Friday, May 31, 2013

ERM-BC-COOP:


DIY Risk Management



I recently saw a report on consultant compensation for business continuity practitioners.

According to a post on LinkedIn’s BC-COOP group, Cheyene Marling, founder of BC Management, reports that

    BC Management’s 11th Annual BCM Study assesses not only compensations for those who are permanently employed, but also for those who work as independent contractors.

    The attached data graph highlights the average low and high billing rates for independent contractors. The data was collected in BC Management's 11th Annual BCM Study between July - December 2012. All currencies were converted to United States Dollar (USD) for comparison purposes. The study received over 2,200 participants with 100 noting “independent contractor”.

  • The lowest low hourly rate was $10.80 USD from Israel, but then based on personal experience, I know most Israelis can’t comprehend “risk management”.
  • The average low hourly rate for all respondents was $83.03 USD.
  • The highest low hourly rate was $217.75 USD from Australia.
  • The lowest high hourly rate was $24.91 USD from Ghana.
  • The average high hourly rate for all respondents was $128.40 USD.
  • The highest high hourly rate was $362.50 USD from Switzerland.

Ms. Marling even attached a graph (http://tinyurl.com/oa9uvpv) that generalizes compensation in different parts of the world.

I shared the information with some other practitioners and then I started wondering why practitioner compensation – at least in the U.S. – is relatively low: from $78 as the average low to $123 as the average high. Every other Low/High on the Weebly chart surpassed the U.S. at both ends.

Many practitioners I know who work in the U.S. are paid on an hourly basis. Most, I suspect, are “W-2,” meaning that the employer – typically a consulting firm or staffing agency – pays a portion of the consultant’s tax obligations. The consulting house or staffing agency usually gets twice – or more – of what they pay the consultant. If the consultant is paid $55/hour, the consulting house/agency probably is charging the client – for whom the consultant is creating a plan – between $125 and $200/hour. The bigger the provider’s “name,” the greater the mark-up for the consultant’s time and expertise.

So maybe the figures for the U.S. are a little skewed. Maybe not. If the question was “How much is a consultant worth?” then I hope the figures are skewed, but (bearing in mind W-2 salaries vs. 1099) if the question was “How much are you paid by the hour?” then they may be accurate.

Supply and Demand

I just looked at Monster.com and Careerbuilder.com for “business continuity” opportunities. Strangely, there were more staff jobs than contract jobs. Most of the jobs carefully avoided mentioning compensation, although I did see a job in Ohio offering between $95k and $120k/year, with another in “upstate New York” hoping to snag a risk analyst for $65k/year. On the low end, one consulting gig in Alabama listed by a staffing agency was offering compensation of $35 to $45/hour. Another supplemental staffing agency omits any compensation information, but you can rest assured that whatever the consultant expects, the agency will tell the applicant that it can’t manage that – will the consultant take less?

I know a number of practitioners looking for work. Many of them are highly experienced, but the jobs simply are not available.

It occurred to me that one of the reasons so few “less than Fortune 500” organizations engage a practitioner – either as staff or on a project basis – is because risk management is considered, like writing and photography, a Do It Yourself field. Anyone can “do” risk management. It’s a no brainer.

Writing a decent news story or PR piece; maybe slapping together a technical or even user manual. Grammar? Spelling? Concern for audience comprehension? Who needs them?

Likewise photography. Point and shoot. Never mind that a pipe is growing out of a person’s head or that the tall building falls inward ( / \ ). Shooting an ad for an expensive wine? Show a half-full wine glass and a bottle of the vino. Maybe no one will notice that the bottle has yet to be opened. (That, by the way, is a true story. Resume on request.

For what it’s worth, I was a writer and photographer before moving into risk management. It provided a good background.)

The problem is, risk management is NOT a “DIY” function. Given the advantages a good enterprise risk management program brings to an organization, it seems logical that smart management would rush to engage an experienced practitioner and pay that person a professional wage.

While I’m surprised, and glad, to see so many staff opportunities on Monster and Careerbuilder, I know there are far more practitioners, some highly qualified, than there are jobs, staff or contract.

Our profession is still a Jacob Cohen profession – it lacks respect. (Who is Jacob Cohen? You know him better as Rodney Dangerfield.)

As long as management considers risk management to be a DIY no brainer, we’ll either be on the market or “transitioning” to a new profession. Maybe senior practitioners should offer their services as Trainers or Mentors for the DIYers.

Meanwhile, practitioners might consider promoting (read generating future business) by presenting risk management or even business continuity to chambers of commerce and BBA/MBA classes at the local U.

