Wednesday, October 19, 2011


Employer responsibilities?


There is a debate going on at LinkedIn's "BCMIX - Business Continuity Management Information eXchange".

The thread has the rather long title of "U. Delaware: First Responders will report to duty but need assistance with family support and resources and thorough protective equipment training, UD discovered in Mid-Atlantic regional study."

The essence of the thread is "what needs to be done for employees to assure they will report to work" and is linked to a ScienceDaily article titled "Emergency Workers Will Respond: Study Shows First Responders Will Report to Duty, but Need Assistance With Family Matters."

OK, having gotten all the source references out of the way, I will offer my list of things I think an employer should consider:

    This should come as NO surprise to any risk management practitioner. Most people will justifiably worry about their kin before their job. To mitigate that, we have primary and alternate responders. That lessens the load on all responders - jobs can be handed off after short shifts. We also must be concerned with burn-out and management must recognize this danger and avoid it by limiting work to a reasonable-under-the-circumstances time, say 12 hours, 16 maximum, and require at least an 8-hour "off" period. This must be cast into Policy and Procedures concrete (along with other "event-related" P&Ps). Organizations, realizing responders - both local and at an alternate site - need family time (just as soldiers need R&R), need to get this into P&Ps long before an event so that everyone knows what to expect.

Two ladies whom I respect joined in as follows:

Lady #1: The suggestion which emerged was actually that the employers of the first responders help prepare the families in advance and organize support and resources for spouses.

Lady #2, adding to Lady #1's comment, noted "This is why a 'critical worker support plan' is needed. If we don't build it, they won't come. Would you? Work is a paycheck. It has no chance of competing with the people we love or the need to reestablish family security ASAP. Even when work is a 'calling', there's a breaking point."

Lady #1 is an attorney with interests in Strategic Assessment & Conciliation.

Lady #2 is a business continuity planner for a government agency.

My comment to the ladies - and I really like these two people - was as follows:

    OK - so HR and management need to be involved (as well as unions if they are present) to determine - and publicize - what the organization will do for the staff re family support; e.g., hand-deliver checks to IDed-by-staff kin, who is considered "kin" (may be determined by law), medical/health insurance assistance and perhaps transportation to/from medical facilities; maybe supermarket runs (some families have only one vehicle and public transportation either is distant {bus, train lines} or expensive {taxis}) or reimbursement for transport charges. The foregoing is NOT "all inclusive" by any means. IMO, HR always needs to be involved in all risk management planning.

Here Lady #2 responds that "if you have been through a major disaster, from a hurricane to wildfire to tornado to 9/11, what is really needed to get critical staff in to work is a company commitment to such things as:

and then she proceeded to list her requirements; my responses are included.

    - evacuate staff's families ahead of rising water or spreading flame

      (jg) That's the employee's responsibility. The organization may offer to assist with transportation, housing, and other per diem subsidies, but in this economy, I would doubt it. It is more likely to evacuate/relocate staff WITH family to the alternate site.

    - send out crews, commercial if necessary, to

    -board windows

      (jg) Home owner's responsibility. I have accordion shutters, my neighbors "board up" using metal or ply board (a PITA in the wind). I doubt there are enough contractors in the area to meet the demand by people who are unable to DIY (absentee owners, high-floor condo owners, invalids, etc.) The days of the Company Town (McGill NV), when the company sent out a guy to change a light bulb, are long gone.

    -cover damaged structures with tarps and plastic

      (jg) Home owner's responsibility. The insurance company will argue that the home owner should mitigate damage by covering holes, but if the owner is one of the above or cannot beg, borrow, buy, or steal a tarpaulin or ladder sufficient to reach the roof, or if the winds are dangerously strong, in the end, the insurer will pay to close the hole and repair related damage. (Common event where I live.)

    -salvage homes from water, mud, smoke, fire

      (jg) Home owner's responsibility. The employer may have a list of "approved" vendors (if not, FEMA and the state do) and the approved vendors may give a discount to the employee, but contracting for the work, supervising the work, inspecting the work, and paying for the work is not a corporate responsibility.

