From a Sprint to a Marathon: Event Risk Management for Public Entities April 16, 2015 Havis L. Wright, Public Entity and Education Risk Practice Marsh Kansas City


From a Sprint to a Marathon: Event Risk Management for Public Entities

April 16, 2015

Havis L. Wright, Public Entity and Education Risk Practice

Marsh Kansas City


Let’s Get Started

• Introduction
• Why Overall Assessment & Preparedness Is Important
• Crisis Management/Reputational Risk
• Emergency Response
• Active Shooter
• Business Continuity
• Cyber Response Management
• Integrating Components: Putting It All Together
• Question Period


EVENT RISK ANALYSIS-AN OVERVIEW


Event Risk Analysis


Event Risk Analysis “ERA”

• Proven Methodology / Risk Mitigation focused

• The ERA tool evaluates Risk Management under the following areas: Security Information Technology Environmental Financial and Management Contracts Site Services Loss Control (Health & Safety, Fire, Medical)

Emergency Response Planning

• Output delivers value


Event Risk Analysis “ERA”

• ERA is a risk management tool used to evaluate the potential risks that an event represents

• Each of the risk areas noted has a number of key issues with potential impacts
– financial loss
– interruption of operations
– insurable and non-insurable risks

• Risk ratings are an evaluation of the effectiveness of existing controls in place
– policies, procedures
– transfer mechanisms
– physical measures


ERA Risk Ratings:

A three-point scale is used to evaluate risk as illustrated below:

(*where a current control is considered poor, a comment or improvement recommendation is made)


Sample Event Risk Analysis Template


Sample of ERA “Key Issues”

• Temporary Grandstands or Marquees:
– Erected to appropriate standards?
– Inspected and signed off?

• Access and Egress Routes:
– Exit and entrance routes clear?
– Signage appropriate and visible?
– Areas free of slip, trip and fall hazards?

• Crowd Control:
– Known numbers, controlled ticket sales?
– Volatile crowds/event specific risk exposures?
– Risk of crush, stampede or uncontrolled movement?


OVERALL CORPORATE PREPAREDNESS


Managing Significant Events or Crises

• Perceived effectiveness of a response is equally or more important than the event itself.

• Damage to your organization and reputation can last years and may be unrecoverable.

• The good news – failure is not inevitable, you can be prepared!


Effective Crisis Management

• Value of corporate reputation.

• Study after study comes to the same conclusion over value, most recently:
– “A public company’s reputation can account for a huge portion of its stock value. In the case of firms in the Standard & Poor's 500 Index, reputation currently accounts for an average of 31% of share price."

“Of the companies that faced a crisis, on average more than three-quarters experienced a 20-30% drop in their stock price as a result of the way the incident was managed.” Oxford Metrica, 2006


Risk and Preparedness Framework

[Figure: Risk and Preparedness Framework diagram. Copyright © 2012 Marsh Risk Consulting. Labels recovered from the diagram:]

• Risk Universe; Emerging Risks/External Events; Triggers - Threshold
• Enterprise Risk: Top Risks; Watch Lists; Strategic; Operational; Financial; Reputational; Other Risks; Analytics; Audits; Risk Assessment
• Manage & Mitigate: Transfer/Hedge; Retain; Manage; Eliminate
• Manage: Prevention; Health/Safety; Compliance; Risk Management & Analytics; Process Safety; Workforce Strategies; Risk Control; Supply Chain RM; Preparedness
• Awareness: Education; Risk Awareness; Training
• Corporate Preparedness / Resiliency
• Real Time Response: Crisis Management; Business Continuity; Issues Management; Security; Cyber Response Management; Emergency Response; Communications; IT/Data Security; QA/Recall; Human Impact
• Recovery: Claims, Forensics, Post-Incident Reviews


Past Crises and Lessons Learned

Types of Events

• Ownership scandal.

• Illegal substance scandal.

• Active shooting.

• Player scandal.

• Terrorist attack/bombing.

• Civil unrest at major event.

• Athlete death.

• Motor racing accident.

Lessons Learned

• Fill the preparedness gap.

• Be proactive.

• Clearly define roles.

• Have well-planned process and actions.

• Ensure well-practiced capabilities.

• Forecast, anticipate, and be decisive and swift in response management.

• Protect your foundation.


Corporate Preparedness Can Reduce Impacts

[Figure (illustrative): damage severity plotted against time following an event, with one curve "With Preparedness" and one "Without Preparedness". Regions are labeled "Business Advantage", "Negative impact" and "Increased negative impact".]

• Without Preparedness: Damage to operational integrity, financial results, reputation, and key relationships.

• With Preparedness: Preparedness reduces duration, severity, and breadth of impacts.


