Pandemic H1N1 – Part 2

This is my second post on the H1N1 flu. I have a daughter-in-law in the high risk category — she’s expecting twins in December and didn’t want to get the vaccine — but I did finally convince her. Also: while I was hosting my 150+ person webinar on how to handle the pandemic’s effect on your business — one of my employees came down with the ful. He was very sick for the first 3 days, and then slowly improving but still with a fever after five days.

We asked several questions during the webinar, which was very well attended by banks, hospitals, credit unions, and other companies. The one that surprised me was that only 40 percent of the people had a pandemic plan in place and about 20 percent didn’t know if they had plan or not. When we are discussing alternate staffing plans, the place where you might see the most impact is in the IT area. IT managers and network managers usually have knowledge not shared with the rest of the organization.

It’s easy to get a temp to fill in as a receptionist, to add a salesperson, or replace clerical or admin functions, but to get someone who knows your network and how all the configurations work is a trickier proposition — and FLASH — IT and network people also get the flu!

One of the amazing facts from the webinar was that older people — that is, anyone who was alive in 1957 or right after, has a very low chance of getting the H1N1 virus (unless they have another underlying condition like asthma). This is because a similar strain went around the world is 1957 and so people from the era are relatively immune.

Other considerations to contemplate during this pandemic is whether to relax your requirements for employees to have to get a written doctor’s excuse — doctors may not have time to write one — and employees who only have the flu, but are staying at home sleeping, may not have to visit a physician or hospital. Another aspect to consider is whether you would rather have people stay out LONGER, to make sure they don’t infect others in your company.

A company full is 20-40 year olds is probably going to have more absences because they have small children at home. If you look at the flu maps for the last four months in the U.S., you can easily see that the flu started in March-April 2009 and then died down when school was out. School in session resulted in the 2nd wave of the pandemic that is still increasing, as we enter into the usual flu season.

If all the data was analyzed, I’m quite sure they would find that the concentration of children in school, colleges and universities is a big driver in keeping the flu numbers increasing.

One disturbing note was — children may not be protected completely from the first vaccine, but may need a booster. I saw this on the news this morning, and, with vaccine in short supply anyway, the idea that boosters may be needed would be very unwelcome.

By the end of next week, we should get a better idea of the trending of the flu waves and that will help companies in planning for increases absences. At the beginning of H1N1, experts were predicting a 20-40% absentee rate — so don’t take your eye off this pandemic.

How your health records are safer — or at least you’ll know about all the disclosures now….

Well – it wasn’t a billion dollar bailout and it wasn’t a new ‘public option’, but it was, on September 23rd, the official STARTING DAY of the new HIPAA breach disclosure rule, another tangible effect of the American Recovery and Reinvestment Act of 2009.

The breach disclosure rule is a little unusual in the way it dictates how healthcare entities have to behave if there is a disclosure of YOUR PHI (i.e. Protected Health Information). Your PHI could be interesting little tidbits of information like:

- detailed health info on 1000 Hollywood celebrities, probably all about face lifts, nose jobs and liposuction.

- Details on whose tubes got tied

- Embarrassing information on warts and other disgusting physical problems
Or
- Just info you don’t want everyone to know about.

The new Breach Disclosure rules protect you. Here are some of the details about what the organization that leaked your sensitive info has to do…

If the breach involved less than 500 individuals’ information, then you must be notified within sixty days and “without reasonable delay”. If more than 500 individuals’ information is breached, then the organization has to not only notify the Department of Health and Human Services, but also has to send out a press release and notify the media — film at eleven.

Covered organizations (covered entities) will not be penalized until February 22, 2010. So for now, organizations should make sure they have these disclosure guidelines in place and practice them, including training and awareness exercises, so they will be ready by February.

Organizations must also do an individual RISK ASSESSMENT on each breach to calculate the harm that the breach may do to an individual. For example, whether the breach would affect their health insurance, or their relationship!
There are additional considerations about whether the breach was done in error and actual disclosure was limited; or whether it was malicious disclosure – done on purpose, or for financial gain.

The breach notification rule, in my opinion, is just another manifestation of how serious the government has become about protecting personal information, whether it is protected health information, or personal financial information.

The FTC reported that identity theft is the one number consumer complaint and so protection of your information has moved up to the top of the list. Lucky us

Did you Wash Your Hands Today? RISK and the H1N1 PANDEMIC

The CDC reported on August 29, that, as of April 15, 2009, total of 9,079 hospitalizations and 593 deaths associated with 2009 influenza A (H1N1) viruses
have been reported to the CDC.

I put on a seminar last week with the Florida International Bankers Association in Miami, Florida, and one of the topics on the menu was the H1N1 Flu. Now, about ten days later, the media is starting to report on H1N1 sweeping through the college campuses and elementary schools. It hasn’t hit employers hard yet, but I am confident that it will.

