Preparedness, Business Continuity, and Risk

A recent study indicates that a two day interruption of key business functions could cost your business $3M.  As most businesses are in urban areas, you could face much worse. One of my clients is located in Ferguson, Missouri and they have had weeks of disruption.

If your company is to continue operations during an upheaval, then the people who do the work must have the skills and resources needed to get through each workday. This requires a common-sense approach to urban survival planning for your employees rather than trying to create urban survivalists who grow an acre of food, raise goats, and live in underground bunkers, or worse having an entirely unprepared workforce. As most of your workforce probably lives in an urban setting, this bears serious consideration.

After researching this topic for several years I have come to the conclusion that you can’t train all your employees. You must select key people and train them and then make every reasonable effort to retain them. This may require a change in the corporate culture. It will certainly require looking beyond the next quarterly results.

Unfortunately, most business owners are risk-takers. They will see a major urban upheaval as an unlikely event. They will take the risk that during their tenure the event will not occur. This characteristic also explains many business failures, data breaches and large scale fraud events.

Business leaders need to understand their risk-taking behaviour. Without this risk-taking the business wouldn’t exist. Unfortunately, this same risk-taking may also destroy the business. Does your business have a risk committee of the board and does it consider this risk? Many businesses have an audit committee and compensation committee, why did so many abandon the practice of  having a risk committee?

The full board has overall responsibility for risk oversight and this mirrors board responsibility for overseeing strategy. When an audit committee takes responsibility for risk management, the result is usually, in my experience, unfocused and inept. They do not have the skills and knowledge needed to evaluate all the business and operational risks faced by the enterprise. Audit committees often obscure the transparency needed for effective risk management and risk oversight by authorising such things as off-balance sheet transactions.

A separate risk committee of the board is not a one-size fits-all solution, but companies facing rapid changes in the business environment and emerging risks such as new technologies and security threats, should have a risk committee. Deteriorating urban infrastructure, poor city governments, inept policing, IT security, and other factors that affect business operations in our degenerating urban conditions certainly advocates the creation of a proper risk committee with business continuity on its agenda. The committee usually requires independent directors with specialised knowledge and experience with the critical risks facing the enterprise.

Surviving a Calamity

I sometimes hear someone argue that specialization has weakened society as individuals now have fewer skills with which to survive a calamity. This argument presupposes a sudden reversion to a rude state of society and that such a change would become permanent. This seems unreasonable to me as it assumes that we would not work to restore what we lost.

Of course, any person with skills suitable for employment in a more primitive society would be more comfortable until we attain our former level of development. Once this happens, this person’s skills again become irrelevant.

The question of how much time and other resources we devote to acquiring the skills needed to survive and thrive during a calamity remains unanswerable.

Normalcy Versus Risk

Feral Dogs

In the past I have written about the risks associated with feral dogs. Currently, the town of Kenora Ontario is experiencing some difficulties with feral dogs. Having a pack of feral dogs circling your house is not something to take lightly.

When Knives Attack

The recent Calgary mass murder illustrates how people assess risk wrongly. Statistics Canada reports (in 2008) that one-third of homicides and attempted murders involved edged weapons. That is more than any other type of weapon. StatsCan also reported that edged weapons were used against six per cent of victims of violent crime while firearms were used against two per cent of victims. Yet most people and organisations dither over plans for mass shootings.

Knives are easy to obtain, easy to conceal, they don’t run out of ammunition, and they cut in any direction. No training is required and if you can move your hand with the knife in your grasp, then you can kill with it.

This type of crime occurs quite often. Here is a recent sampling:

  • four people were stabbed in a Regina shopping mall
  • student was stabbed at a Brampton, Ontario, high school
  • four coworkers stabbed at a Toronto office by a man who was being fired
  • two people killed and four wounded in a Loblaw’s warehouse stabbing attack

Of course the knee-jerk reaction will be to ban assault knives. Of course all prohibitions fail miserably and probably make the situation worse as happened with the ‘war on drugs’ and ‘gun control’. Some foolish individuals will no doubt say that the StatsCan figures prove that ‘gun control’ works and we now need ‘knife control’, no doubt a knife registry will follow.

