<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-5931600765099861931</id><updated>2012-02-01T14:22:36.724Z</updated><category term='Fireman&apos;s Fund'/><category term='Roger Wicker'/><category term='AIG'/><category term='FPL'/><category term='GEICO'/><category term='Mass Mutual'/><category term='Business Continuity'/><category term='Social Security'/><category term='David Vitter'/><category term='Florida Power and Light'/><category term='Jeff Sessions'/><category term='State Farm'/><category term='Enterprise Risk Management'/><category term='Oil Spill Response and Assistance Act'/><category term='OSRA'/><category term='MBA'/><category term='BC vs. DR'/><category term='Editing'/><category term='BBA'/><category term='Editotial Review Board'/><category term='George S. LeMieux'/><category term='article review'/><title type='text'>John Glenn's Thoughts</title><subtitle type='html'>Thoughts on Enterprise Risk Management, a/k/a Business Continuity and Continuation Of Operations (COOP) planning by a certified planner who has "been there and done that."  &lt;br&gt;
John Glenn articles now are at https://sites.google.com/site/johnglennmbci/</subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://johnglennmbci.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://johnglennmbci.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><link rel='next' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default?start-index=101&amp;max-results=100'/><author><name>John Glenn MBCI</name><uri>http://www.blogger.com/profile/03499458727913967175</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='11' height='32' src='http://bp2.blogger.com/_j2DodcRshS0/R_-0aRRk2PI/AAAAAAAAAAk/d-6wSUMOBX4/S220/litehous-sml.jpg'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>273</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-5931600765099861931.post-2072979810093142265</id><published>2012-02-01T14:13:00.000Z</published><updated>2012-02-01T14:22:36.729Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='Enterprise Risk Management'/><category scheme='http://www.blogger.com/atom/ns#' term='Business Continuity'/><title type='text'>ERM-BC-COOP  Who would have thought ? </title><content type='html'>A headline taken from the New York Times (&lt;A 

HREF="http://www.nytimes.com/2012/02/01/nyregion/hurled-shopping-carts-at-new-york-malls-worry-shoppers.html" TARGET="nyt"&gt;http://www.nytimes.com/2012/02/01/nyregion/hurled-shopping-carts-at-new-york-malls-worry-shoppers.html&lt;/A&gt;) closed out 

Wednesday morning's AdvisenFPN email. 
&lt;/P&gt;&lt;P&gt;
The headline: &lt;I&gt;Shoppers Shaken by Assaults With Carts at City’s Malls&lt;/I&gt; 

tells how shopping carts are "the latest, bizarre weapon of choice" in the New York 

City area malls.
&lt;/P&gt;&lt;P&gt;
According to the Times, there have been two recent incidents. In one case, 

someone allegedly threw a shopping cart from the third floor of a parking garage. 

In the other case, two 12-year-old boys dropped a shopping cart from a fourth 

floor walkway.
&lt;/P&gt;&lt;P&gt;
The Times failed to mention if any arrests were made.
&lt;/P&gt;&lt;P&gt;
Since we, as risk management practitioners, are unable to control people's anger 

(in the first instance) or stupidity or meanness in the second, what can we do to 

avoid a recurrence, if not in the New York venues then in our own areas?
&lt;/P&gt;&lt;P&gt;
Security guards apparently are &lt;b&gt;&lt;U&gt;not&lt;/U&gt;&lt;/B&gt; the answer. There were 

rent-a-cops at both locations. CCTV - closed circuit cameras - also is not the 

answer; they can capture an image, but the response time, the time between 

someone thinking an incident may occur and the time someone can respond, is 

far too long to prevent an incident.
&lt;/P&gt;&lt;P&gt;
One mall security expert (consultant) told the Times that, based on his 40 years 

experience, these two incidents did not indicate a pattern. Attack by shopping 

cart, he told the newspaper,  is rare; in his 40 years as a shopping mall security 

consultant, he's only heard of a couple of (other) incidents.
&lt;/P&gt;&lt;P&gt;
Fencing, such as seen now on most Interstate overpasses, particularly in rural 

areas, is one answer.
&lt;/P&gt;&lt;P&gt;
It won't prevent fights - which led to the incident in the parking garage - but it 

will corral flying objects.
&lt;/P&gt;&lt;P&gt;
Likewise, fencing would have prevented the juveniles from seeing if they could hit 

passersby with their cart.
&lt;/P&gt;&lt;P&gt;
Limiting shopping carts to a pick-up point next to the facility entrance works in 

some areas; this is common in Northern Virginia, but not in most Florida cities.  

Would it work in New York City or San Francisco? 
&lt;/P&gt;&lt;P&gt;
Obviously, as with most things "risk management," one size does 

&lt;B&gt;&lt;U&gt;not&lt;/U&gt;&lt;/B&gt; fit all.
&lt;/P&gt;&lt;P&gt;
Yet something must be done to protect people and shopping carts as well. 
&lt;/P&gt;&lt;P&gt;
&lt;h3&gt;&lt;u&gt;Secondary concern: Image&lt;/U&gt;&lt;/H3&gt;
&lt;/P&gt;&lt;P&gt;
In addition to protecting people, which always must be the top priority, business 

owners need to consider both their image - "Attacked by Shopping Cart" makes a 

great headline - and their insurance coverage. Lawyers for people injured by a 

shopping cart will go after the property owner and the shopping cart owner. 

(Strangely enough, most people do NOT think of taking a civil action against the 

people &lt;i&gt;responsible&lt;/i&gt; for the incident; in the New York cases, against the 

person who threw the cart from the parking garage, and against the parents of 

the juveniles who "cart bombed" passersby, nearly killing one woman.)
&lt;/P&gt;&lt;P&gt;
Coverage of the incidents also appeared in "SFGate," the San Francisco Chronicle 

Web site at &lt;A HREF="http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2012/01/31/MN891N0RCU.DTL" TARGET="SFC"&gt;http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2012/01/31/MN891N0RCU.DTL&lt;/a&gt;. 
&lt;/P&gt;&lt;P&gt;
&lt;I&gt;If I wrote it, you may quote it.&lt;/I&gt;&lt;/P&gt;
Longer articles at &lt;A HREF="https://sites.google.com/site/johnglennmbci/" 

TARGET="Long"&gt;https://sites.google.com/site/johnglennmbci/&lt;/A&gt;&lt;/P&gt;
&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5931600765099861931-2072979810093142265?l=johnglennmbci.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://johnglennmbci.blogspot.com/feeds/2072979810093142265/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5931600765099861931&amp;postID=2072979810093142265&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/2072979810093142265'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/2072979810093142265'/><link rel='alternate' type='text/html' href='http://johnglennmbci.blogspot.com/2012/02/erm-bc-coop-who-would-have-thought.html' title='&lt;H3&gt;&lt;U&gt;ERM-BC-COOP&lt;/U&gt;&lt;/H3&gt;  &lt;H1&gt;Who would have thought ? &lt;/H1&gt;'/><author><name>John Glenn MBCI</name><uri>http://www.blogger.com/profile/03499458727913967175</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='11' height='32' src='http://bp2.blogger.com/_j2DodcRshS0/R_-0aRRk2PI/AAAAAAAAAAk/d-6wSUMOBX4/S220/litehous-sml.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5931600765099861931.post-8801704701894217022</id><published>2012-01-30T17:34:00.003Z</published><updated>2012-01-30T17:41:10.152Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='Enterprise Risk Management'/><category scheme='http://www.blogger.com/atom/ns#' term='Business Continuity'/><title type='text'>ERM-BC-COOP   If ads were like food labels</title><content type='html'>&lt;P&gt;&amp;nbsp;
&lt;/p&gt;&lt;P&gt;
I am "on the market" and looking for a new job - contract (I travel) or staff, both will be considered.
&lt;/p&gt;&lt;P&gt;
Consequently I am surfing the job boards for "Business Continuity" and "Risk Management" titles.
&lt;/p&gt;&lt;P&gt;
What I am finding comes as no surprise. Many - the majority - of "business continuity" jobs really are "disaster recovery jobs" and some are just barely that.
&lt;/p&gt;&lt;P&gt;
What I would like to see, if I can't get honest advertising, that is, calling a DR job DR and not "business continuity" or "risk management," is something akin to the Food &amp; Drug Administration's content requirements.
&lt;/p&gt;&lt;P&gt;
When you look at a food product's ingredients you know, by the order in which a component is listed, what percentage of the component, e.g., sugar, is in the product.
&lt;/p&gt;&lt;P&gt;
For example, the label on a bottle of salad dressing reads:
&lt;/p&gt;&lt;P&gt;&lt;a href="http://3.bp.blogspot.com/-OmttGpIbymc/TybU2fRdvgI/AAAAAAAAAH8/tkouyy8_Cco/s1600/bottle.jpg"&gt;&lt;img style="float:right; margin:0 0 10px 10px;cursor:pointer; cursor:hand;width: 320px; height: 266px;" src="http://3.bp.blogspot.com/-OmttGpIbymc/TybU2fRdvgI/AAAAAAAAAH8/tkouyy8_Cco/s320/bottle.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5703480010684087810" /&gt;&lt;/a&gt;
Water&lt;BR&gt; Distilled Vinegar&lt;BR&gt; Vegetable Oil&lt;BR&gt; High Fructose Corn Syrup&lt;BR&gt; and finally, Tomatoes, the first "real" veggie in the Thousand Island blend.
&lt;/p&gt;&lt;P&gt;
I am looking at an Infrastructure/Business Continuity  posting. Admittedly, "infrastructure" tells me the job reports to an IT manager so I know the job is behind the data center doors.
&lt;/p&gt;&lt;P&gt;
But it &lt;i&gt;is&lt;/i&gt;, after all, "business continuity."
&lt;/p&gt;&lt;P&gt;
So what are the primary "ingredients?" Read on.
&lt;/p&gt;&lt;P&gt;
Of the 13, "business continuity" comes in at #6. On the other end of the list, Numbers 12 and 13 return to the "it's really IT" theme.
&lt;/p&gt;&lt;P&gt;
&lt;UL&gt;1.   Bachelor's degree in Computer Science or equivalent experience is preferred. &lt;BR&gt;2.   5-7 years experience supporting/maintaining infrastructure systems in an enterprise environment. &lt;BR&gt;3.   5-7 years experience supporting/maintaining Microsoft Server &lt;BR&gt;4.   5-7 years experience supporting/maintaining server hardware and software &lt;BR&gt;5.   3-5 years experience designing/supporting/maintaining LAN/WAN infrastructure. &lt;BR&gt;&lt;B&gt;6.   3-5 years experience developing and maintaining a Business Continuity program&lt;/b&gt; &lt;BR&gt;7.   Strong analytical and problem solving skills. &lt;BR&gt;8.   Strong attention to detail. &lt;BR&gt;9.   Ability to work with all levels of the organization. &lt;BR&gt;10.   Ability to work effectively and efficiently individually and collaboratively to complete assignments. &lt;BR&gt;11.   Ability to handle stressful situations calmly. &lt;BR&gt;12.   Experience supporting: HP, Cisco, UNIX, Data Domain, VMware, Exchange, SharePoint, System Center systems is desired. &lt;BR&gt;13.   Microsoft certification is also preferred.&lt;/UL&gt;
&lt;/p&gt;&lt;P&gt;
And then there is the advertisement for a Business Continuity Analyst that has the following requirements: "Responsible for general support activities in a testing laboratory, including ordering of chemicals and supplies, sample receipt, small equipment maintenance and calibration (balance weight checks, spectrophotometer checks) and various administrative support duties. Will assist in routine “sweeps” of the lab to ensure compliance with safety regulations. "
&lt;/p&gt;&lt;P&gt;
Most assuredly this is not IT disaster recovery, but neither is it "business continuity."
&lt;/p&gt;&lt;P&gt;
There &lt;U&gt;ARE&lt;/U&gt; some true business continuity advertisements out there. But on a "guesstimate," the ratio of DR/"resiliency" ads to business continuity or enterprise risk management probably is close to 3:1.
&lt;/p&gt;&lt;P&gt;
"Risk management" is another interesting category.
&lt;/p&gt;&lt;P&gt;
For some, "risk management" means insurance, with &lt;i&gt;maybe&lt;/I&gt; a nod to business continuity.
&lt;/p&gt;&lt;P&gt;
Other times it's medical facility risk management and this usually demands an RN degree or a special certification (in Florida). I have yet to see a medical facility risk management job with a real "business continuity" element to it.
&lt;/p&gt;&lt;P&gt;
Both of the above, like financial risk management, are truly risk management jobs . . . albeit niche risk management areas.
&lt;/p&gt;&lt;P&gt;
When this scrivener keys "enterprise risk management" the operative word is "enterprise."
&lt;/p&gt;&lt;P&gt;
My perspective is that ERM includes all risks to an organization. It does not, however, mean that the ERM practitioner needs to be a Subject Matter Expert (SME) in all areas any more than an enterprise business continuity practitioner needs to be expert in HR, Facilities, IT, and all the other profit center resources, or even the profit center.
&lt;/p&gt;&lt;P&gt;
ERM, to my mind, is an umbrella bringing together and coordinating all the niche risk management efforts - Legal, Image, Regulatory, Business Continuity (with its integral Disaster Recovery), Succession, Policies &amp; Procedures, Vendor Management, etc. &lt;U&gt;and&lt;/u&gt; et al.
&lt;/p&gt;&lt;P&gt;
I suppose that what someone titles a job is, like beauty, all in the eyes of the beholder.
&lt;/p&gt;&lt;P&gt;
Still, I'd like to see titles more accurately reflect the job's actual requirements.
&lt;/p&gt;&lt;P&gt;
&lt;I&gt;If I wrote it, you may quote it.&lt;/I&gt;&lt;/P&gt;
Longer articles at &lt;A HREF="https://sites.google.com/site/johnglennmbci/" TARGET="Long"&gt;https://sites.google.com/site/johnglennmbci/&lt;/A&gt;&lt;/P&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5931600765099861931-8801704701894217022?l=johnglennmbci.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://johnglennmbci.blogspot.com/feeds/8801704701894217022/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5931600765099861931&amp;postID=8801704701894217022&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/8801704701894217022'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/8801704701894217022'/><link rel='alternate' type='text/html' href='http://johnglennmbci.blogspot.com/2012/01/erm-bc-coop-if-ads-were-like-food.html' title='&lt;H3&gt;&lt;U&gt;ERM-BC-COOP&lt;/U&gt;&lt;/H3&gt;   &lt;H1&gt;If ads were like food labels&lt;/H1&gt;'/><author><name>John Glenn MBCI</name><uri>http://www.blogger.com/profile/03499458727913967175</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='11' height='32' src='http://bp2.blogger.com/_j2DodcRshS0/R_-0aRRk2PI/AAAAAAAAAAk/d-6wSUMOBX4/S220/litehous-sml.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/-OmttGpIbymc/TybU2fRdvgI/AAAAAAAAAH8/tkouyy8_Cco/s72-c/bottle.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5931600765099861931.post-3986925052305732729</id><published>2012-01-29T16:30:00.001Z</published><updated>2012-01-29T16:32:19.478Z</updated><category scheme='http://www.blogger.com/atom/ns#' 
term='Enterprise Risk Management'/><category scheme='http://www.blogger.com/atom/ns#' term='Business Continuity'/><title type='text'>ERM-BC-COOP  Value of sharing</title><content type='html'>&lt;P&gt;&amp;nbsp;
&lt;/P&gt;&lt;P&gt;
I've been in this business for a tad more than 15 years.
&lt;/P&gt;&lt;P&gt;
I'm pretty good at what I do and I think, when I consider threats to an organization, I identify &lt;i&gt;most&lt;/i&gt; of them.
&lt;/P&gt;&lt;P&gt;
But sometimes things either get "missed" or given less attention than they deserve.
&lt;/P&gt;&lt;P&gt;
For example, one of my acquaintances opened a discussion regarding what is needed "post-event."  I think his focus is on the financial aspects.
&lt;/P&gt;&lt;P&gt;
Normally I recommend that organizations have business interruption insurance. At the same time, I tell people that it is critical that careful records are maintained so the insurer will pay a fair amount.
&lt;/P&gt;&lt;P&gt;
I also recommend that an organization have either a good size contingency fund available or a line of credit at several financial institutions - lenders do fail so organizations need to "double up" - or, better, have a contingency fund AND lines of credit.
&lt;/P&gt;&lt;P&gt;
I read all too often on &lt;U&gt;AdvisenFPN&lt;/U&gt; - an insurance industry publication - that this or that organization is having to sue an insurer to collect on a policy. Even if the insured wins, the time between disaster event and payment can extend for more than a year.  Lack of funds can put an organization out of business before the insurer pays up.
&lt;/P&gt;&lt;P&gt;
Beyond insurance, contingency fund, and lines of credit, what are things to consider "post event"?
&lt;/P&gt;&lt;P&gt;
A few include:&lt;UL&gt;
&lt;/P&gt;&lt;P&gt;
&lt;LI&gt;Personnel - Are personnel available to (a) maintain the operation and (b) restore the organization to "business as usual"?
&lt;/P&gt;&lt;P&gt;
&lt;/LI&gt;&lt;LI&gt;Policies &amp; Procedures - Overtime, travel, expenses, R&amp;R, maximum time on job, more . . .
&lt;/P&gt;&lt;P&gt;
&lt;/LI&gt;&lt;LI&gt;Property - Is there an alternate site (if needed) and are staff willing to travel to it? Who can evaluate the property for damage, estimate repair or replacement costs, deal with the property insurance company; what about perimeter security?
&lt;/P&gt;&lt;P&gt;
&lt;/LI&gt;&lt;LI&gt;Purchases - (Something I learned from my acquaintance's thread) Are there special, event-related account numbers to track related (insured?, tax deductible?) expenses?&lt;/LI&gt;&lt;/UL&gt;
&lt;/P&gt;&lt;P&gt;
My mantra has for years been "You can't create a viable plan in a vacuum."  
&lt;/P&gt;&lt;P&gt;
Being able to share thoughts with other practitioners - both tyros and "old hands" - is one way to avoid a vacuum.
&lt;/P&gt;&lt;P&gt;
There is one caveat, however. Professional exchanges must be EXCHANGES; they cannot be one sided where I give and you take without any input. Everyone - &lt;u&gt;without exception&lt;/u&gt; - has something to contribute.
&lt;/P&gt;&lt;P&gt;
No one practitioner can think of everything in every instance, but we can protect our clients, be they internal or external, by networking.
&lt;/P&gt;&lt;P&gt;
Longer articles at &lt;A HREF="https://sites.google.com/site/johnglennmbci/" TARGET="Long"&gt;https://sites.google.com/site/johnglennmbci/&lt;/A&gt;
&lt;/P&gt;&lt;P&gt;
&lt;I&gt;If I wrote it, you may quote it.&lt;/I&gt;&lt;/P&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5931600765099861931-3986925052305732729?l=johnglennmbci.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://johnglennmbci.blogspot.com/feeds/3986925052305732729/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5931600765099861931&amp;postID=3986925052305732729&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/3986925052305732729'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/3986925052305732729'/><link rel='alternate' type='text/html' href='http://johnglennmbci.blogspot.com/2012/01/erm-bc-coop-value-of-sharing.html' title='&lt;H3&gt;&lt;U&gt;ERM-BC-COOP&lt;/U&gt;&lt;/H3&gt;  &lt;H1&gt;Value of sharing&lt;/H1&gt;'/><author><name>John Glenn MBCI</name><uri>http://www.blogger.com/profile/03499458727913967175</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='11' height='32' src='http://bp2.blogger.com/_j2DodcRshS0/R_-0aRRk2PI/AAAAAAAAAAk/d-6wSUMOBX4/S220/litehous-sml.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5931600765099861931.post-3590137200962888704</id><published>2012-01-25T15:42:00.002Z</published><updated>2012-01-25T15:48:53.104Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='Enterprise Risk Management'/><category scheme='http://www.blogger.com/atom/ns#' term='Business Continuity'/><title type='text'>ERM-BC-COOP   Certifiers as teachers?</title><content type='html'>&lt;P&gt;&amp;nbsp;
&lt;/P&gt;&lt;P&gt;
The other day a fellow commented on a LinkedIn group thread titled "Why has BCM not opened its doors to mental health?" that he believes "BC practitioner training (should) include a 'health' component.  I don't see the BCI doing this any time soon, which is why I left in 2010!"
&lt;/P&gt;&lt;P&gt;
So the question: Should a certifying company - The BCI, DRII - teach every aspect of business continuity?
&lt;/P&gt;&lt;P&gt;
Over the years I have created risk lists, and while all lists include HR issues, none specifically list "mental health."
&lt;/P&gt;&lt;P&gt;
When I create a risk management plan, I include employee mental health, but not usually in conjunction with a mentally traumatic event - say someone "going postal" or loss of job. My concerns typically are for personnel having to work at alternate sites.
&lt;/P&gt;&lt;P&gt;
Perhaps I have been remiss.
&lt;/P&gt;&lt;P&gt;
But that doesn't address the question: "Should a certifying company - The BCI, DRII - teach every aspect of business continuity?"
&lt;/P&gt;&lt;P&gt;
Actually, perhaps the question &lt;i&gt;ought&lt;/i&gt; to be: "Should the certifying business teach &lt;i&gt;anything other than the basic process&lt;/i&gt;?"
&lt;/P&gt;&lt;P&gt;
What, after all, is the function of such a business - and let's be honest, unless the certifying body is giving away certification based on XYZ qualifications, it is a business and the business is selling certification and prep courses to pass qualifying examinations. 
&lt;/P&gt;&lt;P&gt;
From what I know about the prep courses, the material is (a) generic and (b) heavy on buzz words, phrases, and alphabet soup - all great for intra-planner chat, but useless when trying to sell risk management or business continuity to a non-practitioner.
&lt;/P&gt;&lt;P&gt;
Should the certifiers list all the possible threats?
&lt;/P&gt;&lt;P&gt;
I don't think that's possible. The list would go on and on and .&amp;nbsp;.&amp;nbsp;.
&lt;/P&gt;&lt;P&gt;
Human Resources (HR) - a/k/a Personnel - would have a lengthy list all by itself.
&lt;/P&gt;&lt;P&gt;
I confess that although I have on a number of occasions written about mental trauma I can't write that I make it a specific item on my threat list; maybe I will.
&lt;/P&gt;&lt;P&gt;
But I don't think it's the job of a certifying company to "teach" any specifics.
&lt;/P&gt;&lt;P&gt;
Risk management and business continuity (the difference is the scope) require practitioners who THINK, preferably "outside the box." They also require that practitioners be willing to share their plans with their peers for comment. My philosophy is that no plan should be created in a vacuum; planning in a vacuum guarantees failure when the plan is most needed.
&lt;/P&gt;&lt;P&gt;
There is another reason why I don't think certifying companies should teach specifics - a threat list opens the door to the temptation to "check the boxes." That's the failure of most software packages; pseudo-practitioners "assume" that everything is covered by the check list or application and, like kids armed with calculators, the "planner" becomes dependent on external resources and lets the brain atrophy.
&lt;/P&gt;&lt;P&gt;
The poster left The BCI because he felt it should teach business continuity specifics. 
&lt;/P&gt;&lt;P&gt;
That never should have been the reason to buy certification in the first place.
&lt;/P&gt;&lt;P&gt;
&lt;I&gt;If I wrote it, you may quote it.&lt;/I&gt;
&lt;/P&gt;&lt;P&gt;
Longer articles at &lt;A HREF="https://sites.google.com/site/johnglennmbci/" TARGET="Long"&gt;https://sites.google.com/site/johnglennmbci/&lt;/A&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5931600765099861931-3590137200962888704?l=johnglennmbci.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://johnglennmbci.blogspot.com/feeds/3590137200962888704/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5931600765099861931&amp;postID=3590137200962888704&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/3590137200962888704'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/3590137200962888704'/><link rel='alternate' type='text/html' href='http://johnglennmbci.blogspot.com/2012/01/erm-bc-coop-certifiers-as-teachers.html' title='&lt;H3&gt;&lt;U&gt;ERM-BC-COOP&lt;/U&gt;&lt;/H3&gt;   &lt;H1&gt;Certifiers as teachers?&lt;/H1&gt;'/><author><name>John Glenn MBCI</name><uri>http://www.blogger.com/profile/03499458727913967175</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='11' height='32' src='http://bp2.blogger.com/_j2DodcRshS0/R_-0aRRk2PI/AAAAAAAAAAk/d-6wSUMOBX4/S220/litehous-sml.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5931600765099861931.post-2919076527852717275</id><published>2012-01-23T20:06:00.002Z</published><updated>2012-01-23T20:07:50.188Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='Enterprise Risk Management'/><category scheme='http://www.blogger.com/atom/ns#' term='Business Continuity'/><title type='text'>ERM-BC-COOP   Virtualization is NOT "business continuity" </title><content 
type='html'>&lt;H3&gt;&lt;FONT SIZE=+2&gt;The king's new clothes&lt;/FONT&gt;&lt;/h3&gt;
&lt;P&gt;&amp;nbsp;
&lt;/P&gt;&lt;P&gt;
Excuse me for failing "Political Correctness 101," but I'm a tad upset reading 

emails and headlines telling me data protection and virtualization are "business 

continuity."
&lt;/P&gt;&lt;P&gt;
I will concede that disaster recovery, and all its tools, is critical to a true business 

continuity plan.
&lt;/P&gt;&lt;P&gt;
But IT by itself, &lt;I&gt;unless it is the organization's profit center&lt;/I&gt;, is not the 

"business."
&lt;/P&gt;&lt;P&gt;
It is not even the business' most critical resource. &lt;A HREF="#note"&gt;*&lt;/A&gt;
&lt;/P&gt;&lt;P&gt;
I'm looking at a Web site that informs me the company - which for its own 

protection shall remain anonymous - shouts in 16 point Helvetica that it provides, 

quote, True Business Continuity and BDR Solutions, end quote. What it DOES 

provide is - and again I quote - Simple On- and Off-Site Backup, Virtualization in 

the Cloud, and On Site and Award-Winning Technology with Instant 

Virtualization.
&lt;/P&gt;&lt;P&gt;
I see nothing about protecting any &lt;i&gt;business&lt;/i&gt; functions.
&lt;/P&gt;&lt;P&gt;
I was driven to this site by a sales rep for another company that, according to the 

rep, offers an  "end-to-end business continuity solution" to IT Service Providers. I 

went to the company's URL and - to the company's credit - failed to find the magic 

words "business continuity" among the offered product "solutions." Backup and 

recovery, yes. Monitoring systems, yes. But business continuity, no.
&lt;/P&gt;&lt;P&gt;
Unfortunately, neither the sales rep nor the content writers for the site he 

recommended apparently have any conception of true business continuity.
&lt;/P&gt;&lt;P&gt;
&lt;B&gt;Gregg Jacobsen&lt;/B&gt;, with whom I shared the sales rep's email, wondered 

"What do they recommend to protect the revenue stream and market share for 

their client if the factory catches fire?"
&lt;/P&gt;&lt;P&gt;
I think Mr. Jacobsen's question nicely sums up the difference between what the 

sales rep was promoting and the purpose of business continuity.
&lt;/P&gt;&lt;P&gt;
I have nothing against either the sales rep or any organization that peddles IT 

products and services.
&lt;/P&gt;&lt;P&gt;
But calling disaster recovery - or even "resiliency" - "business continuity" does no 

one any good.
&lt;/P&gt;&lt;P&gt;
The gullible executive - and I've met some - may BELIEVE what is on the table is a 

business continuity contract, but when the gullible exec is up that proverbial 

creek sans a means of propulsion, someone will realize that what our executive 

&lt;i&gt;thought&lt;/i&gt; was "business continuity" in no way helps the business continue 

to stay in business.
&lt;/P&gt;&lt;P&gt;
Assume, if you will, that an event occurs at the facility - let's take Mr. Jacobsen's 

fire.
&lt;/P&gt;&lt;P&gt;
Let's further assume that the organization has all its data safely stored in a cloud 

for near-instant recovery.
&lt;/P&gt;&lt;P&gt;
That's wonderful, but if no one can access and use the data, of what value is it?
&lt;/P&gt;&lt;P&gt;
Perhaps if the cloud is accessible by staff working at alternate sites, but if we can 

make another assumption, no one considered an alternate site or virtual office 

options; the organization had, after all, a "business continuity" plan - a Web site 

said so.
&lt;/P&gt;&lt;P&gt;
If there &lt;i&gt;was&lt;/i&gt; a fire in the facility, let it happen when the place was empty. 

The cloud "business continuity" plan lacks any information about evacuation and 

assembly, hopefully out of the way of flying debris and arriving fire department 

vehicles.
&lt;/P&gt;&lt;P&gt;
Even the folks behind the data center doors are on their own. The data is 

protected, but not the people manning the machines to transfer data to the cloud 

- or tape or the backup option du jour. THAT information would have been in an 

honest business continuity plan; it's not found in a cloud plan, no matter what 

it's called.
&lt;/P&gt;&lt;P&gt;
I think the only thing &lt;b&gt;worse&lt;/b&gt; than calling an IT DR plan a "business 

continuity" plan is having a plan cobbled together by a novice armed with a 

template and check list.
&lt;/P&gt;&lt;P&gt;
At least with the cloud "business continuity" plan, most people can see the plan 

really is what it is - the king's new clothes. It is a plan to store data. Period. It has 

nothing to do with profit centers or non-data resources.
&lt;/P&gt;&lt;P&gt;
The novice's plan, on the other hand, &lt;i&gt;looks&lt;/i&gt; like a real business continuity 

plan and even though it probably is lacking more than it contains, it &lt;i&gt;is&lt;/I&gt; a 

plan. If it ever is exercised someone &lt;i&gt;might&lt;/i&gt; discover its deficiencies, but 

often when a person is plucked from their daily routine and dubbed "Official 

Business Continuity Planner" sans any relevant training, management has little 

intention of doing anything more with the plan than letting it gather dust on the 

shelf. For all that, &lt;i&gt;having&lt;/i&gt; a plan gives a - in this case, false - sense of 

security.
&lt;/P&gt;&lt;P&gt;
Business continuity, properly practiced, can greatly enhance an organization's 

"survivability" in case of an event.
&lt;/P&gt;&lt;P&gt;
Business continuity that translates into "storing data in the cloud" is 

&lt;B&gt;NOT&lt;/B&gt; business continuity, properly practiced or not.
&lt;/P&gt;&lt;P&gt;
It is an insult to the profession.
&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;
&lt;A NAME="note"&gt;*&lt;/A&gt; People are an organization's most critical resource. If you 

don't believe me, try and run a business without staff and customers.
&lt;/P&gt;&lt;P&gt;
&lt;I&gt;If I wrote it, you may quote it.&lt;/I&gt;
&lt;/P&gt;&lt;P&gt;
&lt;/P&gt;&lt;P&gt;
&lt;/P&gt;&lt;P&gt;
Longer articles at &lt;A HREF="https://sites.google.com/site/johnglennmbci/" 

TARGET="Long"&gt;https://sites.google.com/site/johnglennmbci/&lt;/A&gt;&lt;/P&gt;
&lt;/P&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5931600765099861931-2919076527852717275?l=johnglennmbci.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://johnglennmbci.blogspot.com/feeds/2919076527852717275/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5931600765099861931&amp;postID=2919076527852717275&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/2919076527852717275'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/2919076527852717275'/><link rel='alternate' type='text/html' href='http://johnglennmbci.blogspot.com/2012/01/erm-bc-coop-virtualization-is-not.html' title='&lt;H3&gt;&lt;U&gt;ERM-BC-COOP&lt;/U&gt;&lt;/H3&gt;   &lt;H1&gt;Virtualization is NOT &quot;business continuity&quot;&lt;/H1&gt; &lt;BR&gt;'/><author><name>John Glenn MBCI</name><uri>http://www.blogger.com/profile/03499458727913967175</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='11' height='32' src='http://bp2.blogger.com/_j2DodcRshS0/R_-0aRRk2PI/AAAAAAAAAAk/d-6wSUMOBX4/S220/litehous-sml.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5931600765099861931.post-4778210373401495067</id><published>2012-01-22T21:32:00.002Z</published><updated>2012-01-22T21:38:26.412Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='Enterprise Risk Management'/><category scheme='http://www.blogger.com/atom/ns#' term='Business Continuity'/><title type='text'>ERM-BC-COOP When "BC" is "DR" a/k/a "The Name Game"</title><content type='html'>&lt;P&gt;&amp;nbsp;
&lt;/P&gt;&lt;P&gt;
I got an email the other day announcing "24 NEW BC/DR Openings Just Posted."
&lt;/P&gt;&lt;P&gt;
Since I will entertain offers of employment, I followed the link in the email and found the following. (The advertiser's name and contact information are removed.)
&lt;/P&gt;&lt;P&gt;
&lt;UL&gt;&lt;LI&gt;Business Continuity Management (BCM) Manager – Consultant– FTE/Permanent  (local candidates. No relo). Candidates must have (either)  previous 3rd party Big 5 consulting experience or with  &lt;I&gt;a technology consulting organization&lt;/i&gt; will be considered. 
&lt;/P&gt;&lt;P&gt;
&lt;FONT FACE="Comic Sans MS"&gt;Note there is no minimum experience requirement. Degree yes; experience, not necessarily. Also no certification requirement.&lt;/FONT&gt;
&lt;/P&gt;&lt;P&gt;
&lt;/LI&gt;&lt;LI&gt;Consultant – Enterprise Resiliency – Multiple Positions!!! No Relo Assistance. 
Candidates must have 2+ years in business continuity, IT resiliency or risk management coupled with a Bachelor’s Degree. Candidates must have (either)  previous 3rd party Big 5 consulting experience or with  &lt;i&gt;a technology consulting organization&lt;/i&gt; will be considered. 
&lt;/P&gt;&lt;P&gt;
&lt;FONT FACE="Comic Sans MS"&gt;The term "resiliency" gives this posting instantly away as an IT DR gig. Note the "2+ years" minimum experience requirement. Degree yes; experience, not necessarily. Also no certification requirement.&lt;/FONT&gt;
&lt;/P&gt;&lt;P&gt;

&lt;/LI&gt;&lt;LI&gt;Senior Consultant – Enterprise Resiliency – Multiple Positions!!! No Relo Assistance.  Candidates must have 5+ years in business continuity, IT resiliency or risk management coupled with a Bachelor’s Degree. Candidates must have (either)  previous 3rd party Big 5 consulting experience or with  &lt;i&gt;a technology consulting organization&lt;/i&gt; will be considered.
&lt;/P&gt;&lt;P&gt;
&lt;FONT FACE="Comic Sans MS"&gt;OK, "resiliency" tells us the job is IT DR, but at least a "senior" consultant has to have at least 5 years experience. No certification necessary.&lt;/FONT&gt;
&lt;/P&gt;&lt;P&gt;

&lt;/LI&gt;&lt;LI&gt;Business Leader, Global Business Continuity - Strong IT Architecture Experience No relo assistance. The client is seeking a candidate who has previous experience working within a data center operations environment. Experience with highly resilient Infrastructure environments is a primary requirement for this position. Financial industry experience is highly preferred. 
&lt;/P&gt;&lt;P&gt;
&lt;FONT FACE="COMIC SANS MS"&gt;We're told right at the beginning that the candidate has to have "strong IT architecture experience." This is followed by a qualification that the candidate has "previous experience working within a data center operations environment."&lt;/FONT&gt;
&lt;/P&gt;&lt;P&gt;

&lt;/LI&gt;&lt;LI&gt;Engineer - IT Disaster Recovery No relo assistance.  Experience with highly resilient Infrastructure environments across many platforms is a primary requirement for this position. Financial or high transaction based industry experience within a large enterprise environment is crucial. 
&lt;/P&gt;&lt;P&gt;
&lt;FONT FACE="COMIC SANS MS"&gt;Bravo! No game playing here; the client wants a DR person.&lt;/FONT&gt;
&lt;/P&gt;&lt;P&gt;

&lt;/LI&gt;&lt;LI&gt;Senior Disaster Recovery Specialist FTE/Permanent.- No relo. Non-local candidates encouraged to apply. 
&lt;/P&gt;&lt;P&gt;
&lt;FONT FACE="COMIC SANS MS"&gt;OK, this job also tells it like it is; the only problem is that the candidate pool is strictly local to the advertiser; better candidates who live outside the area need not apply. I hope the advertiser's pool is Olympic size.&lt;/FONT&gt;
&lt;/P&gt;&lt;P&gt;

&lt;/LI&gt;&lt;LI&gt;Head of Business Continuity Management - Bachelors degree required, Graduate degree highly preferred. Successful candidate must have proven previous experience as Senior Managing Director or Global BC Head for large enterprise.  
&lt;/P&gt;&lt;P&gt;
&lt;FONT FACE="COMIC SANS MS"&gt;True BC. The question is, since a degree is required but no experience, will this person (attempt to) manage experienced practitioners or will the successful candidate find - as is frequently the case - that there are no direct reports; that the manager also is the practitioner.&lt;/FONT&gt;
&lt;/P&gt;&lt;P&gt;

&lt;/LI&gt;&lt;LI&gt;Disaster Recovery Manager Senior – FTE/Permanent (#2412) – Minneapolis, MN. Relo assistance provided.
Experience with highly resilient Infrastructure environments is a primary requirement for this position. Must have recent experience designing high availability solutions within multiple platforms within a large IT enterprise environment. Banking industry experience is highly preferred. 
&lt;/P&gt;&lt;P&gt;
&lt;FONT FACE="COMIC SANS MS"&gt;Once again, the title tells it like it is; DR. &lt;/FONT&gt;&lt;/LI&gt;&lt;/UL&gt;
&lt;/P&gt;&lt;P&gt;
The &lt;I&gt;reason&lt;/I&gt; the advertiser's name was omitted is because the mis-use of the term "business continuity" is all too common. Disaster recovery jobs must seem more "glamorous" than plain ol' DR. 
&lt;/P&gt;&lt;P&gt;

In what I suspect was an attempt to make DR sexy, one of the Big Name organizations dreamed up "resiliency" as DR's nom du jour. The word has been around, according to Merriam-Webster Online, since 1836, but M-W fails to define it. My Webster's unabridged lists "resiliency" as a variation on the word "resilient" dating back to 1620-1630.
&lt;/P&gt;&lt;P&gt;
Given that "resilient" means to "bounce back" or recover from something, that &lt;i&gt;still&lt;/i&gt; doesn't equate it to "business continuity" and certainly not "risk management." 
&lt;/P&gt;&lt;P&gt;
I don't know if recruiters deliberately mis-categorize jobs or if the titles are supplied by clients.
&lt;/P&gt;&lt;P&gt;
I &lt;i&gt;do&lt;/i&gt; know that a recruiter dare not suggest to a client that the requirements should be revisited; even recruiters have to have happy clients if they expect repeat business.
&lt;/P&gt;&lt;P&gt;
For all that, it &lt;i&gt;is&lt;/i&gt; frustrating to see a DR job under a BC heading.
&lt;/P&gt;&lt;P&gt;
That's rather like advertising for a Boeing 777 captain when the airplane is a DC 3; it &lt;i&gt;sounds&lt;/i&gt; impressive, but there is a BIG difference between the tail dragger and the newest jumbo out of Everett, WA. Don't misunderstand, the "gooney bird" still is the aircraft of choice for many operators and it has a proud history, but it still can't compete with a Boeing 7-series anything.
&lt;/P&gt;&lt;P&gt;
Likewise, IT DR is important - as part of an overall, enterprise business continuity plan and even in an IT-only environment, it is best served with true business continuity - avoidance and mitigation as primary points of difference.
&lt;/P&gt;&lt;P&gt;
Longer articles at &lt;A HREF="https://sites.google.com/site/johnglennmbci/" TARGET="Long"&gt;https://sites.google.com/site/johnglennmbci/&lt;/A&gt;
&lt;/P&gt;&lt;P&gt;
&lt;I&gt;If I wrote it, you may quote it.&lt;/I&gt;&lt;/P&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5931600765099861931-4778210373401495067?l=johnglennmbci.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://johnglennmbci.blogspot.com/feeds/4778210373401495067/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5931600765099861931&amp;postID=4778210373401495067&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/4778210373401495067'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/4778210373401495067'/><link rel='alternate' type='text/html' href='http://johnglennmbci.blogspot.com/2012/01/erm-bc-coop-when-bc-is-dr-aka-name-game.html' title='&lt;H3&gt;&lt;U&gt;ERM-BC-COOP&lt;/U&gt;&lt;/H3&gt; &lt;H1&gt;When &quot;BC&quot; is &quot;DR&quot;&lt;/H1&gt; &lt;H3&gt;a/k/a &quot;The Name Game&quot;&lt;/H3&gt;'/><author><name>John Glenn MBCI</name><uri>http://www.blogger.com/profile/03499458727913967175</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='11' height='32' src='http://bp2.blogger.com/_j2DodcRshS0/R_-0aRRk2PI/AAAAAAAAAAk/d-6wSUMOBX4/S220/litehous-sml.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5931600765099861931.post-5547822886497090911</id><published>2012-01-19T22:03:00.003Z</published><updated>2012-01-19T22:13:52.232Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='Enterprise Risk Management'/><category scheme='http://www.blogger.com/atom/ns#' term='Business Continuity'/><title type='text'>ERM-BC-COOP  Everyone knows something</title><content type='html'>&lt;p&gt;
&lt;/p&gt;&lt;p&gt;
I have a cell phone. It's a "slider" made by Sony Ericsson, a company that I was given to understand no longer is in the handset business.
&lt;/p&gt;&lt;p&gt;
I've had this unit for several years and, for the most part, it has served me faithfully.
&lt;/p&gt;&lt;p&gt;
But lately it started failing me.
&lt;/p&gt;&lt;p&gt;
It would lose the network connectivity.
&lt;/p&gt;&lt;p&gt;
It would fail to locate towers.
&lt;/p&gt;&lt;p&gt;&lt;a href="http://2.bp.blogspot.com/-Y73Q6YEbNQY/TxiVSPpvT3I/AAAAAAAAAHw/aYWcWUTEkLA/s1600/W760a.jpg"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 251px; height: 320px;" src="http://2.bp.blogspot.com/-Y73Q6YEbNQY/TxiVSPpvT3I/AAAAAAAAAHw/aYWcWUTEkLA/s320/W760a.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5699469469109145458" /&gt;&lt;/a&gt;
The only way to "restore" it was to power down and power up again.
&lt;/p&gt;&lt;p&gt;
Like the old Unix boxes, this took a frustratingly long time.
&lt;/p&gt;&lt;p&gt;
I took the handset to the network provider and explained the problem.
&lt;/p&gt;&lt;p&gt;
From the clerk on the floor I learned that
&lt;/p&gt;&lt;p&gt;
&lt;/p&gt;&lt;ul&gt;(a) A handset's life expectancy is about one year (never mind that the initial contract was for TWO years - think about that)
&lt;p&gt;&lt;/p&gt;&lt;p&gt;
(b) "We don't fix handsets - we don't even have a screwdriver on site."&lt;/p&gt;&lt;/ul&gt;
&lt;p&gt;&lt;/p&gt;&lt;p&gt;
The clerk WAS willing to sell me a new handset - and a new two-year contract.
&lt;/p&gt;&lt;p&gt;
But he made a mistake - he told me in a candid moment that I could buy and use a network-compatible phone, what some retailers call "No Contract" phones. There also are "Prepaid" phones, but since I have a post-pay contract, that option was off the table.
&lt;/p&gt;&lt;p&gt;
I found a replacement phone by searching the WWW. I was looking for
&lt;/p&gt;&lt;p&gt;
&lt;/p&gt;&lt;ul&gt;an inexpensive phone
&lt;p&gt;&lt;/p&gt;&lt;p&gt;
with Bluetooth connectivity&lt;/p&gt;&lt;/ul&gt;
&lt;p&gt;&lt;/p&gt;&lt;p&gt;
I don't want or need a camera or MP3 player or . . .
&lt;/p&gt;&lt;p&gt;
Basically I want a phone to make and receive calls.
&lt;/p&gt;&lt;p&gt;
Period.
&lt;/p&gt;&lt;p&gt;
I found such a phone and I hied myself off to the retailer, a Big Box electronics store.
&lt;/p&gt;&lt;p&gt;
When I finally got the Sweet Young Thing's (SYT) attention, she got the phone I ordered and set it up.
&lt;/p&gt;&lt;p&gt;
As she was doing this, I explained WHY I was buying the new phone.
&lt;/p&gt;&lt;p&gt;
"It could be the handset has pocket lint," said the SYT.
&lt;/p&gt;&lt;p&gt;
She opened the old handset, blew out enough lint to choke a horse - OK, a small horse - and wiped the battery clean.
&lt;/p&gt;&lt;p&gt;
Having set up the new phone, I headed for the flivver with both phones.
&lt;/p&gt;&lt;p&gt;
Being a former writer, I usually RTM - Read The Manual - before turning on whatever it is the manual covers.
&lt;/p&gt;&lt;p&gt;
I looked at the handset's Quick Start booklet and its User's Guide.
&lt;/p&gt;&lt;p&gt;
No mention of Bluetooth connectivity.
&lt;/p&gt;&lt;p&gt;
Finally I found the &lt;i&gt;real&lt;/i&gt; User's Manual and started looking for any reference to Bluetooth in the Table of Contents - there was no index.
&lt;/p&gt;&lt;p&gt;
Nothing.
&lt;/p&gt;&lt;p&gt;
Neither "blue" nor "tooth."
&lt;/p&gt;&lt;p&gt;
Back to the store and the SYT.
&lt;/p&gt;&lt;p&gt;
Again, after cooling my heels, she asked what was the problem.
&lt;/p&gt;&lt;p&gt;
"No Bluetooth," I said, adding that sans Bluetooth, I don't want the handset.
&lt;/p&gt;&lt;p&gt;
I told her the company's Web site listed the handset as being Bluetooth compatible and she confirmed this. (The next day, the Web site was corrected.)
&lt;/p&gt;&lt;p&gt;
In the end, she set up my old handset and I went on my way.
&lt;/p&gt;&lt;p&gt;
In the process I learned several things, the most important of which is to "de-lint" pocketable electronic devices from time to time.
&lt;/p&gt;&lt;p&gt;
The way to &lt;i&gt;avoid&lt;/i&gt; future lint issues is to get a holster for the phone. I thought I'd use a baggie, but then I thought that probably would &lt;i&gt;really&lt;/i&gt; get the handset overheated.
&lt;/p&gt;&lt;p&gt;
The way to &lt;i&gt;mitigate&lt;/i&gt; the problem is to open the device up maybe once a quarter and blow out the accumulated lint and to wipe down the battery.
&lt;/p&gt;&lt;p&gt;
The ERM-BC-COOP lessons from all this?
&lt;/p&gt;&lt;p&gt;
&lt;/p&gt;&lt;ul&gt;(1) Listen to everyone; everyone has something to offer that will come in handy, if not now, then perhaps later.
&lt;p&gt;&lt;/p&gt;&lt;p&gt;
(2) Maintain your gear; even if the procedure is missing from the documentation, think about "What If" probabilities.&lt;/p&gt;&lt;/ul&gt;
&lt;p&gt;&lt;/p&gt;&lt;p&gt;
Murphy's - or someone's - Law has it that something will go wrong at the worst possible moment. Missing an important call is bad enough. Missing an important call because of pocket lint is embarrassing.
&lt;/p&gt;&lt;p&gt;
Now I - and you - know how to prevent that embarrassment.
&lt;/p&gt;&lt;p&gt;
Because I listen.
&lt;/p&gt;&lt;p&gt;
&lt;i&gt;If I wrote it, you may quote it.&lt;/i&gt;
&lt;/p&gt;&lt;p&gt;
Longer articles at &lt;a href="https://sites.google.com/site/johnglennmbci/" target="Long"&gt;https://sites.google.com/site/johnglennmbci/&lt;/a&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5931600765099861931-5547822886497090911?l=johnglennmbci.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/5547822886497090911'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/5547822886497090911'/><link rel='alternate' type='text/html' href='http://johnglennmbci.blogspot.com/2012/01/erm-bc-coop-everyone-knows-something.html' title='&lt;H3&gt;&lt;U&gt;ERM-BC-COOP&lt;/U&gt;&lt;/H3&gt;  &lt;H1&gt;Everyone knows something&lt;/H1&gt;'/><author><name>John Glenn MBCI</name><uri>http://www.blogger.com/profile/03499458727913967175</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='11' height='32' src='http://bp2.blogger.com/_j2DodcRshS0/R_-0aRRk2PI/AAAAAAAAAAk/d-6wSUMOBX4/S220/litehous-sml.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/-Y73Q6YEbNQY/TxiVSPpvT3I/AAAAAAAAAHw/aYWcWUTEkLA/s72-c/W760a.jpg' height='72' width='72'/></entry><entry><id>tag:blogger.com,1999:blog-5931600765099861931.post-1483756832113155126</id><published>2012-01-13T18:51:00.000Z</published><updated>2012-01-13T18:52:18.057Z</updated><title type='text'>ERM-BC-COOP  Mitigate or face court date</title><content type='html'>&lt;P&gt;&amp;nbsp;
&lt;/P&gt;&lt;P&gt;
According to an article headed "&lt;A HREF="http://mdn.mainichi.jp/mdnnews/news/20120113p2g00m0dm016000c.html" TARGET="TEPCO"&gt;TEPCO shareholders to sue utility's directors for 5.5 tril. yen&lt;/A&gt;", 42 shareholders of Tokyo Electric Power Co. may sue the directors on their own for 5.5 trillion yen.
&lt;/P&gt;&lt;P&gt;
The stockholders contend that, although TEPCO calculated in 2008 that a tsunami of 15.7 

meters could hit the nuclear power plant if a magnitude-8.3 quake occurred off 

Fukushima Prefecture, the board members failed to take countermeasures such 

as raising the height of tsunami barriers protecting the plant.
&lt;/P&gt;&lt;P&gt;
The tsunami that damaged the Fukushima plant was the result of a 9.0 earthquake.
&lt;/P&gt;&lt;P&gt;
The stockholders said that if they prevail, they will use the funds to compensate 

victims of the crisis.
&lt;/P&gt;&lt;P&gt;
While the stockholders' action may have to play out in court - did the board have 

any reason to suspect a stronger earthquake possible in the region? - the lesson 

for risk management practitioners is simple: 

&lt;/P&gt;&lt;P&gt;&lt;UL&gt;When faced with a threat that can be mitigated or avoided, failing to 

act can - and likely will - result in someone bringing legal action. In America, that 

usually means "all concerned" - boards, executives, and perhaps even the risk 

management practitioner. 
&lt;/UL&gt;&lt;/P&gt;&lt;P&gt;

Ignorance is &lt;b&gt;not&lt;/b&gt; bliss, at least for the practitioner.
&lt;/P&gt;&lt;P&gt;
We, as risk management practitioners, are expected to &lt;U&gt;at least&lt;/U&gt; warn our 

employers of a potential threat. 
&lt;/P&gt;&lt;P&gt;
Boards and executives are like horses that can be led to water but cannot be 

forced to drink.
&lt;/P&gt;&lt;P&gt;
Still, it &lt;b&gt;IS&lt;/B&gt; our responsibility to make threats, however remote, known to 

management.
&lt;/P&gt;&lt;P&gt;
Fortunately for most practitioners, we don't face a combined earthquake-plus-

tsunami threat, but we all have threats with which we must deal.
&lt;/P&gt;&lt;P&gt;
How great a threat is determined by the evergreen Probability vs. Impact exercise.
&lt;/P&gt;&lt;P&gt;
Given the location of the Fukushima n-plant, the earthquake-plus-tsunami threat 

had a real probability of occurring. 
&lt;/P&gt;&lt;P&gt;
In my part of the world (Atlantic coast), neither earthquakes nor tsunamis are 

very probable. We &lt;u&gt;do&lt;/u&gt; have to protect against a hurricane's storm surge, 

a minimal tsunami perhaps. We also have our own special concerns, sink holes 

among them. 
&lt;/P&gt;&lt;P&gt;
Like Fukushima Prefecture, we are home to n-plants, several in fact. These 

plants are located to take advantage of sea water for cooling. Did NextEra 

Energy/Florida Power and Light (FPL) plan for storm surge? Sink holes? 

Tornados? Probably. Did it plan for a combination of threats? Since I live between 

two plants, I hope so.
&lt;/P&gt;&lt;P&gt;
The main point of this article is to make all risk management practitioners aware 

of their responsibility to consider all threats and logical combinations of threats, 

&lt;U&gt;and to make certain that management is aware of the practitioner's 

concerns&lt;/u&gt;.
&lt;/P&gt;&lt;P&gt;
I suspect that even if TEPCO's directors had Officers &amp; Directors insurance, 

the insurer would balk at paying out 5.5 &lt;U&gt;trillion&lt;/U&gt; yen, no matter how 

much that equates to in anyone's $s or €s or NIS.
&lt;/P&gt;&lt;P&gt;
How would a risk management practitioner KNOW there was a risk and the level 

of risk? The same way the risk management practitioner knows about all other 

risks: the practitioner &lt;U&gt;asks the experts&lt;/U&gt;.
&lt;/P&gt;&lt;P&gt;
In the case of threats to the two n-plants that flank my home, many of the experts 

reside in local universities; some experts may be found far away. 
&lt;/P&gt;&lt;P&gt;
Granted, a commissioned study might be expensive - but if the object of the 

threat is a nuclear power generating plant the expense probably is justifiable - 

but a great deal of information can be gathered with little or no outlay.
&lt;/P&gt;&lt;P&gt;
The practitioner must be industrious to seek out resources, but in most cases 

they are available and the people staffing those resources almost always are 

pleased to share their expertise. (Based on personal experience as a reporter and 

technical writer.)
&lt;/P&gt;&lt;P&gt;
We may not be able to force the "horse" to drink the water, but we must at least 

lead it to the water.
&lt;/P&gt;&lt;P&gt;
Longer articles at &lt;A HREF="https://sites.google.com/site/johnglennmbci/" 

TARGET="Long"&gt;https://sites.google.com/site/johnglennmbci/&lt;/A&gt;

&lt;/P&gt;
&lt;P&gt;&lt;I&gt;If I wrote it, you may quote it&lt;/I&gt;&lt;/P&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5931600765099861931-1483756832113155126?l=johnglennmbci.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://mdn.mainichi.jp/mdnnews/news/20120113p2g00m0dm016000c.html' title='&lt;H3&gt;&lt;U&gt;ERM-BC-COOP&lt;/U&gt;&lt;/H3&gt;  &lt;H1&gt;Mitigate or face court date&lt;/H1&gt;'/><link rel='replies' type='application/atom+xml' href='http://johnglennmbci.blogspot.com/feeds/1483756832113155126/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5931600765099861931&amp;postID=1483756832113155126&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/1483756832113155126'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/1483756832113155126'/><link rel='alternate' type='text/html' href='http://johnglennmbci.blogspot.com/2012/01/erm-bc-coop-mitigate-or-face-court-date.html' title='&lt;H3&gt;&lt;U&gt;ERM-BC-COOP&lt;/U&gt;&lt;/H3&gt;  &lt;H1&gt;Mitigate or face court date&lt;/H1&gt;'/><author><name>John Glenn MBCI</name><uri>http://www.blogger.com/profile/03499458727913967175</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='11' height='32' src='http://bp2.blogger.com/_j2DodcRshS0/R_-0aRRk2PI/AAAAAAAAAAk/d-6wSUMOBX4/S220/litehous-sml.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5931600765099861931.post-4815715083033536630</id><published>2012-01-10T15:21:00.001Z</published><updated>2012-01-10T15:21:39.419Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='Enterprise Risk Management'/><category 
scheme='http://www.blogger.com/atom/ns#' term='Business Continuity'/><title type='text'>ERM-BC-COOP  Executive suite can be bitter for shareholders</title><content type='html'>&lt;P&gt;&amp;nbsp
&lt;/P&gt;&lt;P&gt;
Two headlines from the daily Advisen FPN digital newsletter caught my attention.
&lt;/P&gt;&lt;P&gt;
Both dealt with shenanigans in the executive suite.
&lt;/P&gt;&lt;P&gt;
The first, "Olympus Sues Executives Over Covering Up Losses" tells how "The scandal-tainted Olympus Corporation said it was suing 19 current and former executives over their roles in a $1.7 billion cover-up of losses after an independent panel's report into management involvement in the fraud."
&lt;/P&gt;&lt;P&gt;
The entire article, from the New York Times,  is at 
&lt;A HREF="http://www.nytimes.com/2012/01/10/technology/olympus-sues-executives-involved-in-cover-up.html" TARGET="NYT"&gt;http://www.nytimes.com/2012/01/10/technology/olympus-sues-executives-involved-in-cover-up.html&lt;/A&gt;. 
Bloomberg ran a similar article titled "Olympus May Sue Executives Over Cover-Up"; the file is found at &lt;A HREF="http://www.bloomberg.com/news/2012-01-08/olympus-may-sue-present-past-executives-over-cover-up.html" TARGET="Bloom"&gt;http://www.bloomberg.com/news/2012-01-08/olympus-may-sue-present-past-executives-over-cover-up.html&lt;/A&gt; .
&lt;/P&gt;&lt;P&gt;
The article had two telling points.
&lt;/P&gt;&lt;P&gt;
Point 1: An unidentified panel "said it had found a culture of yes men and a board that failed in its duty to stop a rotten core of executives from duping auditors, regulators and investors." 
&lt;/P&gt;&lt;P&gt;
Point 2: "Olympus shares were up about 28 percent in morning trading on the news."
&lt;/P&gt;&lt;P&gt;
The second headline, from the Miami (FL) Herald, reads: "Lawsuit: Former CompUSA executives stole millions." The Elaine Walker piece may be read at &lt;A HREF="http://www.miamiherald.com/2012/01/08/v-fullstory/2579914/lawsuit-former-compusa-executives.html" TARGET="Herald"&gt;http://www.miamiherald.com/2012/01/08/v-fullstory/2579914/lawsuit-former-compusa-executives.html&lt;/a&gt;. 
&lt;/P&gt;&lt;P&gt;
According to the article, the latest in a series of stories about CompUSA's senior staff, the current legal action "tells a classic tale of executives feeding at the corporate trough. The allegations include stealing electronics worth millions of dollars, taking family and friends on company-sponsored trips, negotiating kickbacks from vendors, and using employees for personal errands on company time."
&lt;/P&gt;&lt;P&gt;
The suit, Ms. Walker reported, noted that all the alleged actions by the former CompUSA executives were ".intentionally and maliciously, wantonly, willfully, in bad faith"
&lt;/P&gt;&lt;P&gt;
&amp;nbsp;
&lt;/P&gt;&lt;P&gt;
In Olympus's case, the Bloomberg article noted that the camera maker's scandal was uncovered "following an outside panel’s report into management responsibility." Olympus is suing "current and former executives over their roles in a(n alleged) $1.7 billion cover-up of losses," according to the Bloomberg article.
&lt;/P&gt;&lt;P&gt;
The CompUSA executives' actions were brought to light by employees and vendors who claimed they were tired of the executives' abuse.
&lt;/P&gt;&lt;P&gt;
&amp;nbsp;
&lt;/P&gt;&lt;P&gt;
These two incidents - alleged until adjudicated but cautionary none the less - should alert risk managers and business continuity practitioners with a broad mandate, that risk often can be found in the executive suite.
&lt;/P&gt;&lt;P&gt;
In Olympus' case, the company hopes to recover allegedly misused funds. With a 2.1% rise in its stock price, the suggestion is that the misuse of funds and the newly filed legal action come as no surprise.
&lt;/P&gt;&lt;P&gt;
In the CompUSA matter, the issue seems to be, if the news article is accurate, primarily a matter of greed by the company's founders who allegedly treated their company as a cash cow for their personal enjoyment.
&lt;/P&gt;&lt;P&gt;
In neither case were the activities in the executive suite something that just occurred.
&lt;/P&gt;&lt;P&gt;
Could the actions have been prevented or brought to light earlier? How?
&lt;/P&gt;&lt;P&gt;
One way the deeds &lt;I&gt;might&lt;/i&gt; have surfaced sooner, at least in the CompUSA situation, is if the risk management people had a close relationship with the rank and file, the personnel in the trenches. Having a nodding relationship with key vendors, based on the risk manager's concern that the vendor had a business continuity plan, might have given a hint to vendor unhappiness with CompUSA's way of doing business.
&lt;/P&gt;&lt;P&gt;
Japan's Olympus, on the other hand, is another matter. The NYT article noted that a "culture of yes men and a board that failed in its duty to stop a rotten core of executives." In other words, board members failed to do their duty and, if this was done in the U.S., could find themselves facing legal action along with the company president and his associates. &lt;/P&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5931600765099861931-4815715083033536630?l=johnglennmbci.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://johnglennmbci.blogspot.com/feeds/4815715083033536630/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5931600765099861931&amp;postID=4815715083033536630&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/4815715083033536630'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/4815715083033536630'/><link rel='alternate' type='text/html' href='http://johnglennmbci.blogspot.com/2012/01/erm-bc-coop-executive-suite-can-be.html' title='&lt;H3&gt;&lt;U&gt;ERM-BC-COOP&lt;/U&gt;&lt;/H3&gt;  &lt;H1&gt;Executive suite can be &lt;BR&gt;bitter for shareholders&lt;/H1&gt;'/><author><name>John Glenn MBCI</name><uri>http://www.blogger.com/profile/03499458727913967175</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='11' height='32' 
src='http://bp2.blogger.com/_j2DodcRshS0/R_-0aRRk2PI/AAAAAAAAAAk/d-6wSUMOBX4/S220/litehous-sml.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5931600765099861931.post-4187730299743951422</id><published>2012-01-05T21:26:00.003Z</published><updated>2012-01-06T19:48:34.210Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='Enterprise Risk Management'/><category scheme='http://www.blogger.com/atom/ns#' term='Business Continuity'/><title type='text'>ERM-BC-COOP  Dust off pandemic plans</title><content type='html'>&lt;P&gt;&amp;nbsp
&lt;/P&gt;&lt;P&gt;
My email just delivered notifications that a version of the avian influenza - bird flu - is making the rounds.
&lt;/P&gt;&lt;P&gt;
In separate emails, I read that
&lt;/P&gt;&lt;P&gt;
&lt;UL&gt;&lt;LI&gt;A Chinese bus driver who tested positive for the H5N1 bird flu virus died Saturday in a city bordering Hong Kong, health officials said, in the country's first reported case of the disease in humans in 18 months.&lt;/LI&gt;
&lt;/P&gt;&lt;P&gt;
&lt;LI&gt;The Ministry of Health and Population of Egypt has notified WHO of a case of human infection with avian influenza A (H5N1) virus. The case is a 29-year-old male from Dakahlia Governorate. He developed symptoms on 8 December 2011 and was admitted to hospital on 15 December 2011, where he received oseltamivir treatment. He was in critical condition and died on 19 December 2011.&lt;/LI&gt;&lt;/UL&gt; 
&lt;/P&gt;&lt;P&gt;
It's time to dust off those Pandemic Plans so carefully crafted in 2008 and start the update process.
&lt;/P&gt;&lt;P&gt;
If the organization really is risk conscious, it won't have a Pandemic Plan.
&lt;/P&gt;&lt;P&gt;
Blasphemy? Heresy?
&lt;/P&gt;&lt;P&gt;
Not really.
&lt;/P&gt;&lt;P&gt;
Progressive organizations - and that means businesses, governments, non-profits, charities, and any other grouping you can conjure - have an Enterprise Risk Management Program that is kept up-to-date, and that considers all risks.
&lt;/P&gt;&lt;P&gt;
ALL risks?
&lt;/P&gt;&lt;P&gt;
OK, no one can think of every risk. That's why smart practitioners insist that programs involve all personnel - from the Board Room and Executive Suite to the newest intern and the organization's key personnel - the cleaning crew.
&lt;/P&gt;&lt;P&gt;
There are several things about a pandemic that set it apart from the typical "empty office" scenario.
&lt;/P&gt;&lt;P&gt;
&lt;UL&gt;&lt;LI&gt;It travels at the speed of flight.
&lt;/P&gt;&lt;P&gt;
&lt;/LI&gt;&lt;LI&gt;It impacts vendors, customers, and intermediaries.
&lt;/P&gt;&lt;P&gt;
&lt;/LI&gt;&lt;LI&gt;It can return again and again, albeit usually with less impact each time.
&lt;/P&gt;&lt;P&gt;
&lt;/LI&gt;&lt;LI&gt;Buildings get "sick" and require treatment before they can be reoccupied.&lt;/LI&gt;&lt;/UL&gt;
&lt;/P&gt;&lt;P&gt;

