Thursday, July 28, 2011

ERM-BC-COOP

Ignore risks?


I'm following an interesting thread on one of the risk management lists.

One of the posters suggested that there simply are too many risks to worry about them all.

Pick two or three and ignore the rest.

Admittedly, this list's audience comprises mainly external and internal auditors, whose concerns generally are limited in scope, while ERM practitioners (should) take an enterprise-wide (hence the "E" in ERM), all-risk approach.

Still, the idea that a risk management practitioner would suggest ignoring risks because there were "too many" boggles the mind.

In my world, we look at all risks.

We look at ways to avoid or mitigate risks - some we "transfer" or "absorb," but most we try to avoid or mitigate.

Once we identify all the risks - and the ways to deal with them - then they are prioritized as we think they should be based on what we know about the organization's current and - if we're privy to it - future operation.

Since the ERM practitioner is always a "consultant," even when in a captive, staff, in-house, "permanent" employee role, we give management our findings and recommendations.

Management, not the practitioner, reviews the recommendations and determines which recommendations to implement, in what order, on what schedule, and then sets up the budgets to implement the decisions.

Some practitioners suggest first working on the "low hanging fruit," risks that offer an easy, inexpensive fix. I dislike that approach, but if the risk management budget is sufficient for only that type of risk . . . well, it's better than nothing and may help instill a risk management mentality in the organization's staff.

To my Winnie-the-Pooh mentality, ignoring the presence of risks - versus giving them a low priority - is not risk management, it is risk ignorance.

This is akin to the practitioner who suggested that organizations simply allow a risk to run its course and then pick up the pieces (http://tinyurl.com/3jh9ddr). This is neither risk management nor business continuity; at best it is disaster recovery.

If practitioners in the U.S. were licensed, as are doctors, lawyers, and numerous other professionals, they might be liable for ignoring risks. Unfortunately, or for many, fortunately, an organization would be hard pressed to prevail in court claiming the practitioner failed to consider all risks; in other words, there's no penalty for ignoring threats.

I consider it my mandate to diligently seek out risks from all points, and to relate those risks to management.

Tuesday, July 26, 2011

ERM-BC-COOP

Neighbors - revisited


A recent discussion on LinkedIn's Business Continuity Management & Risk group with the abbreviated title "I'm looking for a good sample of scenarios" brought a number of interesting responses.

One that caught my eye came from Konstantin Smirnov, an IT Risk Consultant in Russia and the CIS.

Proving it pays to engage practitioners with a broad background, Smirnov suggested that "Any industrial food processing facility nearby - it will have tons and tons of liquid ammonia for freezers. Or water processing facility - chlorine, could be tons and tons of it. If we go for industrial hazards - there could be a long list."

Another responder, Herman-Peter Steens of Antwerp Area, Belgium, suggested a related scenario, but with a twist. "A train hits another train with dangerous chemicals (e.g. liquid agriculture fertilizers compounds) and this in a railway station nearby one of your buildings. The alarm is set off at the railway station, but a cloud of toxic gas closes in on your facility. People have to run out of the building, some get intoxicated, they are of finance and you have to give in your financial data to the Fed’s soon, and one of the intoxicated dies; is it your CFO or isn’t it him? To continue in your exercise."

What would be really interesting is if the finance people, including the CFO, are exercise participants. It's always fun to watch a "dead" executive sit on the sidelines while his, or her, staff makes the decisions. Of course in "real life," we know that the CFO has a designated alternate, someone who can take over, seamlessly, if the CFO is unavailable.

My question to Steens is: Why would people "run out of the building"? They should remain safely inside and the building should be sealed against the toxic gases. Depending on the railroad's safety record, perhaps the building should be designed or retrofitted so that it can be easily and quickly sealed.

Jack Whittaker of Bristol, UK, suggested that "There is a cold water tank in the roof-space of your office building. One weekend, it starts to leak. Three stories below, your server room is unattended until Monday morning..."

The bottom line for all of the above is that the threat's point of origin is beyond the control of the organization impacted.

All organizations have threats - risks - beyond the control of the organization's risk management personnel.

What we, as risk management practitioners, can do is to carefully look at the facility's neighbors - perhaps even several miles out - and recommend implementation of means to mitigate the threats posed by the neighbors. In this case, include "neighboring" waterways and woodlands.

