www.intertek.com 1 © Intertek 2013, All Rights Reserved
Business Continuity & Risk Management
David Muil, Global VP Business Development
Agenda
• Understanding Risk
• Business Continuity Management
• Risk assessment
• Summary
Risk
Defining Risk:
Organizations of all types and sizes face internal and external factors and influences that make it uncertain whether and when they will achieve their objectives. The effect this uncertainty has on an organization's objectives is “risk”.
ISO 31000, Risk Management: Principles and Guidelines
Risk
External risks arise from factors the organization cannot control, such as economic factors (market risk, pricing pressure), natural factors (floods, earthquakes) and political factors (government regulation and compliance requirements).
Internal risks arise from factors the organization can control, such as human factors (talent management, strikes), technological factors (emerging technologies), physical factors (machine failure, fire or theft) and operational factors (processes, human error).
Risks can be both positive and negative; however, most of the focus is on avoiding or mitigating negative ("hazard") risks, because a disruptive event can be catastrophic.
Risk: Disruptive Events
Chipotle Will Increase Food Safety Measures Following E. Coli Outbreak: Chipotle has had three known outbreaks this year: a norovirus outbreak in Simi Valley that sickened 234, a Salmonella outbreak in Minnesota that sickened 64 and an E. coli O26 outbreak that has so far sickened 55.
Travelers report illnesses at Cuban resorts: unsanitary washrooms, unsafe food handling practices, unrelenting stomach pains, vomiting and diarrhea are some of the complaints being reported.
Child Labour 2015: nearly 80% of Argentina's textile industry was found to be sourcing from unregulated facilities, where forced and child labour and poor working conditions are common.
Rise in recalls due to listeria cause for concern, scientist says: there were five times as many food recalls due to listeria contamination in 2015 as in 2014, coming from cooked meat and fish products, which means the bacteria was probably introduced during packaging.
Natural Disasters: 2015's top five natural disasters caused a collective $33 billion of damage to businesses globally.
Business Continuity Management
• Risk assessments
• Risk Appetite
• Business Impact Analysis
• Disaster recovery plans
• Enterprise Risk Management ERM
• Taxonomy of Risk
• Organizational resilience
• Risk Analysis
• Risk Severity
• Occurrence or probability of Risk
• Risk mitigation & detection
• Risk matrix
• Registry of Risk
Introduction to BCM and ISO22301
Definition of Business Continuity:
Capability of the organization to continue delivery of products or services at acceptable predefined levels following a disruptive incident.
ISO 22301:2012, Clause 3.3
Business Continuity Management
Definition of Business Continuity Management
"Holistic management process that identifies potential threats to an organization and the impacts to business operations that those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability of an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities."
ISO 22301:2012, Clause 3.4
BCM Life Cycle - 6 Core Elements
ISO 22301:2012 and PDCA activities
Plan
Establish business continuity policy, objectives, targets, controls, processes and procedures relevant to managing risk and improving business continuity to deliver results in accordance with an organization's overall policies and objectives.
Do
Implement and operate the business continuity policy, controls, processes and procedures.
Check
Monitor and review performance against business continuity objectives and policy, report the results to management for review, and determine and authorize actions for remediation and improvement.
Act
Maintain and improve the BCMS by taking preventive and corrective actions, based on the results of management review and re-appraising the scope of the BCMS and business continuity policy and objectives.
ISO 22301:2012 Implementation
Defines the requirements for establishing and managing an effective BCMS.
Highlights the importance of:
• Knowing the organization's needs and establishing a BCM policy and objectives
• Implementing and operating controls that build the organization's capability to manage business interruption
• Monitoring and reviewing how well the BCMS functions and how effective it is
• Continual improvement, based on objective criteria for risk management
Risk Assessment - Getting started
Definition of Risk Assessment
A risk assessment is a formula or set of rules that determines how severe and how frequent a hazard will be, and assigns a level to that threat: the risk level.
While it is impossible for a company to remove all risk from the organization, it is important that it properly understands and manages the risks it is willing to accept, in the context of the overall corporate strategy.
Risk Assessment
One approach is to use the concept of an FMEA (Failure Mode and Effects Analysis) to develop a risk profile:
• Identify areas of risk: financial, environmental, compliance, strategic, reputational etc. List the areas of impact: where and whom will this affect?
• Consequences: tangible losses, loss of assets, business interruption etc.
• Severity 1-10: 1 = none, 5 = moderate, 10 = critical
• Causes: potential causes of the risk, such as management practices, organizational policies, procedures, training etc.
Risk Assessment - continued
• Occurrence 1-10: likelihood of the risk happening: 1 = remote, 5 = moderate, 10 = very likely
• Current controls: define what is in place now to manage the risk
• Detection 1-10: how likely the current controls are to detect the failure: 1 = certain to detect, 5 = moderate, 10 = none, not likely to detect
• RPN (Risk Priority Number) = S × O × D. Recommended actions are defined for the items over the risk threshold.
Example: RPN > 250 is a dangerous risk; RPN 150 to 250 is a moderate risk. Begin RPN reduction for items at 250 and above.
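The scoring procedure above, worked through in code as an added example (this is not Intertek's tool or an ISO 22301 template; every risk entry, rating and control name is constructed sample data, loosely modelled on the disruptive events listed earlier in the deck). It scores a small register with S × O × D, applies the example thresholds, produces the list of items that need RPN reduction, and re-scores one item after a detective control is added:

```python
"""Worked FMEA-style risk scoring: RPN = Severity x Occurrence x Detection.
Added for illustration only; all entries, ratings and controls below are
constructed sample data, not Intertek's or ISO 22301's own material."""

from dataclasses import dataclass, replace
from typing import List, Optional

# Thresholds quoted in the text: RPN > 250 dangerous, 150-250 moderate,
# and RPN reduction starts at 250 and above.
DANGEROUS_ABOVE = 250
MODERATE_FROM = 150
ACTION_FROM = 250


@dataclass(frozen=True)
class Risk:
    area: str             # financial, environmental, compliance, ...
    failure_mode: str     # the disruptive event being scored
    severity: int         # 1 = none, 5 = moderate, 10 = critical
    occurrence: int       # 1 = remote, 5 = moderate, 10 = very likely
    detection: int        # 1 = certain to detect, 10 = not likely to detect
    controls: tuple = ()  # what is in place now to manage the risk

    def __post_init__(self):
        # Each rating is an integer on the 1-10 scale; reject anything else.
        for name in ("severity", "occurrence", "detection"):
            v = getattr(self, name)
            if not isinstance(v, int) or not 1 <= v <= 10:
                raise ValueError(f"{name} must be an integer 1-10, got {v!r}")

    @property
    def rpn(self) -> int:
        """Risk Priority Number: S * O * D, so the range is 1-1000."""
        return self.severity * self.occurrence * self.detection


def classify(rpn: int) -> str:
    """Map an RPN onto the example bands from the text."""
    if rpn > DANGEROUS_ABOVE:
        return "dangerous"
    if rpn >= MODERATE_FROM:
        return "moderate"
    return "acceptable"


def needs_action(risk: Risk) -> bool:
    """Items at or above the threshold go on the recommended-actions list."""
    return risk.rpn >= ACTION_FROM


def prioritise(register: List[Risk]) -> List[Risk]:
    """Highest RPN first. Ties are broken on severity, because a product
    alone cannot tell 10*5*5 (critical, sometimes caught) from 5*5*10
    (moderate, never caught)."""
    return sorted(register, key=lambda r: (r.rpn, r.severity), reverse=True)


def apply_control(risk: Risk, control: str, occurrence: Optional[int] = None,
                  detection: Optional[int] = None) -> Risk:
    """Re-score a risk after adding a control (the RPN reduction step).
    Controls normally lower occurrence (prevention) or detection
    (monitoring); the severity of the event itself rarely changes."""
    return replace(
        risk,
        occurrence=occurrence if occurrence is not None else risk.occurrence,
        detection=detection if detection is not None else risk.detection,
        controls=risk.controls + (control,),
    )


# Constructed sample register (hypothetical ratings).
SAMPLE_REGISTER = [
    Risk("operational", "Listeria introduced during packaging", 10, 4, 8,
         ("end-of-line visual inspection",)),
    Risk("compliance", "Unaudited subcontractor using child labour", 8, 5, 7,
         ("supplier code of conduct",)),
    Risk("supply chain", "Sole supplier's plant closed by flood", 9, 3, 7),
    Risk("operational", "Hygiene lapse causing norovirus outbreak", 7, 5, 5,
         ("staff hygiene training",)),
    Risk("physical", "Server room fire", 9, 2, 2,
         ("fire suppression", "off-site backups")),
]


def action_list(register: List[Risk]) -> List[str]:
    """Failure modes that need RPN reduction, highest priority first."""
    return [r.failure_mode for r in prioritise(register) if needs_action(r)]


def report(register: List[Risk]) -> str:
    """Plain-text risk matrix, one row per failure mode."""
    lines = [f"{'Failure mode':<45}{'S':>3}{'O':>3}{'D':>3}{'RPN':>5}  Class"]
    for r in prioritise(register):
        lines.append(f"{r.failure_mode:<45}{r.severity:>3}{r.occurrence:>3}"
                     f"{r.detection:>3}{r.rpn:>5}  {classify(r.rpn)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_REGISTER))
    print("Action required:", action_list(SAMPLE_REGISTER))
    # RPN reduction: add a detective control to the top item and re-score.
    listeria = SAMPLE_REGISTER[0]
    treated = apply_control(listeria, "environmental swabbing on packaging line",
                            detection=3)
    print(f"{listeria.failure_mode}: RPN {listeria.rpn} -> {treated.rpn} "
          f"({classify(treated.rpn)})")
```

Two things worth noticing when using the bands as written: an item scoring exactly 250 falls in the moderate band yet is already on the reduction list, so the boundary should be stated explicitly in the organization's own procedure; and because RPN is a product, two very different risk profiles can share a score, which is why the sort above breaks ties on severity rather than trusting the number alone.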
FMEA
Summary
• Disruptions are experienced by 8 out of 10 organizations: a real threat
• 8 out of 10 say the benefits and business case for BCM are strong
• Despite this, many organizations are still unprepared for threats
• ISO 22301 is the leading global standard to help implement BCM
• BCM should consider suppliers and other interested parties
• Media coverage should be included in the BCM strategy (reputational risk)
• Senior managers must take ultimate responsibility for BCM
• Many tools exist to assist your organization with BCM (e.g. FMEA)
• BCM requires a holistic approach: "holistic" means "relating to or concerned with wholes or complete systems rather than with the analysis of, treatment of, or dissection into parts"
Thank You
Intertek can provide customized auditing solutions to help you with your BCM needs, including ISO 22301 Certification and IRCA Lead Auditor Training.
Also contact us at [email protected].