7/25/2013
Presented by:
Erike Young, MPPA, CSP, ARM
Chapter 2
Root Cause Analysis
Introduction to Root Cause Analysis
• Root Cause
– The event or circumstance that directly leads to an occurrence
• Root Cause Analysis (RCA)
– A systemic procedure that uses the results of the other analysis techniques to identify the predominant cause of the accident
– Used to determine the underlying cause of a harmful event and prevent such events from occurring again.
• Typically used after an event has occurred, but can be used to predict events that could harm an organization
– Goal is to learn to solve problems before they become major events, rather than reacting to them as they occur
The Nature of Root Cause Analysis
• Four basic characteristics of Root Causes
– Root cause is specific to the underlying cause, not a generalization
– Can be reasonably identified
– Must be expressed as something that can be modified
• Cannot be an Act of God
– Must produce effective recommendations for prevention of future accidents that stem from the root cause
• Harmful events are usually associated with one of three basic causes of loss
– Physical
• Failure of a tangible or material item (equipment failure)
– Human
• Human error or inaction (not performing maintenance)
– Organizational
• Faulty systems, processes or policies
– Unclear procedures or processes
– Systems/policies may encourage bad behavior
Steps in Root Cause Analysis Process
• Data collection
– Cannot identify root cause without complete information about surrounding circumstances, facts, causes.
• Causal Factor Charting
– Provides structure to organize and analyze the data gathered
• Root Cause Identification
– Process to identify underlying reason(s) for causal factor identified in step two
– May involve mapping or flow-charting
• Recommendation Determination and Implementation
– Recommendations to prevent recurrence are generated
Causal Factors – The agents that directly result in one event causing another
Summary of Major Standards and Guidelines
• Risk Maturity Model (self-assessment tool) attributes
– ERM based approach
– ERM process management
– Risk Appetite management
– Root cause discipline
– Uncovering risks
– Performance management
– Business resiliency and sustainability
Chapter 3
Business Continuity Management
Definition of Risk
• Type of risk that provides potential for only a negative outcome
• Three main categories
– Personnel Risk
• Uncertainty due to loss of key employees, death, workplace injuries
– Property Risk
• Uncertainty related to loss of wealth due to damage/destruction of property
– Liability Risk
• Uncertainty due to bodily injury/death, harm to others
• Typically includes the following hazard risks
– Fire and other property damage
– Windstorm and other natural perils
– Theft and other crime, personal injury
– Business interruption
– Disease and disability (work related injuries/illness)
– Liability claims
Measuring and Managing Hazard Risk
• Common measures
– Frequency – number of losses
– Severity – size of loss
• Techniques to manage
– Avoidance – eliminates possibility of loss
– Separation – dispersing activity over several locations
– Duplication – reliance on back-ups
– Diversification
– Prevention – reduces frequency of losses
– Reduction – reduces severity of losses
Role of Insurance
• Insurance
– Risk management technique that transfers the potential financial consequences of certain specified loss exposures from the insured to the insurer
– Used for low frequency/high severity events
– Used for events that have more uncertainty and/or activities that cannot be avoided
– Most common method of risk transfer
• High frequency/low severity events should be retained – predictable
Loss Exposures
Failure Mode and Effects Analysis (FMEA)
• FMEA
– An analysis that reverses the direction of reasoning in fault tree analysis by starting with causes and branching out to consequences
– Primarily used in product development and operations management
– Used to identify failure modes and perform effects analysis
• Failure Mode
– The manner in which a perceived or actual defect in an item, process, or design occurs
• Effects Analysis
– The study of a failure’s consequences to determine a risk event’s root cause(s)
• Indenture Level
– An item’s relative complexity within an assembly, system, or function
• Any system can have several levels.
• Level 1 represents entire system, while level 6 may represent parts
• Local effect
– The consequence of a failure mode on the operation, function, or status of the specific item or system level under analysis
• Next-higher-level effect
– The consequence of a failure mode on the operation, function, or status of the items in the indenture level immediately above the level being analyzed.
• End Effect
– The consequence of a failure mode on the operation, function, or status of the highest indenture level
• Example – Parts of a car
Types of Loss Exposures
Steps in the FMEA Process
Rankings are usually on a 1-5 or 1-10 scale, depending on organization’s process
FMEA Advantages/Disadvantages
Fault Tree Analysis (FTA)
• Fault Tree Analysis
– An analysis that takes a particular system failure and traces the events leading to the system failure backwards in time
– Uses the deductive method of moving from the general to specific to examine conditions that led to, or influenced, a risk event
– Purpose is finding ways to break the fault tree by interrupting the sequence of events leading to system failure so that the failure itself can be prevented
– Typical fault trees have “and” gates & “or” gates which describe the causal relationships between the events within the tree
Property Insurance
And Gate – means that all events have to occur within “And” gate for injury to happen
Or Gate – means that any one event is sufficient to cause that specific event
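The gate logic and the idea of "breaking the tree" described above, as an added example that is not part of the original slides: it evaluates a small fault tree and derives its minimal cut sets, the smallest event combinations that cause the top event. The tree, event names and function names are constructed for illustration.

```python
from itertools import product

# Constructed tree (not from the slides). A node is a basic-event name
# or a gate written as ("AND" | "OR", [children]).
FAULT_TREE = ("OR", [
    ("AND", ["primary power lost", "generator fails to start"]),
    ("AND", ["backup unreadable",
             ("OR", ["disk array failure", "volume deleted in error"])]),
])


def occurs(node, happened):
    """Gate semantics: AND needs every input event, OR needs any one."""
    if isinstance(node, str):
        return node in happened
    gate, children = node
    results = [occurs(c, happened) for c in children]
    return all(results) if gate == "AND" else any(results)


def cut_sets(node):
    """Every combination of basic events sufficient to trigger `node`."""
    if isinstance(node, str):
        return {frozenset([node])}
    gate, children = node
    child_sets = [cut_sets(c) for c in children]
    if gate == "OR":  # any child suffices: pool the children's sets
        return set().union(*child_sets)
    # AND: take one cut set from each child and merge them
    return {frozenset().union(*combo) for combo in product(*child_sets)}


def minimal_cut_sets(node):
    """Drop any cut set that strictly contains another one."""
    sets = cut_sets(node)
    return {s for s in sets if not any(other < s for other in sets)}


def breaks_tree(node, prevented):
    """True if preventing these events interrupts every minimal cut set."""
    return all(s & set(prevented) for s in minimal_cut_sets(node))


if __name__ == "__main__":
    for s in sorted(minimal_cut_sets(FAULT_TREE), key=sorted):
        print(" AND ".join(sorted(s)))
    print(breaks_tree(FAULT_TREE, ["generator fails to start", "backup unreadable"]))
```

A set of controls breaks the tree only if it removes at least one event from every minimal cut set, which is why a single control on one branch of an "or" gate is not enough.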
Assumptions and Limitations
5 Whys Analysis and the Fishbone Diagram
• 5 Whys is a crucial component of the Fishbone diagram
– Used primarily for problems involving human factors
– Helps prevent investigators from relying on potentially erroneous assumptions about the root cause of a problem
– Traces problem through chain of causality to its origin
Procedure for Conducting a 5 Whys Analysis
Commercial Policies
Steps in Developing a Fishbone
Chapter 3
Business Continuity Management
Introduction to Business Continuity Management (BCM)
• Continuity Management
– Addresses threats to operations
• Natural disasters
• Major physical damage to a building
• Loss of a critical supplier
• Pandemic outbreaks – Avian Flu, H1N1
– Involves examining threats and establishing operational plan with contingencies for key operations and critical functions to continue
– Goal of BCM is survival
• Seeks to minimize loss of resources essential to a recovery through pre- and post-loss actions
Evolution of BCM
• Originally started as emergency preparedness and response planning
– Focus on providing emergency supplies and trained personnel to protect physical assets
• Disaster Recovery planning grew out of increasing use and dependence on technology
– Data management, storage, communications, and critical systems
– IT Departments developed plans to protect data and equipment
• Concept of BCM grew out of realization that organizations had to look beyond their own organization to other systems
– Focus on disruptions in operations from other causes
• Supply and distribution chains
– Need to continue business operations and recovery
• Examples
– Super Storm Sandy – Research lost, Communications, Transportation
Aligning BCM with Risk Management
• BCM deals primarily with operational risk
– Consequences of disruption and minimizing effects on operations
• Risk Management encompasses operational risk associated with BCM and the hazard, financial and strategic risk
• While functions may be housed in different departments, efforts should be coordinated
Business Continuity Certifications and Standards
Business Continuity Planning
• Seven steps for developing and implementing BCP
– Understand the business
– Conduct business impact analysis
– Perform risk assessment
– Develop the continuity plan
– Implement the continuity plan
– Build a BCM/BCP culture
– Maintain and update the plan
• “Business” is intended to consider mission, vision, strategy of the enterprise, in addition to its survival
– Business of the charity, agency, etc.
• Understand the business
– Determine key objectives
– Understand how it uses
• Facilities, materials supply chain, human resources,
– Allows for identification of key processes that constitute basis for business impact analysis
• Business Impact Analysis
– Assess what events may occur, when they will occur and how they could affect achievement of key objectives
– Distinguish critical vs. non-critical processes
– For ISO 31000:2009 – BIA and Risk assessment process are combined.
• Performing Risk Assessment
– Goal is to identify and evaluate potential exposures and the probability that certain events will occur
– Helps prioritize and make decisions regarding organizational risk appetite
– Will reveal exposures and assist in establishing methods for future mitigation efforts
– Helps develop an action plan
Develop the Continuity Plan
Implementing the Continuity Plan
Building a BCM/BCP Culture
• Senior management must provide support for the BCP
– Desktop exercises/drills
• Hypothetical disaster scenarios
– Goal is to find holes in the BCP
• Suppliers and customers should know about BCP
Maintaining and Updating the Plan
• BCP is only effective if fresh and updated
– Review should be done semiannually or when significant change in product line, processes, or management occurs.
• Where to store BCP is also a key consideration
– How and where to access
• SharePoint, thumb drive, etc.
Strategic Redeployment Planning
• Helps determine how to resume business operations and ensure survival and recovery
– Determine how to realign to survive
– Regain position in marketplace
– Protect its reputation
• Decisions that are made are not just operational, but may also be strategic
• Strategic Redeployment Planning Stages
– Comprehensive plan for resiliency after a severe disruption
– Designed to bring organization back from a state of chaos in four stages
• Emergency stage
• Alternate marketing stage
• Contingency stage
• Communication stage
Emergency Stage
• Emergency stage is designed to accomplish three objectives
– Protect People
– Protect physical assets
– Protect reputation
Alternate Marketing Stage
• Evaluate impact of disruption on the organization’s reputation and market share
– Need for new marketing strategy
– Customer loyalty considerations
– Issues with suppliers and subcontractors
– Competition
– Continuation of product lines
Contingency Production Stage
• Determination of what products and services will be provided based upon facilities, technology, and machinery
• Must consider supply chain
– Cost and quality
– Transportation to get product to market
Communication Stage
• Sole objective is to preserve or enhance stakeholders’ trust and confidence in the organization
– Often referred to as “Crisis Communications”
• Begins when disruption occurs
• Ends when production and reputation have been restored
– Four basic internal/external concerns to be addressed
• Safety and security of all stakeholders
• Transparency in all management’s decisions
• Clarity and consistency in communications
• Perceived lack of trust in management and the organization
– Good relationship with new media and regular communication with employees are essential
Supply Chain Risk Management
• Involves assessing and mitigating all the threats that might interrupt the normal flow of goods and services from and on to an organization’s stakeholders
• For production of goods, encompasses volatility related to
– Producing
– Transporting
– Storing goods
Need to balance between efficiency and vulnerability to disruptions
Crisis Communication
• Mitigating risk through crisis communication
– Quality of crisis communication is essential to resiliency
• Stakeholder Communications
– Begins before threats materialize to develop baseline trust
– Stakeholders must believe that management will competently handle crisis
– Demonstrate that senior management is committed to maintaining transparency in decision making
– Consistent and tailored to specific audiences
– Must embody corporate integrity and authenticity
• Internal Stakeholders
– Individual needs must be acknowledged
– Employees must be informed regularly
• How crisis may impact job and working conditions
– Unit and operational managers must be made aware of ongoing risks and held accountable for aspects of crisis management plan
– Stockholders must be informed of steps to manage, mitigate, and prevent future crisis
– Board of Directors informed about strategic exposures, governance issues and long term resilience.
• External Stakeholders
– Suppliers
• Deliveries, production schedule
– Customers
• Safety and customer loyalty
– Public officials
• Efforts to ensure public safety and health
– Media
• Helps transmit information to stakeholder groups
Benefits of Crisis Communication
• Improve relationships with internal and external stakeholders
• Protection of reputation
• Promote trust in products and services
• Minimize litigation
Mitigating Supply Chain Risk
Page 3.21
Case Study
Mille Company
Grain flour Producer
Purchased by large company and mixed non-organic grain to lower costs
Bakeries, Inc
Makes “organic” whole-grain bread
Only purchases grain flour from Mille Company
Health Foods
Purchases bread from Bakeries, Inc.
Bakeries, Inc products account for 35% of product sales