Panel Moderator: Diana McClure, IBHS Business Resiliency Program Manager. Panelists: Tim Lovell, Executive Director, Tulsa Partners; Paul Ford, Director of Safety and Security, Tampa General Hospital; and Carol Fox, Director, Strategic and Enterprise Risk Practice, RIMS.
IBHS Annual Conference November 17, 2010
Carol Fox, RIMS
Agenda
• Enterprise risk management (ERM): evolution; alignment with functional areas; alignment with standards
• ERM maturity model approach to resilience
• Resilience in the real world
• Questions
© 2010 Risk and Insurance Management Society, Inc. All rights reserved.
Evolution in Approach

Traditional / Defensive
• Silo, ad hoc approach
• Focus on transferring risks
• Protect balance sheet through insurance, hedging, indemnifications
• Hazard based; pure risk (only loss, no gain)
• Not linked to corporate strategy

Integrated / Advanced
• Business risk approach
• Mitigate controllable risks: prevent, reduce frequency, reduce severity
• Focus on lowering insurance costs and retained losses
• Collaborative cross-silo interactions
• Linked to corporate strategy through event risks and financial objectives

ERM
• Portfolio approach
• Risk-based business decisions across the organization
• Address potentially devastating threats and weaknesses
• Exploit opportunities and strengths
• Manage unwanted variations from expected outcomes
• Integrated into strategic planning, operational planning, and day-to-day activities
Alignment with Functional Areas (organization chart; illustration purposes only)

Board of Directors; Executive Management Team; Executive Sponsors: CFO and CLO.

Risk management functional areas, each with identified risk owners who report to the functional lead:
• Business Units / Lines of Business
• Human Resources
• Risk Management* (Senior Director, Risk Management; SVP, Controller / Treasurer)
• Business Continuity (3 Certified BC Planning Managers)
• Privacy and Security (CLO; Privacy and Security Office)
• Internal Audit
• Compliance (CLO; Chief Compliance Officer)
• IT Risk Management (CIO; Director)
* ERM program lead

Top five risks – executive management oversight and risk reporting frequency: risks 1 and 5 reported monthly; risks 2, 3 and 4 quarterly.
Standards Alignment with ERM

Standards and frameworks are arranged by level (tools, guidelines, requirements, terminology, framework) and by domain (risk, quality, technology, environmental, safety), with the ISO 31000 principles at the center:
ISO GUIDE 73; ISO 14001; ISO/IEC 27001; ISO/IEC 15408; OHSAS 18001; ISO 31010; NFPA 101; NFPA 75; ANSI/ASHRAE 62; HB 436; AS/NZS 4360; ISO 9001; ISO GUIDE 14050; ISO/IEC 27002; ISO 10005; CSA Q850; SAQ ONR 49001; AFNOR CN FD_X50-252; ISO 31000 principles.
Mitigate or Exploit

Risk controls: adhering to risk management policies on risk tolerance, risk authorities, etc. Controls assessment: measure uncertainties / deviations from plan; root cause analyses.

Common risks and the matching management control options:
• Business Disruption – Business Continuity Management
• Environmental – Environmental Management
• Execution Failure – Quality Assurance / Project Management
• Theft / Geopolitical – Physical Security Management
• Data Breach – Privacy / Information Security Management
• Regulatory – Compliance Program Management
• IT Infrastructure – IT Risk Management
• Financial Risks – Financial Risk Management

ERM aligned with recognized standards: ISO 9001, ISO/IEC 27001, ISO 14001, ISO 28000, ISO 31010, ANSI / NFPA 1600.
ERM Maturity Model Approach to Resilience