If a resource, for example, IT, cannot be protected from all possible threats - and nothing can be protected from all possible threats - then the process must be available at an alternate site sufficiently distant to avoid shared power and weather problems. (And if IT service is disrupted, the profit centers need to know how to survive, at least for a short time, without the service.)

In retrospect, there really are two "bottom lines" to this post. Beside the one already cited, the second is that we - practitioners - need to participate (not just "lurk") on the sundry forums, groups, and lists that obviously, or sometimes not so obviously, relate to what we do.

Monday, July 25, 2011

ERM-BC-COOP

Perspective


Sometime in early July, Shannon Creighton, a young lady in Canada, posted a note to a LinkedIn group headlined "Looking for Strike Action/Job Action Advice!" The complete message is as follows:

    My company is facing strike/job action in the next 24 hours. We have a very comprehensive plan for all our mission critical functions, our Emergency Operations Centre is set up and operational, we have the redeployment list for all management and out of scope staff and all Communication key messages and templates have been built.

    My question is to anyone that has been through strike/job action....are there any lessons learned from your experiences that you would like to share with me?

Unfortunately for Ms. Creighton, no one read her post until I somehow stumbled across it on the 24th of July - well after the strike threat passed (one hopes).

I asked Ms. Creighton for an update. I'm still waiting for that.

But because of my response, LinkedIn flagged the exchange and other people offered their opinions not, alas, directly answering her query but taking the topic in a slightly different direction.

One responder commented that "Responding to strike action is a delicate subject. Very often, well certainly in the UK, the response has to be a suspension of business for the duration of the action because you can't simply replace striking staff.

"Consider something like public transport. If their drivers go on strike you can't simply call in more drivers (firstly because there aren't any but also) because not only would you end up with further union action but you would be in breach of all sorts of health and safety regulations."

A gentleman from Africa joined in noting "in the context of my experience you need to have a good exercise that proves the adequacy of your preparedness." He added "In the case of public 'transport strike', a contingency plan that caters for continuity of operation is often handled by an "outsourcing of drives", that can be called in to take over. ... Did you consider all possible scenario strike actions and tested. Therefore, lesson learned can only be drawn from your special experience?"

The first responder countered by answering the second responder thus: "In the case of public transport, and here I was thinking more of trains and the London Underground service, you can't have an outsourced workforce ready to take over. In the first place there isn't an organisation that has people with the required skills, insurance cover, Public Service Vehicle licenses etc. Furthermore, I would think if the management even suggested a replacement workforce to disrupt their opportunity for strike action, the union would make you test that plan quicker than you might like, with a strike."

Neither responder - nor I - directly admitted to having strike experience.

But reading on to the first responder's second post, I was taken aback by his remark that

    "I think we all have to recognise that business continuity doesn't mean you will be able to keep your operation running under any circumstances. Sometimes we may just have to let events take their course and industrial action can be one of those where we hope the action is short term or negotiations happen quickly."

Point 1: "I think we all have to recognise that business continuity doesn't mean you will be able to keep your operation running under any circumstances."

If business CONTINUITY is not to keep business in continuous operation - that is, meeting a minimum level of service - what IS "continuity"?

Merriam Webster Online Dictionary's first two definitions for "continuity" are (see http://www.merriam-webster.com/dictionary/continuity):

  1. uninterrupted connection, succession, or union

  2. uninterrupted duration or continuation especially without essential change

The "key word" in both is "uninterrupted."

Point 2: "Sometimes we may just have to let events take their course and industrial action can be one of those where we hope the action is short term or negotiations happen quickly."

Shades of the British Airways fiasco. Many will recall that BA did nothing to mitigate a threatened walkout by its caterer (vendor) when it could have sought out an alternative, back-up provider to keep its passengers fed.

Those who followed the work (in)action will recall that BA's baggage handlers went on a sympathy strike with the caterer's crew. Unfortunately, unlike the old American telephone company, apparently BA managers were unable or unwilling to load luggage. But, given that there was no food available for the passengers - at least at LHR (BA has no operations at other UK airports??), perhaps it was just as well. Things got worse before they got better, and all because one vendor failed to meet its minimum level of service agreement.

Both the gentleman from Africa and I agree that accepting a risk as inevitable and doing nothing to mitigate it is NOT "business continuity."

I've seen this "it can't be helped" attitude from UK planners in the past (the BA strike).

This is NOT the attitude of any U.S. practitioner I know and, based on the exchange with the gentleman in Africa, not on his turf, either. Is it unique to the small island?