CRISIS MANAGEMENT


Crisis Management – What If Hypothetical Scenario

News broke today regarding a scandal involving a number of high-profile professional athletes from multiple professional sports teams and officials. The scandal, reportedly involving gambling and betting on games, is trending number 1 on Twitter and is the lead story on all mainstream media outlets.


Crisis Management Defined

Crisis Management is the strategic framework that guides an organization and its senior leaders to prepare for, manage, and recover from issues and adverse events that threaten the organization’s operations, people, strategy, valuation, reputation, and future.

• Focuses on range of issues, risks, and vulnerabilities.

• Establishes strategic framework for response and recovery to a crisis.

• Provides 360-degree view of crisis and roadmap to manage it.

• Guides decision-making at all levels of the organization.

• Orchestrates and aligns related crisis response activities.

• Instills confidence in stakeholders and protects the brand/reputation for the future.


Crisis Management Drivers

• The world is emerging from a series of severe crises & significant events.

• Elected Officials and Professional Staff are acutely aware of the need to…
– Be better prepared to manage the full range of risks, issues, and events.
– Protect their organizations, reputations, and future.

• External trends are driving the need for crisis preparedness.
– High profile events and poorly handled crises.
– Changing regulations and standards of governance.
– Pressure from Boards and external stakeholders (i.e. analysts, rating agencies).
– Increased scrutiny and less patience from all external groups.

Boards are adopting a broad view: crisis management = preparedness.


Factors That Contribute to a Crisis


Multiple Paths to a Crisis

[Figure: paths leading to a crisis. Labels recovered from the diagram: Physical Events; Business Interruption; Non-Physical Events; Emerging Issues; POTENTIAL (shown three times); CRISIS.]


Crisis Management Approach

• Obtain broad sponsorship from Professional and Elected Leadership.
• Establish a planning team.
– Cross-functional group with business units/functions represented.
• Conduct facilitated planning sessions.
– Pre-thinking around strategies and approaches.
– Establish governance and framework.
– Determine concept of operations “how will we operate” and capability.
   - Response structure; team roles and responsibilities.
   - Reporting, escalation thresholds, screening criteria.
   - Team activation.
   - Meeting processes.
   - Training/awareness and exercising.
• Develop the Crisis Management Plan.
• Conduct training/awareness and exercises.


Overall Organizational Response Framework

[Figure: organizational response framework. Labels recovered from the diagram:]

• Teams: Tactical Teams (Emer. Resp., Bus Cont., IT/DR); Corporate Support Team; Crisis Team
• Levels: Local; Corp/Regional; Enterprise
• Focus on minutes/hours: Protect people, property. Contain, restore operations.
• Focus on hours/days/weeks: Information clearinghouse. Resource support.
• Focus on days/weeks/months: Strategic decisions/policies.
• Defined roles & responsibilities


Best Practices in Crisis Management

• Align crisis management, response, and recovery.

• Consider the whole range of risks facing your organization.

• Create response capabilities.

• Establish adequate policies, standards, and governance.

• Include preparedness with risk management and mitigation.

• Involve senior management in the process.


EMERGENCY RESPONSE


Emergency Response – What If Hypothetical Scenario

A multi-vehicle accident occurred on the track at one of the premier professional racing events of the year. Two vehicles collided, becoming airborne, and hurtled into the fencing separating the track and spectators. Emergency responders are on scene, not only from local Fire, Police, and EMS, but also the racing venue. Mass casualties have been reported, ranging from the critically injured to the walking wounded.


Emergency Response Defined

Emergency Response is the tactical process designed to respond to physical incidents from natural hazards or disasters to human-caused/technological accidents. It is often required and governed, in part, by a series of regulations.

• Immediate priority is life safety.

• Emphasizes life safety, followed by mitigation of property and environmental damage.

• Teams of individual responders with specialized skills and responsibilities are deployed (e.g., Fire Warden, Security).


Emergency Response Planning Approach

• Establish an Emergency Response Planning Team.
• Review any existing emergency response plans.
• Conduct a tour of site/venue to determine types of incidents to be addressed in the plan.
• Determine internal and external response resources and capabilities.
• Develop and review draft Emergency Response Plan.
• Provide draft of the Emergency Response Plan to local emergency response agencies for review.
• Print/distribute the Emergency Response Plan and supporting documents.
• Train on the Emergency Response Plan.
• Conduct drills and/or tabletop exercises leading up to a full-scale exercise.


Incident Command System (ICS) Awareness

Utilized by first responders (e.g., police, fire, EMS).

• Operates within a common organizational structure.

• Enables a coordinated response among jurisdictions/agencies.

• Establishes common processes for planning/managing resources.

• Allows for the integration of facilities, equipment, personnel, procedures, and communications.

Note: Depending on type/size of organization (e.g., large sports venue), ICS may be incorporated into emergency response structures and procedures.


