Wednesday, November 30, 2011


Damage Control

GM makes it work


Image can be critical to an organization's bottom line.

    Ask Toyota.

    Ask Ford and Firestone.

Since a damaged "image" can have a severe impact on an organization - any organization, even ones that depend on donors, think charities and blood banks - things that can lower the image in the eyes of "The World" must be considered risks.

Sometimes, as in the case of General Motors and its "fire after an accident" Chevy Volt, the risk cannot be prevented.

But it can - it must - be mitigated.

Everyone knows the story of Toyota's acceleration problems and how Toyota dragged its heels publicly in dealing with the issue.

Many will recall the Ford-Firestone finger pointing when Explorer SUVs started "turning turtle." Rather than immediately move to replace Firestone tires then suspected of being either the cause or a contributing factor in the roll-overs, Ford and Firestone got into a PR battle as Explorers continued to tip over.

Ford finally replaced all Firestone tires on all Explorers but no one accepted blame for a bad combination of vehicle and tires.

One of my frequent admonishments to people who expect a risk management plan to be perfect before the first exercise is "Nothing is perfect the first time out."

No matter how expert the practitioner; no matter how conscientious the Subject Matter Experts, something always is overlooked and discovered only during an exercise. Nothing is perfect the first time out. Nothing.

GM found that out with its Chevy Volt.

According to a Los Angeles Times article titled GM learns from Toyota how not to handle a crisis (see,0,4124119.story), "After reports of fires in Volt electric vehicles that had been crash-tested, GM put the communications pedal to the metal — unlike Toyota, which responded slowly and ineffectually to its sudden-acceleration crisis."

The Times piece detailed the Volt's problem - fires that followed test crashes of its Chevrolet Volt electric vehicles - and what GM was doing to give its customers a "warm fuzzy feeling" toward the company, the brand (Chevrolet), and the specific vehicle (Volt).

GM apparently wants to avoid looking like Toyota, yet it is taking a leaf from Toyota's book from better days. GM is offering Volt owners free loaners until the "fire after an accident" issue is resolved. Toyota did something similar when it introduced it's high-end Lexus model and discovered a couple of problems. According to the Times, "Toyota had Lexus dealers deliver loaners to people's homes, repaired the recalled cars and returned them washed, detailed and with a full tank of gas"

Was Toyota's quick action appropriate? Count the number of Lexus vehicles in the neighborhood.

Understanding that (a) nothing is perfect the first time out and (b) that "things" will happen, the smart risk management practitioner recommends that "generic" scripts be created for possible image gremlins, and works with executive management, legal, and corporate communications/PR so that when - not "if" but "when" - an issue arises the organization can respond quickly.

The organization will have at least an outline of what to say, it will know who is capable of delivering the message (and who might freeze before an audience), and the spokes person will have practiced message presentation.

A really sharp practitioner also will recommend that multiple presentations be prepared to different audiences - all having the same basic content - audiences that include

  • customers

  • employees

  • financial backers (stockholders, lenders, etc.)

  • local media

  • national media

  • regulators

  • trade associations

  • vendors

As an aside, the reason for separating the media into "local" and "national" is to assure that the local media are not slighted. The national media reporters will go home once the story starts having "second day leeds" (cq); the organization will have to deal with the local press for the long term; treat the local reporters kindly. This scrivener once was "local press."

As with most risks, threats to the organization's image can be mitigated but, as with most risks, responses must be planned and practiced, exercised.

It is said that a person's greatest asset is his name.

That applies equally to an organization.

If I wrote it, you may quote it.

Longer articles at

Monday, November 28, 2011


Government as risk


It's not the first time I have suggested that government - at all levels - should be considered a risk to the organization.

Usually we think of government making a rule that restricts the organization's business or adds additional regulations . . . and costs.

Sometimes, though, government may reduce or eliminate regulation.

According to an AdvisenFPN article that first appeared in the Wall Street Journal ( titled Critics Target Bribery Law , corporate America's top lobbyists are trying to limit the Foreign Corrupt Practices Act of 1977, a/k/a FCPA.

In a Joe Palazzolo-bylined article, the WSJ reports that the effort against FCPA has risen to the top of the lobbyists' agenda, sparking a widespread debate about how the legislation is enforced. The reason for the corporate war on FCPA: "In the past five years, a remarkable run of enforcement of the U.S. law has led to about $4 billion in penalties against corporations. The law prohibits companies from paying bribes to foreign officials to win business. A violation can result in criminal prosecution," the WSJ article noted.