And this time it comes with some surprising statistics. The younger you are, the more at risk you are. Apparently if you are over 60, or born after 1956, you are mostly immune because a similar flu that made the rounds in ’57 gave people alive at the time, antibodies that will protect you this time.

I have noticed the increase in sincere doctors talking about how they are going to immunize their own children – that is, after the new vaccine comes out in mid-October.

Hospitals have already been hit especially hard by the recession, due to the increase of patients who have lost their jobs, and therefore their health insurance; and that has increased activity in the local emergency rooms. But look what the forecast is for hospitals at the height of the possible epidemic — Under some models, seriously ill influenza patients could require 50 to 100 percent of intensive care unit (ICU) beds at the epidemic’s peak, stressing the medical and public health systems to the point of overwhelming some hospitals, and could cause from 30,000 to 90,000 deaths, concentrated among children and young adults.

I went to the local grocery and stocked up on hand sanitizer for the office and also lots of foil-wrapped sanitizing wipes – keeping them in my purse and suitcase, for those occasions where I have to shake a lot of hands.

What is the effect on a business if H1N1 does reach pandemic proportions?
Your personal risk varies depending on your age. Older workers will not be affected but take a look at your workforce and calculate how many have young children or school age children.

Since transmission increases in group settings, and kids are known for not being the most hygienic of creatures – there is a better than fair chance that your employees will have children who get sick and they will have to stay home with their children.
Some schools may have to close for 4-8 weeks. Especially since elementary school teachers are often in the target group and often have small children themselves. In my own office, two-thirds of the associates are under forty and half of those have small children. One expert said that if the 30% figure holds, then expect a ten-fold increase in absenteeism.

If your organization is part of the critical infrastructure, you might want to get a professional assessment of your risk, not just to identify it, but to get a set of operating procedures you can use if the pandemic does materialize.

Here are a few things to think about:

1. Encouraging an option for employees to work at home.
2. Deciding in advance what to do when an employee tells you he has H1N1.
3. Cross-training for important as well as critical functions.
4. Think about curtailing employee travel, if necessary.
5. Consider the impact if public transportation is not available, or
Not safe to use.

Seriously consider getting some No-Doz for your employees over sixty who may have to work much longer hours!!

AND DON’T FORGET TO WASH YOUR HANDS.

Crime & Punishment – Blame & Accountability

BLAME & ACCOUNTABILITY

Gee – they go together like a horse and carriage. The CIA Interrogation controversy has been front and center this past week and what stands out, no matter what side you take, is the blame game. Blame the old White House for overstepping authority; blame the new White House for waking up the sleeping dogs. Blame the lawyers. Blame the interrogators. Blame the detainees for being such intrinsically bad people.

A process tinged with so much blame highlights that there is another principle at work here – you could call it Greed (a la Gordon Gecko) and that is the phenomena of skating right to the edge of an ethical question, or ‘getting away with as much as you can’.

The Getting Away With (GAW) principle is the polar opposite of Accountability. In the GAW, the question is never asked about whether something is legal, or moral, or right. Instead the question becomes one of degree and how far you can go without brushing up against laws, moral outrage, the notice of Congress or whatever.

If Accountability means taking responsibility for one’s actions, then GAW means not taking responsibility, not even admitting what is obviously happening, but instead pushing the responsibility onto to someone else, i.e. the lawyers, the White House Counsel, the Justice Dept., the CIA, the individual interrogators. Sort of like a musical chairs game where you go as far as you can, do whatever you want, and hope by the time the game is over, someone else is left holding the bag.

If you are wondering what this has to do with RISK – it’s the pushing around of the accountability – responsibility. If risk is going to be addressed in an analytical manner, then you have to examine, and insisit on, accountability.

So in a corporate setting, say the ENRON debacle – the justice system addresses who was accountable. Who knew what? Who signed the memos? Who shredded? Who decided?

In government decisions, there is almost a preference for non-accountability. Even though, as an organization with a budget, it should be judged just like a corporation, an association or anything else – there is a tendency for government to say “it’s the system”, as if decisions were made by the eight ball instead of an actual person. If you contribute each government decision made to an actual person, then you have accountability.
Probably why there are so many committees!

Accountability is always the Number One Control!

How to get Management On Board with Security Enhancements — or how to avoid cocktail party security decisions.

One of the most aggrevating issues that security people have to deal with is someone who has no security background and knows little about the current technology, who decides what should be funded based on:

1. My wife thinks cameras are an invasion of privacy.
2. My secretary like X instead of Y
3. My friend, Sam, said his company was adding
some new widget.

This applies whether you are doing corporate security or information security and it is basically having your management make an emotional decision, or what I call a “cocktail party decision” about where the security budget should be spent.

Don’t confuse them with the facts. In fact, most of this is from people who do not understand the complexities of security or the interactions of various security solutions with each other.