In the Calgary case, the accused probably took the knife from the kitchen and then started his rampage. I’m sure registering their kitchen knives after getting a licence to buy them would have stopped this attack.

Risk Assessment

Whether it’s feral dogs or knife attacks, you have to measure the relative probability of the event occurring against the consequences of the event. We are hard wired to believe that we live in a safe world–if we weren’t, then we would never have ventured out of our caves to create the world we now live in. This is called the normalcy bias.

Normalcy Bias Vs. Risk

I am paid to respond to situations where the normalcy bias got the better of someone or to plan for situations that nobody wants to contemplate. Decades of experience has taught me that nobody wants to contemplate the low probability, high consequence events.   Legislation and hand wringing won’t change this–planning, preparation, and training might. Unfortunately, the interest in preparation and training wanes quickly as memory of the event that spawned this dissipates, and thereby allowing the normalcy bias to reassert itself.

The Individual First Aid Kit (IFAK)

Recent involvement in investigations into industrial accidents and incidents involving security officers caused me to look into the state of first-aid training. I have some concerns that lessons-learned are not being applied as well as they should.

Recent wars have taught us how to teach personnel to control severe bleeding and maintain an airway under adverse situations. Unfortunately, from what I have seen, this hasn’t filtered down to industry in the form of better training and equipment.

This battlefield experience should be of interest security personnel at sites that might experience an active shooter or similarly catastrophic event. Those involved in emergency and business continuity planning should also take note of these lessons. My comments do not reflect the specific situation in any one Canadian province. I am aware of all the regulatory inertia, concerns about costs, and legal implications that inhibit change, but these are weak excuses for inaction when lives may be at risk. The injured person who is beading to death or suffocating doesn’t give a damn about laws and regulations–he simply does not want to die.

Read more

Business Interrupted

Managers sometimes tie themselves into knots worrying about the risk or threat rather than analysing the impact of interrupted business processes. My advice is to stop fretting about the cause and concentrate on alleviating the impact of the interrupted business processes.

To do this, defeat the problem in detail as follows:

  • Decide which processes are critical and which are not.
  • Determine how long any particular process can be interrupted before it’s loss become detrimental to operations, profitability, and customer satisfaction.
  • Design a plan of action to determine if the disruption will continue beyond the tolerable time limit.
  • Have a plan to replace each missing process.
  • Plan for the concurrent loss of several critical processes.

The key to a successful business continuity plan is concentrating on the critical day-to-day operations.

How does this relate to investigtion and research? The answer is quite simple:

  • Have you ever done a security survey?
  • Have you ever done a competitor SWOT analysis?
  • Have you ever done due diligence on a critial supplier?

Nine Meals From Anarchy

A few months later and another practice disaster is under way. These practice sessions are supposed to take the emergency out of emergency management.

The building’s automated locking system is working properly now. The new security guard provider is more responsive and the guards are performing their jobs in a more professional manner this time around. The performance of the maintenance staff has improved and the ground floor windows are completely boarded-up. Ten hours into the exercise and the generators are running flawlessly. Everything inside the building is working properly, people included. After breakfast, I decided to look for something that is screwed-up.

A Vapour on the Wind

It’s a nice Sunday morning — cool but slightly overcast as the sun rose. I decide to take a walk around the neighbourhood. Not much is moving about this early.

The additional soundproofing surrounding the generators eliminates their sound entirely when standing at street level, even at dawn on a Sunday.

I start to crave another coffee but nothing is open this early so I take another walk around the building. Somebody is up early, that bacon smells better than the oatmeal I had for breakfast.

Now I realise how I screwed-up this time.

Nine Meals From Anarchy

Nine meals from anarchy is an expression coined by Lord Cameron of Dillington who headed the Countryside Agency to describe the precarious nature of Britain’s food supply. If some catastrophe occurs and the supermarket shelves are not restocked, he estimated that they had three full days without food on supermarket shelves before law and order started to break down and British streets descended into chaos. This isn’t far-fetched – it happened in New Orleans in the aftermath of Hurricane Katrina.

