Risk Management
&
Business Continuity Management
Ir. Paul Olivier
Group manager Vinçotte Certification
Faculty Antwerp Management School
The standards
ISO 31000:2009 Risk management - Principles and guidelines
ISO 31010: Risk management - Risk assessment guidelines
Part 1
ISO 31000
Risk Management
RA process & RM system
ISO 31000: Introduction
• RM enables the organization to:
  • Increase the likelihood of achieving objectives
  • Improve the identification of opportunities and threats
  • Improve governance
  • Improve stakeholder confidence and trust
  • Improve loss prevention and incident management
  • Improve organizational resilience
ISO 31000 Risk management
The 5 chapters
1. Scope
2. Definitions
3. Principles
4. The system of risk management (organizational framework)
5. The risk management process
ISO 31000: Definitions 1
see ISO Guide 73:2009
• Risk = uncertainty on objectives; it is a combination of likelihood (*) and consequence of an event
• Risk assessment = the overall process of risk identification, risk analysis and risk evaluation
• Risk attitude = organization’s approach to assess and pursue, retain, take or turn away from risk
(*) likelihood: chance of something happening; probability is interpreted as a mathematical term
ISO 31000: Definitions 2
see ISO Guide 73:2009
• Risk treatment = process to modify risks (avoid, remove, change likelihood, change consequence, share risk with other parties, retain)
• Residual risk = risk remaining after treatment
• Risk management coordinates activities to direct and control an organization with regard to risk
ISO 31000 Risk management
Chapter 4: RM System
How to insert RM in your organization?
Chapter 5: RM Process
What process steps does RM contain?
Chapter 3: Principles
Part 1.1:
ISO 31000: Risk Assessment Process
ISO 31000: RA Process
• 1. Risk identification
  • Establish a comprehensive (exhaustive?) list of risks that may create, enhance, prevent, degrade, accelerate or delay the achievement of goals
  • Create the Risk Register
  • Consider the interdependence of different risks and their sources
• 2. Understanding the organization and its context
  - External
    • The social, cultural, political, legal, regulatory, financial, technological, economic, natural and competitive environment, whether international, national, regional or local
    • Key drivers and trends having impact on organization objectives
    • Relationships with, perceptions and values of external stakeholders
  - Internal
    • Governance, policies, objectives, capabilities, knowledge, processes, information, culture, models, contractual relationships,...
Ferma risk management norm 2003 (Federation of European risk management associations)
Risk register:
List of hazards n° 5061/2005 EZU
Strategic risks
• Current business
  » Dependencies on customer
  » Dependencies on suppliers
  » Change in attitudes, needs of customer
  » Unavailability of resources (raw material,..)
• Future business
  » Product specifications (inadequate performance characteristics)
  » Product development (development phases inadequate)
• Environmental changes
  » Modifications in laws & regulations
  » Political change (instability of government)
  » Modifications of individual rights
  » Acquisitions
  » Cultural affinity
  » Information & mgt tools
  » Financial burdens (lawsuits, insurance contracts, pension schemes,..)
• Image and brand
  » Brand loses emotion
  » Human rights problem
ISO 31000: RA Process
• 3. Risk analysis
  • Determine level of risk through likelihood and consequence (tangible and intangible)
  • Consider the confidence and sensitivity
  • Qualitative, semi quantitative, quantitative analysis
(figure: Risk management guidelines to AS/NZS 4360: 2006)
ISO 31000: RA Process
• 4. Risk evaluation
  • assists decision making
  • define risk appetite and acceptable level
  • identifies risk that need treatment
  • defines priority for treatment implementation
ISO 31000: RA Process
• 5. Risk treatment (cyclical process)
  • Generate controls and decide whether residual risks are tolerable, if not generate new controls
  • Risk treatment options
    » Retain risk by informed decision
    » Avoid risk by not starting the activity
    » Reduce risk by:
      » Removing risk source
      » Reducing consequence
      » Reducing likelihood
    » Share or transfer risk
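The analysis, evaluation and cyclical treatment steps above can be run over a register in code. The following is an added example, not material from the slides: a semi-quantitative risk register (1..5 scales, level = likelihood x consequence) with an assumed risk appetite of 6, the treatment options listed on the slide, and residual-risk tracking until a risk is tolerable. Scales, threshold and register entries are constructed for illustration.

```python
from dataclasses import dataclass, field

# Risk appetite (assumed for this example): a level of likelihood x consequence
# at or below this value is retained by informed decision.
ACCEPTABLE = 6

@dataclass
class Risk:
    name: str
    likelihood: int            # 1 (rare) .. 5 (almost certain)
    consequence: int           # 1 (negligible) .. 5 (catastrophic)
    controls: list = field(default_factory=list)

    def level(self) -> int:    # semi-quantitative level of risk
        return self.likelihood * self.consequence

def evaluate(register):
    """Risk evaluation: risks above appetite, in priority order for treatment."""
    return sorted((r for r in register if r.level() > ACCEPTABLE),
                  key=lambda r: r.level(), reverse=True)

def treat(risk, option, control, delta=1):
    """Apply one treatment option and return the residual risk."""
    res = Risk(risk.name, risk.likelihood, risk.consequence, risk.controls + [control])
    if option == "reduce_likelihood":
        res.likelihood = max(1, risk.likelihood - delta)
    elif option == "reduce_consequence":
        res.consequence = max(1, risk.consequence - delta)
    elif option == "share":          # part of the impact is borne by another party
        res.consequence = max(1, risk.consequence - delta)
    elif option == "avoid":          # activity not started: no residual risk
        res.likelihood = res.consequence = 0
    elif option != "retain":         # retain: level unchanged, decision recorded
        raise ValueError(f"unknown treatment option {option!r}")
    return res

def treat_until_tolerable(risk, plan):
    """Cyclical treatment: apply controls in order until the residual risk is
    within appetite; returns (residual_risk, tolerable)."""
    for option, control, delta in plan:
        risk = treat(risk, option, control, delta)
        if risk.level() <= ACCEPTABLE:
            return risk, True
    return risk, False

REGISTER = [   # constructed sample entries, scored on the 1..5 scales above
    Risk("Dependency on a single supplier", 4, 4),
    Risk("Change in laws & regulations", 2, 2),
    Risk("Financial burden from lawsuit", 3, 3),
]
```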
Part 1.2:
ISO 31000: RM System (Framework)
ISO 31000: RM Framework
• 4.3.2. Establishing the RM policy
• State the RM rationale (RAM) and define the acceptance
levels in probability and consequence (risk appetite).
• 4.3.3. Accountability
• Define risk manager and risk owners
• 4.3.4. Integration into organizational processes
• Insert the notion risk in all decision processes
• 4.3.5. Resources
• Information and knowledge mgt systems
• 4.3.6. Internal communication and reporting
• 4.3.7. External communication and reporting
Part 2
BS 25999
Business Continuity Management
BC process & BC system
The standards
BS 25999-1:2006 Business continuity management - Part 1: Code of practice
BS 25999-2:2007 Business continuity management - Part 2: Specifications
BS 25999-2: 2007 BCM
The 6 chapters
1. Scope
2. Terms & definitions
3. Planning the business continuity management system (PLAN)
4. Implementing and operating the BCMS (DO)
5. Monitoring and reviewing the BCMS (CHECK)
6. Maintaining and improving the BCMS (ACT)
BS 25999: Scope
• More interdependencies in the supply chain
• BCM safeguards interests of stakeholders, brand, business
• BCM builds resilience for effective response
• Certification possible
BS 25999: Definitions
• BCMS = system which provides resilience and the capability for effective response to safeguard the interests of key stakeholders, reputation, brand and value creating activities
• BIA = business impact analysis, process of analysing business functions and the effect that business disruption might have upon them
• IMP = incident management plan, plan of action during the incident
• BCP = business continuity plan, procedures for use in an incident to enable the organization to continue to deliver its critical activities at an acceptable predefined level
BCM & incident preparedness (figure: RM, BCM)
Part 2.1
BS 25999: BCMS Process
BS 25999 : BCM Process
1. Understanding the organization
• RA (Risk Assessment) (4.1.2)
  » Understand the threats and vulnerabilities
  » Identify the threats that become an incident and cause business disruption
  » Establish the likelihood of a disruption
  » Choose appropriate risk treatments in accordance with the level of risk acceptance
BS 25999 : BCM Process
1. Understanding the organization
• BIA (Business Impact Analysis) (4.1.1)
  » Define critical processes, services, products, installations, premises, persons, customers, suppliers, supply sources for survival of the business
  » Determine the impact of any disruption of the business
  » Establish MTPoD (maximum tolerable period of disruption)
  » Establish minimum level of business response
  » Identify all dependencies with suppliers and outsource partners
  » Set RTO (recovery time objectives)
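A BIA is only consistent when each critical activity can be recovered, including everything it depends on, within its MTPoD. The following added example (not from the slides) checks a constructed BIA register: every activity has an MTPoD and an RTO in hours and may depend on other activities or on an outsourced partner, and the effective recovery time of an activity is the longest RTO along its dependency chain. Activity names and values are constructed for illustration.

```python
# Constructed BIA register (hours). "deps" lists internal activities and
# outsourced partners the activity cannot run without.
BIA = {
    "order_intake":    {"mtpod": 24, "rto": 8,  "deps": ["erp", "call_center"]},
    "erp":             {"mtpod": 72, "rto": 24, "deps": ["datacenter"]},
    "call_center":     {"mtpod": 24, "rto": 4,  "deps": ["telecom_partner"]},
    "datacenter":      {"mtpod": 96, "rto": 48, "deps": []},
    "telecom_partner": {"mtpod": 24, "rto": 12, "deps": []},   # outsourced partner
}

def effective_rto(bia, name, seen=()):
    """Longest RTO on the dependency chain of `name`; a cycle is a BIA error."""
    if name in seen:
        raise ValueError(f"cyclic dependency at {name}")
    entry = bia[name]
    chain = [entry["rto"]]
    for dep in entry["deps"]:
        chain.append(effective_rto(bia, dep, seen + (name,)))
    return max(chain)

def bia_findings(bia):
    """Return {activity: (effective_rto, mtpod)} for every activity whose
    recovery chain is longer than the business can tolerate."""
    findings = {}
    for name, entry in bia.items():
        eff = effective_rto(bia, name)
        if eff > entry["mtpod"]:
            findings[name] = (eff, entry["mtpod"])
    return findings

if __name__ == "__main__":
    for name, (eff, mtpod) in bia_findings(BIA).items():
        print(f"{name}: effective RTO {eff}h exceeds MTPoD {mtpod}h")
```

Here order_intake's own 8 h RTO looks fine, but its dependency on the ERP system and through that on the datacenter makes the real recovery time 48 h, twice its MTPoD.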
BS 25999 : BCM Process
2. Develop response
IMP (incident management plans)
  » Identify lines of communications
  » Define roles and responsibilities during and after the incident (who and how to start IMP and who and how to stop IMP)
  » Crisis command center (and alternatives) with access to TV, GSM, critical docs, press, internet
  » Details of key stakeholders, emergency services, employees and relatives
  » Media response organization
  » Technical response (what actions ifo time), prevention of further loss
  » Crisis log of the incident
BS 25999 : BCM Process
3. Determine strategy
BCP (business continuity plans)
  » Premises: foresee alternative locations, work from home, rent new premises, go to low wage countries
  » People: introduce extra shifts in other production locations
  » Technology: emergency replacement of installations or spares, outsource, split production, geographical spread, upgrade to new technology
  » Information: go to external IT site, convert to PC network, go to call centers, use GSM network or smart phones, back up of critical docs
  » Suppliers: extra storage, supplier with JIT contract to fulfill key customer’s contract
  » Other stakeholders: foresee crisis communication, psychological assistance
  » Civil emergencies: contacts with civil protection, emergency services
BS 25999 : BCM Process
4. Exercise, maintain and review
  » Exercise programme approved by top mgt
  » Post exercise review, written report on exercise
  » Exercises (document check, technical functionality test, theoretical exercise or dry test, practical test)
Part 2.2.
BS 25999: BCM System (Framework)
BS 25999: Framework
Chapt 3: Planning BCMS
• 3.2. Establish and manage system
  • Define objectives of BCMS
  • Establish BCM policy
  • Provide resources
  • Ensure competency of personnel
• 3.3. Embed BCM in the organization’s culture
• 3.4. Provide documentation & records
BS 25999 Framework
Chapt. 4: Implementing & operating BCM process
• 4.1. Understanding the organization (BIA & RA)
• 4.2. Determining the business continuity strategy
• 4.3. Developing and implementing a BCM response
• 4.4. Exercising, maintaining and reviewing BCM arrangements
BS 25999: Framework
Chapt. 5: Monitoring & reviewing the BCMS
• 5.1. Internal audit
• 5.2. Management review
  » Review after significant changes
  » Post exercise review, written report on exercise
BS 25999 Framework
Chapt. 6: Maintaining & improving the BCMS
• 6.1. Preventive and corrective actions
• 6.2. Continual improvement
Part 2.3.
Certification criteria BCM process
• Risk Register
• Risk Map
• BCM curve
Certification criteria BCM System
• PLAN
  • Policy
  • RM mgr & job description
• DO
  • Implement RM process (new decisions, changes)
  • RM communication (reporting)
  • RM training
• CHECK
  • RM audit
• ACT
  • RM mgt review
Part 3
PAS 55-1
Asset Management
AM process & AM system
The standards
PAS 55-1:2008 Asset management - Part 1: Specification for the optimized management of physical assets
Introduction
• PAS is specifically intended to cover the life cycle management of the assets and, in particular, the assets that are core to an organization’s purpose, such as utility networks, power stations, railway or road systems, oil and gas installations, manufacturing and process plants, buildings and airports
• optimize the combination of assets in accordance with their life cycle, criticalities, condition, performance and chosen risk profile of the organization
Introduction
• any asset intensive business, where significant expenditure, resources, performance dependency and/or risks are associated with the creation/acquisition, utilization, maintenance or renewal/disposal of assets
• any organization that has, or intends to manage or invest in, a significant portfolio of assets, or where the performance of asset systems and the management of assets are central to the effective delivery of service, product or other business objectives