RISK MANAGEMENT PROCESS SAFETY TRAINING
Corporate Safety Training for Supervisors and Affected Employees

WELCOME

ABOUT THIS COURSE
Risk Management is a process of identifying exposures and determining treatments. (Insurance is only one small aspect of the process.) Risk Management procedures, properly applied, will assist you in preparing for problems as well as controlling the impact of these events. It is a tool which may be used by individuals as well as businesses, and it assists in the implementation of a plan which reduces your chance of having a loss as well as the amount of loss which may result.

COURSE OBJECTIVES
- Introduce the Risk Management Process.
- Discuss the Basics of the Risk Management Process.
- Introduce the Corporate Business Continuity Program.
- Discuss the Need for a Corporate Disaster Recovery Plan.

BASIS FOR THIS COURSE
- Life Safety.
- Corporate Stability.
- Statistically, Risk Management Results in Prevention.
- OSHA Requirements.
- EPA Requirements.

RISK MANAGEMENT PROCESS
1. Obtain Senior Management Buy-in and Support.
2. Assign Roles and Responsibilities.
3. Inventory Assets.
4. Assess Risks.
5. Safety and Health Plan.
   - Audit Policies/Procedures
   - Incident Reporting
   - Incident Investigation
   - Awareness
   - Follow up
Business Continuity Plan (BCP)
   - Business Impact Analysis (BIA)
   - Develop Countermeasures
   - Development/Implementation
   - Testing of the Plan
   - Plan Awareness and Training
   - Maintenance of the Plan

[Diagram: The Process. Elements: Define Environment & Assets; Monitoring, Testing & Audits; Risk Analysis & Assessment; Awareness & Administration; Policies, Stds, Procedures; Design & Implementation]

Impacts:
- Loss of Revenue - Corporate Income
- Legal Problems - Fines, Penalties
- Goodwill - Client & Stockholder Confidence
Note: Losses May Not Be Dollars.

PROGRAM COMPONENTS
1. Risk Analysis & Risk Assessment
2. Safety and Health Program
3. Business Continuity Program

RISK OVERVIEW - Risk Analysis

Ten Steps
1. Organize and Define the Scope
2. Identify and Value the Assets
3. Identify Applicable Threats
4. Identify and Describe Vulnerabilities
5. Establish Pairings (relationships)
6. Determine the Impact of Threat Occurrence
7. Measure Existing Countermeasures
8. Determine Residual Risks
9. Recommend Additional Countermeasures
10. Prepare a Risk Analysis Report

Advantages:
- In-depth risk assessment brings peace of mind.
- You get a comprehensive picture of business and technical processes.
- You identify current opportunities for process enhancements and/or re-engineering.
- You have planning data for rapid, smooth recovery.
- “Insurance Policy” for staying in business.

1. Risk Analysis & Risk Assessment
Risk Analysis - The process of identifying and documenting vulnerabilities and applicable threats to assets.
Risk Assessment - Projecting losses, assigning levels of risk, and recommending appropriate measures to protect assets.

Foundation of All Risk Management Programs:
- Snapshot in time.
- Discover compliance with existing policies.
- Basis for selecting cost-efficient, most appropriate protection measures for assets.
- Equilibrium - asset loss to countermeasures.
- Provide information on likelihood of threat occurrence and asset impact.
- Federal government and most states mandate.
- Ensure reasonable steps are taken to prevent loss of assets.

Risk Analysis vs. Business Impact Analysis:
- Risk Analysis & Assessment (RAA) - (Proactive) Initial process that identifies critical processes, evaluates current standards and countermeasures, and determines cost-effective mitigation of identified risks.
- Business Impact Analysis (BIA) - (Reactive) Quantifies risks to include exposure results such as financial loss, client goodwill, public confidence, etc.

Risk Management Jargon:
- Assets - Anything of value worth protecting or preserving.
- Threats - Events or actions which always exist and can generate undesirable impacts or loss of assets. Can be either human or environmental.
- Vulnerabilities - The “windows of opportunity” which allow threats to materialize. Exposures. Conditions of weakness.
- Countermeasures - (Safeguards, Controls) - Devices, processes, actions, procedures that can reduce vulnerabilities. Prevention, Detection, Correction.
- Risk - Potential for a threat to exploit a vulnerability.
THREAT + VULNERABILITY = RISK

The Basics:
- Assets identified.
- Threats identified.
- Vulnerabilities identified.
- Asset Losses identified.
- Protective measures identified and proposed.

Quantitative vs. Qualitative

Quantitative:
- Objective Numeric Values
- Asset Valuation
- Precise Impact
- Frequency of Threats
- Countermeasure Cost-Effectiveness
- Use of Complex Calculations (probabilities)

Qualitative:
- Descriptive, Immeasurable Values
- Rough Characteristics
- No Quantifiable Data
- Yes/No; Low/Medium/High; Vital/Critical/Important; good/bad
- Rankings based on judgment

In Reality . . . Risk Analysis Involves Both:
- Quantifiable measurements.
- Judgments based on experience and knowledge.

Types of Threats:
- Human - Intentional or Unintentional.
- Environmental (technological) - From an on- or off-site event.
- Environmental (natural) - Earthquakes etc.

