Monday, August 29, 2011

ERM-BC-COOP

Define that

In the Lerner & Loewe's musical version of Geo. Bernard Shaw's Pygmalion, A Play in Five Acts, Professor 'enry 'iggins loudly challenges his chum with "Why can't the English learn to speak . . . the language!"

The original "My Fair Lady" debuted on Broadway in 1956; the film version dates to 1964, roughly the same time as the Von Trapps were singing across the alps of New York and Hollywood.

Shaw's complaint in 1912, Pygmalion's initial publication date, remains a valid complaint to this day.

Granted, English is a "living language." What was nouveau in 1912 often was passé by 1956 and downright ancient by the mid-1960s.

Still, some words linger and find themselves in the vocabularies of the 21st century.

Unfortunately, and I blame it on our laziness, we - practitioners in particular - no longer use words in their "common" - as in "most understood," not "vulgar" - form. Punctuation also has been abused, and, along with our choices of words, can wreak havoc when we try to communicate critical thoughts to others. For an entertaining appreciation of punctuation, watch Victor Borge perform "Phonetic Punctuation" at http://www.youtube.com/watch?v=lF4qii8S3gw

I'm not talking - this time - about "alphabet soup" or even "techno-speak."

I'm talking about "plain English." Yes, I know the problem exists in other languages as well, but this blog is in English and the few visitors to it are English speakers/readers.

For example, a person asked "When does an incident become a crisis?"

Pretty straightforward question.

But the answers suggest that how Merriam-Webster defines "incident" and "crisis" and how some of the responders define those words are substantially different.

Just for the record, M-W defines "incident" as

in•ci•dent

1: something dependent on or subordinate to something else of greater or principal importance

2a: an occurrence of an action or situation that is a separate unit of experience : happening

2b: an accompanying minor occurrence or condition : concomitant

3: an action likely to lead to grave consequences especially in diplomatic matters

and "crisis" as

cri•sis plural cri•ses

1a: the turning point for better or worse in an acute disease or fever

1b: a paroxysmal attack of pain, distress, or disordered function

1c: an emotionally significant event or radical change of status in a person's life

2: the decisive moment

3a: an unstable or crucial time or state of affairs in which a decisive change is impending; especially : one with the distinct possibility of a highly undesirable outcome

3b: a situation that has reached a critical phase

Frankly, I don't like the word "crisis" in relation to risk management. "Crisis" suggests that things have gotten out of control and that suggests a lack of preparation.

I will accept that something can reach a "crisis STAGE" - as an example, a hurricane pushing a huge tidal wave toward the island of Hispaniola, or the liftoff of a space shuttle - but for events at most organizations, "crisis" should only be a word in a dictionary.

I am not discounting the "crisis management" function - I was on a "crisis management team" once, but our job was not to manage a "crisis" but to make certain an incident did not become a crisis. "Crisis prevention" would have been a better title.

It behooves practitioners, especially those of us who create the related and necessary documentation, to c a r e f u l l y select the words, and perhaps graphics as well, that we use for each specific audience.

It only takes a moment or two to visit an on-line dictionary - searching in an unabridged dictionary is much more interesting . . . and time consuming - to determine the most understood word for the thought you are trying to convey.

If the listener or reader fails to comprehend what you are trying to convey; if the listener or reader can possibly "interpret" the words, not only have you failed to communicate but you also may be making an incident into a crisis.

Sunday, August 28, 2011

ERM-BC-COOP

Odds & Ends

 

Two things to share, one that is suitable to share with clients, the other more on a personal level.

Thing 1: American Red Cross "Safe & Well" Web site

    The ARC "Safe & Well" Web site allows people in, or from, disaster areas to post their status on line and make it available to selected people.

    The "Safe & Well" home page is at

    https://safeandwell.communityos.org/

    Using the page takes some pre-planning and sharing of information before the event.

    Searches are by name and address (street, city, state, zip) or name and telephone number (the person who is "safe and well" may register as many as three 20-digit numbers, a match on one is sufficient).

    The information is straightforward both for the person who survived an event and for people searching for the person. The add-a-name form includes a dropdown menu with a list of current disasters, but is made flexible by offering an "Other" option.

    The site is well supported by HELP (how to) and FAQ pages.

    The only pre-event activity is to make sure the people who you want to find you (or the people you want to find) have the critical search information: first and last name, as many as three (3) telephone numbers, and a complete address. The more information the more accurate the search.

Thing 2: Closing out social networking accounts

    AccountKiller,

    http://www.accountkiller.com/en/

    is a Web site that lists ways to kill/delete accounts at a number of services, including

      4shared, 9lives, Aardvark, About Me, About.com, Adobe, Adsense, AdultFriendFinder, AIM, Alexa, Amazon, Amigos.com, Amplify, Ancestry.com, Answerbag, Answers.com, AOL, Apartment Therapy, Auran, Backupify, Badoo, Bart Smit, Battle.net, Bearshare, Beautiful People, Bebo, Beliefnet, Bigpoint, Bitly, BlackPlanet, Blekko, Blip.tv, Blockbuster, Blogcatalog, Blogger, Blogshot, Bol.com, Buitenlandse Partner, BuxJunction, CGHub, CNET, Facebook, Gmail, Google, Gravatar, Habbo, Hotmail / Live, ICQ, Microsoft Live, MSN / Messenger, Myspace, OurWorld, RuneScape, Skype, Tagged, Twitter, Windows Live, Wordpress, World of Warcraft, Yahoo, Zoosk

    Deleting personal information from some sites is relatively simple; from other sites less so.

Bonus thing: Separate personal and work email.

    Work email is not private; the employer retains the right to read both outgoing and incoming emails.

    If you ever intend to use email for something personal, get a personal account.

    There are a number of free accounts available, some of which allow you to "POP" the correspondence down to an email client such as Outlook.

    If you want to express yourself on groups and blogs - such as LinkedIn - you are well advised to set up an account with a fictitious name and employer. That may limit your connections, but you cannot be associated with - and possibly fired from - your employer for expressing your opinions. Some organizations have a serious lack of humor when it comes to unflattering information being posted for all the world to read. (Imagine that.)

Friday, August 26, 2011

ERM-BC-COOP

Who're you gonna call?

 

There is a raging debate on one of the LinkedIn groups about "Who is the best person to lead people during a crisis?"

"Someone with experience doing what needs to be done."

"Someone who has crisis management experience."

"The business continuity planner."

I've been watching the debate - and it's both good and educational - since it commenced.

Then it hit me: The person probably - and that's the operative word, "probably" - best qualified is someone who has been a squad or platoon leader in a combat situation.

Squad and platoon leaders - the sergeants, not the lieutenants - catch it from all sides. The enemy is making their life miserable. The company commander is pressing to complete the mission.

Meanwhile, the squad/platoon leader is just trying to keep the troops alive and safe.

A field medic also might be a good candidate if the medic has had to operate under fire or if the medic was faced with more wounded than could be accommodated. (Been there, done that, and learned that this practitioner, while an excellent planner, is not a crisis mode commander.)

I do not think the "crisis mode commander" need be a responder with a specific duty other than to make certain the tasks that need to be performed are performed and "meet spec."

The crisis mode commander, I think, needs to be able to direct the troops; he or she needs to stand aside and let others do what they are trained to do.

That's Management 101 - MANAGE the situation.

That's a hard job for people who need to get their hands dirty, who see something that needs doing and insist on doing it "right now" versus getting someone else to do whatever needs to be done.

The crisis mode commander has one job: commanding the troops, managing the troops.

It's unfortunate, but I suspect we have all too many people with squad and platoon leader-under-fire experience, and we have all too many medics who had more wounded than they could care for, and yes, I know about triage.

Why not simply assign a C*O as the crisis mode commander? After all, the C*O does management jobs all day long.

Why not? Because the C*O, like this practitioner, may be excellent in everyday, minimal stress operations but may fail as a crisis mode commander.

Crisis mode commanders

  • need to be able to delegate

  • need to trust the Subject Matter Experts to do their jobs "to spec"

  • need to control, as much as possible, outside interference so responders don't get frustrated by outside pressures

  • need to be able to deal with Very Senior Management to assure that VSMs don't try to hijack or redirect the response effort

  • must be cool under fire

  • must be able to change directions if it's necessary - but must also know when to maintain course; decisions must be made, sometimes with incomplete information

  • must realize that they probably will make a mistake - we all do - and have enough self confidence to get on with the job at hand

The crisis mode commander's only response function is to control responders, not to perform another response task - not to hang tapes, not to handle communications with the media, not to help HR handle travel and lodging, not to keep track of expenses - but to assure these tasks ARE accomplished.

The bottom line is that the crisis mode commander can be anyone - man or woman, staff or management - who can keep his or her head and direct others.

One caveat: All personnel - absolutely everyone - needs to know that the crisis mode commander and the crisis mode commander-alternate have VSM's full confidence and authority.

As for the risk management practitioner - maybe that person should serve in the role of go-fer as in "go for this" and "go for that."

One minor catch: How to identify a potential crisis mode commander?

Exercises and training, training and exercises - again and again, adding as much pressure as can be brought to bear. It's better if someone "breaks" during an exercise than later when it's the "real thing."

Thursday, August 25, 2011

ERM-BC-COOP

Pay attention!

 

Several TV anchors told the world the other day that a number of zoo animals were acting strangely just moments before the earthquake felt from New York to South Carolina.

Anyone who grew up around livestock - and who paid attention to the animals - knows that animal behavior often provides a clue to a coming weather event.

People who believe in such things think that a "ring around the moon" is a predictor of rain.

In my neck of the woods, a green sky means a tornado may be coming our way; watch for it.

Likewise, when the air gets "heavy" and humidity levels are higher than the temperature, expect a severe storm, usually accompanied by lightning.

Of course we all know someone who, when the weather is about to turn nasty, has aches and pains in joints or teeth, or perhaps gets a "migraine" headache.

An article on the How Stuff Works Web site (a wholly owned subsidiary of Discovery Communications), titled "Can animals predict the weather?", provides some interesting conjecture.

For the risk manager, the lesson is that we - and the people with whom we work - need to become more attuned to our environment, both inside and outside the building (be "the building" a home or a workplace).

Not all awareness efforts are focused outside. Many are simply paying attention to our "personal space." In some cases, the only animal we need to notice is the human animal.

For example:

  • Smells

    Is there a strange or different smell in the room? Perhaps a burning wire or paper in a waste basket? Caught early, damage may be minor and cause little interruption.

  • Sounds

    Unusual or non-stop sounds can indicate a variety of things. An electrical short is perhaps the worst case; dripping or running water can indicate a leaky pipe or a valve that failed to close. Attend to it early and damage may be eliminated with a mop and bucket; ignore it and you may be standing outside while professionals dry out the building.

  • Sights

    This covers a wealth of things, mostly human.

    • Trucks of any size parked close to the building - where is the driver? How long has the vehicle been there?

    • Strangers, especially unescorted strangers, in the work area - why are they walking around sans an escort; do they have ID badges issued by Security or Reception?

Awareness training, learning to pay attention to normal sights, sounds, and smells, is like having a physical when you feel good - get a "base line" on what is "normal" so when something is amiss, it is quickly detected and addressed.

Awareness training needs to go beyond awareness of the Three Ss (above) - it needs to include What To Do in the event something seems "not right."

There are many parts to a viable risk management program; awareness is just one - albeit a critical one - of the many.

The nice thing about awareness training is that it usually is easy on the budget; the biggest cost is a little production downtime and, for really progressive organizations, perhaps a cookie and a cup of coffee.

We still can't "talk to the animals," but we can be aware of their behavior and we can be much more aware of our own surroundings.

All it takes is a little encouragement and some personal effort.

By the way, where IS that fire extinguisher? What ARE the two closest exits that are wide enough for a wheelchair?

Sunday, August 21, 2011

ERM-BC-COOP

BC on a frayed shoestring

 

I have, thanks to LinkedIn, a new acquaintance who is caught between a hammer (a COOP mandate) and an anvil (lack of budget).

Most risk management practitioners know the situation, having "been there and done that."

This practitioner's plight has been the topic of discussion for maybe 20 individuals, all offering their two cents. If only she could put all our coins together, she might be able to fund her program.

What can this practitioner do to protect the most critical resource, without spending money she doesn't have?

As with all things "risk management," she needs stratospheric support from her management.

True, there is a mandate from On High, but "On High" is remote and is treated accordingly. Our practitioner needs visible and vocal support from the 800-pound gorilla on site, someone people know and respect.

Cost to the organization? Zero.

She needs to develop ways to reach out to the staff - at all levels.

Since she's already on staff and probably has a computer, additional costs are - Zero.

She may need to reach out to other practitioners for their advice - we've proven we give it freely, sometimes more than needed.

So still, zero expenditures.

It is my understanding that our practitioner needs help from the sundry Functional Units (FUs) to maintain the plan.

To do that, she needs

  1. Help from the 800-pound gorilla to encourage FU managers to cooperate.
  2. To create a short list of tasks for the FU Subject Matter Experts (SMEs) assigned a COOP role; my list would be a heading followed by one or two paragraphs of (a) why the task is needed and (b) how to accomplish the task.
  3. To create a plan to monitor the SMEs' actions to assure compliance.

So far, still no budget impact.

Our practitioner also needs to turn all personnel into Risk Rangers - OK, it's corny, but catchy.

Risk Rangers, or whatever the practitioner decides to label all hands, will be trained to be aware of their surroundings; more importantly to be aware of CHANGES in their surroundings.

Is there a new or different smell? Could be a pinched wire about to catch fire.

Are lights flickering? Is power OK; does anything need to be powered down?

Are the skies turning green? Where this blog's author resides, that's a sure sign a tornado is on its way.

Are animals acting strangely - birds suddenly making a racket or suddenly becoming quiet?

Unfortunately, the Risk Rangers also need to be alert for unescorted strangers in their area.

They also need to know what to do - who to call - if they sense something is amiss.

Since both SME and Risk Ranger training cut into production time, albeit not by much and not often, we finally have a budget hit; a minimal one, but a hit nonetheless.

It would be good if the budget could be stretched to provide finger foods - snacks - for those participating in training. Nothing big or fancy. I'd suggest that our practitioner bake cookies but that would appear chauvinistic (I prefer to bake cakes); it would save the corporate budget (but at the expense of the practitioner's).

So far little damage has been done to the corporate budget, but people have been recruited as FU SMEs for the business continuity effort, and staff has been encouraged to be aware of, and report changes to, their environment.

Our practitioner reports that her facility is located on a fault line.

It's too late to build an earthquake-resistant structure (is there such a thing as earthquake "proof"?) and there is no money to retrofit the facility, but since she works for a government, perhaps she can get help from within her agency or from another agency to come assess the facilities and identify points where people should - or should not - congregate when things start to shake. These areas should be clearly identified on frequently-seen maps and the staff quizzed from time to time on their locations, as well as the two nearest exits, the AEDs, and fire extinguishers. It's amazing what we pass by on a daily basis and never see.

What about communications? That requires special hardware and software, right?

How about scrap paper and a ball point pen. (I'd suggest crayons, but my grand daughter won't part with hers.)

Keeping in touch with the troops immediately following an event is critical. Identify, "right now," places that offer public bulletin boards. Supermarkets and laundromats are traditional places; so are public libraries. All personnel should know where the primary and alternate sites for each neighborhood are located. If a code (a prearranged word or phrase) is needed to recognize a genuine message, they should know this, too.

I'm a great believer in the buddy system in the work place. It also is useful when a number of employees live in a geographically compact area; they can watch out for one another and keep the organization posted regarding their welfare. Who can they call? Our practitioner's organization is big enough to have remote operations; for those that don't, consider a remote sales office or perhaps make an agreement with a trusted vendor.

Back in the day, the (U.S.) Air Force had a program that challenged its personnel to "cut the cost without impairing the program." Those were relatively affluent days; imagine the challenge in today's penurious conditions.

Somehow we have allowed ourselves to become totally technology dependent. Unfortunately, technology costs and, more unfortunately, sometimes those costs are beyond the budget. We, like our practitioner, need to find ways to "cut the cost without impairing the program." Lacking funds to avoid or mitigate risks WILL "impair the program," but there remain things that can be accomplished even on a frayed shoestring budget.

It's not me

 

Someone - apparently in Thailand - bought the JohnGlennMBCI.com domain after I killed it out.

Google Alerts advised me that someone is using the domain.

I have NO connection with this domain.

If you have the domain bookmarked from the days when I owned it, please REMOVE it from your favorites/bookmarks.

Again, John Glenn has NO connection with the JohnGlennMBCI.com domain.

Monday, August 15, 2011

ERM-BC-COOP

Read the fine print

 

It's been touched on before on this blog, but it's a topic worth revisiting.

The subject: Reading insurance policies - C A R E F U L L Y .

According to an article in the May issue of Risk Management magazine by Joshua Gold of Anderson Kill & Olick,

    "When reading the fine print of almost any insurance policy, one will see a host of often daunting insurance policy conditions. Almost all insurance policies, including liability, crime, kidnap and ransom, and property insurance policies call for 'notice' of claims within a certain period of time."

The article continues that

    "Policyholders should be careful with these time-sensitive provisions as insurance companies often seek a complete forfeiture of insurance coverage when arguing that the policyholder failed to comply with them, even where no harm to the insurance company has resulted."

In other words, before signing on the dotted line for any insurance coverage, make certain the fine print is understood and that the organization can comply with the insurer's requirements.

It was previously recommended that organizations invite an independent insurance adjuster to review any policies and, when necessary, translate "insurance-ese" into understandable language for management and the risk management practitioner (if the practitioner is allowed to be privy to the policy).

Most readers of this blog know that business interruption insurance requires careful record keeping before an event; it is these records on which the insurance payout will be based.

Most readers also are familiar with warranties and guarantees that have time limited claims reporting; if a claim is not made within "n" hours/days/weeks/months of an incident, the claim will be rejected.

Insurance companies are in business to make money for their shareholders. This is basic knowledge that should not be ignored. Paying out on claims reduces the shareholders' return.

Risk management practitioners, while they need not be insurance professionals, should be invited to insurance vendor sessions; more people usually means more questions that should be considered.

Beyond the risk manager's role during a vendor conference, the risk manager needs to keep in mind that, as with all other things that impact the organization, there need to be at least two people who can respond to any incident that might involve filing a claim with an insurer.

Just as Purchasing should be involved in annual (or more often) exercises, so too should Insurance department staff. When was the policy last reviewed? Where is the contact information? What happens if the local agent cannot be reached when needed; are there alternate contacts? Insurance agents are vendors and should be treated as such; require of them exactly what is required of other vendors.

The bottom line when it comes to insurance is for someone in the organization to read and understand all insurance requirements before the contract is signed.

Thursday, August 11, 2011

ERM-BC-COOP

Could risk management
prevent food poisoning?

 

News stories across the U.S. recently told us that "an outbreak of multi-drug-resistant Salmonella Heidelberg that has killed one person and sickened 76 others in 26 states appears to have been traced to ground turkey products."

According to CNN, "Cargill Meat Solutions Corporation announced Wednesday an immediate voluntary recall of approximately 36 million pounds of ground turkey meat because it may be contaminated with salmonella bacteria."

CNN also noted that "Cargill's plant in Springdale, Arkansas, processed the suspect fresh and frozen ground turkey products between February 20 and August 2." The entire CNN article can be found at http://tinyurl.com/4yaf4h2.

FoxNews (http://tinyurl.com/43m2f7o) reported that "Meat plants are expected to pass a performance standard that allows up to 49.9 percent of tests to come back positive for salmonella. A Cargill spokesman said the Arkansas plant had passed all USDA performance standards despite what he called "routine" findings of salmonella Heidelberg"

It quoted Elisabeth Hagen, the USDA's top food-safety official, as saying "We have constraints when it comes to salmonella." She said that "unlike E. coli, salmonella isn't officially considered a dangerous adulterant in meat unless that meat is directly tied to an illness or death."

A check of three major kosher certifying agencies - OK, OU, and Star-K - indicates that kosher inspection does not include checking products for salmonella, E. coli, and other food-borne dangers.

What is a risk manager's role in all this?

A risk manager is not - or at least should not be - expected to be a food scientist who checks products before they ship. In Cargill's case, some 36 million pounds of ground turkey meat was recalled, an amount, CNN reports, equaling "the weight of more than 36 fully-loaded Boeing 747 commercial airplanes."

But the tainted turkey is a risk.

A risk to the consumer. Remember, one died and 76 others were sickened.

A risk to the corporate bottom line; recalling "some 36 million pounds of ground turkey" has to be expensive; plus the original cost of the raw product and processing expenses. Beyond that, the processing facility will have to be thoroughly decontaminated. Finally, Cargill faces legal action from the deceased's kin and the sickened consumers.

A risk to the corporate image; like Chinese products, Cargill products may well be suspect for some time to come.

It also turns out to be a risk for the FDA.

I'm told that the FDA is a bit "gun shy" on ordering recalls and closing plants since when it tried to do this with a Texas producer a federal appeals court blocked the move.

Still, the FDA has to be embarrassed by the incident and it knows Congress will react.

Risk managers could have recommended that Cargill engage its own inspectors along the production line to check for contamination of any type. Moreover, a performance standard that allows up to 49.9 percent of tests to come back positive (the figure quoted above) must be declared unacceptable internally and replaced with a target of at least a 99.999% contamination-free product. I'm not suggesting a 100% inspection, but given the inherent problems with raw meats and the current embarrassment, a high sampling rate seems in order.
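To put the sampling-rate argument in numbers, the following is an added example, not part of the original post and not Cargill's or any regulator's procedure. It assumes random, independent samples and a perfect test (both simplifications), and uses plain binomial arithmetic to show how many samples it takes to catch a lot at a given contamination level, and why a 99.999% contamination-free claim cannot be verified by sampling alone.

```python
"""
Added example (not from the post): sampling arithmetic for lot inspection.
Assumptions: units are drawn at random and independently, and the test
never gives a false negative. No real inspection data is used.
"""
import math


def p_undetected(contaminated_fraction: float, samples: int) -> float:
    """Probability that `samples` random units all test clean when
    `contaminated_fraction` of the lot is contaminated."""
    return (1.0 - contaminated_fraction) ** samples


def samples_for_confidence(contaminated_fraction: float, confidence: float) -> int:
    """Smallest n such that a lot contaminated at this level yields at least
    one positive test with probability >= confidence."""
    if not 0.0 < contaminated_fraction < 1.0 or not 0.0 < confidence < 1.0:
        raise ValueError("contaminated_fraction and confidence must be in (0, 1)")
    # Solve (1 - p)^n <= 1 - c for n; both logs are negative, so the ratio is positive.
    return math.ceil(math.log(1.0 - confidence) / math.log(1.0 - contaminated_fraction))


def sampling_plan(contamination_levels, confidence: float = 0.95) -> dict:
    """Map each contamination level to the sample size needed for `confidence`."""
    return {p: samples_for_confidence(p, confidence) for p in contamination_levels}


if __name__ == "__main__":
    # 10%, 1%, 0.1% and the post's "99.999% clean" level (1 in 100,000).
    for p, n in sampling_plan([0.1, 0.01, 0.001, 0.00001]).items():
        print(f"{p:>9.5%} contaminated: {n:>7} samples for 95% detection")
```

With 1% of a lot contaminated, about 300 random units are needed to be 95% sure of seeing a positive; at 1 in 100,000 the same confidence needs on the order of 300,000 units per lot. A target that fine has to be assured by controlling the process, with sampling as a check on the control, not as proof of the figure.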

Since the salmonella-infected meat was detected by the federal National Antimicrobial Resistance Monitoring System (NARMS) during an inspection of retail outlets, Cargill might be wise to send its own inspectors into the field to randomly check its products.

Insurance probably will cover a good portion of Cargill's recall losses, but insurance cannot cover Cargill's loss of reputation and loss of consumer confidence. Also, when insurance pays out, it recovers the payout by charging higher premiums for years to come - while Cargill probably will get insurance dollars, it will pay them back to the insurers over the coming years.

The bottom line for Cargill is simple: is it more economical to take a financial and reputational hit, or to put risk management in place up front?

It seems to me that implementing risk management as suggested above would, besides assuring a safer product, substantially enhance the company's image, an image badly in need of attention.

Sunday, August 7, 2011

ERM-BC-COOP

Forums, groups, & lists

 

The other day (July 22) I ended a post noting that "we - practitioners - need to participate (not just "lurk") on the sundry forums, groups, and lists that obviously, or sometimes not so obviously, relate to what we do."

The following alphabetical list contains most of the forums, groups, and lists I regularly or at least frequently visit and on which, on occasion, I add my two cents.

BCI - Business Continuity Institute Members & Alumni
   LinkedIn

BCI USA - The Business Continuity Institute US Chapter
   LinkedIn

BCI-London Forum
  LinkedIn

BCMIX - Business Continuity Management Information eXchange
  LinkedIn

BCP/DRP Forum
  http://health.groups.yahoo.com/group/bcpforum/

business continuity
  http://finance.groups.yahoo.com/group/business_continuity/

Business Continuity - COOP
  LinkedIn

Business Continuity and Disaster Recovery Professionals
  LinkedIn

Business Continuity Management
  http://finance.groups.yahoo.com/group/continuity/

Business Continuity Management & Risk
  LinkedIn

Business Continuity Managers
  LinkedIn

Business Resiliency Consultants USA
  LinkedIn

Certified Business Continuity Planners/BC Management
  LinkedIn

Continuity Insights
  http://www.continuityinsights.com/

Continuity Insights
  LinkedIn

ContinuityCentral
  http://www.continuitycentral.com/

Discuss Business Continuity
  http://finance.groups.yahoo.com/group/discussbusinesscontinuity/

DRJ Blog
  http://www.drj.com/drj-blogs.html

DRJ Forum
  http://www.drj.com/drj-community/forums.html

Emergency Management Discussion
  http://health.groups.yahoo.com/group/Emergency-Management/

Enterprise Risk Management
  LinkedIn

Governance Discussion Group
  http://ca.groups.yahoo.com/group/GOV_DG2/

HR, EAP and Business Continuity Management
  LinkedIn

Integrated Risk Management Association
  LinkedIn

RIMS (Risk Management Society)
  http://www.rims.org/resources/RIMStore/Pages/BusinessContinuity.aspx

Thursday, August 4, 2011

ERM-BC-COOP

Cloud Perils: Risks, Security & Insurance

 

Joshua Gold

Originally published in the Hospitality Upgrade - Summer 2011
http://www.hospitalityupgrade.com/_files/File_Articles/HUSum11_CloudPerils_Risks_Security_Insurance_Counterpoint_Gold.pdf
Used with permission



The trend toward cloud computing continues to pick up momentum. Increasingly, individuals and corporations are entrusting to "the cloud" information as varied as family photos, vacation videos, contact information and sensitive business information, including customer account data and employee information.

Those selling cloud computing services speak to the numerous advantages of cloud computing, including claims of cost savings and enhanced data security. There has been some debate regarding the accuracy of these claims, especially involving those promises of heightened data security. Individuals, small businesses and large institutions opting for cloud computing give up one central dynamic: direct control of the stored or processed information. Those considering cloud computing must size up the risks of relinquishing that control over data to a third party. Fueling the debate over the safety of cloud computing is a recent data security breach suffered by customers of one of the largest entertainment and electronics companies in the world. That company had entrusted data to a cloud computing company that was in turn infiltrated by computer hackers. According to reports of the incident, millions of customer account files (including credit and debit card information) were compromised when the hackers infiltrated the cloud site and improperly accessed the sensitive account information. Notably, the hackers actually had a legitimate account set up with the cloud computing site (albeit with phony identifying information and fraudulent intentions), as opposed to anonymously hacking into another's network.

Those considering cloud computing should perform due diligence with respect to how the cloud computing company erects safety walls between the data stored and processed for individual customers. Indemnification and insurance should also be discussed. Businesses should also explore whether they would have to disclose to their customers, employees and potentially others that certain data that they might have an interest in has been supplied, shared or transmitted to a third party for storage or processing. Additionally, businesses may wish to consider whether there are certain categories of information that are simply too sensitive to provide to an external source and, therefore, must remain off of the cloud.

Businesses can help make informed decisions regarding the extent they use cloud computing by having risk managers working in tandem with their IT departments and in-house attorneys to protect data that is created by the business or entrusted to it by outside entities and individuals. One starting point is developing a data security protocol which establishes clear directives regarding the handling of and access to information within the organization and that information which might be transmitted outside the institution as part of cloud computing. Virtually any hospitality firm will have its own business and employee information electronically captured. So too will it have customers' e-data, including credit card information and other information gathered upon check-in and through rewards programs. An important step is to inventory the information possessed and determine its sensitivity. Categories of information calling out for heightened protection include: health information, personally identifying information of customers and employees, certain types of non-public financial information, trade secrets, customer lists and business processes that yield competitive advantages. Once such information is identified for heightened protection, it usually is not enough to simply guard against external threats of unauthorized access. It is also important to make intelligent decisions about internal access to protected classes of information. This applies for cloud computing too: businesses should find out what levels of employees within a cloud computing firm have access to information. Not surprisingly, some cloud computing firms have several other divisions and business enterprises. It is important to know who has access and to what categories of information to get a handle on both the external and internal hacking threat.

Insurance coverage is available for losses arising from computer fraud or theft under both existing and new stand-alone insurance products. Some of this coverage is quite valuable but should never be regarded as "customer-friendly."

Policy terms should be closely scrutinized to determine whether the use of cloud computing would alter or reduce coverage. Beware, for example, clauses purporting to condition coverage on the absence of errors or omissions in the data security measures employed by the policyholder. Such clauses may be exploited by insurance companies arguing that the policyholder was somehow derelict in safeguarding computer data from hackers, among others. Furthermore, some policies may attempt to limit insurance coverage for data breaches occurring in a computer not actively connected to a network.

Risk abounds when dealing with electronically captured information. It is therefore no surprise that cloud computing entails risk as well. Data security measures coupled with risk transfer in the form of insurance coverage and indemnification from the cloud computing firm can serve as a financial buffer when the data genie escapes the bottle.


About Anderson Kill & Olick, P.C.

Anderson Kill practices law in the areas of Insurance Recovery, Anti-Counterfeiting, Antitrust, Bankruptcy, Commercial Litigation, Corporate & Securities, Employment & Labor Law, Health Reform, Intellectual Property, International Arbitration, Real Estate & Construction, Tax, and Trusts & Estates. Best-known for its work in insurance recovery, the firm represents policyholders only in insurance coverage disputes, with no ties to insurance companies and no conflicts of interest. Clients include Fortune 1000 companies, small and medium-sized businesses, governmental entities, and nonprofits as well as personal estates. Based in New York City, the firm also has offices in Newark, NJ, Philadelphia, PA, Stamford, CT, Ventura, CA and Washington, DC. For companies seeking to do business internationally, Anderson Kill, through its membership in Interleges, a consortium of similar law firms in some 20 countries, assures the same high quality of service throughout the world that it provides itself here in the United States.

Anderson Kill represents policyholders only in insurance coverage disputes, with no ties to insurance companies, no conflicts of interest, and no compromises in its devotion to policyholder interests alone.

The information appearing in this article does not constitute legal advice or opinion. Such advice and opinion are provided by the firm only upon engagement with respect to specific factual situations.

Joshua Gold, Esq.
Anderson Kill & Olick, P.C.
1251 Avenue of the Americas
New York, New York 10020-1182
UNITED STATES
Tel: 212-278-1000
Fax: 212-278-1733
E-mail: cueckerman@andersonkill.com
URL: www.andersonkill.com

Wednesday, August 3, 2011

ERM-BC-COOP

Product liability
Where's it end?


A headline in the AdvisenFPN email of August 3, 2011, reads: Aluminum bat maker liable for pitcher's death, says Montana Supreme Court. The article was originally published by Lawyers USA.

During a teenage league game, a hit ball struck the pitcher in the head, killing the 18-year old hurler.

The pitcher's mother sued, claiming the "aluminum bat increased the dangers of baseball because infielders have less time to react due to the increased velocity of a batted ball."

The supreme court got the case on appeal of a jury's US$850,000 award.

According to the state supreme court, the bat maker is obliged to warn all players that the bat's properties place them at risk through the increased exit speed of the batted ball.

Editorial comment. Young people, little leaguers to collegians, have been using aluminum bats for many years. Like McDonald's hot coffee, it seems safe to assume that coaches and players knew that a ball came off an aluminum bat faster than a wooden bat. The pitcher was 18 years old at the time of his death; how many years had he been playing ball on teams using aluminum bats? End of editorial comment.

The question for risk management practitioners is: How, and to whom, should a product's potential danger be advertised?

The court ruling stated that "A warning of the bat's risks to only the batter inadequately communicates the potential risk."

Obviously, in this case, a warning on the bat, if there was one, was insufficient, even though it seems reasonable to believe that the unfortunate pitcher also used the bat from time to time.

The supreme court seemed to suggest that a warning should be posted in each team's dugout.

Would a warning in only one language be sufficient? What if there is a person who has yet to master the local language - one assumes English in Montana? Must the warning be in all languages that are used privately in the area, for example Vietnamese, Hebrew or Spanish?

While it may seem frivolous asking where to post a warning and in what languages, the questions need to be considered before a product is released to the consumer.

The courts apparently are deciding that what is obvious from experience - balls hit with aluminum bats travel faster than those hit with plastic or wooden bats - is not an adequate warning and that additional warnings and cautions are required.

Risk managers need to deal in "worst case" scenarios. In the case of the bat maker, the worst case is the death of a young person followed by a suit against the manufacturer. Even had the bat maker prevailed, the costs to defend would have been high.

Could the suit be avoided if additional warnings had been provided? What if the warnings were provided and the consumer (in this instance coaches and managers) failed to post the warnings in locations frequented by the players?

Does the bat maker have insurance to cover the US$850,000 award and costs?

These are questions to consider before releasing a product to the market.

Warnings plastered on a dugout's walls and elsewhere might not have avoided either the injury or the legal action, but they might have mitigated the amount of the award.

Risk management is all about playing the "what if" game and coming up with probable answers. It is not a game to be played in isolation; the more "players" the better for all concerned.

Monday, August 1, 2011

ERM-BC-COOP

News Corp good
for risk managers?


An article made available via AdvisenFPN about Directors and Officers (D&O) insurance notes that, in regard to the News Corporation's current and mounting legal woes, suits have been filed in federal district court in Manhattan and in Delaware's Chancery Court in Dover. Additionally, a class action was filed against the corporation and its directors in New York.

News Corporation, on Monday, August 1, 2011, still is making headlines, so when those headlines include the words "directors and officers," directors and officers of organizations big and small pay attention to the article under the headline.

One of risk management's problems always has been getting attention, and support, from Very Senior Managers and Board Members. Since risk management typically is not a "profit center," it is, if not "out of sight," at least a low priority in the overall operation.

Note, by the way, I earlier wrote "directors and officers of organizations." No organization - be it commercial, non-profit, NGO or charity - is exempt from the threat of legal action against its directors and officers. (Perhaps government entities are exempt, but when officers' and directors' terms expire, they might be subject to civil or criminal action; I am not a lawyer nor do I play one on TV.)

Even if News Corporation's directors and officers prevail, it is estimated it will cost hundreds of millions to defend, millions more than the organization's D&O insurance covers.

With the knowledge that they, the organization's directors and officers, can be sued as a group and individually for what may be perceived as negligence - never mind misfeasance or malfeasance - and knowing that having insurance to protect the organization is a hit to the "bottom line," perhaps the directors and officers will take risk management more seriously and become more involved.

On top of the civil action, in News Corporation's case there may be associated criminal investigations to determine if the organization misrepresented itself to the market. It may be a domino effect, but it is one more thing News Corporation must pay to defend.

Could all or any of this have been avoided?

Perhaps not, but if the organization had - and perhaps it did have - well publicized policies about honesty and ethical behavior, and if it regularly emphasized honesty and ethical behavior to all its employees and board members, perhaps - perhaps - defending against the actions against it and its directors and officers would be an easier, less expensive task.

It is not normally a risk management practitioner's job to write policies and procedures, nor is it normally a risk management practitioner's job to preach honesty and ethical behavior to the board and all hands, but it IS a risk management practitioner's job to advise the client - be it an internal or external client - of the risks facing the organization, and a lack of honest and ethical behavior is very much a risk to be considered.

Amazing what a little phone tapping can do to a company.