Blueprints Do Not Build Skyscrapers
Posted In Business Continuity, Human Resources, Regulatory Compliance, Risk Management, School Safety, Workplace Violence on August 11th, 2010 Tags: Anti-Bullying, policy and procedure management, preparedness program
In my previous blog I suggested that building a successful preparedness campaign is like building a skyscraper…and in some cases it seems like building a skyscraper may actually be easier than building a successful campus-wide or organization-wide preparedness effort.
I mentioned that building a skyscraper and building a campus-wide or organization-wide preparedness effort have a lot in common and one of those common items is blueprints.
Blueprints can be a technical drawing, a mechanical drawing, an architectural plan, a model, a prototype, a detailed plan of action and etc. Blueprints can also include programs, policies, procedures, processes, guidelines, checklists and etc.
But blueprints are not skyscrapers.
Lessons learned continue to reveal that many organizations are extremely vulnerable because they purchase blueprints (emergency plans, anti-bullying programs, checklists, and etc.) and schedule a meeting or training session and post their blueprints on an intranet/portal and think they have built their “skyscraper”.
More and more organizations are learning the hard way that having blueprints is not enough.
Even though financial organizations have policies, government entities have plans, schools have procedures, healthcare organizations have checklists and organizations have been offering general training on an annual basis for years… tragedies, failures, bullying and lawsuits continue to escalate.
Do your organization’s leaders understand that building organization-wide preparedness efforts or a culture of safety or an anti-bullying environment requires more than disseminating blueprints?
No Comments
Email This Post
Building A Preparedness Program…like Building a Skyscraper?
Posted In Business Continuity, Emergency Management, Human Resources, Regulatory Compliance, School Safety, Workplace Violence on August 9th, 2010 Tags: campus preparedness conference, Compliance, Ethics, safety, Security
I attended the Virginia Governor’s Campus Preparedness conference last week and had an interesting discussion with one of the attendees. We were talking about how building preparedness across an organization or an entire campus is becoming more complex and more difficult due to escalating challenges, regulations, obligations, liabilities and much more.
As our discussion continued, we started talking about how important tools can be when building campus-wide preparedness programs. In reference to whether tools can make a difference, I offered the following analogy:
Could a skyscraper be built using a hammer, a saw and some nails?
The attendee responded quickly, yes the skyscraper could be built but she wouldn’t go inside it!
Next we discussed how building a skyscraper and building a campus-wide or organization-wide preparedness program have a lot in common:
- Both require blueprints
- Both are complex and require planning
- Both require specialized tools to build
- Both have a lot of parts or “dots to connect”
- Both require specialized tools to maintain
- People will not trust poorly built skyscrapers or preparedness programs
Are you building your __________ program [preparedness, compliance, business continuity, safety, security, ethics, etc.] with old outdated tools such as binders, intranets, shared drives and general training?
No Comments
Email This Post
CFOs Have Responsibility To Break Down Risk Management Silos
Posted In Business Continuity, Information Security, Regulatory Compliance, Risk Management on July 12th, 2010 Tags: CFOs, Cybercrime, Cybersecurity, DHS
Last week financial executives received some valuable advice on ways to significantly reduce costs associated with an expensive non-budgeted item – cybercrime.
Greg Schaffer heads up DHS’s Office of Cybersecurity and Communications and his comments on cybercrime included:
“Cybercrime is not a problem that is growing, or coming, or off in the future. This is a problem right now.”
Mr. Schaffer also cited some statistics from reports and surveys:
- A single cyber breach costs companies an average of $6.75 million
- 27 countries have claimed to have experienced financial losses related to cybercrime
- In 2009, 30 million examples of new malicious software were released
Mr. Schaffer shared that there is a “disconnect” between corporate risk managers and information technology professionals. Mr. Schaffer also pointed out that most companies have kept risk management related to cybercrime in “a silo” within the IT department, rather than treating cybercrime as a risk the entire organization must address.
Mr. Schaffer had this advice too… because CFOs play an important role in enterprise risk management; CFOs have a responsibility to break down “silos” within an organization.
Do you have “silos” in your organization?
Of course you do! CFOs (along with CEOs, COOs, CROs, etc.) must become more proactive and prevention focused. CFOs must find better ways to break down silos and connect the dots before a cybercrime incident creates a huge hit on their bottom line.
No Comments
Email This Post
SEC Provides Lessons Learned on Policies and Porn
Posted In Business Continuity, Human Resources, Incident Reporting, Information Security, Legal, Risk Management on July 7th, 2010 Tags: Federal Computer Week, incident management, SEC, security policy, social media policies
A recent follow up article in Federal Computer Week (FCW) highlighted the porn scandal at the Securities Exchange Commission (SEC) and suggested this was a dramatic wake-up call for any government agency who doubted the need for and importance of an airtight security policy.
