Presentation on theme: "Risk Management in the IT Industry ELG/SEG/CSI 2910 By Dr. Mike Histed Office of Risk Management, Environmental Health and Safety www.uottawa.ca/services/ehss/"— Presentation transcript:
Risk Management in the IT Industry ELG/SEG/CSI 2910 By Dr. Mike Histed Office of Risk Management, Environmental Health and Safety 13 February, 2006
2 Outline Industry types OH&S* law, common themes in differing jurisdictions Voluntary OH&S Standards Typical employer OH&S expectations Roles and responsibilities Risk Management Environmental Issues *OH&S=Occupational Health & Safety
3 What’s out there? Workplaces tend to be classified into manufacturing or service Design of electronics or SW Manufacturing of microchips, components and equipment for mass market and specialty industries SW development for the mass market or specialty applications Military SW and HW development Web applications
4 Work Environments Companies such as Nortel, JDS Uniphase, Marconi, IBM, Microsoft, Varian, Perkin Elmer…all have manufacture or design/development divisions In mixed work environments Certain people work purely in an office setting
5 Work Environments Other work purely in a manufacturing setting Few bridge both settings. They are usually involved on prototype development or R&D
6 Workplaces Different work environments require different OH&S/Env/risk approaches North American laws include penalties (jail time and/or financial penalties) for supervisors, managers, and companies OH&S infractions are now part of the criminal code in Canada Basically know the rules applicable to where you work
7 Canadian OH&S Law and Structure The Federal Government has jurisdiction over issues that are outside of the scope of what one province can handle Ex. Waterways, air traffic, national security, banks, etc. The Provinces have jurisdiction over matters that can be contained to one province
8 Canadian OH&S Law and Structure The Provinces can also add specific requirements to a federal law Ex. Worker OH&S, labour laws, permits, education, etc. Municipalities govern issues applicable to their infrastructure
9 Regulatory Structure Ex. No smoking in public places Ontario has a general regulation (Municipal Act 2001)Ontario has a general regulation (Municipal Act 2001) Ottawa by-law regulates where in when smoking in public places is allowedOttawa by-law regulates where in when smoking in public places is allowed Country Province/State Municipality Province/State
10 OH&S Requirements WHMIS – the hazards of the job must be identified Ergonomics (computer work, repetitive movements on the assembly line) Air quality (off gassing of new carpets, furniture, paint, process chemicals, dust, particulates etc.) Workplace safety committee and inspections
11 OH&S Requirements ESD, EM waves, radiation and electrical safety Evacuation drills, spill and leak response Harassment, smoking by-laws …and much more!
12 More OH&S Requirements Transportation of Dangerous Goods (TDG) Emergency planning Hazardous waste management General OH&S Health Canada requirements for medical devices Agriculture Canada requirements for equipment handling food
13 More Requirements England has ergonomic requirements built into legislation Aerospace industry has special requirements Extreme traceability Life span studies Military specifications Get to know what applies to your work Ignorance of the law is no excuse!
14 Bill C-45 On March 31, 2004 it was put into effect What makes it significant? Agents of a corporation (directors, managers, and even employees) can be charged in criminal court Criminal proceeding apply = prison terms and criminal records H&S violations did not have criminal proceeding possibilities before Bill C-45 “217.1 Every one who undertakes, or has the authority, to direct how another person does work or performs a task is under a legal duty to take reasonable steps to prevent bodily harm to that person, or any other person, arising from that work or task.”
15 Voluntary International Standards International standards are often used to gain an edge over the competition: ISO9001 (quality) ISO (environment), and OHSAS (OH&S) It is almost guaranteed that manufacturing and R&D environments will be registered to one if not all of these standards SW companies will focus on ISO 9001 or TL 9001
16 OHSAS The standard requires the company to show: Employees understand the OH&S policy Legal requirements are known by those affected Measurable improvement objectives have been set and action plans are in place to meet the objectives Daily control of hazards is in place Mechanisms for fixing issues (before and after) are used properly Management us involved The company gets audited a minimum of annually and any employee is fair game
17 Your OH&S Roles and Responsibilities First…definition according to the law: Worker – collects salary at a company. Can be a contractor. Supervisor – has authority over another worker, or who is in charge of a work place. Employer – person who hires workers, contractors, subcontractors to undertake the delivery of a service or perform work.
18 Responsibility Structure Responsible for larger scope issues Responsible for relaying information to superiors and workers, as well as working to solve and prevent OH&S problems Responsible for identifying OH&S problems and following OH&S laws and procedures Employer Supervisor Worker
19 Employer Roles and Responsibilities Providing and maintaining protective equipment Ensuring everyone uses equipment properly Providing information, instruction and supervision for working with hazards in the workplace* Appoint competent supervisors Take every precaution reasonable for the protection of workers *This general clause is intended to capture all situations that cannot be defined by the law.
