Latest Blog


One of the biggest risks about evacuating your office in the event of an emergency is getting people to actually evacuate safely. You can send all the emails you want about procedures but like the boy who cried were(wolf) sometimes we hear the warning alarms so frequently that when we really have to evacuate we don’t bother. As a result many BCM people struggle with how to get people to read and learn.

Then last summer I read a preparedness post by the Centre for Disease Control who spun the best practices for traditional disasters like hurricanes and earthquakes into the context of a zombie attack. They wrote: “You may laugh now, but when it happens you’ll be happy you read this, and hey, maybe you’ll even learn a thing or two about how to prepare for a real emergency.”

I thought it was brilliant because it got the message across in a funny way which almost guaranteed that the recipient would read (and finish) the post.  Against that backdrop I re-wrote my internal evacuation memo in this zombie style borrowing shamelessly from the CDC (as well as Amanda Ripley and the Zimmerman/Sherman essay “To Leave an Area After Disaster”.)

Consider this a template for your evacuation memo. So read it, take it, borrow it, steal it and share it. Save lives.

Read and steal the memo template here.

To be read in association with the post: “Tips on writing a zombie evacuation memo”.

There are many reasons – including fire or bomb threats – that require us to evacuate the building but it is equally important that we prepare for other threats such as an evacuation because of a zombie infection. You may laugh now, but if you keep reading you may learn a few things that prepare you for the more traditional evacuation emergencies as well.

Imagine for a moment that while at lunch, a colleague is accidentally infected with zombie viruses like Solanum or Ataxic Neurodegenerative Satiety Deficiency Syndrome. You recognize the behavioral patterns of the undead manifesting in the co-worker, and decide it would be best if we evacuated the building before our zombie colleague infects everyone else or eats our brains. So you pull down on the pull station (located beside the four fire escape doors) and the alarm sounds.

Everyone will immediately hear the insert sound of tone. When we hear this tone, JUST GO!

Do not go back to your desk to pick up your possessions or stand around talking to your friends about next steps. JUST GO! (While you may want to arm yourself against the zombie, it is unlikely (and against policy) that you’ll have a machete or crowbar in your desk, so JUST GO!) Besides if there was a fire you shouldn’t be carrying anything in the stairwell. (It’s probably okay to grab your mobile phone so you can contact your family and friends to let them know you evacuated safely.)

Make your way to any of the four fire escape doors on corners of this floor. They all exit onto insert Street. (After reading this zombie preparedness memo, please familiarize yourself with the door closest to your desk, conference room or kitchen.)

Once in the stairwell, walk down the insert number of floors as quickly and as safely as you can. Traditionally the undead do not run and have trouble descending stairs; don’t worry about the infected zombie chasing you.

When you get to the street, make your way insert directions to our Designated Assembly Point: the insert description of statue, square or location.

Next, look for your respective Fire Warden/Zombie Warden who will take attendance to make sure everyone left the building safely and/or that no additional zombie infections were recorded. Here’s a current list of wardens by area:

List the names of the fire wardens

After your warden knows everyone made it safely to the assembly point you will be provided with further instructions.

Finally, please make sure you have an Emergency Response Card on you at all times: a business card that illustrates the Designated Assembly Point and includes important phone numbers for you to call in case of an evacuation or emergency. Please ask for an Emergency Response Card at Reception.

If you have any additional questions about evacuations please see (insert your name).

The book Fast Food Nation was one of my favourites when I read it years ago specifically the chapter about the risks of E. coli and the meat packing industry. One of the most memorable quotes I know came from this book: “There is shit in the meat”.

Well I guess now we can say there’s shit on your mobile phone too. Gross.

It was reported this week that 90% of mobile phones are “coated with some kind of bacteria, including E.coli” and “although 95 per cent of participants claimed to wash their hands with soap whenever they could, some 16 per cent of hands and phones contained E.coli.” Ewww.

