Tuesday, December 27, 2011


Stolen item may cost former owner "big bucks"


If you owned something that was stolen, and the stolen item was used against someone or caused damage, are you liable?


In an article in the Milwaukee Journal-Sentinel headed "Patrick Cudahy sues Navy over 2009 fire," "Patrick Cudahy Inc., its parent corporation Smithfield Foods, and several insurers have sued the U.S. Navy, seeking $326 million in losses from the massive 2009 fire at the meat packing plant caused by a stolen military flare set off as part of a Fourth of July celebration."

The plaintiffs contend that the Navy's negligence allowed the flare to be stolen from a California Marine base. The Navy denies responsibility under the Federal Tort Claims Act.

Basically, the suit contends that the Navy failed to properly inventory and control its property.

Strictly a Navy or government problem?


If the plaintiffs prevail, any organization that makes almost anything could be sued for damages.

In most civil suits, plaintiffs sue "the world" jointly and severally, looking for any organization with "deep pockets."

Most organizations have insurance coverage, but increasingly, two things are happening:

  1. Awards, especially jury awards, exceed the insurance coverage.
  2. The insurance company either refuses to pay or sues the insured to recover its payout.

In the Navy case, the insurers are among the plaintiffs.

The core complaint in the Navy action seems to be that the Navy allegedly failed to perform due diligence when dealing with its resources, in this specific instance, a green star flare. According to the suit, the flare was found outside the actual training area and therefore the Navy breached its duty.

The suit was only recently filed in federal court; the outcome will be interesting.

The Navy claims immunity from such suits; non-government organizations lack that protection.

What then, based on the main focus of the suit, can an organization do to avoid or mitigate similar suits if someone uses something the organization owned to cause damage? In three words: Use due diligence.

Inventory both stock on the shelf and resources - hardware and software items - and regularly revisit the inventory. If the organization deals in things that can go "bang in the night," perhaps inspect all packages, briefcases, and the like, as they exit the building.

The organization may still be sued, but if it can prove due diligence it may be removed from the action by the court.

Caveat: I am not a lawyer and I do not play one on TV.

Wednesday, December 21, 2011


Holidays as risk


For most people, holidays are a time away from the workplace.

A time to focus on things other than "The Job."

For the risk management practitioner, holidays are a risk.

Low level risks

Some risks have a relatively low-level impact if - rather, "when" - they occur.

The most frequently occurring risk is absence of decision makers.

Absence of crucial personnel - and this can be a person on a production line or a call center staffer during a busy time - also must concern the risk watcher.

Fortunately, these risks are relatively easy to avoid.

In two words: Cross Training.

Practitioners know that every critical function in a response program must - not "should," but "must" - have both a primary and an alternate responder.

Even in the best of times, with no holidays in sight, people get sick, they take time to attend to relatives, they go to conferences and professional courses, and they go on vacation.

On the truly negative side, there are layoffs and dismissals-for-cause.

Practitioners don't need to insist that management come up with a succession plan - although management should do this, if only to keep the organization's clients confident that the organization will muddle along even sans the incumbent C*O.

Practitioners need to convince management that, while no one expects anything untoward to happen to them, they need to groom others to fill in for them when they vacation or are otherwise absent.

The "heir apparent," even if only appointed on a temporary basis, must have

  • the confidence of the about-to-be-absent manager

  • sufficient self-confidence to make decisions

and the manager's decision must be known to "all hands," both up and down the personnel ladder.

It helps if the Most Senior Executive has a formal job description of some type.

The key to the success of selling the idea to everyone reporting (directly or indirectly) to the Top Executive and Board is for the Top Executive to get on board.

Note that in all the foregoing, the term "succession plan" has generally been ignored.

Practitioners need to be included in all critical projects to assure that the project manager builds in time for holiday interruptions. This adds a burden on the practitioner: he or she must be aware of all holidays that might reduce the work force and delay project completion. This can be especially challenging for multi-national organizations' planners.

High level risks

Fortunately, risks I term "high level" are exceedingly rare.

They are "high level" because of the impact they can have on the organization.

High level risks often are holiday-related.

    The Yom Kippur War.

    Pearl Harbor - while not on Christmas, the country already was "winding down" for the holiday.

National and religious holidays often are preferred dates for attacks against defined groups. Occasionally, an attack will be scheduled on the attackers' holiday.

