tapping the power of alignment -...
TRANSCRIPT
March 2008 • Volume 5 • Issue 3
Tapping the Power of Alignment
How does your work reinforce corporate strategy?
N a t i o n a l N e w s • I n t e r n a t i o n a l N e w s • P r o d u c t s
Where business continuity, security and emergency management converge.
2 | CPM-GA March 2008
GlobalAssurance
F E AT U R E S
3 When Snow Brings Activityto a Halt
4 Using the BalancedScorecard to Improve YourBusiness Continuity Program
16 Writing High-Stakes Memos That Busy Executives Will Read
23 Why Should the Boss Listen to You?
IN THIS ISSUE…13
20
CPM-Global Assurance is a monthly subscription-based newsletter. It addresses the strategicintegration of business continuity, security, emergency management, risk management,compliance and auditing to ensure continuity of operations in business and government— all within the context of good corporate governance.
© Entire contents copyright 2008. No portion of this publication may be reproduced in any formwithout written permission of the editor. Views expressed by the bylined contributors and sourcescited should not be construed as reflecting the opinions and/or advice of this publication.Publication of product/service information should not be deemed as a recommendation by the edi-
tor. Editorial contributions are accepted from the contingency planning community. Contact theeditor for details. Product/service information should be submitted in accordance with guidelinesavailable from the editor. Editorial closing date is two months prior to the month of publication.
CPM-Global Assurance (ISSN #1547-8904) is published monthly by The Contingency Planning &Management Group, 3141 Fairview Park Dr., Suite 777, Falls Church, VA 22042. Printed in the USA.
The Contingency Planning & Management Group publishes CPM-Global Assurance and producesthe CPM trade shows.
Group Publisher:RUSSELL LINDSAY
Editor-in-ChiefRALPH C. JENSEN
Managing EditorJOHN RAPP
Director, Event Planning & Marketing:KRISTIE O'KEEFE
Manager, Event Planning & Marketing: COURTNEY WITTER
Exhibit Sales/List Rentals: BRAD LEWIS
CPM-GlobalAssurance Contacts
National News. . . . . . . . . . . . 9
International News . . . . . . . . . 14
Products. . . . . . . . . . . . . . . . 20
Letters to the Editor . . . . . . 22
D E P A R T M E N T S
TED BROWN, CBCPKETCHConsulting
JEFFREY GOLDBERG, CHS-IIIPalm Beach County Division of
Emergency Management
PAUL KIRVAN, FBCI, CISSP, CBCPMarsh
STEVAN LAYNE, CPP, CIPMLayne Consultants International
TODD OSBORN, MSM, PMPJohn Deere
DOUGLAS WELDON, FBCIVigilant Services Group
Editorial Advisory BoardEAB Chairperson
KATHLEEN LUCEY, FBCIMontague Risk Management
The Contingency Planning & Management Group3141 Fairview Park Dr., Suite 777
Falls Church, VA 22042www.contingencyplanning.com
Fax: 609-397-5520
www.ContingencyPlanning.com | 3
When SnowBrings Activity
to a HaltBy Ralph C. Jensen
Yes, it’s true. Snow in some parts of the country can be a show stop-per. In many parts of the United States, snow is a way of life during
the winter. In North Texas, you can expect snarled roads along with icybridges and overpasses. Couple that with the fact that people don’t knowhow to drive in anything resembling frozen precipitation.
Snow in North Texas requires an emergency preparedness plan toensure business continuity. Cities prepare for such an event, and althoughmunicipalities don’t have snowplows, they are ready with sand trucks.
According to Val Lopez, a spokesman for the Texas Department ofTransportation, Fort Worth and Tarrant County dodged a bullet during asnowstorm in early March. Although there was plenty of rain, snow andhazardous driving conditions, TxDOT hadn’t seen anything terrible.Preparation for a snow event means everything. Dallas Area RapidTransit (DART) didn’t report any major rail delays due to weather, thoughsome busses decidedly traveled a bit slower because of slick roads.
When bad weather hits, airports in North Texas are affected as well.Up to 500 flights were canceled the first day of the snowstorm, simplybecause there isn’t the emergency equipment to handle snow. Goodplanning and preparation by the airports and airlines saw only 60 flightscanceled on the second day.
Good planning and execution by emergency services kept roadwaydisruption to a minimum. But what about the efforts companies make indisaster recovery?
NOT LIKE A SNOWSTORMInadequate planning sits atop the list. Businesses must identify all criticalsystems, and have plans to recover them to the current day. Companyofficials think they know what they have on their networks, but mostpeople don’t really know how many servers they have, how they’re con-figured or what applications reside on them.
Companies often make the mistake of failure to bring the business intothe planning and testing of recovery efforts.
Failure to gain support from senior-level managers creates problems innot demonstrating the level of effort required for full recovery, and notconducting a business impact analysis and addressing all gaps in therecovery model.
Senior-level management support is critical in building adequate recov-ery plans that outline recovery time objective, critical systems and appli-cations, vital documents needed by the business and business functionsby building plans for operational activities to be continued after a disas-ter.
It’s obvious that a snowstorm in the southern United States can bringproduction to a slow, grinding halt, but generally the sun pops out thenext day and all is well with the world. Disaster recovery and businesscontinuity planning help organizations prepare for disruptive events,whether it’s a hurricane, a power outage or snow. Disaster recovery is theprocess that allows you to resume business after a disruptive event, anddo so with full confidence you’re back online for the long haul.
A couple of productive steps to take might be training backup employ-ees to perform emergency tasks. Hold training exercises that involveexecutives and all employees by testing your continuity plan regularly toexpose and accommodate changes. Last, but certainly not least, it is crit-ical to have proper funding that will allow for a minimum of semiannu-al testing.
Editor’s Note
4 | CPM-GA March 2008
Using the BalancedScorecard to Improve
Your Business Continuity Program
By Cliff Thomas, CBCP
N o doubt you’ve heard the saying “what gets measured getsdone”. There is truth to that statement. But in reality, if we are
not careful our metrics can worsen the state of our business continu-ity programs, obscure improvement opportunities, and cause us tomake bad decisions. All too often, we measure what is easy to meas-ure rather than what we should measure. Or worse, we measure todemonstrate activity instead of progress. The Balanced Scorecardapproach to measuring business continuity performance provides aneffective method of driving true improvement that is sustainable overtime. This article introduces the balanced scorecard concept and sug-gests how it can be applied within the context of business continuity.Some tips are thrown in for good measure…no pun intended.
THE BALANCED SCORECARD EXPLAINEDMany organizations focus on one or two key measurements that areof supreme importance and become a holy grail of sorts for decision-makers. A classic example of how such an approach can drive nega-tive performance has become known as the “chicken efficiencyindex”. (Stay with me, we’ll get to business continuity in a moment.)
A true story. In an effort to reduce costs, a fried chicken fast-foodchain examined ways to eliminate waste. Chicken can only sit underheat lamps for a certain amount of time before it must be thrownaway, so wasting chicken is like throwing profit in the garbage. Froma corporate perspective, it seemed logical to establish the eliminationof waste chicken as a key measurement for each restaurant and topush those numbers to zero. But from the restaurants’ point of view,the best way to eliminate waste chicken is not to cook it until the cus-tomer orders it. No stale chicken, no waste. Hail to the chicken effi-ciency index! You can imagine how that worked out: long waits,
www.ContingencyPlanning.com | 5
angry customers, lower sales, loss ofprofits, and let’s not use the chicken-efficiency index anymore. This is justone example that is simple yetinstructional— metrics have bothintended and unintended conse-quences.
The Balanced Scorecard approachsuggests that an effective measure-ment system must include four ele-ments that are of equal weight:Operational Performance, FinancialPerformance, Customer Satisfaction,and Employee Satisfaction. Althoughsome organizations use a few morecategories, let’s just stick with thesefour. Performing well in all of thesecategories is imperative in order toimprove the current state of whateveris being done, whether that is sellingchicken or improving preparedness.
By over-emphasizing any single cat-egory, the others will suffer and so willperformance. The “Zen” of your busi-ness continuity program will be out ofwhack, you might say. Ultimately, themeasurement system must integrateand maintain balance between all ofthese elements. Further simplificationof the scorecard can be achieved bycreating a composite index for eachcategory. Each index is simply a com-posite of all measures in the respectivecategory.
APPLYING THE BALANCED SCORECARD TO BUSINESSCONTINUITYThink about your own business conti-nuity program; you might be collect-ing significant amounts of data, but is your program improving? A bet-ter question might be “How do you actually know that your programis improving?” And do the measurements help everyone involved inthe business continuity program, or just those responsible for oversee-ing it? Let’s take a look at how the Balanced Scorecard can help yourealize lasting and meaningful improvements in your business continu-ity program.
