Do these 10 questions assess BCM awareness?

Here are ten (10) questions to assess employees’ business continuity management (BCM) awareness at a bank in Singapore.  My guiding principle in creating the questions was, ‘What should everyone in a company know about BCM?’

Screen Shot 2014-04-14 at 2.38.29 pmThe context: all employees of this bank must  complete each year an online awareness quiz on information security and BCM; 10 questions on infosec and 5 on BCM (so they’ll use 5 of my BCM questions each year).  Employees can take the quiz any time during a year; passing requires eleven (11) correct answers (a “gentleman’s C“). The bank has had BCPs for many years, but only one-third of the bank’s 200 employees are directly involved in the bank’s BCM program – annual plan reviews, continuity strategy decisions, annual recovery site exercises – as department heads or recovery team members. Two-thirds of the employees, then, may know nothing about BCM.

The bank had never assessed BCM awareness. Good BCM practice starts with a baseline assessment of  ’who knows what’, for which these questions were designed, followed by appropriate training for those who have BCM responsibilities. After the first round of assessment, the bank can decide on desired levels of awareness and competence for employees at strategic,  tactical and operational levels, as described in the BCI Good Practice Guidelines Module 2 Embedding Business Continuity, see pages 44-45).  For everyone else, this quiz may be all they get.

Why PSA’s don’t work

For preparedness messages, as in stand-up comedy, timing is everything.

After thousands of Public Service Announcements (PSAs) like “preparedness for individuals” (in English and in Spanish), “preparedness for business” and “preparedness for New York City,” and websites like, only 6% of Americans have done any preparation at all, and just 17% say they’re ”very prepared” for disasters. You might conclude, as the authors of this article did, that The Preparedness Message Isn’t Reaching the Public (from the November 2012 issue of EmergencyMgmt magazine).

PSA’s do reach lots of people, of course, but they don’t seem to motivate people to prepare. Why?

No one is motivated by gory pictures or finger-wagging lectures from public figures. I know I’m not – and I’m generally receptive to preparation messages because I make my living spreading them. In fact, images of leaking nuclear power plants, collapsed houses, flooded villages, even distraught victims don’t motivate us; they overwhelm us. ‘Well, it’s hopeless’, we think to ourselves, or ‘I can’t do anything about it anyway.

Yet thousands of people all over the world donate generously to relief efforts for people they’ve never met in other countries- in Haiti, in Japan, in Indonesia – out of desire to help after a disaster. They won’t prepare themselves in advance, but they’ll willingly help others afterward.

Crowd-sourcing haze response in Asia

To stop annual fires that threaten the health of millions of people in Southeast Asia, separate the science of location from the politics of responsibility

A few months ago smoke from illegal burning in Indonesia represented an immediate danger to life and health in Singapore, where I live. On Friday June 21, “haze” originating in Indonesia caused Singapore’s Pollutants Standard Index (PSI) to peg the meter at 401, an airborne contamination level at which it is not only hazardous, but genuinely difficult, to breathe.

I think life-threatening haze from illegal fires fits into any broad definition of the word “disaster.” Haze reaches Singapore most years in the dry season when land in Indonesia is cleared for farming, but the consequences hadn’t been so miserable since the “large-scale air quality disaster” of 1997. There is no reason to expect it will stop until its perpetrators (by whom I mean landowners of palm and pulpwood concessions, not just the farmers who do their bidding) are stopped. Resilience professionals – emergency managers, business continuity managers, risk managers, crisis managers, security managers – could help.

As a downwind resident and as a resilience professional, I really want to know exactly where the burning plot is located so someone can figure out who owns it and who is responsible for burning it illegally. Helpless in the haze, Singapore government agencies pressed officials in Indonesia to make their land-ownership maps public specifically for those purposes.

“I regret to inform you”…by text message

A human resources manager in Singapore told me during an exercise she planned to notify next-of-kin of  injured or deceased employees by text message (SMS). I was stunned. If there were a worse way to receive sensitive, painful information, I can’t imagine what it could be.

