Page 1

Risk management frameworks for foundation Asset Information Systems

Lessons drawn from experiences in the utilities industry

AMC Melbourne Chapter, 15 July 2011. Greg Williams

Page 2

Contentions

1. Asset management is essentially a risk-based process

2. Infrastructure related businesses invest heavily in Asset Information systems to help manage their assets and improve their overall performance.

3. The necessity for good asset information is growing rather than reducing.

4. Asset Information system requirements are becoming more sophisticated.

5. The number of stakeholders and complexity of collating and sharing information is increasing.

6. Drivers include changing regulation, private finance initiatives to fund major capital programs, and a greater collective understanding of asset management risk.

7. The information and systems necessary to manage physical assets also have value.

8. We should address information risks as part of asset management.

Asset Management = Information Risk Management = Risk Management

Page 3

Agenda

I’d like you to consider the following:

1. What are your ‘foundation asset information systems’ and why are they important?

2. Where are your information risk exposures?

3. What is ‘information risk management’?

4. Are risk management frameworks suitable for managing asset information?

5. What challenges lie ahead for you?

Let’s prompt a few thoughts.

Page 4

Foundation asset information systems – some definitions

What are Asset Information Systems?

The asset information systems an organization has in place to support the asset management activities and decision-making processes in accordance with the asset information strategy.

Why are these systems the ‘foundation systems’?
• Those that contain the essential data describing the physical asset
• Physical & functional parameters (What is it, where is it, how does it connect to others?)
• Condition, age, operating state
• History, changes, modifications
• These systems allow us to take control of the information regarding an asset.

Examples of foundation systems
• Geographic Information Systems (GIS)
• Maintenance Management Systems (MMS)
• Works Management Systems (WMS)
• Project Management Systems (PMS)
• Customer Management Systems (CMS)
• Incident Management Systems (IMS)

Page 5

Why do foundation systems form the basics?

1. Compliance – Reduce compliance risk, keep records of compliance actions

2. Governance – Enable accurate and timely decision making

3. Planning – Inform planning to enable accurate project development

4. Safety – Enable safe operation of the asset

5. Configuration – Allow capture and control of changes to the configuration and operating state

6. Information supply chain – Deliver the right info to the right stakeholder in the right format at the right time

Without foundation systems these objectives are challenging to achieve!

Page 6

Sources of information risk

Is your asset information:

Correct

Accurate

Available

Relevant

Consistent (in form between systems)

Timely (or current in its validity)

Common or standard

Secure

Recoverable

If your asset information doesn’t meet all of these requirements, you may have symptoms of information risk.

Consult the nearest risk manager for further advice.

Page 7

Where are our exposures?

• Key person dependencies

Page 8

Examples of information risk scenarios

• Key person dependencies
  • GIS updates were done manually by a KEY PERSON
  • No ratings on conductors in feeder spans in control room schematics
  • Data was reviewed prior to a regular upload to parent systems used in control room environments to manage a distributed network
  • No post-processing or review of critical data after uploads
  • Conductor rating and existing state not represented to Network Controllers

• What are the on-going risks?
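Page 6 asks whether asset information is correct, consistent, timely and so on, and the scenario above shows what happens when nothing checks the data after it lands in the control-room system. The following is an added example (not from the presentation, and not code from any utility or vendor named on this page) of the post-upload review that was missing: it reconciles a GIS export against the control-room schematic data set, reports completeness, consistency and currency findings, and gates the upload while any critical finding is open. The asset identifiers, field names, 30-day currency window and all records are constructed for illustration.

```python
"""Post-upload review of asset data flowing from a parent system (GIS) to a
control-room schematic system.  Added example: the asset IDs, field names,
records and the 30-day currency window are all constructed assumptions."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List

# Fields a Network Controller relies on; a record missing any of them must not
# be accepted into the control-room data set (assumed policy).
CRITICAL_FIELDS = ("conductor_type", "rating_amps", "operating_state")
MAX_AGE_DAYS = 30  # currency window for a control-room record (assumed policy)


@dataclass
class Finding:
    asset_id: str
    severity: str    # "critical" blocks the upload, "warning" goes to the review log
    dimension: str   # completeness / consistency / currency
    detail: str


def review_upload(gis: Dict[str, dict], control_room: Dict[str, dict],
                  today: date) -> List[Finding]:
    """Reconcile the control-room data set against the parent GIS export."""
    findings: List[Finding] = []
    for asset_id, src in gis.items():
        dst = control_room.get(asset_id)
        if dst is None:
            findings.append(Finding(asset_id, "critical", "completeness",
                                    "asset missing from control-room schematics"))
            continue
        for field in CRITICAL_FIELDS:
            if dst.get(field) in (None, ""):
                findings.append(Finding(asset_id, "critical", "completeness",
                                        f"{field} not represented to Network Controllers"))
            elif dst[field] != src.get(field):
                findings.append(Finding(asset_id, "critical", "consistency",
                                        f"{field}: GIS={src.get(field)!r}, control room={dst[field]!r}"))
        verified = dst.get("last_verified")
        if verified is None:
            findings.append(Finding(asset_id, "warning", "currency", "never verified"))
        else:
            age = (today - date.fromisoformat(verified)).days
            if age > MAX_AGE_DAYS:
                findings.append(Finding(asset_id, "warning", "currency",
                                        f"last verified {age} days ago"))
    # Records in the control room that the parent system no longer knows about.
    for asset_id in sorted(control_room.keys() - gis.keys()):
        findings.append(Finding(asset_id, "warning", "consistency",
                                "in control room but not in GIS (orphan record)"))
    return findings


def upload_accepted(findings: List[Finding]) -> bool:
    """The gate the scenario lacked: no critical finding may be open."""
    return not any(f.severity == "critical" for f in findings)


# Constructed sample data: a GIS export and the control-room copy after upload.
GIS_EXPORT = {
    "FDR-01-SPAN-003": {"conductor_type": "AAAC 7/4.75", "rating_amps": 420, "operating_state": "in-service"},
    "FDR-01-SPAN-004": {"conductor_type": "AAAC 7/4.75", "rating_amps": 420, "operating_state": "in-service"},
    "FDR-02-SPAN-010": {"conductor_type": "ACSR 6/1/3.00", "rating_amps": 210, "operating_state": "de-energised"},
}
CONTROL_ROOM = {
    "FDR-01-SPAN-003": {"conductor_type": "AAAC 7/4.75", "rating_amps": 420,
                        "operating_state": "in-service", "last_verified": "2011-07-01"},
    # rating never carried across: the exact gap the scenario describes
    "FDR-01-SPAN-004": {"conductor_type": "AAAC 7/4.75", "rating_amps": None,
                        "operating_state": "in-service", "last_verified": "2011-07-01"},
    # operating state out of step with GIS, and not verified for months
    "FDR-02-SPAN-010": {"conductor_type": "ACSR 6/1/3.00", "rating_amps": 210,
                        "operating_state": "in-service", "last_verified": "2010-11-15"},
    # orphan: not in the parent system at all
    "FDR-09-SPAN-001": {"conductor_type": "ACSR 6/1/3.00", "rating_amps": 210,
                        "operating_state": "in-service", "last_verified": "2011-07-01"},
}
REVIEW_DATE = date(2011, 7, 15)


def run_review():
    findings = review_upload(GIS_EXPORT, CONTROL_ROOM, REVIEW_DATE)
    return findings, upload_accepted(findings)


if __name__ == "__main__":
    findings, accepted = run_review()
    for f in findings:
        print(f"[{f.severity:8}] {f.asset_id} {f.dimension}: {f.detail}")
    print("upload accepted" if accepted else "upload BLOCKED pending review")
```

Run as a script it lists four findings for the constructed data (the missing rating and the state mismatch are critical, the stale record and the orphan are warnings) and blocks the upload. The point of the split into severities is the proportionality the later slides ask for: only the findings a Network Controller would act on stop the data flow; the rest go to the review log.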

Page 9

Where are our exposures?

• Key person dependencies
• New information systems
• Changes to existing systems
• Brownfield projects create new data and changes to system configurations
• PPP and major capital projects build new systems

Page 10

Examples of information risk scenarios

• Major change of parent asset information system
  • Asset owner decision to restructure management model and data requirements with emphasis on least cost
  • Existing system left with major Service Provider and entirely new system built for new contract
  • All historical data ‘archived’ and only selected elements of current data exported to new system
  • Archive data stored in old formats – asset history now inaccessible
  • Data matching by Service Providers using works management and interfaces
  • Asset planning now based on limited range of data with little reference to maintenance and performance history

• What are the on-going risks in this scenario?

Page 11

Where are our exposures?

• Key person dependencies
• New information systems
• Changes to existing systems
• Brownfield projects create new data and changes to system configurations
• PPP and major capital projects build new systems
• Increases in data volume (quantities)
• Large increases in data available on-line
• Lumpy data, such as discrete time stamped parameters
• Lack of structured system/data configurations (master data)
• No current, operational data (state, condition, etc)

Page 12

Where are our exposures?

Increases in data volume (quantities), type & availability
• Major upgrade and expansion of the installed asset base (eg, Smart Meters) which introduced new technology
• Automation in smart networks causing large increases in data available on-line
• Data consisting of lumps of discrete, time stamped parameters (voltage, current, power and energy measurements)
• Overloading of data – 10 times increase in data volumes made available to AIM systems
• Corresponding increase in data storage requirements, retrieval, sorting
• Unresolved challenges in usability of data (relevance, currency, etc)

• What are the on-going risks?

• ‘Too much data and not enough information can lead to disastrous mismanagement, other misrepresentations and controversies.’ (IAM 2003)

Industry response is the introduction of pattern recognition to interpret and identify quality data

Page 13

Where are our exposures?

• Key person dependencies
• New information systems
• Changes to existing systems
• Brownfield projects create new data and changes to system configurations
• PPP and major capital projects build new systems
• Increases in data volume (quantities)
• Large increases in data available on-line
• Lumpy data, such as discrete time stamped parameters
• Lack of structured system/data configurations (master data)
• No current, operational data (state, condition, etc)
• Inadequate storage and back-up
• Unable to recover from a disaster (no DR procedure or test)
• Hacking, unauthorised use or data breaches (cyber criminals)
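Two of the exposures just listed, inadequate back-up and no tested DR procedure, and the page 10 scenario of archived data stored in old formats that nobody could read, share one remedy: a restore test that is actually run. The following is an added example (not from the presentation or from any product on this page) of such a test in Python. It writes a backup set with a SHA-256 manifest, then restores it and checks three things the slides call for: that every file is present and unaltered, that the archived data still parses in a current tool, and that the backup is recent enough for the recovery point the business assumes. The file names, the CSV layout and the 7-day recovery point are constructed assumptions. A manifest stored inside the archive only catches accidental loss; record its hash out of band as well (in the DR run log, for instance), because anyone who can rewrite the archive can rewrite an embedded manifest too.

```python
"""Restore test for an asset-data backup set.  Added example; file names,
contents and the recovery-point window are constructed assumptions."""
import csv
import hashlib
import io
import json
import zipfile
from datetime import date
from typing import Dict, List, Optional

MANIFEST = "MANIFEST.json"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_backup(files: Dict[str, bytes], taken_on: date) -> bytes:
    """Pack the files plus a hash manifest into a zip, returned as bytes."""
    manifest = {"taken_on": taken_on.isoformat(),
                "files": {name: sha256(data) for name, data in files.items()}}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
        zf.writestr(MANIFEST, json.dumps(manifest, indent=1))
    return buf.getvalue()


def restore_test(archive: bytes, today: date, max_age_days: int) -> List[str]:
    """Restore from the archive and return every problem found (empty = pass)."""
    problems: List[str] = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        names = set(zf.namelist())
        if MANIFEST not in names:
            return ["manifest missing: contents cannot be verified"]
        manifest = json.loads(zf.read(MANIFEST))
        age = (today - date.fromisoformat(manifest["taken_on"])).days
        if age > max_age_days:
            problems.append(f"backup is {age} days old, outside the {max_age_days}-day recovery point")
        for name, expected in manifest["files"].items():
            if name not in names:
                problems.append(f"{name}: listed in manifest but missing from archive")
                continue
            data = zf.read(name)   # zipfile also checks the entry's CRC-32 here
            if sha256(data) != expected:
                problems.append(f"{name}: checksum mismatch (corrupted or substituted)")
            elif name.endswith(".csv"):
                # Readability: archived data must still parse in a current tool,
                # otherwise the history is 'archived' but inaccessible.
                rows = list(csv.DictReader(io.StringIO(data.decode("utf-8"))))
                if not rows or "asset_id" not in rows[0]:
                    problems.append(f"{name}: restored file does not parse as an asset table")
        for name in sorted(names - set(manifest["files"]) - {MANIFEST}):
            problems.append(f"{name}: present in archive but not in manifest")
    return problems


def rewrite_archive(archive: bytes, changes: Dict[str, Optional[bytes]]) -> bytes:
    """Simulate silent corruption or loss: replace (bytes) or drop (None)
    entries while leaving the manifest untouched.  Only used to exercise the test."""
    buf = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(archive)) as src, \
         zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in src.namelist():
            if name in changes and changes[name] is None:
                continue
            dst.writestr(name, changes.get(name, src.read(name)))
    return buf.getvalue()


# Constructed sample backup set: an asset register export and a GIS extract.
SAMPLE_FILES = {
    "assets.csv": (b"asset_id,conductor_type,rating_amps\n"
                   b"FDR-01-SPAN-003,AAAC 7/4.75,420\n"
                   b"FDR-02-SPAN-010,ACSR 6/1/3.00,210\n"),
    "gis_extract.xml": b"<assets><asset id=\"FDR-01-SPAN-003\"/></assets>\n",
}
RECOVERY_POINT_DAYS = 7  # assumed recovery point objective


def run_restore_tests() -> Dict[str, List[str]]:
    good = build_backup(SAMPLE_FILES, date(2011, 7, 14))
    today = date(2011, 7, 15)
    return {
        "intact": restore_test(good, today, RECOVERY_POINT_DAYS),
        "corrupted": restore_test(rewrite_archive(good, {"assets.csv": b"asset_id\n"}),
                                  today, RECOVERY_POINT_DAYS),
        "file_lost": restore_test(rewrite_archive(good, {"gis_extract.xml": None}),
                                  today, RECOVERY_POINT_DAYS),
        "stale": restore_test(good, date(2011, 8, 30), RECOVERY_POINT_DAYS),
    }


if __name__ == "__main__":
    for case, problems in run_restore_tests().items():
        print(f"{case}: {'PASS' if not problems else problems}")
```

The four cases in `run_restore_tests` are the failure modes the slides name: a good backup passes, a silently altered file and a lost file are each caught by the manifest, and a backup older than the recovery point fails even though its contents are intact. A DR procedure that only confirms the archive exists would pass all four.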

Page 14

Where are our exposures? Unauthorised use or data breaches

[Reproduced magazine page, annotated ‘Read this!’ and ‘Do these things!’]

Source: Risk Management, June 2011, p8

Page 15

Where are our exposures?

• Key person dependencies
• New information systems
• Changes to existing systems
• Increases in data volume (quantities)
• Large increases in data available on-line
• Lumpy data, such as discrete time stamped parameters
• Inadequate storage and back-up
• Unable to recover from a disaster (no DR procedure or test)
• Lack of structured system/data configurations (master data)
• No current, operational data (state, condition, etc)
• Brownfield projects create new data and changes to system configurations
• PPP and major capital projects build new systems
• Hacking, unauthorised use or data breaches (cyber criminals)
• Ambiguous organizational objectives

Page 16

Where are our exposures?

Ambiguous organizational objectives

• Organizations tend to collect information that is easiest to collect, irrespective of the need for it or the subsequent usefulness.

• Departmental objectives also based on such thinking; maintainers and technical service providers may be given budget targets or deadlines irrespective of the potential ‘trade-off’ impact against operational performance.

• Production, operations, or customer relations personnel, on the other hand, are motivated and measured in the terms of output volumes or quality, irrespective of the costs incurred by others to achieve such output.

• ‘The current scenario requires an asset management system which connects to organizational objectives.’ (IAM, 2003)

Page 17

How are information risks being managed in utilities businesses?

1. GIS is the core or parent platform (geocodes)

2. Regular and full updates to related information systems

3. Common and standard data sets (Master Data)

4. Driving developments of solutions that deliver all the required capability

5. Adopting risk management frameworks for asset information

6. The big challenge - Systems integration where necessary to ensure data flows are efficient and error free

Page 18

Information Risk Management

What is it?

• Process of understanding and responding to factors that may lead to a failure in the confidentiality, integrity or availability of an information system.

• Adapts the generic process of risk management and applies it to the integrity, availability and confidentiality of information assets.¹

How do we do it?

• Focus our attention on processes that together ensure information risks are reduced to a tolerable level.

• Include methods for identifying and assessing risks, plus the methods for determining which controls need to be applied, for checking that those controls have been applied, and then for tracking the actual level of protection being achieved.

• Apply an adequate level of risk mitigation to those situations where the risks are highest and ensure solutions are not over-engineered where the risks are minimal.

• Take risk-based approaches so that mitigation efforts are applied in proportion to the level of risk being addressed.²

Sources: 1. QLD Govt BPG Information Risk Management V1.0, Jul 01; 2. Information Security Awareness Forum

Page 19

Risk management frameworks

Three main influences:

1. Industry specifications or requirements for asset information & systems
• AS 2885.3-2001 Pipelines – Gas and Liquid Petroleum
• NZS 7901:2008 Electricity & Gas Industries Safety Management Systems

2. Standards for management systems
• PAS 55-1:2008 Asset Management (also see ISO 55000, then in development)
• AS/ISO 31000:2009 Risk Management
• AS/ISO 9001 Quality Management
• AS/ISO 10007-2003 Quality management systems – Guidelines for configuration management
• QLD Government BPG Information Risk Management V1.0 Jul 01
• AS/NZS ISO/IEC 27002:2006 Code of practice for information security management

3. Standards for asset data structures, configurations and security
• ISO/IEC 27000:2009 Information technology – Security techniques – Information security management systems – Overview and vocabulary
• ISO 15926 Integration of life-cycle data for process plants (7 parts)
• STEP AP212 (BS EN 81714-2:2007) Graphical symbols for use in tech docs

Most standards include guidance on what information may be required, how to manage the information and how to assure your business that the information is valid.

Page 20

Risk management frameworks – Industry specifications

AS 2885.3-2001 Pipelines – Gas and Liquid Petroleum

Section 10 Records

The operating authority shall obtain, prepare and keep current…
• Charts and maps showing location…
• Records of condition…
• Records of sections and components identified as potentially high risk…
• Etc.

NZS 7901:2008 Electricity & Gas Industries Safety Management Systems

Section 5.9 Provision of Information
• Arrangements shall be in place to inform external parties about the safety and operation of assets and the hazards associated with them. This shall include information to enable those parties to report faults, defects, failures, and emergencies.
• Such arrangements may include provision of maps, public notification…

But are these really requirements?

Page 21

Risk management frameworks – Management system standards

PAS 55-1:2008 Asset Management, 4.4.6 Information Management

• The organization shall identify the asset management information it requires... considering all phases of the asset life cycle.
• The information shall be of a quality appropriate to the asset management decisions and activities it supports.
• The organization shall design, implement and maintain a system for managing asset management information.
• Employees and other stakeholders, including contracted service providers, shall have access to the information relevant to their asset management activities or responsibilities.
• The organization shall establish, implement and maintain procedures for controlling all information required. These procedures shall ensure:
  • the adequacy of the information is approved by authorized personnel prior to use;
  • information is maintained and adequacy assured through periodic review and revision, including version control where appropriate;
  • allocation of appropriate roles, responsibilities and authorities regarding the origination, generation, capture, maintenance, assurance, transmission, rights of access, retention, archiving and disposal of items of information;
  • Etc.

Page 22

Risk management frameworks – Management system standards

ISO 31000:2009 Risk Management

• Provides principles and generic guidelines on risk management
• Risk is the ‘effect of uncertainty on objectives’
• Principle 3 – risk management is part of decision making
• Principle 6 – risk management is based on the best available information
• Controls effectiveness
  - Should be operating in the manner intended
  - Can be demonstrated to be effective
  - Based on proper documentation, recording and reliable assurance processes

Page 23

ISO31000 adapted to information risk management

Source: QLD Government BPG Information Risk Management V1.0 Jul 01

Page 24

Risk management frameworks – Data & security standards

ISO/IEC 27000:2009 Information technology – Security techniques
• Provides all types of organization (e.g. commercial enterprises, government agencies and non-profit organizations) with a basis to implement an information security management system (ISMS).
• Based on a simple Plan-Do-Check-Act (PDCA) process
• Defines requirements for an ISMS and for the certification and conformity assessment of an ISMS.

ISO 15926 Integration of life-cycle data for process plants (7 parts)
• Standardisation of asset information is the key to Collaborative Asset Lifecycle Management (CALM)
• CALM is the basis for information sharing between contractors and asset owners
• Provides standards for lifecycle data for process plants
• Formalises how assets are identified and how data should be structured so the same terminology can be used consistently (same language)
• Contributes to the preservation of the value of asset information as it flows between stakeholder systems
• Compliance can be at software configuration level up to integration of distributed systems

Page 25

The bigger challenge – Integration where necessary to ensure data flows are efficient and error free

Integrated asset information systems support organizations to efficiently and sustainably manage the whole lifecycle of physical assets in terms of
• performance,
• risks, and
• expenditures
to achieve and maintain the stated business objectives.

Integrated · Holistic · Systematic · Systemic · Risk-based · Optimal · Sustainable

Example: OneWater by TechnologyOne
• Complete integration between all software and related systems, including SCADA, GIS, IMS, MMS, PMS, 3rd party interfaces
• Under the system, a leak could be reported, SCADA data used to confirm the incident, geocoding to pinpoint location, remedial works logged, replacement materials ordered

Page 26

Integration example - Mapping content to assets

Source:

Page 27

Integration example – Mapping content to assets

To enable operational readiness and excellence, the “information plant” must match the “physical plant”

Matching of these aspects needs to be:
• Complete and accurate
• Current and available
• Relevant, consistent and sustainable

Source: SAP 2011

Page 28

In summary,

1. Make use of relevant management system standards to determine your minimum requirements for AIM, including data standards (PAS 55, ISO 31000, ISO 27000)

2. Adopt a risk-based approach to managing the effectiveness of your asset information systems

3. Ensure asset information risks are registered in your company Risk Management System

4. Wherever possible, seek to integrate systems if data must flow in consistent forms (by use of Master Data)

Page 29

Greg Williams (T): 03 8603 5472 (M): 0439 070 125 (E): [email protected]

Some interesting resources for bedtime reading:

•Queensland Government Information Architecture best practice guide, BPG Information Risk management, V1.0 November 2002

•IFS white paper, ‘Selecting software for AIM: Asset Information Management’, Christian Klingspor, IFS AB, August 2009

•SAP presentation, ‘Integrated information system for safety, risk and performance management’, ICOMS2011, Dr Ing Achim Kruger, May 2011

•Harte Hanks Trillium Software white paper, ‘Where is your risk? How insurers use location intelligence to manage risk and grow their business’, 2010

•Enterprise Strategy Group white paper, ‘Databases at risk’, Jon Oltsik, ESG, September 2009

•SANS Institute white paper, ’An introduction to information system risk management’, Steve Elky, May 2006

• Faiz, R.B., & Edirisinghe, E.A., ‘Decision making for predictive maintenance asset information management’, Interdisciplinary Journal of Information, Knowledge and Management, Volume 4, 2009

•Ouertani, M.Z., Parlikad, A.K., & McFarlane, D., ‘Towards an approach to select an asset information management strategy’, International Journal of Computer Science and Application, Volume 5, No. 36., 2008

•‘How much does asset information cost?’, Strategic Asset Management Issue 143, June 2004

•‘If asset managers lost control of their information, they lose control of everything’, Strategic Asset Management Issue 174, September 2005