Sunday, February 27, 2011

What's in a name?






What is the "bottom line"?

What SHOULD be the bottom line?

To me, the "bottom line" is risk management at the enterprise level.

What is risk?

In the business world, and that includes all organizations regardless of profit motive or lack of same for non-profits, "risk" is anything that can interrupt "business as usual."

Risks can come from any where; from where they are expected - the usual suspects of environment, human error, and technology - and from unexpected, "non-traditional" sources such as lenders, customers, and governments at all levels, domestic and foreign.

Scanning the WWW, I find that "risk management," sans the "enterprise" prefix, often means insurance or financial risk. It has a typically narrow focus.

Does insurance risk mean "What happens if there is too little insurance" or does it mean "What happens if the insurance carrier refuses to pay or can't pay." It also means making certain all the insurance company requirements are met; all the i's are dotted and the t's crossed. (This is especially true for business interruption insurance.)

How are risks managed

First, they have to be identified.

That, as most practitioners will admit, is easier to say than to do.

Risks to WHAT?

"What" are "critical business processes," the ground-level processes that keep the business in business. A "view from 20,000 feet" has value only in the board room, and maybe not even there.

How are risks "managed"?

Typically one of three ways: they are (1) avoidance, (2) mitigation, or (3) transferrable.

Avoiding a risk usually is the most expensive option, but for some processes, it may be the only option.

Mitigation, finding ways to reduce the threat's impact, is less expensive "up front" cost, but like the old Purolator commercial went, "You can pay me now or pay me later." Mitigation may leave some "pick up the pieces" costs.

Transferring the risk usually means covering your assets with an insurance policy; sometimes this is supplemental to risk mitigation.

There actually is a fourth option: absorbing the risk. An organization might absorb a risk if the risk is to something that may soon be obsoleted, a something - product, procedures, service, etc. - that is due to be replaced or abandoned. It's simply not worth the other options.

Since most organizations lack the money to avoid all risks, the identified threats must be prioritized, a risk management function. I use "risk" and "threat" interchangeably; Merriam-Webster agrees with me (see End Note).

Management, organizational management this time, decides which of the practitioner's risk management recommendations to implement, sets an implementation schedule, and budgets for the implementation. Part of implementation includes training and exercises even if the capital cost of risk avoidance or mitigation is minimal or no cost (e.g., staff awareness).

The difference between ENTERPRISE risk management and any other type risk management is the same as Enteprise Business Continuity vs. Key Business Unit or InfoTech business continuity.

The former realizes that even in small organizations, there is a myriad of overlaps; a spider's web of inter-relationships, not all of which are blatantly obvious. Unlike an airline's routes, there may be no discernable "hubs." The only way to successfully plan to survive a business interruption is to cover all the bases, and the only way to do that is with an enterprise-level effort.

More than just BC

Enterprise Risk Management is more than just Business Continuity or Business Continuity Management It is what BC/BCM SHOULD be; how BC/BCM should be practiced but most often is not. It may not be fair, but most "senior" practitioners - currently that seems to mean anyone who can spell "BC" without regard to duration or breadth of experience - have blinders when it comes to looking beyond the facility. True the environment is considered, but little else, financial risks are left for someone else, perhaps the Chief Financial Officer's crew, succession concerns to the Board, and whatever is left over (policies and procedures, employee right-to-work [I-9s], communications, et al) to Human Resources.

Disaster recovery is part of business continuity and should cover all functional units.

GRC - Governance, Risk Management, and Compliance - a newcomer to the alphabet soup, is finding some acceptance, but when you break it down, there really is only one initial in the trio that has any real significance: "R."

According to a Wikipedia entry at,_risk_management,_and_compliance, GRC is "the umbrella term covering an organization's approach across these three areas. Being closely related concerns, governance, risk and compliance activities are increasingly being integrated and aligned to some extent in order to avoid conflicts, wasteful overlaps and gaps. While interpreted differently in various organizations, GRC typically encompasses activities such as corporate governance, enterprise risk management (ERM) and corporate compliance with applicable laws and regulations."


  • Lack of governance is a risk.
  • Failure to comply with applicable laws and regulations is a risk.

