Thursday, May 31, 2012


What happened to security?


Security in the U.S. is a farce.

Actually, security in the U.S. is similar to risk management.

One day it's "all the rage" and at the top of management's list of priorities.

The next day it's a historical yawn.

Until, of course, someone, often with no great security intelligence, decides there is a Big Threat to America.

Why the rant?

I am about to take an international journey.

I booked the flights weeks ago.

No one - not the airline, not the ticketing agency - asked me if I had a passport and, if I did, what its number was.

No one asked for my Social Security number either, which is just as well since it NEVER was intended to be an ID for anything other than the Internal Revenue Service (IRS) and the Social Security Administration. Social Security has come a long way since it was introduced as a voluntary tax.

We have - or perhaps had - a "24 hour law" for lading ships bound for the U.S.

We had - but apparently no longer have - a similar law requiring international carriers to provide passenger lists; the law was intended to compare the traveler's ID to a "No Fly" list.

Everyone knows the "No Fly" list misses more than it catches.

The last time I travelled overseas I was obliged to provide my passport information. Fair enough.

I will have to pass through an intrusive x-ray machine as TSA tries to detect things they prohibit from being brought on board an aircraft. Unfortunately, TSA's best efforts and all its machines can't detect everything, so what should give me a warm, fuzzy feeling of security doesn't.

On the other hand, when I go through the security check on the way back to the U.S. I won't remove my shoes and I won't be x-rayed. I will go through a metal detector and my luggage will be x-rayed and maybe - maybe - I'll be asked to prove those two bottles of liquid really contain what I claim they contain.

Rather than the invasion of privacy TSA puts travelers through, I'll chat with a well-trained security person who knows the questions to ask and the answers to expect.

Security, where I am going, is a critical issue and unlike the U.S., it always is a concern. No ramping up and standing down like a yo-yo on a politician's string.

The risk management "bottom lines" to all of the above are several, including

  • CONSISTENCY - A level of awareness must remain high, even when, with no active threat presenting itself, it seems over-kill. It CAN be "over-kill" if security is allowed to slip.

  • TRAINING - Security personnel need to be trained to recognize potential threats. If that means profiling - admittedly a no-no for liberals - then profile. Learn to identify a person's actions and manner of speech. Be concerned if a person is wearing a raincoat when there's a drought or an overcoat during a heat wave. In short, learn from the experts; visit the folks who provide security at the airport in Lod.

  • ALL HANDS - All hands, everyone, need to be involved. The folks manning the desks and the production lines need to be aware of their surroundings. They also need to know how, and to whom, to report something out of the ordinary: a green sky (tornado possible), an unescorted stranger, flickering lights or power surges. The people who keep the organization operating are the organization's first line of defense, but they MUST know what to do when they perceive something is amiss.

I'd feel a lot better if someone had asked me to provide passport information when I purchased my ticket.

I'm sure the passport will be scanned as I check my bag, but if there is a computer or communications glitch, what then?

Apparently we - the U.S. - are in a confident mode.

For a traveler, that's scary.

If I wrote it, you may quote it.

Longer articles at

Sunday, May 20, 2012


Half a program
Not worth the price


I have an anti-virus program. The license is roughly $50 a year, about average for such an application.

As a virus checker, it is one of the best.

Unfortunately, as a virus BLOCKER it falls short.

As a virus REMOVER it is sorely lacking.

Making matters worse, this application doesn't "play nicely" with similar applications from other vendors (e.g., AVG).

My machine was "bugged," probably from an infected email.

I ran the anti-virus app.

It found the problem.

It identified the problem.

It reported that it removed the problem.

But the problem remained.

I called tech support.

Tech support told me to try another, free, product.

I did. The problem remained.

Contacted tech support again.

Same response, different product.

Same result.

On my third chat with tech support I was told to try yet another free product. This last product DID eliminate the problem.

Mind, none of the tech support recommended programs belongs to the anti-virus company I pay to keep my system clean.

This particular anti-virus software also has an applet that it claims can erase files.

I have a file on the machine it cannot erase.

But then it can't be erased by other applications, either.

The "bottom line" to this rant: a product that doesn't work is not worth having, no matter how well parts of the product may function.

I'll grant that the tech support was superior, but having to resort to other folks' applications, especially free ones, speaks volumes for the product. Unfortunately, those are NOT volumes of praise.

The problem with virus checkers is that you don't know how good they are - or are not - until after the fact.

I wrote earlier that this anti-virus application wouldn't "play nicely" with other, similar programs such as AVG.

That's true, but both can be installed and one turned off while the other works.

From an ERM-BC-COOP perspective, it seems sensible, if not "centsible," to install two same-type programs even if the user must turn one off to run the other - at least until one of the two has proven its value. Either that or maintain a list of free, Internet-accessible products (or have a really good working relationship with the vendor's tech support folks).


Thursday, May 17, 2012


"Clawbacks" may improve
 Execs' appreciation of ERM


In a Wall Street Journal article headed Pay Clawbacks Raise Knotty Issues, Suzanne Kapner and Aaron Lucchetti write that "Wall Street is getting its first high-profile opportunity to prove it is serious about recovering pay from executives whose blunders waste shareholder treasure."

Clawbacks, they explain, "are efforts to recover prior compensation paid to employees who engaged in behavior that hurt companies and their shareholders."

What that means for ERM, BC, and even perhaps COOP practitioners is that Very Senior Executives may now have a very good, "financially sound" reason to take an active role in risk management.

Unlike Dodd-Frank and Volcker laws, "A far-reaching provision in the new financial-overhaul law will force U.S. public companies to get tougher about making top executives repay improperly awarded incentive compensation," writes WSJ reporter Joann S. Lublin in an article headlined Law Sharpens 'Clawback' Rules for Improper Pay.

Lublin adds that "Under the legislation signed July 21, the Securities and Exchange Commission must order all (public) companies to adopt so-called clawback policies. The provision requires businesses to recoup as many as three years of ill-gotten pay from current and former executive officers after a material financial restatement - even if the executive wasn't to blame."

If Ms. Lublin's article is accurate, Very Senior Executives need to copy President Harry S Truman's desktop admonishment: "The buck stops here," meaning their desk - even if they are absent.

It is a given that executives facing loss of revenue from as much as three years back will be able to fight the claim in court. Someone must pay the executives' legal fees; asking the organization to foot the bill to defend the executive may be denied. Will an executive insurance policy cover such issues? Will the insurance company pay up if it is covered?

The bottom line for executives, and apparently those people reporting to them - as is the case with the recently exposed $2 billion loss by J.P. Morgan Chase - is that even if they escape a clawback effort, their defense will be expensive and the legal hassle may damage the organization's image.

If the new SEC requirements are enforceable and if they are indeed enforced, Very Senior Executives may develop a respect for risk management and may begin to give it some serious support.


Friday, May 4, 2012


Kidnapping considerations


A New York Times Online article titled Dealing With Kidnapping Abroad warns that kidnapping is alive and well and offers some experts' advice on how to avoid or mitigate the threat.

In addition to the quoted experts, the Times' David Wallis also references several Web sites that provide additional information:

While the article is most assuredly worth a read, if only for the real life stories, it offers very little that's new. The main points are

  1. Vary routes and schedules, and occasionally be early or late to meetings.
  2. Meet in public places; eschew private estates.
  3. Make your own transportation arrangements.
  4. Be aware of your surroundings and suspicious of people seen too often on your travels - perhaps you are being followed.
  5. Consider kidnapping and ransom insurance.
  6. Consider paying a professional for self-protection advice and training.