    -install portable generators

      (jg) Home owner's responsibility. Someone would have to stockpile hundreds of generators, make sure they functioned and were fueled - and what about fuel; who is supposed to see that the tank is topped off (and how big a tank is needed?). Most assuredly not a company responsibility.

    -remove fallen trees and debris from homes, power lines (when the power company refuses)

      (jg) Debris removal from public areas (streets, sidewalks) is a government function. Debris removal from private property is the (you guessed it) home owner's responsibility.
      I have NEVER seen any power company anywhere - and I have "lived around" - refuse to deal with downed wires, live or not, nor have I ever encountered a gas company that didn't respond to a reported/suspected leak. Maybe in NYC or California, but not in VA (Dominion's really good) or Florida (FP&L is excellent).

    - deliver MRE's, water, dry ice, and survival goods

      (jg) Staples (food, water, ice) normally are provided by do-gooder agencies - Salvation Army, ARC, etc.; Procter & Gamble brings in the laundromat-on-wheels (great idea, BTW). As for MREs, if you MUST have MREs, please avoid the self-heating ones (La Briute as an example). They are a storage fire hazard (ask the U.S. Army). My Own Meals are, according to the firm's owner, edible cold (and she personally samples them that way - the lady is one of my sources).

    - evacuate, house and aid reclamation for families whose housing is destroyed

      (jg) Partially addressed above (first of your dash lines). Otherwise the home owner's responsibility - doing battle with the insurance companies. A generous employer may give some (paid? unpaid?) time off to battle the insurers.

    - ensure electronic deposit of paychecks and reimbursement checks (although notoriously after 9/11 one financial services company suspended all salary and other payments to the families of hundreds of dead workers)

      (jg) How can electronic deposits be "ensured" if the WWW is down at any point: the check writer's, the financial institution. How much will be paid? Logged hours? Previous pay period (typical), average for year? (With differences cleared up later.) Since I cannot guarantee electronic fund transfer, I might write a check or issue a voucher/promissory note, but to whom shall I give the document? Spouse who may be estranged? "Significant other?" Who may be considered a "partner" might be determined by local law. I covered this in my post.

    - coordinate searches of hospitals and morgues for injured and dead staff and family

      (jg) The do-gooder agencies already do this; the employee can contact them; this is not an employer function.

    - provide medivac and crisis transport of injured, dying and dead staff and family.

      (jg) Most employers, other than the Federal government, lack suitable aircraft and ground transport for this function; even if the employer wanted to take on the task, there probably are insufficient vehicles to move injured. Moving the dead is something that can be done only after a Coroner/Medical Examiner/doctor declares the person deceased, in which case the government or funeral home would move the body; this is not an employer function, even in "normal" times.

    That's what people are really doing back at home. It's no walk in the park.

I don't know of any organization, anywhere, with the possible exception of government-funded agencies, who provide what Lady #1 thinks employers should provide.

I include employee welfare in all my plans, but I stop short of what I term "employer socialism," a term I hasten to add that Lady #1 emphatically rejects.

So the question to followers of this blog: Are Lady #1's expectations - I won't call them "demands" - realistic for any non-government-funded organization?

Does anyone know of any non-government-funded organization that satisfies Lady #1's wishes?

Either way, the address is JohnGlennMBCI at gmail dot com.

If I wrote it, you may quote it.

Monday, October 17, 2011


Importers put on notice - again


The husband of a woman who apparently died following an accident on an untested inflatable pool slide was awarded US$20.6 million by a Salem (MA) Superior Court jury.

According to an article in The Salem News, Toys "R" Us sold a Chinese-made Banzai Falls inflatable pool slide via Amazon. The 6-foot slide was installed in an in-ground pool.

