Friday, April 27, 2012


Who's corrupt?


According to Infoplease, The United States failed to make the list of the Top Twenty Least Corrupt countries for 2011.

The determination was made by Germany's Transparency International. The Germans define corruption as the abuse of public office for private gain and measures the degree to which corruption is perceived to exist among a country's public officials and politicians. It is a composite index, drawing on 13 different expert and business surveys.

On the other hand, the US also failed to make the Bottom Twenty Most corrupt list. Certainly nothing to write home about.

The lists, if they are at all accurate, tells Enterprise Risk Management practitioners that corruption is a serious threat to the organization.

Since most practitioners lack the expertise to ferret out corruption in an organization, the questions become:

  • To whom does the practitioner turn?
  • Who IS the anti-corruption Subject Matter Expert (SME)?
  • What can be done to prevent or at least discourage corruption?

Several things come to mind, the most important of which is GET TOP MANAGEMENT TO SET AN EXAMPLE and to make clear management's expectation of all personnel.

Sans flag-waving support form the Board Room and Executive Suite, the practitioner's best efforts will be for naught. Very Senior Management must be an enthusiastic example to the troops.

This admonishment is, of course, the standard chorus for all risk management/business continuity activities.

I am embarrassed that the U.S. isn't at the top of the Least Corrupt list, but I predict -looking into my very foggy crystal ball - that the country will do better. The reason for my optimism is the government's increasing enforcement of the Foreign Corrupt Practices Act (FCPA).

Perhaps the threat of Big Brother - or perhaps "Big Uncle (Sam)" - watching will encourage Very Senior Management to do what is necessary for top-down awareness and compliance with national laws in the U.S. and the countries where the organization does business.

If I wrote it, you may quote it.

Longer articles at

Thursday, April 26, 2012


Ripple effect


A New York Times article headlined "With Wal-Mart Claims, Greater Attention on a Law" (see tells how an alleged Wal-Mart bribery-in-Mexico incident in 2005 is costing the retail giant in 2012.

The allegation that Wal-Mart violated the once rarely enforced Foreign Corrupt Practices Act (FCPA) by bribing a Mexican official has, according to Paul Pelletier, a former Justice Department prosecutor who worked on Foreign Corrupt Practices Act investigations, cost the company "billions."

More than that, it has put other organizations on alert that suspected FCPA violations will be the focus of government attorneys.

Pelletier contends that Wal-Mart's loss of "billions in market capitalization over these last few days is going to make companies in close cases more likely to err on the side of promptly self-reporting.”

Making things worse for Wal-Mart is the additional allegation that it "suppressed an internal inquiry into bribery in Mexico in 2005."

Although there are those who will argue that the FCPA should apply only to bribery involving the U.S. government and its contractors, the financial damage to Wal-Mart apparently already has been done.

From a "business continuity" perspective, there is little that a practitioner could do.

I'm not certain even an Enterprise Risk Management practitioner could have done anything more than what probably already was in place, i.e., policies and procedures prohibiting potential FCPA violations. Still, having policies and procedures in place - and known by all who might be in a compromising situation - would give the organization some defense by performing "due diligence."

Wal-Mart's mistake, if it indeed did what is alleged, was trying to cover it up. Shades of Watergate.

FCPA is gaining more attention. I had the pleasure of working for an organization, World Compliance (, that has uncovering FCPA violations as one of its main products.

The World Compliance "take" on the Wal-Mart incident can be read at

While a practitioner may not be able to prevent FCPA violations, the practitioner must assure that the focus of the act is known, and understood, by very senior management. That does not mean that the practitioner needs to present the issue to senior management, but it means that the practitioner should see that the appropriate Subject Matter Experts - in this case, Legal or retained lawyers - include FCPA in their presentations to the Boards and Executive Suites.

If I wrote it, you may quote it.

Longer articles at

Friday, April 20, 2012


Good times are bad times?

Not in scope

The economy's picking up.

The organization has a killer product or service and the competition has been left in the dust.

Things could not be better.

Expect that the organization's business continuity program failed to account for success.

Success as a "disaster?" How can that be?

Success can have the effect of a disaster if the organization can't handle it.

Let's assume - agreed, that's a foolish thing to do - that the organization makes the ubiquitous widget.

The R&D folks have come up with a modification that makes the widget both more efficient and economical for the user. Let's say the "user" is the government and the widget is used on ships. A cutter uses a half dozen widgets, a carrier uses more than 100.