&lt;/P&gt;&lt;P&gt;
In some respects, the pandemic looks like an "empty office" event. The building may be standing, but it cannot be occupied. There are a number of other risks that can have the same impact.
&lt;/P&gt;&lt;P&gt;
In some respects, the pandemic looks like a simple flu epidemic, but it is more virulent than the average winter flu. Personnel might be protected from the standard flu strain by the "best guess" anti-flu shots promoted by the government. The U.S. Centers for Disease Control and Prevention (CDC) claims that "The U.S. 2010-2011 seasonal influenza vaccine will protect against an H3N2 virus, an influenza B virus, and the 2009 H1N1 virus that emerged last year to cause the first global pandemic in more than 40 years and resulted in substantial illness, hospitalizations and deaths."
&lt;/P&gt;&lt;P&gt;
&lt;FONT SIZE=+1&gt;&lt;B&gt;What to do?&lt;/B&gt;&lt;/FONT&gt;
&lt;/P&gt;&lt;P&gt;
First, try to protect personnel.
&lt;/P&gt;&lt;P&gt;
Find out what the Centers for Disease Control and Prevention recommends to combat the flu - both the "standard" Asian variety and the H1N5 variety. Start with the CDC Website at &lt;A HREF="http://www.cdc.gov/h1n1flu/" TARGET="CDC"&gt;http://www.cdc.gov/h1n1flu/&lt;/A&gt;; it has information from the 2009 threat.
&lt;/P&gt;&lt;P&gt;
Cross training should be a priority. While cross training, make certain managers are up-to-date with the functions of the people they supervise. 
&lt;/P&gt;&lt;P&gt;
Develop a succession plan. Encourage managers at all levels to name an alternate, someone who has the manager's authority and the manager's confidence to make decisions in the manager's absence. Again, the absence can be for any reason. The manager must announce the alternate - even "alternate du jour" if the manager wants to rotate the assignment - so the decision will be clear to everyone.
&lt;/P&gt;&lt;P&gt;
Review and, if necessary, update policies and procedures. 
&lt;/P&gt;&lt;P&gt;
A good risk management practitioner, with management cooperation, can do a lot to assure that the organization will be able to meet at least a minimum level of service.
&lt;/P&gt;&lt;P&gt;

&lt;/P&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5931600765099861931-4187730299743951422?l=johnglennmbci.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://johnglennmbci.blogspot.com/feeds/4187730299743951422/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5931600765099861931&amp;postID=4187730299743951422&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/4187730299743951422'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/4187730299743951422'/><link rel='alternate' type='text/html' href='http://johnglennmbci.blogspot.com/2012/01/erm-bc-coop-dust-off-pandemic-plans.html' title='&lt;H3&gt;&lt;U&gt;ERM-BC-COOP&lt;/U&gt;&lt;/H3&gt;  &lt;H1&gt;Dust off pandemic plans&lt;/H1&gt;'/><author><name>John Glenn MBCI</name><uri>http://www.blogger.com/profile/03499458727913967175</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='11' height='32' src='http://bp2.blogger.com/_j2DodcRshS0/R_-0aRRk2PI/AAAAAAAAAAk/d-6wSUMOBX4/S220/litehous-sml.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5931600765099861931.post-7503444297058377155</id><published>2011-12-27T14:27:00.001Z</published><updated>2011-12-27T14:34:53.443Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='Enterprise Risk Management'/><category scheme='http://www.blogger.com/atom/ns#' term='Business Continuity'/><title type='text'>ERM-BC-COOP  Stolen item may cost former owner "big bucks"</title><content type='html'>&lt;P&gt;&amp;nbsp;
&lt;/P&gt;&lt;P&gt;
If you owned something that was stolen, and the stolen item was used against someone or caused damage, are you liable?
&lt;/P&gt;&lt;P&gt;
Maybe.
&lt;/P&gt;&lt;P&gt;
In an article in the Milwaukee Journal-Sentinel headed &lt;A HREF="http://tinyurl.com/7x7ml5a" TARGET="Milwaukee"&gt;&lt;I&gt;Patrick Cudahy sues Navy over 2009 fire&lt;/I&gt;&lt;/a&gt;, "Patrick Cudahy Inc., its parent corporation Smithfield Foods, and several insurers have sued the U.S. Navy, seeking $326 million in losses from the massive 2009 fire at the meat packing plant caused by a stolen military flare set off as part of a Fourth of July celebration."
&lt;/P&gt;&lt;P&gt;
The plaintiffs contend that the Navy's negligence allowed the flare to be stolen from a California Marine base. The Navy denies responsibility under the Federal Tort Claims Act.
&lt;/P&gt;&lt;P&gt;
Basically, the suit contends that the Navy failed to properly inventory and control its property.
&lt;/P&gt;&lt;P&gt;
Strictly a Navy or government problem?
&lt;/P&gt;&lt;P&gt;
Hardly.
&lt;/P&gt;&lt;P&gt;
If the plaintiffs prevail, any organization that makes almost anything could be sued for damages.
&lt;/P&gt;&lt;P&gt;
In most civil suits, plaintiffs sue "the world" jointly and severally, looking for any organization with "deep pockets."
&lt;/P&gt;&lt;P&gt;
Most organizations have insurance coverage, but increasingly, two things are happening:
&lt;/P&gt;&lt;P&gt;
&lt;OL&gt;&lt;LI&gt;Awards, especially jury awards, exceed the insurance coverage&lt;/LI&gt;
&lt;/P&gt;&lt;P&gt;
&lt;LI&gt;The insurance company either refuses to pay or sues the insured to recover its payout.&lt;/LI&gt;&lt;/OL&gt;
&lt;/P&gt;&lt;P&gt;
In the Navy case, the insurers are among the plaintiffs.
&lt;/P&gt;&lt;P&gt;
The core complaint in the Navy action seems to be that the Navy allegedly &lt;i&gt;failed to perform due diligence&lt;/I&gt; when dealing with its resources, in this specific instance, a green star flare. According to the suit, the flare was found outside the actual training area and therefore the Navy breached its duty.
&lt;/P&gt;&lt;P&gt;
While the suit was only recently filed in federal court, the outcome will be interesting.
&lt;/P&gt;&lt;P&gt;
Unlike non-government entities, the Navy claims immunity from such suits. Non-government organizations lack that protection.
&lt;/P&gt;&lt;P&gt;
What then, based on the main focus of the suit, can an organization do to avoid or mitigate similar suits if someone uses something the organization owned to cause damage? In three words: &lt;B&gt;Use due diligence.&lt;/B&gt;
&lt;/P&gt;&lt;P&gt;
Inventory both stock on the shelf and resources - hardware and software items - and regularly revisit the inventory. If the organization deals in things that can go "bang in the night," perhaps inspect all packages, briefcases, and the like, as they exit the building.
&lt;/P&gt;&lt;P&gt;
The organization may still be sued, but if it can prove due diligence it may be removed from the action by the court. 
&lt;/P&gt;&lt;P&gt;
&lt;I&gt;Caveat: I am not a lawyer and I do not play one on tv.&lt;/I&gt;&lt;/P&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5931600765099861931-7503444297058377155?l=johnglennmbci.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://www.jsonline.com/business/patrick-cudahy-sues-navy-qn3htdl-136117578.html' title='&lt;H3&gt;&lt;U&gt;ERM-BC-COOP&lt;/U&gt;&lt;/H3&gt;  &lt;H1&gt;Stolen item may cost &lt;BR&gt;former owner &quot;big bucks&quot;&lt;/H1&gt;'/><link rel='replies' type='application/atom+xml' href='http://johnglennmbci.blogspot.com/feeds/7503444297058377155/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5931600765099861931&amp;postID=7503444297058377155&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/7503444297058377155'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/7503444297058377155'/><link rel='alternate' type='text/html' href='http://johnglennmbci.blogspot.com/2011/12/erm-bc-coop-stolen-item-may-cost-former.html' title='&lt;H3&gt;&lt;U&gt;ERM-BC-COOP&lt;/U&gt;&lt;/H3&gt;  &lt;H1&gt;Stolen item may cost &lt;BR&gt;former owner &quot;big bucks&quot;&lt;/H1&gt;'/><author><name>John Glenn MBCI</name><uri>http://www.blogger.com/profile/03499458727913967175</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='11' height='32' src='http://bp2.blogger.com/_j2DodcRshS0/R_-0aRRk2PI/AAAAAAAAAAk/d-6wSUMOBX4/S220/litehous-sml.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5931600765099861931.post-4552826465239956610</id><published>2011-12-21T17:47:00.001Z</published><updated>2011-12-21T17:47:35.972Z</updated><category 
scheme='http://www.blogger.com/atom/ns#' term='Enterprise Risk Management'/><category scheme='http://www.blogger.com/atom/ns#' term='Business Continuity'/><title type='text'>ERM-BC-COOP Holidays as risk</title><content type='html'>&lt;P&gt;&amp;nbsp;
&lt;/P&gt;&lt;P&gt;
For most people, holidays are a time away from the workplace.
&lt;/P&gt;&lt;P&gt;
A time to focus on things other than "The Job."
&lt;/P&gt;&lt;P&gt;
For the risk management practitioner, holidays are a risk.
&lt;/P&gt;&lt;P&gt;
&lt;H3&gt;Low level risks&lt;/H3&gt;
&lt;/P&gt;&lt;P&gt;
Some risks have a relatively low-level impact if - rather "when" - they occur.
&lt;/P&gt;&lt;P&gt;
The most frequently occurring risk is absence of decision makers.
&lt;/P&gt;&lt;P&gt;
Absence of crucial personnel - and this can be a person on a production line or a call center staffer during a busy time - also must concern the risk watcher.
&lt;/P&gt;&lt;P&gt;
Fortunately, these risks are relatively easy to avoid.
&lt;/P&gt;&lt;P&gt;
In two words: &lt;B&gt;Cross Training&lt;/B&gt;.
&lt;/P&gt;&lt;P&gt;
Practitioners know that every critical function in a response program must - not "should," but "must" - have both a primary and an alternate responder.
&lt;/P&gt;&lt;P&gt;
Even in the best of times, with no holidays in sight, people get sick, they take time to attend to relatives, they go to conferences and professional courses, and they go on vacation. 
&lt;/P&gt;&lt;P&gt;
On the truly negative side, there are layoffs and dismissals-for-cause.
&lt;/P&gt;&lt;P&gt;
Practitioners don't need to insist that management come up with a succession plan - although management &lt;b&gt;should&lt;/b&gt; do this, if only to keep the organization's clients confident that the organization will muddle along even sans the incumbent C*O.
&lt;/P&gt;&lt;P&gt;
Practitioners need to convince management that, while no one expects anything untoward to happen to them, they need to groom others to fill in for them when they vacation or are otherwise absent.
&lt;/P&gt;&lt;P&gt;
The "heir apparent," even if only appointed on a temporary basis, must have
&lt;/P&gt;&lt;P&gt;
&lt;UL&gt;&lt;LI&gt;the confidence of the about-to-be-absent manager
&lt;/P&gt;&lt;P&gt;
&lt;/LI&gt;&lt;LI&gt;sufficient self-confidence to make decisions&lt;/LI&gt;&lt;/UL&gt;
&lt;/P&gt;&lt;P&gt;
and the manager's decision must be known to "all hands," both up and down the personnel ladder.
&lt;/P&gt;&lt;P&gt;
It helps if the Most Senior Executive has a formal job description of some type.
&lt;/P&gt;&lt;P&gt;
The key to the success of selling the idea to everyone reporting (directly or indirectly) to the Top Executive and Board is for the Top Executive to get on board.
&lt;/P&gt;&lt;P&gt;
Note that in all the foregoing, the term "succession plan" has generally been ignored.
&lt;/P&gt;&lt;P&gt;
Practitioners need to be included in all critical projects to assure that the project manager builds in time for holiday interruptions. This adds a burden on the practitioner: he or she must be aware of &lt;i&gt;all&lt;/i&gt; holidays that might reduce the work force and delay project completion. This can be especially challenging for multi-national organizations' planners.
&lt;/P&gt;&lt;P&gt;
&lt;H3&gt;High level risks&lt;/H3&gt;
&lt;/P&gt;&lt;P&gt;
Fortunately, risks I term as "high level" are exceedingly rare.
&lt;/P&gt;&lt;P&gt;
They are "high level" because of the impact they can have on the organization.
&lt;/P&gt;&lt;P&gt;
High level risks often are holiday-related. 
&lt;/P&gt;&lt;P&gt;
&lt;UL&gt;The Yom Kippur War.
&lt;/P&gt;&lt;P&gt;
Pearl Harbor - while not on Christmas, the country already was "winding down" for the holiday.&lt;/UL&gt;
&lt;/P&gt;&lt;P&gt;
National and religious holidays often are preferred dates for attacks against defined groups. Occasionally, an attack will be scheduled on the attackers' holiday.
&lt;/P&gt;&lt;P&gt;
Natural events such as earthquakes, floods, tornados and the like are no respecters of an organization's staffing abilities and can occur almost anytime.
&lt;/P&gt;&lt;P&gt;
Burglars find holidays a good time to strike - staffs are reduced or facilities closed, making access less difficult.  No matter what the intruders are after, they have a better chance of success.
&lt;/P&gt;&lt;P&gt;
Admittedly, cross training won't help here. Maintaining an increased level of alertness by security personnel will help. The question to ask: is Security - be it in house or vendor-provided - able to meet the staffing requirements; is Security protected against personnel absences?
&lt;/P&gt;&lt;P&gt;
But again, the &lt;I&gt;likelihood&lt;/i&gt; of such an event is lower than that of the absence of a needed employee.
&lt;/P&gt;&lt;P&gt;
&lt;I&gt;If I wrote it, you may quote it.&lt;/I&gt;
&lt;/P&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5931600765099861931-4552826465239956610?l=johnglennmbci.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://johnglennmbci.blogspot.com/feeds/4552826465239956610/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5931600765099861931&amp;postID=4552826465239956610&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/4552826465239956610'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/4552826465239956610'/><link rel='alternate' type='text/html' href='http://johnglennmbci.blogspot.com/2011/12/erm-bc-coop-holidays-as-risk.html' title='&lt;H3&gt;&lt;U&gt;ERM-BC-COOP&lt;/U&gt;&lt;/H3&gt; &lt;H1&gt;Holidays as risk&lt;/H1&gt;'/><author><name>John Glenn MBCI</name><uri>http://www.blogger.com/profile/03499458727913967175</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='11' height='32' src='http://bp2.blogger.com/_j2DodcRshS0/R_-0aRRk2PI/AAAAAAAAAAk/d-6wSUMOBX4/S220/litehous-sml.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5931600765099861931.post-4691721521165430380</id><published>2011-12-08T15:11:00.002Z</published><updated>2011-12-08T15:14:09.854Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='Enterprise Risk Management'/><category scheme='http://www.blogger.com/atom/ns#' term='Business Continuity'/><title type='text'>ERM-BC-COOP Lessons from 1942 for ERM  Practitioners in 2012</title><content type='html'>&lt;P&gt;&amp;nbsp;
&lt;I&gt;The following came to me as an email. I don't know the sender, but the information, if given some thought, can relate to what we see everyday. Aside from formatting the file it is "as received."&lt;/I&gt;
&lt;/P&gt;&lt;P&gt;
&lt;H1&gt;"Remember Pearl Harbor - Keep America Alert"&lt;/H1&gt;
&lt;P&gt;
"Remember Pearl Harbor - Keep America Alert" is the motto of the Pearl Harbor Survivors, who sadly will disband this year.
&lt;/P&gt;&lt;P&gt;
As we reflect on the 70th anniversary of the bombing of Pearl Harbor, I'd like to share a piece of an old report with timeless lessons, the 
&lt;/P&gt;&lt;P&gt;
25 Deficiencies from the 1942 Pearl Harbor Congressional Report.  
&lt;/P&gt;&lt;P&gt;
Perhaps you'll find something here you can use in your role preparing Americans for the worst.
&lt;/P&gt;&lt;P&gt;
These brave men remind us, as George Santayana wrote, "Those who cannot remember the past are condemned to repeat it".
&lt;/P&gt;&lt;P&gt;
Below are those 25 deficiencies - how far have we come?
&lt;/P&gt;&lt;P&gt;
Thanks to all who demonstrate what it is to be a hero, and to you who pledge to live in honor of their bravery.
&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;H2&gt;&lt;FONT SIZE=+2&gt;The Failures&lt;/FONT&gt;&lt;/H2&gt;

&lt;OL&gt;
&lt;/P&gt;&lt;P&gt;
&lt;LI&gt;&lt;B&gt;Organization&lt;/B&gt;&lt;BR&gt;Multiple parallel organizations with ambiguous authority
&lt;/P&gt;&lt;P&gt;
&lt;/LI&gt;&lt;LI&gt;&lt;B&gt;Assumption&lt;/B&gt;&lt;BR&gt;Information-sharing convention is not known or understood, but appropriate sharing to avoid disaster is assumed
&lt;/P&gt;&lt;P&gt;
&lt;/LI&gt;&lt;LI&gt;&lt;B&gt; Omission&lt;/B&gt;&lt;BR&gt;Information-sharing distribution is incomplete, people and entities excluded
&lt;/P&gt;&lt;P&gt;
&lt;/LI&gt;&lt;LI&gt;&lt;B&gt;Verification&lt;/B&gt;&lt;BR&gt;Commands/information sent, no follow-up to ensure understanding and action, capabilities or actions are assumed and not verified
&lt;/P&gt;&lt;P&gt;
&lt;/LI&gt;&lt;LI&gt;&lt;B&gt;Supervision&lt;/B&gt;&lt;BR&gt;No close supervision to verify understanding and predictable action - compliance assumed
&lt;/P&gt;&lt;P&gt;
&lt;/LI&gt;&lt;LI&gt;&lt;B&gt;Alertness&lt;/B&gt;&lt;BR&gt;Heightened alert is undermined by repeated training and exercises
&lt;/P&gt;&lt;P&gt;
&lt;/LI&gt;&lt;LI&gt;&lt;B&gt;Complacency&lt;/B&gt;&lt;BR&gt;Vigilance relaxes from the day-to-day lull of business as usual; a "what-could-happen?" attitude
&lt;/P&gt;&lt;P&gt;
&lt;/LI&gt;&lt;LI&gt;&lt;B&gt;Intelligence&lt;/B&gt;&lt;BR&gt;No centralized intelligence services with tailored dissemination of intelligence products; too many independent sources of collection and analysis
&lt;/P&gt;&lt;P&gt;
&lt;/LI&gt;&lt;LI&gt;&lt;B&gt;Attitude&lt;/B&gt;&lt;BR&gt;Superiors do not engage in open dialogue with peers and subordinates; the superiors act superior (arrogance)
&lt;/P&gt;&lt;P&gt;
&lt;/LI&gt;&lt;LI&gt;&lt;B&gt;Imagination&lt;/B&gt;&lt;BR&gt;"Worst-case" scenarios not included in preparedness and response planning
&lt;/P&gt;&lt;P&gt;
&lt;/LI&gt;&lt;LI&gt;&lt;B&gt;Communications&lt;/B&gt;&lt;BR&gt;Information exchanged is ambiguous, convoluted, or contradictory - no use of common "plain" language
&lt;/P&gt;&lt;P&gt;
&lt;/LI&gt;&lt;LI&gt;&lt;B&gt;Paraphrase&lt;/B&gt;&lt;BR&gt;Messages altered according to assumption and no verification
&lt;/P&gt;&lt;P&gt;
&lt;/LI&gt;&lt;LI&gt;&lt;B&gt;Adaptability&lt;/B&gt;&lt;BR&gt;Alert and response thresholds are not matched to the known threat environment
&lt;/P&gt;&lt;P&gt;
&lt;/LI&gt;&lt;LI&gt;&lt;B&gt;Disclosure&lt;/B&gt;&lt;BR&gt;Intelligence so protected that it is inaccessible to those who urgently need it, rather than converting products to actionable information while protecting "sources and methods"
&lt;/P&gt;&lt;P&gt;
&lt;/LI&gt;&lt;LI&gt;&lt;B&gt;Insight&lt;/B&gt;&lt;BR&gt;Inadequate understanding of the threat and capabilities to address this threat lead to underestimated risk
&lt;/P&gt;&lt;P&gt;
&lt;/LI&gt;&lt;LI&gt;&lt;B&gt;Dissemination&lt;/B&gt;&lt;BR&gt;Information is not provided to subordinates who need to know
&lt;/P&gt;&lt;P&gt;
&lt;/LI&gt;&lt;LI&gt;&lt;B&gt;Inspection&lt;/B&gt;&lt;BR&gt;Leaders do not know or understand their personnel and critical systems
&lt;/P&gt;&lt;P&gt;
&lt;/LI&gt;&lt;LI&gt;&lt;B&gt;Preparedness&lt;/B&gt;&lt;BR&gt;Prepare for consequences of what a threat might do, instead of what it can do
&lt;/P&gt;&lt;P&gt;
&lt;/LI&gt;&lt;LI&gt;&lt;B&gt;Consistency&lt;/B&gt;&lt;BR&gt;Official direction is contradicted by unofficial speculation from authorities
&lt;/P&gt;&lt;P&gt;
&lt;/LI&gt;&lt;LI&gt;&lt;B&gt;Protectiveness&lt;/B&gt;&lt;BR&gt;Individual or organizational one-upmanship for real or perceived self-benefit
&lt;/P&gt;&lt;P&gt;
&lt;/LI&gt;&lt;LI&gt;&lt;B&gt;Relationships&lt;/B&gt;&lt;BR&gt;Personal friendships inhibit identification and resolution of deficiencies or gaps
&lt;/P&gt;&lt;P&gt;
&lt;/LI&gt;&lt;LI&gt;&lt;B&gt;Priority&lt;/B&gt;&lt;BR&gt;Failure to prioritize critical needs over day-to-day activities
&lt;/P&gt;&lt;P&gt;
&lt;/LI&gt;&lt;LI&gt;&lt;B&gt;Reporting&lt;/B&gt;&lt;BR&gt;Subordinates fail to report information up the command chain
&lt;/P&gt;&lt;P&gt;
&lt;/LI&gt;&lt;LI&gt;&lt;B&gt;Improvement&lt;/B&gt;&lt;BR&gt;Failure to identify gaps, particularly in worst-case scenarios, and correct them
&lt;/P&gt;&lt;P&gt;
&lt;/LI&gt;&lt;LI&gt;&lt;B&gt;Delegation&lt;/B&gt;&lt;BR&gt;Responsibility is delegated with inadequate authority to act&lt;/li&gt;&lt;/ol&gt;
&lt;/P&gt;&lt;P&gt;
Hope you'll find this of use; you are of course welcome to share...   
&lt;/P&gt;&lt;P&gt;
From:  Interoperability in Critical IT and Communication Systems 
&lt;/P&gt;&lt;P&gt;
Dr. Bob Desourdis cites in his book quotes from the Congressional After Action investigation &amp; report of 1945/46 on the failures of Pearl Harbor.  Sharing as food for thought.
  
&lt;/P&gt;&lt;P&gt;
Michael 
 
&lt;/P&gt;&lt;P&gt;
Michael Walker&lt;BR&gt; 
443.986.7104&lt;BR&gt;
wirelesswalker@yahoo.com&lt;BR&gt;
www.vuetoo.com&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5931600765099861931-4691721521165430380?l=johnglennmbci.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://johnglennmbci.blogspot.com/feeds/4691721521165430380/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5931600765099861931&amp;postID=4691721521165430380&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/4691721521165430380'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/4691721521165430380'/><link rel='alternate' type='text/html' href='http://johnglennmbci.blogspot.com/2011/12/erm-bc-coop-lessons-from-1942-for-erm.html' title='&lt;H3&gt;&lt;U&gt;ERM-BC-COOP&lt;/U&gt;&lt;/H3&gt; &lt;H1&gt;Lessons from 1942 for ERM &lt;BR&gt; Practitioners in 2012&lt;/H1&gt;'/><author><name>John Glenn MBCI</name><uri>http://www.blogger.com/profile/03499458727913967175</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='11' height='32' src='http://bp2.blogger.com/_j2DodcRshS0/R_-0aRRk2PI/AAAAAAAAAAk/d-6wSUMOBX4/S220/litehous-sml.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5931600765099861931.post-4105338141030516853</id><published>2011-12-07T15:35:00.002Z</published><updated>2011-12-07T15:41:47.227Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='Enterprise Risk Management'/><category scheme='http://www.blogger.com/atom/ns#' term='FPL'/><category scheme='http://www.blogger.com/atom/ns#' term='Florida Power and Light'/><category scheme='http://www.blogger.com/atom/ns#' term='Business Continuity'/><title type='text'>ERM-BC-COOP Paper 
trumps experience</title><content type='html'>&lt;CENTER&gt;&lt;H3&gt;&lt;font size=+2&gt;&lt;U&gt;a rant&lt;/U&gt;&lt;/font&gt;&lt;/H3&gt;&lt;/CENTER&gt;
&amp;nbsp;&lt;/P&gt;&lt;P&gt;
I applied for a job today via a recruiter.
&lt;/P&gt;&lt;P&gt;
I am an "Ivory Soap" match for the job.
&lt;/P&gt;&lt;P&gt;
But the 66/100% I lack  (Ivory Soap advertises it is 99 44/100th percent pure), when confirmed, caused the recruiter to hang up on me.
&lt;/P&gt;&lt;P&gt;
I could have brought more than 15 years' experience to the recruiter's client.
&lt;/P&gt;&lt;P&gt;
But the lack of a degree - the "66/100th percent" - ended the phone call.
&lt;/P&gt;&lt;P&gt;
"The client requires it," she said.
&lt;/P&gt;&lt;P&gt;
I can't entirely fault the recruiter. After all, "the client requires a degree."
&lt;/P&gt;&lt;P&gt;
I know the client - Florida Power &amp; Light, FPL. I send it a check every month. 
&lt;/P&gt;&lt;P&gt;
What I am beginning to think is that whoever created this job requisition for FPL doesn't know much about &lt;U&gt;business&lt;/U&gt; continuity.
&lt;/P&gt;&lt;P&gt;
Would a degree in InfoTech Security meet the requirements? 
&lt;/P&gt;&lt;P&gt;
You bet. Forget that InfoTech security is only a very small part of &lt;u&gt;business&lt;/U&gt; continuity.
&lt;/P&gt;&lt;P&gt;
How about a degree in journalism?
&lt;/P&gt;&lt;P&gt;
Actually that might be BETTER than a degree in InfoTech security since there is a great deal of documentation involved in creating and maintaining a &lt;U&gt;business&lt;/U&gt; continuity plan or program.
&lt;/P&gt;&lt;P&gt;
The FPL job req writer is telling me that four years of listening to people pontificate about subjects in which they may have zero practical experience is better than 15 years' hands-on experience.
&lt;/P&gt;&lt;P&gt;
OK, to be fair, I &lt;I&gt;know&lt;/I&gt; there are some college instructors who DO have "real world" experience. I had a couple when I attended Barry U and Sarasota U. But I also had the "other" kind. I'm a former journalist - reporter to managing editor. The required English 1 course had the instructor - a high school English teacher during the day - &lt;i&gt;try&lt;/i&gt; to teach the class how to write a story for a newspaper. The gentleman could hardly &lt;I&gt;spell&lt;/I&gt; "newspaper," let alone create copy for one.
&lt;/P&gt;&lt;P&gt;
But he had a degree, maybe two, and therefore was an "expert" in the field.
&lt;/P&gt;&lt;P&gt;
America was not built on degrees. It was built on people developing expertise.
&lt;/P&gt;&lt;P&gt;
Admittedly, my profession lacks - sadly - an apprentice program. 
&lt;/P&gt;&lt;P&gt;
Likewise "admittedly," there are people who claim expertise, some with certifications, who can't plan their way across a deserted country road.
&lt;/P&gt;&lt;P&gt;
But if they have a degree . . . 
&lt;/P&gt;&lt;P&gt;
FPL, or at least the contracting agencies, are offering a below-market rate so maybe it is just as well that this recruiter abruptly ended the call.
&lt;/P&gt;&lt;P&gt;
Still, it would have been a good match: FPL and this practitioner.
&lt;/P&gt;&lt;P&gt;
&lt;I&gt;If I wrote it, you may quote it.&lt;/I&gt;
&lt;/P&gt;&lt;P&gt;
Longer articles at &lt;A HREF="https://sites.google.com/site/johnglennmbci/" TARGET="Long"&gt;https://sites.google.com/site/johnglennmbci/&lt;/A&gt;
&lt;/P&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5931600765099861931-4105338141030516853?l=johnglennmbci.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://johnglennmbci.blogspot.com/feeds/4105338141030516853/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5931600765099861931&amp;postID=4105338141030516853&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/4105338141030516853'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/4105338141030516853'/><link rel='alternate' type='text/html' href='http://johnglennmbci.blogspot.com/2011/12/erm-bc-coop-paper-trumps-experience.html' title='&lt;H3&gt;&lt;U&gt;ERM-BC-COOP&lt;/U&gt;&lt;/H3&gt; &lt;H1&gt;Paper trumps experience&lt;/H1&gt;'/><author><name>John Glenn MBCI</name><uri>http://www.blogger.com/profile/03499458727913967175</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='11' height='32' src='http://bp2.blogger.com/_j2DodcRshS0/R_-0aRRk2PI/AAAAAAAAAAk/d-6wSUMOBX4/S220/litehous-sml.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5931600765099861931.post-7905614689051028547</id><published>2011-12-02T14:16:00.003Z</published><updated>2011-12-02T14:40:57.987Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='Enterprise Risk Management'/><category scheme='http://www.blogger.com/atom/ns#' term='Business Continuity'/><title type='text'>ERM-BC-COOP (Un)Social Media</title><content type='html'>&lt;P&gt;&amp;nbsp;
&lt;/P&gt;&lt;P&gt;
In a Wall Street Journal copyrighted article at &lt;A HREF="http://online.wsj.com/article/SB10001424052970203710704577049822809710332.html?KEYWORDS=Legal+Cover+for+Rants" TARGET="WSJ"&gt;http://tinyurl.com/88h2q2h&lt;/A&gt;, organizations learn that under certain circumstances angry employees can say almost anything they wish against their past or current employer with impunity.
&lt;/P&gt;&lt;P&gt;
If the employer acts against the employee, the organization may face charges from the National Labor Relations Board (NLRB).
&lt;/P&gt;&lt;P&gt;
According to what appears to be a supplement to the &lt;A HREF="mailto:melanie.trottman@wsj.com"&gt;Melanie Trottman&lt;/a&gt;  article, the AdvisenFPN version of the copy appends the following:
&lt;/P&gt;&lt;P&gt;
&lt;UL&gt;
Companies are facing a growing number of civil charges over disciplinary actions spurred by online comments from employees. Following are the National Labor Relations Board's guidelines on what workers and employers are allowed to do on social media: 
&lt;/P&gt;&lt;P&gt;
Protected employee behavior -- things employees should be allowed to do without being fired: 
&lt;/P&gt;&lt;P&gt;
-- Workers discussing with each other pay or other workplace conditions, or an individual speaking on behalf of other workers about, or with the intention, to improve workplace conditions. The key is there has to be group activity, in intention or result. It is described under the law as "protected concerted activity." 
&lt;/P&gt;&lt;P&gt;
-- Name-calling -- depending on the word used and the context -- that doesn't involve physical or verbal threats. 
&lt;/P&gt;&lt;P&gt;
Unprotected employee behavior -- things that could get an employee disciplined or fired: 
&lt;/P&gt;&lt;P&gt;
-- Mere griping solely by and on behalf of oneself, with no evidence of intended or actual group action to improve working conditions. 
&lt;/P&gt;&lt;P&gt;
-- Physical or verbal threats against an employer or co-worker, depending on the context.
&lt;/P&gt;&lt;P&gt;
Unlawful employer behavior: 
&lt;/P&gt;&lt;P&gt;
-- Maintaining a company policy that restricts workers' rights to discuss online with co-workers their wages and other working conditions. 
&lt;/P&gt;&lt;P&gt;
-- Firing an employee for engaging in protected concerted behavior.&lt;/UL&gt;
&lt;/P&gt;&lt;P&gt;
So, if a disgruntled employee calls a manager a "scumbag" in the course of an exchange with fellow workers, and if someone replies &lt;i&gt;in any manner&lt;/i&gt;, the employee apparently is protected by the NLRB.
&lt;/P&gt;&lt;P&gt;
It seems to me - and I must add this caveat: "I am not a lawyer and I don't play one on tv" - that the specific person who is maligned - calling a person a "scumbag" is hardly a compliment - ought to, with perhaps assistance from the employer, file a civil complaint against the name caller.
&lt;/P&gt;&lt;P&gt;
The right of free speech is an important part of the American way, but libel and slander still are actionable.
&lt;/P&gt;&lt;P&gt;
For all that, organizations of all types &lt;i&gt;&lt;u&gt;should&lt;/U&gt;&lt;/I&gt; have policies and procedures in place clearly setting forth what is acceptable and expected behavior of people employed - at any level - by the organization. These policies and procedures &lt;b&gt;must&lt;/b&gt;
&lt;/P&gt;&lt;P&gt;
&lt;OL&gt;&lt;LI&gt;Be vetted by qualified legal counsel, that is, lawyers specializing in HR issues
&lt;/P&gt;&lt;P&gt;
&lt;/LI&gt;&lt;LI&gt;Be read, and understanding acknowledged, by &lt;i&gt;all&lt;/I&gt; employees, regardless of position within the organization, from Most Senior Executive to newest intern &lt;i&gt;and&lt;/I&gt; contractors/consultants.&lt;/LI&gt;
&lt;/OL&gt;
&lt;/P&gt;&lt;P&gt;
If there is a problem in the organization and an employee, for whatever reason, "goes public" with it on so-called social media, it behooves management to examine the complaint to see if it has merit. At the same time, it seems appropriate to act against libel and slander.
&lt;/P&gt;&lt;P&gt;
Longer articles at &lt;A HREF="https://sites.google.com/site/johnglennmbci/" TARGET="Long"&gt;https://sites.google.com/site/johnglennmbci/&lt;/A&gt;
&lt;/P&gt;&lt;P&gt;
&lt;I&gt;If I wrote it, you may quote it.&lt;/I&gt;
&lt;/P&gt;
&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5931600765099861931-7905614689051028547?l=johnglennmbci.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://johnglennmbci.blogspot.com/feeds/7905614689051028547/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5931600765099861931&amp;postID=7905614689051028547&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/7905614689051028547'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/7905614689051028547'/><link rel='alternate' type='text/html' href='http://johnglennmbci.blogspot.com/2011/12/erm-bc-coop-unsocial-media.html' title='&lt;H3&gt;&lt;U&gt;ERM-BC-COOP&lt;/U&gt;&lt;/H3&gt; &lt;H1&gt;(Un)Social Media&lt;/H1&gt;'/><author><name>John Glenn MBCI</name><uri>http://www.blogger.com/profile/03499458727913967175</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='11' height='32' src='http://bp2.blogger.com/_j2DodcRshS0/R_-0aRRk2PI/AAAAAAAAAAk/d-6wSUMOBX4/S220/litehous-sml.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5931600765099861931.post-3753486177785560155</id><published>2011-11-30T14:17:00.003Z</published><updated>2011-11-30T14:34:01.339Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='Enterprise Risk Management'/><category scheme='http://www.blogger.com/atom/ns#' term='Business Continuity'/><title type='text'>ERM-BC-COOP Damage Control</title><content type='html'>&lt;CENTER&gt;&lt;H3&gt;GM makes it work&lt;/H3&gt;&lt;/CENTER&gt;
&lt;/P&gt;&lt;P&gt;
&lt;P&gt;&amp;nbsp;
&lt;/P&gt;&lt;P&gt;
Image can be critical to an organization's bottom line.
&lt;/P&gt;&lt;P&gt;
&lt;UL&gt;Ask Toyota.
&lt;/P&gt;&lt;P&gt; 
Ask Ford and Firestone.&lt;/UL&gt;
&lt;/P&gt;&lt;P&gt;
Since a damaged "image" can have a severe impact on an organization - &lt;i&gt;any&lt;/I&gt; organization, even ones that depend on donors,  think charities and blood banks - things that can lower the image in the eyes of "The World" must be considered risks.
&lt;/P&gt;&lt;P&gt;
Sometimes, as in the case of General Motors and its "fire after an accident" Chevy Volt, the risk cannot be prevented.
&lt;/P&gt;&lt;P&gt;
But it can - &lt;U&gt;it must&lt;/U&gt; - be mitigated.
&lt;/P&gt;&lt;P&gt;
Everyone knows the story of Toyota's acceleration problems and how Toyota dragged its heels publicly in dealing with the issue.
&lt;/P&gt;&lt;P&gt;
Many will recall the Ford-Firestone finger pointing when Explorer SUVs started "turning turtle." Rather than immediately move to replace Firestone tires then suspected of being either the cause or a contributing factor in the roll-overs, Ford and Firestone got into a PR battle as Explorers continued to tip over. 
&lt;/P&gt;&lt;P&gt;
Ford finally replaced all Firestone tires on all Explorers but no one accepted blame for a bad combination of vehicle and tires.
&lt;/P&gt;&lt;P&gt;
One of my frequent admonishments to people who expect a risk management plan to be perfect before the first exercise is "Nothing is perfect the first time out."
&lt;/P&gt;&lt;P&gt;
No matter how expert the practitioner; no matter how conscientious the Subject Matter Experts, something  &lt;i&gt;always&lt;/i&gt; is overlooked and discovered only during an exercise. Nothing is perfect the first time out. Nothing.
&lt;/P&gt;&lt;P&gt;
GM found that out with its Chevy Volt.
&lt;/P&gt;&lt;P&gt;
According to a &lt;i&gt;Los Angeles Times&lt;/i&gt; article titled &lt;U&gt;GM learns from Toyota how not to handle a crisis&lt;/U&gt; (see &lt;A HREF="http://www.latimes.com/business/autos/la-fi-gm-volt-20111129,0,4124119.story" TARGET="LATimes"&gt;http://www.latimes.com/business/autos/la-fi-gm-volt-20111129,0,4124119.story&lt;/A&gt;), "After reports of fires in Volt electric vehicles that had been crash-tested, GM put the communications pedal to the metal — unlike Toyota, which responded slowly and ineffectually to its sudden-acceleration crisis."
&lt;/P&gt;&lt;P&gt;
The Times piece detailed the Volt's problem - fires that followed test crashes of its Chevrolet Volt electric vehicles - and what GM was doing to give its customers a "warm fuzzy feeling" toward  the company, the brand (Chevrolet), and the specific vehicle (Volt).
&lt;/P&gt;&lt;P&gt;
GM apparently wants to avoid looking like Toyota, yet it is taking a leaf from Toyota's book from better days. GM is offering Volt owners free loaners until the "fire after an accident" issue is resolved. Toyota did something similar when it introduced its high-end Lexus model and discovered a couple of problems. According to the Times, "Toyota had Lexus dealers deliver loaners to people's homes, repaired the recalled cars and returned them washed, detailed and with a full tank of gas".
&lt;/P&gt;&lt;P&gt;
Was Toyota's quick action appropriate? Count the number of Lexus vehicles in the neighborhood.
&lt;/P&gt;&lt;P&gt;
Understanding that (a) nothing is perfect the first time out and (b) that "things" &lt;i&gt;will&lt;/i&gt; happen, the smart risk management practitioner recommends that "generic" scripts be created for possible image gremlins, and works with executive management, legal, and corporate communications/PR so that when - not "if" but "when" - an issue arises the organization can respond quickly.
&lt;/P&gt;&lt;P&gt;
The organization will have at least an outline of what to say, it will know who is capable of delivering the message (and who might freeze before an audience), and the spokesperson will have practiced message presentation.
&lt;/P&gt;&lt;P&gt;
A really sharp practitioner also will recommend that multiple presentations be prepared for different audiences - all having the same &lt;i&gt;basic&lt;/i&gt; content - audiences that include
&lt;/P&gt;&lt;P&gt;
&lt;UL&gt;&lt;LI&gt;customers
&lt;/P&gt;&lt;P&gt;
&lt;/LI&gt;&lt;LI&gt;employees
&lt;/P&gt;&lt;P&gt;
&lt;/LI&gt;&lt;LI&gt;financial backers (stockholders, lenders, etc.)
&lt;/P&gt;&lt;P&gt;
&lt;/LI&gt;&lt;LI&gt;local media
&lt;/P&gt;&lt;P&gt;
&lt;/LI&gt;&lt;LI&gt;national media
&lt;/P&gt;&lt;P&gt;
&lt;/LI&gt;&lt;LI&gt;regulators
&lt;/P&gt;&lt;P&gt;
&lt;/LI&gt;&lt;LI&gt;trade associations
&lt;/P&gt;&lt;P&gt;
&lt;/LI&gt;&lt;LI&gt;vendors&lt;/LI&gt;&lt;/UL&gt;
&lt;/P&gt;&lt;P&gt;
As an aside, the &lt;i&gt;reason&lt;/i&gt; for separating the media into "local" and "national" is to assure that the local media are not slighted. The national media reporters will go home once the story starts having "second day leeds" &lt;SUP&gt;(&lt;U&gt;cq&lt;/U&gt;)&lt;/SUP&gt;; the organization will have to deal with the local press for the long term; treat the local reporters kindly. This scrivener once was "local press."
&lt;/P&gt;&lt;P&gt;
As with most risks, threats to the organization's image &lt;I&gt;can be mitigated&lt;/i&gt; but, as with most risks, responses must be planned and practiced, exercised.
&lt;/P&gt;&lt;P&gt;
It is said that a person's greatest asset is his name.
&lt;/P&gt;&lt;P&gt;
That applies equally to an organization.
&lt;/P&gt;&lt;P&gt;
&lt;I&gt;If I wrote it, you may quote it.&lt;/I&gt;
&lt;/P&gt;&lt;P&gt;
Longer articles at &lt;A HREF="https://sites.google.com/site/johnglennmbci/" TARGET="Long"&gt;https://sites.google.com/site/johnglennmbci/&lt;/A&gt;&lt;/P&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5931600765099861931-3753486177785560155?l=johnglennmbci.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://johnglennmbci.blogspot.com/feeds/3753486177785560155/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5931600765099861931&amp;postID=3753486177785560155&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/3753486177785560155'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/3753486177785560155'/><link rel='alternate' type='text/html' href='http://johnglennmbci.blogspot.com/2011/11/erm-bc-coop-damage-control.html' title='&lt;H3&gt;&lt;U&gt;ERM-BC-COOP&lt;/U&gt;&lt;/H3&gt; &lt;H1&gt;Damage Control&lt;/H1&gt;'/><author><name>John Glenn MBCI</name><uri>http://www.blogger.com/profile/03499458727913967175</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='11' height='32' src='http://bp2.blogger.com/_j2DodcRshS0/R_-0aRRk2PI/AAAAAAAAAAk/d-6wSUMOBX4/S220/litehous-sml.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5931600765099861931.post-1458096102552802395</id><published>2011-11-28T13:55:00.005Z</published><updated>2011-11-29T12:31:16.786Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='Enterprise Risk Management'/><category scheme='http://www.blogger.com/atom/ns#' term='Business Continuity'/><title type='text'>ERM-BC-COOP Government as risk</title><content type='html'>&lt;P&gt;&amp;nbsp;
&lt;/P&gt;&lt;P&gt;
It's not the first time I have suggested that government - at all levels - should be considered a risk to the organization.
&lt;/P&gt;&lt;P&gt;
Usually we think of government making a rule that restricts the organization's business or adds additional regulations . . . and costs.
&lt;/P&gt;&lt;P&gt;
Sometimes, though, government may reduce or eliminate regulation.
&lt;/P&gt;&lt;P&gt;
According to an AdvisenFPN article that first appeared in the &lt;U&gt;Wall Street Journal&lt;/U&gt; (&lt;A HREF="http://tinyurl.com/7lad3qx" TARGET="WSJ"&gt;http://tinyurl.com/7lad3qx&lt;/a&gt;) titled &lt;I&gt;Critics Target Bribery Law &lt;/I&gt;, corporate America's top lobbyists are trying to limit the Foreign Corrupt Practices Act of 1977, a/k/a FCPA.
&lt;/P&gt;&lt;P&gt;
In a Joe Palazzolo-bylined article, the WSJ reports that the effort against FCPA has risen to the top of the lobbyists' agenda, sparking a widespread debate about how the legislation is enforced. The reason for the corporate war on FCPA: "In the past five years, a remarkable run of enforcement of the U.S. law has led to about $4 billion in penalties against corporations. The law prohibits companies from paying bribes to foreign officials to win business. A violation can result in criminal prosecution," the WSJ article noted. 
&lt;/P&gt;&lt;P&gt;
I recently did a project for World Compliance (&lt;A HREF="http://www.worldcompliance.com/en/default.aspx" TARGET="World"&gt;http://www.worldcompliance.com/en/default.aspx&lt;/A&gt;), an organization that specializes in FCPA. It has a multitude of clients in the financial industry who are, thanks in part to FCPA, concerned that their transactions and their clients are above reproach.
&lt;/P&gt;&lt;P&gt;
World Compliance is akin to the CIA - it collects information from around the world, vets it to assure accuracy, and then packages it for its clients. To its credit, World Compliance takes risk management very seriously.
&lt;/P&gt;&lt;P&gt;
&lt;a href="http://3.bp.blogspot.com/-fZFQ8QEBGxc/TtOY92zqh3I/AAAAAAAAAHk/8wOoOa6dgww/s1600/WorldCompliance.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 259px;" src="http://3.bp.blogspot.com/-fZFQ8QEBGxc/TtOY92zqh3I/AAAAAAAAAHk/8wOoOa6dgww/s400/WorldCompliance.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5680051743495980914" /&gt;&lt;/a&gt;
&lt;/P&gt;&lt;CENTER&gt;&lt;P&gt;
&lt;/P&gt;&lt;/CENTER&gt;&lt;P&gt;
While eliminating FCPA would not by itself put World Compliance out of business - as the name implies, the organization has clients worldwide and, in addition to FCPA, it also provides data to clients complying with European laws as well as U.S. Treasury Department regulations and the Patriot Act - emasculating or killing the FCPA could impact the organization's bottom line.
&lt;/P&gt;&lt;P&gt;
Of course World Compliance has more than U.S. lobbyists to consider. It has to take lobbyists into account every place it does business, and that is most of the world. Again, its core business is gathering information about people from the four corners of the world, analyzing the information, and packaging it for its clients. 
&lt;/P&gt;&lt;P&gt;
As with the CIA, most of the data is public information;  World Compliance's raison d'être is the analysis and vetting of the information, putting together all the pieces that may come from disparate sources.
&lt;/P&gt;&lt;P&gt;
No matter what the organization's purpose - be it commercial, industrial, a non-profit, or a charity - the whims of government must be considered a risk. Depending on the type of government, the rulers may be swayed by money, favors owed, promises of votes or threats of loss of votes, or less polite measures.
&lt;/P&gt;&lt;P&gt;
FCPA hurt - and continues to hurt - organizations that did business by bribery. It hurt them because U.S. companies no longer were on a level playing field with their foreign competition, and it hurts them when - despite FCPA - they feel obliged to risk a bribe and get caught.
&lt;/P&gt;&lt;P&gt;
Longer articles at &lt;A HREF="https://sites.google.com/site/johnglennmbci/" TARGET="Long"&gt;https://sites.google.com/site/johnglennmbci/&lt;/A&gt;
&lt;/P&gt;&lt;P&gt;
&lt;I&gt;If I wrote it, you may quote it.&lt;/I&gt;
&lt;/P&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5931600765099861931-1458096102552802395?l=johnglennmbci.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://johnglennmbci.blogspot.com/feeds/1458096102552802395/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5931600765099861931&amp;postID=1458096102552802395&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/1458096102552802395'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/1458096102552802395'/><link rel='alternate' type='text/html' href='http://johnglennmbci.blogspot.com/2011/11/erm-bc-coop-government-as-risk.html' title='&lt;H3&gt;&lt;U&gt;ERM-BC-COOP&lt;/U&gt;&lt;/H3&gt; &lt;H1&gt;Government as risk&lt;/H1&gt;'/><author><name>John Glenn MBCI</name><uri>http://www.blogger.com/profile/03499458727913967175</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='11' height='32' src='http://bp2.blogger.com/_j2DodcRshS0/R_-0aRRk2PI/AAAAAAAAAAk/d-6wSUMOBX4/S220/litehous-sml.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/-fZFQ8QEBGxc/TtOY92zqh3I/AAAAAAAAAHk/8wOoOa6dgww/s72-c/WorldCompliance.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5931600765099861931.post-2200670057941436058</id><published>2011-11-24T14:19:00.003Z</published><updated>2011-11-24T14:50:48.027Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='Enterprise Risk Management'/><category scheme='http://www.blogger.com/atom/ns#' term='Business Continuity'/><title type='text'>ERM-BC-COOP Vendor 
risks</title><content type='html'>&lt;CENTER&gt;&lt;I&gt;
&lt;h2&gt;&lt;FONT SIZE=+2&gt;More than meets the eye&lt;/FONT&gt;&lt;/H2&gt;
&lt;/i&gt;&lt;/CENTER&gt;
&lt;P&gt;&amp;nbsp;
&lt;/P&gt;&lt;P&gt;
When most of us think of vendor risks we think of a vendor failing to meet its Service Level Agreement (SLA) with our organization.
&lt;/P&gt;&lt;P&gt;
The SLA can cover a product or a service.
&lt;/P&gt;&lt;P&gt;
Interestingly, the product or service might not be considered critical - until it's needed "yesterday." (Forms for bills, for example, or checks to pay bills.)
&lt;/P&gt;&lt;P&gt;
Smart organizations ask critical vendors if they have business continuity plans. Very smart organizations ask the vendors to supply the plans or at least basic plan information such as 
&lt;/P&gt;&lt;P&gt;
&lt;UL&gt;&lt;LI&gt;Who is the plan/program sponsor? (Should be a Very Senior Executive with fiduciary responsibility.)
&lt;/P&gt;&lt;P&gt;
&lt;/LI&gt;&lt;li&gt;What does the plan cover? (InfoTech only, key business units, the enterprise.)
&lt;/P&gt;&lt;P&gt;
&lt;/LI&gt;&lt;li&gt;When was the plan last exercised? (Should be "within the year.")
&lt;/P&gt;&lt;P&gt;
&lt;/LI&gt;&lt;li&gt;When was the plan last updated? (Should be "within the year.")
&lt;/P&gt;&lt;P&gt;
&lt;/LI&gt;&lt;li&gt;Who is responsible for plan maintenance and updating?&lt;/LI&gt;&lt;/UL&gt;
&lt;/P&gt;&lt;P&gt;
Most of the time, the interest in the vendor ends here.
&lt;/P&gt;&lt;P&gt;
It should not.
&lt;/P&gt;&lt;P&gt;
What about the vendor's critical vendors? If the vendor provides a finished product - even something as simple as a threaded fastener (a/k/a screw), if that item is crucial then the vendor is critical and the vendor that supplies &lt;I&gt;your vendor&lt;/i&gt; with raw materials likewise is critical.
&lt;/P&gt;&lt;P&gt;
As the risk management person in your organization, you might be wise to ask the critical vendor if it has an alternative supplier of raw materials; has your vendor asked its vendor for a business continuity plan?
&lt;/P&gt;&lt;P&gt;
Depending on the criticality of a product or service, it might be necessary to go back even farther on the vendor chain, but this usually is not the case.
&lt;/P&gt;&lt;P&gt;
OK - you talked to your critical vendor and you are confident the vendor has a plan to meet all contingencies.
&lt;/P&gt;&lt;P&gt;
Is that enough?
&lt;/P&gt;&lt;P&gt;
Not really.
&lt;/P&gt;&lt;P&gt;
How is the vendor's product or service delivered to your organization?
&lt;/P&gt;&lt;P&gt;
&lt;a href="http://4.bp.blogspot.com/-j12eOoc69l4/Ts5S8rQBLlI/AAAAAAAAAHY/7ZUzSGjpDqg/s1600/vendor.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 181px;" src="http://4.bp.blogspot.com/-j12eOoc69l4/Ts5S8rQBLlI/AAAAAAAAAHY/7ZUzSGjpDqg/s400/vendor.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5678567382516313682" /&gt;&lt;/a&gt;
&lt;BR&gt;&lt;CENTER&gt;
&lt;/CENTER&gt;&lt;/P&gt;&lt;P&gt;
Via highways and byways? Railroads and trucks to the door? Ships and barges and trucks? Airplanes and trucks? 
&lt;/P&gt;&lt;P&gt;
Ask the vendor if it has alternate delivery options.
&lt;/P&gt;&lt;P&gt;
What if the teamsters walk? That shuts down multiple options since trucks almost always are required - door to door, ship to door, plane to door, train to door.
&lt;/P&gt;&lt;P&gt;
The teamsters may be perfectly content, but weather can close roads and shut down airports; accidents can close roads and seaways and ports of all types.
&lt;/P&gt;&lt;P&gt;
Knowing that transportation is an easily interrupted critical process, your organization needs to do a little research to determine a "worst case" transportation interruption and maintain product on the shelf to cover that period. "Just In Time" is fine, &lt;b&gt;PROVIDING&lt;/B&gt; nothing interrupts delivery.
&lt;/P&gt;&lt;P&gt;
Ahh, but your vendor delivers &lt;I&gt;data&lt;/I&gt; via the Internet. Nothing to worry about, right?
&lt;/P&gt;&lt;P&gt;
Wrong!
&lt;/P&gt;&lt;P&gt;
There are as many, perhaps more, things that can go "bump in the night" for digital deliveries as there are with physical deliveries.
&lt;/P&gt;&lt;P&gt;
The vendor's InfoTech can crash; your InfoTech can crash, the pipe can get choked, your organization's Internet Service Provider (ISP) may fail, a power outage anywhere along the line can knock out a service. Sure, everyone has backup generators, but are they checked regularly under load; is the fuel supply dry and sufficient, and  . . .  
&lt;/P&gt;&lt;P&gt;
As they say, "Nothing's perfect except you and me, and I'm not sure about you."
&lt;/P&gt;&lt;P&gt;
There are, by the way, two sides to the transportation issue.
&lt;/P&gt;&lt;P&gt;
Your organization is a vendor to your clients.
&lt;/P&gt;&lt;P&gt;
Whether you provide a product or a service, your organization typically has to deliver to the customer. 
&lt;/P&gt;&lt;P&gt;
That means transportation from your organization to the customer, be the customer another manufacturer, a wholesale or retail organization, or an individual.
&lt;/P&gt;&lt;P&gt;
Your organization's delivery options - and hazards - are the same as those of the critical vendors.
&lt;/P&gt;&lt;P&gt;
The bottom line is that when considering risks relating to critical vendors, you must think of &lt;U&gt;all&lt;/U&gt; related risks.
&lt;/P&gt;&lt;P&gt;
&lt;I&gt;If I wrote it, you may quote it.&lt;/I&gt;
&lt;/P&gt;&lt;P&gt;
Longer articles at &lt;A HREF="https://sites.google.com/site/johnglennmbci/" TARGET="Long"&gt;https://sites.google.com/site/johnglennmbci/&lt;/A&gt;
&lt;/P&gt;&lt;P&gt;
Comments to JohnGlennMBCI at gmail dot com
&lt;/P&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5931600765099861931-2200670057941436058?l=johnglennmbci.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://johnglennmbci.blogspot.com/feeds/2200670057941436058/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5931600765099861931&amp;postID=2200670057941436058&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/2200670057941436058'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/2200670057941436058'/><link rel='alternate' type='text/html' href='http://johnglennmbci.blogspot.com/2011/11/erm-bc-coop-vendor-risks-more-than.html' title='&lt;H3&gt;&lt;U&gt;ERM-BC-COOP&lt;/U&gt;&lt;/H3&gt; &lt;H1&gt;Vendor risks&lt;/H1&gt;'/><author><name>John Glenn MBCI</name><uri>http://www.blogger.com/profile/03499458727913967175</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='11' height='32' src='http://bp2.blogger.com/_j2DodcRshS0/R_-0aRRk2PI/AAAAAAAAAAk/d-6wSUMOBX4/S220/litehous-sml.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/-j12eOoc69l4/Ts5S8rQBLlI/AAAAAAAAAHY/7ZUzSGjpDqg/s72-c/vendor.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5931600765099861931.post-7306373171787681766</id><published>2011-11-22T17:12:00.002Z</published><updated>2011-11-22T17:16:14.567Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='Enterprise Risk Management'/><category scheme='http://www.blogger.com/atom/ns#' term='Business Continuity'/><title type='text'>ERM-BC-COOP Employee loyalty</title><content 
type='html'>&lt;P&gt;&amp;nbsp;
&lt;/P&gt;&lt;P&gt;
In today's job market, with high unemployment, management has the upper hand and can, if it desires, disregard staff concerns.
&lt;/P&gt;&lt;P&gt;
Smart managers don't.
&lt;/P&gt;&lt;P&gt;
They know that when the market eventually turns around, those employees who got the short shrift during the "high jobless rate" times will start looking for new employment homes.
&lt;/P&gt;&lt;P&gt;
Taking with them skills they honed on the job.
&lt;/P&gt;&lt;P&gt;
Possibly taking with them information a competitor would be delighted to have.
&lt;/P&gt;&lt;P&gt;
Never mind non-disclosure agreements; they are difficult, and expensive, to enforce.
&lt;/P&gt;&lt;P&gt;
If the employee doesn't bolt, he or she can "bad mouth" the organization and destroy its reputation as an employer and, perhaps, as an organization. 
&lt;/P&gt;&lt;P&gt;
The translation of all the above is that employees are a risk to the organization.
&lt;/P&gt;&lt;P&gt;
A "necessary" risk.
&lt;/P&gt;&lt;P&gt;
At the same time, a happy employee - or at least one who feels respected by management and peers - is a definite asset to the organization.  While the unhappy current or past employee knocks the organization, an employee who feels he or she has the respect of management - at all levels - promotes the organization to other employees and to "the world."
&lt;/P&gt;&lt;P&gt;
&lt;I&gt;It's been many years since I worked as a contractor at Lucent Technologies, but I still fondly remember the way it treated its personnel, even contractors. On the other hand, there have been some other organizations .&amp;nbsp;.&amp;nbsp;.&amp;nbsp;.&lt;/I&gt;
&lt;/P&gt;&lt;P&gt;
While it is not something a risk management practitioner can control, the practitioner should be aware of the "mood" of the workforce and the practitioner should "suggest" to management that there are risks to employing unhappy staff.
&lt;/P&gt;&lt;P&gt;
Most people appreciate recognition for a job well done.
&lt;/P&gt;&lt;P&gt;
The nice thing about recognizing jobs well done is that it need not be expensive.
&lt;/P&gt;&lt;P&gt;
Most people appreciate an organization-sponsored (funded) function; like recognition, this need not be overly expensive.
&lt;/P&gt;&lt;P&gt;
The economy &lt;i&gt;&lt;u&gt;will&lt;/U&gt;&lt;/I&gt; pick up - no, I do NOT know "when" - and when it does, unhappy employees will become mobile; their resumes already are up-to-date.
&lt;/P&gt;&lt;P&gt;
The risks to the organization include, "but are not limited to"
&lt;/P&gt;&lt;P&gt;
&lt;UL&gt;&lt;LI&gt;loss of knowledge base
&lt;/P&gt;&lt;P&gt;
&lt;/LI&gt;&lt;LI&gt;cost of recruiting - advertising, interviewing, relocation
&lt;/P&gt;&lt;P&gt;
&lt;/LI&gt;&lt;LI&gt;cost of training, both job and corporate customs
&lt;/P&gt;&lt;P&gt;
&lt;/LI&gt;&lt;LI&gt;temporary slump in productivity, possibly due to resentment of the new employee
&lt;/P&gt;&lt;P&gt;
&lt;/LI&gt;&lt;LI&gt;possibly higher salary for the new hire
&lt;/P&gt;&lt;P&gt;
&lt;/LI&gt;&lt;LI&gt;risk that the new hire will leave before the organization realizes any ROI &lt;/LI&gt;&lt;/UL&gt;
&lt;/P&gt;&lt;P&gt;
It is not hard to mitigate the risk of disgruntled personnel.
&lt;/P&gt;&lt;P&gt;
Respect.
&lt;/P&gt;&lt;P&gt;
Acknowledgement of a job well done.
&lt;/P&gt;&lt;P&gt;
Support in the form of training.
&lt;/P&gt;&lt;P&gt;
There are many ways an employer can show respect for the troops; HR knows them all.
&lt;/P&gt;&lt;P&gt;
Longer articles at &lt;A HREF="https://sites.google.com/site/johnglennmbci/" TARGET="Long"&gt;https://sites.google.com/site/johnglennmbci/&lt;/A&gt;
&lt;/P&gt;&lt;P&gt;
If I wrote it, you may quote it.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5931600765099861931-7306373171787681766?l=johnglennmbci.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://johnglennmbci.blogspot.com/feeds/7306373171787681766/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5931600765099861931&amp;postID=7306373171787681766&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/7306373171787681766'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/7306373171787681766'/><link rel='alternate' type='text/html' href='http://johnglennmbci.blogspot.com/2011/11/erm-bc-coop-employee-loyalty.html' title='&lt;H3&gt;&lt;U&gt;ERM-BC-COOP&lt;/U&gt;&lt;/H3&gt; &lt;H1&gt;Employee loyalty&lt;/H1&gt;'/><author><name>John Glenn MBCI</name><uri>http://www.blogger.com/profile/03499458727913967175</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='11' height='32' src='http://bp2.blogger.com/_j2DodcRshS0/R_-0aRRk2PI/AAAAAAAAAAk/d-6wSUMOBX4/S220/litehous-sml.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5931600765099861931.post-7158870966447297010</id><published>2011-11-20T15:51:00.004Z</published><updated>2011-11-21T21:40:13.741Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='Enterprise Risk Management'/><category scheme='http://www.blogger.com/atom/ns#' term='Business Continuity'/><title type='text'>ERM-BC-COOP Have you created a plan for XYZ industry?</title><content type='html'>&lt;p&gt;&amp;nbsp;
The other day I was asked if I had done any plans for a specific industry.
&lt;/P&gt;&lt;P&gt;
I took the question at face value: have I done any plans for an industry, as in "industry association." 
&lt;/P&gt;&lt;P&gt;
The question could have been less global and concerned with a specific organization in the industry (e.g., natural gas exploration) or a specific function of the industry's members (e.g., manufacturing mil-spec monel 16-inch 3-way valves with electronic control modules).
&lt;/P&gt;&lt;P&gt;
There are lots of ways I could have considered the question.
&lt;/P&gt;&lt;P&gt;
But in each case, the answer was the same: "Yes."
&lt;/P&gt;&lt;P&gt;
The &lt;I&gt;reason&lt;/I&gt; the answer for each option is the same, "Yes," is because as a risk management practitioner I am looking at risks and means to avoid or mitigate them.
&lt;/P&gt;&lt;P&gt;
It makes no difference to me if I am working for a Mom-n-Pop corner grocery, Monster Motors, or Sara's Soup Servers charity.
&lt;/P&gt;&lt;P&gt;
The &lt;B&gt;PROCESS&lt;/B&gt; is the same.
&lt;/P&gt;&lt;P&gt;
Find out why the organization exists.
&lt;/P&gt;&lt;UL&gt;&lt;P&gt;
Mom-n-Pop's grocery  exists to sell groceries and, hopefully, make a profit.
&lt;/P&gt;&lt;P&gt;
Monster Motors exists to make automobiles (and other products) and, hopefully, make a profit.
&lt;/P&gt;&lt;P&gt;
Sara's Soup Servers exists to provide food for the hungry and, hopefully, to keep donations rolling in.
&lt;/P&gt;&lt;/UL&gt;&lt;P&gt;
In each case, the organizations DO something to justify their existence.
&lt;/P&gt;&lt;P&gt;
There are some common concerns across the board - vendor management and liability as examples - but the &lt;B&gt;&lt;U&gt;bottom line&lt;/U&gt;&lt;/B&gt; is that each organization has risks and that the risks to each organization must be addressed; means must be identified to avoid or mitigate the risks.
&lt;/P&gt;&lt;P&gt;
Mom and Pop belong to a grocers' association. 
&lt;/P&gt;&lt;P&gt;
The association's concerns are &lt;I&gt;for&lt;/I&gt; the Mom-n-Pop grocery, but they are &lt;I&gt;not&lt;/I&gt; the same as harbored by Mom and Pop. The association is concerned with lobbying, with member welfare, with recruiting and retaining members, and with collecting dues to support the association's operations.
&lt;/p&gt;&lt;p&gt;
Whether creating a plan for Mom-n-Pop or the association, the &lt;B&gt;PROCESS&lt;/B&gt; is the same:
&lt;/p&gt;

