AMC Melbourne Chapter 15 July 2011 Greg Williams


Risk management frameworks for foundation Asset Information Systems
Lessons drawn from experiences in the utilities industry
AMC Melbourne Chapter, 15 July 2011, Greg Williams

Information Risk Management
Contentions:
- Asset management is essentially a risk-based process.
- Infrastructure-related businesses invest heavily in asset information systems to help manage their assets and improve their overall performance.
- The necessity for good asset information is growing rather than reducing.
- Asset information system requirements are becoming more sophisticated.
- The number of stakeholders, and the complexity of collating and sharing information, are increasing.
- Drivers include changing regulation, private finance initiatives to fund major capital programs, and a greater collective understanding of asset management risk.
- The information and systems necessary to manage physical assets also have value.
- We should address information risks as part of asset management.
Asset Management = Information Risk Management = Risk Management

Agenda
I'd like you to consider the following:
- What are your 'foundation asset information systems' and why are they important?
- Where are your information risk exposures?
- What is 'information risk management'?
- Are risk management frameworks suitable for managing asset information?
- What challenges lie ahead for you?
Let's prompt a few thoughts.

Foundation asset information systems: some definitions
What are asset information systems?
The asset information systems an organization has in place to support the asset management activities and decision-making processes, in accordance with the asset information strategy.
Why are these systems the 'foundation systems'?
They are the systems that contain the essential data describing the physical asset:
- Physical and functional parameters (what is it, where is it, how does it connect to others?)
- Condition, age, operating state
- History, changes, modifications
These systems allow us to take control of the information regarding an asset.
Examples of foundation systems:
- Geographic Information Systems (GIS)
- Maintenance Management Systems (MMS)
- Works Management Systems (WMS)
- Project Management Systems (PMS)
- Customer Management Systems (CMS)
- Incident Management Systems (IMS)

Why do foundation systems form the basics?
- Compliance: reduce compliance risk, keep records of compliance actions
- Governance: enable accurate and timely decision making
- Planning: inform planning to enable accurate project development
- Safety: enable safe operation of the asset
- Configuration: allow capture and control of changes to the configuration and operating state
- Information supply chain: deliver the right information to the right stakeholder in the right format at the right time
Without foundation systems these objectives are challenging to achieve!

Sources of information risk
Is your asset information:
- Correct
- Accurate
- Available
- Relevant
- Consistent (in form between systems)
- Timely (or current in its validity)
- Common or standard
- Secure
- Recoverable
If your asset information doesn't meet all of these requirements, you may have symptoms of information risk. Consult the nearest risk manager for further advice.

Where are our exposures? Key person dependencies

Examples of information risk scenarios: key person dependencies
- GIS updates were done manually by a KEY PERSON
- No ratings on conductors in feeder spans in control room schematics
- Data was reviewed prior to a regular upload to parent systems used in control room environments to manage a distributed network
- No post-processing or review of critical data after uploads
- Conductor rating and existing state not represented to Network Controllers
What are the on-going risks?
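The scenario above fails because nothing reviewed the critical data after the upload. The following is an added example (not from the presentation or any utility's system) of what such a post-upload review can look like in code: it takes feeder-span records as held in the GIS (the parent system) and as they arrived in the control-room schematic, and runs the checks that map to the attributes listed under "Sources of information risk": completeness (every span has a conductor rating), consistency between systems, coverage (nothing lost or orphaned in transit), identity (no duplicate IDs) and currency (no stale records). The record layout, field names and sample rows are constructed for illustration.

```python
"""Post-upload validation of feeder-span records shared between a GIS (the
parent/master system) and a control-room schematic export.

Added example, not from the presentation or any vendor product. The record
layout, field names and sample rows below are constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample: spans as held in the GIS after a manual update ...
GIS_SPANS = [
    {"asset_id": "SPAN-001", "feeder": "F12", "rating_a": 290,
     "updated": "2011-06-30T09:00:00Z"},
    {"asset_id": "SPAN-002", "feeder": "F12", "rating_a": None,   # rating never entered
     "updated": "2011-06-30T09:00:00Z"},
    {"asset_id": "SPAN-003", "feeder": "F13", "rating_a": 290,
     "updated": "2009-02-01T00:00:00Z"},                          # not touched for years
    {"asset_id": "SPAN-004", "feeder": "F13", "rating_a": 290,
     "updated": "2011-07-01T12:00:00Z"},
]
# ... and as they arrived in the control-room schematic after the upload.
SCHEMATIC_SPANS = [
    {"asset_id": "SPAN-001", "feeder": "F12", "rating_a": 290},
    {"asset_id": "SPAN-002", "feeder": "F12", "rating_a": None},
    {"asset_id": "SPAN-003", "feeder": "F13", "rating_a": 250},  # disagrees with GIS
    # SPAN-004 never reached the schematic
]

# Findings that must hold the upload back; stale records are reported only.
BLOCKING = {"duplicate_id", "missing_rating", "rating_mismatch",
            "not_in_schematic", "orphan_in_schematic"}

REVIEW_DATE = datetime(2011, 7, 15, tzinfo=timezone.utc)  # constructed review date


@dataclass(frozen=True)
class Finding:
    asset_id: str
    check: str
    detail: str


def _parse_utc(stamp):
    # Timestamps are ISO-8601 with a trailing Z; strptime keeps this working on older Pythons.
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_upload(gis, schematic, now, max_age_days=365):
    """Return one Finding per problem a post-upload review should catch."""
    findings = []

    # Identity: the same asset must not appear twice in either system.
    for source, rows in (("gis", gis), ("schematic", schematic)):
        for asset_id, n in Counter(r["asset_id"] for r in rows).items():
            if n > 1:
                findings.append(Finding(asset_id, "duplicate_id", f"{n} rows in {source}"))

    gis_by_id = {r["asset_id"]: r for r in gis}
    sch_by_id = {r["asset_id"]: r for r in schematic}

    for asset_id, g in gis_by_id.items():
        # Completeness: a span without a rating cannot be shown to a controller.
        if g["rating_a"] is None:
            findings.append(Finding(asset_id, "missing_rating", "no conductor rating in GIS"))
        # Currency: flag master records nobody has touched for too long.
        if now - _parse_utc(g["updated"]) > timedelta(days=max_age_days):
            findings.append(Finding(asset_id, "stale_record", f"last updated {g['updated']}"))
        # Coverage and consistency against the child system.
        s = sch_by_id.get(asset_id)
        if s is None:
            findings.append(Finding(asset_id, "not_in_schematic", "span absent after upload"))
        elif s["rating_a"] != g["rating_a"]:
            findings.append(Finding(asset_id, "rating_mismatch",
                                    f"GIS {g['rating_a']} A vs schematic {s['rating_a']} A"))

    # Orphans: rows the schematic holds that the master system knows nothing about.
    for asset_id in sch_by_id.keys() - gis_by_id.keys():
        findings.append(Finding(asset_id, "orphan_in_schematic", "no master record in GIS"))

    return findings


def release_gate(findings, blocking=BLOCKING):
    """True only when no blocking finding is present."""
    return not any(f.check in blocking for f in findings)


def review_sample():
    """Run the review over the constructed sample at the constructed review date."""
    return validate_upload(GIS_SPANS, SCHEMATIC_SPANS, now=REVIEW_DATE)


if __name__ == "__main__":
    report = review_sample()
    for f in report:
        print(f"{f.asset_id:9} {f.check:18} {f.detail}")
    print("release to control room:", release_gate(report))
```

On the sample the gate refuses the release: SPAN-002 has no rating, SPAN-003 disagrees between the two systems (and is stale), and SPAN-004 never arrived. The point of the gate is that the upload into the control-room environment depends on the review passing, rather than on one person remembering to look.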

Where are our exposures? (continued)
New information systems, and changes to existing systems:
- Brownfield projects create new data and changes to system configurations
- PPP and major capital projects build new systems

Examples of information risk scenarios: major change of parent asset information system
- Asset owner decision to restructure the management model and data requirements, with emphasis on least cost
- Existing system left with the major Service Provider and an entirely new system built for the new contract
- All historical data 'archived' and only selected elements of current data exported to the new system
- Archive data stored in old formats; asset history now inaccessible
- Data matching by Service Providers using works management and interfaces
- Asset planning now based on a limited range of data, with little reference to maintenance and performance history
What are the on-going risks in this scenario?

Where are our exposures? (continued)
Increases in data volume (quantities):
- Large increases in data available on-line
- Lumpy data, such as discrete time-stamped parameters
- Lack of structured system/data configurations (master data)
- No current, operational data (state, condition, etc.)

Where are our exposures? Increases in data volume (quantities), type and availability
- Major upgrade and expansion of the installed asset base (e.g. smart meters), which introduced new technology
- Automation in smart networks causing large increases in data available on-line
- Data consisting of lumps of discrete, time-stamped parameters (voltage, current, power and energy measurements)
- Overloading of data: a ten-fold increase in data volumes made available to AIM systems
- Corresponding increase in data storage requirements, retrieval and sorting
- Unresolved challenges in the usability of data (relevance, currency, etc.)
What are the on-going risks?
'Too much data and not enough information can lead to disastrous mismanagement, other misrepresentations and controversies.' (IAM 2003)
The industry response is the introduction of pattern recognition to interpret and identify quality data.

Where are our exposures? (continued)
- Inadequate storage and back-up
- Unable to recover from a disaster (no DR procedure, or a procedure that has never been tested)
- Hacking, unauthorised use or data breaches (cyber criminals)
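"No DR procedure or test" is the exposure that only shows itself on the day the backup is needed. As an added example (not from the presentation, and not any product's restore tooling), the script below is the shape of a restore drill a practitioner would automate: back up an asset database, record a digest of the backup media, and then prove the backup can be restored somewhere other than production, passes the database engine's own integrity check, and contains the rows recorded at backup time. It uses SQLite so it runs stand-alone; the table and rows are constructed. The last step corrupts one byte of the backup to show the drill catching silent media damage that a "backup completed" log line would never reveal.

```python
"""Backup integrity and restore drill for an asset database.

Added example, not from the presentation. It uses SQLite so it runs
stand-alone; the table and rows are constructed for illustration. A real
drill runs the same three steps (media digest, engine integrity check,
row-level comparison) against the production backup media.
"""
import hashlib
import os
import shutil
import sqlite3
import tempfile

SCHEMA = "CREATE TABLE asset (asset_id TEXT PRIMARY KEY, kind TEXT, rating_a INTEGER)"
SAMPLE_ROWS = [  # constructed sample rows
    ("SPAN-001", "conductor", 290),
    ("SPAN-002", "conductor", 250),
    ("XFMR-017", "transformer", 400),
]
ROW_QUERY = "SELECT asset_id, kind, rating_a FROM asset ORDER BY asset_id"


def create_source_db(path):
    con = sqlite3.connect(path)
    with con:
        con.execute(SCHEMA)
        con.executemany("INSERT INTO asset VALUES (?, ?, ?)", SAMPLE_ROWS)
    con.close()


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(path):
    """Row-level view recorded at backup time and compared after restore."""
    con = sqlite3.connect(path)
    rows = con.execute(ROW_QUERY).fetchall()
    con.close()
    return rows


def take_backup(src_path, backup_path):
    """Copy via SQLite's online backup API (consistent even if the source is
    in use) and return a digest of the backup file as written."""
    src = sqlite3.connect(src_path)
    dst = sqlite3.connect(backup_path)
    src.backup(dst)
    dst.close()
    src.close()
    return sha256_file(backup_path)


def restore_test(backup_path, recorded_digest, expected_rows):
    """The drill: never restore over production; restore into scratch space
    and prove the copy is both intact and the data you expect."""
    # 1. Media integrity: the file must be byte-for-byte what was written.
    if sha256_file(backup_path) != recorded_digest:
        return False, "digest mismatch: backup media altered since it was written"
    with tempfile.TemporaryDirectory() as scratch:
        restored = os.path.join(scratch, "restored.db")
        shutil.copyfile(backup_path, restored)
        con = sqlite3.connect(restored)
        # 2. Engine integrity: the database must be structurally sound.
        status = con.execute("PRAGMA integrity_check").fetchone()[0]
        if status != "ok":
            con.close()
            return False, f"integrity_check: {status}"
        # 3. Content: the restored rows must match the recorded snapshot.
        rows = con.execute(ROW_QUERY).fetchall()
        con.close()
    if rows != expected_rows:
        return False, "restored rows differ from the recorded snapshot"
    return True, "restore verified"


def run_drill():
    """Create a source DB, back it up, verify the restore, then flip one byte
    of the backup and show the drill failing as it should."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "assets.db")
        bak = os.path.join(work, "assets.bak")
        create_source_db(src)
        digest = take_backup(src, bak)
        expected = snapshot(src)
        good = restore_test(bak, digest, expected)
        with open(bak, "r+b") as f:  # simulate silent media corruption
            f.seek(200)
            b = f.read(1)[0]
            f.seek(200)
            f.write(bytes([b ^ 0xFF]))
        bad = restore_test(bak, digest, expected)
    return good, bad


if __name__ == "__main__":
    for verdict, reason in run_drill():
        print("PASS" if verdict else "FAIL", "-", reason)
```

The recorded digest and row snapshot are the two artefacts to keep alongside the backup (on separate media from it); without them, a restore can only prove that something came back, not that it was the right thing. Scheduling this drill is what turns "we have backups" into the "recoverable" attribute from the sources-of-risk list.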

Where are our exposures? Unauthorised use or data breaches
(Slide reproduces a press clipping: "Read this! Do these things!" Source: Risk Management, June 2011, p8)

Where are our exposures? The full list:
- Key person dependencies
- New information systems
- Changes to existing systems
- Brownfield projects create new data and changes to system configurations
- PPP and major capital projects build new systems
- Increases in data volume (quantities): large increases in data available on-line; lumpy data, such as discrete time-stamped parameters
- Lack of structured system/data configurations (master data)
- No current, operational data (state, condition, etc.)
- Inadequate storage and back-up
- Unable to recover from a disaster (no DR procedure or test)
- Hacking, unauthorised use or data breaches (cyber criminals)
- Ambiguous organizational objectives

Where are our exposures? Ambiguous organizational objectives
Organizations tend to collect the information that is easiest to collect, irrespective of the need for it or its subsequent usefulness.
Departmental objectives are also based on such thinking: maintainers and technical service providers may be given budget targets or deadlines irrespective of the potential 'trade-off' impact on operational performance. Production, operations or customer relations personnel, on the other hand, are motivated and measured in terms of output volumes or quality, irrespective of the costs incurred by others to achieve that output.
'The current scenario requires an asset management system which connects to organizational objectives.' (IAM 2003)

How are information risks being managed in utilities businesses?
- GIS is the core or parent platform (geocodes)
- Regular and full updates to related information systems
- Common and standard data sets (master data)
- Driving development of solutions that deliver all the required capability
- Adopting risk management frameworks for asset information
The big challenge: systems integration where necessary, to ensure data flows are efficient and error free.

Information Risk Management
What is it?
- The process of understanding and responding to factors that may lead to a failure in the confidentiality, integrity or availability of an information system.
- It adapts the generic process of risk management and applies it to the integrity, availability and confidentiality of information assets [1].
How do we do it?
- Focus attention on the processes that together ensure information risks are reduced to a tolerable level.
- Include methods for identifying and assessing risks, for determining which controls need to be applied, for checking that those controls have been applied, and then for tracking the actual level of protection being achieved.
- Apply an adequate level of risk mitigation where the risks are highest, and ensure solutions are not over-engineered where the risks are minimal.
- Take risk-based approaches so that mitigation effort is applied in proportion to the level of risk being addressed [2].
Sources: 1. QLD Govt BPG Information Risk Management V1.0 Jul 01; 2. Information Security Awareness Forum

Risk management frameworks
Three main influences:
1. Industry specifications or requirements for asset information and systems
- AS 2885.3-2001 Pipelines – Gas and Liquid Petroleum
- NZS 7901:2008 Electricity & Gas Industries Safety Management Systems
2. Standards for management systems
- PAS 55-1:2008 Asset Management (also see ISO 55000, under development in 2011 and published in 2014)
- AS/NZS ISO 31000:2009 Risk Management
- AS/NZS ISO 9001:2008 Quality Management
- AS ISO 10007-2003 Quality management systems – Guidelines for configuration management
- QLD Government BPG Information Risk Management V1.0 Jul 01
- AS/NZS ISO/IEC 27002:2006 Code of practice for information security management
3. Standards for asset data structures, configurations and security
- ISO/IEC 27000:2009 Information technology – Security techniques – Information security management systems – Overview and vocabulary
- ISO 15926 Integration of life-cycle data for process plants (7 parts)
- STEP AP212 (BS EN 81714-2:2007) Graphical symbols for use in technical documentation
Most standards include guidance on what information may be required, how to manage the information, and how to assure your business that the information is valid.

Risk management frameworks: industry specifications
AS 2885.3-2001 Pipelines – Gas and Liquid Petroleum, Section 10 Records:
The operating authority shall obtain, prepare and keep current:
- charts and maps showing location;
- records of condition;
- records of sections and components identified as potentially high risk;
- etc.
NZS 7901:2008 Electricity & Gas Industries Safety Management Systems, Section 5.9 Provision of Information:
Arrangements shall be in place to inform external parties about the safety and operation of assets and the hazards associated with them. This shall include information to enable those parties to report faults, defects, failures and emergencies. Such arrangements may include provision of maps, public notification, etc.
But are these really requirements?

Risk management frameworks: management system standards
PAS 55-1:2008 Asset Management, 4.4.6 Information Management:
- The organization shall identify the asset management information it requires, considering all phases of the asset life cycle.
- The information shall be of a quality appropriate to the asset management decisions and activities it supports.
- The organization shall design, implement and maintain a system for managing asset management information.
- Employees and other stakeholders, including contracted service providers, shall have access to the information relevant to their asset management activities or responsibilities.
- The organization shall establish, implement and maintain procedures for controlling all information required. These procedures shall ensure:
  - the adequacy of the information is approved by authorized personnel prior to use;
  - information is maintained and its adequacy assured through periodic review and revision, including version control where appropriate;
  - allocation of appropriate roles, responsibilities and authorities regarding the origination, generation, capture, maintenance, assurance, transmission, rights of access, retention, archiving and disposal of items of information;
  - etc.

Risk management frameworks: management system standards
ISO 31000:2009 Risk Management:
- Provides principles and generic guidelines on risk management
- Risk is the 'effect of uncertainty on objectives'
- Principle 3: risk management is part of decision making
- Principle 6: risk management is based on the best available information
Controls effectiveness. Controls:
- should be operating in the manner intended;
- can be demonstrated to be effective;
- are based on proper documentation, recording and reliable assurance processes.

ISO 31000 adapted to information risk management (process diagram)
Source: QLD Government BPG Information Risk Management V1.0 Jul 01

Risk management frameworks: data and security standards
ISO/IEC 27000 family (ISO/IEC 27000:2009 Information technology – Security techniques):
- Provides all types of organization (commercial enterprises, government agencies, non-profit organizations) with a basis for implementing an information security management system (ISMS).
- Built on a simple Plan-Do-Check-Act (PDCA) cycle (explicit in the 2005 edition of ISO/IEC 27001).
- ISO/IEC 27000 itself gives the overview and vocabulary; ISO/IEC 27001 specifies the requirements for an ISMS, and ISO/IEC 27006 the requirements for bodies auditing and certifying an ISMS.
ISO 15926 Integration of life-cycle data for process plants (7 parts):
- Standardisation of asset information is the key to Collaborative Asset Lifecycle Management (CALM)
- CALM is the basis for information sharing between contractors and asset owners
- Provides standards for lifecycle data for process plants
- Formalises how assets are identified and how data should be structured so the same terminology is used consistently (same language)
- Contributes to preserving the value of asset information as it flows between stakeholder systems
- Compliance can range from the software configuration level up to integration of distributed systems

The bigger challenge: integration where necessary, to ensure data flows are efficient and error free
Holistic, integrated asset information systems support organizations in efficiently and sustainably managing the whole lifecycle of physical assets in terms of performance, risks and expenditure, to achieve and maintain the stated business objectives. Attributes on the slide: sustainable, systematic, integrated, optimal, systemic, risk-based.
Example: OneWater by TechnologyOne
- Complete integration between all software and related systems, including SCADA, GIS, IMS, MMS, PMS and third-party interfaces
- Under the system, a leak could be reported, SCADA data used to confirm the incident, geocoding used to pinpoint the location, remedial works logged and replacement materials ordered

Integration example: mapping content to assets
To enable operational readiness and excellence, the "information plant" must match the "physical plant". The matching of these aspects needs to be:
- Complete and accurate
- Current and available
- Relevant, consistent and sustainable
Source: SAP 2011

In summary:
- Make use of relevant management system standards (PAS 55, ISO 31000, ISO 27000) to determine your minimum requirements for AIM, including data standards.
- Adopt a risk-based approach to managing the effectiveness of your asset information systems.
- Ensure asset information risks are registered in your company risk management system.
- Wherever possible, seek to integrate systems if data must flow in consistent forms (by use of master data).

Greg Williams (T): 03 8603 5472 (M): 0439 070 125 (E): greg.williams@amcouncil.com.au
Some interesting resources for bedtime reading:
- Queensland Government Information Architecture best practice guide, BPG Information Risk Management, V1.0, November 2002
- IFS white paper, 'Selecting software for AIM: Asset Information Management', Christian Klingspor, IFS AB, August 2009
- SAP presentation, 'Integrated information system for safety, risk and performance management', ICOMS 2011, Dr Ing Achim Kruger, May 2011
- Harte Hanks Trillium Software white paper, 'Where is your risk? How insurers use location intelligence to manage risk and grow their business', 2010
- Enterprise Strategy Group white paper, 'Databases at risk', Jon Oltsik, ESG, September 2009
- SANS Institute white paper, 'An introduction to information system risk management', Steve Elky, May 2006
- Faiz, R.B., & Edirisinghe, E.A., 'Decision making for predictive maintenance asset information management', Interdisciplinary Journal of Information, Knowledge and Management, Volume 4, 2009
- Ouertani, M.Z., Parlikad, A.K., & McFarlane, D., 'Towards an approach to select an asset information management strategy', International Journal of Computer Science and Application, Volume 5, No. 36, 2008
- 'How much does asset information cost?', Strategic Asset Management, Issue 143, June 2004
- 'If asset managers lose control of their information, they lose control of everything', Strategic Asset Management, Issue 174, September 2005