7/25/2013. Presented by: Erike Young, MPPA, CSP, ARM. Chapter 2. Root Cause Analysis

Transcription

1 Presented by: Erike Young, MPPA, CSP, ARM 1 Chapter 2 Root Cause Analysis 1

2 Introduction to Root Cause Analysis Root Cause The event or circumstance that directly leads to an occurrence Root Cause Analysis (RCA) A systemic procedure that uses the results of the other analysis techniques to identify the predominant cause of the accident Used to determine the underlying cause of a harmful event and prevent such events from occurring again. Typically used after an event has occurred, but can be used to predict events that could harm an organization Goal is to learn to solve problems before they become major events, rather than reacting to them as they occur 2

3 The Nature of Root Cause Analysis Four basic characteristics of Root Causes Root cause is specific to the underlying cause, not a generalization Can be reasonably identified Must be expressed as something that can be modified Cannot be an Act of God Must produce effective recommendations for prevention of future accidents that stem from the root cause The Nature of Root Cause Analysis Harmful events are usually associated with one of three basic causes of loss Physical Failure of a tangible or material item (equipment failure) Human Human error or inaction (not performing maintenance) Organizational Faulty systems, processes or policies Unclear procedures or processes Systems/policies may encourage bad behavior 3

4 The Nature of Root Cause Analysis Steps in Root Cause Analysis Process Data collection Cannot identify root cause without complete information about surrounding circumstances, facts, causes. Causal Factor Charting Provides structure to organize and analyze the data gathered Root Cause Identification Process to identify underlying reason(s) for casual factor identified in step two May involve mapping or flow-charting Recommendation Determination and Implementation Recommendations to prevent recurrence are generated 4

5 Causal Factors- The agents that directly result in one event causing another Summary of Major Standards and Guidelines Risk Maturity Model (self-assessment tool) attributes ERM based approach ERM process management Risk Appetite management Root cause discipline Uncovering risks Performance management Business resiliency and sustainability 5

6 Chapter 3 Business Continuity Management 6

7 Definition of Risk Type of risk that provides potential for only a negative outcome Three main categories Personnel Risk Uncertainty due to loss of key employees, death, workplace injuries Property Risk Uncertainty related to loss of wealth due to damage/destruction of property Liability Risk Uncertainty due to bodily injury/death, harm to others Typically includes the following hazard risks Fire and other property damage Windstorm and other natural perils Theft and other crime, personal injury Business interruption Disease and disability (work related injuries/illness) Liability claims Measuring and Managing Hazard Risk Common measures Frequency number of losses Severity size of loss Techniques to manage Avoidance eliminates possibility of loss Separation dispersing activity over several locations Duplication - reliance on back-ups Diversification Prevention reduces frequency of losses Reduction reduces severity of losses 7

8 Role of Insurance Insurance Risk management technique that transfers the potential financial consequences of certain specified loss exposures from the insured to the insurer Used for low frequency/high severity events Used for events that have more uncertainty and/or activities that cannot be avoided Most common method of risk transfer High frequency/low severity events should be retained predictable 8

9 9

10 Loss Exposures Loss Exposures 10

11 Failure Mode and Effects Analysis (FMEA) FMEA An analysis that reverses the direction of reasoning in fault tree analysis by starting with causes and branching out to consequences Primarily used in product development and operations management Used to identify failure modes and perform effects analysis Failure Mode The manner in which a perceived or actual defect in an item, process, or design occurs Effects Analysis The study of a failure s consequences to determine a risk event s root cause(s) Failure Mode and Effects Analysis (FMEA) Indenture Level An item s relative complexity within an assembly, system, or function Any system can have several levels. Level 1 represents entire system, while level 6 may represent parts Local effect The consequence of a failure mode on the operation, function, or status of the specific item or system level under analysis Next-higher-level effect The consequence of a failure mode on the operation, function, or status of the items in the indenture level immediately above the level being analyzed. End Effect The consequence of a failure mode on the operation, function, or status of the highest indenture level Example Parts of a car 11

12 Types of Loss Exposures Steps in the FMEA Process 12

13 Steps in the FMEA Process Steps in the FMEA Process Rankings are usually on a 1-5 or 1-10 scale, depending on organization s process 13

14 Types of Loss Exposures 14

15 FMEA Advantages/Disadvantages 15

16 FMEA Advantages/Disadvantages Fault Tree Analysis (FTA) Fault Tree Analysis An analysis that takes a particular system failure and traces the events leading to the system failure backwards in time Uses the deductive method of moving from the general to specific to examine conditions that let to, or influenced a risk event Purpose is finding ways to break the fault tree by interrupting the sequence of events leading to system failure so that the failure itself can be prevented Typical fault trees have and gates & or gates which describe the casual relationships between the events within the tree 16

17 Property Insurance And Gate- means that all events have to occur within And gate for injury to happen Or Gate means that any one event is sufficient to cause that specific event Fault Tree Analysis (FTA) 17

18 Fault Tree Analysis (FTA) Fault Tree Analysis (FTA) 18

19 Assumptions and Limitations Assumptions and Limitations 19

20 5 Whys Analysis and the Fishbone Diagram 5 Whys is crucial component of Fishbone diagram Used primarily for problems involving human factors Helps prevent investigators from relying on potentially erroneous assumptions about the root cause of a problem Traces problem through chain of causality to its origin Procedure for Conducting a 5 Whys Analysis 20

