How are Organizations Managing Policies Ongoing?
Posted In Business Continuity, Financial, Financial, Human Resources, Regulatory Compliance, Research, Validations on May 3rd, 2011 Tags: Accountability, auditability, OCEG, policy management, status quo
OCEG recently announced poll results from a One Minute Poll about Policy Management. In their poll, 429 members replied to the following question:
How do you primarily manage lifecycle of internal policies, procedures and guidelines?
- 32% use an internally developed database or intranet system
- 24% have no formal structure
- 18% use file folders or centralized network drive
- 14% use document or policy management software
- 8% track changes in Word
- 4% use other methods
Lessons learned: Bad guys already know what the results from this poll clearly reveal…People are an organization’s weakest links. As long as 86% or more of organizations continue to use status quo methods that provide little or no accountability and little or no auditability to ensure situational awareness at the individual level, organizations will be vulnerable to attacks, mistakes, lawsuits, fines and disconnects that have a negative (potentially significant) effect on their bottom line.
No Comments
Email This Post
Does Information Equal Awareness?
Posted In Business Continuity, Human Resources, Incident Reporting, Information Privacy, Information Security, Risk Management on November 18th, 2010
General Information
Personally Identifiable Information
Intelligence Information
Industry Information
Regulatory Information
Legal Information
Risk Information
Customer Information
Emergency Information
Competitive Information
Etc….
Most people and their organizations would agree they are overwhelmed by information that is spread all over in e-mails, web sites, binders, intranets, etc.
BUT, most people and their organizations would also agree they are not overwhelmed by awareness, and more specifically they are not overwhelmed by Situational Awareness.
Lessons learned continue to reveal that just having information is not enough. Most of the highly publicized tragedies and incidents reveal that information in the form of red flags or intelligence or risk assessments actually existed BEFORE the incident occurred.
And many incidents could have been prevented had the information been translated into Situational Awareness and shared with the right individuals in the right place at the right time so they could have taken appropriate actions to prevent or intervene or respond more proactively.
For the next week or month or longer, when you become aware of an incident or a mistake in your organization or another organization ask yourself these questions:
- Did information exist that could have helped prevent the incident or mistake?
- Does my organization have a good way to turn information into situational awareness?
- Do all appropriate individuals have the ability to access confidential situational awareness?
- Does our incident reporting system just pass along information?
- Do our threat assessment and security teams have access to situational awareness?
- Do our decision makers and leaders have on-demand access to updated situational awareness?
No Comments
Email This Post
If I Knew Then What I Know Now…
Posted In Business Continuity, Emergency Management, Incident Reporting, Pandemic Flu, Risk Management, School Safety, Workplace Violence on September 15th, 2010 Tags: 9-11, columbine, Compliance, Incident Reporting, Katrina, preparedness, Red Flags, Security, Virginia Tech
Most everyone has heard or muttered these words at some time or another:
If I Knew Then What I Know Now…
The saying is most often used when we look back at our life and we realize that if I knew then (when I was younger) what I know now (with more experience and wisdom), I may have made some different decisions.
The saying also came to mind recently as we were reminded of the 9 year anniversary of September 11th and the 5 year anniversary of Katrina and numerous other incidents that have provided experience and wisdom that we could have used before these events took place.
As I was reflecting on these and numerous other events I started thinking about how so many of the incidents and unwanted results could have been prevented from ever happening had certain people known what others knew….and perhaps how this saying should be updated to:
If I knew now what you know now.
We now know that there were multiple people who noticed red flags or knew about 9-11 before the attack. We now know that multiple people at Virginia Tech and Columbine noticed red flags or knew about these attacks before the attacks we launched. In numerous other incidents, we now know other people besides the aggressor(s) knew about red flags, suspicious actions and misguided plans before the tragic incidents actually occurred.
Unfortunately these other people who noticed red flags or knew about what was coming did not provide their information to people who could have intervened and prevented the incidents and could have saved millions of dollars and saved the lives of many.
How are you getting people to report red flags or suspicious behavior or ethics violations or safety improvements?
Lessons learned clearly show that lack of awareness and not connecting the dots will lead to gaps and disconnects that lead to expensive, embarrassing and tragic incidents.
So if you are responsible or accountable for security, safety, preparedness, compliance, legal due diligence, finances, customers, patients, etc….do you know now what others know now??
No Comments
Email This Post
Blueprints Do Not Build Skyscrapers
Posted In Business Continuity, Human Resources, Regulatory Compliance, Risk Management, School Safety, Workplace Violence on August 11th, 2010 Tags: Anti-Bullying, policy and procedure management, preparedness program
In my previous blog I suggested that building a successful preparedness campaign is like building a skyscraper…and in some cases it seems like building a skyscraper may actually be easier than building a successful campus-wide or organization-wide preparedness effort.
