AmalfiCORE Blog

Are We More At Risk Today?

Are we more at risk for attacks and disasters today than we were in the past? Yes, I think we are.

As a society it’s probably true primarily because of extraordinary changes in technology (increased reliance on complex interconnected systems), new and more bold motivations (human factors for attacks), and what I would describe as the ‘dumb down’ factor – that is, there seems to be less numbers of qualified and talented specialists who can help us prevent, defend, recover, and survive a disaster. This last point, less qualified individuals, I offer as a teaser for us to consider: “What can I fix at home or work by myself without relying on another human being to help me with a life-line?” Not much, I imagine.

Thinking in broader terms, larger centers of population may incur similar attacks or natural disasters as in the past, but the destruction and damage could be greater due to the higher concentration of people and infrastructure. The infrastructures are more complex and often interconnected, so damage or disruption to a utility service, for example, drastically impacts our routine way of life including how we commute, our ubiquitous reliance on the internet, reliance on transportation for many of our food sources, and our ability to recover swiftly and efficiently.

A task as simple as balancing an online bank account, when unavailable, can wreak havoc with an individual’s ability to manage finances. What about a cyber attack, flood damage in the data center, or major winter storm directly impacting major financial institutions?

I revel in the latest gadgets and I use many technology tools everyday to make my life easier. I just don’t think we are as resilient as we once were because of our extremely heavy reliance on technology.

While lessons from the past and statistics of probability of occurrence can inform our strategies, I don’t see history alone providing a complete picture of future threats and risks to ourselves or our businesses. For that, we should combine both historical perspectives (especially trends in naturally occurring weather patterns, sans climate change ), with current and up to date threat analysis. This combined approach gives us a better chance of understanding our exposures and planning suitable strategies to mitigate and recover.

References:

Platt, Franklin (2010). “Physical Threats to the Information Infrastructure”, found in Readings in IT Business Continuity, Norwich University, Chapter 22.

Fourmile Canyon Fire Boulder CO

Fire began mid morning on Labor Day 6-Sept10 and continues with devastating impact on Boulder County Colorado community.

Latest information on donations, fire status etc can be found at some of the following websites:

www.boulderOEM.org

A bank account and a text donation have been set up to benefit the firefighters who lost their homes while fighting the fire.Please forward this information to anyone who is interested.
Donations can be made to :

Boulder Canyon Firefighter’s Donation
Guaranty Bank and Trust
1650 Pace Street
Longmont, CO 80501

Also, you can text FIRE to 27722 to give $10 to BCFFA to directly benefit these firefighters as well.

Twitter at:  BoulderRescue

Use of Social Media During an Emergency

I think there is a good place for the use of social media in emergencies, however, we should acknowledge that there will be a large number of people who simply won’t be able to get the message due to obstacles.

Some of the obstacles include, as Ms Wagner says blocking or inaccessibility in the work environment, those that don’t use social media or only sparingly, the audience not being aware that a message is important or not having the device or access point to retrieve the message.

In the Boulder County area we experience a significant wild land fire every few years. The usual ‘reverse 9-1-1′ works well except if now one is home to receive the message or does not check their home voice mail.

There is also a large number of younger generation folks that do not watch TV or read the news through traditional means, but they are texting, tweeting, and checking Facebook regularly.

Therefore, we are considering how to use social media like Facebook and Twitter to alert residents of an impending danger. More work to be done to determine efficacy, but I do think it is time we use social media more regularly.

Impact of Risk Enablers and Realization on Supply Chain Disruptions

“Impact of Risk Enablers and Realization on Supply Chain Disruptions”

Andy Amalfitano

MSBC Seminar #4

Risk Management

Week 9, Essay 8

Aug. 7, 2010

Thesis

Supply chain disruptions can dramatically and permanently affect the success of a business. A shipment fails to arrive on time or is damaged enroute due to violent storms suffered by the transport barge; political unrest in developing nations changes the import/export policies; increasing piracy threatens to severely limit the source of parts and supplies being delivered to your overseas factories. More recently, the eruption of the Eyjafjallajokull volcano in Iceland demonstrated how vulnerable some industries are to air transport disruptions.

“Nearly three-quarters of risk managers say their companies’ supply chain risk levels have increased since 2005,” according to Marsh’s survey of 110 corporate risk managers in January and February.^[1]

Supply chain insurance demand grows each year, yet the types of insurance coverage rarely account for more than physical damage. That’s changing and businesses need to reevaluate their supply chain insurance coverage.

This paper describes the financial challenges faced by a companies with global supply chains and some suggested actions to realize and mitigate risks using among other strategies understanding of options including joining the C-TPAT program.^[2]

The Unexpected: We May Not be Ready?

Singhal and Hendricks in a study of 800 companies who incurred a supply chain disruption between 1989 and 2000 found that 33-40 percent experienced lower stock returns, share price volatility increased 13.5 percent, profits plummeted 7 percent, costs rose 11 percent and inventories increased 14 percent.^[3]

Companies can hedge their investments by diversification which brings some comfort level to the executives and shareholders. However, very little can prepare a company for unforeseen and unexpected supply chain disruptions.

The conflation or confluence of disruptions can further exacerbate the impact and significantly damage customer satisfaction.  Conflation describes the sequential occurrence of risk events that disrupt the enterprise. For example, a first event (major earthquake) partially disables and weakens the supply chain; a second event (dock workers’ strike) cripples the supply chain causing significant delays.  Confluence describes the simultaneous occurrence of risk events that overwhelm the enterprise. In the previous example, both events occur at the same time resulting in completely undeliverable shipments.^[4]

Insurance typically only covers physical losses due to transit or other damage incurred from natural hazards. Conflation and confluence situations don’t usually produce physical damage and therefore a company does not have risk mitigation in the form of financial reimbursement. In most cases, the risks caused by natural hazards, political unrest and other modern day threats is not covered by insurance. Some companies are now holding their subordinate supply chain and vendors accountable for implementing their own risk management plans.^[5]

Even if the company does have a way to cover financial losses, the impact on customer satisfaction will be dramatic. Understanding and realizing options for risk mitigation can have a profound effect on the how companies recover from such disruptions.

Intangible Risk

Another key issue is that beyond the physical and tangible risks are many more (and worse) intangible risks. Members of the supply chain including employees may hold attitudes and perceptions that undermine the process and inadvertently pose a risk.

The intangible lack of confidence in a supply chain leads to actions and interventions by supply chain members, which could increase the risk exposure. The bottom line is that the company experiences a higher level of uncertainty with lower confidence. Typical issues are no confidence in:

• Order cycle time
• Order current status
• Demand forecasts given
• Suppliers’ capability to deliver
• Manufacturing capacity
• Quality of the products
• Services delivered^[6]

This lack of confidence can compound the external risks described earlier and lead to conflation and confluence. It’s what Husdal (2009) calls a risk spiral which can lead to increased reliance on inventory buffers which may not hold up under protracted supply chain disruptions.^[7]

Realize the Risk and Take Action

Two aspects of executive action may be simply the right and the wrong action. The former leading to positive consequences and latter leading to negative consequences. In either case, an altered state or risk is the result. To avoid the negative consequences a great deal of critical thinking needs to take place which challenges the current risk management plan and attempts to envision “Unexpected, Unanticipated, Unintended

Consequences.” ^[8]

C-TPAT – Customs-Trade Partnership Against Terrorism

Of the top 10 potential benefits companies considered for joining C-TPAT, reduction in insurance rates was only 10th with less than 4 percent indicating that as a motivator.^[9]

Two key motivators for joining C-TPAT included:

• reducing the time and cost of getting cargo released by Customs
• reduced time and cost in CBP secondary cargo inspection lines.^[10]

The results seem beneficial  as described by those companies responding to the survey:

• “The vast majority (81.3%) of businesses that had a formal system in place for assessing and managing supply risk agreed or somewhat agreed that their businesses’ ability to assess and manage supply risk has been strengthened as a result of joining C-TPAT.

• Three quarters (75.2%) of businesses that had formal supply continuity and contingency plans.^[11]

Other actions suggested by C-TPAT guidelines include how to manage the supply chain risk process in a way that ensures not only that the guidelines are met, but that immediate control steps are enabled that help to provide better security.

1. 1. Mapping Cargo Flow and Identifying Business Partners (directly or indirectly contracted)
2. 2. Conducting a Threat Assessment focusing on: Terrorism, Contraband Smuggling, Human Smuggling, Organized Crime, and conditions in a country/region which may foster such threats and rate threat – High, Medium, Low
3. 3. Conducting a Vulnerability Assessment in accordance with C-TPAT Minimum Security Criteria and rate vulnerability – High, Medium, Low
4. 4. Preparing an Action Plan
5. Documenting How Risk Assessments are Conducted” ^[12]

Contingency Planning

Contingency planning is a strategic risk management tool. It allows for flexibility to use a generic set of plans to respond to unknown and unexpected events which pose a risk to the business. Success in managing unexpected events requires flexibility. These four contingency planning elements were found to be positively related to flexibility in managing risk in the supply chain:

1. “Top management support
2. Resource alignment
3. Level of IT usage
4. Inter-organizational collaboration” ^[13]

Consideration of contingencies is still a worthwhile action for executives to include among their strategic mitigation choices.

Conclusion

Studies show that major disruptions to supply chains can dramatically impact the long-term survivability of businesses. Insurance plans typically cover physical damage and not the wide variety of modern world disruptive events like volcano eruptions, earthquakes, high-seas piracy, political unrest, and other unexpected events.

Some companies have found value in joining C-TPAT to help ensure more security in their supply chain. Others realize that intangibles like the amount of confidence in supply chain capability can help strengthen or erode management of risks.

Enterprise strategies should include multiple approaches and implement a process that addresses risk in a way that is flexible and can more aptly handle unexpected disruptions.

Citations

[1] Byrt, Frank, (2008). “The Endless Quest for Indestructible Supply Chain“. Financial Week.com, Aug 2010. Retrieved 8-5-10: http://www.financialweek.com/apps/pbcs.dll/article?AID=/20080505/REG/628194365/1003/TOC

[2] Department of Homeland Security, (2010). “C-TPAT: Customs-Trade Partnership Against Terrorism“. Retrieved 8-4-10: http://www.cbp.gov/xp/cgov/trade/cargo_security/ctpat/

[3] Bosman, Ruud, (2006). “The New Supply Chain Challenge: Risk Management in a Global Economy“.  Factory Mutual Insurance Company. Retrieve 8-5-10: http://www.fmglobal.com/pdfs/ChainSupply.pdf

[4] Sikich, Geary. (2008). “The World of Risks and Opportunities“. Norwich University MSBC Seminar 4 Lecture Week 8, 2010

[5] Byrt, Ibid

[6] Husdal, Jan,  (2009). “Supply Chain Confidence“. Husdal.com. Retrieved 8-5-10: http://www.husdal.com/2009/12/07/supply-chain-confidence/

[7] Husdal, Jan,  (2010). “Contingent Flexibility“. Husdal.com. Retrieved 8-5-10: http://www.husdal.com/2010/03/08/contingent-flexibility/

[8] Sikich, Ibid

[9]  Diop, Abdoulaye; Hartman, David, and Resrode, Deborah, (2007). “Customs-Trade Partnership Against Terrorism: Cost/Benefit Survey“.  Retrieved 8-5-10: http://www.cbp.gov/linkhandler/cgov/trade/cargo_security/ctpat/what_ctpat/ctpat_cost_survey.ctt/ctpat_cost_surve.pdf pg 35

[10] Ibid.

