This document summarizes a presentation on risk management in facility management. It discusses how workplaces are a key factor in business resilience and how changes can erode relevance over time. Cyber security risk was also addressed, noting the convergence of physical and cyber threats and importance of collaboration across functions. The presentation emphasized that culture comes from leadership and governance must support appropriate security behaviors.

1. BIFM
North Region:
“Risk Management
in FM”
Mark Whittaker
Deputy Chair, BIFM North

2. 2 | 2016 Key Learning Event – Risk Management in FM

3. 3 | 2016 Key Learning Event – Risk Management in FM
Welcome & Thanks

4. 4 | 2016 Key Learning Event – Risk Management in FM
Future Events:
Workplaces: Fit for purpose?

5. Today’s Event

6. 6 | 2016 Key Learning Event – Risk Management in FM
Risk Management in FM?

7. 7 | 2016 Key Learning Event – Risk Management in FM
Introduction to today’s speakers

8. Business Resilience
The Role of Facilities Management
A Case Study
Financial Products Trading Organisation
Pre- IPO

9. What is Business Resilience?
• A framework of capabilities, enabling resources and information resources
designed to establish & support the identified priorities & strategies
• An organisation and programme to ensure that resources and capabilities
continue to be fit for purpose
• A joined up process for risk, compliance and operational continuity that
produces actionable intelligence

10. What we needed
• Transparent & auditable
• Easy to operate
• Enterprise wide
• Finger on the pulse

12. How we……….
• Prioritised
• Designed
• Managed
.
< Business Resilience >
Protect Incident Management /
Business Continuity / Recovery
Specific actions for specific
threats and regulatory
requirements
• Fire, flood, terrorism, vandalism,
utilities, IT systems failure, cyber
attack
Overarching contingency
arrangements for loss of
availability specific assets
• Workplace
• Access to information & systems
• People

13. The Big Picture……….
• Objectives
• Strategy
• Tactics
.
• What do we get paid to do?
• If we were prevented from doing it –
what kind of reputational, contractual,
regulatory and financial exposure would
be created?
• What can we do to protect ourselves?
• What if our protective measures were
overwhelmed?
• Set the strategy for supporting
resources by understanding priorities

14. Focus……….
• Customer “touch
points”
• Regulations
.
Workplace Information
Systems
Materials &
Equipment
Supply Chain

15. Overarching Strategies for Resilience
• Information Systems
• Workplace
• Critical environments
• Regulatory compliance (Fire Risk, H & S)
• Workplace protection (utilities, flood,
terrorism)
• Workforce flexibility
• Access to information systems
• Workforce mobility
Threat Protect Detect Respond Contingency
(BCP)
Assure
Power
Water
Terrorism
Flood/Escape
of Water
Regulatory
compliance
Vandalism

16. Workplace Resilience Framework
• PPM Schedule for
regulatory obligations
and general workplace
resilience
• Special focus on critical
environments
– Establish capability
– Verify capability
• Documented strategy

17. PPM Schedule

18. Critical Environments
Where IT systems meet the physical world
• UPS
– Server Room
– Comms room(s)
– Trading Desks
• Environmental monitoring & sensor
equipment
• “out of bounds” alerting
• Two stage work area recovery

19. Critical Environments
Need TLC !!
• Moves, adds & changes
– People
– Equipment
• Factor into change management
• Audit your UPS

20. Critical Environments
Need TLC !!

21. Business Continuity (for the FM)
• Incident Management
– Evacuation Management
– Emergency Services liaison (building plans)
• Recovery & Restoration
– Workplace impact assessment
– Relocation logistics
– Repair, restoration & relocation
– Contractor management

22. Joined up Resilience Management…….
Priorities
for
Resilience
Risk, Compliance & PPM
Critical Environment Strategies
“out of bounds” alerts
Business Continuity Arrangements

23. Key Messages
• Workplace a key factor in business resilience
resilience – even in the digital world
• Change erodes relevance
– audit & test regularly
• Purpose built, sustainable management
systems

24. ©Advent IM Ltd 2016
p e o p l e p l a c e s i n fo r m a t i o n t e c h n o l o g y
Mike Gillespie
BIFM – Risk Management in FM event
Cyber Security Risk in FM

25. ©Advent IM Ltd 2016
p e o p l e p l a c e s i n fo r m a t i o n t e c h n o l o g y
agenda
• Introductions
• When we say ‘cyber’…
• Cyber in FM
• Security and Cyber
• Cyber and Health & Safety
• Collaboration and Governance
• Threat Landscape
• Corporate Risk & Risk Management
• Collaboration & Governance
• Culture
• Questions

