Scottish Federation of Housing Associations
Finance Staff Forum
February 2006
A bit of background!
Offrisk Consulting established in 2002 – based in Glasgow
Specific remit to assist and advise Scottish organisations
Many clients in the public and private sector
Two main areas of interest:
o Corporate Risk Governance: Balanced RiskCard
o Business Continuity: RecoveryFlow
Do we have to do risk management?
ensure we have a fully embedded system of
internal control that identifies significant operational risks
to the achievement of our plans, aims and objectives,
evaluates the nature and extent of those risks and
manages them efficiently, effectively and economically.
…….. good corporate governance
What is risk?
‘a future uncertain event that
could influence (positively & negatively) the
achievement of operational and strategic objectives
and statutory obligations’
Event Consequence Impact Objective?
How much of this do I have to do?
obsessed managing unaware
threat or opportunity
shocks and crises or innovation and change
Managing risk to add value
Over control stifles value creation
Exposed and destroying value
Performance: low to high
Goal is achievement of objectives, not process driven assessment!
Remember, the assessment work must be proportionate to gains!
Balanced Riskcard
What could stop the Business Plan this year?
Processes
Are we organised as well as we could be?
Learning & Growth
Are we developing our people and organisation for the future?
Deliverables
Are we delivering what our clients expect?
Resources
How well are we planning and managing our resources?
Business Planning
risks can deter accomplishment
performance measurement
manage the risks out
excel at the provision of high quality service
contribute to stakeholder confidence
Balanced & SMART objectives
Processes
• Procurement
• SOPs and ISO
• Interaction with Partners
Building for the future
• Personnel
• Training
Deliverables
• Effectiveness
• Policy
• Reputation
Resources
• Budget control
• Staffing levels
• Infrastructure
Service Capability
External Impact
Internal Process Standards
People Issues
Keeping it simple and clear
o Integrating risk & performance management with clear objectives
Risk Identification against scorecard objectives
Risk Assessment
Decide Action: Control, Mitigate or Transfer
Monitor risks, controls and actions
Balanced Riskcard Review
Control Strategies
Risk Assessment
Impact
Likelihood
Controls
• Management
• Policies and procedures
• Contingency plans
• Controls
Event Consequence Impact Objective?
Accident causation & controls
Adapted from the work of James Reason
Other holes due to latent conditions (e.g. faulty equipment, lack of training)
Successive layers of defences, barriers and safeguards
Some holes due to active failures (e.g. mistakes, procedural violations)
Balanced RiskCard
[Figure: four quadrants, each with Impact and Probability axes]
Service Capability
People issues
Internal processes
External impact
Business Continuity Management
o “…………... is about the development, implementation and maintenance of an action orientated process which responds to:
o an emergency incident impacting operations
o the issues & implications arising – crisis management
o recovery of the business ………………..”
…… the value is in the planning …….
….. protecting enterprise value
Emergency Response
0 hrs 3 to 4 hrs Day 2 Day 4 Weeks Months
Crisis Management
Process Recovery
A management process
Service Service
Understanding the business risks and process priorities
Developing realistic continuity and resumption strategies
Risk mitigation and continuity response actions
Embedding service continuity culture and confidence in the Plan
Maintenance
Rehearsing the people
Exercising the Plan
BCM
What if this happened?
The Business Continuity Plan
Escalation procedure to inform / call out:
Emergency Response Team
o Ensure life and safety
o Emergency Authority Liaison
o Assess situation – fix the hazard
o Inform management decisions
Red Pack – 0 to 2 hours critical 24/7/365
Process Recovery
o Practical action steps for each function
o Reflection of agreed recovery strategy
o Prioritised post loss requirements
Green Pack – day 2 for as necessary
Practical and flowcharted RecoveryFlow over a timeline!
Senior Management
o A critical turning point in a major incident
o Impacting the organisation’s viability
o Who needs to know inc. press & media
o Issues and implications
Yellow Pack – ASAP up to 3 days
What is an Emergency?
A serious situation or occurrence
that happens unexpectedly and
demands immediate action and
more than usual resources.
Emergency Response – Red Pack
o Location specific
o Emergency Response Team – 24/7/365
o Capability and authority
o Expertise and responsible
o Agreed procedures – make safe
o Eyes and ears for the Directors
o Liaison with statutory authorities
o Fix the hazard and set up the recovery phase
KLP:
o ERT to become easily identifiable within the organisation
o With clearly defined roles and responsibilities
o The Plan must be easily understood
What is a Crisis?
“A crisis is a decisive moment or turning point event
that by fact or by perception
has the sustained potential
to seriously affect service delivery
as seen by our customers and the reputation of the Association”
Crisis Management – Yellow Pack
o Directors
o Issues and implications
o Communication
o Stakeholders – how do others see us?
o Press and media – not marketing!
o Specific attention to staff and relatives?
KLP:
o Do we appreciate the subtle difference between emergency response and crisis management?
o Not all of the Association may be affected!
Process Recovery – Green Pack
Where the rubber touches the road!
o Not generic
o The hardest part but the most satisfying
o Process specific - cognisant of agreed recovery strategies
o Use of alternative facilities
o Post loss resources
o Not able necessarily to recover all processes immediately
o Planning should be about end to end processing
KLP:
o Do individual managers understand their part in the Plan
o Don’t be frightened to test the Plan’s assumptions!
Staff Rehearsal and Plan Exercising
Plan must be kept up to date
o Planned maintenance – contacts and changes in processes
o Controlled document
Prove it
o Escalation procedure – weekend call out
o Desk top – review against scenario
o Simulation – concentrated days in short time
o Disaster scenario – real time and real event exercise
KLP:
o Meaningful rehearsal of roles
o Walk through against a realistic scenario will be useful
Summary of what will be in our Plan:
o Easy to use and realistic
o Understood at all levels within the organisation
o Based on strong recovery strategies
o Emergency procedures – Management of Work Place Regs
o Corporate Governance, Auditor and Insurer expectation?
o Will tell me what to do – wise guidance
o Evidence of controlled document review
o Regular and effective maintenance and exercising
Graham E Offord, FIRM, MBCI, MCIBS
0141 563 9747
Questions and Answers