[11] Diop, Ibid, 4

[12] Department of Homeland Security, (2010). “C-TPAT: 5 Step Risk Assessment Process Program Guide“. Retrieved 8-4-10: http://www.cbp.gov/linkhandler/cgov/trade/cargo_security/ctpat/supply_chain/ctpat_assessment.ctt/ctpat_assessment.pdf

[13] Husdal, Jan,  (2010). “Contingent Flexibility“. Ibid

Bibliography

Continuity Insights, (2010). “Demand for supply chain insurance grows as a result of the volcanic ash crisis: Marsh“.. Retrieved 8-5-10: http://www.continuitycentral.com/news05155.html

Husal, Jan,  (2010). “Risk Disablers“. Husdal.com. Retrieved 8-5-10: http://www.husdal.com/2010/03/03/risk-disablers/

“How Captive Insurance and Hedge Funds Can Help Offset Financial Risk Exposures”

“How Captive Insurance and Hedge Funds

Can Help Offset Financial Risk Exposures”

Andy Amalfitano

MSBC Seminar #4 – Risk Management

Norwich University

July 31, 2010

Thesis

In the last two years, many economists were proven wrong as the economy hit the worst recession and downturn since the Great Depression of the early 20th century. Today, missing predictions continues.  One of many examples is offered by Soto (2010).

“In April we said GSCI Total Return Y/Y could appreciate by more than 20% and at the same time we warned Crude Oil Valuation model just reached again its overvalued territory. One month later, we can say we were wrong…. It looks like Crude Oil Valuation will reverse completely… and there might still be room for more decline ahead…” ^[1]

Risk managers try to predict and find easy ways to improve their financial advantage, often listening to economic pundits. Those days are gone. “Global supply-demand imbalances in raw materials, and resulting price volatility, will likely continue to impact the profitability and competitive position of many U.S. companies.” ^[2]

This paper describes why a company should consider using various techniques within the financial markets to offset financial exposures.

Why

All businesses face exposures to predictable and unpredictable financial threats which can undermine goal achievement. The worst of these risks will be the unpredictable threats that present the greatest degree of uncertainty. Financial market-specific risks come in many forms:

• Interest rate changes
• Foreign currency exchange rate fluctuation
• Goods and services tax and import/export tariff law changes
• Geopolitical upheaval in areas where business is conducted
• Stock market volatility affecting investments and portfolios
• and more

Depending on the size of the business, some or all of these market levers may impact a business’ viability. ^[3] What’s more unnerving is the volatility and unpredictability of these risks. Economists have attempted to manage and predict the future with tools such as the CBOE-VIX ^[4], a widely used market analyzer. Academic researchers have attempted to create models to improve predictability. Both set of experts seem to agree that more data and understanding represents goodness, however, no specific model or approach to offsetting financial risk can be a guarantee. ^[5]

Verni (2005) offers four pieces of advice in managing risks:

• “Be skeptical
• Assume Murphy’s Laws are in force. If anything simply cannot go wrong, it will anyway
• If everything seems to be going well, you have obviously overlooked something
• Every solution breeds new problems” ^[6]

Gathering intelligence on financial risks and understanding what the information means to your business can be a key step in managing these risks. Scholes (2005) describes questions that a company can use to determine the ‘how’ of understanding asset management which he finds to be a key part of the strategy.^[7] In addition, three key asset management criteria that demand understanding are:

1. “Capital Allocation: How do we allocate capital to the risks we are taking, to each strategy individually or to a portfolio?
2. Optimization: Risk management is not risk minimization – it is risk optimization – but what is the right tradeoff between risk and return?
3. Stress Management: How do we handle it, and do we know how to do anything about it?”^[8]

It is incumbent upon financial risk managers to avoid poor financial investments and make educated risks about trade-offs, alternatives, and options.

How

After decades of study and trial and error attempts to completely predict and understand financial markets, no one single model has emerged that completely defines how to manage risk 100% of the time or with 100% accuracy.

In a thesis offered by Rörden & Wille (2003) the authors concluded that “the only theory which was considered to actually work in practice without any unrealistic assumptions was diversification.”^[9] Examples of diversification include spreading investments across different market types, investing some money in short-term and other money in long-term instruments, and selecting assets or commodities that are significantly unrelated by most measures.

A business needs to consider who they are as a company, what their tolerance for risk is, and apply some flexibility to their approach in selecting financial risk strategies. What is clear is that the lack of understanding of risks and/or the lack of a strategy will often mean the difference between success and failure of a business.

Here are two of the many options available for consideration by businesses:

• Captive Insurance
  • A form of member-owned self insurance, usually in a group of similar companies providing a form of alternative risk financing
  • Offers reduced insurance costs, stabilized insurance budgets, direct access to the reinsurance market, improved claims handling and data collection, possible tax benefits, profit center creation, and a negotiation tool. ^[10]

According to Jay Krafsur of the Krafsur Law Group, captives offer members a significant investment tool to manage insurance costs and reinvestment opportunities in the form of reduced and re-investable loss funding. ^[11] Approximately 60% of premiums go into loss funding which is mostly reimbursable over time. The other 40% is operating funds which are not recoverable, however all of the premiums are investment funds which provide a broad and rather securable asset which grows over time while simultaneously providing member insurance coverage. Further, captives apply strict rules to membership including letters of credit and other assurances of financial solvency of their members. ^[12] This strategy provides an avenue that businesses can consider to offset other financial risks that may be occurring within their industry or market space.

Hedge Funds

Usually reserved for the high net wealth individuals or firms^[13], hedge funds can play an important role in offsetting financial risks.  A hedge fund is “an aggressively managed portfolio of investments that uses advanced investment strategies such as leveraged, long, short and derivative positions in both domestic and international markets with the goal of generating high returns“. ^[14]

Primarily, a hedge fund is a way for an individual or in some cases, a group of people to invest significant sums of money using instruments that provide some security against changes in market value. ^[15]

The concept of hedging can be applied as a strategy to financial risk management.  The old term ‘don’t put all your eggs in one basket’ may still be wise advice to businesses facing uncertain futures.

Conclusion

There is no one sure-fire answer to how to manage financial risk particularly in the uncharted territory of today’s economy. Economists and researchers disagree on the best model or tool to use to forecast commodities, the stock market or other economic changes. Therefore, market volatility continues to plague investment strategy success for many businesses.

Two possible strategies are investment in captive insurance and hedge funds. Both offer unique ways to bring some level of security and risk avoidance to a business. These strategies offer an opportunity for businesses to not place all their investments in the same place and thus help ensure a more balanced financial risk situation.

Citations

[1] Soto, Francis (2010). “Commodities Indicators: May 2010“.  Retrieved 7-30-10: http://seekingalpha.com/article/204391-commodities-indicators-may-2010

[2] Dickson, Duanel; Manocchi, Jim, and Agarwal, Sanjay (2206). “Commodity Management: Profiting from Volatility“. Deloitte Consulting.  Retrieved 7-30-10: http://aimediaserver4.com/chemweek/pdf/deloitte1.pdf

[3] Crabb, Peter R., (2003). “Financial Risk Management: The Big and the Small”. Northwest Nazarene University ID. Retrieved 7-30-10: http://sshuebner.org/documents/Crabb%2010-29.pdf

[4] Chicago Board Options Exchange-CBOE (2009). “The CBOE Volatility Index-VIX“. Retrieved 7-30-10: http://www.cboe.com/micro/vix/vixwhite.pdf

[5] Rörden, Sarah & Wille, Kristofer, Supervised by Sundström, Angelina, Examined by Liljefors, Ole. “MEASURING AND HANDLING RISK – How different financial institutions face the same problem”. Mälardalen University School of Sustainable Development of Society and Technology Bachelor Thesis in Business Administration, 15 ECTS, June 4th, 2010. Retrieved 7-30-10: http://sshuebner.org/documents/Crabb%2010-29.pdf

[6] Verni, Ralph, (2005), “Financial Risk Management in Practice: The Known, the Unknown and the Unknowable“. Roundtable 4: Insurance and Reinsurance.” The Wharton School, Alfred P. Sloan Foundation, and Mercer Oliver Wyman Institute, 18

[7] Scholes, Myron, (2005), “Financial Risk Management in Practice: The Known, the Unknown and the Unknowable“. Roundtable 6: Asset Management.” The Wharton School, Alfred P. Sloan Foundation, and Mercer Oliver Wyman Institute, 22-24

[8] Schoel, Ibid

[9] Rörden, Sarah & Wille, Kristofer, Ibid

[10] Theriault, Patrick, PA, CPCU, AIAF. “Captive Insurance Companies: What to Consider When Establishing and Operating Captives“. Wilmington Trust Captive Management Services. Retrieved 7-30-10: http://www.captive.com/service/WilmingtonTrust/images%20and%20pdf/captive101whitepaper.pdf

[11] Krafsur, Jay of Krafsur Law Group – Captive Insurance Consultants, Chicago IL. Interviewed by Andy Amalfitano July 2010.

[12] Krafsur, Ibid

[13] Investopedia, “Hedge Fund“. Forbes Digital Company. Retrieved 7-30-10: http://www.investopedia.com/terms/h/hedgefund.asp

[14] Ibid

[15] McNulty, Daniel, 2010.“Offset Risk with Options, Futures, and Hedge Funds“. Investopedia by Forbes Digital Company. Retrieved 7-30-10: http://www.investopedia.com/articles/trading/09/offset-risk-options-futures-hedge-funds.asp

Perception – A Key Obstacle to Successful Risk Communications

We often hear that perception is reality. I can think of several obstacles within a company to proper risk communication and would like to speak to one – government regulation actually providing a shield for companies to not be required to communicate. [1]

Risk communication can be a tricky thing to do successfully. During a major crisis, experienced communicators like public relations experts help companies gather pertinent data, analyze the exposures, determine what the audience needs to know and deliver a crisp and cogent message, hopefully in a forthright manner.

What if there was a law protecting a company from having to be forthright?

According to an article by Lyndsey (2010) in the Washington Post, chemical companies are in many cases protected by a 33 year old law. [1] Lyndsey writes:

“Of the 84,000 chemicals in commercial use in the United States — from flame retardants in furniture to household cleaners — nearly 20 percent are secret, according to the Environmental Protection Agency, their names and physical properties guarded from consumers and virtually all public officials under a little-known federal provision.”

In the mid 1970′s, the policy was created to protect a company’s trade secrets from being used by competitors to overpower or destroy the business, a step purportedly taken to secure American business against foreign competition.

