Wednesday, September 28, 2011


Contractor or employee

Feds want to know


According to a Wall Street Journal article titled Price Of Reclassifying Workers, the federal government is going after employers - typically small businesses - that have questionable contract employee practices. (Read the full article at

The problem is: When is a contractor a staffer?

This is a problem an alert risk management practitioner should identify and bring to the client's attention.

As with most things "risk management," the practitioner can only lead the horse to water (make the client aware of a risk), the practitioner can't make the horse drink (make the client avoid or mitigate the risk).

The IRS, which is running the investigation, announced a program to allow small businesses to "reclassify" personnel the IRS might determine to be employees (vs. contractors) with only "limited' penalties.

There are pluses and minuses to "converting" a person's status from "contractor" to "employee. Some of the negatives come into play when an organization's head count reaches 50. On the plus side, some companies report improved worker loyalty and increased profitability by bringing on staff as actual employees (vs. contractors).

The bottom line for risk management practitioners is to be aware of the situation and to recommend, where appropriate, that the client seek professional advice from a labor law specialist. It's far less expensive to pay for a consultation with a labor law expert than to try to defend a position against the IRS, especially in an IRS court where there is no appeal.

Friday, September 23, 2011


Ignore experts at own risk


According to multiple sources (see end of file for list/URLs), the New York Court of Appeals ruled that the Port Authority of New York and New Jersey is free of liability for the 1993 bombing of a World Trade Center building.

The reason cited by the court in its split decision was that the Port Authority is immune from suits as a government agency.

A little history.

The Port Authority owned the World Trade center buildings.

According to the New York Times, although "the court’s decision highlighted many of the warnings that had been made to agency officials about the potential risk of a car bomb in the garage, the court made it clear that the agency had also believed it had good reasons to concentrate its security measures elsewhere at the trade center complex." (Emphasis mine.)

Reuters reports that the "February 1993 bombing killed six people and injured close to 1,000. Six men were convicted including Ramzi Yousef, who was tied to al Qaeda."

The Reuter's article continued: "Lower courts had ruled that the Port Authority acted as a private landlord because the World Trade Center was largely a commercial complex. In her dissent, Appeals Court Judge Carmen Beauchamp Ciparick agreed with that position.

"The Port Authority's security decisions regarding the garage were made by civilian managers, not law enforcement or security authorities, and stemmed from commercial concerns," Ciparick wrote.

In the majority opinion the court noted that, "the Port Authority solicited numerous expert opinions on the security risks and measures to be considered before allocating its police resources. While the Port Authority's decision-making could have proceeded along different acceptable paths of action, in this case, it reached a reasoned discretionary conclusion to heighten security in sectors of the WTC considered more susceptible to harmful attack" according to

But, as Judge Ciparick noted in her opinion, the "Port Authority's security decisions regarding the garage were made by civilian managers, not law enforcement or security authorities. (Emphasis mine.)

To be fair to Port Authority management, decisions had to be made based on available resources. That's the unfortunate case for all organizations.

At the time, and despite the warnings from "numerous expert opinions on the security risks and measures to be considered," car bombings, especially car bombings to bring down buildings in the US were almost unknown.

Two truck bombs had gone off outside a military barracks in Beirut in 1983 killing 299 American and other servicemen; Islamic Jihad claimed responsibility But that was overseas; such things didn't happen on U.S. soil. (Actually bombings were common in the U.S., including bombing buildings, but never on the scale of the Trade Center buildings.)

The Alfred P. Murrah Federal Building in downtown Oklahoma City wasn't brought down by Timothy McVeigh and friends until April 19, 1995.

The lower court ruling that was appealed to the higher court allocated 68 percent of the fault to the Port Authority for the terrorist attack. The terrorists were ruled to be 32 percent responsible.

Apparently had the Trade Center buildings been owned by a non-government agency, the decision would have been against the Port Authority.

There are lessons to be learned here.


New York Times, Port Authority Not Liable in Bombing, Court Rules

Reuters, Port Authority not liable in 1993 WTC attack, court,, New York court: Port Authority not liable for 1993 World Trade Center bombing,

Thursday, September 22, 2011


Read and forgotten


What happens when a person applies for a job.

The Rerader's Digest version:

    HR reviews the resume to see if the candidate meets the requirements.

    The hiring manager reviews the resume and may decide to interview the candidate.

    The candidate is hired - or not.

    The resume goes into the files, be they paper or electronic, with the intent that the information will be readily available in the future.

    And then the resume is forgotten.

It happens all the time, in all manner of organizations.

Case in point. I was on a contract when I learned that a fellow - a staff person - two doors down from my work area had business continuity experience.

I'm glad I got the job, but the client HAD AN EXCELLENT RESOURCE IN HOUSE.

The guy was doing something other than business continuity and no one either bothered to ASK if anyone in the area had business continuity experience or to check the resume database.

I was hired at one company as an IT business analyst, basically to go between my boss and his customers, people who he promised to give what HE wanted to give them.

Somewhere along the way, a decision was made at a pay grade far above my boss' that the organization needed a business continuity plan, something more than what a colorful Big Name company called "business continuity."

Anyway, I went flying into the boss' office waving my resume and pointing to 8 or so years business continuity experience.

I got to do the plan, my boss ignored the recommendations, the facility was closed for a week due to power outage, and my boss was transferred to a less desirable location. At this point I already was working elsewhere.

While ostensibly employed as a technical writer, my employer needed some marketing created. Having been a marketing director - that and $5 may buy a lousy cup of coffee - at another outfit, I volunteered my services - knowing that HR never read that part of my resume.

At another tech writer job, I reminded my boss that I one flacked for a university and we started some PR/marketing projects "in my spare time." Since I also was a former reporter/editor and printer, we starting producing an internal/external (to our distributors) newsletter, complete with black and white (read "inexpensive") co-op advertisements.

Many people have broad backgrounds, either as a vocation or avocation.

I know people who are HAMs - amateur radio operators who have all manner of equipment, mostly high frequency shortwave, but their knowledge of two-way communications covers the frequency spectrum. A great asset when considering two-way radio as an alternative communications option.

Once, between "real" jobs I worked tinning railroad "stuff."* At one point my boss offered to teach me to drive a forklift. I stupidly passed on the opportunity.

Turns out on my very next "real" job that talent would have been very useful; we needed to move some crates. We had a forklift, but no one - not my boss, not a co-worker, and of course not this scrivener - knew how to operate the machine. We had to wait - and wait and wait - until someone with the skills I could have acquired for free came to drive the forklift to move the crates.

All this leads up to a suggestion that risk management practitioners get to know as many of the folks as possible; chat with them; find out their interests, their backgrounds, their hidden talents and skills.