Operational Performance. Operations pertain to the output of productsand services. This is where programs seem to focus most of their atten-tion, if not all of it. A common example of the supreme business con-tinuity performance measurement is “number of plans developed”.More plans must equate to more preparedness, right? Let’s be honestand admit that there is no correlation between those metrics if theplans aren’t any good, if they are out of date, or if key stakeholders
aren’t familiar with them. Somewhat like the chicken-efficiency index,too much emphasis on the number of plans will most certainly resultin a high volume of low-quality plans.
We can begin to address this imbalance by creating an OperationalPerformance Index that includes metrics such as: 1) Plans developed,2) Plans tested, 3) Plans updated, 4) Plans trained, and 5) Plan auditresults. A major disparity between the number of plans written andthe number of plans tested, for example, should highlight a need to re-emphasize plan testing. Full compliance in Plan Updates with noprogress in Plan Development may indicate that new functions havenot been addressed. The examples go on and on. A similar approachcan be applied to Disaster Recovery Planning, Crisis Management,Business Impact Analyses, Risk Assessments, etc.
Financial Performance. This category can be a sticky wicket, particular-
6 | CPM-GA March 2008
Technical gobbledy-speak got you tired or confused?Try the cure: CPM’s acclaimed online Dictionary
www.contingencyplanning.com/mcv/resources/dictionary/
Hotlink to all CPM “Resources”www.contingencyplanning.com/mcv/resources/
ly as preparedness is difficult to tie to the bottom line. When it comesto business continuity, everyone is looking for a solid approach to returnon investment. Even so, the financial aspects of a business continuityprogram should not be ignored. On one hand, an out-of-control budg-et might result in spending that exceeds potential losses. On the otherhand, a miserly budget can prevent the execution of basic activities.
The Financial Performance index could include metrics such as: 1)Current year spending versus prior year spending, 2)Loss avoidance following a disruption, 3)Expenditures as a percentage of corporate profit, and4) Cost savings realized through program efficien-cies.
Customer Satisfaction. This is probably the mostoverlooked category of measurements. From anenterprise-wide standpoint, customers are those thatbuy our products or services. But for most businesscontinuity professionals, the customers are actually the people anddepartments that are responsible for developing and/or executing busi-ness continuity plans. Commonly, these customers are subjected tobusiness continuity requirements without the ability to weigh in onhow much benefit they have realized from their efforts. This informa-tion is vital, as it is the support of the broad enterprise that determineswhether a business continuity program swims or sinks.
The types of metrics that you might track in a Customer SatisfactionIndex could include: 1) Executive confidence in business continuitycapabilities, 2) Department satisfaction with corporate BC support, 3)Department satisfaction with BC training and exercises, 4) Generalemployee awareness of business continuity procedures, and 5)Satisfaction with BC-related software, tools and other resources. Youhave to have courage and a thick skin to ask for this information,because you don’t know what you’ll get back. But if you get high marksfrom your customers, you can take comfort that you are on the rightpath.
Employee Satisfaction. This category refers to the level of satisfactionamong employees that are responsible for the business continuity pro-gram (as opposed to the general employee body). The essence of thiscategory is that the attitudes of the people conducting business conti-nuity planning activities will directly reflect on the quality and sustain-ability of the program. Because business continuity is often implement-ed in a very decentralized way, the stakeholders can quickly torpedo
www.ContingencyPlanning.com | 7
the program if they don’t support it or aren’t satisfiedwith your management of it. By failing to recognizeemployee satisfaction, a business continuity managercan sail into oblivion while in the field, a mutiny is infull swing.
For those organizations that have a corporate busi-ness continuity staff, we can only imagine how effec-tive a program will be if its own members aren’tcommitted or enthusiastic about what they aredoing. It is in the manager’s interest to ensure thatstaff members and stakeholders across the organiza-tion are supportive and receive personal satisfactionfrom the results of their efforts.
An Employee Satisfaction Index might includemetrics such as: 1) Value of employee input, 2)Degree to which employees are challenged, 3)Degree to which employees are growing professionally, 4) Degree ofownership employees have for their work, and 5) The degree to whichemployees are supported by management. Note that these areemployee-generated metrics, not the manager’s impression.
USING THE SCORECARD AS A DIAGNOSTIC TOOLGood metrics look at the past, present, and future, with the goal ofenabling decision-makers to influence the future. A Balanced Scorecardwill provide the business continuity professional with just such a toolset.For the sake of brevity, in the following examples we’ll use the abbre-viations O, F, C, and E for the scorecard categories pertaining toOperations, Finance, Customer and Employee. Using a rating system ofLow, Medium and High performance, let’s take a look at what yourmetrics might tell you about your program given some hypotheticalresults.
High O, F, and C; Low E: You may be in good shape today, but youremployees will not sustain your current levels of performance. Getyour employees back on board, you need them.
High O, C, and E, Low F: You’ve overspent. You’re program is in goodshape but your company is suffering financially because of it. Revisityour budget and program goals to get spending under control, or hopethat the Finance Department doesn’t audit your budget and makethose decisions for you.
High O, F, and C, Low C: Ignorance is bliss. Everyone is happy exceptfor those that need to execute when disaster strikes. Hope that disas-ter doesn’t strike or that your customers don’t get the ear of the seniorexecutive team. Better yet, engage them by finding out how to providebetter support.
IMPLEMENTATION TIPSThe Balanced Scorecard not only sounds good in theory, but it hasbeen proven in numerous organizations and has been recognized as atenet of the Malcolm Baldrige National Quality Award. Below are afew practical tips for implementing the Balanced Scorecard.
Lead with Customer Satisfaction and Employee Satisfaction. If you don’tget these two groups involved up front in creating the OperationalPerformance goals (which will drive the Financial Performance), you’llfind this an uphill battle.
Focus on the Vital Few over the Trivial Many. Scorecards are used formany reasons: to manage a program, to demonstrate progress, to com-municate to executives, and others. We’ll focus on the executives for amoment. I recall being given an Executive Scorecard that was 87 pageslong, and I’m talking single-space 10-point font. Without even lookingat the content, my first reaction was “do your executives need all of thisdata?”. I got the answer I expected, “Of course, every bit.” Not to pointfingers, but that is a cop-out indicating “We don’t really know what theexecutives want, so we put everything in there.” Find out what yourstakeholders need and give it to them. Keeping a focus on the vitalmeasures will ensure that you don’t obscure the results with scads oftrivial data.
Executive Scorecards can become quite elaborate, but the exampleshown suggests a simple dashboard. In this case, the executive canclearly see that Employee Satisfaction and Operational Performancerequire attention. It takes guts to measure and report this type of infor-mation, but it also is a way to enlist executive support that may be atthe root of some of the program’s problems.
Emulate Your Best Department. If there is a department in your organ-ization that is widely known for its high level of performance, spendtime with their managers to find out what makes them so great. Adoptthose measures and add them to your scorecard.
PARTING WORDSI would contend that developing an effective business continuity pro-gram is as much art as it is science. Any measurement system is goingto have to consider the unique aspects of the organization; there is nosingle approach that will work for every company, agency, or institu-tion. For those interested in reading more about the BalancedScorecard, I recommend reading Keeping Score: Using the RightMetrics to Drive World-Class Performance by Mark Graham Brown.He gives concise, useful advice on the Balanced Scorecard, as well asother useful references.
About the AuthorCliff Thomas, CBCP ([email protected]) is the president of AtlasPreparedness Group and has been managing and assisting organizations withimproving preparedness capabilities for over 20 years.
www.ContingencyPlanning.com | 9
NATIONAL NEWSHEALTH CARE CASE STUDIES GIVETIMELY AFTER-ACTION ANALYSES
Their health care organizations wereunexpectedly thrown into emergencyresponse mode last year by multiple sur-prising events, including the crash inAtlanta of the bus carrying the BlufftonUniversity Baseball Team; the collapse ofthe Interstate 35W bridge in Minneapolis,Minnesota; and the destructive San DiegoCounty wildfires. Now they have invalu-able “lessons learned” to share.
Representatives from the specific healthcare organizations that were involved inresponding to those disasters will tell theirstories at The Joint Commission and JointCommission Resources’ (JCR) 2008Annual Emergency PreparednessConference: Practical Approaches toHealth Care Disaster Preparedness, April 8-9, 2008 in Alexandria, Virginia. The speak-ers also include experts in pandemic plan-ning and guidelines for nuclear, biologicaland chemical terrorist attacks.
