Sunday, January 29, 2012


Value of sharing


I've been in this business for a tad more than 15 years.

I'm pretty good at what I do and I think, when I consider threats to an organization, I identify most of them.

But sometimes things either get "missed" or are given less attention than they deserve.

For example, one of my acquaintances opened a discussion regarding what is needed "post-event." I think his focus is on the financial aspects.

Normally I recommend that organizations have business interruption insurance. At the same time, I tell people that it is critical that careful records are maintained so the insurer will pay a fair amount.

I also recommend that an organization have either a good size contingency fund available or a line of credit at several financial institutions - lenders do fail so organizations need to "double up" - or, better, have a contingency fund AND lines of credit.

I read all too often on AdvisenFPN - an insurance industry publication - that this or that organization is having to sue an insurer to collect on a policy. Even if the insured wins, the time between disaster event and payment can extend for more than a year. Lack of funds can put an organization out of business before the insurer pays up.

Beyond insurance, contingency fund, and lines of credit, what are things to consider "post event"?

A few include:

  • Personnel - Are personnel available to (a) maintain the operation and (b) restore the organization to "business as usual"?

  • Policies & Procedures - Overtime, travel, expenses, R&R, maximum time on job, more . . .

  • Property - Is there an alternate site (if needed) and are staff willing to travel to it? Who can evaluate the property for damage, estimate repair or replacement costs, deal with the property insurance company; what about perimeter security?

  • Purchases - (Something I learned from my acquaintance's thread) Are there special, event-related account numbers to track related (insured?, tax deductible?) expenses?

My mantra has for years been "You can't create a viable plan in a vacuum."

Being able to share thoughts with other practitioners - both tyros and "old hands" - is one way to avoid a vacuum.

There is one caveat, however. Professional exchanges must be EXCHANGES; they cannot be one sided where I give and you take without any input. Everyone - without exception - has something to contribute.

No one practitioner can think of everything in every instance, but we can protect our clients, be they internal or external, by networking.

Longer articles at

If I wrote it, you may quote it.

Wednesday, January 25, 2012


Certifiers as teachers?


The other day a fellow commented on a LinkedIn group thread titled "Why has BCM not opened its doors to mental health?" that he believes "BC practitioner training (should) include a 'health' component. I don't see the BCI doing this any time soon, which is why I left in 2010!"

So the question: Should a certifying company - The BCI, DRII - teach every aspect of business continuity?

Over the years I have created risk lists, and while all lists include HR issues, none specifically list "mental health."

When I create a risk management plan, I include employee mental health, but not usually in conjunction with a mentally traumatic event - say someone "going postal" or loss of job. My concerns typically are for personnel having to work at alternate sites.

Perhaps I have been remiss.

But that doesn't address the question: "Should a certifying company - The BCI, DRII - teach every aspect of business continuity?"

Actually, perhaps the question ought to be: "Should the certifying business teach anything other than the basic process?"

What, after all, is the function of such a business - and let's be honest, unless the certifying body is giving away certification based on XYZ qualifications, it is a business and the business is selling certification and prep courses to pass qualifying examinations.

From what I know about the prep courses, the material is (a) generic and (b) heavy on buzz words, phrases, and alphabet soup - all great for intra-planner chat, but useless when trying to sell risk management or business continuity to a non-practitioner.

Should the certifiers list all the possible threats?

I don't think that's possible. The list would go on and on and . . .

Human Resources (HR) - a/k/a Personnel - would have a lengthy list all by itself.

I confess that although I have on a number of occasions written about mental trauma I can't write that I make it a specific item on my threat list; maybe I will.

But I don't think it's the job of a certifying company to "teach" any specifics.

Risk management and business continuity (the difference is the scope) require practitioners who THINK, preferably "outside the box." They also require that practitioners be willing to share their plans with their peers for comment. My philosophy is that no plan should be created in a vacuum; planning in a vacuum guarantees failure when the plan is most needed.

There is another reason why I don't think certifying companies should teach specifics - a threat list opens the door to the temptation to "check the boxes." That's the failure of most software packages; pseudo-practitioners "assume" that everything is covered by the check list or application and, like kids armed with calculators, the "planner" becomes dependent on external resources and lets the brain atrophy.