Perhaps "GRC" should be written "gRc."

Enterprise risk management must not be confused, as it often is, with a niche risk management effort.

Like Enterprise Risk Management, every functional unit should have a stand-along plan, a plan that may be called "business continuity" since it focuses primarily on the functional unit.

Lacking an enterprise plan is, to my mind, a risk that easily can be avoided.

Definition of RISK

1 : possibility of loss or injury : peril

2 someone or something that creates or suggests a hazard

3 a : the chance of loss or the perils to the subject matter of an insurance contract; also : the degree of probability of such loss

b : a person or thing that is a specified hazard to an insurer

c : an insurance hazard from a specified cause or source

4 the chance that an investment (as a stock or commodity) will lose value

Synonyms: hazard, imminence, menace, peril, pitfall, danger, THREAT, trouble

Definition of THREAT

1 an expression of intention to inflict evil, injury, or damage

2 one that threatens

3: an indication of something impending

Synonyms: hazard, imminence, menace, peril, pitfall, RISK, danger, trouble

Friday, February 25, 2011

Insurer grounds rescue flight


Canadians left in Libya as insurer grounds plane

From AFP via AdvisenFPN (Read entire article at

"Due to the deteriorating security situation in Libya, a charter flight obtained to evacuate Canadians (from Tripoli) couldn't obtain insurance, so we're now looking to work with our partners on other options," Lynn Meahan, spokeswoman for Foreign Affairs Minister Lawrence Cannon, told AFP.

Monday, February 21, 2011

Of templates & check lists


Lately I've seen pleas, some from people claiming to hold "senior" business continuity titles, asking for templates.

Usually the request is for a very specific template; a call center or IT department or HR, or a specific industry such as an airport or hospital..

I'm a relative newcomer to what I prefer to call "risk management," but I've been around long enough to have seen some "fill in the blanks" templates and some more "fill in the blanks" software.

One of my first "real" business continuity projects had the lead planner bring in a very expensive, several-hundred-page thick, book of template forms and explanations.

It didn't work then, and it doesn't work now.

That's not to say I don't have check lists and "talking topics," but for the actual planning I avoid templates.

I do use a "subject to drastic change" documentation outline; call it a template if you must.

Template troubles

What do I have against templates?


First, to my Edward Bear mentality, fill-in-the-blanks templates encourage practitioners to try to shoehorn round pegs into square holes - or is it the other way around?

Second, said templates tend, in the hands of a tyro, to be thought-limiting. The template has a question, the tyro asks it, and the client answers it.

Good enough?


Perhaps the tyro needs to get the client to expand on the answer, but the template doesn't encourage going beyond the initial question and, anyway, there's no place in the template to enter the extended answer.

Templates do not lend themselves to tangents, and going off on tangents is one of the most profitable ways for a practitioner to garner critical information. It also can prevent the practitioner from returning to the main theme.

Third, most templates either try to be very focused and ask everything about the target function, or they cobble together a plethora of generic queries many of which likely have no relationship to the organization for which the plan is being prepared, are - at best - crutches for tyros and people lacking interview skills, a critical requirement for practitioners.

Bottom line: Templates are static; practitioners and their clients need interactive communications.

Mentoring, OJT needed

It is unfortunate that we - risk management/business continuity/COOP practitioners - lack an established mentoring and On the Job Training (OJT) program for tyros.

I'm beginning to think it's also unfortunate that we lack a licensing body to assure that a "senior" practitioner really is a "senior" practitioner. The profession's problem is the abundance of certifying agencies that apparently can't get together to create a universally accepted process to vet practitioners. In any event, there is more to being a successful planner - that means someone whose plan works if ever its needed - that just meeting a template's requirements.

Airline pilots use a check lists before taking off and landing; that's well and good. I get a warm and fuzzy feeling when I see someone from the flight deck walk around their plane, clipboard in hand, inspecting the aircraft and kicking the tires (yes, they still do that). But airline pilots also know things not on any checklist. Ask the US Airways pilot who turned the Hudson River into a runway, or the Delta pilot who safely brought back a plane on one good engine, the other having exploded, dumping parts on the ground (but, according to the FAA, it was a "contained" explosion).