Our English planner, who happens to be a senior consultant with a name organization, apparently is not alone in his "hunker down and hope for the best" approach to - well, I cannot call it business continuity - we'll just call it "planning."

Meanwhile, I'm still curious. What did Ms. Creighton learn from her brush with a strike?

Sunday, July 24, 2011

ERM-BC-COOP

Unseen risk


The recent kidnapping, murder, and dismemberment of a young boy in one of New York's boroughs reminds me that a post-event condition oft-ignored deserves to be included in the "recovery" portion of holistic risk management plans.

That condition is mental trauma, often called "post traumatic stress syndrome."

We no longer are a people accustomed to being told to "suck it up and get on with your life."

Now we need a therapist to guide us back to an even keel. Perhaps we always did, but just didn't know it.

Whenever an event occurs at a school or involves a school's student, the therapists are called out. It's routine.

Stress, however, is not limited to students.

It can happen to any of us given the right circumstances.

  • Loss of home or loved one.

  • Loss of a place to work and fear of losing a job.

  • Job site terrorism (someone "going postal")

  • Dislocation and sometimes simply relocation.

The psyche is a fragile thing.

In order to provide therapeutic assistance to staff and close relatives following an event, there are several things that need to be in place "pre event."

  1. Therapist
    An agreement should be in place with a therapist or group of therapists to be available to personnel on a need basis (the "need" to be determined by the personnel).

  2. Where will mental health professionals meet with employees?
    Typically this will be the provider's office, but other options may be necessary.

  3. Visits
    Is there a maximum number of visits or will this be set based on the level of the event that caused the trauma?

  4. Policies and procedures
    All personnel at all levels need to know the organization's policies regarding mental health providers.

    • How will provider-patient confidentiality be guaranteed?
      Will the organization be able to identify the patient?

    • Who is covered?
      Employee, spouse, people residing with the employee?

    • How will the provider be compensated?
      What will the patient be expected to pay, when can the provider expect payment from the organization if that is arranged?

    • How many visits are allowed?
      Is a set number appropriate or should the number be determined by the magnitude of the event or the event's impact on the individual?

  5. What are the procedures

    • to access the providers?

    • to pay the providers (is this covered by employee insurance, the organization, or will the employee be expected to fund all or a portion of the costs?)

    • to report visits to the providers, if the employee is required to do so, and how will this be done while protecting the employee's privacy?

Organizations must be aware of all local, state, and national laws relating to provider-patient privacy and care, as well as laws relating to releasing personnel no longer able to function in their job - is a job transfer possible, is there a union involved with its rules?

The risk management practitioner's role is not to answer any of the questions presented above, but to lead management - in conjunction with HR, Legal, and internal or external mental health practitioners, as well as union leaders if a union is involved - in reviewing the issue of post-event trauma.

Failure to attend to event-related mental health issues before an event can result in chaos, reputation damage, and possibly legal action.

Friday, July 22, 2011

ERM-BC-COOP

Continuing education


In my business, enterprise risk management, "continuing education" is a must.

Not necessarily continuing formal education - although that, too, but continuing education wherever it is found.

The Internet is a wonderful place for continuing education.

Every day I get a post from AdvisenFPN (https://www.advisen.com/). Advisen, as everyone knows who follows this blog, focuses on insurance news.

All practitioners know we need insurance coverage, but that is not the reason I read the daily email. The email provides me with information that impacts insurers, e.g., when they have to pay, when they go to court. It points up a number of risks that may have slipped my mind or, occasionally, that I never considered.

I am a member of several LinkedIn professional groups. I check for new "threads" (topics) daily.

I also subscribe to several Yahoo lists.

Finally, I confess to being a 5 a.m. news junkie; I have to have my "fix" first thing in the day.

Continuing education also means keeping in touch with both fellow practitioners and with those Subject Matter Experts (SMEs) who are the backbone of my experts' network. My favorites in the "fellow practitioner" category are those folks who frequently add to my thoughts and sometimes disagree with those thoughts. I don't count "Yes" men (and women) in my list of trusted sources.

The Internet also lets me access the multitude of (U.S.) federal and state Web sites. FEMA probably is the most frequented, but financial sites and medical (HIPAA-related) sites also are bookmarked. The other day I was looking at a distant county's flood history.

I don't "Facebook," nor do I "Tweet."

I may not be gaining Continuing Education Credits (CEUs) by expanding my knowledge outside the brick-and-mortar or electronic "halls of ivy," but I do maintain currency in my field through what might be termed "alternative resources."

