Risk and Security LLC

Risk Assessments, Training and More

This content shows Simple View

disaster recovery planning

A New Threat Appears – Meteor Strikes

After the meteor showers over Siberia this week, Russia put together a

Financial analysis of the damage from the meteors:

1200 injured by flying glass

             $33,000,000 in damage

4,000 building damaged

50 Acres of windows shattered

In the last twenty-five years, as the rate of climate change has increase, we have occasionally added new threats like Tsunami and ash pollution.

Now meteor showers have actually come to cause damage to companies so they are another factor to be included in risk assessments.

In evaluating threats for a risk assessment, many in the northeast would always tell me, “take out earthquakes”, we don’t have earthquakes in Virginia, Maryland, and Ohio. That changed in 2011 when the Mineral, Virginia earthquake hit during a mid-week business day.

RICHMOND, VA (WWBT) – Aug. 24, 2011. 

There was an earthquake in Central Virginia that measured 5.8 on the Richter scale centered about 5 miles south of Mineral in Louisa, depth 3.7 miles at about 1:51 p.m. The quake was centered at 38°N, 78°W.

The U.S. Geological Survey said the earthquake was centered about 38 miles northwest of Richmond, Va., about 84 miles southwest of Washington, D.C., and was felt as far north as Rhode Island and New York City. See a map of the quake from Chuck Bailey, professor of geology at the College of William and Mary.

Hospitals, government offices, dams and power generating plants,  including nuclear plants, were forced to suddenly reevaluate the long held idea that earthquakes just didn’t happen in the NorthEast.

The threat from meteor damage is the same idea.  It never happened before, but now it has happened again, if you count Tunguska as the first time.

Damage from meteor showers will now add a new category into the Threat index, even though this was the first event in my lifetime, if analyst factor in the previously known instances, such as the Tunguska Meteor Event, which did not occur thousands of years ago, like the meteor event in the Yucatan peninsula that killed off the dinosaurs, but
Tunguska occurred in 1908!   Almost in this century.

Over the next month, we’ll be looking at each different threat every week.  Sign up for my blog or access by following me on twitter at www.twitter.com/riskalert.


Holding Hurricane Sandy Survivors Hostage to House In-Fighting

Many, including Chris Christie, and Peter King,  are shocked and dismayed when the relief vote for New York and New Jersey was postponed until the new Congress assembles later this week.

The U.S. has historically had a great reputation for jumping in AS A WHOLE COUNTRY to help the victims and survivors whose lives and businesses have been ravaged and, in some cases, destroyed.  Many world leaders have commented on how the USA always pulls together in these emergencies.

According to the House, that’s no longer true.

The decision to take a budget fight to this level is NOT good politics.   These people, most of them property owners AND registered voters, are going into winter without the basic necessities, with houses that have not been repaired, with streets not repaired.  Sixty-eight days AFTER the disaster, these people cannot wait two more days, they can’t wait one more day.

A big country like the United States of America cannot hold its head up in the world, if we can’t help our own brothers and sisters who suffer these terrible events.

If this happened in New Orleans, I think you can imagine what the talking points would be.

As a group concerned about safety and security, we should be writing our congressmen and senators and tell them to stop playing games with federal disaster relief.

Get Ready for Severe Weather!

Whether it is Spring tornados or spring-summer thunderstorms and hurricanes.  We officially enter the season of severe weather across the U.S.

A major focus at the beginning of each severe weather season, take a few minute to get ready and make sure you are prepared, and your kids are prepared, and your pets are prepared.

You can download a complete list of preparation details at www.ready.gov but here is a
short list to review:

1.  Keep enough food and water for at least two weeks.

2.  Have a family evacuation plan and practice it often, including a meeting place.

3.  Keep a ‘ready-kit’ in your car with extra food, water, change of clothes and don’t forget to include pet food, plastic bags, diapers and other essentials that could carry you for a few days.

