ISO/IEC 17025:2017 RISK MANAGEMENT

By: SIRIM STS Sdn Bhd


AGENDA

TIME        | ACTIVITIES                                                                 | ACTIVITIES
0900 – 1015 | Introduction to Risk Management; Risk-Based Thinking in ISO/IEC 17025:2017 | Risk Management Process: Risk Identification (Exercise 2)
1015 – 1030 | Break                                                                      | Break
1030 – 1300 | Risk Management Based on ISO 31000:2018 Principles and Framework           | Risk Management Process: Risk Analysis and Evaluation (Exercise 3)
1300 – 1400 | Lunch Break                                                                | Lunch Break
1400 – 1530 | Risk Management Process: Establish Context (Exercise 1)                    | Risk Management Process: Risk Treatment (Exercise 4); Presentation
1530 – 1545 | Break                                                                      | Break
1545 – 1700 | Presentation                                                               | Risk Management Procedure

COURSE OBJECTIVE
• to explain risk-based thinking in ISO/IEC 17025
• to explain the risk management process:
  - Establish context
  - Risk identification
  - Risk analysis and evaluation
  - Risk treatment
  - Monitoring and review

What do we know about RM? RM is part of our everyday lives:
• Crossing the road – risk of getting run over
• Managing our finances – risk of going broke
• Purchase of insurance – risk of fire, theft, storm
• Choosing to smoke – risk of cancer
• Going for a swim – risk of drowning

• The choices we make in choosing to accept these risks are part of who we are.

Understanding Risk Management: Risk is around us…

Risk arises from uncertainties that can deflect us from our goals. Risks are to be managed: "no risk, no gain".

DEFINITION OF RISK
3.1 Risk – effect of uncertainty on objectives
Note 1: An effect is a deviation from the expected. It can be positive, negative or both, and can address, create or result in opportunities and threats.
Note 2: Objectives can have different aspects and categories (such as financial, health and safety, and environmental goals) and can apply at different levels (such as strategic, organization-wide, project, product and process).
Note 3: Risk is usually expressed in terms of risk sources (3.4), potential events (3.5), their consequences (3.6) and their likelihood (3.7).
(Source: ISO 31000)

DEFINITION OF RISK MANAGEMENT
• Coordinated activities to direct and control an organization with regard to risk. (Adapted from ISO 31000:2018, Risk management – Guidelines)
• Risk management comprises a framework and process that enable an organization to manage uncertainty in a systemic, effective, efficient and systematic way from strategic, programme, project and operational perspectives, as well as supporting continual improvement. (BSI British Standard BS 31100:2008, Risk management – Code of practice)

What is risk management?

Figure: Risk 1, Risk 2, Risk 3 … Risk n are managed (policy, resources, communication, risk assessment, reporting, monitoring & review) by reducing, transferring, eliminating or accepting each risk, in order to achieve the objective.

RISK ASSESSMENT PROCESS

Identify → Analyze → Evaluate

A COHERENT SET OF STANDARDS
• ISO 31000:2018 "Risk management – Guidelines" (the 2009 edition was titled "Principles and guidelines")
• ISO Guide 73 "Risk management – Vocabulary"
• ISO/IEC 31010 "Risk management – Risk assessment techniques"
• HB 327:2010 "Communicating and consulting about risk"
• AS/NZS 5050:2010 "Business continuity – Managing disruption-related risk"
• HB 266:2010 "Guide for managing risk in not-for-profit organisations"
• ISO/IEC 27005 "Information security risk management"

WHY RISK MANAGEMENT? LIFE IS FULL OF UNCERTAINTIES

Risk management reduces uncertainty in order to:
 increase the likelihood of achieving the objectives,
 improve the identification of opportunities and threats, and
 effectively allocate and use resources for risk treatment.

Understanding Risk Management: Why Manage Risk

Compliance: in compliance with ISO/IEC 17025:2017
• Minimize threats and maximize opportunities
• Reduce operational surprises and losses
• Resources are rationalized
• Less management time spent on fire-fighting

Understanding Risk Management: Consequences of Improper Risk Management

In today's world, organisations cannot afford to be caught "off guard" by unexpected events that can cause:
• Physical damage
• Loss of reputation
• Potential legal suits
• Fatalities and major injuries
• Operational losses
• Non-compliance with regulatory requirements

Risk Management FOR ISO/IEC 17025:2017 Based On ISO 31000:2018


Understanding Risk Management: ISO/IEC 17025:2017

OBJECTIVES / WHAT TO COMPLY WITH

8.5 Actions to address risks and opportunities (Option A)

8.5.1 The laboratory shall consider the risks and opportunities associated with the laboratory activities in order to:
a) give assurance that the management system achieves its intended results;
b) enhance opportunities to achieve the purpose and objectives of the laboratory;
c) prevent, or reduce, undesired impacts and potential failures in the laboratory activities;
d) achieve improvement.

8.5.2 The laboratory shall plan:
a) actions to address these risks and opportunities;
b) how to:
   1) integrate and implement these actions into its management system;
   2) evaluate the effectiveness of these actions.

8.5.3 Actions taken to address risks and opportunities shall be proportionate to the potential impact on the validity of laboratory results.

Source: ISO/IEC 17025:2017

RISK IN ISO/IEC 17025:2017 CLAUSES

Clause 4.1.4 – The laboratory shall identify risks to its impartiality on an on-going basis. This shall include those risks that arise from its activities, or from its relationships, or from the relationships of its personnel. However, such relationships do not necessarily present a laboratory with a risk to impartiality.

Clause 4.1.5 – If a risk to impartiality is identified, the laboratory shall be able to demonstrate how it eliminates or minimizes such risk.

Clause 7.8.6.1 – When a statement of conformity to a specification or standard is provided, the laboratory shall document the decision rule employed, taking into account the level of risk (such as false accept and false reject and statistical assumptions) associated with the decision rule employed, and apply the decision rule.

Clause 7.10.1 b) – Actions (including halting or repeating of work and withholding of reports, as necessary) are based upon the risk levels established by the laboratory.

Clause 8.7.1 e) – Update risks and opportunities determined during planning, if necessary.

Clause 8.9.2 a) – Management review input: changes in internal and external issues that are relevant to the laboratory.

Clause 8.9.2 m) – Management review input: results of risk identification.

Figure: Operational processes of a laboratory

ISO 31000:2018 AND ISO/IEC 17025:2017 INTEGRATION

Figure: the ISO 31000:2018 process steps (communication & consultation (6.2); establishing the context (6.3); risk assessment (6.4), comprising risk identification (6.4.2), risk analysis (6.4.3) and risk evaluation (6.4.4); risk treatment (6.5); monitoring and review (6.6); recording & reporting (6.7)) mapped onto ISO/IEC 17025:2017 clauses 5.7, 8.5.1, 8.5.2, 8.5.3, 8.7 and 8.9.2 (legend: ISO 31000 clause / ISO/IEC 17025 clause). Risk assessment (6.4) is labelled with 8.5.1 and 8.5.2.

ISO 31000:2018 - STRUCTURE

Figure: structure of ISO 31000:2018

RISK MANAGEMENT FRAMEWORK
• To ensure the organization integrates risk management into its significant activities and functions.
• The effectiveness of risk management depends on its integration into the governance of the organization, including decision making.
• Requires support from stakeholders, in particular top management.

INTEGRATION INTO ORGANIZATIONAL PROCESSES
• Risk management should be embedded in, and not separated from, organizational practices and processes
• Especially policy development, strategic planning and change management
• A risk management plan ensures:
  - implementation of the risk management policy
  - risk management is embedded in all practices and processes

EXAMPLES OF TECHNIQUES
 Hazard Identification, Risk Assessment and Determining Control (HIRADC)
 Hazard and Operability Study (HAZOP)
 Hazard Analysis and Critical Control Points (HACCP)
 Aspect and Impact – ISO 14001
 Hazard Analysis – OHSAS 18001
 Fault Tree Analysis (FTA)
 Failure Mode and Effects Analysis (FMEA)

Risk Management Process

Figure: inputs to 8.5 Actions to address risks and opportunities: understanding the organisation and its context; understanding the needs and expectations of interested parties.

RISK REGISTER FORMAT
• The document used to record the risk management process for identified risks.
• The risk register covers the significant risks facing the organization or project.
• It records the results of the risk assessment related to the process, operation, location, business unit or project under consideration.

RISK ASSESSMENT FORMAT

Header: Location; Dept.; Prepared by / Date; Checked by / Date; Approved by / Date; Review Date.

Columns:
1. Risk Identification: No.; Risk category; Process; Risks; Cause
2. Risk Analysis and Evaluation: Effect; Current Risk Control; Likelihood; Severity; Risk Rating
3. Risk Control: Recommended Action / Additional Control; Status; PIC (Due Date / Status)

Risk Management Process

RISK MANAGEMENT PROCESS (ISO 31000:2018, clause 6)

Figure: communication & consultation (6.2) and monitoring & review (6.6) run alongside every step:
- Establishing the context (6.3)
- Risk assessment (6.4): risk identification (6.4.2) → risk analysis (6.4.3) → risk evaluation (6.4.4)
- Risk treatment (6.5)
- Recording & reporting (6.7)

Establish Context

Establishing the context means defining the external and internal parameters to be taken into account when managing risk, and setting the scope and the risk criteria for the risk management policy. (Source: ISO 31000)

4.1 Understanding the organization and its context
The organization shall determine the external and internal issues that are relevant to its purpose and its strategic direction and that affect its ability to achieve the intended results of its quality management system.
i. Issues can include positive and negative factors or conditions for consideration.
ii. Understanding the external context can be facilitated by considering issues arising from the legal, technological, competitive, market, cultural, social and economic environments, whether international, national, regional or local.
iii. Understanding the internal context can be facilitated by considering issues related to the values, culture, knowledge and performance of the organization.

4.2 Understanding the needs and expectations of interested parties
Due to their effect or potential effect on the organization's ability to consistently provide products and services that meet customer and applicable statutory and regulatory requirements, the organization shall determine:
i. the interested parties that are relevant to the quality management system;
ii. the requirements of these interested parties that are relevant to the quality management system.
The organization shall monitor and review information about these interested parties and their relevant requirements.

Source: MS ISO 9001:2015

SOURCES OF RISKS

INTERNAL (resources and processes): inadequate internal controls; human error (incompetence, inexperience, corruption); IT failure; inadequate human resources; operational risks; legal risks.

EXTERNAL: political risk; country risk; market risk; currency risk; interest rate risk; counterparty risk; credit or default risk; environmental risk.

RELATION BETWEEN STRATEGY, OBJECTIVES AND RISK MANAGEMENT

Figure: SWOT analysis → objectives → strategies → identify risks → analysis → action / mitigation plan.

RISK AND STRATEGIC ISSUES

Division / Region / Dept.: __________________________   Date: _________________

Column guidance:
- STRATEGIC DIRECTION [KPI 2018]
- CATEGORY OF ISSUES (INTERNAL / EXTERNAL), by P.E.S.T.E.L.
- STRATEGIC ISSUES [issues impacting the organization's strategic direction]
- INTERESTED PARTIES INVOLVED [issues that may affect, or potentially affect, requirements from interested parties]
- RISK [specific risk] (*a specific risk shall be registered in the Risk Management Template; it can be Enterprise Risk Management or Operational Risk Management)
- OPPORTUNITIES [specific opportunities]

No. 1
- Strategic direction: Revenue and new project launched (Project LINAS on testing of waste water analysis)
- Category: Economic
- Strategic issue: Losing a potential number of businesses for full commercialization because the testing method is obsolete and not marketable.
- Interested parties: 1. Material Testing Lab & Microbiological Lab; 2. Customer; 3. Rating Agency of Malaysia
- Risk: Decreasing and fluctuating revenue
- Opportunity: Maximize testing scope and competitive pricing

No. 2
- Strategic direction: 1. Land matters; 2. Timely completion of the divisional risk programme (new laboratory legislation requirements); 3. OSHE compliance
- Category: Legal
- Strategic issues: 1. Non-compliance with applicable statutory bodies, government agencies and local authorities; 2. Potential breach of contract between parties.
- Interested parties: 1. Solicitor / government agencies; 2. Customer (external); 3. External provider; 4. Own management committee; 5. Own group & subsidiaries
- Risk: Potential penalty or lawsuit
- Opportunity: 100% compliance with applicable statutory requirements

EXTERNAL CONTEXT (EXAMPLE)

Category: Legal/Regulatory
- Issue: New standard ISO/IEC 17025:2017
- Interested parties: SFM lab; top management; lab client; lab employee; Standards Malaysia
- Risk: Delay in accreditation
- Opportunities: improve our management system; gain knowledge

Category: Technology
- Issue: SmartiLab
- Interested parties: staff; customer; IT Department
- Risk: Delay in registering and reporting the result
- Opportunities: more systematic; traceability

Category: Technology
- Issue: New equipment for Protein Distillation 8400 Analyzer
- Interested parties: chemist; supplier
- Risks: High maintenance cost; chemist unfamiliar with the equipment
- Opportunities: exposure to up-to-date technology; save working time; submit testing report to customer on time

Category: Economic
- Issue: Minimum wage
- Interested parties: PCR officer; worker; HR department; labour supply agency
- Risk: Increase of minimum wage for cleaners
- Opportunities: no shortage of manpower; satisfaction with routine work

Group Exercise

Establish Context

1. External context includes all external environment parameters and factors that influence how an organization manages risk and tries to achieve its objectives. What are the examples of external context?

2. Internal context includes all internal environment parameters and factors that influence how an organization manages risk and tries to achieve its objectives. What are the examples of internal context?


Figure: 4.2 Understanding the needs and expectations of interested parties (ISO 9001:2015). Interested parties (customers, communities, suppliers, regulators, NGOs, investors, employees) have needs and expectations (requirements), including relevant statutory and regulatory requirements; the organization monitors and reviews them.

4.2 Understanding the needs and expectations of interested parties (ISO 9001:2015)

No. 1 – Interested parties: local government authorities such as
• Ministry of Human Resources: Department of Occupational Safety and Health; Human Resource Development Fund
• Feed Act 2009 – Federal Government Gazette, Feed (Prohibited Antibiotics, Hormones and Other Chemicals) Regulations 2012
• Ministry of Health: Food Act 1983 and Food Regulations, Malaysia
Needs and expectations: compliance with statutory and regulatory requirements; employee welfare; a conducive and safe work environment; no fines or penalties.

No. 2 – Interested parties: product and system certification bodies and accreditation bodies, e.g. SIRIM, SGS (Thailand), SGS (Malaysia), DOF, DVS, SAMM, etc.
Needs and expectations: Assess conformity of the company against the

Risk Identification

RISK MANAGEMENT PROCESS (ISO 31000:2018, clause 6): communication & consultation (6.2); establishing the context (6.3); risk assessment (6.4) = risk identification (6.4.2), risk analysis (6.4.3), risk evaluation (6.4.4); risk treatment (6.5); monitoring and review (6.6); recording & reporting (6.7).

TYPES OF RISKS (RISK CATEGORY)

Political; Financial; Operation; Manpower; Information; Strategy; Stakeholder

The risk categories chosen as input parameters for risk identification must reflect the established context that influences achievement of the objective.

EXAMPLES OF RISKS

Category – Definition
- Political – Risks associated with changes in national leadership, stability and changes of leadership.
- Legal – Risks related to national legislation, contracts, MOUs, procedures and policies.
- Operation – Risks associated with work that cannot be completed on time.
- Financial – Risks associated with financial management, transfers, fraud, etc.
- Manpower – Risks associated with the ability of the workforce, motivation to perform work, high labour turnover, skills shortages, high costs, injury.
- Information – Risks associated with the resulting information being inaccurate, incomplete, inappropriate or out of date.
- Strategy – Risks associated with strategy or policy failures or mistakes.
- Stakeholder – Risks related to failure to meet the requirements of stakeholders.
- Technology – Risks associated with technology infrastructure that is incompatible with the objectives of the business, or with its integrity, relevance, data security and business continuity.
- Organization – Risks associated with the organizational structure, accountability and responsibility, which may disturb the communication needed to achieve business objectives.

Structure of Risk (Example)

Figure: risk breakdown for the objective "To complete project on time", grouped under the categories Financial, Operation, Legal and Political. Sub-risks shown: lack of funding, liquidity, loss of market, not complete on time, lack of resources, low quality, fraud, defect, interest rate, high cost, tax policy, legal change, political stability, not flexible, employment law, tariff, increase in tax, non-compliance.

Some common laboratory errors
 label error
 lost sample
 sample delayed in transit
 contaminated samples
 wrong test performed
 test performed inconsistent with the written procedure
 proficiency testing error
 no action on out-of-range controls
 false negative result
 late reports
 missing reports
 complaints
 laboratory accident / "near miss"

Common causes of error
 equipment not properly maintained
 QC not performed
 test kits not stored properly
 individual responsibilities unclear
 transcription errors
 checks not done
 no written procedures
 written procedures not followed
 training not done or not completed

Process Risk Management: Risk Identification

Do you know your risk? Describe the risk!
• Identify the key process
• Identify the objective of the key process
• What is the risk and how does it affect the process?
• Who owns the risk?
• What are the root causes of the risk?
• What are the consequences of the risk?

Process Risk Management: Risk Identification (for illustration only)

CORE PROCESS: Equipment provision → equipment operation → equipment maintenance → equipment disposal
CORE PROCESS OBJECTIVE: Minimize equipment downtime and control maintenance costs
RISK: Poor equipment maintenance
ROOT CAUSES: Non-compliance with the equipment maintenance SOP; incompetent maintenance people
CONSEQUENCES: Frequent equipment breakdown; increase in equipment maintenance cost

Process Risk Management: Risk Identification – Examples of Process Risk

PROCESS: Equipment Maintenance
PROCESS OBJECTIVE: Minimize equipment downtime, increase operator / user / analyst satisfaction and control fleet maintenance costs
RISK: Poor equipment maintenance
ROOT CAUSES:
  RC1 – Non-compliance with the equipment maintenance SOP
  RC2 – Incompetent people
CONSEQUENCES:
  C1 – Frequent equipment breakdown
  C2 – Increase in equipment maintenance costs

GF/GBA-RCCM/PRA/FM – Form: Process Risk Assessment – Version 2.0 – Date: 01/11/16

Division/Unit: [Division Name / Unit Name]      Date Review: [DD/MM/YYYY]
Core Process Name: [Core Process Name]          Reviewed By: [Control Owner Name]
Process Owner: [Process Owner Name]             Date Created: [DD/MM/YYYY]

Risk Identification
- Category: [enter the risk category]
- Activity: [determine the activity in the core process that addresses the risk & opportunities]
- Specific Risk: [type of risk]

Risk Analysis & Evaluation
- Root Causes: [detection of the risk trigger in core processes]
- Consequences: [effect if the risk occurs]
- Existing Control: [determine the action already implemented to control the risk]
- Likelihood & Justification: [level of probability that the risk occurs, with justification] *refer to Risk Appetite
- Impact & Justification: [level of consequences if the risk occurs, with justification] *refer to Risk Appetite

Risk Treatment
- Risk Rating: [level of risk] *refer to Risk Appetite
- Additional Control: [list the additional key controls required to control the risk / for improvement] *if needed
- Control Owner / Due Date: [person responsible for monitoring and evaluating the effectiveness of these actions, and date to review]
- Status: e.g. In Progress / Completed

Example row (partial): Category – Operation; Activity – Confidentiality of information

Identify Process Function Requirements
• Identify a description of the process or operation being analyzed.
• The process function requirement describes the purpose of the process step / operation.
• Determine the purpose of each process step or process function. A step may have multiple requirements.

Describe Process Step / Function / Objective / Requirements
 Enter a simple description of the process or operation being analyzed (e.g. receiving purchased items, inspection, storage, specimen checking, waste disposal, etc.).
 Determine the function of each process step.
 Indicate as concisely as possible the purpose of the operation being analyzed.
 "You cannot identify a failure unless the process characteristic and its requirement have been identified."

GF/GBA-RCCM/PRA/FM – Form: Process Risk Assessment – Version 2.0 – Date: 01/11/16 (worked example; same header fields as above)

Risk Identification
- Category: Operation
- Activity: Confidentiality of information
- Specific Risk: Leak of customer information

Risk Analysis & Evaluation
- Root Causes: Unauthorized release of confidential information
- Consequences: Complaint by customer
- Existing Control: Policy Statement on Quality, Confidentiality and Impartiality
- Likelihood & Justification: Rare
- Impact & Justification: High

Risk Treatment
- Risk Rating: Significant
- Additional Control: Notification to the customer on the information released
- Control Owner / Due Date: Technical Manager
- Status: In Progress / Completed

Specific risk: describe the manner in which the process could potentially fail to meet the intended process function(s) / requirement(s) described in the previous column. What could possibly go wrong?

GF/GBA-RCCM/PRA/FM – Form: Process Risk Assessment – Version 2.0 – Date: 01/11/16 (same worked example as above: Operation / Confidentiality of information / Leak of customer information / Unauthorized release of confidential information / Complaint by customer / Policy Statement on Quality, Confidentiality and Impartiality / Rare / High / Significant / Notification to the customer on the information released / Technical Manager)

Root cause of risk: defined as how the risk could occur, described in terms of something that can be corrected and controlled.

GF/GBA-RCCM/PRA/FM – Form: Process Risk Assessment – Version 2.0 – Date: 01/11/16 (same worked example as above: Operation / Confidentiality of information / Leak of customer information / Unauthorized release of confidential information / Complaint by customer / Policy Statement on Quality, Confidentiality and Impartiality / Rare / High / Significant / Notification to the customer on the information released / Technical Manager)

Effect of risk: identify the potential effects / impact of the risk as perceived by customers. It should be described as what the customer might notice or experience.

Effect(s) of risk
 Brainstorm the "effect of risk": how does the risk affect the customer?
 Describe the effects of the risk in terms of what the customer might notice or experience.
 State clearly if the risk could impact safety or cause non-compliance with regulations.
 The customer may be external or internal.

Group Exercise: Risk Identification

Know your process risk?
1. Identify the key process name, process objective and process owner.
2. Identify the risk, root cause and consequences for your respective key processes.
3. Complete the form given for this activity.

Do not complete the Existing Controls, Control Type and Risk Rating sections, as these will be addressed in the Risk Analysis & Evaluation session.

RISK ASSESSMENT FORMAT (example entry)

Header: Location; Dept.; Prepared by / Date; Checked by / Date; Approved by / Date; Review Date.

1. Risk Identification
- No.: 1
- Risk category: Operation
- Process: Review of requests, tenders and contracts
- Specific risk: Incomplete information on the analytical form
- Root cause: Lack of cooperation from the customer

2. Risk Analysis and Evaluation
- Consequences: Wrong test performed; waste of resources
- Current risk control: Control of records procedure, QSP013
- Likelihood / Severity / Risk Rating: (left blank)

3. Risk Control
- Recommended action / additional control; Status; PIC (due date / status): (left blank)

Risk Analysis & Risk Evaluation

RISK MANAGEMENT PROCESS (ISO 31000:2018, clause 6): communication & consultation (6.2); establishing the context (6.3); risk assessment (6.4) = risk identification (6.4.2), risk analysis (6.4.3), risk evaluation (6.4.4); risk treatment (6.5); monitoring and review (6.6); recording & reporting (6.7).

Process Risk Management: Risk Analysis & Evaluation

The process determines:
- EXISTING CONTROLS that mitigate the risk
- LIKELIHOOD OF THE RISK – an evaluation of the chance of the risk happening
- IMPACT OF THE RISK – the outcome of the risk (consequences), financial or non-financial
- RISK RATING – the level or position of the risk

Process Risk Management: Risk Analysis & Evaluation

Categories of control

Type of control – Description – Examples
- Preventive – These controls are designed to limit the possibility of an undesirable outcome being realised. Examples: elimination or removal of the source of the hazard; substitution of the hazard with something less risky; exposure reduction by job rotation or limitation on hours worked.
- Corrective – These controls are designed to limit the scope for loss and reduce undesirable outcomes that have already been realised. Example: post-implementation review.
- Detective – These controls are designed to identify occasions on which undesirable outcomes have been realised. Examples: medical check-up (inspection) to seek early symptoms; audit, inspection & testing.

Applied to the confidentiality example in the Process Risk Assessment form above: the Policy Statement on Quality, Confidentiality and Impartiality is a preventive control and notification to the customer of the information released is a corrective one; neither would detect an unauthorized release, so a detective control (for example an audit of who accessed the customer's records) is the natural addition.

Current risk control (examples by category)
- Safety: PPE, emergency stop button, relief valve, SOP
- Financial: third-party financial audit, deposit, level of authority
- Operational: SOP, quality control inspection
- Legal: contract

Most importantly, a current risk control must be effective; otherwise it is counted as no control at all.

RISK ANALYSIS METHODOLOGY
1) Use qualitative or quantitative methods.
2) Develop the likelihood scale (e.g. 1 = low (impossible) to 5 = high (almost certain)).
3) Develop the risk consequence scale (e.g. 1 = low (negligible) to 5 = high (critical)).
4) Develop the risk assessment format (template).

RISK ASSESSMENT FORMAT

Header: Location; Dept.; Prepared by / Date; Checked by / Date; Approved by / Date; Review Date.

Columns:
1. Risk Identification: No.; Risk category; Process; Risks; Cause
2. Risk Analysis and Evaluation: Effect / consequences; Current Risk Control; Likelihood; Severity; Risk Rating
3. Risk Treatment: Recommended Action / Additional Control; Status; PIC (Due Date / Status)

Process Risk Management: Risk Analysis – Likelihood (assessing probabilities)
• For actual or recurring events, use the quantitative method to calculate the probability of the risk happening.
• For potential events, use the qualitative method to determine the probability of the risk happening, based on expert opinion or on experience in other companies.

Level | Level of likelihood | Description
1 | Rare | The event may occur only in exceptional circumstances – e.g. once in every 3 years, or a probability of 10% and below
2 | Unlikely | The event could occur at some time – e.g. once in every 2 years, or a probability above 10% up to 25%
3 | Possible | The event might occur at some time – e.g. once every year, or a probability above 25% up to 50%
4 | Likely | The event will probably occur in most circumstances – e.g. once in 6 months, or a probability above 50% up to 75%
5 | Almost Certain | The event is expected to occur in most circumstances – e.g. on a monthly basis, or a probability above 75%

Process Risk Management: Risk Analysis – example of likelihood measurement

Example of risk 1: Fall from height (accident)
Likelihood measurement: occurrence of incidents involving a fall from height, by month

Jan | Feb | Mar | Apr | May | Jun | Jul | Aug | Sep | Oct | Nov | Dec
 -  |  -  |  2  |  1  |  -  |  -  |  -  |  -  |  -  |  -  |  -  |  4

The statistics indicate that incidents took place in 3 months (March, April and December). Therefore the risk likelihood is Unlikely (3 months / 12 months x 100 = 25%).

UNLIKELY: The event could occur at some time – e.g. once in every 2 years, or a probability above 10% up to 25%.

Note that this method counts the months in which at least one incident occurred, not the number of incidents: the same data contain 7 incidents in the year, which on the frequency reading of the scale ("once in 6 months" = Likely, "on a monthly basis" = Almost Certain) would rate much higher. The laboratory must decide which measure its scale uses before rating, and apply it consistently.

Process Risk Management: Risk Analysis – example of financial impact measurement

RISK IMPACT: variance against targets / budget on financial indicators, e.g. EBITDA, PATAMI, OPEX or REVENUE

Level | Level of impact | Measurement
1 | Insignificant | variance below 2% *
2 | Minor | variance from 2% to below 3% *
3 | Moderate | variance from 3% to below 4% *
4 | Major | variance from 4% to below 5% *
5 | Catastrophic | variance above 5% *

As written on the slide ("< 5%" for Major, "> 5%" for Catastrophic), a variance of exactly 5% falls in neither band; the scale should state which level a boundary value belongs to.
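The likelihood and financial impact scales above are easy to apply inconsistently at their boundaries, so the following is a worked implementation, added here as an example; it is not code from the course material or from SIRIM. It encodes the five-level likelihood scale in both of its readings (share of months with an incident, as in the fall-from-height example, and incidents per year against the "once in N" descriptors), the financial impact bands, and an assumed likelihood x impact rating with four bands, which the course leaves to the laboratory's risk appetite and which is an assumption of this example. The monthly data are constructed to reproduce the fall-from-height table.

```python
"""Added example: the course's risk analysis scales as code (not SIRIM's code)."""
from __future__ import annotations

# Likelihood scale: (level, descriptor, inclusive upper bound of probability in %).
# "above 10% to 25%" is read as 10 < p <= 25, so a value exactly on a boundary takes
# the lower level; that is how the fall-from-height example reaches 25% = Unlikely.
LIKELIHOOD_SCALE = [
    (1, "Rare", 10.0),
    (2, "Unlikely", 25.0),
    (3, "Possible", 50.0),
    (4, "Likely", 75.0),
    (5, "Almost Certain", 100.0),
]

# Frequency reading of the same scale, as an inclusive upper bound in events per year:
# once in 3 years = 1/3, once in 2 years = 1/2, once a year = 1, once in 6 months = 2,
# monthly or more = anything above that.
LIKELIHOOD_BY_FREQUENCY = [
    (1, "Rare", 1 / 3),
    (2, "Unlikely", 1 / 2),
    (3, "Possible", 1.0),
    (4, "Likely", 2.0),
    (5, "Almost Certain", float("inf")),
]

# Financial impact scale: variance against budget in %, exclusive upper bound.
# The slide writes "< 5%" for Major and "> 5%" for Catastrophic, leaving exactly 5%
# unassigned; this implementation takes the conservative reading (Catastrophic).
FINANCIAL_IMPACT_SCALE = [
    (1, "Insignificant", 2.0),
    (2, "Minor", 3.0),
    (3, "Moderate", 4.0),
    (4, "Major", 5.0),
    (5, "Catastrophic", float("inf")),
]

# Assumption of this example: the course refers the rating to the laboratory's risk
# appetite without giving a matrix, so a likelihood x impact product is banded here.
RATING_BANDS = [(4, "Low"), (9, "Medium"), (16, "High"), (25, "Extreme")]


def likelihood_from_percent(probability_pct: float) -> tuple[int, str]:
    """Map a probability in percent onto the five-level likelihood scale."""
    if not 0.0 <= probability_pct <= 100.0:
        raise ValueError(f"probability out of range: {probability_pct}")
    for level, name, upper in LIKELIHOOD_SCALE:
        if probability_pct <= upper:
            return level, name
    raise AssertionError("unreachable: last band covers 100%")


def likelihood_from_months(monthly_counts: list[int]) -> tuple[int, str, float]:
    """Percent-of-months method from the fall-from-height example: the share of
    months with at least one event. Returns (level, descriptor, percent).
    Counts within a month are ignored, which is why this reading can disagree
    with the frequency reading below."""
    if len(monthly_counts) != 12:
        raise ValueError("expected 12 monthly counts")
    months_with_event = sum(1 for n in monthly_counts if n > 0)
    pct = 100.0 * months_with_event / 12
    level, name = likelihood_from_percent(pct)
    return level, name, pct


def likelihood_from_frequency(monthly_counts: list[int]) -> tuple[int, str, int]:
    """Frequency reading of the scale: total events per year against the
    'once in N' descriptors. Returns (level, descriptor, events_per_year)."""
    events = sum(monthly_counts)
    for level, name, upper in LIKELIHOOD_BY_FREQUENCY:
        if events <= upper:
            return level, name, events
    raise AssertionError("unreachable: last band is unbounded")


def financial_impact(variance_pct: float) -> tuple[int, str]:
    """Map an absolute variance against budget (in %) onto the impact scale."""
    variance_pct = abs(variance_pct)
    for level, name, upper in FINANCIAL_IMPACT_SCALE:
        if variance_pct < upper:
            return level, name
    raise AssertionError("unreachable: last band is unbounded")


def risk_rating(likelihood_level: int, impact_level: int) -> tuple[int, str]:
    """Assumed rating (not from the course): product of the two levels, banded."""
    score = likelihood_level * impact_level
    for upper, band in RATING_BANDS:
        if score <= upper:
            return score, band
    raise AssertionError("unreachable: 5 x 5 = 25 is the last band")


if __name__ == "__main__":
    # Constructed data reproducing the fall-from-height table: events in March (2),
    # April (1) and December (4), none in the other months.
    falls = [0, 0, 2, 1, 0, 0, 0, 0, 0, 0, 0, 4]
    print(likelihood_from_months(falls))     # (2, 'Unlikely', 25.0)
    print(likelihood_from_frequency(falls))  # (5, 'Almost Certain', 7)
    print(financial_impact(4.5), financial_impact(5.0))  # (4, 'Major') (5, 'Catastrophic')
    print(risk_rating(2, 4))                 # (8, 'Medium')
```

Run on the constructed data, the percent-of-months method gives Unlikely (25%) while the frequency reading of the same scale gives Almost Certain (7 events in the year), which is exactly the disagreement a laboratory needs to resolve when it writes its scale down; the exact-5% variance case shows why each band should state whether its boundary is inclusive.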


Process Risk Management: Risk Analysis – example of non-financial impact measurement

Level 1 – Insignificant
- Service disruption involving state-level or emergency services below 1 hour
- Recovery period up to 1 week for reputation
- No bodily injuries
- The project is not greatly affected by the event
- Not reported in any media

Level 2 – Minor
- Service disruption involving state-level or emergency services between 1 and 3 hours
- Recovery period up to 3 months for reputation
- Bodily injuries require first-aid treatment
- The project may need to be re-planned to remain on track
- Reported in local formal media

Level 3 – Moderate
- Service disruption involving state-level or emergency services between 3 and 6 hours
- Recovery period up to 1 year for reputation
- Bodily injuries require medical treatment
- The project will not meet its primary target
- Reported in local formal media and new media

Level 4 – Major
- Service disruption involving state-level or emergency services exceeding 6 hours
- Recovery period of more than 1 year for reputation
- Extensive bodily injuries / permanent disability
- The project will not meet all its objectives
- Reported and criticized in new media and formal media (local and foreign)

Level 5 – Catastrophic
- Nationwide service disruption
- Permanent reputation damage
- Injuries result in death
- The project is stopped
- Highlighted and criticized heavily in new media, formal media (local and foreign) and parliament

• Each key risk owner may suggest the appropriate impact measurement based on the type of risk.

GF/GBA-RCCM/PRA/FM
Form : Process Risk Assessment
Version 2.0

Division/Unit : [Division Name / Unit Name]
Core Process Name : [Core Process Name]
Process Owner : [Process Owner Name]
Date Review : [DD/MM/YYYY]
Reviewed By : [Control Owner Name]
Date Created : [DD/MM/YYYY]

Risk Identification
- Activity [Determine the activity in the core process that addresses the risk & opportunities]: 1. Confidentiality of information (Date : 01/11/16)
- Specific Risk [Type of risk]: Leak of customer information
- Root Causes [Detection of risk trigger in core processes]: Unauthorized release of confidential information

Risk Analysis & Evaluation
- Consequences [Effect of the risk having occurred]: Complaint by customer
- Existing Control [Determine actions already implemented to control the risk]: Policy Statement on Quality, Confidentiality and Impartiality
- Likelihood & Justification [Level of probability that the risk occurs & provide justification; *Refer to Risk Appetite]: Rare
- Impact & Justification [Level of consequences if the risk occurred & provide justification; *Refer to Risk Appetite]: High

Risk Treatment
- Risk Rating [Level of Risk; *Refer to Risk Appetite]: Significant
- Additional Control [List down additional key controls required to control the risk / for improvement; *If needed]: Notification to the customer on the information released
- Control Owner / Due Date [Responsible person to conduct monitoring and evaluate the effectiveness of these actions & date to review]: Technical Manager
- Status [i.e. In Progress / Completed]

Current Control (Prevention, Detection): descriptions of the controls that either prevent the cause of the risk from occurring or detect the risk if it occurs.

67

Likelihood: the likelihood that the specific cause of the risk will occur.

68

Impact: the rank associated with the most serious effect for a given risk mode.

69

Process Risk Management

Risk Analysis – Determining Impact

Example of Risk 1: Road Accident

Impact: the effects of the risk are injury or death (Non-financial)

Cases that occurred did not cause death, only serious injury. Thus, the impact is MAJOR.

MAJOR - Extensive bodily injuries / permanent disability

70

Group Exercise

Risk Analysis & Evaluation

Analyse the risks that were identified during the previous group exercise.

71

What is Risk Appetite?

• Amount and type of risk that an organisation is prepared to seek, accept and tolerate. (Source: British Standard 31100)

• Amount and type of risk that an organisation is willing to pursue or retain. (Source: ISO 31000 (Guide 73))

Risk appetite should always be within the risk tolerance.

[Figure: likelihood / impact diagram showing the risk appetite lying within the risk tolerance]

Risk Tolerance (Limit)

• Organization’s or stakeholder’s readiness to bear the risk after risk treatment in order to achieve its objectives. (Source: ISO 31000 (Guide 73))

• The maximum amount of risk that the company can bear despite controls. (Source: European Confederation of Institutes of Internal Auditing (ECIIA) and Federation of European Risk Management Associations (FERMA))

72

RISK MANAGEMENT PROCESS

- Communication & Consultation (6.2)
- Establishing the context (6.3)
- Risk Assessment (6.4): Risk Identification (6.4.2), Risk Analysis (6.4.3), Risk Evaluation (6.4.4)
- Risk Treatment (6.5)
- Monitoring and review (6.6)
- Recording & Reporting (6.7)

73

Process Risk Management

Risk Analysis – Coming up with a risk rating

RISK RATING: level or position of the risk

Once the likelihood and impact of the risk have been established, we can then combine them to determine the level of risk. In arriving at this level, the risk rating matrix is used.

Level of Likelihood \ Level of Impact | Insignificant | Minor | Moderate | Major | Catastrophic
Almost Certain | Significant | Significant | High | High | Extreme
Likely | Moderate | Significant | Significant | High | High
Possible | Low | Moderate | Significant | High | High
Unlikely | Low | Low | Moderate | Significant | High
Rare | Low | Low | Moderate | Significant | Significant

Risk rating is calculated using the following formula

Example: LIKELIHOOD = UNLIKELY, IMPACT = MAJOR, RISK RATING = SIGNIFICANT

74
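The likelihood scale of slide 63, the monthly incident count of slide 64 and the rating matrix above, written out as checkable Python. This is an added example, not material from the SIRIM slides; the incident counts are constructed to mirror the fall-from-height example, and the monotonicity check is a sanity test on a hand-built matrix that the slides do not mention.

```python
# Added example (not from the SIRIM slides): slide 63 likelihood scale, slide 64
# monthly incident count and slide 74 rating matrix as checkable code.
IMPACT = ["Insignificant", "Minor", "Moderate", "Major", "Catastrophic"]
LIKELIHOOD = ["Rare", "Unlikely", "Possible", "Likely", "Almost Certain"]
RATING_ORDER = ["Low", "Moderate", "Significant", "High", "Extreme"]

# Slide 74 matrix: rows = likelihood, columns in IMPACT order.
MATRIX = {
    "Almost Certain": ["Significant", "Significant", "High", "High", "Extreme"],
    "Likely":         ["Moderate", "Significant", "Significant", "High", "High"],
    "Possible":       ["Low", "Moderate", "Significant", "High", "High"],
    "Unlikely":       ["Low", "Low", "Moderate", "Significant", "High"],
    "Rare":           ["Low", "Low", "Moderate", "Significant", "Significant"],
}

def likelihood_from_probability(p):
    """Slide 63 scale; upper bounds are inclusive (10% -> Rare, 25% -> Unlikely),
    which is what the slide 64 example (3/12 = 25% -> Unlikely) relies on."""
    if not 0 <= p <= 1:
        raise ValueError("probability must be between 0 and 1")
    for bound, level in zip((0.10, 0.25, 0.50, 0.75), LIKELIHOOD):
        if p <= bound:
            return level
    return "Almost Certain"

def likelihood_from_monthly_counts(counts):
    """Quantitative method of slide 64: share of months in which the event occurred."""
    months_hit = sum(1 for c in counts if c > 0)
    return likelihood_from_probability(months_hit / len(counts))

def risk_rating(likelihood, impact):
    """Read the rating off the slide 74 matrix."""
    return MATRIX[likelihood][IMPACT.index(impact)]

def matrix_is_monotone():
    """Check for a hand-built matrix: the rating must never drop when either
    likelihood or impact increases."""
    rank = RATING_ORDER.index
    rows = [MATRIX[level] for level in LIKELIHOOD]
    across = all(rank(r[i]) <= rank(r[i + 1]) for r in rows for i in range(4))
    down = all(rank(rows[j][i]) <= rank(rows[j + 1][i]) for j in range(4) for i in range(5))
    return across and down

# Constructed monthly fall-from-height counts, Jan..Dec, mirroring slide 64.
FALL_COUNTS = [0, 0, 2, 1, 0, 0, 0, 0, 0, 0, 0, 4]
```

`likelihood_from_monthly_counts(FALL_COUNTS)` returns "Unlikely", and `risk_rating("Unlikely", "Major")` returns "Significant", matching the worked example on the slide.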

RISK ACTION PLAN TABLE

Risk Level | Action and Timescale
ACCEPTABLE (1-4) | No additional controls are required. Consideration may be given to a more cost-effective solution or an improvement that imposes no additional cost burden. Monitoring is required to ensure that the controls are maintained.
MODERATE (5-12) | Efforts should be made to reduce the risk, but the costs of prevention should be carefully measured and limited. Risk reduction measures should be implemented within a defined time period. Where the moderate risk is associated with extremely harmful consequences, further assessment may be necessary to establish more precisely the likelihood of harm as a basis for determining the need for improved control measures.
UNACCEPTABLE (15-25) | Work should not be started or continued until the risk has been reduced. If it is not possible to reduce the risk even with unlimited resources, work has to remain prohibited.

75

Risk Treatment

76


ULTIMATELY, WE NEED TO DECIDE WHETHER…

78

RISK TREATMENT

• AVOID – not taking or not continuing the activities.
• REDUCE – reduce the likelihood and impact through training, testing, controls and improving the management system.
• TRANSFER – involve another party to share the risk in whole or in part, through contracts, insurance or an MOU.
• ACCEPT – the identified risks cannot be eliminated or avoided, or there is no treatment that can be applied.

79

TRANSFER AND AVOID THE RISK • When the likelihood of a risk is low but the consequences are high, the organization will wish to transfer that risk. • When a risk has both high likelihood and high consequences, the organization will wish to avoid or eliminate the risk.

80

ACCEPT AND REDUCE THE RISK • When the risk is considered to be within the risk appetite of the organization, the organization will accept that risk. • When the level of risk exposure (likelihood) is high but the potential loss (impact) associated with it is low, the organization will wish to treat the risk in order to reduce it.

81

Communication, Monitoring & Review

82


DEVELOPMENT OF RISK MANAGEMENT CULTURE

• CULTURE – Risk is part of the way work is done
• MANAGE – Include risk in all planning
• TRAINING – Train employees to see risk while conducting their job

84

COMMUNICATION AND REPORTING

Risk Level | Communication
Critical | Notify top management; immediate action to be taken
High | Notify top management; refer to strategic planner
Medium | Action to be taken without notifying top management
Low | Accept the risk, but monitoring is needed

85


MONITORING & REVIEW

Always monitor and evaluate the strategy, as the context or the risk may change, or other factors may arise, such as:
1) New risks
2) The result of an existing risk assessment may change
3) The risk may no longer exist
4) The treatment may not be effective

87

MONITORING & REVIEW

Effectiveness | Details
Excellent | Monitoring conducted at planned intervals; audit and review have been conducted to measure the effectiveness of the system.
Good | Monitoring conducted. Action has been taken.
Moderate | Monitoring conducted but no action taken.
Weak | No monitoring has been done.

88

AUDIT • See the involvement of management • See the methodology used • See the members of the group involved • See what kinds of risks are taken into account • See how the scores were given • View the data used • See the treatment actions • See the follow-up actions

89

EFFECTIVE RISK MANAGEMENT • Maintain a global perspective • Initiate open communication • Integrate risk management into daily operations • Continually improve risk management • Team cooperation • Avoid loss of business / profit / company image

90


Thank you [email protected] Tel 03-55446237 H/P :012-2348594

92