Because all health care organizations andcommunities are unique in the emergen-cies they face and the resources they pos-sess, this conference will provide the foun-dation and tools from which each partici-pant can build and enhance their organiza-tion’s state of readiness. The conference isgeared towards hospital emergency staff,safety officers, medical directors, securitydirectors, facilities managers, operationsdirectors, emergency response and contin-gency planners, trauma nurse coordinatorsand Joint Commission coordinators.
Participants will receive a CD containingpractical knowledge from organizationswith proven strategies for meeting the2008 Emergency Management standards.
www.jcrinc.com
WORRISOME 2008 HURRICANEFORECAST FOR SOUTHEAST COASTOF US
According to the Weather ResearchCenter in Houston, the coastal areas from
Georgia to North Carolina have a 90 per-cent chance of experiencing the landfall ofa tropical storm or hurricane in 2008. TheCenter’s recently-issued outlook forecastsat least 11 named storms in the 2008Hurricane Season with six of the tropicalstorms intensifying into hurricanes.
“We believe this will be a long hurricaneseason in 2008,” says Jill F. Hasling, fellowand certified consulting meteorologist withthe Weather Research Center. “Eventhough the season officially runs from June1 to November 30, we believe storm activ-ity will occur starting in May and last intoDecember.
“Homeowners in Georgia and NorthCarolina coastal areas need to be especial-ly cautious this year. We predict there’s a90 percent chance of these areas experi-encing the landfall of a tropical storm orhurricane. Other areas of concern includewest Florida with a 70 percent chance, andLouisiana to Alabama plus the easterncoast of the United States, which all have a60 percent chance of a landfall.”
In their 2008 forecast, the WeatherResearch Center also predicts:• 24 hurricane days • 83 tropical storm days• 4 U.S. landfalls• 50% chance of Category 3 or higher
storms in the AtlanticRisk of tropical cyclones occurring in the
Atlantic by month include 30% in May;60% in June; 70% in July; 100% in August;100% in September; 100% in October;50% in November; and, 10% in December.
www.simonton.com
SCIENTISTS SIMULATE PANDEMICINFLUENZA OUTBREAK IN CHICAGOBy using computer simulations and model-ing, an international group of researchersincluding scientists from the VirginiaBioinformatics Institute (VBI) at VirginiaTech’s Network Dynamics and SimulationScience Laboratory (NDSSL) have deter-mined how a pandemic influenza outbreak
might travel through a city similar in size toChicago, Ill.
This information helped them to deter-mine the preferred intervention strategy tocontain a potential flu pandemic, includingwhat people should do to decrease thelikelihood of disease transmission.
The results, based on three differentcomputer simulation models, are describedin a paper published in the Proceedings ofthe National Academy of Sciences by scien-tists involved in the Models of InfectiousDisease Agent Study (MIDAS). MIDAS isa collaboration of research and informaticsgroups supported by the National Institutesof Health (NIH) to develop computationalmodels to examine interactions betweeninfectious agents and their hosts, diseasespread, prediction systems, and responsestrategies.
In the paper, ‘Modeling TargetedLayered Containment of an InfluenzaPandemic in the USA,’ members of theMIDAS Working Group on ModelingPandemic Influenza concluded that a time-ly implementation of targeted householdantiviral prevention measures and a reduc-tion in contact between individuals couldsubstantially lower the spread of the dis-ease until a vaccine was available.
The groups coordinated efforts to eachcreate individual-based, computer simula-tion models to examine the impact of thesame set of intervention strategies usedduring a pandemic outbreak in a popula-tion similar in size to Chicago, which hasabout 8.6 million residents. Interventionmethods used were antiviral treatment andhousehold isolation of identified cases; dis-ease prevention strategies and quarantineof household contacts; school closings; andreducing workplace and community con-tacts. Although using the same population,each model had its own representation ofthe combinations of intervention. All ofthe simulations suggest that the combina-tion of providing preemptive householdantiviral treatments and minimizing contact
GlobalAssurance
10 | CPM-GA March 2008
could play a major role in reducing thespread of illness, with timely initiation andschool closure serving as important factors.
“VBI’s computer simulation models arebuilt on our detailed estimates for socialcontacts in an urban environment,” saidVBI professor and NDSSL deputy directorStephen Eubank, who leads the VBI teamin the working group. “They provide a real-istic picture of how social mixing patternschange under non-pharmaceutical inter-ventions such as closing schools or work-places. For example, when schools close,young students require a caregiver’s atten-tion. That can disrupt social mixing pat-terns at work if a working parent stayshome or make closing schools pointless ifthe children are placed in large day-caresettings. We can use our model to suggestthe best mix of intervention strategies in avariety of scenarios, taking factors like theseinto account.”
The researchers emphasize that the mod-els are tools that provide guidance ratherthan being fully predictive. In the case of afuture outbreak of pandemic influenza,capabilities such as real-time surveillanceand other analyses will need to be availablefor the public health community and policymakers.
www.continuitycentral.com
RICIN POISONING FOUND IN VEGAS HOTEL ROOMA man was in critical condition after ricinpoisoning. Vials found in his hotel roomconfirmed the rare poison. The Las VegasPolice Department is not yet consideringthis an act of terrorism but continue to fol-low-up new leads as they develop.
Would you be prepared if this was a pub-lic health emergency? Area HealthEducation Center of Southern Nevada’s(AHEC) Emergency Preparedness andResponse Program (EPREP) offers‘Weapons of Mass Destruction’ courses liveand online, throughout the year. Thesecourses offer healthcare information onrecognizing symptoms, and approved pro-tocol for treating highly infectious and fatalbiological weapons. They also address how
to work with county, state and Federalagencies to ensure timely and effectiveevacuation plans. Roberta Keeley, EPREPProgram Manager states, “No one everthinks this type of incident could happen,especially in your own city, however thisstory proves that this training is necessaryand prudent for all healthcare providers,firefighters, police, EMT’s and all firstresponders.”
www.snahec.org
OREGON EXERCISE HIGHLIGHTSINTEROPERABLE COMMUNICATIONSThe January rain was heavy. A mudslidethreatened the elementary school. Brokenpower lines crackled on the ground.Oregon’s Lincoln County EmergencyDirector was out of town. And when thepolice, fire, rescue, and utility crews arrived,they were all carrying different types of radios.
A perfect recipe for a communications dis-aster? This “disaster” was a carefully plannedemergency drill, sponsored by LincolnCounty, Oregon for the benefit of half adozen local public safety agencies and twoneighboring counties.
It was also supported by communicationvendors Cisco and ARINC Incorporated.Observers at the exercise rated it a solid suc-cess. Among lessons learned was the criticalimportance of real-time communicationsbetween agencies. “Direct communication isperfect communication,” said one participant.He also noted a direct radio link can eliminatethe verbal relaying of messages and humanerrors.
During the exercise, the communicationstechnology integrated many different types ofcommunication networks and devices, includ-ing push-to-talk radios, cell phones, satellitephones, and laptops. They were linked intoan IP-based network of talk groups that coulddirectly communicate with each other.Observers included town mayors fromNewport, Toledo, and Waldport, two LincolnCounty Commissioners, visiting IT personnelfrom neighboring counties, and staff mem-bers from Oregon state and congressionaloffices.
www.arinc.com
SOFTWARE SUPPORTS MULTI-STATEEMERGENCY RESPONSE STRATEGY Emergency response and coordinationdoes not stop at state or jurisdictional bor-ders. The Charlotte Urban Area SecurityInitiative (UASI) Region comprises fivecounties and two cities in North Carolina,as well as one county in South Carolina.The UASI Region shares a unique combina-tion of geographic proximity and criticalassets – including nuclear power plants onboth sides of the North/South Carolinaborder – that require emergency managersfrom several counties to work together.
“Incidents do not stop at state or jurisdic-tional borders,” said Garry McCormick, bat-talion chief, Charlotte Fire Department.“A unique combination of geographic prox-imity and critical assets brought jurisdic-tions spanning two states together to formthe Charlotte UASI Region.” Joint effortsinclude prevention and response to large-scale regional incidents, as well as prepara-tion for significant public events such as fes-tivals and athletics.
In addition, this region conducts annualexercises for two local nuclear facilities –one located in southern North Carolina,and one just across the border in SouthCarolina. NC4’s E Team software providesemergency managers with necessary infor-mation-sharing tools for cross-jurisdictionand multi-state coordination.