The rules for ‘breaking bad news’ are:
1. in person: never by phone, email or text
2. in time: anxious relatives want news – good or bad – as quickly as possible
3. in pairs whenever possible: a man and a woman are the best combination
4. in plain language: the facts, frankly and clearly
5. with compassion: as you would want your doctor to tell you.

Here is a page of tips for breaking bad news from Counsellor Suzanne Anderson MSW at SACAC in Singapore. You can learn more about death notification and practice doing it in Suzanne’s Crisis Communications & Crisis Intervention course.

Small business BCM: still pushing a rock uphill

Resilient Business NZ is one of many Sisyphean efforts to engage small businesses in contingency planning. A project by Welfare & Recovery Manager Jane Lodge of the Auckland (NZ) Council, Resilient Business NZ has simple menus, engaging photographs and international-standard BCM advice. But its initial self-evaluation questions include, ‘Does your business understand the Maximum Tolerable Period of Disruption?’ Gee, I hardly understand MTPD myself…

SisyphusMemories of two destructive earthquakes in New Zealand in the last two years may be enough to motivate owners of grocery stores, dry cleaners and coffee shops to prepare for disasters, but I doubt it. I hope Resilient Business NZ results in a measurable increase in preparation, because it’s a good idea, but it is basically another entreaty – like Canada’s B-Ready Now and the Singapore Business Federation’s National BCM Programme for SMEs – to small business owners to spend time and money they don’t have. A business owner isn’t looking for ways to spend money; she is looking for ways to make money (and aren’t we all?).

Small business BCM challenges the paradox of preparation: there is no return-on-investment in preparedness unless asteroids hit the planet or some other Extraordinarily Unlikely Event occurs. Resilient Business NZ tells business what they should do, but people don’t always do what they should do, or what their well-intentioned governments exhort them to do. They shouldn’t smoke, drink or eat supersized French fries, but they do anyway.

BCI-DRJ alliance: this is ‘thought leadership’?

So this is what passes for thought leadership in business continuity management (BCM) these days.

The Business Continuity Institute (BCI), a U.K. professional association with global ambitions and under-exploited footholds in the growth markets of Asia, Middle East and South America, goes looking for a partner in North America. After thoughtful deliberation about the future of BCM in the 21st century, and with all the time in the world to make a choice, they select…the Disaster Recovery Journal (DRJ), a 24-year old, American, family-owned magazine publisher and conference producer that must be the only BCM business in the world still calling it “disaster recovery,” the most-resented term in BCM profession.

BCI’s announcement says the alliance “aims to align thought leadership between [the] two organizations,” while DRJ’s press release says the alliance will “broaden and deepen discussions in…business continuity and related professions.”

That “thought leadership” bit caught my eye. When I first skimmed the headline, I mistakenly thought the BCI and the American professional association formerly-known-as the Disaster Recovery Institute International – DRII – had finally decided to stop pissing on each other’s shoes. Now, that would be news.

Conference victims of the world, unite!

Rise up and rebel against the presenters who oppress you! Join the Anti-PowerPoint Party, a grass-roots global movement dreamed up by Swiss software engineer and author Matthias Poehm. Be sure to check out his “Horror slide of the month”! You can “Like” the APPP Party on Facebook, too.

Columnist Lucy Kellaway of the Financial Times wrote about the APPP in her column, “Anti-PowerPoint revolutionaries unite”. (The FT makes you register to read their stuff, but it is free.) She was brave to admit publicly she’d been “gang raped by PowerPoint slides more times than I can count.” I can’t wait for her podcast of that one.

Joining the APPP is free. And very much tongue-in-cheek. I joined. I’d send money, too, but it’s not quite clear how it would be used. Matthias is flogging his book, The PowerPoint Fallacy, for SGD 29.00 if you join the APPP, SGD 46.00 if you don’t. His marketing strategy is positively a work of genius, in my view, because so many bad presentations waste so many people’s time, all over the world.