&lt;TABLE WIDTH=100% BORDER=1&gt;
&lt;TR&gt;
&lt;TH WIDTH=50%&gt;Mom-n-Pop&lt;/TH&gt;
&lt;TH WIDTH=50%&gt;Grocers' Association&lt;/TH&gt;
&lt;/TR&gt;&lt;TR&gt;
&lt;TD width=50%&gt;
1. Identify the reasons the organization exists&lt;BR&gt;
2. Identify critical processes to No. 1&lt;BR&gt;
3. Identify risks to No. 2.&lt;BR&gt;
4. Identify means to avoid or mitigate risks.&lt;BR&gt;
5. Prioritize risks based on probability vs. impact.&lt;BR&gt;
6. Present recommendations to management.&lt;BR&gt;
7. Create response plans based on management's decisions re risk management implementation.&lt;BR&gt;
8. Create plan maintenance procedure.&lt;/TD&gt;
&lt;TD width=50%&gt;
1. Identify the reasons the organization exists&lt;BR&gt;
2. Identify critical processes to No. 1&lt;BR&gt;
3. Identify risks to No. 2.&lt;BR&gt;
4. Identify means to avoid or mitigate risks.&lt;BR&gt;
5. Prioritize risks based on probability vs. impact.&lt;BR&gt;
6. Present recommendations to management.&lt;BR&gt;
7. Create response plans based on management's decisions re risk management implementation.&lt;BR&gt;
8. Create plan maintenance procedure.&lt;/TD&gt;
&lt;/TR&gt;&lt;/TABLE&gt;
&lt;p&gt;
The same PROCESS can be applied to all organizations.
&lt;/p&gt;&lt;p&gt;
The organization's critical processes will vary, as will the risks, the means to avoid or mitigate them, the risks' priority, and the means to respond to the threats, but the PROCESS remains the same:
&lt;/p&gt;&lt;UL&gt;&lt;p&gt;
1. Identify the reasons the organization exists&lt;BR&gt;
2. Identify critical processes to No. 1&lt;BR&gt;
3. Identify risks to No. 2.&lt;BR&gt;
4. Identify means to avoid or mitigate risks.&lt;BR&gt;
5. Prioritize risks based on probability vs. impact.&lt;BR&gt;
6. Present recommendations to management.&lt;BR&gt;
7. Create response plans based on management's decisions re risk management implementation.&lt;BR&gt;
8. Create plan maintenance procedure.
&lt;/ul&gt;&lt;/p&gt;&lt;p&gt;
Creating a program for Mom-n-Pop might be completed within a few weeks while a  similar program for Monster Motors could require more than a year, especially if the practitioner is expected to train responders and do more than run a basic "desktop walk-through" exercise. Indeed, Monster Motors ought to have a full-time staff of risk management practitioners.
&lt;/P&gt;&lt;P&gt;
The bottom line for all plans is the same: &lt;B&gt;It's all about the &lt;U&gt;PROCESS&lt;/U&gt;&lt;/B&gt;.
&lt;/P&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5931600765099861931-7158870966447297010?l=johnglennmbci.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://johnglennmbci.blogspot.com/feeds/7158870966447297010/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5931600765099861931&amp;postID=7158870966447297010&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/7158870966447297010'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/7158870966447297010'/><link rel='alternate' type='text/html' href='http://johnglennmbci.blogspot.com/2011/11/erm-bc-coop-have-you-created-plan-for.html' title='&lt;H3&gt;&lt;U&gt;ERM-BC-COOP&lt;/U&gt;&lt;/H3&gt; &lt;H1&gt;Have you created a plan for XYZ industry?&lt;/H1&gt;'/><author><name>John Glenn MBCI</name><uri>http://www.blogger.com/profile/03499458727913967175</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='11' height='32' src='http://bp2.blogger.com/_j2DodcRshS0/R_-0aRRk2PI/AAAAAAAAAAk/d-6wSUMOBX4/S220/litehous-sml.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5931600765099861931.post-6345124920617012952</id><published>2011-11-18T20:22:00.004Z</published><updated>2011-11-21T21:41:37.691Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='Enterprise Risk Management'/><category scheme='http://www.blogger.com/atom/ns#' term='Business Continuity'/><title type='text'>ERM-BC-COOP  These are "professionals"? A rant</title><content type='html'>&lt;P&gt;&amp;nbsp;
&lt;/P&gt;&lt;P&gt;
I'm thinking about cutting down the number of LinkedIn groups and other lists and forums I follow. Maybe a few blogs, too.
&lt;/P&gt;&lt;P&gt;
Several of the lists/groups/forums that I am considering leaving have "Professional" in the title.
&lt;/P&gt;
&lt;H2&gt;&lt;FONT SIZE=+2&gt;Professional in name only&lt;/FONT&gt;&lt;/H2&gt;
&lt;/P&gt;&lt;UL&gt;&lt;P&gt;
That led me to believe any discussions would be at a professional level.
&lt;/P&gt;&lt;P&gt;
Yet many, far too many, discussions are at the tyro level.
&lt;/P&gt;&lt;P&gt;
By itself that's not bad - tyros need help, too, and they can - and I'm thinking of one in particular - and do raise important questions; queries that get us all thinking.
&lt;/P&gt;&lt;P&gt;
One of the things that irritates - that, as we say in Dixie, "sticks in my craw" - is the titles many of these blatant-by-their-post amateurs advertise.
&lt;/P&gt;&lt;P&gt;
Senior this and Master that.
&lt;/P&gt;&lt;P&gt;
Another irritant is the level of the questions. 
&lt;/P&gt;&lt;P&gt;
Good grief; do your homework before asking someone else to do it for you.
&lt;/P&gt;&lt;P&gt;
DRJ (http://www.drj.com) has a Website full of good information.
&lt;/P&gt;&lt;P&gt;
DRII (http://www.drii.org) likewise has megabytes of useful information.
&lt;/P&gt;&lt;P&gt;
The information is free.
&lt;/P&gt;&lt;P&gt;
Of course the curious person needs to invest a little time to locate and extract the nuggets. 
&lt;/P&gt;&lt;P&gt;
Why bother? It's easier to ask an actual practitioner "How do you spell 'BIA'?"
&lt;/P&gt;&lt;P&gt;
Because there are so many tyros-with-professional-titles claiming to be business continuity practitioners, people who engage them due to a title or employment by a Big Name Consulting Firm expect a professional product. They &lt;b&gt;deserve&lt;/b&gt; a professional product.
&lt;/P&gt;&lt;P&gt;
But they don't &lt;b&gt;get&lt;/b&gt; a professional product.
&lt;/P&gt;&lt;P&gt;
If the plan doesn't work? The independent likely lacks performance insurance, and the Big Name Consulting Company will try to tie the client up in a finger-pointing court date.  In any case, it is hard to prove that the client ignored the practitioner's recommendations or failed to exercise the plan.
&lt;/P&gt;&lt;P&gt;
But all business continuity practitioners take the hit.
&lt;/P&gt;&lt;/UL&gt;
&lt;H2&gt;&lt;FONT SIZE=+2&gt;When "BC" really is "DR"&lt;/FONT&gt;&lt;/H2&gt;
&lt;UL&gt;
As long as I am IN "curmudgeon" mode I may as well express my opinion of groups that have "business continuity" in the title but in truth are misnamed "disaster recovery" groups. 
&lt;/P&gt;&lt;P&gt;
There is nothing wrong with a disaster recovery group, but please, call it what it is: disaster recovery or even "resilience," which one Big Name Company has hijacked for its disaster recovery services.
&lt;/P&gt;&lt;/ul&gt;
&lt;H2&gt;&lt;FONT SIZE=+2&gt;Link, don't think&lt;/FONT&gt;&lt;/H2&gt;
&lt;/P&gt;&lt;ul&gt;&lt;P&gt;
One or two of the groups I am about to drop consist of 90% links to magazine articles.
&lt;/P&gt;&lt;P&gt;
The article may be really worthwhile, but I sometimes suspect the linker never read past the headline.
&lt;/P&gt;&lt;P&gt;
I really would like a synopsis of the article before I waste my time following the link.
&lt;/P&gt;&lt;P&gt;
I'm sure some of the articles are worth reading, but I don't have the time to follow each and every link on the chance that the linked copy is relevant to what I do.
&lt;/P&gt;&lt;/UL&gt;
&lt;P&gt;
&lt;/P&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5931600765099861931-6345124920617012952?l=johnglennmbci.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://johnglennmbci.blogspot.com/feeds/6345124920617012952/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5931600765099861931&amp;postID=6345124920617012952&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/6345124920617012952'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/6345124920617012952'/><link rel='alternate' type='text/html' href='http://johnglennmbci.blogspot.com/2011/11/erm-bc-coop-these-are-professionals.html' title='&lt;H3&gt;&lt;u&gt;ERM-BC-COOP&lt;/u&gt;&lt;/h3&gt;  &lt;H1&gt;These are &quot;professionals&quot;?&lt;/H1&gt; &lt;H3&gt;A rant&lt;/H3&gt;'/><author><name>John Glenn MBCI</name><uri>http://www.blogger.com/profile/03499458727913967175</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='11' height='32' src='http://bp2.blogger.com/_j2DodcRshS0/R_-0aRRk2PI/AAAAAAAAAAk/d-6wSUMOBX4/S220/litehous-sml.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5931600765099861931.post-5088245765096579706</id><published>2011-11-07T20:26:00.003Z</published><updated>2011-11-21T21:42:10.165Z</updated><title type='text'>ERM-BC-COOP Check the obvious</title><content type='html'>&lt;P&gt;&amp;nbsp;
&lt;/P&gt;&lt;P&gt;
About two weeks ago I put down some weed-n-feed.
&lt;/P&gt;&lt;P&gt;
The instructions state to thoroughly water in the chemicals - soak the pellets until they melt.
&lt;/P&gt;&lt;P&gt;
Not a problem.
&lt;/P&gt;&lt;P&gt;
I have a well. Flip a switch and water comes out via a number of sprinkler heads scattered around the grounds.
&lt;/P&gt;&lt;P&gt;
So I wandered back to the pump switch and flicked it on - to be greeted by a spurt of nasty brown water from a PVC pipe.
&lt;/P&gt;&lt;P&gt;
Turns out  the guy who &lt;I&gt;used&lt;/I&gt; to cut the grass once again punched a hole in the pipe. Second time.
&lt;/P&gt;&lt;P&gt;&lt;a href="http://1.bp.blogspot.com/-FURtH0ywIUI/Trg_RoyQzNI/AAAAAAAAAHM/01Iexkln5Ds/s1600/IMG_0003A.jpg"&gt;&lt;img style="float:right; margin:0 0 10px 10px;cursor:pointer; cursor:hand;width: 240px; height: 320px;" src="http://1.bp.blogspot.com/-FURtH0ywIUI/Trg_RoyQzNI/AAAAAAAAAHM/01Iexkln5Ds/s320/IMG_0003A.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5672353302911700178" /&gt;&lt;/a&gt;
So now I have to replace the PVC - a learning experience - and reseed a portion of the yard, a portion only recently reseeded.
&lt;/P&gt;&lt;P&gt;
I can't &lt;I&gt;prove&lt;/i&gt; the ex-yard guy did the damage, but the substantial circumstantial evidence is pretty strong: twice since he's been cutting the grass a hole has been punched into the pipe, and no one went back by the pump except the ex-yard guy.
&lt;/P&gt;&lt;P&gt;
Anyway, the grass that got the weed-n-feed is dying because I failed to make sure the pump worked before I put out the chemicals.
&lt;/P&gt;&lt;P&gt;
&lt;B&gt;Lesson learned: Even with a very low probability of failure, equipment needs to be checked &lt;I&gt;before&lt;/I&gt; it is needed.&lt;/B&gt;
&lt;/P&gt;&lt;P&gt;
When I get ready to go on a trip, even a relatively short one, I eyeball the tires to see that they have sufficient pressure. I check the gasoline to make sure I can get where I'm going. I should, but I don't always, check the oil level and condition. Top off the windshield washer fluid.
&lt;/P&gt;&lt;P&gt;
Basic "stuff." 
&lt;/P&gt;&lt;P&gt;
Like checking the cell phone battery level.
&lt;/P&gt;&lt;P&gt;
If I'm traveling with the notebook, I charge the battery. (Leaving the battery in the machine and constantly at or near full charge diminishes the battery's charge  time.)
&lt;/P&gt;&lt;P&gt;
To say I'm upset with the &lt;I&gt;ex-&lt;/I&gt;yard guy is probably safe to say. To say I am more upset with myself for failing to practice what I preach is absolutely correct. 
&lt;/P&gt;&lt;P&gt;
I'm paying for my false confidence . . .  dig up the pipe, cut out the damaged section and replace it, gluing a new piece into place, testing everything and &lt;I&gt;then&lt;/I&gt; covering the pipe, and finally reseeding the lawn.
&lt;/P&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5931600765099861931-5088245765096579706?l=johnglennmbci.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://johnglennmbci.blogspot.com/feeds/5088245765096579706/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5931600765099861931&amp;postID=5088245765096579706&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/5088245765096579706'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/5088245765096579706'/><link rel='alternate' type='text/html' href='http://johnglennmbci.blogspot.com/2011/11/erm-bc-coop-check-obvious.html' title='&lt;H3&gt;&lt;U&gt;ERM-BC-COOP&lt;/U&gt;&lt;/H3&gt; &lt;H1&gt;Check the obvious&lt;/H1&gt;'/><author><name>John Glenn MBCI</name><uri>http://www.blogger.com/profile/03499458727913967175</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='11' height='32' src='http://bp2.blogger.com/_j2DodcRshS0/R_-0aRRk2PI/AAAAAAAAAAk/d-6wSUMOBX4/S220/litehous-sml.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/-FURtH0ywIUI/Trg_RoyQzNI/AAAAAAAAAHM/01Iexkln5Ds/s72-c/IMG_0003A.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5931600765099861931.post-5436989534004609301</id><published>2011-11-02T21:39:00.003Z</published><updated>2011-11-06T23:57:19.296Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='Enterprise Risk Management'/><category scheme='http://www.blogger.com/atom/ns#' term='Business Continuity'/><title type='text'>ERM-BC-COOP Troubles on the 
tarmac</title><content type='html'>&lt;P&gt;&amp;nbsp;
&lt;/P&gt;&lt;P&gt;
JetBlue, the low cost airline, is facing stiff penalties for letting roughly 100 passengers sit in a plane on the ground for seven - 7 - hours.
&lt;/P&gt;&lt;P&gt;
The food and drinks apparently ran out and the bathrooms apparently were at capacity, so passengers were more than a little "uncomfortable."
&lt;/P&gt;&lt;P&gt;
The question is not "What happened?" but "Why was it allowed to happen?"
&lt;/P&gt;&lt;P&gt;
The plane, from Fort Lauderdale-Hollywood International (FLL) was bound for a northern airport. Before it got to its scheduled destination, weather conditions forced the airport to close. 
&lt;/P&gt;&lt;P&gt;
The plane was diverted to another airport.
&lt;/P&gt;&lt;P&gt;
That, in itself, is not a major problem when passenger safety is the First Priority. Besides, diversions happen all the time.
&lt;/P&gt;&lt;P&gt;
But things went from bad to worse when the plane landed at the alternate airport.
&lt;/P&gt;&lt;P&gt;
Apparently shortly after the plane got on the ground, that airport also was closed due to weather conditions.
&lt;/P&gt;&lt;P&gt;
Now the problem goes from "worse" to "inexcusable."
&lt;/P&gt;&lt;P&gt;
I'm guessing that the newly landed aircraft - re-routed from another airport and unexpected at the airport where it landed - couldn't get a "gate," a jetway where passengers could disembark.
&lt;/P&gt;&lt;P&gt;
Since all flights were grounded, the planes already at the gate were "stuck" there; they could not leave for their destinations.
&lt;/P&gt;&lt;P&gt;
Realistically what could JetBlue have done? I'm a bit claustrophobic when planes are on the ground waiting for a gate so I gave this some serious consideration. I've also flown into a number of airports in the U.S. and elsewhere.
&lt;/P&gt;&lt;P&gt;
JetBlue could have done one of two things.
&lt;/P&gt;&lt;P&gt;
Thing 1, possibly the least inconvenient, would be to send a truck and buses to the plane.
&lt;/P&gt;&lt;P&gt;&lt;a href="http://3.bp.blogspot.com/-ymNLGyxNUcU/TrG70HC35FI/AAAAAAAAAG0/w-EogB-RSIU/s1600/JetBlue1.JPG"&gt;&lt;img style="float:right; margin:0 0 10px 10px;cursor:pointer; cursor:hand;width: 320px; height: 220px;" src="http://3.bp.blogspot.com/-ymNLGyxNUcU/TrG70HC35FI/AAAAAAAAAG0/w-EogB-RSIU/s320/JetBlue1.JPG" border="0" alt=""id="BLOGGER_PHOTO_ID_5670519909754856530" /&gt;&lt;/a&gt;
The truck would bring stairs so passengers could safely get off the plane and onto the ground. This is not an emergency and there is no need to risk passenger injuries by using the emergency slides. 
&lt;/P&gt;&lt;P&gt;
Lots of airports - probably &lt;b&gt;most&lt;/B&gt; - have mobile stairs, and most airports have buses; if these are not owned and operated by the airlines, the airlines could borrow them from the rental car companies or the airport authority, whichever runs the shuttles.
&lt;/P&gt;&lt;P&gt;
Thing 2, a little more inconvenient for the airline but a lot more satisfactory to the people paying to ride, would be to push back a grounded flight from a gate to make the gate available for the incoming flight.
&lt;/P&gt;&lt;P&gt;&lt;a href="http://2.bp.blogspot.com/-CmilnFAglA8/TrG7_9JP-4I/AAAAAAAAAHA/RxdcpGRmIpQ/s1600/pushback.jpg"&gt;&lt;img style="float:right; margin:0 0 10px 10px;cursor:pointer; cursor:hand;width: 240px; height: 320px;" src="http://2.bp.blogspot.com/-CmilnFAglA8/TrG7_9JP-4I/AAAAAAAAAHA/RxdcpGRmIpQ/s320/pushback.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5670520113255676802" /&gt;&lt;/a&gt;
Does this take a flight crew?
&lt;/P&gt;&lt;P&gt;
I don't think so.
&lt;/P&gt;&lt;P&gt;
It does take a push truck and a couple of people to guide the push truck's driver to avoid clipping other aircraft.
&lt;/P&gt;&lt;P&gt;
Where to put the moved birds? How about a maintenance area? What about the military section of the airport, assuming there is one and the Air National Guard gives its OK for "until the storm's over" parking?
&lt;/P&gt;&lt;P&gt;
In truth, the empty pushed back aircraft &lt;i&gt;could&lt;/i&gt; be parked on the taxiways and runways, although getting them back can prove a logistics problem later. Use taxiways and runways as a last resort.
&lt;/P&gt;&lt;P&gt;
Lack of planning seems to be the bane of airlines.
&lt;/P&gt;&lt;P&gt;
Qantas' management grounded all its flights in the face of a &lt;i&gt;threat&lt;/i&gt; of a strike. Management's pre-emptive strike.
&lt;/P&gt;&lt;P&gt;
While that may have &lt;i&gt;seemed&lt;/i&gt; like a good idea at the time, management failed to get its passengers booked on other airlines' flights. "Sorry, we're closed and you (passengers) are out of luck."
&lt;/P&gt;&lt;P&gt;
Then there was the Chief of Security at a U.S. airline who told me, after 9-11-2001, that terrorists couldn't get on board his airplanes using methods I proposed. "Impossible," he said - and continued to believe that even though a number of journalists proved my point.
&lt;/P&gt;&lt;P&gt;
I don't know if airline people simply ignore risks or just refuse to deal with them.
&lt;/P&gt;&lt;P&gt;
There certainly was no excuse for JetBlue to leave passengers sitting on a plane on the ground for seven hours.
&lt;/P&gt;&lt;P&gt;
What about the fuel costs? Even at idle, jet engines are expensive to operate.
&lt;/P&gt;&lt;P&gt;
Now JetBlue faces the potential of huge fines by the government. I understand it is offering free tickets to anyone on the flight who is willing to once again board a JetBlue plane.
&lt;/P&gt;&lt;P&gt;
A financial and PR fiasco that could easily have been avoided if someone had a plan - or even if someone "stepped up to the plate" and made the right decisions.
&lt;/P&gt;&lt;P&gt;
An expanded and updated article on airlines' image problems can be read at &lt;A HREF="https://sites.google.com/site/johnglennmbci/11-11-03-airlines-image" TARGET="RISK MANAGER"&gt;https://sites.google.com/site/johnglennmbci/11-11-03-airlines-image&lt;/A&gt;


&lt;/P&gt;&lt;P&gt;
&lt;I&gt;If I wrote it, you may quote it&lt;/I&gt; &lt;/P&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5931600765099861931-5436989534004609301?l=johnglennmbci.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://johnglennmbci.blogspot.com/feeds/5436989534004609301/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5931600765099861931&amp;postID=5436989534004609301&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/5436989534004609301'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/5436989534004609301'/><link rel='alternate' type='text/html' href='http://johnglennmbci.blogspot.com/2011/11/erm-bc-coop-troubles-on-tarmac.html' title='&lt;H3&gt;&lt;U&gt;ERM-BC-COOP&lt;/U&gt;&lt;/H3&gt; &lt;H1&gt;Troubles on the tarmac&lt;/H1&gt;'/><author><name>John Glenn MBCI</name><uri>http://www.blogger.com/profile/03499458727913967175</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='11' height='32' src='http://bp2.blogger.com/_j2DodcRshS0/R_-0aRRk2PI/AAAAAAAAAAk/d-6wSUMOBX4/S220/litehous-sml.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/-ymNLGyxNUcU/TrG70HC35FI/AAAAAAAAAG0/w-EogB-RSIU/s72-c/JetBlue1.JPG' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5931600765099861931.post-1440053970502267105</id><published>2011-10-19T20:01:00.003Z</published><updated>2011-10-19T20:16:33.382Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='Enterprise Risk Management'/><category scheme='http://www.blogger.com/atom/ns#' term='Business Continuity'/><title 
type='text'>ERM-BC-COOP Employer responsibilities?</title><content type='html'>&lt;P&gt;&amp;nbsp;
&lt;/P&gt;&lt;P&gt;
There is a debate going on LinkedIn's "BCMIX - Business Continuity Management Information eXchange" (&lt;A HREF="http://tinyurl.com/3dukcyx" TARGET="Caroline"&gt;http://tinyurl.com/3dukcyx&lt;/a&gt;). 
&lt;/P&gt;&lt;P&gt;
The thread has the rather long title of "U. Delaware: First Responders will report to duty but need assistance with family support and resources and thorough protective equipment training, UD discovered in Mid-Atlantic regional study."
&lt;/P&gt;&lt;P&gt;
The &lt;i&gt;essence&lt;/I&gt; of the thread is "what needs to be done for employees to assure they will report to work" and is linked to a &lt;U&gt;ScienceDaily&lt;/U&gt; article titled "Emergency Workers Will Respond: Study Shows First Responders Will Report to Duty, but Need Assistance With Family Matters" at &lt;A HREF="http://www.sciencedaily.com/releases/2011/08/110818190657.htm" TARGET="SD"&gt;http://www.sciencedaily.com/releases/2011/08/110818190657.htm&lt;/a&gt;.
&lt;/P&gt;&lt;P&gt;
OK, having gotten all the source references out of the way, I will offer my list of things &lt;I&gt;I think&lt;/I&gt; an employer should consider:
&lt;/P&gt;&lt;P&gt;
&lt;UL&gt;This should come as NO surprise to any risk management practitioner. 
Most people will justifiably worry about their kin before their job. 
To mitigate that, we have primary and alternate responders. That lessens the load on all responders - jobs can be handed off after short shifts. 
We also must be concerned with burn-out, and management must recognize this danger and avoid it by limiting work to a reasonable-under-the-circumstances time, say 12 hours, 16 maximum, and require at least an 8-hour "off" period. This must be cast into Policy and Procedures concrete (along with other "event-related" P&amp;Ps). 
Organizations, realizing responders - both local and at an alternate site - need family time (just as soldiers need R&amp;R), need to get this into P&amp;Ps long before an event so that everyone knows what to expect. &lt;/UL&gt;
&lt;/P&gt;&lt;P&gt;
Two ladies whom I respect joined in as follows:
&lt;/P&gt;&lt;P&gt;
Lady #1: The suggestion which emerged was actually that the employers of the first responders help prepare the families in advance and organize support and resources for spouses. 
&lt;/P&gt;&lt;P&gt;
Lady #2, adding to Lady #1's comment, noted "This is why a 'critical worker support plan' is needed. If we don't build it, they won't come. Would you? Work is a paycheck. It has no chance of competing with the people we love or the need to reestablish family security ASAP. Even when work is a 'calling', there's a breaking point."
&lt;/P&gt;&lt;P&gt;
Lady #1 is an attorney with interests in Strategic Assessment &amp; Conciliation.
&lt;/P&gt;&lt;P&gt;
Lady #2 is  a business continuity planner for a government agency.
&lt;/P&gt;&lt;P&gt;
My comment to the ladies - and I really like these two people - was as follows:
&lt;/P&gt;&lt;P&gt;
&lt;UL&gt;OK - so HR and management need to be involved (as well as unions if they are present) to determine - and publicize - what the organization will do for the staff re family support; e.g., hand-deliver checks to IDed-by-staff kin, who is considered "kin" (may be determined by law), medical/health insurance assistance and perhaps transportation to/from medical facilities; maybe supermarket runs (some families have only one vehicle and public transportation either is distant {bus, train lines} or expensive {taxis}) or reimbursement for transport charges. The foregoing is &lt;B&gt;NOT&lt;/B&gt; "all inclusive" by any means. IMO, HR &lt;I&gt;always&lt;/I&gt; needs to be involved in all risk management planning.&lt;/UL&gt;
&lt;/P&gt;&lt;P&gt;
Here Lady #2 responds that "if you have been through a major disaster, from a hurricane to wildfire to tornado to 9/11, what is really needed to get critical staff in to work is a company commitment to such things as: 
&lt;/P&gt;&lt;P&gt;
and then she proceeded to list her requirements; my responses are included&lt;UL&gt;
- evacuate staff's families ahead of rising water or spreading flame
&lt;/P&gt;&lt;P&gt;
&lt;UL&gt;&lt;I&gt; (jg)&lt;/I&gt; That's the employee's responsibility. The organization &lt;I&gt;may&lt;/I&gt; offer to assist with transportation, housing, and other per diem subsidies, but in this economy, I would doubt it. It is more likely to evacuate/relocate staff WITH family to the alternate site.&lt;/li&gt;&lt;/ul&gt;
&lt;/P&gt;&lt;P&gt;
- send out crews, commercial if necessary, to 
&lt;/P&gt;&lt;P&gt;
-board windows
&lt;/P&gt;&lt;P&gt;
&lt;UL&gt;&lt;I&gt; (jg)&lt;/I&gt; Home owner's responsibility. I have accordion shutters, my neighbors "board up" using metal or ply board (a PITA in the wind). I doubt there are enough contractors in the area to meet the demand by people who are unable to DIY (absentee owners, high-floor condo owners, invalids, etc.) The days of the Company Town (McGill NV), when the company sent out a guy to change a light bulb, are long gone. &lt;/li&gt;&lt;/ul&gt;
&lt;/P&gt;&lt;P&gt;
-cover damaged structures with tarps and plastic
&lt;/P&gt;&lt;P&gt;
&lt;UL&gt;&lt;I&gt; (jg)&lt;/I&gt; Home owner's responsibility. The insurance company will argue that the home owner should mitigate damage by covering holes, but if the owner is one of the above or cannot beg, borrow, buy, or steal a tarpaulin or ladder sufficient to reach the roof, or if the winds are dangerously strong, in the end, the insurer will pay to close the hole and repair related damage. (Common event where I live.)&lt;/li&gt;&lt;/ul&gt;
&lt;/P&gt;&lt;P&gt;
-salvage homes from water, mud, smoke, fire
&lt;/P&gt;&lt;P&gt;
&lt;UL&gt;&lt;I&gt; (jg)&lt;/I&gt; Home owner's responsibility.  The employer &lt;I&gt;may&lt;/I&gt; have a list of "approved" vendors (if not, FEMA and the state do) and the approved vendors &lt;I&gt;may&lt;/I&gt; give a discount to the employee, but contracting for the work, supervising the work, inspecting the work, and paying for the work is not a corporate responsibility.&lt;/li&gt;&lt;/ul&gt;
&lt;/P&gt;&lt;P&gt;
-install portable generators
&lt;/P&gt;&lt;P&gt;
&lt;UL&gt;&lt;I&gt; (jg)&lt;/I&gt; Home owner's responsibility.  Someone would have to stockpile hundreds of generators, make sure they functioned and were fueled - and what about fuel; who is supposed to see that the tank is topped off (and how big a tank is needed?). Most assuredly not a company responsibility.&lt;/li&gt;&lt;/ul&gt;
&lt;/P&gt;&lt;P&gt;
-remove fallen trees and debris from homes, power lines (when the power company refuses)
&lt;/P&gt;&lt;P&gt;
&lt;UL&gt;&lt;I&gt; (jg)&lt;/I&gt; Debris removal from public areas (streets, sidewalks) is a government function. Debris removal from private property is the (you guessed it) home owner's responsibility.&lt;BR&gt;I have NEVER seen any power company anywhere - and I have "lived around" - refuse to deal with downed wires, live or not, nor have I ever encountered a gas company that didn't respond to a reported/suspected leak. Maybe in NYC or California, but not in VA (Dominion's really good) or Florida (FP&amp;L is excellent) .&lt;/li&gt;&lt;/ul&gt;
&lt;/P&gt;&lt;P&gt;
- deliver MRE's, water, dry ice, and survival goods
&lt;/P&gt;&lt;P&gt;
&lt;UL&gt;&lt;I&gt; (jg)&lt;/I&gt; Staples (food, water, ice) normally are provided by do-gooder  agencies - Salvation Army, ARC, etc.; Procter &amp; Gamble brings in the laundromat-on-wheels (great idea, BTW).  As for MREs, if you MUST have MREs, please avoid the self-heating ones (LaBriute as example). They are a storage fire hazard (ask the U.S. Army). My Own Meals are, according to the firm's owner, edible cold (and she personally samples them that way - the lady is one of my sources).&lt;/li&gt;&lt;/ul&gt;
&lt;/P&gt;&lt;P&gt;
- evacuate, house and aid reclamation for families whose housing is destroyed
&lt;/P&gt;&lt;P&gt;
&lt;UL&gt;&lt;I&gt; (jg)&lt;/I&gt; Partially addressed above (first of your dash lines). Otherwise the home owner's responsibility - doing battle with the insurance companies. A generous employer &lt;I&gt;may&lt;/I&gt; give some (paid? unpaid?) time off to battle the insurers.&lt;/li&gt;&lt;/ul&gt;
&lt;/P&gt;&lt;P&gt;
- ensure electronic deposit of paychecks and reimbursement checks (although notoriously after 9/11 one financial services company suspended all salary and other payments to the families of hundreds of dead workers)
&lt;/P&gt;&lt;P&gt;
&lt;UL&gt;&lt;I&gt; (jg)&lt;/I&gt; How can electronic deposits be "ensured" if the WWW is down at any point: the check writer's, the financial institution. How much will be paid? Logged hours? Previous pay period (typical), average for year? (With differences cleared up later.) Since I cannot guarantee electronic fund transfer, I might write a check or issue a voucher/promissory note, but to whom shall I give the document? Spouse who may be estranged? "Significant other?" Who may be considered a "partner" might be determined by local law.  I covered this in my post.&lt;/li&gt;&lt;/ul&gt;
&lt;/P&gt;&lt;P&gt;
- coordinate searches of hospitals and morgues for injured and dead staff and family
&lt;/P&gt;&lt;P&gt;
&lt;UL&gt;&lt;I&gt; (jg)&lt;/I&gt; The do-gooder agencies already do this; the employee can contact them; this is not an employer function.&lt;/li&gt;&lt;/ul&gt;
&lt;/P&gt;&lt;P&gt;
- provide medivac and crisis transport of injured, dying and dead staff and family.
&lt;/P&gt;&lt;P&gt;
&lt;UL&gt;&lt;I&gt; (jg)&lt;/I&gt; Most employers, other than the Federal government, lack suitable aircraft and ground transport for this function; even if the employer wanted to take on the task, there probably are insufficient vehicles to move injured. Moving the dead is something that can be done only after a Coroner/Medical Examiner/doctor declares the person deceased, in which case the government or funeral home would move the body; this is not an employer function, even in "normal" times.&lt;/li&gt;&lt;/ul&gt;
&lt;/P&gt;&lt;P&gt;
That's what people are really doing back at home. It's no walk in the park. &lt;/ul&gt;
&lt;/P&gt;&lt;P&gt;
I don't know of any organization, anywhere, with the possible exception of government-funded agencies, who provide what Lady #1 thinks employers should provide.
&lt;/P&gt;&lt;P&gt;
I include employee welfare in all my plans, but I stop short of what I term "employer socialism," a term I hasten to add that Lady #1 &lt;U&gt;emphatically&lt;/U&gt; rejects.
&lt;/P&gt;&lt;P&gt;
So the question to followers of this blog: Are Lady #1's expectations - I won't call them "demands" - realistic for any non-government-funded organization?
&lt;/P&gt;&lt;P&gt;
Does &lt;U&gt;anyone&lt;/U&gt; know of any non-government-funded organization that satisfies Lady #1's wishes?
&lt;/P&gt;&lt;P&gt;
Either way, the address is JohnGlennMBCI at gmail dot com.
&lt;/P&gt;&lt;P&gt;
&lt;I&gt;If I wrote it, you may quote it.&lt;/I&gt;
&lt;/P&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5931600765099861931-1440053970502267105?l=johnglennmbci.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://johnglennmbci.blogspot.com/feeds/1440053970502267105/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5931600765099861931&amp;postID=1440053970502267105&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/1440053970502267105'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/1440053970502267105'/><link rel='alternate' type='text/html' href='http://johnglennmbci.blogspot.com/2011/10/erm-bc-coop-employer-responsibilities.html' title='&lt;H3&gt;&lt;U&gt;ERM-BC-COOP&lt;/U&gt;&lt;/H3&gt; &lt;H1&gt;Employer responsibilities?&lt;/H1&gt;'/><author><name>John Glenn MBCI</name><uri>http://www.blogger.com/profile/03499458727913967175</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='11' height='32' src='http://bp2.blogger.com/_j2DodcRshS0/R_-0aRRk2PI/AAAAAAAAAAk/d-6wSUMOBX4/S220/litehous-sml.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5931600765099861931.post-5155030254559920511</id><published>2011-10-17T15:02:00.001Z</published><updated>2011-10-17T15:08:34.327Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='Enterprise Risk Management'/><category scheme='http://www.blogger.com/atom/ns#' term='Business Continuity'/><title type='text'>ERM-BC-COOP Importers put on notice - again</title><content type='html'>&lt;P&gt;&amp;nbsp;
&lt;/P&gt;&lt;P&gt;
The husband of a woman who apparently died following an accident on an untested inflatable pool slide was awarded US$20.6 million by a Salem (MA) Superior Court jury.
&lt;/P&gt;&lt;P&gt;
According to an article in The Salem News (&lt;A HREF="http://tinyurl.com/3c9j5p6" TARGET="SALEM"&gt;http://tinyurl.com/3c9j5p6&lt;/A&gt;), Toys "R" Us sold a Chinese-made &lt;I&gt;Banzai Falls&lt;/i&gt; inflatable pool slide via Amazon. The 6-foot slide was installed in an in-ground pool.
&lt;/P&gt;&lt;P&gt;
The jury ruled that Toys "R" Us was responsible for the death five years ago of a 29-year-old wife and mother. Amazon and the slide's manufacturer, SLB Toys USA, settled with the survivors for an undisclosed amount.
&lt;/P&gt;&lt;P&gt;
&lt;B&gt;Meanwhile&lt;/B&gt;, Wal-Mart and the Chinese manufacturer are being sued following a similar accident in Missouri that left a man a quadriplegic.
&lt;/P&gt;&lt;P&gt;
Court records  note that more than 4,000 of the slides have been sold in the U.S. 
&lt;/P&gt;&lt;P&gt;
&lt;H2&gt;&lt;Font size=+2&gt;Once again&lt;/Font&gt;&lt;/H2&gt;
&lt;/P&gt;&lt;P&gt;
&lt;B&gt;Courts are holding importers and retailers responsible for the products they handle.&lt;/B&gt;
&lt;/P&gt;&lt;P&gt;
This is becoming a regular message in this blog space.
&lt;/P&gt;&lt;P&gt;
According to The Salem News article, Toys "R" Us apparently failed to have its Chinese testing company test the slide for compliance with U.S. safety rules. Toys "R" Us contended that the slide, since it is inflatable, did not need to be tested. Federal standards require testing.
&lt;/P&gt;&lt;P&gt;
The complete article can be read on The Salem News' Web site (ibid.).
&lt;/P&gt;&lt;P&gt;
The bottom line is that any business that &lt;i&gt;touches&lt;/i&gt; a product that is blamed - no proof necessary - for causing death, injury, or financial loss (e.g., Chinese wall board) can find itself in court. Even if it prevails, there are both financial and reputational damages to overcome. If it loses, there can be - as in the Salem MA instance - hefty penalties.
&lt;/P&gt;&lt;P&gt;
There may not be any 100 percent protection, but unless the organizations that "touch" the product perform "due diligence" and either test or confirm that another organization along the supply chain has tested the product &lt;i&gt;for compliance to &lt;U&gt;both&lt;/U&gt; federal and local laws&lt;/i&gt;, all organizations are at risk.
&lt;/P&gt;&lt;P&gt;
Will a 1-in-1000 unit sampling be sufficient?
&lt;/P&gt;&lt;P&gt;
In the case of the Banzai Falls, a 1:1000 sampling ratio would be considered insufficient. Perhaps 1:100 would be valid. In the specific Banzai Falls case, just one test to U.S. safety standards might have been sufficient to identify the problem that is alleged to have caused at least one death and one spinal cord injury. (The accident details are on the newspaper's Web site.)
&lt;/P&gt;&lt;P&gt;
With 4,000 units scattered around the U.S., and with multiple retailers (Wal-Mart, Toys "R" Us, and perhaps others), the importer would &lt;i&gt;seem&lt;/i&gt; to have the greatest responsibility for testing. The courts, at least the one in Salem MA, apparently believe the retailer should bear the financial burden.
&lt;/P&gt;&lt;P&gt;
Even Amazon, which apparently only provided a link to the Toys "R" Us advertisement, ended up as a defendant in the Salem case.
&lt;/P&gt;&lt;P&gt;
&lt;I&gt;If I wrote it, you may quote it&lt;/I&gt;
&lt;/P&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5931600765099861931-5155030254559920511?l=johnglennmbci.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://www.salemnews.com/local/x350483654/Jury-awards-20-6-million-in-pool-slide-death' title='&lt;H3&gt;&lt;U&gt;ERM-BC-COOP&lt;/U&gt;&lt;/H3&gt; &lt;H1&gt;Importers put on notice - again&lt;/H1&gt;'/><link rel='replies' type='application/atom+xml' href='http://johnglennmbci.blogspot.com/feeds/5155030254559920511/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5931600765099861931&amp;postID=5155030254559920511&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/5155030254559920511'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/5155030254559920511'/><link rel='alternate' type='text/html' href='http://johnglennmbci.blogspot.com/2011/10/erm-bc-coop-importers-put-on-notice.html' title='&lt;H3&gt;&lt;U&gt;ERM-BC-COOP&lt;/U&gt;&lt;/H3&gt; &lt;H1&gt;Importers put on notice - again&lt;/H1&gt;'/><author><name>John Glenn MBCI</name><uri>http://www.blogger.com/profile/03499458727913967175</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='11' height='32' src='http://bp2.blogger.com/_j2DodcRshS0/R_-0aRRk2PI/AAAAAAAAAAk/d-6wSUMOBX4/S220/litehous-sml.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5931600765099861931.post-7122078689623149070</id><published>2011-10-16T19:48:00.002Z</published><updated>2011-11-08T21:36:10.473Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='Enterprise Risk Management'/><category scheme='http://www.blogger.com/atom/ns#' term='Business 
Continuity'/><title type='text'>ERM-BC-COOP Note worthy</title><content type='html'>&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;
Today's AdvisenFPN offered a couple of note worthy items.&lt;/P&gt;&lt;P&gt;
First, from the New York Times, an article headlined &lt;U&gt;Bits: Stanford Researcher Finds Lots of Leaky Web Sites&lt;/U&gt;.&lt;/P&gt;&lt;P&gt;
The NYT article tells us that scientists at Stanford University discovered that&lt;/P&gt;&lt;P&gt;
&lt;UL&gt;&lt;LI&gt;If you type a wrong password into the Web site of The Wall Street Journal, it turns out that your e-mail address quietly slips out to seven unrelated Web sites. &lt;/P&gt;&lt;P&gt;
&lt;/LI&gt;&lt;LI&gt;Sign on to NBC and, likewise, seven other companies can capture your e-mail address. &lt;/P&gt;&lt;P&gt;
&lt;/LI&gt;&lt;LI&gt;Click on an ad on HomeDepot.com and your first name and user ID are instantly revealed to 13 other companies&lt;/LI&gt;&lt;/UL&gt;&lt;/P&gt;&lt;P&gt;
These are, according to the Center for Internet and Society at Stanford Law School, among the leaks found on 185 top Web sites.&lt;/P&gt;&lt;P&gt;
If the rest of the Times' copy is accurate, it's all downhill from there.&lt;/P&gt;&lt;P&gt;
The entire document is on the NYT Web site at &lt;A HREF="http://tinyurl.com/6cys4fl" TARGET="NYT"&gt;http://tinyurl.com/6cys4fl&lt;/a&gt;.&lt;/P&gt;&lt;P&gt;
&lt;B&gt;Next, in an in-house story&lt;/B&gt; headlined &lt;U&gt;Top Cyber Losses Are Not All Hacks!&lt;/U&gt;, Advisen's Research &amp; Editorial group writes that "Not every headline-grabbing cyber loss is caused by sophisticated hackers. A case in point is one of the latest actions captured in Advisen's MSCAd Loss Events database—a $20 million suit against Stanford Hospital &amp; Clinics."&lt;UL&gt;&lt;i&gt;As reported in last Friday's FPN edition, in an article titled &lt;U&gt;How Did Data About Patients Land on Web? Don't Even Ask&lt;/U&gt;, the hospital acknowledged that a breach of 20,000 records occurred on Sept. 8, 2011. The convoluted series of events leading to the breach had no hacker in sight. Instead, a job applicant for a marketing firm posted a spreadsheet containing the medical records on a homework-help website, seeking advice on how to convert the spreadsheet information into a graph. The marketing firm offering the job was a vendor for the hospital's billing contractor. &lt;/I&gt;&lt;/UL&gt;&lt;FONT FACE=ARIAL HELVETICA&gt;By the way, asking "The World" for help to accomplish something seems to be an everyday event, especially if you watch the social networks, even the ones with a professional demeanor.&lt;/FONT&gt;&lt;/P&gt;&lt;P&gt;
According to Advisen's MSCAd database, more than half of the largest known data breach events, potentially compromising millions of identities, have resulted from lost CDs and hard drives, stolen laptops, and missing storage tapes.&lt;/P&gt;&lt;P&gt;
That doesn't mean that hackers are not a concern, only that hackers should not be the &lt;B&gt;ONLY&lt;/B&gt; concern.&lt;/P&gt;&lt;P&gt;
Included among the victims are large U.S. financial institutions, private companies abroad, and government agencies in the U.S. and Canada.&lt;/P&gt;&lt;P&gt;
A sampling of &lt;B&gt;NON-HACKER&lt;/B&gt; damage includes:&lt;/P&gt;&lt;P&gt;
&lt;UL&gt;&lt;LI&gt;Data CDs lost in transit&lt;/P&gt;&lt;P&gt;
&lt;/LI&gt;&lt;LI&gt;Data DVD and CD improperly disposed of, found on street&lt;/P&gt;&lt;P&gt;
&lt;/LI&gt;&lt;LI&gt;Data storage tapes lost in transit &lt;/P&gt;&lt;P&gt;
&lt;/LI&gt;&lt;LI&gt;Identity theft by help desk worker, ran up $50m of fraudulent charges&lt;/P&gt;&lt;P&gt;
&lt;/LI&gt;&lt;LI&gt;Identity theft from unauthorized sale of customer data&lt;/P&gt;&lt;P&gt;
&lt;/LI&gt;&lt;LI&gt;Identity theft resulting in re-routing of policy proceeds, through call center&lt;/P&gt;&lt;P&gt;
&lt;/LI&gt;&lt;LI&gt;Illegal access by employees &amp; outsiders to credit history data&lt;/P&gt;&lt;P&gt;
&lt;/LI&gt;&lt;LI&gt;Laptop stolen from employee's home&lt;/P&gt;&lt;P&gt;
&lt;/LI&gt;&lt;LI&gt;Lost hard disk drive &lt;/P&gt;&lt;P&gt;
&lt;/LI&gt;&lt;LI&gt;Stolen microfiche tax records &lt;/P&gt;&lt;P&gt;
&lt;/LI&gt;&lt;LI&gt;Unauthorized distribution/sale of personal &amp; financial consumer data&lt;/LI&gt;&lt;/UL&gt;&lt;/P&gt;&lt;P&gt;
The point being that protecting data is not &lt;b&gt;just&lt;/b&gt; an InfoTech function or even a Security function. It is most assuredly a risk management function.&lt;/P&gt;&lt;P&gt;
In the above bullet list, how much damage might have been avoided by personnel training and awareness? How much by having, and enforcing, policies and procedures to protect data?&lt;/P&gt;&lt;P&gt;
While I am a risk management subject matter "expert," I am not a security guru. &lt;/P&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5931600765099861931-7122078689623149070?l=johnglennmbci.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://johnglennmbci.blogspot.com/feeds/7122078689623149070/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5931600765099861931&amp;postID=7122078689623149070&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/7122078689623149070'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/7122078689623149070'/><link rel='alternate' type='text/html' href='http://johnglennmbci.blogspot.com/2011/10/eerm-bc-coop-note-worthy.html' title='&lt;H3&gt;&lt;U&gt;ERM-BC-COOP&lt;/U&gt;&lt;/H3&gt; &lt;H1&gt;Note worthy&lt;/H1&gt;'/><author><name>John Glenn MBCI</name><uri>http://www.blogger.com/profile/03499458727913967175</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='11' height='32' src='http://bp2.blogger.com/_j2DodcRshS0/R_-0aRRk2PI/AAAAAAAAAAk/d-6wSUMOBX4/S220/litehous-sml.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5931600765099861931.post-6251894992665405869</id><published>2011-10-09T22:49:00.005Z</published><updated>2011-11-08T21:37:05.507Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='Enterprise Risk Management'/><category scheme='http://www.blogger.com/atom/ns#' term='Business Continuity'/><title type='text'>ERM-BC-COOP  No experience necessary</title><content type='html'>&lt;P&gt;&amp;nbsp;
&lt;/P&gt;&lt;P&gt;
As most readers who frequent this blog know, I am active on a number of lists and forums.
&lt;/P&gt;&lt;P&gt;
Today I was reading an appeal from a consultant with a Big Name Company.
&lt;/P&gt;&lt;P&gt;
Our poster, who, it turns out, misspelled "consultant" and "architect" on his bio, asked the group for exercise &lt;u&gt;scenarios&lt;/U&gt;.
&lt;/P&gt;&lt;P&gt;
Now this person claims to have been around the IT block for a number of years and worked with companies whose names most of us recognize.
&lt;/P&gt;&lt;P&gt;
There is nothing in his recent job titles to indicate any experience with business continuity but he does claim "IT Disaster Recovery" experience.
&lt;/P&gt;&lt;P&gt;
Today, the consultant is a "lead technology architect."
&lt;/P&gt;&lt;P&gt;
The questions I have to ask are: 
&lt;/P&gt;&lt;P&gt;
&lt;UL&gt;WHY does his organization put a person in a position for which he obviously is not qualified?
&lt;/P&gt;&lt;P&gt;
WHY does the person turn to the groups rather than his consultant peers in his company? Is no one qualified?
&lt;/P&gt;&lt;P&gt;
WHY, if this person has been "around-the-block" enough times, does he need help coming up with &lt;I&gt;scenarios&lt;/i&gt;; he's not asking for exercise plans, just ideas. What, after all, can possibly go wrong, go wrong, go . . . &lt;/UL&gt;
&lt;/P&gt;&lt;P&gt;
I have known of companies who promote a journeyman IT staffer to a business continuity function sans any knowledge of business continuity on the victim's part - and I use "victim" deliberately since the person is being thrown to the wolves. Of course in those conditions, everyone in the organization is being thrown to the wolves.
&lt;/P&gt;&lt;P&gt;
I'm more than willing to help newbies, &lt;i&gt;especially&lt;/i&gt; if the newbie makes an effort on his or her own behalf.
&lt;/P&gt;&lt;P&gt;
Most "senior practitioners" feel likewise.
&lt;/P&gt;&lt;P&gt;
But my peers and I take umbrage - usually with our morning coffee - when a person represented as an expert (consultants are, after all, &lt;i&gt;supposed&lt;/i&gt; to be experts, that's why they get the Big Bucks) has to appeal to the masses for some really basic information.
&lt;/P&gt;&lt;P&gt;
Worse, the poster &lt;i&gt;should&lt;/i&gt; have a multitude of resources available within the organization; again, it is a Big Name company. If not, then I have some names of people the Big Name company should engage if it intends to market risk management, even if only IT disaster recovery; these true experts can mentor others to develop a well-trained cadre of competent consultants.
&lt;/P&gt;&lt;P&gt;
&lt;I&gt;If I wrote it, you may quote it&lt;/I&gt;&lt;/P&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5931600765099861931-6251894992665405869?l=johnglennmbci.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://johnglennmbci.blogspot.com/feeds/6251894992665405869/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5931600765099861931&amp;postID=6251894992665405869&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/6251894992665405869'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/6251894992665405869'/><link rel='alternate' type='text/html' href='http://johnglennmbci.blogspot.com/2011/10/erm-bc-coop-no-experience-necessary.html' title='&lt;H3&gt;&lt;U&gt;ERM-BC-COOP&lt;/U&gt;&lt;/H3&gt;  &lt;H1&gt;No experience necessary&lt;/H1&gt;'/><author><name>John Glenn MBCI</name><uri>http://www.blogger.com/profile/03499458727913967175</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='11' height='32' src='http://bp2.blogger.com/_j2DodcRshS0/R_-0aRRk2PI/AAAAAAAAAAk/d-6wSUMOBX4/S220/litehous-sml.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5931600765099861931.post-1877926470158471508</id><published>2011-10-06T13:42:00.004Z</published><updated>2011-11-08T21:43:54.648Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='Enterprise Risk Management'/><category scheme='http://www.blogger.com/atom/ns#' term='Business Continuity'/><title type='text'>ERM-BC-COOP  Experience pays</title><content type='html'>&lt;P&gt;&amp;nbsp;
&lt;/P&gt;&lt;P&gt;
In a very short AP article picked up by AdvisenFPN, a lawyer is claiming that the &lt;U&gt;cause&lt;/u&gt; of the crash of &lt;i&gt;Air France&lt;/i&gt; Flight 447 from Rio to Paris was faulty data fed to the air crew by the Airbus' computers.
&lt;/P&gt;&lt;P&gt;
Both the airline and the aircraft maker are charged in France with involuntary homicide for the crash that killed all 228 on board.
&lt;/P&gt;&lt;P&gt;
According to French accident investigators, the accident occurred when poorly trained pilots reacted exactly as they should &lt;B&gt;&lt;U&gt;not&lt;/U&gt;&lt;/B&gt; have by pointing the plane's nose up instead of down when it stalled over the Atlantic.
&lt;/P&gt;&lt;P&gt;
However, the report also noted that the aircrew was dealing with bad weather, faulty sensors, incoherent speed readings, and a cacophony of alarms.
&lt;/P&gt;&lt;P&gt;
Compare the fatal Air France crash with the US Airways crash into the Hudson.
&lt;/P&gt;&lt;P&gt;
The difference, if the French government agency is to be believed, can be summed up in one word: 
&lt;/P&gt;&lt;P&gt;
&lt;FONT SIZE=+1&gt;&lt;B&gt;T&amp;nbsp;R&amp;nbsp;A&amp;nbsp;I&amp;nbsp;N&amp;nbsp;I&amp;nbsp;N&amp;nbsp;G&lt;/b&gt;&lt;/FONT&gt;
&lt;/P&gt;&lt;P&gt;
The difference between an efficient and expeditious recovery and an over-budget, over-time recovery can be summed up in the same word.
&lt;/P&gt;&lt;P&gt;
Training - exercises - cannot be emphasized enough.
&lt;/P&gt;&lt;P&gt;
The &lt;i&gt;problem&lt;/i&gt; is that a person knowing how to perform day-to-day operations may not - indeed, probably will not  - know how to perform "similar" functions when responding to an event.
&lt;/P&gt;&lt;P&gt;
I discovered while working for a former top-tier defense contractor that things taken for granted can sometimes foul up the works.
&lt;/P&gt;&lt;P&gt;
For example, rebuilding a computer.
&lt;/P&gt;&lt;P&gt;
&lt;UL&gt;Where is the media?
&lt;/P&gt;&lt;P&gt;
Where are the licenses if needed?
&lt;/P&gt;&lt;P&gt;
Where are the installation instructions? (They should be in the Plan document, but . . .)&lt;/UL&gt;
&lt;/P&gt;&lt;P&gt;
By the way, if restoration depends on Internet-accessible information, how can the Internet be accessed if the data center is ash? Run to Starbucks for WiFi connectivity?
&lt;/P&gt;&lt;P&gt;
Capt. Chesley "Sully" Sullenberger and his US Airways crew drilled and drilled and drilled some more on emergency situations to the point that the flight deck crew knew when to believe or ignore instrumentation.
&lt;/P&gt;&lt;P&gt;
Granted, the US Airways flight was not well off-shore over an ocean and not at altitude - had those conditions been the case, the flight might have ended tragically, but perhaps not.
&lt;/P&gt;&lt;P&gt;
When Canada moved from Imperial gallons to liters, there was a foul-up on a Boeing's fuel capacity.
&lt;/P&gt;&lt;P&gt;
On a cross-country flight, the jet's tanks ran dry.
&lt;/P&gt;&lt;P&gt;
But because the pilot was well trained, he managed to glide the aircraft safely to the ground from its normal altitude of 30-plus thousand feet. (Its glide ratio of 17:1 is about 17 feet forward for every 1 foot in altitude.)
&lt;/P&gt;&lt;P&gt;
Actually that was "no big deal";  the space shuttles glide in from a much higher altitude. (Glide ratio is about 1:1)
&lt;/P&gt;&lt;P&gt;
In all three cases, US Airways, the Canadian jet, and the space shuttles, the one thing that these crews had that, apparently, the Air France crew lacked was TRAINING.
&lt;/P&gt;&lt;P&gt;
Not training to snooze through a routine, mostly on auto-pilot flight, but training to handle complex and unusual situations.
&lt;/P&gt;&lt;P&gt;
Not training to come into an office, turn on a computer and use a special phone in a call center, but training to go to an alternate site and perhaps use a pencil and paper to record call activity until IT can restore links to a database.
&lt;/P&gt;&lt;P&gt;
Exercises can be expensive - they take personnel away from their "real" jobs for the duration - but in the long run, exercises can be the difference between a successful, rapid recovery and no recovery.
&lt;/P&gt;&lt;P&gt;
Afterthought. Experience also pays handsome dividends when engaging a risk practitioner, someone who knows where to look for threats to "business as usual."
&lt;/P&gt;&lt;P&gt;
&lt;I&gt;If I wrote it, you may quote it&lt;/I&gt;
&lt;/P&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5931600765099861931-1877926470158471508?l=johnglennmbci.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://johnglennmbci.blogspot.com/feeds/1877926470158471508/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5931600765099861931&amp;postID=1877926470158471508&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/1877926470158471508'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/1877926470158471508'/><link rel='alternate' type='text/html' href='http://johnglennmbci.blogspot.com/2011/10/erm-bc-coop-experience-pays.html' title='&lt;H3&gt;&lt;U&gt;ERM-BC-COOP&lt;/U&gt;&lt;/H3&gt;  &lt;H1&gt;Experience pays&lt;/H1&gt;'/><author><name>John Glenn MBCI</name><uri>http://www.blogger.com/profile/03499458727913967175</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='11' height='32' src='http://bp2.blogger.com/_j2DodcRshS0/R_-0aRRk2PI/AAAAAAAAAAk/d-6wSUMOBX4/S220/litehous-sml.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5931600765099861931.post-7536928776604309334</id><published>2011-10-02T20:17:00.000Z</published><updated>2011-10-02T20:19:14.666Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='Enterprise Risk Management'/><category scheme='http://www.blogger.com/atom/ns#' term='Business Continuity'/><title type='text'>ERM-BC-COOP Intellectual-property</title><content type='html'>&lt;P&gt;&amp;nbsp;
&lt;/P&gt;&lt;P&gt;
Two articles on the same day in the AdvisenFPN bulletin addressed the issue of "intellectual-property."
&lt;/P&gt;&lt;P&gt;
The first, headlined &lt;b&gt;&lt;u&gt;DuPont Wins Nearly $1 Billion In Secrets Case &lt;/u&gt;&lt;/b&gt; reports that a court awarded DuPont US$919.9 million in damages for a Korean company's alleged theft of secrets regarding the manufacture of Kevlar body armor.
&lt;/P&gt;&lt;P&gt;
The second, with the head &lt;b&gt;&lt;u&gt;SAP will pay fine of $20 million in Oracle copyright case&lt;/u&gt;&lt;/b&gt;, details how Germany's SAP AG agreed to pay a criminal penalty of US$20 million for stealing secrets from Oracle. Oracle still has a civil suit against SAP and is seeking additional financial penalties against the Germans.
&lt;/P&gt;&lt;P&gt;
For a risk management practitioner, these stories raise a two-sided concern.
&lt;/P&gt;&lt;P&gt;
&lt;B&gt;Side One: Don't be a victim.&lt;/B&gt;
&lt;/P&gt;&lt;P&gt;
&lt;UL&gt;In the DuPont Kevlar case, DuPont claims the Korean company, Kolon, acquired its trade secrets by hiring and attempting to hire former DuPont employees. There was no mention in the article, originally in the &lt;I&gt;Wall Street Journal&lt;/I&gt;, of any Non-Disclosure Agreements (NDAs) or indication that DuPont was suing any former employees.
&lt;/P&gt;&lt;P&gt;
&lt;I&gt;Kolon has filed an anti-trust suit against DuPont; the article did not provide specifics.&lt;/I&gt;
&lt;/P&gt;&lt;P&gt;
In the Oracle secrets case, reported in the &lt;I&gt;San Jose Mercury News&lt;/I&gt;, SAP admitted its personnel "accessed Oracle's computers without permission and made thousands of unauthorized copies of Oracle's software." &lt;/UL&gt; 
&lt;/P&gt;&lt;P&gt;
&lt;B&gt;Side Two: Don't spy on the competition.&lt;/B&gt;
&lt;/P&gt;&lt;P&gt;
&lt;UL&gt;It's tempting to try and gain an advantage through someone else's effort, as SAP admitted to doing, but it's expensive.
&lt;/P&gt;&lt;P&gt;
Being able to define what is a "kosher" way to acquire information about a rival and its products - and in the case of international organizations and patents, this can include a number of laws, some of which may be in conflict with others - is what keeps patent lawyers in business.
&lt;/P&gt;&lt;P&gt;
Even if the defendant - your company - prevails, the company bottom line takes a hit with lawyers and expert witness fees.&lt;/UL&gt;
&lt;/P&gt;&lt;P&gt;
Industrial espionage is big business and it is a specialty business.
&lt;/P&gt;&lt;P&gt;
The risk management practitioner needs to know the risks are there and the practitioner needs to make the risks known to management.
&lt;/P&gt;&lt;P&gt;
&lt;I&gt;Most risk management practitioners that I know are &lt;b&gt;&lt;u&gt;not&lt;/u&gt;&lt;/b&gt; industrial espionage experts - nor are they financial gurus or HR mavens or ... They ARE risk management Subject Matter Experts - people who know to whom to turn for expert advice.&lt;/I&gt;
&lt;/P&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5931600765099861931-7536928776604309334?l=johnglennmbci.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://johnglennmbci.blogspot.com/feeds/7536928776604309334/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5931600765099861931&amp;postID=7536928776604309334&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/7536928776604309334'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/7536928776604309334'/><link rel='alternate' type='text/html' href='http://johnglennmbci.blogspot.com/2011/10/erm-bc-coop-intellectual-property.html' title='&lt;H3&gt;&lt;U&gt;ERM-BC-COOP&lt;/U&gt;&lt;/H3&gt; &lt;H1&gt;Intellectual-property&lt;/h1&gt;'/><author><name>John Glenn MBCI</name><uri>http://www.blogger.com/profile/03499458727913967175</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='11' height='32' src='http://bp2.blogger.com/_j2DodcRshS0/R_-0aRRk2PI/AAAAAAAAAAk/d-6wSUMOBX4/S220/litehous-sml.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5931600765099861931.post-4265220653126825366</id><published>2011-09-28T13:26:00.001Z</published><updated>2011-09-28T13:31:11.686Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='Enterprise Risk Management'/><category scheme='http://www.blogger.com/atom/ns#' term='Business Continuity'/><title type='text'>ERM-BC-COOP Contractor or employee Feds want to know</title><content type='html'>&lt;P&gt;&amp;nbsp;
&lt;/p&gt;&lt;p&gt;
According to a &lt;i&gt;Wall Street Journal&lt;/i&gt; article titled &lt;U&gt;Price Of Reclassifying Workers&lt;/U&gt;, the federal government is going after employers - typically small businesses - that have questionable contract employee practices. (Read the full article at &lt;A HREF="http://tinyurl.com/6hn8v4e" TARGET="WSJ"&gt;http://tinyurl.com/6hn8v4e&lt;/A&gt;.)
&lt;/p&gt;&lt;p&gt;
The problem is: When is a contractor a staffer?
&lt;/p&gt;&lt;p&gt;
This is a problem an alert risk management practitioner should identify and bring to the client's attention.
&lt;/p&gt;&lt;p&gt;
&lt;I&gt;As with most things "risk management," the practitioner can only lead the horse to water (make the client aware of a risk); the practitioner can't make the horse drink (make the client avoid or mitigate the risk).&lt;/I&gt;
&lt;/p&gt;&lt;p&gt;
The IRS, which is running the investigation, announced a program to allow small businesses to "reclassify" personnel the IRS might determine to be employees (vs. contractors) with only "limited" penalties.
&lt;/p&gt;&lt;p&gt;
There are pluses and minuses to "converting" a person's status from "contractor" to "employee." Some of the negatives come into play when an organization's head count reaches 50. On the plus side, some companies report improved worker loyalty and increased profitability by bringing on staff as actual employees (vs. contractors).
&lt;/p&gt;&lt;p&gt;
The bottom line for risk management practitioners is to be aware of the situation and to recommend, where appropriate, that the client seek professional advice from a labor law specialist. It's far less expensive to pay for a consultation with a labor law expert than to try to defend a position against the IRS, especially in an IRS court where there is no appeal.
&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5931600765099861931-4265220653126825366?l=johnglennmbci.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://online.wsj.com/article/SB10001424053111903791504576588811797594764.html?KEYWORDS=Price+Of+Reclassifying+Workers' title='&lt;H3&gt;&lt;U&gt;ERM-BC-COOP&lt;/U&gt;&lt;/H3&gt; &lt;H1&gt;Contractor or employee&lt;/H1&gt; &lt;H2&gt;&lt;FONT SIZE=+2&gt;Feds want to know&lt;/FONT&gt;&lt;/H2&gt;'/><link rel='replies' type='application/atom+xml' href='http://johnglennmbci.blogspot.com/feeds/4265220653126825366/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5931600765099861931&amp;postID=4265220653126825366&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/4265220653126825366'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/4265220653126825366'/><link rel='alternate' type='text/html' href='http://johnglennmbci.blogspot.com/2011/09/erm-bc-coop-contractor-or-employee-feds.html' title='&lt;H3&gt;&lt;U&gt;ERM-BC-COOP&lt;/U&gt;&lt;/H3&gt; &lt;H1&gt;Contractor or employee&lt;/H1&gt; &lt;H2&gt;&lt;FONT SIZE=+2&gt;Feds want to know&lt;/FONT&gt;&lt;/H2&gt;'/><author><name>John Glenn MBCI</name><uri>http://www.blogger.com/profile/03499458727913967175</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='11' height='32' 
src='http://bp2.blogger.com/_j2DodcRshS0/R_-0aRRk2PI/AAAAAAAAAAk/d-6wSUMOBX4/S220/litehous-sml.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5931600765099861931.post-8913986604041099034</id><published>2011-09-23T14:24:00.002Z</published><updated>2011-09-23T14:30:38.082Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='Enterprise Risk Management'/><category scheme='http://www.blogger.com/atom/ns#' term='Business Continuity'/><title type='text'>ERM-BC-COOP Ignore experts at own risk</title><content type='html'>&lt;P&gt;&amp;nbsp;
&lt;/P&gt;&lt;P&gt;
According to multiple sources (see end of file for list/URLs), the New York Court of Appeals ruled that the Port Authority of New York and New Jersey is free of liability for the 1993 bombing of a World Trade Center building.
&lt;/P&gt;&lt;P&gt;
The &lt;U&gt;&lt;I&gt;reason&lt;/I&gt;&lt;/U&gt; cited by the court in its split decision was that the Port Authority is immune from suits as a government agency.
&lt;/P&gt;&lt;P&gt;
A little history.
&lt;/P&gt;&lt;P&gt;
The Port Authority owned the World Trade Center buildings.
&lt;/P&gt;&lt;P&gt;
According to the New York Times, although "&lt;i&gt;the court’s decision &lt;font color=red&gt;&lt;u&gt;highlighted many of the warnings that had been made to agency officials about the potential risk of a car bomb in the garage&lt;/u&gt;&lt;/font&gt;, the court made it clear that the agency had also believed it had good reasons to concentrate its security measures elsewhere at the trade center complex&lt;/i&gt;." (Emphasis mine.)
&lt;/P&gt;&lt;P&gt;
Reuters reports that the "February 1993 bombing killed six people and injured close to 1,000. Six men were convicted including Ramzi Yousef, who was tied to al Qaeda." 
&lt;/P&gt;&lt;P&gt;
The Reuters article continued: "Lower courts had ruled that the Port Authority acted as a private landlord because the World Trade Center was largely a commercial complex. In her dissent, Appeals Court Judge Carmen Beauchamp Ciparick agreed with that position.
&lt;/P&gt;&lt;P&gt;
"The Port Authority's security decisions regarding the garage were made by civilian managers, not law enforcement or security authorities, and stemmed from commercial concerns," Ciparick wrote.
&lt;/P&gt;&lt;P&gt;
In the majority opinion the court noted that, "the Port Authority solicited numerous expert opinions on the security risks and measures to be considered before allocating its police resources. While the Port Authority's decision-making could have proceeded along different acceptable paths of action, in this case, it reached a reasoned discretionary conclusion to heighten security in sectors of the WTC considered more susceptible to harmful attack" according to Jurist.org.
&lt;/P&gt;&lt;P&gt;
But, as Judge Ciparick noted in her opinion, the "Port Authority's security decisions regarding the garage &lt;FONT COLOR=RED&gt;&lt;U&gt;were made by civilian managers, not law enforcement or security authorities&lt;/U&gt;&lt;/FONT&gt;." (Emphasis mine.)
&lt;/P&gt;&lt;P&gt;
To be fair to Port Authority management, decisions had to be made based on available resources. That's the unfortunate case for all organizations.
&lt;/P&gt;&lt;P&gt;
At the time, and despite the warnings from "numerous expert opinions on the security risks and measures to be considered," car bombings, especially car bombings to bring down buildings in the US, were almost unknown.
&lt;/P&gt;&lt;P&gt;
Two truck bombs had gone off outside a military barracks in Beirut in 1983 killing 299 American and other servicemen; Islamic Jihad claimed responsibility. But that was overseas; such things didn't happen on U.S. soil. (Actually bombings were common in the U.S., including bombing buildings, but never on the scale of the Trade Center buildings.)
&lt;/P&gt;&lt;P&gt;
The Alfred P. Murrah Federal Building in downtown Oklahoma City wasn't brought down by Timothy McVeigh and friends until April 19, 1995. 
&lt;/P&gt;&lt;P&gt;

