2. David S Smart
Management Consultant, Business Coach & Mentor
My ISO experience spans more than 40 years as a Manager, Auditor and Consultant, specialising in Information Security, Quality, Health & Safety, Environmental, Medical Device, Laboratory, Outsourcing and Asset Management systems; senior management consulting and optimisation of client resources.
My coaching and mentoring experience covers over 8 years assisting managers and directors to achieve their business goals and to develop the associated skill sets needed to achieve them.
+44 (0)1592 890270
david.smart@homecall.co.uk
www.smartmentoring.co.uk
linkedin.com/david.smart
twitter.com/david.somerville.smart
fb.com/david.smart503092
4. WHAT IS RISK?
According to ISO 31000, risk is the “effect of uncertainty on objectives”, and an effect is a positive or negative deviation from what is expected.
9. LINKING ZERO DEFECT CONCEPT WITH RISK ASSESSMENT PROCESS
Worked Example: Sustainability of supply of goods and services to “Bank On Us”
10. RISK ASSESSMENT CRITERIA - EIGHT HEADERS
Regulatory compliance
Financial indicators
Exit strategy
Business continuity
Information security
Reputational risk
Service risk
Country specific risk
11. HEADER ONE – REGULATORY REQUIREMENTS
Question 1 – What method do you use to keep your legislation up-to-date?
Sources:
• Lawyer
• Trade journal
• Paid subscription
• Internet trawl
• Competent person
12. HEADER TWO – FINANCIAL INDICATORS
Question 1 – How often are cash-flow projections checked?
Frequency:
• Weekly
• Quarterly
• Annually
• Never
13. HEADER THREE – EXIT STRATEGY
Question 1 – What is your exit strategy?
Options:
• Family succession
• Management buy-out
• Management buy-in
• Trade sale
• Buy-in management buy-out
• Stock market flotation
15. HEADER FOUR – BUSINESS CONTINUITY PLANNING
Question 1 – How is your business continuity plan tested?
Methods:
• Walk through
• Simulation exercise
• Penetration test
16. HEADER FIVE – INFORMATION SECURITY
Question 1 – How many security breaches have you had this year?
Number of breaches:
• Less than 50
• More than 50
• Over 100
17. HEADER SIX – REPUTATIONAL RISK
Question 1 – How are you testing your reputation in the marketplace?
Data collection method:
• Face-to-face interviews
• Postal surveys
• Telephone surveys
• Social media comments
18. HEADER SEVEN – SERVICE RISK
Question 1 – What are your customer retention rates?
Rate:
• Less than 20%
• Between 20% & 40%
• More than 50%
19. HEADER EIGHT – COUNTRY SPECIFIC RISKS
Question 1 – Do you source your products using a fair trade policy?
Measure:
• Pay a minimum wage
• Pay more than the minimum wage
• Provide health care for your employees
24. Vendor Rating Program
Company Name: Bank on us    Date: Oct-11
Risk Category: Regulatory Compliance

1. Which method do you use to keep your legislation up-to-date?
Method              Likelihood  Consequence  Result  Control measure  Score  REN (Table 2)
Lawyer              1           0            0       Embedded         1      0
Trade journal       2           0            0       Recognised       2      0
Paid subscription   1           0            0       None             4      0
Internet trawl      3           0            0       Recognised       2      0
Competent person    1           0            0       Embedded         1      0
Total                                                                        0

2. How is it ensured that all stakeholders are kept up to date with legislation?
Method                  Likelihood  Consequence  Result  Control measure  Score  REN (Table 2)
Email attachment        2           0            0       Recognised       2      0
Hand delivery           2           0            0       Recognised       2      0
Telephone call          3           0            0       None             4      0
Doc. management system  1           0            0       Embedded         1      0
Total                                                                            0

3. What follow-up actions do you take to ensure the legislation is understood by stakeholders?
Method                  Likelihood  Consequence  Result  Control measure  Score  REN (Table 2)
Walk the line           1           0            0       Embedded         1      0
Set a questionnaire     2           0            0       Recognised       2      0
Manager is responsible  3           0            0       None             4      0
Total                                                                            0
25. THANK YOU FOR YOUR TIME DURING THIS PRESENTATION
Email: d.smart18@yahoo.co.uk
Website: smartmentoring.co
My ISO experience goes back to the days of BS5750 where I was lucky enough to be part of a large project team putting in BS5750 into two large manufacturing plants back in 1979.
I registered as a consultant with PERA after being made redundant twice in 3 years, when I set up my consultancy practice as Smart Quality Systems.
Credibility was a problem I had, so I joined a large American consultancy firm working on corporate projects throughout Europe for 3 years, which gave me exposure in Europe and also broader consultancy experience beyond quality.
I worked in North America for around 9 years on projects with mostly SMEs, broadening my experience even further by working on other ISO standards.
In 2008 I came home and set up Smart Mentoring to complement my ISO skills. I feel companies often do not fully understand the benefits that ISO systems can bring to a business. They focus too much on the marketing side (the “badge up on the wall” mentality), using them as bolt-on systems without looking at the bottom-line savings that can be made by improving their internal processes through better resource utilisation.
Risk definition:
This definition recognises that all of us operate in an uncertain world. Whenever we try to achieve an objective, there is always the chance that things will not go according to plan.
Every step has an element of risk that needs to be managed, and every outcome is uncertain. Whenever we try to achieve an objective, we don't always get the results we expect. Sometimes we get positive results, sometimes we get negative results, and occasionally we get both.
Because of this, we need to reduce uncertainty as much as possible. Uncertainty (or lack of certainty) is a state or condition that involves a deficiency of information and leads to inadequate or incomplete knowledge or understanding. In the context of risk management, uncertainty exists whenever the knowledge or understanding of an event, consequence or likelihood is inadequate or incomplete.
We generally see risk on the negative side, as the following examples demonstrate:
Health – cancer
Environment – oil spills
Car – injury
But there is also a positive side to risk, which is taking an opportunity when it is presented to us. Depending on your appetite for risk, you will either be averse to risk and tend to stick within your comfort zone, or be risk seeking and willing to come out of your comfort zone and take a chance, believing that the bigger the risk the larger the reward.
Zero Defects (or ZD) was a management-led program to eliminate defects in industrial production that enjoyed brief popularity in American industry from 1964 to the early 1970s.
Quality expert Philip Crosby later incorporated it into his "Absolutes of Quality Management" and it enjoyed a renaissance in the American automobile industry—as a performance goal more than as a program—in the 1990s.
Although applicable to any type of enterprise, it has been primarily adopted within supply chains wherever large volumes of components are being purchased (common items such as nuts and bolts are good examples).
As you can see from the examples, its use has now spread to the service industries. In my first example, zero tolerance of domestic abuse is used by the social services to help prevent domestic violence, and in the second example the police use it to cut down on alcohol consumption in public places.
We are going to use a bank (Bank On Us) as an example of how they might determine whether their vendors are going to be able to supply the goods and services they need to in turn supply their services to their customers.
I have taken a service industry as we all use the services of a bank and understand the basic processes. However this approach could be used in any sector by changing the assessment criteria.
These were the headers selected by the bank themselves to measure the sustainability of supply.
These headers were then broken down into questions, along with a set of criteria to assess them against.
I have taken just one question to illustrate the method; there can be as many questions as you want. However, a note of caution: keep your questions to the key ones and do not get “paralysis by analysis” syndrome.
We then have five sources from which we can get the information. The risk assessment team in the bank then go on to ask the vendor the question and do their own assessment, e.g. using the internet to gather their own information. After collating and analysing the data from both sources, the team allocate the numbers in the spreadsheet, which calculates the risk exposure number.
Let us assume the vendor says they do an internet trawl and the bank’s team come to the conclusion that this method is not as effective as the others; they will then calculate a higher level of risk exposure than if they felt the vendor's method was more secure. The subsequent control measure(s) will in turn be more stringent than if the team felt comfortable with the vendor’s measures.
This time only four sources have been selected, but in a start-up situation you would probably check them daily, then a bit less often, say after 3 months of trading. Likewise, if the company was going through difficult trading times, they would check their cash-flow accrual and projected calculations. It is important to remember that the number one reason for a business failing is cash flow: you could be owed a substantial sum of money by your customers but go bust before you are paid.
There are six ways in which a company can develop an exit strategy. Which option is taken will have major impacts on the bank.
Within each option there are sub-categories, e.g. in option one, “Family succession”, the sub-categories are whether it is the first, second, third etc. generation who are going to take the business over. How the bank’s team assess the strengths and weaknesses of the family members will then determine how closely they will have to monitor the situation.
Again, the control measures will depend on how the risk management team view the security of their assets. If, for example, they are outsourcing their customers’ statements, then a walk-through would probably not suffice. The bank will have its own IT resource, who will probably conduct penetration tests themselves or hire, e.g., an ethical hacker to do this on their behalf.
The first question that will need to be asked is “how knowledgeable is the outsourced organisation on assessing the risks the bank's information is being exposed to?” If, for example, it takes an ethical hacker two minutes (which is not hard to achieve), then the bank will have to monitor the situation very closely, including considering whether they want to look for a new vendor. Think of the recent breaches we have seen in the news – TalkTalk etc.
Bad news travels faster than good news. We used to say a bad comment will be shared with ten others, now the whole world can hear about us in an afternoon. Social media is a very powerful marketing tool.
Corporate social responsibility is high on the list of company objectives; gone are the days when one could say the objective of a company is simply to make money. If we ignore our social responsibilities, e.g. dump contaminated water into our rivers, we won’t be in business long.
A definition of retention rates will need to be agreed first of all, e.g. a customer who has placed a repeat order with us in the last six months.
Again the order size and price might come into the equation.
If there are high retention rates then in general the service levels must be good.
The banks are a good example of how we used to trust them and hardly ever changed our account from one bank to another. However, the fiasco when they had to be bailed out changed our loyalty and trust patterns.
Marks and Spencer is another example of complacency; it is very unlikely they will be recognised as number one in both choice of clothing and service levels.
This again is linked to being seen as a good corporate citizen, not encouraging “sweat shops”, and making sure the raw products are obtained from a sustainable source, e.g. planting 3 trees for every one chopped down.
Also look at the stability of the country: is there rampant inflation, is it a dictatorship, is terrorism a major issue?
Table 1 – Risk identification
There are many ways of doing risk assessments, both qualitative and quantitative. We are going to use the most common method, as it is easy to understand, but it is subjective, depending on the knowledge and experience of the risk assessment team when assessing the risk factors.
There are three categories for the likelihood of the risk occurring, ranging from highly unlikely to probable. Along the bottom axis we have the range of consequences of the risk occurring, again ranging from harmful to extremely harmful.
We have now calculated the likelihood and consequence score to carry forward to the next table.
Table 2 – Control measures
Carrying our score forward from Table 1 gives us the vertical axis score; we then have to decide what the score is when the control measures are taken into consideration.
You can see that the “traffic light principle” has been used here: green for “Go”, amber for “Caution” and red for “Stop”.
Where we land on the matrix will determine which actions to take to monitor the situation.
Table 3 – Risk control measures
This table suggests possible actions to take to monitor the risks, again using the traffic light principle. We can see that there are two categories for “Green”, low and tolerable, and two categories for “Red”, substantial and intolerable.
Possible courses of action, along with timeframes for them to happen, are given.
Note: Sometimes five categories are used instead of three for the tables, either using words to describe them, e.g. a one-in-a-hundred chance of this happening, or expressed as percentages, i.e. a 20% probability of the event happening.
This is part of the spreadsheet I used for “Bank On Us”.
The text is a bit small to read, so I will talk a little about the content and how it is used.
There are three questions asked in the category Regulatory Compliance:
What method do you use to keep your legislation up-to-date?
How is it ensured that all stakeholders are kept up-to-date with legislation?
What follow-up actions do you take to ensure legislation is understood?
I have then categorised the risk of each method as high, medium or low (i.e. 3, 2, 1), followed by the consequence it would have on the bank. The result is the risk (likelihood) multiplied by the consequence.
The next step is to consider the control measure put in place, ranging from none to recognised or embedded in the organisation, with a score of 1 being low risk (embedded in the organisation) and 4 being high risk (no control measures in place).
The risk exposure number (REN) is then calculated from Table 2.
The final part is to calculate the overall risk for the category by adding up the RENs for each question, which gives us the grand exposure number for the Regulatory Compliance category.
The overall score for each category will need to be aggregated and bands introduced to decide whether the vendor stays on the approved supplier list.
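The spreadsheet arithmetic described above, as an added worked example that is not the presenter's own spreadsheet. The notes give result = likelihood × consequence and the control-measure scores (embedded 1, recognised 2, none 4) but only say the REN is "calculated" from Table 2, so the REN product and the five band thresholds are assumptions, and the sample scores are constructed.

```python
"""Vendor rating arithmetic in the style of the 'Bank On Us' spreadsheet."""
from dataclasses import dataclass

# Control-measure scores as stated in the notes: embedded 1, recognised 2, none 4.
CONTROL_SCORE = {"Embedded": 1, "Recognised": 2, "None": 4}

# Constructed five-band scale in the style of Table 3; thresholds are assumptions.
# Each entry: (upper bound inclusive, category, traffic light).
BANDS = [(4, "low", "green"), (9, "tolerable", "green"), (16, "moderate", "amber"),
         (24, "substantial", "red"), (float("inf"), "intolerable", "red")]


@dataclass
class Method:
    name: str
    likelihood: int   # 1 = low .. 3 = high, as categorised in the notes
    consequence: int  # 0 = none .. 3 = extremely harmful
    control: str      # key into CONTROL_SCORE

    def result(self) -> int:
        """Table 1: likelihood multiplied by consequence."""
        return self.likelihood * self.consequence

    def ren(self) -> int:
        """Table 2, assumed here to be result x control-measure score."""
        if not (1 <= self.likelihood <= 3 and 0 <= self.consequence <= 3):
            raise ValueError(f"{self.name}: likelihood/consequence out of range")
        return self.result() * CONTROL_SCORE[self.control]


def question_total(methods: list) -> int:
    """Total REN for one question (the 'Total' row of the spreadsheet)."""
    return sum(m.ren() for m in methods)


def grand_exposure(questions: dict) -> int:
    """Grand exposure number: the REN totals of every question in a category."""
    return sum(question_total(ms) for ms in questions.values())


def band(gen: int) -> tuple:
    """Map a grand exposure number to (category, traffic light) via BANDS."""
    return next((cat, light) for upper, cat, light in BANDS if gen <= upper)


# Constructed sample: the vendor tracks legislation by internet trawl and tells
# stakeholders by phone, so the bank's team scores those methods higher.
REGULATORY = {
    "1. keep legislation up to date": [Method("Internet trawl", 3, 2, "Recognised")],
    "2. stakeholders kept up to date": [Method("Telephone call", 3, 2, "None")],
    "3. legislation understood": [Method("Walk the line", 1, 1, "Embedded")],
}
```

With these constructed scores the category lands in the red "intolerable" band, which is where the bank would decide whether the vendor stays on the approved list.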