Good for Teri Robinson… who wrote the article!!
However…the steps Teri laid out that an agency should take to build and enforce a security policy are missing a couple of critical steps based on lessons learned and legal defensibility. Teri suggested the following steps:
- Review existing policy
- Social media guidelines should be included and should be specific
- Assign responsibility because policies are more easily adopted if someone is in charge
- Train, train, train as threats change so do policies so regular training is needed
- Enforce the rules
- Ramp up resources with technology and staffing
I agree with Reviewing Existing Policy, Including Social Media and Enforcing the Rules.
I sort of agree with Assigning Responsibility and Train, Train, Train…
I disagree with Ramping Up Resources and Staffing Up.
Based on lessons learned, the following steps are also needed:
- Accountability at the Individual Level
- Documentation of Individual Acknowledgements
- Situational Awareness and Case Studies that relate to organization specific policies
- Incident Reporting and Incident Management Tools for Assessment/Prevention Teams
And based on lessons learned, more staff for enforcement and training is probably not necessary if you implement the right tools for current personnel to utilize.
Now if we could just get federal agencies to start using “tractors” instead of “old horses”…
No Comments
Email This Post
Mounting Challenges with People and Processes…Do you need a Tractor?
Posted In Business Continuity, Human Resources, Risk Management, School Safety on April 27th, 2010 Tags: ACUTA, people and processes, philp quigley
I attended the national ACUTA conference last week and one of the speakers mentioned Philip Quigley’s quote regarding ‘farmers and building tractors’. If you are not familiar with his quote, see below:
Philip J. Quigley, former CEO of Pacific Telesis said, “If we were to go back in time 100 years and ask a farmer what he’d like if he could have anything, he’d probably tell us he wanted a horse that was twice as strong and ate half as many oats. He would not tell us he wanted a tractor. Technology changes things so fast that many people aren’t sure what the best solutions to their problems might be.”
And I after I heard the quote it hit me…at times we may all be like ‘farmers’ who are not aware of ‘tractors’ that could help us achieve better results. It may also explain why so many organizational leaders are still trying to get more out of their ‘horses’ (binders and intranets (aka digitized binders) and general training) to solve their escalating People and Process challenges.
Everyone knows that People and Processes are an organization’s weakest links, but now that budgets are limited and regulations, risks and pains are mounting, the ‘old horses’ cannot keep up.
Are your ‘old horses’ keeping up with your mounting challenges? Would a ‘tractor’ help?
Comment (1)
Email This Post
Warren Buffett and Lessons Learned Point to CEOs
Posted In Business Continuity, Risk Management on March 8th, 2010 Tags: Berkshire Hathaway, CEO, corporate responsibility, Journal Star, Warren Buffett
According to a recent article at JournalStar.com, Warren Buffett used his letter to Berkshire Hathaway stockholders to bring attention to corporate responsibility and the government bailout of financial institutions.
Warren Buffett wrote:
“In my view, a board of directors of a huge financial institution is derelict if it does not insist that its CEO bear full responsibility for risk control. If he’s incapable of handling that job, he should look for other employment. And if he fails at it – with the government thereupon required to step in with funds or guarantees – the financial consequences for him and his board should be severe.”
“It is the behavior of these CEOs and directors that needs to be changed: If their institutions and the country are harmed by their recklessness, they should pay a heavy price – one not reimbursable by the companies they’ve damaged nor by insurance. CEOs and, in many cases, directors have long benefitted from oversized financial carrots; some meaningful sticks now need to be part of their employment picture as well.”
My guess is that most people agree with Warren Buffett. How about you?
If you agree with Warren Buffett and you are an organizational leader:
- How are you implementing corporate responsibility across your organization?
- How are you maintaining corporate responsibility with personnel and economic changes?
- How are you ensuring accountability across your enterprise?
Lessons learned (and Warren Buffett too) validate the need for corporate responsibility and accountability…I hope your organization and your leaders are paying attention.
No Comments
Email This Post
Lessons Learned from WMD Proliferation and Terrorism Report Card
Posted In Business Continuity, Emergency Management, Risk Management on January 28th, 2010 Tags: Government Reform, Mass Destruction, National Security, Terrorism, Weapons
Reviewing the bipartisan Commission on the Prevention of Weapons of Mass Destruction Proliferation and Terrorism report card reveals lessons learned have not become lessons implemented.