A worst case scenario would include mass deaths due to chemicals we didn’t know could harm us. I’d like to look at a smaller and more likely event, closer to home. A news story says that a Colorado emergency room nurse was exposed for 10 minutes to a dangerous chemical found on the boots of an oil rig worker.[2] She became quite sick while doctors tried to decipher the less than complete information from the manufacturer. [3]

“Although the company that makes the frac’ing fluid provided Behr’s doctors with what it calls ‘Material Data Safety Sheets” at the time of the incident, it refused to provide more specific information to the hospital once she fell ill, according to the Herald. Her intensive-care doctor had to guess what to do as he tried to keep her alive.”[4]

Of all the obstacles to providing good risk communication, I think overcoming perception is reality is probably the key hurdle. Often times perception is determined by how an individual’s interpretation of a how a danger affects them or people with whom they are concerned. If, as Sikich (2008) says, “Risk = Hazard + Outrage” [5], then managing risk communication must be conducted with a full understanding of who the audience is and the message they are expecting or think they need to hear. Crafting and delivering that message is not not-trivial.

To compound the perception issue, morality trumps economics. According to Griese (2002) events which are only economically impactful are more acceptable than events which cause both harm and economic damage. [6] Perceptions will then become more difficult to overcome due to the emotional stress associated with the ‘outrage’.

For the victims of chemical spills and their families, and for the emergency workers exposed to unknown, unreported chemicals, perception of the manufacturers will be an important consideration for the corporate crisis communications leaders to manage.

References:

[1] Sikich, Geary. (2008). “ Decision Points-Communicating Risk”. Norwich University MSBC Seminar 4 Lecture Week 10, 2010

[2] Layton, Lyndsey, (Jan. 2010). “Use of potentially harmful chemicals kept secret under law“. Washington Post. Retrieved 8-9-10: http://www.washingtonpost.com/wp-dyn/content/article/2010/01/03/AR2010010302110.html

[3] Frankowski, Eric, (2008). “Gas Industry Secrets and a Nurse’s  Story“. Retrieved 8-9-10: http://www.hcn.org/wotr/gas-industry-secrets-and-a-nurses-story

[4] Sikich, Ibid

[5] Ibid

[6] Griese, Noel L. “How to Manage Organizational Communication During Crisis“. Anvil Publishers, 2002 Tucker GA, 89

Business Continuity Webinar 25-AUG10

Join us for a webinar on August 25th, 2010 at 1:00 pm EDT
To join the meeting: http://norwich.na5.acrobat.com/r44501939/
Call in Number: 1-866-844-6898 | Conference code: 50261753
Sponsored by the Norwich University Master of Science in Business Continuity Management Program (http://businesscontinuity.norwich.edu) and the International Consortium for Organizational Resilience (http://www.theicor.org).

Continuity of Operations Planning
Events such as Hurricane Katrina have demonstrated the importance of continuity of operations planning (COOP) for public agencies. Not only can critical services be disrupted by disasters, but response agencies must ensure their own operations if they are to serve the public need during an emergency.
Recognizing the importance of COOP, President Bush enacted National Security and Homeland Security Presidential Directive 51 that requires continuity programs to “be incorporated into daily operations of all executive departments and agencies.”
We will examine the fundamental elements of continuity of operations planning, as well as how it differs from private sector business continuity. Public sector officials will learn about COOP programs, and private sector business continuity planners will learn how governmental agencies maintain their services during a disaster.

Presenters

Lynnda Nelson is the President of the Board of The International Consortium for Organizational Resilience (ICOR – www.theicor.org) a non-profit international professional development and credentialing organization. Lynnda is also owner and Director of Business Continuity Services, Inc., BCS (www.BusinessContinuitySvcs.com) a consulting company providing business continuity, disaster recovery, crisis management, and emergency management consulting, and an instructor in the Norwich University Master of Science in Business Continuity Management program.

Andrew Amalfitano is owner and principal consultant of AmalfiCORE, LLC (www.amalficore.com), a business solutions firm providing organizational learning, continuity of operations, and emergency planning to the public sector and disaster preparedness planning to medium size businesses.

Compliance Programs Only As Effective as the People

I’m not a fan of vast regulations. It seems, though that when corporate leaders make mistakes, or willfully fraud, a regulation is born that is often necessary.

Compliance programs are only as effective as the people implementing them. Yet, what ‘goes around’ seems to ‘come around’ and eventually it appears that most, if not all, perpetrators are eventually held accountable.

It never ceases to amaze me how a few dozen people in charge of various companies continue to try to get away with corruption. Some examples include:

• American Express
• Amoco
• Arthur Anderson
• BCCI
• Bridgestone
• Bristol-Meyers Squibb
• Coca-Cola
• Enron
• Exxon
• Ford
• Johnson & Johnson
• Marsh McLennan
• Merck
• Nortel
• Pepsi-Cola
• Texaco
• Tyco
• Union Carbide

Well the list is quite long. I’m not one to quote Wikipedia much, but it’s worth a look as it lists some 50+ corporations with scandalous episodes in their history. [1]

Sikich (2008) reports that “Current regulations and laws, such as NYSE Rule 446 and NASD Rules 3500, 3510, 3520, Sarbanes-Oxley (section 404), HIPAA, etc. make it incumbent on companies to assess compliance, operational resilience and ability to assure continuity of operations.” [2]

However, corruption continues. CNN reports on recent examples in a their expose of “75 Examples of Corporate Fraud.

I won’t pretend to judge each case as I don’t have the time or inclination to delve into the shenanigans of each. However, what is clear is that despite the plethora of compliance programs and regulatory oversight, the corruption seems to continue.

Leaders of corporations are responsible for setting an example and it’s definitely the people who consciously choose to follow the guidelines and comply or not. In my experience with a brush by compliance (i.e. SOX, HIPAA, etc), I can see where interpretation and judgment do enter the picture. Today’s businesses are quite complex and global connections can sometimes cloud an issue. Nevertheless, at the end of the day, someone makes a decision to do it ‘right’ or ‘wrong’ according to compliance laws and regulations.

There usually is an opportunity (usually as information comes to light) for the leaders to take responsibility, report transparently, and begin to comply. My guess is that most companies do, otherwise we’d probably be hearing about hundreds or thousands of cases instead of tens of cases.

That is crux of compliance, I think. Follow the rules the best we can and if we make a mistake, own up to it immediately, fix the situation, report what’s being done and continue our business. That is managing risk and I think it is the responsibility of all of the ‘people’ (employees included) to do the right thing always.

As for whether some of the regulations are properly worded or even need to exist is for wiser folks than me go figure out.

References:

[1] Wikipedia. “List of Corporate Scandals”. Retrieved 8-3-10: http://en.wikipedia.org/wiki/List_of_corporate_scandals

[2] Sikich, Geary. (2008). “Impact of Regulatory Initiatives and Guidelines“. Norwich University MSBC Seminar 4 Lecture Week 9, 2010

Overlooked Risk Realizations

Risk realization defines the ability of an organization to recognize threats, vulnerabilities and hazards and understand how those risks impact successful operations. Too often, a company may recognize risks, but may not always see or understand the complexities or interdependencies of risk on a broad or more global scale. Decisions are made at an executive level to prevent, mitigate, and control risks, however there may be unintended or negative consequences of the decisions. Regardless of the decision and actions taken to manage the risk(s), there will be an altered state of risk following the action(s). It’s important for company risk managers and executives to keep informed about the modified impacts due to altered risk states. [1]

An example of risk realization gone wrong is the recent BP oil spill. The media has reported that BP Oil company has developed many risk scenarios across multiple risk models. Yet, they apparently were totally unprepared to contain, control, and manage a spill of the magnitude experienced in the gulf this year.

An example of risk realization gone right is the frequent food recalls we seen on a regular basis across the food manufacturing industry. Beef, pork, chicken, dried foods, vegetables and more are often reported on a recall due to either salmonella or e.coli bacteria found in one or more lots. The food manufactures quickly identity the lot, product codes, shipment, factory station, and component source (eg. farm) and take immediate actions. Alerts are issued, notifications for recall with key data about the products are made, investigations are launched into the method by which the contamination occurred, and the ‘all clear’ is issued that says something to the effect of all the rest of the food products are fine, the contaminated food in question has been eliminated from the distribution chain, and we can all go back to eating what we choose. Unfortunately, the incidence of food contamination seems too high and too frequent.

The food companies appear to realize their risks and the confluence of multiple risks occurring at the same time, and have a plan in placed ready for execution.  While the brand may be temporarily tarnished, the masses of consumers do eventually return to eating what they want when they want it.

The key to mature risk realization seems to be that an organization is practicing a less myopic and more broadly considered view of the risk model and applying critical thinking to that model. That seems to be a recipe for success. [2]

References:

[1] Sikich, Geary. (2008). “The World of Risks and Opportunities“. Norwich University MSBC Seminar 4 Lecture Week 8, 2010

[2] Ibid.

The Impact of Clean Energy Policies on a Company’s Energy Policies

I write this to you from the comfort of my evaporative-cooled home on a hot summer afternoon somewhere in the United States. The personal computer hums quietly in the background as I sip coffee and set the cup back down on my cup warmer. The small desk lamp lights my reference material and other incidentals on my office desk. I’ll shower soon after my work-out and enjoy the warm water on my back. Later I will drive a gas-powered automobile to return family visitors to the airport for their ride home two hours away by plane and then I will complete my round trip 110 miles ride home, perhaps stopping off at a coffee shop for an iced espresso. Those machines produce great steam to careful brew the coffee, heh. And that’s just the tip of the iceberg of how much energy we consume daily. What about you? What about businesses that produce all of our goods and services, who employ us and ‘make the world go ’round’?

OK, my dilemma is I also support a global effort to decrease our negative impact on the earth from man-made activities and dependence on non-renewable polluting energy sources. I am trying to reduce my carbon footprint (but frankly I’m not convinced Gore’s work is sentinel).

As companies and businesses struggle with being ‘clean’ and still conducting vital business and the delivery of services we all require/want/need/like, there is an inherent risk. That risk is understanding and managing the complexities and dichotomies of clean and healthy vs profitable and responsible.[1]

It’s going to cost someone, somewhere, a large amount of cash to adhere to the increased energy restrictions and controls as a result of proposed legislation. [2]  There will be adherence rules that provide allowances for energy companies to be subsidized to achieve the 2012-2025 clean energy goals. However, there is proposed direction that those allowanced must eventually be transferred to the customers (energy users, like us). [3]

Back to the complexity issue. The myriad of interdependencies seems beyond my current understanding. In the Global Risks 2009 report (Economic Forum 2009) 36 risks were assessed and evaluated to determine likelihood, severity, and anticipated number of deaths. Looking narrowing at just the environmental category we find some examples of impact in the following table:

Table:

“# Environmental Risks Likelihood Severity

20 Extreme climate change-related weather

As the effects of climate change have begun to manifest themselves in weather events, this risk remains constant year on year but given that many of these incidents affect developing regions the number of deaths is likely to rise.

21 Droughts and desertification reduces agricultural yields
As the incidence of drought has risen, production has shifted where possible to less drought-prone areas or to more drought-resistant crops. Nonetheless, desertification remains a risk to incomes and health in vulnerable regions.

22 Loss of freshwater

Greater awareness and education and improved sanitation is slightly reducing the number of deaths but overall this risk is constant in terms of likelihood and severity.

23 Natural catastrophe: cyclone

Improved building standards and better warning information have to contributed to reducing loss of life from cyclones but the risk remains constant for relevant areas.