If you are working for a monster company where the folks on the third floor don't know the people on the sixth, make friends with HR and maybe, just maybe, they can help you identify those hidden attributes.

Or you can make it part of a risk management questionnaire, but be forewarned, in a monster company you'll be burning lots of midnight oil getting all this good information into a database on your computer.

But it could prove to be a very useful exercise.

* I also once worked pickling metal for a CIA front. I didn't know it was a CIA operation then, but it makes a good story now.  

If I wrote it, you may quote it.

Wednesday, September 21, 2011


My bosses made me do it


This will be short.

If you believe Jerome Kerviel, the Société Générale trader who allegedly lost billions for his company, the reason he managed to gamble so much at a time was because, he told Der Spiegel, his "supervisors had deactivated the system of alerts. If I had wanted to, I could have even invested €100 billion in a single day. My bosses removed all the safeguards off my computer."

The Der Spiegel article is online at,1518,729155,00.html.

According to Kerviel, his supervisors knew about his bogus trades. "Already in April 2007, they received an e-mail saying that I was making bogus trades with nonexistent counterparties on a massive scale. My bosses told me that I should take care of the problem. Over the course of 2007, they received many more e-mails on the same issue."

It should be noted that, again if Kerviel's claims are true, that the trader made billions for his employer by risking similar large amounts.

He came crashing down, perhaps bringing Société Générale with him, when be made several wrong bets and lost roughly €5 billion.

What could a risk management practitioner have done?

Aside from going to whatever authorities regulate trading in France, it would seem "not much."

Obviously - and again, if Kerviel is being honest - management was willing to close its eyes to his excessive and bogus trading - he had been making profits for the company after all - and turned off some of the risk prevention or limitation controls.

Could an auditor have discovered this?


Could email monitoring have uncovered it. Likely as Kerviel stated, "they (management) received many more e-mails on the same (bogus trades) issue."

It is often frustrating to advise management about risks and means to avoid or mitigate them only to have management either ignore the recommendations or to actually work to enhance the risk as Kerviel claims his management did at Société Générale.

It's worth reading the entire Der Spiegel interview with Kerviel.


If I wrote it, you may quote it

Tuesday, September 20, 2011


Partial risk list


I was putting together a short version of my BBA and MBA-targeted presentation Risk Management - an introduction and I started thinking about risks - a/k/a threats - that a risk management practitioner would identify, but that a business continuity practitioner probably would consider "out of scope."

There are only 76, but the list hardly is "all-inclusive." An " * " by an entry indicates a risk I would expect a business continuity practitioner to identify.

  1. Acquisitions

  2. Alternate site options *

  3. Alternate site - short term

  4. Alternate site - long term

  5. Auditors

  6. B&D insurance

  7. Business interruption insurance *

  8. Changes (personnel, processes, product, etc.)

  9. Chemicals - for processes, cleaning

  10. Civic events

  11. Clients/Customers

  12. Competition

  13. Compliance - all areas (HR, product, supplies)

  14. Construction

  15. Copyright, trademark issues

  16. Discrimination in workplace

  17. Disabled and the ADA

  18. Documentation (government-required, processes, product, etc.)

  19. Employee travel

  20. Employee welfare *

  21. Ethics

  22. Evacuation/Sheltering policies

  23. Family issues (domestic violence, illnesses, death, etc.)

  24. Financial vendors

  25. Fire *

  26. Flood *

  27. Government - Federal

  28. Government - Local

  29. Government - State/Provincial

  30. Harassment of/by employees

  31. HazMat on site *

  32. HazMat off-site

  33. Hiring practices

  34. Hurricanes *

  35. Injuries (staff, visitors)

  36. Image (corporate, executives)

  37. Industrial espionage

  38. In-place sheltering site and policies (safety, food, legal issues)

  39. Internal communications *

  40. IT failure *

  41. Legal

  42. Loss of facility other than fire, flood (plane, satellite crash)

  43. Management

  44. Marketing (false claims, etc.)

  45. Media response *

  46. Neighbors

  47. Planning and Zoning *

  48. Policies & procedures

  49. Politics

  50. Public relations *

  51. Regulators

  52. Relocation - to/from alternate site

  53. Remote recovery conditions

  54. Secondary strikes

  55. Security - data *

  56. Security - facility (inside and outside)

  57. Security - intellectual property

  58. Social media

  59. Special interests (e.g., ADA)

  60. Stock and bond markets

  61. Succession

  62. Supplemental staffing (vetting)

  63. Telecommunications failure *

  64. Terrorism

  65. Tornados *

  66. Training - incorrect, incomplete

  67. Transportation *

  68. Utilities *

  69. Vendors *

  70. Vendors - post-event

  71. Vendors' vendors

  72. Web site

  73. Work actions *

  74. Work actions - government agencies (fire, police, Customs)

  75. Work actions - secondary (vendors, transportation, etc.)


There always is a ubiquitous "other" that can be discovered during all-hands "What If" sessions. As this is written, Chicken Little's worst fears are coming to fruition - the sky is falling, or at least parts of a man-made satellite are bearing down the third planet from the sun. It can't be a "black swan" - or even a grey one - since you and I know about it.

PowerPoint short and long Risk Management presentations available to BBA and MBA programs.

If I wrote it, you may quote it.

Sunday, September 18, 2011


Evolution of a practitioner


The other day a fellow seemed to be challenging my bona fides, so I thought to put together how I happen to be an enterprise risk management practitioner.

I was introduced to risk management at the tender age of a few days.

I didn't know it then, but my first encounter with risk management was in the form of preventive medicine.


As I got older I was taken annually for check-ups and shots - still painful, but I was rewarded with a stick of Wrigley's Juicy Fruit chewing gum.

When I was old enough, I joined the (U.S.) Air Force.

More shots and vaccinations.

Somewhere along the line I encountered veterinary preventive medicine; I must have been on a work detail before starting a specialty school - I was to become a corpsman.

The Air Force drummed into me the need for risk management.

Not just preventive medicine, but as a way of life.

It also convinced me of the value of training, training, and more training.

When the Air Force and I parted company, risk management pretty much was forgotten.

But lessons die hard.

Back in the day I used to carry in the trunk of my car

  • 5 gallon can of gasoline

  • 5 gallon can of water

  • fire extinguisher

  • flares

plus the standard jack and spare tire.

In the glove box I had a flashlight and fuses.

Back then, leaded regular was about 50 cents-a-gallon so I could afford to give 5 gallons away if I encountered a stranded motorist.

I didn't realize it then, but I was practicing a level of risk management.

For a number of years I worked as a reporter and then as an editor, happily knocking across the country.

Sometimes the newspaper paid for my relocation, sometimes not.

