Risk Management Process

RISK MANAGEMENT PROCESS
SAFETY TRAINING
Corporate Safety Training
For Supervisors and Affected Employees
WELCOME
ABOUT THIS COURSE
Risk Management is a process of identifying exposures and determining treatments. (Insurance is only one small aspect of the process.) Risk management procedures, properly applied, will assist you in preparing for problems as well as controlling the impact of these events.
It is a tool that may be used by individuals as well as businesses, and it assists in implementing a plan that reduces both your chance of having a loss and the amount of loss that may result.
COURSE OBJECTIVES
 Introduce the Risk Management Process.
 Discuss the Basics of the Risk Management Process.
 Introduce the Corporate Business Continuity Program.
 Discuss the Need for a Corporate Disaster Recovery Plan.
BASIS FOR THIS COURSE
 Life Safety.
 Corporate Stability.
 Statistically, Risk Management Results in Prevention.
 OSHA Requirements.
 EPA Requirements.
RISK MANAGEMENT PROCESS
1. Obtain Senior Management Buy-in and Support.
2. Assign Roles and Responsibilities.
3. Inventory Assets.
4. Assess Risks.
5. Safety and Health Plan.
 Audit
 Policies/Procedures
 Incident Reporting
 Incident Investigation
 Awareness
 Follow up
Business Continuity Plan (BCP)
 Business Impact Analysis (BIA)
 Develop Countermeasures
 Development/Implementation
 Testing of the Plan
 Plan Awareness and Training
 Maintenance of the Plan
RISK MANAGEMENT PROCESS
Continued
[Diagram: "The Process", with stages: Define Environment & Assets; Monitoring, Testing & Audits; Risk Analysis & Assessment; Awareness & Administration; Policies, Stds, Procedures; Design & Implementation]
RISK MANAGEMENT PROCESS
Continued
Impacts:
 Loss of Revenue - Corporate Income
 Legal Problems - Fines, Penalties
 Goodwill - Client & Stockholder Confidence
Note: Losses May Not Be Dollars.
PROGRAM COMPONENTS
1. Risk Analysis & Risk Assessment
2. Safety and Health Program
3. Business Continuity Program
RISK OVERVIEW
Risk Analysis
Ten Steps
1. Organize and Define the Scope
2. Identify and Value the Assets
3. Identify Applicable Threats
4. Identify and Describe Vulnerabilities
5. Establish Pairings (relationships)
6. Determine the Impact of Threat Occurrence
7. Measure Existing Countermeasures
8. Determine Residual Risks
9. Recommend Additional Countermeasures
10. Prepare a Risk Analysis Report
RISK OVERVIEW
Risk Analysis
Continued
Advantages:
 In-depth risk assessment brings peace of mind.
 You get a comprehensive picture of business and technical processes.
 You identify current opportunities for process enhancements and/or re-engineering.
 You have planning data for rapid, smooth recovery.
 “Insurance Policy” for staying in business.
RISK OVERVIEW
Risk Analysis
Continued
1. Risk Analysis & Risk Assessment
Risk Analysis - The process of identifying and
documenting vulnerabilities and applicable threats to
assets.
Risk Assessment - Projecting losses, assigning
levels of risk, and recommending appropriate
measures to protect assets.
RISK OVERVIEW
Risk Analysis
Continued
Foundation of All Risk Management Programs:
 Snapshot in time.
 Discover compliance with existing policies.
 Basis for selecting cost-efficient, most appropriate
protection measures for assets.
 Equilibrium - asset loss to countermeasures.
 Provide information on likelihood of threat occurrence
and asset impact.
 Federal government and most states mandate.
 Ensure reasonable steps are taken to prevent loss of
assets.
RISK OVERVIEW
Risk Analysis
Continued
Risk Analysis Vs Business Impact Analysis:
 Risk Analysis & Assessment (RAA) - (Proactive)
Initial process that identifies critical processes, evaluates
current standards and countermeasures, determines
cost-effective mitigation of identified risks.
 Business Impact Analysis (BIA) - (Reactive)
Quantifies risks to include exposure results such as
financial loss, client good will, public confidence, etc.