The smell of cooking bacon would be very enticing to somebody who hasn’t eaten for three days. If this occurred during a protracted cataclysm, then it would add some emergency back into emergency management. Hungry people, especially normally over-fed but now hungry people, will do almost anything to get food.

Practice Doesn’t Make Perfect

Practice doesn’t make perfect – it shows you how many ways you can screw-up. I’m a big believer in practice.

I was working on a project to improve a company’s emergency preparedness that began with a risk assessment which then led to many interesting adventures. One adventure was a little bit of practice to test how they could operate during an extended power outage.

The extra guards didn’t show-up on time. The maintenance staff didn’t want to play the game unless they got time and a half. Someone had pilfered about half of the plywood with an intumescent coating intended for window coverings. The fancy locking system left all the doors open on one side of the building. So far, so good!

Wandering around outside, I was marvelling at how quiet the generators were – those mufflers were really good. Things were going just fine and I was enjoying the nice spring day and then the generators started to make strange sounds, then they belched black smoke. Then they died an ignoble death. Oh well, we got through four and one half hours and the imaginary blackout became permanent.

Now it was time to earn my keep. I had to quantify the screw-ups. The worst was the generator failures. All the generators died as if on cue. We traced this to a single diesel fuel source for all the generators. A single point of failure is never good.

I learned that the new low sulfur diesel creates a storage problem. While the reduced sulfur is good for the environment, it eventually mixes with water that condenses in the fuel tank to form black sediment or emulsified water that can damage the engines. No system was in place to deal with this problem. Some research revealed the type of filtering system needed to maintain the usability of the fuel.

No good deed goes unpunished. I became the point man for the efforts to correct this situation. Product sourcing, procurement, and construction – who knew I could do all that stuff?

Contingency Planning

Recently, I wrote about the dangers of government action when preparing for adverse conditions. While conducting some research on this topic for a planning document I came across a couple of interesting examples.

In the old Soviet Union during the Chernobyl reactor catastrophe, it became illegal for an ordinary citizen to possess any type of radiation meter.  I came across reports that Japanese police confiscated radiation meters from citizens who were taking their own measurements after the Fukushima disaster.

Perhaps I should have recommended that the client read Fuller’s The Day We Bombed Utah.

OPSEC and Business Continuity

Operational Security (OPSEC) is the first consideration when preparing for adverse conditions.

In Canada, I always advise clients to read the Emergencies Act (R.S.C., 1985, c. 22 (4th Supp.)), Section 8  carefully before they take any action or commit to any preparations. The same applies to any individual preparations. Section 8 (1)(c) allows public officials carte blanche to loot your storehouse of supplies during a declared emergency. The provinces have similar legislation, for example, in Ontario it is the Emergency Management and Civil Protection Act, R.S.O. 1990, c.E.9. Politicians wrote all of these acts so that the government can always find a ‘legal’ way to do whatever it wants to do. This problem isn’t unique to Canada. During Hurricane Sandy, so called ‘First responders’ broke into Shore Army-Navy in Seaside Heights and looted it for supplies. During Hurricane Katrina, officials in New Orleans went further, and according to many accounts, committed armed robbery. In the face of armed troops or police, you will be helpless to prevent such looting. Of course, when government is the looter, they get a free pass from government lawyers and politicians.

Undertaking business continuity planning requires a very high degree of OPSEC given the propensity of governments, rioters, and criminals to take what they want. This leads to the question, what are the OPSEC requirements of business continuity planning?

I always advise that all business continuity (BC) assets be separated geographically, and in other ways, from the business they serve. Transfer ownership of BC assets to  obscure sole-purpose subsidiaries. For example, one entity owns the BC site while another buys the supplies and equipment. Yet another entity takes delivery of the supplies at an unrelated location. Execute all the BC planning and implementation on a strict need-to-know basis. The quick dissemination of the BC plan during an emergency must occur on a need-to-know basis. The employees only get the information they need to accomplish their part of the plan. Large-scale rehearsals should not reveal the actual location of the real BC site. To reveal the location of the BC site to all those involved in the rehearsal invites the looting of the site long before it is needed. Experience dictates the use a rented property in the general area of the real BC site for rehearsals.