Prior to implementing this software sys-tem, the Charlotte UASI Region conductedemergency response and coordinationthrough handwritten notes and spread-sheets, as well as the state system,EM/2000™, for tracking and reporting.After Mecklenburg County first utilized theNC4 software successfully during its effortto shelter Katrina evacuees in 2005, theCharlotte UASI Region recognized theneed for an incident management tool thatcould provide real-time informationexchange, data management, resourcerequest tracking, as well as reporting capa-bilities, all in one common operating pic-ture.
Users have access to a common frame-work for information sharing that includes
GlobalAssurance National News
www.ContingencyPlanning.com | 11
standardized reports, requests, notifications,directives, and annotated maps, as well as acomplete set of Web-based incident man-agement tools to sort and prioritize data.
www.nc4.us
UNITED STATES AIMS TO GIVE WAKE-UP ALERTS ON STORMSIn the not-too-distant future, the U.S. gov-ernment may be able to wake up residentsin the middle of the night when a hurricaneor tornado threatens, perhaps by soundingthe alarm on a cellphone. One of thebiggest threats from hurricanes is the explo-sive intensification of a cyclone close toshore after residents have gone to bed,shortening the time available to safely evac-uate millions of people from the crowdedAtlantic and Gulf of Mexico coasts. BillRead, the new director of the NationalHurricane Center, said he would like to seea wake-up system, perhaps Internet-basedand delivered by cellphone, within adecade.
Yahoo News
FLORIDA POWER RESTORED AFTER BLACKOUTThe power was restored to all but a fewareas of South Florida on the afternoon ofTuesday, February 26, 2008, the utilitycompany that supplies electricity to theregion, Florida Power & Light said.
The power failure was caused by a fire ina Miami-Dade County substation, utilityofficials were quoted as saying by TheMiami Herald. The utility’s president,Armando Olivera, said at an evening newsconference that the power loss resultedfrom a fire it at Flagami substation, not atthe Turkey Point nuclear station, the Heraldreported.
That failure from the fire caused otherparts of the system to shut down to protectthe integrity of the electrical grid.
The company and state officials had ear-lier said the blackout began with a failure inan electrical substation near the TurkeyPoint nuclear station south of Miami, thestate’s division of emergency managementsaid.
The agency said the affected area includ-ed Miami, Fort Lauderdale and surround-ing areas. Florida Power & Line said thepower failure began shortly after 1 p.m. Bythe evening only about 40,000 customersaround the state remained in the dark,according to the Herald, which also saidthose were mostly a result of unrelatedpower problems caused by a powerful coldfront moving down the peninsula.
New York Times
DATA BREACH NOTIFICATION LAWS, STATE BY STATEMore than five years after California’s sem-inal data breach disclosure law, SB 1386,was enacted, not all states have followedsuit. Eleven states still have not passed lawsmandating that companies notify con-sumers when that company has lost theconsumer’s personal data. One state,Oklahoma, does have a breach notificationlaw, but it only applies to state entities thathave lost data.
That leaves 38 states that have enactedsome sort of breach disclosure law. In gen-eral, most state laws follow the basic tenetsof California’s original law: Companiesmust immediately disclose a data breach tocustomers, usually in writing. Californiaalso created a private right of action, withfew exemptions. It’s a tough law.
Laws in other states are tough too, butsome allow more exemptions or do notallow a private right of action. For exam-ple, the Massachusetts law pertains topaper record as well as computer data.Some other important details:1. Notification guidelines: how soon a com-
pany is required to inform customers ofa data breach. In California, this is “assoon as possible, without unreasonabledelay.”
2. Penalty for failure to disclose: whether ornot there are civil or criminal penaltiesfor a failure to disclose. In California, acompany cannot be penalized for its lackof promptness alone.
3. Private right of action: whether thisoption exists for consumers in that state.In California, this is available.
4. Exemptions: what kinds of breaches, ifany, companies are exempt from report-ing. California allows exemptions forencrypted data that’s lost and publiclyavailable government data. In Californiathere is no such thing as an immaterialbreach, while other states do have a def-inition of immaterial breach.We have created a map provide a single
source for information on all state laws. www.csoonline.com; www.cxo.com
IDENTITY BREACHES CONTINUE TO INCREASEAn average of 1 in every 20 adults sharetheir SSN with at least one additional indi-vidual, even after accounting for data inputerrors of the number. This shared SSNoften means that personal information hasbeen compromised. There have even beencases where up to 6 people share the sameSSN.
An individual with two or more SSNs isalso a common occurrence, with 1 of every16 adults having that information. Thisprocess happens in cases of synthetic iden-tity theft, where the identity thief uses oneperson’s social security number and anoth-er person’s mailing address.
Children are among the highest at riskfor identity theft or compromises to theirSSN. From 2003-2006, the FTC reporteda 66% increase in identity theft casesinvolving children. Children are a favoredtarget because ID theft is not discovereduntil years later when the child applies fortheir first job, applies for a credit card orstudent loan.
The most common way people protectagainst identity theft is via credit reportmonitoring. However, the use of an alter-nate SSN is not something that can be eas-ily detected through a credit report.Examining your credit report will not allowyou to discover multiple SSNs or dualusage of your SSN unless the account hasgone to collection and you have been con-tacted.
While sometimes theft related to a SSNis a single time occurrence, it is more oftenmuch more serious. In some cases, the SSN
12 | CPM-GA March 2008
is tied to an address where half of the resi-dents at that address also have a sharedSSN, a sign of an organized effort to perpe-trate identity theft. These identity theftrings are growing in numbers.
Despite the clear abuse of an individual’sreal SSN, the Social SecurityAdministration is reluctant to assign a newSSN unless the damage to the real owner’scredit cannot be repaired and is continu-ous. A SSN permeates many aspects of anindividual’s life. Even if the administrationis able to assign a new SSN, this can some-times be as painful as someone sharing thenumber. Individuals have to contact virtual-ly every account or service they use asmost use the SSN as a way to locate youon their computer systems.
www.identitytruth.com
CENTRALIZED EMERGENCY WARN-ING SYSTEM FOR LOUSIANA COURTSTwo courts within Louisiana’s state judici-ary have successfully deployed an emer-gency alerting system to warn personnel inresponse to emergencies. The LouisianaSupreme Court (which includes theLouisiana Judicial Administrator’s Office)and the 4th Circuit Court of Appeal areboth located in a recently restored, historiccourthouse in the heart of the NewOrleans French Quarter.
The two courts were initially looking forseparate systems to answer their emer-gency notification needs. After performinga comprehensive market study, they decid-ed to consolidate efforts and find a singlesystem that could handle each court’s indi-vidual needs while also serving as an over-arching solution for alerting both courts.
This centralized approach provided thecourts with significant benefits, includingthe ability to alert the courts together aswell as manage each separately, reducedoverall procurement costs and lower ongo-ing maintenance and support overhead.
This system provides the courts with theflexibility of sending alerts to their own per-sonnel, while also allowing the facility secu-rity team to alert all employees across theentire building when required.
“We can now reach all personnel in thecourts on their desktops in an average ofone minute.” said Tommy Anderson,Director of Security, Louisiana SupremeCourt. “Other delivery means are alsoused to ensure broad reach, including SMStext messaging and phone calls. When anemergency occurs, triggering an alert froma single console and achieving that type ofresponse time is critical.”
The Louisiana courts began evaluatingemergency warning systems in response torecent events, particularly HurricanesKatrina and Rita. A key requirement wasthe ability for multiple court operators toconcurrently manage and trigger alertsfrom a Web browser, whether in the build-ing or remote, while reaching employeesvia their desktop PCs, office and cellphones, and BlackBerry devices.
These courts’ new AtHoc system is nowin use, and can warn personnel, includingjudges, clerks and administrators, for a widerange of emergency situations such asextreme weather, facility outages, fires andcriminal acts of violence. Intrusive alertspop up on computer desktops, providingdetails about the emergency situation,including instructions for action. Recipientscan then acknowledge the alert and pro-vide feedback which helps with personnelaccountability.
www.athoc.com
DHS CYBER STORM II EXERCISE TESTSPREPAREDNESS AND RESPONSE The U.S. Department of HomelandSecurity (DHS) is conducting the largestcyber security exercise ever organized.Cyber Storm II is being held in March2008 in Washington, D.C. and bringstogether participants from federal, state andlocal governments, the private sector, andthe international community.
Cyber Storm II is the second in a seriesof congressionally mandated exercises thatwill examine the nation’s cyber securitypreparedness and response capabilities.The exercise will simulate a coordinatedcyber attack on information technology,communications, chemical, and transporta-
tion systems and assets.“Securing cyberspace is vital to maintain-
ing America’s strategic interests, public safe-ty, and economic prosperity,” said GregGarcia, Homeland Security AssistantSecretary for Cyber Security andCommunications. “Exercises like CyberStorm II help to ensure that the public andprivate sectors are prepared for an effectiveresponse to attacks against our critical sys-tems and networks.”