Last evening, I spent quite a bit of time with a client from Asia, who had a big client who couldn’t decide which solutions they wanted to implement. Should it be A or B; and how to set it up? Regionally? by Business Unit? By Subsidiary? By Sub-subsidiary?

As we discussed it, I realized that the Director in question was really avoiding having to spend any money! It wasn’t about the decision – it was sort of smoke and mirrors to avoid having to admit a lack of funding for security.

In these cases, when your organization may have had the budget trimmed, cut or slashed — it is imperative to be able to use some quantative measurement of the risk to justify the cost of the controls. Whether you have enough budget for one control, or for everything, it must always be prioritized by NEED and by RISK. By Return On Investment. What losses can we prevent or avoid if we add this specific control? How much loss are we preventing? What is our potential exposure if we do nothing?

These are the elements that need to be understood by management in order to get the right controls in place, in the right amounts, at the right time.

THE WANTED — NEW TV SHOW ILLUSTRATES THE CONCEPT OF ACCOUNTABILITY

If one picture is worth a thousand words, then this new TV show “The Wanted” is worth about a million words!

The debut of “The Wanted” showed the terrorist-fighting journalists meeting with the Norwegian government to find out how to get a Jihad-loving Mullah deported back to Iraq to face charges for murder. The interesting twist of this series is that it shows the journalists meeting with, and clearly identifying, the woman and agency in Norway that is protecting the mullah. They go on to meet with other politicians in Norway and step through all the red tape to find out — what is required to get this terrorist out of Norway and to Iraq to face charges.

Their actions have already set a chain of events in motion including having Iraqi officials say they will not give the Mullah the death penalty, which is apparently what Norway wanted to hear. But even after that concession was made, the person directly in charge of having him deported, was still denying that he would be sent back.

Enter accountability! One TV show with the individuals picture on it — and the bureaucracy is exposed and now action takes place and spurs other actions.

It reminded me of the power of having individuals names linked to their truthful answers about how well or poorly they were complying with specific security requirements. You can talk about high, medium, and low until your face turns blue, but it just theoretical talk — until you actually show real names, with real answers and then it becomes REAL. It becomes actionable intelligence that is much much harder to ignore or push away, out of your consciousness.

I have never discussed a TV show before — but you should check out THE WANTED and see how it focuses the white light of accountability on everyone who is interviewed!! Monday nights on Dateline — catch it.

Hotel Bombing in Jakarta – A Dangerous Trend

The hotel bombings yesterday were a bad sign. According to an article this morning in USA TODAY, both hotels had been assessed by iJet, a security and intelligence company based in Annapolis, and had received high ratings, said iJet president Bruce McIndoe. The fact that Friday’s blast didn’t do more damage shows those measures were effective, McIndoe said.

“(With) the new security procedures, all they could do is get suicide bombers in and blow out some windows,” he said. “You can’t stop it — there’s no 100% foolproof way. But they’ve minimized the impact. It was a fairly sophisticated operation. (The terrorists) put a lot of time and effort into this, with very little outcome (in terms of ) death and destruction.”

McIndoe is correct that there wasn’t a catastrophic loss of life in these bombings and the damage was relatively minimal. I started to review some of my hotel experiences and see how much security COULD you put into an international business hotel. If the bombers took the bombs right up their rooms in their suitcases — there are a couple of obvious next steps.

1. All luggage gets turned over to hotel staff at the curb, or entry area, and
then is screened in an anteroom before it is taken up to the room by the hotel security staff. That seems to be a relatively easy program to implement, and would dramatically improve security.

2. Bring in the x-ray scanners and all visitors go thru the metal detector and have luggage, briefcases and shopping bags inspected upon entering the hotel. This would be more expensive and intrusive, but probably more effective and just one more travel inconvenience to get used to.

We have a model developed for hotel and casino security. The hotel/hospitality model is a little more complicated than your average business facility because it has more than one purpose. What I mean is that a business is usually set up to conduct business — but a hotel/casino has several lines of business including overnight room business; gambling; shops; restaurant business and also meeting business. All these have different objectives and they are influence the other business lines.

The maids, maintenance personnel, engineers, waitresses, cooks, etc., are all local elements that could potentially be used to gain access for terrorism purposes. Everyone has a cousin somewhere that may use family ties to get access to even a secure facility. The stowaways that get into ships, are almost always the result of the exploitation of family ties.

Better background checks conducted on hotel personnel may be another area that needs work, and would probably improve the hotel’s bottom line because other areas such as cash-handling and letting friends access empty rooms could also be improved at the same time.

Having stricter access controls and luggage/package controls at hotels would just extend the aggravation of current airport security programs right to your next hotel. Let’s hope it doesn’t come too soon.

How much does Accountability contribute to the Security Environment in an Organization?

Watching the Supreme Court confirmation hearings made me think about:

ACCOUNTABILITY. One of the problems faced by security directors in both IT and corporate security is that they are alone on the island. No one else wants to worry or think about security.