I recently did a project for World Compliance (, an organization that specializes in FCPA. It has a multitude of clients in the financial industry who are, thanks in part to FCPA, concerned that their transactions and their clients are above reproach.

World Compliance is akin to the CIA - it collects information from around the world, vets it to assure accuracy, and they packages it for its clients. To its credit, World Compliance takes risk management very seriously.

Click on drawing to enlarge

While eliminating FCPA would not by itself put World Compliance out of business - as the name implies, the organization has clients worldwide and, in addition to FCPA, it also provide data to clients complying with European laws as well as U.S. Treasury Department regulations and the Patriot Act - emasculating or killing the FCPA could impact the organization's bottom line.

Of course World Compliance has more than U.S. lobbyists to consider. It has to take lobbyists into account every place it does business, and that is most of the world. Again, it's core business is gathering information about people from the four corners of the world, analyzing the information, and packing it for its clients.

As with the CIA, most of the data is public information; World Compliance's raison d'ĂȘtre is the analysis and vetting of the information, putting together all the pieces that may come from disparate sources.

No matter what the organization's purpose - be it commercial, industrial, a non-profit, or a charity - the whims of government must be considered a risk. Depending on the type government, the rulers may be swayed by money, favors owed, promises of votes or threats of loss of votes, or less polite measures.

FCPA hurt - and continues to hurt - organizations that did business by bribery. It hurt them because U.S. companies no longer were on a level playing field with their foreign competition, and it hurts them when - despite FCPA - they feel obliged to risk a bribe and get caught.

Longer articles at

If I wrote it, you may quote it.

Thursday, November 24, 2011


Vendor risks

More than meets the eye


When most of us think of vendor risks we think of a vendor failing to meet its Service Level Agreement (SLA) with our organization.

The SLA can cover a product or a service.

Interestingly, the product or service might not be considered critical - until its needed "yesterday." (Forms for bills, for example, or checks to pay bills.)

Smart organizations ask critical vendors if they have business continuity plans. Very smart organizations ask the vendors to supply the plans or at least basic plan information such as

  • Who is the plan/program sponsor? (Should be a Very Senior Executive with fiduciary responsibility.)

  • What does the plan cover (InfoTech only, key business units, the enterprise).

  • When was the plan last exercised. (Should be "within the year.")

  • When was the plan last updated. (Should be "within the year.")

  • Who is responsible for plan maintenance and updating?

Most of the time, the interest in the vendor ends here.

It should not.

What about the vendor's critical vendors? If the vendor provides a finished product - even something as simple as a threaded fastener (a/k/a screw), if that item is crucial then the vendor is critical and the vendor that supplies your vendor with raw materials likewise is critical.

As the risk management person in your organization, you might be wise to ask the critical vendor if it has an alternative supplier of raw materials; has your vendor asked its vendor for a business continuity plan?

Depending on the criticality of a product or service, it might be necessary to go back even father on the vendor chain, but this usually is not the case.

OK - you talked to your critical vendor and you are confident the vendor has a plan to meet all contingencies.

Is that enough?

Not really.

How is the vendor's product or service delivered to your organization?

Click on image to enlarge

Via highways and byways? Railroads and trucks to the door? Ships and barges and trucks? Airplanes and trucks?

Ask the vendor if it has alternate delivery options.

What if the teamsters walk. That shuts down multiple options since trucks almost always are required - door to door, ship to door, plane to door, train to door.

The teamsters may be perfectly content, but weather can close roads and shut down airports; accidents can close roads and seaways and ports of all types.

Knowing that transportation is an easily interrupted critical process, your organization needs to do a little research to determine a "worst case" transportation interruption and maintain product on the shelf to cover that period. "Just In Time" is fine, PROVIDING nothing interrupts delivery.

Ahh, but your vendor delivers data via the Internet. Nothing to worry about, right?


There are as many, perhaps more, things that can go "bump in the night" for digital deliveries as there are with physical delivers.

The vendor's InfoTech can crash; your InfoTech can crash, the pipe can get choked, your organization's Internet Service Provider (ISP) may fail, a power outage anywhere along the line can knock out a service. Sure, everyone has backup generators, but are they checked regularly under load; is the fuel supply dry and sufficient, and . . .

As they say, "Nothing's perfect except you and me, and I'm not sure about you."

There are, by the way, two sides to the transportation issue.

Your organization is a vendor to your clients.

Whether you provide a product or a service, your organization typically has to deliver to the customer.