I can do that wherever I find a portal to the Internet.

Wednesday, July 20, 2011

ERM-BC-COOP:
Comparing notes


An acquaintance and I were interviewed for the same job.

Both of us are well qualified for it; he's geographically closer to the work site so I think the nod will go - if it goes to either of us - to my acquaintance.

Since we've known each other for a number of years, we have been comparing notes from the interviews.

Some of our thoughts tend to give pause.

First, my acquaintance was invited to a face-to-face interview - at his expense (air fare, lodging, local transportation, meals). I was allowed a telephone interview - at my expense. My interview took less than half an hour (28 minutes, to be exact). I hope my acquaintance got closer to his money's worth of interview time.

Both of us were interviewed by people we were given to believe are business continuity people. Neither, as far as we can ascertain, would be the successful candidate's manager. Were we interviewed by people who will report to us? Will they be our peers? Why wasn't the hiring manager at least participating in the interview?

The lead interviewer made it clear that the winning candidate would be no more than "supplemental" staff (vs. consultants) and paid accordingly. Translation: the practitioner will have no leverage to accomplish anything, although the practitioner will be expected to accomplish a great deal.

The interviewers asked us if we had any "change management" experience. We do, but just how did the interviewers define "change management?"

In ERM terms - my terms - change management means managing changes to the program and its documentation. "Change management" in IT-speak is, basically, "check out/check in" of code that hopefully is fully exercised before going operational.

No, for the two interviewers, "change management" means changing the organization's perception of risk management; in other words, marketing and education. I don't have a formal "process" or "program" to accomplish this, although I suspect my acquaintance probably does have such a document in his kit bag.

We were told a decision would be made by the Friday of the interview week and conveyed to the sundry agents representing us and, we suspect, several others.

Monday arrived and my acquaintance checked with his agent. No response.

Tuesday, same story.

I have a suspicious mind.

My suspicion, based on the "change management" requirement, the lack of management involvement in the interviews, and the delayed response, is that despite allegedly having 800-pound gorillas supporting risk management, in truth there is little respect for the practice and, I fear, developing same - the change management - will be a long uphill battle that has little chance of success.

I understand there are some "add/move/delete" actions going on at the very senior management level - yesterday's org chart already is outdated. It seems to this practitioner that with management - management that will need to be on board to make "change management" work - in flux, perhaps the requisition, interviews, and decision should be put off until the dust settles.

Right now, taking a job with this organization - which will require more than a little travel - seems like an unnecessary risk.

Tuesday, July 19, 2011

ERM-BC-COOP:
Phoenix - no surprises


A few years ago I talked to a guy about a job in Phoenix AZ. The job, which I declined, would have been strictly DR.

But while I was in Phoenix, a town I happen to like a lot, I did some risk research.

There are only a few serious risks.

One, a sandstorm, happened twice in July (2011) - July 6 and again on July 25.

Motorola had a chip operation in Greater Phoenix when I visited, and its business continuity people recognized the threat of a sandstorm, a/k/a "haboob," a word borrowed from Arabic.

When the plant was constructed, Motorola included a space-station-like air lock.

Personnel entered the air lock.

The doors closed.

The air was cleaned.

A second door to the work area opened.

Actually, the air lock is the standard approach to a clean room, but Motorola's was, I was told, on a plant-size scale.

Phoenix also has flooding as a risk.

Believe it.

According to the Maricopa County Flood Control District, the county, in which Phoenix resides,

"has two rainy seasons: summer and winter. Winter usually brings longer-lasting but less-intense storms. Summer brings shorter, more intense thunderstorms. These summer thunderstorms are usually the result of the North American Monsoon (also called the Arizona Monsoon or the Mexican Monsoon). The North American Monsoon impacts the southwestern United States and northwestern Mexico every summer (usually July, August and September)."

The county's FCD web site lists floods dating back to 1889 (see http://www.fcd.maricopa.gov/Education/history.aspx).

In addition to sand and flood, the city has two interstate highways - I-10 and I-17 - and a major east-west "U.S." highway, U.S. 60. In addition to the threat of a hazmat mishap, there is the constant risk of accidents preventing staff from timely travel. Sky Harbor International Airport is surrounded by major roadways, including I-10. Once a sleepy airport with only an occasional flight (c. 1957), the airport now has a respectable number of flights provided by 17 airlines, plus the major air freight carriers.

