1 AMC Melbourne Chapter, 15 July 2011, Greg Williams
Risk management frameworks for foundation Asset Information Systems
Lessons drawn from experiences in the utilities industry
2 Information Risk Management
Contentions:
- Asset management is essentially a risk-based process.
- Infrastructure-related businesses invest heavily in asset information systems to help manage their assets and improve their overall performance.
- The necessity for good asset information is growing rather than reducing.
- Asset information system requirements are becoming more sophisticated.
- The number of stakeholders, and the complexity of collating and sharing information, is increasing.
- Drivers include changing regulation, private finance initiatives to fund major capital programs, and a greater collective understanding of asset management risk.
- The information and systems necessary to manage physical assets also have value.
- We should address information risks as part of asset management.
Slide graphic labels: Asset Management = Information Risk Management; Risk Management
3 Agenda
I’d like you to consider the following:
- What are your ‘foundation asset information systems’ and why are they important?
- Where are your information risk exposures?
- What is ‘information risk management’?
- Are risk management frameworks suitable for managing asset information?
- What challenges lie ahead for you?
Let’s prompt a few thoughts.
4 Foundation asset information systems – some definitions
What are asset information systems?
- The asset information systems an organization has in place to support the asset management activities and decision-making processes in accordance with the asset information strategy.
Why are these systems the ‘foundation systems’?
- They contain the essential data describing the physical asset:
  - Physical and functional parameters (What is it, where is it, how does it connect to others?)
  - Condition, age, operating state
  - History, changes, modifications
- These systems allow us to take control of the information regarding an asset.
Examples of foundation systems:
- Geographic Information Systems (GIS)
- Maintenance Management Systems (MMS)
- Works Management Systems (WMS)
- Project Management Systems (PMS)
- Customer Management Systems (CMS)
- Incident Management Systems (IMS)
5 Why do foundation systems form the basics?
- Compliance: reduce compliance risk, keep records of compliance actions
- Governance: enable accurate and timely decision making
- Planning: inform planning to enable accurate project development
- Safety: enable safe operation of the asset
- Configuration: allow capture and control of changes to the configuration and operating state
- Information supply chain: deliver the right info to the right stakeholder in the right format at the right time
Without foundation systems these objectives are challenging to achieve!
6 Sources of information risk
Is your asset information:
- Correct
- Accurate
- Available
- Relevant
- Consistent (in form between systems)
- Timely (or current in its validity)
- Common or standard
- Secure
- Recoverable
If your asset information doesn’t meet all of these requirements, you may have symptoms of information risk. Consult the nearest risk manager for further advice.
7 Where are our exposures?
- Key person dependencies
8 Examples of information risk scenarios
Key person dependencies
- GIS updates were done manually by a KEY PERSON
- No ratings on conductors in feeder spans in control room schematics
- Data was reviewed prior to a regular upload to parent systems used in control room environments to manage a distributed network
- No post-processing or review of critical data after uploads
- Conductor rating and existing state not represented to Network Controllers
What are the on-going risks?
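A post-upload validation check for the scenario on slide 8, added here as an example and not part of the presentation: it tests the complete, consistent and timely properties from slide 6 across GIS and control-room schematic records, so that missing or stale conductor ratings are flagged instead of reaching Network Controllers unnoticed. The record layouts, field names, span identifiers and rating values are constructed for illustration.

```python
"""Post-upload validation of feeder-span conductor ratings (added example;
record layouts, field names and sample values are constructed)."""
from datetime import date

# Constructed sample: feeder spans as held in the GIS after a manual update.
GIS_SPANS = [
    {"span_id": "F12-001", "rating_a": 310, "updated": date(2011, 7, 1)},
    {"span_id": "F12-002", "rating_a": None, "updated": date(2011, 7, 1)},  # rating never entered
    {"span_id": "F12-003", "rating_a": 310, "updated": date(2010, 1, 15)},  # not reviewed for 18 months
    {"span_id": "F12-004", "rating_a": 440, "updated": date(2011, 7, 1)},
]

# Constructed sample: the same spans as shown in the control-room schematic.
SCHEMATIC_SPANS = {
    "F12-001": {"rating_a": 310},
    "F12-002": {"rating_a": None},
    "F12-003": {"rating_a": 280},  # stale figure from an earlier edit
    # F12-004 never reached the schematic
}

AS_OF = date(2011, 7, 15)  # date the check runs (constructed)


def validate_upload(gis, schematic, as_of, max_age_days=365):
    """Return (span_id, finding) pairs for records that fail the checks.

    The checks follow the data-quality properties on slide 6: the rating is
    present (complete), agrees between systems (consistent), and has been
    reviewed within max_age_days (timely).
    """
    findings = []
    for rec in gis:
        sid = rec["span_id"]
        if rec["rating_a"] is None:
            findings.append((sid, "no conductor rating in GIS"))
        if sid not in schematic:
            findings.append((sid, "span missing from control-room schematic"))
        elif schematic[sid]["rating_a"] != rec["rating_a"]:
            findings.append((sid, "rating differs between GIS and schematic"))
        if (as_of - rec["updated"]).days > max_age_days:
            findings.append((sid, "rating not reviewed within %d days" % max_age_days))
    return findings


def run_check():
    """Run the validation over the constructed sample data."""
    return validate_upload(GIS_SPANS, SCHEMATIC_SPANS, AS_OF)


if __name__ == "__main__":
    for span_id, finding in run_check():
        print(span_id, finding)
```

Run as a gate after every upload, the non-empty findings list is what blocks the data from being released to the control room until a second person has reviewed it.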
9 Where are our exposures?
- Key person dependencies
- New information systems
- Changes to existing systems
  - Brownfield projects create new data and changes to system configurations
  - PPP and major capital projects build new systems
10 Examples of information risk scenarios
Major change of parent asset information system
- Asset owner decision to restructure management model and data requirements with emphasis on least cost
- Existing system left with major Service Provider and entirely new system built for new contract
- All historical data ‘archived’ and only selected elements of current data exported to new system
- Archive data stored in old formats – asset history now inaccessible
- Data matching by Service Providers using works management and interfaces
- Asset planning now based on limited range of data with little reference to maintenance and performance history
What are the on-going risks in this scenario?
11 Where are our exposures?
- Key person dependencies
- New information systems
- Changes to existing systems
  - Brownfield projects create new data and changes to system configurations
  - PPP and major capital projects build new systems
- Increases in data volume (quantities)
  - Large increases in data available on-line
  - Lumpy data, such as discrete time-stamped parameters
- Lack of structured system/data configurations (master data)
- No current, operational data (state, condition, etc.)
12 Where are our exposures?
Increases in data volume (quantities), type and availability
- Major upgrade and expansion of the installed asset base (e.g. smart meters) which introduced new technology
- Automation in smart networks causing large increases in data available on-line
- Data consisting of lumps of discrete, time-stamped parameters (voltage, current, power and energy measurements)
- Overloading of data: 10 times increase in data volumes made available to AIM systems
- Corresponding increase in data storage requirements, retrieval, sorting
- Unresolved challenges in usability of data (relevance, currency, etc.)
What are the on-going risks?
‘Too much data and not enough information can lead to disastrous mismanagement, other misrepresentations and controversies.’ (IAM 2003)
Industry response is the introduction of pattern recognition to interpret and identify quality data.
13 Where are our exposures?
- Key person dependencies
- New information systems
- Changes to existing systems
  - Brownfield projects create new data and changes to system configurations
  - PPP and major capital projects build new systems
- Increases in data volume (quantities)
  - Large increases in data available on-line
  - Lumpy data, such as discrete time-stamped parameters
- Lack of structured system/data configurations (master data)
- No current, operational data (state, condition, etc.)
- Inadequate storage and back-up
  - Unable to recover from a disaster (no DR procedure or test)
- Hacking, unauthorised use or data breaches (cyber criminals)
14 Where are our exposures?
Unauthorised use or data breaches
Read this! Do these things!
Source: Risk Management, June 2011, p8
15 Where are our exposures?
- Key person dependencies
- New information systems
- Changes to existing systems
  - Brownfield projects create new data and changes to system configurations
  - PPP and major capital projects build new systems
- Increases in data volume (quantities)
  - Large increases in data available on-line
  - Lumpy data, such as discrete time-stamped parameters
- Lack of structured system/data configurations (master data)
- No current, operational data (state, condition, etc.)
- Inadequate storage and back-up
  - Unable to recover from a disaster (no DR procedure or test)
- Hacking, unauthorised use or data breaches (cyber criminals)
- Ambiguous organizational objectives
16 Where are our exposures?
Ambiguous organizational objectives
- Organizations tend to collect information that is easiest to collect, irrespective of the need for it or its subsequent usefulness.
- Departmental objectives are also based on such thinking; maintainers and technical service providers may be given budget targets or deadlines irrespective of the potential ‘trade-off’ impact against operational performance.
- Production, operations, or customer relations personnel, on the other hand, are motivated and measured in terms of output volumes or quality, irrespective of the costs incurred by others to achieve such output.
‘The current scenario requires an asset management system which connects to organizational objectives.’ (IAM, 2003)
17 How are information risks being managed in utilities businesses?
- GIS is the core or parent platform (geocodes)
- Regular and full updates to related information systems
- Common and standard data sets (Master Data)
- Driving developments of solutions that deliver all the required capability
- Adopting risk management frameworks for asset information
- The big challenge: systems integration where necessary to ensure data flows are efficient and error free
18 Information Risk Management
What is it?
- Process of understanding and responding to factors that may lead to a failure in the confidentiality, integrity or availability of an information system.
- Adapts the generic process of risk management and applies it to the integrity, availability and confidentiality of information assets [1]
How do we do it?
- Focus our attention on processes that together ensure information risks are adequately reduced to a tolerable level.
- Include methods for identifying and assessing risks, plus the methods for determining which controls need to be applied, for checking that those controls have been applied, and then for tracking the actual level of protection being achieved.
- Apply an adequate level of risk mitigation to those situations where the risks are highest and ensure solutions are not over-engineered where the risks are minimal.
- Take risk-based approaches so that mitigation efforts are applied in proportion to the level of risk being addressed. [2]
Sources:
1. QLD Govt BPG Information Risk Management V1.0 Jul 01
2. Information Security Awareness Forum
19 Risk management frameworks
Three main influences:
Industry specifications or requirements for asset information and systems
- AS Pipelines – Gas and Liquid Petroleum
- NZS 7901:2008 Electricity & Gas Industries Safety Management Systems
Standards for management systems
- PAS 55-1:2008 Asset Management (also see ISO55000:2011)
- AS/ISO31000:2009 Risk Management
- AS/ISO9001:2004 Quality Management
- AS/ISO Quality management systems – Guidelines for configuration management
- QLD Government BPG Information Risk Management V1.0 Jul 01
- AS/NZS ISO/IEC 27002:2006: Code of practice for information security management
Standards for asset data structures, configurations and security
- ISO/IEC27000:2009 Information technology – Security techniques – Information security management systems – Overview and vocabulary
- ISO Integration of life-cycle data for process plants (7 parts)
- STEP AP212 (BS EN :2007) Graphical symbols for use in tech docs
Most standards include guidance on what information may be required, how to manage the information and how to assure your business that the information is valid.
20 Risk management frameworks – Industry specifications
AS Pipelines – Gas and Liquid Petroleum
- Section 10 Records
- The operating authority shall obtain, prepare and keep current…
  - Charts and maps showing location…
  - Records of condition…
  - Records of sections and components identified as potentially high risk…
  - Etc.
NZS 7901:2008 Electricity & Gas Industries Safety Management Systems
- Section 5.9 Provision of Information
- Arrangements shall be in place to inform external parties about the safety and operation of assets and the hazards associated with them. This shall include information to enable those parties to report faults, defects, failures, and emergencies.
- Such arrangements may include provision of maps, public notification…
But are these really requirements?
21 Risk management frameworks – Management system standards
PAS 55-1:2008 Asset Management, 4.4.6 Information Management
- The organization shall identify the asset management information it requires… considering all phases of the asset life cycle.
- The information shall be of a quality appropriate to the asset management decisions and activities it supports.
- The organization shall design, implement and maintain a system for managing asset management information.
- Employees and other stakeholders, including contracted service providers, shall have access to the information relevant to their asset management activities or responsibilities.
- The organization shall establish, implement and maintain procedures for controlling all information required. These procedures shall ensure:
  - the adequacy of the information is approved by authorized personnel prior to use;
  - information is maintained and adequacy assured through periodic review and revision, including version control where appropriate;
  - allocation of appropriate roles, responsibilities and authorities regarding the origination, generation, capture, maintenance, assurance, transmission, rights of access, retention, archiving and disposal of items of information;
  - Etc…
22 Risk management frameworks – Management system standards
ISO31000:2009 Risk Management
- Provides principles and generic guidelines on risk management
- Risk is the ‘effect of uncertainty on objectives’
- Principle 3 – risk management is part of decision making
- Principle 6 – risk management is based on the best available information
Controls effectiveness
- Should be operating in the manner intended
- Can be demonstrated to be effective
- Based on proper documentation, recording and reliable assurance processes
23 ISO31000 adapted to information risk management
Source: QLD Government BPG Information Risk Management V1.0 Jul 01
24 Risk management frameworks – Data and security standards
ISO/IEC27000:2009 Information technology – Security techniques
- Provides all types of organization (e.g. commercial enterprises, government agencies and non-profit organizations) with a basis to implement an information security management system (ISMS).
- Based on a simple Plan-Do-Check-Act (PDCA) process
- Defines requirements for an ISMS, for those certifying such systems, and for conformity assessment of an ISMS.
ISO Integration of life-cycle data for process plants (7 parts)
- Standardisation of asset information is the key to Collaborative Asset Lifecycle Management (CALM)
- CALM is the basis for information sharing between contractors and asset owners
- Provides standards for lifecycle data for process plants
- Formalises how assets are identified and how data should be structured so the same terminology can be used consistently (same language)
- Contributes to the preservation of the value of asset information as it flows between stakeholder systems
- Compliance can be at software configuration level up to integration of distributed systems
25 The bigger challenge – Integration where necessary to ensure data flows are efficient and error free
Integrated asset information systems support organizations to efficiently and sustainably manage the whole lifecycle of physical assets in terms of performance, risks, and expenditures to achieve and maintain the stated business objectives.
Attributes: holistic, sustainable, systematic, integrated, optimal, systemic, risk-based
Example: OneWater by TechnologyOne
- Complete integration between all software and related systems, including SCADA, GIS, IMS, MMS, PMS, 3rd party interfaces
- Under the system, a leak could be reported, SCADA data used to confirm the incident, geocoding to pinpoint location, remedial works logged, replacement materials ordered
26 Integration example - Mapping content to assets Source:
27 Integration example – Mapping content to assets
To enable operational readiness and excellence, the “information plant” must match the “physical plant”.
Matching of these aspects needs to be:
- Complete and accurate
- Current and available
- Relevant, consistent and sustainable
Source: SAP 2011
28 In summary
- Make use of relevant management system standards to determine your minimum requirements for AIM, including data standards: PAS55, ISO31000, ISO27000
- Adopt a risk-based approach to managing the effectiveness of your asset information systems
- Ensure asset information risks are registered in your company Risk Management System
- Wherever possible, seek to integrate systems if data must flow in consistent forms (by use of Master Data)
29 Greg Williams (T): 03 8603 5472 (M): 0439 070 125 (E): greg
Some interesting resources for bedtime reading:
- Queensland Government Information Architecture best practice guide, BPG Information Risk Management, V1.0, November 2002
- IFS white paper, ‘Selecting software for AIM: Asset Information Management’, Christian Klingspor, IFS AB, August 2009
- SAP presentation, ‘Integrated information system for safety, risk and performance management’, ICOMS2011, Dr Ing Achim Kruger, May 2011
- Harte Hanks Trillium Software white paper, ‘Where is your risk? How insurers use location intelligence to manage risk and grow their business’, 2010
- Enterprise Strategy Group white paper, ‘Databases at risk’, Jon Oltsik, ESG, September 2009
- SANS Institute white paper, ‘An introduction to information system risk management’, Steve Elky, May 2006
- Faiz, R.B., & Edirisinghe, E.A., ‘Decision making for predictive maintenance asset information management’, Interdisciplinary Journal of Information, Knowledge and Management, Volume 4, 2009
- Ouertani, M.Z., Parlikad, A.K., & McFarlane, D., ‘Towards an approach to select an asset information management strategy’, International Journal of Computer Science and Application, Volume 5, No. 36, 2008
- ‘How much does asset information cost?’, Strategic Asset Management, Issue 143, June 2004
- ‘If asset managers lose control of their information, they lose control of everything’, Strategic Asset Management, Issue 174, September 2005