Bottom line, that's a lot of widgets.

Trouble is, the organization is set up to deliver tens of widgets a month; the government wants hundreds of widgets a month.

In order to meet the government requirements, the organization has to

  1. Employ more people to staff the production line, which means

  2. Expand the facility and

  3. Expand the production line which means it must

  4. Expanding the QA/QC operation

  5. Find the funds to do all of the above; are lenders available and willing; how much of the organization will have to be "signed over" to the lenders?

  6. Increase raw materials orders from vendors (can the vendors meet the new requirements?

  7. Train new hires (are clearances needed?)

Of course the above are just the tip of the proverbial iceberg.

Unfortunately, few business continuity practitioners consider good times as a risk. Good times simply are "not in scope."

Enterprise Risk Management practitioners should; good times are within "scope" for them.

Business continuity practitioners "scope" typically includes the obvious, and some not-so-obvious threats to the organization. Fire, flood, empty building events, vendor failures, the ubiquitous computer failure.

Business continuity is for small-minded organizations. Granted, business continuity is one step up from simple IT disaster recovery, but it leaves the organization fragmented into far too many "silos."

Some of the silos may not even be integrated into the organization. As examples, Legal and Public Relations (a/k/a Corporate Communications). These, like payroll, often are jobbed out to vendors working on retainer or on a hourly basis.

Yet Legal, Corporate Comm, Payroll, and all the other "support" functions need to be included in the Enterprise Risk Management program.

Even the crystal ball gazers; those folks who try to predict future needs and what customers may desire down the road. "Futurists."

Should the Enterprise Risk Management practitioner be a "futurist"? A lawyer or even a para-legal? What about a PR mavin?

Asking the practitioner to be an expert in these disciplines is akin to asking the practitioner to be an SME for HR, Production, QA/QC, Shipping/Receiving, or even InfoTech, the latter where expertise is outdated in the blink of an eye.

What the Enterprise Risk Management practitioner must be is a diplomatic "master (or mistress) of ceremonies," someone able to get everyone working together toward the common goal of protecting the organization from all threats. The practitioner needs to keep up with the "threats du jour" and have an interest in all the "silos" of the organization. The practitioner needs a curious mind unbounded by an artificial "business continuity interests" frame. This curiosity needs to be channeled into "What if" questions for all the SMEs with whom the practitioner works.

John Donne's famous quote was true when he penned it. It remains true today, both for individuals and organizations.

If I wrote it, you may quote it.

"No man is an island, entire of itself; every man is a piece of the continent." Meditation XVII: Devotions upon Emergent Occasions

Longer articles at

Thursday, April 19, 2012


"Usual suspects" replaced

Make way for economic turmoil, commodity pricing fluctuations and business/supply chain interruption

Companies in the global industrial and materials industry face three specific global risks: economic turmoil, commodity pricing fluctuations and business interruption, which includes supply chain disruption, according to a new study from Aon.

The new "primary risks" for global industrial and materials industry operations replace the usual suspects: environment, human, and technology.

The new threats also highlight the need for true enterprise risk management, vs. "just" business continuity or "just" disaster recovery.

For the typical business continuity practitioner, economic turmoil, commodity pricing fluctuations typically are "out of scope." These are areas requiring a financial guru's crystal ball. Traditionally, business interruptions, including supply chain disruptions, are within the business continuity practitioner's scope.

The Aon report focuses on "the global industrial and materials industry," but when practitioner's look at what any organization does to justify its existence, all are in one way or another directly or indirectly in a "global industrial and materials industry."

Pick a product or service,. Somewhere along the way to product or service delivery there is an international link. It is a global economy; what happens in Greece impacts Japan, half-a-globe away.

Commodity pricing fluctuations may seem to be a problem for the Fortune organizations, but they impact even a Mom-n-Pop operation, particularly if it makes deliveries. (Have you checked the price at the pump lately? Oil is a commodity, as is the corn that goes into ethanol instead of on the dining room table.)

This all connects back to the threat of supply chain disruption. If the vendor (supplier) cannot

    (a) Make the product because it lacks raw materials (for any reason)

    (b) Deliver the product because it can't afford the transportation

Mom-n-Pop will fail to meet their service level agreements with their customers.