Probably not the last threat, and certainly not the least, is a power outage in a community that cannot remember when it lacked air conditioning.

Phoenix, which at "first blush" appears to be as risk free as any place in the U.S., turns out to have "the usual suspects" plus a couple that fall into the "would you believe" category.

If only Phoenix wasn't so far from a major body of water it would be almost perfect, but I'm used to an ocean or gulf within a short drive.

Friday, July 15, 2011

ERM-BC-COOP: Facebooking?
Laws change by location


According to an AdvisenFPN article from Proskauer's International Labor and Employment Practice Group (http://tinyurl.com/6fdwauv),

    "While social media law is too new and undeveloped to give a clear picture, the Labor Board's approach appears to give employees broad latitude to disparage their employer on Facebook and similar social media sites.

    Early indications are that foreign tribunals are taking a different approach. In several recent cases, they have affirmed the employers' right to dismiss employees for comments made in social media forums."

The article goes on to cite two cases, one in England, the other British Columbia (Canada).

Proskauer's article ends with the admonishment that

    "The law is too new, and the sample size too small, to draw any definitive conclusions from these cases. Where possible, expectations of privacy should be defined, particularly with respect to conduct occurring during work time and comments that are widely disseminated. The use of social media sites to disparage the employer's customers, products and services should be addressed, as well as conduct that would be prohibited in the workplace, such as insubordination. As with any multinational HR policy, local rules (both substantive and procedural) should be considered."

Social media must make risk management practitioners aware of several critical needs:

  1. The need to involve HR and Legal in the risk management process. (All functional units should be involved, but especially HR and Legal.)

  2. Policies and procedures need to be carefully crafted and published and there must be evidence that personnel - at all ranks - have read and comprehended the policies.

  3. Policies and procedures must cover all of an organization's locations.

  4. Policies and procedures must consider visiting employees, for example, an employee from France visiting the organization's facility in Finland. See http://tinyurl.com/68uawjw.

  5. Someone within the organization needs to monitor the Internet for any comments, good and bad, relating to the organization. Likewise, someone needs the authority to quickly respond to Internet postings, particularly negative postings to prevent damage to the organization's reputation.

Proskauer is located on the Web at http://www.proskauer.com/

Monday, July 11, 2011

ERM-BC-COOP: Read the policy

And be smart


According to a story from the Herald-Times of Bloomington, IN, picked up by AdvisenFPN, if you disconnect a building's sprinkler system and there's a fire, don't expect the insurance company to pay off.

It seems that the Little Nashville Opry's sprinkler system failed to work because, as the Brown County TN circuit court found, the structure's owners failed to maintain the sprinkler system, so the insurance company "has no obligation to pay."

The story, which may be read at http://tinyurl.com/63b3kux, noted that the reason the sprinkler system failed was that the building owners disconnected the system following a case of frozen-and-then-burst pipes - which an insurance company paid to restore to working order. The article failed to note whether it was the same insurance company that now denied the building owners' claim.

For risk management practitioners, there are two lessons to be learned.

    Lesson 1: Maintain, and test, safety equipment.

    Lesson 2: Read and abide by insurance company policy contents.

Unless the policy is in BIG PRINT and in plain English (or whatever the language of the land), get outside help in deciphering it before signing the contract. Insurance adjusters are good resources as interpreters.

One other point.

If the contract is multi-lingual, determine which language is the "base" language for the document. For example, if the English is a translation from Spanish, and if there is a conflict between Spanish and English, Spanish - as the original language - will prevail. (Many hours have been spent arguing the meaning of the Sixth of the "Big 10" commandments, לא תרצח - is it "do not murder" or, as mistranslated, "do not kill?" As with the insurance policy or any other multi-lingual document, "The Original Rules.")

The problem for a risk manager: How to convince management that its action (or inaction - failing to test) is itself a risk, or as in the case of the burned facility, that management compounded the risk.

The article noted that the fire that severely damaged the building appeared to be arson.

Wednesday, July 6, 2011

ERM-BC-COOP:
Out of state,
not out of court


In a Los Angeles Times article headlined on Advisen FPN as "California overtime-pay laws protect nonresidents too, court rules" (read at http://tinyurl.com/3prouu6), the newspaper reports that

"Residents of other states who work for California companies are protected by the state's overtime laws during business trips here, the California Supreme Court decided unanimously Thursday."

According to the court, "Not to apply California law would also encourage employers to substitute lower-paid temporary employees from other states for California employees, thus threatening California's legitimate interest in expanding the job market."