Cyber Storm II will include 18 federaldepartments and agencies, nine states(Calif., Colo., Del., Ill., Mich., N.C., Pa.,Texas and Va.), five countries (UnitedStates, Australia, Canada, New Zealandand the United Kingdom), and more than40 private sector companies. They includeABB, Inc., Air Products, Cisco, DowChemical Company Inc., HarrisCorporation, Juniper Networks, McAfee,Microsoft, NeuStar, PPG Industries, andWachovia.
Cyber Storm II objectives include:• Examining the capabilities of participating
organizations to prepare for, protectagainst, and respond to the potentialeffects of cyber attacks
• Exercising strategic decision making andinteragency coordination of incidentresponse in accordance with nationallevel policy and procedures
• Validating information sharing relation-ships and communications paths for thecollection and dissemination of cyberincident situational awareness, responseand recovery information
• Examining means and processes throughwhich to share sensitive informationacross boundaries and sectors withoutcompromising proprietary or nationalsecurity interests
www.dhs.gov
GlobalAssurance National News
14 | CPM-GA March 2008
DRUG-RESISTANT FLU VIRUS ON THE RISEThis winter’s most common flu strain is show-ing resistance to the frontline anti-flu treatment,new data show. More than 10% of virus sam-ples in Western Europe this winter were resist-ant to oseltamivir, better known as Tamiflu,according to figures from the European Centrefor Disease Prevention and Control (ECDC).The number of resistant strains is still smalloverall, but the superbugs are not evenly distrib-uted around the world. Among the moretroubling findings of the ECDC study was the75% resistance rate found in Norway.
The Arlington Institute
“DISASTER RESPONSE CHALLENGE” EXERCISEOn March 28-30, 2008, the British Red Crosswill hold its Disaster Response Challenge inHampshire. The Disaster Response Challengeis set to last two days and provide an opportu-nity for participants to experience firsthand theissues and decisions faced by the British RedCross Emergency Response Unit (ERU) –issues and decisions that only a handful of peo-ple get to experience in a lifetime.
Built around a hypothetical disaster unfold-ing in real time, this Challenge will let the par-ticipants develop their own “Disaster ResponsePlan.” The Challenge is run by British RedCross staff including experienced members ofthe ERU, and experts in Disaster Responselogistics. Areas covered include logistics, com-munications, first aid and casualty evacuationand delegate security.
www.redcross.org.uk
UN AIDS FLOOD VICTIMS IN KAZAKHSTANUnited Nations units are coming to aid of floodvictims in southern Kazakhstan, where in heavyrains and rapidly melting snow have displacedmore than 13,000 people following CentralAsia’s 2008 winter – the harshest in decades.
The UN Office for the Coordination ofHumanitarian Affairs has provided an emer-gency grant of $40,000 to the UN Resident
Coordinator in Kazakhstan for nearly 2000hygiene kits.
At the same time, the UN Children’s Fundhas made $50,000 available for water purifica-tion tablets, water reservoirs, filters, disinfectantsand other sanitation needs.
The overall flooding situation remains a mat-ter of concern for the immediate future,according to an OCHA report, since there is apossibility of further flooding along the Syr-Darya river basin.
That occurrence could affect over 250,000people living in the country’s South Kazakhstanand Kzylorda provinces, it said.
United Nations News Service
BIG FINE IN UK FOR DEFICIENT INFORMATION SECURITYThe Financial Services Authority (“FSA”) recent-ly fined Norwich Union Life (“Norwich”), oneof UK’s largest insurance businesses, £1.26 mil-lion for various failures in information securityand fraud prevention. The fine – the largestimposed to date by the FSA — underscoresthe FSA’s increasing enforcement of its princi-ples that require regulated businesses to ensureadequacy and responsiveness of internal infor-mation security policies and processes. TheFSA ruled that Norwich had violated FSAPrinciple 3, which requires an authorized per-son to “take reasonable care to organi[z]e andcontrol its affairs responsibly and effectively,with adequate risk management systems.”The FSA determined that Norwich had variousweaknesses in its systems and controls thatallowed unauthorized parties to obtain policyholders’ personal information, and in someinstances, caused the surrender of customers’policies. In imposing the large fine, the FSAconsidered, among other factors, that Norwichwas a large entity whose customers were enti-tled to rely on it to take reasonable care toensure the security of their information.Further, the cumulative impact of such failuresin security and controls represented a signifi-cant risk to the statutory objective of reducingfinancial crimes.
Baker & McKenzie
INDIAN BIRD FLU PRESAGES PANDEMIC?An epidemic of avian influenz in West Bengal,India, has the Indian “government in panicmode,” according to the Times of India website. And with good reason: 15 million of WestBengal’s 80 million people are crammed intoits capital city, Kolkata (Calcutta), a petri dish ofpoverty, pollution, political intransigence andhopeless public health. It is the city whereMother Teresa founded the Missionaries ofCharity order.
If the infection reaches Kolkata’s poultrymarkets, risk of animal-to-human transmissioncould become greater than in Indonesia orVietnam, where infections of H5N1 influenzahave already crossed species from animals tohumans. So far human infections of highly-pathogenic influenza in Indonesia (120 cases,98 deaths), and Vietnam (102 cases, 48 deaths)have been greater than in India. In 2006, Indiahad three outbreaks of avian influenza, butthere have been no human deaths in India, yet.
Kolkata could become a miasma of influen-za misery. The population density of Kolkata is24,000 people per square kilometer (62,000per square mile), the second highest in theworld. The population density of Ho Chi MinhCity, Vietnam’s largest city, is only 3,000 persquare kilometer (8,000 per square mile), afraction of Kolkata’s. Even the density ofJakarta, Indonesia, at 12,500 people per squarekilometer (33,000 per square mile), is just halfthat of Kolkata.
By comparison, the density of New YorkCity is 10,400 people per square kilometer(27,000 per square mile). Singapore, the fourthmost densely-populated country in the world,has 6,300 people per square kilometer (16,000per square mile).
India’s major population centers of Kolkata,Chennai (Madras) and Mumbai (Bombay)comprise three of the top 12 most-populatedand most densely-populated cities in the world.In addition to masses of destitute and thereforevulnerable people, they also host innumerableentrepreneurs, technologists and academicswho are in demand globally and have theneeds and means to travel to most of the devel-
INTERNATIONAL NEWSGlobalAssurance
www.ContingencyPlanning.com | 15
oped world’s business centers.Along with Bangalore and Hyderabad, these
megalopolises have also recently attracted largenumbers of expatriate executives and man-agers, who travel to homes and offices inEurope, Asia and North America regularly.Along with peripatetic friends and relatives ofIndia’s enormous diaspora, the number ofpotential infection vectors is, practically, infinite.
This outbreak — close to one of the world’spopulation centers — allows planners to imag-ine how easily an influenza epidemic in ani-mals could be become a pandemic in humansalmost overnight.
www.calamityprevention.com
MERGER OF SECURITY & LABOR DISPUTE GIANTSAFI International Group Inc. (AFI), Canada’slargest high risk security and investigativeservices company, has acquired a majorityinterest in U.S.-based InternationalManagement Assistance Corporation (IMACsecurity services).
“With the commonality of our clientele andthe increased pressure to expand our opera-tions into more countries, it only made sense tocome together with IMAC: the biggestprovider of labor dispute services south of theCanadian border”, said AFI International’sChief Operating Officer Peter Martin.
AFI/IMAC Press Release
NEW BUSINESS CONTINUITY PAYROLL SYSTEM IN UKUK health and social care staff recruitmentagency HCL is using call re-routing software toensure its payroll systems continue to functionin an emergency.
The HCL group, which has an annualturnover of £140m, has made 13 acquisitionsin just over three years resulting in the compa-ny running 27 different payroll systems.
At the beginning of 2008, the group imple-mented a fax-to-email service to convert faxedtimesheets into emails, which are fed in to themain payroll system to automate staff pay-ment. HCL has set up its voice call re-routingsoftware to ensure that in the event of a disas-ter, inbound timesheet faxes could be redirect-ed instantaneously. The company implement-
ed the BCM Lite software from GemaTech inAugust last year to eliminate a potential fiveday gap in telephone communications.
The decision to accelerate the company’sdisaster recovery plan was made after the dis-covery of two car bombs in central London atthe end of June 2007 which barred access toits Haymarket headquarters.