The poster left The BCI because he felt it should teach business continuity specifics.

That never should have been the reason to buy certification in the first place.


Monday, January 23, 2012


Virtualization is NOT "business continuity"

The king's new clothes


Excuse me for failing "Political Correctness 101," but I'm a tad upset reading emails and headlines telling me data protection and virtualization are "business continuity."

I will concede that disaster recovery, and all its tools, is critical to a true business continuity plan.

But IT by itself, unless it is the organization's profit center, is not the "business."

It is not even the business' most critical resource. *

I'm looking at a Web site that informs me the company - which for its own protection shall remain anonymous - shouts in 16 point Helvetica that it provides, quote, True Business Continuity and BDR Solutions, end quote. What it DOES provide is - and again I quote - Simple On- and Off-Site Backup, Virtualization in the Cloud, and On Site and Award-Winning Technology with Instant Virtualization.

I see nothing about protecting any business functions.

I was driven to this site by a sales rep for another company that, according to the rep, offers an "end-to-end business continuity solution" to IT Service Providers. I went to the company's URL and - to the company's credit - failed to find the magic words "business continuity" among the offered product "solutions." Backup and recovery, yes. Monitoring systems, yes. But business continuity, no.

Unfortunately, neither the sales rep nor the content writers for the site he recommended apparently have any conception of true business continuity.

Gregg Jacobsen, with whom I shared the sales rep's email, wondered "What do they recommend to protect the revenue stream and market share for their client if the factory catches fire?"

I think Mr. Jacobsen's question nicely sums up the difference between what the sales rep was promoting and the purpose of business continuity.

I have nothing against either the sales rep or any organization that peddles IT products and services.

But calling disaster recovery - or even "resiliency" - "business continuity" does no one any good.

The gullible executive - and I've met some - may BELIEVE what is on the table is a business continuity contract, but when the gullible exec is up that proverbial creek sans a means of propulsion, someone will realize that what our executive thought was "business continuity" in no way helps the business continue to stay in business.

Assume, if you will, that an event occurs at the facility - let's take Mr. Jacobsen's fire.

Let's further assume that the organization has all its data safely stored in a cloud for near-instant recovery.

That's wonderful, but if no one can access and use the data, of what value is it?

Perhaps if the cloud is accessible by staff working at alternate sites, but if we can make another assumption, no one considered an alternate site or virtual office options; the organization had, after all, a "business continuity" plan - a Web site said so.

If there was a fire in the facility, let it happen when the place was empty. The cloud "business continuity" plan lacks any information about evacuation and assembly, hopefully out of the way of flying debris and arriving fire department vehicles.

Even the folks behind the data center doors are on their own. The data is protected, but not the people manning the machines to transfer data to the cloud - or tape or the backup option du jour. THAT information would have been in an honest business continuity plan; it's not found in a cloud plan, no matter what it's called.

I think the only thing worse than calling an IT DR plan a "business continuity" plan is having a plan cobbled together by a novice armed with a template and check list.

At least with the cloud "business continuity" plan, most people can see the plan really is what it is - the king's new clothes. It is a plan to store data. Period. It has nothing to do with profit centers or non-data resources.

The novice's plan, on the other hand, looks like a real business continuity plan and even though it probably is lacking more than it contains, it is a plan. If it ever is exercised someone might discover its deficiencies, but often when a person is plucked from their daily routine and dubbed "Official Business Continuity Planner" sans any relevant training, management has little intention of doing anything more with the plan than letting it gather dust on the shelf. For all that, having a plan gives a - in this case, false - sense of security.

Business continuity, properly practiced, can greatly enhance an organization's "survivability" in case of an event.

Business continuity that translates into "storing data in the cloud" is NOT business continuity, properly practiced or not.

It is an insult to the profession.


* People are an organization's most critical resource. If you don't believe me, try and run a business without staff and customers.


Sunday, January 22, 2012


When "BC" is "DR"

a/k/a "The Name Game"


I got an email the other day announcing "24 NEW BC/DR Openings Just Posted."

Since I will entertain offers of employment, I followed the link in the email and found the following. (The advertiser's name and contact information are removed.)

