Monday, July 27, 2009

Another certification

 

A number of emergency management and disaster recovery lists recently carried a blurb stating "The National Fire Protection Association (NFPA) and the Disaster Recovery Institute International (DRI) have joined forces to create an education and certification program."

I know both organizations.

The blurb identifies NFPA as "the authority on fire and life safety," and the DRII as "the leading certification and education body in business continuity planning."

I might agree with the NFPA description (but what about the National Fire Academy and the International Association of Emergency Managers, the IAEM?), but I would have to challenge the DRII description. Caveat: My initial certification was from the Harris Institute, great for certification, somewhat lacking in easily available information. (Harris believed that anyone who successfully tested for the certification already knew the field.) My current certification is from The Business Continuity Institute (BCI). The certification is at least as good as DRII's and, unlike DRII, The BCI is not in the business of selling courses. DRII, to its credit, does have the better Web presence and makes that content available to all.

The blurb states that the NFPA and the DRII will be offering an "education and certification program that will qualify participants to audit disaster/emergency management and business continuity programs against existing standards and regulations. Certification levels currently include Certified Business Continuity Auditor (CBCA) or Certified Business Continuity Lead Auditor (CBCLA)."

Both seem to me heavy on the business continuity side and very light on the emergency management side.

For some time I have been preaching that business continuity and emergency management practitioners should work together and that there is a great deal of commonality between the two disciplines. But, like business continuity and disaster recovery, "there IS a difference."

My personal bottom line is that a combo certification will be like most compromises; less than satisfactory. Again, given the certifications' description and the fact that the "education and certification program (that) will qualify participants to audit disaster/emergency management and business continuity programs against existing standards and regulations."

"The certification will be granted by DRI International, the largest business continuity certification organization in the world" according to the blurb.

"Course materials delve into existing legal and regulatory requirements by industry and country, as well as emerging requirements including: NFPA 1600, Standard for Disaster/Emergency Management and Business Continuity; DRI International's professional practices, financial services, insurance, healthcare, utilities, and public sector guidelines; and many others. In addition, careful attention is given to the processes by which disaster/emergency management and business continuity programs are initiated, with an eye toward corporate governance, policy, and procedures."

Most business continuity practitioners who have been around awhile already have a copy of NFPA 1600 (or a national variation of the document) at hand. Generalists have controlling documents for "financial services, insurance, healthcare, utilities, and public sector; and many others." Most of the guidelines are freely available. (An exception to the rule are British Standards which are, for my budget, a tad pricy.)

While I am very "pro-emergency management," I think if I wanted emergency management certification I would look to an organization such as IAEM.

Like The BCI, the IAEM is comprised of professionals at varying degrees of experience - from the tyro to the very senior practitioner.

 

John Glenn, MBCI
Enterprise Risk Management/Business Continuity practitioner
Ft. Lauderdale FL
http://johnglennmbci.com/
Planner @ JohnGlennMBCI.com

Thursday, July 23, 2009

ERM-BC-COOP: FRH MREs can be dangerous to your health

 

MREs, translation: Meals, Ready (to) Eat, seem to be a pretty good idea for disaster conditions and for travelers as well.

But MREs with FRHs, a/k/a Flameless Ration Heaters and known sometimes as FHUs or Flameless Heating Units, are another matter.

The Federal Aviation Administration (FAA) released a report titled "The Fire Safety Hazard of the Use of Flameless Ration Heaters Onboard Commercial Aircraft" that includes the following:

"Flameless Ration Heaters (FRH)/Meal, Ready-to-Eat (MRE) are well known to pose certain fire, explosion, and health-related safety issues while in shipment where typically hundreds of these meals are packaged together in a single shipping container. They are also considered to be a hazardous material under the United Nations publication "Recommendations on the Transport of Dangerous Goods" and in that publication are listed as "dangerous when wet." The 2004 Emergency Response Guidebook published by the United States Department of Transportation covers FRHs under guide 138: "Substances—Water-Reactive (Emitting Flammable Gases)" and lists the potential fire and/or explosion hazards. Some of the hazards listed include:

  • Produces flammable gases on contact with water
  • May ignite on contact with water or moist air
  • Some react vigorously or explosively on contact with water
  • May be ignited by heat, sparks, or flames
  • May reignite after fire is extinguished

"In fact, a major product of the reaction of the salt water and iron-magnesium mixture is hydrogen gas. The release of hydrogen is the primary cause of any fire safety concern surrounding FRHs and has resulted in at least one cargo fire during shipment. In March 2001, a container filled with FRHs was loaded onto a container ship at a naval station in Guam. The ship's crew detected leaking hydrogen from the container and removed it from the ship. Fire fighters decided to attempt to move the contents and spread them among three separate containers. While performing this operation, the contents burst into flames as can be seen in the photo. (Page 1 of report.)

"Tests were performed with individual MREs in an open environment and multiple MREs in a confined space to examine the potential hazard associated with their use in an aircraft cabin. The tests also examined accidental activation of FRHs in a confined area aboard the aircraft, such as in overhead storage bins or a cargo compartment. Temperatures in excess of 215°F and violent ignition events were observed. It is evident from the tests that the release of hydrogen gas from these MREs is of a sufficient quantity to pose a potential hazard onboard a passenger aircraft." (Page 10)

There are a number of companies that make or sell MREs; several make MREs with FRUs; one makes heater-included MREs only for the military, considering the FRUs too dangerous for the civilian market.

By and large, heater-equipped units probably are generally safe if

* the quantity on hand is small

* the storage box is explosion proof and damp proof

Hurricane season prompts many people to head for stores - or the Internet - to stock up on MREs.

But MREs are good for more than hurricane seasons. Think about travel in the winter; you're traveling along in the flivver and you get trapped in a snow storm. Stuck - but if you have an MRE or several, you won't starve. It won't be as tasty as a heated MRE, but, according to Mary Ann of My Own Meals, a/k/a "MOM," it is edible. She should know; MOM staff taste-tests each day's production and, since they don't have time to heat each test meal, they taste them at room temperature.

There is at least one private school in California that requires its students to provide a long-shelf-life meal - MREs meet that requirement - as part of registration. The meal is available in case an earthquake traps the students at the school. Meals are renewed every 5 years. (Do the kids eat the 5-year-old meals? I have no idea.)

Today's MREs remind senior citizens of the old tv dinners. Those, however, had to be heated in an oven. Today's FRU-less MREs can be heated in a microwave or under hot running water. Putting an FRU-equipped MRE into a microwave or under hot water can result in an explosion.

A longer version of this article is available at http://johnglennmbci.com/090720-MREs.html .

John Glenn, MBCI
Enterprise Risk Management/Business Continuity practitioner
Ft. Lauderdale FL
http://johnglennmbci.com/
Planner @ JohnGlennMBCI.com

 

Tuesday, July 21, 2009

Slipping through the cracks

 

When I was a young-ish tech writer I read a test document that was given to me to "clean up."

The equipment being tested was electronic and the main tool was an oscilloscope.

The text went something like this:

  1. Connect the scope to Test Point A.
  2. Set the scope to (whatever).
  3. Apply power to the equipment.
  1. Connect the scope to Test Point B.
  2. Set the scope to (whatever).
  3. Apply power to the equipment.

Anything wrong with that?

Not if the reader is an experienced person, but for the novice, trying to connect a single probe to two different test points at the same time is a bit of a problem; the test writer failed to disconnect the probe.

Later on, I was writing mil-spec documents for "process control systems." In this case, the process control controlled super-heated steam under very high pressure. Much of the gear went aboard Navy ships.