He said the software had brought the addi-tional benefit of consolidating the group’sdiverse telephony infrastructure ahead of aplanned phased migration to a central voice-over-IP system by the end of 2008.
The software has also enabled HCL to re-route calls from newly acquired social workrecruitment companies and conduct variousmarketing campaigns using the messagingfacility.
Computer Weekly
GLOBAL WATER CRISES INCREASINGThe World Bank reports that 80 countries nowhave water shortages and 2 billion people lackaccess to clean water. More disturbingly, theWorld Health Organization has reported that 1billion people lack enough water to simplymeet their basic needs.
Population growth and groundwater deple-tion present the two most significant dangers toglobal water stability. In the last century, thehuman population has increased from 1.7 bil-lion people to 6.6 billion people, while the totalamount of potable water has slightlydecreased. Much of the population growthand economic development experienced inthe last fifty years has been supported by sub-terranean water reserves called groundwater.These nonrenewable reserves, an absolutelyessential aspect of the modern world, are beingconsumed at an unsustainable rate.
According to the UNEP, 263 rivers in theworld either cross or mark internationalboundaries. The basins fed by these riversaccount for 60% of the world’s above groundfreshwater. Of these 263 rivers, 158 have nointernational legislation, and many are thesource of conflict.
Water has always been a central issue inArab-Israeli situation. For example, ArielSharon once said the Six Days War actuallybegan the day that Israel stopped Syria from
diverting the Jordan River in 1964.[25]Decades later, the Egyptian military came closeto staging a coup against Egyptian presidentAnwar Sedat, who had proposed divertingsome of the Nile’s water to Israel as part of apeace plan.
The Nile River, which runs through Ethiopia,Sudan, and Egypt, exemplifies the potential forfuture water conflicts. Similarly, The MekongRiver is the lifeblood of South East Asia, but itbegins in one of the most water poor countrieson Earth: China. The Indus River separatesPakistan and India, and aquifer depletion byIndian farmers has one of the highest rates inthe world. U.S.-Mexican relations are alreadystrained over water use on their mutual border.
In many countries water shortages are exac-erbated or even caused by governmental mis-management, political infighting, and outrightcorruption. International organizations like theWorld Trade Organization (WTO) often sug-gest that privatization of water managementservices would alleviate many of these prob-lems. It has been shown that privatizing utilitiesfrequently increases efficiency, innovation, andmaintenance. However, privatization rarely hasan effect on corruption, and often disadvan-tages the poor.
Technical solutions like rainwater capture,water-free toilets, and water reclamation offerpeople the possibility of effective conservation.Market-oriented solutions such as water tariffs,pricing groundwater, and increasing finesagainst industries that pollute could be adopt-ed. Freshwater could be traded internationallyby using pipelines and enormous plastic bags.
Water crises will likely become increasing-ly common. If the population continues togrow at a rate of 1 billion people every 15years, the Earth’s capacity to support humanlife will be severely strained. The currentsupply of water is being degraded by pollu-tion, overdrawing, and climate change. It isnot too late to guarantee a safe supply ofwater for everyone alive today and for allfuture generations; although to do so wouldrequire an unprecedented level of interna-tional cooperation, trust, and compassion.
Paul Alois, “The World’s Biggest Problems” (2007)
16 | CPM-GA March 2008
Writing High-StakesMemos That Busy
Executives Will ReadBy Matthew Spence
Crafting an effective argument to justify investments in somethingas sophisticated as contingency planning and emergency man-
agement can be challenging. The executives and public managersyou are writing to don’t usually have your depth of technical under-standing and expertise. And they don’t often take the time to readmemos and reports that are based on technical knowledge they maynot readily understand. So, how does one present technical informa-tion to nontechnical readers in a manner that is clear, concise andconvincing?
Any message can be crafted to capture the attention of busy exec-utives, no matter how technical your topic may be. To do so, you needto focus on two fundamental principles of effective communication:• Write for your readers, showing that you understand their point of
view by addressing their specific concerns.• Structure your message so readers know from the beginning what
you are proposing and how you intend to justify it.
No doubt you have heard these principles before, or somethinglike them. But read on, and I will give you detailed guidelines for
www.ContingencyPlanning.com | 17
applying each one so that your business correspondence gets read byeven your busiest readers, and convinces them.
WRITING FOR YOUR READERSWriting for your readers is widely recognized as one of the keys toeffective communication, but the failure to do so also is one of themost frequent mistakes in business writing. It comes about, in part,because few of us have learned how to systematically evaluate ourreaders’ needs and address them when we write.
In general, you can safely make one basic assumption about all yourreaders: they are, essentially, just like you—they are dealing with moreinformation than human beings were designed to process on a dailybasis. In other words, your readers are working under stress. As aresult, almost without fail:
• Your readers do not read, they only scan.• They read selectively, looking only for information that is relevant to
their agenda.
Therefore, the first principle to remember about writing for yourreaders is you should write so that they can scan what you have writ-ten without missing any important information. And you should pres-ent your information so people can quickly identify what you wantthem to know, as well as what you want them to do about it. Theapproach to presenting your information in a logical sequence that Ipresent in the next section will help you write so your readers canscan and read selectively.
Beyond this simple understanding of business readers’ needs, it isoften necessary to address complex audiences. In such instances, youneed to think more systematically about the personal characteristics,concerns and even idiosyncrasies of those you are writing to, and howtheir concerns and perspectives may differ from your own.
The first step in evaluating a complex audience is to gather togeth-er what you know about your readers. The following five questionsidentify the primary characteristics of your audience that will affecthow you craft your message.
Who are the decision-makers? Address their concerns above all others.
Are your readers familiar with your expertise and with your topic?If necessary, establish your credibility by telling where you got your
information, and provide essential background about your topic.Are your readers detail-oriented or do they just want an overview?
Use this evaluation to decide how much information to include.Are your readers bold or cautious decision-makers?
Decide how bold or cautious you should be.Do your readers already have a point of view about your topic?
Anticipate objections that readers may have to your proposal anddecide how you will address them.
Research suggests that you are more likely to win favor with yourreaders if you mirror their communication style and preferences. Thus,if your readers are detail-oriented, be sure to give them detail. If theyare bold decision-makers, give them a clear basis for making a decision.
In addition to addressing your readers’ needs and concerns, thinkabout how your readers will use your document, and how you canmake it more useful to them. Will they use it as the basis for a discus-sion with other executives, or circulate it for comments? Should youinclude a glossary of key terms, or attach a copy of correspondenceyou are answering?
If what you are proposing is particularly sensitive or controversial,develop the strategy you will use to keep your readers with you in aseparate step. Writing in situations that may stir up negative emotionsor company politics can tend to confuse our thinking and muddle ourwriting. Therefore, develop the logic of your presentation first, with allits reasoning and supporting evidence, as if no emotions or politicswere involved. Then in a subsequent step, when you are finalizingyour draft, consider what you need to do to make your message morediplomatic, either by softening the manner in which you advocateyour position, or by acknowledging your readers’ concerns or objec-tions up front and telling them the factors you believe offset the argu-ments against your proposal.
You may be surprised how analyzing your audience before youwrite will affect the content and structure of your documents. The fiveminutes you spend systematically analyzing your readers’ point ofview will enable you to strategically tailor your message to their needsand therefore to be more persuasive.
LOGICALLY ARRANGE YOUR INFORMATIONThe second thing you can do to ensure that your readers will actuallyread what you write is to present your information in a logicalsequence that is easy to follow and understand. The most effective wayto do this is to present a complete summary of your argument in a sin-gle page, before you present the details or evidence that support it.
A summary of your argument is what anyone is looking for whenthey say, “Get to the point” or “What’s the bottom line?” Summarizingthe essence of your argument at the beginning of your documentenables people to scan what you have written and only read the infor-mation that is most important to them.
Having a general idea of what you are advocating at the beginningof your document gives your readers a map with which to navigatethe detailed argumentation or data that follows. If your readers stillhave questions after reading the opening summary or want to studysome aspect of your evidence in greater depth, they can go directly tothe specific section of your document that addresses their concerns.
The following four questions will help you identify the essential ele-ments of any message:
What prompts your document now? Begin by telling your readers why you are writing: In response to
your e-mail last week in which you asked … Following is the informa-tion you requested about … The following report presents the find-ings of a study on … If necessary, this is also a good place to empha-size the importance of your topic by highlighting a problem your pro-posal will solve or an opportunity it will take advantage of.What do you want your readers to do or believe?