  • Business Continuity Management (BCM) Manager – Consultant– FTE/Permanent (local candidates. No relo). Candidates must have (either) previous 3rd party Big 5 consulting experience or with a technology consulting organization will be considered.

    Note there is no minimum experience requirement. Degree yes; experience, not necessarily. Also no certification requirement.

  • Consultant – Enterprise Resiliency – Multiple Positions!!! No Relo Assistance. Candidates must have 2+ years in business continuity, IT resiliency or risk management coupled with a Bachelor’s Degree. Candidates must have (either) previous 3rd party Big 5 consulting experience or with a technology consulting organization will be considered.

    The term "resiliency" instantly gives this posting away as an IT DR gig. Note the "2+ years" minimum experience requirement. Degree yes; experience, not necessarily. Also no certification requirement.

  • Senior Consultant – Enterprise Resiliency – Multiple Positions!!! No Relo Assistance. Candidates must have 5+ years in business continuity, IT resiliency or risk management coupled with a Bachelor’s Degree. Candidates must have (either) previous 3rd party Big 5 consulting experience or with a technology consulting organization will be considered.

    OK, "resiliency" tells us the job is IT DR, but at least a "senior" consultant has to have at least 5 years' experience. No certification necessary.

  • Business Leader, Global Business Continuity - Strong IT Architecture Experience No relo assistance. The client is seeking a candidate who has previous experience working within a data center operations environment. Experience with highly resilient Infrastructure environments is a primary requirement for this position. Financial industry experience is highly preferred.

    We're told right at the beginning that the candidate has to have "strong IT architecture experience." This is followed by a qualification that the candidate has "previous experience working within a data center operations environment."

  • Engineer - IT Disaster Recovery No relo assistance. Experience with highly resilient Infrastructure environments across many platforms is a primary requirement for this position. Financial or high transaction based industry experience within a large enterprise environment is crucial.

    Bravo! No game playing here; the client wants a DR person.

  • Senior Disaster Recovery Specialist FTE/Permanent.- No relo. Non-local candidates encouraged to apply.

    OK, this job also tells it like it is; the only problem is that the candidate pool is strictly local to the advertiser; better candidates who live outside the area need not apply. I hope the advertiser's pool is Olympic size.

  • Head of Business Continuity Management - Bachelors degree required, Graduate degree highly preferred. Successful candidate must have proven previous experience as Senior Managing Director or Global BC Head for large enterprise.

    True BC. The question is, since a degree is required but no experience, will this person (attempt to) manage experienced practitioners or will the successful candidate find - as is frequently the case - that there are no direct reports; that the manager also is the practitioner.

  • Disaster Recovery Manager Senior – FTE/Permanent (#2412) – Minneapolis, MN. Relo assistance provided. Experience with highly resilient Infrastructure environments is a primary requirement for this position. Must have recent experience designing high availability solutions within multiple platforms within a large IT enterprise environment. Banking industry experience is highly preferred.

    Once again, the title tells it like it is; DR.

The reason the advertiser's name was omitted is because the misuse of the term "business continuity" is all too common. "Business continuity" jobs must seem more "glamorous" than plain ol' DR.

In what I suspect was an attempt to make DR sexy, one of the Big Name organizations dreamed up "resiliency" as DR's nom du jour. The word has been around, according to Merriam-Webster Online, since 1836, but M-W fails to define it. My Webster's unabridged lists "resiliency" as a variation on the word "resilient" dating back to 1620-1630.

Given that "resilient" means to "bounce back" or recover from something, that still doesn't equate it to "business continuity" and certainly not "risk management."

I don't know if recruiters deliberately miscategorize jobs or if the titles are supplied by clients.

I do know that a recruiter dare not suggest to a client that the requirements should be revisited; even recruiters have to have happy clients if they expect repeat business.

For all that, it is frustrating to see a DR job under a BC heading.

That's rather like advertising for a Boeing 777 captain when the airplane is a DC-3; it sounds impressive, but there is a BIG difference between the tail dragger and the newest jumbo out of Everett, WA. Don't misunderstand, the "gooney bird" is still the aircraft of choice for many operators and it has a proud history, but it still can't compete with a Boeing 7-series anything.