I used to staple a note to my tax forms explaining why I had - or did not have - high fuel deductions. Back in the day, relocation expenses and job-related expenses - i.e., gasoline for a reporter on the beat - were tax deductable with a lot less paperwork. The note was "risk management"; I was never invited to an audit of my returns.

I went overseas as a reporter/editor and came back as a tech writer. I also had done a brief stint as a PR flack.

While overseas, I was documenting mil-spec equipment and systems.

The military - at least the militaries what bought our products - expected to maintain the products, beginning with preventive maintenance.

Preventive maintenance. Preventive medicine. The connection.

Still, risk management was, at best, an after thought.

Working as a contract technical writer, I was engaged to document a disaster recovery program for a national data network. While I did the job, I also bothered the DR pros to find out what DR was all about.

Interestingly enough, about 6 months after the project was completed, the network failed, but because of "our" work, it was quickly restored.

A little later I went to work for a consulting house as a tech writer.

One of our clients monitored data networks. Our client had told its client that it had a business continuity plan. When our client's client asked to SEE the plan, our client asked us to develop a plan "yesterday."

Fortunately for all concerned, we knew the client's operation and we managed to put together a solid continuation of operations plan with not one but two alternate sites; all sites were at least 1200 miles from each other so we could avoid environmental risks.

We - the Business Unit Manager (BUM), the Technical Manager, and this scrivener put the plan together in a matter of a few days. There was no training, no maintenance procedure, no extended contact list, and indeed no response plan other than to "redirect the data to Alternate Site A if available or Alternate Site B if A is not available.

If the communications link failed - and that was THE concern - there were alternate links and the techs could track down the break almost at their leisure.

In retrospect, it wasn't much of a plan, but it WAS a plan . . . of sorts.

Somehow our man in the state capitol managed to sell a business continuity project to a state department.

The company brought down a DRII certified practitioner from Canada to be the technical lead and installed a Project Manager to keep the books. Our girl-from-Canada brought along a fat binder of someone's How to Do Business Continuity instructions and forms; we quickly discovered they were of little use other than as general guidance.

This gig is where I learned to appreciate "all hands" meetings where people can play off each other as they think about risks to their processes and the resources they use to perform the processes.

Both the BUM and I decided certification might be a good idea - this is early 1999 and everyone was thinking Y2K, so I researched the options. DRII was well known, but it was highly recommended that an expensive pre-test course be taken to learn DRII's buzz words and alphabet soup. Then the candidate had to wait until a test venue could be set - testing was at specific sites at specific dates.

The alternative was Norm Harris' Certified Recovery Planner (CRP) certification. His Harris Institute, besides offering a more economical way to certification, appealed to me because DRII accused Harris of "selling" certification . . . while it was selling courses and certification. Pots and kettles.

Anyway, I took four increasingly difficult tests that were reviewed by none other than Norm Harris, a founding father of the industry. On one test I wrote an answer with which the pro disagreed. He called me from Ohio - I was in Florida - to explain the error of my ways.

There were, however two problems with my CRP certification.

Problem One: Hardly anyone outside of the industry knew about the CRP designation.

Problem Two: Norm sold his business, including the certification end, sealing the fate of the CRPs.

Once again I was looking for a suitable certification, and remembering the hassle (then) to get DRII certification I found The BCI, often incorrectly referred to as the British Continuity Institute.

At the time certification was based on what you knew and could prove. I paid the fee, provided the evidence, and became a Member of the BUSINESS Continuity Institute.

Meanwhile, I am working contracts for some Fortune 50 companies, a couple that owned banks so I became familiar with FFIEC expectations. I also worked for a municipal government, an energy developer, a shipping company, and a former leader in the defense industry. There were some other "odds and ends" and some interesting Y2K work to round out the background.

As I learned more and more about business continuity, I began to realize business continuity is too limited for what organizations need.

Business continuity looks, correctly, at the profit center. Then it expands out to the obvious resources - vendors, utilities, in-house resources, including InfoTech.

But business continuity rarely considers (alphabetically)

  • competition
  • customers
  • ethics
  • financial vendors
  • government regulation
  • image
  • policies and procedures
  • succession plans
  • travel
Being a former reporter I need to write and not being very good at keeping things to myself, I started writing Run Of Press (ROP) copy for the Disaster Recovery Journal (DRJ). Editor Jon has been running two John Glenn articles-a-year since, I think, 2004. The byline also has appeared in other professional, trade, and general media, but DRJ gets the bulk of the copy.

Today I fancy myself a mentor to tyros and someone with whom other practitioners compare notes.

Now, as Paul Harvey used to say, "you know the rest of the story."

Someday I may explain why the rabbit avatar.

Friday, September 16, 2011


Economics plan?


A person wrote on the DRJ Forum "Seeking business continuity industry recommendations - Should U.S. businesses begin developing a BCP that addresses impacts associated with economic decline?"

Gregg Jacobsen, a planner who has been around the block, correctly responded to the query. The question was "Should U.S. businesses begin developing a BCP that addresses impacts associated with economic decline?"

Gregg's answer was "No."

I went off on a tangent and explained HOW an economic downturn could impact an organization.

But I agree whole-heartedly with Gregg.

We do NOT need an "economics" specific plan any more than we need a "pandemic" specific plan or any other specific risk plan.

We do need to consider economic risks, but not in isolation.

Risk management, which is what business continuity is all about, must consider ALL risks, from whatever source.

We all know about "the usual suspects" as Capt. Louis Renault (Claude Rains) called them in Casa Blanca: environment, human error, and technology. (OK, Rains was referring to people off screen, but it's a good line.)

But there are others, many off the short range radar of business continuity, but very obvious when the focus is enterprise risk management.

Risks, to name just a few, include but are not limited to the following sampling::

  • Competition

  • Financial - the lender failing in the middle of a construction project or acquisition

  • Government regulations at all levels

  • Image - before general public, financial audience, stockholders, customers, vendors, industry

  • Legal - Law suits against the organization for any number of reasons including trademark infringement, copyright violations, intellectual property theft (either way), employee retaliation, and more

  • Military call up or conscription, even if only for local deployment

  • Municipal events that disrupt traffic (police, fire activity, parades)

  • Neighbors that may be targets of strikers, picketers for any reason

  • Succession

  • Vendors' vendors

  • Work actions - primary and secondary

A down turn in economics is a very real threat to all organizations.

Charity or non-profit? There is a mandate to do something. Feed the hungry from a food bank.

As the economy tanks, people give less and less. The number of hungry, at the same time, increases as people lose their jobs and with that their income.

The mandate did not "go away," it increased.

A number of lending institutions failed or were forced out of business by the government. Some of these lenders provided organizations with lines of credit so the organizations could expand.

