THE LINK BETWEEN RISK MANAGEMENT, CRITICAL CONTROLS & AUDITING

Upload: nimonik

Post on 15-Apr-2017

TRANSCRIPT

Page 1

THE LINK BETWEEN RISK MANAGEMENT, CRITICAL CONTROLS & AUDITING

Page 2

John Wolfe, Partner

Kim Chanel Vallée-Séguin, Communications Manager

Page 3

Webinar Objectives

✓ To share knowledge and perspectives about operationally excellent management systems and the essential role that risk management and auditing critical controls play in operational excellence

✓ To share the Nimonik passion for developing a compliance plus culture

Page 4

Operational Risk Management and Audit – A Safety Moment

60% of all operational losses result from preventable causes

80% of incidents are repeat issues

25-30% of an organization’s costs this year will be wasted fixing the same issues

*Source: Peter Merrill – Do it Right the Second Time

Page 5

A Few Wise Words

“Those who don't know history are destined to repeat it.”

- Edmund Burke

“You cannot find what you do not seek” - St. Paul

Page 6

In my experience the organizations with robust integrated ISO 9001, ISO 14001 – OHSAS 18000 HSEQ management programs that also employ Six Sigma Lean management programs are the most successful. Why?

✓ They go beyond simple regulatory compliance
✓ They understand their risks and opportunities
✓ They understand their processes
✓ They have simple up-to-date procedures that they follow, they have competent staff and contractors, the right metrics
✓ They empower their people
✓ They focus initially on HSE bad actors, waste, first time quality, energy efficiency – building a base for continual learning and improvement
✓ They audit – a lot

Page 7

Management System Framework

1. Leadership, Integrity & Accountability
2. Risk Identification, Assessment & Management
3. Legal Requirements & Commitments
4. Objectives, Targets and Planning
5. Management of Change
6. Structure, Responsibility & Resources
7. Training & Competence
8. Facilities Design & Construction
9. Operations & Maintenance Controls
10. Contractor Management & Third Party Services
11. Data & Document Management
12. Emergency Preparedness & Response
13. Information & Communication Management
14. Quality Assurance
15. Incident Reporting, Investigation & Learning
16. Operations Integrity Monitoring, Audit & Assessment
17. Corrective & Preventative Action
18. Stewardship & Management Review

The eighteen elements are arranged around a PLAN – DO – CHECK – ACT cycle.

Page 8

Regulatory Compliance

• Create a Legal Registry that identifies all your legal and other requirements

• Create processes (including audits) to verify compliance status

• At a minimum - operate within compliance requirements

• Have a compliance plus philosophy where it adds value and a robust risk management process

Page 9

Sample – Legal Registry

Column groups: Tracking | Location | Permit Description | Dates | Documents & Filing | Compliance | Turnover

Columns:
• Approval Registry Number
• Approval Type
• Priority / Tier
• Project Area / Plant
• Sub-Plant
• System / Tag Number
• Legal Land Description
• Approval Issuer
• Approval Name / Title / Description
• Person Responsible to Obtain Approval
• Activity for which Approval is Required
• Forecast / Actual Date to Submit Application
• Approval Turn-Around Time (days)
• Forecast Date Approval Required
• Actual Date Approval Received
• Permanent / Temporary (expiry date)
• Renewal Required (Y/N)
• Operating Controls (reference documents)
• Oil Sands Legal Registry (hyperlink)
• Approval Application (hyperlink to Livelink)
• Approval Number and Hyperlink to Livelink
• Compliance Document (descriptor, or hyperlink to Livelink)
• MPG Compliance Status
• Ultimate Approval Owner
• Notes

At a minimum:
✓ What is the requirement?
✓ How, why and where is it applicable in your operations?
✓ Who is responsible for demonstrating compliance?
✓ What evidence do you have?
✓ If monitoring and reporting are required - who looks after it and at what frequency?

Lots of good examples – Suncor had 30 plus data fields

Page 10

The Risk Management Framework

Figure 1. Risk Management Framework – adapted from CAN/CSA-ISO 31000 / Q31001-11

Strategic process (framework implementation, with a continuous improvement cycle):
• Mandate & Commitment: Policy; Standards; Procedures/Guidelines
• Risk Structure & Accountability: risk roles & responsibilities for the Executive Leadership Team, the Chief Risk Officer, and Business & Function Leaders & Management
• Communicate & Train: Communication; Reporting; Training
• Measure, Review & Improve: Control assurance; Policy, Standards & Guidelines; KPIs; KRIs

Tactical process (risk assessment, the process for managing risk):
1. Establish the context
2. Risk assessment: 2a. Identify risks; 2b. Analyze risks; 2c. Evaluate risks
3. Treat risks
"Communicate and consult" and "Monitor and review" run alongside every step.

Risk management information to action: Risk Assurance; Risk Registers; Treatment Plan; Reporting Templates

Page 11

Risk and Decision Making

The concept of risk includes five components:

1. Hazard inherent in an activity otherwise deemed beneficial
2. An undesirable event, which brings out the hazard
3. Adverse consequence of the undesirable event
4. Uncertainty of whether the undesirable event will happen or not (likelihood / probability / frequency)
5. Perception about the combination of the above

Page 12

Definition of Risk (diagram)

Causes → Issues / “Hazards” → [Layers of Protection – Prevention] → Undesirable event → [Layers of Protection – Mitigation] → Consequences

Risk: the consequences of the undesirable event combined with the likelihood of those consequences.

Page 13

Suncor Risk Matrix

Likelihood Category – Frequency Guidelines (Business Unit basis):

6: f >= 1/yr. Occurs once or more per year in BU/facility/project, and is likely to recur within one year.
5: 0.1 <= f < 1/yr (between 1/yr and 1/10 years). Expected to occur several times in the BU/facility/project lifetime.
4: 0.01 <= f < 0.1/yr (between 1/10 and 1/100 years). Expected to occur in the BU/facility/project lifetime.
3: 0.001 <= f < 0.01/yr (between 1/100 and 1/1,000 years). May happen less than once during the BU/facility/project lifetime.
2: 0.0001 <= f < 0.001/yr (between 1/1,000 and 1/10,000 years). Remote chance of happening.*
1: f < 0.0001/yr (less than 1/10,000 years). Extremely remote chance of happening.*

*Note: Likelihood categories 1 & 2 are typically for facility design purposes.

Risk level by likelihood category (rows, likelihood increasing upward) and consequence category (columns, consequence increasing to the right):

Likelihood   C1    C2    C3    C4    C5    C6
    6        III   II    I     I     I     I
    5        III   III   II    I     I     I
    4        IV    III   III   II    I     I
    3        IV    IV    III   III   II    I
    2        IV    IV    IV    III   III   II
    1        IV    IV    IV    IV    III   III

Consequence Category descriptions, in increasing order of consequence:

Health & Safety (Public and Employees): Incident, no treatment; First aid / minor illness; Medical aid, injury or illness / restricted work / nuisance public impact; Temporary disability / lost time; Permanent disability / fatality; Multiple on-site fatalities.

Environmental: Release to on-site environment, contained immediately; Small uncontained release below legal limit or with minor impacts / possible cumulative impact on-site; Minor environmental impact, but results in permit violation or administrative penalties; Significant adverse impact, significant long-term liability, enforcement action; Catastrophic impact, material (corporate) long-term liability.

Financial / Damage (Equipment + Business Interruption) (Business Unit / Clients): C < $10k; $10k <= C < $100k; $100k <= C < $1M; $1M <= C < $10M; $10M <= C < $100M; C > $100M.

Reputation (Political / Regulatory / Social): Individual concern / local media attention / no impact on Suncor's reputation; Community concern / regional news / adverse impact on Suncor's reputation at regional level; Provincial news / adverse impact on Suncor's reputation at provincial / state level; National news / public outrage / short-term drop in market share and share price; Recurring national attention / punitive action by government against company / long-term major impact on market share and share price.

Action Priorities (Residual Risk Level → Action Priority):

I – Responsible EVP & CEO to be made aware of risk, along with mitigation and risk reduction plans. Business Unit EVP is responsible to obtain approval from CEO for continued operation.
II – Responsible VP ensures preventive controls and mitigation plans are established and maintained, and risks are re-assessed at appropriate intervals.
III – Operations management monitors the risk, ensures preventive controls and mitigation plans are functioning and procedures are followed.
IV – Employees and contractors are aware of the risk, and follow established procedures.

Page 14

Presentation of Risk - Risk Maps

• For different events that we identify through a risk analysis, once we also know their consequence C and likelihood L, we can plot them on a graph (the same grid as the matrix on the previous page, with Consequence C on the horizontal axis and Likelihood L on the vertical axis; each individual event type is plotted as a point)

• A Risk Map thus provides a means of ranking the risk of events relative to each other and also providing guidance for action levels
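The scoring and ranking the risk map does visually, as an added worked example (this is not code from the webinar or from Suncor). The likelihood bands, the level grid and the action priorities are transcribed from the matrix on the previous page; the sample events, their frequencies and their dollar figures are constructed for illustration. An event is rated on its worst consequence column, which is how a single point ends up on the map.

```python
"""Risk-matrix scoring and ranking (added example, not from the slides).

Likelihood bands, the 6x6 level grid and the action priorities follow the
Suncor matrix on the slide.  The sample events, frequencies and dollar
figures below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Level grid as on the slide: MATRIX[likelihood_category][consequence_category - 1].
# Row 6 is the most likely band, column C6 the worst consequence.
MATRIX: Dict[int, List[str]] = {
    6: ["III", "II", "I", "I", "I", "I"],
    5: ["III", "III", "II", "I", "I", "I"],
    4: ["IV", "III", "III", "II", "I", "I"],
    3: ["IV", "IV", "III", "III", "II", "I"],
    2: ["IV", "IV", "IV", "III", "III", "II"],
    1: ["IV", "IV", "IV", "IV", "III", "III"],
}

# Action priority per risk level (condensed from the slide).
ACTION: Dict[str, str] = {
    "I": "EVP & CEO made aware; BU EVP obtains CEO approval for continued operation",
    "II": "Responsible VP ensures controls and mitigation plans exist and are re-assessed",
    "III": "Operations management monitors controls and procedures",
    "IV": "Employees and contractors aware of the risk and follow procedures",
}

# Lower bound (events per year) of each likelihood band; band 1 has no lower bound.
LIKELIHOOD_LOWER = [(6, 1.0), (5, 0.1), (4, 0.01), (3, 0.001), (2, 0.0001)]

# Upper bounds (USD) of financial consequence bands C1..C5; anything above is C6.
FINANCIAL_UPPER = [10_000, 100_000, 1_000_000, 10_000_000, 100_000_000]

LEVEL_ORDER = {"I": 0, "II": 1, "III": 2, "IV": 3}


def likelihood_category(freq_per_year: float) -> int:
    """Map an annual frequency to likelihood category 1..6 using the slide's bands."""
    if freq_per_year < 0:
        raise ValueError("frequency must be non-negative")
    for category, lower in LIKELIHOOD_LOWER:
        if freq_per_year >= lower:
            return category
    return 1


def financial_category(cost: float) -> int:
    """Map a dollar loss to financial consequence category 1..6."""
    for category, upper in enumerate(FINANCIAL_UPPER, start=1):
        if cost < upper:
            return category
    return 6


def risk_level(likelihood: int, consequence: int) -> str:
    """Look up the level (I..IV) for a likelihood/consequence category pair."""
    if not (1 <= likelihood <= 6 and 1 <= consequence <= 6):
        raise ValueError("categories must be in 1..6")
    return MATRIX[likelihood][consequence - 1]


@dataclass
class Event:
    name: str
    freq_per_year: float
    # Consequence categories already assigned for the non-financial columns,
    # e.g. {"safety": 3, "environmental": 4}; the financial column comes from `cost`.
    consequences: Dict[str, int] = field(default_factory=dict)
    cost: float = 0.0

    def worst_consequence(self) -> int:
        """An event is rated on its worst consequence column, financial included."""
        cats = list(self.consequences.values())
        if self.cost > 0:
            cats.append(financial_category(self.cost))
        return max(cats) if cats else 1


def assess(event: Event) -> Tuple[int, int, str]:
    """Return (likelihood category, consequence category, level) for one event."""
    L = likelihood_category(event.freq_per_year)
    C = event.worst_consequence()
    return L, C, risk_level(L, C)


def rank(events: List[Event]) -> List[Tuple[str, int, int, str]]:
    """Rank events worst-first: by level, then consequence, then likelihood.

    This makes the risk map's visual ordering explicit so Level I items
    surface first for escalation and audit.
    """
    rows = [(e.name, *assess(e)) for e in events]
    return sorted(rows, key=lambda r: (LEVEL_ORDER[r[3]], -r[2], -r[1]))


# Constructed sample events (hypothetical numbers, not from the slides).
SAMPLE_EVENTS = [
    Event("Slip/trip in control room", 2.0, {"safety": 2}, cost=5_000),
    Event("Tank overfill at terminal", 0.05, {"environmental": 3}, cost=500_000),
    Event("Loss of containment, export pipeline", 0.005,
          {"environmental": 4, "safety": 3}, cost=25_000_000),
    Event("Vessel grounding with spill", 0.02,
          {"environmental": 5, "reputation": 5}, cost=150_000_000),
    Event("Major fire at process unit", 0.0005, {"safety": 6}, cost=200_000_000),
]

if __name__ == "__main__":
    for name, L, C, level in rank(SAMPLE_EVENTS):
        print(f"{level:>3}  L{L} C{C}  {name}: {ACTION[level]}")
```

Two things the grid makes visible that a single score hides: a rare but catastrophic event (the fire, L2 C6) still lands at Level II, and a frequent but minor one (the slip, L6 C2) lands at the same level, so the ranking then falls back on consequence to decide which is audited first.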

Page 15

Integrated Risk Analysis Methods

Hazard Identification Methods

• Brainstorming

• Field Level Risk Assessment

• Job Safety Analysis/ Task Analysis

• What-if

• HAZOP

• FMEA

Page 16

Bow-Tie Risk Analysis

Causes → Preventive controls → RISK EVENT → Reactive controls → Consequences

(Several causes feed the risk event from the left, each passing through preventive controls; several consequences fan out to the right, each passing through reactive controls.)

Helping to ensure that risks are managed rather than just analyzed

Page 17

Risk Analysis – Marine Transportation (bow-tie worked example)

Core Business Objectives: 1. Safe, efficient, regulatory compliant movement of crude and products (transportation on water)

Who is the Client: Marine Transportation, other stakeholders involved in or supporting marine transportation activities.

RISK EVENT: Unsafe (release of petroleum product in waterway) or non-compliant transportation activity

THREATS
Strategic – Misalignment with current and future company strategy and risk tolerance
People – Skills/experience of staff; Workforce demographics
Roles & Responsibilities – Marine accountability for transportation vs. contractual agreement made by operating groups
Environmental and Reputational – Operating business units non-compliance; Employment of sub-standard vessels; Engagement of unapproved vendors; Geographic operating environment; Inadequate insurance coverage; Public perception; Readiness to respond to a major event; Increasing environmental consciousness
Assets – Use of aging fleets/infrastructure
Commercial – Commercial needs are not aligned with company’s risk tolerance; Inadequate insurance coverage; Structured deals; High cargo volumes; High dollar values; Freight market volatility; Cargo quality and loss control

PREVENTIVE CONTROLS
Governance and Oversight – Policies and procedures; Delegation of authorities; Functional segregation of duties; Continuous improvement mindset
Approval of Vessels – Marine technical expertise and experience; Marine Risk Management System (IT tool); Consistent vetting process and rules; Vessel Acceptance Report issuance; Document administration
Tools and Processes – AQUARIUS IT tool data management; Cargo handling instructions; Loss control; IT general controls (disaster recovery, backup of AQUARIUS, internally hosted); Vessel tracking; Capturing of contract terms
Compliance and Benchmarking – Meet applicable legal requirements; Consistent with best industry practice; Compliance with company X Vessel Selection Criteria
Information Technology Management – Marine Risk Management System (MRMS) IT tool; MRMS data and documentation retention
Financial Management – Volume actualization; Logistic settlement; Counter-party / broker settlement; Exchange settlement; Invoice management (including netting); A/R and A/P management; Demurrage and cargo claims; Loss control; Tariff validation

CONSEQUENCES
Reputational – Public outcry from oil spill; Investor confidence / share price (shareholders)
Operational – Crude supply to refineries affected
Financial – Cost of cleanup; Insurance deficiency; Impact from refinery shut-down
Legal and Regulatory – Fines and sanctions; Lawsuits; Prosecution of executives
Strategic – SEMI growth objectives; Impact on other major initiatives due to residual reputational damage

RECOVERY CONTROLS
Financial – Commercial and market expertise; Competitive commercial advantage; Centralized market knowledge; Cost controls (GOA/CA limits)
Risk Management – Major Emergency Team process; Marine Dept people and processes; Corporate Public Relations process; Internal and external legal support; Corporate Charterers Liability Insurance
Emergency Response Procedures – EH&S and Terminal spill procedures; Spill reporting/control procedures

Key:
▲ No material findings
◄ Process improvement or increased formalization
▼ Gap or control failure warranting attention
Grayed out: excluded from scope based on planning meetings
RL = Risk Level; RR = Residual Risk (in the original figure each threat and consequence group carries a Current State and a Future State RL and RR of I to IV)

Findings (Current State → Future State):
Governance and Oversight – Marine policy should be a company X PG&S; Identify all stakeholders; Marine policy approved by appropriate level of company X executive management; Appropriate individual responsible for updating and maintenance of policy; Formalized process for communicating Marine policy
Marine Department Procedures – Formalized procedures should be documented
Tools and Processes – AQUARIUS / MRMS systems should be documented; Formal documented guidance provided to users
East Coast – Formalized communication channels with Marine department; Update East Coast Marine procedures; Compliance to policy; SCM Logistics group interaction with marine group
BC Terminal – Formalized communication channels with Marine department; Use of TSW

Page 18

OEMS – Preventive Barriers and Recovery Measures (diagram)

SIGNIFICANT RISK → PREVENTIVE BARRIERS → Unplanned Event → RECOVERY MEASURES → Emergency Condition → CONSEQUENCES

Barriers and measures named in the figure: Risk Assessment; Process Hazard Analysis; Management of Change; Competency Program; Engineering Controls; Standard, Procedure, Guideline; Contractor Selection; Contractor Performance; Stakeholder Concerns; Compliance Tasks; Lessons Learned; Business Plans; Emergency Response; Emergency Plans; Incident Investigation / Root Cause Analysis; Goals and Targets; Decision Making Authority; PM Programs; Hazard Reporting / Near Misses; Trending & Analysis.

Each barrier is tied to an element of the OEMS Management System Framework (Elements 2, 3, 4, 5, 6, 7, 9, 10, 12, 13, 15 and 17 are referenced in the figure).

Risk and Control based audits will audit both preventative and recovery control adequacy and effectiveness using OEMS criteria

Page 19

End Result of a Risk Assessment

• “Risk Inventory” or “Risk Registry”

• Risk assessments are “integrated” risk assessments

• Risk assessment worksheet to record the results in summary form.

Page 20

HAZOP worksheet in Stature

Page 21

Page 22

Hazard Controls

The Hierarchy of Hazard Controls, most effective to least effective:

1. Eliminate the hazard: completely remove the hazard
2. Substitute: replace materials or processes
3. Engineering Controls: Separate – isolate the hazard by guarding or enclosing; Redesign – change a process or reconfigure equipment
4. Administrative: changing the way workers do their jobs, changing policies and procedures for safe work practices, training, etc.
5. Last resort – Personal Protective Equipment (PPE): the least effective way to protect workers. If the PPE fails, the workers are exposed to the hazard.

Control of hazards starts at the top and works down with PPE being the last line of defense.

Figure 1: The Hierarchy of Controls: a method for determining appropriate Operational Controls.

Page 23

Cost/Benefit Analysis

Page 24

Page 25

Dynamics of an Incident

Layered defenses (System 1 through System 7):

“Hardware” Defenses - Process design; Plant layout; Protection systems

“Software” Defenses - Procedures; Audits; Management systems

“Liveware” Defenses - Safety culture; Motivation; Alertness

Unusual conditions, combined with latent failures in the systems, pass through successive defenses to produce an Incident.

Page 26

Deepwater Horizon

Page 27

Audit Scope Value Proposition

Inputs to Audit and Assessment Planning:
• Incident and KPI Analysis
• Major Operational Risks and Control Review
• Strategy and Values - Emerging EHS and PS Risks
• OEMS Self Assessments & Audits
• Coverage - Prior Audits & Assessments

Page 28

Risk-Based Audits – Planning Process

Inputs: Management Consultations; Principal Risks; Suncor Strategy & Value Drivers; Prior Audit Insights; External Risks; Coverage Over Time; Resourcing

Steps: Idea Generation & Project Scoping → Risk, Value, OEMS Alignment → Prioritization & Selection → Audit Plan

Audit Plan:
• 5 Year Audit Plan Established
• Process Audit Approach

OEMS Audits – Non Hazardous Operations / Functions:
• Embedded into OEMS Process Audits
• Process Hazard Analysis
• Mechanical Integrity
• Quality Assurance

OEMS Audits – Hazardous Operations:
• Annual Determination of Targets
• Significant Risks / Key Controls
• Environmental
• Safety (Personnel and Process)
• Emerging Risks
• Business Process Effectiveness
• Compliance

Also feeding the plan: In-Year High Risk Requests; Process Improvement Project – GRC implementation; Continuous Improvement

Page 29

Audit Plan - Summary

Audit Area / Description / Proposed Timing

ENTERPRISE ASSESSMENTS (Potential impact based on Scope of Audit)

Facility Siting – Organizational assessment of conformance to the company X 2110 Standard on Facility Siting requirements. Review of status of studies, API and SU 2110 requirements, reporting, risk management, mitigative actions and budgeting. Timing: TBD

Risk Transparency – Risk Transparency / Efficacy of Ranking & Reporting. RRI and RRII identification, assessment, monitoring and reporting requirements. Company X Standards and Process support effective risk transparency and governance of high risk exposures identified by the organization (including an internal review of past incidents and risk ranking/reporting). Timing: TBD

Pipeline Integrity, Non-Regulated Lines – Process Pipelines Compliance, Conformance to Standards and Risk Management. Assessment of compliance against regulatory requirements and conformance against related corporate standards. Timing: TBD (Western Canada)

Decommissioned Equipment – Operational excellence; policies, standards, procedure review of decommissioned equipment processes utilized throughout the organization. Timing: TBD

Contaminated Sites Liability – Compliance, Conformance and Risk Management. Assessment of compliance against regulatory requirements and conformance against related corporate standards. Timing: TBD

Capital Allocation Process (Joint with IA) – Capital Allocation and Risk Management. Assessment of current capital allocation process and risk management/mitigation of projects identified by the business to mitigate RRI and RRII items. Timing: TBD

Critical Equipment Back-up – Critical Equipment and Exposure to Significant Operational Outages. Targeting of assets that if taken offline (e.g. external threat / incident) could lead to a significant operational outage. How exposed are we on certain systems and what security exists to protect identified critical assets. Timing: TBD

Contractor Management – Risk Management Process design effectiveness review to mitigate company X Contractor Management risks. Scope to be determined with IA. Timing: TBD

Page 30

Auditing of Critical Controls

• Minimize impact on operations because of limited resources

• Focus on efficacy

• Start with Level 1 inherent risk

Page 31

Auditing of Critical Controls

• All audit programs have limited resources, and need to minimize their impact on operations

• It is therefore important to focus efforts on providing assurance that the controls used to prevent incidents with the highest consequences are operating with efficacy

• I suggest you start with your Level I inherent risk controls and work your way down the food chain – recognizing that the front line risk and control owners have the ultimate responsibility and in an ideal world should already have said data and you are simply confirming it
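The bow-tie of pages 16 and 17 and the audit ordering suggested on this page, as one added worked example (this is not code from the webinar, from Nimonik or from Suncor). Each bow-tie records the risk event, its inherent risk level from the matrix before any credit for controls, the causes, the consequences, and the controls with the causes or consequences each one addresses. Two checks follow: whether every cause has a preventive control and every consequence a recovery control (a risk that is analyzed but not managed shows up here), and a fieldwork order that starts with Level I inherent risk. The bow-tie entries are a constructed, cut-down sketch loosely modelled on the marine case study; the control names, test dates and levels are assumed for illustration.

```python
"""Bow-tie coverage check and critical-control audit ordering.

Added example, not code from the webinar.  The sample bow-ties, control
names, last-tested dates and inherent levels are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

LEVEL_ORDER = {"I": 0, "II": 1, "III": 2, "IV": 3}


@dataclass
class Control:
    name: str
    kind: str                 # "preventive" (left of the event) or "recovery" (right)
    addresses: List[str]      # cause names for preventive, consequence names for recovery
    last_tested: Optional[str] = None   # ISO date of last effectiveness test; None = never


@dataclass
class BowTie:
    risk_event: str
    inherent_level: str       # I..IV from the risk matrix, before controls
    causes: List[str]
    consequences: List[str]
    controls: List[Control] = field(default_factory=list)


def coverage_gaps(bt: BowTie) -> Dict[str, List[str]]:
    """Causes with no preventive barrier, consequences with no recovery measure,
    and controls that point at names not on this bow-tie (a typo, or a control
    copied from another analysis)."""
    covered_causes = {c for ctl in bt.controls if ctl.kind == "preventive"
                      for c in ctl.addresses}
    covered_cons = {c for ctl in bt.controls if ctl.kind == "recovery"
                    for c in ctl.addresses}
    known = set(bt.causes) | set(bt.consequences)
    dangling = [ctl.name for ctl in bt.controls
                if any(a not in known for a in ctl.addresses)]
    return {
        "causes_without_preventive_control":
            [c for c in bt.causes if c not in covered_causes],
        "consequences_without_recovery_control":
            [c for c in bt.consequences if c not in covered_cons],
        "controls_with_unknown_targets": dangling,
    }


def audit_order(bowties: List[BowTie]) -> List[Tuple[str, str, str]]:
    """Controls in fieldwork order: Level I inherent risk first, preventive before
    recovery within an event, never-tested before least-recently tested.
    Returns (level, risk_event, control_name) tuples."""
    rows = []
    for bt in bowties:
        if bt.inherent_level not in LEVEL_ORDER:
            raise ValueError(f"unknown level {bt.inherent_level!r} on {bt.risk_event}")
        for ctl in bt.controls:
            rows.append((bt.inherent_level, bt.risk_event, ctl.name,
                         ctl.kind != "preventive", ctl.last_tested))
    # The boolean puts never-tested (None) first; ISO dates then sort oldest-first.
    rows.sort(key=lambda r: (LEVEL_ORDER[r[0]], r[3], r[4] is not None, r[4] or ""))
    return [(r[0], r[1], r[2]) for r in rows]


# Constructed sample bow-ties (hypothetical).
SAMPLE_BOWTIES = [
    BowTie(
        risk_event="Release of petroleum product in waterway",
        inherent_level="I",
        causes=["Employment of sub-standard vessels",
                "Engagement of unapproved vendors",
                "Inadequate insurance coverage"],
        consequences=["Public outcry from oil spill", "Cost of cleanup",
                      "Crude supply to refineries affected"],
        controls=[
            Control("Vessel vetting and Vessel Acceptance Report", "preventive",
                    ["Employment of sub-standard vessels"], "2016-09-01"),
            Control("Approved-vendor check in MRMS", "preventive",
                    ["Engagement of unapproved vendors"]),
            Control("Major Emergency Team process", "recovery",
                    ["Public outcry from oil spill",
                     "Crude supply to refineries affected"], "2017-01-15"),
            Control("Charterers liability insurance", "recovery",
                    ["Cost of cleanup"], "2016-03-01"),
        ],
    ),
    BowTie(
        risk_event="Tank overfill at terminal",
        inherent_level="III",
        causes=["High level alarm bypassed"],
        consequences=["Release to on-site environment"],
        controls=[
            Control("Independent high-high level trip", "preventive",
                    ["High level alarm bypassed"], "2016-12-01"),
            Control("Terminal spill procedure", "recovery",
                    ["Release to on-site environment"], "2015-06-01"),
        ],
    ),
]

if __name__ == "__main__":
    for bt in SAMPLE_BOWTIES:
        print(bt.risk_event, coverage_gaps(bt))
    for level, event, name in audit_order(SAMPLE_BOWTIES):
        print(level, event, "->", name)
```

On the sample data the coverage check reports "Inadequate insurance coverage" as a cause with no preventive control, which is the kind of finding the ▼ marker on page 17 flags; the audit order puts the never-tested vendor check on the Level I event ahead of everything else, and the Level III terminal controls last. The ordering sorts on the inherent level deliberately: a control that is the only thing standing between a Level I inherent risk and its consequence is the one whose efficacy the audit most needs to confirm, whatever residual level the register currently shows.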
