Friday, February 24, 2012

ERM-BC-COOP

Cat's paw scratches employer

 

According to AdvisenFPN, the U.S. Supreme Court ruled that, basically stated, an employer is liable for managers' decisions when they affect personnel.

In the case, the plaintiff sued the employer under the United Services Employment and Reemployment Rights Act ("USERRA") alleging that the Human Resources VP who fired the employee was merely a "cat's paw" for the employee's direct supervisors.

The Court held that "if a supervisor performs an act motivated by animus that is intended by the supervisor to cause an adverse employment action, and if that act is a proximate cause of the ultimate employment action, then the employer is liable under the USERRA." While the Court addressed the claim under USERRA, other courts have now addressed the issue in other legal contexts. (The full article can be read at

Attorney Ashley Kasarjian of Snell and Wilmer LLP wrote on her blog that "When terminating employees, companies need to take a close look at the process leading up to the termination. There are many questions companies should ask: Why is the company taking the adverse action? What led to that decision? Who provided input into this decision? Was any input from a supervisor “rubber-stamped” or did Human Resources conduct an independent investigation?" She noted that while independent investigation will not foreclose liability under the Cat’s Paw theory, it is among the most important things a company can do.

While the actions of managers and HR may be outside the scope for a business continuity practitioner, they are well within the purview of an enterprise risk management practitioner.

The "avoidance/mitigation" options must originate with the Legal staff - in-house or external. The practitioner's role is to raise the issue, assure that it is addressed, and also to assure that the company creates strong, unambiguous policies and procedures to prevent an occurrence.

Addressing the issue is similar to addressing sexual harassment issues: generally, training to define what constitutes sexual harassment, providing a reporting procedure, and having consequences for violations; and, again, having published policies and procedures.

Actions such as this "cat's paw," even if the organization prevails, are costly to

  • the bottom line
  • the organization's image
  • staff morale

All those "costs" are the result of threats either ignored, or more often, not considered by the risk management practitioner. The way to at least help assure that the "cost" threats, and similar threats, are identified is to involve all personnel in risk identification and avoidance/mitigation. No one person can think of everything, but together most threats can be identified.


According to Merriam-Webster (http://www.merriam-webster.com/dictionary/cat's%20paw) a "cat's paw" is

  1. a light air that ruffles the surface of the water in irregular patches during a calm
  2. [from the fable of the monkey that used a cat's paw to draw chestnuts from the fire]: one used by another as a tool : dupe
  3. a hitch knot formed with two eyes for attaching a line to a hook — see knot illustration

Tuesday, February 21, 2012

ERM-BC-COOP

Nothing funny
@ comic headquarters

 

I'm at a loss to figure out how a risk management practitioner could have predicted, and avoided, a situation that must be turning Archie's orange hair grey.

According to an Associated Press story by Jennifer Peltz, the comic book company that produces the Archie comics has two co-CEOs, and the two co-CEOs are warring against each other.

The battle is no laughing matter and now is before the New York courts.

The two contenders before the bench are the grandson of one of the 70-year-old organization's founders and the widow of the other founder's son (the AP article apparently skipped a generation).

The problem goes beyond the squabbling relatives-by-marriage; the small company is in jeopardy. According to one of the battling CEOs, "An iconic American company is in serious danger of failing and being liquidated."

The obvious "avoidance measure" is to avoid co-owners or at least to have one owner superior to the other, with buy-out options. For Archie Comic Publications, there was supposed to be a separation of duties; the AP article states that one co-CEO was to oversee scholastic and live theatrical endeavors, while the other would have final say on everything else. Each controls 50 percent of the company.

There are 25 people staffing the company's headquarters whose livelihoods are endangered. Additionally, consider the vendors and clients - the outlets for the comic.

This "who's on first" feud is far outside the realm of a business continuity practitioner and, to this scrivener, adds one more reason to promote enterprise risk management - an umbrella covering all threats to "business as usual."

The issue is one that, had a risk management practitioner been involved early on, might have raised a warning flag for the lawyers; the legal staff might have cobbled something together to prevent the present finger pointing and dates before the state courts. Certainly it is not the risk management practitioner's job to draw up a contract - that's a job for the lawyers, and no one should expect the risk management practitioner to be a legal expert. BUT perhaps a risk management practitioner might have foreseen the possibility of a feud between equals and encouraged the lawyers to create contracts to avoid court battles.

Rather like a pre-nuptial agreement.