The jury ruled that Toys "R" Us was responsible for the death five years ago of a 29-year-old wife and mother. Amazon and the slide's manufacturer, SLB Toys USA, settled with the survivors for an undisclosed amount.

Meanwhile, Wal-Mart and the Chinese manufacturer are being sued following a similar accident in Missouri that left a man a quadriplegic.

Court records note that more than 4,000 of the slides have been sold in the U.S.

Once again

Courts are holding importers and retailers responsible for the products they handle.

This is becoming a regular message in this blog space.

According to The Salem News article, Toys "R" Us apparently failed to have its Chinese testing company test the slide for compliance with U.S. safety rules. Toys "R" Us contended that the slide, since it is inflatable, did not need to be tested. Federal standards require testing.

The complete article can be read on The Salem News' Web site (ibid.).

The bottom line is that any business that touches a product that is blamed - no proof necessary - for causing death, injury, or financial loss (e.g., Chinese wall board) can find itself in court. Even if it prevails, there are both financial and reputational damages to overcome. If it loses, there can be - as in the Salem MA instance - hefty penalties.

There may not be any 100 percent protection, but unless the organizations that "touch" the product perform "due diligence" and either test or confirm that another organization along the supply chain has tested the product for compliance with both federal and local laws, all organizations are at risk.

Will a 1-in-1000 unit sampling be sufficient?

In the case of the Banzai Falls, a 1:1000 sampling ratio would be considered insufficient. Perhaps 1:100 would be valid. In the specific Banzai Falls case, just one test to U.S. safety standards might have been sufficient to identify the problem that is alleged to have caused at least one death and one spinal cord injury. (The accident details are on the newspaper's Web site.)

With 4,000 units scattered around the U.S., and with multiple retailers (Wal-Mart, Toys "R" Us, and perhaps others), the importer would seem to have the greatest responsibility for testing. The courts, at least the one in Salem MA, apparently believe the retailer should bear the financial burden.

Even Amazon, which apparently only provided a link to the Toys "R" Us advertisement, ended up as a defendant in the Salem case.

If I wrote it, you may quote it

Sunday, October 16, 2011


Note worthy


Today's AdvisenFPN offered a couple of noteworthy items.

First, from the New York Times, an article headlined Bits: Stanford Researcher Finds Lots of Leaky Web Sites.

The NYT article tells us that scientists at Stanford University discovered that

  • If you type a wrong password into the Web site of The Wall Street Journal, it turns out that your e-mail address quietly slips out to seven unrelated Web sites.

  • Sign on to NBC and, likewise, seven other companies can capture your e-mail address.

  • Click on an ad on and your first name and user ID are instantly revealed to 13 other companies

These are, according to the Center for Internet and Society at Stanford Law School, among the leaks found on 185 top Web sites.

If the rest of the Times' copy is accurate, it's all downhill from there.

The entire document is on the NYT Web site.

Next, in an in-house story headlined Top Cyber Losses Are Not All Hacks!, Advisen's Research & Editorial group writes that "Not every headline-grabbing cyber loss is caused by sophisticated hackers. A case in point is one of the latest actions captured in Advisen's MSCAd Loss Events database—a $20 million suit against Stanford Hospital & Clinics."

    As reported in last Friday's FPN edition, in an article titled "How Did Data About Patients Land on Web? Don't Even Ask," the hospital acknowledged that a breach of 20,000 records occurred on Sept. 8, 2011. The convoluted series of events leading to the breach had no hacker in sight. Instead, a job applicant for a marketing firm posted a spreadsheet containing the medical records on a homework-help website, seeking advice on how to convert the spreadsheet information into a graph. The marketing firm offering the job was a vendor for the hospital's billing contractor.

By the way, asking "The World" for help to accomplish something seems to be an everyday event, especially if you watch the social networks, even the ones with a professional demeanor.

According to Advisen's MSCAd database, more than half of the largest known data breach events, potentially compromising millions of identities, have resulted from lost CDs and hard drives, stolen laptops, and missing storage tapes.