24 Natural catastrophe: earthquake

The threat of earthquakes remains the same as they are driven by geophysics. Improved building standards and response mechanisms are slightly reducing their impact.

25 Natural catastrophe: inland flooding

This risk rose over previous years, primarily due to flood plain development and an expected increase in climate change-related weather events but remains constant from 2008 to 2009.” [4]

In the balance, I believe that forward movement mean continuing to evaluate risks associated with adhering to energy policies, supporting or dissuading those policies based on a balance of overall good vs untenable costs, and never giving up on the need to find new ways to produced energy – ways which do not pollute the earth and still provide what’s necessary for mankind to survive and thrive.

References:

[1] Weirich, Tom, (June 2010). “Clean Energy Leaders Meet at First Global Clean Energy Ministerial Stakeholder Meeting; Declare Need for World Governments to Align to Ramp Up Clean Energy Deployment“, ACORE. Retrieved 7-25-10: http://www.usgbc.org/Docs/News/CEMSM.pdf

[2] Larsen, John, (July 2009),  “A Closer Look at the American Clean Energy and Security Act“. Retrieved 7-25-10: http://www.wri.org/stories/2009/07/closer-look-american-clean-energy-and-security-act

[3] Larsen. Ibid

[4] Economic Forum, “Global Risks 2009“, The World Economic Forum Report, Citigroup, Mash & McLennan, Swiss Re, Wharton School Risk Center, Zurich Financial Services, January 2009

Bibliography:

Sikich, Geary. (2008). “ The World of Risks and Opportunities “. Norwich University MSBC Seminar 4 Lecture Week 8, 2010

A Framework for Competitive Intelligence

Between 2008 and 2018, health care will generate more jobs than any other industry (approximately 3.2 million), primarily as a result of the aging population; healthcare occupations are also among the fastest growing with over 50% new occupations being in health care.^[1] The question is, will one Colorado hospital be in business to participate in this growth.

To remain viable in a highly competitive market, hospitals will need to create strategies that stand up to the continued financial pressures of the industry. Competitive intelligence must be part of those strategies. Since all hospitals are on nearly the same playing field, the challenge is to differentiate based on real, relevant, timely, and useful data.

This paper briefly describes what competitive intelligence is, then proposes a competitive intelligence initiative along with suggestions for a structural framework, scope, and individual skills and tools necessary to be successful.

What is Competitive Intelligence?

To ignore our environment or practice superficial reviews of our competition will surely keep us at a disadvantage. The risk to our business viability increases and our competitive advantage decreases without a constant vigil according to a systematic strategy.

Competitive intelligence is being alert for reliable information, gathering that information, and knowing what to do with it.  The process can include the collection, organization, analysis, understanding, interpretation and development of information which helps an organization differentiate itself from its competitors and reduce the risk of unknown actionable strategies. Johnson (2010) defines competitive intelligence as “… the purposeful and coordinated monitoring of your competitor(s), wherever and whoever they may be, within a specific marketplace.” ^[2]

We must understand what types of external events may impact our organization and what to do to prevent that impact. Next, collection of data is worthless without relevance, so we must convert the data into intelligent, relevant information. That involves collating, organizing, and integrating this new information with other related data points. Analysis should be performed by competent and trained strategist who understand both the big picture and the details. Finally, in order for the data to become useful and a competitive advantage, we must know how to interpret and communicate our findings.

Question types should address both the internal and external environments. The answers to these questions will change overtime, thus a repeatable, yet flexible process is necessary to ensure our information is relevant and current. Goodman suggests the following, not exhaustive, list:

________________________________________________________________________

“Corporate Picture, Focus: Company & Competitors

• When did this company begin? How did it develop?
• Who leads this company?
• What are this company’s plans?
• What does expert opinion say about the company?
• Who are the leading competitors?

Industry Environment

• How did this industry begin? Major developments?
• How are products made? Components relied upon?
• Any multi-industrial linkages?
• What technological developments will affect this industry?
• How do I update these analyses?

Socio-Political Environment

• What government or industry regulations affect operations?
• What current or pending legislation will be affecting operations?
• What market changes affect operations?
• What economic indicators would affect operations?
• What market barriers exist in U.S.? Internationally?” ^[3]

________________________________________________________________________

Collectively, these types of questions can help keep a ‘finger on the pulse’ (no pun intended) of the hospital industry and marketplace.

Why is an Initiative Needed?

The hospital has experienced over a 20% reduction in outpatient cases since the beginning of the recession in 2008.^[4] Sawyer (2006) indicates that hospital care is shifting from inpatient to outpatient.^[5]

Challenges faced by the hospital are many and developing dynamic strategies to anticipate market risks is certainly a priority. Some examples of market risks include:

• Physicians deciding on the flow of patients, many times without the patient making a choice
• Managed care contracts dictating approved hospital (vendor) lists including agreeing or not to what types of procedures can be done by which doctors at which locations. (This one boggles the mind!)
• Governmental regulations at both the state and federal level can affect the hospital’s accreditation and ability to market to new audiences (due to privacy laws etc)
• The advent of the outpatient clinics (not all are connected with a local hospital) can take away business more so during a down economy

Many of these challenges represent a risk to the financial stability of the hospital and the business of the hospital may be in jeopardy, at least in the short term.

Initiative

The purpose of the competitive intelligence initiative is to protect the hospital from risks that may permanently impact the viability of the business and which help achieve the stated mission.

A successful competitive intelligence initiative encompasses a holistic view of the hospital and works in concert with and support of the mission, vision, and goals.  This is accomplished by successfully implementing a protection system that proactively monitors, collects, and communicates information to decision makers who can respond in a timeframe that mitigates the risk and/or creates an opportunity to promote the business.

The initiative scope is all internal and external risks to the hospital business.

The initiative should include these primary elements:

1. Awareness and commitment of senior staff
2. Identification of risk area that could most impact the business viability
3. Formation of objectives to be accomplished including how to use the intelligence information when it is obtained
4. Institutionalize the process, obtain the tools (software, metrics, mechanisms to collect data, etc), and select individuals with the key skills necessary to accomplish the objectives.
5. Perform the actual gathering, storing, organizing, and reporting of the data become information taking into account event timing, currency of the information, and a process exception that allows for quick actions (the latter is particularly useful to manage disinformation and protect intellectual property or brand image).
6. Communication of information to only the people with a need to know who are equipped to understand, interpret, and take action as needed
7. Follow up and revitalization of the process in a way that considers new and emerging threats to the business.

Sikich (2003) recommends ten key actions to a company can take now and many of these are easily applied in the hospital business: ^[6]

1. “Make your enterprise an unattractive target
2. Revise employee screening processes
3. Validate business, community, and government contracts
4. Assess business continuity plans
5. Train and education your workforce
6. Equip your workforce
7. Review leases and contracts for risk exposure
8. Assess value-chain exposure to supply disruptions
9. Review insurance policies and conduct cost/benefit analysis
10. Communicate commitment”

The basic organizational structure should include representative members of the key staff and those who have a value to offer the process. In the case of the hospital, this should include the following identified individuals(by title only):

1. CFO
2. VP Technology
3. Medical Director
4. Director of Information Systems
5. Safety Manager
6. Associated staff of each above as needed to perform the data process steps
7. Others as identified by the CEO

The general set of skills required by the team collectively includes project management, data analysis, metrics and statistics, marketing and business development, the ability to apply differential analysis of alternatives, and adept decision-making skills.

The above represents a preliminary suggestion to begin the dialogue necessary to complete a full competitive intelligence initiative.

Conclusion

The challenges facing the hospital industry may cause some to incur significant financial impacts. Understanding what those impacts are, how they are caused, and what preparations can help mitigate or reduce the effects can be accomplished with a robust competitive intelligence system.

Citations

[1] US Department of Labor, Bureau of Labor Statistics, (Feb 2010). Retrieved 7-17-10: http://www.bls.gov/oco/cg/cgs035.htm

[2] Johnson, Arik R., (2010). “What is Competitive Intelligence?“. Aurora WDC consultancy. Retrieved 7-16-10: http://www.aurorawdc.com/whatisci.htm

[3] Goodman, Richard A., (Jan 2010). “Competitive Intelligence“. Retrieved 7-16-10: http://www.anderson.ucla.edu/x14441.xml#A-1

[4] VP finance, Anonymous Colorado Hospital, Interviewed by Andy Amalfitano October 2009

[5] Sawyer, Mike, (Jan 2006). “Competitive Intelligence in the Healthcare Industry-Part One“. Southern Regional Health System. Retrieved 7-17-10: http://www.directionsmag.com/article.php?article_id=2087

[6] Sikich, Geary, W., 2003. “Integrated Business Continuity-Maintaining Resilience in Uncertain Times“. Penwell Corp Oklahoma 57-58, 138-139, Chapter 8

References

Apgar, David, 2006. “Risk Intelligence- Learning to Manage What We Don’t Know”. Harvard Business School Press Boston 51-52

Aware Inc. “A Brief Guide to Competitive Intelligence“. Aware Inc, Retrieved 7-17-10: http://www.marketing-intelligence.co.uk/resources/competitor-analysis.htm

Top 5 Financial Risk Impacts

Financial risk is ubiquitous across all businesses, some more than others. By definition, the financial sector experiences risk as a part of its routine operational mission. However, all businesses even those not in the financial sector may incur financial risk as a result of business interruptions.

My guess at the top five (5) most critical financial risk exposures companies face today are:

1. Unstable economy
   • Changes in investment practices, regulations, fickle consumer spending, fall off in need for durable goods, failed banks, small businesses unable to get loans, high unemployment, all precipitous to market collapses (at least partial)
2. Supply chain unpredictability
   • Unstable emerging markets – e.g. Factory workers in China return to home provinces and stay home due to influx of government stimulus money into local regions. Factory idle, supply chain is disrupted.
   • Increase in costs to manufacture overseas
3. Service interruption
   • Loss of vital infrastructures due to natural hazards or intentional acts that disrupt power, water, and other utilities.
   • Lack of appropriate business continuity or disaster planning by over 40% of the (small) businesses in America today. [1]
4. Pandemics
   • There have been five significant pandemic outbreaks during the past 100 years with hundreds of millions of people losing their lives.[2]
   • Pandemics are unpreventable, however, there are steps to be taken to minimize impact.
   • Some pandemic plans sit collecting dust on shelves.
   • The long-term recovery could take 2-5 years [3]
5. Stock market crash
   • Could be related to the other risks I present here, but also could be unrelated.
   • Purposeful manipulation of stocks and bonds [4]

In contrast, Sikich (2003) offers a list of risk exposures many business may face, including:

• Business Interruption
• Contingent Business Interruption
• Extra Expense
• Civil Authority
• Service Interruption
• Ingress/Egress [5]

With each of these insipient risks exposures comes the challenge for each business to better understand not only the immediate impacts but the long-term financial impacts. Much more needs to be done across all industries to be prepared and hedge for inevitable financial risks.