4.  Make sure and keep large trees trimmed to decrease the chance they could fall on your house.

5.  Use the internet, like Twitter or National Weather Service, to get breaking alerts, and invest in a battery powered radio.

6.  Keep extra batteries available to keep the radio alerts going.

7.   Keep your car gassed up, instead of running out during an emergency and finding
it’s out of gas, and remember, if the power goes out, the gas pumps don’t work.

8.  Stay alert and try to keep a day ahead of the weather!

Severe Tornados and Why We Need to Stay Prepared

The damage and destruction from the path of a tornado is incredible – and only matched by the sad stories of the survivors, if they are lucky enough to survive.

If there’s one thing that social media has improved – it is the ability of an individual in an affected area to get detailed updated by the minute on a smartphone or over the internet.

The old early warning systems were set up for radio, that was in the days when everyone listened to radios.   I do listen to the radio for maybe 5 minutes a day, in the car, just long enough to put in the CD or connect my ipod.   So the Twitter accounts and iphone-smartphone apps from CNN, the National Weather Service, Weatherbug and dozens more really help to keep people informed.

I often hear news anchors lament the over-availability of information these days, but I think the more access we get to this kind of information and other kinds of info is absolutely a wonderful thing for society and for most people!

If you do live in a tornado-, hurricane- or other disaster-likely area, the Weatherbug app is one of the best because you can set it to actually chirp if severe weather threatens.

As far as risk reduction – being able to protect yourself against major weather events is one of the threats you can more easily eliminate or at least manage.

Are there mor

“Although the average number of April tornadoes steadily increased from 74 a year in the 1950s to 163 a year in the 2000s, nearly all of the increase is of the least powerful tornadoes that may touch down briefly without causing much damage. That suggests better reporting is largely responsible for the increase.

There are, on average, 1,300 tornadoes each year in the United States, which have caused an average of 65 deaths annually in recent years.

The number of tornadoes rated from EF1 to EF5 on the enhanced Fujita scale, used to measure tornado strength, has stayed relatively constant for the past half century at about 500 annually. But in that time the number of confirmed EF0 tornadoes has steadily increased to more than 800 a year from less than 100 a year, said Harold Brooks, a research meteorologist at the National Severe Storms Laboratory. ”



Threat Modeling is the Exciting, Sexy Part of Risk Assessment

As a risk assessment professional, when I get into a risk discussion, most security people want to talk about THREAT!  Threat is the most sexy and exciting part of doing a risk assessment.

Threats are exciting all by themselves.  Think about all the threats you can name:

All the natural disasters like Earthquakes, Tornadoes, Storms, Hurricanes, Tsunamis, Lightning, Floods

Crimes like Homicide, Assault, Rape, Burglary, Theft, Kidnapping, Blackmail, Extortion

Terrorism like Sabotage, Explosions, Mail Bombs, Suicide Bombs

All the IT Threats like Malicous Code, Disclosure, Data Breaches, Theft of Data

And about 50 more including Chem/Bio incidents, Magnetic waves, High Energy Bursts, Microbursts, Contamination and Reputation Damage.

Each of these threats could theoretically occur at any time, but we try to establish a pattern of how often they have occurred in the past, in this location, in this county, in this country, in the company, etc.   So NASA, for example, gets thousands of hacker attacks, but another company, like the local Salvation Army, gets 1 every 10 years.

Same model for natural disasters, although you might have to factor in climate change, it’s easy to get the threat incidents for hurricanes in Florida, snow storms in Cleveland, earthquakes in northern California, etc.

We also like to examine industry specific data to see if some threats are higher in a certain industry, like the high incidence of workplace violence incidents in hospitals and high risk retail establishments (like Wawa or 7-11).

Another factor we use in calculating threat likelihood is how the threat could actually affect different types of assets…. for example, would an earthquake damage a car?  Probably not. Would it cause damage to an old historical building – probably (unless it had been retrofitted).  Could it cause loss of life, or injuries (think Haiti).