When a technician needs to work on a valve - the "control" in "process control" - the tech would first shut off AND TAG CLOSED the fluid input source, then the tech would shut off and tag the output destination. Basically, if "O" = open/close control, "I" = the valve, and "---" is the connecting pipe with > the flow direction, the arrangement was

-----> O -------> I ------> O ----->

Sometimes, of course, the tech had to shut off other "feeds" and all these had to be tagged.

The Navy is very big on keeping highly trained technical personnel safe.

Obviously, if the tech was going to work on the valve in the diagram, the feed would be closed. The tag was to prevent someone, discovering there was no steam where it was needed, from finding the closed valve and, without thinking, opening it.

The military in general is pretty safety conscious. Whip antennas for vehicle-mounted, fairly high powered two-way radio gear usually carry a Don't Touch Antenna Base warning; RF can do more than curl your hair; it can kill.

As a tech writer, it quickly becomes clear that any document covering anything that might be dangerous will include warnings and cautions and that these warnings and cautions will be used only in specific instances. The services also are - or at least in my day were - strict about "will," "shall," and "may."

That's not to say nothing was "screwy" in the service. Tech writers were forbidden (and forced to rewrite documents) to require a person to "screw in" or "unscrew" something. Too "suggestive." Threaded fasteners had to be "turned in" or "turned out."

For all that, the bottom line for tech writers was to concisely document what had to be done, to assure the information could be comprehended by the intended audience - and trust me on this, the number of years in school had nothing to do with it; training and experience was everything - and that all safety concerns were documented.

The lessons I learned as a tech writer carry over to my business continuity documentation.

A responder doesn't go charging into a fire-gutted building; the responder waits for a person who knows structures to determine if it is safe to go into the building.

A responder doesn't turn a possibly damaged machine off or on at the machine; the power is controlled at a breaker/fuse box.

Even clearing a copier has some risks. Remove rings and watches that could get caught or could entice a spark from a circuit. Wearing a tie? Tuck it into your shirt. Simple stuff that many times no one thinks to do.

I once worked for a telephony accessory manufacturer - the main product was a Station Message Detail Recorder (SMDR). They came in all sizes. One monster unit with reel-to-reel tape lacked what I - a simple tech writer - considered sufficient system grounding. I complained to the Italian engineer who designed the box and for that I was chastised. What kind of chutzpan was I to tell an ENGINEER that maybe there needed to be a system ground!

A little later, a trainer was showing some prospective customers for this box how it worked. The trainer wore metal-rim glasses. As he bent over the guts of the box, a spark arced and nailed the bridge of his glasses. The next day, the box had a system ground. (The moral to that story for planners is simple: Listen to everyone; they might just know something you and your experts don't know.)

As with the military gear, the civilian equipment also has its share of warnings and cautions.

Ever notice the warnings not to disassemble a monitor or tv? My #2 son, the Geek, has done both and will do neither again. He learned that there is a reason for the warnings. #1 son learned that yes, you really SHOULD turn off power before trying to remove an element from a water heater. I'm not sure they pay any more attention to my admonishments now than before their "experiences," but they do have a greater respect for warnings and cautions.

No matter if the document covers response to an "event" or installation/operation/maintenance of simple or complex equipment and systems, personnel safety must always be the Number One concern, of the planner and of the writer (who often, in this business, are one and the same).

John Glenn, MBCI
Enterprise Risk Management/Business Continuity practitioner
Ft. Lauderdale FL
http://johnglennmbci.com/
Planner @ JohnGlennMBCI.com

 

 

Thursday, July 16, 2009

Identity Crisis

 

It's a conundrum.

Unfortunately, it's definition 2b rather than 1 or 2a according to Merriam-Webster OnLine (http://www.merriam-webster.com/dictionary/conundrum). Definition 2b tells me that a conundrum is "an intricate and difficult problem."

My quandary (for which there only is one definition) is this: What am I?

I know who and where, but ...

I know who I am and where I am (Hollywood/Fort Lauderdale FL), but WHAT am I?