This comes as no surprise to me as I’ve already written about witnessing grown men not washing their hands properly after doing their business. Despite the signs from public health posted in many washrooms, men still believe wetting your fingers under water for 3 seconds is proper washing technique. Men: you’re going to go home and touch your children later with your pee fingers and you’re all rubbing mobile phones with your poop bacteria all over your cheeks.

Why not just lick the toilet handle as it’s probably cleaner.  Manage your risk people. Wash your hands properly please.

Footnote: It wasn’t that long ago that one could regularly hear our neighbours in the bathroom stalls scrolling through their emails on their BlackBerry devices. Now that the devices have track pads and touch screens, I am sure they are still doing this, only it’s done silently.


When my son was 7 years old he asked me what I did for a living. I explained that “Daddy goes to companies and helps them find where all the bad things are.” Ironically, this definition served me well when I had to explain what ERM was to grown-ups. While others were quoting definitions from COSO frameworks and generating glazed looks and polite nods, I was explaining the concepts in a way so that my 7-year-old could understand. And people liked it! Since then I’ve realized that what I learn from my children I can teach to my peers, employees or clients; and what I learn in my professional world often works on the children.

He is 13 now and his schedule is getting busier with hockey games, practices, chores, parties, friends plus increased homework. Despite the fact that his school provides him with a $12 agenda, he still doesn’t write any deadlines down or prioritize. For example, since he started being accountable for doing his laundry, on some mornings, when he realizes he doesn’t have any clean pants to wear, he digs into his laundry basket to pull out a pair of previously worn jeans. Gross.

What’s funny is that I think the behaviour of a 13-year-old boy is a window into the attitudes of the C-suite and board members to risk management, who seem to prefer to wait until their closet is empty before they wash their clothing. Doing laundry, like risk management, is important, but it is not urgent until it becomes urgent.

My boy may be a little irresponsible and a bit lazy but I am optimistic I can teach him some of Stephen Covey’s basic lessons like putting the big rocks in first and being proactive. I have no doubt he will grow up to be a responsible young man.

As for all those people who keep putting off their risk management efforts… I think all they have to look forward to is wearing dirty stink pants from the laundry basket until a 13-year-old girl tells them that they smell.

The good folks at Riskviews got me thinking about my least read posts. I’ve been doing this for a few years and understand that no one wants to scroll through over 300 blog entries to find some gems from 2006. So here are a few items you may have missed that might be worth your time.

A Common Sense Approach to ERM

In a sentence, The Riskczar describes the common sense approach to the process of risk management like this: First you identify your risks, you figure out which ones are the most important, next you decide how to address them and then you do something about it and tell everyone how you are doing from time to time.


Fantasy football pool risk management

Risk Management Monitor addresses the concern about employees spending hours of company time researching and updating their fantasy football picks. Some argue that it’s disruptive – having fired employees or blocked access to certain websites from the company network – while others suggest it boosts morale.

Riskczar believes that fantasy football is merely another workplace distraction. If people were not spending their workday on sports betting, they might be wasting time on Facebook or Twitter. And in places where those sites are banned, your employees may be reading the online version of the Wall Street Journal, shopping on Amazon or searching for a new job on Monster. If we transport ourselves back to 1990 before the Internets, people used to hang out by the water cooler talking about football or the latest episodes of Cheers and The Cosby Show. Unengaged employees have always found a way to slack off. Technology didn’t create that.

And what goes for the workplace often goes for the classroom. When I returned to school in 2001, only a couple of people had wireless Internet access from their laptops. One professor was upset that the surfing was going on and wanted to turn off the connection. Here’s my take: before wifi, people brought laptops to class and played Solitaire and before that people passed notes around or doodled on their hands. Today they probably play on their iPhones or BlackBerry devices. Unengaged students will always find a way to pass the time. Technology didn’t create that.

But in the end does it really matter what your employees are doing with their time so long as all of their work is getting done on time?

The CRO cannot be expected to do what only the CEO can do

Here’s an excellent op-ed piece in US Banker about the role of the chief risk officer and the CEO. This may be the best thing I’ve read in months.