Emergency Planning Components

• Team structure and roles and responsibilities.
• Alignment with other teams (e.g., Crisis Management, Business Continuity).
• Incident reporting.
• Public warning and alerting.
− Public address system announcements.
− Alarms.
− Verbal commands.
• Protective actions (e.g., Life Safety).
• Command and control.
• Training/awareness and exercising.
• Supporting tools, forms, and documents (e.g., maps, diagrams).


Protective Actions (Life Safety)

Type of Protective Action
• Evacuation.
• Shelter-in-place.
• Lockdown.

Considerations
• Assembly areas.
• Area of refuge.
• Accountability.


Reporting, Warning and Alerting

Who
• External responders (e.g., #911).
• Internal (e.g., security).

How
• Emergency notification system (3rd party vendor).
• Devices.
• Telephone lists.
• Public address system.

Attention please. We regret the game must be temporarily suspended and the stadium closed. Please proceed to the nearest exit in an orderly fashion. Event staff are available to assist. We apologize for the inconvenience and thank you for your cooperation.


Emergency Response Flip Guide

• Ideal for general employee/event staff awareness.
• May contain guidance on:
− Incident Reporting.
− Severe Weather.
− Medical Emergency.
− Fire.
− Explosion.
− Active Shooter and Lockdown.
− Evacuation and Shelter-in-Place.
− Earthquake.
− Tornado.
− Hurricane.
− Bomb Threat and Suspicious Package/Object.
− Workplace Violence.
− Hazardous Materials.
− Personal Safety.


Training/Awareness and Exercises

• Conduct team training and general awareness sessions.
• Use mix of exercises.
– Drills.
– Tabletops.
– Functionals and full-scales.


Best Practices in Emergency Response

• Clearly define roles and responsibilities.
• Establish chain of command.
– Everyone should understand who is in charge/reporting structure.
• Establish clear lines of communication, internally and externally.
– Provide status/situation updates on a regular basis.
• Develop clear, user-friendly plans.
– Consider emergency flip guides for general employees, patrons, etc.
• Build capability via training and exercising – practice, practice, practice!


ACTIVE SHOOTER


Workplace Violence/Active Shooter – What If Hypothetical Scenario

A gunman walked into a local fitness center during the peak after work period and opened fire on gym members before turning the gun on himself. There were multiple casualties, including fatalities and severe injuries.


A Few Quick Facts: 2000-2013

• 70% of incidents occurred in the commercial/business or educational environments.

• 60% of incidents ended before law enforcement arrived.

• In 45% of the attacks the shooter did not have an apparent connection with the location of the attack.

• All but two incidents involved a single shooter.

• In 40% of incidents, the shooter committed suicide on scene.


Active Shooter

• Definition
– “An Active Shooter is an individual actively engaged in killing or attempting to kill people in a confined and populated area; in most cases, active shooters use firearm(s) and there is no pattern or method to their selection of victims. Active shooter situations are unpredictable and evolve quickly.” – DHS

• Approach
– Develop or review current protective action procedures.
– Train and exercise employees/event staff, executive/senior leadership, and emergency response team members.
– Build relationships – collaborate with local law enforcement.


Response to an Active Shooter

• Know how to respond and to help prevent and reduce the loss of life.

• Understand you will likely have minimal information to base decisions upon.

• No single response fits all active shooter situations.
– Each individual MUST know their options and react decisively.
– Employees/event staff may need to utilize more than one option.

• Understand what to expect from law enforcement.
– First priority is to locate and stop the shooter.
– Cooperate with law enforcement; do not interfere.


Post-Incident Considerations

• Family reunification.

• Psychological first aid, defusing, debriefings.

• Memorials, funerals.

• Site closures and moving forward.
– Immediate days post-incident.
– Long-term.

• Emergency response team/employees/event staff.
– After-action report including lessons learned.


BUSINESS CONTINUITY


Business Continuity – What If Hypothetical Scenario

A professional sports team, with about two thirds of the 2014/2015 season left to play, lost use of its home facility. The venue received extensive damage from a 7.8 M earthquake. Restoration and repairs to the venue will take nine months to complete, thus impacting team operations and all remaining season home games.


Business Continuity Defined

Business Continuity is a management and logistical process and plan for how an organization will continue or resume, restore, and recover partially or completely interrupted critical business functions within a pre-determined time after a disaster or extended disruption.

• Focuses on the continuation of critical business functions.

• Ensures business functions are supported.

• Aligns business continuity and recovery strategies with business function priorities and criticality.


Business Impact Analysis

• Identify critical business processes and disruption tolerances.
• Determine the potential impact in the event of a disaster.
• Identify critical dependencies and interdependencies.
• Identify recovery resource requirements.
• Develop potential recovery strategies for loss of site, systems, people and relationships.


CYBER RESPONSE MANAGEMENT


Cyber Response Management – What If Hypothetical Scenario

A municipality and its police department had their servers compromised by hackers who subsequently stole and then published trade information. Correspondence included internal information exchanged between teams that was then shared on websites known to share hacked information.