This may be a major underlying cause of why security problems are not easily solved, just by adding new technology. People still find ways to either ignore controls, or use them incorrectly.

One of the main benefits of a Distributed Risk Assessment is that it touches different people in the organization and increases their awareness – AND Accountability. The accountability element comes in because the risk assessment analyst can track each individuals answers so you can see a simple profile for each one, and see that they are either:

Complying MORE than others in the organization
Complying SIGNIFANTLY LESS than others in the organization
Are so clueless that they don’t know whether they are compliant or not.
Don’t think the security questions apply to them.

With this kind of detail, you can also COMPARE individuals, compare business units, compare departments and this kind of detail also encourages accountability in the business unit manager.

Accountability could be the basis for fixing everything that is wrong in society, as well as in the security program.

Think about the impact if everyone took responsibility for their OWN health. It would change the world. What about if everyone took responsibility for their neighborhood’s safety and security? What if parents took responsibility for how their children performed in school?

Obviously – adding the element of Accountability into the security program could be very motivating.

Accountability is the exact opposite of passing the buck to someone else. And while accountability can be a daunting prospect (when you think about applying it in YOUR organization) — it is also empowering. It gives individuals control over their security and takes them from a passive to an active state.

And I hope everyone would prefer being in an active state!!

www.riskwatch.com

Assessing Risk of Swine Flu (H1N1)

Largest webinar ever was today on the current pandemic (Swine or H1N1) flu.  I was surprised at how many organizations participated and we reviewed the different areas that business need to review when a flu like this threatens. 

Last year we created six different pandemic flu assessment questionnaires, differing on whether the business is tagged as a “critical industry”; whethere is is domestic, or has international offices; whether it’s a hospital or healthcare provider and also sliced and diced by the state of their pandemic and emergency plans such as continuity of operations planning.   Disaster planning is not really the same because in disaster planning, you assume the rest of the world is constant, instead of in the state of flux a real pandemic would produce.

In Maryland, there are six cases, and three of those in this county — they closed a school this morning.  So it is of concern to employees and the webinar centered on the different decisions business execs need to make about:

1) communicating with their employees and suppliers

2) making plans for auxcillary workforce members

3) doing advance planning and creating mechanisms for people to work from home, if necessary.

4) looking at last-minute cross training and making sure that everyone knows how to do almost everything.

The other aspect was understanding that this flu, at least initially, looks relatively mild, and as such, it makes a great case to run preparedness drill when people are watching the media coverage.  Also probably a good time to get budget approved for things like back up supplies, face masks (if execs are planning travel), or the business is very customer facing.

Reviewing training and trade show plans for the summer and fall would be a useful exercise.   And I think it is a service to employees to explain how to create a family pandemic stash of medicine, toilet paper, food, water and all the other necessities of life that would hold a family over for 3-6 weeks of isolation in the house.

These basic planning elements are all over the web and all over the news, but sometimes still hard to assimilate.  One of things we have developed is a spreadsheet of the planning elements, and I’d be happy to send it to you, if you send me a request to this blog.

Building a Model for Security Governance, Risk and Compliance

I recently began to think about how to integrate security seamlessly into an organization — without having security activities and processes pigeonholed into a stovepipe like physical security (the 3 Gs, guns, guards and dogs); or in the rarified atmosphere of the IT Department.

Other business processes are already thought of as an integral part of a business.  Think personnel, finance, shipping, sales.  All basic parts of any organization, including government agencies (which are another kind of business), have these different categories but security is never mentioned as one of these basics.

Of course, my readers know that none of the other pieces would get very far without good, or even great security.  You can’t run an organization without locks on the doors.  You can’t run a network with security controls or it would just collapse into a heaping pile of spam within a few hours and become totally useless.

So if we wanted to integrate security and use the risk assessment process to do it — what are the pieces we would integrate?   One night over dinner with other security people, we started to build a security model, which could then by assessed and each category would have steps which could be combined to create THE PERFECT INTEGRATED SECURITY GOVERNANCE MODEL!!

I am open to suggestions about other aspects but here’s the list of the ones we started off with:

1.  Access Controls

2.  Accountability

3.  Budget/Fiscal Responsibility

4.  Compliance

5.  Information Technology

6.  Investigations

7.  Measurement/Evaluation

8.  Personnel Management

9.  Policies & Procedures (Ps & Ps)

10. Risk Assessment & Management

11.  Security Planning

12.  Training and Awareness

In the model I’m proposing, each of these areas could by quantified into a 5-step program with zero meaning no progress in that area, and five meaning it has been integrated into the organization as a standardized, budgeted process.

Send me an email if you’d like to see a graphic of the model.  The point of a model is to get an idea of where you are on the pathway to integration of the security model into the business process.  For example, you could find out that you doing great on access control and technology, but not so good on accountability or awareness.  Then you could put more emphasis, or resources into those deficient areas.