As for me, I am not a DIYer. I don’t even like the self-check out machines at the supermarkets. When I need a professional job done, I go to a professional.



Thursday, May 30, 2013

ERM-BC-COOP:

Getting outside expertise

No practitioner is an island

Enterprise risk management should be what the name clearly states:

    Enterprise: Covers the entire enterprise

    Risk: Considers all risks/threats to the enterprise

    Management: Deals with risk avoidance/mitigation and dealing with risks if they occur, both during the crisis stage and the following recovery stages.

Most organizations have some insurance coverage, if only Property and Casualty (P&C). Many have Directors and Officers insurance and some have Business Interruption insurance.

These coverages are only the tip of the proverbial iceberg.

The problem is, insurance also is a risk.

The risks with insurance are several.

    Is there enough insurance; like Goldilocks and the bears’ beds, is the coverage too little, too much, or just right?

    Are all the insurable threats covered, or are some simply not worth coverage?

    Are the insurer’s financial resources deep enough to assure payment even if your organization is but one of many simultaneous claimants?

    Are there time limits on how soon a claim must be made and when it must be paid?

    If there is a dispute between the insured and the insurer, how is it to be resolved and in what jurisdiction?

As with all things ERM, there are two sides to every coin.

One of the greatest risks is a lack of understanding of the “small print.”

Does the insured comply with all of the policy’s requirements? Does anyone in the organization really know and understand the policy’s requirements?

Insurance policies are created by lawyers and insurers.

You need a lawyer who specializes in insurance coverages and an insurance expert, someone from the field. Not, however, a salesman. The insurance side should be represented by an independent insurance adjuster. Finally, these two people must be willing, and able, to work together and to present their findings in a report prepared in a language that management – and the practitioner - can comprehend.

According to an article titled Counsel's Role In Insurance Risk Management by Finley T. Harckham of Anderson Kill & Olick, P.C. ( http://www.metrocorpcounsel.com/articles/23475/counsels-role-insurance-risk-management), “Insurance policies are complex contracts, and pursuit of an insurance claim is often a high-stakes, conflict-ridden endeavor. Yet all too many companies entrust their assets and their very survival to insurance policies that are never seen by their attorneys, and pursue claims without the benefit of counsel's evaluation of the company's contractual rights. In-house counsel have an important role to play both when insurance is obtained and when claims are pursued.”

Harckham recommends six points to consider when considering insurance:

  1. Analyze Insurance Policies Before Coverage Is Bound
  2. Law and Arbitration Provisions
  3. Manuscript Provisions
  4. Review Insurance Applications
  5. Evaluate Coverage For Any Important Claim
  6. Law And Forum Selection

He defines and details each of the items in the article (ibid.).

While Harckham’s focus is on the specialist attorney, he maintains that “An attorney's review of the company's insurance policies is not as daunting a task as it might first appear, at least after going through the exercise once. Most policies consist largely of standard forms, many of which remain largely unchanged from year to year. The insurance broker can be asked to identify all changes in coverage. Moreover, excess policies often "follow form" to primary policies. So, reviewing higher-layer policies in a tower of insurance is typically far less involved than gaining an understanding of primary policies. However, care must be taken to ensure, if possible, that excess policies do not have less advantageous terms, and that if they do, any policies at higher levels do not follow form to them.”

An independent insurance adjuster’s primary function is to work on the insured’s behalf to make a valid claim. Because of this, an adjuster should be included in the policy review team, even with a lawyer specializing in insurance as a team member.

The purpose of insurance is to assure that the organization remains financially viable and able to continue with “business as usual.” If it does not, the premiums are wasted money.

Engaging experts for insurance reviews before the contract is signed is akin to getting specialists’ opinions before undergoing major surgery. On a less critical level, it is like engaging experts to examine property before purchase: is it up to standards, what about radon, is it in a flood zone, etc. Bottom line: It’s a good business practice and common sense; put in a way lawyers like, it is “performing due diligence.”

Practitioners would do well to take a couple of minutes to read through Harckham’s article so they can at least "encourage" management to seek specialists' expertise before signing on the dotted line.



Thursday, May 23, 2013

ERM-BC-COOP:

Give job to best person

 

I’m a fan of the comics.

Dilbert for May 23, 2013 triggered the thought that a risk management practitioner needs to try to match personnel to processes as an organization (a) tries to maintain a minimum level of service and (b) restore the operation to “business as usual.”

Politics and egos can make this a difficult task, but when it can be accomplished, the results are worthwhile.