The "usual suspects," while supplanted by the new trio, remain in the wings and must - not should, but "must" - get practitioner and management attention.

OK, so the practitioner is hardly a commodity pricing authority. But the practitioner also is not an authority on HR employment laws nor competitive analysis, but we expect the practitioner to know where to find Subject Matter Experts (SMEs) in these fields.

Likewise, the commodity pricing authority - an SME for the practitioner - also turns to other SMEs for input before predicting the future. Experts in a variety of disciplines, not the least of which is the weather forecaster, are queried by the commodity expert.

The "bottom lines are that

    (a) The only way to protect the organization is with a true, enterprise risk management program

    (b) The risk management practitioner needs to be a Subject Matter Expert in risk management with the ability to ask the right questions of the right people, both inside and outside the organization

    (c) Nothing should be "out-of-scope" for the enterprise risk management program

It should go without saying, but the enterprise risk management sponsor must be a Very Senior Executive or Board member with fiduciary responsibility.

If I wrote it, you may quote it.

Longer articles at

Wednesday, April 18, 2012


Marsh report warns of supply chain dangers


According to new whitepaper published by Marsh, Supply Chain: How Prepared Is Your Organization?, "Many risk managers not adequately familiar with the tools that are available to help mitigate supply chain risk and improve resiliency, including insurance options."

The 12-page report, a PDF document, is online at
lists the "top 10" most expensive events, in terms of property and business interruption insurance claims. The report notes that "The two costliest events of 2011, the Japan earthquake, tsunami, and nuclear event and flooding in Thailand, illustrate how an event in one part of the world can have a significant effect on supply chains globally."

The Marsh report acknowledges the risk management practitioner's plight when it notes that "many organizations today suffer from a “siloed” approach to supply chain risk management." Product leads, procurement, and logistics make strategic decisions about supply chains while (insurance) risk management practitioners tend to address supply chain exposures by focusing on insurance issues such as contingent business interruption (CBI) and contingent extra expense (CEE), the report contends.

There seems, as Solomon wrote, "nothing new under the sun"; most enterprise risk management, and many business continuity, practitioners are painfully aware that one of the biggest risks to an organization is compartmentalization, a/k/a siloing.

Not only are there the usual "turf" issues, but the lack of comprehension of "the big picture" prevents staff from working together for the common good. (Rather like the U.S. congress and government agencies.)

Good practitioners insist that critical vendors have plans to meet their commitments to the organization in the event something goes "bump in the night."

Good, smart practitioners follow the trail from the vendor's door to the organization's door, and make sure the transportation link is protected.

Really good and really smart practitioners consider all vendors, including lenders, as potential risks.

The very best practitioners also, as in "in addition to the above," consider their organizations role as a supplier, either to a wholesaler or retailer or to the final customer. Can the product or service be delivered. The "supply chain" usually doe not stop when the practitioner's organization receives product or service from its vendors.

Insurance - Marsh's business - is important, and this practitioner is a strong believer in bringing in insurance advisors along with other Subject matter Experts (police, fire, etc.) to make certain the organization is as protected as it can be; that threats or avoided or mitigated.

Although I found nothing new in the Marsh report, its presentation of selected statistics can be valuable if Very Senior Management needs to be convinced that compartmentalization is a very real threat to an organization's future.

If I wrote it, you may quote it.

Longer articles at

Monday, April 9, 2012


How many practitioners
to assure a plan is viable?


Quick question: How many practitioners does it take to assure a high degree of likelihood that a plan will succeed when it is needed?

In a "Best Of All Worlds" situation.

By my count, three.

Someone needs to create the plan.

Granted, in some really big organizations, there are multiple people charged with creating a plan for this or that location.

And, granted, that there are folks in functional units - HR, Facilities, IT, etc. - who may write a mini-plan for their unit, hopefully under guidance from the enterprise planner.

But one practitioner is charged with overall plan creation.

Someone needs to vet the plan, to assure the plan is complete.

True, walk-throughs and desktop exercises go a long way to exposing plan deficiencies, but the deficiencies probably will be more obvious to an outside practitioner who has extensive planning experience but no direct connection to the plan to be vetted.

Finally, the plan needs to be audited.

The auditor isn't looking for plan deficiencies. Instead the auditor is looking to assure than what the plan requires can be provided. If the plan assumes something will be in place, the auditor will confirm that the "something" is indeed in place, or the auditor will report that the "something" is missing and due to that, the plan may be in jeopardy.