References:

[1]  Berthiaume, Marc, (2008). “Is your business prepared for disaster?”. Retrieved 7-19-10:  http://www.nhbr.com/business/technology/379589-283/is-your-business-prepared-for-disaster.html

[2]  CNN. (2003). “Recent flu outbreak mild compared to past pandemics“. Retrieved 7-19-10: http://www.cnn.com/2003/HEALTH/12/10/flu.history/index.html

[3] Sikich, Geary, “Protecting Your Business in a Pandemic-Plans, Tools, and Advice for Maintaining business Continuity“. Westport CT, London 2008

[4]  Barker, Bill, (2007) “Three Forces Behind a Market Crash“. Retrieved 7-19-10: http://www.fool.com/investing/general/2007/05/08/the-3-forces-behind-a-market-crash.aspx

[5] Sikich, Geary. (2008). “Financial Risk“. Norwich University MSBC Seminar 4 Lecture Week 7, 2010

Why are some of us so poor at Measuring Risk?

People (we) are generally poor at measuring risk. We have dozens of useful statistical tools at our disposal, we collect lots of data, or in some cases, we pour over data and discuss with our ‘experts’, or we just read the news and form (uninformed) ideas about what is reality. Then in business we make decisions that affect our company and its future. This approach is the norm. Why is this so?

News media needs to sell and attract and it seems to do so with one-liners that grab attention. I find often that those one liners are quite misleading and rarely based on all the facts. Further, even when facts or data are the foundation of an article, basic statistics sometimes ignored.

For example, in the early days of our recent major economic decline, the NY Times (2009) reported that “the American economy is contracting at its steepest pace in 50 years“. Subsequent in the article it was stated that economists are predicting  “…the worst of the recession might have passed” due to a recent rise (then in early 2009) in consumer spending.” [1]

One month, one data point, and things are getting better?  I think not! It is precisely this inane, unsubstantiated rhetoric that feeds the misinformation pipeline and clouds the already unknowns of risk.

Without a trend (in process control, we sometimes considered at least 5-7 data points in a direction to be a trend), each data point taken by itself is meaningless toward predicting with an certainty what will come next in the chain.

The other salient explanation for why people and businesses are generally poor at measuring risk is the unknown nature of catastrophic risk and our inability to apply systematic tools to that unknown. In reading roundtable proceedings from the Wharton School (2005) I was amazed to learn how accurate some of the comments were from noted experts in the fields of financial policymaking, banking, venture capital, insurance, and asset management. [2]  During the roundtable session on financial policymaking, Sir Andrew Crockett offered the opinion that despite making ‘great strides’ in advancing the knowledge about managing risks, the unknown and unknowable present outcomes that simply cannot be predicted and that the statistics change over time. [3]

In the human resources recruiting arena, we often say that past performance is a very good indicator of future success. Not so in the financial risk world. In the opinion of more than one expert at the roundtable, (Crockett for sure) the past is not considered a good predictor of the future. Therefore, I think that critical financial risk exposures plague organizations over and over again simply because of the unknown nature of the most consequential hazards and events.

Apgar (2006) provides us with a number of very useful risk measurement tools. These along with other systematic methods of risk assessment can help businesses more accurately understand at least the known exposures to risk.

References:

[1] Uchitelle, Louis and Andrews, Edmund L., (April 2009). “Economy Decline in Quarter Exceeds Forecast“.  NY Times. Retrieved 7-19-10: http://www.nytimes.com/2009/04/30/business/economy/30econ.html

[2] The Wharton School, “Financial Risk Management in Practice: The Known, The Unknown and the Unknowable“. a roundtable summary; Alfred P. Sloan Foundation, Mercer Oliver Wyman Institute 2005, 3-4

[3] Wharton, et al, Ibid

[4] Apgar, David. “Risk Intelligence-Learning to Manage What We Don’t Know“. Harvard Business School Press, Boston 2006

Silo Oranizations and Risk

Silos are basically large vertical buildings that separate and store material on a farm. When referring to  organizations, a silo means that one department is not necessarily considering how their function impacts another within the same company. The larger the organization typically the more silos.

Within a company, even a small company, silos can be created. Many times silos are not knowingly are willfully created, it just happens. Well-meaning, hard-working employees and managers set out to fulfill their mission – to get the job done. We all know how that is and often don’t have time to worry about or communicate with the other departments, especially if there really doesn’t appear to be any direct connection.[1]

Example: The dive team (fill in any specialty like paramedic, hazmat etc) on a rescue or fire agency is comprised of divers and tender and field supervisors that understand and know how to manage a water-related emergency. Diving is a specialty. Usually not all of the agency are divers. When training, budgeting, and responding to calls the dive team does that themselves. Soon, there is an esprit decor established and a bit of a clique which actually serves the team well. Unfortunately, at the chief level, the whole agency is a team, an organization and silos are nearly invisible. How do leaders discuss risk mitigation, safety practices, and operating protocols when the very language the siloed functions use to communicate is different. When a 1400 person county-wide fire-rescue organization with over 500 square miles of jurisdiction covering 30 towns and 3 major cities talks about risk management, the silo effect could begin to cloud the best solutions to each risk or problem area. Now obviously, many agencies cross-train and communicate well, but you get the idea.[2]

When a large corporation develops a risk management program the existence of silos should be considered. When building a proper integrated risk management program silos can be overcome. To do so requires we look at the interface aspects of each function and the various cause and effect relationship between each. Modern trends in organizational effectiveness would suggest the need for more collaboration and less hierarchical approaches to problem identification and resolution and decision making in general.[3]

References:

[1] Sikich, Gary. (2008). “ Understanding the Risk Continuum: Integrating Risk Types “. Norwich University MSBC Seminar 4 Lecture Week 6, 2010

[2] Coleman, Ronny J., (2000). “Open up your silo and share with the community“. As appeared in FireChief Magazine July 14, 2010. Retrieved 7-14-10: http://firechief.com/mag/firefighting_open_silo_share/

[3] Retrieved 7-14-10: http://www.keyexecutiveforum.com/news/What_are_organization_silos2.htm

Almost ate the e.Coli – Company Brand Risk

I don’t watch TV or the regular news channels. Occasionally, I will catch up with Meet the Press on Sundays, a USA Today on the plane, or a quick internet browse of current events.

Last week I took a package of frozen organic buffalo from the freezer to thaw for evening dinner. Got on the internet and found this: “Colorado firm recalls bison meat over E.coli scare“.[1] So, I check the brand, date, product code, and lot number and it’s an exact match. Whoah! The likelihood of catching that article the day I was eating the bison is quite remote.

So, today I take out the package of elk for tonight’s dinner and, of course check the label and Google the company.  It seems ElkUSA (aka Grande Natural Meats) is having problems because the name of the company with the actual product recall (Rocky Mountain Natural Meats) and the product name (Great Range Brand Ground Bison) are very similar to the elk meat producer. Here’s what I found on their website:

“NOTICE: We are NOT affected by the recent USDA recall of Bison (Buffalo) ground meat and steaks from other companies.  (July 2, 2010)“[2]

This is just one small example of how a brand problem at one company affects another. When we consider the number of product recalls globally, risk to brand and image is real. Certainly it’s possible that problems with the food supply severely impact more than just one company, one geography or one product.

Just ‘food’ for thought, pun intended.

[1] Reuters on MSNBC, July 3, 2010. “Colorado firm recalls bison meat over E.coli scare“. Retrieved 7-13-10: http://www.msnbc.msn.com/id/38076817/ns/us_news

[2] Elk USA, July 2, 2010. “Grande Premium Meats”, Retrieved http://www.elkusa.com/

Today’

Threat – hazard – risk – impact – I am replaceable and someone will learn what I knew and apply it in business, building can be rebuilt and life will go on. Yes, all risks are economic.

A business ultimately exists to build profit or needs steady revenue to continue services (think non-profits need donors, volunteers, supplies). The tragic impact of loss of life or property is the most dramatic, devastating, and hurts us the most. We may lose loved ones, workers and their knowledge, possessions, equipment, product and infrastructure may be destroyed, yet, risk management becomes a strategy of balancing economic impacts.

Sikich (2008) suggests a list of top risks with high severity which easily applies to any country or business.[1]  I’ve suggested a priority order based on my understanding of each risk and a guess at what might cause the most broad and widespread global disruption:

1. Infrastructure Failure U.S.
2. Infrastructure Failure Europe
3. Emergent Virus with High Human Pathogenicity
4. Transatlantic Data Blackout
5. Significant Production Output Drop from OPEC Countries
6. Oil Price Spike due to Major Interdiction of Supply
7. Fall in U.S. Dollar
8. Severe Earthquake in Major Economic Center
9. Continuing to Consume more than is Produced
10. Significant Terrorist Event
11. China – India Economic Slowdown
12. Hedge Fund Collapse
13. Continuing Decline in Property Values

A recent risk study by FM Global (2010) found that companies who practiced rigorous risk management were more likely to be stronger financially than companies who did have good risk management practices in place as part of their corporate strategy. [2]

References:

[1] Sikich, Gary. (2008). “Strategic Risk Management: International and Economic Risk “. Norwich University MSBC Seminar 4 Lecture Week 5, 2010

[2]Douvas, Steven, 2010. “Companies With Strong Physical Risk Management Deliver More Stable Earnings, New Research from FM Global Shows“. Retrieved 7-8-10: http://www.fmglobal.com/assets/pdf/P09232.pdf

Social Media for Business Continuity

I believe today’s social media is only the beginning of more intricate and unimaginable methods of communicating.

For now, as many point out, there is a generational disconnect between those who use it and like and those who don’t. The question may also go beyond that point.

I’m not familiar with many Business Continuity managers who are  in the career stage (the age bracket) where social media is most accepted. Are they really out there? Most of the people I come in contact with who are in BCM are in the prime or later in their careers. In that latter group I find a loathing, avoidance, and irritability from many (not all) of the use of social media.

In a recent ACP member poll taken in one chapter fully 85% of those responding to a survey indicated that they either do not use or choose not to use any social media and further, they did not wish to use it to communicate or receive updates about chapter news or events.

Current social media, Facebook in particular, is fraught with privacy and security issues. Twitter has yet to prove itself valuable as a mainstream tool. However, both have been considered recently for use during disasters to get the word out to an audience who might otherwise not be paying attention to the traditional news outlets. For example, wildland fire incident command may approve the PIO (public information officer) to use Twitter to message evacuations and other fireground updates that affect citizens.

Returning to my initial statement and looking forward I believe while the challenge exists to use social media successfully in the BCM arena, we will be surprised at how other new types of social communication becomes a requirement in order to communicate at all. Think before email and cell phones and compare that time to now. It will happen again and we may not be ready.

Succession Planning Plays a Role in Business Continuity

When we think of the topic of risk management we may not immediately think of succession planning. I believe the two topics do go together. Unfortunately, in my experience, risk and managing a crisis are rarely part of a leadership curriculum.

Succession planning is a strategy to prepare today’s employees and managers to be tomorrow’s leaders. Managing risk involves understanding hazards, impacts, statistics, people and their attitudes and reactions to emergencies, urgencies, and crisis. I submit that some of the attributes that make a crisis/risk/continuity leader also are found in how we prepare and train future leaders. In particular, succession planning done well can help ensure continuity of the culture of a business.^[1] Continuity of a business culture outlasted generations as Collins and Porras (1994) learned in their research of the most successful companies who achieved perennial growth over decades.^[2]

Further, a company should care very much about the capabilities of their leaders to handle stress, crisis, and how to make strategic risk decisions for they will certainly encounter such challenges during their career.

