
Risk Management & Business Continuity Management


1 Risk Management & Business Continuity Management
Ir. Paul Olivier Group manager Vinçotte Certification Faculty Antwerp Management School

2 The standards
ISO 31000:2009 Risk management - Principles and guidelines
ISO 31010: Risk management - Risk assessment guidelines

3 Part 1 ISO 31000 Risk Management RA process & RM system

4 ISO 31000: Introduction
RM enables the organization to:
Increase the likelihood of achieving objectives
Improve the identification of opportunities and threats
Improve governance
Improve stakeholder confidence and trust
Improve loss prevention and incident management
Improve organizational resilience

5 ISO 31000 Risk management: the 5 chapters
Scope
Definitions
Principles
The system of risk management (organizational framework)
The risk management process

6 ISO 31000: Definitions 1 (see ISO Guide 73:2009)
Risk = uncertainty on objectives; a combination of the likelihood(*) and the consequence of an event
Risk assessment = the overall process of risk identification, risk analysis and risk evaluation
Risk attitude = the organization's approach to assess and pursue, retain, take or turn away from risk
(*) likelihood: the chance of something happening; probability is interpreted as a mathematical term

7 ISO 31000: Definitions 2 (see ISO Guide 73:2009)
Risk treatment = process to modify risks (avoid, remove, change likelihood, change consequence, share risk with other parties, retain)
Residual risk = risk remaining after treatment
Risk management = coordinated activities to direct and control an organization with regard to risk

8 ISO 31000 Risk management
Chapter 4: RM System - How to insert RM in your organization?
Chapter 5: RM Process - What process steps does RM contain?
Chapter 3: Principles

9 Part 1.1: ISO 31000: Risk Assessment Process

10 ISO 31000: RA Process 1. Risk identification
Establish a comprehensive (exhaustive?) list of risks that may create, enhance, prevent, degrade, accelerate or delay the achievement of goals
Create the risk register
Consider the interdependence of different risks and their sources

11 2. Understanding the organization and its context
External:
The social, cultural, political, legal, regulatory, financial, technological, economic, natural and competitive environment, whether international, national, regional or local
Key drivers and trends having an impact on the organization's objectives
Relationships with, perceptions and values of external stakeholders
Internal:
Governance, policies, objectives, capabilities, knowledge, processes, information, culture, models, contractual relationships, ...

12 FERMA risk management norm 2003
(Federation of European Risk Management Associations)

15 Risk register: list of hazards n° 5061/2005 EZU - Strategic risks
Current business: dependencies on customers; dependencies on suppliers; change in attitudes and needs of customers; unavailability of resources (raw material, ...)
Future business: product specifications (inadequate performance characteristics); product development (development phases inadequate)
Environmental changes: modifications in laws & regulations; political change (instability of government); modifications of individual rights
Acquisitions: cultural affinity; information & management tools; financial burdens (lawsuits, insurance contracts, pension schemes, ...)
Image and brand: brand loses emotion; human rights problem; ecological problem

16 ISO 31000: RA Process 3. Risk analysis
Determine the level of risk through likelihood and consequence (tangible and intangible)
Consider the confidence and sensitivity
Qualitative, semi-quantitative, quantitative analysis
(Source: Risk management guidelines to AS/NZS 4360:2006)

20 ISO 31000: RA Process 4. Risk evaluation
Assists decision making
Defines risk appetite and acceptable level
Identifies risks that need treatment
Defines priority for treatment implementation

26 ISO 31000: RA Process 5. Risk treatment (cyclical process)
Generate controls and decide whether residual risks are tolerable; if not, generate new controls
Risk treatment options:
Retain risk by informed decision
Avoid risk by not starting the activity
Reduce risk by removing the risk source, reducing the consequence or reducing the likelihood
Share or transfer risk
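The five RA process steps above (identification, context, analysis, evaluation, treatment) can be carried through on a small risk register. The following is an added example, not part of the presentation or of ISO 31000 itself: the 5-point likelihood and consequence scales, the band thresholds on the risk map, the risk appetite of 8 and the register entries are all constructed assumptions, modelled on the strategic risk headings of slide 15.

```python
"""Worked example of the ISO 31000 risk assessment steps on the slides:
identification (risk register), analysis (likelihood x consequence),
evaluation against a risk appetite, and treatment with residual risk.
Added example: the scales, bands, appetite and register entries are assumptions."""
from dataclasses import dataclass, field

# Assumed semi-quantitative 5-point scales; ISO 31000 does not prescribe one.
LIKELIHOOD_SCALE = {1: "rare", 2: "unlikely", 3: "possible", 4: "likely", 5: "almost certain"}
CONSEQUENCE_SCALE = {1: "negligible", 2: "minor", 3: "moderate", 4: "major", 5: "severe"}


@dataclass
class Risk:
    ref: str
    description: str
    category: str            # register heading, e.g. "strategic" (slide 15)
    likelihood: int          # 1..5 on the assumed scale
    consequence: int         # 1..5 on the assumed scale
    owner: str               # risk owner (accountability, slide 28)
    # planned treatments as (action, likelihood reduction, consequence reduction)
    treatments: list = field(default_factory=list)

    def inherent_level(self) -> int:
        return self.likelihood * self.consequence


def band(level: int) -> str:
    """Risk map colour band; the thresholds on the 1..25 product are assumed."""
    if level >= 15:
        return "high"
    if level >= 8:
        return "medium"
    return "low"


def residual(risk: Risk) -> tuple:
    """Likelihood and consequence after the planned treatments (floored at 1)."""
    lik, con = risk.likelihood, risk.consequence
    for _action, d_lik, d_con in risk.treatments:
        lik, con = max(1, lik - d_lik), max(1, con - d_con)
    return lik, con


def evaluate(register: list, appetite: int) -> list:
    """Risk evaluation: compare inherent and residual levels with the appetite
    (the maximum tolerable level) and order the register for treatment priority."""
    rows = []
    for r in register:
        r_lik, r_con = residual(r)
        inherent, resid = r.inherent_level(), r_lik * r_con
        rows.append({"ref": r.ref, "inherent": inherent, "inherent_band": band(inherent),
                     "residual": resid, "residual_band": band(resid),
                     "needs_treatment": inherent > appetite, "tolerable": resid <= appetite})
    rows.sort(key=lambda row: (-row["inherent"], -row["residual"]))
    return rows


def treatment_priority(register: list, appetite: int) -> list:
    """Refs that exceed the appetite, highest inherent level first."""
    return [row["ref"] for row in evaluate(register, appetite) if row["needs_treatment"]]


def open_gaps(register: list, appetite: int) -> list:
    """Refs whose residual risk is still above the appetite: the treatment cycle continues."""
    return [row["ref"] for row in evaluate(register, appetite) if not row["tolerable"]]


def risk_map(register: list) -> list:
    """Text 5x5 risk map: likelihood down (5 on top), consequence across."""
    cells = {}
    for r in register:
        cells.setdefault((r.likelihood, r.consequence), []).append(r.ref)
    lines = ["L\\C " + "".join(f"{c:>8}" for c in range(1, 6))]
    for lik in range(5, 0, -1):
        row = "".join(f"{','.join(cells.get((lik, c), [])) or '-':>8}" for c in range(1, 6))
        lines.append(f"{lik:>3} {row}")
    return lines


# Constructed register entries, modelled on the strategic risk headings of slide 15.
REGISTER = [
    Risk("S1", "Dependency on a single raw-material supplier", "strategic", 4, 4, "COO",
         [("Qualify a second supplier", 2, 0), ("Extra storage of raw material", 0, 1)]),
    Risk("S2", "Change in customer attitudes and needs", "strategic", 3, 3, "CCO"),
    Risk("O1", "Unavailability of key personnel", "operational", 2, 4, "HR"),
    Risk("L1", "Modification of laws and regulations", "legal", 2, 2, "Legal"),
]
RISK_APPETITE = 8   # assumed: levels above 8 ("medium" and "high") require treatment

if __name__ == "__main__":
    print("\n".join(risk_map(REGISTER)))
    for row in evaluate(REGISTER, RISK_APPETITE):
        print(row)
    print("treat in order:", treatment_priority(REGISTER, RISK_APPETITE))
    print("still above appetite after treatment:", open_gaps(REGISTER, RISK_APPETITE))
```

With these inputs S1 (level 16) and S2 (level 9) need treatment; after the planned controls S1 drops to level 6, while S2 has no treatment yet and remains above the appetite, which is exactly the "if not, generate new controls" loop of step 5.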

27 Part 1.2: ISO 31000: RM System (Framework)

28 ISO 31000: RM Framework 4.3.2. Establishing the RM policy
State the RM rationale (RAM) and define the acceptance levels in probability and consequence (risk appetite)
Accountability: define risk manager and risk owners
Integration into organizational processes: insert the notion of risk in all decision processes
Resources
Information and knowledge management systems
Internal communication and reporting
External communication and reporting

29 Part 2 BS 25999 Business Continuity Management: BC process & BC system

30 The standards
BS 25999: Business continuity management - Part 1: Code of practice
BS 25999-2:2007: Business continuity management - Part 2: Specifications

31 BS 25999-2:2007 BCM: the 6 chapters
Scope
Terms & definitions
Planning the business continuity management system (PLAN)
Implementing and operating the BCMS (DO)
Monitoring and reviewing the BCMS (CHECK)
Maintaining and improving the BCMS (ACT)

32 BS 25999: Scope
More interdependencies in the supply chain
BCM safeguards the interests of stakeholders, brand and business
BCM builds resilience for an effective response
Certification possible

33 BS 25999: Definitions
BCMS = system which provides resilience and the capability for an effective response to safeguard the interests of key stakeholders, reputation, brand and value-creating activities
BIA = business impact analysis, the process of analysing business functions and the effect that a business disruption might have upon them
IMP = incident management plan, the plan of action during the incident
BCP = business continuity plan, procedures for use in an incident to enable the organization to continue to deliver its critical activities at an acceptable predefined level

34 BCM & incident preparedness
(Diagram: RM vs. BCM)

35 Part 2.1 BS 25999: BCMS Process

36 BS 25999: BCM Process 1. Understanding the organization
RA (Risk Assessment) (4.1.2)
Understand the threats and vulnerabilities
Identify the threats that become an incident and cause business disruption
Establish the likelihood of a disruption
Choose appropriate risk treatments in accordance with the level of risk acceptance

37 BS 25999: BCM Process 1. Understanding the organization
BIA (Business Impact Analysis) (4.1.1)
Define the critical processes, services, products, installations, premises, persons, customers, suppliers and supply sources for the survival of the business
Determine the impact of any disruption of the business
Establish the MTPoD (maximum tolerable period of disruption)
Establish the minimum level of business response
Identify all dependencies on suppliers and outsourcing partners
Set RTOs (recovery time objectives)
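The BIA items above (critical activities, MTPoD, minimum level of response, supplier dependencies, RTO) only become a usable check once the dependencies are followed: an activity whose own RTO is well inside its MTPoD can still be unrecoverable in time if a system or supplier it depends on recovers later. The following is an added example, not part of the presentation or of BS 25999: the activities, hours and dependency graph are constructed, and the dependencies are assumed to form a DAG (a cycle is reported as an error).

```python
"""Worked example of the BIA checks on this slide: MTPoD and RTO per critical
activity, dependencies on internal systems and suppliers, and the gap that
appears when a dependency recovers later than the activity can tolerate.
Added example: the activities, hours and dependency graph are constructed."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Activity:
    name: str
    rto_h: int                       # own recovery time objective (hours); for a supplier,
                                     # its contractually committed recovery time
    mtpod_h: Optional[int] = None    # maximum tolerable period of disruption; None = external supplier
    depends_on: list = field(default_factory=list)
    min_level: str = ""              # minimum level of business response once recovered


def effective_recovery(bia: dict, name: str, _path: tuple = ()) -> int:
    """Hours until the activity is really back: its own RTO, or the slowest
    dependency if that is later. Dependencies are assumed to form a DAG."""
    if name in _path:
        raise ValueError(f"circular dependency: {' -> '.join(_path + (name,))}")
    act = bia[name]
    worst = act.rto_h
    for dep in act.depends_on:
        worst = max(worst, effective_recovery(bia, dep, _path + (name,)))
    return worst


def bia_gaps(bia: dict) -> list:
    """Activities whose effective recovery exceeds their MTPoD: (name, effective_h, mtpod_h)."""
    gaps = []
    for name, act in bia.items():
        if act.mtpod_h is None:
            continue
        eff = effective_recovery(bia, name)
        if eff > act.mtpod_h:
            gaps.append((name, eff, act.mtpod_h))
    return gaps


def recovery_priority(bia: dict) -> list:
    """Internal activities ordered by MTPoD (shortest first): the order in which
    the continuity strategy (slide 44) has to provide alternatives."""
    internal = [a for a in bia.values() if a.mtpod_h is not None]
    return [a.name for a in sorted(internal, key=lambda a: (a.mtpod_h, a.name))]


def _index(activities: list) -> dict:
    return {a.name: a for a in activities}


# Constructed BIA: the order-processing RTO of 8 h looks fine on its own, but the
# ERP system it needs sits in a datacenter with a 36 h RTO.
BIA = _index([
    Activity("order_processing", rto_h=8, mtpod_h=24, depends_on=["erp_system", "call_center"],
             min_level="manual order intake for the top 20 customers"),
    Activity("erp_system", rto_h=12, mtpod_h=48, depends_on=["datacenter"]),
    Activity("call_center", rto_h=4, mtpod_h=24, depends_on=["telephony_supplier"]),
    Activity("datacenter", rto_h=36, mtpod_h=72),
    Activity("telephony_supplier", rto_h=6),        # external: committed recovery, no MTPoD
])

if __name__ == "__main__":
    for name in recovery_priority(BIA):
        eff = effective_recovery(BIA, name)
        print(f"{name:<20} MTPoD {BIA[name].mtpod_h:>3} h  effective recovery {eff:>3} h")
    print("gaps:", bia_gaps(BIA))
```

On this input only order_processing is flagged: its effective recovery is 36 h against an MTPoD of 24 h, driven by the datacenter RTO two dependency levels down. That is the kind of finding the BIA has to feed into the strategy of slide 44 (an alternative location or a manual fallback at the minimum level of response).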

43 BS 25999: BCM Process 2. Develop response: IMP (incident management plans)
Identify lines of communication
Define roles and responsibilities during and after the incident (who starts the IMP and how, who stops the IMP and how)
Crisis command center (and alternatives) with access to TV, GSM, critical documents, press, internet
Details of key stakeholders, emergency services, employees and relatives
Media response organization
Technical response (which actions as a function of time), prevention of further loss
Crisis log of the incident

44 BS 25999: BCM Process 3. Determine strategy: BCP (business continuity plans)
Premises: foresee alternative locations, work from home, rent new premises, go to low-wage countries
People: introduce extra shifts in other production locations
Technology: emergency replacement of installations or spares, outsource, split production, geographical spread, upgrade to new technology
Information: go to an external IT site, convert to a PC network, go to call centers, use the GSM network or smartphones, back up critical documents
Suppliers: extra storage, supplier with a JIT contract to fulfil the key customer's contract
Other stakeholders: foresee crisis communication, psychological assistance
Civil emergencies: contacts with civil protection, emergency services

45 BS 25999: BCM Process 4. Exercise, maintain and review
Exercise programme approved by top management
Post-exercise review, written report on the exercise
Exercises (document check, technical functionality test, theoretical exercise or dry test, practical test)

46 Part 2.2. BS 25999: BCM System (Framework)

47 BS 25999: Framework Chapt. 3: Planning the BCMS
3.2. Establish and manage the system: define the objectives of the BCMS, establish the BCM policy, provide resources, ensure competency of personnel
3.3. Embed BCM in the organization's culture
3.4. Provide documentation & records

48 BS 25999: Framework Chapt. 4: Implementing & operating the BCM process
4.1. Understanding the organization (BIA & RA)
4.2. Determining the business continuity strategy
4.3. Developing and implementing a BCM response
4.4. Exercising, maintaining and reviewing BCM arrangements

49 BS 25999: Framework Chapt. 5: Monitoring & reviewing the BCMS
5.1. Internal audit
5.2. Management review: review after significant changes; post-exercise review, written report on the exercise

50 BS 25999: Framework Chapt. 6: Maintaining & improving the BCMS
6.1. Preventive and corrective actions
6.2. Continual improvement

51 Part 2.3. Certification criteria BCM process
Risk register, risk map, BCM curve

54 Certification criteria BCM system
PLAN: policy; RM manager & job description
DO: implement the RM process (new decisions, changes); RM communication (reporting); RM training
CHECK: RM audit
ACT: RM management review

55 Part 3 PAS 55-1 Asset Management AM process & AM system

56 The standards PAS 55-1:2008 Asset management
Part 1: Specification for the optimized management of physical assets

57 Introduction
PAS 55 is specifically intended to cover the life cycle management of the assets and, in particular, the assets that are core to an organization's purpose, such as utility networks, power stations, railway or road systems, oil and gas installations, manufacturing and process plants, buildings and airports
Optimize the combination of assets in accordance with their life cycle, criticalities, condition, performance and the chosen risk profile of the organization

58 Introduction
Applicable to any asset-intensive business, where significant expenditure, resources, performance dependency and/or risks are associated with the creation/acquisition, utilization, maintenance or renewal/disposal of assets
Applicable to any organization that has, or intends to manage or invest in, a significant portfolio of assets, or where the performance of asset systems and the management of assets are central to the effective delivery of service, product or other business objectives
