Is sexual abuse an organizational resilience issue?

It is for Pennsylvania State University, a large, multi-campus public university (“college”) of 44,000 thousand students in the eastern United States. It could be at any organization – not just a school – if one of that organization’s employees were accused of abusing vulnerable individuals, especially children. Sexual abuse of children is a “significant public health problem” in many parts of the world, including the United States.

College (university) sports are a billion-dollar business in the U.S., a source of weekend pride and prejudice for millions of Americans. The top thirty (30) college sports programs alone raked in $5 billion in revenue last year (the 2010-2011 season). Penn State’s football team generated $73 million for the school, and they don’t even pay their players.  So the business impact of losing the trust of a campus, a community or a country because of criminal sexual conduct is enormous.

If you were a trustee of an educational institution at which lurid charges of sexual abuse by an employee had publicly exploded onto every screen in the land, you’d have a right to expect the school’s administrators to have a crisis management plan, and to brief you about it.    The trustees of Penn State have hired a public relations agency, Omnicom Group’s Ketchum agency, to advise them about crisis management.  Read more... (2929 words, 1 image, estimated 11:43 mins reading time)

A very similar editorial comment by U.S. comedian and former talk show host Dick Cavett on the New York Times Opinionator page yesterday (19 August 2011) caused me to excavate this one from my archives. Originally posted 2 February 2007 on my BCP Confidential blog on ZDNet, which I no longer write, the examples in it may be dated, but little else has changed, except the flying public’s resentment.

When a TSA inspector at a U.S. airport says he’s going to touch your genitals and asks, ‘Is that OK?’, what’s the right answer?

A uniformed Transportation Security Administration inspector at the Los Angeles airport asked me that question in December (2006).

Let me admit my bias: I believe the “security theater” (as security blogger Bruce Schneier described it) performed by the TSA at U.S. airports is a poor allocation of time, money and resources.

TSA screening at airports makes travel a lot more difficult for people who are NOT terrorists, like me, but I’ve not heard or read a single story of post-9/11 airport security procedures preventing an armed terrorist from boarding a plane.

In November 2005 a TSA inspector ordered a woman passenger in line in front of me to remove her denim vest – which was also her blouse – at a checkpoint in St. Louis, Missouri. The woman had to pass through the TSA check point in her brassiere.  Read more... (1566 words, 0 images, estimated 6:16 mins reading time)

The British Business Continuity Institute‘s Technical Director Lyndon Bird wrote in the July/August issue of BCI’s Continuity magazine that the new AS/NZ 5050 standard “does not follow…a generally accepted international view of business continuity management” and that 5050′s underlying principles were “not in line with progressive BCM thinking.”

Perhaps he can be forgiven for staging an unexpected  suicide attack on the Unbelievers from Down Under, as he was severely provoked. The SAI Global web site says AS/NZ 5050 “goes beyond many of the concepts that in the past may be been described as ‘Business Continuity Management’ or ‘BCM’”, and the Standards New Zealand web site said 5050 “[builds] on earlier concepts (often called ‘business continuity management’).”

Clearly intolerable provocation. So can we all agree that the Aussies and Kiwis started it by declaring a professional intifada? Those troublemakers.

I teach the BCI’s five-day entry-level training course, and I believe the BCI-prepared slides for that course reflect the BCI catechism on risk management (RM) and business continuity management. The orthodox BCI worldview is that RM is part of BCM, not the other way around (course module 2). On the right is the BCI’s “umbrella” slide from an earlier version of the course; note RM over there on the far left under the BCM umbrella. BCI acolytes also learn in the course that “formal risk management has limitations in dealing with unlikely but feasible catastrophic risks.” Lyndon Bird’s comment just reiterates the BCI’s long-held belief that BCM’s “progressive” priesthood focuses on consequences, not causes.
 Read more... (558 words, 1 image, estimated 2:14 mins reading time)

This month, U.S. credit rating agency Standard & Poor’s (S&P) started evaluating the enterprise risk management (ERM) capabilities of non-financial companies that it covers. This is S&P’s announcement, and here are their answers to common questions about it.

