guard read the badging location and pointed me in the right direction. The hospital has hundreds of visitors each day so the cost could not be all that great.

All visitors and vendors must be under escort at all times they are on site. Even Bill, the trusted junk food vendor, needs an escort. It pays to match a vendor's photo ID with the vendor before issuing a facility vendor badge.

Back to awareness: All personnel should be alert to unescorted strangers; if the unescorted person lacks a badge, Security should be quietly alerted.

Outside in the parking lot, are there any unusual trucks of any size? Does UPS normally deliver between 8 a.m. and 10 a.m.? Is there a UPS truck in the parking lot at 4 p.m.? Be suspicious; courier services typically deliver to business addresses in the morning and residential addresses in the evening.

A smart organization will "test" its personnel. Park a truck alongside the building or in a "too-close-to-the-building" spot at the wrong time in the parking lot. Reward the first two or three people spotting the suspicious vehicle.

Have a new hire or temp walk around the facility sans badge or even with the wrong type badge.

Ask a vendor, after returning his or her badge and exiting the building, to come back and try to go back to where they were before (e.g., the break room) without checking in and being badged and escorted again.

While I favor rewards - a coupon good at a Cold Stone Creamery works for me - I would NOT encourage punishments for failures to comply, at least on the first or second offense.

Then there is the mail room.

People are cautioned not to open email attachments or follow links unless they (a) know the email sender and (b) are expecting the attachment or link.

The same basic admonishment applies to incoming mail, especially packages.

It is worthwhile for staff to hand-scan (run their hands across) envelopes to detect grainy materials inside. For organizations where the mailroom opens all mail, this may not work; in that case, the mailroom needs to be segregated and securely closed when mail is opened.

That grainy white stuff in the envelope might be detergent, but then again . . .