7/25/2013

1

Presented by:

Erike Young, MPPA, CSP, ARM

1

Chapter 2

Root Cause Analysis

7/25/2013

2

Introduction to Root Cause Analysis • Root Cause

– The event or circumstance that directly leads to an occurrence

• Root Cause Analysis (RCA)

– A systemic procedure that uses the results of the other analysis techniques to identify the predominant cause of the accident

– Used to determine the underlying cause of a harmful event and prevent such events from occurring again.

• Typically used after an event has occurred, but can be

used to predict events that could harm an organization – Goal is to learn to solve problems before they become

major events, rather than reacting to them as they occur

7/25/2013

3

The Nature of Root Cause Analysis

• Four basic characteristics of Root Causes

– Root cause is specific to the underlying cause, not a generalization

– Can be reasonably identified

– Must be expressed as something that can be modified

• Cannot be an Act of God

– Must produce effective recommendations for prevention of future accidents that stem from the root cause

The Nature of Root Cause Analysis

• Harmful events are usually associated with one of three basic causes of loss

– Physical

• Failure of a tangible or material item (equipment failure)

– Human

• Human error or inaction (not performing maintenance)

– Organizational

• Faulty systems, processes or policies – Unclear procedures or processes

– Systems/policies may encourage bad behavior

7/25/2013

4

The Nature of Root Cause Analysis

Steps in Root Cause Analysis Process

• Data collection – Cannot identify root cause without complete information about

surrounding circumstances, facts, causes.

• Causal Factor Charting

– Provides structure to organize and analyze the data gathered

• Root Cause Identification

– Process to identify underlying reason(s) for casual factor identified in step two

– May involve mapping or flow-charting

• Recommendation Determination and Implementation

– Recommendations to prevent recurrence are generated

7/25/2013

5

Causal Factors- The agents that directly result in one event causing another

Summary of Major Standards and Guidelines

• Risk Maturity Model (self-assessment tool) attributes – ERM based approach

– ERM process management

– Risk Appetite management

– Root cause discipline

– Uncovering risks

– Performance management

– Business resiliency and sustainability

7/25/2013

6

Chapter 3

Business Continuity Management

7/25/2013

7

Definition of Risk

• Type of risk that provides potential for only a negative outcome • Three main categories

– Personnel Risk • Uncertainty due to loss of key employees, death, workplace injuries

– Property Risk • Uncertainty related to loss of wealth due to damage/destruction of property

– Liability Risk • Uncertainty due to bodily injury/death , harm to others

• Typically includes the following hazard risks – Fire and other property damage – Windstorm and other natural perils – Theft and other crime, personal injury – Business interruption – Disease and disability (work related injuries/illness) – Liability claims

Measuring and Managing Hazard Risk

• Common measures – Frequency – number of losses

– Severity – size of loss

• Techniques to manage – Avoidance – eliminates possibility of loss

– Separation – dispersing activity over several locations

– Duplication - reliance on back-ups

– Diversification

– Prevention – reduces frequency of losses

– Reduction – reduces severity of losses

7/25/2013

8

Role of Insurance

• Insurance – Risk management technique that transfers the potential

financial consequences of certain specified loss exposures from the insured to the insurer

– Used for low frequency/high severity events

– Used for events that have more uncertainty and/or activities that cannot be avoided

– Most common method of risk transfer

• High frequency/low severity events should be retained – predictable

7/25/2013

9

7/25/2013

10

Loss Exposures

Loss Exposures

7/25/2013

11

Failure Mode and Effects Analysis (FMEA)

• FMEA – An analysis that reverses the direction of reasoning in fault

tree analysis by starting with causes and branching out to consequences

– Primarily used in product development and operations management

– Used to identify failure modes and perform effects analysis

• Failure Mode – The manner in which a perceived or actual defect in an

item, process, or design occurs

• Effects Analysis – The study of a failure’s consequences to determine a risk

event’s root cause(s)

Failure Mode and Effects Analysis (FMEA)

• Indenture Level – An item’s relative complexity within an assembly, system, or function

• Any system can have several levels. • Level 1 represents entire system, while level 6 may represent parts

• Local effect – The consequence of a failure mode on the operation, function, or status of

the specific item or system level under analysis

• Next-higher-level effect – The consequence of a failure mode on the operation, function, or status of

the items in the indenture level immediately above the level being analyzed.

