Upload: ira-lee

Post on 23-Dec-2015


TRANSCRIPT

Page 1: Risk Management & Business Continuity Management Ir. Paul Olivier Group manager Vinçotte Certification Faculty Antwerp Management School

Page 2:

Risk Management & Business Continuity Management

Ir. Paul Olivier

Group manager Vinçotte Certification

Faculty Antwerp Management School

Page 3:

The standards

ISO 31000:2009 Risk management - Principles and guidelines

ISO/IEC 31010:2009 Risk management - Risk assessment techniques

Page 4:

Part 1

ISO 31000

Risk Management

RA process & RM system

Page 5:

ISO 31000: Introduction

• RM enables the organization to:
» Increase the likelihood of achieving objectives
» Improve the identification of opportunities and threats
» Improve governance
» Improve stakeholder confidence and trust
» Improve loss prevention and incident management
» Improve organizational resilience

Page 6:

ISO 31000 Risk management: the 5 chapters

1. Scope

2. Definitions

3. Principles

4. The system of risk management (organizational framework)

5. The risk management process


Page 7:

ISO 31000: Definitions (1) (see ISO Guide 73:2009)

• Risk = effect of uncertainty on objectives; it is often expressed as a combination of the likelihood(*) of an event and its consequences

• Risk assessment = the overall process of risk identification, risk analysis and risk evaluation

• Risk attitude = the organization's approach to assess and eventually pursue, retain, take or turn away from risk

(*) likelihood = the chance of something happening; the standard uses this word rather than "probability", which is often interpreted narrowly as a mathematical term

Page 8:

ISO 31000: Definitions (2) (see ISO Guide 73:2009)

• Risk treatment = process to modify risk (avoid it, remove the risk source, change the likelihood, change the consequences, share the risk with other parties, retain it)

• Residual risk = risk remaining after risk treatment

• Risk management = coordinated activities to direct and control an organization with regard to risk

Page 9:

ISO 31000 Risk management

Chapter 3: Principles

Chapter 4: RM System (framework): how to embed RM in your organization?

Chapter 5: RM Process: which process steps does RM contain?

Page 10:


Part 1.1: ISO 31000: Risk Assessment Process

Page 11:

ISO 31000: RA Process

• 1. Risk identification
» Establish a comprehensive (exhaustive?) list of risks that may create, enhance, prevent, degrade, accelerate or delay the achievement of objectives
» Create the risk register
» Consider the interdependence of different risks and their sources

Page 12:

• 2. Understanding the organization and its context
» External
  • The social, cultural, political, legal, regulatory, financial, technological, economic, natural and competitive environment, whether international, national, regional or local
  • Key drivers and trends having an impact on the organization's objectives
  • Relationships with, and perceptions and values of, external stakeholders
» Internal
  • Governance, policies, objectives, capabilities, knowledge, processes, information, culture, models, contractual relationships, ...

Page 13:

FERMA Risk Management Standard, 2003 (Federation of European Risk Management Associations)

Page 16:

Risk register: List of hazards n° 5061/2005 EZU

Strategic risks
» Current business: dependencies on customers; dependencies on suppliers; change in attitudes and needs of customers; unavailability of resources (raw materials, ...)
» Future business: product specifications (inadequate performance characteristics); product development (development phases inadequate)
» Environmental changes: modifications in laws & regulations; political change (instability of government); modifications of individual rights
» Acquisitions: cultural affinity; information & management tools; financial burdens (lawsuits, insurance contracts, pension schemes, ...)
» Image and brand: brand loses its emotional appeal; human rights problems; ecological problems

Page 17:

ISO 31000: RA Process

• 3. Risk analysis
» Determine the level of risk from likelihood and consequence (tangible and intangible)
» Consider the confidence in the level of risk obtained and its sensitivity to the assumptions made
» Qualitative, semi-quantitative or quantitative analysis

(Figure source: Risk management guidelines to AS/NZS 4360: 2006)


Page 21:

ISO 31000: RA Process

• 4. Risk evaluation
» Assists decision making
» Defines the risk appetite and the acceptable level of risk
» Identifies the risks that need treatment
» Defines the priority for treatment implementation

Page 27:

ISO 31000: RA Process

• 5. Risk treatment (cyclical process)
» Generate controls and decide whether the residual risks are tolerable; if not, generate new controls
» Risk treatment options:
  • Retain the risk by informed decision
  • Avoid the risk by not starting the activity
  • Reduce the risk by removing the risk source, reducing the consequence or reducing the likelihood
  • Share or transfer the risk
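The five steps of the RA process (identification through treatment), together with the risk map named among the certification criteria later in the deck, can be exercised as one small register. The following Python is an added example and is not material from the slides or from ISO 31000: the 5-point scales, the acceptance level of 6, the sample risks (whose sources are taken from the hazard list on page 16) and the function names are all assumptions chosen for illustration; ISO 31000 prescribes no scale.

```python
"""Semi-quantitative risk register for ISO 31000 RA steps 3-5 (analysis,
evaluation, treatment) plus the risk map.

Added example, not from the slides: the 5x5 ordinal scales, the acceptance
level and the sample risks are assumptions chosen to illustrate the process;
ISO 31000 itself prescribes no scale.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Assumed ordinal scales; level of risk = likelihood x consequence (page 17).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Treatment:
    """One treatment option from page 27: retain, avoid, reduce or share."""
    option: str                            # "retain" | "avoid" | "reduce" | "share"
    control: str
    new_likelihood: Optional[str] = None   # set when the control lowers likelihood
    new_consequence: Optional[str] = None  # set when the control lowers consequence


@dataclass
class Risk:
    ref: str
    source: str          # hazard category, as in the risk register on page 16
    event: str
    likelihood: str
    consequence: str
    owner: str           # risk owner (framework clause 4.3.3)
    treatments: List[Treatment] = field(default_factory=list)

    def inherent_level(self) -> int:
        """Step 3: level of risk before any treatment."""
        return LIKELIHOOD[self.likelihood] * CONSEQUENCE[self.consequence]

    def residual_level(self) -> int:
        """Residual risk: level remaining after the planned treatments."""
        lik, con = self.likelihood, self.consequence
        for t in self.treatments:
            if t.option == "avoid":        # activity not started: nothing remains
                return 0
            lik = t.new_likelihood or lik
            con = t.new_consequence or con
        return LIKELIHOOD[lik] * CONSEQUENCE[con]


def evaluate(register: List[Risk], appetite: int) -> List[Risk]:
    """Step 4: risks above the accepted level, highest first; that order is
    the priority for treatment implementation."""
    above = [r for r in register if r.inherent_level() > appetite]
    return sorted(above, key=lambda r: r.inherent_level(), reverse=True)


def untreated(register: List[Risk], appetite: int) -> List[Risk]:
    """Step 5 check: residual risk still above appetite means the treatment
    cycle is not finished and new controls are needed."""
    return [r for r in register if r.residual_level() > appetite]


def risk_map(register: List[Risk]) -> Dict[Tuple[int, int], List[str]]:
    """Risk map cell (likelihood, consequence) -> refs of the risks in it."""
    cells: Dict[Tuple[int, int], List[str]] = {}
    for r in register:
        key = (LIKELIHOOD[r.likelihood], CONSEQUENCE[r.consequence])
        cells.setdefault(key, []).append(r.ref)
    return cells


# Constructed sample register; the sources come from the hazard list on page 16.
REGISTER = [
    Risk("R1", "Dependencies on suppliers", "Sole raw-material supplier fails",
         "possible", "major", "Procurement",
         [Treatment("reduce", "Qualify a second supplier", new_consequence="minor")]),
    Risk("R2", "Modifications in laws & regulations", "New export rule blocks a product line",
         "unlikely", "severe", "Legal",
         [Treatment("share", "Pass the cost to the distributor by contract", new_consequence="major")]),
    Risk("R3", "Acquisitions", "Target's pension scheme is underfunded",
         "likely", "major", "CFO",
         [Treatment("avoid", "Do not proceed with the acquisition")]),
    Risk("R4", "Image and brand", "Ecological incident at the plant reaches the press",
         "unlikely", "moderate", "Plant manager",
         [Treatment("retain", "Accepted by informed decision")]),
]
APPETITE = 6   # assumed acceptance level on the 1-25 scale


if __name__ == "__main__":
    for r in evaluate(REGISTER, APPETITE):
        print(f"{r.ref} inherent {r.inherent_level():2d} -> residual {r.residual_level():2d} ({r.owner})")
    print("still above appetite after treatment:", [r.ref for r in untreated(REGISTER, APPETITE)])
    print("risk map:", risk_map(REGISTER))
```

The point of `untreated` is the "cyclical" qualifier on step 5: R2's sharing arrangement only brings a severe consequence down to major, so it stays above the appetite and goes back into the cycle for a further control, while the avoided risk R3 drops out entirely.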

Page 28:

Part 1.2: ISO 31000: RM System (Framework)

Page 29:

ISO 31000: RM Framework

• 4.3.2. Establishing the RM policy: state the RM rationale (RAM) and define the acceptance levels in probability and consequence (risk appetite)

• 4.3.3. Accountability: designate the risk manager and the risk owners

• 4.3.4. Integration into organizational processes: embed the notion of risk in all decision processes

• 4.3.5. Resources: information and knowledge management systems

• 4.3.6. Internal communication and reporting

• 4.3.7. External communication and reporting

Page 30:

Part 2

BS 25999

Business Continuity Management

BC process & BC system

Page 31:

The standards

BS 25999-1:2006 Business continuity management - Part 1: Code of practice

BS 25999-2:2007 Business continuity management - Part 2: Specification

Page 32:

BS 25999-2:2007 BCM: the 6 chapters

1. Scope

2. Terms & definitions

3. Planning the business continuity management system (PLAN)

4. Implementing and operating the BCMS (DO)

5. Monitoring and reviewing the BCMS (CHECK)

6. Maintaining and improving the BCMS (ACT)


Page 33:

BS 25999: Scope

• More interdependencies in the supply chain

• BCM safeguards the interests of stakeholders, brand and business

• BCM builds resilience for an effective response

• Certification is possible (against Part 2, the specification)

Page 34:

BS 25999: Definitions

• BCMS = business continuity management system, which provides resilience and the capability for an effective response to safeguard the interests of key stakeholders, reputation, brand and value-creating activities

• BIA = business impact analysis, the process of analysing business functions and the effect that a business disruption might have upon them

• IMP = incident management plan, the plan of action during the incident

• BCP = business continuity plan, procedures for use in an incident to enable the organization to continue to deliver its critical activities at an acceptable predefined level

Page 35:

BCM & incident preparedness

(Figure with labels BCM and RM)

Page 36:

Part 2.1 BS 25999: BCMS Process


Page 37:

BS 25999: BCM Process 1. Understanding the organization

• RA (Risk Assessment) (4.1.2)
» Understand the threats and vulnerabilities
» Identify the threats that could become an incident and cause business disruption
» Establish the likelihood of a disruption
» Choose appropriate risk treatments in accordance with the organization's level of risk acceptance

Page 38:

BS 25999: BCM Process 1. Understanding the organization

• BIA (Business Impact Analysis) (4.1.1)
» Define the critical processes, services, products, installations, premises, persons, customers, suppliers and supply sources for the survival of the business
» Determine the impact of any disruption of the business
» Establish the MTPoD (maximum tolerable period of disruption)
» Establish the minimum level of business response
» Identify all dependencies on suppliers and outsourcing partners
» Set the RTOs (recovery time objectives)
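The BIA outputs listed above (critical activities, MTPoD, minimum level of response, dependencies, RTO) are what the continuity strategy is built on, and the check a practitioner runs on a finished BIA is whether they are consistent with each other. The following Python is an added example, not from the slides or from BS 25999: it verifies that each critical activity's RTO, including the recovery of the dependencies it cannot run without, fits inside its MTPoD, and goes one step further than the slide by deriving a recovery order for the BCP. The activities, their hours and their dependencies are constructed data, and the function names are this example's own.

```python
"""Business impact analysis check in the BS 25999-2 clause 4.1.1 vocabulary:
MTPoD, RTO, minimum level of business response, dependencies.

Added example, not from the slides: the activities, their hours and their
dependencies are constructed. It checks that each critical activity comes back,
including everything it depends on, inside its maximum tolerable period of
disruption, and derives a recovery order for the BCP.
"""
import heapq
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Activity:
    name: str
    mtpod_h: int          # maximum tolerable period of disruption, hours
    rto_h: int            # recovery time objective, hours
    min_level: str        # minimum level of business response
    depends_on: List[str] = field(default_factory=list)  # IT, suppliers, outsourcing partners


def effective_recovery(activities: Dict[str, Activity], name: str,
                       _chain: Tuple[str, ...] = ()) -> int:
    """Hours until the activity really runs again: its own RTO or, if longer,
    the recovery of a dependency it cannot run without."""
    if name in _chain:
        raise ValueError("circular dependency: " + " -> ".join(_chain + (name,)))
    act = activities[name]
    deps = [effective_recovery(activities, d, _chain + (name,)) for d in act.depends_on]
    return max([act.rto_h] + deps)


def bia_findings(activities: Dict[str, Activity]) -> List[str]:
    """One finding per activity whose RTO is not below its MTPoD, whose
    dependencies push its recovery beyond MTPoD, or whose dependency is missing
    from the BIA (an unidentified dependency is itself a finding)."""
    findings = []
    for a in activities.values():
        missing = [d for d in a.depends_on if d not in activities]
        if missing:
            findings.append(f"{a.name}: dependency not in BIA: {', '.join(missing)}")
            continue
        if a.rto_h >= a.mtpod_h:
            findings.append(f"{a.name}: RTO {a.rto_h}h is not below MTPoD {a.mtpod_h}h")
            continue
        eff = effective_recovery(activities, a.name)
        if eff > a.mtpod_h:
            findings.append(f"{a.name}: dependencies push recovery to {eff}h, beyond MTPoD {a.mtpod_h}h")
    return findings


def recovery_order(activities: Dict[str, Activity]) -> List[str]:
    """Order to bring activities back: tightest MTPoD first, but a dependency
    always precedes the activities that need it (heap-ordered topological sort)."""
    indeg = {n: len(a.depends_on) for n, a in activities.items()}
    dependents: Dict[str, List[str]] = {n: [] for n in activities}
    for n, a in activities.items():
        for d in a.depends_on:
            dependents.setdefault(d, []).append(n)
    ready = [(activities[n].mtpod_h, n) for n, k in indeg.items() if k == 0]
    heapq.heapify(ready)
    order: List[str] = []
    while ready:
        _, n = heapq.heappop(ready)
        order.append(n)
        for m in dependents[n]:
            indeg[m] -= 1
            if indeg[m] == 0:
                heapq.heappush(ready, (activities[m].mtpod_h, m))
    if len(order) != len(activities):
        raise ValueError("circular or unresolved dependency among activities")
    return order


# Constructed sample BIA for a small manufacturer.
ACTIVITIES = {a.name: a for a in [
    Activity("Order intake", 24, 8, "key customers' orders only", ["ERP", "Call center"]),
    Activity("Call center", 24, 4, "one shift on GSM fallback"),
    Activity("ERP", 48, 36, "read-only stock and order data", ["External IT site"]),
    Activity("External IT site", 72, 12, "core servers restored from backup"),
    Activity("Shipping", 72, 24, "50% of daily volume", ["ERP"]),
    Activity("Payroll", 72, 72, "manual bank file"),
]}

if __name__ == "__main__":
    for f in bia_findings(ACTIVITIES):
        print("FINDING:", f)
    print("recovery order:", " -> ".join(recovery_order(ACTIVITIES)))
```

The case worth noticing is "Order intake": its own RTO of 8 hours looks comfortable against a 24-hour MTPoD, but it cannot run without the ERP, whose RTO is 36 hours, so the activity is really down for 36 hours. That is exactly the dependency the slide asks the BIA to identify, and it is only visible when the chain is followed rather than each activity being checked in isolation.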

Page 44:

BS 25999: BCM Process 2. Develop the response: IMP (incident management plans)

» Identify lines of communication
» Define roles and responsibilities during and after the incident (who starts the IMP and how, who stops it and how)
» Crisis command center (and alternatives) with access to TV, GSM, critical documents, press and internet
» Details of key stakeholders, emergency services, employees and their relatives
» Media response organization
» Technical response (which actions, as a function of time), prevention of further loss
» Crisis log of the incident

Page 45:

BS 25999: BCM Process 3. Determine the strategy: BCP (business continuity plans)

» Premises: foresee alternative locations, work from home, rent new premises, go to low-wage countries
» People: introduce extra shifts in other production locations
» Technology: emergency replacement of installations or spares, outsource, split production, geographical spread, upgrade to new technology
» Information: go to an external IT site, convert to a PC network, go to call centers, use the GSM network or smartphones, back up critical documents
» Suppliers: extra storage, supplier with a JIT contract to fulfil key customers' contracts
» Other stakeholders: foresee crisis communication, psychological assistance
» Civil emergencies: contacts with civil protection and emergency services

Page 46:

BS 25999: BCM Process 4. Exercise, maintain and review

» Exercise programme approved by top management
» Post-exercise review, written report on the exercise
» Types of exercise: document check, technical functionality test, theoretical exercise or dry test, practical test

Page 47:

Part 2.2: BS 25999: BCM System (Framework)

Page 48:

BS 25999: Framework Chapt. 3: Planning the BCMS

• 3.2. Establish and manage the system
» Define the objectives of the BCMS
» Establish the BCM policy
» Provide resources
» Ensure competency of personnel

• 3.3. Embed BCM in the organization's culture

• 3.4. Provide documentation & records

Page 49:

BS 25999 Framework Chapt. 4: Implementing & operating BCM process

• 4.1. Understanding the organization (BIA & RA)

• 4.2. Determining the business continuity strategy

• 4.3. Developing and implementing a BCM response

• 4.4. Exercising, maintaining and reviewing BCM arrangements


Page 50:

BS 25999: Framework Chapt. 5: Monitoring & reviewing the BCMS

• 5.1. Internal audit

• 5.2. Management review
» Review after significant changes
» Post-exercise review, written report on the exercise

Page 51:

BS 25999: Framework Chapt. 6: Maintaining & improving the BCMS

• 6.1. Preventive and corrective actions

• 6.2. Continual improvement

Page 52:

Part 2.3: Certification criteria BCM process

• Risk register
• Risk map
• BCM curve


Page 55:

Certification criteria BCM system

• PLAN: policy; RM manager & job description

• DO: implement the RM process (new decisions, changes); RM communication (reporting); RM training

• CHECK: RM audit

• ACT: RM management review

Page 56:

Part 3

PAS 55-1

Asset Management

AM process & AM system

Page 57:

The standards

PAS 55-1:2008 Asset management - Part 1: Specification for the optimized management of physical assets

Page 58:

Introduction

• PAS 55 is specifically intended to cover the life cycle management of assets and, in particular, the assets that are core to an organization's purpose, such as utility networks, power stations, railway or road systems, oil and gas installations, manufacturing and process plants, buildings and airports

• Optimize the combination of assets in accordance with their life cycle, criticalities, condition, performance and the chosen risk profile of the organization

Page 59:

Introduction

• any asset intensive business, where significant expenditure, resources, performance dependency and/or risks are associated with the creation/acquisition, utilization, maintenance or renewal/disposal of assets

• any organization that has, or intends to manage or invest in, a significant portfolio of assets, or where the performance of asset systems and the management of assets are central to the effective delivery of service, product or other business objectives

