From a Sprint to a Marathon: Event Risk Management for Public Entities
April 16, 2015
Havis L. Wright, Public Entity and Education Risk Practice
Marsh Kansas City
MARSH RISK CONSULTING 2
Let’s Get Started
• Introduction
• Why Overall Assessment & Preparedness Is Important
• Crisis Management/Reputational Risk
• Emergency Response
• Active Shooter
• Business Continuity
• Cyber Response Management
• Integrating Components: Putting It All Together
• Question Period
EVENT RISK ANALYSIS: AN OVERVIEW
Event Risk Analysis
Event Risk Analysis “ERA”
• Proven Methodology / Risk Mitigation focused
• The ERA tool evaluates Risk Management under the following areas: Security Information Technology Environmental Financial and Management Contracts Site Services Loss Control (Health & Safety, Fire, Medical)
Emergency Response Planning
• Output delivers value
Event Risk Analysis “ERA”
• ERA is a risk management tool used to evaluate the potential risks that an event represents
• Each of the risk areas noted has a number of key issues with potential impacts
– financial loss
– interruption of operations
– insurable and non-insurable risks
• Risk ratings are an evaluation of the effectiveness of existing controls in place
– policies, procedures
– transfer mechanisms
– physical measures
ERA Risk Ratings:
A three-point scale is used to evaluate risk as illustrated below:
(*where a current control is considered poor, a comment or improvement recommendation is made)
Sample Event Risk Analysis Template
Sample of ERA “Key Issues”
• Temporary Grandstands or Marquees:
– Erected to appropriate standards?
– Inspected and signed off?
• Access and Egress Routes:
– Exit and entrance routes clear?
– Signage appropriate and visible?
– Areas free of slip, trip and fall hazards?
• Crowd Control:
– Known numbers, controlled ticket sales?
– Volatile crowds/event specific risk exposures?
– Risk of crush, stampede or uncontrolled movement?
OVERALL CORPORATE PREPAREDNESS
Managing Significant Events or Crises
• Perceived effectiveness of a response is equally or more important than the event itself.
• Damage to your organization and reputation can last years and may be unrecoverable.
• The good news – failure is not inevitable, you can be prepared!
Effective Crisis Management
• Value of corporate reputation.
• Study after study comes to the same conclusion over value, most recently:
– “A public company’s reputation can account for a huge portion of its stock value. In the case of firms in the Standard & Poor's 500 Index, reputation currently accounts for an average of 31% of share price."
“Of the companies that faced a crisis, on average more than three-quarters experienced a 20-30% drop in their stock price as a result of the way the incident was managed.” Oxford Metrica, 2006
Risk and Preparedness Framework
[Figure: Risk and Preparedness Framework diagram. Recoverable labels: Enterprise Risk; Top Risks; Watch Lists; Strategic; Operational; Financial; Reputational; Other Risks; Analytics; Audits; Risk Assessment; Risk Universe; Emerging Risks/External Events; Triggers - Threshold; Transfer/Hedge; Retain; Manage; Eliminate; Awareness (Education, Risk Awareness, Training); Manage & Mitigate; Prevention; Health/Safety; Compliance; Risk Management & Analytics; Process Safety; Workforce Strategies; Risk Control; Supply Chain RM; Preparedness; Crisis Management; Business Continuity; Issues Management; Security; Cyber Response Management; Emergency Response; Communications; IT/Data Security; QA/Recall; Human Impact; Recovery: Claims, Forensics, Post-Incident Reviews; Corporate Preparedness / Resiliency; Real Time Response. Copyright © 2012 Marsh Risk Consulting]
Past Crises and Lessons Learned
Types of Events
• Ownership scandal.
• Illegal substance scandal.
• Active shooting.
• Player scandal.
• Terrorist attack/bombing.
• Civil unrest at major event.
• Athlete death.
• Motor racing accident.
Lessons Learned
• Fill the preparedness gap.
• Be proactive.
• Clearly define roles.
• Have well-planned process and actions.
• Ensure well-practiced capabilities.
• Forecast, anticipate, and be decisive and swift in response management.
• Protect your foundation.
Corporate Preparedness Can Reduce Impacts
[Figure (illustrative): damage severity over time following an event, with and without preparedness. Axis labels: Time, Damage Severity. Other labels: Event, Negative impact, Increased negative impact, Business Advantage.]
Without Preparedness: Damage to operational integrity, financial results, reputation, and key relationships.
With Preparedness: Preparedness reduces duration, severity, and breadth of impacts.