Then if you are in a position to propose a course of action, state it
18 | CPM-GA March 2008
clearly in a single sentence: A plan needs to be implemented, a pieceof equipment should be purchased, a study needs to be conducted.If, on the other hand, you are providing information that someoneelse will use to make a decision, summarize your principal conclusion:The plan addresses the necessary contingencies, a piece of equipmentmeets specifications, a person is qualified for a job.What are your supporting arguments?
Give your readers a simple summary of the reasons, findings, orconclusions that support the recommendation or evaluation you aremaking, or an outline of the details of your proposal: The plan will beimplemented in the following five phases …, the equipment willenable XYZ Company to deal with the following threats…, the can-didate has needed expertise in the following areas …What’s next? Who will do what, when and how?
Summarize what your readers need to do to further your propos-al: If you agree with this proposal, please sign in the space below …,please call me if you have questions …, please prepare a preliminaryestimate of …; and what you will do in support of the position you
are advocating: I will visit three local companies that have implement-ed similar plans …, I will organize a meeting of those who will …, Iwill prepare a full report detailing the implementation of …
IMPROVE YOUR COMMUNICATIONAs simple and obvious as this structure may appear, too many peoplefail to use it as the basis for their business communications. And notjust in writing. This structure is applicable to all types of messaging. Itmodels the structure of all good decision making and problem solvingand can be used as the basis for something as simple as a voicemailmessage or as challenging as an effective PowerPoint presentation. Itis even the structure of any good strategy.
Ideally, all these points should be made in a single page, in keepingwith the common wisdom that in business anything with a staple in itdoesn’t get read. Each one of these points should be discussed in aseparate paragraph. The summary of your supporting reasons is agood place to use a bulleted list that readers can scan to capture theessential elements of your supporting arguments.
If your communication is particularly complex or technical, you alsomay want to include a few additional pieces of information not specif-ically covered in the outline above. When your audience is unfamiliarwith your topic, consider including a few sentences of essential back-ground or even definitions of terms– whatever may be necessary toensure that your message is understandable to any audience.
If you and your qualifications are not known to your readers, or ifyour proposal is especially costly or controversial, you may want toexplain the sources of the information you use to justify it. And final-ly, if what you are proposing is only applicable to a specific set of cir-cumstances, state any assumptions that underlie your conclusions, andthe limitations of your findings or recommendations. These variouselements are usually best incorporated just prior to stating your cen-tral proposition – what you want your readers to do or believe – orjust after it. In either case, the idea is to create whatever context maybe necessary for your readers to fully, but quickly, understand whatyou are talking about.
Systematically evaluating your readers’ needs and giving them acomplete summary of your point of view in a single page are elementsof all effective communication. We have all learned these principles atsome point in our schooling or professional training. But how manypeople actually apply them? Doing so will increase the chances thatyour ideas get the attention of decision-makers and ensure that organ-izations and communities are prepared for emergencies the way youknow they need to be.
About the AuthorMatthew Spence is president of Spence & Company (www.spenceandco.com)and teaches workshops on business and technical writing to professionals ofall kinds. The approach he teaches was developed by his father in the early1950s for McKinsey & Co., where it became the basis for approaches simi-lar to the “pyramid principle,” MECE, and other acclaimed techniques ofeffective communication used by McKinsey and other leading management,consulting and professional firms around the world. Spence can be reached [email protected].
New & Improved
The business continuity, emergency management and securityfields continue to grow and change. And to follow suit,www.contingencyplanning.com has done the same.You’llnotice a new look to our site – one that makes it easier foryou to find the information you’re looking for quickly.
Learn the latest-breaking industry news, get information and register for The Contingency Planning & Management Group’ssemi-annual conference. Sign up for our free publications andparticipate in weekly polls to see where you stand amongyour peers.The new www.contingencyplanning.comWeb site makes it a snap to stay on top of your game and inthe know. Check it out today and see for yourself!
www.contingencyplanning.comredesigned with the reader in mind
20 | CPM-GA March 2008
GlobalAssurance
REAL-TIME TRANSCRIPTIONAccept speech input from 100 event participantsThe CaptionBot from ULTECH offersautomated broadcast captioning technol-
ogy for real-time transcription applica-tions. This technology turns speechinput from different locations into text,together with participants’ identities; andcan display collective text on a videomonitor, or over individual computers.A data file of proceedings can also beproduced, after the event. For example,a team of emergency responders can cre-ate a text rendition of their conferencecalls.
www.ultech.com/transcription
EMISSIONS-FREE PACKAGINGMATERIALProtect items and recovery personnel for up to 10 yearsIntercept Technology packaging, avail-able up to 40 feet wide, mitigates disas-
ter damages by protecting items fromatmospheric corrosion, static electricity,and mold – employing a copper polymerto sacrificially remove contaminants thatdamage items. The samples pictured
show the results of a test comparingIntercept packaging to bagging alterna-tives: chemical preservative, foil, andanti-stat plastic.
www.InterceptShrinkfilm.com
MASS NOTIFICATION SYSTEMSend emergency messages efficientlyover a wide area Cooper Notification recently announcedthe launch of its Roam Secure AlertNetwork (RSAN), a personal and region-al alerting system on Microsoft’s
Windows Server 2008 operating plat-form. RSAN delivers personal andregional text and voice alerting; and ispart of the Cooper Notification suite.This suite delivers mass notifications overa wide area through integrated outdoorspeakers and offers an indoor evacuationsupport system.
www.coopernotification.com
ACCESS SECURITY SOLUTION FOR MAJOR EVENTSVerify millions of identities in emergenciesCoreStreet has inte-grated its PIVMANsolution with aunique smart cardand identity man-agement system tocreate an improvedverification andsecurity solution for
big events, with handheld devices andrelated backend software. This integrat-ed solution was deployed in a March2008 “Winter Blast” First ResponderAuthentication Credential (FRAC)authentication demonstration, hosted byFEMA and the Office of National CapitalRegion Coordination. PIVMAN controlsaccess without persistent connection to adata source.
www.corestreet.com
OFFSITE BACKUP OF ALL VIDEORECORDINGSWhy put key assets under your mattress?Do you “protect” your DVRs and/or NVRsby storing them on hard disk drives? Whenthe hard disk fails, both types of video will belost. Backing them up to a hard disk is like
hiding money in a mattress. Using a reliablebank is far better. NCL Security’s EyeHostservice is a reliable bank for DVRs andNVRs. We have potentially unlimited redun-dant storage. No need to worry, from nowon, about fiber channels, NAS clusters, block-based iSCSI, or other storage options.
www.nclsecurity.com
SINGLE-PANE DASHBOARD FORYOUR RECOVERY ASSURANCESOLUTIONSMonitor critical applications acrossmainframe and open systems21st Century’s DR/VFI Recovery Assurancesoftware offers tools to monitor and analyze
PRODUCTS
www.ContingencyPlanning.com | 21
GlobalAssurance Products
key data and applications across mainframeand open systems via a single-pane, multi-view interface. Customize by user, typeand function. Integrate data from separateIT teams. Identify interdependencies.Validate recoverability. Optimize yourRecovery Time Objectives and RecoveryPoint Objectives.
www.21stcenturysoftware.com
ADOBE FLASH AND MAPQUESTFUNCTIONALITIES NOWINTEGRATED INTO CONTIGOMAPPING TOOLSGet location context even for non-vehicle applications, especially in recov-ery situations
Contigo has added a new “draggable”tiled interface — and integrated street,aerial and hybrid map views across all itsmapping interfaces, including its 24/7monitoring portal. Adobe Flash andMapQuest (both the Advantage API andEnterprise editions) help give you anoptimal mix of usability, cross platformcompatibility, speed and extensibility.
www.contigo.com
NEW DMP PANEL EXPANSION CARD PROVIDES DIGITAL CELLULAR LINKOne-step installation of panel-to-stationwireless communicationsInstall a secure wireless communicationlink between the panel and any DMPCentral Station, providing multiple com-munication paths – with full, two-waycommuncations. DMP’s Digital Cellular
Communicator: 463G — an expansioncard for the DMP XR500 panel – givesyou a one-stepmethod to establishwireless communica-tions, either as the
primary link or as a reliable backup. Thisnew solution works with any wirelesscarrier.
www.dmp.com
DELIVER ACCURATE AND TIMELYINFORMATION OVER A QUARTER-MILE AREAReduce crisis injury and property lossthrough a Clear Warning systemADTs Clear Warning intelligible voicemessaging uses live or pre-recorded mes-sages, and can be installed permanentlyon buildings or poles, or mounted on aportable trailer. These units – which can
be equipped with an optional camera,and with back-up power – comport witha 2006 US Presidential homeland securi-ty directive on implementation of effec-tive mass notification systems for emer-gency incidents.
www.adt.com
NEW SYSTEM IMPROVESEMERGENCY DECISIONS BYENHANCING “SITUATIONALAWARENESS”Instantly access 300 data points, includ-ing building details and criticalresponse plansPrepared Response has upgraded itsRapid Responder Crisis Management
System, which digitally catalogues andinventories critical infrastructure includingall kinds of buildings, transportation sys-tems, and other structures. Upgradesinclude improved navigation, RSS feeds,more documentation, better imagery, inci-dent tracking module, and other features.
www.preparedresponse.com
22 | CPM-GA March 2008
LETTER OF THE MONTHAfter reading Building Business Resiliency in the February 2008issue, I find I agree with Mr. Myers’s basic premises. Most of hispoints are great.