I am certified by The BCI as a Business Continuity practitioner sans any prefixes.

Problem is, "Business Continuity" means too many different things to too many different people.

To many who live behind data center doors, "business continuity" is really little more - if at all - than disaster recovery with some casual input from one or two of the user base.

To some others, "business continuity" is a profit center function and while it may look at more threats to the process than just InfoTech, it pretty much stops right there. Yes, it is "business" continuity, but it is at best ineffectual business continuity.

Do what we do

When we, as * practitioners - at this point let's use the asterisk in lieu of a name; consider it a "wildcard" for want of a better identifier - start Phase 2 of a business continuity process (Phase 1 being SOW and Project Plan development and approval) we work with the Subject Matter Experts (SMEs) at ground level to identify critical processes.

I suggest that we, as * practitioners, do the same thing with what we do.

True, we are concerned with the continuity of the business, even if the business isn't in the common sense a "business." What do I mean, a business that's not a business? Most of us don't consider a charity a business. Likewise a non-profit. Ditto government. But these are businesses. They all produce or provide "something." They all are concerned with Profit and Loss (P&L) and Return On Investment (ROI). They all have a payroll and clients to satisfy.

But what are the concerns?

The basic questions are:

What can happen to interrupt "business as usual"?

What could the impact be if whatever could happen did happen?

Yes, Virginia, I know I'm "weasel wording"; it will become clear shortly.

What do we call these potential interruptions?

Most often we, collectively as * practitioners, refer to them as "risks."

What do we manage?

OK.

Then what we are doing, with all our avoidance and mitigation work and response planning and exercises, is managing risks.

That would make us "risk managers."

To my Winnie-the-Pooh mind, that also opens up the realm of possible risks well beyond the traditional. What's "traditional?" For most it's environment, human nature, and technology.

In some circles, it also includes vendor management; since 2007, money vendors (lenders) have been included in my risk list (see Responsibilities Outside Planner's 'Area of Authority', DRJ Winter 2007). Wasn't that before the financial meltdown became headlines?

So be it. We are risk managers.

But wait ...

But wait, as the infomercials always add, there's a problem.

If you visit the Major Job Boards (and some that aren't so "major") and search for "risk management" you get hits for medical professionals, insurance claims people, and more.

I don't know about you, but while I have a distant medical background, I'm neither doctor nor nurse, and while I worked for an insurance giant, I'm hardly qualified to rate risks according to statistical evidence, be it for human coverage or property.

Doctors, nurses, and insurance people are some of the SMEs to whom I turn.

While I deal with risks, calling myself - as I did - an "Enterprise Risk Management" practitioner still isn't clear to the boards and, if not to the boards, then also not to people who would engage my services.

So, good bye Enterprise Risk Management (ERM) practitioner. Besides, I suspect "ERM" can mean too many other things.

Since I have been working in the defense industry the last several years and since the "pandemic du jour" is headlined as a threat, and we all know about Homeland Security's national Threat Level, perhaps "Enterprise Threat Management" - ETM - is suitable.

The Free Dictionary only lists 37 entries for "ETM" compared to 42 for "ERM." Do we have a winner? Not really; abbreviations are not really my "thing."

But I think that when someone asks me what I do, I'll tell them I am an "Enterprise Threat Manager."

That is, after all, what I do.

Here's the rub

The title doesn't agree with my certification as a Member of The Business Continuity Institute. No "threat" in either the title or the credentialing organization's name.

Just for kicks, I ran a job search for "Threat Management."

Indeed (http://www.indeed.com) returned 17 hits, many of which linked back to InfoTech. There was one really interesting hit, TASO-2408: Threat Environment and Scenario Developer. Hardly business continuity, the job called for the selected candidate to "be responsible for developing the threat environment and various scenarios to be used within an Analysis of Alternatives (AoA) for an existing Mobile Nuclear Air Sampling (MNAS) capability."