These considerations are not irrational paranoia for any business located in an area subject to catastrophic disruptions such as riots, protests, natural disasters, or terrorist attack. Discontinuing business activity during such an upheaval is surrendering to these adverse forces.

Risk Assessment Adventure: When Havoc Strikes

Business Continuity

Awhile back I wrote about one of my adventures in risk assessment.  This involved identifying the risks to a Business Continuity site located in a rural area outside a large metropolitan area.

When Havoc Strikes

What happens to Spot when havoc strikes?

The U.S. Humane Society say that 46% of U.S. households own at least one dog and there are 78.2 million dogs owned. In the Canadian Census of 2006 there were 6,070,783 dogs in Canada.

Feral Dogs

After a prolonged catastrophic event, feral dogs will form packs and begin to hunt. They have all the tools they need — fangs, claws, and a fur coat to keep warm. Feral dogs will interbreed with other canids.  Over time, you will encounter dog-wolf and dog-coyote hybrids. The domestic dog ancestry will ensure that they are not afraid of man, and their offspring will inherit this trait.

Feral dogs have better noses, better ears, and sharper teeth than humans. Their reflexes are faster, they possess better protection from the elements, and they move through the environment in near silence. They will attack as a pack and they will do so silently. Their arsenal includes stealth and surprise. When they don’t fear us, we are at a disadvantage.

Solutions

The dog pack will be hunting you. You’re not the hunter, you’re prey. How good is your gun-handling? Can you hit a 2 foot tall predator charging at you?  How about several of them at once?

Security in such a situation will entail modified small unit tactics, marksmanship, and muzzle control. This client took our advice on training and on-site rehearsals. Twelve bore shotguns and 30-30 lever-action rifles won’t get a doomsday prepper’s heart racing, but they get the job done safely when combined with proper training, rehearsals, and forethought.

Note: This article about an attack by a pack of feral dogs appeared in one of my news feeds:
Houston woman in critical condition after pack of 15 dogs attack

This clearly illustrates how dangerous a pack of feral dogs can be. Even feral cats can inflict dangerous wounds as illustrated by this article:

Warning to tourists in France after attack by feral cats

 

Hazardous Material

The Emergency Response Guidebook published jointly by the Canadian Department of Transportation, Mexican Transportation agencies, and the USDOT lets you identify the hazardous contents of pipelines, trucks, or trains from the placards on the side of the tanker, rail car, or pipeline. The guide lists specific hazards and evacuation distances for spills or fires. However, it doesn’t provide any spill/fire/explosion protocols.

If you are around hazardous materials and their transport conveyances then you need this guidebook.

Adventures in Business Continuity

Risk management is research, analysis, planning, and artful guessing. In my part of the risk management process, I have to deal with the inevitable failure. Every General will tell you that no plan survives intact after first contact with the enemy. I have to prepare for the failures that happen upon first contact. In essence, I have to make Plan B a reality. Of course, Plan B has an even greater likelihood of failure than Plan A, because it is, after all, Plan B. Things aren’t going very well if you have to resort to Plan B.

The current Plan B project is the result of the failure exhibited during a rehearsal of the Plan A for moving operations to the client’s emergency business continuity operations centre.

Plan B is a plan involving getting key staff to rally points from which they can be transported to the business continuity site. In a large metropolitan area, this can be a major undertaking when roads are clogged with traffic or blocked by the police or rioters.

Plan B starts with selecting key Plan B staff on the basis of physical fitness above all else. (These people are a different lot from the Plan A staff. They are a hardier and generally younger lot.) Then they are trained on the principals of movement and communications under circumstances where transportation and policing have broken down. If the selected staff are still engaged enough after this to remain on the team, then they have to be trained for their jobs at the business continuity site.

Next comes the hard part — planning their individual routes to the rally points. Each person will have their own routes to their rally point. This has to be done to minimize risks of attack and robbery as well as the physical risks associated with the route itself.