21 Commercial Policies 21

22 Steps in Developing a Fishbone 22

23 Steps in Developing a Fishbone 23

24 Chapter 3 Business Continuity Management 24

25 Introduction to Business Continuity Management (BCM) Continuity Management Addresses threats to operations Natural disasters Major physical damage to a building Loss of a critical supplier Pandemic outbreaks Avian Flu, H1N1 Involves examining threats and establishing operational plan with contingencies for key operations and critical functions to continue Goal of BCM is survival Seeks to minimize loss of resources essential to a recovery thru pre and post loss actions Evolution of BCM Originally started as emergency preparedness and response planning Focus on providing emergency supplies and trained personnel to protect physical assets Disaster Recovery planning grew out of increasing use and dependence on technology Data management, storage, communications, and critical systems IT Departments developed plans to protect data and equipment Concept of BCM grew out of realization that organizations had to look beyond their own organization to other systems Focus on disruptions in operations from other causes Supply and distribution chains Need to continue business operations and recovery Examples Super Storm Sandy Research lost, Communications, Transportation 25

26 Aligning BCM with Risk Management BCM deals primarily with operational risk Consequences of disruption and minimizing effects on operations Risk Management encompasses operational risk associated with BCM and the hazard, financial and strategic risk While functions may be housed in different departments, efforts should be coordinated Business Continuity Certifications and Standards 26

27 Business Continuity Planning Seven steps for developing and implementing BCP Understand the business Conduct business impact analysis Perform risk assessment Develop the continuity plan Implement the continuity plan Build a BCM/BCP culture Maintain and update the plan Business is intended to consider mission, vision, strategy of the enterprise, in addition to its survival Business of the charity, agency, etc.. 27

28 Business Continuity Planning Understand the business Determine key objectives Understand how it uses Facilities, materials supply chain, human resources, Allows for identification of key processes that constitute basis for business impact analysis Business Impact Analysis Assess what events may occur, when they will occur and how they could affect achievement of key objectives Distinguish critical vs. non-critical processes For ISO 31000:2009 BIA and Risk assessment process are combined. Business Continuity Planning Performing Risk Assessment Goal is to identify and evaluate potential exposures and the probability that certain events will occur Helps prioritize and make decisions regarding organizational risk appetite Will reveal exposures and assist in establishing methods for future mitigation efforts Helps develop an action plan 28

29 29

30 Develop the Continuity Plan Implementing the Continuity Plan 30

31 Building a BCM/BCP Culture Senior management must provide support for the BCP Desktop exercises/drills Hypothetical disaster scenarios Goal is to find holes in the BCP Suppliers and customers should know about BCP Maintaining and Updating the Plan BCP is only effective if fresh and updated Review should be done semiannually or when significant change in product line, processes, or management occurs. Where to store BCP is also a key consideration How and where to access Sharepoint, thumb drive, etc.. 31

32 Strategic Redeployment Planning Helps determine how to resume business operations and ensure survival and recovery Determine how to realign to survive Regain position in marketplace Protect its reputation Decisions that are made are not just operational, but may also be strategic Strategic Redeployment Planning Strategic Redeployment Planning Stages Comprehensive plan for resiliency after a severe disruption Designed to bring organization back from a state of chaos in four stages Emergency stage Alternate marketing stage Contingency stage Communication stage 32

33 Emergency Stage Emergency stage is designed to accomplish three objectives Protect People Protect physical assets Protect reputation Alternate Marketing Stage Evaluate impact of disruption on the organization s reputation and market share Need for new marketing strategy Customer loyalty considerations Issues with suppliers and subcontractors Competition Continuation of product lines 33

34 Contingency Production Stage Determination of what products and services will provide based upon facilities, technology, and machinery Must consider supply chain Cost and quality Transportation to get product to market Communication Stage Sole objective is to preserve or enhance stakeholders trust and confidence in the organization Often referred as Crisis Communications Begins when disruption occurs Ends when production and reputation has been restored Four basic internal/external concerns to be addressed Safety and security of all stakeholders Transparency in all management s decisions Clarity and consistency in communications Perceived lack of trust in management and the organization Good relationship with new media is essential and regularo communication with employees 34

35 Supply Chain Risk Management Involves assessing and mitigating all the threats that might interrupt the normal flow of goods and services from and on to an organization s stakeholders For production of goods, encompasses volatility related to Producing Transporting Storing goods 35

36 Need to balance between efficiency and vulnerability to disruptions 36

37 Crisis Communication Mitigating risk through crisis communication Quality of crisis communication is essential to resiliency Stakeholder Communications Begins before threats materialize to develop baseline trust Stakeholders must believe that management will competently handle crisis Demonstrate that senior management is committed to maintaining transparency in decision making Consistent and tailored to specific audiences Must embody corporate integrity and authenticity 37

38 Crisis Communication Internal Stakeholders Individual needs must be acknowledged Employees must be informed regularly How crisis may impact job and working conditions Unit and operational managers must be made aware of ongoing risks and held accountable for aspects of crisis management plan Stockholders must be informed of steps to manage, mitigate, and prevent future crisis Board of Directors informed about strategic exposures, governance issues and long term resilience. Crisis Communication External Stakeholders Suppliers Deliveries, production schedule Customers Safety and customer loyalty Public officials Efforts to ensure public safety and health Media Helps transmit information to stakeholder groups 38

39 Benefits of Crisis Communication Improve relationships with internal and external stakeholders Protection of reputation Promote trust in products and services Minimize litigation Mitigating Supply Chain Risk 39

40 Page 3.21 Case Study Mille Company Grain flour Producer Purchased by large company and mixed nonorganic grain to lower costs Bakeries, Inc Makes organic whole-grain bread Only purchases grain flour from Mille Company Health Foods Purchases bread from Bakeries, Inc. Bakeries, Inc products account for 35% of product sales 40

41 41

42 42