Templates, be they paper or software, don't teach the tyro anything other than to fill in the blanks. They may give both the practitioner and the practitioner's client a sense of a job well done and a false level of confidence that when "push comes to shove" the plan will be at least adequate.

Show me

Show me a template that asks about money lenders.

Show me a template that asks about transportation between vendor and your organization.

Show me a template that includes succession planning, policies and procedures, welfare of people with permanent or temporary handicaps.

How about a template that includes questions about the neighborhood and the other denizens in the area?

Show me a template that lets the practitioner work comfortably with the client, one where the practitioner is not always telling the client to "hold on while I fill in the answer."

Templates never are as good as experience.

People with "senior" in their title should be expected to have experience and at least a general, it not through, understanding of what risk management - under whatever name you wish to call it - is all about.

Ask me for a template.

I'll give you ideas.

I'll give you suggestions.

I will not give you a template even if I had a template, which I do not.

John Glenn
Enterprise Risk Management practitioner
Hollywood - Fort Lauderdale Florida

Wednesday, February 16, 2011

ERM-BC-COOP: Compensation


I went to the dentist the other day for a root canal and crown.

I asked how much this was going to cost and he replied $1,500.

"Maybe," I suggested, "we could negotiate the fee?"

His four-word reply: "Keep your mouth shut."

Later I visited my lawyer to see about a new will.

After the niceties, I asked how much I would be charged for her - and her staff's - effort.

$750 for a simple will I was told.

"Maybe," I suggested, "we could negotiate the fee?"

"Live long and prosper," she replied as she left the room.

The handyman was fixing a window. His quoted rate was $85.

"Maybe," I suggested, "we could negotiate the fee?"

"Of course," he said, "if you want to reinstall the window by yourself."

So why, someone please tell me, do people expect professional planners to "negotiate" our fees?

A "recruiter" called this morning and after attempting to massage my ego he asked what my rate would be for a specific job in a specific location. I told him. His immediate response was "Can we negotiate?"

He did not offer to tell me his client's compensation range.

I asked him if he would ask his surgeon to negotiate before he went under the knife.

My rates are justified by both the length and breadth of my experience. They also reflect the location, duration, and complexity of the work, be it staff or contract.

Employers need to learn that, as with almost everything else in life, "you get what you pay for." There's nothing wrong with a Smart car, but if you have to take the kids to a Little League practice, the two-seater is not going to suffice; a mini-van or full size van is in order. Granted, 33 city/41 highway is impressive, but hauling the team and its gear in the Smart car would mean making at least 10 trips making the gas mileage gain questionable.

As an aside: The Smart "passion cabriolet" shown above has a suggested list of $16,990 to which an $850 option package may be added (

Actually, if truth be known, I'm always ready to negotiate . . . upward.

Think about it the next time someone asks you to "negotiate." You should know what your work is work. Unless you are truly desperate, state your rate and stick to it.

It will help you and it will help the rest of us.

And "for the record," the "recruiter" never followed up with a promised full job description. I wonder why :-)

Friday, February 11, 2011

ERM-BC-COOP: Lack of policies, training = suit


“Disneyland’s failure to have policies and training regarding emergency evacuation procedures for persons with mobility disabilities knowingly endangers the lives of the thousands of persons with disabilities who visit Disneyland each year.”

According to a copyrighted article on the Disability Scoop, LLC Web site (URL above), a visitor with quadriplegia was left "stranded" with only his wife for 40 minutes when the Small World ride malfunctioned.

If anyone thinks that a business continuity plan is complete once written, this action against Disney should be a wake-up call.

    (Disney may very well have policies and training in place, and there may be mitigating factors unknown to the writer; the lawyers will fight that out.)

From a practitioner's perspective, I have to ask who at Disney is responsible to see that

    (a) there are policies and procedures in place covering various aspects of risk management (more than just "traditional" business continuity)

    (b) there is on-going training at levels appropriate to the risk

and were the policies and training current?

Of course the question behind the question is "Did Disney's planner even consider evacuating a handicapped person from the ride?"