In the current project, we had to establish caches of supplies to facilitate Plan B. This was difficult and entailed renting storage lockers and other spaces to store supplies, vehicles, and to provide shelter if needed.

When I hear people talking about business continuity without any understanding of the human element, I know they have never encountered a real disaster at first hand. The technology is easy to deal with compared to getting competent people to the places where they are needed.

 

Risk Assessment Adventure

Once you acquire good research skills, you can apply those skills to support many endeavors. Recently, I have been doing risk assessment matrices for Business Continuity and Emergency Response planning.

One such job involved identifying the risks to a Business Continuity site. This site was in a rural area outside a large city. I collected the usual maps, aerial imagery, and satellite imagery of the site. This revealed a zoo was nearby. This led to the examination of a risk that few would normally consider — wild animals.

While the predatory carnivores such as lions and tigers seemed to be the greatest risk, we also learned that the large non-carnivores owned by zoos and feral livestock can be very destructive, especially to the fencing intended to keep out the carnivores.

You might not think this would be a risk, but just think of why a Business Continuity site might be in full operation and the risk become obvious. It would be operating due to a black swan event and that would probably entail the failure of normal utilities and services. Many of these animals would eventually escape due to broken fencing or be released to fend for themselves. The prospect of a number of large cats or grizzly bears loose near the site sparked a search for some very strong fencing.

This led us to examine which animals would be the most dangerous over a two year period. The most dangerous animals soon after a catastrophe would be feral dog packs followed by any domesticated pigs let loose and feral hogs. Neither of these animals are afraid of people and in a major disaster they might resort to feeding on corpses which would make a living person also look like a good meal. Hogs and pigs also represented the biggest risk to the fencing.

After the dogs and hogs, the greatest risk seemed to be Grizzly Bears. These animals are dangerous predators that are not afraid of man and they are adapted to the North American climate. The next was the lions and tigers. Next came the lesser cats and canids if they escaped from the zoo. In the two year span none of these zoo animals seemed to present a great risk if recent history in war zones is any guide.

Along with the dogs and hogs, it seemed that vermin such as rats and mice would be the constant threats, not the exotic creatures from the zoo.

Hurricane Irene Devastates the East Coast’s Economy

The recent destruction of Hurricane Irene on the East Coast left many Americans underwhelmed. The carnage and destruction of Hurricane Katrina were not as present for Irene, but billions of dollars worth of damage and flooding are still wreaking havoc on the eastern seaboard. In the already sluggish economy, Irene is hitting the pocketbooks of most Americans in a serious way.

The event was downgraded from a hurricane to a tropical storm, but because of the lack of emergency infrastructure, damage was more widespread and costly than if a more devastating hurricane were to hit a prepared Florida coast. If the storm became any stronger, it could have caused serious damage to all of the glass in the Manhattan skyscrapers or cause permanent damage to all of the towns by rivers and ponds in Vermont.

Many retailers and businesses were relying on decision analytics and a busy back to school weekend in order to optimize sales. For operations such as grocery, drug, and home improvement stores; the weekend was a huge success because of the need to stock up on emergency supplies. For outlets like department stores, clothing chains, and movie theaters; the weekend was a bust because of evacuations and the fear of leaving shelter. A family was more likely to purchase something like a power generator or an emergency supply of freeze dried food rather than a new wardrobe to show off at college.

In an AP article, market researcher Ken Perkins said that the $300-500 people spend on fixing their homes would be lost to discretionary spending and could be taken back from the back to school business. With the economy already in a bad state of being, it will be even harder for most retailers to recover from missing the second biggest shopping season of the year.

For those with hurricane insurance, there claims might not cover all of the damages incurred by the storm. As reported by The Christian Science Monitor, most Americans do not participate in the National Flood Insurance Program. Since most of the damage caused by Irene was through flooding and not wind, people will find a hard time getting compensation for damaged goods and property.

While the immediate impact of Hurricane Irene may seem less severe than other highly publicized natural disasters of the past; its effects will linger through the economy and infrastructure of the area for years to come.