risk management & business continuity management ir. paul olivier group manager vinçotte...
Post on 23-Dec-2015
220 Views
Preview:
TRANSCRIPT
Risk Management & Business Continuity Management
Ir. Paul Olivier
Group manager Vinçotte Certification
Faculty Antwerp Management School
The standards
3
ISO 31000: 2009 Risk management-Principles and guidelines.
ISO 31010: Risk management- Risk assessment guidelines
Part 1
ISO 31000
Risk Management
RA process & RM system
ISO 31000: Introduction
• RM enables the organization to: • Increase the likelyhood of achieving objectives• Improve the identification of opportunities and threats• Improve governance• Improve stakeholder confidence and trust• Improve loss prevention and incident management• Improve organizational resilience
5
ISO 31000 Risk management The 5 chapters
1. Scope
2. Definitions
3. Principles
4. The system of risk management (organizational framework)
5. The risk management process
6
ISO 31000: Definitions 1see ISO Guide 73:2009
• Risk = uncertainty on objectives, is a combination of likelihood(*) and consequence of an event
• Risk assessment = the overall process of risk identification, risk analysis and risk evaluation
• Risk attitude = organization’s approach to assess and pursue, retain, take or turn away from risk
(*) likelihood: chance of something happening, probability is interpreted as a mathematical term
7
ISO 31000: Definitions 2see ISO Guide 73:2009
• Risk treatment = process to modify risks (avoid, remove, change likelihood, change consequence, share risk wiht other parties, retain
• Residual risk = risk remaining after treatment• Risk management coordinates activities to direct and
control an organization with regard to risk
8
ISO 31000 Risk management
9
Chapter 3: Principles
Chapter 4: RM System
How to insert RM in your organization?
Chapter 5: RM Process
What process steps does RM contains?
10
Part 1.1: ISO 31000: Risk Assessment Process
ISO 31000: RA Process
• 1. Risk identification• Establish a comprehensive (exhaustive?) list of risks that may
create, enhance, prevent, degrade, accelerate or delay the achievement of goals
• Create the Risk Register • Consider the interdependence of different risks and their sources
11
• 2. Understanding the organization and its context- External
• The social, cultural, political, legal, regulatory, financial, technological, economical, natural and competitive environment, whether international, national, regional or local
• Key drivers and trends having impact on organization objectives
• Relationships with, preceptions and values of external stakeholders
- Internal• Governance, policies, objectives, capabilities, knowledge,
processes, information, culture, models, contractual relationships,... 12
Ferma risk management norm 2003(Federation of european risk management associations)
14
16
Risk register: List of hazards n° 5061/2005 EZU
Strategic risks Current business Dependencies on customerDependencies on suppliersChange in attitudes, needs of customerUnavailability of resources (raw material,..)
Future business Product specifications ( inadequate perfomance caracteristics)Product development (development phases inadequate)
Environmental changes
Modifications in laws & regulationsPolitical change (instability of government)Modifications of individual rights
Acquisitons Cultural affinity Information & mgt tools Financial burdens (lawsuits, insurance contracts, pension schemes,..)
Image and brand Brand loses emotionHuman rights problemEcological problem
ISO 31000: RA Process
• 3. Risk analysis• Determine level of risk through likelihood and consequence (tangible and
intangible)• Consider the confidence and sensitivity• Qualitative, semi quantitative, quantitative analysis
17
Risk management guidelines to AS/NZS 4360: 2006
20
ISO 31000: RA Process
• 4. Risk evaluation• assists decision making• define risk appetite and acceptable level• identifies risk that need treatment• defines priority for treatment implementation
21
ISO 31000: RA Process
• 5. Risk treatment (cyclical process)• Generate controls and decide whether residual risks are tolerable,
if not generate new controls• Risk treatment options
» Retain risk by informed decision» Avoid risk by not starting the activity» Reduce risk by:
» Removing risk source» Reducing consequence» Reducing likelihood
» Share or transfer risk
27
28
Part 1.2:ISO 31000: RM System (Framework)
ISO 31000: RM Framework
• 4.3.2. Establishing the RM policy• State the RM rationale (RAM) and define the acceptance
levels in probability and consequence (risk appetite).