• End Effect – The consequence of a failure mode on the operation, function, or status of

the highest indenture level

• Example – Parts of a car

7/25/2013

12

Types of Loss Exposures

Steps in the FMEA Process

7/25/2013

13

Steps in the FMEA Process

Steps in the FMEA Process

Rankings are usually on a 1-5 or 1-10 scale, depending on organization’s process

7/25/2013

14

Types of Loss Exposures

7/25/2013

15

FMEA Advantages/Disadvantages

7/25/2013

16

FMEA Advantages/Disadvantages

Fault Tree Analysis (FTA)

• Fault Tree Analysis – An analysis that takes a particular system failure and

traces the events leading to the system failure backwards in time

– Uses the deductive method of moving from the general to specific to examine conditions that let to, or influenced a risk event

– Purpose is finding ways to break the fault tree by interrupting the sequence of events leading to system failure so that the failure itself can be prevented

– Typical fault trees have “and” gates & “or” gates which describe the casual relationships between the events within the tree

7/25/2013

17

Property Insurance And Gate- means that all events have to occur within “And” gate for injury to happen Or Gate – means that any one event is sufficient to cause that specific event

Fault Tree Analysis (FTA)

7/25/2013

18

Fault Tree Analysis (FTA)

Fault Tree Analysis (FTA)

7/25/2013

19

Assumptions and Limitations

Assumptions and Limitations

7/25/2013

20

5 Whys Analysis and the Fishbone Diagram

• 5 Whys is crucial component of Fishbone diagram

– Used primarily for problems involving human factors

– Helps prevent investigators from relying on potentially erroneous assumptions about the root cause of a problem

– Traces problem through chain of causality to its origin

Procedure for Conducting a 5 Whys Analysis

7/25/2013

21

Commercial Policies

7/25/2013

22

Steps in Developing a Fishbone

7/25/2013

23

Steps in Developing a Fishbone

7/25/2013

24

Chapter 3

Business Continuity Management

7/25/2013

25

Introduction to Business Continuity Management (BCM)

• Continuity Management – Addresses threats to operations

• Natural disasters

• Major physical damage to a building

• Loss of a critical supplier

• Pandemic outbreaks – Avian Flu, H1N1

– Involves examining threats and establishing operational plan with contingencies for key operations and critical functions to continue

– Goal of BCM is survival • Seeks to minimize loss of resources essential to a recovery

thru pre and post loss actions

Evolution of BCM • Originally started as emergency preparedness and response

planning – Focus on providing emergency supplies and trained personnel to

protect physical assets

• Disaster Recovery planning grew out of increasing use and dependence on technology – Data management, storage, communications, and critical systems – IT Departments developed plans to protect data and equipment

• Concept of BCM grew out of realization that organizations had to

look beyond their own organization to other systems – Focus on disruptions in operations from other causes

• Supply and distribution chains

– Need to continue business operations and recovery

• Examples – Super Storm Sandy – Research lost, Communications, Transportation

7/25/2013

26

Aligning BCM with Risk Management

• BCM deals primarily with operational risk – Consequences of disruption and minimizing effects on

operations

• Risk Management encompasses operational risk

associated with BCM and the hazard, financial and strategic risk

• While functions may be housed in different departments, efforts should be coordinated

Business Continuity Certifications and Standards

7/25/2013

27

Business Continuity Planning

• Seven steps for developing and implementing BCP – Understand the business – Conduct business impact analysis – Perform risk assessment – Develop the continuity plan – Implement the continuity plan – Build a BCM/BCP culture – Maintain and update the plan

• “Business” is intended to consider mission, vision,

strategy of the enterprise, in addition to its survival – Business of the charity, agency, etc..

7/25/2013

28

Business Continuity Planning

• Understand the business – Determine key objectives – Understand how it uses

• Facilities, materials supply chain, human resources,

– Allows for identification of key processes that constitute basis for business impact analysis

• Business Impact Analysis

– Assess what events may occur, when they will occur and how they could affect achievement of key objectives

– Distinguish critical vs. non-critical processes – For ISO 31000:2009 – BIA and Risk assessment process are

combined.