RISK OVERVIEW
Risk Analysis
Continued
Risk Management Jargon:
 Assets - Anything of value worth protecting or preserving.
 Threats - Events or actions which always exist and can generate undesirable impacts or loss of assets. Can be either human or environmental.
 Vulnerabilities - The “windows of opportunity” which allow threats to materialize. Exposures. Conditions of weakness.
 Countermeasures (Safeguards, Controls) - Devices, processes, actions, procedures that can reduce vulnerabilities. Prevention, Detection, Correction.
 Risk - Potential for a threat to exploit a vulnerability.
THREAT + VULNERABILITY = RISK
RISK OVERVIEW
Risk Analysis
Continued
The Basics:
 Assets identified.
 Threats identified.
 Vulnerabilities identified.
 Asset Losses identified.
 Protective measures identified and proposed.
RISK OVERVIEW
Continued
Quantitative vs. Qualitative
Quantitative - Objective Numeric Values
 Asset Valuation
 Precise Impact
 Frequency of Threats
 Countermeasure Cost-Effectiveness
 Use of Complex Calculations (probabilities)
Qualitative - Descriptive, Immeasurable Values
 Rough Characteristics
 No Quantifiable Data
 Yes/No; Low/Medium/High; Vital/Critical/Important; good/bad
 Rankings based on judgment
RISK OVERVIEW
Risk Analysis
Continued
In Reality. . .
Risk Analysis Involves Both
 Quantifiable measurements.
 Judgments based on experience and knowledge.
RISK OVERVIEW
Risk Analysis
Continued
Types of Threats:
 Human - Intentional or Unintentional.
 Environmental (technological) - From an on-site or off-site event.
 Environmental (natural) - Earthquakes, etc.
Risk Analysis
TYPES OF COUNTERMEASURES
 Prevention
 Detection
 Correction
Risk Analysis
CORPORATE KNOWLEDGE BASE
Analysts Need to:
 Know current and historical internal environment.
 Know current and historical external environment.
 Understand dependencies and vulnerabilities.
 Understand threat profiles.
 Understand countermeasure choices and related
costs.
 Be able to apply cost-benefit analysis to risks and
countermeasures.
PROGRAM COMPONENTS
1. Risk Analysis & Risk Assessment
2. Safety and Health Program
3. Business Continuity Program
HUMAN ASSET PROTECTION
2. Safety and Health Program
Safety
To quantify it involves:
- Gathering information from available sources.
- Conducting baseline screening surveys to determine
which jobs, areas or processes need a closer analysis.
- Performing risk analyses of the work areas/processes
with identified risk factors.
- After implementing control measures, conducting
periodic surveys and follow-up to evaluate changes.
HUMAN ASSET PROTECTION
Continued
Safety
Eight Steps:
1. Management Sponsorship and Support.
2. Organize and Define the Scope.
3. Risk Analysis.
4. Policies and Procedures.
5. Workplace Safety Controls.
6. Accident Reporting and Investigation.
7. Safety Awareness Training.
8. Monitoring and Follow-up.
HUMAN ASSET PROTECTION
Continued
Safety
PRINCIPAL QUESTIONS TO BE ANSWERED:
 WHO?
 WHAT?
 WHY?
 WHEN?
 WHERE?
 HOW?
HUMAN ASSET PROTECTION
Continued
Safety
WHO?
 Who could be injured?
 Who controls that particular work environment?
 Who can render first aid or medical treatment?
HUMAN ASSET PROTECTION
Continued
Safety
WHAT?
 What is the past accident history of the area?
 What is the exact nature of previous injuries?
 What do the employees routinely do?
 What operations are performed?
 What hazardous/nonhazardous materials are used?
 What safe-work procedures have been provided?
HUMAN ASSET PROTECTION
Continued
Safety
WHAT?
 What personal protective equipment is used?
 What PPE is required?
 What elements can contribute to an accident?
 What machine guards are available but not used?
 What negative environmental conditions exist?
 What related safety procedures need revision?
 What shifts do the employees work?
 What ergonomic factors are involved?
HUMAN ASSET PROTECTION
Continued
Safety
WHEN?
