Friday, March 30, 2012


Cargo theft on rise


An article headed Cargo theft risk may be higher than thought by Sean Kilcarr, senior editor of Fleet Owner, introduces a "secondary risk" for many organizations.

The problem, which directly relates to transportation organizations, is in-transit theft of product.

Strangely enough, the article notes, "low value" thefts - thefts of goods valued at US$50,000 or less - are on the rise while theft of goods valued above US$50,000 is declining.

The article quotes Tom Mann, president of TrakLok, a company that provides trailer and container security systems, as saying that maintaining secure custody of freight as it moves through the supply chain is one of the biggest challenges the transportation industry faces as it deals with the threat of cargo theft.

“It’s a problem that really requires ‘layered’ security solutions,” he explained. “It’s not just about putting a lock on a trailer or container; it’s about connecting that lock to GPS and Geofencing technology so it can only be opened at origin or destination and at a certain time – with alerts sent out if the lock is opened or removed outside of those pre-set time windows or is tracked deviating from a prescribed route.”
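The policy Mann describes (open only at origin or destination, only inside a time window, alert on route deviation) can be written as a check over lock telemetry. The Python below is an added example, not TrakLok's code or anything from the article; the event fields, policy layout, coordinates, time windows and alert names are all assumptions constructed for illustration.

```python
import math
from datetime import datetime
EARTH_RADIUS_KM = 6371.0

def _offset_km(p, q):
    """East/north offset of q from p in km (flat-earth approximation)."""
    east = math.radians(q[1] - p[1]) * EARTH_RADIUS_KM * math.cos(math.radians(p[0]))
    north = math.radians(q[0] - p[0]) * EARTH_RADIUS_KM
    return east, north

def km_to_segment(p, a, b):
    """Distance in km from point p to segment a-b (a == b gives point distance)."""
    (ax, ay), (bx, by) = _offset_km(p, a), _offset_km(p, b)
    dx, dy = bx - ax, by - ay
    seg2 = dx * dx + dy * dy
    t = 0.0 if seg2 == 0 else max(0.0, min(1.0, -(ax * dx + ay * dy) / seg2))
    return math.hypot(ax + t * dx, ay + t * dy)

def evaluate(event, policy):
    """Return the alerts raised by one lock telemetry event (empty list = OK)."""
    alerts, pos, kind = [], event["pos"], event["type"].upper()
    route = policy["route"]
    if min(km_to_segment(pos, a, b) for a, b in zip(route, route[1:])) > policy["corridor_km"]:
        alerts.append("ROUTE_DEVIATION")
    if kind in ("OPEN", "REMOVED"):
        # Opening is allowed only inside a site geofence AND inside that site's window.
        site = next((s for s in policy["sites"].values()
                     if km_to_segment(pos, s["center"], s["center"]) <= s["radius_km"]), None)
        if site is None:
            alerts.append(f"LOCK_{kind}_OUTSIDE_GEOFENCE")
        elif not site["window"][0] <= event["time"] <= site["window"][1]:
            alerts.append(f"LOCK_{kind}_OUTSIDE_TIME_WINDOW")
    return alerts

# Constructed policy: coordinates, radii and windows are made-up sample values.
ORIGIN, MIDPOINT, DEST = (39.9526, -75.1652), (40.2206, -74.7597), (40.7128, -74.0060)
POLICY = {
    "route": [ORIGIN, MIDPOINT, DEST], "corridor_km": 5.0,
    "sites": {
        "origin": {"center": ORIGIN, "radius_km": 0.5,
                   "window": (datetime(2012, 3, 30, 6), datetime(2012, 3, 30, 9))},
        "destination": {"center": DEST, "radius_km": 0.5,
                        "window": (datetime(2012, 3, 30, 12), datetime(2012, 3, 30, 16))},
    },
}

if __name__ == "__main__":  # constructed telemetry: valid open, roadside open, late open, detour
    for ev in [
        {"type": "open", "pos": ORIGIN, "time": datetime(2012, 3, 30, 7, 30)},
        {"type": "open", "pos": MIDPOINT, "time": datetime(2012, 3, 30, 10)},
        {"type": "open", "pos": DEST, "time": datetime(2012, 3, 30, 18)},
        {"type": "position", "pos": (40.0, -75.6), "time": datetime(2012, 3, 30, 10)},
    ]:
        print(ev["type"], ev["time"], evaluate(ev, POLICY) or "ok")
```

Each layer produces its own alert, so an open at the right place but the wrong time is reported differently from an open on the roadside.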

The concern for non-transportation organizations is to assure that product is properly and fully protected from the time it leaves the point of origin to the final destination.

Admittedly, most cargos are covered by insurance, but most of us know that repeated claims drive up insurance premiums. It might be practical to either (a) insist that the carrier(s) have secure systems to protect the cargo or (b) for the company to invest, and apply, such systems. This would seem most appropriate for multimodal shipments. (Bear in mind that Customs may need to open a container; how that issue is handled needs to be clarified between the shipper and Customs officials in the origin and destination countries.)

Preventing cargo theft should be a concern for all manufacturers, if only to assure that the transportation organization(s) implement advanced security measures.

If I wrote it, you may quote it.


Thursday, March 29, 2012


Weather risks


According to an Associated Press article by Seth Borenstein titled Mumbai, Miami on list for big weather disasters, published in numerous outlets (NB), on a 594-page report from the UN's Intergovernmental Panel on Climate Change, "Global warming is leading to such severe storms, droughts and heat waves that nations should prepare for an unprecedented onslaught of deadly and costly weather disasters."

Borenstein states that "This report — the summary of which was issued in November — is unique because it emphasizes managing risks and how taking precautions can work, Field said. In fact, the panel's report uses the word "risk" 4,387 times."

And that is what makes the report of interest to risk management/business continuity practitioners.

While the report targets governments at all levels, risk management practitioners are well advised to spend some time considering the potential threats to the organizations they serve, either as staff or consultants.

For a number of years I have promoted incorporating risk management into construction projects, beginning with site selection. This report supports that, noting that "Globally, the scientists say that some places, particularly parts of Mumbai in India, could become uninhabitable from floods, storms and rising seas. In 2005, over 24 hours nearly 3 feet of rain fell on the city, killing more than 1,000 people and causing massive damage. Roughly 2.7 million people live in areas at risk of flooding.

"Other cities at lesser risk include Miami, Shanghai, Bangkok, China's Guangzhou, Vietnam's Ho Chi Minh City, Myanmar's Yangon (formerly known as Rangoon) and India's Kolkata (formerly known as Calcutta). The people of small island nations, such as the Maldives, may also need to abandon their homes because of rising seas and fierce storms."

Even without "extreme" weather events, flooding is, along with fire, the most common threat to "business as usual"; organizations need to involve risk management practitioners in all aspects of the operation.

If the organization must locate in a flood zone, at least put the profit center on an "above 100 year flood" level . . . and plan to have an alternate site in a no-flood zone. Flood information usually is available, at least in the U.S., but organizations often seem to be ignorant of this.

On top of the danger of flooding, the focus of the AP article, organizations also suffer increased insurance costs, particularly if they are located within close proximity to a large body of water (be it a lake, river, or ocean). This, obviously, takes its toll on the organization's "bottom line" even if the organization is a non-profit or government agency.

Yahoo! News:
Denver Post:
US News & World Report: (Badly edited)

Friday, March 23, 2012


Volcano afterthought


I'm confident that almost everyone remembers the travel delays associated with the eruption of Iceland's Eyjafjallajökull volcano in 2010.

The bottom line for travelers is that the ash spewed from the eruption grounded flights across much of Europe.


At the time I wondered why travelers, particularly business travelers, allowed themselves to be "stuck" in one place for several days. There were other transportation options: trains, buses, rental vehicles, with or without chauffeurs.

Some travelers were forced to hunker down wherever they landed because their company's travel policies prohibited independent travel arrangements; others put a limit on expenditures even in an unexpected situation. (The question here is: was the eruption really unexpected?)

I'm about to book a flight from my home in the US to the Middle East via Europe so the volcano came to mind.

Since I believe in practicing what I preach, I started considering my options. Two options came to mind.

One: Have my airline make arrangements with an airline in southern Europe - Portugal, Spain, or Italy - for me to continue to my destination from there using my original ticket - which I would expect my airline to arrange with the alternate airline - and I would take a train to Lisbon (TAP), Madrid (Iberia), or Rome (Alitalia) and my destination country's national carrier if it lands at those cities' airports.

Granted, I'd be out the cost of a train ticket (unless, of course I bought travel interruption insurance), but I would get to my destination reasonably close to my originally scheduled arrival.

Two - and this is to my mind far better - is for the airlines' risk management people to be on the ball and recommend (now) that the airlines have a contingency plan that states, basically, that "In the event aircraft cannot fly north or arrive from the north due to any reason - act of God or otherwise - flights from the south with planned continuations to northern Europe will be turned around to carry passengers to destinations outside the "no fly" zone."

In other words, let's say a plane

  • coming from Rome's Leonardo da Vinci/Fiumicino – FCO
  • bound for Amsterdam's Schiphol airport
  • lands at Paris' Chas. de Gaulle airport,
because it was scheduled to land there or because conditions north of France prevented the flight's continuation.

In the former case, local laws should pose no problem to turning that aircraft around and substituting it for a cancelled flight from Schiphol.

In the latter case I can see where local laws might get in the way, but with so much inter-airline code sharing, perhaps politics could be put aside and another airline's tickets (e.g., Air France) could be honored by the turned-around flight from Rome (e.g., Alitalia).

In my case, let's say I fly to the European city on Flight USA1 to connect with my destination flight ME1. ME1 originates at Gardermoen at Oslo, lands at De Gaulle, and then continues to my Middle East destination.

Eyjafjallajökull spews ash into the air and grounds ME1 at Gardermoen.

Meanwhile, ME2, from my destination to Gardermoen via De Gaulle, arrives in Paris.

It cannot continue to Gardermoen, but the airline could turn ME2 around, rename it ME1 and have it return to my destination. The passengers continuing to Oslo would be forced to either find other transportation or enjoy a stay in Paris.

My opinion of the airline, whether it put me on one of its own planes or got me to my destination on another carrier, would, like the plane I would be riding, soar to new heights. Even if the alternate airline offered superior service, the good will generated by my original "ME1" carrier might be enough, "all things considered," for me to remain a customer of that airline.

There really are two "bottom lines" to this effort.

Bottom Line 1: Airlines should have risk management plans that consider alternatives to a cavalier attitude of "the passengers be damned" and plan to offer passengers alternatives to waiting in the airport until resumption of "business as usual."

Put the passengers destined for non-impacted areas on other flights. Arrange for passengers to impacted areas to continue - if they choose - via rail, road, or waterway to their destination.

A really image-conscious airline would, if it had the information, contact people who might be waiting at the destination to tell them that Passengers A, B, and C were OK and would be on flight ME? scheduled to arrive at whatever time.

Bottom Line 2: Passengers should be prepared to find alternative means to their destinations.

The same holds true on the return flight - ME2 to De Gaulle then USA2 home.

If De Gaulle is closed due to - pick a reason - let USA1 divert to, say, Lisbon's Portela.

Since my ME2 flight to De Gaulle is cancelled, let the airline book me via Portela to connect with USA1 on its return to the States as USA2.

North-bound travelers can find alternative transportation; others can make their connections from Lisbon.

True story. Flying one January from Philadelphia to Ely NV via Salt Lake City UT. The airline decided it would not or could not continue to Ely, some 250 miles away, so it crowded the 8 passengers bound for Ely into a stretch taxi that lacked an efficient heater - translation: we all wore heavy coats, further compacting the passengers.

None of us appreciated the airline's decision but since it was then the only air option in and out of Ely, we were "stuck." The airline eventually abandoned Ely and a smaller, more reliable, service took its place.


Wednesday, March 14, 2012


Cloud considerations


In an article titled Cloud-Computing Risks: Due Diligence And Insurance by Joshua Gold on the Metropolitan Corporate Counsel Web site, the author asks: "Should a company be sending information to a third-party cloud site that hosts data for other businesses? And just what specific information is being sent: customer information? Trade secrets? Employee health information?"

Gold points out both the pros, including claims of cost savings and enhanced data security, and the cons, which include data breaches. He suggests making a pre-cloud decision checklist to determine if putting secure data into potentially insecure hands is worth any potential benefits.

One point Gold makes with which most readers of this blog will agree is that "Businesses can help make informed decisions regarding the extent to which they use cloud computing by having risk managers working in tandem with their IT departments and in-house attorneys to protect data created by the business or entrusted to it by outside entities and individuals."

He correctly recognizes that legal counsel is needed - be it in-house or external - to assure that the contract between the organization and the cloud providers has no holes that will cause either party grief and that the data dumped to the cloud is free from information that could cause the organization embarrassment and possibly cost it a great deal of money if compromised.

Gold takes cloud considerations a couple of steps further, into areas that should be, but often are not, considered.

Insurance: "Insurance coverage is available for losses arising from computer fraud or theft under both traditional and new stand-alone insurance products. While some of this coverage is quite valuable, do not expect it to be customer-friendly"

Indemnity and Hold Harmless Clauses: "Those using cloud-computing services should also seek protection from the cloud firms they consider using."

For all of the above, the bottom line remains, according to Gold: "Due diligence is key here, as no company can truly delegate its data security obligations."

The entire article, which I believe deserves every risk management practitioner's attention, is at

As an aside, while searching the Metropolitan Corporate Counsel Web site for the Gold article, I came across a number of other cloud-related articles. I recommend a visit to the site if your organization is considering, or already is involved with, cloud computing.

Tuesday, March 13, 2012


Social Media and the Workplace


According to a John P. Quirke article in Security Management, "As companies wake up to the incredible marketing power of social media, they are also running headlong into a variety of legal concerns related to just how much power they have—or don’t have—over what their employees post on social media sites."

Quirke's article points out both the benefits - mostly marketing - and dangers of "social media." He cited, as one of the negatives, the infamous pizza video that showed the pizza outlet in a light that proved to be untrue.

Part of the problem with "social media" is that the medium is new and relevant laws are relatively undefined; "social media" is a developing area of interest.

Quirke looks at the impact of the federal Stored Communications Act of 1986 and its impact on cases to this point, and cites examples to back up his position.

He also considers actions under the auspices of the National Labor Relations Board (NLRB).

Quirke's "bottom line" is that organizations must be "proactive in setting clear policies regarding the Internet, including employee use of social media. By setting clear guidelines, companies can protect their own interests and give employees a much-needed roadmap for appropriate conduct." He then proceeds to outline several steps organizations must undertake; several are risk management "standards," including development of policies and procedures and employee education.

Friday, March 2, 2012


Kidnap and Ransom issues


While it may be "out of scope" for most business continuity practitioners, it's well within the purview of enterprise risk management practitioners.

"It" is the threat of personnel being kidnapped. (By extension, "it" can include product being hijacked.)

This was brought to mind by an article titled "4 Facts About Kidnap and Ransom" at

According to the article's sub-head, "Fueled by continued social and economic unrest, kidnappings are one of the fastest-growing criminal industries."

According to Control Risks’ 2012 RiskMap, the countries ranking highest among the world’s kidnapping hotspots are

  1. Nigeria
  2. Pakistan
  3. Mexico
  4. Afghanistan
  5. Venezuela
  6. India
  7. Philippines
  8. Iraq
  9. Honduras
  10. Colombia

The article is pitching Kidnap and Ransom insurance, but it should get risk management people thinking about the dangers of doing business outside your home area. The "home area" weasel words are deliberate since "outside" could include any high crime area, and every country has at least one such location.

If nothing else, consideration should be given to what the organization would do if one of its staff - or anyone working on its behalf - was kidnapped.

What are the options? The options may depend as much on the kidnappers' politics as on the location.

The same applies to goods.

As with all things "risk management," practitioners need to seek out Subject Matter Experts (SMEs) wherever they are found - the U.S. State Department could be helpful, for example, but probably should not be the only source. Based on the SME input, means to avoid or mitigate the risk need to be considered.

Perhaps a change of venue will suffice to avoid a kidnapping. An alternate route could be enough to protect product. On the other hand, there are steps that can be taken to reduce the probability of kidnapping, among them traveler awareness training and bodyguards. There also are a number of simple, no-brainer, actions the traveler can take (such as varying routes and schedules).

This scrivener is neither an insurance SME nor a security SME (nor do I play one on TV), but I do know people who are SMEs in these areas and I don't hesitate to ask that they share their expertise with me.

If there are people within the organization who have the expertise, who are SMEs in insurance and security, take advantage of that knowledge. If the organization lacks such people on staff, seek out professionals. A small consulting fee can provide a major ROI if someone - or something - is destined to visit a risk area. Similar to the old Purolator commercial: Pay me now or pay me later.

Once a course of action is decided, formalize it (even if there are many options) into policies and procedures so that everyone - traveler and management alike - knows what to expect "in the event of."