True story. A Washington DC area contractor had a contract with the Federal government to construct an office building within a specified time period.

Like most contractors, he used a line of credit from his bank to buy materials and pay the workers before the government funds trickled in. Standard Operating Procedure (SOP) for many businesses, big and small, but particularly the small business.

Unfortunately, the contractor's bank failed and with the failure, his line of credit was no more.

No line of credit, no more materials purchases and no more paychecks for the employees.

Bottom line: construction is halted.

But wait. The government has a contract and that contract has financial penalties if the contractor fails to finish the project on time.

Seven words come to mind:

  1. Between
  2. a
  3. rock
  4. and
  5. a
  6. hard
  7. spot.

Some organizations that have a captive or near captive client base simply up their prices or nickel and dime their customers; some, like airlines, do both.

Even if the practitioner's organization is considered more or less safe from the downturn, consider what an economic meltdown does to the customer base.

Bank of America is slated to lay off 30,000 - thirty thousand - employees. That's 30,000 more people on the dole and 30,000 more people who will be hard pressed to pay their mortgage and buy all the groceries they were accustomed to buying, or filling up the flivver as often, or - pick an expenditure.

An economic downturn is very much a risk, but it is "just another risk" in the grand scheme of things.

The organization deserves an enterprise risk management plan, not an economic downturn plan or a pandemic plan or a strike plan or any other one-risk plan.

A risk is a risk is a risk (unless it's a threat, which is just a risk spelled differently).

Practitioners ferret out risks.

Practitioners find ways to avoid or mitigate (or transfer) the risks.

Practitioners prioritize the risks according to probability and impact.

Practitioners present their recommendations to management so management can

  • decide which recommendations to accept

  • set an implementation schedule for the accepted recommendations

  • establish a budget to accomplish the implementation

Creating a plan focused on a single risk is foolish on many fronts.

It ignores other risks.

It duplicates response documentation and, perhaps, training.

It's wasteful of time - the practitioner's time, the Subject Matter Experts' time, management's time.


If I wrote it, you may quote it.


  GREGG JACOBSEN comments:

Economic downturn as a risk is like sea level: it goes up, it goes down, as do all the boats thereupon. The real threat is making sure yours isn't leaky.

The leaks come in many forms, but going into business is itself a risk. The entrepreneur is betting he or she has that better mouse trap concept and gets friends and family, or a venture capital outfit to fund the boat-building effort. All risky stuff, but at the end of the story, it comes back to something Dunn and Bradstreet have been tracking for decades, and the year-to-year figures vary little: about 80% of business failures are the result of "mismanagement."

That word takes in a broad range of opportunities to screw up the enterprise, and yet it comes down to the most basic aspect of what I learned as a quality assurance practitioner in another life: PEOPLE are the single most cause of variability in any process. And variability means defects and failures, whiter in products or services. Th creepy thing is, it comes back to our old friends on the Blue Collar Comedy Tour: "You can't fix stupid."

Thursday, September 15, 2011


A few words re vendors

Modified on September 20, 2011 adding text. Additions are noted by an "*" at the beginning of a line.


  1. Fire and water restoration
  2. *Debris removal
  3. Paper dry out
  4. Facility repairs
  5. Electricians
  6. *Security
  7. Supplemental staffing agencies

    These are a few vendors most practitioners forget to include in the vendor list.

    These vendors become critical very quickly when fire or water damage occurs.

    Of course these are not the only people on the "Who are you gon'na call?" list, but they are at the top of the list once the Fire Marshal and Building Inspector give an all-clear to enter a damaged facility.

    These vendors are not dealt with every day, but it behooves organizations to get to know vendors in these fields long before a need arises.

    It also pays to check with them every so often to assure that

    1. they are still in business and
    2. that your organization is high on their list of preferred clients

    This means something more than an annual holiday greeting card.

    The risk management practitioner (who knows what "technical" questions to ask) and the Purchasing Manager should meet with potential vendors to determine the vendor's capabilities. The Purchasing Manager also should carefully check the vendor's references and look on-line comments about the vendor.

    Find out what the vendor charges for various services, how many people are on staff; how long has the vendor and its employees been doing what it is advertising.

    It might be wise to also (as "in addition to local vendors") consider "out-of-area" vendors who are willing to come to the organization's area in case a regional event either puts the vendor out of business or overloads the vendor's capacity.

    The need for fire and water restoration services is fairly obvious. *Likewise debris clean-up and removal. Even if a facility is intact and can be occupied, there may be post-event debris that must be cleared.

    Likewise the requirements for a structural engineer and an electrician.

    *Securing a damaged facility may be beyond the capabilities of the rent-a-cop company that normally guards the door. Fencing, bright lights, and possibly armed guards on patrol may be required. Local police normally only watch a facility for a brief period; they have other things to do like chase criminals.

    Supplemental or "casual" staffing agencies can provide the hands to move furniture, pull cable, and other non-technical work. Keep in mind that during restoration, some staff will be needed at an alternate site to keep the operation going, and some will be needed at the restoration site to supervise.

    Why, however, look for a vendor with experience drying out paper.

    The organization is, after all, almost paperless; everything is computerized.

    Here's a challenge.

    Ask each functional unit manager, and make sure to talk with HR and Finance, how many paper documents they have. HR has, among others, I-9 "right-to-work" forms that, if missing when a Federal investigator drops by, can result in a very steep fine.

    Trust me. Every organization has paper it must preserve.

    The vendors listed at the top of this entry really are just the tip of the proverbial iceberg.

    Consider just office equipment vendors:

      Copier acquisition, installation, and repair

      Lighting acquisition, installation, and repair

      Printer acquisition, installation, and repair

      Telephone installation and repair

    Talk a walk around the facility and consider "who are you gon'na call?" if the place is scorched or flooded. Even if there is no fire damage, smoke and smell can leave behind a mess, and mold soon finds a home with wet walls and carpets.

    When making up the vendor list, consider the usual suspects - the equipment vendors, the junk food vendors, the utility companies, etc., but also consider the ones that may be needed "in the event of."

  If I wrote it, you may quote it.

Wednesday, September 14, 2011


Random thoughts on plan creation

Never ending project

Enterprise risk management, a/k/a enterprise business continuity or Continuity Of OPerations - starts off as a project, but if it is to be successful - that is, if it is expected to help an organization survive a disaster event - it must become an on-going program, a series of "continuation" projects.

Every project needs a Very Senior Manager as its sponsor. The higher up the management ranks the sponsor, the more respect the program will inherit and the more cooperation will be forthcoming. This is especially true when risk management is first introduced.

Every project needs a Statement of Work (SOW) and a Project Plan..