Setting the tone for this article is Warren Buffett who recently wrote in the BRK shareholder’s letter: “I believe that a CEO must not delegate risk control. It’s simply too important. … If Berkshire ever gets in trouble, it will be my fault. It will not be because of misjudgments made by a risk committee or chief risk officer.”

The author writes:
1)  CEO is directly responsible for thoroughly understanding and signing off on all significant risks embedded in the bank’s business strategy
2)  CEO is directly responsible for protecting the bank’s franchise against excessive or inappropriate risks that could derail the business strategy or damage the bank’s reputation and access to capital.
3)  CEO is directly responsible for creating a strong risk culture across the entire bank

Read this article then read it again. Print it out and nail it to the front door of your bank too.

What can Grover teach us about risk management?

In a book called Project Manager’s Spotlight on Risk Management by Kim Heldman, the author references The Monster at the End of This Book by Jon Stone and Michael Smollin to demonstrate the importance of having a risk response plan for dealing with monsters and threats in projects.

I took this allegory a step further and actually read this book to a room full of adults during my presentations on risk management basics.

In the book, Grover is concerned with the monster he is going to find at the end of this book. To mitigate this threat, Grover spends thousands of dollars on costly building supplies to prevent us from turning pages, so that we do not get to the end of the book.

As a risk management professional, I appreciate Grover’s proactive risk management approach, but unfortunately, our blue, furry little friend overreacts to the threat.

If he had only performed a proper risk assessment, rather than basing it on anecdotal evidence – he learns about the monster by reading the title page only – Grover may have realized that the monster did not have the catastrophic impact he expected it to have. It turns out the risk was not even material.

With more due diligence, Grover may have chosen a different risk treatment: he could have accepted the risk by doing nothing or transferred it to someone more naïve like Elmo.

This book is a great primer on risk management and one that your three-year-old might also enjoy.

Since the world is singing the praises of the late Steve Jobs, I thought I would share my earliest Apple memories.

It was probably 1981. I was in the sixth grade when my friend first mentioned his Apple computer. I had no idea what a computer actually was nor what it did or looked like. When he described this “computer” I visualized an arcade game like Pac-Man where you stood while you used it. It wasn’t until the following year that I saw my first Apple computer at school. We played with Logo and drew pictures by typing code and I still have no idea what the benefit was. It was around that time that we bought one at home.

I believe that Apple ][e cost $2400. I remember splitting the cost three ways between my brother, my parents and me. We had some bar mitzvah cash we were looking to spend.

My Apple ][e introduced me to programming. It was always fun when I walked past one on display in a department store and typed the following code then walked away. Sometimes I typed bad words too.

20 GOTO 10







My Apple ][e was fun for its walkthrough games like Kabul Spy and action games like Lode Runner or Karateka (I recommend you watch the Karateka video. It’s good times).

Incidentally, I also remember when Apple introduced the Lisa. I liked a girl named Lisa in 1983 so it was funny.

By 1990, I was in university and Apple’s Bank Street Writer word processor wasn’t cutting it. I despised all those MS-DOS back-slashes so the new Mac Classic, which was about half the price of the previous Macs, was a no-brainer for me. I believe I paid $1600 for that one. I pulled it out of storage last year just to show it to my son, now 13. It was fun showing him that old Mac.

I didn’t know Steve Jobs but he was responsible for making some neat stuff and some pretty nice memories. My son has an iPod Touch now but I doubt it will give him the same great memories that I had with my first Apple product.

I read two articles yesterday which suggested to me that 1-in-5 people in leadership positions are confused.

A PwC survey revealed that only “21% of leaders understand the potential value of social media”.

In another survey by Greenwich Associates and reported in Risk Management Magazine, “The study finds that less than 20% of participating companies say their boards of directors fully agree that ERM is a real strategic imperative for their companies.”

Of course we all know about the 1 out of 5 people surveyed who would not recommend Trident sugarless gum to their patients who chew gum.

Therefore, it would appear that people who are proponents of ERM, have cavities and no Twitter accounts.