CRISIS MANAGEMENT
Crisis Management – What If Hypothetical Scenario
News broke today regarding a scandal involving a number of high-profile professional athletes from multiple professional sports teams and officials. The scandal, reportedly involving gambling and betting on games, is trending number 1 on Twitter and is the lead story on all mainstream media outlets.
Crisis Management Defined
Crisis Management is the strategic framework that guides an organization and its senior leaders to prepare for, manage, and recover from issues and adverse events that threaten the organization’s operations, people, strategy, valuation, reputation, and future.
• Focuses on range of issues, risks, and vulnerabilities.
• Establishes strategic framework for response and recovery to a crisis.
• Provides 360-degree view of crisis and roadmap to manage it.
• Guides decision-making at all levels of the organization.
• Orchestrates and aligns related crisis response activities.
• Instills confidence in stakeholders and protects the brand/reputation for the future.
Crisis Management Drivers
• The world is emerging from a series of severe crises & significant events.
• Elected Officials and Professional Staff are acutely aware of the need to…
– Be better prepared to manage the full range of risks, issues, and events.
– Protect their organizations, reputations, and future.
• External trends are driving the need for crisis preparedness.
– High profile events and poorly handled crises.
– Changing regulations and standards of governance.
– Pressure from Boards and external stakeholders (i.e. analysts, rating agencies).
– Increased scrutiny and less patience from all external groups.
Boards are adopting a broad view: crisis management = preparedness.
Factors That Contribute to a Crisis
Multiple Paths to a Crisis
[Figure: paths leading to a crisis. Labels: Physical Events, Business Interruption, Non-Physical Events, Emerging Issues, Potential, Crisis.]
Crisis Management Approach
• Obtain broad sponsorship from Professional and Elected Leadership.
• Establish a planning team.
– Cross-functional group with business units/functions represented.
• Conduct facilitated planning sessions.
– Pre-thinking around strategies and approaches.
– Establish governance and framework.
– Determine concept of operations “how will we operate” and capability.
Response structure; team roles and responsibilities. Reporting, escalation thresholds, screening criteria. Team activation. Meeting processes. Training/awareness and exercising.
• Develop the Crisis Management Plan.
• Conduct training/awareness and exercises.
Overall Organizational Response Framework
[Figure: overall organizational response framework. Teams: Tactical Teams (Emer. Resp., Bus Cont., IT/DR), Corporate Support Team, Crisis Team. Levels: Local, Corp/Regional, Enterprise. Focus labels: "Focus on minutes/hours: protect people, property; contain, restore operations"; "Focus on hours/days/weeks: information clearinghouse; resource support"; "Focus on days/weeks/months: strategic decisions/policies". Defined roles & responsibilities.]
Best Practices in Crisis Management
• Align crisis management, response, and recovery.
• Consider the whole range of risks facing your organization.
• Create response capabilities.
• Establish adequate policies, standards, and governance.
• Include preparedness with risk management and mitigation.
• Involve senior management in the process.
EMERGENCY RESPONSE
Emergency Response – What If Hypothetical Scenario
A multi-vehicle accident occurred on the track at one of the premier professional racing events of the year. Two vehicles collided, becoming airborne, and hurtled into the fencing separating the track and spectators. Emergency responders are on scene, not only from local Fire, Police, and EMS, but also the racing venue. Mass casualties have been reported, ranging from the critically injured to the walking wounded.
Emergency Response Defined
Emergency Response is the tactical process designed to respond to physical incidents from natural hazards or disasters to human-caused/technological accidents. It is often required and governed, in part, by a series of regulations.
• Immediate priority is life safety.
• Emphasizes life safety, followed by mitigation of property and environmental damage.
• Teams of individual responders with specialized skills and responsibilities are deployed (e.g., Fire Warden, Security).
Emergency Response Planning Approach
• Establish an Emergency Response Planning Team.
• Review any existing emergency response plans.
• Conduct a tour of site/venue to determine types of incidents to be addressed in the plan.
• Determine internal and external response resources and capabilities.
• Develop and review draft Emergency Response Plan.
• Provide draft of the Emergency Response Plan to local emergency response agencies for review.
• Print/distribute the Emergency Response Plan and supporting documents.
• Train on the Emergency Response Plan.
• Conduct drills and/or tabletop exercises leading up to a full-scale exercise.
Incident Command System (ICS) Awareness
Utilized by first responders (e.g., police, fire, EMS).
• Operates within a common organizational structure.
• Enables a coordinated response among jurisdictions/agencies.
• Establishes common processes for planning/managing resources.
• Allows for the integration of facilities, equipment, personnel, procedures, and communications.
Note: Depending on type/size of organization (e.g., large sports venue), ICS may be incorporated into emergency response structures and procedures.