The report card included an ‘F’ grade in Biological Risks due to the nation’s capabilities lacking to:
- Coordinate and deploy rapid response to prevent biological attacks causing mass casualties
Under Government Reform, the report card included two more ‘F’ grades for:
- Reform congressional oversight to better address intelligence, homeland security, and crosscutting 21st century national security missions
- Implement education and training programs to recruit and retain the next generation of national security experts
The two ‘F’ grades in Government Reform point out alarming disconnects and widening gaps that exist in oversight and awareness. And Senator Talent commented:
“We are also enormously frustrated about the failure of Congress to reform homeland security oversight”. The Department can’t do its job, if it is responding to more than 80 congressional committees and sub-committees. This fragmentation guarantees that much of what Congress does is duplicative and disjointed.”
If terrorists acquire weapons of mass destruction, will your organization be prepared? Is your organization prepared even if the government is not coordinated and ready to respond?
No Comments
Email This Post
Common Elements of Failed Financial Institutions (FDIC)
Posted In Business Continuity, Regulatory Compliance, Risk Management on November 5th, 2009 Tags: Failed Banks, FDIC, FinancialYes, I admit it…I was surfing the FDIC web site this past weekend and I was spending some time reviewing past Financial Institution Letters that the FDIC releases to advise the banking industry of supervisory changes and guidelines.
I came across a Financial Institution Letter for Newly Insured FDIC-Supervised Depository Institutions that included the new changes, as well as a list of common elements from troubled or failed institutions.
The list offers some potential lessons learned for organizational leaders (board of directors, executive management, compliance and others) and so I thought I would share the list.
- Rapid growth
- Over-reliance on volatile funding, including brokered deposits
- Concentrations without compensatory management controls
- Significant deviations from approved business plans
- Noncompliance with conditions in the deposit insurance orders
- Weak risk management practices
- Unseasoned loan portfolios, which masked the potential deterioration during an economic downturn
- Weak compliance management systems leading to significant consumer protection problems
- Involvement in certain third-party relationships with little or no oversight
The list identifies the difficulties and complexities of “connecting the dots” and reminds bank leaders about many different types of “dots” that need better management to ensure better results.
If you are an organizational leader in the financial sector, this is good information!
No Comments
Email This Post
To Do Lists and Got To Do Lists…
Posted In Business Continuity, Information Security, Legal, Pandemic Flu, Regulatory Compliance, School Safety on August 14th, 2009 Tags: FTC, H1N1, Heartland, HIPAA, HITECH, Obama, OSHA, QSAsEvery manager I talk to has a long To Do List and they all say the list is getting longer.
Then I ask them a question about their GOT TO DO LIST? Their responses usually include groans, moans and terribly painful looks on their faces.
As I talk to more and more managers and review more and more headlines in the news, it is obvious to me that managers’ GOT TO DO LISTS are becoming more painful by the day.
Why are GOT TO DO LISTS getting more painful? Look at these articles which include lessons learned as well as future challenges:
Heartland CEO on Data Breach: QSAs Let Us Down
HITECH Act Ramps Up HIPAA Compliance
Obama Wants Big Banks to Pay More for Oversight
FTC Announces Expanded Business Education Campaign on ‘Red Flags’ Rule
Updated Federal Guidelines for 2009 H1N1 Influenza in Schools Offer Many Options
Improving OSHA’s Enhanced Enforcement Program
How are you managing and implementing your GOT TO DO LIST?
No Comments
Email This Post
Strained Budgets Cut Funding for Technologies…Blessing in Disguise?
Posted In Business Continuity on July 30th, 2009 Tags: Bottom Line, Budget Cuts, TechnologyAccording to a recent article, because of tight budgets, many organizations plan to cut funding for technologies that would help to mitigate the main security threats they face.
The article went on to say that 72 percent of respondents have seen an increase in e-mail borne malware and phishing, but eight percent of respondents said they plan to cut previously allocated funding for messaging security, e-mail encryption, e-mail security or instant messaging security technologies.
The survey also revealed that although 40 percent of respondents noted lost or stolen devices as a top security challenge for the next 12 months, 15 percent said they will be cutting budget allocations planned for mobile encryption and wireless security.
Other surveys have offered some interesting numbers, too. A survey from Ponemon indicated that 88% of breaches in 2008 were due to negligence and a survey from Verizon revealed 90% of breaches could have been prevented with security basics.
So perhaps the strained budgets could be a good thing??
What if an organization implemented awareness and accountability instead of more technology?
What if an organization implemented better knowledge that led to better decisions, less duplication and more efficiency across their silos/departments?
The bottom line would be improved with cost savings. The bottom line would be improved by targeting negligence. The bottom line would be improved by addressing security basics.
The bottom line is that perhaps strained budgets are a blessing in disguise…
No Comments
Email This Post
