Friday, August 17, 2012


Best laid plans


An article by Aliya Sternstein titled Agencies don’t often share tips on potential terrorist activity on the Nextgov Web site (see complains that "Nearly half of federal agencies are not sharing documented incidents of potential terrorist activity with U.S. intelligence centers, according to officials in the Office of the Director of National Intelligence."

Hardly encouraging.

But reading on, there are three paragraphs that suggests high level planning that failed to consider lower-level considerations.

"One problem with shuttling reports to fusion centers is officers in the field, even years after the program’s inception, lack training in how to create the proper records, said Paul Wormeli, Integrated Justice Information Systems Institute executive director emeritus and a consultant on the project. “Some agencies still just rely on the old manual system of getting tips from the public over the telephone, which is insufficient,” he said.

In addition, it takes time and money to tweak police software so that it works with the system supporting the information exchanges, Wormeli said. And turf wars sometimes get in the way of progress.

“This is a serious problem because unless we are able to convince all the local agencies to participate and to submit their SARs to the fusion center, we create the very real possibility that we will miss detecting the next Mohammed Atta who goes around taking flying lessons and passing up on the lecture of how to land his aircraft,” he said.

How does this relate to enterprise risk management?


A fiat from on high. "You will implement ABC."

At the bottom, the responses are:

  • We don't have the resources

  • We don't have the training

  • We don't have the time

This is similar to the complaints of municipalities to the state and the states to the federal government: You burden us with a law, but fail to provide resources, funding, and training.

One of the risk management practitioner's many duties that rarely appear in the job description is "develop cross-silo communication"; get everyone involved.

Risk management, correctly practiced, is an all-encompassing program.

It requires, again, "if properly practiced," that management fully understand the impact on the troops of that fiat from on high.

Telling, as the Feds apparently did, different federal, state, and municipal agencies that they must send reports of suspicious activity to a data center - what the Feds are calling fusion centers - is fine, but based on the Nextgov article, the information gatherers

  • Lacked the resources

  • Lacked the training (what to submit)

  • Lacked the time to acquire resources and be trained to use them

Practitioners usually start a Business Impact and Risk Analysis with a questionnaire.

    What are the critical processes.

    What are the risks to the processes (this identifies resources).

    What are the work-arounds if a resource is not available.

Eventually the practitioner gets around to making recommendations on how to respond to a threat if it occurs.

At that point, the practitioner should work from the bottom (folks in the trenches) up (to management).

The folks in the trenches usually have the best information on tools to avoid or mitigate a threat and to restore the process to "business as usual" as economically, efficiently, and expeditiously as possible. They also know what they need regarding

  • Resources

  • Training

  • Time to implement resources and training

Sadly, providing all the resources, training, and time won't do much good until the sundry agencies get over their turf wars and start treating all members of the "intelligence" community as equal partners, each with their own value and resources.

Hopefully this cooperation will occur before the next threat become reality.

Thursday, August 16, 2012


Black swan?


I have an acquaintance who is a business continuity practitioner for a government office.

Which government office and where that office is located is not important.

The practitioner is charged with business continuity for all government entities.

One of the entities is responsible for environmental matters.

My acquaintenance has no direct control of this entity, but as the business continuity for the general government she has an interest in each entities' survivability, and that includes public image.

If you think government bodies can ignore their image, think again.

  • They need to project a "helpful" image to generate public support.

  • They need to project a "useful" image to continue to receive tax money.

  • They need to project a "well managed" image so secretaries, directors, and mid-level managers can keep their jobs and pensions.

  • Government bodies at all levels are image conscious.

Recently a private company in the practitioner's bailiwick caused an environmental faux pas. It allowed pollution of the neighbors' skies and waters.

Naturally the neighbors took umbrage at the invasion of unwanted poisons.


Private company is alleged to have committed an environmental crime.

The neighbors whose properties were inundated with the company's poisons are up in arms.

Why, the neighbors are asking, did the environmental agency charged with protecting the environment allow the incident to occur. Good question. Valid question.

For practitioners, the questions is: Should my acquaintance have considered this in the government's business continuity - COOP, if you prefer - plan?