This SOW and project plan needs to be created with cooperation from the sponsor and approved by the plan sponsor. Hopefully the sponsor's fellow executives will concur with the sponsor and word will "filter down" to the mid-level managers and line personnel that risk management is a good thing and will benefit all hands.

The best sponsor is a flag waver for risk management; someone who believes in the process and shares the belief with everyone from the Board to the vendors.

As with all projects, the risk management project must have reasonable, attainable goals - reached though the combined efforts of the sponsor and the practitioner.

Deliverables must be defined and include reviews by the Subject Matter Experts (SMEs) who provided information, and the sponsor.

Deliverables by name

My list of deliverables includes

  1. Proposal
    Even an in-house program can, perhaps should, start with a proposal. This is what needs to be done; this is how the organization will benefit. Here are a few concerns even before commencing a program.
  2. Statement of Work and Project Plan
    These contain basically the same general information. The SOW "spells it out" in general terms and while it includes anticipated phase completion dates, it rests on the Project Plan to set tracking and staffing parameters. The SOW's audience normally is the Executive Suite and the staff in general. The Project Plan is more for the Project Manager and the sponsor to track the project's progress. The PM will provide a status report to the sponsor at least once every two weeks. This assures that slippage will be identified and reported in time to eliminate problems or adjust expectations "because."
    Should the practitioner be the PM?
    I have worked both ways, and frankly, I learned a lot from having a PM on board. The only concern I have when a PM is named is making sure that we go together to report to the sponsor. Let the PM write the reports, but the practitioner needs to review these before they go to the sponsor, especially if the PM has little or no risk management experience..
  3. First plan deliverable
    The first scheduled plan deliverable is the Business Impact analysis.
    This is a misnomer since the deliverable includes
    • Identification of critical processes
    • Identification of identified risks or threats
    • Identification of means to avoid or mitigate the threats identified above
    • Prioritization of the risks or threats listed above.
    • Recommendations to avoid or mitigate risks or threats based upon impact on the organization and knowledge of the organization's direction
    Management will, in the end, make the decisions regarding what to implement, when to implement, and setting the implementation budget.

    While management is considering implementation of practitioner recommendations, the practitioner will create

    • Plan maintenance procedure
    • Staff awareness program
    • Exercise procedures
    • .

    The practitioner also should create risk management-related Policies and Procedures for such things as

    • alternate site expenses - limit or per diem
    • alternate site housing - how many to a room
    • communication between alternate site and management
    • communication between employee and family - any limits, who pays
    • conjugal visits - at home or on site, and who pays for transportation, after how long
    • education penalties - if employee is forced to abandon a course due to recovery requirements
    • insurance - is there someone to help family members file claims
    • maximum allowable work hours before required time off
    • on-site transportation - bus, taxi, rental vehicle
    • overtime compensation - pay, comp time, other
    • pay - how is it made, to whom (if direct deposit is not possible)
    • travel to/from alternate site

    By the way, many of these P&Ps apply equally to the responders remaining at the original site to restore the facility or establish a new facility.

    Policies and procedures need top management approval and should be vetted by Legal.

  4. Second plan deliverable
    This deliverable includes the response plan based upon managements' implementation decisions. The specific response plans - for all functional units - probably will vary somewhat from normal, day-to-day operations.
    Ideally, response plans will be one task-per-sheet of paper, with the preceding task identified in the header and the following task identified in the footer


    This deliverable also includes

    • Exercise policy
    • Maintenance procedure
    • Appendices (or addendum)
      1. Contact list
      2. Forms
      3. Relevant Policies and Procedures
      4. Other documents as deemed necessary


If I wrote it, you can quote it.

Tuesday, September 13, 2011


'Creating' a culture


There is an interesting blog article by Ron Ashkenas at titled You Can't Dictate Culture — but You Can Influence It.

Mr. Ashkenas' position is that "Leaders can influence behaviors in several ways — and by so doing shape the culture of their firms. Whether you are a CEO or a department manager, here are three steps that you can take:"

Two of the steps "Convey your vision of a winning culture" and "Demonstrate how new cultural behaviors can advance the business" are within the capability of the risk management practitioner. The third, "Put teeth into the new culture by integrating it into HR processes" is beyond our pay grade, but perhaps within that of the risk management program sponsor.

Convey your vision of a winning culture

    "What are the most critical behaviors that will characterize the culture you want to create?" the author asks. He then cites how Jack Welch "used the mantra of "speed, simplicity, and self-confidence" as the beacon for his transformation of GE's culture in the 1990's "

    We are not the head of the business but we do have a goal to make everyone aware of risks in their work and personal environment. Awareness + Action = Survival

    We, as risk management practitioners, can help develop this several ways.

    Most important, we can be seen doing our job - looking for threats to the organization.

    Putting up fancy posters won't do it, but being seen in action will.

    True stories

    I once worked for an Israeli company in the U.S. (Actually, I worked for several Israeli companies in the U.S., but as a risk management practitioner at only one.)

    I was concerned about flooding so I made a tour of the area looking for drains to draw off water that could be trapped between a blast berm and the building.

    The building had a lot of glass, and a number of people in the first floor call centers saw me walking around the building with my head down.

    When I came back inside, several approached me wondering just what I was doing.

    I explained and, having their attention, did a little flag waving for risk management.

    Another company that engaged my services was so much behind risk management that when it held the obligatory evacuation exercises it fed the troops - and took care of the practitioner, too. Great company.

    The difference between the two organizations is that the former disregarded the culture of awareness - and paid the price later - and the latter encouraged it.

Demonstrate how new cultural behaviors can advance the business

    For the risk management practitioner, that may be easier said than done, but it can be done.

    One of the contract managers at the Israeli company had piles and piles of hard copy contracts.

    My concern, and I convinced him it should be his as well, was that something could happen and the paper would be damaged or destroyed. How could the company prove it had a contract with ZYX Company?

    The risk management approach protected the documents AND lightened the contract manager's load.

    The solution was simple: digitize the contracts, including the signature page.

    The manager was concerned that a digital signature page would fail the test of authenticity, so the compromise was to digitize everything - scan it into a computer and backup the file to the servers which were backed up nightly - and send the hardcopy signature page to the back up archive along with the tapes. Now, when the contract manager went on the road to negotiate new contracts with the clients, he carried a CD with the contract that could be modified on the spot. A new signature page could be printed out and signed while everyone was gathered together.

    The contract manager became a believer - and shared his new found "faith" with his peers.

    Unfortunately, there are too many organizations - and it's been my misfortune to be a captive practitioner in several - that prefer to work against any effort to develop a culture conducive to risk management. Interestingly, several had suffered disasters, yet refused to learn any lessons.