But I disagree with a fundamental fact – and one which seemsto be causing our profession some serious “back-sliding.” Here iswhere Mr. Myers goes wrong: He mentions Business ImpactAnalysis (“BIA”), and then confuses this key issue by combininga Risk Assessment (“RA”) with a BIA. Many newer individualsin our industry incorrectly lump BIAs together with RAs.My 30+ years in this profession have taught me to distinguishthese two actitivities. BIA and RA are two very different “ani-mals.” BIA dealswith what happens to the business over time,regardless of the incident. BIA helps identify: critical businessfunctions, technology processes that affect those functions, andresources needed to maintain them. BIA helps set priorities, tosupport differentiation between critical, important, necessary,and deferrable organizational processes.
By contrast, RA deals with identification of every possible riskof significance, and the vulnerabilities the organization has foreach such risk identified. RA is used to identify the risk priori-ties. With these priorities in hand, the organization can chooseto handle some of them through other means, such as insurance.RA also provides a basis from which to develop possible exercis-es addressing what would be the risks most likely to occur forthe organization. And RA gives a crisis management team aheads up on the most likely incidents the team could face, so itcan develop procedures to deal with them.
BIA and RA are thus very different — and equally importantfor developing a viable business continuity plan and overall pro-gram. They should be handled differently, and separately. BIAdetermines: “What will happen when” — while Risk Analysisasks: “What if this occurs?” One is an answer. The other is aquestion. Both are needed.
Patrick Kelley, Business Continuity Analyst
James Myers replies:I agree with Mr. Kelley’s feedback in principle. I agree that lots of con-tent could be written on distinguishing between a conventional RA, anda BIA.
The intent of the article was to provide practical information to busi-ness executives and their peers, so they can better understand the func-tional work required when building business resiliency into the enter-prise. The article states that once a vulnerability has been identified viathe BIA process, only then should a level or magnitude of risk beassigned the vulnerability — a separate process. RA can then be lever-aged against the findings of the BIA. Through the RA process, one canthen quantify pertinent loss exposures (loss potential), based on estimat-ed frequencies and cost of occurrence.
At a high level, a BIA analyzes all business functions and how a spe-cific disaster would affect those functions. A BIA and an RA are twodifferent animals yet not mutually exclusive when performing loss andcost calculations.
LETTERS TO THE EDITORGlobalAssurance
www.ContingencyPlanning.com | 23
Question: How do I get the boss to participate seriously in a crisisreadiness exercise?
Answer: All crises are management problems first. Pre-planningexecutive actions can avoid career-defining (and limiting) moments.Include very specific executive instructions in all plans and responsescenarios.
To be successful, every crisis response process requires plannedresponse elements devoted exclusively to senior management rolesand responsibilities:
• Have a plan for what the boss should do in a crisis.• Set the tone and the goals of the response – any, and every,
response.
1. HAVE A PLAN: WHAT THE BOSS SHOULD REALLY DO IN A CRISIS
One of the more dangerous weaknesses in crisis response is the lackof specific roles and assignments for top management. This defect incrisis management planning occurs all too frequently and can resultin mismanagement, lack of management, and even organizationalparalysis. Prompt and effective response depends on carefullyspelling out essential CEO responsibilities in your crisis response plan.
Why Should the BossListen to You?
Management Participation in Readiness Exercises
By James E. Lukaszewski, ABC, APR, Fellow PRSA, CCEP
www.ContingencyPlanning.com | 24
The CEO or surviving leader must:Assert the moral authority expected of ethical leadership. Even the
most devastating or catastrophic crisis will be forgiven in mostcultures. Forgiveness is possible — provided the organization,through early behaviors and leadership, takes appropriate andexpected steps to deal with critical issues. The behaviors, brieflyand in order, are:• Candor and disclosure (acknowledge something adverse has or
is happening)• Explanation and revelation about the nature of the problem
(analyze early)• Commitment to communicate throughout the process (even if
critics abound)• Empathy (commit intentional acts of helpfulness, kindness, and
compassion)• Oversight (invite outsiders, even victims, to look over your
shoulders)• Commitment to zero (find ways to prevent any similar event
from occurring again)• Restitution or penance (pay the price – do more than would be
expected, asked for, or required)
Take responsibility for the care of victims. The single most crucialelement in any crisis — aside from ending the victim-causing event— is managing the victim dimension. Management must see thatappropriate steps are taken to care for victims’ needs. These stepsare both reputation preservation and litigation reduction activi-ties. Most devastating responses to crises occur when victims areleft to their own devices; when victims’ needs go unfulfilled; or —for whatever reasons (usually legal) — the organization that creat-ed the victims refuses to take even the simplest of humane stepsto ease the pain, suffering, and victimization of those afflicted.Out of all of the CEO’s essential responsibilities, taking a person-al interest and an active role in the care of victims is the mostimportant. Maintain a positive, constructive pressure to get vic-tim issues resolved promptly.
Set the appropriate “tone” for the organizational response. Tonerefers to internal management behavior that helps the organiza-tion meet the expectations triggered by a crucial, critical, or cata-strophic situation. When senior management assumes the pos-ture of victimization, of being under attack, the entire organiza-tion will react in the same way. Rarely are large organizations andinstitutions considered victims. They are generally considered tobe the perpetrators at worst, or arrogant bystanders at best.
Top executives need to set a constructive tone that encouragespositive attitudes and language, and prompt responses. Thisapproach protects the organization’s relationships with variousconstituents during the response and recovery period, showsrespect for victims, and reduces the threat of trust or reputationdamage.
Set the organization’s voice. Put a face and a voice on the organ-ization or institution as it moves through the crisis. This action isdirected towards the external world —how we describe ourselves,what we are doing, how the response is going, what responsibili-
ties we are taking, what outside scrutiny we are inviting, etc.Commit acts of leadership at every level. Acting like a leader has
significance during urgent situations. Literally walk around andtalk to people. Encourage, suggest, knock down barriers, andhelp everyone stay focused on the ultimate response processgoals. Random acts of leadership are always welcome in anyenvironment, but especially during crisis. Rather than huddling inthe executive suite while trying to determine what steps shouldbe taken to resolve the situation, 90 percent of senior executiveactivity should involve being out-and-about — leading, motivating,and sharing empathy.
2. SET TONE AND RESPONSE GOALSSetting the tone means establishing clear, simple, verbal and writ-ten goals and achievement statements that guide the organiza-tion’s behavior. Here is one example.
Our Crisis Communication Goal:Simple, Sensible, Positive, Empathetic Responses at Lightning Speed
A) Define specific responsibilities:• Be available; be helpful, as required by the response
plan.• Know what to do; when to do it.• Know what to say; when to say it.• Know what to delegate and to whom.• Inspire rapid recovery as the crisis atmosphere sub-
sides.
B) Establish a policy base for crisis response inside the organi-zation.
Avoid negative behaviors, language, and decisions. They onlyslow response time, distract those with response assignments, andendanger the organization’s reputation and executive careers.
CONCLUSIONHaving specific responsibilities for bosses keeps them away fromthe Command Center and in the field — where they reallybelong — where they can motivate, help overcome barriers, andre-allocate resources on the spot. We will elaborate on this lastpoint in more detail next month.
About the AuthorHave a question for Jim Lukaszewski? E-mail him [email protected]. Make your subject line “CPM Questions.”Include your full contact information, including a telephone number ande-mail address. If your need is urgent, please clearly say so. If you’dlike your questions answered in this column, please say so. JimLukaszewski’s new book, Why Should the Boss Listen to You, publishedby Jossey-Bass, is available in bookstores. (The book can also be pur-chased at www.barnesandnoble.com and www.Amazon.com. Bulkorders are available at www.800CEORead.com.) Contact Jim at (914)681-0000, or via his website at www.e911.com. All questions andanswers used in these columns become the property of the CPM Groupand may be used in other media and products.