Business Resiliency and Sustainability using RIMS Risk Maturity Model© – the degree of business ownership and planning …
• Nonexistent: Limited to IT infrastructure orientation.
• Ad hoc: Focused on infrastructure rather than business. Reactive.
• Initial: Incorporates resiliency in each process, in addition to mitigation through disaster recovery.
• Repeatable: Business models include resiliency and sustainability aspects, such as geography, disruptive technology, competitors, etc.
• Managed: Comprehensive. Considers internal and external contexts / relationships. Focused on operational objectives, outcomes and delivering value. Visible at board level.
• Leadership: Framed within the context of service continuity to all stakeholders. Dynamic and evolving system. Sustainability derived from continual adaptation. Interwoven with strategy and strategic objectives.
Business continuity program structure (diagram):
• Leadership; BCP policy and program structure
• Emergency response, management and logistics
• Incident management: communications, procedures, tools
• Disaster recovery plans address immediate needs: people, business operations, technology
• Scope: health & safety (employees, public); property (facilities, infrastructure, environment); network; processes; information systems; product / services delivery; regulatory / contract compliance
• Lifecycle: planning, prevention, preparedness, recovery, restoration
• Training, exercise and testing = corrective actions / continuous process improvement
Building Resilience in the Real World

Resilience at Work: Typhoon Ketsana / Ondoy
• Storm monitoring gave advance warning
• All seven sites continued operations
• Personal impact to employees
• Rerouted calls to other sites
• "Business as usual" next day
Carol Fox
Director of Strategic and Enterprise Risk Practice
Questions? Contact:
www.rims.org
Referenced Recognized Standards
• ISO 31000:2009 Risk Management – Principles and Guidelines
• AS/NZS 4360:2004 Risk Management, Australian/New Zealand Standard
• ISO GUIDE 73:2009 Risk Management – Vocabulary
• HB 436:2004 Risk Management Guidelines: a Companion to AS/NZS 4360:2004
• ISO 31010:2009 Risk Management – Risk Assessment
• NFPA 101:2009 Life Safety Code®
• ANSI/ASHRAE 62.1-2007 Standard on Ventilation for Acceptable Indoor Air Quality
• OHSAS 18001:2007 Occupational Health and Safety
• ISO 9001:2008 Quality Management Systems – Requirements
• NFPA 75:2009 Standard for the Protection of Information Technology Equipment
• ISO/IEC 27001:2005 Information Security Management Systems – Requirements
• ISO/IEC 27002:2005 Information Technology – Code of Practice
• ISO/IEC 15408:2005/2008 (3 parts) Evaluation Criteria for IT Security
• ISO 14001:2004 Environmental Management Systems – Requirements
• ISO 14050:2009 Environmental – Vocabulary
• CSA Q850-10 Risk Management – Implementation of CAN/CSA-ISO 31000
• ISO 10005:2005 Quality Management Systems – Guidelines for Quality Plans
• ISO 28000:2007 Security Management Systems for the Supply Chain
• ANSI / ASIS SPC.1:2009 Organizational Resilience: Security Preparedness, and Continuity Management Systems – Requirements with Guidance for Use
• A 988-bed tertiary hospital serving 14 counties with a population in excess of 4 million in West Central Florida.
• The primary teaching affiliate for USF's College of Medicine.
• Region's only Level I Trauma Center.
• Region's only Burn Center.
• Tier 1 Hospital for the Regional Domestic Security Task Force.
• Primary receiving hospital for Tampa Bay Metropolitan Medical Response System.
• A leading organ transplant center.
• State-certified comprehensive stroke center.
• Region's leading safety net hospital.
Hurricanes – Emergency Management – Hazard Vulnerability Analysis 2009-2010

Scoring: Probability (event has occurred 4, high 3, med 2, low 1) + Risk (to life 5, to health 4, major disruption 3, med disruption 2, low disruption 1) + Preparation level (poor 3, fair 2, good 1) = Score (sc). P is assigned to the top-scoring events. An asterisk (*) marks an event whose plan is currently being reviewed.