 

As I was at the top of this piece, I know WHO I am and WHERE I am, but I'm no closer to WHAT I am than when I started this exercise.

 

M-W's other definitions for conundrum are:

1: a riddle whose answer is or involves a pun
2 a: a question or problem having only a conjectural answer

 

John Glenn, MBCI, has been helping organizations of all types avoid or mitigate risks to their operations since 1994. Comments about this article, or others at http://JohnGlennMBCI.com/ may be sent to Planner @ JohnGlennMBCI. com.

© 2009, John Glenn MBCI    

Wednesday, July 8, 2009

When Business Continuity isn't

 

An ad for a "Senior Practice Consultant - Business Continuity / Disaster Recovery (Charleston, West Virginia)" caught my eye since I spent nearly a year in that town and enjoyed almost every minute of it.

The problem for a Business Continuity practitioner is that this is not Business Continuity.

The ad goes on to explain that "the position develops, manages and articulates Disaster Recovery/High Availability (DR/HA) solutions based on a client's strategic business and technical requirements for the Managed Availability Services (MAS) offering."

Nothing wrong with that, except it is NOT "Business Continuity."

The ad listed desired skills:

Customer focus and relationship management skills, strong interpersonal skills

Strong technical, organizational and leadership skills for DR/HA technologies

Excellent verbal and written communications skills, ability to write for both technical and senior manager levels

Strong results orientation with attention to detail and quality of deliverables

Program and project management skills, PMI certification a plus

Experience with development of enterprise level DR/HA test plans

Education and experience rated two lines:

Education Required: Bachelors (Business/Computer Science), Masters a plus

Experience Required: 3-6 years total, at least half with exposure to DR/HA programs

The ideal candidate will be a DR salesman with a technical background.

I have no objection to calling the job what it is: Disaster Recovery/High Availability Senior Practice Consultant.

I DO object to the advertiser suggesting that this has any connection to Business Continuity; at best it may be one-focus IT continuity.

What's my problem with this advertiser playing fast and loose with a couple of words? The beef is that its customers will think they have "business continuity" and that "business continuity" begins and ends behind the data center doors.

When a real Business Continuity practitioner proposes a true Business Continuity project or program, the response is "We have business continuity; we're paying ZXY Company n thousands a year to provide it."

Now the thing about Charleston, West Virginia, is that Disaster Recovery/High Availability doesn't cut it.

Besides the lovely Kanawha River flowing through town, Charleston's outskirts host several major chemical plants.

If one of those plants has an "accident," it won't only be an IT problem, it will be a personnel and facilities problem; it will be a "stay at home with the windows closed" or a "shelter-in-place" problem. Could it happen?

The local government thinks so; that's why bus sideboard advertisements tell residents and visitors what to do when the siren sounds, and that's why there are sirens to sound.

There are some other things that can go "bump in the night" (and daytime, too), but the main "global" threat comes from the chemical plants, both the big legal variety and the "in-the-garage meth labs" that plague the area. (Thanks to Charleston, I learned about Early Warning Radios.)

Call a spade a spade (and not a shovel) and call D/R D/R; it is not Business Continuity. Like spades and shovels, there is a difference.

John Glenn, MBCI
Enterprise Risk Management/Business Continuity practitioner
Ft. Lauderdale FL
http://johnglennmbci.com/
JohnGlennMBCI @ gmail dot com

Tuesday, July 7, 2009

Tamiflu resistant H1N1 reported

 


From ProMED-mail, a program of the International Society for Infectious Diseases http://www.promedmail.org

Public health authorities in Hong Kong announced Friday [3 Jul 2009] they have found a case of Tamiflu resistance in a woman who hadn't taken the drug. That means she was infected with swine flu viruses that were already resistant to Tamiflu, the main weapon in most countries' and companies' pandemic drug arsenals.

