Tuesday, July 31, 2012

ERM-BC-COOP:

Even theaters (and theatres) need a plan



The shooting rampage at a screening of "The Dark Knight Rises" in Colorado early Friday left theater owners and police scrambling to figure out how to beef up security for patrons as the movie opened in more than 4,000 theaters nationwide.

'Dark Knight' shooting leaves theaters scrambling to address security concerns (LA Times http://tinyurl.com/cucs3fd)

A media representative for Cinemark (the company that owns the theater) was unavailable to comment on last night’s violent outburst or on what measures the theater operator will take to ensure security going forward. Cinemark released a statement that it was "deeply saddened about this tragic incident."

'Dark Knight Rises' shooting raises security concerns (Pittsburgh Business Times http://tinyurl.com/bwscd7a)

The disaster in Aurora, CO, was not the first attack on an entertainment venue.

Not the first in the U.S. and not the first elsewhere in the world.

In other words, the attack was not a "black swan." It might be an ostrich since apparently people who run theaters and theatres and other such venues have acted like the proverbial ostrich and buried their heads in the sand to avoid the unpleasant possibility of a disaster occurring.

Why don't such places have risk management plans?

Could a risk management plan have prevented, or even mitigated, the event in Aurora?

What could have been done and at what cost both to the owner of the facility and to the customers?

Perhaps the first thing to consider is what made this night different from all other nights?

In a word, costumes. People came dressed - and masked - as characters from the film.

The "Dark Knight Rises" is but one of several fantasy flicks that draw costumed clients. Star Trek and Star Wars films also bring out the costumes; I'm certain there are others. (Would anyone really dress up as the Creature from the Black Lagoon? Probably.)

The bottom line for theater owners is that costumed customers are a recurring threat.

People who own or manage entertainment venues need to have risk plans in place for a multitude of possibilities - everything from a power failure to a fire or other occurrence requiring quick evacuation of the premises - including how to notify the "house" without causing panic.

Someone "going postal" and wildly firing into a mass of people should be easier to prevent. Check for weapons at the door.

Given the draw of a "Dark Knight Rises," the cost of a metal detector borrowed from the local airport or extra ushers with metal detecting wands - with armed police in the near vicinity - would seem a reasonable expense. The mere presence of these tools probably would deter all but the most determined shooter - or bomber.

True, it is a "sad state of affairs" to have to install metal detectors at the door of an entertainment venue, but it is a state of affairs we have reached and one we as risk management practitioners must recommend.

What happened at the movie house in Aurora could have happened anywhere.

In a church, mosque, synagogue, or other place of worship.

In a stadium or other sports venue.

At a school, particularly at any event where students congregate.

At a concert hall.

At Times Square on New Year's Eve.

And of course at the "ubiquitous other" location not listed above.

No place where masses of people congregate can be excluded from the possibilities.

As risk management practitioners we need to consider all the probabilities:

Why an attack - what is there that could prompt someone to "go off the deep end"?

What weapon(s) would be used - what is commonly available locally and what can a person with Internet access learn to do with it; the Murrah Building was brought down by a simple, albeit huge, made-in-a-garage bomb.

What can be done to detect potential weapons?

How far in advance of an event should security be ramped up - is one day enough?

Then there is the response should the threat materialize, with protecting the innocent the first priority.

Creating a risk management program for an entertainment venue is basically the same as creating a program for any organization. The risks and response may be unique to the organization, but the approach to the program will be the same.

It's time that owners and managers of entertainment venues realized they, too, need a risk management plan and all the things (training, exercises) that go with it.

If I wrote it, you may quote it.




Tuesday, July 17, 2012

ERM-BCP-COOP:

The trouble with standards


The Disaster Recovery Journal Summer issue's lead article, ISO 22301: The New Standard, tells practitioners about the latest and greatest "standard" for business continuity.

The article, written by John A. DiMaria (CSSBB, HISP, MHISP, AMBCI), a British Standards Institute (BSI) Group America product manager, tells us that the new ISO document replaces the BSI's BS 25999-series "standards" and requires recompliance to the new "standard."

As an afterthought, the author notes that the (few) organizations involved with PS-PREP need to wait until the new "standard" is accepted by the U.S. Department of Homeland Security (DHS) before it is acceptable for PS-PREP compliance. Meanwhile, both ANSI and NFPA approved standards remain in force for PS-PREP.