Type / Event                      Prob  Risk  Prep  Score  P
Mass Casualty in region             2     5     2     9    3
Anthropological
MC-Terrorism-chm/nuc/rad            1     5     2     8
MC-Terrorism-biological             2     4     2     8
MC-Explosion-external               3     5     1     9
Bomb threat                         2     3     3     8
Hostage situation *                 2     5     2     9    3
Mass Migration                      1     3     2     6
Schools Closed                      4     3     1     8
Civil disturbance                   2     1     1     4
VIP-situation                       4     1     1     6
Infant abduction *                  3     4     2     9    3
Labor action                        2     1     3     6
Internal violence *                 4     5     2    11    1
Suicide                             4     5     2    11    1
Internal chemical spill *           4     4           8         (only two factors shown in the source)
Coastal oil spill                   2     3     3     8
Gas release at port *               1     5     3     9    3
Accident blocking bridge            4     2     1     7
Natural
Hurricane                           3     5     2    10    2
Tornado *                           3     5     2    10    3
Severe thunderstorm                 4     1     1     6
Earthquake                          1     5     3     9    3
Epidemic                            4     4     2    10    1
Ice                                 1     3     3     7
Flooding                            3     3     1     7
Temperature extreme                 1     1     3     5
Drought                             3     1     1     5
Wild fires                          4     1     1     6
Fire, Internal                      4     5     1    10    2
Hazard Vulnerability Analysis
Emergency Management Committee with our partners: recognize and analyze our risks (HVA).
Annual Update to the Citizens Advisory Committee on Mitigation Activities – Hazard Mitigation Grant Program 2005 Submittals
• Met with Local Mitigation Strategy Representatives – County, Cities, SWFWMD, Hospitals, etc.
• Initial list submitted by reps in October 2004 – approximately 30 projects
• List refined for funding constraints (January – April 2004) – approximately 15 projects
• Final submittal May 2nd, 2005 – 7 projects
• Final projects submitted: Duck Pond Area Flood Protection (City of Tampa and County); Tampa General Wind Retrofit; Plant City Retrofits (Fire and Police Stations)
Presented by the Hillsborough County Building Services Division, Hazard Mitigation Section, August 26, 2005
Mitigation and Preparation Efforts
• Hurricane Mitigation
  • Window Shields
  • Electrical / Red Outlets
  • A/C
  • Suction
  • Medical Gas – Air and Oxygen
  • Boiler
  • Roofs
  • Louvers
• Patient relocation plans
• Helo landing on garage
• Flooding protection (Sub doors)
• Security weapons
Mass Casualty Preparedness
Treatment surge capacity:
• 60 Exam Rooms; double headwall: + 60 = 120
• 6 Trauma Bays; double gas booms: + 6 = 12
• 6 Behavioral Exam Rooms
• Surge Cabinets = 71
• Total surge capacity is 200+
• Triage at surge
Incremental Costs
• Size of ED is approximately 65,000 sq. ft.
• ED construction cost approximately $24,000,000
• Approximate cost per square foot of $374
• Incremental costs for isolation pod HVAC $50,000
• Incremental costs for surge capacity headwalls $355,000
• Dual headwalls in each treatment room $450,000
• Decontamination facilities and storage $15,000
• Additional costs per square foot for ER One concepts were approximately $13.40 a square foot
Intangible Benefits
• Free publicity
• Improvement of reputation
• Employee pride
• Community pride
• Sleeping better at night
Community Resilience in the Real World
IBHS Conference
November 17, 2010
Tim Lovell
Executive Director
Tulsa Partners, Inc.
Background
Community Partnerships – Local and State
• Chambers of Commerce
• State/County/Local Gov.
• Corporate entities
• Nonprofit entities
Community Partnerships – From National to Local
Community Partnerships and the Insurance Industry
Structural and Nonstructural Mitigation
• Community Emergency Response and Hazard Mitigation Processes
• Employee Preparedness
• Millennium Center
• Workshops
Open for Business® Training
Tulsa Partners, Inc.
Questions?
Tim Lovell
Executive Director
Tulsa Partners, Inc.
www.tulsapartners.org
918-632-0044