Thursday, December 20, 2012


What can we do?

About Sandy Hook and hurricanes, and ...


In an email, Kathy Gannon Rainey, publisher of the Disaster Resource GUIDE, asks everyone on her mailing list:

• What can be done to prevent such an event in the future?

• What can I personally do to make a difference?

She then suggested mentoring.

To my mind, that's an excellent idea.

AARP, a geezer group to which I do not belong (it's a political issue) asked me, also via an email, if I would be willing to mentor people. I agreed, but since AARP had no checkbox for what I do, risk management, I suspect I'll either hear no more from AARP or I will receive a reply that totally ignores my input. That's Standard Operating Procedure (SOP) for people - and organizations - that live in predefined worlds; if there is no checkbox or radio button, then there can't be any other option(s).

We should make ourselves available for mentoring.

We should make our expertise available to local government.

We should offer our knowledge to BBA and MBA students.

We should make ourselves available to the local media as Risk Management Subject Matter Experts (SMEs).

Organizations to which we belong, such as BCI USA and ACP, because they have a national presence, could develop lists of willing mentors and presenters, and make the lists' availability known to the media. It seems to garner more attention when a professional organization offers to provide SMEs. BCI already has a mentor volunteer list, although I wonder if anyone ever sought out a mentor; in all my years on the list, no one ever contacted me. (I have mentored people who sought me out - sometimes in unlikely locales, "all things considered.")

While I'm certain all my loyal readers - I hope that plural is justified - will agree that we should do all of the above, the problem remains the old one of leading a horse to water (but you can't make it drink). We can announce our availability, but unless someone takes us up on the offer, we - and our profession (trade?) - are no better understood than before.

Unfortunately, the time people are most inclined to invite our knowledge into their domains is immediately following a disaster, and that is too late; the barn door was open and the horse escaped.

I wonder if we are ignored or simply overlooked because a risk management practitioner may not offer the most popular approach - right now, "gun control" and adding armed guards to schools is the reaction du jour to Sandy Hook, even though there are better, non-knee-jerk reactions to prevent similar occurrences. Perhaps our recommendations are less than "politically correct" in some circles.

For all that, Ms. Rainey's suggestion that we - the nation - need mentors across many endeavors seems to me a good idea.

Now all we need are people to mentor.

Sunday, December 16, 2012


Protecting us from crazies


This was written before I learned about the crazy who fired at people at Fashion Island mall in Newport Beach CA.

Years ago, long before even the murders at University of Virginia, Columbine, and Sandy Hook, I wrote an article on how to keep killers out of buildings.

As usual, it was based on lessons learned from Israel, with a little input from NASA.

The process is fairly simple.

First, control access to a building.

For a school, and schools have our attention now, access to the building must be limited to one entrance except for brief periods at the start of the school day. Even then, access via multiple entryways needs to be via "choke points" so that school staff can monitor students entering the building. All adults, including staff, must enter through the main entrance.

The question that pops up in most minds at this point is: If there is limited access, what happens if there's a fire or other reason for a quick exit? Fire doors; the same as found in theatres and other similar venues. They lock from the inside and open by pushing on a bar (which also causes an alarm to sound). Good question; good answer.

Once students are inside the building, all entrances but the primary one are closed. Like the emergency exits just described, these entrances are locked from the inside.

Second, all visitors must enter the building through the main entrance, where they will be asked their business and asked to show identification. Office staff will be behind bank-like barriers to prevent anyone from climbing over the counter.

Interior doors leading from the entrance area into the building proper will be locked; the locks will be controlled by the office staff.

For maximum protection, anyone allowed into the populated area - there always are exceptions to the rule - must pass through a double-door "airlock" arrangement. The person is "buzzed in" through the airlock's first door and held there while scanned for metal weapons. If the scan is negative, the second door is buzzed open.

STANDARD OPERATING PROCEDURE IS THAT ALL NON-STAFF PERSONNEL MUST BE ESCORTED BY AN EMPLOYEE; in the case of schools, preferably by a school "resource" officer (police officer).
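The double-door "airlock" described above, written up as an added example that is not part of the original post: an interlock state machine in Python. The class and event names are my own assumptions, and the walk-through scenarios are constructed. It shows the properties such a controller has to enforce: both doors are never released at the same time, the inner door releases only after a negative scan, a visitor who fails the scan is sent back out the way he came, and a fire alarm overrides the interlock so that egress is never blocked (the fire-door point made earlier).

```python
from dataclasses import dataclass, field
from enum import Enum, auto


class State(Enum):
    IDLE = auto()        # both doors locked, vestibule empty
    OUTER_OPEN = auto()  # staff released the outer door for a visitor
    HOLDING = auto()     # both doors locked, visitor waits for the scan result
    INNER_OPEN = auto()  # scan negative, inner door released
    REJECTED = auto()    # scan positive, outer door released so the visitor backs out
    EMERGENCY = auto()   # alarm: both doors released for egress (fail-safe)


class Scan(Enum):
    NEGATIVE = auto()
    POSITIVE = auto()


# Which doors are released in each state: (outer, inner).
DOORS = {
    State.IDLE: (False, False),
    State.OUTER_OPEN: (True, False),
    State.HOLDING: (False, False),
    State.INNER_OPEN: (False, True),
    State.REJECTED: (True, False),
    State.EMERGENCY: (True, True),
}


class InterlockError(Exception):
    """Raised when an event is not permitted in the current state."""


@dataclass
class Mantrap:
    """Hypothetical airlock controller (assumed names, not a real product's API)."""
    state: State = State.IDLE
    log: list = field(default_factory=list)

    def doors(self):
        return DOORS[self.state]

    def _go(self, new, why):
        self.log.append(f"{self.state.name} -> {new.name}: {why}")
        self.state = new
        outer, inner = self.doors()
        # Interlock invariant: outside an emergency, both doors are never released together.
        assert new is State.EMERGENCY or not (outer and inner)

    def buzz_in(self):
        """Office staff release the outer door; only allowed when the vestibule is empty."""
        if self.state is not State.IDLE:
            raise InterlockError("outer door may only be released when the vestibule is empty")
        self._go(State.OUTER_OPEN, "staff released outer door")

    def outer_closed(self):
        """Door sensor: the outer door has closed again."""
        if self.state is State.OUTER_OPEN:
            self._go(State.HOLDING, "outer door closed, visitor held for scan")
        elif self.state is State.REJECTED:
            self._go(State.IDLE, "rejected visitor left, vestibule empty")
        else:
            raise InterlockError(f"unexpected outer-door closure in {self.state.name}")

    def scan(self, result):
        """Metal-detector result; the inner door opens only on a negative result."""
        if self.state is not State.HOLDING:
            raise InterlockError("scan result only accepted while a visitor is held")
        if result is Scan.NEGATIVE:
            self._go(State.INNER_OPEN, "scan negative, inner door released")
        else:
            self._go(State.REJECTED, "scan positive, outer door released to send visitor out")

    def inner_closed(self):
        """Door sensor: the inner door has closed behind an admitted visitor."""
        if self.state is not State.INNER_OPEN:
            raise InterlockError(f"unexpected inner-door closure in {self.state.name}")
        self._go(State.IDLE, "visitor admitted, vestibule empty")

    def fire_alarm(self):
        """Fire alarm overrides the interlock: both doors release for egress."""
        self._go(State.EMERGENCY, "alarm: both doors released")

    def reset(self):
        """Staff clear the alarm once the vestibule is confirmed empty."""
        if self.state is not State.EMERGENCY:
            raise InterlockError("reset only valid after an alarm")
        self._go(State.IDLE, "alarm cleared by staff")


def attempt(trap, event, *args):
    """Return True if the event was accepted, False if the interlock refused it."""
    try:
        getattr(trap, event)(*args)
        return True
    except InterlockError:
        return False


def walk_through():
    """Constructed scenarios: clean visitor, rejected visitor, skipped scan, alarm."""
    clean = Mantrap()
    clean.buzz_in()
    clean.outer_closed()
    clean.scan(Scan.NEGATIVE)
    clean.inner_closed()

    rejected = Mantrap()
    rejected.buzz_in()
    rejected.outer_closed()
    rejected.scan(Scan.POSITIVE)
    rejected.outer_closed()

    bypass = Mantrap()
    bypass.buzz_in()
    # Outer door still open: no scan has been taken, so a scan result and a second
    # buzz-in must both be refused, and the inner door stays locked.
    skipped_scan = attempt(bypass, "scan", Scan.NEGATIVE)
    second_buzz = attempt(bypass, "buzz_in")
    bypass.fire_alarm()

    return {
        "clean_final": clean.state,
        "rejected_final": rejected.state,
        "skipped_scan_accepted": skipped_scan,
        "second_buzz_accepted": second_buzz,
        "alarm_doors": bypass.doors(),
    }


if __name__ == "__main__":
    for name, value in walk_through().items():
        print(name, value)
```

The point of the `assert` in `_go` is that the "never both doors open" rule is checked on every transition rather than trusted to each handler; in a real controller that check would be a hardware interlock, with the software only requesting releases.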

Better, send the person being visited to the visitor

While it won't prevent a crazy from killing a person, it will limit death and injury: rather than allowing a visitor into a populated area - say a Post Office sorting area - ask the person being visited to come to an isolated visitor area. Never allow a visitor into a populated area.

If a parent comes to collect a student, most schools contact the teacher and have the student sent to meet the parent. Allowing parents to roam the halls is prohibited.

What about volunteers? This brings a requirement for, at a minimum, metal detectors.

What Israel does is to pass visitors through an "air lock" fitted with metal detectors. Given the potential of non-metal lethal weapons, profiling, coupled with careful observation, is a must.

A brief aside. A terrorist boarded an intercity bus, but was quickly pushed off and subdued by the driver and a passenger. The terrorist was not carrying a visible weapon, yet he was identified for what he was. How? He was inappropriately dressed for the season. (He had intended to slaughter innocents using a bomb hidden beneath his coat.) Israel also utilizes profiling; indeed, it depends more on profiling than on machines.

Share problems, even if personal

Years ago I worked for OKI Electronics' telecom division in Fort Lauderdale FL.

During my tenure with the company an angry soon-to-be-divorced husband managed to get into the building - people knew him and he told them he needed to see his wife. He found his wife and killed her.

Had the employee shared her domestic situation with HR, or even with her co-workers, perhaps the husband could have been kept out of the building and the woman would have lived for another day. That's not to say the spurned spouse would not have found another opportunity, but the employer would not have been involved.

Employees - and students' parents, too - should be encouraged to share their concerns with people who can help assure their safety. Assuredly, it requires different techniques for different groups and individuals.

Malls and other open venues

First, there is no excuse for a shooter to be in the mall. It, like schools, should control access, but unlike schools, an "air lock" is probably not feasible.

What the mall management must do is develop - and practice - a plan to protect shoppers and staff by securing access to each store; keep customers inside and, after nearby shoppers outside have a chance to enter, close and lock the store's doors. Customers and staff need a place to hide - something that might appropriately be considered when building the stores.

What can be done about a sniper? Not much.

It seems that we would become a paranoid nation if, hearing shots, we automatically looked for cover, but it may be necessary. We tell shoppers how to protect themselves from muggers at the mall; telling people to "hit the ground" if they hear gunfire is just another caution. Sad but true.

Gun control?

I'm not in favor of generic gun control.

I think we need more control over who buys weapons, but that only covers people who buy guns through legitimate transactions. Black market and stolen weapons are another matter.

While I strongly support a ban on fully-automatic guns and armor-piercing bullets (I have a son who is a cop), I know that if a person is intent on killing another, the killer can use other weapons - knives, cars, poisons, etc. If mass murder is on the killer's mind, there is a world of explosive possibilities.

How to defend, how to prevent, an attack in the open is beyond this scrivener's expertise.

Earlier I referred to killers as "crazies." I believe a person must be deranged to do what these mass murderers have done. Psychiatric care usually is too little, too late. In many cases, the killer is as dead as his - or her - victims and can offer little insight into what prompted the action. For all that, we must assume something triggered the person to behave as he or she did. THAT is what must be determined and eliminated.

We are not - usually - dealing with fanatics who are after world domination; the shooters in Charlottesville VA, Columbine CO, and Sandy Hook CT were deranged individuals who had personal agendas having little or nothing to do with politics.

We can, with a little thought, do better. We can, with a little effort, prevent future slaughters at schools. We must put common sense measures into place to protect our children and to protect people in our businesses.

In the end, I fear putting such measures in place will be akin to the government's noise about reducing the nation's dependency on foreign oil - noise with little, if any, action.

Monday, October 22, 2012


Apathy as risk

As with an uneventful hurricane season, U.S. insurers are suggesting that the lack of aircraft accidents may be contributing to a lessening of safety consciousness.

According to an AP article in the Seattle (WA) News & World titled "Long stretch without fatal airline crash is a paradox for safety":

It's been 43 months since the last deadly airline crash in the United States, the longest period without a fatal domestic accident since commercial aviation expanded after World War II. That sounds like unvarnished good news, but one consequence of having such a remarkable record is that it's difficult to justify imposing costly new safety rules on the economically fragile industry.

The article goes on:

"The extraordinary safety record that has been achieved in the United States ironically could be the single biggest reason the (Federal Aviation Administration) isn't able to act proactively and ensure safety into the future," said Bill Voss, president of the industry-funded Flight Safety Foundation in Alexandria, Va., which promotes global airline safety. The past decade has been the airline industry's safest ever.

For an Enterprise Risk Management practitioner, good news-bad news reports are a constant concern.

Here in southeast Florida, we have escaped hurricane force winds despite already being ready to assign the letter "S" to the next tropical storm. (As this is written, a tropical wave with a high probability of becoming "Sandy" sits south of Cuba. If it does become a named storm, it is likely that it will brush - hopefully only brush, the state's Atlantic coast.) Only once this season - June 1 through November 31 - have hurricane shutters been closed.

People who have never experienced a storm, and those who experienced only a "minor" Category 1 or 2 storm, tend to forget about the Andrews and Ritas that occasionally come ashore. The insurance companies never forget, and even with a season of minimal storms such as the current season, continue to raise their rates despite, according to Advisen FPN, making higher profits.

As with airlines, the lack of headline incidents lulls everyone - in the case of the airlines, government, the airline operators, and passengers - into a feeling of "everything is OK as is."

As with airlines, Enterprise Risk Management practitioners know that "everything" never is 100% OK.

Security is 100% - until it is breached with a physical or computer attack.

Power is assured - until it fails for any number of reasons.

A critical vendor has a perfect performance record - until it doesn't.

There are sufficient personnel to staff all critical positions - until there are not.

The above are some "generic" risks that, as the last breach, power outage, vendor failure, or influenza outbreak occurs, are allowed to fade from memory.

Ask a 20-something, or even a 30-something what happened on December 7, 1941 and see what time does to memory. (It pays for the Enterprise Risk Management practitioner to be a bit of a historian.)

Fighting forgetfulness and ostrich-itis - it can't happen to me - are two on-going battles all practitioners face on a daily basis.

Equally as bad for the practitioner is when something does happen and "The Plan" protects the organization from loss. Unless the practitioner can show that loss was prevented directly by risk management efforts, the executive wing may decide that "we would have survived even without the plan; who needs risk management?"

Friday, August 17, 2012


Best laid plans


An article by Aliya Sternstein titled "Agencies don’t often share tips on potential terrorist activity" on the Nextgov Web site complains that "Nearly half of federal agencies are not sharing documented incidents of potential terrorist activity with U.S. intelligence centers, according to officials in the Office of the Director of National Intelligence."

Hardly encouraging.

But reading on, there are three paragraphs that suggest high-level planning that failed to consider lower-level considerations.

"One problem with shuttling reports to fusion centers is officers in the field, even years after the program’s inception, lack training in how to create the proper records, said Paul Wormeli, Integrated Justice Information Systems Institute executive director emeritus and a consultant on the project. “Some agencies still just rely on the old manual system of getting tips from the public over the telephone, which is insufficient,” he said.

In addition, it takes time and money to tweak police software so that it works with the system supporting the information exchanges, Wormeli said. And turf wars sometimes get in the way of progress.

“This is a serious problem because unless we are able to convince all the local agencies to participate and to submit their SARs to the fusion center, we create the very real possibility that we will miss detecting the next Mohammed Atta who goes around taking flying lessons and passing up on the lecture of how to land his aircraft,” he said.

How does this relate to enterprise risk management?


A fiat from on high. "You will implement ABC."

At the bottom, the responses are:

  • We don't have the resources

  • We don't have the training

  • We don't have the time

This is similar to the complaints of municipalities to the state and the states to the federal government: You burden us with a law, but fail to provide resources, funding, and training.

One of the risk management practitioner's many duties that rarely appear in the job description is "develop cross-silo communication"; get everyone involved.

Risk management, correctly practiced, is an all-encompassing program.

It requires, again, "if properly practiced," that management fully understand the impact on the troops of that fiat from on high.

Telling, as the Feds apparently did, different federal, state, and municipal agencies that they must send reports of suspicious activity to a data center - what the Feds are calling fusion centers - is fine, but based on the Nextgov article, the information gatherers

  • Lacked the resources

  • Lacked the training (what to submit)

  • Lacked the time to acquire resources and be trained to use them

Practitioners usually start a Business Impact and Risk Analysis with a questionnaire.

    What are the critical processes?

    What are the risks to the processes? (This identifies resources.)

    What are the work-arounds if a resource is not available?

Eventually the practitioner gets around to making recommendations on how to respond to a threat if it occurs.

At that point, the practitioner should work from the bottom (folks in the trenches) up (to management).

The folks in the trenches usually have the best information on tools to avoid or mitigate a threat and to restore the process to "business as usual" as economically, efficiently, and expeditiously as possible. They also know what they need regarding

  • Resources

  • Training

  • Time to implement resources and training

Sadly, providing all the resources, training, and time won't do much good until the sundry agencies get over their turf wars and start treating all members of the "intelligence" community as equal partners, each with their own value and resources.

Hopefully this cooperation will occur before the next threat becomes reality.

Thursday, August 16, 2012


Black swan?


I have an acquaintance who is a business continuity practitioner for a government office.

Which government office and where that office is located is not important.

The practitioner is charged with business continuity for all government entities.

One of the entities is responsible for environmental matters.

My acquaintance has no direct control of this entity, but as the business continuity practitioner for the general government she has an interest in each entity's survivability, and that includes public image.

If you think government bodies can ignore their image, think again.

  • They need to project a "helpful" image to generate public support.

  • They need to project a "useful" image to continue to receive tax money.

  • They need to project a "well managed" image so secretaries, directors, and mid-level managers can keep their jobs and pensions.

  • Government bodies at all levels are image conscious.

Recently a private company in the practitioner's bailiwick caused an environmental faux pas. It allowed pollution of the neighbors' skies and waters.

Naturally the neighbors took umbrage at the invasion of unwanted poisons.


The private company is alleged to have committed an environmental crime.

The neighbors whose properties were inundated with the company's poisons are up in arms.

Why, the neighbors are asking, did the environmental agency charged with protecting the environment allow the incident to occur? Good question. Valid question.

For practitioners, the question is: Should my acquaintance have considered this in the government's business continuity - COOP, if you prefer - plan?

Perhaps as importantly, someone should ask: Was "image" even within the business continuity plan's scope - for the overall government and for the individual operations?

Is it a problem for a practitioner at the Chief Executive level if something goes "bump in the night" at one of the many lower-level organizations (i.e., environmental agency)? Shouldn't each agency have its own business continuity planner? (Ah, that it were so; we'd all be gainfully engaged.)

I don't believe in black swans - the unexpected. If enough people are involved in a risk management program - and I generally recommend "all hands" - and given an opportunity to think "outside the box" and offer "off the wall" comments about potential risks and the ways to avoid or mitigate them, then all the black swans fade, if not to white, then at least grey.

If there is one practitioner for the entire government, that practitioner should be given carte blanche to create a program for the entire government.

That does not mean that the practitioner needs to be a lone wolf, the sole practitioner for the government. Perhaps my acquaintance should manage (ideally) practitioners at each government organization to assure consistency of plans and integration into a government-wide program or (alternatively) could mentor and manage non-practitioners who would represent my acquaintance's office at each organization.

But, back to the main questions:

  • Should my acquaintance's program have included the image risk to the environmental agency?

  • Did my acquaintance have a mandate to consider this risk?

  • Should my acquaintance promote an all-organizations-inclusive risk management program?

Thursday, August 2, 2012


Climate as risk management concern?


A headline in the San Jose Mercury News reads:

California prepares for harsh realities of changing climate

The next-to-leed cq paragraph reads:

A series of state-sponsored scientific studies released Tuesday warns that California can expect more scorching heat waves, severe and damaging wildfires, emergency room visits and strain on the electric grid as the Earth continues to warm and sea levels rise along the state's 1,100-mile long coast.

Risk management practitioners, a/k/a business continuity practitioners, normally consider severe weather conditions as recognized threats to "business as usual."

Most of us, however, fail to gaze into the crystal ball and try to predict what our clients will be facing 10 or 20 years in the future. The question is: Should we (look far into the future for our clients)?

My answer is a definite "Maybe."

In the U.S., too many "long-range" business plans end after 5 years; some don't even make it that long. Given that, I suggest that practitioners limit serious risk concerns to the length of the long-range business plan.

That does not, however, mean to ignore scientifically-based environmental predictions.

For many years the standing joke has been to "buy property in Nevada; it will soon be oceanfront property" due to the frequency of earthquakes in California. That may eventually happen, but it is not likely to happen during any current long-range plans.

Lack of water is a problem that may be closer than we realize.


  • the source of the state's water
  • the population growth in the state in general and in the "south of San Francisco" area specifically; even more specifically the Los Angeles and south (San Diego) area
  • climatic concerns, i.e., global warming

Similar concerns apply to Florida. South Florida's primary water supply comes, via canals, from Lake Okeechobee in the central part of the state.

Another concern listed in the Mercury News article was electricity; specifically the competition for available resources.

"Higher temperatures in the next decade means that far more of the state's 37 million people will depend on air conditioning--increasing demand for electricity by up to 1 gigawatt during hot summer months. One gigawatt is roughly the size of two coal-fired power plants and is enough energy to power 750,000 homes" the article states.

Even if the state permits additional power plants to be built and brought on line, the process is complicated and takes years from concept to completion. Add to this the environmental battles against almost all generating plant types - coal, oil, gas, nuclear - and the natural resources, besides fuel, needed for their operation (e.g., a nearby water supply). While California has some hills in the north and to the east, the possibility of water-powered turbines is very limited; more so in flat Florida.

To be fair, both states could - if technology ever develops - take advantage of wave-generated power. Water could be provided - if efficiencies ever emerge - from desalinization. Today, neither technology is economically feasible on a mass scale.

If, then, the risk management practitioner is to consider potential risks beyond the "immediate" future - 5 years maximum - should the risks' equally potential mitigating factors also be considered?


Why "maybe?"

Because most of the potential mitigating factors are beyond the control of the organization; they are within the realm of government.

For all that, it behooves the practitioner to do at least a little research on what might confront the organization in the near - and perhaps not-so-near - future.

Is it wise to build a second facility near the first, or would a distant venue with other environmental concerns be in order? (That is not a given.)

Something to consider.

Tuesday, July 31, 2012


Even theaters (and theatres) need a plan


The shooting rampage at a screening of "The Dark Knight Rises" in Colorado early Friday left theater owners and police scrambling to figure out how to beef up security for patrons as the movie opened in more than 4,000 theaters nationwide.

'Dark Knight' shooting leaves theaters scrambling to address security concerns (LA Times)

A media representative for Cinemark (the company that owns the theater) was unavailable to comment on last night’s violent outburst or on what measures the theater operator will take to ensure security going forward. Cinemark released a statement that it was "deeply saddened about this tragic incident."

'Dark Knight Rises' shooting raises security concerns (Pittsburgh Business Times)

The disaster in Aurora, CO, was not the first attack on an entertainment venue.

Not the first in the U.S. and not the first elsewhere in the world.

In other words, the attack was not a "black swan." It might be an ostrich since apparently people who run theaters and theatres and other such venues have acted like the proverbial ostrich and buried their heads in the sand to avoid the unpleasant possibility of a disaster occurring.

Why don't such places have risk management plans?

Could a risk management plan have prevented, or even mitigated, the event in Aurora?

What could have been done and at what cost both to the owner of the facility and to the customers?

Perhaps the first thing to consider is what made this night different from all other nights?

In a word, costumes. People came dressed - and masked - as characters from the film.

The "Dark Knight Rises" is but one of several fantasy flicks that draw costumed clients. Star Trek and Star Wars films also bring out the costumes; I'm certain there are others. (Would anyone really dress up as the Creature from the Black Lagoon? Probably.)

The bottom line for theater owners is that costumed customers are a recurring threat.

People who own or manage entertainment venues need to have risk plans in place for a multitude of possibilities - everything from a power failure to a fire or other occurrence requiring quick evacuation of the premises. How to notify the "house" without causing panic.

Someone "going postal" and wildly firing into a mass of people should be easier to prevent. Check for weapons at the door.

Given the draw of a "Dark Knight Rises," the cost of a metal detector borrowed from the local airport, or of extra ushers with metal-detecting wands - with armed police in the near vicinity - would seem a reasonable expense. The mere presence of these tools probably would deter all but the most determined shooter - or bomber.

True, it is a "sad state of affairs" to have to install metal detectors at the door of an entertainment venue, but it is a state of affairs we have reached and one we as risk management practitioners must recommend.

What happened at the movie house in Aurora could have happened anywhere.

In a church, mosque, synagogue, or other place of worship.

In a stadium or other sports venue.

At a school, particularly at any event where students congregate.

At a concert hall.

At Times Square on New Year's Eve.

And of course at the "ubiquitous other" location not listed above.

No place where masses of people congregate can be excluded from the possibilities.

As risk management practitioners we need to consider all the probabilities:

Why an attack - what is there that could prompt someone to "go off the deep end"?

What weapon(s) would be used - what is commonly available locally and what can a person with Internet access learn to do with it; the Murrah Building was brought down by a simple, albeit huge, made-in-a-garage bomb.

What can be done to detect potential weapons?

How far in advance of an event should security be ramped up - is one day enough?

Then there is the response should the threat materialize, with protecting the innocent the first priority.

Creating a risk management program for an entertainment venue is basically the same as creating a program for any organization. The risks and response may be unique to the organization, but the approach to the program will be the same.

It's time that owners and managers of entertainment venues realized they, too, need a risk management plan and all the things (training, exercises) that go with it.

If I wrote it, you may quote it.

Tuesday, July 17, 2012


The trouble with standards


The Disaster Recovery Journal Summer issue's lead article, "ISO 22301: The New Standard," tells practitioners about the latest and greatest "standard" for business continuity.

The article, written by John A. DiMaria (CSSBB, HISP, MHISP, AMBCI), a British Standards Institute (BSI) Group America product manager, tells us that the new ISO document replaces the BSI's BS 25999-series "standards" and requires recompliance to the new "standard."

As an afterthought, the author notes that the (few) organizations involved with PS-PREP need to wait until the new "standard" is accepted by the U.S. Department of Homeland Security (DHS) before it is acceptable for PS-PREP compliance. Meanwhile, both the ANSI- and NFPA-approved standards remain in force for PS-PREP.

So what is the problem - more accurately, what ARE the problems - to "standards," especially those emanating from the UK?

Expectations of standards organizations

Standards organizations, in particular BSI and ISO, typically consider their efforts to be The Final Word on any given topic and that all practitioners of that topic must comply with the standard as written.

Some standards organizations promote their efforts outside the relevant profession or trade to pressure practitioners to develop their work to a particular standard. Not knowing what the practitioner is about does not stop some proposal writer from requiring "expertise with <pick a standard>."


I have followed international lists and forums for a number of years. Over those years I have come to the conclusion that U.S. and UK thinking often are at odds.

U.S. practitioners, at least the ones I know and respect, emphasize threat management - implementing avoidance or mitigation measures. Some UK practitioners - albeit certainly not all UK practitioners - almost completely ignore threat avoidance and mitigation.
Threat management was absent from the first iteration of British Standard 25999. Threat management eventually did creep into the British Standard before the final release.

To be fair, we have some folks in the U.S. who have their heads as firmly in the sand as the British Air practitioner who told me that the Gate Gourmet fiasco and associated LHR baggage handler strikes could not have been avoided.

Rigidity - real or imagined

Some practitioners, and some clients, will buy the "standard" and rigidly try to adhere to every word. Standards must be "interpreted" in light of each specific instance. Parts may apply in some cases; parts may not apply in others, and parts may apply "with modification" to still others.

An experienced practitioner knows when to apply what. The problem for the experienced practitioner may be diplomatically convincing the client that a particular section of the standard needs to be adjusted or ignored.

Constant change, to what purpose?

I sometimes think, and at other times I am convinced, that some "standards" organizations really are in the publishing business.

Most standards sell in the hundreds of dollars range. ISO 22301 sells for £100 at the BSI Group Web site. £100 equals about US$155, €127, and ₪622.


In addition to the costs listed above, there also can be training costs. An organization called CIMA offered an ISO 22301 course with a US$100 discount for early sign-up. The actual price of the course never was listed, but the course did require an "ISO 22301 Introduction Course plus practice experience as a prerequisite." The PECB organization offers a similar course, again sans any pricing information. While the post-course exam fees are included in the cost of the course, PECB will sell exams - three levels - separately. Again, no pricing available.

Check-the-box for tyros

Based on queries I see on sundry "professional" forums and groups, I am confident that many "certified" practitioners know little or nothing about the process they pretend to perform.

These people are the same people who will use a "standard" as a check list - the standard requires this, so this will be done; perhaps not to the minimum level of expertise expected by the client, or perhaps even when a particular paragraph of a standard is totally inappropriate for the client.

Who will buy ISO 22301?

Consultancy shops, especially those with deep-pocketed clients, will jump on the latest and greatest "standard" to sell updates or "improvements" to their clients who recently bought plans aligned with the then-latest-and-greatest standard.

Can anything good be said for standards?

There IS much to be said for standardization as a GUIDELINE, a check list of things to consider for inclusion within a plan or program.

Standards never should be used as a "crutch" by a novice, and the check list must not become a "check the box" exercise. A better term for what I think should be considered by practitioners is a "GUIDE": "Does/Did the plan/program consider:" and then list, in a logical order, a generic list or perhaps columns (pick one from Column A and two from Column B and ...).

The bottom line for this practitioner is not to be forced to shoehorn square pegs into round holes.

Standards are OK as a starting point, but to blindly follow one as a "hard and fast" rule is, at least in risk management, foolish for the practitioner and dangerous for the client.

For the record "Client" may be an external client for a consultant or an internal client for a "captive" or staff practitioner.

Sunday, July 1, 2012


It isn't BC, but . . .


For some reason several "If only the BC practitioner had been involved" events came to mind the other day.

They weren't Big Catastrophes for which plans had been made and mitigation options put into place. They were more of the "if only someone had considered" or, in one case, "if only the engineer had listened" variety.

Location, location, location

A company in Florida moved its facility from one site to a new site.

In her wisdom, the Project Manager included business continuity in her plans.

Unfortunately, the company lacked the foresight.

The land it bought was in a flood plain.

Were that not bad enough, it put its core business on the first floor of a three-story building. The logic was that visitors to the facility could view the operation through a huge glass wall.

Impressive, but given Florida's June-to-November weather threats, not particularly wise.

Those darn cables - Part 1

This organization made computer equipment.

One system was bench tested and proved a keeper, a real marketable item.

When it came time to assemble everything into a standard 19-inch cabinet, the engineers discovered that they had failed to allow space for power and communications (ribbon) cables.

Back to the drawing boards; all because someone failed to consider wiring.

Those darn cables - Part 2

Another organization made a top-of-the-line SMDR device, complete with 9-inch reel-to-reel tape deck.

The "brains" of the machine were stored on a pull-out shelf beneath the tape deck.

At the time I was a tech writer documenting the device. As such, I pulled out the shelf and, in the process and unbeknownst to me, tore a flat cable from its connector. When I was done documenting the connections, I returned the shelf to its position.

The next day the Product Manager tried to demo the unit and it failed. We discovered the problem: a flat cable that was a couple of inches too short to allow access to the equipment on the shelf. A longer cable was ordered and the product was fully operational.

(Tech writers can be both trouble and trouble-shooters.)

Top heavy

A PBX manufacturer, to avoid heat problems from the unit's power supply, mounted the power supply on top of the PBX.

It worked fine and heat dissipation problems were eliminated.

Problem was, when the PBX was trucked to a customer, it had a tendency to tip over, damaging the unit. After two or three instances, the company got wise and made certain the units were secured in an upright position before the truck left the loading dock.

Flattened pins

Another PBX company had a great single-shelf system.

Our first customer for this system was a Big Name in Telephony distributor.

When the switch got to the customer site and the distributor's tech hung the unit, it didn't work.

"Send a new unit. And send the tech writer with it." Why me? I was not a technician, although I did document the system, so ...

The replacement system and I boarded a plane. I got off at the destination; the replacement unit continued on to the airline's Texas hub. (I won't mention the airline's name, but it was not Southwest.)

When the unit came back the next day it was hung with the same results. Panic.

I called back to tech support and explained the problem and what the distributor's tech had done. (He was well trained and knew PBXs.) Talking to several company techs we decided that the unit's backplane had bent pins, preventing a connection with the plug-in cards.

Send a new backplane and this time ship it standing upright (rather than lying flat on its pins).

The new backplane arrived with pins intact, was installed, and the switch was operational.

Only one problem remained: The operator console was inoperable. I traced the cable from the switch to the console and discovered a different installer had stapled the cable to a wall - and the staple went through the cable. Remove staple; console worked.

Ground - Part 1

A company for which I briefly worked made telecom add-on units.

It rolled out a new unit that I documented.

I noticed that the unit lacked a system ground. I mentioned this to the Chief Engineer who, thinking "what can a tech writer know," dismissed my concerns out of hand.

A trainer was showing off the system to some potential buyers. As he bent close to the groundless system, it arced from the power supply to the trainer's metal-framed glasses. Fortunately no one was injured, but the box DID get a system ground . . . and I was terminated.

Ground, Part 2

Avoiding the next problem would require a building's plumbing schematic, not normally a requirement for an installer.

According to the tech manual, the installer was to connect a #6 wire from the machine's system ground to either a stake or a cold water pipe. Since it usually was easier to connect to the pipe, most techs used that option.

In one case, the machine was "flaky"; it would go on and off without any obvious reason.

The tech we sent to resolve the issue was an old pro. He tried this; he tried that. Nothing. Finally, he decided to check the ground.

System ground to cold water pipe: OK.

But, being smart, he traced the metal cold water pipe to where it went underground.

The "Ah Ha" moment came when he saw that the metal pipe terminated at a PVC coupling and it was PVC that went into the ground, negating any value the metal cold water pipe might have as a ground.

The tech drove a spike into the ground and terminated the system ground there. No more "flaky" system.

Learning process

As a tech writer, even an experienced tech writer, I lacked knowledge only experience brings. Most of the knowledge was "general" knowledge; knowledge that I applied across products: telephone gear, computers, etc. As I documented equipment and systems, and got to know many - but hardly all - the things that can go bump in the night, I added to my troubleshooting tables. (I did stop suggesting to Big Buck Engineers that a system ground was worth consideration. If UL couldn't convince the gentleman, how could a "mere" tech writer?)

Tech writers and risk management practitioners are some of the few people outside of the Executive Suite who know almost all of an organization's operations. Perhaps not to the last red cent, but "in general."

Friday, June 1, 2012


Organizations not prepared
For natural disasters

Failure to plan puts businesses–and jobs–at risk: FM Global

An overwhelming majority of Americans do not feel their employers are well-prepared for, or might not recover quickly from, a natural disaster, according to research released today by FM Global, one of the world’s largest business property insurers.

According to the insurer, “Business resilience is more than just about getting back on your feet, it’s also about doing the right things to make sure you don’t get knocked down in the first place”

FM Global’s new Business Risk Pulse Check finds 75 percent of U.S.-based workers feel their employer is not well-prepared for a natural disaster, and 72 percent of those polled would not feel totally safe in their workplace during a natural disaster. Additionally, the study finds 71 percent of U.S. workers are not fully confident their employer can bounce back quickly from a natural disaster. The survey comes on the heels of a record year for natural disasters in 2011.

The survey focused solely on natural disasters. While natural disasters are common, risk management practitioners know that there are more risks than those falling under the "natural disaster" heading.

"Findings of FM Global’s Business Risk Pulse Check adds further insight as to why U.S. Department of Labor statistics indicate more than 40 percent of businesses never reopen following a natural disaster." This scrivener hunted through the DOL Web site and failed to find any reference to this "statistic" or the basis of how the "statistic" was derived, i.e., what was the condition - financial, employee, customer base - of the organization before the event.

While I am pleased to see that FM Global's research turned up what at first appears to be a high employee awareness of their organization's risk management efforts, I have to wonder about

  • The organization's transparency - does it share with personnel what it does and what it expects to do "in the event of"?

  • Are published policies and procedures in place "in the event of"?

  • Are ONLY "natural disasters" considered? What about human issues (work [in]actions, error, sabotage), and politics and regulations issues, to name just a few possibilities?

I confess that I am NOT left with a "warm fuzzy feeling" even for the organizations in which the workers are confident their employer will survive a "natural disaster."

The two-page PDF report omits any mention of what type of organizations were surveyed (e.g., commercial, industrial, non-profit, government) and what size - in market share, in ROI, in personnel head count, etc. Were Mom-n-Pops included, and how heavily was the survey weighted toward one industry or another, or toward one size of organization vs. another?

For all the survey's weaknesses, it DOES tell us that risk management is finally being recognized, if not by management then by staff. That's encouraging.

But as with all statistics, unless all the underlying information is available, if the statistic must be cited, it must be cited with the caveat that there are (too) many unknowns.

FM Global is an insurance company, and its PR blurb tells us in the lede paragraph that it is "one of the world’s largest business property insurers."

I confess I like the statement made by Jon Hall, executive vice president of FM Global; it's worth quoting. He said, "Business resilience is more than just about getting back on your feet, it’s also about doing the right things to make sure you don’t get knocked down in the first place.

"The findings demonstrate how critical it is that business leaders better prepare for natural disasters and ensure those efforts are understood within the workplace. Not understanding how a business is prepared for disaster can adversely affect both employee performance and, ultimately, the health of a business.”

To my mind that means more than (just) insurance; it means measures to avoid or mitigate the risks before they occur. (It also means having insurance to help out when something does go "bump in the night.")

If I wrote it, you may quote it.

Longer articles at

Thursday, May 31, 2012


What happened to security?


Security in the U.S. is a farce.

Actually, security in the U.S. is similar to risk management.

One day it's "all the rage" and at the top of management's list of priorities.

The next day it's a historical yawn.

Until, of course, someone, often with no great security intelligence, decides there is a Big Threat to America.

Why the rant?

I am about to take an international journey.

I booked the flights weeks ago.

No one - not the airline, not the ticketing agency - asked me if I had a passport and, if I did, what its number was.

No one asked for my Social Security number either, which is just as well since it NEVER was intended to be an ID for anything other than the Internal Revenue Service (IRS) and the Social Security Administration. Social Security has come a long way since it was introduced as a voluntary tax.

We have - or perhaps had - a "24-hour law" for lading ships bound for the U.S.

We had - but apparently no longer have - a similar law requiring international carriers to provide passenger lists; the law was intended to compare the traveler's ID to a "No Fly" list.

Everyone knows the "No Fly" list misses more than it catches.

The last time I travelled overseas I was obliged to provide my passport information. Fair enough.

I will have to pass through an intrusive x-ray machine as TSA tries to detect things they prohibit from being brought on board an aircraft. Unfortunately, TSA's best efforts and all its machines can't detect everything so what should give me a warm, fuzzy feeling of security doesn't.

On the other hand, when I go through the security check on the way back to the U.S. I won't remove my shoes and I won't be x-rayed. I will go through a metal detector and my luggage will be x-rayed and maybe - maybe - I'll be asked to prove those two bottles of liquid really contain what I claim they contain.

Rather than the invasion of privacy TSA puts travelers through, I'll chat with a well-trained security person who knows the questions to ask and the answers to expect.

Security, where I am going, is a critical issue and unlike the U.S., it always is a concern. No ramping up and standing down like a yo-yo on a politician's string.

The risk management "bottom lines" to all of the above are several, including

  • CONSISTENCY - A level of awareness must remain high, even when, with no active threat presenting itself, it seems over-kill. It CAN be "over-kill" if security is allowed to slip.

  • TRAINING - Security personnel need to be trained to recognize potential threats. If that means profiling - admittedly a no-no for liberals - then profile. Learn to identify a person's actions and manner of speech. Be concerned if a person is wearing a rain coat when there's a drought or an overcoat during a heat wave. In short, learn from the experts; visit the folks who provide security at the airport in Lod.

  • ALL HANDS - All hands, everyone, needs to be involved. The folks manning the desks and the production lines need to be aware of their surroundings. They also need to know how, and to whom, to report something out of the ordinary: a green sky (tornado possible), an unescorted stranger, flickering lights or power surges. The people who keep the organization operating are the organization's first line of defense, but they MUST know what to do when they perceive something is amiss.

I'd feel a lot better if someone had asked me to provide passport information when I purchased my ticket.

I'm sure the passport will be scanned as I check my bag, but if there is a computer or communications glitch, what then?

Apparently we - the U.S. - are in a confident mode.

For a traveler, that's scary.

If I wrote it, you may quote it.

Longer articles at

Sunday, May 20, 2012


Half a program
Not worth the price


I have an anti-virus program. The license is roughly $50 a year, about average for such an application.

As a virus checker, it is one of the best.

Unfortunately, as a virus BLOCKER it falls short.

As a virus REMOVER it is sorely lacking.

Making matters worse, this application doesn't "play nicely" with similar applications from other vendors (e.g., AVG).

My machine was "bugged," probably from an infected email.

I ran the anti-virus app.

It found the problem.

It identified the problem.

It reported that it removed the problem.

But the problem remained.

I called tech support.

Tech support told me to try another, free, product.

I did. The problem remained.

Contacted tech support again.

Same response, different product.

Same result.

On my third chat with tech support I was told to try yet another free product. This last product DID eliminate the problem.

Mind, none of the tech support recommended programs belongs to the anti-virus company I pay to keep my system clean.

This particular anti-virus software also has an applet that it claims can erase files.

I have a file on the machine it cannot erase.

But then it can't be erased by other applications, either.

The "bottom line" to this rant: A product that doesn't work is not worth having, no matter how well parts of the product may function.

I'll grant that the tech support was superior, but having to resort to other folks' applications, especially free ones, speaks volumes for the product. Unfortunately, those are NOT volumes of praise.

The problem with virus checkers is that you don't know how good they are - or are not - until after the fact.

I wrote earlier that this anti-virus application wouldn't "play nicely" with other, similar programs such as AVG.

That's true, but both can be installed and one turned off while the other works.

From an ERM-BC-COOP perspective, it seems sensible, if not "centsible," to install two same-type programs even if the user must turn one off to run the other - at least until one of the two has proven its value. Either that or maintain a list of free, Internet-accessible products (or have a really good working relationship with the vendor's tech support folks).

If I wrote it, you may quote it.

Longer articles at

Thursday, May 17, 2012


"Clawbacks" may improve
 Execs' appreciation of ERM


In a Wall Street Journal article headed Pay Clawbacks Raise Knotty Issues, Suzanne Kapner and Aaron Lucchetti write that "Wall Street is getting its first high-profile opportunity to prove it is serious about recovering pay from executives whose blunders waste shareholder treasure."

Clawbacks, they explain, "are efforts to recover prior compensation paid to employees who engaged in behavior that hurt companies and their shareholders."

What that means for ERM, BC, and even perhaps COOP practitioners is that Very Senior Executives may now have a very good, "financially sound" reason to take an active role in risk management.

Unlike Dodd-Frank and Volcker laws, "A far-reaching provision in the new financial-overhaul law will force U.S. public companies to get tougher about making top executives repay improperly awarded incentive compensation," writes WSJ reporter Joann S. Lublin in an article headlined Law Sharpens 'Clawback' Rules for Improper Pay.

Lublin adds that "Under the legislation signed July 21, the Securities and Exchange Commission must order all (public) companies to adopt so-called clawback policies. The provision requires businesses to recoup as many as three years of ill-gotten pay from current and former executive officers after a material financial restatement—even if the executive wasn't to blame."

If Ms. Lublin's article is accurate, Very Senior Executives need to copy President Harry S Truman's desktop admonishment: "The buck stops here," meaning their desk - even if they are absent.

It is a given that executives facing loss of revenue from as much as three years back will be able to fight the claim in court. Someone must pay the executives' legal fees; a request that the organization foot the bill to defend the executive may be denied. Will an executive insurance policy cover such issues? Will the insurance company pay up if it is covered?

The bottom line for executives, and apparently those people reporting to them - as is the case with the recently exposed $2 billion loss by J.P. Morgan Chase - is that even if they escape a clawback effort, their defense will be expensive and the legal hassle may damage the organization's image.

If the new SEC requirements are enforceable and if they are indeed enforced, Very Senior Executives may develop a respect for risk management and may begin to give it some serious support.

If I wrote it, you may quote it.

Longer articles at

Friday, May 4, 2012


Kidnapping considerations


A New York Times Online article titled Dealing With Kidnapping Abroad warns that kidnapping is alive and well and offers some experts' advice on how to avoid or mitigate the threat.

In addition to the quoted experts, the Times' David Wallis also references several Web sites that provide additional information:

While the article is most assuredly worth a read, if only for the real life stories, it offers very little that's new. The main points are

  1. Vary routes and schedules, and occasionally be early or late to meetings.
  2. Meet in public places, eschew private estates.
  3. Make your own transportation arrangements.
  4. Be aware of your surroundings and suspicious of people seen too often on your travels - perhaps you are being followed.
  5. Consider kidnapping and ransom insurance.
  6. Consider paying a professional for self-protection advice and training.

Friday, April 27, 2012


Who's corrupt?


According to Infoplease, the United States failed to make the list of the Top Twenty Least Corrupt countries for 2011.

The determination was made by Germany's Transparency International. The Germans define corruption as the abuse of public office for private gain and measure the degree to which corruption is perceived to exist among a country's public officials and politicians. It is a composite index, drawing on 13 different expert and business surveys.

On the other hand, the US also failed to make the Bottom Twenty Most Corrupt list. Certainly nothing to write home about.

The lists, if they are at all accurate, tell Enterprise Risk Management practitioners that corruption is a serious threat to the organization.

Since most practitioners lack the expertise to ferret out corruption in an organization, the questions become:

  • To whom does the practitioner turn?
  • Who IS the anti-corruption Subject Matter Expert (SME)?
  • What can be done to prevent or at least discourage corruption?

Several things come to mind, the most important of which is GET TOP MANAGEMENT TO SET AN EXAMPLE and to make clear management's expectation of all personnel.

Sans flag-waving support from the Board Room and Executive Suite, the practitioner's best efforts will be for naught. Very Senior Management must be an enthusiastic example to the troops.

This admonishment is, of course, the standard chorus for all risk management/business continuity activities.

I am embarrassed that the U.S. isn't at the top of the Least Corrupt list, but I predict - looking into my very foggy crystal ball - that the country will do better. The reason for my optimism is the government's increasing enforcement of the Foreign Corrupt Practices Act (FCPA).

Perhaps the threat of Big Brother - or perhaps "Big Uncle (Sam)" - watching will encourage Very Senior Management to do what is necessary for top-down awareness and compliance with national laws in the U.S. and the countries where the organization does business.

If I wrote it, you may quote it.

Longer articles at

Thursday, April 26, 2012


Ripple effect


A New York Times article headlined "With Wal-Mart Claims, Greater Attention on a Law" tells how an alleged Wal-Mart bribery-in-Mexico incident in 2005 is costing the retail giant in 2012.

The allegation that Wal-Mart violated the once rarely enforced Foreign Corrupt Practices Act (FCPA) by bribing a Mexican official has, according to Paul Pelletier, a former Justice Department prosecutor who worked on Foreign Corrupt Practices Act investigations, cost the company "billions."

More than that, it has put other organizations on alert that suspected FCPA violations will be the focus of government attorneys.

Pelletier contends that Wal-Mart's loss of "billions in market capitalization over these last few days is going to make companies in close cases more likely to err on the side of promptly self-reporting."

Making things worse for Wal-Mart is the additional allegation that it "suppressed an internal inquiry into bribery in Mexico in 2005."

Although there are those who will argue that the FCPA should apply only to bribery involving the U.S. government and its contractors, the financial damage to Wal-Mart apparently already has been done.

From a "business continuity" perspective, there is little that a practitioner could do.

I'm not certain even an Enterprise Risk Management practitioner could have done anything more than what probably already was in place, i.e., policies and procedures prohibiting potential FCPA violations. Still, having policies and procedures in place - and known by all who might be in a compromising situation - would give the organization some defense by performing "due diligence."

Wal-Mart's mistake, if it indeed did what is alleged, was trying to cover it up. Shades of Watergate.

FCPA is gaining more attention. I had the pleasure of working for an organization, World Compliance, that has uncovering FCPA violations as one of its main products.

The World Compliance "take" on the Wal-Mart incident can be read at

While a practitioner may not be able to prevent FCPA violations, the practitioner must assure that the focus of the act is known, and understood, by very senior management. That does not mean that the practitioner needs to present the issue to senior management, but it means that the practitioner should see that the appropriate Subject Matter Experts - in this case, Legal or retained lawyers - include FCPA in their presentations to the Boards and Executive Suites.

If I wrote it, you may quote it.

Longer articles at

Friday, April 20, 2012


Good times are bad times?

Not in scope

The economy's picking up.

The organization has a killer product or service and the competition has been left in the dust.

Things could not be better.

Except that the organization's business continuity program failed to account for success.

Success as a "disaster?" How can that be?

Success can have the effect of a disaster if the organization can't handle it.

Let's assume - agreed, that's a foolish thing to do - that the organization makes the ubiquitous widget.

The R&D folks have come up with a modification that makes the widget both more efficient and economical for the user. Let's say the "user" is the government and the widget is used on ships. A cutter uses a half dozen widgets, a carrier uses more than 100.

Bottom line, that's a lot of widgets.

Trouble is, the organization is set up to deliver tens of widgets a month; the government wants hundreds of widgets a month.

In order to meet the government requirements, the organization has to

  1. Employ more people to staff the production line, which means

  2. Expand the facility and

  3. Expand the production line, which means it must

  4. Expand the QA/QC operation

  5. Find the funds to do all of the above; are lenders available and willing; how much of the organization will have to be "signed over" to the lenders?

  6. Increase raw materials orders from vendors (can the vendors meet the new requirements?)

  7. Train new hires (are clearances needed?)

Of course the above are just the tip of the proverbial iceberg.

Unfortunately, few business continuity practitioners consider good times as a risk. Good times simply are "not in scope."

Enterprise Risk Management practitioners should; good times are within "scope" for them.

Business continuity practitioners "scope" typically includes the obvious, and some not-so-obvious threats to the organization. Fire, flood, empty building events, vendor failures, the ubiquitous computer failure.

Business continuity is for small-minded organizations. Granted, business continuity is one step up from simple IT disaster recovery, but it leaves the organization fragmented into far too many "silos."

Some of the silos may not even be integrated into the organization. As examples, Legal and Public Relations (a/k/a Corporate Communications). These, like payroll, often are jobbed out to vendors working on retainer or on an hourly basis.

Yet Legal, Corporate Comm, Payroll, and all the other "support" functions need to be included in the Enterprise Risk Management program.

Even the crystal ball gazers; those folks who try to predict future needs and what customers may desire down the road. "Futurists."

Should the Enterprise Risk Management practitioner be a "futurist"? A lawyer or even a para-legal? What about a PR maven?

Asking the practitioner to be an expert in these disciplines is akin to asking the practitioner to be an SME for HR, Production, QA/QC, Shipping/Receiving, or even InfoTech, the latter where expertise is outdated in the blink of an eye.

What the Enterprise Risk Management practitioner must be is a diplomatic "master (or mistress) of ceremonies," someone able to get everyone working together toward the common goal of protecting the organization from all threats. The practitioner needs to keep up with the "threats du jour" and have an interest in all the "silos" of the organization. The practitioner needs a curious mind unbounded by an artificial "business continuity interests" frame. This curiosity needs to be channeled into "What if" questions for all the SMEs with whom the practitioner works.

John Donne's famous quote was true when he penned it. It remains true today, both for individuals and organizations.

"No man is an island, entire of itself; every man is a piece of the continent." Meditation XVII: Devotions upon Emergent Occasions

If I wrote it, you may quote it.

Longer articles at

Thursday, April 19, 2012


"Usual suspects" replaced

Make way for economic turmoil, commodity pricing fluctuations and business/supply chain interruption

Companies in the global industrial and materials industry face three specific global risks: economic turmoil, commodity pricing fluctuations and business interruption, which includes supply chain disruption, according to a new study from Aon.

The new "primary risks" for global industrial and materials industry operations replace the usual suspects: environment, human, and technology.

The new threats also highlight the need for true enterprise risk management, vs. "just" business continuity or "just" disaster recovery.

For the typical business continuity practitioner, economic turmoil and commodity pricing fluctuations typically are "out of scope." These are areas requiring a financial guru's crystal ball. Traditionally, business interruptions, including supply chain disruptions, are within the business continuity practitioner's scope.

The Aon report focuses on "the global industrial and materials industry," but when practitioners look at what any organization does to justify its existence, all are in one way or another directly or indirectly in a "global industrial and materials industry."

Pick a product or service. Somewhere along the way to product or service delivery there is an international link. It is a global economy; what happens in Greece impacts Japan, half a globe away.

Commodity pricing fluctuations may seem to be a problem for the Fortune organizations, but they impact even a Mom-n-Pop operation, particularly if it makes deliveries. (Have you checked the price at the pump lately? Oil is a commodity, as is the corn that goes into ethanol instead of on the dining room table.)

This all connects back to the threat of supply chain disruption. If the vendor (supplier) cannot

    (a) Make the product because it lacks raw materials (for any reason), or

    (b) Deliver the product because it can't afford the transportation,

Mom-n-Pop will fail to meet their service level agreements with their customers.

The "usual suspects," while supplanted by the new trio, remain in the wings and must - not should, but "must" - get practitioner and management attention.

OK, so the practitioner is hardly a commodity pricing authority. But the practitioner also is not an authority on HR employment laws nor competitive analysis, but we expect the practitioner to know where to find Subject Matter Experts (SMEs) in these fields.

Likewise, the commodity pricing authority - an SME for the practitioner - also turns to other SMEs for input before predicting the future. Experts in a variety of disciplines, not the least of which is the weather forecaster, are queried by the commodity expert.

The "bottom lines" are that

    (a) The only way to protect the organization is with a true, enterprise risk management program

    (b) The risk management practitioner needs to be a Subject Matter Expert in risk management with the ability to ask the right questions of the right people, both inside and outside the organization

    (c) Nothing should be "out-of-scope" for the enterprise risk management program

It should go without saying, but the enterprise risk management sponsor must be a Very Senior Executive or Board member with fiduciary responsibility.

If I wrote it, you may quote it.

Longer articles at

Wednesday, April 18, 2012


Marsh report warns of supply chain dangers


According to a new whitepaper published by Marsh, Supply Chain: How Prepared Is Your Organization?, "Many risk managers [are] not adequately familiar with the tools that are available to help mitigate supply chain risk and improve resiliency, including insurance options."

The 12-page report, a PDF document, is online at
lists the "top 10" most expensive events, in terms of property and business interruption insurance claims. The report notes that "The two costliest events of 2011, the Japan earthquake, tsunami, and nuclear event and flooding in Thailand, illustrate how an event in one part of the world can have a significant effect on supply chains globally."

The Marsh report acknowledges the risk management practitioner's plight when it notes that "many organizations today suffer from a “siloed” approach to supply chain risk management." Product leads, procurement, and logistics make strategic decisions about supply chains while (insurance) risk management practitioners tend to address supply chain exposures by focusing on insurance issues such as contingent business interruption (CBI) and contingent extra expense (CEE), the report contends.

There seems, as Solomon wrote, "nothing new under the sun"; most enterprise risk management, and many business continuity, practitioners are painfully aware that one of the biggest risks to an organization is compartmentalization, a/k/a siloing.

Not only are there the usual "turf" issues, but the lack of comprehension of "the big picture" prevents staff from working together for the common good. (Rather like the U.S. congress and government agencies.)

Good practitioners insist that critical vendors have plans to meet their commitments to the organization in the event something goes "bump in the night."

Good, smart practitioners follow the trail from the vendor's door to the organization's door, and make sure the transportation link is protected.

Really good and really smart practitioners consider all vendors, including lenders, as potential risks.

The very best practitioners also, as in "in addition to the above," consider their organization's role as a supplier, either to a wholesaler or retailer or to the final customer. Can the product or service be delivered? The "supply chain" usually does not stop when the practitioner's organization receives product or service from its vendors.

Insurance - Marsh's business - is important, and this practitioner is a strong believer in bringing in insurance advisors along with other Subject Matter Experts (police, fire, etc.) to make certain the organization is as protected as it can be; that threats are avoided or mitigated.

Although I found nothing new in the Marsh report, its presentation of selected statistics can be valuable if Very Senior Management needs to be convinced that compartmentalization is a very real threat to an organization's future.

If I wrote it, you may quote it.

Longer articles at

Monday, April 9, 2012


How many practitioners
to assure a plan is viable?


Quick question: How many practitioners does it take to assure a high degree of likelihood that a plan will succeed when it is needed?

In a "Best Of All Worlds" situation.

By my count, three.

Someone needs to create the plan.

Granted, in some really big organizations, there are multiple people charged with creating a plan for this or that location.

And, granted, that there are folks in functional units - HR, Facilities, IT, etc. - who may write a mini-plan for their unit, hopefully under guidance from the enterprise planner.

But one practitioner is charged with overall plan creation.

Someone needs to vet the plan, to assure the plan is complete.

True, walk-throughs and desktop exercises go a long way to exposing plan deficiencies, but the deficiencies probably will be more obvious to an outside practitioner who has extensive planning experience but no direct connection to the plan to be vetted.

Finally, the plan needs to be audited.

The auditor isn't looking for plan deficiencies. Instead the auditor is looking to assure that what the plan requires can be provided. If the plan assumes something will be in place, the auditor will confirm that the "something" is indeed in place, or the auditor will report that the "something" is missing and that, due to that, the plan may be in jeopardy.

Depending on the size and dynamics of an organization, the planning practitioner may be either a staff practitioner or a consultant. This person will take up the lion's share of the time and money required to create, vet, and audit the plan.

I would recommend that the person selected to vet the plan be a consultant.

This person must have a wealth of experience, more than the plan developer and more than the auditor.

It's OK if the plan developer and the practitioner selected to vet the plan know each other, but they should not come from the same "stable" (agency). Ideally, they will not have created a plan together in the past. Independent minds are needed.

If the plan developer and the person vetting the plan have a good working relationship, that's wonderful. If this is an adversarial relationship, the process is doomed.

The ideal auditor will have an understanding of business continuity, albeit not necessarily a practitioner's experience. The auditor's function is not to review the plan for deficiencies - that's the vetting practitioner's job. The auditor needs to make certain that the avoidance and mitigation processes agreed to by management are put into place; the auditor needs to confirm that exercises have been held and critiqued, and that the "To Do" list has become the "Was Done" list.

The development practitioner and the vetting practitioner need to work together as "almost peers," with the vetting practitioner being slightly senior.

In the vetting role, the practitioner needs to diplomatically work with the plan developer to "enhance" the plan, to "fill in any holes." The practitioner vetting the plan needs both extensive experience in creating plans and ferreting out risks - to borrow from Star Trek, to go where no (planner) has gone before - and an equal amount of charm, diplomacy, or "presence" to convince the plan developer to rethink all the threats.

The auditor also should be a master of tact.

Finally, there needs to be a referee; in most cases, this would be the 800-pound gorilla plan sponsor.

While the sponsor may - and should - agree that the vetting practitioner is correct in the practitioner's assessment, the sponsor may end up ruling for the development practitioner due to any number of reasons, including the organization's ability to implement the vetting practitioner's recommendations.

It may only take two to tango, but I suggest it takes three to fully develop a plan that will survive almost anything.

  1. A practitioner to develop the plan.
  2. A practitioner to vet the plan.
  3. A person with risk management "awareness" to audit the plan.

If I wrote it, you may quote it.

Longer articles at



To the shores of Tripoli


Why is it that piracy still is a threat to both commercial and private ships and boats?

It is so easy to put an end to piracy, if not the pirates themselves.

Legally, according to even the UN's rules.

During World War 2, ships crossed the Atlantic and Pacific oceans in convoys, escorted by naval vessels, primarily U.S. Navy and Coast Guard ships.

The escorts didn't totally eliminate attacks on the merchant ships - submarines took their toll, as did a few aircraft - but the losses to other surface ships were greatly minimized.

Today's pirates have neither submarines nor airplanes to sacrifice in kamikaze attacks.

Today's pirates primarily are armed with rocket-launched missiles, heavy (50 caliber) machine guns, and rifles.

They attack using small, relatively fast, maneuverable boats, knowing that with few exceptions, crews on ships either are not armed or if they do have weapons, they are not sufficiently trained to use them effectively.

The pirates capture people and cargo for ransom.

If the US and other countries with a naval presence in pirate-infested waters were to take a leaf out of a World War 2's history book they would once again form convoys.

Gunners on board naval vessels need to be allowed to fire and sink boats approaching them or a ship in the convoy in a threatening manner; this permission to fire is to prevent another USS Cole, the ship attacked by Muslim terrorists working out of Iran.

Use of unmanned aircraft as sentries could alert the convoy to a threat not yet positively identified by shipboard radar. These aircraft need not be sophisticated "spy" planes with radar-deflecting skins. Let the enemy - the pirates - know the aircraft are in the sky, watching for them.

The waters favored by modern pirates are well known to both commercial and military sailors.

Why can't ships be staged at a safe harbor until there are enough for a decent convoy?

Once a convoy is assembled, naval vessels can escort it safely past the pirates. Other ships can assemble and convoy from the opposite direction under their own escort, rather like commuter trains or intra-city buses.

I know a ship not underway is losing revenue for its owners, but it would seem a day or two forming a convoy to avoid being attacked, with possible loss of life and cargo, might offer a good return on investment. Consider it a form of insurance.

I am not a sailor and I don't play one on TV, but it seems to me some frigates armed with conventional weapons having a range greater than the pirates' weapons (I never favor a "fair" fight) would be a pretty convincing argument for the pirates to find another occupation. Another point to consider: pirates - like Hamas, Hezbollah, and other terrorists - are not military personnel, they don't wear uniforms, and they do not qualify, when captured, as prisoners of war with Geneva Convention rights.

If I wrote it, you may quote it.

Longer articles at

Thursday, April 5, 2012


Weather, weather everywhere . . .


  • The deadliest weather disasters are droughts followed by famines.
  • During 2011, 820 natural catastrophes were documented around the world, resulting in 27,000 deaths and $380 billion in economic losses

In a Western Farm Press article titled, Droughts reign as deadliest weather disasters, "During 2011, 820 natural catastrophes were documented around the world, resulting in 27,000 deaths and $380 billion in economic losses, according to data compiled by Munich Reinsurance Company and analyzed in the Worldwatch Institute's Vital Signs series. The number of natural catastrophes was down 15 percent from 2010 but was above the annual average of 790 events between 2001 and 2010, and considerably above the annual average of 630 events between 1981 and 2010."

The report continues that "The deadliest weather disasters are droughts followed by famines, particularly in Africa. From October 2010 to September 2011, a severe drought in the Horn of Africa caused widespread famine and large-scale migratory movements, particularly in Somalia and Kenya. Around 80 percent of the livestock of Somalia's nomadic population died, some 13 million people required humanitarian aid, and an estimated 50,000 people lost their lives. But because human agency played a large role in this catastrophe, it was not included in the analysis of 2011 natural disasters."

In face of all the negative news, an AFP World News story headlined US forecasters see drop in 2012 Atlantic hurricanes informs that "The number of 2012 Atlantic hurricanes will be below average this season due to a cooling of tropical waters and the potential development of El Nino conditions, US forecasters said Wednesday.

"The Colorado State University forecast team predicted 10 named storms during the hurricane season from June 1 to November 30.

"Four of the storms are expected to achieve hurricane strength and two of those are expected to be major hurricanes, with sustained winds of 111 miles (178 kilometers) per hour or greater."

Monday, April 2, 2012


Outsourcing management


There is an interesting discussion on one of the LinkedIn groups about "Outsourcing."

The question was asked: "How can I prepare for missing key personnel in a small company?"

My take on the question is at - Outsource.

But then someone asked "Outsource management?"

It seems to me if ANY positions are to be outsourced, management should be at the top of the list.

Am I crazy? Never mind; that's a rhetorical question.

Consider that most Very Senior Management is far removed from day-to-day, in-the-trenches operations. Unless the organization is very small, does anyone really expect the company president to know how to weld a joint or operate a lathe? Maybe at one time, before CAD/CAM was introduced, but today? Not likely.

Would the Senior VP know how to keep the books to satisfy a CPA's audit? Why? That's why the company has bookkeepers.

Hopefully Functional Unit managers can function in a hands-on role, but does anyone really expect Top Management to work on the production line?

    To be fair, I have to note that "All generalities are lies." There ARE some Very Senior Managers - usually owners of the company - who CAN and often do enjoy keeping their hands in the business. They are few and far between, but they exist.

Think of all the Very Senior Executives who move from industry to industry. Robert Townsend was a good example. He was, according to his Wikipedia bio (
  • An officer in the United States Navy
  • Senior vice president for investment and international banking at American Express
  • CEO of Avis
  • A senior partner of Congressional Monitor
  • Chairman of the executive committee of Leadership Directories, Inc.
He also managed to write one of my favorite management books: "Up the Organization."

Granted while there ARE "specialty" MBAs, the majority of MBAs are of the generic variety. They teach management - otherwise known as How to get the most out of the throw-away human resource. They do not teach how to do production or sales work, profit center work.

Admittedly, most small organizations are managed by people who have a concept of what the organization is all about, but I would suggest that organizations run by MBAs might be well-served by "outsourcing" the positions. Who knows what a fresh take on the business might bring. Yes, there are two sides to that coin.

There is a problem with outsourcing management: How much does permanent management want the temporary managers to know about the organization and its product, its finances, its personnel?

Outsource IT? Probably, as long as the temporaries are supervised by a permanent IT person.

Outsource payroll? It probably already is outsourced, perhaps along with accounting.

Outsource production and sales - that might prove difficult.

Outsource management - now that's worth considering.

If I wrote it, you may quote it.

Longer articles at

Friday, March 30, 2012


Cargo theft on rise


An article headed Cargo theft risk may be higher than thought by Sean Kilcarr, senior editor of Fleet Owner, introduces a "secondary risk" for many organizations.

The problem, which directly relates to transportation organizations, is in-transit theft of product.

Strangely enough, the article notes, "low value" thefts - theft of goods valued at US$50,000 or less - are on the rise while theft of goods valued above US$50,000 is declining.

The article quotes Tom Mann, president of TrakLok, a company that provides trailer and container security systems, that maintaining secure custody of freight as it moves through the supply chain is one of the biggest challenges the transportation industry faces as it deals with the threat of cargo theft.

“It’s a problem that really requires ‘layered’ security solutions,” he explained. “It’s not just about putting a lock on a trailer or container; it’s about connecting that lock to GPS and Geofencing technology so it can only be opened at origin or destination and at a certain time – with alerts sent out if the lock is opened or removed outside of those pre-set time windows or is tracked deviating from a prescribed route.”

The concern for non-transportation organizations is to assure that product is properly and fully protected from the time it leaves the point of origin to the final destination.

Admittedly, most cargos are covered by insurance, but most of us know that repeated claims drive up insurance premiums. It might be practical to either (a) insist that the carrier(s) have secure systems to protect the cargo or (b) for the company to invest in, and apply, such systems. This would seem most appropriate for multimodal shipments. (Bear in mind that Customs may need to open a container; how that issue is handled needs to be clarified between the shipper and Customs officials in the origin and destination countries.)

Preventing cargo theft should be a concern for all manufacturers, if only to assure that the transportation organization(s) implement advanced security measures.
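The "layered" lock described in the article amounts to three rules: the lock may be opened only inside the origin or destination geofence, only within a pre-set time window there, and the tracked position must stay within a corridor around the prescribed route. The following is an added example of that alerting logic, not code from Fleet Owner or TrakLok; the coordinates, time windows, corridor width and telemetry events are constructed, and real tracking systems will differ in their event formats.

```python
# Added example, not from the article or any vendor: alert rules for a
# GPS-connected cargo lock (geofence, time window, route corridor).
# All coordinates, times and event records below are constructed.
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two WGS84 points."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

@dataclass(frozen=True)
class Geofence:
    name: str
    lat: float
    lon: float
    radius_km: float
    window_start: datetime   # lock may be opened here only inside this window
    window_end: datetime

    def contains(self, lat, lon):
        return haversine_km(self.lat, self.lon, lat, lon) <= self.radius_km

@dataclass(frozen=True)
class ShipmentPolicy:
    fences: tuple            # origin and destination geofences
    route: tuple             # prescribed waypoints as (lat, lon)
    corridor_km: float       # allowed deviation from the route

def _to_xy_km(lat, lon, ref_lat):
    """Equirectangular projection; adequate for corridor checks over a few hundred km."""
    return lon * 111.32 * cos(radians(ref_lat)), lat * 110.574

def distance_to_route_km(lat, lon, route):
    """Shortest distance from a position to the polyline through the waypoints."""
    px, py = _to_xy_km(lat, lon, lat)
    best = float("inf")
    for (alat, alon), (blat, blon) in zip(route, route[1:]):
        ax, ay = _to_xy_km(alat, alon, lat)
        bx, by = _to_xy_km(blat, blon, lat)
        dx, dy = bx - ax, by - ay
        seg2 = dx * dx + dy * dy
        # projection parameter, clamped so we measure to the segment, not the line
        t = 0.0 if seg2 == 0 else max(0.0, min(1.0, ((px - ax) * dx + (py - ay) * dy) / seg2))
        best = min(best, sqrt((px - ax - t * dx) ** 2 + (py - ay - t * dy) ** 2))
    return best

def evaluate(events, policy):
    """Return one alert string per event that violates the policy, in event order."""
    alerts = []
    for ev in events:
        ts, lat, lon = ev["ts"], ev["lat"], ev["lon"]
        if ev["type"] in ("lock_open", "lock_removed"):
            fence = next((f for f in policy.fences if f.contains(lat, lon)), None)
            if fence is None:
                alerts.append(f"{ts.isoformat()} {ev['type']} outside any geofence at {lat},{lon}")
            elif not (fence.window_start <= ts <= fence.window_end):
                alerts.append(f"{ts.isoformat()} {ev['type']} at {fence.name} outside its time window")
        elif ev["type"] == "position":
            off = distance_to_route_km(lat, lon, policy.route)
            if off > policy.corridor_km:
                alerts.append(f"{ts.isoformat()} route deviation of {off:.0f} km at {lat},{lon}")
    return alerts

T = datetime.fromisoformat  # constructed UTC timestamps below
POLICY = ShipmentPolicy(
    fences=(
        Geofence("origin", 33.750, -84.390, 1.0, T("2012-03-30T07:00+00:00"), T("2012-03-30T09:00+00:00")),
        Geofence("destination", 35.230, -80.840, 1.0, T("2012-03-30T15:00+00:00"), T("2012-03-30T17:00+00:00")),
    ),
    route=((33.750, -84.390), (34.500, -82.600), (35.230, -80.840)),
    corridor_km=10.0,
)

EVENTS = (  # constructed telemetry from the lock and tracker; three of these violate the policy
    {"ts": T("2012-03-30T08:00+00:00"), "type": "position", "lat": 33.750, "lon": -84.390},
    {"ts": T("2012-03-30T08:05+00:00"), "type": "lock_open", "lat": 33.751, "lon": -84.389},
    {"ts": T("2012-03-30T10:00+00:00"), "type": "position", "lat": 34.500, "lon": -82.600},
    {"ts": T("2012-03-30T11:30+00:00"), "type": "lock_open", "lat": 34.600, "lon": -82.500},
    {"ts": T("2012-03-30T12:30+00:00"), "type": "position", "lat": 36.500, "lon": -82.000},
    {"ts": T("2012-03-30T14:00+00:00"), "type": "lock_open", "lat": 35.230, "lon": -80.840},
    {"ts": T("2012-03-30T15:30+00:00"), "type": "lock_removed", "lat": 35.230, "lon": -80.840},
)
```

Running `evaluate(EVENTS, POLICY)` yields three alerts: the mid-route opening, the large route deviation, and the early opening at the destination; the compliant openings at origin and destination produce none.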

If I wrote it, you may quote it.

Longer articles at

Thursday, March 29, 2012


Weather risks


According to an Associated Press article by Seth Borenstein titled Mumbai, Miami on list for big weather disasters, published in numerous outlets (NB), a 594-page report from the UN's Intergovernmental Panel on Climate Change warns that "Global warming is leading to such severe storms, droughts and heat waves that nations should prepare for an unprecedented onslaught of deadly and costly weather disasters."

Borenstein states that "This report — the summary of which was issued in November — is unique because it emphasizes managing risks and how taking precautions can work, Field said. In fact, the panel's report uses the word "risk" 4,387 times."

And that is what makes the report of interest to risk management/business continuity practitioners.

While the report targets governments at all levels, risk management practitioners are well advised to spend some time considering the potential threats to the organizations they serve, either as staff or consultants.

For a number of years I have promoted incorporating risk management into construction projects, beginning with site selection. This report supports that, noting that "Globally, the scientists say that some places, particularly parts of Mumbai in India, could become uninhabitable from floods, storms and rising seas. In 2005, over 24 hours nearly 3 feet of rain fell on the city, killing more than 1,000 people and causing massive damage. Roughly 2.7 million people live in areas at risk of flooding.

"Other cities at lesser risk include Miami, Shanghai, Bangkok, China's Guangzhou, Vietnam's Ho Chi Minh City, Myanmar's Yangon (formerly known as Rangoon) and India's Kolkata (formerly known as Calcutta). The people of small island nations, such as the Maldives, may also need to abandon their homes because of rising seas and fierce storms."

Even without "extreme" weather events, flooding is, along with fire, among the most common threats to "business as usual"; organizations need to involve risk management practitioners in all aspects of the operation.

If the organization must locate in a flood zone, at least put the profit center on an "above 100 year flood" level . . . and plan to have an alternate site in a no-flood zone. Flood information usually is available, at least in the U.S., but organizations often seem to be ignorant of this.

On top of the danger of flooding, the focus of the AP article, organizations also suffer increased insurance costs, particularly if they are located within close proximity to a large body of water (be it a lake, river, or ocean). This, obviously, takes its toll on the organization's "bottom line" even if the organization is a non-profit or government agency.

Yahoo! News:
Denver Post:
US News & World Report: (Badly edited)

Friday, March 23, 2012


Volcano afterthought


I'm confident that almost everyone remembers the travel delays associated with the eruption of Iceland's Eyjafjallajökull volcano in 2010. (You can refresh your memory at and view some dramatic photos at

The bottom line for travelers is that the ash spewed from the eruption grounded flights across much of Europe.

Photo from Wikipedia cited above

At the time I wondered why travelers, particularly business travelers, allowed themselves to be "stuck" in one place for several days. There were other transportation options: trains, buses, rental vehicles, with or without chauffeurs.

Some travelers were forced to hunker down wherever they landed because their company's travel policies prohibited independent travel arrangements; others put a limit on expenditures even in an unexpected situation. (The question here is: was the eruption really unexpected?)

I'm about to book a flight from my home in the US to the Middle East via Europe so the volcano came to mind.

Since I believe in practicing what I preach, I started considering my options. Two options came to mind.

One: Have my airline make arrangements with an airline in southern Europe - Portugal, Spain, or Italy - for me to continue to my destination from there using my original ticket, which I would expect my airline to arrange with the alternate airline. I would take a train to Lisbon (TAP), Madrid (Iberia), or Rome (Alitalia), or to my destination country's national carrier if it lands at those cities' airports.

Granted, I'd be out the cost of a train ticket (unless, of course I bought travel interruption insurance), but I would get to my destination reasonably close to my originally scheduled arrival.

Two - and this is to my mind far better - is for the airlines' risk management people to be on the ball and recommend (now) that the airlines have a contingency plan that states, basically, that "In the event aircraft cannot fly north or arrive from the north due to any reason - act of God or otherwise - flights from the south with planned continuations to northern Europe will be turned around to carry passengers to destinations outside the "no fly" zone."

In other words, let's say a plane

  • coming from Rome's Leonardo da Vinci/Fiumicino – FCO
  • bound for Amsterdam's Schiphol airport
  • lands at Paris' Chas. de Gaulle airport,
because it was scheduled to land there or because conditions north of France prevented the flight's continuation.

In the former case, there should be no problem with local laws preventing the airline from turning that aircraft around and substituting it for a cancelled flight from Schiphol.

In the latter case I can see where local laws might get in the way, but with so much inter-airline code sharing, perhaps politics could be put aside and another airline's tickets (e.g., Air France) could be honored by the turned-around flight from Rome (e.g., Alitalia).

In my case, let's say I fly to the European city on Flight USA1 to connect with my destination flight ME1. ME1 originates at Gardermoen at Oslo, lands at De Gaulle, and then continues to my Middle East destination.

Eyjafjallajökull spews ash into the air and grounds ME1 at Gardermoen.

Meanwhile, ME2, from my destination to Gardermoen via De Gaulle, arrives in Paris.

It cannot continue to Gardermoen, but the airline could turn ME2 around, rename it ME1 and have it return to my destination. The passengers continuing to Oslo would be forced to either find other transportation or enjoy a stay in Paris.

My opinion of the airline, whether it put me on one of its own planes or got me to my destination on another carrier, would, like the plane I would be riding, soar to new heights. Even if the alternate airline offered superior service, the good will generated by my original "ME1" carrier might be enough, "all things considered," for me to remain a customer of that airline.

There really are two "bottom lines" to this effort.

Bottom Line 1: Airlines should have risk management plans that consider alternatives to a cavalier attitude of "the passengers be damned" and plan to offer passengers alternatives to waiting in the airport until resumption of "business as usual."

Put the passengers destined for non-impacted areas on other flights. Arrange for passengers to impacted areas to continue - if they choose - via rail, road, or waterway to their destination.

A really image-conscious airline would, if it had the information, contact people who might be waiting at the destination to tell them that Passengers A, B, and C were OK and would be on flight ME? scheduled to arrive at whatever time.

Bottom Line 2: Passengers should be prepared to find alternative means to their destinations.

The same holds true on the return flight - ME2 to De Gaulle then USA2 home.

If De Gaulle is closed due to - pick a reason - let USA1 divert to, say, Lisbon's Portela.

Since my ME2 flight to De Gaulle is cancelled, let the airline book me via Portela to connect with USA1 on its return to the States as USA2.

North-bound travelers can find alternative transportation; others can make their connections from Lisbon.

True story. Flying one January from Philadelphia to Ely NV via Salt Lake City UT. The airline decided it would not or could not continue to Ely, some 250 miles away, so it crowded the 8 passengers bound for Ely into a stretch taxi that lacked an efficient heater - translation: we all wore heavy coats, further compacting the passengers.

None of us appreciated the airline's decision but since it was then the only air option in and out of Ely, we were "stuck." The airline eventually abandoned Ely and a smaller, more reliable, service took its place.

If I wrote it, you may quote it.

Longer articles at