Likewise, IT DR is important - as part of an overall, enterprise business continuity plan and even in an IT-only environment, it is best served with true business continuity - avoidance and mitigation as primary points of difference.


Thursday, January 19, 2012


Everyone knows something

I have a cell phone. It's a "slider" made by Sony Ericsson, a company that I was given to understand no longer is in the handset business.

I've had this unit for several years and, for the most part, it has served me faithfully.

But lately it started failing me.

It would lose the network connectivity.

It would fail to locate towers.

The only way to "restore" it was to power down and power up again.

Like the old Unix boxes, this took a frustratingly long time.

I took the handset to the network provider and explained the problem.

From the clerk on the floor I learned that

    (a) A handset's life expectancy is about one year (never mind that the initial contract was for TWO years - think about that)

    (b) "We don't fix handsets - we don't even have a screwdriver on site."

The clerk WAS willing to sell me a new handset - and a new two-year contract.

But he made a mistake - he told me in a candid moment that I could buy and use a network-compatible phone, what some retailers call "No Contract" phones. There also are "Prepaid" phones, but since I have a post-pay contract, that option was off the table.

I found a replacement phone by searching the WWW. I was looking for

    an inexpensive phone

    with Bluetooth connectivity

I don't want or need a camera or MP3 player or . . .

Basically I want a phone to make and receive calls.


I found such a phone and I hied myself off to the retailer, a Big Box electronics store.

When I finally got the Sweet Young Thing's (SYT) attention, she got the phone I ordered and set it up.

As she was doing this, I explained WHY I was buying the new phone.

"It could be the handset has pocket lint," said the SYT.

She opened the old handset, blew out enough lint to choke a horse - OK, a small horse - and wiped the battery clean.

Having set up the new phone, I headed for the flivver with both phones.

Being a former writer, I usually RTM - Read The Manual - before turning on whatever it is the manual covers.

I looked at the handset's Quick Start booklet and its User's Guide.

No mention of Bluetooth connectivity.

Finally I found the real User's Manual and started looking for any reference to Bluetooth in the Table of Contents - there was no index.


Neither "blue" nor "tooth."

Back to the store and the SYT.

Again, after cooling my heels, she asked what was the problem.

"No Bluetooth," I said, adding that sans Bluetooth, I don't want the handset.

I told her the company's Web site listed the handset as being Bluetooth compatible and she confirmed this. (The next day, the Web site was corrected.)

In the end, she set up my old handset and I went on my way.

In the process I learned several things, the most important of which is to "de-lint" pocketable electronic devices from time to time.

The way to avoid future lint issues is to get a holster for the phone. I thought I'd use a baggie, but then I thought that probably would really get the handset overheated.

The way to mitigate the problem is to open the device up maybe once a quarter and blow out the accumulated lint and to wipe down the battery.

The ERM-BC-COOP lessons from all this?

    (1) Listen to everyone; everyone has something to offer that will come in handy, if not now, then perhaps later.

    (2) Maintain your gear, even if the procedure is missing from the documentation; think about "What If" probabilities.

Murphy's - or someone's - Law has it that something will go wrong at the worst possible moment. Missing an important call is bad enough. Missing an important call because of pocket lint is embarrassing.

Now I - and you - know how to prevent that embarrassment.

Because I listen.


Friday, January 13, 2012


Mitigate or face court date


According to an article headed "TEPCO shareholders to sue utility's directors for 5.5 tril. yen", 42 shareholders of Tokyo Electric Power Co. may sue the directors on their own for 5.5 trillion yen.

The stockholders contend that TEPCO calculated in 2008 that a tsunami of 15.7 meters could hit the nuclear power plant if a magnitude-8.3 quake occurred off Fukushima Prefecture, but the board members failed to take countermeasures such as raising the height of the tsunami barriers protecting the plant.

The tsunami that damaged Fukushima was the result of a 9.0 earthquake.

The stockholders said that if they prevail, they will use the funds to compensate victims of the crisis.