If you’ve ever read this blog before, you know that my mantra is, “if you can’t measure it — you can’t manage it” (quote by the late, great Dr. Peter Drucker).

While listening to talk radio people discussing the problems of AIG, I heard another great line, “Companies that are ‘to big to fail’ … are probably ‘to big to manage’.   And that’s probably right, because those companies, with tentacles out into industries all over the world, are probably ALSO TOO BIG TO MEASURE!

So having metrics applies to all these corporate processes and managing security using metrics must be an idea whose idea has come.   Often the security departments in companies are isolated from the C-level and may not be included as often as other corporate or department managers are.    This is why the breakdown occurs that leads to weakness in compliance with regulations, which can destroy the entire organization, or, if you’re a bank, can lead at a CDO (Cease and Desist
Order).

Often these twelve critical security elements are absolutely essential to the running of the organization and that is why it is important to create a management model to measure how they are working in YOUR organization!

A New Model for Assessing Corporate Security

Corporate Security — that is, what the federal government calls “Physical Security” has long been treated as a uneducated stepchild by the information technologists.  The old perception that Corporate Security is just about guns, guards and dogs is just not true anymore.   Instead, physical security has taken full advantage of the computer revolution to create security controls that run on computer networks and do amazing things like creating electronic perimeters inside hospitals (for visitor management); ID visitors and track vehicles and biometrically identify individuals.

Corporate security directors I have known are invariably smart, savvy and computer literate.   Here’s a look at the difference between the OLD physical security operations and the NEW corporate security organizations.  The OLD PS operations usually operated out a guard shack or basement office and the main activity was badging in security guards and checking badges.  The NEW PS operations are run out of a high tech command and control center and the Security Directors often have authority for not only security but also Risk and often, information security.

These Security Directors are very conscious of how to improve their department’s performance and they are getting involved with benchmarking and automating many of their functions, including their security risk assessments.  Not like the old site surveys you see on TV, where the person is walking through the dark high rise in the middle of the light, flashlight flashing. 

We have been working on a model that could easily show the main areas of corporate security and a model a company could use to track exactly where they are in the process of creating an optimum security organization.  We call it the “Corporate Security Governance Model” and it tracks twelve elements of security through five levels:

        1.  Just Starting (Incomplete) - No Commitment of resources to perform and manage this function.  No corporate sponsorship or awareness of it’s importance to the organization.       

        2.  Performing – Rudimentary start to incorporate this element into the security program.  Function may have been done once, but there is no repeatability or management commitment.

        3.  The organization has assigned a manager to create a process for this security element.  Funding  is available and management has been briefed.

        4.   The element is recognized formally in the corporate policy and has been funded. Training has been introduced and metrics identified.

        5.   The element has become part of the company culture as policy and has training and funding which occur automatically.

There are a nine elements which are tracked across the five levels above.   We need to add three more — so please send me your comments on what those should be.

As of today, here are the different elements:

1.  Access Control
2.  Compliance (Regulatory)
3.  Information Technology
4.  Loss Prevention
5.  Materials Management (looking for a better phrase for this)
6.  Personnel
7.  Policies and Procedures
8.  Risk Assessment & Management
9.  Training and Awareness

Each of these elements will be explained with the actions to be performed, or improved, at least level and the idea will be that a corporate security organization will work toward getting all 5’s across the board.  

What elements are we missing?   Please post your comments or email me directly at:  chamilton@riskwatch.com and I will send you a copy of the model, which is a work in progress.

I think a model like this can be populated and automated so that an organization can get a fast 10 minute read that gives a snapshot of the security governance of the organization under review.

The next step is creating fixes for each of the steps so that it makes moving along the continum easier and faster.

Take a Valentine Risk Assessment

I think they should make people do a risk assessment on their proposal relationship and turn it into the city office when they go to get a marriage license — I thought it would be appropriate to introduce it on Valentine’s Day!

So to design our risk assessment, first we need to create a list of assets — joint assets.  How about the 2 houses, the 2 cars, the children from the former marriage, the inlaws — actually all the relatives on both sides, and pets (dogs, horses, etc.) any cash including stocks, bonds and salaries.  Probably also insurance policies, household goods, jewelry, musical instruments and collections.

Now we can model the potential losses we could suffer if the relationship fails:  Death or personal injury, divorce, alienation of affection, compromise and loss of assets.    Now we can add in the threats that could cause one of the projected losses to occur.  Threats could include things like:   children, relatives, job loss, illness, death, affairs, theft, business travel, alienation, depression, substance abuse. 

Next are the vulnerabilites in the relationship that could sabotage the whole thing — here are some of the questions we might make the prospective marital participants ask:

Do you work out of town more than 1 month a year?

Do you have more than four children?

Will one spouse be staying at home?

Do you have two incomes?

Does each partner have a healthy asset to debt ratio?

Do the partners have the same religion?

Do the partners have more than two common interests?