 When do accidents historically occur?
 When do employees start their shifts?
 When was job-specific training received?
 When (how often) do supervisors visit the job?
HUMAN ASSET PROTECTION
Continued
Safety
WHY?
 Why do the accidents occur?
 Why do employees do what they do?
 Why do co-workers do what they do?
 Why are the specific tools/equipment selected?
HUMAN ASSET PROTECTION
Continued
Safety
WHERE?
 Where do accidents occur?
 Where are employees positioned?
 Where is the supervisor stationed?
 Where is first aid stationed?
HUMAN ASSET PROTECTION
Continued
Safety
HOW?
 How do accidents occur?
 How many employees work in specific areas?
 How do employees get injured (specifically)?
 How can the injuries be avoided?
 How can witnesses help better?
HOW CAN THE COMPANY IMPROVE SAFETY?
HUMAN ASSET PROTECTION
Continued
Safety
WHAT'S NEXT - AFTER RISK ANALYSIS?
 Instruct employees in proper behaviors.
 Warn employees of potential hazards.
 Supply appropriate safeguards.
 Supply appropriate PPE.
 Eliminate known unsafe conditions.
 Repair or modify known unsafe conditions.
 Implement procedural changes.
HUMAN ASSET PROTECTION
Continued
Safety
Some Road Blocks to Safety:
 Lack of Sufficient Budget.
 Lack of Written Procedural Guidance.
 Lack of Resources - Management Support, Staff.
 Lack of Awareness.
 Lack of Tools.
 Lack of Training.
PROGRAM COMPONENTS
1. Risk Analysis & Risk Assessment
2. Safety and Health Program
3. Business Continuity Program
RECOVERY
Continued
BCP
3. Business Continuity Program
BCP - Spells out what, who, how, and when for a quick and smooth restoration of critical operations after a catastrophic disruptive event, minimizing losses and eventually returning to business as normal.
Important - The BCP can incorporate or reference other corporate plans required by outside regulatory agencies.
RECOVERY
BCP
Twelve Steps
1. Pre-planning (Senior Mgmt Commitment/Support, Policies)
2. Risk Analysis
3. Business Impact Analysis
4. Identify Resources and Requirements Needed
5. Emergency Response
6. Coordination with Public Authorities
7. Public Relations and Crisis Communications
8. Strategic Alternatives
9. Plan Development/Implementation
10. Testing/Exercises
11. Awareness
12. Maintenance
RECOVERY
Continued
BCP
Goals
 Identify weaknesses and implement a disaster prevention
program.
 Minimize the duration of a serious disruption to business
operations.
 Facilitate effective co-ordination of recovery tasks; and
reduce the complexity of the recovery effort.
RECOVERY
Continued
BCP
 Corporate - Business Continuity Plan
 Corporate - Business Resumption Plan
 FEMA - Natural Disaster Recovery Plan
 OSHA - Facility Emergency Action Plan
 EPA - Risk Management and Contingency Plan
 Law Enforcement - Crisis Management Plan
RECOVERY
Continued
BCP
Business Impact Analysis (BIA):
Foundation of BCP
 Establishes the value of each major organizational
function as it relates to the whole.
 Provides the basis for identifying the critical resources
required to develop a business recovery strategy.
 Establishes priority for restoring the functions of the
organization in the event of a disaster.
RECOVERY
Continued
BCP
Six Steps to BIA:
1. Identify the Critical Business Functions.
2. Prioritize Critical Business Functions.
3. Identify Dependencies and Resources Needed.
4. Identify Points of Failure for Each Function.
5. Estimate Probable Impact of Loss for Each Point of Failure.
6. Determine if a Contingency Plan is Required.
RECOVERY
Continued
BCP
Staying Current:
 List (know) functions having a critical impact on mission.
 Ensure a plan is developed for each critical function.
 Continue to test and evaluate plans at least once a year.
 Keep personnel responsibilities current and test for readiness.
 Involve key personnel in operational planning.
 Train, Train, Train.
LAST WORDS
DISASTERS ARE SOMETIMES INEVITABLE
SURVIVAL ISN’T