Two earlier cases, reported from Denmark and Japan, involved people who had been taking the medication. While always unwelcome, that type of resistance is known to occur with seasonal [influenza virus] strains and may be less of a threat to the long-term viability of this key flu drug. "It was not at all surprising to see resistance in patients on treatment, but seeing it in someone who was not treated, it certainly is more concerning," says Dr. Malik Peiris, a flu expert at the University of Hong Kong.

There is currently no evidence Tamiflu-resistant viruses are spreading widely. Still, some experts see the Hong Kong case as a warning that Tamiflu's role in this pandemic may not be as long-lived as pandemic planners would like. "I think it's too early to judge," says Dr. Frederick Hayden, an expert on influenza antivirals who teaches at the University of Virginia. "But I think that possibility has existed from the beginning, and it's something that needs to be certainly considered in making determinations about things like antiviral stockpiling, management of patients with more serious illness in hospital and how the available drugs will be used."

Japan's Osaka Prefectural Government sent a research paper to a U.S. medical journal on the 1st case in Japan of a genetic mutation of swine flu [virus] resistant to Tamiflu about a week before making the finding public, officials said Sunday [5 Jul 2009]. "It's not that we intentionally placed priority on the manuscript and delayed the announcement," said Tatsuya Oshita, an official in the prefectural government's health and medical care department. "As it turned out, we dealt with the matter in a way that could be criticized, and we are sorry."

* * * * * * * * * * * * * * * * * * * * * * * *

NOW WE HAVE A QUANDARY.

We have a malady that may now be human-human transmissible that, apparently, has mutated to be resistant to one of the two medicines of choice.

How it became Tamiflu resistant is of interest for the future.

What has changed, to my mind at least, is the need for stronger mitigation measures and a better understanding of what works and what doesn't.

Organizations that are able to perform critical functions in isolation are well-advised to establish, now, means to allow personnel to work in physical - but not virtual - isolation. Such options include use of public and private networks, applications such as Netmeeting/Live Meeting, teleconferences, Instant Messenger, and greater use of email.

As with most things, there are two sides to the "work-in-isolation" coin.

When people work in clusters, highways and byways are crowded with cars and delays in arriving are commonplace. Weather can further delay the commute.

Working in isolation and "commuting" via the Internet likewise will slow as the pipe becomes congested with digital traffic, particularly when large files are transferred or video applications are involved.

A partial solution may, operative word is "may," be to stagger Internet access much as most business days are staggered, e.g., when it's 8 a.m. in Miami, it's only 4 a.m. in San Francisco, but 3 p.m. in Jerusalem, Israel. Staggering access puts a greater burden on email and telephone use and slows communication exchanges to what now seems a snail's pace. (Does anyone still communicate via mail and courier? Compared to the Internet, which spoils us, that IS slow.) Fax may make a comeback.

But more than working in isolation, and for those who must be clustered - call centers, classrooms, military maneuvers, etc. - we need to find out exactly what we can do to prevent person-to-person contact in a face-to-face environment.

What type of mask, for example, is suitable?

Should we frequently wash hands with anti-bacterial soap or use anti-bacterial wipes? There is the very real probability that the bacteria we kill with the anti-bac applications will simply make the bacteria resistant to the soap. Would it be effective against influenza, anyway? Is simple hand soap - the likes of Ivory or Lava - sufficient?

We can try to teach people to be pro-active; to sneeze into a sleeve or elbow rather than into a hand or, worse, into the air, but no one will succeed in teaching a toddler to do these things.

Likewise, while adults may know to wash hands after a sneeze, will they do so when they are involved in an activity - from working a production line to playing a game? Even watching a movie or tv program ... will we actually get up and wash, missing part of the plot?

A cultural shift may be in order. Many societies are hand-shakers. Perhaps a non-touch salutation is in order, although how the saluting hand is raised could be considered either a greeting or insult, depending on the culture of all involved. The same applies to cheek-to-cheek physical contact.