That means transportation from your organization to the customer, be the customer another manufacturer, a wholesale or retail organization, or an individual.

Your organization's delivery options - and hazards - are the same as those of the critical vendors.

The bottom line is that when considering risks relating to critical vendors, you must think of all related risks.

If I wrote it, you may quote it.

Longer articles at

Comments to JohnGlennMBCI at gmail dot com

Tuesday, November 22, 2011


Employee loyalty


In today's job market, with high unemployment, management has the upper hand and can, if it desires, disregard staff concerns.

Smart managers don't.

They know that when the market eventually turns around, those employees who got the short shrift during the "high jobless rate" times will start looking for new employment homes.

Taking with them skills they honed on the job.

Possibly taking with them information a competitor would be delighted to have.

Never mind non-disclosure agreements; they are difficult, and expensive, to enforce.

If the employee doesn't bolt, he or she can "bad mouth" the organization and destroy its reputation as an employer and, perhaps, as an organization.

The translation of all the above is that employees are a risk to the organization.

A "necessary" risk.

At the same time, a happy employee - or at least one who feels respected by management and peers - is a definite asset to the organization. While the unhappy current or past employee knocks the organization, an employee who feels he or she has the respect of management - at all levels - promotes the organization to other employees and to "the world."

It's been many years since I worked as a contractor at Lucent Technologies, but I still fondly remember the way it treated its personnel, even contractors. On the other hand, there have been some other organizations . . . .

While it is not something a risk management practitioner can control, the practitioner should be aware of the "mood" of the workforce and the practitioner should "suggest" to management that there are risks to employing unhappy staff.

Most people appreciate recognition for a job well done.

The nice thing about recognizing jobs well done is that it need not be expensive.

Most people appreciate an organization-sponsored (funded) function; like recognition, this need not be overly expensive.

The economy will pick-up - no, I do NOT know "when" - and when it does, unhappy employees will become mobile; their resumes already are up-to-date.

The risks to the organization include, "but are not limited to"

  • loss of knowledge base

  • cost of recruiting - advertising, interviewing, relocation

  • cost of training, both job and corporate customs

  • temporary slump in productivity, possibly due to resentment of the new employee

  • possibly higher salary for the new hire

  • risk that the new hire will leave before the organization realizes any ROI

It is not hard to mitigate the risk of disgruntled personnel.


Acknowledgement of a job well done.

Support in the form of training.

There are many ways an employer can show respect for the troops; HR knows them all.

Longer articles at

If I wrote it, you may quote it.

Sunday, November 20, 2011


Have you created a plan for XYZ industry?

  The other day I was asked if I had done any plans for a specific industry.

I took the question at face value: have I done any plans for an industry, as in "industry association."

The question could have been less global and concerned with a specific organization in the industry (e.g., natural gas exploration) or a specific function of the industry's members (e.g., manufacturing mil-spec monel 16-inch 3-way valves with electronic control modules).

There are lots of ways I could have considered the question.

But in each case, the answer was the same: "Yes."

The reason the answer for each option is the same, "Yes," is because as a risk management practitioner I am looking at risks and means to avoid or mitigate them.

It makes no difference to me if I am working for a Mom-n-Pop corner grocery, Monster Motors, or Sara's Soup Servers charity.

The PROCESS is the same.

Find out why the organization exists.

    Mom-n-Pop's grocery exists to sell groceries and, hopefully, make a profit.

    Monster Motors exists to make automobiles (and other products) and, hopefully, make a profit.

    Sara's Soup Servers exists to provide food for the hungry and, hopefully, to keep donations rolling in.

In each case, the organizations DO something to justify their existence.

There are some common concerns across the board - vendor management and liability as examples - but the bottom line is that each organization has risks and that the risks to each organization must be addressed; means must be identified to avoid or mitigate the risks.

Mom and Pop belong to a grocers' association.

The association's concerns are for the Mom-n-Pop grocery, but they are not the same as harbored by Mom and Pop. The association is concerned with lobbying, with member welfare, with recruiting and retaining members, and with collecting dues to support the association's operations.