Put teeth into the new culture by integrating it into HR processes

    According to Ashkenas, "People tend to do what's measured and rewarded. So a third step for building a new culture is to use the desired behaviors as criteria for hiring, promoting, rewarding, and developing people."

    About the best the practitioner can do is to suggest and promote this to management. To my mind, the emphasis should be on the carrot, not the stick.

    The company I commended earlier in this post insisted that everyone - staff, contractors, and the executive suite occupants - clear the building during evacuation exercises. Compare that with another organization that ignored rank-and-file staff hiding in the bathroom and - hard to believe but true - under a desk when an evacuation alert was sounded. Amazingly, the alert was announced, with day and time, two days before the event by large signs in the lobby. The people could have ridden the elevator down and taken their lunch just before the alarm sounded!

There ARE things we - practitioners - can do to wave the flag, to make people aware of risks. Many of the things are low budget items - do a survey to see who knows the location of the nearest fire extinguisher and who can name the two nearest exits. If you have someone with mobility issues, see if the person knows if the exit provides a paved path to the assembly area; it's tough pushing a wheelchair over mud or deep sand.

Promote buddy systems so that small groups of 5 to 10 employees keep an eye out for each other.

So far, the organization's budget is totally intact.

We DO need support from the executive suite. We are more likely to get that support if we can show progress without a hit on the budget.

Not everything will be free, but if management can see progress, maybe it can find a few coins for more "advanced" efforts. Cookies and coffee, maybe?

Monday, September 12, 2011


Management as risk


The other day in a closing remark I wrote management may be the biggest threat of all.

The remark was meant to be a little flip, but in retrospect, management may actually be a major risk.

I have worked several projects where management ignored the practitioner's recommendations.

Some of the projects were as in-house staff; some were as an external consultant.

Case in point

I was a staff employee reporting to the VP/MIS at one organization.

The company had hired a colorful Big Name company at its overseas headquarters to do "business continuity" for its worldwide operations.

As far as the colorful Big Name company was - and still is - concerned, "business continuity" equates to little more than disaster recovery.

But at least the Big Name company got the headquarters thinking about true business continuity.

My boss told me the company wanted a plan for its North American headquarters; I was to meet with him and the CFO to discuss what needed to be done.

To the VP/MIS, a "business continuity" plan should be done "at 20,000 feet."

Fortunately, the CFO understood that to be successful, business continuity must be done at the process - ground - level.

I created the plan and made a number of recommendations, among them being that the organization needed to increase its backup power supply output.

Generators were in place to keep the VP/MIS' servers working, but there was no power for

  • Special call center phones

  • Air conditioning - the building was "environmentally sound"

  • Desktop computers and monitors

  • Copiers and printers

  • Lighting

  • Other essential workplace equipment

A hurricane brushed by the facility and electricity was off for about 5 days.

The generator kept the servers serving, and the fuel vendor kept the tanks topped off.

But the building remained empty except for one hot and lonely guy in the data center who monitored the servers.


Because the VP/MIS chose to ignore my recommendations and somehow managed to convince the CFO to do the same.

I don't know how much it cost the company, but the VP/MIS was relocated to a less desirable location.

In this case, management was very much the risk.

In another instance, I was part of a consulting team.

We completed, despite less than enthusiastic support from Top Management, the first phase of a project for a state government department.

Unfortunately the second phase - the response and awareness sections - were considered too expensive so the plan died on the vine. A management decision.

Added September 19, 2011

Finally there was the retail chain that needed to document what was required to move its IT operation from Point A to alternate site Point B and then back to Point A again.

Management would call meetings and everyone would be present and accunted for - except management.

Nothing could be accomplished.

Finally, after three meetings sans critical management, I resigned from the engagement.

And then there are the good guys

On the other hand, some management takes risk management seriously.

One international company for which I created a plan thought it was fairly well situated. In truth it had done a number of "right" things.

But as I started asking questions I uncovered a number of "got'chas that no one had considered. Fortunately for me, my two bosses, the CIO and his second in command, were "risk management aware." They understood my concerns, even though most of the concerns were not IT related, and worked to see them mitigated.

Another client listened when I suggested it ought to ask its vendors for their (vendor) business continuity plans.

Heavily dependent on its vendors, it considered and acted upon my suggestion.

Each of its critical vendors complied. I critiqued each vendor plan and provided feedback to my client which then passed along the information to the vendor who submitted the plan.

It was a win-win-win situation: my client knew which vendors had a viable plan, the vendor got a free plan critique, and I gained knowledge by reading others' plans.

But apparently not many

As an in-house planner for a very large company, once an industry leader, I suggested to corporate management that someone should consider an enterprise risk management plan.

For my concern I nearly was terminated.

In my lowly division position I did manage to involve Facilities and Purchasing in the business continuity plans, a first, and I "discovered" that an agreement my division thought it had with another division to back up our operation "in the event of" was worth less than the paper it wasn't printed on - a handshake between two managers who had moved on. My management showed interest - for about 5 minutes and then dismissed the problem.

There ARE "risk management aware" managers and practitioners treasure these people. But too often the people who determine what will be done with a practitioner's information - no matter how much it cost the organization to develop - really only pay lip service to our recommendations.

I am reminded of the expression "A little knowledge of first aid is a dangerous thing."

Creating, but failing to implement, a plan may seem "good enough" to many managers, but in truth, such a plan provides a false sense of security.

In cases like that, management is the biggest threat of all.

Sunday, September 11, 2011


Mom 'n' Pop need
Survival Plan


The other day Theresa (Tess) Smalley posted a note to an Emergency Management list that reminds me that Mom-n-Pop operations need risk management plans, too.

It also reminds me that (a) most Mom-n-Pops cannot afford our corporate rates and (b) that we need sponsors to market our services to the Moms-n-Pops of the world.

Most Mom-n-Pop organizations don't need 200-page plans; there simply are not that many people working there and there are not that many processes to document and train responders to perform.

Instead of taking six to 12 months to create a plan as is typical for a Big Company, a good practitioner ought to be able to create a decent plan in, say, two weeks. Allow another week for the client to review the results and perhaps a day or two to do some minimal training.