• 4.3.3. Accountability• Define risk manager and risk owners
• 4.3.4. Integration into organizational processes• Insert the notion risk in all decision processes
• 4.3.5. Resources• Information and knowledge mgt systems
• 4.3.6. Internal communication and reporting• 4.3.7. External communication and reporting
29
Part 2
BS 25999
Business Continuity Management
BC process & BC system
The standards
31
BS 25999- 1: 2006 Business continuity management-Part 1: Code of practice
BS 25999-2:2007: Business continuity management-Part 2 : Specifications
BS 25999-2: 2007 BCM The 6 chapters
1. Scope
2. Terms & definitions
3. Planning the business continuity management system (PLAN)
4. Implementing and operating the BCMS (DO)
5. Monitoring and reviewing the BCMS (CHECK)
6. Maintaining and improving the BCMS (ACT)
32
BS 25999: Scope
• More interdependancies in the supply chain
• BCM safeguards interests of stakeholders, brand, business
• BCM builds resilience for effective response
• Certification possible
33
BS 25999: Definitions
• BCMS = system which provides resilience and the capability for effective response to safeguard the interests of key stakeholders, reputation, brand and value creating acitivities
• BIA = business impact analysis, process of analysing business functions and the effect that business disruption might have upon them
• IMP = incident management plan, plan of action during the incident
• BCP = business continuity plan, procedures for use in an incident to enable the organization to continue to deliver its critical activities at an acceptable predefined level
34
BCM & incident preparedness
BCMRM
Part 2.1 BS 25999: BCMS Process
36
BS 25999 : BCM Process1. Understanding the organization
• RA (Risk Assessment) (4.1.2) Understand the threats and vulnerabilities Identify the threats that become an incident and causes business
disruption Establish the likelihood of a disruption Choose appropriate risk treatments in accordance to its level of risk
acceptance
37
BS 25999 : BCM Process1. Understanding the organization
• BIA (Business Impact Analysis) (4.1.1)» Define critical processes, services, products, installations, premisses,
persons, customers, supliers, supply sources for survival of the business» Determine the impact of any disruption of the business, » Establish MTPoD (maximum tolerable period of disruption)» Estblish minimum level of business reponse» Identify all dependencies with suppliers and outsource partners» Set RTO (recovery time objectives)
38
40
BS 25999 : BCM Process2. Develop response IMP (incident management plans)
Identify lines of communications Define roles and responsibilities during and after the incident
(who and how to start IMP and who and how to stop IMP) Crisis command center (and alternatives) with access to TV,
GSM, critical docs, press, internet Details of key stakeholders, emergency services, employees and
relatives Media response organization Technical response (what actions ifo time), prevention of further
loss Crisis log of the incident
44
BS 25999 : BCM Process3. Determine strategyBCP (business continuity plans)
Premisses: forsee alternative locations, work from home, rent new premisses, go to low wage countries
People: introduce extra shifts in other production locations Technology: emergency replacement of installations or spares,
outsource, split production, geographical spread, upgrade to new technology
Information: go to external IT site, convert to PC network, go to call centers, use gsm network or smart phones, back up or critical docs,
Suppliers: extra storage, supplier with JIT contract to fulfill key customer’s contract
Other stakeholders: forsee crisis communication, psychologic assistance
Civil emergencies: contacts with civil protection, emergency services
45
BS 25999 : BCM Process4. Exercise, maintain and review
Exercise programme approved by top mgt Post exercise review, written report on exercise Exercises (document check, technical functionality test,
theoretical exercise or dry test, practical test)
46
Part 2.2.BS 25999: BCM System (Framework)
47
BS 25999: Framework Chapt 3: Planning BCMS
• 3.2. establish and manage system• Define objectives of BCMS
• Establish BCM policy
• Provide resources
• Ensure competency of personnel
• 3.3. Embed BCM in the organization’s culture
• 3.4. Provide documentation & records
48
BS 25999 Framework Chapt. 4: Implementing & operating BCM process
• 4.1. Understanding the organization (BIA & RA)
• 4.2. Determining the business continuity strategy
• 4.3. Developing and implementing a BCM response
• 4.4. Exercising, maintaining and reviewing BCM arrangements
49
BS 25999: Framework Chapt. 5: Monitoring & reviewing the BCMS
• 5.1. Internal audit
• 5.2. Management review Review after significant changes Post exercise review, written report on exercise
50
BS 25999 FrameworkChapt. 6: Maintaining & improving the BCMS
• 6.1. Preventive and corrective actions
• 6.2. Continual improvement
51
Part 2.3.Certificatie criteria BCM proces
• Risk Register• Risk Map• BCM curve
Certificatie criteria BCM proces
• Risk Register• Risk Map• BCM curve
Certificatie criteria BCM proces
• Risk Register• Risk Map• BCM curve
Certificatie criteria BCM System
• PLAN• Policy• RM mgr & jobdescription
• DO• Implement RM proces (new decisions, changes)• RM communication (reporting)• RM training
• CHECK• RM audit
• ACT• RM mgt review
Part 3
PAS 55-1
Asset Management
AM process & AM system
The standards
57
PAS 55-1:2008 Asset management
Part 1: Specification for the optimized management of physical assets
Introduction
• PAS is specifically intended to cover the life cycle management of the assets and, in particular, the assets that are core to an organization’s purpose, such as utility networks, power stations, railway or road systems, oil and gas installations, manufacturing and process plants, buildings and airports
• optimize the combination of assets in accordance with their life cycle, criticalities, condition, performance and chosen risk profile of the organization 58
Introduction
• any asset intensive business, where significant expenditure, resources, performance dependency and/or risks are associated with the creation/acquisition, utilization, maintenance or renewal/disposal of assets
• any organization that has, or intends to manage or invest in, a significant portfolio of assets, or where the performance of asset systems and the management of assets are central to the effective delivery of service, product or other business objectives
59
64
top related