&lt;/P&gt;&lt;P&gt;
The lower court ruling that was appealed to the higher court allocated 68 percent of the fault to the Port Authority for the terrorist attack. The terrorists were ruled to be 32 percent responsible. 
&lt;/P&gt;&lt;P&gt;
Apparently had the Trade Center buildings been owned by a non-government agency, the decision would have been against the Port Authority.
&lt;/P&gt;&lt;P&gt;
There are lessons to be learned here.
&lt;/P&gt;&lt;P&gt;
&amp;nbsp;
&lt;/P&gt;&lt;P&gt;
&lt;FONT SIZE=-1&gt;&lt;B&gt;New York Times&lt;/b&gt;, &lt;u&gt;Port Authority Not Liable in Bombing, Court Rules&lt;/u&gt;, http://tinyurl.com/3krxsmn
&lt;/P&gt;&lt;P&gt;
&lt;B&gt;Reuters&lt;/B&gt;, &lt;U&gt;Port Authority not liable in 1993 WTC attack, court&lt;/U&gt;, http://tinyurl.com/3g86e48
&lt;/P&gt;&lt;P&gt;
&lt;B&gt;Jurist.org&lt;/B&gt;, &lt;u&gt;New York court: Port Authority not liable for 1993 World Trade Center bombing&lt;/u&gt;, http://tinyurl.com/3mzrq3o &lt;/FONT&gt;
&lt;/P&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5931600765099861931-8913986604041099034?l=johnglennmbci.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://johnglennmbci.blogspot.com/feeds/8913986604041099034/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5931600765099861931&amp;postID=8913986604041099034&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/8913986604041099034'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/8913986604041099034'/><link rel='alternate' type='text/html' href='http://johnglennmbci.blogspot.com/2011/09/erm-bc-coop-ignore-experts-at-own-risk.html' title='&lt;H3&gt;&lt;U&gt;ERM-BC-COOP&lt;/U&gt;&lt;/H3&gt; &lt;H1&gt;Ignore experts at own risk&lt;/h1&gt;'/><author><name>John Glenn MBCI</name><uri>http://www.blogger.com/profile/03499458727913967175</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='11' height='32' src='http://bp2.blogger.com/_j2DodcRshS0/R_-0aRRk2PI/AAAAAAAAAAk/d-6wSUMOBX4/S220/litehous-sml.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5931600765099861931.post-2377714764671509856</id><published>2011-09-22T15:25:00.002Z</published><updated>2011-09-22T15:32:02.602Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='Enterprise Risk Management'/><category scheme='http://www.blogger.com/atom/ns#' term='Business Continuity'/><title type='text'>ERM-BC-COOP  Read and forgotten</title><content type='html'>&amp;nbsp;
&lt;/P&gt;&lt;P&gt;
What happens when a person applies for a job?
&lt;/P&gt;&lt;P&gt;
The Reader's Digest version:
&lt;/P&gt;&lt;ul&gt;&lt;P&gt;
HR reviews the resume to see if the candidate meets the requirements.
&lt;/P&gt;&lt;P&gt;
The hiring manager reviews the resume and may decide to interview the candidate.
&lt;/P&gt;&lt;P&gt;
The candidate is hired - or not.
&lt;/P&gt;&lt;P&gt;
The resume goes into the files, be they paper or electronic, with the &lt;i&gt;intent&lt;/i&gt; that the information will be readily available in the future.
&lt;/P&gt;&lt;P&gt;
And then the resume is forgotten.
&lt;/UL&gt;&lt;/P&gt;&lt;P&gt;
It happens all the time, in all manner of organizations.
&lt;/P&gt;&lt;P&gt;
Case in point. I was on a contract when I learned that a fellow - a staff person - two doors down from my work area had business continuity experience.
&lt;/P&gt;&lt;P&gt;
I'm glad I got the job, but the client &lt;U&gt;HAD AN EXCELLENT RESOURCE IN HOUSE.&lt;/U&gt;
&lt;/P&gt;&lt;P&gt;
The guy was doing something &lt;i&gt;other than&lt;/i&gt; business continuity and no one either bothered to ASK if anyone in the area had business continuity experience or to check the resume database.
&lt;/P&gt;&lt;P&gt;
I was hired at one company as an IT business analyst, basically to go between my boss and his customers, people who he promised to give what HE wanted to give them.
&lt;/P&gt;&lt;P&gt;
Somewhere along the way, a decision was made at a pay grade far above my boss' that the organization needed a business continuity plan, something more than what a colorful Big Name company called "business continuity."
&lt;/P&gt;&lt;P&gt;
Anyway, I went flying into the boss' office waving my resume and pointing to 8 or so years business continuity experience.
&lt;/P&gt;&lt;P&gt;
I got to do the plan, my boss ignored the recommendations, the facility was closed for a week due to power outage, and my boss was transferred to a less desirable location. At this point I already was working elsewhere.
&lt;/P&gt;&lt;P&gt;
While ostensibly employed as a technical writer, my employer needed some marketing created. Having been a marketing director - that and $5 may buy a lousy cup of coffee - at another outfit, I volunteered my services - knowing that HR never read &lt;i&gt;that&lt;/i&gt; part of my resume.
&lt;/P&gt;&lt;P&gt;
At another tech writer job, I reminded my boss that I once flacked for a university and we started some PR/marketing projects "in my spare time." Since I also was a former reporter/editor and printer, we started producing an internal/external (to our distributors) newsletter, complete with black and white (read "inexpensive") co-op advertisements.
&lt;/P&gt;&lt;P&gt;
Many people have broad backgrounds, either as a vocation or avocation.
&lt;/P&gt;&lt;P&gt;
I know people who are HAMs - amateur radio operators who have all manner of equipment, mostly high frequency shortwave, but their &lt;u&gt;knowledge&lt;/u&gt; of two-way communications covers the frequency spectrum. A great asset when considering two-way radio as an alternative communications option.
&lt;/P&gt;&lt;P&gt;
Once, between "real" jobs I worked tinning railroad "stuff."* At one point my boss offered to teach me to drive a forklift. I stupidly passed on the opportunity.
&lt;/P&gt;&lt;P&gt;
Turns out on my very next "real" job that talent would have been very useful; we needed to move some crates. We had a forklift, but no one - not my boss, not a co-worker, and of course not this scrivener - knew how to operate the machine. We had to wait - and wait and wait - until someone with the skills &lt;i&gt;I could have acquired for free&lt;/i&gt; came to drive the forklift to move the crates.
&lt;/P&gt;&lt;P&gt;
All this leads up to a &lt;i&gt;suggestion&lt;/i&gt; that risk management practitioners get to know as many of the folks as possible; chat with them; find out their interests, their backgrounds, their hidden talents and skills.
&lt;/P&gt;&lt;P&gt;
If you are working for a monster company where the folks on the third floor don't know the people on the sixth, make friends with HR and maybe, just maybe, they can help you identify those hidden attributes.
&lt;/P&gt;&lt;P&gt;
Or you can make it part of a risk management questionnaire, but be forewarned, in a monster company you'll be burning lots of midnight oil getting all this good information into a database on your computer.
&lt;/P&gt;&lt;P&gt;
But it could prove to be a &lt;U&gt;very&lt;/u&gt; useful exercise.
&lt;/P&gt;&lt;P&gt;
&lt;I&gt;* I also once worked pickling metal for a CIA front. I didn't know it was a CIA operation then, but it makes a good story now.&lt;/I&gt;
&amp;nbsp;
&lt;/P&gt;&lt;P&gt;
If I wrote it, you may quote it.
&lt;/P&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5931600765099861931-2377714764671509856?l=johnglennmbci.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://johnglennmbci.blogspot.com/feeds/2377714764671509856/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5931600765099861931&amp;postID=2377714764671509856&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/2377714764671509856'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/2377714764671509856'/><link rel='alternate' type='text/html' href='http://johnglennmbci.blogspot.com/2011/09/erm-bc-coop-read-and-forgotten.html' title='&lt;H3&gt;&lt;U&gt;ERM-BC-COOP&lt;/U&gt;&lt;/H3&gt;  &lt;H1&gt;Read and forgotten&lt;/H1&gt;'/><author><name>John Glenn MBCI</name><uri>http://www.blogger.com/profile/03499458727913967175</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='11' height='32' src='http://bp2.blogger.com/_j2DodcRshS0/R_-0aRRk2PI/AAAAAAAAAAk/d-6wSUMOBX4/S220/litehous-sml.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5931600765099861931.post-6699776236983942649</id><published>2011-09-21T13:11:00.002Z</published><updated>2011-09-21T13:17:58.137Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='Enterprise Risk Management'/><category scheme='http://www.blogger.com/atom/ns#' term='Business Continuity'/><title type='text'>ERM-BC-COOP My bosses made me do it</title><content type='html'>&lt;P&gt;&amp;nbsp;
&lt;/P&gt;&lt;P&gt;
This will be short.
&lt;/P&gt;&lt;P&gt;
If you believe &lt;b&gt;Jerome Kerviel&lt;/b&gt;, the Société Générale trader who allegedly lost billions for his company, the &lt;i&gt;reason&lt;/i&gt; he managed to gamble so much at a time was because, he told Der Spiegel, his "&lt;i&gt;supervisors had deactivated the system of alerts. If I had wanted to, I could have even invested €100 billion in a single day. My bosses removed all the safeguards off my computer&lt;/i&gt;."
&lt;/P&gt;&lt;P&gt;
The Der Spiegel article is online at &lt;A HREF="http://www.spiegel.de/international/business/0,1518,729155,00.html" TARGET="NAZI"&gt;&lt;B&gt;http://www.spiegel.de/international/business/0,1518,729155,00.html&lt;/B&gt;&lt;/A&gt;.
&lt;/P&gt;&lt;P&gt;
According to Kerviel, his supervisors knew about his bogus trades. "&lt;i&gt;Already in April 2007, they received an e-mail saying that I was making bogus trades with nonexistent counterparties on a massive scale. My bosses told me that I should take care of the problem. Over the course of 2007, they received many more e-mails on the same issue.&lt;/I&gt;"
&lt;/P&gt;&lt;P&gt;
It should be noted, again if Kerviel's claims are true, that the trader made billions for his employer by risking similarly large amounts.
&lt;/P&gt;&lt;P&gt;
He came crashing down, perhaps bringing Société Générale with him, when he made several wrong bets and lost roughly €5 billion.
&lt;/P&gt;&lt;P&gt;
What could a risk management practitioner have done?
&lt;/P&gt;&lt;P&gt;
Aside from going to whatever authorities regulate trading in France, it would seem "not much."
&lt;/P&gt;&lt;P&gt;
Obviously - and again, if Kerviel is being honest - management was willing to close its eyes to his excessive and bogus trading - he &lt;i&gt;had been&lt;/i&gt; making profits for the company after all - and turned off some of the risk prevention or limitation controls.
&lt;/P&gt;&lt;P&gt;
Could an auditor have discovered this?
&lt;/P&gt;&lt;P&gt;
Possibly. 
&lt;/P&gt;&lt;P&gt;
Could email monitoring have uncovered it? Likely, as Kerviel stated, "&lt;i&gt;they &lt;/I&gt;(management)&lt;I&gt; received many more e-mails on the same&lt;/I&gt; (bogus trades)&lt;i&gt; issue.&lt;/I&gt;"
&lt;/P&gt;&lt;P&gt;
It is often frustrating to advise management about risks and means to avoid or mitigate them only to have management either ignore the recommendations or to actually work to enhance the risk as Kerviel claims his management did at Société Générale.
&lt;/P&gt;&lt;P&gt;
It's worth reading the entire Der Spiegel interview with Kerviel.
&lt;/P&gt;&lt;P&gt;
&amp;nbsp;
&lt;/P&gt;&lt;P&gt;
&lt;I&gt;If I wrote it, you may quote it&lt;/i&gt;&lt;/P&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5931600765099861931-6699776236983942649?l=johnglennmbci.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://www.spiegel.de/international/business/0,1518,729155,00.html' title='&lt;H3&gt;&lt;U&gt;ERM-BC-COOP&lt;/U&gt;&lt;/H3&gt; &lt;H1&gt;My bosses made me do it&lt;/H1&gt;'/><link rel='replies' type='application/atom+xml' href='http://johnglennmbci.blogspot.com/feeds/6699776236983942649/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5931600765099861931&amp;postID=6699776236983942649&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/6699776236983942649'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/6699776236983942649'/><link rel='alternate' type='text/html' href='http://johnglennmbci.blogspot.com/2011/09/erm-bc-coop-my-bosses-made-me-do-it.html' title='&lt;H3&gt;&lt;U&gt;ERM-BC-COOP&lt;/U&gt;&lt;/H3&gt; &lt;H1&gt;My bosses made me do it&lt;/H1&gt;'/><author><name>John Glenn MBCI</name><uri>http://www.blogger.com/profile/03499458727913967175</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='11' height='32' src='http://bp2.blogger.com/_j2DodcRshS0/R_-0aRRk2PI/AAAAAAAAAAk/d-6wSUMOBX4/S220/litehous-sml.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5931600765099861931.post-8498127518022422068</id><published>2011-09-20T23:06:00.000Z</published><updated>2011-09-20T23:07:51.812Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='Enterprise Risk Management'/><category scheme='http://www.blogger.com/atom/ns#' 
term='Business Continuity'/><title type='text'>ERM-BC-COOP Partial risk list </title><content type='html'>&lt;P&gt;&amp;nbsp;
&lt;/P&gt;&lt;P&gt;
I was putting together a short version of my BBA and MBA-targeted presentation &lt;U&gt;Risk Management - an introduction&lt;/u&gt; and I started thinking about risks - a/k/a threats - that a risk management practitioner would identify, but that a business continuity practitioner &lt;i&gt;probably&lt;/i&gt; would consider "out of scope."
&lt;/P&gt;&lt;P&gt;
There are only 76, but the list hardly is "all-inclusive." An " &lt;B&gt;*&lt;/B&gt; "  by an entry indicates a risk I would expect a business continuity practitioner to identify. &lt;/P&gt;&lt;P&gt;&lt;OL&gt;
&lt;LI&gt;Acquisitions&lt;/LI&gt;
&lt;LI&gt;Alternate site options *&lt;/LI&gt;
&lt;LI&gt;Alternate site - short term&lt;/LI&gt;
&lt;LI&gt;Alternate site - long term&lt;/LI&gt;
&lt;LI&gt;Auditors&lt;/LI&gt;
&lt;LI&gt;B&amp;D insurance&lt;/LI&gt;
&lt;LI&gt;Business interruption insurance *&lt;/LI&gt;
&lt;LI&gt;Changes (personnel, processes, product, etc.)&lt;/LI&gt;
&lt;LI&gt;Chemicals - for processes, cleaning&lt;/LI&gt;
&lt;LI&gt;Civic events&lt;/LI&gt;
&lt;LI&gt;Clients/Customers&lt;/LI&gt;
&lt;LI&gt;Competition&lt;/LI&gt;
&lt;LI&gt;Compliance - all areas (HR, product, supplies)&lt;/LI&gt;
&lt;LI&gt;Construction&lt;/LI&gt;
&lt;LI&gt;Copyright, trademark issues&lt;/LI&gt;
&lt;LI&gt;Discrimination in workplace&lt;/LI&gt;
&lt;LI&gt;Disabled and the ADA&lt;/LI&gt;
&lt;LI&gt;Documentation (government-required, processes, product, etc.)&lt;/LI&gt;
&lt;LI&gt;Employee travel&lt;/LI&gt;
&lt;LI&gt;Employee welfare *&lt;/LI&gt;
&lt;LI&gt;Ethics&lt;/LI&gt;
&lt;LI&gt;Evacuation/Sheltering policies&lt;/LI&gt;
&lt;LI&gt;Family issues (domestic violence, illnesses, death, etc.)&lt;/LI&gt;
&lt;LI&gt;Financial vendors&lt;/LI&gt;
&lt;LI&gt;Fire *&lt;/LI&gt;
&lt;LI&gt;Flood *&lt;/LI&gt;
&lt;LI&gt;Government - Federal&lt;/LI&gt;
&lt;LI&gt;Government - Local&lt;/LI&gt;
&lt;LI&gt;Government - State/Provincial&lt;/LI&gt;
&lt;LI&gt;Harassment of/by employees&lt;/LI&gt;
&lt;LI&gt;HazMat on site *&lt;/LI&gt;
&lt;LI&gt;HazMat off-site&lt;/LI&gt;
&lt;LI&gt;Hiring practices&lt;/LI&gt;
&lt;LI&gt;Hurricanes *&lt;/LI&gt;
&lt;LI&gt;Injuries (staff, visitors)&lt;/LI&gt;
&lt;LI&gt;Image (corporate, executives)&lt;/LI&gt;
&lt;LI&gt;Industrial espionage&lt;/LI&gt;
&lt;LI&gt;In-place sheltering site and policies (safety, food, legal issues)&lt;/LI&gt;
&lt;LI&gt;Internal communications *&lt;/LI&gt;
&lt;LI&gt;IT failure *&lt;/LI&gt;
&lt;LI&gt;Legal&lt;/LI&gt;
&lt;LI&gt;Loss of facility other than fire, flood (plane, satellite crash)&lt;/LI&gt;
&lt;LI&gt;Management&lt;/LI&gt;
&lt;LI&gt;Marketing (false claims, etc.)&lt;/LI&gt;
&lt;LI&gt;Media response *&lt;/LI&gt;
&lt;LI&gt;Neighbors&lt;/LI&gt;
&lt;LI&gt;Planning and Zoning *&lt;/LI&gt;
&lt;LI&gt;Policies &amp; procedures&lt;/LI&gt;
&lt;LI&gt;Politics&lt;/LI&gt;
&lt;LI&gt;Public relations *&lt;/LI&gt;
&lt;LI&gt;Regulators&lt;/LI&gt;
&lt;LI&gt;Relocation - to/from alternate site&lt;/LI&gt;
&lt;LI&gt;Remote recovery conditions&lt;/LI&gt;
&lt;LI&gt;Secondary strikes&lt;/LI&gt;
&lt;LI&gt;Security - data *&lt;/LI&gt;
&lt;LI&gt;Security - facility (inside and outside)&lt;/LI&gt;
&lt;LI&gt;Security - intellectual property&lt;/LI&gt;
&lt;LI&gt;Social media&lt;/LI&gt;
&lt;LI&gt;Special interests (e.g., ADA)&lt;/LI&gt;
&lt;LI&gt;Stock and bond markets&lt;/LI&gt;
&lt;LI&gt;Succession&lt;/LI&gt;
&lt;LI&gt;Supplemental staffing (vetting)&lt;/LI&gt;
&lt;LI&gt;Telecommunications failure *&lt;/LI&gt;
&lt;LI&gt;Terrorism&lt;/LI&gt;
&lt;LI&gt;Tornados *&lt;/LI&gt;
&lt;LI&gt;Training - incorrect, incomplete&lt;/LI&gt;
&lt;LI&gt;Transportation *&lt;/LI&gt;
&lt;LI&gt;Utilities *&lt;/LI&gt;
&lt;LI&gt;Vendors *&lt;/LI&gt;
&lt;LI&gt;Vendors - post-event&lt;/LI&gt;
&lt;LI&gt;Vendors' vendors&lt;/LI&gt;
&lt;LI&gt;Web site&lt;/LI&gt;
&lt;LI&gt;Work actions *&lt;/LI&gt;
&lt;LI&gt;Work actions - government agencies (fire, police, Customs)&lt;/LI&gt;
&lt;LI&gt;Work actions - secondary (vendors, transportation, etc.)&lt;/LI&gt;
&lt;LI&gt;&lt;FONT SIZE=+2 COLOR=RED&gt;&lt;B&gt;UBIQUITOUS "OTHER"&lt;/B&gt;&lt;/FONT&gt;&lt;/LI&gt;&lt;/OL&gt;
&lt;/P&gt;&lt;P&gt;
There &lt;i&gt;always&lt;/i&gt; is a ubiquitous "other" that can be discovered during all-hands "What If" sessions. As this is written, Chicken Little's worst fears are coming to fruition - the sky is falling, or at least parts of a man-made satellite are bearing down on the third planet from the sun. It can't be a "black swan" - or even a grey one - since you and I know about it.
&lt;/P&gt;&lt;P&gt;
PowerPoint short and long Risk Management presentations available to BBA and MBA programs.
&lt;/P&gt;&lt;P&gt;
&lt;I&gt;If I wrote it, you may quote it.&lt;/I&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5931600765099861931-8498127518022422068?l=johnglennmbci.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://johnglennmbci.blogspot.com/feeds/8498127518022422068/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5931600765099861931&amp;postID=8498127518022422068&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/8498127518022422068'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/8498127518022422068'/><link rel='alternate' type='text/html' href='http://johnglennmbci.blogspot.com/2011/09/erm-bc-coop-partial-risk-list.html' title='&lt;H3&gt;&lt;U&gt;ERM-BC-COOP&lt;/U&gt;&lt;/H3&gt; &lt;H1&gt;Partial risk list &lt;/H1&gt;'/><author><name>John Glenn MBCI</name><uri>http://www.blogger.com/profile/03499458727913967175</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='11' height='32' src='http://bp2.blogger.com/_j2DodcRshS0/R_-0aRRk2PI/AAAAAAAAAAk/d-6wSUMOBX4/S220/litehous-sml.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5931600765099861931.post-252057109953057467</id><published>2011-09-18T16:24:00.002Z</published><updated>2011-09-18T16:42:26.243Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='Enterprise Risk Management'/><category scheme='http://www.blogger.com/atom/ns#' term='Business Continuity'/><title type='text'>ERM-BC-COOP Evolution of a practitioner</title><content type='html'>&lt;P&gt;&amp;nbsp;
&lt;/P&gt;&lt;P&gt;
The other day a fellow seemed to be challenging my bona fides, so I thought to put together how I happen to be an enterprise risk management practitioner.
&lt;/P&gt;&lt;P&gt;
I was introduced to risk management at the tender age of a few days.
&lt;/P&gt;&lt;P&gt;
I didn't know it then, but my first encounter with risk management was in the form of preventive medicine. 
&lt;/P&gt;&lt;P&gt;
Ouch.
&lt;/P&gt;&lt;P&gt;
As I got older I was taken annually for check-ups and shots - still painful, but I was rewarded with a stick of Wrigley's Juicy Fruit chewing gum. 
&lt;/P&gt;&lt;P&gt;
When I was old enough, I joined the (U.S.) Air Force.
&lt;/P&gt;&lt;P&gt;
More shots and vaccinations.
&lt;/P&gt;&lt;P&gt;
Somewhere along the line I encountered veterinary preventive medicine; I must have been on a work detail before starting a specialty school - I was to become a corpsman.
&lt;/P&gt;&lt;P&gt;
The Air Force drummed into me the need for risk management.
&lt;/P&gt;&lt;P&gt;
Not just preventive medicine, but as a way of life.
&lt;/P&gt;&lt;P&gt;
It also convinced me of the value of training, training, and more training.
&lt;/P&gt;&lt;P&gt;
When the Air Force and I parted company, risk management pretty much was forgotten.
&lt;/P&gt;&lt;P&gt;
But lessons die hard.
&lt;/P&gt;&lt;P&gt;
Back in the day I used to carry in the trunk of my car
&lt;/P&gt;&lt;P&gt;
&lt;UL&gt;&lt;LI&gt;5 gallon can of gasoline 
&lt;/P&gt;&lt;P&gt;
&lt;/li&gt;&lt;li&gt;5 gallon can of water
&lt;/P&gt;&lt;P&gt;
&lt;/li&gt;&lt;li&gt;fire extinguisher
&lt;/P&gt;&lt;P&gt;
&lt;/li&gt;&lt;li&gt;flares&lt;/LI&gt;&lt;/UL&gt;
&lt;/P&gt;&lt;P&gt;
plus the standard jack and spare tire.
&lt;/P&gt;&lt;P&gt;
In the glove box I had a flashlight and fuses.
&lt;/P&gt;&lt;P&gt;
Back then, leaded regular was about 50 cents-a-gallon so I could afford to give 5 gallons away if I encountered a stranded motorist.
&lt;/P&gt;&lt;P&gt;
I didn't realize it then, but I was practicing a level of risk management.
&lt;/P&gt;&lt;P&gt;
For a number of years I worked as a reporter and then as an editor, happily knocking across the country.
&lt;/P&gt;&lt;P&gt;
Sometimes the newspaper paid for my relocation, sometimes not. 
&lt;/P&gt;&lt;P&gt;
I used to staple a note to my tax forms explaining why I had - or did not have - high fuel deductions. Back in the day, relocation expenses and job-related expenses - i.e., gasoline for a reporter on the beat - were tax deductible with a lot less paperwork. The note was "risk management"; I was never invited to an audit of my returns. 
&lt;/P&gt;&lt;P&gt;
I went overseas as a reporter/editor and came back as a tech writer. I also had done a brief stint as a PR flack.
&lt;/P&gt;&lt;P&gt;
While overseas, I was documenting mil-spec equipment and systems.
&lt;/P&gt;&lt;P&gt;
The military - at least the militaries that bought our products - expected to maintain the products, beginning with preventive maintenance. 
&lt;/P&gt;&lt;P&gt;
Preventive maintenance. Preventive medicine. The connection.
&lt;/P&gt;&lt;P&gt;
Still, risk management was, at best, an afterthought.
&lt;/P&gt;&lt;P&gt;
Working as a contract technical writer, I was engaged to document a disaster recovery program for a national data network. While I did the job, I also bothered the DR pros to find out what DR was all about.
&lt;/P&gt;&lt;P&gt;
Interestingly enough, about 6 months after the project was completed, the network failed, but because of "our" work, it was quickly restored.
&lt;/P&gt;&lt;P&gt;
A little later I went to work for a consulting house as a tech writer. 
&lt;/P&gt;&lt;P&gt;
One of our clients monitored data networks. Our client had told its client that it had a business continuity plan. When our client's client asked to SEE the plan, our client asked us to develop a plan "yesterday."
&lt;/P&gt;&lt;P&gt;
Fortunately for all concerned, we knew the client's operation and we managed to put together a solid  continuation of operations plan with not one but two alternate sites; all sites were at least 1200 miles from each other so we could avoid environmental risks.
&lt;/P&gt;&lt;P&gt;
We - the Business Unit Manager (BUM), the Technical Manager, and this scrivener - put the plan together in a matter of a few days. There was no training, no maintenance procedure, no extended contact list, and indeed no response plan other than to "redirect the data to Alternate Site A if available or Alternate Site B if A is not available." 
&lt;/P&gt;&lt;P&gt;
If the communications link failed - and that was THE concern - there were alternate links and the techs could track down the break almost at their leisure.
&lt;/P&gt;&lt;P&gt;
In retrospect, it wasn't much of a plan, but it WAS a plan . . . of sorts.
&lt;/P&gt;&lt;P&gt;
Somehow our man in the state capitol managed to sell a business continuity project to a state department.
&lt;/P&gt;&lt;P&gt;
The company brought down a DRII certified practitioner from Canada to be the technical lead and installed a Project Manager to keep the books. Our girl-from-Canada brought along a fat binder of someone's How to Do Business Continuity instructions and forms; we quickly discovered they were of little use other than as general guidance.
&lt;/P&gt;&lt;P&gt;
This gig is where I learned to appreciate "all hands" meetings where people can play off each other as they think about risks to their processes and the resources they use to perform the processes.
&lt;/P&gt;&lt;P&gt;
Both the BUM and I decided certification might be a good idea - this is early 1999 and everyone was thinking Y2K, so I researched the options. DRII was well known, but it was highly recommended that an expensive pre-test course be taken to learn DRII's buzz words and alphabet soup. Then the candidate had to wait until a test venue could be set - testing was at specific sites at specific dates.
&lt;/P&gt;&lt;P&gt;
The alternative was Norm Harris' Certified Recovery Planner (CRP) certification. His Harris Institute, besides offering a more economical way to certification, appealed to me because DRII accused Harris of "selling" certification . . .  while it was selling courses and certification. Pots and kettles.
&lt;/P&gt;&lt;P&gt;
Anyway, I took four increasingly difficult tests that were reviewed by none other than Norm Harris, a founding father of the industry. On one test I wrote an answer with which the pro disagreed. He called me from Ohio - I was in Florida - to explain the error of my ways.
&lt;/P&gt;&lt;P&gt;
There were, however, two problems with my CRP certification.
&lt;/P&gt;&lt;P&gt;
Problem One: Hardly anyone outside of the industry knew about the CRP designation.
&lt;/P&gt;&lt;P&gt;
Problem Two: Norm sold his business, including the certification end, sealing the fate of the CRPs.
&lt;/P&gt;&lt;P&gt;
Once again I was looking for a suitable certification, and remembering the hassle (then) to get DRII certification I found The BCI, often incorrectly referred to as the British Continuity Institute.  
&lt;/P&gt;&lt;P&gt;
At the time certification was based on what you knew and could prove. I paid the fee, provided the evidence, and became a Member of the BUSINESS Continuity Institute.
&lt;/P&gt;&lt;P&gt;
Meanwhile, I am working contracts for some Fortune 50 companies, a couple of which owned banks, so I became familiar with FFIEC expectations. I also worked for a municipal government, an energy developer, a shipping company, and a former leader in the defense industry. There were some other "odds and ends" and some interesting Y2K work to round out the background.
&lt;/P&gt;&lt;P&gt;
As I learned more and more about business continuity, I began to realize business continuity is too limited for what organizations need.
&lt;/P&gt;&lt;P&gt;
Business continuity looks, correctly, at the profit center. Then it expands out to the obvious resources - vendors, utilities, in-house resources, including InfoTech.
&lt;/P&gt;&lt;P&gt;
But business continuity rarely considers (alphabetically) &lt;UL&gt;
&lt;LI&gt;competition&lt;BR&gt;
&lt;/LI&gt;&lt;LI&gt;customers&lt;BR&gt;
&lt;/LI&gt;&lt;LI&gt;ethics&lt;BR&gt;
&lt;/LI&gt;&lt;LI&gt;financial vendors&lt;BR&gt;
&lt;/LI&gt;&lt;LI&gt;government regulation&lt;BR&gt;
&lt;/LI&gt;&lt;LI&gt;image&lt;BR&gt;
&lt;/LI&gt;&lt;LI&gt;policies and procedures &lt;BR&gt;
&lt;/LI&gt;&lt;LI&gt;succession plans&lt;BR&gt;
&lt;/LI&gt;&lt;LI&gt;travel&lt;/LI&gt;&lt;/UL&gt;
Being a former reporter I need to write and not being very good at keeping things to myself, I started writing Run Of Press (ROP) copy for the Disaster Recovery Journal (DRJ). Editor Jon has been running two John Glenn articles-a-year since, I think, 2004. The byline also has appeared in other professional, trade, and general media, but DRJ gets the bulk of the copy.
&lt;/P&gt;&lt;P&gt;
Today I fancy myself a mentor to tyros and someone with whom other practitioners compare notes. 
&lt;/P&gt;&lt;P&gt;
Now, as Paul Harvey used to say, "you know the rest of the story."
&lt;/P&gt;&lt;P&gt;
Someday I may explain why the rabbit avatar. 
&lt;/P&gt;&lt;P&gt;
&lt;a href="http://4.bp.blogspot.com/-YwGignPBJx8/TnYdX51keXI/AAAAAAAAAGs/tWvwSqulVxc/s1600/Franklyn-Small.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 268px;" src="http://4.bp.blogspot.com/-YwGignPBJx8/TnYdX51keXI/AAAAAAAAAGs/tWvwSqulVxc/s320/Franklyn-Small.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5653738678709942642" /&gt;&lt;/a&gt;
&lt;/P&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5931600765099861931-252057109953057467?l=johnglennmbci.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://johnglennmbci.blogspot.com/feeds/252057109953057467/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5931600765099861931&amp;postID=252057109953057467&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/252057109953057467'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/252057109953057467'/><link rel='alternate' type='text/html' href='http://johnglennmbci.blogspot.com/2011/09/erm-bc-coop-evolution-of-practitioner.html' title='&lt;H3&gt;&lt;U&gt;ERM-BC-COOP&lt;/U&gt;&lt;/H3&gt; &lt;H1&gt;Evolution of a practitioner&lt;/H1&gt;'/><author><name>John Glenn MBCI</name><uri>http://www.blogger.com/profile/03499458727913967175</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='11' height='32' src='http://bp2.blogger.com/_j2DodcRshS0/R_-0aRRk2PI/AAAAAAAAAAk/d-6wSUMOBX4/S220/litehous-sml.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/-YwGignPBJx8/TnYdX51keXI/AAAAAAAAAGs/tWvwSqulVxc/s72-c/Franklyn-Small.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5931600765099861931.post-2798188695051964550</id><published>2011-09-16T13:59:00.004Z</published><updated>2011-09-16T14:49:20.220Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='Enterprise Risk Management'/><category scheme='http://www.blogger.com/atom/ns#' term='Business Continuity'/><title type='text'>ERM-BC-COOP  Economics 
plan?</title><content type='html'>&lt;P&gt;&amp;nbsp;
&lt;/P&gt;&lt;P&gt;
A person wrote on the DRJ Forum "Seeking business continuity industry recommendations - Should U.S. businesses begin developing a BCP that addresses impacts associated with economic decline?"
&lt;/P&gt;&lt;P&gt;
&lt;a href="http://4.bp.blogspot.com/-wMf8iJm0tWg/TnNWsFHaTyI/AAAAAAAAAGc/JFhCCoqdsgo/s1600/Gregg.jpg"&gt;&lt;img style="float:right; margin:0 0 10px 10px;cursor:pointer; cursor:hand;width: 160px; height: 190px;" src="http://4.bp.blogspot.com/-wMf8iJm0tWg/TnNWsFHaTyI/AAAAAAAAAGc/JFhCCoqdsgo/s320/Gregg.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5652957272567598882" /&gt;&lt;/a&gt;&lt;b&gt;Gregg Jacobsen&lt;/b&gt;,  a planner who has been around the block, correctly responded to the query. The question was "Should U.S. businesses begin developing a &lt;U&gt;BCP that addresses impacts associated with economic decline?&lt;/U&gt;"
&lt;/P&gt;&lt;P&gt;
Gregg's answer was "No."
&lt;/P&gt;&lt;P&gt;
I went off on a tangent and explained HOW an economic downturn could impact an organization.
&lt;/P&gt;&lt;P&gt;
But I agree whole-heartedly with Gregg.
&lt;/P&gt;&lt;P&gt;
We do &lt;b&gt;NOT&lt;/b&gt; need an "economics" &lt;U&gt;specific&lt;/U&gt; plan any more than we need a "pandemic" specific plan or any other specific risk plan.
&lt;/P&gt;&lt;P&gt;
We &lt;b&gt;do&lt;/b&gt; need to consider economic risks, but not in isolation. 
&lt;/P&gt;&lt;P&gt;
Risk management, which is what business continuity is all about, must consider  &lt;b&gt;ALL&lt;/b&gt; risks, from whatever source.
&lt;/P&gt;&lt;P&gt;
&lt;a href="http://4.bp.blogspot.com/-8k6NlpsPoGo/TnNW2MXeTjI/AAAAAAAAAGk/82PNdeeOLj4/s1600/RAINS.jpg"&gt;&lt;img style="float:right; margin:0 0 10px 10px;cursor:pointer; cursor:hand;width: 63px; height: 94px;" src="http://4.bp.blogspot.com/-8k6NlpsPoGo/TnNW2MXeTjI/AAAAAAAAAGk/82PNdeeOLj4/s320/RAINS.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5652957446312709682" /&gt;&lt;/a&gt;We all know about "the usual suspects" as &lt;I&gt;Capt. Louis Renault&lt;/i&gt; (Claude Rains) called them in Casablanca: environment, human error, and technology. (OK, Rains was referring to people off screen, but it's a good line.)
&lt;/P&gt;&lt;P&gt;
But there are others, many off the short range radar of business continuity, but very obvious when the focus is enterprise risk management.
&lt;/P&gt;&lt;P&gt;
Risks, to name just a few, include &lt;i&gt;but are not limited to&lt;/i&gt; the following sampling:
&lt;/P&gt;&lt;P&gt;
&lt;UL&gt;&lt;LI&gt;Competition
&lt;/P&gt;&lt;P&gt;
&lt;/LI&gt;&lt;LI&gt;Financial - the lender failing in the middle of a construction project or acquisition
&lt;/P&gt;&lt;P&gt;
&lt;/LI&gt;&lt;LI&gt;Government regulations at all levels
&lt;/P&gt;&lt;P&gt;
&lt;/LI&gt;&lt;LI&gt;Image - before general public, financial audience, stockholders, customers, vendors, industry
&lt;/P&gt;&lt;P&gt;
&lt;/LI&gt;&lt;LI&gt;Legal - Lawsuits against the organization for any number of reasons including trademark infringement, copyright violations, intellectual property theft (either way), employee retaliation, and more
&lt;/P&gt;&lt;P&gt;
&lt;/LI&gt;&lt;LI&gt;Military call up or conscription, even if only for local deployment
&lt;/P&gt;&lt;P&gt;
&lt;/LI&gt;&lt;LI&gt;Municipal events that disrupt traffic (police, fire activity, parades)
&lt;/P&gt;&lt;P&gt;
&lt;/LI&gt;&lt;LI&gt;Neighbors that may be targets of strikers, picketers for any reason
&lt;/P&gt;&lt;P&gt;
&lt;/LI&gt;&lt;LI&gt;Succession
&lt;/P&gt;&lt;P&gt;
&lt;/LI&gt;&lt;LI&gt;Vendors' vendors
&lt;/P&gt;&lt;P&gt;
&lt;/LI&gt;&lt;LI&gt;Work actions - primary and secondary&lt;/LI&gt;&lt;/UL&gt;
&lt;/P&gt;&lt;P&gt;
A downturn in economics is a very real threat to all organizations.
&lt;/P&gt;&lt;P&gt;
Charity or non-profit? There is a mandate to do something. Feed the hungry from a food bank.
&lt;/P&gt;&lt;P&gt;
As the economy tanks, people give less and less. The number of hungry, at the same time, increases as people lose their jobs and with that their income.
&lt;/P&gt;&lt;P&gt;
The mandate did not "go away," it increased.
&lt;/P&gt;&lt;P&gt;
A number of lending institutions failed or were forced out of business by the government. Some of these lenders provided organizations with lines of credit so the organizations could expand. 
&lt;/P&gt;&lt;P&gt;
True story. A Washington DC area contractor had a contract with the Federal government to construct an office building within a specified time period.
&lt;/P&gt;&lt;P&gt;
Like most contractors, he used a line of credit from his bank to buy materials and pay the workers before the government funds trickled in. Standard Operating Procedure (SOP) for many businesses, big and small, but particularly the small business.
&lt;/P&gt;&lt;P&gt;
Unfortunately, the contractor's bank failed and with the failure, his line of credit was no more.
&lt;/P&gt;&lt;P&gt;
No line of credit, no more materials purchases and no more paychecks for the employees.
&lt;/P&gt;&lt;P&gt;
Bottom line: construction is halted.
&lt;/P&gt;&lt;P&gt;
But wait. The government has a contract and that contract has financial penalties if the contractor fails to finish the project on time.
&lt;/P&gt;&lt;P&gt;
Seven words come to mind:
&lt;/P&gt;&lt;P&gt;
&lt;OL&gt;&lt;LI&gt;Between &lt;/LI&gt;&lt;LI&gt;a 
&lt;/LI&gt;&lt;LI&gt;rock
&lt;/LI&gt;&lt;LI&gt;and
&lt;/LI&gt;&lt;LI&gt;a
&lt;/LI&gt;&lt;LI&gt;hard
&lt;/LI&gt;&lt;LI&gt;spot.&lt;/LI&gt;&lt;/OL&gt;
&lt;/P&gt;&lt;P&gt;
Some organizations that have a captive or near captive client base simply up their prices or nickel and dime their customers; some, like airlines, do both.
&lt;/P&gt;&lt;P&gt;
Even if the practitioner's organization is considered more or less safe from the downturn, consider what an economic meltdown does to the customer base.
&lt;/P&gt;&lt;P&gt;
Bank of America is slated to lay off 30,000 - thirty thousand - employees. That's 30,000 more people on the dole and 30,000 more people who will be hard pressed to pay their mortgage and buy all the groceries they were accustomed to buying, or filling up the flivver as often, or - pick an expenditure.
&lt;/P&gt;&lt;P&gt;
An economic downturn is very much a risk, but it is "just another risk" in the grand scheme of things.
&lt;/P&gt;&lt;P&gt;
The organization deserves an enterprise risk management plan, not an economic downturn plan or a pandemic plan or a strike plan or any other one-risk plan.
&lt;/P&gt;&lt;P&gt;
A risk is a risk is a risk (unless it's a threat, which is just a risk spelled differently).
&lt;/P&gt;&lt;P&gt;
Practitioners ferret out risks.
&lt;/P&gt;&lt;P&gt;
Practitioners find ways to avoid or mitigate (or transfer) the risks.
&lt;/P&gt;&lt;P&gt;
Practitioners prioritize the risks according to probability and impact.
&lt;/P&gt;&lt;P&gt;
Practitioners present their recommendations to management so management can&lt;UL&gt;
&lt;/P&gt;&lt;P&gt;
&lt;LI&gt;decide which recommendations to accept
&lt;/P&gt;&lt;P&gt;
&lt;/LI&gt;&lt;LI&gt;set an implementation schedule for the accepted recommendations
&lt;/P&gt;&lt;P&gt;
&lt;/LI&gt;&lt;LI&gt;establish a budget to accomplish the implementation&lt;/LI&gt;&lt;/UL&gt;
&lt;/P&gt;&lt;P&gt;
Creating a plan focused on a single risk is foolish on many fronts.
&lt;/P&gt;&lt;P&gt;
It ignores other risks.
&lt;/P&gt;&lt;P&gt;
It duplicates response documentation and, perhaps, training.
&lt;/P&gt;&lt;P&gt;
It's wasteful of time - the practitioner's time, the Subject Matter Experts' time, management's time.
&lt;/P&gt;&lt;P&gt;
&amp;nbsp;
&lt;/P&gt;&lt;P&gt;
&lt;i&gt;If I wrote it, you may quote it.&lt;/I&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;
&lt;B&gt;GREGG JACOBSEN&lt;/B&gt; comments:
&lt;/P&gt;&lt;P&gt;
Economic downturn as a risk is like sea level: it goes up, it goes down, as do all the boats thereupon.  The real threat is making sure yours isn't leaky.  
&lt;/P&gt;&lt;P&gt;
The leaks come in many forms, but going into business is itself a risk.  The entrepreneur is betting he or she has that better mouse trap concept and gets friends and family, or a venture capital outfit to fund the boat-building effort.  All risky stuff, but at the end of the story, it comes back to something Dun and Bradstreet have been tracking for decades, and the year-to-year figures vary little: about 80% of business failures are the result of "mismanagement."  
&lt;/P&gt;&lt;P&gt;
That word takes in a broad range of opportunities to screw up the enterprise, and yet it comes down to the most basic aspect of what I learned as a quality assurance practitioner in another life: PEOPLE are the single most cause of variability in any process.  And variability means defects and failures, whether in products or services.  The creepy thing is, it comes back to our old friends on the Blue Collar Comedy Tour:  "You can't fix stupid."
&lt;/P&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5931600765099861931-2798188695051964550?l=johnglennmbci.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://johnglennmbci.blogspot.com/feeds/2798188695051964550/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5931600765099861931&amp;postID=2798188695051964550&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/2798188695051964550'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/2798188695051964550'/><link rel='alternate' type='text/html' href='http://johnglennmbci.blogspot.com/2011/09/erm-bc-coop-economics-plan.html' title='&lt;H3&gt;&lt;U&gt;ERM-BC-COOP&lt;/U&gt;&lt;/H3&gt;  &lt;H1&gt;Economics plan?&lt;/H1&gt;'/><author><name>John Glenn MBCI</name><uri>http://www.blogger.com/profile/03499458727913967175</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='11' height='32' src='http://bp2.blogger.com/_j2DodcRshS0/R_-0aRRk2PI/AAAAAAAAAAk/d-6wSUMOBX4/S220/litehous-sml.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/-wMf8iJm0tWg/TnNWsFHaTyI/AAAAAAAAAGc/JFhCCoqdsgo/s72-c/Gregg.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5931600765099861931.post-4740082660113914495</id><published>2011-09-15T12:56:00.005Z</published><updated>2011-09-20T21:23:40.334Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='Enterprise Risk Management'/><category scheme='http://www.blogger.com/atom/ns#' term='Business Continuity'/><title type='text'>ERM-BC-COOP A few words re vendors</title><content 
type='html'>&lt;P&gt;Modified on September 20, 2011 adding text. Additions are noted by an "*" at the beginning of a line.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;
&lt;/P&gt;
&lt;FONT SIZE=+2&gt;&lt;P&gt;
&lt;/P&gt;&lt;P&gt;
&lt;OL&gt;&lt;LI&gt;Fire and water restoration&lt;/LI&gt;
&lt;/P&gt;&lt;P&gt;
&lt;LI&gt;*Debris removal&lt;/LI&gt;
&lt;/P&gt;&lt;P&gt;
&lt;LI&gt;Paper dry out&lt;/LI&gt;
&lt;/P&gt;&lt;P&gt;
&lt;LI&gt;Facility repairs&lt;/li&gt;
&lt;/P&gt;&lt;P&gt;
&lt;LI&gt;Electricians&lt;/li&gt;
&lt;/P&gt;&lt;P&gt;
&lt;LI&gt;*Security&lt;/LI&gt;
&lt;/P&gt;&lt;P&gt;
&lt;LI&gt;Supplemental staffing agencies&lt;/LI&gt;&lt;/OL&gt;&lt;/font&gt;
&lt;/P&gt;&lt;P&gt;
&lt;ul&gt;
These are a few vendors most practitioners forget to include in the vendor list.
&lt;/P&gt;&lt;P&gt;
These vendors become critical very quickly when fire or water damage occurs.
&lt;/P&gt;&lt;P&gt;
Of course these are not the only people on the "Who are you gon'na call?" list, but they are at the top of the list once the Fire Marshal and Building Inspector give an all-clear to enter a damaged facility.
&lt;/P&gt;&lt;P&gt;
These vendors are not dealt with every day, but it behooves organizations to get to know vendors in these fields long before a need arises.
&lt;/P&gt;&lt;P&gt;
It also pays to check with them every so often to assure that 
&lt;/P&gt;&lt;P&gt;
&lt;OL&gt;&lt;LI&gt;they are still in business and &lt;/LI&gt;
&lt;/P&gt;&lt;P&gt;
&lt;LI&gt;that your organization is high on their list of preferred clients&lt;/LI&gt;&lt;/OL&gt;
&lt;/P&gt;&lt;P&gt;
This means something more than an annual holiday greeting card.
&lt;/P&gt;&lt;P&gt;
The risk management practitioner (who knows what "technical" questions to ask) and the Purchasing Manager should meet with potential vendors to determine the vendor's capabilities. The Purchasing Manager also should carefully check the vendor's references and look for on-line comments about the vendor. 
&lt;/P&gt;&lt;P&gt;
Find out what the vendor charges for various services, how many people are on staff, and how long the vendor and its employees have been doing what it is advertising.
&lt;/P&gt;&lt;P&gt;
It &lt;i&gt;&lt;u&gt;might&lt;/U&gt;&lt;/I&gt; be wise to also (as "in addition to local vendors") consider "out-of-area" vendors who are willing to come to the organization's area in case a regional event either puts the vendor out of business or overloads the vendor's capacity.
&lt;/P&gt;&lt;P&gt;
The need for fire and water restoration services is fairly obvious. *Likewise debris clean-up and removal. Even if a facility is intact and can be occupied, there may be post-event debris that must be cleared.
&lt;/P&gt;&lt;P&gt;
Likewise the requirements for a structural engineer and an electrician.
&lt;/P&gt;&lt;P&gt;
*Securing a damaged facility may be beyond the capabilities of the rent-a-cop company that normally guards the door. Fencing, bright lights, and possibly armed guards on patrol may be required. Local police normally only watch a facility for a brief period; they have other things to do like chase criminals.
&lt;/P&gt;&lt;P&gt;
Supplemental or "casual" staffing agencies can provide the hands to move furniture, pull cable, and other non-technical work. Keep in mind that during restoration, some staff will be needed at an alternate site to keep the operation going, and some will be needed at the restoration site to supervise. 
&lt;/P&gt;&lt;P&gt;
Why, however, look for a vendor with experience drying out paper?
&lt;/P&gt;&lt;P&gt;
The organization is, after all, almost paperless; everything is computerized.
&lt;/P&gt;&lt;P&gt;
Here's a challenge.
&lt;/P&gt;&lt;P&gt;
Ask each functional unit manager, and make sure to talk with HR and Finance, how many paper documents they have. HR has, among others, I-9 "right-to-work" forms that, if missing when a Federal investigator drops by, can result in a very steep fine.
&lt;/P&gt;&lt;P&gt;
Trust me. &lt;U&gt;Every&lt;/U&gt; organization has paper it must preserve.
&lt;/P&gt;&lt;P&gt;
The vendors listed at the top of this entry really are just the tip of the proverbial iceberg.
&lt;/P&gt;&lt;P&gt;
Consider just office equipment vendors:
&lt;/P&gt;&lt;P&gt;
&lt;UL&gt;Copier acquisition, installation, and repair
&lt;/P&gt;&lt;P&gt;
Lighting acquisition, installation, and repair
&lt;/P&gt;&lt;P&gt;
Printer acquisition, installation, and repair
&lt;/P&gt;&lt;P&gt;
Telephone installation and repair&lt;/UL&gt;
&lt;/P&gt;&lt;P&gt;
Take a walk around the facility and consider "who are you gon'na call?" if the place is scorched or flooded. Even if there is no fire damage, smoke and smell can leave behind a mess, and mold soon finds a home with wet walls and carpets.
&lt;/P&gt;&lt;P&gt;
When making up the vendor list, consider the usual suspects - the equipment vendors, the junk food vendors, the utility companies, etc., but also consider the ones that may be needed "in the event of."
&lt;/P&gt;&lt;/UL&gt;&lt;P&gt;
&amp;nbsp;
If I wrote it, you may quote it.
&lt;/P&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5931600765099861931-4740082660113914495?l=johnglennmbci.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://johnglennmbci.blogspot.com/feeds/4740082660113914495/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5931600765099861931&amp;postID=4740082660113914495&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/4740082660113914495'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/4740082660113914495'/><link rel='alternate' type='text/html' href='http://johnglennmbci.blogspot.com/2011/09/erm-bc-coop-few-words-re-vendors.html' title='&lt;h3&gt;&lt;u&gt;ERM-BC-COOP&lt;/u&gt;&lt;/h3&gt; &lt;H1&gt;A few words re vendors&lt;/H1&gt;'/><author><name>John Glenn MBCI</name><uri>http://www.blogger.com/profile/03499458727913967175</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='11' height='32' src='http://bp2.blogger.com/_j2DodcRshS0/R_-0aRRk2PI/AAAAAAAAAAk/d-6wSUMOBX4/S220/litehous-sml.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5931600765099861931.post-5416439533358262756</id><published>2011-09-14T15:36:00.003Z</published><updated>2011-09-14T15:45:09.406Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='Enterprise Risk Management'/><category scheme='http://www.blogger.com/atom/ns#' term='Business Continuity'/><title type='text'>ERM-BC-COOP  Random thoughts on plan creation</title><content type='html'>&lt;/P&gt;&lt;P&gt;
&lt;H2&gt;&lt;FONT SIZE=+2&gt;Never ending project&lt;/FONT&gt;&lt;/H2&gt;
&lt;/P&gt;&lt;P&gt;
Enterprise risk management - a/k/a enterprise business continuity or Continuity Of OPerations - starts off as a project, but if it is to be successful - that is, if it is expected to help an organization survive a disaster event - it &lt;b&gt;must&lt;/b&gt; become an on-going program, a series of "continuation" projects.
&lt;/P&gt;&lt;P&gt;
Every project needs a Very Senior Manager as its sponsor. The higher up the management ranks the sponsor, the more respect the program will inherit and the more cooperation will be forthcoming. This is especially true when risk management is first introduced.
&lt;/P&gt;&lt;P&gt;
Every project needs a Statement of Work (SOW) and a Project Plan.
&lt;/P&gt;&lt;P&gt;
This SOW and project plan need to be created with cooperation from the sponsor and approved by the plan sponsor. Hopefully the sponsor's fellow executives will concur with the sponsor and word will "filter down" to the mid-level managers and line personnel that risk management is a good thing and will benefit all hands.
&lt;/P&gt;&lt;P&gt;
The best sponsor is a flag waver for risk management; someone who believes in the process and shares the belief with everyone from the Board to the vendors.
&lt;/P&gt;&lt;P&gt;
As with all projects, the risk management project must have reasonable, attainable goals - reached through the combined efforts of the sponsor and the practitioner.
&lt;/P&gt;&lt;P&gt;
Deliverables must be defined and include reviews by the Subject Matter Experts (SMEs) who provided information, and the sponsor.
&lt;/P&gt;&lt;P&gt;
&lt;H2&gt;&lt;FONT SIZE=+2&gt;Deliverables by name&lt;/FONT&gt;&lt;/H2&gt;
&lt;/P&gt;&lt;P&gt;
My list of deliverables includes
&lt;/P&gt;&lt;P&gt;
&lt;OL&gt;&lt;LI&gt;Proposal &lt;BR&gt;Even an in-house program can, perhaps should, start with a proposal. This is what needs to be done; this is how the organization will benefit. Here are a few concerns even before commencing a program.&lt;/LI&gt;
&lt;/P&gt;&lt;P&gt;
&lt;LI&gt;Statement of Work and Project Plan &lt;BR&gt;These contain basically the same &lt;i&gt;general&lt;/i&gt; information. The SOW "spells it out" in general terms and while it includes anticipated phase completion dates, it rests on the Project Plan to set tracking and staffing parameters. The SOW's audience normally is the Executive Suite and the staff in general. The Project Plan is more for the Project Manager and the sponsor to track the project's progress. The PM will provide a status report to the sponsor at least once every two weeks. This assures that slippage will be identified and reported in time to eliminate problems or adjust expectations "because."
&lt;BR&gt;
Should the practitioner be the PM?&lt;BR&gt; I have worked both ways, and frankly, I learned a lot from having a PM on board. The only concern I have when a PM is named is making sure that we go together to report to the sponsor. Let the PM write the reports, but the practitioner needs to review these before they go to the sponsor, especially if the PM has little or no risk management experience.&lt;/LI&gt;
&lt;/P&gt;&lt;P&gt;
&lt;LI&gt;&lt;B&gt;First plan deliverable&lt;/B&gt; &lt;BR&gt;The first scheduled plan deliverable is the Business Impact Analysis. &lt;BR&gt; This is a misnomer since the deliverable includes &lt;UL&gt;&lt;LI&gt;Identification of critical processes&lt;/LI&gt;&lt;LI&gt;Identification of risks or threats&lt;/LI&gt;&lt;LI&gt;Identification of means to avoid or mitigate the threats identified above&lt;/LI&gt;&lt;LI&gt;Prioritization of the risks or threats listed above&lt;/LI&gt;&lt;LI&gt;Recommendations to avoid or mitigate risks or threats based upon impact on the organization and knowledge of the organization's direction&lt;/LI&gt;&lt;/UL&gt; Management will, in the end, make the decisions regarding what to implement, when to implement, and the implementation budget.&lt;BR&gt;
&lt;/P&gt;&lt;P&gt;
While management is considering implementation of practitioner recommendations, the practitioner will create &lt;UL&gt;&lt;LI&gt;Plan maintenance procedure&lt;/LI&gt; &lt;LI&gt;Staff awareness program&lt;/LI&gt; &lt;LI&gt;Exercise procedures&lt;/LI&gt;&lt;/UL&gt;
&lt;/P&gt;&lt;P&gt;
The practitioner also should create risk management-related Policies and Procedures for such things as &lt;UL&gt;&lt;LI&gt;alternate site expenses - limit or per diem &lt;/LI&gt;&lt;LI&gt;alternate site housing - how many to a room &lt;/LI&gt;&lt;LI&gt;communication between alternate site and management &lt;/LI&gt;&lt;LI&gt;communication between employee and family - any limits, who pays &lt;/LI&gt;&lt;LI&gt;conjugal visits - at home or on site, and who pays for transportation, after how long &lt;/LI&gt;&lt;LI&gt;education penalties - if employee is forced to abandon a course due to recovery requirements &lt;/LI&gt;&lt;LI&gt;insurance - is there someone to help family members file claims &lt;/LI&gt;&lt;LI&gt;maximum allowable work hours before required time off &lt;/LI&gt;&lt;LI&gt;on-site transportation - bus, taxi, rental vehicle &lt;/LI&gt;&lt;LI&gt;overtime compensation - pay, comp time, other &lt;/LI&gt;&lt;LI&gt;pay - how is it made, to whom (if direct deposit is not possible) &lt;/LI&gt;&lt;LI&gt;travel to/from alternate site&lt;/LI&gt;&lt;/UL&gt;
&lt;/P&gt;&lt;P&gt;
By the way, many of these P&amp;Ps apply equally to the responders remaining at the original site to restore the facility or establish a new facility.&lt;BR&gt;
&lt;/P&gt;&lt;P&gt;
Policies and procedures need top management approval and should be vetted by Legal.
&lt;/P&gt;&lt;P&gt;
&lt;LI&gt;&lt;B&gt;Second plan deliverable&lt;/B&gt;  &lt;br&gt;This deliverable includes the response plan based upon management's implementation decisions. The specific response plans - for all functional units - probably will vary somewhat from normal, day-to-day operations. &lt;BR&gt;Ideally, response plans will be one task-per-sheet of paper, with the preceding task identified in the header and the following task identified in the footer.&lt;/P&gt;&lt;P&gt;&lt;a href="http://4.bp.blogspot.com/-_UYW6AN1ybQ/TnDKbhx7p-I/AAAAAAAAAGU/NsOTnax8nVc/s1600/SamplePage.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 388px; height: 280px;" src="http://4.bp.blogspot.com/-_UYW6AN1ybQ/TnDKbhx7p-I/AAAAAAAAAGU/NsOTnax8nVc/s400/SamplePage.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5652240106623051746" /&gt;&lt;/a&gt;
&lt;P&gt;&amp;nbsp;
&lt;/P&gt;&lt;P&gt;
This deliverable also includes &lt;UL&gt;&lt;LI&gt;Exercise policy&lt;/LI&gt;&lt;LI&gt;Maintenance procedure&lt;/LI&gt;&lt;LI&gt;Appendices (or addendum)&lt;OL&gt;&lt;LI&gt;Contact list&lt;/LI&gt;