That doesn't mean that hackers are not a concern, only that hackers should not be the ONLY concern.

Included among the victims are large U.S. financial institutions, private companies abroad, and government agencies in the U.S. and Canada.

A sampling of NON-HACKER damage includes:

  • Data CDs lost in transit

  • Data DVD and CD improperly disposed of, found on street

  • Data storage tapes lost in transit

  • Identity theft by help desk worker, ran up $50m of fraudulent charges

  • Identity theft from unauthorized sale of customer data

  • Identity theft resulting in re-routing of policy proceeds, through call center

  • Illegal access by employees & outsiders to credit history data

  • Laptop stolen from employee's home

  • Lost hard disk drive

  • Stolen microfiche tax records

  • Unauthorized distribution/sale of personal & financial consumer data

The point being that protecting data is not just an InfoTech function or even a Security function. It is most assuredly a risk management function.

In the above bullet list, how much damage might have been avoided by personnel training and awareness? How much by having, and enforcing, policies and procedures to protect data?

While I am a risk management subject matter "expert," I am not a security guru.

Sunday, October 9, 2011


No experience necessary


As most readers who frequent this blog know, I am active on a number of lists and forums.

Today I was reading an appeal from a consultant with a Big Name Company.

Our poster, who, it turns out misspelled "consultant" and "architect" on his bio, asked the group for exercise scenarios.

Now this person claims to have been around the IT block for a number of years and worked with companies whose names most of us recognize.

There is nothing in his recent job titles to indicate any experience with business continuity but he does claim "IT Disaster Recovery" experience.

Today, the consultant is a "lead technology architect."

The questions I have to ask are:

    WHY does his organization put a person in a position for which he obviously is not qualified?

    WHY does the person turn to the groups rather than his consultant peers in his company? Is no one qualified?

    WHY, if this person has been "around-the-block" enough times, does he need help coming up with scenarios; he's not asking for exercise plans, just ideas. What, after all, can possibly go wrong, go wrong, go . . .

I have known of companies who promote a journeyman IT staffer to a business continuity function sans any knowledge of business continuity on the victim's part - and I use "victim" deliberately since the person is being thrown to the wolves. Of course in those conditions, everyone in the organization is being thrown to the wolves.

I'm more than willing to help newbies, especially if the newbie makes an effort on his or her own behalf.

Most "senior practitioners" feel likewise.

But my peers and I take umbrage - usually with our morning coffee - when a person represented as an expert (consultants are, after all, supposed to be experts, that's why they get the Big Bucks) has to appeal to the masses for some really basic information.

Worse, the poster should have a multitude of resources available within the organization; again, it is a Big Name company. If not, then I have some names of people the Big Name company should engage if it intends to market risk management, even if only IT disaster recovery; these true experts can mentor others to develop a well-trained cadre of competent consultants.

If I wrote it, you may quote it

Thursday, October 6, 2011


Experience pays


In a very short AP article picked up by AdvisenFPN, a lawyer is claiming that the cause of the crash of Air France Flight 447 from Rio to Paris was faulty data fed to the air crew by the Airbus' computers.

Both the airline and the aircraft maker are charged in France with involuntary homicide for the crash that killed all 228 on board.

According to French accident investigators the accident occurred when poorly trained pilots reacted exactly as they should not have by pointing the plane's nose up instead of down when it stalled over the Atlantic.

However, the report also noted that the aircrew was dealing with bad weather, faulty sensors, incoherent speed readings, and a cacophony of alarms.

Compare the fatal Air France crash with the US Airways crash into the Hudson.

The difference, if the French government agency is to be believed, can be summed up in one word:


The difference between an efficient and expeditious recovery and an over-budget, over-time recovery can be summed up in the same word.

Training - exercises - cannot be emphasized enough.

The problem is that a person knowing how to perform day-to-day operations may not - indeed, probably will not - know how to perform "similar" functions when responding to an event.