So I use a multidimensional model that takes the threats list (I have a standard list of 75 threats that I use), and map it to each potential loss, based on the ‘asset’ that might be affected.

The more data you get, the better your model will be, and the more value it will have as a decision support tool!


How to Correctly Analyze 100-Year Threats for Risk Assessments

Starting a risk assessment in northern Virginia and going through the threat list they say, “You can take earthquakes out – we don’t have earthquakes here”!

Hey, Haiti didn’t have earthquakes!

Vermont didn’t have major floods!

Connecticut doesn’t have tornados!

Like Murphy’s Law, as soon as you discount a threat, and think, “it will never happen here”, it happens!   The earthquake in the mid-Atlantic in August was a wake-up call for those who that they would never have earthquake damage.

One of the reasons that security risk assessment is so highly valued as an analytical took, and why it’s required by so many governments is because it DOES take into account the 100-year flood, the 75-year drought, etc.

Natural disasters can be so overwhelming, and catastrophic, that they must be considered in any proper risk assessment.  This is why some areas are not suitable for building housing tracts, because they are in a 100-year flood plan.

Because human memories are short, just because YOU haven’t experience a flood
along a meandering creek, doesn’t mean it will never happen.  

Always check the long-term probabilities when you start a risk assessment and make the numbers work for you!

Return of the Sea Monster as a Force of Nature

Last week I wrote about the oil spill in the Gulf and today I was looking at my Loch Ness model of a sea monster with a cute little red beret.  I thought about the concept of a SEA MONSTER. Any terrible  sea monster worth its salt would:

     1.  Kill things indiscriminately

     2.  Hide under the water until it is unleashed on an unsuspecting world.

     3.  Be very hard to kill or subdue.

Sound familiar?  Because the gulf oil spill IS a Sea Monster – probably worse because the Spill Monster doesn’t just kill virgins and itinerant fishermen – it kills everything.  Kills grass and insects and crustaceans (like shrimp) and also sucks the oxygen right out of the water so it doesn’t just kill everything now and then go about its business, but it makes recovery impossible.

If I was a senator or congressman I would be drafting up a bill requiring drilling AND mining companies to not only do a complete and comprehensive risk assessment PRIOR to exploration or drilling activity, but also to publish their contingency plans, disaster recovery plans and emergency plans.

Somewhere along the way – the phrase “disaster recovery” planning got pinned to the information technology recovery but it really applies to everything and certainly to risky endeavors like mining and drilling.

It would be tempting to say that the risk assessment and disaster recovery planning (in the broad sense) should be required on everything that has the potential to adversely affect the planet.   Who would administer it?   This is where the U.S. is again trapped into a corner by the responsibilities of each federal agency.  

In a perfect world, you’d like to think that the EPA (Environmental Protection Agency) would be in charge, but that, under the present structure, would exclude deep sea drilling and agribusiness concerns.   Because the EPA is regulating toxic substances like chemicals, and air quality, but not everything that affects the ‘natural environment’.

We need an ENVIRONMENTAL OMBUDSMAN to protect the citizens of the United States, and maybe of the whole world.   This position would cut across the current agency lines to include oil drilling/extraction; mining as in strip mining;  use of pesticides in agribusiness; industrial pollution of rivers, lakes and oceans; and deforestation.

Over-fishing belongs in the same category.  I have heard that Blue Fin Tuna is now endangered and the United Nations is going to vote this year on protective measures. 

Basically all these kind of industries, mining, drilling, fishing are all scooping raw material up out of the earth and selling it.  The companies involved seem intent on drilling, fishing or scooping up as much as they can get of FREE STUFF from the planet, and then selling it for enormous amounts of money.  Again, you would think that old self-preservation gene would kick in, but instead, it may be that when one of these industries hears that whatever they are taking could be limited, or managed, or made less easy to get, they rush to get every more before the limit or ban goes into effect. 

