Risk and Security LLC

Risk Assessments, Training and More

Exploring Ideas to Prevent Disasters like the Haiti Earthquake Disaster

CNN seems like it’s grabbed the lead on Haiti Earthquake coverage. They crossed that line last night when Sanjay Gupta, the CNN doctor, spent all night in a field hospital caring for patients that the UN left alone in a tent.

So there are thousands of images of the aftermath of the earthquake. Thousands of sad stories of loss and tragedy, all of it magnified by the grinding poverty of the country and its lack of government control and working infrastructure (even before the earthquake).

Obviously – it is impossible to prevent an earthquake, so there are three areas that could be explored to make earthquake disasters less horrific.

1. Advance notice of seismic activity in an area. Hurricanes can be seen forming and building and can be graded, and prep work can begin days before the disaster strikes (yes – like Katrina). But perhaps it is also possible to have sensors that mark seismic activity. At least enough to get a glimmer of warning. My research says that there has been a project since 2007 to install sensors in the ocean floor to track tremors. After the Indonesian tsunami, the urgency to install these sensors increased dramatically. And because Haiti was on a fault line — I can’t help but wonder if someone somewhere in a research lab may have noticed a few unusual tremors before this actually occurred.

2. Creating a System of International Building Codes. Obviously the death, injuries and damage occur from falling buildings and building materials (in the Haitian earthquake – cinder blocks). The UN could create standards for buildings with different standards based on the type of earthquake zone. For example, there could be a simple 1-5 scale and places that often have earthquakes (California, Japan, Pakistan) would have stricter standards than a place with almost no earthquakes, i.e. Florida and India.

While every building in a quake-prone country might not comply with the guidelines, the big multi-nationals would – the hotel chains, the government buildings (perhaps), and the better residential areas — and who lives in the better residential areas? The doctors, the medical professionals, the government officers, exactly the group of people you need in an emergency.

3. Creating Standards for Better Emergency Planning and Disaster Recovery.
The big increase in business continuity plans and disaster recovery plans (see www.recoveryplanner.com) is amazingly limited to INFORMATION recovery and working to limit or prevent interruptions in information systems. The same kind of planning does not exist for disasters in most underdeveloped countries. Again, this is an area where the U.S. agency FEMA could play a leading role; or the UN should make it a priority to set some kind of minimal planning standards for these devastating emergencies with massive injuries and loss of life.

The National Fire Protection Association (www.nfpa.org) has published an Emergency Preparedness standard called NFPA 1600 – the Standard on Disaster/Emergency Management and Business Continuity Programs – and it’s a good example of the basics of Emergency Preparedness.

Individual countries would do their citizens a service by acquainting them with how to prepare families to survive in emergencies, whether they are triggered by power outages, severe cold, hurricanes or earthquakes!

Emergency Preparedness’ critical role in emergencies is something you can watch unfolding this week, as the relief efforts get stalled by lack of clear roads, problems at the airports, time involved in sea travel, etc. There has to be a better way – one that can be refined and used in future disasters.

In case you think you will never see an earthquake – here are the statistics on how many earthquakes occur in the world each year. These are averages but you can see that there is, on average, one giant earthquake, and seventeen large earthquakes, 134 strong earthquakes and many more light and moderate earthquakes.

TYPE       STRENGTH       AVERAGE PER YEAR
Great      8 or higher    1
Major      7–7.9          17
Strong     6–6.9          134
Moderate   5–5.9          1,319
Light      4–4.9          c. 13,000

The Boy Scouts were right when they adopted “BE PREPARED” as their motto.

These are three areas:

1. Better Ways to Predict Earthquakes (by even a day),
2. Minimum Building Codes based on local geography, and
3. Uniform Emergency Preparedness standards around the world.

These could be explored to prevent or at least mitigate the devastation we have seen in Haiti this week.



Fireworks Ignite After Latest Airline Terrorism Incident

It was a surprise to see the biggest news on Christmas was that a Nigerian terrorist managed to get on a plane coming to Detroit from Amsterdam with some sort of explosive strapped to his leg.

AND – the alleged terrorist was on the NO-FLY LIST. Just think about this for a moment. A recent paper from the Naval Postgraduate School on Homeland Security estimated that the costs of the no-fly list, since 2002, range from approximately $300 million (a conservative estimate) to $966 million! And after spending over $300 million, the terrorist is able to get right on the plane, WITH EXPLOSIVES STRAPPED ON, and fly to the U.S.

