Thursday, July 31, 2008

ERM-BC-COOP: Two eGuide articles

BC, DR, and COOP

Just read an article linked from the Continuity eGuide http://disaster-resource.com/newsletter/continuityv245.htm by Tod Newcombe titled "Should BC and DR Be Replaced by COOP?".

Good article. It even includes a quote from Dr. Jim Kennedy, principal consultant for business continuity and disaster recovery at Alcatel-Lucent and a long-time professional acquaintance.

But . . .

But the article, which initially appeared in Government Technology (http://www.govtech.com/gt/articles/374117) focuses almost exclusively on Info Tech. (Given the publication's audience, that almost rates a "duh!")

It addresses issues Chief Information Officers (CIOs) face.

It also suggests that business continuity is a sub-set of Continuity Of Operations (COOP), as disaster recovery is part of business continuity.

According to the article, "Kennedy recommends CIOs become champions for BC planning and find a champion on the business side to help when it comes time to implement and test the plans. But that's not all: CIOs also must ensure their plans have the support of senior-level managers. The National Association of State Chief Information Officers (NASCIO) insists today's government CIO needs to go one step further and ensure public-private partnerships -- especially with the industry sectors that deliver power and telecommunications -- are on board ahead of any crisis."

I have two problems with the article.

First, business continuity, by definition, means keeping the business going - meeting Service Level Agreements (SLAs) or mandates. In order to do that, Enterprise Risk Management (a/k/a Business Continuity and COOP) practitioners need to protect the business processes and all the resources used by those processes.

Second, ERM should not be a function of the CIO.

ERM needs to be a function of a Chief Risk Officer or, failing independence, then a function of a Chief (Something) Officer who has fiduciary responsibility or the Chief Law/Legal Officer - someone who is independent of the individual functional units.

To my Winnie-the-Pooh mind, the only viable plan is an enterprise plan.

Even the US Federal government seems to agree with that: COOP used to be disaster recovery - save Info Tech and all is good; now it's protect the people and the organization (including Info Tech). The fact that the Government Accountability Office, GAO, annually criticizes Federal agencies for the quality of COOP plans is another matter. Still, at least there is "COOP awareness" and that's progress.

One thing the article did point out was "don't forget the details. One company had a detailed BC plan, but when a disaster struck, it failed to consider how it was going to feed workers who had to stay on the job for several days. Now it stocks the same ready-to-eat meals used by the military. Another mistake organizations make is not having an alternative work site, a problem that plagued firms devastated by the 9/11 terrorist attacks. What good is backed-up data if your workers have nowhere to work?"

Which, since it hints at the myriad of interdependencies in most organizations, is one more reason to move Enterprise Risk Management - by any name - out of the data center and into the executive suite.


Insurance options

The second article that caught my eye was titled An Insurance Primer for Business Continuity Professionals by Kimberly R. Matlon, JD.

Ms. Matlon, a partner in R&A Crisis Management Services, writes at http://disaster-resource.com/newsletter/subpages/v245/meettheexperts.htm about a number of different insurance types.

She tells us that "Creating a resilient organization is a combination of purchasing and maintaining appropriate business insurance products, and developing and maintaining a comprehensive business continuity plan." She adds that "There are a wide variety of commercial insurance products out there to protect your business. The most common of these are property, liability and insurance products that provide coverage for your workforce."

Well and good, but what about business interruption insurance?

What about checking vendor insurance coverages? Governments and other "800-pound gorilla" clients do it all the time.

Ms. Matlon missed some critical coverage in her brief article, but she did at least point out the need for insurance.

Enterprise Risk Management practitioners need to locate knowledgeable insurance representatives - preferably from different vendors - not only to find out what coverages are available and appropriate, but what each coverage demands of the insured - for example, business interruption insurance requires extensive record keeping (which also means keeping a copy of the records off site) in order to collect.

John Glenn, MBCI, SRP
Enterprise Risk Management/Business Continuity
http://johnglennmbci.com/
Planner @ JohnGlennMBCI.com

Wednesday, July 30, 2008

ERM-BC-COOP: Mitigation

Short story

I was talking with an Info Tech manager the other day about Info Tech "business continuity."

Business Continuity, I said, requires not only a Business Impact Analysis (BIA) which is part of Info Tech "business continuity," but mitigation as well.

Well, said the exec, we do have mitigation - we have plans to recover the applications elsewhere if something goes bump in the night here. That's mitigation.

Sounds good.

It IS mitigation.

But it's not RISK mitigation.

It's IMPACT mitigation.

While impact mitigation is an important part of business continuity, it really properly falls under the "disaster recovery" heading which, if truth be known, is what my exec calls Info Tech "business continuity."

Telling people I am an "Info Tech business continuity" planner bothers me.

Info Tech should have real business continuity.

Info Tech should look for risks to its processes and it should develop a true, independent business continuity plan based on its customers' requirements.

At the same time, all functional units should have true, independent business continuity plans (mini-plans, if you've read other John Glenn rants) which, like the Info Tech plan, need to roll up into an enterprise plan.

My exec's Info Tech "business continuity" plan totally ignores threats to the Info Tech processes. It considers the impact of an "application failure" on the business unit's finances (based on figures provided by the Info Tech customer/business unit Subject Matter Experts) and other nasty things that can happen - fines and customer penalties - but rarely considers loss or reduction of the organization's Return On Investment (ROI).

Worrying about threats to the Info Tech processes is "outside the scope" of the Info Tech "business continuity" plan.

Understanding that, I know - even if the Info Tech execs refuse to acknowledge it - that what Info Tech has is nothing more than disaster recovery under a different - and sadly inaccurate - name.

Mitigation? Yes, but only after the fact.

That is not, at least from my perspective of 13-plus years in the business, "business continuity."

Let's call it what it is - disaster recovery.

No more, but maybe less.

John Glenn, MBCI, SRP
Enterprise Risk Management/Business Continuity
http://johnglennmbci.com/
Planner @ JohnGlennMBCI.com

Tuesday, July 29, 2008

ERM-BC-COOP: State of BCM for SMBs

An article by Kathleen Lucey in the July issue of Continuity magazine culled some interesting facts from a Continuity Insights/KPMG study on the state of Business Continuity Management (BCM) in the United States.

Ms. Lucey is president of Montague Risk Management, a consulting organization (http://www.montaguetm.com).

One of the first things to catch my eye was Ms. Lucey's comment that "... based on the size of the firms responding to this survey, it means that the small-and-medium size business sector probably has even less BCM capability than previously thought."


This is supported in a Jan Persson article, "An alarming DRP statistic that can easily be fixed," on the Rothstein Associates Inc. Business Survival Weblog at http://www.rothstein.com/blog/2008/07/an-alarming-drp-statistic-that-can-easily-be-fixed/.


A few years ago, while working on a SOx project in Charleston WV (great town, by the way), I became involved with some Certified Public Accountant (CPA)-type auditors. We - the auditors and I - proposed to the CPA firm's management that it provide BCM, the nom du jour for business continuity, to its Small/Medium Business (SMB) clients. Management agreed in principle, but before we could turn BCM into a "value added" service offering by the CPA firm, my contract expired (my client was bought by another company) and the proposal came to naught.

It seems to me that, if Ms. Lucey (and Continuity Insights and KPMG) are correct, we - risk management practitioners - would do well to introduce ourselves to CPA firms.

Likewise - and another "if I hadn't moved" situation - independent insurance companies and multiline agents.

I might even suggest lenders of BIG BUCKS, especially when collateral is less than desired.

There is a market for Enterprise Risk Management (ERM) in the SMB world.

Independent practitioners can't mine the market unless they are independently wealthy - I'm not. But suppose practitioners could convince the vendors that serve the SMB world - the CPAs, insurance companies, lenders, and others - to put a practitioner on a small retainer. The CPAs, etc. could then offer ERM as a value added product (enhancing the vendor's image while increasing profit for minimal investment), the SMB owners could have a real ERM plan that reduces risks to the insurers and lenders, and the practitioner could make a living.

I'm not certain what "Medium" size indicates - perhaps between 50 and 500 employees? It seems to me that SMBs need ERM more than the big companies.

Why?

Big companies, the Fortune 1000 level, might be able to weather a storm (as some monster organizations weathered Katrina) using owned resources and an ability to "waste" extra money (that was spent because mitigation and recovery plans were either non-existent or ignored), both of which are unavailable to the "typical" SMB.

A friend of mine owned a jewelry store in Orlando FL. Small store in downtown. He'd been there for years and his name was as important to his customers as was his merchandise.

If a fire gutted his neighbor, my friend would be, at least temporarily, out of business.

If some otherwise nice folks came out of the corner tavern and got a bit rowdy, his storefront glass might be shattered and some "midnight sales" take place. (He locked up all the good stuff.) His customer records, unlike his merchandise, could have "disappeared" and that would have been at least a small disaster for the business.

He was lucky over the years.

Most of us are.

At the same time, most of us carry insurance of some type.

Some of us even have personal "survival" plans (in case of a fire at home, etc.).

Businesses, of all sizes, need ERM plans.

SMBs normally can't afford our services, and we can't afford to court SMB business.

But CPAs, insurers, lenders can encourage ERM during the normal course of business.

It is to the practitioner's advantage, the SMB owner's advantage, and to the intermediate vendor's advantage to develop an ERM "value added" product.

John Glenn, MBCI, SRP
Enterprise Risk Management/Business Continuity
http://johnglennmbci.com/
Planner @ JohnGlennMBCI.com

Friday, July 25, 2008

ERM-BC-COOP: The same or different?

"In simple terms, risk management is focused on prevention, while business continuity management is focused on cure. For example, risk management would view the lack of fire extinguishers in a paper factory as a high risk and recommend fire extinguishers be installed to reduce that risk. Business continuity management would not be concerned about the inadequacy of fire extinguishers but rather how to deal with the loss of the paper or the building, for example, regardless of the event that caused the loss."

I consider myself to be an Enterprise Risk Management-slash-Business Continuity-slash-COOP practitioner and I will state, unequivocally, that the statement above is wrong. Very wrong.

Both risk management and business continuity, in my world at least, are concerned with

    * identifying processes

    * identifying risks to the processes

    * identifying means to avoid or mitigate risks

among other things.

In my not-at-all humble opinion, Enterprise Risk Management = Enterprise Business Continuity.

So if there is a difference it may be how it is interpreted by the practitioner - or the client, be the client internal or external.

I think Enterprise Risk Management better defines what we should be doing: managing, directly or indirectly, all risks to the enterprise, to the organization.

I am not suggesting that the practitioner must, or even should, be a Subject Matter Expert (SME) in insurance, or finance, or anything other than risk management. I am not an Info Tech guru but I can, with input from Info Tech SMEs - both the client's and my own network - create a plan to protect Info Tech resources from all manner of threats. I expect the practitioner to be an SME in ERM/BC. Anything in addition to that is a bonus which may, or may not, "get in the way."

I also am not suggesting that the SMEs or the CFO or CLO or any other "C" report to the ERM practitioner. What I am suggesting is that the ERM practitioner manage the risks - to "hold the umbrella" over the risks, to coordinate risk identification and avoidance/mitigation.

Risk management also includes dealing with risks when they occur (disaster recovery).

How does that differ from business continuity?

Identifying threats and finding ways to avoid, mitigate, or absorb them is Risk Management Part 1; dealing with the threats that get through (disaster recovery) is Part 2. Business continuity, properly done, covers both.

Obviously the author of the lead paragraph sees things differently. Maybe it's a difference in background. The person who penned (keyed?) the opening paragraph is the managing partner of an Australian information security firm.

Or perhaps, looking at the author's title, it has something to do with the person's focus on information security.

Whatever the reason, my "take" on ERM/BC is that, properly done, they are essentially the same.

John Glenn, MBCI, SRP
Enterprise Risk Management/Business Continuity
http://johnglennmbci.com/
Planner @ JohnGlennMBCI.com

Monday, July 21, 2008

ERM-BC-COOP: Artistic defense

Let's say you have a "sensitive" building; a facility you need to protect from unwanted visitors.

Let's say your building is at a highway "T" - the building sits where the upright of the T meets the crossbar.

Finally, let's say the building is in a "high tone" neighborhood.

In order to keep vehicles from turning your facility into a drive-through - intentionally or accidentally - you think about strategically placing World War II anti-tank barriers between the road and the building.

Properly anchored, they will stop a runaway semi.

Not pretty, but efficient.

Still, the organization wants to be a good neighbor and to that end it needs to find something a little more in line with the neighborhood's image.

How about a copy of Michelangelo's David?

Perhaps Alexandros of Antioch's Aphrodite of Milos?

Want something a little more thoughtful? Maybe Auguste Rodin’s The Thinker.

Prefer something more modest? Consider Frederic Remington's Western motif.

Bronze, aluminum, steel, concrete - whatever material suits your fancy.

The bottom line is to convert the World War II anti-tank idea into something suitable for the neighborhood.

Acquire artwork that can be reinforced - as in "reinforced concrete." It really makes little difference what surface material is used - what you want is a solid block of something - concrete is probably the least expensive - inside the art, and you want steel rods - remembering there is strength in numbers - inside the concrete.

Take a leaf from the Dade County Florida building code.

The concrete base, and the embedded rods, need to be securely anchored into the ground. How far? That's an engineering problem and I will leave it to the engineers.

When it comes time to position the art, think of a chess (or checker) board and how the squares alternate.

Make certain that there is no "straight line" access to the building.

How far apart? How wide is a small car? The barriers should be close enough together that a small car is blocked.

While the barrier art need not be life-size, it needs to be high enough so that a jacked up, "Big Foot" swamp buggy can't clear it.

Bear in mind that nothing is 100% and even eye-pleasing barriers may not stop all attackers, but they can stop accidental intrusions and they might discourage would-be terrorists.

Security can be attractive if a little thought is given the options.

More security options: http://johnglennmbci.com/shoestring.html

John Glenn, MBCI, SRP
Enterprise Risk Management/Business Continuity
http://johnglennmbci.com/
Planner @ JohnGlennMBCI.com

Thursday, July 17, 2008

ERM-BC-COOP: Financial loss

Interesting situation before me.

I have a data base that is a repository for data from not one or two organizations but many organizations.

There is both intra-group and inter-group sharing.

The 800-pound gorilla group guesstimates that if its personnel can't access the shared data base, it will "cost" the company about 14k units of currency-per-day.

OK.

Let's "assume" that the smaller fish in the pond figure their losses to be 10k units of currency-per-day (for easy computing later).

Let's also assume that, in addition to the gorilla wading in the pond, there are 8 small fry (total 14k + (10k*8) = 94k units of currency-per-day).

The gorilla insists that the data base can be down for a maximum of two days.

Back to the basic math: 94k*2=188k units of currency.

Now we have a value for the data base.

Because (a) the data are critical and (b) we know media fails (that's why hard drive warranties run for only a few years), we have found space on a compatible machine.

If the machine on which the data base resides fails (or the facility goes away or . . . pick a risk), and since we backup-to-tape every day, and since we can retrieve and deliver yesterday's tape to the alternate site within "about" 36 hours, and since we know we can (assuming there are no Write errors) load the tape's data onto the alternate machine within 12 hours, we'll be up-and-running before the agreed-to 48 hour maximum downtime expires.

Question: How much value do I place on the data base for all days beyond Day 2?

Or, put another way, how PROBABLE is it that both the primary and alternate boxes will be lost at the same time? (They are housed in different regions.)

Realistically, the probability is minute. Small, even.

Bottom line time.

I have a box that, fully configured, is worth - say - 10k units of currency. RAID 5, all the Bells-N-Whistles, wireless mouse and keyboard; the server equivalent to a fully dressed out Harley.

I have a data base "worth" 94k units of currency-per-day to the user community that I know can be recovered - must be recovered - within 48 hours. I'll even concede that some work-aholics will access the data base from a Burger King WiFi access point on the Fourth of July.

What, given all that, is my worst-case financial loss over a month?

My take - and I'm willing to entertain other opinions - is


(94k * 2) + 10k + (1k * 30) = 228k units of currency.


What is the (1k * 30)? Manpower - possible (operative word: "possible") overtime for the alternate site personnel to nursemaid the temporarily resident data base. It is a worst case expenditure.

Granted, 228k units of currency can make a major dent in some organizations' budgets, but I think it can be proportionally shared and absorbed by the 9 user groups depending on the shared data base.

One parting thought. While the techies are scrambling to get the alternate site up and running, the users can share their thoughts via email, telephone, fax, and courier so they are not necessarily out of business for the duration.

What bothers me is the once-a-day data backup.

Is it enough?

Do users keep a copy of their data on local machines? On external hard drives?

If I was writing the rules, I think I'd create a policy that states: Critical data will be stored on local media for (at least) 24 hours after being copied to the shared data base.

But I'm not "writing the rules." (Too bad; enterprise risk management very much includes development of policies and procedures.)
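To put the arithmetic above, and the once-a-day backup question, into a form that can be re-run when the numbers change, here is an added worked example in Python. It is not part of the original post: the group names, function names and the "slippage" scenario are my own; the figures (14k for the gorilla, 10k for each of eight small fry, 36 hours to deliver the tape plus 12 hours to load it, a 48-hour maximum, a 10k box, 1k/day overtime, 30 days) are the post's.

```python
# Added worked example (not from the original post): a small business-impact
# model for the shared database scenario. Group names, function names and the
# slippage scenario are assumptions; the figures are the post's.
from dataclasses import dataclass, replace
from math import ceil


@dataclass(frozen=True)
class UserGroup:
    name: str
    loss_per_day: int        # units of currency, per the group's own SMEs


@dataclass(frozen=True)
class RecoveryPlan:
    max_downtime_hours: int      # agreed maximum outage (the gorilla's 48 hours)
    backup_interval_hours: int   # backup-to-tape once a day
    tape_delivery_hours: int     # retrieve yesterday's tape and courier it
    restore_hours: int           # load the tape on the compatible alternate box
    replacement_hardware: int    # cost of a fully configured replacement server
    overtime_per_day: int        # worst-case overtime for alternate-site staff
    horizon_days: int = 30       # budgeting horizon (the post asks "for a month")


def daily_loss(groups):
    """Combined per-day loss to every group that depends on the database."""
    return sum(g.loss_per_day for g in groups)


def recovery_time_hours(plan):
    """Elapsed time from failure to the database being usable elsewhere."""
    return plan.tape_delivery_hours + plan.restore_hours


def meets_rto(plan):
    """True if the recovery steps fit inside the agreed maximum downtime."""
    return recovery_time_hours(plan) <= plan.max_downtime_hours


def worst_case_data_loss_hours(plan):
    """RPO: a failure just before the next backup loses a full interval of updates."""
    return plan.backup_interval_hours


def exposure(groups, plan):
    """Worst-case outlay over the horizon, following the post's arithmetic:
    full daily loss for every outage day (a partial day counts as a whole day),
    plus replacement hardware, plus overtime for the whole horizon."""
    outage_days = ceil(recovery_time_hours(plan) / 24)
    return (daily_loss(groups) * outage_days
            + plan.replacement_hardware
            + plan.overtime_per_day * plan.horizon_days)


def slipped(plan, extra_delivery_hours):
    """The same plan with the courier running late by the given number of hours."""
    return replace(plan, tape_delivery_hours=plan.tape_delivery_hours + extra_delivery_hours)


def proportional_shares(groups, total):
    """Split a total across groups in proportion to their stated daily loss."""
    base = daily_loss(groups)
    return {g.name: total * g.loss_per_day / base for g in groups}


# Constructed inputs matching the post: one gorilla at 14k/day, eight small fry at 10k/day.
GROUPS = [UserGroup("gorilla", 14_000)] + [UserGroup(f"fry-{i}", 10_000) for i in range(1, 9)]
PLAN = RecoveryPlan(max_downtime_hours=48, backup_interval_hours=24,
                    tape_delivery_hours=36, restore_hours=12,
                    replacement_hardware=10_000, overtime_per_day=1_000)

if __name__ == "__main__":
    print("daily loss:", daily_loss(GROUPS))                                # 94000
    print("recovery fits the 48h maximum:", meets_rto(PLAN))                # True
    print("worst-case data loss (hours):", worst_case_data_loss_hours(PLAN))  # 24
    print("worst-case exposure for the month:", exposure(GROUPS, PLAN))     # 228000
    late = slipped(PLAN, 24)   # courier takes a day longer than planned
    print("fits the maximum when late:", meets_rto(late))                   # False
    print("exposure when late:", exposure(GROUPS, late))                    # 322000
    for name, share in proportional_shares(GROUPS, exposure(GROUPS, PLAN)).items():
        print(f"  {name}: {share:,.2f}")
```

The slippage scenario is the point of writing this down rather than doing it on a napkin: the plan only meets the gorilla's 48-hour maximum with zero slack (36 + 12 = 48), and every day the courier or the restore runs over adds the full 94k daily loss. The 24-hour worst-case data loss is the same number as the backup interval, which is why the once-a-day tape bothers the post; shortening the interval is the only lever that moves it.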

John Glenn, MBCI, SRP
Enterprise Risk Management/Business Continuity
http://johnglennmbci.com/
Planner @ JohnGlennMBCI.com

Monday, July 14, 2008

ERM-BC-COOP: Mortgage mess

The "mortgage mess," of which Freddie Mac and Fannie Mae (along with IndyMac Bank) are the most recent focus of attention, is the headline du jour.

Fannie Mae, initially chartered in 1938 under Franklin Roosevelt, was re-chartered in 1968 by Congress as a shareholder-owned company, funded solely with private capital raised from investors on Wall Street and around the world.

Freddie Mac was established by Congress in 1970 under the Federal Home Loan Mortgage Corporation Act and is a stockholder-owned organization.

Both organizations are charged with using private funds rather than having the full faith and credit of the Federal government behind them, as Treasury notes do.

Both are Federally regulated, as - to a less hands-on extent - is IndyMac of California.

So how could Fannie Mae and Freddie Mac find themselves in a financial fix so serious that Washington is talking about bailing them out?

Easy. Things happened which were beyond the organizations' control.

Does that mean the organizations are without fault?

No.

Indeed, Freddie Mac claims that it is "subject to rigorous governmental oversight and substantial capital requirements."


From Freddie Mac's page: http://www.freddiemac.com/news/corp_facts.html

"Freddie Mac operates in a single, safe business: residential mortgages backed by the equity of millions of American homes across the nation. Freddie Mac is subject to rigorous governmental oversight and substantial capital requirements, and our financial disclosures surpass those of other large institutions. These practices ensure that our business is financially transparent and accountable to our shareholders, regulators and the American public."


Somewhere, something went very wrong with the "rigorous governmental oversight and substantial capital requirements."

Could this have been prevented?

Perhaps not completely, but it probably could have been mitigated with a hard-look enterprise risk management program.

"Hard look" because, in our generally Pollyanna world, few are willing to look at, and seriously consider, all the threats to our organization.


The Corporation (Freddie Mac) may not make any capital distribution that would decrease the total capital of the Corporation (as such term is defined in section 1303 of the Federal Housing Enterprises Financial Safety and Soundness Act of 1992) to an amount less than the risk-based capital level for the Corporation established under section 1361 of such Act or that would decrease the core capital of the Corporation (as such term is defined in section 1303 of such Act) to an amount less than the minimum capital level for the Corporation established under section 1362 of such Act, without prior written approval of the distribution by the Director of the Office of Federal Housing Enterprise Oversight of the Department of Housing and Urban Development. (Federal Home Loan Mortgage Corporation Act, 12 U.S.C. § 1451)


The fallout from the 9-11 (2001) attacks, carried out against us with our own resources, was finger-pointing and finally an admission that, within the Federal government (and elsewhere), "the right hand doesn't know what the left is doing"; there is little inter-organization communication. Turf wars gave the enemy his opportunity.

It is hard to believe that the same thing didn't happen again.

The financial crisis didn't happen overnight.

I am an enterprise risk management practitioner. I am not a financial analyst; I am not chair of the Federal Reserve or even a bank clerk. Knowing my limitations, I know I need to turn to financial Subject Matter Experts (SMEs) and, in the financial world, they are in abundance.

So why didn't anyone ask - or if they DID ask, why didn't they listen to - the SMEs?

This "collapse" didn't happen overnight.

The beginning as I see it - and again, I am not a financial guru who could see "the signs" of things to come - was the Real Estate Investment Trust (REIT) woes that brought down several financial houses.

That followed by Wall Street's embarrassments and commercial banks' losses.

(My retirement account has been sufficiently decreased to force me to work "extra innings." I am not a happy camper.)

My question has to be - since this was hardly an overnight event - why no mitigation efforts were implemented to stem the flow of red ink.

But it's easier to say that "everything will be all right."

Pollyanna.

Head-in-sand syndrome.

I don't doubt we'll weather the storm, but it seems to me that facing reality "then" could have prevented, or at least mitigated, the financial reality we are facing today.

(Never mind that this Wall Street outsider thinks most traders are lemmings who would follow any perceived leader.)

John Glenn, MBCI, SRP
Enterprise Risk Management/Business Continuity
http://johnglennmbci.com/
Planner @ JohnGlennMBCI.com

Wednesday, July 9, 2008

ERM-BC-COOP: AT&T's 2008 preparedness survey

It's been out for awhile, but not everyone knows about it, so . . .

AT&T has produced a "Business Continuity Study" for each of the past seven years.

It's a flawed study because the AT&T researchers queried only InfoTech executives. AT&T should correctly title the study an "IT preparedness study" rather than suggesting anyone from a business unit provided input.

For all that, the biased report is both interesting and encouraging. It is on the WWW at

http://www.att.com/gen/press-room?pid=7922

Because AT&T markets "business continuity" planning, the graphic headline above the study reads "We've found that one in five U.S. businesses does not have a plan to handle man-made and natural disasters."

Put a positive spin on this and you have "Four out of five U.S. businesses have a plan to handle man-made and natural disasters."

That has to be encouraging.

As to be expected, when you ask InfoTech folks about threats, the answer will be focused on InfoTech - that's a logical conclusion supported by the AT&T study.


Two-thirds of IT executives predict that hacking will be the biggest threat in the next five years. The next most frequently mentioned threats are internal:

    Accidents — 56 percent
    Sabotage — 47 percent
    Remote workers — 44 percent


The AT&T survey was developed in 12 market areas, alphabetically: Atlanta, Boston, Chicago, Cleveland, Houston, London, Los Angeles, Memphis/Nashville, Minneapolis/St. Paul, New York, San Francisco, and Toronto.

While I would very much like to see a survey of business leaders, the AT&T effort is worth a look.

It is interesting to see how U.S. organizations compare to those in Toronto and London (UK).

John Glenn, MBCI, SRP
Enterprise Risk Management/Business Continuity
http://johnglennmbci.com/
Planner @ JohnGlennMBCI.com

Thursday, July 3, 2008

ERM-BC-COOP: Value calculator


Q: How many times has a manager pushed back on an ERM-BC-COOP project because he or she couldn't see a Return On Investment (ROI)?

A: Too many.


One of the problems Enterprise Risk Management/Business Continuity/COOP* practitioners encounter is the difficulty of justifying the cost of the effort.

We know that what we do makes good business sense.

We know that what we do can, if implemented, make the difference between being in or out of business.

We know what we do can help prevent loss of life or serious injury.

But even if something happens and our effort works flawlessly, it's hard to put a monetary value on what we do.

Michael Z. Bell to the rescue.

Mr. Bell runs his own consulting company, Albion Research, in Ottawa, Canada.

He also runs a Web site, http://www.riskythinking.com/.

The Web site includes a page titled "BCP Value Calculator" at http://www.riskythinking.com/tools/bcpvalue.php.

It's a page well worth visiting and, from my point of view, worth sharing with management.

* Continuity Of OPerations

John Glenn, MBCI, SRP
Enterprise Risk Management/Business Continuity
http://johnglennmbci.com/
Planner @ JohnGlennMBCI.com

Wednesday, July 2, 2008

ERM-BCP-COOP: Test before need

Had a sister-in-law (SIL) and her spouse visiting for 3 weeks.

Over the course of their stay, we visited NYC, DC, West Virginia, a couple of US parks, and Luray Caverns.

Since my digital camera is (still) in need of repair and since the SIL doesn't own a digi-cam, the wife bought a couple of discount store cardboard film cameras.

One sans flash but with high-speed film and one with flash.

I own several "real" cameras - a Canon F-1 and a Canon FTb, as well as a 4x5 (inch) that is great for technical stuff but a bit much to schlep on a Shank's Mare tour.

But, being lazy, of late I used the cardboard, single-use variety for simple documentation purposes (such as when I moved into rental quarters and wanted to document pre-move in conditions).

I always bought "name" cameras - Fujifilm or Kodak, names I know and - based on experience - trust.

But hey, a single-use camera is a single-use camera is a . . .

Well, maybe not.

Turns out many of the West Virginia, NYC, and DC shots with the flash-less unit were destined for the trash can.

Exposure.

Likewise the photos from the flash camera used in the cave. The flash simply didn't do the job. All it had to do was supplement the low-level lights in the cave. (The place is impressive and well worth a visit.)

I have been a "professional" photographer for more years than I care to say. Mostly for newspapers or PR. I avoided weddings since if something goes wrong, how are you going to re-shoot, especially when the wedding party has scattered to the four winds?

This was something similar.

This was SIL's first trip to the U.S.; her husband's second in 30-some years and his first outside NYC.

They boarded a plane home yesterday - no chance to "re-do" any of the photos.

Where was the problem?

It could have been with the developing process; stale chemicals, an off-speed conveyor.

But the film from the two cameras was processed at different times, albeit at the same "ready-in-an-hour" location.

I suspect the problem is with the cardboard cameras with their plastic lenses.

Now, the ERM-BC-COOP connection.

I know, based on experience, that name single-use cameras take "OK" pictures. True, they can't match the Canons or the 4x5 for control, but for "quick-n-dirty" work, they do the job.

I know the "send-the-film-out" processing also is "pretty good." Not what you expect from a true photo lab (do they still exist?), but "good enough."

But I was using "no name" products across the board.

My guests paid a heavy price - they had few photographic memories to stuff into their suitcases for the return home.

Risk management demands that we test things - physical and processes - BEFORE we need them.

Test in a hostile environment if that is when those things will be implemented. Find the "worst case" scenario ("situation" if you dislike the word "scenario") and test.

I am, unfortunately, not alone in learning (actually being reminded of) this lesson.

The U.S. lost a number of soldiers in Iraq when the helicopters in which they were riding crashed - often because the environment damaged the helicopters' engines.

The Army - and the helicopters' manufacturers - should have known there was a dust/sand-in-the-engine issue and either eliminated the problem or used a more appropriate vehicle to transport troops.

The Army's loss is far greater than mine, but in both cases, the problem could have been avoided by testing before critical application.

Had I practiced what I preached, I would have made certain the cameras were either from Fujifilm or Kodak, and I would have insisted that the film be developed by a "real" lab where there would be a better chance that the chemicals would be fresh and the machines properly calibrated.

That, of course, still does not assure success, but it improves the odds.

We exercise ERM-BC-COOP plans (at some level) and we practice building evacuations (at some level). What we often fail to do is to test the complete process or the back-up device.

As an example, some plans I see call for acquiring replacement equipment.

Did anyone check to see if the equipment is still available?

Did anyone make certain Purchasing is included in the response team?

"Minor" little things like my no-name cameras and in-an-hour film processors can cause a good plan (or good intentions) to be defeated.

My guests may have enjoyed their stay in the U.S., but they have little to show for it.

I knew I should have bought those souvenir post cards.

John Glenn, MBCI, SRP
Enterprise Risk Management/Business Continuity
http://johnglennmbci.com/
Planner @ JohnGlennMBCI.com

Tuesday, July 1, 2008

ERM-BC-COOP: All about image

A recruiter called yesterday.

Actually two from the same office.

When all was said and done, I was left with second thoughts about working for, or recommending, the organization.

There were several problems, all impacting the organization's image.

I wonder if the image problem I encountered also is encountered by potential customers of the organization.

The recruiters, based on their language and accents, called me from somewhere in the Far East. Their employer managed to display a local-to-me phone number, not terribly difficult technology.

The first problem was that the agency was using simplex voice-over-IP (VoIP).

Simplex, for those who never dealt with two-way radio, means "I talk-you listen - you talk-I listen."

Think about the movies where one character is talking to another over a two-way and says "Over" each time the person completes a thought. Over.

Anyway, besides the simplex issue (modern landline phones are, by the way, duplex, which means we can - and too often do - interrupt each other in mid-sentence), the quality of the calls was terrible. Between voice quality and latency (IT for "delay"), the "conversation" was frustrating at best.

The second problem was that the first caller didn't know what she was calling about.

Or maybe she just didn't understand American English when I asked "is this a project or a staff job."

The second caller explained that it was both. How so? Well, the offer is to be a staff employee of the caller's organization for the duration of a project with a client of the organization. Bottom line: it's a project.

The second caller started off badly when he told me that a woman from his office called me several days ago.

Now I know about the international date line, but this man clearly didn't have his facts straight.

I told the second caller that the connection was bad - true - and asked that he send the job description via email.

That would be done, he promised, and I disconnected.

I'm still waiting for the email.

To be absolutely fair, I was talking to the recruiters on a Sony-Ericsson cell phone with AT&T (née Cingular) service (which still is better than my Nokia unit and Verizon service - the problem is more the instrument than the carrier). Landline normally is better than either mobile unit/service - unless there is a thunderstorm outside the window.

Word to the wise: Always have at least one Plain Old Telephone Service (POTS) phone available for use during power outages. Fancy phones that require AC to work are useless, but simple phones, which take power from the phone lines, usually work. Still, in an electrical storm, stay away from anything with a cord.

What's the ERM-BC-COOP connection?

Image is very much a risk.

If the company projects the same image to prospective customers as it presented to a prospective employee, its bottom line must be threatened. I want to talk with someone who understands what I say and can communicate with me (comprehension and technology).

I don't think I'm a chauvinist; I work with people every day with accents similar to my callers'. I'm accustomed to talking to people with non-US accents (and, in truth, some US accents are as difficult to understand as any from the Far East). I am "image conscious": my own image, that of my employer, and, frankly, that of the client.

I wouldn't go to an ERM-BC-COOP job interview in a torn tee-shirt and dirty jeans; it's image.

Image is communication and, as with all communication, the audience's comprehension and perception must be a concern.

This company's recruiters failed the test with this practitioner.

John Glenn, MBCI, SRP
Enterprise Risk Management/Business Continuity
http://johnglennmbci.com/
Planner @ JohnGlennMBCI.com