&lt;LI&gt;Forms&lt;/LI&gt;
&lt;LI&gt;Relevant Policies and Procedures&lt;/LI&gt;
&lt;LI&gt;Other documents as deemed necessary&lt;/LI&gt;&lt;/OL&gt;&lt;/LI&gt;&lt;/OL&gt;
&lt;/P&gt;&lt;/UL&gt;&lt;P&gt;
&amp;nbsp;
&lt;/P&gt;&lt;P&gt;
&lt;I&gt;If I wrote it, you can quote it.&lt;/i&gt;
&lt;/P&gt;&lt;P&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5931600765099861931-5416439533358262756?l=johnglennmbci.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://johnglennmbci.blogspot.com/feeds/5416439533358262756/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5931600765099861931&amp;postID=5416439533358262756&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/5416439533358262756'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/5416439533358262756'/><link rel='alternate' type='text/html' href='http://johnglennmbci.blogspot.com/2011/09/erm-bc-coop-random-thoughts-on-plan.html' title='&lt;H3&gt;&lt;U&gt;ERM-BC-COOP&lt;/U&gt;&lt;/H3&gt;  &lt;H1&gt;Random thoughts on plan creation&lt;/H1&gt;'/><author><name>John Glenn MBCI</name><uri>http://www.blogger.com/profile/03499458727913967175</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='11' height='32' src='http://bp2.blogger.com/_j2DodcRshS0/R_-0aRRk2PI/AAAAAAAAAAk/d-6wSUMOBX4/S220/litehous-sml.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/-_UYW6AN1ybQ/TnDKbhx7p-I/AAAAAAAAAGU/NsOTnax8nVc/s72-c/SamplePage.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5931600765099861931.post-3696462305799909711</id><published>2011-09-13T12:18:00.003Z</published><updated>2011-09-13T12:26:01.610Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='Enterprise Risk Management'/><category scheme='http://www.blogger.com/atom/ns#' term='Business Continuity'/><title type='text'>ERM-BC-COOP 
'Creating' a culture</title><content type='html'>&lt;P&gt;&amp;nbsp;
&lt;/P&gt;&lt;P&gt;
There is an interesting blog article by Ron Ashkenas at &lt;A HREF="http://tinyurl.com/3oktgpm" TARGET="RA"&gt;&lt;B&gt;http://tinyurl.com/3oktgpm&lt;/B&gt;&lt;/A&gt; titled &lt;U&gt;You Can't Dictate Culture — but You Can Influence It&lt;/U&gt;.
&lt;/P&gt;&lt;P&gt;
Mr. Ashkenas' position is that "Leaders can &lt;i&gt;influence&lt;/i&gt; behaviors in several ways — and by so doing shape the culture of their firms. Whether you are a CEO or a department manager, here are three steps that you can take:"
&lt;/P&gt;&lt;P&gt;
Two of the steps "Convey your vision of a winning culture" and "Demonstrate how new cultural behaviors can advance the business" are within the capability of the risk management practitioner. The third, "Put teeth into the new culture by integrating it into HR processes" is beyond our pay grade, but perhaps within that of the risk management program sponsor.
&lt;/P&gt;&lt;P&gt;
&lt;H2&gt;&lt;FONT SIZE=+1&gt;Convey your vision of a winning culture&lt;/FONT&gt;&lt;/H2&gt;
&lt;/P&gt;&lt;UL&gt;&lt;P&gt;
"What are the most critical behaviors that will characterize the culture you want to create?" the author asks. He then cites how Jack Welch "used the mantra of "speed, simplicity, and self-confidence" as the beacon for his transformation of GE's culture in the 1990's "
&lt;/P&gt;&lt;P&gt;
We are not the head of the business but we &lt;U&gt;do&lt;/U&gt; have a goal to make everyone aware of risks in their work and personal environment. &lt;i&gt;Awareness + Action = Survival&lt;/i&gt;
&lt;/P&gt;&lt;P&gt;
We, as risk management practitioners, can help develop this in several ways.
&lt;/P&gt;&lt;P&gt;
Most important, we can be seen doing our job - looking for threats to the organization.
&lt;/P&gt;&lt;P&gt;
Putting up fancy posters won't do it, but being seen in action will.
&lt;/P&gt;&lt;P&gt;
&lt;B&gt;True stories&lt;/B&gt;
&lt;/P&gt;&lt;P&gt;
I once worked for an Israeli company in the U.S. (Actually, I worked for several Israeli companies in the U.S., but as a risk management practitioner at only one.) 
&lt;/P&gt;&lt;P&gt;
I was concerned about flooding so I made a tour of the area looking for drains to draw off water that could be trapped between a blast berm and the building.
&lt;/P&gt;&lt;P&gt;
The building had a lot of glass, and a number of people in the first-floor call centers saw me walking around the building with my head down.
&lt;/P&gt;&lt;P&gt;
When I came back inside, several approached me wondering just what I was doing.
&lt;/P&gt;&lt;P&gt;
I explained and, having their attention, did a little flag waving for risk management.
&lt;/P&gt;&lt;P&gt;
Another company that engaged my services was so much behind risk management that when it held the obligatory evacuation exercises it fed the troops - and took care of the practitioner, too. Great company.
&lt;/P&gt;&lt;P&gt;
&lt;I&gt;The difference&lt;/i&gt; between the two organizations is that the former disregarded the culture of awareness - and paid the price later - and the latter encouraged it. 
&lt;/P&gt;&lt;/UL&gt;&lt;P&gt;
&lt;H2&gt;&lt;FONT SIZE=+1&gt;Demonstrate how new cultural behaviors can advance the business&lt;/font&gt;&lt;/H2&gt;
&lt;/P&gt;&lt;UL&gt;&lt;P&gt;
For the risk management practitioner, that may be easier said than done, but it &lt;i&gt;can&lt;/i&gt; be done.
&lt;/P&gt;&lt;P&gt;
One of the contract managers at the Israeli company had piles and piles of hard copy contracts.
&lt;/P&gt;&lt;P&gt;
My concern, and I convinced him it should be his as well, was that something could happen and the paper would be damaged or destroyed. How could the company prove it had a contract with ZYX Company?
&lt;/P&gt;&lt;P&gt;
The risk management approach protected the documents AND lightened the contract manager's load.
&lt;/P&gt;&lt;P&gt;
The solution was simple: digitize the contracts, including the signature page.
&lt;/P&gt;&lt;P&gt;
The manager was concerned that a digital signature page would fail the test of authenticity, so the compromise was to digitize everything - scan it into a computer and back up the file to the servers, which were backed up nightly - and send the hardcopy signature page to the backup archive along with the tapes. Now, when the contract manager went on the road to negotiate new contracts with the clients, he carried a CD with the contract that could be modified on the spot. A new signature page could be printed out and signed while everyone was gathered together.
&lt;/P&gt;&lt;P&gt;
The contract manager became a believer - and shared his newfound "faith" with his peers.
&lt;/P&gt;&lt;P&gt;
Unfortunately, there are too many organizations - and it's been my misfortune to be a captive practitioner in several - that prefer to work against any effort to develop a culture conducive to risk management. Interestingly, several had suffered disasters, yet refused to learn any lessons.
&lt;/P&gt;&lt;/UL&gt;&lt;P&gt;
&lt;H2&gt;&lt;FONT SIZE=+1&gt;Put teeth into the new culture by integrating it into HR processes&lt;/FONT&gt;&lt;/H2&gt;
&lt;/P&gt;&lt;UL&gt;&lt;P&gt;
According to Ashkenas, "People tend to do what's measured and rewarded. So a third step for building a new culture is to use the desired behaviors as criteria for hiring, promoting, rewarding, and developing people."
&lt;/P&gt;&lt;P&gt;
About the best the practitioner can do is to suggest and promote this to management. To my mind, the emphasis should be on the carrot, not the stick.
&lt;/P&gt;&lt;P&gt;
The company I commended earlier in this post insisted that everyone - staff, contractors, &lt;U&gt;and&lt;/U&gt; the executive suite occupants - clear the building during evacuation exercises. Compare that with another organization that ignored rank-and-file staff hiding in the bathroom and - hard to believe but true - under a desk when an evacuation alert was sounded. &lt;I&gt;Amazingly, the alert was announced, with day and time, two days before the event by large signs in the lobby. The people could have ridden the elevator down and taken their lunch just before the alarm sounded!&lt;/I&gt;
&lt;/P&gt;&lt;/UL&gt;&lt;P&gt;
&lt;B&gt;There ARE things we - practitioners - can do&lt;/b&gt; to wave the flag, to make people aware of risks. Many of the things are low budget items - do a survey to see who knows the location of the nearest fire extinguisher and who can name the two nearest exits. If you have someone with mobility issues, see if the person knows if the exit provides a paved path to the assembly area; it's tough pushing a wheelchair over mud or deep sand.
&lt;/P&gt;&lt;P&gt;
Promote buddy systems so that small groups of 5 to 10 employees keep an eye out for each other.
&lt;/P&gt;&lt;P&gt;
So far, the organization's budget is totally intact.
&lt;/P&gt;&lt;P&gt;
We &lt;b&gt;DO&lt;/B&gt; need support from the executive suite. We are more likely to get that support if we can show progress without a hit on the budget.
&lt;/P&gt;&lt;P&gt;
Not everything will be free, but if management can see progress, maybe it can find a few coins for more "advanced" efforts. Cookies and coffee, maybe?
&lt;/P&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5931600765099861931-3696462305799909711?l=johnglennmbci.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://blogs.hbr.org/ashkenas/2011/06/you-cant-dictate-culture-but-y.html?cm_mmc=email-_-newsletter-_-management_tip-_-tip090911&amp;referral=00203&amp;utm_source=newsletter_management_tip&amp;utm_medium=email&amp;utm_campaign=tip090911' title='&lt;H3&gt;&lt;U&gt;ERM-BC-COOP&lt;/U&gt;&lt;/H3&gt; &lt;H1&gt;&apos;Creating&apos; a culture&lt;/H1&gt;'/><link rel='replies' type='application/atom+xml' href='http://johnglennmbci.blogspot.com/feeds/3696462305799909711/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5931600765099861931&amp;postID=3696462305799909711&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/3696462305799909711'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/3696462305799909711'/><link rel='alternate' type='text/html' href='http://johnglennmbci.blogspot.com/2011/09/erm-bc-coop-creating-culture.html' title='&lt;H3&gt;&lt;U&gt;ERM-BC-COOP&lt;/U&gt;&lt;/H3&gt; &lt;H1&gt;&apos;Creating&apos; a culture&lt;/H1&gt;'/><author><name>John Glenn MBCI</name><uri>http://www.blogger.com/profile/03499458727913967175</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='11' height='32' src='http://bp2.blogger.com/_j2DodcRshS0/R_-0aRRk2PI/AAAAAAAAAAk/d-6wSUMOBX4/S220/litehous-sml.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5931600765099861931.post-6878886578719468255</id><published>2011-09-12T12:52:00.003Z</published><updated>2011-09-19T14:29:21.671Z</updated><category 
scheme='http://www.blogger.com/atom/ns#' term='Enterprise Risk Management'/><category scheme='http://www.blogger.com/atom/ns#' term='Business Continuity'/><title type='text'>ERM-BC-COOP Management as risk</title><content type='html'>&lt;P&gt;&amp;nbsp;
&lt;/P&gt;&lt;P&gt;
The other day in a closing remark I wrote &lt;A HREF="http://johnglennmbci.blogspot.com/2011/09/erm-bc-coop-one-more-concern.html" TARGET="new-page"&gt;&lt;i&gt;management may be the biggest threat of all&lt;/i&gt;&lt;/A&gt;. 
&lt;/P&gt;&lt;P&gt;
The remark was meant to be a little flip, but in retrospect, management may actually &lt;i&gt;be&lt;/i&gt; a major risk.
&lt;/P&gt;&lt;P&gt;
I have worked several projects where management ignored the practitioner's recommendations.
&lt;/P&gt;&lt;P&gt;
Some of the projects were as in-house staff; some were as an external consultant.
&lt;/P&gt;&lt;P&gt;
&lt;h2&gt;Case in point&lt;/h2&gt;
&lt;/P&gt;&lt;P&gt;
I was a staff employee reporting to the VP/MIS at one organization.
&lt;/P&gt;&lt;P&gt;
The company had hired a colorful Big Name company at its overseas headquarters to do "business continuity" for its worldwide operations.
&lt;/P&gt;&lt;P&gt;
As far as the colorful Big Name company was - and still is - concerned, "business continuity" equates to little more than disaster recovery.
&lt;/P&gt;&lt;P&gt;
But at least the Big Name company got the headquarters thinking about true business continuity.
&lt;/P&gt;&lt;P&gt;
My boss told me the company wanted a plan for its North American headquarters; I was to meet with him and the CFO to discuss what needed to be done.
&lt;/P&gt;&lt;P&gt;
To the VP/MIS, a "business continuity" plan should be done "at 20,000 feet." 
&lt;/P&gt;&lt;P&gt;
Fortunately, the CFO understood that to be successful, business continuity must be done at the process - ground - level.
&lt;/P&gt;&lt;P&gt;
I created the plan and made a number of recommendations, among them being that the organization needed to increase its backup power supply output.
&lt;/P&gt;&lt;P&gt;
Generators were in place to keep the VP/MIS' servers working, but there was no power for 
&lt;/P&gt;&lt;P&gt;
&lt;UL&gt;&lt;LI&gt;Special call center phones
&lt;/P&gt;&lt;P&gt;
&lt;/LI&gt;&lt;LI&gt;Air conditioning - the building was "environmentally sound"
&lt;/P&gt;&lt;P&gt;
&lt;/LI&gt;&lt;LI&gt;Desktop computers and monitors
&lt;/P&gt;&lt;P&gt;
&lt;/LI&gt;&lt;LI&gt;Copiers and printers
&lt;/P&gt;&lt;P&gt;
&lt;/LI&gt;&lt;LI&gt;Lighting
&lt;/P&gt;&lt;P&gt;
&lt;/LI&gt;&lt;LI&gt;Other essential workplace equipment&lt;/LI&gt;&lt;/UL&gt;
&lt;/P&gt;&lt;P&gt;
A hurricane brushed by the facility and electricity was off for about 5 days.
&lt;/P&gt;&lt;P&gt;
The generator kept the servers serving, and the fuel vendor kept the tanks topped off.
&lt;/P&gt;&lt;P&gt;
But the building remained empty except for one hot and lonely guy in the data center who monitored the servers.
&lt;/P&gt;&lt;P&gt;
Why?
&lt;/P&gt;&lt;P&gt;
Because the VP/MIS chose to ignore my recommendations and somehow managed to convince the CFO to do the same.
&lt;/P&gt;&lt;P&gt;
I don't know how much it cost the company, but the VP/MIS was relocated to a less desirable location.
&lt;/P&gt;&lt;P&gt;
In this case, management was very much the risk.
&lt;/P&gt;&lt;P&gt;
In another instance, I was part of a consulting team.
&lt;/P&gt;&lt;P&gt;
We completed, despite less than enthusiastic support from Top Management, the first phase of a project for a state government department. 
&lt;/P&gt;&lt;P&gt;
Unfortunately the second phase - the response and awareness sections - was considered too expensive so the plan died on the vine. A management decision.
&lt;/P&gt;&lt;P&gt;
&lt;I&gt;Added September 19, 2011&lt;/I&gt;
&lt;/P&gt;&lt;P&gt;
Finally there was the retail chain that needed to document what was required to move its IT operation from Point A to alternate site Point B and then back to Point A again.
&lt;/P&gt;&lt;P&gt;
Management would call meetings and everyone would be present and accounted for - &lt;U&gt;exce&lt;/u&gt;p&lt;U&gt;t&lt;/U&gt; management. 
&lt;/P&gt;&lt;P&gt;
Nothing could be accomplished.
&lt;/P&gt;&lt;P&gt;
Finally, after three meetings sans critical management, I resigned from the engagement.
&lt;/P&gt;&lt;P&gt;
&lt;H2&gt;And then there are the good guys&lt;/h2&gt;
&lt;/P&gt;&lt;P&gt;
On the other hand, some management takes risk management seriously.
&lt;/P&gt;&lt;P&gt;
One international company for which I created a plan thought it was fairly well situated. In truth it &lt;i&gt;had&lt;/i&gt; done a number of "right" things. 
&lt;/P&gt;&lt;P&gt;
But as I started asking questions I uncovered a number of "got'chas" that no one had considered. Fortunately for me, my two bosses, the CIO and his second in command, were "risk management aware." They understood my concerns, even though most of the concerns were &lt;b&gt;not&lt;/b&gt; IT related, and worked to see them mitigated.
&lt;/P&gt;&lt;P&gt;
Another client listened when I suggested it ought to ask its vendors for their (vendor) business continuity plans.
&lt;/P&gt;&lt;P&gt;
Heavily dependent on its vendors, it considered and acted upon my suggestion.
&lt;/P&gt;&lt;P&gt;
Each of its critical vendors complied. I critiqued each vendor plan and provided feedback to my client, which then passed along the information to the vendor who submitted the plan.
&lt;/P&gt;&lt;P&gt;
It was a win-win-win situation: my client knew which vendors had a viable plan, the vendor got a free plan critique, and I gained knowledge by reading others' plans.
&lt;/P&gt;&lt;P&gt;
&lt;H2&gt;But apparently not many&lt;/H2&gt;
&lt;/P&gt;&lt;P&gt;
As an in-house planner for a very large company, once an industry leader, I suggested to corporate management that someone should consider an enterprise risk management plan. 
&lt;/P&gt;&lt;P&gt;
For my concern I nearly was terminated.
&lt;/P&gt;&lt;P&gt;
In my lowly division position I did manage to involve Facilities and Purchasing in the business continuity plans, a first, and I "discovered" that an agreement my division thought it had with another division to back up our operation "in the event of" was worth less than the paper it &lt;U&gt;wasn't&lt;/U&gt; printed on - a handshake between two managers who had moved on. My management showed interest - for about 5 minutes and then dismissed the problem.
&lt;/P&gt;&lt;P&gt;
There &lt;b&gt;&lt;U&gt;ARE&lt;/U&gt;&lt;/B&gt; "risk management aware" managers, and practitioners treasure these people. But too often the people who determine what will be done with a practitioner's information - no matter how much it cost the organization to develop - really only pay lip service to our recommendations.
&lt;/P&gt;&lt;P&gt;
I am reminded of the expression "A little knowledge of first aid is a dangerous thing."
&lt;/P&gt;&lt;P&gt;
Creating, but failing to implement, a plan may seem "good enough" to many managers, but in truth, such a plan provides a false sense of security.
&lt;/P&gt;&lt;P&gt;
In cases like that, &lt;i&gt;management &lt;b&gt;&lt;U&gt;is&lt;/U&gt;&lt;/B&gt;  the biggest threat of all&lt;/I&gt;.
&lt;/P&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5931600765099861931-6878886578719468255?l=johnglennmbci.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://johnglennmbci.blogspot.com/feeds/6878886578719468255/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5931600765099861931&amp;postID=6878886578719468255&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/6878886578719468255'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/6878886578719468255'/><link rel='alternate' type='text/html' href='http://johnglennmbci.blogspot.com/2011/09/erm-bc-coop-management-as-risk.html' title='&lt;H3&gt;&lt;U&gt;ERM-BC-COOP&lt;/U&gt;&lt;/H3&gt; &lt;H1&gt;Management as risk&lt;/H1&gt;'/><author><name>John Glenn MBCI</name><uri>http://www.blogger.com/profile/03499458727913967175</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='11' height='32' src='http://bp2.blogger.com/_j2DodcRshS0/R_-0aRRk2PI/AAAAAAAAAAk/d-6wSUMOBX4/S220/litehous-sml.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5931600765099861931.post-8597122701477715015</id><published>2011-09-11T15:37:00.000Z</published><updated>2011-09-11T15:39:10.530Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='Enterprise Risk Management'/><category scheme='http://www.blogger.com/atom/ns#' term='Business Continuity'/><title type='text'>ERM-BC-COOP  Mom 'n' Pop need Survival Plan</title><content type='html'>&lt;P&gt;&amp;nbsp;
&lt;/P&gt;&lt;P&gt;
The other day &lt;b&gt;Theresa (Tess) Smalley&lt;/B&gt; posted a note to an Emergency Management list that reminds me that Mom-n-Pop operations need risk management plans, too.
&lt;/P&gt;&lt;P&gt;
It also reminds me that (a) most Mom-n-Pops cannot afford our corporate rates and (b) that we need sponsors to market our services to the Moms-n-Pops of the world.
&lt;/P&gt;&lt;P&gt;
Most Mom-n-Pop organizations don't need 200-page plans; there simply are not that many people working there and there are not that many processes to document and train responders to perform. 
&lt;/P&gt;&lt;P&gt;
Instead of taking six to 12 months to create a plan as is typical for a Big Company, a good practitioner &lt;i&gt;ought&lt;/i&gt; to be able to create a decent plan in, say, two weeks. Allow another week for the client to review the results and perhaps a day or two to do some minimal training.
&lt;/P&gt;&lt;P&gt;
Tess' story that prompts this is as follows:
&lt;/P&gt;&lt;P&gt;
&lt;UL&gt;The story is about a private child care center that has about 100 customers. They got flooded in the remnants of Tropical Storm Lee. 4 feet of water came into the building then dissipated by morning. The center closed. They called parents late night/early morning to tell them that the center was closed. Most of the teachers and some parents showed up that morning to help clean. Many other parents that did not get the message showed up expecting to drop their child so that they could go to work. There was a lot of frustration and downright anger when they discovered that wasn't going to happen.
Things that could have happened differently:
&lt;OL&gt;&lt;LI&gt; There was a creek of some sort right behind the school, yet it had not occurred to the school that they might flood. They have no plans and no flood insurance.
&lt;/LI&gt;&lt;LI&gt; They do not seem to have as many after-hours contact numbers as they should. I'm sure they have daytime numbers since they need them if the kids are injured, but it is very possible they didn't recognize that there may be a very different number to call at 4am.
&lt;/LI&gt;&lt;LI&gt; They did not have a plan in place and when disaster struck, they did not think on their feet. They did not consider the impact to their customers, only the impact to themselves. Those teachers that showed up would have been better used setting up a temporary child care somewhere else (even if that meant renting a hotel conference room or moving in temporarily with another child care center). It was a waste to have these specialized professionals scooping mud while the parents were struggling to find alternate child care so that they don't miss work and get fired.
&lt;/LI&gt;&lt;LI&gt; They weren't willing and prepared to spend money to fix the problem, hence it is likely they'll lose a lot of their customers and could ultimately go under from it. They could easily have hired people to clean (for example) rather than re-purpose their teachers and thus free the teachers up to do child care.&lt;/LI&gt;&lt;/OL&gt;&lt;/UL&gt;
&lt;/P&gt;&lt;P&gt;
OK, so who can market our services to Mom-n-Pops to generate enough business to keep us busy and pay our bills?
&lt;/P&gt;&lt;P&gt;
Two choices come quickly to mind.
&lt;/P&gt;&lt;P&gt;
Insurance companies' local agents, and accountants.
&lt;/P&gt;&lt;P&gt;
&lt;B&gt;Insurance agents&lt;/B&gt; 
&lt;/P&gt;&lt;P&gt;
Insurance agents should promote risk management to reduce their company's losses "in the event of."
&lt;/P&gt;&lt;P&gt;
Most Mom-n-Pops probably don't carry business interruption insurance or Officer and Director insurance (although the second should be a consideration), but they DO carry the standard property and casualty (P&amp;C) insurance and they pay into Workman's Compensation funds - more if there have been claims against the fund by employees.
&lt;/P&gt;&lt;P&gt;
Risk management would look at all risks to the operation. The same basic risks as for any organization, making certain to include employee safety. (Does that piece of mechanical gear have a guard device in place? Are there slip and fall possibilities that are less than obvious - and even if they are obvious, are they mitigated with signage or other warnings?)
&lt;/P&gt;&lt;P&gt;
As with most things "risk management," the practitioner might want to seek outside help from sundry Subject Matter Experts (SMEs), most of whom will provide their expertise gratis - free, even. I'm thinking of insurance adjustors, police for security, fire marshal for fire safety, building inspector for building safety, perhaps even someone from an environmental agency - is the facility in a flood plain?
&lt;/P&gt;&lt;P&gt;
&lt;B&gt;Accountants&lt;/B&gt;
&lt;/P&gt;&lt;P&gt;
Many Mom-n-Pops depend on Mom to keep the books, but most Moms are smart enough to seek assistance from a real accountant - certified or not - to make certain the books will pass government muster.
&lt;/P&gt;&lt;P&gt;
Accountants could offer risk management as a value-added service. This is a win-win-win situation: the accountant wins by offering his client an opportunity to get a risk management plan from an accountant-approved practitioner; the client wins by getting an economical plan from a qualified practitioner, and of course the practitioner wins by having an income.
&lt;/P&gt;&lt;P&gt;
The practitioner performs the same service for the Mom-n-Pop no matter who - insurance agent or accountant - provides the lead.
&lt;/P&gt;&lt;P&gt;
&lt;B&gt;What the practitioner must do&lt;/B&gt;
&lt;/P&gt;&lt;P&gt;
The practitioner needs to create a small brochure - this can be done on the home or office computer and copied at a quick print outlet. The brochure needs to be factual more than fancy; it needs to show how risk management can help an organization identify risks and suggest ways to avoid or mitigate the risks - &lt;i&gt;without giving away the practitioner's expertise&lt;/i&gt;.
&lt;/P&gt;&lt;P&gt;
Next, the practitioner needs to introduce him/herself to the agents and accountants. 
&lt;/P&gt;&lt;P&gt;
A smart practitioner &lt;i&gt;might&lt;/i&gt; go in with some suggestions to the agent/accountant to show the practitioner is professional and experienced.
&lt;/P&gt;&lt;P&gt;
Bottom line: Mom-n-Pops need risk management as much as General Motors and General Foods. Mom-n-Pops need to be able to &lt;u&gt;afford&lt;/u&gt; a risk management practitioner's services.
&lt;/P&gt;&lt;P&gt;
Risk management practitioners need to be kept busy - volume can make up for deflated hourly rates.
&lt;/P&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5931600765099861931-8597122701477715015?l=johnglennmbci.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://johnglennmbci.blogspot.com/feeds/8597122701477715015/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5931600765099861931&amp;postID=8597122701477715015&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/8597122701477715015'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/8597122701477715015'/><link rel='alternate' type='text/html' href='http://johnglennmbci.blogspot.com/2011/09/erm-bc-coop-mom-n-pop-need-survival.html' title='&lt;H3&gt;&lt;U&gt;ERM-BC-COOP&lt;/U&gt;&lt;/H3&gt;  &lt;H1&gt;Mom &apos;n&apos; Pop need &lt;BR&gt;Survival Plan&lt;/H1&gt;'/><author><name>John Glenn MBCI</name><uri>http://www.blogger.com/profile/03499458727913967175</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='11' height='32' src='http://bp2.blogger.com/_j2DodcRshS0/R_-0aRRk2PI/AAAAAAAAAAk/d-6wSUMOBX4/S220/litehous-sml.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5931600765099861931.post-2317881114794539110</id><published>2011-09-09T13:32:00.005Z</published><updated>2011-09-09T13:44:51.830Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='Enterprise Risk Management'/><category scheme='http://www.blogger.com/atom/ns#' term='Business Continuity'/><title type='text'>ERM-BC-COOP  Value of tyros</title><content type='html'>&lt;P&gt;&amp;nbsp;
&lt;/P&gt;&lt;P&gt;
As most readers of this blog are aware, I participate on a number of groups, forums, and lists.
&lt;/P&gt;&lt;P&gt;
Operative word is "participate."
&lt;/P&gt;&lt;P&gt;
For years I have encouraged newbies, tyros, to participate in exchanges on lists, forums, groups, et al.
&lt;/P&gt;&lt;P&gt;
The push back often was "I don't have anything to offer."
&lt;/P&gt;&lt;P&gt;
On the flip side of the "can't get the newbies to participate" coin are the novices - some with certifications! - who ask questions easily answered with a little homework, researching the Internet for answers. These people, all too many of whom abound, tend to discourage real practitioners from polite responses.
&lt;/P&gt;&lt;P&gt;
Recently, however, there have been several thought-provoking questions raised by a tyro on LinkedIn's BCMIX - Business Continuity Management Information eXchange group.
&lt;/P&gt;&lt;P&gt;
The questioner is not all &lt;i&gt;that&lt;/i&gt; new to risk management; she came to business continuity from DR, but she now finds herself in a &lt;i&gt;real&lt;/i&gt; risk management role.
&lt;/P&gt;&lt;P&gt;
One of her questions
&lt;/P&gt;&lt;P&gt;
&lt;OL&gt;&lt;B&gt;Black Swans &amp; BCP &lt;/B&gt;
&lt;/P&gt;&lt;P&gt;
I’ve recently been given the opportunity to work with an EM/BC non-profit organization and I’m pretty excited about it. 
&lt;/P&gt;&lt;P&gt;
My first assignment was to write an article for their newsletter, which has now gone out, so I’m hoping to engage the community in a conversation and drive a bit of traffic to their Facebook site. 
&lt;/P&gt;&lt;P&gt;
If you wouldn’t mind sharing your thoughts on Black Swans &amp; BCP, I’d appreciate it. Article below:
&lt;/P&gt;&lt;P&gt;
In 2007, Nassim Nicholas Taleb published "The Black Swan: the impact of the highly improbable" and the term “Black Swan” entered the common parlance of the Business Continuity community. At the time, I assumed this was because:
&lt;/P&gt;&lt;P&gt;
&lt;OL&gt;&lt;LI&gt;It was highly applicable to bcp
&lt;/LI&gt;&lt;LI&gt;The term was prominent in the minds of business leaders and something they could (painfully) relate to
&lt;/LI&gt;&lt;LI&gt; It spoke of loss and the need for resilience
&lt;/LI&gt;&lt;LI&gt;It’s pretty catchy&lt;/LI&gt;&lt;/OL&gt;
&lt;/P&gt;&lt;P&gt;
However, having just read some of Taleb’s work, I have to ask “what does the Black Swan mean to business continuity?”
&lt;/P&gt;&lt;P&gt;
Taleb describes a Black Swan event as having three characteristics; “it is an outlier, as it lies outside the realm of regular expectations, because nothing in the past can convincingly point to its possibility. Second, it carries an extreme impact. Third, in spite of its outlier status, human nature makes us concoct explanations for its occurrence after the fact, making it explainable and predictable.”
&lt;/P&gt;&lt;P&gt;
Given these parameters, wouldn’t an alien invasion qualify as a Black Swan event?
&lt;/P&gt;&lt;P&gt;
After all, aliens have been sneaking around stealing our socks, umbrellas and car keys for years. We should have known this would happen.
&lt;/P&gt;&lt;P&gt;
OK, it’s a silly example but a good illustration of why I struggle with business continuity and the Black Swan. Where does the Black Swan leave us? Is it a get out of jail free card, a call to plan for the ‘impossible’ or something else altogether?
&lt;/P&gt;&lt;P&gt;
Taleb tells us not to waste time trying to predict Black Swans but to build robustness against them. That sounds like business continuity and it is; vaguely. I say vaguely because Taleb is an economist discussing the world financial system. In his “Ten Principles for a Black Swan-robust Society”, Taleb offers advice such as “People who drove a school bus blindfolded (and crashed it) should never be given a new bus” and “don't let someone making an "incentive" bonus manage a nuclear plant - or your financial risk.” While indeed astute, I’m not really sure how to incorporate it into meaningful BCM output.&lt;/OL&gt;
&lt;/P&gt;&lt;P&gt;
Obviously the questioner did her homework before putting her query to the group. As this is written, her question has generated more than 30 responses. What is better than 30 responses? Thirty responses that do not necessarily agree with one another, a situation guaranteed to cause practitioners to think about their positions.

&lt;/P&gt;&lt;P&gt;
Another question that got practitioner attention was
&lt;/P&gt;&lt;P&gt;
&lt;UL&gt;&lt;B&gt;Critical Worker Support Planning?&lt;/B&gt; 
&lt;/P&gt;&lt;P&gt;
Most of us have mission critical staff who must report to work shortly after a major incident and common sense suggests that they will only do so if they feel that their families are safe and secure. Since nonessential staff outnumber those required to support recovery, it makes sense (at least on paper) to try to leverage that pool and build some kind of critical employee support/assistance program. However, I don't see much written about this, so my questions are:&lt;BR&gt;&lt;OL&gt;&lt;LI&gt; Do you have plans to support critical workers?&lt;/LI&gt;&lt;LI&gt; If so, what types of assistance are provided?&lt;/LI&gt;&lt;/OL&gt;&lt;/UL&gt;
&lt;/P&gt;&lt;P&gt;
This query so far has generated six responses from senior or "very senior" practitioners.
&lt;/P&gt;&lt;P&gt;
Who certified this practitioner? To date she has avoided the certification wars (BCI vs. DRII vs. several new-on-the-scene).
&lt;/P&gt;&lt;P&gt;
The &lt;i&gt;bottom line&lt;/i&gt; is that no matter if a person is a tyro or a well seasoned - &lt;i&gt;I've always wondered with &lt;u&gt;what&lt;/u&gt; seasoning&lt;/i&gt; - pro, &lt;U&gt;ever&lt;/u&gt;y&lt;U&gt;one, without exce&lt;/u&gt;p&lt;U&gt;tion&lt;/U&gt; has something to offer, if only a thought-provoking question.
&lt;/P&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5931600765099861931-2317881114794539110?l=johnglennmbci.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://johnglennmbci.blogspot.com/feeds/2317881114794539110/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5931600765099861931&amp;postID=2317881114794539110&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/2317881114794539110'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/2317881114794539110'/><link rel='alternate' type='text/html' href='http://johnglennmbci.blogspot.com/2011/09/erm-bc-coop-value-of-tyros.html' title='&lt;H3&gt;&lt;U&gt;ERM-BC-COOP&lt;/U&gt;&lt;/H3&gt;  &lt;H1&gt;Value of tyros&lt;/H1&gt;'/><author><name>John Glenn MBCI</name><uri>http://www.blogger.com/profile/03499458727913967175</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='11' height='32' src='http://bp2.blogger.com/_j2DodcRshS0/R_-0aRRk2PI/AAAAAAAAAAk/d-6wSUMOBX4/S220/litehous-sml.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5931600765099861931.post-4090923857015951771</id><published>2011-09-08T21:13:00.002Z</published><updated>2011-09-08T21:18:46.922Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='Enterprise Risk Management'/><category scheme='http://www.blogger.com/atom/ns#' term='Business Continuity'/><title type='text'>ERM-BC-COOP  One more concern</title><content type='html'>&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;
&lt;U&gt;"Suicide by Chemical&lt;/U&gt;, the title of a video brought to my attention on an Emergency Management list I read, is aimed toward first responders - fire, police, EMTs.&lt;/P&gt;&lt;P&gt;
But because my mind works in "different" directions, I started thinking:&lt;/P&gt;&lt;UL&gt;&lt;P&gt;
&lt;I&gt;"If a person who wants to commit suicide can go to a couple of local stores and buy all the individually harmless products needed to make a killing gas, what's to stop a potential terrorist - and that can be a disgruntled (ex)employee - from compounding similar products to sicken or kill people where we work?"&lt;/I&gt;&lt;/P&gt;&lt;/UL&gt;&lt;P&gt;
Every housewife and bachelor knows - &lt;i&gt;OK, should know&lt;/i&gt; - that bleach and ammonia are never mixed together. The fumes can kill.&lt;/P&gt;&lt;P&gt;
Since it has become difficult for potential bombers to acquire their preferred materials, a fertilizer mix, expect them to check the World Wide Web for other options.&lt;/P&gt;&lt;P&gt;
I can remember as a kid stories of two-compartment vials of chemicals that, when the vial was shattered and the chemicals mixed, an explosion resulted. OK, that was tv and movie serials, but the idea was, and remains, valid.&lt;/P&gt;&lt;P&gt;
Fortunately, for the chemicals used in "suicide by chemical" cases, the area of effectiveness must be both (relatively) small and enclosed.&lt;/P&gt;&lt;P&gt;
But consider.&lt;/P&gt;&lt;P&gt;
The materials are easily acquired.&lt;/P&gt;&lt;P&gt;
The materials can be easily concealed, either separately or together in a two-part vial or even a vacuum bottle - in other words, easily brought into the work place.&lt;/P&gt;&lt;P&gt;
To the best of my knowledge "murder by chemical" is not on any terrorist's list of favored weapons, but it behooves risk management practitioners to &lt;i&gt;consider the possibility &lt;b&gt;now&lt;/b&gt;&lt;/I&gt; and to think of ways to avoid or mitigate the threat - &lt;b&gt;&lt;i&gt;without violating anyone's 'civil rights'&lt;/i&gt;&lt;/B&gt;.&lt;/P&gt;&lt;P&gt;
What can be done to &lt;b&gt;prevent&lt;/b&gt; an incident?&lt;/P&gt;&lt;P&gt;
What can be done if an incident occurs? What is needed?&lt;/P&gt;&lt;P&gt;
Think PPE - &lt;i&gt;P&lt;/i&gt;ersonal &lt;i&gt;P&lt;/i&gt;rotective &lt;I&gt;E&lt;/I&gt;quipment - for one or two people.&lt;/P&gt;&lt;P&gt;
Think procedures to clear an area so that innocent people are protected from gases given off by the victims and their clothing.&lt;/P&gt;&lt;P&gt;
Think procedures to notify whatever organization is equipped to handle hazmat incidents - usually the fire department - and the police, making certain to warn the responders of the potentially lethal chemicals.&lt;/P&gt;&lt;P&gt;
Is the threat likely? At this point, probably not.&lt;/P&gt;&lt;P&gt;
But as the video, "Suicide by Chemical," points out, the How To information is on the Internet for all to see.&lt;/P&gt;&lt;P&gt;
Nothing is simple, but we are expected to anticipate the threats - no excuse for any black, or even grey, swans - and to develop means to deal with the threats.&lt;/P&gt;&lt;P&gt;
Whether or not management agrees is another matter (&lt;i&gt;and management may be the biggest threat of all, but don't quote me on that&lt;/i&gt;).&lt;/P&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5931600765099861931-4090923857015951771?l=johnglennmbci.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://www.fireengineering.com/training/ffsupport.html' title='&lt;H3&gt;&lt;U&gt;ERM-BC-COOP&lt;/U&gt;&lt;/H3&gt;  &lt;h1&gt;One more concern&lt;/H1&gt;'/><link rel='replies' type='application/atom+xml' href='http://johnglennmbci.blogspot.com/feeds/4090923857015951771/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5931600765099861931&amp;postID=4090923857015951771&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/4090923857015951771'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/4090923857015951771'/><link rel='alternate' type='text/html' href='http://johnglennmbci.blogspot.com/2011/09/erm-bc-coop-one-more-concern.html' title='&lt;H3&gt;&lt;U&gt;ERM-BC-COOP&lt;/U&gt;&lt;/H3&gt;  &lt;h1&gt;One more concern&lt;/H1&gt;'/><author><name>John Glenn MBCI</name><uri>http://www.blogger.com/profile/03499458727913967175</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='11' height='32' src='http://bp2.blogger.com/_j2DodcRshS0/R_-0aRRk2PI/AAAAAAAAAAk/d-6wSUMOBX4/S220/litehous-sml.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5931600765099861931.post-6010872379276145860</id><published>2011-09-07T16:48:00.002Z</published><updated>2011-09-07T16:58:59.404Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='Enterprise Risk 
Management'/><category scheme='http://www.blogger.com/atom/ns#' term='Business Continuity'/><title type='text'>ERM-BC-COOP The power of people</title><content type='html'>&lt;P&gt;&amp;nbsp;
&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;FONT SIZE=+2&gt;Risk management - under any name - should &lt;b&gt;never&lt;/b&gt; be performed in a vacuum.&lt;/FONT&gt;
&lt;/P&gt;&lt;P&gt;&lt;img style="float:right; margin:0 0 10px 10px;cursor:pointer; cursor:hand;width: 153px; height: 191px;" src="http://4.bp.blogspot.com/-XzwRLH1gBZw/TmegjBm6lTI/AAAAAAAAAF8/jvcmuN8ln9E/s320/vacuum.png" border="0"&gt;

&lt;/P&gt;&lt;P&gt;
A proposal &lt;i&gt;might&lt;/i&gt; be written by one person acting alone, but as a former proposal writer, I can tell you that is far less than optimal.  Perhaps one person in 1,000 can catch their own typos and grammatical faux pas. Spell check helps, but spell check can't determine which "to/too/two" or "there/their" is appropriate or that "no" should be "now", or even that a negative needs to be inserted to convey what is meant, not what is not meant.
&lt;/P&gt;&lt;P&gt;
The Statement of Work and Project Plan need input from the client, be the practitioner internal or external - in-house or out-house? Input and approval.
&lt;/P&gt;&lt;P&gt;
Everyone from Most Senior Management to Newest Mailroom Intern &lt;i&gt;should&lt;/i&gt; be involved in ferreting out threats to the organization. Each person has his or her own perspective of the job and of the organization.
&lt;/P&gt;&lt;P&gt;
Likewise everyone should be involved in searching for ways to avoid or mitigate a threat.
&lt;/P&gt;&lt;P&gt;
At one time a person in the U.S. or Canada was employed at one job all their working days. I once had a manager who got his job on an uncle's recommendation and when I met the man, he was already into his 30th year with the company. But he is - or was - the exception.
&lt;/P&gt;&lt;P&gt;
Most people today bring a potpourri of experience to their current job.
&lt;/P&gt;&lt;P&gt;
&lt;I&gt;Sadly, most resumes, once the person is hired, are filed away and all experience relating to anything but the current job is ignored. I once worked a business continuity job for a city. The guy two offices down from my temporary home had business continuity experience, but no one asked for his help (until I "discovered" the resource).&lt;/I&gt;
&lt;/P&gt;&lt;P&gt;
Today's entry is prompted by several things.
&lt;/P&gt;&lt;P&gt;
One is the massive fires in Texas; another is a communications thread on LinkedIn.
&lt;/P&gt;&lt;P&gt;
&lt;H3&gt;Texas fire - more than flames&lt;/H3&gt;
&lt;/P&gt;&lt;P&gt;
The fires currently raging in Texas - the tv talking head just told me the acreage is about the same as the size of Connecticut - boggle the mind, but I am certain the Emergency Management people have a handle on what can be done and what is being done.
&lt;/P&gt;&lt;P&gt;
But think for a moment of the organizations who depend upon the people whose homes - or the homes of their kin - are endangered. Think about the organization's facility.
&lt;/P&gt;&lt;P&gt;
What can be done to support the staff, an organization's most important asset? If staff are worried about their homes - or finding a new home if theirs was burned - they won't work at peak efficiency.
&lt;/P&gt;&lt;P&gt;
Assume for a moment that the facility is safely out of the fire's path. What about the highways and byways leading to the facility? Can people get to the building? Can vendors deliver? What are the options?
&lt;/P&gt;&lt;P&gt;
The practitioner can think of some, perhaps many, but there always is "another way to meet the threat." That's why "all hands" sessions are important.
&lt;/P&gt;&lt;P&gt;
&lt;H4&gt;&lt;I&gt;Sanhedrin approach - an aside&lt;/I&gt;&lt;/H4&gt;
&lt;/P&gt;&lt;P&gt;
Several thousand years ago - give or take a century - when Jewish kings ruled Israel, there was a "supreme court" of 71 elders. This court was called the Great Sanhedrin to set it apart from smaller courts consisting of 23 judges.
&lt;/P&gt;&lt;P&gt;&lt;a href="http://2.bp.blogspot.com/-606XOcfHuI8/TmehuDoQWVI/AAAAAAAAAGM/NbRf9EmfbMo/s1600/615px-Sanhedrim.jpg"&gt;&lt;img style="float:right; margin:0 0 10px 10px;cursor:pointer; cursor:hand;width: 400px; height: 390px;" src="http://2.bp.blogspot.com/-606XOcfHuI8/TmehuDoQWVI/AAAAAAAAAGM/NbRf9EmfbMo/s400/615px-Sanhedrim.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5649662070179780946" /&gt;&lt;/a&gt;
As with most courts, the sanhedrins had junior members, members, and senior members.
&lt;/P&gt;&lt;P&gt;
Unlike some courts, the sanhedrins had an interesting rule: When it came time to decide an issue, the most junior member spoke first. The next-most-junior member gave his opinion next and so on until the court's president - the most senior member - gave his opinion.
&lt;/P&gt;&lt;P&gt;
Why?
&lt;/P&gt;&lt;P&gt;
The reasoning was that if the president gave his opinion first, those of "lesser rank" would feel obliged to agree with the president.
&lt;/P&gt;&lt;P&gt;
This &lt;i&gt;normally&lt;/i&gt; is a good rule to follow when looking for threats and ways to avoid or mitigate them. Sometimes, however, the practitioner needs a senior member to "prime the pump," to get people talking.
&lt;/P&gt;&lt;P&gt;
I used this approach with some success when working on a plan for my favorite state's  government.
&lt;/P&gt;&lt;P&gt;
&lt;H3&gt;Communication options&lt;/H3&gt;
&lt;/P&gt;&lt;P&gt;
The LinkedIn poster started off with a general question:
&lt;/P&gt;&lt;P&gt;&lt;a href="http://1.bp.blogspot.com/-dJDuI1fkpJQ/TmehXke9HiI/AAAAAAAAAGE/q04UsFdGV7c/s1600/tincans.png"&gt;&lt;img style="float:right; margin:0 0 10px 10px;cursor:pointer; cursor:hand;width: 191px; height: 137px;" src="http://1.bp.blogspot.com/-dJDuI1fkpJQ/TmehXke9HiI/AAAAAAAAAGE/q04UsFdGV7c/s320/tincans.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5649661683862150690" /&gt;&lt;/a&gt;
&lt;i&gt;"Many Blue Chips rely on the Cell network or VPN as a BC option. Given that government agencies can throttle or switch off the networks during a MI, is it still a good idea?"&lt;/I&gt;
&lt;/P&gt;&lt;P&gt;
The query generated a number of responses - 17 as this is prepared.
&lt;/P&gt;&lt;P&gt;
There were those who suggested cell phones were perhaps less than optimal; some folks noted that Hurricane Irene proved that, while others reminded that on 9/11 (2001) the circuits were jammed and the cell phones were useless.
&lt;/P&gt;&lt;P&gt;
Others promoted satellite phones - expensive to own and operate, but almost guaranteed to work - &lt;i&gt;almost&lt;/i&gt; guaranteed.
&lt;/P&gt;&lt;P&gt;
One person was pitching a self-contained product that he promised could connect to everything.
&lt;/P&gt;&lt;P&gt;
Several were concerned with government control of the airwaves; could communications be "throttled down" to make frequencies available for government agencies?
&lt;/P&gt;&lt;P&gt;
Two-way radio was suggested. Someone thought towers were needed for antennae - they are not; handheld radios include antennas and even shortwave sets can work effectively with slant-wire aerials. Two-way radios can even be networked. 
&lt;/P&gt;&lt;P&gt;
No one suggested two tin cans and a string, semaphore flags, or strong lights. Obviously the first option is facetious, but the flags and lights are legitimate; the only problem being people at both ends need to understand the code.
&lt;/P&gt;&lt;P&gt;
The LinkedIn exchanges are a worldwide version of an all-hands meeting. You get some off-the-wall suggestions that need to be considered, and you get information about things that have been tried and either succeeded or failed - and why.&lt;/P&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5931600765099861931-6010872379276145860?l=johnglennmbci.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://johnglennmbci.blogspot.com/feeds/6010872379276145860/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5931600765099861931&amp;postID=6010872379276145860&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/6010872379276145860'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/6010872379276145860'/><link rel='alternate' type='text/html' href='http://johnglennmbci.blogspot.com/2011/09/erm-bc-coop-power-of-people.html' title='&lt;H3&gt;&lt;U&gt;ERM-BC-COOP&lt;/U&gt;&lt;/H3&gt; &lt;H1&gt;The power of people&lt;/H1&gt;'/><author><name>John Glenn MBCI</name><uri>http://www.blogger.com/profile/03499458727913967175</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='11' height='32' src='http://bp2.blogger.com/_j2DodcRshS0/R_-0aRRk2PI/AAAAAAAAAAk/d-6wSUMOBX4/S220/litehous-sml.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/-XzwRLH1gBZw/TmegjBm6lTI/AAAAAAAAAF8/jvcmuN8ln9E/s72-c/vacuum.png' height='72' 
width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5931600765099861931.post-7146159133263431947</id><published>2011-08-29T21:32:00.003Z</published><updated>2011-08-29T21:43:03.229Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='Enterprise Risk Management'/><category scheme='http://www.blogger.com/atom/ns#' term='Business Continuity'/><title type='text'>ERM-BC-COOP  Define that</title><content type='html'>&lt;P&gt;^&amp;nbsp;
&lt;/P&gt;&lt;P&gt;
In Lerner &amp;amp; Loewe's musical version of Geo. Bernard Shaw's &lt;u&gt;Pygmalion, A Play in Five Acts&lt;/U&gt;, Professor 'enry 'iggins loudly challenges his chum with "Why can't the English learn to speak . . .  the language!"
&lt;/P&gt;&lt;P&gt;
The original "My Fair Lady" debuted on Broadway  in 1956; the film version dates to 1964, roughly the same time as the Von Trapps were singing across the alps of New York and Hollywood.
&lt;/P&gt;&lt;P&gt;
Shaw's complaint in 1912, Pygmalion's initial publication date, remains a valid complaint to this day.
&lt;/P&gt;&lt;P&gt;
Granted, English &lt;i&gt;is&lt;/i&gt; a "living language." What was nouveau in 1912 often was passé by 1956 and downright ancient by mid-(19)60s.
&lt;/P&gt;&lt;P&gt;
Still, some words linger and find themselves in the vocabularies of the 21st century.
&lt;/P&gt;&lt;P&gt;
Unfortunately, and I blame it on our laziness, we - practitioners in particular - no longer use words in their "common" - as in "most understood," not "vulgar" - form. Punctuation also has been abused, and, along with our choices of words, can wreak havoc when we try to communicate critical thoughts to others. &lt;I&gt;For an interesting appreciation of punctuation, watch Victor Borge explain &lt;u&gt;Phonetic Pronunciation&lt;/U&gt; at &lt;A HREF="http://www.youtube.com/watch?v=lF4qii8S3gw" TARGET="Punctuation"&gt;&lt;b&gt;http://www.youtube.com/watch?v=lF4qii8S3gw&lt;/b&gt;&lt;/a&gt;&lt;/I&gt;
&lt;/P&gt;&lt;P&gt;
I'm not talking - this time - about "alphabet soup" or even "techno-speak." 
&lt;/P&gt;&lt;P&gt;
I'm talking about "plain English." Yes, I know the problem exists in other languages as well, but this blog is in English and the few visitors to it are English speakers/readers.
&lt;/P&gt;&lt;P&gt;
For example, a person asked "When does an incident become a crisis?"
&lt;/P&gt;&lt;P&gt;
Pretty straightforward question.
&lt;/P&gt;&lt;P&gt;
But the answers suggest that how &lt;A HREF="http://www.merriam-webster.com/" TARGET="MW"&gt;Merriam-Webster&lt;/A&gt; defines "incident" and "crisis" and how some of the responders define those words are substantially different.
&lt;/P&gt;&lt;P&gt;
Just for the record, M-W defines "incident" as &lt;FONT FACE="Arial"&gt;
&lt;/P&gt;&lt;P&gt;
&lt;B&gt;in•ci•dent&lt;/B&gt;
&lt;/P&gt;&lt;P&gt;
1: something dependent on or subordinate to something else of greater or principal importance
&lt;/P&gt;&lt;P&gt;
2
&lt;/P&gt;&lt;P&gt;
&lt;UL&gt;a : an occurrence of an action or situation that is a separate unit of experience : happening
&lt;/P&gt;&lt;P&gt;
b : an accompanying minor occurrence or condition : concomitant&lt;/UL&gt;
&lt;/P&gt;&lt;P&gt;
3: an action likely to lead to grave consequences especially in diplomatic matters
&lt;/P&gt;&lt;P&gt;

&lt;/P&gt;&lt;P&gt;
&lt;/FONT&gt;and "crisis" as &lt;FONT FACE=Arial&gt;
&lt;/P&gt;&lt;P&gt;
&lt;B&gt;cri•sis plural cri•ses&lt;/B&gt;
&lt;/P&gt;&lt;P&gt;
1
&lt;/P&gt;&lt;P&gt;
&lt;UL&gt;a : the turning point for better or worse in an acute disease or fever
&lt;/P&gt;&lt;P&gt;
b : a paroxysmal attack of pain, distress, or disordered function
&lt;/P&gt;&lt;P&gt;
c : an emotionally significant event or radical change of status in a person's life &lt;/UL&gt;
&lt;/P&gt;&lt;P&gt;
2: the decisive moment
&lt;/P&gt;&lt;P&gt;
3
&lt;/P&gt;&lt;P&gt;
&lt;UL&gt;a : an unstable or crucial time or state of affairs in which a decisive change is impending; especially : one with the distinct possibility of a highly undesirable outcome 
&lt;/P&gt;&lt;P&gt;
b : a situation that has reached a critical phase&lt;/UL&gt;&lt;/FONT&gt;
&lt;/P&gt;&lt;P&gt;
Frankly, I don't like the word "crisis" in relation to risk management. "Crisis" suggests that things have gotten out of control and &lt;i&gt;that&lt;/i&gt; suggests a lack of preparation.
&lt;/P&gt;&lt;P&gt;
I will accept that something can reach a "crisis STAGE" - as an example, a hurricane pushing a huge tidal wave toward the island of Hispaniola, or the liftoff of a space shuttle, but for events at most organizations, "crisis" should only be a word in a dictionary.
&lt;/P&gt;&lt;P&gt;
I am &lt;b&gt;not&lt;/b&gt; discounting the  "crisis management" function - I was on a "crisis management team" once, but our job was not to manage a "crisis" but to make certain an incident did not become a crisis. "Crisis prevention" would have been a better title.
&lt;/P&gt;&lt;P&gt;
It behooves practitioners, especially those of us who create the related and necessary documentation, to c&amp;nbsp;a&amp;nbsp;r&amp;nbsp;e&amp;nbsp;f&amp;nbsp;u&amp;nbsp;l&amp;nbsp;l&amp;nbsp;y select the words, and perhaps graphics as well, that we use for each specific audience.
&lt;/P&gt;&lt;P&gt;
It only takes a moment or two to visit an on-line dictionary - searching in an unabridged is much more interesting . . . and time consuming - to determine the most understood word for the thought you are trying to convey.
&lt;/P&gt;&lt;P&gt;
If the listener or reader fails to comprehend what you are trying to convey; if the listener or reader can possibly "interpret" the words, not only have you failed to communicate but you also may be making an incident into a crisis.
&lt;/P&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5931600765099861931-7146159133263431947?l=johnglennmbci.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://johnglennmbci.blogspot.com/feeds/7146159133263431947/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5931600765099861931&amp;postID=7146159133263431947&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/7146159133263431947'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/7146159133263431947'/><link rel='alternate' type='text/html' href='http://johnglennmbci.blogspot.com/2011/08/erm-bc-coop-define-that.html' title='&lt;H3&gt;&lt;U&gt;ERM-BC-COOP&lt;/U&gt;&lt;/H3&gt;  &lt;H1&gt;Define that&lt;/H1&gt;'/><author><name>John Glenn MBCI</name><uri>http://www.blogger.com/profile/03499458727913967175</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='11' height='32' src='http://bp2.blogger.com/_j2DodcRshS0/R_-0aRRk2PI/AAAAAAAAAAk/d-6wSUMOBX4/S220/litehous-sml.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5931600765099861931.post-1384889244047580636</id><published>2011-08-28T17:08:00.002Z</published><updated>2011-08-28T22:16:23.174Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='Enterprise Risk Management'/><category scheme='http://www.blogger.com/atom/ns#' term='Business Continuity'/><title type='text'>ERM-BC-COOP Odds &amp; Ends</title><content type='html'>&lt;P&gt;&amp;nbsp;
&lt;/P&gt;&lt;P&gt;
Two things to share, one that is suitable to share with clients, the other more on a personal level.
&lt;/P&gt;&lt;P&gt;
&lt;B&gt;Thing 1&lt;/B&gt;: American Red Cross "Safe &amp;amp; Well" Web site
&lt;/P&gt;&lt;P&gt;
&lt;UL&gt;The ARC "Safe &amp;amp; Well" Web site allows people in, or from, disaster areas to post their status on line and make it available to selected people.
&lt;/P&gt;&lt;P&gt;
The "Safe &amp;amp; Well" home page is at
&lt;/P&gt;&lt;P&gt;
&lt;A HREF="https://safeandwell.communityos.org/" TARGET="ARC1"&gt;&lt;B&gt;https://safeandwell.communityos.org/&lt;/B&gt;&lt;/a&gt;
&lt;/P&gt;&lt;P&gt;
Using the page takes some pre-planning and sharing of information before the event.
&lt;/P&gt;&lt;P&gt;
Searches are by name and address (street, city, state, zip) or name and telephone number (the person who is "safe and well" may register as many as three 20-digit numbers, a match on one is sufficient).
&lt;/P&gt;&lt;P&gt;
The information is straightforward both for the person who survived an event and for people searching for the person. The add-a-name form includes a dropdown menu with a list of current disasters, but is made flexible by offering an "Other" option.
&lt;/P&gt;&lt;P&gt;
The site is well supported by HELP (how to) and FAQ pages.
&lt;/P&gt;&lt;P&gt;
The only pre-event activity is to make sure the people who you want to find you (or the people you want to find) have the critical search information: first and last name, as many as three (3) telephone numbers, and a complete address. The more information, the more accurate the search.
&lt;/P&gt;&lt;/UL&gt;&lt;P&gt;
&lt;B&gt;Thing 2&lt;/B&gt;: Closing out social networking accounts
&lt;/P&gt;&lt;P&gt;
&lt;UL&gt;AccountKiller, 
&lt;/P&gt;&lt;P&gt;
&lt;A HREF="http://www.accountkiller.com/en/" TARGET="Kil"&gt;&lt;b&gt;http://www.accountkiller.com/en/&lt;/b&gt;&lt;/a&gt;
&lt;/P&gt;&lt;P&gt;
is a Web site that lists ways to kill/delete accounts on a number of programs, including 
&lt;/P&gt;&lt;UL&gt;&lt;P&gt;
4shared, 9lives, Aardvark, About Me, About.com, Adobe, Adsense, AdultFriendFinder, AIM, Alexa, Amazon, Amigos.com, Amplify, Ancestry.com, Answerbag, Answers.com, AOL, Apartment Therapy, Auran, Backupify, Badoo, Bart Smit, Battle.net, Bearshare, Beautiful People, Bebo, Beliefnet, Bigpoint, Bitly, BlackPlanet, Blekko, Blip.tv, Blockbuster, Blogcatalog, Blogger, Blogshot, Bol.com, Buitenlandse Partner, BuxJunction, CGHub, CNET, Facebook, Gmail, Google, Gravatar, Habbo, Hotmail / Live, ICQ, Microsoft Live, MSN / Messenger, Myspace, OurWorld, RuneScape, Skype, Tagged, Twitter, Windows Live, Wordpress, World of Warcraft, Yahoo, Zoosk
&lt;/P&gt;&lt;/UL&gt;&lt;P&gt;
Deleting personal information from some sites is relatively simple; from other sites less so.&lt;/UL&gt;
&lt;/P&gt;&lt;P&gt;
&lt;B&gt;Bonus thing&lt;/B&gt;: Separate personal and work email.
&lt;/P&gt;&lt;P&gt;
&lt;UL&gt;Work email is not private; the employer retains the right to read both outgoing and incoming emails.
&lt;/P&gt;&lt;P&gt;
If you ever intend to use email for something personal, get a personal account.
&lt;/P&gt;&lt;P&gt;
There are a number of free accounts available, some of which allow you to "POP" the correspondence down to an email consolidator such as Outlook.
&lt;/P&gt;&lt;P&gt;
If you want to express yourself on groups and blogs - such as LinkedIn - you are well advised to set up an account with a fictitious name and employer. That may limit your "connected to"s, but you cannot be associated with - and possibly fired from - your employer for expressing your opinions.  Some organizations have a serious lack of humor when it comes to unflattering information being posted for all the world to read. (Imagine that.)
&lt;/P&gt;