Depending on the size and dynamics of an organization, the planning practitioner may be either a staff practitioner or a consultant. This person will take up the lion's share of the time and money required to create, vet, and audit the plan.

I would recommend that the person selected to vet the plan be a consultant.

This person must have a wealth of experience, more than the plan developer and more than the auditor.

It's OK if the plan developer and the practitioner selected to vet the plan know each other, but they should not come from the same "stable" (agency). Ideally, they will not have created a plan together in the past. Independent minds are needed.

If the plan developer and the person vetting the plan have a good working relationship, that's wonderful. If this is an adversarial relationship, the process is doomed.

The ideal auditor will have an understanding of business continuity, albeit not necessarily a practitioner's experience. The auditor's function is not the review the plan for deficiencies - that's the vetting practitioner's job. The auditor needs to make certain that the avoidance and mitigation processes agreed to by management are put into place; the auditor needs to confirm that exercises have been held and critiqued, and that the "To Do" list has become the "Was Done" list.

The development practitioner and the vetting practitioner need to work together as "almost peers," with the vetting practitioner being slightly senior.

In the vetting role, the practitioner needs to diplomatically work with the plan developer to "enhance" the plan, to "fill in any holes." The practitioner vetting the plan needs both extensive experience in creating plans and ferreting out risks - to borrow from Star Trek, to go where no (planner) has gone before, and to an equal amount of charm, diplomacy, or "presence" to convince the plan developer to rethink all the threats.

The auditor also should be a master of tact.

Finally,, there needs to be a referee; in most cases, this would be the 800-pound gorilla plan sponsor.

While the sponsor may - and should - agree that the vetting practitioner is correct in the practitioner's assessment, the sponsor may end up ruling for the development practitioner due to any number of reasons, including the organization's ability to implement the vetting practitioner's recommendations.

It may only take two to tango, but I suggest it takes three to fully develop a plan that will survive almost anything.

  1. A practitioner to develop the plan.
  2. A practitioner to vet the plan.
  3. A person with risk management "awareness" to audit the plan.

If I wrote it, you may quote it.

Longer articles at



To the shores of Tripoli


Why is it that piracy still is a threat to both commercial and private ships and boats?

It is so easy to put an end to piracy, if not the pirates themselves.

Legally, according to even the UN's rules.

During World War 2, ships crossed the Atlantic and Pacific oceans in convoys, escorted by naval vessels, primarily U.S. Navy and Coast Guard ships.

The escorts didn't totally eliminate attacks on the merchant ships - submarines took their toll as did a few aircraft - but the losses to other surface ships was greatly minimized.

Today's pirates have neither submarines nor airplanes to sacrifice in kamikaze attacks.

Today's pirates primarily are armed with rocket-launched missiles, heavy (50 caliber) machine guns, and rifles.

They attack using small, relatively fast, maneuverable boats, knowing that with few exceptions, crews on ships either are not armed or if they do have weapons, they are not sufficiently trained to use them effectively.

The pirates capture people and cargo for ransom.

If the US and other countries with a naval presence in pirate-infested waters were to take a leaf out of a World War 2's history book they would once again form convoys.

Gunners on board naval vessels need to be allowed to fire and sink boats approaching them or a ship in the convoy in a threatening manner; this permission to fire is to prevent another USS Cole, the ship attacked by Muslim terrorists working out of Iran.

Use of unmanned aircraft as sentries could alert the convoy to a threat not yet positively identified by shipboard radar. These aircraft need not be sophisticated "spy" planes with radar-deflecting skins. Let the enemy - the pirates - know the aircraft are in the sky, watching for them.

The waters favored by modern pirates are well known to both commercial and military sailors.

Why can't ships be staged at a safe harbor until there are enough for a decent convoy.

Once a convoy is assembled, naval vessels can escort it safely past the pirates. Other ships can assemble and convoy from the opposite direction under their own escort, rather like commuter trains on intra-city buses.

I know a ship not underway is losing revenue for its owners, but it would seem a day or two forming a convoy to avoid being attacked, with possible loss of life and cargo, might offer a good return on investment. Consider it a form of insurance.

