
Uploaded by: aizuddin-sugara
Posted on: 08-Nov-2014
Description: Discusses COSO ERM

Page 1: Risk Management

Faculty of Science and Technology
Master of Occupational Safety and Health Risk Management
SMRK5103 – RISK MANAGEMENT
SEPTEMBER SEMESTER 2012
ASSIGNMENT (60%)

Prepared by: Aizuddin Sugara Bin Akbar Jahan (CGS00716430)
Tutor: MOHD RAFEE BAHARUDIN

Executive Summary

This paper discusses Enterprise Risk Management (ERM) of Jabil Circuit Sdn Bhd (Jabil) for the Fiscal Year (1st October 2012 – 31st September 2013). ERM takes a broad perspective on identifying the risks that could cause an organization to fail to meet its strategies and objectives. Several methods for identifying risks are discussed and illustrated with examples from company experiences. Once risks are identified, the next issue is to determine the root causes, or what drives the risks. A suggested approach is described and followed by a discussion of several qualitative and quantitative procedures for assessing risks. Some practical ERM implementation considerations are also explored, including infrastructure and maturity models, staging adoption, the role of the management accountant, education and training, technology, aligning corporate culture, building a case for ERM, and the ROI of ERM. Jabil Circuit Sdn Bhd, a large organisation whose stakeholders have expectations for business success, can benefit from the tools and methods provided in this paper.

Table of Contents

1. Introduction .......... 5
   a. Jabil Circuit Sdn Bhd .......... 6
   b. Explanation of Enterprise Risk Management (ERM) .......... 7
      i. Definition of Enterprise Risk Management (ERM) .......... 9
      ii. Differences of ERM and Traditional Risk Management .......... 9
      iii. Benefits of Enterprise Risk Management (ERM) .......... 10
      iv. Limitation of Enterprise Risk Management (ERM) .......... 12
2. Role of ERM in Occupational Safety and Health .......... 14
   a. Identifying hazards .......... 15
   b. Assessing associated risks .......... 15
   c. Taking action to mitigate risks .......... 16
   d. Monitoring the effectiveness .......... 16
3. Implementing Enterprise Risk Management (ERM) .......... 18
   a. Committee of Sponsoring Organizations’ ERM .......... 20
   b. Relationship of Objectives and Components .......... 27
   c. Key Implementation Factors .......... 28
4. Work Plan: Target Achievement of Objectives .......... 31
   a. Objectives .......... 31
5. Work Plan: Components of ERM .......... 33
   a. Internal Environment .......... 33
      i. Initiative Goal of ERM - Internal Environment .......... 36
   b. Objective Setting .......... 37
      i. Corporate Background .......... 40
      ii. Corporate Risk Summary .......... 42
      iii. Jabil’s Mission Statement .......... 45
      iv. COSO ERM Risk Objective Setting Components .......... 46
   c. Event Identification .......... 46
   d. Risk Assessment, Response, and Control Activities .......... 50
      i. Planning .......... 50
      ii. Required Systems .......... 51
      iii. Unique Assets .......... 56
      iv. Security Profile .......... 66
      v. Threat Identification and Resource Requirements for Business Continuity .......... 67
   e. Information and Communication .......... 77
   f. Monitoring .......... 80
      i. Role of Internal Audit .......... 81
6. Risk Manager Role .......... 85
   a. Analysis of Jabil’s Safety and Health Policy in accordance with risk management .......... 85
   b. OSH Policy of Jabil Circuit Sdn Bhd .......... 86
   c. Discussion of Jabil OSH Policy .......... 87
7. Conclusion .......... 95
8. References .......... 96
Appendix A: Jabil Business Conduct .......... 97
Appendix B: Jabil Rules of The Road .......... 98
Appendix C: Jabil Integrity Hotline .......... 99
Appendix D: Risk Identification Template .......... 100

Figure 1 - A Continuous Risk Management Process .......... 6
Figure 2 - COSO ERM Framework .......... 27
Figure 3 - Industry Portfolio of Risks .......... 38
Figure 4 - Components of Objective Setting .......... 46
Figure 5 - Flow of Information and Communication .......... 79
Figure 6 - Risk Management Process .......... 92
Figure 7 - OSH Transformation .......... 94

Table 1 - Buildings and their functions .......... 7
Table 2 - Differences of ERM and Traditional Risk Management .......... 9
Table 3 - ERM Objectives' Categories and its Description .......... 22
Table 4 - ERM Component's Description .......... 26
Table 5 - Jabil's Objectives .......... 32
Table 6 - Key Risk-Oriented Characteristics of Jabil .......... 42
Table 7 - Corporate Risk Summary .......... 44
Table 8 - Risk Assessment Planning Task .......... 51
Table 9 - Required Systems .......... 56
Table 10 - Unique Assets .......... 66
Table 11 - Security Profile .......... 67
Table 12 - Tools in ERM Process of Monitoring .......... 83
Table 13 - Jabil OSH Training for Year 2012 .......... 91
Table 14 - EHS Objectives and Target .......... 93

1. Introduction

In the economic landscape of the 21st century an organization’s business model is constantly challenged by competitors and events that could give rise to substantial risks. An organization must strive to find creative ways to continuously reinvent its business model in order to sustain growth and create value for stakeholders. Companies make money and increase stakeholder value by engaging in activities that have some risk, yet stakeholders also tend to appreciate and reward some level of stability in their expected returns. Failure to identify, assess, and manage the major risks facing the organization’s business model, however, may unexpectedly result in significant loss of stakeholder value. Thus, senior leadership must implement processes to manage effectively any substantial risks confronting the organization.

This dual responsibility of growing the business and managing risk has been noted by Mark Mondello, Chairman and CEO at Jabil Circuit Inc., when he described his position at Jabil: “My job is to figure out how to grow and manage risk and volatility at the same time.”

While it may not be possible to eliminate all risks, it is certainly possible to devise measures to prevent them and to control losses and their impacts through proven principles of risk management.


Figure 1 - A Continuous Risk Management Process

a. Jabil Circuit Sdn Bhd

Jabil Circuit Sdn Bhd Malaysia (Jabil) is a multi-national company based in Penang, with its global headquarters in St Petersburg, Florida, USA. Jabil’s global operations encompass more than 60 sites on four continents and employ over 100,000 people.

Jabil is one of the world's largest Electronic Manufacturing Services (EMS) companies, providing customised design, manufacturing, distribution, and aftermarket services for some of today's largest companies. To ensure continued financial success and growth, Jabil operates in a variety of sectors, including aftermarket services, computing & storage, defence & aerospace, digital home & office, healthcare & instrumentation, industrial & clean tech, materials technology, mobility EMS, networking, and telecommunications.

For the past 16 years, Jabil has experienced double-digit growth due to its unwavering commitment to the right combination of services, industries, locations, systems, and people.

In Penang, Jabil's five buildings together form one campus of this large organisation, located in the Free Industrial Zone. The five buildings and their main functions are listed below:

| Building | Function |
| --- | --- |
| Jabil Plant 1 | Facilitate primary production floor |
| Jabil Plant 2 | Facilitate secondary production floor |
| Jabil Global Business Centre 1 | Support worldwide operation of Supply Chain Management |
| Jabil Global Business Centre 2 | Support worldwide operation of Information Technology and Finance |
| Jabil After Marketing Services | Support after marketing services |

Table 1 - Buildings and their functions

b. Explanation of Enterprise Risk Management (ERM)

No entity operates in a risk-free environment, and Enterprise Risk Management (ERM) does not create such an environment. Rather, ERM enables management to operate more effectively in environments filled with risks (R. S. Khatta, 2008).

Enterprise risk can include a variety of factors with potential impact on an organisation's activities, processes, and resources. External factors can result from economic change, financial market developments, and dangers arising in political, legal, technological, and demographic environments. Risks can also arise over time, as the public may change its views on products or practices. In terms of Jabil's business operations, a few such public views on products and practices are listed below:

- Mobile devices
- Software
- Office appliances
- Computer
- Executive salaries
- Disposable packaging
- Appliances
- Safety
- Manufacturing services from third country
- Technology

Most of these are beyond the control of Jabil, although Jabil can prepare and protect itself in a timely and efficient way. Internal risks include human error, fraud, systems failure, disrupted production, and so on. Thus, an organisation such as Jabil needs robust, reliable systems to control risks that arise in all facets of its business.

i. Definition of Enterprise Risk Management (ERM)

ERM involves the identification and evaluation of significant risks, assignment of ownership, and completion and monitoring of mitigating actions to manage these risks within the risk appetite of the organisation.

The output of ERM is the provision of information for management to improve business decisions, reduce uncertainty and provide reasonable assurance regarding the achievement of the objectives of the organisation.

Thus, ERM is intended to make a significant positive difference when unforeseen or unexpected events occur. In addition, it is designed to improve efficiency and the delivery of services, improve the allocation of resources (capital) to business improvement, create shareholder value and enhance risk reporting to stakeholders.

ii. Differences of ERM and Traditional Risk Management

| Traditional Risk Management | ERM |
| --- | --- |
| Risk as individual hazards | Risk viewed in context of business strategy |
| Risk identification and assessment | Risk portfolio development |
| Focus on discrete risks | Focus on critical risks |
| Risk mitigation | Risk optimization |
| Risk limits | Risk strategy |
| Risks with no owners | Defined risk responsibilities |
| Haphazard risk quantification | Monitoring and measurement of risks |
| Risk responsibility is perceived individually | Risk is everyone’s responsibility |

Table 2 - Differences of ERM and Traditional Risk Management

iii. Benefits of Enterprise Risk Management (ERM)

Determining whether an entity’s enterprise risk management is “effective” is a judgment resulting from an assessment of whether ERM components are present and functioning effectively. Thus, the components are also criteria for effective ERM. For the components to be present and functioning properly there can be no material weaknesses, and risk needs to have been brought within the entity’s risk appetite.

When ERM is determined to be effective in each of its categories of objectives, respectively, the board of directors and management have reasonable assurance that they understand the extent to which the entity’s strategic and operations objectives are being achieved, and that the entity’s reporting is reliable and applicable laws and regulations are being complied with.

The ERM components will not function identically in every entity. Application in small and mid-size entities, for example, may be less formal and less structured. Nonetheless, small entities still can have effective enterprise risk management, as long as each of the components is present and functioning properly. ERM provides enhanced capability to:

- Align risk appetite and strategy – Risk appetite is the degree of risk, on a broad-based level, that a company or other entity is willing to accept in pursuit of its goals. Management considers the entity’s risk appetite first in evaluating strategic alternatives, then in setting objectives aligned with the selected strategy and in developing mechanisms to manage the related risks.
- Link growth, risk and return – Entities accept risk as part of value creation and preservation, and they expect return commensurate with the risk. Enterprise risk management provides an enhanced ability to identify and assess risks, and establish acceptable levels of risk relative to growth and return objectives.
- Enhance risk response decisions – Enterprise risk management provides the rigor to identify and select among alternative risk responses – risk avoidance, reduction, sharing and acceptance. Enterprise risk management provides methodologies and techniques for making these decisions.
- Minimize operational surprises and losses – Entities have enhanced capability to identify potential events, assess risk and establish responses, thereby reducing the occurrence of surprises and related costs or losses.
- Identify and manage cross-enterprise risks – Every entity faces a myriad of risks affecting different parts of the organization. Management needs to not only manage individual risks, but also understand interrelated impacts.
- Provide integrated responses to multiple risks – Business processes carry many inherent risks, and enterprise risk management enables integrated solutions for managing the risks.
- Seize opportunities – Management considers potential events, rather than just risks, and by considering a full range of events, management gains an understanding of how certain events represent opportunities.
- Rationalize capital – More robust information on an entity’s total risk allows management to more effectively assess overall capital needs and improve capital allocation.

Enterprise risk management helps an entity achieve its performance and profitability targets, and prevent loss of resources. It helps ensure effective reporting. And, it helps ensure that the entity complies with laws and regulations, avoiding damage to its reputation and other consequences. In sum, it helps an entity get to where it wants to go and avoid pitfalls and surprises along the way.

iv. Limitation of Enterprise Risk Management (ERM)

While enterprise risk management provides important benefits, limitations exist. In addition to factors discussed above, limitations result from the realities that human judgment in decision making can be faulty, decisions on responding to risk and establishing controls need to consider the relative costs and benefits, breakdowns can occur because of human failures such as simple errors or mistakes, controls can be circumvented by collusion of two or more people, and management has the ability to override enterprise risk management decisions. These limitations preclude a board and management from having absolute assurance as to achievement of the entity’s objectives.

Effective enterprise risk management helps management achieve objectives. But ERM, no matter how well it is designed and operated, does not ensure an entity's success.

The achievement of objectives is affected by limitations inherent in all management processes. Shifts in policy or programs, competitors' actions or economic conditions can be beyond management's control. ERM cannot change an inherently poor manager into a good one. Additionally, controls can be circumvented by the collusion of two or more people, and management has the ability to override the ERM process, including risk responses and controls.

The design of ERM must reflect the reality of resource constraints, and the risk management benefits must be considered relative to their costs. Thus, while ERM can help management achieve its objectives, it is not a solution or remedy for all difficulties.

2. Role of ERM in Occupational Safety and Health

Occupational Safety and Health (OSH) is already a legal requirement in several countries. Others have established such a system, but its application is still optional.

ERM is an integral part of performing OSH. It serves to identify and assess the risks derived from the hazards, and finally leads to appropriate action to reduce or even eliminate such risks. Risk management is the critical success factor in managing OSH in any workplace. A management system provides a framework for the process of identifying hazards, assessing associated risks, taking action and reviewing the outcome. Like any modern management system, it follows the model developed for quality management (ISO 9000). Hence, the OSH management system just has to be integrated into the existing management systems.

The following are the elements of a management system as suggested by OHSAS 18001. It is based on the Plan - Do - Check - Act cycle as described below.

- Defining the OHS Strategy
- Planning
- Implementation and Operation
- Checking and Corrective Action
- Management Review
- Continual Improvement

This description shows that OSH is closely related to risk management, because it suggests a frame for the OSH management process by outlining the items below.

a. Identifying hazards

A hazard is anything that is a threat to health and safety in an organisation. Therefore it is linked to the people of the organisation, and it immediately becomes clear that everybody has to contribute to finding hazards at his or her workplace. It is a legal requirement in some countries that employers consult their employees.

b. Assessing associated risks

Before risks can be assessed, the risks associated with the identified hazards have to be determined. It is important to understand clearly that hazards and the risks resulting from hazards are different things. Risk assessment itself is very much the same as risk assessment in other management systems. Typically, a risk is assessed by its likelihood and its consequence. Risk assessments provide insight into an organisation’s risks and allow risks to be prioritised for mitigating action.

c. Taking action to mitigate risks

Mitigating actions focus on reducing the likelihood and/or consequence. There is a hierarchy of different solutions, whereby the most effective usually is also the most difficult and sometimes the most expensive to realise:

- Actions that remove the hazard and eliminate risk.
- Actions that replace the hazard by a less dangerous one.
- Actions that modify the product or process design.
- Actions that isolate the hazard from people.
- Actions that use engineering solutions such as new machinery or plant.
- Actions that use administrative controls, e.g. new procedures.
- Actions that protect from hazards through personal protective equipment.

d. Monitoring the effectiveness

The outcome of each risk mitigating action has to be reviewed on two levels:

- To ensure that the actions taken are effective and continue to be effective.
- To ensure that no new hazard/risk was introduced by the actions taken.

Any control measures have to be maintained in order to ensure that they are kept in working order. Procedures also have to be audited to ensure they are being followed as intended.

After completing one entire cycle of risk management, the next has to be scheduled to ensure that the best actions are always taken and new hazards are included in risk management.

Risk management of OSH will be a regular item on the management agenda, and ERM is a component of risk management that can address OSH issues. However, apart from it just being a requirement, management may realise the benefits and profitability of OSH through proper presentation of the related risk management modules, especially when registered to the respective local standard, as listed below:

- Reduction of risk.
- Competitive advantages.
- Compliance with legal requirements.
- Improvement of overall performance.

3. Implementing Enterprise Risk Management (ERM)

ERM cuts across an organization’s silos to identify and manage a spectrum of risks. Consider these ERM action items:

- Resolve to proactively manage risks, rather than react to them. Implementing ERM takes total commitment by management, as well as recognition by the board of its responsibility.
- Clarify the organization’s risk philosophy. As discussed in the COSO ERM framework (Enterprise Risk Management—Integrated Framework), organizations need to know their risk capacity in terms of people capability and capital. The board and management must come to an understanding, factoring in the risk appetite of all significant stakeholders.
- Develop a strategy. Since risk relates to the events or actions that jeopardize achieving the organization’s objectives, effective risk management depends on an understanding of the organization’s strategy and goals. One of the benefits of ERM implementation is the revelation that those responsible for achieving the objectives have varying degrees of understanding about them. ERM helps get everyone on the same page.
- Think broadly and examine carefully events that may affect the organization’s objectives. This involves taking your business and industry apart. Pore over your strategy, its key components and related objectives. Use a variety of identification techniques such as brainstorming, interviews, self-assessment, facilitated workshops, questionnaires and scenario analyses. In selecting among these techniques, consider how rigorously each business unit can implement them, and if openness among the participants would result. Analyze how both external and internal events can change the organization’s risk landscape. This initial effort does not have to take months to accomplish. Start with a top-down approach. Begin to identify risks through workshops or interviews with executive management and by focusing on strategies and related business objectives.
- Assess risks. Initially, try to reach a consensus on the impact and likelihood of each risk. Placing risks on a risk map can be a valuable focal point for further discussion. As the risk assessment process matures, consider applying more sophisticated risk measurement tools and techniques.
- Develop action plans and assign responsibilities. Every risk must have an owner somewhere in the organization. Manage the biggest risks first and gain some early wins.
- Maintain the flexibility to respond to new or unanticipated risks. Put a business continuity and crisis management plan into place. If your organization is in a volatile environment, you should anticipate even more unknowns.
- Use metrics to monitor the effectiveness of the risk management process where possible.
- Communicate the risks identified as critical. Circulate risk information throughout the organization. The board of directors and audit committee should be given regular reports on the key risks facing the organization. It is not acceptable to identify important risks and never communicate them to the appropriate people.
- Embed ERM into the culture. Integrate the knowledge of risks in your internal audit planning, balanced scorecards, budgets and performance management system.

a. Committee of Sponsoring Organizations’ ERM

The Committee of Sponsoring Organizations (COSO) is a body that provides thought leadership through the development of comprehensive frameworks and guidance on enterprise risk management, internal control and fraud deterrence, designed to improve organizational performance and governance and to reduce the extent of fraud in organizations.

COSO has published an ERM framework as the main guideline for implementing ERM within an organisation. This framework defines essential components, suggests a common language, and provides clear direction and guidance for ERM.

Entity objectives can be viewed in the context of four categories, as presented in the table below:

| Categories | Description | Type of Risks |
| --- | --- | --- |
| Strategic | High-level goals, aligned with and supporting its mission. | Damage to reputation; competition; customer wants; demographic and social/cultural trends; technological innovations/patents; capital investment; shareholder requirements; regulatory and political trends |
| Operational | Effective and efficient use of its resources. | Business operations (e.g., human resources, product development, capacity, efficiency, product/service failure, channel management, supply chain management, business cycles); empowerment (leadership, change willingness); information technology |
| Financial/Reporting | Reliability of reporting. | Price (e.g., asset value, interest rate, foreign exchange); liquidity (cash flow, call risk, opportunity cost); credit (e.g. rating); inflation, purchasing power and basis financial risk (e.g., hedging); wrong or incomplete reporting (e.g., financial performance); information/business reporting (e.g. budgeting and planning, accounting, information, taxation) |
| Hazard/Compliance | Individual errors and compliance with applicable laws and regulations. | Fire and property damage; windstorms and other natural phenomena; theft and other crime incl. personal injury; business interruption and liability claims |

Table 3 - ERM Objectives' Categories and its Description

ERM considers activities at all levels of the organization:

- Enterprise-level
- Division or subsidiary
- Business unit processes

The ERM framework requires management to consider how individual risks interrelate. Management develops a portfolio view from two perspectives:

- Business unit level
- Entity level

There are eight components of the ERM framework, which are interrelated with each other. Below is a list of the components and a brief description of each of them.

ERM Components and Description

Internal Environment:
• Establishes a philosophy regarding risk management. It recognizes that unexpected as well as expected events may occur.
• Establishes the entity’s risk culture.
• Considers all other aspects of how the organization’s actions may affect its risk culture.

Objective Setting:
• Is applied when management considers risk strategy in the setting of objectives.
• Forms the risk appetite of the entity – a high-level view of how much risk management and the board are willing to accept.
• Risk tolerance, the acceptable level of variation around objectives, is aligned with risk appetite.

Event Identification:
• Differentiates risks and opportunities. Events that may have a negative impact represent risks. Events that may have a positive impact represent natural offsets (opportunities), which management channels back to strategy setting.
• Involves identifying those incidents, occurring internally or externally, that could affect strategy and achievement of objectives.
• Addresses how internal and external factors combine and interact to influence the risk profile.

Risk Assessment:
• Allows an entity to understand the extent to which potential events might impact objectives.
• Assesses risks from two perspectives: likelihood and impact.
• Is used to assess risks and is normally also used to measure the related objectives.
• Employs a combination of both qualitative and quantitative risk assessment methodologies.
• Relates time horizons to objective horizons.
• Assesses risk on both an inherent and a residual basis.

Risk Response:
• Identifies and evaluates possible responses to risk.
• Evaluates options in relation to the entity’s risk appetite, cost vs. benefit of potential risk responses, and the degree to which a response will reduce impact and/or likelihood.
• Selects and executes a response based on evaluation of the portfolio of risks and responses.

Control Activities:
• Policies and procedures that help ensure that the risk responses, as well as other entity directives, are carried out.
• Occur throughout the organization, at all levels and in all functions.
• Include application and general information technology controls.

Information & Communication:
• Management identifies, captures, and communicates pertinent information in a form and timeframe that enables people to carry out their responsibilities.
• Communication occurs in a broader sense, flowing down, across, and up the organization.

Monitoring:
• Effectiveness of the other ERM components is monitored through ongoing monitoring activities, separate evaluations, or a combination of the two.

Internal Control:
• A strong system of internal control is essential to effective enterprise risk management.

Table 4 - ERM Component's Description


b. Relationship of Objectives and Components

There is a direct relationship between objectives, which are what an entity strives to achieve, and the enterprise risk management components, which represent what is needed to achieve them. The relationship is depicted in a three-dimensional matrix, in the shape of a cube, shown in Figure 2 below.

Figure 2 - COSO ERM Framework

• The four objectives categories – strategic, operations, reporting, and compliance – are represented by the vertical columns.
• The eight components are represented by horizontal rows.
• The entity and its units are depicted by the third dimension of the cube.

c. Key Implementation Factors

Enterprise risk management is a procedure to minimize the adverse effect of a possible financial loss by:

• Identifying potential sources of loss;
• Measuring the financial consequences of a loss occurring; and
• Using controls to minimize actual losses or their financial consequences.

The purpose of monitoring all risks is to increase the value of each single activity within the company. The potential benefits and threats of all factors connected with these activities have to be ordered and documented. If all employees are aware of the importance of the risk management process, the probability of success will be increased while at the same time failure will become unlikely.

Risk identification is not done solely by an individual. All relevant stakeholders are involved to keep an eye on all risks that matter. Generally the risk identification sessions should include as many of the following participants as possible:

• Risk management team
• Subject matter experts from other parts of the company
• Customers and end-users
• Other project managers and stakeholders
• Outside experts
• Project team

The participants may vary, but the risk management team should always be involved because they deal with the subject every day and therefore need fresh information at any time. Outside stakeholders and experts can provide objective and unbiased information for the risk identification step and are therefore an essential part of the process.

Risk identification has to be done as a continuous process. If it is treated like a one-time event, the whole company runs the risk of overlooking newly emerging problems. The process starts in the initiation phase, where the first risks are identified. In the planning stage the team determines risks and mitigation measures and documents them. In the following stages of resource allocation, scheduling and budgeting, the associated reserve planning is also documented.

After the initial phase of risk identification, all risks have to be managed until each risk is closed or terminated. New risks will occur as the company moves on and matures and the outer and inner environment of the company changes. In the case of an increased probability of a risk, or if the risk becomes real, it is time for the risk management team to respond to it. The executives and managers have to think about the problem and develop strategies to deal with its impact. All the re-planning actions can mean a change to the baseline of budget, schedule and resource planning.

How the company will deal with risks has to be clearly defined in the early stages of getting involved in ERM, then documented and executed appropriately during the planning cycle.


4. Work Plan: Target Achievement of Objectives

Within the context of an entity’s established mission or vision, Jabil’s management establishes strategic objectives, selects strategy, and sets aligned objectives cascading through the enterprise.

a. Objectives

There are four categories of objectives. Jabil maps these objectives onto its business perspectives as described below.

Category | Description | Remarks
Strategic | Achieving a 60% market share; Maintain technological in the industry | Risk may come as externalities and is beyond the control of management
Operational | Maintaining a defect rate of less than 0.1% of production; Achieving plant availability of 95%; Containing overtime hours to less than 2% of the total hours worked | Risk may come as externalities and is beyond the control of management
Reporting | All internal controls personnel must be competent in financial reporting; Comply with the Sarbanes-Oxley Act (applicable to a United States of America based company) | Risk management is highly dependent on the control of internal management
Compliance | Compliance with health and safety regulation; Compliance with hazardous materials regulation; Compliance with environmental protection, security laws, and civil laws | Risk management is highly dependent on the control of internal management

Table 5 - Jabil's Objectives

This categorization of entity objectives allows a focus on separate aspects of enterprise risk management. These distinct but overlapping categories – a particular objective can fall into more than one category – address different entity needs and may be the direct responsibility of different executives. This categorization also allows distinctions between what can be expected from each category of objectives. Another category, safeguarding of resources, used by some entities, is also described.


5. Work Plan: Components of ERM

Enterprise risk management consists of eight interrelated components. These are derived from the way Jabil’s management runs the enterprise and are integrated with the management process.

a. Internal Environment

The internal environment is composed of the elements within the organization, including current employees, management, and especially corporate culture, which defines employee behaviour.

It encompasses the tone of an organization, influencing the risk consciousness of its people, and is the basis for all other components of ERM, providing discipline and structure. Internal environmental factors include an entity’s risk management philosophy; its risk appetite; oversight by the board of directors; the integrity, ethical values, and competence of the entity’s people; and the way management assigns authority and responsibility and organizes and develops its people.

COSO describes the internal environment as interrelated with the concept of tone at the top. According to COSO, the tone at the top plays a crucial role in creating the control consciousness of an organization, one that is capable of leading employees to a higher ethical standard of conduct or of creating a breeding ground for fraudulent activity. It is the ethical atmosphere that an organization’s leadership creates in the workplace. Whatever tone senior management sets has a direct impact on the employees of the company.

The control environment – that is, the overall attitude, awareness, and actions of directors and management regarding the internal control system and its importance to the organization – is the key to setting the tone of the organization because it influences the “control consciousness of its people.”

Factors concerning the control environment of Jabil include:

• Integrity and ethical values communicated by executive management in speaking and writing and demonstrated by action.
• Responses to incentives and temptations – clear policies and actions that prohibit the acceptance of inappropriate gifts, for example.
• Moral guidance, as communicated through a code of business conduct and ethics.
• A commitment to competence, as demonstrated by robust human resource policies and clear job descriptions for the purpose of hiring and retaining qualified people.
• A board of directors and audit committee that are engaged, ask questions, and take appropriate action.
• A management philosophy and operating style that place high value on risk assessment and internal control.
• A well-defined organizational structure that is appropriate to the company’s size and complexity.
• Appropriate assignment of authority and responsibility, with well-defined authority and duties that are appropriately segregated to prevent or detect error and fraud.
• Human resource recruiting and retention policies and practices to ensure that human capital is valued.
• Ways to settle internal differences, such as a forum to discuss and settle differences of opinion between management and employees.

These factors have shaped the tone at the top and produced the business conduct of Jabil (refer Appendix A). Besides that, there are rules formulated for employees’ reference while conducting the whole organisation’s business in the preferred way. This set of rules is named the Jabil Rules of the Road (refer Appendix B).

Jabil always highlights the importance of business integrity. Thus, a mechanism is created (refer Appendix C) to report any wrongdoing such as potential violations of the law, regulations, professional standards, policy, or the applicable Code of Ethics that is believed not to be handled properly. Such potential violations could include, but are not limited to:

• Non-compliance with professional standards
• Unlawful discrimination
• Harassment
• Workplace violence
• Substance abuse
• Conflicts of interest
• Falsification of documents
• Inappropriate gifts and entertainment
• Inappropriate political activities and contributions
• Insider trading or other securities law violations
• Breaches of a client's or Jabil Circuit, Inc.'s confidentiality
• Inappropriate disposal of Jabil Circuit, Inc.'s documents
• Inappropriate personal use of Jabil Circuit, Inc.'s resources
• Theft
• Bribes and kickbacks
• Inappropriate client billings
• Inappropriate reporting of time or expenses
• Other potential violations of policies

i. Initiative Goal of ERM - Internal Environment

Some believe that the only way to correct issues related to the tone at the top is to make personnel changes. Such measures may sometimes be warranted, but initiatives such as education, frequent communication or even formal classroom training could be a remedy as well – and in fact might accelerate the general adoption of a more ethical corporate culture in an organization.

Leadership from the top of the organization is essential to maintain rigorous internal control and make progress on ERM and fraud prevention. A growing number of organizations are formalizing their antifraud programs. In addition, external auditors are reviewing companies’ antifraud controls and risk assessments as part of their work.

All of these activities, when supported by the board and performed conscientiously, set the right tone and help reduce the risk of fraud. Only by setting the bar high will an ethical corporate culture be sustained.

Beyond that, the initiative goal of this component is to integrate ERM into the culture and strategic decision making processes of the organization.

b. Objective Setting

Objectives must exist before management can identify potential events affecting their achievement. ERM ensures that management has in place a process to set objectives and that the chosen objectives support and align with the entity’s mission and are consistent with its risk appetite.

Referring to Table 5 - Jabil's Objectives, the objectives of concern are listed under the strategic and operational categories. They are:

1. Achieving a 60% market share.
2. Maintain technological in the industry.
3. Maintaining a defect rate of less than 0.1% of production.
4. Achieving plant availability of 95%.
5. Containing overtime hours to less than 2% of the total hours worked.

When objectives are stated clearly and understood by the participants, a brainstorming session drawing on the creativity of the participants can be used to generate a list of risks. In a well facilitated brainstorming session, the participants are collaborators, comprising a team that works together to articulate the risks that may be known by some in the group. In the session, risks that are known unknowns may emerge, and perhaps even some risks that were previously unknown unknowns may become known.

Seeding, or providing participants with some form of stimulation on risks, is very important in a brainstorming session. One possibility is to provide an event inventory for the industry or a generic inventory of risks, as in Figure 3 below.

Figure 3 - Industry Portfolio of Risks

In a brainstorming session or facilitated workshop, the goal is to reduce the event inventory to those events relevant to the company and to define each risk specific to the company. Every participant has to fill in a risk identification survey template (refer Appendix D) appropriately.


i. Corporate Background

Some key risk-oriented characteristics of Jabil include:

Characteristics | Description
Locations and Operations | The company has a headquarters office in the St. Petersburg, Florida, United States of America area with a computer security development facility in San Jose, California, and four product distribution centres in smaller-city locations in the United States, as well as a distribution office in Belgium. In addition, the company has several hardware manufacturing facilities in Asia and a software production and distribution facility in India. All facilities are leased or licensed, and customer service functions have been outsourced.
Management team | The company's CEO was originally the founder of the company. He and three senior engineers are the only employees left over from the early days and its initial public stock offering (IPO). Due to turnover often typical in the industry, most employees have fairly short tenures. The CFO is quite new, as the prior officer was asked to resign because of a Sarbanes-Oxley-related dispute with the audit committee. The company makes extensive use of nonemployee contract workers. Reporting to the CAO, Global has a relatively small internal audit department as well as a single general counsel.
Product description | Jabil developed an electronic product that consists of a hardware device plugged in to a user's computer along with software drivers. The hardware device consists of a plug-in card based primarily on standard hardware chips along with some embedded programming. The software is based on proprietary algorithms. Elements of the product design are protected by patents, although these rights have been both challenged in courts and also somewhat copied by some competitors.
Marketing | Jabil's product is marketed by advertisements in professional publications as well as through a team of sales representatives. On a worldwide basis, 80% of sales are to individuals, with the balance to smaller businesses. The United States accounts for about 75% of product sales, with the balance from Europe. There is also a small but growing segment of sales in Brazil, where an independent agent is distributing the product. Jabil ships products from its distribution centres direct to computer equipment retailers as well as shipping to individual customers, based on their Internet, mail, or telephone orders.
Sales and finances | Jabil's $2.4 billion in sales is split in the following categories: consumer cash sales through credit card purchases 41.0%; sales to wholesale distributors 23.4%; export sales to agents 12.7%; licensing fees and royalties 4.9%.

Table 6 - Key Risk-Oriented Characteristics of Jabil

Jabil is a public company, traded on NASDAQ. With its stock broadly distributed, private equity venture capitalists hold 12% of the shares, and management holds 3%. Long-term debt totals $450 million, with the majority of that based on debentures sold to the venture capital investors. That debenture issue included warrants that could be converted into a substantial block of common stock.

ii. Corporate Risk Summary

These risks often cross the lines of the COSO ERM cube. They should simply be considered risks that impact the enterprise.

Organization strategic risks that could impact the effectiveness of products or operations:
• Changes in technology that impact the effectiveness of company products
• A currency crisis at one or another of the international operations countries causing major operations problems
• Increased tariffs or import/export regulations
• A major weather disturbance, such as a tornado, or military actions
• New competitors offering attractive alternative products
• Interest rate increases or other factors limiting the ability to finance expansion
• The failure of a key customer or vendor

Company operations risks:
• A computer system or network failure at one or several locations
• The unexpected resignation of a key management or technical senior manager
• Labour unrest or related problems at one or another facility
• The failure to complete several key planned information systems upgrades
• Product licensing disputes and resulting litigation
• The failure of an ISO or some other standards audit
• A major loss in stock market capitalization value due to reported operating losses or other negative information

Financial and operational reporting risks:
• Significant internal control weaknesses identified through a SOx Section 404 review
• Failure of one or another subsidiary unit to secure a "clean" external audit opinion
• Errors in individual unit financial or operations reports that are not readily detected at headquarters
• Service support reporting weaknesses

Compliance risks:
• Financial reporting errors or missed reports
• Compliance reporting failures at any level of local or national operations
• Failure to establish appropriate company-wide ethical and financial reporting compliance standards
• Failure to meet product quality standards

Table 7 - Corporate Risk Summary


iii. Jabil’s Mission Statement

Jabil is one of the leading worldwide suppliers of electronic devices. With strong

attention given to computer security risks and threats, we strive to offer one of the

most secure but easy-to-use combined software and hardware products in today's

marketplace.

In order to build our products and market them in ever-expanding circles, we will

assemble a worldwide team of superior computer security technical talent to

produce our products while selling them in an efficient and ethical manner. We

will continue to monitor our strategic and operational risks in this complex and

ever-changing world of computer security risks and threats.


iv. COSO ERM Risk Objective Setting Components

Figure 4 - Components of Objective Setting

c. Event Identification

Events are incidents or occurrences, external or internal to the organization, that affect the implementation of the ERM strategy or the achievement of its objectives.


There is a strong level of performance monitoring taking place in many organizations today, but that monitoring process tends to emphasize such matters as costs, budgets, quality assurance compliance, and the like (Moeller, Robert R., 2007). The ERM risk objectives can become lost in this process of monitoring more operational and process-oriented objectives. Organizations usually have strong processes to monitor such events as favourable and particularly unfavourable budget variances, but often do not regularly monitor either the actual events or the influencing factors that are the drivers of such budget variance events.

The COSO ERM executive summary framework documentation lists a series of types of influencing factors that should be part of the framework's event identification component, including:

Events | Description
External economic events | There is a wide range of external events that need to be monitored in order to help achieve an organization's ERM objectives. Ongoing short- and long-term trends may impact some elements of an organization's strategic objectives and thus have an impact on its overall ERM framework. For example, in December 2011, after some ongoing currency market turmoil, the USA declared a major default on its public debt. This type of external event had a major impact on many enterprises in many different areas, whether they were credit markets or suppliers of agricultural commodities, or had other business dealings in the USA.
Natural environmental events | Fire, flood, or earthquakes: numerous events can become identified as incidents in ERM risk identification. Impacts here may include loss of access to some key raw material, damage to physical facilities, or unavailability of personnel.
Political events | New laws and regulations as well as the results of elections can have a significant risk event-related impact on organizations. Many larger enterprises have a government affairs function that reviews developments here and lobbies for changes.
Social factors | While an external event such as an earthquake is sudden and arrives with little warning, most social-factor changes are slowly evolving events. These include demographic changes, social mores, and other events that may impact an organization and its customers over time. The growth of the Hispanic population in the United States is such an example. As more and more Hispanic people move to a city, for example, both the language-related teaching requirements in public schools and the mix of selections in grocery stores will change. As another example of societal change, the previously referenced dismissal of a major corporation CEO for a consensual sexual relationship with another company employee would probably have been ignored in another era. Changing social mores today led to that dismissal.
Internal infrastructure events | Organizations often make benign changes that trigger other risk-related events. For example, a change in customer service arrangements can cause major complaints and a drop in customer satisfaction. Strong customer demand for a new product may cause changes in plant capacity requirements and the need for additional personnel.
Internal process-related events | Changes in key processes can trigger a wide range of risk identification events. As with many such items, risk identification may not be immediate, and some time may pass before the process-related events signal the need for risk identification.
External and internal technological events | A wide assortment of ongoing technological events will trigger the need for formal risk identification. The Internet and the World Wide Web have been with us for some time, and the shift to an Internet environment has been somewhat gradual for many. In other cases, a company may suddenly release a new improvement that causes competitors everywhere to jump into action.

An organization needs to clearly define what it considers significant risk events and then should have processes in place to monitor all of those various potentially significant risk events so that the organization can take appropriate actions.


d. Risk Assessment, Response, and Control Activities

The first step in developing a comprehensive service continuity strategy is to identify risks that can lead to the disruption of operations. Two factors are considered in developing a Risk Assessment Matrix:

• Likelihood of Occurrence
• Potential impact to operations if the event occurs
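The likelihood and impact scoring just described, together with the inherent and residual assessment from Table 4 and the 1-3 criticality rating used in Table 9, as an added worked example in Python that is not part of the original assignment. The 1-5 scales, the criticality-to-impact mapping, the control-effectiveness figures, the rating bands, the risk tolerance of 8 and the sample register entries are all constructed assumptions for illustration.

```python
import math
from dataclasses import dataclass

# Likelihood and impact are scored 1-5 (assumption: the assignment gives no scale).
# The criticality rating 1-3 from Table 9 is mapped onto the impact scale (assumption).
CRITICALITY_TO_IMPACT = {1: 5, 2: 3, 3: 1}

# Rating bands for a likelihood x impact product, upper bound exclusive (assumption).
RATING_BANDS = ((5, "Low"), (10, "Medium"), (15, "High"), (26, "Extreme"))


@dataclass(frozen=True)
class Risk:
    system: str
    event: str
    criticality: int              # 1 = site cannot function without it .. 3 = functions fully without it
    likelihood: int               # inherent likelihood, 1 (rare) .. 5 (almost certain)
    control_effectiveness: float  # 0.0 = no control in place .. 1.0 = fully effective (assumption)


def rating(score: int) -> str:
    """Map a likelihood x impact product to a qualitative rating band."""
    for upper, label in RATING_BANDS:
        if score < upper:
            return label
    raise ValueError(f"score {score} lies outside the 1-25 matrix")


def impact(risk: Risk) -> int:
    return CRITICALITY_TO_IMPACT[risk.criticality]


def inherent_score(risk: Risk) -> int:
    """Inherent risk: likelihood x impact before any control is taken into account."""
    return risk.likelihood * impact(risk)


def residual_likelihood(risk: Risk) -> int:
    """Controls act on likelihood; impact (how critical the system is) does not change."""
    if not 0.0 <= risk.control_effectiveness <= 1.0:
        raise ValueError("control_effectiveness must be between 0 and 1")
    return max(1, math.ceil(risk.likelihood * (1.0 - risk.control_effectiveness)))


def residual_score(risk: Risk) -> int:
    return residual_likelihood(risk) * impact(risk)


def recommend_response(risk: Risk, tolerance: int) -> str:
    """Pick one of COSO's four response types (avoid, reduce, share, accept)."""
    if residual_score(risk) <= tolerance:
        return "accept"
    if risk.control_effectiveness < 0.5:
        return "reduce"       # weak or missing controls: add control activities first
    return "share/avoid"      # controls already strong: transfer (insurance, outsourcing) or avoid


def assess_register(risks, tolerance):
    """Score every risk and return rows sorted by residual score, highest first."""
    rows = []
    for r in risks:
        rows.append({
            "system": r.system,
            "event": r.event,
            "inherent": inherent_score(r),
            "inherent_rating": rating(inherent_score(r)),
            "residual": residual_score(r),
            "residual_rating": rating(residual_score(r)),
            "response": recommend_response(r, tolerance),
        })
    return sorted(rows, key=lambda row: (-row["residual"], row["system"]))


# Constructed sample register: systems taken from Table 9, event types from Table 7.
SAMPLE_REGISTER = [
    Risk("SAP", "system or network failure", 1, 3, 0.6),
    Risk("MES", "planned upgrade fails to complete", 1, 2, 0.3),
    Risk("Time & Attendance", "server outage", 2, 3, 0.5),
    Risk("Pointsec", "encrypted laptop lost", 3, 4, 0.8),
]
RISK_TOLERANCE = 8  # assumption: highest residual score the site is willing to accept


if __name__ == "__main__":
    for row in assess_register(SAMPLE_REGISTER, RISK_TOLERANCE):
        print(f"{row['system']:<18} inherent {row['inherent']:>2} ({row['inherent_rating']:<7}) "
              f"residual {row['residual']:>2} ({row['residual_rating']:<7}) -> {row['response']}")
```

The two criticality-1 systems keep a residual score above the tolerance, but only the one with weak controls gets "reduce"; the one whose controls are already strong is flagged for sharing or avoidance instead.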

i. Planning

The following tasks are necessary.

# | Task | Assignment
1 | Develop the work plan and assign responsibilities for completing tasks. | Information Technology Manager
2 | Introduce team to business continuity plan concepts, processes and tools. | Information Technology Manager
3 | Review inventory of assets and resources to verify completeness. | Information Technology Manager; System Administrator; Network Administrator; Business Analyst
4 | Use existing information to prepare the department’s Security Profile. | Information Technology Manager
5 | Identify threats to assets and resources. | Information Technology Manager
6 | Define process for keeping the plan current. | Information Technology Manager; System Administrator; Network Administrator; Business Analyst

Table 8 - Risk Assessment Planning Task

ii. Required Systems

Applications and databases used at the Jabil Penang site are owned by the following management team:

• General Manager
• Engineering Manager
• Manufacturing Manager
• Materials Manager
• Continuous Improvement Manager
• Financial Controller
• Human Resources Manager
• Information Technology Manager

Criticality Rating:

1 - The site cannot function without the system.
2 - The site can function partially without the system.
3 - The site can function fully without the system.

System Name | Description | Criticality | Owner
Agile | 3rd Party application for document management, approval | 1 | Engineering Manager
Agilent 5DX - Ray | Operating software to verify pass/fail of PCBAs | 2 | Engineering Manager
AMW (Assembly Maintenance Wizard) | MES QM Material and Checkpoint configuration tool. Process verification, Assembly material verification and Checkpoint configuration tool for TARS, CIQ and Manual Test Entry. | 2 | Engineering Manager
Auto Cad | Draft and Design software, used primarily for customer CAD data | 3 | Engineering Manager
BGA Repair | Profile generation for removing, placing, or reflowing surface mounted components | 2 | Engineering Manager
BRIO | 3rd Party web Front End Module for processing quality data entered into MES by CIQ. Need to find out if it is still being used. | 3 | Engineering Manager
Gagetrack | Calibration Reporting System. Data entry system for entering, storing, and reporting calibration of all required gauges and equipment | 2 | Engineering Manager
CIMbridge | Creation of Visual Aids | 2 | Engineering Manager
Cuteftp | Accessing ftp sites for transfer of customer documents | 3 | Engineering Manager
DR (Dynamic Replenishment) | | 2 | Materials Manager
Scrubbing Tool - Citrix access | BOM Scrubbing Tool | 3 | Engineering Manager
IRIS - Citrix Access | Golden BOM creation | 2 | Engineering Manager
Agile BOM - Citrix Access | Golden BOM Creation | 2 | Engineering Manager
Router Solutions | 3rd Party application for Translating CAD Data / reviewing BOM Info / Translating CAD Data | 3 | Engineering Manager
Package Inspector | 3rd Party application for looking at PDX packages | 3 | Engineering Manager
Agile Express | 3rd Party application for looking at PDX packages | 3 | Engineering Manager
Blue Beam | 3rd Party application for creating PDF documents | 3 | Engineering Manager
WinRar | 3rd Party application for file compression and extraction | 3 | Engineering Manager
WinZip | 3rd Party application for file compression and extraction | 3 | Engineering Manager
ESS (Employee Suggestion Scheme) | Application and database to enter process improvement suggestions | 3 | General Manager
Exceed | 3rd Party application for accessing UNIX systems | 2 | Engineering Manager
Fabmaster | CAM CAD Tool, used by Test Engineering | 3 | Engineering Manager
First Windows | Finance application | 2 | Financial Controller
Heel Strap Testing - CT8900 | Data entry system for recording and reporting employee testing of heel and wrist straps for ESD purposes | 3 | Engineering Manager
HR Database | Application and Database storing employee certification records, dates and frequency | 3 | Human Resource Manager
JAFFA | Feeder maintenance Application | 3 | Engineering Manager
JEDI | Manufacturing Application to view documents stored in Agile | 2 | Engineering Manager
JOS (Jabil Operating System) | Management system used to drive improvement activities | 3 | Manufacturing Manager
JOS Metrics | Application to correlate plant metrics | 2 | General Manager
Knowledge Pathways | On line training | 3 | Human Resource Manager
Loftware (Label Management) | Label Management | 1 | Engineering Manager
MES | Manufacturing Execution System for | 1 | Engineering Manager
MES Reports | Reporting system for MES | 2 | Engineering Manager
Report Builder | Reporting Tool for MES | 2 | Engineering Manager
EPS | Packout control system to prevent untested / failed product from shipping | 2 | Engineering Manager
Microsoft Office | Outlook, Word, Excel, Powerpoint, Visio, Access | 2 | General Manager
MPC (Management Planning & Control) | Forecasting application | 3 | Financial Controller
Olives | Visitor Login System | 3 | Human Resource Manager
PLR (5DX software) | Application to translate 5DX tester output | 3 | Engineering Manager
Pointsec | Encryption software for laptops | 3 | Information Technology Manager
QNET | Document Control System | 2 | Engineering Manager
SAP | Material resource planning software | 1 | Material Manager
SAT | Sourcing Application | 2 | Material Manager
SBA (Shipping Billing and Authorisation) | Web application to authorize material for shipment | 2 | Material Manager
Softscape | Employee Appraisal System | 3 | Human Resource Manager
SIS | Supplier Information System | 2 | Material Manager
SPS | Supplier Performance System (Scorecards) | 3 | Material Manager
SVS | SPC / Charting - Need more information - is it still being used | 3 | Material Manager
Axi to TARS | Converts AXI records to TARS suitable records | 3 | Engineering Manager
Manual Test Entry | Manual Test entry station for non networked test systems | 3 | Engineering Manager
CIQ (Computer Integrated Quality) | Manual Test entry station for non networked test systems | 1 | Engineering Manager
TARWIZ | Tars Reporting Wizard | 2 | Engineering Manager
VB TARS | Used for diagnosing and recording repairs to product | 1 | Engineering Manager
VB TARS RMA | Used for entering returned material back into the TARS database | 1 | Engineering Manager
Time & Attendance | Stores clock entry data, holiday\absence requests | 2 | Human Resource Manager
Universal GSM | Placement check for X, Y, and rotation data based on classification | 2 | Engineering Manager
Universal HSP | Placement check for X, Y, and rotation data based on classification | 2 | Engineering Manager
Vidifax | Supplier Fax solution | 2 | Material Manager
Valor | CAM CAD Tool, used for BOM comparisons, machine programming, set up sheets, etc. | 2 | Engineering Manager
Vitronics Oven | Oven temperature control / SPC / Charting | 2 | Engineering Manager
Waterfall Schedule Planning | Excel based, VB planning tool with SQL database | 2 | Material Manager
Web Plan / Rapid Response | Material Reporting tool used for planning and by the business unit for making business decisions. | 2 | Material Manager

Table 9 - Required Systems

iii. Unique Assets

The table below details the equipment and assets used at the Jabil Penang site.

Criticality Rating:

1 - The site cannot function without the asset

2 - The site can function partially without the asset.

3 - The site can function fully without the asset.

| Asset Description | Asset | Serial # | Detail | Role | Vendor | Criticality |
| PROLIANT DL360 | | 7J14FXX1SK01 | PENTRM01A | Terminal Server | HP | 2 |
| PROLIANT DL360 | | 7J14FXX1SK02 | PENTRM01B | Terminal Server | | 2 |
| PROLIANT DL360 G3 | | 7J34KYD11018 | PENTRM01C | Terminal Server | | 2 |
| PROLIANT DL360 | | 7J19FXK1A020 | PENTRM01D | Terminal Server | | 2 |
| PROLIANT DL360 G3 | | J17NKYD11D | PENTRM01E | Terminal Server | | 2 |
| PROLIANT DL360 G3 | | 7J34KYD1101M | PENTRM01G | Terminal Server | | 2 |
| PROLIANT DL360 G4 | | GBJ51103XG | PENTRM01T | Terminal Server | | 2 |
| PROLIANT DL380 | | 8145FSB11151 | PENMFG01 | SQL Server | | 2 |
| PROLIANT DL365 G1 | | GB8721FHR8 | PENCMP10 | Com + | | 1 |
| PROLIANT DL365 G1 | | GB8725KBNL | PENCMP11 | Com + | | 1 |
| PROLIANT DL365 G1 | | GB8721FHMB | PENJAFN10A | JAF Server | | 1 |
| PROLIANT DL365 G1 | | GB8721FHNP | PENJAFN10B | JAF Server | | 1 |
| Desktop | | | PENDEV01 | Development SQL Server | | 3 |
| Desktop | | | PENDEVTEST01 | Development SQL Server | | 3 |
| PROLIANT DL380 G4 | | GB84512PAJ | PENSQL06 | Site SQL Server | | 1 |
| PROLIANT DL380 G4 | | GB8527DA8D | PENSQL08 | Site SQL Server | | 1 |
| PROLIANT DL320 G2 | | J03MKVJB3N | PENPRS10 | Parser | | 1 |
| PROLIANT DL320 G2 | | J050KVJB3N | PENPRS11 | Parser | | 1 |
| PROLIANT DL320 G2 | | J04NKVJB3N | PENPRS12 | Parser | | 1 |
| PROLIANT DL320 G4 | | GBJ61200EL | PENPRS13 | Parser | | 1 |
| PROLIANT DL320 G4 | | GBJ61602M9 | PENPRS14 | Parser | | 1 |
| DESKTOP | | 8139JYGZ014R | PEN1IT100 | Pointsec Server | | 3 |
| PROLIANT 5500 | | 8945CQW300240 | PENFILE01 | File Server | | 1 |
| PROLIANT DL320 G2 | | 7J37KVJ6M032 | PENMRP02 | MRP Download / Thinclient Server | | 1 |
| PROLIANT DL360 G4 | | GBJ506003F | PENNCU10 | NCU Server | | 1 |
| PROLIANT 1850R | | 8906CFW10220 | PENNCU11 | T&A Clocks System | | 2 |
| PROLIANT DL380 G2 | | D205FRW1M008 | PENOPU01 | Oputils Server | | 3 |
| PROLIANT DL320 G2 | | J03YKVJ61P | PENPRNT02 | Print Server | | 1 |
| PROLIANT DL320 G2 | | J03TKVJ61P | PENPRT01 | Print Server | | 1 |
| PROLIANT DL380 G4 | | GB8606XPD5 | PENSMS02 | SMS Server | | 2 |
| PROLIANT DL380 G4 | | GB80442AMP | PENVALOR01 | Valor Server | | 2 |
| DESKTOP | | 8010CKH61502 | PENVIDI01 | VidiFax Server | | 2 |
| PROLIANT DL320 G2 | | J04PKVJB3H | PENWEB01 | Web Server | | 3 |
| PROLIANT DL320 G2 | | 7J37KVJ6M066 | PENWSUS01 | WSUS Server | | 3 |
| PROLIANT DL380 G4 | | GB86339N2X6 | PENTEAPP05 | TE Server | | 2 |
| PROLIANT ML370 | | 8030DKJ11022 | PENTEAPP01 | TE Server | | 2 |
| PROLIANT DL360 G4p | | GB8627CPDR | PENFAB10 | Fabmaster Server | | 2 |
| PROLIANT DL360 G5 | | GB8725KBJ8 | PENFAB11 | Fabview Server | | 2 |
| PROLIANT DL580 | | D112DYT1K025 | PENFAB01 | Old Fabmaster Server | | 3 |
| HP9000 | | | CLHP68 | | | 3 |
| HP9000 | | | CLHP69 | | | 3 |
| C240 | | | CLHP90 | | | 3 |
| C240 | | | CLHP96 | | | 3 |
| Desktop | | | PEN3070filea | | | 3 |
| Desktop | | | PEN3070fileb | | | 3 |
| | | | PENteapp03 | TE Server | | 3 |
| Compaq Deskpro | | | PENteapp04 | TE Server | | 3 |
| PBX 1: Power Module; Fibre Receiver Card; RAN / PAG Card (Music); 6 x Digital Card; 3 x Analogue Card | | | | Telecoms exchange | Telekom Malaysia | 1 |
| PBX 2: Power Module; Fibre Receiver Card; 3 x Analogue Card; 7 x Digital Card; RAN / PAG Card (Music) | | | | Telecoms exchange | | 1 |
| PBX 3: Power Module; Controller Card; 2 x PIR Card; PRI Card "Undocked"; Voice GTW Card; Analogue Card; 4 x Digital Card; Mail Module | | | | Telecoms exchange | | 1 |
| PBX 4: Power Module; Fibre Receiver Card; 2 x Analogue Card; 5 x Digital Card | | | | Telecoms exchange | | 1 |
| Nortel Signalling Server | | | Elan: 10.228.4.5; Tlan: 10.228.4.37 | | | 1 |
| APC SmartUPS RT 3000VA double conversion on-line UPS units for comms rooms | | | RMD CARSEBRIDGE UPS | | | 1 |
| Cisco 2600 Router | CISCO2651 | JMX0603K0H0 | Cisco 2600 Router | | Dimension Data | 1 |
| Comp Room Switch | WS-C2948G | FOX05450EEZ | Comp Room Switch | | | 1 |
| Comms A 4000 switch | WS-X4013 | JAB052505ZH | Comms A 4000 switch | | | 1 |
| Comms A 10/100 48 port RJ45 | WS-X4148-RJ45V | JAB0529076S | Comms A 10/100 48 port RJ45 | | | 1 |
| Comms A 10/100 48 port RJ45 | WS-X4148-RJ45V | JAB052907DZ | Comms A 10/100 48 port RJ45 | | | 1 |
| Comms A 10/100 48 port RJ45 | WS-X4148-RJ45V | JAB052907DV | Comms A 10/100 48 port RJ45 | | | 1 |
| Comms A 10/100 48 port RJ45 | WS-X4148-RJ | JAB054106V8 | Comms A 10/100 48 port RJ45 | | | 1 |
| Comms B Switch | WS-C2948G | FOX05450EF4 | Comms B Switch | | | 1 |
| Comms D Switch | WS-C2948G | FOX05450EF9 | Comms D Switch | | | 1 |
| Comms D Switch | WS-C2948G | FOX05450EGB | Comms D Switch | | | 1 |
| Comp Room 6509 chassis | WS-C6509 | SCA055200LS | Comp Room 6509 chassis | | | 1 |
| Comp Room 6509 Policy Feature Card | WS-F6K-PFC2 | SAD054302BW | Comp Room 6509 Policy Feature Card | | | 1 |
| Comp Room 6509 GBIC card | WS-X6416-GBIC | SAL0551FJQY | Comp Room 6509 GBIC card | | | 1 |
| Comp Room 6509 supervisor card | WS-X6K-SUP2-2GE | SAD054604AZ | Comp Room 6509 supervisor card | | | 1 |
| Comp Room 6509 10/100 48 PORT rj45 | WS-X6348-RJ-45 | SAL0552FQZ6 | Comp Room 6509 10/100 48 PORT rj45 | | | 1 |
| Comp Room 6509 10/100/1000 48 PORT rj45 | WS-X6148-GE-TX | SAL09264KML | Comp Room 6509 10/100/1000 48 PORT rj45 | | | 1 |
| Comp Room 6509 10/100/1000 48 PORT rj45 | WS-X6148-GE-TX | SAL092642L0 | Comp Room 6509 10/100/1000 48 PORT rj45 | | | 1 |
| RDC 6509 Chassis | WS-6509 | SCA0552200LV | RDC 6509 Chassis | | | 1 |
| RDC 6509 Policy Feature Card | WS-F6K-PFC2 | SAD055104A9 | RDC 6509 Policy Feature Card | | | 1 |
| RDC 6509 10/100 48 PORT rj45 | WS-X6348-RJ-45 | SAL0552FQUD | RDC 6509 10/100 48 PORT rj45 | | | 1 |
| RDC 6509 GBIC card | WS-X6416-GBIC | SAL0551FJP2 | RDC 6509 GBIC card | | | 1 |
| RDC 6509 supervisor card | WS-X6K-SUP2-2GE | SAD055101C1 | RDC 6509 supervisor card | | | 1 |
| RDC 3560G | WS-C3560G-48PS | FOC1108Y06G | RDC 3560G | | | 1 |
| Portakabin 4000 series | WS-X4013 | JAB052505KJ | Portakabin 4000 series | | | 1 |
| Portakabin 4000 series 10/100 48 Port rj45 | WS-X4148-RJ | JAB052908BQ | Portakabin 4000 series 10/100 48 Port rj45 | | | 1 |
| Portakabin 4000 series 10/100 48 Port rj45 | WS-X4148-RJ | JAB052908CA | Portakabin 4000 series 10/100 48 Port rj45 | | | 1 |
| Computer Room 3560G | WS-C3560G-48PS | FOC1108Y117 | Computer Room 3560G | | | 1 |
| Customer broadband switch | WS-C1924-EN | FAB0324T04K | Customer broadband switch | | | 1 |
| Catalyst 2900XL 24x10/100 | WS-C2924C-XL | FAA0305H0HE | Catalyst 2900XL 24x10/100 | | | 1 |
| Catalyst 2900XL 24x10/100 | WS-C2924-XL-EN | F0C0534Y0Y4 | Catalyst 2900XL 24x10/100 | | | 1 |
| RDC 4006 | WS-X4013 | JAB053905LV | RDC 4006 | | | 1 |
| RDC 4006 | WS-X4148-RJ | JAB054106VL | RDC 4006 | | | 1 |
| RDC 4006 | WS-X4548-GB-RJ45 | JAE0944PEFW | RDC 4006 | | | 1 |
| shop floor switch | WS-C1924-EN | FAB031730TQ | shop floor switch | | | 1 |
| shop floor switch | WS-C1924-EN | FAB04083DHQ | shop floor switch | | | 1 |
| shop floor switch | WS-C1924-A | FAA0307G0XC | shop floor switch | | | 1 |
| shop floor switch | WS-C1924-A | FAB0346V0M0 | shop floor switch | | | 1 |
| shop floor switch | WS-C1924-A | FAB0401U0SX | shop floor switch | | | 1 |
| shop floor switch | WS-C2924XL | FOC0535Y07U | shop floor switch | | | 1 |
| 24 port hub | 3C16671 | INACCESSIBLE | 24 port hub | | | 2 |
| 24 port hub | 3C16671 | INACCESSIBLE | 24 port hub | | | 2 |
| 24 port hub | 3C16671 | INACCESSIBLE | 24 port hub | | | 2 |
| 24 port hub | 3C16671 | INACCESSIBLE | 24 port hub | | | 2 |
| 24 port hub | 3C16671 | INACCESSIBLE | 24 port hub | | | 2 |
| 24 port hub | 3C16671 | INACCESSIBLE | 24 port hub | | | 2 |
| 24 port hub | 3C16671 | INACCESSIBLE | 24 port hub | | | 2 |
| 24 port hub | 3C16671 | INACCESSIBLE | 24 port hub | | | 2 |
| 24 port hub | 3C16671 | INACCESSIBLE | 24 port hub | | | 2 |
| 24 port hub | 3C16671 | INACCESSIBLE | 24 port hub | | | 2 |
| 24 port hub | 3C16671 | INACCESSIBLE | 24 port hub | | | 2 |
| 24 port hub | 3C16671 | INACCESSIBLE | 24 port hub | | | 2 |
| 24 port hub | 3C16441 | | 24 port hub | | | 2 |
| 24 port hub | 3C16441 | INACCESSIBLE | 24 port hub | | | 2 |
| 24 port hub | 3C16441 | INACCESSIBLE | 24 port hub | | | 2 |
| 24 port hub | 3C16441 | MISSING | 24 port hub | | | 2 |
| 24 port hub | 3C16441 | INACCESSIBLE | 24 port hub | | | 2 |
| 24 port hub | 3C16450 | INACCESSIBLE | 24 port hub | | | 2 |
| 12 port switch | 3C16920 | | 12 port switch | | | 2 |
| Aironet 1200 access point | AIR-AP1220B-E-K9 | FHK0731K2Q6 | Aironet 1200 access point | | | 1 |
| Aironet 1200 access point | AIR-AP1220B-E-K9 | FHK0731K2QB | Aironet 1200 access point | | | 1 |
| Aironet 1200 access point | AIR-AP1220B-E-K9 | FHK0837K0BS | Aironet 1200 access point | | | 1 |
| Aironet 1200 access point | AIR-AP1220B-E-K9 | FHK0837K0BX | Aironet 1200 access point | | | 1 |
| Aironet 1200 access point | AIR-AP1242AG-E-K9 | FCZ095380BD | Aironet 1200 access point | | | 1 |
| Aironet 1200 access point | AIR-AP1220B-E-K9 | FHK0731K2QN | Aironet 1200 access point | | | 1 |
| Aironet 1200 access point | AIR-AP1220B-E-K9 | FHK0731K2QK | Aironet 1200 access point | | | 1 |
| Aironet 1200 access point | AIR-AP1220B-E-K9 | FHK0731K2QD | Aironet 1200 access point | | | 1 |
| Aironet 1200 access point | AIR-AP1242AG-E-K9 | FCZ101381UB | Aironet 1200 access point | | | 1 |
| Aironet 1200 access point | AIR-AP1231G-E-K9 | FCZ0924Z117 | Aironet 1200 access point | | | 1 |
| CISCO WS-C3750-48TS | WS-C3750-48TS | CAT09451AJX | CISCO WS-C3750-48TS | | | 1 |
| CISCO WS-C3750-48TS (spare) | WS-C3750-48TS | CAT09451AF4 | CISCO WS-C3750-48TS (spare) | | | 1 |
| Aironet 1200 access point | AIR-AP1220B-E-K9 | FHK0837K0AT | Aironet 1200 access point | | | 1 |
| Aironet 1200 access point | AIR-AP1242AG-E-K9 | FCZ095380BG | Aironet 1200 access point | | | 1 |
| 16-port async access server | AS2511-RJ | 250736186 | 16-port async access server | | | 1 |
| Cisco 2600 Router | CISCO2611 | SHN0243012X | Cisco 2600 Router | | | 1 |
| Cisco 2600 Router | CISCO2611 | JAC0435A301 | Cisco 2600 Router | | | 1 |
| Cisco 2500 Router | CISCO2511 | 250915420 | Cisco 2500 Router | | | 1 |

Table 10 - Unique Assets

iv. Security Profile

The table below details, for each of the assets and resources included in the unique assets section, the potential impact of losing the resource.

Criticality Rating:

1 - The site cannot function without support: “high” impact.

2 - The site can function partially without support: “medium” impact.

3 - The site can function fully without support: “low” impact.


| Assets and resources | N/A | Low | Medium | High |
| Terminal services | | | | |
| File services | | | | |
| Database services | | | | |
| Web services | | | | |
| Print services | | | | |
| Parsers | | | | |
| Encryption services | | | | |
| Test Engineering services | | | | |
| Faxing services | | | | |
| Development services | | | | |
| WAN | | | | |
| LAN | | | | |
| Customer networks | | | | |
| Telecommunication services | | | | |

Table 11 - Security Profile

v. Threat Identification and Resource Requirements for Business Continuity

The table below highlights potential threats, risks, risk controls (resource

requirements) and any conclusions, along with the estimated costs associated with the

threat.

Low Cost: 0 – MYR12500

Medium Cost: MYR12500 – MYR50000

High Cost: > MYR50000

Power Failure

| | High cost | Medium cost | Low cost | Minimal / No cost |
| High risk | 1 | 5 | 9 | 13 |
| Medium risk | 2 | 6 | 10 | 14 |
| Low risk | 3 | 7 | 11 | 15 |
| Unlikely risk | 4 | 8 | 12 | 16 |

Risk:

a) The main incoming power supply comes from two 11 kV feeder cables on the same ring. The supply enters the site via the rail bridge.

Risk controls:

- The site infrastructure has a UPS backup system.

- There is a Mega stream connection to other plants.

- Data is backed up and stored in an offsite data vault.

Conclusions:

A new switching arrangement has been approved by Malaysian Power, under which, in the event of a power failure, Jabil Penang will be fed from another source.

Aircraft

| | High cost | Medium cost | Low cost | Minimal / No cost |
| High risk | 1 | 5 | 9 | 13 |
| Medium risk | 2 | 6 | 10 | 14 |
| Low risk | 3 | 7 | 11 | 15 |
| Unlikely risk | 4 | 8 | 12 | 16 |


Risk:

The plant is situated approximately 3 km from Bayan Lepas airport.

Wind

| | High cost | Medium cost | Low cost | Minimal / No cost |
| High risk | 1 | 5 | 9 | 13 |
| Medium risk | 2 | 6 | 10 | 14 |
| Low risk | 3 | 7 | 11 | 15 |
| Unlikely risk | 4 | 8 | 12 | 16 |

The Penang site location is situated in a fairly exposed surrounding and is

therefore exposed to the natural weather elements. However, the area is not

normally subject to hurricane forces.

Risk:

a) High wind is unlikely to affect the building but could damage the electrical supply cables to the Penang area.

b) High winds may disrupt road traffic and employee travel arrangements but should not compromise production.

Bomb threat & sabotage / Civil insurrection

| | High cost | Medium cost | Low cost | Minimal / No cost |
| High risk | 1 | 5 | 9 | 13 |
| Medium risk | 2 | 6 | 10 | 14 |
| Low risk | 3 | 7 | 11 | 15 |
| Unlikely risk | 4 | 8 | 12 | 16 |


The situation is stable at the present time; however, there is some risk in all companies of disgruntled ex-employees seeking retribution against their ex-employer. There is also a level of risk given the current climate of terrorist attacks.

Risk controls:

Closed-circuit television. Security procedures and regular internal and external patrols should identify any would-be perpetrators.

Fire

| | High cost | Medium cost | Low cost | Minimal / No cost |
| High risk | 1 | 5 | 9 | 13 |
| Medium risk | 2 | 6 | 10 | 14 |
| Low risk | 3 | 7 | 11 | 15 |
| Unlikely risk | 4 | 8 | 12 | 16 |


The risk of fire on the site has reduced considerably with the introduction of the no-smoking policy. Other areas of risk are the kitchen, the ovens and the wave soldering machines in the main production area.

Risk Controls:

- Fire-fighting appliances to BS 5306, BS 5423 and BS EN 3. These are maintained and serviced by a BAFE-registered company.

- Sprinkler system installed throughout the building.

- The fire detection and emergency lighting systems conform to BS 5446.

- “Red care” alarm system installed, connected to the local fire brigade.

- A basic fire-fighting training programme has been identified.

- Regular evacuation drills are carried out.

- Jabil Penang complies with the Fire Services Act 1988 (Malaysia) and has a current fire certificate.

- The Jabil Penang Facilities department retains the test records.

Conclusions:

Jabil Penang believes all necessary steps have been taken to mitigate and reduce risk.

Flood

| | High cost | Medium cost | Low cost | Minimal / No cost |
| High risk | 1 | 5 | 9 | 13 |
| Medium risk | 2 | 6 | 10 | 14 |
| Low risk | 3 | 7 | 11 | 15 |
| Unlikely risk | 4 | 8 | 12 | 16 |


The Jabil Penang site is considered safe because of Penang’s small island terrain. Therefore there is no risk of high-water flooding.

There is risk of accidental spillage from internal water and fire prevention systems

but this risk is minimised through maintenance routines.

Water Supply

| | High cost | Medium cost | Low cost | Minimal / No cost |
| High risk | 1 | 5 | 9 | 13 |
| Medium risk | 2 | 6 | 10 | 14 |
| Low risk | 3 | 7 | 11 | 15 |
| Unlikely risk | 4 | 8 | 12 | 16 |

Although there is no means of monitoring the quality of the incoming water, the water board charter states that it will maintain the water supply at agreed levels of purity and pH.

The water reserve tank should supply hygiene services for two days should the

supplies be disrupted.

A consideration for the future would be to consider a recycling process for water

by installing de-ionized water system.

Gas Supply

| | High cost | Medium cost | Low cost | Minimal / No cost |
| High risk | 1 | 5 | 9 | 13 |
| Medium risk | 2 | 6 | 10 | 14 |
| Low risk | 3 | 7 | 11 | 15 |
| Unlikely risk | 4 | 8 | 12 | 16 |


Jabil Penang has a twin gas governor arrangement, so no interruptions are experienced during routine maintenance operations.

Petronas, the gas supply pipeline operator, provides emergency support 24 hours a day, 7 days a week, 365 days a year.

Land Subsidence

| | High cost | Medium cost | Low cost | Minimal / No cost |
| High risk | 1 | 5 | 9 | 13 |
| Medium risk | 2 | 6 | 10 | 14 |
| Low risk | 3 | 7 | 11 | 15 |
| Unlikely risk | 4 | 8 | 12 | 16 |

Land subsidence is considered a very low risk:

a) A full geotechnical site investigation was carried out prior to Jabil purchasing the land; this did not highlight any significant future risk of subsidence.

b) There is no site history of subsidence within the site and surrounding boundaries.

Hazardous material release

| | High cost | Medium cost | Low cost | Minimal / No cost |
| High risk | 1 | 5 | 9 | 13 |
| Medium risk | 2 | 6 | 10 | 14 |
| Low risk | 3 | 7 | 11 | 15 |
| Unlikely risk | 4 | 8 | 12 | 16 |


The main risk surrounds the liquid nitrogen storage tanks and their replenishment:

- Storage vessels and associated pipework are under maintenance contract.

- Delivery drivers and key Jabil Penang employees are aware of the emergency procedures.

- There have been no significant incidents within the history of the Jabil Penang site.

Transportation

| | High cost | Medium cost | Low cost | Minimal / No cost |
| High risk | 1 | 5 | 9 | 13 |
| Medium risk | 2 | 6 | 10 | 14 |
| Low risk | 3 | 7 | 11 | 15 |
| Unlikely risk | 4 | 8 | 12 | 16 |

There is no history of any significant transportation incidents at the Jabil Penang site. However, the second Penang bridge is currently under construction towards the main road to the Penang site. Consideration by the local authorities to improve the transport infrastructure will take place in the event that Jabil Penang applies to expand the site.

Food Poisoning

| | High cost | Medium cost | Low cost | Minimal / No cost |
| High risk | 1 | 5 | 9 | 13 |
| Medium risk | 2 | 6 | 10 | 14 |
| Low risk | 3 | 7 | 11 | 15 |
| Unlikely risk | 4 | 8 | 12 | 16 |


No incident of food poisoning has been recorded in the Jabil Penang site. The

catering company that operates on site has very high hygiene and health and safety

standards and adheres to various regulatory requirements.

Contagious Diseases

| | High cost | Medium cost | Low cost | Minimal / No cost |
| High risk | 1 | 5 | 9 | 13 |
| Medium risk | 2 | 6 | 10 | 14 |
| Low risk | 3 | 7 | 11 | 15 |
| Unlikely risk | 4 | 8 | 12 | 16 |

In the event that a contagious disease or symptoms are discovered, Jabil Penang

site is located less than 10 minutes from Hospital Pantai to allow quick diagnosis.

Jabil maintains a Global Contagious Disease Contingency Plan.

Wide Area Network (WAN) Circuit

| | High cost | Medium cost | Low cost | Minimal / No cost |
| High risk | 1 | 5 | 9 | 13 |
| Medium risk | 2 | 6 | 10 | 14 |
| Low risk | 3 | 7 | 11 | 15 |
| Unlikely risk | 4 | 8 | 12 | 16 |


Risk:

Jabil Penang has network circuit connections to Global Crossing and Sprint. The two connections provide resilience and redundancy. The main risk resides with the last mile of both the Global Crossing and Sprint cable runs. The last mile for both circuits runs from the local exchange to the Jabil Penang site via a single duct. In the event that a hole was dug and the cable was cut, the Penang facility would have no network connectivity or access; every system would be offline.

Risk controls:

To reduce the level of risk a third circuit is currently being sized. The circuit

being investigated is wireless, which would mitigate the single point of failure and

risk.

Technical Failure

| | High cost | Medium cost | Low cost | Minimal / No cost |
| High risk | 1 | 5 | 9 | 13 |
| Medium risk | 2 | 6 | 10 | 14 |
| Low risk | 3 | 7 | 11 | 15 |
| Unlikely risk | 4 | 8 | 12 | 16 |


Risk:

Ability to provide continuity of IT services: a technical failure may occur in any one of the IT services.

Risk controls:

The following risk controls are in place today to help mitigate or reduce the level

of impact:

- Backup and recovery strategy, including off-site storage

- Elimination of single points of failure such as the single entry point into

the Penang site for the WAN circuits, single power supply into the building

- Services run from corporate and regional locations

- Resilient IT systems and networks constantly change-managed to ensure

maximum performance in meeting the increasing business requirements

- Greater security controls such as a physical access control system using

unique pin codes and restricted badge access

- Better control to detect local service disruptions such as fire detection

coupled with suppression systems, water, temperature and humidity

detection systems

- Improving procedures to reduce the likelihood of errors or failures, such as change control

e. Information and Communication



The risk response component receives residual and inherent risk inputs from the risk assessment component, as well as risk tolerance support from the objective-setting component. It then provides risk response and risk portfolio data to the control activities component, and risk response feedback to the risk assessment component. Standing alone, the monitoring component has no direct information connections but has overall responsibility for reviewing all of these functions. Refer to the image below (Figure 5 - Flow of Information and Communication) for the flow of communication within the enterprise.


Figure 5 - Flow of Information and Communication


f. Monitoring

The COSO ERM application framework document suggests this monitoring could include

the following types of activities.

- Implementation of a strong and ongoing management reporting mechanism such as cash positions, unit sales, and other key financial and operational data. A well-organized organization should not have to wait until fiscal month end or worse for these types of operational and financial status reports. Reporting tools should be expanded to include key ERM measures. This type of flash reporting should take place at all appropriate levels of the organization.

- Periodic reporting processes should be installed to specifically monitor key aspects of established risk criteria. These might include such things as acceptable error rates or items held in suspense. Rather than just reporting periodic statistics, such reporting should emphasize statistical trends and comparisons with prior periods as well as with other industry sectors. This type of reporting will highlight potential risk-related alerts.

- The current and periodic status of risk-related findings and recommendations from internal and external audit reports. This periodic reporting should include the status of ERM-related SOx identified gaps.

- Updated risk-related information from sources such as government revised regulations, industry trends, and general economic news. Again, this type of economic and operational reporting should be available for managers at all levels. That same information reporting should be expanded to include ERM issues as well.


i. Role of Internal Audit

Internal auditors represent the "eyes and ears" of management as specialists who visit

all areas of an organization and report back to management on the status of the

operations visited (Moeller, Robert R., 2011). They have historically had ongoing

concerns and interests in risk management. In particular, internal auditors have

regularly assessed the relative risks of areas to be examined when planning their

upcoming audit activities, deciding which areas or functions within an organization to

select for internal audits.

Whether it is internal audit, a risk management team under a Chief Risk Officer (CRO),

outside consultants, or other trained staff from within the organization, any specific

individual reviews of an ERM process might use the following tools:

| Tools | Description |
| Process flowcharting | As part of any identified ERM process, the parties responsible should have developed flowcharts documenting that process. If not for any other reason, such flowcharts would have been developed as part of their SOx Section 404 review work. These same process flowcharts can be very useful in completing an ERM review of an individual process. This requires looking at the documentation prepared for a process, determining if the process documentation is correct given current conditions, and updating the process flowcharts as appropriate. This update should determine if those identified risks still appear appropriate and if risks have been identified appropriately. |
| Reviews of risk and control materials | An ERM process often results in a large volume of guidance materials, documented procedures, report formats, and the like. There is often value in reviewing the risk and control materials from an effectiveness perspective. A dedicated ERM team, internal audit, or the organization's quality assurance function can perform such reviews. |
| Benchmarking | Although an often misused term, benchmarking here is the process of looking at the ERM functions in other enterprises to assess their operations and to develop an approach based on the best practices of others. Gathering such comparative information is often a difficult task, as competing organizations are often reluctant to share competitive data. The process works best when one-to-one professional contacts can be developed, but information regarding how others have attempted to solve similar problems is often very valuable. |
| Questionnaires | A good method for gathering information from a wide range of people, questionnaires can be sent out to designated stakeholders with requests for specific information. This is a valuable technique for monitoring when the respondents are scattered geographically, such as a risk-monitoring survey of employees in a nationwide retail organization. |
| Internal infrastructure events | Organizations often make benign changes that trigger other risk-related events. For example, a change in customer service arrangements can cause major complaints and a drop in customer satisfaction. Strong customer demand for a new product may cause changes in plant capacity requirements and the need for additional personnel. |
| Facilitated sessions | Valuable information can often be gathered by asking selected people to participate in a focus group session led by a skilled conference leader. This is the approach used by many organizations for gathering market research information through what are called focus groups. This same general approach can be used to gather a team of people, often from different positions in the organization, to review the enterprise risk status of a particular area. People with different responsibilities can often work together to provide some good information about the risk-related status of selected activities. |

Table 12 - Tools in ERM Process of Monitoring

The purpose of this monitoring process is to assess how well the ERM framework is functioning in an organization. Deficiencies should be regularly reported to the managers responsible for enterprise risks in the specific area monitored, as well as to the ERM or risk management office. The roles and responsibilities of the CRO and the risk management office, and the steps to building an effective risk management program in an organization, are to ascertain that enterprise risks are properly understood and translated into meaningful business requirements, objectives, and metrics. The concept behind this monitoring is not just to find faults or deficiencies but to identify areas where the ERM framework can be improved (R. S. Khatta, 2008). For example, if some event monitoring work points to areas where a function is assuming excessive levels of risk, processes need to be in place to install corrective actions.


6. Risk Manager Role

Both the position of a CRO and a supporting formal ERM function are new to many enterprises today (Moeller, Robert R., 2008). However, to implement this very important function or concept of COSO ERM, an enterprise should establish both. An effective ERM group will improve the overall enterprise controls environment and many of the organisation’s procedures. While the enterprise risk function can operate similarly to an internal audit function with its own reviews, it is important to remember that the CRO and the designated risk management function have a significant overall responsibility for helping to launch and manage the overall COSO ERM framework.

a. Analysis of Jabil’s Safety and Health Policy in accordance to risk management

Jabil encourages a work environment that is free from safety and health hazards, intimidation and harassment, or any other behaviour not conducive to productive and excellent work. Jabil is committed to abiding by all health and safety rules applicable to any job. Beyond this, Occupational Safety and Health (OSH) criteria must be implemented in the organisation, as highlighted in Jabil’s OSH policy in the following section.

Occupational Safety and Health (OSH) legislation requires that all foreseeable hazards

are identified and the risks arising from these hazards are eliminated or controlled.

Risk management is a legal requirement for all businesses regardless of their size and

basically it involves asking the following questions:

- What hazards exist in the workplace?

- How serious are the hazards?

- What can be done to control these hazards?

Risk management is a process of identifying hazards in the workplace, assessing the risk of those hazards and then implementing control measures that eliminate or minimise the risk of injury or loss from the hazards identified. Control measures which have been put in place must be reviewed periodically to check that they actually fix the problem without creating another one.

b. OSH Policy of Jabil Circuit Sdn Bhd

Jabil Circuit Sdn Bhd is an electronic manufacturer of circuit board assemblies and systems for global electronic product companies. Jabil Circuit Sdn Bhd is fully committed to conducting its business in a responsible manner and to achieving excellence in occupational, health and safety practices in all areas within Jabil Circuit Sdn Bhd. We continually strive to reduce the occupational, safety and health impact and risk in our operations.

We are committed to:

1) Complying with relevant Malaysian occupational, health and safety regulations and other requirements applicable to our operations.

2) Driving occupational, health and safety responsibility from top management to all levels.

3) Preventing by adopting industry best practices and providing a safe and healthy working environment.

4) Inculcating our employees, customers, contractors, vendors and suppliers with awareness of occupational health and safety.

5) Providing occupational, health and safety training and instructions to our employees.

6) Conducting audits and reviewing our OSH objectives and targets regularly to create a conducive working environment.

7) Pursuing continual improvements in OSH performance.

8) Communicating this policy to all employees and person(s) working for or on behalf of the organization, and making it available to the public.

This policy signed by Operations Director, Harwender Singh and dated on 1st June 2012.

c. Discussion of Jabil OSH Policy

Jabil's modus operandi in running its business must be understood when analysing Jabil's OSH Policy and its relevance to security management.

In terms of conciseness, this policy concentrates on and highlights OSH fundamentals that can easily be understood by employees at all levels. The first element in this policy states that the company complies with Malaysian regulation and other relevant requirements. It is understood that the regulation mentioned refers to the Malaysian OSH Act 1994 (OSHA 1994). Thus, the company is committed to complying with OSH legal requirements and to enforcing the regulation in the workplace.

To elaborate on OSHA 1994, its objectives are listed below:

• To secure the safety, health and welfare of persons at work
• To protect persons at a place of work other than employees
• To promote a suitable environment for persons at work
• To enable previous legislation to be replaced by regulations and approved industry codes of practice operating in combination with the OSH Act 1994

By referring to Jabil's OSH Policy, this first element reflects, as a whole, its counterpart in the OSHA 1994 objectives. Therefore, Jabil evidently considered this criterion the most important in OSH and placed it as the highest element in the OSH policy.

To ensure good practice of OSH and security management, Jabil took a preventive approach based on best practices, as mentioned in the third element of the OSH policy. Continual research on OSH, such as Hazard Identification, Risk Assessment and Risk Control (HIRARC), runs concurrently with Jabil's operations to achieve the best practical result. HIRARC has become fundamental to the practice of planning, management and the operation of a business as a basis of risk management. With HIRARC, Jabil is able to identify hazards, analyse and assess their associated risks, and then apply suitable control measures.

Jabil manages to conduct a dedicated induction for these employees and emphasises signage for better communication.

A general Jabil induction for all employees and impacted parties includes:

• A tour of the workplace
• Roles and responsibilities
• Emergency procedures
• General workplace hazards and safety signs
• Workplace hazard/incident reporting
• Introductions to fellow personnel in the work area
• Specific OSH instructions relevant to the specific area (e.g. Personal Protective Equipment (PPE), safety signage, and safe work procedures)
• Consultation mechanisms

Each unit or department in Jabil should perform local area inductions using the Jabil staff induction guide. A monthly assembly is held to keep reminding employees of the OSH policy, and there is a safety month at least once a year to engage all employees on OSH matters through attractive programmes. Usually, Jabil invites the Fire and Rescue Department of Malaysia (BOMBA) to conduct some events during safety month to create a realistic environment for safety awareness.

Apart from this, Jabil corresponds to the fifth element of the OSH policy by providing proper OSH training to appropriate personnel within the organisation to enhance their knowledge and skills. Those selected or volunteering personnel are expected to become competent workers, distribute their knowledge to others, and ensure safety awareness is at the highest level. Refer to Table 13 - Jabil OSH Training for Year 2012, below.

JABIL OSH TRAINING FOR YEAR 2012

| Program | Training Needs | Target Group |
|---|---|---|
| OSH-MS | Understanding and establishing an effective OSH-MS; OHSAS documentation requirements | Safety Committee members, Internal Auditors, selected personnel |
| Strategic Safety Management | OSH related Acts; principles of accident prevention; implications of accidents; prevention strategies; safe work behaviour; effective change agent | Supervisors, Senior Supervisors, Managers, Engineers |
| First Aid & CPR | Ability to attend to emergencies during a crisis | ERT members, Safety Committee, other interested personnel |
| Emergency response and planning | ERP process and procedures | ERT members, supervisory personnel, security personnel |
| Fire Prevention | Usage and inspection of fire fighting equipment | ERT members and other interested personnel |
| Positive and Proactive Safety Committee | Characteristics and performance indicators of the safety committee; effective management of the safety committee; effective meeting criteria | All Safety Committee members, Managers |
| CEP programs | Compliance with SHO legal requirements | Safety and Health Officers |

Table 13 - Jabil OSH Training for Year 2012

In order to implement good security management, Jabil conducts periodic evaluation of compliance with legal and other requirements through the risk management process (Figure 4). It was reviewed and confirmed that there were no changes in the legal and other requirements from September 2011 to February 2012. During this period, Jabil did not receive complaints from any internal or external parties.

Figure 6 - Risk Management Process

Note that once a review has taken place it does not end there. Environmental Health and Safety (EHS) audit findings are also closely monitored and recorded periodically, to be discussed concurrently with the risk management process. This review provides suggestions that need to be considered to improve safety outcomes, thus achieving sound security management. Through these suggestions, Jabil's top management comes out with the EHS objectives and targets shown in Table 14 - EHS Objectives and Target, below.

EHS OBJECTIVES AND TARGET

| Global: NA | Site: Environment Scope | Site: Safety and Health Scope |
|---|---|---|
| Reduce Energy Consumption – Plant wide 8% | To reduce the usage of electricity by 8% | To drive and reduce accidents to 0% plant wide |
| Establish process to assess building energy efficiency for new and existing buildings | To reduce the usage of water by 2% | Compliance with legal requirements by ensuring zero Non-Compliance Reports (NCR) from the Department of OSH (DOSH) and the Department of Environment (DOE) |
| Chemical management | NA | NA |

Table 14 - EHS Objectives and Target

For an OHS Risk Management strategy to be successful in an agency, it must be driven from senior management level, as this is the management level responsible for making critical decisions in terms of future direction. This statement is emphasised through the second element of Jabil's OSH policy.

In a big organisation such as Jabil, it is top management's responsibility to communicate OSH objectives and targets to all levels of employees through a systematic approach. This is done hierarchically, starting from Senior Management and Line Managers down to operators.

Risk management should be integrated during the initial stages of business planning. Within this context, resources such as human and financial resources should be made available by Senior Management to OSH practices and the action plan, as below:

• Training and education of staff and line managers in hazard identification, risk assessment and risk management.
• Allocation of funds for purchase of appropriate safety equipment as required.
• Any workplace modifications, either physical or process changes, which are required as a result of a risk assessment.

Through the discussion above, it is ascertained that in order to control and manage the risks, the organisation's core business and the key fundamentals of the OSH policy must be understood thoroughly by all personnel to achieve the OSH transformation described below.

Figure 7 - OSH Transformation

Awareness
• Knowledge of OSH is well communicated among employees.
• All impacted parties must be able to picture the OSH fundamentals of their workplace.

Implementation
• Consists of a set of procedures to be taken into action.
• Perform thoroughly a checklist of actions required, such as required training, and develop a visitor sign-in process.

Compliance
• To make sure all departments within the organisation comply with OSH legislation.
• Periodic audits to ensure OSH practices are deployed by all impacted parties.

Enhancement
• Efficiently managing resources to achieve a better working environment and boost the organisation's profitability.
• Able to enhance the OSH programme by blending current technology, organisational behaviour, and politics into an asset of the organisation to move forward.

7. Conclusion

In Jabil, we realise that effective risk management must be based on a holistic approach such as COSO ERM. By adhering to a standardized set of processes, procedures, and controls, Jabil can identify and assess risks and develop strategies or business priorities to mitigate them. Addressing those priorities may seem a complicated endeavour, but several key components make for a practical strategy, which can be delineated as follows: enterprise risk management is a holistic view of proper administration methodology within an organization. In this way, companies are able to look at the complete risk sphere in which they move. Besides the classical risks, which can be of a strategic, financial or operational nature or concern the legal environment, so-called emerging risks must also be considered. In addition, an organization may benefit from a proactive approach to occupational safety and health, whereby it improves productivity and business image and minimizes the costs associated with work-related injury or unnecessary loss.



Jabil Integrity Hotline

Jabil does business honestly. We need the help of all our employees to maintain the highest level of integrity. If you learn of any suspected wrongdoing, please report it to the company, either by speaking to a supervisor or by using the Jabil Integrity Hotline.

Jabil employees and others may use the Jabil Integrity Hotline to anonymously report concerns such as:

• Theft of Jabil property
• Kickbacks and bribes
• Unlawful or improper accounting practices
• Unlawful or improper performance of government contracts

An investigator employed by an outside company (EthicsPoint) will answer your call, take the information you have to offer, and forward a report for appropriate follow-up and investigation. Jabil strictly prohibits supervisors or employees from taking retaliatory actions against someone who reports information under this process; however, you may remain anonymous.

TOLL FREE HOTLINE: 1-800-81-2354
OPERATORS AVAILABLE 24 HOURS PER DAY
TRANSLATION SERVICES ARE AVAILABLE

You can also report your concerns using a web form: www.jabilhotline.ethicspoint.com

RISK IDENTIFICATION TEMPLATE

Please list the major strategies and/or objectives for your area of responsibility.

Please list the major risks your unit faces in achieving its objectives. List no more than 10 risks.

1. __________________________ 6. __________________________

2. __________________________ 7. __________________________

3. __________________________ 8. __________________________

4. __________________________ 9. __________________________

5. __________________________ 10. __________________________

Please assess the overall risk management capability within your area of responsibility to seize

opportunities

MAJOR STRATEGIES/OBJECTIVES FOR YOUR UNIT

Please list the major strategies/objectives for your unit

MAJOR RISKS FOR YOUR UNIT

Please list the major risks your unit faces in achieving your objectives. List no more than 10 risks.

1. __________________________ 6. __________________________

2. __________________________ 7. __________________________

3. __________________________ 8. __________________________

4. __________________________ 9. __________________________

5. __________________________ 10. __________________________