20 Supervisor Roles and Responsibilities Ensuring that workers wear protective equipment Inform workers of OH&S hazards Works safely Take every precaution reasonable in the circumstances to protect workers* *Again, another catch-all general clause.
21 Worker Roles and Responsibilities Comply to OH&S laws Use and wear protective equipment the employer provides Report hazards that endanger workers Report contraventions Shall not: Engage in pranks that endanger workers Endanger others or the worker Disable protective devices
22 Worker Rights Rights to OH&S training Right to refuse unsafe work Right to participate in OH&S decisions The law: Prevents the employer from disciplining or reprising the worker when a true problem exists Protects individuals who acted out of good intention Does not protect those who plead ignorance
23 What to Expect When You go to Work OH&S committees Management and worker representatives OH&S inspections of the workplace Initiation training What are the physical, chemical, and/or biological hazards associated with the job Emergency procedures Applicable regulations that apply to the, product/service Information on the company hierarchy, both work related and OH&S related
24 Due Diligence The best defence in OH&S law is due diligence* Taking every reasonable precaution to protect the OH&S of the worker given the circumstances * With the exception of Criminal prosecutions as a result of Bill C-45
25 Due Diligence How does someone show due diligence? Identifying all predictable events All reasonable measures taken to prevent an event – primarily thru structural changes, communication, training Verify effectiveness of controls put in place Identified issues were followed up on, including disciplinary action where necessary Incident response and follow up IF IT ISN’T DOCUMENTED IT DIDN’T HAPPEN
26 Typical Court Cases and Fines Failure to educate employee about hazards of doing the job and how to prevent injury Injury to hands (amputation) Crushing injuries Death Fines start at $ per charge and can be applied to individuals as much as companies
Real Life Situations What to expect and Guideline on OH&S Real Life Situations What to expect and Guideline on OH&S
28 New Job: Making Microchips Your new employer must cover the following with you: WHMIS Training OH&S committee Etching, developing, and bonding chemicals Personal protective equipment is required Spill and leak response procedures Hazardous waste management ESD training Clean room procedures Possibly Transportation of Dangerous Goods
29 New Job: Developing Software Your new employer must cover the following: WHMIS Emergency Drills OH&S committee Considerations Most SW developers do not understand their OH&S roles and responsibilities A strong bug testing program is essential Legal OH&S strings are attached to equipment manufacturers
30 Scenario: Supervision You are the owner of a small company that designs specialised SW and HW for air traffic control You know that a bug exists ion the guidance system under certain atmospheric conditions Your testing manager gets assigned to fix as many problems as possible before the beta SW release but can’t fix this specific bug What do you do?
31 Scenario – what to do Legislation in all provinces and states require that suppliers be held responsible for faulty equipment If an accident happens due to the SW bug, your insurance may pay some of the damages, but it is unlikely that the company will recover from the financial and credibility loss You must delay the release of the SW (even the beta version). Credibility from the client is at stake.
32 SW Gone Bad What can happen? Insurance premiums can go up Product can be recalled ($$) Company designer can be sued …and you never set foot where the instrument was built or used
33 Scenario – Hazard Awareness You are a SW developer working in cubicle land You notice the power to your computer is fluctuating and causing you and some co- workers some problems You notice a buzzing sound from the wall socket where the 5 computers involved are all connected This has been happening since they re- wired your floor What do you do?
34 Scenario – what to do 1. As a worker, it is your legal duty to advise your supervisor of a hazard 2. Your supervisor is required to investigate and take measures to resolve true hazards 3. If you feel the hazard is still present, you must advise your worker member on the OH&S committee 4. If all else fails contact the ministry of Labour They will require proof of hazard and inaction before proceeding They can issue an order to the employer
35 Scenario - PPE Your employer requires you to wear personal protective equipment when installing SW and control devices on the aircraft your company builds You find the equipment restrictive and decide that you are willing to live with safety consequences of not wearing PPE. After all, you’ve been doing this for a while… Is this OK?
36 Scenario – what you have to do Most jurisdictions have a clause in their legislations indicating that any specific PPE the employer requires you to wear has to be worn If the employer says wear pink pyjamas to be seen, then it is a LEGAL requirement Wear the fall arrest harness, if you don’t your employer has legal jurisdiction to give you a reprimand or worse
37 Web Sites Medical Devices Standards Council of Canada Ontario Ministry of Labour Ontario Laws laws.gov.on.ca/home_E.asp?lang=en laws.gov.on.ca/home_E.asp?lang=enwww.e- laws.gov.on.ca/home_E.asp?lang=en Health Canada US FDA Worker’s Compensation Education Safety Association of Ontario
38 Questions? Know your roles and responsibilities as a worker and supervisor
39 Environmental Impact of IT Factoids As much as 40% of heavy metals in landfills come from electronic waste Between 97’-04’ 315M computers became obsolete Shipping of e-waste to developing countries is a reality 6” of silicone wafers requires 2M gallons of de- ionized water/day Large quantities of solvent usage contributes to localized SMOG issues Electronic Products Stewardship Canada is proposing take back concepts for Canada
40 Environmental Impact of IT Cradle to the grave approach to environmental protection in the recent years has generated legislation which is forcing manufactures to think about life cycle of a product and the environmental impact. In some industries products must be taken back by the manufacturer at the end of their use.
