#192 – PRODUCING RESULTS YOUR ORGANIZATION NEEDS THROUGH CONTINUOUS IMPROVEMENT – BILL COOPER

Money got tight and we weren’t getting the results we needed. We were forced to make adjustments in how we worked, and they weren’t well received. From a management perspective we needed to look at how we were performing and what we needed to improve. To do that we examined ourselves in terms of these two essential issues:

  1. Money suffocates creativity
  2. Leadership is tested by necessity

Continue reading

#192 – ISO 31000 RISK VALIDATION – NARESH RAO

ISO 31000 says in its Introduction:

Organizations of all types and sizes face internal and external factors and influences that make it uncertain whether and when they will achieve their objectives. The effect this uncertainty has on an organization’s objectives is “risk”.

All activities of an organization involve risk. Organizations manage risk by identifying it, analysing it and then evaluating whether the risk should be modified by risk treatment in order to satisfy their risk criteria. Throughout this process, they communicate and consult with stakeholders and monitor and review the risk and the controls that are modifying the risk in order to ensure that no further risk treatment is required.

Risk Framework – Life Cycle with Risk Validation

The risks that get identified are limited by what the Risk Owner’s vision can point out. Many risks remain unearthed because the “Risk Owner” may not be able to visualize them, and may also be unable to identify certain unknown risks or vulnerabilities that could cause an incident.

The initial “Risk Identification” is done by the “Risk Owners” based on:

➢ Past Experience

(Every Experience has a price to pay)

&

➢ Future Vision

(Based on the Capability and Capacity of the “Risk Owner”)

This means that Risk Management is, initially, Vision Based.

Objective > How to convert a Vision Based Risk Assessment into a Factual Based Risk Assessment?

Why ?

Well > Evidence Based Decision Making is the basic principle of Management Systems and Auditing.


Risk Evaluation

Before proceeding to understand Risk Validation, it is important to look more deeply into RISK MANAGEMENT:

a) Risk Evaluation : Generally the parameters considered in evaluating Risk are:

PROBABILITY OF OCCURRENCE & SEVERITY OF IMPACT, whose consolidated result is considered the RISK LEVEL – this Risk Level can be arrived at through a Quantitative or Qualitative methodology.

If you observe carefully, the following conclusions about Impact differ between the scenarios of Stable Assets and Moving Assets:

In Stable Assets – Probability Changes more than Severity

In Moving Assets – Severity of Impact Changes more than Probability

Examples >

STABLE ASSETS (example shown in a figure)

MOVABLE ASSETS (example shown in a figure)

In Industry, most processes run on an IT platform, and IT (Information Technology) falls under Stable Assets – thus any control implemented (to reduce the risk) reduces the Probability; an example is a Firewall on Servers. All such controls reduce the probability only: if they are breached, the Impact is the same high risk.

Impact changes generally occur in Moving Assets such as a moving machine, or in health & safety cases like a road accident (as shown above) or a person falling from a height (the impact changes based on speed or height).

Risk Mitigation Effectiveness

A) – Residual Risk Existence

Another important aspect of Risk Management is Control to reduce the risk – no matter what controls are put in place, the Risk cannot be reduced to Zero; some element of residual risk is bound to remain.

The type of investment in mitigations depends on the following, or any combination of them:

➢ Probability and / or Impact of vulnerability;

➢ Risk Appetite & Risk Tolerance;

➢ Monitoring Controls or Risk Reduction controls;

➢ Management perception of the Risk;

➢ Risk Owner’s perception of the Risk;

➢ Market influence on business;

➢ Competition perception;

➢ Risk Acceptance Criteria

The residual risk visualization / perception also drives the Risk Owner’s decision, in case the Residual Risks are not acceptable.

B) – Risk Control Effectiveness

There are two types of controls which exist: Risk Reduction Controls and Monitoring Controls (shown in a figure).

If Monitoring Controls outnumber Risk Reduction Controls in the RA – Risk Management is NOT EFFECTIVE

If Risk Reduction Controls outnumber Risk Monitoring Controls in the RA – Risk Management is EFFECTIVE

Risk Validation

After all risks are identified, mitigated & monitored – what next?

Well, there is one more objective left, which we discussed above:

Question>

– How to convert a vision based Risk Assessment into a Factual based Risk Assessment?

Answer>

– By updating the Risk Assessment after an incident occurs

Now what “Risk Owners” have to do is “Risk Validation” when an incident happens:

1) Identify the causes of the risks

2) Compare the causes of the incident to the risk assessment and update it – this is Risk Validation.

Some cautions are to be taken as below:

> Residual Risks

> Controls – Risk Reduction controls like (Server Firewall, etc.) and Monitoring Controls (like CCTV, etc.)

> Relevant Interested party not identified

> Interested party identified but not the risk or vulnerability

We need to know why the Incident occurred in the first place, in spite of the existing controls. Risk Validation shall help us understand which vulnerability in the Risk Assessment led to the incident, and whether the gap lay in:

– The Risk Management Strategy OR

– The Risk Process (criteria or evaluation or mitigation or acceptance criteria)

The KEDB (Known Error Data Base) is updated after every Risk Validation of an incident, apart from linking up to the RA for the required corrective actions. This updated KEDB is used for future reference, thus building up the knowledge base for the scope of the organization. By doing this, you are actually validating the current vision based risks against actual incidents – thus converting a vision based RA into a Factual based RA.
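As an added illustration (not part of the article), here is a small Python model of the Risk Validation step just described, together with the control-effectiveness test from section B); the register entries, incident causes and KEDB entries are constructed sample values, and the caution categories follow the article’s list.

```python
from dataclasses import dataclass

@dataclass
class Risk:
    risk_id: str
    interested_party: str
    vulnerability: str
    controls: dict          # control name -> "reduction" or "monitoring"
    residual_risk: str
    basis: str = "vision"   # becomes "factual" once an incident validates it

def control_effectiveness(register):
    """Article's test: EFFECTIVE only if risk-reduction controls outnumber
    monitoring controls across the whole risk assessment (RA)."""
    kinds = [k for r in register for k in r.controls.values()]
    return kinds.count("reduction") > kinds.count("monitoring")

def validate_risk(register, incident_causes, kedb):
    """Risk Validation: compare each (interested party, vulnerability) cause of
    an incident with the RA, mark matched risks factual, and append a finding
    to the KEDB. Returns the RA gaps the incident exposed."""
    gaps = []
    parties = {r.interested_party for r in register}
    for party, vuln in incident_causes:
        match = next((r for r in register
                      if (r.interested_party, r.vulnerability) == (party, vuln)), None)
        if match is not None:
            match.basis = "factual"
            finding = (f"{match.risk_id}: controls {sorted(match.controls)} did not "
                       f"prevent the incident; residual risk was {match.residual_risk}")
        elif party in parties:  # article's caution: party known, risk missed
            finding = "interested party identified but not the risk or vulnerability"
            gaps.append((party, vuln))
        else:                   # article's caution: party never identified
            finding = "relevant interested party not identified"
            gaps.append((party, vuln))
        kedb.append({"party": party, "vulnerability": vuln, "finding": finding})
    return gaps

# Constructed sample RA and incident causes (placeholder values, not real data).
SAMPLE_REGISTER = [
    Risk("R1", "staff", "phishing e-mail",
         {"mail filter": "reduction", "SIEM alert": "monitoring"}, "medium"),
    Risk("R2", "server admins", "unpatched server", {"IDS": "monitoring", "CCTV": "monitoring"}, "high"),
]
SAMPLE_INCIDENT = [
    ("staff", "phishing e-mail"),                # covered by R1: becomes factual
    ("server admins", "weak admin password"),    # party known, vulnerability missed
    ("cloud vendor", "exposed storage bucket"),  # party never identified in the RA
]
```

Running `validate_risk(SAMPLE_REGISTER, SAMPLE_INCIDENT, [])` converts R1 to factual and reports the two uncovered causes as gaps, while `control_effectiveness(SAMPLE_REGISTER)` is False because monitoring controls outnumber reduction controls.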

Risk Assessment – Preventive Action Vs Corrective Action

As per Annex SL, on which the new versions of most ISO Management Standards are released, the words “Preventive Action” are replaced by “Risk & Opportunities”, so there is no need for Preventive Actions;

– but when the Risk Assessment is updated based on an incident, the entire information on that specific risk (including controls & residual risks) is now converted into corrective action(s) and no longer remains preventive.

The definition of Corrective Action is “Eliminating the causes of detected non-compliance and preventing recurrence”.

Example: (Information Security)

There are three parameters of Information Security:

Confidentiality (Information is available only to authorised personnel and not to unauthorized personnel)

Integrity (Accuracy and Completeness of Information)

Availability (Information is available to authorised personnel, when required)

Note >

If Confidentiality is breached, the chances of Integrity & Availability breaches automatically increase

If Integrity is breached, the chances of Availability breaches automatically increase

If Availability is breached, then there is no risk to Confidentiality & Integrity

Hope you have gained from this white paper on RISK VALIDATION, and that it would benefit you if practiced. Requesting you to share your comments via mail to naresh@ircbo.solutions

Best Regards > Naresh RAO, Technical Director, IRCBO Solutions Pvt. Ltd., INDIA

Bio:

Started his career in banking software development in 1986, then was an entrepreneur of a textile mill. Entered Management Systems in 1993. Became an auditor with DNV (III CB) and later AQSR, RINA, KPMG, BSI and Intertek in senior positions such as Regional Manager, Head Operations, General Manager, Head Standards and Business Solutions. Also a Lead Trainer in qualifying III party auditors on risk based standards. Now running a consulting firm in all Management system standards, apart from being a III party auditor for Intertek etc., and also has his own Lead Auditor course in Business Continuity (ISO 22301:2012) and Annex A based ISMS software (ISO 27001:2013 – new product about to be released globally).

Naresh RAO,

Technical Director,
IRCBO Solutions Pvt Ltd.,
www.ircbo.solutions
mail > naresh@ircbo.solutions
mobile > +91 981182 7758


#192 – PROJECT FAILURE – THE WHAT, WHY, WHEN, HOW, WHERE, AND WHO … – MALCOLM PEART

Most are familiar with an oft referenced 1970’s observation of the all-too-true life cycle of big projects. Although written in humour it holds the main reasons for projects failing, and the phases may be mapped against Kipling’s six famous questions as follows: Continue reading

#192 – RISK 2018 AND THE MISSED OPPORTUNITIES OF 2017 – GREG CARROLL

In my 2013 book “Mastering 21st Century Enterprise Risk Management” I quipped “just as the Wild West of the 1890’s had disappeared without trace by the Roaring 1920s, so too will the business world of the 1990s be long forgotten by the 2020s”. Just 5 years on and not only has the world changed emphatically but the rate of change is accelerating. Continue reading

#191 – REAL WORLD VOLATILITY – GEARY SIKICH

Introduction

In the risk-neutral world, all business and government continuity planning would be risk-balanced. However, in reality, risks, threats, hazards and their consequences change depending on an organization’s exposure, sensitivities to impact and other factors. For instance, a natural disaster can occur without much warning and can have direct and indirect impact on an organization. Complicating the Business Continuity Planner’s life is a simple fact: events have unforeseen consequences that can rarely be planned for. Continue reading

#191 – FORGET SUPPLY CHAIN MANAGEMENT – RICK FELTENBERGER

When people discuss Supply Chain Management, there doesn’t seem to be any common understanding of what it is all about. I get it! To some, it is software and technology. To others, it is just purchasing and logistics. And still others believe that it is ‘big data’ and analytics. No wonder that eyes glaze over when the subject is mentioned. Continue reading

#191 – HOW TO TURN A STRATEGIC PLAN INTO RESULTS – GREG CARROLL

Recently I read a new 6-star hotel is opening in Australia in 2018. 6-Stars, really? I remember when a 5-star rating was synonymous with 1st Class, as opposed to 2nd Class. Now we have 0th Class. I stayed in a 6-star hotel once and couldn’t see the difference to a true 5-star hotel; in fact it wasn’t as good as the 5-star Royal Crescent Hotel in Bath UK, which I would have to say is the best hotel experience I have enjoyed (that includes The Plaza, Savoy & Peninsula). Truly sublime. So if ISO 31000 is the 5-star of the GRC field, what would be 6-stars? I would put that as being Strategic Management; it’s what turns the Plan into reality. Continue reading

#191 – INTELLECTUAL ABUSE: A NEW PROBLEM IN THE WORKPLACE – MALCOLM PEART

In the workplace we have identified and attempted to eradicate racial and gender discrimination, sexual harassment and bullying. We now battle age discrimination in our aging society in a (supposedly) increasingly politically correct world. However, our intellects are also being abused as individuals find increasing ways to breach the bounds of reasonable behavior and put our sanity and dignity at risk. Continue reading

#190 – WALKING ON SHIFTING SANDS IN THE AGE OF UNCERTAINTY – GEARY SIKICH

“To do something very dangerous takes a certain lack of imagination”
– Anonymous

Introduction

Governments and companies worldwide are emerging from the current financial crisis and subsequent recession.  While governments are crafting new regulations, businesses around the world are walking in shifting sand as risk exposures are high and new regulations will create compliance challenges.  According to a recent survey by Korn/Ferry International, corporate leaders are focusing more attention on risk management after what is considered by many to be excessive risk-taking during the boom times that factored into the global financial crisis. Continue reading

#190 – FEDERAL HIGHWAY ADMINISTRATION RISK BASED ASSET MANAGEMENT – JAMES KLINE PH.D.

Introduction

The 2012 Moving Ahead for Progress in the 21st Century Transportation Act (MAP 21) requires state departments of transportation to develop a Transportation Asset Management Plan (TAMP). The TAMP is to include a Risk Based Asset Management Plan (RBAMP). The two plans must be certified by the Federal Highway Administration (FHWA) by June 30, 2019. Continue reading