Whether creating a plan for Mom-n-Pop or the association, the PROCESS is the same:

Mom-n-Pop Grocer's Association
1. Identify the reasons the organization exists
2. Identify critical processes to No. 1
3. Identify risks to No. 2.
4. Identify means to avoid or mitigate risks.
5. Prioritize risks based on probability vs. impact.
6. Present recommendations to management.
7. Create response plans based on management's decisions re risk management implementation.
8. Create plan maintenance procedure.
1. Identify the reasons the organization exists
2. Identify critical processes to No. 1
3. Identify risks to No. 2.
4. Identify means to avoid or mitigate risks.
5. Prioritize risks based on probability vs. impact.
6. Present recommendations to management.
7. Create response plans based on management's decisions re risk management implementation.
8. Create plan maintenance procedure.

The same PROCESS can be applied to all organizations.

The organization's critical processes will vary, as will the risks, the means to avoid or mitigate them, the risks' priority, and the means to respond to the threats, but the PROCESS remains the same:

    1. Identify the reasons the organization exists
    2. Identify critical processes to No. 1
    3. Identify risks to No. 2.
    4. Identify means to avoid or mitigate risks.
    5. Prioritize risks based on probability vs. impact.
    6. Present recommendations to management.
    7. Create response plans based on management's decisions re risk management implementation.
    8. Create plan maintenance procedure.

Creating a program for Mom-n-Pop might be completed within a few weeks while a similar program for Monster Motors could require more than a year, especially if the practitioner is expected to train responders and do more than run a basic "desktop walk-through" exercise. Indeed, Monster Motors ought to have a full-time staff of risk management practitioners.

The bottom line for all plans is the same: It's all about the PROCESS.

If I wrote it, you may quote it.

Longer articles at

Friday, November 18, 2011


These are "professionals"?

A rant


I'm thinking about cutting down the number of LinkedIn groups and other lists and forums I follow. Maybe a few blogs, too.

Several of the lists/groups/forums that I am considering leaving have "Professional" in the title.

Professional in name only

    That led me to believe any discussions would be at a professional level.

    Yet many, far too many, discussions are at the tyro level.

    By itself that's not bad - tyros need help, too, and they can - and I'm thinking of one in particular - and do raise important questions; queries that get us all thinking.

    One of the things that irritates, that - as we say in Dixie, "sticks in my craw" - is the titles many of these blatant-by-their-post amateurs advertise.

    Senior this and Master that.

    Another irritant is the level of the questions.

    Good grief; do your homework before asking someone else to do it for you.

    DRJ ( has a Website fill of good information.

    DRII ( likewise has megabytes of useful information.

    The information is free.

    Of course the curious person needs to invest a little time to locate and extract the nuggets.

    Why bother? It's easier to ask an actual practitioner "How do you spell "BIA?"

    Because there are so many tyros-with-professional-titles claiming to be business continuity practitioners, people who engage them due to a title or employment by a Big Name Consulting Firm, expect a professional product. They deserve a professional; product.

    But they don't get a professional product.

    If the plan doesn't work? The independent likely lacks performance insurance, and the Big Name Consulting Company will try to tie the client up in a finger-pointing court date. In any case, it is hard to prove that the client ignored the practitioner's recommendations or failed to exercise the plan.

    But all business continuity practitioners take the hit.

When "BC" really is "DR"

    As long as I am IN "curmudgeon" mode I may as well express my opinion of groups that have "business continuity" in the title but in truth are misnamed "disaster recovery" groups.

    There is nothing wrong with a disaster recovery group, but please, call it what it is: disaster recovery or even "resilience" which one Big Name Company has high jacked for its disaster recovery services.

Link, don't think

    One or two of the groups I am about to drop consist of 90% links to magazine articles.

    The article may be really worthwhile, but I sometimes suspect the linker never read past the headline.

    I really would like a synopsis of the article before I waste my time following the link.

    I'm sure some of the articles are worth reading, but I don't have the time to follow each and every link on the chance that the linked copy is relevant to what I do.

Longer articles at

Monday, November 7, 2011


Check the obvious


About two weeks ago I put down some weed-n-feed.

The instructions state to thoroughly water in the chemicals - soak the pellets until they melt.

Not a problem.

I have a well. Flip a switch and water comes out via a number of sprinkler heads scattered around the grounds.

So I wandered back to the pump switch and flicked it on - to be greeted by a spurt of nasty brown water from a PVC pipe.

Turns out the guy who used to cut the grass once again punched a hole in the pipe. Second time.

So now I have to replace the PVC - a learning experience - and reseed a portion of the yard, a portion only recently reseeded.

I can't prove the ex-yard guy did the damage, but the substantial circumstantial evidence is pretty strong: twice since he's been cutting the grass a hole has been punched into the pipe, and no one went back by the pump except the ex-yard guy.