This behavior accelerates the underlying diminishing supply problem, drives up prices, making industries want to get even more of their oil, minerals, diamonds, fish, whales, or whatever and so the cycle becomes maximally destructive to the environment on even a shorter time line.

One of the biggest aggravating factors of the current SPILL MONSTER is that we, the taxpayers, basically financed it and now we are going to get to pay to clean it up, and the paying includes providing services for all the damaged parties.  Do you really think that BP is going to cover the entire costs by the end of the day?  I am highly skeptical.

We keep hoping that man’s (and woman’s) survival instinct is going to kick in at some point and people will think, “If we don’t keep the earth clean, it is going to negatively affect MY health, or MY business, or MY customers”, but we, as a country, are not quite a that tipping point yet.   I hope we get there sooner instead of later.

The Oil Rig Disaster and Risk Assessment — And Accountability Issues with Politicians

“Drill, baby, drill.”   We have heard that before – being from California and being a tree-hugger, I didn’t think that was a great idea, especially since I know our oceans are already struggling, but I did not expect something this bad to happen.

The politicians who were so busy expanding oil leases and the profit-rich oil companies who are raking in billions,  don’t spend much time on assessing the potential risks AND the potential losses for a catastrophic oil spill.

Maybe we should require them to do REAL risk assessments on the total possible impact of an oil disaster.    It would not be an environmental impact statement, which downplays the risk by putting in lots of scientific jargon and ASSUMES that proper safety controls and contingency plans are in place.  But obviously that either was not done;  or it was not accurate, or it was done and burned so no newsperson would ever see the smoking document (or should I say, the oily document).

If we go back to the classic risk model – we are by listing the assets at risk:

  1. The Cost of the Original Rig and Drill Equipment – $500,000,000
  2. The Value of the Lives of the 11 workers who died –    25,000,000
  3. The Value of the Oil itself, with replacement value
    (5 million gallons at  $2.00 per gallon = $10 million dollars)
  4. BP’s Reputation as a good company – $2 million
  5. Gulf Fishing and Shrimp Industries Value – $2.5 billion dollars for

Just Louisiana – add in Alabama, Mississippi and Florida and quickly     the bill runs up to $10 billion dollars.

  1. Value of Summer Beach Tourist Business in the Gulf – $20 billion
  2. Value of lives of 20,000 – 50,000 shorebirds; 10,000 turtles; 0ther assorted marine mammals, birds, and fish   – $25 million.

So we have a resource worth about $33.5 billion dollars – that is potential loss estimate.

What we will lose if a threat materializes?    Keep in mind, for comparison purposes, that BP had recently doubled it’s profits from $3 billion to $6 Billion a quarter,  which calculated out to about  $24  Billion Dollars a Year.

Next we factor in the likelihood of a threat occurring.  Reviewing the frequencies of and problems problems with oil rigs, and oil spills, we find:

There are an average of about 2000 oil spills a year of various degrees.

There are an average of 1 million gallons spilled each year (going back 7 years).

(Already you can start to get a idea of how terrible this spill is.)

Next we list all the problems (vulnerabilities) that could or would have made it more likely to have a disaster occur,  you will recognize many of these from the latest news conference

  1. New,  untried technology
  2. No recovery plan if secondary shut offs fail
  3. Difficulty of working on deep ocean
  4. No reliable oil containment systems have ever been developed

SO – if British Petroleum is making $24 BILLION A YEAR and because of this spill, BP loses about $1 billion dollars. That’s not a bad Return.

The problem comes in with the $30 Billion dollars that is borne and felt, not by BP, who goes on to drill somewhere else, but by the citizens of the affected states and the whole United States due to the incalculable environmental damage.

The last thing we look at in a risk assessment model is the potential controls that could have been put in place to reduce the likelihood of the threat materializing, and the cost of those controls that could either reduce the threat, or, and even more important in this case, minimize the damage if the threat occurs anyway.