&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5931600765099861931-1384889244047580636?l=johnglennmbci.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://johnglennmbci.blogspot.com/feeds/1384889244047580636/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5931600765099861931&amp;postID=1384889244047580636&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/1384889244047580636'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/1384889244047580636'/><link rel='alternate' type='text/html' href='http://johnglennmbci.blogspot.com/2011/08/erm-bc-coop-odds-ends.html' title='&lt;H3&gt;&lt;U&gt;ERM-BC-COOP&lt;/U&gt;&lt;/H3&gt; &lt;H1&gt;Odds &amp;amp; Ends&lt;/H1&gt;'/><author><name>John Glenn MBCI</name><uri>http://www.blogger.com/profile/03499458727913967175</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='11' height='32' src='http://bp2.blogger.com/_j2DodcRshS0/R_-0aRRk2PI/AAAAAAAAAAk/d-6wSUMOBX4/S220/litehous-sml.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5931600765099861931.post-4471470942529197264</id><published>2011-08-26T21:00:00.007Z</published><updated>2011-08-26T21:15:52.090Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='Enterprise Risk Management'/><category scheme='http://www.blogger.com/atom/ns#' term='Business Continuity'/><title type='text'>ERM-BC-COOP Who're you gon'na call?"</title><content type='html'>&lt;P&gt;&amp;nbsp;
&lt;/P&gt;&lt;P&gt;
&lt;FONT SIZE=+2&gt;T&lt;/font&gt;here is a raging debate on one of the LinkedIn groups about "Who is the best person to lead people during a crisis?"
&lt;/P&gt;&lt;P&gt;
"Someone with experience doing what needs to be done."
&lt;/P&gt;&lt;P&gt;
"Someone who has crisis management experience."
&lt;/P&gt;&lt;P&gt;
"The business continuity planner." 
&lt;/P&gt;&lt;P&gt;
I've been watching the debate - and it's both good and educational - since it commenced.
&lt;/P&gt;&lt;P&gt;
Then it hit me: The person &lt;i&gt;probably&lt;/i&gt; - and that's the operative word, "probably" - best qualified is someone who has been a squad or platoon leader in a combat situation.
&lt;/P&gt;&lt;P&gt;
&lt;a href="http://1.bp.blogspot.com/-FkJUtS8FVUI/TlgKIwFv5AI/AAAAAAAAAFk/tZqsILN4DXk/s1600/NCO.jpg"&gt;&lt;img style="float:right; margin:0 0 10px 10px;cursor:pointer; cursor:hand;width: 183px; height: 197px;" src="http://1.bp.blogspot.com/-FkJUtS8FVUI/TlgKIwFv5AI/AAAAAAAAAFk/tZqsILN4DXk/s400/NCO.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5645273278373159938" /&gt;&lt;/a&gt;

Squad and platoon leaders - the sergeants, not the lieutenants - catch it from all sides. The enemy is making their life miserable. The Company commander is pressing to complete the mission. 
&lt;/P&gt;&lt;P&gt;
Meanwhile, the squad/platoon leader is just trying to keep the troops alive and safe.
&lt;/P&gt;&lt;P&gt;
A field medic also might be a good candidate if the medic has had to operate under fire or if the medic was faced with more wounded than can be accommodated. (Been there, done that, and learned that &lt;i&gt;this&lt;/i&gt; practitioner, while I am an excellent &lt;i&gt;planner&lt;/i&gt;, I am not a crisis mode commander.)
&lt;/P&gt;&lt;P&gt;
I do &lt;b&gt;not&lt;/b&gt; think the "crisis mode commander" need be a responder with a specific duty &lt;i&gt;other than&lt;/i&gt; to make certain the tasks that need to be performed are performed and "meet spec."
&lt;/P&gt;&lt;P&gt;
The crisis mode commander, I think, needs to be able to direct the troops; he or she needs to stand aside and let others do what they are trained to do.
&lt;/P&gt;&lt;P&gt;
That's Management 101 - MANAGE the situation.
&lt;/P&gt;&lt;P&gt;
That's a hard job for people who need to get their hands dirty, who see something that needs doing and insist on doing it "right now" versus getting someone else to do whatever needs to be done.
&lt;/P&gt;&lt;P&gt;
The crisis mode commander has one job: commanding the troops, managing the troops.
&lt;/P&gt;&lt;P&gt;
It's unfortunate, but I suspect we have all too many people with squad and platoon leader-under-fire experience, and we have all too many medics who had more wounded than they could care for, and yes, I know about triage.
&lt;/P&gt;&lt;P&gt;
Why not simply assign a C*O as the crisis mode commander? After all, the C*O does management jobs all day long.
&lt;/P&gt;&lt;P&gt;
Why not? Because the C*O, like this practitioner, may be excellent in everyday, minimal stress operations but may fail as a crisis mode commander.
&lt;/P&gt;&lt;P&gt;
Crisis mode commanders
&lt;/P&gt;&lt;P&gt;
&lt;UL&gt;&lt;LI&gt;need to be able to delegate
&lt;/P&gt;&lt;P&gt;
&lt;/Li&gt;&lt;Li&gt;need to trust the Subject Matter Experts to do their jobs "to spec"
&lt;/P&gt;&lt;P&gt;
&lt;/Li&gt;&lt;Li&gt;need to control, as much as possible, outside interference so responders don't get frustrated by outside pressures
&lt;/P&gt;&lt;P&gt;
&lt;/Li&gt;&lt;Li&gt;need to be able to deal with Very Senior Management to assure that VSMs don't try to hijack or redirect the response effort
&lt;/P&gt;&lt;P&gt;
&lt;/Li&gt;&lt;Li&gt;must be cool under fire
&lt;/P&gt;&lt;P&gt;
&lt;/LI&gt;&lt;LI&gt;must be able to change directions if it's necessary - but must also know when to maintain course; decisions must be made, sometimes with incomplete information
&lt;/P&gt;&lt;P&gt;
&lt;/Li&gt;&lt;Li&gt;must realize that they probably will make a mistake - we all do - and have enough self confidence to get on with the job at hand&lt;/li&gt;&lt;/ul&gt;
&lt;/P&gt;&lt;P&gt;
The crisis mode commander's &lt;b&gt;only&lt;/b&gt; response function is to control responders, not to perform another response task - not to hang tapes, not to handle communications with the media, not to help HR handle travel and lodging, not to keep track of expenses, &lt;b&gt;but to assure these tasks ARE accomplished.&lt;/B&gt;
&lt;/P&gt;&lt;P&gt;
The bottom line is that the crisis mode commander can be anyone - man or woman, staff or management - who can keep his or her head and direct others.
&lt;/P&gt;&lt;P&gt;
One caveat: All personnel - absolutely everyone - need to know that the crisis mode commander and the crisis mode commander-alternate have VSM's full confidence and authority.
&lt;/P&gt;&lt;P&gt;
As for the risk management practitioner - maybe that person should serve in the role of go-fer as in "go for this" and "go for that."
&lt;/P&gt;&lt;P&gt;
One minor catch: How to identify a potential crisis mode commander?
&lt;/P&gt;&lt;P&gt;
Exercises and training, training and exercises - again and again, adding as much pressure as can be brought to bear. It's better if someone "breaks" during an exercise than later when it's the "real thing."
&lt;/P&gt;

&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5931600765099861931-4471470942529197264?l=johnglennmbci.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://johnglennmbci.blogspot.com/feeds/4471470942529197264/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5931600765099861931&amp;postID=4471470942529197264&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/4471470942529197264'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/4471470942529197264'/><link rel='alternate' type='text/html' href='http://johnglennmbci.blogspot.com/2011/08/erm-bc-coop-whore-you-gonna-call.html' title='&lt;H3&gt;&lt;U&gt;ERM-BC-COOP&lt;/U&gt;&lt;/H3&gt; &lt;H1&gt;Who&apos;re you gon&apos;na call?&quot;&lt;/H1&gt;'/><author><name>John Glenn MBCI</name><uri>http://www.blogger.com/profile/03499458727913967175</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='11' height='32' src='http://bp2.blogger.com/_j2DodcRshS0/R_-0aRRk2PI/AAAAAAAAAAk/d-6wSUMOBX4/S220/litehous-sml.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/-FkJUtS8FVUI/TlgKIwFv5AI/AAAAAAAAAFk/tZqsILN4DXk/s72-c/NCO.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5931600765099861931.post-6070966370496008138</id><published>2011-08-25T21:58:00.001Z</published><updated>2011-08-25T21:58:34.060Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='Enterprise Risk Management'/><category scheme='http://www.blogger.com/atom/ns#' term='Business Continuity'/><title type='text'>ERM-BC-COOP  Pay 
attention!</title><content type='html'>&lt;P&gt;&amp;nbsp;
&lt;/P&gt;&lt;P&gt;
Several tv anchors told the world the other day that a number of zoo animals were acting strangely just moments before the earthquake felt from New York to South Carolina.
&lt;/P&gt;&lt;P&gt;
Anyone who grew up around livestock - and who paid attention to the animals - knows that animal behavior often provides a clue to a coming weather event.
&lt;/P&gt;&lt;P&gt;
People who believe in such things think that a "ring around the moon" is a predictor of rain.
&lt;/P&gt;&lt;P&gt;
In my neck of the woods, a green sky means a tornado may be coming our way; watch for it.
&lt;/P&gt;&lt;P&gt;
Likewise, when the air gets "heavy" and humidity levels are higher than the temperature, expect a severe storm, usually accompanied by lightning.
&lt;/P&gt;&lt;P&gt;
Of course we all know someone who, when the weather is about to turn nasty, has aches and pains in joints or teeth, or perhaps gets a "migraine" headache.
&lt;/P&gt;&lt;P&gt;
An article on the Web site of &lt;A HREF="http://tinyurl.com/3qf9qg4" TARGET="Science"&gt;How Stuff Works&lt;/a&gt;, a wholly owned subsidiary of Discovery Communications, titled &lt;U&gt;Can animals predict the weather?&lt;/U&gt; provides some interesting conjecture.
&lt;/P&gt;&lt;P&gt;
For the risk manager, the lesson is that we - and the people with whom we work - need to become more attuned to our environment, both inside and outside the building (be "the building" a home or a workplace).
&lt;/P&gt;&lt;P&gt;
Not all awareness efforts are focused outside. Many are simply paying attention to our "personal space." In some cases, the only animal we need to notice is the human animal.
&lt;/P&gt;&lt;P&gt;
For example:
&lt;/P&gt;&lt;P&gt;
&lt;UL&gt;&lt;LI&gt;Smells&lt;BR&gt;
&lt;/P&gt;&lt;P&gt;
Is there a strange or different smell in the room? Perhaps a burning wire or paper in a waste basket? Caught early, damage may be minor and cause little interruption. &lt;/LI&gt;
&lt;/P&gt;&lt;P&gt;
&lt;LI&gt;Sounds&lt;BR&gt;
&lt;/P&gt;&lt;P&gt;
Unusual or non-stop sounds can indicate a variety of things. An electrical short is perhaps the worst case; dripping or running water can indicate a leaky pipe or valve that failed to close. Attend to it early and damage may be eliminated with a mop and bucket; ignore it and you may be standing outside while professionals dry out the building.&lt;/LI&gt;
&lt;/P&gt;&lt;P&gt;
&lt;LI&gt;Sights&lt;BR&gt;
&lt;/P&gt;&lt;P&gt;
This covers a wealth of things, mostly human.&lt;BR&gt;
&lt;/P&gt;&lt;P&gt;
&lt;UL&gt;&lt;LI&gt;Trucks of any size parked close to the building - where is the driver, how long has the vehicle been there?&lt;/LI&gt;
&lt;/P&gt;&lt;P&gt;
&lt;LI&gt;Strangers, especially unescorted strangers, in the work area - why are they walking around sans an escort; do they have ID  badges issued by Security or Reception? &lt;/LI&gt;&lt;/UL&gt; 
&lt;/LI&gt; &lt;/UL&gt;
&lt;/P&gt;&lt;P&gt;
Awareness training, learning to pay attention to normal sights, sounds, and smells, is like having a physical when you feel good - get a "base line" on what is "normal" so when something is amiss, it is quickly detected and addressed.
&lt;/P&gt;&lt;P&gt;
Awareness training needs to go beyond awareness of the Three Ss (ibid.) - it needs to include What To Do in the event something seems "not right."
&lt;/P&gt;&lt;P&gt;
There are many parts to a viable risk management program; awareness is just one - albeit a critical one - of the many.
&lt;/P&gt;&lt;P&gt;
The nice thing about awareness training is that it usually is easy on the budget; the biggest cost is a little production downtime and, for really progressive organizations, perhaps a cookie and cup of coffee.
&lt;/P&gt;&lt;P&gt;
We still can't "talk to the animals," but we &lt;B&gt;can&lt;/b&gt; be aware of their behavior and we can be much more aware of our own surroundings.
&lt;/P&gt;&lt;P&gt;
All it takes is a little encouragement and some personal effort.
&lt;/P&gt;&lt;P&gt;
By the way, where IS that fire extinguisher? What ARE the two closest exits that are wide enough for a wheelchair?&lt;/P&gt;
&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5931600765099861931-6070966370496008138?l=johnglennmbci.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://johnglennmbci.blogspot.com/feeds/6070966370496008138/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5931600765099861931&amp;postID=6070966370496008138&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/6070966370496008138'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/6070966370496008138'/><link rel='alternate' type='text/html' href='http://johnglennmbci.blogspot.com/2011/08/erm-bc-coop-pay-attention.html' title='&lt;H3&gt;&lt;U&gt;ERM-BC-COOP&lt;/U&gt;&lt;/H3&gt;  &lt;H1&gt;Pay attention!&lt;/H1&gt;'/><author><name>John Glenn MBCI</name><uri>http://www.blogger.com/profile/03499458727913967175</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='11' height='32' src='http://bp2.blogger.com/_j2DodcRshS0/R_-0aRRk2PI/AAAAAAAAAAk/d-6wSUMOBX4/S220/litehous-sml.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5931600765099861931.post-4608963135867425205</id><published>2011-08-21T20:10:00.007Z</published><updated>2011-08-22T16:01:33.807Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='Enterprise Risk Management'/><category scheme='http://www.blogger.com/atom/ns#' term='Business Continuity'/><title type='text'>ERM-BC-COOP  BC on a frayed shoestring</title><content type='html'>&lt;P&gt;&amp;nbsp;
&lt;/p&gt;&lt;p&gt;
&lt;/p&gt;&lt;p&gt;&lt;a href="http://4.bp.blogspot.com/-7OsKCzliyYA/TlFmeE34u8I/AAAAAAAAAE0/CQrV4yz1qMU/s1600/coop.jpg"&gt;&lt;img style="float:right; margin:0 0 10px 10px;cursor:pointer; cursor:hand;width: 204px; height: 201px;" src="http://4.bp.blogspot.com/-7OsKCzliyYA/TlFmeE34u8I/AAAAAAAAAE0/CQrV4yz1qMU/s400/coop.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5643404474962197442" /&gt;&lt;/a&gt;
I have, thanks to LinkedIn, a new acquaintance who is caught between a hammer (a COOP mandate) and an anvil (lack of budget).
&lt;/p&gt;&lt;p&gt;
Most risk management practitioners know the situation, having "been there and done that."
&lt;/p&gt;&lt;p&gt;
This practitioner's plight has been the topic of discussion for maybe 20 individuals, all offering their two cents. If only she could put all our coins together, she might be able to fund her program.
&lt;/p&gt;&lt;p&gt;
What can this practitioner do to protect the most critical resource, &lt;i&gt;without spending money she doesn't have&lt;/I&gt;?
&lt;/p&gt;&lt;p&gt;
As with all things "risk management," she needs stratospheric support from her management. 
&lt;/p&gt;&lt;p&gt;
True, there is a mandate from On High, but "On High" is remote and is treated accordingly. Our practitioner needs visible and vocal support from the 800-pound gorilla on site, someone people know and respect.
&lt;/p&gt;&lt;p&gt;
Cost to the organization? Zero.
&lt;/p&gt;&lt;p&gt;
She needs to develop ways to reach out to the staff - at all levels.
&lt;/p&gt;&lt;p&gt;
Since she's already on staff and probably has a computer, additional costs are - Zero.
&lt;/p&gt;&lt;p&gt;
She may need to reach out to other practitioners for their advice - we've proven we give it freely, sometimes more than needed.
&lt;/p&gt;&lt;p&gt;
So still, zero expenditures.
&lt;/p&gt;&lt;p&gt;
It is my &lt;i&gt;understanding&lt;/i&gt; that our practitioner needs help from the sundry Functional Units (FUs) to maintain the plan.
&lt;/p&gt;&lt;p&gt;
To do that, she needs
&lt;/p&gt;&lt;p&gt;
&lt;OL&gt;&lt;LI&gt;Help from the 800 pound gorilla to encourage FU managers to cooperate.&lt;/LI&gt;
&lt;/p&gt;&lt;p&gt;
&lt;LI&gt;To create a short list of tasks for the FU Subject Matter Experts (SME) assigned a COOP role; my list would be a heading followed by one or two paragraphs of (a) why the task is needed and (b) how to accomplish the task.&lt;/LI&gt;
&lt;/p&gt;&lt;p&gt;
&lt;LI&gt;To create a plan to monitor the SME's actions to assure compliance.&lt;/LI&gt;&lt;/OL&gt;
&lt;/p&gt;&lt;p&gt;
So far, still no budget impact.
&lt;/p&gt;&lt;p&gt;
Our practitioner also needs to turn all personnel into Risk Rangers - OK, it's corny, but catchy.
&lt;/p&gt;&lt;p&gt;&lt;a href="http://3.bp.blogspot.com/-RLoAsAF4AB4/TlFo0SkawUI/AAAAAAAAAFM/SOj7JYiotp8/s1600/ranger.jpg"&gt;&lt;img style="float:right; margin:0 0 10px 10px;cursor:pointer; cursor:hand;width: 262px; height: 292px;" src="http://3.bp.blogspot.com/-RLoAsAF4AB4/TlFo0SkawUI/AAAAAAAAAFM/SOj7JYiotp8/s400/ranger.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5643407055619014978" /&gt;&lt;/a&gt;Risk Rangers, or whatever the practitioner decides to label all hands, will be trained to be aware of their surroundings; more importantly to be aware of CHANGES in their surroundings.
&lt;/p&gt;&lt;p&gt;
Is there a new or different smell? Could be a pinched wire about to catch fire.
&lt;/p&gt;&lt;p&gt;
Are lights flickering? Is power OK; does anything need to be powered down?
&lt;/p&gt;&lt;p&gt;
Are the skies turning green - where this blog's author resides, that's a sure sign a tornado is on its way.
&lt;/p&gt;&lt;p&gt;
Are animals acting strangely - birds suddenly making a racket or suddenly becoming quiet?
&lt;/p&gt;&lt;p&gt;
Unfortunately, the Risk Rangers also need to be alert for unescorted strangers in their area.
&lt;/p&gt;&lt;p&gt;
They also need to know what to do - who to call - if they sense something is amiss.
&lt;/p&gt;&lt;p&gt;
Since both SME and Risk Ranger training cuts into production time, albeit not by much and not often, we finally have a budget hit; a minimal one, but a hit nonetheless.
&lt;/p&gt;&lt;p&gt;
It would be &lt;i&gt;good&lt;/i&gt; if the budget could be stretched to provide finger foods - snacks - for those participating in training. Nothing big or fancy. I'd suggest that our practitioner bake cookies but that would appear chauvinistic (I prefer to bake cakes); it would save the corporate budget (but at the expense of the practitioner's).
&lt;/p&gt;&lt;p&gt;
So far little damage has been done to the corporate budget, but people have been recruited as FU SMEs for the business continuity effort, and staff has been encouraged to be aware of, and report changes to, their environment.
&lt;/p&gt;&lt;p&gt;
Our practitioner reports that her facility is located on a fault line.
&lt;/p&gt;&lt;p&gt;
It's too late to build an earthquake resistant - is there earthquake "proof" - structure and no money to retrofit the facility, but since she works for a government, perhaps she can get help from within her agency or from another agency to come assess the facilities to identify points where people should - or should not - congregate when things start to shake. These areas should be clearly identified on frequently-seen maps and the staff quizzed from time to time on their locations, as well as the two nearest exits, the AED machines, and fire extinguishers. It's amazing what we pass by on a daily basis and never see.
&lt;/p&gt;&lt;p&gt;
What about communications? That requires special hardware and software, right?
&lt;/p&gt;&lt;p&gt;
How about scrap paper and a ball point pen? (I'd suggest crayons, but my granddaughter won't part with hers.)
&lt;/p&gt;&lt;p&gt;
&lt;a href="http://4.bp.blogspot.com/-qeg28Nrz-Tg/TlFqCIsMfqI/AAAAAAAAAFU/YPHzoujNGIo/s1600/BBoard.jpg"&gt;&lt;img style="float:right; margin:0 0 10px 10px;cursor:pointer; cursor:hand;width: 400px; height: 350px;" src="http://4.bp.blogspot.com/-qeg28Nrz-Tg/TlFqCIsMfqI/AAAAAAAAAFU/YPHzoujNGIo/s400/BBoard.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5643408392997076642" /&gt;&lt;/a&gt;
Keeping in touch with the troops immediately following an event is critical. Identify, "right now," places that offer public bulletin boards. Supermarkets and laundromats are traditional places; also public libraries. All personnel should know where the primary and alternate sites for each neighborhood are located. If a code is needed, they should know this, too.
&lt;/p&gt;&lt;p&gt;
I'm a great believer in the buddy system in the work place. It also is useful when a number of employees live in a geographically compact area; they can watch out for one another and keep the organization posted regarding their welfare. Who can they call? Our practitioner's organization is big enough to have remote operations; for those that don't, consider a remote sales office or perhaps make an agreement with a trusted vendor.  
&lt;/p&gt;&lt;p&gt;
Back in the day, the (U.S.) Air Force had a program that challenged its personnel to "cut the cost without impairing the program." Those were relatively affluent days; imagine the challenge in today's penurious conditions.
&lt;/p&gt;&lt;p&gt;
Somehow we have allowed ourselves to become totally technology dependent. Unfortunately, technology costs and, more unfortunately, sometimes those costs are beyond the budget. We, like our practitioner, need to find ways to "cut the cost without impairing the program." Lacking funds to avoid or mitigate risks WILL "impair the program," but there remain things that can be accomplished even on a frayed shoestring budget.
&lt;/p&gt;
&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5931600765099861931-4608963135867425205?l=johnglennmbci.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://johnglennmbci.blogspot.com/feeds/4608963135867425205/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5931600765099861931&amp;postID=4608963135867425205&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/4608963135867425205'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/4608963135867425205'/><link rel='alternate' type='text/html' href='http://johnglennmbci.blogspot.com/2011/08/erm-bc-coop-bc-on-frayed-shoestring.html' title='&lt;H3&gt;&lt;U&gt;ERM-BC-COOP&lt;/U&gt;&lt;/H3&gt;  &lt;H1&gt;BC on a frayed shoestring&lt;/H1&gt;'/><author><name>John Glenn MBCI</name><uri>http://www.blogger.com/profile/03499458727913967175</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='11' height='32' src='http://bp2.blogger.com/_j2DodcRshS0/R_-0aRRk2PI/AAAAAAAAAAk/d-6wSUMOBX4/S220/litehous-sml.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/-7OsKCzliyYA/TlFmeE34u8I/AAAAAAAAAE0/CQrV4yz1qMU/s72-c/coop.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5931600765099861931.post-4825094023788062285</id><published>2011-08-21T02:31:00.003Z</published><updated>2011-08-21T20:54:35.194Z</updated><title type='text'>It's not me</title><content type='html'>&lt;P&gt;&amp;nbsp;
&lt;/P&gt;&lt;P&gt;
&lt;FONT SIZE=+2&gt;Someone - apparently in Thailand - bought the &lt;U&gt;JohnGlennMBCI.com&lt;/U&gt; domain after I killed it out.
&lt;/P&gt;&lt;P&gt;
Google Alerts advised me that someone is using the domain.
&lt;/P&gt;&lt;P&gt;
I have &lt;B&gt;NO&lt;/B&gt; connection with this domain.
&lt;/P&gt;&lt;P&gt;
If you have the domain bookmarked from the days when I owned it, please REMOVE it from your favorites/bookmarks.
&lt;/P&gt;&lt;P&gt;
Again, John Glenn has &lt;B&gt;NO&lt;/B&gt; connection with the &lt;U&gt;JohnGlennMBCI.com&lt;/U&gt; domain.
&lt;/P&gt;
&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5931600765099861931-4825094023788062285?l=johnglennmbci.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://johnglennmbci.blogspot.com/feeds/4825094023788062285/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5931600765099861931&amp;postID=4825094023788062285&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/4825094023788062285'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/4825094023788062285'/><link rel='alternate' type='text/html' href='http://johnglennmbci.blogspot.com/2011/08/its-not-me.html' title='&lt;H1&gt;&lt;FONT SIZE=+4&gt;It&apos;s not me&lt;/FONT&gt;&lt;/H1&gt;'/><author><name>John Glenn MBCI</name><uri>http://www.blogger.com/profile/03499458727913967175</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='11' height='32' src='http://bp2.blogger.com/_j2DodcRshS0/R_-0aRRk2PI/AAAAAAAAAAk/d-6wSUMOBX4/S220/litehous-sml.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5931600765099861931.post-3127312780453043840</id><published>2011-08-15T14:27:00.006Z</published><updated>2011-08-15T14:44:28.978Z</updated><title type='text'>ERM-BCP-COOP  Read the fine print</title><content type='html'>&lt;P&gt;&amp;nbsp;
&lt;/P&gt;&lt;P&gt;
It's been touched on before on this blog, but it's a topic worth revisiting.
&lt;/P&gt;&lt;P&gt;
The subject: Reading insurance policies - &lt;B&gt;C A R E F U L L Y &lt;/B&gt;.
&lt;/P&gt;&lt;P&gt;
According to an article in the May issue of &lt;U&gt;Risk Management&lt;/U&gt; magazine by Joshua Gold of  &lt;A HREF="HTTP://www.andersonkill.com" TARGET="AKO"&gt;Anderson Kill &amp; Olick&lt;/A&gt;, 
&lt;/P&gt;&lt;P&gt;
&lt;UL&gt;"When reading the fine print of almost any insurance policy, one will see a host of often daunting insurance policy conditions. Almost all insurance policies, including liability, crime, kidnap and ransom, and property insurance policies call for 'notice' of claims within a certain period of time."&lt;/UL&gt;
&lt;/P&gt;&lt;P&gt;
The article continues that &lt;UL&gt;"Policyholders should be careful with these time-sensitive provisions as insurance companies often seek a complete forfeiture of insurance coverage when arguing that the policyholder failed to comply with them--even where no harm to the insurance company has resulted."&lt;/UL&gt;
&lt;/P&gt;&lt;P&gt;
In other words, before signing on the dotted line for any insurance coverage, make certain the fine print is understood and that the organization can comply with the insurer's requirements.
&lt;/P&gt;&lt;P&gt;
It was previously recommended that organizations invite an independent insurance adjuster to review any policies and, when necessary, translate "insurance-ese" into understandable language for management and the risk management practitioner (if the practitioner is allowed to be privy to the policy).
&lt;/P&gt;&lt;P&gt;
Most readers of this blog know that business interruption insurance requires careful record keeping &lt;i&gt;before&lt;/i&gt; an event; it is these records on which the insurance payout will be based.
&lt;/P&gt;&lt;P&gt;
Most readers also are familiar with warranties and guarantees that have time-limited claims reporting; if a claim is not made within "n" hours/days/weeks/months of an incident, the claim will be rejected.
&lt;/P&gt;&lt;P&gt;
Insurance companies are in business to make money for their shareholders. This is basic knowledge that should not be ignored. Paying out on claims reduces the stockholders' revenue.
&lt;/P&gt;&lt;P&gt;
Risk management practitioners, while they need not be insurance professionals, should be invited to insurance vendor sessions; more people usually means more questions that should be considered.
&lt;/P&gt;&lt;P&gt;
Beyond the risk manager's role during a vendor conference, the risk manager needs to keep in mind that, as with all other things that impact the organization, there need to be at least two people who can &lt;i&gt;respond&lt;/i&gt; to any incident that might involve filing a claim with an insurer.
&lt;/P&gt;&lt;P&gt;
Just as Purchasing should be involved in annual (or more often) exercises, so too should Insurance department staff. When was the policy last reviewed? Where is the contact information? What happens if the local agent cannot be reached when needed; are there alternate contacts? Insurance agents are &lt;i&gt;vendors&lt;/i&gt; and should be treated as such; require of them exactly what is required of other vendors.
&lt;/P&gt;&lt;P&gt;
The bottom line when it comes to insurance is for &lt;i&gt;someone&lt;/i&gt; in the organization to read &lt;b&gt;and understand&lt;/b&gt; all insurance requirements before the contract is signed.
&lt;/P&gt;
&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5931600765099861931-3127312780453043840?l=johnglennmbci.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://tinyurl.com/3v64nax' title='&lt;H3&gt;&lt;U&gt;ERM-BCP-COOP&lt;/U&gt;&lt;/H3&gt;  &lt;H1&gt;Read the fine print&lt;/H1&gt;'/><link rel='replies' type='application/atom+xml' href='http://johnglennmbci.blogspot.com/feeds/3127312780453043840/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5931600765099861931&amp;postID=3127312780453043840&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/3127312780453043840'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/3127312780453043840'/><link rel='alternate' type='text/html' href='http://johnglennmbci.blogspot.com/2011/08/erm-bcp-coop-read-fine-print.html' title='&lt;H3&gt;&lt;U&gt;ERM-BCP-COOP&lt;/U&gt;&lt;/H3&gt;  &lt;H1&gt;Read the fine print&lt;/H1&gt;'/><author><name>John Glenn MBCI</name><uri>http://www.blogger.com/profile/03499458727913967175</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='11' height='32' src='http://bp2.blogger.com/_j2DodcRshS0/R_-0aRRk2PI/AAAAAAAAAAk/d-6wSUMOBX4/S220/litehous-sml.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5931600765099861931.post-3546095151383750649</id><published>2011-08-11T22:02:00.009Z</published><updated>2011-08-12T14:38:19.691Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='Enterprise Risk Management'/><category scheme='http://www.blogger.com/atom/ns#' term='Business Continuity'/><title type='text'>ERM-BC-COOP   Could risk management prevent food poisoning?</title><content 
type='html'>&lt;P&gt;&amp;nbsp;
&lt;/P&gt;&lt;P&gt;
News stories across the U.S. recently told us that "an outbreak of multi-drug-resistant Salmonella Heidelberg that has killed one person and sickened 76 others in 26 states appears to have been traced to ground turkey products."
&lt;/P&gt;&lt;P&gt;
According to CNN, "Cargill Meat Solutions Corporation announced Wednesday an immediate voluntary recall of approximately 36 million pounds of ground turkey meat because it may be contaminated with salmonella bacteria."
&lt;/P&gt;&lt;P&gt;
CNN also noted that "Cargill's plant in Springdale, Arkansas, processed the suspect fresh and frozen ground turkey products &lt;B&gt;between February 20 and August 2&lt;/B&gt;." The entire CNN article can be found at &lt;A HREF="http://tinyurl.com/4yaf4h2" TARGET="CNN"&gt;http://tinyurl.com/4yaf4h2&lt;/A&gt;.
&lt;/P&gt;&lt;P&gt;
FoxNews (&lt;A HREF="http://tinyurl.com/43m2f7o" TARGET="Fox"&gt;http://tinyurl.com/43m2f7o&lt;/A&gt;) reported that "Meat plants are expected to pass a performance standard that allows up to &lt;b&gt;49.9 percent&lt;/b&gt; of tests to come back positive for salmonella. A Cargill spokesman said the Arkansas plant had passed all USDA performance standards despite what he called 'routine' findings of salmonella Heidelberg."
&lt;/P&gt;&lt;P&gt;
It quoted Elisabeth Hagen, the USDA's top food-safety official, as saying "We have constraints when it comes to salmonella." She said that "unlike E. coli, salmonella isn't officially considered a dangerous adulterant in meat unless that meat is directly tied to an illness or death."
&lt;/P&gt;&lt;P&gt;
A check of three major kosher certifying agencies - OK, OU, and Star K - indicates that kosher inspection does &lt;b&gt;not&lt;/b&gt; include checking products for salmonella, E. coli, and other food-borne dangers.
&lt;/P&gt;&lt;P&gt;
What is a risk manager's role in all this?
&lt;/P&gt;&lt;P&gt;
A risk manager is not - or at least should not be - expected to be a food scientist who checks products before they ship. In Cargill's case, some 36 million pounds of ground turkey meat was recalled, an amount, CNN reports, equaling "the weight of more than 36 fully-loaded Boeing 747 commercial airplanes."
&lt;/P&gt;&lt;P&gt;
But the tainted turkey &lt;b&gt;is&lt;/b&gt; a risk.
&lt;/P&gt;&lt;P&gt;
&lt;b&gt;A risk to the consumer&lt;/b&gt;. Remember, one died and 76 others were sickened.
&lt;/P&gt;&lt;P&gt;
&lt;b&gt;A risk to the corporate bottom line&lt;/b&gt;; recalling "some 36 million pounds of ground turkey" has to be expensive; plus the original cost of the raw product and processing expenses. Beyond that, the processing facility will have to be thoroughly decontaminated. Finally, Cargill faces legal action from the deceased's kin and the sickened consumers.
&lt;/P&gt;&lt;P&gt;
&lt;b&gt;A risk to the corporate image&lt;/b&gt;; like Chinese products, Cargill products may well be suspect for some time to come.
&lt;/P&gt;&lt;P&gt;
It also turns out to be a risk for the FDA.
&lt;/P&gt;&lt;P&gt;
I'm &lt;i&gt;told&lt;/i&gt; that the FDA is a bit "gun shy" on ordering recalls and closing plants since when it tried to do this with a Texas producer a federal appeals court blocked the move.
&lt;/P&gt;&lt;P&gt;
Still, the FDA &lt;i&gt;has&lt;/i&gt; to be embarrassed by the incident and it knows Congress will react.
&lt;/P&gt;&lt;P&gt;
Risk managers could have recommended to Cargill that it engage its own inspectors along the production line to check for contamination &lt;i&gt;of any type.&lt;/I&gt; Moreover, the FDA's 49.9% approval rate must be declared unacceptable and substituted with at least a 99.999% contamination-free product. I'm not suggesting a 100% inspection, but given the inherent problems with raw meats and the current embarrassment, a high sampling rate seems in order.
&lt;/P&gt;&lt;P&gt;
Since the salmonella-infected meat was detected by the federal National Antimicrobial Resistance Monitoring System (NARMS) during an inspection of retail outlets, Cargill might be wise to send its own inspectors into the field to randomly check its products.
&lt;/P&gt;&lt;P&gt;
Insurance probably will cover a good portion of Cargill's recall losses, but insurance cannot cover Cargill's loss of reputation and loss of consumer confidence. Also, when insurance pays out, it recovers the payout by charging higher premiums for years to come - while Cargill probably will get insurance dollars, it will pay them back to the insurers over the coming years.
&lt;/P&gt;&lt;P&gt;
The bottom line for Cargill is simple: is it more economical to take a financial and reputational hit or is the profit in better hands if risk management is put into place?
&lt;/P&gt;&lt;P&gt;
It seems to me that implementing risk management as suggested above would, besides assuring a safer product, substantially enhance the company's image, an image badly in need of attention.
&lt;/P&gt;
&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5931600765099861931-3546095151383750649?l=johnglennmbci.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://johnglennmbci.blogspot.com/feeds/3546095151383750649/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5931600765099861931&amp;postID=3546095151383750649&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/3546095151383750649'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/3546095151383750649'/><link rel='alternate' type='text/html' href='http://johnglennmbci.blogspot.com/2011/08/erm-bc-coop-could-risk-management-food.html' title='&lt;H3&gt;&lt;U&gt;ERM-BC-COOP&lt;/U&gt;&lt;/H3&gt;   &lt;H1&gt;Could risk management &lt;BR&gt;prevent food poisoning?&lt;/h1&gt;'/><author><name>John Glenn MBCI</name><uri>http://www.blogger.com/profile/03499458727913967175</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='11' height='32' src='http://bp2.blogger.com/_j2DodcRshS0/R_-0aRRk2PI/AAAAAAAAAAk/d-6wSUMOBX4/S220/litehous-sml.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5931600765099861931.post-8498036161436865177</id><published>2011-08-07T13:51:00.000Z</published><updated>2011-08-07T13:52:21.461Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='Enterprise Risk Management'/><category scheme='http://www.blogger.com/atom/ns#' term='Business Continuity'/><title type='text'>ERM-BC-COOP  Forums, groups, &amp; lists</title><content type='html'>&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;
The other day (&lt;A HREF="http://johnglennmbci.blogspot.com/2011/07/erm-bc-coop-continuing-education.html" TARGET="July 22"&gt;July 22&lt;/A&gt;) I ended a post noting that "we - practitioners - need to participate (not just "lurk") on the sundry forums, groups, and lists that obviously, or sometimes not so obviously, relate to what we do."
&lt;/P&gt;&lt;P&gt;
The following alphabetical list contains &lt;i&gt;most&lt;/i&gt; of the forums, groups, and lists I regularly or at least frequently visit and on which, on occasion, I add my two cents.
&lt;/P&gt;&lt;P&gt;
BCI - Business Continuity Institute Members &amp; Alumni   &lt;BR&gt;
&amp;nbsp;&amp;nbsp;   LinkedIn
&lt;/P&gt;&lt;P&gt;
BCI USA - The Business Continuity Institute US Chapter  &lt;BR&gt;
&amp;nbsp;&amp;nbsp; LinkedIn
&lt;/P&gt;&lt;P&gt;
BCI-London Forum  &lt;BR&gt;
&amp;nbsp;&amp;nbsp;LinkedIn
&lt;/P&gt;&lt;P&gt;
BCMIX - Business Continuity Management Information eXchange        &lt;BR&gt;
&amp;nbsp;&amp;nbsp;LinkedIn
&lt;/P&gt;&lt;P&gt;
BCP/DRP Forum  &lt;BR&gt;
&amp;nbsp;&amp;nbsp;http://health.groups.yahoo.com/group/bcpforum/
&lt;/P&gt;&lt;P&gt;
business continuity&lt;BR&gt;
&amp;nbsp;&amp;nbsp;http://finance.groups.yahoo.com/group/business_continuity/
&lt;/P&gt;&lt;P&gt;
Business Continuity - COOP&lt;BR&gt;
&amp;nbsp;&amp;nbsp;LinkedIn
&lt;/P&gt;&lt;P&gt;
Business Continuity and Disaster Recovery Professionals   &lt;BR&gt;
&amp;nbsp;&amp;nbsp;LinkedIn
&lt;/P&gt;&lt;P&gt;
Business Continuity Management&lt;BR&gt;
&amp;nbsp;&amp;nbsp;http://finance.groups.yahoo.com/group/continuity/
&lt;/P&gt;&lt;P&gt;
Business Continuity Management &amp; Risk   &lt;BR&gt;
&amp;nbsp;&amp;nbsp;LinkedIn
&lt;/P&gt;&lt;P&gt;
Business Continuity Managers &lt;BR&gt;
&amp;nbsp;&amp;nbsp;LinkedIn
&lt;/P&gt;&lt;P&gt;
Business Resiliency Consultants USA &lt;BR&gt;
&amp;nbsp;&amp;nbsp;LinkedIn
&lt;/P&gt;&lt;P&gt;
Certified Business Continuity Planners/BC Management    &lt;BR&gt;
&amp;nbsp;&amp;nbsp;LinkedIn
&lt;/P&gt;&lt;P&gt;
Continuity Insights&lt;BR&gt;
&amp;nbsp;&amp;nbsp;http://www.continuityinsights.com/
&lt;/P&gt;&lt;P&gt;
Continuity Insights  &lt;BR&gt;
&amp;nbsp;&amp;nbsp;LinkedIn
&lt;/P&gt;&lt;P&gt;
ContinuityCentral&lt;BR&gt;
&amp;nbsp;&amp;nbsp;http://www.continuitycentral.com/
&lt;/P&gt;&lt;P&gt;
Discuss Business Continuity&lt;BR&gt;
&amp;nbsp;&amp;nbsp;http://finance.groups.yahoo.com/group/discussbusinesscontinuity/
&lt;/P&gt;&lt;P&gt;
DRJ Blog&lt;BR&gt;
&amp;nbsp;&amp;nbsp;http://www.drj.com/drj-blogs.html
&lt;/P&gt;&lt;P&gt;
DRJ Forum&lt;BR&gt;
&amp;nbsp;&amp;nbsp;http://www.drj.com/drj-community/forums.html
&lt;/P&gt;&lt;P&gt;
Emergency Management Discussion&lt;BR&gt;
&amp;nbsp;&amp;nbsp;http://health.groups.yahoo.com/group/Emergency-Management/
&lt;/P&gt;&lt;P&gt;
Enterprise Risk Management  &lt;BR&gt;
&amp;nbsp;&amp;nbsp;LinkedIn
&lt;/P&gt;&lt;P&gt;
Governance Discussion Group&lt;BR&gt;
&amp;nbsp;&amp;nbsp;http://ca.groups.yahoo.com/group/GOV_DG2/
&lt;/P&gt;&lt;P&gt;
HR, EAP and Business Continuity Management&lt;BR&gt;
&amp;nbsp;&amp;nbsp;LinkedIn
&lt;/P&gt;&lt;P&gt;
Integrated Risk Management Association  &lt;BR&gt;
&amp;nbsp;&amp;nbsp;LinkedIn
&lt;/P&gt;&lt;P&gt;
RIMS (Risk Mgt Society)&lt;BR&gt;
&amp;nbsp;&amp;nbsp;http://www.rims.org/resources/RIMStore/Pages/BusinessContinuity.aspx
&lt;/P&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5931600765099861931-8498036161436865177?l=johnglennmbci.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://johnglennmbci.blogspot.com/feeds/8498036161436865177/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5931600765099861931&amp;postID=8498036161436865177&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/8498036161436865177'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/8498036161436865177'/><link rel='alternate' type='text/html' href='http://johnglennmbci.blogspot.com/2011/08/erm-bc-coop-forums-groups-lists.html' title='&lt;H3&gt;&lt;U&gt;ERM-BC-COOP&lt;/U&gt;&lt;/H3&gt;  &lt;H1&gt;Forums, groups, &amp;amp; lists&lt;/H1&gt;'/><author><name>John Glenn MBCI</name><uri>http://www.blogger.com/profile/03499458727913967175</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='11' height='32' src='http://bp2.blogger.com/_j2DodcRshS0/R_-0aRRk2PI/AAAAAAAAAAk/d-6wSUMOBX4/S220/litehous-sml.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5931600765099861931.post-2716600851105273444</id><published>2011-08-04T15:28:00.001Z</published><updated>2011-08-04T15:32:20.886Z</updated><title type='text'>ERM-BC-COOP Cloud Perils: Risks, Security &amp; Insurance</title><content type='html'>&lt;P&gt;&amp;nbsp;
&lt;/P&gt;&lt;P&gt;
&lt;B&gt; Joshua Gold&lt;/B&gt;
&lt;/P&gt;&lt;P&gt;
Originally published in the &lt;I&gt;Hospitality Upgrade&lt;/i&gt; - Summer 2011 &lt;br&gt;
&lt;A HREF="http://www.hospitalityupgrade.com/_files/File_Articles/HUSum11_CloudPerils_Risks_Security_Insurance_Counterpoint_Gold.pdf" TARGET="Hospitality"&gt;http://www.hospitalityupgrade.com/_files/File_Articles/HUSum11_CloudPerils_Risks_Security_Insurance_Counterpoint_Gold.pdf&lt;/A&gt; &lt;br&gt;
Used with permission
&lt;/P&gt;&lt;P&gt;
&lt;center&gt;&lt;HR width=70%&gt;&lt;/center&gt;
&lt;/P&gt;&lt;P&gt;
&lt;FONT FACE="ARIAL"&gt;&lt;I&gt; Those considering cloud computing must size up the risks of relinquishing that control over data to a third party. &lt;/I&gt;&lt;/FONT&gt;
&lt;/P&gt;&lt;P&gt;
&lt;center&gt;&lt;HR width=70%&gt;&lt;/center&gt;
&lt;/P&gt;&lt;P&gt;
The trend toward cloud computing continues to pick up momentum. Increasingly, individuals and corporations are entrusting to "the cloud" information as varied as family photos, vacation videos, contact information and sensitive business information, including customer account data and employee information.
&lt;/P&gt;&lt;P&gt;
Those selling cloud computing services speak to the numerous advantages of cloud computing, including claims of cost savings and enhanced data security. There has been some debate regarding the accuracy of these claims, especially involving those promises of heightened data security. Individuals, small businesses and large institutions opting for cloud computing give up one central dynamic: direct control of the stored or processed information. Those considering cloud computing must size up the risks of relinquishing that control over data to a third party. Fueling the debate over the safety of cloud computing is a recent data security breach suffered by customers of one of the largest entertainment and electronics companies in the world. That company had entrusted data to a cloud computing company that was in turn infiltrated by computer hackers. According to reports of the incident, millions of customer account files (including credit and debit card information) were compromised when the hackers infiltrated the cloud site and improperly accessed the sensitive account information. Notably, the hackers actually had a legitimate account set up with the cloud computing site (albeit with phony identifying information and fraudulent intentions), as opposed to anonymously hacking into another's network.
&lt;/P&gt;&lt;P&gt;
Those considering cloud computing should perform due diligence with respect to how the cloud computing company erects safety walls between the data stored and processed for individual customers. Indemnification and insurance should also be discussed. Businesses should also explore whether they would have to disclose to their customers, employees and potentially others that certain data that they might have an interest in has been supplied, shared or transmitted to a third party for storage or processing. Additionally, businesses may wish to consider whether there are certain categories of information that are simply too sensitive to provide to an external source and, therefore, must remain off of the cloud.
&lt;/P&gt;&lt;P&gt;
Businesses can help make informed decisions regarding the extent they use cloud computing by having risk managers working in tandem with their IT departments and in-house attorneys to protect data that is created by the business or entrusted to it by outside entities and individuals. One starting point is developing a data security protocol which establishes clear directives regarding the handling of and access to information within the organization and that information which might be transmitted outside the institution as part of cloud computing. Virtually any hospitality firm will have its own business and employee information electronically captured. So too will it have customers' e-data, including credit card information and other information gathered upon check-in and through rewards programs. An important step is to inventory the information possessed and determine its sensitivity. Categories of information calling out for heightened protection include: health information, personally identifying information of customers and employees, certain types of non-public financial information, trade secrets, customer lists and business processes that yield competitive advantages. Once such information is identified for heightened protection, it usually is not enough to simply guard against external threats of unauthorized access. It is also important to make intelligent decisions about internal access to protected classes of information. This applies for cloud computing too: businesses should find out what levels of employees within a cloud computing firm have access to information. Not surprisingly, some cloud computing firms have several other divisions and business enterprises. It is important to know who has access and to what categories of information to get a handle on both the external and internal hacking threat.
&lt;/P&gt;&lt;P&gt;
Insurance coverage is available for losses arising from computer fraud or theft under both existing and new stand-alone insurance products. Some of this coverage is quite valuable but should never be regarded as "customer-friendly."
&lt;/P&gt;&lt;P&gt;
Policy terms should be closely scrutinized to determine whether the use of cloud computing would alter or reduce coverage. Beware, for example, clauses purporting to condition coverage on the absence of errors or omissions in the data security measures employed by the policyholder. Such clauses may be exploited by insurance companies arguing that the policyholder was somehow derelict in safeguarding computer data from hackers, among others. Furthermore, some policies may attempt to limit insurance coverage for data breaches occurring in a computer not actively connected to a network.
&lt;/P&gt;&lt;P&gt;
Risk abounds when dealing with electronically captured information. It is therefore no surprise that cloud computing entails risk as well. Data security measures coupled with risk transfer in the form of insurance coverage and indemnification from the cloud computing firm can serve as a financial buffer when the data genie escapes the bottle.
&lt;/P&gt;&lt;P&gt;
&lt;HR WIDTH=30% ALIGN=LEFT&gt;
&lt;/P&gt;&lt;P&gt;&lt;FONT SIZE=-2&gt;
About Anderson Kill &amp; Olick, P.C.
&lt;/P&gt;&lt;P&gt;
Anderson Kill practices law in the areas of Insurance Recovery, Anti-Counterfeiting, Antitrust,  Bankruptcy, Commercial Litigation, Corporate &amp; Securities, Employment &amp; Labor Law, Health  Reform, Intellectual Property, International Arbitration, Real Estate &amp; Construction, Tax, and Trusts &amp; Estates. Best-known for its work in insurance recovery, the firm represents policyholders only in insurance coverage disputes, with no ties to insurance companies and no conflicts of interest. Clients include Fortune 1000 companies, small and medium-sized businesses, governmental entities, and nonprofits as well as personal estates. Based in New York City, the firm also has offices in Newark, NJ, Philadelphia, PA, Stamford, CT, Ventura, CA and Washington, DC. For companies seeking to do business internationally, Anderson Kill, through its membership in Interleges, a consortium of similar law firms in some 20 countries, assures the same high quality of service throughout the world that it provides itself here in the United States.
&lt;/P&gt;&lt;P&gt;
Anderson Kill represents policyholders only in insurance coverage disputes, with no ties to insurance companies, no conflicts of interest, and no compromises in its devotion to policyholder interests alone. 
&lt;/P&gt;&lt;P&gt;
The information appearing in this article does not constitute legal advice or opinion. Such advice and opinion are provided by the firm only upon engagement with respect to specific factual situations.
&lt;/P&gt;&lt;P&gt;
Joshua Gold, Esq. &lt;BR&gt;
Anderson Kill &amp; Olick, P.C. &lt;BR&gt;
1251 Avenue of the Americas &lt;BR&gt;
New York, New York 10020-1182 &lt;BR&gt;
UNITED STATES &lt;BR&gt;
Tel: 212-278-1000 &lt;BR&gt;
Fax: 212-278-1733 &lt;BR&gt;
E-mail: cueckerman@andersonkill.com &lt;BR&gt;
URL: www.andersonkill.com&lt;/P&gt;&lt;/FONT&gt;

