Latest Blog

Don’t forget to unmute the video.


Here’s a story about a watermain break in the Montreal borough of Pierrefonds, Quebec which left about fifty homes without water for a couple of days. The West Island Gazette writes:

Pierrefonds residents can expect two four-litre bottles of water per household will be delivered to their door by borough workers sometime before supper, Monday. Borough spokesperson Johanne Palladini explained the watermain break, which has left between 40 and 50 Fifth Avenue homes without water since Sunday morning, will only be fixed Monday night, sometime between 9 and 10 p.m.

While I agree delivering water to these families is a terrific humanitarian gesture, from a risk management perspective it’s a terrible idea.

Risk management is about preparing for events that are important but not urgent and most of the time people don’t recognize the value of identifying, assessing and managing risks until after an event (like this!) takes place. The upside of being left without water for two days is people saying “never again” then make preparations for the Next Time.

So when the government steps in to mitigate some of the pain caused by the broken watermain then that risk management lesson is not learned.

For more please see my earlier post Under the Dome Risk Management or go to the Government of Canada’s list of basic emergency kit items.









Photo: Courtesy of Emergency Outdoors

Once upon a time there were three little boys left unsupervised while on a field trip when one of them spotted a large crack in a window pane. So he tapped the glass once and nothing happened. Next, the second boy tried his luck and poked the glass as well. Tap tap tap. Again it did not break.

Now the third boy approached, looked around, saw that none of the teachers were watching and because his friends didn’t break the window he tapped lightly on the glass with his index finger. Nothing. So he poked harder. No change. Then again. Again. Another time. Ok again. Faster.

Finally the glass broke.

The funny thing is that I don’t believe the boys wanted to break the window. I submit all they wanted to do was tap repeatedly on the glass without the glass breaking. But if that’s the case how does anyone know when to stop tapping?

We use the process of risk management as a way to identify where all the cracked windows are in an organization. It also allows decision-makers to collectively decide what should be done (if anything, about these cracks). In some cases we replace the window pane immediately; we affix a warning sign; or assume anyone that sees the crack won’t touch it. But I think most people will just tap on the cracked window until it breaks and worry about it then.


Now risk management is not the panacea that will tell you when the window will break but you would be foolish if you knew about all your cracked windows and didn’t prepare for what might happen when one breaks.


Many people will agree that risk management is important. After we identify and assess a risk, it is treated appropriately and managed to an acceptable level. But is it possible to over-risk manage? Can the treatment become so onerous that people are encouraged to find workarounds thus rendering the controls useless? And if so, why does it happen?

Following the bombings of two American embassies in Africa in 1998 new facilities were redesigned and built by “American construction companies with experience in building prisons and military barracks”. Many buildings were moved to less populated areas or on the outskirts of town.

As a result many foreign diplomats were insulted having to visit these prison-like facilities. What’s more it became more difficult for the American officials to do their jobs forcing them to devise “creative” solutions like meeting people in hotels (thus rendering the control useless).

Sometimes this happens when we assess a risk higher than it should be but I think the recent events in Benghazi support the assertion that the risk to American diplomats was correctly assessed: high impact and high likelihood. If so, why overdo it with the controls?

First, I submit that nobody bothered to ask the diplomats what their requirements were and how these prison/embassies would affect their work and lifestyle. But even if that information was solicited and considered it was likely ignored and usurped by the second reason which the former ambassador to Yemen explains in the article: “Nobody wants to take responsibility in case something happens, so nobody is willing to have a debate over what is reasonable security and what is excessive.”

So despite best efforts to keep US official safe, when one of them is blown up in a hotel at least a State Department official will be able to explain to Anderson Cooper that they built these fortresses and it’s not our fault the ambassador did not want to use it.



There’s an intersection in my neighbourhood that makes me nervous to drive through. Imagine a quiet suburban street that goes north-south which intersects the east-west streets that only have stop signs. I’ve observed that frequently cars travelling east-west roll through their stop or assume it is a four-way stop and the perpendicular traffic will yield to their non-existent red octagon. Literally this is an accident waiting to happen.

As a result of the limited trust I have in the drivers going the other way, when going north-south I tend to slow down. And when I do my wife mocks my intersection risk management.

Next, I know a fellow who used to lock his car doors when he drove (much to the ridicule of his elder sibling). It was all shits and giggles until once at a red light, someone opened the elder brother’s car door and stole what was on his passenger seat.

