Scottish Federation of Housing Associations Presentation Transcript
Scottish Federation of Housing Associations Finance Staff Forum February 2006
A bit of background!
Offrisk Consulting established in 2002 – based in Glasgow
Specific remit to assist and advise Scottish organisations
Many clients in the public and private sector
Two main areas of interest:
Corporate Risk Governance Balanced Risk Card
Business Continuity Recovery Flow
Do we have to do risk management?
ensure we have a fully embedded system of
internal control that identifies significant operational risks
to the achievement of our plans, aims and objectives,
evaluates the nature and extent of those risks and
manages them efficiently, effectively and economically.
… good corporate governance
What is risk?
‘a future uncertain event that
could influence (positively & negatively) the
achievement of operational and strategic objectives
and statutory obligations’
Event Consequence Impact Objective?
How much of this do I have to do?
Goal is achievement of objectives, not process driven assessment!
Remember, the assessment work must be proportionate to gains!
[Figure: performance (low to high) against approach to risk (unaware, managing, obsessed); threat or opportunity; shocks and crises or innovation and change. Labels: "Exposed and destroying value", "Managing risk to add value", "Over control stifles value creation".]
Balanced Risk card
What could stop the Business Plan this year?
Processes: Are we organised as well as we could be?
Learning & Growth: Are we developing our people and organisation for the future?
Deliverables: Are we delivering what our clients expect?
Resources: How well are we planning and managing our resources?
risks can deter accomplishment
manage the risks out
excel at the provision of high quality service
contribute to stakeholder confidence
Balanced & SMART objectives
SOPs and ISO
Interaction with Partners
Building for the future
Service Capability External Impact Internal Process Standards People Issues
Keeping it simple and clear
Integrating risk & performance management with clear objectives
Balanced Risk card
Risk Identification against scorecard objectives
Risk Assessment
Decide Action
Control, Mitigate or Transfer
Monitor risks, controls and actions
Review Control Strategies
Policies and procedures
Event Consequence Impact Objective?
Accident causation & controls
Adapted from the work of James Reason
Successive layers of defences, barriers and safeguards
Some holes due to active failures (e.g. mistakes, procedural violations)
Other holes due to latent conditions (e.g. faulty equipment, lack of training)
Balanced Risk Card
[Figure: four quadrants (Service Capability, People issues, Internal processes, External impact), each plotted on Impact and Probability axes.]
Business Continuity Management
“… is about the development, implementation and maintenance of an action orientated process which responds to:
an emergency incident impacting operations
the issues & implications arising – crisis management
recovery of the business …”
… the value is in the planning …
… protecting enterprise value
[Figure: timeline (0 hrs, 3 to 4 hrs, Day 2, Day 4, Weeks, Months) showing Emergency Response, Crisis Management and Process Recovery.]
A management process
[Figure: BCM cycle, labelled "Service" and "BCM", with the following stages]
Understanding the business risks and process priorities
Developing realistic continuity and resumption strategies
Risk mitigation and continuity response actions
Embedding service continuity culture and confidence in the Plan
Maintenance
Rehearsing the people
Exercising the Plan
What if this happened?
The Business Continuity Plan
Practical and flowcharted
Recovery Flow over a timeline!
Escalation procedure to inform / call out:
Emergency Response Team
Ensure life and safety
Emergency Authority Liaison
Assess situation – fix the hazard
Inform management decisions
Red Pack – 0 to 2 hours critical 24/7/365
Practical actions steps for each function
Reflection of agreed recovery strategy
Prioritised post loss requirements
Green Pack – day 2 for as necessary
A critical turning point in a major incident
Impacting the organisation’s viability
Who needs to know inc. press & media
Issues and implications
Yellow Pack – ASAP up to 3 days
What is an Emergency?
A serious situation or occurrence that happens unexpectedly and demands immediate action and more than usual resources.
Emergency Response – Red Pack
Emergency Response Team – 24/7/365
Capability and authority
Expertise and responsible
Agreed procedures – make safe
Eyes and ears for the Directors
Liaison with statutory authorities
Fix the hazard and set up the recovery phase
ERT to become easily identifiable within the organisation
With clearly defined roles and responsibilities
The Plan must be easily understood
What is a Crisis?
“A crisis is a decisive moment or turning point event
that by fact or by perception
has the sustained potential
to seriously affect service delivery
as seen by our customers and the reputation of the Association”
Crisis Management – Yellow Pack
Issues and implications
Stakeholders – how do others see us?
Press and media – not marketing!
Specific attention to staff and relatives?
Do we appreciate the subtle difference between emergency response and crisis management?
Not all of the Association may be affected!
Process Recovery – Green Pack
Where the rubber touches the road!
The hardest part but the most satisfying
Process specific - cognisant of agreed recovery strategies
Use of alternative facilities
Post loss resources
Not necessarily able to recover all processes immediately
Planning should be about end to end processing
Do individual managers understand their part in the Plan?
Don’t be frightened to test the Plan’s assumptions!
Staff Rehearsal and Plan Exercising
Plan must be kept up to date
Planned maintenance – contacts and changes in processes
Escalation procedure – weekend call out
Desk top – review against scenario
Simulation – concentrated days in short time
Disaster scenario – real time and real event exercise
Meaningful rehearsal of roles
Walk through against a realistic scenario will be useful
Summary of what will be in our Plan:
Easy to use and realistic
Understood at all levels within the organisation
Based on strong recovery strategies
Emergency procedures – Management of Work Place Regs
Corporate Governance, Auditor and Insurer expectation?
Will tell me what to do – wise guidance
Evidence of controlled document review
Regular and effective maintenance and exercising
Welcome! to Management of Risk and Uncertainty www.theIRM.org
Questions and Answers
Graham E Offord, FIRM, MBCI, MCIBS
0141 563 9747