Besides being a risk expert, I was a mom who didn’t let her boys have toy guns. So imagine my shock at THINKING (to myself) that maybe we should let certain cleared passengers fly PACKING.

The passengers on the flight under discussion are the ones who subdued the perp, and I have a feeling that US airline passengers would all be happy to take over their own security while flying the un-friendly skies.

Despite spending billions on patting down the grannies and business travelers along with 9-year-old girls – someone can still board a plane and fly right into the U.S. with explosives strapped on.

A simple risk formula applied to this entire passenger screening program shows that the entire TSA passenger screening program is too expensive for the results they are getting. The biggest cost waster is the idea that every single air traveler is treated exactly the same way. This is the elephant in TSA’s conference room. Every traveler is NOT the same. The most simplistic metrics show that:

1) Terrorists are more likely to be men.

2) Women over 60 are not likely to blow anything up.

3) Small children and federal employees are unlikely to be smuggling in explosive devices.

As the noted expert, Stephen Flynn, pointed out in his book, America the Vulnerable, this policy creates huge cost, creates inefficiency and does not stop the dedicated terrorist.

Instead of being run as a gigantic stimulus program for the underemployed, TSA should sharpen its focus and begin a true profiling program. A profiling program doesn’t have to target certain groups or types of individuals, but it should work towards automatically EXCLUDING the large groups of people who are unlikely to be a threat; let them opt for “cleared” status by completing a background check, and if these many individuals were automatically cleared, it would leave the TSA screeners more time to do MORE RIGOROUS checks on potentially dangerous individuals, and ENSURE THAT PEOPLE ON THE NO-FLY LIST — DO NOT FLY!

Sounds obvious, doesn’t it? But instead, the U.S. budget is being squandered on thousands of unnecessary screens, while the potential targets are not getting the in-depth, in-airport screenings they need to have.

These inane policies are not just indefensible – they are dangerous – and the latest incident just proves the point.



How your health records are safer — or at least you’ll know about all the disclosures now….

Well – it wasn’t a billion dollar bailout and it wasn’t a new ‘public option’, but it was, on September 23rd, the official STARTING DAY of the new HIPAA breach disclosure rule, another tangible effect of the American Recovery and Reinvestment Act of 2009.

The breach disclosure rule is a little unusual in the way it dictates how healthcare entities have to behave if there is a disclosure of YOUR PHI (i.e. Protected Health Information). Your PHI could be interesting little tidbits of information like:

– detailed health info on 1000 Hollywood celebrities, probably all about face lifts, nose jobs and liposuction.

– Details on whose tubes got tied

– Embarrassing information on warts and other disgusting physical problems

– Or just info you don’t want everyone to know about.

The new Breach Disclosure rules protect you. Here are some of the details about what the organization that leaked your sensitive info has to do…

If the breach involved fewer than 500 individuals’ information, then you must be notified within sixty days and “without unreasonable delay”. If more than 500 individuals’ information is breached, then the organization has to not only notify the Department of Health and Human Services, but also has to send out a press release and notify the media — film at eleven.

Covered organizations (covered entities) will not be penalized until February 22, 2010. So for now, organizations should make sure they have these disclosure guidelines in place and practice them, including training and awareness exercises, so they will be ready by February.

Organizations must also do an individual RISK ASSESSMENT on each breach to calculate the harm that the breach may do to an individual. For example, whether the breach would affect their health insurance, or their relationship!
There are additional considerations about whether the breach was done in error and actual disclosure was limited; or whether it was malicious disclosure – done on purpose, or for financial gain.

The breach notification rule, in my opinion, is just another manifestation of how serious the government has become about protecting personal information, whether it is protected health information, or personal financial information.

The FTC reported that identity theft is the number one consumer complaint and so protection of your information has moved up to the top of the list. Lucky us.



Did you Wash Your Hands Today? RISK and the H1N1 PANDEMIC

The CDC reported on August 29 that, as of April 15, 2009, a total of 9,079 hospitalizations and 593 deaths associated with 2009 influenza A (H1N1) viruses have been reported to the CDC.

I put on a seminar last week with the Florida International Bankers Association in Miami, Florida, and one of the topics on the menu was the H1N1 Flu. Now, about ten days later, the media is starting to report on H1N1 sweeping through the college campuses and elementary schools. It hasn’t hit employers hard yet, but I am confident that it will.