While the stockholders' action may have to play out in court - did the board have any reason to suspect a stronger earthquake possible in the region? - the lesson for risk management practitioners is simple:

    When faced with a threat that can be mitigated or avoided, failing to act can - and likely will - result in someone bringing legal action. In America, that usually means "all concerned" - boards, executives, and perhaps even the risk management practitioner.

Ignorance is not bliss, at least for the practitioner.

We, as risk management practitioners, are expected to at least warn our employers of a potential threat.

Boards and executives are like horses that can be led to water but cannot be forced to drink.

Still, it IS our responsibility to make threats, however remote, known to management.

Fortunately for most practitioners, we don't face a combined earthquake-plus-tsunami threat, but we all have threats with which we must deal.

How great a threat is determined by the evergreen Probability vs. Impact exercise.

Given the location of the Fukushima n-plant, the earthquake-plus-tsunami threat had a real probability of occurring.

In my part of the world (Atlantic coast), neither earthquakes nor tsunamis are very probable. We do have to protect against a hurricane's storm surge, a minimal tsunami perhaps. We also have our own special concerns, sink holes among them.

Like Fukushima Prefecture, we are home to n-plants, several in fact. These plants are located to take advantage of sea water for cooling. Did NextEra Energy/Florida Power and Light (FPL) plan for storm surge? Sink holes? Tornados? Probably. Did it plan for a combination of threats? Since I live between two plants, I hope so.

The main point of this article is to make all risk management practitioners aware of their responsibility to consider all threats and logical combinations of threats, and to make certain that management is aware of the practitioner's concerns.

I suspect that even if TEPCO's directors had Officers & Directors insurance, the insurer would balk at paying out 5.5 trillion yen, no matter how much that equates to in anyone's $s or €s or NIS.

How would a risk management practitioner KNOW there was a risk and the level of risk? The same way the risk management practitioner knows about all other risks: the practitioner asks the experts.

In the case of threats to the two n-plants that flank my home, many of the experts reside in local universities; some experts may be found far away.

Granted, a commissioned study might be expensive - but if the object of the threat is a nuclear power generating plant the expense probably is justifiable - but a great deal of information can be gathered with little or no outlay.

The practitioner must be industrious to seek out resources, but in most cases they are available and the people staffing those resources almost always are pleased to share their expertise. (Based on personal experience as a reporter and technical writer.)

We may not be able to force the "horse" to drink the water, but we must at least lead it to the water.


Tuesday, January 10, 2012


Executive suite can be bitter for shareholders


Two headlines from the daily Advisen FPN digital newsletter caught my attention.

Both dealt with shenanigans in the executive suite.

The first, "Olympus Sues Executives Over Covering Up Losses" tells how "The scandal-tainted Olympus Corporation said it was suing 19 current and former executives over their roles in a $1.7 billion cover-up of losses after an independent panel's report into management involvement in the fraud."

The entire article, from the New York Times, is at Bloomberg ran a similar article titled "Olympus May Sue Executives Over Cover-Up"; the file is found at .

The article had two telling points.

Point 1: An unidentified panel "said it had found a culture of yes men and a board that failed in its duty to stop a rotten core of executives from duping auditors, regulators and investors."

Point 2: "Olympus shares were up about 28 percent in morning trading on the news."

The second headline, from the Miami (FL) Herald, reads: "Lawsuit: Former CompUSA executives stole millions." The Elaine Walker piece may be read at

According to the article, the latest in a series of stories about CompUSA's senior staff, the current legal action "tells a classic tale of executives feeding at the corporate trough. The allegations include stealing electronics worth millions of dollars, taking family and friends on company-sponsored trips, negotiating kickbacks from vendors, and using employees for personal errands on company time."

The suit, Ms. Walker reported, noted that all the alleged actions by the former CompUSA executives were "intentionally and maliciously, wantonly, willfully, in bad faith."


In the Olympus's case, the Bloomberg article noted that the camera maker's scandal was uncovered "following an outside panel’s report into management responsibility." Olympus is suing "current and former executives over their roles in a(n alleged) $1.7 billion cover-up of losses," according to the Bloomberg article.

The CompUSA executives' actions were brought to light by employees and vendors who claimed they were tired of the executives' abuse.