There are those people, including practitioners, who are excellent workers under normal conditions. These same people may fall apart under event and post-event demands. On the other side of the coin, there are those who “get by” when everything is proceeding normally but shine when the pressure is greatest.

A nurse may handle routine duties in a routine manner, but come alive in a crisis situation. Another nurse also may handle routine duties in a routine manner, but panic in the same crisis.

Most people performing their day-to-day functions are there because they function well under minimal pressure. This is true for most managers; they got to a supervisory position based on their day-to-day performance.

Most older practitioners will remember the infamous “Peter Principle.” To update the younger practitioners, Wikipedia declares “The Peter Principle is a proposition that states that the members of an organization where promotion is based on achievement, success, and merit, will eventually be promoted beyond their level of ability." (http://en.wikipedia.org/wiki/Peter_Principle); The Free Dictionary agrees, showing “The theory that employees within an organization will advance to their highest level of competence and then be promoted to and remain at a level at which they are incompetent." (http://www.thefreedictionary.com/Peter+Principal)

Dilbert simply shows the Peter Principle in action with Dilbert’s Pointy-Haired Boss, a/k/a PHB.

Unfortunately, most organizations have managers who prove that the Peter Principle is alive and well.

The practitioner needs first to identify people who, regardless of hierarchy, are able to perform under stress and, second, needs to try to assure these people will be in responsible positions during and immediately following a crisis; people who will, as the expression goes, be able to keep their heads when all those around them are losing their heads.

There are some ways to (try to) achieve this.

Alternates

Every response function requires at least a primary and an alternate responder. No exceptions.

Actually, that is just good business sense.

People go on vacation, go to seminars and conferences, get sick, tend to relatives, retire, and die, sometimes unexpectedly. A well-run organization - and some not-so-well-run organizations – needs to have an “order of succession.” Even the U.S. federal government has a succession list.

    Presidential Succession Act of 1947 lists the order of succession for the President of the U.S. (POTUS). The list may be viewed at the Government Printing Office site: http://bensguide.gpo.gov/9-12/government/national/succession.html . The list is 18 (18 !) levels deep.

For most organizations, temporary duty assignments (“TDY” in military parlance) can be assigned to different people at different times to qualify more people to step in for a missing person, anyone from the CEO to an intern. (Most people probably don’t consider interns needing alternates, but what do interns often end up doing? Going for this and going for that, i.e., “go-fers.” In a crisis situation, there is a need for “go-fers”; if there are no interns, someone else must perform the function.)

Selling the “alternate” idea should be fairly easy for an experienced practitioner. Just ask the question: “What happens if {name of person or title} is absent when a crisis occurs? Who can make the decisions to keep the organization (department to enterprise) functioning?”

Unless the organization’s management is paranoid – and there are some - the practitioner also can stress the benefits of cross-training. The old Bell Telephone/AT&T used to promote managers from the ranks. The company reasoned, successfully, that if the rank and file went on strike, the now non-union managers could fill in for the duration; the service might slow down a bit, but the company would maintain “at least” a minimum level of service. The U.S. Marines operate similarly; every Marine, without exception, is a rifleman – or maybe today, a “rifle person.” The Marine may be enlisted or officer; most have a secondary function (e.g., radio operator, pilot, cook, Corps commandant) but all are trained to use a rifle.

The only recommendation I would have for managers who assign alternates to their positions is to put the authority in writing: “I appoint Tina the Technical Writer to serve in my position during my absence. Tina the Technical Writer has my full authority and is authorized to make all decisions that normally would be made by me. (Signed) PHB”

Tina the Technical Writer could be named for one absence, Wally for another, Carol the Manager’s Manager (a/k/a secretary), and Dilbert. Asok probably is too inexperienced to sub for the PHB, but someone has to report to the temporary PHB.

Using the military as an example, there are Officers of the Day (OODs) who, while in this role, have the authority of their commanding officer, Non-Commissioned Officers In Charge (NCOIC) and even Charges of Quarters (CQs), all temporarily with the authority of those in command. (Navy and Coast Guard terminology may differ slightly.)

Final thoughts on alternates: Alternates also may be primaries, provided both primary and alternate tasks don’t occur at the same time. Also keep in mind that responders may be needed at an alternate site while the primary site is restored.

Finding those who keep calm

Identifying responders who can keep their cool under the pressure of a crisis situation can be a difficult task.

The best, and possibly only, way to identify these people is through exercises.

Walk-through exercises are fine to discover the thinkers, those people who can analyze a problem and come up with possible solutions.