Perhaps as importantly, someone should ask: Was "image" even within the business continuity plan's scope - for the overall government and for the individual operations?

Is it a problem for a practitioner at the Chief Executive level if something goes "bump in the night" at one of the many lower-level organizations (i.e., environmental agency)? Shouldn't each agency have its own business continuity planner? (Ah, that it were so; we'd all be gainfully engaged.)

I don't believe in black swans - the unexpected. If enough people are involved in a risk management program - and I generally recommend "all hands" - and given an opportunity to think "outside the box" and offer "off the wall" comments about potential risks and the ways to avoid or mitigate them, then all the black swans fade, if not to white, then at least grey.

If there is one practitioner for the entire government, that practitioner should be given carte blanche to create a program for the entire government.

That does not mean that the practitioner needs to be a lone wolf, the sole practitioner for the government. Perhaps my acquaintance should manage (ideally) practitioners at each government organization to assure consistency of plans and integration into a government-wide program or (alternatively) could mentor and manage non-practitioners who would represent my acquaintance's office at each organization.

But, back to the main questions:

  • Should my acquaintance's program have included the image risk to the environmental agency?

  • Did my acquaintance have a mandate to consider this risk?

  • Should my acquaintance promote an all-organizations-inclusive risk management program?

Thursday, August 2, 2012


Climate as risk management concern?


A headline in the San Jose Mercury News reads:

California prepares for harsh realities of changing climate

The next-to-leed cq paragraph reads:

A series of state-sponsored scientific studies released Tuesday warns that California can expect more scorching heat waves, severe and damaging wildfires, emergency room visits and strain on the electric grid as the Earth continues to warm and sea levels rise along the state's 1,100-mile long coast

Risk management practitioners, a/k/a business continuity practitioners, normally consider severe weather conditions as recognized threats to "business as usual."

Most of us, however, fail to crystal ball gaze to try an predict what our clients will be facing 10 or 20 years in the future. The question is: Should we (look far into the future for our clients)?

My answer is a definite "Maybe."

In the U.S., too many "long-range" business plans end after 5 years; some don't even make it that long. Given that, I suggest that practitioners limit serious risk concerns to the length of the long-range business plan.

That does not, however, mean to ignore scientifically-based environmental predictions.

For many years the standing joke has been to "buy property in Nevada; it will soon be oceanfront property" due to the frequency of earthquakes in California. That may eventually happen, but it is not likely to happen during any current long-range plans.

Lack of water is a problem that may be closer than we realize.


  • the source of the state's water
  • the population growth in the state in general and in the "south of San Francisco" area specifically; even more specifically the Los Angeles and south (San Diego) area
  • climatic concerns, i.e., global warming

Similar concerns apply to Florida. South Florida's primary water supply comes, via canals, from Lake Okeechobee in the central part of the state.

Another concern listed in the Mercury News article was electricity; specifically the competition for available resources.

"Higher temperatures in the next decade means that far more of the state's 37 million people will depend on air conditioning--increasing demand for electricity by up to 1 gigawatt during hot summer months. One gigawatt is roughly the size of two coal-fired power plants and is enough energy to power 750,000 homes" the article states.

Even if the state permits additional power plants to be built and brought on line, the process is complicated and takes years from concept to completion. Add to this the environmental battles again almost all generating plant types - coal, oil, gas, nuclear, and the natural resources - besides fuel - needed for their operation (e.g., nearby water supply). While California has some hills in the north and to the east, the possibility of water-powered turbines is very limited; more so in flat Florida.

To be fair, both states could - if technology ever develops - take advantage of wave-generated power. Water could be provided - if efficiencies ever emerge - from desalinization. Today, neither technology is economically feasible on a mass scale.

If, then, the risk management is to consider potential risks beyond the "immediate" future - 5 years maximum - should the risks' equally potential mitigating factors also be considered?


While "maybe?"

Because most of the potential mitigating factors are beyond the control of the organization; they are within the realm of government.

For all that, it behooves the practitioner to do at least a little research on what might confront the organization in the near - and perhaps not-so-near - future.

Is it wise to build a second facility near the first, or would a distant venue with other environmental concerns be in order? (That is not a given.)

Something to consider.