TYPES OF COUNTERMEASURES
- Prevention
- Detection
- Correction

CORPORATE KNOWLEDGE BASE
Analysts Need to:
- Know current and historical internal environment.
- Know current and historical external environment.
- Understand dependencies and vulnerabilities.
- Understand threat profiles.
- Understand countermeasure choices and related costs.
- Be able to apply cost-benefit analysis to risks and countermeasures.

HUMAN ASSET PROTECTION - Safety

2. Safety and Health Program
To quantify it involves:
- Gathering information from available sources.
- Conducting baseline screening surveys to determine which jobs, areas or processes need a closer analysis.
- Performing risk analyses of the work areas/processes with identified risk factors.
- After implementing control measures, conducting periodic surveys and follow-up to evaluate changes.

Eight Steps:
1. Management Sponsorship and Support.
2. Organize and Define the Scope.
3. Risk Analysis.
4. Policies and Procedures.
5. Workplace Safety Controls.
6. Accident Reporting and Investigation.
7. Safety Awareness Training.
8. Monitoring and Follow-up.

PRINCIPAL QUESTIONS TO BE ANSWERED:
WHO? WHAT? WHY? WHEN? WHERE? HOW?

WHO?
- Who could be injured?
- Who controls that particular work environment?
- Who can render first aid or medical treatment?

WHAT?
- What is the past accident history of the area?
- What is the exact nature of previous injuries?
- What do the employees routinely do?
- What operations are performed?
- What hazardous/nonhazardous materials are used?
- What safe-work procedures have been provided?
- What personal protective equipment is used?
- What PPE is required?
- What elements can contribute to an accident?
- What machine guards are available but not used?
- What negative environmental conditions exist?
- What related safety procedures need revision?
- What shifts do the employees work?
- What ergonomic factors are involved?

WHEN?
- When do accidents historically occur?
- When do employees start their shifts?
- When was job-specific training received?
- When (how often) do supervisors visit the job?

WHY?
- Why do the accidents occur?
- Why do employees do what they do?
- Why do co-workers do what they do?
- Why is the specific tool/equipment selected?

WHERE?
- Where do accidents occur?
- Where are employees positioned?
- Where is the supervisor stationed?
- Where is first aid stationed?

HOW?
- How do accidents occur?
- How many employees work in specific areas?
- How do employees get injured (specifically)?
- How can the injuries be avoided?
- How can witnesses help better?
- HOW CAN THE COMPANY IMPROVE SAFETY?

WHAT'S NEXT - AFTER RISK ANALYSIS?
- Instruct employees in proper behaviors.
- Warn employees of potential hazards.
- Supply appropriate safeguards.
- Supply appropriate PPE.
- Eliminate known unsafe conditions.
- Repair or modify known unsafe conditions.
- Implement procedural changes.

Some Road Blocks to Safety:
- Lack of Sufficient Budget.
- Lack of Written Procedural Guidance.
- Lack of Resources - Management Support, Staff.
- Lack of Awareness.
- Lack of Tools.
- Lack of Training.

RECOVERY - BCP

3. Business Continuity Program
BCP - Spells out what, who, how, and when for a quick and smooth restoration of critical operations after a catastrophic disruptive event, minimizes losses, and eventually returns to business as normal.
Important - The BCP can incorporate or reference other corporate plans required by outside regulatory agencies.

Twelve Steps
1. Pre-planning (Senior Mgmt Commitment/Support, Policies)
2. Risk Analysis
3. Business Impact Analysis
4. Identify Resources and Requirements Needed
5. Emergency Response
6. Coordination with Public Authorities
7. Public Relations and Crisis Communications
8. Strategic Alternatives
9. Plan Development/Implementation
10. Testing/Exercises
11. Awareness
12. Maintenance

Goals
- Identify weaknesses and implement a disaster prevention program.
- Minimize the duration of a serious disruption to business operations.
- Facilitate effective co-ordination of recovery tasks; and reduce the complexity of the recovery effort.

RECOVERY - BCP (continued)
- Corporate - Business Continuity Plan
- Corporate - Business Resumption Plan
- FEMA - Natural Disaster Recovery Plan
- OSHA - Facility Emergency Action Plan
- EPA - Risk Management and Contingency Plan
- Law Enforcement - Crisis Management Plan

Business Impact Analysis (BIA): Foundation of BCP
- Establishes the value of each major organizational function as it relates to the whole.
- Provides the basis for identifying the critical resources required to develop a business recovery strategy.
- Establishes priority for restoring the functions of the organization in the event of a disaster.

Six Steps to BIA:
1. Identify the Critical Business Functions.
2. Prioritize Critical Business Functions.
3. Identify Dependencies and Resources Needed.
4. Identify Points of Failure for Each Function.
5. Estimate Probable Impact of Loss for Each Point of Failure.
6. Determine if a Contingency Plan is Required.

Staying Current:
- List (know) functions having a critical impact on mission.
- Ensure a plan is developed for each critical function.
- Continue to test and evaluate plans at least once a year.
- Keep personnel responsibilities current and test for readiness.
- Involve key personnel in operational planning.
- Train, Train, Train.

LAST WORDS
DISASTERS ARE SOMETIMES INEVITABLE
SURVIVAL ISN’T