Simulations are better.

Simulations with injects are even better.

“Injects” are, in common terms, the proverbial monkey wrench that gets thrown into a situation to make something simple complicated.

“Injects” are intended to put pressure on responders; to simulate a “real life” situation.

Such monkey wrenches can include managers demanding that a task be performed “right now” – having a manager do this may have the added benefit of the manager seeing this interference is counter-productive.

Other monkey wrenches are to tell the responders that something they expected to be available is no longer available, or that a secondary threat has occurred, e.g., the fiber coming into the building has been cut* and there is no phone or Internet connectivity with the outside world.

    * We know this cannot happen because ALL of our facilities have at least 2 separate points where communications lines come into the structure. Right? Right.

Exercises need to be repeated, swapping in alternates for primary responders. Unlike football teams that practice “first team” against “second stringers,” responder swaps should be random. In a “real life” situation, no one will know who will be available. All team members must be able to work together.

Look for both managers and mentors. Managers may be people who rise to the occasion and, through their personalities and expertise, win their fellows’ following.

Mentors are valuable when dealing with less experienced personnel and with any casual (vendor-provided) staff at the primary and alternate sites. Vendor people may have the technical expertise to do the job but probably will lack the organizational background to work within established policies and procedures.

If a manager cannot manage in a crisis situation

You have my sympathies, but you need to find a way to suggest to the manager that maybe someone else could do a better job “just temporarily.”

One tool that is available is the “alternate.” If the manager can’t handle the pressure of a simulation-with-injects, have the alternate play the role on the next exercise. The manager must be in the exercise area to see the alternate’s performance.

If that fails to have the desired result, having the manager's peers or superiors address the issue with the manager might work. About the only way the practitioner can instigate this is to have the manager’s peers or superiors watch him in action. The practitioner should avoid, if at all possible, “going over the manager’s head,” no matter how inappropriate the manager’s actions, short of causing personnel injury or death.

Critiquing the exercise

The exercise has been completed.

Now is the time for (a) critiques and (b) action items.

A successful critique requires at least two things:

  1. Recommendations to improve, not criticisms of what, or who, went wrong; the purpose is to improve, not tear down other participants.
  2. The lowest ranking person who either participated in or observed the exercise – an intern if available – should offer his or her opinion first; the most senior person should give his or her opinion last. This “lesson from the Sanhedrin” assures that juniors won’t be influenced to simply agree with the seniors and will give their (hopefully) honest opinions.

The practitioner must lay down strict guidelines to avoid rancor and finger-pointing.

Ideally, there will be an amanuensis to record an Action Items list and the names of people responsible for each item on the list. Reasonable due dates should be fixed and a report created, to be circulated to all participants and appropriate management, once the items are completed. Most items can be completed and reported on within 14 working days.

The report will be used as the benchmark for the next exercise.

Keep in mind that nothing is 100% the first time out.

Wednesday, May 22, 2013

How hot, how cold?

While it may not be strictly “risk management,” protecting personnel from the elements is – should be – important to all practitioners.

In the summer

The thermometer may not record a really warm temperature, but the body complains it’s too hot for comfort.

The problem is a combination of temperature and relative humidity.

    What IS “relative humidity?”

    Relative humidity, as defined by The Free Dictionary is “The ratio of the amount of water vapor in the air at a specific temperature to the maximum amount that the air could hold at that temperature, expressed as a percentage.” (See http://www.thefreedictionary.com/relative+humidity .)

The formula for figuring out the heat index is more than a little complicated, but no one has to be a math maven to get the numbers.

The National Weather Service (NWS) has an online function that lets people plug in the important numbers

    Temperature in F or C (but not K)

    Relative Humidity in percentage.

at http://www.hpc.ncep.noaa.gov/html/heatindex.shtml

If you really MUST know the formula, the NWS has the formula linked from the calculator page; click on “How do we calculate the heat index?”

There even is a heat index chart link – “Heat Index Chart and Explanation” – just below the calculator at … heatindex.shtml.

In the winter

The NWS comes to the rescue once again, this time at http://www.crh.noaa.gov/ddc/?n=windchill.

Links from this URL connect to a Wind Chill Calculator and to both the New Wind Chill Chart and the Old Wind Chill Chart.

Like the heat index calculator, the wind chill calculator requires two inputs:

    Temperature in F or C

    Wind speed in mph

(You can convert metrics to miles per hour at Online Conversions at http://www.onlineconversion.com/speed.htm.)


New Wind Chill Chart