What controls could have been improved in this model?

Development of effective oil capping techniques BEFORE a disaster

Better training of oil rig workers

Better fire controls which might have saved the rig from sinking.

Accountability Increased for the Materials Management Service (MMS)

Tougher Regulations for Oil Companies

Better oil containment tools

Better oil absorption tools

Regular drills so that workers are better prepared in an emergency like this.

I’m still here watching the news coverage but I have learned why this happened – because BP was making so much money, it just didn’t have that much to lose from a disaster.  So it avoided improving its technology and spending money on controls that might have helped.

And the former and current U.S. administrations are to blame for not requiring accountability from the MMS.  And the rest of us, including the bluefin tuna, the birds, the jellyfish, the crabs, the shrimp, bottlenose dolphin, sperm whale, dozens of varieties of sharks, manatees, oysters, warblers, terns, swallows, egrets, plovers, sandpipers, pelicans,  loggerhead turtles, Ridley’s turtle, diamondback terrapins, and alligators.

According to the Louisiana Department of Wildlife and Fisheries,   here are the numbers of species that will be affected:

445 species of fish,

45 species of mammals

32 species of amphibians and reptiles

134 species of birds,
and the ocean itself, and all of us.

Avatar, the Field and the BP Oil Spill

As the old drill-baby-drill cry loses its appeal, the coastal communities in the Gulf of Mexico are beginning to understand that they will feel the devastating consequences of the BP oil spill. 

The U.S. is a bicoastal country – 50% of the entire population of the United States lives within 50 miles of a coast.  And pays extra in housing prices to live there.  Ignore for a moment all the businesses that will be impacted – and think about buying a $4 million dollar house on the water – and have the water turn into an oil slick. 

I watched Avatar last night and noticed how the movie depicted the planet, Pandora, as an interconnection of elements that you could SEE how they supported  and depended on each other. 

That illustrates our relationship with our own Earth and how if one thing changes, it effects everything along the food chain (literally, in this case).  So the oil gets the birds and the blue crab larvae and the shrimp and now they are saying it may wipe out a generation of sea life.

As a species, we generally do not recognize that our connection with the earth is every bit as interconnected and tangible as the network on Pandora.  We need the earth to give us water, provide us with food (whether you are a vegetarian or not), provide water and shelter, medicine – everything – even manufacturing of plastic comes from the earth through our use of petroleum.

 That is also why ideas about animals are often so ‘un-evolved’, meaning they are thought of a things, not spiritual beings.  Time magazine ran an article on animal intelligence several years ago and said, at the conclusion of the article, “if we recognized and were aware of how sensitive and intelligent animals actually were, we would have to change everything we do as humans.”

News flash — we ARE going to have to change everything we do – we have to find our connection to the earth and the animals and plants who share it, or we will continue to have these devastating environmental disasters and wake up one day to a wasteland that can no longer support us. 

If you’ve watched “What The Bleep”, which is a movie that explains new developments in quantum physics – and I highly recommend that you watch it…  you will reach the same conclusion – that the electric Field exists on our planet and connects you and me to every dog, every blue crab, every tree, every blade of grass.  There is no artificial separation.  We are them and they are us and we are the same thing – just a different sector of the same energy field. We are Pandora. 

Oil spills and other disasters make this living network more apparent by watching, hour by hour on CNN, how one event affects everything, first in the Gulf, then in the entire coastal area touching the Gulf, then probably the Caribbean – who knows how wide the damage will be from this one oil platform. 

Do you feel the connection?  A few years ago, I got a great book about ‘curing the incurable’ and it was a collection of Russian folk remedies – from a former doctor to the Russian Olympics.  One of the remedies was how to use trees for healing – complete with details about which trees were most responsive – how to tap into the energy of the trees and use them by standing eighteen inches from the tree and putting your hands on the trunk…

This oil spill may dissolve political differences and even national differences and show us, one more time, how interconnected we are with the earth – and I’m hoping that we will find a positive way to use that information.