Natural events such as earthquakes, floods, tornadoes and the like are no respecters of an organization's staffing abilities and can occur almost anytime.

Burglars find holidays a good time to strike - staffs are reduced or facilities closed, making access less difficult. No matter what the intruders are after, they have a better chance of success.

Admittedly, cross training won't help here. Maintaining an increased level of alertness by security personnel will help. The question to ask: is Security - be it in-house or vendor-provided - able to meet the staffing requirements; is Security protected against personnel absences?

But again, such an event is less likely than the absence of a needed employee.

If I wrote it, you may quote it.

Thursday, December 8, 2011


Lessons from 1942 for ERM Practitioners in 2012

  The following came to me as an email. I don't know the sender, but the information, if given some thought, can relate to what we see every day. Aside from formatting the file it is "as received."

"Remember Pearl Harbor - Keep America Alert"

"Remember Pearl Harbor - Keep America Alert" is the motto of the Pearl Harbor Survivors, who sadly will disband this year.

As we reflect on the 70th anniversary of the bombing of Pearl Harbor, I'd like to share a piece of an old report with timeless lessons, the

25 Deficiencies from the 1942 Pearl Harbor Congressional Report.

Perhaps you'll find something here you can use in your role preparing Americans for the worst.

These brave men remind us, as George Santayana wrote, "Those who cannot remember the past are condemned to repeat it."

Below are those 25 deficiencies - how far have we come?

Thanks to all who demonstrate what it is to be a hero, and to you who pledge to live in honor of their bravery.


The Failures

  1. Organization
    Multiple parallel organizations with ambiguous authority

  2. Assumption
    Information-sharing convention is not known or understood, but appropriate sharing to avoid disaster is assumed

  3. Omission
    Information-sharing distribution is incomplete, people and entities excluded

  4. Verification
    Commands/information sent, no follow-up to ensure understanding and action, capabilities or actions are assumed and not verified

  5. Supervision
    No close supervision to verify understanding and predictable action - compliance assumed

  6. Alertness
    Heightened alert is undermined by repeated training and exercises

  7. Complacency
    Vigilance relaxes from the day-to-day lull of business as usual; a "what-could-happen?" attitude

  8. Intelligence
    No centralized intelligence services with tailored dissemination of intelligence products; too many independent sources of collection and analysis

  9. Attitude
    Superiors do not engage in open dialogue with peers and subordinates; the superiors act superior (arrogance)

  10. Imagination
    "Worst-case" scenarios not included in preparedness and response planning

  11. Communications
    Information exchanged is ambiguous, convoluted, or contradictory - no use of common "plain" language

  12. Paraphrase
    Messages altered according to assumption and no verification

  13. Adaptability
    Alert and response thresholds are not matched to the known threat environment

  14. Disclosure
    Intelligence so protected that it is inaccessible to those who urgently need it, rather than converting products to actionable information while protecting "sources and methods"

  15. Insight
    Inadequate understanding of the threat and capabilities to address this threat lead to underestimated risk

  16. Dissemination
    Information is not provided to subordinates who need to know

  17. Inspection
    Leaders do not know or understand their personnel and critical systems

  18. Preparedness
    Prepare for consequences of what a threat might do, instead of what it can do

  19. Consistency
    Official direction is contradicted by unofficial speculation from authorities

  20. Protectiveness
    Individual or organizational one-upmanship for real or perceived self-benefit

  21. Relationships
    Personal friendships inhibit identification and resolution of deficiencies or gaps

  22. Priority
    Failure to prioritize critical needs over day-to-day activities

  23. Reporting
    Subordinates fail to report information up the command chain

  24. Improvement
    Failure to identify gaps, particularly in worst-case scenarios, and correct them

  25. Delegation
    Responsibility is delegated with inadequate authority to act

Hope you'll find this of use; you are of course welcome to share...

From: Interoperability in Critical IT and Communication Systems

Dr. Bob Desourdis cites in his book quotes from the Congressional After Action investigation & report of 1945/46 on the failures of Pearl Harbor. Sharing as food for thought.


Michael Walker

Wednesday, December 7, 2011


Paper trumps experience

a rant


I applied for a job today via a recruiter.

I am an "Ivory Soap" match for the job.

But the 66/100% I lack (Ivory Soap advertises it is 99 44/100th percent pure), when confirmed, caused the recruiter to hang up on me.

I could have brought more than 15 years' experience to the recruiter's client.