If I wrote it, you may quote it.

Longer articles at https://sites.google.com/site/johnglennmbci/

Friday, February 17, 2012

ERM-BC-COOP

So you think you're covered?

 

The headline in Pittsburgh Tribune-Review's "TribLive" reads: Penn State sues its liability insurer.

It seems, according to court papers filed by Penn State (PSU), that the university is suing its insurance company, the Pennsylvania Manufacturers' Association Insurance Co. (PMA), to enforce its rights under its policies and is in sharp contrast to PMA's tactical action.

PSU went to court in response to a PMA civil suit filed on Jan. 31 seeking to get out of having to pay for costs coming from a civil suit against the university.

Disputes between insurers and insured seem to be becoming more and more commonplace.

The other day a story related how one insurer is delaying payment on a business interruption claim.

The bottom line - and I suppose it's not really a direct risk management practitioner's problem - is that policies must be carefully read before being signed.

Insureds need to know, and understand, all the "small print."

In the case of business interruption insurance, know what documentation the insurer will demand before any payment will be made.

Know the limits of the coverage; is supplemental coverage needed, and how much is enough? How much is the business worth? Is there an insurance overlap or gap?

Does the insurance cover everything that may cost the organization money? Beyond court costs and lawyers' fees, how about PR damage control? What happens if the plaintiff prevails; can a huge award be paid without the organization going belly up?

Who can you ask?

Start with insurance sales people; talk to several that specialize in the needed coverage. Try and get sample policies.

Talk to independent insurance adjusters. Have them - get at least two opinions - review the proposed plans and discuss with them your perceived needs. These people are insurance Subject Matter Experts (SMEs); listen to them.

Find out who is the insurance company's reinsurer; the company that backs up the insurer in the event claims swamp its financial resources. What is the reputation of the insurer and the reinsurer?

Also check with the state Insurance Commissioner (or equivalent). Are the leading contenders for your insurance business well respected by the agency that regulates them?

I am not an insurance adjuster and I don't play one on TV. I do read insurance-related news every weekday thanks to Advisen and I know that when I have an insurance question, I practice what I just preached.


Thursday, February 16, 2012

ERM-BC-COOP

Crisis chief is target

Group wants cruise lines crisis chief charged

 

An Agence France-Presse article states that "An Italian consumer group (Codacons) on Wednesday formally requested that the operator of the Costa Concordia cruise ship which crashed last month with the loss of 32 lives should be held criminally accountable."

    CODACONS, an umbrella group of associations for the protection of the environment and of consumers and users, is a non-profit association which, in accordance with its articles of association, seeks to safeguard standards of quality, efficiency and correct behaviour in contractual relations and in the provision of public services. http://ec.europa.eu/justice/policies/privacy/docs/lawreport/paper/codacon_en.pdf

The interesting thing for risk management practitioners is that the group, according to the AFP article, also believes that "the head of the company's crisis unit, Roberto Ferrarini, should be held responsible for multiple counts of manslaughter."

Codacons contends that "This request is based on the fact that the hour or more that it took to evacuate the ship led directly to the deaths."

I cannot think of any other case where a person in a risk management position has been named a defendant in a criminal or civil action.

While Codacons wants the crisis chief included in the criminal complaint, the final decision will come from the courts.

If Ferrarini is like most risk management - and this includes "crisis management" - practitioners, all he can do is recommend things to management. If management elects to ignore his recommendations, the practitioner should be dropped from any civil or criminal actions.

The problem for Ferrarini may be proving he performed due diligence on the job; that he did tell Costa, and by extension, Carnival, that emergency responses needed improvement.

If he did tell Costa management and was ignored, did he escalate his concerns to Carnival in Miami?

Can he prove any of it?

From time to time the question arises: What risks does the risk management practitioner face when he, or she, advises a client, be the client internal or external?

If I, for example, tell a client that the client needs to upgrade a generator to provide AC for the entire facility rather than only IT, and if the client ignores my recommendation, am I responsible for a 5-day power outage that prevents the organization's profit center from making a profit?

A related question is: Does a risk management practitioner, particularly in a consulting role, need malpractice insurance?

What's a practitioner to do?

Document, document, document.

But not on the client's computer - documentation could "disappear" when it might be most needed.

I hate to recommend the "CYA" approach, but when things such as the Carnival/Costa disaster occur, the risk management practitioner may be in the "line of fire" of people who want to bring criminal, or more often, civil actions.