Textbooks and training programs are replete with dozens of qualities and attributes that help an individual grow in ability and contribute as a leader. I believe that our leadership programs should include at least a facile understanding of risk management – the new global expanded world of business demands it, I think.

A successful succession plan begins with the future – understanding and in some cases guessing what lies ahead for a company, an industry, and the workforce that will support that future state. Smallwood et al (1999) refers to this as results-based leadership.^[3] In my experience working with Mr. Smallwood and a high tech computer company’s human resources function, I found that this approach has great validity. One approach can be to connect the nature of the business and industry to performance-based criteria. For example, oil industry leaders should be trained and prepared to manage a potential oil spill, scientists at NASA should be ready with contingencies for a space-born rescue mission, a college level school district should partner with local industry to understand how to train future leaders, etc.

Collectively, we as a society can nurture and focus on the future leaders instead of adhering to traditional, static methods of training managers to ‘just do a job’.

I offer a few suggestions here to businesses that may help with succession planning:

• Share the vision
  • educate the workforce with the ‘why’ of training and not just the ‘what’
  • demonstrate why particular measurements, training aids and topics can help the candidates be more productive and ready for the future
• Show you care
  • invest in your internal talent by providing ongoing, but focused training
• Provide tuition reimbursement
  • reinstate (some now defunct) tuition reimbursement programs
• Build competencies specific to risk and crisis management
  • include one module with practice on crisis management

And finally, one of my favorite mantras (which sometimes got me in trouble with management and sometimes reward myself and my team) is:

“If we always do

what we’ve always done

we’ll always get

what we always got.”

Therefore, we should listen to both the pundits speaking of the future as well as the next generation of primary workers (ages 25-45) for together we can build future leaders that can actually make a positive difference.

References:

[1] Byham, William C, Smith, Audrey B., Paese, Matthew, J., (2002). “Grow Your Own Leaders-How to identify, develop, and retain leadership talent“. Prentice Hall, New Jersey 357

[2] Collins, James C., and Porras, Jerry Il, (1994). “Build to Last-Successful Habits of Visionary Companies“. Harper Business New York

[3] Ulrich, Dave, Zenger, Jack, and Smallwood, Norm, (1999). “Results-Based Leadership-How leaders build the business and improve the bottom line“. Harvard Business School Press, Boston 207

SWOT for Utilities Sector

Well the first thing I noticed when performing an online search for information about utility company SWOT analysis is that the vast majority of information is about the stability of the companies for investing and from a financial perspective. While that can be interesting, I am looking more for the infrastructure capability issues.

There is a superb source for the infrastructure perspective found in a report by the World Economic Forum-WEF (2008) on building resilience in response to natural disasters.[1]  The WEF report highlights two important considerations regarding utilities: 1- continuous water sources is both a critical infrastructure service as well as vital to support most other service, as in, water for human consumption for workers in the utility sector and water to generate electricity that powers other sectors; 2- a connection to the transportation sector, as in, moving people and supplies that support, operate and distribute other utilities.[2]

A proper utility SWOT analysis would be quite involved, so here is a glimpse of the significant issues:

Strengths

• Provides key services that assure business continuity of other sectors [3]
• Revenue generator
• Provides jobs and employment
• A ‘green’ industry catalyst and/or incipient user

Weaknesses

• Disproportional impact of disasters on the industry [4]
• Increased vulnerability due to nature of large expanse of source and networks
• Out of date monitoring systems (many have been updated since 9-11, but others may still be exposed

Opportunities

• Large contribution to water management (dams/sea walls, irrigation, desalination, flood management, sewage draining etc) [5]
• Maintain revenues [6]

Threats (challenges)

• Susceptible as high priority terrorist target
• Where sectors are not privatized there is an increased burden on the public sector (i.e. funding and support), especially during a disaster which overtaxes the response from public sector [7]
• Regulatory constraints may threaten ability to generate revenue or implement all safeguards

Possible Initiatives

At a high level, I’d recommend the following actions.

1. Monitor, inspect, and institute quality assurance procedures. Knowing what we know and don’t know is the first step toward determining risks, threats, and vulnerabilities.
2. Perform regular maintenance of substations, dams, levees, and distribution systems. This action helps prevent needless outages due to inattention.
3. Create backup plans through co-ops and partnerships. When one region is experiencing problems or disaster other regions can more readily be prepared to take on some of the burden.
4. Develop business continuity plans (or COOP plans for public sector utilities) and conduct practice exercises to ensure the plans work when needed.
5. Implement security where there is none and bolster security in the most highly vulnerable locations (this includes redundant protections so that if one part of the water system or utility is contaminated another part can still be functional).
6. Create training and education programs for all utility employees relevant to the role they play in protecting our infrastructures.
7. Assign liaison duties to a key representative of the utility organization to build relationships and stay up to date with local governments and commissions.

Further detailed actions would result from each of these high level initiatives.

References:

[1] World Economic Forum, (2008). “Building Resilience to Natural Disasters: A Framework for Private Sector Engagement“. Retrieved 6-22-10: http://www.unisdr.org/eng/about_isdr/isdr-publications/joint-pub/building-resilience-natural-disasters-wef.pdf

[2] Ibid. 15-16

[3] Ibid.

[4] Ibid.

[5] Ibid

[6] Ibid.

[7] Ibid

How Useful is SWOT Analysis?

SWOT Analysis is an analytical tool/methodology used to evaluate an organization’s strengths, weaknesses, opportunities, and threats within their internal and external environment and is often the foundation of a company strategic plan.[1] [2]

Over the years, the SWOT method has been attributed to many different origins and authors, however, I could not find any absolute citation that directly attributes its invention to a particular person or group. Friesner (2010), a senior lecturer in marketing at the University of Chichester, West Sussex, UK, conducted research into SWOT origin as far back as the 1950′s, but similarly could not make a final determination.[3]

I think it’s important to consider origin simply because it would be interesting and possibly insightful to learn whether we are using the tool in its intended manner. I wonder if there is more to this simply tool or have the plethora of modifications actually improved and enhanced the tool. For example, Sikich (2008) presents an additional element ‘Hazards-H’ for evaluating risks.[4] Also, in the early 1920s Harvard Business School introduced the word ‘Challenges-C’ [as in SWOC] in their education programs (prior to ‘Threats-T’ being used). [5] Understanding intent might help us gain perspective in the value of SWOT. Nevertheless, the SWOT tool is ubiquitous in business and has many applications.

I have used SWOT analysis on several projects during the past 20 years and find it very useful. Some of the projects were at the strategic level of the business, others at the organizational level, and still others I applied at the functional (tactical) level.

One example was the use of the SWOT tool for a volunteer county rescue team. While facilitating the discussion among the officer staff, I found that strengths and weaknesses were quite easy to obtain, but opportunities and threats were more difficult. I think that is because we are all very used to looking at pros and cons, what’s good and what isn’t. However, opportunities and threats force us to look into the future and consider ‘what might happen if’ this or that occurs, ‘what forces (unknown) external to our company, organization, or business, might exist that directly impact us’ and ‘how might we react/prepare’ for such a situation.

Another example was the use of SWOT for a functional (silo-ed) organization. The purpose was to focus only on our internal environment and build a strategy related to improving our process. This exercise was well received and quick work was made of using the tool and creating the strategy. Obviously, it was naive to think that we could actually ignore (by design) external factors within the larger enterprise. Nevertheless, the exercise was useful to indentify how we might perform our work better in ways that would not have been found had we not had the discussion.

SWOT, like many tools, is limited by who participates and how broad the scope is, with better representation and broader considerations being of great help to the validity and analysis of the results. Some critics conclude that the output of SWOT can be too broad or too trivial depending on the participants and prejudiced expectations.[6] I like SWOT and also understand it has limitations.

Perhaps the salient point about SWOT and its usefulness is it stimulates a guided discussion that would not normally take place in the same manner as getting together to make improvements without a tool as guidance.

References:

[1] Papers4You.com, (2009). “What is SWOT Analysis?“. Retrieved 6-22-10: http://www.coursework4you.co.uk/essays-and-dissertations/swot-analysis.php

[2] Bartolomei, Kyra, 2010. “Weaknesses in SWOT Analysis”. Retrieved 6-22-10: http://www.ehow.com/list_6505968_weaknesses-swot-analysis.html

[3] Freisner, Tim, (2010). “History of SWOT Analysis”. Retrieved 6-22-10: http://www.marketingteacher.com/SWOT/history_of_swot.htm

[4] Sikich, Geary W. (2008). “Risk Analysis: Methods, Resources, Techniques“. Norwich University MSBC Seminar 4, Lecture Week 3.

[5]  Florida International University (2009) . “SWOT Analysis Defined“. College of Architecture-FIU. Retrieved 6-22-10: http://carta.fiu.edu/SWOC%20Analysis%20Definitions%20for%20Units.pdf

[6] Papers4You.com Ibid.

Effects of ‘Unrelated Risks’

An unrelated risk is a situation perceived to be directly related to and as a result a significant impact on an entity, company (etc) which in retrospect is determined to be irrelevant. Sikich (2003) points to the preoccupation of some competent risk managers (in the area of pandemics for example) with dwelling on and precise measurement of  threats, hazards, and risks that are actually dissimilar and have not significant effect on outcomes. [1]

There is evidence of pitfalls to risk management caused by unrelated influence on those making risk decisions. In some cases, information which truly has no bearing on the understanding or measurement of risk has been found to raise alarm where there may be no reason or under-react to more significant threats, especially to fear of pandemics, loss of a company asset, or other situation.

Pandemic

In multiple surveys conducted by the Association for Psychological Science,  it was found that those surveyed immediately after seeing or hearing (witnessed) a person sneezing were much more likely to perceive a chance of falling ill or of thinking it a good idea to support raised funding for production of flu vaccines. “The researchers suggest that the public sneeze triggered a broad fear of all health threats, even ones that couldn’t possibly be linked to germs.” [2]

Finance

In a recent Haifa University study it was found that reading stories of successful investing seems to cause some financial advisors to over rate the underlying company stock value in the article. The concern is that people can be influenced by unrelated information which can mask the true risk of a situation.[3]

Insurance

Insurance companies avoid writing policies on unrelated risks and use an ownership test (the company owns more than 50% of the asset) to determine insurability. [4] As businesses prepare for risk prevention and mitigation they would do well to work with their insurance companies to ensure that all assets are accounted for in the plan.

Chemical

Risk management of chemical and biotechnology often involves a paradigm from established and direct models. The European  Joint  Commission suggests that the paradigm of does measurements of “…precise dose-response” does not match reality. [5] Uncertainty factors used to “…derive human safety standards …” may result in an inaccurate does assessment [6]. “Indeed it is often acknowledged that quantifiability and relative seriousness are often unrelated ” (Cohen and Pritchard, 1980.) [7]

We can prepare for unrelated risks by considering an approach that addressed uncertainty in a more broad manner and offers challenges to traditional paradigms. [8] Enterprise risk assessment will need to expand its view beyond previously successful business models and learn to be more adaptable. [9]

References:

[1] Sikich, Geary W. (2008). “Protecting Your Business in a Pandemic“. Praeger Publishers, CT. Chapter 1.

