Management of Disruption Related Risk for Complex Organisations Business Continuity Awareness Week19 March 2012

2

• Introduction

• Integration with risk management

• Integration with incident Management

• Organisational environment

• What is important & what is not

• Practical application.

Overview

3

Disruption-related Risk Management: What is it?

• A discipline that specifically addresses the management of risks that will have

a disruptive impact on the organisation (examples)

• It is all about the availability of processes and resources in order to ensure the

continued achievement of critical business objectives

• It is most effective when it exists in a tightly bound interrelationship with risk

management.

• A stand-alone discipline

• About just having a nice series of printed plans / documents (outputs)

• A ‘one time project’ with a defined end point

• A ‘Tick the Box’ Activity to Satisfy Legal / Compliance Requirements.

What is NOT Disruption-related Risk Management

4

What is NOT Disruption-related Risk Management

5

Integration with Risk Management

6

RISK MANAGEMENT

DISRUPTION RELATED RISKS

R I S K M A N A G E M E N T

Integration with Risk ManagementIntegration Across Disciplines: Risk Management

7

Integration with Risk Management

• Proactive approaches involving prevention and protection measures i.e. resistance (robustness & hardening)

• Prevent or minimise operational impacts through:

• Building contingent capability i.e. reliability, redundancy, flexibility / modifications to process, workarounds,

insurance, etc.

• Development of Contingency plans that: stabilise,

continue and restore.

• NOT JUST ABOUT HAVING A PLAN as shelf ware!!

Control Options

8

IM & BCM(building capability)

PREVENTION

PREPAREDNESS

RESPONSE

RECOVERY

INCIDENT MGT(managing incidents)

RISK MGT(managing uncertainty)

CONTINUITY of process

REACTIVE

Incident (& detection)

TIME

PROACTIVE

RESTORATION of resources

• Policy, plans & procedures• Organisation / structure• Personnel & training

• Facilities• Major equipment

• Support & supplies

Integration with Incident ManagementEMA Methodologies: Comprehensive Approach

Tra

nsit

ion

Cri

ticality

/ N

eed

9

Integration with Incident Management

• Used to highlight (and validate) potential high level disruptive-related risks

• Based on a notional organisation (within the same sector)

• Used to highlight the importance of the Comprehensive Approach

• Attendees divided into nominal groupings:

• Crisis Management Team

• Control Effectiveness

• Risk Management Leadership

• Key Improvement Areas.

• Time jump to highlight the ongoing impact & resumption / restoration activities

• Scenario informs maturity and status of applicable disruptive-related risks & associated control effectiveness.

Exercises

10

Organisational Environment Requirements

• Good business practice

• Contractual / Legislative / Policy requirements:

– Accreditation as a railway operator and railway manager

– Transport Services Contracts (TSC)

– Service level agreements (SLA)

– Acts

– Critical Infrastructure Protection (CIP).

11

What is Important and What is Not: Activity CriticalityIntegration Across Disciplines: Business Planning

12

Practical Application

• SE Qld Network:

– Approximate 700 kilometres of track

– 140+ stations

– Associated Infrastructure

– Train Control Centres

– Fleet of modern A/C electric trains

– Estimated 65+ million passenger journeys / year

– Estimated daily average of 170,000+ journeys.

13

Practical Application1. SEQ Qld Network Disruption

14

Practical Application

Variables

• Date and time of day

• Location on network (line / position)

• Related activities (external)

• Other Railway Operators

• Historical disruptive data

• Customer perception & expectations

Management

• Event specific.

1. SEQ Qld Network Disruption

15

Practical Application2. Loss of Access to Key Building

Preventative Controls

Mitigating Controls

Detective Controls

Management

• Focus on preventative controls

• Security a key focus area

• Investment in a redundant facility.

16

Practical Application3. Loss of Access to Key Facilities

Preventative Controls

Mitigating Controls

Detective Controls

Management

• Proactive supply chain management

• Focus on Safety critical activities

• Re-allocate work to other depots

• Re-direct existing workforce.

17

• Targeted effort (invest where the NEED is)

• Early detection (slow burn & fast burn events)

• Consistency of terminology & approach

• Integration with other disciplines (using stealth):

• Business Planning: determination of Business activities, their criticality & the associated time sensitivity

• Risk Management: not a stand-alone discipline

• Incident Management: more than just stabilise / contain & control / preservation of life and property

• Develop workforce flexibility and activity flexibility

• Learn from disruptions (continual improvement)

• Restore to a higher, more resilient state.

Practical Application: Key Takeaways

18

B C A W

BUSINESS CONTINUITY AWARENESS WEEK

CONTEXT CRITICALITY UNDERSTANDING 52

QUESTIONS?