Post on 16-May-2015
Scottish Federation of Housing Associations
Finance Staff Forum
February 2006
A bit of background!A bit of background!
Offrisk Consulting establish in 2002 – based in Glasgow
Specific remit to assist and advise Scottish organisations
Many clients in the public and private sector
Two main areas of interest:
o Corporate Risk Governance Balanced Balanced RiskRiskCardCard
o Business Continuity RecoRecoveryveryFlowFlow
Do we have to do risk management?Do we have to do risk management?
ensure we have a fully embedded system of
internal control that identifies significant operational risks
to the achievement of our plans, aims and objectives,
evaluates the nature and extent of those risks and
manages them efficiently, effectively and economically.
…….. good corporate governance
What is risk?What is risk?
‘a future uncertain event that
could influence (positively & negatively) the
achievement of operational and strategic objectives
and statutory obligations’
Event Consequence Impact Objective?
How much of this do I have to do?How much of this do I have to do?
obsessed managing unaware
threat or opportunity
shocks and crises or innovation and change
Managing risk to add value
Over control stifles value
creation
Exposed and destroying
value
Performance
low
high
Goal is achievement of objectives, not process driven assessment!
Remember, the assessment work must be proportionate to gains!
BalancedBalanced RiskRiskcardcard
What could stop the Business Plan
this year?
Processes
Are we organisedas well as we could be?
Learning & Growth
Are we developing our peopleand organisation for the future?
Deliverables
Are we delivering whatour clients expect?
Resources
How well are we planningand managing our resources?
Business PlanningBusiness Planning
risks can deter accomplishment
performance measurement
manage the risks out
excel at the provision of high quality service
contribute to stakeholder confidence
Balanced & SMART objectivesBalanced & SMART objectives
Processes• Procurement• SOPs and ISO• Interaction with Partners
Building for the future• Personnel• Training
Deliverables• Effectiveness• Policy• Reputation
Resources• Budget control• Staffing levels• Infrastructure
Service Capability
External Impact
Internal Process Standards
People Issues
Keeping it simple and clearKeeping it simple and clear
o Integrating risk & performance management with clear objectives
Risk Identification against scorecard
objectives
Risk Assessment
Decide ActionControl, Mitigate or Transfer
Monitor risks, controls and
actions
BalancedBalanced RiskRiskcardcardReview
Control Strategies
Risk AssessmentRisk Assessment
Impact
Likelihood
Controls
•Management•Policies and procedures•Contingency plans•Controls
Event Consequence Impact Objective?
Accident causation & controlsAccident causation & controls
Adapted from the work of James Reason
Other holes due to latent conditions (e.g. faulty equipment, lack of training)
Successive layers of defences, barriers and safeguards
Some holes due to active failures (e.g. mistakes, procedural violations)
BalancedBalanced RiskRiskCardCard
Impact > < Impact
Pro
bab
ility >
Pro
bab
ility >
< Probab
ility < P
rob
ability
Impact > < Impact
Service Capability
People issues
Internal processes
External impact
Business Continuity Management
o “…………... is about the development, implementation and maintenance of an action orientated process which responds to:
o an emergency incident impacting operationso the issues & implications arising – crisis management o recovery of the business ………………..”
…… the value is in the planning …….
….. protecting enterprise valueEmergency Response
0 hrs 3 to 4 hrs Day 2 Day 4 Weeks Months
Crisis Management
Process Recovery
A management process
Service Service
Understanding the business risks and process priorities
Developing realistic
continuity and resumption strategies
Risk mitigation and continuity response
actionsEmbedding service
continuity culture and confidence in the Plan
MaintenanceRehearsing the
people Exercising the
Plan
BCM
What if this happened?
The Business Continuity Plan
Escalation procedure to inform / call out:Emergency Response Team Ensure life and safety Emergency Authority Liaison Assess situation – fix the hazard Inform management decisions
Red Pack – 0 to 2 hours critical 24/7/365
Process Recovery Practical actions steps for each function Reflection of agreed recovery strategy Prioritised post loss requirements
Green Pack – day 2 for as necessary
Practical and flowcharted RecoveryFlow over a timeline!
Senior Management A critical turning point in a major incident Impacting the organisations viability Who needs to know inc. press & media Issues and implications
Yellow Pack – ASAP up to 3 days
What is an Emergency?
A serious situation or occurrence
that happens unexpectedly and
demands immediate action and
more than usual resources.
Emergency Response – Red Pack
o Location specifico Emergency Response Team – 24/7/365o Capability and authorityo Expertise and responsibleo Agreed procedures – make safeo Eyes and ears for the Directorso Liaison with statutory authoritieso Fix the hazard and set up the recovery phase
KLP:o ERT to become easily identifiable within the organisationo With clearly defined roles and responsibilitieso The Plan must be easily understood
What is a Crisis?
A crisis is a decisive moment or turning point event
that by fact or by perception
has the sustained potential
to seriously affect service delivery
as seen by our customers and the reputation of the Association”
Crisis Management – Yellow Pack
o Directorso Issues and implicationso Communicationo Stakeholders – how do others see us?o Press and media – not marketing!o Specific attention to staff and relatives?
KLP:o Do we appreciate the subtle difference between emergency
response and crisis management?o Not all of the Association may be affected!
Process Recovery – Green Pack
Where the rubber touches the road!o Not generico The hardest part but the most satisfyingo Process specific - cognisant of agreed recovery strategieso Use of alternative facilitieso Post loss resourceso Not able necessarily to recover all processes immediatelyo Planning should be about end to end processing
KLP:o Do individual managers understand their part in the Plano Don’t be frightened to test the Plan’s assumptions!
Staff Rehearsal and Plan Exercising
Plan must be kept up to dateo Planned maintenance – contacts and changes in processeso Controlled document
Prove ito Escalation procedure – weekend call outo Desk top – review against scenarioo Simulation – concentrated days in short time o Disaster scenario – real time and real event exercise
KLP:o Meaningful rehearsal of roleso Walk through against a realistic scenario will be useful
Summary of what will be in our Plan:
o Easy to use and realistic
o Understood at all levels within the organisation
o Based on strong recovery strategies
o Emergency procedures – Management of Work Place Regs
o Corporate Governance, Auditor and Insurer expectation?
o Will tell me what to do – wise guidance
o Evidence of controlled document review
o Regular and effective maintenance and exercising
enq@offrisk.com
Graham E Offord, FIRM, MBCI, MCIBS
0141 563 9747
Questions and AnswersQuestions and Answers