Exploring Ideas to Prevent Disasters like the Haiti Earthquake Disaster

Exploring Ideas to Prevent Disasters like the Haiti Earthquake Disaster

CNN seems like it’s grabbed the lead on Haiti Earthquake coverage. They crossed that line last night when Sanjay Gupta, the CNN doctor, spent all night in a field hospital caring for patients that the UN left alone in a tent.

So there are thousands of images of the aftermath of the earth. Thousands of sad stories of loss and tragedy and all of it magnified by the grinding poverty of the country and it’s lack of government control and working infrastructure (even before the earthquake).

Obviously – it is impossible to prevent an earthquake, so there are three areas that could be explored to make earthquake disasters less horrific.

1. Advance notice of seismic activity in an area. Hurricane can be seen forming and building and can be graded, and prep work can began days before the disaster strikes
(yes – like Katrina). But perhaps it is also possible to have sensors that mark seismic activity. At least enough to get a glimmer of warning. My research says that there has been a project since 2007 to install sensors in the ocean floor to track tremors. After the Indonesian tsunami, the urgency to install these sensors increased dramatically. And because Haiti was on a fault line — I can’t help but wonder if someone somewhere in a research lab, may have noticed a few unusual tremors because this actually occurred.

2. Creating a System of International Building Codes. Obviously the death, injuries and damage occur from falling buildings and building materials (in the Haitian earthquake – cinder blocks). The UN could create standards for buildings with different standards based on the type of earthquake zone. For example, there could be a simple 1-5 scale and places that often have earthquakes (California, Japan, Pakistan) would have stricter standards than a place with almost no earthquakes, i.e. Florida and India.

While every building in a quake-prone country might not comply with the guidelines, the big multi-nationals would – the hotel chains, the government buildings (perhaps), and the better residential areas — and who lives in the better residential areas? The doctors, the medical professionals, the government officers, exactly the group of people you need in an emergency.

3. Creating Standards for Better Emergency Planning and Disaster Recovery.
The big increase in business continuity plans and disaster recovery plans (see
www.recoveryplanner.com) is amazingly limited to INFORMATION recovery and working to limit or prevent interruptions in information systems. The same kind of planning does not exist for disasters in most underdeveloped countries. Again, this is an area where the U.S. agency, FEMA could play a leading role; or the UN should make it a priority to do some kind of minimal planning standards for these devastating emergencies with massive injuries and loss of life.

The National Fire Protection Associations (www.nfpa.org) has published an Emergency Preparedness standard called NFPA 1600 – the Standard on Disaster/Emergency
Management and Business Continuity Programs and it’s a good example of the basics of Emergency Preparedness.

Individual countries would do their citizens a service by acquainting them with how to prepare families to survive in emergencies, whether they are triggered by power outages, severe cold, hurricanes or earthquakes!

Emergency Preparedness’ critical role in emergencies is something you can watch unfolding this week, as the relief efforts get stalled by lack of clear roads, problems at the airports, time involves in sea travel, etc. There has to be a better way – one that can be refined and used in future disasters.

In case you think you will never see an earthquake – here are the statistics on how many earthquakes occur in the world each year. These are averages but you can see that there is, on average, one giant earthquake, and seventeen large earthquakes, 134 strong earthquakes and many more light and moderate earthquakes.

Great 8 or higher 11
Major 7–7.9 172
Strong 6–6.9 1342
Moderate 5–5.9 1,3192
Light 4–4.9 c. 13,000

The Boy Scouts were right when they adopted “BE PREPARED” as their motto.

These are three areas:

1. Better Ways to Predict Earthquakes (by even a day),
2. Minimum Building Codes based on local geography, and
3. Uniform Emergency Preparedness standards around the world.

These could be explored to prevent or at least mitigate the devastation we have seen in Haiti this week.