41 Environmental Impact of IT Manufactures must comply with EU initiatives on waste electrical and electronic equipment (WEEE) in order to sell equipment in Europe. Other initiatives in the EU relate to the restrictions of hazardous substances (RoHS) Example: reduction or prohibition of lead used on PCB’s effective 2006
42 Environmental Regulation Overview Federal CEPA, CEAA, TDG, DSL, Species at Risk, CGRPCEPA, CEAA, TDG, DSL, Species at Risk, CGRP Provincial EPA, OCDWA, TSSAEPA, OCDWA, TSSA Municipal Sewer by-laws, noise by-lawsSewer by-laws, noise by-laws
43 Environmental Reg Overview Federal Importation of hazardous substancesImportation of hazardous substances Canada wide inventories of pollutants (NPRI)Canada wide inventories of pollutants (NPRI) Importation and exportation of hazardous wasteImportation and exportation of hazardous waste Emergency management of specific chemicalEmergency management of specific chemical
44 Environmental Issues Provincial RegulationsRegulations AirAir Ozone Depleting SubstancesOzone Depleting Substances Non hazardousNon hazardous Hazardous wasteHazardous waste SpillsSpills Water treatment and dischargesWater treatment and discharges
45 Environmental Issues Municipal Local limits placed on effluent begin released to sanitary and storm sewersLocal limits placed on effluent begin released to sanitary and storm sewers Nuisance noise in the communityNuisance noise in the community
46 Upcoming Environmental Issues Hardware: Use of ODSsUse of ODSs High consumption of waterHigh consumption of water Ensuring staff are trainedEnsuring staff are trained Software Controls for air emissions processesControls for air emissions processes Physical impacts due to robotics malfunctionsPhysical impacts due to robotics malfunctions Modelling for multitude of environmental issuesModelling for multitude of environmental issues
47 Definition of Risk Definition: Risk is an uncertain outcome Meaning: Risk does not represents only negative events for example a program that is estimated to take 750hrs to code could take 500hrs or 1,250hrs, one would have a positive and one a negative impact
48 What is Risk? Risk Uncertainty Loss Expectations Stakeholder is characterised by is defined by is valued by Probability Impact Timing Objectives Risk = Probability x Impact
49 Definition of Risk It is impossible for risks not to be present. Risks are present: crossing the street paying for items by credit card deciding on who to hire deciding which priority is higher proposing a new idea/project investing $50,000,000 in a new facility
50 Definition of Risk Management Definition: The art of assessing and managing risks to ensure that the objective is accomplished within established tolerance levels Meaning: Risks that aren’t known can’t be managed
52 Risk Identification Objective: To identify all the “things” that could potentially go wrong (or right) How to do it: Brainstorming Project plans Key objectives for the project Subject Matter Expertise Previous Experience
53 Risk Reduction Definition: reducing the probability that an event will occur How to do it: obtain written contracts with contractors conducting background checks on prospective employees visit a current user of new equipment before deciding what to buy
54 Risk Mitigation Definition: Reducing the impact of an event once it’s occurred How to do it: insurance wearing personal protective equipment temporary staff to meet surge demands installing an UPS storing back up tapes off-site Emergency Response Plans/Business Continuity Plans
55 Risk Reduction vs Risk Mitigation Risk reduction is much more important than risk mitigation Would you rather install a baby gate at the top of a flight of stairs or put pillows on the stairs to make the baby’s landing softer Risk financing is often expensive
56 Risk Monitoring Definition: ensuring that the risk identification, risk reduction and risk mitigation activities are effective How to do it: management review meetings loss history accident/incident reports supervisor’s comments THEN START OVER AGAIN!!!!
57 Timing of Risk Management
58 Insurance Insurance has a limited role. Insurance is good when: large numbers of similar events can be insured premiums can be established based on logic/experience premiums are commercially feasible Cases when insurance is not useful: delays in projects (ERP etc) regulatory fines or jail time loss of a blackberry when things go right! Don’t forget all insurance has specified limits!
59 Questions? Contact for questions? Dr. Mike Histed Office of Risk Management ext 5892 Hans Loeffelholz Risk Management Officer Tel: ext 2627