Tess' story that prompts this is as follows:

    The story is about a private child care center that has about 100 customers. They got flooded in the remnants of Tropical Storm Lee. 4 feet of water came into the building then dissipated by morning. The center closed. They called parents late night/early morning to tell them that the center was closed. Most of the teachers and some parents showed up that morning to help clean. Many other parents that did not get the message showed up expecting to drop their child so that they could go to work. There was a lot of frustration and down right anger when they discovered that wasn't going to happen. Things that could have happened differently:
    1. There was a creek of some sort right behind the school, yet it had not occurred to the school that they might flood. They have no plans and no flood insurance.
    2. They do not seem to have as many after-hours contact numbers as they should. I'm sure they have daytime numbers since they need them if the kids are injured, but it is very possible they didn't recognize that there may be a very different number to call at 4am.
    3. They did not have a plan in place and when disaster struck, they did not think on their feet. They did not consider the impact to their customers, only the impact to themselves. Those teachers that showed up would have been better used setting up a temporary child care somewhere else (even if that meant renting a hotel conference room or moving in temporarily with another child care center). It was a waste to have these specialized professionals scooping mud while the parents were struggling to find alternate child care so that they don't miss work and get fired.
    4. They weren't willing and prepared to spend money to fix the problem, hence it is likely they'll lose a lot of their customers and could ultimately go under from it. They could easily have hired people to clean (for example) rather than re-purpose their teachers and thus free the teachers up to do child care.

OK, so who can market our services to Mom-n-Pops to generate enough business to keep us busy and pay our bills?

Two choices come quickly to mind.

Insurance companies' local agents, and accountants.

Insurance agents

Insurance agents should promote risk management to reduce their company's losses "in the event of."

Most Mom-n-Pop's probably don't carry business interruption insurance or Officer and Director insurance (although the second should be a consideration), but they DO carry the standard property and casualty (P&C) insurance and they pay into Workman's Compensation funds - more if there have been claims against the fund by employees.

Risk management would look at all risks to the operation. The same basic risks as for any organization, making certain to include employee safety. (Does that piece of mechanical gear have a guard device in place? Are there slip and fall possibilities that are less than obvious - and even if they are obvious, are they mitigated with signage or other warnings?)

As with most things "risk management," the practitioner might want to seek outside help from sundry Subject Matter Experts (SMEs), most of whom will provide their expertise gratis - free, even. I'm thinking of insurance adjustors, police for security, fire marshal for fire safety, building inspector for building safety, perhaps even someone from an environmental agency - is the facility in a flood plain?


Many Mom-n-Pops depend on Mom to keep the books, but most Moms are smart enough to seek assistance from a real accountant - certified or not - to make certain the books will pass government muster.

Accountants could offer risk management as a value added service. This is a win-win-win situation: the account wins by offering his client an opportunity to get a risk management plan from an accountant-approved practitioner; the client wins by getting an economical plan from a qualified practitioner, and of course the practitioner wins by having an income.

The practitioner performs the same service for the Mom-n-Pop no matter who - insurance agent or accountant - provides the lead.

What the practitioner must do

The practitioner needs to create a small brochure - this can be done on the home or office computer and copied at a quick print outlet. The brochure needs to be factual more than fancy; it needs to show how risk management can help an organization identify risks and suggest ways to avoid or mitigate the risks - without giving away the practitioner's expertise.

Next, the practitioner needs to introduce him/herself to the agents and accountants.

A smart practitioner might go in with some suggestions to the agent/accountant to show the practitioner is professional and experienced.

Bottom line: Mom-n-Pops need risk management as much as General Motors and General Foods. Mom-n-Pops need to be able to afford a risk management practitioner's services.

Risk management practitioners need to be kept busy- volume can make up for deflated hourly rates.

Friday, September 9, 2011


Value of tyros


As most readers of this blog are aware, I participate on a number of groups, forums, and lists.

Operative word is "participate."

For years I have encouraged newbies, tyros, to participate in exchanges on lists, forums, groups, et al.

The push back often was "I don't have anything to offer."

On the flip side of the "can't get the newbies to participate" coin are the novices - some with certifications ! - who ask questions easily answered with a little homework, researching the Internet for answers. These people, all too many of whom abound, tend to discourage real practitioners from polite responses.

Recently, however, there have been several thought-provoking questions raised by a tyro on LinkedIn's BCMIX - Business Continuity Management Information eXchange group.

The questioner is not all that new to risk management; she came to business continuity from DR, but she now finds herself in a real risk management role.

One of her questions

    Black Swans & BCP

    I’ve recently been given the opportunity to work with an EM/BC non-profit organization and I’m pretty excited about it.

    My first assignment was to write an article for their newsletter, which has now gone out, so I’m hoping to engage the community in a conversation and drive a bit of traffic to their Facebook site.

    If you wouldn’t mind sharing your thoughts on Black Swans & BCP, I’d appreciate it. Article below:

    In 2007, Nassim Nicholas Taleb published "The Black Swan: the impact of the highly improbable" and the term “Black Swan” entered the common parlance of the Business Continuity community. At the time, I assumed this was because:

    1. It was highly applicable to bcp
    2. The term was prominent in the minds of business leaders and something they could (painfully) relate to
    3. It spoke of loss and the need for resilience
    4. It’s pretty catchy

    However, having just read some of Taleb’s work, I have to ask “what does the Black Swan mean to business continuity?”

    Taleb describes a Black Swan event as having three characteristics; “it is an outlier, as it lies outside the realm of regular expectations, because nothing in the past can convincingly point to its possibility. Second, it carries an extreme impact. Third, in spite of its outlier status, human nature makes us concoct explanations for its occurrence after the fact, making it explainable and predictable.”

    Given these parameters, wouldn’t an alien invasion qualify as a Black Swan event?

    After all, aliens have been sneaking around stealing our socks, umbrellas and car keys for years. We should have known this would happen.

    OK, it’s a silly example but a good illustration of why I struggle with business continuity and the Black Swan. Where does the Black Swan leave us? Is it a get out of jail free card, a call to plan for the ‘impossible’ or something else altogether?

    Taleb tells us not to waste time trying to predict Black Swans but to build robustness against them. That sounds like business continuity and it is; vaguely. I say vaguely because Taleb is an economist discussing the world financial system. In his “Ten Principles for a Black Swan-robust Society”, Taleb offers advice such as “People who drove a school bus blindfolded (and crashed it) should never be given a new bus” and “don't let someone making an "incentive" bonus manage a nuclear plant - or your financial risk.” While indeed astute, I’m not really sure how to incorporate it into meaningful BCM output.

Obviously the questioner did her homework before putting her query to the group. As this is written, her question has generated more than 30 responses. What is better than 30 responses? Thirty responses that do not necessarily agree with one another, a situation guaranteed to cause practitioners to think about their positions.

Another question that got practitioner attention was

    Critical Worker Support Planning?

    Most of us have mission critical staff who must report to work shortly after a major incident and common sense suggests that they will only do so if they feel that their families are safe and secure. Since nonessential staff outnumber those required to support recovery, it makes sense (at least on paper) to try to leverage that pool and build some kind of critical employee support/assistance program. However, I don't see much written about this, so my questions are:

    1. Do you have plans to support critical workers?
    2. If so, what types of assistance are provided?

This query so far has generated six responses from senior or "very senior" practitioners.