I have no idea what Ferrarini did or failed to do, nor am I privy to his ability to influence management.

I am aware that Codacons has pointed its finger at him as having some responsibility for the disaster. He didn't run the ship onto the rocks; there's no indication he was on the ship or that he had, at any point, any authority over the ship's captain or crew.

Wednesday, February 15, 2012

ERM-BC-COOP

BC, DR mutually exclusive?

 

I was just poking around a major disaster recovery site. The site includes blog space and on it I read, in two installments, that disaster recovery planning, "DRP," is separate and apart from business continuity planning, "BCP."

Now I may be a newcomer to the business; I only got started in 1994 on a real disaster recovery - vs. business continuity - project, so perhaps I can be forgiven if I disagree with the blogger.

Truth in blogging: The site's professional blogger is not a business continuity practitioner; the writer is a PR person who should be working under the supervision of an experienced practitioner.

This writer treats InfoTech as an independent entity, separate from the profit center and its other resources, e.g., HR, Facilities, Finance, Vendor Management.

There is "business continuity" for the "business" operations and there is "disaster recovery" for InfoTech.

With no apologies, I will offer my one-word opinion of this arrangement:
NONSENSE.

What the PR person fails to understand is that if the profit center (on the "BC" side of the data center door) can't function, there's no need for InfoTech.

Moreover, "disaster recovery" is not limited to InfoTech. If an event occurs, ALL functions must be "recovered."

I am a firm believer in functional unit mini-business continuity plans; have a plan for InfoTech, another for HR, still another for Facilities, ad infinitum. That's fine. If an event occurs in a functional unit, if that event can be rectified before it can impact any other functional units, wonderful. Use that functional unit's mini-plan to recover the unit. If the event will prevent the functional unit from meeting its Service Level Agreements (SLAs) to internal and external "clients" (other functional units and customers), then the issue is escalated to the enterprise business continuity plan.

What I cannot countenance is separating InfoTech - or any other functional unit - from the overall business continuity plan.

While some glossaries will disagree, my basic definition of business continuity is risk avoidance and mitigation. Disaster recovery ignores both - in the DRP world, "avoidance and mitigation" means having a backup site. That is neither avoidance nor mitigation; it is "survival mode."

I write with some experience. For several years I was Manager of IT Business Continuity for a Fortune 100 organization; trust me, there was no "business continuity."

At best, disaster recovery is an integral part of business continuity; it never should be a separate entity, glossaries notwithstanding.

We - risk management practitioners - should have grown up enough to realize that in order to protect the organization, and that means avoiding and mitigating threats as well as responding to them when they occur, we must have business continuity and "disaster recovery" must be an integral part of it.


Monday, February 13, 2012

ERM-BC-COOP

Major Boothroyd's toys?

Security tips for travelers

 

The "leed" paragraph on a New York Times article headlined Traveling Light in a Time of Digital Thievery caught my eye. It read:

    SAN FRANCISCO — When Kenneth G. Lieberthal, a China expert at the Brookings Institution, travels to that country, he follows a routine that seems straight from a spy film.

My attention was drawn to the article both because of the subject and because of the unusual-in-this-day craftsmanship shown by the writer.

The article goes on to describe some of the measures Lieberthal takes to assure his private thoughts remain private.

One of his acts reminds me that we are in a "James Bond" world of spy technology.

According to the NYT story, when he travels to certain countries known for unscrupulous behavior, "he disables Bluetooth and Wi-Fi (on his loaner computer), never lets his phone out of his sight and, in meetings, not only turns off his phone but also removes the battery, for fear his microphone could be turned on remotely."

The article goes on to cite Joel F. Brenner, formerly the top counterintelligence official in the office of the director of national intelligence, as stating that mobile devices carried into those countries "will get penetrated" (compromised).

The article offers both an interesting lesson in security steps that can be easily undertaken as well as some equally interesting war stories, including one about the U.S. Chamber of Commerce.

Even if the risk management practitioner is not directly involved in security - and this is more than "just" data security - it is an article worth sharing with those who are involved with security and management, whether anyone in the organizations travels or not.

The old days of Mad Magazine's Spy-vs.-Spy have given way to the novelties provided 007 by Major Boothroyd, a/k/a "Q."


Friday, February 10, 2012

ERM-BC-COOP

Looking for deep pockets

 

Two articles of interest crossed my desk(top) this morning.

