Business Continuity & Risk Management

Transcription

1 Business Continuity & Risk Management David Muil, Global VP Business Development 1 Intertek 2013,

2 Agenda Understanding Risk Business Continuity Management Risk assessment Summary 2 Intertek 2013,

3 Risk Defining Risk: Organizations of all types and sizes face internal and external factors and influences that make it uncertain whether and when they will achieve their objectives. The effect this uncertainty has on an organization's objectives is risk. ISO31000 Risk Management Principles and guidelines 3 Intertek 2013,

4 Risk External risks arise from factors (which cannot be controlled) such as economic factors (market risks, pricing pressure), natural factors (floods, earthquakes), political factors (compliance and regulations of government) Internal risks arise from factors (which can be controlled) such as human factors (talent management, strikes), technological factors (emerging technologies), physical factors (failure of machines, fire or theft), operational factors (processes, human error) Risks can be both positive and negative however most of the focus is on avoiding or mitigating negative ( hazard ) related risks as a disruptive event can be catastrophic! 4 Intertek 2013,

5 Risk: Disruptive Events Chipotle Will Increase Food Safety Measures Following E. Coli Outbreak Chipotle has had three known outbreaks this year -norovirus outbreak in Simi Valley that sickened 234, Salmonella outbreak in Minnesota that sickened 64 and an E. coli O26 outbreak that has of late sickened 55 Travelers report illnesses at Cuban resorts Unsanitary washrooms, unsafe food handling practices, unrelenting stomach pains, vomiting and diarrhea: these are some of the complaints being reported Child Labour 2015 Nearly 80% of Argentina s textile industry was found to be sourcing from unregulated facilities, where forced, child labour and poor working conditions are common Rise in recalls due to listeria cause for concern, scientist says There were five times as many food recalls due to listeria contamination in 2015 than I 2014 coming from cooked meat and fish products which means that the bacteria was probably introduced during packaging. Natural Disasters: 2015 s top five natural disasters caused a collective $33 billion of damage to businesses globally 5 Intertek 2013,

6 Business Continuity Management Risk assessments Risk Appetite Business Impact Analysis Disaster recovery plans Enterprise Risk Management ERM Taxonomy of Risk Organizational resilience Risk Analysis Risk Severity Occurrence or probability of Risk Risk mitigation & detection Risk matrix Registry of Risk 6 Intertek 2013,

7 Introduction to BCM and ISO22301 Definition of Business Continuity: Capability of the organization to continue delivery of products or services at acceptable predefined levels following disruptive incident ISO 22301, Clause Intertek 2013,

8 Business Continuity Management Definition of Business Continuity Management Holistic management process that identifies potential threats to an organization and the impacts to business operations that those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability of an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities. ISO 22301, Clause 3.4: 8 Intertek 2013,

9 BCM Life Cycle - 6 Core Elements 9 Intertek 2013,

10 ISO 22301:2012 and PDCA activities Plan Do Check Act Establish business continuity policy, objectives, targets, controls, processes and procedures relevant to managing risk and improving business continuity to deliver results in accordance with an organization's overall policies and objectives. Implement and operate the business continuity policy, controls, processes and procedures. Monitor and review performance against business continuity objectives and policy, report the results to management for review, and determine and authorize actions for remediation and improvement. Maintain and improve the BCMS by taking preventive and corrective actions, based on the results of management review and re-appraising the scope of the BCMS and business continuity policy and objectives. 10 Intertek 2013,

11 ISO 22301:2012 Implementation Defines the requirements for establishing and management of an effective BCMS. Highlights the importance of: Knowledge of the organization s needs and the necessity of BCM policy and objectives establishment Implementing and operating of controls aimed at building an organization s capabilities for managing the business interruption Monitoring and review of BCMS functioning and effectiveness Continual improvement, based on the implementation of the objective criteria for risk management 11 Intertek 2013,

12 Risk Assessment - Getting started Definition of Risk Assessment A Risk Assessment is a formula or set of rules that determine how severe or frequent the hazard will be, and assigns a level to that threat i.e. Risk Level. While it is impossible that companies remove all risk from the organization, it is important that they properly understand and manage the risks that they are willing to accept in the context of the overall corporate strategy. 12 Intertek 2013,

13 Risk Assessment One approach is to utilize the concept of an FMEA to develop Risk Profile - Failure Mode Effects Analysis Identify areas of Risk: Financial, environmental, compliance, strategic, reputational etc. List areas of impact: define where and who will this affect? Consequences: tangible, loss of assets, business interruptions etc. Severity level 1-10: 1=None, 5= Moderate 10=Critical Causes: Potential causes of Risk- management practices, organizational policies, procedures, training etc. 13 Intertek 2013,

14 Risk Assessment - continued Occurrence 1-10: Likelihood of Risk happening 1=remote, 5=moderate, 10=Very likely Current controls: Define what is in place now to manage the risk Detection: Effectiveness of controls 1-10: 1= certain to Detect, 5= Moderate, 10 None- not likely to detect RPN - Risk Priority Number- defines S*O*D Recommended actions: for those items over the Risk threshold Example: RPN>250 - Dangerous risk RPN 150 to Moderate risk Begin RPN reduction for 250 and above 14 Intertek 2013,

15 FMEA 15 Intertek 2013,

16 Summary Disruptions experienced by 8 out of 10 organizations a real threat 8 out of 10 say benefits & business cases are strong for BCM Despite this, many organizations still unprepared for threats is the leading global standard to help implement BCM BCM should consider suppliers and interested parties Media coverage included in BCM strategy (reputational risk) Senior managers must take ultimate responsibility for BCM Many tools to assist your organization in BCM (FMEA) BCM requires a Holistic Approach- holistic" means: "relating to or concerned with wholes or complete systems rather than with the analysis of, treatment of, or dissection into parts. 16 Intertek 2013,

17 Thank You Intertek can provide customized auditing solutions to help you with your BCM needs, including ISO Certification and IRCA Lead Auditor Training. Also contact us at 17 Intertek 2013,