There is no single answer, and there is no "solution" without its own peril.

Now - actually "yesterday" - is the time to consider all the options that are reasonable for our organizations and for ourselves at a personal level.

John Glenn, MBCI
Enterprise Risk Management/Business Continuity practitioner
Ft. Lauderdale FL
http://johnglennmbci.com/
JohnGlennMBCI @ gmail dot com

 

 

 

 

Monday, July 6, 2009

How much protection can we afford?

 

I used to ask my peers: How far away from our organization do we have to go to assure continuity?

Primary vendor?

Vendor's vendor?

Now, in light of several Category 5 storms and the financial crisis that turned into a tsunami swamping some major players, the question becomes: How prepared must an organization be to survive a disaster event?

The answer, of course, is the old stand-by: what is the organization's "risk appetite?" How much is management willing to risk?

I can hear the rank-and-file muttering: "Sure, management will risk OUR pay checks and pensions and benefits, but not its own." There's some sad truth in that as evidenced by the collapse of several "name" organizations.

We - risk management practitioners - play odds makers on a regular basis when we - with input from Subject Matter Experts (SMEs) both inside and, I hope, outside the organization - prioritize risks. The most common risk rating mechanism is Probability vs. Impact; what is the probability a risk will occur and what impact can the risk be expected to have on the organization if it insists on occurring?

Most of the time, picking the fruit from the low-hanging branches is sufficient. If you live on the US' southern Atlantic coast or along the Gulf of Mexico the chances are pretty good that you'll see flooded streets sometime between June 1 and November 30; almost as likely are Category 1 and, maybe, Category 2 storms.

But usually not Category 5 Katrinas.

Since most organizations lack unlimited funds, management (hopefully) uses our recommendations to determine what threats are the most "threatening."

Build a Cat 5-proof building when the likelihood of a Cat 5 storm is relatively small? Probably not the best Return On Investment (ROI) an organization can make. (Yet, here in Southeast Florida, even private residences are reinforced concrete block structures (CBS) with wind mitigation required. Economies of scale - sort of, since CBS still is a tad more expensive than the slapped-together-ply board used some other places I've lived.)

Does that mean we can ignore Cat 5 storms altogether? Hardly. It means we mitigate as much as we can and make plans - in the case of a storm - to get us and our organization's raison d'être out of the way.

Some threats are less obvious; perhaps only on the radar of a few specialists.

The current financial disaster, for example.

I'm not a financier and I don't play one on tv so I didn't see the storm clouds that gathered before the collapse of Wall Street and housing markets and the related domino effect. Being a skeptic, had I really been watching the markets, I might have wondered how long can the upward trends continue.

Like most small investors, my portfolio "ain't what it used to be." Nor is my retirement fund.

Big organizations, including government agencies, should have had "rainy day" funds. Many, like the State of Florida, did.

Problem is, it wasn't just a rainy "day," the financial storm was a continuing deluge.

How can anyone prepare for a threat at that level? Unlike a Cat 5 storm, there was not much the average organization could do to mitigate the risk. Southwest Airlines, which managed to weather the 9-11 storm that grounded airlines coming into, going out of, and traveling around the US, now finds itself in financial trouble. I doubt it will file for bankruptcy, but it's had to tighten its fiscal belt a notch or two more than it did following 9-11.

If the disaster was localized to the US, organizations could have been advised to move funds into foreign currencies. But the debacle is worldwide.

The old advice to move money into bonds, especially municipals, when the market dipped normally is sound. But this time both stocks and bonds have taken a hit.

So the question I put to you: What COULD have been done to keep a GM, for example, from layoffs?

Who should have told AIG that it was putting too much money into pig-in-a-poke products (and would anyone have listened, anyway?)

I didn't see this coming, and frankly, I'm not certain what - short of keeping a stable of SMEs from sundry disciplines on retainer - an organization could have done - should be doing - to mitigate this and future "Cat 5" threats, be they weather or financial or pick-a-risk category.