So what is the problem - more accurately, what ARE the problems - with "standards," especially those emanating from the UK?

Expectations of standards organizations

Standards organizations, in particular BSI and ISO, typically consider their efforts to be The Final Word on any given topic and that all practitioners of that topic must comply with the standard as written.

Some standards organizations promote their efforts outside the relevant profession or trade to pressure practitioners to develop their work to a particular standard. Not knowing what the practitioner is about does not stop some proposal writer from requiring "expertise with <pick a standard>."

Mentality

I have followed international lists and forums for a number of years. Over those years I have come to the conclusion that U.S. and UK thinking often are at odds.

U.S. practitioners, at least the ones I know and respect, emphasize threat management - implementing avoidance or mitigation measures. Some UK practitioners - albeit certainly not all UK practitioners - almost completely ignore threat avoidance and mitigation.
Threat management was absent from the first iteration of British Standard 25999. Threat management eventually did creep into the British Standard before the final release.

To be fair, we have some folks in the U.S. who have their heads as firmly in the sand as the British Air practitioner who told me that the Gate Gourmet fiasco and associated LHR baggage handler strikes could not have been avoided.

Rigidity - real or imagined

Some practitioners, and some clients, will buy the "standard" and rigidly try to adhere to every word. Standards must be "interpreted" in light of each specific instance. Parts may apply in some cases; parts may not apply in some others, and parts may apply "with modification" to still others.

An experienced practitioner knows when to apply what. The problem for the experienced practitioner may be diplomatically convincing the client that a particular section of the standard needs to be adjusted or ignored.

Constant change to what purpose

I sometimes think, and at other times I am convinced, that some "standards" organizations really are in the publishing business.

Most standards sell in the hundreds of dollars range. ISO 22301 sells for £100 at the BSI Group Web site. £100 equals about US$155, €127, and ₪622.

Cost

In addition to the costs listed above, there also can be training costs. An organization called CIMA offered an ISO 22301 course with a US$100 discount for early sign-up. The actual price of the course never was listed, but the course did require an "ISO 22301 Introduction Course plus practice experience as a prerequisite." The PECB organization offers a similar course, again sans any pricing information. While the post-course exam fees are included in the cost of the course, PECB will sell exams - three levels - separately. Again, no pricing available.

Check-the-box for tyros

Based on queries I see on sundry "professional" forums and groups, I am confident that many "certified" practitioners know little or nothing about the process they pretend to perform.

These people are the same people who will use a "standard" as a check list - the standard requires this, so this will be done; perhaps not to the minimum level of expertise expected by the client, or perhaps even when a particular paragraph of a standard is totally inappropriate for the client.

Who will buy ISO 22301?

Consultancy shops, especially those with deep pockets clients, will jump on the latest and greatest "standard" to sell updates or "improvements" to their clients who recently bought plans aligned with the then-latest-and-greatest standard.

Can anything good be said for standards?

There IS much to be said for standardization as a GUIDELINE, a check list of things to consider for inclusion within a plan or program.

Standards never should be used as a "crutch" by a novice and the check list must not become a "check the box" exercise. A better term for what I think practitioners should consider is a "GUIDE": a prompt along the lines of "Does/Did the plan/program consider:" followed by a generic list, in a logical order, or perhaps columns (pick one from Column A and two from Column B and ...).

The bottom line for this practitioner is not to be forced to shoehorn square pegs into round holes.

Standards are OK as a starting point, but to blindly follow one as a "hard and fast" rule is, at least in risk management, foolish for the practitioner and dangerous for the client.

For the record "Client" may be an external client for a consultant or an internal client for a "captive" or staff practitioner.


Sunday, July 1, 2012

ERM-BC-COOP

It isn't BC, but . . .



For some reason several "If only the BC practitioner had been involved" events came to mind the other day.

They weren't Big Catastrophes for which plans had been made and mitigation options put into place. They were more of the "if only someone had considered" or, in one case, "if only the engineer had listened" variety.

Location, location, location

A company in Florida moved its facility from one site to a new site.

In her wisdom, the Project Manager included business continuity in her plans.

Unfortunately, the company lacked the same foresight.

The land it bought was in a flood plain.

Were that not bad enough, it put its core business on the first floor of a three-story building. The logic was that visitors to the facility could view the operation through a huge glass wall.