But the lack of a degree - the "66/100th percent" - ended the phone call.

"The client requires it," she said.

I can't entirely fault the recruiter. After all, "the client requires a degree."

I know the client - Florida Power & Light, FPL. I send it a check every month.

What I am beginning to think is that whoever created this job requisition for FPL doesn't know much about business continuity.

Would a degree in InfoTech Security meet the requirements?

You bet. Forget that InfoTech security is only a very small part of business continuity.

How about a degree in journalism?

Actually that might be BETTER than a degree in InfoTech security since there is a great deal of documentation involved in creating and maintaining a business continuity plan or program.

The FPL job req writer is telling me that four years of listening to people pontificate about subjects in which they may have zero practical experience is better than 15 years' hands-on experience.

OK, to be fair, I know there are some college instructors who DO have "real world" experience. I had a couple when I attended Barry U and Sarasota U. But I also had the "other" kind. I'm a former journalist - reporter to managing editor. The required English 1 course had the instructor - a high school English teacher during the day - try to teach the class how to write a story for a newspaper. The gentleman could hardly spell "newspaper," let alone create copy for one.

But he had a degree, maybe two, and therefore was an "expert" in the field.

America was not built on degrees. It was built on people developing expertise.

Admittedly, my profession lacks - sadly - an apprentice program.

Likewise "admittedly," there are people who claim expertise, some with certifications, who can't plan their way across a deserted country road.

But if they have a degree . . .

FPL, or at least the contracting agencies, are offering a below-market rate, so maybe it is just as well that this recruiter abruptly ended the call.

Still, it would have been a good match: FPL and this practitioner.

If I wrote it, you may quote it.

Longer articles at https://sites.google.com/site/johnglennmbci/

Friday, December 2, 2011


(Un)Social Media


In a Wall Street Journal copyrighted article at http://tinyurl.com/88h2q2h, organizations learn that under certain circumstances angry employees can say almost anything they wish against their past or current employer with impunity.

If the employer acts against the employee, the organization may face charges from the National Labor Relations Board (NLRB).

According to what appears to be a supplement to the Melanie Trottman article, the AdvisenFPN version of the copy appends the following:

    Companies are facing a growing number of civil charges over disciplinary actions spurred by online comments from employees. Following are the National Labor Relations Board's guidelines on what workers and employers are allowed to do on social media:

    Protected employee behavior -- things employees should be allowed to do without being fired:

    -- Workers discussing with each other pay or other workplace conditions, or an individual speaking on behalf of other workers about, or with the intention, to improve workplace conditions. The key is there has to be group activity, in intention or result. It is described under the law as "protected concerted activity."

    -- Name-calling -- depending on the word used and the context -- that doesn't involve physical or verbal threats.

    Unprotected employee behavior -- things that could get an employee disciplined or fired:

    -- Mere griping solely by and on behalf of oneself, with no evidence of intended or actual group action to improve working conditions.

    -- Physical or verbal threats against an employer or co-worker, depending on the context.

    Unlawful employer behavior:

    -- Maintaining a company policy that restricts workers' rights to discuss online with co-workers their wages and other working conditions.

    -- Firing an employee for engaging in protected concerted behavior.

So, if a disgruntled employee calls a manager a "scumbag" in the course of an exchange with fellow workers, and if someone replies in any manner, the employee apparently is protected by the NLRB.

It seems to me - and I must add this caveat: "I am not a lawyer and I don't play one on TV" - that the specific person who is maligned - calling a person a "scumbag" is hardly a compliment - ought to, with perhaps assistance from the employer, file a civil complaint against the name caller.

The right of free speech is an important part of the American way, but libel and slander still are actionable.

For all that, organizations of all types should have policies and procedures in place clearly setting forth what is acceptable and expected behavior of people employed - at any level - by the organization. These policies and procedures must

  1. Be vetted by qualified legal counsel, that is, lawyers specializing in HR issues.

  2. Be read, and understanding acknowledged, by all employees, regardless of position within the organization, from Most Senior Executive to newest intern and contractors/consultants.

If there is a problem in the organization and an employee, for whatever reason, "goes public" with it on so-called social media, it behooves management to examine the complaint to see if it has merit. At the same time, it seems appropriate to act against libel and slander.

Longer articles at https://sites.google.com/site/johnglennmbci/

If I wrote it, you may quote it.