Are the partners equal in education?

Are the partners equal in life experience?

Is there a history of mental illness in your family?

Is there  family history of major medical problems, i.e.,
       diabetes, cancer, respiratory problems, cardiac issues, etc.

Do the partners have the same political parties?

Do the partners have a shared vision for the future?

So once the questions are all answered — and possibly weighted for importance — for example, I would put higher weight on questions about family medical history and financial health.  

We link the elements together according to a pre-set algorithm and then we give the couple risk rating:

80 – 100% – chance for a healthy relationship

50 – 79%    – possibility of healthy relationship if vulnerabilities are fixed

30- 49%      – possibility of healthy relationship is doubtful

1 – 29%        - healthy relationship unlikely to be successful.

The answer would also indicate outstanding vulnerabilities (think of a
vulnerability as a window of opportunity for a threat to materialize),
for example, health, financial assets, illness, mental illness, alcohol abuse, drug abuse, obsessive compulsive disorder, responsibility, accountability, policies, romance, weight control etc.

Based on the outcome of the assessments — say the score comes in at
70%, then counteracting controls are recommended such as:

Start Exercise Program
See psychologist for extensive analysis
Schedule a date night once a week
Hire a financial counselor
Take yoga classes
Reduce stress
Quit your second job
Take a real vacation once a year

I think that using quantitative tools at the beginning of a marriage or serious relationship might be a great idea!  The city could charge another $20 for rating the assessment so it would not only save relationships but serve as a revenue generator for city and county government!

That’s your risk assessment for Valentine’s Day.  Please let me know if you’d like to fill out one of my prototype questionnaires, or maybe contribute to the model.   Enjoy the day!

Accountability and the Link to Senior Management Salaries – Can it be measured or assessed?

The recent Stimulus Bill passed in February 2009 called bank presidents up to Capital Hill to report how much they made and whether they took bonuses or not.  Most reported they made one million dollars a year and took no bonuses.   Of course, we might suspect that this was slight underreporting.

Is there a link we can assess between performance and compensation?  In a factory, where people are paid by piece work, that is, ten cents for each piece sewn, there is a direct correlation and you could probably provide other examples of direct pay for direct work.

Another place to look is sales compensation.  Again, salespeople are incentivized by commissions so there is the correlation — work harder, get paid more.  

But the farther you go up management food chain, the harder it is to see the relationship between production and/or success of the enterprise and the salary of senior management. 

A recent study by the Health Services Research found that doctors who were paid more for higher quality care did improve their performance. It examined whether patients seeing physicians participating in a “pay-for-performance” incentive program receive better care than those who saw non-participating physicians. The health plan that was examined reimburses physicians based on the quality of care they provide. 

What about in other industries?  In another study, they analyzed the 100 largest technology companies finds that those with the highest-paid CEOs in 2005 had the worst returns.    DolmatConnell & Partners, an executive compensation consulting firm based in Waltham, Mass., found there was an inverse correlation between tech CEO pay and shareholder returns over a one-year period.    Companies analyzed in the study included Cisco Systems, Dell, EMC, Google, Hewlett-Packard, IBM,  and Oracle, as well as telecommunications providers, technology services companies and products distributors.

Perhaps the answer lies in the amount of PERSONAL ACCOUNTABILITY the senior managers have in the success of the organization.  If high paid managers are isolated and insulated from the operations of the company, they may not be in a position to directly affect its success, whether you define success as higher stock price, profitability, improved EBITA or some less quantitative standard, such as, are the employees happier?

Organizations where management stays involved with the day to day operations and can use their influence and wisdom to influence the progress, might be able to make a bigger impact on success of the organization.

Credit Unions and NCUA regulators

According to several companies that track such things — the number one thing that NCUA regulators are asking credit unions for this year is a copy of their risk assessment.

With fifty-five new regulators planned for 2009, the NCUA also announced it’s plan to move to a twelve-month examination cycle.  This is in contrast to the previous 18-24 month examination cycle, and has prompted a written complaint by the Credit Union National Association (CUNA) which objects to adding new regulators, as well as objecting to the new examination cycle.

In fact, CUNA wrote, “We find this draconian and believe there is a more cooperative way in which NCUA and the state regulators can discuss this issue …”.   It may turn out to be more prudent than draconian, because these risk areas, which should be detailed in the risk assessment, are areas that many credit unions have ignored, or have managed to ‘get by’ with a homemade spreadsheet, which does little to identify or quantify risk.

In a risk adverse environment with regulator issues on television every day, CUNA did state that  “given the economic crisis and the need for NCUA to be able to continue reporting to Congress that it is handling problems well, CUNA is not opposing this change [the 12-month cycle]“, and continued, “Even so, we strongly support a reasonable phase-in period that focuses on problems and risk first.”

Looking at this, it seems that part of the problem is a disconnect between the financial regulators and the credit union senior management.  Management and the Board looks at these requirements as annoyances that have to be completed and keep them from more important work — like getting new members or new loans, instead of looking at the risk assessment as a support to their business process.