26. ©Advent IM Ltd 2016
p e o p l e p l a c e s i n fo r m a t i o n t e c h n o l o g y
Introductions
Mike Gillespie
• Founder and MD of Advent IM Ltd
• Director of Cyber Strategy &
Research for The Security Institute
• Member of the CSCSS Global
• Industry commentator and
speaker

27. ©Advent IM Ltd 2016
p e o p l e p l a c e s i n fo r m a t i o n t e c h n o l o g y
When we say ‘cyber’…
• The language is welcoming and intuitive
• The parameters are clearly defined
• Its easy to collaborate across disciplines to get best
overall outcome
• We understand the interconnected nature of our lives
• We take appropriate steps to ensure our resilience and
security
• We constantly learn about new threats
• We have a risk-based approach to our organisation as
an entity
• IT does security

28. ©Advent IM Ltd 2016
p e o p l e p l a c e s i n fo r m a t i o n t e c h n o l o g y
When we say ‘cyber’….
• Your fridge
• Your TV
• Your car
• Your train
• Your medical aid
• Your aircon
• Your fire and life systems
• O and your corporate network

29. ©Advent IM Ltd 2016
p e o p l e p l a c e s i n fo r m a t i o n t e c h n o l o g y
Threat convergence
Some images courtesy of mapichai at FreeDigitalPhotos.net
physical
cyber
work
home
Many Cyber Attacks are only made
possible because of Physical
vulnerabilities.
Many Physical Attacks are only
made possible because of Cyber
vulnerabilities.
We need to cover ALL of our
bases…

30. ©Advent IM Ltd 2016
p e o p l e p l a c e s i n fo r m a t i o n t e c h n o l o g y
The Internet of Things
WWW
“With a quadrillion
sensors embedded in the
environment—all
connected by computing
systems, software and
services—it will be
possible to hear the
heartbeat of the Earth;
impacting human
interaction with the
globe as profoundly as
the Internet has
revolutionised
communications”
Peter Hartwell, senior
researcher at HP Labs

31. ©Advent IM Ltd 2016
p e o p l e p l a c e s i n fo r m a t i o n t e c h n o l o g y
Cybersecurity in Facility Management
• FM systems
• BMS
• Security management
• Fire and Life
• Aircon and climate control

32. ©Advent IM Ltd 2016
p e o p l e p l a c e s i n fo r m a t i o n t e c h n o l o g y
Security and Cyber
• Physical security systems
• Networked management
• Collaboration between Security
disciplines
• Language challenges
• ‘Cyber’ is not always intuitive
• Maintaining securely
• Anti-malware
• Change management
• Security updates Image courtesy of Stuart Miles
at FreeDigitalPhotos.net

33. ©Advent IM Ltd 2016
p e o p l e p l a c e s i n fo r m a t i o n t e c h n o l o g y
Cyber and Health & Safety
• German steel Mill
• Polish tram system
• Stuxnet
• Jeep hack (x2)
• S. Korean Nuclear plant

34. ©Advent IM Ltd 2016
p e o p l e p l a c e s i n fo r m a t i o n t e c h n o l o g y
Why this all matters - Security Landscape
places informationpeople technology
terror sabotage subversion
Organised
crime
espionage
chemical biological radiological nuclear cyber

35. ©Advent IM Ltd 2016
p e o p l e p l a c e s i n fo r m a t i o n t e c h n o l o g y
Corporate Risk and Risk Appetite
• Management not avoidance
• Feeding into corporate risk agendas and
registers
• Understanding Risk appetite to enable
• Agility
• Secure growth
• Confident collaboration
• Resilient supply chains
• Holistic understanding of Threat and Risk
• These things do not work in isolation

36. ©Advent IM Ltd 2016
p e o p l e p l a c e s i n fo r m a t i o n t e c h n o l o g y
Cyber risk management is not cyber
risk avoidance
• Agile business environments – global market
place
• Complex supply chains
• Security doesn’t arbitrarily say, no.
• Risk appetite
• Increasing efficiency and safety of employees as
well as quality of work environment
Some images courtesy: Boaz Yiftach at FreeDigitalPhotos.net
Can we?
No, of
course not.