One, Tribe sues beer companies for alcohol problems, is an Associated Press article carried in Canadian Business.

The other, David Laffer victim's family files $20M suit, was carried by Newsday.

In the Tribe sues story, the AP reports that the Oglala Sioux Tribe of South Dakota filed suit against beer makers Thursday, claiming they knowingly contributed to devastating alcohol-related problems on South Dakota's Pine Ridge Indian Reservation. The suit also names four off-reservation retailers.

The Indians are seeking damages for the cost of health care, social services, and child rehabilitation caused by chronic alcoholism on the reservation, where alcohol is banned.

The article cites a high rate of fetal alcoholism and a greatly reduced life span among reasons for the suit.

In Newsday's David Laffer article, "The family of one of four people killed during the Father's Day holdup of a Medford pharmacy has filed a $20 million lawsuit against a doctor, a pharmacy and a drug company."

Since I am not involved in either case, there will be no discussion of the cases' merits.

However, from a risk management point of view, there are a couple of lessons to be (re-)learned.

Lesson One: Plaintiffs always go for "deep pockets" and are encouraged by their lawyers to sue "jointly and severally"; in plain English, sue everyone and hope there's money to be found among the defendants.

Lesson Two: People are not required to protect themselves from adverse events, at least insofar as bringing suit.

In both cases, a smart risk manager will make certain to recommend insurance coverages "in the event of."

An organization need not lose to suffer. The costs to defend can be extremely high.

There also is the image hit; protecting that image also can be costly.

Apparently warning labels and laws are not a defense in the alcoholism action. Translation: organizations must involve their Legal departments in the risk management process, developing ways to assure that the organization has done its "due diligence" to make users of the product aware of any potential hazards.

Bear in mind that the information in this blog entry is just a snippet of the articles. I encourage practitioners to read the articles completely and then to keep in mind these are simply filings. The cases have been neither heard nor decided.


Wednesday, February 1, 2012

ERM-BC-COOP

Who would have thought?

A headline taken from the New York Times (http://www.nytimes.com/2012/02/01/nyregion/hurled-shopping-carts-at-new-york-malls-worry-shoppers.html) closed out Wednesday morning's AdvisenFPN email.

The headline: Shoppers Shaken by Assaults With Carts at City’s Malls tells how shopping carts are "the latest, bizarre weapon of choice" in the New York City area malls.

According to the Times, there have been two recent incidents. In one case, someone allegedly threw a shopping cart from the third floor of a parking garage. In the other case, two 12-year-old boys dropped a shopping cart from a fourth floor walkway.

The Times failed to mention if any arrests were made.

Since we, as risk management practitioners, are unable to control people's anger (in the first instance) or stupidity or meanness in the second, what can we do to avoid a recurrence, if not in the New York venues then in our own areas?

Security guards apparently are not the answer. There were rent-a-cops at both locations. CCTV - closed circuit cameras - also is not the answer; they can capture an image, but the response time, the time between someone thinking an incident may occur and the time someone can respond, is far too long to prevent an incident.

One mall security expert (consultant) told the Times that, based on his 40 years' experience, these two incidents did not indicate a pattern. Attack by shopping cart, he told the newspaper, is rare; in his 40 years as a shopping mall security consultant, he's only heard of a couple of (other) incidents.

Fencing, such as seen now on most Interstate overpasses, particularly in rural areas, is one answer.

It won't prevent fights - which led to the incident in the parking garage - but it will corral flying objects.

Likewise, fencing would have prevented the juveniles from seeing if they could hit passersby with their cart.

Limiting shopping carts to a pick-up point next to the facility entrance works in some areas; this is common in Northern Virginia, but not in most Florida cities. Would it work in New York City or San Francisco?

Obviously, as with most things "risk management," one size does not fit all.

Yet something must be done to protect people and shopping carts as well.

Secondary concern: Image

In addition to protecting people, which always must be the top priority, business owners need to consider both their image - "Attacked by Shopping Cart" makes a great headline - and their insurance coverage. Lawyers for people injured by a shopping cart will go after the property owner and the shopping cart owner. (Strangely enough, most people do NOT think of taking a civil action against the people responsible for the incident; in the New York cases, against the person who threw the cart from the parking garage, and against the parents of the juveniles who "cart bombed" passersby, nearly killing one woman.)

Coverage of the incidents also appeared in "SFGate," the San Francisco Chronicle Web site at http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2012/01/31/MN891N0RCU.DTL.