Emergency Planning Components
• Team structure and roles and responsibilities.
• Alignment with other teams (e.g., Crisis Management, Business Continuity).
• Incident reporting.
• Public warning and alerting.
– Public address system announcements.
– Alarms.
– Verbal commands.
• Protective actions (e.g., Life Safety).
• Command and control.
• Training/awareness and exercising.
• Supporting tools, forms, and documents (e.g., maps, diagrams).
Protective Actions (Life Safety)
Type of Protective Action
• Evacuation.
• Shelter-in-place.
• Lockdown.
Considerations
• Assembly areas.
• Area of refuge.
• Accountability.
Reporting, Warning and Alerting
Who
• External responders (e.g., #911).
• Internal (e.g., security).
How
• Emergency notification system (3rd party vendor).
• Devices.
• Telephone lists.
• Public address system.
Attention please. We regret the game must be temporarily suspended and the stadium closed. Please proceed to the nearest exit in an orderly fashion. Event staff are available to assist. We apologize for the inconvenience and thank you for your cooperation.
Emergency Response Flip Guide
• Ideal for general employee/event staff awareness.
• May contain guidance on:
– Incident Reporting.
– Severe Weather.
– Medical Emergency.
– Fire.
– Explosion.
– Active Shooter and Lockdown.
– Evacuation and Shelter-in-Place.
– Earthquake.
– Tornado.
– Hurricane.
– Bomb Threat and Suspicious Package/Object.
– Workplace Violence.
– Hazardous Materials.
– Personal Safety.
Training/Awareness and Exercises
• Conduct team training and general awareness sessions.
• Use mix of exercises.
– Drills.
– Tabletops.
– Functionals and full-scales.
Best Practices in Emergency Response
• Clearly define roles and responsibilities.
• Establish chain of command.
– Everyone should understand who is in charge/reporting structure.
• Establish clear lines of communication, internally and externally.
– Provide status/situation updates on a regular basis.
• Develop clear, user-friendly plans.
– Consider emergency flip guides for general employees, patrons, etc.
• Build capability via training and exercising – practice, practice, practice!
ACTIVE SHOOTER
Workplace Violence/Active Shooter – What If Hypothetical Scenario
A gunman walked into a local fitness center during the peak after work period and opened fire on gym members before turning the gun on himself. There were multiple casualties, including fatalities and severe injuries.
A Few Quick Facts: 2000-2013
• 70% of incidents occurred in the commercial/business or educational environments.
• 60% of incidents ended before law enforcement arrived.
• In 45% of the attacks the shooter did not have an apparent connection with the location of the attack.
• All but two incidents involved a single shooter.
• In 40% of incidents, the shooter committed suicide on scene.
Active Shooter
• Definition
– “An Active Shooter is an individual actively engaged in killing or attempting to kill people in a confined and populated area; in most cases, active shooters use firearm(s) and there is no pattern or method to their selection of victims. Active shooter situations are unpredictable and evolve quickly.” – DHS
• Approach
– Develop or review current protective action procedures.
– Train and exercise employees/event staff, executive/senior leadership, and emergency response team members.
– Build relationships – collaborate with local law enforcement.
Response to an Active Shooter
• Know how to respond and to help prevent and reduce the loss of life.
• Understand you will likely have minimal information to base decisions upon.
• No single response fits all active shooter situations.
– Each individual MUST know their options and react decisively.
– Employees/event staff may need to utilize more than one option.
• Understand what to expect from law enforcement.
– First priority is to locate and stop the shooter.
– Cooperate with law enforcement; do not interfere.
Post-Incident Considerations
• Family reunification.
• Psychological first aid, defusing, debriefings.
• Memorials, funerals.
• Site closures and moving forward.
– Immediate days post-incident.
– Long-term.
• Emergency response team/employees/event staff.
– After-action report including lessons learned.
BUSINESS CONTINUITY
Business Continuity – What If Hypothetical Scenario
A professional sports team, with about two thirds of the 2014/2015 season left to play, lost use of its home facility. The venue received extensive damage from a 7.8 M earthquake. Restoration and repairs to the venue will take nine months to complete, thus impacting team operations and all remaining season home games.
Business Continuity Defined
Business Continuity is a management and logistical process and plan for how an organization will continue or resume, restore, and recover partially or completely interrupted critical business functions within a pre-determined time after a disaster or extended disruption.
• Focuses on the continuation of critical business functions.
• Ensures business functions are supported.
• Aligns business continuity and recovery strategies with business function priorities and criticality.
Business Impact Analysis
• Identify critical business processes and disruption tolerances.
• Determine the potential impact in the event of a disaster.
• Identify critical dependencies and interdependencies.