And this time it comes with some surprising statistics. The younger you are, the more at risk you are. Apparently if you are over 60, or born after 1956, you are mostly immune because a similar flu that made the rounds in ’57 gave people alive at the time antibodies that will protect them this time.

I have noticed the increase in sincere doctors talking about how they are going to immunize their own children – that is, after the new vaccine comes out in mid-October.

Hospitals have already been hit especially hard by the recession, due to the increase of patients who have lost their jobs, and therefore their health insurance; and that has increased activity in the local emergency rooms. But look what the forecast is for hospitals at the height of the possible epidemic — Under some models, seriously ill influenza patients could require 50 to 100 percent of intensive care unit (ICU) beds at the epidemic’s peak, stressing the medical and public health systems to the point of overwhelming some hospitals, and could cause from 30,000 to 90,000 deaths, concentrated among children and young adults.

I went to the local grocery and stocked up on hand sanitizer for the office and also lots of foil-wrapped sanitizing wipes – keeping them in my purse and suitcase, for those occasions where I have to shake a lot of hands.

What is the effect on a business if H1N1 does reach pandemic proportions?
Your personal risk varies depending on your age. Older workers will not be affected but take a look at your workforce and calculate how many have young children or school age children.

Since transmission increases in group settings, and kids are known for not being the most hygienic of creatures – there is a better than fair chance that your employees will have children who get sick and they will have to stay home with their children.
Some schools may have to close for 4-8 weeks. Especially since elementary school teachers are often in the target group and often have small children themselves. In my own office, two-thirds of the associates are under forty and half of those have small children. One expert said that if the 30% figure holds, then expect a ten-fold increase in absenteeism.

If your organization is part of the critical infrastructure, you might want to get a professional assessment of your risk, not just to identify it, but to get a set of operating procedures you can use if the pandemic does materialize.

Here are a few things to think about:

1. Encouraging an option for employees to work at home.
2. Deciding in advance what to do when an employee tells you he has H1N1.
3. Cross-training for important as well as critical functions.
4. Think about curtailing employee travel, if necessary.
5. Consider the impact if public transportation is not available, or not safe to use.

Seriously consider getting some No-Doz for your employees over sixty who may have to work much longer hours!!

AND DON’T FORGET TO WASH YOUR HANDS.



Crime & Punishment – Blame & Accountability

BLAME & ACCOUNTABILITY

Gee – they go together like a horse and carriage. The CIA Interrogation controversy has been front and center this past week and what stands out, no matter what side you take, is the blame game. Blame the old White House for overstepping authority; blame the new White House for waking up the sleeping dogs. Blame the lawyers. Blame the interrogators. Blame the detainees for being such intrinsically bad people.

A process tinged with so much blame highlights that there is another principle at work here – you could call it Greed (a la Gordon Gekko) and that is the phenomenon of skating right to the edge of an ethical question, or ‘getting away with as much as you can’.

The Getting Away With (GAW) principle is the polar opposite of Accountability. In the GAW, the question is never asked about whether something is legal, or moral, or right. Instead the question becomes one of degree and how far you can go without brushing up against laws, moral outrage, the notice of Congress or whatever.

If Accountability means taking responsibility for one’s actions, then GAW means not taking responsibility, not even admitting what is obviously happening, but instead pushing the responsibility onto someone else, i.e. the lawyers, the White House Counsel, the Justice Dept., the CIA, the individual interrogators. Sort of like a musical chairs game where you go as far as you can, do whatever you want, and hope by the time the game is over, someone else is left holding the bag.

If you are wondering what this has to do with RISK – it’s the pushing around of the accountability and responsibility. If risk is going to be addressed in an analytical manner, then you have to examine, and insist on, accountability.

So in a corporate setting, say the ENRON debacle – the justice system addresses who was accountable. Who knew what? Who signed the memos? Who shredded? Who decided?

In government decisions, there is almost a preference for non-accountability. Even though, as an organization with a budget, it should be judged just like a corporation, an association or anything else – there is a tendency for government to say “it’s the system”, as if decisions were made by the eight ball instead of an actual person. If you attribute each government decision made to an actual person, then you have accountability. Probably why there are so many committees!

Accountability is always the Number One Control!



THE WANTED — NEW TV SHOW ILLUSTRATES THE CONCEPT OF ACCOUNTABILITY

If one picture is worth a thousand words, then this new TV show “The Wanted” is worth about a million words!