[2] Association for Psychological Science, (2009, November 2). “Sneezing in Times of a Flu Pandemic: Exposure to Public Sneezing Increases Fears of Unrelated Risk“. Retrieved June 7, 2010, from http://www.newswise.com/articles/sneezing-in-times-of-a-flu-pandemic-exposure-to-public-sneezing-increases-fears-of-unrelated-risk

[3] University of Haifa (2009, April 28). “Reading Reports Involving Risk-taking Affects Financial Decision Making“. ScienceDaily. Retrieved June 7, 2010, from http://www.sciencedaily.com­ /releases/2009/04/090427091120.htm

[4]Westover, Kate and Whitehead, Bill (2010). “Unrelated Risk: What are Captives Writing, Why and How?“. 2010 Western Captive Round up. Retrieved 6-7-10: http://www.westerncaptiveconference.org/PDF/speaker-presentations/Unrelated-Risks.pdf

[5]European Science and Technology Observatory. (2001, November). “On Science and Precaution in the Management of Technological Risk Volume II Case Studies“, Report EUR 19056/EN/2 edited by Andrew Stirling (SPRU University of Sussex), 61

[6] Ibid.

[7] Ibid.

[8] Sikich, Geary W. (2003). “Integrated Business Continuity-Maintaining Resilience in Uncertain Times“. Penwell Corp OK, Chapter 1

[9] Sikich, Geary W. (2010). “Introduction to Risk: How it Applies to Your Enterprise“. Norwich University MSBC Seminar 4, Lecture Week 1.

Inherent Company Challenges Evaluating Risk Probability

There are challenges to completing a probability and consequence graph for an organization. We must first overcome the propensity to give attention to only the most probable threats, hazards, and then risks that may impact our company.  Often, the highest probable failure factor gets most of the attention and is the easiest to understand. While that factor must, of course, be planned for (prevented, mitigated,  prepared), other failure factor may produce unexpected consequences. Not being ready for the unexpected could prove more catastrophic than the occurrence and impact of the highest probable risk event. [1]

During the course of consulting with various organizations, I’ve found the most common reaction to the discussion of risk assessment is complacency. There is the usual litany of reasons (excuses) many of which are well-founded. For example, a typical comment is ‘ we’ve never had a natural disaster here and probably never will – the data just doesn’t support even a remote possibility, so why bother ‘(waste time or money)’.

Others suggest that they fully recognize the myriad of threats and hazards, but they have previously determined those risks and instituted preventive actions. In one case, I found that the organization had actually performed a good probability study of internal and external risks, but ignored the airport 1 mile away. An open discussion with that company helped them ask more specific questions that eventually modified their thinking about being unprepared for unexpected consequences.

The accuracy of the outcome depends on what an organization has done to fully understand a complex set of factors and influences. A study should be balanced to understand the impact of influences from internal capabilities and assets from the assets and capabilities of others, i.e. supply chain, service vendors, and others. Understanding what is within our control and balancing that with constraints can help ask the right questions. [2] For example, we learned that the pandemics are virtually outside our control and stop from occurring (cannot prevent), but organizations  can understand the complex impacts of exposure and implement mitigations, educate a workforce, and practice for contingencies to lessen either the time impact or the number of people impacted. [3]

Some business areas may be more susceptible to inherent risk assessment challenges than others. Areas of the business which use metrics and have systems in place to measure critical factors may be better equipped to understand the influences in terms of risk factors. Those areas might include IT, supply chain, customer service and finance. Other areas less likely to have consistent and formal metrics might be human resources, sales (other than revenue and quota), and ancillary support functions.

References:

[1] Sikich, Geary W. (2008). “Protecting Your Business in a Pandemic“. Praeger Publishers, CT. Chapter 1.

[2] Ibid

[3] Sikich, Geary W. (2010). “Introduction to Risk: How it Applies to Your Enterprise“. Norwich University MSBC Seminar 4, Lecture Week 1.

Training a Resilient Nation

“So building a resilient nation doesn’t come from a top-down, government-only, command-and-control approach; it comes from a bottom-up approach; it comes from Americans connecting, collaborating; it comes from asking questions and finding new solutions. And it comes from all of us as a shared responsibility.” Secretary Janet Napolitano, 29 Sept 2009 [1]

Community & Regional Resilience Institute-CARRI is yet another very valuable organization , this time grass roots approach, to researching, educating, sharing, informing, and building consensus among communities across the country. I say ‘yet another’ because I realize there seems to be dozens and dozens of separate and unique groups and organizations all working on similar or sometimes tangent topics related to emergency planning, critical infrastructure protection, disaster risk reduction, community awareness and preparation for major crises and disasters.[2]

On the one hand, it’s very reassuring that such groups all exist. Many bring unique and valuable perspectives to the discussion, while others appear to provide what might be considered duplicative efforts. There are community CERT teams, Red Cross training, government based programs like Ready.gov (for families, businesses and communities), institutes of this’ and consortiums ‘of that’.

I wonder what value there would be from some type of consolidation of thoughts, a repository of ideas and suggestions. I don’t advocate eliminating the social network sharing across the globe, but at some point I would think that information overload becomes an issue. Just exactly where does a person or business start?

I propose multiple, connected repositories where information can be gathered and sorted but in done so in a way that does not stop, prohibit, or stifle the continued creativity and dialog  which must continue in order to respond to a dynamically changing world.

Reference

[1] Napolitano, Janet, 2009. Source accessed 5-10-10: http://www.dhs.gov/xabout/structure/gc_1232568253959.shtm

[2] Community & Regional Resilience Institute. Source accessed 5-10-10: http://www.resilientus.org/

Risk Reduction: Building Confidence with NGOs

The United Nations disaster risk reduction guidebook (2007) offers a detailed accounting of how a variety of relief and support groups are actively working to help reduce risk during and after a disaster. Much of the focus is on the young people, children, and others who are not able to typically take care of themselves without additional assistance. The common approach that each of these organization have taken is information dissemination via multiple formats, video comics for the children, informative radio messages broadcast over channels that target audiences would hear, hardcopy media, and live, in-person gatherings. It is all a wonderful example of the vital role that NGO’s (non-governmental organizations) play on the world stage when it comes to influencing government and other agencies to cooperate and take action. [1]

When a group of people has information and shares their opinions, concerns, and fears about what actions to take because of knowing information, confidence is built. Confidence in the community can grow because fear can be mitigated by citizens believing that they can take care of themselves in the face of devastating incidents.

Business continuity professionals can help catalyze the information flow in their companies in ways that help bolster the confidence of communities. For example BC professionals can provide:

• support and champion a cause for risk reduction by speaking on behalf of the community at citizen meetings, local council activities, faith-based organizations, and other groups to build a sense of awareness;
• collaborate with information resource exchanges like the National Voluntary Organizations Active in a Disaster -NVOAD [2]
• family emergency guidebooks, information, what to do to prepare for emergencies or disasters
• training to employees of villages, businesses, and municipalities; emergency response teams and citizen groups that are more prepared to recognize a crisis and take early action;

A large number of communities throughout the western civilization already provide such support and help in the form of websites, speaking engagements at civic meetings, and free brochures and information materials.

The larger challenge is what can be done in the developing countries. While some of these countries have been fortunate enough to receive United Nations programs on disaster risk reduction (Practical Action Bangladesh; Ecuador “Critical Video Analysis” of Volcanic Eruption Mitigation Project;

El Salvador- Children and Youth at the Centre of Disaster Risk Reduction; Haiti Community Members Design and Implement Information Campaigns; India Masons with a Disaster Risk Reduction Mission; India Disaster Micro-Insurance Scheme for Low-Income Groups, and many others around the world) [2] many others have not.

Even in the United States, there are still many rural areas without internet access or consistently reliable cell phone service. There may be dozens of miles to paved roads or municipal supported services. Building self-resilience as a community may be the only avenue to be ready and survive a disaster. Preparation in these communities  should include assessment of the people, resources, organizations, and the community at large, and develop plans to evacuate or shelter in place in the event of a local disaster. [3]

Reference

[1] United Nations. “Building Disaster Resilient Communities – Good Practices and Lessons Learned ‘Global Network of NGOs’ for Disaster Risk Reduction“. U N D P 2007

[2] “Welcome to National VOAD“. Source accessed 5-9-10: http://www.nvoad.org/

[3] The Community Resilience Project Team, “The Community Resilience Manual“. Making Waves Vol. 10 No. 4.

Community Support by Businesses During Disasters

It is important for all businesses to evaluate their impact on the community should they face a situation when then cannot continue providing their goods and services. The primary reason for this importance is that the citizens and community at large become dependent on these goods and services to survive. For example, when a day care center was obliterated in a tornado (Windsor, CO 2008), it forced parents to make other arrangements for the care of their children while the parents continued to work. Also, the employees may have become dependent on the company for additional benefits that are no longer or at least temporarily not available due to a crisis or disaster.

Larger companies routinely provide may adjunct benefits to employees that become commonly expected. Employers with over 500 employees may provide employee services well beyond what is necessary to get the job done-the company mission. Examples include wellness centers at headquarters, daycare provisions for the children of employees, employee assistance programs to help with mental and emotional support, discounts on insurance and other services, and clubs and teams for recreation and social outlets. On the other hand, smaller businesses (less than 20 employees) rarely have the funds or the means to offer such elaborate services to their employees, a fact that is commonly accepted in that setting. During a disaster, the community at large is often impacted and so are many companies. Those same adjunct benefits may not be available and employees will be directly impacted. [1]

Beyond the benefits and internal services, some businesses provide goods and services that are more of a necessity to the community. Examples include private schools, gasoline stations, grocery stores, hardware and building material centers, HVAC suppliers and contractors, etc. When these businesses are impacted by a community wide crisis a ripple reaction occurs. Not only are the employees directly impacted (cannot get to work and get paid), but everyday necessities may be unavailable for extended periods of time.

Because of the vital role that many businesses play in the community, encouraging community resilience is an important responsibility of those businesses. Many communities have found value in building cooperative programs that include bringing together the public and private sector organizations for the purpose of shared ownership of being prepared for possible disaster events. Even businesses that do not  provide vital services and products may, during a crisis, be able to offer vacant buildings, facilities, equipment, and shelter to support the relief effort.

To maximize the opportunities to be ready as a community, pre-planning is an important step. Prior knowledge of space, size, capacity, availability, and access and egress to locations can save time and money and expedite bringing vital resources to the community during and after a serious event. By participating in such readiness preparation, businesses can help strengthen resource-dependent communities.[2]

Reference

[1] Small Business Association Office of Advocacy. Source accessed 5-9-10: http://www.sba.gov/advo/stats/sbfaq.pdf

[2] The Terrorism and Disaster Center in the Department of Psychiatry and Behavioral Sciences at the University of Oklahoma Health Sciences Center and the National Child Traumatic Stress Network, Building Community Resilience for Children and Families, 2007, 26

Supply Chain Risk vs Benefit

One of the most interesting facets of supply chain management is the dichotomy of risk versus benefit analysis. The very same strategies that can help a company rein in costs, consolidation and single sourcing, can also be sources vulnerability that can inhibit business resumption following a major disruption or disaster.