This all reminds me of the poem “La cigale et la fourmi” by Jean de La Fontaine that I had to memorize in the third grade. You’ll know it: it’s the one about the cricket who is having good times singing all summer while the ant was saving food preparing for the winter. Well the cricket laughed at the ant’s risk management practices and you know what happened? The cricket died in the winter. He died.

Most often people don’t manage risk until something bad actually happens and by then sometimes it’s too late (see cricket above).

So don’t make fun of risk management or those who do it.

My lovely wife wants to take me camping next weekend. I’ve never been camping but understand camping was a part of her life before we met. I’ve explained that I am not averse to camping despite the dirt, cold, sleeping on the ground, canned beans, raccoons, no wifi, poison ivy, bugs and bears. But am quite looking forward to it!

While looking for camp sites in central Ontario, Killbear Provincial Park seemed like the choice. With a name that includes the verb ‘kill’ and the noun ‘bear’ I imagine it must be safe! She began doing some research on and found the following comments from a few weeks ago.

The park and the water are outstanding, we would love to come back any time, but a threatening bear encounter will make us think twice.

I had my car lights spraying the site and direction of where the Bear was as we were tearing down we were loading the trunk – I then heard a thud and crack and turned to see the Black Bear with its head in my trunk trying to get into the car…

…We had a bear snuffing and growling right outside of our tent and stamping its paws so hard the ground trembled. We left shortly after, and stayed at a hotel for the first night.

Immediately after reading these comments my beautiful wife decide against Killbear because the Bear Risk was too great. But is there more risk than other nearby sites we were considering?

Being the risk manager that I am I was curious if the Bear Risk at Killbear was as “extremely likely” as she would believe from these comments and did a quick assessment:

According to the Ontario Ministry of Natural Resources “Since the early 1900s there have been fewer than 70 deaths in North American as a result of black bears”. ( I guess it only said ‘killed’, there was no mention of how many people were de-gloved by bears.)

The same ministry provides a map to illustrate the density of bears in parts of Ontario. Killbear, and all the other sites we were looking at north of Toronto are located in the brown shaded area. Conclusion: Killbear should have the same number of bears as all the other sites so why not go there anyway!

Although we will do proper bear risk management when we camp like hide our food and clean up at night there is always a possibility there will be a bear. People do this all the time by assessing a risk based on limited information (see comments above) or emotion.

I say that if we jump to the conclusion that bears will attack us next weekend just because people saw bears a few weeks ago, THEN THE BEARS WIN.

Assess your risks carefully and manage them accordingly.


In my third instalment of this increasingly less funny series, we look at how popular auditor and blogger Norman Marks might make a PBJ sandwich.

How to Make a Peanut Butter Sandwich: Norman Marks

  1. Add jam and peanut butter to bread.
  2. Perform a self-assessment to determine if that was actually peanut butter, jam and bread.
  3. Check off boxes.
  4. Ask Tim Leech if this is an adequate sandwich.
  5. Draft a new framework about how to make a peanut butter and jam sandwich.
  6. Solicit input on LinkedIn from others who like peanut butter and jam sandwiches.
  7. Publish findings in Internal Audit magazine.


One of the biggest risks about evacuating your office in the event of an emergency is getting people to actually evacuate safely. You can send all the emails you want about procedures but like the boy who cried were(wolf) sometimes we hear the warning alarms so frequently that when we really have to evacuate we don’t bother. As a result many BCM people struggle with how to get people to read and learn.

Then last summer I read a preparedness post by the Centre for Disease Control who spun the best practices for traditional disasters like hurricanes and earthquakes into the context of a zombie attack. They wrote: “You may laugh now, but when it happens you’ll be happy you read this, and hey, maybe you’ll even learn a thing or two about how to prepare for a real emergency.”

I thought it was brilliant because it got the message across in a funny way which almost guaranteed that the recipient would read (and finish) the post.  Against that backdrop I re-wrote my internal evacuation memo in this zombie style borrowing shamelessly from the CDC (as well as Amanda Ripley and the Zimmerman/Sherman essay “To Leave an Area After Disaster”.)

Consider this a template for your evacuation memo. So read it, take it, borrow it, steal it and share it. Save lives.

Read and steal the memo template here.