Business Continuity Planning

• Performing Risk Assessment

– Goal is to identify and evaluate potential exposures and the probability that certain events will occur

– Helps prioritize and make decisions regarding organizational risk appetite

– Will reveal exposures and assist in establishing methods for future mitigation efforts

– Helps develop an action plan

7/25/2013

29

7/25/2013

30

Develop the Continuity Plan

Implementing the Continuity Plan

7/25/2013

31

Building a BCM/BCP Culture

• Senior management must provide support for the BCP

– Desktop exercises/drills

• Hypothetical disaster scenarios

– Goal is to find holes in the BCP

• Suppliers and customers should know about BCP

Maintaining and Updating the Plan

• BCP is only effective if fresh and updated

– Review should be done semiannually or when significant change in product line, processes, or management occurs.

• Where to store BCP is also a key consideration

– How and where to access

• Sharepoint, thumb drive, etc..

7/25/2013

32

Strategic Redeployment Planning

• Helps determine how to resume business operations and ensure survival and recovery

– Determine how to realign to survive

– Regain position in marketplace

– Protect its reputation

• Decisions that are made are not just operational, but may also be strategic

Strategic Redeployment Planning

• Strategic Redeployment Planning Stages

– Comprehensive plan for resiliency after a severe disruption

– Designed to bring organization back from a state of chaos in four stages

• Emergency stage

• Alternate marketing stage

• Contingency stage

• Communication stage

7/25/2013

33

Emergency Stage

• Emergency stage is designed to accomplish three objectives

– Protect People

– Protect physical assets

– Protect reputation

Alternate Marketing Stage

• Evaluate impact of disruption on the organization’s reputation and market share

– Need for new marketing strategy

– Customer loyalty considerations

– Issues with suppliers and subcontractors

– Competition

– Continuation of product lines

7/25/2013

34

Contingency Production Stage

• Determination of what products and services will provide based upon facilities, technology, and machinery

• Must consider supply chain

– Cost and quality

– Transportation to get product to market

Communication Stage

• Sole objective is to preserve or enhance stakeholders’ trust and confidence in the organization

– Often referred as “Crisis Communications”

• Begins when disruption occurs • Ends when production and reputation has been restored

– Four basic internal/external concerns to be addressed

• Safety and security of all stakeholders • Transparency in all management’s decisions • Clarity and consistency in communications • Perceived lack of trust in management and the organization

– Good relationship with new media is essential and regularo

communication with employees

7/25/2013

35

Supply Chain Risk Management

• Involves assessing and mitigating all the threats that might interrupt the normal flow of goods and services from and on to an organization’s stakeholders

• For production of goods, encompasses volatility related to – Producing

– Transporting

– Storing goods

7/25/2013

36

Need to balance between efficiency and vulnerability to disruptions

7/25/2013

37

Crisis Communication

• Mitigating risk through crisis communication – Quality of crisis communication is essential to resiliency

• Stakeholder Communications – Begins before threats materialize to develop baseline trust

– Stakeholders must believe that management will competently handle crisis

– Demonstrate that senior management is committed to maintaining transparency in decision making

– Consistent and tailored to specific audiences

– Must embody corporate integrity and authenticity

7/25/2013

38

Crisis Communication

• Internal Stakeholders – Individual needs must be acknowledged – Employees must be informed regularly

• How crisis may impact job and working conditions

– Unit and operational managers must be made aware of ongoing risks and held accountable for aspects of crisis management plan

– Stockholders must be informed of steps to manage, mitigate, and prevent future crisis

– Board of Directors informed about strategic exposures, governance issues and long term resilience.

Crisis Communication

• External Stakeholders

– Suppliers

• Deliveries, production schedule

– Customers

• Safety and customer loyalty

– Public officials

• Efforts to ensure public safety and health

– Media

• Helps transmit information to stakeholder groups

7/25/2013

39

Benefits of Crisis Communication

• Improve relationships with internal and external stakeholders

• Protection of reputation

• Promote trust in products and services

• Minimize litigation

Mitigating Supply Chain Risk

7/25/2013

40

Page 3.21

Case Study

Mille Company

Grain flour Producer

Purchased by large company and mixed non-organic grain to

lower costs

Bakeries, Inc

Makes “organic” whole-grain bread

Only purchases grain flour from Mille Company

Health Foods

Purchases bread from Bakeries, Inc.

Bakeries, Inc products account

for 35% of product sales

7/25/2013

41

7/25/2013

42