Martin (2003) and Bosman (2006) offers good guidance on many of the issues facing global supply chain managers.

1. Reduce inventory through just in time methods:

The advantage is improved cash flow as a cost reduction of carrying less inventory on the books as assets prior to posting receivables. However, this may result in an inability to respond to a rapid increase in product need, thus missing market opportunity and revenue. The impact on risk management is a positive since if there is a site or location specific crisis, the loss of inventory is much smaller and therefore ability resume normal business operations is improved. [1]

2. Global sourcing minimizes risk and improves business continuity:

By broadening the base of suppliers (pre-approved and pre-priced), the loss or interruption of one supplier does not dramatically impact the overall production. When environmental catastrophe occurs, it would not be prudent for a business to have both primary suppliers of the same goods in the same geographic location. [2]

3. Visibility into the supply chain.

“Risk management should be based on a high level of supply chain visibility, process alignment and understanding/cooperation amongst all supply chain partners.” [3]

That is, as long as there was accountability with the approved vendor list, then sub-vendors were not of concern. That approach is changing, according to Martin (2003) and more and more supply chain managers are setting stricter controls on the suppliers of the suppliers.

I recall managing a sourcing information team in the computer industry. Our job was to create a qualification standard to measure our suppliers and eliminate unreliable vendors. Through a series of metrics (quality, cost, delivery, and issue response) we rated each vendor. One of the questions involved proof that the vendor’s own suppliers were on-board and able to meet similar supply goals. Any vendor that could not also prove that it’s supplier could meet the goals was summarily dropped from the approved vendor list. This proved fortuitous since one of the business goals of the program was to reduce the number of vendors which we did from 900-330 within  8 months.  It did not occur to me at the time to consider business continuity implications.

Reference

[1] Christopher, Martin. 2003. “Creating Resilient Supply Chains: A Practical Guide“. Centre for Logistics & Supply Chain Management School of Management Cranfield University

[2] Bosman, Ruud. 2006. “The New Supply Chain Challenge: Risk Management in a Global Economy“.  FM Global. Source accessed 5-3-10: m http://www.fmglobal.com/pdfs/chainsupply.pdf

[3] Nelson, Lynnda ,2010. “Improving the Resilience of Your Supply Chain“, from Norwich MSBC Seminar 3 Lecture Week 9.

Employee Theft

Lenard (2010) suggests that there are three factors that [can] lead to employee theft

• Motive
• Rationalization
• Opportunity [2]

The economy can cause people to do things they might not have considered before providing motive.  With that motive comes the rationalization that stealing from a big company won’t hurt the company; they may think that they deserve something more in return for their efforts, which may be more unnoticed in the fast-paced  world; employees may believe that  it’s not theft if they are using the property for both work and personal use.

What is being done to reduce employee theft? Some organizations are increasing company communications to employees to bring more awareness and set expectations about theft. Additional audits of company databases, tracking of phone use, particularly long-distance, and increased security measures at entrance/egress points are all ways that companies can and are trying to prevent and reduce theft.

To address criminal activities as a result of the state of the economy, 28% of all companies and 38% of large organizations point to increased communication with employees regarding the issue. Twenty percent are conducting additional audits (25% in large companies), and 19% of companies overall are paying more attention to background checks prior to the hiring of new employees.[2]

One primary reason why employee theft may be on the rise is the poor state of the economy. According to a recent report by the Institute of Corporate Productivity (i4cp report) “...27% of respondents in large companies — those with 10,000 or more employees — said crime in the workplace has risen during the current economic crisis, while 15% of all respondents, regardless of company size, reported it stayed the same the same.” [2]

References

[1] i4cp.Inc, 2008. “Study: Down Economy Sparks Rise in Workplace Theft”. Source accessed 4-26-10:  http://www.i4cp.com/news/2008/12/11/study-down-economy-sparks-rise-in-workplace-theft

[2] Lenard, George. 2010. “The Recession and Increasing Employee Theft: Understanding and Preventing Employee Theft”. George’s Employment Blog-Workplace News & Views, Edited by St. Louis Labor & Employment Lawyer George Lenard. Source accessed 4-26-10: http://www.employmentblawg.com/2008/the-recession-and-increasing-employee-theft-understanding-and-preventing-theft/

Safe and Secure Work Environment

A resilient organization is able to work through and recover from a major crisis or disaster in a positive manner. One of the many contributing factors which makes an organization more resilient is a safe and secure environment. When a company has taken steps to mitigate and reduce exposures to unsafe practices and to increase security, employees experience less stress, feel more comfortable and confident, and demonstrate improved productivity.

At a global high-tech firm, the most visible sign of security is badge access to facilities. From an IT perspective, random password generators are used to allow individuals to access any workstation at any facility in any country.

On a business trip to Stockholm, we encountered a breach in security which impacted the productivity of our business plan for that week. The night before we arrived unknown people broke into the main office, did some damage, and the office became a crime scene. For those of us that travel often we know that just being in a different country, navigating the language and getting around town, are challenging enough. This event raised our level of stress about being present and trying to work around the scene. This was not a major crisis in any way, however, it did cause some consternation and impacted our goals for that trip.

Looking at the workplace, most company campuses have a great deal of focus and programs in place that support the employees. Some of these include ergonomic standards, security force patrolling the grounds and buildings, surveillance cameras, adherence to OSHA guidelines, full background checks and drug screening for new hires, environmental health and safety programs that monitor interior building air systems, and many more.  The result is that the work environment feels open and safe.

Reference

“Creating a Safe and Secure Workplace“. hrthatworks.com. 2007

Can Corporate Governance Affect Reslience?

Larson proposes a “Basic Resiliency Model” where employee resiliency is a modifier to risk and organizational change and therefore productivity (and performance) is less impacted by the changes. The value of this model, if true, is that a company can create an environment that promotes resiliency and avoids the loss in productivity during ever increasing times of change. [1]

Lee provides guidance (based on material from R.M. Kantor) on what makes for a more resilient workforce with the intent of helping companies create policies that promote healthy resiliency. When individuals exhibit qualities such as being “fast, friendly, flexible, and focused”, organizations can withstand the pressures of fast-paced changes and better cope with uncertain times. [2]

Addressing employee stress can create a more controlled environment which has been found to be one of the key attributes of resilient individuals and their sense of self-efficacy. An organization can build trust by providing an open, friendly, focused, and goal-driven environment. This can also attract new talent and keep existing talent.

I recall our company working closely with a high-value consulting firm which presented the concept (among many in the model) that once a corporation provides a clear governance model, with expected behaviors, individuals will self -select in or out. [3] This can be an approach which helps develop a more resilient workforce. An organization can set policies that promote reduced risk, increased resource attainment, and a more process-focused environment (including training), all characteristics found to be present in resilient organizations. [4]

Robb suggests that organizations can be more resilient by building both an adaptive and performance- based culture [5]. By focusing on goals and tasks for immediate survival (performance culture) and providing a safe, supportive, and innovative atmosphere (adaptive culture), an organization and its employees can weather most major events. [6]

Organizations that do not foster resilience will find themselves having a difficult time surviving major changes, particularly emotionally draining and stressful events.

References

[1] Larson, Milan. “Resiliency: A Resource For Today’s Employees“. University of Nebraska Organizational Behavior Organizational Theory Track. (date unknown)

[2] Lee, David. “Why You Will Need a Resilient Workforce in Today’s Economy“. HumanNatureAtWork.com, 2008.

[3] Meagher, Ed. “The Woodstone High Performance Model“. Woodstone Consulting. 2000

[4] Larson, Ibid, 10

[5] Robb, Dean, 2000. “Building Resilient Organizations“. Robb Consulting. Vol 32 No 3. Source accessed 4-18-10: http://www.robbconsulting.com/resilientarticle.pdf

[6] Ibid

Nike and Crisis Management

In 1996, Nike was embroiled in a scandal when allegations were brought to light regarding child labor used in offshore factories around the globe. In 1997, Nike was in violation of OSHA standards in Vietnam with workers allegedly exposed to toxic fumes. [1]

At the time, Nike CEO Phil Knight issued a statement identifying the ways in which Nike was going to make things better by creating improved working conditions. The six promises were:

• “1st Promise: All Nike shoe factories will meet the U.S. Occupational Safety and Health Administration’s (OSHA) standards in indoor air quality.”
• 2nd Promise: The minimum age for Nike factory workers will be raised to 18 for footwear factories and 16 for apparel factories.
• 3rd Promise: Nike will include non-government organizations in its factory monitoring, with summaries of that monitoring released to the public.
• 4th Promise: Nike will expand its worker education program, making free high school equivalency courses available to all workers in Nike footwear factories.
• 5th Promise: Nike will expand its micro-enterprise loan program to benefit four thousand families in Vietnam, Indonesia, Pakistan, and Thailand.
• 6th Promise: Funding university research and open forums on responsible business practices, including programs at four universities in the 1998–99 academic year.” [2]

Subsequently and during the next few years, Nike is said to have made changes to working conditions. However, independent sources suggest that not all the steps were taken that should have been for Nike to stop unfair labor practices in southeast Asia. [3] Further, a current article refers to “…Nike’s 2007-2009 Corporate Social Responsibility Report… [indicating that] …more than 20% of Nike’s original equipment manufacturers have asked their employees to work excessive overtime hours and this number is still on the increase“. [4]

My view is that Nike appears to have launched a campaign to divert attention away from the primary issues (negative press about their labor practices in southeast Asia) and focus attention on their promises and programs (Global Alliance for Workers) and what they were doing to make things right. A reasonable crisis reaction. What would be more credible is if the company actually made significant progress and did not repeat the offenses. As we see from the recent report, Nike’s OEMs are asking workers to work excessive overtime hours.

What Nike did right was mount a campaign to demonstrate change. What they did wrong was not make the changes 100% throughout their operations and repeat similar violations of worker’s rights. Nike now seems to be addressing the OEM issues through an improved OEM supply chain relationship program. I’m not convinced that it is working. [5]

From personal experience, I know that a proper factory audit by an independent team can be helpful. However, we found that there are ways for factories to temporarily hide the true conditions. Also, if the ‘home-workers’ are not part of the audit, then companies and their supply chains can get away with continuing practices.

References

[1] Connor, Tim, 2001. “Still Waiting For Nike To Do It-Nike’s Labor Practices in the Three Years Since CEO Phil Knight’s Speech to the National Press Club“. ISBN 0-9711443-0-3. Source accessed 4-11-10: http://www.globalexchange.org/campaigns/sweatshops/nike/NikeReport.pdf

[2[ Ibid , 2-3

[3] Ibid, 3-5

[4] China CSR. 2010. “Nike Admits Poor Labor Practice By OEM”, Source accessed 4-11-10: http://www.chinacsr.com/en/2010/01/28/7060-nike-admits-poor-labor-practice-by-oem/

[5] Norwich University, “Nike Case Study“, Lesson 6 Discussion Question #2, MSBC Seminar 3, 2010