One of the problems with incidents such as this one at Disney is that when the incident occurs, headlines are made. Later, often much later, when the issue is resolved, the headline, if any, is small. Translation: Disney's image takes a hit even if its lawyers prevail.

Now, change "Disney" to your employer's name to realize another risk.

Wednesday, February 9, 2011

ERM-BC-COOP: Manufacturer's responsibility


I HAVE BEEN PREACHING for some time that "manufacturers have a duty to perform QA/QC on vendor products" and lacking that, the manufacturer can be held liable for damages.

This also applies to retailers who "brand" a manufacturer's product - such as many Sears' products. (There is nothing wrong with the branding practice.)

Apparently a state appeals court agrees.

It recently ruled that a retailer of imported high-end bicycles was liable following an accident caused when the bike's carbon-fiber fork broke, causing the rider to be thrown face down onto the sidewalk. The rider suffered a head injury, a broken jaw, the loss of four teeth, many cuts, and severe abrasions.

The retailer argued that the frame's manufacturer, not the retailer, should be held liable. The appeals court disagreed because, under the state products-liability law, the retailer was responsible because it had branded the bicycle as its own.

As with most things that end up in court, the defendant - in this case, the retailer - loses, even if the defendant prevails.

How much of a loss is the question and it must be balanced against what it would have cost to do QA/QC on the product, be it a screw or a jet engine.

Total costs must be considered.

Direct cost to defend:


    Expert witnesses

    Lost time and productivity

Indirect cost to defend:

    Damage to reputation and parallel advancement of competitor's product

    And then any damages if the plaintiff prevails.

Given the cost of the product - in this instance, bicycles selling between $130 for a kiddie version to $1,150 - it would seem reasonable to do some sampling or, more accurately, have some sampling performed by a third party (due to the materials and the expense of sampling equipment and skilled personnel to operate it).

Apparently, the defense was unable to show that the retailer performed due diligence; while that might not have absolved the retailer under the state's law, it might affect any award.

ERM-BC-COOP: Execs, Board as risks


According to a copyrighted Dow Jones NewsPlus article by Liz Moyer ( (see, the California Public Employees' Retirement System, a/k/a Calpers, is suing former Lehman Chief Executive Richard Fuld, former Lehman CFOs Christopher O'Meara and Erin Callan, and nine Lehman directors contending they failed to disclose Lehman's true financial position.

The bottom line for risk managers is that executives and board members are risks to the organization. As risks, they should, I think, be included in the risk management process; they should be considered as a functional unit and treated accordingly.

Granted, we are dealing with personalities rather than processes, but these individuals need to understand their actions - or inactions - can greatly impact the organization as well as their personal lives.

At the same time, practitioners need to consider including insurance to protect the organization from legal actions against its executives and board members. Even if the executives and board members prevail, the organization will still face heavy expenses to defend.

Thursday, February 3, 2011

Once again . . .


Passing the buck.

Keeping secrets.

According to a report on the ABC News blog (,

    "A new Senate report on the 2009 Fort Hood shooting blames the FBI and Department of Defense for failing to recognize or act on alleged shooter Army Major Nidal Malik Hasan’s extremist views.

    "The report contends that the FBI and DOD could have prevented the shooting if they had identified Hasan’s radical Islamist views and disciplined or discharged him before the attack occurred.

    “'Our report’s painful conclusion is that the Fort Hood massacre could have and should have been prevented,' Senate Homeland Security Committee chairman Joe Lieberman Lieberman said at a press conference today."

According to Susan Collins, the ranking Republican on committee “Both the FBI and the Army were aware of Major Hasan."

Back to the second paragraph and "disciplined or discharged him (Hasan) before the attack ."

That might have prevented the attack at Fort Hood, but it might have simply allowed Hasan to attack soldiers and civilians off base - at a mall or sports venue where he could have killed even more people.

Then, the report noted, “Although neither DOD nor the FBI had specific information, they collectively had sufficient information to have detected Hasan’s radicalization to violent Islamist extremism but failed both to understand and to act on it.”

Shades of 9 - 11; the right hand refuses to share to the left.

Won't we EVER learn?