Anyway, the grass that got the weed-n-feed is dying because I failed to make sure the pump worked before I put out the chemicals.

Lesson learned: Even with a very low probability of failure, equipment needs to be checked before it is needed.

When I get ready to go on a trip, even a relatively short one, I eyeball the tires to see that they have sufficient pressure. I check the gasoline to make sure I can get where I'm going. I should, but I don't always, check the oil level and condition. Top off the windshield washer fluid.

Basic "stuff."

Like checking the cell phone battery level.

If I'm traveling with the notebook, I charge the battery. (Leaving the battery in the machine and constantly at or near full charge diminishes the battery's charge time.)

To say I'm upset with the ex-yard guy is probably safe to say. To say I am more upset with myself for failing to practice what I preach is absolutely correct.

I'm paying for my false confidence . . . dig up the pipe, cut out the damaged section and replace it, gluing a new piece into place, testing everything and then covering the pipe, and finally reseeding the lawn.

Longer articles at

Wednesday, November 2, 2011


Troubles on the tarmac


JetBlue, the low cost airline, is facing stiff penalties for letting roughly 100 passengers sit in a plane on the ground for seven - 7 - hours.

The food and drinks apparently ran out and the bathrooms apparently were at capacity, so passengers were more than a little "uncomfortable."

The question is not "What happened?" but "Why was it allowed to happen?"

The plane, from Fort Lauderdale-Hollywood International (FLL) was bound for a northern airport. Before it got to its scheduled destination, weather conditions forced the airport to close.

The plane was diverted to another airport.

That, in itself, is not a major problem when passenger safety is the First Priority. Besides, diversions happen all the time.

But things went from bad to worse when the plane landed at the alternate airport.

Apparently shortly after the plane got on the ground, that airport also was closed due to weather conditions.

Now the problem goes from "worse" to "inexcusable."

I'm guessing that the newly landed aircraft - re-routed from another airport and unexpected at the airport where it landed - couldn't get a "gate," a jetway where passengers could disembark.

Since all flights were grounded, the planes already at the gate were "stuck" there; they could not leave for their destinations.

Realistically what could JetBlue have done? I'm a bit claustrophobic when planes are on the ground waiting for a gate so I gave this some serious consideration. I've also flown into a number of airports in the U.S. and elsewhere.

JetBlue could have done one of two things.

Thing 1, possibly the least inconvenient, would be to send a truck and buses to the plane.

The truck would bring stairs so passengers could safely get off the plane and onto the ground. This is not an emergency and there is no need to risk passenger injuries by using the emergency slides.

Lots of airports - probably most have mobile stairs and most airports have buses - if not owned and operated by the airlines, then airlines could borrow from the rental car companies or the airport authority, whichever runs the shuttles.

Thing 2, a little more inconvenient for the airline but a lot more satisfactory to the people paying to ride, would be to push back a grounded flight from a gate to make the gate available for the incoming flight.

Does this take a flight crew?

I don't think so.

It does take a push truck and a couple of people to guide the push truck's driver to avoid clipping other aircraft.

Where to put the moved birds? How about a maintenance area? What about the military section of the airport, assuming there is one and the Air National Guard gives its OK for "until the storm's over" parking permission.

In truth, the empty pushed back aircraft could be parked on the taxiways and runways, although getting them back can prove a logistics problem later. Use taxiways and runways as a last resort.

Lack of planning seems to be the bane of airlines.

Qantas' management grounded all its flights in the face of a threat of a strike. Management's pre-emptive strike.

While that may have seemed like a good idea at the time, management failed to gets its passengers booked on other airlines' flights. "Sorry, we're closed and you (passengers) are out of luck."

Then there was the Chief of Security at a U.S. airline that told me, after 9-11-2001, that terrorists couldn't get on board his airplanes using methods I proposed. "Impossible," he said - and continued to believe that even though a number of journalists proved my point.

I don't know if airline people simply ignore risks or just refuse to deal with them.

There certainly was no excuse for JetBlue to leave passengers sitting on a plane on the ground for seven hours.

What about the fuel costs? Even at idle, jet engines are expensive to operate.

Now JetBlue faces the potential of huge fines by the government. I understand it is offering free tickets to anyone on the flight who is willing to once again board a JetBlue plane.

A financial and PR fiasco that could easily have been avoided if someone had a plan - of even if someone "stepped up to the plate" and made the right decisions.

An expanded and updated article on airlines' image problems can be read at

If I wrote it, you may quote it