I discovered while working for a former top-tier defense contractor that things taken for granted can sometimes foul up the works.

For example, rebuilding a computer.

    Where is the media?

    Where are the licenses if needed?

    Where are the installation instructions? (They should be in the Plan document, but . . .)

By the way, if restoration depends on Internet-accessible information, how can the Internet be accessed if the data center is ash? Run to Starbucks for WiFi connectivity?

Capt. Chesley "Sully" Sullenberger and his US Airways crew drilled and drilled and drilled some more on emergency situations to the point that the flight deck crew knew when to believe or ignore instrumentation.

Granted, the US Airways flight was not well off-shore over an ocean and not at altitude - had those conditions been the case, the flight might have ended tragically, but perhaps not.

When Canada moved from Imperial gallons to liters, there was a foul-up on a Boeing's fuel capacity.

On a cross-country flight, the jet's tanks ran dry.

But because the pilot was well trained, he managed to glide the aircraft safely to the ground from its normal altitude of 30-plus thousand feet. (Its glide ratio of 17:1 is about 17 feet forward for every 1 foot in altitude.)

Actually that was "no big deal"; the space shuttles glide in from a much higher altitude. (Glide ratio is about 1:1)

In all three cases, US Airways, the Canadian jet, and the space shuttles, the one thing that these crews had that, apparently, the Air France crew lacked was TRAINING.

Not training to snooze through a routine, mostly on auto-pilot flight, but training to handle complex and unusual situations.

Not training to come into an office, turn on a computer and use a special phone in a call center, but training to go to an alternate site and perhaps use a pencil and paper to record call activity until IT can restore links to a database.

Exercises can be expensive - they take personnel away from their "real" jobs for the duration - but in the long run, exercises can be the difference between a successful, rapid recovery and no recovery.

Afterthought. Experience also pays handsome dividends when engaging a risk practitioner, someone who knows where to look for threats to "business as usual."

If I wrote it, you may quote it

Sunday, October 2, 2011




Two articles on the same day in the AdvisenFPN bulletin addressed the issue of "intellectual-property."

The first, headlined DuPont Wins Nearly $1 Billion In Secrets Case, reports that a court awarded DuPont US$919.9 million in damages for a Korean company's alleged theft of secrets regarding the manufacture of Kevlar body armor.

The second, with the head SAP will pay fine of $20 million in Oracle copyright case, details how Germany's SAP AG agreed to pay a criminal penalty of US$20 million for stealing secrets from Oracle. Oracle still has a civil suit against SAP and is seeking additional financial penalties against the Germans.

For a risk management practitioner, these stories raise a two-sided concern.

Side One: Don't be a victim.

    In the DuPont Kevlar case, DuPont claims the Korean company, Kolon, acquired its trade secrets by hiring and attempting to hire former DuPont employees. There was no mention in the article, originally in the Wall Street Journal, of any Non-Disclosure Agreements (NDAs) or indication that DuPont was suing any former employees.

    Kolon has filed an anti-trust suit against DuPont; the article did not provide specifics.

    In the Oracle secrets case, reported in the San Jose Mercury News, SAP admitted its personnel "accessed Oracle's computers without permission and made thousands of unauthorized copies of Oracle's software."

Side Two: Don't spy on the competition.

    It's tempting to try and gain an advantage through someone else's effort, as SAP admitted to doing, but it's expensive.

    Being able to define what is a "kosher" way to acquire information about a rival and its products - and in the case of international organizations and patents, this can include a number of laws, some of which may be in conflict with others - is what keeps patent lawyers in business.

    Even if the defendant - your company - prevails, the company bottom line takes a hit with lawyers and expert witness fees.

Industrial espionage is big business and it is a specialty business.

The risk management practitioner needs to know the risks are there and the practitioner needs to make the risks known to management.

Most risk management practitioners that I know are not industrial espionage experts - nor are they financial gurus or HR mavens or ... They ARE risk management Subject Matter Experts - people who know to whom to turn for expert advice.