John Glenn, MBCI
Enterprise Risk Management/Business Continuity practitioner
Ft. Lauderdale FL
http://johnglennmbci.com/
Planner @ JohnGlennMBCI.com

Sunday, July 5, 2009

Financial squeeze

Most Enterprise Risk Management/Business Continuity practitioners never see an organization's financials.

That's too bad.

We all can see the financial straits organizations find themselves in due to the current financial debacle, bailout notwithstanding.

Back when airlines were grounded following the coordinated attacks on the World Trade Center towers, the Pentagon, and the aborted-by-passengers attempt on the White House, most airlines suffered a substantial hit, one that had them going to the government for a handout.

Not Southwest.

Southwest apparently has a reserve and a plan that let it weather that specific hiccup in cash flow. The current government handouts to banks - some of which did not want a handout - and AIG didn't make their way directly down to the airlines, and this time I understand Southwest is concerned about its bank accounts. There's a limit even for forward-thinking organizations such as Southwest.

I've considered the ripple effect in previous blog entries, and this is "more of the same, but different."

This time I'm looking at government.

Not just the federal government, but local governments - cities, counties, taxing districts, states.

My state, despite a homestead exemption and no state income tax, has some pretty stiff property millage rates. We pay more for less in Florida than we did near Washington DC.

When I went down to file for the $25,000 homestead exemption, the topic of "Wow, that's a high rate" came up. The very civil servant said that she expected tax valuations to drop - logical since the bottom fell out of the housing market - but, she noted somewhat sadly (she, too, owns property in the county) that the millage rate probably would increase to make up the difference. If I paid $2 on an assessed value of $2,000, I might soon be paying $1.50 on an assessed value of $1,000. Multiply that by the thousands of assessed value for the property and even with a homestead exemption, the taxpayer is stuck with a big bill.

While most states have, as Florida has, a "rainy day" fund, most smaller government bodies either have none or a small one. Similar to being prepared for a Category 2 hurricane and being hit with a Category 4 storm.

Things undoubtedly will get worse for property owners (and renters, too) in the near future.

More and more people will be forced out of their homes by the tax collector. As these homes become, and remain, vacant - even discounted, they will further drag down the market while failing to produce any tax revenue - local taxes will have to be raised. Even with cuts in staff (does anyone at the top ever volunteer for a pay cut?), there is a certain level of service that must be sustained by the governments, and someone, read "the remaining few taxpayers," will have to foot the bill.

The "American Dream" is becoming the "American Nightmare" for many folks just trying to get started. At the other end of the age scale, seniors on fixed incomes, perhaps with only Social Security to fund their basic requirements (do I pay for food or Medicare or rent this month?) also watch as their dreams of a rocking chair or time with a grandchild fade away.

I don't believe in beating a dead horse - although I certainly would like to beat a few of the fat cats who precipitated today's financial disaster - but there are lessons to be learned by individuals, corporations, and governments. One of those lessons is not to over-extend financially.

That lesson applies equally to individuals, organizations, and governments.

Organizations are finding that people simply cannot afford to buy the product, even if the product would normally be considered a necessity (e.g., health care).

Governments must be made to understand the camel, in the form of the taxpayer, can only support so much straw before its back is broken. Government executives also need to start budget-cutting measures with their often-inflated wages. (Yes, I know, "captains of industry" make much more than their government counterparts, but there are tradeoffs.)

It's time very senior management stopped behaving like the king with his new invisible clothes and started inviting risk management practitioners and others to "tell it like it is" - to listen and then act on the information.

It's too late for this catastrophe, but perhaps if anyone learns the lessons, it can be avoided in the future.

John Glenn, MBCI, SRP
Enterprise Risk Management/Business Continuity practitioner
Ft. Lauderdale FL
http://johnglennmbci.com/
Planner @ JohnGlennMBCI.com