37. ©Advent IM Ltd 2016
p e o p l e p l a c e s i n fo r m a t i o n t e c h n o l o g y
Risk, Risk Appetite and Risk Tolerance

38. ©Advent IM Ltd 2016
p e o p l e p l a c e s i n fo r m a t i o n t e c h n o l o g y
Collaboration and Governance
• Understanding Threat and Risk – “What do I
need to do?” Not “what have I always done?”.
• Who do we need to have on-board to get this
Risk properly mitigated?
• Is there senior leadership in place?
• Have we got a framework in place to keep
ahead of the game?
• Do we have a clear understanding of
accountability and of devolved responsibility?
• Does all of this support and enable business?
picture courtesy of winnond at freedigitialphots.net

39. ©Advent IM Ltd 2016
p e o p l e p l a c e s i n fo r m a t i o n t e c h n o l o g y
Culture
• Leadership
• Governance
• Best practice
• Do as I say not as I do?
• A fish rots from the head, down…

40. ©Advent IM Ltd 2016
p e o p l e p l a c e s i n fo r m a t i o n t e c h n o l o g y
C-suite culture
Business management
Business practices
Good quality security behaviour
Risky security behaviour

41. ©Advent IM Ltd 2016
p e o p l e p l a c e s i n fo r m a t i o n t e c h n o l o g y
“Culture eats strategy
for breakfast!” Peter Drucker
What our
policy says
What we
actually do The culture gap

42. ©Advent IM Ltd 2016
p e o p l e p l a c e s i n fo r m a t i o n t e c h n o l o g y
“Culture eats strategy
for breakfast!”
80%
20%
Source Ponemon 2014 ‘Exposing CyberSecurity Cracks”
80% of respondents say their company’s
leaders do not equate losing confidential
data with a potential loss of revenue,
despite Ponemon Institute research
indicating the
average cost of an organizational data
breach is $5.4 million.
Culture comes from the top...

43. ©Advent IM Ltd 2016
p e o p l e p l a c e s i n fo r m a t i o n t e c h n o l o g y
79%
Use private, non- commercial email accounts ( eg.
Gmail, Yahoo et al) to send board documents
2013 and 2014 Board Governance report from Thomson Reuters found a worrying
lack of security understanding in the Boardroom…
68%
Never use a dedicated and exclusive email
account that was specifically set up to receive
board communications
47%
Never encrypt this sensitive and confidential
Board information
…of their own sensitive and critical information in Board Reports.
2013
Never or rarely encrypt this sensitive and
confidential Board information
2014
60%
2013
51%
Never use a dedicated and exclusive email
account that was specifically set up to receive
board communications
2014
Data Source: Thomson
Reuters Board
Governance Report.
Some images courtesy
of
freedigitalphotos.net

44. ©Advent IM Ltd 2016
p e o p l e p l a c e s i n fo r m a t i o n t e c h n o l o g y
55%
33%
34%
33%
Yes No Dunno
56%
2013 2014
2013
40%
60%
Yes No/Dunno
2014
“Are you confident Board members
destroy all printed and emailed
documentation inline with your document
retention policy?”
Print and carry sensitive Board
documents
Data Source: Thomson
Reuters Board
Governance Report.
Some images courtesy
of
freedigitalphotos.net

45. ©Advent IM Ltd 2016
p e o p l e p l a c e s i n fo r m a t i o n t e c h n o l o g y
Data Source: Thomson
Reuters Board
Governance Report.
Some images courtesy
of
freedigitalphotos.net
One in ten had a board member
who had a computing devices either stolen or lost
65% store board communications on mobile
devices such as ipads and laptops
2014
Cyber Security information is the least requested
information by the board...only 32%
requesting…
2014

46. ©Advent IM Ltd 2016
p e o p l e p l a c e s i n fo r m a t i o n t e c h n o l o g y
• Can you picture a board meeting in progress without any
representation from Finance or HR?
• We know there are huge cost implications of a breach but
some organisations have NO cyber/information security
representation in the Boardroom.
• Only 5% of organisation have a Chief Risk Officer and the
majority of organisations (56%) align the Information
Security with their IT policy and not with their Risk Appetite
(38%).
More on culture….

47. ©Advent IM Ltd 2016
p e o p l e p l a c e s i n fo r m a t i o n t e c h n o l o g y
In summary
• Cyber space offers serious risk to FM
and Security systems
• Collaboration is king
• Leadership is catching up but needs
to get far more involved
• Cultural change is hard but it’s the
only way to make a real difference
• We are only ever going to have more
IP enabled kit, not less. Lets get on
top of it right now.

48. ©Advent IM Ltd 2016
p e o p l e p l a c e s i n fo r m a t i o n t e c h n o l o g y
Questions
advent-im.co.uk