Who certified this practitioner? To date she has avoided the certification wars (BCI vs. DRII vs. several new-on-the-scene).

The bottom line is that no matter if a person is a tyro or a well seasoned - I've always wondered with what seasoning - pro, everyone, without exception has something to offer, if only a thought-provoking question.

Thursday, September 8, 2011


One more concern


"Suicide by Chemical, the title of a video brought to my attention on an Emergency Management list I read, is aimed toward first responders - fire, police, EMTs.

But because my mind works in "different" directions, I started thinking:

    If a person who wants to commit suicide can go to a couple of local stores and by all the individually harmless products needed to make a killing gas, what's to stop a potential terrorist - and that can be a disgruntled (ex)employee - from compounding similar products to sicken or kill people where we work?"

Every housewife and bachelor knows - OK, should know - that bleach and ammonia are never mixed together. The fumes can kill.

Since it has become difficult for potential bombers to acquire their preferred materials, a fertilizer mix, expect them to check the World Wide Web for other options.

I can remember as a kid stories of two-compartment vials of chemicals that, when the vial was shattered and the chemicals mixed, an explosion resulted. OK, that was tv and movie serials, but the idea was, and remains, valid.

Fortunately, for the chemicals used in "suicide by chemical" cases, the area of effectiveness must be both (relatively) small and enclosed.

But consider.

The materials are easily acquired.

The materials can be easily concealed, either separately or together in a two-part vial or even a vacuum bottle - in other words, easily brought into the work place.

To the best of my knowledge "murder by chemical" is not on any terrorist's list of favored weapons, but it behooves risk management practitioners to consider the possibility now and to think of ways to avoid or mitigate the threat - without violating anyone's 'civil rights'.

What can be done to prevent an incident?

What can be done if an incident occurs. What is needed.

Think PPE - Personal Protective Equipment - for one or two people.

Think procedures to clear an area so that innocent people are protected from gases given off by the victims and their clothing.

Think procedures to notify whatever organization is equipped to handle hazmat incidents - usually the fire department - and the police, making certain to warn the responders of the potentially lethal chemicals.

Is the threat likely? At this point, probably not.

But as the video, "Suicide by Chemical," points out, the How To information is on the Internet for all to see.

Nothing is simple, but we are expected to anticipate the threats - no excuse for any black, or even grey, swans - and to develop means to deal with the threats.

Whether or not management agrees is another matter (and management may be the biggest threat of all, but don't quote me on that).

Wednesday, September 7, 2011


The power of people


Risk management - under any name - should never be performed in a vacuum.

A proposal might be written by one person acting alone, but as a former proposal writer, I can tell you that is far less than optimal. Perhaps one person in 1,000 can catch their own typos and grammatical faux pas. Spell check helps, but spell check can't determine which "to/too/two" or "there/their" is appropriate or that "no" should be "now", or even that a negative needs to be inserted to convey what is meant, not what is not meant.

The Statement of Work and Project Plan need input from the client, be the practitioner internal or external - in-house or out-house? Input and approval.

Everyone from Most Senior Management to Newest Mailroom Intern should be involved in ferreting out threats to the organization. Each person has his or her own perspective of the job and of the organization.

Likewise everyone should be involved in searching for ways to avoid or mitigate a threat.

At one time a person in the U.S. or Canada was employed at one job all their working days. I once had a manager who got his job on an uncle's recommendation and when I met the man, he was already into his 30th years with the company. But he is - or was - the exception.

Most people today bring a potpourri of experience to their current job.

Sadly, most resumes, once the person is hired, are filed away and all experience relating to anything but the current job is ignored. I once worked a business continuity job for a city. The guy two offices down from my temporary home had business continuity experience, but no one asked for his help (until I "discovered" the resource).

Today's entry is prompted by several things.

One is the massive fires in Texas; another is a communications thread on LinkedIn.

Texas fire - more than flames

The fires currently raging in Texas - the tv talking head just told me the acreage is about the same as the size of Connecticut - boggles the mind, but I am certain the Emergency Management people have a handle on what can be done and what is being done.

But think for a moment of the organizations who depend upon the people whose homes - or the homes of their kin - are endangered. Think about the organization's facility.

What can be done to support the staff, an organization's most important asset? If staff are worried about their homes - or finding a new home if theirs was burned - they won't work at peak efficiency.

Assume for a moment that the facility is safely out of the fire's path. What about the highways and byways lading to the facility? Can people get to the building? Can vendors deliver? What are the options.

The practitioner can think of some, perhaps many, but there always is "another way to meet the threat." That's why "all hands" sessions are important.

Sanhedrin approach - an aside

Several thousand years ago - give or take a century - when Jewish kings ruled Israel, there was a "supreme court" of 71 elders. This court was called the Great Sanhedrin to set it apart from smaller courts consisting of 23 judges.

As with most courts, the sanhedrins had junior members, members, and senior members.

Unlike some courts, the sanhedrins had an interesting rule: When it came time to decide an issue, the most junior member spoke first. The next-most-junior member gave his opinion next and so on until the court's president - the most senior member - gave his opinion.


The reasoning was that if the president gave his opinion first, those of "lesser rank" would feel obliged to agree with the president.

This normally is a good rule to follow when looking for threats and ways to avoid or mitigate them. Sometimes, however, the practitioner needs a senior member to "prime the pump," to get people talking.

I used this approach with some success when working on a plan for my favorite state's government.

Communication options

The LinkedIn poster started off with a general question:

"Many Blue Chips rely on the Cell network or VPN as a BC option. Given that government agencies can throttle or switch off the networks during a MI, is it still a good idea?"

The query generated a number of responses - 17 as this is prepared.

There were those who suggested cell phones were perhaps less than optimal; some folks noted that Hurricane Irene proved that, while others reminded that on 9/11 (2001) the circuits were jammed and the cell phones were useless.

Others promoted satellite phones - expensive to own and operate, but almost guaranteed to work - almost guaranteed.

One person was pitching a self-contained product that he promised could connect to everything.

Several were concerned with government control of the airwaves; could communications be "throttled down" to make frequencies available for government agencies.

Two-way radio was suggested. Someone thought towers were needed for antennae - they are not; handheld radios include antennas and even shortwave sets can work effectively with slant-wire aerials. Two-way radios can even be networked.

No one suggested two tin cans and a string, semaphore flags, or strong lights. Obviously the first option is facetious, but the flags and lights are legitimate; the only problem being people at both ends need to understand the code.

The LinkedIn exchanges are a worldwide version of an all-hands meeting. You get some off-the-wall suggestions that need to be considered, and you get information about things that have been tried and either succeeded or failed - and why.