I am not a sailor and I don't play one on tv, but it seems to me some frigates armed with conventional weapons having a range greater than the pirates' weapons (I never favor a "fair" fight) would be a pretty convincing argument for the pirates to find another occupation.. Another point to consider - pirates - like Hamas, Hezbollah, and other terrorists - are not military personnel, they don't wear uniforms, and they do not qualify, when captured, as prisoners of war with Geneva Convention rights.

If I wrote it, you may quote it.

Longer articles at

Thursday, April 5, 2012


Weather, weather everywhere . . .


  • The deadliest weather disasters are droughts followed by famines.
  • During 2011, 820 natural catastrophes were documented around the world, resulting in 27,000 deaths and $380 billion in economic losses

In a Western Farm Press article titled, Droughts reign as deadliest weather disasters, "During 2011, 820 natural catastrophes were documented around the world, resulting in 27,000 deaths and $380 billion in economic losses, according to data compiled by Munich Reinsurance Company and analyzed in the Worldwatch Institute's Vital Signs series. The number of natural catastrophes was down 15 percent from 2010 but was above the annual average of 790 events between 2001 and 2010, and considerably above the annual average of 630 events between 1981 and 2010."

The report continues that "The deadliest weather disasters are droughts followed by famines, particularly in Africa. From October 2010 to September 2011, a severe drought in the Horn of Africa caused widespread famine and large-scale migratory movements, particularly in Somalia and Kenya. Around 80 percent of the livestock of Somalia's nomadic population died, some 13 million people required humanitarian aid, and an estimated 50,000 people lost their lives. But because human agency played a large role in this catastrophe, it was not included in the analysis of 2011 natural disasters."

In face of all the negative news, an AFP World News story headlined US forecasters see drop in 2012 Atlantic hurricanes informs that "The number of 2012 Atlantic hurricanes will be below average this season due to a cooling of tropical waters and the potential development of El Nino conditions, US forecasters said Wednesday.

"The Colorado State University forecast team predicted 10 named storms during the hurricane season from June 1 to November 30.

"Four of the storms are expected to achieve hurricane strength and two of those are expected to be major hurricanes, with sustained winds of 111 miles (178 kilometers) per hour or greater."

Monday, April 2, 2012


Outsourcing management


There is an interesting discussion on one of the LinkedIn groups about "Outsourcing."

The question was asked: "How can I prepare for missing key personnel in a small company?"

My take on the question is at - Outsource.

But then some one asked "Outsource management?"

It seems to me if ANY positions are to be outsourced, management should be at the top of the list.

Am I crazy? Never mind; that's a rhetorical question.

Consider that most Very Senior Management is far removed from day-to-day, in the-trenches, operations. Unless the organization is very small, does anyone really expect the company president to now how to weld a joint or operate a lathe? Maybe at one time, before CAD/CAM was introduced, but today? Not likely.

Would the Senior VP know how to keep the books to satisfy a CPA's audit? Why? That's why the company has bookkeepers.

Hopefully Functional Unit managers can function in a hands-on role, but does anyone really expect Top Management to work on the production line?

    To be fair, I have to note that "All generalities are lies." There ARE some Very Senior Managers - usually owners of the company - who CAN and often do enjoy keeping their hands in the business. They are few and far between, but they exist.
Think of all the Very Senior Executives who move from industry to industry. Robert Townsend was a good example. He was, according to his Wikipedia bio (
  • An officer in the United States Navy
  • Senior vice president for investment and international banking at American Express
  • CEO of Avis
  • A senior partner of Congressional Monitor
  • Chairman of the executive committee of Leadership Directories, Inc.
He also managed to write one of my favorite management books: "Up the Organization."

Granted while there ARE "specialty" MBAs, the majority of MBAs are of the generic variety. They teach management - otherwise known as How to get the most out of the throw-away human resource. They do not teach how to do production or sales work, profit center work.

Admittedly, most small organizations are managed by people who have a concept of what the organization is all about, but I would suggest that organizations run by MBAs might be well-served by "outsourcing" the positions. Who knows what a fresh take on the business might bring. Yes, there are two sides to that coin.

There is a problem with outsourcing management: How much does permanent management want the temporary managers to know about the organization and its product, it finances, its personnel?

Outsource IT. Probably, as long as the temporaries are supervised by a permanent IT person.

Outsource payroll? It probably already is outsourced, perhaps along with accounting.

Outsource production and sales - that might prove difficult.

Outsource management - now that's worth considering.

If I wrote it, you may quote it.

Longer articles at