Extrapolating a risk evaluation to a logical, eventual conclusion, if a company doesn’t have a business continuity management (BCM) program, its credit rating could be lowered. The consequence? Borrowing money would cost more, and for the large companies that S&P reviews, that could be a material consequence.

S&P already evaluates risk management at the banks, insurance, energy and agribusiness companies that it rates, and now wants to do so at companies in other sectors. These are the Asian corporates that S&P rates and these are the U.S. corporates. You’ve probably heard of their S&P 500 index of American companies. S&P also rates companies, governments and debt instruments all over the world.

Suppose one of those companies wanted to issue a bond for $200 million to build a new plant in, say, India. Suppose also that, in part to its assessment of the company’s risk management, S&P lowered its credit rating from, say, A- (upper medium grade) to BBB+ (lower medium grade). As a result, the company was forced to pay a 4.1% coupon instead of 3.9% to make the bond attractive to investors or underwriters. On $200 million, two-tenths of one percent (the difference between 4.1% and 3.9%) is $400,000.  Read more... (885 words, 0 images, estimated 3:32 mins reading time)

Singapore Exchange Ltd (SGX) has issued proposed business rules on business continuity for public comment. The rules are likely to take effect for member firms in 3Q 2008, and firms would have twelve (12) months to comply. Member firms were briefed on the new rules in April.

SGX operates and regulates integrated securities and derivatives exchanges. Like many Asian exchanges, SGX is a publicly-traded (demutualized) entity; the shareholders, not the member firms, own it. These are SGX’ derivatives market members (32 trading or clearing firms) and these are the securities market members (27 firms).

If the guidelines are adopted, member firms would be required to:

1. assess their risks, complete a business impact analysis (BIA), and have “appropriate BCM measures to mitigate the risks”

2. make a senior officer responsible for BCM

3. review and test their plans regularly, and participate in financial sector exercises

4. designate and submit emergency contacts

These are not onerous requirements, and many of the member firms already have BCM programs in place. But it’s taken some time and effort to promulgate appropriate guidelines because SGX is both a market operator and a regulator. That means it must consider, in its rule-making, its commercial interests (and those of its members) alongside its fiduciary responsibilities (and those of its members).  Read more... (331 words, 0 images, estimated 1:19 mins reading time)

There is no more important long-term challenge in protecting businesses, homes and lives than bridging the knowledge gaps between what I call the “resilience professions”: business continuity, disaster response, disaster recovery, emergency management, crisis management, risk management and security. Asia is about to host the first conference I’ve seen to take on that challenge explicitly.

The 2008 International Disaster Management Conference on Public Private Partnership will bring together for the first time in Asia both public- and private-sector professionals in disaster, emergency and business continuity management as both presenters and attendees. The conference is on April 16 & 17 in Delhi, India and is endorsed by India’s National Disaster Management Authority.

In one conference you’ll be able to hear and meet senior executives from, for example, the Red Cross/Red Crescent Society, the British Standards Institute, India’s Oil Industry Safety Directorate, the Micro-Insurance Academy, the Federation of Indian Chambers of Commerce & Industry, the US Agency for International Development International Resources Group – and the Mumbai airport. There are about twenty (20) presentations, plus India’s normal introduction and thank-you rituals.

The conference is organized by volunteers at Responsenet, an initiative of the Aidmatrix Foundation, a non-governmental organization (NGO) supported by high-tech companies. Some financial support for the conference has been given by the International Association of Emergency Managers (IAEM), GeoHazards International, Tata Indicom and Sphere India. Last year’s conference organized by Responsenet on supply chain for disasters drew 120 people.  Read more... (676 words, 0 images, estimated 2:42 mins reading time)

Singapore is preparing for the International Monetary Fund (IMF) and World Bank Group meeting in September, locally referred to as “S2006“. 16,000 visitors are expected; lots of companies plan to active their BCP‘s for the event. Public demonstrations are banned in Singapore, but there’s been plenty of preparation for disruptions. Here’s how to handle a phone threat, and this is what to do with a suspicious package.