When viewed as an integral part of a business process, it is clear that the risk assessment supports management by providing a quantitative view of the entire IT program, or the entire operational processes of the credit union.   It supports management decisions directly by providing real justification for the controls that management and the Board need to implement; and by giving the NCUA regulators visibility into those decision processes.

It shows the logic of the decision process, i.e., why management decided to use biometrics on their laptops; or why they need to shift some of the security controls to their outsourced vendors and making the vendors more directly responsible for security.   This allows the regulators to give better advice, and support to the credit union, because there is a rational process that can be discussed and examined, to the overall benefit of improved operations for the credit union.

The intent of increased regulation is not always to aggrevate or criticize the credit union management, but can be positive force which allows the credit union to advance, gain new members and be more profitable.

TARP Risk

What is the risk associated with taking TARP money from the federal government?   If the government is going to create difficult milestones and lots of requirements — like limiting of CEO salaries and banning bonuses — it might not be the bonanza everyone seems to think.

We recently were contacted by a company that is turning into a bank just to get their share of the TARP and Stimulus dollars.  Of course, they may not understand the downside of being a bank which would include heavy regulatory compliance AND the ‘mark to market’ problems.

Thinking about a risk assessment for the TARP took another direction — what kind of formal risk process could be used by feds to judge whether a particular bank or company was TARP-worthy.   After you throw out all the joke lines — e.g., do they own corporate Gulfsteam jets?, then what would you look for?   Here’s a list of possible factors:

Value of company to overall economy
Ratio of bonuses to overall revenue
Ratio of CEO pay compared to overall revenue
Number of ‘retreats’ taken annually
Growth potential
Analysis of potentially impacting threats

These would be all mapped against the perceived value of the company in terms of dependencies, i.e., is the company the sole industry in its community or region?  

Is the company a critical element in the military industrial complex — does it have Defense implications?

Does it represent an underrepresented or endangered industry?

Past record for regulatory compliance.  It might be interesting to see how compliant the company was with previous regulations, as an indicator as to whether they would comply with all TARP/Stimulus bill requirements.

Obviously there might be a subjective edge to these ratings and the Government Accountability Office (GAO) would have to be the agency to administer these risk assessments.

Probably the hardest part would be ensuring that the recommendations made by GAO would be honored by the legislators.   But I like the risk model applied to the TARP.

Risks that Derail

I have been neglecting my blog, but I have a very good excuse.  I have just survived one of the worst experiences someone can have — watching a dear sister die unexpectedly from a brain tumor. 

It brings up lots of issues — one is, “Gee, maybe all that about cell phones and brain tumors is really true!”.   Another relation has two small children and they BOTH have had a brain tumor, and they under five years old.   If I lived in their neighborhood, I would check the water supply first.

My sister Linda was my baby sister, two years younger than me.  We were as close as twins and even had our own language.  I spent two weeks up at Lake Tahoe with her this summer.   Ten days after that she attended a wedding in Minneapolis and collapsed at the wedding.  Of course, she was perfectly healthy, married to a doctor, swam two miles a day in the lake, only ate healthy food, flossed constantly — you get the idea.  

After her collapse, it was four months until she died in a coma.  The decline was fierce and frightening.  And it took my nuclear family which was five people only a few years ago, down to two left — just me and my younger brother.  Nothing like getting shoved in front of the generational train.

So I did my risk assessment four months ago and decided that I should spend as much time with my sister as possible, so I have been flying back and forth from Annapolis to Davis, California (in the vast Central Valley), since the 8th of September.     And now I’m back.

It did give me a new appreciation of the problems of carrying medical records around and having them available for the next healthcare provider.  Just one rotate-able brain scan takes up almost two CDs — files too big to email, almost too big to fit in my oversized purse.

Having done everything I could, but left with the inevitable result, I am back to thinking about risk and consequences.  And thinking about loss, and how to avoid it in the future.

And how to encourage others to avoid it, too.   Loss Prevention through Risk Assessment — that’s going to be my mantra in 2009.  That and remembering my wonderful sister, Linda Lee .

I hope you will take the journey with me.

 

                                                   — Caroline Hamilton

Related Blogs

JACADIS Thought

What you can’t see or don’t know will hurt you.

 

 

http://thought.jacadis.com/

Hurricanes and Risk – Unexpected Consequences

Murphy’s Law states that anything that can go wrong — will go wrong.  Natural disasters like earthquakes, power outages and hurricanes always seem to prove that this old axiom is still true.

Many people are allergic to change and when their environment starts to change drastically, as it will in a natural disaster — say a hurricane. And when the environment and familiar patterns start to break down, people get anxious, anxiousness turns into nervousness and in a state of anxiety, bad decisions are made.