I mentioned that building a skyscraper and building a campus-wide or organization-wide preparedness effort have a lot in common and one of those common items is blueprints.
Blueprints can be a technical drawing, a mechanical drawing, an architectural plan, a model, a prototype, a detailed plan of action and etc. Blueprints can also include programs, policies, procedures, processes, guidelines, checklists and etc.
But blueprints are not skyscrapers.
Lessons learned continue to reveal that many organizations are extremely vulnerable because they purchase blueprints (emergency plans, anti-bullying programs, checklists, and etc.) and schedule a meeting or training session and post their blueprints on an intranet/portal and think they have built their “skyscraper”.
More and more organizations are learning the hard way that having blueprints is not enough.
Even though financial organizations have policies, government entities have plans, schools have procedures, healthcare organizations have checklists and organizations have been offering general training on an annual basis for years… tragedies, failures, bullying and lawsuits continue to escalate.
Do your organization’s leaders understand that building organization-wide preparedness efforts or a culture of safety or an anti-bullying environment requires more than disseminating blueprints?
No Comments
Email This Post
Building A Preparedness Program…like Building a Skyscraper?
Posted In Business Continuity, Emergency Management, Human Resources, Regulatory Compliance, School Safety, Workplace Violence on August 9th, 2010 Tags: campus preparedness conference, Compliance, Ethics, safety, Security
I attended the Virginia Governor’s Campus Preparedness conference last week and had an interesting discussion with one of the attendees. We were talking about how building preparedness across an organization or an entire campus is becoming more complex and more difficult due to escalating challenges, regulations, obligations, liabilities and much more.
As our discussion continued, we started talking about how important tools can be when building campus-wide preparedness programs. In reference to whether tools can make a difference, I offered the following analogy:
Could a skyscraper be built using a hammer, a saw and some nails?
The attendee responded quickly, yes the skyscraper could be built but she wouldn’t go inside it!
Next we discussed how building a skyscraper and building a campus-wide or organization-wide preparedness program have a lot in common:
- Both require blueprints
- Both are complex and require planning
- Both require specialized tools to build
- Both have a lot of parts or “dots to connect”
- Both require specialized tools to maintain
- People will not trust poorly built skyscrapers or preparedness programs
Are you building your __________ program [preparedness, compliance, business continuity, safety, security, ethics, etc.] with old outdated tools such as binders, intranets, shared drives and general training?
No Comments
Email This Post
CFOs Have Responsibility To Break Down Risk Management Silos
Posted In Business Continuity, Information Security, Regulatory Compliance, Risk Management on July 12th, 2010 Tags: CFOs, Cybercrime, Cybersecurity, DHS
Last week financial executives received some valuable advice on ways to significantly reduce costs associated with an expensive non-budgeted item – cybercrime.
Greg Schaffer heads up DHS’s Office of Cybersecurity and Communications and his comments on cybercrime included:
“Cybercrime is not a problem that is growing, or coming, or off in the future. This is a problem right now.”
Mr. Schaffer also cited some statistics from reports and surveys:
- A single cyber breach costs companies an average of $6.75 million
- 27 countries have claimed to have experienced financial losses related to cybercrime
- In 2009, 30 million examples of new malicious software were released
Mr. Schaffer shared that there is a “disconnect” between corporate risk managers and information technology professionals. Mr. Schaffer also pointed out that most companies have kept risk management related to cybercrime in “a silo” within the IT department, rather than treating cybercrime as a risk the entire organization must address.
Mr. Schaffer had this advice too… because CFOs play an important role in enterprise risk management; CFOs have a responsibility to break down “silos” within an organization.
Do you have “silos” in your organization?
Of course you do! CFOs (along with CEOs, COOs, CROs, etc.) must become more proactive and prevention focused. CFOs must find better ways to break down silos and connect the dots before a cybercrime incident creates a huge hit on their bottom line.
No Comments
Email This Post
SEC Provides Lessons Learned on Policies and Porn
Posted In Business Continuity, Human Resources, Incident Reporting, Information Security, Legal, Risk Management on July 7th, 2010 Tags: Federal Computer Week, incident management, SEC, security policy, social media policies
A recent follow up article in Federal Computer Week (FCW) highlighted the porn scandal at the Securities Exchange Commission (SEC) and suggested this was a dramatic wake-up call for any government agency who doubted the need for and importance of an airtight security policy.
Good for Teri Robinson… who wrote the article!!
However…the steps Teri laid out that an agency should take to build and enforce a security policy are missing a couple of critical steps based on lessons learned and legal defensibility. Teri suggested the following steps:
- Review existing policy
- Social media guidelines should be included and should be specific
- Assign responsibility because policies are more easily adopted if someone is in charge
- Train, train, train as threats change so do policies so regular training is needed
- Enforce the rules
- Ramp up resources with technology and staffing
I agree with Reviewing Existing Policy, Including Social Media and Enforcing the Rules.
