Risk Management (Neville Clarke, final, 26 June 2012)
The element common to risk thinking in quality, environment, health and safety, information security and business continuity is the presence of an unwanted risk: the recognition that a threat exists and that its consequences must be guarded against. As we try to be proactive in managing processes, identifying each risk together with its threat and consequences, a weakness in risk management persists: it depends on how well we understand the risks, our vulnerabilities and the effectiveness of our controls. Get the baseline wrong and you end up managing the wrong problem, and addressing the wrong cause wastes effort. Barrier Analysis, the technique at the heart of the Bow-tie method of risk assessment, is worth exploring as a way to address this weakness in current risk management approaches. The Barrier perspective gives structure to thinking about underlying causes and about proactive and reactive barriers. It helps you dig into organisational knowledge that is implicit and make it explicit. Barrier analysis makes you look deeper into a risk than the surface of threat and event assessment. It helps you be more definite about preventive and recovery controls, and about the escalation factors that can defeat them, so that the effectiveness of the controls can be checked rather than assumed.
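As an added illustration of the barrier perspective described above (not code from the article or from Neville Clarke), the following Python model represents a bow-tie for an information-security top event: threats on the left with preventive barriers, consequences on the right with recovery barriers, and escalation factors that defeat individual barriers. The top event, threat, barrier and factor names are constructed sample data. Given the set of escalation factors currently active, it reports the lines on which no barrier holds and the lines that rest on a single barrier, which is where an assessment should look first.

```python
"""Bow-tie / barrier analysis model for an information-security top event.

Added illustration, not code from the Neville Clarke article. The top event,
threats, barriers and escalation factors below are constructed sample data,
not any organisation's real assessment.
"""
from dataclasses import dataclass, field


@dataclass
class Barrier:
    """A preventive or recovery control on one line of the bow-tie."""
    name: str
    in_place: bool = True
    # Escalation factors: conditions that defeat this barrier while active.
    escalation_factors: list = field(default_factory=list)

    def holds(self, active_factors) -> bool:
        """The barrier counts only if it is in place and none of its
        escalation factors is currently active."""
        return self.in_place and set(active_factors).isdisjoint(self.escalation_factors)


@dataclass
class Line:
    """One threat (left side) or consequence (right side) and its barriers."""
    source: str
    barriers: list


@dataclass
class BowTie:
    top_event: str
    threats: list         # Lines carrying preventive barriers
    consequences: list    # Lines carrying recovery barriers

    def _lines(self):
        for line in self.threats:
            yield "threat", line
        for line in self.consequences:
            yield "consequence", line

    def unprotected(self, active_factors=frozenset()):
        """Lines on which no barrier holds: a threat with a clear path to the
        top event, or a consequence with nothing left to limit it."""
        return [(side, line.source)
                for side, line in self._lines()
                if not any(b.holds(active_factors) for b in line.barriers)]

    def single_barrier(self, active_factors=frozenset()):
        """Lines that currently depend on exactly one holding barrier, i.e.
        where one more escalation factor removes all protection."""
        out = []
        for side, line in self._lines():
            holding = [b.name for b in line.barriers if b.holds(active_factors)]
            if len(holding) == 1:
                out.append((side, line.source, holding[0]))
        return out


def sample_bowtie() -> BowTie:
    """Constructed example: unauthorised disclosure of customer records."""
    return BowTie(
        top_event="unauthorised disclosure of customer records",
        threats=[
            Line("phishing of staff credentials", [
                Barrier("security awareness training", escalation_factors=["new-joiner backlog"]),
                Barrier("MFA on remote access", escalation_factors=["MFA push fatigue"]),
            ]),
            Line("unpatched internet-facing service", [
                Barrier("patch management SLA", escalation_factors=["change freeze"]),
                Barrier("web application firewall", escalation_factors=["WAF in monitor-only mode"]),
            ]),
        ],
        consequences=[
            Line("regulatory penalty", [
                Barrier("incident response plan", escalation_factors=["plan not exercised"]),
                Barrier("breach notification procedure"),
            ]),
            Line("reputational damage", [
                Barrier("crisis communications plan", escalation_factors=["spokesperson unavailable"]),
            ]),
        ],
    )


if __name__ == "__main__":
    bt = sample_bowtie()
    print("Top event:", bt.top_event)
    print("Unprotected lines (baseline):", bt.unprotected())
    print("Single-barrier lines (baseline):", bt.single_barrier())
    scenario = {"change freeze", "WAF in monitor-only mode"}
    print("Unprotected lines under", sorted(scenario), ":", bt.unprotected(scenario))
```

At baseline every line has at least one holding barrier, but the reputational-damage line already rests on a single control; activating a change freeze while the WAF is in monitor-only mode leaves the unpatched-service threat with a clear path to the top event. Re-running the model with the escalation factors observed during an incident or an audit is the check the paragraph above calls for.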
Effective risk management requires focus. Risk management has many applications, and there is a risk that we get hung up in those applications and their detail. There is also a risk that risk management becomes a paper exercise that never reaches the depth of the real risk and so fails to deliver the value expected of it. While there are attempts to provide a holistic process for managing risks, the process still has to be customised for each application. In quality, a risk is centred on the potential causes and effects behind the various failure modes; in environment, health and safety, the focus is on the environmental aspects and hazards that give rise to threats and consequences. Information security likewise focuses on the threats that lead to breaches of the confidentiality, integrity and availability of information assets, and business continuity focuses on the disruptive incidents we intend to prevent, from business disruption through disaster to, at worst, crisis.
Every organisation is on its toes in the effort to achieve its business goals. In uncertain times it is important to integrate risk management into the way we manage our businesses. We must recognise that risk is the effect of uncertainty on objectives, and that we need a structure for managing such risks if we are to sustain the achievement of our goals.
Risk management refers to the architecture for managing risks (principles, framework and process), and managing risks refers to applying that architecture to particular risks. To manage that architecture we have to understand the principles for managing risk, the framework for risk management and the risk management process itself. ISO 31000 was developed to give direction for the risk management process and its application; it was published in 2009, together with the guidelines on risk assessment techniques in IEC/ISO 31010.
It is timely, then, to explore the framework and related risk assessment techniques of ISO 31000 to guide the company in structuring its risk assessment, mitigation and treatment. It is also more effective to support this with best practice and techniques for identifying risks properly and understanding the balance between reactive and preventive controls, through a risk assessment technique tested over time by organisations involved in high-risk operations. ISO 31000 and its suggested risk assessment techniques do not intend to put risk assessment in a box; they provide options for structured thinking about risk assessment and help make it more visual, effective and value-adding.
In business, risks abound from all angles at any given time: the risk of customer dissatisfaction; the risk of penalties and closure arising from non-compliance with prevailing rules and regulations; the risks of attrition, cyber-attack, fraud and repudiation; the reputational risk from any smear campaign against the company's image and its people. That is to name only a few, but when a detailed assessment is performed, every process owner realises that managing a process means more than understanding its inputs and outputs: the perspective has to expand to cover dependencies, not only for process compliance and effectiveness but for the protection of the process in the interest of business continuity. The challenge for companies is to understand the environment in which they operate, understand the prevailing threats to their priority processes, determine the impact on the business, and put in place business contingency plans and recovery strategies to mitigate those risks.
As systems evolved, managing processes became more than documenting procedures; we began to look beyond effectiveness to resources and their conservation, that is, to efficiency. Managing processes became more than planning what we would normally do per customer and regulatory requirement; we began to look closer at process dependencies and to evaluate the risk of failure in any of them. As markets widen, technology keeps improving and convenience becomes a top concern in managing processes, risk increases across every transaction. Managing risk used to be a specialist function; nowadays every process owner is becoming aware of business risks and is initiating and instituting controls in their processes beyond the basic requirements. At this juncture companies are bracing themselves for bigger risks. The climate has been marked by disasters brought about by climate change, and the need to conserve natural resources and reduce carbon footprints has become a priority concern for companies in support of business continuity. Technological convenience and the risks it brings intensify image and reputational risk because of how fast information is disseminated across the many media and channels available.
Risk Management – The Role It Plays In Business Management
Risk Management and Integrated Management Systems
Risk Management and Business Continuity Management Systems
A new standard released in May 2012, ISO 22301:2012, specifies the requirements for a business continuity management system under the heading of societal security, covering preparedness for emergencies and business continuity. Within the scope an organisation defines for it, the standard addresses possible threats, events and disruptive incidents.
The standard incorporates the universal and cyclical Plan-Do-Check-Act (PDCA) approach seen in the typical management system, extending the conventional business continuity planning process to prepare the organisation's critical business functions against unforeseeable events that could change the risk environment and affect business continuity. Its risk assessment can draw on failure scenario assessment methods such as threat profiling and assessment and FMEA (Failure Modes and Effects Analysis), with a focus on identifying the triggering events that could precipitate serious incidents. It streamlines resources across business continuity, disaster recovery, emergency response, and ICT security incident response and management activities.
The coverage of ISO 22301 is similar to that of BS 25999-2: business continuity policy, business impact analysis, risk assessment, business continuity strategy, business continuity plans, exercising and testing, and so on, all raising the company's level of resilience and credibility. The importance of this standard is growing fast alongside the business intent to act on the risks that abound. As the old saying goes, an ounce of prevention is worth a pound of cure. While the typical process owner still struggles with the difference between correction and corrective action in addressing day-to-day business concerns, managing business continuity requires a shift of emphasis from corrective action to preventive action. Preventive action should be a primary focus of business today, together with a sound business impact analysis and programmes to manage the risks.
The Game of Innovation
As the marketplace expands with industrial globalisation, CEOs face pressure to drive operational and product innovation to meet customer demand. In a fast-paced environment, meeting customer demand without sacrificing quality is necessary; innovation seeks to bridge this gap through proper identification of the critical business areas that deliver customer needs. While the ultimate goal is to identify opportunities for improvement, those objectives may not be realised if the accompanying risks are not managed diligently. As failure becomes not an option, CEOs turn to two management approaches to resolve their questions about innovation uncertainty: Lean Six Sigma and Design for Six Sigma.
Calculated Risk with Design for Six Sigma
Product development is a crucial part of the game of innovation. At the onset of product planning, one missed potential failure could ultimately spell disaster. Realising how much can go wrong from planning to execution, project management effort is now centred on placing control points at critical stages of the product life cycle. This approach to product development draws heavily on Design for Six Sigma (DFSS). DFSS addresses risk through its Define, Measure, Analyse, Design and Verify (DMADV) method of product planning. At the start of the product life cycle, product definition requires proper identification of the potential value of the innovation. It is at this value-defining stage that most companies fail to realise the potential risk and the accompanying impact of the innovation. As a result, corporations experience an accelerated rate of innovation just to cope with market demand, and that accelerated rate of product innovation can ultimately lead to product and market saturation as consumers become unresponsive to the product.
Because of this realisation, project management now treats the early stages of innovation as a means of mitigating risk by properly classifying potential threats and their possible impact. DFSS as a product development tool has a proven track record of providing useful control points in the product life cycle. These control points can help address potential market saturation by establishing the value and priority of an innovation through product simulation and quality function deployment.
Risk management through Lean Six Sigma
While innovation is commonly misconceived as limited to products, the concept also applies to business processes. Since business processes are likewise output-oriented, their vulnerability to failures of people and systems is evident; such risks affect operations directly or indirectly, and the effect shows in the output. With Basel II defining operational risk as the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events, there has been a growing awareness of how such risk can be managed so as to improve, or at least maintain, one's service level.
The stringent, structured methodology of Lean Six Sigma offers a proactive approach to operational risk through proper identification and evaluation of defective processes and recommendations on how they may be eliminated. The Lean Six Sigma philosophy sprang from two of the most effective problem-solving approaches, pioneered by leading organisations: Lean, which aims to streamline processes and remove non-value-adding activities, and Six Sigma, which focuses on delivering consistent output through variation reduction.
The systematic approach of Lean Six Sigma proves a very useful method for managing risk within an organisation's business processes. Its focus on process flow efficiency and on reducing variation in service levels is an important facet for anyone calibrating their operations. Moreover, the Lean Six Sigma problem-solving philosophy also assesses the process to identify potential gaps in operations that could lead to service delay and inconsistency.
Taking the stage
Realising the greater need to address such risk in order to propel operational innovation, Neville Clarke has long championed Lean Six Sigma as a tool for achieving that goal. Dedicated to being a preferred business solutions provider, Neville Clarke has been assisting organisations to realise these objectives through consultancy and training centred on speed and quality. As a result, the corporations assisted by Neville Clarke are well on their way to becoming more competitive and operationally innovative through the use of Lean Six Sigma.