U.S. President Abraham Lincoln dedicated a Civil War cemetery in three minutes and just 268 words – and no slides – in his famous Gettysburg Address. 150 years later, American school children can still recite it from memory (I learned it in the 4th grade). Here’s Google’s Director of Research Peter Norvig‘s satirical version of that Gettysburg Address  as a Powerpoint presentation. Point: bad slides detract from good content.

Putting security on the wall

I suppose that putting up posters in your office might raise awareness of risk, security, audit, fraud, theft and other naughty behaviors. New Zealand IT consulting company IsecT Limited publishes risk management posters for that purpose every month on their NoticeBored web site. The company has been distributing free, high-resolution posters since May 2006; there are five or six new ones each month. (The April 2008 selections featuring auditors are amusing.)  I’d like to be at a brain-storming session where these are dreamed up; I’ll bet that beer is involved…

American training firm Native Intelligence also distributes security awareness posters online and in print. Some posters are free, but print versions without a watermark cost USD 7.50. Native Intelligence also produces 60-second animated presentations for video kiosk and desktop screensaver displays. The company is owned by Native American women, hence the company’s name. (“Native American” is how Americans refer to American Indians, to distinguish them from people from India.)

Earthquakes in Asia: Whole Lotta Shakin’

It’s hard not to notice the earthquake risk around the Pacific Rim these days. Maybe the risk is actually higher, or maybe I just notice it more, but in the last four months, Asia has had three earthquakes of 6.0 or higher on the Richter scale, the magnitude at which earthquakes are generally considered destructive.

The Wenchuan earthquake in China’s Sichuan province in May drew worldwide attention to the enormous impact of a big earthquake, even in areas with low population density: 70,000 people killed, 18,000 missing, 375,000 injured, and 5 million people homeless. And that was only the second-deadliest earthquake in Chinese history: the Tangshan earthquake was worse (250,000 people killed, 150,000 injured) and that took place just 30 years ago in 1976.

China is in the largest orogenic zone on the planet (that’s how the Himalayas got there), but Wenchuan had “never been considered high-risk compared to cities near other fault lines”, according to Hong Kong-based seismologist Dr. Michael Spranger. And now, after the Wenchuan earthquake, the earthquake risk in China is even higher because of tectonic shifting.

The Indian Ocean earthquake near Sumatra that caused the 2004 tsunami was also in an “unexpected location”, Dr. Spranger said. In fact, Munich Reinsurance reports that Sumatra accounted for nearly a quarter of all earthquakes measuring 6.9 or greater in the world since the 2004 tsunami; Sumatra had accounted for only 2 percent of them in the previous 30 years.

Getting credit for having a BCP

This month, U.S. credit rating agency Standard & Poor’s (S&P) started evaluating the enterprise risk management (ERM) capabilities of non-financial companies that it covers. This is S&P’s announcement, and here are their answers to common questions about it.

Extrapolating a risk evaluation to a logical, eventual conclusion, if a company doesn’t have a business continuity management (BCM) program, its credit rating could be lowered. The consequence? Borrowing money would cost more, and for the large companies that S&P reviews, that could be a material consequence.

S&P already evaluates risk management at the banks, insurance, energy and agribusiness companies that it rates, and now wants to do so at companies in other sectors. These are the Asian corporates that S&P rates and these are the U.S. corporates. You’ve probably heard of their S&P 500 index of American companies. S&P also rates companies, governments and debt instruments all over the world.

Suppose one of those companies wanted to issue a bond for $200 million to build a new plant in, say, India. Suppose also that, in part to its assessment of the company’s risk management, S&P lowered its credit rating from, say, A- (upper medium grade) to BBB+ (lower medium grade). As a result, the company was forced to pay a 4.1% coupon instead of 3.9% to make the bond attractive to investors or underwriters. On $200 million, two-tenths of one percent (the difference between 4.1% and 3.9%) is $400,000.