The LA Times article notes that the decision impacts on non-California residents working temporarily in California for a California-based organization. The initial suit was brought by non-California employees of Oracle Corporation who "wanted to benefit from California's generous overtime law during business trips."

From a risk management standpoint, the ruling could have several consequences.

  • Companies will have to pay non-resident employees working temporarily in California at California rates.

  • More California companies needing non-resident employees will either

    • Make do without the out-of-state staffers

    • Increase tele- and video conferencing

    • Relocate their headquarters offices to another state, expensive but a one-time cost.

The California ruling may not be the "final ruling" on the matter.

Since the issue is one of "interstate commerce," the Federal courts could be asked to intervene.


In another Advisen FPN pick-up, the Las Vegas Sun reported that the Clark County commissioners agreed to pay $150,000 to settle a lawsuit brought by a person diagnosed with cubicle claustrophobia. The full article as it appears on the Advisen FPN site is at http://tinyurl.com/3hdos3p.


Advisen focuses on the insurance industry, but for a risk management practitioner, the articles are both interesting and often educational, certainly identifying risks normally not considered in the typical risk litany.

Monday, July 4, 2011

ERM-BC-COOP:
Prepared . . . or not


Malcolm Smeaton, Director Security Services and Contingency Planning at Government of Ontario, posted the following question on LinkedIn's Business Continuity-COOP group:

BCM Key Metric: I and others are to consolidate our annual reports to executives. This will include an executive summary that only allows the BCM program to highlight one key metric, what should it be?

I have considered: Last Exercised, last updated, departments covered, critical services covered, % of employees trained on BCP. Any suggestions what key metric I should select? Or any articles that you can point me to that will help me select?

A long-time acquaintance of mine, Howard Pierpont, Board Chair - Disaster Preparedness and Emergency Response Association, responded that Smeaton should consider:

"Being in Ontario, I'd suggest you look at 'Where are we in meeting the requirements of BS25999 or the Canadian equiv of NFPA1600'."

Howard's been in the business a long time and has an enviable record; I generally respect his opinion.

But this time, I think he came up a tad short.

My problem is that, in my opinion, "meeting the requirements" does not necessarily equate to being prepared to handle an event.

BS25999-* is a rather broad ISO-want-to-be that was cobbled together by a committee of practitioners, many of whom - and I know this first hand - ignore avoidance and mitigation as if risks are inevitable and must be accepted as they occur. The Canadian version of NFPA 1600 is a better standard, but again, it is generic.

Each organization is unique; indeed, similar operations within the same organization - think national vehicle rental companies - can be unique from one to another. One size generic standard, be it CNFPA 1600 or the BS effort, cannot be all things to all organizations.

There simply are too many things that can go "bump in the night" to be addressed by a standard, accepted or want-to-be.

My answer to Mr. Smeaton's query, probably no more helpful than Howard's, took a different approach, one I think more accurately, yet briefly, states the organization's readiness:

The organisation is prepared for an event based on the recent enterprise exercise using a scenario.

I added that, considering the kick-off question's contents,

Everyone should be trained on the plan; that's a given.

All departments need to be covered; that's a given.

The "last exercised" is included in my suggested statement; the "last update" is a given following the exercise - I assume there were some deficiencies noted during the exercise and they were/are being eliminated.

Admittedly I think primarily in terms of enterprise risk management, but even dealing with functional units (creating "mini-plans" if you will), I firmly believe that everyone involved in the unit - functional or enterprise - needs to have a role in the management of risks and should be involved in risk management exercises.

Given that, it seems obvious to me that the best indicator of an organization's readiness is the most recent enterprise exercise.

I do not expect the exercise to be perfect; the points - at least two - of an exercise are to (a) identify any deficiencies and (b) enhance responder confidence and ability; the "B" is as important as the "A."

Critiquing an exercise to determine what "we" can do better - finger pointing and personal criticisms are counter-productive - usually, at least in my experience, results in a "to do" list that becomes a living part of the plan, with each item closed out as it is completed (and confirmed) - in other words, answering Mr. Smeaton's "last updated" concern.

As this is cobbled together only Howard and I have responded; it will be interesting to see others' opinions. The great thing about LinkedIn and its groups is that people can build on each other's input.

Long ago I understood that no one should create a plan - or a program - in a vacuum. People such as Howard are part of a personal, highly valued network of fellow risk professionals. We don't always agree, but we always share our knowledge.