Impressive, but given Florida's June-to-November weather threats, not particularly wise.

Those darn cables - Part 1

This organization made computer equipment.

One system was bench tested and proved a keeper, a real marketable item.

When it came time to assemble everything into a standard 19-inch cabinet the engineers discovered that they failed to allow space for power and communications (ribbon) cables.

Back to the drawing boards; all because someone failed to consider wiring.

Those darn cables - Part 2

Another organization made a top-of-the-line SMDR device, complete with 9-inch reel-to-reel tape deck.

The "brains" of the machine were stored on a pull-out shelf beneath the tape deck.

At the time I was a tech writer documenting the device. As such, I pulled out the shelf and, in the process and unbeknownst to me, tore a flat cable from its connector. When I was done documenting the connections, I returned the shelf to its position.

The next day the Product Manager tried to demo the unit and it failed. We discovered the problem: a flat cable that was a couple of inches too short to allow access to the equipment on the shelf. A longer cable was ordered and the product was fully operational.

(Tech writers can be both trouble and trouble-shooters.)

Top heavy

A PBX manufacturer, to avoid heat problems from the unit's power supply, mounted the power supply on top of the PBX.

It worked fine and heat dissipation problems were eliminated.

Problem was, when the PBX was trucked to a customer, it had a tendency to tip over, damaging the unit. After two or three instances, the company got wise and made certain the units were secured in an upright position before the truck left the loading dock.

Flattened pins

Another PBX company had a great single-shelf system.

Our first customer for this system was a Big Name in Telephony distributor.

When the switch got to the customer site and the distributor's tech hung the unit, it didn't work.

"Send a new unit. And send the tech writer with it." Why me? I was not a technician, although I did document the system, so ...

The replacement system and I boarded a plane. I got off at the destination; the replacement unit continued on to the airline's Texas hub. (I won't mention the airline's name, but it was not Southwest.)

When the unit came back the next day it was hung with the same results. Panic.

I called back to tech support and explained the problem and what the distributor's tech had done. (He was well trained and knew PBXs.) Talking to several company techs we decided that the unit's backplane had bent pins, preventing a connection with the plug-in cards.

Send a new backplane and this time ship it standing upright (rather than lying flat on its pins).

The new backplane arrived with pins intact, was installed, and the switch was operational.

Only one problem remained: The operator console was inoperable. I traced the cable from the switch to the console and discovered a different installer had stapled the cable to a wall - and the staple went through the cable. Remove staple; console worked.

Ground - Part 1

A company for which I briefly worked made telecom add-on units.

It rolled out a new unit that I documented.

I noticed that the unit lacked a system ground. I mentioned this to the Chief Engineer who, thinking what can a tech writer know, dismissed my concerns out of hand.

A trainer was showing off the system to some potential buyers. As he bent close to the groundless system, it arced from the power supply to the trainer's metal-framed glasses. Fortunately no one was injured, but the box DID get a system ground . . . and I was terminated.

Ground, Part 2

Avoiding the next problem would require a building's plumbing schematic, not normally a requirement for an installer.

According to the tech manual, the installer was to connect a #6 wire from the machine's system ground to either a stake or a cold water pipe. Since it usually was easier to connect to the pipe, most techs used that option.

In one case, the machine was "flaky"; it would go on and off without any obvious reason.

The tech we sent to resolve the issue was an old pro. He tried this; he tried that. Nothing. Finally, he decided to check the ground.

System ground to cold water pipe: OK.

But, being smart, he traced the metal cold water pipe to where it went underground.

The "Ah Ha" moment came when he saw that the metal pipe terminated at a PVC coupling and it was PVC that went into the ground, negating any value the metal cold water pipe might have as a ground.

The tech drove a spike into the ground and terminated the system ground there. No more "flaky" system.

Learning process

As a tech writer, even an experienced tech writer, I lacked knowledge only experience brings. Most of the knowledge was "general" knowledge; knowledge that I applied across products: telephone gear, computers, etc. As I documented equipment and systems, and got to know many - but hardly all - the things that can go bump in the night, I added to my troubleshooting tables. (I did stop suggesting to Big Buck Engineers that a system ground was worth consideration. If UL couldn't convince the gentleman, how could a "mere" tech writer?)

Tech writers and risk management practitioners are some of the few people outside of the Executive Suite who know almost all of an organization's operations. Perhaps not to the last red cent, but "in general."