&lt;!--
Mr. Glenn, thank you for your email.  You have our permission to run the article on your blog. 
For your convenience, I have also included below a link to the article on our web site.
"Cloud Perils: Risks, Security &amp; Insurance," Hospitality Upgrade magazine (Summer 2011)
Regards, Carol
Carol A. Ueckerman
Communications/Marketing Manager
Anderson Kill &amp; Olick, P.C. 
1251 Avenue of the Americas 
New York, New York 10020-1182 
cueckerman@andersonkill.com 
www.andersonkill.com 
phone: 212-278-1339 
fax:      212-278-1733 
--&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5931600765099861931-2716600851105273444?l=johnglennmbci.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://www.hospitalityupgrade.com/_files/File_Articles/HUSum11_CloudPerils_Risks_Security_Insurance_Counterpoint_Gold.pdf' title='&lt;H3&gt;&lt;U&gt;ERM-BC-COOP&lt;/U&gt;&lt;/H3&gt; &lt;H1&gt;Cloud Perils: Risks, Security &amp;amp; Insurance&lt;/H1&gt;'/><link rel='replies' type='application/atom+xml' href='http://johnglennmbci.blogspot.com/feeds/2716600851105273444/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5931600765099861931&amp;postID=2716600851105273444&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/2716600851105273444'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/2716600851105273444'/><link rel='alternate' type='text/html' href='http://johnglennmbci.blogspot.com/2011/08/erm-bc-coop-cloud-perils-risks-security.html' title='&lt;H3&gt;&lt;U&gt;ERM-BC-COOP&lt;/U&gt;&lt;/H3&gt; &lt;H1&gt;Cloud Perils: Risks, Security &amp;amp; Insurance&lt;/H1&gt;'/><author><name>John Glenn MBCI</name><uri>http://www.blogger.com/profile/03499458727913967175</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='11' height='32' src='http://bp2.blogger.com/_j2DodcRshS0/R_-0aRRk2PI/AAAAAAAAAAk/d-6wSUMOBX4/S220/litehous-sml.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5931600765099861931.post-2334209319843567906</id><published>2011-08-03T18:19:00.002Z</published><updated>2011-08-15T14:37:34.493Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='Enterprise Risk 
Management'/><category scheme='http://www.blogger.com/atom/ns#' term='Business Continuity'/><title type='text'>ERM-BC-COOP  Product liability Where's it end?</title><content type='html'>&lt;P&gt;&amp;nbsp;
&lt;/P&gt;&lt;P&gt;
A headline in the AdvisenFPN email of August 3, 2011, reads: &lt;U&gt;Aluminum bat maker liable for pitcher's death, says Montana Supreme Court&lt;/U&gt;. The article was originally published by Lawyers USA.
&lt;/P&gt;&lt;P&gt;
During a teenage league game, a hit ball struck the pitcher in the head, killing the 18-year old hurler.
&lt;/P&gt;&lt;P&gt;
The pitcher's mother sued, claiming the "aluminum bat increased the dangers of baseball because infielders have less time to react due to the increased velocity of a batted ball."
&lt;/P&gt;&lt;P&gt;
The supreme court got the case on appeal of a jury's US$850,000 award.
&lt;/P&gt;&lt;P&gt;
According to the state supreme court, the bat maker is obliged to warn &lt;i&gt;all&lt;/i&gt; players that the bat's properties placed players at risk by the increased exit speed of the batted ball.
&lt;/P&gt;&lt;P&gt;
&lt;I&gt;Editorial comment. Young people, little leaguers to collegians, have been using aluminum bats for many years. Like McDonald's hot coffee, it seems safe to assume that coaches and players &lt;u&gt;knew&lt;/u&gt; that a ball came off an aluminum bat faster than a wooden bat. The pitcher was 18 years old at the time of his death; how many years had he been playing ball on teams using aluminum bats? End of editorial comment.&lt;/i&gt;
&lt;/P&gt;&lt;P&gt;
The question for risk management practitioners is: &lt;u&gt;How, and to whom, should a product's potential danger be advertised?&lt;/U&gt;
&lt;/P&gt;&lt;P&gt;
The court ruling stated that "A warning of the bat's risks to only the batter inadequately communicates the potential risk "
&lt;/P&gt;&lt;P&gt;
Obviously, in this case, a warning on the bat, if there was one, was insufficient, even though it seems reasonable to believe that the unfortunate pitcher &lt;i&gt;also&lt;/i&gt; used the bat from time to time. 
&lt;/P&gt;&lt;P&gt;
The supreme court seemed to suggest that a warning should be posted in each team's dugout.
&lt;/P&gt;&lt;P&gt;
Would a warning in only one language be sufficient? What if there is a person who has yet to master the local language - one assumes English in Montana. Must the warning be in all languages that are used privately in the area; as examples, Vietnamese or Hebrew or Spanish?
&lt;/P&gt;&lt;P&gt;
While it may seem frivolous asking where to post a warning and in what languages, the questions need to be considered before a product is released to the consumer.
&lt;/P&gt;&lt;P&gt;
The courts apparently are deciding that what is obvious from experience - balls hit with aluminum bats travel faster than those hit with plastic or wooden bats - is not adequate warning, and that additional warnings and cautions are required.
&lt;/P&gt;&lt;P&gt;
Risk managers need to deal in "worst case" scenarios. In the case of the bat maker, the worst case is the death of a young person followed by a suit against the manufacturer. Even had the bat maker prevailed, the costs to defend would have been high.
&lt;/P&gt;&lt;P&gt;
Could the suit be avoided if additional warnings had been provided? What if the warnings were provided and the consumer (in this instance coaches and managers) failed to post the warnings in locations frequented by the players?
&lt;/P&gt;&lt;P&gt;
Does the bat maker have insurance to cover the US$850,000 award and costs?
&lt;/P&gt;&lt;P&gt;
Questions to consider before releasing a product to the market.
&lt;/P&gt;&lt;P&gt;
Warnings plastered on a dugout's walls and elsewhere might not have avoided either the injury or the legal action, but they &lt;i&gt;might&lt;/i&gt; have mitigated the amount of the award.
&lt;/P&gt;&lt;P&gt;
Risk management is all about playing the "what if" game and coming up with probable answers. It is not a game to be played in isolation; the more "players" the better for all concerned.
&lt;/P&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5931600765099861931-2334209319843567906?l=johnglennmbci.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://johnglennmbci.blogspot.com/feeds/2334209319843567906/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5931600765099861931&amp;postID=2334209319843567906&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/2334209319843567906'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/2334209319843567906'/><link rel='alternate' type='text/html' href='http://johnglennmbci.blogspot.com/2011/08/erm-bc-coop-product-liability-wheres-it.html' title='&lt;H3&gt;&lt;U&gt;ERM-BC-COOP&lt;/U&gt;&lt;/H3&gt;  &lt;H1&gt;Product liability &lt;BR&gt;Where&apos;s it end?&lt;/H1&gt;'/><author><name>John Glenn MBCI</name><uri>http://www.blogger.com/profile/03499458727913967175</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='11' height='32' src='http://bp2.blogger.com/_j2DodcRshS0/R_-0aRRk2PI/AAAAAAAAAAk/d-6wSUMOBX4/S220/litehous-sml.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5931600765099861931.post-1174495057317588107</id><published>2011-08-01T13:47:00.002Z</published><updated>2011-08-01T13:55:01.648Z</updated><category scheme='http://www.blogger.com/atom/ns#' term='Enterprise Risk Management'/><category scheme='http://www.blogger.com/atom/ns#' term='Business Continuity'/><title type='text'>ERM-BC-COOP  News Corp good for risk managers?</title><content type='html'>&lt;P&gt;&amp;nbsp;
&lt;/P&gt;&lt;P&gt;
An article made available via AdvisenFPN about Director and Officer (D&amp;O) insurance notes that in regard to the News Corporation's current and mounting legal woes, suits have been filed in federal district court in Manhattan, and in Delaware's Chancery Court in Dover. Additionally, a class action was filed against the corporation and its directors in New York.
&lt;/P&gt;&lt;P&gt;
News Corporation, on Monday, August 1, 2011, still is making headlines, so when those headlines include the words "directors and officers," directors and officers of organizations big and small pay attention to the article under the headline.
&lt;/P&gt;&lt;P&gt;
One of risk management's problems always has been getting attention, and support, from Very Senior Managers and Board Members. Since risk management typically is not a "profit center," it is, if not "out of sight" at least a low priority in the overall operation.
&lt;/P&gt;&lt;P&gt;
Note, by the way, I earlier wrote "directors and officers of &lt;I&gt;&lt;U&gt;or&lt;/U&gt;g&lt;U&gt;anizations&lt;/U&gt;&lt;/I&gt;." No organization - be it commercial, non-profit, NGO, charity - is exempt from the threat of legal action against its directors and officers. (Perhaps government entities are exempt, but when officers' and directors' terms expire, they might be subject to civil or criminal action; I am not a lawyer nor do I play one on TV.)
&lt;/P&gt;&lt;P&gt;
Even if News Corporation's directors and officers prevail, it is estimated it will cost hundreds of millions to defend, millions more than the organization's D&amp;O insurance covers.
&lt;/P&gt;&lt;P&gt;
Perhaps with the knowledge that they, the organization's directors and officers, can be sued as a group and individually for what may be &lt;I&gt;perceived&lt;/i&gt; as negligence - never mind misfeasance or malfeasance - and knowing that having insurance to protect the organization is a hit to the "bottom line," perhaps the directors and officers will take risk management more seriously and become more involved.
&lt;/P&gt;&lt;P&gt;
On top of the civil action, in News Corporation's case there may be associated criminal investigations to determine if the organization misrepresented itself to the market. It may be a domino effect, but it is one more thing News Corporation must pay to defend.
&lt;/P&gt;&lt;P&gt;
Could all or any of this have been avoided?
&lt;/P&gt;&lt;P&gt;
Perhaps not, but if the organization had - and perhaps it did have - well publicized policies about honesty and ethical behavior, and if it regularly emphasized honesty and ethical behavior to all its employees and board members, perhaps - perhaps - defending against the actions against it and its directors and officers would be an easier, less expensive, task.
&lt;/P&gt;&lt;P&gt;
It is not normally a risk management practitioner's job to write policies and procedures, nor is it normally a risk management practitioner's job to preach honesty and ethical behavior to the board and all hands, but it &lt;b&gt;IS&lt;/b&gt; a risk management practitioner's job to advise the client - be it an internal or external client - of the risks facing the organization, and lack of honest and ethical behavior is very much a risk to be considered.
&lt;/P&gt;&lt;P&gt;
Amazing what a little phone tapping can do to a company.
&lt;/P&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5931600765099861931-1174495057317588107?l=johnglennmbci.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://tinyurl.com/4xd9ulo' title='&lt;H3&gt;&lt;U&gt;ERM-BC-COOP&lt;/U&gt;&lt;/H3&gt;  &lt;H1&gt;News Corp good &lt;BR&gt;for risk managers?&lt;/H1&gt;'/><link rel='replies' type='application/atom+xml' href='http://johnglennmbci.blogspot.com/feeds/1174495057317588107/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5931600765099861931&amp;postID=1174495057317588107&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/1174495057317588107'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/1174495057317588107'/><link rel='alternate' type='text/html' href='http://johnglennmbci.blogspot.com/2011/08/erm-bc-coop-news-corp-good-for-erm.html' title='&lt;H3&gt;&lt;U&gt;ERM-BC-COOP&lt;/U&gt;&lt;/H3&gt;  &lt;H1&gt;News Corp good &lt;BR&gt;for risk managers?&lt;/H1&gt;'/><author><name>John Glenn MBCI</name><uri>http://www.blogger.com/profile/03499458727913967175</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='11' height='32' src='http://bp2.blogger.com/_j2DodcRshS0/R_-0aRRk2PI/AAAAAAAAAAk/d-6wSUMOBX4/S220/litehous-sml.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5931600765099861931.post-4075630386862180470</id><published>2011-07-28T17:59:00.001+01:00</published><updated>2011-07-28T18:02:58.670+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Enterprise Risk Management'/><category scheme='http://www.blogger.com/atom/ns#' term='Business Continuity'/><title 
type='text'>ERM-BC-COOP  Ignore risks?</title><content type='html'>&lt;P&gt;&amp;nbsp;
&lt;/P&gt;&lt;P&gt;
I'm following an interesting thread on one of the risk management lists.
&lt;/P&gt;&lt;P&gt;
One of the posters suggested that there simply are too many risks to worry about them all.
&lt;/P&gt;&lt;P&gt;
Pick two or three and ignore the rest.
&lt;/P&gt;&lt;P&gt;
Admittedly this list's audience is comprised mainly of external and internal auditors and their concerns generally are limited while ERM practitioners (should) have an enterprise (ergo the "E" in ERM), all-risk approach.
&lt;/P&gt;&lt;P&gt;
Still, the idea that a risk management practitioner would &lt;i&gt;suggest&lt;/i&gt; ignoring risks because there were "too many" boggles the mind.
&lt;/P&gt;&lt;P&gt;
In my world, we look at &lt;U&gt;all&lt;/U&gt; risks.
&lt;/P&gt;&lt;P&gt;
We look at ways to avoid or mitigate risks - some we "transfer" or "absorb," but most we try to avoid or mitigate.
&lt;/P&gt;&lt;P&gt;
Once we identify all the risks - and the ways to deal with them - then they are prioritized as &lt;i&gt;we&lt;/i&gt; think they should be based on what we know about the organization's current and - if we're privy to it - future operation.
&lt;/P&gt;&lt;P&gt;
Since the ERM practitioner is always a "consultant," even when in a captive, staff, in-house, "permanent" employee role, we give management our findings and recommendations.
&lt;/P&gt;&lt;P&gt;
Management, not the practitioner, reviews the recommendations and determines which recommendations to implement, in what order, on what schedule, and then sets up the budgets to implement the decisions.
&lt;/P&gt;&lt;P&gt;
Some practitioners suggest first working on the "low hanging fruit," risks that offer an easy, inexpensive fix. I dislike that approach, but if the risk management budget is sufficient for only that type of risk . . . well, it's better than nothing and may help instill a risk management mentality in the organization's staff.
&lt;/P&gt;&lt;P&gt;
To my Winnie-the-Pooh mentality, ignoring the presence of risks - versus giving them a low priority - is not risk management, it is risk ignorance.
&lt;/P&gt;&lt;P&gt;
This is akin to the practitioner who suggested that organizations simply allow a risk to run its course and then pick up the pieces (&lt;A HREF="http://tinyurl.com/3jh9ddr" TARGET="UK"&gt;http://tinyurl.com/3jh9ddr&lt;/a&gt;). This is neither risk &lt;i&gt;management&lt;/i&gt; nor business &lt;i&gt;continuity&lt;/I&gt;; at best it is disaster recovery. 
&lt;/P&gt;&lt;P&gt;
If practitioners in the U.S. were licensed, as are doctors, lawyers, and numerous other professionals, they might be liable for ignoring risks. Unfortunately, or for many, fortunately, an organization would be hard pressed to prevail in court claiming the practitioner failed to consider all risks; in other words, there's no penalty for ignoring threats.
&lt;/P&gt;&lt;P&gt;
I consider it my mandate to diligently seek out risks from all points, and to relate those risks to management.
&lt;/P&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5931600765099861931-4075630386862180470?l=johnglennmbci.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://johnglennmbci.blogspot.com/feeds/4075630386862180470/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5931600765099861931&amp;postID=4075630386862180470&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/4075630386862180470'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/4075630386862180470'/><link rel='alternate' type='text/html' href='http://johnglennmbci.blogspot.com/2011/07/erm-bc-coop-ignore-risks.html' title='&lt;H3&gt;&lt;U&gt;ERM-BC-COOP&lt;/U&gt;&lt;/H3&gt;  &lt;H1&gt;Ignore risks?&lt;/H1&gt;'/><author><name>John Glenn MBCI</name><uri>http://www.blogger.com/profile/03499458727913967175</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='11' height='32' src='http://bp2.blogger.com/_j2DodcRshS0/R_-0aRRk2PI/AAAAAAAAAAk/d-6wSUMOBX4/S220/litehous-sml.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5931600765099861931.post-5749585814301619469</id><published>2011-07-26T14:23:00.005+01:00</published><updated>2011-07-26T23:22:58.809+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Enterprise Risk Management'/><category scheme='http://www.blogger.com/atom/ns#' term='Business Continuity'/><title type='text'>ERM-BC-COOP  Neighbors - revisited</title><content type='html'>&lt;P&gt;&amp;nbsp;
&lt;/P&gt;&lt;P&gt;
A recent discussion on LinkedIn's &lt;i&gt;Business Continuity Management &amp; Risk&lt;/i&gt; group with an abbreviated title of &lt;U&gt;I'm looking for a good sample of scenarios&lt;/U&gt; brought a number of interesting responses.
&lt;/P&gt;&lt;P&gt;
One that caught my eye came from &lt;b&gt;Konstantin Smirnov&lt;/b&gt;, an IT Risk Consultant in Russia and the CIS.
&lt;/P&gt;&lt;P&gt;
Proving it pays to engage practitioners with a broad background, Smirnov suggested that "Any industrial food processing facility nearby - it will have tons and tons of liquid ammonia for freezers. Or water processing facility - chlorine, could be tons and tons of it. If we go for industrial hazards - there could be a long list."
&lt;/P&gt;&lt;P&gt;
Another responder, &lt;b&gt;Herman-Peter Steens&lt;/b&gt; of Antwerp Area, Belgium, suggested a related scenario, but with a twist.  "A train hits another train with dangerous chemicals (e.g. liquid agriculture fertilizers compounds) and this in a railway station nearby one of your buildings. The alarm is set off at the railway station, but a cloud of toxic gas closes in on your facility. People have to run out of the building, some get intoxicated, they are of finance and you have to give in your financial data to the Fed’s soon, and one of the intoxicated dies; is it your CFO or isn’t it him? To continue in your exercise." 
&lt;/P&gt;&lt;P&gt;
What would be really interesting is if the finance people, including the CFO, are exercise participants. It's always fun to watch a "dead" executive sit on the sidelines while his, or her, staff makes the decisions. Of course in "real life," &lt;U&gt;we know&lt;/U&gt; that the CFO has a designated alternate, someone who can take over, seamlessly, if the CFO is unavailable.
&lt;/P&gt;&lt;P&gt;
My question to Steens is: &lt;I&gt;Why would people "run out of the building"?&lt;/I&gt; They should remain safely inside and the building should be sealed against the toxic gases. Depending on the railroad's safety record, perhaps the building should be designed or retrofitted so that it can be easily and quickly sealed closed.
&lt;/P&gt;&lt;P&gt;
&lt;b&gt;Jack Whittaker&lt;/B&gt; of Bristol, UK, suggested that "There is a cold water tank in the roof-space of your office building. One weekend, it starts to leak. Three stories below, your server room is unattended until Monday morning..."
&lt;/P&gt;&lt;P&gt;
The &lt;i&gt;bottom line&lt;/i&gt; for all of the above is that the threat's &lt;b&gt;point of origin&lt;/b&gt; is beyond the control of the organization impacted. 
&lt;/P&gt;&lt;P&gt;
All organizations have threats - risks - beyond the control of the organization's risk management personnel.
&lt;/P&gt;&lt;P&gt;
What we, as risk management practitioners, can do is to carefully look at the facility's neighbors - perhaps even several miles out - and recommend implementation of means to mitigate the threats posed by the neighbors. In this case, include "neighboring" water ways and woodlands.
&lt;/P&gt;&lt;P&gt;
If a resource, for example, IT, cannot be protected from all possible threats - and nothing &lt;i&gt;can&lt;/i&gt; be protected from all possible threats - then the &lt;i&gt;process&lt;/i&gt; must be available at an alternate site sufficiently distant to avoid shared power and weather problems. (And if IT service &lt;i&gt;is&lt;/i&gt; disrupted, the profit centers need to know how to survive, at least for a short time, without the service.)&lt;/P&gt;&lt;P&gt;
In retrospect, there really are two "bottom lines" to this post. Beside the one already cited, the second is that we - practitioners - need to participate (not just "lurk") on the sundry forums, groups, and lists that obviously, or sometimes not so obviously, relate to what we do.&lt;/P&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5931600765099861931-5749585814301619469?l=johnglennmbci.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://johnglennmbci.blogspot.com/feeds/5749585814301619469/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5931600765099861931&amp;postID=5749585814301619469&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/5749585814301619469'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/5749585814301619469'/><link rel='alternate' type='text/html' href='http://johnglennmbci.blogspot.com/2011/07/erm-bc-coop-neighbors-revisited.html' title='&lt;H3&gt;&lt;U&gt;ERM-BC-COOP&lt;/U&gt;&lt;/H3&gt;  &lt;H1&gt;Neighbors - revisited&lt;/H1&gt;'/><author><name>John Glenn MBCI</name><uri>http://www.blogger.com/profile/03499458727913967175</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='11' height='32' src='http://bp2.blogger.com/_j2DodcRshS0/R_-0aRRk2PI/AAAAAAAAAAk/d-6wSUMOBX4/S220/litehous-sml.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5931600765099861931.post-2593831262603693833</id><published>2011-07-25T22:28:00.003+01:00</published><updated>2011-07-27T14:36:55.603+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Enterprise Risk Management'/><category 
scheme='http://www.blogger.com/atom/ns#' term='Business Continuity'/><title type='text'>ERM-BC-COOP  Perspective</title><content type='html'>&lt;P&gt;&amp;nbsp;
&lt;/P&gt;&lt;P&gt;
Sometime in early July Shannon Creighton, a young lady in Canada, posted a note to a LinkedIn group headlined &lt;b&gt;Looking for Strike Action/Job Action Advice!&lt;/b&gt;. The complete message is as follows:
&lt;/P&gt;&lt;P&gt;
&lt;UL&gt;&lt;i&gt;My company is facing strike/job action in the next 24 hours. We have a very comprehensive plan for all our mission critical functions, our Emergency Operations Centre is set up and operational, we have the redeployment list for all management and out of scope staff and all Communication key messages and templates have been built.
&lt;/P&gt;&lt;P&gt;
&lt;B&gt;My question is to anyone that has been through strike/job action....are there any lessons learned from your experiences that you would like to share with me????&lt;/B&gt;&lt;/I&gt;.&lt;/UL&gt;
&lt;/P&gt;&lt;P&gt;
Unfortunately for Ms. Creighton, no one read her post until I somehow stumbled across it on the 24th of July - well after the strike threat passed (one hopes).
&lt;/P&gt;&lt;P&gt;
I asked Ms. Creighton for an update. I'm still waiting for that.
&lt;/P&gt;&lt;P&gt;
But because of my response, LinkedIn flagged the exchange and other people offered their opinions not, alas, directly answering her query but taking the topic in a slightly different direction.
&lt;/P&gt;&lt;P&gt;
One responder commented that "Responding to strike action is a delicate subject. Very often, well certainly in the UK, the response has to be a suspension of business for the duration of the action because you can't simply replace striking staff.
&lt;/P&gt;&lt;P&gt;
"Consider something like public transport. If their drivers go on strike you can't simply call in more drivers (firstly because there aren't any but also) because not only would you end up with further union action but you would be in breach of all sorts of health and safety regulations."
&lt;/P&gt;&lt;P&gt;
A gentleman from Africa joined in noting "in the context of my experience you need to have a good exercise that proves the adequacy of your preparedness." He added "In the case of public 'transport strike', a contingency plan that caters for continuity of operation is often handled by an "outsourcing of drives", that can be called in to take over. ...  Did you consider all possible scenario strike actions and tested. Therefore, lesson learned can only be drawn from your special experience?"
&lt;/P&gt;&lt;P&gt;
The first responder countered by answering the second responder thus: "In the case of public transport, and here I was thinking more of trains and the London Underground service, you can't have an outsourced workforce ready to take over. In the first place there isn't an organisation that has people with the required skills, insurance cover, Public Service Vehicle licenses etc. Furthermore, I would think if the management even suggested a replacement workforce to disrupt their opportunity for strike action, the union would make you test that plan quicker than you might like, with a strike."
&lt;/P&gt;&lt;P&gt;
Neither responder directly admitted to having strike experience - nor did I.
&lt;/P&gt;&lt;P&gt;
But reading on to the first responder's second post, I was taken aback by his remark that 
&lt;/P&gt;&lt;P&gt;
&lt;UL&gt;"I think we all have to recognise that business continuity doesn't mean you will be able to keep your operation running under any circumstances. Sometimes we may just have to let events take their course and industrial action can be one of those where we hope the action is short term or negotiations happen quickly."&lt;/UL&gt;
&lt;/P&gt;&lt;P&gt;
Point 1: "I think we all have to recognise that business continuity doesn't mean you will be able to keep your operation running under any circumstances."
&lt;/P&gt;&lt;P&gt;
If business CONTINUITY is not to keep business in continuous operation - that is, meeting a minimum level of service - what IS "continuity"?
&lt;/P&gt;&lt;P&gt;
Merriam Webster Online Dictionary's first two definitions for "continuity" are (see &lt;A HREF="http://www.merriam-webster.com/dictionary/continuity" TARGET="MW"&gt;http://www.merriam-webster.com/dictionary/continuity&lt;/A&gt;)
&lt;/P&gt;&lt;P&gt;
&lt;OL&gt;&lt;LI&gt; uninterrupted connection, succession, or union
&lt;/P&gt;&lt;P&gt;
&lt;/li&gt;&lt;li&gt; uninterrupted duration or continuation especially without essential change&lt;/li&gt;&lt;/ol&gt;
&lt;/P&gt;&lt;P&gt;
The "key word" in both is "&lt;i&gt;uninterrupted&lt;/i&gt;."
&lt;/P&gt;&lt;P&gt;
Point 2: "Sometimes we may just have to let events take their course and industrial action can be one of those where we hope the action is short term or negotiations happen quickly."
&lt;/P&gt;&lt;P&gt;
Shades of the British Airways fiasco. Many will recall that BA did nothing to mitigate a threatened walkout by its caterer (vendor) when it could have sought out an alternative, back-up provider to keep its passengers fed. 
&lt;/P&gt;&lt;P&gt;
Those who followed the work (in)action will recall that BA's baggage handlers went on a sympathy strike with the caterer's crew. Unfortunately, unlike the old American telephone company, apparently BA managers were unable or unwilling to load luggage. But, given that there was no food available for the passengers - at least at LHR (BA has no operations at other UK airports??), perhaps it was just as well. Things got worse before they got better, and all because one vendor failed to meet its &lt;i&gt;minimum level of service&lt;/i&gt; agreement.
&lt;/P&gt;&lt;P&gt;
Both the gentleman from Africa and I agree that accepting a risk as inevitable and doing nothing to mitigate it is &lt;b&gt;NOT&lt;/B&gt; "business continuity."
&lt;/P&gt;&lt;P&gt;
I've seen this "it can't be helped" attitude from UK planners in the past (the BA strike). 
&lt;/P&gt;&lt;P&gt;
This is &lt;b&gt;NOT&lt;/b&gt; the attitude of any U.S. practitioner I know and, based on the exchange with the gentleman in Africa, not on his turf, either. Is it unique to the small island?
&lt;/P&gt;&lt;P&gt;
Our English planner, who happens to be a senior consultant with a name organization, apparently is not alone in his "hunker down and hope for the best" approach to - well, I cannot call it business &lt;I&gt;continuity&lt;/i&gt; - we'll just call it "planning."
&lt;/P&gt;&lt;P&gt;
Meanwhile, I'm still curious. What did Ms. Creighton learn with her brush with a strike.&lt;/P&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5931600765099861931-2593831262603693833?l=johnglennmbci.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://johnglennmbci.blogspot.com/feeds/2593831262603693833/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5931600765099861931&amp;postID=2593831262603693833&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/2593831262603693833'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/2593831262603693833'/><link rel='alternate' type='text/html' href='http://johnglennmbci.blogspot.com/2011/07/erm-bc-coop-perspective.html' title='&lt;H3&gt;&lt;U&gt;ERM-BC-COOP&lt;/U&gt;&lt;/H3&gt;  &lt;H1&gt;Perspective&lt;/H1&gt;'/><author><name>John Glenn MBCI</name><uri>http://www.blogger.com/profile/03499458727913967175</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='11' height='32' src='http://bp2.blogger.com/_j2DodcRshS0/R_-0aRRk2PI/AAAAAAAAAAk/d-6wSUMOBX4/S220/litehous-sml.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5931600765099861931.post-8501545307762709497</id><published>2011-07-24T13:34:00.002+01:00</published><updated>2011-07-24T13:45:30.290+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Enterprise Risk Management'/><category scheme='http://www.blogger.com/atom/ns#' term='Business Continuity'/><title type='text'>ERM-BC-COOP Unseen risk</title><content type='html'>&lt;P&gt;&amp;nbsp;
&lt;/P&gt;&lt;P&gt;
The recent kidnapping, murder, and dismemberment of a young boy in one of New York's boroughs reminds me that a post-event condition oft-ignored deserves to be included in the "recovery" portion of holistic risk management plans.
&lt;/P&gt;&lt;P&gt;
That condition is mental trauma, often called "post traumatic stress syndrome."
&lt;/P&gt;&lt;P&gt;
We no longer are a people accustomed to being told to "suck it up and get on with your life."
&lt;/P&gt;&lt;P&gt;
Now we need a therapist to guide us back to an even keel. Perhaps we always did, but just didn't know it.
&lt;/P&gt;&lt;P&gt;
Whenever an event occurs at a school or involves a school's student, the therapists are called out. It's routine.
&lt;/P&gt;&lt;P&gt;
Stress, however, is not limited to students.
&lt;/P&gt;&lt;P&gt;
It can happen to any of us given the right circumstances.
&lt;/P&gt;&lt;UL&gt;&lt;P&gt;
&lt;li&gt;Loss of home or loved one.
&lt;/P&gt;&lt;P&gt;
&lt;/LI&gt;&lt;LI&gt;Loss of a place to work and fear of losing a job.
&lt;/P&gt;&lt;P&gt;
&lt;/LI&gt;&lt;LI&gt;Job site terrorism (someone "going postal")
&lt;/P&gt;&lt;P&gt;
&lt;/LI&gt;&lt;LI&gt;Dislocation and sometimes simply relocation.&lt;/LI&gt;
&lt;/P&gt;&lt;/UL&gt;&lt;P&gt;
The psyche is a fragile thing.
&lt;/P&gt;&lt;P&gt;
In order to provide therapeutic assistance to staff and close relatives following an event, there are several things that need to be in place "pre event."
&lt;/P&gt;&lt;P&gt;
&lt;OL&gt;&lt;LI&gt;Therapist&lt;BR&gt;An agreement should be in place with a therapist or group of therapists to be available to personnel on a need basis (the "need" to be determined by the personnel).
&lt;/P&gt;&lt;P&gt;
&lt;/LI&gt;&lt;LI&gt;Where will mental health professionals meet with employees?&lt;BR&gt;Typically this will be the provider's office, but other options may be necessary.
&lt;/P&gt;&lt;P&gt;
&lt;/LI&gt;&lt;LI&gt;Visits&lt;BR&gt;Is there a maximum number of visits or will this be set based on the level of the event that caused the trauma? 
&lt;/P&gt;&lt;P&gt;
&lt;/LI&gt;&lt;LI&gt;Policies and procedures&lt;BR&gt;All personnel at all levels need to know the organization's policies regarding mental health providers. 
&lt;/P&gt;&lt;P&gt;
&lt;UL&gt;&lt;LI&gt;How will provider-patient confidentiality be guaranteed?&lt;BR&gt;Will the organization be able to identify the patient?
&lt;/P&gt;&lt;P&gt;
&lt;/LI&gt;&lt;LI&gt;Who is covered?&lt;BR&gt;Employee, spouse, people residing with the employee?
&lt;/P&gt;&lt;P&gt;
&lt;/LI&gt;&lt;LI&gt;How will the provider be compensated?&lt;BR&gt;What will the patient be expected to pay, when can the provider expect payment from the organization if that is arranged?
&lt;/P&gt;&lt;P&gt;
&lt;/LI&gt;&lt;LI&gt;How many visits are allowed?&lt;BR&gt;Is a set number appropriate or should the number be determined by the magnitude of the event or the event's impact on the individual?&lt;/LI&gt;&lt;/UL&gt;
&lt;/P&gt;&lt;P&gt;
&lt;LI&gt;What are the procedures 
&lt;/P&gt;&lt;P&gt;
&lt;UL&gt;&lt;LI&gt; to access the providers
&lt;/P&gt;&lt;P&gt;
&lt;/LI&gt;&lt;LI&gt;pay the providers (is this covered by employee insurance, the organization, or will the employee be expected to fund all or a portion of the costs?), &lt;/LI&gt;&lt;LI&gt;will the employee be required to report visits to the providers; how will this be done while protecting the employee's privacy?&lt;/LI&gt;&lt;/UL&gt;&lt;/LI&gt;&lt;/OL&gt;
&lt;/P&gt;&lt;P&gt;
Organizations must be aware of all local, state, and national laws relating to provider-patient privacy and care, as well as laws relating to releasing personnel no longer able to function in their job - is a job transfer possible, is there a union involved with its rules?
&lt;/P&gt;&lt;P&gt;
The risk management practitioner's role is &lt;b&gt;not&lt;/b&gt; to answer any of the questions presented above, but to lead management - in conjunction with HR, Legal, and internal or external mental health practitioners, as well as union leaders if a union is involved - to review the issue of post-event trauma.
&lt;/P&gt;&lt;P&gt;
Failure to attend to event-related mental health issues before an event can result in chaos, reputation damage, and possibly legal action. &lt;/P&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5931600765099861931-8501545307762709497?l=johnglennmbci.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://johnglennmbci.blogspot.com/feeds/8501545307762709497/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5931600765099861931&amp;postID=8501545307762709497&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/8501545307762709497'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/8501545307762709497'/><link rel='alternate' type='text/html' href='http://johnglennmbci.blogspot.com/2011/07/erm-bc-coop-unseen-risk.html' title='&lt;H3&gt;&lt;U&gt;ERM-BC-COOP&lt;/u&gt;&lt;/h3&gt; &lt;h1&gt;Unseen risk&lt;/H1&gt;'/><author><name>John Glenn MBCI</name><uri>http://www.blogger.com/profile/03499458727913967175</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='11' height='32' src='http://bp2.blogger.com/_j2DodcRshS0/R_-0aRRk2PI/AAAAAAAAAAk/d-6wSUMOBX4/S220/litehous-sml.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5931600765099861931.post-1033705435056789032</id><published>2011-07-22T14:37:00.001+01:00</published><updated>2011-07-22T14:41:28.186+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Enterprise Risk Management'/><category scheme='http://www.blogger.com/atom/ns#' term='Business Continuity'/><title type='text'>ERM-BC-COOP  Continuing education</title><content type='html'>&lt;P&gt;&amp;nbsp;
&lt;/P&gt;&lt;P&gt;
In my business, enterprise risk management, "continuing education" is a must.
&lt;/P&gt;&lt;P&gt;
Not necessarily continuing &lt;i&gt;formal&lt;/i&gt; education - although that, too, but continuing education wherever it is found.
&lt;/P&gt;&lt;P&gt;
The Internet is a wonderful place for continuing education.
&lt;/P&gt;&lt;P&gt;
Every day I get a post from AdvisenFPN (&lt;A HREF="https://www.advisen.com/" TARGET="Advisen"&gt;https://www.advisen.com/&lt;/A&gt;). Advisen, as everyone knows who follows this blog, focuses on insurance news.
&lt;/P&gt;&lt;P&gt;
All practitioners know we need insurance coverage, but that is not the reason I read the daily email. The email provides me with information that impacts insurers, e.g., when they have to pay, when they go to court. It points up a number of risks that may have slipped my mind or, occasionally, that I never considered.
&lt;/P&gt;&lt;P&gt;
I am a member of several LinkedIn professional groups. I check for new "threads" (topics) daily.
&lt;/P&gt;&lt;P&gt;
I also subscribe to several Yahoo lists.
&lt;/P&gt;&lt;P&gt;
Finally, I confess to being a 5 a.m. news junky; I have to have my "fix" first thing in the day.
&lt;/P&gt;&lt;P&gt;
Continuing education also means keeping in touch with both fellow practitioners and with those Subject Matter Experts (SMEs) who are the backbone of my experts' network. My favorites in the "fellow practitioner" category are those folks who frequently add to my thoughts and sometimes disagree with those thoughts. I don't count "Yes" men (and women) in my list of trusted sources.
&lt;/P&gt;&lt;P&gt;
The Internet also lets me access the multitude of (U.S.) federal and state Web sites. FEMA probably is the most frequented, but financial sites and medical (HIPAA-related) sites also are bookmarked. The other day I was looking at a distant county's flood history.
&lt;/P&gt;&lt;P&gt;
I don't "Facebook," nor do I "Tweet."
&lt;/P&gt;&lt;P&gt;
I may not be gaining Continuing Education Credits (CEUs) by expanding my knowledge outside the brick-and-mortar or electronic "halls of ivy," but I do maintain currency in my field through what might be termed "alternative resources."
&lt;/P&gt;&lt;P&gt;
I can do that wherever I find a portal to the Internet.&lt;/P&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5931600765099861931-1033705435056789032?l=johnglennmbci.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://johnglennmbci.blogspot.com/feeds/1033705435056789032/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5931600765099861931&amp;postID=1033705435056789032&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/1033705435056789032'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/1033705435056789032'/><link rel='alternate' type='text/html' href='http://johnglennmbci.blogspot.com/2011/07/erm-bc-coop-continuing-education.html' title='&lt;H3&gt;&lt;U&gt;ERM-BC-COOP&lt;/U&gt;&lt;/H3&gt;  &lt;H1&gt;Continuing education&lt;/H1&gt;'/><author><name>John Glenn MBCI</name><uri>http://www.blogger.com/profile/03499458727913967175</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='11' height='32' src='http://bp2.blogger.com/_j2DodcRshS0/R_-0aRRk2PI/AAAAAAAAAAk/d-6wSUMOBX4/S220/litehous-sml.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5931600765099861931.post-1976868246530574237</id><published>2011-07-20T14:44:00.003+01:00</published><updated>2011-07-20T14:55:29.509+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Enterprise Risk Management'/><category scheme='http://www.blogger.com/atom/ns#' term='Business Continuity'/><title type='text'>ERM-BC-COOP:Comparing notes</title><content type='html'>&lt;P&gt;&amp;nbsp;
&lt;/P&gt;&lt;P&gt;
An acquaintance and I were interviewed for the same job.
&lt;/P&gt;&lt;P&gt;
Both of us are well qualified for it; he's geographically closer to the work site so I think the nod will go - if it goes to either of us - to my acquaintance.
&lt;/P&gt;&lt;P&gt;
Since we've known each other for a number of years, we have been comparing notes from the interviews.
&lt;/P&gt;&lt;P&gt;
Some of our thoughts tend to give pause.
&lt;/P&gt;&lt;P&gt;
First, my acquaintance was invited to a face-to-face interview - at his expense (air fare, lodging, local transportation, meals). I was allowed a telephone interview - at my expense. My interview took less than half-an-hour (28 minutes, to be exact). I hope my acquaintance got closer to his money's worth of interview time.
&lt;/P&gt;&lt;P&gt;
Both of us were interviewed by people we were given to believe are business continuity people. Neither, as far as we can ascertain, would be the successful candidate's manager. Were we interviewed by people who will report to us? Will they be our peers? Why wasn't the hiring manager at least participating in the interview? 
&lt;/P&gt;&lt;P&gt;
The lead interviewer made it clear that the winning candidate would be no more than "supplemental" staff (vs. consultants) and paid accordingly. Translation: the practitioner will have no leverage to accomplish anything, although the practitioner will be expected to accomplish a great deal.
&lt;/P&gt;&lt;P&gt;
The interviewers asked us if we had any "change management" experience. We do, but just how did the interviewers &lt;i&gt;define&lt;/i&gt; "change management?"
&lt;/P&gt;&lt;P&gt;
In ERM terms - my terms - change management means managing changes to the program and its documentation. "Change management" in IT-speak is, basically, "check out - check in" of code that hopefully is fully exercised before going operational.
&lt;/P&gt;&lt;P&gt;
No, for the two interviewers, "change management" means changing the organization's perception of risk management. In other words, marketing and education. I don't have a formal "process" or "program" to accomplish this, although I suspect my acquaintance probably does have such a document in his kit bag.
&lt;/P&gt;&lt;P&gt;
We were told a decision would be made by the Friday of the interview week and conveyed to the sundry agents representing us and, we suspect, several others. 
&lt;/P&gt;&lt;P&gt;
Monday arrived and my acquaintance checked with his agent. No response.
&lt;/P&gt;&lt;P&gt;
Tuesday, same story.
&lt;/P&gt;&lt;P&gt;
I have a suspicious mind.
&lt;/P&gt;&lt;P&gt;
My suspicion, based on the "change management" requirement, the lack of management involvement in the interviews, and the delayed response, is that despite allegedly having 800-pound gorillas supporting risk management, in truth there is little respect for the practice and, I fear, developing same - the change management - will be a long uphill battle that has little chance of success.
&lt;/P&gt;&lt;P&gt;
I understand there are some "add/move/delete" actions going on at the very senior management level - yesterday's org chart already is outdated. It seems to this practitioner that with management - management that will need to be on board to make "change management" work - in flux, perhaps the requisition, interviews, and decision should be put off until the dust settles.
&lt;/P&gt;&lt;P&gt;
Right now, taking a job with this organization - which will require more than a little travel - seems like an unnecessary risk.
&lt;/P&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5931600765099861931-1976868246530574237?l=johnglennmbci.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://johnglennmbci.blogspot.com/feeds/1976868246530574237/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5931600765099861931&amp;postID=1976868246530574237&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/1976868246530574237'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/1976868246530574237'/><link rel='alternate' type='text/html' href='http://johnglennmbci.blogspot.com/2011/07/erm-bc-coop-comparing-notes.html' title='&lt;H1&gt;ERM-BC-COOP:&lt;BR&gt;Comparing notes&lt;/H1&gt;'/><author><name>John Glenn MBCI</name><uri>http://www.blogger.com/profile/03499458727913967175</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='11' height='32' src='http://bp2.blogger.com/_j2DodcRshS0/R_-0aRRk2PI/AAAAAAAAAAk/d-6wSUMOBX4/S220/litehous-sml.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5931600765099861931.post-2202290933721264704</id><published>2011-07-19T23:28:00.004+01:00</published><updated>2011-07-22T18:10:25.712+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Enterprise Risk Management'/><category scheme='http://www.blogger.com/atom/ns#' term='Business Continuity'/><title type='text'>ERM-BC-COOP:Phoenix - no surprises</title><content type='html'>&lt;p&gt;&amp;nbsp;
&lt;/P&gt;&lt;P&gt;
A few years ago I talked to a guy about a job in Phoenix AZ. The job, which I declined, would have been strictly DR.
&lt;/P&gt;&lt;P&gt;
But while I was in Phoenix, a town I happen to like a lot, I did some risk research.
&lt;/P&gt;&lt;P&gt;
There are only a few serious risks.
&lt;/P&gt;&lt;P&gt;
&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/-TNSOtDg4zeQ/TiYG0xnDSuI/AAAAAAAAAEs/MRW3UxL5tio/s1600/HAboob.jpg"&gt;&lt;img style="float:right; margin:0 0 10px 10px;cursor:pointer; cursor:hand;width: 129px; height: 128px;" src="http://3.bp.blogspot.com/-TNSOtDg4zeQ/TiYG0xnDSuI/AAAAAAAAAEs/MRW3UxL5tio/s320/HAboob.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5631195887813479138" /&gt;&lt;/a&gt;One, a sandstorm, happened twice in July (2011) - July 6 and again on July 25.
&lt;/P&gt;&lt;P&gt;
Motorola had a chip operation in Greater Phoenix when I visited, and its business continuity people recognized the threat of a sandstorm, a/k/a "haboob," a word borrowed from Arabic.
&lt;/P&gt;&lt;P&gt;
When the plant was constructed, Motorola included a space-station-like air lock.
&lt;/P&gt;&lt;P&gt;
Personnel entered the air lock.
&lt;/P&gt;&lt;P&gt;
The doors closed.
&lt;/P&gt;&lt;P&gt;
The air was cleaned.
&lt;/P&gt;&lt;P&gt;
A second door to the work area opened.
&lt;/P&gt;&lt;P&gt;
Actually, the air lock is the standard approach to a clean room, but Motorola's was, I was told, on a plant-size scale.
&lt;/P&gt;&lt;P&gt;
Phoenix also has flooding as a risk.
&lt;/P&gt;&lt;P&gt;
Believe it.
&lt;/P&gt;&lt;P&gt;
According to the Maricopa County Flood Control District, the county, in which Phoenix resides, 
&lt;/P&gt;&lt;P&gt;
&lt;i&gt;"has two rainy seasons: summer and winter. Winter usually brings longer-lasting but less-intense storms. Summer brings shorter, more intense thunderstorms. These summer thunderstorms are usually the result of the North American Monsoon (also called the Arizona Monsoon or the Mexican Monsoon). The North American Monsoon impacts the southwestern United States and northwestern Mexico every summer (usually July, August and September). "&lt;/I&gt;
&lt;/P&gt;&lt;P&gt;
The county's FCD web site lists floods dating back to 1889 (see &lt;A HREF="http://www.fcd.maricopa.gov/Education/history.aspx" TARGET="FCD"&gt;http://www.fcd.maricopa.gov/Education/history.aspx&lt;/A&gt;).
&lt;/P&gt;&lt;P&gt;
In addition to sand and flood, the city has two interstate highways - I-10 and I-17 - and a major east-west "U.S." highway, U.S. 60.  In addition to the threat of a hazmat mishap, there is the constant risk of accidents preventing staff from timely travel. Sky Harbor International Airport is surrounded by major roadways, including I-10. Once a sleepy airport with only an occasional flight (c. 1957), the airport now has a respectable number of flights provided by 17 airlines, plus the major air freight carriers.
&lt;/P&gt;&lt;P&gt;
Probably not the last threat, and certainly not the least, is a power outage in a community that cannot remember when it lacked air conditioning.
&lt;/P&gt;&lt;P&gt;
Phoenix, which at "first blush" appears to be as risk free as any place in the U.S., turns out to have "the usual suspects" plus a couple that fall into the "would you believe" category.
&lt;/P&gt;&lt;P&gt;
If only Phoenix wasn't so far from a major body of water it would be almost perfect, but I'm used to an ocean or gulf within a short drive.
&lt;/P&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5931600765099861931-2202290933721264704?l=johnglennmbci.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://www.huffingtonpost.com/2011/07/06/phoenix-dust-storm-photos-video_n_891157.html' title='&lt;H1&gt;ERM-BC-COOP:&lt;BR&gt;Phoenix - no surprises&lt;/H1&gt;'/><link rel='replies' type='application/atom+xml' href='http://johnglennmbci.blogspot.com/feeds/2202290933721264704/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5931600765099861931&amp;postID=2202290933721264704&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/2202290933721264704'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/2202290933721264704'/><link rel='alternate' type='text/html' href='http://johnglennmbci.blogspot.com/2011/07/erm-bc-coop-phoenix-no-surprise.html' title='&lt;H1&gt;ERM-BC-COOP:&lt;BR&gt;Phoenix - no surprises&lt;/H1&gt;'/><author><name>John Glenn MBCI</name><uri>http://www.blogger.com/profile/03499458727913967175</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='11' height='32' src='http://bp2.blogger.com/_j2DodcRshS0/R_-0aRRk2PI/AAAAAAAAAAk/d-6wSUMOBX4/S220/litehous-sml.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/-TNSOtDg4zeQ/TiYG0xnDSuI/AAAAAAAAAEs/MRW3UxL5tio/s72-c/HAboob.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5931600765099861931.post-3209183702117463220</id><published>2011-07-15T14:00:00.006+01:00</published><updated>2011-07-22T18:11:49.798+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' 
term='Enterprise Risk Management'/><category scheme='http://www.blogger.com/atom/ns#' term='Business Continuity'/><title type='text'>ERM-BC-COOP: Facebooking? Laws change by location</title><content type='html'>&lt;P&gt;&amp;nbsp;
&lt;/p&gt;&lt;p&gt;
According to an AdvisenFPN article from Proskauer's International Labor and Employment Practice Group (&lt;A HREF="http://tinyurl.com/6fdwauv" TARGET="Facebook"&gt;http://tinyurl.com/6fdwauv&lt;/A&gt;), 
&lt;/p&gt;&lt;p&gt;
&lt;UL&gt;&lt;I&gt;"While social media law is too new and undeveloped to give a clear picture, the Labor Board's approach appears to give employees broad latitude to disparage their employer on Facebook and similar social media sites.
&lt;/p&gt;&lt;p&gt;
Early indications are that foreign tribunals are taking a different approach. In several recent cases, they have affirmed the employers' right to dismiss employees for comments made in social media forums."&lt;/I&gt;&lt;/UL&gt;
&lt;/p&gt;&lt;p&gt;
The article goes on to cite two cases, one in England, the other British Columbia (Canada).
&lt;/p&gt;&lt;p&gt;
Proskauer's article ends with the admonishment that
&lt;/p&gt;&lt;p&gt;
&lt;UL&gt;&lt;I&gt;"The law is too new, and the sample size too small, to draw any definitive conclusions from these cases. Where possible, expectations of privacy should be defined, particularly with respect to conduct occurring during work time and comments that are widely disseminated. The use of social media sites to disparage the employer's customers, products and services should be addressed, as well as conduct that would be prohibited in the workplace, such as insubordination. As with any multinational HR policy, local rules (both substantive and procedural) should be considered."&lt;/I&gt;&lt;/UL&gt;
&lt;/p&gt;&lt;p&gt;
Social media must make risk management practitioners aware of several critical needs:&lt;/p&gt;&lt;p&gt;
&lt;OL&gt;&lt;LI&gt;The need to involve HR and Legal in the risk management process. (All functional units should be involved, but especially HR and Legal.)&lt;/p&gt;&lt;p&gt;
&lt;/LI&gt;&lt;LI&gt;Policies and procedures need to be carefully crafted &lt;i&gt;and&lt;/i&gt; published &lt;i&gt;and&lt;/i&gt; there must be evidence that personnel - at all ranks - have read and comprehended the policies.&lt;/p&gt;&lt;p&gt;

&lt;/LI&gt;&lt;LI&gt;Policies and procedures must cover &lt;i&gt;all&lt;/i&gt; of an organization's locations. &lt;/P&gt;&lt;P&gt;

&lt;/LI&gt;&lt;LI&gt;Policies and procedures must consider visiting employees, for example, an employee from France visiting the organization's facility in Finland. See &lt;A HREF="http://tinyurl.com/68uawjw" TARGET="Ca"&gt;http://tinyurl.com/68uawjw&lt;/A&gt;&lt;/P&gt;&lt;P&gt;

&lt;/LI&gt;&lt;LI&gt;Someone within the organization needs to monitor the Internet for any comments, good and bad, relating to the organization. Likewise, someone needs the authority to &lt;i&gt;quickly&lt;/i&gt; respond to Internet postings, particularly negative postings to prevent damage to the organization's reputation.&lt;/LI&gt;&lt;/OL&gt;
&lt;/P&gt;&lt;P&gt;