I sort of agree with Assigning Responsibility and Train, Train, Train…
I disagree with Ramping Up Resources and Staffing Up.
Based on lessons learned, the following steps are also needed:
- Accountability at the Individual Level
- Documentation of Individual Acknowledgements
- Situational Awareness and Case Studies that relate to organization specific policies
- Incident Reporting and Incident Management Tools for Assessment/Prevention Teams
And based on lessons learned, more staff for enforcement and training is probably not necessary if you implement the right tools for current personnel to utilize.
Now if we could just get federal agencies to start using “tractors” instead of “old horses”…
No Comments
Email This Post
Mounting Challenges with People and Processes…Do you need a Tractor?
Posted In Business Continuity, Human Resources, Risk Management, School Safety on April 27th, 2010 Tags: ACUTA, people and processes, philp quigley
I attended the national ACUTA conference last week and one of the speakers mentioned Philip Quigley’s quote regarding ‘farmers and building tractors’. If you are not familiar with his quote, see below:
Philip J. Quigley, former CEO of Pacific Telesis said, “If we were to go back in time 100 years and ask a farmer what he’d like if he could have anything, he’d probably tell us he wanted a horse that was twice as strong and ate half as many oats. He would not tell us he wanted a tractor. Technology changes things so fast that many people aren’t sure what the best solutions to their problems might be.”
And I after I heard the quote it hit me…at times we may all be like ‘farmers’ who are not aware of ‘tractors’ that could help us achieve better results. It may also explain why so many organizational leaders are still trying to get more out of their ‘horses’ (binders and intranets (aka digitized binders) and general training) to solve their escalating People and Process challenges.
Everyone knows that People and Processes are an organization’s weakest links, but now that budgets are limited and regulations, risks and pains are mounting, the ‘old horses’ cannot keep up.
Are your ‘old horses’ keeping up with your mounting challenges? Would a ‘tractor’ help?
Comment (1)
Email This Post
Warren Buffett and Lessons Learned Point to CEOs
Posted In Business Continuity, Risk Management on March 8th, 2010 Tags: Berkshire Hathaway, CEO, corporate responsibility, Journal Star, Warren Buffett
According to a recent article at JournalStar.com, Warren Buffett used his letter to Berkshire Hathaway stockholders to bring attention to corporate responsibility and the government bailout of financial institutions.
Warren Buffett wrote:
“In my view, a board of directors of a huge financial institution is derelict if it does not insist that its CEO bear full responsibility for risk control. If he’s incapable of handling that job, he should look for other employment. And if he fails at it – with the government thereupon required to step in with funds or guarantees – the financial consequences for him and his board should be severe.”
“It is the behavior of these CEOs and directors that needs to be changed: If their institutions and the country are harmed by their recklessness, they should pay a heavy price – one not reimbursable by the companies they’ve damaged nor by insurance. CEOs and, in many cases, directors have long benefitted from oversized financial carrots; some meaningful sticks now need to be part of their employment picture as well.”
My guess is that most people agree with Warren Buffett. How about you?
If you agree with Warren Buffett and you are an organizational leader:
- How are you implementing corporate responsibility across your organization?
- How are you maintaining corporate responsibility with personnel and economic changes?
- How are you ensuring accountability across your enterprise?
Lessons learned (and Warren Buffett too) validate the need for corporate responsibility and accountability…I hope your organization and your leaders are paying attention.
No Comments
Email This Post
Lessons Learned from WMD Proliferation and Terrorism Report Card
Posted In Business Continuity, Emergency Management, Risk Management on January 28th, 2010 Tags: Government Reform, Mass Destruction, National Security, Terrorism, Weapons
Reviewing the bipartisan Commission on the Prevention of Weapons of Mass Destruction Proliferation and Terrorism report card reveals lessons learned have not become lessons implemented.
The report card included an ‘F’ grade in Biological Risks due to the nation’s capabilities lacking to:
- Coordinate and deploy rapid response to prevent biological attacks causing mass casualties
Under Government Reform, the report card included two more ‘F’ grades for:
- Reform congressional oversight to better address intelligence, homeland security, and crosscutting 21st century national security missions
- Implement education and training programs to recruit and retain the next generation of national security experts
The two ‘F’ grades in Government Reform point out alarming disconnects and widening gaps that exist in oversight and awareness. And Senator Talent commented:
“We are also enormously frustrated about the failure of Congress to reform homeland security oversight”. The Department can’t do its job, if it is responding to more than 80 congressional committees and sub-committees. This fragmentation guarantees that much of what Congress does is duplicative and disjointed.”
If terrorists acquire weapons of mass destruction, will your organization be prepared? Is your organization prepared even if the government is not coordinated and ready to respond?
No Comments
Email This Post