The debut of “The Wanted” showed the terrorist-fighting journalists meeting with the Norwegian government to find out how to get a Jihad-loving Mullah deported back to Iraq to face charges for murder. The interesting twist of this series is that it shows the journalists meeting with, and clearly identifying, the woman and agency in Norway that is protecting the mullah. They go on to meet with other politicians in Norway and step through all the red tape to find out — what is required to get this terrorist out of Norway and to Iraq to face charges.

Their actions have already set a chain of events in motion including having Iraqi officials say they will not give the Mullah the death penalty, which is apparently what Norway wanted to hear. But even after that concession was made, the person directly in charge of having him deported, was still denying that he would be sent back.

Enter accountability! One TV show with the individual’s picture on it — and the bureaucracy is exposed and now action takes place and spurs other actions.

It reminded me of the power of having individuals’ names linked to their truthful answers about how well or poorly they were complying with specific security requirements. You can talk about high, medium, and low until your face turns blue, but it is just theoretical talk — until you actually show real names, with real answers, and then it becomes REAL. It becomes actionable intelligence that is much, much harder to ignore or push away, out of your consciousness.

I have never discussed a TV show before — but you should check out THE WANTED and see how it focuses the white light of accountability on everyone who is interviewed!! Monday nights on Dateline — catch it.



How much does Accountability contribute to the Security Environment in an Organization?

Watching the Supreme Court confirmation hearings made me think about ACCOUNTABILITY. One of the problems faced by security directors in both IT and corporate security is that they are alone on the island. No one else wants to worry or think about security.

This may be a major underlying cause of why security problems are not easily solved, just by adding new technology. People still find ways to either ignore controls, or use them incorrectly.

One of the main benefits of a Distributed Risk Assessment is that it touches different people in the organization and increases their awareness – AND Accountability. The accountability element comes in because the risk assessment analyst can track each individual’s answers so you can see a simple profile for each one, and see that they are either:

– Complying MORE than others in the organization
– Complying SIGNIFICANTLY LESS than others in the organization
– So clueless that they don’t know whether they are compliant or not
– Don’t think the security questions apply to them

With this kind of detail, you can also COMPARE individuals, compare business units, compare departments and this kind of detail also encourages accountability in the business unit manager.

Accountability could be the basis for fixing everything that is wrong in society, as well as in the security program.

Think about the impact if everyone took responsibility for their OWN health. It would change the world. What about if everyone took responsibility for their neighborhood’s safety and security? What if parents took responsibility for how their children performed in school?

Obviously – adding the element of Accountability into the security program could be very motivating.

Accountability is the exact opposite of passing the buck to someone else. And while accountability can be a daunting prospect (when you think about applying it in YOUR organization) — it is also empowering. It gives individuals control over their security and takes them from a passive to an active state.

And I hope everyone would prefer being in an active state!!



Assessing Risk of Swine Flu (H1N1)

Largest webinar ever was today on the current pandemic (Swine or H1N1) flu. I was surprised at how many organizations participated and we reviewed the different areas that businesses need to review when a flu like this threatens.

Last year we created six different pandemic flu assessment questionnaires, differing on whether the business is tagged as a “critical industry”; whether it is domestic, or has international offices; whether it’s a hospital or healthcare provider; and also sliced and diced by the state of their pandemic and emergency plans such as continuity of operations planning. Disaster planning is not really the same because in disaster planning, you assume the rest of the world is constant, instead of in the state of flux a real pandemic would produce.

In Maryland, there are six cases, and three of those in this county — they closed a school this morning.  So it is of concern to employees and the webinar centered on the different decisions business execs need to make about:

1) communicating with their employees and suppliers

2) making plans for auxiliary workforce members

3) doing advance planning and creating mechanisms for people to work from home, if necessary.

4) looking at last-minute cross training and making sure that everyone knows how to do almost everything.

The other aspect was understanding that this flu, at least initially, looks relatively mild, and as such, it makes a great case to run a preparedness drill when people are watching the media coverage. Also probably a good time to get budget approved for things like back-up supplies and face masks (if execs are planning travel, or the business is very customer facing).

Reviewing training and trade show plans for the summer and fall would be a useful exercise.   And I think it is a service to employees to explain how to create a family pandemic stash of medicine, toilet paper, food, water and all the other necessities of life that would hold a family over for 3-6 weeks of isolation in the house.

These basic planning elements are all over the web and all over the news, but sometimes still hard to assimilate. One of the things we have developed is a spreadsheet of the planning elements, and I’d be happy to send it to you, if you send me a request to this blog.