Proskauer is located on the Web at &lt;A HREF="http://www.proskauer.com/" TARGET="Law"&gt;http://www.proskauer.com/&lt;/A&gt;
&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5931600765099861931-3209183702117463220?l=johnglennmbci.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://fpn.advisen.com/fpnHomepagep.shtml?resource_id=149176491383858114#top' title='&lt;H1&gt;ERM-BC-COOP: Facebooking? &lt;BR&gt;Laws change by location&lt;/H1&gt;'/><link rel='replies' type='application/atom+xml' href='http://johnglennmbci.blogspot.com/feeds/3209183702117463220/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5931600765099861931&amp;postID=3209183702117463220&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/3209183702117463220'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/3209183702117463220'/><link rel='alternate' type='text/html' href='http://johnglennmbci.blogspot.com/2011/07/erm-bc-coop-facebooking-laws-change-by.html' title='&lt;H1&gt;ERM-BC-COOP: Facebooking? 
&lt;BR&gt;Laws change by location&lt;/H1&gt;'/><author><name>John Glenn MBCI</name><uri>http://www.blogger.com/profile/03499458727913967175</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='11' height='32' src='http://bp2.blogger.com/_j2DodcRshS0/R_-0aRRk2PI/AAAAAAAAAAk/d-6wSUMOBX4/S220/litehous-sml.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5931600765099861931.post-9215706085582965076</id><published>2011-07-11T15:33:00.005+01:00</published><updated>2011-07-22T18:10:45.860+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Enterprise Risk Management'/><category scheme='http://www.blogger.com/atom/ns#' term='Business Continuity'/><title type='text'>ERM-BC-COOP: Read the policy And be smart</title><content type='html'>&lt;P&gt;&amp;nbsp;
&lt;/P&gt;&lt;P&gt;
According to a story from the &lt;U&gt;Herald - Times&lt;/U&gt; of Bloomington, IN, and picked up by AdvisenFPN, if you disconnect a building's sprinkler system and there's a fire, don't expect the insurance company to pay off.
&lt;/P&gt;&lt;P&gt;
It seems that the Little Nashville Opry's sprinkler system failed to work because, as the Brown County TN circuit court found, the structure's owners failed to maintain the sprinkler system so the insurance company "has no obligation to pay."
&lt;/P&gt;&lt;P&gt;
The story, which may be read at &lt;A HREF="http://tinyurl.com/63b3kux" TARGET="Fire"&gt;http://tinyurl.com/63b3kux&lt;/A&gt;, noted that &lt;i&gt;the reason&lt;/i&gt; the sprinkler system failed was because the building owners disconnected the system following a case of frozen-and-then-burst pipes - which an insurance company paid to restore to working order. The article failed to note if it was the same insurance company that now denied the building owners' claim.
&lt;/P&gt;&lt;P&gt;
For risk management practitioners, there are two lessons to be learned.
&lt;/P&gt;&lt;UL&gt;&lt;P&gt;
Lesson 1: Maintain, &lt;i&gt;and test&lt;/i&gt;, safety equipment.
&lt;/P&gt;&lt;P&gt;
Lesson 2: Read and abide by insurance company policy contents.
&lt;/P&gt;&lt;/UL&gt;&lt;P&gt;
Unless the policy is in &lt;font size=+1&gt;BIG PRINT&lt;/font&gt; and in plain English (or whatever the language of the land), get outside help in deciphering it &lt;B&gt;before&lt;/B&gt; signing the contract. Insurance adjusters are good resources as interpreters.
&lt;/P&gt;&lt;P&gt;
One other point.  
&lt;/P&gt;&lt;P&gt;
If the contract is multi-lingual, determine which language is the "base" language for the document. For example, if the English is a translation from Spanish, and if there is a conflict between Spanish and English, Spanish - as the original language - will prevail. (Many hours have been spent arguing the meaning of the Sixth of the "Big 10" commandments, &lt;FONT SIZE=+1&gt;לא תרצח&lt;/FONT&gt; - is it "do not murder" or, as mistranslated, "do not kill?" As with the insurance policy or any other multi-lingual document, "The Original Rules.")
&lt;/P&gt;&lt;P&gt;
The problem for a risk manager: How to convince management that its action (or inaction - failing to test) is itself a risk, or as in the case of the burned facility, that management compounded the risk.
&lt;/P&gt;&lt;P&gt;
The article noted that the fire that severely damaged the building appeared to be arson.&lt;/P&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5931600765099861931-9215706085582965076?l=johnglennmbci.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://fpn.advisen.com/articles/article148650144-876277772.html?user=' title='&lt;H1&gt;ERM-BC-COOP: Read the policy&lt;/H1&gt; &lt;H2&gt;And be smart&lt;/H2&gt;'/><link rel='replies' type='application/atom+xml' href='http://johnglennmbci.blogspot.com/feeds/9215706085582965076/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5931600765099861931&amp;postID=9215706085582965076&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/9215706085582965076'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/9215706085582965076'/><link rel='alternate' type='text/html' href='http://johnglennmbci.blogspot.com/2011/07/erm-bc-coop-read-policy-and-be-smart.html' title='&lt;H1&gt;ERM-BC-COOP: Read the policy&lt;/H1&gt; &lt;H2&gt;And be smart&lt;/H2&gt;'/><author><name>John Glenn MBCI</name><uri>http://www.blogger.com/profile/03499458727913967175</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='11' height='32' src='http://bp2.blogger.com/_j2DodcRshS0/R_-0aRRk2PI/AAAAAAAAAAk/d-6wSUMOBX4/S220/litehous-sml.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5931600765099861931.post-2597851221586981841</id><published>2011-07-06T15:13:00.001+01:00</published><updated>2011-07-06T15:18:32.471+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Enterprise Risk Management'/><category 
scheme='http://www.blogger.com/atom/ns#' term='Business Continuity'/><title type='text'>ERM-BC-COOP: Out of state,not out of court</title><content type='html'>&lt;P&gt;&amp;nbsp;
&lt;/P&gt;&lt;P&gt;
In a Los Angeles Times article headlined on Advisen FPN as &lt;U&gt;California overtime-pay laws protect nonresidents too, court rules&lt;/U&gt; (read at &lt;A HREF="http://tinyurl.com/3prouu6" TARGET="LATIMES"&gt;http://tinyurl.com/3prouu6&lt;/A&gt;), the newspaper reports that
&lt;/P&gt;&lt;P&gt;
&lt;i&gt;"Residents of other states who work for California companies are protected by the state's overtime laws during business trips here, the California Supreme Court decided unanimously Thursday."&lt;/I&gt;
&lt;/P&gt;&lt;P&gt;
According to the court, &lt;i&gt;"Not to apply California law would also encourage employers to substitute lower-paid temporary employees from other states for California employees, thus threatening California's legitimate interest in expanding the job market.&lt;/I&gt;" 
&lt;/P&gt;&lt;P&gt;
The LA Times article notes that the decision impacts on non-California residents working temporarily in California for a California-based organization. The initial suit was brought by non-California employees of Oracle Corporation who "wanted to benefit from California's generous overtime law during business trips."
&lt;/P&gt;&lt;P&gt;
From a risk management standpoint, the ruling could have several consequences.
&lt;/P&gt;&lt;P&gt;
&lt;UL&gt;&lt;LI&gt;Companies will have to pay non-resident employees working temporarily in California at California rates.
&lt;/P&gt;&lt;P&gt;
&lt;/LI&gt;&lt;LI&gt;More California companies needing non-resident employees will either
&lt;/P&gt;&lt;P&gt;
&lt;UL&gt;&lt;LI&gt;Make do without the out-of-state staffers
&lt;/P&gt;&lt;P&gt;
 &lt;/LI&gt;&lt;LI&gt;Increase tele- and video conferencing&lt;/LI&gt;&lt;/UL&gt;
&lt;/P&gt;&lt;P&gt;
&lt;/LI&gt;&lt;LI&gt;Relocate their headquarters offices to another state, expensive but a one-time cost.&lt;/LI&gt;&lt;/UL&gt;
&lt;/P&gt;&lt;P&gt;
The California ruling may not be the "final ruling" on the matter.
&lt;/P&gt;&lt;P&gt;
Since the issue is one of "interstate commerce," the Federal courts could be asked to intervene.
&lt;/P&gt;&lt;P&gt;
&amp;nbsp;
&lt;/P&gt;&lt;P&gt;
&lt;HR&gt;
&lt;/P&gt;&lt;P&gt;
&amp;nbsp;
&lt;/P&gt;&lt;P&gt;
In another Advisen FPN pick-up, the Las Vegas Sun reported that the Clark County commissioners agreed to pay $150,000 to settle a lawsuit brought by a person diagnosed with cubicle claustrophobia. The full article as it appears on the Advisen FPN site is at &lt;A HREF="http://tinyurl.com/3hdos3p" TARGET="LVSUN"&gt;http://tinyurl.com/3hdos3p&lt;/A&gt;.
&lt;/P&gt;&lt;P&gt;
&amp;nbsp;
&lt;/P&gt;&lt;P&gt;
&lt;HR&gt;
&lt;/P&gt;&lt;P&gt;
&amp;nbsp;
&lt;/P&gt;&lt;P&gt;
Advisen focuses on the insurance industry, but for a risk management practitioner, the articles are both interesting and often educational, certainly identifying risks normally not considered in the typical risk litany.
&lt;/P&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5931600765099861931-2597851221586981841?l=johnglennmbci.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://tinyurl.com/3prouu6' title='&lt;H1&gt;ERM-BC-COOP: &lt;BR&gt;Out of state,&lt;BR&gt;not out of court&lt;/H1&gt;'/><link rel='replies' type='application/atom+xml' href='http://johnglennmbci.blogspot.com/feeds/2597851221586981841/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5931600765099861931&amp;postID=2597851221586981841&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/2597851221586981841'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/2597851221586981841'/><link rel='alternate' type='text/html' href='http://johnglennmbci.blogspot.com/2011/07/erm-bc-coop-out-of-state-not-out-of.html' title='&lt;H1&gt;ERM-BC-COOP: &lt;BR&gt;Out of state,&lt;BR&gt;not out of court&lt;/H1&gt;'/><author><name>John Glenn MBCI</name><uri>http://www.blogger.com/profile/03499458727913967175</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='11' height='32' src='http://bp2.blogger.com/_j2DodcRshS0/R_-0aRRk2PI/AAAAAAAAAAk/d-6wSUMOBX4/S220/litehous-sml.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5931600765099861931.post-3849763806636654999</id><published>2011-07-04T15:18:00.003+01:00</published><updated>2011-07-04T15:28:22.296+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Enterprise Risk Management'/><category scheme='http://www.blogger.com/atom/ns#' term='Business Continuity'/><title type='text'>ERM-BC-COOP: Prepared . . . or not</title><content type='html'>&lt;P&gt;
&amp;nbsp;
&lt;/P&gt;&lt;P&gt;
Malcolm Smeaton, Director Security Services and Contingency Planning at Government of Ontario, posted the following question on LinkedIn's Business Continuity-COOP group:
&lt;/P&gt;&lt;P&gt;
&lt;I&gt;BCM Key Metric:  I and others are to consolidate our annual reports to executives. This will include an executive summary that only allows the BCM program to highlight one key metric, what should it be? 
&lt;/P&gt;&lt;P&gt;
I have considered: Last Exercised, last updated, departments covered, critical services covered, % of employees trained on BCP. Any suggestions what key metric I should select? Or any articles that you can point me to that will help me select?&lt;/I&gt;
&lt;/P&gt;&lt;P&gt;
A long-time acquaintance of mine, Howard Pierpont, Board Chair - Disaster Preparedness and Emergency Response Association, responded that Smeaton should consider:
&lt;/P&gt;&lt;P&gt;
&lt;I&gt;Being in Ontario, I'd suggest you look at 'Where are we in meeting the requirements of BS25999 or the Canadian equiv of NFPA1600".&lt;/I&gt;
&lt;/P&gt;&lt;P&gt;
Howard's been in the business a long time and has an enviable record; I generally respect his opinion.
&lt;/P&gt;&lt;P&gt;
But this time, I think he came up a tad short.
&lt;/P&gt;&lt;P&gt;
My problem is that, &lt;i&gt;&lt;u&gt;in m&lt;/u&gt;y&lt;u&gt; o&lt;/u&gt;p&lt;u&gt;inion&lt;/u&gt;,&lt;/i&gt; "meeting the requirements" does not necessarily equate to being prepared to handle an event.
&lt;/P&gt;&lt;P&gt;
BS25999-* is a rather broad ISO-want-to-be that was cobbled together by a committee of practitioners, many of whom - and I know this first hand - ignore avoidance and mitigation as if risks are inevitable and must be accepted as they occur. The Canadian version of NFPA 1600 is a better standard, but again, it is generic.
&lt;/P&gt;&lt;P&gt;
Each organization is unique; indeed, similar operations within the same organization - think national vehicle rental companies - can be unique from one to another. One size generic standard, be it CNFPA 1600 or the BS effort, cannot be all things to all organizations.
&lt;/P&gt;&lt;P&gt;
There simply are too many things that can go "bump in the night" to be addressed by a standard, accepted or want-to-be.
&lt;/P&gt;&lt;P&gt;
My answer to Mr. Smeaton's query, probably no more helpful than Howard's, took a different approach and one I think more accurately, yet briefly, states the organization's readiness:
&lt;/P&gt;&lt;P&gt;
&lt;I&gt;The organisation is prepared for an event based on the recent enterprise exercise using a &amp;lt;pick a threat&amp;gt; scenario.&lt;/I&gt;
&lt;/P&gt;&lt;P&gt;
I added that, considering the kick-off question's contents,
&lt;/P&gt;&lt;P&gt;
&lt;I&gt;Everyone should be trained on the plan; that's a given.
&lt;/P&gt;&lt;P&gt;
All departments need to be covered; that's a given. 
&lt;/P&gt;&lt;P&gt;
The "last exercised" is included in my suggested statement; the "last update" is a given following the exercise - I &lt;U&gt;assume&lt;/U&gt; there were some deficiencies noted during the exercise and they were/are being eliminated&lt;/I&gt;
&lt;/P&gt;&lt;P&gt;
Admittedly I think primarily in terms of enterprise risk management, but even dealing with functional units (creating "mini-plans" if you will), I firmly believe that everyone involved in the unit - functional or enterprise - needs to have a role in the management of risks and should be involved in risk management exercises.
&lt;/P&gt;&lt;P&gt;
Given that, it seems obvious to me that the best indicator of an organization's readiness is the most recent enterprise exercise.
&lt;/P&gt;&lt;P&gt;
I do &lt;B&gt;not&lt;/B&gt; expect the exercise to be perfect; the points - at least two - of an exercise are to (a) identify any deficiencies and (b) enhance responder confidence and ability; the "B" is as important as the "A."
&lt;/P&gt;&lt;P&gt;
Critiquing an exercise to determine what "we" can do better - finger pointing and personal criticisms are counter-productive - usually, at least in my experience, results in a "to do" list that becomes a living part of the plan, with each item closed out as it is completed (and confirmed) - in other words, answering Mr. Smeaton's "last updated" concern.
&lt;/P&gt;&lt;P&gt;
As this is cobbled together, only Howard and I have responded; it will be interesting to see others' opinions. The great thing about LinkedIn and its groups is that people can build on each other's input.
&lt;/P&gt;&lt;P&gt;
Long ago I understood that no one should create a plan - or a program - in a vacuum. People such as Howard are part of a personal, highly valued network of fellow risk professionals. We don't always agree, but we always share our knowledge.
&lt;/P&gt;&lt;P&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5931600765099861931-3849763806636654999?l=johnglennmbci.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://tinyurl.com/3bsp2xc' title='&lt;H1&gt;ERM-BC-COOP: &lt;BR&gt;Prepared . . . or not&lt;/H1&gt;'/><link rel='replies' type='application/atom+xml' href='http://johnglennmbci.blogspot.com/feeds/3849763806636654999/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5931600765099861931&amp;postID=3849763806636654999&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/3849763806636654999'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/3849763806636654999'/><link rel='alternate' type='text/html' href='http://johnglennmbci.blogspot.com/2011/07/prepared-on-not.html' title='&lt;H1&gt;ERM-BC-COOP: &lt;BR&gt;Prepared . . . or not&lt;/H1&gt;'/><author><name>John Glenn MBCI</name><uri>http://www.blogger.com/profile/03499458727913967175</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='11' height='32' src='http://bp2.blogger.com/_j2DodcRshS0/R_-0aRRk2PI/AAAAAAAAAAk/d-6wSUMOBX4/S220/litehous-sml.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5931600765099861931.post-8598821146814146005</id><published>2011-06-30T00:17:00.006+01:00</published><updated>2011-07-03T16:32:59.039+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Enterprise Risk Management'/><category scheme='http://www.blogger.com/atom/ns#' term='Business Continuity'/><title type='text'>ERM-BC-COOP: Audits &amp; auditors</title><content type='html'>&lt;P&gt;
&lt;font size=-1&gt;Updated July 3, 2011&lt;/Font&gt;
&lt;/P&gt;&lt;P&gt;
Auditing functions and processes - versus auditing just financial statements - has become a hot topic in many areas.
&lt;/P&gt;&lt;P&gt;
Enterprise risk management is one of those "many areas."
&lt;/P&gt;&lt;P&gt;
This raises three questions:
&lt;/P&gt;&lt;P&gt;
&lt;OL&gt;&lt;B&gt;&lt;LI&gt;Who audits the program - internal auditor or external auditor?&lt;/LI&gt;
&lt;/P&gt;&lt;P&gt;
&lt;LI&gt;How in-depth the audit?&lt;/LI&gt;
&lt;/P&gt;&lt;P&gt;
&lt;LI&gt;What qualifications should an auditor possess?&lt;/LI&gt;&lt;/B&gt;&lt;/OL&gt;
&lt;/P&gt;&lt;P&gt;
As with most things in the risk management world, there is more than one "correct" answer because "it depends."
&lt;/P&gt;&lt;P&gt;
&lt;H2&gt;&lt;FONT SIZE=+1&gt;Inside, Outside&lt;/FONT&gt;&lt;/H2&gt;
&lt;/P&gt;&lt;P&gt;
Should the risk management audit be conducted by an internal auditor or should it be jobbed out to an outside person or firm?
&lt;/P&gt;&lt;P&gt;
If an in-house auditor is used, there must always be a suspicion that the auditor will be less than totally candid; after all, the auditor's job is on the line. 
&lt;/P&gt;&lt;P&gt;
Will the internal auditor check with Very Senior Management to determine what the audit is expected to convey? Will the auditor "adjust" the report to present something in a better, or lesser, light than reality demands?
&lt;/P&gt;&lt;P&gt;
One other thing: An internal audit is easier for management to quash, brush under a convenient rug, than an outside auditor's report.
&lt;/P&gt;&lt;P&gt;
While an independent outside auditor may have less to fear from an upset client, the auditor will need to be privy to sensitive client information; information that could damage the client - or the client's clients - if it fell into the wrong hands.
&lt;/P&gt;&lt;P&gt;
Even with an iron-clad Non-Disclosure Agreement (NDA), with the right enticement, an external auditor might be convinced to share client information.
&lt;/P&gt;&lt;P&gt;
Of course that also holds true for an internal auditor, especially one who feels his or her work is in vain.
&lt;/P&gt;&lt;P&gt;
&lt;H2&gt;&lt;FONT SIZE=+1&gt;Drilling down&lt;/FONT&gt;&lt;/H2&gt;
&lt;/P&gt;&lt;P&gt;
Just how deep should an auditor investigate?
&lt;/P&gt;&lt;P&gt;
Is the auditor expected to gloss over the organization at "20,000 feet,"  the altitude at which some managers expect their risk managers to operate? Or, should the auditor drill down to the process level? The real question is: what does management want from the audit? 
&lt;/P&gt;&lt;P&gt;
Does management want the auditor to provide a cursory check-list comparison of plan vs. reality or does management want the auditor to delve into each of the plan's statements - maybe even call for, and observe, an exercise?
&lt;/P&gt;&lt;P&gt;
It was not so long ago that a financial auditing firm - one of the once "Big Five" - found itself spurned because it glossed over a client's weaknesses.
&lt;/P&gt;&lt;P&gt;
The thoroughness of an audit may be tempered by sensitivity of information or driven by regulation or "Generally Accepted Auditing Standards," a/k/a GAAS, as well as management's mandate to the practitioner. The &lt;i&gt;effectiveness&lt;/i&gt; of the audit depends solely on management's commitment to, acceptance of, and implementation of audit recommendations.
&lt;/P&gt;&lt;P&gt;
&lt;H2&gt;&lt;FONT SIZE=+1&gt;Who should audit&lt;/FONT&gt;&lt;/H2&gt;
&lt;/P&gt;&lt;P&gt;
Once &lt;b&gt;what&lt;/b&gt; should be audited and at what depth is determined, the next logical question is: What should be the auditor's qualifications?
&lt;/P&gt;&lt;P&gt;
I have worked with auditors who knew the field in which they were working and I have worked with people who are innocents in the field they were asked  to audit.
&lt;/P&gt;&lt;P&gt;
The former can be either like the risk management practitioner who is in love with what he or she does and approaches it enthusiastically or like the risk management practitioner who creates programs according to a checklist. (Checklists are valuable, but must only be a starting point to assure all bases are considered.)
&lt;/P&gt;&lt;P&gt;
The enthusiastic auditor approaches the job as an opportunity to help everyone improve the organization. The risk management practitioner's work is vetted by an outsider who may only know enough about risk management to ask questions: "What if . . .  " and "Why was this recommended?" 
&lt;/P&gt;&lt;P&gt;
My long-time mantra was, and continues to be, "No plan is perfect the first time out." If early exercises fail to turn up something to address, something is wrong with the exercise. Auditors could find a "got'cha" missed during an exercise just by challenging the practitioner's notions.
&lt;/P&gt;&lt;P&gt;
Auditors thrown into audits of areas in which they have little or no knowledge need to have a network of people who can give them direction; suggest things to examine closely for each unique client. 
&lt;/P&gt;&lt;P&gt;
It helps if the auditor, with or without knowledge of the audit subject, has good interview skills. An audit that is limited to document examination is, in most cases, an incomplete audit. If a document is the basis of the audit - as it normally would be with a risk management audit - the auditor needs to assure that what is documented can be accomplished and is being accomplished.
&lt;/P&gt;&lt;P&gt;
&lt;H2&gt;&lt;FONT SIZE=+1&gt;Change auditors&lt;/FONT&gt;&lt;/H2&gt;
&lt;/P&gt;&lt;P&gt;
Parting shot: Change auditors frequently.
&lt;/P&gt;&lt;P&gt;
The same admonishment applies to risk management practitioners as well. (&lt;i&gt;If the risk management is an in-house operation, consider hiring a consultant once every "n" years just to get a new perspective.&lt;/I&gt;)
&lt;/P&gt;&lt;P&gt;
Regardless of what is being audited, the auditor or auditing firm should be replaced, "rotated out," every few years - perhaps every three years, perhaps every five years. 
&lt;/P&gt;&lt;P&gt;
Auditors have a vested interest in keeping the business, be it as a staff auditor or as a consultant. A less than totally honest auditor could "hide" a previous year's mistake year after year - or until a new auditor (from a different firm) is invited to perform a new, "from the ground up" audit.
&lt;/P&gt;&lt;P&gt;
Even a totally honest auditor may fail to see a situation that needs attention that was ignored in a previous audit.
&lt;/P&gt;&lt;P&gt;
&lt;H2&gt;&lt;FONT SIZE=+1&gt;Auditors are our friends&lt;/font&gt;&lt;/H2&gt;
&lt;/P&gt;&lt;P&gt;
I am absolutely convinced that a good auditor can be a valuable asset to any risk management program; I welcome auditors who care about their work to critique my programs. 
&lt;/P&gt;&lt;P&gt;
It's good for me.
&lt;/P&gt;&lt;P&gt;
It's good for my client.
&lt;/P&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5931600765099861931-8598821146814146005?l=johnglennmbci.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://johnglennmbci.blogspot.com/feeds/8598821146814146005/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5931600765099861931&amp;postID=8598821146814146005&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/8598821146814146005'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/8598821146814146005'/><link rel='alternate' type='text/html' href='http://johnglennmbci.blogspot.com/2011/06/erm-bc-coop-audits-auditors.html' title='&lt;h1&gt;ERM-BC-COOP: Audits &amp; auditors&lt;/H1&gt;'/><author><name>John Glenn MBCI</name><uri>http://www.blogger.com/profile/03499458727913967175</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='11' height='32' src='http://bp2.blogger.com/_j2DodcRshS0/R_-0aRRk2PI/AAAAAAAAAAk/d-6wSUMOBX4/S220/litehous-sml.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5931600765099861931.post-4007092518237002056</id><published>2011-06-24T12:04:00.005+01:00</published><updated>2011-06-24T12:28:16.254+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Enterprise Risk Management'/><category scheme='http://www.blogger.com/atom/ns#' term='Business Continuity'/><title type='text'>Got it right - almost</title><content type='html'>&lt;P&gt;
&amp;nbsp;
&lt;/P&gt;&lt;P&gt;
I'm currently looking for a new opportunity - have passport / will travel - so once again I'm lurking on the major job boards, e.g., Careerbuilder, Monster, DRII, and DRJ. 
&lt;/P&gt;&lt;P&gt;
I found one this morning for a Business Continuity Manager that looked really good from an enterprise business continuity perspective. A lot of the "right" words.
&lt;/P&gt;&lt;P&gt;
&lt;h2&gt;&lt;FONT SIZE=+1&gt;ESSENTIAL DUTIES &amp; RESPONSIBILITIES&lt;/FONT&gt;&lt;/H2&gt;
&lt;/P&gt;&lt;P&gt;
&lt;UL&gt;&lt;LI&gt;Capitalize on business opportunities to refine and optimize business processes to mitigate exposure during disruptions of service, and, possibly, improve day-to-day operations.&lt;/LI&gt;&lt;/UL&gt;
&lt;/P&gt;&lt;P&gt;
I &lt;I&gt;really&lt;/I&gt; like this. It shows someone understands that "process improvement" is an integral part of business continuity - IF the client allows the practitioner to consider, and recommend, possible improvements.
&lt;/P&gt;&lt;P&gt;
&lt;h2&gt;&lt;FONT SIZE=+1&gt;OTHER DUTIES AND RESPONSIBILITIES&lt;/FONT&gt;&lt;/H2&gt;
&lt;/P&gt;&lt;P&gt;
&lt;UL&gt;&lt;LI&gt;Establish business continuity and disaster recovery testing methodologies; assure recovery procedures are effective for the restoration of critical business processes and key personnel. Ensure all components of the Business Continuity Plan are successfully tested at least annually, or whenever significant changes are made to those components. Plan and coordinate at least one simulation exercise a year, involving all critical business units and functional areas.&lt;/LI&gt;&lt;/UL&gt;
&lt;/P&gt;&lt;P&gt;
Everything looked really good until the third bullet from the bottom (of the advertisement).
&lt;/P&gt;&lt;P&gt;
&lt;h2&gt;&lt;FONT SIZE=+1&gt;EDUCATION and/or EXPERIENCE:&lt;/FONT&gt;&lt;/H2&gt;
&lt;/P&gt;&lt;P&gt;
&lt;UL&gt;&lt;LI&gt;Working knowledge of data processing and telecommunications in order to assist in the preparation of recovery procedures in this area.&lt;/LI&gt;&lt;/UL&gt;
&lt;/P&gt;&lt;P&gt;
Why a "working knowledge of data processing and telecommunications?" Why not a "working knowledge of HR" or Facilities or Finance or Shipping or . . .  ? 
&lt;/P&gt;&lt;P&gt;
In this instance HR and Facilities probably are more important than data processing. Telecom for this advertiser is a toss-up.
&lt;/P&gt;&lt;P&gt;
Certainly data processing and telecom must be restored, but &lt;B&gt;WHY&lt;/B&gt; only the requirement for these functions?
&lt;/P&gt;&lt;P&gt;
There was one bullet under the &lt;B&gt;ESSENTIAL DUTIES &amp; RESPONSIBILITIES&lt;/B&gt; heading that caught my eye. I have mixed  emotions about it. The bulleted paragraph reads:
&lt;/P&gt;&lt;P&gt;
&lt;UL&gt;&lt;LI&gt;Lead the development of Business Continuity Plan and procedures in a disaster situation; provide 7x24 on-call support for any emergency which may require activation of all or part of the Business Continuity Plans. In the event that activation is required, serve as liaison between the senior management and the Business Continuity Teams.&lt;/LI&gt;&lt;/UL&gt;
&lt;/P&gt;&lt;P&gt;
"Lead the development of Business Continuity Plan and procedures in a disaster situation" is a pretty broad statement. Besides, what if the practitioner is off in &lt;A HREF="http://en.wikipedia.org/wiki/Timbuktu" TARGET="Timbuktu"&gt;Timbuktu&lt;/A&gt; and can't return home until who-knows-when? That's why even the practitioner &lt;B&gt;must have an alternate&lt;/B&gt;. Beyond that, developing a plan and procedures "in a disaster situation" is akin to closing the barn door after the livestock escaped.
&lt;/P&gt;&lt;P&gt;
The selected candidate also will "provide 7x24 on-call support for any emergency which may require activation of all or part of the Business Continuity Plans." That is broadly phrased so it can be read - as I would interpret it - to mean &lt;I&gt;either&lt;/I&gt; the practitioner or an alternate would be on call.
&lt;/P&gt;&lt;P&gt;
What I &lt;B&gt;did&lt;/B&gt; like was the final sentence: "In the event that activation is required, serve as liaison between the senior management and the Business Continuity Teams." This sentence clearly defines the practitioner's &lt;I&gt;primary&lt;/I&gt; role: "serve as liaison between the senior management and the Business Continuity Teams." That statement, however, seems to contradict the requirement for the practitioner to have a "working knowledge of data processing and telecommunications." 
&lt;/P&gt;&lt;P&gt;
&lt;a href="http://3.bp.blogspot.com/-fWmwVc7JxMw/TgRzcrqGbzI/AAAAAAAAAEk/EchP8lZIdLM/s1600/camel.png"&gt;&lt;img style="float:right; margin:0 0 10px 10px;cursor:pointer; cursor:hand;width: 191px; height: 168px;" src="http://3.bp.blogspot.com/-fWmwVc7JxMw/TgRzcrqGbzI/AAAAAAAAAEk/EchP8lZIdLM/s320/camel.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5621745171458060082" /&gt;&lt;/a&gt;
I wonder if the job requisition/description wasn't cobbled together by a committee.
&lt;/P&gt;&lt;P&gt;
Obviously &lt;I&gt;someone&lt;/I&gt; understands business continuity, and just as obviously, someone (else) thinks business continuity is just another name for IT disaster recovery.
&lt;/P&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5931600765099861931-4007092518237002056?l=johnglennmbci.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://johnglennmbci.blogspot.com/feeds/4007092518237002056/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5931600765099861931&amp;postID=4007092518237002056&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/4007092518237002056'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/4007092518237002056'/><link rel='alternate' type='text/html' href='http://johnglennmbci.blogspot.com/2011/06/got-it-right-almost.html' title='&lt;H1&gt;Got it right - almost&lt;/H1&gt;'/><author><name>John Glenn MBCI</name><uri>http://www.blogger.com/profile/03499458727913967175</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='11' height='32' src='http://bp2.blogger.com/_j2DodcRshS0/R_-0aRRk2PI/AAAAAAAAAAk/d-6wSUMOBX4/S220/litehous-sml.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/-fWmwVc7JxMw/TgRzcrqGbzI/AAAAAAAAAEk/EchP8lZIdLM/s72-c/camel.png' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5931600765099861931.post-3318152204285340611</id><published>2011-06-23T19:44:00.005+01:00</published><updated>2011-06-23T19:49:30.620+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Enterprise Risk Management'/><category scheme='http://www.blogger.com/atom/ns#' term='Business Continuity'/><title type='text'>Risk is recognized,but not controlled?</title><content type='html'>&lt;P&gt;
&amp;nbsp;
&lt;/P&gt;&lt;P&gt;
In December 2010 the Economist Intelligence Unit *  conducted a SAP-sponsored worldwide survey of 385 senior executives from finance, risk, compliance and legal functions. All respondents were executives in one of the following industries: 
&lt;/P&gt;&lt;P&gt;
&lt;UL&gt;&lt;LI&gt;financial services 
&lt;/P&gt;&lt;P&gt;
&lt;/LI&gt;&lt;LI&gt;healthcare
&lt;/P&gt;&lt;P&gt;
&lt;/LI&gt;&lt;LI&gt;energy and utilities 
&lt;/P&gt;&lt;P&gt;
&lt;/LI&gt;&lt;LI&gt;logistics and manufacturing 
&lt;/P&gt;&lt;P&gt;
&lt;/LI&gt;&lt;LI&gt;public sector&lt;/LI&gt;&lt;/UL&gt; 
&lt;/P&gt;&lt;P&gt;
Outside the public sector, 63% of respondents work for companies with annual revenue of over US$500m or the equivalent, and 25% work for firms with over US$5bn in annual revenue. The average annual company revenue was around US$4bn. One-third of the respondents are employed in Western Europe, 28% in the Asia-Pacific region and 27% in North America. 
&lt;/P&gt;&lt;P&gt;
The full report is found at &lt;A HREF="http://digitalresearch.eiu.com/enterpriseriskandcompliance/report" TARGET="Full"&gt;http://digitalresearch.eiu.com/enterpriseriskandcompliance/report&lt;/A&gt;; it is summarized at &lt;A HREF="http://digitalresearch.eiu.com/enterpriseriskandcompliance/highlights" TARGET="Sum"&gt;http://digitalresearch.eiu.com/enterpriseriskandcompliance/highlights&lt;/A&gt;.
&lt;/P&gt;&lt;P&gt;
For many respondents the high scores from self assessments fail to match reality as determined by the Economist Intelligence Unit. 
&lt;/P&gt;&lt;P&gt;
One interesting statistic was the result of asking the responders "How do the risk and compliance practices of your organization rate relative to the rest of your industry?"
&lt;/P&gt;&lt;P&gt;
Responses were broken down between those organizations that had suffered an event and those that were - so far - unscathed.
&lt;/P&gt;&lt;P&gt;
Executives of those organizations that had survived an event were far more conservative in their thinking (see graphic, below).
&lt;/P&gt;&lt;P&gt;
&lt;a href="http://3.bp.blogspot.com/-6IQcb-DhXWI/TgOKD30O08I/AAAAAAAAAEc/7QTXGKljZb4/s1600/InGeneral.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 199px;" src="http://3.bp.blogspot.com/-6IQcb-DhXWI/TgOKD30O08I/AAAAAAAAAEc/7QTXGKljZb4/s400/InGeneral.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5621488559015777218" /&gt;&lt;/a&gt;
&lt;/P&gt;&lt;P&gt;
While the report may not be an eye-opener to most risk management practitioners, it does provide useful information.
&lt;/P&gt;&lt;P&gt;
&amp;nbsp;&lt;HR width=60%&gt;&amp;nbsp; 
&lt;/P&gt;&lt;P&gt;
&lt;FONT SIZE=-1&gt;* &lt;I&gt;The Economist Intelligence Unit is the business-to-business arm of The Economist Group, which publishes The Economist Newspaper. Like The Economist, we are known for our global perspective, accurate analysis, objective thinking, business acumen and influential opinions. We pride ourselves as the world’s foremost provider of country, industry and management analysis. For nearly 65 years, the Economist Intelligence Unit has delivered vital business intelligence to influential decision-makers around the world. Our extensive international reach and unfettered independence make us the most trusted and valuable resource for international companies, financial institutions, universities and government agencies. Today we have over 150 full-time country specialists and economists supported by an unparalleled global network of 650+ contributing analysts and editors&lt;/I&gt;&lt;/FONT&gt;
&lt;/P&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5931600765099861931-3318152204285340611?l=johnglennmbci.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://digitalresearch.eiu.com/enterpriseriskandcompliance/report' title='&lt;H1&gt;Risk is recognized,&lt;BR&gt;but not controlled?&lt;/H1&gt;'/><link rel='replies' type='application/atom+xml' href='http://johnglennmbci.blogspot.com/feeds/3318152204285340611/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5931600765099861931&amp;postID=3318152204285340611&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/3318152204285340611'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/3318152204285340611'/><link rel='alternate' type='text/html' href='http://johnglennmbci.blogspot.com/2011/06/risk-is-recognized-but-not-controlled.html' title='&lt;H1&gt;Risk is recognized,&lt;BR&gt;but not controlled?&lt;/H1&gt;'/><author><name>John Glenn MBCI</name><uri>http://www.blogger.com/profile/03499458727913967175</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='11' height='32' src='http://bp2.blogger.com/_j2DodcRshS0/R_-0aRRk2PI/AAAAAAAAAAk/d-6wSUMOBX4/S220/litehous-sml.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/-6IQcb-DhXWI/TgOKD30O08I/AAAAAAAAAEc/7QTXGKljZb4/s72-c/InGeneral.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5931600765099861931.post-2126298786996949818</id><published>2011-05-31T02:04:00.006+01:00</published><updated>2011-06-01T21:36:24.617+01:00</updated><title type='text'>Putting a surplus to 
use</title><content type='html'>&lt;P&gt;&amp;nbsp;
&lt;/P&gt;&lt;P&gt;
&lt;FONT SIZE=+1&gt;Q1:&amp;nbsp;&amp;nbsp; What is piled high in sea ports and rail heads around the world?
&lt;/P&gt;&lt;P&gt;
Q2:&amp;nbsp;&amp;nbsp;What is one of the biggest problems in developing countries?
&lt;/P&gt;&lt;P&gt;
A1:&amp;nbsp;&amp;nbsp;Containers. 20-foot containers. 40-foot containers.
&lt;/P&gt;&lt;P&gt;
A2:&amp;nbsp;&amp;nbsp;Housing; low cost, functional housing for people, schools, hospitals, manufacturing, and more.
&lt;/P&gt;&lt;P&gt;
What's the connection?&lt;/FONT&gt;
&lt;/P&gt;&lt;P&gt;
Simple - move the containers stacked in ports around the world - including every major port in the U.S. - to places in need of facilities of all types.
&lt;/P&gt;&lt;P&gt;
HAITI - Devastated by an earthquake more than a year ago, thousands of Haitians remain homeless. Schools and hospitals are rubble.
&lt;/P&gt;&lt;P&gt;
This country is pathetically poor; according to the U.S. Agency for International Development (USAID), the annual per capita income is less than $400. "Haiti is the poorest country in the Western Hemisphere," according to USAID (&lt;A HREF="http://www.usaid.gov/policy/budget/cbj2004/latin_america_caribbean/haiti.pdf" TARGET="Haiti"&gt;http://www.usaid.gov/policy/budget/cbj2004/latin_america_caribbean/haiti.pdf&lt;/a&gt;).
&lt;/P&gt;&lt;P&gt;
Of course Haiti is not the only country that could put containers to good use.
&lt;/P&gt;&lt;P&gt;
Refugees in the Sudan - Darfur - could be housed, educated, and provided medical care in modified containers. There are a number of companies in the U.S. that convert containers to housing - that's housing in generic terms; housing for people, for students, for patients, for offices and factories, perhaps even jails. For a small, albeit impressive, sample of container use, go to &lt;A HREF="http://tinyurl.com/lk8w9w" TARGET="fancy"&gt;http://tinyurl.com/lk8w9w&lt;/a&gt;.
&lt;/P&gt;&lt;P&gt;
The "campus," below, was built of containers by Mobile Modular Management Corporation (&lt;A HREF="http://www.mobilemodularrents.com/" TARGET="MMMC"&gt;http://www.mobilemodularrents.com/&lt;/A&gt;).
&lt;/P&gt;&lt;P&gt;
&amp;nbsp;
&lt;/P&gt;&lt;P&gt;
&lt;a href="http://3.bp.blogspot.com/--fcsbaPIr0w/TeRA8d93b7I/AAAAAAAAAEI/ChFYbLU5kC4/s1600/campusmaker.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 85px;" src="http://3.bp.blogspot.com/--fcsbaPIr0w/TeRA8d93b7I/AAAAAAAAAEI/ChFYbLU5kC4/s320/campusmaker.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5612682443190923186" /&gt;&lt;/a&gt;
&lt;/P&gt;&lt;P&gt;
&amp;nbsp;
&lt;/P&gt;&lt;P&gt;
According to its Web site, Mobile Modular "currently serves Alabama, Arkansas, California, Delaware, Florida, Georgia, Louisiana, Maryland, North Carolina, Oklahoma, Pennsylvania, South Carolina, Texas, Virginia, West Virginia and Washington D.C."
&lt;/P&gt;&lt;P&gt;
Imagine clearing out empty containers taking up space at Gulf ports and at the same time generating a great deal of good will for the United States. If anyone wants to be assured that the folks who will use the converted units know they are a gift of the people of the United States, paint the units in red, white, and blue motifs.
&lt;/P&gt;&lt;P&gt;
Most countries have a sea port that can handle container ships. Those that don't, such as Darfur, and those that need containers inland, usually have rail lines; worst case, containers can be trucked overland. Darfur's situation is almost unique in that it is landlocked and surrounded by people not particularly friendly to the area.
&lt;/P&gt;&lt;P&gt;
We're not talking about making people live in 10 foot by 20 foot or 40 foot boxes. 
&lt;/P&gt;&lt;P&gt;
Units are adapted to provide large, multi-floor facilities to meet a variety of needs.
&lt;/P&gt;&lt;P&gt;
The photo below shows a three-story facility being assembled by Germany's &lt;i&gt;Container Lion&lt;/I&gt; (&lt;A HREF="http://www.container-lion.com/en/container-raumcontainer-buerocontainer.php" TARGET="nazi"&gt;http://www.container-lion.com/en/container-raumcontainer-buerocontainer.php&lt;/a&gt;).
&lt;/P&gt;&lt;P&gt;
&amp;nbsp;
&lt;/P&gt;&lt;P&gt;
&lt;a href="http://4.bp.blogspot.com/-JRAfachFSdE/TeRBQHV1T4I/AAAAAAAAAEQ/tDzwDvbSiPc/s1600/3-floors.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 214px;" src="http://4.bp.blogspot.com/-JRAfachFSdE/TeRBQHV1T4I/AAAAAAAAAEQ/tDzwDvbSiPc/s320/3-floors.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5612682780714815362" /&gt;&lt;/a&gt;
&lt;/P&gt;&lt;P&gt;
&amp;nbsp;
&lt;/P&gt;&lt;P&gt;
When I worked for Zim, a shipping company that carts containers around the world, I was told that it wasn't worth returning empty containers to their ports of origin. Because of economics, many ports, certainly the major U.S. ports, have containers stacked up 4, 5, or more levels high. If they are used at all, it is by local homeless who manage to sneak by security.
&lt;/P&gt;&lt;P&gt;
(Yes, Virginia, the U.S., too, could benefit by converting unused containers to dwellings, even if only as barracks and shelters.)
&lt;/P&gt;&lt;P&gt;
How much does it cost to convert containers into a different function? I imagine it depends on the function and the volume of containers to be converted; there usually are "advantages of scale." 
&lt;/P&gt;&lt;P&gt;
It seems it would be a win-win situation.
&lt;/P&gt;&lt;P&gt;
The surplus containers would be reduced at the ports; companies would have work converting the units, shipping companies - are there any American flag carriers? - could carry the converted containers to their destinations, and people in need of the facilities would have a roof over their head. Locally, we could create "container towns" where people could receive the services they need to become taxpaying citizens again.
&lt;/P&gt;&lt;P&gt;
Who would pay for all this?
&lt;/P&gt;&lt;P&gt;
The taxpayer.
&lt;/P&gt;&lt;P&gt;
But consider, the taxpayer already is paying for refugee facilities and getting nothing in return. If American companies modify the containers, taxes will be paid by the companies and the companies' employees; shippers will be paid to move the containers and again, taxes will be paid. At least this way, the taxpayer is getting SOME return on his or her tax dollar and the folks who will use the modified containers will have a constant reminder of this nation's help.
&lt;/P&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5931600765099861931-2126298786996949818?l=johnglennmbci.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://johnglennmbci.blogspot.com/feeds/2126298786996949818/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5931600765099861931&amp;postID=2126298786996949818&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/2126298786996949818'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/2126298786996949818'/><link rel='alternate' type='text/html' href='http://johnglennmbci.blogspot.com/2011/05/putting-surplus-to-use.html' title='&lt;H1&gt;Putting a surplus to use&lt;/H1&gt;'/><author><name>John Glenn MBCI</name><uri>http://www.blogger.com/profile/03499458727913967175</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='11' height='32' src='http://bp2.blogger.com/_j2DodcRshS0/R_-0aRRk2PI/AAAAAAAAAAk/d-6wSUMOBX4/S220/litehous-sml.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/--fcsbaPIr0w/TeRA8d93b7I/AAAAAAAAAEI/ChFYbLU5kC4/s72-c/campusmaker.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5931600765099861931.post-7319026660161237735</id><published>2011-05-26T22:34:00.003+01:00</published><updated>2011-05-26T22:47:47.372+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Enterprise Risk Management'/><category scheme='http://www.blogger.com/atom/ns#' term='Business Continuity'/><title type='text'>ERM-BC-COOP: Gaining knowledge</title><content type='html'>&lt;P&gt;
&amp;nbsp;
&lt;/P&gt;&lt;P&gt;
Before donning my risk management hat I was in "communications."
&lt;/P&gt;&lt;P&gt;
That translates to: technical documentation, public relations, marketing, and newspapering. I never called myself a "journalist"; that was too fancy for the likes of this scrivener.
&lt;/P&gt;&lt;P&gt;
When I worked for the &lt;I&gt;Harrisburg (PA) Patriot-News&lt;/I&gt;, I wrote a full newspaper page about Three-Mile Island and the safety controversy surrounding it at the time.
&lt;/P&gt;&lt;P&gt;
When I started gathering information for the article I knew nothing - nada, zero, klum - about nuclear energy or power plants.
&lt;/P&gt;&lt;P&gt;
By the time I was finished interviewing the pro-plant, the anti-plant, and the state's experts I knew a great deal about nuclear power plants. Hardly an expert, but "knowledgeable."
&lt;/P&gt;&lt;P&gt;
In Gillette, WY, I learned about coal; in Ely, NV, about copper mining and smelting. Aside from knowing about coal fires smoldering under some Pennsylvania towns, before I got to Gillette I had little idea of coal mining and storage. I was educated via "OJT" - "On the Job Training."
&lt;/P&gt;&lt;P&gt;
For a reporter, OJT means interviewing people. It means &lt;B&gt;&lt;U&gt;LISTENING&lt;/U&gt;&lt;/B&gt; to people and asking the "right" questions.
&lt;/P&gt;&lt;P&gt;
Back in the day, reporters were expected to provide, as  Detective Joe Friday (Jack Webb) would intone, "Just the facts"; putting a "spin" on hard news was, to put it mildly, "discouraged."
&lt;/P&gt;&lt;P&gt;
I learned about government's inner workings by interviewing the people in the know. Ditto higher education, banking, transportation, and other topics I discovered really interesting.
&lt;/P&gt;&lt;P&gt;
The thing I learned early on, and the key to whatever success I had as a "communicator," was how to ask questions. Listening to the answers, and often following a tangent suggested by my source, was a major part of &lt;i&gt;Interviewing 101&lt;/i&gt;.
&lt;/P&gt;&lt;P&gt;
This rant is prompted by a blog I read earlier today by auditor Richard Chambers. The entry that caught my eye was titled &lt;U&gt;You Don't Have to Be a Clown to Audit the Circus&lt;/U&gt; in which Mr. Chambers makes much the same point that I often try to make here:
&lt;/P&gt;&lt;P&gt;
&lt;UL&gt;&lt;FONT SIZE=+1&gt;The risk management practitioner need not be an expert in every business function in order to protect the function from risks.&lt;/FONT&gt;&lt;/UL&gt;
&lt;/P&gt;&lt;P&gt;
The risk management practitioner, like the auditor, needs to be expert in his or her field; in our case, risk management.
&lt;/P&gt;&lt;P&gt;
I don't need to know the inner workings of a micro computer nor how bits and bytes are packed for fast transit to "wherever." Likewise I don't need to know double-entry bookkeeping or how to disassemble a 16-inch valve, or how to run a switchboard/reception desk, or even how to provide building security. 
&lt;/P&gt;&lt;P&gt;
I &lt;B&gt;DO&lt;/B&gt; need to know how to talk to the people who do these things.
&lt;/P&gt;&lt;P&gt;
&lt;I&gt;Just for the record, I have done everything except double-entry bookkeeping.&lt;/I&gt;
&lt;/P&gt;&lt;P&gt;
At one point I knew nothing of the Federal Financial Institutions Examination Council; I couldn't even spell "FFIEC." But I listened to a client and "discovered" the FFIEC on the WWW.
&lt;/P&gt;&lt;P&gt;
Funny enough, my next client needed my knowledge of the FFIEC.
&lt;/P&gt;&lt;P&gt;
Besides the ability to listen, interviewers - be they risk management practitioners or auditors - need to be sincerely curious about the processes performed by the folks we are interviewing. 
&lt;/P&gt;&lt;P&gt;
We need to listen to everyone - managers AND the people in the trenches.
&lt;/P&gt;&lt;P&gt;&lt;UL&gt;
I once asked an HR manager if he had anything I needed to consider as a risk.
&lt;/P&gt;&lt;P&gt;
He thought and replied: "Not a thing."
&lt;/P&gt;&lt;P&gt;
His assistant - who had more HR experience than the manager  - innocently asked "What about the I-9s?"
&lt;/P&gt;&lt;P&gt;
Suddenly the HR manager realized he did have something the lack of which could be very expensive if the Feds came asking for the paperwork.
&lt;/UL&gt;&lt;/P&gt;&lt;P&gt;
Talk to everyone.
&lt;/P&gt;&lt;P&gt;
Listen to everyone.
&lt;/P&gt;&lt;P&gt;
What we do &lt;B&gt;NOT&lt;/B&gt; need to be is a Subject Matter Expert (SME) in all things.
&lt;/P&gt;&lt;P&gt;
There is a "flip side" to all the above.
&lt;/P&gt;&lt;P&gt;
A person who is an SME for, say, an HP3000 running Oracle might think he or she knows everything there is to know about HP3000s running Oracle; after all, the expert just completed an audit/plan that involved an HP3000 running Oracle.
&lt;/P&gt;&lt;P&gt;
Except &lt;U&gt;THIS&lt;/U&gt; HP3000 has a different OS version and the Oracle is "tweaked" differently and ... 
&lt;/P&gt;&lt;P&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/-nQN-a1wFjN0/Td7KGLFtaMI/AAAAAAAAAEA/QJKXoIv2H7Q/s1600/banana35.jpg"&gt;&lt;img style="float:right; margin:0 0 10px 10px;cursor:pointer; cursor:hand;width: 320px; height: 240px;" src="http://2.bp.blogspot.com/-nQN-a1wFjN0/Td7KGLFtaMI/AAAAAAAAAEA/QJKXoIv2H7Q/s320/banana35.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5611144393154980034" /&gt;&lt;/a&gt;
I knew how to fly an Aeronca Model 7 Champion, but rest assured flying a "Champ" is a great deal different from piloting a Boeing 7*7 or even a Beechcraft King Air 350i. (By the way, when did the Beech Banana [Bonanza] lose its distinctive "V" tail?)
&lt;/P&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5931600765099861931-7319026660161237735?l=johnglennmbci.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://johnglennmbci.blogspot.com/feeds/7319026660161237735/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5931600765099861931&amp;postID=7319026660161237735&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/7319026660161237735'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/7319026660161237735'/><link rel='alternate' type='text/html' href='http://johnglennmbci.blogspot.com/2011/05/erm-bc-coop-gaining-knowledge.html' title='ERM-BC-COOP: Gaining knowledge'/><author><name>John Glenn MBCI</name><uri>http://www.blogger.com/profile/03499458727913967175</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='11' height='32' src='http://bp2.blogger.com/_j2DodcRshS0/R_-0aRRk2PI/AAAAAAAAAAk/d-6wSUMOBX4/S220/litehous-sml.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/-nQN-a1wFjN0/Td7KGLFtaMI/AAAAAAAAAEA/QJKXoIv2H7Q/s72-c/banana35.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5931600765099861931.post-3029165936066312026</id><published>2011-05-20T21:39:00.001+01:00</published><updated>2011-05-20T21:46:32.042+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Enterprise Risk Management'/><category scheme='http://www.blogger.com/atom/ns#' term='Business Continuity'/><title type='text'>ERM-BC-COOP: Terror targets</title><content type='html'>&lt;P&gt;&amp;nbsp;
&lt;/p&gt;&lt;p&gt;
According to a Global Security Newswire headline on May 20 (&lt;A HREF="http://gsn.nti.org/gsn/nw_20110520_2896.php" TARGET="GSN"&gt;http://gsn.nti.org/gsn/nw_20110520_2896.php&lt;/A&gt;), &lt;i&gt;Antiterrorism Program Cuts Funding for More Than 30 U.S. Cities&lt;/I&gt;,&amp;nbsp;&amp;nbsp;&amp;quot;More than 30 U.S. cities have been informed by the Homeland Security Department that they will not receive terrorism preparedness funding under one top grant program in this budget year due to budget constraints, the Associated Press reported on Friday&amp;quot; 
&lt;/p&gt;&lt;p&gt;
Naturally all the communities on the chopping block are asking "Why us?"
&lt;/p&gt;&lt;p&gt;
The Big Cities are getting the dollars, but the cities in the hinterland are not. The article states that &amp;quot;Some of the cities that will lose out on program funding include Providence, R.I., Hartford, Conn., Bridgeport, Conn. and three Texas cities -- Austin, El Paso and San Antonio. Those Texas population centers were awarded roughly $14.5 million from the funding initiative in fiscal 2010.&amp;quot;
&lt;/p&gt;&lt;p&gt;
Human life in Austin TX is as valuable as human life in New York City, so why one place and not the other?
&lt;/p&gt;&lt;p&gt;
Ignoring politics, consider the purpose of terrorism: Not (just) to kill and maim, but to strike fear into the population.
&lt;/p&gt;&lt;p&gt;
As a terrorist, where could I do the most damage?
&lt;/p&gt;&lt;p&gt;
Austin TX where the folks likely would take up arms and hunt me down?
&lt;/p&gt;&lt;p&gt;
Or unarmed New York City, where an attack strikes not only at Americans but at visitors to these shores as well?
&lt;/p&gt;&lt;p&gt;
Compare Columbus OH with San Francisco. The California city, like Greater New York, has a high density population assuring a bigger bang for the buck, the bang being both death and injury as well as panic and lingering fear.
&lt;/p&gt;&lt;p&gt;
Also consider that some of the communities that will receive the Feds' largesse are port towns - New York, Boston, LA, San Francisco, Seattle - and some of the towns with reduced or eliminated funding are port-free, Bridgeport CT and San Antonio TX being two examples.
&lt;/p&gt;&lt;p&gt;
It is possible that the terrorists will attack wherever an opportunity is presented, but both domestic and imported terrorists typically go for the greatest exposure.
&lt;/p&gt;&lt;p&gt;
Jerusalem and Tel Aviv are more often the scene of suicide murderers than Bet Shean and Zefat, both "tourist" towns but off the main roads.
&lt;/p&gt;&lt;p&gt;
As with all things "risk management," avoidance and mitigation measures must be focused on the greater risks, the more probable risk with the greatest impact if allowed to occur.
&lt;/p&gt;&lt;p&gt;
I don't live in any of the communities mentioned in the article, but I do live close to several major sea and air ports and in an area with more possible threats than anyone dare count.
&lt;/p&gt;&lt;p&gt;
While it would be &lt;i&gt;nice&lt;/i&gt; if money to defend against terrorists was unlimited, that is not the case, so the standard probability vs. impact matrix we routinely use needs to be applied to anti-terrorist funding.
&lt;/p&gt;&lt;p&gt;
Basic risk management.
&lt;/p&gt;&lt;p&gt;
No one likes it, but it's the reality of budgets.
&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5931600765099861931-3029165936066312026?l=johnglennmbci.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://gsn.nti.org/gsn/nw_20110520_2896.php' title='&lt;H1&gt;ERM-BC-COOP: Terror targets&lt;/H1&gt;'/><link rel='replies' type='application/atom+xml' href='http://johnglennmbci.blogspot.com/feeds/3029165936066312026/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5931600765099861931&amp;postID=3029165936066312026&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/3029165936066312026'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/3029165936066312026'/><link rel='alternate' type='text/html' href='http://johnglennmbci.blogspot.com/2011/05/erm-bc-coop-terror-targets.html' title='&lt;H1&gt;ERM-BC-COOP: Terror targets&lt;/H1&gt;'/><author><name>John Glenn MBCI</name><uri>http://www.blogger.com/profile/03499458727913967175</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='11' height='32' src='http://bp2.blogger.com/_j2DodcRshS0/R_-0aRRk2PI/AAAAAAAAAAk/d-6wSUMOBX4/S220/litehous-sml.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5931600765099861931.post-2195760386213862678</id><published>2011-05-18T13:57:00.003+01:00</published><updated>2011-05-18T14:02:46.750+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Mass Mutual'/><category scheme='http://www.blogger.com/atom/ns#' term='Business Continuity'/><title type='text'>ERM-BC-ERM: Ripple effect</title><content type='html'>&lt;P&gt;
&amp;nbsp;
&lt;/P&gt;&lt;P&gt;
I talk about the ripple or domino effect quite a bit.
&lt;/P&gt;&lt;P&gt;
Sometimes this is in connection with vendors.
&lt;/P&gt;&lt;P&gt;
According to a United Press International (UPI) piece on Advisen FPN,  "The (U.S.) Federal Reserve said manufacturing production fell 0.4 percent in April after nine consecutive months of increases. &lt;i&gt;The most notable drop in the sector was a decline in vehicle production, which fell to an annual rate of 7.9 million units from a previous rate of 9 million."&lt;/i&gt; (Emphasis mine.)
&lt;/P&gt;&lt;P&gt;
The Fed blamed the decline in auto production on Japan's earthquake.
&lt;/P&gt;&lt;P&gt;
Consider the global picture.
&lt;/P&gt;&lt;P&gt;
Japanese parts destined for US assembly plants were not manufactured, so they were 
&lt;/P&gt;&lt;UL&gt;&lt;P&gt;
&lt;LI&gt;not stuffed into truck-to-train-to-ship containers
&lt;/P&gt;&lt;P&gt;
&lt;/LI&gt;&lt;/P&gt;&lt;P&gt;&lt;LI&gt;not shipped to Japanese ports
&lt;/LI&gt;&lt;/P&gt;&lt;P&gt;&lt;LI&gt;not inspected by U.S. agents stationed in Japan
&lt;/LI&gt;&lt;/P&gt;&lt;P&gt;&lt;LI&gt;not shipped to the U.S. west coast ports
&lt;/LI&gt;&lt;/P&gt;&lt;P&gt;&lt;LI&gt;not off-loaded by union stevedores at US ports
&lt;/LI&gt;&lt;/P&gt;&lt;P&gt;&lt;LI&gt;(&lt;i&gt;import duties, if any, were not collected&lt;/I&gt;)
&lt;/LI&gt;&lt;/P&gt;&lt;P&gt;&lt;LI&gt;not shipped by rail and truck to assembly plants
&lt;/LI&gt;&lt;/P&gt;&lt;P&gt;&lt;LI&gt;not assembled into "American made" vehicles
&lt;/LI&gt;&lt;/P&gt;&lt;P&gt;&lt;LI&gt;not shipped by rail and truck to dealers across the U.S.
&lt;/LI&gt;&lt;/P&gt;&lt;P&gt;&lt;LI&gt;not sold by sales people at the dealerships
&lt;/UL&gt;&lt;/P&gt;&lt;P&gt;
Plus, additional parts never made it to dealership maintenance facilities, so faulty or damaged parts were not replaced, possibly putting unsafe vehicles on the road.
&lt;/P&gt;&lt;P&gt;
But it doesn't stop there.
&lt;/P&gt;&lt;P&gt;
I'm not sure if anyone at any of the Japanese assembly plants in the U.S. was laid off, but I am sure that sales people who have nothing to sell have $0 commissions, so unless they have a nice financial buffer in the local bank, there could be missed mortgage payments, reduced spending at the supermarket, fewer entertainment-related purchases, fewer miles traveled - and less fuel bought, and on and on.
&lt;/P&gt;&lt;P&gt;
Granted, there may - MAY - be "pent up demand" when Japanese parts start arriving on America's shores again (meanwhile Korea's Hyundai and Kia are enjoying record sales and even U.S. automakers are noting an uptick in sales).
&lt;/P&gt;&lt;P&gt;
We have a global economy; no longer is any country's economy independent of others' economies, be they across the border or around the world.
&lt;/P&gt;&lt;P&gt;
The U.S. had an "economic meltdown" and most of the world felt the heat. 
&lt;/P&gt;&lt;P&gt;
When the dominos start to fall, they fall around the world.
&lt;/P&gt;&lt;P&gt;Something to think about.&lt;/P&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5931600765099861931-2195760386213862678?l=johnglennmbci.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://tinyurl.com/4xpc2ut' title='&lt;H1&gt;ERM-BC-ERM: Ripple effect&lt;/H1&gt;'/><link rel='replies' type='application/atom+xml' href='http://johnglennmbci.blogspot.com/feeds/2195760386213862678/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5931600765099861931&amp;postID=2195760386213862678&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/2195760386213862678'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/2195760386213862678'/><link rel='alternate' type='text/html' href='http://johnglennmbci.blogspot.com/2011/05/erm-bc-erm-ripple-effect.html' title='&lt;H1&gt;ERM-BC-ERM: Ripple effect&lt;/H1&gt;'/><author><name>John Glenn MBCI</name><uri>http://www.blogger.com/profile/03499458727913967175</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='11' height='32' src='http://bp2.blogger.com/_j2DodcRshS0/R_-0aRRk2PI/AAAAAAAAAAk/d-6wSUMOBX4/S220/litehous-sml.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5931600765099861931.post-2582707540220348163</id><published>2011-05-15T22:11:00.007+01:00</published><updated>2011-05-15T22:27:42.622+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Enterprise Risk Management'/><category scheme='http://www.blogger.com/atom/ns#' term='Business Continuity'/><title type='text'>ERM-BC-COOP: Awards</title><content type='html'>&lt;P&gt;
&amp;nbsp;
&lt;/P&gt;&lt;P&gt;
The other day I read an appeal by a person claiming Business Continuity Management expertise, including, specifically "Business Impact Analysis," asking members of a supposedly professional group "for some suggestions on inclusions for a BIA questionaire"&lt;SUP&gt;(sic)&lt;/SUP&gt;. The appeal, for what it's worth, is at &lt;A HREF="http://tinyurl.com/3ty5otb" TARGET="NEWPAGE"&gt;http://tinyurl.com/3ty5otb&lt;/A&gt;. 
&lt;/P&gt;&lt;P&gt;
I suggested, as I often do, that people claiming expertise but lacking same, cause practitioners with time-in-grade to take up Jacob Cohen's plaint: "&lt;I&gt;I don't get no respect.&lt;/I&gt;"
&lt;/P&gt;&lt;P&gt;
We ought, I suggested to a couple of my peers, to create an award with Mr. Cohen's mug on it and present it to the people who cause us to exclaim that infamous expression.
&lt;/P&gt;&lt;P&gt;
I'd show you a photo of the late Mr. Cohen, but due to copyright vigilantes I'm forced to forgo the pleasure. You may, of course, visit &lt;A HREF="http://tinyurl.com/3n9opvj" TARGET="MUGS"&gt;http://tinyurl.com/3n9opvj&lt;/A&gt; to see the gentleman's photographs.
&lt;/P&gt;&lt;P&gt;
But today I realized we also need an award for executives who fail to engage our expertise - at least those of us who DO have the expertise - or, worse, fail to implement our carefully researched and thought out recommendations.
&lt;/P&gt;&lt;P&gt;
Such people make me &lt;FONT FACE="Comic Sans MS"&gt;MAD&lt;/FONT&gt;, and it is from MAD Magazine that I found my poster boy for this award. 
&lt;/P&gt;&lt;P&gt;
Good ol' Alfred E. (&lt;A HREF="http://tinyurl.com/3o23al7" TARGET="MAD"&gt;http://tinyurl.com/3o23al7&lt;/A&gt;)
&lt;/P&gt;&lt;P&gt;
But, like Mr. Cohen, a/k/a Rodney Dangerfield, I fear to run Alfred E.'s likeness here.
&lt;/P&gt;&lt;P&gt;
But picture MAD's favorite cover guy with his famous "What, me worry?" statement on a suitably framed award. 
&lt;/P&gt;&lt;P&gt;
Since I am musing about awards, maybe there also should be an award for "business continuity" practitioners who deal only with Information Technology.
&lt;/P&gt;&lt;P&gt;
My recommendation for this award's poster boy is Moshe Dayan, the late one-eyed Israeli general and politician (or are "general" and "politician" redundant?).
&lt;/P&gt;&lt;P&gt;
Don't like Dayan? Maybe a cartoon character with a telescope. The one here is a royalty-free image from Microsoft Word's collection.
&lt;/P&gt;&lt;P&gt;
There's nothing wrong with a business continuity planner coming from an InfoTech background, but all practitioners need to understand that InfoTech &lt;i&gt;usually&lt;/i&gt; is a &lt;b&gt;profit center resource&lt;/b&gt; rather than the profit center.
&lt;/P&gt;&lt;P&gt;
How about an Alex Trebek (&lt;A HREF="http://jackpendarvis.blogspot.com/2009/03/vintage-trebek.html" TARGET="ALEX"&gt;http://jackpendarvis.blogspot.com/2009/03/vintage-trebek.html&lt;/A&gt;) award for the client who expects the practitioner to know everything about everything, not realizing that a really good business continuity practitioner is an expert in one field: business continuity.
&lt;/P&gt;&lt;P&gt;
Have an idea for an award? Share it with me at JohnGlennMBCI@gmail.com .
&lt;?P&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5931600765099861931-2582707540220348163?l=johnglennmbci.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://johnglennmbci.blogspot.com/feeds/2582707540220348163/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5931600765099861931&amp;postID=2582707540220348163&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/2582707540220348163'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/2582707540220348163'/><link rel='alternate' type='text/html' href='http://johnglennmbci.blogspot.com/2011/05/erm-bc-coop-awards.html' title='&lt;H1&gt;ERM-BC-COOP: Awards&lt;/H1&gt;'/><author><name>John Glenn MBCI</name><uri>http://www.blogger.com/profile/03499458727913967175</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='11' height='32' src='http://bp2.blogger.com/_j2DodcRshS0/R_-0aRRk2PI/AAAAAAAAAAk/d-6wSUMOBX4/S220/litehous-sml.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5931600765099861931.post-1697212812845780332</id><published>2011-05-13T21:29:00.007+01:00</published><updated>2011-05-22T12:23:00.530+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Enterprise Risk Management'/><category scheme='http://www.blogger.com/atom/ns#' term='BC vs. DR'/><category scheme='http://www.blogger.com/atom/ns#' term='Business Continuity'/><title type='text'>ERM-BC-COOP: There ought'a be an award for . . . </title><content type='html'>&lt;P&gt;
&amp;nbsp;
&lt;/P&gt;&lt;DIV ALIGN=CENTER&gt;&lt;P&gt;
JOHN GLENN
&lt;/P&gt;&lt;P&gt;
Enterprise Risk Management Practitioner &amp; Curmudgeon
&lt;/P&gt;&lt;/DIV&gt;&lt;P&gt;
&lt;FONT SIZE=+1&gt;Most enterprise risk management (business continuity) practitioners participate on, or at least &amp;quot;lurk&amp;quot; on, one or more professional lists.
&lt;/P&gt;&lt;P&gt;
There are many.
&lt;/P&gt;&lt;P&gt;
DRJ has its Forum and a separate presence on LinkedIn.
&lt;/P&gt;&lt;P&gt;
There are numerous business continuity groups on LinkedIn, including the BC-COOP group.
&lt;/P&gt;&lt;P&gt;
There are Yahoo groups for business continuity and emergency management.
&lt;/P&gt;&lt;P&gt;
And of course there are sundry groups focused on Information Technology issues of concern to a practitioner. Most of the time, the discussions are professional.
&lt;/P&gt;&lt;P&gt;
&lt;UL&gt;&lt;LI&gt;A tyro asking how to approach something.
&lt;/P&gt;&lt;P&gt;
&lt;/LI&gt;&lt;LI&gt;A pro telling how he or she managed to overcome an obstacle.&lt;/LI&gt;&lt;/UL&gt;
&lt;/P&gt;&lt;P&gt;
But occasionally, alas all too frequently, we read a post asking experienced practitioners to give away the farm.
&lt;/P&gt;&lt;P&gt;
Most practitioners are delighted to mentor the juniors and newbies. We once were in their shoes.
&lt;/P&gt;&lt;P&gt;
But most experienced practitioners are, to be polite, miffed when asked to do the work for a person claiming to have experience, especially when that person claims expertise in the area in which they are seeking &lt;I&gt;basic&lt;/I&gt; help.
&lt;/P&gt;&lt;P&gt;
My refrain, one I share with a number of my peers, is &amp;quot;We're becoming a Jacob Cohen profession&amp;quot; due to people &lt;I&gt;claiming&lt;/I&gt; expertise they sorely lack.
&lt;/P&gt;&lt;P&gt;
It became abundantly obvious when one person, appealing for help from a group, admitted via post-appeal correspondence, that his employer of many years insisted he appeal to a wider audience, &lt;I&gt;despite&lt;/I&gt; the person's claim to expertise in the area in which he sought assistance.
&lt;/P&gt;&lt;P&gt;
It's no wonder, then, as Jacob Cohen continually whined, we &amp;quot;don't get no respect.&amp;quot;
&lt;/P&gt;&lt;P&gt;
Our profession, with tyros masquerading as experts, causes us to &amp;quot;get no respect.&amp;quot;
&lt;/P&gt;&lt;P&gt;
Because of people such as the tyro-pretending-to-expertise, I suggested to some of my peers that we need an award for such folk.&lt;/font&gt;
&lt;/P&gt;&lt;P&gt;
&lt;h2&gt;&lt;font size=+1&gt;No Respect Award&lt;/font&gt;&lt;/h2&gt;
&lt;/P&gt;&lt;P&gt;
The first &amp;quot;award&amp;quot; that comes to mind is the &amp;quot;We Don't Get No Respect&amp;quot; award.
&lt;/P&gt;&lt;P&gt;
The poster boy for this award would be the late Jacob Cohen's alter ego, Rodney Dangerfield.
&lt;/P&gt;&lt;P&gt;
Mr. Dangerfield made a career of five words: &amp;quot;I don't get no respect.&amp;quot;
&lt;/P&gt;&lt;P&gt;
For us, the profession &amp;quot;don't get no respect&amp;quot; when it's populated by tyros flying professional colors. When a novice with a manufactured resume is turned loose on a client, old timers hope that these mountebanks are hoisted by their own petards.
&lt;/P&gt;&lt;P&gt;
That some organizations are cognizant that the practitioner lacks expertise is obvious when one such practitioner admitted that his employer instructed him to ask the on-line groups for help.  
&lt;/P&gt;&lt;P&gt;
&lt;h2&gt;&lt;font size=+1&gt;Microscope Award&lt;/font&gt;&lt;/h2&gt;
&lt;/P&gt;&lt;P&gt;
This award could have a microscope rampant on a field of personal, macro, mini, and mainframe computers ranging from the Berkeley Enterprises' Simon introduced in 1950 - yes, 1950, that's not a typo - (http://www.blinkenlights.com/pc.shtml) to today's smallest and largest machines.
&lt;/P&gt;&lt;P&gt;
I like the microscope since the focus of this award winner is strictly Information Technology. Ignored is the fact that Information Technology rarely is a profit center; its role most often is as a critical profit center's resource.
&lt;/P&gt;&lt;P&gt;
Winners of this award are convinced that if InfoTech can be recovered following an event, all is right with the world. Never mind the profit centers that fund Information Technology and never mind avoidance or mitigation efforts.
&lt;/P&gt;&lt;P&gt;
&lt;h2&gt;&lt;font size=+1&gt;Head In the Sand Award&lt;/font&gt;&lt;/h2&gt;
&lt;/P&gt;&lt;P&gt;
The &amp;quot;Head in the Sand&amp;quot; award also could be known as the Ostrich Award; this award would feature an ostrich with its head in the sand. 
&lt;/P&gt;&lt;P&gt;
This award goes to organizational management that either
&lt;/P&gt;&lt;P&gt;
&lt;UL&gt;
&lt;/P&gt;&lt;P&gt;
a.&amp;nbsp;&amp;nbsp;&amp;nbsp;fails to engage &lt;I&gt;qualified&lt;/I&gt; practitioners, or  
&lt;/P&gt;&lt;P&gt;
b.&amp;nbsp;&amp;nbsp;&amp;nbsp;fails to implement the qualified practitioners' recommendations.&lt;/UL&gt;
&lt;/P&gt;&lt;P&gt;
In the first instance, one has to wonder why a practitioner was engaged in the first place. The most probable reason is because the organization is trying to get business from a potential client that demands its vendors have risk management or because the organization has a government or industry mandate to have risk management.
&lt;/P&gt;&lt;P&gt;
We all understand that not all recommendations will be implemented, and certainly not necessarily in the order we think appropriate. That's why management always retains the right to prioritize implementation of the practitioner's suggestions. 
&lt;/P&gt;&lt;P&gt;
Smart management may challenge a practitioner's priorities and perhaps the practitioner's reasoning why Option A would be better for the organization than Option B, but in the end, some option will be put into practice.
&lt;/P&gt;&lt;P&gt;
&lt;h2&gt;&lt;font size=+1&gt;Ice Floe Award&lt;/font&gt;&lt;/h2&gt;
&lt;/P&gt;&lt;P&gt;
Picture a polar bear adrift on a chunk of ice, far away from any solid surface. 
&lt;/P&gt;&lt;P&gt;
The &amp;quot;Ice Floe&amp;quot; award is presented to the practitioner - or perhaps the client manager - who thinks a risk management project can be successfully put together with zero input from anyone.
&lt;/P&gt;&lt;P&gt;
No successful plan can be created in a vacuum; input must come from all sources, from newest intern to most senior executive.
&lt;/P&gt;&lt;P&gt;
Managers who refuse to share information about the organization's direction or who prevent the practitioner from having access to all personnel who the practitioner - not the manager - deems to have critical information, almost guarantee that should an event occur, the plan will fail.
&lt;/P&gt;&lt;P&gt;
&lt;h2&gt;&lt;font size=+1&gt;Spilled Ink Award&lt;/font&gt;&lt;/h2&gt;
&lt;/P&gt;&lt;P&gt;
Does anyone still fill real ink pens from an ink bottle?
&lt;/P&gt;&lt;P&gt;
Probably not, but a tipped over bottle of ink remains a suitable graphic symbol to award a practitioner who can't spell &amp;quot;practitioner.&amp;quot;
&lt;/P&gt;&lt;P&gt;
Documentation plays a large part in every risk management program and every project within the program.
&lt;/P&gt;&lt;P&gt;
From a Statement of Work - or maybe even a proposal - to the final deliverable, the practitioner is called upon to be a wordsmith with a better-than-average command of the local language.
&lt;/P&gt;&lt;P&gt;
Indeed, the practitioner may need to communicate his or her thoughts, concerns, and reasoning to several different audiences, each with its own interests.
&lt;/P&gt;&lt;P&gt;
The practitioner who is honored with this award can claim a high level of self confidence, sufficient that he or she forgoes spell check before submitting a document.
&lt;/P&gt;&lt;P&gt;
&lt;h2&gt;&lt;font size=+1&gt;Know Everything Award&lt;/font&gt;&lt;/h2&gt;
&lt;/P&gt;&lt;P&gt;
This award would have Alex Trebek's likeness on it and would be awarded to managers who believe a risk management practitioner needs to know everything about the organization, preferably before the practitioner's credentials are reviewed.
&lt;/P&gt;&lt;P&gt;
It's fairly common that organizations expect the risk management practitioner to be an expert in data security, but often there is a requirement that the practitioner have experience in a specific industry.
&lt;/P&gt;&lt;P&gt;
Granted, there are regulated industries and a practitioner who already knows which regulations apply has a head start, but the bottom lines are that
&lt;/P&gt;&lt;P&gt;
&lt;ul&gt;a.&amp;nbsp;&amp;nbsp;&amp;nbsp;99 percent of all regulations are available either on-line or in the client's library, and
&lt;/P&gt;&lt;P&gt;
b.&amp;nbsp;&amp;nbsp;&amp;nbsp;the core processes of all plans are the same
&lt;/P&gt;&lt;P&gt;
&lt;UL&gt;&lt;LI&gt;Identify key processes
&lt;/P&gt;&lt;P&gt;
&lt;/LI&gt;&lt;LI&gt;Identify risks to the processes 
&lt;/P&gt;&lt;P&gt;
&lt;/LI&gt;&lt;LI&gt;Identify ways to manage the risks via avoidance, mitigation, or transfer
&lt;/P&gt;&lt;P&gt;
&lt;/LI&gt;&lt;LI&gt;Prioritize the risks
&lt;/P&gt;&lt;P&gt;
&lt;/LI&gt;&lt;LI&gt;Make recommendations to management on how to manage the risks (ergo &amp;quot;risk management&amp;quot;).&lt;/LI&gt;&lt;/UL&gt;&lt;/UL&gt;
&lt;/P&gt;&lt;P&gt;
In truth, the &lt;B&gt;only&lt;/B&gt; subject in which the practitioner need be expert is risk management, a/k/a business continuity or resiliency or COOP or whatever the term du jour.
&lt;/P&gt;&lt;P&gt;
&lt;h2&gt;&lt;font size=+1&gt;Flying Funds Award&lt;/font&gt;&lt;/h2&gt;
&lt;/P&gt;&lt;P&gt;
The &amp;quot;Flying Funds&amp;quot; award, which also can be labeled &amp;quot;My bucket's got a hole in it,&amp;quot; goes to management that pays to have a plan created and then ignores it. This award is related to the &amp;quot;Head in the Sand Award&amp;quot; and often is presented to the same person or management team.
&lt;/P&gt;&lt;P&gt;
This wastes the organization's finances - as well as the practitioner's and plan contributors' time - since a plan neither exercised nor maintained quickly loses its value.
&lt;/P&gt;&lt;P&gt;
Ignored plans, if ever implemented, usually fail and, as most practitioners know all too well, all fingers point to the practitioner, even if the practitioner is long gone from the job.
&lt;/P&gt;&lt;P&gt;
&lt;h2&gt;&lt;font size=+1&gt;And finally&lt;/font&gt;&lt;/h2&gt;
&lt;/P&gt;&lt;P&gt;
An Honorable Mention for pounding round pegs into a template's square holes.
&lt;/P&gt;&lt;P&gt;
This certificate is presented to managers and practitioners who believe that filling in a form or template pulled from the Web or a book will give the organization a plan that will assure its survival &amp;quot;in the event of.&amp;quot;
&lt;/P&gt;&lt;P&gt;
There ARE good programs that, in the hands of an experienced practitioner, are useful tools, tools that are adapted to meet specific requirements. Unfortunately, most templates and programs in the hands of a novice only lead an organization to a false sense of security.
&lt;/P&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5931600765099861931-1697212812845780332?l=johnglennmbci.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://johnglennmbci.blogspot.com/feeds/1697212812845780332/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5931600765099861931&amp;postID=1697212812845780332&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/1697212812845780332'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/1697212812845780332'/><link rel='alternate' type='text/html' href='http://johnglennmbci.blogspot.com/2011/05/erm-bc-coop-expertise-less.html' title='&lt;H1&gt;ERM-BC-COOP: There ought&apos;a &lt;BR&gt;be an award for . . . &lt;/H1&gt;'/><author><name>John Glenn MBCI</name><uri>http://www.blogger.com/profile/03499458727913967175</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='11' height='32' src='http://bp2.blogger.com/_j2DodcRshS0/R_-0aRRk2PI/AAAAAAAAAAk/d-6wSUMOBX4/S220/litehous-sml.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5931600765099861931.post-3284020348173754473</id><published>2011-05-03T17:47:00.002+01:00</published><updated>2011-05-03T17:51:51.205+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Enterprise Risk Management'/><category scheme='http://www.blogger.com/atom/ns#' term='Business Continuity'/><title type='text'>ERM-BC-COOP: Inevitable</title><content type='html'>&lt;P&gt;
&amp;nbsp;
&lt;/P&gt;&lt;P&gt;
An attack following Osama bin Laden's alleged execution &lt;b&gt;will&lt;/b&gt; - not "may" - be forthcoming.
&lt;/P&gt;&lt;P&gt;
I carefully word that.
&lt;/P&gt;&lt;P&gt;
Not an "attack to avenge" or "an attack of revenge" for that would suggest that the attack will be by a Moslem, albeit not necessarily an Arab Moslem - radical Islam is not restricted to Arabs.
&lt;/P&gt;&lt;P&gt;
A revenge attack probably &lt;i&gt;will&lt;/i&gt; happen - an attack by a Moslem individual or group, but Bin Laden's claimed death also opens the door for other crazies, non-Moslem crazies, to reap the whirlwind.
&lt;/P&gt;&lt;P&gt;
Who brought down the Alfred P. Murrah Federal Building, murdering 168 people, including 19 children?
&lt;/P&gt;&lt;P&gt;
&lt;B&gt;Timothy James McVeigh&lt;/B&gt;, a WASP - White, Anglo-Saxon Protestant - who won a Bronze Star for service in the first Gulf War, and his partner, Terry Nichols, also a WASP, were responsible for the Oklahoma City massacre.
&lt;/P&gt;&lt;P&gt;
&lt;B&gt;Theodore (Ted) Kaczynski&lt;/B&gt;, the "Unabomber", is a Polish American mathematician, social critic, anarchist and Neo-Luddite.
&lt;/P&gt;&lt;P&gt;
&lt;B&gt;Eric Robert Rudolph&lt;/B&gt;, the Olympic Park Bomber, is responsible for a series of bombings across the southern United States between 1996 and 1998, which killed two people and injured at least 150 others.
&lt;/P&gt;&lt;P&gt;
&lt;B&gt;Buford O'Neal Furrow, Jr.&lt;/B&gt; is a former Aryan Nations member and security guard who opened fire at the Los Angeles Jewish Community Center in August 1999. The shooting injured three children and a receptionist. He also shot dead USPS carrier Joseph Ileto, a Filipino American.
&lt;/P&gt;&lt;P&gt;
&lt;B&gt;James von Brunn&lt;/B&gt; fired a weapon into the Washington D.C. Holocaust Museum, resulting in the death of security guard Stephen Tyrone Johns. Von Brunn died while awaiting trial.
&lt;/P&gt;&lt;P&gt;
&lt;B&gt;Joseph Andrew Stack III&lt;/B&gt; flew a small personal plane into an office complex containing an IRS office in Austin, Texas, after posting a manifesto on his website stating his anti-government motives and burning his house. One person other than Stack died; 13 were injured.
&lt;/P&gt;&lt;P&gt;
Not one of the above is a Moslem or even an Arab.
&lt;/P&gt;&lt;P&gt;
That, of course, is not to exclude Moslems - Arab or not - from the list of potential threats, but only to try to make all risk management practitioners and their clients aware that others may decide to ride the coattails of Bin Laden's supposed death. When a person has a mission, any excuse is a good excuse to act.
&lt;/P&gt;&lt;P&gt;
Yesterday's &lt;A HREF="http://johnglennmbci.blogspot.com/2011/05/osama-is-gone-but.html" TARGET="NewPage"&gt;entry&lt;/A&gt;  included suggestions on how to mitigate exposure to crazies.
&lt;/P&gt;&lt;P&gt;
Today's comment is simply a reminder that no one is, or should be, above suspicion.
&lt;/P&gt;&lt;P&gt;
Likewise, nothing should be taken for granted. A portable radio allegedly brought down Pan Am 103 over Lockerbie, Scotland.
&lt;/P&gt;&lt;P&gt;
Israeli airport security routinely takes "pregnant" women - including my wife - aside to "pat them down" to confirm the bulge really is due to pregnancy. The wife did not complain. 
&lt;/P&gt;&lt;P&gt;
The bottom line for risk management practitioners is to be aware that "packaging" may be deceiving.
&lt;/P&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5931600765099861931-3284020348173754473?l=johnglennmbci.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://johnglennmbci.blogspot.com/feeds/3284020348173754473/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5931600765099861931&amp;postID=3284020348173754473&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/3284020348173754473'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5931600765099861931/posts/default/3284020348173754473'/><link rel='alternate' type='text/html' href='http://johnglennmbci.blogspot.com/2011/05/inevitable.html' title='&lt;H1&gt;ERM-BC-COOP: Inevitable&lt;/H1&gt;'/><author><name>John Glenn MBCI</name><uri>http://www.blogger.com/profile/03499458727913967175</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='11' height='32' src='http://bp2.blogger.com/_j2DodcRshS0/R_-0aRRk2PI/AAAAAAAAAAk/d-6wSUMOBX4/S220/litehous-sml.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5931600765099861931.post-813328628051061057</id><published>2011-05-02T22:57:00.005+01:00</published><updated>2011-05-03T20:54:05.789+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Enterprise Risk Management'/><category scheme='http://www.blogger.com/atom/ns#' term='Business Continuity'/><title type='text'>ERM-BC-COOP: Osama is gone, but . . . </title><content type='html'>&lt;P&gt;
&amp;nbsp;
&lt;/P&gt;&lt;P&gt;
If you believe the White House, Osama bin Laden is dead.
&lt;/P&gt;&lt;P&gt;
Shot in the head and dumped over the side of a ship sailing somewhere in some sea.
&lt;/P&gt;&lt;P&gt;
Putting aside my skepticism of political "reality" I start thinking about "What if Osama really IS dead? What can we - the non-Muslim world in general and the U.S. in particular - expect?"
&lt;/P&gt;&lt;P&gt;
My best guess is retaliation, revenge on a grand scale.
&lt;/P&gt;&lt;P&gt;
Perhaps, however, not on 