These two incidents - alleged until adjudicated but cautionary nonetheless - should alert risk managers and business continuity practitioners with a broad mandate that risk often can be found in the executive suite.

In Olympus' case, the company hopes to recover allegedly misused funds. With a 2.1% rise in its stock price, the suggestion is that the misuse of funds and the newly filed legal action comes as no surprise.

In the CompUSA matter, the issue seems to be, if the news article is accurate, primarily a matter of greed by the company's founders who allegedly treated their company as a cash cow for their personal enjoyment.

In neither case were the activities in the executive suite something that just occurred.

Could the actions have been prevented or brought to light earlier? How?

One way the deeds might have surfaced sooner, at least in the CompUSA situation, is if the risk management people had a close relationship with the rank and file, the personnel in the trenches. Having a nodding relationship with key vendors, based on the risk manager's concern that the vendor had a business continuity plan, might have given a hint to vendor unhappiness with CompUSA's way of doing business.

Japan's Olympus, on the other hand, is another matter. The NYT article noted a "culture of yes men and a board that failed in its duty to stop a rotten core of executives." In other words, board members failed to do their duty and, had this happened in the U.S., could find themselves facing legal action along with the company president and his associates.

Thursday, January 5, 2012


Dust off pandemic plans


My email just delivered notifications that a version of the avian influenza - bird flu - is making the rounds.

In separate emails, I read that

  • A Chinese bus driver who tested positive for the H5N1 bird flu virus died Saturday in a city bordering Hong Kong, health officials said, in the country's first reported case of the disease in humans in 18 months.
  • The Ministry of Health and Population of Egypt has notified WHO of a case of human infection with avian influenza A (H5N1) virus. The case is a 29-year-old male from Dakahlia Governorate. He developed symptoms on 8 December 2011 and was admitted to hospital on 15 December 2011, where he received oseltamivir treatment. He was in critical condition and died on 19 December 2011.

It's time to dust off those Pandemic Plans so carefully crafted in 2008 and start the update process.

If the organization really is risk conscious, it won't have a Pandemic Plan.

Blasphemy? Heresy?

Not really.

Progressive organizations - and that means businesses, governments, non-profits, charities, and any other grouping you can conjure - have an Enterprise Risk Management Program that is kept up-to-date, and that considers all risks.

ALL risks?

OK, no one can think of every risk. That's why smart practitioners insist that programs involve all personnel - from the Board Room and Executive Suite to the newest intern and the organization's key personnel - the cleaning crew.

There are several things about a pandemic that set it apart from the typical "empty office" scenario.

  • It travels at the speed of flight.

  • It impacts vendors, customers, and intermediaries.

  • It can return again and again, albeit usually with less impact each time.

  • Buildings get "sick" and require treatment before they can be reoccupied.

In some respects, the pandemic looks like an "empty office" event. The building may be standing, but it cannot be occupied. There are a number of other risks that can have the same impact.

In some respects, the pandemic looks like a simple flu epidemic, but it is more virulent than the average winter flu. Personnel might be protected from the standard flu strain by the "best guess" anti-flu shots promoted by the government. The U.S. Center for Disease Control and Prevention (CDC) claims that "The U.S. 2010-2011 seasonal influenza vaccine will protect against an H3N2 virus, an influenza B virus, and the 2009 H1N1 virus that emerged last year to cause the first global pandemic in more than 40 years and resulted in substantial illness, hospitalizations and deaths."

What to do?

First, try to protect personnel.

Find out what the Center for Disease Control and Prevention recommends to combat the flu - both the "standard" Asian variety and the H5N1 variety. Start with the CDC Website at; it has information from the 2009 threat.

Cross training should be a priority. While cross training, make certain managers are up-to-date with the functions of the people they supervise.

Develop a succession plan. Encourage managers at all levels to name an alternate, someone who has the manager's authority and the manager's confidence to make decisions in the manager's absence. Again, the absence can be for any reason. The manager must announce the alternate - even "alternate du jour" if the manager wants to rotate the assignment - so the decision will be clear to everyone.

Review and, if necessary, update policies and procedures.

A good risk management practitioner, with management cooperation, can do a lot to assure that the organization will be able to meet at least a minimum level of service.