The continual push to have emergency responders train, train and train some more, the importance of doing drills and testing emergency plans reflects the importance of people feeling COMFORTABLE and FAMILIAR with the disaster operations and steps toward recovery.   Almost every requirement, whether it is for a physical security standard like FEMA 426 (How to Protect Buildings from Terrorist Attacks), to a bank standard like the FFIEC (Federal Financial Institutions Examination Council) the requirements requires disaster plan testing, and training for the personnel who will be affected by the disaster. The better and more frequent the testing and training, the better the plan will perform during an actual disaster.

Stories keep making the rounds about the South Street Seaport outage in lower Manhattan, and the emergency vehicles who raced to the scene and found there was no electricity to plug into. 

If we put aside the original disaster, then you will often find peripheral activities that are thrown off and do not behave as planned.  When I first moved to the DC area, we had a major power outage in the high rise office I off the beltway.  No problem — the building manager had a diesel generator up on the roof.  But he had stored the diesel fuel in the basement, and it was about 88 degrees that day.  He managed to carry the fuel up the 16 flights of stairs to the waiting emergency generator, but he was hot and tired and when he poured the diesel, he slopped it over the side and it spilled down the outside the building and then soaked into the walls, and we had diesel leaking out of the electrical outlets!   If you ever drive by the “Darth Vadar” building right at Route 50 and the Beltway — you can still see the stain on the building.

So when hurricanes are heading west, north and east, all at the same time, it’s a good idea to encourage your associates to breathe deeply, calm down, and take extra time to make sure that things get done correctly. 

One of my friends is leaving Brownsville to get away from Hurricane Ike as I am writing this.  And I had Hurricane Hanna visiting Annapolis less than a week ago.

Stay safe.

School Security Assessments & Children

My children are out of schools now, but I am always shocked at what I see on CNN’s Nancy Grace Show — all the terrible people who are snatching little girls on their way home from school.  And what about the janitorial staff in some schools who don’t take time for the routine background check and find later that these men just rotate through the different schools looking for young victims.

I have been discussing this with some of my ASIS friends who do these types of assessment and they agree that  sometimes it seems like the school management is not interested in a REAL security assessment, but instead just wants to punch the ticket so they can say it’s been done. 

Conversely, they also find organizations who want to justify an expensive camera system, but totally ignore the basics….One of my friends wrote to me and said, “I have  yet to see a school that has not spent a few thousand on detection systems to  protect a few thousand dollars of computers but nothing on educating the staff  and students on how to respond to critical events in conjunction with the  first responders”.  

He continued…. “ 99% of all of the school vulnerability assessments I have performed shows
is this:  CCTV and Access Control systems are truly useful tools,  but they follow the principle of responding after the horse has left the barn, when they should be putting time and smaller amounts of money into such  things as fencing and meaningful emergency exercises to prevent and mitigate  the threats.  Dependence upon electronics is lulling the schools into a  false sense of security – the real assets aren’t the computers – the real  assets are the kids and staff.  An effective true vulnerability risk assessment would show the way to making more informed decisions”.

The same thing happens to organizations who want to spend money on fancy, shiny, IT stuff, instead of doing boring things like:

1.  Making sure the staff gets enough training.
2.  Making sure that security plans are updated annually.
3.  Updating the background checks.

Controls that cost less than $1000 are usually ignored for big purchases like digital color camera systems.  We had one incident I remember where the organization had already paid for and installed the fancy camera system, but no one was available to do the monitoring!

Training in how to use new systems is also another area that often gets neglected and it is probably the SINGLE, MOST IMPORTANT PART of any new system.   More than one organization didn’t keep using the new visitor management system because the staff never took the training and didn’t understand how to use it.  Without that training, you might as well save your money.

And while we’re on schools – I actually got a letter from a big inner-city school district, and it was on letterhead and it said, “We regret that we cannot do a security risk assessment but we feel that if we identified particular risks, we might be liable if we did not fix them in a timely manner.”

YES – if you identify a terrible security problem and don’t fix it – you could be held responsible – but what if you have three teachers killed, or three students – Security shouldn’t just be about liability.  It should actually FIX something.

One of the more successful schools assessment projects I have seen lately is down in Florida, where one of the schools is involving parents, as well as staff, in the school security program.  There are online security guides that parents have to view, and they actually track it to make sure the parents are taking the online security training.  

I got re-interested in the schools when I saw an HBO documentary on a Baltimore school that was having problems complying with the No Child Left Behind legislation, it’s called “Hard Times at  Douglass High”. It outlined many of the problems that large city schools have to face, and although the documentary didn’t focus on security, security is always an issue.

Again, it’s the risk assessment that can give a school, whether it’s a public school, private school, magnet school or charter school a good overview of the security controls they have in place and what they need to do to improve.   By setting up a program that REGULARLY assesses the school’s security profile, and does a cost benefit analysis on potential controls, the school will go a long way in protecting the interests of the students, the staff and the parents.