• Identify recovery resource requirements.
• Develop potential recovery strategies for loss of site, systems, people and relationships.
CYBER RESPONSE MANAGEMENT
Cyber Response Management – What If Hypothetical Scenario
A municipality and its police department had their servers compromised by hackers who subsequently stole and then published trade information. Correspondence included internal information exchanged between teams that was then shared on websites known to share hacked information.
Current Cyber Environment…
• $400 Billion [1]: Growing Financial Costs
• 91% [2]: Expanding Threat Environment
• 71% [4]: Increased Sophistication
• 67% [3]: Inadequate Response
• 1-5% [5]: Reputation Degradation
Sources:
1. Net Losses: Estimating the Global Cost of Cybercrime, McAfee, June 2014.
2. 2014 Internet Security Threat Report, Symantec.
3. Ponemon Second Annual Study on Data Breach Preparedness, Oct 2014.
4. Trustwave’s 2014 Global Security Report.
5. The Economic Impact of Cybercrime and Cyber Espionage, McAfee and CSIS.
By 2020, more than 50 billion devices will be connected to the Internet.
Define the Scope of Cyber: Four Key Cyber Categories
• Data or Privacy Breach: PII, sensitive, PCI, or confidential. Electronic or physically stored data.
• Cyber Attacks/Business Interruption: Service, network, and application interruptions. Compromised business operations.
• Cyber Crime: Release, disseminate, corrupt, damage, or destroy data. Confidential information taken. Hinder access to technology, network, or system.
• Intellectual Property Disclosure: Leaking sensitive corporate information to the public or competitors.
Key Areas for Cyber Risk Management, Preparedness, and Transfer
• Technology
• Administrative/Security Management Controls
• Cyber Response Management Preparedness
• Insurance
Cyber Response Management Preparedness
• Cyber response management planning.
– Develop overarching cyber response management plan.
– Engage the right stakeholders at the right time.
– Align and link with supporting, tactical plans, such as: Crisis communications. Notification protocols. Information technology response protocols.
– Consider external vendors/support requirements (e.g., legal). Build relationships in advance of an event.
• Remember practice makes perfect!
– Provide team-specific training and exercising opportunities.
Considerations – Before, During, and After
Before (Manage, Mitigate, Prepare) / During (Respond) / After (Recover)
• Define ‘cyber’.
• Establish and implement security/administrative controls.
• Consider cyber risk/capability assessments.
• Develop Cyber Response Management Plan.
• Conduct training/exercising.
• Establish relationships with appropriate authorities.
• Identify and implement other mitigation strategies.
• Activate Cyber Response Management Plan.
• Engage real-time support.
• Trigger insurance and other coverages.
• Minimize reputational impacts.
• Understand stakeholder communications expectations.
• Balance public trust, transparency, and privacy requirements.
• Conduct post-incident reviews.
• Conduct root cause analysis, forensics, etc.
• Capture lessons learned.
Cyber Response Management: Key Considerations
• No ‘silver bullets’.
– Technology and security are critical but cannot guarantee protection.
– Mitigation options (e.g., insurance) are excellent, but not a stand-alone solution.
• Cyber events do not occur in a vacuum – respond holistically!
– Quickly identify the potential for spillover into unrelated areas.
– Anticipate and manage potential impacts and consequences.
– Incorporate reputational risk into all decision making.
– Go beyond stove-piped, individual tactical response plans.
– Leverage experts – enlist key vendors early in the process, but remember they are there to support you.
– Understand your priorities may be complicated by law enforcement requirements – coordinate early.
INTEGRATING COMPONENTS: PUTTING IT ALL TOGETHER
Program Development Approach – Putting It All Together
[Figure: program development approach. Recoverable labels: Establish Baseline/Program Foundation; Threat & Risk Assessment; Develop Strategic Program Plan; Set Program Governance & Objectives; Program Components; Corporate Preparedness; Crisis Management; Business Continuity; Human Impact/Humanitarian Assistance; Emergency Response; Crisis Communications; IT/Disaster Recovery & Security; Cyber Response Management; Preparedness Review/Assessment; Increase Preparedness/Build Capability. 2015 © Marsh Risk Consulting]
Why Embrace Preparedness Programs
• Minimize business impacts:
– Operational.
– Strategic.
– Reputation.
– Finance.
– Legal.
• Safeguard people.
• Protect physical assets (buildings and equipment).
• Address increasing emphasis in standards, regulatory bodies, etc.
• Maintain good governance.
• Protect brand and reputation.
CONTACT INFORMATION
Marsh Public Entity & Education Practice
Havis L. Wright
Office: 816-556-4227
QUESTIONS