Current Cyber Environment…

• $400 Billion*1: Growing Financial Costs
• 91%*2: Expanding Threat Environment
• 71%*4: Increased Sophistication
• 67%*3: Inadequate Response
• 1-5%*5: Reputation Degradation

By 2020, more than 50 billion devices will be connected to the Internet.

Sources:
1. Net Losses: Estimating the Global Cost of Cybercrime, McAfee, June 2014.
2. 2014 Internet Security Threat Report, Symantec.
3. Ponemon Second Annual Study on Data Breach Preparedness, Oct 2014.
4. Trustwave’s 2014 Global Security Report.
5. The Economic Impact of Cybercrime and Cyber Espionage, McAfee and CSIS.


Define the Scope of Cyber: Four Key Cyber Categories

• Data or Privacy Breach: PII, sensitive, PCI, or confidential. Electronic or physically stored data.

• Cyber Attacks/Business Interruption: Service, network, and application interruptions. Compromised business operations.

• Cyber Crime: Release, disseminate, corrupt, damage, or destroy data. Confidential information taken. Hinder access to technology, network, or system.

• Intellectual Property Disclosure: Leaking sensitive corporate information to the public or competitors.


Key Areas for Cyber Risk Management, Preparedness, and Transfer

• Technology
• Administrative/Security Management Controls
• Cyber Response Management Preparedness
• Insurance


Cyber Response Management Preparedness

• Cyber response management planning.
– Develop overarching cyber response management plan.
– Engage the right stakeholders at the right time.
– Align and link with supporting, tactical plans, such as:
   - Crisis communications.
   - Notification protocols.
   - Information technology response protocols.
– Consider external vendors/support requirements (e.g., legal).
   - Build relationships in advance of an event.

• Remember practice makes perfect!
– Provide team-specific training and exercising opportunities.


Considerations – Before, During, and After

Before: Manage, Mitigate, Prepare
• Define ‘cyber’.
• Establish and implement security/administrative controls.
• Consider cyber risk/capability assessments.
• Develop Cyber Response Management Plan.
• Conduct training/exercising.
• Establish relationships with appropriate authorities.
• Identify and implement other mitigation strategies.

During: Respond
• Activate Cyber Response Management Plan.
• Engage real-time support.
• Trigger insurance and other coverages.
• Minimize reputational impacts.
• Understand stakeholder communications expectations.
• Balance public trust, transparency, and privacy requirements.

After: Recover
• Conduct post-incident reviews.
• Conduct root cause analysis, forensics, etc.
• Capture lessons learned.


Cyber Response Management Key Considerations

• No ‘silver bullets’.
– Technology and security are critical but cannot guarantee protection.
– Mitigation options (e.g., insurance) are excellent, but not a stand-alone solution.

• Cyber events do not occur in a vacuum – respond holistically!
– Quickly identify the potential for spillover into unrelated areas.
– Anticipate and manage potential impacts and consequences.
– Incorporate reputational risk into all decision making.
– Go beyond stove-piped, individual tactical response plans.
– Leverage experts – enlist key vendors early in the process, but remember they are there to support you.
– Understand your priorities may be complicated by law enforcement requirements – coordinate early.


INTEGRATING COMPONENTS: PUTTING IT ALL TOGETHER


Program Development Approach – Putting It All Together

[Figure: program development diagram. 2015 © Marsh Risk Consulting. Labels recovered from the diagram:]

• Establish Baseline/Program Foundation
• Threat & Risk Assessment
• Develop Strategic Program Plan
• Set Program Governance & Objectives
• Program Components
• Corporate Preparedness: Crisis Management; Business Continuity; Human Impact/Humanitarian Assistance; Emergency Response; Crisis Communications; IT/Disaster Recovery & Security; Cyber Response Management
• Preparedness Review/Assessment
• Increase Preparedness/Build Capability


Why Embrace Preparedness Programs

• Minimize business impacts:
– Operational.
– Strategic.
– Reputation.
– Finance.
– Legal.

• Safeguard people.

• Protect physical assets (buildings and equipment).

• Address increasing emphasis in standards, regulatory bodies, etc.

• Maintain good governance.

• Protect brand and reputation.


CONTACT INFORMATION


Marsh Public Entity & Education Practice

Havis L. Wright
Office: 816-556-4227


QUESTIONS


Registered in England Number: 1507274, Registered Office: 1 Tower Place West, Tower Place, London EC3R 5BU

Marsh Ltd is authorised and regulated by the Financial Services Authority for insurance mediation activities only.

Marsh Ltd conducts its general insurance activities on terms that are set out in the document "Our Business Principles and Practices".

This may be viewed on our website http://www.marsh.co.uk/aboutMarsh/principles.html